Merge pull request #1333 from psi-func/aarch64_unicorn_tests

More Aarch64 instruction support

.github/workflows/linux.yml

@@ -9,7 +9,7 @@ jobs:
       matrix:
         python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
         boost-interface: ['ON', 'OFF']
-        capstone-version: ['5.0.1', '4.0.2']
+        capstone-version: ['5.0.1']
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/python.yml

@@ -107,10 +107,13 @@ jobs:
           tar -xf z3-4.12.2-x64-win.zip
         shell: powershell
 
-      - name: Download Capstone
+      - name: Download and build Capstone
         run: |
-          wget -UseBasicParsing https://github.com/capstone-engine/capstone/releases/download/4.0.2/capstone-4.0.2-win64.zip -O capstone-4.0.2-win64.zip
-          tar -xf capstone-4.0.2-win64.zip
+          wget -UseBasicParsing https://github.com/capstone-engine/capstone/archive/refs/tags/5.0.1.zip -O capstone-5.0.1.zip
+          tar -xf capstone-5.0.1.zip
+          mkdir -p capstone-5.0.1/build
+          cd capstone-5.0.1/build
+          ../nmake.bat
         shell: powershell
 
       - name: Build Triton Python package
@@ -121,8 +124,8 @@ jobs:
           PYTHON_LIBRARY: ${{ env.pythonLocation }}\libs\${{ matrix.pylib }}
           Z3_INCLUDE_DIRS: ${{ github.workspace }}\z3-4.12.2-x64-win\include
           Z3_LIBRARIES: ${{ github.workspace }}\z3-4.12.2-x64-win\bin\libz3.lib
-          CAPSTONE_INCLUDE_DIRS: ${{ github.workspace }}\capstone-4.0.2-win64\include
-          CAPSTONE_LIBRARIES: ${{ github.workspace }}\capstone-4.0.2-win64\capstone.lib
+          CAPSTONE_INCLUDE_DIRS: ${{ github.workspace }}\capstone-5.0.1\include
+          CAPSTONE_LIBRARIES: ${{ github.workspace }}\capstone-5.0.1\build\capstone.lib
 
       - name: Repair wheel package
         run: |

.gitignore

@@ -11,6 +11,7 @@
 .DS_Store
 .gdb_history
 CMakeLists.txt.user
+CMakeUserPresets.json
 build*/*
 peda-session*
 pin.log
@@ -19,6 +20,7 @@ private/*
 *.so
 .cache
 .vscode
+.venv
 dist/
 *.egg-info/
 wheelhouse/

CMakeLists.txt

@@ -192,7 +192,7 @@ endif()
 
 # Find Capstone
 message(STATUS "Compiling with Capstone")
-find_package(CAPSTONE REQUIRED)
+find_package(CAPSTONE 5 REQUIRED)
 message(STATUS "CAPSTONE version: ${CAPSTONE_VERSION}")
 if(TARGET capstone::capstone)
     link_libraries(capstone::capstone)

Dockerfile

@@ -11,9 +11,9 @@ RUN apt update && apt upgrade -y && apt install -y build-essential clang curl gi
 
 # libcapstone >= 4.0.x
 RUN cd /tmp && \
-    curl -o cap.tgz -L https://github.com/aquynh/capstone/archive/4.0.2.tar.gz && \
-    tar xvf cap.tgz && cd capstone-4.0.2/ && ./make.sh && make install && rm -rf /tmp/cap* \
-    && ln -s /usr/lib/libcapstone.so.4 /usr/lib/x86_64-linux-gnu/libcapstone.so
+    curl -o cap.tgz -L https://github.com/aquynh/capstone/archive/5.0.1.tar.gz && \
+    tar xvf cap.tgz && cd capstone-5.0.1/ && ./make.sh && make install && rm -rf /tmp/cap* \
+    && ln -s /usr/lib/libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so
 
