PointerDetection.h

#ifndef ROSE_BinaryAnalysis_PointerDetection_H
#define ROSE_BinaryAnalysis_PointerDetection_H
#include <featureTests.h>
#ifdef ROSE_ENABLE_BINARY_ANALYSIS
 
#include <Rose/BinaryAnalysis/Disassembler/BasicTypes.h>
#include <Rose/BinaryAnalysis/Partitioner2/BasicTypes.h>
#include <Rose/BinaryAnalysis/InstructionSemantics/BaseSemantics.h>
#include <Sawyer/Set.h>
 
namespace Rose {
namespace BinaryAnalysis {
 
namespace PointerDetection {
 
void initDiagnostics();
 
extern Sawyer::Message::Facility mlog;
 
// Settings
 
class Settings {
public:
    bool ignoreConstIp = true;
 
    bool ignoreStrangeSizes = true;
 
    bool saveDataPointers = true;
 
    bool saveCodePointers = true;
 
    bool savePointerVas = true;
 
    bool savePointerAccesses = true;
 
    bool savePointerAccessValues = true;
 
    bool savePointerDereferences = true;
 
    bool savePointerDereferenceValues = true;
 
    uint64_t symbolicTrimThreshold = std::numeric_limits<uint64_t>::max();
 
    size_t maximumDataFlowIterationFactor = 5;
};
 
// PointerDescriptor
 
class PointerDescriptor {
public:
    enum Direction {
        READ,                                           
        WRITE                                           
    };
 
    struct Access {
        rose_addr_t insnVa;                             
        Direction direction;                            
        SymbolicExpression::Ptr value;                  
        Access(rose_addr_t insnVa, Direction direction, const SymbolicExpression::Ptr &value)
            : insnVa(insnVa), direction(direction), value(value) {}
 
        bool operator<(const Access &other) const {
            if (insnVa != other.insnVa)
                return insnVa < other.insnVa;
            if (direction != other.direction)
                return direction < other.direction;
            if (value && other.value) {
                return value->hash() < other.value->hash();
            } else {
                return !value && other.value;
            }
        }
    };
 
    SymbolicExpression::Ptr pointerVa;                  
    size_t nBits;                                       
    std::set<Access> pointerAccesses;                   
    std::set<Access> dereferences;                      
    PointerDescriptor(const SymbolicExpression::Ptr &pointerVa, size_t nBits, rose_addr_t insnVa, Direction dir,
                      const SymbolicExpression::Ptr &pointerValue)
        : pointerVa(pointerVa), nBits(nBits) {
        pointerAccesses.insert(Access(insnVa, dir, pointerValue));
    }
};
 
using PointerDescriptors = std::list<PointerDescriptor>;
 
// Pointer analysis
 
class Analysis {
public:
 
private:
    Settings settings_;
    InstructionSemantics::BaseSemantics::DispatcherPtr cpu_;
    bool hasResults_;                                   // Are the following data members initialized?
    bool didConverge_;                                  // Are the following data members valid (else only appoximations)?
    PointerDescriptors codePointers_;                   // Memory addresses that hold a pointer to code
    PointerDescriptors dataPointers_;                   // Memory addresses that hold a pointer to data
    InstructionSemantics::BaseSemantics::StatePtr initialState_; // Initial state for analysis
    InstructionSemantics::BaseSemantics::StatePtr finalState_;   // Final state for analysis
 
public:
    Analysis()
        : hasResults_(false), didConverge_(false) {}
 
    explicit Analysis(const Disassembler::BasePtr &d, const Settings &settings = Settings())
        : settings_(settings), hasResults_(false), didConverge_(false) {
        init(d);
    }
 
    explicit Analysis(const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu,
                      const Settings &settings = Settings())
        : settings_(settings), cpu_(cpu), hasResults_(false), didConverge_(false) {}
 
    const Settings& settings() const { return settings_; }
    
    void analyzeFunction(const Partitioner2::PartitionerConstPtr&, const Sawyer::SharedPointer<Partitioner2::Function>&);
 
    bool hasResults() const { return hasResults_; }
 
    bool didConverge() const { return didConverge_; }
 
    void clearResults();
 
    void clearNonResults();
 
    const PointerDescriptors& codePointers() const {
        return codePointers_;
    }
 
    const PointerDescriptors& dataPointers() const {
        return dataPointers_;
    }
    
    InstructionSemantics::BaseSemantics::StatePtr initialState() const {
        return initialState_;
    }
 
    InstructionSemantics::BaseSemantics::StatePtr finalState() const {
        return finalState_;
    }
    
private:
    void init(const Disassembler::BasePtr&);
 
    InstructionSemantics::BaseSemantics::RiscOperatorsPtr
    makeRiscOperators(const Partitioner2::PartitionerConstPtr&) const;
 
    // Prints instructions to the mlog[DEBUG] diagnostic stream if that stream is enabled.
    void
    printInstructionsForDebugging(const Partitioner2::PartitionerConstPtr&, const Sawyer::SharedPointer<Partitioner2::Function>&);
 
    // Given a potential pointer's r-value, determine if the r-value is a pointer and if so, store its address in the
    // result. The pointer's value and the defining instructions are added to the two sets, and the result is not updated for
    // values and instructions that have already been processed.
    void
    conditionallySavePointer(const InstructionSemantics::BaseSemantics::SValuePtr &ptrValue,
                             Sawyer::Container::Set<uint64_t> &ptrValueSeen, PointerDescriptors &result);
 
    // Prune results based on settings
    void pruneResults(PointerDescriptors&);
};
 
} // namespace
} // namespace
} // namespace
 
#endif
#endif