Bug 409646

Summary: No case for 1Uto32 - arm64
Product: [Developer tools] valgrind Reporter: Marek Zmysłowski <marekzmyslowski>
Component: vexAssignee: Julian Seward <jseward>
Status: REPORTED ---    
Severity: crash    
Priority: NOR    
Version First Reported In: 3.15 SVN   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Marek Zmysłowski 2019-07-09 10:41:44 UTC 
SUMMARY
While running the taintgrind plugin, the following error occurs:
1Uto32(t60)
vex: the `impossible' happened:
   iselIntExpr_R: cannot reduce tree

This happens becuse the 1Uto32 case is not found inside host_arm64_isel.c (missing the case for Iop_1Uto32)

STEPS TO REPRODUCE
1. Install taintgrind according to the instruction https://github.com/wmkhoo/taintgrind/
2. Run the simple command
3. /work/temp/valgrind/build/bin/valgrind --tool=taintgrind --file-filter=/work --taint-start=0 --taint-len=1 ls


OBSERVED RESULT
Crash

EXPECTED RESULT
No crash

SOFTWARE/OS VERSIONS
ARMBIAN 5.83 stable Ubuntu 18.04.2 LTS 4.19.38-sunxi64
Linux pine64so 4.19.38-sunxi64 #5.83 SMP Fri May 3 21:02:31 CEST 2019 aarch64 aarch64 aarch64 GNU/Linux 

ADDITIONAL INFORMATION
/work/temp/valgrind/build/bin/valgrind --tool=taintgrind --file-filter=/work --taint-start=0 --taint-len=1 ls 
==18427== Taintgrind, the taint analysis tool
==18427== Copyright (C) 2010-2018, and GNU GPL'd, by Wei Ming Khoo.
==18427== Using Valgrind-3.16.0.GIT and LibVEX; rerun with -h for copyright info
==18427== Command: ls
==18427== 
1Uto32(t60)
vex: the `impossible' happened:
   iselIntExpr_R: cannot reduce tree
vex storage: T total 12936 bytes allocated
vex storage: P total 0 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==18427==    at 0x5802CE1C: show_sched_status_wrk (m_libcassert.c:386)
==18427==    by 0x5802CF4B: report_and_quit (m_libcassert.c:457)
==18427==    by 0x5802D183: vgPlain_core_panic_at (m_libcassert.c:533)
==18427==    by 0x5802D1A7: vgPlain_core_panic (m_libcassert.c:543)
==18427==    by 0x580B30D7: failure_exit (m_translate.c:749)
==18427==    by 0x5813025F: vpanic (main_util.c:253)
==18427==    by 0x58191F4F: iselIntExpr_R_wrk (host_arm64_isel.c:2082)
==18427==    by 0x58193ABB: iselIntExpr_R (host_arm64_isel.c:1458)
==18427==    by 0x58192C4B: iselIntExpr_R_wrk (host_arm64_isel.c:1766)
==18427==    by 0x58193ABB: iselIntExpr_R (host_arm64_isel.c:1458)
==18427==    by 0x58198D53: doHelperCall.isra.28.constprop.29 (host_arm64_isel.c:685)
==18427==    by 0x58199FFB: iselSB_ARM64 (host_arm64_isel.c:3761)
==18427==    by 0x5812CB2F: LibVEX_Translate (main_main.c:1047)
==18427==    by 0x580B5CEF: vgPlain_translate (m_translate.c:1811)
==18427==    by 0x58083CBF: handle_chain_me (scheduler.c:1165)
==18427==    by 0x58086DB3: vgPlain_scheduler (scheduler.c:1514)
==18427==    by 0x580E68AF: run_a_thread_NORETURN (syswrap-linux.c:101)
==18427==    by 0xFFFFFFFFFFFFFFFF: ???

sched status:
  running_tid=1
--18427-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--18427-- si_code=1;  Faulting address: 0x140;  sp: 0x1004b6d300

