1 /* 2 * Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <stdbool.h> 9 #include <stdint.h> 10 11 #include <arch_helpers.h> 12 #include <common/debug.h> 13 #include <drivers/console.h> 14 15 /* Maximum number of entries in the backtrace to display */ 16 #define UNWIND_LIMIT 20U 17 18 /* 19 * If -fno-omit-frame-pointer is used: 20 * 21 * - AArch64: The AAPCS defines the format of the frame records and mandates the 22 * usage of r29 as frame pointer. 23 * 24 * - AArch32: The format of the frame records is not defined in the AAPCS. 25 * However, at least GCC and Clang use the same format. When they are forced 26 * to only generate A32 code (with -marm), they use r11 as frame pointer and a 27 * similar format as in AArch64. If interworking with T32 is enabled, the 28 * frame pointer is r7 and the format is different. This is not supported by 29 * this implementation of backtrace, so it is needed to use -marm. 30 */ 31 32 /* Frame records form a linked list in the stack */ 33 struct frame_record { 34 /* Previous frame record in the list */ 35 struct frame_record *parent; 36 /* Return address of the function at this level */ 37 uintptr_t return_addr; 38 }; 39 40 /* 41 * Strip the Pointer Authentication Code (PAC) from the address to retrieve the 42 * original one. 43 * 44 * The PAC field is stored on the high bits of the address and defined as: 45 * - PAC field = Xn[54:bottom_PAC_bit], when address tagging is used. 46 * - PAC field = Xn[63:56, 54:bottom_PAC_bit], without address tagging. 47 * 48 * With bottom_PAC_bit = 64 - TCR_ELx.TnSZ 49 */ 50 #if ENABLE_PAUTH 51 static uintptr_t demangle_address(uintptr_t addr) 52 { 53 unsigned int el, t0sz, bottom_pac_bit; 54 uint64_t tcr, pac_mask; 55 56 /* 57 * Different virtual address space size can be defined for each EL. 58 * Ensure that we use the proper one by reading the corresponding 59 * TCR_ELx register. 60 */ 61 el = get_current_el(); 62 63 if (el == 3U) { 64 tcr = read_tcr_el3(); 65 } else if (el == 2U) { 66 tcr = read_tcr_el2(); 67 } else { 68 tcr = read_tcr_el1(); 69 } 70 71 /* T0SZ = TCR_ELx[5:0] */ 72 t0sz = tcr & 0x1f; 73 bottom_pac_bit = 64 - t0sz; 74 pac_mask = (1ULL << bottom_pac_bit) - 1; 75 76 /* demangle the address with the computed mask */ 77 return (addr & pac_mask); 78 } 79 #endif /* ENABLE_PAUTH */ 80 81 static const char *get_el_str(unsigned int el) 82 { 83 if (el == 3U) { 84 return "EL3"; 85 } else if (el == 2U) { 86 return "EL2"; 87 } else { 88 return "S-EL1"; 89 } 90 } 91 92 /* 93 * Returns true if the address points to a virtual address that can be read at 94 * the current EL, false otherwise. 95 */ 96 #ifdef __aarch64__ 97 static bool is_address_readable(uintptr_t addr) 98 { 99 unsigned int el = get_current_el(); 100 101 #if ENABLE_PAUTH 102 /* 103 * When pointer authentication is enabled, the LR value saved on the 104 * stack contains a PAC. It must be stripped to retrieve the return 105 * address. 106 */ 107 addr = demangle_address(addr); 108 #endif 109 110 if (el == 3U) { 111 ats1e3r(addr); 112 } else if (el == 2U) { 113 ats1e2r(addr); 114 } else { 115 ats1e1r(addr); 116 } 117 118 isb(); 119 120 /* If PAR.F == 1 the address translation was aborted. */ 121 if ((read_par_el1() & PAR_F_MASK) != 0U) 122 return false; 123 124 return true; 125 } 126 #else /* !__aarch64__ */ 127 static bool is_address_readable(uintptr_t addr) 128 { 129 unsigned int el = get_current_el(); 130 131 if (el == 3U) { 132 write_ats1cpr(addr); 133 } else if (el == 2U) { 134 write_ats1hr(addr); 135 } else { 136 write_ats1cpr(addr); 137 } 138 139 isb(); 140 141 /* If PAR.F == 1 the address translation was aborted. */ 142 if ((read64_par() & PAR_F_MASK) != 0U) 143 return false; 144 145 return true; 146 } 147 #endif /* __aarch64__ */ 148 149 /* 150 * Returns true if all the bytes in a given object are in mapped memory and an 151 * LDR using this pointer would succeed, false otherwise. 152 */ 153 static bool is_valid_object(uintptr_t addr, size_t size) 154 { 155 assert(size > 0U); 156 157 if (addr == 0U) 158 return false; 159 160 /* Detect overflows */ 161 if ((addr + size) < addr) 162 return false; 163 164 /* A pointer not aligned properly could trigger an alignment fault. */ 165 if ((addr & (sizeof(uintptr_t) - 1U)) != 0U) 166 return false; 167 168 /* Check that all the object is readable */ 169 for (size_t i = 0; i < size; i++) { 170 if (!is_address_readable(addr + i)) 171 return false; 172 } 173 174 return true; 175 } 176 177 /* 178 * Returns true if the specified address is correctly aligned and points to a 179 * valid memory region. 