ROSE  0.9.11.115
BinaryFeasiblePath.h
1 #ifndef ROSE_BinaryAnalysis_FeasiblePath_H
2 #define ROSE_BinaryAnalysis_FeasiblePath_H
3 
4 #include <BaseSemantics2.h>
5 #include <BinarySmtSolver.h>
6 #include <BinarySymbolicExprParser.h>
7 #include <Partitioner2/CfgPath.h>
8 #include <Sawyer/CommandLine.h>
9 #include <Sawyer/Message.h>
10 #include <boost/filesystem/path.hpp>
11 
12 namespace Rose {
13 namespace BinaryAnalysis {
14 
18 class FeasiblePath {
20  // Types and public data members
22 public:
24  enum SearchMode {
25  SEARCH_SINGLE_DFS,
26  SEARCH_SINGLE_BFS,
27  SEARCH_MULTI
28  };
29 
31  enum SemanticMemoryParadigm {
32  LIST_BASED_MEMORY,
33  MAP_BASED_MEMORY
34  };
35 
37  enum EdgeVisitOrder {
38  VISIT_NATURAL,
39  VISIT_REVERSE,
40  VISIT_RANDOM,
41  };
42 
44  enum IoMode { READ, WRITE };
45 
47  enum MayOrMust { MAY, MUST };
48 
50  typedef std::set<rose_addr_t> AddressSet;
51 
58  struct Expression {
59  AddressIntervalSet location;
60  std::string parsable;
61  SymbolicExpr::Ptr expr;
63  Expression() {}
64  /*implicit*/ Expression(const std::string &parsable): parsable(parsable) {}
65  /*implicit*/ Expression(const SymbolicExpr::Ptr &expr): expr(expr) {}
66 
67  void print(std::ostream&) const;
68  };
69 
71  struct Settings {
72  // Path feasibility
73  SearchMode searchMode;
74  Sawyer::Optional<rose_addr_t> initialStackPtr;
75  size_t maxVertexVisit;
76  size_t maxPathLength;
77  size_t maxCallDepth;
78  size_t maxRecursionDepth;
79  std::vector<Expression> assertions;
80  std::vector<std::string> assertionLocations;
81  std::vector<rose_addr_t> summarizeFunctions;
82  bool nonAddressIsFeasible;
83  std::string solverName;
84  SemanticMemoryParadigm memoryParadigm;
85  bool processFinalVertex;
86  bool ignoreSemanticFailure;
87  double kCycleCoefficient;
88  EdgeVisitOrder edgeVisitOrder;
89  bool trackingCodeCoverage;
91  // Null dereferences
92  struct NullDeref {
93  bool check;
94  MayOrMust mode;
95  bool constOnly;
97  NullDeref()
98  : check(false), mode(MUST), constOnly(false) {}
99  } nullDeref;
101  std::string exprParserDoc;
104  Settings()
105  : searchMode(SEARCH_SINGLE_DFS), maxVertexVisit((size_t)-1), maxPathLength(200), maxCallDepth((size_t)-1),
106  maxRecursionDepth((size_t)-1), nonAddressIsFeasible(true), solverName("best"),
107  memoryParadigm(LIST_BASED_MEMORY), processFinalVertex(false), ignoreSemanticFailure(false),
108  kCycleCoefficient(0.0), edgeVisitOrder(VISIT_NATURAL), trackingCodeCoverage(true) {}
109  };
110 
112  static Sawyer::Message::Facility mlog;
113 
121  RegisterDescriptor REG_PATH;
122 
124  struct VarDetail {
125  std::string registerName;
126  std::string firstAccessMode;
127  SgAsmInstruction *firstAccessInsn;
128  Sawyer::Optional<size_t> firstAccessIdx;
129  SymbolicExpr::Ptr memAddress;
130  size_t memSize;
131  size_t memByteNumber;
132  Sawyer::Optional<rose_addr_t> returnFrom;
134  VarDetail(): firstAccessInsn(NULL), memSize(0), memByteNumber(0) {}
135  std::string toString() const;
136  };
137 
139  typedef Sawyer::Container::Map<std::string /*name*/, FeasiblePath::VarDetail> VarDetails;
140 
144  class PathProcessor {
145  public:
146  enum Action {
147  BREAK,
148  CONTINUE
149  };
150 
151  virtual ~PathProcessor() {}
152 
167  virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
168  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
169  const SmtSolverPtr &solver) { return CONTINUE; }
170 
182  virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
183  const SmtSolverPtr &solver, IoMode ioMode,
184  const InstructionSemantics2::BaseSemantics::SValuePtr &addr, SgAsmInstruction *insn) {}
185 
190  virtual void memoryIo(const FeasiblePath &analyzer, IoMode ioMode,
191  const InstructionSemantics2::BaseSemantics::SValuePtr &addr,
192  const InstructionSemantics2::BaseSemantics::SValuePtr &value,
193  const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &ops) {}
194  };
195 
199  struct FunctionSummary {
200  rose_addr_t address;
201  int64_t stackDelta;
202  std::string name;
205  FunctionSummary(): stackDelta(SgAsmInstruction::INVALID_STACK_DELTA) {}
206 
208  FunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgFuncVertex, uint64_t stackDelta);
209  };
210 
212  typedef Sawyer::Container::Map<rose_addr_t, FunctionSummary> FunctionSummaries;
213 
217  class FunctionSummarizer: public Sawyer::SharedObject {
218  public:
220  typedef Sawyer::SharedPointer<FunctionSummarizer> Ptr;
221  protected:
222  FunctionSummarizer() {}
223  public:
225  virtual void init(const FeasiblePath &analysis, FunctionSummary &summary /*in,out*/,
226  const Partitioner2::Function::Ptr &function,
227  Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget) = 0;
228 
233  virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary,
234  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
235 
240  virtual InstructionSemantics2::SymbolicSemantics::SValuePtr
241  returnValue(const FeasiblePath &analysis, const FunctionSummary &summary,
242  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
243  };
244 
246  // Private data members
248 private:
249  const Partitioner2::Partitioner *partitioner_; // binary analysis context
250  RegisterDictionary *registers_; // registers augmented with "path" pseudo-register
251  RegisterDescriptor REG_RETURN_; // FIXME[Robb P Matzke 2016-10-11]: see source
252  Settings settings_;
253  FunctionSummaries functionSummaries_;
254  Partitioner2::CfgVertexMap vmap_; // relates CFG vertices to path vertices
255  Partitioner2::ControlFlowGraph paths_; // all possible paths, feasible or otherwise
256  Partitioner2::CfgConstVertexSet pathsBeginVertices_;// vertices of paths_ where searching starts
257  Partitioner2::CfgConstVertexSet pathsEndVertices_; // vertices of paths_ where searching stops
258  Partitioner2::CfgConstEdgeSet cfgAvoidEdges_; // CFG edges to avoid
259  Partitioner2::CfgConstVertexSet cfgEndAvoidVertices_;// CFG end-of-path and other avoidance vertices
260  FunctionSummarizer::Ptr functionSummarizer_; // user-defined function for handling function summaries
261  AddressSet reachedBlockVas_; // basic block addresses reached during analysis
262  static Sawyer::Attribute::Id POST_STATE; // stores semantic state after executing the insns for a vertex
263  static Sawyer::Attribute::Id POST_INSN_LENGTH; // path length in instructions at end of vertex
264  static Sawyer::Attribute::Id EFFECTIVE_K; // (double) effective maximimum path length
265 
266 
268  // Construction, destruction
270 public:
272  FeasiblePath()
273  : registers_(NULL) {}
274 
275  virtual ~FeasiblePath() {}
276 
278  void reset() {
279  partitioner_ = NULL;
280  registers_ = NULL;
281  REG_PATH = REG_RETURN_ = RegisterDescriptor();
282  functionSummaries_.clear();
283  vmap_.clear();
284  paths_.clear();
285  pathsBeginVertices_.clear();
286  pathsEndVertices_.clear();
287  cfgAvoidEdges_.clear();
288  cfgEndAvoidVertices_.clear();
289  reachedBlockVas_.clear();
290  }
291 
293  static void initDiagnostics();
294 
295 
297  // Settings affecting behavior
299 public:
303  const Settings& settings() const { return settings_; }
304  Settings& settings() { return settings_; }
305  void settings(const Settings &s) { settings_ = s; }
312  static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings);
313 
315  static std::string expressionDocumentation();
316 
317 
319  // Overridable processing functions
321 public:
327  virtual InstructionSemantics2::BaseSemantics::DispatcherPtr
328  buildVirtualCpu(const Partitioner2::Partitioner&, const Partitioner2::CfgPath*, PathProcessor*, const SmtSolver::Ptr&);
329 
336  virtual void
337  setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
338  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex);
339 
344  virtual void
345  processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock,
346  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex);
347 
351  virtual void
352  processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex,
353  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
354  size_t pathInsnIndex);
355 
359  virtual void
360  processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
361  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
362  size_t pathInsnIndex);
363 
