symbolization

ELF-specific rules and relations for symbolization

elf_relocation_size(ISA:symbol, Type:symbol, Size:unsigned)

Table maps ELF relocation types to a size in bits.

Used by: relocation_size, symbolic_expr_from_relocation, symbolic_operand_attribute

reg_has_got(EA:address, Reg:register)

Value of register ‘Reg’ at address ‘EA’ is a GOT-relative base reference.

Uses: got_section, loaded_section

Used by: symbol_minus_symbol, symbolic_expr, symbolic_operand_attribute

Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

got_reference_pointer(EA:address)

Address ‘EA’ is used as a GOT-relative base reference. ‘EA’ is the beginning of either the .got or .got.plt section.

Uses: loaded_section

Used by: got_relative_operand, inferred_special_symbol, jump_table_start, plt_entry, symbol_minus_symbol, symbolic_expr, symbolic_operand_attribute

got_relative_operand(EA:address, Index:operand_index, Dest:address)

Operand instruction at ‘EA’ at index ‘Index’ is a GOT-relative reference to an address ‘Dest’.

Uses: arch.reg_reg_arithmetic_operation, got_reference_pointer, instruction_displacement_offset, instruction_get_op, op_immediate_and_reg, op_indirect_mapped, relocation, symbol

Used by: moved_label_candidate, moved_label_class, symbolic_operand_attribute, symbolic_operand_candidate, tls_global_dynamic

Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

start_function(ea:address)

do_infer_main_function()

Decide whether the main function should be inferred.

WARNING: Predicate not present in compiled Datalog program (Dead Code)

inferred_main_dispatch(EA:address)

Locate where main() is dispatched (i.e., where __libc_start_main is called.)

Uses: binary_format, binary_type, function_symbol

Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

inferred_main_in_reg(EA:address, Reg:register)

The location and register where the address of main is loaded.

Uses: arch.integer_reg_param, instruction, instruction_get_src_op, next, op_indirect_contains_reg, op_regdirect_contains_reg

Used by: inferred_main_function

Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

inferred_main_function(Main_location:address)

Infer the location of the main function.

Uses: address_in_data, code_in_block, inferred_main_in_reg, instruction_get_op, op_indirect_contains_reg, reg_def_use.def_used, value_reg

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

reloc_type_relpc(Type:symbol)

Type of relocation relevant to pc-relative attribute

Used by: relocation_adjustment

reloc_type_with_name(Type:symbol)

Type of relocation possibly with non-empty Symbol name

Used by: symbolic_expr_from_relocation

reloc_type_nameless(Type:symbol)

Type of relocation possibly with empty Symbol name

Used by: symbolic_expr_from_relocation

copy_relocated_symbol(EA:address, Name:symbol)

Collect all the symbols whose address, size and type are the same as the symbol with COPY relocation.

Uses: relocation, symbol

Recursive: copy_relocated_symbol

best_ifunc_symbol(EA:address, SymbolName:symbol)

Best GNU_IFUNC symbol for plt entries. Uses ifunc_symbol_score to deterministically select a single ifunc symbol for each EA.

Uses: ifunc_symbol_score, relocation, symbol

Used by: plt_entry

ifunc_symbol_score(EA:address, SymbolName:symbol, Score:unsigned)

Provide a score to GNU_IFUNC symbols based on scope, visibility, and their table index.

Uses: defined_symbol, ifunc_scope_score, symbol_visibility_score

Used by: best_ifunc_symbol

ifunc_scope_score(Scope:symbol, Score:unsigned)

Auxiliary predicate to define ifunc_symbol_score Prefer symbols with LOCAL over GLOBAL, and with GLOBAl over anything else (WEAK).

Uses: symbol

Used by: ifunc_symbol_score