A function prototype. More...

#include <fspec.hh>

Inheritance diagram for FuncProto:

Public Member Functions
	FuncProto (void)
	Constructor.

	~FuncProto (void)
	Destructor.

void	copy (const FuncProto &op2)
	Copy another function prototype. More...

void	copyFlowEffects (const FuncProto &op2)
	Copy properties that affect data-flow.

void	getPieces (PrototypePieces &pieces) const
	Get the raw pieces of the prototype. More...

void	setPieces (const PrototypePieces &pieces)
	Set this prototype based on raw pieces. More...

void	setScope (Scope *s, const Address &startpoint)
	Set a backing symbol Scope for this. More...

void	setInternal (ProtoModel m, Datatype vt)
	Set internal backing storage for this. More...

void	setModel (ProtoModel *m)
	Set the prototype model for this. More...

bool	isInputLocked (void) const
	Are input data-types locked.

void	setInputLock (bool val)
	Toggle the data-type lock on input parameters. More...

void	setOutputLock (bool val)
	Toggle the data-type lock on the return value. More...

void	setModelLock (bool val)
	Toggle the lock on the prototype model for this. More...

void	setInline (bool val)
	Toggle the in-line setting for functions with this prototype. More...

int4	getInjectId (void) const
	Get the injection id associated with this. More...

int4	getReturnBytesConsumed (void) const
	Get an estimate of the number of bytes consumed by callers of this prototype. More...

bool	setReturnBytesConsumed (int4 val)
	Set the number of bytes consumed by callers of this. More...

bool	isNoReturn (void) const
	Does a function with this prototype never return.

void	setNoReturn (bool val)
	Toggle the no-return setting for functions with this prototype. More...

bool	hasThisPointer (void) const
	Is this a prototype for a class method, taking a this pointer.

bool	isConstructor (void) const
	Is this prototype for a class constructor method.

void	setConstructor (bool val)
	Toggle whether this prototype is a constructor method. More...

bool	isDestructor (void) const
	Is this prototype for a class destructor method.

void	setDestructor (bool val)
	Toggle whether this prototype is a destructor method. More...

bool	hasInputErrors (void) const
	Has this prototype been marked as having an incorrect input parameter descriptions.

bool	hasOutputErrors (void) const
	Has this prototype been marked as having an incorrect return value description.

void	setInputErrors (bool val)
	Toggle the input error setting for this prototype. More...

void	setOutputErrors (bool val)
	Toggle the output error setting for this prototype. More...

void	resolveExtraPop (void)
	Assuming this prototype is locked, calculate the extrapop. More...

void	clearUnlockedInput (void)
	Clear input parameters that have not been locked.

void	clearUnlockedOutput (void)
	Clear the return value if it has not been locked.

void	clearInput (void)
	Clear all input parameters regardless of lock.

void	cancelInjectId (void)
	Turn-off any in-lining for this function.

void	resolveModel (ParamActive *active)
	If this has a merged model, pick the most likely model (from the merged set) More...

void	deriveInputMap (ParamActive *active) const
	Given a list of input trials, derive the most likely inputs for this prototype. More...

void	deriveOutputMap (ParamActive *active) const
	Given a list of output trials, derive the most likely return value for this prototype. More...

bool	checkInputJoin (const Address &hiaddr, int4 hisz, const Address &loaddr, int4 losz) const
	Check if the given two input storage locations can represent a single logical parameter. More...

bool	checkInputSplit (const Address &loc, int4 size, int4 splitpoint) const
	Check if it makes sense to split a single storage location into two input parameters. More...

void	updateInputTypes (Funcdata &data, const vector< Varnode * > &triallist, ParamActive *activeinput)
	Update input parameters based on Varnode trials. More...

void	updateInputNoTypes (Funcdata &data, const vector< Varnode * > &triallist, ParamActive *activeinput)
	Update input parameters based on Varnode trials, but do not store the data-type. More...

void	updateOutputTypes (const vector< Varnode * > &triallist)
	Update the return value based on Varnode trials. More...

void	updateOutputNoTypes (const vector< Varnode * > &triallist, TypeFactory *factory)
	Update the return value based on Varnode trials, but don't store the data-type. More...

