A prototype model: a model for passing parameters between functions. More...

#include <fspec.hh>

Inheritance diagram for ProtoModel:

Public Types
enum	{ extrapop_unknown = 0x8000 }

Public Member Functions
	ProtoModel (Architecture *g)
	Constructor for use with restoreXml() More...

	ProtoModel (const string &nm, const ProtoModel &op2)
	Copy constructor changing the name. More...

virtual	~ProtoModel (void)
	Destructor.

const string &	getName (void) const
	Get the name of the prototype model.

Architecture *	getArch (void) const
	Get the owning Architecture.

uint4	hasEffect (const Address &addr, int4 size) const
	Determine side-effect of this on the given memory range. More...

int4	getExtraPop (void) const
	Get the stack-pointer extrapop for this model.

void	setExtraPop (int4 ep)
	Set the stack-pointer extrapop.

int4	getInjectUponEntry (void) const
	Get the inject uponentry id.

int4	getInjectUponReturn (void) const
	Get the inject uponreturn id.

void	deriveInputMap (ParamActive *active) const
	Given a list of input trials, derive the most likely input prototype. More...

void	deriveOutputMap (ParamActive *active) const
	Given a list of output trials, derive the most likely output prototype. More...

void	assignParameterStorage (const vector< Datatype * > &typelist, vector< ParameterPieces > &res, bool ignoreOutputError)
	Calculate input and output storage locations given a function prototype. More...

bool	checkInputJoin (const Address &hiaddr, int4 hisize, const Address &loaddr, int4 losize) const
	Check if the given two input storage locations can represent a single logical parameter. More...

bool	checkOutputJoin (const Address &hiaddr, int4 hisize, const Address &loaddr, int4 losize) const
	Check if the given two output storage locations can represent a single logical return value. More...

bool	checkInputSplit (const Address &loc, int4 size, int4 splitpoint) const
	Check if it makes sense to split a single storage location into two input parameters. More...

const RangeList &	getLocalRange (void) const
	Get the range of (possible) local stack variables.

const RangeList &	getParamRange (void) const
	Get the range of (possible) stack parameters.

vector< EffectRecord >::const_iterator	effectBegin (void) const
	Get an iterator to the first EffectRecord.

vector< EffectRecord >::const_iterator	effectEnd (void) const
	Get an iterator to the last EffectRecord.

int4	numLikelyTrash (void) const
	Get the number of likelytrash locations.

const VarnodeData &	getLikelyTrash (int4 i) const
	Get the i-th likelytrashh location.

bool	possibleInputParam (const Address &loc, int4 size) const
	Does the given storage location make sense as an input parameter. More...

bool	possibleOutputParam (const Address &loc, int4 size) const
	Does the given storage location make sense as a return value. More...

bool	possibleInputParamWithSlot (const Address &loc, int4 size, int4 &slot, int4 &slotsize) const
	Pass-back the slot and slot size for the given storage location as an input parameter. More...

bool	possibleOutputParamWithSlot (const Address &loc, int4 size, int4 &slot, int4 &slotsize) const
	Pass-back the slot and slot size for the given storage location as a return value. More...

bool	unjustifiedInputParam (const Address &loc, int4 size, VarnodeData &res) const
	Check if the given storage location looks like an unjustified input parameter. More...

OpCode	assumedInputExtension (const Address &addr, int4 size, VarnodeData &res) const
	Get the type of extension and containing input parameter for the given storage. More...

OpCode	assumedOutputExtension (const Address &addr, int4 size, VarnodeData &res) const
	Get the type of extension and containing return value location for the given storage. More...

AddrSpace *	getSpacebase (void) const
	Get the stack space associated with this model.

bool	isStackGrowsNegative (void) const
	Return true if the stack grows toward smaller addresses.

bool	hasThisPointer (void) const
	Is this a model for (non-static) class methods.

bool	isConstructor (void) const
	Is this model for class constructors.

int4	getMaxInputDelay (void) const
	Return the maximum heritage delay across all possible input parameters. More...

int4	getMaxOutputDelay (void) const
	Return the maximum heritage delay across all possible return values. More...

virtual bool	isMerged (void) const
	Is this a merged prototype model.

virtual void	restoreXml (const Element *el)
	Restore this model from an XML stream. More...

