capstone icon indicating copy to clipboard operation
capstone copied to clipboard
verified publisher icon capstone-engine

[python, x86] Mismatch between operand type and type constant

Open cristianassaiante opened this issue 1 year ago • 2 comments

Hi,

I just found out that starting from version 5.0.1, the value of CS_OP_MEM (accessed from the python library) has changed, from 3 to 128, potentially causing issues in automated tools that make use of such constant value to check the type of the operands of an instruction.

Below a python run that shows the difference, using as example the x86 instruction mov eax, dword ptr [rsp + 0x14]:

Capstone version 5.0.0

>>> import capstone as cs
>>> md = cs.Cs(cs.CS_ARCH_X86, cs.CS_MODE_64)
>>> md.detail = True
>>> md.disasm("\x8b\x44\x24\x14", 0)
>>> ins = md.disasm(b"\x8b\x44\x24\x14", 0).__next__()
>>> ins
<CsInsn 0x0 [8b442414]: mov eax, dword ptr [rsp + 0x14]>
>>> ins.operands[1].type
3
>>> cs.CS_OP_MEM
3

Capstone version 5.0.1

>>> import capstone as cs
>>> cs.debug()
'python-standard-arm-arm64-bpf-evm-m680x-m68k-mips-mos65xx-ppc-riscv-sparc-sysz-tms320c64x-xcore-x86-c5.0-b5.0'
>>> md.disasm("\x8b\x44\x24\x14", 0)
>>> md.detail = True
>>> ins = md.disasm(b"\x8b\x44\x24\x14", 0).__next__()
>>> ins
<CsInsn 0x0 [8b442414]: mov eax, dword ptr [rsp + 0x14]>
>>> ins.operands[1].type
3
>>> cs.CS_OP_MEM
128

So my question is: is this an issue or is there another constant available to check the operand type?

Thanks in advance for the support.

cristianassaiante avatar Feb 15 '24 14:02 cristianassaiante

Thanks for pointing this out. Turns out this was accidentally pulled in, because we wanted to have the TriCore architecture being part of v5. TriCore used the new auto-sync updater (will be released with v6) for creation. And architectures using it require to distinguish registers/immediate values used for memory and non memory registers/immediate values.

TriCore though probably doesn't require the value change? @imbillow

Here is the PR reverting it: https://github.com/capstone-engine/capstone/pull/2275

I propose to change it back for v5.0.2? It's annoying to have this inconsistency between those versions. But IMHO it is still better, because people can get a clear pre-AutoSync version and a post-AutoSync version of Capstone. cc @kabeor @XVilka (candidate for https://github.com/capstone-engine/capstone/issues/2081)

Rot127 avatar Feb 16 '24 04:02 Rot127

See also https://github.com/capstone-engine/capstone/issues/2144

XVilka avatar Feb 16 '24 04:02 XVilka