
Assertion in Zax/STARS

When running zafl.sh a.ncexe ./xxx (see attached binary), I'm getting intermittent assertion failures in STARS. While duplication has been challenging, this binary seems to cause the issue pretty often. Enough that I could duplicate the issue in gdb and get a backtrace of the problem and problematic instruction:

(gdb) bt
#0  0x00007fc5adae2f90 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fc5ac8118d2 in SMPInstr::SyncRTLDefUse (this=0x55a6e14d68c0, CurrRT=0x55a6e14d6bd0, UseFP=false, FPDelta=0) at SMPStaticAnalyzer/src/base/SMPInstr.cpp:27110
#2  0x00007fc5ac81176f in SMPInstr::SyncAllRTs (this=0x55a6e14d68c0, UseFP=false, FPDelta=0) at SMPStaticAnalyzer/src/base/SMPInstr.cpp:27081
#3  0x00007fc5ac6dcc1a in SMPFunction::AdvancedAnalysis (this=0x55a6e133b900) at SMPStaticAnalyzer/src/base/SMPFunction.cpp:5473
#4  0x00007fc5ac81947c in SMPProgram::Analyze (this=0x55a6dea04050, pi=0x55a6ddbf9020, AnnotFile=0x55a6dea03c40, InfoAnnotFile=0x55a6dea03880) at SMPStaticAnalyzer/src/base/SMPProgram.cpp:501
#5  0x00007fc5ac8a63a6 in STARS::IRDB_Interface_t::do_STARS (this=0x55a6df166938, firp=0x55a6ddb19b20) at SMPStaticAnalyzer/src/drivers/library/stars_irdb.cpp:194
#6  0x00007fc5adf15d74 in libIRDB::StarsDeepAnalysis_t::StarsDeepAnalysis_t (this=0x55a6df166920, firp=0x55a6ddb19b20, options=std::vector of length 0, capacity 0) at irdb-libs/libIRDB-deep/src/deep.cpp:30
#7  0x00007fc5adf17301 in IRDB_SDK::DeepAnalysis_t::factory (firp=0x55a6ddb19b20, ae=@0x7fffdda28aa0: IRDB_SDK::aeSTARS, options=std::vector of length 0, capacity 0) at irdb-libs/libIRDB-deep/src/deep.cpp:195
#8  0x000055a6dc6064eb in Zafl::ZaxBase_t::ZaxBase_t (this=0x55a6de9f25a0, p_dbinterface=..., p_variantIR=0x55a6ddb19b20, p_forkServerEntryPoint="0x5ca0", p_exitPoints=std::set with 0 elements, p_use_stars=true, p_autozafl=false)
    at tools/zax/zax_base.cpp:136
#9  0x000055a6dc5fd3c0 in Zafl::Zax_t::Zax_t (this=0x55a6de9f25a0, p_dbinterface=..., p_variantIR=0x55a6ddb19b20, p_forkServerEntryPoint="0x5ca0", p_exitPoints=std::set with 0 elements, p_use_stars=true, p_autozafl=false) at tools/zax/zax.cpp:46
#10 0x000055a6dc61b773 in main (argc=6, argv=0x7fffdda292c8) at tools/zax/zax_driver.cpp:317
(gdb) up
#1  0x00007fc5ac8118d2 in SMPInstr::SyncRTLDefUse (this=0x55a6e14d68c0, CurrRT=0x55a6e14d6bd0, UseFP=false, FPDelta=0) at SMPStaticAnalyzer/src/base/SMPInstr.cpp:27110
27110			assert(! LeftOp->IsImmedOp());
(gdb) p this->Dump()
bdfc 6 SMPitype: 0 SPOffset: 0 palignr xmm3, xmm2, 1
USEs:  Operand: immed 1 
 Operand: XMMReg reg: 66 SSANum: -1 
 Operand: XMMReg reg: 67 SSANum: -1 
DEFs:  Operand: immed 1 
RTL:  Operand: immed 1 SMP_ASSIGN  Operand: XMMReg reg: 66 SMP_REVERSE_SHIFT_U  Operand: immed 1 SMP_CONCATENATE  Operand: XMMReg reg: 67


DEFMemOp: 
USEMemOp: 
booleans1: 3 booleans2: 0 booleans3: 192 booleans4: 0 booleans5: 0 
Flow type: DEFAULT

$1 = void
(gdb) 

Notes:

  • This binary comes from the GT benchmark suite and is: res20-anope.icx.O2.pie.strip.elf.gz
  • The faulting instruction is palignr xmm3, xmm2, 1 and the fault is that "LeftOp->IsImmedOp()". Since palignr is a rare 3-operand instruction in x86, I think it's probably an obvious fix.
  • Keep track of hours for AIS. AIS hours are limited. @jwd or @an7s will need to give limits.

May be related: #32 (closed)

[a.ncexe](/uploads/823cde770f9b70beb48636c85531e7c7/a.ncexe)

Edited by Jason Hiser
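For reference when fixing the operand order: the RTL in the dump above has the immediate on the left of SMP_ASSIGN, which is what trips the assertion. The following is an added example (not code from STARS, Zafl, or the reporter) that implements the documented semantics of palignr in plain C: the destination is the first register operand, and the 8-bit immediate is only a byte shift count applied to the concatenation dst:src, so it can never be the left-hand side of the assignment. The byte-ramp inputs in the self-test are constructed here and have nothing to do with the attached binary.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Reference semantics of the SSSE3 instruction `palignr xmm_dst, xmm_src, imm8`:
 * the 256-bit value CONCAT(dst, src), with dst in the high half, is shifted
 * right by imm8 bytes and the low 128 bits are written back to dst. A count of
 * 32 or more shifts every input byte out and leaves dst zeroed. The immediate
 * is a shift count only; the destination is the first (register) operand. */
void palignr128(uint8_t dst[16], const uint8_t src[16], unsigned imm8)
{
    uint8_t cat[32];
    memcpy(cat, src, 16);       /* bytes  0..15 : src (low half)  */
    memcpy(cat + 16, dst, 16);  /* bytes 16..31 : dst (high half) */
    for (unsigned i = 0; i < 16; i++) {
        unsigned from = i + imm8;
        dst[i] = (from < 32) ? cat[from] : 0;
    }
}

/* Constructed test pattern: dst = 16..31 and src = 0..15, so CONCAT(dst, src)
 * reads as the byte ramp 0..31 and, after the shift, dst[i] is simply i+imm8
 * (or 0 once that source byte has been shifted out). */
static void ramp_inputs(uint8_t dst[16], uint8_t src[16])
{
    for (unsigned i = 0; i < 16; i++) {
        src[i] = (uint8_t)i;
        dst[i] = (uint8_t)(16 + i);
    }
}

/* Byte i of the palignr result on the ramp pattern for a given imm8. */
unsigned palignr_shifted_byte(unsigned imm8, unsigned i)
{
    uint8_t dst[16], src[16];
    ramp_inputs(dst, src);
    palignr128(dst, src, imm8);
    return dst[i & 15];
}

/* Known-answer check over shift counts 0..63 (covers the zeroing case);
 * returns 1 when every byte matches the closed-form expectation. */
int palignr_selftest(void)
{
    for (unsigned imm8 = 0; imm8 < 64; imm8++) {
        for (unsigned i = 0; i < 16; i++) {
            unsigned want = (i + imm8 < 32) ? i + imm8 : 0;
            if (palignr_shifted_byte(imm8, i) != want)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    uint8_t dst[16], src[16];
    ramp_inputs(dst, src);
    palignr128(dst, src, 1);    /* the shape of the instruction in the backtrace: shift by 1 byte */
    for (unsigned i = 0; i < 16; i++)
        printf("%02x%s", dst[i], i == 15 ? "\n" : " ");
    return palignr_selftest() ? 0 : 1;
}
```

With imm8 = 1 the ramp inputs yield bytes 01..10: the low byte of the old dst (byte 16 of the concatenation) slides into the top of the result and the rest comes from src. Whatever register numbers 66 and 67 map to in the dump, the assignment's left operand has to be the first xmm register, never the immediate.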