PowerPC: Branch codes not set for some simplified mnemonics (e.g. bdnzt)

[PeterMatula]

In some cases, branch codes are not properly set by Capstone (next branch). For example, instructions bdnzt lt, 0x4bc and bdnzt eq, 0x4bc are undistinguishable from each other -- branch code is PPC_BC_INVALID, there is no PPC_OP_CRX operand.

The output of my Capstone dumper utility program (dumps everything Capstone knows about an instruction) should be pretty self-explanatory:

$ capstone-dumper -a ppc -m 32 -e big -b 0x10000510 -t "bdnzt lt, 0x4bc"

Keystone input : bdnzt lt, 0x4bc
Keystone output: 41 00 ff ac 

Capstone version: 1024 (major: 4, minor: 0)

#0
        General info:
                id     :  1062 (bdnzt)
                addr   :  10000510
                size   :  4
                bytes  :  41 00 ff ac 
                mnem   :  bdnzt
                op str :  lt, 0x100004bc
        Detail info:
                R regs :  2
                        10 (ctr)
                        205 (rm)
                W regs :  1
                        10 (ctr)
                groups :  0
        Architecture-dependent info:
                branch code :  PPC_BC_INVALID
                branch hint :  PPC_BH_INVALID
                update cr0  :  false
                op count    :  1

                        type   :  PPC_OP_IMM
                        imm    :  100004bc

$ capstone-dumper -a ppc -m 32 -e big -b 0x10000510 -t "bdnzt eq, 0x4bc"

Keystone input : bdnzt eq, 0x4bc
Keystone output: 41 02 ff ac 

Capstone version: 1024 (major: 4, minor: 0)

#0
        General info:
                id     :  1062 (bdnzt)
                addr   :  10000510
                size   :  4
                bytes  :  41 02 ff ac 
                mnem   :  bdnzt
                op str :  eq, 0x100004bc
        Detail info:
                R regs :  2
                        10 (ctr)
                        205 (rm)
                W regs :  1
                        10 (ctr)
                groups :  0
        Architecture-dependent info:
                branch code :  PPC_BC_INVALID
                branch hint :  PPC_BH_INVALID
                update cr0  :  false
                op count    :  1

                        type   :  PPC_OP_IMM
                        imm    :  100004bc

This seems to happen when branches work with flags in CR0. When I use some other condition register, another operand of PPC_OP_CRX type is present and it is ok:

$ capstone-dumper -a ppc -m 32 -e big -b 0x10000510 -t "bdnzt 4*cr4+lt, 0x4bc"

Keystone input : bdnzt 4*cr4+lt, 0x4bc
Keystone output: 41 10 ff ac 

Capstone version: 1024 (major: 4, minor: 0)

#0
        General info:
                id     :  1062 (bdnzt)
                addr   :  10000510
                size   :  4
                bytes  :  41 10 ff ac 
                mnem   :  bdnzt
                op str :  4*cr4+lt, 0x100004bc
        Detail info:
                R regs :  2
                        10 (ctr)
                        205 (rm)
                W regs :  1
                        10 (ctr)
                groups :  0
        Architecture-dependent info:
                branch code :  PPC_BC_INVALID
                branch hint :  PPC_BH_PLUS
                update cr0  :  false
                op count    :  2

                        type   :  PPC_OP_CRX
                        scale  :  4
                        reg    :  6 (cr4)
                        br cnd :  PPC_BC_LT

                        type   :  PPC_OP_IMM
                        imm    :  100004bc

[PeterMatula]

It seems like this is happening for all these simplified mnemonics classes:

• Decrement CTR, branch if CTR non-zero AND condition true -- bdnzt, bdnzta, bdnztlr, bdnztl, bdnztla, bdnztlrl
• Decrement CTR, branch if CTR non-zero AND condition false -- bdnzf, bdnzfa, bdnzflr, bdnzfl, bdnzfla, bdnzflrl
• Decrement CTR, branch if CTR zero AND condition true -- bdzt, bdzta, bdztlr, bdztl, bdztla, bdztlrl
• Decrement CTR, branch if CTR zero AND condition false -- bdzf, bdzfa, bdzflr, bdzfl, bdzfla, bdzflrl

[aquynh]

latest code from "next" branch handles these input like below

$ cstool -d ppc64be "4100ffac 4102ffac"   
 0  41 00 ff ac  bdnzt	cr0lt, 0xffac
	ID: 52 (bdnzt)
	op_count: 2
		operands[0].type: REG = cr0lt
		operands[1].type: IMM = 0xffac

 4  41 02 ff ac  bdnzt	cr0eq, 0xffb0
	ID: 52 (bdnzt)
	op_count: 2
		operands[0].type: REG = cr0eq
		operands[1].type: IMM = 0xffb0

[aquynh]

i revised the way condition bits are displayed.

