yetangitu/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2025-10-04 18:29:37 +02:00
Code Issues Releases Wiki Activity
ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/merge.cc

1695 lines
59 KiB
C++
Raw Blame History

/* ###
* IP: GHIDRA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "merge.hh"
#include "funcdata.hh"
namespace ghidra {
/// This instance assumes the identity of the given Varnode and the defining index is
/// cached to facilitate quick sorting.
/// \param v is the given Varnode
void BlockVarnode::set(Varnode *v)
{
vn = v;
const PcodeOp *op = vn->getDef();
if (op == (const PcodeOp *)0)
index = 0;
else
index = op->getParent()->getIndex();
}
/// \brief Find the first Varnode defined in the BlockBasic of the given index
///
/// A BlockVarnode is identified from a sorted \b list. The position of the first BlockVarnode
/// in this list that has the given BlockBasic \e index is returned.
/// \param blocknum is the index of the BlockBasic to search for
/// \param list is the sorted list of BlockVarnodes
/// \return the index of the BlockVarnode within the list or -1 if no Varnode in the block is found
int4 BlockVarnode::findFront(int4 blocknum,const vector<BlockVarnode> &list)
{
int4 min = 0;
int4 max = list.size()-1;
while(min < max) {
int4 cur = (min + max)/2;
int4 curblock = list[cur].getIndex();
if (curblock >= blocknum)
max = cur;
else
min = cur + 1;
}
if (min > max)
return -1;
if (list[min].getIndex() != blocknum)
return -1;
return min;
}
void StackAffectingOps::populate(void)
{
for(int4 i=0;i<data.numCalls();++i) {
PcodeOp *op = data.getCallSpecs(i)->getOp();
addOp(op);
}
const list<LoadGuard> &storeGuard( data.getStoreGuards() );
for(list <LoadGuard>::const_iterator iter=storeGuard.begin();iter!=storeGuard.end();++iter) {
if ((*iter).isValid(CPUI_STORE))
addOp((*iter).getOp());
}
finalize();
}
bool StackAffectingOps::affectsTest(PcodeOp *op,Varnode *vn) const
{
if (op->code() == CPUI_STORE) {
const LoadGuard *loadGuard = data.getStoreGuard(op);
if (loadGuard == (const LoadGuard *)0)
return true;
return loadGuard->isGuarded(vn->getAddr());
}
// We could conceivably do secondary testing of CALL ops here
return true;
}
/// \brief Required tests to merge HighVariables that are not Cover related
///
/// This is designed to short circuit merge tests, when we know properties of the
/// two HighVariables preclude merging. For example, you can't merge HighVariables if:
/// - They are locked to different data-types
/// - They are both mapped to different address ranges
/// - One is a parameter one is a global
///
/// \param high_out is the first HighVariable to test
/// \param high_in is the second HighVariable to test
/// \return \b true if tests pass and the HighVariables are not forbidden to merge
bool Merge::mergeTestRequired(HighVariable *high_out,HighVariable *high_in)
{
if (high_in == high_out) return true; // Already merged
if (high_in->isTypeLock()) // If types are locked
if (high_out->isTypeLock()) // dont merge unless
if (high_in->getType() != high_out->getType()) return false; // both types are the same
if (high_out->isAddrTied()) { // Do not merge address tied input
if (high_in->isAddrTied()) {
if (high_in->getTiedVarnode()->getAddr() != high_out->getTiedVarnode()->getAddr())
return false; // with an address tied output of different address
}
}
if (high_in->isInput()) {
// Input and persist must be different vars
// as persists inherently have their own input
if (high_out->isPersist()) return false;
// If we don't prevent inputs and addrtieds from
// being merged. Inputs can get merged with the
// internal parts of structures on the stack
if ((high_out->isAddrTied())&&(!high_in->isAddrTied())) return false;
}
else if (high_in->isExtraOut())
return false;
if (high_out->isInput()) {
if (high_in->isPersist()) return false;
if ((high_in->isAddrTied())&&(!high_out->isAddrTied())) return false;
}
else if (high_out->isExtraOut())
return false;
if (high_in->isProtoPartial()) {
if (high_out->isProtoPartial()) return false;
if (high_out->isInput()) return false;
if (high_out->isAddrTied()) return false;
if (high_out->isPersist()) return false;
}
if (high_out->isProtoPartial()) {
if (high_in->isInput()) return false;
if (high_in->isAddrTied()) return false;
if (high_in->isPersist()) return false;
}
if (high_in->piece != (VariablePiece *)0 && high_out->piece != (VariablePiece *)0) {
VariableGroup *groupIn = high_in->piece->getGroup();
VariableGroup *groupOut = high_out->piece->getGroup();
if (groupIn == groupOut)
return false;
// At least one of the pieces must represent its whole group
if (high_in->piece->getSize() != groupIn->getSize() && high_out->piece->getSize() != groupOut->getSize())
return false;
}
Symbol *symbolIn = high_in->getSymbol();
Symbol *symbolOut = high_out->getSymbol();
if (symbolIn != (Symbol *) 0 && symbolOut != (Symbol *) 0) {
if (symbolIn != symbolOut)
return false; // Map to different symbols
if (high_in->getSymbolOffset() != high_out->getSymbolOffset())
return false; // Map to different parts of same symbol
}
return true;
}
/// \brief Adjacency tests for merging Varnodes that are input or output to the same p-code op
///
/// All the required tests (mergeTestRequired()) are performed, and then some additional tests
/// are performed. This does not perform any Cover tests.
/// \param high_out is the \e output HighVariable to test
/// \param high_in is the \e input HighVariable to test
/// \return \b true if tests pass and the HighVariables are not forbidden to merge
bool Merge::mergeTestAdjacent(HighVariable *high_out,HighVariable *high_in)
{
if (!mergeTestRequired(high_out,high_in)) return false;
if (high_in->isNameLock() && high_out->isNameLock())
return false;
// Make sure variables have the same type
if (high_out->getType() != high_in->getType())
return false;
// We want to isolate the use of illegal inputs
// as much as possible. See we don't do any speculative
// merges with them, UNLESS the illegal input is only
// used indirectly
if (high_out->isInput()) {
Varnode *vn = high_out->getInputVarnode();
if (vn->isIllegalInput()&&(!vn->isIndirectOnly())) return false;
}
if (high_in->isInput()) {
Varnode *vn = high_in->getInputVarnode();
if (vn->isIllegalInput()&&(!vn->isIndirectOnly())) return false;
}
Symbol *symbol = high_in->getSymbol();
if (symbol != (Symbol *)0)
if (symbol->isIsolated())
return false;
symbol = high_out->getSymbol();
if (symbol != (Symbol *)0)
if (symbol->isIsolated())
return false;
// Currently don't allow speculative merging of variables that are in separate overlapping collections
if (high_out->piece != (VariablePiece *)0 && high_in->piece != (VariablePiece *)0)
return false;
return true;
}
/// \brief Speculative tests for merging HighVariables that are not Cover related
///
/// This does all the \e required and \e adjacency merge tests and then performs additional
/// tests required for \e speculative merges.
/// \param high_out is the first HighVariable to test
/// \param high_in is the second HighVariable to test
/// \return \b true if tests pass and the HighVariables are not forbidden to merge
bool Merge::mergeTestSpeculative(HighVariable *high_out,HighVariable *high_in)
{
if (!mergeTestAdjacent(high_out,high_in)) return false;
// Don't merge anything with a global speculatively
if (high_out->isPersist()) return false;
if (high_in->isPersist()) return false;
// Don't merge anything speculatively with input
if (high_out->isInput()) return false;
if (high_in->isInput()) return false;
// Don't merge anything speculatively with addrtied
if (high_out->isAddrTied()) return false;
if (high_in->isAddrTied()) return false;
return true;
}
/// \brief Test if the given Varnode that \e must be merged, \e can be merged.
