improves the main function discovery heurisitics (#1336)

The problem was not in heuristic per se, but cyclic dependency between
the abi pass that discovers __libc_start_main, main, abi passes, and
api passes. Ideally, we should reimplement our ABI/API infrastructure
using the Knowledge Base, which was originally designed to handle such
dependencies, but it will take much more time than we currently have.

Therefore, right now we discover `__libc_start_main` in the ABI pass,
to be sure that we have types applied to it (which we need as we will
use them later to get the storage for the first argument). And we
delay the `main` function discovery after the api pass. After we find
main we also want types to be applied. Unfortunately, we can't can
call the api pass again (which is responsible for that), but we known
the prototype of main, so we don't really need to parse the C headers
anymore and can manually apply the prototype and translate it to the
arg terms.

Now the main function discovery works perfectly for the programs that
use glibc runtime, so yeah we can finally execute `/bin/true` and
`/bin/false` :)

```
$bap /bin/false --run --primus-print-obs=call-return | grep main
(call-return (main 0 0x40000008 1))
$ bap /bin/true --run --primus-print-obs=call-return | grep main
(call-return (main 0 0x40000008 0))
```

Author: ivg

oasis/glibc-runtime

@@ -7,7 +7,7 @@ Library glibc_runtime_plugin
   Path:             plugins/glibc_runtime
   FindlibName:      bap-plugin-glibc_runtime
   CompiledObject:   best
-  BuildDepends:     core_kernel, bap-main, bap, bap-abi, bap-c, ogre
+  BuildDepends:     core_kernel, bap-main, bap, bap-abi, bap-c, ogre, bap-core-theory
   InternalModules:  Glibc_runtime_main
   XMETADescription: detects main and libc_start_main functions
   XMETAExtraLines:  tags="abi, pass"

plugins/abi/abi_main.ml

@@ -12,4 +12,5 @@ let () = Config.manpage [
     `P "$(b,bap-plugin-x86)(1), $(b,bap-plugin-arm)(1), $(b,bap-abi)(3)"
   ]
 
-let () = Config.when_ready (fun _ -> Project.register_pass ~autorun:true Bap_abi.pass)
+let () = Config.when_ready (fun _ ->
+    Project.register_pass ~autorun:true Bap_abi.pass)

plugins/glibc_runtime/glibc_runtime_main.ml

@@ -5,6 +5,7 @@ functions (and adds the latter if it is absent).
 "
 open Core_kernel
 open Bap_main
+open Bap_core_theory
 open Bap.Std
 open Bap_c.Std
 
@@ -95,20 +96,27 @@ let detect_main_address prog =
   | _ -> None
 
 
-let reinsert_args_for_new_name sub name =
-  let sub = Term.filter arg_t sub ~f:(fun _ -> false) in
-  let sub = Term.del_attr sub C.proto in
-  Sub.with_name sub name
+let reinsert_args_for_new_name ?(abi=ident) sub name =
+  List.fold ~init:sub ~f:(|>) [
+    Term.filter arg_t ~f:(fun _ -> false);
+    (fun sub -> Term.del_attr sub C.proto);
+    (fun sub -> Sub.with_name sub name);
+    abi
+  ]
 
-let rename_main prog = match detect_main_address prog with
+let rename_main abi prog = match detect_main_address prog with
   | None -> prog
-  | Some addr ->
-    Term.map sub_t prog ~f:(fun sub ->
-        match Term.get_attr sub address with
-        | Some a when Addr.equal addr a ->
-          reinsert_args_for_new_name sub "main"
-        | _ -> sub)
-
+  | Some addr -> Term.map sub_t prog ~f:(fun sub ->
+      match Term.get_attr sub address with
+      | Some a when Addr.equal addr a ->
+        reinsert_args_for_new_name ~abi sub "main"
+      | _ -> sub)
+
+let find_abi_processor proj =
+  let (let*) = Option.(>>=) in
+  let* name = Project.get proj Bap_abi.name in
+  let* proc = C.Abi.get_processor name in
+  Some proc
 
 let rename_libc_start_main prog =
   if is_sub_absent prog "__libc_start_main"
@@ -122,17 +130,75 @@ let rename_libc_start_main prog =
         reinsert_args_for_new_name sub "__libc_start_main"
   else prog
 
-let fix_glibc_runtime prog =
-  rename_libc_start_main prog |>
-  rename_main
+module Main = struct
+  let cv = C.Type.Qualifier.{
+      const = false;
+      volatile = false;
+      restrict = ();
+    }
+
+  let cvr = C.Type.Qualifier.{
+      const = false;
+      volatile = false;
+      restrict = false;
+    }
+
+  let basic t = `Basic C.Type.Spec.{t; attrs=[]; qualifier=cv}
+  let ptr t = `Pointer C.Type.Spec.{t; attrs=[]; qualifier=cvr}
+
+  let proto : C.Type.proto = C.Type.Proto.{
+      variadic = false;
+      return = basic `sint;
+      args = [
+        "argc", basic `sint;
+        "argv", ptr (ptr (basic `char));
+      ];
+    }
+
+  let var t (data : C.Data.t) name =
+    match data with
+    | Imm (sz,_) -> Var.create name (Type.Imm (Size.in_bits sz))
+    | Ptr _ ->
+      Var.create name (Type.Imm (Theory.Target.code_addr_size t))
+    | _ -> assert false
+
+  let arg intent t (data,exp) name =
+    Arg.create ~intent (var t data name) exp
+
+  let abi proj main =
+    let t = Project.target proj in
+    match find_abi_processor proj with
+    | None -> main
+    | Some {C.Abi.insert_args} ->
+      match insert_args main [] proto with
+      | Some {C.Abi.return=Some ret; params=[argc; argv]} ->
+        List.fold ~init:main ~f:(Term.append arg_t)[
+          arg In t argc "main_argc";
+          arg Both t argv "main_argv";
+          arg Out t ret "main_result";
+        ]
+      | _ -> main
+end
+
+let fix_main proj =
+  let abi = Main.abi proj in
+  Project.map_program proj ~f:(rename_main abi)
+
+let is_enabled ctxt proj =
+  Extension.Configuration.get ctxt enable || is_glibc proj
+
+let recover_main ctxt proj =
+  if is_enabled ctxt proj &&
+     is_sub_absent (Project.program proj) "main"
+  then fix_main proj
+  else proj
 
-let main ctxt proj =
-  if Extension.Configuration.get ctxt enable ||
-     is_glibc proj
-  then
-    Project.map_program proj ~f:fix_glibc_runtime
+let discover_libc_start_main ctxt proj =
+  if is_enabled ctxt proj
+  then Project.map_program proj ~f:rename_libc_start_main
   else proj
 
-let () = Extension.declare ~doc ~provides:["abi"] @@ fun ctxt ->
-  Bap_abi.register_pass (main ctxt);
+let () = Extension.declare ~doc ~provides:["abi"; "api"] @@ fun ctxt ->
+  Bap_abi.register_pass (discover_libc_start_main ctxt);
+  Project.register_pass ~autorun:true ~deps:["api"] (recover_main ctxt);
   Ok ()