367  virtual void
368  processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
369  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
370  size_t &pathInsnIndex /*in,out*/);
371 
373  virtual bool
374  shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex,
375  const Partitioner2::ControlFlowGraph &cfg,
376  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
377 
379  virtual bool
380  shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
381 
390  FunctionSummarizer::Ptr functionSummarizer() const { return functionSummarizer_; }
391  void functionSummarizer(const FunctionSummarizer::Ptr &f) { functionSummarizer_ = f; }
394  // Utilities
397 public:
399  Partitioner2::ControlFlowGraph::ConstVertexIterator
400  pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const;
401 
403  Partitioner2::CfgConstVertexSet
404  cfgToPaths(const Partitioner2::CfgConstVertexSet&) const;
405 
407  bool pathEndsWithFunctionCall(const Partitioner2::CfgPath&) const;
408 
410  bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator&) const;
411 
413  void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex,
414  size_t &insnIdx /*in,out*/) const;
415 
419  void printPath(std::ostream &out, const Partitioner2::CfgPath&) const;
420 
424  static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg,
425  const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex,
426  const Partitioner2::CfgConstVertexSet &endVertices);
427 
429  // Functions for describing the search space
431 public:
432 
439  void
440  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
441  const Partitioner2::CfgConstVertexSet &cfgBeginVertices,
442  const Partitioner2::CfgConstVertexSet &cfgEndVertices,
443  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
444  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
445  void
446  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
447  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex,
448  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgEndVertex,
449  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
450  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
454  // Functions for searching for paths
457 public:
462  void depthFirstSearch(PathProcessor &pathProcessor);
463 
464 
466  // Functions for getting the results
468 public:
473  const Partitioner2::Partitioner& partitioner() const;
474 
478  const FunctionSummaries& functionSummaries() const {
479  return functionSummaries_;
480  }
481 
486  const FunctionSummary& functionSummary(rose_addr_t entryVa) const;
487 
489  const VarDetail& varDetail(const InstructionSemantics2::BaseSemantics::StatePtr&, const std::string &varName) const;
490 
492  const VarDetails& varDetails(const InstructionSemantics2::BaseSemantics::StatePtr&) const;
493 
495  static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath&, size_t vertexIdx);
496 
502  double pathEffectiveK(const Partitioner2::CfgPath&) const;
503 
510  static size_t pathLength(const Partitioner2::CfgPath&);
511 
513  // Functions for code coverage
515 public:
520  const AddressSet& reachedBlockVas() const;
521 
523  // Private supporting functions
525 private:
526  static rose_addr_t virtualAddress(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex);
527 
528  void insertCallSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsCallSite,
529  const Partitioner2::ControlFlowGraph &cfg,
530  const Partitioner2::ControlFlowGraph::ConstEdgeIterator &cfgCallEdge);
531 
532  boost::filesystem::path emitPathGraph(size_t callId, size_t graphId); // emit paths graph to "rose-debug" directory
533 
534  // Pop an edge (or more) from the path and follow some other edge. Also, adjust the SMT solver's stack in a similar
535  // way. The SMT solver will have an initial state, plus one pushed state per edge of the path.
536  void backtrack(Partitioner2::CfgPath &path /*in,out*/, const SmtSolver::Ptr&);
537 
538  // Process one edge of a path to find any path constraints. When called, the cpu's current state should be the virtual
539  // machine state at it exists just prior to executing the target vertex of the specified edge.
