ROSE  0.9.11.56
BinaryFeasiblePath.h
1 #ifndef ROSE_BinaryAnalysis_FeasiblePath_H
2 #define ROSE_BinaryAnalysis_FeasiblePath_H
3 
4 #include <BaseSemantics2.h>
5 #include <BinarySmtSolver.h>
6 #include <BinarySymbolicExprParser.h>
7 #include <Partitioner2/CfgPath.h>
8 #include <Sawyer/CommandLine.h>
9 #include <Sawyer/Message.h>
10 #include <boost/filesystem/path.hpp>
11 
12 namespace Rose {
13 namespace BinaryAnalysis {
14 
18 class FeasiblePath {
20  // Types and public data members
22 public:
24  enum SearchMode {
25  SEARCH_SINGLE_DFS,
26  SEARCH_SINGLE_BFS,
27  SEARCH_MULTI
28  };
29 
31  enum SemanticMemoryParadigm {
32  LIST_BASED_MEMORY,
33  MAP_BASED_MEMORY
34  };
35 
37  enum EdgeVisitOrder {
38  VISIT_NATURAL,
39  VISIT_REVERSE,
40  VISIT_RANDOM,
41  };
42 
44  enum IoMode { READ, WRITE };
45 
47  enum MayOrMust { MAY, MUST };
48 
50  typedef std::set<rose_addr_t> AddressSet;
51 
58  struct Expression {
59  AddressIntervalSet location;
60  std::string parsable;
61  SymbolicExpr::Ptr expr;
63  Expression() {}
64  /*implicit*/ Expression(const std::string &parsable): parsable(parsable) {}
65  /*implicit*/ Expression(const SymbolicExpr::Ptr &expr): expr(expr) {}
66 
67  void print(std::ostream&) const;
68  };
69 
71  struct Settings {
72  // Path feasibility
73  SearchMode searchMode;
74  Sawyer::Optional<rose_addr_t> initialStackPtr;
75  size_t maxVertexVisit;
76  size_t maxPathLength;
77  size_t maxCallDepth;
78  size_t maxRecursionDepth;
79  std::vector<Expression> assertions;
80  std::vector<std::string> assertionLocations;
81  std::vector<rose_addr_t> summarizeFunctions;
82  bool nonAddressIsFeasible;
83  std::string solverName;
84  SemanticMemoryParadigm memoryParadigm;
85  bool processFinalVertex;
86  bool ignoreSemanticFailure;
87  double kCycleCoefficient;
88  EdgeVisitOrder edgeVisitOrder;
89  bool trackingCodeCoverage;
91  // Null dereferences
92  struct NullDeref {
93  bool check;
94  MayOrMust mode;
95  bool constOnly;
97  NullDeref()
98  : check(false), mode(MUST), constOnly(false) {}
99  } nullDeref;
101  std::string exprParserDoc;
104  Settings()
105  : searchMode(SEARCH_SINGLE_DFS), maxVertexVisit((size_t)-1), maxPathLength(200), maxCallDepth((size_t)-1),
106  maxRecursionDepth((size_t)-1), nonAddressIsFeasible(true), solverName("best"),
107  memoryParadigm(LIST_BASED_MEMORY), processFinalVertex(false), ignoreSemanticFailure(false),
108  kCycleCoefficient(0.0), edgeVisitOrder(VISIT_NATURAL), trackingCodeCoverage(true) {}
109  };
110 
112  static Sawyer::Message::Facility mlog;
113 
121  RegisterDescriptor REG_PATH;
122 
124  struct VarDetail {
125  std::string registerName;
126  std::string firstAccessMode;
127  SgAsmInstruction *firstAccessInsn;
128  Sawyer::Optional<size_t> firstAccessIdx;
129  SymbolicExpr::Ptr memAddress;
130  size_t memSize;
131  size_t memByteNumber;
132  Sawyer::Optional<rose_addr_t> returnFrom;
134  VarDetail(): firstAccessInsn(NULL), memSize(0), memByteNumber(0) {}
135  std::string toString() const;
136  };
137 
139  typedef Sawyer::Container::Map<std::string /*name*/, FeasiblePath::VarDetail> VarDetails;
140 
144  class PathProcessor {
145  public:
146  enum Action {
147  BREAK,
148  CONTINUE
149  };
150 
151  virtual ~PathProcessor() {}
152 
167  virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
168  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
169  const SmtSolverPtr &solver) { return CONTINUE; }
170 
182  virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,
183  IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, SgAsmInstruction*) {}
184 
189  virtual void memoryIo(const FeasiblePath &analyzer, IoMode ioMode,
190  const InstructionSemantics2::BaseSemantics::SValuePtr &addr,
191  const InstructionSemantics2::BaseSemantics::SValuePtr &value,
192  const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &ops) {}
193  };
194 
198  struct FunctionSummary {
199  rose_addr_t address;
200  int64_t stackDelta;
201  std::string name;
204  FunctionSummary(): stackDelta(SgAsmInstruction::INVALID_STACK_DELTA) {}
205 
207  FunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgFuncVertex, uint64_t stackDelta);
208  };
209 
211  typedef Sawyer::Container::Map<rose_addr_t, FunctionSummary> FunctionSummaries;
212 
216  class FunctionSummarizer: public Sawyer::SharedObject {
