public static void AreEqual(BitVecExpr expr, Tv[] expectedTvArray, State state)
{
Contract.Requires(expr != null);
Contract.Requires(expectedTvArray != null);
Contract.Requires(state != null);
int nBits = (int)expr.SortSize;
Assert.AreEqual(nBits, expectedTvArray.Length);
Tv[] actualTvArray = ToolsZ3.GetTvArray(expr, (int)expr.SortSize, state.Solver, state.Solver_U, state.Ctx);
Assert.AreEqual(actualTvArray.Length, nBits);
Assert.AreEqual(expectedTvArray.Length, nBits);
ulong?actualLong = ToolsZ3.ToUlong(actualTvArray);
ulong?expectedLong = ToolsZ3.ToUlong(expectedTvArray);
if (actualLong.HasValue && expectedLong.HasValue)
{
Assert.AreEqual(actualLong.Value, expectedLong.Value, "Expr " + expr + ": Expected value " + expectedLong.Value + " while actual value is " + actualLong.Value);
}
else
{
for (int i = 0; i < nBits; ++i)
{
Assert.AreEqual(expectedTvArray[i], actualTvArray[i], "Expr " + expr + ": Pos " + i + ": expected value " + ToolsZ3.ToStringBin(expectedTvArray) + " while actual value is " + ToolsZ3.ToStringBin(actualTvArray));
}
}
}
public static void AreEqual(Rn name, Tv[] expectedTvArray, State state)
{
Contract.Requires(state != null);
Contract.Requires(expectedTvArray != null);
Assert.IsNotNull(state);
int nBits = RegisterTools.NBits(name);
Assert.AreEqual(nBits, expectedTvArray.Length);
Tv[] actualTvArray = state.GetTvArray(name);
Assert.AreEqual(nBits, actualTvArray.Length);
ulong?actualLong = ToolsZ3.ToUlong(actualTvArray);
ulong?expectedLong = ToolsZ3.ToUlong(expectedTvArray);
if (actualLong.HasValue && expectedLong.HasValue)
{
Assert.AreEqual(expectedLong.Value, actualLong.Value, "Reg " + name + ": Expected value " + expectedLong.Value + " while actual value is " + actualLong.Value);
}
else
{
AreEqual(expectedTvArray, actualTvArray);
}
}
public void Test_Z3_MemWithArray_2()
{
#region Definitions
uint nBits = 8;
Context ctx = new Context();
BitVecExpr bv_0 = ctx.MkBV(0, nBits);
BitVecExpr bv_16 = ctx.MkBV(16, nBits);
BitVecExpr bv_32 = ctx.MkBV(32, nBits);
BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits);
BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits);
BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits);
BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits);
ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits));
Goal state = ctx.MkGoal();
#endregion
//Test possible memory overwrite
Console.WriteLine("mov qword ptr[16], 0 ; store at address=16 value=0");
mem = ctx.MkStore(mem, bv_16, bv_0);
Console.WriteLine("mov rax, qword ptr[16] ; load rax with the value at address=16");
state.Assert(ctx.MkEq(rax, ctx.MkSelect(mem, bv_16)));
Console.WriteLine("mov qword ptr[rcx], 32 ; store at unknown address rcx value 32, appreciate that address 16 could be overwritten");
mem = ctx.MkStore(mem, rcx, bv_32);
Console.WriteLine("mov rbx, qword ptr[16] ; load rbx with value at address 16, appreciate that rbx need not be equal to rax");
state.Assert(ctx.MkEq(rbx, ctx.MkSelect(mem, bv_16)));
if (true)
{
Console.WriteLine("cmp rcx, 16 ;");
Console.WriteLine("jnz label1: ");
state.Assert(ctx.MkEq(rcx, bv_16));
}
#region Write to console
Console.WriteLine("mem=" + mem);
Solver solver = ctx.MkSolver();
Solver solver_U = ctx.MkSolver();
solver.Assert(state.Formulas);
Console.WriteLine("state1=" + state);
if (true)
{
Tactic tactic1 = ctx.MkTactic("propagate-values");
Goal state2 = tactic1.Apply(state).Subgoals[0];
Console.WriteLine("state2=" + state2.ToString());
}
Console.WriteLine("");
Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV));
Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV));
Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV));
