binary/elf/elf_binaries

elf_section_type(Name:symbol, Code:unsigned)

This module defines predicates and rules specific of ELF binaries

• Used by: data_section, function_pointer_section

elf_pointer_array_section_type(SectionTypeName:symbol)

ELF section types that contain an array of code pointers.

• Used by: function_pointer_section

plt_section(name:symbol)

• Used by: plt_block, plt_entry, plt_entry_arm_candidate

got_section(name:symbol)

• Used by: reg_has_got

plt_entry(EA:address, function:symbol)

There is a PLT jump at address ‘EA’ to external function ‘Function’.

• Uses: arch.jump, arch.load_operation, arch.reg_arithmetic_operation, best_ifunc_symbol, got_reference_pointer, hi_load, indirect_jump, instruction, instruction_get_op, instruction_get_src_op, loaded_section, next, op_indirect, op_indirect_mapped, op_regdirect_contains_reg, pc_relative_jump, plt_entry_arm_candidate, plt_entry_candidate, plt_section, reg_jump, relocation, symbol

• Used by: resolved_transfer, resolved_transfer_to_symbol

• Recursive: const_value_reg_used, function_inference.function_entry_initial, no_return_call_propagated, next_end, may_fallthrough, jump_table_candidate, block_candidate_boundaries, unresolved_interval_order, inferred_main_in_reg, reg_def_use.return_val_used, inter_procedural_edge, compare_and_jump_immediate, block_limit, value_reg_edge, block_next, reg_has_base_image, stack_def_use.block_last_def, possible_target_from, no_return_block, indefinite_litpool_ref, stack_def_use.used_in_block, adjusts_stack_in_block, split_load_total_points, jump_table_candidate_refined, overlap_with_litpool, value_reg_limit, code_in_block_candidate, candidate_block_is_not_padding, likely_fallthrough, arch.reg_relative_load, arm_jump_table_cmp_limit, value_reg_unsupported, nop_in_padding_candidate, arm_jump_table_block_start, __agg_subclause2, transition_block_limit, block_overlap, no_return_call, data_segment, jump_table_element_access, reg_def_use.flow_def, arm_jump_table_skip_first_entry, block_total_points, stack_def_use.defined_in_block, reg_def_use.ambiguous_last_def_in_block, straight_line_def_used, basic_target, symbol_minus_symbol_litpool_access_pattern, value_reg, reg_def_use.live_var_used, compare_and_jump_indirect_op_valid, litpool_ref, padding_block_candidate, self_contained_segment, data_in_code_propagate, unresolved_interval, unlikely_have_symbolic_immediate, symbolic_expr_from_relocation, hi_load_prop, block_points, wis_memo, split_load_for_symbolization, arm_jump_table_data_block_limit, adrp_used, known_block, wis_has_prior, candidate_block_is_padding, no_return_call_refined, data_in_code, reg_def_use.used, is_padding, reg_def_use.ref_in_block, base_relative_operand, def_used_for_address, reg_def_use.live_var_at_prior_used, block_heuristic, relative_address_start, tls_get_addr, __agg_subclause6, instruction_memory_access_size, start_function, arm_jump_table_candidate, first_block_in_byte_interval, stack_base_reg_move, __agg_subclause3, jump_table_target, base_relative_operation, resolved_reaches, next_start, reg_def_use.live_var_def, must_fallthrough, next_type, arm_jump_table_candidate_start, next_block_in_byte_interval, __agg_single3, split_load, indexed_pc_relative_load_relative, block_instruction_next, stack_def_use.live_var_used_in_block, cmp_defines, block, reg_def_use.block_last_def, overlapping_instruction, code_in_block, no_value_reg_limit, jump_table_signed, impossible_block, block_boundaries, wis_prior, composite_data_access, relocation_adjustment_total, discarded_block, stack_def_use.last_def_in_block, indexed_pc_relative_load, __agg_single6, stack_def_use.live_var_at_block_end, after_end, split_load_candidate, incomplete_block, straight_line_last_def, jump_table_max, block_points_proportional, wis_schedule, arm_jump_table_data_block, compare_and_jump_register, block_candidate_dependency_edge, reg_has_got, data_block_candidate, got_relative_operand, contains_plausible_instr_seq, reg_def_use.ambiguous_block_last_def, invalid_jump_table_candidate, possible_target, relative_address, cmp_reg_to_reg, reg_def_use.def_used, cinf_ldr_add_pc, block_implies_block, contains_implausible_instr_seq, split_load_point, call_tls_get_addr, unresolved_block, split_load_operand, inferred_main_dispatch, gp_relative_operand, code_in_block_candidate_refined, reg_reg_arithmetic_operation_defs, litpool_symbolic_operand, data_access, init_symbol_minus_symbol_candidate_arm, plt_block, invalid, litpool_boundaries, segment_target_range, correlated_live_reg, arm_jump_table_block_instruction, simple_data_access_pattern, reg_def_use.live_var_at_block_end, reg_def_use.defined_in_block, block_last_instruction, flags_and_jump_pair, split_load_conflict, data_block_limit, last_value_reg_limit, reg_used_for, initialized_data_segment, __agg_subclause7, stack_def_use.live_var_at_prior_used, jump_table_start, unresolved_block_overlap, arch.extend_load, stack_def_use.def_used, init_ldr_add_pc, litpool_confidence, tls_desc_call, common_tail, stack_def_use.ref_in_block, arch.simple_data_load, reg_def_use.used_in_block, base_relative_jump, branch_to_calculated_pc_rel_addr, stack_def_use.live_var_def, wis_schedule_iter, jump_table_prelude, negative_block_heuristic, relocation_adjustment, compare_and_jump_indirect, reg_def_use.last_def_in_block, relative_jump_table_entry_candidate, discarded_split_load, __agg_single2, padding_block_limit, reg_def_use.return_block_end, plt_entry, stack_def_use.live_var_used

