void AssignmentConverter::handlePushEquivalent(const Instruction::Ptr I,
Address addr,
ParseAPI::Function *func,
ParseAPI::Block *block,
std::vector<AbsRegion> &operands,
std::vector<Assignment::Ptr> &assignments) {
// The handled-in operands are used to define *SP
// And then we update SP
AbsRegion stackTop = aConverter.stack(addr, func, block, true);
AbsRegion sp(Absloc::makeSP(func->isrc()->getArch()));
Assignment::Ptr spA = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
stackTop));
spA->addInputs(operands);
spA->addInput(sp);
Assignment::Ptr spB = Assignment::Ptr(new Assignment(I, addr, func, block, sp));
spB->addInput(sp);
assignments.push_back(spA);
assignments.push_back(spB);
}
void AssignmentConverter::handlePopEquivalent(const Instruction::Ptr I,
Address addr,
ParseAPI::Function *func,
ParseAPI::Block *block,
std::vector<AbsRegion> &operands,
std::vector<Assignment::Ptr> &assignments) {
// We use the top of the stack and any operands beyond the first.
// (Can you pop into memory?)
AbsRegion stackTop = aConverter.stack(addr, func, block, false);
AbsRegion sp(Absloc::makeSP(func->isrc()->getArch()));
Assignment::Ptr spA = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
operands[0]));
spA->addInput(stackTop);
spA->addInput(sp);
for (unsigned i = 1; i < operands.size(); i++) {
spA->addInput(operands[i]);
}
// Now stack assignment
Assignment::Ptr spB = Assignment::Ptr(new Assignment(I, addr, func, block, sp));
spB->addInput(sp);
assignments.push_back(spA);
assignments.push_back(spB);
}
void AssignmentConverter::convert(const Instruction::Ptr I,
const Address &addr,
ParseAPI::Function *func,
ParseAPI::Block *block,
std::vector<Assignment::Ptr> &assignments) {
assignments.clear();
if (cache(func, addr, assignments)) return;
// Decompose the instruction into a set of abstract assignments.
// We don't have the Definition class concept yet, so we'll do the
// hard work here.
// Two phases:
// 1) Special-cased for IA32 multiple definition instructions,
// based on the opcode of the instruction
// 2) Generic handling for things like flags and the PC.
// Non-PC handling section
switch(I->getOperation().getID()) {
case e_push: {
// SP = SP - 4
// *SP = <register>
std::vector<Operand> operands;
I->getOperands(operands);
// According to the InstructionAPI, the first operand will be the argument, the second will be ESP.
assert(operands.size() == 2);
// The argument can be any of the following:
// 1) a register (push eax);
// 2) an immediate value (push $deadbeef)
// 3) a memory location.
std::vector<AbsRegion> oper0;
aConverter.convertAll(operands[0].getValue(),
addr,
func,
block,
oper0);
handlePushEquivalent(I, addr, func, block, oper0, assignments);
break;
}
case e_call: {
// This can be seen as a push of the PC...
std::vector<AbsRegion> pcRegion;
pcRegion.push_back(Absloc::makePC(func->isrc()->getArch()));
Absloc sp = Absloc::makeSP(func->isrc()->getArch());
handlePushEquivalent(I, addr, func, block, pcRegion, assignments);
// Now for the PC definition
// Assume full intra-dependence of non-flag and non-pc registers.
std::vector<AbsRegion> used;
std::vector<AbsRegion> defined;
aConverter.convertAll(I,
addr,
func,
block,
used,
defined);
Assignment::Ptr a = Assignment::Ptr(new Assignment(I, addr, func, block, pcRegion[0]));
if (!used.empty()) {
for(std::vector<AbsRegion>::const_iterator u = used.begin();
u != used.end();
++u)
{
if(!(u->contains(pcRegion[0])) &&
!(u->contains(sp)))
{
a->addInput(*u);
}
}
}
else {
a->addInputs(pcRegion);
}
assignments.push_back(a);
break;
}
case e_pop: {
// <reg> = *SP
// SP = SP + 4/8
// Amusingly... this doesn't have an intra-instruction dependence. It should to enforce
// the order that <reg> = *SP happens before SP = SP - 4, but since the input to both
// uses of SP in this case are the, well, input values... no "sideways" edges.
// However, we still special-case it so that SP doesn't depend on the incoming stack value...
// Also, we use the same logic for return, defining it as
// PC = *SP
// SP = SP + 4/8
// As with push, eSP shows up as operand 1.
std::vector<Operand> operands;
I->getOperands(operands);
// According to the InstructionAPI, the first operand will be the explicit register, the second will be ESP.
assert(operands.size() == 2);
std::vector<AbsRegion> oper0;
aConverter.convertAll(operands[0].getValue(),
addr,
func,
block,
oper0);
handlePopEquivalent(I, addr, func, block, oper0, assignments);
break;
}
case e_leave: {
// a leave is equivalent to:
// mov ebp, esp
// pop ebp
// From a definition POV, we have the following:
// SP = BP
// BP = *SP
// BP STACK[newSP]
// | |
// v v
// SP -> BP
// This is going to give the stack analysis fits... for now, I think it just reverts the
// stack depth to 0.