217  public:
219  typedef Sawyer::SharedPointer<FunctionSummarizer> Ptr;
220  protected:
221  FunctionSummarizer() {}
222  public:
224  virtual void init(const FeasiblePath &analysis, FunctionSummary &summary /*in,out*/,
225  const Partitioner2::Function::Ptr &function,
226  Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget) = 0;
227 
232  virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary,
233  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
234 
239  virtual InstructionSemantics2::SymbolicSemantics::SValuePtr
240  returnValue(const FeasiblePath &analysis, const FunctionSummary &summary,
241  const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;
242  };
243 
245  // Private data members
247 private:
248  const Partitioner2::Partitioner *partitioner_; // binary analysis context
249  RegisterDictionary *registers_; // registers augmented with "path" pseudo-register
250  RegisterDescriptor REG_RETURN_; // FIXME[Robb P Matzke 2016-10-11]: see source
251  Settings settings_;
252  FunctionSummaries functionSummaries_;
253  Partitioner2::CfgVertexMap vmap_; // relates CFG vertices to path vertices
254  Partitioner2::ControlFlowGraph paths_; // all possible paths, feasible or otherwise
255  Partitioner2::CfgConstVertexSet pathsBeginVertices_;// vertices of paths_ where searching starts
256  Partitioner2::CfgConstVertexSet pathsEndVertices_; // vertices of paths_ where searching stops
257  Partitioner2::CfgConstEdgeSet cfgAvoidEdges_; // CFG edges to avoid
258  Partitioner2::CfgConstVertexSet cfgEndAvoidVertices_;// CFG end-of-path and other avoidance vertices
259  FunctionSummarizer::Ptr functionSummarizer_; // user-defined function for handling function summaries
260  AddressSet reachedBlockVas_; // basic block addresses reached during analysis
261  static Sawyer::Attribute::Id POST_STATE; // stores semantic state after executing the insns for a vertex
262  static Sawyer::Attribute::Id POST_INSN_LENGTH; // path length in instructions at end of vertex
263  static Sawyer::Attribute::Id EFFECTIVE_K; // (double) effective maximimum path length
264 
265 
267  // Construction, destruction
269 public:
271  FeasiblePath()
272  : registers_(NULL) {}
273 
274  virtual ~FeasiblePath() {}
275 
277  void reset() {
278  partitioner_ = NULL;
279  registers_ = NULL;
280  REG_PATH = REG_RETURN_ = RegisterDescriptor();
281  functionSummaries_.clear();
282  vmap_.clear();
283  paths_.clear();
284  pathsBeginVertices_.clear();
285  pathsEndVertices_.clear();
286  cfgAvoidEdges_.clear();
287  cfgEndAvoidVertices_.clear();
288  reachedBlockVas_.clear();
289  }
290 
292  static void initDiagnostics();
293 
294 
296  // Settings affecting behavior
298 public:
302  const Settings& settings() const { return settings_; }
303  Settings& settings() { return settings_; }
304  void settings(const Settings &s) { settings_ = s; }
311  static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings);
312 
314  static std::string expressionDocumentation();
315 
316 
318  // Overridable processing functions
320 public:
326  virtual InstructionSemantics2::BaseSemantics::DispatcherPtr
327  buildVirtualCpu(const Partitioner2::Partitioner&, const Partitioner2::CfgPath*, PathProcessor*, const SmtSolver::Ptr&);
328 
335  virtual void
336  setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
337  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex);
338 
343  virtual void
344  processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock,
345  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex);
346 
350  virtual void
351  processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex,
352  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
353  size_t pathInsnIndex);
354 
358  virtual void
359  processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
360  const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
361  size_t pathInsnIndex);
362 
366  virtual void
367  processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu,
368  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,
369  size_t &pathInsnIndex /*in,out*/);
370 
372  virtual bool
373  shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex,
374  const Partitioner2::ControlFlowGraph &cfg,
