ROSE  0.9.12.19
BinaryFeasiblePath.h
1 #ifndef ROSE_BinaryAnalysis_FeasiblePath_H
2 #define ROSE_BinaryAnalysis_FeasiblePath_H
3 
4 #include <BaseSemantics2.h>
5 #include <BinarySmtSolver.h>
6 #include <BinarySymbolicExprParser.h>
7 #include <Partitioner2/CfgPath.h>
8 #include <RoseException.h>
9 #include <Sawyer/CommandLine.h>
10 #include <Sawyer/Message.h>
11 #include <boost/filesystem/path.hpp>
12 
13 namespace Rose {
14 namespace BinaryAnalysis {
15 
19 class FeasiblePath {
21  // Types and public data members
23 public:
25  class Exception: public Rose::Exception {
26  public:
27  Exception(const std::string &what)
28  : Rose::Exception(what) {}
29  ~Exception() throw () {}
30  };
31 
33  enum SearchMode {
34  SEARCH_SINGLE_DFS,
35  SEARCH_SINGLE_BFS,
36  SEARCH_MULTI
37  };
38 
40  enum SemanticMemoryParadigm {
41  LIST_BASED_MEMORY,
42  MAP_BASED_MEMORY
43  };
44 
46  enum EdgeVisitOrder {
47  VISIT_NATURAL,
48  VISIT_REVERSE,
49  VISIT_RANDOM,
50  };
51 
53  enum IoMode { READ, WRITE };
54 
56  enum MayOrMust { MAY, MUST };
57 
59  typedef std::set<rose_addr_t> AddressSet;
60 
67  struct Expression {
68  AddressIntervalSet location;
69  std::string parsable;
70  SymbolicExpr::Ptr expr;
72  Expression() {}
73  /*implicit*/ Expression(const std::string &parsable): parsable(parsable) {}
74  /*implicit*/ Expression(const SymbolicExpr::Ptr &expr): expr(expr) {}
75 
76  void print(std::ostream&) const;
77  };
78 
80  struct Settings {
81  // Path feasibility
82  SearchMode searchMode;
83  Sawyer::Optional<rose_addr_t> initialStackPtr;
84  size_t maxVertexVisit;
85  size_t maxPathLength;
86  size_t maxCallDepth;
87  size_t maxRecursionDepth;
88  std::vector<Expression> assertions;
89  std::vector<std::string> assertionLocations;
90  std::vector<rose_addr_t> summarizeFunctions;
91  bool nonAddressIsFeasible;
92  std::string solverName;
93  SemanticMemoryParadigm memoryParadigm;
94  bool processFinalVertex;
95  bool ignoreSemanticFailure;
96  double kCycleCoefficient;
97  EdgeVisitOrder edgeVisitOrder;
98  bool trackingCodeCoverage;
99  std::vector<rose_addr_t> ipRewrite;
101  // Null dereferences
102  struct NullDeref {
103  bool check;
104  MayOrMust mode;
105  bool constOnly;
107  NullDeref()
108  : check(false), mode(MUST), constOnly(false) {}
109  } nullDeref;
111  std::string exprParserDoc;
114  Settings()
115  : searchMode(SEARCH_SINGLE_DFS), maxVertexVisit((size_t)-1), maxPathLength(200), maxCallDepth((size_t)-1),
116  maxRecursionDepth((size_t)-1), nonAddressIsFeasible(true), solverName("best"),
117  memoryParadigm(LIST_BASED_MEMORY), processFinalVertex(false), ignoreSemanticFailure(false),
118  kCycleCoefficient(0.0), edgeVisitOrder(VISIT_NATURAL), trackingCodeCoverage(true) {}
119  };
120 
122  static Sawyer::Message::Facility mlog;
123 
131  RegisterDescriptor REG_PATH;
132 
134  struct VarDetail {
135  std::string registerName;
136  std::string firstAccessMode;
137  SgAsmInstruction *firstAccessInsn;
138  Sawyer::Optional<size_t> firstAccessIdx;
139  SymbolicExpr::Ptr memAddress;
140  size_t memSize;
141  size_t memByteNumber;
142  Sawyer::Optional<rose_addr_t> returnFrom;
144  VarDetail(): firstAccessInsn(NULL), memSize(0), memByteNumber(0) {}
145  std::string toString() const;
146  };
147 
149  typedef Sawyer::Container::Map<std::string /*name*/, FeasiblePath::VarDetail> VarDetails;
150 
154  class PathProcessor {
155  public:
156  enum Action {
157  BREAK,
158  CONTINUE
159  };
160 
161  virtual ~PathProcessor() {}
162 
177  virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
178  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
179  const SmtSolverPtr &solver) { return CONTINUE; }
180 
192  virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
193  const SmtSolverPtr &solver, IoMode ioMode,
194  const InstructionSemantics2::BaseSemantics::SValuePtr &addr, SgAsmInstruction *insn) {}
195 
200  virtual void memoryIo(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
201  const SmtSolverPtr &solver, IoMode ioMode,
202  const InstructionSemantics2::BaseSemantics::SValuePtr &addr,
203  const InstructionSemantics2::BaseSemantics::SValuePtr &value,
