Changeset 86701 in vbox for trunk

Timestamp:

Oct 25, 2020 6:20:09 PM (4 years ago)

Author:

vboxsync

Message:

VMM/DBGF: Start implementing support for int3 breakpoints, bugref:9837

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• include/VBox/vmm/dbgf.h (modified) (1 diff)
• include/VBox/vmm/vm.h (modified) (1 diff)
• src/VBox/VMM/VMMR3/DBGFR3Bp.cpp (modified) (6 diffs)
• src/VBox/VMM/VMMRZ/DBGFRZ.cpp (modified) (3 diffs)
• src/VBox/VMM/include/DBGFInternal.h (modified) (2 diffs)

trunk/include/VBox/err.h

@@ -341 +341 @@
 /** Internal processing error \#5 in the DBGF breakpoint manager code. */
 #define VERR_DBGF_BP_IPE_5                  (-1230)
+/** Internal processing error \#6 in the DBGF breakpoint manager code. */
+#define VERR_DBGF_BP_IPE_6                  (-1231)
+/** Number of tries to add an int3 breakpoint table to the lookup tables reached. */
+#define VERR_DBGF_BP_INT3_ADD_TRIES_REACHED (-1232)
 /** @} */
 

trunk/include/VBox/vmm/dbgf.h

@@ -51 +51 @@
  */
 VMMRZ_INT_DECL(int) DBGFRZTrap01Handler(PVM pVM, PVMCPU pVCpu, PCPUMCTXCORE pRegFrame, RTGCUINTREG uDr6, bool fAltStepping);
-VMMRZ_INT_DECL(int) DBGFRZTrap03Handler(PVM pVM, PVMCPU pVCpu, PCPUMCTXCORE pRegFrame);
+VMMRZ_INT_DECL(int) DBGFRZTrap03Handler(PVMCC pVM, PVMCPUCC pVCpu, PCPUMCTXCORE pRegFrame);
 /** @} */
 #endif

trunk/include/VBox/vmm/vm.h

@@ -1392 +1392 @@
             /** The number of enabled hardware I/O breakpoints. */
             uint8_t                     cEnabledHwIoBreakpoints;
+#ifndef VBOX_WITH_LOTS_OF_DBGF_BPS
             /** The number of enabled INT3 breakpoints. */
             uint8_t                     cEnabledInt3Breakpoints;
             uint8_t                     abPadding[1]; /**< Unused padding space up for grabs. */
+#else
+            uint16_t                    u16Pad; /**< Unused padding space up for grabs. */
+            /** The number of enabled INT3 breakpoints. */
+            volatile uint32_t           cEnabledInt3Breakpoints;
+#endif
         } const     ro;
 #endif

