arch/arch

This module provides a generic implementation of arch component. This allows declaring all relations of the interface, and defining default rules for some of them.

arch(Name:symbol)

The name of the active architecture

WARNING: Predicate not present in compiled Datalog program (Dead Code)

float_operation(Operation:symbol)

Define a set of floating point operations

WARNING: Predicate not present in compiled Datalog program (Dead Code)

interrupt_operation(Operation:symbol)

• Used by: must_fallthrough

jump_operation(Operation:symbol)

An operation that may be a jump, depending on context. Use arch.jump(EA) for a defintive list of jumps.

• Uses: arch.conditional_branch, arch.jump_comp_operation, arch.jump_condition_code, arch.jump_equal_operation, arch.jump_operation_may_have_cc, arch.jump_unequal_operation, arch.loop_operation, arch.test_jump_operation, condition_code_map

• Used by: arch.delay_slot, arch.jump, arch.jump_operation_op_index, arch.op_access_override

move_operation(Operation:symbol)

Define all variants of the move operation.

• Uses: instruction

• Used by: arch.extend_reg, arch.jump_operation_op_index, arch.memory_access, arch.move_reg_imm, arch.move_reg_reg, arch.store_immediate, get_pc_thunk

load_operation(Operation:symbol)

• Uses: instruction

• Used by: arch.data_access_size, arch.jump_operation_op_index, arch.memory_access, arch.reg_arithmetic_operation, arch.reg_reg_arithmetic_operation, base_addr_offset_operand, cinf_ldr_add_pc, gp_relative_operand, init_ldr_add_pc, litpool_symbolic_operand, plt_entry, plt_entry_arm_candidate, split_load

load_word_operation(Operation:symbol)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

store_operation(Operation:symbol)

• Uses: instruction

• Used by: arch.memory_access, arch.reg_arithmetic_operation, arch.reg_reg_arithmetic_operation, gp_relative_operand, split_load

conditional_operation(Operation:symbol, CC:condition_code)

• Uses: arch.conditional_branch, arch.jump_comp_operation, arch.jump_condition_code, arch.jump_equal_operation, arch.jump_unequal_operation, arch.loop_operation, arch.test_jump_operation, instruction

• Used by: arch.conditional

conditional(EA:address, CC:condition_code)

• Uses: arch.conditional_operation, arch.it_conditional, condition_code_map, instruction, instruction_cond_code, instruction_get_op, op_special

• Used by: arch.register_access_override, arm_jump_table_cmp_limit, cfg_edge, cfg_edge_to_symbol, compare_and_jump_immediate, compare_and_jump_register, conditional_jump, conditional_return, flags_and_jump_pair, reg_def_use.block_last_def, reg_def_use.flow_def, reg_def_use.last_def_in_block, stack_def_use.block_last_def, stack_def_use.last_def_in_block, straight_line_last_def, unconditional_jump, unconditional_return

multiplication_operation(Operation:symbol)

This can include any multiplication operations, including shift-left operation.

• Uses: instruction

• Used by: def_register_is_not_base_address

shift_rotate_operation(Operation:symbol)

This can include shift and rotation (right/left, arithmetic/logical) operations.

• Uses: instruction

• Used by: def_register_is_not_base_address

arithmetic_operation(Operation:symbol)

This can include any kinds of arithmetic operations including arithmetic shifts and multiplications.

WARNING: Predicate not present in compiled Datalog program (Dead Code)

logic_operation(Operation:symbol)

This can include logical operations including bitwise operations.

• Uses: instruction

• Used by: may_have_symbolic_immediate, symbolic_operand_point, unlikely_have_symbolic_immediate

call_operation(Operation:symbol)

• Uses: arch.call_operation_1op, arch.call_operation_2op

• Used by: arch.call, arch.call_operation_op_index, arch.delay_slot, must_fallthrough

syscall_operation(Operation:symbol)

• Used by: must_fallthrough

return_operation(Operation:symbol)

• Used by: arch.delay_slot, arch.jump, arch.return

halt_operation(Operation:symbol)

• Used by: halt

cmp_operation(Operation:symbol)

May include operations that:

• compare two values and implicitly set flags, e.g, Intel “CMP”

• compare two values in a manner other than subtraction, e.g, Intel “TEST”

• make a comparison and branch, e.g., mips32 “BEQZ”

• Uses: arch.jump_comp_operation, arch.jump_equal_operation, arch.jump_unequal_operation, instruction

• Used by: cmp_immediate_to_reg, cmp_reg_to_reg, compare_and_jump_immediate, compare_and_jump_indirect, contains_plausible_instr_seq, moved_label_candidate, moved_label_class, no_value_reg_limit, symbolic_operand_point

cmp_zero_operation(Operation:symbol)

Comparison operations where a value is implicitly compared to zero.