540  //
541  // Returns a null pointer if the edge's assertion is trivially unsatisfiable, such as when the edge points to a basic block
542  // whose address doesn't match the contents of the instruction pointer register after executing the edge's source
543  // block. Otherwise, returns a symbolic expression which must be tree if the edge is feasible. For trivially feasible
544  // edges, the return value is the constant 1 (one bit wide; i.e., true).
545  SymbolicExpr::Ptr pathEdgeConstraint(const Partitioner2::ControlFlowGraph::ConstEdgeIterator &pathEdge,
546  InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu);
547 
548  // Parse the expression if it's a parsable string, otherwise return the expression as is. */
549  Expression parseExpression(Expression, const std::string &where, SymbolicExprParser&) const;
550 
551  SymbolicExpr::Ptr expandExpression(const Expression&, SymbolicExprParser&);
552 
553  // Based on the last vertex of the path, insert user-specified assertions into the SMT solver.
554  void insertAssertions(const SmtSolver::Ptr&, const Partitioner2::CfgPath&,
555  const std::vector<Expression> &assertions, bool atEndOfPath, SymbolicExprParser&);
556 
557  // Size of vertex. How much of "k" does this vertex consume?
558  static size_t vertexSize(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
559 
560  // Insert the edge assertion and any applicable user assertions (after delayed expansion of the expressions' register
561  // and memory references), and run the solver, returning its result.
562  SmtSolver::Satisfiable
563  solvePathConstraints(SmtSolver::Ptr&, const Partitioner2::CfgPath&, const SymbolicExpr::Ptr &edgeAssertion,
564  const std::vector<Expression> &userAssertions, bool atEndOfPath, SymbolicExprParser&);
565 
566  // Mark vertex as being reached
567  void markAsReached(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
568 };
569 
570 } // namespace
571 } // namespace
572 
573 std::ostream& operator<<(std::ostream&, const Rose::BinaryAnalysis::FeasiblePath::Expression&);
574 
575 // Convert string to feasible path expression during command-line parsing
576 namespace Sawyer {
577  namespace CommandLine {
578  template<>
579  struct LexicalCast<Rose::BinaryAnalysis::FeasiblePath::Expression> {
580  static Rose::BinaryAnalysis::FeasiblePath::Expression convert(const std::string &src) {
581  return Rose::BinaryAnalysis::FeasiblePath::Expression(src);
582  }
583  };
584  }
585 }
586 
587 #endif
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessMode
std::string firstAccessMode
How was variable first accessed ("read" or "write").
Definition: BinaryFeasiblePath.h:126
Rose::BinaryAnalysis::FeasiblePath::Settings::summarizeFunctions
std::vector< rose_addr_t > summarizeFunctions
Functions to always summarize.
Definition: BinaryFeasiblePath.h:81
Rose::BinaryAnalysis::FeasiblePath::FunctionSummaries
Sawyer::Container::Map< rose_addr_t, FunctionSummary > FunctionSummaries
Summaries for multiple functions.
Definition: BinaryFeasiblePath.h:212
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::mode
MayOrMust mode
Check for addrs that may or must be null.
Definition: BinaryFeasiblePath.h:94
Rose::BinaryAnalysis::FeasiblePath::Settings::edgeVisitOrder
EdgeVisitOrder edgeVisitOrder
Order in which to visit edges.
Definition: BinaryFeasiblePath.h:88
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::returnValue
virtual InstructionSemantics2::SymbolicSemantics::SValuePtr returnValue(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Return value for function.
Rose::BinaryAnalysis::FeasiblePath::isAnyEndpointReachable
static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex, const Partitioner2::CfgConstVertexSet &endVertices)
Determine whether any ending vertex is reachable.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::address
rose_addr_t address
Address of summarized function.
Definition: BinaryFeasiblePath.h:200
Rose::BinaryAnalysis::FeasiblePath::Settings::memoryParadigm
SemanticMemoryParadigm memoryParadigm
Type of memory state when there's a choice to be made.