375  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
376 
378  virtual bool
379  shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);
380 
389  FunctionSummarizer::Ptr functionSummarizer() const { return functionSummarizer_; }
390  void functionSummarizer(const FunctionSummarizer::Ptr &f) { functionSummarizer_ = f; }
393  // Utilities
396 public:
398  Partitioner2::ControlFlowGraph::ConstVertexIterator
399  pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const;
400 
402  Partitioner2::CfgConstVertexSet
403  cfgToPaths(const Partitioner2::CfgConstVertexSet&) const;
404 
406  bool pathEndsWithFunctionCall(const Partitioner2::CfgPath&) const;
407 
409  bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator&) const;
410 
412  void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex,
413  size_t &insnIdx /*in,out*/) const;
414 
418  void printPath(std::ostream &out, const Partitioner2::CfgPath&) const;
419 
423  static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg,
424  const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex,
425  const Partitioner2::CfgConstVertexSet &endVertices);
426 
428  // Functions for describing the search space
430 public:
431 
438  void
439  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
440  const Partitioner2::CfgConstVertexSet &cfgBeginVertices,
441  const Partitioner2::CfgConstVertexSet &cfgEndVertices,
442  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
443  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
444  void
445  setSearchBoundary(const Partitioner2::Partitioner &partitioner,
446  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex,
447  const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgEndVertex,
448  const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),
449  const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());
453  // Functions for searching for paths
456 public:
461  void depthFirstSearch(PathProcessor &pathProcessor);
462 
463 
465  // Functions for getting the results
467 public:
472  const Partitioner2::Partitioner& partitioner() const;
473 
477  const FunctionSummaries& functionSummaries() const {
478  return functionSummaries_;
479  }
480 
485  const FunctionSummary& functionSummary(rose_addr_t entryVa) const;
486 
488  const VarDetail& varDetail(const InstructionSemantics2::BaseSemantics::StatePtr&, const std::string &varName) const;
489 
491  const VarDetails& varDetails(const InstructionSemantics2::BaseSemantics::StatePtr&) const;
492 
494  static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath&, size_t vertexIdx);
495 
501  double pathEffectiveK(const Partitioner2::CfgPath&) const;
502 
509  static size_t pathLength(const Partitioner2::CfgPath&);
510 
512  // Functions for code coverage
514 public:
519  const AddressSet& reachedBlockVas() const;
520 
522  // Private supporting functions
524 private:
525  static rose_addr_t virtualAddress(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex);
526 
527  void insertCallSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsCallSite,
528  const Partitioner2::ControlFlowGraph &cfg,
529  const Partitioner2::ControlFlowGraph::ConstEdgeIterator &cfgCallEdge);
530 
531  boost::filesystem::path emitPathGraph(size_t callId, size_t graphId); // emit paths graph to "rose-debug" directory
532 
533  // Pop an edge (or more) from the path and follow some other edge. Also, adjust the SMT solver's stack in a similar
534  // way. The SMT solver will have an initial state, plus one pushed state per edge of the path.
535  void backtrack(Partitioner2::CfgPath &path /*in,out*/, const SmtSolver::Ptr&);
536 
537  // Process one edge of a path to find any path constraints. When called, the cpu's current state should be the virtual
538  // machine state at it exists just prior to executing the target vertex of the specified edge.
539  //
540  // Returns a null pointer if the edge's assertion is trivially unsatisfiable, such as when the edge points to a basic block
541  // whose address doesn't match the contents of the instruction pointer register after executing the edge's source
542  // block. Otherwise, returns a symbolic expression which must be tree if the edge is feasible. For trivially feasible
543  // edges, the return value is the constant 1 (one bit wide; i.e., true).
