// Builds a structurally identical copy of an AST in which every node is a
// freshly created object, so the copy shares no nodes with the original.
//
// ast: root of the tree to clone; Rose (operator) nodes are cloned
//      recursively, Variable / Constant / Bottom leaves are re-created from
//      their values.
//
// Returns the root of the copy. Any other node kind is reported on stderr
// and trips assert(); if asserts are compiled out, a null AST::Ptr is
// returned and the caller has to cope with it.
AST::Ptr DeepCopyAnAST(AST::Ptr ast) {
    switch (ast->getID()) {
        case AST::V_RoseAST: {
            RoseAST::Ptr rose = boost::static_pointer_cast<RoseAST>(ast);
            const unsigned childCount = ast->numChildren();
            AST::Children copiedKids;
            for (unsigned idx = 0; idx < childCount; ++idx) {
                copiedKids.push_back(DeepCopyAnAST(ast->child(idx)));
            }
            return RoseAST::create(ROSEOperation(rose->val()), copiedKids);
        }
        case AST::V_VariableAST: {
            VariableAST::Ptr var = boost::static_pointer_cast<VariableAST>(ast);
            return VariableAST::create(Variable(var->val()));
        }
        case AST::V_ConstantAST: {
            ConstantAST::Ptr constant = boost::static_pointer_cast<ConstantAST>(ast);
            return ConstantAST::create(Constant(constant->val()));
        }
        case AST::V_BottomAST: {
            BottomAST::Ptr bottom = boost::static_pointer_cast<BottomAST>(ast);
            return BottomAST::create(bottom->val());
        }
        default:
            break;
    }
    // Unsupported node kind: make it visible and fail loudly in debug builds.
    fprintf(stderr, "ast type %d, %s\n", ast->getID(), ast->format().c_str());
    assert(0);
    return AST::Ptr();
}
// Applies the transfer function of one slice node to the bound facts that
// flow into it, turning newFact into the facts that flow out of it.
//
// curNode: the slice node being evaluated; a node without an assignment
//          (e.g. a widen point) leaves newFact untouched.
// newFact: in/out fact set, updated in place.
//
// Instruction classes handled, in priority order:
//   * a definition of the zero flag is stored as the predicate of newFact,
//   * an assignment with no semantic expansion is treated as the identity
//     function, except ptest, which invalidates the current predicate,
//   * xchg, push of a constant, pop of a tracked constant and the SETcc
//     family have dedicated fact updates,
//   * everything else gets the bound computed by BoundCalcVisitor, plus
//     equality, alias and relation tracking that may tighten that bound.
void BoundFactsCalculator::CalcTransferFunction(Node::Ptr curNode, BoundFact *newFact) {
    SliceNode::Ptr node = boost::static_pointer_cast<SliceNode>(curNode);
    Assignment::Ptr assign = node->assign();
    if (!assign) return;

    // Region written by this assignment; for a memory write its generator()
    // is the address AST produced during symbolic expansion, for a register
    // write there is no generator.
    AbsRegion &outRegion = assign->out();

    // A zero-flag definition is the predecessor of a conditional jump and is
    // recorded as the predicate rather than as a bound.
    const bool definesZF =
        outRegion.absloc().type() == Absloc::Register &&
        (outRegion.absloc().reg() == x86::zf || outRegion.absloc().reg() == x86_64::zf);
    if (definesZF) {
        parsing_printf("\t\tThe predecessor node is zf assignment!\n");
        newFact->SetPredicate(assign, ExpandAssignment(assign));
        return;
    }

    Instruction::Ptr insn = assign->insn();
    const entryID id = insn->getOperation().getID();
    parsing_printf("\t\tThe predecessor node is normal node\n");
    parsing_printf("\t\t\tentry id %d\n", id);

    std::pair<AST::Ptr, bool> expanded = ExpandAssignment(assign);
    if (expanded.first == NULL) {
        parsing_printf("\t\t\t No semantic support for this instruction. Assume it does not affect jump target calculation. Ignore it (Treat as identity function) except for ptest. ptest should kill the current predicate\n");
        if (id == e_ptest) {
            parsing_printf("\t\t\t\tptest instruction, kill predciate.\n");
            newFact->pred.valid = false;
        }
        return;
    }
    AST::Ptr calculation = expanded.first;
    parsing_printf("\tAST: %s\n", calculation->format().c_str());

    BoundCalcVisitor bcv(*newFact, node->block(), handleOneByteRead);
    calculation->accept(&bcv);

    // outAST names the location being written: a dereference of the address
    // AST for a memory write, a plain variable for a register write.
    AST::Ptr outAST;
    if (outRegion.generator() != NULL) {
        outAST = SimplifyAnAST(
            RoseAST::create(ROSEOperation(ROSEOperation::derefOp, outRegion.size()), outRegion.generator()),
            insn->size());
    } else {
        outAST = VariableAST::create(Variable(outRegion));
    }

    // bsf / bsr deliberately get no special-case bound here. The naive rule
    // ([0, operand bits - 1]) over-approximates in practice: e.g. after
    // "shl %cl,%edx; bsf %rdx,%rcx" rcx is in [0,31] although rdx has 64
    // bits, and after "pmovmskb %xmm0,%edx; bsf %rdx,%rdx" rdx is in [0,15]
    // because pmovmskb only sets the low 16 bits. An over-approximated bound
    // can yield bogus control flow (overlapping blocks or functions), so the
    // operand has to be analysed further instead of concluding the bound
    // from the operand size.

    // Special-cased instructions; once one of them has produced the output
    // facts the generic path below is skipped.
    bool handled = false;
    if (id == e_xchg) {
        newFact->SwapFact(calculation, outAST);
        handled = true;
    }
    if (!handled && id == e_push && calculation->getID() == AST::V_ConstantAST) {
        ConstantAST::Ptr constant = boost::static_pointer_cast<ConstantAST>(calculation);
        newFact->PushAConst(constant->val().val);
        handled = true;
    }
    if (!handled && id == e_pop) {
        // Only a pop that matches a previously pushed constant is handled here.
        handled = newFact->PopAConst(outAST);
    }
    // Assume all SETxx entry ids are contiguous; SETcc writes 0 or 1.
    if (!handled && id >= e_setb && id <= e_setz) {
        newFact->GenFact(outAST, new BoundValue(StridedInterval(1, 0, 1)), false);
        handled = true;
    }

    if (!handled) {
        // NOTE(review): GenFact is handed a heap-allocated BoundValue here and
        // below; it presumably takes ownership — confirm against BoundFact.
        if (bcv.IsResultBounded(calculation)) {
            parsing_printf("\t\t\tGenerate bound fact for %s\n", outAST->format().c_str());
            newFact->GenFact(outAST, new BoundValue(*bcv.GetResultBound(calculation)), false);
        } else {
            parsing_printf("\t\t\tKill bound fact for %s\n", outAST->format().c_str());
            newFact->KillFact(outAST, false);
        }

        // Equality relations are only tracked between registers (variables).
        if (calculation->getID() == AST::V_VariableAST) {
            parsing_printf("\t\t\t%s and %s are equal\n", calculation->format().c_str(), outAST->format().c_str());
            newFact->InsertRelation(calculation, outAST, BoundFact::Equal);
        }
        newFact->AdjustPredicate(outAST, calculation);

        // Track aliasing. Every variable in the slice is expressed as an AST
        // over the slice's input variables (those whose sources are unknown);
        // the copy keeps the tracked AST independent of later rewrites.
        newFact->TrackAlias(DeepCopyAnAST(calculation), outAST);

        // Relations may yield a stricter bound than the visitor's result.
        BoundValue *strictValue = newFact->ApplyRelations(outAST);
        if (strictValue != NULL) {
            parsing_printf("\t\t\tGenerate stricter bound fact for %s\n", outAST->format().c_str());
            newFact->GenFact(outAST, strictValue, false);
        }
    }

    parsing_printf("\t\t\tCalculating transfer function: Output facts\n");
    newFact->Print();
}
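// Expands the assignment of one slice node into an AST and substitutes the
// ASTs of its predecessors (already stored in dbase) for the matching input
// variables.
//
// ptr:       the node to process; a node without an assignment (widen
//            node) yields WIDEN_NODE and is not expanded.
// dbase:     assignment -> AST map. Read for predecessor definitions (a
//            missing entry is default-inserted as a null AST) and written
//            with this node's, possibly null, result.
// skipEdges: incoming edges to ignore, used to break cycles.
//
// Returns FAILED_TRANSLATION if the node's own expansion failed,
// SKIPPED_INPUT if a cycle edge or a conflicting predecessor definition was
// ignored, SUCCESS if at least one substitution happened, and FAILED
// otherwise — checked in that order, so an earlier condition masks the
// later ones.
SymEval::Retval_t SymEval::process(SliceNode::Ptr ptr, Result_t &dbase, std::set<Edge::Ptr> &skipEdges) {
    expand_cerr << "Calling process on " << ptr->format() << endl;

    // Widen nodes carry no assignment; there is nothing to expand.
    if (!ptr->assign()) return WIDEN_NODE;

    bool skippedEdge = false;
    bool skippedInput = false;
    bool success = false;

    // Collect, per input region, every predecessor assignment defining it.
    typedef std::map<const AbsRegion*, std::set<Assignment::Ptr> > InputMap;
    InputMap inputMap;
    EdgeIterator begin, end;
    ptr->ins(begin, end);
    for (; begin != end; ++begin) {
        SliceEdge::Ptr edge = boost::static_pointer_cast<SliceEdge>(*begin);
        SliceNode::Ptr source = boost::static_pointer_cast<SliceNode>(edge->source());
        // Skip this one to break a cycle.
        if (skipEdges.find(edge) != skipEdges.end()) {
            expand_cerr << "In process, skipping edge from " << source->format() << endl;
            skippedEdge = true;
            continue;
        }
        Assignment::Ptr assign = source->assign();
        if (!assign) continue;   // widen node
        expand_cerr << "Assigning input " << edge->data().format() << " from assignment " << assign->format() << endl;
        inputMap[&edge->data()].insert(assign);
    }
    expand_cerr << "\t Input map has size " << inputMap.size() << endl;

    // Expand this node's own assignment; expand() also reports whether the
    // translation failed.
    AST::Ptr ast;
    bool failedTranslation = false;
    boost::tie(ast, failedTranslation) = SymEval::expand(ptr->assign());

    // Substitute every predecessor definition into the AST.
    for (InputMap::const_iterator iter = inputMap.begin(); iter != inputMap.end(); ++iter) {
        // With several definitions of one input: use them if they all agree,
        // otherwise substitute nothing. A null candidate (predecessor not yet
        // expanded) is passed over rather than treated as a conflict.
        AST::Ptr definition;
        for (std::set<Assignment::Ptr>::const_iterator def = iter->second.begin(); def != iter->second.end(); ++def) {
            AST::Ptr candidate = dbase[*def];
            if (!definition) {
                definition = candidate;
                continue;
            }
            if (definition->equals(candidate)) continue;
            definition = AST::Ptr();   // conflicting definitions
            skippedInput = true;
            break;
        }
        if (!definition) {
            // Can happen if we're expanding out of order, and is generally harmless.
            continue;
        }

        // The input variable as it appears in this node's AST: the region
        // used by the current assignment, at this node's address.
        const AbsRegion &region = *iter->first;
        VariableAST::Ptr use = VariableAST::create(Variable(region, ptr->addr()));

        expand_cerr << "Before substitution: " << (ast ? ast->format() : "<NULL AST>") << endl;
        if (!ast) {
            expand_cerr << "Skipping substitution because of null AST" << endl;
        } else {
            ast = AST::substitute(ast, use, definition);
            success = true;
        }
        expand_cerr << "\t result is " << (ast ? ast->format() : "<NULL AST>") << endl;
    }
    expand_cerr << "Result of substitution: " << ptr->assign()->format() << " == " << (ast ? ast->format() : "<NULL AST>") << endl;

    // And attempt simplification again now that inputs are substituted.
    ast = simplifyStack(ast, ptr->addr(), ptr->func(), ptr->block());
    expand_cerr << "Result of post-substitution simplification: " << ptr->assign()->format() << " == " << (ast ? ast->format() : "<NULL AST>") << endl;

    dbase[ptr->assign()] = ast;

    if (failedTranslation) return FAILED_TRANSLATION;
    if (skippedEdge || skippedInput) return SKIPPED_INPUT;
    if (success) return SUCCESS;
    return FAILED;
}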
// Graph-driven variant of expansion: expands every node of a slice and
// forward-substitutes each node's AST into its successors, storing the
// results in res.
//
// slice: the slice graph; its nodes are SliceNodes, widen points (no
//        assignment) are marked done without expansion.
// res:   assignment -> AST map filled in by process().
//
// Returns FAILED as soon as one node fails outright; otherwise
// FAILED_TRANSLATION if any node's translation failed, SKIPPED_INPUT if any
// node skipped an input, and SUCCESS when neither happened.
SymEval::Retval_t SymEval::expand(Dyninst::Graph::Ptr slice, DataflowAPI::Result_t &res) {
    bool failedTranslation = false;
    bool skippedInput = false;

    // Sort the nodes into a deterministic order first, so that which edges
    // get marked as cycle breakers does not depend on graph iteration order.
    NodeIterator gbegin, gend;
    slice->allNodes(gbegin, gend);
    std::vector<SliceNode::Ptr> ordered;
    for (; gbegin != gend; ++gbegin) {
        expand_cerr << "pushing " << (*gbegin)->format() << " to sortVector" << endl;
        ordered.push_back(boost::static_pointer_cast<SliceNode>(*gbegin));
    }
    std::stable_sort(ordered.begin(), ordered.end(), vectorSort);

    // DFS from each node in sorted order to find circularities; the edges
    // that close a cycle are recorded in worklist.skipEdges() so that
    // substitution cannot loop forever.
    ExpandOrder worklist;
    std::map<Node::Ptr, int> state;
    for (std::vector<SliceNode::Ptr>::const_iterator it = ordered.begin(); it != ordered.end(); ++it) {
        Node::Ptr current = boost::static_pointer_cast<Node>(*it);
        dfs(current, state, worklist.skipEdges());
    }

    // Seed the worklist with every node of the graph.
    slice->allNodes(gbegin, gend);
    for (; gbegin != gend; ++gbegin) {
        expand_cerr << "adding " << (*gbegin)->format() << " to worklist" << endl;
        SliceNode::Ptr sliceNode = boost::static_pointer_cast<SliceNode>(*gbegin);
        worklist.insert(sliceNode, false);
    }

    // Drain the worklist: process each node; when its expansion changed,
    // re-queue its successors (except across cycle-breaking edges).
    for (;;) {
        SliceNode::Ptr aNode;
        int order;
        boost::tie(aNode, order) = worklist.pop_next();
        if (order == -1) break;   // worklist is empty

        if (!aNode->assign()) {
            // Could be a widen point
            worklist.mark_done(aNode);
            continue;
        }
        expand_cerr << "Visiting node " << aNode->assign()->format() << " order " << order << endl;
        if (order != 0) {
            cerr << "ERROR: order is non zero: " << order << endl;
        }
        assert(order == 0);   // there are no loops

        AST::Ptr prev = res[aNode->assign()];
        Retval_t result = process(aNode, res, worklist.skipEdges());
        AST::Ptr post = res[aNode->assign()];

        if (result == FAILED) return FAILED;
        if (result == FAILED_TRANSLATION) {
            failedTranslation = true;
        } else if (result == SKIPPED_INPUT) {
            skippedInput = true;
        }
        // WIDEN_NODE and SUCCESS need no bookkeeping.

        // Marking this node done frees its successors to be visited in turn.
        worklist.mark_done(aNode);

        if (post && !post->equals(prev)) {
            expand_cerr << "Adding successors to list, as new expansion " << endl << "\t" << post->format() << endl << " != " << endl << "\t" << (prev ? prev->format() : "<NULL>") << endl;
            EdgeIterator oB, oE;
            aNode->outs(oB, oE);
            for (; oB != oE; ++oB) {
                if (worklist.skipEdges().find(*oB) != worklist.skipEdges().end()) continue;
                SliceNode::Ptr successor = boost::static_pointer_cast<SliceNode>((*oB)->target());
                worklist.insert(successor);
            }
        }
    }

    if (failedTranslation) return FAILED_TRANSLATION;
    if (skippedInput) return SKIPPED_INPUT;
    return SUCCESS;
}