///
/// If it cannot be merged, throw an exception.
/// \param vn is the given Varnode
void Merge::mergeTestMust(Varnode *vn)
{
if (vn->hasCover() && !vn->isImplied())
return;
throw LowlevelError("Cannot force merge of range");
}
/// \brief Test if the given Varnode can ever be merged.
///
/// Some Varnodes (constants, annotations, implied, spacebase) are never merged with another
/// Varnode.
/// \param vn is the Varnode to test
/// \return \b true if the Varnode is not forbidden from ever merging
bool Merge::mergeTestBasic(Varnode *vn)
{
if (vn == (Varnode *)0) return false;
if (!vn->hasCover()) return false;
if (vn->isImplied()) return false;
if (vn->isProtoPartial()) return false;
if (vn->isSpacebase()) return false;
return true;
}
/// \brief Speculatively merge all HighVariables in the given list as well as possible
///
/// The variables are first sorted by the index of the earliest block in their range.
/// Then proceeding in order, an attempt is made to merge each variable with the first.
/// The attempt fails if the \e speculative test doesn't pass or if there are Cover
/// intersections, in which case that particular merge is skipped.
void Merge::mergeLinear(vector<HighVariable *> &highvec)
{
vector<HighVariable *> highstack;
vector<HighVariable *>::iterator initer,outiter;
HighVariable *high;
if (highvec.size() <= 1) return;
for(initer=highvec.begin();initer!=highvec.end();++initer)
testCache.updateHigh(*initer);
sort(highvec.begin(),highvec.end(),compareHighByBlock);
for(initer=highvec.begin();initer!=highvec.end();++initer) {
high = *initer;
for(outiter=highstack.begin();outiter!=highstack.end();++outiter) {
if (mergeTestSpeculative(*outiter,high))
if (merge(*outiter,high,true)) break;
}
if (outiter==highstack.end())
highstack.push_back(high);
}
}
/// \brief Force the merge of a ranges of Varnodes with the same size and storage address
///
/// The list of Varnodes to be merged is provided as a range in the main location sorted
/// container. Any Cover intersection is assumed to already be \b snipped, so any problems
/// with merging cause an exception to be thrown.
/// \param startiter is the beginning of the range of Varnodes with the same storage address
/// \param enditer is the end of the range
void Merge::mergeRangeMust(VarnodeLocSet::const_iterator startiter,VarnodeLocSet::const_iterator enditer)
{
HighVariable *high;
Varnode *vn;
vn = *startiter++;
mergeTestMust(vn);
high = vn->getHigh();
for(;startiter!=enditer;++startiter) {
vn = *startiter;
if (vn->getHigh() == high) continue;
mergeTestMust(vn);
if (!merge(high,vn->getHigh(),false))
throw LowlevelError("Forced merge caused intersection");
}
}
/// \brief Try to force merges of input to output for all p-code ops of a given type
///
/// For a given opcode, run through all ops in the function in block/address order and
/// try to merge each input HighVariable with the output HighVariable. If this would
/// introduce Cover intersections, the merge is skipped. This is generally used to try to
/// merge the input and output of COPY ops if possible.
/// \param opc is the op-code type to merge
void Merge::mergeOpcode(OpCode opc)
{
BlockBasic *bl;
list<PcodeOp *>::iterator iter;
PcodeOp *op;
Varnode *vn1,*vn2;
const BlockGraph &bblocks(data.getBasicBlocks());
for(int4 i=0;i<bblocks.getSize();++i) { // Do merges in linear block order
bl = (BlockBasic *) bblocks.getBlock(i);
for(iter=bl->beginOp();iter!=bl->endOp();++iter) {
op = *iter;
if (op->code() != opc) continue;
vn1 = op->getOut();
if (!mergeTestBasic(vn1)) continue;
for(int4 j=0;j<op->numInput();++j) {
vn2 = op->getIn(j);
if (!mergeTestBasic(vn2)) continue;
if (mergeTestRequired(vn1->getHigh(),vn2->getHigh()))
merge(vn1->getHigh(),vn2->getHigh(),false); // This is a required merge
}
}
}
}
/// \brief Try to merge all HighVariables in the given range that have the same data-type
///
/// HighVariables that have an instance within the given Varnode range are sorted into groups
/// based on their data-type. Then an attempt is made to merge all the HighVariables within
/// a group. If a particular merge causes Cover intersection, it is skipped.
/// \param startiter is the start of the given range of Varnodes
/// \param enditer is the end of the given range
void Merge::mergeByDatatype(VarnodeLocSet::const_iterator startiter,VarnodeLocSet::const_iterator enditer)
{
vector<HighVariable *> highvec;
list<HighVariable *> highlist;
list<HighVariable *>::iterator hiter;
VarnodeLocSet::const_iterator iter;
Varnode *vn;
HighVariable *high;
Datatype *ct = (Datatype *)0;
for(iter=startiter;iter!=enditer;++iter) { // Gather all the highs
vn = *iter;
if (vn->isFree()) continue;
high = (*iter)->getHigh();
if (high->isMark()) continue; // dedup
if (!mergeTestBasic(vn)) continue;
high->setMark();
highlist.push_back(high);
}
for(hiter=highlist.begin();hiter!=highlist.end();++hiter)
(*hiter)->clearMark();
while(!highlist.empty()) {
highvec.clear();
hiter = highlist.begin();
high = *hiter;
ct = high->getType();
highvec.push_back(high);
highlist.erase(hiter++);
while(hiter != highlist.end()) {
high = *hiter;
if (ct == high->getType()) { // Check for exact same type
highvec.push_back(high);
highlist.erase(hiter++);
}
else
++hiter;
}
mergeLinear(highvec); // Try to merge all highs of the same type
}
}
/// \brief Allocate COPY PcodeOp designed to trim an overextended Cover
///
/// A COPY is allocated with the given input and data-type. A \e unique space
/// output is created.
/// \param inVn is the given input Varnode for the new COPY
/// \param addr is the address associated with the new COPY
/// \param trimOp is an exemplar PcodeOp whose read is being trimmed
/// \return the newly allocated COPY
PcodeOp *Merge::allocateCopyTrim(Varnode *inVn,const Address &addr,PcodeOp *trimOp)
{
PcodeOp *copyOp = data.newOp(1,addr);
data.opSetOpcode(copyOp,CPUI_COPY);
Datatype *ct = inVn->getType();
if (ct->needsResolution()) { // If the data-type needs resolution
if (inVn->isWritten()) {
int4 fieldNum = data.inheritResolution(ct, copyOp, -1, inVn->getDef(), -1);
data.forceFacingType(ct, fieldNum, copyOp, 0);
}
else {
int4 slot = trimOp->getSlot(inVn);
const ResolvedUnion *resUnion = data.getUnionField(ct, trimOp, slot);
int4 fieldNum = (resUnion == (const ResolvedUnion *)0) ? -1 : resUnion->getFieldNum();
data.forceFacingType(ct, fieldNum, copyOp, 0);
}
}
Varnode *outVn = data.newUnique(inVn->getSize(),ct);
data.opSetOutput(copyOp,outVn);
data.opSetInput(copyOp,inVn,0);
copyTrims.push_back(copyOp);
return copyOp;
}
/// \brief Snip off set of \e read p-code ops for a given Varnode
///
/// The data-flow for the given Varnode is truncated by creating a COPY p-code from the Varnode
/// into a new temporary Varnode, then replacing the Varnode reads for a specific set of
/// p-code ops with the temporary.
