/// <summary>Returns Forward, Backward State</summary>
private State Equal_Forward_Backward(string programStr, bool logToDispay2, Tools tools)
{
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
if (logToDispay2)
{
Console.WriteLine(sFlow.ToString());
}
DynamicFlow dFlow0 = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
DynamicFlow dFlow1 = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
//Console.WriteLine("Forward:" + tree0.ToString(dFlow0));
//Console.WriteLine("Backward:" + tree1.ToString(dFlow1));
State state0 = dFlow0.EndState;
State state1 = dFlow1.EndState;
if (logToDispay2)
{
Console.WriteLine("=================================================================");
Console.WriteLine("Forward:");
Console.WriteLine(state0);
Console.WriteLine("=================================================================");
Console.WriteLine("Backward:");
Console.WriteLine(state1);
Console.WriteLine("=================================================================");
}
TestTools.AreEqual(state0, state1);
return(state0);
}
public void Test_Runner_Jmp_5b()
{
string programStr =
" mov rax, 0 " + Environment.NewLine +
" cmp rax, 0 " + Environment.NewLine +
" jz label1 " + Environment.NewLine +
" mov rax, 10 " + Environment.NewLine +
" jmp label2 " + Environment.NewLine +
"label1: " + Environment.NewLine +
" mov rax, 20 " + Environment.NewLine +
"label2: ";
Tools tools = this.CreateTools();
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
tools.StateConfig = sFlow.Create_StateConfig();
//var dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
State state0 = dFlow.Create_States_Before(0, 0);
Assert.IsNotNull(state0);
State state = dFlow.EndState;
Assert.IsNotNull(state);
if (logToDisplay)
{
Console.WriteLine("state:\n" + state);
}
TestTools.IsTrue(state.IsConsistent);
TestTools.AreEqual(Rn.RAX, 10, state);
}
public void Test_Runner_Mem_2()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.RCX = true;
tools.StateConfig.Mem = true;
tools.Quiet = true;
string programStr =
" mov rax, 0 " + Environment.NewLine +
" mov qword ptr[0], 10 " + Environment.NewLine +
" mov qword ptr[10], 20 " + Environment.NewLine +
" mov rbx, qword ptr [rax] " + Environment.NewLine +
" mov rcx, qword ptr [rbx] ";
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
State state = dFlow.EndState;
TestTools.AreEqual(Rn.RAX, 0, state);
TestTools.AreEqual(Rn.RBX, 10, state);
TestTools.AreEqual(Rn.RCX, 20, state);
}
public void Test_Runner_Jmp_4()
{
string programStr =
" jz label1 " + Environment.NewLine +
" mov rax, 10 " + Environment.NewLine +
" jmp label2 " + Environment.NewLine +
"label1: " + Environment.NewLine +
" mov rax, 10 " + Environment.NewLine +
"label2: " + Environment.NewLine +
" mov rax, 20 ";
Tools tools = this.CreateTools();
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
tools.StateConfig = sFlow.Create_StateConfig();
//var dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
//if (logToDisplay) Console.WriteLine(dFlow.ToString(sFlow));
State state = dFlow.EndState;
//if (logToDisplay) Console.WriteLine(state);
TestTools.IsTrue(state.IsConsistent);
TestTools.AreEqual(Rn.RAX, 20, state);
}
public void Test_Runner_Jmp_2()
{
string programStr =
" cmp rax, 0 " + Environment.NewLine +
" je label1 " + Environment.NewLine +
" mov rbx, 10 " + Environment.NewLine +
"label1: " + Environment.NewLine +
" mov rbx, 10 " + Environment.NewLine +
"label2: ";
Tools tools = this.CreateTools();
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
