ROSE_HTML_Reference/FeasiblePath_8h_source.html

#ifndef ROSE_BinaryAnalysis_FeasiblePath_H

#define ROSE_BinaryAnalysis_FeasiblePath_H

#include <featureTests.h>

#ifdef ROSE_ENABLE_BINARY_ANALYSIS


#include <Rose/BinaryAnalysis/BasicTypes.h>

#include <Rose/BinaryAnalysis/InstructionSemantics/SymbolicSemantics.h>

#include <Rose/BinaryAnalysis/SmtSolver.h>

#include <Rose/BinaryAnalysis/SymbolicExpressionParser.h>

#include <Rose/BinaryAnalysis/Partitioner2/CfgPath.h>

#include <Rose/Exception.h>

#include <Sawyer/CommandLine.h>

#include <Sawyer/Message.h>

#include <boost/filesystem/path.hpp>

#include <boost/logic/tribool.hpp>


namespace Rose {

namespace BinaryAnalysis {


class FeasiblePath {

    //                                  Types and public data members

public:


    class Exception: public Rose::Exception {

    public:

        Exception(const std::string &what)

            : Rose::Exception(what) {}

        ~Exception() throw () {}

    };


    enum SearchMode {

        SEARCH_SINGLE_DFS,

        SEARCH_SINGLE_BFS,

        SEARCH_MULTI

    };


    enum SemanticMemoryParadigm {

        LIST_BASED_MEMORY,

        MAP_BASED_MEMORY

    };


    enum EdgeVisitOrder {

        VISIT_NATURAL,

        VISIT_REVERSE,

        VISIT_RANDOM,

    };


    enum IoMode { READ, WRITE };


    enum MayOrMust { MAY, MUST };


    typedef std::set<rose_addr_t> AddressSet;


    struct Expression {

        AddressIntervalSet location;

        std::string parsable;

        SymbolicExpressionPtr expr;

        Expression() {}

        /*implicit*/ Expression(const std::string &parsable): parsable(parsable) {}

        /*implicit*/ Expression(const SymbolicExpressionPtr &expr): expr(expr) {}


        void print(std::ostream&) const;

    };


    struct Settings {

        // Path feasibility

        SearchMode searchMode;

        Sawyer::Optional<rose_addr_t> initialStackPtr;

        size_t maxVertexVisit;

        size_t maxPathLength;

        size_t maxCallDepth;

        size_t maxRecursionDepth;

        std::vector<Expression> assertions;

        std::vector<std::string> assertionLocations;

        std::vector<rose_addr_t> summarizeFunctions;

        bool nonAddressIsFeasible;

        std::string solverName;

        SemanticMemoryParadigm memoryParadigm;

        bool processFinalVertex;

        bool ignoreSemanticFailure;

        double kCycleCoefficient;

        EdgeVisitOrder edgeVisitOrder;

        bool trackingCodeCoverage;

        std::vector<rose_addr_t> ipRewrite;

        Sawyer::Optional<boost::chrono::duration<double> > smtTimeout;

        size_t maxExprSize;

        bool traceSemantics;

        // Null dereferences


        struct NullDeref {

            bool check;

            MayOrMust mode;

            bool constOnly;

            rose_addr_t minValid;

            NullDeref()

                : check(false), mode(MUST), constOnly(false), minValid(1024) {}

        } nullDeref;

        std::string exprParserDoc;


        Settings()

            : searchMode(SEARCH_SINGLE_DFS), maxVertexVisit((size_t)-1), maxPathLength(200), maxCallDepth((size_t)-1),

              maxRecursionDepth((size_t)-1), nonAddressIsFeasible(true), solverName("best"),

              memoryParadigm(LIST_BASED_MEMORY), processFinalVertex(false), ignoreSemanticFailure(false),

              kCycleCoefficient(0.0), edgeVisitOrder(VISIT_NATURAL), trackingCodeCoverage(true), maxExprSize(UNLIMITED),

              traceSemantics(false) {}


    };


    struct Statistics {

        size_t nPathsExplored;

        size_t maxVertexVisitHits;

        size_t maxPathLengthHits;

        size_t maxCallDepthHits;

        size_t maxRecursionDepthHits;

        Sawyer::Container::Map<rose_addr_t, size_t> reachedBlockVas;

        Statistics()

            : nPathsExplored(0), maxVertexVisitHits(0), maxPathLengthHits(0), maxCallDepthHits(0), maxRecursionDepthHits(0) {}


        Statistics& operator+=(const Statistics&);

    };


    static Sawyer::Message::Facility mlog;


     RegisterDescriptor REG_PATH;


    struct VarDetail {

        std::string registerName;

        std::string firstAccessMode;

        SgAsmInstruction *firstAccessInsn;

        Sawyer::Optional<size_t> firstAccessIdx;

        SymbolicExpressionPtr memAddress;

        size_t memSize;

        size_t memByteNumber;

        Sawyer::Optional<rose_addr_t> returnFrom;

        VarDetail(): firstAccessInsn(NULL), memSize(0), memByteNumber(0) {}

        std::string toString() const;

    };


    typedef Sawyer::Container::Map<std::string /*name*/, FeasiblePath::VarDetail> VarDetails;


    class PathProcessor {

    public:


        enum Action {

            BREAK,

            CONTINUE

        };


        virtual ~PathProcessor() {}


        virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path,

                             const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu,

                             const SmtSolverPtr &solver);


        virtual Action nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn,

                                 const InstructionSemantics::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver,

                                 IoMode ioMode, const InstructionSemantics::BaseSemantics::SValuePtr &addr);


        virtual Action memoryIo(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn,

                                const InstructionSemantics::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver,

                                IoMode ioMode, const InstructionSemantics::BaseSemantics::SValuePtr &addr,

                                const InstructionSemantics::BaseSemantics::SValuePtr &value);

    };


    struct FunctionSummary {

        rose_addr_t address = 0;

        int64_t stackDelta;

        std::string name;

