The test plugin intercepts execution in different contexts. Without the plugin, any of the implemented test functions would trigger an assert and fail. With the plugin, control flow is redirected to skip the assert and return cleanly via the qemu_plugin_set_pc() API.
Signed-off-by: Pierrick Bouvier <[email protected]> Signed-off-by: Florian Hofhammer <[email protected]> --- MAINTAINERS | 1 + tests/tcg/arm/Makefile.target | 6 + tests/tcg/hexagon/Makefile.target | 8 ++ tests/tcg/multiarch/Makefile.target | 17 ++- .../multiarch/{ => plugin}/check-plugin-output.sh | 0 .../{ => plugin}/test-plugin-mem-access.c | 0 tests/tcg/multiarch/plugin/test-plugin-set-pc.c | 134 +++++++++++++++++++++ tests/tcg/plugins/meson.build | 1 + tests/tcg/plugins/setpc.c | 109 +++++++++++++++++ 9 files changed, 273 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 6698e5ff69..63c0af4d86 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4104,6 +4104,7 @@ S: Maintained F: docs/devel/tcg-plugins.rst F: plugins/ F: tests/tcg/plugins/ +F: tests/tcg/multiarch/plugin/ F: tests/functional/aarch64/test_tcg_plugins.py F: contrib/plugins/ F: scripts/qemu-plugin-symbols.py diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target index 6189d7a0e2..613bbf0939 100644 --- a/tests/tcg/arm/Makefile.target +++ b/tests/tcg/arm/Makefile.target @@ -78,4 +78,10 @@ sha512-vector: sha512.c ARM_TESTS += sha512-vector +ifeq ($(CONFIG_PLUGIN),y) +# Require emitting arm32 instructions, otherwise the vCPU might accidentally +# try to execute Thumb instructions in arm32 mode after qemu_plugin_set_pc() +test-plugin-set-pc: CFLAGS+=-marm +endif + TESTS += $(ARM_TESTS) diff --git a/tests/tcg/hexagon/Makefile.target b/tests/tcg/hexagon/Makefile.target index f86f02bb31..a70ef2f660 100644 --- a/tests/tcg/hexagon/Makefile.target +++ b/tests/tcg/hexagon/Makefile.target @@ -126,3 +126,11 @@ v73_scalar: CFLAGS += -Wno-unused-function hvx_histogram: hvx_histogram.c hvx_histogram_row.S $(CC) $(CFLAGS) $(CROSS_CC_GUEST_CFLAGS) $^ -o $@ $(LDFLAGS) + +ifeq ($(CONFIG_PLUGIN),y) +# LLVM is way too aggressive with inlining and dead code elimination even at +# -O0, which interferes with the test. What looks like dead code in this test +# to the compiler isn't actually dead code, so we need to disable all potential +# LLVM optimization passes. +test-plugin-set-pc: CFLAGS += -Xclang -disable-llvm-passes +endif diff --git a/tests/tcg/multiarch/Makefile.target b/tests/tcg/multiarch/Makefile.target index 07d0b27bdd..a347efbadf 100644 --- a/tests/tcg/multiarch/Makefile.target +++ b/tests/tcg/multiarch/Makefile.target @@ -14,6 +14,10 @@ ifeq ($(filter %-linux-user, $(TARGET)),$(TARGET)) VPATH += $(MULTIARCH_SRC)/linux MULTIARCH_SRCS += $(notdir $(wildcard $(MULTIARCH_SRC)/linux/*.c)) endif +ifeq ($(CONFIG_PLUGIN),y) +VPATH += $(MULTIARCH_SRC)/plugin +MULTIARCH_SRCS += $(notdir $(wildcard $(MULTIARCH_SRC)/plugin/*.c)) +endif MULTIARCH_TESTS = $(MULTIARCH_SRCS:.c=) # @@ -200,13 +204,20 @@ run-plugin-test-plugin-mem-access-with-libmem.so: \ PLUGIN_ARGS=$(COMMA)print-accesses=true run-plugin-test-plugin-mem-access-with-libmem.so: \ CHECK_PLUGIN_OUTPUT_COMMAND= \ - $(SRC_PATH)/tests/tcg/multiarch/check-plugin-output.sh \ + $(SRC_PATH)/tests/tcg/multiarch/plugin/check-plugin-output.sh \ $(QEMU) $< run-plugin-test-plugin-syscall-filter-with-libsyscall.so: +run-plugin-test-plugin-set-pc-with-libsetpc.so: EXTRA_RUNS_WITH_PLUGIN += run-plugin-test-plugin-mem-access-with-libmem.so \ - run-plugin-test-plugin-syscall-filter-with-libsyscall.so -else + run-plugin-test-plugin-syscall-filter-with-libsyscall.so \ + run-plugin-test-plugin-set-pc-with-libsetpc.so + +else # CONFIG_PLUGIN=n +# Do not build the syscall skipping test if it's not tested with the setpc +# plugin because it will simply fail the test. +MULTIARCH_TESTS := $(filter-out test-plugin-set-pc, $(MULTIARCH_TESTS)) + # test-plugin-syscall-filter needs syscall plugin to succeed test-plugin-syscall-filter: CFLAGS+=-DSKIP endif diff --git a/tests/tcg/multiarch/check-plugin-output.sh b/tests/tcg/multiarch/plugin/check-plugin-output.sh similarity index 100% rename from tests/tcg/multiarch/check-plugin-output.sh rename to tests/tcg/multiarch/plugin/check-plugin-output.sh diff --git a/tests/tcg/multiarch/test-plugin-mem-access.c