i#5771: On AArch64 optionally mangle MRS to make CTR_EL0.DIC seem zero. (#7578)

This is a work-around rather than a proper fix for issue #5771. It may
also facilitate experimentation by users.

When "-fake_ctr_dic" is specified the MRS instruction is mangled by
adding a following AND (immediate) instruction that clears the
corresponding bit. Most programs will then execute the IC IVAU
instruction that DynamoRIO currently relies on for detecting a code
modification. (See, for example, LLVM's implementation of
__clear_cache.)

Issue: #5771

Author: egrimley-arm

core/arch/aarchxx/mangle.c

@@ -2999,6 +2999,25 @@ float_pc_update(dcontext_t *dcontext)
 }
 
 #ifdef AARCH64
+void
+mangle_ctr_read(dcontext_t *dcontext, instrlist_t *ilist, instr_t *instr)
+{
+    if (instr_get_opcode(instr) == OP_mrs && instr_num_srcs(instr) == 1 &&
+        opnd_is_reg(instr_get_src(instr, 0)) &&
+        opnd_get_reg(instr_get_src(instr, 0)) == DR_REG_CTR_EL0 &&
+        instr_num_dsts(instr) == 1 && opnd_is_reg(instr_get_dst(instr, 0))) {
+        // Insert an AND (immediate) instruction after the MRS so that the
+        // app thinks the bit is clear. This will (one hopes) make the app
+        // execute the OP_ic_ivau instruction that DynamoRIO currently relies
+        // on for detecting code modifications.
+        const int CTR_EL0_DIC_BIT = 29;
+        reg_t reg = opnd_get_reg(instr_get_dst(instr, 0));
+        POST(ilist, instr,
+             INSTR_CREATE_and(dcontext, opnd_create_reg(reg), opnd_create_reg(reg),
+                              OPND_CREATE_INT64(~(1UL << CTR_EL0_DIC_BIT))));
+    }
+}
+
 instr_t *
 mangle_icache_op(dcontext_t *dcontext, instrlist_t *ilist, instr_t *instr,
                  instr_t *next_instr, app_pc pc)

core/arch/arch.h

@@ -763,6 +763,8 @@ mangle_reads_thread_register(dcontext_t *dcontext, instrlist_t *ilist, instr_t *
 #endif /* ARM */
 
 #ifdef AARCH64
+void
+mangle_ctr_read(dcontext_t *dcontext, instrlist_t *ilist, instr_t *instr);
 instr_t *
 mangle_icache_op(dcontext_t *dcontext, instrlist_t *ilist, instr_t *instr,
                  instr_t *next_instr, app_pc pc);

core/arch/mangle_shared.c

@@ -1950,6 +1950,12 @@ d_r_mangle(dcontext_t *dcontext, instrlist_t *ilist, uint *flags DR_PARAM_INOUT,
         }
 #endif
 
+#ifdef AARCH64
+        /* XXX i#5771: This may no longer be required when the issue is fixed. */
+        if (INTERNAL_OPTION(fake_ctr_dic))
+            mangle_ctr_read(dcontext, ilist, instr);
+#endif
+
 #ifdef AARCH64
         if (instr_is_icache_op(instr) && instr_is_app(instr)) {
             next_instr = mangle_icache_op(dcontext, ilist, instr, next_instr,

core/optionsx.h

@@ -633,6 +633,12 @@ OPTION_DEFAULT_INTERNAL(bool, unsafe_build_ldstex, false,
                         "replace blocks using exclusive load/store with a "
                         "macro-instruction (unsafe)")
 #endif
+#ifdef AARCH64
+/* XXX i#5771: This option may no longer be required when the issue is fixed. */
+OPTION_DEFAULT_INTERNAL(bool, fake_ctr_dic, false,
+                        "mangle read of CTR_EL0 so app believes DIC bit is "
+                        "clear, which can help with apps that modify code")
+#endif
 #if defined(AARCHXX) || defined(RISCV64)
 /* TODO i#1698: ARM is still missing the abilty to convert the following:
  * + ldrexd..strexd.

suite/tests/CMakeLists.txt

@@ -2368,6 +2368,12 @@ if (NOT ANDROID) # XXX i#1874: failing on Android
   tobuild(common.segfault common/segfault.c)
 endif ()
 
+if (AARCH64)
+  tobuild(common.fake_ctr_dic common/fake_ctr_dic.c)
+  torunonly(common.fake_ctr_dic common.fake_ctr_dic common/fake_ctr_dic.c
+    "-fake_ctr_dic" "")
+endif ()
+
 # PR 217255: these 4 removed to shorten the regression suite since not
 # adding much value in terms of testing corner cases
 #tobuild(common.hello common/hello.c)

suite/tests/common/fake_ctr_dic.c

@@ -0,0 +1,52 @@
+/* **********************************************************
+ * Copyright (c) 2025 Arm Limited. All rights reserved.
+ * **********************************************************/
+
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ * * Neither the name of Arm Limited nor the names of its contributors may be
+ *   used to endorse or promote products derived from this software without
+ *   specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL ARM LIMITED OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+/* Check that CTR_EL0.DIC appears to be zero, which it should if
+ * DynamoRIO was run with -fake_ctr_dic. See i#5771.
+ */
+
+#include "tools.h"
+
+int
+main()
+{
+    const int CTR_EL0_DIC_BIT = 29;
+    unsigned long ctr;
+    asm volatile("mrs %[ctr], ctr_el0" : [ctr] "=r"(ctr));
+    if (TEST(ctr, 1U << CTR_EL0_DIC_BIT)) {
+        print("CTR_EL0 = %lx\n", ctr);
+        return 1;
+    } else {
+        print("PASS\n");
+        return 0;
+    }
+}

suite/tests/common/fake_ctr_dic.expect

@@ -0,0 +1 @@
+PASS