MIPS Groups incorrect for JALR, BLTZAL

[zachriggle]

Surely jalr deserves CS_GRP_JUMP (or even CS_GRP_CALL)?

>>> i.bytes, i.mnemonic, i.op_str, i.groups
(bytearray(b'\t\xf8 \x03'), 'jalr', '$t9', [137, 144])

[zachriggle]

It looks like this may be a general thing with MIPS, as most (all?) branches are missing these groups.

>>> i.bytes, i.mnemonic, i.op_str, i.groups
(bytearray(b'\x01\x00\x10\x05'), 'bltzal', '$t0, 0x767cb8c8', [137, 146, 147])

[hlide]

yeah they are CS_GRP_CALL. In most cases, jalr rd, rsuses $ra for rd and so rd is also omitted to give jalr rs. As for bltzaland consoeurs, they can be seen as conditional calls.

[aquynh]

Zach, can you also post the hardware mode of the engine, so i can test this?

[zachriggle]

Should have just been CS_ARCH_MIPS, CS_MODE_32, with cs.detail=True, on the next branch.

[aquynh]

can you list all the instructions with this problem here, so i can fix them all in one go?

thanks.

[hlide]

technically, all instructions ending with AL :-)

[zachriggle]

Yeah, everything *al for "and link" should be a CS_GRP_CALL type.

Has any infrastructure been put in place for MIPS condition codes?

[zachriggle]

Also, the specific sequence jr $ra should probably have CS_GRP_RET.

>>> from capstone import *
>>> cs=Cs(CS_ARCH_MIPS, CS_MODE_32)
>>> cs.detail=True
>>> for i in cs.disasm('\x08\x00\xe0\x03',0):
..:     print(i.bytes, i.mnemonic, i.op_str, i.groups)
..:     
(bytearray(b'\x08\x00\xe0\x03'), u'jr', u'$ra', [137, 1])

[zachriggle]

To clarify, I think that these should also all have CS_GRP_JMP. While it's nice when CS_GRP_XXX are mutually exclusive, I don't think they should be in this case.

[hlide]

CS_GRP_JUMP is not enough in my opinion we should add MIPS specifics like:

• CS_GRP_BRANCH_DELAY_SLOT : this branch instruction has a delay slot. Every branch instruction not ending with suffix L(likely) or C(compact).
• CS_GRP_BRANCH_LIKELY_SLOT : this branch instruction has a likely slot. Every branch instruction ending with suffix L or ALL(likely).
• CS_GRP_BRANCH_FORBIDDEN_SLOT : this branch instruction has a forbidden slot. Every branch instruction ending with suffix C(compact). forbidden means no delay/likely slot but control flow instruction cannot follow this instruction.

J/JR/JAL/JALR must have CS_GRP_BRANCH_DELAY_SLOT.

EDIT:

that way, CS_GROUP_JUMP, CS_GROUP_CALL and CS_GROUP_RET can be mutually exclusive as higher generic semantics. If we need more specific details about a jump or call instruction:

• J/JR/Bxx : CS_GROUP_JUMP + CS_GRP_BRANCH_DELAY_SLOT
• BxxL : CS_GROUP_JUMP + CS_GRP_BRANCH_LIKELY_SLOT
• JAL/JALR/BxxAL : CS_GROUP_CALL + CS_GRP_BRANCH_DELAY_SLOT
• BxxALL : CS_GROUP_CALL + CS_GRP_BRANCH_LIKELY_SLOT
• JR $RA : CS_GROUP_RET + CS_GRP_BRANCH_DELAY_SLOT

[hlide]

Note that those specifics should have equivalents for Sparc too since it has similar slots after a branch instruction.

[hlide]

Argh, those are enumerated values, not from a bitset :(

[zachriggle]

I disagree that there should be a top level variant for that. Arch-level maybe. Delay slot is not an instruction group in either case. On Mon, Jul 13, 2015 at 8:26 AM hlide notifications@github.com wrote:

Argh, those are enumerated values, not from a bitset :(

— Reply to this email directly or view it on GitHub https://github.com/aquynh/capstone/issues/370#issuecomment-120909105.

[hlide]

Whatever, those flags are missing. Trying to detect by their instruction id is a nightmare (I'm trying to add delayslot handling in decompiler snowman for MIPS). Not only those id are not unique per opcode (for instance, MIPS_INSN_ADD encodes add,add.s and add.d) but I must also to handle branch instruction aliases ineptie. I wish to be able to refactorize the code to handle the delay slot by simply having those flags. Sorry to say, capstone as a decomposer is a bit lacking.

[aquynh]

@hlide, anything prevents you from refactoring the code to handle the missing features?

i will gather all the issues and look at them when i have more time. some issues can be fixed by us, and some can be reported to upstream.

LLVM community (mostly Imgtec guys) are working hard on this Mips disassembler, so we can be optimistic (and i am, always).

thanks.

[hlide]

I can do the delay slot handling using instruction id but that's not very orthogonal (MIPS is, capstone is not) and not elegant (switch with a lot of cases).