ROSE  0.9.13.77
BinaryFeasiblePath.h
1 #ifndef ROSE_BinaryAnalysis_FeasiblePath_H
2 #define ROSE_BinaryAnalysis_FeasiblePath_H
3 
4 #include <BaseSemantics2.h>
5 #include <BinarySmtSolver.h>
6 #include <BinarySymbolicExprParser.h>
7 #include <Partitioner2/CfgPath.h>
8 #include <RoseException.h>
9 #include <Sawyer/CommandLine.h>
10 #include <Sawyer/Message.h>
11 #include <boost/filesystem/path.hpp>
12 
13 namespace Rose {
14 namespace BinaryAnalysis {
15 
19 class FeasiblePath {
21  // Types and public data members
23 public:
25  class Exception: public Rose::Exception {
26  public:
27  Exception(const std::string &what)
28  : Rose::Exception(what) {}
29  ~Exception() throw () {}
30  };
31 
33  enum SearchMode {
34  SEARCH_SINGLE_DFS,
35  SEARCH_SINGLE_BFS,
36  SEARCH_MULTI
37  };
38 
40  enum SemanticMemoryParadigm {
41  LIST_BASED_MEMORY,
42  MAP_BASED_MEMORY
43  };
44 
46  enum EdgeVisitOrder {
47  VISIT_NATURAL,
48  VISIT_REVERSE,
49  VISIT_RANDOM,
50  };
51 
53  enum IoMode { READ, WRITE };
54 
56  enum MayOrMust { MAY, MUST };
57 
59  typedef std::set<rose_addr_t> AddressSet;
60 
67  struct Expression {
68  AddressIntervalSet location;
69  std::string parsable;
70  SymbolicExpr::Ptr expr;
72  Expression() {}
73  /*implicit*/ Expression(const std::string &parsable): parsable(parsable) {}
74  /*implicit*/ Expression(const SymbolicExpr::Ptr &expr): expr(expr) {}
75 
76  void print(std::ostream&) const;
77  };
78 
80  struct Settings {
81  // Path feasibility
82  SearchMode searchMode;
83  Sawyer::Optional<rose_addr_t> initialStackPtr;
84  size_t maxVertexVisit;
85  size_t maxPathLength;
86  size_t maxCallDepth;
87  size_t maxRecursionDepth;
88  std::vector<Expression> assertions;
89  std::vector<std::string> assertionLocations;
90  std::vector<rose_addr_t> summarizeFunctions;
91  bool nonAddressIsFeasible;
92  std::string solverName;
93  SemanticMemoryParadigm memoryParadigm;
94  bool processFinalVertex;
95  bool ignoreSemanticFailure;
96  double kCycleCoefficient;
97  EdgeVisitOrder edgeVisitOrder;
98  bool trackingCodeCoverage;
99  std::vector<rose_addr_t> ipRewrite;
101  // Null dereferences
102  struct NullDeref {
103  bool check;
104  MayOrMust mode;
105  bool constOnly;
107  NullDeref()
108  : check(false), mode(MUST), constOnly(false) {}
109  } nullDeref;
111  std::string exprParserDoc;
114  Settings()
115  : searchMode(SEARCH_SINGLE_DFS), maxVertexVisit((size_t)-1), maxPathLength(200), maxCallDepth((size_t)-1),
116  maxRecursionDepth((size_t)-1), nonAddressIsFeasible(true), solverName("best"),
117  memoryParadigm(LIST_BASED_MEMORY), processFinalVertex(false), ignoreSemanticFailure(false),
118  kCycleCoefficient(0.0), edgeVisitOrder(VISIT_NATURAL), trackingCodeCoverage(true) {}
119  };
120 
122  static Sawyer::Message::Facility mlog;
123 
131  RegisterDescriptor REG_PATH;
132 
134  struct VarDetail {
135  std::string registerName;
136  std::string firstAccessMode;
137  SgAsmInstruction *firstAccessInsn;
138  Sawyer::Optional<size_t> firstAccessIdx;
139  SymbolicExpr::Ptr memAddress;
140  size_t memSize;
141  size_t memByteNumber;
142  Sawyer::Optional<rose_addr_t> returnFrom;
144  VarDetail(): firstAccessInsn(NULL), memSize(0), memByteNumber(0) {}
145  std::string toString() const;
146  };
147 
149  typedef Sawyer::Container::Map<std::string /*name*/, FeasiblePath::VarDetail> VarDetails;
150 
154  class PathProcessor {
155  public:
156  enum Action {
157  BREAK,
158  CONTINUE
159  };
160 
161  virtual ~PathProcessor() {}
162 
177  virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
178  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
179  const SmtSolverPtr &solver) { return CONTINUE; }
180 
210  virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn,
211  const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver,
212  IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr) {}
213 
249  virtual void memoryIo(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn,
250  const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver,
251  IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr,
252  const InstructionSemantics2::BaseSemantics::SValuePtr &value) {}
253  };
254 
258  struct FunctionSummary {
259  rose_addr_t address;
260  int64_t stackDelta;
