AArch64 CRASH from some stolen register handling bug
On a proprietary app we are seeing a crash where the app reads from the address 0x100.
The bug goes away with -steal_reg 29 and seems to be some kind of stolen register mangling bug.
The problematic code involves reading from the thread reg into x28:
```
0xaaaab55ec634 +116: mrs x28, tpidr_el0
0xaaaab55ec638 +120: mov w8, #0x1 // #1
0xaaaab55ec63c +124: ldr w10, [x20]
0xaaaab55ec640 +128: cbz w10, 0xaaaab55ec660 +160
0xaaaab55ec644 +132: mov w9, w10
0xaaaab55ec648 +136: sub w11, w10, #0x1
0xaaaab55ec64c +140: casa w9, w11, [x20]
0xaaaab55ec650 +144: cmp w9, w10
0xaaaab55ec654 +148: b.eq 0xaaaab55ec730 +368 // b.none
0xaaaab55ec658 +152: mov w10, w9
0xaaaab55ec65c +156: cbnz w9, 0xaaaab55ec648 +136
0xaaaab55ec660 +160: tbnz w8, #0, 0xaaaab55ec68c +204
```
This is DR linked statically into the app, so the thread reg holds the app value. It looks like DR mangles the thread reg when static, which it shouldn't (filed #4459 (closed)), but fixing that doesn't eliminate the problem here.
I don't know where the mangling bug is: I'm using the workaround to work around it.
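A minimal reproducer of the instruction pattern in the listing above, added here as an example; it is not code from the issue or from DynamoRIO. It keeps a thread-register read (the `mrs x28, tpidr_el0` at +116) live across an atomic decrement-if-nonzero loop on a 32-bit counter, which an LSE-enabled toolchain (for instance `gcc -O2 -march=armv8-a+lse`) compiles to the same ldr/cbz/casa/cmp/cbnz shape as +124..+156. The function names, the TLS-variable stand-in used on non-AArch64 hosts, and the choice of a plain counter rather than whatever the proprietary app is actually decrementing are assumptions of the example, not facts from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Non-AArch64 fallback only: the address of a TLS variable stands in for the
 * thread register so the file also builds on other hosts (an assumption of
 * this example, not anything the issue states). */
static __thread uint32_t tls_word;

/* Read the thread register. On AArch64 this is the same instruction as the
 * listing's "mrs x28, tpidr_el0". */
static uintptr_t read_thread_reg(void)
{
    uintptr_t tp;
#if defined(__aarch64__)
    __asm__ volatile("mrs %0, tpidr_el0" : "=r"(tp));
#else
    tp = (uintptr_t)&tls_word;
#endif
    return tp;
}

/* Atomically decrement *count unless it is already zero; return the value
 * observed before the decrement (0 means nothing was decremented).
 * Source-level shape of the loop at +124..+156:
 * ldr w10,[x20] / cbz w10 / casa w9,w11,[x20] / cmp w9,w10 / b.eq / cbnz w9. */
static uint32_t dec_if_nonzero(uint32_t *count)
{
    uint32_t expected = __atomic_load_n(count, __ATOMIC_RELAXED);   /* ldr w10, [x20] */
    while (expected != 0) {                                          /* cbz w10 / cbnz w9 */
        /* casa w9, w11, [x20]: compare against 'expected', swap in expected-1 with
         * acquire ordering; on failure 'expected' receives the observed value (w9). */
        if (__atomic_compare_exchange_n(count, &expected, expected - 1, 0,
                                        __ATOMIC_ACQUIRE, __ATOMIC_ACQUIRE))
            return expected;                                         /* cmp w9, w10 / b.eq */
    }
    return 0;
}

/* Drive the pattern with the thread-register value live across the loop, as x28
 * is in the listing. Returns the final counter value, or -1 if the value read
 * from the thread register differs before and after the loop. */
static int run_pattern(uint32_t initial)
{
    uint32_t count = initial;
    uintptr_t tp_before = read_thread_reg();
    for (uint32_t i = 0; i < initial + 2; i++)   /* two extra calls exercise the count==0 path */
        dec_if_nonzero(&count);
    uintptr_t tp_after = read_thread_reg();
    if (tp_before != tp_after)
        return -1;
    return (int)count;
}

/* Check the decrement sequence 3 -> 2 -> 1 -> 0 -> 0 (stays at zero). */
static int check_decrement_sequence(void)
{
    uint32_t c = 3;
    if (dec_if_nonzero(&c) != 3 || c != 2) return 0;
    if (dec_if_nonzero(&c) != 2 || c != 1) return 0;
    if (dec_if_nonzero(&c) != 1 || c != 0) return 0;
    if (dec_if_nonzero(&c) != 0 || c != 0) return 0;
    return 1;
}

int main(void)
{
    int final_count = run_pattern(5);
    printf("decrement sequence ok: %d\n", check_decrement_sequence());
    printf("thread reg stable: %s, final count: %d\n",
           final_count >= 0 ? "yes" : "no", final_count);
    return final_count == 0 ? 0 : 1;
}
```

Build it with LSE enabled, check with objdump that the loop came out as casa, then run it natively and under drrun with and without -steal_reg 29; the expected result in every run is a final count of 0 and the thread register reading back the same value on both sides of the loop.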