Add a regression test for invalidating empty TB and have a better solution

2021-11-03 01:07:06 +01:00 · 2021-11-03 01:07:06 +01:00 · eb75d459f0
commit eb75d459f0
parent c11b9aa5c3
3 changed files with 36 additions and 7 deletions
--- a/qemu/accel/tcg/translate-all.c
+++ b/qemu/accel/tcg/translate-all.c
@ -1745,7 +1745,8 @@ tb_invalidate_phys_page_range__locked(struct uc_struct *uc, struct page_collecti
            tb_start = tb->page_addr[1];
            tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
        }
-        if (!(tb_end <= start || tb_start >= end)) {
+        // Unicorn: We may indeed generate a TB without any instruction which breaks qemu assumption.
+        if ( (!(tb_end <= start || tb_start >= end)) || (tb_start == tb_end) ) {
 #ifdef TARGET_HAS_PRECISE_SMC
            if (current_tb_not_found) {
                current_tb_not_found = false;
--- a/tests/unit/test_x86.c
+++ b/tests/unit/test_x86.c
@ -663,6 +663,39 @@ static void test_x86_clear_tb_cache()
    OK(uc_close(uc));
 }

+// This is a regression bug.
+static void test_x86_clear_empty_tb()
+{
+    uc_engine *uc;
+    // lb:
+    //    add ecx, 1;
+    //    cmp ecx, 0;
+    //    jz lb;
+    //    dec edx;
+    char code[] = "\x83\xc1\x01\x83\xf9\x00\x74\xf8\x4a";
+    int r_edx = 0x7890;
+    uint64_t code_start = 0x1240; // Choose this address by design
+    uint64_t code_len = 0x1000;
+
+    OK(uc_open(UC_ARCH_X86, UC_MODE_32, &uc));
+    OK(uc_mem_map(uc, code_start & (1 << 12), code_len, UC_PROT_ALL));
+    OK(uc_mem_write(uc, code_start, code, sizeof(code)));
+    OK(uc_reg_write(uc, UC_X86_REG_EDX, &r_edx));
+
+    // Make sure we generate an empty tb at the exit address by stopping at dec
+    // edx.
+    OK(uc_emu_start(uc, code_start, code_start + 8, 0, 0));
+
+    // If tb cache is not cleared, edx would be still 0x7890
+    OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
+
+    OK(uc_reg_read(uc, UC_X86_REG_EDX, &r_edx));
+
+    TEST_CHECK(r_edx == 0x788f);
+
+    OK(uc_close(uc));
+}
+
 TEST_LIST = {{"test_x86_in", test_x86_in},
             {"test_x86_out", test_x86_out},
             {"test_x86_mem_hook_all", test_x86_mem_hook_all},
@ -685,4 +718,5 @@ TEST_LIST = {{"test_x86_in", test_x86_in},
             {"test_x86_sysenter", test_x86_sysenter},
             {"test_x86_hook_cpuid", test_x86_hook_cpuid},
             {"test_x86_clear_tb_cache", test_x86_clear_tb_cache},
+             {"test_x86_clear_empty_tb", test_x86_clear_empty_tb},
             {NULL, NULL}};
--- a/uc.c
+++ b/uc.c
@ -657,12 +657,6 @@ uc_err uc_emu_start(uc_engine *uc, uint64_t begin, uint64_t until,
    uc->timed_out = false;
    uc->first_tb = true;

-    // In this case, we don't do any emulation because it will generate
-    // an empty translation block which we can't invalidate.
-    if (begin == until) {
-        return UC_ERR_OK;
-    }
-
    switch (uc->arch) {
    default:
        break;