261  std::string name;
264  FunctionSummary(): stackDelta(SgAsmInstruction::INVALID_STACK_DELTA) {}
265 
267  FunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgFuncVertex, uint64_t stackDelta);
268  };
269 
271  typedef Sawyer::Container::Map<rose_addr_t, FunctionSummary> FunctionSummaries;
272 
276  class FunctionSummarizer: public Sawyer::SharedObject {
277  public:
279  typedef Sawyer::SharedPointer<FunctionSummarizer> Ptr;
280  protected:
281  FunctionSummarizer() {}
282  public:
284  virtual void init(const FeasiblePath &analysis, FunctionSummary &summary /*in,out*/,
285  const Partitioner2::Function::Ptr &function,
286  Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget) = 0;
287 
292  virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary,
293  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
294 
299  virtual InstructionSemantics2::SymbolicSemantics::SValuePtr
300  returnValue(const FeasiblePath &analysis, const FunctionSummary &summary,
301  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
302  };
303 
305  // Private data members
307 private:
308  const Partitioner2::Partitioner *partitioner_; // binary analysis context
309  RegisterDictionary *registers_; // registers augmented with "path" pseudo-register
310  RegisterDescriptor REG_RETURN_; // FIXME[Robb P Matzke 2016-10-11]: see source
311  Settings settings_;
312  FunctionSummaries functionSummaries_;
313  Partitioner2::CfgVertexMap vmap_; // relates CFG vertices to path vertices
314  Partitioner2::ControlFlowGraph paths_; // all possible paths, feasible or otherwise
315  Partitioner2::CfgConstVertexSet pathsBeginVertices_;// vertices of paths_ where searching starts
316  Partitioner2::CfgConstVertexSet pathsEndVertices_; // vertices of paths_ where searching stops
317  Partitioner2::CfgConstEdgeSet cfgAvoidEdges_; // CFG edges to avoid
318  Partitioner2::CfgConstVertexSet cfgEndAvoidVertices_;// CFG end-of-path and other avoidance vertices
319  FunctionSummarizer::Ptr functionSummarizer_; // user-defined function for handling function summaries
320  AddressSet reachedBlockVas_; // basic block addresses reached during analysis
321  static Sawyer::Attribute::Id POST_STATE; // stores semantic state after executing the insns for a vertex
322  static Sawyer::Attribute::Id POST_INSN_LENGTH; // path length in instructions at end of vertex
323  static Sawyer::Attribute::Id EFFECTIVE_K; // (double) effective maximimum path length
324 
325 
327  // Construction, destruction
329 public:
331  FeasiblePath()
332  : registers_(NULL) {}
333 
334  virtual ~FeasiblePath() {}
335 
337  void reset() {
338  partitioner_ = NULL;
339  registers_ = NULL;
340  REG_PATH = REG_RETURN_ = RegisterDescriptor();
341  functionSummaries_.clear();
342  vmap_.clear();
343  paths_.clear();
344  pathsBeginVertices_.clear();
345  pathsEndVertices_.clear();
346  cfgAvoidEdges_.clear();
347  cfgEndAvoidVertices_.clear();
348  reachedBlockVas_.clear();
349  }
350 
352  static void initDiagnostics();
353 
354 
356  // Settings affecting behavior
358 public:
362  const Settings& settings() const { return settings_; }
363  Settings& settings() { return settings_; }
364  void settings(const Settings &s) { settings_ = s; }
371  static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings);
372 
374  static std::string expressionDocumentation();
375 
376 
378  // Overridable processing functions
380 public:
386  virtual InstructionSemantics2::BaseSemantics::DispatcherPtr
387  buildVirtualCpu(const Partitioner2::Partitioner&, const Partitioner2::CfgPath*, PathProcessor*, const SmtSolver::Ptr&);
388 
395  virtual void
396  setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
397  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex);
398 
403  virtual void
404  processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock,
405  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex);
406 
410  virtual void
411  processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex,
412  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
413  size_t pathInsnIndex);
414 
418  virtual void
419  processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
420  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
421  size_t pathInsnIndex);
