2 * This file is subject to the terms and conditions of the GNU General Public
3 * License. See the file "COPYING" in the main directory of this archive
6 * Copyright (c) 2006, 2007 Silicon Graphics, Inc. All Rights Reserved.
8 * Common code for doing accurate backtraces on i386 and x86_64, including
9 * printing the values of arguments.
12 #include <linux/init.h>
13 #include <linux/kallsyms.h>
14 #include <linux/kdb.h>
15 #include <linux/kdbprivate.h>
16 #include <linux/ctype.h>
17 #include <linux/string.h>
18 #include <linux/stringify.h>
19 #include <linux/kernel.h>
20 #include <linux/sched.h>
21 #include <linux/nmi.h>
22 #include <asm/asm-offsets.h>
23 #include <asm/system.h>
25 #define KDB_DEBUG_BB(fmt, ...) \
26 {if (KDB_DEBUG(BB)) kdb_printf(fmt, ## __VA_ARGS__);}
27 #define KDB_DEBUG_BB_OFFSET_PRINTF(offset, prefix, suffix) \
28 kdb_printf(prefix "%c0x%x" suffix, \
29 offset >= 0 ? '+' : '-', \
30 offset >= 0 ? offset : -offset)
31 #define KDB_DEBUG_BB_OFFSET(offset, prefix, suffix) \
32 {if (KDB_DEBUG(BB)) KDB_DEBUG_BB_OFFSET_PRINTF(offset, prefix, suffix);}
34 #define BB_CHECK(expr, val, ret) \
36 if (unlikely(expr)) { \
37 kdb_printf("%s, line %d: BB_CHECK(" #expr ") failed " \
39 __FUNCTION__, __LINE__, (long)val); \
47 /* Use BBRG_Rxx for both i386 and x86_64. RAX through R15 must be at the end,
48 * starting with RAX. Some of these codes do not reflect actual registers,
49 * such codes are special cases when parsing the record of register changes.
50 * When updating BBRG_ entries, update bbrg_name as well.
55 BBRG_UNDEFINED = 0, /* Register contents are undefined */
56 BBRG_OSP, /* original stack pointer on entry to function */
75 const static char *bbrg_name[] = {
76 [BBRG_UNDEFINED] = "undefined",
96 /* Map a register name to its register code. This includes the sub-register
97 * addressable fields, e.g. parts of rax can be addressed as ax, al, ah, eax.
98 * The list is sorted so it can be binary chopped, sort command is:
99 * LANG=C sort -t '"' -k2
102 struct bb_reg_code_map {
103 enum bb_reg_code reg;
107 const static struct bb_reg_code_map
108 bb_reg_code_map[] = {
134 { BBRG_R10, "r10d" },
135 { BBRG_R10, "r10l" },
136 { BBRG_R10, "r10w" },
138 { BBRG_R11, "r11d" },
139 { BBRG_R11, "r11l" },
140 { BBRG_R11, "r11w" },
142 { BBRG_R12, "r12d" },
143 { BBRG_R12, "r12l" },
144 { BBRG_R12, "r12w" },
146 { BBRG_R13, "r13d" },
147 { BBRG_R13, "r13l" },
148 { BBRG_R13, "r13w" },
150 { BBRG_R14, "r14d" },
151 { BBRG_R14, "r14l" },
152 { BBRG_R14, "r14w" },
154 { BBRG_R15, "r15d" },
155 { BBRG_R15, "r15l" },
156 { BBRG_R15, "r15w" },
179 /* Record register contents in terms of the values that were passed to this
180 * function, IOW track which registers contain an input value. A register's
181 * contents can be undefined, it can contain an input register value or it can
182 * contain an offset from the original stack pointer.
184 * This structure is used to represent the current contents of the integer
185 * registers, it is held in an array that is indexed by BBRG_xxx. The element
186 * for BBRG_xxx indicates what input value is currently in BBRG_xxx. When
187 * 'value' is BBRG_OSP then register BBRG_xxx contains a stack pointer,
188 * pointing at 'offset' from the original stack pointer on entry to the
189 * function. When 'value' is not BBRG_OSP then element BBRG_xxx contains the
190 * original contents of an input register and offset is ignored.
192 * An input register 'value' can be stored in more than one register and/or in
193 * more than one memory location.
196 struct bb_reg_contains
198 enum bb_reg_code value: 8;
202 /* Note: the offsets in struct bb_mem_contains in this code are _NOT_ offsets
203 * from OSP, they are offsets from current RSP. It fits better with the way
204 * that struct pt_regs is built, some code pushes extra data before pt_regs so
205 * working with OSP relative offsets gets messy. struct bb_mem_contains
206 * entries must be in descending order of RSP offset.
209 typedef struct { DECLARE_BITMAP(bits, BBRG_R15+1); } bbrgmask_t;
210 #define BB_SKIP(reg) (1 << (BBRG_ ## reg))
211 struct bb_mem_contains {
212 short offset_address;
213 enum bb_reg_code value: 8;
216 /* Transfer of control to a label outside the current function. If the
217 * transfer is to a known common restore path that expects known registers
218 * and/or a known memory state (e.g. struct pt_regs) then do a sanity check on
219 * the state at this point.
222 struct bb_name_state {
223 const char *name; /* target function */
224 bfd_vma address; /* Address of target function */
225 const char *fname; /* optional from function name */
226 const struct bb_mem_contains *mem; /* expected memory state */
227 const struct bb_reg_contains *regs; /* expected register state */
228 const unsigned short mem_size; /* ARRAY_SIZE(mem) */
229 const unsigned short regs_size; /* ARRAY_SIZE(regs) */
230 const short osp_offset; /* RSP in regs == OSP+osp_offset */
231 const bbrgmask_t skip_mem; /* Some slots in mem may be undefined */
232 const bbrgmask_t skip_regs; /* Some slots in regs may be undefined */
235 /* NS (NAME_STATE) macros define the register and memory state when we transfer
236 * control to or start decoding a special case name. Use NS when the target
237 * label always has the same state. Use NS_FROM and specify the source label
238 * if the target state is slightly different depending on where it is branched
239 * from. This gives better state checking, by isolating the special cases.
241 * Note: for the same target label, NS_FROM entries must be followed by a
245 #define NS_FROM(iname, ifname, imem, iregs, iskip_mem, iskip_regs, iosp_offset) \
251 .mem_size = ARRAY_SIZE(imem), \
252 .regs_size = ARRAY_SIZE(iregs), \
253 .skip_mem.bits[0] = iskip_mem, \
254 .skip_regs.bits[0] = iskip_regs, \
255 .osp_offset = iosp_offset, \
259 /* Shorter forms for the common cases */
260 #define NS(iname, imem, iregs, iskip_mem, iskip_regs, iosp_offset) \
261 NS_FROM(iname, NULL, imem, iregs, iskip_mem, iskip_regs, iosp_offset)
262 #define NS_MEM(iname, imem, iskip_mem) \
263 NS_FROM(iname, NULL, imem, no_regs, iskip_mem, 0, 0)
264 #define NS_MEM_FROM(iname, ifname, imem, iskip_mem) \
265 NS_FROM(iname, ifname, imem, no_regs, iskip_mem, 0, 0)
266 #define NS_REG(iname, iregs, iskip_regs) \
267 NS_FROM(iname, NULL, no_memory, iregs, 0, iskip_regs, 0)
268 #define NS_REG_FROM(iname, ifname, iregs, iskip_regs) \
269 NS_FROM(iname, ifname, no_memory, iregs, 0, iskip_regs, 0)
272 bb_reg_code_set_value(enum bb_reg_code dst, enum bb_reg_code src);
274 static const char *bb_mod_name, *bb_func_name;
277 bb_noret(const char *name)
279 if (strcmp(name, "panic") == 0 ||
280 strcmp(name, "do_exit") == 0 ||
281 strcmp(name, "do_group_exit") == 0 ||
282 strcmp(name, "complete_and_exit") == 0)
287 /*============================================================================*/
289 /* Most of the basic block code and data is common to x86_64 and i386. This */
290 /* large ifdef contains almost all of the differences between the two */
293 /* Make sure you update the correct section of this ifdef. */
295 /*============================================================================*/
299 /* Registers that can be used to pass parameters, in the order that parameters
303 const static enum bb_reg_code
313 const static enum bb_reg_code
314 bb_preserved_reg[] = {
324 static const struct bb_mem_contains full_pt_regs[] = {
341 static const struct bb_mem_contains partial_pt_regs[] = {
352 static const struct bb_mem_contains partial_pt_regs_plus_1[] = {
363 static const struct bb_mem_contains partial_pt_regs_plus_2[] = {
374 static const struct bb_mem_contains no_memory[] = {
376 /* Hardware has already pushed an error_code on the stack. Use undefined just
377 * to set the initial stack offset.
379 static const struct bb_mem_contains error_code[] = {
380 { 0x0, BBRG_UNDEFINED },
382 /* error_code plus original rax */
383 static const struct bb_mem_contains error_code_rax[] = {
384 { 0x8, BBRG_UNDEFINED },
388 static const struct bb_reg_contains all_regs[] = {
389 [BBRG_RAX] = { BBRG_RAX, 0 },
390 [BBRG_RBX] = { BBRG_RBX, 0 },
391 [BBRG_RCX] = { BBRG_RCX, 0 },
392 [BBRG_RDX] = { BBRG_RDX, 0 },
393 [BBRG_RDI] = { BBRG_RDI, 0 },
394 [BBRG_RSI] = { BBRG_RSI, 0 },
395 [BBRG_RBP] = { BBRG_RBP, 0 },
396 [BBRG_RSP] = { BBRG_OSP, 0 },
397 [BBRG_R8 ] = { BBRG_R8, 0 },
398 [BBRG_R9 ] = { BBRG_R9, 0 },
399 [BBRG_R10] = { BBRG_R10, 0 },
400 [BBRG_R11] = { BBRG_R11, 0 },
401 [BBRG_R12] = { BBRG_R12, 0 },
402 [BBRG_R13] = { BBRG_R13, 0 },
403 [BBRG_R14] = { BBRG_R14, 0 },
404 [BBRG_R15] = { BBRG_R15, 0 },
406 static const struct bb_reg_contains no_regs[] = {
409 static struct bb_name_state bb_special_cases[] = {
411 /* First the cases that pass data only in memory. We do not check any
412 * register state for these cases.
415 /* Simple cases, no exceptions */
416 NS_MEM("ia32_ptregs_common", partial_pt_regs_plus_1, 0),
417 NS_MEM("ia32_sysret", partial_pt_regs, 0),
418 NS_MEM("int_careful", partial_pt_regs, 0),
419 NS_MEM("int_restore_rest", full_pt_regs, 0),
420 NS_MEM("int_signal", full_pt_regs, 0),
421 NS_MEM("int_very_careful", partial_pt_regs, 0),
422 NS_MEM("int_with_check", partial_pt_regs, 0),
423 #ifdef CONFIG_TRACE_IRQFLAGS
424 NS_MEM("paranoid_exit0", full_pt_regs, 0),
425 #endif /* CONFIG_TRACE_IRQFLAGS */
426 NS_MEM("paranoid_exit1", full_pt_regs, 0),
427 NS_MEM("ptregscall_common", partial_pt_regs_plus_1, 0),
428 NS_MEM("restore_norax", partial_pt_regs, 0),
429 NS_MEM("restore", partial_pt_regs, 0),
430 NS_MEM("ret_from_intr", partial_pt_regs_plus_2, 0),
431 NS_MEM("stub32_clone", partial_pt_regs_plus_1, 0),
432 NS_MEM("stub32_execve", partial_pt_regs_plus_1, 0),
433 NS_MEM("stub32_fork", partial_pt_regs_plus_1, 0),
434 NS_MEM("stub32_iopl", partial_pt_regs_plus_1, 0),
435 NS_MEM("stub32_rt_sigreturn", partial_pt_regs_plus_1, 0),
436 NS_MEM("stub32_rt_sigsuspend", partial_pt_regs_plus_1, 0),
437 NS_MEM("stub32_sigaltstack", partial_pt_regs_plus_1, 0),
438 NS_MEM("stub32_sigreturn", partial_pt_regs_plus_1, 0),
439 NS_MEM("stub32_sigsuspend", partial_pt_regs_plus_1, 0),
440 NS_MEM("stub32_vfork", partial_pt_regs_plus_1, 0),
441 NS_MEM("stub_clone", partial_pt_regs_plus_1, 0),
442 NS_MEM("stub_execve", partial_pt_regs_plus_1, 0),
443 NS_MEM("stub_fork", partial_pt_regs_plus_1, 0),
444 NS_MEM("stub_iopl", partial_pt_regs_plus_1, 0),
445 NS_MEM("stub_rt_sigreturn", partial_pt_regs_plus_1, 0),
446 NS_MEM("stub_rt_sigsuspend", partial_pt_regs_plus_1, 0),
447 NS_MEM("stub_sigaltstack", partial_pt_regs_plus_1, 0),
448 NS_MEM("stub_vfork", partial_pt_regs_plus_1, 0),
450 NS_MEM_FROM("ia32_badsys", "ia32_sysenter_target",
452 /* ia32_sysenter_target uses CLEAR_RREGS to clear R8-R11 on
453 * some paths. It also stomps on RAX.
455 BB_SKIP(R8) | BB_SKIP(R9) | BB_SKIP(R10) | BB_SKIP(R11) |
457 NS_MEM_FROM("ia32_badsys", "ia32_cstar_target",
459 /* ia32_cstar_target uses CLEAR_RREGS to clear R8-R11 on some
460 * paths. It also stomps on RAX. Even more confusing, instead
461 * of storing RCX it stores RBP. WTF?
463 BB_SKIP(R8) | BB_SKIP(R9) | BB_SKIP(R10) | BB_SKIP(R11) |
464 BB_SKIP(RAX) | BB_SKIP(RCX)),
465 NS_MEM("ia32_badsys", partial_pt_regs, 0),
467 /* Various bits of code branch to int_ret_from_sys_call, with slightly
468 * different missing values in pt_regs.
470 NS_MEM_FROM("int_ret_from_sys_call", "ret_from_fork",
473 NS_MEM_FROM("int_ret_from_sys_call", "stub_execve",
475 BB_SKIP(RAX) | BB_SKIP(RCX)),
476 NS_MEM_FROM("int_ret_from_sys_call", "stub_rt_sigreturn",
478 BB_SKIP(RAX) | BB_SKIP(RCX)),
479 NS_MEM_FROM("int_ret_from_sys_call", "kernel_execve",
482 NS_MEM_FROM("int_ret_from_sys_call", "ia32_syscall",
484 /* ia32_syscall only saves RDI through RCX. */
485 BB_SKIP(R8) | BB_SKIP(R9) | BB_SKIP(R10) | BB_SKIP(R11) |
487 NS_MEM_FROM("int_ret_from_sys_call", "ia32_sysenter_target",
489 /* ia32_sysenter_target uses CLEAR_RREGS to clear R8-R11 on
490 * some paths. It also stomps on RAX.
492 BB_SKIP(R8) | BB_SKIP(R9) | BB_SKIP(R10) | BB_SKIP(R11) |
494 NS_MEM_FROM("int_ret_from_sys_call", "ia32_cstar_target",
496 /* ia32_cstar_target uses CLEAR_RREGS to clear R8-R11 on some
497 * paths. It also stomps on RAX. Even more confusing, instead
498 * of storing RCX it stores RBP. WTF?
500 BB_SKIP(R8) | BB_SKIP(R9) | BB_SKIP(R10) | BB_SKIP(R11) |
501 BB_SKIP(RAX) | BB_SKIP(RCX)),
502 NS_MEM("int_ret_from_sys_call", partial_pt_regs, 0),
504 #ifdef CONFIG_PREEMPT
505 NS_MEM("retint_kernel", partial_pt_regs, BB_SKIP(RAX)),
506 #endif /* CONFIG_PREEMPT */
508 NS_MEM("retint_careful", partial_pt_regs, BB_SKIP(RAX)),
510 /* Horrible hack: For a brand new x86_64 task, switch_to() branches to
511 * ret_from_fork with a totally different stack state from all the
512 * other tasks that come out of switch_to(). This non-standard state
513 * cannot be represented so just ignore the branch from switch_to() to
514 * ret_from_fork. Due to inlining and linker labels, switch_to() can
515 * appear as several different function labels, including schedule,
516 * context_switch and __sched_text_start.
518 NS_MEM_FROM("ret_from_fork", "schedule", no_memory, 0),
519 NS_MEM_FROM("ret_from_fork", "__sched_text_start", no_memory, 0),
520 NS_MEM_FROM("ret_from_fork", "context_switch", no_memory, 0),
521 NS_MEM("ret_from_fork", full_pt_regs, 0),
524 NS_MEM_FROM("ret_from_sys_call", "ret_from_fork",
527 NS_MEM("ret_from_sys_call", partial_pt_regs, 0),
529 NS_MEM("retint_restore_args",
531 BB_SKIP(RAX) | BB_SKIP(RCX)),
533 NS_MEM("retint_swapgs",
535 BB_SKIP(RAX) | BB_SKIP(RCX)),
537 /* Now the cases that pass data in registers. We do not check any
538 * memory state for these cases.
541 NS_REG("bad_put_user",
543 BB_SKIP(RAX) | BB_SKIP(RCX) | BB_SKIP(R8)),
545 NS_REG("bad_get_user",
547 BB_SKIP(RAX) | BB_SKIP(RCX) | BB_SKIP(R8)),
549 NS_REG("bad_to_user",
551 BB_SKIP(RAX) | BB_SKIP(RCX)),
553 NS_REG("ia32_ptregs_common",
557 NS_REG("copy_user_generic_unrolled",
559 BB_SKIP(RAX) | BB_SKIP(RCX)),
561 NS_REG("copy_user_generic_string",
563 BB_SKIP(RAX) | BB_SKIP(RCX)),
569 /* Finally the cases that pass data in both registers and memory.
572 NS("invalid_TSS", error_code, all_regs, 0, 0, 0),
573 NS("segment_not_present", error_code, all_regs, 0, 0, 0),
574 NS("alignment_check", error_code, all_regs, 0, 0, 0),
575 NS("page_fault", error_code, all_regs, 0, 0, 0),
576 NS("general_protection", error_code, all_regs, 0, 0, 0),
577 NS("error_entry", error_code_rax, all_regs, 0, BB_SKIP(RAX), -0x10),
578 NS("common_interrupt", error_code, all_regs, 0, 0, -0x8),
581 static const char *bb_spurious[] = {
594 "int_ret_from_sys_call",
600 /* common_interrupt */
603 "retint_with_reschedule",
606 "retint_restore_args",
612 #ifdef CONFIG_PREEMPT
614 #endif /* CONFIG_PREEMPT */
615 /* .macro paranoidexit */
616 #ifdef CONFIG_TRACE_IRQFLAGS
618 "paranoid_userspace0",
621 "paranoid_schedule0",
622 #endif /* CONFIG_TRACE_IRQFLAGS */
626 "paranoid_userspace1",
627 "paranoid_schedule1",
636 /* ia32_sysenter_target */
639 /* ia32_cstar_target */
648 #ifdef CONFIG_HIBERNATION
652 #endif /* CONFIG_HIBERNATION */
653 #ifdef CONFIG_KPROBES
656 /* kretprobe_trampoline_holder */
657 "kretprobe_trampoline",
658 #endif /* CONFIG_KPROBES */
660 /* relocate_kernel */
661 "relocate_new_kernel",
662 #endif /* CONFIG_KEXEC */
664 /* arch/i386/xen/xen-asm.S */
665 "xen_irq_enable_direct_end",
666 "xen_irq_disable_direct_end",
667 "xen_save_fl_direct_end",
668 "xen_restore_fl_direct_end",
669 "xen_iret_start_crit",
673 #endif /* CONFIG_XEN */
676 static const char *bb_hardware_handlers[] = {
690 bb_hardware_pushed_arch(kdb_machreg_t rsp,
691 const struct kdb_activation_record *ar)
693 /* x86_64 interrupt stacks are 16 byte aligned and you must get the
694 * next rsp from stack, it cannot be statically calculated. Do not
695 * include the word at rsp, it is pushed by hardware but is treated as
696 * a normal software return value.
698 * When an IST switch occurs (e.g. NMI) then the saved rsp points to
699 * another stack entirely. Assume that the IST stack is 16 byte
700 * aligned and just return the size of the hardware data on this stack.
701 * The stack unwind code will take care of the stack switch.
703 kdb_machreg_t saved_rsp = *((kdb_machreg_t *)rsp + 3);
704 int hardware_pushed = saved_rsp - rsp - KDB_WORD_SIZE;
705 if (hardware_pushed < 4 * KDB_WORD_SIZE ||
706 saved_rsp < ar->stack.logical_start ||
707 saved_rsp >= ar->stack.logical_end)
708 return 4 * KDB_WORD_SIZE;
710 return hardware_pushed;
714 bb_start_block0(void)
716 bb_reg_code_set_value(BBRG_RAX, BBRG_RAX);
717 bb_reg_code_set_value(BBRG_RBX, BBRG_RBX);
718 bb_reg_code_set_value(BBRG_RCX, BBRG_RCX);
719 bb_reg_code_set_value(BBRG_RDX, BBRG_RDX);
720 bb_reg_code_set_value(BBRG_RDI, BBRG_RDI);
721 bb_reg_code_set_value(BBRG_RSI, BBRG_RSI);
722 bb_reg_code_set_value(BBRG_RBP, BBRG_RBP);
723 bb_reg_code_set_value(BBRG_RSP, BBRG_OSP);
724 bb_reg_code_set_value(BBRG_R8, BBRG_R8);
725 bb_reg_code_set_value(BBRG_R9, BBRG_R9);
726 bb_reg_code_set_value(BBRG_R10, BBRG_R10);
727 bb_reg_code_set_value(BBRG_R11, BBRG_R11);
728 bb_reg_code_set_value(BBRG_R12, BBRG_R12);
729 bb_reg_code_set_value(BBRG_R13, BBRG_R13);
730 bb_reg_code_set_value(BBRG_R14, BBRG_R14);
731 bb_reg_code_set_value(BBRG_R15, BBRG_R15);
734 /* x86_64 does not have a special case for __switch_to */
737 bb_fixup_switch_to(char *p)
742 bb_asmlinkage_arch(void)
744 return strncmp(bb_func_name, "__down", 6) == 0 ||
745 strncmp(bb_func_name, "__up", 4) == 0 ||
746 strncmp(bb_func_name, "stub_", 5) == 0 ||
747 strcmp(bb_func_name, "ret_from_fork") == 0 ||
748 strcmp(bb_func_name, "ptregscall_common") == 0;
751 #else /* !CONFIG_X86_64 */
753 /* Registers that can be used to pass parameters, in the order that parameters
757 const static enum bb_reg_code
764 const static enum bb_reg_code
765 bb_preserved_reg[] = {
773 static const struct bb_mem_contains full_pt_regs[] = {
782 static const struct bb_mem_contains no_memory[] = {
784 /* Hardware has already pushed an error_code on the stack. Use undefined just
785 * to set the initial stack offset.
