mu/032check_operand_bounds.cc

//:: Check that the different operands of an instruction aren't too large for their bitfields.

void test_check_bitfield_sizes() {
  Hide_errors = true;
  run(
      "== code 0x1\n"
      "01/add 4/mod 3/rm32 1/r32\n"  // add ECX to EBX
  );
  CHECK_TRACE_CONTENTS(
      "error: '4/mod' too large to fit in bitfield mod\n"
  );
}

:(before "End Globals")
map<string, uint32_t> Operand_bound;
:(before "End One-time Setup")
put_new(Operand_bound, "subop", 1<<3);
put_new(Operand_bound, "mod", 1<<2);
put_new(Operand_bound, "rm32", 1<<3);
put_new(Operand_bound, "base", 1<<3);
put_new(Operand_bound, "index", 1<<3);
put_new(Operand_bound, "scale", 1<<2);
put_new(Operand_bound, "r32", 1<<3);
put_new(Operand_bound, "disp8", 1<<8);
put_new(Operand_bound, "disp16", 1<<16);
// no bound needed for disp32
put_new(Operand_bound, "imm8", 1<<8);
// no bound needed for imm32

:(before "Pack Operands(segment code)")
check_operand_bounds(code);
if (trace_contains_errors()) return;
:(code)
void check_operand_bounds(const segment& code) {
  trace(3, "transform") << "-- check operand bounds" << end();
  for (int i = 0;  i < SIZE(code.lines);  ++i) {
    const line& inst = code.lines.at(i);
    for (int j = first_operand(inst);  j < SIZE(inst.words);  ++j)
      check_operand_bounds(inst.words.at(j));
    if (trace_contains_errors()) return;  // stop at the first mal-formed instruction
  }
}

void check_operand_bounds(const word& w) {
  for (map<string, uint32_t>::iterator p = Operand_bound.begin();  p != Operand_bound.end();  ++p) {
    if (!has_operand_metadata(w, p->first)) continue;
    if (!looks_like_hex_int(w.data)) continue;  // later transforms are on their own to do their own bounds checking
    int32_t x = parse_int(w.data);
    if (x >= 0) {
      if (p->first == "disp8" || p->first == "disp16") {
        if (static_cast<uint32_t>(x) >= p->second/2)
          raise << "'" << w.original << "' too large to fit in signed bitfield " << p->first << '\n' << end();
      }
      else {
        if (static_cast<uint32_t>(x) >= p->second)
          raise << "'" << w.original << "' too large to fit in bitfield " << p->first << '\n' << end();
      }
    }
    else {
      // hacky? assuming bound is a power of 2
      if (x < -1*static_cast<int32_t>(p->second/2))
        raise << "'" << w.original << "' too large to fit in bitfield " << p->first << '\n' << end();
    }
  }
}

void test_check_bitfield_sizes_for_imm8() {
  run(
      "== code 0x1\n"
      "c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX 0xff/imm8"  // shift EBX left
  );
  CHECK(!trace_contains_errors());
}

void test_check_bitfield_sizes_for_imm8_error() {
  Hide_errors = true;
  run(
      "== code 0x1\n"
      "c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX 0x100/imm8"  // shift EBX left
  );
  CHECK_TRACE_CONTENTS(
      "error: '0x100/imm8' too large to fit in bitfield imm8\n"
  );
}

void test_check_bitfield_sizes_for_negative_imm8() {
  run(
      "== code 0x1\n"
      "c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX -0x80/imm8"  // shift EBX left
  );
  CHECK(!trace_contains_errors());
}

void test_check_bitfield_sizes_for_negative_imm8_error() {
  Hide_errors = true;
  run(
      "== code 0x1\n"
      "c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX -0x81/imm8"  // shift EBX left
  );
  CHECK_TRACE_CONTENTS(
      "error: '-0x81/imm8' too large to fit in bitfield imm8\n"
  );
}

void test_check_bitfield_sizes_for_disp8() {
  // not bothering to run
  transform(
      "== code 0x1\n"
      "01/add 1/mod/*+disp8 3/rm32 1/r32 0x7f/disp8\n"  // add ECX to *(EBX+0x7f)
  );
  CHECK(!trace_contains_errors());
}

void test_check_bitfield_sizes_for_disp8_error() {
  Hide_errors = true;
  run(
      "== code 0x1\n"
      "01/add 1/mod/*+disp8 3/rm32 1/r32 0x80/disp8\n"  // add ECX to *(EBX+0x80)
  );
  CHECK_TRACE_CONTENTS(
      "error: '0x80/disp8' too large to fit in signed bitfield disp8\n"
  );
}

void test_check_bitfield_sizes_for_negative_disp8() {
  // not bothering to run
  transform(
      "== code 0x1\n"
      "01/add 1/mod/*+disp8 3/rm32 1/r32 -0x80/disp8\n"  // add ECX to *(EBX-0x80)
  );
  CHECK(!trace_contains_errors());
}

