Ghidra 11.4.2
Ghidra internal decompiler documentation.
Infer and propagate data-types.
#include <coreaction.hh>

Public Member Functions
  ActionInferTypes (const string &g)
    Constructor.
  virtual void reset (Funcdata &data)
    Reset the Action for a new function.
  virtual Action * clone (const ActionGroupList &grouplist) const
    Clone the Action.
  virtual int4 apply (Funcdata &data)
    Make a single attempt to apply this Action.

Member Functions inherited from ghidra::Action
  Action (uint4 f, const string &nm, const string &g)
    Base constructor for an Action.
  virtual ~Action (void)
    Destructor.
  virtual void printStatistics (ostream &s) const
    Dump statistics to stream.
  int4 perform (Funcdata &data)
    Perform this action (if necessary).
  bool setBreakPoint (uint4 tp, const string &specify)
    Set a breakpoint on this action.
  virtual void clearBreakPoints (void)
    Clear all breakpoints set on this Action.
  bool setWarning (bool val, const string &specify)
    Set a warning on this action.
  bool disableRule (const string &specify)
    Disable a specific Rule within this.
  bool enableRule (const string &specify)
    Enable a specific Rule within this.
  const string & getName (void) const
    Get the Action's name.
  const string & getGroup (void) const
    Get the Action's group.
  uint4 getStatus (void) const
    Get the current status of this Action.
  uint4 getNumTests (void)
    Get the number of times apply() was invoked.
  uint4 getNumApply (void)
  virtual void resetStats (void)
    Reset all the counts to zero.
  virtual int4 print (ostream &s, int4 num, int4 depth) const
    Print a description of this Action to stream.
  virtual void printState (ostream &s) const
    Print status to stream.
  virtual Action * getSubAction (const string &specify)
    Retrieve a specific sub-action by name.
  virtual Rule * getSubRule (const string &specify)
    Retrieve a specific sub-rule by name.

Static Private Member Functions
  static void buildLocaltypes (Funcdata &data)
    Assign initial data-type based on local info.
  static bool writeBack (Funcdata &data)
    Commit the final propagated data-types to Varnodes.
  static bool propagateTypeEdge (TypeFactory *typegrp, PcodeOp *op, int4 inslot, int4 outslot)
    Attempt to propagate a data-type across a single PcodeOp edge.
  static void propagateOneType (TypeFactory *typegrp, Varnode *vn)
    Propagate a data-type starting from one Varnode across the function.
  static void propagateRef (Funcdata &data, Varnode *vn, const Address &addr)
    Try to propagate a pointer data-type to known aliases.
  static void propagateSpacebaseRef (Funcdata &data, Varnode *spcvn)
    Search for pointers and propagate their data-types to known aliases.
  static PcodeOp * canonicalReturnOp (Funcdata &data)
  static void propagateAcrossReturns (Funcdata &data)
    Give data-types a chance to propagate between CPUI_RETURN operations.

Private Attributes
  int4 localcount
    Number of passes performed for this function.

Additional Inherited Members

Types inherited from ghidra::Action
  enum ruleflags { rule_repeatapply = 4, rule_onceperfunc = 8, rule_oneactperfunc = 16, rule_debug = 32, rule_warnings_on = 64, rule_warnings_given = 128 }
    Boolean behavior properties governing this particular Action.
  enum statusflags { status_start = 1, status_breakstarthit = 2, status_repeat = 4, status_mid = 8, status_end = 16, status_actionbreak = 32 }
    Boolean properties describing the status of an action.
  enum breakflags { break_start = 1, tmpbreak_start = 2, break_action = 4, tmpbreak_action = 8 }
    Break points associated with an Action.

Member Functions inherited from ghidra::Action
  void issueWarning (Architecture *glb)
    Warn that this Action has applied.
  bool checkStartBreak (void)
    Check start breakpoint.
  bool checkActionBreak (void)
    Check action breakpoint.
  void turnOnWarnings (void)
    Enable warnings for this Action.
  void turnOffWarnings (void)
    Disable warnings for this Action.

Attributes inherited from ghidra::Action
  int4 lcount
    Changes not including last call to apply().
  int4 count
    Number of changes made by this action so far.
  uint4 status
    Current status.
  uint4 breakpoint
    Breakpoint properties.
  uint4 flags
    Behavior properties.
  uint4 count_tests
    Number of times apply() has been called.
  uint4 count_apply
    Number of times apply() made changes.
  string name
    Name of the action.
  string basegroup
    Base group this action belongs to.
Infer and propagate data-types.
Atomic data-types are ordered from most specified to least specified. This is extended recursively to an ordering on composite data-types via Datatype::typeOrder(). A local data-type is calculated for each Varnode by looking at the data-types expected by the PcodeOps it is directly involved in (as input or output). Every Varnode has one chance to propagate its information throughout the graph along COPY, LOAD, STORE, ADD, MULTIEQUAL, and INDIRECT edges.

The propagation is done with a depth-first search along propagating edges. If the propagated data-type is the same or less specific, or if the Varnode has already been propagated through, that branch is trimmed. Every edge can theoretically get traversed once, i.e. the search allows the type to propagate through a looping edge, but immediately truncates. This is probably quadratic in the worst case, if each Varnode has a higher type and propagates it to the entire graph. But it is linear in practice, because there are generally only two or three levels of type, so only one or two Varnodes are likely to propagate widely within a component, and the others get truncated immediately. An initial sort on the data-type level of the Varnodes, so that the highest-level types are propagated first, would probably fix the worst case, but this seems unnecessary.

Complications: TYPE_SPACEBASE is a problem because we have to make sure that it doesn't propagate. Also, offsets off of pointers to TYPE_SPACEBASE look up the data-type in the local map. Then ActionRestructure uses data-type information recovered by this algorithm to reconstruct the local map. This causes a feedback loop which allows type information recovered about mapped Varnodes to be propagated to pointer Varnodes which point to the mapped object. Unfortunately, under rare circumstances this feedback loop does not converge for some reason. Rather than hunt this down, I've put an arbitrary iteration limit on the data-type propagation algorithm, which reports a warning if the limit is reached and then aborts additional propagation so that decompiling can terminate.
int4 ghidra::ActionInferTypes::apply (Funcdata &data) [virtual]
Make a single attempt to apply this Action.
This is the main entry point for applying changes to a function that are specific to this Action. The method can inspect whatever it wants to decide if the Action does or does not apply. Changes are indicated by incrementing the count field.
Parameters:
  data: is the function to inspect/modify
Implements ghidra::Action.
References ghidra::ScopeLocal::applyTypeRecommendations(), ghidra::Funcdata::beginLoc(), ghidra::Funcdata::endLoc(), ghidra::Funcdata::findSpacebaseInput(), ghidra::Funcdata::getArch(), ghidra::Funcdata::getScopeLocal(), ghidra::ScopeLocal::getSpaceId(), ghidra::Varnode::hasNoDescend(), ghidra::Funcdata::hasTypeRecoveryStarted(), ghidra::Varnode::isAnnotation(), ghidra::Varnode::isWritten(), ghidra::Funcdata::setTypeRecoveryExceeded(), ghidra::Architecture::types, and ghidra::Funcdata::warningHeader().
void ghidra::ActionInferTypes::buildLocaltypes (Funcdata &data) [static, private]
Assign initial data-type based on local info.
Collect local data-type information on each Varnode inferred from the PcodeOps that read and write to it.
Parameters:
  data: is the function being analyzed
References ghidra::Funcdata::beginLoc(), ghidra::Funcdata::endLoc(), ghidra::SymbolEntry::getAddr(), ghidra::Varnode::getAddr(), ghidra::Funcdata::getArch(), ghidra::TypeFactory::getExactPiece(), ghidra::Varnode::getLocalType(), ghidra::Datatype::getMetatype(), ghidra::Address::getOffset(), ghidra::SymbolEntry::getOffset(), ghidra::Varnode::getSize(), ghidra::SymbolEntry::getSymbol(), ghidra::Varnode::getSymbolEntry(), ghidra::Symbol::getType(), ghidra::Varnode::hasNoDescend(), ghidra::Varnode::isAnnotation(), ghidra::Varnode::isTypeLock(), ghidra::Symbol::isTypeLocked(), ghidra::Varnode::isWritten(), ghidra::Varnode::setStopUpPropagation(), ghidra::Varnode::setTempType(), ghidra::TYPE_UNKNOWN, and ghidra::Architecture::types.
PcodeOp * ghidra::ActionInferTypes::canonicalReturnOp (Funcdata &data) [static, private]
Return the CPUI_RETURN op with the most specialized data-type, which is not dead and is not a special halt.
Parameters:
  data: is the function
References ghidra::Funcdata::beginOp(), ghidra::CPUI_RETURN, ghidra::Funcdata::endOp(), ghidra::PcodeOp::getHaltType(), ghidra::PcodeOp::getIn(), ghidra::Varnode::getTempType(), ghidra::PcodeOp::isDead(), ghidra::PcodeOp::numInput(), and ghidra::Datatype::typeOrder().
Action * ghidra::ActionInferTypes::clone (const ActionGroupList &grouplist) const [inline, virtual]
Clone the Action.
If this Action is a member of one of the groups in the grouplist, this returns a clone of the Action, otherwise NULL is returned.
Parameters:
  grouplist: is the list of groups being cloned
Implements ghidra::Action.
References ghidra::ActionGroupList::contains(), and ghidra::Action::getGroup().
void ghidra::ActionInferTypes::propagateAcrossReturns (Funcdata &data) [static, private]
Give data-types a chance to propagate between CPUI_RETURN operations.
Since a function is intended to return a single data-type, data-types effectively propagate between the input Varnodes to CPUI_RETURN ops, if there is more than one.
References ghidra::Funcdata::beginOp(), ghidra::CPUI_RETURN, ghidra::Funcdata::endOp(), ghidra::Funcdata::getArch(), ghidra::TypeFactory::getArch(), ghidra::Funcdata::getFuncProto(), ghidra::PcodeOp::getHaltType(), ghidra::PcodeOp::getIn(), ghidra::Datatype::getMetatype(), ghidra::Varnode::getNZMask(), ghidra::Varnode::getSize(), ghidra::Varnode::getTempType(), ghidra::PcodeOp::isDead(), ghidra::FuncProto::isOutputLocked(), ghidra::PcodeOp::numInput(), ghidra::Varnode::setTempType(), ghidra::TYPE_BOOL, and ghidra::Architecture::types.
void ghidra::ActionInferTypes::propagateOneType (TypeFactory *typegrp, Varnode *vn) [static, private]
Propagate a data-type starting from one Varnode across the function.
Given a starting Varnode, propagate its Datatype as far as possible through the data-flow graph, transforming the data-type through PcodeOps as necessary. The data-type is pushed through all possible propagating edges, but each Varnode is visited at most once. Propagation is trimmed along any particular path if the pushed data-type isn't more specific than the current data-type on a Varnode, under the data-type ordering.
Parameters:
  typegrp: is the TypeFactory for constructing transformed data-types
  vn: is the Varnode holding the root data-type to push
References ghidra::Varnode::clearMark(), ghidra::PcodeOp::getIn(), ghidra::PcodeOp::getOut(), ghidra::PropagationState::inslot, ghidra::PropagationState::op, ghidra::Varnode::setMark(), ghidra::PropagationState::slot, ghidra::PropagationState::step(), ghidra::PropagationState::valid(), and ghidra::PropagationState::vn.
void ghidra::ActionInferTypes::propagateRef (Funcdata &data, Varnode *vn, const Address &addr) [static, private]
Try to propagate a pointer data-type to known aliases.
Given a Varnode which is a likely pointer and an Address that is a known alias of the pointer, attempt to propagate the Varnode's data-type to Varnodes at that address.
Parameters:
  data: is the function being analyzed
  vn: is the given Varnode
  addr: is the aliased address
References ghidra::Funcdata::beginLoc(), ghidra::Funcdata::endLoc(), ghidra::Funcdata::getArch(), ghidra::TypeFactory::getExactPiece(), ghidra::Datatype::getMetatype(), ghidra::Address::getOffset(), ghidra::Varnode::getOffset(), ghidra::Datatype::getSize(), ghidra::Varnode::getSize(), ghidra::Address::getSpace(), ghidra::Varnode::getSymbolEntry(), ghidra::Varnode::getTempType(), ghidra::Varnode::hasNoDescend(), ghidra::Varnode::isAnnotation(), ghidra::Varnode::isTypeLock(), ghidra::Varnode::isWritten(), ghidra::Varnode::setTempType(), ghidra::TYPE_PTR, ghidra::TYPE_SPACEBASE, ghidra::TYPE_UNKNOWN, ghidra::Datatype::typeOrder(), and ghidra::Architecture::types.
void ghidra::ActionInferTypes::propagateSpacebaseRef (Funcdata &data, Varnode *spcvn) [static, private]
Search for pointers and propagate their data-types to known aliases.
This routine looks for ADD operations off of a specific spacebase register that produce output Varnodes with a known data-type. The offset of the ADD is calculated into the corresponding address space, and an attempt is made to propagate the Varnode's data-type to other Varnodes in the address space at that offset.
Parameters:
  data: is the function being analyzed
  spcvn: is the spacebase register
References ghidra::Varnode::beginDescend(), ghidra::PcodeOp::code(), ghidra::CPUI_COPY, ghidra::CPUI_INT_ADD, ghidra::CPUI_PTRADD, ghidra::CPUI_PTRSUB, ghidra::Varnode::endDescend(), ghidra::PcodeOp::getAddr(), ghidra::TypeSpacebase::getAddress(), ghidra::PcodeOp::getIn(), ghidra::Datatype::getMetatype(), ghidra::Varnode::getOffset(), ghidra::PcodeOp::getOut(), ghidra::Varnode::getSize(), ghidra::Varnode::getType(), ghidra::Varnode::isConstant(), ghidra::TYPE_PTR, and ghidra::TYPE_SPACEBASE.
bool ghidra::ActionInferTypes::propagateTypeEdge (TypeFactory *typegrp, PcodeOp *op, int4 inslot, int4 outslot) [static, private]
Attempt to propagate a data-type across a single PcodeOp edge.
Given an input Varnode and an output Varnode defining a directed edge through a PcodeOp, determine if and how the input data-type propagates to the output. Update the output Varnode's (temporary) data-type. The input side of the edge may be either an input or an output of the PcodeOp. A slot value of -1 indicates the PcodeOp output; a non-negative value indicates a PcodeOp input index.
Parameters:
  typegrp: is the TypeFactory for building a possibly transformed data-type
  op: is the PcodeOp through which the propagation edge flows
  inslot: indicates the edge's input Varnode
  outslot: indicates the edge's output Varnode
References ghidra::TypeFactory::getArch(), ghidra::PcodeOp::getIn(), ghidra::Datatype::getMetatype(), ghidra::Varnode::getNZMask(), ghidra::PcodeOp::getOpcode(), ghidra::PcodeOp::getOut(), ghidra::Varnode::getTempType(), ghidra::Varnode::isAnnotation(), ghidra::Varnode::isMark(), ghidra::Varnode::isTypeLock(), ghidra::Datatype::needsResolution(), ghidra::TypeOp::propagateType(), ghidra::Datatype::resolveInFlow(), ghidra::Varnode::setTempType(), ghidra::Varnode::stopsUpPropagation(), ghidra::TYPE_BOOL, and ghidra::Datatype::typeOrder().
void ghidra::ActionInferTypes::reset (Funcdata &data) [inline, virtual]
Reset the Action for a new function.
Parameters:
  data: is the new function this Action may affect
Reimplemented from ghidra::Action.
References localcount.
bool ghidra::ActionInferTypes::writeBack (Funcdata &data) [static, private]
Commit the final propagated data-types to Varnodes.
For each Varnode copy the temporary data-type to the permanent field, taking into account previous locks.
Parameters:
  data: is the function being analyzed
References ghidra::Funcdata::beginLoc(), ghidra::Funcdata::endLoc(), ghidra::Varnode::getTempType(), ghidra::Varnode::hasNoDescend(), ghidra::Varnode::isAnnotation(), ghidra::Varnode::isWritten(), and ghidra::Varnode::updateType().
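The following is an added, self-contained model of the whole sequence described on this page (the detailed description, propagateOneType and writeBack): a specificity ordering standing in for Datatype::typeOrder(), a depth-first push of one Varnode's type that visits each node at most once and trims branches that would not become more specific, a sweep that gives every Varnode its single chance to propagate, an arbitrary pass limit in the spirit of localcount, and a write-back that honours type locks. It is not Ghidra's code: ToyType, ToyVarnode, propagateOneType(), sweep(), inferTypes(), writeBack() and buildSample() are names invented here, the sample data-flow graph is constructed, and treating a type-locked Varnode as a barrier that also stops the branch is an assumption of this model rather than a statement about the decompiler.

```cpp
// Added illustration of the data-type propagation described above. Not Ghidra's
// code: every name below is an assumption invented for this model.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Toy specificity ranking standing in for Datatype::typeOrder():
// a lower value is more specific (pointer < int < unknown).
enum ToyType { TOY_POINTER = 0, TOY_INT = 1, TOY_UNKNOWN = 2 };

struct ToyVarnode {
    std::string name;
    ToyType localType;       // type inferred from the ops touching it (buildLocaltypes)
    ToyType tempType;        // working type during propagation (setTempType)
    ToyType finalType;       // committed type (writeBack)
    bool typeLock;           // a locked varnode never accepts a propagated type (assumption)
    bool mark;               // visited flag for one propagation (setMark/clearMark)
    std::vector<int> edges;  // COPY/MULTIEQUAL-like edges; propagation runs both ways
};

static bool moreSpecific(ToyType a, ToyType b) { return a < b; }

// Depth-first push of one varnode's type: each varnode is visited at most once,
// and a branch is trimmed when the pushed type is not strictly more specific.
static void propagateOneType(std::vector<ToyVarnode> &g, int root) {
    const ToyType t = g[root].tempType;
    std::vector<int> stack(1, root);
    g[root].mark = true;
    while (!stack.empty()) {
        int cur = stack.back();
        stack.pop_back();
        for (int nb : g[cur].edges) {
            ToyVarnode &v = g[nb];
            if (v.mark) continue;                        // already propagated through
            if (v.typeLock) continue;                    // lock stops this branch
            if (!moreSpecific(t, v.tempType)) continue;  // same or less specific: trim
            v.tempType = t;
            v.mark = true;
            stack.push_back(nb);
        }
    }
    for (ToyVarnode &v : g) v.mark = false;  // marks are per-propagation only
}

// One sweep gives every varnode its single chance to propagate.
// Returns true if any temporary type changed.
static bool sweep(std::vector<ToyVarnode> &g) {
    std::vector<ToyType> before;
    for (const ToyVarnode &v : g) before.push_back(v.tempType);
    for (size_t i = 0; i < g.size(); ++i) propagateOneType(g, (int)i);
    for (size_t i = 0; i < g.size(); ++i)
        if (g[i].tempType != before[i]) return true;
    return false;
}

struct InferResult { int passes; bool exceeded; };

// Repeat sweeps until nothing changes, but give up after maxPasses, mirroring
// the arbitrary iteration limit the description mentions.
static InferResult inferTypes(std::vector<ToyVarnode> &g, int maxPasses) {
    for (ToyVarnode &v : g) v.tempType = v.localType;  // initial local types
    int passes = 0;
    for (;;) {
        if (passes >= maxPasses) return {passes, true};
        bool changed = sweep(g);
        ++passes;
        if (!changed) break;
    }
    return {passes, false};
}

// Commit temporary types; locked varnodes keep their local type.
// Returns how many varnodes ended with a type different from their local one.
static int writeBack(std::vector<ToyVarnode> &g) {
    int updated = 0;
    for (ToyVarnode &v : g) {
        v.finalType = v.typeLock ? v.localType : v.tempType;
        if (v.finalType != v.localType) ++updated;
    }
    return updated;
}

// Constructed sample: a pointer flows through two copies into a type-locked int,
// one further copy hangs off the locked varnode, and an int merges with "tmp".
static std::vector<ToyVarnode> buildSample() {
    std::vector<ToyVarnode> g = {
        {"ptr",        TOY_POINTER, TOY_UNKNOWN, TOY_UNKNOWN, false, false, {1}},
        {"tmp",        TOY_UNKNOWN, TOY_UNKNOWN, TOY_UNKNOWN, false, false, {0, 2, 5}},
        {"copy",       TOY_UNKNOWN, TOY_UNKNOWN, TOY_UNKNOWN, false, false, {1, 3}},
        {"locked_int", TOY_INT,     TOY_UNKNOWN, TOY_UNKNOWN, true,  false, {2, 4}},
        {"after_lock", TOY_UNKNOWN, TOY_UNKNOWN, TOY_UNKNOWN, false, false, {3}},
        {"int_var",    TOY_INT,     TOY_UNKNOWN, TOY_UNKNOWN, false, false, {1}},
    };
    return g;
}

int main() {
    std::vector<ToyVarnode> g = buildSample();
    InferResult r = inferTypes(g, 8);  // generous limit; this graph settles in 2 sweeps
    int updated = writeBack(g);
    std::printf("passes=%d exceeded=%d updated=%d\n", r.passes, (int)r.exceeded, updated);
    for (const ToyVarnode &v : g)
        std::printf("%-10s local=%d final=%d%s\n", v.name.c_str(), (int)v.localType,
                    (int)v.finalType, v.typeLock ? " (locked)" : "");
    return 0;
}
```

Running it shows the pointer type overriding the less specific int on "int_var" through the MULTIEQUAL-like edge, the locked Varnode keeping its int while still seeding "after_lock" with int, and the pass counter stopping at 2 because the second sweep changes nothing; calling inferTypes with a limit of 1 reports the limit as exceeded, which is the situation in which the real action emits its warning and stops.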