Add heuristics analysis
This commit is contained in:
parent
c74ec873eb
commit
b2cf0a77df
1 changed files with 99 additions and 0 deletions
99
HEURISTICS.md
Normal file
99
HEURISTICS.md
Normal file
|
|
@ -0,0 +1,99 @@
|
||||||
|
# Heuristics used for synthesis
|
||||||
|
|
||||||
|
This file lists the major heuristics used for synthesis.
|
||||||
|
|
||||||
|
## Initial row
|
||||||
|
|
||||||
|
Initial row is always assumed as
|
||||||
|
CFA rbp ra
|
||||||
|
rsp+8 u c-8
|
||||||
|
|
||||||
|
## With or without %rbp?
|
||||||
|
|
||||||
|
When synthesizing a FDE, there is sometimes a choice between using %rbp or
|
||||||
|
not. For instance, it is possible that the original program uses %rbp for
|
||||||
|
something entirely different than keeping a base pointer, without it being
|
||||||
|
obvious: the synthesis must then avoid using %rbp.
|
||||||
|
|
||||||
|
When synthesizing a FDE, two passes are applied on the function: a first pass
|
||||||
|
that tracks %rbp to generate a correct table, but is denied using %rbp as an
|
||||||
|
indexing mean for CFA. If this first pass fails by losing track of its CFA at
|
||||||
|
some point, we fall back to a second phase that does the same, but switches its
|
||||||
|
CFA indexing to %rbp if possible.
|
||||||
|
|
||||||
|
This method works in practice because
|
||||||
|
* if the first pass succeeded, then a correct CFA indexing was found,
|
||||||
|
* if not, the original compiler could not generate a correct CFA indexing
|
||||||
|
either and was forced to use %rbp as a base pointer (except corner cases,
|
||||||
|
eg. clang sometimes generate code without possible correct unwinding data in
|
||||||
|
pre-abort error handling paths)
|
||||||
|
|
||||||
|
## Lossy merge
|
||||||
|
|
||||||
|
When two or more code branches merge at some point, we require that the
|
||||||
|
unwinding data propagated by all of the branches can be merged into
|
||||||
|
consistent data.
|
||||||
|
|
||||||
|
Most of the time, *consistent* means strictly equivalent, but it can be
|
||||||
|
weakened by allowing rows with %rbp undefined on one side and defined on the
|
||||||
|
other to be merged — thus assuming the merged data is %rbp undefined, allowing
|
||||||
|
a information loss.
|
||||||
|
|
||||||
|
We actually process the control flow graph of a subroutine by walking it
|
||||||
|
depth-first. When first encountering a new block, the propagated row is saved
|
||||||
|
as the initial data for this block. When we encounter it again from another
|
||||||
|
predecessor, the propagated row is merged if possible, or aborts with
|
||||||
|
inconsistency. This merge operation is thus algorithmically free if the data
|
||||||
|
first stored in the block is %rbp undefined — it is possible to just erase the
|
||||||
|
data on the newly merged unwinding data. The other way around, changing the
|
||||||
|
data already present, with which subsequent computations have already been
|
||||||
|
made, would require recomputing a lot of data. We thus *only allow it* if the
|
||||||
|
block is a leaf block in the control flow graph of the subroutine.
|
||||||
|
|
||||||
|
This restriction in the application conditions works well in practice because
|
||||||
|
gcc does not generate such lossy merges, and clang generates those only for the
|
||||||
|
exit block of a function — just before `retq`.
|
||||||
|
|
||||||
|
## CFA state tracking
|
||||||
|
|
||||||
|
### When CFA is an offset of %rsp
|
||||||
|
|
||||||
|
If the CFA is an offset of %rsp, it must be kept up to date when %rsp changes.
|
||||||
|
In the BAP IR, every such change will generate some instruction `%rsp <- EXPR`.
|
||||||
|
|
||||||
|
* If the expression is just `%rsp <- %rsp + offset`, the CFA is updated with
|
||||||
|
this offset (most cases).
|
||||||
|
* If not, the analysis loses track and aborts. This case did not occur during
|
||||||
|
our testing while the CFA was indexed by %rsp.
|
||||||
|
|
||||||
|
### When CFA is offset of %rbp
|
||||||
|
|
||||||
|
If the CFA is an offset of %rbp, nothing special is required to track the CFA.
|
||||||
|
|
||||||
|
### Switching between the modes: %rsp to %rbp indexing
|
||||||
|
|
||||||
|
If the CFA is currently an offset of %rsp, an indexing mode change is detected
|
||||||
|
when %rip is saved to %rbp. If the synthesis is currently allowed to use %rbp
|
||||||
|
indexing (see *With or without %rbp?*), the indexing mode is then switched. If
|
||||||
|
not, the current CFA indexing is kept.
|
||||||
|
|
||||||
|
### Switching between the modes: %rbp to %rsp indexing
|
||||||
|
|
||||||
|
The only event that triggers a revert to %rsp-based indexing is when %rbp gets
|
||||||
|
overwritten with something while %rbp indexing.
|
||||||
|
|
||||||
|
It is non-trivial to decide which %rsp offset should be used when switching
|
||||||
|
back. So far, we have only encountered switches back to %rsp at the very end of
|
||||||
|
functions — when %rbp was popped from the stack. Thus, we thus assume that upon
|
||||||
|
restore, CFA=%rsp+8. This only works in practice since in the observed cases,
|
||||||
|
compilers tend to stick to %rbp indexing when they decide to use it in a
|
||||||
|
function.
|
||||||
|
|
||||||
|
## %rbp state tracking
|
||||||
|
|
||||||
|
Tracking the state of %rbp (or any other callee-saved register) can be done by
|
||||||
|
tracking the program points at which
|
||||||
|
|
||||||
|
* %rbp is undefined and an instruction saves %rbp to the stack,
|
||||||
|
* %rbp is defined and an instruction overwrites %rbp with the data initially
|
||||||
|
saved on the stack
|
||||||
Loading…
Reference in a new issue