search

unicorn-engine / unicorn

Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, S390x, TriCore, X86)
http://www.unicorn-engine.org
GNU General Public License v2.0
7.67k stars 1.35k forks source link

qemu: fix ASAN errors in tcg and arm translation #1904

Closed StalkR closed 1 year ago

wtdcode commented 1 year ago

Do you have full ASAN error backtrace?

StalkR commented 1 year ago

Sure, here it is (slightly redacted). It's more specifically UBSAN from the family of sanitizers.

For the fix in tcp-op.h:

SanitizerError
UndefinedBehaviorSanitizer: out-of-bounds-index unicorn/qemu/include/tcg/tcg-op.h:49:9 in

Details unicorn/qemu/include/tcg/tcg-op.h:49:9: runtime error: index 66 out of bounds for type 'int[17]'
    #0 0x7f0637b2656d in gen_uc_tracecode unicorn/qemu/include/tcg/tcg-op.h:49:9
    #1 0x7f0637b98b72 in thumb_tr_translate_insn unicorn/qemu/target/arm/translate.c
    #2 0x7f0637adef12 in translator_loop_arm unicorn/qemu/accel/tcg/translator.c:124:9
    #3 0x7f0637b21df6 in gen_intermediate_code_arm unicorn/qemu/target/arm/translate.c:11775:5
    #4 0x7f0637adc01b in tb_gen_code_arm unicorn/qemu/accel/tcg/translate-all.c:1636:5
    #5 0x7f0637ac3dbc in tb_find unicorn/qemu/accel/tcg/cpu-exec.c:259:14
    #6 0x7f0637ac3dbc in cpu_exec_arm unicorn/qemu/accel/tcg/cpu-exec.c:600:18
    #7 0x7f0637a72c5c in tcg_cpu_exec unicorn/qemu/softmmu/cpus.c:96:17
    #8 0x7f0637a72c5c in resume_all_vcpus_arm unicorn/qemu/softmmu/cpus.c:215:13
    #9 0x7f0637a72f98 in vm_start_arm unicorn/qemu/softmmu/cpus.c:234:5
    #10 0x7f0638903426 in uc_emu_start unicorn/uc.c:880:5

For the fix in arm/translate.c:

SanitizerError
UndefinedBehaviorSanitizer: signed-integer-overflow unicorn/qemu/target/arm/translate.c:7777:13

Details
unicorn/qemu/target/arm/translate.c:7777:13: runtime error: signed integer overflow: 255 * 16843009 cannot be represented in type 'int'
    #0 0x7fc28eda0389 in t32_expandimm_imm unicorn/qemu/target/arm/translate.c:7777:13
    #1 0x7fc28eda0389 in disas_t32_extract_s_rri_rot unicorn/qemu/target/arm/decode-t32.inc.c:845:14
    #2 0x7fc28ed9dbad in disas_t32 unicorn/qemu/target/arm/decode-t32.inc.c:1621:21
    #3 0x7fc28ed98cd0 in disas_thumb2_insn unicorn/qemu/target/arm/translate.c:11105:9
    #4 0x7fc28ed98cd0 in thumb_tr_translate_insn unicorn/qemu/target/arm/translate.c:11582:9
    #5 0x7fc28ecdef12 in translator_loop_arm unicorn/qemu/accel/tcg/translator.c:124:9
    #6 0x7fc28ed21df6 in gen_intermediate_code_arm unicorn/qemu/target/arm/translate.c:11775:5
    #7 0x7fc28ecdc01b in tb_gen_code_arm unicorn/qemu/accel/tcg/translate-all.c:1636:5
    #8 0x7fc28ecc3dbc in tb_find unicorn/qemu/accel/tcg/cpu-exec.c:259:14
    #9 0x7fc28ecc3dbc in cpu_exec_arm unicorn/qemu/accel/tcg/cpu-exec.c:600:18
    #10 0x7fc28ec72c5c in tcg_cpu_exec unicorn/qemu/softmmu/cpus.c:96:17
    #11 0x7fc28ec72c5c in resume_all_vcpus_arm unicorn/qemu/softmmu/cpus.c:215:13
    #12 0x7fc28ec72f98 in vm_start_arm unicorn/qemu/softmmu/cpus.c:234:5
    #13 0x7fc28faeb426 in uc_emu_start unicorn/uc.c:880:5
wtdcode commented 1 year ago

LGTM, here you go.

wtdcode commented 1 year ago

Oh wait, you need to target the dev branch.

StalkR commented 1 year ago

Thanks! sent a new PR targeting dev branch as https://github.com/unicorn-engine/unicorn/pull/1907

And you rebase master on dev from time to time, e.g. for stable releases?