422 
426  virtual void
427  processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
428  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
429  size_t &pathInsnIndex /*in,out*/);
430 
432  virtual bool
433  shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex,
434  const Partitioner2::ControlFlowGraph &cfg,
435  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
436 
438  virtual bool
439  shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
440 
449  FunctionSummarizer::Ptr functionSummarizer() const { return functionSummarizer_; }
450  void functionSummarizer(const FunctionSummarizer::Ptr &f) { functionSummarizer_ = f; }
453  // Utilities
456 public:
458  Partitioner2::ControlFlowGraph::ConstVertexIterator
459  pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const;
460 
462  Partitioner2::CfgConstVertexSet
463  cfgToPaths(const Partitioner2::CfgConstVertexSet&) const;
464 
466  bool pathEndsWithFunctionCall(const Partitioner2::CfgPath&) const;
467 
469  bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator&) const;
470 
472  void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex,
473  size_t &insnIdx /*in,out*/) const;
474 
478  void printPath(std::ostream &out, const Partitioner2::CfgPath&) const;
479 
483  static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg,
484  const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex,
485  const Partitioner2::CfgConstVertexSet &endVertices);
486 
488  // Functions for describing the search space
490 public:
491 
498  void
499  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
500  const Partitioner2::CfgConstVertexSet &cfgBeginVertices,
501  const Partitioner2::CfgConstVertexSet &cfgEndVertices,
502  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
503  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
504  void
505  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
506  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex,
507  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgEndVertex,
508  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
509  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
513  // Functions for searching for paths
516 public:
521  void depthFirstSearch(PathProcessor &pathProcessor);
522 
523 
525  // Functions for getting the results
527 public:
532  const Partitioner2::Partitioner& partitioner() const;
533 
537  const FunctionSummaries& functionSummaries() const {
538  return functionSummaries_;
539  }
540 
545  const FunctionSummary& functionSummary(rose_addr_t entryVa) const;
546 
548  const VarDetail& varDetail(const InstructionSemantics2::BaseSemantics::StatePtr&, const std::string &varName) const;
549 
551  const VarDetails& varDetails(const InstructionSemantics2::BaseSemantics::StatePtr&) const;
552 
554  static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath&, size_t vertexIdx);
555 
561  double pathEffectiveK(const Partitioner2::CfgPath&) const;
562 
569  static size_t pathLength(const Partitioner2::CfgPath&);
570 
572  // Functions for code coverage
574 public:
579  const AddressSet& reachedBlockVas() const;
580 
582  // Private supporting functions
584 private:
585  // Check that analysis settings are valid, or throw an exception.
586  void checkSettings() const;
587 
588  static rose_addr_t virtualAddress(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex);
589 
590  void insertCallSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsCallSite,
591  const Partitioner2::ControlFlowGraph &cfg,
592  const Partitioner2::ControlFlowGraph::ConstEdgeIterator &cfgCallEdge);
593 
594  boost::filesystem::path emitPathGraph(size_t callId, size_t graphId); // emit paths graph to "rose-debug" directory
595 
596  // Pop an edge (or more) from the path and follow some other edge. Also, adjust the SMT solver's stack in a similar
597  // way. The SMT solver will have an initial state, plus one pushed state per edge of the path.
598  void backtrack(Partitioner2::CfgPath &path /*in,out*/, const SmtSolver::Ptr&);
599 
600  // Process one edge of a path to find any path constraints. When called, the cpu's current state should be the virtual
601  // machine state at it exists just prior to executing the target vertex of the specified edge.
