Illegal instruction caused by <UNDEFINED> instruction: 0x0000bab6

Hello,

I have precompiled 3rd party library (driver) for handling device. Library works on my PC with x64 system but when I try to run very simple "Find -> Open -> Close device" program it gives me Illegal instruction. First I thought there is an error in library and someone is calling undefined function pointer or something... But disassembly shows:

[...]
    18a6:       eb02 1303       add.w   r3, r2, r3, lsl #4
    18aa:       69d8            ldr     r0, [r3, #28]
    18ac:       f7ff eda6       blx     13fc <usb_close@plt>
    18b0:       9900            ldr     r1, [sp, #0]
    18b2:       f8d9 9000       ldr.w   r9, [r9]
    18b6:       f8d1 3118       ldr.w   r3, [r1, #280]  ; 0x118
    18ba:       f1b9 0f00       cmp.w   r9, #0
    18be:       f47f af6e       bne.w   179e <RY2_Find+0x9a>
    18c2:       e7e1            b.n     1888 <RY2_Find+0x184>
    18c4:       4b0c            ldr     r3, [pc, #48]   ; (18f8 <RY2_Find+0x1f4>)
    18c6:       447b            add     r3, pc
    18c8:       f8d3 3118       ldr.w   r3, [r3, #280]  ; 0x118
    18cc:       e7dc            b.n     1888 <RY2_Find+0x184>
    18ce:       f7ff ecf0       blx     12b0 <__stack_chk_fail@plt>
    18d2:       bf00            nop
    18d4:       0000b9a0        .word   0x0000b9a0
    18d8:       00000100        .word   0x00000100
    18dc:       0000bab6        .word   0x0000bab6
    18e0:       00000110        .word   0x00000110
    18e4:       0000ba4e        .word   0x0000ba4e
    18e8:       0000ba46        .word   0x0000ba46
    18ec:       0000ba40        .word   0x0000ba40
    18f0:       0000ba38        .word   0x0000ba38
    18f4:       0000ba36        .word   0x0000ba36
    18f8:       0000b90a        .word   0x0000b90a
[...]

The problem is with instruction "18dc: 0000bab6 .word 0x0000bab6"

When I load core to gdb and step to this line I got:

[...] cmp.w r9, #0 │ bne.w 0xb6ef679e <RY2_Find+154> │ b.n 0xb6ef6888 <RY2_Find+388> │ ldr r3, [pc, #48] ; (0xb6ef68f8 <RY2_Find+500>) │ add r3, pc │ ldr.w r3, [r3, #280] ; 0x118 │ b.n 0xb6ef6888 <RY2_Find+388> │ blx 0xb6ef62b0 │ nop │ andeq r11, r0, r0, lsr #19 │ andeq r0, r0, r0, lsl #2 │ ; <UNDEFINED> instruction: 0x0000bab6 │ andeq r0, r0, r0, lsl r1 │ andeq r11, r0, lr, asr #20 │ andeq r11, r0, r6, asr #20 │ andeq r11, r0, r0, asr #20 │ andeq r11, r0, r8, lsr r10 │ andeq r11, r0, r6, lsr r10 │ andeq r11, r0, r10, lsl #18

Is it some kind of "special" instruction that my ARM (Raspberry PI B+, ARMv6-compatible processor rev 7 (v6l)) does not have?

I couldn't find any complete list of all ARM instructions with _bytecode_ and which _version of arm core_ supports them. Is there such list?

+1 Elizabeth Weidmann over 7 years ago

What an "0x0000bab6" instruction actually is depends on the architecture for the processor you are using and the instruction state the processor is executing in.

When I had a debugger decode "0x0000bab6"on a compatible v7-A processor in ARM state, the instruction resolved to "STRHEQ r11, [r0], -r6". If the processor is in Thumb state, the instruction resolved to "DCI 0xbab6".

A listing of all the instructions supported by a particular architecture version can be found in the relevant ARM Architecture Reference Manual (ARM ARM). If you do not have the relevant ARM ARM, you can request a copy from

infocenter.arm.com/.../index.html
Cancel
Up 0 Down

Reply

Reject answer

Cancel
0 mlaski over 7 years ago in reply to Elizabeth Weidmann

Thank you for information.

I've downloaded the manual and digging.
But I have some additional questions:

In which state the processor is when linux is runnuing and I execute program as normal user? I assume ARM state, right?

Does normal compilation using arm-linux-gnueabihf-gcc will produce this illegal code or I have to enable "processor special features" to get this code?

If this code is generated by compiler by default, how to disable it?

regards
Maciek.
Cancel
Up 0 Down

Reply

Accept answer

Cancel
0 mlaski over 7 years ago in reply to Elizabeth Weidmann

Hmm.. I can't even find the instruction STRHEQ in manual (downloaded for armv6, armv7 and armv8). There is STRH (Store Register Halfword) but it is avaliable in all versions of CPU. So... Why I get illegal instruction exception?

What is currently my big issue... I have run program using valgrind and there is no illegal instruction there...
Cancel
Up 0 Down

Reply

Accept answer

Cancel
+1 Ash Wilding over 7 years ago in reply to mlaski

Hi,

The `STRHEQ' instruction can be rewritten as `STRH.EQ' which makes it a bit easier to read; this is an `STRH' instruction that is conditionally executed based on the ALU flags (condition code `EQ' i.e. `Z==1').

Regarding your question though, I would expect this to decode as an illegal instruction if you're in THUMB state at the point that the instruction is decoded:

The opcode you're trying to decode is `0xBAB6' i.e. `0b101101010110010'. In the ARMv5 Architecture Reference Manual §A6.8 "Undefined instruction space" you'll see that any THUMB opcode beginning `0b101110' is undefined, hence it decoding as an illegal instruction.

Alternatively you can look in the ARMv7-AR Architecture Reference Manual and search for "1 0 1 1 1 0 1 0 1 0"; you'll get no results.

However if bit [6] were =1 (i.e. opcode `0xBAF6') then that would be a THUMB `REVSH' instruction. You can find this in the ARMv7-AR manual by searching for "1 0 1 1 1 0 1 0 1 1".

I'm not sure how much that actually helps you with your issue but hopefully it explains what's happening.

Ash.
Cancel
Up 0 Down

Reply

Reject answer

Cancel