787 static const struct bb_mem_contains error_code[] = {
788 { 0x0, BBRG_UNDEFINED },
790 /* rbx already pushed */
791 static const struct bb_mem_contains rbx_pushed[] = {
794 #ifdef CONFIG_MATH_EMULATION
795 static const struct bb_mem_contains mem_fpu_reg_round[] = {
801 #endif /* CONFIG_MATH_EMULATION */
803 static const struct bb_reg_contains all_regs[] = {
804 [BBRG_RAX] = { BBRG_RAX, 0 },
805 [BBRG_RBX] = { BBRG_RBX, 0 },
806 [BBRG_RCX] = { BBRG_RCX, 0 },
807 [BBRG_RDX] = { BBRG_RDX, 0 },
808 [BBRG_RDI] = { BBRG_RDI, 0 },
809 [BBRG_RSI] = { BBRG_RSI, 0 },
810 [BBRG_RBP] = { BBRG_RBP, 0 },
811 [BBRG_RSP] = { BBRG_OSP, 0 },
813 static const struct bb_reg_contains no_regs[] = {
815 #ifdef CONFIG_MATH_EMULATION
816 static const struct bb_reg_contains reg_fpu_reg_round[] = {
817 [BBRG_RBP] = { BBRG_OSP, -0x4 },
818 [BBRG_RSP] = { BBRG_OSP, -0x10 },
820 #endif /* CONFIG_MATH_EMULATION */
822 static struct bb_name_state bb_special_cases[] = {
824 /* First the cases that pass data only in memory. We do not check any
825 * register state for these cases.
828 /* Simple cases, no exceptions */
829 NS_MEM("check_userspace", full_pt_regs, 0),
830 NS_MEM("device_not_available_emulate", full_pt_regs, 0),
831 NS_MEM("ldt_ss", full_pt_regs, 0),
832 NS_MEM("no_singlestep", full_pt_regs, 0),
833 NS_MEM("restore_all", full_pt_regs, 0),
834 NS_MEM("restore_nocheck", full_pt_regs, 0),
835 NS_MEM("restore_nocheck_notrace", full_pt_regs, 0),
836 NS_MEM("ret_from_exception", full_pt_regs, 0),
837 NS_MEM("ret_from_fork", full_pt_regs, 0),
838 NS_MEM("ret_from_intr", full_pt_regs, 0),
839 NS_MEM("work_notifysig", full_pt_regs, 0),
840 NS_MEM("work_pending", full_pt_regs, 0),
842 #ifdef CONFIG_PREEMPT
843 NS_MEM("resume_kernel", full_pt_regs, 0),
844 #endif /* CONFIG_PREEMPT */
846 NS_MEM("common_interrupt", error_code, 0),
847 NS_MEM("error_code", error_code, 0),
849 NS_MEM("bad_put_user", rbx_pushed, 0),
851 NS_MEM_FROM("resume_userspace", "syscall_badsys",
852 full_pt_regs, BB_SKIP(RAX)),
853 NS_MEM_FROM("resume_userspace", "syscall_fault",
854 full_pt_regs, BB_SKIP(RAX)),
855 NS_MEM_FROM("resume_userspace", "syscall_trace_entry",
856 full_pt_regs, BB_SKIP(RAX)),
857 /* Too difficult to trace through the various vm86 functions for now.
858 * They are C functions that start off with some memory state, fiddle
859 * the registers then jmp directly to resume_userspace. For the
860 * moment, just assume that they are valid and do no checks.
862 NS_FROM("resume_userspace", "do_int",
863 no_memory, no_regs, 0, 0, 0),
864 NS_FROM("resume_userspace", "do_sys_vm86",
865 no_memory, no_regs, 0, 0, 0),
866 NS_FROM("resume_userspace", "handle_vm86_fault",
867 no_memory, no_regs, 0, 0, 0),
868 NS_FROM("resume_userspace", "handle_vm86_trap",
869 no_memory, no_regs, 0, 0, 0),
870 NS_MEM("resume_userspace", full_pt_regs, 0),
872 NS_MEM_FROM("syscall_badsys", "sysenter_entry",
873 full_pt_regs, BB_SKIP(RBP)),
874 NS_MEM("syscall_badsys", full_pt_regs, 0),
876 NS_MEM_FROM("syscall_call", "syscall_trace_entry",
877 full_pt_regs, BB_SKIP(RAX)),
878 NS_MEM("syscall_call", full_pt_regs, 0),
880 NS_MEM_FROM("syscall_exit", "syscall_trace_entry",
881 full_pt_regs, BB_SKIP(RAX)),
882 NS_MEM("syscall_exit", full_pt_regs, 0),
884 NS_MEM_FROM("syscall_exit_work", "sysenter_entry",
885 full_pt_regs, BB_SKIP(RAX) | BB_SKIP(RBP)),
886 NS_MEM_FROM("syscall_exit_work", "system_call",
887 full_pt_regs, BB_SKIP(RAX)),
888 NS_MEM("syscall_exit_work", full_pt_regs, 0),
890 NS_MEM_FROM("syscall_trace_entry", "sysenter_entry",
891 full_pt_regs, BB_SKIP(RBP)),
892 NS_MEM_FROM("syscall_trace_entry", "system_call",
893 full_pt_regs, BB_SKIP(RAX)),
894 NS_MEM("syscall_trace_entry", full_pt_regs, 0),
896 /* Now the cases that pass data in registers. We do not check any
897 * memory state for these cases.
900 NS_REG("syscall_fault", all_regs, 0),
902 NS_REG("bad_get_user", all_regs,
903 BB_SKIP(RAX) | BB_SKIP(RDX)),
905 /* Finally the cases that pass data in both registers and memory.
908 /* This entry is redundant now because bb_fixup_switch_to() hides the
909 * jmp __switch_to case, however the entry is left here as
912 * NS("__switch_to", no_memory, no_regs, 0, 0, 0),
915 NS("iret_exc", no_memory, all_regs, 0, 0, 0x20),
917 #ifdef CONFIG_MATH_EMULATION
918 NS("fpu_reg_round", mem_fpu_reg_round, reg_fpu_reg_round, 0, 0, 0),
919 #endif /* CONFIG_MATH_EMULATION */
922 static const char *bb_spurious[] = {
923 /* ret_from_exception */
928 #ifdef CONFIG_PREEMPT
930 #endif /* CONFIG_PREEMPT */
939 "restore_nocheck_notrace",
941 /* do not include iret_exc, it is in a .fixup section */
946 "work_notifysig_v86",
947 #endif /* CONFIG_VM86 */
950 /* device_not_available */
951 "device_not_available_emulate",
953 "debug_esp_fix_insn",
954 "debug_stack_correct",
958 "nmi_debug_stack_check",
960 #ifdef CONFIG_HIBERNATION
964 #endif /* CONFIG_HIBERNATION */
965 #ifdef CONFIG_KPROBES
968 #endif /* CONFIG_KPROBES */
970 /* relocate_kernel */
971 "relocate_new_kernel",
972 #endif /* CONFIG_KEXEC */
973 #ifdef CONFIG_MATH_EMULATION
974 /* assorted *.S files in arch/i386/math_emu */
976 "Denorm_shift_more_than_32",
977 "Denorm_shift_more_than_63",
978 "Denorm_shift_more_than_64",
979 "Do_unmasked_underflow",
983 "fpu_reg_round_signed_special_exit",
984 "fpu_reg_round_special_exit",
994 "L_bugged_denorm_486",
998 "LCheck_24_round_up",
999 "LCheck_53_round_up",
1000 "LCheck_Round_Overflow",
1001 "LCheck_truncate_24",
1002 "LCheck_truncate_53",
1003 "LCheck_truncate_64",
1004 "LDenormal_adj_exponent",
1047 "L_no_precision_loss",
1053 "L_precision_lost_down",
1054 "L_precision_lost_up",
1055 "LPrevent_2nd_overflow",
1056 "LPrevent_3rd_overflow",
1059 "LResult_Normalised",
1062 "LRound_nearest_24",
1063 "LRound_nearest_53",
1064 "LRound_nearest_64",
1069 "L_round_the_result",
1074 "LSecond_div_not_1",
1082 "L_Store_significand",
1088 "L_underflow_to_zero",
1096 "sqrt_get_more_precision",
1097 "sqrt_more_prec_large",
1098 "sqrt_more_prec_ok",
1099 "sqrt_more_prec_small",
1101 "sqrt_near_exact_large",
1102 "sqrt_near_exact_ok",
1103 "sqrt_near_exact_small",
1104 "sqrt_near_exact_x",
1105 "sqrt_prelim_no_adjust",
1106 "sqrt_round_result",
1107 "sqrt_stage_2_done",
1108 "sqrt_stage_2_error",
1109 "sqrt_stage_2_finish",
1110 "sqrt_stage_2_positive",
1111 "sqrt_stage_3_error",
1112 "sqrt_stage_3_finished",
1113 "sqrt_stage_3_no_error",
1114 "sqrt_stage_3_positive",
1115 "Unmasked_underflow",
1116 "xExp_not_underflow",
1117 #endif /* CONFIG_MATH_EMULATION */
1120 static const char *bb_hardware_handlers[] = {
1121 "ret_from_exception",
1126 "coprocessor_error",
1127 "simd_coprocessor_error",
1128 "device_not_available",
1135 "coprocessor_segment_overrun",
1137 "segment_not_present",
1139 "general_protection",
1144 "spurious_interrupt_bug",
1148 bb_hardware_pushed_arch(kdb_machreg_t rsp,
1149 const struct kdb_activation_record *ar)
1151 return (2 * KDB_WORD_SIZE);
1155 bb_start_block0(void)
1157 bb_reg_code_set_value(BBRG_RAX, BBRG_RAX);
1158 bb_reg_code_set_value(BBRG_RBX, BBRG_RBX);
1159 bb_reg_code_set_value(BBRG_RCX, BBRG_RCX);
1160 bb_reg_code_set_value(BBRG_RDX, BBRG_RDX);
1161 bb_reg_code_set_value(BBRG_RDI, BBRG_RDI);
1162 bb_reg_code_set_value(BBRG_RSI, BBRG_RSI);
1163 bb_reg_code_set_value(BBRG_RBP, BBRG_RBP);
1164 bb_reg_code_set_value(BBRG_RSP, BBRG_OSP);
1167 /* The i386 code that switches stack in a context switch is an extremely
1168 * special case. It saves the rip pointing to a label that is not otherwise
1169 * referenced, saves the current rsp then pushes a word. The magic code that
1170 * resumes the new task picks up the saved rip and rsp, effectively referencing
1171 * a label that otherwise is not used and ignoring the pushed word.
1173 * The simplest way to handle this very strange case is to recognise jmp
1174 * address <__switch_to> and treat it as a popfl instruction. This avoids
1175 * terminating the block on this jmp and removes one word from the stack state,
1176 * which is the end effect of all the magic code.
1178 * Called with the instruction line, starting after the first ':'.
1182 bb_fixup_switch_to(char *p)
1185 p += strspn(p, " \t"); /* start of instruction */
1186 if (strncmp(p, "jmp", 3))
1188 p += strcspn(p, " \t"); /* end of instruction */
1189 p += strspn(p, " \t"); /* start of address */
1190 p += strcspn(p, " \t"); /* end of address */
1191 p += strspn(p, " \t"); /* start of comment */
1192 if (strcmp(p, "<__switch_to>") == 0)
1193 strcpy(p1, "popfl");
1197 bb_asmlinkage_arch(void)
1199 return strcmp(bb_func_name, "ret_from_exception") == 0 ||
1200 strcmp(bb_func_name, "syscall_trace_entry") == 0;
1203 #endif /* CONFIG_X86_64 */
1206 /*============================================================================*/
1208 /* Common code and data. */
1210 /*============================================================================*/
1213 /* Tracking registers by decoding the instructions is quite a bit harder than
1214 * doing the same tracking using compiler generated information. Register
1215 * contents can remain in the same register, they can be copied to other
1216 * registers, they can be stored on stack or they can be modified/overwritten.
1217 * At any one time, there are 0 or more copies of the original value that was
1218 * supplied in each register on input to the current function. If a register
1219 * exists in multiple places, one copy of that register is the master version,
1220 * the others are temporary copies which may or may not be destroyed before the
1221 * end of the function.
1223 * The compiler knows which copy of a register is the master and which are
1224 * temporary copies, which makes it relatively easy to track register contents
1225 * as they are saved and restored. Without that compiler based knowledge, this
1226 * code has to track _every_ possible copy of each register, simply because we
1227 * do not know which is the master copy and which are temporary copies which
1228 * may be destroyed later.
1230 * It gets worse: registers that contain parameters can be copied to other
1231 * registers which are then saved on stack in a lower level function. Also the
1232 * stack pointer may be held in multiple registers (typically RSP and RBP)
1233 * which contain different offsets from the base of the stack on entry to this
1234 * function. All of which means that we have to track _all_ register
1235 * movements, or at least as much as possible.
1237 * Start with the basic block that contains the start of the function, by
1238 * definition all registers contain their initial value. Track each
1239 * instruction's effect on register contents, this includes reading from a
1240 * parameter register before any write to that register, IOW the register
1241 * really does contain a parameter. The register state is represented by a
1242 * dynamically sized array with each entry containing :-
1245 * Location it is copied to (another register or stack + offset)
1247 * Besides the register tracking array, we track which parameter registers are
1248 * read before being written, to determine how many parameters are passed in
1249 * registers. We also track which registers contain stack pointers, including
1250 * their offset from the original stack pointer on entry to the function.
1252 * At each exit from the current basic block (via JMP instruction or drop
1253 * through), the register state is cloned to form the state on input to the
1254 * target basic block and the target is marked for processing using this state.
1255 * When there are multiple ways to enter a basic block (e.g. several JMP
1256 * instructions referencing the same target) then there will be multiple sets
1257 * of register state to form the "input" for that basic block, there is no
1258 * guarantee that all paths to that block will have the same register state.
1260 * As each target block is processed, all the known sets of register state are
1261 * merged to form a suitable subset of the state which agrees with all the
1262 * inputs. The most common case is where one path to this block copies a
1263 * register to another register but another path does not, therefore the copy
1264 * is only a temporary and should not be propogated into this block.
1266 * If the target block already has an input state from the current transfer
1267 * point and the new input state is identical to the previous input state then
1268 * we have reached a steady state for the arc from the current location to the
1269 * target block. Therefore there is no need to process the target block again.
1271 * The steps of "process a block, create state for target block(s), pick a new
1272 * target block, merge state for target block, process target block" will
1273 * continue until all the state changes have propogated all the way down the
1274 * basic block tree, including round any cycles in the tree. The merge step
1275 * only deletes tracking entries from the input state(s), it never adds a
1276 * tracking entry. Therefore the overall algorithm is guaranteed to converge
1277 * to a steady state, the worst possible case is that every tracking entry into
1278 * a block is deleted, which will result in an empty output state.
1280 * As each instruction is decoded, it is checked to see if this is the point at
1281 * which execution left this function. This can be a call to another function
1282 * (actually the return address to this function) or is the instruction which
1283 * was about to be executed when an interrupt occurred (including an oops).
1284 * Save the register state at this point.
1286 * We always know what the registers contain when execution left this function.
1287 * For an interrupt, the registers are in struct pt_regs. For a call to
1288 * another function, we have already deduced the register state on entry to the
1289 * other function by unwinding to the start of that function. Given the
1290 * register state on exit from this function plus the known register contents
1291 * on entry to the next function, we can determine the stack pointer value on
1292 * input to this function. That in turn lets us calculate the address of input
1293 * registers that have been stored on stack, giving us the input parameters.
1294 * Finally the stack pointer gives us the return address which is the exit
1295 * point from the calling function, repeat the unwind process on that function.
1297 * The data that tracks which registers contain input parameters is function
1298 * global, not local to any basic block. To determine which input registers
1299 * contain parameters, we have to decode the entire function. Otherwise an
1300 * exit early in the function might not have read any parameters yet.
1303 /* Record memory contents in terms of the values that were passed to this
1304 * function, IOW track which memory locations contain an input value. A memory
1305 * location's contents can be undefined, it can contain an input register value
1306 * or it can contain an offset from the original stack pointer.
1308 * This structure is used to record register contents that have been stored in
1309 * memory. Location (BBRG_OSP + 'offset_address') contains the input value
1310 * from register 'value'. When 'value' is BBRG_OSP then offset_value contains
1311 * the offset from the original stack pointer that was stored in this memory
1312 * location. When 'value' is not BBRG_OSP then the memory location contains
1313 * the original contents of an input register and offset_value is ignored.
1315 * An input register 'value' can be stored in more than one register and/or in
1316 * more than one memory location.
1319 struct bb_memory_contains
1321 short offset_address;
1322 enum bb_reg_code value: 8;
1326 /* Track the register state in each basic block. */
1330 /* Indexed by register value 'reg - BBRG_RAX' */
1331 struct bb_reg_contains contains[KDB_INT_REGISTERS];
1334 /* dynamic size for memory locations, see mem_count */
1335 struct bb_memory_contains memory[0];
1338 static struct bb_reg_state *bb_reg_state, *bb_exit_state;
1339 static int bb_reg_state_max, bb_reg_params, bb_memory_params;
1347 /* Contains the actual hex value of a register, plus a valid bit. Indexed by
1348 * register value 'reg - BBRG_RAX'
1350 static struct bb_actual bb_actual[KDB_INT_REGISTERS];
1352 static bfd_vma bb_func_start, bb_func_end;
1353 static bfd_vma bb_common_interrupt, bb_error_entry, bb_ret_from_intr,
1354 bb_thread_return, bb_sync_regs, bb_save_v86_state,
1355 bb__sched_text_start, bb__sched_text_end;
1357 /* Record jmp instructions, both conditional and unconditional. These form the
1358 * arcs between the basic blocks. This is also used to record the state when
1359 * one block drops through into the next.
1361 * A bb can have multiple associated bb_jmp entries, one for each jcc
1362 * instruction plus at most one bb_jmp for the drop through case. If a bb
1363 * drops through to the next bb then the drop through bb_jmp entry will be the
1364 * last entry in the set of bb_jmp's that are associated with the bb. This is
1365 * enforced by the fact that jcc entries are added during the disassembly phase
1366 * of pass 1, the drop through entries are added near the end of pass 1.
1368 * At address 'from' in this block, we have a jump to address 'to'. The
1369 * register state at 'from' is copied to the target block.
1376 struct bb_reg_state *state;
1377 unsigned int drop_through: 1;
1383 /* The end address of a basic block is sloppy. It can be the first
1384 * byte of the last instruction in the block or it can be the last byte
1388 unsigned int changed: 1;
1389 unsigned int drop_through: 1;
1392 static struct bb **bb_list, *bb_curr;
1393 static int bb_max, bb_count;
1395 static struct bb_jmp *bb_jmp_list;
1396 static int bb_jmp_max, bb_jmp_count;
1398 /* Add a new bb entry to the list. This does an insert sort. */
1401 bb_new(bfd_vma order)
1407 if (bb_count == bb_max) {
1408 struct bb **bb_list_new;
1410 bb_list_new = debug_kmalloc(bb_max*sizeof(*bb_list_new),
1413 kdb_printf("\n\n%s: out of debug_kmalloc\n", __FUNCTION__);
1417 memcpy(bb_list_new, bb_list, bb_count*sizeof(*bb_list));
1418 debug_kfree(bb_list);
1419 bb_list = bb_list_new;
1421 bb = debug_kmalloc(sizeof(*bb), GFP_ATOMIC);
1423 kdb_printf("\n\n%s: out of debug_kmalloc\n", __FUNCTION__);
1427 memset(bb, 0, sizeof(*bb));
1428 for (i = 0; i < bb_count; ++i) {
1430 if ((p->start && p->start > order) ||
1431 (p->end && p->end > order))
1434 for (j = bb_count-1; j >= i; --j)
1435 bb_list[j+1] = bb_list[j];
1441 /* Add a new bb_jmp entry to the list. This list is not sorted. */
1443 static struct bb_jmp *
1444 bb_jmp_new(bfd_vma from, bfd_vma to, unsigned int drop_through)
1446 struct bb_jmp *bb_jmp;
1449 if (bb_jmp_count == bb_jmp_max) {
1450 struct bb_jmp *bb_jmp_list_new;
1453 debug_kmalloc(bb_jmp_max*sizeof(*bb_jmp_list_new),
1455 if (!bb_jmp_list_new) {
1456 kdb_printf("\n\n%s: out of debug_kmalloc\n",
1461 memcpy(bb_jmp_list_new, bb_jmp_list,
1462 bb_jmp_count*sizeof(*bb_jmp_list));
1463 debug_kfree(bb_jmp_list);
1464 bb_jmp_list = bb_jmp_list_new;
1466 bb_jmp = bb_jmp_list + bb_jmp_count++;
1467 bb_jmp->from = from;
1469 bb_jmp->drop_through = drop_through;
1470 bb_jmp->state = NULL;
1477 struct bb *bb = bb_list[i];
1478 memcpy(bb_list+i, bb_list+i+1, (bb_count-i-1)*sizeof(*bb_list));
1479 bb_list[--bb_count] = NULL;
1484 bb_add(bfd_vma start, bfd_vma end)
1488 /* Ignore basic blocks whose start address is outside the current
1489 * function. These occur for call instructions and for tail recursion.
