Sawyer::Optional<BaseSemantics::SValuePtr>
SValue::createOptionalMerge(const BaseSemantics::SValuePtr &other_, const BaseSemantics::MergerPtr &merger,
const SmtSolverPtr &solver) const {
SValuePtr other = SValue::promote(other_);
SValuePtr retval = create_empty(other->get_width());
bool changed = false;
for (size_t i=0; i<subvalues.size(); ++i) {
BaseSemantics::SValuePtr thisValue = subvalues[i];
BaseSemantics::SValuePtr otherValue = other->subvalues[i];
if (otherValue) {
if (thisValue==NULL) {
retval->subvalues.push_back(otherValue);
changed = true;
} else if (BaseSemantics::SValuePtr mergedValue =
thisValue->createOptionalMerge(otherValue, merger, solver).orDefault()) {
changed = true;
retval->subvalues.push_back(mergedValue);
} else {
retval->subvalues.push_back(thisValue);
}
} else {
retval->subvalues.push_back(thisValue);
}
}
return changed ? Sawyer::Optional<BaseSemantics::SValuePtr>(retval) : Sawyer::Nothing();
}
int64_t
Function::stackDeltaConcrete() const {
BaseSemantics::SValuePtr v = stackDelta();
if (v && v->is_number() && v->get_width() <= 64)
return IntegerOps::signExtend2<uint64_t>(v->get_number(), v->get_width(), 64);
return SgAsmInstruction::INVALID_STACK_DELTA;
}
BinaryAnalysis::Disassembler::AddressSet
SgAsmX86Instruction::getSuccessors(const std::vector<SgAsmInstruction*>& insns, bool *complete,
const MemoryMap::Ptr &initial_memory)
{
Stream debug(mlog[DEBUG]);
using namespace Rose::BinaryAnalysis::InstructionSemantics2;
if (debug) {
debug <<"SgAsmX86Instruction::getSuccessors(" <<StringUtility::addrToString(insns.front()->get_address())
<<" for " <<insns.size() <<" instruction" <<(1==insns.size()?"":"s") <<"):" <<"\n";
}
BinaryAnalysis::Disassembler::AddressSet successors = SgAsmInstruction::getSuccessors(insns, complete);
/* If we couldn't determine all the successors, or a cursory analysis couldn't narrow it down to a single successor then
* we'll do a more thorough analysis now. In the case where the cursory analysis returned a complete set containing two
* successors, a thorough analysis might be able to narrow it down to a single successor. We should not make special
* assumptions about CALL and FARCALL instructions -- their only successor is the specified address operand. */
if (!*complete || successors.size()>1) {
const RegisterDictionary *regdict;
if (SgAsmInterpretation *interp = SageInterface::getEnclosingNode<SgAsmInterpretation>(this)) {
regdict = RegisterDictionary::dictionary_for_isa(interp);
} else {
switch (get_baseSize()) {
case x86_insnsize_16:
regdict = RegisterDictionary::dictionary_i286();
break;
case x86_insnsize_32:
regdict = RegisterDictionary::dictionary_pentium4();
break;
case x86_insnsize_64:
regdict = RegisterDictionary::dictionary_amd64();
break;
default:
ASSERT_not_reachable("invalid x86 instruction size");
}
}
const RegisterDescriptor IP = regdict->findLargestRegister(x86_regclass_ip, 0);
PartialSymbolicSemantics::RiscOperatorsPtr ops = PartialSymbolicSemantics::RiscOperators::instance(regdict);
ops->set_memory_map(initial_memory);
BaseSemantics::DispatcherPtr cpu = DispatcherX86::instance(ops, IP.get_nbits(), regdict);
try {
BOOST_FOREACH (SgAsmInstruction *insn, insns) {
cpu->processInstruction(insn);
SAWYER_MESG(debug) <<" state after " <<insn->toString() <<"\n" <<*ops;
}
BaseSemantics::SValuePtr ip = ops->readRegister(IP);
if (ip->is_number()) {
successors.clear();
successors.insert(ip->get_number());
*complete = true;
}
} catch(const BaseSemantics::Exception &e) {
BaseSemantics::SValuePtr RiscOperators::readMemory(const RegisterDescriptor &segreg,
const BaseSemantics::SValuePtr &addr,
const BaseSemantics::SValuePtr &dflt,
const BaseSemantics::SValuePtr &cond) {
// XXX: we just skip large memory queries for now and return '0'. We probably should do something smarter.
