Bug 422174 - unhandled instruction bytes: 0x48 0xE9 (REX prefixed JMP instruction)
Summary: unhandled instruction bytes: 0x48 0xE9 (REX prefixed JMP instruction)
Status: RESOLVED FIXED
Alias: None
Product: valgrind
Classification: Developer tools
Component: vex
Version: 3.15 SVN
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Julian Seward
 
Reported: 2020-05-28 12:46 UTC by Tom Deseyn
Modified: 2020-08-17 19:08 UTC


Attachments
Handle REX prefixed JMP instruction. (2.10 KB, text/plain)
2020-07-26 19:31 UTC, Mark Wielaard

Description Tom Deseyn 2020-05-28 12:46:54 UTC
When running .NET Core 3.1 applications under valgrind I get SIGILL for

vex amd64->IR: unhandled instruction bytes: 0x48 0xE9 0x70 0xB3 0x41 0xA9 0x49 0xBA 0x88 0xCD
vex amd64->IR:   REX=1 REX.W=1 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=NONE
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0
Comment 1 Mark Wielaard 2020-06-03 12:55:29 UTC
(In reply to Tom Deseyn from comment #0)
> When running .NET Core 3.1 applications under valgrind I get SIGILL for
> 
> vex amd64->IR: unhandled instruction bytes: 0x48 0xE9 0x70 0xB3 0x41 0xA9
> 0x49 0xBA 0x88 0xCD
> vex amd64->IR:   REX=1 REX.W=1 REX.R=0 REX.X=0 REX.B=0
> vex amd64->IR:   VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=NONE
> vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0

This is tricky. This looks like a jmp instruction followed by some noise. It might be that something went wrong earlier and we are now looking at some bad data.

Since this is a JIT, could you try running with --smc-check=all, which will make valgrind look more aggressively for when it needs to update its code translations?

Also could you show a bit more info on how you precisely run valgrind, which options you used, etc. Are there any other warnings? Could you run with -v and post the full output here?
Comment 2 Tom Deseyn 2020-06-03 14:10:33 UTC
> This looks like a jmp instruction followed by some noise.

I can't parse this myself. Quoting others: this is a PC-relative jump with a 32-bit offset (the first 6 bytes) with an added REX.W prefix.

> Since this is a JIT could you try running with --smc-check=all which will make valgrind more aggressively look when it needs to update its code translations

Using '--smc-check=all' the result is similar.

> Also could you show a bit more info on how you precisely run valgrind

You can reproduce this on Fedora 32:

# dnf install dotnet-sdk-3.1
$ dotnet --version
$ valgrind dotnet --version
Comment 3 Tom Hughes 2020-06-03 14:45:47 UTC
Not sure what Mark means by noise - it looks like JMP rel32 to me.

0x48 is a REX prefix
0xE9 is JMP rel32 in 64 bit mode
0x70 0xB3 0x41 0xA9 is the offset

The offset of 0xA941B370 is sign extended to 64 bits.

So I make that a jump to RIP-0x56be4c90 which I'll admit seems like a very large offset to be using on a PC relative jump...

Thing is that we appear to handle that instruction... I think we're failing on this:

      if (sz != 4)
         goto decode_failure; /* JRS added 2004 July 11 */

because the REX.W bit has changed sz to 8, but the Intel manual has note f64 attached to that instruction in the opcode map, which is:

"The operand size is forced to a 64-bit operand size when in 64-bit mode (prefixes that change operand size are ignored for this instruction in 64-bit mode)."

So I think the size check is invalid.
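As an added illustration (not valgrind code and not from any commenter), the decoder below walks the bytes from the report the way the analysis above does: it skips the REX prefix, keeps the displacement width tied to the opcode as note f64 requires, sign-extends the rel32 and computes the target. The instruction address 0x56BE5000 and the two extra byte sequences are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded near JMP (opcode 0xE9 rel32 or 0xEB rel8) in 64-bit mode. */
typedef struct {
    int      ok;      /* 1 if the bytes start with a JMP rel8/rel32 */
    size_t   len;     /* prefixes + opcode + displacement */
    int      rex_w;   /* REX.W was present (ignored for JMP: Intel note f64) */
    int      pfx66;   /* 0x66 was present (also ignored: note f64) */
    int64_t  disp;    /* displacement, sign-extended to 64 bits */
    uint64_t target;  /* address of the next instruction + disp */
} JmpDecode;

/* Decode a JMP located at address `rip` from `n` bytes of code. The displacement
 * width depends only on the opcode: per note f64, 0x66 and REX.W never change it. */
JmpDecode decode_jmp64(const uint8_t *code, size_t n, uint64_t rip)
{
    JmpDecode r = {0};
    size_t i = 0;
    /* Legacy prefixes a JMP may carry (0xF2 is the MPX "bnd" hint). */
    while (i < n && (code[i] == 0x66 || code[i] == 0xF2)) {
        if (code[i] == 0x66) r.pfx66 = 1;
        i++;
    }
    /* A REX prefix (0x40..0x4F) must sit directly before the opcode. */
    if (i < n && (code[i] & 0xF0) == 0x40) {
        r.rex_w = (code[i] >> 3) & 1;
        i++;
    }
    if (i >= n) return r;
    size_t dispsz;
    uint8_t op = code[i++];
    if (op == 0xE9)      dispsz = 4;  /* Jv: always rel32 in 64-bit mode */
    else if (op == 0xEB) dispsz = 1;  /* Jb: rel8 */
    else return r;
    if (i + dispsz > n) return r;
    /* Little-endian read, then sign-extend: 0x70 0xB3 0x41 0xA9 reads as
     * 0xA941B370, i.e. -0x56BE4C90 as a signed 32-bit value. */
    if (dispsz == 1) {
        r.disp = (code[i] & 0x80) ? (int64_t)code[i] - 0x100 : (int64_t)code[i];
    } else {
        uint32_t u = (uint32_t)code[i] | ((uint32_t)code[i + 1] << 8) |
                     ((uint32_t)code[i + 2] << 16) | ((uint32_t)code[i + 3] << 24);
        r.disp = (u & 0x80000000u) ? (int64_t)u - 0x100000000LL : (int64_t)u;
    }
    i += dispsz;
    r.len = i;
    r.target = rip + (uint64_t)i + (uint64_t)r.disp;  /* wraps mod 2^64 like the CPU */
    r.ok = 1;
    return r;
}

/* The ten bytes from the vex report. Only the first six are the JMP; 0x49 0xBA
 * onward already belong to the following instruction. */
static const uint8_t kBugBytes[] = {0x48, 0xE9, 0x70, 0xB3, 0x41, 0xA9, 0x49, 0xBA, 0x88, 0xCD};
/* Constructed variants: the same JMP rel32 behind a 0x66 prefix (which the old
 * `sz != 4` check would also have rejected) and a REX-prefixed JMP rel8. */
static const uint8_t kJmp66[]    = {0x66, 0xE9, 0x10, 0x00, 0x00, 0x00};
static const uint8_t kJmpShort[] = {0x48, 0xEB, 0xFE};

int main(void)
{
    uint64_t rip = 0x56BE5000ULL;  /* constructed sample address of the JMP */
    JmpDecode r = decode_jmp64(kBugBytes, sizeof kBugBytes, rip);
    printf("ok=%d len=%zu REX.W=%d disp=%lld target=0x%llx\n", r.ok, r.len, r.rex_w, (long long)r.disp, (unsigned long long)r.target);
    return r.ok ? 0 : 1;
}
```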
Comment 4 Mark Wielaard 2020-06-03 15:10:56 UTC
(In reply to Tom Hughes from comment #3)
> Not sure what Mark means by noise - it looks like JMP rel32 to me.

Clearly I am a bad instruction decoder.

> 0x48 is a REX prefix
> 0xE9 is JMP rel32 in 64 bit mode
> 0x70 0xB3 0x41 0xA9 is the offset
> 
> The offset of 0xA941B370 is sign extended to 64 bits.
> 
> So I make that a jump to RIP-0x56be4c90 which I'll admit seems like a very
> large offset to be using on a PC relative jump...
> 
> Thing is that we appear to handle that instruction... I think we're failing
> on this:
> 
>       if (sz != 4)
>          goto decode_failure; /* JRS added 2004 July 11 */
> 
> because the REX.W bit has changed sz to 8 but the Intel manual has note f64
> attached to that instruction in the opcode map which is:
> 
> "The operand size is forced to a 64-bit operand size when in 64-bit mode
> (prefixes that change operand size are ignored for this instruction in
> 64-bit mode)."
> 
> So I think the size check is invalid.

Thanks so much for that analysis.
With the following patch:

diff --git a/VEX/priv/guest_amd64_toIR.c b/VEX/priv/guest_amd64_toIR.c
index fadf47d41..6d26be5fa 100644
--- a/VEX/priv/guest_amd64_toIR.c
+++ b/VEX/priv/guest_amd64_toIR.c
@@ -21392,9 +21393,8 @@ Long dis_ESC_NONE (
 
    case 0xE9: /* Jv (jump, 16/32 offset) */
       if (haveF3(pfx)) goto decode_failure;
-      if (sz != 4) 
-         goto decode_failure; /* JRS added 2004 July 11 */
       if (haveF2(pfx)) DIP("bnd ; "); /* MPX bnd prefix. */
+      sz = 4; /* Force 32bit signed offset. */
       d64 = (guest_RIP_bbstart+delta+sz) + getSDisp(sz,delta); 
       delta += sz;
       jmp_lit(dres, Ijk_Boring, d64);
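Review bot: Dropping `if (sz != 4)` and forcing `sz = 4` also changes what happens to a 0x66-prefixed JMP rel32: it used to reach decode_failure and now decodes with a 32-bit displacement, which is what note f64 requires, so that is correct but deserves a sentence in the commit message. The comment `/* Jv (jump, 16/32 offset) */` is now misleading in 64-bit mode, where the offset is always 32 bits, and the short form `case 0xEB` (Jb) carries the same f64 note and needs the same change in this patch. Minor: the hunk header `@@ -21392,9 +21393,8 @@` starts the new side one line later than the old, so this was cut from a larger diff with an earlier hunk that is not shown.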

We get the result from dotnet --version we expect!

$ ./vg-in-place dotnet --version 2>/dev/null
3.1.103

But there are lots of "issues" reported by valgrind that probably need some investigation:

$ ./vg-in-place dotnet --version
Comment 5 Tom Deseyn 2020-06-04 09:08:39 UTC
Mark, Tom, thank you for looking into this, and fixing the issue!

I look forward to using valgrind with .NET Core! :)
Comment 6 Mark Wielaard 2020-07-26 19:31:41 UTC
Created attachment 130413
Handle REX prefixed JMP instruction.

I went over the instructions that had the 'f64' note attached: "The operand size is forced to a 64-bit operand size when in 64-bit mode (prefixes that change operand size are ignored for this instruction in 64-bit mode)."

It looks like we handle that as intended for all instructions, except for two JMP variants.

So I believe this patch is correct (it also makes a simple .NET Core program run under valgrind).

The original sz check and comment come from the x86 backend, and were copied over when the amd64 backend was added.
Comment 7 Mark Wielaard 2020-08-17 19:08:11 UTC
commit 0c23373b702752289e390b3a16e0a6265284a55e
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Jul 26 21:17:23 2020 +0200

    Handle REX prefixed JMP instruction.
    
    The NET Core runtime might generate a JMP with a REX prefix.
    For Jv (32bit offset) and Jb (8bit offset) this is valid.
    Prefixes that change operand size are ignored for such JMPs.
    So remove the check for sz == 4 and force sz = 4 for Jv.
    
    https://bugs.kde.org/show_bug.cgi?id=422174