1492 (start < bb_func_start || start >= bb_func_end))
1494 for (i = 0; i < bb_count; ++i) {
1496 if ((start && bb->start == start) ||
1497 (end && bb->end == end))
1500 bb = bb_new(start ? start : end);
1508 static struct bb_jmp *
1509 bb_jmp_add(bfd_vma from, bfd_vma to, unsigned int drop_through)
1512 struct bb_jmp *bb_jmp;
1513 for (i = 0, bb_jmp = bb_jmp_list; i < bb_jmp_count; ++i, ++bb_jmp) {
1514 if (bb_jmp->from == from &&
1516 bb_jmp->drop_through == drop_through)
1519 bb_jmp = bb_jmp_new(from, to, drop_through);
1523 static unsigned long bb_curr_addr, bb_exit_addr;
1524 static char bb_buffer[256]; /* A bit too big to go on stack */
1526 /* Computed jmp uses 'jmp *addr(,%reg,[48])' where 'addr' is the start of a
1527 * table of addresses that point into the current function. Run the table and
1528 * generate bb starts for each target address plus a bb_jmp from this address
1529 * to the target address.
1531 * Only called for 'jmp' instructions, with the pointer starting at 'jmp'.
1535 bb_pass1_computed_jmp(char *p)
1537 unsigned long table, scale;
1540 p += strcspn(p, " \t"); /* end of instruction */
1541 p += strspn(p, " \t"); /* start of address */
1544 table = simple_strtoul(p, &p, 0);
1545 if (strncmp(p, "(,%", 3) != 0)
1548 p += strcspn(p, ","); /* end of reg */
1551 scale = simple_strtoul(p, &p, 0);
1552 if (scale != KDB_WORD_SIZE || strcmp(p, ")"))
1554 while (!bb_giveup) {
1555 if (kdb_getword(&addr, table, sizeof(addr)))
1557 if (addr < bb_func_start || addr >= bb_func_end)
1559 bb = bb_add(addr, 0);
1561 bb_jmp_add(bb_curr_addr, addr, 0);
1562 table += KDB_WORD_SIZE;
1566 /* Pass 1, identify the start and end of each basic block */
1569 bb_dis_pass1(PTR file, const char *fmt, ...)
1571 int l = strlen(bb_buffer);
1575 vsnprintf(bb_buffer + l, sizeof(bb_buffer) - l, fmt, ap);
1577 if ((p = strchr(bb_buffer, '\n'))) {
1579 /* ret[q], iret[q], sysexit, sysret, ud2a or jmp[q] end a
1580 * block. As does a call to a function marked noret.
1583 p += strcspn(p, ":");
1585 bb_fixup_switch_to(p);
1586 p += strspn(p, " \t"); /* start of instruction */
1587 if (strncmp(p, "ret", 3) == 0 ||
1588 strncmp(p, "iret", 4) == 0 ||
1589 strncmp(p, "sysexit", 7) == 0 ||
1590 strncmp(p, "sysret", 6) == 0 ||
1591 strncmp(p, "ud2a", 4) == 0 ||
1592 strncmp(p, "jmp", 3) == 0) {
1593 if (strncmp(p, "jmp", 3) == 0)
1594 bb_pass1_computed_jmp(p);
1595 bb_add(0, bb_curr_addr);
1597 if (strncmp(p, "call", 4) == 0) {
1598 strsep(&p, " \t"); /* end of opcode */
1600 p += strspn(p, " \t"); /* operand(s) */
1601 if (p && strchr(p, '<')) {
1602 p = strchr(p, '<') + 1;
1603 *strchr(p, '>') = '\0';
1605 bb_add(0, bb_curr_addr);
1609 bb_buffer[0] = '\0';
1615 bb_printaddr_pass1(bfd_vma addr, disassemble_info *dip)
1617 kdb_symtab_t symtab;
1618 unsigned int offset;
1620 /* disasm only calls the printaddr routine for the target of jmp, loop
1621 * or call instructions, i.e. the start of a basic block. call is
1622 * ignored by bb_add because the target address is outside the current
1625 dip->fprintf_func(dip->stream, "0x%lx", addr);
1626 kdbnearsym(addr, &symtab);
1627 if (symtab.sym_name) {
1628 dip->fprintf_func(dip->stream, " <%s", symtab.sym_name);
1629 if ((offset = addr - symtab.sym_start))
1630 dip->fprintf_func(dip->stream, "+0x%x", offset);
1631 dip->fprintf_func(dip->stream, ">");
1633 bb = bb_add(addr, 0);
1635 bb_jmp_add(bb_curr_addr, addr, 0);
1644 struct bb_jmp *bb_jmp;
1646 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
1647 kdb_printf("%s: func_name %s func_start " kdb_bfd_vma_fmt0
1648 " func_end " kdb_bfd_vma_fmt0 "\n",
1653 kdb_di.fprintf_func = bb_dis_pass1;
1654 kdb_di.print_address_func = bb_printaddr_pass1;
1656 bb_add(bb_func_start, 0);
1657 for (bb_curr_addr = bb_func_start;
1658 bb_curr_addr < bb_func_end;
1661 if (kdb_getarea(c, bb_curr_addr)) {
1662 kdb_printf("%s: unreadable function code at ",
1664 kdb_symbol_print(bb_curr_addr, NULL, KDB_SP_DEFAULT);
1665 kdb_printf(", giving up\n");
1670 for (addr = bb_func_start; addr < bb_func_end; ) {
1671 bb_curr_addr = addr;
1672 addr += kdba_id_printinsn(addr, &kdb_di);
1673 kdb_di.fprintf_func(NULL, "\n");
1678 /* Special case: a block consisting of a single instruction which is
1679 * both the target of a jmp and is also an ending instruction, so we
1680 * add two blocks using the same address, one as a start and one as an
1681 * end, in no guaranteed order. The end must be ordered after the
1684 for (i = 0; i < bb_count-1; ++i) {
1685 struct bb *bb1 = bb_list[i], *bb2 = bb_list[i+1];
1686 if (bb1->end && bb1->end == bb2->start) {
1688 bb_list[i+1] = bb_list[i];
1693 /* Some bb have a start address, some have an end address. Collapse
1694 * them into entries that have both start and end addresses. The first
1695 * entry is guaranteed to have a start address.
1697 for (i = 0; i < bb_count-1; ++i) {
1698 struct bb *bb1 = bb_list[i], *bb2 = bb_list[i+1];
1702 bb1->end = bb2->start - 1;
1703 bb1->drop_through = 1;
1704 bb_jmp_add(bb1->end, bb2->start, 1);
1706 bb1->end = bb2->end;
1710 bb = bb_list[bb_count-1];
1712 bb->end = bb_func_end - 1;
1714 /* It would be nice to check that all bb have a valid start and end
1715 * address but there is just too much garbage code in the kernel to do
1716 * that check. Aligned functions in assembler code mean that there is
1717 * space between the end of one function and the start of the next and
1718 * that space contains previous code from the assembler's buffers. It
1719 * looks like dead code with nothing that branches to it, so no start
1720 * address. do_sys_vm86() ends with 'jmp resume_userspace' which the C
1721 * compiler does not know about so gcc appends the normal exit code,
1722 * again nothing branches to this dangling code.
1724 * The best we can do is delete bb entries with no start address.
1726 for (i = 0; i < bb_count; ++i) {
1727 struct bb *bb = bb_list[i];
1731 for (i = 0; i < bb_count; ++i) {
1732 struct bb *bb = bb_list[i];
1734 kdb_printf("%s: incomplete bb state\n", __FUNCTION__);
1744 kdb_printf("%s: end\n", __FUNCTION__);
1745 for (i = 0; i < bb_count; ++i) {
1747 kdb_printf(" bb[%d] start "
1749 " end " kdb_bfd_vma_fmt0
1751 i, bb->start, bb->end, bb->drop_through);
1754 for (i = 0; i < bb_jmp_count; ++i) {
1755 bb_jmp = bb_jmp_list + i;
1756 kdb_printf(" bb_jmp[%d] from "
1758 " to " kdb_bfd_vma_fmt0
1759 " drop_through %d\n",
1760 i, bb_jmp->from, bb_jmp->to, bb_jmp->drop_through);
1764 /* Pass 2, record register changes in each basic block */
1766 /* For each opcode that we care about, indicate how it uses its operands. Most
1767 * opcodes can be handled generically because they completely specify their
1768 * operands in the instruction, however many opcodes have side effects such as
1769 * reading or writing rax or updating rsp. Instructions that change registers
1770 * that are not listed in the operands must be handled as special cases. In
1771 * addition, instructions that copy registers while preserving their contents
1772 * (push, pop, mov) or change the contents in a well defined way (add with an
1773 * immediate, lea) must be handled as special cases in order to track the
1774 * register contents.
1776 * The tables below only list opcodes that are actually used in the Linux
1777 * kernel, so they omit most of the floating point and all of the SSE type
1778 * instructions. The operand usage entries only cater for accesses to memory
1779 * and to the integer registers, accesses to floating point registers and flags
1780 * are not relevant for kernel backtraces.
1783 enum bb_operand_usage {
1785 /* generic entries. because xchg can do any combinations of
1786 * read src, write src, read dst and write dst we need to
1787 * define all 16 possibilities. These are ordered by rs = 1,
1788 * rd = 2, ws = 4, wd = 8, bb_usage_x*() functions rely on this
1791 BBOU_RS = 1, /* read src */ /* 1 */
1792 BBOU_RD, /* read dst */ /* 2 */
1794 BBOU_WS, /* write src */ /* 4 */
1797 BBOU_RSRDWS, /* 7 */
1798 BBOU_WD, /* write dst */ /* 8 */
1801 BBOU_RSRDWD, /* 11 */
1803 BBOU_RSWSWD, /* 13 */
1804 BBOU_RDWSWD, /* 14 */
1805 BBOU_RSRDWSWD, /* 15 */
1806 /* opcode specific entries */
1851 struct bb_opcode_usage {
1853 enum bb_operand_usage usage;
1857 /* This table is sorted in alphabetical order of opcode, except that the
1858 * trailing '"' is treated as a high value. For example, 'in' sorts after
1859 * 'inc', 'bt' after 'btc'. This modified sort order ensures that shorter
1860 * opcodes come after long ones. A normal sort would put 'in' first, so 'in'
1861 * would match both 'inc' and 'in'. When adding any new entries to this table,
1862 * be careful to put shorter entries last in their group.
1864 * To automatically sort the table (in vi)
1865 * Mark the first and last opcode line with 'a and 'b
1867 * !'bsed -e 's/"}/}}/' | LANG=C sort -t '"' -k2 | sed -e 's/}}/"}/'
1869 * If a new instruction has to be added, first consider if it affects registers
1870 * other than those listed in the operands. Also consider if you want to track
1871 * the results of issuing the instruction, IOW can you extract useful
1872 * information by looking in detail at the modified registers or memory. If
1873 * either test is true then you need a special case to handle the instruction.
1875 * The generic entries at the start of enum bb_operand_usage all have one thing
1876 * in common, if a register or memory location is updated then that location
1877 * becomes undefined, i.e. we lose track of anything that was previously saved
1878 * in that location. So only use a generic BBOU_* value when the result of the
1879 * instruction cannot be calculated exactly _and_ when all the affected
1880 * registers are listed in the operands.
1884 * 'call' does not generate a known result, but as a side effect of call,
1885 * several scratch registers become undefined, so it needs a special BBOU_CALL
1888 * 'adc' generates a variable result, it depends on the carry flag, so 'adc'
1889 * gets a generic entry. 'add' can generate an exact result (add with
1890 * immediate on a register that points to the stack) or it can generate an
1891 * unknown result (add a variable, or add immediate to a register that does not
1892 * contain a stack pointer) so 'add' has its own BBOU_ADD entry.
1895 static const struct bb_opcode_usage
1896 bb_opcode_usage_all[] = {
1897 {3, BBOU_RSRDWD, "adc"},
1898 {3, BBOU_ADD, "add"},
1899 {3, BBOU_RSRDWD, "and"},
1900 {3, BBOU_RSWD, "bsf"},
1901 {3, BBOU_RSWD, "bsr"},
1902 {5, BBOU_RSWS, "bswap"},
1903 {3, BBOU_RSRDWD, "btc"},
1904 {3, BBOU_RSRDWD, "btr"},
1905 {3, BBOU_RSRDWD, "bts"},
1906 {2, BBOU_RSRD, "bt"},
1907 {4, BBOU_CALL, "call"},
1908 {4, BBOU_CBW, "cbtw"}, /* Intel cbw */
1909 {3, BBOU_NOP, "clc"},
1910 {3, BBOU_NOP, "cld"},
1911 {7, BBOU_RS, "clflush"},
1912 {4, BBOU_NOP, "clgi"},
1913 {3, BBOU_NOP, "cli"},
1914 {4, BBOU_CWD, "cltd"}, /* Intel cdq */
1915 {4, BBOU_CBW, "cltq"}, /* Intel cdqe */
1916 {4, BBOU_NOP, "clts"},
1917 {4, BBOU_CMOV, "cmov"},
1918 {9, BBOU_CMPXCHGD,"cmpxchg16"},
1919 {8, BBOU_CMPXCHGD,"cmpxchg8"},
1920 {7, BBOU_CMPXCHG, "cmpxchg"},
1921 {3, BBOU_RSRD, "cmp"},
1922 {5, BBOU_CPUID, "cpuid"},
1923 {4, BBOU_CWD, "cqto"}, /* Intel cdo */
1924 {4, BBOU_CWD, "cwtd"}, /* Intel cwd */
1925 {4, BBOU_CBW, "cwtl"}, /* Intel cwde */
1926 {4, BBOU_NOP, "data"}, /* alternative ASM_NOP<n> generates data16 on x86_64 */
1927 {3, BBOU_RSWS, "dec"},
1928 {3, BBOU_DIV, "div"},
1929 {5, BBOU_RS, "fdivl"},
1930 {5, BBOU_NOP, "finit"},
1931 {6, BBOU_RS, "fistpl"},
1932 {4, BBOU_RS, "fldl"},
1933 {4, BBOU_RS, "fmul"},
1934 {6, BBOU_NOP, "fnclex"},
1935 {6, BBOU_NOP, "fninit"},
1936 {6, BBOU_RS, "fnsave"},
1937 {7, BBOU_NOP, "fnsetpm"},
1938 {6, BBOU_RS, "frstor"},
1939 {5, BBOU_WS, "fstsw"},
1940 {5, BBOU_RS, "fsubp"},
1941 {5, BBOU_NOP, "fwait"},
1942 {7, BBOU_RS, "fxrstor"},
1943 {6, BBOU_RS, "fxsave"},
1944 {3, BBOU_NOP, "hlt"},
1945 {4, BBOU_IDIV, "idiv"},
1946 {4, BBOU_IMUL, "imul"},
1947 {3, BBOU_RSWS, "inc"},
1948 {3, BBOU_NOP, "int"},
1949 {7, BBOU_RSRD, "invlpga"},
1950 {6, BBOU_RS, "invlpg"},
1951 {2, BBOU_RSWD, "in"},
1952 {4, BBOU_IRET, "iret"},
1954 {4, BBOU_LAHF, "lahf"},
1955 {3, BBOU_RSWD, "lar"},
1956 {5, BBOU_RS, "lcall"},
1957 {5, BBOU_LEAVE, "leave"},
1958 {3, BBOU_LEA, "lea"},
1959 {6, BBOU_NOP, "lfence"},
1960 {4, BBOU_RS, "lgdt"},
1961 {4, BBOU_RS, "lidt"},
1962 {4, BBOU_RS, "ljmp"},
1963 {4, BBOU_RS, "lldt"},
1964 {4, BBOU_RS, "lmsw"},
1965 {4, BBOU_LODS, "lods"},
1966 {4, BBOU_LOOP, "loop"},
1967 {4, BBOU_NOP, "lret"},
1968 {3, BBOU_RSWD, "lsl"},
1969 {3, BBOU_LSS, "lss"},
1970 {3, BBOU_RS, "ltr"},
1971 {6, BBOU_NOP, "mfence"},
1972 {7, BBOU_MONITOR, "monitor"},
1973 {4, BBOU_MOVS, "movs"},
1974 {3, BBOU_MOV, "mov"},
1975 {3, BBOU_MUL, "mul"},
1976 {5, BBOU_MWAIT, "mwait"},
1977 {3, BBOU_RSWS, "neg"},
1978 {3, BBOU_NOP, "nop"},
1979 {3, BBOU_RSWS, "not"},
1980 {2, BBOU_RSRDWD, "or"},
1981 {4, BBOU_OUTS, "outs"},
1982 {3, BBOU_RSRD, "out"},
1983 {5, BBOU_NOP, "pause"},
1984 {4, BBOU_POPF, "popf"},
1985 {3, BBOU_POP, "pop"},
1986 {8, BBOU_RS, "prefetch"},
1987 {5, BBOU_PUSHF, "pushf"},
1988 {4, BBOU_PUSH, "push"},
1989 {3, BBOU_RSRDWD, "rcl"},
1990 {3, BBOU_RSRDWD, "rcr"},
1991 {5, BBOU_RDMSR, "rdmsr"},
1992 {5, BBOU_RDMSR, "rdpmc"}, /* same side effects as rdmsr */
1993 {5, BBOU_RDTSC, "rdtsc"},
1994 {3, BBOU_RET, "ret"},
1995 {3, BBOU_RSRDWD, "rol"},
1996 {3, BBOU_RSRDWD, "ror"},
1997 {4, BBOU_SAHF, "sahf"},
1998 {3, BBOU_RSRDWD, "sar"},
1999 {3, BBOU_RSRDWD, "sbb"},
2000 {4, BBOU_SCAS, "scas"},
2001 {3, BBOU_WS, "set"},
2002 {6, BBOU_NOP, "sfence"},
2003 {4, BBOU_WS, "sgdt"},
2004 {3, BBOU_RSRDWD, "shl"},
2005 {3, BBOU_RSRDWD, "shr"},
2006 {4, BBOU_WS, "sidt"},
2007 {4, BBOU_WS, "sldt"},
2008 {3, BBOU_NOP, "stc"},
2009 {3, BBOU_NOP, "std"},
2010 {4, BBOU_NOP, "stgi"},
2011 {3, BBOU_NOP, "sti"},
2012 {4, BBOU_SCAS, "stos"},
2013 {4, BBOU_WS, "strl"},
2014 {3, BBOU_WS, "str"},
2015 {3, BBOU_SUB, "sub"},
2016 {6, BBOU_NOP, "swapgs"},
2017 {7, BBOU_SYSEXIT, "sysexit"},
2018 {6, BBOU_SYSRET, "sysret"},
2019 {4, BBOU_NOP, "test"},
2020 {4, BBOU_NOP, "ud2a"},
2021 {7, BBOU_RS, "vmclear"},
2022 {8, BBOU_NOP, "vmlaunch"},
2023 {6, BBOU_RS, "vmload"},
2024 {7, BBOU_RS, "vmptrld"},
2025 {6, BBOU_WD, "vmread"}, /* vmread src is an encoding, not a register */
2026 {8, BBOU_NOP, "vmresume"},
2027 {5, BBOU_RS, "vmrun"},
2028 {6, BBOU_RS, "vmsave"},
2029 {7, BBOU_WD, "vmwrite"}, /* vmwrite src is an encoding, not a register */
2030 {6, BBOU_NOP, "wbinvd"},
2031 {5, BBOU_WRMSR, "wrmsr"},
2032 {4, BBOU_XADD, "xadd"},
2033 {4, BBOU_XCHG, "xchg"},
2034 {3, BBOU_XOR, "xor"},
2035 {10, BBOU_WS, "xstore-rng"},
2038 /* To speed up searching, index bb_opcode_usage_all by the first letter of each
2042 const struct bb_opcode_usage *opcode;
2044 } bb_opcode_usage[26];
2052 enum bb_reg_code base_rc; /* UNDEFINED or RAX through R15 */
2053 enum bb_reg_code index_rc; /* UNDEFINED or RAX through R15 */
2054 unsigned int present :1;
2055 unsigned int disp_present :1;
2056 unsigned int indirect :1; /* must be combined with reg or memory */
2057 unsigned int immediate :1; /* exactly one of these 3 must be set */
2058 unsigned int reg :1;
2059 unsigned int memory :1;
2065 const struct bb_opcode_usage *match;
2066 struct bb_operand src;
2067 struct bb_operand dst;
2068 struct bb_operand dst2;
2071 static struct bb_decode bb_decode;
2073 static enum bb_reg_code
2074 bb_reg_map(const char *reg)
2077 const struct bb_reg_code_map *p;
2079 hi = ARRAY_SIZE(bb_reg_code_map) - 1;
2081 int mid = (hi + lo) / 2;
2082 p = bb_reg_code_map + mid;
2083 c = strcmp(p->name, reg+1);
2091 return BBRG_UNDEFINED;
2095 bb_parse_operand(char *str, struct bb_operand *operand)
2099 operand->present = 1;
2100 /* extract any segment prefix */
2101 if (p[0] == '%' && p[1] && p[2] == 's' && p[3] == ':') {
2102 operand->memory = 1;
2103 operand->segment = p;
2107 /* extract displacement, base, index, scale */
2109 /* jmp/call *disp(%reg), *%reg or *0xnnn */
2110 operand->indirect = 1;
2118 operand->immediate = 1;
2119 operand->disp_present = 1;
2120 operand->disp = simple_strtoul(p+1, &p, 0);
2121 } else if (isdigit(*p)) {
2122 operand->memory = 1;
2123 operand->disp_present = 1;
2124 operand->disp = simple_strtoul(p, &p, 0) * sign;
