static-analysis-engineering
diff --git a/‎CodeHawk/CH/xprlib/xsimplify.ml‎
Lines changed: 4 additions & 1 deletion b/‎CodeHawk/CH/xprlib/xsimplify.ml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎CodeHawk/CHB/bchlibarm32/bCHARMInstructionAggregate.ml‎
Lines changed: 99 additions & 1 deletion b/‎CodeHawk/CHB/bchlibarm32/bCHARMInstructionAggregate.ml‎
Lines changed: 99 additions & 1 deletion
diff --git a/‎CodeHawk/CHB/bchlibarm32/bCHARMInstructionAggregate.mli‎
Lines changed: 168 additions & 17 deletions b/‎CodeHawk/CHB/bchlibarm32/bCHARMInstructionAggregate.mli‎
Lines changed: 168 additions & 17 deletions
@@ -175,14 +175,17 @@ and reduce_neg (m: bool) (e1: xpr_t): (bool * xpr_t) =
   | _ -> default ()
 
 
-(* Note that for values other than zero the result depends on word size.*)
+(* Note that, in general, for values other than zero the result depends on word
+   size. Here we assume that the word is at least 8 bits wide. *)
 and reduce_bitwise_not (m: bool) (e1: xpr_t): (bool * xpr_t) =
   let default () = (m, XOp (XBNot, [e1])) in
   match e1 with
   | XConst (IntConst num) when num#equal numerical_zero ->
      (true, XConst (IntConst numerical_one#neg))
   | XConst (IntConst num) when num#equal numerical_one ->
      (true, XConst (IntConst (mkNumerical 2)#neg))
+  | XConst (IntConst n) when n#lt numerical_e8 ->
+     (true, XConst (IntConst (n#neg#sub numerical_one)))
   | _ -> default ()
 
 
 
@@ -4,7 +4,7 @@
    ------------------------------------------------------------------------------
    The MIT License (MIT)
 
-   Copyright (c) 2022-2024  Aarno Labs, LLC
+   Copyright (c) 2022-2025  Aarno Labs, LLC
 
    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
@@ -66,6 +66,13 @@ let arm_aggregate_kind_to_string (k: arm_aggregate_kind_t) =
   | ARMPredicateAssignment (inverse, op) ->
      let inv = if inverse then " (inverse)" else "" in
      "predicate assignment to " ^ op#toString ^ inv
+  | ARMTernaryAssignment (dst, op1, op2) ->
+     "ternary assignment: "
+     ^ dst#toString
+     ^ " = cond ? "
+     ^ op1#toString
+     ^ " : "
+     ^ op2#toString
   | BXCall (_, i2) -> "BXCall at " ^ i2#get_address#to_hex_string
 
 
@@ -140,6 +147,11 @@ object (self)
     | ARMPredicateAssignment _ -> true
     | _ -> false
 
+  method is_ternary_assign =
+    match self#kind with
+    | ARMTernaryAssignment _ -> true
+    | _ -> false
+
   method write_xml (_node: xml_element_int) = ()
 
   method toCHIF (_faddr: doubleword_int) = []
@@ -258,6 +270,21 @@ let make_predassign_aggregate
     ~anchor:mov2
 
 
+let make_ternassign_aggregate
+      (mov1: arm_assembly_instruction_int)
+      (mov2: arm_assembly_instruction_int)
+      (dstop: arm_operand_int)
+      (n1: numerical_t)
+      (n2: numerical_t): arm_instruction_aggregate_int =
+  let kind = ARMTernaryAssignment(dstop, n1, n2) in
+  make_arm_instruction_aggregate
+    ~kind
+    ~instrs:[mov1; mov2]
+    ~entry:mov1
+    ~exitinstr:mov2
+    ~anchor:mov2
+
+
 let disassemble_arm_instructions
       (ch: pushback_stream_int) (iaddr: doubleword_int) (n: int) =
   for _i = 1 to n do
@@ -293,6 +320,8 @@ let identify_jumptable
   | Add (_, ACCNotUnsignedHigher, rd, rn, _, false)
        when rd#is_pc_register && rn#is_pc_register ->
      create_addls_pc_jumptable ch instr
+  | Add (_, ACCAlways, rd, _, _, false) when rd#is_pc_register ->
+     create_arm_add_pc_adr_jumptable ch instr
   | BranchExchange (ACCAlways, regop) when regop#is_register ->
      create_arm_bx_jumptable ch instr
   | _ -> None
@@ -494,6 +523,67 @@ let identify_predicate_assignment
   | _ -> None
 
 
+(* format of ternary assignment (in ARM): assigns one value or another depending
+   on the result of a test:
+
+  MOVNE Rx, imm1
+  MOVEQ Rx, imm2
+
+or
+
+  MVNEQ Rx, imm1
+  MOVNE Rx, imm2
+ *)
+let identify_ternary_assignment
+      (_ch: pushback_stream_int)
+      (instr: arm_assembly_instruction_int):
+      (arm_assembly_instruction_int
+       * arm_assembly_instruction_int
+       * arm_operand_int
+       * numerical_t
+       * numerical_t) option =
+  let negval (n: numerical_t) =
+    match Xsimplify.simplify_xpr (XOp (XBNot, [Xprt.num_constant_expr n])) with
+    | XConst (IntConst nn) -> Some nn
+    | _ -> None in
+  match instr#get_opcode with
+  | Move (false, c2, rd, imm2, _, _)
+    | BitwiseNot (false, c2, rd, imm2, _)
+       when imm2#is_immediate && (has_inverse_cc c2) ->
+     let optn2 =
+       let n2 = imm2#to_numerical in
+       match instr#get_opcode with
+       | Move _ -> Some n2
+       | BitwiseNot _ -> negval n2
+       | _ -> None in
+     (match optn2 with
+      | Some n2 ->
+         let rdreg = rd#get_register in
+         let addr = instr#get_address in
+         let movinstr_r = get_arm_assembly_instruction (addr#add_int (-4)) in
+         (match TR.to_option movinstr_r with
+          | Some movinstr ->
+             (match movinstr#get_opcode with
+              | Move (false, c1, rd, imm1, _, _)
+                   when imm1#is_immediate
+                        && (rd#get_register = rdreg)
+                        && (has_inverse_cc c1)
+                        && ((Option.get (get_inverse_cc c1)) = c2) ->
+                 Some (movinstr, instr, rd, imm1#to_numerical, n2)
+              | BitwiseNot (false, c1, rd, imm1, _)
+                   when imm1#is_immediate
+                        && (rd#get_register = rdreg)
+                        && (has_inverse_cc c1)
+                        && ((Option.get (get_inverse_cc c1)) = c2) ->
+                 (match (negval imm1#to_numerical) with
+                  | Some n1 -> Some (movinstr, instr, rd, n1, n2)
+                  | _ -> None)
+              | _ -> None)
+          | _ -> None)
+      | _ -> None)
+  | _ -> None
+
+
 let identify_arm_aggregate
       (ch: pushback_stream_int)
       (instr: arm_assembly_instruction_int):
@@ -558,4 +648,12 @@ let identify_arm_aggregate
        | Some (inverse, mov1, mov2, dstop) ->
           Some (make_predassign_aggregate inverse mov1 mov2 dstop)
        | _ -> None in
+  let result =
+    match result with
+    | Some _ -> result
+    | _ ->
+       match identify_ternary_assignment ch instr with
+       | Some (mov1, mov2, dstop, n1, n2) ->
+          Some (make_ternassign_aggregate mov1 mov2 dstop n1 n2)
+       | _ -> None in
   result
@@ -1,21 +1,21 @@
 (* =============================================================================
-   CodeHawk Binary Analyzer 
+   CodeHawk Binary Analyzer
    Author: Henny Sipma
    ------------------------------------------------------------------------------
    The MIT License (MIT)
- 
-   Copyright (c) 2022-2024  Aarno Labs, LLC
+
+   Copyright (c) 2022-2025  Aarno Labs, LLC
 
    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:
- 
+
    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.
-  
+
    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -25,18 +25,169 @@
    SOFTWARE.
    ============================================================================= *)
 
