Decode bug resulting in invalid cmovcc opcode
When inlining a valid cmov instruction, DynamoRIO issues an incorrect usage error.
<Application /bin/echo (8033) DynamoRIO usage error : invalid cmovcc opcode>
More specifically, the following code added to the memtrace sample causes the error:
opnd_t opnd1, opnd2;
instr_t *instr;
/* Both operands are the same general-purpose register (reg1); any GPR works. */
opnd1 = opnd_create_reg(reg1);
opnd2 = opnd_create_reg(reg1);
/* cmovnz reg1, reg1: a valid cmovcc encoding, inserted as a meta (client) instruction. */
instr = INSTR_CREATE_cmovcc(drcontext, OP_cmovnz, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
The root cause is in read_instruction as the opcode field in decode information is not initialised. Consequently, as seen in the stack trace, when decode_predicate_from_instr_info is called, garbage uninitialised data acting as the opcode is passed, hence causing the error.
I'll provide a fix soon.
#0 syscall_0args ()
at /home/john/dynamorio/core/arch/x86/x86_shared.asm:176
#1 0x50351ca8 in ?? ()
#2 0x7121bf28 in os_read (f=0, buf=0x50351333, count=1)
at /home/john/dynamorio/core/unix/os.c:4368
#3 0x710a5917 in notify (priority=SYSLOG_ERROR, internal=false, synch=true, substitution_num=4,
prefix=0x7128b5d8 "SYSLOG_ERROR", fmt=0x7128b5b0 "Application %s (%s) %s usage error : %s")
at /home/john/dynamorio/core/utils.c:1933
#4 0x710a130e in external_error (
file=0x712c5b50 "/home/john/dynamorio/core/arch/x86/instr.c",
line=1777, msg=0x712c6c78 "invalid cmovcc opcode")
at /home/john/dynamorio/core/utils.c:202
#5 0x711ba17e in instr_cmovcc_to_jcc (cmovcc_opcode=1345301108)
at /home/john/dynamorio/core/arch/x86/instr.c:1777
#6 0x711c04e9 in decode_predicate_from_instr_info (opcode=**1345301108**, info=0x7131ec60 <second_byte+2464>)
at /home/john/dynamorio/core/arch/x86/decode.c:1841
#7 0x711c053d in decode_eflags_usage (dcontext=0x502fa7c0, pc=0x50355120 "\017MҼ\274\274\274\274\200O5PlM5P",
usage=0x50354c90, flags=DR_QUERY_INCLUDE_ALL)
at /home/john/dynamorio/core/arch/x86/decode.c:1877
#8 0x711afea7 in instr_get_eflags (instr=0x50354c60, flags=DR_QUERY_INCLUDE_COND_SRCS)
at /home/john/dynamorio/core/arch/instr_shared.c:928
#9 0x711aff8d in instr_get_arith_flags (instr=0x50354c60, flags=DR_QUERY_INCLUDE_COND_SRCS)
at /home/john/dynamorio/core/arch/instr_shared.c:961
#10 0x711d3980 in eflags_analysis (instr=0x50354c60, status=0, eflags_6=0x50351c80)
at /home/john/dynamorio/core/arch/interp.c:644
#11 0x711e7ded in forward_eflags_analysis (dcontext=0x502fa7c0, ilist=0x50355128, instr=0x50354f80)
at /home/john/dynamorio/core/arch/interp.c:7045
#12 0x711da19b in client_process_bb (dcontext=0x502fa7c0, bb=0x50351e90)
at /home/john/dynamorio/core/arch/interp.c:3118
#13 0x711ddf7e in build_bb_ilist (dcontext=0x502fa7c0, bb=0x50351e90)
at /home/john/dynamorio/core/arch/interp.c:4134
#14 0x711e1f25 in build_basic_block_fragment (dcontext=0x502fa7c0,
start=0xb7fdaa20 <temp_heapmgt+14784> "\211\340\350\231\v", initial_flags=0, link=true, visible=true,
for_trace=false, unmangled_ilist=0x0)
at /home/john/dynamorio/core/arch/interp.c:5137
#15 0x71089d54 in dispatch (dcontext=0x502fa7c0)
at /home/john/dynamorio/core/dispatch.c:215
#16 0x71202409 in call_dispatch_alt_stack_no_free ()
at /home/john/dynamorio/core/arch/x86/x86.asm:299
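The following is an added, self-contained model of the root cause described above (an opcode field left unset by the decode-information reader and then consumed by a predicate lookup that validates it); it is not DynamoRIO's code, and the names read_instruction_buggy, read_instruction_fixed, decode_predicate, the OP_* and DR_PRED_* numbering, and the decode_info_t layout are all hypothetical stand-ins. Because reading genuinely uninitialised memory is undefined behaviour, the struct is deliberately poisoned with a pointer-like pattern first; for comparison, the garbage opcode in frame #6, 1345301108, is 0x502FAA74, which sits a few hundred bytes past dcontext=0x502fa7c0 and so looks like a stale pointer rather than an opcode.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical opcode numbering; DynamoRIO's real OP_* values differ. */
enum {
    OP_INVALID = 0,
    OP_cmovo   = 100,   /* first cmovcc opcode in the (hypothetical) table */
    OP_cmovnz  = 105,
    OP_cmovnle = 115,   /* last cmovcc opcode in the (hypothetical) table */
};

/* Hypothetical predicate numbering: DR_PRED_O is the predicate of cmovo. */
enum { DR_PRED_NONE = 0, DR_PRED_O = 1 };

/* Stand-in for the decode information filled by read_instruction(). */
typedef struct {
    int num_dsts;
    int num_srcs;
    int opcode;         /* the field the report says is never initialised */
} decode_info_t;

/* Stand-in for instr_cmovcc_to_jcc()'s validity check. */
static bool cmovcc_opcode_valid(int opcode) {
    return opcode >= OP_cmovo && opcode <= OP_cmovnle;
}

/* Stand-in for decode_predicate_from_instr_info(): returns the predicate,
 * or -1 where the real code raises the "invalid cmovcc opcode" usage error. */
static int decode_predicate(const decode_info_t *di) {
    if (!cmovcc_opcode_valid(di->opcode))
        return -1;
    return DR_PRED_O + (di->opcode - OP_cmovo);
}

/* Buggy reader: fills the operand counts but never writes opcode. */
static void read_instruction_buggy(decode_info_t *di, int opcode) {
    (void)opcode;       /* the caller's opcode is silently dropped */
    di->num_dsts = 1;
    di->num_srcs = 2;
}

/* Fixed reader: zero-initialises the whole struct and records the opcode. */
static void read_instruction_fixed(decode_info_t *di, int opcode) {
    memset(di, 0, sizeof *di);
    di->opcode   = opcode;
    di->num_dsts = 1;
    di->num_srcs = 2;
}

/* Poison the struct with a pointer-looking pattern (0x50505050) to simulate
 * stale stack contents deterministically, then run the buggy reader. */
static int predicate_via_buggy_reader(int opcode) {
    decode_info_t di;
    memset(&di, 0x50, sizeof di);
    read_instruction_buggy(&di, opcode);
    return decode_predicate(&di);   /* -1: garbage fails the cmovcc range check */
}

/* Same poison, fixed reader: the opcode is set, so the predicate resolves. */
static int predicate_via_fixed_reader(int opcode) {
    decode_info_t di;
    memset(&di, 0x50, sizeof di);
    read_instruction_fixed(&di, opcode);
    return decode_predicate(&di);
}

int main(void) {
    printf("buggy reader: predicate=%d\n", predicate_via_buggy_reader(OP_cmovnz));
    printf("fixed reader: predicate=%d\n", predicate_via_fixed_reader(OP_cmovnz));
    return 0;
}
```

The same poisoned input drives both paths, so the only difference between the -1 and the valid predicate is whether the reader initialised the opcode field; a consumer-side range check of the kind instr_cmovcc_to_jcc performs catches the garbage but cannot recover the intended opcode, which is why the fix belongs in the reader.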