Commit Graph

224 Commits

Author SHA1 Message Date
Andrew Kent
5906f34a63 doc: fix MemCmp docs w.r.t. semantics of return value 2021-09-10 16:16:41 -07:00
Tristan Ravitch
380d732d0e
Implement system call support for x86 (#226)
Implement support for symbolically executing system calls in macaw-symbolic. **To update code that does not need to symbolically execute system calls (i.e., most clients of macaw-symbolic), just pass the new `unsupportedSyscalls` default handler as the fifth argument of `macawExtensions`.**

The primary interface is via the new `LookupSyscallHandle` callback passed to `macawExtensions`. This callback inspects the environment and returns a Crucible `FunctionHandle` that models the behavior of the requested system call. Note that this mechanism only supports concrete system calls (i.e., system calls where the system call number is concrete). The x86 backend has been updated to support this new functionality.

The representation of system calls in macaw is still architecture-specific (because there are interesting differences between system call instructions across architectures). The idea is that system calls are now treated in two steps:
1. A macaw-symbolic extension statement that looks up the override to invoke for the given syscall (returned as a Crucible FunctionHandle)
2. A call to that handle

We need this two step approach because the handlers that interpret syntax extension statements cannot symbolically branch (and thus cannot call overrides). The extension interpreter just looks up the necessary handle and uses the standard call/override machinery to handle any branching required to support the system call model functionality.

The major complication to this approach is that system calls need to update values in registers when they return. To capture these updates, the architecture-specific syntax extension needs to explicitly update any machine registers that could possibly be affected. The explicit updates are necessary because machine registers do not exist anymore at the macaw-symbolic level (at least within a block). To handle all of these constraints:
1. System calls are represented as extension functions at the macaw level when lifted from machine code.
2. During translation into crucible (via macaw-symbolic), the extension functions are translated into two statements: a function handle lookup and then a function call (with the return values being explicitly threaded through the Crucible function).
3. During symbolic execution, the lookup statement examines the environment to return the necessary function handle, while the handle is called via the normal machinery.

Note that the feature is entirely controlled by the `LookupSyscallHandle` function, which determines the system call dispatch policy. No system call models are included with this change.

Co-authored-by: Brett Boston <boston@galois.com>
2021-08-27 15:47:40 -07:00
Joe Hendrix
cdc90bd846 Update to more recent flexdis 2021-06-14 13:22:46 -07:00
Joe Hendrix
ceb64be843 Sort x86 functions for easier browsing. 2021-04-27 23:54:11 -07:00
Sam Breese
8a0c760886
x86: Add semantics for SHA256 instructions (#196)
* Add semantics for SHA256 instructions

* Use an additional helper function

* Address comments
2021-03-30 18:32:35 -04:00
Joe Hendrix
8756d2e9d3 Minor layout changes 2021-01-29 12:01:16 -08:00
Sam Breese
d5e4a441cd
x86: Add semantics for aesimc (#177)
* x86: Add semantics for aesimc

* x86: Use safeSymbol rather than userSymbol
2021-01-11 13:24:16 -05:00
Sam Breese
2bd0633ba8
x86: Fix semantics for pinsrw, add semantics for pinsr{b,d,q} (#183)
* x86: Fix semantics for pinsrw, add semantics for pinsr{b,d,q}

* x86: Add comments on exec_pinsrx parameters
2020-12-22 15:44:55 -05:00
Brian Huffman
b3af7d63e9 Use OverloadedStrings for the prettyprinter Doc type. 2020-12-02 17:23:47 -08:00
Brian Huffman
2a620d41de Switch from ansi-wl-pprint to the prettyprinter package.
This patch relies on the following submodule updates:
- GaloisInc/what4#77
- GaloisInc/elf-edit#20
- GaloisInc/crucible#586
- GaloisInc/asl-translator#28

This patch updates the following packages:
- macaw-base
- macaw-symbolic
- macaw-x86
- macaw-x86-symbolic
- macaw-aarch32
- macaw-ppc
- macaw-semmc
- macaw-refinement
2020-12-02 11:38:19 -08:00
Sam Breese
2a56e404bd
x86: Special case for sbb with duplicated operand (#176)
This better handles cases like sbb rax, rax, where we know that the result will be -cf regardless of the value in rax.
2020-11-18 04:19:27 -05:00
Joe Hendrix
d2b81d3c2f Fixes for jump table tests.
* Update macaw-x86-tests to build properly.
* Fix off by two error in memMapOverwrite
* Introduce some special handling for unsigned-extension in stack
  analysis so it knows one value is the unsigned extension of another.
* Error report formating improvements
* Slightly more precise treatment of archfn is bound updates.
2020-11-12 11:25:30 -08:00
Joe Hendrix
22a9104faa Various cleanups.
Consolidate three different checks that control when to explore
a function into a single one defined in exploreFunPred.