2129 } else if (*p == '(') {
2130 operand->memory = 1;
2131 operand->base = ++p;
2132 p += strcspn(p, ",)");
2133 if (p == operand->base)
2134 operand->base = NULL;
2137 operand->index = ++p;
2138 p += strcspn(p, ",)");
2139 if (p == operand->index)
2140 operand->index = NULL;
2144 operand->scale = simple_strtoul(p+1, &p, 0);
2148 kdb_printf("%s: unexpected token '%c' after disp '%s'\n",
2149 __FUNCTION__, *p, str);
2152 if ((operand->immediate + operand->reg + operand->memory != 1) ||
2153 (operand->indirect && operand->immediate)) {
2154 kdb_printf("%s: incorrect decode '%s' N %d I %d R %d M %d\n",
2156 operand->indirect, operand->immediate, operand->reg,
2161 operand->base_rc = bb_reg_map(operand->base);
2163 operand->index_rc = bb_reg_map(operand->index);
2167 bb_print_operand(const char *type, const struct bb_operand *operand)
2169 if (!operand->present)
2171 kdb_printf(" %s %c%c: ",
2173 operand->indirect ? 'N' : ' ',
2174 operand->immediate ? 'I' :
2175 operand->reg ? 'R' :
2176 operand->memory ? 'M' :
2179 if (operand->segment)
2180 kdb_printf("%s:", operand->segment);
2181 if (operand->immediate) {
2182 kdb_printf("$0x%lx", operand->disp);
2183 } else if (operand->reg) {
2184 if (operand->indirect)
2186 kdb_printf("%s", operand->base);
2187 } else if (operand->memory) {
2188 if (operand->indirect && (operand->base || operand->index))
2190 if (operand->disp_present) {
2191 kdb_printf("0x%lx", operand->disp);
2193 if (operand->base || operand->index || operand->scale) {
2196 kdb_printf("%s", operand->base);
2197 if (operand->index || operand->scale)
2200 kdb_printf("%s", operand->index);
2202 kdb_printf(",%d", operand->scale);
2206 if (operand->base_rc)
2207 kdb_printf(" base_rc %d (%s)",
2208 operand->base_rc, bbrg_name[operand->base_rc]);
2209 if (operand->index_rc)
2210 kdb_printf(" index_rc %d (%s)",
2212 bbrg_name[operand->index_rc]);
2217 bb_print_opcode(void)
2219 const struct bb_opcode_usage *o = bb_decode.match;
2221 if (bb_decode.prefix)
2222 kdb_printf("%s ", bb_decode.prefix);
2223 kdb_printf("opcode '%s' matched by '%s', usage %d\n",
2224 bb_decode.opcode, o->opcode, o->usage);
2228 bb_parse_opcode(void)
2231 const struct bb_opcode_usage *o;
2232 static int bb_parse_opcode_error_limit = 5;
2233 c = bb_decode.opcode[0] - 'a';
2234 if (c < 0 || c >= ARRAY_SIZE(bb_opcode_usage))
2236 o = bb_opcode_usage[c].opcode;
2239 for (i = 0; i < bb_opcode_usage[c].size; ++i, ++o) {
2240 if (strncmp(bb_decode.opcode, o->opcode, o->length) == 0) {
2241 bb_decode.match = o;
2248 if (!bb_parse_opcode_error_limit)
2250 --bb_parse_opcode_error_limit;
2251 kdb_printf("%s: no match at [%s]%s " kdb_bfd_vma_fmt0 " - '%s'\n",
2253 bb_mod_name, bb_func_name, bb_curr_addr,
2259 bb_is_int_reg(enum bb_reg_code reg)
2261 return reg >= BBRG_RAX && reg < (BBRG_RAX + KDB_INT_REGISTERS);
2265 bb_is_simple_memory(const struct bb_operand *operand)
2267 return operand->memory &&
2268 bb_is_int_reg(operand->base_rc) &&
2269 !operand->index_rc &&
2270 operand->scale == 0 &&
2275 bb_is_static_disp(const struct bb_operand *operand)
2277 return operand->memory &&
2278 !operand->base_rc &&
2279 !operand->index_rc &&
2280 operand->scale == 0 &&
2281 !operand->segment &&
2285 static enum bb_reg_code
2286 bb_reg_code_value(enum bb_reg_code reg)
2288 BB_CHECK(!bb_is_int_reg(reg), reg, 0);
2289 return bb_reg_state->contains[reg - BBRG_RAX].value;
2293 bb_reg_code_offset(enum bb_reg_code reg)
2295 BB_CHECK(!bb_is_int_reg(reg), reg, 0);
2296 return bb_reg_state->contains[reg - BBRG_RAX].offset;
2300 bb_reg_code_set_value(enum bb_reg_code dst, enum bb_reg_code src)
2302 BB_CHECK(!bb_is_int_reg(dst), dst, );
2303 bb_reg_state->contains[dst - BBRG_RAX].value = src;
2307 bb_reg_code_set_offset(enum bb_reg_code dst, short offset)
2309 BB_CHECK(!bb_is_int_reg(dst), dst, );
2310 bb_reg_state->contains[dst - BBRG_RAX].offset = offset;
2314 bb_is_osp_defined(enum bb_reg_code reg)
2316 if (bb_is_int_reg(reg))
2317 return bb_reg_code_value(reg) == BBRG_OSP;
2323 bb_actual_value(enum bb_reg_code reg)
2325 BB_CHECK(!bb_is_int_reg(reg), reg, 0);
2326 return bb_actual[reg - BBRG_RAX].value;
2330 bb_actual_valid(enum bb_reg_code reg)
2332 BB_CHECK(!bb_is_int_reg(reg), reg, 0);
2333 return bb_actual[reg - BBRG_RAX].valid;
2337 bb_actual_set_value(enum bb_reg_code reg, bfd_vma value)
2339 BB_CHECK(!bb_is_int_reg(reg), reg, );
2340 bb_actual[reg - BBRG_RAX].value = value;
2344 bb_actual_set_valid(enum bb_reg_code reg, int valid)
2346 BB_CHECK(!bb_is_int_reg(reg), reg, );
2347 bb_actual[reg - BBRG_RAX].valid = valid;
2350 /* The scheduler code switches RSP then does PUSH, it is not an error for RSP
2351 * to be undefined in this area of the code.
2354 bb_is_scheduler_address(void)
2356 return bb_curr_addr >= bb__sched_text_start &&
2357 bb_curr_addr < bb__sched_text_end;
2361 bb_reg_read(enum bb_reg_code reg)
2364 if (!bb_is_int_reg(reg) ||
2365 bb_reg_code_value(reg) != reg)
2368 i < min_t(unsigned int, REGPARM, ARRAY_SIZE(bb_param_reg));
2370 if (reg == bb_param_reg[i]) {
2375 bb_reg_params = max(bb_reg_params, r);
2379 bb_do_reg_state_print(const struct bb_reg_state *s)
2381 int i, offset_address, offset_value;
2382 const struct bb_memory_contains *c;
2383 enum bb_reg_code value;
2384 kdb_printf(" bb_reg_state %p\n", s);
2385 for (i = 0; i < ARRAY_SIZE(s->contains); ++i) {
2386 value = s->contains[i].value;
2387 offset_value = s->contains[i].offset;
2388 kdb_printf(" %s = %s",
2389 bbrg_name[i + BBRG_RAX], bbrg_name[value]);
2390 if (value == BBRG_OSP)
2391 KDB_DEBUG_BB_OFFSET_PRINTF(offset_value, "", "");
2394 for (i = 0, c = s->memory; i < s->mem_count; ++i, ++c) {
2395 offset_address = c->offset_address;
2397 offset_value = c->offset_value;
2398 kdb_printf(" slot %d offset_address %c0x%x %s",
2400 offset_address >= 0 ? '+' : '-',
2401 offset_address >= 0 ? offset_address : -offset_address,
2403 if (value == BBRG_OSP)
2404 KDB_DEBUG_BB_OFFSET_PRINTF(offset_value, "", "");
2410 bb_reg_state_print(const struct bb_reg_state *s)
2413 bb_do_reg_state_print(s);
2416 /* Set register 'dst' to contain the value from 'src'. This includes reading
2417 * from 'src' and writing to 'dst'. The offset value is copied iff 'src'
2418 * contains a stack pointer.
2420 * Be very careful about the context here. 'dst' and 'src' reflect integer
2421 * registers by name, _not_ by the value of their contents. "mov %rax,%rsi"
2422 * will call this function as bb_reg_set_reg(BBRG_RSI, BBRG_RAX), which
2423 * reflects what the assembler code is doing. However we need to track the
2424 * _values_ in the registers, not their names. IOW, we really care about "what
2425 * value does rax contain when it is copied into rsi?", so we can record the
2426 * fact that we now have two copies of that value, one in rax and one in rsi.
2430 bb_reg_set_reg(enum bb_reg_code dst, enum bb_reg_code src)
2432 enum bb_reg_code src_value = BBRG_UNDEFINED;
2433 short offset_value = 0;
2434 KDB_DEBUG_BB(" %s = %s", bbrg_name[dst], bbrg_name[src]);
2435 if (bb_is_int_reg(src)) {
2437 src_value = bb_reg_code_value(src);
2438 KDB_DEBUG_BB(" (%s", bbrg_name[src_value]);
2439 if (bb_is_osp_defined(src)) {
2440 offset_value = bb_reg_code_offset(src);
2441 KDB_DEBUG_BB_OFFSET(offset_value, "", "");
2445 if (bb_is_int_reg(dst)) {
2446 bb_reg_code_set_value(dst, src_value);
2447 bb_reg_code_set_offset(dst, offset_value);
2453 bb_reg_set_undef(enum bb_reg_code dst)
2455 bb_reg_set_reg(dst, BBRG_UNDEFINED);
2458 /* Delete any record of a stored register held in osp + 'offset' */
2461 bb_delete_memory(short offset)
2464 struct bb_memory_contains *c;
2465 for (i = 0, c = bb_reg_state->memory;
2466 i < bb_reg_state->mem_count;
2468 if (c->offset_address == offset &&
2469 c->value != BBRG_UNDEFINED) {
2470 KDB_DEBUG_BB(" delete %s from ",
2471 bbrg_name[c->value]);
2472 KDB_DEBUG_BB_OFFSET(offset, "osp", "");
2473 KDB_DEBUG_BB(" slot %d\n",
2474 (int)(c - bb_reg_state->memory));
2475 memset(c, BBRG_UNDEFINED, sizeof(*c));
2476 if (i == bb_reg_state->mem_count - 1)
2477 --bb_reg_state->mem_count;
2482 /* Set memory location *('dst' + 'offset_address') to contain the supplied
2483 * value and offset. 'dst' is assumed to be a register that contains a stack
2488 bb_memory_set_reg_value(enum bb_reg_code dst, short offset_address,
2489 enum bb_reg_code value, short offset_value)
2492 struct bb_memory_contains *c, *free = NULL;
2493 BB_CHECK(!bb_is_osp_defined(dst), dst, );
2494 KDB_DEBUG_BB(" *(%s", bbrg_name[dst]);
2495 KDB_DEBUG_BB_OFFSET(offset_address, "", "");
2496 offset_address += bb_reg_code_offset(dst);
2497 KDB_DEBUG_BB_OFFSET(offset_address, " osp", ") = ");
2498 KDB_DEBUG_BB("%s", bbrg_name[value]);
2499 if (value == BBRG_OSP)
2500 KDB_DEBUG_BB_OFFSET(offset_value, "", "");
2501 for (i = 0, c = bb_reg_state->memory;
2502 i < bb_reg_state_max;
2504 if (c->offset_address == offset_address)
2506 else if (c->value == BBRG_UNDEFINED && !free)
2510 struct bb_reg_state *new, *old = bb_reg_state;
2511 size_t old_size, new_size;
2513 old_size = sizeof(*old) + bb_reg_state_max *
2514 sizeof(old->memory[0]);
2515 slot = bb_reg_state_max;
2516 bb_reg_state_max += 5;
2517 new_size = sizeof(*new) + bb_reg_state_max *
2518 sizeof(new->memory[0]);
2519 new = debug_kmalloc(new_size, GFP_ATOMIC);
2521 kdb_printf("\n\n%s: out of debug_kmalloc\n", __FUNCTION__);
2524 memcpy(new, old, old_size);
2525 memset((char *)new + old_size, BBRG_UNDEFINED,
2526 new_size - old_size);
2529 free = bb_reg_state->memory + slot;
2533 int slot = free - bb_reg_state->memory;
2534 free->offset_address = offset_address;
2535 free->value = value;
2536 free->offset_value = offset_value;
2537 KDB_DEBUG_BB(" slot %d", slot);
2538 bb_reg_state->mem_count = max(bb_reg_state->mem_count, slot+1);
2543 /* Set memory location *('dst' + 'offset') to contain the value from register
2544 * 'src'. 'dst' is assumed to be a register that contains a stack pointer.
2545 * This differs from bb_memory_set_reg_value because it takes a src register
2546 * which contains a value and possibly an offset, bb_memory_set_reg_value is
2547 * passed the value and offset directly.
2551 bb_memory_set_reg(enum bb_reg_code dst, enum bb_reg_code src,
2552 short offset_address)
2555 enum bb_reg_code value;
2556 BB_CHECK(!bb_is_osp_defined(dst), dst, );
2557 if (!bb_is_int_reg(src))
2559 value = bb_reg_code_value(src);
2560 if (value == BBRG_UNDEFINED) {
2561 bb_delete_memory(offset_address + bb_reg_code_offset(dst));
2564 offset_value = bb_reg_code_offset(src);
2566 bb_memory_set_reg_value(dst, offset_address, value, offset_value);
2569 /* Set register 'dst' to contain the value from memory *('src' + offset_address).
2570 * 'src' is assumed to be a register that contains a stack pointer.
2574 bb_reg_set_memory(enum bb_reg_code dst, enum bb_reg_code src, short offset_address)
2577 struct bb_memory_contains *s;
2578 BB_CHECK(!bb_is_osp_defined(src), src, );
2579 KDB_DEBUG_BB(" %s = *(%s",
2580 bbrg_name[dst], bbrg_name[src]);
2581 KDB_DEBUG_BB_OFFSET(offset_address, "", ")");
2582 offset_address += bb_reg_code_offset(src);
2583 KDB_DEBUG_BB_OFFSET(offset_address, " (osp", ")");
2584 for (i = 0, s = bb_reg_state->memory;
2585 i < bb_reg_state->mem_count;
2587 if (s->offset_address == offset_address && bb_is_int_reg(dst)) {
2588 bb_reg_code_set_value(dst, s->value);
2589 KDB_DEBUG_BB(" value %s", bbrg_name[s->value]);
2590 if (s->value == BBRG_OSP) {
2591 bb_reg_code_set_offset(dst, s->offset_value);
2592 KDB_DEBUG_BB_OFFSET(s->offset_value, "", "");
2594 bb_reg_code_set_offset(dst, 0);
2600 bb_reg_set_reg(dst, BBRG_UNDEFINED);
2605 /* A generic read from an operand. */
2608 bb_read_operand(const struct bb_operand *operand)
2611 if (operand->base_rc)
2612 bb_reg_read(operand->base_rc);
2613 if (operand->index_rc)
2614 bb_reg_read(operand->index_rc);
2615 if (bb_is_simple_memory(operand) &&
2616 bb_is_osp_defined(operand->base_rc) &&
2617 bb_decode.match->usage != BBOU_LEA) {
2618 m = (bb_reg_code_offset(operand->base_rc) + operand->disp +
2619 KDB_WORD_SIZE - 1) / KDB_WORD_SIZE;
2620 bb_memory_params = max(bb_memory_params, m);
2624 /* A generic write to an operand, resulting in an undefined value in that
2625 * location. All well defined operands are handled separately, this function
2626 * only handles the opcodes where the result is undefined.
2630 bb_write_operand(const struct bb_operand *operand)
2632 enum bb_reg_code base_rc = operand->base_rc;
2633 if (operand->memory) {
2635 bb_reg_read(base_rc);
2636 if (operand->index_rc)
2637 bb_reg_read(operand->index_rc);
2638 } else if (operand->reg && base_rc) {
2639 bb_reg_set_undef(base_rc);
2641 if (bb_is_simple_memory(operand) && bb_is_osp_defined(base_rc)) {
2643 offset = bb_reg_code_offset(base_rc) + operand->disp;
2644 offset = ALIGN(offset - KDB_WORD_SIZE + 1, KDB_WORD_SIZE);
2645 bb_delete_memory(offset);
2649 /* Adjust a register that contains a stack pointer */
2652 bb_adjust_osp(enum bb_reg_code reg, int adjust)
2654 int offset = bb_reg_code_offset(reg), old_offset = offset;
2655 KDB_DEBUG_BB(" %s osp offset ", bbrg_name[reg]);
2656 KDB_DEBUG_BB_OFFSET(bb_reg_code_offset(reg), "", " -> ");
2658 bb_reg_code_set_offset(reg, offset);
2659 KDB_DEBUG_BB_OFFSET(bb_reg_code_offset(reg), "", "\n");
2660 /* When RSP is adjusted upwards, it invalidates any memory
2661 * stored between the old and current stack offsets.
2663 if (reg == BBRG_RSP) {
2664 while (old_offset < bb_reg_code_offset(reg)) {
2665 bb_delete_memory(old_offset);
2666 old_offset += KDB_WORD_SIZE;
2671 /* The current instruction adjusts a register that contains a stack pointer.
2672 * Direction is 1 or -1, depending on whether the instruction is add/lea or
2677 bb_adjust_osp_instruction(int direction)
2679 enum bb_reg_code dst_reg = bb_decode.dst.base_rc;
2680 if (bb_decode.src.immediate ||
2681 bb_decode.match->usage == BBOU_LEA /* lea has its own checks */) {
2682 int adjust = direction * bb_decode.src.disp;
2683 bb_adjust_osp(dst_reg, adjust);
2685 /* variable stack adjustment, osp offset is not well defined */
2686 KDB_DEBUG_BB(" %s osp offset ", bbrg_name[dst_reg]);
2687 KDB_DEBUG_BB_OFFSET(bb_reg_code_offset(dst_reg), "", " -> undefined\n");
2688 bb_reg_code_set_value(dst_reg, BBRG_UNDEFINED);
2689 bb_reg_code_set_offset(dst_reg, 0);
2693 /* Some instructions using memory have an explicit length suffix (b, w, l, q).
2694 * The equivalent instructions using a register imply the length from the
2695 * register name. Deduce the operand length.
2699 bb_operand_length(const struct bb_operand *operand, char opcode_suffix)
2702 switch (opcode_suffix) {
2716 if (l == 0 && operand->reg) {
2717 switch (strlen(operand->base)) {
2719 switch (operand->base[2]) {
2729 if (operand->base[1] == 'r')
2740 bb_reg_state_size(const struct bb_reg_state *state)
2742 return sizeof(*state) +
2743 state->mem_count * sizeof(state->memory[0]);
2746 /* Canonicalize the current bb_reg_state so it can be compared against
2747 * previously created states. Sort the memory entries in descending order of
2748 * offset_address (stack grows down). Empty slots are moved to the end of the
2753 bb_reg_state_canonicalize(void)
2755 int i, order, changed;
2756 struct bb_memory_contains *p1, *p2, temp;
2759 for (i = 0, p1 = bb_reg_state->memory;
2760 i < bb_reg_state->mem_count-1;
2763 if (p2->value == BBRG_UNDEFINED) {
2765 } else if (p1->value == BBRG_UNDEFINED) {
2767 } else if (p1->offset_address < p2->offset_address) {
2769 } else if (p1->offset_address > p2->offset_address) {
2782 for (i = 0, p1 = bb_reg_state->memory;
2783 i < bb_reg_state_max;
2785 if (p1->value != BBRG_UNDEFINED)
2786 bb_reg_state->mem_count = i + 1;
2788 bb_reg_state_print(bb_reg_state);
2792 bb_special_case(bfd_vma to)
2794 int i, j, rsp_offset, expect_offset, offset, errors = 0, max_errors = 40;
2795 enum bb_reg_code reg, expect_value, value;
2796 struct bb_name_state *r;
2798 for (i = 0, r = bb_special_cases;
2799 i < ARRAY_SIZE(bb_special_cases);
2801 if (to == r->address &&
2802 (r->fname == NULL || strcmp(bb_func_name, r->fname) == 0))
2805 /* Some inline assembler code has jumps to .fixup sections which result
2806 * in out of line transfers with undefined state, ignore them.