tools.StateConfig = sFlow.Create_StateConfig();
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
State state = dFlow.EndState;
if (logToDisplay)
{
Console.WriteLine(state);
}
TestTools.IsTrue(state.IsConsistent);
TestTools.AreEqual(Rn.RBX, 10, state);
}
public void Test_Runner_Jmp_7()
{
string programStr =
" jz label1 " + Environment.NewLine +
" mov rax, 10 " + Environment.NewLine +
" jmp label2 " + Environment.NewLine +
"label1: " + Environment.NewLine +
" mov rax, 20 " + Environment.NewLine +
"label2: " + Environment.NewLine +
" mov rbx, rax " + Environment.NewLine +
" jz label3 " + Environment.NewLine +
"label3: ";
Tools tools = this.CreateTools();
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
tools.StateConfig = sFlow.Create_StateConfig();
//var dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
//DotVisualizer.SaveToDot(sFlow, dFlow, "test1.dot");
State state = dFlow.EndState;
Assert.IsNotNull(state);
if (logToDisplay)
{
Console.WriteLine("state:\n" + state);
}
TestTools.IsTrue(state.IsConsistent);
TestTools.AreEqual(Rn.RAX, "00000000_00000000_00000000_00000000_00000000_00000000_00000000_000????0", state);
Microsoft.Z3.BoolExpr branch_Condition = dFlow.Get_Branch_Condition(0);
{
State state2a = new State(state);
state2a.Add(new BranchInfo(branch_Condition, true));
if (logToDisplay)
{
Console.WriteLine("state with ZF = true:\n" + state2a);
}
TestTools.IsTrue(state2a.IsConsistent);
TestTools.AreEqual(Rn.RAX, 10, state2a);
}
{
State state2b = new State(state);
state2b.Add(new BranchInfo(branch_Condition, false));
if (logToDisplay)
{
Console.WriteLine("state with ZF = false:\n" + state2b);
}
TestTools.IsTrue(state2b.IsConsistent);
TestTools.AreEqual(Rn.RAX, 20, state2b);
}
}
public void Test_BitTricks_LegatosMultiplier()
{
/*
* LDX #8 ; 1; load X immediate with the 8
* LDA #0 ; 2; load A immediate with the 0
* CLC ; 3; set C to 0 LOOP
* LOOP: ROR F1 ; 4; rotate F1 right circular through C
* BCC ZCOEF ; 5; branch to ZCOEF if C = 0
* CLC ; 6; set C to 0
* ADC F2 ; 7; set A to A+F2+C and C to the carry ZCOEF
* ZCOEF: ROR A ; 8; rotate A right circular through C
* ROR LOW ; 9; rotate LOW right circular through C
* DEX ;10; set X to X-1
* BNE LOOP ;11; branch to LOOP if Z = 0
*/
#region Stateconfig
Tools tools = this.CreateTools(0);
tools.StateConfig.Set_All_Off();
tools.StateConfig.CF = true;
tools.StateConfig.ZF = true;
tools.StateConfig.RAX = true;
tools.StateConfig.RCX = true;
tools.StateConfig.RDX = true;
tools.StateConfig.R8 = true;
tools.StateConfig.R9 = true;
tools.StateConfig.R10 = true;
#endregion
string programStr =
" clc " + Environment.NewLine +
" ror al, 1 " + Environment.NewLine +
" jnc ZCOEF ";
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
if (LogToDisplay)
{
Console.WriteLine(sFlow);
}
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
if (LogToDisplay)
{
Console.WriteLine("DynamicFlow:\n" + dFlow.ToString(sFlow));
}
State state = dFlow.Create_EndState;
}
public void Test_Runner_Mem_Merge_1()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.ZF = true;
tools.StateConfig.Mem = true;
tools.Quiet = true;
string programStr =
" jz label1 " + Environment.NewLine +
" mov byte ptr[rax], 10 " + Environment.NewLine +
" jmp label2 " + Environment.NewLine +
"label1: " + Environment.NewLine +
" mov byte ptr[rax], 20 " + Environment.NewLine +
"label2: " + Environment.NewLine +
" mov bl, byte ptr[rax] ";
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
State state = dFlow.EndState;
State state3 = new State(state);
State state4 = new State(state);