Modify noreturn function calls to not treat the return address
as a potential function entry point.

Add basic checking of LSDA address to compare-dwarfdump.

Minor code refactoring and submodule updates.
2020-11-06 14:37:13 -08:00
Joe Hendrix
9203a37b94 Minor cleanups; dwarf updates 2020-11-06 14:35:06 -08:00
Lisanna Dettwyler
47544e4b2d Fix warnings in GHC 8.10 2020-10-20 13:53:22 -07:00
Sam Breese
34e7394c14
x86: Implement semantics for a few instructions (#167)
* x86: Add aesenc, aesenclast, aesdec, aesdeclast

* x86: Add vpcmpgtd

* WIP

* Implement Pshufb

* Fix AESNI_AESEncLast.

* Fix PtCmpGt.

* Refactor AESNI instructions a bit

* Finish refactoring

* Forgot MultiWayIf

* Reduce duplication a bit

* Address comments

Co-authored-by: Andrei Stefanescu <andrei@stefanescu.io>
2020-10-08 19:37:17 -04:00
Sam Breese
5fdfdb2eaa
x86: Add some entries to the export list of Data.Macaw.X86 (#164) 2020-10-08 18:25:30 -04:00
Sam Breese
b248cf7f45
x86: Add semantics for vpunpckhqdq, vxorps, vpaddb, and movbe (#155)
* Add semantics for vpunpckhqdq

* Add semantics for movbe

* Add semantics for vxorps and vpaddb
2020-08-20 14:50:20 -04:00
Sam Breese
48737990f3
x86: Add semantics for some AVX2 instructions (#149)
* x86: Add semantics for the vpsrld and vpsrlq instructions

* x86: Add semantics for vpaddq

* Fix Haddock for PointwiseLogicalShiftR

* x86: Change vpsubd to PtSub rather than PtAdd
2020-07-14 14:41:16 -04:00
Tristan Ravitch
b160e480a7
x86: Add semantics for the endbr instructions (#147)
This change treats them as no-ops (which is what they do on all released
hardware).  We could represent them with arch extensions.  This has a supporting
change in flexdis86 (included as a submodule).
2020-06-25 13:43:15 -07:00
Sam Breese
02c6cc3cb5
Handle bitwise operations on stack offset abstract values (#136)
- Generalize handling of bitwise operations to also apply them to stack offsets
- Use the extended bitwise handling on AND
2020-05-28 14:04:06 -04:00
Brian Huffman
f65c80d7b1 Make code compile without warnings in ghc-8.6 and ghc-8.8. 2020-04-23 20:22:30 -07:00
Tristan Ravitch
c825332f39
Update/ghc 8.8 (#112)
Updates for GHC 8.8

The two main classes of update are related to MonadFail and type alias expansion.

The MonadFail updates introduce explicit MonadFail instances and backward-compatible `fail` implementations under `Monad` for older GHC versions.

The type alias expansion rules changed in GHC 8.8 in a way that breaks the `Simple Lens` idiom; instead, we have to use `Lens'`.  Lens started supporting this alias in version 3.8, which was released in 2013.

This change includes necessary submodule updates, as well as the update for the split of what4 into its own repository.
2020-03-03 13:28:26 -08:00
Joe Hendrix
46be7aa52b Implement new registerUse analysis.
The new registerUse analysis uses a three phase process:

Phase 1 computes invariants about the start state of each block.  It
will indicate when registers/stack locations store stack offsets, and
where callee saved registers are stashed.  It also memoizes
information about stack reads and writes to simplify later passes.

Phase 2 is a demand analysis that computes which registers and stack
locations must be available to execute the program.  It then
propagates those constraints across blocks in the function.

