Wrong semantics of x86 instruction BT when operand is in memory

jasmin-lang / jasmin

Language for high-assurance and high-speed cryptography

MIT License

271 stars 55 forks source link

Wrong semantics of x86 instruction BT when operand is in memory #931

Closed vbgl closed 3 weeks ago

vbgl commented 1 month ago

The following (safe) program produces zero in Jasmin semantics but one when run on hardware after compilation.

export fn test() -> reg u8 {
  reg bool cf;
  stack u64[2] s;
  s[0] = 0;
  s[1] = 1;
  reg u64 ofs = 64;
  cf = #BT(s[0], ofs);
  reg u8 r = #SETcc(cf);
  return r;
}