[{"data":1,"prerenderedAt":235},["ShallowReactive",2],{"pages":3},[4,57,88,112,135,160],{"id":5,"title":6,"body":7,"description":47,"extension":48,"meta":49,"navigation":50,"path":51,"seo":52,"status":53,"stem":54,"tool":55,"tracker":53,"__hash__":56},"binaryToolBugs\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-bt-bit-offset.md","Incorrect bit offset for BT\u002FBTS\u002FBTR\u002FBTC with memory operand",{"type":8,"value":9,"toc":43},"minimark",[10,30],[11,12,14,15,19,20,19,23,19,26,29],"h1",{"id":13},"incorrect-bit-offset-for-btbtsbtrbtc-with-memory-operand","Incorrect bit offset for ",[16,17,18],"code",{},"BT","\u002F",[16,21,22],{},"BTS",[16,24,25],{},"BTR",[16,27,28],{},"BTC"," with memory operand",[31,32,33,34,19,36,19,38,19,40,42],"p",{},"In all bit test variants (",[16,35,18],{},[16,37,22],{},[16,39,25],{},[16,41,28],{},") on memory with a register bit offset, the bit offset is computed incorrectly. The bit offset is converted to a byte offset by shifting right by 3, then zero-extending the result to 64 bits. It should be sign-extended, to preserve the sign bits of negative offsets.",{"title":44,"searchDepth":45,"depth":45,"links":46},"",2,[],"In all bit test variants (BT\u002FBTS\u002FBTR\u002FBTC) on memory with a register bit offset, the bit offset is computed incorrectly. The bit offset is converted to a byte offset by shifting right by 3, then zero-extending the result to 64 bits. 
It should be sign-extended, to preserve the sign bits of negative offsets.","md",{},true,"\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-bt-bit-offset",{"title":6,"description":47},null,"binary-tool-bugs\u002Fdasgupta\u002Fincorrect-bt-bit-offset","Dasgupta et al.","27R2i9GoHErWtTsMzhlY5q8vummeR0OM7uJL9axdb60",{"id":58,"title":59,"body":60,"description":82,"extension":48,"meta":83,"navigation":50,"path":84,"seo":85,"status":53,"stem":86,"tool":55,"tracker":53,"__hash__":87},"binaryToolBugs\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-cmps-comparison.md","CMPS performs comparison incorrectly",{"type":8,"value":61,"toc":80},[62,69],[11,63,65,68],{"id":64},"cmps-performs-comparison-incorrectly",[16,66,67],{},"CMPS"," performs comparison incorrectly",[31,70,71,72,75,76,79],{},"The CMPS variants perform a comparison by setting flags according to ",[16,73,74],{},"Mem2 - Mem1",", but they should be set according to ",[16,77,78],{},"Mem1 - Mem2",".",{"title":44,"searchDepth":45,"depth":45,"links":81},[],"The CMPS variants perform a comparison by setting flags according to Mem2 - Mem1, but they should be set according to Mem1 - Mem2.",{},"\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-cmps-comparison",{"title":59,"description":82},"binary-tool-bugs\u002Fdasgupta\u002Fincorrect-cmps-comparison","UMXbyAIOk7jAlicOR_6XGF9huTFosXRpB3Y9UzVD6Do",{"id":89,"title":90,"body":91,"description":106,"extension":48,"meta":107,"navigation":50,"path":108,"seo":109,"status":53,"stem":110,"tool":55,"tracker":53,"__hash__":111},"binaryToolBugs\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-rclb-rcrb-of.md","OF incorrect for RCLB\u002FRCRB",{"type":8,"value":92,"toc":104},[93,96],[11,94,90],{"id":95},"of-incorrect-for-rclbrcrb",[31,97,98,99,103],{},"The overflow flag (OF) of RCLB\u002FRCRB is undefined when the masked rotate count is not 0 or 1. However, Dasgupta et al. 
