EX and EXRL can produce spurious PIC 3 (S0C3) with a crafted test case #415
Comments
|
Hi Toni, Well it looks like yet another day one bug! We've seen quite a few in Hercules recently. Thanks for reporting it. I'll take a look at it. It might be a welcome distraction from the harder to fix issues we're currently having. Cheers. |
Fish-Git
added
the
BUG
|
Some time ago I started thinking about this odd notion of EX changing the target instruction opcode. I'm sure this has extremely limited legitimate use (well I guess TRAP2 and TRAP4 were intentionally made I suppose they could have defined EX so that it doesn't do the OR if it would change the opcode, but that would probably add to the decoding overhead. It still has to OR the part of the byte that isn't the opcode (typically a register number). There is no integrity or security exposure that I can see from this architectural decision, even though one can change from an unpriv to a priv instruction. But of course a bug in an emulator (or Real Iron, I suppose) could lead to badness. IIRC one of those IBM architecture papers says that EX is treated like a branch instruction that is always predicted to succeed, but that is discovered to always fail (after execution of the target). And of course there needs to be special handling if the EXecuted instruction is itself a branch or an LPSW or the like. Here's how I can imagine an integrity bug working: (I'm not at all claiming that there is such a bug in Hercules!) If some kind of pre-checking for priv vs. non-priv instructions was performed in an I-unit (perhaps as part of a general pre-fetch and instruction setup operation) and the opcode was then changed by EX from non-priv to priv, then we'd have a classic TOCTTOU ("Time-of-check to time-of-use") exposure. I suppose it would be pretty easy to compile a table of all possible opcodes that can be converted by EX from non-priv to priv, and then try them all on various hardware and emulators. Looks as though the instruction formats with part of the opcode in the second byte are |
|
Fixed by commit cbc3d75. Closing. Tony? (@TonyH-Git ) If you can (and are willing), -OR- if you want, please pull current 'develop' branch git, rebuild and retest. It should work as expected now. Thanks. |
|
Fish, The new test, Bill |
Correct.
Yes. |
This test was run on Juergen's system wotho4.ethz.ch at reported Hercules Version : 4.3.9999.10200-SDL-g208e766-modified. Looking at the current code on Github, I see no updates that would have fixed this.
Execute of an Execute is defined to produce a program interruption 3. The Hercules implementation has a bug that - in a contrived case - produces such an exception even when the target is not another execute instruction.
Here is that case:
This happens because the test for Execute of Execute is made before the low byte of the register (in this case R1) is OR'd with the second byte of the target of the Execute.
In the case of EX/EXRL of EX, this is fine. In the case of EX/EXRL of EXRL however, the second byte is part of the opcode, and so after the OR, if the low byte of the register is not 0, it won't be an EXRL instruction anymore. In the above example, R1 contains 5, which turns the coded EXRL (C6x0) into a CHRL (C6x5) (Compare Halfword Relative Long), which is a completely valid instruction to be EXecuted.
Obviously this is a bizarre corner case that nobody in the Real World is going to encounter. But it looks trivial to fix, and on principle it should be done, though certainly with low priority.
I have confirmed that on both Real Iron (zBC12) and a zPDT, the behaviour matches my expectations.
The text was updated successfully, but these errors were encountered: