CHB:ARM: add ADDLS PC, PC jumptable

Author: sipma

CodeHawk/CHB/bchlibarm32/bCHARMAssemblyInstructions.ml

@@ -382,17 +382,18 @@ object (self)
     let saddr = jumptable#get_start_address in
     let eaddr = jumptable#get_end_address in
     let len = saddr#value - eaddr#value in
-    let startinstr =
-      make_arm_assembly_instruction
-        saddr true (NotCode (Some (JumpTable jumptable))) "" in
-    begin
-      set_instruction saddr startinstr;
-      for i = 1 to (len - 1) do
-        let va = saddr#add_int i in
-        set_instruction
-          va (make_arm_assembly_instruction va true (NotCode None) "")
-      done
-    end
+    if len > 0 then
+      let startinstr =
+        make_arm_assembly_instruction
+          saddr true (NotCode (Some (JumpTable jumptable))) "" in
+      begin
+        set_instruction saddr startinstr;
+        for i = 1 to (len - 1) do
+          let va = saddr#add_int i in
+          set_instruction
+            va (make_arm_assembly_instruction va true (NotCode None) "")
+        done
+      end
 
   method get_next_valid_instruction_address
            (va: doubleword_int): doubleword_int TR.traceresult =

CodeHawk/CHB/bchlibarm32/bCHARMInstructionAggregate.ml

@@ -1,9 +1,9 @@
 (* =============================================================================
-   CodeHawk Binary Analyzer 
+   CodeHawk Binary Analyzer
    Author: Henny Sipma
    ------------------------------------------------------------------------------
    The MIT License (MIT)
- 
+
    Copyright (c) 2022-2024  Aarno Labs, LLC
 
    Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -12,10 +12,10 @@
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:
- 
+
    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.
-  
+
    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -117,7 +117,9 @@ object (self)
     LBLOCK [
         STR "Aggregate of ";
         INT (List.length self#instrs);
-        STR " instructions: ";
+        STR " with anchor ";
+        self#anchor#toPretty;
+        STR " and instructions: ";
         STR (arm_aggregate_kind_to_string self#kind)]
 
 end
@@ -203,6 +205,9 @@ let identify_jumptable
   | Add (_, ACCAlways, rd, rn, _, false)
        when rd#is_pc_register && rn#is_pc_register ->
      create_arm_add_pc_jumptable ch instr
+  | Add (_, ACCNotUnsignedHigher, rd, rn, _, false)
+       when rd#is_pc_register && rn#is_pc_register ->
+     create_addls_pc_jumptable ch instr
   | BranchExchange (ACCAlways, regop) when regop#is_register ->
      create_arm_bx_jumptable ch instr
   | _ -> None
@@ -225,7 +230,7 @@ let identify_ldmstm_sequence
        when List.length rl#get_register_list > 1 ->
      create_ldm_stm_sequence ch instr
   | _ -> None
-  
+
 
 let identify_arm_aggregate
       (ch: pushback_stream_int)

CodeHawk/CHB/bchlibarm32/bCHARMJumptable.ml

@@ -586,6 +586,74 @@ let create_arm_ldrls_jumptable
       | _ -> None)
 
 
+(* ADDLS pattern (in ARM)
+
+   [4 bytes] CMP    indexreg, maxcase
+   [4 bytes] ADDLS  PC, PC, indexreg, LSL#2
+   [4 bytes] B      default case
+   [4 bytes] B      case 0
+   [...]     B
+   [4 bytes] B      case maxcase
+ *)
+let is_addls_pc_jumptable
+      (addpcinstr: arm_assembly_instruction_int):
+      (arm_assembly_instruction_int               (* CMP instr *)
+       * arm_assembly_instruction_int) option =   (* ADDLS instr *)
+  match addpcinstr#get_opcode with
+  | Add (_, ACCNotUnsignedHigher, rd, rn, baseregop, false)
+       when rd#is_pc_register
+            && rn#is_pc_register
+            && baseregop#is_shifted_register ->
+     let addr = addpcinstr#get_address in
+     let cmptestf (instr: arm_assembly_instruction_int) =
+       match instr#get_opcode with
+       | Compare (_, rn, imm, _) -> rn#is_register && imm#is_immediate
+       | _ -> false in
+     let optcmpinstr = find_instr cmptestf [(-4)] addr in
+     (match optcmpinstr with
+      | Some cmpinstr ->
+         (match cmpinstr#get_opcode with
+          | Compare (_, indexregop, _, _) ->
+             let indexreg = indexregop#get_register in
+             (match baseregop#get_kind with
+              | ARMShiftedReg (basereg, ARMImmSRT (SRType_LSL, 2)) ->
+                 if basereg = indexreg then
+                   Some (cmpinstr, addpcinstr)
+                 else
+                   None
+              | _ -> None)
+          | _ -> None)
+      | _ -> None)
+  | _ -> None
+
+
+let create_addls_pc_jumptable
+      (ch: pushback_stream_int)
+      (addpcinstr: arm_assembly_instruction_int):
+      (arm_assembly_instruction_int list * arm_jumptable_int) option =
+  match is_addls_pc_jumptable addpcinstr with
+  | None -> None
+  | Some (cmpinstr, addlspcinstr) ->
+     match cmpinstr#get_opcode with
+     | Compare (_, index_operand, imm, _) ->
+        let maxcase = imm#to_numerical#toInt in
+        let iaddr = addlspcinstr#get_address in
+        let default_target = iaddr#add_int 4 in
+        let start_address = default_target in
+        let end_address = default_target in
+        let targets =
+          List.init (maxcase + 1) (fun i -> (iaddr#add_int (8 + (4 * i)), i)) in
+        let jt =
+          make_arm_jumptable
+            ~end_address
+            ~start_address
+            ~default_target
+            ~targets
+            ~index_operand () in
+        Some ([cmpinstr; addlspcinstr], jt)
+     | _ -> None
+
+
 (* ADD-PC-LDRB patterns (in Thumb-2)
 
    size is obtained from CMP instruction's immediate value

CodeHawk/CHB/bchlibarm32/bCHARMJumptable.mli

@@ -62,6 +62,15 @@ val create_arm_ldrls_jumptable:
   -> (arm_assembly_instruction_int list * arm_jumptable_int) option
 
 
+(** [create_addls_pc_jumptable ch instr] creates a jump table targeted by an
+    ADDLS instruction [instr] by processing the associated list of branch
+    instructions from stream [ch] (ARM pattern).*)
+val create_addls_pc_jumptable:
+  pushback_stream_int
+  -> arm_assembly_instruction_int
+  -> (arm_assembly_instruction_int list * arm_jumptable_int) option
+
+
 (** [create_arm_add_pc_jumptable ch instr] creates a jump table targeted by
     an ADD PC, PC, _ instruction [instr] by processing  the associated list of
     (byte-sized or halfword-sized) offsets from stream [ch] (Thumb-2 pattern).*)

CodeHawk/CHB/bchlibarm32/bCHARMOperand.ml

@@ -760,6 +760,11 @@ object (self:'a)
     | ARMShiftedReg (_, ARMImmSRT (SRType_LSL, 0)) -> true
     | _ -> false
 
+  method is_shifted_register =
+    match kind with
+    | ARMShiftedReg _ -> true
+    | _ -> false
+
   method is_pc_register =
     match kind with ARMReg ARPC -> true | _ -> false
 

CodeHawk/CHB/bchlibarm32/bCHARMTypes.mli

@@ -200,6 +200,7 @@ class type arm_operand_int =
     method is_immediate: bool
     method is_small_immediate: bool
     method is_register: bool
+    method is_shifted_register: bool
     method is_pc_register: bool
     method is_double_register: bool
     method is_extension_register: bool

CodeHawk/CHB/bchlibarm32/bCHConstructARMFunction.ml

@@ -472,6 +472,15 @@ let construct_arm_assembly_block
       (* aggregate is linear unit *)
       find_last_instruction (nextva ()) va
 
+    else if Option.is_some instr#is_in_aggregate
+            && instr#is_aggregate_exit
+            && (match instr#get_opcode with
+                | Add (_, ACCNotUnsignedHigher, _, _, _, _) -> true
+                | _ -> false) then
+      (* the ADDLS aggregate must be forced to appear at the end of a block
+         to ensure successors are connected.*)
+      (None, va, [])
+
     else if has_next_instr va then
       (* continue tracing the block *)
       find_last_instruction (nextva ()) va

