PERFORCE change 997430 for review
Robert Watson
rwatson at FreeBSD.org
Mon Oct 7 19:07:58 UTC 2013
http://p4web.freebsd.org/@@997430?ac=10
Change 997430 by rwatson at rwatson_zenith_cl_cam_ac_uk on 2013/10/07 19:07:50
Integrate changes to sandbox-entry code for readpng-cheri and
minifile. In the future this code (or code very much like it) will
move to a new sandbox-specific csu (of some sort), rather than
existing in each sandboxed component.
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/mips64/chsbrt.S#3 integrate
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/mips64/chsbrt.S#2 integrate
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/mips64/chsbrt.S#3 (text+ko) ====
@@ -1,5 +1,5 @@
#-
-# Copyright (c) 2012 Robert N. M. Watson
+# Copyright (c) 2012-2013 Robert N. M. Watson
# All rights reserved.
#
# This software was developed by SRI International and the University of
@@ -49,17 +49,16 @@
#
# $c0, $pcc contain access to (100% overlapped) sandbox code and data
#
-# $c1-$c7 contain user capability arguments
+# $c1, $c2 contain the invoked object capability
+# $c3-$c10 contain user capability arguments
#
-# $c26 contains the invoked data capability - the complete segment,
-# which will also be installed in $c0 locally due to lack of CCALL.
+# $c26 contains the invoked data capability - the complete segment, which
+# we will install into $c0 to allow MIPS code to access it.
#
# For now, assume:
-# (1) We are on the receiving end of CJALR, not CCALL.
-# (2) We enter with the caller's $c0 due to no CCALL
-# (3) The caller has not set up the general-purpose register context, that's
+# (1) The caller has not set up the general-purpose register context, that's
# our job.
-# (4) The goal is not to set up the CHERI calling convention .. yet; we will
+# (2) The goal is not to set up the CHERI calling convention .. yet; we will
# run only native MIPS64 code, or hand-crafted CHERI assembler. Thus
# must change before we can run Clang-compiled CHERI code.
#
@@ -69,31 +68,12 @@
__start:
#
- # Temporarily, save caller stack in temporaries so that we can
- # restore them on return.
- #
- # XXXRW: To change once we use CCALL.
- #
- move $t0, $sp
- move $t1, $fp
-
- #
# Set up in-sandbox stack.
#
cgetlen $sp, $c26
move $fp, $sp
#
- # Temporarily, save caller $c0 for later restoration.
- #
- # Notice: store relative to $c26, not $c0.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -32
- csc $c0, $sp, 0($c26)
-
- #
# Install $idc as $c0. From here on out, we can do MIPS feteches and
# stores to memory inside the sandbox, and $c0-relative capability
# fetches and stores.
@@ -101,27 +81,6 @@
cmove $c0, $c26
#
- # Push return capability.
- #
- daddiu $sp, -32
- csc $c24, $sp, 0($c0)
-
- #
- # Push return address.
- #
- daddiu $sp, -8
- sd $ra, 0($sp)
-
- #
- # Save caller stack pointers for later restoration.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -16
- sd $t0, 0($sp)
- sd $t1, 8($sp)
-
- #
# XXXRW: Defensively clear all general-purpose and capability
# registers that aren't explicit or ABI-implied arguments.
#
@@ -137,89 +96,32 @@
sd $a5, 0($at)
#
- # If abort() is called, we effectively longjmp back to just after the
- # call to invoke(). Save a stack pointer for that unwind.
+ # Invoke MIPS ABI C "invoke" function.
#
- dla $at, abort_stack
- sd $sp, 0($at)
-
- #
- # Invoke MIPS ABI C "invoke" function.
+ # XXXRW: $t9 not set properly.
#
dla $25, invoke
jalr $25
nop # Branch-delay slot
- #
- # Pop caller stack pointers for later installation.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
abort_target:
- ld $t0, 0($sp)
- ld $t1, 8($sp)
- daddiu $sp, 16
-
#
- # Pop return address.
+ # Clear our $c0 so that it is not leaked back to caller.
#
- ld $ra, 0($sp)
- daddiu $sp, 8
-
- #
- # Pop return capability.
- #
- clc $c24, $sp, 0($c0)
- daddiu $sp, 32
-
- #
- # Pop caller $c0 -- no more use of MIPS fetch/store after this point.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- clc $c0, $sp, 0($c0)
- daddiu $sp, 32
+ ccleartag $c0
#
- # Re-install caller stack.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- move $sp, $t0
- move $fp, $t1
-
- #
- # XXXRW: Defensively clear general-purpose and capability registers
- # that aren't explicit or ABI-implied return values.
- #
- dli $at, 0
- dli $t2, 0
- dli $t3, 0
- dli $t8, 0
- dli $t9, 0
-
- #
# Return to caller.
#
- cjr $31($c24) # Jump to return capability register
- nop # Branch-delay slot?
+ creturn
.end __start
.global abort
.ent abort
abort:
- #
- # If abort() is called, unwind the stack and jump into the return
- # code. Set $v0 to -2 so that it's somewhat recognisable, even if
- # non-ideal.
- #
- dla $at, abort_stack
- ld $sp, 0($at)
dli $v0, -2
b abort_target
nop
.end abort
.data
-abort_stack:
- .dword 0x0000000000000000 # What to restore sp to on abort
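Review bot: The new epilogue at `ccleartag $c0` / `creturn` drops the defensive register scrub that the removed return path performed (`dli $at, 0` through `dli $t9, 0`), while the entry path still clears "registers that aren't explicit or ABI-implied arguments" per the comment above `sd $a5`; after `invoke` returns, $at/$t2/$t3/$t8/$t9 and the in-sandbox $sp/$fp (set from `cgetlen $sp, $c26` earlier in __start) carry sandbox-internal values back to the caller unless the CCall/CReturn handler outside this file scrubs them, which is not visible here. The abort path (`b abort_target`) shares this epilogue, so it has the same exposure. I'd restore the scrub immediately before `ccleartag $c0` as below; which capability registers (if any) creturn itself clears cannot be determined from this file, so that part is left as an explicit XXX. The start of __start lies in an earlier hunk; only the tail is visible here.
```asm
	#
	# Defensively clear general-purpose registers that aren't explicit
	# or ABI-implied return values, so sandbox-internal state is not
	# leaked back to the caller.
	#
	# XXX: capability registers other than $c0 -- confirm what
	# creturn / the CCall handler clears before relying on it.
	#
	dli	$at, 0
	dli	$t2, 0
	dli	$t3, 0
	dli	$t8, 0
	dli	$t9, 0
	ccleartag $c0
	creturn
```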
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/mips64/chsbrt.S#2 (text+ko) ====
@@ -1,5 +1,5 @@
#-
-# Copyright (c) 2012 Robert N. M. Watson
+# Copyright (c) 2012-2013 Robert N. M. Watson
# All rights reserved.
#
# This software was developed by SRI International and the University of
@@ -49,17 +49,16 @@
#
# $c0, $pcc contain access to (100% overlapped) sandbox code and data
#
-# $c1-$c7 contain user capability arguments
+# $c1, $c2 contain the invoked object capability
+# $c3-$c10 contain user capability arguments
#
-# $c26 contains the invoked data capability - the complete segment,
-# which will also be installed in $c0 locally due to lack of CCALL.
+# $c26 contains the invoked data capability - the complete segment, which
+# we will install into $c0 to allow MIPS code to access it.
#
# For now, assume:
-# (1) We are on the receiving end of CJALR, not CCALL.
-# (2) We enter with the caller's $c0 due to no CCALL
-# (3) The caller has not set up the general-purpose register context, that's
+# (1) The caller has not set up the general-purpose register context, that's
# our job.
-# (4) The goal is not to set up the CHERI calling convention .. yet; we will
+# (2) The goal is not to set up the CHERI calling convention .. yet; we will
# run only native MIPS64 code, or hand-crafted CHERI assembler. Thus
# must change before we can run Clang-compiled CHERI code.
#
@@ -69,31 +68,12 @@
__start:
#
- # Temporarily, save caller stack in temporaries so that we can
- # restore them on return.
- #
- # XXXRW: To change once we use CCALL.
- #
- move $t0, $sp
- move $t1, $fp
-
- #
# Set up in-sandbox stack.
#
cgetlen $sp, $c26
move $fp, $sp
#
- # Temporarily, save caller $c0 for later restoration.
- #
- # Notice: store relative to $c26, not $c0.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -32
- csc $c0, $sp, 0($c26)
-
- #
# Install $idc as $c0. From here on out, we can do MIPS feteches and
# stores to memory inside the sandbox, and $c0-relative capability
# fetches and stores.
@@ -101,27 +81,6 @@
cmove $c0, $c26
#
- # Push return capability.
- #
- daddiu $sp, -32
- csc $c24, $sp, 0($c0)
-
- #
- # Push return address.
- #
- daddiu $sp, -8
- sd $ra, 0($sp)
-
- #
- # Save caller stack pointers for later restoration.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -16
- sd $t0, 0($sp)
- sd $t1, 8($sp)
-
- #
# XXXRW: Defensively clear all general-purpose and capability
# registers that aren't explicit or ABI-implied arguments.
#
@@ -137,89 +96,32 @@
sd $a5, 0($at)
#
- # If abort() is called, we effectively longjmp back to just after the
- # call to invoke(). Save a stack pointer for that unwind.
+ # Invoke MIPS ABI C "invoke" function.
#
- dla $at, abort_stack
- sd $sp, 0($at)
-
- #
- # Invoke MIPS ABI C "invoke" function.
+ # XXXRW: $t9 not set properly.
#
dla $25, invoke
jalr $25
nop # Branch-delay slot
- #
- # Pop caller stack pointers for later installation.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
abort_target:
- ld $t0, 0($sp)
- ld $t1, 8($sp)
- daddiu $sp, 16
-
#
- # Pop return address.
+ # Clear our $c0 so that it is not leaked back to caller.
#
- ld $ra, 0($sp)
- daddiu $sp, 8
-
- #
- # Pop return capability.
- #
- clc $c24, $sp, 0($c0)
- daddiu $sp, 32
-
- #
- # Pop caller $c0 -- no more use of MIPS fetch/store after this point.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- clc $c0, $sp, 0($c0)
- daddiu $sp, 32
+ ccleartag $c0
#
- # Re-install caller stack.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- move $sp, $t0
- move $fp, $t1
-
- #
- # XXXRW: Defensively clear general-purpose and capability registers
- # that aren't explicit or ABI-implied return values.
- #
- dli $at, 0
- dli $t2, 0
- dli $t3, 0
- dli $t8, 0
- dli $t9, 0
-
- #
# Return to caller.
#
- cjr $31($c24) # Jump to return capability register
- nop # Branch-delay slot?
+ creturn
.end __start
.global abort
.ent abort
abort:
- #
- # If abort() is called, unwind the stack and jump into the return
- # code. Set $v0 to -2 so that it's somewhat recognisable, even if
- # non-ideal.
- #
- dla $at, abort_stack
- ld $sp, 0($at)
dli $v0, -2
b abort_target
nop
.end abort
.data
-abort_stack:
- .dword 0x0000000000000000 # What to restore sp to on abort
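Review bot: As in the readpng-cheri copy, the return path at `ccleartag $c0` / `creturn` no longer clears the non-return general-purpose registers that the removed epilogue zeroed (`dli $at, 0` … `dli $t9, 0`), so $at/$t2/$t3/$t8/$t9 and the in-sandbox $sp/$fp reach the caller with sandbox-internal values unless the CCall/CReturn handler, which is outside this file, scrubs them; the `abort` path jumps to the same `abort_target` and is equally affected. Since the change description says this code is duplicated verbatim in each sandboxed component, the fix should be applied here too and ideally hoisted into the planned shared csu so the two copies cannot drift. The start of __start is in an earlier hunk.
```asm
	#
	# Defensively clear general-purpose registers that aren't explicit
	# or ABI-implied return values, so sandbox-internal state is not
	# leaked back to the caller.
	#
	# XXX: capability registers other than $c0 -- confirm what
	# creturn / the CCall handler clears before relying on it.
	#
	dli	$at, 0
	dli	$t2, 0
	dli	$t3, 0
	dli	$t8, 0
	dli	$t9, 0
	ccleartag $c0
	creturn
```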