Comparison may occur within an instruction that is also a branch operation, e.g., “BEQZ” on MIPS.

• Uses: arch.loop_operation, instruction

• Used by: compare_and_jump_immediate

jump_operation_op_index(Operation:symbol, operand_index:operand_index)

• Uses: arch.jump_comp_operation_3op, arch.jump_equal_operation_3op, arch.jump_operation, arch.jump_unequal_operation_3op, arch.load_operation, arch.loop_operation, arch.move_operation, arch.test_jump_operation

• Used by: +disconnected2, branch_to_calculated_pc_rel_addr, cmp_immediate_to_reg, direct_jump, indirect_jump, plt_bx_pc, reg_jump, symbolic_operand_candidate

call_operation_op_index(Operation:symbol, operand_index:operand_index)

• Uses: arch.call_operation

• Used by: arch.call

move_reg_reg(EA:address, Dst:register, Src:register)

Moves from a register to a register; a move does not transform the value (except by sign extension).

Dst and Src may be untracked registers.

• Uses: arch.move_operation, instruction, op_regdirect_contains_reg

• Used by: arch.is_nop, arch.jump, arch.move_reg_imm, arch.return, contains_plausible_instr_seq, hi_load_prop, limit_reg_op, reg_has_base_image, stack_base_reg_move, value_reg_edge, value_reg_unsupported

move_reg_imm(EA:address, Dst:register, Imm:number, ImmIndex:operand_index)

Moves an immediate value to a register.

Dst may be an untracked register.

• Uses: arch.move_operation, arch.move_reg_reg, arch.reg_arithmetic_operation, arch.zero_reg, instruction, op_immediate, op_regdirect_contains_reg

• Used by: arch.op_access_override, boundary_sym_expr, moved_immediate_candidate, moved_label_class, no_value_reg_limit, tls_relative_operand, value_reg, value_reg_limit

move(EA:address)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

is_nop(EA:address)

• Uses: arch.delay_slot, arch.move_reg_reg, arch.reg_arithmetic_operation, instruction, op_regdirect

• Used by: block_has_non_nop, block_heuristic, is_padding, padding_prefix, padding_prefix_end

return(EA:address)

Returns

• Uses: arch.move_reg_reg, arch.return_operation, instruction, instruction_get_op, op_regdirect_contains_reg

• Used by: arch.jump, block_heuristic, conditional_return, contains_plausible_instr_seq, get_pc_thunk, incomplete_block, indirect_call, reg_def_use.return_block_end, unconditional_return

jump(EA:address)

• Uses: arch.jump_operation, arch.memory_access, arch.move_reg_reg, arch.reg_reg_arithmetic_operation, arch.return, arch.return_operation, instruction

• Used by: arm_jump_table_cmp_limit, cfg_edge, cfg_edge_to_symbol, cmp_immediate_to_reg, compare_and_jump_immediate, compare_and_jump_register, conditional_jump, contains_plausible_instr_seq, direct_jump, flags_and_jump_pair, indirect_jump, moved_label_candidate, moved_label_class, pc_relative_jump, plt_entry, reg_def_use.flow_def, reg_jump, relative_address_start, resolved_transfer, symbolic_operand_point, unconditional_jump

call(EA:address, DestOperandIndex:operand_index)

• Uses: arch.call_operation, arch.call_operation_op_index, instruction

• Used by: __agg_subclause2, __agg_subclause3, basic_reg_def_use.def, cfg_edge_to_symbol, direct_call, indirect_call, known_block, litpool_confidence, pc_relative_call, reg_call, reg_def_use.def, resolved_transfer, symbolic_operand_candidate, tls_desc_call, value_reg_unsupported

memory_access_aggregated(AccessType:symbol, EA:address, BaseReg:reg_nullable, IndexReg:reg_nullable, Mult:number, Offset:number, AccessSize:unsigned)

Represents a load or store of a given instruction at EA.

This rule can represent complex vector loads, the semantics of which memory_access cannot accommodate. E.g., vld2.32, etc., in arm neon

AccesSize: The size of the entire consecutive memory that the given

instruction at EA accesses.

• Uses: arch.aggregated_access_operation, arch.float_reg, instruction, op_indirect_mapped, op_register_bitfield, reg_map

• Used by: arch.reg_relative_load

memory_access(AccessType:symbol, EA:address, SrcOp:operand_index, DstOp:operand_index, DirectReg:register, BaseReg:reg_nullable, IndexReg:reg_nullable, Mult:number, Offset:number)

Represents a load or store of a register.

