Compare commits
2 commits
420eeb6a30
...
f0d2f6bca5
| Author | SHA1 | Date | |
|---|---|---|---|
 Théophile Bastian
|
f0d2f6bca5 | ||
|
Théophile Bastian
|
31587ff8bb |
123
slides.tex
123
slides.tex
|
|
@ -13,6 +13,7 @@
|
|||
\usepackage{ifthen}
|
||||
\usepackage{colortbl}
|
||||
\usepackage{tabularx}
|
||||
\usepackage{pifont}
|
||||
|
||||
\usepackage{texlib/my_listings}
|
||||
\usepackage{texlib/specific}
|
||||
|
|
@ -38,6 +39,9 @@
|
|||
{}
|
||||
{\Roman{section}~-- \insertsection}}
|
||||
|
||||
\newcommand{\cmark}{\color{OliveGreen}\ding{52}}
|
||||
\newcommand{\xmark}{\color{BrickRed}\ding{56}}
|
||||
|
||||
\AtBeginSection[]{
|
||||
\begin{frame}
|
||||
\vfill
|
||||
|
|
@ -341,14 +345,7 @@ $1 = 84
|
|||
\newcommand{\tblhl}{\rowcolor{Tan}}
|
||||
|
||||
\begin{frame}{Example}
|
||||
\begin{table}
|
||||
\ttfamily\large
|
||||
\begin{tabularx}{0.9\linewidth}{
|
||||
l
|
||||
b
|
||||
>{\columncolor{SkyBlue}}s
|
||||
>{\columncolor{SkyBlue}}s
|
||||
}
|
||||
\newcommand{\firsttblrows}{
|
||||
\tblrowval{\hspace{-2ex}<{\bf foo}>:}{}{\textbf{CFA}}{\textbf{ra}}
|
||||
\rowonly<3>{\tblhl{}} \tblrowval{push}{\%r15}{rsp+8}{c-8}
|
||||
\rowonly<4>{\tblhl{}} \tblrowval{push}{\%r14}{rsp+16}{c-8}
|
||||
|
|
@ -359,36 +356,62 @@ $1 = 84
|
|||
\tblrowval{push}{\%rbx}{rsp+48}{c-8}
|
||||
\tblrowval{sub}{\$0x68,\%rsp}{rsp+56}{c-8}
|
||||
\rowonly<9>{\tblhl{}} \tblrowval{cmp}{\$0x1,\%edi}{rsp+160}{c-8}%
|
||||
\only<-8>{%
|
||||
}
|
||||
|
||||
\only<-8>{
|
||||
\begin{table}
|
||||
\ttfamily\large
|
||||
\begin{tabularx}{0.9\linewidth}{
|
||||
l
|
||||
b
|
||||
>{\columncolor{SkyBlue}}s
|
||||
>{\columncolor{SkyBlue}}s
|
||||
}
|
||||
\firsttblrows{}%
|
||||
\tblrowval{add}{\$0x68,\%rsp}{rsp+160}{c-8}
|
||||
\tblrowval{pop}{\%rbx}{rsp+56}{c-8}
|
||||
\tblrowval{pop}{\%rbp}{rsp+48}{c-8}}
|
||||
\end{tabularx}
|
||||
\end{table}
|
||||
|
||||
\only<-8> {
|
||||
\only<3>{\blknote{Upon function call, \alert{ra = *(\reg{rsp})} (ABI)}}
|
||||
\only<4>{\blknote{\texttt{push} decreases \reg{rsp} by 8: %
|
||||
\alert{ra = *(\reg{rsp} + 8)}}}
|
||||
\only<5>{\blknote{and again: %
|
||||
\alert{ra = *(\reg{rsp} + 16)}}}
|
||||
\only<6>{\blknote{This \texttt{mov} leaves \reg{rsp} untouched: %
|
||||
\alert{ra = *(\reg{rsp} + 16)}}}
|
||||
\only<7>{\blknote{The unwinding table can actually be seen as\\
|
||||
an \alert{abstract interpretation} of the code\ldots}}
|
||||
\only<8>{\blknote{\ldots and thus, for a given run, be
|
||||
\alert{re-computed for verification}}}
|
||||
\tblrowval{pop}{\%rbp}{rsp+48}{c-8}
|
||||
\end{tabularx}
|
||||
\end{table}
|
||||
\blknote{
|
||||
\centering
|
||||
\begin{overlayarea}{0.9\textwidth}{4.8ex}
|
||||
\only<3>{Upon function call, \alert{ra = *(\reg{rsp})} (ABI)}
|
||||
\only<4>{\texttt{push} decreases \reg{rsp} by 8: %
|
||||
\alert{ra = *(\reg{rsp} + 8)}}
|
||||
\only<5>{and again: %
|
||||
\alert{ra = *(\reg{rsp} + 16)}}
|
||||
\only<6>{This \texttt{mov} leaves \reg{rsp} untouched: %
|
||||
\alert{ra = *(\reg{rsp} + 16)}}
|
||||
\only<7>{The unwinding table can actually be seen as\\
|
||||
an \alert{abstract interpretation} of the code\ldots}
|
||||
\only<8>{\ldots and thus, for a given run, be
|
||||
\alert{re-computed for verification}}
|
||||
\end{overlayarea}
|
||||
}
|
||||
}
|
||||
\only<9->{
|
||||
\begin{table}
|
||||
\ttfamily\large
|
||||
\begin{tabularx}{0.9\linewidth}{
|
||||
l
|
||||
b
|
||||
>{\columncolor{SkyBlue}}s
|
||||
>{\columncolor{SkyBlue}}s
|
||||
}
|
||||
\firsttblrows{}%
|
||||
\end{tabularx}
|
||||
\end{table}
|
||||
|
||||
\vspace{-0.8em}
|
||||
\only<9>{\blklnote{If, within an execution,
|
||||
\begin{itemize}
|
||||
\item ra = \texttt{*(0xFFFF1098)}
|
||||
\item \reg{rsp} = \texttt{0xFFFF1000}
|
||||
\end{itemize}
|
||||
We can \alert{evaluate both expressions} and \alert{compare}
|
||||
}}
|
||||
}
|
||||
\only<9-> {
|
||||
\vspace{-2em}
|
||||
\only<9>{\blklnote{If, within an execution,
|
||||
\begin{itemize}
|
||||
\item ra = \texttt{*(0xFFFF1098)}
|
||||
\item \reg{rsp} = \texttt{0xFFFF1000}
|
||||
\end{itemize}
|
||||
We can \alert{evaluate both expressions} and \alert{compare}
|
||||
}}
|
||||
}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Dynamic validation}
|
||||
|
|
@ -450,18 +473,27 @@ $1 = 84
|
|||
\renewcommand{\tblrowval}[5]{#1 & #2 & #3 & #4 & #5 \\}
|
||||
\begin{frame}{A real bug!}
|
||||
|
||||
\begin{columns}[T]
|
||||
\begin{columns}[c]
|
||||
\column{0.7\textwidth}
|
||||
\begin{align*}
|
||||
\only<2->{\textbf{Abstract state} \qquad &
|
||||
\left[\texttt{0xFFFF1000}\right]\\}
|
||||
\only<3->{\reg{rsp} \qquad &
|
||||
\texttt{0xFFFF1000}}
|
||||
\onslide<2->{\textbf{Abstract state} \qquad &
|
||||
\left[\texttt{0xFFFF1000}\right]} \\
|
||||
\onslide<3->{\reg{rsp} \qquad & %
|
||||
~\,\texttt{%
|
||||
\only<3-4>{0xFFFF1000}%
|
||||
\only<5-8>{0xFFFF0FF8}%
|
||||
\only<9->{0xFFFF1000}%
|
||||
}
|
||||
}
|
||||
\end{align*}
|
||||
|
||||
\column{0.3\textwidth}
|
||||
Blah ?
|
||||
% Add check - cross
|
||||
{\vspace{-4mm}\bf \fontsize{2cm}{5.5cm}\selectfont %
|
||||
\only<4>{\cmark}%
|
||||
\only<6>{\cmark}%
|
||||
\only<8>{\cmark}%
|
||||
\only<10->{\xmark}%
|
||||
}
|
||||
\end{columns}
|
||||
|
||||
|
||||
|
|
@ -483,10 +515,15 @@ $1 = 84
|
|||
\tblrowval{}{[\ldots]}{}{}{}
|
||||
\tblrowval{}{}{}{}{}
|
||||
\rowonly<7-8>{\tblhl{}} \tblrowval{40061d}{pop}{\%rbx}{rsp+16}{c-8}
|
||||
\rowonly<9-10>{\tblhl{}} \tblrowval{40061e}{retq}{}{rsp+16}{c-8}
|
||||
\rowonly<9->{\tblhl{}} \tblrowval{40061e}{retq}{}{rsp+16}{c-8}
|
||||
\end{tabularx}
|
||||
\end{table}
|
||||
|
||||
\begin{center}
|
||||
\bf\Large %
|
||||
\onslide<11>{$\leadsto$ LLVM bug \#13161}
|
||||
\end{center}
|
||||
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{TODO}
|
||||
|
|
|
|||
Loading…
Reference in a new issue