//Tv5[] rdxTV = ToolsZ3.getTvArray(rdx, nBits, solver, ctx);
//Console.WriteLine("rdx = " + ToolsZ3.toStringBin(rdxTV) + " = " + ToolsZ3.toStringHex(rdxTV));
#endregion
}
public static void AreEqual(BitVecExpr expr, ulong expected, State state)
{
Contract.Requires(expr != null);
Tv[] expectedTvArray = ToolsZ3.GetTvArray(expected, (int)expr.SortSize);
Assert.IsNotNull(expectedTvArray);
AreEqual(expr, expectedTvArray, state);
}
public static void AreEqual(BitVecExpr expr, string expected, State state)
{
Contract.Requires(expr != null);
Tv[] expectedTvArray = ToolsZ3.GetTvArray(expected);
Assert.AreEqual(expr.SortSize, (uint)expectedTvArray.Length);
AreEqual(expr, expectedTvArray, state);
}
public string GetRegisterValue(Rn name, IState_R state)
{
if (state == null)
{
return("");
}
Tv5[] reg = state.GetTv5Array(name);
return(string.Format("{0} = {1}", ToolsZ3.ToStringBin(reg), ToolsZ3.ToStringHex(reg)));
}
public static void AreEqual(Tv expected, Tv actual)
{
if ((actual == Tv.UNDETERMINED) && (expected != Tv.UNDETERMINED))
{
Assert.Inconclusive("Expected value " + ToolsZ3.ToStringBin(expected) + " while actual value is " + ToolsZ3.ToStringBin(actual));
}
else
{
Assert.AreEqual(expected, actual, "Expected value " + ToolsZ3.ToStringBin(expected) + " while actual value is " + ToolsZ3.ToStringBin(actual));
}
}
public void Test_Z3_MemWithArray_3()
{
#region Definitions
uint nBits = 8;
Context ctx = new Context();
BitVecExpr bv_0 = ctx.MkBV(0, nBits);
BitVecExpr bv_16 = ctx.MkBV(16, nBits);
BitVecExpr bv_32 = ctx.MkBV(32, nBits);
BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits);
BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits);
BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits);
BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits);
ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits));
Goal state = ctx.MkGoal();
#endregion
// Test if loading from two unknown addresses and then learning that the addresses were equal yields the same result
// mov rcx, qword ptr[rax]
state.Assert(ctx.MkEq(rcx, ctx.MkSelect(mem, rax)));
// mov rdx, qword ptr[rbx]
state.Assert(ctx.MkEq(rdx, ctx.MkSelect(mem, rbx)));
// cmp rax, rbx;
// jnz label1:
state.Assert(ctx.MkEq(rax, rbx));
// cmp rax, 0
// jnz label2:
state.Assert(ctx.MkEq(rcx, bv_16));
#region Write to console
Console.WriteLine("mem=" + mem);
Solver solver = ctx.MkSolver();
Solver solver_U = ctx.MkSolver();
solver.Assert(state.Formulas);
Console.WriteLine("state1=" + state);
Console.WriteLine(string.Empty);
Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV));
Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV));
Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV));
Tv[] rdxTV = ToolsZ3.GetTvArray(rdx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rdx = " + ToolsZ3.ToStringBin(rdxTV) + " = " + ToolsZ3.ToStringHex(rdxTV));
#endregion
}
public void Test_Z3_MemWithArray_1()
{
#region Definitions
uint nBits = 8;
Context ctx = new Context();
BitVecExpr bv_0 = ctx.MkBV(0, nBits);
BitVecExpr bv_10 = ctx.MkBV(10, nBits);
BitVecExpr bv_20 = ctx.MkBV(20, nBits);
BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits);
BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits);
BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits);
BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits);
ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits));
Goal state = ctx.MkGoal();
#endregion
// Test chaining with memory loads
// mov qword ptr[0], 10
mem = ctx.MkStore(mem, bv_0, bv_10);
// mov qword ptr[10], 20
mem = ctx.MkStore(mem, bv_10, bv_20);
// mov rbx, qword ptr[rax]
state.Assert(ctx.MkEq(rbx, ctx.MkSelect(mem, rax)));
