add flow insensitive analysis for GOT rewriting

plus support swith statement jump for rewriting

Author: yellowbyte

.github/workflows/build.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - dev
       - main
+      - instrument-framework
 jobs:
   execute-tests-ubuntu22:
     runs-on: ubuntu-22.04

Makefile

@@ -3,7 +3,7 @@
 all:
 	test/test_all.py -a -c
 	test/test_instrument.sh 2>&1 | tee test.instrument
-	rm src/points.ins src/fun.o
+	rm src/points.ins src/fun.o || true
 	test/test_action.sh 2>&1 | tee test.all
 	test/test_coreutils.sh 2>&1 | tee test.coreutils
 

src/ail.ml

@@ -9,42 +9,48 @@ open Cg
 open Ail_utils
 
 
-
 class ail =
 object (self)
   val mutable funcs : func list = []
   val mutable secs: section list = []
   val mutable intrs: string list = []
   val mutable instrs_list: instr list = []
   val mutable datas: string list = []
-  val mutable g_bss: (string*string*string) list = []
+  val mutable g_bss: (string * string * string) list = []
 
-  method sections =
+  method sections : unit =
     let filelines = File.lines_of "sections.info"
     and help l =
       let items = Str.split (Str.regexp " +") l in
       let addr = int_of_string ("0x"^(List.nth items 1))
       and size = int_of_string ("0x"^(List.nth items 3))
       and secname = List.nth items 0 in
-      secs <- {sec_name=secname; sec_begin_addr=addr;
-               sec_size=size}::secs
+      secs <- {
+        sec_name = secname;
+        sec_begin_addr = addr;
+        sec_size = size
+      } :: secs
     in
     Enum.iter help filelines
 
-  method externfuncs =
+  method externfuncs : unit =
     let filelines = File.lines_of "externfuncs.info"
     and help l =
       let items = Str.split (Str.regexp " +") l in
       let addr = int_of_string ("0x"^(List.nth items 0))
       and func = List.nth items 1 in
-      funcs <- {func_name=func; func_begin_addr=addr; func_end_addr = 0;
-                is_lib=true}::funcs
+      funcs <- {
+        func_name = func;
+        func_begin_addr = addr;
+        func_end_addr = 0;
+        is_lib = true
+      } :: funcs
     in
     Enum.iter help filelines
 
-  (* in stripped binary, any user functions' information has been stripped
+  (** in stripped binary, any user functions' information has been stripped
    *  so slicing function class really does the job *)
-  method userfuncs =
+  method userfuncs : unit =
     let filelines = File.lines_of "userfuncs.info"
     and help l =
       if String.exists l "-0x" || String.exists l "+0x" then
@@ -58,28 +64,35 @@ object (self)
           let funname' = String.sub funname 1 (len-3) in
           if String.exists funname' "@@" then
             let fn = List.nth (Str.split (Str.regexp_string "@@") funname') 0 in
-            funcs <- {func_name=fn; func_begin_addr=addr; func_end_addr = 0;
-                    is_lib=false}::funcs
+            funcs <- {
+              func_name = fn;
+              func_begin_addr = addr;
+              func_end_addr = 0;
+              is_lib = false
+            } :: funcs
           else
-          funcs <- {func_name=funname'; func_begin_addr=addr; func_end_addr = 0;
-                    is_lib=false}::funcs
+          funcs <- {
+            func_name = funname';
+            func_begin_addr = addr;
+            func_end_addr = 0;
+            is_lib = false
+          } :: funcs
         end
     in
     Enum.iter help filelines
 
-
-  method get_userfuncs =
+  method get_userfuncs : func list =
     List.filter (fun f -> f.is_lib=false) funcs
 
-  method externdatas =
+  method externdatas : unit =
     let filelines = File.lines_of "externdatas.info"
     and help l =
       let data = String.trim l in
       datas <- data::datas
     in
     Enum.iter help filelines
 
-  method global_bss =
+  method global_bss : unit =
     let filelines = File.lines_of "globalbss.info"
     and help l =
       let items = Str.split (Str.regexp " +") l in
@@ -88,11 +101,11 @@ object (self)
       let addr' = String.uppercase_ascii addr
       and rtype = List.nth items 1
       and n = String.trim (List.nth items 2) in
-      g_bss <- (addr', rtype, n)::g_bss
+      g_bss <- (addr', rtype, n) :: g_bss
     in
     Enum.iter help filelines
 
