Merge branch 'junghee/value_reg_limit_cmov' into 'main'

Do not create value_reg_limit when there are multiple correlated-reg relations in a block

Closes #614

See merge request rewriting/ddisasm!1209

CHANGELOG.md

@@ -1,5 +1,7 @@
 # 1.9.1 (Unreleased)
 
+* Fix a hang due to incorrect jump-table boundaries inferred from irrelevant register correlations to the index register
+
 # 1.9.0
 
 * Stop generating debian metapackages and packages with the version attached

examples/asm_examples/ex_relative_jump_tables4/Makefile

@@ -0,0 +1,10 @@
+
+all: ex_original.s
+ gcc ex_original.s -o ex
+ @./ex > out.txt
+clean:
+ rm -f ex out.txt
+ rm -fr ex.unstripped ex.s *.old* dl_files *.gtirb
+check:
+ ./ex > /tmp/res.txt
+ @ diff out.txt /tmp/res.txt && echo TEST OK

examples/asm_examples/ex_relative_jump_tables4/ex_original.s

@@ -0,0 +1,312 @@
+// Similar to ex_relative_jump_tables except that this example uses
+// `cmov` in computing the value for the bound variable, and the `cmov`
+// is associated with ambiguous last defs (from the two incoming edges).
+//
+// To prevent potential overhead, Ddisasm uses a conservative way of
+// finding `jump_table_max` by not creating `value_reg_limit` when there
+// are multiple correlated reg relations.
+//
+// This example is to make sure that Ddisasm is not too aggressive in
+// finding `jump_table_max` by considering all the ambiguous last defs.
+//
+// Note that if Ddisasm is aggressive, it will find `jump_table_max`
+// for `jump_table_A`, and identify entries for `jump_table_B`
+// in this example.
+// However, we have observed a hang in spec2006/tonto, etc.
+
+ .text
+ .intel_syntax noprefix
+ .file "ex.c"
+
+# -- Begin function one
+ .globl one
+ .p2align 4, 0x90
+ .type one,@function
+one:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str]
+ call puts@PLT
+ mov eax, ebx
+ pop rbx
+ ret
+.Lfunc_end0:
+.size one, .Lfunc_end0-one
+# -- End function
+
+# -- Begin function two
+ .globl two
+ .p2align 4, 0x90
+ .type two,@function
+two:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str.1]
+ call puts@PLT
+ mov eax, ebx
+ pop rbx
+ ret
+.Lfunc_end1:
+.size two, .Lfunc_end1-two
+# -- End function
+
+# -- Begin function three
+ .globl three
+ .p2align 4, 0x90
+ .type three,@function
+three:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str.2]
+ call puts@PLT
+ lea eax, [rbx + 1]
+ pop rbx
+ ret
+.Lfunc_end2:
+.size three, .Lfunc_end2-three
+# -- End function
+
+# -- Begin function four
+ .globl four
+ .p2align 4, 0x90
+ .type four,@function
+four:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str.3]
+ call puts@PLT
+ mov eax, ebx
+ pop rbx
+ ret
+.Lfunc_end3:
+.size four, .Lfunc_end3-four
+# -- End function
+
+# -- Begin function five
+ .globl five
+ .p2align 4, 0x90
+ .type five,@function
+five:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str.4]
+ call puts@PLT
+ mov eax, ebx
+ pop rbx
+ ret
+.Lfunc_end4:
+.size five, .Lfunc_end4-five
+# -- End function
+
+# -- Begin function six
+ .globl six
+ .p2align 4, 0x90
+ .type six,@function
+six:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str.5]
+ call puts@PLT
+ mov eax, ebx
+ pop rbx
+ ret
+.Lfunc_end5:
+.size six, .Lfunc_end5-six
+# -- End function
+
+# -- Begin function def
+ .globl def
+ .p2align 4, 0x90
+ .type def,@function
+def:
+ push rbx
+ mov ebx, edi
+ lea rdi, [rip + .L.str.6]
+ call puts@PLT
+ mov eax, ebx
+ pop rbx
+ ret
+.Lfunc_end6:
+.size def, .Lfunc_end6-def
+# -- End function
+
+# -- Begin function fun
+ .globl fun
+ .p2align 4, 0x90
+ .type fun,@function
+fun:
+ push rbp
+ push r9
+ push r10
+ push r12
+ push r13
+ push rbx
+ mov rbp, rsp
+ mov r13d, esi
+ mov ebx, edi
+ cmp ebx, r13d
+ jge .LBB5_10
+.LBB5_2:
+ lea r9, [rip + .jump_table_A]
+ lea eax, [rbx - 1]
+ cmp eax, 1
+ ja .LBB5_9
+ jbe .target1
+ jmp .target2
+.target1:
+ mov edi, ebx
+ call one
+ test rbx, 1
+ jnz .L_odd1
+ mov r12, 33
+ jmp .L_end1
+.L_odd1:
+ mov r12, 34
+.L_end1:
+ lea rax, dword ptr [r12-32]
+ test rax, rax
+ cmove rax, r12
+ cmp al, 4
+ jbe .L_jump1
+ jmp .LBB5_9
+.L_jump1:
+ sub r12, 32
+ lea r10, [rip + .jump_table_B]
+ movsxd rax, dword ptr [r9 + 4*r12]
+ add rax, r9
+ jmp rax
+ .p2align 4, 0x90
+.target2:
+ mov edi, ebx
+ call two
+ lea r10, [rip + .jump_table_B]
+ test rbx, 1
+ jnz .L_odd2
+ mov r12, 0
+ jmp .L_end2
+.L_odd2:
+ mov r12, 1
+.L_end2:
+ movsxd rax, dword ptr [r9 + 4*r12]
+ add rax, r9
+ jmp rax
+ .p2align 4, 0x90
+.jump_table_target3:
+ mov edi, ebx
+ call three
+ test rbx, 1
+ jnz .L_odd3
+ mov r12, 32
+ jmp .L_end3
+.L_odd3:
+ mov r12, 33
+.L_end3:
+ sub r12, 32
+ movsxd rax, dword ptr [r10 + 4*r12]
+ add rax, r10
+ jmp rax
+ .p2align 4, 0x90
+.jump_table_target4:
+ mov edi, ebx
+ call four
+ jmp .LBB5_9
+ .p2align 4, 0x90
+.jump_table_target5:
+ mov edi, ebx
+ call five
+ jmp .LBB5_9
+ .p2align 4, 0x90
+.jump_table_target6:
+ mov edi, ebx
+ call six
+.LBB5_9:
+ add ebx, 1
+ cmp r13d, ebx
+ jne .LBB5_2
+.LBB5_10:
+ pop rbx
+ pop r13
+ pop r12
+ pop r10
+ pop r9
+ pop rbp
+ ret
+.Lfunc_end8:
+ .size fun, .Lfunc_end8-fun
+ .section .rodata,"a",@progbits
+ .p2align 2
+
+// here we have tables of relative offsets (symbol minus symbol)
+.jump_table_A:
+ .long .target1-.jump_table_A
+ .long .jump_table_target3-.jump_table_A
+ .long .jump_table_target4-.jump_table_A
+.jump_table_B:
+ .long .jump_table_target5-.jump_table_B
+ .long .jump_table_target6-.jump_table_B
+# -- End function
+
+ .text
+# -- Begin function main
+ .globl main
+ .p2align 4, 0x90
+ .type main,@function
+main:
+ push rax
+ lea rdi, [rip + .L.str.7]
+ call puts@PLT
+ mov edi, 1
+ mov esi, 6
+ call fun
+ xor eax, eax
+ pop rcx
+ ret
+.Lfunc_end7:
+ .size main, .Lfunc_end7-main
+# -- End function
+
+
+ .type .L.str,@object # @.str
+ .section .rodata.str1.1,"aMS",@progbits,1
+.L.str:
+ .asciz "one"
+ .size .L.str, 4
+
+ .type .L.str.1,@object # @.str.1
+.L.str.1:
+ .asciz "two"
+ .size .L.str.1, 4
+
+ .type .L.str.2,@object # @.str.2
+.L.str.2:
+ .asciz "three"
+ .size .L.str.2, 6
+
+ .type .L.str.3,@object # @.str.3
+.L.str.3:
+ .asciz "four"
+ .size .L.str.3, 5
+
+ .type .L.str.4,@object # @.str.4
+.L.str.4:
+ .asciz "five"
+ .size .L.str.4, 5
+
+ .type .L.str.5,@object # @.str.5
+.L.str.5:
+ .asciz "six"
+ .size .L.str.5, 5
+
+ .type .L.str.6,@object # @.str.6
+.L.str.6:
+ .asciz "last"
+ .size .L.str.6, 5
+
+ .type .L.str.7,@object # @.str.7
+.L.str.7:
+ .asciz "!!!Hello World!!!"
+ .size .L.str.7, 18
+
+
+ .ident "clang version 6.0.0 (tags/RELEASE_600/final)"
+ .section ".note.GNU-stack","",@progbits

