Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[APP CRASH, AArch64] aflags not properly restored using drreg API due to incomplete decoder #4687

Closed
sapostolakis opened this issue Jan 23, 2021 · 1 comment · Fixed by #4688
Closed

[APP CRASH, AArch64] aflags not properly restored using drreg API due to incomplete decoder #4687

sapostolakis opened this issue Jan 23, 2021 · 1 comment · Fixed by #4688
Assignees
@sapostolakis
Labels
Bug-AppCrash OpSys-AArch64

Comments

@sapostolakis
Copy link
Contributor

Use of drreg's API ( drreg_reserve_aflags() and drreg_unreserve_aflags()) to save and restore aflags on AArch64 clobbered the aflags for an application. The control flow under DR was different than the control flow on a native run leading to an unexpected application-level assertion. The bug exhibited after a couple of millions of instructions and DR was run with these arguments: -unsafe_build_ldstex -disable_traces -vm_size 2G -no_enable_reset -t drcachesim -offline -trace_after_instrs 3000G -exit_after_tracing 20G.

As an optimization, drreg performs restoration of aflags as late as possible to minimize spills/fills. This optimization works fine for all the recognized flags-sensitive (read/write flags) instructions in the application that I checked. However, for AArch64 the decoder is incomplete and there are unrecognized instructions decoded as instances of a generic instruction, OP_xx. It seems that the placement of the aflags restoration by drreg does not take into account these unrecognized instructions and there are multiple cases like the following:

m4  ...   subs   ...
L3  ...   xx     ...
m4  ...   msr    %x1 -> %nzcv

In this example, DR clobbers the aflags (with subs), then an unrecognized instruction of the application (xx) that may read/write aflags operates on the clobbered aflags, and then the flags are overwritten (msr) nullifying any effect of the unrecognized instruction on the flags. Instead, the flags should have been restored prior to the xx instruction.
@sapostolakis sapostolakis self-assigned this Jan 23, 2021
sapostolakis added a commit that referenced this issue Jan 23, 2021
@sapostolakis
i#4687: handle OP_xx insts when using drreg_unreserve_aflags on AArch64
fd040d9 
Conservatively restore aflags before unrecognized instructions in case they read/write the flags.

Fixes: #4687
This was referenced Jan 23, 2021
Merged
Merged
@derekbruening
Copy link
Contributor

So this is in some sense a duplicate of #2626. Having an incomplete decoder was presumed to be a temporary condition. Since the missing instructions could cause many other problems in liveness and other analyses of GPR's (including drreg problems with GPR's akin to the aflags here), of SIMD registers for clean call state preservation analysis as well as drreg, and are a non-starter for taint analysis which needs to know every operand: it seems #2626 should have its priority raised.

@derekbruening derekbruening mentioned this issue Jan 23, 2021
Open
@derekbruening derekbruening changed the title [APP CRASH, AArch64] aflags not properly restored using drreg API [APP CRASH, AArch64] aflags not properly restored using drreg API due to incomplete decoder Jan 23, 2021
sapostolakis added a commit that referenced this issue Jan 25, 2021
@sapostolakis
i#4687: conservatively handle aflags for OP_xx instructions on AArch64 (
da71023 
#4688)

For AArch64, conservatively assume that all OP_xx instructions (i.e., unrecognized instructions) may read/write aflags until the decoder for AArch64 handles all the opcodes that read/write aflags.

Fixes: #4687
@derekbruening derekbruening mentioned this issue Apr 14, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sapostolakis sapostolakis

Labels
Bug-AppCrash OpSys-AArch64
Projects
None yet
Milestone
No milestone
2 participants
@derekbruening @sapostolakis