  1. Mar 23, 2017
      Minor improvements · 8bb3a382
      Alessandro Di Federico authored
      * Introduce some additional helpers
      * Spread some `const`ness
      * Improve documentation
      * New debugging information: "osr-bv". Prints every update operation
        performed in `BVMap::update`.
      * Remove dead code
      * Whitespace fixes
      * Some new TODOs
      * Fix some typos in comments
  2. Mar 10, 2017
      Switch `BoundedValue::merge` to `boost::icl` · 850fc09a
      Alessandro Di Federico authored
      This commit drops the original handcrafted implementation of
      `BoundedValue` merging, in favor of an implementation based on Boost
      intervals. The old implementation was the source of intermittent bugs;
      using Boost should be a more reliable solution. Moreover, this commit
      moves us towards supporting multiple ranges in `BoundedValues`.
  4. Mar 08, 2017
      OSRA: track register+constant pointers too · b21f3b18
      Alessandro Di Federico authored
      In OSRA we used to track `GlobalVariable`s and `AllocaInst` only,
      even though the `MemoryAccess` infrastructure supported memory accesses of
      the type register + constant. Enabling this, we're able to handle the
      following x86-64 snippet found in the `omnetpp` SPEC benchmark:
          cmp    DWORD PTR [rbx+0x8],0x5
          ja     elsewhere
          mov    eax,DWORD PTR [rbx+0x8]
  5. Mar 06, 2017
      Improve handling of load instructions in SET · 14f4cd74
      Alessandro Di Federico authored
      SET, when getting data from OSRA, used to check that the first and last
      materialized address were within a certain range, under the assumption
      that the last value would be greater than the first one. Turns out that
      this is not always the case when in the operation stack we have a load
      instruction. This commit improves the way such a situation is handled.
      Purge translated code in post-order · d398213a
      Alessandro Di Federico authored
      This commit changes the way instructions and basic blocks are purged when
      re-translation is necessary. Specifically, the purge is now performed
      through a post-order visit, which should prevent the removal of any
      instructions still holding users.
      This commit also introduces the `SubGraph` class, which is useful to be
      able to navigate portions of a graph (e.g., a `Function`) in post-order.
      Reorganize OSRA · 87dc88c2
      Alessandro Di Federico authored
      The main goal of this patch is to reduce the size of
      `OSRAPass::runOnFunction()`. To do this we created the `OSRA` class
      which handles everything `runOnFunction` was taking care of but without
      the ugly lambdas nor being an endless function. Each class of
      instruction is now handled by a dedicated function.
      This also has the side effect of heavily reducing the amount of clutter
      exposed by `OSRAPass` to its users.
  6. Mar 02, 2017
      Anticipate `cpu_loop_exit` removal · 1e9163c7
      Alessandro Di Federico authored
      Fix of another bug showing up only with LLVM in debug mode: splitting a
      malformed basic block is not allowed, and we had a function call after a
      `ret` instruction.
      When splitting a basic block, retranslate · 04a4591f
      Alessandro Di Federico authored
      This commit should fix some bugs due to the fact that when we're
      splitting a basic block we don't retranslate the basic block at the
      split point but preserve the existing code. This led to problems, in
      particular in x86-64 where certain QEMU local variables were not
      available. This change should fix it.
      Basically, every time we split a basic block in
      `JumpTargetManager::registerJT` we note down that the new basic block
      must be purged, and in `JumpTargetManager::harvest` we perform the
      purge. `harvest` has been chosen since it's a particularly quiet moment,
      i.e., there should be no pending references/iterator to code we have to
      Fix deletion order of temporary parts in RDA · 7babafac
      Alessandro Di Federico authored
      This commit fixes a bug that appears only with debug builds of LLVM: in
      RDA we were erasing a temporary common predecessor basic block before
      removing the references to it in a `switch` statement.
      Dismiss basic block statistics collection · d6b257dd
      Alessandro Di Federico authored
      If we need this again, we can do it in revamb-dump.
      OSRA: ignore unknown signedness in comparisons · f8c7ebab
      Alessandro Di Federico authored
      When performing a comparison, we try to attach its signedness to the
      base OSR it's working on. However, this is not always
      effective. Typically, even after this, the OSR remains with an unknown
      signedness due to the fact that we don't have information about its
      bounded value from all the predecessors, and therefore it goes to top.
      Reorganize the tracing system · 4789524a
      Alessandro Di Federico authored
      `support.c` used to have a basic tracing system which would print on `stderr`
      all the program counters. This commit reorganizes this system so that it has a
      buffer, whose size can be specified through the `REVAMB_TRACE_BUFFER_SIZE`
      environment variable, and it's possible to specify the output file
      `REVAMB_TRACE_PATH`. The new tracing system also supports flushing the buffers
      in case of clean exit or crash.
      We also cleaned up `support.c`.
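A buffered program-counter tracer along the lines this commit describes, added here as an illustration and not revamb's own `support.c`: `trace_init`, `trace_pc`, `trace_flush` and `trace_parse_size` are assumed names, and the size string and `FILE *` passed to `trace_init` stand in for the values read from `REVAMB_TRACE_BUFFER_SIZE` and `REVAMB_TRACE_PATH`. It flushes when the buffer fills, at clean exit via `atexit`, and best-effort from a `SIGSEGV` handler before re-raising.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not revamb's support.c; all names here are assumed. */
#define TRACE_DEFAULT_ENTRIES 1024   /* used when the size string is missing or invalid */
static uint64_t *trace_buf = NULL;
static size_t trace_cap = 0;     /* capacity in entries (REVAMB_TRACE_BUFFER_SIZE) */
static size_t trace_len = 0;     /* entries currently buffered */
static FILE *trace_out = NULL;   /* sink (REVAMB_TRACE_PATH) */
/* Parse an environment-style size string; reject garbage, zero and absurd sizes. */
size_t trace_parse_size(const char *value) {
  if (value == NULL || *value == '\0') return TRACE_DEFAULT_ENTRIES;
  char *end = NULL; errno = 0;
  unsigned long long n = strtoull(value, &end, 10);
  if (errno != 0 || *end != '\0' || n == 0 || n > (1ULL << 24)) return TRACE_DEFAULT_ENTRIES;
  return (size_t) n;
}
/* Write every buffered PC as one hex line, empty the buffer, return entries written. */
size_t trace_flush(void) {
  size_t n = trace_len; trace_len = 0;
  if (trace_out == NULL) return n;
  for (size_t i = 0; i < n; i++) fprintf(trace_out, "0x%llx\n", (unsigned long long) trace_buf[i]);
  fflush(trace_out);   /* without this a crash right after would lose stdio's own buffer */
  return n;
}
static void trace_at_exit(void) { trace_flush(); }   /* clean-exit path */
/* Crash path: stdio is not async-signal-safe, so this is best effort; then re-raise. */
static void trace_on_crash(int sig) { trace_flush(); signal(sig, SIG_DFL); raise(sig); }
/* Allocate the buffer and arm both flush hooks; returns 0 on success. */
int trace_init(const char *size_value, FILE *out) {
  trace_cap = trace_parse_size(size_value);
  trace_buf = calloc(trace_cap, sizeof *trace_buf);
  if (trace_buf == NULL) return -1;
  trace_len = 0;
  trace_out = out;
  atexit(trace_at_exit);
  signal(SIGSEGV, trace_on_crash);
  return 0;
}
/* Record one executed PC; returns 1 if this call filled the buffer and flushed it. */
int trace_pc(uint64_t pc) {
  trace_buf[trace_len++] = pc;
  if (trace_len < trace_cap) return 0;
  trace_flush();
  return 1;
}
```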
      Compile `support.c` to LLVM IR · dae2f7e6
      Alessandro Di Federico authored
      `support.c` used to be compiled using the system compiler and then
      linked to the module generated by `revamb` as a separate translation
      unit. This commit introduces a change that lets `clang` compile
      `support.c`. This will allow us to make the CSV static, which should
      enable more aggressive optimizations.
      * Change the signature of the `root` function so that it accepts an
        argument: the initial value of the stack pointer, which the main is
        supposed to set up. QEMU now provides us with the offset of the stack
      * Let the build system compile `support.c` for each supported
        architecture, both in normal and "tracing" mode.
      * Remove the `--tracing` option, this is now handled by `support.c`, in
        particular depending on which version of `support.c` you link, you can
        have tracing enabled or not.
      * In `support.c` drop global variables representing the stack pointer,
        we no longer need them.
      * In `support.c` fix some warnings while handling the stack on 32-bit
      * Extend the `translate` script to handle the new way we link the final
        binary and the tracing mechanism.
  8. Jan 23, 2017
      Handle calls with multiple successors · 3b89c5f3
      Alessandro Di Federico authored
      This commit handles the situation where we have a function call with
      more than one successor. This might be the case if there's an indirect
      call but we're able to enumerate the possible targets statically.
      This commit simply avoids an assertion, in the future we will register
      all the possible destinations in the `function_call` marker.
      Function detection: drop normalized address space · c3fbcf31
      Alessandro Di Federico authored
      We used to have a normalized address space formed only by functions,
      skipping all the holes. This was employed to identify "skipping
      jumps". However, this method was ineffective, and we changed the
      definition of skipping jump as a jump skipping over CFEPs that are
      highly likely to be actual functions.
      This commit removes the leftovers of the normalized address space
      computation, which was also the cause of a bug in function detection.
      Register manual entry point as jump target · 6b91aeb9
      Alessandro Di Federico authored
      This commit fixes a bug triggered by specifying the `--entry` switch:
      the entry point would not be registered as a jump target, instead the
      code would try to get the basic block associated to that address,
      resulting in an assertion.
      The manually specified entry point is now registered as a jump target
      coming from global data.
  10. Dec 08, 2016
      Change the way we denote JT basic blocks · 3e8e9c23
      Alessandro Di Federico authored
      Currently we're identifying basic blocks that are a jump target by
      adding metadata on the terminator instruction. This is a problem in many
      cases, therefore we now use the third parameter of `newpc` calls to
      understand if a basic block is a jump target.
      The third argument was set only at the very end of all our analysis,
      before producing the output. We anticipate this so that it is done before
      each jump target harvesting, so that this information is available
      through `GeneratedCodeBasicInfo`.
      Fix function call identification · 00e39af8
      Alessandro Di Federico authored
      This commit fixes a couple of bugs in function call
      * Adopt a new version of `visitPredecessors` more similar to
      * If we meet a call to `newpc` which has an unexpected address (i.e.,
        it's not the previous with respect to the last we saw) give up.
      * Ensure we went through the required amount of instructions before
        finding the return address (in case the architecture has delay slots).
      * When counting the number of successors of a function call to check if
        there's a single one, ignore the dispatcher-related basic blocks.
      OSRA: heavily reduce constraint propagation · 1bbe758e
      Alessandro Di Federico authored
      This commit reduces the amount of constraints we propagate. We do this in
      two ways. First, by computing the set of all the instructions that will
      ever be affected by the current instruction (recursively). Second, by
      preventing propagation of constraints across function calls.
      In a quick test on `ls` compiled for MIPS we reduce the execution time by
      55% and the peak memory usage by 68%. This makes me quite happy.
      Introduce the GCBI and FCI passes · 5c619ab0
      Alessandro Di Federico authored
      This commit introduces two new passes:
      * `GeneratedCodeBasicInfo`: recovers from the IR some basic information
        like the size of delay slots in the input architecture, the name of
        the program counter and so on. It can also identify the type of a
        basic block (e.g., dispatcher, jump target...).
      * `FunctionCallIdentification`: identifies function calls and injects a
        marker before the associated terminator instruction.
      The idea of these two passes is to try to progressively move information
      we used to keep in `JumpTargetManager` into the IR, so that it is more
      easily accessible and passes do not need a reference to `JTM`.
      In particular by having markers for function calls available during jump
      target discovery we don't have to have duplicated and suboptimal
      implementation of `isCall`.
      This commit also introduces some additional helper functions and a
      helper class to quickly.
      Introduce tests for the analyses · f6b61384
      Alessandro Di Federico authored
      So far we only had end-to-end functionality testing. This commit
      introduces a new part of the testsuite which allows one to verify quickly if
      the results that a certain analysis should give are changed or not. This
      is vital to be able to make larger changes.
      So far the test suite is composed of the most difficult case we support
      (the uClibc ARM memset) and the typical lowering of switch statements
      for ARM, MIPS and x86-64.
      I'm so happy now.
      Specify endianness when reading from segments · c83559fc
      Alessandro Di Federico authored
      Let functions such as `JumpTargetManager::readRawValue` take a parameter
      specifying if the value should be read from the segment using the
      endianness of the original architecture or of the target architecture.
      This commit fixes a bug with big endian architectures (i.e., MIPS) since
      when materializing a value on the operation stack of SET, the endianness
      was changed twice, once in `readRawValue` and the second time while
      applying the `bswap` instruction which is registered on the stack.