Static Public Member Functions
static uint4	lookupEffect (const vector< EffectRecord > &efflist, const Address &addr, int4 size)
	Look up an effect from the given EffectRecord list. More...

Private Member Functions
void	defaultLocalRange (void)
	Set the default stack range used for local variables.

void	defaultParamRange (void)
	Set the default stack range used for input parameters.

void	buildParamList (const string &strategy)
	Establish the main resource lists for input and output parameters. More...

Private Attributes
Architecture *	glb
	The Architecture owning this prototype model.

string	name
	Name of the model.

int4	extrapop
	Extra bytes popped from stack.

ParamList *	input
	Resource model for input parameters.

ParamList *	output
	Resource model for output parameters.

vector< EffectRecord >	effectlist
	List of side-effects.

vector< VarnodeData >	likelytrash
	Storage locations potentially carrying trash values.

int4	injectUponEntry
	Id of injection to perform at beginning of function (-1 means not used)

int4	injectUponReturn
	Id of injection to perform after a call to this function (-1 means not used)

RangeList	localrange
	Memory range(s) of space-based locals.

RangeList	paramrange
	Memory range(s) of space-based parameters.

bool	stackgrowsnegative
	True if stack parameters have (normal) low address to high address ordering.

bool	hasThis
	True if this model has a this parameter (auto-parameter)

bool	isConstruct
	True if this model is a constructor for a particular object.

Friends
class	ProtoModelMerged

Detailed Description

A prototype model: a model for passing parameters between functions.

This encompasses both input parameters and return values. It attempts to describe the ABI, Application Binary Interface, of the processor or compiler. Any number of function prototypes (FuncProto) can be implemented under a prototype model, which represents a static rule set the compiler uses to decide:

Storage locations for input parameters
Storage locations for return values
Expected side-effects of a function on other (non-parameter) registers and storage locations
Behavior of the stack and the stack pointer across function calls

Major analysis concerns are:

Recovering function prototypes from data-flow information: deriveInputMap() and deriveOutputMap()
Calculating parameter storage locations given a function prototype: assignParameterStorage()
Behavior of data-flow around call sites

A prototype model supports the concept of extrapop, which is defined as the change in value of the stack pointer (or the number of bytes popped from the stack) across a call. This value is calculated starting from the point of the p-code CALL or CALLIND op, when the stack parameters have already been pushed by the calling function. So extrapop only reflects changes made by the callee.

Member Enumeration Documentation

◆ anonymous enum

anonymous enum

Enumerator
extrapop_unknown	Reserved extrapop value meaning the function's extrapop is unknown.

Constructor & Destructor Documentation

◆ ProtoModel() [1/2]

ProtoModel::ProtoModel ( Architecture * g )

Constructor for use with restoreXml()

Parameters

g	is the Architecture that will own the new prototype model

References defaultLocalRange(), defaultParamRange(), extrapop, glb, hasThis, injectUponEntry, injectUponReturn, input, isConstruct, output, and stackgrowsnegative.

◆ ProtoModel() [2/2]

ProtoModel::ProtoModel	(	const string &	nm,
		const ProtoModel &	op2
	)

Copy constructor changing the name.

Everything is copied from the given prototype model except the name

Parameters

nm	is the new name for this copy
op2	is the prototype model to copy

References ParamList::clone(), effectlist, extrapop, glb, hasThis, injectUponEntry, injectUponReturn, input, isConstruct, likelytrash, localrange, name, output, paramrange, and stackgrowsnegative.

Member Function Documentation

◆ assignParameterStorage()

void ProtoModel::assignParameterStorage	(	const vector< Datatype * > &	typelist,
		vector< ParameterPieces > &	res,
		bool	ignoreOutputError
	)

Calculate input and output storage locations given a function prototype.

The data-types of the function prototype are passed in as an ordered list, with the first data-type corresponding to the return value and all remaining data-types corresponding to the input parameters. Based on this model, a storage location is selected for each (input and output) parameter and passed back to the caller. The passed back storage locations are ordered similarly, with the output storage as the first entry. The model has the option of inserting a hidden return value pointer in the input storage locations.

