<div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi all,<br><br></div>Thanks for the pointer! The instruction callbacks are very useful.<br></div>Now, I'm trying to get the target address the instruction is trying to flush.<br><br></div>But I seem to be getting bogus results, i.e.<br></div>for some instruction `clflush (%rax)`, I get flushes at extremely high addresses such as 0xffffc90040001180,<br></div>even though the workload under examination is performing its writes to the 1G-2G range.<br><br></div>I'm trying to read the register from the instruction encoding then grab it from the CPU state,<br></div>does this look like I'm accessing the QEMU emulated registers correctly? <br><a href="https://github.com/williewillus/panda_scratchpad/blob/master/personal_plugins/panda/plugins/writetracker/writetracker.cpp#L24-L61">https://github.com/williewillus/panda_scratchpad/blob/master/personal_plugins/panda/plugins/writetracker/writetracker.cpp#L24-L61</a><br><br></div>Thanks in advance,<br></div>Vincent<br><div><br><div><div><div><div><div><div><div><br></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Mar 18, 2018 at 2:08 PM, Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Even though it doesn't result in native code generation, you should<br>
still be able to use an instruction hook. Use an insn_translate<br>
callback to check if QEMU is about to translate a<br>
clflush/clflushopt/clwb instruction and then return true from that<br>
callback. Then your insn_exec callback will fire whenever one of those<br>
instructions is executed. Roughly:<br>
<br>
bool insn_translate(CPUState *env, target_ulong pc) {<br>
uint8_t bytes[2];<br>
panda_virtual_memory_read(env, pc, bytes, 2);<br>
if (bytes[0] == 0x0F && bytes[1] == 0xAE) return true; // clflush<br>
else return false;<br>
}<br>
<br>
int insn_exec(CPUState *env, target_ulong pc) {<br>
printf("Saw a clflush at " TARGET_FMT_lx "\n", pc);<br>
return 0;<br>
}<br>
<br>
-Brendan<br>
<div><div class="h5"><br>
On Sun, Mar 18, 2018 at 2:59 PM, Vincent Lee <<a href="mailto:vincent_lee@utexas.edu">vincent_lee@utexas.edu</a>> wrote:<br>
> Hi all,<br>
><br>
> I'd like to communicate to a plugin whenever a (x86_64) guest calls the<br>
> clflush, clflushopt, or clwb instructions.<br>
> Does anyone have any pointers or documentation where I should look to begin<br>
> implementing this?<br>
><br>
> From what I can tell so far:<br>
> * TCG translation of clwb/clflush/clflushopt simply call "gen_nop_modrm",<br>
> which does nothing<br>
> * TCG->native codegen is where panda's memory hooks are inserted<br>
><br>
> Would this be a valid (if ad-hoc) plan?<br>
> * Modify QEMU TCG to have some concept of "clflush/clwb/clflushopt" and emit<br>
> this from code->TCG translation<br>
> * add a new panda callback type for "clflush/clwb/clflushopt"<br>
> * change TCG->native codegen to inject a call to panda callbacks<br>
><br>
> Thanks,<br>
> Vincent<br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/panda-users</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
</font></span></blockquote></div><br></div>