Commit Graph

355 Commits

Author SHA1 Message Date
Ryan Scott
02c2bc468e macaw-base: Introduce *.Panic module
This is cargo-culted from the `*.Panic` module of a similar name in
`macaw-aarch32`. This will be useful in a subsequent commit in which we replace
some unreachable calls to `fail` with `panic`.
2023-04-18 15:17:23 -04:00
Ryan Scott
97c61e471a Add basic support for simulating PLT stubs and shared libraries
This extends `Data.Macaw.Symbolic.Testing` in `macaw-symbolic` to be able to
handle binaries that depend on shared libraries. This is fully functional for
the x86-64 and AArch32 symbolic backends, and I have added test cases to the
respective repos demonstrating that it works. (The PowerPC backend is not yet
supported. At a minimum, this is blocked on GaloisInc/elf-edit#35.)

To implement this, I also needed to add some additional infrastructure to
`macaw-base` (I put this infrastructure here as it doesn't depend on any
Crucible-specific functionality):

* `Data.Macaw.Memory.ElfLoader.DynamicDependencies`: a basic ELF dynamic
  loader that performs a breadth-first search over all `DT_NEEDED` entries
  that an ELF binary depends on (both directly and indirectly).
* `Data.Macaw.Memory.ElfLoader.PLTStubs`: a collection of heuristics for
  detecting the addresses of PLT stubs in a dynamically linked binary.

It is worth noting that shared libraries are rife with nuance and subtlety,
and the way `macaw` models shared libraries is not 100% accurate. I have
written a length `Note [Shared libraries]` in `Data.Macaw.Symbolic.Testing`
to describe where corners had to be cut.

Fixes #318.
2023-02-23 17:16:12 -05:00
Ryan Scott
122db57c99 Consistently use symbol table functionality from elf-edit
This:

* Bumps the `elf-edit` submodule to bring in the changes from
  GaloisInc/elf-edit#34.
* Updates `Data.Macaw.Memory.ElfLoader` to consolidate the symbol table logic
  with the corresponding functions from `elf-edit`.

Fixes #277.
2023-02-23 17:16:12 -05:00
Ryan Scott
fa3f82314a macaw-base: Document hashable-related API changes 2023-02-20 17:49:17 -05:00
Valentin Robert
aa127f240f support hashable-1.4 2023-02-16 13:55:30 -08:00
Ryan Scott
560f292d16 macaw-base: Support loading R_ARM_COPY ELF relocations
We already have support for `R_X86_64_COPY` relocations, so adding support
for `R_ARM_COPY` on the AArch32 side is straightforward.

This is related to #47, although this is not a full fix for the issue.
2022-09-13 15:20:22 -04:00
Tristan Ravitch
6a4f406c68 Revisit handling of tail calls
It turns out that we have to be more conservative with tail call identification,
as incorrectly identifying a block as the target of a tail call (instead of a
branch) can cause other branch classifiers to fail if that block is the target
of another jump.

Ultimately, we will need to give up some tail call recognition (since they are
in general indistinguishable from jumps), and instead only identify known call
targets as tail call candidates.

With additional global analysis we could do better.

Fixes #294
2022-06-27 15:02:43 -07:00
Tristan Ravitch
f217bf860e Remove an unused NatRepr 2022-06-09 13:07:30 -07:00
Tristan Ravitch
3011920fc5 Improve a classifier failure diagnostic and fix a typo
The call classifier was missing a label, which led to a less readable error
message in the case where all classifiers fail.
2022-06-09 13:07:30 -07:00
Tristan Ravitch
9296692138 Fix a sign extension bug in the abstract domain calculation
The bug arose in the handling of `StackOffsetAbsVal`, which track an abstraction
of references relative to the stack pointer. The offsets in `StackOffsetAbsVal`
are `Int64`; they are signed because references are both above and below the
stack pointer.  The code constructing new values of this type was incorrectly
zero-extending new offsets instead of sign extending them.  This did not matter
on 64 bit architectures, as it happened to result in the same values.  It
substantially corrupted the abstract stack on PowerPC 32.  It did not seem to
affect AArch32, but that is likely just due to luck in compiler code generation
that does not require this level of precision in the abstract stack.