A void return type is indicated by the formal TYPE_VOID in the (either) list. If the model can't map the specific output prototype, the caller has the option of whether an exception (ParamUnassignedError) is thrown. If they choose not to throw, the unmapped return value is assumed to be void.

Parameters

typelist	is the list of data-types from the function prototype
res	will hold the storage locations for each parameter
ignoreOutputError	is true if problems assigning the output parameter are ignored

References ParamList::assignMap(), TypeFactory::getTypeVoid(), glb, input, output, and Architecture::types.

Referenced by FuncProto::paramShift(), ProtoStoreInternal::restoreXml(), and FuncProto::updateAllTypes().

◆ assumedInputExtension()

OpCode ProtoModel::assumedInputExtension	(	const Address &	addr,
		int4	size,
		VarnodeData &	res
	)		const

inline

Get the type of extension and containing input parameter for the given storage.

If the given storage is properly contained within a normal parameter and the model typically extends a small value into the full container, pass back the full container and the type of extension.

Parameters

addr	is the starting address of the given storage
size	is the number of bytes in the given storage
res	is the parameter storage to pass back

Returns: the extension operator (INT_ZEXT INT_SEXT) or INT_COPY if there is no extension. INT_PIECE indicates the extension is determined by the specific prototype.

References ParamList::assumedExtension(), and input.

Referenced by FuncProto::assumedInputExtension().

◆ assumedOutputExtension()

OpCode ProtoModel::assumedOutputExtension	(	const Address &	addr,
		int4	size,
		VarnodeData &	res
	)		const

inline

Get the type of extension and containing return value location for the given storage.

If the given storage is properly contained within a normal return value location and the model typically extends a small value into the full container, pass back the full container and the type of extension.

Parameters

addr	is the starting address of the given storage
size	is the number of bytes in the given storage
res	is the parameter storage to pass back

Returns: the extension operator (INT_ZEXT INT_SEXT) or INT_COPY if there is no extension. INT_PIECE indicates the extension is determined by the specific prototype.

References ParamList::assumedExtension(), and output.

Referenced by FuncProto::assumedOutputExtension().

◆ buildParamList()

void ProtoModel::buildParamList ( const string & strategy )

private

Establish the main resource lists for input and output parameters.

Generate derived ParamList objects based on a given strategy

Parameters

strategy is the resource strategy: currently "standard" or "register"

References input, and output.

Referenced by restoreXml().

◆ checkInputJoin()

bool ProtoModel::checkInputJoin	(	const Address &	hiaddr,
		int4	hisize,
		const Address &	loaddr,
		int4	losize
	)		const

inline

Check if the given two input storage locations can represent a single logical parameter.

Within the conventions of this model, do the two (hi/lo) locations represent consecutive input parameter locations that can be replaced by a single logical parameter.

Parameters

hiaddr	is the address of the most significant part of the value
hisize	is the size of the most significant part in bytes
loaddr	is the address of the least significant part of the value
losize	is the size of the least significant part in bytes

Returns: true if the two pieces can be joined

References ParamList::checkJoin(), and input.

Referenced by FuncProto::checkInputJoin().

◆ checkInputSplit()

bool ProtoModel::checkInputSplit	(	const Address &	loc,
		int4	size,
		int4	splitpoint
	)		const

inline

Check if it makes sense to split a single storage location into two input parameters.

A storage location and split point is provided, implying two new storage locations. Does this model allow these locations to be considered separate parameters.

Parameters

loc	is the starting address of provided storage location
size	is the size of the location in bytes
splitpoint	is the number of bytes to consider in the first (in address order) piece

Returns: true if the storage location can be split

References ParamList::checkSplit(), and input.

Referenced by FuncProto::checkInputSplit().

◆ checkOutputJoin()

bool ProtoModel::checkOutputJoin	(	const Address &	hiaddr,
		int4	hisize,
		const Address &	loaddr,
		int4	losize
	)		const

inline

Check if the given two output storage locations can represent a single logical return value.

Within the conventions of this model, do the two (hi/lo) locations represent consecutive locations that can be replaced by a single logical return value.