void test_check_bitfield_sizes_for_negative_disp8_error() {
  Hide_errors = true;
  run(
      "== code 0x1\n"
      "01/add 1/mod/*+disp8 3/rm32 1/r32 -0x81/disp8\n"  // add ECX to *(EBX-0x81)
  );
  CHECK_TRACE_CONTENTS(
      "error: '-0x81/disp8' too large to fit in bitfield disp8\n"
  );
}
4390 - check for instruction operand overflow 2018-07-23 15:49:55 +00:00			`//:: Check that the different operands of an instruction aren't too large for their bitfields.`

5001 - drop the :(scenario) DSL I've been saying for a while[1][2][3] that adding extra abstractions makes things harder for newcomers, and adding new notations doubly so. And then I notice this DSL in my own backyard. Makes me feel like a hypocrite. [1] https://news.ycombinator.com/item?id=13565743#13570092 [2] https://lobste.rs/s/to8wpr/configuration_files_are_canary_warning [3] https://lobste.rs/s/mdmcdi/little_languages_by_jon_bentley_1986#c_3miuf2 The implementation of the DSL was also highly hacky: a) It was happening in the tangle/ tool, but was utterly unrelated to tangling layers. b) There were several persnickety constraints on the different kinds of lines and the specific order they were expected in. I kept finding bugs where the translator would silently do the wrong thing. Or the error messages sucked, and readers may be stuck looking at the generated code to figure out what happened. Fixing error messages would require a lot more code, which is one of my arguments against DSLs in the first place: they may be easy to implement, but they're hard to design to go with the grain of the underlying platform. They require lots of iteration. Is that effort worth prioritizing in this project? On the other hand, the DSL did make at least some readers' life easier, the ones who weren't immediately put off by having to learn a strange syntax. There were fewer quotes to parse, fewer backslash escapes. Anyway, since there are also people who dislike having to put up with strange syntaxes, we'll call that consideration a wash and tear this DSL out. --- This commit was sheer drudgery. Hopefully it won't need to be redone with a new DSL because I grow sick of backslashes. 2019-03-13 01:56:55 +00:00			`void test_check_bitfield_sizes() {`
			`Hide_errors = true;`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5001 - drop the :(scenario) DSL I've been saying for a while[1][2][3] that adding extra abstractions makes things harder for newcomers, and adding new notations doubly so. And then I notice this DSL in my own backyard. Makes me feel like a hypocrite. [1] https://news.ycombinator.com/item?id=13565743#13570092 [2] https://lobste.rs/s/to8wpr/configuration_files_are_canary_warning [3] https://lobste.rs/s/mdmcdi/little_languages_by_jon_bentley_1986#c_3miuf2 The implementation of the DSL was also highly hacky: a) It was happening in the tangle/ tool, but was utterly unrelated to tangling layers. b) There were several persnickety constraints on the different kinds of lines and the specific order they were expected in. I kept finding bugs where the translator would silently do the wrong thing. Or the error messages sucked, and readers may be stuck looking at the generated code to figure out what happened. Fixing error messages would require a lot more code, which is one of my arguments against DSLs in the first place: they may be easy to implement, but they're hard to design to go with the grain of the underlying platform. They require lots of iteration. Is that effort worth prioritizing in this project? On the other hand, the DSL did make at least some readers' life easier, the ones who weren't immediately put off by having to learn a strange syntax. There were fewer quotes to parse, fewer backslash escapes. Anyway, since there are also people who dislike having to put up with strange syntaxes, we'll call that consideration a wash and tear this DSL out. --- This commit was sheer drudgery. Hopefully it won't need to be redone with a new DSL because I grow sick of backslashes. 2019-03-13 01:56:55 +00:00			`"01/add 4/mod 3/rm32 1/r32\n" // add ECX to EBX`
			`);`
			`CHECK_TRACE_CONTENTS(`
			`"error: '4/mod' too large to fit in bitfield mod\n"`
			`);`
			`}`
4390 - check for instruction operand overflow 2018-07-23 15:49:55 +00:00
			`:(before "End Globals")`
			`map<string, uint32_t> Operand_bound;`
			`:(before "End One-time Setup")`
4694 Check for duplicate docstrings. 2018-10-14 06:55:07 +00:00			`put_new(Operand_bound, "subop", 1<<3);`
			`put_new(Operand_bound, "mod", 1<<2);`
			`put_new(Operand_bound, "rm32", 1<<3);`
			`put_new(Operand_bound, "base", 1<<3);`
			`put_new(Operand_bound, "index", 1<<3);`
			`put_new(Operand_bound, "scale", 1<<2);`
			`put_new(Operand_bound, "r32", 1<<3);`
			`put_new(Operand_bound, "disp8", 1<<8);`
			`put_new(Operand_bound, "disp16", 1<<16);`
4390 - check for instruction operand overflow 2018-07-23 15:49:55 +00:00			`// no bound needed for disp32`
4694 Check for duplicate docstrings. 2018-10-14 06:55:07 +00:00			`put_new(Operand_bound, "imm8", 1<<8);`
4390 - check for instruction operand overflow 2018-07-23 15:49:55 +00:00			`// no bound needed for imm32`

