
Incomplete memory address for push/call and incomplete size for far call/ret, int/iret, pusha/popa, and enter #164

Closed
derekbruening opened this issue Nov 27, 2014 · 4 comments

Comments

@derekbruening
Contributor

From [email protected] on June 24, 2009 21:40:13

Current DR uses (%esp) to represent the memory reference operand of instructions
like push and call, which is not correct.

The push instruction first decrements %esp and then accesses the memory pointed to by
%esp, so the memory address before executing push should be -4(%esp)
instead of (%esp). Similar problems exist for the pop and return instructions.

This is caused by the decode table.
See comments in decode.h:

    /* All i_eSP really read 0x4(esp) or some other offset, depending on
     * if take esp value before or after instrs, etc. */

and next to OPSZ_4x8_short2:

    /* Note that this IR does not distinguish multiple stack
     * operations; dispatch by opcode must be used:
     *   X2 = far call/far ret
     *   X3 = int/iret
     *   X8 = pusha/popa
     *   X* = enter (dynamically varying amount)
     * Note that stack operations may also modify the stack
     * pointer prior to accessing the top of the stack, so
     * for example "(esp)" may in fact be "4(esp)" depending
     * on the opcode. */

It would be better to have workaround code in the decoding instead of in
each tool.

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=164
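The per-tool workaround the issue describes, as an added example that is not DynamoRIO code: a C routine that maps a stack-op opcode plus the pre-execution %esp to the address range and size the instruction really touches, using the X2/X3/X8/X* sizes quoted from decode.h above. The opcode tags, struct and function names are hypothetical; a 32-bit stack and 32-bit operand size are assumed, and ENTER's reads of the enclosing frame are not modeled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical opcode tags (not DynamoRIO's own OP_ enum). A 32-bit stack and
 * 32-bit operand size are assumed throughout. */
typedef enum { SOP_PUSH, SOP_CALL, SOP_POP, SOP_RET, SOP_FAR_CALL, SOP_FAR_RET,
               SOP_INT, SOP_IRET, SOP_PUSHA, SOP_POPA, SOP_ENTER } stack_op_t;

typedef struct {
    uintptr_t addr;     /* lowest byte actually touched by the instruction */
    size_t    size;     /* bytes read or written starting at addr */
    bool      is_write;
} stack_access_t;

/* Map an opcode plus the value of %esp *before* the instruction executes to the
 * memory range it really accesses. Pushes decrement %esp first, so their
 * address lies below the pre-execution %esp; pops read at the pre-execution
 * %esp. enter_level is ENTER's nesting-level immediate (ignored for others). */
static stack_access_t
stack_access(stack_op_t op, uintptr_t esp_before, unsigned enter_level)
{
    stack_access_t a = { esp_before, 4, false };
    switch (op) {
    case SOP_POP:  case SOP_RET:                        a.size = 4;  break;
    case SOP_FAR_RET:                                   a.size = 8;  break; /* X2: EIP + CS */
    case SOP_IRET:                                      a.size = 12; break; /* X3: EIP, CS, EFLAGS */
    case SOP_POPA:                                      a.size = 32; break; /* X8: 8 GPRs */
    case SOP_PUSH: case SOP_CALL: a.is_write = true;    a.size = 4;  break;
    case SOP_FAR_CALL:            a.is_write = true;    a.size = 8;  break;
    case SOP_INT:                 a.is_write = true;    a.size = 12; break;
    case SOP_PUSHA:               a.is_write = true;    a.size = 32; break;
    case SOP_ENTER:
        /* X*: ENTER pushes %ebp, then for level >= 1 pushes level-1 saved frame
         * pointers plus the new frame pointer (level is taken mod 32). The
         * frame-size immediate only reserves space and is never accessed. */
        enter_level %= 32;
        a.is_write = true;
        a.size = 4 * (enter_level == 0 ? 1 : enter_level + 1);
        break;
    }
    if (a.is_write)
        a.addr = esp_before - a.size; /* write lands below the old %esp */
    return a;
}
```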

@derekbruening
Contributor Author

From [email protected] on June 24, 2009 21:29:36

This was filed as PR 214976.
We punted on adding this complexity, in particular
the sizes, to the IR in the past.

@derekbruening
Contributor Author

From [email protected] on December 08, 2009 11:10:54

Summary: Incomplete memory address for push/call and incomplete size for far call/ret, int/iret, pusha/popa, and enter

@derekbruening
Contributor Author

From [email protected] on December 06, 2010 19:41:12

Owner: derek.bruening

@derekbruening
Contributor Author

From [email protected] on January 23, 2011 19:24:41

This issue was closed by revision r554.

Status: Fixed
