Encoding failure while instrumenting data16 div %di #1127

Closed
derekbruening opened this issue Nov 28, 2014 · 3 comments

Comments

derekbruening (Contributor):

From [email protected] on February 11, 2013 16:04:42

Splitting from issue #626 .

We seem to generate bad instrumentation on div %di. DR's disas of this instr:
0xf6937cfd 66 f7 f7 data16 div %di %dx %ax -> %dx %ax

I can add a minimal repro to registers.c and get the same encoding failure:
<Application /usr/local/google/home/rnk/drmemory/build/tests/registers (887) DynamoRIO usage error : instr_encode error: no encoding found>

We're trying to generate something like this:
+255 m4 @0x4eb0d100 64 8a 15 53 00 00 00 mov %fs:0x00000053 -> %dl
+262 m4 @0x4eb0cb40 64 0a 15 4c 00 00 00 or %fs:0x0000004c %dl -> %dl
+269 m4 @0x4eb0d180 8a ca mov %dl -> %cl
+271 m4 @0x4eb0cf9c 80 e1 0f and $0x0f %cl -> %cl
+274 m4 @0x4eb0cfe8 64 8a 2d 4e 00 00 00 mov %fs:0x0000004e -> %ch
+281 m4 @0x4eb0d034 0a cd or %ch %cl -> %cl
+283 m4 @0x4eb0cf5c 64 08 0d 4e 00 00 00 or %cl %fs:0x0000004e -> %fs:0x0000004e
+290 m4 @0x4eb0ca40 80 e1 0f and $0x0f %cl -> %cl
+293 m4 @0x4eb0d074 64 88 0d 54 00 00 00 mov %cl -> %fs:0x00000054

The instr is OP_mov_ld %cl -> (null opnd).

So we're trying to save shadow bits to a null shadow operand or something.

I need to run the minimal repro at a high log level to get more info.

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1127

derekbruening (Contributor, Author):

From [email protected] on February 12, 2013 08:17:29

Callstack where we create the bad mov_ld:

(gdb) set print pretty off
(gdb) bt
#0 syscall_0args () at ../../core/x86/x86.asm:1127
#1 0x4bc0de10 in ?? ()
#2 0xf728405a in os_read (f=..., buf=..., count=...) at ../../core/linux/os.c:3877
#3 0xf70f9b80 in notify (priority=..., internal=..., synch=..., substitution_num=..., prefix=..., fmt=...) at ../../core/utils.c:1955
#4 0xf70f4d20 in external_error (file=..., line=..., msg=...) at ../../core/utils.c:196
#5 0xf71f8b17 in instr_encode_common (dcontext=..., instr=..., copy_pc=..., final_pc=..., check_reachable=..., has_instr_opnds=..., assert_reachable=...) at ../../core/x86/encode.c:2365
#6 0xf71f9634 in instr_encode_check_reachability (dcontext=..., instr=..., pc=..., has_instr_opnds=...) at ../../core/x86/encode.c:2684
#7 0xf7213fd4 in private_instr_encode (dcontext=..., instr=..., always_cache=...) at ../../core/x86/instr.c:1894
#8 0xf72157e6 in instr_length (dcontext=..., instr=...) at ../../core/x86/instr.c:2718
#9 0x739098c2 in must_encode_instrlist_meta_preinsert (ilist=..., where=..., instr=...) at ../common/utils.c:121
#10 0x738534cc in add_dst_shadow_write (drcontext=..., bb=..., inst=..., mi=..., dst=..., src=..., src_opsz=..., dst_opsz=..., scratch8=..., si8=..., nowrite_target=..., process_eflags=..., alu_uncombined=..., preserve=...) at ../drmemory/fastpath.c:3162
#11 0x73853828 in add_dstX2_shadow_write (drcontext=..., bb=..., inst=..., mi=..., src=..., src_opsz=..., dst_opsz=..., scratch8=..., si8=..., nowrite_target=..., process_eflags=..., alu_uncombined=...) at ../drmemory/fastpath.c:3186
#12 0x73864e4c in instrument_fastpath (drcontext=..., bb=..., inst=..., mi=..., check_ignore_unaddr=...) at ../drmemory/fastpath.c:4882
#13 0x73834ad2 in instru_event_bb_insert (drcontext=..., tag=..., bb=..., inst=..., for_trace=..., translating=..., user_data=...) at ../drmemory/readwrite.c:4264
#14 0x739195a7 in drmgr_bb_event (drcontext=..., tag=..., bb=..., for_trace=..., translating=...) at ../../ext/drmgr/drmgr.c:457
#15 0xf726fd61 in instrument_basic_block (dcontext=..., tag=..., bb=..., for_trace=..., translating=..., emitflags=...) at ../../core/x86/instrument.c:1397
#16 0xf7226cd0 in client_process_bb (dcontext=..., bb=...) at ../../core/x86/interp.c:2486
#17 0xf722a800 in build_bb_ilist (dcontext=..., bb=...) at ../../core/x86/interp.c:3495
#18 0xf722ea36 in build_basic_block_fragment (dcontext=..., start=..., initial_flags=..., link=..., visible=..., for_trace=..., unmangled_ilist=...) at ../../core/x86/interp.c:4445
#19 0xf70dea7b in dispatch (dcontext=...) at ../../core/dispatch.c:187
#20 0x4bbc1f47 in ?? ()
#21 0x08048d1a in main () at ../tests/registers.c:663

The important bit is:

#10 0x738534cc in add_dst_shadow_write() at ../drmemory/fastpath.c:3162
#11 0x73853828 in add_dstX2_shadow_write() at ../drmemory/fastpath.c:3186

This is the first of the two register dsts of the div instr.

derekbruening (Contributor, Author):

From [email protected] on February 12, 2013 10:05:01

Derek, can you take a look at this?

In the test case in the attached diff, we have a divw %di %ax %dx -> %ax %dx instruction.

The execution is something like:

  • call add_dstX2_shadow_write()
  • first call to add_dst_shadow_write
  • into the else bucket titled:
        /* dynamically-varying src.shadow or offset */
  • into the else if bucket titled:
        else if (opnd_is_immed_int(dst.offs)) {
            /* Load from memory into register, or register-to-register move */
  • preserve is true (this is the first dst write)
  • at the end of the else bucket, we run this code (I added the assert):
        if (preserve) {
            /* XXX: more efficient to combine the 2 dst writes but simpler
             * code-wise for now to fully restore and then put back into cl
             */
            ASSERT(!opnd_is_null(memoffs), "can't preserve with no memoffs?");
            PRE(bb, inst, INSTR_CREATE_mov_ld
                (drcontext, memoffs, opnd_create_reg(REG_CL)));

I'm not familiar with this code and it seems like the wrong time to start learning it. I spent a few hours on it but I can't figure out what's supposed to happen on this 3-src, 2-dst, 2-byte ALU op.

Owner: [email protected]
Labels: Component-FullMode

Attachment: divw-test.diff
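The two comments above describe the same instruction from different angles: the first shows DR's decode of `66 f7 f7` as a three-source, two-destination op, and the last asks what shadow propagation is supposed to do for it. The following standalone C program is an added illustration and is not Dr. Memory or DynamoRIO code. It decodes that byte sequence (the `data16` prefix, the `F7 /6` group-3 opcode, the register-direct ModRM) and then applies the rule a 3-src/2-dst ALU op needs: OR the source shadows together under the operand-size mask and write the result into every destination, leaving register bytes outside the operand size alone. The shadow layout (one byte per register, 2 bits per register byte, 0 = defined), the register numbering, and all function names are assumptions made for the example; the `0x0f` mask is this model's 16-bit mask and is not a claim about the tool's internals.

```c
/* Added example (not Dr. Memory or DynamoRIO code): decodes the three bytes
 * from the report, 66 f7 f7, and models the shadow propagation that a
 * 3-src/2-dst op like divw needs. The 2-bits-per-byte shadow layout, the
 * register numbering and every function name here are assumptions made for
 * illustration, not the tool's actual data structures. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 ModRM register numbers (same order for ax..di and eax..edi). */
enum { R_AX, R_CX, R_DX, R_BX, R_SP, R_BP, R_SI, R_DI, R_COUNT };
static const char *const reg_name[R_COUNT] =
    { "ax", "cx", "dx", "bx", "sp", "bp", "si", "di" };

typedef struct {
    int opsize;   /* operand size in bits: 16 with a data16 prefix, else 32 */
    int nsrc, ndst;
    int srcs[3];  /* divisor, dx, ax */
    int dsts[2];  /* dx (remainder), ax (quotient) */
} div_insn_t;

/* Decode "[66] F7 /6" in register-direct form (mod == 3), i.e. DIV r16/r32.
 * Returns the number of bytes consumed, or 0 if the bytes are not that form. */
static size_t decode_div(const uint8_t *bytes, size_t len, div_insn_t *out)
{
    size_t i = 0;
    memset(out, 0, sizeof(*out));
    out->opsize = 32;
    if (i < len && bytes[i] == 0x66) {      /* operand-size override: "data16" */
        out->opsize = 16;
        i++;
    }
    if (i + 2 > len || bytes[i] != 0xf7)    /* F7 = group-3 opcode */
        return 0;
    uint8_t modrm = bytes[i + 1];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod != 3 || reg != 6)               /* /6 selects DIV; only the reg form is modeled */
        return 0;
    /* DIV divides dx:ax (or edx:eax) by the explicit operand and writes the
     * quotient to ax and the remainder to dx: three sources, two destinations. */
    out->srcs[0] = rm;   out->srcs[1] = R_DX; out->srcs[2] = R_AX; out->nsrc = 3;
    out->dsts[0] = R_DX; out->dsts[1] = R_AX; out->ndst = 2;
    return i + 2;
}

/* Shadow model (assumption): one shadow byte per register, 2 bits per
 * register byte, 0 = defined, non-zero = undefined. A 16-bit operand therefore
 * covers the low 4 shadow bits (mask 0x0f); a 32-bit operand all 8 (0xff). */
static uint8_t opsize_mask(int opsize) { return opsize == 16 ? 0x0f : 0xff; }

/* Propagate shadow for one DIV: OR the source shadows together under the
 * operand mask and write the combined value into every destination, leaving
 * the bytes outside the operand size untouched. Returns the number of
 * destinations written, or -1 if the bytes did not decode. */
static int propagate_div(const uint8_t *bytes, size_t len, uint8_t shadow[R_COUNT])
{
    div_insn_t d;
    if (decode_div(bytes, len, &d) == 0)
        return -1;
    uint8_t mask = opsize_mask(d.opsize), combined = 0;
    for (int i = 0; i < d.nsrc; i++)
        combined |= shadow[d.srcs[i]] & mask;
    for (int i = 0; i < d.ndst; i++)
        shadow[d.dsts[i]] = (uint8_t)((shadow[d.dsts[i]] & ~mask) | combined);
    return d.ndst;
}

int main(void)
{
    /* Constructed input: the instruction from the report, data16 div %di. */
    const uint8_t insn[] = { 0x66, 0xf7, 0xf7 };
    div_insn_t d;
    size_t n = decode_div(insn, sizeof insn, &d);
    printf("decoded %zu bytes: div%s %%%s -> %%%s, %%%s\n", n,
           d.opsize == 16 ? "w" : "l", reg_name[d.srcs[0]],
           reg_name[d.dsts[0]], reg_name[d.dsts[1]]);

    uint8_t shadow[R_COUNT] = { 0 };
    shadow[R_DI] = 0x03;   /* low byte of di undefined, other bytes defined */
    propagate_div(insn, sizeof insn, shadow);
    for (int r = 0; r < R_COUNT; r++)
        if (shadow[r])
            printf("shadow[%s] = 0x%02x\n", reg_name[r], shadow[r]);
    return 0;
}
```

The point the model makes explicit is the one the thread circles around: with two destinations, both dx and ax must receive the same combined source shadow, and a 16-bit write must not clobber the shadow of the upper half of edx or eax. The `notdiv` case in the checks (a memory-form ModRM) shows the decoder refusing anything outside the register-direct form it claims to handle.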

derekbruening (Contributor, Author):

From [email protected] on February 14, 2013 11:21:20

This issue was closed by revision r1177.

Status: Fixed
