capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

ARM AArch32 instruction ADD may decode wrong in ADR situation #2373

Closed yakamoz423 closed 1 month ago

yakamoz423 commented 1 month ago

Work environment

Questions            Answers
OS/arch/bits         MSYS2 - MinGW64
Architecture         armv8
Source of Capstone   git clone
Version/git commit   next, fe60b1371c109288278faa06b7efb545b18ed45d

Instruction bytes giving faulty results

0xe28fc600


Expected results

It should be:

ADR - A1 format


Steps to get the wrong result

With cstool:

$ 233/bin/cstool.exe -d armbe e28fc600
 0  e2 8f c6 00  add    r12, pc, #0, #12
        ID: 31 (add)
        op_count: 4
                operands[0].type: REG = r12
                operands[0].access: WRITE
                operands[1].type: REG = r15
                operands[1].access: READ
                operands[2].type: IMM = 0x0
                operands[2].access: READ
                operands[3].type: IMM = 0xc
                operands[3].access: READ
        Registers read: r15
        Registers modified: r12
        Groups: IsARM 

Additional Logs, screenshots, source code, configuration dump, ...

I'm using the latest next version.

$ git log
commit fe60b1371c109288278faa06b7efb545b18ed45d (HEAD -> next, origin/next, origin/HEAD)
Author: Rot127 <45763064+Rot127@users.noreply.github.com>
Date:   Sat May 18 06:32:01 2024 +0000

    Apply #2360 to next (#2361)
yakamoz423 commented 1 month ago

Another case:

0xe28cca24


Should be:

ADD, ADDS (immediate) - A1

But result with cstool:

 0  e2 8c ca 24  add    r12, r12, #36, #20
        ID: 31 (add)
        op_count: 4
                operands[0].type: REG = r12
                operands[0].access: WRITE
                operands[1].type: REG = r12
                operands[1].access: READ
                operands[2].type: IMM = 0x24
                operands[2].access: READ
                operands[3].type: IMM = 0x14
                operands[3].access: READ
        Registers read: r12
        Registers modified: r12
        Groups: IsARM

Got an unexpected imm op[3], which seems not to be expanded (rotr op[2] by op[3]).
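To make the two reports concrete, here is an added example (my own Python, not Capstone or LLVM code; the function names are made up for this illustration) that decodes the data-processing (immediate) fields of both words, expands the A32 modified immediate by rotating imm8 right by 2*rotate, and checks whether the word uses the canonical encoding of that constant. The canonical rule it assumes is the Arm ARM's choice of the smallest rotation for the #<const> syntax; the Arm ARM also defines an explicit #<imm8>, #<rot> syntax for naming one particular encoding, and the example prints that form whenever the rotation field is not the canonical one, which matches the two outputs quoted in this thread.

```python
# Added example for capstone issue #2373: decode A32 ADD/SUB (immediate) and
# show why 0xe28fc600 and 0xe28cca24 print as "#imm8, #rot".  Not Capstone or
# LLVM code; helper names are my own.  Field layout and the imm8-ror-(2*rotate)
# rule follow the Arm ARM; "smallest rotation is canonical" is the assumption
# made here for the #<const> form.

REG_NAMES = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]

# Data-processing opcode field (bits 24:21) for the two mnemonics handled here.
OPC_SUB = 0b0010
OPC_ADD = 0b0100


def ror32(value, amount):
    """Rotate a 32-bit value right by `amount` bits."""
    value &= 0xFFFFFFFF
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF


def expand_modimm(imm12):
    """A32 modified immediate: imm8 (bits 7:0) rotated right by 2 * rotate (bits 11:8)."""
    rotate = (imm12 >> 8) & 0xF
    imm8 = imm12 & 0xFF
    return ror32(imm8, 2 * rotate)


def canonical_modimm(value):
    """Return (imm8, rotate) using the smallest rotate that encodes `value`,
    or None if `value` is not representable as a modified immediate."""
    for rotate in range(16):
        # Undo the right rotation; if what is left fits in 8 bits, this rotate works.
        imm8 = ror32(value, 32 - 2 * rotate) if rotate else (value & 0xFFFFFFFF)
        if imm8 <= 0xFF:
            return imm8, rotate
    return None


def decode_dp_imm(word):
    """Split an A32 data-processing (immediate) word (bits 27:25 == 001) into fields."""
    if (word >> 25) & 0b111 != 0b001:
        raise ValueError(f"{word:#010x}: not a data-processing (immediate) word")
    cond = (word >> 28) & 0xF
    if cond == 0xF:
        raise ValueError("cond == 1111 is the unconditional space, not data-processing")
    return {
        "cond": cond,
        "opcode": (word >> 21) & 0xF,
        "S": (word >> 20) & 1,
        "Rn": (word >> 16) & 0xF,
        "Rd": (word >> 12) & 0xF,
        "imm12": word & 0xFFF,
    }


def format_add_imm(word):
    """Render an ADD/SUB (immediate) word in UAL and report what was found.

    Returns (text, expanded_value, is_canonical, is_adr_encoding).  A canonical
    immediate prints as #<const>; any other encoding prints as #<imm8>, #<rot>,
    the explicit form Capstone and llvm-mc produced for the words in this issue.
    """
    f = decode_dp_imm(word)
    mnemonic = {OPC_ADD: "add", OPC_SUB: "sub"}.get(f["opcode"])
    if mnemonic is None:
        raise ValueError(f"opcode {f['opcode']:#x} is not ADD or SUB")
    if f["S"]:
        mnemonic += "s"
    rotate = (f["imm12"] >> 8) & 0xF
    imm8 = f["imm12"] & 0xFF
    value = expand_modimm(f["imm12"])
    canonical = canonical_modimm(value) == (imm8, rotate)
    imm_text = f"#{value:#x}" if canonical else f"#{imm8}, #{2 * rotate}"
    text = f"{mnemonic} {REG_NAMES[f['Rd']]}, {REG_NAMES[f['Rn']]}, {imm_text}"
    # Rn == PC with S == 0 is the encoding the Arm ARM documents as ADR (A1).
    is_adr = f["Rn"] == 15 and f["S"] == 0
    return text, value, canonical, is_adr


if __name__ == "__main__":
    for w in (0xE28FC600, 0xE28CCA24):  # the two words reported in this issue
        print(f"{w:#010x}: {format_add_imm(w)}")
```

Running it shows that the first word expands to 0 with rotate field 6 (the canonical encoding of 0 has rotate 0) and the second to 0x24000 with rotate field 10, where the smallest rotation that works is 9 with imm8 = 9; neither word is the canonical encoding of its constant, so both come out in the explicit #<imm8>, #<rot> spelling rather than as #0 and #0x24000.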

Rot127 commented 1 month ago

This is an LLVM bug as it turns out:

echo "0x24,0xca,0x8c,0xe2,0x00,0xc6,0x8f,0xe2" | llvm-mc-19 --triple=arm --disassemble
    .text
    add r12, r12, #36, #20
    add r12, pc, #0, #12

Same for llvm-mc-18. Could you please open an issue with LLVM?

yakamoz423 commented 1 month ago

> This is an LLVM bug as it turns out:
>
> echo "0x24,0xca,0x8c,0xe2,0x00,0xc6,0x8f,0xe2" | llvm-mc-19 --triple=arm --disassemble
>   .text
>   add r12, r12, #36, #20
>   add r12, pc, #0, #12
>
> Same for llvm-mc-18. Could you please open an issue with LLVM?

I posted it at https://github.com/llvm/llvm-project/issues/93930