| 1 | /* Copyright (c) 2018, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #ifndef OPENSSL_HEADER_ABI_TEST_H |
| 16 | #define OPENSSL_HEADER_ABI_TEST_H |
| 17 | |
| 18 | #include <gtest/gtest.h> |
| 19 | |
| 20 | #include <string> |
| 21 | #include <type_traits> |
| 22 | #include <vector> |
| 23 | |
| 24 | #include <openssl/base.h> |
| 25 | |
| 26 | #include "../internal.h" |
| 27 | |
| 28 | |
| 29 | // abi_test provides routines for verifying that functions satisfy platform ABI |
| 30 | // requirements. |
| 31 | namespace abi_test { |
| 32 | |
| 33 | // Result stores the result of an ABI test. |
struct Result {
  // A run succeeded exactly when no error message was recorded.
  bool ok() const { return errors.size() == 0; }

  // One human-readable message per ABI violation that was observed.
  std::vector<std::string> errors;
};
| 39 | |
| 40 | namespace internal { |
| 41 | |
| 42 | // DeductionGuard wraps |T| in a template, so that template argument deduction |
| 43 | // does not apply to it. This may be used to force C++ to deduce template |
| 44 | // arguments from another parameter. |
// Naming a parameter type as DeductionGuard<T>::Type puts |T| in a
// non-deduced context, so the compiler has to deduce |T| from some other
// parameter of the same function template.
template <class T>
struct DeductionGuard {
  typedef T Type;
};
| 49 | |
| 50 | // Reg128 contains storage space for a 128-bit register. |
struct alignas(16) Reg128 {
  // Two values are equal only when both 64-bit halves match.
  bool operator==(const Reg128 &other) const {
    return lo == other.lo && hi == other.hi;
  }
  bool operator!=(const Reg128 &other) const { return !(*this == other); }

  // The two 64-bit halves of the register image, declared in the order
  // |lo|, |hi|.
  uint64_t lo;
  uint64_t hi;
};
| 56 | |
| 57 | // LOOP_CALLER_STATE_REGISTERS is a macro that iterates over all registers the |
| 58 | // callee is expected to save for the caller, with the exception of the stack |
| 59 | // pointer. The stack pointer is tested implicitly by the function successfully |
| 60 | // returning at all. |
| 61 | #if defined(OPENSSL_X86_64) |
| 62 | |
| 63 | // References: |
| 64 | // SysV64: https://github.com/hjl-tools/x86-psABI/wiki/x86-64-psABI-1.0.pdf |
| 65 | // Win64: https://docs.microsoft.com/en-us/cpp/build/x64-software-conventions?view=vs-2017#register-usage |
| 66 | #if defined(OPENSSL_WINDOWS) |
| 67 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 68 | CALLER_STATE_REGISTER(uint64_t, rbx) \ |
| 69 | CALLER_STATE_REGISTER(uint64_t, rbp) \ |
| 70 | CALLER_STATE_REGISTER(uint64_t, rdi) \ |
| 71 | CALLER_STATE_REGISTER(uint64_t, rsi) \ |
| 72 | CALLER_STATE_REGISTER(uint64_t, r12) \ |
| 73 | CALLER_STATE_REGISTER(uint64_t, r13) \ |
| 74 | CALLER_STATE_REGISTER(uint64_t, r14) \ |
| 75 | CALLER_STATE_REGISTER(uint64_t, r15) \ |
| 76 | CALLER_STATE_REGISTER(Reg128, xmm6) \ |
| 77 | CALLER_STATE_REGISTER(Reg128, xmm7) \ |
| 78 | CALLER_STATE_REGISTER(Reg128, xmm8) \ |
| 79 | CALLER_STATE_REGISTER(Reg128, xmm9) \ |
| 80 | CALLER_STATE_REGISTER(Reg128, xmm10) \ |
| 81 | CALLER_STATE_REGISTER(Reg128, xmm11) \ |
| 82 | CALLER_STATE_REGISTER(Reg128, xmm12) \ |
| 83 | CALLER_STATE_REGISTER(Reg128, xmm13) \ |