Microsoft.Z3.BoolExpr branch_Condition = dFlow.Get_Branch_Condition(0);
state3.Add(new BranchInfo(branch_Condition, true));
if (logToDisplay)
{
Console.WriteLine("state3:\n" + state3);
}
TestTools.AreEqual(Rn.BL, 10, state3);
state4.Add(new BranchInfo(branch_Condition, false));
if (logToDisplay)
{
Console.WriteLine("state4:\n" + state4);
}
TestTools.AreEqual(Rn.BL, 20, state4);
}
public void Test_Runner_Loop_1()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.ZF = true;
tools.Quiet = true;
bool logToDisplay2 = false;
string programStr =
" mov rbx, 0 " + Environment.NewLine +
" mov rax, 0x3 " + Environment.NewLine +
"label1: " + Environment.NewLine +
" inc rbx " + Environment.NewLine +
" dec rax " + Environment.NewLine +
" jnz label1 ";
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
if (logToDisplay2)
{
Console.WriteLine(sFlow);
}
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
if (false)
{
State state = dFlow.EndState;
if (logToDisplay2)
{
Console.WriteLine(state);
}
TestTools.AreEqual(Rn.RAX, 0, state);
TestTools.AreEqual(Rn.RBX, 3, state);
}
else
{
Assert.Inconclusive("TODO");
}
}
public void Test_Runner_Mem_3()
{
Tools tools = this.CreateTools(); // test is slow (9min - 17min)
tools.StateConfig.Set_All_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.RCX = true;
tools.StateConfig.Mem = true;
tools.Quiet = true;
bool logToDisplay2 = false;// logToDisplay;
string programStr =
" mov qword ptr[0], 10 " + Environment.NewLine +
" mov qword ptr[10], 20 " + Environment.NewLine +
" mov rbx, qword ptr [rax] " + Environment.NewLine +
" mov rcx, qword ptr [rbx] ";
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
State state0 = dFlow.Create_States_Before(0, 0);
State state = dFlow.EndState;
Microsoft.Z3.Expr rax = state0.Create(Rn.RAX).Translate(state.Ctx);
state.Frozen = false;
state.Add(new BranchInfo(state.Ctx.MkEq(rax, state.Ctx.MkBV(0, 64)), true));
if (logToDisplay2)
{
Console.WriteLine("Forward:\n" + state);
}
TestTools.AreEqual(Rn.RAX, 0, state);
TestTools.AreEqual(Rn.RBX, 10, state);
TestTools.AreEqual(Rn.RCX, 20, state);
}
public void Test_DynamicFlow_Forward_1()
{
Tools tools = CreateTools();
tools.StateConfig.Set_All_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.Quiet = true;
tools.ShowUndefConstraints = false;
string programStr =
" mov rax, 0 ; line 0 " + Environment.NewLine +
" mov rbx, 10 ; line 1 " + Environment.NewLine +
" mov rbx, rax ; line 2 ";
var sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
if (logToDisplay)
{
Console.WriteLine(sFlow);
}
if (true)
{
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
if (logToDisplay)
{
Console.WriteLine(dFlow.ToString(sFlow));
}
{
int lineNumber = 0;
IList <State> states_Before = new List <State>(dFlow.Create_States_Before(lineNumber));
Assert.AreEqual(1, states_Before.Count);
State state_Before = states_Before[0];
IList <State> states_After = new List <State>(dFlow.Create_States_After(lineNumber));
Assert.AreEqual(1, states_After.Count);
State state_After = states_After[0];
if (logToDisplay)
{
Console.WriteLine("Tree_Forward: Before lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state_Before);
}
TestTools.AreEqual(Rn.RAX, "????????.????????.????????.????????.????????.????????.????????.????????", state_Before);
TestTools.AreEqual(Rn.RBX, "????????.????????.????????.????????.????????.????????.????????.????????", state_Before);
if (logToDisplay)
{
Console.WriteLine("Tree_Forward: After lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state_After);
