Open l-kent opened 1 year ago
l-kent
commented
1 year ago One part of the issue is that we need to keep track of what is actually being pointed to by a static address, not just the name - is it a function (external or not)? is it a global variable? something else (most likely a section of memory known to contain a pointer to a set location)? Currently no distinction is made between a pointer to some function add() and a pointer to a pointer to add(), for example.
yousifpatti
commented
1 year ago Hi Liam, this is the current progress. I will investigate jump tables next week. (please note you may have issues visualising calls that can be resolved to multiple jumps as there is an issue in the CFG (not related to the analysis).
arrays/arrays: call R0 at statement 00000662 is resolved to be either stck_chk_guard() or stack_chk_fail(), when it can only be __stack_chk_fail $${\color{red}(FIXED)}$$
arrays_simple/arrays_simple: call R0 at statement 00000607 is resolved to be either stck_chk_guard() or stack_chk_fail(), when it can only be __stack_chk_fail() $${\color{red}(FIXED)}$$
function_got/function_got: call R0 at statement 000003ed is resolved to be a "call" to the global variable x, when is actually a call to the function get_two() $${\color{red}(FIXED)}$$
functionpointer/functionpointer: call R0 at statement 000004f3 is unresolved, when it could be to set_seven(), set_six(), or set_two() $${\color{red}(FIXED)}$$
functionpointer/functionpointer_clang: call R8 at statement 000004fd is unresolved, when it could be to set_seven(), set_six, or set_two $${\color{red}(FIXED)}$$
jumptable/jumptable: call R0 at statements:
jumptable/jumptable_clang: call R8 is unresolved at statements
jumptable2/jumptable2_clang: call R8 at statements:
jumptable2/jumptable2: call R0 is unresolved at statements:
indirect_call/indirect_call
switch2_clang and jumptable3_clang also do not successfully resolve indirect calls, but those examples do not appear to be possible to resolve at present due to an issue with the lifter.
l-kent
commented
1 year ago There are still issues with some examples: jumptable (all variations) - fails to resolve all indirect calls jumptable2 (all variations) - incorrectly resolves all indirect calls to be to the global variable 'jump_table' instead of to the functions that 'jump_table' contains pointers to indirect_call_out_param - fails to resolve all indirect calls
l-kent
commented
5 months ago Current status - the following test cases in test/correct do not resolve indirect calls correctly:
l-kent
commented
5 months ago I think reverting the solver optimisation has changed this a bit so I'll have to test everything again
Currently most indirect calls that occur in the main program body (so, not boilerplate initialisation etc. code) are resolved incorrectly or not resolved at all: in /examples:
switch2_clang and jumptable3_clang also do not successfully resolve indirect calls, but those examples do not appear to be possible to resolve at present due to an issue with the lifter.