| 84 | CALLER_STATE_REGISTER(Reg128, xmm14) \ |
| 85 | CALLER_STATE_REGISTER(Reg128, xmm15) |
| 86 | #else |
| 87 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 88 | CALLER_STATE_REGISTER(uint64_t, rbx) \ |
| 89 | CALLER_STATE_REGISTER(uint64_t, rbp) \ |
| 90 | CALLER_STATE_REGISTER(uint64_t, r12) \ |
| 91 | CALLER_STATE_REGISTER(uint64_t, r13) \ |
| 92 | CALLER_STATE_REGISTER(uint64_t, r14) \ |
| 93 | CALLER_STATE_REGISTER(uint64_t, r15) |
| 94 | #endif // OPENSSL_WINDOWS |
| 95 | |
| 96 | #elif defined(OPENSSL_X86) |
| 97 | |
| 98 | // References: |
| 99 | // SysV32: https://uclibc.org/docs/psABI-i386.pdf |
| 100 | // Win32: https://docs.microsoft.com/en-us/cpp/cpp/argument-passing-and-naming-conventions?view=vs-2017 |
| 101 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 102 | CALLER_STATE_REGISTER(uint32_t, esi) \ |
| 103 | CALLER_STATE_REGISTER(uint32_t, edi) \ |
| 104 | CALLER_STATE_REGISTER(uint32_t, ebx) \ |
| 105 | CALLER_STATE_REGISTER(uint32_t, ebp) |
| 106 | |
| 107 | #elif defined(OPENSSL_ARM) |
| 108 | |
| 109 | // References: |
| 110 | // AAPCS: https://developer.arm.com/docs/ihi0042/latest |
| 111 | // iOS32: https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARMv6FunctionCallingConventions.html |
| 112 | // Linux: http://sourcery.mentor.com/sgpp/lite/arm/portal/kbattach142/arm_gnu_linux_%20abi.pdf |
| 113 | // |
| 114 | // ARM specifies a common calling convention, except r9 is left to the platform. |
| 115 | // Linux treats r9 as callee-saved, while iOS 3+ treats it as caller-saved. Most |
| 116 | // of our assembly treats it as callee-saved to be uniform, but we match the |
| 117 | // platform to avoid false positives when testing compiler-generated output. |
| 118 | #define LOOP_CALLER_STATE_REGISTERS_PRE_R9() \ |
| 119 | CALLER_STATE_REGISTER(uint64_t, d8) \ |
| 120 | CALLER_STATE_REGISTER(uint64_t, d9) \ |
| 121 | CALLER_STATE_REGISTER(uint64_t, d10) \ |
| 122 | CALLER_STATE_REGISTER(uint64_t, d11) \ |
| 123 | CALLER_STATE_REGISTER(uint64_t, d12) \ |
| 124 | CALLER_STATE_REGISTER(uint64_t, d13) \ |
| 125 | CALLER_STATE_REGISTER(uint64_t, d14) \ |
| 126 | CALLER_STATE_REGISTER(uint64_t, d15) \ |
| 127 | CALLER_STATE_REGISTER(uint32_t, r4) \ |
| 128 | CALLER_STATE_REGISTER(uint32_t, r5) \ |
| 129 | CALLER_STATE_REGISTER(uint32_t, r6) \ |
| 130 | CALLER_STATE_REGISTER(uint32_t, r7) \ |
| 131 | CALLER_STATE_REGISTER(uint32_t, r8) |
| 132 | #define LOOP_CALLER_STATE_REGISTERS_POST_R9() \ |
| 133 | CALLER_STATE_REGISTER(uint32_t, r10) \ |
| 134 | CALLER_STATE_REGISTER(uint32_t, r11) |
| 135 | #if defined(OPENSSL_APPLE) |
| 136 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 137 | LOOP_CALLER_STATE_REGISTERS_PRE_R9() \ |
| 138 | LOOP_CALLER_STATE_REGISTERS_POST_R9() |
| 139 | #else // !OPENSSL_APPLE |
| 140 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 141 | LOOP_CALLER_STATE_REGISTERS_PRE_R9() \ |
| 142 | CALLER_STATE_REGISTER(uint32_t, r9) \ |
| 143 | LOOP_CALLER_STATE_REGISTERS_POST_R9() |
| 144 | #endif // OPENSSL_APPLE |
| 145 | |
| 146 | #elif defined(OPENSSL_AARCH64) |
| 147 | |
| 148 | // References: |
| 149 | // AAPCS64: https://developer.arm.com/docs/ihi0055/latest |
| 150 | // iOS64: https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html |
