[ARM32] Hook for "svc" always returns interrupt number 2 #2153
Comments
|
Qiling workarounds this by: https://github.com/qilingframework/qiling/blob/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/posix/syscall/abi/arm.py#L26 Your patch is correct at first glance. Nice catch! |
|
Thank you. Should i open a PR? |
Sure please do so. This also let CI check if it breaks other things. |
kittennbfive
added a commit
to kittennbfive/unicorn
that referenced
this issue
Apr 11, 2025
Currently svc $n always passes intno 2 to the hook, this PR should fix this.
This was referenced Apr 11, 2025
Closed
|
PR is there after some false start. I am not very familiar with github... |
|
@amaanq Gives a much better way to handle this, please refer to this example: The change will live at dev branch until next release. |
|
No problem for me, thank you! |
|
Just for the record: My patch (that has been superseeded) would break unit test test_arm_m_exc_return_hook_interrupt(). This issue can be closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
sorry to bother you again. I think this time i found a real bug regarding ARM32 "svc" instruction (supervisor call).
I compiled current master (f8c6db9) on Linux.
Please consider the attached testcase.
Expected output:
Real output:
I spent a lot of time tracking this down but as i am not familiar with QEMU/Unicorn-internals i don't know the correct way to fix this.
If an
svc $ninstruction is encountered then https://github.com/unicorn-engine/unicorn/blob/master/qemu/target/arm/op_helper.c#L30 is somehow called withexcpset toEXCP_SWI(==2, the wrong value we are always seeing, defined inside https://github.com/unicorn-engine/unicorn/blob/master/qemu/target/arm/cpu.h ). The actualsvccall number is insidesyndromewith some other informations (i don't understand the details).At https://github.com/unicorn-engine/unicorn/blob/master/qemu/target/arm/op_helper.c#L49
cs->exception_indexis then set toexcp(which is 2), butsyndrome(which contails the actual call number we are interested in) is not stored insidecs. Maybe there is the (first part of) the problem?See also the comment at https://github.com/unicorn-engine/unicorn/blob/master/qemu/target/arm/cpu.h#L528 .
I have hacked together a patch, attached here, that works for me; but as i have basically no idea what i am doing i won't open a PR. Somebody else should look at this. No hurry, for me the bug is kinda "resolved".
Thank you.
main.c.txt
arm_svc_patch.diff.txt
The text was updated successfully, but these errors were encountered: