forked from OSchip/llvm-project
				
			
		
			
				
	
	
		
			587 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			C++
		
	
	
	
			
		
		
	
	
			587 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			C++
		
	
	
	
| //===- llvm/unittests/llvm-cfi-verify/GraphBuilder.cpp --------------===//
 | |
| //
 | |
| //                     The LLVM Compiler Infrastructure
 | |
| //
 | |
| // This file is distributed under the University of Illinois Open Source
 | |
| // License. See LICENSE.TXT for details.
 | |
| //
 | |
| //===----------------------------------------------------------------------===//
 | |
| 
 | |
| #include "../tools/llvm-cfi-verify/lib/GraphBuilder.h"
 | |
| #include "../tools/llvm-cfi-verify/lib/FileAnalysis.h"
 | |
| #include "gmock/gmock.h"
 | |
| #include "gtest/gtest.h"
 | |
| 
 | |
| #include "llvm/BinaryFormat/ELF.h"
 | |
| #include "llvm/MC/MCAsmInfo.h"
 | |
| #include "llvm/MC/MCContext.h"
 | |
| #include "llvm/MC/MCDisassembler/MCDisassembler.h"
 | |
| #include "llvm/MC/MCInst.h"
 | |
| #include "llvm/MC/MCInstPrinter.h"
 | |
| #include "llvm/MC/MCInstrAnalysis.h"
 | |
| #include "llvm/MC/MCInstrDesc.h"
 | |
| #include "llvm/MC/MCInstrInfo.h"
 | |
| #include "llvm/MC/MCObjectFileInfo.h"
 | |
| #include "llvm/MC/MCRegisterInfo.h"
 | |
| #include "llvm/MC/MCSubtargetInfo.h"
 | |
| #include "llvm/Object/Binary.h"
 | |
| #include "llvm/Object/COFF.h"
 | |
| #include "llvm/Object/ELFObjectFile.h"
 | |
| #include "llvm/Object/ObjectFile.h"
 | |
| #include "llvm/Support/Casting.h"
 | |
| #include "llvm/Support/CommandLine.h"
 | |
| #include "llvm/Support/Error.h"
 | |
| #include "llvm/Support/MemoryBuffer.h"
 | |
| #include "llvm/Support/TargetRegistry.h"
 | |
| #include "llvm/Support/TargetSelect.h"
 | |
| #include "llvm/Support/raw_ostream.h"
 | |
| 
 | |
| #include <cstdlib>
 | |
| #include <sstream>
 | |
| 
 | |
| using Instr = ::llvm::cfi_verify::FileAnalysis::Instr;
 | |
| using ::testing::AllOf;
 | |
| using ::testing::Each;
 | |
| using ::testing::ElementsAre;
 | |
| using ::testing::Eq;
 | |
| using ::testing::Field;
 | |
| using ::testing::IsEmpty;
 | |
| using ::testing::Matches;
 | |
| using ::testing::Pair;
 | |
| using ::testing::PrintToString;
 | |
| using ::testing::Property;
 | |
| using ::testing::SizeIs;
 | |
| using ::testing::UnorderedElementsAre;
 | |
| using ::testing::Value;
 | |
| 
 | |
| namespace llvm {
 | |
| namespace cfi_verify {
 | |
| // Printing helpers for gtest.
 | |
| std::string HexStringifyContainer(const std::vector<uint64_t> &C) {
 | |
|   std::stringstream Stream;
 | |
|   if (C.empty()) {
 | |
|     return "{ }";
 | |
|   }
 | |
| 
 | |
|   Stream << "{ ";
 | |
|   const auto &LastElemIt = std::end(C) - 1;
 | |
| 
 | |
|   for (auto It = std::begin(C); It != LastElemIt; ++It) {
 | |
|     Stream << "0x" << std::hex << *It << ", ";
 | |
|   }
 | |
|   Stream << "0x" << std::hex << *LastElemIt << " }";
 | |
|   return Stream.str();
 | |
| }
 | |
| 
 | |
| void PrintTo(const ConditionalBranchNode &BranchNode, ::std::ostream *os) {
 | |
|   *os << "ConditionalBranchNode<Address: 0x" << std::hex << BranchNode.Address
 | |
|       << ", Target: 0x" << BranchNode.Target << ", Fallthrough: 0x"
 | |
|       << BranchNode.Fallthrough
 | |
|       << ", CFIProtection: " << BranchNode.CFIProtection << ">";
 | |
| }
 | |
| 
 | |
| void PrintTo(const GraphResult &Result, ::std::ostream *os) {
 | |
|   *os << "Result BaseAddress: 0x" << std::hex << Result.BaseAddress << "\n";
 | |
| 
 | |
|   if (Result.ConditionalBranchNodes.empty())
 | |
|     *os << "  (No conditional branch nodes)\n";
 | |
| 
 | |
|   for (const auto &Node : Result.ConditionalBranchNodes) {
 | |
|     *os << "  ";
 | |
|     PrintTo(Node, os);
 | |
|     *os << "\n    Fallthrough Path: " << std::hex
 | |
|         << HexStringifyContainer(Result.flattenAddress(Node.Fallthrough))
 | |
|         << "\n";
 | |
|     *os << "    Target Path: " << std::hex
 | |
|         << HexStringifyContainer(Result.flattenAddress(Node.Target)) << "\n";
 | |
|   }
 | |
| 
 | |
|   if (Result.OrphanedNodes.empty())
 | |
|     *os << "  (No orphaned nodes)";
 | |
| 
 | |
|   for (const auto &Orphan : Result.OrphanedNodes) {
 | |
|     *os << "  Orphan (0x" << std::hex << Orphan
 | |
|         << ") Path: " << HexStringifyContainer(Result.flattenAddress(Orphan))
 | |
|         << "\n";
 | |
|   }
 | |
| }
 | |
| 
 | |
| namespace {
 | |