2808 if (strcmp(bb_func_name, "strnlen_user") == 0 ||
2809 strcmp(bb_func_name, "copy_from_user") == 0)
2814 /* Check the running registers match */
2815 for (reg = BBRG_RAX; reg < r->regs_size; ++reg) {
2816 expect_value = r->regs[reg].value;
2817 if (test_bit(expect_value, r->skip_regs.bits)) {
2818 /* this regs entry is not defined for this label */
2821 if (expect_value == BBRG_UNDEFINED)
2823 expect_offset = r->regs[reg].offset;
2824 value = bb_reg_code_value(reg);
2825 offset = bb_reg_code_offset(reg);
2826 if (expect_value == value &&
2827 (value != BBRG_OSP || r->osp_offset == offset))
2829 kdb_printf("%s: Expected %s to contain %s",
2832 bbrg_name[expect_value]);
2834 KDB_DEBUG_BB_OFFSET_PRINTF(r->osp_offset, "", "");
2835 kdb_printf(". It actually contains %s", bbrg_name[value]);
2837 KDB_DEBUG_BB_OFFSET_PRINTF(offset, "", "");
2840 if (max_errors-- == 0)
2843 /* Check that any memory data on stack matches */
2845 while (i < bb_reg_state->mem_count &&
2847 expect_value = r->mem[j].value;
2848 if (test_bit(expect_value, r->skip_mem.bits) ||
2849 expect_value == BBRG_UNDEFINED) {
2850 /* this memory slot is not defined for this label */
2854 rsp_offset = bb_reg_state->memory[i].offset_address -
2855 bb_reg_code_offset(BBRG_RSP);
2857 r->mem[j].offset_address) {
2858 /* extra slots in memory are OK */
2860 } else if (rsp_offset <
2861 r->mem[j].offset_address) {
2862 /* Required memory slot is missing */
2863 kdb_printf("%s: Invalid bb_reg_state.memory, "
2864 "missing memory entry[%d] %s\n",
2865 __FUNCTION__, j, bbrg_name[expect_value]);
2867 if (max_errors-- == 0)
2871 if (bb_reg_state->memory[i].offset_value ||
2872 bb_reg_state->memory[i].value != expect_value) {
2873 /* memory slot is present but contains wrong
2876 kdb_printf("%s: Invalid bb_reg_state.memory, "
2877 "wrong value in slot %d, "
2878 "should be %s, it is %s\n",
2880 bbrg_name[expect_value],
2881 bbrg_name[bb_reg_state->memory[i].value]);
2883 if (max_errors-- == 0)
2890 while (j < r->mem_size) {
2891 expect_value = r->mem[j].value;
2892 if (test_bit(expect_value, r->skip_mem.bits) ||
2893 expect_value == BBRG_UNDEFINED)
2898 if (j != r->mem_size) {
2899 /* Hit end of memory before testing all the pt_reg slots */
2900 kdb_printf("%s: Invalid bb_reg_state.memory, "
2901 "missing trailing entries\n",
2904 if (max_errors-- == 0)
2911 kdb_printf("%s: on transfer to %s\n", __FUNCTION__, r->name);
2916 /* Transfer of control to a label outside the current function. If the
2917 * transfer is to a known common code path then do a sanity check on the state
2922 bb_sanity_check(int type)
2924 enum bb_reg_code expect, actual;
2925 int i, offset, error = 0;
2927 for (i = 0; i < ARRAY_SIZE(bb_preserved_reg); ++i) {
2928 expect = bb_preserved_reg[i];
2929 actual = bb_reg_code_value(expect);
2930 offset = bb_reg_code_offset(expect);
2931 if (expect == actual)
2933 /* type == 1 is sysret/sysexit, ignore RSP */
2934 if (type && expect == BBRG_RSP)
2936 #ifndef CONFIG_X86_64
2937 /* type == 1 is sysret/sysexit, ignore RBP for i386 */
2938 if (type && expect == BBRG_RBP)
2940 #endif /* !CONFIG_X86_64 */
2941 /* RSP should contain OSP+0. Except for ptregscall_common and
2942 * ia32_ptregs_common, they get a partial pt_regs, fudge the
2943 * stack to make it a full pt_regs then reverse the effect on
2944 * exit, so the offset is -0x50 on exit.
2946 if (expect == BBRG_RSP &&
2947 bb_is_osp_defined(expect) &&
2950 (strcmp(bb_func_name, "ptregscall_common") == 0 ||
2951 strcmp(bb_func_name, "ia32_ptregs_common") == 0))))
2953 kdb_printf("%s: Expected %s, got %s",
2955 bbrg_name[expect], bbrg_name[actual]);
2957 KDB_DEBUG_BB_OFFSET_PRINTF(offset, "", "");
2961 BB_CHECK(error, error, );
2964 /* Transfer of control. Follow the arc and save the current state as input to
2965 * another basic block.
2969 bb_transfer(bfd_vma from, bfd_vma to, unsigned int drop_through)
2973 struct bb* bb = NULL; /*stupid gcc */
2974 struct bb_jmp *bb_jmp;
2975 struct bb_reg_state *state;
2976 bb_reg_state_canonicalize();
2978 for (i = 0; i < bb_jmp_count; ++i) {
2979 bb_jmp = bb_jmp_list + i;
2980 if (bb_jmp->from == from &&
2982 bb_jmp->drop_through == drop_through) {
2988 /* Transfer outside the current function. Check the special
2989 * cases (mainly in entry.S) first. If it is not a known
2990 * special case then check if the target address is the start
2991 * of a function or not. If it is the start of a function then
2992 * assume tail recursion and require that the state be the same
2993 * as on entry. Otherwise assume out of line code (e.g.
2994 * spinlock contention path) and ignore it, the state can be
2997 kdb_symtab_t symtab;
2998 if (bb_special_case(to))
3000 kdbnearsym(to, &symtab);
3001 if (symtab.sym_start != to)
3007 /* Only print this message when the kernel is compiled with
3008 * -fno-optimize-sibling-calls. Otherwise it would print a
3009 * message for every tail recursion call. If you see the
3010 * message below then you probably have an assembler label that
3011 * is not listed in the special cases.
3013 kdb_printf(" not matched: from "
3015 " to " kdb_bfd_vma_fmt0
3016 " drop_through %d bb_jmp[%d]\n",
3017 from, to, drop_through, i);
3018 #endif /* NO_SIBLINGS */
3021 KDB_DEBUG_BB(" matched: from " kdb_bfd_vma_fmt0
3022 " to " kdb_bfd_vma_fmt0
3023 " drop_through %d bb_jmp[%d]\n",
3024 from, to, drop_through, i);
3026 for (i = 0; i < bb_count; ++i) {
3028 if (bb->start == to) {
3033 BB_CHECK(!found, to, );
3034 /* If the register state for this arc has already been set (we are
3035 * rescanning the block that originates the arc) and the state is the
3036 * same as the previous state for this arc then this input to the
3037 * target block is the same as last time, so there is no need to rescan
3040 state = bb_jmp->state;
3041 size = bb_reg_state_size(bb_reg_state);
3043 bb_reg_state->ref_count = state->ref_count;
3044 if (memcmp(state, bb_reg_state, size) == 0) {
3045 KDB_DEBUG_BB(" no state change\n");
3048 if (--state->ref_count == 0)
3050 bb_jmp->state = NULL;
3052 /* New input state is required. To save space, check if any other arcs
3053 * have the same state and reuse them where possible. The overall set
3054 * of inputs to the target block is now different so the target block
3055 * must be rescanned.
3058 for (i = 0; i < bb_jmp_count; ++i) {
3059 state = bb_jmp_list[i].state;
3062 bb_reg_state->ref_count = state->ref_count;
3063 if (memcmp(state, bb_reg_state, size) == 0) {
3064 KDB_DEBUG_BB(" reuse bb_jmp[%d]\n", i);
3065 bb_jmp->state = state;
3070 state = debug_kmalloc(size, GFP_ATOMIC);
3072 kdb_printf("\n\n%s: out of debug_kmalloc\n", __FUNCTION__);
3076 memcpy(state, bb_reg_state, size);
3077 state->ref_count = 1;
3078 bb_jmp->state = state;
3079 KDB_DEBUG_BB(" new state %p\n", state);
3082 /* Isolate the processing for 'mov' so it can be used for 'xadd'/'xchg' as
3085 * xadd/xchg expect this function to return BBOU_NOP for special cases,
3086 * otherwise it returns BBOU_RSWD. All special cases must be handled entirely
3087 * within this function, including doing bb_read_operand or bb_write_operand
3091 static enum bb_operand_usage
3092 bb_usage_mov(const struct bb_operand *src, const struct bb_operand *dst, int l)
3094 int full_register_src, full_register_dst;
3095 full_register_src = bb_operand_length(src, bb_decode.opcode[l])
3096 == KDB_WORD_SIZE * 8;
3097 full_register_dst = bb_operand_length(dst, bb_decode.opcode[l])
3098 == KDB_WORD_SIZE * 8;
3099 /* If both src and dst are full integer registers then record the
3103 bb_is_int_reg(src->base_rc) &&
3105 bb_is_int_reg(dst->base_rc) &&
3106 full_register_src &&
3107 full_register_dst) {
3108 /* Special case for the code that switches stacks in
3109 * jprobe_return. That code must modify RSP but it does it in
3110 * a well defined manner. Do not invalidate RSP.
3112 if (src->base_rc == BBRG_RBX &&
3113 dst->base_rc == BBRG_RSP &&
3114 strcmp(bb_func_name, "jprobe_return") == 0) {
3115 bb_read_operand(src);
3118 /* math_abort takes the equivalent of a longjmp structure and
3119 * resets the stack. Ignore this, it leaves RSP well defined.
3121 if (dst->base_rc == BBRG_RSP &&
3122 strcmp(bb_func_name, "math_abort") == 0) {
3123 bb_read_operand(src);
3126 bb_reg_set_reg(dst->base_rc, src->base_rc);
3129 /* If the move is from a full integer register to stack then record it.
3132 bb_is_simple_memory(dst) &&
3133 bb_is_osp_defined(dst->base_rc) &&
3134 full_register_src) {
3135 /* Ugly special case. Initializing list heads on stack causes
3136 * false references to stack variables when the list head is
3137 * used. Static code analysis cannot detect that the list head
3138 * has been changed by a previous execution loop and that a
3139 * basic block is only executed after the list head has been
3142 * These false references can result in valid stack variables
3143 * being incorrectly cleared on some logic paths. Ignore
3144 * stores to stack variables which point to themselves or to
3145 * the previous word so the list head initialization is not
3148 if (bb_is_osp_defined(src->base_rc)) {
3149 int stack1 = bb_reg_code_offset(src->base_rc);
3150 int stack2 = bb_reg_code_offset(dst->base_rc) +
3152 if (stack1 == stack2 ||
3153 stack1 == stack2 - KDB_WORD_SIZE)
3156 bb_memory_set_reg(dst->base_rc, src->base_rc, dst->disp);
3159 /* If the move is from stack to a full integer register then record it.
3161 if (bb_is_simple_memory(src) &&
3162 bb_is_osp_defined(src->base_rc) &&
3164 bb_is_int_reg(dst->base_rc) &&
3165 full_register_dst) {
3166 #ifndef CONFIG_X86_64
3167 /* mov from TSS_sysenter_sp0+offset to esp to fix up the
3168 * sysenter stack, it leaves esp well defined. mov
3169 * TSS_sysenter_esp0+offset(%esp),%esp is followed by up to 5
3170 * push instructions to mimic the hardware stack push. If
3171 * TSS_sysenter_esp0 is offset then only 3 words will be
3174 if (dst->base_rc == BBRG_RSP &&
3175 src->disp >= TSS_sysenter_sp0 &&
3176 bb_is_osp_defined(BBRG_RSP)) {
3178 pushes = src->disp == TSS_sysenter_sp0 ? 5 : 3;
3179 bb_reg_code_set_offset(BBRG_RSP,
3180 bb_reg_code_offset(BBRG_RSP) +
3181 pushes * KDB_WORD_SIZE);
3182 KDB_DEBUG_BB_OFFSET(
3183 bb_reg_code_offset(BBRG_RSP),
3184 " sysenter fixup, RSP",
3188 #endif /* !CONFIG_X86_64 */
3189 bb_read_operand(src);
3190 bb_reg_set_memory(dst->base_rc, src->base_rc, src->disp);
3193 /* move %gs:0x<nn>,%rsp is used to unconditionally switch to another
3194 * stack. Ignore this special case, it is handled by the stack
3198 strcmp(src->segment, "%gs") == 0 &&
3200 dst->base_rc == BBRG_RSP)
3202 /* move %reg,%reg is a nop */
3207 strcmp(src->base, dst->base) == 0)
3209 /* Special case for the code that switches stacks in the scheduler
3210 * (switch_to()). That code must modify RSP but it does it in a well
3211 * defined manner. Do not invalidate RSP.
3214 dst->base_rc == BBRG_RSP &&
3215 full_register_dst &&
3216 bb_is_scheduler_address()) {
3217 bb_read_operand(src);
3220 /* Special case for the code that switches stacks in resume from
3221 * hibernation code. That code must modify RSP but it does it in a
3222 * well defined manner. Do not invalidate RSP.
3226 dst->base_rc == BBRG_RSP &&
3227 full_register_dst &&
3228 strcmp(bb_func_name, "restore_image") == 0) {
3229 bb_read_operand(src);
3235 static enum bb_operand_usage
3236 bb_usage_xadd(const struct bb_operand *src, const struct bb_operand *dst)
3238 /* Simulate xadd as a series of instructions including mov, that way we
3239 * get the benefit of all the special cases already handled by
3242 * tmp = src + dst, src = dst, dst = tmp.
3244 * For tmp, pick a register that is undefined. If all registers are
3245 * defined then pick one that is not being used by xadd.
3247 enum bb_reg_code reg = BBRG_UNDEFINED;
3248 struct bb_operand tmp;
3249 struct bb_reg_contains save_tmp;
3250 enum bb_operand_usage usage;
3252 for (reg = BBRG_RAX; reg < BBRG_RAX + KDB_INT_REGISTERS; ++reg) {
3253 if (bb_reg_code_value(reg) == BBRG_UNDEFINED) {
3259 for (reg = BBRG_RAX; reg < BBRG_RAX + KDB_INT_REGISTERS; ++reg) {
3260 if (reg != src->base_rc &&
3261 reg != src->index_rc &&
3262 reg != dst->base_rc &&
3263 reg != dst->index_rc &&
3268 KDB_DEBUG_BB(" %s saving tmp %s\n", __FUNCTION__, bbrg_name[reg]);
3269 save_tmp = bb_reg_state->contains[reg - BBRG_RAX];
3270 bb_reg_set_undef(reg);
3271 memset(&tmp, 0, sizeof(tmp));
3274 tmp.base = debug_kmalloc(strlen(bbrg_name[reg]) + 2, GFP_ATOMIC);
3277 strcpy(tmp.base + 1, bbrg_name[reg]);
3280 bb_read_operand(src);
3281 bb_read_operand(dst);
3282 if (bb_usage_mov(src, dst, sizeof("xadd")-1) == BBOU_NOP)
3285 usage = BBOU_RSRDWS;
3286 bb_usage_mov(&tmp, dst, sizeof("xadd")-1);
3287 KDB_DEBUG_BB(" %s restoring tmp %s\n", __FUNCTION__, bbrg_name[reg]);
3288 bb_reg_state->contains[reg - BBRG_RAX] = save_tmp;
3289 debug_kfree(tmp.base);
3293 static enum bb_operand_usage
3294 bb_usage_xchg(const struct bb_operand *src, const struct bb_operand *dst)
3296 /* Simulate xchg as a series of mov instructions, that way we get the
3297 * benefit of all the special cases already handled by BBOU_MOV.
3299 * mov dst,tmp; mov src,dst; mov tmp,src;
3301 * For tmp, pick a register that is undefined. If all registers are
3302 * defined then pick one that is not being used by xchg.
3304 enum bb_reg_code reg = BBRG_UNDEFINED;
3305 int rs = BBOU_RS, rd = BBOU_RD, ws = BBOU_WS, wd = BBOU_WD;
3306 struct bb_operand tmp;
3307 struct bb_reg_contains save_tmp;
3309 for (reg = BBRG_RAX; reg < BBRG_RAX + KDB_INT_REGISTERS; ++reg) {
3310 if (bb_reg_code_value(reg) == BBRG_UNDEFINED) {
3316 for (reg = BBRG_RAX; reg < BBRG_RAX + KDB_INT_REGISTERS; ++reg) {
3317 if (reg != src->base_rc &&
3318 reg != src->index_rc &&
3319 reg != dst->base_rc &&
3320 reg != dst->index_rc &&
3325 KDB_DEBUG_BB(" %s saving tmp %s\n", __FUNCTION__, bbrg_name[reg]);
3326 save_tmp = bb_reg_state->contains[reg - BBRG_RAX];
3327 memset(&tmp, 0, sizeof(tmp));
3330 tmp.base = debug_kmalloc(strlen(bbrg_name[reg]) + 2, GFP_ATOMIC);
3333 strcpy(tmp.base + 1, bbrg_name[reg]);
3336 if (bb_usage_mov(dst, &tmp, sizeof("xchg")-1) == BBOU_NOP)
3338 if (bb_usage_mov(src, dst, sizeof("xchg")-1) == BBOU_NOP) {
3342 if (bb_usage_mov(&tmp, src, sizeof("xchg")-1) == BBOU_NOP)
3344 KDB_DEBUG_BB(" %s restoring tmp %s\n", __FUNCTION__, bbrg_name[reg]);
3345 bb_reg_state->contains[reg - BBRG_RAX] = save_tmp;
3346 debug_kfree(tmp.base);
3347 return rs | rd | ws | wd;
3350 /* Invalidate all the scratch registers */
3353 bb_invalidate_scratch_reg(void)
3356 for (i = BBRG_RAX; i < BBRG_RAX + KDB_INT_REGISTERS; ++i) {
3357 for (j = 0; j < ARRAY_SIZE(bb_preserved_reg); ++j) {
3358 if (i == bb_preserved_reg[j])
3361 bb_reg_set_undef(i);
3368 bb_pass2_computed_jmp(const struct bb_operand *src)
3370 unsigned long table = src->disp;
3372 while (!bb_giveup) {
3373 if (kdb_getword(&addr, table, sizeof(addr)))
3375 if (addr < bb_func_start || addr >= bb_func_end)
3377 bb_transfer(bb_curr_addr, addr, 0);
3378 table += KDB_WORD_SIZE;
3382 /* The current instruction has been decoded and all the information is in
3383 * bb_decode. Based on the opcode, track any operand usage that we care about.
3389 enum bb_operand_usage usage = bb_decode.match->usage;
3390 struct bb_operand *src = &bb_decode.src;
3391 struct bb_operand *dst = &bb_decode.dst;
3392 struct bb_operand *dst2 = &bb_decode.dst2;
3393 int opcode_suffix, operand_length;
3395 /* First handle all the special usage cases, and map them to a generic
3396 * case after catering for the side effects.
3399 if (usage == BBOU_IMUL &&
3400 src->present && !dst->present && !dst2->present) {
3401 /* single operand imul, same effects as mul */
3405 /* AT&T syntax uses movs<l1><l2> for move with sign extension, instead
3406 * of the Intel movsx. The AT&T syntax causes problems for the opcode
3407 * mapping; movs with sign extension needs to be treated as a generic
3408 * read src, write dst, but instead it falls under the movs I/O
3409 * instruction. Fix it.
3411 if (usage == BBOU_MOVS && strlen(bb_decode.opcode) > 5)
3414 /* This switch statement deliberately does not use 'default' at the top
3415 * level. That way the compiler will complain if a new BBOU_ enum is
3416 * added above and not explicitly handled here.
3419 case BBOU_UNKNOWN: /* drop through */
3420 case BBOU_RS: /* drop through */
3421 case BBOU_RD: /* drop through */
3422 case BBOU_RSRD: /* drop through */
3423 case BBOU_WS: /* drop through */
3424 case BBOU_RSWS: /* drop through */
3425 case BBOU_RDWS: /* drop through */
3426 case BBOU_RSRDWS: /* drop through */
3427 case BBOU_WD: /* drop through */
3428 case BBOU_RSWD: /* drop through */
3429 case BBOU_RDWD: /* drop through */
3430 case BBOU_RSRDWD: /* drop through */
3431 case BBOU_WSWD: /* drop through */
3432 case BBOU_RSWSWD: /* drop through */
3433 case BBOU_RDWSWD: /* drop through */
3435 break; /* ignore generic usage for now */
3437 /* Special case for add instructions that adjust registers
3438 * which are mapping the stack.
3440 if (dst->reg && bb_is_osp_defined(dst->base_rc)) {
3441 bb_adjust_osp_instruction(1);
3444 usage = BBOU_RSRDWD;
3448 /* Invalidate the scratch registers. Functions sync_regs and
3449 * save_v86_state are special, their return value is the new
3452 bb_reg_state_print(bb_reg_state);
3453 bb_invalidate_scratch_reg();
3454 if (bb_is_static_disp(src)) {
3455 if (src->disp == bb_sync_regs) {
3456 bb_reg_set_reg(BBRG_RAX, BBRG_RSP);
3457 } else if (src->disp == bb_save_v86_state) {
3458 bb_reg_set_reg(BBRG_RAX, BBRG_RSP);
3459 bb_adjust_osp(BBRG_RAX, +KDB_WORD_SIZE);
3465 /* Convert word in RAX. Read RAX, write RAX */
3466 bb_reg_read(BBRG_RAX);
3467 bb_reg_set_undef(BBRG_RAX);
3471 /* cmove %gs:0x<nn>,%rsp is used to conditionally switch to
3472 * another stack. Ignore this special case, it is handled by
3473 * the stack unwinding code.
