Bug 385651 - vex amd64->IR: unhandled instruction bytes: 0x8F 0xEA 0xF8 0x10 0xC8 0x6 0x2 0x0 0x0 0x48
Summary: vex amd64->IR: unhandled instruction bytes: 0x8F 0xEA 0xF8 0x10 0xC8 0x6 0x2 ...
Status: REPORTED
Alias: None
Product: valgrind
Classification: Developer tools
Component: vex
Version: 3.13.0
Platform: unspecified Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Julian Seward
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-12 10:16 UTC by VS
Modified: 2017-10-12 10:16 UTC

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Description VS 2017-10-12 10:16:14 UTC
Code:

#include <mpfr.h>
#include <stdlib.h>

#define PREC 53
#define N 13
int
main (void)
{
  mpfr_t r, b, e;

  mpfr_set_default_prec (PREC);
  mpfr_init_set_si (b, N - 2, MPFR_RNDN);
  mpfr_sqrt (b, b, MPFR_RNDN);
  mpfr_init_set_si (e, N - 1, MPFR_RNDN);
  mpfr_sqrt (e, e, MPFR_RNDN);
  mpfr_init (r);
  mpfr_pow (r, b, e, MPFR_RNDN);
  mpfr_printf ("%Re\n", r);
  mpfr_clears (r, b, e, (mpfr_ptr) 0);
  mpfr_free_cache ();
  return EXIT_SUCCESS;
}

The code above triggers the (likely) bug.

- Compilation command is: 
gcc -Wall -Wextra -Wpedantic -g -O0 -o <name> <name>.c -lmpfr

Version of mpfr is: 3.1.5.

Version of gmp is: 6.1.2

Version of gcc is: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609

Output of uname -a is: Linux metfac-100 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Full output from valgrind when run with the -v flag is:

==11398== Memcheck, a memory error detector
==11398== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==11398== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==11398== Command: ./vg_unhandled
==11398== 
--11398-- Valgrind options:
--11398--    -v
--11398-- Contents of /proc/version:
--11398--   Linux version 4.10.0-35-generic (buildd@lcy01-33) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017
--11398-- 
--11398-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-bmi
--11398-- Page sizes: currently 4096, max supported 4096
--11398-- Valgrind library directory: /usr/local/lib/valgrind
--11398-- Reading syms from /home/sunye/storage/src/tmp/vg_unhandled
--11398-- Reading syms from /lib/x86_64-linux-gnu/ld-2.23.so
--11398--   Considering /lib/x86_64-linux-gnu/ld-2.23.so ..
--11398--   .. CRC mismatch (computed 9bc477cd wanted 3da2f12a)
--11398--   Considering /usr/lib/debug/lib/x86_64-linux-gnu/ld-2.23.so ..
--11398--   .. CRC is valid
--11398-- Reading syms from /usr/local/lib/valgrind/memcheck-amd64-linux
--11398--    object doesn't have a dynamic symbol table
--11398-- Scheduler: using generic scheduler lock implementation.
--11398-- Reading suppressions file: /usr/local/lib/valgrind/default.supp
==11398== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-11398-by-sunye-on-???
==11398== embedded gdbserver: writing to   /tmp/vgdb-pipe-to-vgdb-from-11398-by-sunye-on-???
==11398== embedded gdbserver: shared mem   /tmp/vgdb-pipe-shared-mem-vgdb-11398-by-sunye-on-???
==11398== 
==11398== TO CONTROL THIS PROCESS USING vgdb (which you probably
==11398== don't want to do, unless you know exactly what you're doing,
==11398== or are doing some strange experiment):
==11398==   /usr/local/lib/valgrind/../../bin/vgdb --pid=11398 ...command...
==11398== 
==11398== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==11398==   /path/to/gdb ./vg_unhandled
==11398== and then give GDB the following command
==11398==   target remote | /usr/local/lib/valgrind/../../bin/vgdb --pid=11398
==11398== --pid is optional if only one valgrind process is running
==11398== 
--11398-- REDIR: 0x401cf90 (ld-linux-x86-64.so.2:strlen) redirected to 0x580a1e91 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--11398-- REDIR: 0x401b8e0 (ld-linux-x86-64.so.2:index) redirected to 0x580a1eab (vgPlain_amd64_linux_REDIR_FOR_index)
--11398-- Reading syms from /usr/local/lib/valgrind/vgpreload_core-amd64-linux.so
--11398-- Reading syms from /usr/local/lib/valgrind/vgpreload_memcheck-amd64-linux.so
==11398== WARNING: new redirection conflicts with existing -- ignoring it
--11398--     old: 0x0401cf90 (strlen              ) R-> (0000.0) 0x580a1e91 vgPlain_amd64_linux_REDIR_FOR_strlen
--11398--     new: 0x0401cf90 (strlen              ) R-> (2007.0) 0x04c30ad0 strlen
--11398-- REDIR: 0x401bb00 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4c31b80 (strcmp)
--11398-- REDIR: 0x401dcf0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x4c34d60 (mempcpy)
--11398-- Reading syms from /usr/local/lib/libmpfr.so.4.1.5
--11398-- Reading syms from /lib/x86_64-linux-gnu/libc-2.23.so
--11398--   Considering /lib/x86_64-linux-gnu/libc-2.23.so ..
--11398--   .. CRC mismatch (computed b2979fac wanted 1affc958)
--11398--   Considering /usr/lib/debug/lib/x86_64-linux-gnu/libc-2.23.so ..
--11398--   .. CRC is valid
--11398-- Reading syms from /usr/local/lib/libgmp.so.10.3.2
--11398-- REDIR: 0x512ba00 (libc.so.6:strcasecmp) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x5127280 (libc.so.6:strcspn) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x512dcf0 (libc.so.6:strncasecmp) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x51296f0 (libc.so.6:strpbrk) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x5129a80 (libc.so.6:strspn) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x512b14b (libc.so.6:memcpy@GLIBC_2.2.5) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x5129400 (libc.so.6:rindex) redirected to 0x4c30450 (rindex)
--11398-- REDIR: 0x5120130 (libc.so.6:malloc) redirected to 0x4c2db6f (malloc)
--11398-- REDIR: 0x512b1b0 (libc.so.6:memset) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x512b240 (libc.so.6:__GI_memset) redirected to 0x4c33f70 (memset)
--11398-- REDIR: 0x51303f0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x4a28770 (_vgnU_ifunc_wrapper)
--11398-- REDIR: 0x513b820 (libc.so.6:__memcpy_sse2_unaligned) redirected to 0x4c31f50 (memcpy@@GLIBC_2.14)
--11398-- REDIR: 0x51206c0 (libc.so.6:realloc) redirected to 0x4c2fac1 (realloc)
--11398-- REDIR: 0x51204f0 (libc.so.6:free) redirected to 0x4c2ec69 (free)
--11398-- REDIR: 0x51fa420 (libc.so.6:__memmove_ssse3_back) redirected to 0x4c31ce0 (memcpy@GLIBC_2.2.5)
vex amd64->IR: unhandled instruction bytes: 0x8F 0xEA 0xF8 0x10 0xC8 0x6 0x2 0x0 0x0 0x48
vex amd64->IR:   REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=NONE
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0
==11398== valgrind: Unrecognised instruction at address 0x5498ef9.
==11398==    at 0x5498EF9: __gmpn_perfect_square_p (in /usr/local/lib/libgmp.so.10.3.2)
==11398==    by 0x4E56B57: __gmpz_perfect_square_p (gmp.h:1827)
==11398==    by 0x4E56B57: mpfr_pow_is_exact (pow.c:80)
==11398==    by 0x4E56B57: mpfr_pow_general (pow.c:306)
==11398==    by 0x4E5741D: mpfr_pow (pow.c:711)
==11398==    by 0x4009E9: main (vg_unhandled.c:17)
==11398== Your program just tried to execute an instruction that Valgrind
==11398== did not recognise.  There are two possible reasons for this.
==11398== 1. Your program has a bug and erroneously jumped to a non-code
==11398==    location.  If you are running Memcheck and you just saw a
==11398==    warning about a bad jump, it's probably your program's fault.
==11398== 2. The instruction is legitimate but Valgrind doesn't handle it,
==11398==    i.e. it's Valgrind's fault.  If you think this is the case or
==11398==    you are not sure, please let us know and we'll try to fix it.
==11398== Either way, Valgrind will now raise a SIGILL signal which will
==11398== probably kill your program.
==11398== 
==11398== Process terminating with default action of signal 4 (SIGILL)
==11398==  Illegal opcode at address 0x5498EF9
==11398==    at 0x5498EF9: __gmpn_perfect_square_p (in /usr/local/lib/libgmp.so.10.3.2)
==11398==    by 0x4E56B57: __gmpz_perfect_square_p (gmp.h:1827)
==11398==    by 0x4E56B57: mpfr_pow_is_exact (pow.c:80)
==11398==    by 0x4E56B57: mpfr_pow_general (pow.c:306)
==11398==    by 0x4E5741D: mpfr_pow (pow.c:711)
==11398==    by 0x4009E9: main (vg_unhandled.c:17)
==11398== 
==11398== HEAP SUMMARY:
==11398==     in use at exit: 144 bytes in 8 blocks
==11398==   total heap usage: 220 allocs, 212 frees, 4,480 bytes allocated
==11398== 
==11398== Searching for pointers to 8 not-freed blocks
==11398== Checked 83,472 bytes
==11398== 
==11398== LEAK SUMMARY:
==11398==    definitely lost: 0 bytes in 0 blocks
==11398==    indirectly lost: 0 bytes in 0 blocks
==11398==      possibly lost: 0 bytes in 0 blocks
==11398==    still reachable: 144 bytes in 8 blocks
==11398==                       of which reachable via heuristic:
==11398==                         newarray           : 112 bytes in 6 blocks
==11398==         suppressed: 0 bytes in 0 blocks
==11398== Rerun with --leak-check=full to see details of leaked memory
==11398== 
==11398== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
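Valgrind's message leaves the reader to decide between its two explanations: a jump into non-code, or a real instruction that VEX does not implement. The bytes it printed settle that question on their own. The following decoder is an added example, not code from the bug report, Valgrind, GMP or MPFR; it takes the "unhandled instruction bytes" line above, splits the leading 0x8F sequence into its XOP prefix fields (the layout follows AMD's description of the XOP prefix: 0x8F, then R̄ X̄ B̄ mmmmm, then W v̄vvv L pp, with R/X/B and vvvv stored inverted), and tabulates the single map/opcode pair that occurs here. The opcode table is an assumption of this example and covers only that entry. For the reported bytes it yields XOP map 0Ah, opcode 0x10, ModRM 0xC8 and imm32 0x206, i.e. the AMD TBM instruction `bextr rcx, rax, 0x206` (extract 2 bits starting at bit 6), nine bytes long; the trailing 0x48 already belongs to the next instruction. A well-formed encoding like this points to reason 2 in Valgrind's message, which fits the hwcaps line above: Valgrind detected AVX and BMI but lists no XOP or TBM support.

```python
"""Triage helper for a Valgrind "unhandled instruction bytes" line.

Added example; not code from the bug report, Valgrind, GMP or MPFR.  It
decodes the XOP-prefixed bytes VEX printed so a reader can tell a well-formed
but unsupported instruction (Valgrind's "reason 2") from a jump into non-code
("reason 1").  The opcode table below is an assumption of this example and
covers only the XOP map-0Ah entry that occurs in the report.
"""

# Copied verbatim from the "vex amd64->IR: unhandled instruction bytes" line.
REPORTED = "0x8F 0xEA 0xF8 0x10 0xC8 0x6 0x2 0x0 0x0 0x48"

# Assumption of this example: only (map, opcode) = (0x0A, 0x10) is tabulated.
XOP_OPCODES = {(0x0A, 0x10): "bextr"}

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]


def parse_bytes(line: str) -> bytes:
    """'0x8F 0xEA ...' -> bytes.  VEX prints a fixed 10 bytes, so the tail
    may already belong to the following instruction."""
    return bytes(int(tok, 16) for tok in line.split())


def decode_xop(code: bytes) -> dict:
    """Decode XOP prefix + opcode + ModRM (+ imm32 for TBM BEXTR).

    XOP prefix: 0x8F | R~ X~ B~ mmmmm | W v~v~v~v~ L pp.  R/X/B and vvvv are
    stored inverted.  With mmmmm < 8 the 0x8F byte is the legacy POP r/m
    opcode instead, so such input is rejected rather than mis-decoded.
    """
    if len(code) < 5 or code[0] != 0x8F or (code[1] & 0x1F) < 0x08:
        raise ValueError("not an XOP-prefixed instruction")
    b1, b2 = code[1], code[2]
    d = {
        "map": b1 & 0x1F,
        "R": (~b1 >> 7) & 1, "X": (~b1 >> 6) & 1, "B": (~b1 >> 5) & 1,
        "W": (b2 >> 7) & 1, "vvvv": (~b2 >> 3) & 0xF,
        "L": (b2 >> 2) & 1, "pp": b2 & 3,
        "opcode": code[3],
    }
    modrm = code[4]
    d["mod"] = modrm >> 6
    d["reg"] = ((modrm >> 3) & 7) | (d["R"] << 3)   # REX.R-style extension
    d["rm"] = (modrm & 7) | (d["B"] << 3)           # REX.B-style extension
    d["length"] = 5                                 # prefix + opcode + ModRM
    regs = REG64 if d["W"] else REG32
    mnemonic = XOP_OPCODES.get((d["map"], d["opcode"]))
    if mnemonic == "bextr":
        # TBM BEXTR: dest = ModRM.reg, src = ModRM.rm, then a 4-byte imm32 in
        # which bits[7:0] give the start bit and bits[15:8] the field length.
        if d["mod"] != 3:
            raise ValueError("memory-operand form not handled in this example")
        imm = int.from_bytes(code[5:9], "little")
        d["imm32"] = imm
        d["start_bit"], d["field_len"] = imm & 0xFF, (imm >> 8) & 0xFF
        d["length"] = 9
        d["asm"] = f"bextr {regs[d['reg']]}, {regs[d['rm']]}, {imm:#x}"
    else:
        d["asm"] = f"<XOP map {d['map']:#04x} opcode {d['opcode']:#04x}>"
    return d


def verdict(line: str) -> str:
    """One-line triage answer for a reported byte string."""
    d = decode_xop(parse_bytes(line))
    return (f"{d['asm']}  ; XOP map {d['map']:#04x}, W={d['W']}, "
            f"{d['length']} bytes, well-formed encoding -> reason 2 "
            f"(instruction not implemented by VEX)")


if __name__ == "__main__":
    print(verdict(REPORTED))
```

The same check applies to any future "unhandled instruction bytes" report: a leading 0x8F whose second byte has a map field of 8 or above is XOP rather than POP, and a decodable map/opcode/ModRM sequence argues for a missing VEX implementation rather than a corrupted control flow in the program under test.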