void	updateAllTypes (const vector< string > &namelist, const vector< Datatype * > &typelist, bool dtdtdt)
	Set this entire function prototype based on a list of names and data-types. More...

uint4	hasEffect (const Address &addr, int4 size) const
	Calculate the effect this has an a given storage location. More...

vector< EffectRecord >::const_iterator	effectBegin (void) const
	Get iterator to front of EffectRecord list.

vector< EffectRecord >::const_iterator	effectEnd (void) const
	Get iterator to end of EffectRecord list.

int4	numLikelyTrash (void) const
	Get the number of likely-trash locations. More...

const VarnodeData &	getLikelyTrash (int4 i) const
	Get the i-th likely-trash location. More...

int4	characterizeAsInputParam (const Address &addr, int4 size) const
	Decide whether a given storage location could be, or could hold, an input parameter. More...

bool	possibleInputParam (const Address &addr, int4 size) const
	Decide whether a given storage location could be an input parameter. More...

bool	possibleOutputParam (const Address &addr, int4 size) const
	Decide whether a given storage location could be a return value. More...

int4	getMaxInputDelay (void) const
	Return the maximum heritage delay across all possible input parameters. More...

int4	getMaxOutputDelay (void) const
	Return the maximum heritage delay across all possible return values. More...

bool	unjustifiedInputParam (const Address &addr, int4 size, VarnodeData &res) const
	Check if the given storage location looks like an unjustified input parameter. More...

OpCode	assumedInputExtension (const Address &addr, int4 size, VarnodeData &res) const
	Get the type of extension and containing input parameter for the given storage. More...

OpCode	assumedOutputExtension (const Address &addr, int4 size, VarnodeData &res) const
	Get the type of extension and containing return value location for the given storage. More...

bool	getBiggestContainedInputParam (const Address &loc, int4 size, VarnodeData &res) const
	Pass-back the biggest potential input parameter contained within the given range. More...

bool	isCompatible (const FuncProto &op2) const
	Decide if this can be safely restricted to match another prototype. More...

void	printRaw (const string &funcname, ostream &s) const
	Print this prototype as a single line of text. More...

uint4	getComparableFlags (void) const
	Get the comparable properties of this prototype. More...

void	saveXml (ostream &s) const
	Save this to an XML stream as a <prototype> tag. More...

void	restoreXml (const Element el, Architecture glb)
	Restore this from an XML stream. More...

Protected Member Functions
void	paramShift (int4 paramshift)
	Add parameters to the front of the input parameter list. More...

void	setParamshiftApplied (bool val)
	Toggle whether a parameter shift has been applied.

Detailed Description

A function prototype.

A description of the parameters and return value for a specific function. Parameter descriptions include both source code features like name and data-type but also give the storage location. Storage follows a specific parameter passing convention (ProtoModel), although individual parameters may be customized. The prototype describes numerous properties related to calling the specific function:

Side-effects on non-parameter storage locations (like save registers)
P-code injection associated with the function (uponentry, uponreturn, callfixup)
Additional bytes (extrapop) popped from the stack by the function
Method flags (thiscall, is_constructor, is_destructor)

Member Function Documentation

◆ assumedInputExtension()

OpCode FuncProto::assumedInputExtension	(	const Address &	addr,
		int4	size,
		VarnodeData &	res
	)		const

inline

Get the type of extension and containing input parameter for the given storage.

If the given storage is properly contained within a normal parameter and the model typically extends a small value into the full container, pass back the full container and the type of extension.

Parameters

addr	is the starting address of the given storage
size	is the number of bytes in the given storage
res	is the parameter storage to pass back

Returns: the extension operator (INT_ZEXT INT_SEXT) or INT_COPY if there is no extension. INT_PIECE indicates the extension is determined by the specific prototype.

◆ assumedOutputExtension()

OpCode FuncProto::assumedOutputExtension	(	const Address &	addr,
		int4	size,
		VarnodeData &	res
	)		const

inline

Get the type of extension and containing return value location for the given storage.

If the given storage is properly contained within a normal return value location and the model typically extends a small value into the full container, pass back the full container and the type of extension.

Parameters

addr	is the starting address of the given storage
size	is the number of bytes in the given storage
res	is the parameter storage to pass back

Returns: the extension operator (INT_ZEXT INT_SEXT) or INT_COPY if there is no extension. INT_PIECE indicates the extension is determined by the specific prototype.