The address of the accessed memory is of the form:

BaseReg + IndexReg * Mult + Offset

Complex memory accesses may be represented with multiple members of this relation at the same address. For example, the arm64 instruction:

0x1000: ldp x7, x8, [x0, #10]

generates two arch.memory_access members:

memory_access(“LOAD”,0x1000,2,3,”X7”,”X0”,”NONE”,0,10) memory_access(“LOAD”,0x1000,2,1,”X8”,”X0”,”NONE”,0,18)

AccessType is either “LOAD” or “STORE” DirectReg, BaseReg, and IndexReg may be untracked registers or unstandardized names.

• Uses: arch.load_operation, arch.move_operation, arch.non_mult_shift, arch.register_size_bytes, arch.stack_pointer, arch.store_operation, instruction, instruction_writeback, op_immediate, op_indirect_mapped, op_regdirect, op_regdirect_contains_reg, op_register_bitfield, reg_map

• Used by: __agg_subclause7, arch.extend_load, arch.jump, arch.op_access_override, arch.reg_arithmetic_operation, arch.reg_reg_arithmetic_operation, arch.reg_relative_load, arch.simple_data_load, arm_jump_table_cmp_limit, block_heuristic, compare_and_jump_indirect_op_valid, data_block_candidate, def_used_for_address, hi_load_prop, indexed_pc_relative_load, invalid, litpool_confidence, reg_has_base_image, relative_address_start, resolved_transfer_to_symbol, split_load_candidate, split_load_tail, stack_def_use.def, stack_def_use.used, symbolic_expr_from_relocation, value_reg, value_reg_edge, value_reg_limit, value_reg_unsupported

load(EA:address, SrcOp:operand_index, DstOp:operand_index, DstReg:register, BaseReg:reg_nullable, IndexReg:reg_nullable, Mult:number, Offset:number)

Represents a load from memory to a register.

See arch.memory_access().

WARNING: Predicate not present in compiled Datalog program (Dead Code)

store(EA:address, SrcOp:operand_index, DstOp:operand_index, SrcReg:register, BaseReg:reg_nullable, IndexReg:reg_nullable, Mult:number, Offset:number)

Represents a store from a register to memory.

See arch.memory_access().

WARNING: Predicate not present in compiled Datalog program (Dead Code)

store_immediate(EA:address, SrcOp:operand_index, DstOp:operand_index, Immediate:number, BaseReg:reg_nullable, IndexReg:reg_nullable, Mult:number, Offset:number)

Represents the store of an immediate to memory. The address of the written memory is: BaseReg + IndexReg * Mult + Offset. The immediate stored to memory is Immediate.

This is not instantiatied for all architectures but it is defined here to maintain a uniform interface. E.g. It is possible in x86 but not in ARM.

• Uses: arch.move_operation, arch.stack_pointer, instruction, op_immediate, op_indirect_mapped

• Used by: compare_and_jump_indirect_op_valid, stack_def_use.def, value_reg

delay_slot(BranchEA:address, EA:address)

• Uses: arch.call_operation, arch.compact_branch_operation, arch.jump_operation, arch.return_operation, binary_type, direct_call, direct_jump, instruction, next

• Used by: arch.is_nop, block_next, may_fallthrough, must_fallthrough, refined_block_control_instruction, reg_def_use.def

data_access_size(Operation:symbol, DestReg:register, Size:unsigned)

These operations are either special like LEA (does not read memory) or are not decoded correctly from capstone

• Operation: Operation name

• DestReg: The destination register of the operation

• Size: Data-access size in bytes

• Uses: arch.float_reg, arch.load_operation, arch.register_size_bytes, condition_code_map, instruction, op_regdirect

• Used by: instruction_memory_access_size

• Recursive: arch.data_access_size

reg_arithmetic_operation(EA:address, Dst:register, Src:register, Mult:number, Offset:number)

Arithmetic operation on one source register of the form Dst = Src * Mult + Offset

• Uses: arch.load_operation, arch.memory_access, arch.non_mult_shift, arch.reg_reg_arithmetic_operation, arch.register_size_bytes, arch.stack_pointer, arch.store_operation, instruction, instruction_writeback, op_immediate, op_indirect, op_indirect_mapped, op_regdirect, op_regdirect_contains_reg

• Used by: adjusts_stack_in_block, arch.is_nop, arch.move_reg_imm, base_addr_offset_operand, contains_plausible_instr_seq, limit_reg_op, plt_entry, plt_entry_arm_candidate, split_load_candidate, split_load_tail, value_reg, value_reg_address_before, value_reg_edge

reg_reg_arithmetic_operation(EA:address, Dst:register, Src1:register, Src2:register, Mult:number, Offset:number)

Arithmetic operation on two source registers of the form Dst = Src1 + Src2 * Mult + Offset

Note: Src1 and Src2 may be the same register.

