TCG trace plugin

.github/workflows/build.yaml

@@ -0,0 +1,36 @@
+name: Build
+
+on: [pull_request, workflow_dispatch]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python 3.x
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+    - name: Install deps
+      run: |
+        sudo apt-get -y update
+        sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build autoconf libtool protobuf-c-compiler libprotobuf-c-dev
+    - name: Install piqi
+      run: |
+        curl -OL https://raw.github.com/alavrik/piqi-binary/master/Linux-x86_64/piqi
+        chmod +x piqi
+        sudo mv piqi /usr/local/bin
+        piqi --version
+    - name: Checkout qemu
+      uses: actions/checkout@v4
+      with:
+        repository: BinaryAnalysisPlatform/qemu
+        path: qemu
+        submodules: true
+    - name: Build for Targets
+      run: |
+        cd qemu
+        mkdir build
+        cd build
+        ../configure --enable-plugins --target-list=sparc-linux-user,sparc64-linux-user
+        ninja

.gitmodules

@@ -43,3 +43,6 @@
 [submodule "tests/lcitool/libvirt-ci"]
 	path = tests/lcitool/libvirt-ci
 	url = https://gitlab.com/libvirt/libvirt-ci.git
+[submodule "contrib/plugins/bap-tracing/bap-frames"]
+	path = contrib/plugins/bap-tracing/bap-frames
+	url = [email protected]:BinaryAnalysisPlatform/bap-frames.git

README.md

@@ -0,0 +1,104 @@
+# BAP emulation trace generator
+
+This QEMU fork implements the TCG plugin to generate execution traces in the
+[bap-frame](https://github.com/BinaryAnalysisPlatform/bap-frames) format.
+
+This plugin does not yet support all targets.
+If not listed below it is untested.
+
+Known to work:
+
+- Sparc
+- Hexagon
+- PPC
+
+Needs fixes:
+
+- ARM (cannot get current mode of VCPU if target can switch between ARM/Thumb).
+
+Previous traces were generated with a patched QEMU.
+You can find these in tracewrap-* branches.
+
+## Dependencies
+
+1. Install [piqi](https://piqi.org/downloads/) so you have the `piqi` binary in `PATH`.
+2. Install the developer package of `protobuf-c`. E.g. `protobuf-c-devel` (Fedora), `libprotobuf-c-dev` (Debian).
+3. QEMU dependencies (see [QEMU docs](https://www.qemu.org/docs/master/devel/build-environment.html)).
+
+## Building
+
+```bash
+mkdir build
+cd build
+# See `../configure --help` for a list of targets.
+../configure --enable-plugins --target-list=<target>
+make
+```
+
+## Tracing a binary
+
+The plugin takes two required arguments:
+
+`bin_path`: The path to the binary emulated. Due to a [QEMU bug](https://gitlab.com/qemu-project/qemu/-/issues/3014) this cannot be inferred.
+`out`: The output file to save the trace into.
+`endianness`: The architecture endanness.
+
+```bash
+./qemu-sparc64 -plugin file=buil/contrib/plugins/bap-tracing/libbap_tracing.so,bin_path=<bin_path>,out=<output-file>,endianness=[b/l] -d plugin <bin_path>
+ls <output-file>
+```
+
+You can also use the helper shell script:
+
+```bash
+./gen-trace.sh ./build/ sparc64 b <path_to_bin>
+```
+
+> [!NOTE]
+> The trace plugin currently only generates standard frames.
+> This is due to the limitations of the QEMU plugin API.
+>
+> If the traced binary exits due to an exception it can only indirectly be observed.
+> It will produce a standard frame without any logged post register state.
+> Any completed memory read/write might still be logged.
+>
+> If you suspect this, execute the binary with the `execlog` plugin (see `gen-trace.sh`)
+> to check of the execution stops earlier than expected.
+
+
+## Trace format
+
+The generated trace consists of three parts: the header,
+a table of contents (TOC) holding the frame entries, and an index into the TOC.
+
+Each frame entry starts with the size of the frame, followed by the actual frame data.
+A fixed number of frame entries are considered one _entry_ in the TOC.
+
+The TOC index is stored at the end.
+
+For specifics about the frame contents, please refer
+to the [definitions](https://github.com/BinaryAnalysisPlatform/bap-frames/tree/master/piqi) in
+the BAP-frames repository.
+
+**Format**
+
+| Offset | Type | Field | Trace section |
+|--------|------|-------|------|
+|    0x0    | uint64_t | magic number (7456879624156307493LL) | Header begin |
+|    0x8    | uint64_t | trace version number | |
+|    0x10    | uint64_t | frame_architecture | |
+|    0x18    | uint64_t | frame_machine, 0 for unspecified. | |
+|    0x20    | uint64_t | n = total number of frames in trace. | |
+|    0x28    | uint64_t | T = offset to TOC index. | |
+|    0x30    | uint64_t | sizeof(frame_0) | TOC begin  |
+|    0x38    | meta_frame   | frame_0 | |
+|    0x40    | uint64_t     | sizeof(frame_1) | |
+|    0x48    | type(frame_1) | frame_1 | |
+|    ...     | ...          | ... | |
+|    T-0x10  | uint64_t     | sizeof(frame_n-1) | |
+|    T-0x8   | type(frame_n-1) | frame_n-1 | |
+|    T+0     | uint64_t     | m = number of frames per TOC entry | TOC index begin |
+|    T+0x8   | uint64_t     | offset toc_entry(0) | |
+|    T+0x10  | uint64_t     | offset toc_entry(1) | |
+|    ...     | ...          | ... | |
+|    T+0x8+(0x8*ceil(n/m))   | uint64_t     | offset toc_entry(ceil(n/m)) | |

