capstone
capstone copied to clipboard
capstone-engine
HPPA disassembler does not initialize op->access in some cases
Work environment
| Questions | Answers |
|---|---|
| System Capstone runs on OS/arch/bits | Debian x86 |
| Capstone module affected | hppa |
| Source of Capstone | git clone |
| Version/git commit | v6.0.0-alpha4 |
Expected behavior
The op->access field should be initialized and valgrind should not complain.
Actual behavior
Add the following code to print op->access in cstool:
--- a/cstool/cstool_hppa.c
+++ b/cstool/cstool_hppa.c
@@ -66,6 +66,20 @@ void print_insn_detail_hppa(csh handle, cs_insn *ins)
printf("TARGET = 0x%" PRIx64 "\n", target_addr);
break;
}
+
+ switch(op->access) {
+ default:
+ break;
+ case CS_AC_READ:
+ printf("\t\toperands[%u].access: READ\n", i);
+ break;
+ case CS_AC_WRITE:
+ printf("\t\toperands[%u].access: WRITE\n", i);
+ break;
+ case CS_AC_READ | CS_AC_WRITE:
+ printf("\t\toperands[%u].access: READ | WRITE\n", i);
+ break;
+ }
}
if (!cs_regs_access(handle, ins, regs_read, ®s_read_count,
Running cstool with valgrind:
$ valgrind ./cstool -d hppa20be "002050a2"
==3131749== Memcheck, a memory error detector
==3131749== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==3131749== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==3131749== Command: ./cstool -d hppa20be 002050a2
==3131749==
0 00 20 50 a2 ldsid (sr1,r1),rp
ID: 145 (ldsid)
op_count: 2
operands[0].type: MEM
operands[0].mem.space: REG = sr1
operands[0].mem.base: REG = r1
==3131749== Conditional jump or move depends on uninitialised value(s)
==3131749== at 0x3D7E4E: print_insn_detail_hppa (cstool_hppa.c:70)
==3131749== by 0x3D4BA1: print_details (cstool.c:444)
==3131749== by 0x3D59C7: main (cstool.c:770)
==3131749==
==3131749== Conditional jump or move depends on uninitialised value(s)
==3131749== at 0x3D7E53: print_insn_detail_hppa (cstool_hppa.c:70)
==3131749== by 0x3D4BA1: print_details (cstool.c:444)
==3131749== by 0x3D59C7: main (cstool.c:770)
==3131749==
==3131749== Conditional jump or move depends on uninitialised value(s)
==3131749== at 0x3D7E58: print_insn_detail_hppa (cstool_hppa.c:70)
==3131749== by 0x3D4BA1: print_details (cstool.c:444)
==3131749== by 0x3D59C7: main (cstool.c:770)
==3131749==
==3131749== Conditional jump or move depends on uninitialised value(s)
==3131749== at 0x3D7E5D: print_insn_detail_hppa (cstool_hppa.c:70)
==3131749== by 0x3D4BA1: print_details (cstool.c:444)
==3131749== by 0x3D59C7: main (cstool.c:770)
==3131749==
operands[1].type: REG = rp
operands[1].access: WRITE
Registers read: r1 sr1
Registers modified: rp
Groups: system_control
==3131749==
==3131749== HEAP SUMMARY:
==3131749== in use at exit: 0 bytes in 0 blocks
==3131749== total heap usage: 6 allocs, 6 frees, 11,608 bytes allocated
==3131749==
==3131749== All heap blocks were freed -- no leaks are possible
==3131749==
==3131749== Use --track-origins=yes to see where uninitialised values come from
==3131749== For lists of detected and suppressed errors, rerun with: -s
==3131749== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
Steps to reproduce the behavior
- Described above
Additional Logs, screenshots, source code, configuration dump, ...
Drag and drop zip archives containing the Additional info here, don't use external services or link. Screenshots can be directly dropped here.
The problem is that memory operand does not get its access type set:
static void set_op_mem(cs_hppa *hppa, uint32_t base, uint32_t space,
cs_ac_type base_access)
{
cs_hppa_op *op = &hppa->operands[hppa->op_count++];
op->type = HPPA_OP_MEM;
op->mem.base = base;
op->mem.space = space;
op->mem.base_access = base_access;
}
Why is the distinction of op->mem.base_access from op->accsss?