 # libbitwuzla >= 0.4.0
 RUN cd /tmp && \

src/libtriton/arch/arm/aarch64/aarch64Semantics.cpp

@@ -65,6 +65,7 @@ EON (shifted register)        | Bitwise Exclusive OR NOT (shifted register)
 EOR (immediate)               | Bitwise Exclusive OR (immediate)
 EOR (shifted register)        | Bitwise Exclusive OR (shifted register)
 EXTR                          | EXTR: Extract register
+FMOV                          | Floating-point Move register without conversion.
 LD3 (multiple structure)      | Load multiple 3-element structures to three registers.
 LD3R                          | Load single 3-element structure and Replicate to all lanes of three registers.
 LD4 (multiple structure)      | Load multiple 4-element structures to four registers.
@@ -259,6 +260,7 @@ namespace triton {
             case ID_INS_EON:       this->eon_s(inst);           break;
             case ID_INS_EOR:       this->eor_s(inst);           break;
             case ID_INS_EXTR:      this->extr_s(inst);          break;
+            case ID_INS_FMOV:      this->fmov_s(inst);          break;
             case ID_INS_LD3:       this->ld3_s(inst);           break;
             case ID_INS_LD3R:      this->ld3r_s(inst);          break;
             case ID_INS_LD4:       this->ld4_s(inst);           break;
@@ -1854,6 +1856,22 @@ namespace triton {
           this->controlFlow_s(inst);
         }
 
+        void AArch64Semantics::fmov_s(triton::arch::Instruction& inst) {
+          auto& dst  = inst.operands[0];
+          auto& src = inst.operands[1];
+
+          /* Create the semantics */
+          auto node = this->symbolicEngine->getOperandAst(inst, src);
+
+          /* Create symbolic expression */
+          auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "FMOV operation");
+
+          /* Spread taint */
+          expr->isTainted = this->taintEngine->taintAssignment(dst, src);
+
+          /* Update the symbolic control flow */
+          this->controlFlow_s(inst);
+        }
 
         void AArch64Semantics::ld3_s(triton::arch::Instruction& inst) {
           std::list<triton::ast::SharedAbstractNode> vec0;
@@ -5677,16 +5695,10 @@ namespace triton {
           /* Create the semantics */
           auto vas_size = src.getConstRegister().getVASSize() * triton::bitsize::byte;
 
-          auto low = src.getConstRegister().getVectorIndex() * vas_size;
-          auto high = low + vas_size - 1;
-
           auto node = 
             this->astCtxt->zx(
               dst.getBitSize() - vas_size, 
-              this->astCtxt->extract(
-                      high,  
-                      low, 
-                      this->symbolicEngine->getOperandAst(inst, src))
+              this->symbolicEngine->getOperandAst(src)    
             );
 
           /* Create symbolic expression */

src/libtriton/engines/symbolic/symbolicEngine.cpp

@@ -790,6 +790,15 @@ namespace triton {
         }
       }
 
+      triton::ast::SharedAbstractNode SymbolicEngine::getIndexAst(const triton::arch::arm::ArmOperandProperties& vas_index, const triton::ast::SharedAbstractNode& node) {
+        auto vas_size = vas_index.getVASSize() * triton::bitsize::byte;
+
+        auto low = vas_index.getVectorIndex() * vas_size;
+        auto high = low + vas_size - 1;
+
+        return this->astCtxt->extract(high, low, node);
+      }
+
 
       triton::ast::SharedAbstractNode SymbolicEngine::getExtendAst(const triton::arch::arm::ArmOperandProperties& extend, const triton::ast::SharedAbstractNode& node) {
         triton::uint32 size = extend.getExtendSize();
@@ -938,6 +947,11 @@ namespace triton {
           return this->getShiftAst(static_cast<const triton::arch::arm::ArmOperandProperties>(reg), node);
         }
 
