/** Returns true if basic block appears to be a function call. If the target address is known and is a single value then it is
* stored in the @p target_va argument, otherwise we store the maximum 64-bit address. If the return address for the function
* call is known then it is stored in the @p return_va argument, otherwise @p return_va will contain the maximum 64-bit
* address. The return address is usually the fall-through address of the basic block.
*
* Note: Use this function in preference to SgAsmInstruction::is_function_call() because the latter is intended to be used by
* the Partitioner before an AST is created and might not be as accurate. */
bool
SgAsmBlock::is_function_call(rose_addr_t &target_va, rose_addr_t &return_va)
{
static const rose_addr_t INVALID_ADDR = (rose_addr_t)(-1);
target_va = return_va = INVALID_ADDR;;
if (!is_basic_block())
return false;
std::vector<SgAsmInstruction*> insns = SageInterface::querySubTree<SgAsmInstruction>(this);
assert(!insns.empty()); // basic blocks must have instructions
// Check that all the successors point to functions entry addresses (other functions or this block's function). There
// might be one edge that points to the fall-through address of this block, and that's ok.
SgAsmFunction *func = SageInterface::getEnclosingNode<SgAsmFunction>(this);
SgAsmInterpretation *interp = SageInterface::getEnclosingNode<SgAsmInterpretation>(func);
std::set<rose_addr_t> callee_vas;
if (interp) {
const InstructionMap &imap = interp->get_instruction_map();
const SgAsmIntegerValuePtrList &successors = get_successors();
for (SgAsmIntegerValuePtrList::const_iterator si=successors.begin(); si!=successors.end(); ++si) {
rose_addr_t successor_va = (*si)->get_absolute_value();
if (SgAsmInstruction *target_insn = imap.get_value_or(successor_va, NULL)) {
SgAsmFunction *target_func = SageInterface::getEnclosingNode<SgAsmFunction>(target_insn);
if (successor_va==target_func->get_entry_va()) {
callee_vas.insert(successor_va); // branches to a function entry point
} else if (return_va!=INVALID_ADDR) {
target_va = return_va = INVALID_ADDR;
return false; // multiple function-local CFG edges that are not this function's entry point
} else {
return_va = successor_va; // possible return address
}
}
}
}
// Now for the architecture-dependent determination. This will not update target_va or return_va if they cannot be
// determined or are ambiguous; so we must reset them to INVALID_ADDR if we're about to return false.
bool retval = insns.front()->is_function_call(insns, &target_va, &return_va);
if (!retval) {
target_va = return_va = INVALID_ADDR;
} else if (INVALID_ADDR==target_va && 1==callee_vas.size()) {
target_va = *callee_vas.begin();
}
return retval;
}
// see base class
bool
SgAsmX86Instruction::isFunctionCallSlow(const std::vector<SgAsmInstruction*>& insns, rose_addr_t *target, rose_addr_t *return_va)
{
if (isFunctionCallFast(insns, target, return_va))
return true;
// The following stuff works only if we have a relatively complete AST.
static const size_t EXECUTION_LIMIT = 10; // max size of basic blocks for expensive analyses
if (insns.empty())
return false;
SgAsmX86Instruction *last = isSgAsmX86Instruction(insns.back());
if (!last)
return false;
SgAsmFunction *func = SageInterface::getEnclosingNode<SgAsmFunction>(last);
SgAsmInterpretation *interp = SageInterface::getEnclosingNode<SgAsmInterpretation>(func);
// Slow method: Emulate the instructions and then look at the EIP and stack. If the EIP points outside the current
// function and the top of the stack holds an address of an instruction within the current function, then this must be a
// function call.
if (interp && insns.size()<=EXECUTION_LIMIT) {
using namespace Rose::BinaryAnalysis;
using namespace Rose::BinaryAnalysis::InstructionSemantics2;
using namespace Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics;
const InstructionMap &imap = interp->get_instruction_map();
const RegisterDictionary *regdict = RegisterDictionary::dictionary_for_isa(interp);
SmtSolverPtr solver = SmtSolver::instance(Rose::CommandLine::genericSwitchArgs.smtSolver);
BaseSemantics::RiscOperatorsPtr ops = RiscOperators::instance(regdict, solver);
ASSERT_not_null(ops);
const RegisterDescriptor SP = regdict->findLargestRegister(x86_regclass_gpr, x86_gpr_sp);
DispatcherX86Ptr dispatcher = DispatcherX86::instance(ops, SP.get_nbits());
SValuePtr orig_esp = SValue::promote(ops->readRegister(dispatcher->REG_anySP));
try {
for (size_t i=0; i<insns.size(); ++i)
dispatcher->processInstruction(insns[i]);
} catch (const BaseSemantics::Exception &e) {
return false;
}
// If the next instruction address is concrete but does not point to a function entry point, then this is not a call.