4499 More tweaks for check passes. Ensure they're never first-class transforms. 2018-08-10 04:35:04 +00:00			`:(before "Pack Operands(segment code)")`
4483 Reorganize layers in accordance with the plan in layer 29. 2018-08-05 05:59:47 +00:00			`check_operand_bounds(code);`
			`if (trace_contains_errors()) return;`
4390 - check for instruction operand overflow 2018-07-23 15:49:55 +00:00			`:(code)`
4483 Reorganize layers in accordance with the plan in layer 29. 2018-08-05 05:59:47 +00:00			`void check_operand_bounds(const segment& code) {`
4987 - support `browse_trace` tool in SubX I've extracted it into a separate binary, independent of my Mu prototype. I also cleaned up my tracing layer to be a little nicer. Major improvements: - Realized that incremental tracing really ought to be the default. And to minimize printing traces to screen. - Finally figured out how to combine layers and call stack frames in a single dimension of depth. The answer: optimize for the experience of `browse_trace`. Instructions occupy a range of depths based on their call stack frame, and minor details of an instruction lie one level deeper in each case. Other than that, I spent some time adjusting levels everywhere to make `browse_trace` useful. 2019-02-25 08:17:46 +00:00			`trace(3, "transform") << "-- check operand bounds" << end();`
4432 Good idea from @tekknolagi: make more explicit that the first segment is code. 2018-07-27 06:26:20 +00:00			`for (int i = 0; i < SIZE(code.lines); ++i) {`
			`const line& inst = code.lines.at(i);`
4419 Unshadow variable. Thanks Max Bernstein for pointing this out. 2018-07-26 16:02:06 +00:00			`for (int j = first_operand(inst); j < SIZE(inst.words); ++j)`
			`check_operand_bounds(inst.words.at(j));`
4390 - check for instruction operand overflow 2018-07-23 15:49:55 +00:00			`if (trace_contains_errors()) return; // stop at the first mal-formed instruction`
			`}`
			`}`

			`void check_operand_bounds(const word& w) {`
4414 - subx: syntax checking This is a large patch, and there's a few things wrong with it: a) Helpers are incredibly messy. I want to use has_metadata in layer 24, but can't since it also does error checking. There must be a better basis set of primitives for managing metadata. b) Layer 22 introduces operands for checking, but programs with operands don't actually run until layer 24. So I can't write non-error scenarios in layer 22. That seems ugly. But if I try to introduce layer 24 first there's nothing left to check after it. I could play tricks with ordering layers vs transforms. Mu does that a bit, but it becomes hard to mess with, so I'm trying to avoid that. My current plan is for layers within an "abstraction level" to be run in order. Higher layers will necessarily need to come before lower ones. But hopefully this level of hierarchy will help manage the chaos. c) The check for whether an instruction is all hex bytes makes me nervous. I do want to check that an instruction that's just: cd tells the programmer that an operand is missing. The check I currently have is likely not perfectly correct. I could put layer 25 in its own commit. But I guess I'm not doing that now. We have a new example program: hello world! 2018-07-26 03:53:43 +00:00			`for (map<string, uint32_t>::iterator p = Operand_bound.begin(); p != Operand_bound.end(); ++p) {`
4544 Attempt #3 at fixing CI. In the process the feature gets a lot less half-baked. Ridiculously misleading that we had `has_metadata()` was special-cased to one specific transform. I suck. 2018-09-13 04:21:31 +00:00			`if (!has_operand_metadata(w, p->first)) continue;`
4616 - fix subx/examples/ex7 It was broken since I added support for global variables, back on Sep 1. One other subtle thing I've improved is the name `looks_like_hex_int`. We can now distinguish in the pack-operands transform between ignoring 'foo' because it doesn't look like a number, and immediately flagging '0xfoo' as an error because it should be a number. 2018-09-29 19:06:28 +00:00			`if (!looks_like_hex_int(w.data)) continue; // later transforms are on their own to do their own bounds checking`
4445 - support labels 2018-07-27 20:26:12 +00:00			`int32_t x = parse_int(w.data);`
			`if (x >= 0) {`
5008 2019-03-18 05:57:42 +00:00			`if (p->first == "disp8" \|\| p->first == "disp16") {`
			`if (static_cast<uint32_t>(x) >= p->second/2)`
			`raise << "'" << w.original << "' too large to fit in signed bitfield " << p->first << '\n' << end();`
			`}`
			`else {`
			`if (static_cast<uint32_t>(x) >= p->second)`
			`raise << "'" << w.original << "' too large to fit in bitfield " << p->first << '\n' << end();`
			`}`
4445 - support labels 2018-07-27 20:26:12 +00:00			`}`
			`else {`
			`// hacky? assuming bound is a power of 2`
			`if (x < -1*static_cast<int32_t>(p->second/2))`
			`raise << "'" << w.original << "' too large to fit in bitfield " << p->first << '\n' << end();`
4414 - subx: syntax checking This is a large patch, and there's a few things wrong with it: a) Helpers are incredibly messy. I want to use has_metadata in layer 24, but can't since it also does error checking. There must be a better basis set of primitives for managing metadata. b) Layer 22 introduces operands for checking, but programs with operands don't actually run until layer 24. So I can't write non-error scenarios in layer 22. That seems ugly. But if I try to introduce layer 24 first there's nothing left to check after it. I could play tricks with ordering layers vs transforms. Mu does that a bit, but it becomes hard to mess with, so I'm trying to avoid that. My current plan is for layers within an "abstraction level" to be run in order. Higher layers will necessarily need to come before lower ones. But hopefully this level of hierarchy will help manage the chaos. c) The check for whether an instruction is all hex bytes makes me nervous. I do want to check that an instruction that's just: cd tells the programmer that an operand is missing. The check I currently have is likely not perfectly correct. I could put layer 25 in its own commit. But I guess I'm not doing that now. We have a new example program: hello world! 2018-07-26 03:53:43 +00:00			`}`
4397 - temporarily revert syntax checks I accidentally published commit 4387, which is broken; most example files are untranslateable. I spent a while trying to push on through, but packing operands correctly into bytes has been surprisingly difficult. Fixing the repo without further delay. 2018-07-25 03:55:34 +00:00			`}`
			`}`
5008 2019-03-18 05:57:42 +00:00
			`void test_check_bitfield_sizes_for_imm8() {`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX 0xff/imm8" // shift EBX left`
			`);`
			`CHECK(!trace_contains_errors());`
			`}`

