Re: some binaries crash with SIGILL on Zybo-Z7-20

[Martin Husemann <martin%duskware.de@localhost>]

On Wed, Oct 31, 2018 at 10:08:31AM +0000, Alexander Nasonov wrote:
> There is indeed an invalid instruction if I open libc.so on my
> Intel notebook in radare2 tool:
> 
> [0x000a03e4]> s sym._string_hash_func
> [0x000a03e4]> pd 125
> ...
>        0x000a0568      a0c1a0e1       lsr ip, r0, 3
>        0x000a056c      03308fe0       add r3, pc, r3
>        0x000a0570      7fc00ce2       and ip, ip, 0x7f
>        0x000a0574      30402de9       push {r4, r5, lr}
>        0x000a0578      0c3183e0       add r3, r3, ip, lsl 2
>        0x000a057c      01e0a0e3       mov lr, 1
>   ..-> 0x000a0580      9e4003e1       invalid                     <--- HERE
>  ,===< 0x000a0584      010000ea       b 0xa0590
>  |::   0x000a0588      000055e3       cmp r5, 0
>  |`==< 0x000a058c      fbffff1a       bne 0xa0580
>  `---> 0x000a0590      000054e3       cmp r4, 0
>    `=< 0x000a0594      f9ffff1a       bne 0xa0580

Not sure what that tool does, but this is how objdump -D looks on my armv5
machine:

   a0434:       e1a0c1a0        lsr     ip, r0, #3
   a0438:       e08f3003        add     r3, pc, r3
   a043c:       e20cc07f        and     ip, ip, #127    ; 0x7f
   a0440:       e92d4030        push    {r4, r5, lr}
   a0444:       e083310c        add     r3, r3, ip, lsl #2
   a0448:       e3a0e001        mov     lr, #1
>> a044c:       e103409e        swp     r4, lr, [r3]  <<--- HERE
   a0450:       ea000001        b       a045c <_string_hash_func+0x70>
   a0454:       e3550000        cmp     r5, #0
   a0458:       1afffffb        bne     a044c <_string_hash_func+0x60>
   a045c:       e3540000        cmp     r4, #0
   a0460:       1afffff9        bne     a044c <_string_hash_func+0x60>
   a0464:       e5d03000        ldrb    r3, [r0]

And SWP{B} are valid in all arm versions AFAICT (though deprecated since
armv6 in favor of strex/ldrex).

Martin