get_pc_thunk(EA:address, Reg:register)

• Uses: arch.move_operation, arch.return, binary_format, direct_call, instruction, op_indirect_mapped, op_regdirect_contains_reg

• Used by: arch.pc_relative_addr, basic_reg_def_use.def, reg_def_use.def

cie_entry(CieAddr: address, Length:unsigned, CodeAlignmentFactor:unsigned, DataAlignmentFactor:number)

A CIE can be associated to multiple FDEs and it contains information common to all of them. ‘CieAddr’ uniquely identifies the CIE.

• Used by: cfi_directive, fde_instruction_ref, last_fde, moved_pc_relative_candidate, symbol_minus_symbol

cie_encoding(CieAddr: address, FdeEncoding:unsigned, LsdaEncoding:unsigned)

cie_encoding complements cie_entry and defines the encodings of the pointers in the FDEs and in the LSDAs associated to this CIE.

• Used by: cfi_directive, symbol_minus_symbol, symbol_special_encoding, symbolic_data

cie_personality(CieAddr:address, Personality:address, PersonalityPos:address, PersonalitySize:unsigned, Encoding:unsigned)

The personality routine associated to a CIE entry. This is the procedure that takes care of unwinding the stack and exceptions. For C++ it is typically: ‘__gxx_personality_v0’.

• Used by: cfi_directive, labeled_ea, symbol_special_encoding, symbolic_data

fde_entry(FdeAddr: address, Length:unsigned, Cie:address, Start:address, End:address, Lsda:address)

A FDE entry defines how stack unwinding is done in a region of code from ‘start’ to ‘end’. Each FDE points to a parent CIE that contains properties common to multiple FDEs. ‘FdeAddr’ and ‘Length’ determine the location of the FDE entry in the eh_frame section. A FDE entry can have ‘Lsda’ associated that contains exception handling information.

• Used by: cfi_directive, endproc_local_index, fde_addresses, fde_block_addresses, fde_instruction_ref, labeled_ea, last_fde, moved_pc_relative_candidate, symbol_minus_symbol, symbol_special_encoding, symbolic_data

fde_pointer_locations(addr:address, startLocation:address, endLocation:address, endSize:unsigned, lsdaLocation:address, lsdaSize:unsigned)

Ancillary predicate that specifies the actual locations of the symbolic expressions in the FDE entry.

