REP: first version of patch candidates

Author: sipma

chb/app/InstrXData.py

@@ -334,7 +334,9 @@ def has_indirect_call_target_exprs(self) -> bool:
         return (len(self.tags) == 2 and self.tags[1] == "u" and len(self.args) > 1)
 
     def call_target(self, ixd: "InterfaceDictionary") -> "CallTarget":
-        if self.has_call_target():
+        if self.has_call_target() and self.is_bx_call:
+            return ixd.call_target(self.args[-5])
+        elif self.has_call_target():
             return ixd.call_target(self.args[-1])
         else:
             raise UF.CHBError(

chb/buffer/LibraryCallCallsites.py

@@ -51,16 +51,22 @@ class LibraryCallSideeffect:
     def __init__(
             self,
             summary: "FunctionSummary",
+            faddr: str,
             instr: "Instruction",
             pre: "PreDerefWrite") -> None:
         self._summary = summary
+        self._faddr = faddr
         self._instr = instr
         self._pre = pre
 
     @property
     def summary(self) -> "FunctionSummary":
         return self._summary
 
+    @property
+    def faddr(self) -> str:
+        return self._faddr
+
     @property
     def instr(self) -> "Instruction":
         return self._instr
@@ -286,7 +292,8 @@ def derefwrites(self) -> List[LibraryCallSideeffect]:
         for pre in self.preconditions:
             if pre.is_deref_write:
                 pre = cast("PreDerefWrite", pre)
-                lcwrite = LibraryCallSideeffect(self.summary, self.instr, pre)
+                lcwrite = LibraryCallSideeffect(
+                    self.summary, self.faddr, self.instr, pre)
                 result.append(lcwrite)
         return result
 
@@ -446,6 +453,13 @@ def patch_candidates(self) -> List["Instruction"]:
                     result.append(c.instr)
         return result
 
+    def patch_callsites(self) -> List[LibraryCallSideeffect]:
+        result: List[LibraryCallSideeffect] = []
+        for (_, ics) in self.callsites.items():
+            for cs in ics.values():
+                result.extend(cs.patch_candidates)
+        return result
+
     def patch_candidates_distribution(self) -> Dict[str, int]:
         result: Dict[str, int] = {}
         for (_, ics) in self.callsites.items():

chb/cmdline/chkx

@@ -1171,6 +1171,41 @@ def parse() -> argparse.Namespace:
     report_bufferbounds.set_defaults(func=REP.report_buffer_bounds)
 
 
+    # --- report patch candidates
+    report_patchcandidates = reportparsers.add_parser("patchcandidates")
+    report_patchcandidates.add_argument("xname", help="name of executable")
+    report_patchcandidates.add_argument(
+        "--output", "-o",
+        help="name of output file (without extension)")
+    report_patchcandidates.add_argument(
+        "--json",
+        action="store_true",
+        help="output results in json format")
+    report_patchcandidates.add_argument(
+        "--targets",
+        nargs="*",
+        default=[],
+        help="list of target library functions to include")
+    report_patchcandidates.add_argument(
+        "--verbose", "-v",
+        action="store_true",
+        help="print functions examined")
+    report_patchcandidates.add_argument(
+        "--loglevel", "-log",
+        choices=UL.LogLevel.options(),
+        default="NONE",
+        help="activate logging with the given level (default to stderr)")
+    report_patchcandidates.add_argument(
+        "--logfilename",
+        help="name of file to write log messages")
+    report_patchcandidates.add_argument(
+        "--logfilemode",
+        choices=["a", "w"],
+        default="a",
+        help="file mode for log file: append (a, default), or write (w)")
+
+    report_patchcandidates.set_defaults(func=REP.report_patch_candidates)
+
     '''
 
     # -- report application calls --
@@ -1195,7 +1230,7 @@ def parse() -> argparse.Namespace:
     report_iocs.set_defaults(func=reportiocs)
     '''
 