180 */ 181 static bool is_valid_jump_address(uintptr_t addr) 182 { 183 if (addr == 0U) 184 return false; 185 186 /* Check alignment. Both A64 and A32 use 32-bit opcodes */ 187 if ((addr & (sizeof(uint32_t) - 1U)) != 0U) 188 return false; 189 190 if (!is_address_readable(addr)) 191 return false; 192 193 return true; 194 } 195 196 /* 197 * Returns true if the pointer points at a valid frame record, false otherwise. 198 */ 199 static bool is_valid_frame_record(struct frame_record *fr) 200 { 201 return is_valid_object((uintptr_t)fr, sizeof(struct frame_record)); 202 } 203 204 /* 205 * Adjust the frame-pointer-register value by 4 bytes on AArch32 to have the 206 * same layout as AArch64. 207 */ 208 static struct frame_record *adjust_frame_record(struct frame_record *fr) 209 { 210 #ifdef __aarch64__ 211 return fr; 212 #else 213 return (struct frame_record *)((uintptr_t)fr - 4U); 214 #endif 215 } 216 217 static void unwind_stack(struct frame_record *fr, uintptr_t current_pc, 218 uintptr_t link_register) 219 { 220 uintptr_t call_site; 221 static const char *backtrace_str = "%u: %s: 0x%lx\n"; 222 const char *el_str = get_el_str(get_current_el()); 223 224 if (!is_valid_frame_record(fr)) { 225 printf("ERROR: Corrupted frame pointer (frame record address = %p)\n", 226 fr); 227 return; 228 } 229 230 if (fr->return_addr != link_register) { 231 printf("ERROR: Corrupted stack (frame record address = %p)\n", 232 fr); 233 return; 234 } 235 236 /* The level 0 of the backtrace is the current backtrace function */ 237 printf(backtrace_str, 0U, el_str, current_pc); 238 239 /* 240 * The last frame record pointer in the linked list at the beginning of 241 * the stack should be NULL unless stack is corrupted. 242 */ 243 for (unsigned int i = 1U; i < UNWIND_LIMIT; i++) { 244 /* If an invalid frame record is found, exit. */ 245 if (!is_valid_frame_record(fr)) 246 return; 247 /* 248 * A32 and A64 are fixed length so the address from where the 249 * call was made is the instruction before the return address, 250 * which is always 4 bytes before it. 251 */ 252 call_site = fr->return_addr - 4U; 253 254 #if ENABLE_PAUTH 255 /* 256 * When pointer authentication is enabled, the LR value saved on 257 * the stack contains a PAC. It must be stripped to retrieve the 258 * return address. 259 */ 260 call_site = demangle_address(call_site); 261 #endif 262 263 /* 264 * If the address is invalid it means that the frame record is 265 * probably corrupted. 266 */ 267 if (!is_valid_jump_address(call_site)) 268 return; 269 270 printf(backtrace_str, i, el_str, call_site); 271 272 fr = adjust_frame_record(fr->parent); 273 } 274 275 printf("ERROR: Max backtrace depth reached\n"); 276 } 277 278 /* 279 * Display a backtrace. The cookie string parameter is displayed along the 280 * trace to help filter the log messages. 281 * 282 * Many things can prevent displaying the expected backtrace. For example, 283 * compiler optimizations can use a branch instead of branch with link when it 284 * detects a tail call. The backtrace level for this caller will not be 285 * displayed, as it does not appear in the call stack anymore. Also, assembly 286 * functions will not be displayed unless they setup AAPCS compliant frame 287 * records on AArch64 and compliant with GCC-specific frame record format on 288 * AArch32. 289 * 290 * Usage of the trace: addr2line can be used to map the addresses to function 291 * and source code location when given the ELF file compiled with debug 292 * information. The "-i" flag is highly recommended to improve display of 293 * inlined function. The *.dump files generated when building each image can 294 * also be used. 295 * 296 * WARNING: In case of corrupted stack, this function could display security 297 * sensitive information past the beginning of the stack so it must not be used 298 * in production build. This function is only compiled in when ENABLE_BACKTRACE 299 * is set to 1. 300 */ 301 void backtrace(const char *cookie) 302 { 303 uintptr_t return_address = (uintptr_t)__builtin_return_address(0U); 304 struct frame_record *fr = __builtin_frame_address(0U); 305 306 /* Printing the backtrace may crash the system, flush before starting */ 307 (void)console_flush(); 308 309 fr = adjust_frame_record(fr); 310 311 printf("BACKTRACE: START: %s\n", cookie); 312 313 unwind_stack(fr, (uintptr_t)&backtrace, return_address); 314 315 printf("BACKTRACE: END: %s\n", cookie); 316 } 317