specifies the OF as undefined when the masked rotate count ",[100,101,102],"em",{},"modulo the operand size + 1"," is not 0 or 1.",{"title":44,"searchDepth":45,"depth":45,"links":105},[],"The overflow flag (OF) of RCLB\u002FRCRB is undefined when the masked rotate count is not 0 or 1. However, Dasgupta et al. specifies the OF as undefined when the masked rotate count modulo the operand size + 1 is not 0 or 1.",{},"\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-rclb-rcrb-of",{"title":90,"description":106},"binary-tool-bugs\u002Fdasgupta\u002Fincorrect-rclb-rcrb-of","c7Aw-mgXRjLTrPDU3reaVI-tq7FfNd4lY5vyCqcypVw",{"id":113,"title":114,"body":115,"description":129,"extension":48,"meta":130,"navigation":50,"path":131,"seo":132,"status":53,"stem":133,"tool":55,"tracker":53,"__hash__":134},"binaryToolBugs\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-vmpsadbw-destination-register.md","vmpsadbw_xmm_xmm_m128_imm8 writes to wrong destination",{"type":8,"value":116,"toc":127},[117,120],[11,118,114],{"id":119},"vmpsadbw_xmm_xmm_m128_imm8-writes-to-wrong-destination",[31,121,122,123,126],{},"The ",[16,124,125],{},"VMPSADBW"," instruction incorrectly writes to the source operand (R3) instead of the destination operand (R4).",{"title":44,"searchDepth":45,"depth":45,"links":128},[],"The VMPSADBW instruction incorrectly writes to the source operand (R3) instead of the destination operand (R4).",{},"\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fincorrect-vmpsadbw-destination-register",{"title":114,"description":129},"binary-tool-bugs\u002Fdasgupta\u002Fincorrect-vmpsadbw-destination-register","Z8tc16Q1dfGcy-T3zGZKk2F4UHZu5u2yS602UG297qQ",{"id":136,"title":137,"body":138,"description":154,"extension":48,"meta":155,"navigation":50,"path":156,"seo":157,"status":53,"stem":158,"tool":55,"tracker":53,"__hash__":159},"binaryToolBugs\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fmulx-equal-destination-crash.md","Crash when MULX is executed with identical destination 
registers",{"type":8,"value":139,"toc":152},[140,143],[11,141,137],{"id":142},"crash-when-mulx-is-executed-with-identical-destination-registers",[31,144,122,145,148,149,151],{},[16,146,147],{},"MULX"," instructions write a result to two destination operands. The destination operands can be equal. Dasgupta et al.'s semantics have not taken this possibility into account, causing the K prover to crash when ",[16,150,147],{}," with equal destination operands is executed.",{"title":44,"searchDepth":45,"depth":45,"links":153},[],"The MULX instructions write a result to two destination operands. The destination operands can be equal. Dasgupta et al.'s semantics have not taken this possibility into account, causing the K prover to crash when MULX with equal destination operands is executed.",{},"\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fmulx-equal-destination-crash",{"title":137,"description":154},"binary-tool-bugs\u002Fdasgupta\u002Fmulx-equal-destination-crash","JSTTA1_zbD4xgypju4yqoAcMTqoCOJbFtVLh4iG3TNE",{"id":161,"title":162,"body":163,"description":228,"extension":48,"meta":229,"navigation":50,"path":230,"seo":231,"status":232,"stem":233,"tool":55,"tracker":53,"__hash__":234},"binaryToolBugs\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fxchg-disassembler-confusion.md","XCHGL is disassembled incorrectly",{"type":8,"value":164,"toc":226},[165,172,215],[11,166,168,171],{"id":167},"xchgl-is-disassembled-incorrectly",[16,169,170],{},"XCHGL"," is disassembled incorrectly",[31,173,174,175,178,179,182,183,186,187,190,191,193,194,197,198,201,202,204,205,208,209,211,212,214],{},"The instruction ",[16,176,177],{},"XCHGL EAX, EAX"," can be encoded as both ",[16,180,181],{},"87C0"," and ",[16,184,185],{},"90",". The second encoding has the semantics of ",[16,188,189],{},"NOP"," (do nothing), while the first has the semantics of ",[16,192,170],{}," (set the upper 32 bits of ",[16,195,196],{},"RAX"," to zero). ",[16,199,200],{},"objdump",", the disassembler used by Dasgupta et al., 
incorrectly disassembles ",[16,203,185],{}," with a ",[16,206,207],{},"REX"," prefix as ",[16,210,170],{}," instead of ",[16,213,189],{},".",[31,216,217,218,225],{},"This bug ",[219,220,224],"a",{"href":221,"rel":222},"https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=binutils-gdb.git;a=commit;h=2f399d995b59a522c2739c0ab163c501c082cafb",[223],"nofollow","has since been fixed in binutils",".\nPlease note that older versions of Ubuntu ship old versions of binutils that still contain this bug. You will need a version newer than Ubuntu 22.04.",{"title":44,"searchDepth":45,"depth":45,"links":227},[],"The instruction XCHGL EAX, EAX can be encoded as both 87C0 and 90. The second encoding has the semantics of NOP (do nothing), while the first has the semantics of XCHGL (set the upper 32 bits of RAX to zero). objdump, the disassembler used by Dasgupta et al., incorrectly disassembles 90 with a REX prefix as XCHGL instead of NOP.",{},"\u002Fbinary-tool-bugs\u002Fdasgupta\u002Fxchg-disassembler-confusion",{"title":162,"description":228},"fixed","binary-tool-bugs\u002Fdasgupta\u002Fxchg-disassembler-confusion","5wMXwoHF-FVcNulLAIgvA6VFx6Hc0Nx2sk-SN1qnHFg",1781024813297]