trunk/src/VBox/VMM/VMMR3/DBGFR3Bp.cpp

@@ -643 +643 @@
 
 /**
+ * Adds the given int3 breakpoint to the appropriate lookup tables.
+ *
+ * @returns VBox status code.
+ * @param   pUVM                The user mode VM handle.
+ * @param   hBp                 The breakpoint handle to add.
+ * @param   pBp                 The internal breakpoint state.
+ */
+static int dbgfR3BpInt3Add(PUVM pUVM, DBGFBP hBp, PDBGFBPINT pBp)
+{
+    AssertReturn(DBGF_BP_PUB_GET_TYPE(pBp->Pub.fFlagsAndType) == DBGFBPTYPE_INT3, VERR_DBGF_BP_IPE_3);
+
+    int rc = VINF_SUCCESS;
+    uint16_t idxL1 = DBGF_BP_INT3_L1_IDX_EXTRACT_FROM_ADDR(pBp->Pub.u.Int3.GCPtr);
+    uint8_t  cTries = 16;
+
+    while (cTries--)
+    {
+        uint32_t u32Entry = ASMAtomicReadU32(&pUVM->dbgf.s.paBpLocL1R3[idxL1]);
+
+        if (u32Entry == DBGF_BP_INT3_L1_ENTRY_TYPE_NULL)
+        {
+            /*
+             * No breakpoint assigned so far for this entry, create an entry containing
+             * the direct breakpoint handle and try to exchange it atomically.
+             */
+            u32Entry = DBGF_BP_INT3_L1_ENTRY_CREATE_BP_HND(hBp);
+            if (ASMAtomicCmpXchgU32(&pUVM->dbgf.s.paBpLocL1R3[idxL1], u32Entry, DBGF_BP_INT3_L1_ENTRY_TYPE_NULL))
+                break;
+        }
+        else
+        {
+            uint8_t u8Type = DBGF_BP_INT3_L1_ENTRY_GET_TYPE(u32Entry);
+            if (u8Type == DBGF_BP_INT3_L1_ENTRY_TYPE_BP_HND)
+            {
+                /** @todo Allocate a new root entry and one leaf to accomodate for the two handles,
+                 * then replace the new entry. */
+                rc = VERR_NOT_IMPLEMENTED;
+                break;
+            }
+            else if (u8Type == DBGF_BP_INT3_L1_ENTRY_TYPE_L2_IDX)
+            {
+                /** @todo Walk the L2 tree searching for the correct spot, add the new entry
+                 * and rebalance the tree. */
+                rc = VERR_NOT_IMPLEMENTED;
+                break;
+            }
+        }
+    }
+
+    if (   RT_SUCCESS(rc)
+        && !cTries) /* Too much contention, abort with an error. */
+        rc = VERR_DBGF_BP_INT3_ADD_TRIES_REACHED;
+
+    return rc;
+}
+
+
+/**
+ * Removes the given int3 breakpoint from all lookup tables.
+ *
+ * @returns VBox status code.
+ * @param   pUVM                The user mode VM handle.
+ * @param   hBp                 The breakpoint handle to remove.
+ * @param   pBp                 The internal breakpoint state.
+ */
+static int dbgfR3BpInt3Remove(PUVM pUVM, DBGFBP hBp, PDBGFBPINT pBp)
+{
+    AssertReturn(DBGF_BP_PUB_GET_TYPE(pBp->Pub.fFlagsAndType) == DBGFBPTYPE_INT3, VERR_DBGF_BP_IPE_3);
+
+    int rc = VINF_SUCCESS;
+    uint16_t idxL1 = DBGF_BP_INT3_L1_IDX_EXTRACT_FROM_ADDR(pBp->Pub.u.Int3.GCPtr);
+
+    for (;;)
+    {
+        uint32_t u32Entry = ASMAtomicReadU32(&pUVM->dbgf.s.paBpLocL1R3[idxL1]);
+        AssertReturn(u32Entry != DBGF_BP_INT3_L1_ENTRY_TYPE_NULL, VERR_DBGF_BP_IPE_6);
+
+        uint8_t u8Type = DBGF_BP_INT3_L1_ENTRY_GET_TYPE(u32Entry);
+        if (u8Type == DBGF_BP_INT3_L1_ENTRY_TYPE_BP_HND)
+        {
+            /* Single breakpoint, just exchange atomically with the null value. */
+            if (ASMAtomicCmpXchgU32(&pUVM->dbgf.s.paBpLocL1R3[idxL1], DBGF_BP_INT3_L1_ENTRY_TYPE_NULL, u32Entry))
+                break;
+            break;
+        }
+        else if (u8Type == DBGF_BP_INT3_L1_ENTRY_TYPE_L2_IDX)
+        {
+            /** @todo Walk the L2 tree searching for the correct spot, remove the entry
+             * and rebalance the tree. */
+            RT_NOREF(hBp);
+            rc = VERR_NOT_IMPLEMENTED;
+            break;
+        }
+    }
+
+    return rc;
+}
+
+
+/**
  * @callback_method_impl{FNVMMEMTRENDEZVOUS}
  */
@@ -678 +778 @@
  * @param   hBp                 The breakpoint handle to arm.
  * @param   pBp                 The internal breakpoint state pointer for the handle.
+ *
+ * @thread Any thread.
  */
 static int dbgfR3BpArm(PUVM pUVM, DBGFBP hBp, PDBGFBPINT pBp)
@@ -704 +806 @@
         }
         case DBGFBPTYPE_INT3:
+        {
+            dbgfR3BpSetEnabled(pBp, true /*fEnabled*/);
+
+            /** @todo When we enable the first int3 breakpoint we should do this in an EMT rendezvous
+             * as the VMX code intercepts #BP only when at least one int3 breakpoint is enabled.
+             * A racing vCPU might trigger it and forward it to the guest causing panics/crashes/havoc. */
+            /*
+             * Save current byte and write the int3 instruction byte.
+             */
+            rc = PGMPhysSimpleReadGCPhys(pVM, &pBp->Pub.u.Int3.bOrg, pBp->Pub.u.Int3.PhysAddr, sizeof(pBp->Pub.u.Int3.bOrg));
+            if (RT_SUCCESS(rc))
+            {
+                static const uint8_t s_bInt3 = 0xcc;
+                rc = PGMPhysSimpleWriteGCPhys(pVM, pBp->Pub.u.Int3.PhysAddr, &s_bInt3, sizeof(s_bInt3));
+                if (RT_SUCCESS(rc))
+                {
+                    ASMAtomicIncU32(&pVM->dbgf.s.cEnabledInt3Breakpoints);
+                    Log(("DBGF: Set breakpoint at %RGv (Phys %RGp)\n", pBp->Pub.u.Int3.GCPtr, pBp->Pub.u.Int3.PhysAddr));
+                }
+            }
+
+            if (RT_FAILURE(rc))
+                dbgfR3BpSetEnabled(pBp, false /*fEnabled*/);
+
+            break;
+        }
         case DBGFBPTYPE_PORT_IO:
         case DBGFBPTYPE_MMIO:
@@ -724 +852 @@
  * @param   hBp                 The breakpoint handle to disarm.
  * @param   pBp                 The internal breakpoint state pointer for the handle.
+ *
+ * @thread Any thread.
  */
 static int dbgfR3BpDisarm(PUVM pUVM, DBGFBP hBp, PDBGFBPINT pBp)
@@ -750 +880 @@
         }
         case DBGFBPTYPE_INT3:
+        {
+            dbgfR3BpSetEnabled(pBp, false /*fEnabled*/);
+
+            /*
+             * Check that the current byte is the int3 instruction, and restore the original one.
+             * We currently ignore invalid bytes.
+             */
+            uint8_t bCurrent = 0;
+            rc = PGMPhysSimpleReadGCPhys(pVM, &bCurrent, pBp->Pub.u.Int3.PhysAddr, sizeof(bCurrent));
+            if (   RT_SUCCESS(rc)
+                && bCurrent == 0xcc)
+            {
+                rc = PGMPhysSimpleWriteGCPhys(pVM, pBp->Pub.u.Int3.PhysAddr, &pBp->Pub.u.Int3.bOrg, sizeof(pBp->Pub.u.Int3.bOrg));
+                if (RT_SUCCESS(rc))
+                {
+                    ASMAtomicDecU32(&pVM->dbgf.s.cEnabledInt3Breakpoints);
+                    Log(("DBGF: Removed breakpoint at %RGv (Phys %RGp)\n", pBp->Pub.u.Int3.GCPtr, pBp->Pub.u.Int3.PhysAddr));
+                }
+            }
+
+            if (RT_FAILURE(rc))
+                dbgfR3BpSetEnabled(pBp, true /*fEnabled*/);
+
+            break;
+        }
         case DBGFBPTYPE_PORT_IO:
         case DBGFBPTYPE_MMIO:
@@ -877 +1032 @@
             pBp->Pub.u.Int3.GCPtr     = pAddress->FlatPtr;
 
