From 76c0167f5b5734a607ccfa355b07d913a7fc5d42 Mon Sep 17 00:00:00 2001
From: Ryan Scott <rscott@galois.com>
Date: Tue, 13 Aug 2024 11:27:35 -0400
Subject: [PATCH] macaw-x86: Fix `call` semantics when call target involves the
 stack pointer

Previously, the `macaw-x86` semantics for `call` would retrieve the call target
*after* pushing the next instruction's address to the stack, but if the call
target involves the stack pointer, then this would mean that it would get the
next instruction's address when retrieving the call target. This is not what is
intended!

This patch fixes the issue by always retrieving the call target *before*
pushing the next instruction's address to the stack. I have added a test case
to the `macaw-x86-symbolic` test suite which demonstrates that this fix works
as intended.

Fixes #420.
---
 x86/src/Data/Macaw/X86/Semantics.hs    |   7 ++++-
 x86_symbolic/tests/pass/T420.c         |  42 +++++++++++++++++++++++++
 x86_symbolic/tests/pass/T420.opt.exe   | Bin 0 -> 9232 bytes
 x86_symbolic/tests/pass/T420.unopt.exe | Bin 0 -> 9272 bytes
 4 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 x86_symbolic/tests/pass/T420.c
 create mode 100755 x86_symbolic/tests/pass/T420.opt.exe
 create mode 100755 x86_symbolic/tests/pass/T420.unopt.exe

diff --git a/x86/src/Data/Macaw/X86/Semantics.hs b/x86/src/Data/Macaw/X86/Semantics.hs
index 370567a3..6aafcc83 100644
--- a/x86/src/Data/Macaw/X86/Semantics.hs
+++ b/x86/src/Data/Macaw/X86/Semantics.hs
@@ -1376,11 +1376,16 @@ def_set_list =
 
 def_call :: InstructionDef
 def_call = defUnary "call" $ \_ v -> do
+  -- Get the address to branch to. Make sure to do this *before* pushing the
+  -- value of the next instruction. If the call target is the stack pointer,
+  -- then pushing a value will change the underlying value of the stack, so we
+  -- want to ensure that we get the call target before the stack is modified.
+  -- (See the T420 test case in macaw-x86-symbolic's test suite.)
+  tgt <- getCallTarget v
   -- Push value of next instruction
   old_pc <- getReg R.X86_IP
   push addrRepr old_pc
   -- Set IP
-  tgt <- getCallTarget v
   rip .= tgt
 
 -- | Conditional jumps
diff --git a/x86_symbolic/tests/pass/T420.c b/x86_symbolic/tests/pass/T420.c
new file mode 100644
index 00000000..d0c94919
--- /dev/null
+++ b/x86_symbolic/tests/pass/T420.c
@@ -0,0 +1,42 @@
+/**
+ * A regression test for #420 which ensures that macaw-x86's semantics for the
+ * `call` instruction are correct when the call target involves the stack
+ * pointer. If we get it wrong, then the `call *0x8(%rsp)` instruction below
+ * will call a nonsensical address.
+ *
+ * It is surprisingly difficult to get `gcc` to generate code with a
+ * `call *0x8(%rsp)` instruction, so we resort to inline assembly to guarantee
+ * that this happens.
+ */
+
+int one(void) {
+  return 1;
+}
+
+int __attribute__((noinline)) test_callit(void) {
+  int (*fn)(void) = &one;
+  int ret = 0;
+  __asm__(
+    // 1. Decrement the stack pointer in preparation for storing `fn` on the
+    //    stack.
+    "sub $0x10,%%rsp;"
+    // 2. Store the `fn` function pointer (passed as an input) on the stack.
+    "mov  %1,0x8(%%rsp);"
+    // 3. Load `fn` from the stack and call it. This is the key part of the
+    //    test, as we want to ensure that macaw-x86's semantics for `call` will
+    //    retrieve `fn` *before* pushing the next instruction's address onto the
+    //    stack.
+    "call *0x8(%%rsp);"
+    // 4. Save the return value of `fn` as output.
+    "mov %%eax, %0;"
+    // 5. Increment the stack pointer back to its original position.
+    "add $0x10,%%rsp;"
+    : "=r"(ret) /* Outputs */
+    : "r"(fn) /* Inputs */
+    );
+  return ret;
+}
+
+void _start() {
+  test_callit();
+}
diff --git a/x86_symbolic/tests/pass/T420.opt.exe b/x86_symbolic/tests/pass/T420.opt.exe
new file mode 100755
index 0000000000000000000000000000000000000000..062abd862b6925a90223871cfceeb6a75a6661dc
GIT binary patch
literal 9232
zcmeHNOKTHR6h4!_QYmy4L8W4+kcA>0l2B2)kSVP;3lXZx#!Z|w(+A{Hk{f6RAJA17
zh5iH={s@<axTrgE<)VU{LKcFkJ2&GwbMKj^p#_Dm!Z~o~JI^_HzRV_b&+7+|9wsac
zSQ2m_$V%H@<kDAwPg9X;eD`1kJQ#&!lskAFLd`Rl#<7Gp8Nt>z^%x@6*kJlG-qC5m
z$az#3^>a*u<7vfU-nbdLj%sKf&<!H=PM{N60E|gvb6v;Obu2H6Fs4i%BjuAkJyK=T
z|F_=~)(uB@__qtwN4-cVP8S~+0BPSR-vBNW(l6s8o8qg_f4$uO`fm8++m$bO=ROY{
z&R!{CNJJPA2801&Ko}4PgaKhd7!U@80b!s|8TdVZ<Ij8gZ`)oOpIiVSJGVP@6oz4L
z`@5anSx6<rd@8xKpWFUmxA!RC?o%%0v4jC(Ko}4PgaKhd7!U@80bxKG5C(*Ser15p
zgh{LyPr%x=t%<Rb<Q{$xptI!bxW4@e!wZyvLcTPvL-b9O1BHC}*#J7|i_Y^=U!0$x
zb#4|)t(s~%nT$K*rl&Kl$jrRTX5IA6E#t=IGlV`#48qT_H+&5pm+%yu=M%Umo!67!
zHgg2LKYBi!PQN`5wPSHmrF@<@;Ac#s|FrzuXZRsMlTEwJpn|3<F8h_rx`JY{)NB@;
z%5NyB*8(U8WncLSwK9O)+^Q<Sgs2)C*I297Rp74HTJA=pz7aIk7Pzsi)LO5Ur`OBi
zs$f%r8>|&q8h$kZce!4z1~rBII}e$_n~dPX`GH6dEYF~}9S!l7=OozSqS9T@a}qp1
zLHu?L{xT<I4lVla;~9u}E<~rr^B|^*-oI{HM1$&i|KNB!>}beqh_Ai-U&090(|g`6
zc}H9H9&`)kl5}I-TZf|S8%G=a8e)#P|5f83MWh*xUh$^1r*~i6m-8>8a$5a{sei_a
I27BxO0uPFk!T<mO