204  const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &ops) {}
205  };
206 
210  struct FunctionSummary {
211  rose_addr_t address;
212  int64_t stackDelta;
213  std::string name;
216  FunctionSummary(): stackDelta(SgAsmInstruction::INVALID_STACK_DELTA) {}
217 
219  FunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgFuncVertex, uint64_t stackDelta);
220  };
221 
223  typedef Sawyer::Container::Map<rose_addr_t, FunctionSummary> FunctionSummaries;
224 
228  class FunctionSummarizer: public Sawyer::SharedObject {
229  public:
231  typedef Sawyer::SharedPointer<FunctionSummarizer> Ptr;
232  protected:
233  FunctionSummarizer() {}
234  public:
236  virtual void init(const FeasiblePath &analysis, FunctionSummary &summary /*in,out*/,
237  const Partitioner2::Function::Ptr &function,
238  Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget) = 0;
239 
244  virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary,
245  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
246 
251  virtual InstructionSemantics2::SymbolicSemantics::SValuePtr
252  returnValue(const FeasiblePath &analysis, const FunctionSummary &summary,
253  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
254  };
255 
257  // Private data members
259 private:
260  const Partitioner2::Partitioner *partitioner_; // binary analysis context
261  RegisterDictionary *registers_; // registers augmented with "path" pseudo-register
262  RegisterDescriptor REG_RETURN_; // FIXME[Robb P Matzke 2016-10-11]: see source
263  Settings settings_;
264  FunctionSummaries functionSummaries_;
265  Partitioner2::CfgVertexMap vmap_; // relates CFG vertices to path vertices
266  Partitioner2::ControlFlowGraph paths_; // all possible paths, feasible or otherwise
267  Partitioner2::CfgConstVertexSet pathsBeginVertices_;// vertices of paths_ where searching starts
268  Partitioner2::CfgConstVertexSet pathsEndVertices_; // vertices of paths_ where searching stops
269  Partitioner2::CfgConstEdgeSet cfgAvoidEdges_; // CFG edges to avoid
270  Partitioner2::CfgConstVertexSet cfgEndAvoidVertices_;// CFG end-of-path and other avoidance vertices
271  FunctionSummarizer::Ptr functionSummarizer_; // user-defined function for handling function summaries
272  AddressSet reachedBlockVas_; // basic block addresses reached during analysis
273  static Sawyer::Attribute::Id POST_STATE; // stores semantic state after executing the insns for a vertex
274  static Sawyer::Attribute::Id POST_INSN_LENGTH; // path length in instructions at end of vertex
275  static Sawyer::Attribute::Id EFFECTIVE_K; // (double) effective maximimum path length
276 
277 
279  // Construction, destruction
281 public:
283  FeasiblePath()
284  : registers_(NULL) {}
285 
286  virtual ~FeasiblePath() {}
287 
289  void reset() {
290  partitioner_ = NULL;
291  registers_ = NULL;
292  REG_PATH = REG_RETURN_ = RegisterDescriptor();
293  functionSummaries_.clear();
294  vmap_.clear();
295  paths_.clear();
296  pathsBeginVertices_.clear();
297  pathsEndVertices_.clear();
298  cfgAvoidEdges_.clear();
299  cfgEndAvoidVertices_.clear();
300  reachedBlockVas_.clear();
301  }
302 
304  static void initDiagnostics();
305 
306 
308  // Settings affecting behavior
310 public:
314  const Settings& settings() const { return settings_; }
315  Settings& settings() { return settings_; }
316  void settings(const Settings &s) { settings_ = s; }
323  static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings);
324 
326  static std::string expressionDocumentation();
327 
328 
330  // Overridable processing functions
332 public:
338  virtual InstructionSemantics2::BaseSemantics::DispatcherPtr
339  buildVirtualCpu(const Partitioner2::Partitioner&, const Partitioner2::CfgPath*, PathProcessor*, const SmtSolver::Ptr&);
340 
347  virtual void
348  setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
349  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex);
350 
355  virtual void
356  processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock,
357  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex);
358 
362  virtual void
363  processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex,
364  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
