1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "gtest/gtest.h"
18 
19 #include <sys/mman.h>
20 #include <unistd.h>
21 
22 #include <cstdint>
23 #include <cstring>
24 
namespace {

// Flushes the data cache and invalidates the instruction cache for the byte range
// [start, end), so that code bytes just written into that range are what the CPU
// fetches next. Its address is handed to the assembly helper below as the callback
// it invokes right after patching itself.
extern "C" void ClearInsnCache(void* start, void* end) {
  // __builtin___clear_cache wants char* bounds; it is available in Clang and in
  // GCC >= 4.3.0, which are the only toolchains this file is expected to build with.
  auto* const first_byte = static_cast<char*>(start);
  auto* const last_byte = static_cast<char*>(end);
  __builtin___clear_cache(first_byte, last_byte);
}

}  // namespace
34 
// Bounds of the position-independent RISC-V helper defined in the asm block below. The test
// copies the bytes in [begin, end) into a freshly mapped page and calls the copy. Declared as
// `char` so that the difference of the two addresses is a byte count.
extern "C" char PatchCodeInCurrentThreadHelper_begin;
extern "C" char PatchCodeInCurrentThreadHelper_end;
// By default the Android .text section, including this snippet, is not writeable. We ensure it is
// position independent, so that we can copy it to a writable page, where it'll actually work. The
// only position dependent address of ClearInsnCache callback must be provided in a0.
//
// What the helper does, following the labels inside the string:
//  1. Saves ra in a 16-byte stack frame and keeps the ClearInsnCache callback (a0) in t0.
//  2. Calls _assign_result 1000 times so that its code, including the stale `li a0, 21` at
//     _bad_clobber, is warm in the instruction cache before it is patched.
//  3. Stores the 4-byte `nop` word found at _nop over the instruction at _bad_clobber, then calls
//     the callback with a0 = address of the patched instruction and a1 = a0 + 4. `.option norvc`
//     keeps `li a0, 21` and `nop` uncompressed so that exactly one instruction is overwritten.
//  4. Calls _assign_result once more and returns its a0: 42 if the patch was observed by this
//     thread, 21 if the stale instruction was still executed.
// Only PC-relative forms (jal, bnez 1b, lla, `lw rd, symbol`) are used for labels, which is what
// lets the copied bytes run at an arbitrary address.
asm(R"(
.globl PatchCodeInCurrentThreadHelper_begin
PatchCodeInCurrentThreadHelper_begin:
  // Save return address and ClearInsnCache callback.
  addi sp, sp, -16
  sd ra, 0(sp)
  mv t0, a0

  // Facilitate caching of the result setting code.
  li t1, 1000
1:
  jal PatchCodeInCurrentThreadHelper_assign_result
  addi t1, t1, -1
  bnez t1, 1b

  // Overwrite bad-clobber with nop.
  lw t1, PatchCodeInCurrentThreadHelper_nop
  lla a0, PatchCodeInCurrentThreadHelper_bad_clobber
  sw t1, 0(a0)
  // Call ClearInsnCache. a0 is pointing at the overwritten instruction.
  addi a1, a0, 4
  jalr t0

  // Final result assignment.
  jal PatchCodeInCurrentThreadHelper_assign_result

  ld ra, 0(sp)
  addi sp, sp, 16
  ret

.option push
.option norvc  // Prevent instruction compression to ensure that both loads are 4 bytes.
PatchCodeInCurrentThreadHelper_assign_result:
  li a0, 42
PatchCodeInCurrentThreadHelper_bad_clobber:
  li a0, 21
  ret

PatchCodeInCurrentThreadHelper_nop:
  nop
.option pop

.globl PatchCodeInCurrentThreadHelper_end
PatchCodeInCurrentThreadHelper_end:
)");
85 
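// Copies the position-independent helper above into a fresh read/write/execute page, runs the
// copy, and checks that an in-place code patch followed by ClearInsnCache is observed by the
// executing thread: the helper returns 42 only if the stale `li a0, 21` is no longer executed.
TEST(RuntimeCodePatching, PatchCodeInCurrentThread) {
  const long kPageSize = sysconf(_SC_PAGESIZE);
  ASSERT_GT(kPageSize, 0L);
  const size_t kSnippetSize =
      &PatchCodeInCurrentThreadHelper_end - &PatchCodeInCurrentThreadHelper_begin;
  // The snippet has to fit into the single page mapped below.
  ASSERT_LE(kSnippetSize, static_cast<size_t>(kPageSize));

  // The helper patches its own instructions, so the page must be writable and executable at the
  // same time. Kernels or policies that forbid RWX mappings make mmap fail; check for MAP_FAILED
  // here so the test reports that instead of crashing inside memcpy.
  void* page = mmap(nullptr, kPageSize, PROT_READ | PROT_WRITE | PROT_EXEC,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  ASSERT_NE(page, MAP_FAILED);

  auto* code = static_cast<char*>(page);
  memcpy(code, &PatchCodeInCurrentThreadHelper_begin, kSnippetSize);
  // Flush the whole page (not a fixed 4096 bytes) so that no stale instruction-cache lines remain
  // for any part of the newly written code, regardless of the system page size.
  ClearInsnCache(code, code + kPageSize);

  auto Func = reinterpret_cast<uint64_t (*)(void*)>(code);
  // The helper takes the flush callback in a0; it is the only non-relocatable address it needs.
  const uint64_t result = Func(reinterpret_cast<void*>(ClearInsnCache));
  EXPECT_EQ(result, 42U);

  EXPECT_EQ(munmap(page, kPageSize), 0);
}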