
ASTgen : arm32 : jc3lite cfg #49

@brk

Description

CodeHawk generates an incorrect AST for the target function in the attached binary (run codehawk.sh).

(This is a loop-free version of JPL Challenge 3)

The generated AST is

void target(int A, int B, struct x * p){

   rtn_0x10764 = open(gv_0x10894, gv_0x10890, p);  // 51
   if (temp6){
      rtn_0x107c8 = __errno_location();  // 90
      rtn_0x107d4 = strerror(rtn_0x107c8[0]);  // 120
      rtn_0x107f8 = __fprintf_chk();  // 185
      exit(1);  // 197
      rtn_0x1080c = __errno_location();  // 304
      rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
      rtn_0x1083c = __fprintf_chk();  // 391
      exit(1);  // 402
   } else {
      rtn_0x1078c = mmap(0, 4096, 3, 1, rtn_0x10764, rtn_0x10764);  // 262
      if (temp5){
         rtn_0x1080c = __errno_location();  // 304
         rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
         rtn_0x1083c = __fprintf_chk();  // 391
         exit(1);  // 402
      } else {
         rtn_0x1078c[1024] = gv_0x10898; //  0x1079c, STR
         rtn_0x107a4 = munmap(rtn_0x1078c, 4096);  // 441
         if (temp4){
            rtn_0x107b4 = 0x104a4((rtn_0x10764 - 0), R1, R2, R3);  // 612
            return;
         }
      }
   }
   rtn_0x10850 = __errno_location();  // 483
   rtn_0x1085c = strerror(rtn_0x10850[0]);  // 512
   rtn_0x10880 = __fprintf_chk();  // 570
   exit(1);  // 581
}

A few things that seem incorrect:

  • The repetition of nodes 310, 339, 337, and 408
  • Missing arguments to __fprintf_chk -- would it be worth having CodeHawk recognize this as an alias of fprintf?
  • The last argument to mmap shouldn't be the return value from open.
  • The call to 0x104a4 wasn't recognized as a call to close

The original source was

/* The headers and macro definitions below are not in the issue text; they are
   added here as assumptions so the snippet compiles. FATAL follows the
   devmem2-style pattern, which matches the errno/strerror/fprintf/exit
   sequence that appears in the generated AST above. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAP_SIZE 4096UL            /* assumed; matches mmap(..., 4096, ...) in the AST */
#define MAP_MASK (MAP_SIZE - 1)    /* assumed */
#define FATAL do { fprintf(stderr, "Error at line %d, file %s (%d) [%s]\n", \
                           __LINE__, __FILE__, errno, strerror(errno)); \
                   exit(1); } while (0)

static off_t start_physicaladdress;    /* assumed global; its value is not given in the issue */

void target(int A, int B) {
    int fd;
    void *map_base, *virt_addr;
    unsigned long read_result, writeval;
    off_t targeto;
    targeto = start_physicaladdress;

    if (targeto <= (off_t) B) {

        if ((fd = open("/dev/mem", O_RDWR | O_SYNC)) < 0) FATAL;

        /* map one page containing the target physical address */
        map_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, targeto & ~MAP_MASK);
        if (((intptr_t) map_base) < 0) FATAL;

        virt_addr = map_base + (targeto & MAP_MASK);

        /* write the address value into the mapped page and read it back */
        writeval = targeto;
        *((unsigned long *) virt_addr) = writeval;
        read_result = *((unsigned long *) virt_addr);

        if (read_result != writeval) {
            printf("Error: read physical address 0x%lX; write physical address 0x%lX \n", read_result, writeval);
        }
        if ((intptr_t) munmap(map_base, MAP_SIZE) < 0) FATAL;
        close(fd);
    }
}
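As an added sanity check, not part of the issue or of CodeHawk itself: a small script that scans the generated AST listing above (embedded below as a copy of the text in the issue) for the four symptoms listed in the report: call nodes emitted more than once, fortified `*_chk` calls with no recovered arguments, an `mmap` whose offset argument is the same expression as its fd argument, and callees that are still raw addresses rather than resolved names. The line format it parses (`rtn_... = callee(args);  // node`) is the one shown on this page; nothing else about CodeHawk's output format is assumed.

```python
import re
from collections import Counter

# Copy of the AST listing from the issue, embedded so the checker runs offline.
AST_LISTING = """
   rtn_0x10764 = open(gv_0x10894, gv_0x10890, p);  // 51
   if (temp6){
      rtn_0x107c8 = __errno_location();  // 90
      rtn_0x107d4 = strerror(rtn_0x107c8[0]);  // 120
      rtn_0x107f8 = __fprintf_chk();  // 185
      exit(1);  // 197
      rtn_0x1080c = __errno_location();  // 304
      rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
      rtn_0x1083c = __fprintf_chk();  // 391
      exit(1);  // 402
   } else {
      rtn_0x1078c = mmap(0, 4096, 3, 1, rtn_0x10764, rtn_0x10764);  // 262
      if (temp5){
         rtn_0x1080c = __errno_location();  // 304
         rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
         rtn_0x1083c = __fprintf_chk();  // 391
         exit(1);  // 402
      } else {
         rtn_0x1078c[1024] = gv_0x10898; //  0x1079c, STR
         rtn_0x107a4 = munmap(rtn_0x1078c, 4096);  // 441
         if (temp4){
            rtn_0x107b4 = 0x104a4((rtn_0x10764 - 0), R1, R2, R3);  // 612
            return;
         }
      }
   }
   rtn_0x10850 = __errno_location();  // 483
   rtn_0x1085c = strerror(rtn_0x10850[0]);  // 512
   rtn_0x10880 = __fprintf_chk();  // 570
   exit(1);  // 581
"""

# One call statement per line: optional "lhs = ", callee, argument list, node number.
CALL_RE = re.compile(
    r'^\s*(?:(?P<lhs>\w+)\s*=\s*)?(?P<callee>\w+)\((?P<args>.*)\);\s*//\s*(?P<node>\d+)')


def split_args(text):
    """Split an argument list on top-level commas, keeping nested parentheses intact."""
    out, cur, depth = [], [], 0
    for ch in text:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ',' and depth == 0:
            out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        out.append(tail)
    return out


def parse_calls(listing):
    """Return one dict per call statement: node number, callee name, argument list."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append({'node': int(m['node']),
                          'callee': m['callee'],
                          'args': split_args(m['args'])})
    return calls


def duplicated_nodes(calls):
    """Node numbers that were emitted more than once (the same instruction appearing twice)."""
    counts = Counter(c['node'] for c in calls)
    return sorted(n for n, k in counts.items() if k > 1)


def empty_fortified_calls(calls):
    """Nodes calling a fortified *_chk wrapper with no arguments recovered at all."""
    return sorted({c['node'] for c in calls if c['callee'].endswith('_chk') and not c['args']})


def mmap_offset_reuses_fd(calls):
    """mmap calls whose 6th argument (offset) is the same expression as the 5th (fd)."""
    return [c['node'] for c in calls
            if c['callee'] == 'mmap' and len(c['args']) == 6 and c['args'][4] == c['args'][5]]


def unresolved_callees(calls):
    """Calls whose callee is still a raw address instead of a resolved symbol."""
    return [(c['node'], c['callee']) for c in calls if c['callee'].startswith('0x')]


if __name__ == '__main__':
    calls = parse_calls(AST_LISTING)
    print('duplicated nodes      :', duplicated_nodes(calls))
    print('empty *_chk calls     :', empty_fortified_calls(calls))
    print('mmap offset == fd     :', mmap_offset_reuses_fd(calls))
    print('unresolved callees    :', unresolved_callees(calls))
```

Run against the listing, the script reports the node numbers the comments carry (304, 333, 391 and 402 duplicated; 185, 391 and 570 as argument-less `__fprintf_chk`; node 262 for the `mmap` offset; node 612 for the unresolved `0x104a4`), which is a quick way to confirm whether a regenerated AST still shows the same symptoms after a fix.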
