Helper class for determining if Varnodes can trace their value from a legitimate source. More...

#include <funcdata.hh>

Classes
class	State
	Node in a depth first traversal of ancestors. More...

Public Member Functions
bool	execute (PcodeOp op, int4 slot, ParamTrial t, bool allowFail)
	Perform a full ancestor check on a given parameter trial. More...

Private Types
enum	{ enter_node, pop_success, pop_solid, pop_fail, pop_failkill }
	Enumerations for state of depth first traversal. More...

Private Member Functions
void	mark (Varnode *vn)
	Mark given Varnode is visited by the traversal. More...

int4	enterNode (State &state)
	Traverse into a new Varnode. More...

int4	uponPop (State &state, int4 command)
	Pop a Varnode from the traversal stack. More...

bool	checkConditionalExe (State &state)
	Check if current Varnode produced by conditional flow. More...

Private Attributes
ParamTrial *	trial
	Current trial being analyzed for suitability.

vector< State >	stateStack
	Holds the depth-first traversal stack.

vector< const Varnode * >	markedVn
	Holds visited Varnodes to properly trim cycles.

int4	multiDepth
	Number of MULTIEQUAL ops along current traversal path.

bool	allowFailingPath
	True if we allow and test for failing paths due to conditional execution.

Detailed Description

Helper class for determining if Varnodes can trace their value from a legitimate source.

Try to determine if a Varnode (expressed as a particular input to a CALL, CALLIND, or RETURN op) makes sense as parameter passing (or return value) storage by examining the Varnode's ancestors. If it has ancestors that are unaffected, abnormal inputs, or killedbycall, then this is a sign that the Varnode doesn't make a good parameter.

Member Enumeration Documentation

◆ anonymous enum

anonymous enum

private

Enumerations for state of depth first traversal.

Enumerator
enter_node	Extending path into new Varnode.
pop_success	Backtracking, from path that contained a reasonable ancestor.
pop_solid	Backtracking, from path with successful, solid, movement, via COPY, LOAD, or other arith/logical.
pop_fail	Backtracking, from path with a bad ancestor.
pop_failkill	Backtracking, from path with a bad ancestor, specifically killedbycall.

Member Function Documentation

◆ checkConditionalExe()

bool AncestorRealistic::checkConditionalExe ( State & state )

private

Check if current Varnode produced by conditional flow.

Returns: true if there are two input flows, one of which is a normal solid flow

References FlowBlock::getIn(), PcodeOp::getParent(), AncestorRealistic::State::getSolidSlot(), AncestorRealistic::State::op, FlowBlock::sizeIn(), and FlowBlock::sizeOut().

Referenced by uponPop().

◆ enterNode()

int4 AncestorRealistic::enterNode ( State & state )

private

Traverse into a new Varnode.

Analyze a new node that has just entered, during the depth-first traversal

Parameters

state is the current node on the path, with associated state information

Returns: the command indicating the next traversal step: push (enter_node), or pop (pop_success, pop_fail, pop_solid...)

References PcodeOp::code(), CPUI_COPY, CPUI_INDIRECT, CPUI_MULTIEQUAL, CPUI_SUBPIECE, enter_node, Varnode::getAddr(), Varnode::getDef(), PcodeOp::getIn(), PcodeOp::getOpFromConst(), PcodeOp::getOut(), Varnode::getSpace(), AddrSpace::getType(), IPTR_INTERNAL, PcodeOp::isCall(), Varnode::isDirectWrite(), Varnode::isIncidentalCopy(), PcodeOp::isIndirectCreation(), Varnode::isIndirectZero(), Varnode::isInput(), ParamTrial::isKilledByCall(), Varnode::isMark(), Varnode::isPersist(), Varnode::isReturnAddress(), Varnode::isUnaffected(), Varnode::isWritten(), mark(), multiDepth, pop_fail, pop_failkill, pop_solid, pop_success, ParamTrial::setIndCreateFormed(), stateStack, trial, and AncestorRealistic::State::vn.

Referenced by execute().

◆ execute()

bool AncestorRealistic::execute	(	PcodeOp *	op,
		int4	slot,
		ParamTrial *	t,
		bool	allowFail
	)

Perform a full ancestor check on a given parameter trial.

Parameters

op	is the CALL or RETURN to test parameter passing for
slot	is the index of the particular input varnode to test
t	is the ParamTrial object corresponding to the varnode
allowFailingPath	is true if we allow and test for failing paths due to conditional execution

Returns: true if the varnode has realistic ancestors for a parameter passing location

References allowFailingPath, enter_node, enterNode(), PcodeOp::getIn(), ParamTrial::hasCondExeEffect(), Varnode::isInput(), markedVn, multiDepth, pop_fail, pop_failkill, pop_solid, pop_success, stateStack, trial, and uponPop().

Referenced by ActionReturnRecovery::apply(), FuncCallSpecs::checkInputTrialUse(), and FuncCallSpecs::finalInputCheck().

◆ mark()

void AncestorRealistic::mark ( Varnode * vn )

inlineprivate

Mark given Varnode is visited by the traversal.

Parameters

vn	is the given Varnode

References markedVn, and Varnode::setMark().

Referenced by enterNode().

◆ uponPop()

int4 AncestorRealistic::uponPop	(	State &	state,
		int4	pop_command
	)

private

Pop a Varnode from the traversal stack.

Backtrack into a previously visited node

Parameters

state	is the node that needs to be popped from the stack
pop_command	is the type of pop (pop_success, pop_fail, pop_failkill, pop_solid) being performed

Returns: the command to execute (push or pop) after the current pop

References allowFailingPath, checkConditionalExe(), PcodeOp::code(), CPUI_MULTIEQUAL, enter_node, PcodeOp::getIn(), multiDepth, PcodeOp::numInput(), AncestorRealistic::State::op, pop_fail, pop_failkill, pop_solid, pop_success, ParamTrial::setCondExeEffect(), AncestorRealistic::State::slot, stateStack, trial, and AncestorRealistic::State::vn.

Referenced by execute().

The documentation for this class was generated from the following files:

funcdata.hh
funcdata_varnode.cc

Classes

Public Member Functions

Private Types

Private Member Functions

Private Attributes

Detailed Description

Member Enumeration Documentation

◆ anonymous enum

Member Function Documentation

◆ checkConditionalExe()

◆ enterNode()

◆ execute()

◆ mark()

◆ uponPop()