365  size_t pathInsnIndex);
366 
370  virtual void
371  processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
372  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
373  size_t pathInsnIndex);
374 
378  virtual void
379  processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
380  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
381  size_t &pathInsnIndex /*in,out*/);
382 
384  virtual bool
385  shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex,
386  const Partitioner2::ControlFlowGraph &cfg,
387  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
388 
390  virtual bool
391  shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
392 
401  FunctionSummarizer::Ptr functionSummarizer() const { return functionSummarizer_; }
402  void functionSummarizer(const FunctionSummarizer::Ptr &f) { functionSummarizer_ = f; }
405  // Utilities
408 public:
410  Partitioner2::ControlFlowGraph::ConstVertexIterator
411  pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const;
412 
414  Partitioner2::CfgConstVertexSet
415  cfgToPaths(const Partitioner2::CfgConstVertexSet&) const;
416 
418  bool pathEndsWithFunctionCall(const Partitioner2::CfgPath&) const;
419 
421  bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator&) const;
422 
424  void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex,
425  size_t &insnIdx /*in,out*/) const;
426 
430  void printPath(std::ostream &out, const Partitioner2::CfgPath&) const;
431 
435  static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg,
436  const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex,
437  const Partitioner2::CfgConstVertexSet &endVertices);
438 
440  // Functions for describing the search space
442 public:
443 
450  void
451  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
452  const Partitioner2::CfgConstVertexSet &cfgBeginVertices,
453  const Partitioner2::CfgConstVertexSet &cfgEndVertices,
454  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
455  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
456  void
457  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
458  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex,
459  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgEndVertex,
460  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
461  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
465  // Functions for searching for paths
468 public:
473  void depthFirstSearch(PathProcessor &pathProcessor);
474 
475 
477  // Functions for getting the results
479 public:
484  const Partitioner2::Partitioner& partitioner() const;
485 
489  const FunctionSummaries& functionSummaries() const {
490  return functionSummaries_;
491  }
492 
497  const FunctionSummary& functionSummary(rose_addr_t entryVa) const;
498 
500  const VarDetail& varDetail(const InstructionSemantics2::BaseSemantics::StatePtr&, const std::string &varName) const;
501 
503  const VarDetails& varDetails(const InstructionSemantics2::BaseSemantics::StatePtr&) const;
504 
506  static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath&, size_t vertexIdx);
507 
513  double pathEffectiveK(const Partitioner2::CfgPath&) const;
514 
521  static size_t pathLength(const Partitioner2::CfgPath&);
522 
524  // Functions for code coverage
526 public:
531  const AddressSet& reachedBlockVas() const;
532 
534  // Private supporting functions
536 private:
537  // Check that analysis settings are valid, or throw an exception.
538  void checkSettings() const;
539 
540  static rose_addr_t virtualAddress(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex);
541 
542  void insertCallSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsCallSite,
543  const Partitioner2::ControlFlowGraph &cfg,
544  const Partitioner2::ControlFlowGraph::ConstEdgeIterator &cfgCallEdge);
545 
546  boost::filesystem::path emitPathGraph(size_t callId, size_t graphId); // emit paths graph to "rose-debug" directory
547 
548  // Pop an edge (or more) from the path and follow some other edge. Also, adjust the SMT solver's stack in a similar
549  // way. The SMT solver will have an initial state, plus one pushed state per edge of the path.
