+ add aarch64 FMOV instruction

JonathanSalwan · May 30, 2024 · c60e4eb · c60e4eb
1 parent baf01bd
commit c60e4eb
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 11 deletions.
diff --git a/src/libtriton/arch/arm/aarch64/aarch64Semantics.cpp b/src/libtriton/arch/arm/aarch64/aarch64Semantics.cpp
@@ -65,6 +65,7 @@ EON (shifted register)        | Bitwise Exclusive OR NOT (shifted register)
 EOR (immediate)               | Bitwise Exclusive OR (immediate)
 EOR (shifted register)        | Bitwise Exclusive OR (shifted register)
 EXTR                          | EXTR: Extract register
+FMOV                          | Floating-point Move register without conversion.
 LD3 (multiple structure)      | Load multiple 3-element structures to three registers.
 LD3R                          | Load single 3-element structure and Replicate to all lanes of three registers.
 LD4 (multiple structure)      | Load multiple 4-element structures to four registers.
@@ -259,6 +260,7 @@ namespace triton {
             case ID_INS_EON:       this->eon_s(inst);           break;
             case ID_INS_EOR:       this->eor_s(inst);           break;
             case ID_INS_EXTR:      this->extr_s(inst);          break;
+            case ID_INS_FMOV:      this->fmov_s(inst);          break;
             case ID_INS_LD3:       this->ld3_s(inst);           break;
             case ID_INS_LD3R:      this->ld3r_s(inst);          break;
             case ID_INS_LD4:       this->ld4_s(inst);           break;
@@ -1854,6 +1856,22 @@ namespace triton {
           this->controlFlow_s(inst);
         }
 
+        void AArch64Semantics::fmov_s(triton::arch::Instruction& inst) {
+          auto& dst  = inst.operands[0];
+          auto& src = inst.operands[1];
+
+          /* Create the semantics */
+          auto node = this->symbolicEngine->getOperandAst(inst, src);
+
+          /* Create symbolic expression */
+          auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "FMOV operation");
+
+          /* Spread taint */
+          expr->isTainted = this->taintEngine->taintAssignment(dst, src);
+
+          /* Update the symbolic control flow */
+          this->controlFlow_s(inst);
+        }
 
         void AArch64Semantics::ld3_s(triton::arch::Instruction& inst) {
           std::list<triton::ast::SharedAbstractNode> vec0;
@@ -5677,16 +5695,10 @@ namespace triton {
           /* Create the semantics */
           auto vas_size = src.getConstRegister().getVASSize() * triton::bitsize::byte;
 
-          auto low = src.getConstRegister().getVectorIndex() * vas_size;
-          auto high = low + vas_size - 1;
-
           auto node = 
             this->astCtxt->zx(
               dst.getBitSize() - vas_size, 
-              this->astCtxt->extract(
-                      high,  
-                      low, 
-                      this->symbolicEngine->getOperandAst(inst, src))
+              this->symbolicEngine->getOperandAst(src)    
             );
 
           /* Create symbolic expression */

diff --git a/src/libtriton/engines/symbolic/symbolicEngine.cpp b/src/libtriton/engines/symbolic/symbolicEngine.cpp
@@ -790,6 +790,15 @@ namespace triton {
         }
       }
 
+      triton::ast::SharedAbstractNode SymbolicEngine::getIndexAst(const triton::arch::arm::ArmOperandProperties& vas_index, const triton::ast::SharedAbstractNode& node) {
+        auto vas_size = vas_index.getVASSize() * triton::bitsize::byte;
+
+        auto low = vas_index.getVectorIndex() * vas_size;
+        auto high = low + vas_size - 1;
+
+        return this->astCtxt->extract(high, low, node);
+      }
+
 
       triton::ast::SharedAbstractNode SymbolicEngine::getExtendAst(const triton::arch::arm::ArmOperandProperties& extend, const triton::ast::SharedAbstractNode& node) {
         triton::uint32 size = extend.getExtendSize();
@@ -938,6 +947,11 @@ namespace triton {
           return this->getShiftAst(static_cast<const triton::arch::arm::ArmOperandProperties>(reg), node);
         }
 