602  //
603  // Returns a null pointer if the edge's assertion is trivially unsatisfiable, such as when the edge points to a basic block
604  // whose address doesn't match the contents of the instruction pointer register after executing the edge's source
605  // block. Otherwise, returns a symbolic expression which must be tree if the edge is feasible. For trivially feasible
606  // edges, the return value is the constant 1 (one bit wide; i.e., true).
607  SymbolicExpr::Ptr pathEdgeConstraint(const Partitioner2::ControlFlowGraph::ConstEdgeIterator &pathEdge,
608  InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu);
609 
610  // Parse the expression if it's a parsable string, otherwise return the expression as is. */
611  Expression parseExpression(Expression, const std::string &where, SymbolicExprParser&) const;
612 
613  SymbolicExpr::Ptr expandExpression(const Expression&, SymbolicExprParser&);
614 
615  // Based on the last vertex of the path, insert user-specified assertions into the SMT solver.
616  void insertAssertions(const SmtSolver::Ptr&, const Partitioner2::CfgPath&,
617  const std::vector<Expression> &assertions, bool atEndOfPath, SymbolicExprParser&);
618 
619  // Size of vertex. How much of "k" does this vertex consume?
620  static size_t vertexSize(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
621 
622  // Insert the edge assertion and any applicable user assertions (after delayed expansion of the expressions' register
623  // and memory references), and run the solver, returning its result.
624  SmtSolver::Satisfiable
625  solvePathConstraints(SmtSolver::Ptr&, const Partitioner2::CfgPath&, const SymbolicExpr::Ptr &edgeAssertion,
626  const std::vector<Expression> &userAssertions, bool atEndOfPath, SymbolicExprParser&);
627 
628  // Mark vertex as being reached
629  void markAsReached(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
630 };
631 
632 } // namespace
633 } // namespace
634 
635 std::ostream& operator<<(std::ostream&, const Rose::BinaryAnalysis::FeasiblePath::Expression&);
636 
637 // Convert string to feasible path expression during command-line parsing
638 namespace Sawyer {
639  namespace CommandLine {
640  template<>
641  struct LexicalCast<Rose::BinaryAnalysis::FeasiblePath::Expression> {
642  static Rose::BinaryAnalysis::FeasiblePath::Expression convert(const std::string &src) {
643  return Rose::BinaryAnalysis::FeasiblePath::Expression(src);
644  }
645  };
646  }
647 }
648 
649 #endif
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessMode
std::string firstAccessMode
How was variable first accessed ("read" or "write").
Definition: BinaryFeasiblePath.h:136
Rose::BinaryAnalysis::FeasiblePath::Settings::summarizeFunctions
std::vector< rose_addr_t > summarizeFunctions
Functions to always summarize.
Definition: BinaryFeasiblePath.h:90
Rose::BinaryAnalysis::FeasiblePath::FunctionSummaries
Sawyer::Container::Map< rose_addr_t, FunctionSummary > FunctionSummaries
Summaries for multiple functions.
Definition: BinaryFeasiblePath.h:271
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::mode
MayOrMust mode
Check for addrs that may or must be null.
Definition: BinaryFeasiblePath.h:104
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::RiscOperatorsPtr
boost::shared_ptr< RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to a RISC operators object.
Definition: BaseSemanticsTypes.h:54
Rose::BinaryAnalysis::FeasiblePath::Settings::edgeVisitOrder
EdgeVisitOrder edgeVisitOrder
Order in which to visit edges.
Definition: BinaryFeasiblePath.h:97
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::returnValue
virtual InstructionSemantics2::SymbolicSemantics::SValuePtr returnValue(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Return value for function.
Rose::BinaryAnalysis::FeasiblePath::isAnyEndpointReachable
static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex, const Partitioner2::CfgConstVertexSet &endVertices)
Determine whether any ending vertex is reachable.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::address
rose_addr_t address
Address of summarized function.
Definition: BinaryFeasiblePath.h:259
Rose::BinaryAnalysis::FeasiblePath::Settings::memoryParadigm
SemanticMemoryParadigm memoryParadigm
Type of memory state when there's a choice to be made.
Definition: BinaryFeasiblePath.h:93
Rose::BinaryAnalysis::FeasiblePath::Settings::trackingCodeCoverage
bool trackingCodeCoverage
If set, track which block addresses are reached.