550  void backtrack(Partitioner2::CfgPath &path /*in,out*/, const SmtSolver::Ptr&);
551 
552  // Process one edge of a path to find any path constraints. When called, the cpu's current state should be the virtual
553  // machine state at it exists just prior to executing the target vertex of the specified edge.
554  //
555  // Returns a null pointer if the edge's assertion is trivially unsatisfiable, such as when the edge points to a basic block
556  // whose address doesn't match the contents of the instruction pointer register after executing the edge's source
557  // block. Otherwise, returns a symbolic expression which must be tree if the edge is feasible. For trivially feasible
558  // edges, the return value is the constant 1 (one bit wide; i.e., true).
559  SymbolicExpr::Ptr pathEdgeConstraint(const Partitioner2::ControlFlowGraph::ConstEdgeIterator &pathEdge,
560  InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu);
561 
562  // Parse the expression if it's a parsable string, otherwise return the expression as is. */
563  Expression parseExpression(Expression, const std::string &where, SymbolicExprParser&) const;
564 
565  SymbolicExpr::Ptr expandExpression(const Expression&, SymbolicExprParser&);
566 
567  // Based on the last vertex of the path, insert user-specified assertions into the SMT solver.
568  void insertAssertions(const SmtSolver::Ptr&, const Partitioner2::CfgPath&,
569  const std::vector<Expression> &assertions, bool atEndOfPath, SymbolicExprParser&);
570 
571  // Size of vertex. How much of "k" does this vertex consume?
572  static size_t vertexSize(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
573 
574  // Insert the edge assertion and any applicable user assertions (after delayed expansion of the expressions' register
575  // and memory references), and run the solver, returning its result.
576  SmtSolver::Satisfiable
577  solvePathConstraints(SmtSolver::Ptr&, const Partitioner2::CfgPath&, const SymbolicExpr::Ptr &edgeAssertion,
578  const std::vector<Expression> &userAssertions, bool atEndOfPath, SymbolicExprParser&);
579 
580  // Mark vertex as being reached
581  void markAsReached(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
582 };
583 
584 } // namespace
585 } // namespace
586 
587 std::ostream& operator<<(std::ostream&, const Rose::BinaryAnalysis::FeasiblePath::Expression&);
588 
589 // Convert string to feasible path expression during command-line parsing
590 namespace Sawyer {
591  namespace CommandLine {
592  template<>
593  struct LexicalCast<Rose::BinaryAnalysis::FeasiblePath::Expression> {
594  static Rose::BinaryAnalysis::FeasiblePath::Expression convert(const std::string &src) {
595  return Rose::BinaryAnalysis::FeasiblePath::Expression(src);
596  }
597  };
598  }
599 }
600 
601 #endif
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessMode
std::string firstAccessMode
How was variable first accessed ("read" or "write").
Definition: BinaryFeasiblePath.h:136
Rose::BinaryAnalysis::FeasiblePath::Settings::summarizeFunctions
std::vector< rose_addr_t > summarizeFunctions
Functions to always summarize.
Definition: BinaryFeasiblePath.h:90
Rose::BinaryAnalysis::FeasiblePath::FunctionSummaries
Sawyer::Container::Map< rose_addr_t, FunctionSummary > FunctionSummaries
Summaries for multiple functions.
Definition: BinaryFeasiblePath.h:223
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::mode
MayOrMust mode
Check for addrs that may or must be null.
Definition: BinaryFeasiblePath.h:104
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::RiscOperatorsPtr
boost::shared_ptr< RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to a RISC operators object.
Definition: BaseSemanticsTypes.h:54
Rose::BinaryAnalysis::FeasiblePath::Settings::edgeVisitOrder
EdgeVisitOrder edgeVisitOrder
Order in which to visit edges.
Definition: BinaryFeasiblePath.h:97
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::returnValue
virtual InstructionSemantics2::SymbolicSemantics::SValuePtr returnValue(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Return value for function.
Rose::BinaryAnalysis::FeasiblePath::isAnyEndpointReachable
static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex, const Partitioner2::CfgConstVertexSet &endVertices)
Determine whether any ending vertex is reachable.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::address
rose_addr_t address
Address of summarized function.
Definition: BinaryFeasiblePath.h:211
Rose::BinaryAnalysis::FeasiblePath::Settings::memoryParadigm
SemanticMemoryParadigm memoryParadigm
Type of memory state when there's a choice to be made.