◆ characterizeAsInputParam()

int4 FuncProto::characterizeAsInputParam	(	const Address &	addr,
		int4	size
	)		const

Decide whether a given storage location could be, or could hold, an input parameter.

If the input is locked, check if the location overlaps one of the current parameters. Otherwise, check if the location overlaps an entry in the prototype model. Return:

0 if the location neither contains or is contained by a parameter storage location
1 if the location is contained by a parameter storage location
2 if the location contains a parameter storage location
Parameters

addr is the starting address of the given storage location

size is the number of bytes in the storage

Returns
the characterization code

◆ checkInputJoin()

bool FuncProto::checkInputJoin	(	const Address &	hiaddr,
		int4	hisz,
		const Address &	loaddr,
		int4	losz
	)		const

inline

Check if the given two input storage locations can represent a single logical parameter.

For this prototype, do the two (hi/lo) locations represent consecutive input parameter locations that can be replaced by a single logical parameter.

Parameters

hiaddr	is the address of the most significant part of the value
hisz	is the size of the most significant part in bytes
loaddr	is the address of the least significant part of the value
losz	is the size of the least significant part in bytes

Returns: true if the two pieces can be joined

◆ checkInputSplit()

bool FuncProto::checkInputSplit	(	const Address &	loc,
		int4	size,
		int4	splitpoint
	)		const

inline

Check if it makes sense to split a single storage location into two input parameters.

A storage location and split point is provided, implying two new storage locations. Does this prototype allow these locations to be considered separate parameters.

Parameters

loc	is the starting address of provided storage location
size	is the size of the location in bytes
splitpoint	is the number of bytes to consider in the first (in address order) piece

Returns: true if the storage location can be split

◆ copy()

void FuncProto::copy ( const FuncProto & op2 )

Copy another function prototype.

Parameters

op2	is the other function prototype to copy into this

◆ deriveInputMap()

void FuncProto::deriveInputMap ( ParamActive * active ) const

inline

Given a list of input trials, derive the most likely inputs for this prototype.

Trials are sorted and marked as used or not.

Parameters

active is the collection of Varnode input trials

◆ deriveOutputMap()

void FuncProto::deriveOutputMap ( ParamActive * active ) const

inline

Given a list of output trials, derive the most likely return value for this prototype.

One trial (at most) is marked used and moved to the front of the list

Parameters

active is the collection of output trials

◆ getBiggestContainedInputParam()

bool FuncProto::getBiggestContainedInputParam	(	const Address &	loc,
		int4	size,
		VarnodeData &	res
	)		const

Pass-back the biggest potential input parameter contained within the given range.

Pass-back the biggest input parameter contained within the given range.

Parameters

loc	is the starting address of the given range
size	is the number of bytes in the range
res	will hold the parameter storage description being passed back

Returns: true if there is at least one parameter contained in the range

◆ getComparableFlags()

uint4 FuncProto::getComparableFlags ( void ) const

inline

Get the comparable properties of this prototype.

Get properties not including locking, error, and inlining flags.

Returns: the active set of flags for this prototype

◆ getInjectId()

int4 FuncProto::getInjectId ( void ) const

inline

Get the injection id associated with this.

A non-negative id indicates a call-fixup is used to in-line function's with this prototype.

Returns: the id value corresponding to the specific call-fixup or -1 if there is no call-fixup

◆ getLikelyTrash()

const VarnodeData & FuncProto::getLikelyTrash ( int4 i ) const

Get the i-th likely-trash location.

Parameters

i	is the index of the storage location

Returns: the storage location which may hold a trash value

◆ getMaxInputDelay()

int4 FuncProto::getMaxInputDelay ( void ) const

inline

Return the maximum heritage delay across all possible input parameters.

Depending on the address space, data-flow for a parameter may not be available until extra transform passes have completed. This method returns the number of passes that must occur before we can guarantee that all parameters have data-flow info.

Returns: the maximum number of passes across all input parameters in this prototype

◆ getMaxOutputDelay()

int4 FuncProto::getMaxOutputDelay ( void ) const

inline

Return the maximum heritage delay across all possible return values.