544  SymbolicExpr::Ptr pathEdgeConstraint(const Partitioner2::ControlFlowGraph::ConstEdgeIterator &pathEdge,
545  InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu);
546 
547  // Parse the expression if it's a parsable string, otherwise return the expression as is. */
548  Expression parseExpression(Expression, const std::string &where, SymbolicExprParser&) const;
549 
550  SymbolicExpr::Ptr expandExpression(const Expression&, SymbolicExprParser&);
551 
552  // Based on the last vertex of the path, insert user-specified assertions into the SMT solver.
553  void insertAssertions(const SmtSolver::Ptr&, const Partitioner2::CfgPath&,
554  const std::vector<Expression> &assertions, bool atEndOfPath, SymbolicExprParser&);
555 
556  // Size of vertex. How much of "k" does this vertex consume?
557  static size_t vertexSize(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
558 
559  // Insert the edge assertion and any applicable user assertions (after delayed expansion of the expressions' register
560  // and memory references), and run the solver, returning its result.
561  SmtSolver::Satisfiable
562  solvePathConstraints(SmtSolver::Ptr&, const Partitioner2::CfgPath&, const SymbolicExpr::Ptr &edgeAssertion,
563  const std::vector<Expression> &userAssertions, bool atEndOfPath, SymbolicExprParser&);
564 
565  // Mark vertex as being reached
566  void markAsReached(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);
567 };
568 
569 } // namespace
570 } // namespace
571 
572 std::ostream& operator<<(std::ostream&, const Rose::BinaryAnalysis::FeasiblePath::Expression&);
573 
574 // Convert string to feasible path expression during command-line parsing
575 namespace Sawyer {
576  namespace CommandLine {
577  template<>
578  struct LexicalCast<Rose::BinaryAnalysis::FeasiblePath::Expression> {
579  static Rose::BinaryAnalysis::FeasiblePath::Expression convert(const std::string &src) {
580  return Rose::BinaryAnalysis::FeasiblePath::Expression(src);
581  }
582  };
583  }
584 }
585 
586 #endif
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessMode
std::string firstAccessMode
How was variable first accessed ("read" or "write").
Definition: BinaryFeasiblePath.h:126
Rose::BinaryAnalysis::FeasiblePath::Settings::summarizeFunctions
std::vector< rose_addr_t > summarizeFunctions
Functions to always summarize.
Definition: BinaryFeasiblePath.h:81
Rose::BinaryAnalysis::FeasiblePath::FunctionSummaries
Sawyer::Container::Map< rose_addr_t, FunctionSummary > FunctionSummaries
Summaries for multiple functions.
Definition: BinaryFeasiblePath.h:211
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::mode
MayOrMust mode
Check for addrs that may or must be null.
Definition: BinaryFeasiblePath.h:94
Rose::BinaryAnalysis::FeasiblePath::Settings::edgeVisitOrder
EdgeVisitOrder edgeVisitOrder
Order in which to visit edges.
Definition: BinaryFeasiblePath.h:88
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::returnValue
virtual InstructionSemantics2::SymbolicSemantics::SValuePtr returnValue(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Return value for function.
Rose::BinaryAnalysis::FeasiblePath::isAnyEndpointReachable
static bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex, const Partitioner2::CfgConstVertexSet &endVertices)
Determine whether any ending vertex is reachable.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::address
rose_addr_t address
Address of summarized function.
Definition: BinaryFeasiblePath.h:199
Rose::BinaryAnalysis::FeasiblePath::Settings::memoryParadigm
SemanticMemoryParadigm memoryParadigm
Type of memory state when there's a choice to be made.
Definition: BinaryFeasiblePath.h:84
Rose::BinaryAnalysis::FeasiblePath::Settings::trackingCodeCoverage
bool trackingCodeCoverage
If set, track which block addresses are reached.
Definition: BinaryFeasiblePath.h:89
Rose::BinaryAnalysis::FeasiblePath::pathEffectiveK
double pathEffectiveK(const Partitioner2::CfgPath &) const
Effective maximum path length.
Rose::BinaryAnalysis::FeasiblePath::printPathVertex
void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex, size_t &insnIdx) const
Print one vertex of a path for debugging.
