Description
Some instructions occasionally confuse the source and destination operands, writing to the wrong one. The sum of the operands should be written to the destination operand, i.e. the first one, but it is instead written to the source operand.
Reference:
Ref. Intel 64 and IA-32 Architecture Software Developer's Manual Vol. 2B 4-219
Ref. Intel 64 and IA-32 Architecture Software Developer's Manual Vol. 2A 3-181
Affected instructions:
0x0f3a0f0042 # palignr
0x64660fb100 # cmpxchg
NOTE: All combinations of prefixes and operands are omitted.
Reproduction guide
Instruction:
00000000 0F3A0F0042 palignr mm0,[eax],0x42
Input:
binsec disasm -decode 0f3a0f0042
Observed output:
⎧ 0: temp128 := (xmm0₍₁₂₈₎{0,63} :: @[eax₍₃₂₎]₈)
⎪ 1: temp128 := (temp128₍₁₂₈₎ ≫𝒖 528₍₃₂₎)
⎪ 2: temp64 := @[eax₍₃₂₎]₈
palignr ... ⎨ 3: temp64{0, 63} := temp128₍₁₂₈₎{0,63}
⎪ 4: @[eax₍₃₂₎]₈ := temp64₍₆₄₎
⎩ 5: goto ({0x00000005; 32}, 0)
Expected output:
Instead of writing to EAX, the result should be written to mm0.
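An added check, written for this report and not part of BINSEC, that flags the operand confusion mechanically: it takes the instruction text and the decoded DBA statements, maps the first operand to the location BINSEC writes (assuming, as step 0 of the observed output suggests, that mm0 is modelled as the low 64 bits of xmm0), and reports any write to a non-temporary location other than the destination.

```python
import re

# Sample input constructed from the issue: the instruction text and the
# DBA statements BINSEC printed for it (size subscripts kept as shown).
DISASM = "palignr mm0,[eax],0x42"
OBSERVED = [
    "0: temp128 := (xmm0₍₁₂₈₎{0,63} :: @[eax₍₃₂₎]₈)",
    "1: temp128 := (temp128₍₁₂₈₎ ≫𝒖 528₍₃₂₎)",
    "2: temp64 := @[eax₍₃₂₎]₈",
    "3: temp64{0, 63} := temp128₍₁₂₈₎{0,63}",
    "4: @[eax₍₃₂₎]₈ := temp64₍₆₄₎",
    "5: goto ({0x00000005; 32}, 0)",
]
# Constructed: the same sequence with step 4 writing the destination instead.
EXPECTED = OBSERVED[:4] + ["4: xmm0₍₆₄₎{0,63} := temp64₍₆₄₎", OBSERVED[5]]

SUBSCRIPTS = re.compile(r"[\u2080-\u2089\u208d\u208e]")  # strips ₀-₉ ₍ ₎
ASSIGN = re.compile(r"^\s*\d+:\s*(.+?)\s*:=")

def location(operand: str) -> str:
    """Map an assembly operand to the DBA location BINSEC writes.
    Assumption (consistent with the read in step 0): mmN is modelled as
    the low 64 bits of xmmN; a [base] operand becomes the access @[base]."""
    operand = operand.strip()
    if operand.startswith("[") and operand.endswith("]"):
        return "@" + operand
    if re.fullmatch(r"mm\d", operand):
        return "x" + operand
    return operand

def written_locations(dba_lines):
    """Base locations assigned in the DBA (bit restrictions like {0,63}
    dropped), excluding BINSEC's temporaries."""
    locs = []
    for line in dba_lines:
        m = ASSIGN.match(SUBSCRIPTS.sub("", line))
        if not m:
            continue  # not an assignment (e.g. the final goto)
        lhs = re.sub(r"\{.*?\}", "", m.group(1)).strip()
        if not lhs.startswith("temp"):
            locs.append(lhs)
    return locs

def check_destination(disasm, dba_lines):
    """Return (destination, stray writes, destination written). A stray
    write targets a non-temporary location other than the first operand."""
    _, operands = disasm.split(None, 1)
    dest = location(operands.split(",")[0])
    writes = written_locations(dba_lines)
    return dest, [w for w in writes if w != dest], dest in writes
```

Run against the observed output the check reports a stray write to @[eax] and no write to xmm0; the constructed EXPECTED sequence passes cleanly.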
System Info
OS:
# uname -a
Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP Fri Jun 30 05:32:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"
BINSEC: 20170301 0.1