+        /* Extract AST if it's have vector index (mainly used for Arm Neon) */
+        if (reg.getVectorIndex() != -1 && reg.getVASSize() != 0) {
+          return this->getIndexAst(static_cast<const triton::arch::arm::ArmOperandProperties>(reg), node);
+        }
+
         return node;
       }
 

diff --git a/src/libtriton/includes/triton/aarch64Semantics.hpp b/src/libtriton/includes/triton/aarch64Semantics.hpp
@@ -254,6 +254,9 @@ namespace triton {
 
             //! The EXTR semantics.
             void extr_s(triton::arch::Instruction& inst);
+
+            //! The FMOV semantics.
+            void fmov_s(triton::arch::Instruction& inst);
 
             //! The LD3 semantics.
             void ld3_s(triton::arch::Instruction& inst);

diff --git a/src/libtriton/includes/triton/symbolicEngine.hpp b/src/libtriton/includes/triton/symbolicEngine.hpp
@@ -229,6 +229,9 @@ namespace triton {
           //! Returns the AST corresponding to the shift operation. Mainly used for Arm32 operands.
           triton::ast::SharedAbstractNode getShiftAst(const triton::arch::arm::ArmOperandProperties& shift, const triton::ast::SharedAbstractNode& node);
 
+          //! Returns the AST corresponding to the VAS vector index operation. Mainly used for Arm Neon vector operands.
+          triton::ast::SharedAbstractNode getIndexAst(const triton::arch::arm::ArmOperandProperties& vas_index, const triton::ast::SharedAbstractNode& node);
+
           //! Returns the new symbolic expression and links this expression to the instruction.
           TRITON_EXPORT const SharedSymbolicExpression& createSymbolicExpression(triton::arch::Instruction& inst, const triton::ast::SharedAbstractNode& node, const triton::arch::OperandWrapper& dst, const std::string& comment="");
 

diff --git a/src/testers/aarch64/unicorn_test_aarch64.py b/src/testers/aarch64/unicorn_test_aarch64.py
@@ -2147,10 +2147,15 @@
     (b"\x68\x3c\x16\x0e", "umov w8, v3.H[5]"),  # working on capstone 5.x but not on 4.x
     (b"\x49\x3c\x06\x0e", "umov w9, v2.H[1]"),  # working on capstone 5.x but not on 4.x
 
-    #(b"\x43\x3c\x1c\x0e", "umov w3, v2.S[3]"),  # working on capstone next branch but not on 4.x or 5.x
-    #(b"\x29\x3c\x0c\x0e", "umov w9, v1.S[1]"),  # working on capstone next branch but not on 4.x or 5.x
-    #(b"\x22\x3c\x18\x4e", "umov x4, v1.D[1]"),  # working on capstone next branch but not on 4.x or 5.x
-    #(b"\x21\x3c\x08\x4e", "umov x5, v1.D[0]"),  # working on capstone next branch but not on 4.x or 5.x
+    (b"\x43\x3c\x1c\x0e", "umov w3, v2.S[3]"),  # working on capstone 5.x but not on 4.x
+    (b"\x29\x3c\x0c\x0e", "umov w9, v1.S[1]"),  # working on capstone 5.x but not on 4.x
+    (b"\x22\x3c\x18\x4e", "umov x4, v1.D[1]"),  # working on capstone 5.x but not on 4.x
+    (b"\x21\x3c\x08\x4e", "umov x5, v1.D[0]"),  # working on capstone 5.x but not on 4.x
+
+    #(b"\x5a\x00\xae\x9e", "fmov x26, v2.D[1]"), # working on capstone next branch
+    #(b"\x00\x00\xaf\x9e", "fmov v0.D[1], x0"),  # working on capstone next branch
+    (b"\x40\x03\x67\x9e", "fmov d0, x26"),  
+    (b"\x02\x00\x66\x9e", "fmov x2, d0"),
 ]
 
 def emu_with_unicorn(opcode, istate):