The resulting errors manifest in the `absEvalCall` function. Because of the lack
of sign extension in `StackOffsetAbsVal`s, it made the current stack pointer
look like a huge number, which caused *all* stack entries to be dropped after
function calls.

This fix simplifies the stack offset abstract value computation substantially
and ensures that signs are extended correctly. The commit adds a PowerPC32 test
case that only passes with this fix.
2022-06-09 13:07:30 -07:00
Tristan Ravitch
3d95517097 Remove an unused export
This function is used internally, but no clients use it
2022-06-09 13:07:30 -07:00
Ryan Scott
6e020bcde6 Fix -Wincomplete-uni-patterns warnings
GHC 9.2 adds `-Wincomplete-uni-patterns` to `-Wall`, which uncovers a slew of
previously unnoticed warnings in `macaw`. This patch fixes them, mostly by
adding explicit fall-through cases.
2022-05-31 15:50:48 -04:00
Ryan Scott
3f65a253a1 Fix -Wunused-imports warning with base-4.16.*
In `base-4.16.*`, `Nat` is now a type synonym for `Natural`, and `GHC.TypeLits`
now re-exports `Natural`. This causes a `-Wunused-imports` warning in
`macaw-base` as a consequence. I fixed the warning by tightening up the imports
slightly.
2022-05-31 15:50:48 -04:00
Tristan Ravitch
8e10643b0f
Fix tail call classification (#286)
The tail call classifier came after the jump classifier, which was a problem because it is less strict than the tail call classifier, meaning it would always fire.  This commit moves direct jump to be the last classifier applied, giving the others a chance.

Includes a test case in the ARM backend.

This requires some updates to some of the expected test results, as a few blocks are now classified as tail calls that were
plain jumps before.  They really could be considered either.  I think it would be nice if these could be classified as jumps instead, but the reason they are flagged as tail calls is mostly down to the fact that their surrounding context is so simple that either interpretation works.

Correcting this would require some heuristics based on additional analysis passes.

The test harness for macaw symbolic required a few changes because the new detection of some jumps as tail calls introduces new calls into the symbolic test suites. However, the symbolic testing harness did not support calls before.  Adding support required a bit of plumbing, including a more extensive code discovery pass.


Fixes #285
2022-05-10 07:29:55 -07:00
Ryan Scott
c86e13d35c Adapt to dynSymEntry being definition-aware in elf-edit
This bump the `elf-edit` submodule to bring in the changes from
https://github.com/GaloisInc/elf-edit/pull/29, which adds an additional
`VersionDefMap` argument to `elf-edit` to make it aware of version definitions.
This requires some changes to the API in `Data.Macaw.Memory.ElfLoader` to
accommodate.
2022-04-19 12:47:24 -04:00
Brett Boston
93ca88c2fc
Export Data.Macaw.Discovery.Classifier.classifierEndBlock (#275) 2022-04-04 11:57:19 -07:00
Simon Winwood
7ca8e4c237
Ignore relocations with zero size when constructing Memory 2022-03-23 01:36:07 -07:00
Tristan Ravitch
dd9448db3c Export an extra function from the discovery API
This is necessary to implement custom logic using the incremental computation
monad, as the even lower-level infrastructure is not exposed at all.
2022-03-21 09:20:35 -07:00
Ryan Scott
ce10bc9243 Drop support for GHC 8.6
This allows us to remove gobs of CPP as a consequence.
2022-01-10 16:40:23 -05:00
Ryan Scott
049096c506 Support building with GHC 9.0
This contains a variety of fixes needed to make the packages in the `macaw`
repo compile with GHC 9.0:

* GHC 9.0 implements simplified subsumption (see
  [here](https://gitlab.haskell.org/ghc/ghc/-/wikis/migration/9.0?version_id=5fcd0a50e0872efb3c38a32db140506da8310d87#simplified-subsumption)).
  In most cases, adapting to this is a matter of manually eta expanding
  definitions, such as in `base:Data.Macaw.Analysis.RegisterUse`. In the case
  of `macaw-x86-symbolic:Data.Macaw.X86.Crucible`, the type signature of
  `evalExt` had to be made more specific to adapt to the loss of contravariance
  when typechecking `(->)`.
* GHC's constraint solver now solves constraints in each top-level group
  sooner (see
  [here](https://gitlab.haskell.org/ghc/ghc/-/wikis/migration/9.0?version_id=5fcd0a50e0872efb3c38a32db140506da8310d87#the-order-of-th-splices-is-more-important)).
  This affects `macaw-aarch32` and `macaw-symbolic`, as they separate top-level
  groups with `$(return [])` Template Haskell splices. The previous locations
  of these splices made it so that the TH-generated instances in that package
  were not available to any code before the splice, resulting in type errors
  when compiled with GHC 9.0.