• Uses: arch.load_operation, arch.memory_access, arch.non_mult_shift, arch.store_operation, instruction, instruction_writeback, op_indirect_mapped, op_regdirect_contains_reg, op_shifted

• Used by: arch.jump, arch.reg_arithmetic_operation, base_relative_operand, branch_to_calculated_pc_rel_addr, cinf_ldr_add_pc, got_relative_operand, indexed_pc_relative_load_relative, init_ldr_add_pc, invalid, jump_table_element_access, jump_table_start, missed_jump_table, plt_entry_arm_candidate, reg_has_base_image, reg_reg_arithmetic_operation_defs, split_load_candidate, split_load_point, symbol_minus_symbol_litpool_access_pattern

• Recursive: arch.reg_reg_arithmetic_operation

reg_reg_bitwise_binary_op(EA:address, Dst:register, Src1:register, Src2:register, Op:symbol)

Bitwise operation on two source of the form Dst = Src1 op Src2

op—– ASR: Arithmetic Shift Right LSR: Logical Shift Right LSL: Logical Shift Left AND: Bitwise AND OR: Bitwise OR XOR: Bitwise Exclusive OR

Note: The second source is either a register or an immediate.

• Uses: instruction, op_regdirect_contains_reg, op_shifted

• Used by: value_reg

reg_imm_bitwise_binary_op(EA:address, Dst:register, Src:register, Imm:number, Op:symbol)

• Uses: instruction, op_immediate, op_regdirect_contains_reg, op_shifted

• Used by: value_reg

extend_reg(EA:address, Reg:register, Signed:unsigned, SrcBits:unsigned)

A value in a register is zero/sign-extended.

The initial value to be extended is SrcBits wide.

A value of 0 for Signed indicates the value is zero-extended, while 1 indicates that it is sign-extended.

If the register is used for other operations in the instruction, it is assumed the sign extension occurs first.

• Uses: arch.extend_type, arch.move_operation, arch.register_size_bytes, instruction, instruction_get_op, op_regdirect, op_regdirect_contains_reg, op_shifted, reg_map

• Used by: jump_table_signed

extend_load(EA:address, Signed:unsigned, SrcBits:unsigned)

A value loaded from memory is zero/sign-extended.