        FunctionSummary();


        FunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgFuncVertex, uint64_t stackDelta);

    };


    typedef Sawyer::Container::Map<rose_addr_t, FunctionSummary> FunctionSummaries;


    class FunctionSummarizer: public Sawyer::SharedObject {

    public:

        typedef Sawyer::SharedPointer<FunctionSummarizer> Ptr;

    protected:

        FunctionSummarizer() {}

    public:

        virtual void init(const FeasiblePath &analysis, FunctionSummary &summary /*in,out*/,

                          const Partitioner2::FunctionPtr &function,

                          Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget) = 0;


        virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary,

                             const InstructionSemantics::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;


        virtual InstructionSemantics::SymbolicSemantics::SValuePtr

        returnValue(const FeasiblePath &analysis, const FunctionSummary &summary,

                    const InstructionSemantics::SymbolicSemantics::RiscOperatorsPtr &ops) = 0;

    };


    //                                  Private data members

private:

    Partitioner2::PartitionerConstPtr partitioner_;     // binary analysis context, might be null

    RegisterDictionaryPtr registers_;                   // registers augmented with "path" pseudo-register

    RegisterDescriptor REG_RETURN_;                     // FIXME[Robb P Matzke 2016-10-11]: see source

    Settings settings_;

    FunctionSummaries functionSummaries_;

    Partitioner2::CfgVertexMap vmap_;                   // relates CFG vertices to path vertices

    Partitioner2::ControlFlowGraph paths_;              // all possible paths, feasible or otherwise

    Partitioner2::CfgConstVertexSet pathsBeginVertices_;// vertices of paths_ where searching starts

    Partitioner2::CfgConstVertexSet pathsEndVertices_;  // vertices of paths_ where searching stops

    bool isDirectedSearch_ = true;                      // use pathsEndVertices_?

    Partitioner2::CfgConstEdgeSet cfgAvoidEdges_;       // CFG edges to avoid

    Partitioner2::CfgConstVertexSet cfgEndAvoidVertices_;// CFG end-of-path and other avoidance vertices

    FunctionSummarizer::Ptr functionSummarizer_;        // user-defined function for handling function summaries

    InstructionSemantics::BaseSemantics::StatePtr initialState_; // set by setInitialState.

    static Sawyer::Attribute::Id POST_STATE;            // stores semantic state after executing the insns for a vertex

    static Sawyer::Attribute::Id POST_INSN_LENGTH;      // path length in instructions at end of vertex

    static Sawyer::Attribute::Id EFFECTIVE_K;           // (double) effective maximimum path length


    mutable SAWYER_THREAD_TRAITS::Mutex statsMutex_;    // protects the following data member

    Statistics stats_;                                  // statistical results of the analysis


    //                                  Construction, destruction

public:

    FeasiblePath();

    virtual ~FeasiblePath();


    void reset();


    void resetStatistics() {

        SAWYER_THREAD_TRAITS::LockGuard lock(statsMutex_);

        stats_ = Statistics();

    }


    static void initDiagnostics();


    //                                  Settings affecting behavior

public:

    const Settings& settings() const { return settings_; }

    Settings& settings() { return settings_; }

    void settings(const Settings &s) { settings_ = s; }

    static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings);


    static std::string expressionDocumentation();


    //                                  Overridable processing functions

public:

    virtual InstructionSemantics::BaseSemantics::DispatcherPtr

    buildVirtualCpu(const Partitioner2::PartitionerConstPtr&, const Partitioner2::CfgPath*, PathProcessor*, const SmtSolverPtr&);


    virtual void

    setInitialState(const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu,

                    const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex);


    virtual void

    processBasicBlock(const Partitioner2::BasicBlockPtr &bblock,

                      const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex);


    virtual void

    processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex,

                              const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu,

                              size_t pathInsnIndex);


    virtual void

    processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,

                           const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu,

                           size_t pathInsnIndex);


    virtual void

    processVertex(const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu,

                  const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex,

                  size_t pathInsnIndex);


    virtual bool

    shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex,

                        const Partitioner2::ControlFlowGraph &cfg,

                        const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);


    virtual bool

    shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget);


    FunctionSummarizer::Ptr functionSummarizer() const { return functionSummarizer_; }

    void functionSummarizer(const FunctionSummarizer::Ptr &f) { functionSummarizer_ = f; }

    //                                  Utilities

public:

    Partitioner2::ControlFlowGraph::ConstVertexIterator

    pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const;


    Partitioner2::CfgConstVertexSet

    cfgToPaths(const Partitioner2::CfgConstVertexSet&) const;


    Partitioner2::CfgConstEdgeSet

    cfgToPaths(const Partitioner2::CfgConstEdgeSet&) const;


    bool pathEndsWithFunctionCall(const Partitioner2::CfgPath&) const;


    bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator&) const;


    void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex,

                         size_t &insnIdx /*in,out*/) const;


    void printPath(std::ostream &out, const Partitioner2::CfgPath&) const;


    bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg,

                                const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex,

                                const Partitioner2::CfgConstVertexSet &endVertices);


    //                                  Functions for describing the search space

public:


    void

    setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner,

                      const Partitioner2::CfgConstVertexSet &cfgBeginVertices,

                      const Partitioner2::CfgConstVertexSet &cfgEndVertices,

                      const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),

                      const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());

    void

    setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner,

                      const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex,

                      const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgEndVertex,

                      const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),

                      const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());

    void

    setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner,

                      const Partitioner2::CfgConstVertexSet &cfgBeginVertices,

                      const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),

                      const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());

    void

    setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner,

                      const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex,

                      const Partitioner2::CfgConstVertexSet &cfgAvoidVertices = Partitioner2::CfgConstVertexSet(),

                      const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges = Partitioner2::CfgConstEdgeSet());


    bool isDirectedSearch() const {

        return isDirectedSearch_;

    }


    //                                  Functions for searching for paths

public:

    void depthFirstSearch(PathProcessor &pathProcessor);


    //                                  Functions for getting the results

public:

    Partitioner2::PartitionerConstPtr partitioner() const;


    const FunctionSummaries& functionSummaries() const {

        return functionSummaries_;

    }


    const FunctionSummary& functionSummary(rose_addr_t entryVa) const;


    const VarDetail& varDetail(const InstructionSemantics::BaseSemantics::StatePtr&, const std::string &varName) const;


    const VarDetails& varDetails(const InstructionSemantics::BaseSemantics::StatePtr&) const;


    InstructionSemantics::BaseSemantics::StatePtr initialState() const;


    static InstructionSemantics::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath&, size_t vertexIdx);


    double pathEffectiveK(const Partitioner2::CfgPath&) const;


    static size_t pathLength(const Partitioner2::CfgPath&, int position = -1);


    Statistics statistics() const {

        SAWYER_THREAD_TRAITS::LockGuard lock(statsMutex_);

        return stats_;

    }


    //                                  Private supporting functions

private:

    // Check that analysis settings are valid, or throw an exception.

    void checkSettings() const;


    static rose_addr_t virtualAddress(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex);


    void insertCallSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsCallSite,

                           const Partitioner2::ControlFlowGraph &cfg,

                           const Partitioner2::ControlFlowGraph::ConstEdgeIterator &cfgCallEdge);


    boost::filesystem::path emitPathGraph(size_t callId, size_t graphId);  // emit paths graph to "rose-debug" directory


    // Pop an edge (or more) from the path and follow some other edge.  Also, adjust the SMT solver's stack in a similar

    // way. The SMT solver will have an initial state, plus one pushed state per edge of the path.

    void backtrack(Partitioner2::CfgPath &path /*in,out*/, const SmtSolverPtr&);


    // Process one edge of a path to find any path constraints. When called, the cpu's current state should be the virtual

    // machine state at it exists just prior to executing the target vertex of the specified edge.

    //

    // Returns a null pointer if the edge's assertion is trivially unsatisfiable, such as when the edge points to a basic block

    // whose address doesn't match the contents of the instruction pointer register after executing the edge's source

    // block. Otherwise, returns a symbolic expression which must be tree if the edge is feasible. For trivially feasible

    // edges, the return value is the constant 1 (one bit wide; i.e., true).

    SymbolicExpressionPtr pathEdgeConstraint(const Partitioner2::ControlFlowGraph::ConstEdgeIterator &pathEdge,

                                             const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu);


    // Parse the expression if it's a parsable string, otherwise return the expression as is. */

    Expression parseExpression(Expression, const std::string &where, SymbolicExpressionParser&) const;


    SymbolicExpressionPtr expandExpression(const Expression&, const SymbolicExpressionParser&);


    // Based on the last vertex of the path, insert user-specified assertions into the SMT solver.

    void insertAssertions(const SmtSolverPtr&, const Partitioner2::CfgPath&,

                          const std::vector<Expression> &assertions, bool atEndOfPath, const SymbolicExpressionParser&);


    // Size of vertex. How much of "k" does this vertex consume?

    static size_t vertexSize(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);


    // Information needed for adding user-supplied assertions to the solver.

    struct Substitutions {

        SymbolicExpressionParser exprParser;

        std::vector<Expression> assertions;

        SymbolicExpressionParser::RegisterSubstituter::Ptr regSubber;

        SymbolicExpressionParser::MemorySubstituter::Ptr memSubber;

    };


    // Insert the edge assertion and any applicable user assertions (after delayed expansion of the expressions' register

    // and memory references), and run the solver, returning its result.

    SmtSolver::Satisfiable

    solvePathConstraints(const SmtSolverPtr&, const Partitioner2::CfgPath&, const SymbolicExpressionPtr &edgeAssertion,

                         const Substitutions&, bool atEndOfPath);


    // Mark vertex as being reached

    void markAsReached(const Partitioner2::ControlFlowGraph::ConstVertexIterator&);


    // Top-level info for debugging

    void dfsDebugHeader(Sawyer::Message::Stream &trace, Sawyer::Message::Stream &debug, size_t callId, size_t graphId);


    // Top-level info for debugging a path.

    void dfsDebugCurrentPath(Sawyer::Message::Stream&, const Partitioner2::CfgPath&, const SmtSolverPtr&, size_t effectiveK);


    // Prepare substitutions for registers and memory based on user-supplied symbolic expressions.

    Substitutions parseSubstitutions();


    // Substitute registers and memory values into user-supplied symbolic expressions.

    void makeSubstitutions(const Substitutions&, const InstructionSemantics::BaseSemantics::RiscOperatorsPtr&);


    // Create an SMT solver. It will have an initial state plus, eventually, a transaction for each path edge.

    SmtSolverPtr createSmtSolver();


    // The parts of the instruction semantics framework

    struct Semantics {

        InstructionSemantics::BaseSemantics::DispatcherPtr cpu;

        InstructionSemantics::BaseSemantics::RiscOperatorsPtr ops;

        InstructionSemantics::BaseSemantics::StatePtr originalState;

    };


    // Create the parts of the instruction semantics framework.

    Semantics createSemantics(const Partitioner2::CfgPath&, PathProcessor&, const SmtSolverPtr&);


    // Convert a position to an index. Negative positions measure from the end of the sequence so that -1 refers to the last

    // element, -2 to the second-to-last element, etc. Non-negative positions are the same thing as an index.  Returns nothing

    // if the position is out of range.

    static Sawyer::Optional<size_t> positionToIndex(int position, size_t nElmts);


    // Obtain the incoming state for the specified path vertex. This is a pointer to the state, so copy it if you make changes.

    // The incoming state for the first vertex is the specified initial state.

