incorrect POP semantics with relative stack pointer

[gyorokpeter]

>>> from triton import *
>>> setArchitecture(ARCH.X86)
>>> inst1 = Instruction('\xBC\x00\xFE\x19\x00')
>>> inst2 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
>>> inst3 = Instruction('\x8F\x04\x24')
>>> processing(inst1)
True
>>> processing(inst2)
True
>>> processing(inst3)
True
>>> inst1
0: mov esp, 0x19fe00
>>> inst2
0: mov dword ptr [esp], 0x11111111
>>> inst3
0: pop dword ptr [esp]
>>> for sa in inst3.getStoreAccess():
...     print hex(sa[0].getAddress())
...
0x19fe00L

The expected result is 0x19fe04L. When popping a value to an address relative to ESP, the change to ESP comes before the address resolution.

[JonathanSalwan]

One more weird semantics undocumented into the Intel manual. Thanks!

[gyorokpeter]

It is actually documented, I just checked in the manual available from the official site (https://software.intel.com/en-us/articles/intel-sdm):

If the ESP register is used as a base register for addressing a destination operand in memory, the POP instruction computes the effective address of the operand after it increments the ESP register.

[JonathanSalwan]

Indeed. My bad.

[KnoooW]

trying modeling intel instructions is really tough job..