• Used by: symbol_minus_symbol, symbol_special_encoding, symbolic_data

fde_instruction(FdeAddr:address, Index:unsigned, Size:unsigned, InsnAddr:address, Insn:symbol, Op1:number, Op2:number)

The instructions for stack unwinding are encoded into a dwarf program formed by a list of instructions. Each FDE corresponds to a region in the code and it has its own program. This predicate captures one instruction in that program.

• FdeAddr is the address of the FDE and indentifies it uniquely.

• Index identifies the instruction within the FDE uniquely.

• Size is the size of the instruction in bytes.

• InsnAddr is the address where the instruction is located

• Insn is the actual opcode of the instruction

• Op1 and Op2 are the operands of the instruction.

• Used by: cfi_directive, fde_instruction_ref, last_fde_instruction, symbol_minus_symbol

lsda(lsdaAddress:address, callsiteTable:address, callsiteTableEncoding:unsigned, callSiteTableLength:unsigned, typeTable:address, typeTableEncoding:unsigned, landingPadBaseAddress: address)

A LSDA defines the exception information of a region of code (typically a procedure). This is located in section ‘.gcc_except_table’. A LSDA entry contains two main elements a callsite table (see lsda_callsite) and a type table (see lsda_type_entry).

• Used by: lsda_symbol_minus_symbol, symbol_special_encoding, symbolic_data

lsda_pointer_locations(lsdaAddress:address, typeTablePointerLocation:address, callsiteTablePointerLoc:address)

Complementary predicate with the locations of the various pointers in a LSDA used for symbolization.

• Used by: lsda_symbol_minus_symbol, symbol_special_encoding

lsda_callsite(CallSiteTable_address:address, EA_start:address, Start:address, EA_end:address, End:address, EA_landingPad:address, LandingPad:address, EA_endLandindPad:address)

The range [Start,End) corresponds to the try block and ‘LandingPad’ to the location where the catch block is located. ‘EA_start’, ‘EA_end’ and ‘EA_landingPad’ a the locations of the symbolic expressions in the .gcc_except_table that point to ‘Start’, ‘End’ and ‘LandingPad’ respectively.

• Used by: boundary_sym_expr, lsda_callsite_addresses, lsda_symbol_minus_symbol, symbol_special_encoding

lsda_type_entry(lsdaTypeTableAddress:address, index:unsigned, address:address)

The exception handling mechanism chooses which catch block catches an given exception based on the type of the exception. This is done by having references to the types which are encoded in the type table. A lsda_type_entry is an entry in the type table. The “type” is represented as a symbolic expression pointing to ‘address’.

• Used by: lsda_symbol_minus_symbol, symbolic_data

arm_exidx_entry(FunctionStart:address, CantUnwind:unsigned)

Address where a function starts according to the ARM exidx table.

This address does not set the low bit for Thumb functions.

• Used by: basic_target, block_limit, impossible_block, known_block, negative_block_heuristic

fde_addresses(start:address, end:address)

• Uses: fde_entry

• Used by: basic_target, block_heuristic, block_limit, block_needs_merging, function_inference.function_entry, function_inference.function_entry_initial, function_inference.function_without_callframe, function_inference.in_function_initial, known_block, misaligned_fde_start, reg_def_use.return_block_end, split_load_point

misaligned_fde_start(start:address, start_adjusted:address)

FDE start points can on occasion be misaligned with the actual start of the function. This has been seen on glibc restore_rt which generates code as follows:

.text .align 16 __restore_rt:

movl $15, %rax syscall

• Uses: fde_addresses, instruction, next

• Used by: basic_target, fde_block_addresses, known_block

lsda_callsite_addresses(Start:address, End:address, LandingPad:address)

• Uses: lsda_callsite

• Used by: basic_target, block_heuristic, block_limit, block_next

special_encoding(Code:unsigned, Name:symbol)

• Used by: symbol_special_encoding