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==18427==    at 0x580880D8: vgPlain_is_in_syscall (syswrap-main.c:1640)
==18427==    by 0x5802C9CF: print_thread_state (m_libcassert.c:324)
==18427==    by 0x5802CC0F: show_sched_status_wrk (m_libcassert.c:420)
==18427==    by 0x5802CF4B: report_and_quit (m_libcassert.c:457)
==18427==    by 0x5802D183: vgPlain_core_panic_at (m_libcassert.c:533)
==18427==    by 0x5802D1A7: vgPlain_core_panic (m_libcassert.c:543)
==18427==    by 0x580B30D7: failure_exit (m_translate.c:749)
==18427==    by 0x5813025F: vpanic (main_util.c:253)
==18427==    by 0x58191F4F: iselIntExpr_R_wrk (host_arm64_isel.c:2082)
==18427==    by 0x58193ABB: iselIntExpr_R (host_arm64_isel.c:1458)
==18427==    by 0x58192C4B: iselIntExpr_R_wrk (host_arm64_isel.c:1766)
==18427==    by 0x58193ABB: iselIntExpr_R (host_arm64_isel.c:1458)
==18427==    by 0x58198D53: doHelperCall.isra.28.constprop.29 (host_arm64_isel.c:685)
==18427==    by 0x58199FFB: iselSB_ARM64 (host_arm64_isel.c:3761)
==18427==    by 0x5812CB2F: LibVEX_Translate (main_main.c:1047)
==18427==    by 0x580B5CEF: vgPlain_translate (m_translate.c:1811)
==18427==    by 0x58083CBF: handle_chain_me (scheduler.c:1165)
==18427==    by 0x58086DB3: vgPlain_scheduler (scheduler.c:1514)
==18427==    by 0x580E68AF: run_a_thread_NORETURN (syswrap-linux.c:101)
==18427==    by 0xFFFFFFFFFFFFFFFF: ???

sched status:
  running_tid=1
Segmentation fault
Comment 1 Julian Seward 2019-12-28 16:30:14 UTC 
Find the 1Uto64 case in host_arm64_isel.c and make 1Uto32 do the
same thing.  That should fix it.  Then send us the patch :-)
Comment 2 Julian Seward 2019-12-28 16:31:36 UTC 
I should add: fixing this is trivial (it's a 1-liner).  But I don't
want to land the fix without at least someone having tested it.  And
I don't have a way to test it.
Comment 3 Marek Zmysłowski 2020-01-15 08:40:20 UTC 
So I created following fix:
-------------------------------------------------------------------------------
diff --git a/VEX/priv/host_arm64_isel.c b/VEX/priv/host_arm64_isel.c
index b2ab7422b..724633737 100644
--- a/VEX/priv/host_arm64_isel.c
+++ b/VEX/priv/host_arm64_isel.c
@@ -1946,7 +1946,9 @@ static HReg iselIntExpr_R_wrk ( ISelEnv* env, IRExpr* e )
             addInstr(env, ARM64Instr_VXfromQ(dst, tmp, 0/*laneNo*/));
             return dst;
          }
-         case Iop_1Uto64: {
+         case Iop_1Uto64: 
+         case Iop_1Uto32:
+         {
             /* 1Uto64(tmp). */
             HReg dst = newVRegI(env);
             if (e->Iex.Unop.arg->tag == Iex_RdTmp) {
-------------------------------------------------------------------------------

Currently I have a following issue:

==2953== Taintgrind, the taint analysis tool
==2953== Copyright (C) 2010-2018, and GNU GPL'd, by Wei Ming Khoo.
==2953== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2953== Command: /bin/ls
==2953== 
t111 = 64HLto128(CmpwNEZ64(t109),t109)
vex: the `impossible' happened:
   iselStmt
vex storage: T total 32492776 bytes allocated
vex storage: P total 0 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==2953==    at 0x5802E0DC: show_sched_status_wrk (m_libcassert.c:388)
==2953==    by 0x5802E20B: report_and_quit (m_libcassert.c:459)
==2953==    by 0x5802E443: vgPlain_core_panic_at (m_libcassert.c:535)
==2953==    by 0x5802E467: vgPlain_core_panic (m_libcassert.c:545)
==2953==    by 0x580B415F: failure_exit (m_translate.c:751)
==2953==    by 0x58130E8F: vpanic (main_util.c:255)
==2953==    by 0x5819A263: iselSB_ARM64 (host_arm64_isel.c:4015)
==2953==    by 0x5812D75F: LibVEX_Translate (main_main.c:1049)
==2953==    by 0x580B6D77: vgPlain_translate (m_translate.c:1813)
==2953==    by 0x58084EE7: handle_chain_me (scheduler.c:1167)
==2953==    by 0x58087FDB: vgPlain_scheduler (scheduler.c:1516)
==2953==    by 0x580E8937: run_a_thread_NORETURN (syswrap-linux.c:103)
==2953==    by 0xFFFFFFFFFFFFFFFF: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 2953)
==2953==    at 0x4007764: ??? (in /lib/aarch64-linux-gnu/ld-2.27.so)
client stack range: [0x1FFEFFF000 0x1FFF000FFF] client SP: 0x1FFEFFFBA0
valgrind stack range: [0x100486E000 0x100496DFFF] top usage: 6400 of 1048576