// mov rcx, qword ptr[rbx]
state.Assert(ctx.MkEq(rcx, ctx.MkSelect(mem, rbx)));
// cmp rax, 10;
// jnz label1:
state.Assert(ctx.MkEq(rax, bv_0));
#region Write to console
Console.WriteLine("mem=" + mem);
Solver solver = ctx.MkSolver();
Solver solver_U = ctx.MkSolver();
solver.Assert(state.Formulas);
Console.WriteLine("state1=" + state);
Console.WriteLine(string.Empty);
Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV));
Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV));
Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV));
Tv[] rdxTV = ToolsZ3.GetTvArray(rdx, (int)nBits, solver, solver_U, ctx);
Console.WriteLine("rdx = " + ToolsZ3.ToStringBin(rdxTV) + " = " + ToolsZ3.ToStringHex(rdxTV));
#endregion
}
public void Test_Z3_MemWithImplies()
{
Context ctx = new Context();
BitVecExpr bv_0 = ctx.MkBV(0, 64);
BitVecExpr bv_10 = ctx.MkBV(10, 64);
BitVecExpr bv_20 = ctx.MkBV(20, 64);
BitVecExpr addr = ctx.MkBVConst("ADDR", 64);
BitVecExpr value = ctx.MkBVConst("VALUE", 64);
BitVecExpr value1 = ctx.MkBVConst("value1", 64);
BitVecExpr value2 = ctx.MkBVConst("value2", 64);
BitVecExpr rax = ctx.MkBVConst("RAX!0-1955042C05A090D2", 64);
BitVecExpr rbx = ctx.MkBVConst("RBX!1-5000C87A5EB2FB98", 64);
BitVecExpr rcx = ctx.MkBVConst("RCX!1-68FC98BF6AFBF63E", 64);
BitVecExpr rdx = ctx.MkBVConst("RDX!0-231D57E228F579AD", 64);
Goal state = ctx.MkGoal();
// mov qword ptr[0], 10
state.Assert(ctx.MkImplies(ctx.MkEq(addr, bv_0), ctx.MkEq(value, bv_10)));
// mov qword ptr[10], 20
state.Assert(ctx.MkImplies(ctx.MkEq(addr, bv_10), ctx.MkEq(value, bv_20)));
// mov rbx, qword ptr[rax]
//state.Assert(ctx.MkEq(rbx, ctx.MkEq(addr, value1));
// mov rcx, qword ptr[rbx]
//state.Assert(ctx.MkEq(rcx, ctx.MkEq(addr, value2));
// cmp rax, 10;
// jnz label1:
state.Assert(ctx.MkEq(rax, bv_0));
Tactic tactic1 = ctx.MkTactic("propagate-values");
Console.WriteLine("state1=" + state);
Console.WriteLine("state2=" + tactic1.Apply(state).ToString());
Solver solver = ctx.MkSolver();
Solver solver_U = ctx.MkSolver();
solver.Assert(state.Formulas);
Tv[] f = ToolsZ3.GetTvArray(value, 64, solver, solver_U, ctx);
Console.WriteLine("Value = 0b" + ToolsZ3.ToStringBin(f) + " = 0x" + ToolsZ3.ToStringHex(f));
}
public static void AreEqual(Tv[] expectedArray, Tv[] actualArray)
{
Assert.AreEqual(expectedArray.Length, actualArray.Length);
for (int i = 0; i < actualArray.Length; ++i)
{
Tv actual = actualArray[i];
Tv expected = expectedArray[i];
if ((actual == Tv.UNDETERMINED) && (expected != Tv.UNDETERMINED))
{
Assert.Inconclusive("Pos " + i + ": expected value " + ToolsZ3.ToStringBin(expectedArray) + " while actual value is " + ToolsZ3.ToStringBin(actualArray));
}
else
{
Assert.AreEqual(expected, actual, "Pos " + i + ": expected value " + ToolsZ3.ToStringBin(expectedArray) + " while actual value is " + ToolsZ3.ToStringBin(actualArray));
}
}
}
/// <summary>
/// Test whether the provided registers are equal in the provided state
/// </summary>
/// <param name="reg1"></param>
/// <param name="reg2"></param>
/// <param name="state"></param>
public static void AreEqual(Rn reg1, Rn reg2, State state)
{
using (BoolExpr eq = state.Ctx.MkEq(state.Create(reg1), state.Create(reg2)))
{
Tv tv = ToolsZ3.GetTv(eq, state.Solver, state.Ctx);
if (tv == Tv.UNDETERMINED)
{
Assert.Inconclusive("Could not determine whether " + reg1 + " and " + reg2 + " are equal");
}
else
{
if (tv != Tv.ONE)
{
Console.WriteLine("TestTools:AreEqual: state:");
Console.WriteLine(state);
}
Assert.AreEqual(Tv.ONE, tv);
}
}
}
/// <summary>
/// Test whether the provided registers are unrelated in the provided state. That is, whether the
/// equality of the two registers is unknown in the provided state.
