Mangling-inserted side exits break instrumentation
Created by: egrimley
There seems to be a bad interaction between drreg (used by bbcount.c in this example) and the mangling of ISB (see mangle_icache_op). It looks as though drreg thinks that X0 and X1 do not need to be restored before the ISB, but they do, because of the way ISB is mangled.
What's the right way of solving this?
The original basic block is just:
0xa60894: dsb ish
0xa60898: isb
0xa6089c: ret
The mangled and instrumented version in the fragment cache is:
0x4be0700c: str x0, [x28,#272] <-- drreg saves X0
0x4be07010: str x1, [x28,#280] <-- drreg saves X1
0x4be07014: mov x0, #0x1490 <-- start of code inserted by drx_insert_counter_update
0x4be07018: movk x0, #0x7201, lsl #16
0x4be0701c: ldr x1, [x0]
0x4be07020: add x1, x1, #0x1
0x4be07024: str x1, [x0] <-- end of instrumentation code; x0 and x1 are not restored!
0x4be07028: dsb ish
0x4be0702c: isb <-- start of mangled ISB
0x4be07030: str x0, [x28] <-- corrupted X0 is saved; it is later retrieved by icache_op_isb_asm
0x4be07034: mov x0, #0x2b20
0x4be07038: movk x0, #0x559c, lsl #16
0x4be0703c: movk x0, #0x55, lsl #32
0x4be07040: ldr w0, [x0]
0x4be07044: cbz w0, 0x4be07064 <-- if we took this branch there would be no problem
0x4be07048: stp x1, x2, [x28,#8] <-- corrupted X1 is saved; it is later retrieved by icache_op_isb_asm
0x4be0704c: mov x2, #0x2698
0x4be07050: movk x2, #0x5587, lsl #16
0x4be07054: movk x2, #0x55, lsl #32
0x4be07058: mov x1, #0x0
0x4be0705c: mov x0, x28
0x4be07060: br x2 <-- branch to icache_op_isb_asm
0x4be07064: ldr x0, [x28] <-- end of mangled ISB
0x4be07068: ldr x0, [x28,#272] <-- X0 is restored by drreg, but it's too late!
0x4be0706c: ldr x1, [x28,#280] <-- X1 is restored by drreg, but it's too late!
0x4be07070: str x2, [x28,#16] <-- start of mangled RET
0x4be07074: mov x2, x30
0x4be07078: b 0x4be0707c
0x4be0707c: stp x0, x1, [x28]
0x4be07080: mov x0, #0xd230
0x4be07084: movk x0, #0x4be0, lsl #16
0x4be07088: movk x0, #0x0, lsl #32
0x4be0708c: movk x0, #0x0, lsl #48
0x4be07090: ldr x1, [x28,#120]
0x4be07094: br x1
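To make the ordering problem concrete, here is a small C model (added for this write-up, not DynamoRIO code) of the register and TLS-slot traffic in the listing above. It returns the X0/X1 values that icache_op_isb_asm would retrieve from [x28] and [x28,#8], once with drreg's restore placed after the mangled ISB as in the listing, and once with the app values restored before the ISB prologue runs; the register values 0x1111/0x2222 are constructed, the counter address is the one built by the mov/movk pair.

```c
#include <stdint.h>

/* Model of the registers and TLS slots touched by the listing (constructed, not DynamoRIO code). */
typedef struct {
    uint64_t x0, x1;        /* application registers */
    uint64_t slot_mangle0;  /* [x28]      : where mangle_icache_op saves X0 */
    uint64_t slot_mangle1;  /* [x28,#8]   : where mangle_icache_op saves X1 */
    uint64_t slot_drreg0;   /* [x28,#272] : drreg's spill slot for X0 */
    uint64_t slot_drreg1;   /* [x28,#280] : drreg's spill slot for X1 */
    uint64_t counter;       /* the bbcount counter that drx_insert_counter_update bumps */
} state_t;

static void drreg_spill(state_t *s)   { s->slot_drreg0 = s->x0; s->slot_drreg1 = s->x1; }
static void drreg_restore(state_t *s) { s->x0 = s->slot_drreg0; s->x1 = s->slot_drreg1; }

/* drx_insert_counter_update: mov/movk the counter address into x0, ldr/add/str through x1. */
static void counter_update(state_t *s, uint64_t counter_addr) {
    s->x0 = counter_addr;
    s->x1 = ++s->counter;
}

/* Prologue of the mangled ISB: stores what it takes to be the app's X0/X1 for icache_op_isb_asm. */
static void mangled_isb_save(state_t *s) { s->slot_mangle0 = s->x0; s->slot_mangle1 = s->x1; }

/* restore_first = 0 reproduces the listing (drreg restores after the mangled ISB);
 * restore_first = 1 restores the app values before the ISB prologue runs. */
static void run(int restore_first, uint64_t *x0_seen, uint64_t *x1_seen) {
    state_t s = { .x0 = 0x1111, .x1 = 0x2222 };    /* constructed app register values */
    const uint64_t counter_addr = 0x72011490;       /* 0x1490 | (0x7201 << 16) from the listing */
    drreg_spill(&s);
    counter_update(&s, counter_addr);
    if (restore_first) drreg_restore(&s);
    mangled_isb_save(&s);
    if (!restore_first) drreg_restore(&s);          /* the listing's order: too late */
    *x0_seen = s.slot_mangle0;
    *x1_seen = s.slot_mangle1;
}

/* Value of X0 that icache_op_isb_asm would read from [x28]. */
uint64_t x0_seen_by_isb_handler(int restore_first) {
    uint64_t x0, x1; run(restore_first, &x0, &x1); return x0;
}

/* Value of X1 that icache_op_isb_asm would read from [x28,#8]. */
uint64_t x1_seen_by_isb_handler(int restore_first) {
    uint64_t x0, x1; run(restore_first, &x0, &x1); return x1;
}
```

With the listing's order the handler sees the counter address and the incremented count instead of the app's registers; restoring before the mangled ISB is the only order in which it sees the original values.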