Definition: BinaryFeasiblePath.h:98
Rose::BinaryAnalysis::FeasiblePath::pathEffectiveK
double pathEffectiveK(const Partitioner2::CfgPath &) const
Effective maximum path length.
Rose::BinaryAnalysis::FeasiblePath::printPathVertex
void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex, size_t &insnIdx) const
Print one vertex of a path for debugging.
Rose::BinaryAnalysis::FeasiblePath::Expression::parsable
std::string parsable
String to be parsed as an expression.
Definition: BinaryFeasiblePath.h:69
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary
Information stored per V_USER_DEFINED path vertex.
Definition: BinaryFeasiblePath.h:258
Rose::BinaryAnalysis::FeasiblePath::VarDetails
Sawyer::Container::Map< std::string, FeasiblePath::VarDetail > VarDetails
Variable detail by name.
Definition: BinaryFeasiblePath.h:149
Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::Partitioner &partitioner, const Partitioner2::CfgConstVertexSet &cfgBeginVertices, const Partitioner2::CfgConstVertexSet &cfgEndVertices, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.
Rose::BinaryAnalysis::FeasiblePath::depthFirstSearch
void depthFirstSearch(PathProcessor &pathProcessor)
Find all feasible paths.
Rose::BinaryAnalysis::FeasiblePath::processIndeterminateBlock
virtual void processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process an indeterminate block.
SgAsmInstruction
Base class for machine instructions.
Definition: binaryInstruction.C:691
Rose::BinaryAnalysis::FeasiblePath::VarDetail::returnFrom
Sawyer::Optional< rose_addr_t > returnFrom
This variable is the return value from the specified function.
Definition: BinaryFeasiblePath.h:142
Sawyer::Message::Facility
Collection of streams.
Definition: Message.h:1595
Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to symbolic RISC operations.
Definition: SymbolicSemantics2.h:781
Rose::BinaryAnalysis::FeasiblePath::FeasiblePath
FeasiblePath()
Constructs a new feasible path analyzer.
Definition: BinaryFeasiblePath.h:331
Rose::BinaryAnalysis::FeasiblePath::SearchMode
SearchMode
How to search for paths.
Definition: BinaryFeasiblePath.h:33
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::nullDeref
virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn, const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr)
Function invoked whenever a null pointer dereference is detected.
Definition: BinaryFeasiblePath.h:210
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::process
virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Invoked when the analysis traverses the summary.
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::StatePtr
boost::shared_ptr< State > StatePtr
Shared-ownership pointer to a semantic state.
Definition: BaseSemanticsTypes.h:51
Rose::BinaryAnalysis::FeasiblePath::processFunctionSummary
virtual void processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process a function summary vertex.
Rose::BinaryAnalysis::FeasiblePath::REG_PATH
RegisterDescriptor REG_PATH
Descriptor of path pseudo-registers.
Definition: BinaryFeasiblePath.h:131
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::name
std::string name
Name of summarized function.
Definition: BinaryFeasiblePath.h:261
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessIdx
Sawyer::Optional< size_t > firstAccessIdx
Instruction position in path where this var was first read.
Definition: BinaryFeasiblePath.h:138
Sawyer::CommandLine::SwitchGroup
A collection of related switch declarations.
Definition: util/Sawyer/CommandLine.h:2522
Rose
Main namespace for the ROSE library.
Definition: BinaryTutorial.dox:3
Rose::BinaryAnalysis::SymbolicExprParser
Parses symbolic expressions from text.
Definition: BinarySymbolicExprParser.h:27
Rose::BinaryAnalysis::SmtSolver::Satisfiable
Satisfiable
Satisfiability constants.
Definition: BinarySmtSolver.h:78
Rose::BinaryAnalysis::FeasiblePath::Settings::maxCallDepth
size_t maxCallDepth
Max length of path in terms of function calls.
Definition: BinaryFeasiblePath.h:86
Rose::BinaryAnalysis::FeasiblePath::Settings::nullDeref
struct Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref nullDeref
Settings for null-dereference analysis.
Rose::BinaryAnalysis::FeasiblePath::SEARCH_MULTI
Blast everything at once to the SMT solver.