configs/targets/sparc-linux-user.mak

@@ -2,4 +2,5 @@ TARGET_ARCH=sparc
 TARGET_SYSTBL_ABI=common,32
 TARGET_SYSTBL=syscall.tbl
 TARGET_BIG_ENDIAN=y
+TARGET_XML_FILES= gdb-xml/sparc32-core.xml gdb-xml/sparc32-cp0.xml gdb-xml/sparc32-cpu.xml gdb-xml/sparc32-fpu.xml
 TARGET_LONG_BITS=32

configs/targets/sparc-softmmu.mak

@@ -1,4 +1,5 @@
 TARGET_ARCH=sparc
 TARGET_BIG_ENDIAN=y
 TARGET_SUPPORTS_MTTCG=y
+TARGET_XML_FILES= gdb-xml/sparc32-core.xml gdb-xml/sparc32-cp0.xml gdb-xml/sparc32-cpu.xml gdb-xml/sparc32-fpu.xml
 TARGET_LONG_BITS=32

configs/targets/sparc32plus-linux-user.mak

@@ -5,4 +5,5 @@ TARGET_ABI_DIR=sparc
 TARGET_SYSTBL_ABI=common,32
 TARGET_SYSTBL=syscall.tbl
 TARGET_BIG_ENDIAN=y
+TARGET_XML_FILES= gdb-xml/sparc64-core.xml gdb-xml/sparc64-cp0.xml gdb-xml/sparc64-cpu.xml gdb-xml/sparc64-fpu.xml
 TARGET_LONG_BITS=64

configs/targets/sparc64-linux-user.mak

@@ -4,4 +4,5 @@ TARGET_ABI_DIR=sparc
 TARGET_SYSTBL_ABI=common,64
 TARGET_SYSTBL=syscall.tbl
 TARGET_BIG_ENDIAN=y
+TARGET_XML_FILES= gdb-xml/sparc64-core.xml gdb-xml/sparc64-cp0.xml gdb-xml/sparc64-cpu.xml gdb-xml/sparc64-fpu.xml
 TARGET_LONG_BITS=64

configs/targets/sparc64-softmmu.mak

@@ -2,4 +2,5 @@ TARGET_ARCH=sparc64
 TARGET_BASE_ARCH=sparc
 TARGET_BIG_ENDIAN=y
 TARGET_SUPPORTS_MTTCG=y
+TARGET_XML_FILES= gdb-xml/sparc64-core.xml gdb-xml/sparc64-cp0.xml gdb-xml/sparc64-cpu.xml gdb-xml/sparc64-fpu.xml
 TARGET_LONG_BITS=64

contrib/plugins/bap-tracing/fix_proto_src.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+"""
+This just does:
+sed -i 's/->base/->__base/g' <file>
+sed -i 's/ProtobufCMessage base;/ProtobufCMessage __base;/g' <file>
+"""
+
+import sys
+import re
+
+if len(sys.argv) != 6 or sys.argv[3] != "-o":
+    print("usage: fix_proto_src.py frame.piqi.pb-c.c frame.piqi.pb-c.h -o frame.piqi.pb-c-fixed.c frame.piqi.pb-c-fixed.h")
+    exit(1)
+
+for (in_file, out_file) in zip(sys.argv[1:3], sys.argv[4:6]):
+    with open(in_file, "r") as i:
+        contents = i.read()
+    contents = contents.replace("->base", "->__base")
+    contents = contents.replace("ProtobufCMessage base;", "ProtobufCMessage __base;")
+    contents = re.sub(r'".*frame.piqi.pb-c.h"', '"frame.piqi.pb-c-patched.h"', contents)
+    with open(out_file, "w") as o:
+        o.write(contents)