-            /* Enable the breakpoint. */
-            rc = dbgfR3BpArm(pUVM, hBp, pBp);
+            /* Add the breakpoint to the lookup tables. */
+            rc = dbgfR3BpInt3Add(pUVM, hBp, pBp);
             if (RT_SUCCESS(rc))
             {
-                *phBp = hBp;
-                return VINF_SUCCESS;
+                /* Enable the breakpoint. */
+                rc = dbgfR3BpArm(pUVM, hBp, pBp);
+                if (RT_SUCCESS(rc))
+                {
+                    *phBp = hBp;
+                    return VINF_SUCCESS;
+                }
+
+                int rc2 = dbgfR3BpInt3Remove(pUVM, hBp, pBp); AssertRC(rc2);
             }
         }

trunk/src/VBox/VMM/VMMRZ/DBGFRZ.cpp

@@ -190 +190 @@
 }
 
+#ifdef VBOX_WITH_LOTS_OF_DBGF_BPS
+# ifdef IN_RING0
+/**
+ * Returns the internal breakpoint state for the given handle.
+ *
+ * @returns Pointer to the internal breakpoint state or NULL if the handle is invalid.
+ * @param   pVM                 The ring-0 VM structure pointer.
+ * @param   hBp                 The breakpoint handle to resolve.
+ * @param   ppBpR0              Where to store the pointer to the ring-0 only part of the breakpoint
+ *                              on success, optional.
+ */
+DECLINLINE(PDBGFBPINT) dbgfR0BpGetByHnd(PVMCC pVM, DBGFBP hBp, PDBGFBPINTR0 *ppBpR0)
+{
+    uint32_t idChunk  = DBGF_BP_HND_GET_CHUNK_ID(hBp);
+    uint32_t idxEntry = DBGF_BP_HND_GET_ENTRY(hBp);
+
+    AssertReturn(idChunk < DBGF_BP_CHUNK_COUNT, NULL);
+    AssertReturn(idxEntry < DBGF_BP_COUNT_PER_CHUNK, NULL);
+
+    PDBGFBPCHUNKR0 pBpChunk = &pVM->dbgfr0.s.aBpChunks[idChunk];
+    AssertPtrReturn(pBpChunk->paBpBaseSharedR0, NULL);
+
+    if (ppBpR0)
+        *ppBpR0 = &pBpChunk->paBpBaseR0Only[idxEntry];
+    return &pBpChunk->paBpBaseSharedR0[idxEntry];
+}
+# endif
+
+
+/**
+ * Executes the actions associated with the given breakpoint.
+ *
+ * @returns VBox status code.
+ * @param   pVM         The cross context VM structure.
+ * @param   pVCpu       The cross context virtual CPU structure.
+ * @param   pRegFrame   Pointer to the register frame for the trap.
+ * @param   hBp         The breakpoint handle which hit.
+ * @param   pBp         The shared breakpoint state.
+ * @param   pBpR0       The ring-0 only breakpoint state.
+ * @param   fInHyper    Flag whether the breakpoint triggered in hypervisor code.
+ */
+DECLINLINE(int) dbgfRZBpHit(PVMCC pVM, PVMCPUCC pVCpu, PCPUMCTXCORE pRegFrame,
+                            DBGFBP hBp, PDBGFBPINT pBp, PDBGFBPINTR0 pBpR0, bool fInHyper)
+{
+    uint64_t cHits = ASMAtomicIncU64(&pBp->Pub.cHits);
+    pVCpu->dbgf.s.hBpActive = hBp;
+
+    /** @todo Owner handling. */
+
+    LogFlow(("dbgfRZBpHit: hit breakpoint %u at %04x:%RGv cHits=0x%RX64\n",
+             hBp, pRegFrame->cs.Sel, pRegFrame->rip, cHits));
+    return fInHyper
+         ? VINF_EM_DBG_HYPER_BREAKPOINT
+         : VINF_EM_DBG_BREAKPOINT;
+}
+#endif /* !VBOX_WITH_LOTS_OF_DBGF_BPS */
 
 /**
@@ -202 +258 @@
  * @param   pRegFrame   Pointer to the register frame for the trap.
  */
-VMMRZ_INT_DECL(int) DBGFRZTrap03Handler(PVM pVM, PVMCPU pVCpu, PCPUMCTXCORE pRegFrame)
+VMMRZ_INT_DECL(int) DBGFRZTrap03Handler(PVMCC pVM, PVMCPUCC pVCpu, PCPUMCTXCORE pRegFrame)
 {
 #ifdef IN_RC
@@ -247 +303 @@
         }
     }
+#else
+# ifdef IN_RC
+# error "You lucky person have the pleasure to implement the raw mode part for this!"
+# endif
+
+    if (pVM->dbgfr0.s.CTX_SUFF(paBpLocL1))
+    {
+        RTGCPTR GCPtrBp;
+        int rc = SELMValidateAndConvertCSAddr(pVCpu, pRegFrame->eflags, pRegFrame->ss.Sel, pRegFrame->cs.Sel, &pRegFrame->cs,
+# ifdef IN_RC
+                                              pRegFrame->eip - 1,
+# else
+                                              pRegFrame->rip /* no -1 in R0 */,
+# endif
+                                              &GCPtrBp);
+        AssertRCReturn(rc, rc);
+
+        const uint16_t idxL1      = DBGF_BP_INT3_L1_IDX_EXTRACT_FROM_ADDR(GCPtrBp);
+        const uint32_t u32L1Entry = ASMAtomicReadU32(&pVM->dbgfr0.s.CTX_SUFF(paBpLocL1)[idxL1]);
+
+        LogFlowFunc(("GCPtrBp=%RGv idxL1=%u u32L1Entry=%#x\n", GCPtrBp, idxL1, u32L1Entry));
+        if (u32L1Entry != DBGF_BP_INT3_L1_ENTRY_TYPE_NULL)
+        {
+            uint8_t u8Type = DBGF_BP_INT3_L1_ENTRY_GET_TYPE(u32L1Entry);
+            if (u8Type == DBGF_BP_INT3_L1_ENTRY_TYPE_BP_HND)
+            {
+                DBGFBP hBp = DBGF_BP_INT3_L1_ENTRY_GET_BP_HND(u32L1Entry);
+
+                /* Query the internal breakpoint state from the handle. */
+                PDBGFBPINTR0 pBpR0 = NULL;
+                PDBGFBPINT pBp = dbgfR0BpGetByHnd(pVM, hBp, &pBpR0);
+                if (   pBp
+                    && DBGF_BP_PUB_GET_TYPE(pBp->Pub.fFlagsAndType) == DBGFBPTYPE_INT3)
+                {
+                    if (pBp->Pub.u.Int3.GCPtr == (RTGCUINTPTR)GCPtrBp)
+                        return dbgfRZBpHit(pVM, pVCpu, pRegFrame, hBp, pBp, pBpR0, fInHyper);
+                    /* else Genuine guest trap. */
+                }
+                /** @todo else Guru meditation */
+            }
+            else if (u8Type == DBGF_BP_INT3_L1_ENTRY_TYPE_L2_IDX)
+            {
+                /** @todo Walk the L2 tree searching for the correct spot. */
+            }
+            /** @todo else Guru meditation */
+        }
+    }
 #endif /* !VBOX_WITH_LOTS_OF_DBGF_BPS */
 