    InstructionSemantics::BaseSemantics::StatePtr

    incomingState(const Partitioner2::CfgPath&, int position, const InstructionSemantics::BaseSemantics::StatePtr &initialState);


    // Number of steps (e.g., instructions) up to but not including the specified path vertex.

    size_t incomingStepCount(const Partitioner2::CfgPath&, int position);


    // Number of steps (e.g., instructions) up to and including the specified path vertex.

    size_t outgoingStepCount(const Partitioner2::CfgPath&, int position);


    // Evaluate semantics up to and including the specified path vertex, returning the outgoing state for that vertex. If

    // semantics fails, then returns a null state pointer.

    InstructionSemantics::BaseSemantics::StatePtr evaluate(Partitioner2::CfgPath&, int position, const Semantics&);


    // Check whether the last vertex of the path is feasible. Returns true if provably feasible, false if provably infeasible,

    // or indeterminate if not provable one way or the other.

    boost::logic::tribool isFeasible(Partitioner2::CfgPath&, const Substitutions&, const Semantics&, const SmtSolverPtr&);


    // Safely call the path processor's "found" action for the path's final vertex and return its value.

    PathProcessor::Action callPathProcessorFound(PathProcessor&, Partitioner2::CfgPath&, const Semantics&, const SmtSolverPtr&);


    // Given an effective K value, adjust it based on how often the last vertex of the path has been visited.  Returns a new

    // effective K. As a special case, the new K is zero if the last vertex has been visited too often.

    double adjustEffectiveK(Partitioner2::CfgPath&, double oldK);


    // Given a path that ends with a function call, inline the function or a summary of the function, adjusting the paths_

    // control flow graph.

    void summarizeOrInline(Partitioner2::CfgPath&, const Semantics&);

};


} // namespace

} // namespace


std::ostream& operator<<(std::ostream&, const Rose::BinaryAnalysis::FeasiblePath::Expression&);


// Convert string to feasible path expression during command-line parsing


namespace Sawyer {


    namespace CommandLine {

        template<>


        struct LexicalCast<Rose::BinaryAnalysis::FeasiblePath::Expression> {

            static Rose::BinaryAnalysis::FeasiblePath::Expression convert(const std::string &src) {

                return Rose::BinaryAnalysis::FeasiblePath::Expression(src);

            }

        };


    }


}


#endif

#endif


Rose::BinaryAnalysis::FeasiblePath::Exception
Exception for errors specific to feasible path analysis.
Definition FeasiblePath.h:29

Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer
Base class for callbacks for function summaries.
Definition FeasiblePath.h:310

Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::returnValue
virtual InstructionSemantics::SymbolicSemantics::SValuePtr returnValue(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Return value for function.

Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::init
virtual void init(const FeasiblePath &analysis, FunctionSummary &summary, const Partitioner2::FunctionPtr &function, Partitioner2::ControlFlowGraph::ConstVertexIterator cfgCallTarget)=0
Invoked when a new summary is created.

Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::Ptr
Sawyer::SharedPointer< FunctionSummarizer > Ptr
Reference counting pointer.
Definition FeasiblePath.h:313

Rose::BinaryAnalysis::FeasiblePath::FunctionSummarizer::process
virtual bool process(const FeasiblePath &analysis, const FunctionSummary &summary, const InstructionSemantics::SymbolicSemantics::RiscOperatorsPtr &ops)=0
Invoked when the analysis traverses the summary.

Rose::BinaryAnalysis::FeasiblePath::PathProcessor
Path searching functor.
Definition FeasiblePath.h:178

Rose::BinaryAnalysis::FeasiblePath::PathProcessor::memoryIo
virtual Action memoryIo(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn, const InstructionSemantics::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics::BaseSemantics::SValuePtr &addr, const InstructionSemantics::BaseSemantics::SValuePtr &value)
Function invoked every time a memory reference occurs.

Rose::BinaryAnalysis::FeasiblePath::PathProcessor::Action
Action
Definition FeasiblePath.h:180

Rose::BinaryAnalysis::FeasiblePath::PathProcessor::CONTINUE
@ CONTINUE
Continue along this path.
Definition FeasiblePath.h:182

Rose::BinaryAnalysis::FeasiblePath::PathProcessor::BREAK
@ BREAK
Do not continue along this path.
Definition FeasiblePath.h:181

Rose::BinaryAnalysis::FeasiblePath::PathProcessor::nullDeref
virtual Action nullDeref(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, SgAsmInstruction *insn, const InstructionSemantics::BaseSemantics::RiscOperatorsPtr &cpu, const SmtSolverPtr &solver, IoMode ioMode, const InstructionSemantics::BaseSemantics::SValuePtr &addr)
Function invoked whenever a null pointer dereference is detected.

Rose::BinaryAnalysis::FeasiblePath::PathProcessor::found
virtual Action found(const FeasiblePath &analyzer, const Partitioner2::CfgPath &path, const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, const SmtSolverPtr &solver)
Function invoked whenever a complete path is found.

Rose::BinaryAnalysis::FeasiblePath
Feasible path analysis.
Definition FeasiblePath.h:23

Rose::BinaryAnalysis::FeasiblePath::statistics
Statistics statistics() const
Cumulative statistics about prior analyses.
Definition FeasiblePath.h:637

Rose::BinaryAnalysis::FeasiblePath::REG_PATH
RegisterDescriptor REG_PATH
Descriptor of path pseudo-registers.
Definition FeasiblePath.h:155

Rose::BinaryAnalysis::FeasiblePath::commandLineSwitches
static Sawyer::CommandLine::SwitchGroup commandLineSwitches(Settings &settings)
Describe command-line switches.

Rose::BinaryAnalysis::FeasiblePath::settings
void settings(const Settings &s)
Property: Settings used by this analysis.
Definition FeasiblePath.h:395

Rose::BinaryAnalysis::FeasiblePath::IoMode
IoMode
Read or write operation.
Definition FeasiblePath.h:57

Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgEndVertex, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.

Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgBeginVertex, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.