Definition: BinaryFeasiblePath.h:93
Rose::BinaryAnalysis::FeasiblePath::Settings::trackingCodeCoverage
bool trackingCodeCoverage
If set, track which block addresses are reached.
Definition: BinaryFeasiblePath.h:98
Rose::BinaryAnalysis::FeasiblePath::pathEffectiveK
double pathEffectiveK(const Partitioner2::CfgPath &) const
Effective maximum path length.
Rose::BinaryAnalysis::FeasiblePath::printPathVertex
void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex, size_t &insnIdx) const
Print one vertex of a path for debugging.
Rose::BinaryAnalysis::FeasiblePath::Expression::parsable
std::string parsable
String to be parsed as an expression.
Definition: BinaryFeasiblePath.h:69
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary
Information stored per V_USER_DEFINED path vertex.
Definition: BinaryFeasiblePath.h:210
Rose::BinaryAnalysis::FeasiblePath::VarDetails
Sawyer::Container::Map< std::string, FeasiblePath::VarDetail > VarDetails
Variable detail by name.
Definition: BinaryFeasiblePath.h:149
Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::Partitioner &partitioner, const Partitioner2::CfgConstVertexSet &cfgBeginVertices, const Partitioner2::CfgConstVertexSet &cfgEndVertices, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.
Rose::BinaryAnalysis::FeasiblePath::depthFirstSearch
void depthFirstSearch(PathProcessor &pathProcessor)
Find all feasible paths.
Rose::BinaryAnalysis::FeasiblePath::processIndeterminateBlock
virtual void processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process an indeterminate block.
SgAsmInstruction
Base class for machine instructions.
Definition: binaryInstruction.C:691
Rose::BinaryAnalysis::FeasiblePath::VarDetail::returnFrom
Sawyer::Optional< rose_addr_t > returnFrom
This variable is the return value from the specified function.
Definition: BinaryFeasiblePath.h:142
Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to symbolic RISC operations.
Definition: SymbolicSemantics2.h:773
Rose::BinaryAnalysis::FeasiblePath::FeasiblePath
FeasiblePath()
Constructs a new feasible path analyzer.
Definition: BinaryFeasiblePath.h:283
Rose::BinaryAnalysis::FeasiblePath::SearchMode
SearchMode
How to search for paths.
Definition: BinaryFeasiblePath.h:33
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::process
virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Invoked when the analysis traverses the summary.
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::StatePtr
boost::shared_ptr< State > StatePtr
Shared-ownership pointer to a semantic state.
Definition: BaseSemanticsTypes.h:51
Rose::BinaryAnalysis::FeasiblePath::processFunctionSummary
virtual void processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process a function summary vertex.
Rose::BinaryAnalysis::FeasiblePath::REG_PATH
RegisterDescriptor REG_PATH
Descriptor of path pseudo-registers.
Definition: BinaryFeasiblePath.h:131
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::name
std::string name
Name of summarized function.
Definition: BinaryFeasiblePath.h:213
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessIdx
Sawyer::Optional< size_t > firstAccessIdx
Instruction position in path where this var was first read.
Definition: BinaryFeasiblePath.h:138
Sawyer::CommandLine::SwitchGroup
A collection of related switch declarations.
Definition: util/Sawyer/CommandLine.h:2522
Rose
Main namespace for the ROSE library.
Definition: BinaryTutorial.dox:3
Rose::BinaryAnalysis::SymbolicExprParser
Parses symbolic expressions from text.
Definition: BinarySymbolicExprParser.h:27
Rose::BinaryAnalysis::SmtSolver::Satisfiable
Satisfiable
Satisfiability constants.
Definition: BinarySmtSolver.h:78
Rose::BinaryAnalysis::FeasiblePath::Settings::maxCallDepth
size_t maxCallDepth
Max length of path in terms of function calls.
Definition: BinaryFeasiblePath.h:86
Rose::BinaryAnalysis::FeasiblePath::Settings::nullDeref
struct Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref nullDeref
Settings for null-dereference analysis.
Rose::BinaryAnalysis::FeasiblePath::SEARCH_MULTI
Blast everything at once to the SMT solver.
Definition: BinaryFeasiblePath.h:36
Sawyer
Name space for the entire library.
