Skip to content
GitLab
Closed
Issue created by John F.X. Galea@johnfxgaleaContributor

Illegal Instruction PEXT

I am encountering an illegal instruction exception when creating and inlining a pext instruction. There seems be a bug in the decoding of the instruction.

Here is a simple test snippet:

opnd_t msk_opnd = opnd_create_reg(scratch_reg2);
opnd_t src_opnd = opnd_create_reg(scratch_reg);
opnd_t dst_opnd = opnd_create_reg(scratch_reg3);

instr_t *instr = INSTR_CREATE_pext(drcontext, dst_opnd, src_opnd, msk_opnd);
instrlist_meta_preinsert(bb, where, instr);

instr_disassemble(drcontext, instr, STDERR);

The instruction’s entry in the decode table has the following encoding: .

{OP_pext, 0x6638f518, "pext", Gy, xx, Ey, By, xx, mrm|vex, x, END_LIST},

Shouldn’t the prefix be f3 instead of 66? Ref: https://www.felixcloutier.com/x86/pext Is this causing the crash?

With this in mind, I went on to create a patch, replacing, 0x6638f518 with 0xf338f518, but this is where things got a bit strange. The non-working patch is available here: https://github.com/johnfxgalea/dynamorio/commit/f2e6363a89d4f92486027983f1e5524854a7779c

With the patch, I am no longer getting a crash, but after some testing, the encoded instruction does not correspond with the operand sequence specified via the INSTR_CREATE_pext macro, and therefore I am getting incorrect functionality.

I attached gdb, and disassembled the instruction. The results is the following (disassembly flavour set to intel):

   0x4a625014:	mov    DWORD PTR fs:0x5c,ebx
=> 0x4a62501b:	mov    DWORD PTR ds:0x1,ecx
   0x4a625021:	pext   ebx,edx,ecx
   0x4a625026:	mov    ecx,DWORD PTR fs:0x54
   0x4a62502d:	mov    edx,DWORD PTR fs:0x58

But instr_disassemble, found in the test case, outputs (also with -syntax intel):

pext ebx, ecx, edx

Notice that the source operand (the second operand) is swapped with the mask (the third operand). BUT this is not the operand sequence that was specified with INSTR_CREATE_pext. I've confirmed this also with a set of pre and post clean call tests.

May another DR developer try and replicate this crash please just in case I missed something. I'm not sure how to fix this so any help would be greatly appreciated.

Test case may be found here: https://github.com/johnfxgalea/dynamorio/tree/test_pext_branch

Due to other constraints, I am running on a 32-bit Ubuntu System. My CPU does support BMI2 instructions (confirmed via proc/cpuinfo). In fact, pdep does not cause an illegal instruction crash on my machine.

I am working on the current head (i.e., c258f5b1)