718467815b
We now thread a snapshot of the register state from the beginning of the instruction evaluation through each instruction's semantics instead of re-fetching register values each time we need it and potentially seeing incorrect, partially modified register values. |
||
---|---|---|
doc | ||
macaw-arm | ||
macaw-ppc | ||
macaw-ppc-symbolic | ||
macaw-semmc | ||
submodules | ||
.gitignore | ||
.gitmodules | ||
cabal.project.dist | ||
README.org | ||
stack-ghc-8.2.yaml |
Overview
The high level goal is to write and/or generate architecture-specific backends for macaw based on the semantics discovered by semmc. In particular, we are interested in making macaw-ppc and macaw-arm. We will hand-write some of the code, but we will generate as much as possible automatically. We will read in the semantics files generated by semmc and use Template Haskell to generate a function that transforms machine states according to the learned semantics.
We will implement a base package (macaw-semmc) that provides shared infrastructure for all of our backends; this will include the Template Haskell function to create a state transformer function from learned semantics files.
Repository Layout
macaw-semmc
contains the architecture-independent components of the translation from semmc semantics into macaw IR.macaw-ppc
implements the PowerPC-specific backend of the translation.macaw-ppc-symbolic
implements a translation of macaw IR (with PowerPC architecture-specific functions) into Crucible IR, which is suitable for symbolic execution.macaw-arm
implements the ARM-specific backend of the translation.
Building
The dependencies of this project that are not available on Hackage are tracked via git submodules. To build with a reasonably modern version of cabal
(i.e., one that supports new-build
):
$ git submodule update --init
$ ln -s cabal.project.dist cabal.project
$ cabal new-configure
$ cabal new-build macaw-ppc
To build with stack
:
$ git submodule update --init
# Choose one of the provided GHC version-specific
# stack-ghc-<version>.yaml files, e.g. stack-ghc-8.2.yaml.
$ ln -s stack-ghc-<version>.yaml stack.yaml
$ stack build
Code dependencies and related packages
- macaw (binary code discovery)
- macaw-x86 (x86_64 backend for macaw)
- semmc (semantics learning and code synthesis)
- semmc-ppc (PowerPC backend for synthesis)
- dismantle-tablegen (disassembler infrastructure)
- dismantle-ppc (PowerPC disassembler)
- crucible (interface to SMT solvers)
- parameterized-utils (utilities for working with parameterized types)
Semantics background
The semmc library is designed to learn semantics for machine code
instructions. Its output, for each Instruction Set Architecture (ISA), is a
directory of files where each file contains a formula corresponding to the
semantics for an opcode in the ISA. For example, the ADDI.sem
file
contains the semantics for the add immediate instruction in PowerPC.
There are functions in semmc for dealing with this representation.
Formulas are loaded into a data type called ParameterizedFormula
, which
contains formula fragments based on the ExprBuilder
representation of
crucible. This can be thought of as a convenient representation of SMT
formulas.
Status
This codebase is a work in progress. PowerPC support (both 32 and 64 bit) is reasonably robust. Support for ARM is ongoing.
License
This code is made available under the BSD3 license and without any support.