| 151 | // |
| 152 | // In aarch64, r18 (accessed as w18 or x18 in a 64-bit context) is the platform |
| 153 | // register. iOS says user code may not touch it. We found no clear reference |
| 154 | // for Linux. The iOS behavior implies portable assembly cannot use it, and |
| 155 | // aarch64 has many registers. Thus this framework ignores the register's existence. |
| 156 | // We test r18 violations in arm-xlate.pl. |
| 157 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 158 | /* Per AAPCS64, section 5.1.2, only the bottom 64 bits of v8-v15 */ \ |
| 159 | /* are preserved. These are accessed as dN. */ \ |
| 160 | CALLER_STATE_REGISTER(uint64_t, d8) \ |
| 161 | CALLER_STATE_REGISTER(uint64_t, d9) \ |
| 162 | CALLER_STATE_REGISTER(uint64_t, d10) \ |
| 163 | CALLER_STATE_REGISTER(uint64_t, d11) \ |
| 164 | CALLER_STATE_REGISTER(uint64_t, d12) \ |
| 165 | CALLER_STATE_REGISTER(uint64_t, d13) \ |
| 166 | CALLER_STATE_REGISTER(uint64_t, d14) \ |
| 167 | CALLER_STATE_REGISTER(uint64_t, d15) \ |
| 168 | /* For consistency with dN, use the 64-bit name xN, rather than */ \ |
| 169 | /* the generic rN. */ \ |
| 170 | CALLER_STATE_REGISTER(uint64_t, x19) \ |
| 171 | CALLER_STATE_REGISTER(uint64_t, x20) \ |
| 172 | CALLER_STATE_REGISTER(uint64_t, x21) \ |
| 173 | CALLER_STATE_REGISTER(uint64_t, x22) \ |
| 174 | CALLER_STATE_REGISTER(uint64_t, x23) \ |
| 175 | CALLER_STATE_REGISTER(uint64_t, x24) \ |
| 176 | CALLER_STATE_REGISTER(uint64_t, x25) \ |
| 177 | CALLER_STATE_REGISTER(uint64_t, x26) \ |
| 178 | CALLER_STATE_REGISTER(uint64_t, x27) \ |
| 179 | CALLER_STATE_REGISTER(uint64_t, x28) \ |
| 180 | CALLER_STATE_REGISTER(uint64_t, x29) |
| 181 | |
| 182 | #elif defined(OPENSSL_PPC64LE) |
| 183 | |
| 184 | // CRReg only compares the CR2-CR4 bits of a CR register. |
struct CRReg {
  // Returns |value| with everything outside the compared fields cleared.
  uint32_t masked() const {
    // Bits selecting the CR2, CR3 and CR4 fields of the condition register.
    const uint32_t kComparedBits = 0x00fff000;
    return value & kComparedBits;
  }

  // Comparison looks only at the masked bits; all other bits of |value| are
  // ignored.
  bool operator==(CRReg r) const { return r.masked() == masked(); }
  bool operator!=(CRReg r) const { return !(*this == r); }

  // Raw condition-register contents.
  uint32_t value;
};
| 191 | |
| 192 | // References: |
| 193 | // ELFv2: http://openpowerfoundation.org/wp-content/uploads/resources/leabi/leabi-20170510.pdf |
| 194 | // |
| 195 | // Note vector and floating-point registers on POWER have two different names. |
| 196 | // Originally, there were 32 floating-point registers and 32 vector registers, |
| 197 | // labelled f0-f31 and v0-v31 respectively. Later, VSX (Vector Scalar Extension) |
| 198 | // unified them into 64 registers vs0-vs63. f0-f31 map to the lower halves of |
| 199 | // vs0-vs31. v0-v31 map to vs32-vs63. The ABI was defined in terms of pre-VSX |
| 200 | // names, so we use those names here. In particular, f14-f31 are |
| 201 | // callee-saved, but the upper halves of vs14-vs31 are not. |
| 202 | #define LOOP_CALLER_STATE_REGISTERS() \ |
| 203 | CALLER_STATE_REGISTER(Reg128, v20) \ |
| 204 | CALLER_STATE_REGISTER(Reg128, v21) \ |
