def compareHap(self, from_eip, third, breakpoint, memory):
eip = getEIP(self.cpu)
instruct = SIM_disassemble_address(self.cpu, eip, 1, 0)
parts = instruct[1].split()
mn = parts[0]
if mn == 'cmp':
op1, op0 = decode.getOperands(instruct[1])
self.lgr.debug('operands 1:<%s> 0:<%s>' % (op1, op0))
if '[' in op1:
address = decode.getAddressFromOperand(self.cpu, op1, self.lgr)
#self.lgr.debug('[ in op1, got address 0x%x' % address)
val1 = self.mem_utils.readWord32(self.cpu, address)
else:
val1 = decode.getValue(op1, self.cpu, self.lgr)
if '[' in op0:
address = decode.getAddressFromOperand(self.cpu, op0, self.lgr)
#self.lgr.debug('[ in op0, got address 0x%x' % address)
val0 = self.mem_utils.readWord32(self.cpu, address)
else:
val0 = decode.getValue(op0, self.cpu, self.lgr)
#self.lgr.debug('0x%08x cmp 0 is 0x%x, 1 0x%x' % (eip, val0, val1))
if eip in self.compares:
old0, old1 = self.compares[eip]
if old1 != val1 or old0 != val0:
self.lgr.debug('CHANGED: o0: 0x%x o1: 0x%x' % (old0, old1))
self.lgr.debug('TO : v0: 0x%x v1: 0x%x' % (val0, val1))
current_len = self.cpu.cycles - self.cycle_start
if current_len > self.cycle_len * 1000:
self.lgr.debug('did 1000 loops?')
self.live_cmp.append(eip)
self.lgr.debug('ExitMaze cmpareHap remove compare hap')
self.context_manager.genDeleteHap(self.compare_hap)
SIM_run_alone(self.plantBreaks, False)
self.compares[eip] = (val0, val1)
def showCmp(self, addr):
eip = self.top.getEIP(self.cpu)
instruct = SIM_disassemble_address(self.cpu, eip, 1, 0)
self.lgr.debug('showCmp eip 0x%x %s' % (eip, instruct[1]))
mval = self.mem_utils.readWord32(self.cpu, addr)
if instruct[1].startswith('cmp'):
op2, op1 = decode.getOperands(instruct[1])
val = None
if decode.isReg(op2):
val = self.mem_utils.getRegValue(self.cpu, op2)
elif decode.isReg(op1):
val = self.mem_utils.getRegValue(self.cpu, op1)
if val is not None:
print('%s reg: 0x%x addr:0x%x mval: 0x%08x' %
(instruct[1], val, addr, mval))
def modeChanged(self, cpu, one, old, new):
if self.__mode_changed is None:
return
cell_name = self.top.getTopComponentName(cpu)
cpu, cur_addr, comm, pid = self.os_p_utils[cell_name].getPinfo(cpu)
#self.lgr.debug('modeChanged %d %s' % (pid, comm))
if self.isTraced(comm, pid):
# force comm, may not be updated in proc utils
comm = self.i_trace
cpl = memUtils.getCPL(cpu)
if cpl == 0:
cmd = '%s.stop' % self.tracer
SIM_run_alone(SIM_run_command, cmd)
self.lgr.debug('stopped tracing %s' % comm)
if True:
eip = self.top.getEIP(cpu)
instruct = SIM_disassemble_address(cpu, eip, 1, 0)
if decode.getMn(instruct[1]) == 'jmp':
op1, op0 = decode.getOperands(instruct[1])
eip_str = '0x%x' % eip
self.lgr.debug(
'modeChanged jmp is %s eip_str is <%s> op0 is <%s>'
% (instruct[1], eip_str, op0))
if op0 == eip_str:
self.closeTrace(cell_name, pid)
self.lgr.debug(
'modeChanged, found ebfe, stop tracing')
return
else:
if self.tracer is None:
SIM_run_alone(self.createTracer, comm)
self.lgr.debug('created tracer for %s' % comm)
else:
outfile = self.outfile[comm]
cmd = '%s.start file=%s' % (self.tracer, outfile)
SIM_run_alone(SIM_run_command, cmd)
self.lgr.debug('start tracing %s' % comm)
def backOneAlone(self, dum):
current = SIM_cycle_count(self.cpu)
eip = self.top.getEIP(self.cpu)
instruct = SIM_disassemble_address(self.cpu, eip, 1, 0)
value = self.os_p_utils.getMemUtils().readWord32(self.cpu, self.addr)
self.lgr.debug(
'backOne user space write of 0x%x to addr 0x%x cycle/eip after write is 0x%x eip:0x%x '
% (value, self.addr, current, eip))
if not self.forward:
previous = current - 1
SIM_run_command('pselect cpu-name = %s' % self.cpu.name)
if SIM_simics_is_running():
self.lgr.error(
'backOneAlone, simics is still running, is this not part of a stop hap???'
