Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AArch32: (Thumb32) BranchWritePC does not clear bit-0 #6545

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

AArch32: (Thumb32) BranchWritePC does not clear bit-0 #6545

wants to merge 1 commit into from

Conversation

Sleigh-InSPECtor
Copy link

@Sleigh-InSPECtor Sleigh-InSPECtor commented May 20, 2024
edited

As part of a research project testing the accuracy of the SLEIGH specifications compared to real hardware, we observed an unexpected behaviour in the add & mov instruction to pc for Thumb (ARM:LE:32:v8T).

According to the manual, BranchWritePC in Thumb clears bit-0 to 0. However, we noticed the output was incorrect.

e.g, for Thumb with,

Instruction: 0xc746, mov pc,r8
initial_registers: { "r8": 0x5165fa67 }

We get:

Hardware: { "pc": 0x5165fa66 }
Patched Spec: { "pc": 0x5165fa66 }
Existing Spec: { "pc": 0x5165fa67 }

and,

Instruction: 0xc744, add pc,r8
initial_registers: { "r8": 0x42728a67, "pc": 0x10000000 }

We get:

Hardware: { "pc": 0x52728a6a }
Patched Spec: { "pc": 0x52728a6a }
Existing Spec: { "pc": 0x52728a6b }

Note: The patched spec does not introduce any disassembly changes to the best of our knowledge.

@Sleigh-InSPECtor
AArch32: (Thumb32) fixed mov & add to pc
f28ce10 
* BranchWritePC in thumb mode now clears bit-0
@GhidorahRex
Copy link
Collaborator

This is the code for BranchWritePC from the manual, copied here for clarity:

// BranchWritePC()
// ===============
BranchWritePC(bits(32) address_in, BranchType branch_type)
  bits(32) address = address_in;
  if CurrentInstrSet() == InstrSet_A32 then
    address<1:0> = '00';
  else
    address<0> = '0';
  boolean branch_conditional = !(AArch32.CurrentCond() IN {'111x'});
  BranchTo(address, branch_type, branch_conditional);

Clearly, the issue with Thumb needs to be fixed. But it also looks like we need a fix for A32 as well. BranchWritePC probably needs to be split into two functions - one for A32 and one for T32, since that also uses BranchWritePC.

@GhidorahRex GhidorahRex self-assigned this May 20, 2024
@GhidorahRex GhidorahRex added Type: Bug Something isn't working Feature: Processor/ARM Status: Triage Information is being gathered labels May 20, 2024
@GhidorahRex GhidorahRex added Status: Waiting on customer Waiting for customer feedback and removed Status: Triage Information is being gathered labels May 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@GhidorahRex GhidorahRex

Labels
Feature: Processor/ARM Status: Waiting on customer Waiting for customer feedback Type: Bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Sleigh-InSPECtor @GhidorahRex