| 205 | CALLER_STATE_REGISTER(Reg128, v22) \ |
| 206 | CALLER_STATE_REGISTER(Reg128, v23) \ |
| 207 | CALLER_STATE_REGISTER(Reg128, v24) \ |
| 208 | CALLER_STATE_REGISTER(Reg128, v25) \ |
| 209 | CALLER_STATE_REGISTER(Reg128, v26) \ |
| 210 | CALLER_STATE_REGISTER(Reg128, v27) \ |
| 211 | CALLER_STATE_REGISTER(Reg128, v28) \ |
| 212 | CALLER_STATE_REGISTER(Reg128, v29) \ |
| 213 | CALLER_STATE_REGISTER(Reg128, v30) \ |
| 214 | CALLER_STATE_REGISTER(Reg128, v31) \ |
| 215 | CALLER_STATE_REGISTER(uint64_t, r14) \ |
| 216 | CALLER_STATE_REGISTER(uint64_t, r15) \ |
| 217 | CALLER_STATE_REGISTER(uint64_t, r16) \ |
| 218 | CALLER_STATE_REGISTER(uint64_t, r17) \ |
| 219 | CALLER_STATE_REGISTER(uint64_t, r18) \ |
| 220 | CALLER_STATE_REGISTER(uint64_t, r19) \ |
| 221 | CALLER_STATE_REGISTER(uint64_t, r20) \ |
| 222 | CALLER_STATE_REGISTER(uint64_t, r21) \ |
| 223 | CALLER_STATE_REGISTER(uint64_t, r22) \ |
| 224 | CALLER_STATE_REGISTER(uint64_t, r23) \ |
| 225 | CALLER_STATE_REGISTER(uint64_t, r24) \ |
| 226 | CALLER_STATE_REGISTER(uint64_t, r25) \ |
| 227 | CALLER_STATE_REGISTER(uint64_t, r26) \ |
| 228 | CALLER_STATE_REGISTER(uint64_t, r27) \ |
| 229 | CALLER_STATE_REGISTER(uint64_t, r28) \ |
| 230 | CALLER_STATE_REGISTER(uint64_t, r29) \ |
| 231 | CALLER_STATE_REGISTER(uint64_t, r30) \ |
| 232 | CALLER_STATE_REGISTER(uint64_t, r31) \ |
| 233 | CALLER_STATE_REGISTER(uint64_t, f14) \ |
| 234 | CALLER_STATE_REGISTER(uint64_t, f15) \ |
| 235 | CALLER_STATE_REGISTER(uint64_t, f16) \ |
| 236 | CALLER_STATE_REGISTER(uint64_t, f17) \ |
| 237 | CALLER_STATE_REGISTER(uint64_t, f18) \ |
| 238 | CALLER_STATE_REGISTER(uint64_t, f19) \ |
| 239 | CALLER_STATE_REGISTER(uint64_t, f20) \ |
| 240 | CALLER_STATE_REGISTER(uint64_t, f21) \ |
| 241 | CALLER_STATE_REGISTER(uint64_t, f22) \ |
| 242 | CALLER_STATE_REGISTER(uint64_t, f23) \ |
| 243 | CALLER_STATE_REGISTER(uint64_t, f24) \ |
| 244 | CALLER_STATE_REGISTER(uint64_t, f25) \ |
| 245 | CALLER_STATE_REGISTER(uint64_t, f26) \ |
| 246 | CALLER_STATE_REGISTER(uint64_t, f27) \ |
| 247 | CALLER_STATE_REGISTER(uint64_t, f28) \ |
| 248 | CALLER_STATE_REGISTER(uint64_t, f29) \ |
| 249 | CALLER_STATE_REGISTER(uint64_t, f30) \ |
| 250 | CALLER_STATE_REGISTER(uint64_t, f31) \ |
| 251 | CALLER_STATE_REGISTER(CRReg, cr) |
| 252 | |
| 253 | #endif // X86_64 || X86 || ARM || AARCH64 || PPC64LE |
| 254 | |
| 255 | // Enable ABI testing if all of the following are true. |
| 256 | // |
| 257 | // - We have CallerState and trampoline support for the architecture. |
| 258 | // |
| 259 | // - Assembly is enabled. |
| 260 | // |
| 261 | // - This is not a shared library build. Assembly functions are not reachable |
| 262 | // from tests in shared library builds. |
| 263 | #if defined(LOOP_CALLER_STATE_REGISTERS) && !defined(OPENSSL_NO_ASM) && \ |
| 264 | !defined(BORINGSSL_SHARED_LIBRARY) |
| 265 | #define SUPPORTS_ABI_TEST |
| 266 | |
| 267 | // CallerState contains all caller state that the callee is expected to |
| 268 | // preserve. |
struct CallerState {
// X-macro expansion: every CALLER_STATE_REGISTER(type, name) entry listed by
// LOOP_CALLER_STATE_REGISTERS() becomes one data member |type name;|, so the
// struct's members follow the order of the register list selected above for
// the target architecture.
#define CALLER_STATE_REGISTER(type, name) type name;
  LOOP_CALLER_STATE_REGISTERS()
// Undefined again so that other code can expand the same register list with a
// different per-register action.
#undef CALLER_STATE_REGISTER
};
| 274 | |
| 275 | // RunTrampoline runs |func| on |argv|, recording ABI errors in |out|. It does |
| 276 | // not perform any type-checking. If |unwind| is true and unwind tests have been |
| 277 | // enabled, |func| is single-stepped under an unwind test. |
| 278 | crypto_word_t RunTrampoline(Result *out, crypto_word_t func, |
| 279 | const crypto_word_t *argv, size_t argc, |
| 280 | bool unwind); |
| 281 | |
// ToWord converts one argument |t| into the |crypto_word_t| that is placed in
// the trampoline's argument vector. On targets where the ABI leaves the unused
// bits of a narrow argument unspecified, those bits are deliberately filled
// with a recognisable pattern so that a callee which wrongly relies on them
// misbehaves under test.
template <typename T>
inline crypto_word_t ToWord(T t) {
  // Platform ABIs usually pass floats and structs by different rules than
  // integers and pointers. Only integers and pointers are supported.
  static_assert(std::is_integral<T>::value || std::is_pointer<T>::value,
                "parameter types must be integral or pointer types");
  // The value has to fit in a single register.
  static_assert(sizeof(T) <= sizeof(crypto_word_t),
                "parameter types must be at most word-sized");

  // Arguments narrower than a native word are where ABIs get complicated.
  // Parameters passed in memory are sometimes packed and sometimes padded to a
  // word. When a parameter is padded in memory or passed in a wider register,
  // the unused bits may be undefined, sign-extended or zero-extended.
  //
  // Casting to |crypto_word_t| everywhere would be simpler, but on platforms
  // where the padding is undefined the bits are perturbed to test that the
  // function accounts for this.
#if defined(OPENSSL_32_BIT)
  // Nothing smaller than int is ever passed, so 32-bit architectures simply
  // require word-sized parameters.
  static_assert(sizeof(T) == 4, "parameter types must be word-sized");
  return (crypto_word_t)t;
#elif defined(OPENSSL_PPC64LE)
  // ELFv2, section 2.2.2.3 says the parameter save area sign- or zero-extends
  // parameters passed in memory. Section 2.2.3 is unclear about register
  // parameters, but section 2.2.2.3 also says the memory copy of a parameter
  // is identical to the register one.
  return (crypto_word_t)t;
#elif defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)
  // AAPCS64, section 5.4.2, clauses C.7 and C.14 say any remaining bits on
  // aarch64 are unspecified. iOS64 contradicts this and says the callee
  // extends arguments up to 32 bits, with only the upper 32 bits unspecified.
  //
  // On x86_64, Win64 leaves all unused bits unspecified. SysV also leaves
  // unused bits in stack parameters unspecified, but behaves like iOS64 for
  // register parameters. This was determined via experimentation.
  //
  // Parameters are limited to 32 and 64 bits, the subset where all of the
  // above agree, and functions are then tested for tolerance of arbitrary
  // unused bits.
  //
  // TODO(davidben): Find authoritative citations for x86_64. For x86_64, I
  // observed the behavior of Clang, GCC, and MSVC. ABI rules here may be
  // inferred from two kinds of experiments:
  //
  // 1. When passing a value to a small-argument-taking function, does the
  //    compiler ensure unused bits are cleared, sign-extended, etc.? Tests for
  //    register parameters are confounded by x86_64's implicit clearing of
  //    registers' upper halves, but passing some_u64 >> 1 usually clears this.
  //
  // 2. When compiling a small-argument-taking function, does the compiler make
  //    assumptions about unused bits of arguments?
  //
  // MSVC was observed to tolerate and produce arbitrary values for unused bits,
  // which is conclusive. GCC and Clang, targeting Linux, were similarly
  // conclusive on stack parameters. Clang was also conclusive for register
  // parameters. Callers only extended parameters up to 32 bits, and callees
  // took advantage of the 32-bit extension. GCC only exhibited the callee
  // behavior.
  static_assert(sizeof(T) >= 4, "parameters must be at least 32 bits wide");
  crypto_word_t word;
  // A 0xaa fill (0b10101010) is far outside what code expecting either sign-
  // or zero-extension would see in the extra bits.