+        /* Extract AST if it's have vector index (mainly used for Arm Neon) */
+        if (reg.getVectorIndex() != -1 && reg.getVASSize() != 0) {
+          return this->getIndexAst(static_cast<const triton::arch::arm::ArmOperandProperties>(reg), node);
+        }
+
         return node;
       }
 

src/libtriton/includes/triton/aarch64Semantics.hpp

@@ -254,6 +254,9 @@ namespace triton {
 
             //! The EXTR semantics.
             void extr_s(triton::arch::Instruction& inst);
+
+            //! The FMOV semantics.
+            void fmov_s(triton::arch::Instruction& inst);
 
             //! The LD3 semantics.
             void ld3_s(triton::arch::Instruction& inst);

src/libtriton/includes/triton/symbolicEngine.hpp

@@ -229,6 +229,9 @@ namespace triton {
           //! Returns the AST corresponding to the shift operation. Mainly used for Arm32 operands.
           triton::ast::SharedAbstractNode getShiftAst(const triton::arch::arm::ArmOperandProperties& shift, const triton::ast::SharedAbstractNode& node);
 
+          //! Returns the AST corresponding to the VAS vector index operation. Mainly used for Arm Neon vector operands.
+          triton::ast::SharedAbstractNode getIndexAst(const triton::arch::arm::ArmOperandProperties& vas_index, const triton::ast::SharedAbstractNode& node);
+
           //! Returns the new symbolic expression and links this expression to the instruction.
           TRITON_EXPORT const SharedSymbolicExpression& createSymbolicExpression(triton::arch::Instruction& inst, const triton::ast::SharedAbstractNode& node, const triton::arch::OperandWrapper& dst, const std::string& comment="");
 

src/testers/aarch64/unicorn_test_aarch64.py

@@ -2096,16 +2096,16 @@
     (b"\x20\xe8\x40\x0d", "ld3r {v0.2s, v1.2s, v2.2s}, [x1]"),
     (b"\x20\xec\x40\x0d", "ld3r {v0.1d, v1.1d, v2.1d}, [x1]"),
 
-    #(b"\x20\x40\xdf\x4c", "ld3 {v0.16b, v1.16b, v2.16b}, [x1], #48"),   # working on capstone 5.x but not on 4.x
-    #(b"\x20\x44\xdf\x0c", "ld3 {v0.4h, v1.4h, v2.4h}, [x1], #24"),      # working on capstone 5.x but not on 4.x
-    #(b"\x20\xe0\xdf\x4d", "ld3r {v0.16b, v1.16b, v2.16b}, [x1], #3"),   # working on capstone 5.x but not on 4.x
-    #(b"\x20\xe4\xdf\x4d", "ld3r {v0.8h, v1.8h, v2.8h}, [x1], #6"),      # working on capstone 5.x but not on 4.x
-    #(b"\x20\xe8\xdf\x4d", "ld3r {v0.4s, v1.4s, v2.4s}, [x1], #12"),     # working on capstone 5.x but not on 4.x
-    #(b"\x20\xec\xdf\x4d", "ld3r {v0.2d, v1.2d, v2.2d}, [x1], #24"),     # working on capstone 5.x but not on 4.x
-    #(b"\x20\xe0\xdf\x0d", "ld3r {v0.8b, v1.8b, v2.8b}, [x1], #3"),      # working on capstone 5.x but not on 4.x
-    #(b"\x20\xe4\xdf\x0d", "ld3r {v0.4h, v1.4h, v2.4h}, [x1], #6"),      # working on capstone 5.x but not on 4.x
-    #(b"\x20\xe8\xdf\x0d", "ld3r {v0.2s, v1.2s, v2.2s}, [x1], #12"),     # working on capstone 5.x but not on 4.x
-    #(b"\x20\xec\xdf\x0d", "ld3r {v0.1d, v1.1d, v2.1d}, [x1], #24"),     # working on capstone 5.x but not on 4.x
+    (b"\x20\x40\xdf\x4c", "ld3 {v0.16b, v1.16b, v2.16b}, [x1], #48"),   # working on capstone 5.x but not on 4.x
+    (b"\x20\x44\xdf\x0c", "ld3 {v0.4h, v1.4h, v2.4h}, [x1], #24"),      # working on capstone 5.x but not on 4.x
+    (b"\x20\xe0\xdf\x4d", "ld3r {v0.16b, v1.16b, v2.16b}, [x1], #3"),   # working on capstone 5.x but not on 4.x
+    (b"\x20\xe4\xdf\x4d", "ld3r {v0.8h, v1.8h, v2.8h}, [x1], #6"),      # working on capstone 5.x but not on 4.x
+    (b"\x20\xe8\xdf\x4d", "ld3r {v0.4s, v1.4s, v2.4s}, [x1], #12"),     # working on capstone 5.x but not on 4.x
+    (b"\x20\xec\xdf\x4d", "ld3r {v0.2d, v1.2d, v2.2d}, [x1], #24"),     # working on capstone 5.x but not on 4.x
+    (b"\x20\xe0\xdf\x0d", "ld3r {v0.8b, v1.8b, v2.8b}, [x1], #3"),      # working on capstone 5.x but not on 4.x
+    (b"\x20\xe4\xdf\x0d", "ld3r {v0.4h, v1.4h, v2.4h}, [x1], #6"),      # working on capstone 5.x but not on 4.x
+    (b"\x20\xe8\xdf\x0d", "ld3r {v0.2s, v1.2s, v2.2s}, [x1], #12"),     # working on capstone 5.x but not on 4.x
+    (b"\x20\xec\xdf\x0d", "ld3r {v0.1d, v1.1d, v2.1d}, [x1], #24"),     # working on capstone 5.x but not on 4.x
 