Parameters

hiaddr	is the address of the most significant part of the value
hisize	is the size of the most significant part in bytes
loaddr	is the address of the least significant part of the value
losize	is the size of the least significant part in bytes

Returns: true if the two pieces can be joined

References ParamList::checkJoin(), and output.

◆ deriveInputMap()

void ProtoModel::deriveInputMap ( ParamActive * active ) const

inline

Given a list of input trials, derive the most likely input prototype.

Trials are sorted and marked as used or not.

Parameters

active is the collection of Varnode input trials

References ParamList::fillinMap(), and input.

Referenced by FuncProto::deriveInputMap().

◆ deriveOutputMap()

void ProtoModel::deriveOutputMap ( ParamActive * active ) const

inline

Given a list of output trials, derive the most likely output prototype.

One trial (at most) is marked used and moved to the front of the list

Parameters

active is the collection of output trials

References ParamList::fillinMap(), and output.

Referenced by FuncProto::deriveOutputMap().

◆ getMaxInputDelay()

int4 ProtoModel::getMaxInputDelay ( void ) const

inline

Return the maximum heritage delay across all possible input parameters.

Depending on the address space, data-flow for a parameter may not be available until extra transform passes have completed. This method returns the number of passes that must occur before we can guarantee that all parameters have data-flow info.

Returns: the maximum number of passes across all input parameters in this model

References ParamList::getMaxDelay(), and input.

Referenced by FuncProto::getMaxInputDelay().

◆ getMaxOutputDelay()

int4 ProtoModel::getMaxOutputDelay ( void ) const

inline

Return the maximum heritage delay across all possible return values.

Depending on the address space, data-flow for a parameter may not be available until extra transform passes have completed. This method returns the number of passes that must occur before we can guarantee that any return value has data-flow info.

Returns: the maximum number of passes across all output parameters in this model

References ParamList::getMaxDelay(), and output.

Referenced by FuncProto::getMaxOutputDelay().

◆ hasEffect()

uint4 ProtoModel::hasEffect	(	const Address &	addr,
		int4	size
	)		const

Determine side-effect of this on the given memory range.

The model is searched for an EffectRecord matching the given range and the effect type is returned. If there is no EffectRecord or the effect generally isn't known, EffectRecord::unknown_effect is returned.

Parameters

addr	is the starting address of the given memory range
size	is the number of bytes in the given range

Returns: the EffectRecord type

References effectlist, and lookupEffect().

Referenced by FuncProto::hasEffect().

◆ lookupEffect()

uint4 ProtoModel::lookupEffect	(	const vector< EffectRecord > &	efflist,
		const Address &	addr,
		int4	size
	)

static

Look up an effect from the given EffectRecord list.

If a given memory range matches an EffectRecord, return the effect type. Otherwise return EffectRecord::unknown_effect

Parameters

efflist	is the list of EffectRecords which must be sorted
addr	is the starting address of the given memory range
size	is the number of bytes in the memory range

Returns: the EffectRecord type

References Address::getSpace(), AddrSpace::getType(), IPTR_INTERNAL, Address::overlap(), EffectRecord::unaffected, and EffectRecord::unknown_effect.

Referenced by hasEffect(), and FuncProto::hasEffect().

◆ possibleInputParam()

bool ProtoModel::possibleInputParam	(	const Address &	loc,
		int4	size
	)		const

inline

Does the given storage location make sense as an input parameter.

Within this model, decide if the storage location can be considered an input parameter.

Parameters

loc	is the starting address of the storage location
size	is the number of bytes in the storage location

Returns: true if the location can be a parameter

References input, and ParamList::possibleParam().

Referenced by FuncProto::possibleInputParam().

◆ possibleInputParamWithSlot()

bool ProtoModel::possibleInputParamWithSlot	(	const Address &	loc,
		int4	size,
		int4 &	slot,
		int4 &	slotsize
	)		const

inline

Pass-back the slot and slot size for the given storage location as an input parameter.

This checks if the given storage location acts as an input parameter in this model and passes back the number of slots that it occupies.

Parameters

loc	is the starting address of the storage location
size	is the number of bytes in the storage location
slot	if the slot number to pass back
slotsize	is the number of consumed slots to pass back

Returns: true if the location can be a parameter

References input, and ParamList::possibleParamWithSlot().

