From 79e1a39038b5307b96a3cb1ee684002c6927e851 Mon Sep 17 00:00:00 2001
From: Ryan Scott <rscott@galois.com>
Date: Fri, 12 Jul 2024 15:12:57 -0400
Subject: [PATCH] macaw-x86-symbolic: Fix idiv/div semantics

When converting a Macaw value with the Macaw type `TupleType [x_1, ..., x_n]`
to Crucible, the resulting Crucible value will have the Crucible type
`StructType (EmptyCtx ::> ToCrucibleType x_n ::> ... ::> ToCrucibleType x_1)`.
(See `macawListToCrucible(M)` in `Data.Macaw.Symbolic.PersistentState` for
where this is implemented.) Note that the order of the tuple's fields is
reversed in the process of converting it to a Crucible struct. This is a
convention that one must keep in mind when dealing with Macaw tuples at the
Crucible level.

As it turns out, the part of `macaw-x86-symbolic` reponsible for interpreting
the semantics of the `idiv` instruction (for signed quotient/remainder) and the
`div` instruction (for unsigned quotient/remainder) were _not_ respecting this
convention. This is because the `macaw-x86-symbolic` semantics were returning a
Crucible struct consisting of `Empty :> quotient :> remainder)`, but at the
Macaw level, this was interpreted as the tuple `(remainder, quotient)`, which
is the opposite of the intended order. This led to subtle bugs such as those
observed in #393.

The solution is straightforward: have the `macaw-x86-symbolic` semantics
compute `Empty :> remainder :> quotient` instead. Somewhat counterintuitive,
but it does work.

Fixes #393.
---
 x86_symbolic/src/Data/Macaw/X86/Crucible.hs   |  15 ++++--
 x86_symbolic/tests/pass/T393-division.c       |  47 ++++++++++++++++++
 x86_symbolic/tests/pass/T393-division.opt.exe | Bin 0 -> 9552 bytes
 .../tests/pass/T393-division.unopt.exe        | Bin 0 -> 9664 bytes
 4 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100644 x86_symbolic/tests/pass/T393-division.c
 create mode 100755 x86_symbolic/tests/pass/T393-division.opt.exe
 create mode 100755 x86_symbolic/tests/pass/T393-division.unopt.exe

diff --git a/x86_symbolic/src/Data/Macaw/X86/Crucible.hs b/x86_symbolic/src/Data/Macaw/X86/Crucible.hs
index 998e0a2e..18dacdf0 100644
--- a/x86_symbolic/src/Data/Macaw/X86/Crucible.hs
+++ b/x86_symbolic/src/Data/Macaw/X86/Crucible.hs
@@ -674,17 +674,24 @@ divNatReprClasses r x =
     M.DWordRepVal -> x
     M.QWordRepVal -> x
 
+-- | Construct a symbolic Macaw pair. Note that @'mkPair' sym x y@ returns the
+-- pair @(y, x)@ and /not/ @(x, y)@. This is because Macaw tuples have the order
+-- of their fields reversed when converted to a Crucible value (see
+-- 'macawListToCrucible' in "Data.Macaw.Symbolic.PersistentState" in
+-- @macaw-symbolic@), so we also reverse the order here to be consistent with
+-- this convention. (Not doing this can cause serious bugs, such as
+-- <https://github.com/GaloisInc/macaw/issues/393>).
 mkPair :: forall sym bak x y
        .  (IsSymBackend sym bak, KnownRepr TypeRepr x, KnownRepr TypeRepr y)
        => Sym sym bak
        -> RegValue sym x
        -> RegValue sym y
-       -> IO (RegValue sym (StructType (EmptyCtx ::> x ::> y)))
+       -> IO (RegValue sym (StructType (EmptyCtx ::> y ::> x)))
 mkPair sym q r = do
-  let pairType :: Ctx.Assignment TypeRepr (EmptyCtx ::> x ::> y)
+  let pairType :: Ctx.Assignment TypeRepr (EmptyCtx ::> y ::> x)
       pairType = Ctx.empty Ctx.:> knownRepr Ctx.:> knownRepr
-  let pairRes :: Ctx.Assignment (RegValue' sym) (EmptyCtx ::> x ::> y)
-      pairRes = Ctx.empty Ctx.:> RV q Ctx.:> RV r
+  let pairRes :: Ctx.Assignment (RegValue' sym) (EmptyCtx ::> y ::> x)
+      pairRes = Ctx.empty Ctx.:> RV r Ctx.:> RV q
   evalApp' sym (\v -> pure (unRV v)) $ MkStruct pairType pairRes
 