  To overcome this, I rearranged the TH-generated instances so that they appear
  before the top-level groups that make use of them.
* GHC 9.0 now enables `-Wstar-is-type` in `-Wall`, so this patch replaces some
  uses of `*` with `Data.Kind.Type`. `Data.Kind` requires the use of GHC 8.0 or
  later, so this patch also updates thes lower bounds on `base` to `>= 4.9` in
  the appropriate `.cabal` files. (I'm fairly certain that this requirement was
  already present implicity, but better to be explicit about it.)
* The `asl-translator`, `crucible`, and `semmc` submodules were updated to
  allow them to build with GHC 9.0. The `llvm-pretty` and
  `llvm-pretty-bc-parser` submodules were also bumped to accommodate unrelated
  changes in `crucible` that were brought in.
* The upper version bounds on `doctest` in `macaw-symbolic`'s test suite were
  raised to allow it to build with GHC 9.0.
2022-01-10 16:40:23 -05:00
Tristan Ravitch
9ce3d43188
AArch32: Support conditional returns (#243)
Adds support in macaw-aarch32 for conditional returns. These are not supported in core macaw, and are thus architecture-specific block terminators.

This required changes to the type of arch-specific block terminators. Before, `ArchTermStmt` was only parameterized by a state thread (`ids`).  This meant that they could not contain macaw (or crucible) values.  Some work on. AArch32 requires being able to store condition values in arch terminators (to support conditional returns). This change modifies the `ArchTermStmt` to enable this, which requires a bit of plumbing through various definitions and some extra instances.

In support of actually using this, it also became necessary to plumb fallthrough block labels through the architecture-specific terminator translation in macaw-symbolic.

Note that this change was overdue, as the PowerPC backend was storing macaw values in a way that would have rendered them unusable in the macaw-ppc-symbolic translation, had any interpretation been provided.  These new changes will enable a handler to be written for the conditional PowerPC trap instructions.

PowerPC, x86, and ARM have been updated.

Improves the macaw-aarch32 tests. There is now a command line option to save the generated macaw IR for each
discovered function to /tmp. Note that this reuses some infrastructure from the macaw-symbolic tests. This
shared functionality should be extracted into a macaw-testing library.
2021-11-19 16:20:50 -08:00
Tristan Ravitch
2c85dce18e Expose block classification in the ArchitectureInfo
This change makes the block classifier heuristic part of the `ArchitectureInfo`
structure.  This enables clients and architecture backends to customize the
block classification heuristics.  This is most useful for architectures that
have complex architecture-specific block terminators that require analysis to
generate (e.g., conditional returns).  It will also make macaw-refinement
simpler in the future, as the SMT-based refinement is just an additional block
classifier (but is currently implemented via a hacky side channel).

This change introduces an ancillary change, which should not be very
user-visible.

It splits the Macaw.Discovery and Macaw.Discovery.State modules to break
module import cycles in a way that enables us to expose the classifier.  This
should not be user-visible, as Macaw.Discovery still exports the same
names (with one minor exception that should not appear in user code).

