void PatchMgr::getFuncCandidates(Scope &scope, Point::Type types, Candidates &ret) {
// We can either have a scope of PatchObject and be looking for all
// the functions it contains, a scope of a Function, or be looking
// for every single function we know about.
Functions funcs;
getFuncs(scope, funcs);
for (Functions::iterator iter = funcs.begin(); iter != funcs.end(); ++iter) {
if (types & Point::FuncDuring) ret.push_back(Candidate(Location::Function(*iter), Point::FuncDuring));
if (types & Point::FuncEntry) ret.push_back(Candidate(Location::EntrySite(*iter, (*iter)->entry(), true), Point::FuncEntry));
}
}
void PatchMgr::getExitSites(Scope &scope, ExitSites &sites) {
// All sites in whatever functions we want
Functions funcs;
getFuncs(scope, funcs);
for (Functions::iterator iter = funcs.begin(); iter != funcs.end(); ++iter) {
const PatchFunction::Blockset &e = (*iter)->exitBlocks();
for (PatchFunction::Blockset::const_iterator iter2 = e.begin(); iter2 != e.end(); ++iter2) {
if (!scope.block || (scope.block == *iter2))
sites.push_back(ExitSite_t(*iter, *iter2));
}
}
}
void PatchMgr::getBlockInstances(Scope &scope, BlockInstances &blocks) {
Functions funcs;
getFuncs(scope, funcs);
for (Functions::iterator iter = funcs.begin(); iter != funcs.end(); ++iter) {
const PatchFunction::Blockset &b = (*iter)->blocks();
for (PatchFunction::Blockset::const_iterator iter2 = b.begin(); iter2 != b.end(); ++iter2) {
// TODO FIXME: make this more efficient to avoid iunnecessary iteration
if (scope.block && scope.block != *iter2) continue;
blocks.push_back(BlockInstance(*iter, *iter2));
}
}
}
// Detect functions that are semantically similar by running multiple iterations of partition_functions().
void analyze() {
RTS_Message *m = thread->tracing(TRACE_MISC);
Functions functions = find_functions(m, thread->get_process());
PointerDetectors pointers = detect_pointers(m, thread, functions);
PartitionForest partition;
while (partition.nlevels()<MAX_ITERATIONS) {
InputValues inputs = choose_inputs(3, 3);
size_t level = partition.new_level(inputs);
m->mesg("####################################################################################################");
m->mesg("%s: fuzz testing %zu function%s at level %zu", name, functions.size(), 1==functions.size()?"":"s", level);
m->mesg("%s: using these input values:\n%s", name, inputs.toString().c_str());
if (0==level) {
partition_functions(m, partition, functions, pointers, inputs, NULL);
} else {
const PartitionForest::Vertices &parent_vertices = partition.vertices_at_level(level-1);
for (PartitionForest::Vertices::const_iterator pvi=parent_vertices.begin(); pvi!=parent_vertices.end(); ++pvi) {
PartitionForest::Vertex *parent_vertex = *pvi;
if (parent_vertex->functions.size()>MAX_SIMSET_SIZE)
partition_functions(m, partition, parent_vertex->functions, pointers, inputs, parent_vertex);
}
}
// If the new level doesn't contain any vertices then we must not have needed to repartition anything and we're all
// done.
if (partition.vertices_at_level(level).empty())
break;
}
m->mesg("==========================================================================================");
m->mesg("%s: The entire partition forest follows...", name);
m->mesg("%s", StringUtility::prefixLines(partition.toString(), std::string(name)+": ").c_str());
m->mesg("==========================================================================================");
m->mesg("%s: Final function similarity sets are:", name);
PartitionForest::Vertices leaves = partition.get_leaves();
size_t setno=0;
for (PartitionForest::Vertices::iterator vi=leaves.begin(); vi!=leaves.end(); ++vi, ++setno) {
PartitionForest::Vertex *leaf = *vi;
const Functions &functions = leaf->get_functions();
m->mesg("%s: set #%zu at level %zu has %zu function%s:",
name, setno, leaf->get_level(), functions.size(), 1==functions.size()?"":"s");
for (Functions::const_iterator fi=functions.begin(); fi!=functions.end(); ++fi)
m->mesg("%s: 0x%08"PRIx64" <%s>", name, (*fi)->get_entry_va(), (*fi)->get_name().c_str());
}
m->mesg("%s: dumping final similarity sets to clones.sql", name);
partition.dump("clones.sql", "NO_USER", "NO_PASSWD");
}
void PatchMgr::getInsnInstances(Scope &scope, InsnInstances &insns) {
Functions funcs;
getFuncs(scope, funcs);
for (Functions::iterator iter = funcs.begin(); iter != funcs.end(); ++iter) {
const PatchFunction::Blockset &b = (*iter)->blocks();
for (PatchFunction::Blockset::const_iterator iter2 = b.begin(); iter2 != b.end(); ++iter2) {
// TODO FIXME: make this more efficient to avoid iunnecessary iteration
if (scope.block && scope.block != *iter2) continue;
PatchBlock::Insns i;
(*iter2)->getInsns(i);
for (PatchBlock::Insns::iterator iter3 = i.begin(); iter3 != i.end(); ++iter3) {
insns.push_back(InsnInstance(*iter, InsnLoc_t(*iter2, iter3->first, iter3->second)));
}
}
}
}
// Run each function from the specified set of functions in order to produce an output set for each function. Then insert
// the functions into the bottom of the specified PartitionForest. This runs one iteration of partitioning.
