
PPC uplifting #2823

Merged
merged 100 commits into from
Aug 11, 2022

Conversation

Rot127
Member

@Rot127 Rot127 commented Jul 19, 2022

Supersedes #2497

Overview

This PR uplifts the most common instructions of PPC32 and PPC64. Most common means almost all instructions with an occurrence of 0.001% in ~17.5 million tested (libraries for this statistic were: libc, libglib, libcairo and two or three more).

The semantics of the instructions were tested against ppc64le and ppc32be binaries (see test bins PR).

Missing instructions

A handful of instructions are not uplifted.

Due to missing operand information in Capstone v4 instructions (fixed in v5):

  • PPC_INS_SLDI -> The immediate operand is missing in the instruction.
  • PPC_INS_ISEL -> The BC operand is set to a GPR, although it should be a CR register.
  • all CR logical instructions -> Capstone v4 instructions hold GPRs instead of CR registers.

Due to missing operand information in Capstone v5 instructions

Because they were too complex to implement

  • PPC_INS_LWARX: Needs some kind of "reserve address" mechanism. Also: Is disassembled to invalid in v4
  • PPC_INS_LMW (0.07163% occurrence): Iterates over GPR X to 31, where X is determined during runtime -> needs a new RZIL effect.

Because the registers ca32 and ov32 are not implemented (see TODO list below):

  • PPC_INS_MFXER -> Copies a value from xer to a GPR register. QEMU and Rizin have a mismatch in register content here. The adapter can only change the value of the xer register, not the GPR register. Hence this instruction fails in rz-tracetest.

Others

  • Float and vector instructions are not implemented.
  • Trap instructions are NOPed.
Not implemented 0.001% instructions

# Trap instructions: NOPed
- [x] PPC_INS_TWLTI:        0.16662%
- [x] PPC_INS_TDLTI:        0.11114%
- [x] PPC_INS_TDNEI:        0.03006%
- [x] PPC_INS_TDEQI:        0.02348%
- [x] PPC_INS_TDLLTI:       0.02165%
- [x] PPC_INS_TDGTI:        0.02154%
- [x] PPC_INS_TWLLTI:       0.01733%
- [x] PPC_INS_TWEQI:        0.01539%
- [x] PPC_INS_TWGTI:        0.01366%
- [x] PPC_INS_TDLGTI:       0.00998%
- [x] PPC_INS_TWLGTI:       0.00752%
- [x] PPC_INS_TWNEI:        0.00668%
- [x] PPC_INS_TWUI:         0.00167%
- [x] PPC_INS_TDUI:         0.00158%

**Vector**
PPC_INS_VADDFP: 0.10065%
PPC_INS_VADDUBM: 0.06212%
PPC_INS_STVX: 0.00537%
PPC_INS_VSUBUBS: 0.00459%
PPC_INS_VCMPEQUB: 0.00391%
PPC_INS_STVEBX: 0.00141%
PPC_INS_VPKSHUS: 0.00252%
PPC_INS_XSADDDP: 0.00261%
PPC_INS_XSMADDADP: 0.00233%
PPC_INS_VPERM: 0.00369%
PPC_INS_VCMPGTSH: 0.00309%
PPC_INS_VADDUBS: 0.00204%
PPC_INS_VMSUMSHS: 0.00195%
PPC_INS_VSUBCUW: 0.00187%
PPC_INS_VSUBUWS: 0.00185%
PPC_INS_VADDSBS: 0.00185%
PPC_INS_VMHADDSHS: 0.00158%
PPC_INS_VADDCUW: 0.00158%
PPC_INS_VOR: 0.00131%
PPC_INS_VSPLTISB: 0.00130%
PPC_INS_VMINUB: 0.00127%
PPC_INS_VMSUMSHM: 0.00125%
PPC_INS_VMHRADDSHS: 0.00115%
PPC_INS_XVADDDP: 0.00130%
PPC_INS_LVX:          0.00988%
PPC_INS_VSUBSBS:      0.00577%
PPC_INS_XXSEL:        0.09343%


**Floats**
PPC_INS_FNMADD: 0.57950% -> 0x0 opcodes decode to this instruction
PPC_INS_STFDU: 0.54502%
PPC_INS_STFD: 0.35903%
PPC_INS_STFS: 0.11684%
PPC_INS_STFSU: 0.10500%
PPC_INS_FMR: 0.09640%
PPC_INS_FNMSUB: 0.09472%
PPC_INS_FNMADDS: 0.08764%
PPC_INS_FSUB: 0.07570%
PPC_INS_FCMPU: 0.06448%
PPC_INS_FMSUB: 0.05237%
PPC_INS_FCTIWZ: 0.02801%
PPC_INS_FMADD: 0.02275%
PPC_INS_FADD: 0.01949%
PPC_INS_FMUL: 0.01802%
PPC_INS_FSEL: 0.01373%
PPC_INS_FDIV: 0.01235%
PPC_INS_FRSP: 0.00821%
PPC_INS_FNEG: 0.00568%
PPC_INS_FABS: 0.00400%
PPC_INS_FMULS: 0.00320%
PPC_INS_FMADDS: 0.00300%
PPC_INS_FMSUBS: 0.00198%
PPC_INS_FCPSGN: 0.00183%
PPC_INS_FDIVS: 0.00161%
PPC_INS_FNMSUBS: 0.00146%
PPC_INS_FADDS: 0.00127%
PPC_INS_FSUBS: 0.00263%
PPC_INS_MTFSF:        0.00143%
PPC_INS_MFFS:         0.00107%

After merge

After this PR is merged issues about the missing features should be opened:

  • The dcbz instruction zeros a cache line/block. The size of this line depends on the PPC implementation (ESIL hardcodes it to 128. RZIL to 32). It should be replaced with a plugin config option once RzArch is done.
    Also, if this PR is merged before RzArch, an issue should be opened.
  • All instructions which are currently not testable due to Capstone bugs in v4 and v5 should be added to an issue.
  • The PPC plugin should get a cpu=ISA300 option and implement flags ca32 and ov32 again. Mind to update the rz-tracetest adapter.
    • mfxer fails in rz-tracetest because of this issue if the traced binary was an ISA3 one.
  • Issue about VLE. The Rizin internal libvle disassembles VLE instructions. Since many 32bit VLE instructions match the normal instructions by operands and execution semantics, maybe an adapter function between vle_t <-> cs_insn could be added. This would allow the current code to be used by libvle as well. For the 16bit instructions additional code should be written.
  • Exception cases are not handled at all. Examples are: default cases of MT/MFSPR.

Relevant other PRs this relies on:

Test binaries: rizinorg/rizin-testbins#75
rz-tracetest adapter: rizinorg/rz-tracetest#6
QEMU trace: BinaryAnalysisPlatform/qemu#20

@Rot127 Rot127 mentioned this pull request Jul 19, 2022
@Rot127 Rot127 added this to the 0.5.0 milestone Jul 19, 2022
@Rot127 Rot127 removed this from the 0.5.0 milestone Jul 19, 2022
@Rot127 Rot127 added this to the 0.5.0 milestone Jul 19, 2022
@XVilka XVilka mentioned this pull request Jul 27, 2022
@XVilka
Member

XVilka commented Aug 10, 2022

@Rot127 @wargio I think if such simplification is planned, it's better to do it in a separate PR; also easier to review. If no major objections to this - I suggest merging this as is and continuing to improve separately. Moreover, it will benefit from stuff like CodeQL, Coverity, fuzzing tests, etc that happen on the dev branch periodically.

@wargio
Member

wargio commented Aug 10, 2022

I will optimize those checks later, in another PR

@XVilka XVilka added merge-when-green ready Ready to be merged labels Aug 10, 2022
Member

@thestr4ng3r thestr4ng3r left a comment


`la` is a mnemonic for `addi`. I could not find a single occurrence in any of the test binaries of it.
The assembler always resolves the `la` mnemonic into `addi`.
I couldn't find a documented bit difference between `la` and `addi`. Because the instruction can not be tested it is removed.
… yet.

For most set/read SPR instructions QEMU segfaults.
Those which don't cause segfaults are not traced in QEMU currently.
Because they are barely used anyway I removed them (instead of implementing the tracing in QEMU, which would have cost too much time for me currently).

In case of SPR 1 (xer), 8 (lr) and 9 (ctr) the assembler resolves them to their mnemonics (mtxer, mtlr etc.). This means the code here is never reached.
To test the get_xer code MFXER was added again. The rz-tracetests will fail for this instruction (due to missing ca32, ov32). But this case is covered in an issue.
This should cover the uncovered branch in `get_cr_bit`
@Rot127
Member Author

Rot127 commented Aug 10, 2022

@thestr4ng3r Regarding la: I thought about assembling a la instruction manually and adding it to the asm tests but decided against it eventually, because it seems to be resolved by the assembler anyway and I couldn't find a documented bit difference between addi <-> la.

@wargio
Member

wargio commented Aug 10, 2022

la

la is addi
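Two points in this thread are easy to check with a few lines of C: the claim that `la` is only an extended mnemonic for `addi` (no bit of the encoding differs), and the note in the PR description that `lmw` loads a run of registers from GPR X up to r31, so the number of loads depends on the decoded RT field rather than a fixed count. The block below is an added example written for this page; it is not Rizin's, libvle's or Capstone's code. It assumes the PowerPC D-form layout (6-bit primary opcode, 5-bit RT, 5-bit RA, 16-bit signed displacement), primary opcode 14 for `addi` and 46 for `lmw`, and a small constructed memory image with four big-endian words at offset 0x10.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PowerPC D-form word: opcode[31:26] | RT[25:21] | RA[20:16] | D[15:0] (signed). */
#define PPC_OPCODE_ADDI 14u /* addi; `la` is an extended mnemonic of this opcode */
#define PPC_OPCODE_LMW  46u /* lmw: Load Multiple Word */

typedef struct {
    uint32_t opcode, rt, ra;
    int16_t d;
} ppc_dform_t;

static uint32_t ppc_dform_encode(uint32_t opcode, uint32_t rt, uint32_t ra, int16_t d) {
    return ((opcode & 0x3fu) << 26) | ((rt & 0x1fu) << 21) | ((ra & 0x1fu) << 16) | (uint16_t)d;
}

static ppc_dform_t ppc_dform_decode(uint32_t insn) {
    ppc_dform_t f;
    f.opcode = insn >> 26;
    f.rt = (insn >> 21) & 0x1fu;
    f.ra = (insn >> 16) & 0x1fu;
    f.d = (int16_t)(insn & 0xffffu);
    return f;
}

/* addi rt, ra, d */
static uint32_t ppc_encode_addi(uint32_t rt, uint32_t ra, int16_t d) {
    return ppc_dform_encode(PPC_OPCODE_ADDI, rt, ra, d);
}

/* la rt, d(ra): the extended mnemonic only reorders addi's operands; no bit differs. */
static uint32_t ppc_encode_la(uint32_t rt, int16_t d, uint32_t ra) {
    return ppc_encode_addi(rt, ra, d);
}

/* Minimal state for the lmw walk: 32 GPRs and a small big-endian memory image (constructed). */
typedef struct {
    uint32_t gpr[32];
    uint8_t mem[256];
} ppc_state_t;

static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* lmw rt, d(ra): EA = (ra == 0 ? 0 : GPR[ra]) + d; for r = rt .. 31: GPR[r] = MEM[EA]; EA += 4.
 * The loop bound comes from the decoded RT field, which is why a lifter needs a loop
 * effect rather than a fixed sequence of loads. Returns the number of registers written,
 * or -1 for an invalid form (RA inside rt..31, as the ISA specifies) or an access
 * outside the sample memory. */
static int ppc_exec_lmw(ppc_state_t *st, uint32_t insn) {
    ppc_dform_t f = ppc_dform_decode(insn);
    if (f.opcode != PPC_OPCODE_LMW || f.ra >= f.rt) return -1;
    uint32_t ea = (f.ra == 0 ? 0u : st->gpr[f.ra]) + (uint32_t)(int32_t)f.d;
    uint32_t count = 32u - f.rt;
    if (ea > sizeof st->mem || count * 4u > sizeof st->mem - ea) return -1;
    for (uint32_t r = f.rt; r < 32u; r++, ea += 4u)
        st->gpr[r] = load_be32(&st->mem[ea]);
    return (int)count;
}

/* Constructed sample state: r1 = 0x10 and four big-endian words at mem[0x10..0x1f]. */
static void ppc_demo_state(ppc_state_t *st) {
    static const uint8_t words[16] = {
        0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22,
        0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44 };
    memset(st, 0, sizeof *st);
    st->gpr[1] = 0x10u;
    memcpy(&st->mem[0x10], words, sizeof words);
}

/* Run one lmw on the sample state; returns the register count written (or -1). */
static int ppc_lmw_demo_count(uint32_t insn) {
    ppc_state_t st;
    ppc_demo_state(&st);
    return ppc_exec_lmw(&st, insn);
}

/* Run one lmw on the sample state and return GPR[r] afterwards. */
static uint32_t ppc_lmw_demo_gpr(uint32_t insn, unsigned r) {
    ppc_state_t st;
    ppc_demo_state(&st);
    ppc_exec_lmw(&st, insn);
    return st.gpr[r & 31u];
}

int main(void) {
    uint32_t la = ppc_encode_la(3, 8, 1), addi = ppc_encode_addi(3, 1, 8);
    printf("la r3,8(r1) = %08x  addi r3,r1,8 = %08x  identical: %s\n",
           la, addi, la == addi ? "yes" : "no");
    uint32_t lmw = ppc_dform_encode(PPC_OPCODE_LMW, 28, 1, 0); /* lmw r28,0(r1) */
    printf("lmw r28,0(r1) = %08x writes %d registers, r31 = %08x\n",
           lmw, ppc_lmw_demo_count(lmw), ppc_lmw_demo_gpr(lmw, 31));
    return 0;
}
```

The invalid-form check (`ra` inside the loaded range) matters for a lifter as well: executing such an encoding would overwrite the base register mid-walk, so the IL should reject or mark it rather than produce a plausible-looking but undefined sequence.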

@XVilka
Member

XVilka commented Aug 11, 2022

Since @Rot127 addressed your comments @thestr4ng3r, I am merging. If you have any additional feedback, please open a new issue, ok?

@XVilka XVilka merged commit b46e7bd into rizinorg:dev Aug 11, 2022
ajakk added a commit to ajakk/rizin that referenced this pull request Feb 19, 2023
capstone include paths were adjusted in
2b8104b, and this wasn't picked up in
the "PPC uplifting" commit, leading to a build failure with system
capstone.

Also fix the path of the ppc.h include, which seems to mistakenly use
capstone's ppc.h when building with bundled capstone.

Fixes: b46e7bd ("PPC uplifting to RzIL (rizinorg#2823)")
Signed-off-by: John Helmert III <ajak@gentoo.org>
XVilka pushed a commit that referenced this pull request Feb 19, 2023
XVilka pushed a commit that referenced this pull request Feb 21, 2023
XVilka pushed a commit that referenced this pull request Feb 21, 2023