Definition: BinaryFeasiblePath.h:590
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::nullDeref
virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, SgAsmInstruction *insn)
Function invoked whenever a null pointer dereference is detected.
Definition: BinaryFeasiblePath.h:192
Rose::BinaryAnalysis::FeasiblePath::Settings::assertionLocations
std::vector< std::string > assertionLocations
Locations at which "constraints" are checked.
Definition: BinaryFeasiblePath.h:89
Rose::BinaryAnalysis::FeasiblePath::functionSummaries
const FunctionSummaries & functionSummaries() const
Function summary information.
Definition: BinaryFeasiblePath.h:489
Rose::BinaryAnalysis::FeasiblePath::cfgToPaths
Partitioner2::CfgConstVertexSet cfgToPaths(const Partitioner2::CfgConstVertexSet &) const
Convert CFG vertices to path vertices.
Rose::BinaryAnalysis::FeasiblePath::shouldInline
virtual bool shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be inlined.
Rose::BinaryAnalysis::FeasiblePath::Settings::ipRewrite
std::vector< rose_addr_t > ipRewrite
An even number of from,to pairs for rewriting the insn ptr reg.
Definition: BinaryFeasiblePath.h:99
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::DispatcherPtr
boost::shared_ptr< Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
Definition: BaseSemanticsTypes.h:57
Rose::BinaryAnalysis::FeasiblePath::expressionDocumentation
static std::string expressionDocumentation()
Documentation for the symbolic expression parser.
Rose::BinaryAnalysis::FeasiblePath::settings
void settings(const Settings &s)
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:316
Rose::BinaryAnalysis::FeasiblePath::Settings::maxPathLength
size_t maxPathLength
Limit path length in terms of number of instructions.
Definition: BinaryFeasiblePath.h:85
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::constOnly
bool constOnly
If true, check only constants or sets of constants.
Definition: BinaryFeasiblePath.h:105
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer
Base class for callbacks for function summaries.
Definition: BinaryFeasiblePath.h:228
Rose::BinaryAnalysis::FeasiblePath::Expression::location
AddressIntervalSet location
Location where constraint applies.
Definition: BinaryFeasiblePath.h:68
Sawyer::Container::GraphIteratorBiMap::clear
void clear()
Remove all entries from this container.
Definition: GraphIteratorBiMap.h:102
Rose::BinaryAnalysis::FeasiblePath::VISIT_REVERSE
Visit edges in reverse of the natural order.
Definition: BinaryFeasiblePath.h:48
Rose::BinaryAnalysis::FeasiblePath::pathPostState
static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath &, size_t vertexIdx)
Get the state at the end of the specified vertex.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::FunctionSummary
FunctionSummary()
Construct empty function summary.
Definition: BinaryFeasiblePath.h:216
Rose::BinaryAnalysis::FeasiblePath::Settings::nonAddressIsFeasible
bool nonAddressIsFeasible
Indeterminate/undiscovered vertices are feasible?
Definition: BinaryFeasiblePath.h:91
Rose::BinaryAnalysis::FeasiblePath::Settings::maxVertexVisit
size_t maxVertexVisit
Max times to visit a particular vertex in one path.
Definition: BinaryFeasiblePath.h:84
Rose::BinaryAnalysis::RegisterDescriptor
Describes (part of) a physical CPU register.
Definition: RegisterDescriptor.h:25
Rose::BinaryAnalysis::FeasiblePath::Settings::maxRecursionDepth
size_t maxRecursionDepth
Max path length in terms of recursive function calls.
Definition: BinaryFeasiblePath.h:87
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::memoryIo
virtual void memoryIo(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, const InstructionSemantics2::BaseSemantics::SValuePtr &value, const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &ops)
Function invoked every time a memory reference occurs.
Definition: BinaryFeasiblePath.h:200
Rose::BinaryAnalysis::FeasiblePath::reset
void reset()
Reset to initial state without changing settings.
Definition: BinaryFeasiblePath.h:289
Rose::BinaryAnalysis::Partitioner2::CfgPath
A path through a control flow graph.
Definition: CfgPath.h:15
Rose::BinaryAnalysis::FeasiblePath::VarDetail
Information about a variable seen on a path.
