As part of a research project testing the accuracy of the SLEIGH specifications compared to real hardware, we observed an unexpected behaviour in the FLDM*X and FSTM*X instructions for AArch32 (ARM:LE:32:v8).
According to the manual,
FLDM*X: loads multiple SIMD&FP registers from consecutive locations in the Advanced SIMD and floating-point register file using an address from a general-purpose register.
FSTM*X: stores multiple SIMD&FP registers from the Advanced SIMD and floating-point register file to consecutive locations in using an address from a general-purpose register.
However, we noticed the output was incorrect when rn is PC.
As part of a research project testing the accuracy of the SLEIGH specifications compared to real hardware, we observed an unexpected behaviour in the
FLDM*XandFSTM*Xinstructions for AArch32 (ARM:LE:32:v8).According to the manual,
FLDM*X: loads multiple SIMD&FP registers from consecutive locations in the Advanced SIMD and floating-point register file using an address from a general-purpose register.FSTM*X: stores multiple SIMD&FP registers from the Advanced SIMD and floating-point register file to consecutive locations in using an address from a general-purpose register.However, we noticed the output was incorrect when rn is PC.
e.g, for AArch32 with,
Instruction:
0x03fb9fbc, fldmiaxlt pc, {d15}initial_registers:{ "q7": 0x3402e490d6f731503f84dc49ea483fa8, "pc": 0x10000000, "NG": 0x1, "OV": 0x0 }initial_memory:{ "0x10000004": [ 0x2d, 0xe8, 0x4f, 0x9f, 0xfd, 0xd6, 0xf0, 0x8f, 0xf2, 0x9b, 0x63, 0x4e ] }We get:
Hardware:
{ "q7": 0x4e639bf28ff0d6fd3f84dc49ea483fa8 }Patched Spec:
{ "q7": 0x4e639bf28ff0d6fd3f84dc49ea483fa8 }Existing Spec:
{ "q7": 0x9f4fe82dbc9ffb033f84dc49ea483fa8 }and,
Instruction:
0x03fb8fbc, fstmiaxlt {d15}, pcinitial_registers:{ "q7": 0x91806b2353487fa01ffb87e5aa1a6e1b, "pc": 0x10000000, "NG": 0x1, "OV": 0x0 }We get:
Hardware:
{ 0x10000008: 0xa0, 0x10000009: 0x7f, 0x1000000A: 0x48, 0x1000000B: 0x53, 0x1000000C: 0x23, 0x1000000D: 0x6b, 0x1000000E: 0x80, 0x1000000F: 0x91 }Patched Spec:
{ 0x10000008: 0xa0, 0x10000009: 0x7f, 0x1000000A: 0x48, 0x1000000B: 0x53, 0x1000000C: 0x23, 0x1000000D: 0x6b, 0x1000000E: 0x80, 0x1000000F: 0x91 }Existing Spec:
{ 0x10000000: 0xa0, 0x10000001: 0x7f, 0x10000002: 0x48, 0x10000003: 0x53, 0x10000004: 0x23, 0x10000005: 0x6b, 0x10000006: 0x80, 0x10000007: 0x91 }In Thumb mode (
ARM:LE:32:v8T), if rn is PC, it results inUNPREDICTABLEbehaviour. However, this is permissible in AArch32 mode.Note: The patched spec does not introduce any disassembly changes to the best of our knowledge.