Depending on the address space, data-flow for a parameter may not be available until extra transform passes have completed. This method returns the number of passes that must occur before we can guarantee that any return value has data-flow info.

Returns: the maximum number of passes across all output parameters in this prototype

◆ getPieces()

void FuncProto::getPieces ( PrototypePieces & pieces ) const

Get the raw pieces of the prototype.

Copy out the raw pieces of this prototype as stand-alone objects, includings model, names, and data-types

Parameters

pieces will hold the raw pieces

◆ getReturnBytesConsumed()

int4 FuncProto::getReturnBytesConsumed ( void ) const

inline

Get an estimate of the number of bytes consumed by callers of this prototype.

A value of 0 means all possible bytes of the storage location are consumed.

Returns: the number of bytes or 0

◆ hasEffect()

uint4 FuncProto::hasEffect	(	const Address &	addr,
		int4	size
	)		const

Calculate the effect this has an a given storage location.

For a storage location that is active before and after a call to a function with this prototype, we determine the type of side-effect the function will have on the storage.

Parameters

addr	is the starting address of the storage location
size	is the number of bytes in the storage

Returns: the type of side-effect: EffectRecord::unaffected, EffectRecord::killedbycall, etc.

◆ isCompatible()

bool FuncProto::isCompatible ( const FuncProto & op2 ) const

Decide if this can be safely restricted to match another prototype.

Do this and another given function prototype share enough of their model, that if we restrict this to the other prototype, we know we won't miss data-flow.

Parameters

op2	is the other restricting prototype

Returns: true if the two prototypes are compatible enough to restrict

◆ numLikelyTrash()

int4 FuncProto::numLikelyTrash ( void ) const

Get the number of likely-trash locations.

Returns: the number of individual storage locations

◆ paramShift()

void FuncProto::paramShift ( int4 paramshift )

protected

Add parameters to the front of the input parameter list.

Prepend the indicated number of input parameters to this. The new parameters have a data-type of xunknown4. If they were originally locked, the existing parameters are preserved.

Parameters

paramshift is the number of parameters to add (must be >0)

◆ possibleInputParam()

bool FuncProto::possibleInputParam	(	const Address &	addr,
		int4	size
	)		const

Decide whether a given storage location could be an input parameter.

If the input is locked, check if the location matches one of the current parameters. Otherwise, check if the location could be a parameter based on the prototype model.

Parameters

addr	is the starting address of the given storage location
size	is the number of bytes in the storage

Returns: false if the location is definitely not an input parameter

◆ possibleOutputParam()

bool FuncProto::possibleOutputParam	(	const Address &	addr,
		int4	size
	)		const

Decide whether a given storage location could be a return value.

If the output is locked, check if the location matches the current return value. Otherwise, check if the location could be a return value based on the prototype model.

Parameters

addr	is the starting address of the given storage location
size	is the number of bytes in the storage

Returns: false if the location is definitely not the return value

◆ printRaw()

void FuncProto::printRaw	(	const string &	funcname,
		ostream &	s
	)		const

Print this prototype as a single line of text.

Parameters

funcname	is an identifier of the function using this prototype
s	is the output stream

◆ resolveExtraPop()

void FuncProto::resolveExtraPop ( void )

Assuming this prototype is locked, calculate the extrapop.

If extrapop is unknown and this prototype is locked, try to directly calculate what the extrapop should be. This is really only designed to work with 32-bit x86 binaries.

◆ resolveModel()

void FuncProto::resolveModel ( ParamActive * active )

If this has a merged model, pick the most likely model (from the merged set)

The given parameter trials are used to pick from among the merged ProtoModels and this prototype is changed (specialized) to the pick

Parameters

active is the set of parameter trials to evaluate with

◆ restoreXml()

void FuncProto::restoreXml	(	const Element *	el,
		Architecture *	glb
	)

Restore this from an XML stream.

The backing store for the parameters must already be established using either setStore() or setInternal().

Parameters

el	is the <prototype> XML element
glb	is the Architecture owning the prototype

◆ saveXml()

void FuncProto::saveXml ( ostream & s ) const

Save this to an XML stream as a <prototype> tag.

Save everything under the control of this prototype, which may not include input parameters, as these are typically controlled by the function's symbol table scope.

