Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x86isa instruction issues #1528

Open
bacam opened this issue Aug 27, 2023 · 3 comments
Open

x86isa instruction issues #1528

bacam opened this issue Aug 27, 2023 · 3 comments

Comments

@bacam
Copy link

bacam commented Aug 27, 2023

As part of the ETC project we did some model-based test generation on a version of x86isa translated into the Sail language. As well as identifying some problems with our translation, we encountered some issues which appear to affect the ACL2 model. (These are all in 64-bit user-mode.)

I found several stack instructions didn't use REX.W when they should:

  • x86-pop-general-register
  • x86-push-general-register
  • x86-push-i

A couple of instruction misbehave when there's an unnecessary REX.W:

  • x86-add/adc/sub/sbb/or/and/xor/cmp-test-rax-i uses the wrong size for rax when there's a bogus REX.W on a 8 or 16-bit instruction.
  • Similarly, x86-sal/sar/shl/shr/rcl/rcr/rol/ror can use the wrong countmask.

The other issues are more semantically interesting:

  • The double precision shift left instructions choose the wrong bits in shld-spec-16/32/64.
  • x86-call-ff/2-op/en-m uses the old stack pointer when writing the return pointer, and writes the wrong value to it.
  • In x86-cmovcc the upper 32 bits need to be zeroed when there isn't a move in IA32-e modes.
  • x86-imul-op/en-rmi doesn't sign extend the immediate operand.
@shigoel
Copy link
Member

shigoel commented Aug 27, 2023
edited

Brian, thank you so much for reporting these here!

I will fix these as soon as I can -- maybe over the next week, but it will probably be by the week after.

@ericwhitmansmith
Copy link
Member

This is very interesting! Can you say more about how you found these issues?

@bacam
Copy link
Author

bacam commented Dec 11, 2023

This is very interesting! Can you say more about how you found these issues?

Sorry, I forgot to reply to this before. Once we had a Sail version of the model I was able to adapt a randomised testing tool that I previously built for the Morello project. This picks some instructions randomly, runs them in our Isla symbolic execution tool, then uses the resulting path constraint to pick an initial state with Z3 that should replicate that execution. Finally a test running harness compares the result of execution on different targets; I was using an Intel processor via gdbserver, qemu, and the Sail model itself.

acoglio added a commit that referenced this issue May 10, 2024
@acoglio
[X86ISA] Fix 3 bugs in CALL near absolute.
1ea8558 
These were in `x86-call-FF/2-Op/En-M`:

1. An old stack pointer was used to push the return address, instead of the
updated stack pointer.

2. The pushed address was the called address instead of the return address.

3. The size of the instruction pointer was the instruction address size, but
instead it should be the code segment size.

The first two bugs were reported in GitHub Issue #1528.

The third bug was found while looking at this instruction to fix the first two
bugs.
acoglio added a commit that referenced this issue May 14, 2024
@acoglio
[X86ISA] Fix bug in CMOVcc.
c4fa69a 
This was reported in GitHub Issue #1528.
acoglio added a commit that referenced this issue May 14, 2024
@acoglio
[X86ISA] Fix IMUL with immediate operand.
fcc241c 
The immediate was not properly sign-extended.

This was reported in GitHub Issue #1528.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bacam @shigoel @ericwhitmansmith