b/tests/tcg/multiarch/plugin/test-plugin-mem-access.c similarity index 100% rename from tests/tcg/multiarch/test-plugin-mem-access.c rename to tests/tcg/multiarch/plugin/test-plugin-mem-access.c diff --git a/tests/tcg/multiarch/plugin/test-plugin-set-pc.c b/tests/tcg/multiarch/plugin/test-plugin-set-pc.c new file mode 100644 index 0000000000..f8343dfba8 --- /dev/null +++ b/tests/tcg/multiarch/plugin/test-plugin-set-pc.c @@ -0,0 +1,134 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * Copyright (C) 2026, Florian Hofhammer <[email protected]> + * + * This test set exercises the qemu_plugin_set_pc() function in four different + * contexts: + * 1. in an instruction callback during normal execution, + * 2. in an instruction callback during signal handling, + * 3. in a memory access callback. + * 4. in a syscall callback, + */ +#include <assert.h> +#include <signal.h> +#include <stdint.h> +#include <stdlib.h> +#include <stdio.h> +#include <unistd.h> + +/* If we issue this magic syscall, ... */ +#define MAGIC_SYSCALL 4096 +/* ... the plugin either jumps directly to the target address ... */ +#define SETPC 0 +/* ... or just updates the target address for future use in callbacks. */ +#define SETTARGET 1 + +static int signal_handled; + +void panic(const char *msg) +{ + fprintf(stderr, "Panic: %s\n", msg); + abort(); +} + +/* + * This test executes a magic syscall which communicates two addresses to the + * plugin via the syscall arguments. Whenever we reach the "bad" instruction + * during normal execution, the plugin should redirect control flow to the + * "good" instruction instead. + */ +void test_insn(void) +{ + long ret = syscall(MAGIC_SYSCALL, SETTARGET, &&bad_insn, &&good_insn, + NULL); + assert(ret == 0 && "Syscall filter did not return expected value"); +bad_insn: + panic("PC redirection in instruction callback failed"); +good_insn: + puts("PC redirection in instruction callback succeeded"); +} + +/* + * This signal handler communicates a "bad" and a "good" address to the plugin + * similar to the previous test, and skips to the "good" address when the "bad" + * one is reached. This serves to test whether PC redirection via + * qemu_plugin_set_pc() also works properly in a signal handler context. + */ +void usr1_handler(int signum) +{ + long ret = syscall(MAGIC_SYSCALL, SETTARGET, &&bad_signal, &&good_signal, + NULL); + assert(ret == 0 && "Syscall filter did not return expected value"); +bad_signal: + panic("PC redirection in instruction callback failed"); +good_signal: + signal_handled = 1; + puts("PC redirection in instruction callback succeeded"); +} + +/* + * This test sends a signal to the process, which should trigger the above + * signal handler. The signal handler should then exercise the PC redirection + * functionality in the context of a signal handler, which behaves a bit + * differently from normal execution. + */ +void test_sighandler(void) +{ + struct sigaction sa = {0}; + sa.sa_handler = usr1_handler; + sigaction(SIGUSR1, &sa, NULL); + pid_t pid = getpid(); + kill(pid, SIGUSR1); + assert(signal_handled == 1 && "Signal handler was not executed properly"); +} + +/* + * This test communicates a "good" address and the address of a local variable + * to the plugin. Upon accessing the local variable, the plugin should then + * redirect control flow to the "good" address via qemu_plugin_set_pc(). + */ +void test_mem(void) +{ + static uint32_t test = 1; + long ret = syscall(MAGIC_SYSCALL, SETTARGET, NULL, &&good_mem, &test); + assert(ret == 0 && "Syscall filter did not return expected value"); + /* Ensure read access to the variable to trigger the plugin callback */ + assert(test == 1); + panic("PC redirection in memory access callback failed"); +good_mem: + puts("PC redirection in memory access callback succeeded"); +} + +/* + * This test executes a magic syscall which is intercepted and its actual + * execution skipped via the qemu_plugin_set_pc() API. In a proper plugin, + * syscall skipping would rather be implemented via the syscall filtering + * callback, but we want to make sure qemu_plugin_set_pc() works in different + * contexts. + */ +__attribute__((noreturn)) +void test_syscall(void) +{ + syscall(MAGIC_SYSCALL, SETPC, &&good_syscall); + panic("PC