Definition: BinaryFeasiblePath.h:84
Rose::BinaryAnalysis::FeasiblePath::Settings::trackingCodeCoverage
bool trackingCodeCoverage
If set, track which block addresses are reached.
Definition: BinaryFeasiblePath.h:89
Rose::BinaryAnalysis::FeasiblePath::pathEffectiveK
double pathEffectiveK(const Partitioner2::CfgPath &) const
Effective maximum path length.
Rose::BinaryAnalysis::FeasiblePath::printPathVertex
void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex, size_t &insnIdx) const
Print one vertex of a path for debugging.
Rose::BinaryAnalysis::FeasiblePath::Expression::parsable
std::string parsable
String to be parsed as an expression.
Definition: BinaryFeasiblePath.h:60
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary
Information stored per V_USER_DEFINED path vertex.
Definition: BinaryFeasiblePath.h:199
Rose::BinaryAnalysis::FeasiblePath::VarDetails
Sawyer::Container::Map< std::string, FeasiblePath::VarDetail > VarDetails
Variable detail by name.
Definition: BinaryFeasiblePath.h:139
Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::Partitioner &partitioner, const Partitioner2::CfgConstVertexSet &cfgBeginVertices, const Partitioner2::CfgConstVertexSet &cfgEndVertices, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.
Rose::BinaryAnalysis::FeasiblePath::depthFirstSearch
void depthFirstSearch(PathProcessor &pathProcessor)
Find all feasible paths.
Rose::BinaryAnalysis::FeasiblePath::processIndeterminateBlock
virtual void processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process an indeterminate block.
SgAsmInstruction
Base class for machine instructions.
Definition: binaryInstruction.C:691
Rose::BinaryAnalysis::FeasiblePath::VarDetail::returnFrom
Sawyer::Optional< rose_addr_t > returnFrom
This variable is the return value from the specified function.
Definition: BinaryFeasiblePath.h:132
Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to symbolic RISC operations.
Definition: SymbolicSemantics2.h:773
Rose::BinaryAnalysis::FeasiblePath::FeasiblePath
FeasiblePath()
Constructs a new feasible path analyzer.
Definition: BinaryFeasiblePath.h:272
Rose::BinaryAnalysis::FeasiblePath::SearchMode
SearchMode
How to search for paths.
Definition: BinaryFeasiblePath.h:24
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::process
virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Invoked when the analysis traverses the summary.
Rose::BinaryAnalysis::FeasiblePath::processFunctionSummary
virtual void processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process a function summary vertex.
Rose::BinaryAnalysis::FeasiblePath::REG_PATH
RegisterDescriptor REG_PATH
Descriptor of path pseudo-registers.
Definition: BinaryFeasiblePath.h:121
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::name
std::string name
Name of summarized function.
Definition: BinaryFeasiblePath.h:202
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessIdx
Sawyer::Optional< size_t > firstAccessIdx
Instruction position in path where this var was first read.
Definition: BinaryFeasiblePath.h:128
Sawyer::CommandLine::SwitchGroup
A collection of related switch declarations.
Definition: util/Sawyer/CommandLine.h:2522
Rose
Main namespace for the ROSE library.
Definition: BinaryTutorial.dox:3
Rose::BinaryAnalysis::SymbolicExprParser
Parses symbolic expressions from text.
Definition: BinarySymbolicExprParser.h:27
Rose::BinaryAnalysis::SmtSolver::Satisfiable
Satisfiable
Satisfiability constants.
Definition: BinarySmtSolver.h:78
Rose::BinaryAnalysis::FeasiblePath::Settings::maxCallDepth
size_t maxCallDepth
Max length of path in terms of function calls.
Definition: BinaryFeasiblePath.h:77
Rose::BinaryAnalysis::FeasiblePath::Settings::nullDeref
struct Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref nullDeref
Settings for null-dereference analysis.
Rose::BinaryAnalysis::FeasiblePath::SEARCH_MULTI
Blast everything at once to the SMT solver.
Definition: BinaryFeasiblePath.h:27
Sawyer
Name space for the entire library.
Definition: BinaryFeasiblePath.h:576
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::nullDeref
virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, SgAsmInstruction *insn)
Function invoked whenever a null pointer dereference is detected.