Rose::BinaryAnalysis::FeasiblePath::Expression::parsable
std::string parsable
String to be parsed as an expression.
Definition: BinaryFeasiblePath.h:60
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary
Information stored per V_USER_DEFINED path vertex.
Definition: BinaryFeasiblePath.h:198
Rose::BinaryAnalysis::FeasiblePath::VarDetails
Sawyer::Container::Map< std::string, FeasiblePath::VarDetail > VarDetails
Variable detail by name.
Definition: BinaryFeasiblePath.h:139
Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::Partitioner &partitioner, const Partitioner2::CfgConstVertexSet &cfgBeginVertices, const Partitioner2::CfgConstVertexSet &cfgEndVertices, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.
Rose::BinaryAnalysis::FeasiblePath::depthFirstSearch
void depthFirstSearch(PathProcessor &pathProcessor)
Find all feasible paths.
Rose::BinaryAnalysis::FeasiblePath::processIndeterminateBlock
virtual void processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process an indeterminate block.
SgAsmInstruction
Base class for machine instructions.
Definition: binaryInstruction.C:683
Rose::BinaryAnalysis::FeasiblePath::VarDetail::returnFrom
Sawyer::Optional< rose_addr_t > returnFrom
This variable is the return value from the specified function.
Definition: BinaryFeasiblePath.h:132
Sawyer::Message::Facility
Collection of streams.
Definition: Message.h:1579
Rose::BinaryAnalysis::InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to symbolic RISC operations.
Definition: SymbolicSemantics2.h:773
Rose::BinaryAnalysis::FeasiblePath::FeasiblePath
FeasiblePath()
Constructs a new feasible path analyzer.
Definition: BinaryFeasiblePath.h:271
Rose::BinaryAnalysis::FeasiblePath::SearchMode
SearchMode
How to search for paths.
Definition: BinaryFeasiblePath.h:24
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::process
virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics2::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Invoked when the analysis traverses the summary.
Sawyer::Container::BiMap::clear
void clear()
Erase all mappings.
Definition: BiMap.h:63
Rose::BinaryAnalysis::Partitioner2::CfgConstVertexSet
std::set< ControlFlowGraph::ConstVertexIterator > CfgConstVertexSet
Set of CFG vertex pointers.
Definition: ControlFlowGraph.h:240
Rose::BinaryAnalysis::FeasiblePath::processFunctionSummary
virtual void processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process a function summary vertex.
Rose::BinaryAnalysis::FeasiblePath::REG_PATH
RegisterDescriptor REG_PATH
Descriptor of path pseudo-registers.
Definition: BinaryFeasiblePath.h:121
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::name
std::string name
Name of summarized function.
Definition: BinaryFeasiblePath.h:201
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessIdx
Sawyer::Optional< size_t > firstAccessIdx
Instruction position in path where this var was first read.
Definition: BinaryFeasiblePath.h:128
Sawyer::CommandLine::SwitchGroup
A collection of related switch declarations.
Definition: util/Sawyer/CommandLine.h:2522
Rose
Main namespace for the ROSE library.
Definition: BinaryTutorial.dox:3
Rose::BinaryAnalysis::SymbolicExprParser
Parses symbolic expressions from text.
Definition: BinarySymbolicExprParser.h:27
Rose::BinaryAnalysis::SmtSolver::Satisfiable
Satisfiable
Satisfiability constants.
Definition: BinarySmtSolver.h:78
Rose::BinaryAnalysis::FeasiblePath::Settings::maxCallDepth
size_t maxCallDepth
Max length of path in terms of function calls.
Definition: BinaryFeasiblePath.h:77
Rose::BinaryAnalysis::FeasiblePath::Settings::nullDeref
struct Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref nullDeref
Settings for null-dereference analysis.
Rose::BinaryAnalysis::FeasiblePath::SEARCH_MULTI
Blast everything at once to the SMT solver.
Definition: BinaryFeasiblePath.h:27
Sawyer
Name space for the entire library.
Definition: BinaryFeasiblePath.h:575
Rose::BinaryAnalysis::FeasiblePath::Settings::assertionLocations
std::vector< std::string > assertionLocations
Locations at which "constraints" are checked.
Definition: BinaryFeasiblePath.h:80
Rose::BinaryAnalysis::FeasiblePath::functionSummaries
const FunctionSummaries & functionSummaries() const
Function summary information.
