PATMInternal.h revision 997c47dc1532875eb8e995bf9993dff13071c16f
/* $Id$ */
/** @file
* PATM - Internal header file.
*/
/*
* Copyright (C) 2006-2007 Oracle Corporation
*
* This file is part of VirtualBox Open Source Edition (OSE), as
* available from http://www.virtualbox.org. This file is free software;
* you can redistribute it and/or modify it under the terms of the GNU
* General Public License (GPL) as published by the Free Software
* Foundation, in version 2 as it comes in the "COPYING" file of the
* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
*/
#ifndef ___PATMInternal_h
#define ___PATMInternal_h
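/** Current saved-state unit version written by PATM (assumed: see the saved-state load/save code, not visible here). */
#define PATM_SSM_VERSION 55
/** Older saved-state version that needs the fixup hack when loaded (presumably; confirm against the load path). */
#define PATM_SSM_VERSION_FIXUP_HACK 54
/** Saved-state version from the 1.6 release line (inferred from the name; confirm). */
#define PATM_SSM_VERSION_VER16 53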
/* Enable for call patching. */
#define PATM_ENABLE_CALL
/*
* Internal patch type flags (starts at RT_BIT(11)).
* These use the trailing Doxygen form so each note documents the macro on its own line.
*/
#define PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT RT_BIT_64(20) /**< internal flag to avoid duplicate entrypoints */
#define PATMFL_CODE_MONITORED RT_BIT_64(24) /**< code pages of guest monitored for self-modifying code. */
#define PATMFL_CALLABLE_AS_FUNCTION RT_BIT_64(25) /**< cli and pushf blocks can be used as callable functions. */
#define PATMFL_TRAMPOLINE RT_BIT_64(27) /**< trampoline patch that clears PATM_INTERRUPTFLAG and jumps to patch destination */
#define PATMFL_MUST_INSTALL_PATCHJMP RT_BIT_64(31) /**< Need to patch guest code in order to activate patch. */
#define PATMFL_EXTERNAL_JUMP_INSIDE RT_BIT_64(33) /**< A trampoline patch was created that jumps to an instruction in the patch block */
#define PATMFL_CODE_REFERENCED RT_BIT_64(34) /**< patch block referenced (called, jumped to) by another patch. */
#define MAX_INSTR_SIZE 16
/* Patch states (each value is a distinct bit: 1, 2, 4, ... so they can be tested as a mask) */
#define PATCH_REFUSED 1
#define PATCH_DISABLED 2
#define PATCH_ENABLED 4
#define PATCH_UNUSABLE 8
#define PATCH_DIRTY 16
#define PATCH_DISABLE_PENDING 32
#define MAX_PATCH_TRAPS 4
/* Upper bound for the "patch installation call depth" counter kept in PATM (presumably; confirm against the installer). */
#define PATM_MAX_CALL_DEPTH 32
/* Maximum nr of writes before a patch is marked dirty. (disabled) */
#define PATM_MAX_CODE_WRITES 32
/* Maximum nr of invalid writes before a patch is disabled. */
#define PATM_MAX_INVALID_WRITES 16384
/* Fixup record types (see the tree of fixup records in PATCHINFO). */
#define FIXUP_ABSOLUTE 0
#define FIXUP_REL_JMPTOPATCH 1
#define FIXUP_REL_JMPTOGUEST 2
/** Sentinel value marking an illegal (unresolvable) destination address. */
#define PATM_ILLEGAL_DESTINATION 0xDEADBEEF
/** Size of the instruction that's used for requests from patch code (currently only call) */
#define PATM_ILLEGAL_INSTR_SIZE 2
/** No statistics counter index allocated just yet */
/** Dummy counter to handle overflows */
#define PATM_STAT_INDEX_DUMMY 0
#ifdef VBOX_WITH_STATISTICS
#define PATM_STAT_RUN_INC(pPatch) \
#define PATM_STAT_FAULT_INC(pPatch) \
#else
#define PATM_STAT_RUN_INC(pPatch) do { } while (0)
#define PATM_STAT_FAULT_INC(pPatch) do { } while (0)
#endif
/** Maximum number of stat counters. */
#define PATM_STAT_MAX_COUNTERS 1024
/** Size of memory allocated for patch statistics. */
/** aCpus[0].fLocalForcedActions fixup (must be odd to avoid theoretical clashes with valid pointers) */
#define PATM_FIXUP_CPU_FF_ACTION 0xffffff01
/** default cpuid pointer fixup */
#define PATM_FIXUP_CPUID_DEFAULT 0xffffff03
/** standard cpuid pointer fixup */
#define PATM_FIXUP_CPUID_STANDARD 0xffffff05
/** extended cpuid pointer fixup */
#define PATM_FIXUP_CPUID_EXTENDED 0xffffff07
/** centaur cpuid pointer fixup */
#define PATM_FIXUP_CPUID_CENTAUR 0xffffff09
typedef struct
{
/** The key is a HC virtual address. */
/* forward decl */
struct _PATCHINFO;
/* Cache record for guest to host pointer conversions. */
typedef struct
{
/* Obsolete; do not use. */
typedef struct
{
typedef struct
{
/** The key is a pointer to a JUMPREC structure. */
/**
* Patch to guest lookup type (single or both direction)
*/
typedef enum
{
/** patch to guest */
/** guest to patch + patch to guest */
/**
* Patch to guest address lookup record.
*/
typedef struct RECPATCHTOGUEST
{
/** The key is an offset inside the patch memory block. */
/** GC address of the guest instruction this record is for. */
/** Patch to guest lookup type. */
/** Flag whether the original instruction was changed by the guest. */
bool fDirty;
/** Flag whether this guest instruction is a jump target from
* a trampoline patch. */
bool fJumpTarget;
/** Original opcode before writing 0xCC there to mark it dirty. */
/**
* Guest to patch address lookup record
*/
typedef struct RECGUESTTOPATCH
{
/** The key is a GC virtual address. */
/** Patch offset (relative to PATM::pPatchMemGC / PATM::pPatchMemHC). */
/**
* Temporary information used in ring 3 only; no need to waste memory in the patch record itself.
*/
typedef struct
{
/* Temporary tree for storing the addresses of illegal instructions. */
/* Temporary tree of encountered jumps. (debug only) */
/** Last original guest instruction pointer; used for disassembly log. */
/** Keeping track of multiple ret instructions. */
/** Forward declaration for a pointer to a trampoline patch record. */
/**
* Patch information.
*/
typedef struct _PATCHINFO
{
/** Current patch state (enabled, disabled, etc.). */
/** Previous patch state. Used when enabling a disabled patch. */
/** CPU mode (16bit or 32bit). */
/** GC pointer of privileged instruction */
/** @todo: Can't remove due to structure size dependencies in saved states. */
/** Original privileged guest instructions overwritten by the jump patch. */
/** Number of valid bytes in the instruction buffer. */
/** Opcode for priv instr (OP_*). */
/** Size of the patch jump in the guest code. */
/** Only valid for PATMFL_JUMP_CONFLICT patches */
/** Offset of the patch code from the beginning of the patch memory area. */
/** Size of the patch code in bytes. */
/** Current offset of the patch starting from pPatchBlockOffset.
* Used during patch creation. */
#if HC_ARCH_BITS == 64
#endif
/** PATM flags (see PATMFL_*). */
/**
* Lowest and highest patched GC instruction address. To optimize searches.
*/
/* Tree of fixup records for the patch. */
/* Tree of jumps inside the generated patch code. */
/**
* Lookup trees for determining the corresponding guest address of an
* instruction in the patch block.
*/
#if HC_ARCH_BITS == 64
#endif
/** Unused, but can't remove due to structure size dependencies in the saved state. */
/** Temporary information during patch creation. Don't waste hypervisor memory for this. */
/** List of trampoline patches referencing this patch.
* Used when refreshing the patch. (Only for function duplicates) */
/** Count the number of writes to the corresponding guest code. */
/** Some statistics to determine if we should keep this patch activated. */
/** Count the number of invalid writes to pages monitored for the patch. */
/** Index into the uPatchRun and uPatchTrap arrays (0..MAX_PATCHES-1) */
/** First opcode byte, that's overwritten when a patch is marked dirty. */
/** Align the structure size on a 8-byte boundary. */
} PATCHINFO, *PPATCHINFO;
/**
* Lookup record for patches
*/
typedef struct PATMPATCHREC
{
/** The key is a GC virtual address. */
/** The key is a patch offset. */
/** The patch information. */
/**
* Record for a trampoline patch.
*/
typedef struct TRAMPREC
{
/** Pointer to the next trampoline patch. */
/** Pointer to the trampoline patch record. */
} TRAMPREC;
/** Increment for allocating room for pointer array */
#define PATMPATCHPAGE_PREALLOC_INCREMENT 16
/**
* Lookup record for patch pages
*/
typedef struct PATMPATCHPAGE
{
/** The key is a GC virtual address. */
/** Region to monitor. */
/** Number of patches for this page. */
/** Maximum nr of pointers in the array. */
/** Array of patch pointers for this page. */
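/**
 * Recover the owning PATMPATCHREC from a pointer to its CoreOffset member.
 * The argument and the whole expansion are parenthesized so that an
 * arbitrary expression (e.g. a conditional) cannot rebind the subtraction.
 * @param a Pointer to the CoreOffset member of a PATMPATCHREC.
 * @returns PPATMPATCHREC of the containing record.
 */
#define PATM_PATCHREC_FROM_COREOFFSET(a) ((PPATMPATCHREC)((uintptr_t)(a) - RT_OFFSETOF(PATMPATCHREC, CoreOffset)))
/**
 * Recover the owning PATMPATCHREC from a pointer to its patch member.
 * @param a Pointer to the patch member (PATCHINFO) of a PATMPATCHREC.
 * @returns PPATMPATCHREC of the containing record.
 */
#define PATM_PATCHREC_FROM_PATCHINFO(a) ((PPATMPATCHREC)((uintptr_t)(a) - RT_OFFSETOF(PATMPATCHREC, patch)))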
/**
* AVL trees used by PATM.
*/
typedef struct PATMTREES
{
/**
* AVL tree with all patches (active or disabled) sorted by guest instruction address
*/
/**
* AVL tree with all patches sorted by patch address (offset actually)
*/
/**
* AVL tree with all pages which were (partly) patched
*/
} PATMTREES, *PPATMTREES;
/**
* PATM VM Instance data.
* Changes to this must be checked against the padding of the patm union in VM!
*/
typedef struct PATM
{
/** Offset to the VM structure.
* See PATM2VM(). */
/** Pointer to the patch memory area (GC) */
/** Pointer to the patch memory area (HC) */
/** Size of the patch memory area in bytes. */
/** Relative offset to the next free byte starting from the start of the region. */
/** Flag whether PATM ran out of patch memory. */
bool fOutOfMemory;
/** Delta to the new relocated HMA area.
* Used only during PATMR3Relocate(). */
/* GC PATM state pointer - HC pointer. */
/* GC PATM state pointer - GC pointer. */
/** PATM stack page for call instruction execution. (2 parts: one for our private stack and one to store the original return address) */
/** HC pointer of the PATM stack page. */
/** GC pointer to CPUMCTX structure. */
/** GC statistics pointer. */
/** HC statistics pointer. */
/* Current free index value (uPatchRun/uPatchTrap arrays). */
/* Temporary counter for patch installation call depth. (in order not to go on forever) */
/** Number of page lookup records. */
/** Lowest and highest patched GC instruction addresses. To optimize searches. */
/** Pointer to the patch tree for instructions replaced by 'int 3'. */
/** Global PATM lookup and call function (used by call patches). */
/** Global PATM return function (used by ret patches). */
/** Global PATM jump function (used by indirect jmp patches). */
/** Global PATM return function (used by iret patches). */
/** Fake patch record for global functions. */
/** Pointer to original sysenter handler */
/** Pointer to sysenter handler trampoline */
/** Sysenter patch index (for stats only) */
/** GC address of fault in monitored page (set by PATMGCMonitorPage, used by PATMR3HandleMonitoredPage). */
/** Temporary information for pending MMIO patch. Set in GC or R0 context. */
struct
{
} mmio;
struct
{
#if HC_ARCH_BITS == 64
#endif
} savedstate;
DECLCALLBACK(int) patmVirtPageHandler(PVM pVM, RTGCPTR GCPtr, void *pvPtr, void *pvBuf, size_t cbBuf, PGMACCESSTYPE enmAccessType, void *pvUser);
#ifdef IN_RING3
RTRCPTR patmGuestGCPtrToClosestPatchGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t*) pInstrGC);
#endif
/**
* Add a patch to guest lookup record
*
* @param pVM The VM to operate on.
* @param pPatch Patch structure ptr
* @param pPatchInstrHC Host context pointer into the patch block
* @param pInstrGC Guest context pointer to privileged instruction
* @param enmType Lookup type
* @param fDirty Dirty flag
*
*/
void patmr3AddP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, uint8_t *pPatchInstrHC, RTRCPTR pInstrGC, PATM_LOOKUP_TYPE enmType, bool fDirty=false);
/**
* Insert page records for all guest pages that contain instructions that were recompiled for this patch
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pPatch Patch record
*/
/**
* Remove page records for all guest pages that contain instructions that were recompiled for this patch
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pPatch Patch record
*/
/**
* Returns the GC address of the corresponding patch statistics counter
*
* @returns Stat address
* @param pVM The VM to operate on.
* @param pPatch Patch structure
*/
/**
* Remove patch for privileged instruction at specified location
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pPatchRec Patch record
* @param fForceRemove Remove *all* patches
*/
/**
* Call for analysing the instructions following the privileged instr. for compliance with our heuristics
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pCpu CPU disassembly state
* @param pInstrGC Guest context pointer to privileged instruction
* @param pCurInstrGC Guest context pointer to current instruction
* @param pCacheRec Cache record ptr
*
*/
typedef int (VBOXCALL *PFN_PATMR3ANALYSE)(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PPATMP2GLOOKUPREC pCacheRec);
/**
* Install guest OS specific patch
*
* @returns VBox status code.
* @param pVM The VM to operate on
* @param pCpu Disassembly state of instruction.
* @param pInstrGC GC instruction pointer for the instruction
* @param pInstrHC HC instruction pointer for the instruction
* @param pPatchRec Patch structure
*
*/
int PATMInstallGuestSpecificPatch(PVM pVM, PDISCPUSTATE pCpu, RTRCPTR pInstrGC, uint8_t *pInstrHC, PPATMPATCHREC pPatchRec);
/**
* Check if the instruction is patched as a duplicated function
*
* @returns patch record
* @param pVM The VM to operate on.
* @param pInstrGC Guest context pointer to the instruction
*
*/
/**
* Empty the specified tree (PV tree, MMR3 heap)
*
* @param pVM The VM to operate on.
* @param ppTree Tree to empty
*/
/**
* Empty the specified tree (U32 tree, MMR3 heap)
*
* @param pVM The VM to operate on.
* @param ppTree Tree to empty
*/
/**
* Return the name of the patched instruction
*
* @returns instruction name
*
* @param opcode DIS instruction opcode
* @param fPatchFlags Patch flags
*/
/**
* #PF Virtual Handler callback for Guest access a page monitored by PATM
*
* @returns VBox status code (appropriate for trap handling and GC return).
* @param pVM VM Handle.
* @param uErrorCode CPU Error code.
* @param pRegFrame Trap register frame.
* @param pvFault The fault address (cr2).
* @param pvRange The base address of the handled virtual range.
* @param offRange The offset of the access into this range.
* (If it's a EIP range this is the EIP, if not it's pvFault.)
*/
VMMRCDECL(int) PATMGCMonitorPage(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, RTGCPTR pvRange, uintptr_t offRange);
/**
* Find patch for privileged instruction at specified location
*
* @returns Patch structure pointer if found; else NULL
* @param pVM The VM to operate on.
* @param pInstr Guest context pointer to an instruction that might lie within 5 bytes of an existing patch jump
* @param fIncludeHints Include hinted patches or not
*
*/
/**
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pInstrGC Guest context pointer to privileged instruction
* @param pInstrHC Host context pointer to privileged instruction
* @param uOpcode Instruction opcode
* @param uOpSize Size of starting instruction
* @param pPatchRec Patch record
*
* @note returns failure if patching is not allowed or possible
*
*/
/**
* Replace an instruction with a breakpoint (0xCC), that is handled dynamically in the guest context.
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pInstrGC Guest context pointer to privileged instruction
* @param pInstrHC Host context pointer to privileged instruction
* @param pCpu Disassembly CPU structure ptr
* @param pPatch Patch record
*
* @note returns failure if patching is not allowed or possible
*
*/
VMMR3DECL(int) PATMR3PatchInstrInt3(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATCHINFO pPatch);
/**
* Mark patch as dirty
*
* @returns VBox status code.
* @param pVM The VM to operate on.
* @param pPatch Patch record
*
* @note returns failure if patching is not allowed or possible
*
*/
R3PTRTYPE(uint8_t *) PATMGCVirtToHCVirt(PVM pVM, PPATMP2GLOOKUPREC pCacheRec, RCPTRTYPE(uint8_t *) pGCPtr);
/**
* Calculate the branch destination
*
* @returns branch destination or 0 if failed
* @param pCpu Disassembly state of instruction.
* @param pBranchInstrGC GC pointer of branch instruction
*/
{
{
}
else
{
}
else
{
}
else
{
return 0;
}
#ifdef IN_RC
#else
#endif
}
#ifdef LOG_ENABLED
int patmr3DisasmCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PPATMP2GLOOKUPREC pCacheRec);
int patmr3DisasmCodeStream(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Analyse, PPATMP2GLOOKUPREC pCacheRec);
#endif
#endif