Definition: BinaryFeasiblePath.h:134
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::found
virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const SmtSolverPtr &solver)
Function invoked whenever a complete path is found.
Definition: BinaryFeasiblePath.h:177
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
FunctionSummarizer::Ptr functionSummarizer() const
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:401
Rose::BinaryAnalysis::FeasiblePath::Exception
Exception for errors specific to feasible path analysis.
Definition: BinaryFeasiblePath.h:25
Rose::BinaryAnalysis::FeasiblePath::shouldSummarizeCall
virtual bool shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex, const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be summarized instead of inlined.
Rose::BinaryAnalysis::FeasiblePath::isFunctionCall
bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &) const
True if vertex is a function call.
Rose::BinaryAnalysis::FeasiblePath::Expression::expr
SymbolicExpr::Ptr expr
Symbolic expression.
Definition: BinaryFeasiblePath.h:70
Rose::BinaryAnalysis::FeasiblePath::Settings::ignoreSemanticFailure
bool ignoreSemanticFailure
Whether to ignore instructions with no semantic info.
Definition: BinaryFeasiblePath.h:95
Rose::BinaryAnalysis::FeasiblePath::Settings::searchMode
SearchMode searchMode
Method to use when searching for feasible paths.
Definition: BinaryFeasiblePath.h:82
Sawyer::Attribute::Id
size_t Id
Attribute identification.
Definition: Attribute.h:140
Sawyer::Container::Graph::clear
void clear()
Remove all vertices and edges.
Definition: Graph.h:1978
Rose::BinaryAnalysis::FeasiblePath::pathEndsWithFunctionCall
bool pathEndsWithFunctionCall(const Partitioner2::CfgPath &) const
True if path ends with a function call.
Rose::BinaryAnalysis::FeasiblePath::printPath
void printPath(std::ostream &out, const Partitioner2::CfgPath &) const
Print the path to the specified output stream.
Rose::BinaryAnalysis::FeasiblePath::AddressSet
std::set< rose_addr_t > AddressSet
Set of basic block addresses.
Definition: BinaryFeasiblePath.h:59
Rose::BinaryAnalysis::FeasiblePath::buildVirtualCpu
virtual InstructionSemantics2::BaseSemantics::DispatcherPtr buildVirtualCpu(const Partitioner2::Partitioner &, const Partitioner2::CfgPath *, PathProcessor *, const SmtSolver::Ptr &)
Create the virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::settings
const Settings & settings() const
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:314
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memByteNumber
size_t memByteNumber
Byte number for memory access.
Definition: BinaryFeasiblePath.h:141
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::stackDelta
int64_t stackDelta
Stack delta for summarized function.
Definition: BinaryFeasiblePath.h:212
Sawyer::SharedObject
Base class for reference counted objects.
Definition: SharedObject.h:64
Rose::BinaryAnalysis::FeasiblePath::Settings::kCycleCoefficient
double kCycleCoefficient
Coefficient for adjusting maxPathLengh during CFG cycles.
Definition: BinaryFeasiblePath.h:96
Rose::BinaryAnalysis::FeasiblePath::commandLineSwitches
static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings)
Describe command-line switches.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::Ptr
Sawyer::SharedPointer< FunctionSummarizer > Ptr
Reference counting pointer.
Definition: BinaryFeasiblePath.h:231
Rose::BinaryAnalysis::FeasiblePath::mlog
static Sawyer::Message::Facility mlog
Diagnostic output.
Definition: BinaryFeasiblePath.h:122
Rose::BinaryAnalysis::FeasiblePath::processVertex
virtual void processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, size_t &pathInsnIndex)
Process one vertex.
Rose::BinaryAnalysis::FeasiblePath::varDetails
const VarDetails & varDetails(const InstructionSemantics2::BaseSemantics::StatePtr &) const
Details about all variables by name.
Sawyer::Container::GraphIteratorSet::clear
void clear()
Remove all edges or vertices from this set.
Definition: GraphIteratorSet.h:121
Rose::BinaryAnalysis::FeasiblePath::pathLength
static size_t pathLength(const Partitioner2::CfgPath &)
Total length of path.
Rose::BinaryAnalysis::FeasiblePath::pathToCfg
Partitioner2::ControlFlowGraph::ConstVertexIterator pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const
Convert path vertex to a CFG vertex.