 
diff --git a/x86_symbolic/tests/pass/T393-division.c b/x86_symbolic/tests/pass/T393-division.c
new file mode 100644
index 00000000..30076d66
--- /dev/null
+++ b/x86_symbolic/tests/pass/T393-division.c
@@ -0,0 +1,47 @@
+// A regression test for #393 which ensures that macaw-x86-symbolic's semantics
+// for the `idiv` (signed division) and `div` (unsigned division) instructions
+// compute the correct results.
+//
+// GCC is quite clever at optimizing away division-related instructions when one
+// of the operands is a constant, so we have to define things somewhat
+// indirectly to ensure that the resulting x86-64 assembly actually does contain
+// `idiv` and `div`.
+
+int __attribute__((noinline)) mod_signed(int x, int y) {
+  return x % y;
+}
+
+int __attribute__((noinline)) test_mod_signed(void) {
+  return mod_signed(1, 2);
+}
+
+int __attribute__((noinline)) div_signed(int x, int y) {
+  return x / y;
+}
+
+int __attribute__((noinline)) test_div_signed(void) {
+  return !div_signed(1, 2);
+}
+
+unsigned int __attribute__((noinline)) mod_unsigned(unsigned int x, unsigned int y) {
+  return x % y;
+}
+
+unsigned int __attribute__((noinline)) test_mod_unsigned(void) {
+  return mod_unsigned(1, 2);
+}
+
+unsigned int __attribute__((noinline)) div_unsigned(unsigned int x, unsigned int y) {
+  return x / y;
+}
+
+unsigned int __attribute__((noinline)) test_div_unsigned(void) {
+  return !div_unsigned(1, 2);
+}
+
+void _start(void) {
+  test_mod_signed();
+  test_div_signed();
+  test_mod_unsigned();
+  test_div_unsigned();
+};
diff --git a/x86_symbolic/tests/pass/T393-division.opt.exe b/x86_symbolic/tests/pass/T393-division.opt.exe
new file mode 100755
index 0000000000000000000000000000000000000000..b358e47da7b5acc335f64f9c7b30fcc2b7dcd5e4
GIT binary patch
literal 9552
zcmeHN!Alfj6n|@$TE=b>5g0k72O}JI)q{1Y2`fEBX(>dPY1bKb!JU<z+0YK<CBjo3
zymSckAoLF;1W_9nc<><A!9#(UK<E$=q;zO|Z|1#G2L&VOAm4*G@4esm-uw3Z?d)N8
z-u+8gE?2~2AW{M6fTF2{;X}a{AkpB5jI~1*7*GS%es1OZ5_$$lfvv3wLa~qtV%lRb
zxf}!UCw3-C1F@1vb^d-DCum0Cuw7tStkh8r={z5GK4$otVl_Vk5L?Z$)U9yc3fGBk
z<UFyIPjcgnXOaK6`}JVmKEK1xE<zveMLu!bd9@Fa_7Y)xP)W!?f=V&1Pd{3Ev-s|5
zeD-0N_o8m$!_4&C0xl_03@8Q^1BwB~fMP%~pcqgLC<YV*ih*6qz>oNeUlVIjR)0?{
z&c*8up!gL%v%jVX-mlBy`rJUg{vt%yS3Z}^<p-tsWGOyd3hO7<QtwxP`VAxb(vQ|L
zeTV(#b}9GjSc(C~fMP%~pcqgLC<YV*iUGxdVn8vV82Dcd&^uw0*xl<88%@OOYOAUr
z<D);lOFoXe{H<KBr34hhlBk~$BcFsUKE}fmV*3d|A?zmVN5rTH31P#i)bAhxD1?op
zM*B@7M*R+;C84}$sL_5e5u<+o90B^B9UW)2roK$k@rqh1rMKzH=2X!SQ}<e0^kmy9
zhB0{?p?^Ip;d?o{d<cQV`1X99=M>~zbauiu#)X4+#-|vU&)C3tf^j+<Nh@lC-qITe
zg`u2BkNPJg`yOR{gmK~O8soPk{d*bjW?a65G~!$BJG2en#C?GK$h`r*t!G-Bt?Zqw
zo6S3VKX|t5nHZZz$IT8pwiO_`yk&B1ni<zMT`yhm*0ZCzVYO*nX)g_??N|W1JC^g(
z8MIy@utVZGdC%4douWQc$dA|sZw&Mh$`rH1R&&+@-LpqM(Cr~}ppeelp!er<Iot8@
zaQ`TESYL%of1#1ce2L6~Xg<1rkvS7VbaXb>%bbbKpEOD$TfAd7$pwt)9u8+n_<Qny
zM2Ls;G+ZV3ABWJ14%N%&2h9kUw7`UOH9?3IK%1opL#j`1hG9VqfYTA2a!EGYaPMHr
wzpiOP(9Ma$k?enrb8FDb%nL)l={gxixs4$Dvai7OJKw7QIoIEkM7GiTKZQ940RR91