• Uses: arch.memory_access, instruction

• Recursive: const_value_reg_used, function_inference.function_entry_initial, no_return_call_propagated, next_end, may_fallthrough, jump_table_candidate, block_candidate_boundaries, unresolved_interval_order, inferred_main_in_reg, reg_def_use.return_val_used, inter_procedural_edge, compare_and_jump_immediate, block_limit, value_reg_edge, block_next, reg_has_base_image, stack_def_use.block_last_def, possible_target_from, no_return_block, indefinite_litpool_ref, stack_def_use.used_in_block, adjusts_stack_in_block, split_load_total_points, jump_table_candidate_refined, overlap_with_litpool, value_reg_limit, code_in_block_candidate, candidate_block_is_not_padding, likely_fallthrough, arch.reg_relative_load, arm_jump_table_cmp_limit, value_reg_unsupported, nop_in_padding_candidate, arm_jump_table_block_start, __agg_subclause2, transition_block_limit, block_overlap, no_return_call, data_segment, jump_table_element_access, reg_def_use.flow_def, arm_jump_table_skip_first_entry, block_total_points, stack_def_use.defined_in_block, reg_def_use.ambiguous_last_def_in_block, straight_line_def_used, basic_target, symbol_minus_symbol_litpool_access_pattern, value_reg, reg_def_use.live_var_used, compare_and_jump_indirect_op_valid, litpool_ref, padding_block_candidate, self_contained_segment, data_in_code_propagate, unresolved_interval, unlikely_have_symbolic_immediate, symbolic_expr_from_relocation, hi_load_prop, block_points, wis_memo, split_load_for_symbolization, arm_jump_table_data_block_limit, adrp_used, known_block, wis_has_prior, candidate_block_is_padding, no_return_call_refined, data_in_code, reg_def_use.used, is_padding, reg_def_use.ref_in_block, base_relative_operand, def_used_for_address, reg_def_use.live_var_at_prior_used, block_heuristic, relative_address_start, tls_get_addr, __agg_subclause6, instruction_memory_access_size, start_function, arm_jump_table_candidate, first_block_in_byte_interval, stack_base_reg_move, __agg_subclause3, jump_table_target, base_relative_operation, resolved_reaches, next_start, reg_def_use.live_var_def, must_fallthrough, next_type, arm_jump_table_candidate_start, next_block_in_byte_interval, __agg_single3, split_load, indexed_pc_relative_load_relative, block_instruction_next, stack_def_use.live_var_used_in_block, cmp_defines, block, reg_def_use.block_last_def, overlapping_instruction, code_in_block, no_value_reg_limit, jump_table_signed, impossible_block, block_boundaries, wis_prior, composite_data_access, relocation_adjustment_total, discarded_block, stack_def_use.last_def_in_block, indexed_pc_relative_load, __agg_single6, stack_def_use.live_var_at_block_end, after_end, split_load_candidate, incomplete_block, straight_line_last_def, jump_table_max, block_points_proportional, wis_schedule, arm_jump_table_data_block, compare_and_jump_register, block_candidate_dependency_edge, reg_has_got, data_block_candidate, got_relative_operand, contains_plausible_instr_seq, reg_def_use.ambiguous_block_last_def, invalid_jump_table_candidate, possible_target, relative_address, cmp_reg_to_reg, reg_def_use.def_used, cinf_ldr_add_pc, block_implies_block, contains_implausible_instr_seq, split_load_point, call_tls_get_addr, unresolved_block, split_load_operand, inferred_main_dispatch, gp_relative_operand, code_in_block_candidate_refined, reg_reg_arithmetic_operation_defs, litpool_symbolic_operand, data_access, init_symbol_minus_symbol_candidate_arm, plt_block, invalid, litpool_boundaries, segment_target_range, correlated_live_reg, arm_jump_table_block_instruction, simple_data_access_pattern, reg_def_use.live_var_at_block_end, reg_def_use.defined_in_block, block_last_instruction, flags_and_jump_pair, split_load_conflict, data_block_limit, last_value_reg_limit, reg_used_for, initialized_data_segment, __agg_subclause7, stack_def_use.live_var_at_prior_used, jump_table_start, unresolved_block_overlap, arch.extend_load, stack_def_use.def_used, init_ldr_add_pc, litpool_confidence, tls_desc_call, common_tail, stack_def_use.ref_in_block, arch.simple_data_load, reg_def_use.used_in_block, base_relative_jump, branch_to_calculated_pc_rel_addr, stack_def_use.live_var_def, wis_schedule_iter, jump_table_prelude, negative_block_heuristic, relocation_adjustment, compare_and_jump_indirect, reg_def_use.last_def_in_block, relative_jump_table_entry_candidate, discarded_split_load, __agg_single2, padding_block_limit, reg_def_use.return_block_end, plt_entry, stack_def_use.live_var_used

register_access_override(EA:address, Register:register, Access:access_mode, Enable:unsigned)

Override the register access mode reported by Capstone

The Enable field indicates if the (EA,Register,Access) tuple should be a logical addition to register_access (Enable = 1) or ignored if it is in register_access (Enable = 0).

• Uses: arch.conditional, arch.op_access_override, instruction_get_op, op_indirect_contains_reg, op_regdirect_contains_reg

• Used by: basic_reg_def_use.def, basic_reg_def_use.used, reg_def_use.def, reg_def_use.used

op_access_override(EA:address, Index:operand_index, Access:access_mode, Enable:unsigned)

Override the operand access mode reported by Capstone.

The Enable field indicates if the (EA,Register,Access) tuple should be a logical addition to instruction_op_access (Enable = 1) or ignored if it is in instruction_op_access (Enable = 0).

• Uses: arch.jump_operation, arch.memory_access, arch.move_reg_imm, instruction, instruction_get_op, op_regdirect_contains_reg

• Used by: arch.register_access_override, instruction_get_dest_op, instruction_get_src_op

reg_relative_load(LoadEA:address, Reg:register, Offset:number, Size:unsigned)

Data is loaded from a register-relative address.