| class ELFx86TestFileAnalysis : public FileAnalysis {
 | |
| public:
 | |
|   ELFx86TestFileAnalysis()
 | |
|       : FileAnalysis(Triple("x86_64--"), SubtargetFeatures()) {}
 | |
| 
 | |
|   // Expose this method publicly for testing.
 | |
|   void parseSectionContents(ArrayRef<uint8_t> SectionBytes,
 | |
|                             uint64_t SectionAddress) {
 | |
|     FileAnalysis::parseSectionContents(SectionBytes, SectionAddress);
 | |
|   }
 | |
| 
 | |
|   Error initialiseDisassemblyMembers() {
 | |
|     return FileAnalysis::initialiseDisassemblyMembers();
 | |
|   }
 | |
| };
 | |
| 
 | |
| class BasicGraphBuilderTest : public ::testing::Test {
 | |
| protected:
 | |
|   virtual void SetUp() {
 | |
|     IgnoreDWARFFlag = true;
 | |
|     SuccessfullyInitialised = true;
 | |
|     if (auto Err = Analysis.initialiseDisassemblyMembers()) {
 | |
|       handleAllErrors(std::move(Err), [&](const UnsupportedDisassembly &E) {
 | |
|         SuccessfullyInitialised = false;
 | |
|         outs()
 | |
|             << "Note: CFIVerifyTests are disabled due to lack of x86 support "
 | |
|                "on this build.\n";
 | |
|       });
 | |
|     }
 | |
|   }
 | |
| 
 | |
|   bool SuccessfullyInitialised;
 | |
|   ELFx86TestFileAnalysis Analysis;
 | |
| };
 | |
| 
 | |
| MATCHER_P2(HasPath, Result, Matcher, "has path " + PrintToString(Matcher)) {
 | |
|   const auto &Path = Result.flattenAddress(arg);
 | |
|   *result_listener << "the path is " << PrintToString(Path);
 | |
|   return Matches(Matcher)(Path);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphTestSinglePathFallthroughUd2) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x02, // 0: jne 4 [+2]
 | |
|           0x0f, 0x0b, // 2: ud2
 | |
|           0xff, 0x10, // 4: callq *(%rax)
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   const auto Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 4);
 | |
| 
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(1));
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes,
 | |
|               Each(Field(&ConditionalBranchNode::CFIProtection, Eq(true))));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|                      Field(&ConditionalBranchNode::Target,
 | |
|                            HasPath(Result, ElementsAre(0xDEADBEEF + 4))),
 | |
|                      Field(&ConditionalBranchNode::Fallthrough,
 | |
|                            HasPath(Result, ElementsAre(0xDEADBEEF + 2))))))
 | |
|       << PrintToString(Result);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphTestSinglePathJumpUd2) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x02, // 0: jne 4 [+2]
 | |
|           0xff, 0x10, // 2: callq *(%rax)
 | |
|           0x0f, 0x0b, // 4: ud2
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   const auto Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 2);
 | |
| 
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(1));
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes,
 | |
|               Each(Field(&ConditionalBranchNode::CFIProtection, Eq(true))));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|                      Field(&ConditionalBranchNode::Target,
 | |
|                            HasPath(Result, ElementsAre(0xDEADBEEF + 4))),
 | |
|                      Field(&ConditionalBranchNode::Fallthrough,
 | |
|                            HasPath(Result, ElementsAre(0xDEADBEEF + 2))))))
 | |
|       << PrintToString(Result);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphTestDualPathDualUd2) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x03, // 0: jne 5 [+3]
 | |
|           0x90,       // 2: nop
 | |
|           0xff, 0x10, // 3: callq *(%rax)
 | |
|           0x0f, 0x0b, // 5: ud2
 | |
|           0x75, 0xf9, // 7: jne 2 [-7]
 | |
|           0x0f, 0x0b, // 9: ud2
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   const auto Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 3);
 | |
| 
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(2));
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes,
 | |
|               Each(Field(&ConditionalBranchNode::CFIProtection, Eq(true))));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF + 3))),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 5))))))
 | |
|       << PrintToString(Result);
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF + 7)),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 9))),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF + 3))))))