  OPENSSL_memset(&word, 0xaa, sizeof(word));
  // NOTE(review): the copy lands in the lowest-addressed bytes of |word|,
  // which are its low-order bits only on a little-endian target - confirm
  // before enabling this branch for a big-endian build.
  OPENSSL_memcpy(&word, &t, sizeof(T));
  return word;
#else
#error "unknown architecture"
#endif
}
| 352 | |
| 353 | // CheckImpl runs |func| on |args|, recording ABI errors in |out|. If |unwind| |
| 354 | // is true and unwind tests have been enabled, |func| is single-stepped under an |
| 355 | // unwind test. |
| 356 | // |
| 357 | // It returns the value as a |crypto_word_t| to work around problems when |R| is |
| 358 | // void. |args| is wrapped in a |DeductionGuard| so |func| determines the |
| 359 | // template arguments. Otherwise, |args| may deduce |Args| incorrectly. For |
| 360 | // instance, if |func| takes const int *, and the caller passes an int *, the |
| 361 | // compiler will complain the deduced types do not match. |
template <typename R, typename... Args>
inline crypto_word_t CheckImpl(Result *out, bool unwind, R (*func)(Args...),
                               typename DeductionGuard<Args>::Type... args) {
  // At most 8 arguments are supported, so on aarch64 and ppc64le every
  // argument travels in a register. That keeps things simple and sidesteps the
  // iOS discrepancy around packing small arguments on the stack. (See the
  // iOS64 reference.)
  static_assert(sizeof...(args) <= 8,
                "too many arguments for abi_test_trampoline");

  // The array has one spare slot so that a zero-argument call does not produce
  // a zero-size array, which MSVC complains about.
  crypto_word_t argv[sizeof...(args) + 1] = {
      ToWord(args)...,
  };

  // The function pointer is handed over as a plain word; from here on nothing
  // checks that |argv| matches the signature of |func|.
  const crypto_word_t func_word = reinterpret_cast<crypto_word_t>(func);
  return RunTrampoline(out, func_word, argv, sizeof...(args), unwind);
}
| 378 | #else |
| 379 | // To simplify callers when ABI testing support is unavailable, provide a backup |
| 380 | // CheckImpl implementation. It must be specialized for void returns because we |
| 381 | // call |func| directly. |
// Fallback for non-void |func|: no ABI instrumentation is performed. |out| is
// reset to an error-free Result, |func| is called directly on |args|, and its
// return value is converted to a |crypto_word_t|.
template <typename R, typename... Args>
inline typename std::enable_if<!std::is_void<R>::value, crypto_word_t>::type
CheckImpl(Result *out, bool /* unwind */, R (*func)(Args...),
          typename DeductionGuard<Args>::Type... args) {
  const Result no_errors{};
  *out = no_errors;
  const crypto_word_t ret = func(args...);
  return ret;
}

// Fallback for void |func|: as above, but there is no value to forward, so
// zero is returned.
template <typename... Args>
inline crypto_word_t CheckImpl(Result *out, bool /* unwind */,
                               void (*func)(Args...),
                               typename DeductionGuard<Args>::Type... args) {
  const Result no_errors{};
  *out = no_errors;
  func(args...);
  return 0;
}
| 398 | #endif // SUPPORTS_ABI_TEST |
| 399 | |
| 400 | // FixVAArgsString takes a string like "f, 1, 2" and returns a string like |
| 401 | // "f(1, 2)". |
| 402 | // |
| 403 | // This is needed because the |CHECK_ABI| macro below cannot be defined as |
| 404 | // CHECK_ABI(func, ...). The C specification requires that variadic macros bind |
| 405 | // at least one variadic argument. Clang, GCC, and MSVC all ignore this, but |
| 406 | // there are issues with trailing commas and different behaviors across |
| 407 | // compilers. |
| 408 | std::string FixVAArgsString(const char *str); |
| 409 | |
| 410 | // CheckGTest behaves like |CheckImpl|, but it returns the correct type and |
| 411 | // raises GTest assertions on failure. If |unwind| is true and unwind tests are |
| 412 | // enabled, |func| is single-stepped under an unwind test. |
template <typename R, typename... Args>
inline R CheckGTest(const char *va_args_str, const char *file, int line,
                    bool unwind, R (*func)(Args...),
                    typename DeductionGuard<Args>::Type... args) {
  Result abi_result;
  const crypto_word_t word =
      CheckImpl(&abi_result, unwind, func, args...);

  // Clean run: hand the value straight back.