Rose::BinaryAnalysis::FeasiblePath::cfgToPaths
Partitioner2::CfgConstVertexSet cfgToPaths(const Partitioner2::CfgConstVertexSet &) const
Convert CFG vertices to path vertices.

Rose::BinaryAnalysis::FeasiblePath::FeasiblePath
FeasiblePath()
Constructs a new feasible path analyzer.

Rose::BinaryAnalysis::FeasiblePath::MayOrMust
MayOrMust
Types of comparisons.
Definition FeasiblePath.h:60

Rose::BinaryAnalysis::FeasiblePath::isFunctionCall
bool isFunctionCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &) const
True if vertex is a function call.

Rose::BinaryAnalysis::FeasiblePath::pathEffectiveK
double pathEffectiveK(const Partitioner2::CfgPath &) const
Effective maximum path length.

Rose::BinaryAnalysis::FeasiblePath::VarDetails
Sawyer::Container::Map< std::string, FeasiblePath::VarDetail > VarDetails
Variable detail by name.
Definition FeasiblePath.h:173

Rose::BinaryAnalysis::FeasiblePath::resetStatistics
void resetStatistics()
Reset only statistics.
Definition FeasiblePath.h:377

Rose::BinaryAnalysis::FeasiblePath::buildVirtualCpu
virtual InstructionSemantics::BaseSemantics::DispatcherPtr buildVirtualCpu(const Partitioner2::PartitionerConstPtr &, const Partitioner2::CfgPath *, PathProcessor *, const SmtSolverPtr &)
Create the virtual CPU.

Rose::BinaryAnalysis::FeasiblePath::EdgeVisitOrder
EdgeVisitOrder
Edge visitation order.
Definition FeasiblePath.h:50

Rose::BinaryAnalysis::FeasiblePath::VISIT_NATURAL
@ VISIT_NATURAL
Visit edges in their natural, forward order.
Definition FeasiblePath.h:51

Rose::BinaryAnalysis::FeasiblePath::VISIT_RANDOM
@ VISIT_RANDOM
Visit edges in random order.
Definition FeasiblePath.h:53

Rose::BinaryAnalysis::FeasiblePath::VISIT_REVERSE
@ VISIT_REVERSE
Visit edges in reverse of the natural order.
Definition FeasiblePath.h:52

Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner, const Partitioner2::CfgConstVertexSet &cfgBeginVertices, const Partitioner2::CfgConstVertexSet &cfgEndVertices, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.

Rose::BinaryAnalysis::FeasiblePath::varDetail
const VarDetail & varDetail(const InstructionSemantics::BaseSemantics::StatePtr &, const std::string &varName) const
Details about a variable.

Rose::BinaryAnalysis::FeasiblePath::shouldInline
virtual bool shouldInline(const Partitioner2::CfgPath &path, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be inlined.

Rose::BinaryAnalysis::FeasiblePath::isDirectedSearch
bool isDirectedSearch() const
Property: Whether search is directed or not.
Definition FeasiblePath.h:567

Rose::BinaryAnalysis::FeasiblePath::functionSummaries
const FunctionSummaries & functionSummaries() const
Function summary information.
Definition FeasiblePath.h:595

Rose::BinaryAnalysis::FeasiblePath::processVertex
virtual void processVertex(const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, size_t pathInsnIndex)
Process one vertex.

Rose::BinaryAnalysis::FeasiblePath::pathPostState
static InstructionSemantics::BaseSemantics::StatePtr pathPostState(const Partitioner2::CfgPath &, size_t vertexIdx)
Get the state at the end of the specified vertex.

Rose::BinaryAnalysis::FeasiblePath::shouldSummarizeCall
virtual bool shouldSummarizeCall(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex, const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgCallTarget)
Determines whether a function call should be summarized instead of inlined.

Rose::BinaryAnalysis::FeasiblePath::cfgToPaths
Partitioner2::CfgConstEdgeSet cfgToPaths(const Partitioner2::CfgConstEdgeSet &) const
Convert CFG edges to path edges.

Rose::BinaryAnalysis::FeasiblePath::isAnyEndpointReachable
bool isAnyEndpointReachable(const Partitioner2::ControlFlowGraph &cfg, const Partitioner2::ControlFlowGraph::ConstVertexIterator &beginVertex, const Partitioner2::CfgConstVertexSet &endVertices)
Determine whether any ending vertex is reachable.

Rose::BinaryAnalysis::FeasiblePath::depthFirstSearch
void depthFirstSearch(PathProcessor &pathProcessor)
Find all feasible paths.

Rose::BinaryAnalysis::FeasiblePath::processFunctionSummary
virtual void processFunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsVertex, const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process a function summary vertex.

Rose::BinaryAnalysis::FeasiblePath::partitioner
Partitioner2::PartitionerConstPtr partitioner() const
Property: Partitioner currently in use.

Rose::BinaryAnalysis::FeasiblePath::expressionDocumentation
static std::string expressionDocumentation()
Documentation for the symbolic expression parser.

Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
FunctionSummarizer::Ptr functionSummarizer() const
Property: Function summary handling.
Definition FeasiblePath.h:480

Rose::BinaryAnalysis::FeasiblePath::mlog
static Sawyer::Message::Facility mlog
Diagnostic output.
Definition FeasiblePath.h:146

Rose::BinaryAnalysis::FeasiblePath::initialState
InstructionSemantics::BaseSemantics::StatePtr initialState() const
Get the initial state before the first path vertex.

Rose::BinaryAnalysis::FeasiblePath::printPathVertex
void printPathVertex(std::ostream &out, const Partitioner2::ControlFlowGraph::Vertex &pathVertex, size_t &insnIdx) const
Print one vertex of a path for debugging.

Rose::BinaryAnalysis::FeasiblePath::setInitialState
virtual void setInitialState(const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathsBeginVertex)
Initialize state for first vertex of path.

Rose::BinaryAnalysis::FeasiblePath::pathToCfg
Partitioner2::ControlFlowGraph::ConstVertexIterator pathToCfg(const Partitioner2::ControlFlowGraph::ConstVertexIterator &pathVertex) const
Convert path vertex to a CFG vertex.

Rose::BinaryAnalysis::FeasiblePath::varDetails
const VarDetails & varDetails(const InstructionSemantics::BaseSemantics::StatePtr &) const
Details about all variables by name.

Rose::BinaryAnalysis::FeasiblePath::functionSummarizer
void functionSummarizer(const FunctionSummarizer::Ptr &f)
Property: Function summary handling.
Definition FeasiblePath.h:481

Rose::BinaryAnalysis::FeasiblePath::setSearchBoundary
void setSearchBoundary(const Partitioner2::PartitionerConstPtr &partitioner, const Partitioner2::CfgConstVertexSet &cfgBeginVertices, const Partitioner2::CfgConstVertexSet &cfgAvoidVertices=Partitioner2::CfgConstVertexSet(), const Partitioner2::CfgConstEdgeSet &cfgAvoidEdges=Partitioner2::CfgConstEdgeSet())
Specify search boundary.

Rose::BinaryAnalysis::FeasiblePath::SemanticMemoryParadigm
SemanticMemoryParadigm
Organization of semantic memory.
Definition FeasiblePath.h:44

Rose::BinaryAnalysis::FeasiblePath::MAP_BASED_MEMORY
@ MAP_BASED_MEMORY
Fast but not precise.
Definition FeasiblePath.h:46

Rose::BinaryAnalysis::FeasiblePath::LIST_BASED_MEMORY
@ LIST_BASED_MEMORY
Precise but slow.
Definition FeasiblePath.h:45

Rose::BinaryAnalysis::FeasiblePath::processBasicBlock
virtual void processBasicBlock(const Partitioner2::BasicBlockPtr &bblock, const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process instructions for one basic block on the specified virtual CPU.

Rose::BinaryAnalysis::FeasiblePath::pathLength
static size_t pathLength(const Partitioner2::CfgPath &, int position=-1)
Total length of path up to and including the specified vertex.

Rose::BinaryAnalysis::FeasiblePath::settings
Settings & settings()
Property: Settings used by this analysis.
Definition FeasiblePath.h:394

Rose::BinaryAnalysis::FeasiblePath::initDiagnostics
static void initDiagnostics()
Initialize diagnostic output.

Rose::BinaryAnalysis::FeasiblePath::SearchMode
SearchMode
How to search for paths.
Definition FeasiblePath.h:37

Rose::BinaryAnalysis::FeasiblePath::SEARCH_SINGLE_DFS
@ SEARCH_SINGLE_DFS
Perform a depth first search.
Definition FeasiblePath.h:38

Rose::BinaryAnalysis::FeasiblePath::SEARCH_SINGLE_BFS
@ SEARCH_SINGLE_BFS
Perform a breadth first search.
Definition FeasiblePath.h:39

Rose::BinaryAnalysis::FeasiblePath::SEARCH_MULTI
@ SEARCH_MULTI
Blast everything at once to the SMT solver.
Definition FeasiblePath.h:40

Rose::BinaryAnalysis::FeasiblePath::settings
const Settings & settings() const
Property: Settings used by this analysis.
Definition FeasiblePath.h:393

Rose::BinaryAnalysis::FeasiblePath::pathEndsWithFunctionCall
bool pathEndsWithFunctionCall(const Partitioner2::CfgPath &) const
True if path ends with a function call.

Rose::BinaryAnalysis::FeasiblePath::functionSummary
const FunctionSummary & functionSummary(rose_addr_t entryVa) const
Function summary information.

Rose::BinaryAnalysis::FeasiblePath::FunctionSummaries
Sawyer::Container::Map< rose_addr_t, FunctionSummary > FunctionSummaries
Summaries for multiple functions.
Definition FeasiblePath.h:305

Rose::BinaryAnalysis::FeasiblePath::AddressSet
std::set< rose_addr_t > AddressSet
Set of basic block addresses.
Definition FeasiblePath.h:63

Rose::BinaryAnalysis::FeasiblePath::processIndeterminateBlock
virtual void processIndeterminateBlock(const Partitioner2::ControlFlowGraph::ConstVertexIterator &vertex, const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu, size_t pathInsnIndex)
Process an indeterminate block.

Rose::BinaryAnalysis::FeasiblePath::reset
void reset()
Reset to initial state without changing settings.

Rose::BinaryAnalysis::FeasiblePath::printPath
void printPath(std::ostream &out, const Partitioner2::CfgPath &) const
Print the path to the specified output stream.

Rose::BinaryAnalysis::Partitioner2::CfgPath
A path through a control flow graph.
Definition CfgPath.h:17

Rose::BinaryAnalysis::RegisterDescriptor
Describes (part of) a physical CPU register.
Definition RegisterDescriptor.h:28

Rose::BinaryAnalysis::SmtSolver::Satisfiable
Satisfiable
Satisfiability constants.
Definition SmtSolver.h:87

Rose::BinaryAnalysis::SymbolicExpressionParser
Parses symbolic expressions from text.
Definition SymbolicExpressionParser.h:31

Rose::Exception
Base class for all ROSE exceptions.
Definition Rose/Exception.h:10

Sawyer::CommandLine::SwitchGroup
A collection of related switch declarations.
Definition Sawyer/CommandLine.h:2569

Sawyer::Container::GraphIteratorBiMap< ControlFlowGraph::ConstVertexIterator, ControlFlowGraph::ConstVertexIterator >

Sawyer::Container::GraphIteratorSet< ControlFlowGraph::ConstVertexIterator >

Sawyer::Container::Graph< CfgVertex, CfgEdge >

Sawyer::Container::IntervalSet< AddressInterval >

Sawyer::Container::Map
Container associating values with keys.
Definition Sawyer/Map.h:72