• Uses: arch.memory_access, arch.memory_access_aggregated, instruction, instruction_get_dest_op, op_register_bitfield

• Recursive: const_value_reg_used, function_inference.function_entry_initial, no_return_call_propagated, next_end, may_fallthrough, jump_table_candidate, block_candidate_boundaries, unresolved_interval_order, inferred_main_in_reg, reg_def_use.return_val_used, inter_procedural_edge, compare_and_jump_immediate, block_limit, value_reg_edge, block_next, reg_has_base_image, stack_def_use.block_last_def, possible_target_from, no_return_block, indefinite_litpool_ref, stack_def_use.used_in_block, adjusts_stack_in_block, split_load_total_points, jump_table_candidate_refined, overlap_with_litpool, value_reg_limit, code_in_block_candidate, candidate_block_is_not_padding, likely_fallthrough, arch.reg_relative_load, arm_jump_table_cmp_limit, value_reg_unsupported, nop_in_padding_candidate, arm_jump_table_block_start, __agg_subclause2, transition_block_limit, block_overlap, no_return_call, data_segment, jump_table_element_access, reg_def_use.flow_def, arm_jump_table_skip_first_entry, block_total_points, stack_def_use.defined_in_block, reg_def_use.ambiguous_last_def_in_block, straight_line_def_used, basic_target, symbol_minus_symbol_litpool_access_pattern, value_reg, reg_def_use.live_var_used, compare_and_jump_indirect_op_valid, litpool_ref, padding_block_candidate, self_contained_segment, data_in_code_propagate, unresolved_interval, unlikely_have_symbolic_immediate, symbolic_expr_from_relocation, hi_load_prop, block_points, wis_memo, split_load_for_symbolization, arm_jump_table_data_block_limit, adrp_used, known_block, wis_has_prior, candidate_block_is_padding, no_return_call_refined, data_in_code, reg_def_use.used, is_padding, reg_def_use.ref_in_block, base_relative_operand, def_used_for_address, reg_def_use.live_var_at_prior_used, block_heuristic, relative_address_start, tls_get_addr, __agg_subclause6, instruction_memory_access_size, start_function, arm_jump_table_candidate, first_block_in_byte_interval, stack_base_reg_move, __agg_subclause3, jump_table_target, base_relative_operation, resolved_reaches, next_start, reg_def_use.live_var_def, must_fallthrough, next_type, arm_jump_table_candidate_start, next_block_in_byte_interval, __agg_single3, split_load, indexed_pc_relative_load_relative, block_instruction_next, stack_def_use.live_var_used_in_block, cmp_defines, block, reg_def_use.block_last_def, overlapping_instruction, code_in_block, no_value_reg_limit, jump_table_signed, impossible_block, block_boundaries, wis_prior, composite_data_access, relocation_adjustment_total, discarded_block, stack_def_use.last_def_in_block, indexed_pc_relative_load, __agg_single6, stack_def_use.live_var_at_block_end, after_end, split_load_candidate, incomplete_block, straight_line_last_def, jump_table_max, block_points_proportional, wis_schedule, arm_jump_table_data_block, compare_and_jump_register, block_candidate_dependency_edge, reg_has_got, data_block_candidate, got_relative_operand, contains_plausible_instr_seq, reg_def_use.ambiguous_block_last_def, invalid_jump_table_candidate, possible_target, relative_address, cmp_reg_to_reg, reg_def_use.def_used, cinf_ldr_add_pc, block_implies_block, contains_implausible_instr_seq, split_load_point, call_tls_get_addr, unresolved_block, split_load_operand, inferred_main_dispatch, gp_relative_operand, code_in_block_candidate_refined, reg_reg_arithmetic_operation_defs, litpool_symbolic_operand, data_access, init_symbol_minus_symbol_candidate_arm, plt_block, invalid, litpool_boundaries, segment_target_range, correlated_live_reg, arm_jump_table_block_instruction, simple_data_access_pattern, reg_def_use.live_var_at_block_end, reg_def_use.defined_in_block, block_last_instruction, flags_and_jump_pair, split_load_conflict, data_block_limit, last_value_reg_limit, reg_used_for, initialized_data_segment, __agg_subclause7, stack_def_use.live_var_at_prior_used, jump_table_start, unresolved_block_overlap, arch.extend_load, stack_def_use.def_used, init_ldr_add_pc, litpool_confidence, tls_desc_call, common_tail, stack_def_use.ref_in_block, arch.simple_data_load, reg_def_use.used_in_block, base_relative_jump, branch_to_calculated_pc_rel_addr, stack_def_use.live_var_def, wis_schedule_iter, jump_table_prelude, negative_block_heuristic, relocation_adjustment, compare_and_jump_indirect, reg_def_use.last_def_in_block, relative_jump_table_entry_candidate, discarded_split_load, __agg_single2, padding_block_limit, reg_def_use.return_block_end, plt_entry, stack_def_use.live_var_used

simple_data_load(EA:address, Data:address, Size:unsigned)