Rose::BinaryAnalysis::FeasiblePath::VISIT_NATURAL
Visit edges in their natural, forward order.
Definition: BinaryFeasiblePath.h:47
Rose::BinaryAnalysis::FeasiblePath::functionSummary
const FunctionSummary & functionSummary(rose_addr_t entryVa) const
Function summary information.
Rose::BinaryAnalysis::FeasiblePath::partitioner
const Partitioner2::Partitioner & partitioner() const
Property: Partitioner currently in use.
Rose::BinaryAnalysis::RegisterDictionary
Defines registers available for a particular architecture.
Definition: Registers.h:35
Rose::BinaryAnalysis::FeasiblePath::varDetail
const VarDetail & varDetail(const InstructionSemantics2::BaseSemantics::StatePtr &, const std::string &varName) const
Details about a variable.
Rose::BinaryAnalysis::FeasiblePath::processBasicBlock
virtual void processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process instructions for one basic block on the specified virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memAddress
SymbolicExpr::Ptr memAddress
Address where variable is located.
Definition: BinaryFeasiblePath.h:139
Rose::BinaryAnalysis::Partitioner2::Partitioner
Partitions instructions into basic blocks and functions.
Definition: Partitioner.h:316
Rose::Exception
Base class for all ROSE exceptions.
Definition: RoseException.h:9
Rose::BinaryAnalysis::FeasiblePath::reachedBlockVas
const AddressSet & reachedBlockVas() const
Property: Addresses reached during analysis.
Rose::BinaryAnalysis::FeasiblePath::Settings::solverName
std::string solverName
Type of SMT solver.
Definition: BinaryFeasiblePath.h:92
Rose::BinaryAnalysis::FeasiblePath::EdgeVisitOrder
EdgeVisitOrder
Edge visitation order.
Definition: BinaryFeasiblePath.h:46
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
void functionSummarizer(const FunctionSummarizer::Ptr &f)
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:402
Rose::BinaryAnalysis::FeasiblePath::settings
Settings & settings()
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:315
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memSize
size_t memSize
Size of total memory access in bytes.
Definition: BinaryFeasiblePath.h:140
Sawyer::Container::Map
Container associating values with keys.
Definition: Sawyer/Map.h:66
Rose::BinaryAnalysis::FeasiblePath::Settings::exprParserDoc
std::string exprParserDoc
String documenting how expressions are parsed, empty for default.
Definition: BinaryFeasiblePath.h:111
Rose::BinaryAnalysis::FeasiblePath::Settings::processFinalVertex
bool processFinalVertex
Whether to process the last vertex of the path.
Definition: BinaryFeasiblePath.h:94
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessInsn
SgAsmInstruction * firstAccessInsn
Instruction address where this var was first read.
Definition: BinaryFeasiblePath.h:137
Rose::BinaryAnalysis::FeasiblePath::Settings
Settings that control this analysis.
Definition: BinaryFeasiblePath.h:80
Rose::BinaryAnalysis::FeasiblePath::initDiagnostics
static void initDiagnostics()
Initialize diagnostic output.
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::check
bool check
If true, look for null dereferences along the paths.
Definition: BinaryFeasiblePath.h:103
Rose::BinaryAnalysis::FeasiblePath::setInitialState
virtual void setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex)
Initialize state for first vertex of path.
Rose::BinaryAnalysis::FeasiblePath::Settings::initialStackPtr
Sawyer::Optional< rose_addr_t > initialStackPtr
Concrete value to use for stack pointer register initial value.
Definition: BinaryFeasiblePath.h:83
Rose::BinaryAnalysis::FeasiblePath::SemanticMemoryParadigm
SemanticMemoryParadigm
Organization of semantic memory.
Definition: BinaryFeasiblePath.h:40
Rose::BinaryAnalysis::FeasiblePath::Settings::assertions
std::vector< Expression > assertions
Constraints to be satisfied at some point along the path.
Definition: BinaryFeasiblePath.h:88
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::init
virtual void init(const FeasiblePath &analysis, FunctionSummary &summary, const Partitioner2::Function::Ptr &function, Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget)=0
Invoked when a new summary is created.
Generated on Mon Nov 11 2019 08:33:20 for ROSE by   doxygen 1.8.10