A jump-table model assisted by pseudo-op directives in the code. More...
#include <jumptable.hh>
Public Member Functions | |
| JumpAssisted (JumpTable *jt) | |
| Constructor. | |
| virtual bool | isOverride (void) const |
| Return true if this model was manually overridden. | |
| virtual int4 | getTableSize (void) const |
| Return the number of entries in the address table. | |
| virtual bool | recoverModel (Funcdata *fd, PcodeOp *indop, uint4 matchsize, uint4 maxtablesize) |
| Attempt to recover details of the model, given a specific BRANCHIND. More... | |
| virtual void | buildAddresses (Funcdata *fd, PcodeOp *indop, vector< Address > &addresstable, vector< LoadTable > *loadpoints) const |
| Construct the explicit list of target addresses (the Address Table) from this model. More... | |
| virtual void | findUnnormalized (uint4 maxaddsub, uint4 maxleftright, uint4 maxext) |
| Recover the unnormalized switch variable. More... | |
| virtual void | buildLabels (Funcdata *fd, vector< Address > &addresstable, vector< uintb > &label, const JumpModel *orig) const |
| Recover case labels associated with the Address table. More... | |
| virtual Varnode * | foldInNormalization (Funcdata *fd, PcodeOp *indop) |
| Do normalization of the given switch specific to this model. More... | |
| virtual bool | foldInGuards (Funcdata *fd, JumpTable *jump) |
| Eliminate any guard code involved in computing the switch destination. More... | |
| virtual bool | sanityCheck (Funcdata *fd, PcodeOp *indop, vector< Address > &addresstable) |
| Perform a sanity check on recovered addresses. More... | |
| virtual JumpModel * | clone (JumpTable *jt) const |
| Clone this model. | |
| virtual void | clear (void) |
| Clear any non-permanent aspects of the model. | |
 Public Member Functions inherited from JumpModel | |
| JumpModel (JumpTable *jt) | |
| Construct given a parent jump-table. | |
| virtual | ~JumpModel (void) |
| Destructor. | |
| virtual void | saveXml (ostream &s) const |
| Save this model as an XML tag. | |
| virtual void | restoreXml (const Element *el, Architecture *glb) |
| Restore this model from an XML tag. | |
Private Attributes | |
| PcodeOp * | assistOp |
| The jumpassist PcodeOp. | |
| JumpAssistOp * | userop |
| The jumpassist p-code models. | |
| int4 | sizeIndices |
| Total number of indices in the table (not including the defaultaddress) | |
| Varnode * | switchvn |
| The switch variable. | |
Additional Inherited Members | |
| Protected Attributes inherited from JumpModel | |
| JumpTable * | jumptable |
| The jump-table that is building this model. | |
Detailed Description
A jump-table model assisted by pseudo-op directives in the code.
This model looks for a special jumpassist pseudo-op near the branch site, which contains p-code models describing how to parse a jump-table for case labels and addresses. It views the switch table calculation as a two-stage process:
- case2index: convert the switchvar to an index into a table
- index2address: convert the index to an address
The pseudo-op holds:
- the table address, size (number of indices)
- exemplar p-code for inverting the case2index part of the calculation
- exemplar p-code for calculating index2address
Member Function Documentation
|
virtual |
Construct the explicit list of target addresses (the Address Table) from this model.
The addresses produced all come from the BRANCHIND and may not be deduped. Alternate guard destinations are not yet included.
- Parameters
-
fd is the function containing the switch indop is the root BRANCHIND of the switch addresstable will hold the list of Addresses loadpoints if non-null will hold LOAD table information used by the model
Implements JumpModel.
References ExecutablePcode::evaluate(), PcodeOp::getAddr(), Funcdata::getArch(), PcodeInjectLibrary::getPayload(), Address::getSpace(), Architecture::pcodeinjectlib, and InjectPayload::sizeInput().
|
virtual |
Recover case labels associated with the Address table.
The unnormalized switch variable must already be recovered. Values that the normalized switch value can hold or walked back to obtain the value that the unnormalized switch variable would hold. Labels are returned in the order provided by normalized switch variable iterator JumpValues.
- Parameters
-
fd is the function containing the switch addresstable is the address table (used to label code blocks with bad or missing labels) label will hold recovered labels in JumpValues order orig is the JumpModel to use for the JumpValues iterator
Implements JumpModel.
References ExecutablePcode::evaluate(), Funcdata::getArch(), PcodeInjectLibrary::getPayload(), Architecture::pcodeinjectlib, and InjectPayload::sizeInput().
|
inlinevirtual |
Recover the unnormalized switch variable.
The normalized switch variable must already be recovered. The amount of normalization between the two switch variables can be restricted.
- Parameters
-
maxaddsub is a restriction on arithmetic operations maxleftright is a restriction on shift operations maxext is a restriction on extension operations
Implements JumpModel.
Eliminate any guard code involved in computing the switch destination.
We now think of the BRANCHIND as encompassing any guard function.
- Parameters
-
fd is the function containing the switch jump is the JumpTable owning this model.
Implements JumpModel.
References JumpTable::getDefaultBlock(), and JumpTable::setLastAsMostCommon().
Do normalization of the given switch specific to this model.
The PcodeOp machinery is removed so it looks like the CPUI_BRANCHIND simply takes the switch variable as an input Varnode and automatically interprets its values to reach the correct destination.
- Parameters
-
fd is the function containing the switch indop is the given switch as a CPUI_BRANCHIND
- Returns
- the Varnode holding the final unnormalized switch variable
Implements JumpModel.
References Varnode::beginDescend(), Varnode::endDescend(), Funcdata::opDestroy(), Funcdata::opSetInput(), and JumpBasic::switchvn.
|
virtual |
Attempt to recover details of the model, given a specific BRANCHIND.
This generally recovers the normalized switch variable and any guards.
- Parameters
-
fd is the function containing the switch indop is the given BRANCHIND matchsize is the expected number of address table entries to recover, or 0 for no expectation maxtablesize is maximum number of address table entries to allow in the model
- Returns
- true if details of the model were successfully recovered
Implements JumpModel.
References CPUI_CALLOTHER, ExecutablePcode::evaluate(), Funcdata::getArch(), Varnode::getDef(), PcodeOp::getIn(), Varnode::getOffset(), UserOpManage::getOp(), PcodeInjectLibrary::getPayload(), Varnode::isWritten(), Architecture::pcodeinjectlib, InjectPayload::sizeInput(), JumpBasic::switchvn, and Architecture::userops.
|
inlinevirtual |
Perform a sanity check on recovered addresses.
Individual addresses are checked against the function or its program to determine if they are reasonable. This method can optionally remove addresses from the table. If it does so, the underlying model is changed to reflect the removal.
- Parameters
-
fd is the function containing the switch indop is the root BRANCHIND of the switch addresstable is the list of recovered Addresses, which may be modified
- Returns
- true if there are (at least some) reasonable addresses in the table
Implements JumpModel.
The documentation for this class was generated from the following files:
- jumptable.hh
- jumptable.cc