if (dflt->get_width() > 32) {
return PartialSymbolicSemantics::SValue::instance(dflt->get_width());
}
return PartialSymbolicSemantics::RiscOperators::readMemory(segreg, addr, dflt, cond);
}
static std::string
arguments(const VirtualMachine &vm, size_t nArgs) {
std::ostringstream ss;
ss <<"(";
for (size_t i=0; i<nArgs; ++i) {
BaseSemantics::SValuePtr arg = vm.argument(i);
ss <<(i?", ":"") <<"arg_" <<i <<" = " <<*arg;
if (vm.map()->at(arg->get_number()).exists()) {
if (uint64_t deref = vm.readMemory(arg->get_number()))
ss <<" [deref=" <<StringUtility::toHex2(deref, vm.wordSize()) <<"]";
}
}
ss <<")";
return ss.str();
}
std::string
NoOperation::StateNormalizer::toString(const BaseSemantics::DispatcherPtr &cpu, const BaseSemantics::StatePtr &state_) {
BaseSemantics::StatePtr state = state_;
BaseSemantics::RiscOperatorsPtr ops = cpu->get_operators();
if (!state)
return "";
bool isCloned = false; // do we have our own copy of the state?
// If possible and appropriate, remove the instruction pointer register
const RegisterDescriptor regIp = cpu->instructionPointerRegister();
BaseSemantics::RegisterStateGenericPtr rstate = BaseSemantics::RegisterStateGeneric::promote(state->registerState());
if (rstate && rstate->is_partly_stored(regIp)) {
BaseSemantics::SValuePtr ip = ops->readRegister(cpu->instructionPointerRegister());
if (ip->is_number()) {
state = state->clone();
isCloned = true;
rstate = BaseSemantics::RegisterStateGeneric::promote(state->registerState());
rstate->erase_register(regIp, ops.get());
}
}
// Get the memory state, cloning the state if not done so above.
BaseSemantics::MemoryCellStatePtr mem =
boost::dynamic_pointer_cast<BaseSemantics::MemoryCellState>(state->memoryState());
if (mem && !isCloned) {
state = state->clone();
isCloned = true;
mem = BaseSemantics::MemoryCellState::promote(state->memoryState());
}
// Erase memory that has never been written (i.e., cells that sprang into existence by reading an address) of which appears
// to have been recently popped from the stack.
CellErasurePredicate predicate(ops, ops->readRegister(cpu->stackPointerRegister()), ignorePoppedMemory_);
if (mem)
mem->eraseMatchingCells(predicate);
BaseSemantics::Formatter fmt;
fmt.set_show_latest_writers(false);
fmt.set_show_properties(false);
std::ostringstream ss;
ss <<(*state+fmt);
return ss.str();
}
/* Analyze a single interpretation a block at a time */
static void
analyze_interp(SgAsmInterpretation *interp)
{
/* Get the set of all instructions except instructions that are part of left-over blocks. */
struct AllInstructions: public SgSimpleProcessing, public std::map<rose_addr_t, SgAsmX86Instruction*> {
void visit(SgNode *node) {
SgAsmX86Instruction *insn = isSgAsmX86Instruction(node);
SgAsmFunction *func = SageInterface::getEnclosingNode<SgAsmFunction>(insn);
if (func && 0==(func->get_reason() & SgAsmFunction::FUNC_LEFTOVERS))
insert(std::make_pair(insn->get_address(), insn));
}
} insns;
insns.traverse(interp, postorder);
while (!insns.empty()) {
std::cout <<"=====================================================================================\n"
<<"=== Starting a new basic block ===\n"
<<"=====================================================================================\n";
AllInstructions::iterator si = insns.begin();
SgAsmX86Instruction *insn = si->second;
insns.erase(si);
BaseSemantics::RiscOperatorsPtr operators = make_ops();
BaseSemantics::Formatter formatter;
formatter.set_suppress_initial_values();
formatter.set_show_latest_writers(do_usedef);
BaseSemantics::DispatcherPtr dispatcher;
if (do_trace) {
// Enable RiscOperators tracing, but turn off a bunch of info that makes comparisons with a known good answer
// difficult.
Sawyer::Message::PrefixPtr prefix = Sawyer::Message::Prefix::instance();
prefix->showProgramName(false);
prefix->showThreadId(false);
prefix->showElapsedTime(false);
prefix->showFacilityName(Sawyer::Message::Prefix::NEVER);
prefix->showImportance(false);
Sawyer::Message::UnformattedSinkPtr sink = Sawyer::Message::StreamSink::instance(std::cout);
sink->prefix(prefix);
sink->defaultPropertiesNS().useColor = false;
TraceSemantics::RiscOperatorsPtr trace = TraceSemantics::RiscOperators::instance(operators);
trace->stream().destination(sink);
trace->stream().enable();
dispatcher = DispatcherX86::instance(trace, 32);
} else {
dispatcher = DispatcherX86::instance(operators, 32);
}
operators->set_solver(make_solver());
// The fpstatus_top register must have a concrete value if we'll use the x86 floating-point stack (e.g., st(0))
if (const RegisterDescriptor *REG_FPSTATUS_TOP = regdict->lookup("fpstatus_top")) {
BaseSemantics::SValuePtr st_top = operators->number_(REG_FPSTATUS_TOP->get_nbits(), 0);
operators->writeRegister(*REG_FPSTATUS_TOP, st_top);
}
#if SEMANTIC_DOMAIN == SYMBOLIC_DOMAIN
BaseSemantics::SValuePtr orig_esp;
if (do_test_subst) {
// Only request the orig_esp if we're going to use it later because it causes an esp value to be instantiated
// in the state, which is printed in the output, and thus changes the answer.