-    # -------------------------------------------------------------- summaries subcommand
+    # ----------------------------------------------------- summaries subcommand
 
     parser_summaries = subparsers.add_parser("summaries")
     parser_summaries.set_defaults(func=SC.summariescommand)

chb/cmdline/reportcmds.py

@@ -988,8 +988,6 @@ def perc(v: float) -> str:
     exit(0)
 
 
-
-
 def report_buffer_bounds(args: argparse.Namespace) -> NoReturn:
 
     # arguments
@@ -1122,3 +1120,84 @@ def write_json_result(
             reverse=True):
         print(name.ljust(24) + str(count).rjust(5))
     exit(0)
+
+
+def report_patch_candidates(args: argparse.Namespace) -> NoReturn:
+
+    # arguments
+    xname = args.xname
+    xoutput: Optional[str] = args.output
+    xjson: bool = args.json
+    xverbose: bool = args.verbose
+    xtargets: List[str] = args.targets
+    loglevel: str = args.loglevel
+    logfilename: Optional[str] = args.logfilename
+    logfilemode: str = args.logfilemode
+
+    try:
+        (path, xfile) = UC.get_path_filename(xname)
+        UF.check_analysis_results(path, xfile)
+    except UF.CHBError as e:
+        print(str(e.wrap()))
+        exit(1)
+
+    UC.set_logging(
+        loglevel,
+        path,
+        logfilename=logfilename,
+        mode=logfilemode,
+        msg="report_patch_candidates invoked")
+
+    xinfo = XI.XInfo()
+    xinfo.load(path, xfile)
+
+    app = UC.get_app(path, xfile, xinfo)
+
+    n_calls: int = 0
+    libcalls = LibraryCallCallsites()
+
+    for (faddr, blocks) in app.call_instructions().items():
+        fn = app.function(faddr)
+
+        for (baddr, instrs) in blocks.items():
+            for instr in instrs:
+                n_calls += 1
+                calltgt = instr.call_target
+                if calltgt.is_so_target and calltgt.name in xtargets:
+                    libcalls.add_library_callsite(faddr, instr)
+
+    print("Number of calls: " + str(n_calls))
+
+    patchcallsites = libcalls.patch_callsites()
+
+    for pc in sorted(patchcallsites, key=lambda pc:pc.faddr):
+        instr = cast("ARMInstruction", pc.instr)
+        dstarg = pc.dstarg
+        if dstarg is None:
+            chklogger.logger.warning(
+                "No expression found for destination argument: %s",
+                str(instr))
+            continue
+        dstoffset = dstarg.stack_address_offset()
+        fn = instr.armfunction
+        stackframe = fn.stackframe
+        stackbuffer = stackframe.get_stack_buffer(dstoffset)
+        if stackbuffer is None:
+            chklogger.logger.warning(
+                "No stackbuffer found for %s at offset %s",
+                str(instr), str(dstoffset))
+            continue
+        buffersize = stackbuffer.size
+
+        print("  " + pc.instr.iaddr + "  " + pc.instr.annotation)
+        print("  - faddr: " + pc.faddr)
+        print("  - iaddr: " + pc.instr.iaddr)
+        print("  - target function: " + str(pc.summary.name))
+        print("  - stack offset: " + str(dstoffset))
+        print("  - length argument: " + str(pc.lenarg))
+        print("  - buffersize: " + str(buffersize))
+        print("")
+
+    print("Number of patch callsites: " + str(len(patchcallsites)))
+
+    exit(0)

chb/models/FunctionSummary.py

@@ -6,7 +6,7 @@
 #
 # Copyright (c) 2016-2020 Kestrel Technology LLC
 # Copyright (c) 2020      Henny Sipma
-# Copyright (c) 2021-2023 Aarno Labs LLC
+# Copyright (c) 2021-2024 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -42,7 +42,7 @@
 
 
 class FunctionSummary:
-    "Signature and summary semantics for a function."""
+    """Signature and summary semantics for a function."""
 
     def __init__(self,
                  library: "FunctionSummaryLibrary",