Parameters

s	is the output stream

◆ setConstructor()

void FuncProto::setConstructor ( bool val )

inline

Toggle whether this prototype is a constructor method.

Parameters

val	is true if this is a constructor, false otherwise

◆ setDestructor()

void FuncProto::setDestructor ( bool val )

inline

Toggle whether this prototype is a destructor method.

Parameters

val	is true if this is a destructor

◆ setInline()

void FuncProto::setInline ( bool val )

inline

Toggle the in-line setting for functions with this prototype.

In-lining can be based on a call-fixup, or the full body of the function can be in-lined.

Parameters

val	is true if in-lining should be performed.

◆ setInputErrors()

void FuncProto::setInputErrors ( bool val )

inline

Toggle the input error setting for this prototype.

Parameters

val	is true if input parameters should be marked as in error

◆ setInputLock()

void FuncProto::setInputLock ( bool val )

Toggle the data-type lock on input parameters.

The lock on the data-type of input parameters is set as specified. A true value indicates that future analysis will not change the number of input parameters or their data-type. Zero parameters or void can be locked.

Parameters

val	is true to indicate a lock, false for unlocked

◆ setInternal()

void FuncProto::setInternal	(	ProtoModel *	m,
		Datatype *	vt
	)

Set internal backing storage for this.

A prototype model is set, and any parameters added to this during analysis will be backed internally.

Parameters

m	is the prototype model to set
vt	is the default void data-type to use if the return-value remains unassigned

◆ setModel()

void FuncProto::setModel ( ProtoModel * m )

Set the prototype model for this.

Establish a specific prototype model for this function prototype. Some basic properties are inherited from the model, otherwise parameters are unchanged.

Parameters

m	is the new prototype model to set

◆ setModelLock()

void FuncProto::setModelLock ( bool val )

inline

Toggle the lock on the prototype model for this.

The prototype model can be locked while still leaving parameters unlocked. Parameter recovery will follow the rules of the locked model.

Parameters

val	is true to indicate a lock, false for unlocked

◆ setNoReturn()

void FuncProto::setNoReturn ( bool val )

inline

Toggle the no-return setting for functions with this prototype.

Parameters

val	is true to treat the function as never returning

◆ setOutputErrors()

void FuncProto::setOutputErrors ( bool val )

inline

Toggle the output error setting for this prototype.

Parameters

val	is true if return value should be marked as in error

◆ setOutputLock()

void FuncProto::setOutputLock ( bool val )

Toggle the data-type lock on the return value.

The lock of the data-type of the return value is set as specified. A true value indicates that future analysis will not change the presence of or the data-type of the return value. A void return value can be locked.

Parameters

val	is true to indicate a lock, false for unlocked

◆ setPieces()

void FuncProto::setPieces ( const PrototypePieces & pieces )

Set this prototype based on raw pieces.

The full function prototype is (re)set from a model, names, and data-types The new input and output parameters are both assumed to be locked.

Parameters

pieces is the raw collection of names and data-types

◆ setReturnBytesConsumed()

bool FuncProto::setReturnBytesConsumed ( int4 val )

Set the number of bytes consumed by callers of this.

This value can be used as a hint as to how much of the return value is important and is used to inform the dead code consume algorithm.

Parameters

val	is the estimated number of bytes or 0

Returns: true if the value was changed

◆ setScope()

void FuncProto::setScope	(	Scope *	s,
		const Address &	startpoint
	)

Set a backing symbol Scope for this.

Input parameters are set based on an existing function Scope and if there is no prototype model the default model is set. Parameters that are added to this during analysis will automatically be reflected in the symbol table. This should only be called during initialization of this prototype.

Parameters

s	is the Scope to set
startpoint	is a usepoint to associate with the parameters

◆ unjustifiedInputParam()

bool FuncProto::unjustifiedInputParam	(	const Address &	addr,
		int4	size,
		VarnodeData &	res
	)		const

Check if the given storage location looks like an unjustified input parameter.

The storage for a value may be contained in a normal parameter location but be unjustified within that container, i.e. the least significant bytes are not being used. If this is the case, pass back the full parameter location and return true. If the input is locked, checking is againt the set parameters, otherwise the check is against the prototype model.

