add manually reviewed semantic bugs

1 files changed, 38 insertions, 0 deletions

diff --git a/results/classifier/semantic-bugs/instruction/514 b/results/classifier/semantic-bugs/instruction/514
new file mode 100644
index 00000000..f973fe24
--- /dev/null
+++ b/results/classifier/semantic-bugs/instruction/514
@@ -0,0 +1,38 @@
+instruction: 0.922
+device: 0.778
+graphic: 0.745
+semantic: 0.631
+mistranslation: 0.623
+vnc: 0.549
+assembly: 0.514
+boot: 0.468
+socket: 0.457
+network: 0.427
+other: 0.370
+KVM: 0.335
+
+MTE reports false positive for "str" instruction with the SP as the base register.
+Description of problem:
+When PE executes "sp"-based store instruction with offset I got tag check fault exception. But according to arm spec. load or store that uses "sp" register should generate Tag Unchecked access.
+Steps to reproduce:
+Clang version: clang version 12.0.1. 
+I compiled my code using "-target aarch64-linux -march=armv8+memtag -fsanitize=memtag" for Clang. Clang generates following code:
+```
+0000000000000c14 <test_func>:
+     c14:       a9bc7bfd        stp     x29, x30, [sp, #-64]!
+     c18:       f9000bf7        str     x23, [sp, #16]
+     ...
+```
+Whole stack was mapped in translation tables as Tagged memory."SCTLR" register was configured to trigger synchronous exception on tag mismatch.
+When cpu executes firs instruction "stp     x29, x30, [sp, #-64]!" I got tag check fault exception: "0b010001 When FEAT_MTE is implemented Synchronous Tag Check Fault":
+ESR_EL1=0x96000051.
+
+According to ARM specification load or store that uses "sp" register should generate Tag Unchecked access:
+```
+A Tag Unchecked access will be generated for a load or store that uses either of the following:
+• A base register only, with the SP as the base register.
+• A base register plus immediate offset addressing form, with the SP as the base register.
+```
+Looks like qemu erroneously generates tag mismatch exceptions for SP-based loads and stores with immediate offset.
+Additional information:
+