redirection in syscall callback failed"); +good_syscall: + /* + * Note: we execute this test last and exit straight from here because when + * the plugin redirects control flow upon syscall, the stack frame for the + * syscall function (and potential other functions in the call chain in + * libc) is still live and the stack is not unwound properly. Thus, + * returning from here is risky and breaks on some architectures, so we + * just exit directly from this test. + */ + _exit(EXIT_SUCCESS); +} + + +int main(int argc, char *argv[]) +{ + test_insn(); + test_sighandler(); + test_mem(); + test_syscall(); +} diff --git a/tests/tcg/plugins/meson.build b/tests/tcg/plugins/meson.build index c5e49753fd..b3e3a9a6d0 100644 --- a/tests/tcg/plugins/meson.build +++ b/tests/tcg/plugins/meson.build @@ -7,6 +7,7 @@ test_plugins = [ 'mem.c', 'patch.c', 'reset.c', +'setpc.c', 'syscall.c', ] diff --git a/tests/tcg/plugins/setpc.c b/tests/tcg/plugins/setpc.c new file mode 100644 index 0000000000..8e66026d2c --- /dev/null +++ b/tests/tcg/plugins/setpc.c @@ -0,0 +1,109 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * Copyright (C) 2026, Florian Hofhammer <[email protected]> + */ +#include <assert.h> +#include <glib.h> +#include <inttypes.h> +#include <unistd.h> + +#include <qemu-plugin.h> + +/* If we detect this magic syscall, ... */ +#define MAGIC_SYSCALL 4096 +/* ... the plugin either jumps directly to the target address ... */ +#define SETPC 0 +/* ... or just updates the target address for future use in callbacks. */ +#define SETTARGET 1 + +QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION; + +static uint64_t source_pc; +static uint64_t target_pc; +static uint64_t target_vaddr; + +static bool vcpu_syscall_filter(qemu_plugin_id_t id, unsigned int vcpu_index, + int64_t num, uint64_t a1, uint64_t a2, + uint64_t a3, uint64_t a4, uint64_t a5, + uint64_t a6, uint64_t a7, uint64_t a8, + uint64_t *sysret) +{ + if (num == MAGIC_SYSCALL) { + if (a1 == SETPC) { + qemu_plugin_outs("Magic syscall detected, jump to clean exit\n"); + qemu_plugin_set_pc(a2); + } else if (a1 == SETTARGET) { + qemu_plugin_outs("Magic syscall detected, set target_pc / " + "target_vaddr\n"); + source_pc = a2; + target_pc = a3; + target_vaddr = a4; + *sysret = 0; + return true; + } else { + qemu_plugin_outs("Unknown magic syscall argument, ignoring\n"); + } + } + return false; +} + +static void vcpu_insn_exec(unsigned int vcpu_index, void *userdata) +{ + uint64_t vaddr = (uint64_t)userdata; + if (vaddr == source_pc) { + g_assert(target_pc != 0); + g_assert(target_vaddr == 0); + + qemu_plugin_outs("Marker insn detected, jump to clean return\n"); + qemu_plugin_set_pc(target_pc); + } +} + +static void vcpu_mem_access(unsigned int vcpu_index, + qemu_plugin_meminfo_t info, + uint64_t vaddr, void *userdata) +{ + if (vaddr != 0 && vaddr == target_vaddr) { + g_assert(source_pc == 0); + g_assert(target_pc != 0); + qemu_plugin_mem_value val = qemu_plugin_mem_get_value(info); + /* target_vaddr points to our volatile guard ==> should always be 1 */ + g_assert(val.type == QEMU_PLUGIN_MEM_VALUE_U32); + g_assert(val.data.u32 == 1); + + qemu_plugin_outs("Marker mem access detected, jump to clean return\n"); + qemu_plugin_set_pc(target_pc); + } +} + +static void vcpu_tb_trans(qemu_plugin_id_t id, struct qemu_plugin_tb *tb) +{ + size_t insns = qemu_plugin_tb_n_insns(tb); + for (size_t i = 0; i < insns; i++) { + struct qemu_plugin_insn *insn = qemu_plugin_tb_get_insn(tb, i); + uint64_t insn_vaddr = qemu_plugin_insn_vaddr(insn); + /* + * Note: we cannot only register the callbacks if the instruction is + * in one of the functions of interest, because symbol lookup for + * filtering does not work for all architectures (e.g., ppc64). + */ + qemu_plugin_register_vcpu_insn_exec_cb(insn, vcpu_insn_exec, + QEMU_PLUGIN_CB_RW_REGS_PC, + (void *)insn_vaddr); + qemu_plugin_register_vcpu_mem_cb(insn, vcpu_mem_access, + QEMU_PLUGIN_CB_RW_REGS_PC, + QEMU_PLUGIN_MEM_R, NULL); + } +} + + +QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id, + const qemu_info_t *info, + int argc, char **argv) +{ + + qemu_plugin_register_vcpu_syscall_filter_cb(id, vcpu_syscall_filter); + qemu_plugin_register_vcpu_tb_trans_cb(id, vcpu_tb_trans); + return 0; +} -- 2.53.0