/// \param vn is the given Varnode
/// \param markedop is the specific set of PcodeOps reading the Varnode
void Merge::snipReads(Varnode *vn,list<PcodeOp *> &markedop)
{
if (markedop.empty()) return;
PcodeOp *copyop,*op;
BlockBasic *bl;
Address pc;
PcodeOp *afterop;
// Figure out where copy is inserted
if (vn->isInput()) {
bl = (BlockBasic *) data.getBasicBlocks().getBlock(0);
pc = bl->getStart();
afterop = (PcodeOp *)0;
}
else {
bl = vn->getDef()->getParent();
pc = vn->getDef()->getAddr();
if (vn->getDef()->code() == CPUI_INDIRECT) // snip must come after OP CAUSING EFFECT
// Not the indirect op itself
afterop = PcodeOp::getOpFromConst(vn->getDef()->getIn(1)->getAddr());
else
afterop = vn->getDef();
}
copyop = allocateCopyTrim(vn, pc, markedop.front());
if (afterop == (PcodeOp *)0)
data.opInsertBegin(copyop,bl);
else
data.opInsertAfter(copyop,afterop);
list<PcodeOp *>::iterator iter;
for(iter=markedop.begin();iter!=markedop.end();++iter) {
op = *iter;
int4 slot = op->getSlot(vn);
data.opSetInput(op,copyop->getOut(),slot);
}
}
/// \brief Eliminate intersections of given Varnode with other Varnodes in a list
///
/// Both the given Varnode and those in the list are assumed to be at the same storage address.
/// For any intersection, identify the PcodeOp reading the given Varnode which causes the
/// intersection and \e snip the read by inserting additional COPY ops.
/// \param vn is the given Varnode
/// \param blocksort is the list of other Varnodes sorted by their defining basic block
void Merge::eliminateIntersect(Varnode *vn,const vector<BlockVarnode> &blocksort)
{
list<PcodeOp *> markedop;
list<PcodeOp *>::const_iterator oiter;
map<int4,CoverBlock>::const_iterator iter,enditer;
Varnode *vn2;
int4 boundtype;
int4 overlaptype;
bool insertop;
for(oiter=vn->beginDescend();oiter!=vn->endDescend();++oiter) {
insertop = false;
Cover single;
single.addDefPoint(vn);
PcodeOp *op = *oiter;
single.addRefPoint(op,vn); // Build range for a single read
iter = single.begin();
enditer = single.end();
while(iter != enditer) {
int4 blocknum = (*iter).first;
++iter;
int4 slot = BlockVarnode::findFront(blocknum,blocksort);
if (slot == -1) continue;
while(slot < blocksort.size()) {
if (blocksort[slot].getIndex() != blocknum)
break;
vn2 = blocksort[slot].getVarnode();
slot += 1;
if (vn2 == vn) continue;
boundtype = single.containVarnodeDef(vn2);
if (boundtype == 0) continue;
overlaptype = vn->characterizeOverlap(*vn2);
if (overlaptype == 0) continue; // No overlap in storage
if (overlaptype == 1) { // Partial overlap
int4 off = (int4)(vn->getOffset() - vn2->getOffset());
if (vn->partialCopyShadow(vn2,off))
continue; // SUBPIECE shadow, not a new value
}
if (boundtype == 2) { // We have to resolve things defined at same place
if (vn2->getDef() == (PcodeOp *)0) {
if (vn->getDef() == (PcodeOp *)0) {
if (vn < vn2) continue; // Choose an arbitrary order if both are inputs
}
else
continue;
}
else {
if (vn->getDef() != (PcodeOp *)0) {
if (vn2->getDef()->getSeqNum().getOrder() < vn->getDef()->getSeqNum().getOrder())
continue;
}
}
}
else if (boundtype == 3) { // intersection on the tail of the range
// For most operations if the READ and WRITE happen on the same op, there is really no cover
// intersection because the READ happens before the op and the WRITE happens after, but
// if the WRITE is for an INDIRECT that is marking the READING (call) op, and the WRITE is to
// an address forced varnode, then because the write varnode must exist just before the op
// there really is an intersection.
if (!vn2->isAddrForce()) continue;
if (!vn2->isWritten()) continue;
PcodeOp *indop = vn2->getDef();
if (indop->code() != CPUI_INDIRECT) continue;
// The vn2 INDIRECT must be linked to the read op
if (op != PcodeOp::getOpFromConst(indop->getIn(1)->getAddr())) continue;
if (overlaptype != 1) {
if (vn->copyShadow(indop->getIn(0))) continue; // If INDIRECT input shadows vn, don't consider as intersection
}
else {
int4 off = (int4)(vn->getOffset() - vn2->getOffset());
if (vn->partialCopyShadow(indop->getIn(0),off)) continue;
}
}
insertop = true;
break; // No need to continue iterating through varnodes in block
}
if (insertop) break; // No need to continue iterating through blocks
}
if (insertop)
markedop.push_back(op);
}
snipReads(vn,markedop);
}
/// \brief Make sure all Varnodes with the same storage address and size can be merged
///
/// The list of Varnodes to be merged is provided as a range in the main location sorted
/// container. Any discovered intersection is \b snipped by splitting data-flow for one of
/// the Varnodes into two or more flows, which involves inserting new COPY ops and temporaries.
/// \param startiter is the beginning of the range of Varnodes with the same storage address
/// \param enditer is the end of the range
void Merge::unifyAddress(VarnodeLocSet::const_iterator startiter,VarnodeLocSet::const_iterator enditer)
{
VarnodeLocSet::const_iterator iter;
Varnode *vn;
vector<Varnode *> isectlist;
vector<BlockVarnode> blocksort;
for(iter=startiter;iter!=enditer;++iter) {
vn = *iter;
if (vn->isFree()) continue;
isectlist.push_back(vn);
}
blocksort.resize(isectlist.size());
for(int4 i=0;i<isectlist.size();++i)
blocksort[i].set(isectlist[i]);
stable_sort(blocksort.begin(),blocksort.end());
for(int4 i=0;i<isectlist.size();++i)
eliminateIntersect(isectlist[i],blocksort);
}
/// \brief Force the merge of \e address \e tried Varnodes
///
/// For each set of address tied Varnodes with the same size and storage address, merge
/// them into a single HighVariable. The merges are \e forced, so any Cover intersections must
/// be resolved by altering data-flow, which involves inserting additional COPY ops and
/// \e unique Varnodes.
void Merge::mergeAddrTied(void)
{
VarnodeLocSet::const_iterator startiter;
vector<VarnodeLocSet::const_iterator> bounds;
for(startiter=data.beginLoc();startiter!=data.endLoc();) {
AddrSpace *spc = (*startiter)->getSpace();
spacetype type = spc->getType();
if (type != IPTR_PROCESSOR && type != IPTR_SPACEBASE) {
startiter = data.endLoc(spc); // Skip over the whole space
continue;
}
VarnodeLocSet::const_iterator finaliter = data.endLoc(spc);
while(startiter != finaliter) {
Varnode *vn = *startiter;
if (vn->isFree()) {
startiter = data.endLoc(vn->getSize(),vn->getAddr(),0); // Skip over any free Varnodes
continue;
}
bounds.clear();
uint4 flags = data.overlapLoc(startiter,bounds); // Collect maximally overlapping range of Varnodes
int4 max = bounds.size() - 1; // Index of last iterator
if ((flags & Varnode::addrtied) != 0) {
unifyAddress(startiter,bounds[max]);
for(int4 i=0;i<max;i+=2) { // Skip last iterator
mergeRangeMust(bounds[i],bounds[i+1]);
}
if (max > 2) {
Varnode *vn1 = *bounds[0];
for(int4 i=2;i<max;i+=2) {
Varnode *vn2 = *bounds[i];
int4 off = (int4)(vn2->getOffset() - vn1->getOffset());
vn2->getHigh()->groupWith(off, vn1->getHigh());
}
}
}
startiter = bounds[max];
}
}
}
/// \brief Trim the output HighVariable of the given PcodeOp so that its Cover is tiny
///
/// The given PcodeOp is assumed to force merging so that input and output Covers shouldn't
/// intersect. The original PcodeOp output is \e moved so that it becomes the output of a new
/// COPY, disassociating the original output Varnode from the inputs.
