New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible Emulator Bug? #6404
Comments
I'm not certain about what bug might be occurring, but I did find a minor issue with your sleigh. You should have add_tmp_6 be size 4. Otherwise the multiplication in
or
|
Thank you for the fast response. I made the requested changes. As predicted it did not affect my issue. I believe I have additional information to add:
is incorrect with Y being 26 (I swear it was 24 yesterday....). This however is correct:
with Y being 16 as expected. So likely an issue with storing back to itself? Thanks again. |
I've just tried this (as best I can given the bits I see reported here) in the Java emulator from the UI, and it seems to be behaving properly. Since I don't have your slaspec at hand, I just imported 1K of 0s, then injected the following at address
It's the same as your original post, but with
This was in the master branch with a couple patches to fix UI integration for emulated breakpoints. So, I see three possibilities:
FWIW, p-code op line 8 is where the "storing back to itself" happens. If you are able to try this same experiment, but with the actual instruction and your slaspec (rather than a breakpoint injection), I'd be interested to see the results. I can try in 11.0.2 later to rule out version differences, but I'm a bit pre-occupied at the moment. |
I am attaching a 6502 slaspec and sla that repro the issue. It is in the macro for adc on line 98.
This is Ghidra 11.0.2, I will test in Ghidra 11.0.3.
I am using the C++ version of the Sleigh compiler on Ghidra 11.0.2.
I am using the C++ emulator. |
11.0.3 has the same behavior as 11.0.2. The compiled .sla files are identical (built with /support/sleigh from both 11.0.2 and 11.03). I also rebuilt libsla.a and recompiled my verifier program. |
Here's the Pcode for ADC in 11.0.3:
I'm also attaching a test.bin I made. |
OK. In that case, I must bring in @caheckman. |
I'm unable to reproduce the issue in the C++ emulator. If I emulate the following instructions using the provided 6502.slaspec
It executes the following p-code for the ADC macro:
all of which seems correct and puts the value of 16 in Y as expected. |
@caheckman, thank you for the fast response. How are you testing? I would like to replicate your testing setup. Currently I am seeing the issue using my Verifier tool (https://github.com/oberoisecurity/ghidra-processor-module-verifier). Does your .slaspec compile to an identical version of my .sla? Here is the exact state I am using:
|
I've triaged the bug down to setValue not setting the value correctly. I added printfs() to setValue() before and after the set:
Specifically here:
setValue is called with 0x10 (16), but then immediately calling getValue returns 0x1a (26). Update: Too sleepy to debug this tonight, but the issue is in memstate.cc:MemoryBank::setValue(uintb offset,int4 size,uintb val). Specifically in the last else block:
Val1 is set to 0x1a instead of 0x10. Will need to review this code to figure out what's going on. |
Swapping the shifts seems to have fixed my issue:
That being said I don't understand this code at all to be making changes to it. |
@caheckman , checking in. Anything I can do to help you debug this issue? Thanks in advance. |
It looks like the memory state objects are misconfigured. From your sla_emulator.cpp
The test_params.word_size is being initialized from the address space "wordsize" in the sla file, but word size in the context of MemoryBank objects is unrelated to address space "wordsize" and refers to the internal structure of the memory object. The MemoryBank word size should be initialized to 8 (regardless of the sleigh language) to match the number of bytes in the uintb typedef. |
While working on PR-5870, I think I stumbled across a possible Emulator bug. See the following snippet of SLEIGH:
Everything is sane until I get to the
tmp = tmp + zext(add_tmp_6 * 0x6)
line. I have verified the values along the way and at this point add_tmp_6 = 1, and tmp = 10. This meanstmp = tmp + zext(add_tmp_6 * 0x6)
should betmp = 10 + zext(1 * 0x6)
which istmp = 10 + 6
ortmp = 16
. However I am getting tmp to be 24.I am using the patch from #5262 on Ghidra 11.0.2. Thanks in advance.
@ryanmkurtz @GhidorahRex
The text was updated successfully, but these errors were encountered: