https://bugs.kde.org/show_bug.cgi?id=432809

            Bug ID: 432809
           Summary: VEX should support REX.W + POPF
           Product: valgrind
           Version: unspecified
          Platform: Mint (Ubuntu based)
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: vex
          Assignee: jsew...@acm.org
          Reporter: mike.dales...@gmail.com
  Target Milestone: ---

SUMMARY

When running valgrind on code that was assembled by a JIT, the assembly
combination of a REX.W prefix followed by POPF (0x9D) fails an assertion:

> vex: priv/guest_amd64_toIR.c:20628 (dis_ESC_NONE): Assertion `sz == 2 || sz == 4' failed.

which comes from this section of `dis_ESC_NONE`:

```
   case 0x9D: /* POPF */
      /* Note.  There is no encoding for a 32-bit popf in 64-bit mode.
         So sz==4 actually means sz==8. */
      if (haveF2orF3(pfx)) goto decode_failure;
      vassert(sz == 2 || sz == 4);
      if (sz == 4) sz = 8;
      if (sz != 8) goto decode_failure; // until we know a sz==2 test case exists
```

The input parameter `sz` is set to 8 in `disInstr_AMD64_WRK` by this line:

> if ((pfx & PFX_REX) && (pfx & PFX_REXW)) sz = 8;

To my knowledge, REX.W+POPF is a valid instruction combination and should be
allowed.
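An added illustration (not VEX code and not from the reporter) of the operand-size derivation described above: it mirrors the `sz` logic quoted from `disInstr_AMD64_WRK` and the `0x9D` case of `dis_ESC_NONE`, and shows which prefix combinations hit the assertion before and after the proposed change. The `PFX_*` flag values, the result enum and `decode_popf` are hypothetical stand-ins, not VEX's own identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical prefix flags standing in for VEX's PFX_* bits. */
enum { PFX_66 = 1, PFX_REX = 2, PFX_REXW = 4, PFX_F2F3 = 8 };

enum popf_result { POPF_64, DECODE_FAILURE, OLD_ASSERT_FAIL, NOT_POPF };

/* Decode "[legacy prefixes] [REX] 9D" in 64-bit mode.
 * patched == 0 emulates the original vassert(sz == 2 || sz == 4);
 * patched != 0 emulates the proposed vassert that also admits sz == 8. */
enum popf_result decode_popf(const uint8_t *code, size_t len, int patched)
{
    unsigned pfx = 0;
    size_t i = 0;
    int sz = 4;                                   /* VEX default operand size */

    /* Legacy prefixes first, then at most one REX byte (0x40..0x4F). */
    for (; i < len; i++) {
        if (code[i] == 0x66)                          pfx |= PFX_66;
        else if (code[i] == 0xF2 || code[i] == 0xF3)  pfx |= PFX_F2F3;
        else break;
    }
    if (i < len && (code[i] & 0xF0) == 0x40) {
        pfx |= PFX_REX;
        if (code[i] & 0x08) pfx |= PFX_REXW;         /* REX.W is bit 3 */
        i++;
    }
    if (i >= len || code[i] != 0x9D) return NOT_POPF;

    /* Same ordering as disInstr_AMD64_WRK: 0x66 gives 2, REX.W overrides to 8. */
    if (pfx & PFX_66) sz = 2;
    if ((pfx & PFX_REX) && (pfx & PFX_REXW)) sz = 8;

    /* Now the 0x9D case of dis_ESC_NONE. */
    if (pfx & PFX_F2F3) return DECODE_FAILURE;       /* haveF2orF3(pfx) */
    if (!patched && !(sz == 2 || sz == 4)) return OLD_ASSERT_FAIL;
    if (sz == 4) sz = 8;                              /* no 32-bit popf in 64-bit mode */
    if (sz != 8) return DECODE_FAILURE;               /* sz==2 path still rejected */
    return POPF_64;                                   /* 64-bit POPFQ */
}

int main(void)
{
    const uint8_t rexw_popf[] = { 0x48, 0x9D };       /* constructed: REX.W + POPF */
    printf("0x48 0x9D before patch: %d (2 = assertion)\n",
           (int)decode_popf(rexw_popf, sizeof rexw_popf, 0));
    printf("0x48 0x9D after patch:  %d (0 = POPFQ)\n",
           (int)decode_popf(rexw_popf, sizeof rexw_popf, 1));
    return 0;
}
```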


STEPS TO REPRODUCE
1. Have the assembly instruction bytes 0x48 0x9D (REX.W+POPF)
2. Run under valgrind



OBSERVED RESULT

> vex: priv/guest_amd64_toIR.c:20628 (dis_ESC_NONE): Assertion `sz == 2 || sz == 4' failed.

followed by program exit.


EXPECTED RESULT

This should be allowed and execution should continue.



ADDITIONAL INFORMATION

The following patch seems to fix this:

```
diff --git a/VEX/priv/guest_amd64_toIR.c b/VEX/priv/guest_amd64_toIR.c
index 7a20d45..21a3a6f 100644
--- a/VEX/priv/guest_amd64_toIR.c
+++ b/VEX/priv/guest_amd64_toIR.c
@@ -20625,7 +20625,7 @@ Long dis_ESC_NONE (
       /* Note.  There is no encoding for a 32-bit popf in 64-bit mode.
          So sz==4 actually means sz==8. */
       if (haveF2orF3(pfx)) goto decode_failure;
-      vassert(sz == 2 || sz == 4);
+      vassert(sz == 2 || sz == 4 || sz == 8);
       if (sz == 4) sz = 8;
       if (sz != 8) goto decode_failure; // until we know a sz==2 test case
exists
       t1 = newTemp(Ity_I64); t2 = newTemp(Ity_I64);
```
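Review bot: the comment above the changed assert is now out of date: it still explains only that sz==4 stands for sz==8, but after this change sz==8 (the REX.W form, 0x48 0x9D) is accepted as well and reaches the same 64-bit path, since `if (sz == 4) sz = 8;` leaves 8 untouched and `if (sz != 8) goto decode_failure;` then passes. Suggest extending the note, e.g. `So sz==4 actually means sz==8; sz==8 (REX.W) is the same POPFQ.`, and adding a regression test that executes the 0x48 0x9D encoding so the assertion cannot silently return. It may also be worth checking whether the neighbouring PUSHF (0x9C) case applies the same size restriction.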
