ASTgen : arm32 : jc3lite cfg #49

@brk

Description

CodeHawk generates an incorrect AST for the target function in the attached binary (run codehawk.sh).

(This is a loop-free version of JPL Challenge 3)

The generated AST is

void target(int A, int B, struct x * p){

   rtn_0x10764 = open(gv_0x10894, gv_0x10890, p);  // 51
   if (temp6){
      rtn_0x107c8 = __errno_location();  // 90
      rtn_0x107d4 = strerror(rtn_0x107c8[0]);  // 120
      rtn_0x107f8 = __fprintf_chk();  // 185
      exit(1);  // 197
      rtn_0x1080c = __errno_location();  // 304
      rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
      rtn_0x1083c = __fprintf_chk();  // 391
      exit(1);  // 402
   } else {
      rtn_0x1078c = mmap(0, 4096, 3, 1, rtn_0x10764, rtn_0x10764);  // 262
      if (temp5){
         rtn_0x1080c = __errno_location();  // 304
         rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
         rtn_0x1083c = __fprintf_chk();  // 391
         exit(1);  // 402
      } else {
         rtn_0x1078c[1024] = gv_0x10898; //  0x1079c, STR
         rtn_0x107a4 = munmap(rtn_0x1078c, 4096);  // 441
         if (temp4){
            rtn_0x107b4 = 0x104a4((rtn_0x10764 - 0), R1, R2, R3);  // 612
            return;
         }
      }
   }
   rtn_0x10850 = __errno_location();  // 483
   rtn_0x1085c = strerror(rtn_0x10850[0]);  // 512
   rtn_0x10880 = __fprintf_chk();  // 570
   exit(1);  // 581
}

A few things that seem incorrect:

  • The repetition of nodes 310, 339, 337, and 408
  • Missing arguments to __fprintf_chk -- would it be worth having CodeHawk recognize this as an alias of fprintf?
  • The last argument to mmap shouldn't be the return value from open.
  • The call to 0x104a4 wasn't recognized as a call to close

The original source was

#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed for this excerpt (not shown in the issue): the page-sized mapping
   and a devmem2-style FATAL block, which match the mmap(..., 4096, ...) and
   errno/strerror/fprintf/exit(1) sequence CodeHawk recovered above. FATAL is
   a braced block so the bare `FATAL` after the open() and munmap() checks
   compiles with or without a trailing semicolon. */
#define MAP_SIZE 4096UL
#define MAP_MASK (MAP_SIZE - 1)
#define FATAL { fprintf(stderr, "Error at line %d, file %s (%d) [%s]\n", \
                        __LINE__, __FILE__, errno, strerror(errno)); exit(1); }

extern off_t start_physicaladdress;  /* global read by target(); value not given in the issue */

void target(int A, int B) {
	int fd;
	void *map_base, *virt_addr;
	unsigned long read_result, writeval;
	off_t targeto;
	targeto = start_physicaladdress;

	if (targeto <= (off_t) B){

		if((fd = open("/dev/mem", O_RDWR | O_SYNC)) < 0) FATAL

		map_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, targeto & ~MAP_MASK);
		if(((intptr_t) map_base) < 0) FATAL;

		virt_addr = map_base + (targeto & MAP_MASK);

		writeval = targeto;
		*((unsigned long *) virt_addr) = writeval;
		read_result = *((unsigned long *) virt_addr);

		if(read_result != writeval){
			printf("Error: read physical addres 0x%lX; write physical address 0x%lX \n", read_result, writeval);
		}
		if((intptr_t)munmap(map_base, MAP_SIZE) < 0) FATAL
		close(fd);
	}
}
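A quick way to check a dump like the one above mechanically, as an added example that is neither CodeHawk code nor part of the original report: the script below scans the pseudo-C text (embedded as a constructed sample, copied from the AST quoted above) and flags the four things listed in the issue. It assumes the dump's own conventions, namely that each statement carries a trailing "// N" node id, that unresolved calls appear as a bare hex address followed by "(", and that mmap's arguments are in the POSIX order (fd fifth, offset sixth). The alias table is the set of glibc _FORTIFY_SOURCE wrappers and the plain functions they stand in for.

```python
# Added example (not CodeHawk code, not from the issue author): lint a
# CodeHawk pseudo-C dump for repeated nodes, calls through raw addresses,
# an mmap() whose offset repeats the fd expression, and argument-less calls
# to glibc fortify wrappers that should be shown under their plain name.
import re
from collections import defaultdict

NODE_RE = re.compile(r"//\s*(\d+)\s*$")            # trailing "// 304"
RAW_CALL_RE = re.compile(r"\b(0x[0-9a-fA-F]+)\(")  # call through a bare address
CALL_RE = re.compile(r"\b(\w+)\(([^()]*(?:\([^()]*\)[^()]*)*)\)")  # name(args), one nesting level
# glibc _FORTIFY_SOURCE wrappers and the function each one stands in for
FORTIFY_ALIASES = {"__fprintf_chk": "fprintf", "__printf_chk": "printf",
                   "__sprintf_chk": "sprintf", "__snprintf_chk": "snprintf"}

# Constructed sample: the AST text quoted in the issue.
SAMPLE_AST = """\
void target(int A, int B, struct x * p){
   rtn_0x10764 = open(gv_0x10894, gv_0x10890, p);  // 51
   if (temp6){
      rtn_0x107c8 = __errno_location();  // 90
      rtn_0x107d4 = strerror(rtn_0x107c8[0]);  // 120
      rtn_0x107f8 = __fprintf_chk();  // 185
      exit(1);  // 197
      rtn_0x1080c = __errno_location();  // 304
      rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
      rtn_0x1083c = __fprintf_chk();  // 391
      exit(1);  // 402
   } else {
      rtn_0x1078c = mmap(0, 4096, 3, 1, rtn_0x10764, rtn_0x10764);  // 262
      if (temp5){
         rtn_0x1080c = __errno_location();  // 304
         rtn_0x10818 = strerror(rtn_0x1080c[0]);  // 333
         rtn_0x1083c = __fprintf_chk();  // 391
         exit(1);  // 402
      } else {
         rtn_0x1078c[1024] = gv_0x10898; //  0x1079c, STR
         rtn_0x107a4 = munmap(rtn_0x1078c, 4096);  // 441
         if (temp4){
            rtn_0x107b4 = 0x104a4((rtn_0x10764 - 0), R1, R2, R3);  // 612
            return;
         }
      }
   }
   rtn_0x10850 = __errno_location();  // 483
   rtn_0x1085c = strerror(rtn_0x10850[0]);  // 512
   rtn_0x10880 = __fprintf_chk();  // 570
   exit(1);  // 581
}
"""

def duplicated_nodes(ast_text):
    """Map node id -> line numbers for every node emitted more than once."""
    seen = defaultdict(list)
    for lineno, line in enumerate(ast_text.splitlines(), 1):
        m = NODE_RE.search(line)
        if m:
            seen[int(m.group(1))].append(lineno)
    return {n: ls for n, ls in seen.items() if len(ls) > 1}

def unresolved_calls(ast_text):
    """Calls made through a raw address instead of a resolved symbol."""
    return sorted(set(RAW_CALL_RE.findall(ast_text)))

def split_args(argtext):
    """Split an argument list on top-level commas only (args may nest parens)."""
    args, depth, cur = [], 0, ""
    for ch in argtext:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            args.append(cur.strip()); cur = ""
        else:
            cur += ch
    return args + [cur.strip()] if cur.strip() else args

def calls(ast_text):
    """Yield (callee, [args]) for every call expression in the dump."""
    for m in CALL_RE.finditer(ast_text):
        yield m.group(1), split_args(m.group(2))

def suspicious_mmap(ast_text):
    """mmap() calls whose offset (arg 6) is the same expression as the fd (arg 5)."""
    return [a for f, a in calls(ast_text) if f == "mmap" and len(a) == 6 and a[4] == a[5]]

def empty_fortified_calls(ast_text):
    """Fortify wrappers called with no arguments, paired with the plain name they alias."""
    return sorted({(f, FORTIFY_ALIASES[f]) for f, a in calls(ast_text)
                   if f in FORTIFY_ALIASES and not a})

if __name__ == "__main__":
    for node, lines in sorted(duplicated_nodes(SAMPLE_AST).items()):
        print(f"node {node} emitted on sample lines {lines}")
    print("calls through raw addresses:", unresolved_calls(SAMPLE_AST))
    print("mmap with offset == fd:", suspicious_mmap(SAMPLE_AST))
    print("fortify wrappers with no args:", empty_fortified_calls(SAMPLE_AST))
```

The node ids it reports are the "// N" annotations on the statement lines, which is why the duplicate set it prints is the 304/333/391/402 sequence rather than the numbers quoted in the bullet list above; the raw-address check is deliberately narrow (a hex literal immediately followed by "(") so that `rtn_0x...` temporaries and `gv_0x...` globals are not mistaken for calls.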
