Fix RSB, VLDMIA; Add RSC (#197)

* Fix RSB; Add RSC
* Fix vldmia semantics
* To trigger build

README.md

@@ -134,3 +134,4 @@ m.run()
 ```
 
 See the [wiki](https://github.com/trailofbits/manticore/wiki), [examples](examples) directory, and [API reference](http://manticore.readthedocs.io/en/latest/) for further documentation.
+

manticore/core/cpu/arm.py

@@ -347,10 +347,11 @@ class Armv7Cpu(Cpu):
 
 
     # TODO add to abstract cpu, and potentially remove stacksub/add from it?
-    def stack_push(self, data):
+    def stack_push(self, data, nbytes=None):
         if isinstance(data, (int, long)):
-            self.SP -= self.address_bit_size/8
-            self.write_int(self.SP, data, self.address_bit_size)
+            nbytes = nbytes or self.address_bit_size/8
+            self.SP -= nbytes
+            self.write_int(self.SP, data, nbytes * 8)
         elif isinstance(data, BitVec):
             self.SP -= data.size/8
             self.write_int(self.SP, data, data.size)
@@ -572,7 +573,16 @@ class Armv7Cpu(Cpu):
 
     @instruction
     def RSB(cpu, dest, src, add):
-        result, carry, overflow = cpu._ADD(~src.read(), add.read(), 1)
+        inv_src = GetNBits(~src.read(), cpu.address_bit_size)
+        result, carry, overflow = cpu._ADD(inv_src, add.read(), 1)
+        dest.write(result)
+        return result, carry, overflow
+
+    @instruction
+    def RSC(cpu, dest, src, add):
+        carry = cpu.regfile.read('APSR_C')
+        inv_src = GetNBits(~src.read(), cpu.address_bit_size)
+        result, carry, overflow = cpu._ADD(inv_src, add.read(), carry)
         dest.write(result)
         return result, carry, overflow
 
@@ -668,10 +678,10 @@ class Armv7Cpu(Cpu):
 
         for reg in regs:
             reg.write(cpu.read_int(address, cpu.address_bit_size))
-            address += cpu.address_bit_size/8
+            address += reg.size/8
 
         if insn_id == ARM_INS_LDMIB:
-            address -= cpu.address_bit_size/8
+            address -= reg.size/8
 
         if cpu.instruction.writeback:
             base.writeback(address)

tests/test_armv7cpu.py

@@ -1260,6 +1260,12 @@ class Armv7CpuInstructions(unittest.TestCase):
         # Diverging instruction from trace
         self.assertEqual(self.rf.read('R2'), 2)
 
+    @itest_setregs("R6=2", "R8=0xfffffffe")
+    @itest("RSBS r8, r6, #0")
+    def test_rsbs_carry(self):
+        self.assertEqual(self.rf.read('R8'), 0xFFFFFFFE)
+        self._checkFlagsNZCV(1, 0, 0, 0)
+
     def test_flag_state_continuity(self):
         '''If an instruction only partially updates flags, cpu.setFlags should
         ensure unupdated flags are preserved.
@@ -1361,9 +1367,9 @@ class Armv7CpuInstructions(unittest.TestCase):
 
     @itest_custom("vldmia  r1, {d8, d9, d10}")
     def test_vldmia(self):
-        self.cpu.stack_push(20)
-        self.cpu.stack_push(21)
-        self.cpu.stack_push(22)
+        self.cpu.stack_push(20, 8)
+        self.cpu.stack_push(21, 8)
+        self.cpu.stack_push(22, 8)
         self.cpu.R1 = self.cpu.SP
         pre = self.cpu.R1
         self.cpu.execute()
@@ -1375,9 +1381,9 @@ class Armv7CpuInstructions(unittest.TestCase):
     @itest_custom("vldmia  r1!, {d8, d9, d10}")
     def test_vldmia_wb(self):
         pre = self.cpu.SP
-        self.cpu.stack_push(20)
-        self.cpu.stack_push(21)
-        self.cpu.stack_push(22)
+        self.cpu.stack_push(20, 8)
+        self.cpu.stack_push(21, 8)
+        self.cpu.stack_push(22, 8)
         self.cpu.R1 = self.cpu.SP
         self.cpu.execute()
         self.assertEqual(self.cpu.D8, 22)