// TODO FIXME update stack analysis to make this really work.
AbsRegion sp(Absloc::makeSP(func->isrc()->getArch()));
AbsRegion fp(Absloc::makeFP(func->isrc()->getArch()));
// Should be "we assign SP using FP"
Assignment::Ptr spA = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
sp));
spA->addInput(fp);
// And now we want "FP = (stack slot -2*wordsize)"
/*
AbsRegion stackTop(Absloc(0,
0,
func));
*/
// Actually, I think this is ebp = pop esp === ebp = pop ebp
Assignment::Ptr fpA = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
fp));
//fpA->addInput(aConverter.stack(addr + I->size(), func, false));
fpA->addInput(aConverter.frame(addr, func, block, false));
assignments.push_back(spA);
assignments.push_back(fpA);
break;
}
case e_ret_near:
case e_ret_far: {
// PC = *SP
// SP = SP + 4/8
// Like pop, except it's all implicit.
AbsRegion pc = AbsRegion(Absloc::makePC(func->isrc()->getArch()));
Assignment::Ptr pcA = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
pc));
pcA->addInput(aConverter.stack(addr, func, block, false));
AbsRegion sp = AbsRegion(Absloc::makeSP(func->isrc()->getArch()));
Assignment::Ptr spA = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
sp));
spA->addInput(sp);
assignments.push_back(pcA);
assignments.push_back(spA);
break;
}
case e_xchg: {
// xchg defines two abslocs, and uses them as appropriate...
std::vector<Operand> operands;
I->getOperands(operands);
// According to the InstructionAPI, the first operand will be the argument, the second will be ESP.
assert(operands.size() == 2);
// We use the first to define the second, and vice versa
std::vector<AbsRegion> oper0;
aConverter.convertAll(operands[0].getValue(),
addr,
func,
block,
oper0);
std::vector<AbsRegion> oper1;
aConverter.convertAll(operands[1].getValue(),
addr,
func,
block,
oper1);
// Okay. We may have a memory reference in here, which will
// cause either oper0 or oper1 to have multiple entries (the
// remainder will be registers). So. Use everything from oper1
// to define oper0[0], and vice versa.
Assignment::Ptr a = Assignment::Ptr(new Assignment(I, addr, func, block, oper0[0]));
a->addInputs(oper1);
Assignment::Ptr b = Assignment::Ptr(new Assignment(I, addr, func, block, oper1[0]));
b->addInputs(oper0);
assignments.push_back(a);
assignments.push_back(b);
break;
}
case power_op_stwu: {
std::vector<Operand> operands;
I->getOperands(operands);
// stwu <a>, <b>, <c>
// <a> = R1
// <b> = -16(R1)
// <c> = R1
// From this, R1 <= R1 - 16; -16(R1) <= R1
// So a <= b (without a deref)
// deref(b) <= c
std::set<Expression::Ptr> writes;
I->getMemoryWriteOperands(writes);
assert(writes.size() == 1);
Expression::Ptr tmp = *(writes.begin());
AbsRegion effAddr = aConverter.convert(tmp,
addr,
func,
block);
std::vector<AbsRegion> regions;
aConverter.convertAll(operands[0].getValue(), addr, func, block, regions);
AbsRegion RS = regions[0];
regions.clear();
aConverter.convertAll(operands[2].getValue(), addr, func, block, regions);
AbsRegion RA = regions[0];
Assignment::Ptr mem = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
effAddr));
mem->addInput(RS);
Assignment::Ptr ra = Assignment::Ptr(new Assignment(I,
addr,
func,
block,
RA));
ra->addInput(RS);
assignments.push_back(mem);
assignments.push_back(ra);
break;
}
default:
// Assume full intra-dependence of non-flag and non-pc registers.
std::vector<AbsRegion> used;
std::vector<AbsRegion> defined;
aConverter.convertAll(I,
addr,
func,
block,
used,
defined);
for (std::vector<AbsRegion>::const_iterator i = defined.begin();
i != defined.end(); ++i) {
Assignment::Ptr a = Assignment::Ptr(new Assignment(I, addr, func, block, *i));
a->addInputs(used);
assignments.push_back(a);
}
break;
}
// Now for flags...
// According to Matt, the easiest way to represent dependencies for flags on
// IA-32/AMD-64 is to have them depend on the inputs to the instruction and
// not the outputs of the instruction; therefore, there's no intra-instruction
// dependence.
// PC-handling section
// Most instructions use the PC to set the PC. This includes calls, relative branches,
// and the like. So we're basically looking for indirect branches or absolute branches.
// (are there absolutes on IA-32?).
// Also, conditional branches and the flag registers they use.
if (cacheEnabled_) {
cache_[func][addr] = assignments;
}
}