Definition: BinaryFeasiblePath.h:36
Sawyer
Name space for the entire library.
Definition: BinaryFeasiblePath.h:638
Rose::BinaryAnalysis::FeasiblePath::Settings::assertionLocations
std::vector< std::string > assertionLocations
Locations at which "constraints" are checked.
Definition: BinaryFeasiblePath.h:89
Rose::BinaryAnalysis::FeasiblePath::functionSummaries
const FunctionSummaries & functionSummaries() const
Function summary information.
Definition: BinaryFeasiblePath.h:537
Rose::BinaryAnalysis::FeasiblePath::cfgToPaths
Partitioner2::CfgConstVertexSet cfgToPaths(const Partitioner2::CfgConstVertexSet &) const
Convert CFG vertices to path vertices.
Rose::BinaryAnalysis::FeasiblePath::shouldInline
virtual bool shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be inlined.
Rose::BinaryAnalysis::FeasiblePath::Settings::ipRewrite
std::vector< rose_addr_t > ipRewrite
An even number of from,to pairs for rewriting the insn ptr reg.
Definition: BinaryFeasiblePath.h:99
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::DispatcherPtr
boost::shared_ptr< Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
Definition: BaseSemanticsTypes.h:57
Rose::BinaryAnalysis::FeasiblePath::expressionDocumentation
static std::string expressionDocumentation()
Documentation for the symbolic expression parser.
Rose::BinaryAnalysis::FeasiblePath::settings
void settings(const Settings &s)
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:364
Rose::BinaryAnalysis::FeasiblePath::Settings::maxPathLength
size_t maxPathLength
Limit path length in terms of number of instructions.
Definition: BinaryFeasiblePath.h:85
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::constOnly
bool constOnly
If true, check only constants or sets of constants.
Definition: BinaryFeasiblePath.h:105
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer
Base class for callbacks for function summaries.
Definition: BinaryFeasiblePath.h:276
Rose::BinaryAnalysis::FeasiblePath::Expression::location
AddressIntervalSet location
Location where constraint applies.
Definition: BinaryFeasiblePath.h:68
Sawyer::Container::GraphIteratorBiMap::clear
void clear()
Remove all entries from this container.
Definition: GraphIteratorBiMap.h:102
Rose::BinaryAnalysis::FeasiblePath::VISIT_REVERSE
Visit edges in reverse of the natural order.
Definition: BinaryFeasiblePath.h:48
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::memoryIo
virtual void memoryIo(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn, const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, const InstructionSemantics2::BaseSemantics::SValuePtr &value)
Function invoked every time a memory reference occurs.
Definition: BinaryFeasiblePath.h:249
Rose::BinaryAnalysis::FeasiblePath::pathPostState
static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath &, size_t vertexIdx)
Get the state at the end of the specified vertex.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::FunctionSummary
FunctionSummary()
Construct empty function summary.
Definition: BinaryFeasiblePath.h:264
Rose::BinaryAnalysis::FeasiblePath::Settings::nonAddressIsFeasible
bool nonAddressIsFeasible
Indeterminate/undiscovered vertices are feasible?
Definition: BinaryFeasiblePath.h:91
Rose::BinaryAnalysis::FeasiblePath::Settings::maxVertexVisit
size_t maxVertexVisit
Max times to visit a particular vertex in one path.
Definition: BinaryFeasiblePath.h:84
Rose::BinaryAnalysis::RegisterDescriptor
Describes (part of) a physical CPU register.
Definition: RegisterDescriptor.h:25
Rose::BinaryAnalysis::FeasiblePath::Settings::maxRecursionDepth
size_t maxRecursionDepth
Max path length in terms of recursive function calls.
Definition: BinaryFeasiblePath.h:87
Rose::BinaryAnalysis::FeasiblePath::reset
void reset()
Reset to initial state without changing settings.
Definition: BinaryFeasiblePath.h:337
Rose::BinaryAnalysis::Partitioner2::CfgPath
A path through a control flow graph.
Definition: CfgPath.h:15
Rose::BinaryAnalysis::FeasiblePath::VarDetail
Information about a variable seen on a path.
Definition: BinaryFeasiblePath.h:134
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::found
virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const SmtSolverPtr &solver)
Function invoked whenever a complete path is found.