Parameters

addr	is the starting address of the given storage
size	is the number of bytes in the given storage
res	is the full parameter storage to pass back

Returns: true if the given storage is unjustified within its parameter container

◆ updateAllTypes()

void FuncProto::updateAllTypes	(	const vector< string > &	namelist,
		const vector< Datatype * > &	typelist,
		bool	dtdtdt
	)

Set this entire function prototype based on a list of names and data-types.

Prototype information is provided as separate lists of names and data-types, where the first entry corresponds to the output parameter (return value) and the remaining entries correspond to input parameters. Storage locations and hidden return parameters are calculated, creating a complete function protototype. Existing locks are overridden.

Parameters

namelist	is the list of parameter names
typelist	is the list of data-types
dtdtdt	is true if the new prototype accepts variable argument lists

◆ updateInputNoTypes()

void FuncProto::updateInputNoTypes	(	Funcdata &	data,
		const vector< Varnode * > &	triallist,
		ParamActive *	activeinput
	)

Update input parameters based on Varnode trials, but do not store the data-type.

This is accomplished in the same way as if there were data-types but instead of pulling a data-type from the Varnode, only the size is used. Undefined data-types are pulled from the given TypeFactory

Parameters

data	is the function containing the trial Varnodes
triallist	is the list of Varnodes
activeinput	is the trial container

◆ updateInputTypes()

void FuncProto::updateInputTypes	(	Funcdata &	data,
		const vector< Varnode * > &	triallist,
		ParamActive *	activeinput
	)

Update input parameters based on Varnode trials.

If the input parameters are locked, don't do anything. Otherwise, given a list of Varnodes and their associated trial information, create an input parameter for each trial in order, grabbing data-type information from the Varnode. Any old input parameters are cleared.

Parameters

data	is the function containing the trial Varnodes
triallist	is the list of Varnodes
activeinput	is the trial container

◆ updateOutputNoTypes()

void FuncProto::updateOutputNoTypes	(	const vector< Varnode * > &	triallist,
		TypeFactory *	factory
	)

Update the return value based on Varnode trials, but don't store the data-type.

If the output parameter is locked, don't do anything. Otherwise, given a list of (at most 1) Varnode, create a return value, grabbing size information from the Varnode. An undefined data-type is created from the given TypeFactory. Any old return value is removed.

Parameters

triallist	is the list of Varnodes
factory	is the given TypeFactory

◆ updateOutputTypes()

void FuncProto::updateOutputTypes ( const vector< Varnode * > & triallist )

Update the return value based on Varnode trials.

If the output parameter is locked, don't do anything. Otherwise, given a list of (at most 1) Varnode, create a return value, grabbing data-type information from the Varnode. Any old return value is removed.

Parameters

triallist is the list of Varnodes

The documentation for this class was generated from the following files:

fspec.hh
fspec.cc

Public Member Functions

Protected Member Functions

Detailed Description

Member Function Documentation

◆ assumedInputExtension()

◆ assumedOutputExtension()

◆ characterizeAsInputParam()

◆ checkInputJoin()

◆ checkInputSplit()

◆ copy()

◆ deriveInputMap()

◆ deriveOutputMap()

◆ getBiggestContainedInputParam()

◆ getComparableFlags()

◆ getInjectId()

◆ getLikelyTrash()

◆ getMaxInputDelay()

◆ getMaxOutputDelay()

◆ getPieces()

◆ getReturnBytesConsumed()

◆ hasEffect()

◆ isCompatible()

◆ numLikelyTrash()

◆ paramShift()

◆ possibleInputParam()

◆ possibleOutputParam()

◆ printRaw()

◆ resolveExtraPop()

◆ resolveModel()

◆ restoreXml()

◆ saveXml()

◆ setConstructor()

◆ setDestructor()

◆ setInline()

◆ setInputErrors()

◆ setInputLock()

◆ setInternal()

◆ setModel()

◆ setModelLock()

◆ setNoReturn()

◆ setOutputErrors()

◆ setOutputLock()

◆ setPieces()

◆ setReturnBytesConsumed()

◆ setScope()

◆ unjustifiedInputParam()

◆ updateAllTypes()

◆ updateInputNoTypes()

◆ updateInputTypes()

◆ updateOutputNoTypes()

◆ updateOutputTypes()