A single instruction reads data with a predetermined size and location

• Uses: arch.memory_access, pc_relative_operand

• Recursive: const_value_reg_used, function_inference.function_entry_initial, no_return_call_propagated, next_end, may_fallthrough, jump_table_candidate, block_candidate_boundaries, unresolved_interval_order, inferred_main_in_reg, reg_def_use.return_val_used, inter_procedural_edge, compare_and_jump_immediate, block_limit, value_reg_edge, block_next, reg_has_base_image, stack_def_use.block_last_def, possible_target_from, no_return_block, indefinite_litpool_ref, stack_def_use.used_in_block, adjusts_stack_in_block, split_load_total_points, jump_table_candidate_refined, overlap_with_litpool, value_reg_limit, code_in_block_candidate, candidate_block_is_not_padding, likely_fallthrough, arch.reg_relative_load, arm_jump_table_cmp_limit, value_reg_unsupported, nop_in_padding_candidate, arm_jump_table_block_start, __agg_subclause2, transition_block_limit, block_overlap, no_return_call, data_segment, jump_table_element_access, reg_def_use.flow_def, arm_jump_table_skip_first_entry, block_total_points, stack_def_use.defined_in_block, reg_def_use.ambiguous_last_def_in_block, straight_line_def_used, basic_target, symbol_minus_symbol_litpool_access_pattern, value_reg, reg_def_use.live_var_used, compare_and_jump_indirect_op_valid, litpool_ref, padding_block_candidate, self_contained_segment, data_in_code_propagate, unresolved_interval, unlikely_have_symbolic_immediate, symbolic_expr_from_relocation, hi_load_prop, block_points, wis_memo, split_load_for_symbolization, arm_jump_table_data_block_limit, adrp_used, known_block, wis_has_prior, candidate_block_is_padding, no_return_call_refined, data_in_code, reg_def_use.used, is_padding, reg_def_use.ref_in_block, base_relative_operand, def_used_for_address, reg_def_use.live_var_at_prior_used, block_heuristic, relative_address_start, tls_get_addr, __agg_subclause6, instruction_memory_access_size, start_function, arm_jump_table_candidate, first_block_in_byte_interval, stack_base_reg_move, __agg_subclause3, jump_table_target, base_relative_operation, resolved_reaches, next_start, reg_def_use.live_var_def, must_fallthrough, next_type, arm_jump_table_candidate_start, next_block_in_byte_interval, __agg_single3, split_load, indexed_pc_relative_load_relative, block_instruction_next, stack_def_use.live_var_used_in_block, cmp_defines, block, reg_def_use.block_last_def, overlapping_instruction, code_in_block, no_value_reg_limit, jump_table_signed, impossible_block, block_boundaries, wis_prior, composite_data_access, relocation_adjustment_total, discarded_block, stack_def_use.last_def_in_block, indexed_pc_relative_load, __agg_single6, stack_def_use.live_var_at_block_end, after_end, split_load_candidate, incomplete_block, straight_line_last_def, jump_table_max, block_points_proportional, wis_schedule, arm_jump_table_data_block, compare_and_jump_register, block_candidate_dependency_edge, reg_has_got, data_block_candidate, got_relative_operand, contains_plausible_instr_seq, reg_def_use.ambiguous_block_last_def, invalid_jump_table_candidate, possible_target, relative_address, cmp_reg_to_reg, reg_def_use.def_used, cinf_ldr_add_pc, block_implies_block, contains_implausible_instr_seq, split_load_point, call_tls_get_addr, unresolved_block, split_load_operand, inferred_main_dispatch, gp_relative_operand, code_in_block_candidate_refined, reg_reg_arithmetic_operation_defs, litpool_symbolic_operand, data_access, init_symbol_minus_symbol_candidate_arm, plt_block, invalid, litpool_boundaries, segment_target_range, correlated_live_reg, arm_jump_table_block_instruction, simple_data_access_pattern, reg_def_use.live_var_at_block_end, reg_def_use.defined_in_block, block_last_instruction, flags_and_jump_pair, split_load_conflict, data_block_limit, last_value_reg_limit, reg_used_for, initialized_data_segment, __agg_subclause7, stack_def_use.live_var_at_prior_used, jump_table_start, unresolved_block_overlap, arch.extend_load, stack_def_use.def_used, init_ldr_add_pc, litpool_confidence, tls_desc_call, common_tail, stack_def_use.ref_in_block, arch.simple_data_load, reg_def_use.used_in_block, base_relative_jump, branch_to_calculated_pc_rel_addr, stack_def_use.live_var_def, wis_schedule_iter, jump_table_prelude, negative_block_heuristic, relocation_adjustment, compare_and_jump_indirect, reg_def_use.last_def_in_block, relative_jump_table_entry_candidate, discarded_split_load, __agg_single2, padding_block_limit, reg_def_use.return_block_end, plt_entry, stack_def_use.live_var_used

reg_map_rule(RegIn:input_reg, Reg:register)

Defines explicit register mappings.