Sawyer::Message::Facility
Collection of streams.
Definition Message.h:1606

Sawyer::Message::Stream
Converts text to messages.
Definition Message.h:1396

Sawyer::Optional
Holds a value or nothing.
Definition Optional.h:56

Sawyer::SharedObject
Base class for reference counted objects.
Definition SharedObject.h:64

Sawyer::SharedPointer< Node >

SgAsmInstruction
Base class for machine instructions.
Definition binaryInstruction.C:43518

Rose::BinaryAnalysis::InstructionSemantics::BaseSemantics::RiscOperatorsPtr
boost::shared_ptr< RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to a RISC operators object.
Definition Rose/BinaryAnalysis/InstructionSemantics/BaseSemantics/BasicTypes.h:66

Rose::BinaryAnalysis::InstructionSemantics::BaseSemantics::DispatcherPtr
boost::shared_ptr< Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
Definition Rose/BinaryAnalysis/InstructionSemantics/BaseSemantics/BasicTypes.h:69

Rose::BinaryAnalysis::InstructionSemantics::BaseSemantics::StatePtr
boost::shared_ptr< State > StatePtr
Shared-ownership pointer to a semantic state.
Definition Rose/BinaryAnalysis/InstructionSemantics/BaseSemantics/BasicTypes.h:63

Rose::BinaryAnalysis::InstructionSemantics::SymbolicSemantics::RiscOperatorsPtr
boost::shared_ptr< class RiscOperators > RiscOperatorsPtr
Shared-ownership pointer to symbolic RISC operations.
Definition SymbolicSemantics.h:717

Rose::BinaryAnalysis::SmtSolverPtr
std::shared_ptr< SmtSolver > SmtSolverPtr
Reference counting pointer.
Definition Rose/BinaryAnalysis/BasicTypes.h:57

Rose
The ROSE library.
Definition BinaryTutorial.dox:3

Rose::UNLIMITED
const size_t UNLIMITED
Effectively unlimited size.
Definition Constants.h:19

Sawyer::Attribute::Id
size_t Id
Attribute identification.
Definition Attribute.h:140

Sawyer
Sawyer support library.
Definition FeasiblePath.h:767

Rose::BinaryAnalysis::FeasiblePath::Expression
Expression to be evaluated.
Definition FeasiblePath.h:71

Rose::BinaryAnalysis::FeasiblePath::Expression::expr
SymbolicExpressionPtr expr
Symbolic expression.
Definition FeasiblePath.h:74

Rose::BinaryAnalysis::FeasiblePath::Expression::location
AddressIntervalSet location
Location where constraint applies.
Definition FeasiblePath.h:72

Rose::BinaryAnalysis::FeasiblePath::Expression::parsable
std::string parsable
String to be parsed as an expression.
Definition FeasiblePath.h:73

Rose::BinaryAnalysis::FeasiblePath::FunctionSummary
Information stored per V_USER_DEFINED path vertex.
Definition FeasiblePath.h:292

Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::FunctionSummary
FunctionSummary()
Construct empty function summary.

Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::name
std::string name
Name of summarized function.
Definition FeasiblePath.h:295

Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::FunctionSummary
FunctionSummary(const Partitioner2::ControlFlowGraph::ConstVertexIterator &cfgFuncVertex, uint64_t stackDelta)
Construct function summary with information.

Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::stackDelta
int64_t stackDelta
Stack delta for summarized function.
Definition FeasiblePath.h:294

Rose::BinaryAnalysis::FeasiblePath::FunctionSummary::address
rose_addr_t address
Address of summarized function.
Definition FeasiblePath.h:293

Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref
Definition FeasiblePath.h:109

Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::minValid
rose_addr_t minValid
Minnimum address that is not treated as a null dereference.
Definition FeasiblePath.h:113

Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::constOnly
bool constOnly
If true, check only constants or sets of constants.
Definition FeasiblePath.h:112

Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::mode
MayOrMust mode
Check for addrs that may or must be null.
Definition FeasiblePath.h:111

Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref::check
bool check
If true, look for null dereferences along the paths.
Definition FeasiblePath.h:110

Rose::BinaryAnalysis::FeasiblePath::Settings
Settings that control this analysis.
Definition FeasiblePath.h:84

Rose::BinaryAnalysis::FeasiblePath::Settings::nullDeref
struct Rose::BinaryAnalysis::FeasiblePath::Settings::NullDeref nullDeref
Settings for null-dereference analysis.

Rose::BinaryAnalysis::FeasiblePath::Settings::summarizeFunctions
std::vector< rose_addr_t > summarizeFunctions
Functions to always summarize.
Definition FeasiblePath.h:94

Rose::BinaryAnalysis::FeasiblePath::Settings::maxPathLength
size_t maxPathLength
Limit path length in terms of number of instructions.
Definition FeasiblePath.h:89

Rose::BinaryAnalysis::FeasiblePath::Settings::smtTimeout
Sawyer::Optional< boost::chrono::duration< double > > smtTimeout
Max seconds allowed per SMT solve call.
Definition FeasiblePath.h:104

Rose::BinaryAnalysis::FeasiblePath::Settings::searchMode
SearchMode searchMode
Method to use when searching for feasible paths.
Definition FeasiblePath.h:86

Rose::BinaryAnalysis::FeasiblePath::Settings::maxVertexVisit
size_t maxVertexVisit
Max times to visit a particular vertex in one path.
Definition FeasiblePath.h:88

Rose::BinaryAnalysis::FeasiblePath::Settings::initialStackPtr
Sawyer::Optional< rose_addr_t > initialStackPtr
Concrete value to use for stack pointer register initial value.
Definition FeasiblePath.h:87

Rose::BinaryAnalysis::FeasiblePath::Settings::assertionLocations
std::vector< std::string > assertionLocations
Locations at which "constraints" are checked.
Definition FeasiblePath.h:93

