Merge remote-tracking branch 'origin/emteere_GT-2723' into Ghidra_9.0.2

Ghidra/Features/Base/src/main/java/ghidra/app/plugin/core/analysis/ConstantPropagationAnalyzer.java

@@ -67,10 +67,16 @@ public class ConstantPropagationAnalyzer extends AbstractAnalyzer {
 	protected static final int MINKNOWNREFADDRESS_OPTION_DEFAULT_VALUE = 4;
 
 	protected static final String MINSPECULATIVEREFADDRESS_OPTION_NAME =
-		"Min speculative reference";
+		"Speculative reference min";
 	protected static final String MINSPECULATIVEREFADDRESS_OPTION_DESCRIPTION =
 		"Minimum speculative reference address for offsets and parameters";
 	protected static final int MINSPECULATIVEREFADDRESS_OPTION_DEFAULT_VALUE = 1024;
+	
+	protected static final String MAXSPECULATIVEREFADDRESS_OPTION_NAME =
+			"Speculative reference max";
+	protected static final String MAXSPECULATIVEREFADDRESS_OPTION_DESCRIPTION =
+			"Maxmimum speculative reference address offset from the end of memory for offsets and parameters";
+	protected static final int MAXSPECULATIVEREFADDRESS_OPTION_DEFAULT_VALUE = 256;
 
 	protected final static int NOTIFICATION_INTERVAL = 100;
 
@@ -80,6 +86,7 @@ public class ConstantPropagationAnalyzer extends AbstractAnalyzer {
 	protected int maxThreadCount = MAXTHREADCOUNT_OPTION_DEFAULT_VALUE;
 	protected long minStoreLoadRefAddress = MINKNOWNREFADDRESS_OPTION_DEFAULT_VALUE;
 	protected long minSpeculativeRefAddress = MINSPECULATIVEREFADDRESS_OPTION_DEFAULT_VALUE;
+	protected long maxSpeculativeRefAddress = MAXSPECULATIVEREFADDRESS_OPTION_DEFAULT_VALUE;
 
 	protected boolean followConditional = false;
 
@@ -391,7 +398,7 @@ public class ConstantPropagationAnalyzer extends AbstractAnalyzer {
 			throws CancelledException {
 		
 		ContextEvaluator eval = new ConstantPropagationContextEvaluator(trustWriteMemOption,
-			minStoreLoadRefAddress, minSpeculativeRefAddress);
+			minStoreLoadRefAddress, minSpeculativeRefAddress, maxSpeculativeRefAddress);
 
 		return symEval.flowConstants(flowStart, flowSet, eval, true, monitor);
 	}
@@ -461,9 +468,13 @@ public class ConstantPropagationAnalyzer extends AbstractAnalyzer {
 			MINKNOWNREFADDRESS_OPTION_DESCRIPTION);
 
 		long size = program.getAddressFactory().getDefaultAddressSpace().getSize();
-		minSpeculativeRefAddress = size * 8;
+		minSpeculativeRefAddress = size * 16;
 		options.registerOption(MINSPECULATIVEREFADDRESS_OPTION_NAME, minSpeculativeRefAddress, null,
 			MINSPECULATIVEREFADDRESS_OPTION_DESCRIPTION);
+		
+		maxSpeculativeRefAddress = size * 8;
+		options.registerOption(MAXSPECULATIVEREFADDRESS_OPTION_NAME, maxSpeculativeRefAddress, null,
+			MAXSPECULATIVEREFADDRESS_OPTION_DESCRIPTION);
 	}
 
 	@Override
@@ -479,6 +490,8 @@ public class ConstantPropagationAnalyzer extends AbstractAnalyzer {
 			options.getLong(MINKNOWNREFADDRESS_OPTION_NAME, minStoreLoadRefAddress);
 		minSpeculativeRefAddress =
 			options.getLong(MINSPECULATIVEREFADDRESS_OPTION_NAME, minSpeculativeRefAddress);
+		maxSpeculativeRefAddress =
+				options.getLong(MAXSPECULATIVEREFADDRESS_OPTION_NAME, maxSpeculativeRefAddress);
 	}
 
 }

Ghidra/Features/Base/src/main/java/ghidra/app/plugin/core/analysis/ConstantPropagationContextEvaluator.java

