|
ROSE 0.11.145.147
|
Stack delta anzalyzer.
Local variables within a function are generally found at constant offsets from a stack frame located on the stack. Some architectures have a stack frame pointer register that points to the current frame, but even on these architectures the register can sometimes be used for other purposes. If there is no frame pointer register, then the stack frame still exists and can be found at a constant offset from the stack pointer's initial value (at the start of the function).
This class performs a data-flow analysis to attempt to assign stack deltas to each instruction: one delta at the start of the instruction and one delta after the instruction executes. A stack delta is the difference between the current top-of-stack and the original top-of-stack.
If a stack delta is known at a particular instruction, then it can be used to find the original stack pointer by subtracting it from the current stack pointer. For example, if a function's first instruction is x86 "PUSH EAX" then the pre-instruction delta is zero and the post-instruction delta will be -4 due to the "push" decrementing ESP by four. After the "push", subtracting -4 from the current ESP value will give you the original ESP, from which you can find the frame.
Definition at line 55 of file StackDelta.h.
#include <Rose/BinaryAnalysis/StackDelta.h>
Public Types | |
| typedef Sawyer::Container::Map< rose_addr_t, InstructionSemantics::BaseSemantics::SValuePtr > | DeltasPerAddress |
| typedef std::pair< InstructionSemantics::BaseSemantics::SValuePtr, InstructionSemantics::BaseSemantics::SValuePtr > | SValuePair |
| typedef Sawyer::Container::Map< rose_addr_t, SValuePair > | SValuePairPerAddress |
Public Member Functions | |
| Analysis () | |
| Default constructor. | |
| Analysis (const Disassembler::BasePtr &d) | |
| Construct an analyzer using a specified disassembler. | |
| Analysis (const InstructionSemantics::BaseSemantics::DispatcherPtr &cpu) | |
| Construct an analysis using a specified dispatcher. | |
| void | analyzeFunction (const Partitioner2::PartitionerConstPtr &, const Partitioner2::FunctionPtr &, Partitioner2::DataFlow::InterproceduralPredicate &) |
| Analyze one function. | |
| bool | hasResults () const |
| Whether a function has been analyzed. | |
| bool | didConverge () const |
| Whether the analysis results are valid. | |
| void | clearResults () |
| Clear analysis results. | |
| void | clearStackPointers () |
| Clear stack pointers, not deltas. | |
| void | clearStackDeltas () |
| Clear stack deltas, not pointers. | |
| void | clearNonResults () |
| Clears everything but results. | |
| SValuePair | functionStackPointers () const |
| Initial and final stack pointers for an analyzed function. | |
| InstructionSemantics::BaseSemantics::SValuePtr | functionStackDelta () const |
| Stack delta for an analyzed function. | |
| int64_t | functionStackDeltaConcrete () const |
| Concrete stack delta for an analyzed function. | |
| SValuePair | basicBlockStackPointers (rose_addr_t basicBlockAddress) const |
| Initial and final stack pointers for a basic block. | |
| InstructionSemantics::BaseSemantics::SValuePtr | basicBlockStackDelta (rose_addr_t basicBlockAddress) const |
| Stack delta for an analyzed basic block. | |
| int64_t | basicBlockStackDeltaConcrete (rose_addr_t basicBlockAddress) const |
| Concrete stack delta for an analyzed basic block. | |
| SValuePair | instructionStackPointers (SgAsmInstruction *) const |
| Initial and final stack ponters for an analyzed instruction. | |
| InstructionSemantics::BaseSemantics::SValuePtr | instructionStackDelta (SgAsmInstruction *) const |
| Stack delta for an instruction. | |
| int64_t | instructionStackDeltaConcrete (SgAsmInstruction *) const |
| Concrete stack delta for an instruction. | |
| void | saveAnalysisResults (SgAsmFunction *) const |
| Update AST with analysis results. | |
| InstructionSemantics::BaseSemantics::DispatcherPtr | cpu () const |
| Virtual CPU used for analysis. | |
| void | print (std::ostream &) const |
| Print multi-line value to specified stream. | |
| void | adjustInstruction (SgAsmInstruction *, const InstructionSemantics::BaseSemantics::SValuePtr &spIn, const InstructionSemantics::BaseSemantics::SValuePtr &spOut, const InstructionSemantics::BaseSemantics::SValuePtr &delta) |
| Sawyer::Optional< rose_addr_t > | initialConcreteStackPointer () const |
| Property: Initial value to use for stack pointers. | |
| void | initialConcreteStackPointer (const Sawyer::Optional< rose_addr_t > &val) |
| Property: Initial value to use for stack pointers. | |
| InstructionSemantics::BaseSemantics::SValuePtr | basicBlockInputStackDeltaWrtFunction (rose_addr_t basicBlockAddress) const |
| Stack delta for block w.r.t. | |
| InstructionSemantics::BaseSemantics::SValuePtr | basicBlockOutputStackDeltaWrtFunction (rose_addr_t basicBlockAddress) const |
| Stack delta for block w.r.t. | |
| InstructionSemantics::BaseSemantics::SValuePtr | instructionInputStackDeltaWrtFunction (SgAsmInstruction *) const |
| Stack delta for instruction w.r.t. | |
| InstructionSemantics::BaseSemantics::SValuePtr | instructionOutputStackDeltaWrtFunction (SgAsmInstruction *) const |
| Stack delta for instruction w.r.t. | |
Static Public Member Functions | |
| static void | clearAstStackDeltas (SgNode *) |
| Clear AST stack deltas. | |
| static int64_t | toInt (const InstructionSemantics::BaseSemantics::SValuePtr &) |
| Convert a symbolic value to an integer. | |
| typedef Sawyer::Container::Map<rose_addr_t, InstructionSemantics::BaseSemantics::SValuePtr> Rose::BinaryAnalysis::StackDelta::Analysis::DeltasPerAddress |
Definition at line 57 of file StackDelta.h.
| typedef std::pair<InstructionSemantics::BaseSemantics::SValuePtr, InstructionSemantics::BaseSemantics::SValuePtr> Rose::BinaryAnalysis::StackDelta::Analysis::SValuePair |
Definition at line 59 of file StackDelta.h.
| typedef Sawyer::Container::Map<rose_addr_t, SValuePair> Rose::BinaryAnalysis::StackDelta::Analysis::SValuePairPerAddress |
Definition at line 60 of file StackDelta.h.
|
inline |
Default constructor.
Creates an analyzer that is not suitable for analysis since it doesn't know anything about the architecture it would be analyzing. This is mostly for use in situations where an analyzer must be constructed as a member of another class's default constructor, in containers that initialize their contents with a default constructor, etc.
Definition at line 134 of file StackDelta.h.
|
inlineexplicit |
Construct an analyzer using a specified disassembler.
This constructor chooses a symbolic domain and a dispatcher appropriate for the disassembler's architecture.
Definition at line 140 of file StackDelta.h.
|
inlineexplicit |
Construct an analysis using a specified dispatcher.
This constructor uses the supplied dispatcher and associated semantic domain. For best results, the semantic domain should be a symbolic domain that uses RegisterStateGeneric. The memory state can be the InstructionSemantics::NullSemantics memory state to speed up dataflow converging when the stack pointer is known to not be saved/restored (which is usually the case), and is what the analysis uses when no state is specified.
Definition at line 152 of file StackDelta.h.
|
inline |
Property: Initial value to use for stack pointers.
A concrete value can be specified for the initial stack pointer, in which case many arithmetic operations on the stack pointer are constant folded, which leads to more data-flow solutions. The default is to not initialize the stack pointer at the start of the analysis.
Definition at line 162 of file StackDelta.h.
|
inline |
Property: Initial value to use for stack pointers.
A concrete value can be specified for the initial stack pointer, in which case many arithmetic operations on the stack pointer are constant folded, which leads to more data-flow solutions. The default is to not initialize the stack pointer at the start of the analysis.
Definition at line 163 of file StackDelta.h.
| void Rose::BinaryAnalysis::StackDelta::Analysis::analyzeFunction | ( | const Partitioner2::PartitionerConstPtr & | , |
| const Partitioner2::FunctionPtr & | , | ||
| Partitioner2::DataFlow::InterproceduralPredicate & | |||
| ) |
Analyze one function.
This analysis method uses Partitioner2 data structures which are generally faster than using the AST. The specified function need not be attached to the partitioner. Results of the analysis are stored in this analysis object to be queried after the analysis completes.
|
inline |
Whether a function has been analyzed.
Returns true if this analysis object holds results from analyzing a function. The results might be only approximations depending on whether didConverge also returns true.
Definition at line 179 of file StackDelta.h.
|
inline |
Whether the analysis results are valid.
Returns true if hasResults is true and the analysis converged to a solution. If the analysis did not converge then the other results are only approximations.
Definition at line 185 of file StackDelta.h.
| void Rose::BinaryAnalysis::StackDelta::Analysis::clearResults | ( | ) |
Clear analysis results.
Resets the analysis results so it looks like this analyzer is initialized but has not run yet. When this method returns, hasResults and didConverge will both return false.
| void Rose::BinaryAnalysis::StackDelta::Analysis::clearStackPointers | ( | ) |
Clear stack pointers, not deltas.
Clears the stack pointer results but not the stack deltas.
| void Rose::BinaryAnalysis::StackDelta::Analysis::clearStackDeltas | ( | ) |
Clear stack deltas, not pointers.
Clears the stack delta results but not the stack pointers.
| void Rose::BinaryAnalysis::StackDelta::Analysis::clearNonResults | ( | ) |
Clears everything but results.
This resets the virtual CPU to the null pointer, possibly freeing some memory if the CPU isn't being used for other things. Once the CPU is removed it's no longer possible to do more analysis.
|
inline |
Initial and final stack pointers for an analyzed function.
These are the initial and final stack pointers for the function as determined by the data-flow analysis. Returns null pointers if the data-flow did not reach the initial and/or final vertices of the function's control flow graph.
Definition at line 213 of file StackDelta.h.
|
inline |
Stack delta for an analyzed function.
Returns the net effect that an analyzed function has on the stack pointer. If the data-flow did not complete then returns a null pointer. See also, functionStackDeltaConcrete.
Definition at line 219 of file StackDelta.h.
| int64_t Rose::BinaryAnalysis::StackDelta::Analysis::functionStackDeltaConcrete | ( | ) | const |
Concrete stack delta for an analyzed function.
Returns a concrete stack delta for a function if known, otherwise the SgAsmInstruction::INVALID_STACK_DELTA constant is returned. See also, functionStackDelta.
| SValuePair Rose::BinaryAnalysis::StackDelta::Analysis::basicBlockStackPointers | ( | rose_addr_t | basicBlockAddress | ) | const |
Initial and final stack pointers for a basic block.
Returns the incoming and outgoing stack pointers for each basic block as determined by a data-flow analysis. If the data-flow did not reach the beginning and/or end of the basic block then null pointers are returned.
| InstructionSemantics::BaseSemantics::SValuePtr Rose::BinaryAnalysis::StackDelta::Analysis::basicBlockStackDelta | ( | rose_addr_t | basicBlockAddress | ) | const |
Stack delta for an analyzed basic block.
Returns the net effect that an analyzed basic block has on the stack pointer. If the data-flow did not reach this basic block then returns a null pointer. See also, basicBlockStackDeltaConcrete.
| InstructionSemantics::BaseSemantics::SValuePtr Rose::BinaryAnalysis::StackDelta::Analysis::basicBlockInputStackDeltaWrtFunction | ( | rose_addr_t | basicBlockAddress | ) | const |
Stack delta for block w.r.t.
function.
Returns the incoming or outgoing stack delta for a basic block with respect to the beginning of the function. Returns a null pointer if the data-flow did not reach the beginning or end of this block.
| InstructionSemantics::BaseSemantics::SValuePtr Rose::BinaryAnalysis::StackDelta::Analysis::basicBlockOutputStackDeltaWrtFunction | ( | rose_addr_t | basicBlockAddress | ) | const |
Stack delta for block w.r.t.
function.
Returns the incoming or outgoing stack delta for a basic block with respect to the beginning of the function. Returns a null pointer if the data-flow did not reach the beginning or end of this block.
| int64_t Rose::BinaryAnalysis::StackDelta::Analysis::basicBlockStackDeltaConcrete | ( | rose_addr_t | basicBlockAddress | ) | const |
Concrete stack delta for an analyzed basic block.
Returns the concrete stack delta for a basic block if known, otherwise returns the SgAsmInstruction::INVALID_STACK_DELTA constant.
| SValuePair Rose::BinaryAnalysis::StackDelta::Analysis::instructionStackPointers | ( | SgAsmInstruction * | ) | const |
Initial and final stack ponters for an analyzed instruction.
These are the initial and final stack pointers for the instruction as determined by data-flow analysis. Returns null pointers if the data-flow did not reach the beginning and/or end of the instruction.
| InstructionSemantics::BaseSemantics::SValuePtr Rose::BinaryAnalysis::StackDelta::Analysis::instructionStackDelta | ( | SgAsmInstruction * | ) | const |
Stack delta for an instruction.
Returns the stack delta for a single instruction if known, otherwise a null pointer. See also, instructionStackDeltaConcrete. The stack delta for an instruction is the difference between the stack pointer after the instruction executes and the stack pointer before the instruction executes.
| InstructionSemantics::BaseSemantics::SValuePtr Rose::BinaryAnalysis::StackDelta::Analysis::instructionInputStackDeltaWrtFunction | ( | SgAsmInstruction * | ) | const |
Stack delta for instruction w.r.t.
function.
Returns the incoming or outgoing stack delta for an instruction with respect to the beginning of the function. Returns a null pointer if the data-flow did not reach the beginning or end of the instruction.
| InstructionSemantics::BaseSemantics::SValuePtr Rose::BinaryAnalysis::StackDelta::Analysis::instructionOutputStackDeltaWrtFunction | ( | SgAsmInstruction * | ) | const |
Stack delta for instruction w.r.t.
function.
Returns the incoming or outgoing stack delta for an instruction with respect to the beginning of the function. Returns a null pointer if the data-flow did not reach the beginning or end of the instruction.
| int64_t Rose::BinaryAnalysis::StackDelta::Analysis::instructionStackDeltaConcrete | ( | SgAsmInstruction * | ) | const |
Concrete stack delta for an instruction.
Returns the concrete stack delta for an instruction if known, otherwise returns the SgAsmInstruction::INVALID_STACK_DELTA constants. See also, instructionStackDelta.
| void Rose::BinaryAnalysis::StackDelta::Analysis::saveAnalysisResults | ( | SgAsmFunction * | ) | const |
Update AST with analysis results.
The analysis results are copied into the AST, Instructions in the AST that belong to the function but were not present during the analysis have their stack deltas set to SgAsmInstruction::INVALID_STACK_DELTA. Only the specified function, its basic blocks, and their instructions are affected.
|
static |
Clear AST stack deltas.
Clear all stack deltas stored in the specified AST by setting them to SgAsmInstruction::INVALID_STACK_DELTA.
|
inline |
Virtual CPU used for analysis.
Returns the dispatcher set by the constructor or the latest analysis. If no dispatcher is set in the constructor then the analysis itself may set one.
Definition at line 300 of file StackDelta.h.
|
static |
Convert a symbolic value to an integer.
Converts the specified symbolic value to a 64-bit signed stack delta. If the symbolic value is a null pointer or is not an integer, or is wider than 64 bits, then the SgAsmInstruction::INVALID_STACK_DELTA constant is returned.
1.9.8