-  method ail_dump =
+  method ail_dump : unit =
     (* currently we just dump the extern function info *)
     let check_sym_func f =
       try
@@ -106,23 +119,23 @@ object (self)
      |> List.iter (fun l -> Printf.fprintf oc "extern %s\n" l.func_name));
     close_out oc
 
-  method ehframe_dump =
-    ignore (Sys.command("cat eh_frame.data >> final.s"))
+  method ehframe_dump : unit =
+    ignore ( Sys.command ("cat eh_frame.data >> final.s") )
 
-  method excpt_tbl_dump =
-    ignore (Sys.command("cat gcc_exception_table.data >> final.s"))
+  method excpt_tbl_dump : unit =
+    ignore ( Sys.command ("cat gcc_exception_table.data >> final.s") )
 
-  method post_process f (arch : string) = 
-    ignore (Sys.command ("python3 main_discover.py " ^ " " ^ f ^ " " ^ arch));
-    ignore (Sys.command("python3 post_process.py "^arch));
-    ignore (Sys.command("python3 post_process_lib.py"))
+  method post_process (f : string) (arch : string) : unit =
+    ignore ( Sys.command ("python3 main_discover.py " ^ " " ^ f ^ " " ^ arch) );
+    ignore ( Sys.command ("python3 post_process.py "^arch) );
+    ignore ( Sys.command ("python3 post_process_lib.py") )
     (*
     self#ehframe_dump;
     self#excpt_tbl_dump;
     *)
 
-  method pre_process =
-    ignore (Sys.command("python3 pre_process.py"))
+  method pre_process : unit =
+    ignore ( Sys.command ("python3 pre_process.py") )
 
   method instr_process (f : string) (arch : string) : unit =
     let open Disassemble_process in
@@ -138,9 +151,9 @@ object (self)
 
     let fbl, bbl, cfg_t, cg, il', re, ufl = A.analyze_one il fl re in
 
-    let il', ufl', fch = S.apply il' ufl in
+    let il', ufl', fch = S.apply il' ufl f in
 
-    let instrumented_il =
+    let instrumented_il : instr list =
       I.apply ~instrs:il' ~fbl ~bbl ~funcs:ufl' ~fname_callsites:fch
     in
 

src/ail_utils.ml

@@ -28,6 +28,12 @@ module IntSet = Set.Make(
 
 module StringSet = Set.Make(String)
 
+let stub_loc : loc = {
+  loc_label = "";
+  loc_addr = 0;
+  loc_visible = true
+}
+
 let read_lines (filename : string) : string list =
   File.with_file_in filename (fun input ->
     List.of_enum (IO.lines_of input)
@@ -103,6 +109,14 @@ let string_to_int32 s =
 let compare_loc l1 l2 =
   l1.loc_addr = l2.loc_addr && (l1.loc_label = l2.loc_label)
 
+let get_tags i =
+  match i with
+  | SingleInstr (_, _, _, tags) -> tags
+  | DoubleInstr (_, _, _, _, tags) -> tags
+  | TripleInstr (_, _, _, _, _, tags) -> tags
+  | FourInstr (_, _, _, _, _, _, tags) -> tags
+  | FifInstr (_, _, _, _, _, _, _, tags) -> tags
+
 let get_loc i =
   match i with
   | SingleInstr (_, l, _, _) -> l
@@ -1445,34 +1459,10 @@ module Func_utils = struct
         (*aux "S_0x80541C5" (Hashtbl.find func2cfg_table "S_0x80541C5")*)
         Hashtbl.iter aux func2cfg_table
 