src/datalog/boundary_value_analysis.dl

@@ -266,10 +266,13 @@ correlated_live_reg(Block,DstReg,SrcReg,Offset):-
  // simple arithmetic operation derives DstReg from SrcReg at OpEA
  limit_reg_op(OpEA,DstReg,SrcReg,Offset),
  reg_def_use.last_def_in_block(Block,OpEA,DstReg),
+ !reg_def_use.ambiguous_last_def_in_block(Block,DstReg),
  (
  // SrcReg defined in block, same def live at end of block and OpEA
  reg_def_use.block_last_def(OpEA,SrcFrom,SrcReg),
- reg_def_use.last_def_in_block(Block,SrcFrom,SrcReg)
+ !reg_def_use.ambiguous_block_last_def(OpEA,SrcReg),
+ reg_def_use.last_def_in_block(Block,SrcFrom,SrcReg),
+ !reg_def_use.ambiguous_last_def_in_block(Block,SrcReg)
  ;
  // SrcReg not defined in block
  !reg_def_use.last_def_in_block(Block,_,SrcReg)

src/datalog/use_def_analysis.dl

@@ -155,6 +155,8 @@ analysis for both registers and stack variables.
 
  /**
  The last address prior to EA where Var was defined within the block
+
+ Multiple are possible in conditional cases.
  */
  .decl block_last_def(EA:address,EA_def:address,Var:T)
 
@@ -168,6 +170,17 @@ analysis for both registers and stack variables.
  ea_propagates_def(EA,Var),
  local_next(EA,EA_next).
 
+ /**
+ Indicates at EA, Var has multiple possible last definitions in the block
+ due to conditional def(s).
+ */
+ .decl ambiguous_block_last_def(EA:address,Var:T)
+
+ ambiguous_block_last_def(EA,Var):-
+ block_last_def(EA,EA_def,Var),
+ block_last_def(EA,EA_other,Var),
+ EA_def != EA_other.
+
  /**
  The last definition(s) of <T> in a given block.
 
@@ -186,6 +199,17 @@ analysis for both registers and stack variables.
  block_last_def(BlockEnd,EA_def,Var)
  ).
 
+ /**
+ Indicates at the end of Block, Var has multiple possible last definitions
+ in the block due to conditional def(s).
+ */
+ .decl ambiguous_last_def_in_block(Block:address,Var:T)
+
+ ambiguous_last_def_in_block(EA,Var):-
+ last_def_in_block(EA,EA_def,Var),
+ last_def_in_block(EA,EA_other,Var),
+ EA_def != EA_other.
+
  /**
  A <T> is referenced in a block
  */