SValuePtr eip = SValue::promote(ops->readRegister(dispatcher->REG_anyIP));
if (eip->is_number()) {
rose_addr_t target_va = eip->get_number();
SgAsmFunction *target_func = SageInterface::getEnclosingNode<SgAsmFunction>(imap.get_value_or(target_va, NULL));
if (!target_func || target_va!=target_func->get_entry_va())
return false;
}
// If nothing was pushed onto the stack, then this isn't a function call.
const size_t spWidth = dispatcher->REG_anySP.get_nbits();
SValuePtr esp = SValue::promote(ops->readRegister(dispatcher->REG_anySP));
SValuePtr stack_delta = SValue::promote(ops->add(esp, ops->negate(orig_esp)));
SValuePtr stack_delta_sign = SValue::promote(ops->extract(stack_delta, spWidth-1, spWidth));
if (stack_delta_sign->is_number() && 0==stack_delta_sign->get_number())
return false;
// If the top of the stack does not contain a concrete value or the top of the stack does not point to an instruction
// in this basic block's function, then this is not a function call.
const size_t ipWidth = dispatcher->REG_anyIP.get_nbits();
SValuePtr top = SValue::promote(ops->readMemory(dispatcher->REG_SS, esp, esp->undefined_(ipWidth), esp->boolean_(true)));
if (top->is_number()) {
rose_addr_t va = top->get_number();
SgAsmFunction *return_func = SageInterface::getEnclosingNode<SgAsmFunction>(imap.get_value_or(va, NULL));
if (!return_func || return_func!=func) {
return false;
}
} else {
return false;
}
// Since EIP might point to a function entry address and since the top of the stack contains a pointer to an
// instruction in this function, we assume that this is a function call.
if (target && eip->is_number())
*target = eip->get_number();
if (return_va && top->is_number())
*return_va = top->get_number();
return true;
}
// Similar to the above method, but works when all we have is the basic block (e.g., this case gets hit quite a bit from
// the Partitioner). Returns true if, after executing the basic block, the top of the stack contains the fall-through
// address of the basic block. We depend on our caller to figure out if EIP is reasonably a function entry address.
if (!interp && insns.size()<=EXECUTION_LIMIT) {
using namespace Rose::BinaryAnalysis;
using namespace Rose::BinaryAnalysis::InstructionSemantics2;
using namespace Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics;
SmtSolverPtr solver = SmtSolver::instance(Rose::CommandLine::genericSwitchArgs.smtSolver);
SgAsmX86Instruction *x86insn = isSgAsmX86Instruction(insns.front());
ASSERT_not_null(x86insn);
#if 1 // [Robb P. Matzke 2015-03-03]: FIXME[Robb P. Matzke 2015-03-03]: not ready yet; x86-64 semantics still under construction
if (x86insn->get_addressSize() != x86_insnsize_32)
return false;
#endif
const RegisterDictionary *regdict = registersForInstructionSize(x86insn->get_addressSize());
const RegisterDescriptor SP = regdict->findLargestRegister(x86_regclass_gpr, x86_gpr_sp);
BaseSemantics::RiscOperatorsPtr ops = RiscOperators::instance(regdict, solver);
DispatcherX86Ptr dispatcher = DispatcherX86::instance(ops, SP.get_nbits());
try {
for (size_t i=0; i<insns.size(); ++i)
dispatcher->processInstruction(insns[i]);
} catch (const BaseSemantics::Exception &e) {
return false;
}
// Look at the top of the stack
const size_t ipWidth = dispatcher->REG_anyIP.get_nbits();
SValuePtr top = SValue::promote(ops->readMemory(dispatcher->REG_SS, ops->readRegister(SP),
ops->protoval()->undefined_(ipWidth),
ops->protoval()->boolean_(true)));
if (top->is_number() && top->get_number() == last->get_address()+last->get_size()) {
if (target) {
SValuePtr eip = SValue::promote(ops->readRegister(dispatcher->REG_anyIP));
if (eip->is_number())
*target = eip->get_number();
}
if (return_va)
*return_va = top->get_number();
return true;
}
}
return false;
}
// see base class; don't modify target_va or return_va if they are not known
bool
SgAsmM68kInstruction::isFunctionCallSlow(const std::vector<SgAsmInstruction*>& insns, rose_addr_t *target_va,
rose_addr_t *return_va)
{
if (isFunctionCallFast(insns, target_va, return_va))
return true;
static const size_t EXECUTION_LIMIT = 25; // max size of basic blocks for expensive analyses
if (insns.empty())
return false;
SgAsmM68kInstruction *last = isSgAsmM68kInstruction(insns.back());
if (!last)
return false;
SgAsmFunction *func = SageInterface::getEnclosingNode<SgAsmFunction>(last);
SgAsmInterpretation *interp = SageInterface::getEnclosingNode<SgAsmInterpretation>(func);
// Slow method: Emulate the instructions and then look at the program counter (PC) and stack (A7). If the PC points
// outside the current function and the top of the stack holds an address of an instruction within the current function,
// then this must be a function call.