  if (abi_result.ok()) {
    return (R)word;
  }

  // Collect every recorded violation into one message and attach it, as a
  // non-fatal failure, to the call site given by |file| and |line|.
  testing::Message report;
  report << "ABI failures in " << FixVAArgsString(va_args_str) << ":\n";
  for (const std::string &violation : abi_result.errors) {
    report << " " << violation << "\n";
  }
  ADD_FAILURE_AT(file, line) << report;

  // The call itself completed, so its value is still returned to the caller.
  return (R)word;
}
| 429 | |
| 430 | } // namespace internal |
| 431 | |
| 432 | // Check runs |func| on |args| and returns the result. If ABI-testing is |
| 433 | // supported in this build configuration, it writes any ABI failures to |out|. |
| 434 | // Otherwise, it runs the function transparently. |
template <typename R, typename... Args>
inline R Check(Result *out, R (*func)(Args...),
               typename internal::DeductionGuard<Args>::Type... args) {
  // Unwind testing is never requested through this entry point; any ABI
  // failures are reported through |out| and no GTest failure is raised here.
  const crypto_word_t word =
      internal::CheckImpl(out, /*unwind=*/false, func, args...);
  return (R)word;
}
| 440 | |
| 441 | // EnableUnwindTests enables unwind tests, if supported. If not supported, it |
| 442 | // does nothing. |
| 443 | void EnableUnwindTests(); |
| 444 | |
| 445 | // UnwindTestsEnabled returns true if unwind tests are enabled and false |
| 446 | // otherwise. |
| 447 | bool UnwindTestsEnabled(); |
| 448 | |
| 449 | } // namespace abi_test |
| 450 | |
| 451 | // CHECK_ABI calls the first argument on the remaining arguments and returns the |
| 452 | // result. If ABI-testing is supported in this build configuration, it adds a |
| 453 | // non-fatal GTest failure if the call did not satisfy ABI requirements. |
| 454 | // |
| 455 | // |CHECK_ABI| does return the value and thus may replace any function call, |
| 456 | // provided it takes only simple parameters. However, it is recommended to test |
| 457 | // ABI separately from functional tests of assembly. Fully instrumenting a |
| 458 | // function for ABI checking requires single-stepping the function, which is |
| 459 | // inefficient. |
| 460 | // |
| 461 | // Functional testing requires coverage of input values, while ABI testing only |
| 462 | // requires branch coverage. Most of our assembly is constant-time, so usually |
| 463 | // only a few instrumented calls are necessary. |
| 464 | // |
| 465 | // TODO(https://crbug.com/boringssl/259): Most of Windows assembly currently |
| 466 | // fails SEH testing. For now, |CHECK_ABI| behaves like |CHECK_ABI_NO_UNWIND| |
| 467 | // on Windows. Functions which work with unwind testing on Windows should use |
| 468 | // |CHECK_ABI_SEH|. |
| 469 | #if defined(OPENSSL_WINDOWS) |
| 470 | #define CHECK_ABI(...) CHECK_ABI_NO_UNWIND(__VA_ARGS__) |
| 471 | #else |
| 472 | #define CHECK_ABI(...) CHECK_ABI_SEH(__VA_ARGS__) |
| 473 | #endif |
| 474 | |
| 475 | // CHECK_ABI_SEH behaves like |CHECK_ABI| but enables unwind testing on Windows. |
| 476 | #define CHECK_ABI_SEH(...) \ |
| 477 | abi_test::internal::CheckGTest(#__VA_ARGS__, __FILE__, __LINE__, true, \ |
| 478 | __VA_ARGS__) |
| 479 | |
| 480 | // CHECK_ABI_NO_UNWIND behaves like |CHECK_ABI| but disables unwind testing. |
| 481 | #define CHECK_ABI_NO_UNWIND(...) \ |
| 482 | abi_test::internal::CheckGTest(#__VA_ARGS__, __FILE__, __LINE__, false, \ |
| 483 | __VA_ARGS__) |
| 484 | |
| 485 | |
| 486 | // Internal functions. |
| 487 | |
| 488 | #if defined(SUPPORTS_ABI_TEST) |
// Uncallable is the parameter type of the abi_test_unwind_* symbols declared
// below. Those symbols mark instruction addresses and are not functions; the
// deleted default constructor keeps callers from default-constructing an
// argument for them.
