[DynInst_API:] Instruction decoding bug


Date: Fri, 06 Jul 2018 18:44:43 -0500
From: Yizi Gu <yg31@xxxxxxxx>
Subject: [DynInst_API:] Instruction decoding bug
A complete example demonstrating the bug can be found at the following URL.

https://rice.box.com/s/zhz305kqwn3e6t7rusun7bis864c09k6

Below is the readme that explains the bug with instruction decoding on x86 and how to reproduce it. 

Instruction decoding works on 9.3.0 but gets the wrong answer on 9.3.2 and master. 

1. To compile live.c, call make
2. The live-output-master is generated by ./live ./abelian with environment variable DATAFLOW_DEBUG_LIVENESS=1 and dyninst library 9.3.2 or master
   The live-output-9.3.0 is generated by ./live ./abelian with environment variable DATAFLOW_DEBUG_LIVENESS=1 and dyninst library 9.3.0
3. The issue

With DynInst-9.3.0, the read set for the instruction at address 0x4009dc includes rsi. The following two instructions are from the binary 'abelian'. The first instruction writes rsi, the second instruction reads rsi.

  4009d8:   48 8b 75 f8             mov    -0x8(%rbp),%rsi
  4009dc:   44 8b 16                mov    (%rsi),%r10d

It can be seen that after the instruction at address 0x4009d8, the 'Written' bit for rsi is set. And after the instruction at address 0x4009dc, the 'Read' bit for rsi is set. So the liveness analysis correctly treats rsi as being live and therefore preserves the value of rsi in the instrumented code.

liveness.C[145] After instruction mov RSI, [RBP + fffffffffffffff8] at address 0x4009d8:
calcRWSets for mov RSI, [RBP + fffffffffffffff8] @ 4009d8
Read registers:
    x86_64::rbp
Write Registers:
    x86_64::rsi
liveness.C[157] After instruction at address 0x4009d8:
                                                                                                 ttttttttddddddddcccccccmxxxxxxxxxxxxxxxxgf                  rrrrrrrrrrrrrrrrr
                                                                                                 rrrrrrrrrrrrrrrrrrrrrrrm1111110000000000ssoscgfedrnoditszapci11111100dsbsbdca
                                                                                                 7654321076543210765432105432109876543210bbrssssssftfffffffffp54321098iippxxxx
Read    0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000
Written 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000
Used    0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011110100
Defined 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001111100000001101110111
liveness.C[145] After instruction mov R10D, [RSI] at address 0x4009dc:
calcRWSets for mov R10D, [RSI] @ 4009dc
Read registers:
    x86_64::rsi
Write Registers:
    x86_64::r10d
liveness.C[157] After instruction at address 0x4009dc:
                                                                                                 ttttttttddddddddcccccccmxxxxxxxxxxxxxxxxgf                  rrrrrrrrrrrrrrrrr
                                                                                                 rrrrrrrrrrrrrrrrrrrrrrrm1111110000000000ssoscgfedrnoditszapci11111100dsbsbdca
                                                                                                 7654321076543210765432105432109876543210bbrssssssftfffffffffp54321098iippxxxx
Read    0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000
Written 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000
Used    0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011110100
Defined 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001111100000011101110111

However, with DynInst master and DynInst-9.3.2, the read set for the instruction at address 0x4009dc does not set rsi. Instead, it sets $r14, which is shown below. Liveness analysis thus treats rsi as a non-alive register, and consequently the instrumented code does not preserve rsi, which stores a value that will be used by the program. This causes a segmentation fault in the instrumented program: because the value in rsi is changed to some wild value, the move instruction at 0x4009dc causes the segmentation fault.

We checked the LivenessAnalyzer::calcRWSets function; the curInsn it gets was mov ($r14d), %r10d @ 4009dc. This implies that the instruction decoding is not correct.

liveness.C[145] After instruction mov 0xfffffffffffffff8(%rbp),%rsi at address 0x4009d8:
calcRWSets for mov 0xfffffffffffffff8(%rbp),%rsi @ 4009d8
Read registers:
    x86_64::rbp
Write Registers:
    x86_64::rsi
liveness.C[157] After instruction at address 0x4009d8:
                                                                                                 ttttttttddddddddcccccccmxxxxxxxxxxxxxxxxgf                  rrrrrrrrrrrrrrrrr
                                                                                                 rrrrrrrrrrrrrrrrrrrrrrrm1111110000000000ssoscgfedrnoditszapci11111100dsbsbdca
                                                                                                 7654321076543210765432105432109876543210bbrssssssftfffffffffp54321098iippxxxx
Read    0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000
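Added example, not part of the bug report or of DynInst: a minimal decoder for the MOV reg, [base(+disp)] encodings of the two instructions quoted above (opcode 8B with an optional REX prefix), feeding a toy read/write set computation like the one calcRWSets performs. The `buggy` switch is an illustrative assumption, not a claim about DynInst's actual defect: it applies REX.R to the r/m field as well as to the reg field, which is one way a decoder can report (%r14) where the bytes 44 8b 16 really encode (%rsi), and it shows how that drops rsi from the read set.

```python
# Added illustration, not DynInst code.  Decodes `[REX] 8B /r` with a
# [base] or [base+disp] memory operand and derives read/write register sets.
# `buggy=True` is an assumed defect (REX.R misapplied to the base field).

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_mov_load(code, buggy=False):
    """Return (dest, base, disp) for MOV reg, [base(+disp)] (opcode 8B)."""
    i = 0
    rex_w = rex_r = rex_b = 0
    if 0x40 <= code[i] <= 0x4F:            # REX prefix: 0100 W R X B
        rex_w = (code[i] >> 3) & 1         # W: 64-bit operand size
        rex_r = (code[i] >> 2) & 1         # R: extends ModRM.reg
        rex_b = code[i] & 1                # B: extends ModRM.rm (the base)
        i += 1
    if code[i] != 0x8B:
        raise ValueError("only MOV reg, r/m (opcode 8B) is handled")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("register-direct, SIB and RIP-relative forms not handled")
    disp = 0
    if mod == 1:                            # [base + disp8]
        disp = int.from_bytes(code[i + 2:i + 3], "little", signed=True)
    elif mod == 2:                          # [base + disp32]
        disp = int.from_bytes(code[i + 2:i + 6], "little", signed=True)
    dest = (REG64 if rex_w else REG32)[reg | (rex_r << 3)]
    base_ext = rex_r if buggy else rex_b    # assumed defect: wrong REX bit used
    base = REG64[rm | (base_ext << 3)]
    return dest, base, disp


def calc_rw_sets(code, buggy=False):
    """Read/write register sets a liveness pass would derive from the load:
    the base register is read, the destination register is written."""
    dest, base, _ = decode_mov_load(code, buggy)
    return {base}, {dest}


if __name__ == "__main__":
    # The two encodings quoted in the report: 48 8b 75 f8 and 44 8b 16.
    for insn in (bytes([0x48, 0x8B, 0x75, 0xF8]), bytes([0x44, 0x8B, 0x16])):
        print(insn.hex(), decode_mov_load(insn), "buggy:", decode_mov_load(insn, True))
```

With the correct decoding the read set of 44 8b 16 is {rsi}; with the assumed defect it becomes {r14}, which is the shape of the wrong read set in the master/9.3.2 output.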