-(** Sequence of consecutive assembly instructions that represents a semantic unit.
-    
-    Examples:
-    - switch statement constructed by 
-      - table branch instructions (TBB/TBH), or
-      - load from table into pc
-      - indirect jump from table
-      
-    - question expression constructed by Thumb-2 if-then instruction
-    
-    In translation to CHIF, semantics are obtained from the anchor, all other
-    instructions belonging to the aggregate are ignored.
+
+(** {1 Instruction aggregates: Overview} *)
+
+(** {2 Description}
+
+    An instruction aggregate is a (usually, but not always, contiguous)
+    sequence of two or more instructions that is treated as a single
+    semantic unit. The semantics for the entire sequence is assigned to
+    one of the instructions (often the last one in the sequence) and all
+    other instructions are considere no-ops by all subsequent analyses.
+
+    Instruction aggregates cover a variety of constructs ranging from
+    predicate and ternary assignments to jump tables.
+
+    {2 Motivation}
+
+    The rationale behind combining a sequence of instructions into an
+    aggregate is that the collective action of the individual instructions
+    combined is not easily apparent from considering their semantics in
+    isolation. The instructions usually collaborate in a very specific
+    way to achieve a particular result, with operands from different instructions
+    playing playing a specific role. This is especially true of the jump
+    table aggregates. For some of the other aggregate kinds the semantics
+    of the individual instructions combined would be similar, but analysis
+    of the aggregate is more efficient and precise. For example, this is
+    the case with the predicate assignment:
+    {[
+    <test>
+    MOVcc   Rx, #1
+    MOVcc'  Rx, #0   where cc' is (not cc)
+    ]}
+    The two MOV instructions can be combined into one assignment of the
+    boolean <test-cc>:
+    {[
+    Rx := <test-cc>
+    ]}
+    Translating and analyzing the two instructions in isolation produces
+    two joins, and potentially three reaching definitions for a subsequent
+    use of Rx. In contrast, the two instructions combined into one
+    predicate assignment produces zero joins, and only a single reaching
+    definition for a subsequent use of Rx, a considerable improvement.
+
+    {2 Identification}
+
+    Instruction aggregates are identified during disassembly by pattern
+    matching. Identification is entirely syntactic, so only the information
+    present in the instructions themselves, such as opcode and operands,
+    are used; not the possible values that those operands may have, unless
+    they are immediates.
+
+    {2 Representation}
+
+    The aggregate is represented by objects of the class type
+    [arm_instruction_aggregate_int]. These objects contain the kind of
+    aggregate, a list of the contributing instructions, and information
+    about its entry, exit, and anchor address. The anchor is the
+    instruction to which the full semantics of the aggregate is assigned.
+
+    Cross references to instances are recorded in the [arm_assembly_instruction_int]
+    instances of the instructions that make up the aggregate to enable
+    triggering proper translation and analysis. The collection of all
+    aggregates themselves is maintained in the singleton object of type
+    [arm_assembly_instructions_int].
+
+    Most aggregates are contained within a single basic block and do not
+    affect control flow. The exceptions are jump tables, whose components
+    are directly incorporated into the CFG during disassembly and require
+    no further semantic handling.
+
+    {2 Translation into CHIF}
+
+    The semantics of the aggregate is explicated in the translation into
+    CHIF. In general, instructions are individually translated into CHIF
+    (in the function [translate_arm_instruction]). In the case of aggregates
+    CHIF is generated for the full semantics at the anchor instruction,
+    while all other other instructions in the aggregate are treated as
+    no-ops. In the case of jump tables the full semantics is already
+    incorporated in the CFG during disassembly and all instructions in
+    the aggregate are treated as no-ops.
+
+    {2 Transfer to front end}
+
+    The kind and structure of aggregates and analysis results involving
+    their components are communicated to the (python) front end in the
+    instruction results data contained in the function opcode dictionary
+    (see bCHFnARMDictionary). The format varies with the kind of aggregate,
+    as each kind has different types of values that characterize its
+    operation. In the (python) front end these values are made accessible
+    to the various instructions in the [InstrXData] objects created for
+    each instruction. The documentation of each aggregate kind below and
+    elsewhere presents more details on the actual format for each of these.
+
+    {2 Tests}
+
+    Currenly only two of the kinds of aggregates have associated unit tests:
+    - bCHARMJumpTableTest
+    - bCHThumbITSequenceTest
+    These tests contain instances of code fragments encountered in actual
+    binaries and give some insight in their use.
+
+
+    {1 Predicate Assignments}
+
+    {2 Description}
+
+    A predicate assignment aggregate consists of two assignment instructions
+    that combine into a single assignment of a boolean predicate. The pattern
+    for the aggregate is two adjacent MOV instructions of the form:
+    {[
+    <test>
+    MOVcc  Rx, #1
+    MOVcc' Rx, #0  where cc' is (not cc)
+    ]}
+    or
+    {[
+    <test>
+    MOVcc' Rx, #0
+    MOVcc  Rx, #1  where cc is not (cc')
+    ]}
+    In all executions exactly one of these two MOV instructions is executed.
+    If the joint condition <test-cc> is true Rx is assigned 1, if it is false
+    Rx is assigned 0, and thus the postcondition of these two instructions
+    is essentially the assignment of the boolean <test-cc>.
+
+    {3 Example}
+
+    {[
+    <CMP R0, #5>
+    MOVNE  R1, #0
+    MOVEQ  R1, #1
+    ]}
+    is translated into
+    {[ R1 := (R0 == 5)  ]}
+
+    {2 Representation}
+
+    The [arm_instruction_aggregate] instance of the predicate assignment
+    records the address of the second instruction as the anchor, the
+    destination operand, and whether the <test-cc> predicate is to be
+    inverted, where cc is the condition code for the anchor instruction.
+    The predicate is to be inverted if the anchor instruction assigns 0.
+
+    {2 Translation to CHIF}
+
+    The first MOV instruction is translated into a no-op. The second
+    MOV instruction is translated into the assignment
+    {[ Rx := [not] predicate ]}
+    with the single defined variable Rx, and with variables used all
+    variables referenced in the predicate.
+
+    If a predicate cannot be constructed or derived, the destination
+    variable Rx is abstracted.
+
+    {2 Transfer to front end}
+
+    The first instruction is tagged as 'subsumed' by the second
+    instruction, and thus to be treated as a no-op. The second
+    instruction is tagged with 'agg:predassign' with a list of
+    dependents (the first instruction in this case). It lists as
+    a variable the destination operand, along with its (high)
+    uses. If a predicate was construction, it lists
+    (the possibly inverse of) the predicate in its original and
+    rewritten form, along with its reaching definitions.
  *)
 
 (* bchlib *)