//
// NOTE(review): a deleted constructor is not user-provided, so before C++20
// this type may still qualify as an aggregate and |Uncallable{}| could
// compile - confirm against the language standard the tests are built with.
struct Uncallable {
  Uncallable() = delete;
};
| 492 | |
| 493 | extern "C" { |
| 494 | |
| 495 | // abi_test_trampoline loads callee-saved registers from |state|, calls |func| |
| 496 | // with |argv|, then saves the callee-saved registers into |state|. It returns |
| 497 | // the result of |func|. If |unwind| is non-zero, this function triggers unwind |
| 498 | // instrumentation. |
| 499 | // |
| 500 | // We give |func| type |crypto_word_t| to avoid tripping MSVC's warning 4191. |
| 501 | crypto_word_t abi_test_trampoline(crypto_word_t func, |
| 502 | abi_test::internal::CallerState *state, |
| 503 | const crypto_word_t *argv, size_t argc, |
| 504 | crypto_word_t unwind); |
| 505 | |
| 506 | #if defined(OPENSSL_X86_64) |
| 507 | // abi_test_unwind_start points at the instruction that starts unwind testing in |
| 508 | // |abi_test_trampoline|. This is the value of the instruction pointer at the |
| 509 | // first |SIGTRAP| during unwind testing. |
| 510 | // |
| 511 | // This symbol is not a function and should not be called. |
| 512 | void abi_test_unwind_start(Uncallable); |
| 513 | |
| 514 | // abi_test_unwind_return points at the instruction immediately after the call in |
| 515 | // |abi_test_trampoline|. When unwinding the function under test, this is the |
| 516 | // expected address in the |abi_test_trampoline| frame. After this address, the |
| 517 | // unwind tester should ignore |SIGTRAP| until |abi_test_unwind_stop|. |
| 518 | // |
| 519 | // This symbol is not a function and should not be called. |
| 520 | void abi_test_unwind_return(Uncallable); |
| 521 | |
| 522 | // abi_test_unwind_stop is the value of the instruction pointer at the final |
| 523 | // |SIGTRAP| during unwind testing. |
| 524 | // |
| 525 | // This symbol is not a function and should not be called. |
| 526 | void abi_test_unwind_stop(Uncallable); |
| 527 | |
| 528 | // abi_test_bad_unwind_wrong_register preserves the ABI, but annotates the wrong |
| 529 | // register in unwind metadata. |
| 530 | void abi_test_bad_unwind_wrong_register(void); |
| 531 | |
| 532 | // abi_test_bad_unwind_temporary preserves the ABI, but temporarily corrupts the |
| 533 | // storage space for a saved register, breaking unwind. |
| 534 | void abi_test_bad_unwind_temporary(void); |
| 535 | |
| 536 | #if defined(OPENSSL_WINDOWS) |
| 537 | // abi_test_bad_unwind_epilog preserves the ABI, and correctly annotates the |
| 538 | // prolog, but the epilog does not match Win64's rules, breaking unwind during |
| 539 | // the epilog. |
| 540 | void abi_test_bad_unwind_epilog(void); |
| 541 | #endif |
| 542 | #endif // OPENSSL_X86_64 |
| 543 | |
| 544 | #if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) |
| 545 | // abi_test_get_and_clear_direction_flag clears the direction flag. If the flag |
| 546 | // was previously set, it returns one. Otherwise, it returns zero. |
| 547 | int abi_test_get_and_clear_direction_flag(void); |
| 548 | |
| 549 | // abi_test_set_direction_flag sets the direction flag. This does not conform to |
| 550 | // ABI requirements and must only be called within a |CHECK_ABI| guard to avoid |
| 551 | // errors later in the program. |
| 552 | int abi_test_set_direction_flag(void); |
| 553 | #endif // OPENSSL_X86_64 || OPENSSL_X86 |
| 554 | |
| 555 | } // extern "C" |
| 556 | #endif // SUPPORTS_ABI_TEST |
| 557 | |
| 558 | |
| 559 | #endif // OPENSSL_HEADER_ABI_TEST_H |