
Improve x86 flag lifting semantics #8300

Open
zznop wants to merge 1 commit into dev from test_x86_flags


Conversation

@zznop (Member) commented Jun 30, 2026

Summary

This improves x86 LLIL flag lifting coverage and correctness across arithmetic, test, rotate, shift, double-shift, and signed multiply instructions. It replaces previously unimplemented or ad hoc flag behavior with proper flag-system callbacks where possible, using newer LLIL operations such as POPCNT (for PF) and Unknown (to model flags that are expectedly undefined).

Changes

  • Model parity flag computation using POPCNT.
  • Model auxiliary carry for arithmetic instructions using low-nibble carry/borrow formulas.
  • Represent architecturally undefined flags with LLIL_UNKNOWN.
  • Add or fix CF/OF behavior for:
    • ADC
    • SBB
    • one-, two-, and three-operand IMUL
    • ROL / ROR
    • RCL / RCR
    • SHL / SAL
    • SHR
    • SAR
    • SHLD
    • SHRD
  • Fix count-sensitive shift/rotate behavior:
    • masked count 0 preserves destination/flags
    • count 1 uses defined OF behavior
    • larger counts produce undefined OF where required
    • memory destinations still avoid writes for count 0
  • Keep register shift/rotate value lifts cleaner by moving count-specific flag behavior into flag callbacks instead of emitting unnecessary LLIL control flow.
  • Fix PTEST / VPTEST:
    • correct CF operand polarity
    • clear OF, SF, AF, and PF
    • use the flag system instead of explicit SetFlag writes
  • Fix APX conditional flag handling:
    • CCMPNL / CTESTNL now use signed greater-or-equal
    • EVEX default flag assignment no longer derives PF from CF
  • Fix SHLD / SHRD issues:
    • count-zero no-op behavior
    • correct source merge direction
    • compute ZF/SF/PF from the final merged result
    • model SHRD count-1 OF from the merged result
  • Improve ENTER lifting for nonzero nesting levels by emitting the frame pointer display setup described by the instruction semantics.

Testing

I've constructed the attached binary that contains each affected instruction along with lahf and seto to ensure that flags are consumed and emitted during lifting for observation. I've also tested with other binaries shared by users.

x86_flag_lift_variants.zip

Closes #4044
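A plain C reference model of the flag rules the change list describes (popcount-based PF, low-nibble AF, ADC carry/overflow, and the count-sensitive SHL behaviour: masked count 0 preserves destination and flags, count 1 defines OF, larger counts leave OF undefined). This is an added example written for this page, not code from the PR or from Binary Ninja, and it models the architectural rules directly rather than emitting LLIL; `of_undefined` stands in for what the PR lifts as Unknown.

```c
#include <stdbool.h>
#include <stdint.h>
/* EFLAGS bit positions. */
enum { CF = 1u << 0, PF = 1u << 2, AF = 1u << 4, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };

/* Value written back plus the flags the operation defines; of_undefined marks
   the case where the architecture leaves OF undefined (lifted as Unknown in the PR). */
struct alu_result { uint32_t value; uint32_t flags; bool of_undefined; };
/* PF: set when the low byte of the result has an even number of 1 bits (popcount model). */
uint32_t parity_flag(uint32_t result) {
    return (__builtin_popcount(result & 0xffu) & 1) ? 0 : PF;
}

/* ZF, SF and PF for a 32-bit result. */
static uint32_t zsp_flags(uint32_t r) {
    uint32_t f = parity_flag(r);
    if (r == 0) f |= ZF;
    if (r & 0x80000000u) f |= SF;
    return f;
}

/* ADC r32: CF from the 33-bit sum, AF from the low-nibble carry
   ((a ^ b ^ result) & 0x10), OF when both inputs share a sign the result lacks. */
struct alu_result adc32(uint32_t a, uint32_t b, bool carry_in) {
    uint64_t sum = (uint64_t)a + b + (carry_in ? 1u : 0u);
    struct alu_result res = { (uint32_t)sum, 0, false };
    res.flags = zsp_flags(res.value);
    if (sum >> 32) res.flags |= CF;
    if ((a ^ b ^ res.value) & 0x10u) res.flags |= AF;
    if (~(a ^ b) & (a ^ res.value) & 0x80000000u) res.flags |= OF;
    return res;
}

/* SHL r32, cl: count masked to 5 bits. Masked count 0 leaves destination and old
   flags untouched; CF is the last bit shifted out; count 1 defines
   OF = MSB(result) XOR CF; larger counts leave OF undefined, reported not invented. */
struct alu_result shl32(uint32_t a, uint8_t count, uint32_t old_flags) {
    unsigned n = count & 0x1fu;
    struct alu_result res = { a, old_flags, false };
    if (n == 0) return res;
    res.value = a << n;
    res.flags = zsp_flags(res.value);
    if ((a >> (32 - n)) & 1u) res.flags |= CF;
    if (n == 1)
        res.flags |= (((res.value >> 31) ^ (res.flags & CF)) & 1u) ? OF : 0;
    else
        res.of_undefined = true;
    return res;
}
```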

@zznop zznop added this to the Krypton milestone Jun 30, 2026
@zznop zznop self-assigned this Jun 30, 2026
@zznop zznop added the Arch: x86 Issues with the x86/x64 architecture plugin label Jun 30, 2026
@plafosse plafosse requested a review from xusheng6 June 30, 2026 21:03
Expand x86 LLIL flag modeling for arithmetic, test, rotate, shift,
double-shift, and signed multiply instructions. Add popcnt-based parity
calculation, auxiliary-carry formulas, SBB/ADC carry and overflow handling,
IMUL truncation checks, and count-sensitive CF/OF behavior for shifts and
rotates. Use LLIL unknown for architecturally undefined flags.

Fix several flag correctness issues, including PTEST/VPTEST flag polarity and
cleared flags, CCMP/CTEST signed-not-less conditions, EVEX default flag values,
and SHLD/SHRD count/result flag behavior.

Keep variable-count register shift and rotate value lifts clean by moving
count-zero/count-one flag handling into flag callbacks, while preserving
count-zero no-op behavior for memory destinations. Also improve ENTER lifting
for nonzero nesting levels.
@zznop zznop force-pushed the test_x86_flags branch from 7d79d09 to c60bdc9 Compare July 1, 2026 21:04


Development

Successfully merging this pull request may close these issues.

Implement C, P, A, and O flags on x86

2 participants