BaseSemantics::RegisterStateGeneric::promote(operators->get_state()->get_register_state())->initialize_large();
orig_esp = operators->readRegister(*regdict->lookup("esp"));
std::cout <<"Original state:\n" <<*operators;
}
#endif
/* Perform semantic analysis for each instruction in this block. The block ends when we no longer know the value of
* the instruction pointer or the instruction pointer refers to an instruction that doesn't exist or which has already
* been processed. */
while (1) {
/* Analyze current instruction */
std::cout <<"\n" <<unparseInstructionWithAddress(insn) <<"\n";
try {
dispatcher->processInstruction(insn);
# if 0 /*DEBUGGING [Robb P. Matzke 2013-05-01]*/
show_state(operators); // for comparing RegisterStateGeneric with the old RegisterStateX86 output
# else
std::cout <<(*operators + formatter);
# endif
} catch (const BaseSemantics::Exception &e) {
std::cout <<e <<"\n";
}
/* Never follow CALL instructions */
if (insn->get_kind()==x86_call || insn->get_kind()==x86_farcall)
break;
/* Get next instruction of this block */
BaseSemantics::SValuePtr ip = operators->readRegister(dispatcher->findRegister("eip"));
if (!ip->is_number())
break;
rose_addr_t next_addr = ip->get_number();
si = insns.find(next_addr);
if (si==insns.end()) break;
insn = si->second;
insns.erase(si);
}
// Test substitution on the symbolic state.
#if SEMANTIC_DOMAIN == SYMBOLIC_DOMAIN
if (do_test_subst) {
SymbolicSemantics::SValuePtr from = SymbolicSemantics::SValue::promote(orig_esp);
BaseSemantics::SValuePtr newvar = operators->undefined_(32);
newvar->set_comment("frame_pointer");
SymbolicSemantics::SValuePtr to =
SymbolicSemantics::SValue::promote(operators->add(newvar, operators->number_(32, 4)));
std::cout <<"Substituting from " <<*from <<" to " <<*to <<"\n";
SymbolicSemantics::RiscOperators::promote(operators)->substitute(from, to);
std::cout <<"Substituted state:\n" <<(*operators+formatter);
}
#endif
}
}
/* Analyze a single interpretation a block at a time */
static void
analyze_interp(SgAsmInterpretation *interp)
{
/* Get the set of all instructions except instructions that are part of left-over blocks. */
struct AllInstructions: public SgSimpleProcessing, public std::map<rose_addr_t, SgAsmx86Instruction*> {
void visit(SgNode *node) {
SgAsmx86Instruction *insn = isSgAsmx86Instruction(node);
SgAsmFunction *func = SageInterface::getEnclosingNode<SgAsmFunction>(insn);
if (func && 0==(func->get_reason() & SgAsmFunction::FUNC_LEFTOVERS))
insert(std::make_pair(insn->get_address(), insn));
}
} insns;
insns.traverse(interp, postorder);
while (!insns.empty()) {
std::cout <<"=====================================================================================\n"
<<"=== Starting a new basic block ===\n"
<<"=====================================================================================\n";
AllInstructions::iterator si = insns.begin();
SgAsmx86Instruction *insn = si->second;
insns.erase(si);
#if SEMANTIC_API == NEW_API
BaseSemantics::RiscOperatorsPtr operators = make_ops();
BaseSemantics::Formatter formatter;
formatter.set_suppress_initial_values();
BaseSemantics::DispatcherPtr dispatcher;
if (do_trace) {
TraceSemantics::RiscOperatorsPtr trace = TraceSemantics::RiscOperators::instance(operators);
trace->set_stream(stdout);
dispatcher = DispatcherX86::instance(trace);
} else {
dispatcher = DispatcherX86::instance(operators);
}
operators->set_solver(make_solver());
#else // OLD_API
typedef X86InstructionSemantics<MyPolicy, MyValueType> MyDispatcher;
MyPolicy operators;
MyDispatcher dispatcher(operators);
# if SEMANTIC_DOMAIN == SYMBOLIC_DOMAIN
operators.set_solver(make_solver());
SymbolicSemantics::Formatter formatter;
formatter.expr_formatter.do_rename = true;
formatter.expr_formatter.add_renames = true;
# elif SEMANTIC_DOMAIN != FINDCONST_DOMAIN && SEMANTIC_DOMAIN != FINDCONSTABI_DOMAIN
BaseSemantics::Formatter formatter;
# endif
#endif
#if SEMANTIC_DOMAIN == SYMBOLIC_DOMAIN && SEMANTIC_API == NEW_API
BaseSemantics::SValuePtr orig_esp;
if (do_test_subst) {
// Only request the orig_esp if we're going to use it later because it causes an esp value to be instantiated
// in the state, which is printed in the output, and thus changes the answer.