Definition: BinaryFeasiblePath.h:477
Rose::BinaryAnalysis::FeasiblePath::cfgToPaths
Partitioner2::CfgConstVertexSet cfgToPaths(const Partitioner2::CfgConstVertexSet &) const
Convert CFG vertices to path vertices.
Rose::BinaryAnalysis::FeasiblePath::shouldInline
virtual bool shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be inlined.
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::memoryIo
virtual void memoryIo(const FeasiblePath &analyzer, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, const InstructionSemantics2::BaseSemantics::SValuePtr &value, const InstructionSemantics2::BaseSemantics::RiscOperatorsPtr &ops)
Function invoked every time a memory reference occurs.
Definition: BinaryFeasiblePath.h:189
Rose::BinaryAnalysis::FeasiblePath::expressionDocumentation
static std::string expressionDocumentation()
Documentation for the symbolic expression parser.
Rose::BinaryAnalysis::FeasiblePath::settings
void settings(const Settings &s)
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:304
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::StatePtr
boost::shared_ptr< class State > StatePtr
Shared-ownership pointer to a semantic state.
Definition: BaseSemantics2.h:1124
Rose::BinaryAnalysis::FeasiblePath::Settings::maxPathLength
size_t maxPathLength
Limit path length in terms of number of instructions.
Definition: BinaryFeasiblePath.h:76
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::constOnly
bool constOnly
If true, check only constants or sets of constants.
Definition: BinaryFeasiblePath.h:95
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer
Base class for callbacks for function summaries.
Definition: BinaryFeasiblePath.h:216
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::DispatcherPtr
boost::shared_ptr< class Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
Definition: BaseSemantics2.h:2049
Rose::BinaryAnalysis::FeasiblePath::Expression::location
AddressIntervalSet location
Location where constraint applies.
Definition: BinaryFeasiblePath.h:59
Rose::BinaryAnalysis::FeasiblePath::VISIT_REVERSE
Visit edges in reverse of the natural order.
Definition: BinaryFeasiblePath.h:39
Rose::BinaryAnalysis::FeasiblePath::pathPostState
static InstructionSemantics2::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath &, size_t vertexIdx)
Get the state at the end of the specified vertex.
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::FunctionSummary
FunctionSummary()
Construct empty function summary.
Definition: BinaryFeasiblePath.h:204
Rose::BinaryAnalysis::FeasiblePath::Settings::nonAddressIsFeasible
bool nonAddressIsFeasible
Indeterminate/undiscovered vertices are feasible?
Definition: BinaryFeasiblePath.h:82
Rose::BinaryAnalysis::FeasiblePath::Settings::maxVertexVisit
size_t maxVertexVisit
Max times to visit a particular vertex in one path.
Definition: BinaryFeasiblePath.h:75
Rose::BinaryAnalysis::RegisterDescriptor
Describes (part of) a physical CPU register.
Definition: RegisterDescriptor.h:25
Rose::BinaryAnalysis::FeasiblePath::Settings::maxRecursionDepth
size_t maxRecursionDepth
Max path length in terms of recursive function calls.
Definition: BinaryFeasiblePath.h:78
Rose::BinaryAnalysis::InstructionSemantics2::BaseSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to a RISC operators object.
Definition: BaseSemantics2.h:1357
Rose::BinaryAnalysis::FeasiblePath::reset
void reset()
Reset to initial state without changing settings.
Definition: BinaryFeasiblePath.h:277
Rose::BinaryAnalysis::Partitioner2::CfgPath
A path through a control flow graph.
Definition: CfgPath.h:15
Rose::BinaryAnalysis::Partitioner2::CfgConstEdgeSet
std::set< ControlFlowGraph::ConstEdgeIterator > CfgConstEdgeSet
Set of CFG edge pointers.
Definition: ControlFlowGraph.h:247
Rose::BinaryAnalysis::FeasiblePath::VarDetail
Information about a variable seen on a path.
Definition: BinaryFeasiblePath.h:124
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::found
virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const SmtSolverPtr &solver)
Function invoked whenever a complete path is found.
Definition: BinaryFeasiblePath.h:167
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
FunctionSummarizer::Ptr functionSummarizer() const
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:389
Rose::BinaryAnalysis::FeasiblePath::shouldSummarizeCall
virtual bool shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex, const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be summarized instead of inlined.
