Hi,

Thanks for your reply. I don't think return false is the right behavior here. H is related to the decoding rather than the encoding phase. The value of symbol *H* should not be used to check whether the (encoding) pattern is matched or not. In other words, whatever value H is, if the bytecode meets the pattern of BLX in Thumb T2 encoding, it should be a BLX instruction.

During the decoding phase, QEMU should check whether H equals 1. If so, a SIGILL signal should be raised. Please see a concrete case below.

Below is the sample code; 0xf279cf25 has the encoding pattern of instruction BLX, and H is 1 here.

    #include <stdio.h>

    int main(void)
    {
        /* BLX (T2 encoding) word with H == 1, which the ARMv7 manual marks UNDEFINED */
        __asm__(".inst.w 0xf279cf25");
        printf("no signal\n");
        return 0;
    }

I cross compiled it in Thumb mode and generated the binary named test_BLX, which is attached. I set a breakpoint at 0x102f0. The value at 0x102f0 is 0xf279cf25, which should be an UNDEFINED instruction, and a SIGILL signal should be raised when executing this instruction.

    Breakpoint 1, 0x000102f0 in ?? ()
    gef> x/4i $pc
    => 0x102f0: ; <UNDEFINED> instruction: 0xf279cf25
       0x102f4: ldr r3, [pc, #12] ; (0x10304)
       0x102f6: movs r0, r3
       0x102f8: bl 0x5fe28

When I use si to execute the instruction at 0x102f0, it jumps to 0x102f6. No signal is raised. Finally, the program exits without any raised signal.

    gef> si
    0x000102f6 in ?? ()

I don't think this should be the right behavior. The same binary was tested on a physical ARM device and SIGILL is triggered. Return false does not seem to work here.

Many Thanks
Regards
Muhui

** Attachment added: "test_BLX"
   https://bugs.launchpad.net/qemu/+bug/1925512/+attachment/5491252/+files/test_BLX

https://bugs.launchpad.net/bugs/1925512

Title:
  UNDEFINED case for instruction BLX

Status in QEMU:
  Invalid

Bug description:
  Hi

  I refer to the instruction BLX imm (T2 encoding) in ARMv7 (Thumb mode).

      11110 S imm10H 11 J1 0 J2 imm10L H

      if H == '1' then UNDEFINED;
      I1 = NOT(J1 EOR S); I2 = NOT(J2 EOR S);
      imm32 = SignExtend(S:I1:I2:imm10H:imm10L:'00', 32);
      targetInstrSet = InstrSet_A32;
      if InITBlock() && !LastInITBlock() then UNPREDICTABLE;

  According to the manual, if H equals 1, this instruction should be an UNDEFINED instruction. However, it seems QEMU does not check this constraint in function trans_BLX_i.

  Thanks
  Regards
  Muhui
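The encoding and decode rules quoted in the bug description, worked through as an added example. This is not code from the report, the attachment, or QEMU's trans_BLX_i; the function and type names (decode_blx_t2, decode_blx_t2_bytes, blx_t2_target, struct blx_t2) are this example's own. It demonstrates the distinction the thread turns on: the pattern match is done without looking at H, so 0xf279cf25 is recognised as a BLX, and only afterwards does H == 1 turn the result into UNDEFINED (a distinct outcome from "not this pattern", which is what a bare return false would mean). The same word with H cleared decodes to imm32 = 0x00A79E48, and with S = 1 the sign extension is exercised too. The target rule Align(PC,4) + imm32 with PC = instruction address + 4 is the manual's rule for BLX in Thumb state; the sample bytes are constructed from the assembler's little-endian halfword layout of .inst.w 0xf279cf25.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: decoder for the Thumb T2 encoding of BLX <label>
 *   hw1 = 11110 S imm10H        hw2 = 11 J1 0 J2 imm10L H
 * H is not part of the pattern match. A word that fits the pattern is a BLX;
 * H == 1 then makes that BLX UNDEFINED, which the decoder must report so the
 * caller can raise the undefined-instruction exception (SIGILL under user-mode
 * emulation) instead of falling through to the next halfword.
 * All names here are this example's own, not QEMU's.
 */
enum blx_t2_result {
    BLX_T2_NO_MATCH,   /* not this encoding at all (e.g. BL has hw2[12] = 1) */
    BLX_T2_UNDEFINED,  /* pattern matched but H == 1: UNDEFINED per the manual */
    BLX_T2_OK          /* pattern matched, H == 0: valid BLX */
};

struct blx_t2 {
    unsigned s, j1, j2, h;
    unsigned imm10h, imm10l;
    int32_t imm32;     /* SignExtend(S:I1:I2:imm10H:imm10L:'00', 32) */
};

enum blx_t2_result decode_blx_t2(uint16_t hw1, uint16_t hw2, struct blx_t2 *out)
{
    /* Pattern match exactly as the encoding diagram, H deliberately excluded. */
    if (((hw1 >> 11) & 0x1f) != 0x1e)   /* hw1[15:11] == 11110 */
        return BLX_T2_NO_MATCH;
    if (((hw2 >> 14) & 0x3) != 0x3)     /* hw2[15:14] == 11 */
        return BLX_T2_NO_MATCH;
    if ((hw2 >> 12) & 1)                /* hw2[12] must be 0 (1 would be BL) */
        return BLX_T2_NO_MATCH;

    struct blx_t2 d;
    d.s      = (hw1 >> 10) & 1;
    d.imm10h = hw1 & 0x3ff;
    d.j1     = (hw2 >> 13) & 1;
    d.j2     = (hw2 >> 11) & 1;
    d.imm10l = (hw2 >> 1) & 0x3ff;
    d.h      = hw2 & 1;

    /* I1 = NOT(J1 EOR S); I2 = NOT(J2 EOR S) */
    unsigned i1 = !(d.j1 ^ d.s);
    unsigned i2 = !(d.j2 ^ d.s);
    uint32_t raw = (d.s << 24) | (i1 << 23) | (i2 << 22)
                 | (d.imm10h << 12) | (d.imm10l << 2);
    /* Sign-extend from bit 24 (the S bit) to 32 bits. */
    d.imm32 = (int32_t)((raw & 0x01000000u) ? (raw | 0xfe000000u) : raw);

    if (out)
        *out = d;
    /* Only now, after the pattern matched, does H decide OK vs UNDEFINED. */
    return d.h ? BLX_T2_UNDEFINED : BLX_T2_OK;
}

/* Decode from memory: a 32-bit Thumb instruction is two little-endian
 * halfwords, the first halfword at the lower address. */
enum blx_t2_result decode_blx_t2_bytes(const uint8_t *p, struct blx_t2 *out)
{
    uint16_t hw1 = (uint16_t)(p[0] | (p[1] << 8));
    uint16_t hw2 = (uint16_t)(p[2] | (p[3] << 8));
    return decode_blx_t2(hw1, hw2, out);
}

/* BLX target in Thumb state: Align(PC, 4) + imm32, where PC reads as the
 * instruction address + 4. Unsigned wraparound handles negative imm32. */
uint32_t blx_t2_target(uint32_t insn_addr, int32_t imm32)
{
    return ((insn_addr + 4) & ~3u) + (uint32_t)imm32;
}

int main(void)
{
    /* Constructed sample bytes: how the assembler lays out .inst.w 0xf279cf25. */
    static const uint8_t undef_word[4] = { 0x79, 0xf2, 0x25, 0xcf };
    struct blx_t2 d;

    enum blx_t2_result r = decode_blx_t2_bytes(undef_word, &d);
    printf("0xf279cf25: result=%d S=%u J1=%u J2=%u H=%u\n", r, d.s, d.j1, d.j2, d.h);

    /* The same word with H cleared is a well-formed BLX. */
    r = decode_blx_t2(0xf279, 0xcf24, &d);
    printf("0xf279cf24: result=%d imm32=0x%08x target from 0x102f0 = 0x%08x\n",
           r, (unsigned)d.imm32, blx_t2_target(0x102f0, d.imm32));
    return 0;
}
```

The three-way result is the design point: a translator that answers only "matched / not matched" has nowhere to put the H == 1 case, and treating it as "not matched" makes the front end try other decoders or skip the word, which is the silent jump to 0x102f6 seen in the report. Keeping UNDEFINED as its own outcome lets the caller raise the exception for exactly the words the manual says are undefined and nothing else.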