AArch32 encoding failure for predicated return: IT block tracking bug

[derekbruening]

While trying to get attach #38 working on AArch32 I was using "cat" as a
test target for attaching and it contains a predicated return "bx.cc %lr"
which DR correctly mangles, but then failes to encode. We must have some
tests of this: I wonder if there's something slightly different here, or
this is a regression, or what.

interp: start_pc = 0xb6e83056
check_thread_vm_area: pc = 0xb6e83056
prepend_entry_to_fraglist: putting fragment @0xb6e83056 (shared) on vmarea 0xb6dfb000-0xb6ed1000
check_thread_vm_area: check_stop = 0xb6ed1000
  0xb6e83056  bc80       ldm    (%sp)[4byte] %sp -> %r7 %sp
  0xb6e83058  f510 5f80  cmn    %r0 $0x00001000
  0xb6e8305c  bf38       it     $0x03 $0x08
  0xb6e8305e  4770       bx.cc  %lr
        reads flag before writing it!
mbr exit target = 0x46895180
end_pc = 0xb6e83060

exit_branch_type=0x6 bb->exit_target=0x46895180
bb ilist after mangling:
TAG  0xb6e83056
 +0    L3 @0x468dc96c  bc80       ldm    (%sp)[4byte] %sp -> %r7 %sp
 +2    L3 @0x468dc928  f510 5f80  cmn    %r0 $0x00001000
 +6    m4 @0x468dc9d4  f8ca 2008  str    %r2 -> +0x08(%r10)[4byte]
 +10   m4 @0x468dcaac             <label note=0x00000000>
 +10   L4 @0x468dca24  bf32       itee   $0x00000003 $0x00000002
 +12   m4 @0x468dcaf0  4672       mov.cc %lr -> %r2
 +14   m4 @0x468dcb34  f243 0261  movw.cs $0x00003061 -> %r2
 +18   m4 @0x468dcb84  f2cb 62e8  movt.cs $0x0000b6e8 -> %r2
 +22   L4 @0x468dca68  f7bb ba92  b      $0x46895180 <shared_bb_ibl_ret>
END 0xb6e83056

emit_fragment: bb use ibl <0x46895180>
fcache_add_fragment to Basic block (shared) cache (size 4KB): F2 w/ size 46 (=> 52)
find_free_list_slot: 52 bytes
        added F2 to unfilled unit @0x4689b024 (4012 [/57344] bytes left now)
SYSLOG_ERROR: No predicate is supported
ERROR: Could not find encoding for: movw.cs $0x00003061 -> %r2
Reason: No predicate is supported

In gdb:

(gdb) x/8i 0xb6f1e054
=> 0xb6f1e054 <read+20>:	svc	0
   0xb6f1e056 <read+22>:	pop	{r7}
   0xb6f1e058 <read+24>:	cmn.w	r0, #4096	; 0x1000
   0xb6f1e05c <read+28>:	it	cc
   0xb6f1e05e <read+30>:	bxcc	lr
   0xb6f1e060 <read+32>:	b.w	0xb6eac990 <__syscall_error>
   0xb6f1e064 <read+36>:	push	{r0, r1, r2, r3, lr}
   0xb6f1e066 <read+38>:	bl	0xb6f31c28 <__libc_enable_asynccancel>

Looks right:

$ echo 0x32 0xbf 0x72 0x46 0x43 0xf2 0x61 0x02 0xcb 0xf2 0xe8 0x62 | /usr/bin/llvm-mc-13 -arch thumb -mcpu=cortex-a15 --disassemble 
	.text
	itee	lo
	movlo	r2, lr
	movwhs	r2, #12385
	movths	r2, #46824

Looks like a bug in encode_in_it_block() incorrectly returning false here.
It's not from the -loglevel 4: w/o logging we have:

<No predicate is supported>
<Application /bin/cat (19431).  Internal Error: DynamoRIO debug check failure: /home/derek/dr/git/src/core/emit.c:363 pc != NULL
(Error occurred @2 frags in tid 19431)
version 9.0.19090, custom build

It's there w/o attach too:

> bin32/drrun -- /bin/cat
<Starting application /bin/cat (11852)>
<Not tested @/home/derek/dr/git/src/core/arch/emit_utils_shared.c:5574>
<Initial options = -no_dynamic_options -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<(1+x) Handling our fault in a TRY at 0x711eb21c>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/home/derek/dr/git/build_dbg_tests/lib32/debug/libdynamorio.so' 0x71024628
>
<No predicate is supported>
<Application /bin/cat (11852).  Internal Error: DynamoRIO debug check failure: /home/derek/dr/git/src/core/emit.c:363 pc != NULL
(Error occurred @211 frags in tid 11852)

Unfortunately this also shows up at the end of the infloop test, so it blocks the test for #38.

[derekbruening]

Ah it turns out this was caused by a local fix in my attach tree that fixed an encoder error on arm where it tries to get the opcode before outputting a pure-binary instr.