/// \param op is the given PcodeOp
void Merge::trimOpOutput(PcodeOp *op)
{
PcodeOp *copyop;
Varnode *uniq,*vn;
PcodeOp *afterop;
if (op->code() == CPUI_INDIRECT)
afterop = PcodeOp::getOpFromConst(op->getIn(1)->getAddr()); // Insert copyop AFTER source of indirect
else
afterop = op;
vn = op->getOut();
Datatype *ct = vn->getType();
copyop = data.newOp(1,op->getAddr());
data.opSetOpcode(copyop,CPUI_COPY);
if (ct->needsResolution()) {
int4 fieldNum = data.inheritResolution(ct, copyop, -1, op, -1);
data.forceFacingType(ct, fieldNum, copyop, 0);
if (ct->getMetatype() == TYPE_PARTIALUNION)
ct = vn->getTypeDefFacing();
}
uniq = data.newUnique(vn->getSize(),ct);
data.opSetOutput(op,uniq); // Output of op is now stubby uniq
data.opSetOutput(copyop,vn); // Original output is bumped forward slightly
data.opSetInput(copyop,uniq,0);
data.opInsertAfter(copyop,afterop);
}
/// \brief Trim the input HighVariable of the given PcodeOp so that its Cover is tiny
///
/// The given PcodeOp is assumed to force merging so that input and output Covers shouldn't
/// intersect. A new COPY is inserted right before the given PcodeOp with a new
/// \e unique output that replaces the specified input, disassociating it from the
/// other original inputs and output.
/// \param op is the given PcodeOp
/// \param slot is the specified slot of the input Varnode to be trimmed
void Merge::trimOpInput(PcodeOp *op,int4 slot)
{
PcodeOp *copyop;
Varnode *vn;
Address pc;
if (op->code() == CPUI_MULTIEQUAL) {
BlockBasic *bb = (BlockBasic *)op->getParent()->getIn(slot);
pc = bb->getStop();
}
else
pc = op->getAddr();
vn = op->getIn(slot);
copyop = allocateCopyTrim(vn, pc, op);
data.opSetInput(op,copyop->getOut(),slot);
if (op->code() == CPUI_MULTIEQUAL)
data.opInsertEnd(copyop,(BlockBasic *)op->getParent()->getIn(slot));
else
data.opInsertBefore(copyop,op);
}
/// \brief Force the merge of all input and output Varnodes for the given PcodeOp
///
/// Data-flow for specific input and output Varnodes are \e snipped until everything
/// can be merged.
/// \param op is the given PcodeOp
void Merge::mergeOp(PcodeOp *op)
{
vector<HighVariable *> testlist;
HighVariable *high_out;
int4 i,nexttrim,max;
max = (op->code() == CPUI_INDIRECT) ? 1 : op->numInput();
high_out = op->getOut()->getHigh();
// First try to deal with non-cover related merge
// restrictions
for(i=0;i<max;++i) {
HighVariable *high_in = op->getIn(i)->getHigh();
if (!mergeTestRequired(high_out,high_in)) {
trimOpInput(op,i);
continue;
}
for(int4 j=0;j<i;++j)
if (!mergeTestRequired(op->getIn(j)->getHigh(),high_in)) {
trimOpInput(op,i);
break;
}
}
// Now test if a merge violates cover restrictions
mergeTest(high_out,testlist);
for(i=0;i<max;++i)
if (!mergeTest(op->getIn(i)->getHigh(),testlist)) break;
if (i != max) { // If there are cover restrictions
nexttrim = 0;
while(nexttrim < max) {
trimOpInput(op,nexttrim); // Trim one of the branches
testlist.clear();
// Try the merge restriction test again
mergeTest(high_out,testlist);
for(i=0;i<max;++i)
if (!mergeTest(op->getIn(i)->getHigh(),testlist)) break;
if (i==max) break; // We successfully test merged everything
nexttrim += 1;
}
if (nexttrim == max) // One last trim we can try
trimOpOutput(op);
}
for(i=0;i<max;++i) { // Try to merge everything for real now
if (!mergeTestRequired(op->getOut()->getHigh(),op->getIn(i)->getHigh()))
throw LowlevelError("Non-cover related merge restriction violated, despite trims");
if (!merge(op->getOut()->getHigh(),op->getIn(i)->getHigh(),false)) {
ostringstream errstr;
errstr << "Unable to force merge of op at " << op->getSeqNum();
throw LowlevelError(errstr.str());
}
}
}
/// \brief Collect Varnode instances or pieces from a specific HighVariable that are inputs to a given PcodeOp
///
/// A Varnode is considered an input if it is a \e direct input to the PcodeOp or if it is
/// \e indirectly affected by the PcodeOp. The specific \e read of the Varnode is passed back as
/// a PcodeOp and slot pair (PcodeOpNode). The passed back PcodeOp will either be the given PcodeOp or
/// an INDIRECT caused by the given PcodeOp.
/// \param high is the specific HighVariable through which to search for input instances
/// \param oplist will hold the PcodeOpNodes being passed back
/// \param op is the given PcodeOp
void Merge::collectInputs(HighVariable *high,vector<PcodeOpNode> &oplist,PcodeOp *op)
{
VariableGroup *group = (VariableGroup *)0;
if (high->piece != (VariablePiece *)0)
group = high->piece->getGroup();
for(;;) {
for(int4 i=0;i<op->numInput();++i) {
Varnode *vn = op->getIn(i);
if (vn->isAnnotation()) continue;
HighVariable *testHigh = vn->getHigh();
if (testHigh == high || (testHigh->piece != (VariablePiece *)0 && testHigh->piece->getGroup() == group)) {
oplist.emplace_back(op, i);
}
}
op = op->previousOp();
if (op == (PcodeOp *)0 || op->code() != CPUI_INDIRECT)
break;
}
}
/// \brief Snip instances of the output of an INDIRECT that are also inputs to to the underlying PcodeOp
///
/// Examine the output HighVariable for the given INDIRECT op. Varnode instances (or pieces) that are also
/// inputs to the underlying PcodeOp causing the INDIRECT are snipped by creating a new COPY op from the
/// Varnode to a new temporary and then replacing the \e read with the temporary.
/// \param indop is the given INDIRECT op
/// \return \b true if specific instances are snipped
bool Merge::snipOutputInterference(PcodeOp *indop)
{
PcodeOp *op = PcodeOp::getOpFromConst(indop->getIn(1)->getAddr()); // Indirect effect op
// Collect instances of output->high that are defined
// before (and right up to) op. These need to be snipped.
vector<PcodeOpNode> correctable;
collectInputs(indop->getOut()->getHigh(), correctable, op);
if (correctable.empty())
return false;
sort(correctable.begin(),correctable.end(),PcodeOpNode::compareByHigh);
PcodeOp *snipop = (PcodeOp *)0;
HighVariable *curHigh = (HighVariable *)0;
for(int4 i=0;i<correctable.size();++i) {
PcodeOp *insertop = correctable[i].op;
int4 slot = correctable[i].slot;
Varnode *vn = insertop->getIn(slot);
if (vn->getHigh() != curHigh) {
// NOTE: the covers for any input to op which is an instance of the output high must
// all intersect so the varnodes must all be traceable via COPY to the same root
snipop = allocateCopyTrim(vn, insertop->getAddr(), insertop);
data.opInsertBefore(snipop,insertop);
curHigh = vn->getHigh();
}
data.opSetInput(insertop,snipop->getOut(),slot);
}
return true;
}
/// \brief Force the merge of all input and output Varnodes to a given INDIRECT op
///
/// Merging INDIRECTs take a little care if their output is address forced because by convention
/// the value must be present at the address BEFORE the indirect effect operation takes place.