			`void test_check_bitfield_sizes_for_imm8_error() {`
			`Hide_errors = true;`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX 0x100/imm8" // shift EBX left`
			`);`
			`CHECK_TRACE_CONTENTS(`
			`"error: '0x100/imm8' too large to fit in bitfield imm8\n"`
			`);`
			`}`

			`void test_check_bitfield_sizes_for_negative_imm8() {`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX -0x80/imm8" // shift EBX left`
			`);`
			`CHECK(!trace_contains_errors());`
			`}`

			`void test_check_bitfield_sizes_for_negative_imm8_error() {`
			`Hide_errors = true;`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"c1/shift 4/subop/left 3/mod/direct 1/rm32/ECX -0x81/imm8" // shift EBX left`
			`);`
			`CHECK_TRACE_CONTENTS(`
			`"error: '-0x81/imm8' too large to fit in bitfield imm8\n"`
			`);`
			`}`

			`void test_check_bitfield_sizes_for_disp8() {`
			`// not bothering to run`
			`transform(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"01/add 1/mod/+disp8 3/rm32 1/r32 0x7f/disp8\n" // add ECX to (EBX+0x7f)`
			`);`
			`CHECK(!trace_contains_errors());`
			`}`

			`void test_check_bitfield_sizes_for_disp8_error() {`
			`Hide_errors = true;`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"01/add 1/mod/+disp8 3/rm32 1/r32 0x80/disp8\n" // add ECX to (EBX+0x80)`
			`);`
			`CHECK_TRACE_CONTENTS(`
			`"error: '0x80/disp8' too large to fit in signed bitfield disp8\n"`
			`);`
			`}`

			`void test_check_bitfield_sizes_for_negative_disp8() {`
			`// not bothering to run`
			`transform(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"01/add 1/mod/+disp8 3/rm32 1/r32 -0x80/disp8\n" // add ECX to (EBX-0x80)`
			`);`
			`CHECK(!trace_contains_errors());`
			`}`

			`void test_check_bitfield_sizes_for_negative_disp8_error() {`
			`Hide_errors = true;`
			`run(`
switch to new syntax for segment headers in C++ 2019-05-18 07:00:18 +00:00			`"== code 0x1\n"`
5008 2019-03-18 05:57:42 +00:00			`"01/add 1/mod/+disp8 3/rm32 1/r32 -0x81/disp8\n" // add ECX to (EBX-0x81)`
			`);`
			`CHECK_TRACE_CONTENTS(`
			`"error: '-0x81/disp8' too large to fit in bitfield disp8\n"`
			`);`
			`}`