Referenced by ScoreProtoModel::addParameter().

◆ possibleOutputParam()

bool ProtoModel::possibleOutputParam	(	const Address &	loc,
		int4	size
	)		const

inline

Does the given storage location make sense as a return value.

Within this model, decide if the storage location can be considered an output parameter.

Parameters

loc	is the starting address of the storage location
size	is the number of bytes in the storage location

Returns: true if the location can be a parameter

References output, and ParamList::possibleParam().

Referenced by FuncProto::possibleOutputParam().

◆ possibleOutputParamWithSlot()

bool ProtoModel::possibleOutputParamWithSlot	(	const Address &	loc,
		int4	size,
		int4 &	slot,
		int4 &	slotsize
	)		const

inline

Pass-back the slot and slot size for the given storage location as a return value.

This checks if the given storage location acts as an output parameter in this model and passes back the number of slots that it occupies.

Parameters

loc	is the starting address of the storage location
size	is the number of bytes in the storage location
slot	if the slot number to pass back
slotsize	is the number of consumed slots to pass back

Returns: true if the location can be a parameter

References output, and ParamList::possibleParamWithSlot().

Referenced by ScoreProtoModel::addParameter().

◆ restoreXml()

void ProtoModel::restoreXml ( const Element * el )

virtual

Restore this model from an XML stream.

Read in details about this model from a <prototype> tag

Parameters

el	is the <prototype> element

Reimplemented in ProtoModelMerged.

References buildParamList(), InjectPayload::CALLMECHANISM_TYPE, RangeList::clear(), defaultLocalRange(), defaultParamRange(), Architecture::defaultReturnAddr, effectlist, RangeList::empty(), extrapop, extrapop_unknown, Range::getFirst(), Range::getLast(), ParamList::getRangeList(), Range::getSpace(), AddrSpaceManager::getStackSpace(), glb, hasThis, injectUponEntry, injectUponReturn, input, RangeList::insertRange(), isConstruct, EffectRecord::killedbycall, likelytrash, localrange, name, output, paramrange, Architecture::pcodeinjectlib, Range::restoreXml(), ParamList::restoreXml(), PcodeInjectLibrary::restoreXmlInject(), EffectRecord::return_address, VarnodeData::space, AddrSpace::stackGrowsNegative(), stackgrowsnegative, and EffectRecord::unaffected.

Referenced by Architecture::parseProto().

◆ unjustifiedInputParam()

bool ProtoModel::unjustifiedInputParam	(	const Address &	loc,
		int4	size,
		VarnodeData &	res
	)		const

inline

Check if the given storage location looks like an unjustified input parameter.

The storage for a value may be contained in a normal parameter location but be unjustified within that container, i.e. the least significant bytes are not being used. If this is the case, pass back the full parameter location and return true.

Parameters

loc	is the starting address of the given storage
size	is the number of bytes in the given storage
res	is the full parameter storage to pass back

Returns: true if the given storage is unjustified within its parameter container

References input, and ParamList::unjustifiedContainer().

Referenced by FuncProto::unjustifiedInputParam().

The documentation for this class was generated from the following files:

fspec.hh
fspec.cc

Public Types

Public Member Functions

Static Public Member Functions

Private Member Functions

Private Attributes

Friends

Detailed Description

Member Enumeration Documentation

◆ anonymous enum

Constructor & Destructor Documentation

◆ ProtoModel() [1/2]

◆ ProtoModel() [2/2]

Member Function Documentation

◆ assignParameterStorage()

◆ assumedInputExtension()

◆ assumedOutputExtension()

◆ buildParamList()

◆ checkInputJoin()

◆ checkInputSplit()

◆ checkOutputJoin()

◆ deriveInputMap()

◆ deriveOutputMap()

◆ getMaxInputDelay()

◆ getMaxOutputDelay()

◆ hasEffect()

◆ lookupEffect()

◆ possibleInputParam()

◆ possibleInputParamWithSlot()

◆ possibleOutputParam()

◆ possibleOutputParamWithSlot()

◆ restoreXml()

◆ unjustifiedInputParam()