)
return
SIM_run_command('skip-to cycle=%d' % previous)
new = SIM_cycle_count(self.cpu)
self.lgr.debug('backOne back to 0x%x got 0x%x' % (previous, new))
else:
self.lgr.debug('backOneAlone, was going forward')
if self.forward_break is not None:
self.lgr.debug('backOne alone delete forward_break')
SIM_delete_breakpoint(self.forward_break)
self.forward_break = None
eip = self.top.getEIP(self.cpu)
instruct = SIM_disassemble_address(self.cpu, eip, 1, 0)
mn = decode.getMn(instruct[1])
self.lgr.debug(
'stopToCheckWriteCallback BACKTRACK backOneAlone, write described above occured at 0x%x : %s'
% (eip, str(instruct[1])))
bm = 'backtrack eip:0x%x inst:"%s"' % (eip, instruct[1])
self.bookmarks.setDebugBookmark(bm)
self.lgr.debug('BT bookmark: %s' % bm)
if decode.modifiesOp0(mn):
self.lgr.debug('stopToCheckWriteCallback get operands from %s' %
instruct[1])
op1, op0 = decode.getOperands(instruct[1])
actual_addr = decode.getAddressFromOperand(self.cpu, op0, self.lgr)
if actual_addr is None:
self.lgr.error('failed to get op0 address from %s' %
instruct[1])
return
offset = self.addr - actual_addr
self.lgr.debug(
'stopToCheckWriteCallback cycleRegisterMod mn: %s op0: %s op1: %s actual_addr 0x%x orig 0x%x address offset is %d'
% (mn, op0, op1, actual_addr, self.addr, offset))
if decode.isIndirect(op1):
reg_num = self.cpu.iface.int_register.get_number(op1)
address = self.cpu.iface.int_register.read(reg_num)
new_address = address + offset
#if not self.top.isProtectedMemory(new_address):
if not self.top.isProtectedMemory(
new_address) and not '[' in op0:
self.lgr.debug(
'stopToCheckWriteCallback, %s is indirect, check for write to 0x%x'
% (op1, new_address))
self.top.stopAtKernelWrite(new_address, self.rev_to_call)
else:
self.lgr.debug(
'stopToCheckWriteCallback is indirect reg point to magic page, or move to memory, find mod of the reg vice the address content'
)
self.rev_to_call.doRevToModReg(op1,
taint=True,
offset=offset,
value=self.value,
num_bytes=self.num_bytes)
elif decode.isReg(op1):
reg_num = self.cpu.iface.int_register.get_number(op1)
value = self.cpu.iface.int_register.read(reg_num)
self.lgr.debug(
'stopToCheckWriteCallback %s is reg, find where wrote value 0x%x reversing from cycle 0x%x'
% (op1, value, self.cpu.cycles))
self.rev_to_call.doRevToModReg(op1,
taint=True,
offset=offset,
value=self.value,
num_bytes=self.num_bytes)
else:
value = None
try:
value = int(op1, 16)
except:
pass
if value is not None:
if self.top.isProtectedMemory(value):
self.lgr.debug(
'stopToCheckWriteCallback, found protected memory %x '
% value)
SIM_run_alone(self.cleanup, False)
self.top.skipAndMail()
else:
''' stumped, constant loaded into memory '''
self.lgr.debug(
'stopToCheckWriteCallback, found constant %x, stumped'
% value)
SIM_run_alone(self.cleanup, False)
self.top.skipAndMail()
elif mn == 'push':
op1, op0 = decode.getOperands(instruct[1])
self.lgr.debug('stopToCheckWriteCallback is push reg %s, find mod',
op0)
self.rev_to_call.doRevToModReg(op0,
taint=True,
value=self.value,
num_bytes=self.num_bytes)
else:
self.lgr.debug('backOneAlone, cannot track values back beyond %s' %
str(instruct))
SIM_run_alone(self.cleanup, False)
self.top.skipAndMail()