/// \param indop is the given INDIRECT
void Merge::mergeIndirect(PcodeOp *indop)
{
Varnode *outvn = indop->getOut();
if (!outvn->isAddrForce()) { // If the output is NOT address forced
mergeOp(indop); // We can merge in the same way as a MULTIEQUAL
return;
}
Varnode *invn0 = indop->getIn(0);
if (mergeTestRequired(outvn->getHigh(),invn0->getHigh())) {
if (merge(invn0->getHigh(),outvn->getHigh(),false))
return;
}
// If we cannot merge, the only thing that can go wrong with an input trim, is if the output of
// indop is involved in the input to the op causing the indirect effect. So test for this.
if (snipOutputInterference(indop)) {
// If we found (and snipped) something related to the output, try merging again before snipping the INDIRECT
if (mergeTestRequired(outvn->getHigh(), invn0->getHigh())) {
if (merge(invn0->getHigh(),outvn->getHigh(),false))
return;
}
}
// Snip the INDIRECT itself
PcodeOp *newop = allocateCopyTrim(invn0, indop->getAddr(), indop);
SymbolEntry *entry = outvn->getSymbolEntry();
if (entry != (SymbolEntry *)0 && entry->getSymbol()->getType()->needsResolution()) {
data.inheritResolution(entry->getSymbol()->getType(), newop, -1, indop, -1);
}
data.opSetInput(indop,newop->getOut(),0);
data.opInsertBefore(newop,indop);
if (!mergeTestRequired(outvn->getHigh(),indop->getIn(0)->getHigh()) ||
(!merge(indop->getIn(0)->getHigh(),outvn->getHigh(),false))) // Try merge again
// if (!merge(indop->Input(0)->High(),outvn->High()))
throw LowlevelError("Unable to merge address forced indirect");
}
/// \brief Force the merge of input and output Varnodes to MULTIEQUAL and INDIRECT ops
///
/// Run through all MULTIEQUAL and INDIRECT ops in the function. Force the merge of each
/// input Varnode with the output Varnode, doing data-flow modification if necessary to
/// resolve Cover intersections.
void Merge::mergeMarker(void)
{
PcodeOp *op;
list<PcodeOp *>::const_iterator iter;
for(iter=data.beginOpAlive();iter!=data.endOpAlive();++iter) {
op = *iter;
if ((!op->isMarker())||op->isIndirectCreation()) continue;
if (op->code() == CPUI_INDIRECT)
mergeIndirect(op);
else
mergeOp(op);
}
}
/// \brief Merge together Varnodes mapped to SymbolEntrys from the same Symbol
///
/// Symbols that have more than one SymbolEntry may attach to more than one Varnode.
/// These Varnodes need to be merged to properly represent a single variable.
void Merge::mergeMultiEntry(void)
{
SymbolNameTree::const_iterator iter = data.getScopeLocal()->beginMultiEntry();
SymbolNameTree::const_iterator enditer = data.getScopeLocal()->endMultiEntry();
for(;iter!=enditer;++iter) {
vector<Varnode *> mergeList;
Symbol *symbol = *iter;
int4 numEntries = symbol->numEntries();
int4 mergeCount = 0;
int4 skipCount = 0;
int4 conflictCount = 0;
for(int4 i=0;i<numEntries;++i) {
int4 prevSize = mergeList.size();
SymbolEntry *entry = symbol->getMapEntry(i);
if (entry->getSize() != symbol->getType()->getSize())
continue;
data.findLinkedVarnodes(entry, mergeList);
if (mergeList.size() == prevSize)
skipCount += 1; // Did not discover any Varnodes corresponding to a particular SymbolEntry
}
if (mergeList.empty()) continue;
HighVariable *high = mergeList[0]->getHigh();
testCache.updateHigh(high);
for(int4 i=0;i<mergeList.size();++i) {
HighVariable *newHigh = mergeList[i]->getHigh();
if (newHigh == high) continue; // Varnodes already merged
testCache.updateHigh(newHigh);
if (!mergeTestRequired(high, newHigh)) {
symbol->setMergeProblems();
newHigh->setUnmerged();
conflictCount += 1;
continue;
}
if (!merge(high,newHigh,false)) { // Attempt the merge
symbol->setMergeProblems();
newHigh->setUnmerged();
conflictCount += 1;
continue;
}
mergeCount += 1;
}
if (skipCount != 0 || conflictCount !=0) {
ostringstream s;
s << "Unable to";
if (mergeCount != 0)
s << " fully";
s << " merge symbol: " << symbol->getName();
if (skipCount > 0)
s << " -- Some instance varnodes not found.";
if (conflictCount > 0)
s << " -- Some merges are forbidden";
data.warningHeader(s.str());
}
}
}
/// \brief Run through CONCAT tree roots and group each tree
///
void Merge::groupPartials(void)
{
for(int4 i=0;i<protoPartial.size();++i) {
PcodeOp *op = protoPartial[i];
if (op->isDead()) continue;
if (!op->isPartialRoot()) continue;
groupPartialRoot(op->getOut());
}
}
/// \brief Speculatively merge Varnodes that are input/output to the same p-code op
///
/// If a single p-code op has an input and output HighVariable that share the same data-type,
/// attempt to merge them. Each merge is speculative and is skipped if it would introduce Cover
/// intersections.
void Merge::mergeAdjacent(void)
{
list<PcodeOp *>::const_iterator oiter;
PcodeOp *op;
int4 i;
HighVariable *high_in,*high_out;
Varnode *vn1,*vn2;
const Datatype *ct;
for(oiter=data.beginOpAlive();oiter!=data.endOpAlive();++oiter) {
op = *oiter;
if (op->isCall()) continue;
vn1 = op->getOut();
if (!mergeTestBasic(vn1)) continue;
high_out = vn1->getHigh();
ct = op->outputTypeLocal();
for(i=0;i<op->numInput();++i) {
if (ct != op->inputTypeLocal(i)) continue; // Only merge if types should be the same
vn2 = op->getIn(i);
if (!mergeTestBasic(vn2)) continue;
if (vn1->getSize() != vn2->getSize()) continue;
if ((vn2->getDef()==(PcodeOp *)0)&&(!vn2->isInput())) continue;
high_in = vn2->getHigh();
if (!mergeTestAdjacent(high_out,high_in)) continue;
if (!testCache.intersection(high_in,high_out)) // If no interval intersection
merge(high_out,high_in,true);
}
}
}
/// \brief Find instance Varnodes that copied to from outside the given HighVariable
///
/// Find all Varnodes in the HighVariable which are defined by a COPY from another
/// Varnode which is \e not part of the same HighVariable.
/// \param high is the given HighVariable
/// \param singlelist will hold the resulting list of copied instances
void Merge::findSingleCopy(HighVariable *high,vector<Varnode *> &singlelist)
{
int4 i;
Varnode *vn;
PcodeOp *op;
for(i=0;i<high->numInstances();++i) {
vn = high->getInstance(i);
if (!vn->isWritten()) continue;
op = vn->getDef();
if (op->code() != CPUI_COPY) continue; // vn must be defineed by copy
if (op->getIn(0)->getHigh() == high) continue; // From something NOT in same high
singlelist.push_back(vn);
}
}
/// \brief Compare COPY ops first by Varnode input, then by block containing the op
///
/// A sort designed to group COPY ops from the same Varnode together. Then within a group,
/// COPYs are sorted by their containing basic block (so that dominating ops come first).