3476 strcmp(src->segment, "%gs") == 0 &&
3478 dst->base_rc == BBRG_RSP)
3484 /* Read RAX, write RAX plus src read, dst write */
3485 bb_reg_read(BBRG_RAX);
3486 bb_reg_set_undef(BBRG_RAX);
3490 /* Read RAX, RBX, RCX, RDX, write RAX, RDX plus src read/write */
3491 bb_reg_read(BBRG_RAX);
3492 bb_reg_read(BBRG_RBX);
3493 bb_reg_read(BBRG_RCX);
3494 bb_reg_read(BBRG_RDX);
3495 bb_reg_set_undef(BBRG_RAX);
3496 bb_reg_set_undef(BBRG_RDX);
3500 /* Read RAX, write RAX, RBX, RCX, RDX */
3501 bb_reg_read(BBRG_RAX);
3502 bb_reg_set_undef(BBRG_RAX);
3503 bb_reg_set_undef(BBRG_RBX);
3504 bb_reg_set_undef(BBRG_RCX);
3505 bb_reg_set_undef(BBRG_RDX);
3509 /* Convert word in RAX, RDX. Read RAX, write RDX */
3510 bb_reg_read(BBRG_RAX);
3511 bb_reg_set_undef(BBRG_RDX);
3514 case BBOU_DIV: /* drop through */
3516 /* The 8 bit variants only affect RAX, the 16, 32 and 64 bit
3517 * variants affect RDX as well.
3521 opcode_suffix = bb_decode.opcode[3];
3524 opcode_suffix = bb_decode.opcode[4];
3527 opcode_suffix = 'q';
3530 operand_length = bb_operand_length(src, opcode_suffix);
3531 bb_reg_read(BBRG_RAX);
3532 bb_reg_set_undef(BBRG_RAX);
3533 if (operand_length != 8) {
3534 bb_reg_read(BBRG_RDX);
3535 bb_reg_set_undef(BBRG_RDX);
3540 /* Only the two and three operand forms get here. The one
3541 * operand form is treated as mul.
3543 if (dst2->present) {
3544 /* The three operand form is a special case, read the first two
3545 * operands, write the third.
3547 bb_read_operand(src);
3548 bb_read_operand(dst);
3549 bb_write_operand(dst2);
3552 usage = BBOU_RSRDWD;
3560 if (bb_is_static_disp(src))
3561 bb_transfer(bb_curr_addr, src->disp, 0);
3562 else if (src->indirect &&
3564 src->base == NULL &&
3566 src->scale == KDB_WORD_SIZE)
3567 bb_pass2_computed_jmp(src);
3572 bb_reg_set_undef(BBRG_RAX);
3576 /* dst = src + disp. Often used to calculate offsets into the
3577 * stack, so check if it uses a stack pointer.
3580 if (bb_is_simple_memory(src)) {
3581 if (bb_is_osp_defined(src->base_rc)) {
3582 bb_reg_set_reg(dst->base_rc, src->base_rc);
3583 bb_adjust_osp_instruction(1);
3585 } else if (src->disp == 0 &&
3586 src->base_rc == dst->base_rc) {
3587 /* lea 0(%reg),%reg is generated by i386
3591 } else if (src->disp == 4096 &&
3592 (src->base_rc == BBRG_R8 ||
3593 src->base_rc == BBRG_RDI) &&
3594 strcmp(bb_func_name, "relocate_kernel") == 0) {
3595 /* relocate_kernel: setup a new stack at the
3596 * end of the physical control page, using
3597 * (x86_64) lea 4096(%r8),%rsp or (i386) lea
3605 /* RSP = RBP; RBP = *(RSP); RSP += KDB_WORD_SIZE; */
3606 bb_reg_set_reg(BBRG_RSP, BBRG_RBP);
3607 if (bb_is_osp_defined(BBRG_RSP))
3608 bb_reg_set_memory(BBRG_RBP, BBRG_RSP, 0);
3610 bb_reg_set_undef(BBRG_RBP);
3611 if (bb_is_osp_defined(BBRG_RSP))
3612 bb_adjust_osp(BBRG_RSP, KDB_WORD_SIZE);
3613 /* common_interrupt uses leave in a non-standard manner */
3614 if (strcmp(bb_func_name, "common_interrupt") != 0)
3619 /* Read RSI, write RAX, RSI */
3620 bb_reg_read(BBRG_RSI);
3621 bb_reg_set_undef(BBRG_RAX);
3622 bb_reg_set_undef(BBRG_RSI);
3626 /* Read and write RCX */
3627 bb_reg_read(BBRG_RCX);
3628 bb_reg_set_undef(BBRG_RCX);
3629 if (bb_is_static_disp(src))
3630 bb_transfer(bb_curr_addr, src->disp, 0);
3634 /* lss offset(%esp),%esp leaves esp well defined */
3636 dst->base_rc == BBRG_RSP &&
3637 bb_is_simple_memory(src) &&
3638 src->base_rc == BBRG_RSP) {
3639 bb_adjust_osp(BBRG_RSP, 2*KDB_WORD_SIZE + src->disp);
3646 /* Read RAX, RCX, RDX */
3647 bb_reg_set_undef(BBRG_RAX);
3648 bb_reg_set_undef(BBRG_RCX);
3649 bb_reg_set_undef(BBRG_RDX);
3653 usage = bb_usage_mov(src, dst, sizeof("mov")-1);
3656 /* Read RSI, RDI, write RSI, RDI */
3657 bb_reg_read(BBRG_RSI);
3658 bb_reg_read(BBRG_RDI);
3659 bb_reg_set_undef(BBRG_RSI);
3660 bb_reg_set_undef(BBRG_RDI);
3664 /* imul (one operand form only) or mul. Read RAX. If the
3665 * operand length is not 8 then write RDX.
3667 if (bb_decode.opcode[0] == 'i')
3668 opcode_suffix = bb_decode.opcode[4];
3670 opcode_suffix = bb_decode.opcode[3];
3671 operand_length = bb_operand_length(src, opcode_suffix);
3672 bb_reg_read(BBRG_RAX);
3673 if (operand_length != 8)
3674 bb_reg_set_undef(BBRG_RDX);
3679 bb_reg_read(BBRG_RAX);
3680 bb_reg_read(BBRG_RCX);
3686 /* Read RSI, RDX, write RSI */
3687 bb_reg_read(BBRG_RSI);
3688 bb_reg_read(BBRG_RDX);
3689 bb_reg_set_undef(BBRG_RSI);
3693 /* Complicated by the fact that you can pop from top of stack
3694 * to a stack location, for this case the destination location
3695 * is calculated after adjusting RSP. Analysis of the kernel
3696 * code shows that gcc only uses this strange format to get the
3697 * flags into a local variable, e.g. pushf; popl 0x10(%esp); so
3698 * I am going to ignore this special case.
3701 if (!bb_is_osp_defined(BBRG_RSP)) {
3702 if (!bb_is_scheduler_address()) {
3703 kdb_printf("pop when BBRG_RSP is undefined?\n");
3708 bb_reg_set_memory(src->base_rc, BBRG_RSP, 0);
3711 /* pop %rsp does not adjust rsp */
3713 src->base_rc != BBRG_RSP)
3714 bb_adjust_osp(BBRG_RSP, KDB_WORD_SIZE);
3718 /* Do not care about flags, just adjust RSP */
3719 if (!bb_is_osp_defined(BBRG_RSP)) {
3720 if (!bb_is_scheduler_address()) {
3721 kdb_printf("popf when BBRG_RSP is undefined?\n");
3725 bb_adjust_osp(BBRG_RSP, KDB_WORD_SIZE);
3730 /* Complicated by the fact that you can push from a stack
3731 * location to top of stack, the source location is calculated
3732 * before adjusting RSP. Analysis of the kernel code shows
3733 * that gcc only uses this strange format to restore the flags
3734 * from a local variable, e.g. pushl 0x10(%esp); popf; so I am
3735 * going to ignore this special case.
3738 if (!bb_is_osp_defined(BBRG_RSP)) {
3739 if (!bb_is_scheduler_address()) {
3740 kdb_printf("push when BBRG_RSP is undefined?\n");
3744 bb_adjust_osp(BBRG_RSP, -KDB_WORD_SIZE);
3746 bb_reg_code_offset(BBRG_RSP) <= 0)
3747 bb_memory_set_reg(BBRG_RSP, src->base_rc, 0);
3751 /* Do not care about flags, just adjust RSP */
3752 if (!bb_is_osp_defined(BBRG_RSP)) {
3753 if (!bb_is_scheduler_address()) {
3754 kdb_printf("pushf when BBRG_RSP is undefined?\n");
3758 bb_adjust_osp(BBRG_RSP, -KDB_WORD_SIZE);
3763 /* Read RCX, write RAX, RDX */
3764 bb_reg_read(BBRG_RCX);
3765 bb_reg_set_undef(BBRG_RAX);
3766 bb_reg_set_undef(BBRG_RDX);
3770 /* Write RAX, RDX */
3771 bb_reg_set_undef(BBRG_RAX);
3772 bb_reg_set_undef(BBRG_RDX);
3777 /* Functions that restore state which was saved by another
3778 * function or build new kernel stacks. We cannot verify what
3779 * is being restored so skip the sanity check.
3781 if (strcmp(bb_func_name, "restore_image") == 0 ||
3782 strcmp(bb_func_name, "relocate_kernel") == 0 ||
3783 strcmp(bb_func_name, "identity_mapped") == 0 ||
3784 strcmp(bb_func_name, "xen_iret_crit_fixup") == 0 ||
3785 strcmp(bb_func_name, "math_abort") == 0)
3791 bb_reg_read(BBRG_RAX);
3795 /* Read RAX, RDI, write RDI */
3796 bb_reg_read(BBRG_RAX);
3797 bb_reg_read(BBRG_RDI);
3798 bb_reg_set_undef(BBRG_RDI);
3802 /* Special case for sub instructions that adjust registers
3803 * which are mapping the stack.
3805 if (dst->reg && bb_is_osp_defined(dst->base_rc)) {
3806 bb_adjust_osp_instruction(-1);
3809 usage = BBOU_RSRDWD;
3821 /* Read RCX, RAX, RDX */
3822 bb_reg_read(BBRG_RCX);
3823 bb_reg_read(BBRG_RAX);
3824 bb_reg_read(BBRG_RDX);
3828 usage = bb_usage_xadd(src, dst);
3831 /* i386 do_IRQ with 4K stacks does xchg %ebx,%esp; call
3832 * irq_handler; mov %ebx,%esp; to switch stacks. Ignore this
3833 * stack switch when tracking registers, it is handled by
3834 * higher level backtrace code. Convert xchg %ebx,%esp to mov
3835 * %esp,%ebx so the later mov %ebx,%esp becomes a NOP and the
3836 * stack remains defined so we can backtrace through do_IRQ's
3839 * Ditto for do_softirq.
3843 src->base_rc == BBRG_RBX &&
3844 dst->base_rc == BBRG_RSP &&
3845 (strcmp(bb_func_name, "do_IRQ") == 0 ||
3846 strcmp(bb_func_name, "do_softirq") == 0)) {
3847 strcpy(bb_decode.opcode, "mov");
3848 usage = bb_usage_mov(dst, src, sizeof("mov")-1);
3850 usage = bb_usage_xchg(src, dst);
3854 /* xor %reg,%reg only counts as a register write, the original
3855 * contents of reg are irrelevant.
3857 if (src->reg && dst->reg && src->base_rc == dst->base_rc)
3860 usage = BBOU_RSRDWD;
3864 /* The switch statement above handled all the special cases. Every
3865 * opcode should now have a usage of NOP or one of the generic cases.
3867 if (usage == BBOU_UNKNOWN || usage == BBOU_NOP) {
3869 } else if (usage >= BBOU_RS && usage <= BBOU_RSRDWSWD) {
3870 if (usage & BBOU_RS)
3871 bb_read_operand(src);
3872 if (usage & BBOU_RD)
3873 bb_read_operand(dst);
3874 if (usage & BBOU_WS)
3875 bb_write_operand(src);
3876 if (usage & BBOU_WD)
3877 bb_write_operand(dst);
3879 kdb_printf("%s: opcode not fully handled\n", __FUNCTION__);
3880 if (!KDB_DEBUG(BB)) {
3882 if (bb_decode.src.present)
3883 bb_print_operand("src", &bb_decode.src);
3884 if (bb_decode.dst.present)
3885 bb_print_operand("dst", &bb_decode.dst);
3886 if (bb_decode.dst2.present)
3887 bb_print_operand("dst2", &bb_decode.dst2);
3894 bb_parse_buffer(void)
3896 char *p, *src, *dst = NULL, *dst2 = NULL;
3899 memset(&bb_decode, 0, sizeof(bb_decode));
3900 KDB_DEBUG_BB(" '%s'\n", p);
3901 p += strcspn(p, ":"); /* skip address and function name+offset: */
3903 kdb_printf("%s: cannot find ':' in buffer '%s'\n",
3904 __FUNCTION__, bb_buffer);
3908 p += strspn(p, " \t"); /* step to opcode */
3909 if (strncmp(p, "(bad)", 5) == 0)
3911 /* separate any opcode prefix */
3912 if (strncmp(p, "lock", 4) == 0 ||
3913 strncmp(p, "rep", 3) == 0 ||
3914 strncmp(p, "rex", 3) == 0 ||
3915 strncmp(p, "addr", 4) == 0) {
3916 bb_decode.prefix = p;
3917 p += strcspn(p, " \t");
3919 p += strspn(p, " \t");
3921 bb_decode.opcode = p;
3922 strsep(&p, " \t"); /* step to end of opcode */
3923 if (bb_parse_opcode())
3927 p += strspn(p, " \t"); /* step to operand(s) */
3931 p = strsep(&p, " \t"); /* strip comments after operands */
3932 /* split 'src','dst' but ignore ',' inside '(' ')' */
3936 } else if (*p == ')') {
3938 } else if (*p == ',' && paren == 0) {
3947 bb_parse_operand(src, &bb_decode.src);
3949 bb_print_operand("src", &bb_decode.src);
3950 if (dst && !bb_giveup) {
3951 bb_parse_operand(dst, &bb_decode.dst);
3953 bb_print_operand("dst", &bb_decode.dst);
3955 if (dst2 && !bb_giveup) {
3956 bb_parse_operand(dst2, &bb_decode.dst2);
3958 bb_print_operand("dst2", &bb_decode.dst2);
3966 bb_dis_pass2(PTR file, const char *fmt, ...)
3969 int l = strlen(bb_buffer);
3972 vsnprintf(bb_buffer + l, sizeof(bb_buffer) - l, fmt, ap);
3974 if ((p = strchr(bb_buffer, '\n'))) {
3977 p += strcspn(p, ":");
3979 bb_fixup_switch_to(p);
3981 bb_buffer[0] = '\0';
3987 bb_printaddr_pass2(bfd_vma addr, disassemble_info *dip)
3989 kdb_symtab_t symtab;
3990 unsigned int offset;
3991 dip->fprintf_func(dip->stream, "0x%lx", addr);
3992 kdbnearsym(addr, &symtab);
3993 if (symtab.sym_name) {
3994 dip->fprintf_func(dip->stream, " <%s", symtab.sym_name);
3995 if ((offset = addr - symtab.sym_start))
3996 dip->fprintf_func(dip->stream, "+0x%x", offset);
3997 dip->fprintf_func(dip->stream, ">");
4001 /* Set the starting register and memory state for the current bb */
4004 bb_start_block0_special(void)
4007 short offset_address;
4008 enum bb_reg_code reg, value;
4009 struct bb_name_state *r;
4010 for (i = 0, r = bb_special_cases;
4011 i < ARRAY_SIZE(bb_special_cases);
4013 if (bb_func_start == r->address && r->fname == NULL)
4018 /* Set the running registers */
4019 for (reg = BBRG_RAX; reg < r->regs_size; ++reg) {
4020 value = r->regs[reg].value;
4021 if (test_bit(value, r->skip_regs.bits)) {
4022 /* this regs entry is not defined for this label */
4025 bb_reg_code_set_value(reg, value);
4026 bb_reg_code_set_offset(reg, r->regs[reg].offset);
4028 /* Set any memory contents, e.g. pt_regs. Adjust RSP as required. */
4030 for (i = 0; i < r->mem_size; ++i) {
4031 offset_address = max_t(int,
4032 r->mem[i].offset_address + KDB_WORD_SIZE,
4035 if (bb_reg_code_offset(BBRG_RSP) > -offset_address)
4036 bb_adjust_osp(BBRG_RSP, -offset_address - bb_reg_code_offset(BBRG_RSP));
4037 for (i = 0; i < r->mem_size; ++i) {
4038 value = r->mem[i].value;
4039 if (test_bit(value, r->skip_mem.bits)) {
4040 /* this memory entry is not defined for this label */
4043 bb_memory_set_reg_value(BBRG_RSP, r->mem[i].offset_address,
4045 bb_reg_set_undef(value);
4051 bb_pass2_start_block(int number)
4053 int i, j, k, first, changed;
4055 struct bb_jmp *bb_jmp;
4056 struct bb_reg_state *state;
4057 struct bb_memory_contains *c1, *c2;
4058 bb_reg_state->mem_count = bb_reg_state_max;
4059 size = bb_reg_state_size(bb_reg_state);
4060 memset(bb_reg_state, 0, size);
4063 /* The first block is assumed to have well defined inputs */
4065 /* Some assembler labels have non-standard entry
4068 bb_start_block0_special();
4069 bb_reg_state_print(bb_reg_state);
4073 /* Merge all the input states for the current bb together */
4076 for (i = 0; i < bb_jmp_count; ++i) {
4077 bb_jmp = bb_jmp_list + i;
4078 if (bb_jmp->to != bb_curr->start)
4080 state = bb_jmp->state;
4084 size = bb_reg_state_size(state);
4085 memcpy(bb_reg_state, state, size);
4086 KDB_DEBUG_BB(" first state %p\n", state);
4087 bb_reg_state_print(bb_reg_state);
4092 KDB_DEBUG_BB(" merging state %p\n", state);
4093 /* Merge the register states */
4094 for (j = 0; j < ARRAY_SIZE(state->contains); ++j) {
4095 if (memcmp(bb_reg_state->contains + j,
4096 state->contains + j,
4097 sizeof(bb_reg_state->contains[0]))) {
4098 /* Different states for this register from two
4099 * or more inputs, make it undefined.
4101 if (bb_reg_state->contains[j].value ==
4103 KDB_DEBUG_BB(" ignoring %s\n",
4104 bbrg_name[j + BBRG_RAX]);
4106 bb_reg_set_undef(BBRG_RAX + j);
4112 /* Merge the memory states. This relies on both
4113 * bb_reg_state->memory and state->memory being sorted in
4114 * descending order, with undefined entries at the end.
4116 c1 = bb_reg_state->memory;
4119 while (j < bb_reg_state->mem_count &&
4120 k < state->mem_count) {
4121 if (c1->offset_address < c2->offset_address) {
4122 KDB_DEBUG_BB_OFFSET(c2->offset_address,
4123 " ignoring c2->offset_address ",
4129 if (c1->offset_address > c2->offset_address) {
4130 /* Memory location is not in all input states,
4131 * delete the memory location.
4133 bb_delete_memory(c1->offset_address);
4139 if (memcmp(c1, c2, sizeof(*c1))) {
4140 /* Same location, different contents, delete
4141 * the memory location.
4143 bb_delete_memory(c1->offset_address);
4144 KDB_DEBUG_BB_OFFSET(c2->offset_address,
4145 " ignoring c2->offset_address ",
4154 while (j < bb_reg_state->mem_count) {
4155 bb_delete_memory(c1->offset_address);
4162 KDB_DEBUG_BB(" final state\n");
4163 bb_reg_state_print(bb_reg_state);
4167 /* We have reached the exit point from the current function, either a call to
4168 * the next function or the instruction that was about to executed when an
4169 * interrupt occurred. Save the current register state in bb_exit_state.
4173 bb_save_exit_state(void)
4176 debug_kfree(bb_exit_state);
4177 bb_exit_state = NULL;
4178 bb_reg_state_canonicalize();
4179 size = bb_reg_state_size(bb_reg_state);
4180 bb_exit_state = debug_kmalloc(size, GFP_ATOMIC);
4181 if (!bb_exit_state) {
4182 kdb_printf("\n\n%s: out of debug_kmalloc\n", __FUNCTION__);
4186 memcpy(bb_exit_state, bb_reg_state, size);
4190 bb_pass2_do_changed_blocks(int allow_missing)
4192 int i, j, missing, changed, maxloops;
4194 struct bb_jmp *bb_jmp;
4195 KDB_DEBUG_BB("\n %s: allow_missing %d\n", __FUNCTION__, allow_missing);
4196 /* Absolute worst case is we have to iterate over all the basic blocks
4197 * in an "out of order" state, each iteration losing one register or
4198 * memory state. Any more loops than that is a bug. "out of order"
4199 * means that the layout of blocks in memory does not match the logic
4200 * flow through those blocks so (for example) block 27 comes before
4201 * block 2. To allow for out of order blocks, multiply maxloops by the
4204 maxloops = (KDB_INT_REGISTERS + bb_reg_state_max) * bb_count;
4208 for (i = 0; i < bb_count; ++i) {
4209 bb_curr = bb_list[i];
4210 if (!bb_curr->changed)
4213 for (j = 0, bb_jmp = bb_jmp_list;
4216 if (bb_jmp->to == bb_curr->start &&
4220 if (missing > allow_missing)
4222 bb_curr->changed = 0;
4224 KDB_DEBUG_BB("\n bb[%d]\n", i);
4225 bb_pass2_start_block(i);
4226 for (addr = bb_curr->start;
4227 addr <= bb_curr->end; ) {
4228 bb_curr_addr = addr;
4229 if (addr == bb_exit_addr)
4230 bb_save_exit_state();
4231 addr += kdba_id_printinsn(addr, &kdb_di);
4232 kdb_di.fprintf_func(NULL, "\n");
4236 if (!bb_exit_state) {
4237 /* ATTRIB_NORET functions are a problem with
4238 * the current gcc. Allow the trailing address
4241 if (addr == bb_exit_addr ||
4242 addr == bb_exit_addr + 1)
4243 bb_save_exit_state();
4245 if (bb_curr->drop_through)
4246 bb_transfer(bb_curr->end,
4247 bb_list[i+1]->start, 1);
4249 if (maxloops-- == 0) {
4250 kdb_printf("\n\n%s maxloops reached\n",
4257 for (i = 0; i < bb_count; ++i) {
4258 bb_curr = bb_list[i];
4259 if (bb_curr->changed)
4260 return 1; /* more to do, increase allow_missing */
4262 return 0; /* all blocks done */
4265 /* Assume that the current function is a pass through function that does not
4266 * refer to its register parameters. Exclude known asmlinkage functions and
4267 * assume the other functions actually use their registers.