if (interp && insns.size()<=EXECUTION_LIMIT) {
using namespace Rose::BinaryAnalysis;
using namespace Rose::BinaryAnalysis::InstructionSemantics2;
using namespace Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics;
const InstructionMap &imap = interp->get_instruction_map();
const RegisterDictionary *regdict = RegisterDictionary::dictionary_for_isa(interp);
SmtSolverPtr solver = SmtSolver::instance(Rose::CommandLine::genericSwitchArgs.smtSolver);
BaseSemantics::RiscOperatorsPtr ops = RiscOperators::instance(regdict, solver);
DispatcherM68kPtr dispatcher = DispatcherM68k::instance(ops, 32);
SValuePtr orig_sp = SValue::promote(ops->readRegister(dispatcher->REG_A[7]));
try {
for (size_t i=0; i<insns.size(); ++i)
dispatcher->processInstruction(insns[i]);
} catch (const BaseSemantics::Exception &e) {
return false;
}
// If the next instruction address is concrete but does not point to a function entry point, then this is not a call.
SValuePtr ip = SValue::promote(ops->readRegister(dispatcher->REG_PC));
if (ip->is_number()) {
rose_addr_t target_va = ip->get_number();
SgAsmFunction *target_func = SageInterface::getEnclosingNode<SgAsmFunction>(imap.get_value_or(target_va, NULL));
if (!target_func || target_va!=target_func->get_entry_va())
return false;
}
// If nothing was pushed onto the stack, then this isn't a function call.
SValuePtr sp = SValue::promote(ops->readRegister(dispatcher->REG_A[7]));
SValuePtr stack_delta = SValue::promote(ops->add(sp, ops->negate(orig_sp)));
SValuePtr stack_delta_sign = SValue::promote(ops->extract(stack_delta, 31, 32));
if (stack_delta_sign->is_number() && 0==stack_delta_sign->get_number())
return false;
// If the top of the stack does not contain a concrete value or the top of the stack does not point to an instruction
// in this basic block's function, then this is not a function call.
SValuePtr top = SValue::promote(ops->readMemory(RegisterDescriptor(), sp, sp->undefined_(32), sp->boolean_(true)));
if (top->is_number()) {
rose_addr_t va = top->get_number();
SgAsmFunction *return_func = SageInterface::getEnclosingNode<SgAsmFunction>(imap.get_value_or(va, NULL));
if (!return_func || return_func!=func) {
return false;
}
} else {
return false;
}
// Since the instruction pointer might point to a function entry address and since the top of the stack contains a
// pointer to an instruction in this function, we assume that this is a function call.
if (target_va && ip->is_number())
*target_va = ip->get_number();
if (return_va && top->is_number())
*return_va = top->get_number();
return true;
}
// Similar to the above method, but works when all we have is the basic block (e.g., this case gets hit quite a bit from
// the Partitioner). Returns true if, after executing the basic block, the top of the stack contains the fall-through
// address of the basic block. We depend on our caller to figure out if the instruction pointer is reasonably a function
// entry address.
if (!interp && insns.size()<=EXECUTION_LIMIT) {
using namespace Rose::BinaryAnalysis;
using namespace Rose::BinaryAnalysis::InstructionSemantics2;
using namespace Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics;
const RegisterDictionary *regdict = RegisterDictionary::dictionary_coldfire_emac();
SmtSolverPtr solver = SmtSolver::instance(Rose::CommandLine::genericSwitchArgs.smtSolver);
BaseSemantics::RiscOperatorsPtr ops = RiscOperators::instance(regdict, solver);
DispatcherM68kPtr dispatcher = DispatcherM68k::instance(ops, 32);
try {
for (size_t i=0; i<insns.size(); ++i)
dispatcher->processInstruction(insns[i]);
} catch (const BaseSemantics::Exception &e) {
return false;
}
// Look at the top of the stack
SValuePtr top = SValue::promote(ops->readMemory(RegisterDescriptor(), ops->readRegister(dispatcher->REG_A[7]),
ops->protoval()->undefined_(32),
ops->protoval()->boolean_(true)));
if (top->is_number() && top->get_number() == last->get_address()+last->get_size()) {
if (target_va) {
SValuePtr ip = SValue::promote(ops->readRegister(dispatcher->REG_PC));
if (ip->is_number())
*target_va = ip->get_number();
}
if (return_va)
*return_va = top->get_number();
return true;
}
}
return false;
}