/// \param op1 is the first PcodeOp being compared
/// \param op2 is the second PcodeOp being compared
/// \return \b true if the first PcodeOp should be ordered before the second
bool Merge::compareCopyByInVarnode(PcodeOp *op1,PcodeOp *op2)
{
Varnode *inVn1 = op1->getIn(0);
Varnode *inVn2 = op2->getIn(0);
if (inVn1 != inVn2) // First compare by Varnode inputs
return (inVn1->getCreateIndex() < inVn2->getCreateIndex());
int4 index1 = op1->getParent()->getIndex();
int4 index2 = op2->getParent()->getIndex();
if (index1 != index2)
return (index1 < index2);
return (op1->getSeqNum().getOrder() < op2->getSeqNum().getOrder());
}
/// \brief Hide \e shadow Varnodes related to the given HighVariable by consolidating COPY chains
///
/// If two Varnodes are copied from the same common ancestor then they will always contain the
/// same value and can be considered \b shadows of the same variable. If the paths from the
/// ancestor to the two Varnodes aren't properly nested, the two Varnodes will still look like
/// distinct variables. This routine searches for this situation, relative to a single
/// HighVariable, and alters data-flow so that copying from ancestor to first Varnode to
/// second Varnode becomes a single path. Both Varnodes then ultimately become instances of the
/// same HighVariable.
/// \param high is the given HighVariable to search near
/// \return \b true if a change was made to data-flow
bool Merge::hideShadows(HighVariable *high)
{
vector<Varnode *> singlelist;
Varnode *vn1,*vn2;
int4 i,j;
bool res = false;
findSingleCopy(high,singlelist); // Find all things copied into this high
if (singlelist.size() <= 1) return false;
for(i=0;i<singlelist.size()-1;++i) {
vn1 = singlelist[i];
if (vn1 == (Varnode *)0) continue;
for(j=i+1;j<singlelist.size();++j) {
vn2 = singlelist[j];
if (vn2 == (Varnode *)0) continue;
if (!vn1->copyShadow(vn2)) continue;
if (vn2->getCover()->containVarnodeDef(vn1)==1) {
data.opSetInput(vn1->getDef(),vn2,0);
res = true;
break;
}
else if (vn1->getCover()->containVarnodeDef(vn2)==1) {
data.opSetInput(vn2->getDef(),vn1,0);
singlelist[j] = (Varnode *)0;
res = true;
}
}
}
return res;
}
/// \brief Check if the given PcodeOp COPYs are redundant
///
/// Both the given COPYs assign to the same HighVariable. One is redundant if there is no other
/// assignment to the HighVariable between the first COPY and the second COPY.
/// The first COPY must come from a block with a smaller or equal index to the second COPY.
/// If the indices are equal, the first COPY must come before the second within the block.
/// \param high is the HighVariable being assigned to
/// \param domOp is the first COPY
/// \param subOp is the second COPY
/// \return \b true if the second COPY is redundant
bool Merge::checkCopyPair(HighVariable *high,PcodeOp *domOp,PcodeOp *subOp)
{
FlowBlock *domBlock = domOp->getParent();
FlowBlock *subBlock = subOp->getParent();
if (!domBlock->dominates(subBlock))
return false;
Cover range;
range.addDefPoint(domOp->getOut());
range.addRefPoint(subOp,subOp->getIn(0));
Varnode *inVn = domOp->getIn(0);
// Look for high Varnodes in the range
for(int4 i=0;i<high->numInstances();++i) {
Varnode *vn = high->getInstance(i);
if (!vn->isWritten()) continue;
PcodeOp *op = vn->getDef();
if (op->code() == CPUI_COPY) { // If the write is not a COPY
if (op->getIn(0) == inVn) continue; // from the same Varnode as domOp and subOp
}
if (range.contain(op, 1)) { // and if write is contained in range between domOp and subOp
return false; // it is intervening and subOp is not redundant
}
}
return true;
}
/// \brief Try to replace a set of COPYs from the same Varnode with a single dominant COPY
///
/// All the COPY outputs must be instances of the same HighVariable (not the same Varnode).
/// Either an existing COPY dominates all the others, or a new dominating COPY is constructed.
/// The read locations of all other COPY outputs are replaced with the output of the dominating
/// COPY, if it does not cause intersections in the HighVariable's Cover. Because of
/// intersections, replacement may fail or partially succeed. Replacement only happens with
/// COPY outputs that are temporary registers. The cover of the HighVariable may be extended
/// because of a new COPY output instance.
/// \param high is the HighVariable being copied to
/// \param copy is the list of COPY ops into the HighVariable
/// \param pos is the index of the first COPY from the specific input Varnode
/// \param size is the number of COPYs (in sequence) from the same specific Varnode
void Merge::buildDominantCopy(HighVariable *high,vector<PcodeOp *> &copy,int4 pos,int4 size)
{
vector<FlowBlock *> blockSet;
for(int4 i=0;i<size;++i)
blockSet.push_back(copy[pos+i]->getParent());
BlockBasic *domBl = (BlockBasic *)FlowBlock::findCommonBlock(blockSet);
PcodeOp *domCopy = copy[pos];
Varnode *rootVn = domCopy->getIn(0);
Varnode *domVn = domCopy->getOut();
bool domCopyIsNew;
if (domBl == domCopy->getParent()) {
domCopyIsNew = false;
}
else {
domCopyIsNew = true;
PcodeOp *oldCopy = domCopy;
domCopy = data.newOp(1,domBl->getStop());
data.opSetOpcode(domCopy, CPUI_COPY);
Datatype *ct = rootVn->getType();
if (ct->needsResolution()) {
const ResolvedUnion *resUnion = data.getUnionField(ct, oldCopy, 0);
int4 fieldNum = (resUnion == (const ResolvedUnion *)0) ? -1 : resUnion->getFieldNum();
data.forceFacingType(ct, fieldNum, domCopy, 0);
data.forceFacingType(ct, fieldNum, domCopy, -1);
if (ct->getMetatype() == TYPE_PARTIALUNION)
ct = rootVn->getTypeReadFacing(oldCopy);
}
domVn = data.newUnique(rootVn->getSize(), ct);
data.opSetOutput(domCopy,domVn);
data.opSetInput(domCopy,rootVn,0);
data.opInsertEnd(domCopy, domBl);
}
// Cover created by removing all the COPYs from rootVn
Cover bCover;
for(int4 i=0;i<high->numInstances();++i) {
Varnode *vn = high->getInstance(i);
if (vn->isWritten()) {
PcodeOp *op = vn->getDef();
if (op->code() == CPUI_COPY) {
if (op->getIn(0)->copyShadow(rootVn)) continue;
}
}
bCover.merge(*vn->getCover());
}
int4 count = size;
for(int4 i=0;i<size;++i) {
PcodeOp *op = copy[pos+i];
if (op == domCopy) continue; // No intersections from domVn already proven
Varnode *outVn = op->getOut();
list<PcodeOp *>::const_iterator iter;
Cover aCover;
aCover.addDefPoint(domVn);
for(iter=outVn->beginDescend();iter!=outVn->endDescend();++iter)
aCover.addRefPoint(*iter, outVn);
if (bCover.intersect(aCover)>1) {
count -= 1;
op->setMark();
}
}
if (count <= 1) { // Don't bother if we only replace one COPY with another
for (int4 i = 0; i < size; ++i)
copy[pos + i]->setMark();
count = 0;
if (domCopyIsNew) {
data.opDestroy(domCopy);
}
}
// Replace all non-intersecting COPYs with read of dominating Varnode
for(int4 i=0;i<size;++i) {
PcodeOp *op = copy[pos+i];
if (op->isMark())
op->clearMark();
else {
Varnode *outVn = op->getOut();
if (outVn != domVn) {
outVn->getHigh()->remove(outVn);
data.totalReplace(outVn, domVn);
data.opDestroy(op);
}
}
}
if (count > 0 && domCopyIsNew) {
high->merge(domVn->getHigh(),(HighIntersectTest *)0,true);
}
}
/// \brief Search for and mark redundant COPY ops into the given high as \e non-printing
///
/// Trimming during the merge process can insert multiple COPYs from the same source. In some
/// cases, one or more COPYs may be redundant and shouldn't be printed. This method searches
/// for redundancy among COPY ops that assign to the given HighVariable.