}
TestTools.AreEqual(Rn.RAX, 0, state_After);
TestTools.AreEqual(Rn.RBX, "????????.????????.????????.????????.????????.????????.????????.????????", state_After);
}
{
int lineNumber = 1;
IList <State> states_Before = new List <State>(dFlow.Create_States_Before(lineNumber));
Assert.AreEqual(1, states_Before.Count);
State state_Before = states_Before[0];
IList <State> states_After = new List <State>(dFlow.Create_States_After(lineNumber));
Assert.AreEqual(1, states_After.Count);
State state_After = states_After[0];
if (logToDisplay)
{
Console.WriteLine("Tree_Forward: Before lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state_Before);
}
TestTools.AreEqual(Rn.RAX, 0, state_Before);
TestTools.AreEqual(Rn.RBX, "????????.????????.????????.????????.????????.????????.????????.????????", state_Before);
if (logToDisplay)
{
Console.WriteLine("Tree_Forward: After lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state_After);
}
TestTools.AreEqual(Rn.RAX, 0, state_After);
TestTools.AreEqual(Rn.RBX, 10, state_After);
}
{
int lineNumber = 2;
IList <State> states_Before = new List <State>(dFlow.Create_States_Before(lineNumber));
Assert.AreEqual(1, states_Before.Count);
State state_Before = states_Before[0];
IList <State> states_After = new List <State>(dFlow.Create_States_After(lineNumber));
Assert.AreEqual(1, states_After.Count);
State state_After = states_After[0];
if (logToDisplay)
{
Console.WriteLine("Tree_Forward: Before lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state_Before);
}
TestTools.AreEqual(Rn.RAX, 0, state_Before);
TestTools.AreEqual(Rn.RBX, 10, state_Before);
if (logToDisplay)
{
Console.WriteLine("Tree_Forward: After lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state_After);
}
TestTools.AreEqual(Rn.RAX, 0, state_After);
TestTools.AreEqual(Rn.RBX, 0, state_After);
}
}
}
public void Test_Runner_Jmp_11()
{
string programStr =
" cmp al, 0 " + Environment.NewLine +
" jp label1 " + Environment.NewLine +
" mov al, 1 " + Environment.NewLine +
" jz label1 " + Environment.NewLine +
" mov al, 2 " + Environment.NewLine +
"label1: ";
Tools tools = this.CreateTools();
StaticFlow sFlow = new StaticFlow(tools);
sFlow.Update(programStr);
if (logToDisplay)
{
Console.WriteLine(sFlow.ToString());
}
tools.StateConfig = sFlow.Create_StateConfig();
DynamicFlow dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
State state = dFlow.EndState;
Assert.IsNotNull(state);
if (logToDisplay)
{
Console.WriteLine("state:\n" + state);
}
TestTools.IsTrue(state.IsConsistent);
Microsoft.Z3.BoolExpr branch_Condition_jp = dFlow.Get_Branch_Condition(1);
Microsoft.Z3.BoolExpr branch_Condition_jz = dFlow.Get_Branch_Condition(3);
if (true)
{
if (true)
{
State state2 = new State(state);
state2.Add(new BranchInfo(branch_Condition_jp, true));
state2.Add(new BranchInfo(branch_Condition_jz, true));
TestTools.AreEqual(Rn.AL, "00000000", state2);
}
if (true)
{
State state2 = new State(state);
state2.Add(new BranchInfo(branch_Condition_jp, true));
state2.Add(new BranchInfo(branch_Condition_jz, false));
TestTools.AreEqual(Rn.AL, "????????", state2);
}
if (true)
{
State state2 = new State(state);
state2.Add(new BranchInfo(branch_Condition_jp, false));
state2.Add(new BranchInfo(branch_Condition_jz, true));
TestTools.AreEqual(Rn.AL, "XXXXXXXX", state2);
}
if (true)
{
State state2 = new State(state);
state2.Add(new BranchInfo(branch_Condition_jp, false));
state2.Add(new BranchInfo(branch_Condition_jz, false));
TestTools.AreEqual(Rn.AL, "00000010", state2);
}
}
}