// SPDX-License-Identifier: GPL-2.0
/*
 * x86 instruction mnemonic table to parse disasm lines for annotate.
 * This table is searched twice - once for an exact match and again for
 * a match without a size suffix (b, w, l, q) in case of AT&T syntax.
 *
 * So this table should not have entries with the suffix unless it is
 * a completely different instruction from the one without the suffix.
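 *
 * For example, AT&T-syntax "addq" has no entry of its own and is
 * matched by stripping the "q" suffix and finding "add" below.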
 */
static struct ins x86__instructions[] = {
	{ .name = "adc", .ops = &mov_ops, },
	{ .name = "add", .ops = &mov_ops, },
	{ .name = "addsd", .ops = &mov_ops, },
	{ .name = "and", .ops = &mov_ops, },
	{ .name = "andpd", .ops = &mov_ops, },
	{ .name = "andps", .ops = &mov_ops, },
	{ .name = "bsr", .ops = &mov_ops, },
	{ .name = "bt", .ops = &mov_ops, },
	{ .name = "btr", .ops = &mov_ops, },
	{ .name = "bts", .ops = &mov_ops, },
	{ .name = "call", .ops = &call_ops, },
	{ .name = "cmovbe", .ops = &mov_ops, },
	{ .name = "cmove", .ops = &mov_ops, },
	{ .name = "cmovae", .ops = &mov_ops, },
	{ .name = "cmp", .ops = &mov_ops, },
	{ .name = "cmpxch", .ops = &mov_ops, },
	{ .name = "cmpxchg", .ops = &mov_ops, },
	{ .name = "cs", .ops = &mov_ops, },
	{ .name = "dec", .ops = &dec_ops, },
	{ .name = "divsd", .ops = &mov_ops, },
	{ .name = "divss", .ops = &mov_ops, },
	{ .name = "gs", .ops = &mov_ops, },
	{ .name = "imul", .ops = &mov_ops, },
	{ .name = "inc", .ops = &dec_ops, },
	{ .name = "ja", .ops = &jump_ops, },
	{ .name = "jae", .ops = &jump_ops, },
	{ .name = "jb", .ops = &jump_ops, },
	{ .name = "jbe", .ops = &jump_ops, },
	{ .name = "jc", .ops = &jump_ops, },
	{ .name = "jcxz", .ops = &jump_ops, },
	{ .name = "je", .ops = &jump_ops, },
	{ .name = "jecxz", .ops = &jump_ops, },
	{ .name = "jg", .ops = &jump_ops, },
	{ .name = "jge", .ops = &jump_ops, },
	{ .name = "jl", .ops = &jump_ops, },
	{ .name = "jle", .ops = &jump_ops, },
	{ .name = "jmp", .ops = &jump_ops, },
	{ .name = "jna", .ops = &jump_ops, },
	{ .name = "jnae", .ops = &jump_ops, },
	{ .name = "jnb", .ops = &jump_ops, },
	{ .name = "jnbe", .ops = &jump_ops, },
	{ .name = "jnc", .ops = &jump_ops, },
	{ .name = "jne", .ops = &jump_ops, },
	{ .name = "jng", .ops = &jump_ops, },
	{ .name = "jnge", .ops = &jump_ops, },
	{ .name = "jnl", .ops = &jump_ops, },
	{ .name = "jnle", .ops = &jump_ops, },
	{ .name = "jno", .ops = &jump_ops, },
	{ .name = "jnp", .ops = &jump_ops, },
	{ .name = "jns", .ops = &jump_ops, },
	{ .name = "jnz", .ops = &jump_ops, },
	{ .name = "jo", .ops = &jump_ops, },
	{ .name = "jp", .ops = &jump_ops, },
	{ .name = "jpe", .ops = &jump_ops, },
	{ .name = "jpo", .ops = &jump_ops, },
	{ .name = "jrcxz", .ops = &jump_ops, },
	{ .name = "js", .ops = &jump_ops, },
	{ .name = "jz", .ops = &jump_ops, },
	{ .name = "lea", .ops = &mov_ops, },
	{ .name = "lock", .ops = &lock_ops, },
	{ .name = "mov", .ops = &mov_ops, },
	{ .name = "movapd", .ops = &mov_ops, },
	{ .name = "movaps", .ops = &mov_ops, },
	{ .name = "movdqa", .ops = &mov_ops, },
	{ .name = "movdqu", .ops = &mov_ops, },
	{ .name = "movsd", .ops = &mov_ops, },
	{ .name = "movss", .ops = &mov_ops, },
	{ .name = "movsb", .ops = &mov_ops, },
	{ .name = "movsw", .ops = &mov_ops, },
	{ .name = "movsl", .ops = &mov_ops, },
	{ .name = "movupd", .ops = &mov_ops, },
	{ .name = "movups", .ops = &mov_ops, },
	{ .name = "movzb", .ops = &mov_ops, },
	{ .name = "movzw", .ops = &mov_ops, },
	{ .name = "movzl", .ops = &mov_ops, },
	{ .name = "mulsd", .ops = &mov_ops, },
	{ .name = "mulss", .ops = &mov_ops, },
	{ .name = "nop", .ops = &nop_ops, },
	{ .name = "or", .ops = &mov_ops, },
	{ .name = "orps", .ops = &mov_ops, },
	{ .name = "pand", .ops = &mov_ops, },
	{ .name = "paddq", .ops = &mov_ops, },
	{ .name = "pcmpeqb", .ops = &mov_ops, },
	{ .name = "por", .ops = &mov_ops, },
	{ .name = "rcl", .ops = &mov_ops, },
	{ .name = "ret", .ops = &ret_ops, },
	{ .name = "sbb", .ops = &mov_ops, },
	{ .name = "sete", .ops = &mov_ops, },
	{ .name = "sub", .ops = &mov_ops, },
	{ .name = "subsd", .ops = &mov_ops, },
	{ .name = "test", .ops = &mov_ops, },
	{ .name = "tzcnt", .ops = &mov_ops, },
	{ .name = "ucomisd", .ops = &mov_ops, },
	{ .name = "ucomiss", .ops = &mov_ops, },
	{ .name = "vaddsd", .ops = &mov_ops, },
	{ .name = "vandpd", .ops = &mov_ops, },
	{ .name = "vmovdqa", .ops = &mov_ops, },
	{ .name = "vmovq", .ops = &mov_ops, },
	{ .name = "vmovsd", .ops = &mov_ops, },
	{ .name = "vmulsd", .ops = &mov_ops, },
	{ .name = "vorpd", .ops = &mov_ops, },
	{ .name = "vsubsd", .ops = &mov_ops, },
	{ .name = "vucomisd", .ops = &mov_ops, },
	{ .name = "xadd", .ops = &mov_ops, },
	{ .name = "xbegin", .ops = &jump_ops, },
	{ .name = "xchg", .ops = &mov_ops, },
	{ .name = "xor", .ops = &mov_ops, },
	{ .name = "xorpd", .ops = &mov_ops, },
	{ .name = "xorps", .ops = &mov_ops, },
};

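/*
 * Instruction fusion: modern x86 cores can execute an adjacent
 * compare-like instruction and a conditional branch as a single
 * fused micro-op, e.g. "cmp %rsi, %rdi; jne <target>".  The
 * vendor-specific callbacks below report whether a given pair of
 * instructions is expected to fuse on the detected CPU.
 */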
static bool amd__ins_is_fused(struct arch *arch, const char *ins1,
			      const char *ins2)
{
	if (strstr(ins2, "jmp"))
		return false;

	/* Family >= 15h supports cmp/test + branch fusion */
	if (arch->family >= 0x15 && (strstarts(ins1, "test") ||
	     (strstarts(ins1, "cmp") && !strstr(ins1, "xchg")))) {
		return true;
	}

	/* Family >= 19h supports some ALU + branch fusion */
	if (arch->family >= 0x19 && (strstarts(ins1, "add") ||
	     strstarts(ins1, "sub") || strstarts(ins1, "and") ||
	     strstarts(ins1, "inc") || strstarts(ins1, "dec") ||
	     strstarts(ins1, "or") || strstarts(ins1, "xor"))) {
		return true;
	}

	return false;
}

static bool intel__ins_is_fused(struct arch *arch, const char *ins1,
				const char *ins2)
{
	if (arch->family != 6 || arch->model < 0x1e || strstr(ins2, "jmp"))
		return false;

	if (arch->model == 0x1e) {
		/* Nehalem */
		if ((strstr(ins1, "cmp") && !strstr(ins1, "xchg")) ||
		     strstr(ins1, "test")) {
			return true;
		}
	} else {
		/* Newer platform */
		if ((strstr(ins1, "cmp") && !strstr(ins1, "xchg")) ||
		     strstr(ins1, "test") ||
		     strstr(ins1, "add") ||
		     strstr(ins1, "sub") ||
		     strstr(ins1, "and") ||
		     strstr(ins1, "inc") ||
		     strstr(ins1, "dec")) {
			return true;
		}
	}

	return false;
}

static int x86__cpuid_parse(struct arch *arch, char *cpuid)
{
	unsigned int family, model, stepping;
	int ret;

	/*
	 * cpuid = "GenuineIntel,family,model,stepping"
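	 * with decimal fields, e.g. "GenuineIntel,6,158,10" or
	 * "AuthenticAMD,25,1,1" (illustrative values only).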
	 */
	ret = sscanf(cpuid, "%*[^,],%u,%u,%u", &family, &model, &stepping);
	if (ret == 3) {
		arch->family = family;
		arch->model = model;
		arch->ins_is_fused = strstarts(cpuid, "AuthenticAMD") ?
					amd__ins_is_fused :
					intel__ins_is_fused;
		return 0;
	}

	return -1;
}

static int x86__annotate_init(struct arch *arch, char *cpuid)
{
	int err = 0;

	if (arch->initialized)
		return 0;

	if (cpuid) {
		if (x86__cpuid_parse(arch, cpuid))
			err = SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING;
	}

	arch->initialized = true;
	return err;
}

#ifdef HAVE_DWARF_SUPPORT
static void update_insn_state_x86(struct type_state *state,
				  struct data_loc_info *dloc, Dwarf_Die *cu_die,
				  struct disasm_line *dl)
{
	struct annotated_insn_loc loc;
	struct annotated_op_loc *src = &loc.ops[INSN_OP_SOURCE];
	struct annotated_op_loc *dst = &loc.ops[INSN_OP_TARGET];
	struct type_state_reg *tsr;
	Dwarf_Die type_die;
	u32 insn_offset = dl->al.offset;
	int fbreg = dloc->fbreg;
	int fboff = 0;

	if (annotate_get_insn_location(dloc->arch, dl, &loc) < 0)
		return;

	if (ins__is_call(&dl->ins)) {
		struct symbol *func = dl->ops.target.sym;

		if (func == NULL)
			return;

		/* __fentry__ will preserve all registers */
		if (!strcmp(func->name, "__fentry__"))
			return;

		pr_debug_dtp("call [%x] %s\n", insn_offset, func->name);

		/* Otherwise invalidate caller-saved registers after call */
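		/* (e.g. rax, rcx, rdx, rsi, rdi, r8-r11 under the SysV x86-64 ABI) */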
		for (unsigned i = 0; i < ARRAY_SIZE(state->regs); i++) {
			if (state->regs[i].caller_saved)
				state->regs[i].ok = false;
		}

		/* Update register with the return type (if any) */
		if (die_find_func_rettype(cu_die, func->name, &type_die)) {
			tsr = &state->regs[state->ret_reg];
			tsr->type = type_die;
			tsr->kind = TSR_KIND_TYPE;
			tsr->ok = true;

			pr_debug_dtp("call [%x] return -> reg%d",
				     insn_offset, state->ret_reg);
			pr_debug_type_name(&type_die, tsr->kind);
		}
		return;
	}

	if (!strncmp(dl->ins.name, "add", 3)) {
		u64 imm_value = -1ULL;
		int offset;
		const char *var_name = NULL;
		struct map_symbol *ms = dloc->ms;
		u64 ip = ms->sym->start + dl->al.offset;

		if (!has_reg_type(state, dst->reg1))
			return;

		tsr = &state->regs[dst->reg1];
		tsr->copied_from = -1;

		if (src->imm)
			imm_value = src->offset;
		else if (has_reg_type(state, src->reg1) &&
			 state->regs[src->reg1].kind == TSR_KIND_CONST)
			imm_value = state->regs[src->reg1].imm_value;
		else if (src->reg1 == DWARF_REG_PC) {
			u64 var_addr = annotate_calc_pcrel(dloc->ms, ip,
							   src->offset, dl);

			if (get_global_var_info(dloc, var_addr,
						&var_name, &offset) &&
			    !strcmp(var_name, "this_cpu_off") &&
			    tsr->kind == TSR_KIND_CONST) {
				tsr->kind = TSR_KIND_PERCPU_BASE;
				tsr->ok = true;
				imm_value = tsr->imm_value;
			}
		}
		else
			return;

		if (tsr->kind != TSR_KIND_PERCPU_BASE)
			return;

		if (get_global_var_type(cu_die, dloc, ip, imm_value, &offset,
					&type_die) && offset == 0) {
			/*
			 * This is not a pointer type, but it should be treated
			 * as a pointer.
			 */
			tsr->type = type_die;
			tsr->kind = TSR_KIND_POINTER;
			tsr->ok = true;

			pr_debug_dtp("add [%x] percpu %#"PRIx64" -> reg%d",
				     insn_offset, imm_value, dst->reg1);
			pr_debug_type_name(&tsr->type, tsr->kind);
		}
		return;
	}

	if (strncmp(dl->ins.name, "mov", 3))
		return;

	if (dloc->fb_cfa) {
		u64 ip = dloc->ms->sym->start + dl->al.offset;
		u64 pc = map__rip_2objdump(dloc->ms->map, ip);

		if (die_get_cfa(dloc->di->dbg, pc, &fbreg, &fboff) < 0)
			fbreg = -1;
	}

	/* Case 1. register to register or segment:offset to register transfers */
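	/* (e.g. "mov %rdi, %rax" or "mov %gs:0x20, %rax") */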
	if (!src->mem_ref && !dst->mem_ref) {
		if (!has_reg_type(state, dst->reg1))
			return;

		tsr = &state->regs[dst->reg1];
		tsr->copied_from = -1;

		if (dso__kernel(map__dso(dloc->ms->map)) &&
		    src->segment == INSN_SEG_X86_GS && src->imm) {
			u64 ip = dloc->ms->sym->start + dl->al.offset;
			u64 var_addr;
			int offset;

			/*
			 * In kernel, %gs points to a per-cpu region for the
			 * current CPU.  Access with a constant offset should
			 * be treated as a global variable access.
			 */
			var_addr = src->offset;

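			/* offset 40 in the per-cpu area holds the x86-64 stack canary */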
			if (var_addr == 40) {
				tsr->kind = TSR_KIND_CANARY;
				tsr->ok = true;

				pr_debug_dtp("mov [%x] stack canary -> reg%d\n",
					     insn_offset, dst->reg1);
				return;
			}

			if (!get_global_var_type(cu_die, dloc, ip, var_addr,
						 &offset, &type_die) ||
			    !die_get_member_type(&type_die, offset, &type_die)) {
				tsr->ok = false;
				return;
			}

			tsr->type = type_die;
			tsr->kind = TSR_KIND_TYPE;
			tsr->ok = true;

			pr_debug_dtp("mov [%x] this-cpu addr=%#"PRIx64" -> reg%d",
				     insn_offset, var_addr, dst->reg1);
			pr_debug_type_name(&tsr->type, tsr->kind);
			return;
		}

		if (src->imm) {
			tsr->kind = TSR_KIND_CONST;
			tsr->imm_value = src->offset;
			tsr->ok = true;

			pr_debug_dtp("mov [%x] imm=%#x -> reg%d\n",
				     insn_offset, tsr->imm_value, dst->reg1);
			return;
		}

		if (!has_reg_type(state, src->reg1) ||
		    !state->regs[src->reg1].ok) {
			tsr->ok = false;
			return;
		}

		tsr->type = state->regs[src->reg1].type;
		tsr->kind = state->regs[src->reg1].kind;
		tsr->imm_value = state->regs[src->reg1].imm_value;
		tsr->ok = true;

		/* To copy back the variable type later (hopefully) */
		if (tsr->kind == TSR_KIND_TYPE)
			tsr->copied_from = src->reg1;

		pr_debug_dtp("mov [%x] reg%d -> reg%d",
			     insn_offset, src->reg1, dst->reg1);
		pr_debug_type_name(&tsr->type, tsr->kind);
	}
	/* Case 2. memory to register transfers */
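	/* (e.g. "mov 0x18(%rdi), %rax" or "mov 0x1234(%rip), %rax") */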
	if (src->mem_ref && !dst->mem_ref) {
		int sreg = src->reg1;

		if (!has_reg_type(state, dst->reg1))
			return;

		tsr = &state->regs[dst->reg1];
		tsr->copied_from = -1;

retry:
		/* Check stack variables with offset */
		if (sreg == fbreg) {
			struct type_state_stack *stack;
			int offset = src->offset - fboff;

			stack = find_stack_state(state, offset);
			if (stack == NULL) {
				tsr->ok = false;
				return;
			} else if (!stack->compound) {
				tsr->type = stack->type;
				tsr->kind = stack->kind;
				tsr->ok = true;
			} else if (die_get_member_type(&stack->type,
						       offset - stack->offset,
						       &type_die)) {
				tsr->type = type_die;
				tsr->kind = TSR_KIND_TYPE;
				tsr->ok = true;
			} else {
				tsr->ok = false;
				return;
			}

			pr_debug_dtp("mov [%x] -%#x(stack) -> reg%d",
				     insn_offset, -offset, dst->reg1);
			pr_debug_type_name(&tsr->type, tsr->kind);
		}
		/* And then dereference the pointer if it has one */
		else if (has_reg_type(state, sreg) && state->regs[sreg].ok &&
			 state->regs[sreg].kind == TSR_KIND_TYPE &&
			 die_deref_ptr_type(&state->regs[sreg].type,
					    src->offset, &type_die)) {
			tsr->type = type_die;
			tsr->kind = TSR_KIND_TYPE;
			tsr->ok = true;

			pr_debug_dtp("mov [%x] %#x(reg%d) -> reg%d",
				     insn_offset, src->offset, sreg, dst->reg1);
			pr_debug_type_name(&tsr->type, tsr->kind);
		}
		/* Or check if it's a global variable */
		else if (sreg == DWARF_REG_PC) {
			struct map_symbol *ms = dloc->ms;
			u64 ip = ms->sym->start + dl->al.offset;
			u64 addr;
			int offset;

			addr = annotate_calc_pcrel(ms, ip, src->offset, dl);

			if (!get_global_var_type(cu_die, dloc, ip, addr, &offset,
						 &type_die) ||
			    !die_get_member_type(&type_die, offset, &type_die)) {
				tsr->ok = false;
				return;
			}

			tsr->type = type_die;
			tsr->kind = TSR_KIND_TYPE;
			tsr->ok = true;

			pr_debug_dtp("mov [%x] global addr=%"PRIx64" -> reg%d",
				     insn_offset, addr, dst->reg1);
			pr_debug_type_name(&type_die, tsr->kind);
		}
		/* And check percpu access with base register */
		else if (has_reg_type(state, sreg) &&
			 state->regs[sreg].kind == TSR_KIND_PERCPU_BASE) {
			u64 ip = dloc->ms->sym->start + dl->al.offset;
			u64 var_addr = src->offset;
			int offset;

			if (src->multi_regs) {
				int reg2 = (sreg == src->reg1) ? src->reg2 : src->reg1;

				if (has_reg_type(state, reg2) && state->regs[reg2].ok &&
				    state->regs[reg2].kind == TSR_KIND_CONST)
					var_addr += state->regs[reg2].imm_value;
			}

			/*
			 * In kernel, %gs points to a per-cpu region for the
			 * current CPU.  Access with a constant offset should
			 * be treated as a global variable access.
			 */
			if (get_global_var_type(cu_die, dloc, ip, var_addr,
						&offset, &type_die) &&
			    die_get_member_type(&type_die, offset, &type_die)) {
				tsr->type = type_die;
				tsr->kind = TSR_KIND_TYPE;
				tsr->ok = true;

				if (src->multi_regs) {
					pr_debug_dtp("mov [%x] percpu %#x(reg%d,reg%d) -> reg%d",
						     insn_offset, src->offset, src->reg1,
						     src->reg2, dst->reg1);
				} else {
					pr_debug_dtp("mov [%x] percpu %#x(reg%d) -> reg%d",
						     insn_offset, src->offset, sreg, dst->reg1);
				}
				pr_debug_type_name(&tsr->type, tsr->kind);
			} else {
				tsr->ok = false;
			}
		}
		/* And then dereference the calculated pointer if it has one */
		else if (has_reg_type(state, sreg) && state->regs[sreg].ok &&
			 state->regs[sreg].kind == TSR_KIND_POINTER &&
			 die_get_member_type(&state->regs[sreg].type,
					     src->offset, &type_die)) {
			tsr->type = type_die;
			tsr->kind = TSR_KIND_TYPE;
			tsr->ok = true;

			pr_debug_dtp("mov [%x] pointer %#x(reg%d) -> reg%d",
				     insn_offset, src->offset, sreg, dst->reg1);
			pr_debug_type_name(&tsr->type, tsr->kind);
		}
		/* Or try another register if any */
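		/* (e.g. the index register in "mov (%rax,%rbx), %rcx") */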
		else if (src->multi_regs && sreg == src->reg1 &&
			 src->reg1 != src->reg2) {
			sreg = src->reg2;
			goto retry;
		}
		else {
			int offset;
			const char *var_name = NULL;

			/* it might be per-cpu variable (in kernel) access */
			if (src->offset < 0) {
				if (get_global_var_info(dloc, (s64)src->offset,
							&var_name, &offset) &&
				    !strcmp(var_name, "__per_cpu_offset")) {
					tsr->kind = TSR_KIND_PERCPU_BASE;
					tsr->ok = true;

					pr_debug_dtp("mov [%x] percpu base reg%d\n",
						     insn_offset, dst->reg1);
					return;
				}
			}

			tsr->ok = false;
		}
	}
	/* Case 3. register to memory transfers */
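	/* (e.g. "mov %rax, -0x20(%rbp)" storing into a stack slot) */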
	if (!src->mem_ref && dst->mem_ref) {
		if (!has_reg_type(state, src->reg1) ||
		    !state->regs[src->reg1].ok)
			return;

		/* Check stack variables with offset */
		if (dst->reg1 == fbreg) {
			struct type_state_stack *stack;
			int offset = dst->offset - fboff;

			tsr = &state->regs[src->reg1];

			stack = find_stack_state(state, offset);
			if (stack) {
				/*
				 * The source register is likely to hold a type
				 * of member if it's a compound type.  Do not
				 * update the stack variable type since we can
				 * get the member type later by using the
				 * die_get_member_type().
				 */
				if (!stack->compound)
					set_stack_state(stack, offset, tsr->kind,
							&tsr->type);
			} else {
				findnew_stack_state(state, offset, tsr->kind,
						    &tsr->type);
			}

			pr_debug_dtp("mov [%x] reg%d -> -%#x(stack)",
				     insn_offset, src->reg1, -offset);
			pr_debug_type_name(&tsr->type, tsr->kind);
		}
		/*
		 * Ignore other transfers since it'd set a value in a struct
		 * and won't change the type.
		 */
	}
	/* Case 4. memory to memory transfers (not handled for now) */
}
#endif