/// \param high is the given HighVariable
/// \param copy is the list of COPYs coming from the same source HighVariable
/// \param pos is the starting index of a set of COPYs coming from the same Varnode
/// \param size is the number of Varnodes in the set coming from the same Varnode
void Merge::markRedundantCopies(HighVariable *high,vector<PcodeOp *> &copy,int4 pos,int4 size)
{
for (int4 i = size - 1; i > 0; --i) {
PcodeOp *subOp = copy[pos + i];
if (subOp->isDead()) continue;
for (int4 j = i - 1; j >= 0; --j) {
// Make sure earlier index provides dominant op
PcodeOp *domOp = copy[pos + j];
if (domOp->isDead()) continue;
if (checkCopyPair(high, domOp, subOp)) {
data.opMarkNonPrinting(subOp);
break;
}
}
}
}
/// \brief Determine if given Varnode is shadowed by another Varnode in the same HighVariable
///
/// \param vn is the Varnode to check for shadowing
/// \return \b true if \b vn is shadowed by another Varnode in its high-level variable
bool Merge::shadowedVarnode(const Varnode *vn)
{
const Varnode *othervn;
const HighVariable *high = vn->getHigh();
int4 num,i;
num = high->numInstances();
for(i=0;i<num;++i) {
othervn = high->getInstance(i);
if (othervn == vn) continue;
if (vn->getCover()->intersect(*othervn->getCover()) == 2) return true;
}
return false;
}
/// \brief Find all the COPY ops into the given HighVariable
///
/// Collect all the COPYs whose output is the given HighVariable but
/// the input is from a different HighVariable. Returned COPYs are sorted
/// first by the input Varnode then by block order.
/// \param high is the given HighVariable
/// \param copyIns will hold the list of COPYs
/// \param filterTemps is \b true if COPYs must have a temporary output
void Merge::findAllIntoCopies(HighVariable *high,vector<PcodeOp *> &copyIns,bool filterTemps)
{
for(int4 i=0;i<high->numInstances();++i) {
Varnode *vn = high->getInstance(i);
if (!vn->isWritten()) continue;
PcodeOp *op = vn->getDef();
if (op->code() != CPUI_COPY) continue;
if (op->getIn(0)->getHigh() == high) continue;
if (filterTemps && op->getOut()->getSpace()->getType() != IPTR_INTERNAL) continue;
copyIns.push_back(op);
}
// Group COPYs based on the incoming Varnode then block order
sort(copyIns.begin(),copyIns.end(),compareCopyByInVarnode);
}
/// \brief Try to replace COPYs into the given HighVariable with a single dominant COPY
///
/// Find groups of COPYs into the given HighVariable that come from a single source Varnode,
/// then try to replace them with a COPY.
/// \param high is the given HighVariable
void Merge::processHighDominantCopy(HighVariable *high)
{
vector<PcodeOp *> copyIns;
findAllIntoCopies(high,copyIns,true); // Get all COPYs into this with temporary output
if (copyIns.size() < 2) return;
int4 pos = 0;
while(pos < copyIns.size()) {
// Find a group of COPYs coming from the same Varnode
Varnode *inVn = copyIns[pos]->getIn(0);
int4 sz = 1;
while(pos + sz < copyIns.size()) {
Varnode *nextVn = copyIns[pos+sz]->getIn(0);
if (nextVn != inVn) break;
sz += 1;
}
if (sz > 1) // If there is more than one COPY in a group
buildDominantCopy(high, copyIns, pos, sz); // Try to construct a dominant COPY
pos += sz;
}
}
/// \brief Mark COPY ops into the given HighVariable that are redundant
///
/// A COPY is redundant if another COPY performs the same action and has
/// dominant control flow. The redundant COPY is not removed but is marked so that
/// it doesn't print in the final source output.
/// \param high is the given HighVariable
void Merge::processHighRedundantCopy(HighVariable *high)
{
vector<PcodeOp *> copyIns;
findAllIntoCopies(high,copyIns,false);
if (copyIns.size() < 2) return;
int4 pos = 0;
while(pos < copyIns.size()) {
// Find a group of COPYs coming from the same Varnode
Varnode *inVn = copyIns[pos]->getIn(0);
int4 sz = 1;
while(pos + sz < copyIns.size()) {
Varnode *nextVn = copyIns[pos+sz]->getIn(0);
if (nextVn != inVn) break;
sz += 1;
}
if (sz > 1) { // If there is more than one COPY in a group
markRedundantCopies(high, copyIns, pos, sz);
}
pos += sz;
}
}
/// \brief Group the different nodes of a CONCAT tree into a VariableGroup
///
/// This formally labels all the Varnodes in the tree as overlapping pieces of the same variable.
/// The tree is reconstructed from the root Varnode.
/// \param vn is the root Varnode
void Merge::groupPartialRoot(Varnode *vn)
{
HighVariable *high = vn->getHigh();
if (high->numInstances() != 1) return;
vector<PieceNode> pieces;
int4 baseOffset = 0;
SymbolEntry *entry = vn->getSymbolEntry();
if (entry != (SymbolEntry *)0) {
baseOffset = entry->getOffset();
}
PieceNode::gatherPieces(pieces, vn, vn->getDef(), baseOffset, baseOffset);
bool throwOut = false;
for(int4 i=0;i<pieces.size();++i) {
Varnode *nodeVn = pieces[i].getVarnode();
// Make sure each node is still marked and hasn't merged with anything else
if (!nodeVn->isProtoPartial() || nodeVn->getHigh()->numInstances() != 1) {
throwOut = true;
break;
}
}
if (throwOut) {
for(int4 i=0;i<pieces.size();++i)
pieces[i].getVarnode()->clearProtoPartial();
}
else {
for(int4 i=0;i<pieces.size();++i) {
Varnode *nodeVn = pieces[i].getVarnode();
nodeVn->getHigh()->groupWith(pieces[i].getTypeOffset() - baseOffset,high);
}
}
}
/// \brief Try to reduce/eliminate COPYs produced by the merge trimming process
///
/// In order to force merging of certain Varnodes, extra COPY operations may be inserted
/// to reduce their Cover ranges, and multiple COPYs from the same Varnode can be created this way.
/// This method collects sets of COPYs generated in this way that have the same input Varnode
/// and then tries to replace the COPYs with fewer or a single COPY.
void Merge::processCopyTrims(void)
{
vector<HighVariable *> multiCopy;
for(int4 i=0;i<copyTrims.size();++i) {
HighVariable *high = copyTrims[i]->getOut()->getHigh();
if (!high->hasCopyIn1()) {
multiCopy.push_back(high);
high->setCopyIn1();
}
else
high->setCopyIn2();
}
copyTrims.clear();
for(int4 i=0;i<multiCopy.size();++i) {
HighVariable *high = multiCopy[i];
if (high->hasCopyIn2()) // If the high has at least 2 COPYs into it
processHighDominantCopy(high); // Try to replace with a dominant copy
high->clearCopyIns();
}
}
/// \brief Mark redundant/internal COPY PcodeOps
///
/// Run through all COPY, SUBPIECE, and PIECE operations (PcodeOps that copy data) and
/// characterize those that are \e internal (copy data between storage locations representing
/// the same variable) or \e redundant (perform the same copy as an earlier operation).