Definition: BinaryFeasiblePath.h:182
Rose::BinaryAnalysis::FeasiblePath::Settings::assertionLocations
std::vector< std::string > assertionLocations
Locations at which "constraints" are checked.
Definition: BinaryFeasiblePath.h:80
Rose::BinaryAnalysis::FeasiblePath::functionSummaries
const FunctionSummaries & functionSummaries() const
Function summary information.
Definition: BinaryFeasiblePath.h:478
Rose::BinaryAnalysis::FeasiblePath::cfgToPaths
Partitioner2::CfgConstVertexSet cfgToPaths(const Partitioner2::CfgConstVertexSet &) const
Convert CFG vertices to path vertices.
Rose::BinaryAnalysis::FeasiblePath::shouldInline
virtual bool shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be inlined.
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::memoryIo
virtual void memoryIo(const FeasiblePath &analyzer, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, const InstructionSemantics2::BaseSemantics::SValuePtr &value, const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &ops)
Function invoked every time a memory reference occurs.
Definition: BinaryFeasiblePath.h:190
Rose::BinaryAnalysis::FeasiblePath::expressionDocumentation
static std::string expressionDocumentation()
Documentation for the symbolic expression parser.
Rose::BinaryAnalysis::FeasiblePath::settings
void settings(const Settings &s)
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:305
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::StatePtr
boost::shared_ptr< class State > StatePtr
Shared-ownership pointer to a semantic state.
Definition: BaseSemantics2.h:1124
Rose::BinaryAnalysis::FeasiblePath::Settings::maxPathLength
size_t maxPathLength
Limit path length in terms of number of instructions.
Definition: BinaryFeasiblePath.h:76
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::constOnly
bool constOnly
If true, check only constants or sets of constants.
Definition: BinaryFeasiblePath.h:95
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer
Base class for callbacks for function summaries.
Definition: BinaryFeasiblePath.h:217
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::DispatcherPtr
boost::shared_ptr< class Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
Definition: BaseSemantics2.h:2074
Rose::BinaryAnalysis::FeasiblePath::Expression::location
AddressIntervalSet location
Location where constraint applies.
Definition: BinaryFeasiblePath.h:59
Sawyer::Container::GraphIteratorBiMap::clear
void clear()
Remove all entries from this container.
Definition: GraphIteratorBiMap.h:102
Rose::BinaryAnalysis::FeasiblePath::VISIT_REVERSE
Visit edges in reverse of the natural order.
Definition: BinaryFeasiblePath.h:39
Rose::BinaryAnalysis::FeasiblePath::pathPostState
static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath &, size_t vertexIdx)
Get the state at the end of the specified vertex.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::FunctionSummary
FunctionSummary()
Construct empty function summary.
Definition: BinaryFeasiblePath.h:205
Rose::BinaryAnalysis::FeasiblePath::Settings::nonAddressIsFeasible
bool nonAddressIsFeasible
Indeterminate/undiscovered vertices are feasible?
Definition: BinaryFeasiblePath.h:82
Rose::BinaryAnalysis::FeasiblePath::Settings::maxVertexVisit
size_t maxVertexVisit
Max times to visit a particular vertex in one path.
Definition: BinaryFeasiblePath.h:75
Rose::BinaryAnalysis::RegisterDescriptor
Describes (part of) a physical CPU register.
Definition: RegisterDescriptor.h:25
Rose::BinaryAnalysis::FeasiblePath::Settings::maxRecursionDepth
size_t maxRecursionDepth
Max path length in terms of recursive function calls.
Definition: BinaryFeasiblePath.h:78
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to a RISC operators object.
Definition: BaseSemantics2.h:1357
Rose::BinaryAnalysis::FeasiblePath::reset
void reset()
Reset to initial state without changing settings.
Definition: BinaryFeasiblePath.h:278
Rose::BinaryAnalysis::Partitioner2::CfgPath
A path through a control flow graph.
Definition: CfgPath.h:15
Rose::BinaryAnalysis::FeasiblePath::VarDetail
Information about a variable seen on a path.