Rose::BinaryAnalysis::FeasiblePath::Settings::processFinalVertex
bool processFinalVertex
Whether to process the last vertex of the path.
Definition FeasiblePath.h:98

Rose::BinaryAnalysis::FeasiblePath::Settings::maxCallDepth
size_t maxCallDepth
Max length of path in terms of function calls.
Definition FeasiblePath.h:90

Rose::BinaryAnalysis::FeasiblePath::Settings::ignoreSemanticFailure
bool ignoreSemanticFailure
Whether to ignore instructions with no semantic info.
Definition FeasiblePath.h:99

Rose::BinaryAnalysis::FeasiblePath::Settings::ipRewrite
std::vector< rose_addr_t > ipRewrite
An even number of from,to pairs for rewriting the insn ptr reg.
Definition FeasiblePath.h:103

Rose::BinaryAnalysis::FeasiblePath::Settings::traceSemantics
bool traceSemantics
Trace all instruction semantics operations.
Definition FeasiblePath.h:106

Rose::BinaryAnalysis::FeasiblePath::Settings::nonAddressIsFeasible
bool nonAddressIsFeasible
Indeterminate/undiscovered vertices are feasible?
Definition FeasiblePath.h:95

Rose::BinaryAnalysis::FeasiblePath::Settings::kCycleCoefficient
double kCycleCoefficient
Coefficient for adjusting maxPathLengh during CFG cycles.
Definition FeasiblePath.h:100

Rose::BinaryAnalysis::FeasiblePath::Settings::memoryParadigm
SemanticMemoryParadigm memoryParadigm
Type of memory state when there's a choice to be made.
Definition FeasiblePath.h:97

Rose::BinaryAnalysis::FeasiblePath::Settings::maxRecursionDepth
size_t maxRecursionDepth
Max path length in terms of recursive function calls.
Definition FeasiblePath.h:91

Rose::BinaryAnalysis::FeasiblePath::Settings::solverName
std::string solverName
Type of SMT solver.
Definition FeasiblePath.h:96

Rose::BinaryAnalysis::FeasiblePath::Settings::assertions
std::vector< Expression > assertions
Constraints to be satisfied at some point along the path.
Definition FeasiblePath.h:92

Rose::BinaryAnalysis::FeasiblePath::Settings::trackingCodeCoverage
bool trackingCodeCoverage
If set, track which block addresses are reached.
Definition FeasiblePath.h:102

Rose::BinaryAnalysis::FeasiblePath::Settings::Settings
Settings()
Default settings.
Definition FeasiblePath.h:122

Rose::BinaryAnalysis::FeasiblePath::Settings::edgeVisitOrder
EdgeVisitOrder edgeVisitOrder
Order in which to visit edges.
Definition FeasiblePath.h:101

Rose::BinaryAnalysis::FeasiblePath::Settings::maxExprSize
size_t maxExprSize
Maximum symbolic expression size before replacement.
Definition FeasiblePath.h:105

Rose::BinaryAnalysis::FeasiblePath::Settings::exprParserDoc
std::string exprParserDoc
String documenting how expressions are parsed, empty for default.
Definition FeasiblePath.h:119

Rose::BinaryAnalysis::FeasiblePath::Statistics
Statistics from path searching.
Definition FeasiblePath.h:131

Rose::BinaryAnalysis::FeasiblePath::Statistics::maxPathLengthHits
size_t maxPathLengthHits
Number of times settings.maxPathLength was hit (effective K).
Definition FeasiblePath.h:134

Rose::BinaryAnalysis::FeasiblePath::Statistics::maxVertexVisitHits
size_t maxVertexVisitHits
Number of times settings.maxVertexVisit was hit.
Definition FeasiblePath.h:133

Rose::BinaryAnalysis::FeasiblePath::Statistics::nPathsExplored
size_t nPathsExplored
Number of paths explored.
Definition FeasiblePath.h:132

Rose::BinaryAnalysis::FeasiblePath::Statistics::maxCallDepthHits
size_t maxCallDepthHits
Number of times settings.maxCallDepth was hit.
Definition FeasiblePath.h:135

Rose::BinaryAnalysis::FeasiblePath::Statistics::reachedBlockVas
Sawyer::Container::Map< rose_addr_t, size_t > reachedBlockVas
Number of times each basic block was reached.
Definition FeasiblePath.h:137

Rose::BinaryAnalysis::FeasiblePath::Statistics::maxRecursionDepthHits
size_t maxRecursionDepthHits
Number of times settings.maxRecursionDepth was hit.
Definition FeasiblePath.h:136

Rose::BinaryAnalysis::FeasiblePath::VarDetail
Information about a variable seen on a path.
Definition FeasiblePath.h:158

Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessIdx
Sawyer::Optional< size_t > firstAccessIdx
Instruction position in path where this var was first read.
Definition FeasiblePath.h:162

Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessMode
std::string firstAccessMode
How was variable first accessed ("read" or "write").
Definition FeasiblePath.h:160

Rose::BinaryAnalysis::FeasiblePath::VarDetail::memAddress
SymbolicExpressionPtr memAddress
Address where variable is located.
Definition FeasiblePath.h:163

Rose::BinaryAnalysis::FeasiblePath::VarDetail::memSize
size_t memSize
Size of total memory access in bytes.
Definition FeasiblePath.h:164

Rose::BinaryAnalysis::FeasiblePath::VarDetail::returnFrom
Sawyer::Optional< rose_addr_t > returnFrom
This variable is the return value from the specified function.
Definition FeasiblePath.h:166

Rose::BinaryAnalysis::FeasiblePath::VarDetail::memByteNumber
size_t memByteNumber
Byte number for memory access.
Definition FeasiblePath.h:165

Rose::BinaryAnalysis::FeasiblePath::VarDetail::firstAccessInsn
SgAsmInstruction * firstAccessInsn
Instruction address where this var was first read.
Definition FeasiblePath.h:161

Sawyer::CommandLine::LexicalCast
Definition Sawyer/CommandLine.h:754