Definition: BinaryFeasiblePath.h:177
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
FunctionSummarizer::Ptr functionSummarizer() const
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:449
Rose::BinaryAnalysis::FeasiblePath::Exception
Exception for errors specific to feasible path analysis.
Definition: BinaryFeasiblePath.h:25
Rose::BinaryAnalysis::FeasiblePath::shouldSummarizeCall
virtual bool shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex, const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be summarized instead of inlined.
Rose::BinaryAnalysis::FeasiblePath::isFunctionCall
bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &) const
True if vertex is a function call.
Rose::BinaryAnalysis::FeasiblePath::Expression::expr
SymbolicExpr::Ptr expr
Symbolic expression.
Definition: BinaryFeasiblePath.h:70
Rose::BinaryAnalysis::FeasiblePath::Settings::ignoreSemanticFailure
bool ignoreSemanticFailure
Whether to ignore instructions with no semantic info.
Definition: BinaryFeasiblePath.h:95
Rose::BinaryAnalysis::FeasiblePath::Settings::searchMode
SearchMode searchMode
Method to use when searching for feasible paths.
Definition: BinaryFeasiblePath.h:82
Sawyer::Attribute::Id
size_t Id
Attribute identification.
Definition: Attribute.h:140
Sawyer::Container::Graph::clear
void clear()
Remove all vertices and edges.
Definition: Graph.h:1978
Rose::BinaryAnalysis::FeasiblePath::pathEndsWithFunctionCall
bool pathEndsWithFunctionCall(const Partitioner2::CfgPath &) const
True if path ends with a function call.
Rose::BinaryAnalysis::FeasiblePath::printPath
void printPath(std::ostream &out, const Partitioner2::CfgPath &) const
Print the path to the specified output stream.
Rose::BinaryAnalysis::FeasiblePath::AddressSet
std::set< rose_addr_t > AddressSet
Set of basic block addresses.
Definition: BinaryFeasiblePath.h:59
Rose::BinaryAnalysis::FeasiblePath::buildVirtualCpu
virtual InstructionSemantics2::BaseSemantics::DispatcherPtr buildVirtualCpu(const Partitioner2::Partitioner &, const Partitioner2::CfgPath *, PathProcessor *, const SmtSolver::Ptr &)
Create the virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::settings
const Settings & settings() const
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:362
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memByteNumber
size_t memByteNumber
Byte number for memory access.
Definition: BinaryFeasiblePath.h:141
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::stackDelta
int64_t stackDelta
Stack delta for summarized function.
Definition: BinaryFeasiblePath.h:260
Sawyer::SharedObject
Base class for reference counted objects.
Definition: SharedObject.h:64
Rose::BinaryAnalysis::FeasiblePath::Settings::kCycleCoefficient
double kCycleCoefficient
Coefficient for adjusting maxPathLengh during CFG cycles.
Definition: BinaryFeasiblePath.h:96
Rose::BinaryAnalysis::FeasiblePath::commandLineSwitches
static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings)
Describe command-line switches.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::Ptr
Sawyer::SharedPointer< FunctionSummarizer > Ptr
Reference counting pointer.
Definition: BinaryFeasiblePath.h:279
Rose::BinaryAnalysis::FeasiblePath::mlog
static Sawyer::Message::Facility mlog
Diagnostic output.
Definition: BinaryFeasiblePath.h:122
Rose::BinaryAnalysis::FeasiblePath::processVertex
virtual void processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, size_t &pathInsnIndex)
Process one vertex.
Rose::BinaryAnalysis::FeasiblePath::varDetails
const VarDetails & varDetails(const InstructionSemantics2::BaseSemantics::StatePtr &) const
Details about all variables by name.
Sawyer::Container::GraphIteratorSet::clear
void clear()
Remove all edges or vertices from this set.
Definition: GraphIteratorSet.h:121
Rose::BinaryAnalysis::FeasiblePath::pathLength
static size_t pathLength(const Partitioner2::CfgPath &)
Total length of path.
Rose::BinaryAnalysis::FeasiblePath::pathToCfg
Partitioner2::ControlFlowGraph::ConstVertexIterator pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const
Convert path vertex to a CFG vertex.