-      let func2cfg (il : instr list) funcs =
-        let func2il il =
-          let func2il_table = Hashtbl.create 40 in
-          let rec slice_il fl il =
-            match (fl,il) with
-            | ([], il') -> func2il_table
-            | (hf::tf, []) -> func2il_table
-            | (hf::tf, hi::ti) ->
-              begin
-                let f_ba = hf.func_begin_addr in
-                let f_ea = hf.func_end_addr in
-                let i_loc = get_loc hi in
-                let i_addr = i_loc.loc_addr in
-                if i_addr >= f_ba && i_addr < f_ea then
-                  begin
-                    if Hashtbl.mem func2il_table hf.func_name then
-                      let hf_il = Hashtbl.find func2il_table hf.func_name in
-                      Hashtbl.replace func2il_table hf.func_name (hi::hf_il)
-                    else
-                      Hashtbl.add func2il_table hf.func_name [hi];
-                    slice_il fl ti
-                  end
-                else
-                  slice_il tf il
-              end
-          in
-          slice_il funcs il
-        in
+      let func2cfg
+          (il : instr list)
+          (funcs : func list)
+        : (string, cfgi) Hashtbl.t =
         let is_ct op =
           match op with
           | Intel_OP io -> (
@@ -1494,7 +1484,74 @@ module Func_utils = struct
               | _ -> None)
           | _ -> None
         in
-        let add_edge curr_cfg (i_from:instr option) (i_to:instr option) : (instr option, instr option list) Hashtbl.t =
+        let fb2fn funcs d =
+          match List.find_opt (fun f -> f.func_begin_addr = d) funcs with
+          | Some f -> Some f.func_name
+          | None -> None
+        in
+        let func2il il =
+          let func2il_table = Hashtbl.create 40 in
+          let worklist = Queue.create () in
+          let rec slice_il
+              (fl : func list)
+              (il : instr list)
+            : (string, instr list) Hashtbl.t =
+            match (fl,il) with
+            | ([], il') -> func2il_table
+            | (hf :: tf, []) -> func2il_table
+            | (hf :: tf, hi :: ti) ->
+              begin
+                let f_ba = hf.func_begin_addr in
+                let f_ea = hf.func_end_addr in
+                let i_loc = get_loc hi in
+                let i_addr = i_loc.loc_addr in
+                if i_addr >= f_ba && i_addr < f_ea then
+                  begin
+                    if Hashtbl.mem func2il_table hf.func_name then
+                      let hf_il = Hashtbl.find func2il_table hf.func_name in
+                      Hashtbl.replace func2il_table hf.func_name (hi :: hf_il)
+                    else Hashtbl.add func2il_table hf.func_name [hi];
+                    let _ = match get_ct_des hi with
+                    | Some d ->
+                      if d >= f_ea then
+                        begin
+                          match fb2fn funcs d with
+                          | Some fn ->
+                            Queue.push (hf.func_name, fn) worklist
+                          | None -> ()
+                        end
+                    | None -> () in
+                    slice_il fl ti
+                  end
+                else
+                  slice_il tf il
+              end
+          in
+          let func2il' = slice_il funcs il in
+          while not (Queue.is_empty worklist) do
+            let (fn, fn2) = Queue.pop worklist in
+            match Hashtbl.find_opt func2il' fn with
+            | Some f_il ->
+              begin
+                match Hashtbl.find_opt func2il' fn2 with
+                | Some f_il2 ->
+                  Hashtbl.replace func2il' fn (f_il @ f_il2);
+                  Hashtbl.remove func2il' fn2
+                | None -> ()
+              end
+            | None -> ()
+            (*let f_il = Hashtbl.find func2il' fn in
+            let f_il2 = Hashtbl.find func2il' fn2 in
+            Hashtbl.replace func2il' fn (f_il @ f_il2);
+            Hashtbl.remove func2il' fn2*)
+          done;
+          func2il'
+        in
+        let add_edge
+            curr_cfg
+            (i_from : instr option)
+            (i_to : instr option)
+          : (instr option, instr option list) Hashtbl.t =
           if Hashtbl.mem curr_cfg i_from then
             let existing_edges = Hashtbl.find curr_cfg i_from in
             Hashtbl.replace curr_cfg i_from (i_to :: existing_edges)
@@ -1504,7 +1561,7 @@ module Func_utils = struct
         in
         let func2cfg_table = Hashtbl.create 40 in
         let func2il_table = func2il il in
-        let rec create_cfg f (f_il:instr list) pred_cfg succ_cfg =
+        let rec create_cfg f (f_il : instr list) pred_cfg succ_cfg =
           match f_il with
           | [] ->
             let ordered_il = List.rev (Hashtbl.find func2il_table f.func_name) in

src/cfg.ml

@@ -290,7 +290,7 @@ class cfg =
     method visit il =
       let last_i = List.nth il (List.length il - 1) in
       end_loc <- get_loc last_i;
-      let il' = List.map self#vinst il in
+      let il' = List.map self#vinst' il in
       bl <- self#update_bl;
       self#fb_list bl;
       let bl' = List.sort (fun b1 b2 ->