 | |
|       << PrintToString(Result);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphTestDualPathSingleUd2) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x05, // 0: jne 7 [+5]
 | |
|           0x90,       // 2: nop
 | |
|           0xff, 0x10, // 3: callq *(%rax)
 | |
|           0x75, 0xfb, // 5: jne 2 [-5]
 | |
|           0x0f, 0x0b, // 7: ud2
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 3);
 | |
| 
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(2));
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes,
 | |
|               Each(Field(&ConditionalBranchNode::CFIProtection, Eq(true))));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF + 3))),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 7))))))
 | |
|       << PrintToString(Result);
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF + 5)),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 7))),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF + 3))))))
 | |
|       << PrintToString(Result);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphFailures) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x90,       // 0: nop
 | |
|           0x75, 0xfe, // 1: jne 1 [-2]
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, IsEmpty());
 | |
| 
 | |
|   Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 1);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, IsEmpty());
 | |
| 
 | |
|   Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADC0DE);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, IsEmpty());
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphNoXrefs) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0xeb, 0xfe, // 0: jmp 0 [-2]
 | |
|           0xff, 0x10, // 2: callq *(%rax)
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 2);
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.OrphanedNodes, ElementsAre(0xDEADBEEF + 2));
 | |
|   EXPECT_THAT(Result.IntermediateNodes, IsEmpty());
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphConditionalInfiniteLoop) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0xfe, // 0: jne 0 [-2]
 | |
|           0xff, 0x10, // 2: callq *(%rax)
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 2);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(1));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Each(AllOf(Field(&ConditionalBranchNode::CFIProtection, Eq(false)),
 | |
|                  Field(&ConditionalBranchNode::Target,
 | |
|                        HasPath(Result, ElementsAre(0xDEADBEEF))),
 | |
|                  Field(&ConditionalBranchNode::Fallthrough,
 | |
|                        HasPath(Result, ElementsAre(0xDEADBEEF + 2))))))
 | |
|       << PrintToString(Result);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphUnconditionalInfiniteLoop) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x02, // 0: jne 4 [+2]
 | |
|           0xeb, 0xfc, // 2: jmp 0 [-4]
 | |
|           0xff, 0x10, // 4: callq *(%rax)
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 4);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(1));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(
 | |
|           AllOf(Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|                 Field(&ConditionalBranchNode::Fallthrough,
 | |
|                       HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF))),
 | |
|                 Field(&ConditionalBranchNode::Target,
 | |
|                       HasPath(Result, ElementsAre(0xDEADBEEF + 4))))))
 | |
|       << PrintToString(Result);
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphNoFlowsToIndirection) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x00, // 0: jne 2 [+0]
 | |
|           0xeb, 0xfc, // 2: jmp 0 [-4]
 | |
|           0xff, 0x10, // 4: callq *(%rax)
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 4);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, ElementsAre(0xDEADBEEF + 4));
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, IsEmpty());
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphLengthExceededUpwards) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x06, // 0: jne 8 [+6]
 | |
|           0x90,       // 2: nop
 | |
|           0x90,       // 3: nop
 | |
|           0x90,       // 4: nop
 | |
|           0x90,       // 5: nop
 | |
|           0xff, 0x10, // 6: callq *(%rax)
 | |