Definition: BinaryFeasiblePath.h:124
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::found
virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const SmtSolverPtr &solver)
Function invoked whenever a complete path is found.
Definition: BinaryFeasiblePath.h:167
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
FunctionSummarizer::Ptr functionSummarizer() const
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:390
Rose::BinaryAnalysis::FeasiblePath::shouldSummarizeCall
virtual bool shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex, const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be summarized instead of inlined.
Rose::BinaryAnalysis::FeasiblePath::isFunctionCall
bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &) const
True if vertex is a function call.
Rose::BinaryAnalysis::FeasiblePath::Expression::expr
SymbolicExpr::Ptr expr
Symbolic expression.
Definition: BinaryFeasiblePath.h:61
Rose::BinaryAnalysis::FeasiblePath::Settings::ignoreSemanticFailure
bool ignoreSemanticFailure
Whether to ignore instructions with no semantic info.
Definition: BinaryFeasiblePath.h:86
Rose::BinaryAnalysis::FeasiblePath::Settings::searchMode
SearchMode searchMode
Method to use when searching for feasible paths.
Definition: BinaryFeasiblePath.h:73
Sawyer::Attribute::Id
size_t Id
Attribute identification.
Definition: Attribute.h:140
Sawyer::Container::Graph::clear
void clear()
Remove all vertices and edges.
Definition: Graph.h:1978
Rose::BinaryAnalysis::FeasiblePath::pathEndsWithFunctionCall
bool pathEndsWithFunctionCall(const Partitioner2::CfgPath &) const
True if path ends with a function call.
Rose::BinaryAnalysis::FeasiblePath::printPath
void printPath(std::ostream &out, const Partitioner2::CfgPath &) const
Print the path to the specified output stream.
Rose::BinaryAnalysis::FeasiblePath::AddressSet
std::set< rose_addr_t > AddressSet
Set of basic block addresses.
Definition: BinaryFeasiblePath.h:50
Rose::BinaryAnalysis::FeasiblePath::buildVirtualCpu
virtual InstructionSemantics2::BaseSemantics::DispatcherPtr buildVirtualCpu(const Partitioner2::Partitioner &, const Partitioner2::CfgPath *, PathProcessor *, const SmtSolver::Ptr &)
Create the virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::settings
const Settings & settings() const
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:303
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memByteNumber
size_t memByteNumber
Byte number for memory access.
Definition: BinaryFeasiblePath.h:131
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::stackDelta
int64_t stackDelta
Stack delta for summarized function.
Definition: BinaryFeasiblePath.h:201
Sawyer::SharedObject
Base class for reference counted objects.
Definition: SharedObject.h:64
Rose::BinaryAnalysis::FeasiblePath::Settings::kCycleCoefficient
double kCycleCoefficient
Coefficient for adjusting maxPathLengh during CFG cycles.
Definition: BinaryFeasiblePath.h:87
Rose::BinaryAnalysis::FeasiblePath::commandLineSwitches
static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings)
Describe command-line switches.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::Ptr
Sawyer::SharedPointer< FunctionSummarizer > Ptr
Reference counting pointer.
Definition: BinaryFeasiblePath.h:220
Rose::BinaryAnalysis::FeasiblePath::mlog
static Sawyer::Message::Facility mlog
Diagnostic output.
Definition: BinaryFeasiblePath.h:112
Rose::BinaryAnalysis::FeasiblePath::processVertex
virtual void processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, size_t &pathInsnIndex)
Process one vertex.
Rose::BinaryAnalysis::FeasiblePath::varDetails
const VarDetails & varDetails(const InstructionSemantics2::BaseSemantics::StatePtr &) const
Details about all variables by name.
Sawyer::Container::GraphIteratorSet::clear
void clear()
Remove all edges or vertices from this set.
Definition: GraphIteratorSet.h:121
Rose::BinaryAnalysis::FeasiblePath::pathLength
static size_t pathLength(const Partitioner2::CfgPath &)
Total length of path.
Rose::BinaryAnalysis::FeasiblePath::pathToCfg
Partitioner2::ControlFlowGraph::ConstVertexIterator pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const
Convert path vertex to a CFG vertex.