Rose::BinaryAnalysis::FeasiblePath::isFunctionCall
bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &) const
True if vertex is a function call.
Rose::BinaryAnalysis::FeasiblePath::Expression::expr
SymbolicExpr::Ptr expr
Symbolic expression.
Definition: BinaryFeasiblePath.h:61
Rose::BinaryAnalysis::FeasiblePath::Settings::ignoreSemanticFailure
bool ignoreSemanticFailure
Whether to ignore instructions with no semantic info.
Definition: BinaryFeasiblePath.h:86
Rose::BinaryAnalysis::FeasiblePath::Settings::searchMode
SearchMode searchMode
Method to use when searching for feasible paths.
Definition: BinaryFeasiblePath.h:73
Sawyer::Attribute::Id
size_t Id
Attribute identification.
Definition: Attribute.h:140
Sawyer::Container::Graph::clear
void clear()
Remove all vertices and edges.
Definition: Graph.h:1998
Rose::BinaryAnalysis::FeasiblePath::pathEndsWithFunctionCall
bool pathEndsWithFunctionCall(const Partitioner2::CfgPath &) const
True if path ends with a function call.
Rose::BinaryAnalysis::FeasiblePath::printPath
void printPath(std::ostream &out, const Partitioner2::CfgPath &) const
Print the path to the specified output stream.
Rose::BinaryAnalysis::FeasiblePath::AddressSet
std::set< rose_addr_t > AddressSet
Set of basic block addresses.
Definition: BinaryFeasiblePath.h:50
Rose::BinaryAnalysis::FeasiblePath::buildVirtualCpu
virtual InstructionSemantics2::BaseSemantics::DispatcherPtr buildVirtualCpu(const Partitioner2::Partitioner &, const Partitioner2::CfgPath *, PathProcessor *, const SmtSolver::Ptr &)
Create the virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::settings
const Settings & settings() const
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:302
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memByteNumber
size_t memByteNumber
Byte number for memory access.
Definition: BinaryFeasiblePath.h:131
Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::stackDelta
int64_t stackDelta
Stack delta for summarized function.
Definition: BinaryFeasiblePath.h:200
Sawyer::SharedObject
Base class for reference counted objects.
Definition: SharedObject.h:64
Rose::BinaryAnalysis::FeasiblePath::Settings::kCycleCoefficient
double kCycleCoefficient
Coefficient for adjusting maxPathLengh during CFG cycles.
Definition: BinaryFeasiblePath.h:87
Rose::BinaryAnalysis::FeasiblePath::commandLineSwitches
static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings)
Describe command-line switches.
Rose::BinaryAnalysis::FeasiblePath::PathProcessor::nullDeref
virtual void nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, IoMode ioMode, const InstructionSemantics2::BaseSemantics::SValuePtr &addr, SgAsmInstruction *)
Function invoked whenever a null pointer dereference is detected.
Definition: BinaryFeasiblePath.h:182
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::Ptr
Sawyer::SharedPointer< FunctionSummarizer > Ptr
Reference counting pointer.
Definition: BinaryFeasiblePath.h:219
Rose::BinaryAnalysis::FeasiblePath::mlog
static Sawyer::Message::Facility mlog
Diagnostic output.
Definition: BinaryFeasiblePath.h:112
Rose::BinaryAnalysis::FeasiblePath::processVertex
virtual void processVertex(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, size_t &pathInsnIndex)
Process one vertex.
Rose::BinaryAnalysis::FeasiblePath::varDetails
const VarDetails & varDetails(const InstructionSemantics2::BaseSemantics::StatePtr &) const
Details about all variables by name.
Rose::BinaryAnalysis::FeasiblePath::pathLength
static size_t pathLength(const Partitioner2::CfgPath &)
Total length of path.
Rose::BinaryAnalysis::FeasiblePath::pathToCfg
Partitioner2::ControlFlowGraph::ConstVertexIterator pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const
Convert path vertex to a CFG vertex.
Rose::BinaryAnalysis::FeasiblePath::VISIT_NATURAL
Visit edges in their natural, forward order.