Phase 3 combines the information into a form relevant for function
recovery.
2020-02-06 19:26:46 -08:00
Samuel Breese
fb1611a127
Semantics for MULX from BMI2 and all of ADX 2019-12-19 10:43:54 -05:00
Joe Hendrix
1ed99917b4
Add testcase for non-zero index jumptable. 2019-12-04 14:31:45 -08:00
Joe Hendrix
df9b5bbe27
Support for offset jump tables. 2019-11-19 14:52:58 -08:00
Joe Hendrix
1be68af2a0
Fix warnings. 2019-10-21 21:18:54 -07:00
Joe Hendrix
81d0469fbe
Group mod/div x86 functions. 2019-10-21 14:59:43 -07:00
Joe Hendrix
744424d28b
Remove unused X86PrimLoc. 2019-09-20 15:19:37 -07:00
Joe Hendrix
5e834122d1
Segment register updates; stack offset calculation. 2019-09-20 13:58:05 -07:00
Joe Hendrix
7aee0cd803
Remove unused debug reg code. 2019-09-09 00:55:28 -07:00
Joe Hendrix
3dc9463b8d
Remove unused control register code. 2019-09-09 00:50:07 -07:00
Joe Hendrix
df95e65987
Various changes to support VCG.
The changes include:

  Clean up elf loading to fix a bug in rel addend parsing.

  Introduce block preconditions for populating reopt-vcg fields.

  Change load options to match reopt's interface.
2019-09-04 23:21:23 -07:00
Joe Hendrix
0ad6ed8a85
Minor cleanup 2019-08-29 23:50:25 -07:00
Joe Hendrix
0767302c21
Add .gitignore for assembly files. 2019-08-27 16:42:08 -07:00
Joe Hendrix
433df7399e
Additional Hashable instances for Macaw/hashtable compatibility. 2019-08-27 16:40:16 -07:00
Joe Hendrix
821d434370
Add support for equalities in jump table bounds. 2019-08-27 16:39:41 -07:00
Joe Hendrix
c2545b1bb1
Work-in-progres: Cleanups to discovery for jumpbounds improvements. 2019-08-23 01:11:52 -07:00
Joe Hendrix
494aff6ff0
This makes a number of changes to abstract domains.
The goal is to support a jumptable testcase that is not supported by
the current jump bounds check.  The jump bounds check needs to be
augmented so that it understands equality relationships between stack
values and registers, and bounds on both.

This patch tracks when a register points to a concrete stack offset.

As part of this, we droped the AbsDomain instance for AbsBlockState.
Clients should now likely use `fnStartAbsBlockState` in lieu of `top`.

The other client visible change is that the ClassifyFailure
constructor now has an extra argument with details about why
classification failure occured.
2019-08-21 23:29:16 -07:00
Joe Hendrix
073e774a43
Introduce CValue; clarify function arguments fields.
This introduces a new datatype CValue for representing constants
in Macaw programs, modifies the existing Value datatype to use then,
and introduces patterns for compatibility with existing datatypes.

The patch also updates the function argument analysis to use more
explicit argument passing rather than monadic updates.  The intent is
to help clarify when data is initialized rather than updated.

Finally this updates a README and does some minor updates.
2019-08-06 09:37:41 -07:00
Joe Hendrix
06b0390cfd
Fix missing import in x86 2019-07-01 17:13:06 -07:00
Joe Hendrix
17c09c974f
Bump submodules; clarify stack offset abstract values 2019-07-01 16:35:47 -07:00
Joe Hendrix
ee6f1379ae
Additional cleanup to function args; bump versions.
This also provides some exports needed by Reopt.
2019-06-12 15:26:19 -07:00
Joe Hendrix
1607e83eef
Minor refactoring; improved branch abstract state propagation.
This primarily refines the abstract state propagated to branch
pairs.  It was needed on the ARM platform to support the IT blocks
with the changes to the Core representation in macaw-base 0.3.6.

This also includes a few simplifications added and comment
improvements.
2019-05-14 17:45:30 -07:00
Joe Hendrix
c6a7ba7cd6
Rename pblock fields to be more descriptive. 2019-04-29 22:21:10 -07:00
Joe Hendrix
327003ae56
Fix test case. 2019-04-29 22:04:21 -07:00
Joe Hendrix
3331a19571
Drop support for branches within blocks. 2019-04-28 13:19:20 -07:00
Joe Hendrix
2d12aea63b
Merge branch 'jhx/bump-submodules' into jhx/cond-write 2019-04-26 10:38:50 -07:00
Joe Hendrix
89f89e9ce6
This adds a conditional memory write to macaw. 2019-04-17 11:15:12 -07:00