/// </summary>
/// <param name="reg1"></param>
/// <param name="reg2"></param>
/// <param name="state"></param>
public static void AreUnrelated(Rn reg1, Rn reg2, State state)
{
using (BoolExpr eq = state.Ctx.MkEq(state.Create(reg1), state.Create(reg2)))
{
Tv tv = ToolsZ3.GetTv(eq, state.Solver, state.Ctx);
Console.WriteLine("TestTools:AreUnrelated: tv:" + tv);
if (tv == Tv.UNDETERMINED)
{
Assert.Inconclusive("Could not determine whether " + reg1 + " and " + reg2 + " are unrelated");
}
else
{
if (tv != Tv.UNKNOWN)
{
Console.WriteLine("TestTools:AreUnrelated: state:");
Console.WriteLine(state);
Assert.Fail();
}
}
}
}
public void Test_FPTools_BV_2_Doubles()
{
Context ctx = new Context(); // housekeeping OK!
Solver solver = ctx.MkSolver();
FPSort fpSort64 = ctx.MkFPSort64();
FPExpr[] values_FP = new FPExpr[] { ctx.MkFP(2, fpSort64), ctx.MkFP(4, fpSort64) };
BitVecExpr value_BV = ToolsFloatingPoint.FP_2_BV(values_FP, ctx);
Console.WriteLine(ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(value_BV, 128, solver, ctx)));
IList <FPExpr> results_FP = new List <FPExpr>(ToolsFloatingPoint.BV_2_Doubles(value_BV, ctx));
for (int i = 0; i < values_FP.Length; ++i)
{
string expected = ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(ctx.MkFPToIEEEBV(values_FP[i]), 64, solver, ctx));
string actual = ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(ctx.MkFPToIEEEBV(results_FP[i]), 64, solver, ctx));
Assert.AreEqual(expected, actual);
}
ctx.Dispose();
}
public void Test_ToStringHex_2()
{
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFF, 8));
Console.WriteLine(str);
Assert.AreEqual("0xFF", str);
}
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFFFF, 16));
Console.WriteLine(str);
Assert.AreEqual("0xFFFF", str);
}
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFFFF_FFFF, 32));
Console.WriteLine(str);
Assert.AreEqual("0xFFFF_FFFF", str);
}
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFFFF_FFFF_FFFF_FFFF, 64));
Console.WriteLine(str);
Assert.AreEqual("0xFFFF_FFFF_FFFF_FFFF", str);
}
}
public void Test_ToStringHex_1()
{
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 8));
Console.WriteLine(str);
Assert.AreEqual("0x0A", str);
}
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 16));
Console.WriteLine(str);
Assert.AreEqual("0x000A", str);
}
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 32));
Console.WriteLine(str);
Assert.AreEqual("0x0000_000A", str);
}
{
string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 64));
Console.WriteLine(str);
Assert.AreEqual("0x0000_0000_0000_000A", str);
}
}
public void Test_ToStringDec_1()
{
{
string str = ToolsZ3.ToStringDec(ToolsZ3.GetTvArray(10, 8));
Assert.AreEqual(str, "10d");
Console.WriteLine(str);
}
{
string str = ToolsZ3.ToStringDec(ToolsZ3.GetTvArray(200, 8));
Assert.AreEqual(str, "200d");
Console.WriteLine(str);
}
{
string str = ToolsZ3.ToStringDec(ToolsZ3.GetTvArray(511, 16));
Assert.AreEqual(str, "511d");
Console.WriteLine(str);
}
{
string str = ToolsZ3.ToStringDec(ToolsZ3.GetTvArray(512, 10));
Assert.AreEqual(str, "512d");
Console.WriteLine(str);
}
}
public void Test_ToStringBin_1()
{
{
string str = ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(10, 8));
Assert.AreEqual(str, "0b00001010");
Console.WriteLine(str);
}
{
string str = ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(10, 16));
Assert.AreEqual(str, "0b00000000_00001010");
Console.WriteLine(str);
}
{
string str = ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(10, 32));
Assert.AreEqual(str, "0b00000000_00000000_00000000_00001010");
Console.WriteLine(str);
}
{
string str = ToolsZ3.ToStringBin(ToolsZ3.GetTvArray(10, 64));
Assert.AreEqual(str, "0b00000000_00000000_00000000_00000000_00000000_00000000_00000000_00001010");
Console.WriteLine(str);
}
}
public void Test_ToStringOct_1()
{
{
string str = ToolsZ3.ToStringOct(ToolsZ3.GetTvArray(10, 8));
Console.WriteLine(str);
Assert.AreEqual(str, "0o012");
}
{
string str = ToolsZ3.ToStringOct(ToolsZ3.GetTvArray(200, 8));
Console.WriteLine(str);
Assert.AreEqual(str, "0o310");
}
{
string str = ToolsZ3.ToStringOct(ToolsZ3.GetTvArray(511, 16));