It also moves the definition of the `ArchBlockPrecond` type family; the few
affected places should be updated. User code should probably not be able to see
this.
2021-11-05 18:25:03 -07:00
Ryan Scott
49a6d9d7b8
stripPLTRead: Avoid referencing dropped IDs in ArchStates (#233)
It is possible for later `ArchState` updates to reference the `AssignId` of
the `AssignStmt` that is dropped as a part of `stripPLTRead`, so make sure to
prune such updates from the `ArchState` to avoid referencing the now
out-of-scope `AssignId`.
2021-09-28 09:17:20 -04:00
Joe Hendrix
4afe6fd82e Specify function name in register use error message 2021-07-12 11:59:43 -07:00
Joe Hendrix
a50faaebd1 Move isExecutableSegOff check in discovery 2021-06-13 11:55:08 -07:00
Joe Hendrix
cda1d50b28 Expand register use error reasons.
This allows architecture-specific functions to add additional detail.
2021-06-12 12:33:42 -07:00
Joe Hendrix
ad6573556b Cleanups, formatting changes, and remove unused functionality. 2021-06-10 14:09:04 -07:00
Joe Hendrix
7729de2d2c Fix typos in error message; export ArchAddrWidth 2021-06-05 16:07:03 -07:00
Joe Hendrix
e55ebc95cd WIP. Improved error messages 2021-05-27 14:13:13 -07:00
Joe Hendrix
8216088158 Invariant inference changes.
This refactors demand analysis so we export assignment inferred values
and also no longer compute demands for assigments when inference
infers a value for them.

This exposes more information but requires changes to consumers of
information.
2021-05-24 14:03:24 -07:00
Joe Hendrix
7db9baf439 Support elf-edit changes 2021-05-07 14:18:56 -07:00
Joe Hendrix
12c3829a1e Reorganize event reporting for Reopt compatibility. 2021-04-27 23:54:11 -07:00
Joe Hendrix
e2ae54cd04 Add error messages and generalize function argument analysis. 2021-04-27 23:54:11 -07:00
Joe Hendrix
3fb39610bb Export lower level function for getting memory from elf segments. 2021-04-27 23:54:11 -07:00
Joe Hendrix
b26a4e64d8 Declare BlockInvariantMap 2021-04-27 23:54:11 -07:00
Joe Hendrix
483cc25553 Relax requirement on pointer type byte size attribute. 2021-04-27 23:54:11 -07:00
Joe Hendrix
1cb86f771c Cleanup discovery; fix macaw-symbolic 2021-04-21 11:27:27 -07:00
Joe Hendrix
1dd776b636 Introduce incremental computation monad; use in discovery. 2021-04-21 11:27:27 -07:00
Kevin Quick
05f10ed6c9
Update ElfLoader error messages to be more generic. 2021-04-05 08:45:00 -07:00
Kevin Quick
b5c5ebcf42
Comment/haddock updates in ElfLoader. 2021-04-05 08:44:59 -07:00
Joe Hendrix
7f32ea5b42 Vector operations; widthEqSym 2021-03-23 21:58:37 -07:00
Joe Hendrix
19f0e9814e Remove unused import 2021-03-23 21:58:15 -07:00
Joe Hendrix
8756d2e9d3 Minor layout changes 2021-01-29 12:01:16 -08:00
Joe Hendrix
4abbe8817f Relax constraints on stack read/write for register use. 2021-01-29 12:00:58 -08:00
Joe Hendrix
6d1e47623d Provide jumptable layout info 2021-01-27 15:27:53 -08:00
Tristan Ravitch
a84fa82d90
Export the DwarfExpr constructor (#182)
This enables client code to decode the rest of the DWARF structure (which may
produce errors that we don't want to expose in the macaw-provided API).
2020-12-10 12:55:03 -08:00
Brian Huffman
b3af7d63e9 Use OverloadedStrings for the prettyprinter Doc type. 2020-12-02 17:23:47 -08:00
Brian Huffman
2a620d41de Switch from ansi-wl-pprint to the prettyprinter package.
This patch relies on the following submodule updates:
- GaloisInc/what4#77
- GaloisInc/elf-edit#20
- GaloisInc/crucible#586
- GaloisInc/asl-translator#28

This patch updates the following packages:
- macaw-base
- macaw-symbolic
- macaw-x86
- macaw-x86-symbolic
- macaw-aarch32
- macaw-ppc
- macaw-semmc
- macaw-refinement
2020-12-02 11:38:19 -08:00
Joe Hendrix
d977d72006 Minr format change. 2020-11-12 13:59:06 -08:00
Joe Hendrix
0ec2dae8e6 Minor refactorings to clarify and simplify macaw base. 2020-11-12 12:37:30 -08:00