4271 bb_assume_pass_through(void)
4273 static int first_time = 1;
4274 if (strncmp(bb_func_name, "sys_", 4) == 0 ||
4275 strncmp(bb_func_name, "compat_sys_", 11) == 0 ||
4276 strcmp(bb_func_name, "schedule") == 0 ||
4277 strcmp(bb_func_name, "do_softirq") == 0 ||
4278 strcmp(bb_func_name, "printk") == 0 ||
4279 strcmp(bb_func_name, "vprintk") == 0 ||
4280 strcmp(bb_func_name, "preempt_schedule") == 0 ||
4281 strcmp(bb_func_name, "start_kernel") == 0 ||
4282 strcmp(bb_func_name, "csum_partial") == 0 ||
4283 strcmp(bb_func_name, "csum_partial_copy_generic") == 0 ||
4284 strcmp(bb_func_name, "math_state_restore") == 0 ||
4285 strcmp(bb_func_name, "panic") == 0 ||
4286 strcmp(bb_func_name, "kdb_printf") == 0 ||
4287 strcmp(bb_func_name, "kdb_interrupt") == 0)
4289 if (bb_asmlinkage_arch())
4291 bb_reg_params = REGPARM;
4293 kdb_printf(" %s has memory parameters but no register "
4294 "parameters.\n Assuming it is a 'pass "
4295 "through' function that does not refer to "
4296 "its register\n parameters and setting %d "
4297 "register parameters\n",
4298 bb_func_name, REGPARM);
4302 kdb_printf(" Assuming %s is 'pass through' with %d register "
4304 bb_func_name, REGPARM);
4311 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
4312 kdb_printf("%s: start\n", __FUNCTION__);
4314 kdb_di.fprintf_func = bb_dis_pass2;
4315 kdb_di.print_address_func = bb_printaddr_pass2;
4317 bb_reg_state = debug_kmalloc(sizeof(*bb_reg_state), GFP_ATOMIC);
4318 if (!bb_reg_state) {
4319 kdb_printf("\n\n%s: out of debug_kmalloc\n", __FUNCTION__);
4323 bb_list[0]->changed = 1;
4325 /* If a block does not have all its input states available then it is
4326 * possible for a register to initially appear to hold a known value,
4327 * but when other inputs are available then it becomes a variable
4328 * value. The initial false state of "known" can generate false values
4329 * for other registers and can even make it look like stack locations
4330 * are being changed.
4332 * To avoid these false positives, only process blocks which have all
4333 * their inputs defined. That gives a clean depth first traversal of
4334 * the tree, except for loops. If there are any loops, then start
4335 * processing blocks with one missing input, then two missing inputs
4338 * Absolute worst case is we have to iterate over all the jmp entries,
4339 * each iteration allowing one more missing input. Any more loops than
4340 * that is a bug. Watch out for the corner case of 0 jmp entries.
4342 for (allow_missing = 0; allow_missing <= bb_jmp_count; ++allow_missing) {
4343 if (!bb_pass2_do_changed_blocks(allow_missing))
4348 if (allow_missing > bb_jmp_count) {
4349 kdb_printf("\n\n%s maxloops reached\n",
4355 if (bb_memory_params && bb_reg_params)
4356 bb_reg_params = REGPARM;
4360 bb_assume_pass_through();
4361 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM)) {
4362 kdb_printf("%s: end bb_reg_params %d bb_memory_params %d\n",
4363 __FUNCTION__, bb_reg_params, bb_memory_params);
4364 if (bb_exit_state) {
4365 kdb_printf("%s: bb_exit_state at " kdb_bfd_vma_fmt0 "\n",
4366 __FUNCTION__, bb_exit_addr);
4367 bb_do_reg_state_print(bb_exit_state);
4377 struct bb_reg_state *state;
4382 debug_kfree(bb_list);
4384 bb_count = bb_max = 0;
4385 for (i = 0; i < bb_jmp_count; ++i) {
4386 state = bb_jmp_list[i].state;
4387 if (state && --state->ref_count == 0)
4390 debug_kfree(bb_jmp_list);
4392 bb_jmp_count = bb_jmp_max = 0;
4393 debug_kfree(bb_reg_state);
4394 bb_reg_state = NULL;
4395 bb_reg_state_max = 0;
4396 debug_kfree(bb_exit_state);
4397 bb_exit_state = NULL;
4398 bb_reg_params = bb_memory_params = 0;
4403 bb_spurious_global_label(const char *func_name)
4406 for (i = 0; i < ARRAY_SIZE(bb_spurious); ++i) {
4407 if (strcmp(bb_spurious[i], func_name) == 0)
4413 /* Given the current actual register contents plus the exit state deduced from
4414 * a basic block analysis of the current function, rollback the actual register
4415 * contents to the values they had on entry to this function.
4419 bb_actual_rollback(const struct kdb_activation_record *ar)
4421 int i, offset_address;
4422 struct bb_memory_contains *c;
4423 enum bb_reg_code reg;
4424 unsigned long address, osp = 0;
4425 struct bb_actual new[ARRAY_SIZE(bb_actual)];
4428 if (!bb_exit_state) {
4429 kdb_printf("%s: no bb_exit_state, cannot rollback\n",
4434 memcpy(bb_reg_state, bb_exit_state, bb_reg_state_size(bb_exit_state));
4435 memset(new, 0, sizeof(new));
4437 /* The most important register for obtaining saved state is rsp so get
4438 * its new value first. Prefer rsp if it is valid, then other
4439 * registers. Saved values of rsp in memory are unusable without a
4440 * register that points to memory.
4442 if (!bb_actual_valid(BBRG_RSP)) {
4443 kdb_printf("%s: no starting value for RSP, cannot rollback\n",
4448 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
4449 kdb_printf("%s: rsp " kdb_bfd_vma_fmt0,
4450 __FUNCTION__, bb_actual_value(BBRG_RSP));
4452 if (!bb_is_osp_defined(i)) {
4453 for (i = BBRG_RAX; i < BBRG_RAX + KDB_INT_REGISTERS; ++i) {
4454 if (bb_is_osp_defined(i) && bb_actual_valid(i))
4458 if (bb_is_osp_defined(i) && bb_actual_valid(i)) {
4459 osp = new[BBRG_RSP - BBRG_RAX].value =
4460 bb_actual_value(i) - bb_reg_code_offset(i);
4461 new[BBRG_RSP - BBRG_RAX].valid = 1;
4462 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
4463 kdb_printf(" -> osp " kdb_bfd_vma_fmt0 "\n", osp);
4465 bb_actual_set_valid(BBRG_RSP, 0);
4466 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
4467 kdb_printf(" -> undefined\n");
4468 kdb_printf("%s: no ending value for RSP, cannot rollback\n",
4474 /* Now the other registers. First look at register values that have
4475 * been copied to other registers.
4477 for (i = BBRG_RAX; i < BBRG_RAX + KDB_INT_REGISTERS; ++i) {
4478 reg = bb_reg_code_value(i);
4479 if (bb_is_int_reg(reg)) {
4480 new[reg - BBRG_RAX] = bb_actual[i - BBRG_RAX];
4481 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM)) {
4482 kdb_printf("%s: %s is in %s ",
4486 if (bb_actual_valid(i))
4487 kdb_printf(" -> " kdb_bfd_vma_fmt0 "\n",
4488 bb_actual_value(i));
4490 kdb_printf("(invalid)\n");
4495 /* Finally register values that have been saved on stack */
4496 for (i = 0, c = bb_reg_state->memory;
4497 i < bb_reg_state->mem_count;
4499 offset_address = c->offset_address;
4501 if (!bb_is_int_reg(reg))
4503 address = osp + offset_address;
4504 if (address < ar->stack.logical_start ||
4505 address >= ar->stack.logical_end) {
4506 new[reg - BBRG_RAX].value = 0;
4507 new[reg - BBRG_RAX].valid = 0;
4508 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
4509 kdb_printf("%s: %s -> undefined\n",
4513 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM)) {
4514 kdb_printf("%s: %s -> *(osp",
4517 KDB_DEBUG_BB_OFFSET_PRINTF(offset_address, "", " ");
4518 kdb_printf(kdb_bfd_vma_fmt0, address);
4520 new[reg - BBRG_RAX].value = *(bfd_vma *)address;
4521 new[reg - BBRG_RAX].valid = 1;
4522 if (KDB_DEBUG(BB) | KDB_DEBUG(BB_SUMM))
4523 kdb_printf(") = " kdb_bfd_vma_fmt0 "\n",
4524 new[reg - BBRG_RAX].value);
4528 memcpy(bb_actual, new, sizeof(bb_actual));
4531 /* Return true if the current function is an interrupt handler */
4534 bb_interrupt_handler(kdb_machreg_t rip)
4536 unsigned long disp8, disp32, target, addr = (unsigned long)rip;
4537 unsigned char code[5];
4540 for (i = 0; i < ARRAY_SIZE(bb_hardware_handlers); ++i)
4541 if (strcmp(bb_func_name, bb_hardware_handlers[i]) == 0)
4544 /* Given the large number of interrupt handlers, it is easiest to look
4545 * at the next instruction and see if it is a jmp to the common exit
4548 if (kdb_getarea(code, addr) ||
4549 kdb_getword(&disp32, addr+1, 4) ||
4550 kdb_getword(&disp8, addr+1, 1))
4551 return 0; /* not a valid code address */
4552 if (code[0] == 0xe9) {
4553 target = addr + (s32) disp32 + 5; /* jmp disp32 */
4554 if (target == bb_ret_from_intr ||
4555 target == bb_common_interrupt ||
4556 target == bb_error_entry)
4559 if (code[0] == 0xeb) {
4560 target = addr + (s8) disp8 + 2; /* jmp disp8 */
4561 if (target == bb_ret_from_intr ||
4562 target == bb_common_interrupt ||
4563 target == bb_error_entry)
4570 /* Copy argument information that was deduced by the basic block analysis and
4571 * rollback into the kdb stack activation record.
4575 bb_arguments(struct kdb_activation_record *ar)
4578 enum bb_reg_code reg;
4580 ar->args = bb_reg_params + bb_memory_params;
4581 bitmap_zero(ar->valid.bits, KDBA_MAXARGS);
4582 for (i = 0; i < bb_reg_params; ++i) {
4583 reg = bb_param_reg[i];
4584 if (bb_actual_valid(reg)) {
4585 ar->arg[i] = bb_actual_value(reg);
4586 set_bit(i, ar->valid.bits);
4589 if (!bb_actual_valid(BBRG_RSP))
4591 rsp = bb_actual_value(BBRG_RSP);
4592 for (i = bb_reg_params; i < ar->args; ++i) {
4593 rsp += KDB_WORD_SIZE;
4594 if (kdb_getarea(ar->arg[i], rsp) == 0)
4595 set_bit(i, ar->valid.bits);
4599 /* Given an exit address from a function, decompose the entire function into
4600 * basic blocks and determine the register state at the exit point.
4604 kdb_bb(unsigned long exit)
4606 kdb_symtab_t symtab;
4607 if (!kdbnearsym(exit, &symtab)) {
4608 kdb_printf("%s: address " kdb_bfd_vma_fmt0 " not recognised\n",
4609 __FUNCTION__, exit);
4613 bb_exit_addr = exit;
4614 bb_mod_name = symtab.mod_name;
4615 bb_func_name = symtab.sym_name;
4616 bb_func_start = symtab.sym_start;
4617 bb_func_end = symtab.sym_end;
4618 /* Various global labels exist in the middle of assembler code and have
4619 * a non-standard state. Ignore these labels and use the start of the
4620 * previous label instead.
4622 while (bb_spurious_global_label(symtab.sym_name)) {
4623 if (!kdbnearsym(symtab.sym_start - 1, &symtab))
4625 bb_func_start = symtab.sym_start;
4627 bb_mod_name = symtab.mod_name;
4628 bb_func_name = symtab.sym_name;
4629 bb_func_start = symtab.sym_start;
4630 /* Ignore spurious labels past this point and use the next non-spurious
4631 * label as the end point.
4633 if (kdbnearsym(bb_func_end, &symtab)) {
4634 while (bb_spurious_global_label(symtab.sym_name)) {
4635 bb_func_end = symtab.sym_end;
4636 if (!kdbnearsym(symtab.sym_end + 1, &symtab))
4644 kdb_printf("%s: " kdb_bfd_vma_fmt0
4645 " [%s]%s failed at " kdb_bfd_vma_fmt0 "\n\n",
4647 bb_mod_name, bb_func_name, bb_curr_addr);
4651 kdb_bb1(int argc, const char **argv)
4655 bb_cleanup(); /* in case previous command was interrupted */
4656 kdba_id_init(&kdb_di);
4658 return KDB_ARGCOUNT;
4659 if ((diag = kdbgetularg((char *)argv[1], &addr)))
4662 kdb_flags |= KDB_DEBUG_FLAG_BB << KDB_DEBUG_FLAG_SHIFT;
4665 kdb_restore_flags();
4666 kdbnearsym_cleanup();
4670 /* Run a basic block analysis on every function in the base kernel. Used as a
4671 * global sanity check to find errors in the basic block code.
4675 kdb_bb_all(int argc, const char **argv)
4678 const char *symname;
4680 int i, max_errors = 20;
4681 struct bb_name_state *r;
4682 kdb_printf("%s: build variables:"
4683 " CCVERSION \"" __stringify(CCVERSION) "\""
4684 #ifdef CONFIG_X86_64
4687 #ifdef CONFIG_4KSTACKS
4690 #ifdef CONFIG_PREEMPT
4696 #ifdef CONFIG_FRAME_POINTER
4697 " CONFIG_FRAME_POINTER"
4699 #ifdef CONFIG_TRACE_IRQFLAGS
4700 " CONFIG_TRACE_IRQFLAGS"
4702 #ifdef CONFIG_HIBERNATION
4703 " CONFIG_HIBERNATION"
4705 #ifdef CONFIG_KPROBES
4711 #ifdef CONFIG_MATH_EMULATION
4712 " CONFIG_MATH_EMULATION"
4717 #ifdef CONFIG_DEBUG_INFO
4718 " CONFIG_DEBUG_INFO"
4723 " REGPARM=" __stringify(REGPARM)
4724 "\n\n", __FUNCTION__);
4725 for (i = 0, r = bb_special_cases;
4726 i < ARRAY_SIZE(bb_special_cases);
4729 kdb_printf("%s: cannot find special_case name %s\n",
4730 __FUNCTION__, r->name);
4732 for (i = 0; i < ARRAY_SIZE(bb_spurious); ++i) {
4733 if (!kallsyms_lookup_name(bb_spurious[i]))
4734 kdb_printf("%s: cannot find spurious label %s\n",
4735 __FUNCTION__, bb_spurious[i]);
4737 while ((symname = kdb_walk_kallsyms(&pos))) {
4739 if (strcmp(symname, "_stext") == 0 ||
4740 strcmp(symname, "stext") == 0)
4744 kdb_printf("%s: cannot find _stext\n", __FUNCTION__);
4747 kdba_id_init(&kdb_di);
4749 while ((symname = kdb_walk_kallsyms(&pos))) {
4750 if (strcmp(symname, "_etext") == 0)
4754 /* x86_64 has some 16 bit functions that appear between stext
4755 * and _etext. Skip them.
4757 if (strcmp(symname, "verify_cpu") == 0 ||
4758 strcmp(symname, "verify_cpu_noamd") == 0 ||
4759 strcmp(symname, "verify_cpu_sse_test") == 0 ||
4760 strcmp(symname, "verify_cpu_no_longmode") == 0 ||
4761 strcmp(symname, "verify_cpu_sse_ok") == 0 ||
4762 strcmp(symname, "mode_seta") == 0 ||
4763 strcmp(symname, "bad_address") == 0 ||
4764 strcmp(symname, "wakeup_code") == 0 ||
4765 strcmp(symname, "wakeup_code_start") == 0 ||
4766 strcmp(symname, "wakeup_start") == 0 ||
4767 strcmp(symname, "wakeup_32_vector") == 0 ||
4768 strcmp(symname, "wakeup_32") == 0 ||
4769 strcmp(symname, "wakeup_long64_vector") == 0 ||
4770 strcmp(symname, "wakeup_long64") == 0 ||
4771 strcmp(symname, "gdta") == 0 ||
4772 strcmp(symname, "idt_48a") == 0 ||
4773 strcmp(symname, "gdt_48a") == 0 ||
4774 strcmp(symname, "bogus_real_magic") == 0 ||
4775 strcmp(symname, "bogus_64_magic") == 0 ||
4776 strcmp(symname, "no_longmode") == 0 ||
4777 strcmp(symname, "mode_set") == 0 ||
4778 strcmp(symname, "mode_seta") == 0 ||
4779 strcmp(symname, "setbada") == 0 ||
4780 strcmp(symname, "check_vesa") == 0 ||
4781 strcmp(symname, "check_vesaa") == 0 ||
4782 strcmp(symname, "_setbada") == 0 ||
4783 strcmp(symname, "wakeup_stack_begin") == 0 ||
4784 strcmp(symname, "wakeup_stack") == 0 ||
4785 strcmp(symname, "wakeup_level4_pgt") == 0 ||
4786 strcmp(symname, "acpi_copy_wakeup_routine") == 0 ||
4787 strcmp(symname, "wakeup_end") == 0 ||
4788 strcmp(symname, "do_suspend_lowlevel_s4bios") == 0 ||
4789 strcmp(symname, "do_suspend_lowlevel") == 0 ||
4790 strcmp(symname, "wakeup_pmode_return") == 0 ||
4791 strcmp(symname, "restore_registers") == 0)
4793 /* __kprobes_text_end contains branches to the middle of code,
4794 * with undefined states.
4796 if (strcmp(symname, "__kprobes_text_end") == 0)
4798 /* Data in the middle of the text segment :( */
4799 if (strcmp(symname, "level2_kernel_pgt") == 0 ||
4800 strcmp(symname, "level3_kernel_pgt") == 0)
4802 if (bb_spurious_global_label(symname))
4804 if ((addr = kallsyms_lookup_name(symname)) == 0)
4806 // kdb_printf("BB " kdb_bfd_vma_fmt0 " %s\n", addr, symname);
4807 bb_cleanup(); /* in case previous command was interrupted */
4808 kdbnearsym_cleanup();
4810 touch_nmi_watchdog();
4812 if (max_errors-- == 0) {
4813 kdb_printf("%s: max_errors reached, giving up\n",
4823 kdbnearsym_cleanup();
4828 *=============================================================================
4830 * Everything above this line is doing basic block analysis, function by
4831 * function. Everything below this line uses the basic block data to do a
4832 * complete backtrace over all functions that are used by a process.
4834 *=============================================================================
4838 /*============================================================================*/
4840 /* Most of the backtrace code and data is common to x86_64 and i386. This */
4841 /* large ifdef contains all of the differences between the two architectures. */
4843 /* Make sure you update the correct section of this ifdef. */
4845 /*============================================================================*/
4847 #ifdef CONFIG_X86_64
4852 #define ARCH_RSP rsp
4853 #define ARCH_RIP rip
4854 #define ARCH_NORMAL_PADDING (16 * 8)
4856 /* x86_64 has multiple alternate stacks, with different sizes and different
4857 * offsets to get the link from one stack to the next. Some of the stacks are
4858 * referenced via cpu_pda, some via per_cpu orig_ist. Debug events can even
4859 * have multiple nested stacks within the single physical stack, each nested
4860 * stack has its own link and some of those links are wrong.
4862 * Consistent it's not!
4864 * Do not assume that these stacks are aligned on their size.