BaseSemantics::RegisterStateGeneric::promote(operators->get_state()->get_register_state())->initialize_large();
orig_esp = operators->readRegister(*regdict->lookup("esp"));
std::cout <<"Original state:\n" <<*operators;
}
#endif
/* Perform semantic analysis for each instruction in this block. The block ends when we no longer know the value of
* the instruction pointer or the instruction pointer refers to an instruction that doesn't exist or which has already
* been processed. */
while (1) {
/* Analyze current instruction */
std::cout <<"\n" <<unparseInstructionWithAddress(insn) <<"\n";
#if SEMANTIC_API == NEW_API
try {
dispatcher->processInstruction(insn);
# if 0 /*DEBUGGING [Robb P. Matzke 2013-05-01]*/
show_state(operators); // for comparing RegisterStateGeneric with the old RegisterStateX86 output
# else
std::cout <<(*operators + formatter);
# endif
} catch (const BaseSemantics::Exception &e) {
std::cout <<e <<"\n";
}
#else // OLD API
try {
dispatcher.processInstruction(insn);
# if SEMANTIC_DOMAIN == FINDCONST_DOMAIN || SEMANTIC_DOMAIN == FINDCONSTABI_DOMAIN
operators.print(std::cout);
# else
operators.print(std::cout, formatter);
# endif
} catch (const MyDispatcher::Exception &e) {
std::cout <<e <<"\n";
break;
# if SEMANTIC_DOMAIN == PARTSYM_DOMAIN
} catch (const MyPolicy::Exception &e) {
std::cout <<e <<"\n";
break;
# endif
} catch (const SMTSolver::Exception &e) {
std::cout <<e <<" [ "<<unparseInstructionWithAddress(insn) <<"]\n";
break;
}
#endif
/* Never follow CALL instructions */
if (insn->get_kind()==x86_call || insn->get_kind()==x86_farcall)
break;
/* Get next instruction of this block */
#if SEMANTIC_API == NEW_API
BaseSemantics::SValuePtr ip = operators->readRegister(dispatcher->findRegister("eip"));
if (!ip->is_number())
break;
rose_addr_t next_addr = ip->get_number();
#else // OLD_API
# if SEMANTIC_DOMAIN == PARTSYM_DOMAIN || SEMANTIC_DOMAIN == SYMBOLIC_DOMAIN
MyValueType<32> ip = operators.get_ip();
if (!ip.is_known()) break;
rose_addr_t next_addr = ip.known_value();
# elif SEMANTIC_DOMAIN == NULL_DOMAIN || SEMANTIC_DOMAIN == INTERVAL_DOMAIN
MyValueType<32> ip = operators.readRegister<32>(dispatcher.REG_EIP);
if (!ip.is_known()) break;
rose_addr_t next_addr = ip.known_value();
# elif SEMANTIC_DOMAIN == MULTI_DOMAIN
PartialSymbolicSemantics::ValueType<32> ip = operators.readRegister<32>(dispatcher.REG_EIP)
.get_subvalue(MyMultiSemanticsClass::SP0());
if (!ip.is_known()) break;
rose_addr_t next_addr = ip.known_value();
# else
if (operators.newIp->get().name) break;
rose_addr_t next_addr = operators.newIp->get().offset;
# endif
#endif
si = insns.find(next_addr);
if (si==insns.end()) break;
insn = si->second;
insns.erase(si);
}
// Test substitution on the symbolic state.
#if SEMANTIC_DOMAIN == SYMBOLIC_DOMAIN && SEMANTIC_API == NEW_API
if (do_test_subst) {
SymbolicSemantics::SValuePtr from = SymbolicSemantics::SValue::promote(orig_esp);
BaseSemantics::SValuePtr newvar = operators->undefined_(32);
newvar->set_comment("frame_pointer");
SymbolicSemantics::SValuePtr to =
SymbolicSemantics::SValue::promote(operators->add(newvar, operators->number_(32, 4)));
std::cout <<"Substituting from " <<*from <<" to " <<*to <<"\n";
SymbolicSemantics::RiscOperators::promote(operators)->substitute(from, to);
std::cout <<"Substituted state:\n" <<(*operators+formatter);
}
#endif
}
}