@@ -42,7 +42,9 @@ public class ConstantPropagationContextEvaluator extends ContextEvaluatorAdapter
 	protected AddressSet destSet = new AddressSet();
     private boolean trustMemoryWrite = false;
 	private long minStoreLoadOffset = 4;
-	private long minSpeculativeOffset = 1024;
+	private long minSpeculativeOffset = 1024;   // from the beginning of memory
+	private long maxSpeculativeOffset = 256;    // from the end of memory
+
     
     public ConstantPropagationContextEvaluator() {
 	}
@@ -55,10 +57,10 @@ public class ConstantPropagationContextEvaluator extends ContextEvaluatorAdapter
 	}
     
 	public ConstantPropagationContextEvaluator(boolean trustWriteMemOption,
-			long minStoreLoadRefAddress, long minSpeculativeRefAddress) {
+			long minStoreLoadRefAddress, long minSpeculativeRefAddress, long maxSpeculativeRefAddress) {
 		this(trustWriteMemOption);
 		this.minStoreLoadOffset = minStoreLoadRefAddress;
-		this.minSpeculativeOffset = minSpeculativeRefAddress;
+		this.maxSpeculativeOffset = maxSpeculativeRefAddress;
 	}
 
 	/**
@@ -85,7 +87,7 @@ public class ConstantPropagationContextEvaluator extends ContextEvaluatorAdapter
 		long wordOffset = constant.getOffset();
 
 		if (((wordOffset >= 0 && wordOffset < minSpeculativeOffset) ||
-			(Math.abs(maxAddrOffset - wordOffset) < minSpeculativeOffset)) &&
+			(Math.abs(maxAddrOffset - wordOffset) < maxSpeculativeOffset)) &&
 			!space.isExternalSpace()) {
 			return null;
 		}

Ghidra/Features/Base/src/main/java/ghidra/program/util/SymbolicPropogator.java

@@ -43,7 +43,7 @@ public class SymbolicPropogator {
 	// 1. How are "register-relative" varnodes distinguished based upon target space ?  Not sure how we handle wrapping/truncation concerns.
 	//   1) The offset is the only thing that could be used as a reference.
 
-	private static final int _POINTER_MIN_BOUNDS = 0x7fff;
+	private static final int _POINTER_MIN_BOUNDS = 0x100;
 
 	// mask for sub-piece extraction
 	private static long[] maskSize = { 0xffL, 0xffL, 0xffffL, 0xffffffL, 0xffffffffL, 0xffffffffffL,
@@ -1836,7 +1836,7 @@ public class SymbolicPropogator {
 				// see if the offset is a large constant offset from the symbolic space
 				long offset = refLocation.getOffset();
 
-				if (checkPossibleOffsetAddr(offset)) {
+				if (evaluator != null) {
 					// symbolic spaces will have the name of the symbolic space be the register space
 //					String spaceName = refLocation.getAddress().getAddressSpace().getName();
 //					Register register = vContext.getRegister(spaceName);
@@ -1850,7 +1850,7 @@ public class SymbolicPropogator {
 //						}
 //					} else
 
-					if (evaluator == null) {
+			        if (!vContext.isStackSymbolicSpace(refLocation) && evaluator != null) {
 						Address constant = program.getAddressFactory().getAddress(
 							(int) targetSpaceID.getOffset(), offset);
 						Address newTarget = evaluator.evaluateConstant(vContext, instruction,
@@ -2051,7 +2051,7 @@ public class SymbolicPropogator {
 	 */
 	private int getReferenceSpaceID(Instruction instruction, long offset) {
 		// TODO: this should be passed to the client callback to make the decision
-		if (offset <= 4096 && offset >= -1) {
+		if (offset <= 4 && offset >= -1) {
 			return -1; // don't make speculative reference to certain offset values
 		}
 

Ghidra/Features/Base/src/main/java/ghidra/program/util/VarnodeContext.java

@@ -312,7 +312,7 @@ public class VarnodeContext implements ProcessorContext {
 	/**
 	 * Return true if this varnode is stored in the symbolic stack space
 	 */
-	private boolean isStackSymbolicSpace(Varnode varnode) {
+	public boolean isStackSymbolicSpace(Varnode varnode) {
 		// symbolic spaces are off of a register, find the space
 		AddressSpace regSpace = addrFactory.getAddressSpace(varnode.getSpace());
 
@@ -785,7 +785,9 @@ public class VarnodeContext implements ProcessorContext {
 	 * return the location that this register was last set
 	 * This is a transient thing, so it should only be used as a particular flow is being processed...
 	 * 
-	 * @param reg
+	 * @param reg register to find last set location
+	 * @param bval value to look for to differentiate set locations, null if don't care
+	 * 
 	 * @return address that the register was set.
 	 */
 	public Address getLastSetLocation(Register reg, BigInteger bval) {
@@ -1256,6 +1258,13 @@ public class VarnodeContext implements ProcessorContext {
 				// too big anyway,already extended as far as it will go.
 				vnodeVal = createConstantVarnode(vnodeVal.getOffset(), out.getSize());
 			}
+		} else if (vnodeVal.isRegister() && vnodeVal.getSize() < out.getSize()) {
+			Register reg = getRegister(vnodeVal);
+			if (reg == null) {
+				throw notFoundExc;
+			}
+			int spaceID = getAddressSpace(reg.getName());
+			vnodeVal = createVarnode(0,spaceID,out.getSize());
 		}
 		return vnodeVal;
 	}