/// These, as a result, are not printed in the final source code representation.
void Merge::markInternalCopies(void)
{
vector<HighVariable *> multiCopy;
list<PcodeOp *>::const_iterator iter;
PcodeOp *op;
HighVariable *h1;
Varnode *v1,*v2,*v3;
VariablePiece *p1,*p2,*p3;
int4 val;
for(iter=data.beginOpAlive();iter!=data.endOpAlive();++iter) {
op = *iter;
switch(op->code()) {
case CPUI_COPY:
v1 = op->getOut();
h1 = v1->getHigh();
if (h1 == op->getIn(0)->getHigh()) {
data.opMarkNonPrinting(op);
}
else { // COPY between different HighVariables
if (!h1->hasCopyIn1()) { // If this is the first COPY we've seen for this high
h1->setCopyIn1(); // Mark it
multiCopy.push_back(h1);
}
else
h1->setCopyIn2(); // This is at least the second COPY we've seen
if (v1->hasNoDescend()) { // Don't print shadow assignments
if (shadowedVarnode(v1)) {
data.opMarkNonPrinting(op);
}
}
}
break;
case CPUI_PIECE: // Check if output is built out of pieces of itself
v1 = op->getOut();
v2 = op->getIn(0);
v3 = op->getIn(1);
p1 = v1->getHigh()->piece;
p2 = v2->getHigh()->piece;
p3 = v3->getHigh()->piece;
if (p1 == (VariablePiece *)0) break;
if (p2 == (VariablePiece *)0) break;
if (p3 == (VariablePiece *)0) break;
if (p1->getGroup() != p2->getGroup()) break;
if (p1->getGroup() != p3->getGroup()) break;
if (v1->getSpace()->isBigEndian()) {
if (p2->getOffset() != p1->getOffset()) break;
if (p3->getOffset() != p1->getOffset() + v2->getSize()) break;
}
else {
if (p3->getOffset() != p1->getOffset()) break;
if (p2->getOffset() != p1->getOffset() + v3->getSize()) break;
}
data.opMarkNonPrinting(op);
if (v2->isImplied()) {
v2->clearImplied();
v2->setExplicit();
}
if (v3->isImplied()) {
v3->clearImplied();
v3->setExplicit();
}
break;
case CPUI_SUBPIECE:
v1 = op->getOut();
v2 = op->getIn(0);
p1 = v1->getHigh()->piece;
p2 = v2->getHigh()->piece;
if (p1 == (VariablePiece *)0) break;
if (p2 == (VariablePiece *)0) break;
if (p1->getGroup() != p2->getGroup()) break;
val = op->getIn(1)->getOffset();
if (v1->getSpace()->isBigEndian()) {
if (p2->getOffset() + (v2->getSize() - v1->getSize() - val) != p1->getOffset()) break;
}
else {
if (p2->getOffset() + val != p1->getOffset()) break;
}
data.opMarkNonPrinting(op);
if (v2->isImplied()) {
v2->clearImplied();
v2->setExplicit();
}
break;
default:
break;
}
}
for(int4 i=0;i<multiCopy.size();++i) {
HighVariable *high = multiCopy[i];
if (high->hasCopyIn2())
data.getMerge().processHighRedundantCopy(high);
high->clearCopyIns();
}
#ifdef MERGEMULTI_DEBUG
verifyHighCovers();
#endif
}
/// \brief Register an unmapped CONCAT stack with the merge process
///
/// The given Varnode must be the root of a tree of CPUI_PIECE operations as produced by
/// PieceNode::gatherPieces. These will be grouped together into a single variable.
/// \param vn is the given root Varnode
void Merge::registerProtoPartialRoot(Varnode *vn)
{
protoPartial.push_back(vn->getDef());
}
/// \brief Perform low-level details of merging two HighVariables if possible
///
/// This routine only fails (returning \b false) if there is a Cover intersection between
/// the two variables. Otherwise, all the Varnode instances from the second HighVariable
/// are merged into the first and its Cover is updated. The second variable is deleted.
/// The cached intersection tests are also updated to reflect the merge.
/// \param high1 is the first HighVariable being merged
/// \param high2 is the second
/// \param isspeculative is \b true if the desired merge is speculative
/// \return \b true if the merge was successful
bool Merge::merge(HighVariable *high1,HighVariable *high2,bool isspeculative)
{
if (high1 == high2) return true; // Already merged
if (testCache.intersection(high1,high2)) return false;
high1->merge(high2,&testCache,isspeculative); // Do the actual merge
high1->updateCover(); // Update cover now so that updateHigh won't purge cached tests
return true;
}
/// \brief Clear the any cached data from the last merge process
///
/// Free up resources used by cached intersection tests etc.
void Merge::clear(void)
{
testCache.clear();
copyTrims.clear();
protoPartial.clear();
stackAffectingOps.clear();
}
/// \brief Mark the given Varnode as \e implied
///
/// The covers of the immediate Varnodes involved in the expression are marked as dirty.
/// This assumes covers for the whole expression are ultimately marked because all its internal Varnodes
/// are passed to this method.
/// \param vn is the given Varnode being marked as \e implied
void Merge::markImplied(Varnode *vn)
{
vn->setImplied(); // Mark as implied
PcodeOp *op = vn->getDef();
for(int4 i=0;i<op->numInput();++i) {
Varnode *defvn = op->getIn(i);
if (!defvn->hasCover()) continue;
defvn->setFlags(Varnode::coverdirty);
}
}
/// \brief Test if we can inflate the Cover of the given Varnode without incurring intersections
///
/// This routine tests whether an expression involving a HighVariable can be propagated to all
/// the read sites of the output Varnode of the expression. This is possible only if the
/// Varnode Cover can be \b inflated to include the Cover of the HighVariable, even though the
/// Varnode is not part of the HighVariable.
/// \param a is the given Varnode to inflate
/// \param high is the HighVariable being propagated
/// \return \b true if inflating the Varnode causes an intersection
bool Merge::inflateTest(Varnode *a,HighVariable *high)
{
HighVariable *ahigh = a->getHigh();
testCache.updateHigh(high);
const Cover &highCover( high->internalCover ); // Only check for intersections with cover contributing to inflate
for(int4 i=0;i<ahigh->numInstances();++i) {
Varnode *b = ahigh->getInstance(i);
if (b->copyShadow(a)) continue; // Intersection with a or shadows of a is allowed
if (2==b->getCover()->intersect( highCover )) {
return true;
}
}
VariablePiece *piece = ahigh->piece;
if (piece != (VariablePiece *)0) {
piece->updateIntersections();
for(int4 i=0;i<piece->numIntersection();++i) {
const VariablePiece *otherPiece = piece->getIntersection(i);
HighVariable *otherHigh = otherPiece->getHigh();
int4 off = otherPiece->getOffset() - piece->getOffset();
for(int4 i=0;i<otherHigh->numInstances();++i) {
Varnode *b = otherHigh->getInstance(i);
if (b->partialCopyShadow(a, off)) continue; // Intersection with partial shadow of a is allowed
if (2==b->getCover()->intersect( highCover ))
return true;
}
}
}
return false;
}
/// \brief Test for intersections between a given HighVariable and a list of other HighVariables
///
/// If there is any Cover intersection between the given HighVariable and one in the list,
/// this routine returns \b false. Otherwise, the given HighVariable is added to the end of
/// the list and \b true is returned.
/// \param high is the given HighVariable
/// \param tmplist is the list of HighVariables to test against
/// \return \b true if there are no pairwise intersections.
bool Merge::mergeTest(HighVariable *high,vector<HighVariable *> &tmplist)
{
if (!high->hasCover()) return false;
for(int4 i=0;i<tmplist.size();++i) {
HighVariable *a = tmplist[i];
if (testCache.intersection(a,high))
return false;
}
tmplist.push_back(high);
return true;
}
#ifdef MERGEMULTI_DEBUG
/// \brief Check that all HighVariable covers are consistent
///
/// For each HighVariable make sure there are no internal intersections between
/// its instance Varnodes (unless one is a COPY shadow of the other).
void Merge::verifyHighCovers(void)
{
VarnodeLocSet::const_iterator iter,enditer;
enditer = data.endLoc();
for(iter=data.beginLoc();iter!=enditer;++iter) {
Varnode *vn = *iter;
if (vn->hasCover()) {
HighVariable *high = vn->getHigh();
if (!high->hasCopyIn1()) {
high->setCopyIn1();
high->verifyCover();
}
}
}
}
#endif
} // End namespace ghidra
Reference in a new issue View git blame Copy permalink