     (b"\x00\xe4\x01\x4f", "movi v0.16b, #32"),
     (b"\xc0\xe6\x00\x0f", "movi v0.8b, #22"),
@@ -2141,6 +2141,21 @@
     (b"\x20\x1c\xa2\x0e", "orr v0.8b, v1.8b, v2.8b"),
     (b"\x20\x1c\x22\x4e", "and v0.16b, v1.16b, v2.16b"),
     (b"\x20\x1c\x22\x0e", "and v0.8b, v1.8b, v2.8b"),
+
+    (b"\x61\x3d\x01\x0e", "umov w1, v11.b[0]"), # working on capstone 5.x but not on 4.x
+    (b"\x61\x3d\x03\x0e", "umov w1, v11.b[1]"), # working on capstone 5.x but not on 4.x
+    (b"\x68\x3c\x16\x0e", "umov w8, v3.H[5]"),  # working on capstone 5.x but not on 4.x
+    (b"\x49\x3c\x06\x0e", "umov w9, v2.H[1]"),  # working on capstone 5.x but not on 4.x
+
+    (b"\x43\x3c\x1c\x0e", "umov w3, v2.S[3]"),  # working on capstone 5.x but not on 4.x
+    (b"\x29\x3c\x0c\x0e", "umov w9, v1.S[1]"),  # working on capstone 5.x but not on 4.x
+    (b"\x22\x3c\x18\x4e", "umov x4, v1.D[1]"),  # working on capstone 5.x but not on 4.x
+    (b"\x21\x3c\x08\x4e", "umov x5, v1.D[0]"),  # working on capstone 5.x but not on 4.x
+
+    #(b"\x5a\x00\xae\x9e", "fmov x26, v2.D[1]"), # working on capstone next branch
+    #(b"\x00\x00\xaf\x9e", "fmov v0.D[1], x0"),  # working on capstone next branch
+    (b"\x40\x03\x67\x9e", "fmov d0, x26"),  
+    (b"\x02\x00\x66\x9e", "fmov x2, d0"),
 ]
 
 def emu_with_unicorn(opcode, istate):