$ cstool -d ppc64be "4100ffac 4102ffac"   
 0  41 00 ff ac  bdnzt	lt, 0xffac
	ID: 52 (bdnzt)
	op_count: 1
		operands[0].type: IMM = 0xffac
	Branch code: 12

 4  41 02 ff ac  bdnzt	eq, 0xffb0
	ID: 52 (bdnzt)
	op_count: 1
		operands[0].type: IMM = 0xffb0
	Branch code: 76

[aquynh]

fixed this in v4 branch (for v4.0.2 release)

$ cstool -d ppc64be "4100ffac 4102ffac"

 0  41 00 ff ac  bdnzt	lt, 0xffffffffffffffac
	ID: 1062 (bdnzt)
	op_count: 1
		operands[0].type: IMM = 0xffffffffffffffac
	Branch code: 12

 4  41 02 ff ac  bdnzt	eq, 0xffffffffffffffb0
	ID: 1062 (bdnzt)
	op_count: 1
		operands[0].type: IMM = 0xffffffffffffffb0
	Branch code: 76

[PeterMatula]

The original issue was fixed, but I have got the same potential issue as here.

It is possible to determine an exact CR registers (cr0lt vs cr4lt) from operands from commit 8623090:

$ cstool -d ppc64be "4100ffac 4102ffac 4110ffac"
 0  41 00 ff ac  bdnzt  cr0lt, 0xffac
        ID: 52 (bdnzt)
        op_count: 2
                operands[0].type: REG = cr0lt
                operands[1].type: IMM = 0xffac
        Branch code: 32625

 4  41 02 ff ac  bdnzt  cr0eq, 0xffb0
        ID: 52 (bdnzt)
        op_count: 2
                operands[0].type: REG = cr0eq
                operands[1].type: IMM = 0xffb0
        Branch code: 294769

 8  41 10 ff ac  bdnzt  cr4lt, 0xffb4
        ID: 52 (bdnzt)
        op_count: 2
                operands[0].type: REG = cr4lt
                operands[1].type: IMM = 0xffb4
        Branch code: 294769

But I'm not sure this is possible in the latest commit in next e3edf79:

$ cstool -d ppc64be "4100ffac 4102ffac 4110ffac"
 0  41 00 ff ac  bdnzt  lt, 0xffffffffffffffac
        ID: 52 (bdnzt)
        op_count: 1
                operands[0].type: IMM = 0xffffffffffffffac
        Branch code: 12
        Groups: jump 

 4  41 02 ff ac  bdnzt  eq, 0xffffffffffffffb0
        ID: 52 (bdnzt)
        op_count: 1
                operands[0].type: IMM = 0xffffffffffffffb0
        Branch code: 76
        Groups: jump 

 8  41 10 ff ac  bdnzt  4*cr4+lt, 0xffffffffffffffb4
        ID: 52 (bdnzt)
        op_count: 1
                operands[0].type: IMM = 0xffffffffffffffb4
        Branch code: 12
        Branch hint: 1
        Groups: jump

How do you distinguish between CR0 in the fist instruction and CR4 in the third one? The only difference is Branch hint set to 1 = PPC_BH_PLUS.

I must admit I'm a bit lost in details of PowerPC branches, so this might not be an issue. But I would like to discuss it with someone more knowledgeable, because right now it seems like some information that was previously present in Capstone structures got lost in the recent changes.

[aquynh]

with the latest code, we have this now.

$ cstool -d ppc64be "4100ffac 4102ffac 4110ffac"
 0  41 00 ff ac  bdnzt	lt, 0xffffffffffffffac
	ID: 52 (bdnzt)
	op_count: 1
		operands[0].type: IMM = 0xffffffffffffffac
	Branch code: 12
	Groups: jump 

 4  41 02 ff ac  bdnzt	eq, 0xffffffffffffffb0
	ID: 52 (bdnzt)
	op_count: 1
		operands[0].type: IMM = 0xffffffffffffffb0
	Branch code: 76
	Groups: jump 

 8  41 10 ff ac  bdnzt	4*cr4+lt, 0xffffffffffffffb4
	ID: 52 (bdnzt)
	op_count: 2
		operands[0].type: REG = cr4lt
		operands[1].type: IMM = 0xffffffffffffffb4
	Branch code: 12
	Branch hint: 1
	Groups: jump 

the last instruction is fixed, but the first 2 still miss LT & EQ as operands.
should we should revert back these as registers CR0LT & CR0EQ?
if so, to be consistent, should we print "4*cr4+lt" as CR4LT?

[aquynh]

fixed now.

$ ./cstool/cstool -d ppc64be "4100ffac 4102ffac 4110ffac"
 0  41 00 ff ac  bdnzt	lt, 0xffffffffffffffac
	ID: 52 (bdnzt)
	op_count: 2
		operands[0].type: REG = cr0lt
		operands[1].type: IMM = 0xffffffffffffffac
	Branch code: 12
	Groups: jump 

 4  41 02 ff ac  bdnzt	eq, 0xffffffffffffffb0
	ID: 52 (bdnzt)
	op_count: 2
		operands[0].type: REG = cr0eq
		operands[1].type: IMM = 0xffffffffffffffb0
	Branch code: 76
	Groups: jump 

 8  41 10 ff ac  bdnzt	4*cr4+lt, 0xffffffffffffffb4
	ID: 52 (bdnzt)
	op_count: 2
		operands[0].type: REG = cr4lt
		operands[1].type: IMM = 0xffffffffffffffb4
	Branch code: 12
	Branch hint: 1
	Groups: jump 

[PeterMatula]

Great, it looks ok now.

[Rot127]

Closed with #2013