|           0x0f, 0x0b, // 8: ud2
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   uint64_t PrevSearchLengthForConditionalBranch =
 | |
|       SearchLengthForConditionalBranch;
 | |
|   SearchLengthForConditionalBranch = 2;
 | |
| 
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 6);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, SizeIs(1));
 | |
|   EXPECT_THAT(Result.OrphanedNodes,
 | |
|               Each(HasPath(Result, ElementsAre(0xDEADBEEF + 4, 0xDEADBEEF + 5,
 | |
|                                                0xDEADBEEF + 6))))
 | |
|       << PrintToString(Result);
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, IsEmpty());
 | |
| 
 | |
|   SearchLengthForConditionalBranch = PrevSearchLengthForConditionalBranch;
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphLengthExceededDownwards) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x02, // 0: jne 4 [+2]
 | |
|           0xff, 0x10, // 2: callq *(%rax)
 | |
|           0x90,       // 4: nop
 | |
|           0x90,       // 5: nop
 | |
|           0x90,       // 6: nop
 | |
|           0x90,       // 7: nop
 | |
|           0x0f, 0x0b, // 8: ud2
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   uint64_t PrevSearchLengthForUndef = SearchLengthForUndef;
 | |
|   SearchLengthForUndef = 2;
 | |
| 
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 2);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Each(AllOf(
 | |
|           Field(&ConditionalBranchNode::CFIProtection, Eq(false)),
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 4, 0xDEADBEEF + 5))),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2))))))
 | |
|       << PrintToString(Result);
 | |
| 
 | |
|   SearchLengthForUndef = PrevSearchLengthForUndef;
 | |
| }
 | |
| 
 | |
| // This test ensures when avoiding doing repeated work we still generate the
 | |
| // paths correctly. We don't need to recalculate the flow from 0x2 -> 0x3 as it
 | |
| // should only need to be generated once.
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphWithRepeatedWork) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x05, // 0: jne 7 [+5]
 | |
|           0x90,       // 2: nop
 | |
|           0xff, 0x10, // 3: callq *(%rax)
 | |
|           0x75, 0xfb, // 5: jne 2 [-5]
 | |
|           0x0f, 0x0b, // 7: ud2
 | |
|       },
 | |
|       0xDEADBEEF);
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 3);
 | |
|   EXPECT_THAT(Result.OrphanedNodes, IsEmpty());
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(2));
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(
 | |
|           Field(&ConditionalBranchNode::CFIProtection, Eq(true)),
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF)),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 7))),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF + 3))))))
 | |
|       << PrintToString(Result);
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(
 | |
|           Field(&ConditionalBranchNode::CFIProtection, Eq(true)),
 | |
|           Field(&ConditionalBranchNode::Address, Eq(0xDEADBEEF + 5)),
 | |
|           Field(&ConditionalBranchNode::Target,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 2, 0xDEADBEEF + 3))),
 | |
|           Field(&ConditionalBranchNode::Fallthrough,
 | |
|                 HasPath(Result, ElementsAre(0xDEADBEEF + 7))))))
 | |
|       << PrintToString(Result);
 | |
|   EXPECT_THAT(Result.IntermediateNodes, SizeIs(1));
 | |
|   EXPECT_THAT(Result.IntermediateNodes,
 | |
|               UnorderedElementsAre(Pair(0xDEADBEEF + 2, 0xDEADBEEF + 3)));
 | |
| }
 | |
| 
 | |
| TEST_F(BasicGraphBuilderTest, BuildFlowGraphComplexExample) {
 | |
|   if (!SuccessfullyInitialised)
 | |
|     return;
 | |
|   // The following code has this graph:
 | |
|   //  +----------+      +--------------+
 | |
|   //  |    20    | <--- |      0       |
 | |
|   //  +----------+      +--------------+
 | |
|   //    |                 |
 | |
|   //    v                 v
 | |
|   //  +----------+      +--------------+
 | |
|   //  |    21    |      |      2       |
 | |
|   //  +----------+      +--------------+
 | |
|   //    |                 |
 | |
|   //    v                 v
 | |
|   //  +----------+      +--------------+
 | |
|   //  | 22 (ud2) |  +-> |      7       |
 | |
|   //  +----------+  |   +--------------+
 | |
|   //    ^           |     |
 | |
|   //    |           |     v
 | |
|   //  +----------+  |   +--------------+