Rose::BinaryAnalysis::FeasiblePath::VISIT_NATURAL
Visit edges in their natural, forward order.
Definition: BinaryFeasiblePath.h:38
Rose::BinaryAnalysis::FeasiblePath::functionSummary
const FunctionSummary & functionSummary(rose_addr_t entryVa) const
Function summary information.
Rose::BinaryAnalysis::FeasiblePath::partitioner
const Partitioner2::Partitioner & partitioner() const
Property: Partitioner currently in use.
Rose::BinaryAnalysis::RegisterDictionary
Defines registers available for a particular architecture.
Definition: Registers.h:35
Rose::BinaryAnalysis::FeasiblePath::varDetail
const VarDetail & varDetail(const InstructionSemantics2::BaseSemantics::StatePtr &, const std::string &varName) const
Details about a variable.
Rose::BinaryAnalysis::FeasiblePath::processBasicBlock
virtual void processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process instructions for one basic block on the specified virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memAddress
SymbolicExpr::Ptr memAddress
Address where variable is located.
Definition: BinaryFeasiblePath.h:129
Rose::BinaryAnalysis::Partitioner2::Partitioner
Partitions instructions into basic blocks and functions.
Definition: Partitioner.h:316
Rose::BinaryAnalysis::FeasiblePath::reachedBlockVas
const AddressSet & reachedBlockVas() const
Property: Addresses reached during analysis.
Rose::BinaryAnalysis::FeasiblePath::Settings::solverName
std::string solverName
Type of SMT solver.
Definition: BinaryFeasiblePath.h:83
Rose::BinaryAnalysis::FeasiblePath::EdgeVisitOrder
EdgeVisitOrder
Edge visitation order.
Definition: BinaryFeasiblePath.h:37
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
void functionSummarizer(const FunctionSummarizer::Ptr &f)
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:391
Rose::BinaryAnalysis::FeasiblePath::settings
Settings & settings()
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:304
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memSize
size_t memSize
Size of total memory access in bytes.
Definition: BinaryFeasiblePath.h:130
Sawyer::Container::Map
Container associating values with keys.
Definition: Sawyer/Map.h:66
Rose::BinaryAnalysis::FeasiblePath::Settings::exprParserDoc
std::string exprParserDoc
String documenting how expressions are parsed, empty for default.
Definition: BinaryFeasiblePath.h:101
Rose::BinaryAnalysis::FeasiblePath::Settings::processFinalVertex
bool processFinalVertex
Whether to process the last vertex of the path.
Definition: BinaryFeasiblePath.h:85
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessInsn
SgAsmInstruction * firstAccessInsn
Instruction address where this var was first read.
Definition: BinaryFeasiblePath.h:127
Rose::BinaryAnalysis::FeasiblePath::Settings
Settings that control this analysis.
Definition: BinaryFeasiblePath.h:71
Rose::BinaryAnalysis::FeasiblePath::initDiagnostics
static void initDiagnostics()
Initialize diagnostic output.
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::check
bool check
If true, look for null dereferences along the paths.
Definition: BinaryFeasiblePath.h:93
Rose::BinaryAnalysis::FeasiblePath::setInitialState
virtual void setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex)
Initialize state for first vertex of path.
Rose::BinaryAnalysis::FeasiblePath::Settings::initialStackPtr
Sawyer::Optional< rose_addr_t > initialStackPtr
Concrete value to use for stack pointer register initial value.
Definition: BinaryFeasiblePath.h:74
Rose::BinaryAnalysis::FeasiblePath::SemanticMemoryParadigm
SemanticMemoryParadigm
Organization of semantic memory.
Definition: BinaryFeasiblePath.h:31
Rose::BinaryAnalysis::FeasiblePath::Settings::assertions
std::vector< Expression > assertions
Constraints to be satisfied at some point along the path.
Definition: BinaryFeasiblePath.h:79
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::init
virtual void init(const FeasiblePath &analysis, FunctionSummary &summary, const Partitioner2::Function::Ptr &function, Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget)=0
Invoked when a new summary is created.
Generated on Thu Sep 12 2019 11:37:13 for ROSE by   doxygen 1.8.10