• Used by: reg_map_nullable

function_non_maintained_reg(Reg:register)

This specifies the registers whose value is not kept through a function call according to the architecture’s calling convention.

WARNING: Predicate not present in compiled Datalog program (Dead Code)

pc_reg(Reg:register)

The PC register, if architecturally accessible.

WARNING: Predicate not present in compiled Datalog program (Dead Code)

frame_pointer(Reg:register)

Register that may hold the stack frame pointer.

The frame pointer is often also a general_purpose_reg.

• Used by: adjusts_stack_in_block, contains_plausible_instr_seq, moved_label_candidate, moved_label_class, stack_base_reg_move, stack_def_use.def, stack_def_use.used, track_register

stack_pointer(Reg:register)

Register that may hold the stack pointer.

• Used by: adjusts_stack_in_block, arch.memory_access, arch.reg_arithmetic_operation, arch.store_immediate, arm_jump_table_cmp_limit, basic_reg_def_use.def, contains_plausible_instr_seq, invalid, reg_def_use.def, stack_base_reg_move, stack_def_use.def, stack_def_use.live_var_used_in_block, stack_def_use.used, track_register

return_reg(Reg:register)

Registers that hold the return value of a function.

• Used by: basic_reg_def_use.def, contains_plausible_instr_seq, reg_def_use.def, reg_def_use.return_val_used, track_register, value_reg

general_purpose_reg(Reg:register)

Registers that may be used for general purpose calculations.

• Used by: arch.register_size_bytes, track_register

zero_reg(Reg:register)

A register with a constant value of zero.

• Used by: arch.move_reg_imm

integer_reg_param(Reg:register, Index:unsigned)

Registers used for passing function arguments by calling convention: e.g., {r0-r3} for ARM32, {rcx,rdx,r8,r9} for Microsoft x64, etc.

• Uses: binary_format

• Used by: inferred_main_in_reg, litpool_confidence

float_reg(Reg:register, Size:unsigned)

Floating-point registers

• Used by: alignment, arch.data_access_size, arch.memory_access_aggregated, litpool_confidence

condition_flags_reg(Reg:register)

The register that holds condition flags.

• Used by: contains_plausible_instr_seq, flags_and_jump_pair, track_register

pc_relative_addr(EA:address, Reg:register, Target:address)

A pc-relative address ‘Target’ is loaded into ‘Reg’ at address ‘EA’.

• Uses: direct_call, get_pc_thunk, instruction, instruction_get_dest_op, instruction_get_op, instruction_get_src_op, op_immediate, op_regdirect_contains_reg, pc_load_call, pc_relative_operand

• Used by: arm_jump_table_candidate_start, block_heuristic, block_limit, branch_to_calculated_pc_rel_addr, composite_data_access, data_block_candidate, def_used_for_address, indefinite_litpool_ref, indexed_pc_relative_load, indexed_pc_relative_load_relative, litpool_confidence, litpool_ref, straight_line_last_def, symbol_minus_symbol_litpool_access_pattern, symbolic_operand_candidate, value_reg

instruction_at(EA:address, Instruction:address)

Maps instruction identifier address to the instruction’s real memory address.

While this is a simple one-to-one mapping on most architectures, Thumb instructions on ARM are offset by 1 byte. This relation makes it easier to write portable rules.

Maps all instructions in the instruction input relation, regardless of invalid(), etc.

• Uses: instruction

• Used by: arm_jump_table_candidate, arm_jump_table_data_block_limit, arm_jump_table_skip_first_entry, basic_target, block_candidate_boundaries, block_information, block_limit, branch_to_calculated_pc_rel_addr, data_block_limit, invalid, invalid_jump_table_candidate, known_block, negative_block_heuristic, padding_block_limit

alignment_required(EA:address, AlignInBits:unsigned)

Instruction at EA requires alignment on the referenced memory.

• Uses: arch.operation_alignment_required, instruction, instruction_memory_access_size

• Used by: alignment_candidate

register_size_bytes(Reg:input_reg, Size:unsigned)

The size of a register, in bytes.

• Uses: arch.general_purpose_reg, reg_map

• Used by: arch.data_access_size, arch.extend_reg, arch.memory_access, arch.reg_arithmetic_operation, jump_table_signed

loop_prefix(Prefix:symbol)

• Used by: instruction_has_loop_prefix

pointer_size(N:unsigned)

WARNING: Predicate not present in compiled Datalog program (Dead Code)