Definition: BinaryFeasiblePath.h:38
Rose::BinaryAnalysis::FeasiblePath::functionSummary
const FunctionSummary & functionSummary(rose_addr_t entryVa) const
Function summary information.
Rose::BinaryAnalysis::FeasiblePath::partitioner
const Partitioner2::Partitioner & partitioner() const
Property: Partitioner currently in use.
Rose::BinaryAnalysis::RegisterDictionary
Defines registers available for a particular architecture.
Definition: Registers.h:35
Rose::BinaryAnalysis::FeasiblePath::varDetail
const VarDetail & varDetail(const InstructionSemantics2::BaseSemantics::StatePtr &, const std::string &varName) const
Details about a variable.
Rose::BinaryAnalysis::FeasiblePath::processBasicBlock
virtual void processBasicBlock(const Partitioner2::BasicBlock::Ptr &bblock, const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process instructions for one basic block on the specified virtual CPU.
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memAddress
SymbolicExpr::Ptr memAddress
Address where variable is located.
Definition: BinaryFeasiblePath.h:129
Rose::BinaryAnalysis::Partitioner2::Partitioner
Partitions instructions into basic blocks and functions.
Definition: Partitioner.h:317
Rose::BinaryAnalysis::FeasiblePath::reachedBlockVas
const AddressSet & reachedBlockVas() const
Property: Addresses reached during analysis.
Rose::BinaryAnalysis::FeasiblePath::Settings::solverName
std::string solverName
Type of SMT solver.
Definition: BinaryFeasiblePath.h:83
Rose::BinaryAnalysis::FeasiblePath::EdgeVisitOrder
EdgeVisitOrder
Edge visitation order.
Definition: BinaryFeasiblePath.h:37
Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
void functionSummarizer(const FunctionSummarizer::Ptr &f)
Property: Function summary handling.
Definition: BinaryFeasiblePath.h:390
Rose::BinaryAnalysis::FeasiblePath::settings
Settings & settings()
Property: Settings used by this analysis.
Definition: BinaryFeasiblePath.h:303
Rose::BinaryAnalysis::FeasiblePath::VarDetail::memSize
size_t memSize
Size of total memory access in bytes.
Definition: BinaryFeasiblePath.h:130
Sawyer::Container::Map
Container associating values with keys.
Definition: Sawyer/Map.h:66
Rose::BinaryAnalysis::FeasiblePath::Settings::exprParserDoc
std::string exprParserDoc
String documenting how expressions are parsed, empty for default.
Definition: BinaryFeasiblePath.h:101
Rose::BinaryAnalysis::FeasiblePath::Settings::processFinalVertex
bool processFinalVertex
Whether to process the last vertex of the path.
Definition: BinaryFeasiblePath.h:85
Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessInsn
SgAsmInstruction * firstAccessInsn
Instruction address where this var was first read.
Definition: BinaryFeasiblePath.h:127
Rose::BinaryAnalysis::FeasiblePath::Settings
Settings that control this analysis.
Definition: BinaryFeasiblePath.h:71
Rose::BinaryAnalysis::FeasiblePath::initDiagnostics
static void initDiagnostics()
Initialize diagnostic output.
Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::check
bool check
If true, look for null dereferences along the paths.
Definition: BinaryFeasiblePath.h:93
Rose::BinaryAnalysis::FeasiblePath::setInitialState
virtual void setInitialState(const InstructionSemantics2::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex)
Initialize state for first vertex of path.
Rose::BinaryAnalysis::FeasiblePath::Settings::initialStackPtr
Sawyer::Optional< rose_addr_t > initialStackPtr
Concrete value to use for stack pointer register initial value.
Definition: BinaryFeasiblePath.h:74
Rose::BinaryAnalysis::FeasiblePath::SemanticMemoryParadigm
SemanticMemoryParadigm
Organization of semantic memory.
Definition: BinaryFeasiblePath.h:31
Rose::BinaryAnalysis::FeasiblePath::Settings::assertions
std::vector< Expression > assertions
Constraints to be satisfied at some point along the path.
Definition: BinaryFeasiblePath.h:79
Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::init
virtual void init(const FeasiblePath &analysis, FunctionSummary &summary, const Partitioner2::Function::Ptr &function, Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget)=0
Invoked when a new summary is created.
Generated on Mon Jul 8 2019 04:55:20 for ROSE by   doxygen 1.8.10