 | |
|   //  |    4     |  |   |      8       |
 | |
|   //  +----------+  |   +--------------+
 | |
|   //    |           |     |
 | |
|   //    v           |     v
 | |
|   //  +----------+  |   +--------------+    +------------+
 | |
|   //  |    6     | -+   | 9 (indirect) | <- |     13     |
 | |
|   //  +----------+      +--------------+    +------------+
 | |
|   //                      ^                   |
 | |
|   //                      |                   v
 | |
|   //                    +--------------+    +------------+
 | |
|   //                    |      11      |    | 15 (error) |
 | |
|   //                    +--------------+    +------------+
 | |
|   // Or, in image format: https://i.imgur.com/aX5fCoi.png
 | |
| 
 | |
|   Analysis.parseSectionContents(
 | |
|       {
 | |
|           0x75, 0x12,                   // 0: jne 20 [+18]
 | |
|           0xeb, 0x03,                   // 2: jmp 7 [+3]
 | |
|           0x75, 0x10,                   // 4: jne 22 [+16]
 | |
|           0x90,                         // 6: nop
 | |
|           0x90,                         // 7: nop
 | |
|           0x90,                         // 8: nop
 | |
|           0xff, 0x10,                   // 9: callq *(%rax)
 | |
|           0xeb, 0xfc,                   // 11: jmp 9 [-4]
 | |
|           0x75, 0xfa,                   // 13: jne 9 [-6]
 | |
|           0xe8, 0x78, 0x56, 0x34, 0x12, // 15: callq OUTOFBOUNDS [+0x12345678]
 | |
|           0x90,                         // 20: nop
 | |
|           0x90,                         // 21: nop
 | |
|           0x0f, 0x0b,                   // 22: ud2
 | |
|       },
 | |
|       0x1000);
 | |
|   uint64_t PrevSearchLengthForUndef = SearchLengthForUndef;
 | |
|   SearchLengthForUndef = 5;
 | |
| 
 | |
|   GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0x1000 + 9);
 | |
| 
 | |
|   EXPECT_THAT(Result.OrphanedNodes, SizeIs(1));
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes, SizeIs(3));
 | |
| 
 | |
|   EXPECT_THAT(
 | |
|       Result.OrphanedNodes,
 | |
|       Each(AllOf(Eq(0x1000u + 11),
 | |
|                  HasPath(Result, ElementsAre(0x1000 + 11, 0x1000 + 9)))))
 | |
|       << PrintToString(Result);
 | |
| 
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes,
 | |
|               Contains(AllOf(
 | |
|                   Field(&ConditionalBranchNode::CFIProtection, Eq(true)),
 | |
|                   Field(&ConditionalBranchNode::Address, Eq(0x1000u)),
 | |
|                   Field(&ConditionalBranchNode::Target,
 | |
|                         HasPath(Result, ElementsAre(0x1000 + 20, 0x1000 + 21,
 | |
|                                                     0x1000 + 22))),
 | |
|                   Field(&ConditionalBranchNode::Fallthrough,
 | |
|                         HasPath(Result, ElementsAre(0x1000 + 2, 0x1000 + 7,
 | |
|                                                     0x1000 + 8, 0x1000 + 9))))))
 | |
|       << PrintToString(Result);
 | |
| 
 | |
|   EXPECT_THAT(Result.ConditionalBranchNodes,
 | |
|               Contains(AllOf(
 | |
|                   Field(&ConditionalBranchNode::CFIProtection, Eq(true)),
 | |
|                   Field(&ConditionalBranchNode::Address, Eq(0x1000u + 4)),
 | |
|                   Field(&ConditionalBranchNode::Target,
 | |
|                         HasPath(Result, ElementsAre(0x1000 + 22))),
 | |
|                   Field(&ConditionalBranchNode::Fallthrough,
 | |
|                         HasPath(Result, ElementsAre(0x1000 + 6, 0x1000 + 7,
 | |
|                                                     0x1000 + 8, 0x1000 + 9))))))
 | |
|       << PrintToString(Result);
 | |
| 
 | |
|   EXPECT_THAT(
 | |
|       Result.ConditionalBranchNodes,
 | |
|       Contains(AllOf(Field(&ConditionalBranchNode::CFIProtection, Eq(false)),
 | |
|                      Field(&ConditionalBranchNode::Address, Eq(0x1000u + 13)),
 | |
|                      Field(&ConditionalBranchNode::Target,
 | |
|                            HasPath(Result, ElementsAre(0x1000 + 9))),
 | |
|                      Field(&ConditionalBranchNode::Fallthrough,
 | |
|                            HasPath(Result, ElementsAre(0x1000 + 15))))))
 | |
|       << PrintToString(Result);
 | |
| 
 | |
|   SearchLengthForUndef = PrevSearchLengthForUndef;
 | |
| }
 | |
| 
 | |
| } // anonymous namespace
 | |
| } // end namespace cfi_verify
 | |
| } // end namespace llvm
 |