CRASH (8.0.18523) x64: dr_insert_clean_call generates wrong encoding for (invalid) `mov r64, imm16`
Created by: clslgrnc
Describe the bug
The documentation of dr_insert_clean_call
currently states that:
The routine also supports immediate integers that are smaller than the register size
Yet on x64 a dr_insert_clean_call
with an operand of size 8 or 16 leads to a crash.
To Reproduce
From the root of the repository, at the currently last commit on branch master 6c638197 (tag: cronbuild-8.0.18523).
Modify suite/tests/client-interface/count-bbs.dll.c to test dr_insert_clean_call
with a 16-bit operand:
--- a/suite/tests/client-interface/count-bbs.dll.c
+++ b/suite/tests/client-interface/count-bbs.dll.c
@@ -38,7 +38,7 @@ static uint64 bbcnt1 = 0;
static uint64 bbcnt4 = 0;
static void
-bbcount4(reg_t r1, reg_t r2, reg_t r3, reg_t r4)
+bbcount4(reg_t r1, reg_t r2, reg_t r3, u_int16_t r4)
{
bbcnt4++;
}
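Review bot: `u_int16_t` in the new bbcount4 signature is the BSD-style typedef from <sys/types.h> rather than the standard name; `uint16_t` from <stdint.h> (or DynamoRIO's own `ushort`) would be portable. Also, since the body is still `bbcnt4++;` and never reads r4, this test only exercises the clean-call encoding, not that the 16-bit immediate actually reaches the callee; having bbcount4 check that r4 == 0 would let the same test catch a wrong value once the encoding is fixed.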
@@ -74,7 +74,7 @@ bb_event(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool trans
opnd_create_reg(REG_XAX));
dr_insert_clean_call(drcontext, bb, instr, bbcount4, false, 4,
opnd_create_reg(REG_XAX), opnd_create_reg(REG_XBX),
- opnd_create_reg(REG_XCX), opnd_create_reg(REG_XDX));
+ opnd_create_reg(REG_XCX), OPND_CREATE_INT16(0));
return DR_EMIT_DEFAULT;
}
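Review bot: only the 16-bit case is exercised here, while the description says an 8-bit operand crashes as well; a second variant of this call using `OPND_CREATE_INT8(0)` in place of `OPND_CREATE_INT16(0)` would cover both sizes named in the report. Keeping the argument count at `4` and substituting the immediate for the fourth register operand is the minimal change needed to hit the `mov r64, imm16` path from the title, and the expected-output regex (`bbcount4... yes`) is unaffected by it.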
Build and test:
$ cmake -DBUILD_TESTS=ON ../dynamorio
$ make -j6
$ ctest -V -R "count-bbs"
test 127
Start 127: code_api|client.count-bbs
127: Test command: /dynamorio/bin64/drrun "-s" "90" "-quiet" "-killpg" "-stderr_mask" "0xC" "-dumpcore_mask" "0" "-code_api" "-c" "/dynamorio/suite/tests/bin/libclient.count-bbs.dll.so" "--" "/dynamorio/suite/tests/bin/simple_app"
127: Test timeout computed to be: 1500
127: <Application /dynamorio/suite/tests/bin/simple_app (259721). Tool internal crash at PC 0x00007f1d70a6be1d. Please report this at your tool's issue tracker. Program aborted.
127: Received SIGSEGV at generated pc 0x00007f1d70a6be1d in thread 259721
127: Base: 0x00007f1db4a5a000
127: Registers:eax=0x0000000000000000 ebx=0x00007f1b70b05720 ecx=0x0000000000000000 edx=0x0000000000000000
127: esi=0x0000000000000000 edi=0x00007f1b70b05700 esp=0x00007f1b70b05778 ebp=0x0000000000000000
127: r8 =0x0000000000000000 r9 =0x0000000000000000 r10=0x0000000000000000 r11=0x0000000000000000
127: r12=0x0000000000000000 r13=0x0000000000000000 r14=0x0000000000000000 r15=0x0000000000000000
127: eflags=0x0000000000010202
127: version 8.0.18523, custom build
127: -no_dynamic_options -client_lib '/dynamorio/suite/tests/bin/libclient.count-bbs.dll.so;0;' -client_lib64 '/dynamorio/suite/tests/bin/libclient.count-bbs.dll.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_sy
127: 0x00007f1b70adf080 0x0000000000000000>
1/1 Test #127: code_api|client.count-bbs ........***Failed Required regular expression not found. Regex=[^Hello, world!
bbcount0_fp\.\.\. yes
bbcount1\.\.\. yes
bbcount4\.\.\. yes
$
] 0.03 sec
0% tests passed, 1 tests failed out of 1
Expected behavior
The modified test should pass, or the doc should be modified to state more explicitly what operands are not supported.
Versions
- What version of DynamoRIO are you using? 8.0.1
- Does the latest build from https://github.com/DynamoRIO/dynamorio/wiki/Latest-Build solve the problem? No
- What operating system version are you running on? Ubuntu 20.04.1 LTS
- Is your application 32-bit or 64-bit? 64
Additional context
Might be a duplicate of #1707.