As part of a research project testing the accuracy of the SLEIGH specifications compared to real hardware, we observed an unexpected behaviour in the ldrsh.w & ldrsb.w instructions for Thumb (ARM:LE:32:v8T).
According to the manual, it calculates an address from the PC value and an immediate offset, loads a halfword/byte from memory, sign-extends it to form a 32-bit word, and writes it to a register. However, we noticed the output was incorrect.
As part of a research project testing the accuracy of the SLEIGH specifications compared to real hardware, we observed an unexpected behaviour in the
ldrsh.w&ldrsb.winstructions for Thumb (ARM:LE:32:v8T).According to the manual, it calculates an address from the PC value and an immediate offset, loads a halfword/byte from memory, sign-extends it to form a 32-bit word, and writes it to a register. However, we noticed the output was incorrect.
e.g, for Thumb with,
Instruction:
0xbff90000, ldrsh.w r0,[0x10000004]initial_registers:{ "pc": 0x10000000 }We get:
Hardware:
{ "r0": 0xffffe82d }Patched Spec:{ "r0": 0xffffe82d }Existing Spec:{ "r0": 0xffffbcc6 }and,
Instruction:
0x1ff90000, ldrsb.w r0,[0x10000004]initial_registers:{ "pc": 0x10000000 }We get:
Hardware:
{ "r0": 0x2d }Patched Spec:{ "r0": 0x2d }Existing Spec:{ "r0": 0xffffffc6 }Note: The patched spec does not introduce any disassembly changes to the best of our knowledge.