Rose::BinaryAnalysis::FeasiblePath::VISIT_NATURAL
Visit edges in their natural, forward order.
Definition: BinaryFeasiblePath.h:47
Rose::BinaryAnalysis::FeasiblePath::functionSummary
const FunctionSummary & functionSummary(rose_addr_t entryVa) const
Function summary information.
Rose::BinaryAnalysis::FeasiblePath::partitioner
const Partitioner2::Partitioner & partitioner() const
Property: Partitioner currently in use.
Rose::BinaryAnalysis::RegisterDictionary
Defines registers available for a particular architecture.
Definition: Registers.h:35
Rose::BinaryAnalysis::FeasiblePath::varDetail
const VarDetail & varDetail(const InstructionSemantics2::BaseSemantics::StatePtr &, const std::string &varName) const
Details about a variable.
Rose::BinaryAnalysis::FeasiblePath::processBasicBlock
virtual void processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process instructions for one basic block on the specified virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memAddress
SymbolicExpr::Ptr memAddress
Address where variable is located.
Definition: BinaryFeasiblePath.h:139
Rose::BinaryAnalysis::Partitioner2::Partitioner
Partitions instructions into basic blocks and functions.
Definition: Partitioner.h:318
Rose::Exception
Base class for all ROSE exceptions.
Definition: RoseException.h:9
Rose::BinaryAnalysis::FeasiblePath::reachedBlockVas
const AddressSet & reachedBlockVas() const
Property: Addresses reached during analysis.
Rose::BinaryAnalysis::FeasiblePath::Settings::solverName
std::string solverName
Type of SMT solver.
Definition: BinaryFeasiblePath.h:92
Rose::BinaryAnalysis::FeasiblePath::EdgeVisitOrder
EdgeVisitOrder
Edge visitation order.
Definition: BinaryFeasiblePath.h:46
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
void functionSummarizer(const FunctionSummarizer::Ptr &f)
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:450
Rose::BinaryAnalysis::FeasiblePath::settings
Settings & settings()
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:363
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memSize
size_t memSize
Size of total memory access in bytes.
Definition: BinaryFeasiblePath.h:140
Sawyer::Container::Map
Container associating values with keys.
Definition: Sawyer/Map.h:66
Rose::BinaryAnalysis::FeasiblePath::Settings::exprParserDoc
std::string exprParserDoc
String documenting how expressions are parsed, empty for default.
Definition: BinaryFeasiblePath.h:111
Rose::BinaryAnalysis::FeasiblePath::Settings::processFinalVertex
bool processFinalVertex
Whether to process the last vertex of the path.
Definition: BinaryFeasiblePath.h:94
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessInsn
SgAsmInstruction * firstAccessInsn
Instruction address where this var was first read.
Definition: BinaryFeasiblePath.h:137
Rose::BinaryAnalysis::FeasiblePath::Settings
Settings that control this analysis.
Definition: BinaryFeasiblePath.h:80
Rose::BinaryAnalysis::FeasiblePath::initDiagnostics
static void initDiagnostics()
Initialize diagnostic output.
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::check
bool check
If true, look for null dereferences along the paths.
Definition: BinaryFeasiblePath.h:103
Rose::BinaryAnalysis::FeasiblePath::setInitialState
virtual void setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex)
Initialize state for first vertex of path.
Rose::BinaryAnalysis::FeasiblePath::Settings::initialStackPtr
Sawyer::Optional< rose_addr_t > initialStackPtr
Concrete value to use for stack pointer register initial value.
Definition: BinaryFeasiblePath.h:83
Rose::BinaryAnalysis::FeasiblePath::SemanticMemoryParadigm
SemanticMemoryParadigm
Organization of semantic memory.
Definition: BinaryFeasiblePath.h:40
Rose::BinaryAnalysis::FeasiblePath::Settings::assertions
std::vector< Expression > assertions
Constraints to be satisfied at some point along the path.
Definition: BinaryFeasiblePath.h:88
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::init
virtual void init(const FeasiblePath &analysis, FunctionSummary &summary, const Partitioner2::Function::Ptr &function, Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget)=0
Invoked when a new summary is created.
Generated on Mon Feb 24 2020 09:48:07 for ROSE by   doxygen 1.8.10