literal 0
HcmV?d00001

diff --git a/x86_symbolic/tests/pass/T393-division.unopt.exe b/x86_symbolic/tests/pass/T393-division.unopt.exe
new file mode 100755
index 0000000000000000000000000000000000000000..6b8f7b4368ad5b7ef4d202e9341e4e6c4bc9c657
GIT binary patch
literal 9664
zcmeHN%WD&15dTtZA5d)+QA>SnZH0<-NgrSpACX$CAhoTnh+3AkS=)$7O0tnwd|gz6
zmma(b9{d;dAYzLKdhmfr=|zMdyc7aGhzho7CC=<Ov%3v#QM~Cl@O|^mZ|1j?{5Cmk
zGB;XJ94+wq1Y3bPC@`A#2W?31LfovjL&BOxu?UJ%QDWB?x+ypXDU!adK!)svU&h#D
zH6AGz)Q|lSSti(X9rEmc8Wm_kc_80RZ-qVckb~<L<zM+EkG%#tG|k=xyfbOc%Mve3
zJoYtI#~$m^PR&?hJpXCGPT&>USNOe+<-=ZhMort=dj!ayL2MN)G(2yBg)!#Sf$aOA
zfky|v&BjMZi@wb4c|3a)Qp%J9N&%&SQa~x76i^B%1(X6x0i}Ra;2%}sYx%bCJ;%~B
z>1zw=)coDnh5K{Y=F^kC6P$RC5AZMW={Gx>%jMj}B8Cfl>ZhRoR;K)3ru<39EpT|x
zP|~^7a^2o8-Hlo91w9?#E!i;}062RNw|lrvz&6@Df$fzk1(X6x0i}RaKq;UUPzopo
zlmbctrGQf4zfb`G6Gro0=@PzSzpt{axMUQb_O}3r>*J?ft^x~M*ZOZ4w5%!WfC9?x
z2mfJ({CUVvL4Ff>hu`k<uLArU@>Sma88`m`@Hdd(>dkk%`EkHsuF!uP@)^iidih;0
ze*y5Z75Z-h9mXNQ-OE2M`E4yN`?T7gzEsRgY4!DblOCw6PuXGp^@avL(6ozSBrk9H
z!%Cs}oXf9R2f%vxw|<P~B5aKSJ3@E^;kLGbH51Nr8}@4kteWr&s<-bYV2!Z+I28~K
z!pXHmaKygH^ZITi{2}4CrhuI!{7&BWy9vKYxP1=+3&C2d@8B|cEnSD_LiqKI?#8{1
zb>Yb6NHP+S>HWeola>Lok%}cF12Ho!k!U<@P;3}|$)u6ALJ7;Q&aZXYh8Yf7Az_%Y
zun>B3Bx;5Fz*`CF2l*6>Tc$n`OX)+2_>h^fMuhG_eW}Q$a9t!UbjuvJgl-NR7ZRbU
zDfIq$G-}2ycyoVgcpr*k;jeUPJkP>&Cz_4A8_%^cqQk+<=eZW1cd6k*^6-gSWQQTb
z&#*JILid~JZk+iYVqvY<+8{uTU%$|TGObDH%<;(3naiP2bix7o0S3r7SINWfJe>P`
zz0=!MJ4pNvDrAjVzs*!z3Z7?dJaqANhm4|L5YF6}Vf>yi#ovivT(Gm!IeR|;7eoG4
A5dZ)H

literal 0
HcmV?d00001