
[X86] Missing `ACCESS` mode in operands and `EFLAGS` are missing in instruction `test`

Open venkyqz opened this issue 1 year ago • 1 comment

Work environment

Questions            Answers
OS/arch/bits         x86_64 Ubuntu 20.04
Architecture         x86_64
Source of Capstone   git clone, default on next branch.
Version/git commit   v6.0.0, e46838

Instruction bytes giving faulty results

0x85 0x58 0x01

Expected results

It should be:

$ ./cstool_v6.0.0 -d x64 "855801"
 0  85 58 01                                         test       dword ptr [rax + 1], ebx
        ID: 734 (test)
        Prefix:0x00 0x00 0x00 0x00 
        Opcode:0x85 0x00 0x00 0x00 
        rex: 0x0
        addr_size: 8
        modrm: 0x58
        disp: 0x1
        sib: 0x0
        op_count: 2
                operands[0].type: MEM
                        operands[0].mem.base: REG = rax
                        operands[0].mem.disp: 0x1
                operands[0].size: 4
 *****          operands[0].access: READ        ******* MISSING LINE *****
                operands[1].type: REG = ebx
                operands[1].size: 4
 *****          operands[1].access: READ        ******* MISSING LINE *****
        Registers read: rax  (rbx  <--- MISSING FIELD)
 *****  EFLAGS: MOD_SF MOD_ZF MOD_PF UNDEF_AF     ******* MISSING LINE *****

Steps to get the wrong result

With cstool:

$ ./cstool_v6.0.0 -d x64 "855801"
 0  85 58 01                                         test       dword ptr [rax + 1], ebx
        ID: 734 (test)
        Prefix:0x00 0x00 0x00 0x00 
        Opcode:0x85 0x00 0x00 0x00 
        rex: 0x0
        addr_size: 8
        modrm: 0x58
        disp: 0x1
        sib: 0x0
        op_count: 2
                operands[0].type: MEM
                        operands[0].mem.base: REG = rax
                        operands[0].mem.disp: 0x1
                operands[0].size: 4
                operands[1].type: REG = ebx
                operands[1].size: 4
        Registers read: rax

Additional Logs, screenshots, source code, configuration dump, ...

  • The test instruction in x86 performs a bitwise AND between the value at a memory location and the contents of a register. It sets the corresponding EFLAGS, but the result itself is discarded. Capstone seems to fail to display the EFLAGS fields of the test instruction.
  • This issue was detected by a fully automatic decoder-testing tool based on my research. Please add a Bug tag to this page if you verify it's a problem. It means a lot to me and my research. Thank you for your consideration😊!

venkyqz, Dec 07 '24 05:12

Note that I've encountered the same issue with the following instruction:

 0  84 05 00 00 00 00                                testb      %al, (%rip)
        ID: 734 (test)
        Prefix:0x00 0x00 0x00 0x00 
        Opcode:0x84 0x00 0x00 0x00 
        rex: 0x0
        addr_size: 8
        modrm: 0x5
        disp: 0x0
        sib: 0x0
        op_count: 2
                operands[0].type: REG = al
                operands[0].size: 1
                operands[1].type: MEM
                        operands[1].mem.base: REG = rip
                operands[1].size: 1
        Registers read: rip

Missing the read of register al.

In general, the following templates yield the same type of error:

  • testb r, m64
  • testw r, m64
  • testl r, m64

Tested on fad9f80564501f083adc92db3ef37f999af28dd0

oldiob, Aug 29 '25 17:08
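To make the two reports above checkable without trusting the disassembler under test, here is an added reference decoder (not Capstone's code) for the `0x84`/`0x85` TEST r/m,r encodings with a memory operand in 64-bit mode, covering both the `85 58 01` case and the RIP-relative `84 05 00 00 00 00` case. It returns the operand access, registers read and flag effects a detail-mode dump should contain, and `missing_detail_lines` scans a cstool-style dump for the lines the report says are absent; operands are in Intel order, register names are as encoded (`ebx`, not its containing `rbx`, which is a per-tool convention), and the flag effects follow the Intel SDM description of TEST.

```python
# Added reference oracle for TEST r/m,r (opcodes 0x84 byte form, 0x85 dword
# form), no prefixes, 64-bit mode.  Not Capstone code: it states what a
# detail-mode disassembler should report so its output can be cross-checked.
import struct

REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# Intel SDM: TEST computes dst AND src, discards the result, sets SF/ZF/PF
# from it, clears OF/CF and leaves AF undefined.
TEST_EFLAGS = {"SF": "modified", "ZF": "modified", "PF": "modified",
               "AF": "undefined", "OF": "reset", "CF": "reset"}

def decode_test(code: bytes) -> dict:
    """Decode TEST r/m,r with a memory r/m operand into the detail fields
    (operands with access, registers read, flag effects) a dump should show."""
    opcode, modrm = code[0], code[1]
    if opcode not in (0x84, 0x85):
        raise ValueError("not a TEST r/m,r opcode")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4:
        raise ValueError("register-direct and SIB forms not handled here")
    regs = REGS8 if opcode == 0x84 else REGS32
    size = 1 if opcode == 0x84 else 4
    # mod=00, rm=101 is RIP-relative with a disp32 in 64-bit mode.
    if mod == 0 and rm == 5:
        base, disp, end = "rip", struct.unpack_from("<i", code, 2)[0], 6
    elif mod == 0:
        base, disp, end = REGS64[rm], 0, 2
    elif mod == 1:
        base, disp, end = REGS64[rm], struct.unpack_from("<b", code, 2)[0], 3
    else:
        base, disp, end = REGS64[rm], struct.unpack_from("<i", code, 2)[0], 6
    # TEST only reads both operands; nothing is written back.
    mem = {"type": "MEM", "base": base, "disp": disp, "size": size, "access": "READ"}
    src = {"type": "REG", "reg": regs[reg], "size": size, "access": "READ"}
    return {"length": end, "operands": [mem, src],
            "regs_read": [base, regs[reg]], "eflags": TEST_EFLAGS}

def missing_detail_lines(cstool_dump: str, expected: dict) -> list:
    """Return the access/EFLAGS detail lines absent from a cstool-style dump."""
    want = [f"operands[{i}].access: {op['access']}"
            for i, op in enumerate(expected["operands"])]
    want.append("EFLAGS:")
    return [w for w in want if w not in cstool_dump]
```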