CodeHawk/CHT/CHB_tests/bchlibarm32_tests/txbchlibarm32/bCHARMJumptableTest.ml

@@ -61,7 +61,7 @@ open BCHARMInstructionAggregate
 
 
 let testname = "bCHARMJumptableTest"
-let lastupdated = "2024-01-02"
+let lastupdated = "2024-10-24"
 
 
 let make_dw (s: string) = TR.tget_ok (string_to_doubleword s)
@@ -136,6 +136,7 @@ let jt_setup_arm hexbase bytes: arm_jumptable_int TR.traceresult =
       let instrlen = currentpos - prevpos in
       let instrbytes = String.sub bytestring prevpos instrlen in
       let instr = add_instruction prevpos iaddr opcode instrbytes in
+      (* let _ = CHPretty.pr_debug [instr#toPretty; NL; NL] in *)
       let optagg = identify_arm_aggregate ch instr in
       match optagg with
       | Some agg -> aggregate := Some agg
@@ -144,7 +145,9 @@ let jt_setup_arm hexbase bytes: arm_jumptable_int TR.traceresult =
     match !aggregate with
     | Some agg ->
        (match agg#kind with
-          | ARMJumptable jt -> Ok jt
+        | ARMJumptable jt ->
+           (* let _ = CHPretty.pr_debug [jt#toPretty; NL; NL] in *)
+           Ok jt
           | _ -> Error ["other aggregate found"])
     | _ ->
        Error ["no aggregate found:" ^ (string_of_int ch#pos)]
@@ -292,6 +295,60 @@ let ldrls_jumptable () =
   end
 
 
+(*
+    0xa0132664  05 00 55 e3       CMP          R5, #5
+    0xa0132668  05 f1 8f 90       ADDLS        PC, PC, R5,LSL#2
+    0xa013266c  20 00 00 ea       B            0xa01326f4
+  B 0xa0132670  04 00 00 ea       B            0xa0132688
+  B 0xa0132674  09 00 00 ea       B            0xa01326a0
+  B 0xa0132678  0e 00 00 ea       B            0xa01326b8
+  B 0xa013267c  13 00 00 ea       B            0xa01326d0
+  B 0xa0132680  18 00 00 ea       B            0xa01326e8
+  B 0xa0132684  19 00 00 ea       B            0xa01326f0
+ *)
+let addls_pc_jumptable () =
+  let tests = [
+      ("addls", "0xa0132664", "0xa013266c",
+       "050055e305f18f90200000ea040000ea090000ea0e0000ea130000ea180000ea190000ea",
+       [("0xa0132670", [0]);
+        ("0xa0132674", [1]);
+        ("0xa0132678", [2]);
+        ("0xa013267c", [3]);
+        ("0xa0132680", [4]);
+        ("0xa0132684", [5])])
+    ] in
+  begin
+    TS.new_testsuite (testname ^ "_ldrls_jumptable") lastupdated;
+
+    system_info#set_elf_is_code_address wordzero codemax;
+    ARMU.arm_instructions_setup (make_dw "0xa0132000") 0x10000;
+    List.iter (fun (title, hexbase, expecteddefault, bytes, expectedtargets) ->
+        let jtresult = jt_setup_arm hexbase bytes in
+
+        TS.add_simple_test
+          ~title:(title ^ "-targets")
+          (fun () ->
+            match jtresult with
+            | Ok jt ->
+               ARMA.equal_jumptable_targets
+                 ~msg:"" ~expected:expectedtargets ~received:jt ()
+            | Error e ->
+               A.fail_msg (String.concat "; " e));
+
+        TS.add_simple_test
+          ~title:(title ^ "-default")
+          (fun () ->
+            match jtresult with
+            | Ok jt ->
+               A.equal_string expecteddefault jt#default_target#to_hex_string
+            | Error e ->
+               A.fail_msg (String.concat "; " e))
+      ) tests;
+
+    TS.launch_tests ()
+  end
+
+
 let bx_table_branch () =
   let tests = [
       ("bx-w", "0x6c0d0", "0x6c080",
@@ -350,6 +407,7 @@ let () =
     tb_table_branch ();
     ldr_table_branch ();
     ldrls_jumptable ();
+    addls_pc_jumptable ();
     bx_table_branch ();
     TS.exit_file ()
   end