trunk/src/VBox/VMM/include/DBGFInternal.h

@@ -788 +788 @@
 
 
+/** @name DBGF int3 L1 lookup table entry types.
+ * @{ */
+/** No breakpoint handle assigned for this entry - special value which can be used
+ * for comparison with the whole entry. */
+#define DBGF_BP_INT3_L1_ENTRY_TYPE_NULL                 UINT32_C(0)
+/** Direct breakpoint handle. */
+#define DBGF_BP_INT3_L1_ENTRY_TYPE_BP_HND               1
+/** Index into the L2 tree denoting the root of a search tree. */
+#define DBGF_BP_INT3_L1_ENTRY_TYPE_L2_IDX               2
+/** @} */
+
+
+/** Returns the entry type for the given L1 lookup table entry. */
+#define DBGF_BP_INT3_L1_ENTRY_GET_TYPE(a_u32Entry)      ((a_u32Entry) >> 28)
+/** Returns a DBGF breakpoint handle from the given L1 lookup table entry,
+ * type needs to be DBGF_BP_INT3_L1_ENTRY_TYPE_BP_HND. */
+#define DBGF_BP_INT3_L1_ENTRY_GET_BP_HND(a_u32Entry)    ((DBGFBP)((a_u32Entry) & UINT32_C(0x0fffffff)))
+/** Returns a L2 index from the given L1 lookup table entry,
+ * type needs to be DBGF_BP_INT3_L1_ENTRY_TYPE_L2_IDX. */
+#define DBGF_BP_INT3_L1_ENTRY_GET_L2_IDX(a_u32Entry)    ((a_u32Entry) & UINT32_C(0x0fffffff))
+/** Creates a L1 entry value from the given type and data. */
+#define DBGF_BP_INT3_L1_ENTRY_CREATE(a_Type, a_u32Data) ((((uint32_t)(a_Type)) << 28) | ((a_u32Data) & UINT32_C(0x0fffffff)))
+/** Creates a breakpoint handle type L1 lookup entry. */
+#define DBGF_BP_INT3_L1_ENTRY_CREATE_BP_HND(a_hBp)      DBGF_BP_INT3_L1_ENTRY_CREATE(DBGF_BP_INT3_L1_ENTRY_TYPE_BP_HND, a_hBp)
+/** Creates a L2 index type L1 lookup entry. */
+#define DBGF_BP_INT3_L1_ENTRY_CREATE_L2_IDX(a_idxL2)    DBGF_BP_INT3_L1_ENTRY_CREATE(DBGF_BP_INT3_L1_ENTRY_TYPE_L2_IDX, a_idxL2)
+
+/** Extracts the lowest bits from the given GC pointer used as an index into the L1 lookup table. */
+#define DBGF_BP_INT3_L1_IDX_EXTRACT_FROM_ADDR(a_GCPtr)  ((uint16_t)((a_GCPtr) & UINT16_C(0xffff)))
+
 /**
  * The internal breakpoint state, shared part.
@@ -920 +950 @@
     uint8_t                     cEnabledInt3Breakpoints;
     uint8_t                     abPadding; /**< Unused padding space up for grabs. */
+    uint32_t                    uPadding;
 #else
-    uint16_t                    u16Pad;
+    uint16_t                    u16Pad; /**< Unused padding space up for grabs. */
+    /** The number of enabled INT3 breakpoints. */
+    volatile uint32_t           cEnabledInt3Breakpoints;
 #endif
-    uint32_t                    uPadding;
 
     /** Debugger Attached flag.