void partition_functions(RTS_Message *m, PartitionForest &partition,
const Functions &functions, PointerDetectors &pointers,
InputValues &inputs, PartitionForest::Vertex *parent) {
for (Functions::const_iterator fi=functions.begin(); fi!=functions.end(); ++fi) {
PointerDetectors::iterator ip = pointers.find(*fi);
assert(ip!=pointers.end());
CloneDetection::Outputs<RSIM_SEMANTICS_VTYPE> *outputs = fuzz_test(*fi, inputs, ip->second);
#if 1 /*DEBUGGING [Robb Matzke 2013-01-14]*/
std::ostringstream output_values_str;
OutputValues output_values = outputs->get_values();
for (OutputValues::iterator ovi=output_values.begin(); ovi!=output_values.end(); ++ovi)
output_values_str <<" " <<*ovi;
m->mesg("%s: function output values are {%s }", name, output_values_str.str().c_str());
#endif
partition.insert(*fi, output_values, parent);
}
}
ScriptingService::Functions ScriptingService::loadFunctions( const string& code, const string& filename, bool mrethrow )
{
Logger::In in("ScriptingService::loadFunctions");
Parser p;
Functions exec;
Functions ret;
try {
Logger::log() << Logger::Info << "Parsing file "<<filename << Logger::endl;
ret = p.parseFunction(code, mowner, filename);
}
catch( const file_parse_exception& exc )
{
#ifndef ORO_EMBEDDED
Logger::log() << Logger::Error << filename<<" :"<< exc.what() << Logger::endl;
if ( mrethrow )
throw;
#endif
return Functions();
}
if ( ret.empty() )
{
Logger::log() << Logger::Debug << "No Functions executed from "<< filename << Logger::endl;
Logger::log() << Logger::Info << filename <<" : Successfully parsed." << Logger::endl;
return Functions();
} else {
// Load all listed functions in the TaskContext's Processor:
for( Parser::ParsedFunctions::iterator it = ret.begin(); it != ret.end(); ++it) {
Logger::log() << "Queueing Function "<< (*it)->getName() << Logger::endl;
if ( mowner->engine()->runFunction( it->get() ) == false) {
Logger::log() << Logger::Error << "Could not run Function '"<< (*it)->getName() <<"' :" << Logger::nl;
Logger::log() << "Processor not accepting or function queue is full." << Logger::endl;
} else
exec.push_back( *it ); // is being executed.
}
}
return exec;
}
pair<FunctionId,FunctionPtr> FunctionSet::getRandomFunction(int argumentsNumber) const
{
Functions argFunctions;
Functions::const_iterator it = functions_.begin();
//Rewrite funciton with the same number of arguments as argumentsNumber
for(auto it = functions_.begin(); it != functions_.end();)
{
if(it->second.first == argumentsNumber)
argFunctions.insert(make_pair(it->first,it->second));
++it;
}
if (argFunctions.size() < 1)
{
string exception = "Nie ma zadnej funkcji o takiej liczbie argumentow";
throw exception;
}
it = argFunctions.begin();
std::advance(it, rand() % argFunctions.size() );
return this->conversion(it);
}
PointerDetectors detect_pointers(RTS_Message *m, RSIM_Thread *thread, const Functions &functions) {
// Choose an SMT solver. This is completely optional. Pointer detection still seems to work fairly well (and much,
// much faster) without an SMT solver.
SMTSolver *solver = NULL;
#if 0 // optional code
if (YicesSolver::available_linkage())
solver = new YicesSolver;
#endif
PointerDetectors retval;
CloneDetection::InstructionProvidor *insn_providor = new CloneDetection::InstructionProvidor(thread->get_process());
for (Functions::iterator fi=functions.begin(); fi!=functions.end(); ++fi) {
m->mesg("%s: performing pointer detection analysis for \"%s\" at 0x%08"PRIx64,
name, (*fi)->get_name().c_str(), (*fi)->get_entry_va());
CloneDetection::PointerDetector pd(insn_providor, solver);
pd.initial_state().registers.gpr[x86_gpr_sp] = SYMBOLIC_VALUE<32>(thread->policy.INITIAL_STACK);
pd.initial_state().registers.gpr[x86_gpr_bp] = SYMBOLIC_VALUE<32>(thread->policy.INITIAL_STACK);
//pd.set_debug(stderr);
pd.analyze(*fi);
retval.insert(std::make_pair(*fi, pd));
#if 1 /*DEBUGGING [Robb P. Matzke 2013-01-24]*/
if (m->get_file()) {
const CloneDetection::PointerDetector::Pointers plist = pd.get_pointers();
for (CloneDetection::PointerDetector::Pointers::const_iterator pi=plist.begin(); pi!=plist.end(); ++pi) {
std::ostringstream ss;
if (pi->type & BinaryAnalysis::PointerAnalysis::DATA_PTR)
ss <<"data ";
if (pi->type & BinaryAnalysis::PointerAnalysis::CODE_PTR)
ss <<"code ";
ss <<"pointer at " <<pi->address;
m->mesg(" %s", ss.str().c_str());
}
}
#endif
}
return retval;
}
