Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

provides liveness analysis and uses liveness for Sub.free_vars #1051

Merged
merged 3 commits into from
Feb 14, 2020
Merged

provides liveness analysis and uses liveness for Sub.free_vars #1051

merged 3 commits into from
Feb 14, 2020

Conversation

ivg
Copy link
Member

@ivg ivg commented Feb 13, 2020

  1. implements liveness analysis for subroutines and provides it
    as [Sub.compute_liveness] which returns a fixed point solution to
    the variable liveness property.

  2. uses liveness to compute free variables when a subroutime is not
    in the SSA form

  3. Sub.to_graph now returns a fully connected graph with two
    pseudo-nodes, [start], and [exit] (we keep doing every time we need to
    do some graph computation, so let's make it official). This
    pseudo-nodes are constants defined in the [Graphs.Tid] interface.

Context

We used to rely on the dominators tree to compute the set of free
variables when the SSA form is not available. It was an optimization,
as by that time we didn't have the fixpoint function and didn't want
to compute SSA just for getting free vars. It was also returning an
underapproximation, rather than overapproximation (i.e., was a must free
analysis), which was fine with some existing uses of the
[Sub.free_vars] function, but wasn't sufficient/correct for other
uses, e.g., in the promiscuous mode we were relying on it to turn a
subroutine into a closed form, to prevent failures in runtime with
undefined variable (we probably could just define all vars used in the
program, but this is a different story). Since [Sub.free_vars] were
returning an under-approximation we still experiences some runtime
failures, which were halting our machines that resulted in non-visited
code and missing vulnerabilities.

@ivg
uses liveness analysis for free variable when no SSA available
9c2e0a3 
An approximation with dominators doesn't really work well, and since
we have the fixpoint function for quite a few time there is no reason
not to implement it using the classical dataflow.
@ivg
provides liveness analysis and uses liveness for Sub.free_vars
9183677 
1. implements liveness analysis for subroutines and provides it
as [Sub.compute_liveness] which returns a fixed point solution to
the variable liveness property.

2. uses liveness to compute free variables when a subroutime is not
in the SSA form

3. Sub.to_graph now returns a fully connected graph with two
pseudo-nodes, [start], and [exit] (we keep doing every time we need to
do some graph computation, so let's make it official). This
pseudo-nodes are constants defined in the [Graphs.Tid] interface.

Context
=======

We used to rely on the dominators tree to compute the set of free
variables when the SSA form is not available. It was an optimization,
as by that time we didn't have the fixpoint function and didn't want
to compute SSA just for getting free vars. It was also returning an
underapproximation, rather than overapproximation (i.e., was a must free
analysis), which was fine with some existing uses of the
[Sub.free_vars] function, but wasn't sufficient/correct for other
uses, e.g., in the promiscuous mode we were relying on it to turn a
subroutine into a closed form, to prevent failures in runtime with
undefined variable (we probably could just define all vars used in the
program, but this is a different story). Since [Sub.free_vars] were
returning an under-approximation we still experiences some runtime
failures, which were halting our machines that resulted in non-visited
code and missing vulnerabilities.
@ivg ivg mentioned this pull request Feb 13, 2020
Closed
@ivg
fixes the SSA algorithm after the Tid graph change
bffc6f9 
The SSA transformation algorithm assumes that [Sub.to_graph] function
returns a graph with the set of nodes that are equal to the set of
term identifiers of the subroutine. This is no longer true, as this
set is now extended with two artifical nodes, start and exit,
therefore the algorithm was failing.

Now, it expects those artificial nodes and handles them correctly.
@ivg ivg merged commit ebcfd29 into BinaryAnalysisPlatform:master Feb 14, 2020
ivg added a commit to ivg/bap that referenced this pull request Feb 19, 2020
@ivg
fixes start and exit insertion for singleton graphs
ac868c0 
In BinaryAnalysisPlatform#1051 we begun inserting `start` and `exit` pseudonodes and
introduced a small bug, when the graph is singleton and has a node
with both indegree and outdegree equal to zero. For that graphs,
instead of
```
digraph {
start -> n -> exit
}
```
we got
```
digraph {
start -> n;
start -> exit;
}
```

since we didn't insert an edge from `n` to `exit`.
@ivg ivg mentioned this pull request Feb 19, 2020
Merged
ivg added a commit that referenced this pull request Feb 20, 2020
@ivg
fixes start and exit insertion for singleton graphs (#1060)
2ad537a 
In #1051 we begun inserting `start` and `exit` pseudonodes and
introduced a small bug, when the graph is singleton and has a node
with both indegree and outdegree equal to zero. For that graphs,
instead of
```
digraph {
start -> n -> exit
}
```
we got
```
digraph {
start -> n;
start -> exit;
}
```

since we didn't insert an edge from `n` to `exit`.
@ivg ivg deleted the use-liveness-for-free-vars branch June 10, 2020 12:33
@ivg ivg mentioned this pull request Mar 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ivg