literal 0
HcmV?d00001

diff --git a/x86_symbolic/tests/pass/T420.unopt.exe b/x86_symbolic/tests/pass/T420.unopt.exe
new file mode 100755
index 0000000000000000000000000000000000000000..57da9251a72195b7068a3fb63c734a7de1ba5dec
GIT binary patch
literal 9272
zcmeHN&ubG=5T1?wkwUdmJSdg2g+LYQl9V1)L{{oHdk~@8f=EkDn$;GXq$Dqp_MnG?
z5Q@;Fe}Q=NES?G#EQomYB#2PVK@qV?@v_eBd$ZYu78JZ#-oV>$=9`&)FJF3T-aK@!
zPsR)b*kW)6C~^~aK*=Y--f$2q?gI3J4Sf&~YP(t~^lTML?2pNi5fU<{J-W$NF{u3*
zZ_6@Z<T~mL_A^z1X-h|8UD1r(M?JK*=>-AWZD<A&0ApOm+}BinO~Vc{j7e3;NcCj5
zc0_^vzuj*N`+9;m{Mm!$qrJ!{O*1!U0A=4K?g%b2@=xNTnDXy`&drW|NPQgw^X{9c
z&p)re9T~!uHm!hGKr5gX&<bb;v;tZIt$<cQE1(rPqze2P82UBiHg;an|F?5n9J-IY
zKl#4zHk`fJ&Mtj+ciq`@*S;j&#<gVJpH9Xbo9^1HM8nx#cXnHi&6n7=F}HO{<<cKZ
zE1(t73TOqi0$KsBfL1^&pcT*xXa%$a|D^(SCroCn-UOqbFb4a3;~V%}z!~Idef;M8
z161G~OFW8A9POFJ0+qXr_zv?Iqxt1leir#A=7T$G?$5}4W@6%!d3GjWD~Xz!PFv$v
zYBXI7!t{f&F)KBGPSN!8gN=T+=z{NlXT@nGPT*}f&oS^lIh~#O0X1(BoE<sRAwjp~
zwvArPOmwN9=Mn-fkW1p)um1c2JWP*|rL1`nUR7l0b4yE$0<zhBwVJJpTtz^+<U!Ue
z<U|gkQ~<E5D@BpZBZ`W|1@=m1;aT@fHEX$2UiK<t1+0+D*A|xwql*QwgjW|}c?;Ql
zm0ZySYrb48dL@D9`xiEdFX_dFa|VHJ8@56jn-an&&r>jAp%d-rc?zDhAbq2T-%Oib
z#fZN9a8@FmACYC@+=%L;+NfnPAdb%urY+N^gm8XDhB)ccZc`Xif2y5^x+w|zJBS+Z
yAH{I*NZ~V62Ahgwjd=f4itj_DS&mLy7?w=uxp-f$KaS3R{ZCZ?9WGSZ+5a0Y%dXM@

literal 0
HcmV?d00001