[Bug gas/31885] New: [GAS] Change register types
https://sourceware.org/bugzilla/show_bug.cgi?id=31885

Bug ID: 31885
Summary: [GAS] Change register types
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I found that GAS 2.41 changes register types without any warning. I believe GAS should more accurately verify assembly syntax and issue warnings if it alters register types. I identified this issue with 9 opcodes in x64 binaries and 4 opcodes in x86 binaries.

# x64 binaries

```
.intel_syntax noprefix
Bug:
    lar RAX, RBX
    lsl RAX, WORD PTR [1]
    mov RAX, GS
    movmskpd RAX, XMM0
    pmovmskb RAX, MM2
    sldt RAX
    str RAX
    verr RAX
    verr RAX
main:
    jmp Bug
```

Compiled Code

```
Bug:
    lar eax,ebx
    lsl eax,WORD PTR ds:0x1
    mov eax,gs
    movmskpd eax,xmm0
    pmovmskb eax,mm2
    sldt eax
    str eax
    verr eax
    verr eax
```

# x86 binaries

Buggy code

```
.intel_syntax noprefix
Bug:
    ltr EAX
    lldt EAX
    verw ESP
    verw EDI
```

Compiled Code

```
Bug:
    ltr ax
    lldt ax
    verr ax
    verw ax
```

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug gas/31886] New: [GAS] Allows incorrect memory size directive
https://sourceware.org/bugzilla/show_bug.cgi?id=31886

Bug ID: 31886
Summary: [GAS] Allows incorrect memory size directive
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I found that GAS 2.41 improperly checks memory size directives. This error has been identified in 11 opcodes in x64 and x86 binaries.

Buggy Code (x86/x64)

```
.intel_syntax noprefix
Bugs:
    cldemote ZMMWORD PTR [EAX]
    clflush ZMMWORD PTR [EAX]
    clflushopt ZMMWORD PTR [EAX]
    clwb ZMMWORD PTR [EAX]
    invlpg ZMMWORD PTR [EAX]
    prefetch ZMMWORD PTR [EAX]
    prefetchw ZMMWORD PTR [EAX]
    prefetcht0 ZMMWORD PTR [EAX]
    prefetcht1 ZMMWORD PTR [EAX]
    prefetcht2 ZMMWORD PTR [EAX]
    prefetchwt1 ZMMWORD PTR [EAX]
```

Compiled Code (x86/x64)

```
Bugs:
    cldemote BYTE PTR [eax]
    clflush BYTE PTR [eax]
    clflushopt BYTE PTR [eax]
    clwb BYTE PTR [eax]
    invlpg BYTE PTR [eax]
    prefetch BYTE PTR [eax]
    prefetchw BYTE PTR [eax]
    prefetcht0 BYTE PTR [eax]
    prefetcht1 BYTE PTR [eax]
    prefetcht2 BYTE PTR [eax]
    prefetchwt1 BYTE PTR [eax]
```
[Bug gas/31887] New: [GAS] Confuse an memory operand as immediate value
https://sourceware.org/bugzilla/show_bug.cgi?id=31887

Bug ID: 31887
Summary: [GAS] Confuse an memory operand as immediate value
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I discovered that GAS 2.41 transforms memory operands into immediate values. I think GAS should more accurately verify assembly syntax. This error has been identified in 5 opcodes when I tested x64 (x86) assembly.

Buggy Code (x86/x64)

```
.intel_syntax noprefix
Bugs:
    jecxz YMMWORD PTR [1]
    jrcxz QWORD PTR [1]
    loop XMMWORD PTR [1]
    loope XMMWORD PTR [1]
    loopne XMMWORD PTR [1]
```

Compiled Code (x86/x64)

```
Bugs:
    jecxz 3
    jrcxz 5
    loop 7
    loope 9
    loopne b
```
[Bug gas/31888] New: [GAS] Ignore operand expression
https://sourceware.org/bugzilla/show_bug.cgi?id=31888

Bug ID: 31888
Summary: [GAS] Ignore operand expression
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I observed that ARMv8 GAS ignores the third operand, likely due to alias operations. I believe GAS should perform more precise syntax checks.

Buggy Code

```
lsr R0, #1
lsr R0, #1, 1<<4
```

Compiled Code.

```
lsr r0, r0, #1
lsr r0, r0, #1
```
[Bug gas/31889] New: [GAS] Confuse operand types
https://sourceware.org/bugzilla/show_bug.cgi?id=31889

Bug ID: 31889
Summary: [GAS] Confuse operand types
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I noticed that AArch64 GAS accepts immediate values as the third operand for tbz, tbnz, and adrp opcodes. However, according to the manual, these opcodes should only accept labels as their third operand. Therefore, I believe GAS should raise an error message for the following example code.

Buggy Code.

```
Bugs:
    tbz X0, [1], 1<<2
    tbnz X0, [1], 1<<2
    adrp X0, 1<<2
```

Compiled Code

```
Bugs:
    tbz w0, #1, 4
    tbnz w0, #1, 8
    adrp x0, 0
```
[Bug gas/32501] New: [GAS] Imprecise assembly syntax check in MIPS
https://sourceware.org/bugzilla/show_bug.cgi?id=32501

Bug ID: 32501
Summary: [GAS] Imprecise assembly syntax check in MIPS
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I observed an issue in GAS related to inaccurate syntax checking and incorrect encoding in MIPS. Specifically, I found that syntactically incorrect assembly code was successfully compiled. For instance, in the example below, parentheses in the operand, which should indicate memory references, were misinterpreted in the compiled output as if the operand is an immediate value.

```
$ ./bin/mips-linux-gnu-as buggy.s -o buggy.o
$ cat buggy.s
syscall (1)
break (2)
c2 (3)
c3 (4)
$ objdump -d buggy.o

buggy.o: file format elf32-tradbigmips

Disassembly of section .text:

<.text>:
   0: 004c syscall 0x1
   4: 0002000d break 0x2
   8: 4a03 c2 0x3
   c: 4e04 c3 0x4
```
[Bug gas/32500] New: [GAS] Imprecise assembly syntax check in RISC-V
https://sourceware.org/bugzilla/show_bug.cgi?id=32500

Bug ID: 32500
Summary: [GAS] Imprecise assembly syntax check in RISC-V
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I observed an issue in GAS involving inaccurate syntax checking and incorrect encoding in RISC-V.

First, in the RISC-V environment, I noticed that syntactically incorrect assembly code was still successfully compiled. In the example below, parentheses in the operand, which are intended to indicate memory references, were misinterpreted in the compiled output as if the operand had no parentheses.

Additionally, in the example, `j (1)` and `jal (2)` instructions can branch to addresses that are not 4-byte aligned. I think GAS should issue a warning or an error during the compilation process in these scenarios.

```
$ cat buggy.s
j (1)
jal (2)
jalr (a3)
jr (a4)
$ ./bin/riscv-linux-gnu-as buggy.s -o buggy.o
$ ./bin/objdump -d buggy.o

buggy.o: file format elf64-littleriscv

Disassembly of section .text:

<.text>:
   0: 006f j 0 <.text>
   4: 00ef jal 4 <.text+0x4>
   8: 000680e7 jalr a3
   c: 00070067 jr a4

Disassembly of section .text:
```
[Bug binutils/30919] Assembly Syntax Bugs in GAS
https://sourceware.org/bugzilla/show_bug.cgi?id=30919

Hyungseok Kim changed:

What|Removed|Added
CC||witbring at gmail dot com

--- Comment #2 from Hyungseok Kim ---
I have reported the related bugs individually. The bug links are provided below. Please review them.

https://sourceware.org/bugzilla/show_bug.cgi?id=31885
https://sourceware.org/bugzilla/show_bug.cgi?id=31886
https://sourceware.org/bugzilla/show_bug.cgi?id=31887
https://sourceware.org/bugzilla/show_bug.cgi?id=31888
https://sourceware.org/bugzilla/show_bug.cgi?id=31889
https://sourceware.org/bugzilla/show_bug.cgi?id=32500
https://sourceware.org/bugzilla/show_bug.cgi?id=32501

Thank you.
[Bug gas/31888] gas ignores operand expression for lsr and doesn't emit a diagnostic
https://sourceware.org/bugzilla/show_bug.cgi?id=31888

--- Comment #2 from Hyungseok Kim ---
Thank you for confirming. I would also appreciate it if you could address the bug fixes.
[Bug gas/31885] gas silently changes register types without any diagnostic/warning
https://sourceware.org/bugzilla/show_bug.cgi?id=31885

--- Comment #3 from Hyungseok Kim ---
Thank you for your response. I believe it would be beneficial for assembly tools to conduct syntax checks more thoroughly and explicitly. In that regard, I believe the non-default mode is more advantageous.

Thanks.
[Bug gas/31889] gas confuses operand types for tbz/tbnz/adrp (accepts illegal syntax)
https://sourceware.org/bugzilla/show_bug.cgi?id=31889

--- Comment #2 from Hyungseok Kim ---
Thank you for confirming. I would also appreciate it if you could address the confirmed bugs.
[Bug gas/32534] New: [GAS] Intel Assembly Bugs (Mishandle Labels)
https://sourceware.org/bugzilla/show_bug.cgi?id=32534

Bug ID: 32534
Summary: [GAS] Intel Assembly Bugs (Mishandle Labels)
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I am reporting a GNU AS bug found during research. The tests were conducted using the latest version (binutils 2.38). The issue occurs in the same way with previous versions as well.

When some register names are used in operands, GAS interprets them as actual registers. Notably, GAS allows the creation of these labels, which could potentially lead to problems.

1. Example Code

```
.intel_syntax noprefix
.data
RAX:
RbX:
Rcx:
    .long 0
.text
test:
    mov edx, DWORD PTR [RAX]
    mov edx, DWORD PTR [RbX]
    mov edx, DWORD PTR [Rcx]
    call rsP
rsP:
    ret
```

2. Compilation Command

```
gcc -c test.c
```

3. Compiled Binary Output

```
:
   0: 8b 10 mov edx,DWORD PTR [rax]
   2: 8b 13 mov edx,DWORD PTR [rbx]
   4: 8b 11 mov edx,DWORD PTR [rcx]
   6: ff d4 call rsp

0008 :
   8: c3 ret
```
[Bug binutils/32531] New: [GAS] Intel Assembly Bugs (Mishandle Directive Names)
https://sourceware.org/bugzilla/show_bug.cgi?id=32531

Bug ID: 32531
Summary: [GAS] Intel Assembly Bugs (Mishandle Directive Names)
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: witbring at gmail dot com
Target Milestone: ---

I am reporting a GNU AS bug found during research. The tests were conducted using the latest version (v2.38). The issue occurs in the same way with previous versions as well.

When some directive names are used in memory operands, incorrect binary code is generated. It seems that the issue arises due to handling the data labels used in the mov instruction as directives.

1. Example Code

```
.intel_syntax noprefix
.data
byte:
word:
qword:
    .long 0
.text
test:
    mov edx, DWORD PTR [byte]
    mov edx, DWORD PTR [word]
    mov edx, DWORD PTR [qword]
```

2. Compilation Command

```
gcc -c test.c
```

3. Compiled Binary Output

The memory operands were replaced with constant values in the compiled binary code.

```
:
   0: 8b 14 25 01 00 00 00 mov edx,DWORD PTR ds:0x1
   7: 8b 14 25 02 00 00 00 mov edx,DWORD PTR ds:0x2
   e: 8b 14 25 02 00 00 00 mov edx,DWORD PTR ds:0x4
```

This related bug can also be observed when we use other labels such as qword. rd, qword, tbyte, oword, xmmword, ymmword, zmmword, far, and near.

This bug can also be reproduced on Godbolt: https://godbolt.org/z/hj49W734M
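A pre-assembly check for the label collisions described in bugs 32534 and 32531 above, added here as an example (not part of the original reports or of binutils). The function name `lint_labels`, the partial register list, the inclusion of `dword`, and the choice to act only on an explicit `.intel_syntax noprefix` are assumptions; the sample source is constructed from the label names in the two reports.

```python
import re

# Size/distance keywords named in bug 32531; "dword" is added as an assumption.
SIZE_KEYWORDS = {"byte", "word", "dword", "qword", "tbyte", "oword",
                 "xmmword", "ymmword", "zmmword", "far", "near"}
# Partial general-purpose register list (illustrative, not exhaustive).
_GPR = ("ax", "bx", "cx", "dx", "si", "di", "sp", "bp")
REGISTERS = {p + r for p in ("r", "e") for r in _GPR}
REGISTERS |= {f"r{n}" for n in range(8, 16)}

LABEL_RE = re.compile(r"^\s*([A-Za-z_.$][\w.$]*)\s*:")
MODE_RE = re.compile(r"^\s*\.(intel_syntax|att_syntax)\b(.*)")

def lint_labels(source):
    """Return (line, label, kind) for labels that noprefix Intel syntax
    would read as a register or size keyword when used as an operand."""
    findings, noprefix = [], False
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop x86 gas line comments
        mode = MODE_RE.match(line)
        if mode:
            noprefix = mode.group(1) == "intel_syntax" and "noprefix" in mode.group(2)
            continue
        label = LABEL_RE.match(line)
        if not (label and noprefix):
            continue
        name = label.group(1)
        if name.lower() in REGISTERS:        # names match case-insensitively
            findings.append((lineno, name, "register"))
        elif name.lower() in SIZE_KEYWORDS:
            findings.append((lineno, name, "size-keyword"))
    return findings

# Constructed sample combining label names from both reports.
SAMPLE = """\
.intel_syntax noprefix
RAX:
RbX:
byte:
qword:
test:
mov edx, DWORD PTR [RbX]
call rsP
rsP:
"""

if __name__ == "__main__":
    for lineno, name, kind in lint_labels(SAMPLE):
        print(f"line {lineno}: label '{name}' collides with a {kind}")
```

Run over hand-written or generated `.s` files before assembly, a non-empty result marks labels whose references may assemble to a register or constant operand instead of the symbol's address.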
[Bug gas/32534] [GAS] Intel Assembly Bugs (Mishandle Labels)
https://sourceware.org/bugzilla/show_bug.cgi?id=32534

--- Comment #2 from Hyungseok Kim ---
I reproduced the issue with the latest version (2.43.1).