qemu/tcg: fix UC_HOOK_MEM_READ on aarch64. (#2028)

glennsec · web-flow · commit 8442eb6feb4d · 2025-01-04T18:48:53.000+08:00
* qemu/tcg: fix UC_HOOK_MEM_READ on aarch64. Directly jump into the slow path when there is any hookmem enabled. This fixes #1908. Signed-off-by: Glenn Baker <glenn.baker@gmx.com> * qemu/tcg: fix UC_HOOK_MEM_READ on ppc64. Directly jump into the slow path when there is any hookmem enabled. Signed-off-by: Glenn Baker <glenn.baker@gmx.com> * qemu/tcg: check for UC_HOOK_MEM_READ_AFTER. Use has_hookmem() helper to determine wether "slow-path" TLB read is needed. Add this helper to x86 architecture as well so that to check for all hookmem. Signed-off-by: Glenn Baker <glenn.baker@gmx.com> * qemu/tcg: factor out has_hookmem(). It's the same implementation for all architectures, so factor out has_hookmem() into tcg_uc_has_hookmem(). Signed-off-by: Glenn Baker <glenn.baker@gmx.com> --------- Signed-off-by: Glenn Baker <glenn.baker@gmx.com>
diff --git a/qemu/include/tcg/tcg.h b/qemu/include/tcg/tcg.h
@@ -1578,4 +1578,11 @@ struct jit_code_entry {
 void uc_del_inline_hook(uc_engine *uc, struct hook *hk);
 void uc_add_inline_hook(uc_engine *uc, struct hook *hk, void** args, int args_len);
 
+static inline bool tcg_uc_has_hookmem(TCGContext *s)
+{
+    return HOOK_EXISTS(s->uc, UC_HOOK_MEM_READ) ||
+        HOOK_EXISTS(s->uc, UC_HOOK_MEM_READ_AFTER) ||
+        HOOK_EXISTS(s->uc, UC_HOOK_MEM_WRITE);
+}
+
 #endif /* TCG_H */
diff --git a/qemu/tcg/aarch64/tcg-target.inc.c b/qemu/tcg/aarch64/tcg-target.inc.c
@@ -1587,7 +1587,8 @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     MemOp opc = get_memop(oi);
     MemOp size = opc & MO_SIZE;
 
-    if (!reloc_pc19(lb->label_ptr[0], s->code_ptr)) {
+    const int type = tcg_uc_has_hookmem(s) ? R_AARCH64_JUMP26 : R_AARCH64_CONDBR19;
+    if (!patch_reloc(lb->label_ptr[0], type, (intptr_t)s->code_ptr, 0)) {
         return false;
     }
 
@@ -1612,7 +1613,8 @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     MemOp opc = get_memop(oi);
     MemOp size = opc & MO_SIZE;
 
-    if (!reloc_pc19(lb->label_ptr[0], s->code_ptr)) {
+    const int type = tcg_uc_has_hookmem(s) ? R_AARCH64_JUMP26 : R_AARCH64_CONDBR19;
+    if (!patch_reloc(lb->label_ptr[0], type, (intptr_t)s->code_ptr, 0)) {
         return false;
     }
 
@@ -1711,7 +1713,11 @@ static void tcg_out_tlb_read(TCGContext *s, TCGReg addr_reg, MemOp opc,
 
     /* If not equal, we jump to the slow path. */
     *label_ptr = s->code_ptr;
-    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
+    // Unicorn: fast path if hookmem is not enabled
+    if (!tcg_uc_has_hookmem(s))
+        tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
+    else
+        tcg_out_insn(s, 3206, B, 0);
 }
 
 #endif /* CONFIG_SOFTMMU */
diff --git a/qemu/tcg/i386/tcg-target.inc.c b/qemu/tcg/i386/tcg-target.inc.c
@@ -1763,7 +1763,7 @@ static inline void tcg_out_tlb_load(TCGContext *s, TCGReg addrlo, TCGReg addrhi,
     tcg_out_mov(s, ttype, r1, addrlo);
 
     // Unicorn: fast path if hookmem is not enable
-    if (!HOOK_EXISTS(s->uc, UC_HOOK_MEM_READ) && !HOOK_EXISTS(s->uc, UC_HOOK_MEM_WRITE))
+    if (!tcg_uc_has_hookmem(s))
         tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
     else
         /* slow_path, so data access will go via load_helper() */
diff --git a/qemu/tcg/ppc/tcg-target.inc.c b/qemu/tcg/ppc/tcg-target.inc.c
@@ -2014,7 +2014,8 @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     MemOp opc = get_memop(oi);
     TCGReg hi, lo, arg = TCG_REG_R3;
 
-    if (!reloc_pc14(lb->label_ptr[0], s->code_ptr)) {
+    const int type = tcg_uc_has_hookmem(s) ? R_PPC_REL24 : R_PPC_REL14;
+    if (!patch_reloc(lb->label_ptr[0], type, (intptr_t)s->code_ptr, 0)) {
         return false;
     }
 
@@ -2062,7 +2063,8 @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     MemOp s_bits = opc & MO_SIZE;
     TCGReg hi, lo, arg = TCG_REG_R3;
 
-    if (!reloc_pc14(lb->label_ptr[0], s->code_ptr)) {
+    const int type = tcg_uc_has_hookmem(s) ? R_PPC_REL24 : R_PPC_REL14;
+    if (!patch_reloc(lb->label_ptr[0], type, (intptr_t)s->code_ptr, 0)) {
         return false;
     }
 
@@ -2142,7 +2144,11 @@ static void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, bool is_64)
 
     /* Load a pointer into the current opcode w/conditional branch-link. */
     label_ptr = s->code_ptr;
-    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+    // Unicorn: fast path if hookmem is not enabled
+    if (!tcg_uc_has_hookmem(s))
+        tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+    else
+        tcg_out32(s, B | LK);
 
     rbase = TCG_REG_R3;
 #else  /* !CONFIG_SOFTMMU */
@@ -2217,7 +2223,11 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is_64)
 
     /* Load a pointer into the current opcode w/conditional branch-link. */
     label_ptr = s->code_ptr;
-    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+    // Unicorn: fast path if hookmem is not enabled
+    if (!tcg_uc_has_hookmem(s))
+        tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+    else
+        tcg_out32(s, B | LK);
 
     rbase = TCG_REG_R3;
 #else  /* !CONFIG_SOFTMMU */
