cisco-open / llvm-crash-analyzer

llvm crash analysis
Apache License 2.0
40 stars 17 forks

[TA] Improved global variables support #44

Closed niktesic closed 1 year ago

niktesic commented 1 year ago

This PR improves global variables support. The handleGlobalVar function checks if TaintInfo represents a global variable and converts Ti into the expected form. The expected form is $noreg plus offset, which is the global variable symbol address or the Global Offset Table entry. Also, all SBModules needed for searching global symbols are derived from the Decompiler's SBTarget, which makes us able to search symbols from all dependencies.

In decompiled MIR, global variables are represented by three different types of operands:

  1. Immediate operands – value is the global symbol address

    $rdi = MOV64ri 6295592

  2. Memory operand $noreg + offset – offset is the global symbol address

    MOV64mi32 $noreg, 1, $noreg, 6295592, $noreg, 0

  3. PC relative address – address of the global variable entry in the GOT (Global Offset Table), where the variable address is stored (extra level of indirection)

    $rax = MOV64rm $rip, 1, $noreg, 2099639, $noreg
    MOV64mr $rax, 1, $noreg, 0, $noreg, $rcx

RegisterEquivalence is improved to transform PC relative address into $noreg + offset format, which is beneficial for correct calculation of Concrete Memory Address when backup (equivalent) location is used.
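The normalization the PR describes, bringing all three MIR operand forms to a single `$noreg + offset` representation, can be illustrated with a small stand-alone model. The following is an added example written for this page; it is not code from llvm-crash-analyzer and does not use the project's `handleGlobalVar` or `RegisterEquivalence` classes. It parses the three sample MIR lines from the description, and for the PC-relative case resolves the GOT entry against a constructed memory image: the instruction's end address (`NEXT_PC`) and the GOT contents are assumed values chosen so that all three forms resolve to the same global symbol address, 6295592.

```python
"""Normalize x86 MIR global-variable operands to $noreg + offset.

Added example for the PR discussion above; names, addresses and the
memory image below are constructed assumptions, not project code.
"""
import re

# Constructed sample lines, taken from the three forms in the PR text.
SAMPLE_MIR = [
    "$rdi = MOV64ri 6295592",                               # 1. immediate
    "MOV64mi32 $noreg, 1, $noreg, 6295592, $noreg, 0",      # 2. $noreg + offset
    "$rax = MOV64rm $rip, 1, $noreg, 2099639, $noreg",      # 3. PC-relative (GOT)
]

# Assumed address of the byte after the MOV64rm (RIP-relative displacements
# are applied to the end of the instruction on x86-64).
NEXT_PC = 0x401007
# Assumed memory image: the GOT slot at NEXT_PC + 2099639 holds the
# global's address, so the indirection lands on the same symbol.
MEMORY = {NEXT_PC + 2099639: 6295592}

_INT = re.compile(r"^-?\d+$")


def parse_mir(line):
    """Split 'defs = OPCODE a, b, c' into (defs, opcode, [operands])."""
    defs, rest = line.split(" = ", 1) if " = " in line else ("", line)
    head = rest.strip().split(None, 1)
    opcode = head[0]
    ops = [o.strip() for o in head[1].split(",")] if len(head) > 1 else []
    return defs.strip(), opcode, ops


def normalize_global(line, next_pc=NEXT_PC, memory=MEMORY):
    """Return the $noreg + offset form for a global-variable operand.

    The x86 memory operand tuple is (base, scale, index, disp, segment);
    for the MOV forms modelled here it starts at the first operand.
    Returns None when the operand does not address a global.
    """
    _, opcode, ops = parse_mir(line)

    # Form 1: a lone integer immediate is the symbol address itself.
    if len(ops) == 1 and _INT.match(ops[0]):
        return {"form": "immediate", "base": "$noreg", "offset": int(ops[0])}

    if len(ops) >= 5 and ops[1].isdigit() and _INT.match(ops[3]):
        base, index, disp = ops[0], ops[2], int(ops[3])

        # Form 2: already $noreg + offset, nothing to do.
        if base == "$noreg" and index == "$noreg":
            return {"form": "noreg+offset", "base": "$noreg", "offset": disp}

        # Form 3: $rip + disp names the GOT slot; the global's address is
        # the value stored there (one extra level of indirection).
        if base == "$rip" and index == "$noreg":
            got_entry = next_pc + disp
            if got_entry not in memory:
                raise KeyError(f"GOT entry {got_entry:#x} not in memory image")
            return {
                "form": "pc-relative",
                "base": "$noreg",
                "offset": memory[got_entry],
                "got_entry": got_entry,
            }

    # Register-based addressing ($rax, ...) is not a direct global reference.
    return None


def resolve_all(lines=SAMPLE_MIR):
    """Normalize every line; useful to show all forms collapse to one address."""
    return [normalize_global(l) for l in lines]


if __name__ == "__main__":
    for line, norm in zip(SAMPLE_MIR, resolve_all()):
        print(f"{line:55s} -> {norm}")
```

Running the script shows the immediate, the `$noreg`-based memory operand and the `$rip`-relative load all normalizing to `$noreg + 6295592`, with the PC-relative entry additionally recording the GOT slot it went through. The second line of form 3 (`MOV64mr $rax, ...`) deliberately normalizes to `None`: once the GOT value sits in `$rax`, tracking it further is the job of register equivalence rather than operand normalization.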