4866 #define INTERRUPT_STACK (N_EXCEPTION_STACKS + 1)
4868 kdba_get_stack_info_alternate(kdb_machreg_t addr, int cpu,
4869 struct kdb_activation_record *ar)
4873 unsigned int total_size;
4874 unsigned int nested_size;
4876 } *sdp, stack_data[] = {
4877 [STACKFAULT_STACK - 1] = { "stackfault", EXCEPTION_STKSZ, EXCEPTION_STKSZ, EXCEPTION_STKSZ - 2*sizeof(void *) },
4878 [DOUBLEFAULT_STACK - 1] = { "doublefault", EXCEPTION_STKSZ, EXCEPTION_STKSZ, EXCEPTION_STKSZ - 2*sizeof(void *) },
4879 [NMI_STACK - 1] = { "nmi", EXCEPTION_STKSZ, EXCEPTION_STKSZ, EXCEPTION_STKSZ - 2*sizeof(void *) },
4880 [DEBUG_STACK - 1] = { "debug", DEBUG_STKSZ, EXCEPTION_STKSZ, EXCEPTION_STKSZ - 2*sizeof(void *) },
4881 [MCE_STACK - 1] = { "machine check", EXCEPTION_STKSZ, EXCEPTION_STKSZ, EXCEPTION_STKSZ - 2*sizeof(void *) },
4882 [INTERRUPT_STACK - 1] = { "interrupt", IRQSTACKSIZE, IRQSTACKSIZE, IRQSTACKSIZE - sizeof(void *) },
4884 unsigned long total_start = 0, total_size, total_end;
4886 extern unsigned long kdba_orig_ist(int, int);
4888 for (sd = 0, sdp = stack_data;
4889 sd < ARRAY_SIZE(stack_data);
4891 total_size = sdp->total_size;
4893 continue; /* in case stack_data[] has any holes */
4895 /* Arbitrary address which can be on any cpu, see if it
4896 * falls within any of the alternate stacks
4899 for_each_online_cpu(c) {
4900 if (sd == INTERRUPT_STACK - 1)
4901 total_end = (unsigned long)cpu_pda(c)->irqstackptr;
4903 total_end = per_cpu(orig_ist, c).ist[sd];
4904 total_start = total_end - total_size;
4905 if (addr >= total_start && addr < total_end) {
4914 /* Only check the supplied or found cpu */
4915 if (sd == INTERRUPT_STACK - 1)
4916 total_end = (unsigned long)cpu_pda(cpu)->irqstackptr;
4918 total_end = per_cpu(orig_ist, cpu).ist[sd];
4919 total_start = total_end - total_size;
4920 if (addr >= total_start && addr < total_end) {
4927 /* find which nested stack the address is in */
4928 while (addr > total_start + sdp->nested_size)
4929 total_start += sdp->nested_size;
4930 ar->stack.physical_start = total_start;
4931 ar->stack.physical_end = total_start + sdp->nested_size;
4932 ar->stack.logical_start = total_start;
4933 ar->stack.logical_end = total_start + sdp->next;
4934 ar->stack.next = *(unsigned long *)ar->stack.logical_end;
4935 ar->stack.id = sdp->id;
4937 /* Nasty: when switching to the interrupt stack, the stack state of the
4938 * caller is split over two stacks, the original stack and the
4939 * interrupt stack. One word (the previous frame pointer) is stored on
4940 * the interrupt stack, the rest of the interrupt data is in the old
4941 * frame. To make the interrupted stack state look as though it is
4942 * contiguous, copy the missing word from the interrupt stack to the
4943 * original stack and adjust the new stack pointer accordingly.
4946 if (sd == INTERRUPT_STACK - 1) {
4947 *(unsigned long *)(ar->stack.next - KDB_WORD_SIZE) =
4949 ar->stack.next -= KDB_WORD_SIZE;
4953 /* rip is not in the thread struct for x86_64. We know that the stack value
4954 * was saved in schedule near the label thread_return. Setting rip to
4955 * thread_return lets the stack trace find that we are in schedule and
4956 * correctly decode its prologue.
4959 static kdb_machreg_t
4960 kdba_bt_stack_rip(const struct task_struct *p)
4962 return bb_thread_return;
4965 #else /* !CONFIG_X86_64 */
4970 #define ARCH_RSP esp
4971 #define ARCH_RIP eip
4972 #define ARCH_NORMAL_PADDING (19 * 4)
4974 #ifdef CONFIG_4KSTACKS
4975 static struct thread_info **kdba_hardirq_ctx, **kdba_softirq_ctx;
4976 #endif /* CONFIG_4KSTACKS */
4978 /* On a 4K stack kernel, hardirq_ctx and softirq_ctx are [NR_CPUS] arrays. The
4979 * first element of each per-cpu stack is a struct thread_info.
4982 kdba_get_stack_info_alternate(kdb_machreg_t addr, int cpu,
4983 struct kdb_activation_record *ar)
4985 #ifdef CONFIG_4KSTACKS
4986 struct thread_info *tinfo;
4987 tinfo = (struct thread_info *)(addr & -THREAD_SIZE);
4989 /* Arbitrary address, see if it falls within any of the irq
4993 for_each_online_cpu(cpu) {
4994 if (tinfo == kdba_hardirq_ctx[cpu] ||
4995 tinfo == kdba_softirq_ctx[cpu]) {
5003 if (tinfo == kdba_hardirq_ctx[cpu] ||
5004 tinfo == kdba_softirq_ctx[cpu]) {
5005 ar->stack.physical_start = (kdb_machreg_t)tinfo;
5006 ar->stack.physical_end = ar->stack.physical_start + THREAD_SIZE;
5007 ar->stack.logical_start = ar->stack.physical_start +
5008 sizeof(struct thread_info);
5009 ar->stack.logical_end = ar->stack.physical_end;
5010 ar->stack.next = tinfo->previous_esp;
5011 if (tinfo == kdba_hardirq_ctx[cpu])
5012 ar->stack.id = "hardirq_ctx";
5014 ar->stack.id = "softirq_ctx";
5016 #endif /* CONFIG_4KSTACKS */
5019 /* rip is in the thread struct for i386 */
5021 static kdb_machreg_t
5022 kdba_bt_stack_rip(const struct task_struct *p)
5024 return p->thread.ip;
5027 #endif /* CONFIG_X86_64 */
5029 /* Given an address which claims to be on a stack, an optional cpu number and
5030 * an optional task address, get information about the stack.
5032 * t == NULL, cpu < 0 indicates an arbitrary stack address with no associated
5033 * struct task, the address can be in an alternate stack or any task's normal
5036 * t != NULL, cpu >= 0 indicates a running task, the address can be in an
5037 * alternate stack or that task's normal stack.
5039 * t != NULL, cpu < 0 indicates a blocked task, the address can only be in that
5040 * task's normal stack.
5042 * t == NULL, cpu >= 0 is not a valid combination.
5046 kdba_get_stack_info(kdb_machreg_t rsp, int cpu,
5047 struct kdb_activation_record *ar,
5048 const struct task_struct *t)
5050 struct thread_info *tinfo;
5051 struct task_struct *g, *p;
5052 memset(&ar->stack, 0, sizeof(ar->stack));
5054 kdb_printf("%s: " RSP "=0x%lx cpu=%d task=%p\n",
5055 __FUNCTION__, rsp, cpu, t);
5056 if (t == NULL || cpu >= 0) {
5057 kdba_get_stack_info_alternate(rsp, cpu, ar);
5058 if (ar->stack.logical_start)
5061 rsp &= -THREAD_SIZE;
5062 tinfo = (struct thread_info *)rsp;
5064 /* Arbitrary stack address without an associated task, see if
5065 * it falls within any normal process stack, including the idle
5068 kdb_do_each_thread(g, p) {
5069 if (tinfo == task_thread_info(p)) {
5073 } kdb_while_each_thread(g, p);
5074 for_each_online_cpu(cpu) {
5076 if (tinfo == task_thread_info(p)) {
5083 kdb_printf("%s: found task %p\n", __FUNCTION__, t);
5084 } else if (cpu >= 0) {
5086 struct kdb_running_process *krp = kdb_running_process + cpu;
5087 if (krp->p != t || tinfo != task_thread_info(t))
5090 kdb_printf("%s: running task %p\n", __FUNCTION__, t);
5093 if (tinfo != task_thread_info(t))
5096 kdb_printf("%s: blocked task %p\n", __FUNCTION__, t);
5099 ar->stack.physical_start = rsp;
5100 ar->stack.physical_end = rsp + THREAD_SIZE;
5101 ar->stack.logical_start = rsp + sizeof(struct thread_info);
5102 ar->stack.logical_end = ar->stack.physical_end - ARCH_NORMAL_PADDING;
5104 ar->stack.id = "normal";
5107 if (ar->stack.physical_start && KDB_DEBUG(ARA)) {
5108 kdb_printf("%s: ar->stack\n", __FUNCTION__);
5109 kdb_printf(" physical_start=0x%lx\n", ar->stack.physical_start);
5110 kdb_printf(" physical_end=0x%lx\n", ar->stack.physical_end);
5111 kdb_printf(" logical_start=0x%lx\n", ar->stack.logical_start);
5112 kdb_printf(" logical_end=0x%lx\n", ar->stack.logical_end);
5113 kdb_printf(" next=0x%lx\n", ar->stack.next);
5114 kdb_printf(" id=%s\n", ar->stack.id);
5115 kdb_printf(" set MDCOUNT %ld\n",
5116 (ar->stack.physical_end - ar->stack.physical_start) /
5118 kdb_printf(" mds " kdb_machreg_fmt0 "\n",
5119 ar->stack.physical_start);
5124 bt_print_one(kdb_machreg_t rip, kdb_machreg_t rsp,
5125 const struct kdb_activation_record *ar,
5126 const kdb_symtab_t *symtab, int argcount)
5131 kdbgetintenv("BTSYMARG", &btsymarg);
5132 kdbgetintenv("NOSECT", &nosect);
5134 kdb_printf(kdb_machreg_fmt0, rsp);
5135 kdb_symbol_print(rip, symtab,
5136 KDB_SP_SPACEB|KDB_SP_VALUE);
5137 if (argcount && ar->args) {
5138 int i, argc = ar->args;
5140 if (argc > argcount)
5142 for (i = 0; i < argc; i++) {
5145 if (test_bit(i, ar->valid.bits))
5146 kdb_printf("0x%lx", ar->arg[i]);
5148 kdb_printf("invalid");
5153 if (symtab->sym_name) {
5157 if (symtab->sec_name && symtab->sec_start)
5158 kdb_printf(" 0x%lx 0x%lx",
5159 symtab->sec_start, symtab->sec_end);
5160 kdb_printf(" 0x%lx 0x%lx\n",
5161 symtab->sym_start, symtab->sym_end);
5164 if (argcount && ar->args && btsymarg) {
5165 int i, argc = ar->args;
5166 kdb_symtab_t arg_symtab;
5167 for (i = 0; i < argc; i++) {
5168 kdb_machreg_t arg = ar->arg[i];
5169 if (test_bit(i, ar->valid.bits) &&
5170 kdbnearsym(arg, &arg_symtab)) {
5171 kdb_printf(" ARG %2d ", i);
5172 kdb_symbol_print(arg, &arg_symtab,
5173 KDB_SP_DEFAULT|KDB_SP_NEWLINE);
5180 kdba_bt_new_stack(struct kdb_activation_record *ar, kdb_machreg_t *rsp,
5181 int *count, int *suppress)
5183 /* Nasty: common_interrupt builds a partial pt_regs, with r15 through
5184 * rbx not being filled in. It passes struct pt_regs* to do_IRQ (in
5185 * rdi) but the stack pointer is not adjusted to account for r15
5186 * through rbx. This has two effects :-
5188 * (1) struct pt_regs on an external interrupt actually overlaps with
5189 * the local stack area used by do_IRQ. Not only are r15-rbx
5190 * undefined, the area that claims to hold their values can even
5191 * change as the irq is processed.
5193 * (2) The back stack pointer saved for the new frame is not pointing
5194 * at pt_regs, it is pointing at rbx within the pt_regs passed to
5197 * There is nothing that I can do about (1) but I have to fix (2)
5198 * because kdb backtrace looks for the "start" address of pt_regs as it
5199 * walks back through the stacks. When switching from the interrupt
5200 * stack to another stack, we have to assume that pt_regs has been
5201 * seen and turn off backtrace supression.
5203 int probable_pt_regs = strcmp(ar->stack.id, "interrupt") == 0;
5204 *rsp = ar->stack.next;
5206 kdb_printf("new " RSP "=" kdb_machreg_fmt0 "\n", *rsp);
5207 bb_actual_set_value(BBRG_RSP, *rsp);
5208 kdba_get_stack_info(*rsp, -1, ar, NULL);
5209 if (!ar->stack.physical_start) {
5210 kdb_printf("+++ Cannot resolve next stack\n");
5211 } else if (!*suppress) {
5212 kdb_printf(" ======================= <%s>\n",
5216 if (probable_pt_regs)
5224 * addr Address provided to 'bt' command, if any.
5226 * p Pointer to task for 'btp' command.
5230 * zero for success, a kdb diagnostic if error
5234 * Ultimately all the bt* commands come through this routine. If
5235 * old_style is 0 then it uses the basic block analysis to get an accurate
5236 * backtrace with arguments, otherwise it falls back to the old method of
5237 * printing anything on stack that looks like a kernel address.
5239 * Allowing for the stack data pushed by the hardware is tricky. We
5240 * deduce the presence of hardware pushed data by looking for interrupt
5241 * handlers, either by name or by the code that they contain. This
5242 * information must be applied to the next function up the stack, because
5243 * the hardware data is above the saved rip for the interrupted (next)
5246 * To make things worse, the amount of data pushed is arch specific and
5247 * may depend on the rsp for the next function, not the current function.
5248 * The number of bytes pushed by hardware cannot be calculated until we
5249 * are actually processing the stack for the interrupted function and have
5252 * It is also possible for an interrupt to occur in user space and for the
5253 * interrupt handler to also be interrupted. Check the code selector
5254 * whenever the previous function is an interrupt handler and stop
5255 * backtracing if the interrupt was not in kernel space.
5259 kdba_bt_stack(kdb_machreg_t addr, int argcount, const struct task_struct *p,
5262 struct kdb_activation_record ar;
5263 kdb_machreg_t rip = 0, rsp = 0, prev_rsp, cs;
5264 kdb_symtab_t symtab;
5265 int rip_at_rsp = 0, count = 0, btsp = 0, suppress,
5266 interrupt_handler = 0, prev_interrupt_handler = 0, hardware_pushed,
5268 struct pt_regs *regs = NULL;
5270 kdbgetintenv("BTSP", &btsp);
5272 memset(&ar, 0, sizeof(ar));
5274 kdb_printf("Using old style backtrace, unreliable with no arguments\n");
5277 * The caller may have supplied an address at which the stack traceback
5278 * operation should begin. This address is assumed by this code to
5279 * point to a return address on the stack to be traced back.
5281 * Warning: type in the wrong address and you will get garbage in the
5286 kdb_getword(&rip, rsp, sizeof(rip));
5289 kdba_get_stack_info(rsp, -1, &ar, NULL);
5292 struct kdb_running_process *krp =
5293 kdb_running_process + task_cpu(p);
5298 krp->seqno >= kdb_seqno - 1 &&
5299 !KDB_NULL_REGS(regs)) {
5300 /* valid saved state, continue processing */
5303 ("Process did not save state, cannot backtrace\n");
5307 kdba_getregcontents(XCS, regs, &cs);
5308 if ((cs & 0xffff) != __KERNEL_CS) {
5309 kdb_printf("Stack is not in kernel space, backtrace not available\n");
5312 rip = krp->arch.ARCH_RIP;
5313 rsp = krp->arch.ARCH_RSP;
5314 kdba_get_stack_info(rsp, kdb_process_cpu(p), &ar, p);
5316 /* Not on cpu, assume blocked. Blocked tasks do not
5317 * have pt_regs. p->thread contains some data, alas
5318 * what it contains differs between i386 and x86_64.
5320 rip = kdba_bt_stack_rip(p);
5323 kdba_get_stack_info(rsp, -1, &ar, p);
5326 if (!ar.stack.physical_start) {
5327 kdb_printf(RSP "=0x%lx is not in a valid kernel stack, backtrace not available\n",
5331 memset(&bb_actual, 0, sizeof(bb_actual));
5332 bb_actual_set_value(BBRG_RSP, rsp);
5333 bb_actual_set_valid(BBRG_RSP, 1);
5335 kdb_printf(RSP "%*s" RIP "%*sFunction (args)\n",
5336 2*KDB_WORD_SIZE, " ",
5337 2*KDB_WORD_SIZE, " ");
5338 if (ar.stack.next && !suppress)
5339 kdb_printf(" ======================= <%s>\n",
5343 /* Run through all the stacks */
5344 while (ar.stack.physical_start) {
5346 rip = *(kdb_machreg_t *)rsp;
5347 /* I wish that gcc was fixed to include a nop
5348 * instruction after ATTRIB_NORET functions. The lack
5349 * of a nop means that the return address points to the
5350 * start of next function, so fudge it to point to one
5353 * No, we cannot just decrement all rip values.
5354 * Sometimes an rip legally points to the start of a
5355 * function, e.g. interrupted code or hand crafted
5359 kdbnearsym(rip, &symtab);
5360 if (rip == symtab.sym_start) {
5363 kdb_printf("\tprev_noret, " RIP
5368 kdbnearsym(rip, &symtab);
5370 if (__kernel_text_address(rip) && !suppress) {
5371 bt_print_one(rip, rsp, &ar, &symtab, 0);
5374 if (rsp == (unsigned long)regs) {
5375 if (ar.stack.next && suppress)
5376 kdb_printf(" ======================= <%s>\n",
5383 if (rsp >= ar.stack.logical_end) {
5386 kdba_bt_new_stack(&ar, &rsp, &count, &suppress);
5391 /* Start each analysis with no dynamic data from the
5392 * previous kdb_bb() run.
5398 prev_interrupt_handler = interrupt_handler;
5399 interrupt_handler = bb_interrupt_handler(rip);
5402 if (prev_interrupt_handler) {
5403 cs = *((kdb_machreg_t *)rsp + 1) & 0xffff;
5405 bb_hardware_pushed_arch(rsp, &ar);
5408 hardware_pushed = 0;
5410 rsp += sizeof(rip) + hardware_pushed;
5412 kdb_printf("%s: " RSP " "
5414 " -> " kdb_machreg_fmt0
5415 " hardware_pushed %d"
5416 " prev_interrupt_handler %d"
5422 prev_interrupt_handler,
5424 if (rsp >= ar.stack.logical_end &&
5426 kdba_bt_new_stack(&ar, &rsp, &count,
5431 bb_actual_set_value(BBRG_RSP, rsp);
5436 bb_actual_rollback(&ar);
5439 if (bb_actual_value(BBRG_RSP) < rsp) {
5440 kdb_printf("%s: " RSP " is going backwards, "
5441 kdb_machreg_fmt0 " -> "
5442 kdb_machreg_fmt0 "\n",
5445 bb_actual_value(BBRG_RSP));
5451 bt_print_one(rip, prev_rsp, &ar, &symtab, argcount);
5454 /* Functions that terminate the backtrace */
5455 if (strcmp(bb_func_name, "cpu_idle") == 0 ||
5456 strcmp(bb_func_name, "child_rip") == 0)
5458 if (rsp >= ar.stack.logical_end &&
5461 if (rsp <= (unsigned long)regs &&
5462 bb_actual_value(BBRG_RSP) > (unsigned long)regs) {
5463 if (ar.stack.next && suppress)
5464 kdb_printf(" ======================= <%s>\n",
5469 if (cs != __KERNEL_CS) {
5470 kdb_printf("Reached user space\n");
5473 rsp = bb_actual_value(BBRG_RSP);
5475 prev_noret = bb_noret(bb_func_name);
5482 kdbnearsym_cleanup();
5485 kdb_printf("bt truncated, count limit reached\n");
5487 } else if (suppress) {
5489 ("bt did not find pt_regs - no trace produced. Suggest 'set BTSP 1'\n");
5499 * Do a backtrace starting at a specified stack address. Use this if the
5500 * heuristics get the stack decode wrong.
5503 * addr Address provided to 'bt' command.
5508 * zero for success, a kdb diagnostic if error
5512 * mds %rsp comes in handy when examining the stack to do a manual
5516 int kdba_bt_address(kdb_machreg_t addr, int argcount)
5519 kdba_id_init(&kdb_di); /* kdb_bb needs this done once */
5520 ret = kdba_bt_stack(addr, argcount, NULL, 0);
5522 ret = kdba_bt_stack(addr, argcount, NULL, 1);
5529 * Do a backtrace for a specified process.
5532 * p Struct task pointer extracted by 'bt' command.
5537 * zero for success, a kdb diagnostic if error
5542 int kdba_bt_process(const struct task_struct *p, int argcount)
5545 kdba_id_init(&kdb_di); /* kdb_bb needs this done once */
5546 ret = kdba_bt_stack(0, argcount, p, 0);
5548 ret = kdba_bt_stack(0, argcount, p, 1);
5552 static int __init kdba_bt_x86_init(void)
5555 struct bb_name_state *r;
5557 kdb_register_repeat("bb1", kdb_bb1, "<vaddr>", "Analyse one basic block", 0, KDB_REPEAT_NONE);
5558 kdb_register_repeat("bb_all", kdb_bb_all, "", "Backtrace check on all built in functions", 0, KDB_REPEAT_NONE);
5560 /* Split the opcode usage table by the first letter of each set of
5561 * opcodes, for faster mapping of opcode to its operand usage.
5563 for (i = 0; i < ARRAY_SIZE(bb_opcode_usage_all); ++i) {
5564 c = bb_opcode_usage_all[i].opcode[0] - 'a';
5567 bb_opcode_usage[c].opcode = bb_opcode_usage_all + i;
5569 ++bb_opcode_usage[c].size;
5572 bb_common_interrupt = kallsyms_lookup_name("common_interrupt");
5573 bb_error_entry = kallsyms_lookup_name("error_entry");
5574 bb_ret_from_intr = kallsyms_lookup_name("ret_from_intr");
5575 bb_thread_return = kallsyms_lookup_name("thread_return");
5576 bb_sync_regs = kallsyms_lookup_name("sync_regs");
5577 bb_save_v86_state = kallsyms_lookup_name("save_v86_state");
5578 bb__sched_text_start = kallsyms_lookup_name("__sched_text_start");
5579 bb__sched_text_end = kallsyms_lookup_name("__sched_text_end");
5580 for (i = 0, r = bb_special_cases;
5581 i < ARRAY_SIZE(bb_special_cases);
5583 r->address = kallsyms_lookup_name(r->name);
5586 #ifdef CONFIG_4KSTACKS
5587 kdba_hardirq_ctx = (struct thread_info **)kallsyms_lookup_name("hardirq_ctx");
5588 kdba_softirq_ctx = (struct thread_info **)kallsyms_lookup_name("softirq_ctx");
5589 #endif /* CONFIG_4KSTACKS */
5594 static void __exit kdba_bt_x86_exit(void)
5596 kdb_unregister("bb1");
5597 kdb_unregister("bb_all");
5600 module_init(kdba_bt_x86_init)
5601 module_exit(kdba_bt_x86_exit)
projects / linux-flexiantxendom0-3.2.10.git / blob