Console.WriteLine(str);
Assert.AreEqual(str, "0o000_777");
}
{
string str = ToolsZ3.ToStringOct(ToolsZ3.GetTvArray(512, 10));
Console.WriteLine(str);
Assert.AreEqual(str, "0o1_000");
}
}
public void Test_BitTricks_Min_Unsigned()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Reg_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.RDX = true;
tools.StateConfig.CF = true;
string line1 = "sub rax, rbx";
string line2 = "sbb rdx, rdx"; // copy CF to all bits of edx
string line3 = "and rdx, rax";
string line4 = "add rbx, rdx";
{ // forward
State state = this.CreateState(tools);
BitVecExpr rax0 = state.Create(Rn.RAX);
BitVecExpr rbx0 = state.Create(Rn.RBX);
state = Runner.SimpleStep_Forward(line1, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line1 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line2, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line2 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line3, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line3 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line4, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line4 + "\", we know:\n" + state);
}
// ebx is minimum of ebx and eax
Context ctx = state.Ctx;
BitVecExpr rbx1 = state.Create(Rn.RBX);
rax0 = rax0.Translate(ctx) as BitVecExpr;
rbx0 = rbx0.Translate(ctx) as BitVecExpr;
BoolExpr t = ctx.MkEq(rbx1, ctx.MkITE(ctx.MkBVUGT(rax0, rbx0), rbx0, rax0));
{
state.Solver.Push();
state.Solver.Assert(t);
if (state.Solver.Check() != Status.SATISFIABLE)
{
if (LogToDisplay)
{
Console.WriteLine("UnsatCore has " + state.Solver.UnsatCore.Length + " elements");
}
foreach (BoolExpr b in state.Solver.UnsatCore)
{
if (LogToDisplay)
{
Console.WriteLine("UnsatCore=" + b);
}
}
Assert.Fail();
}
state.Solver.Pop();
}
{
state.Solver.Push();
state.Solver.Assert(ctx.MkNot(t));
if (state.Solver.Check() == Status.SATISFIABLE)
{
if (LogToDisplay)
{
Console.WriteLine("Model=" + state.Solver.Model);
}
Assert.Fail();
}
state.Solver.Pop();
}
Assert.AreEqual(Tv.ONE, ToolsZ3.GetTv(t, state.Solver, state.Ctx));
}
}
public static void AreEqual(BitVecExpr expr, ulong expected, State state)
{
Tv[] expectedTvArray = ToolsZ3.GetTvArray(expected, (int)expr.SortSize);
Assert.IsNotNull(expectedTvArray);
TestTools.AreEqual(expr, expectedTvArray, state);
}
public static void AreEqual(BitVecExpr expr, string expected, State state)
{
Tv[] expectedTvArray = ToolsZ3.GetTvArray(expected);
Assert.AreEqual(expr.SortSize, (uint)expectedTvArray.Length);
TestTools.AreEqual(expr, expectedTvArray, state);
}
public static void AreEqual(ulong expected, Tv[] actualArray)
{
Contract.Requires(actualArray != null);
AreEqual(ToolsZ3.GetTvArray(expected, actualArray.Length), actualArray);
}
public static void AreEqual(Rn name, string expected, State state)
{
Tv[] expectedTvArray = ToolsZ3.GetTvArray(expected);
Assert.AreEqual(RegisterTools.NBits(name), expectedTvArray.Length);
AreEqual(name, expectedTvArray, state);
}
public static void AreEqual(ulong expected, Tv[] actualArray)
{
TestTools.AreEqual(ToolsZ3.GetTvArray(expected, actualArray.Length), actualArray);
}
public static void AreEqual(Rn name, ulong expected, State state)
{
Tv[] expectedTvArray = ToolsZ3.GetTvArray(expected, RegisterTools.NBits(name));
AreEqual(name, expectedTvArray, state);
}
public void Test_BitTricks_Parallel_Search_GPR_2()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Reg_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.RCX = true;
tools.StateConfig.RSP = true;
string line1 = "mov rax, 0x80_80_80_80_80_80_80_80";
string line2 = "mov rsp, 0x01_01_01_01_01_01_01_01";
string line3 = "mov rbx, 0x01_02_03_04_05_06_07_08"; // EBX contains 8 bytes
string line4a = "mov rcx, rbx"; // cannot substract with lea, now we need an extra mov
string line4b = "sub rcx, rsp"; // substract 1 from each byte
string line5 = "not rbx"; // invert all bytes
string line6 = "and rcx, rbx"; // and these two
string line7 = "and rcx, rax";
{ // forward
State state = this.CreateState(tools);
BitVecExpr bytes = state.Create(Rn.RBX);
state = Runner.SimpleStep_Forward(line1, state);
state = Runner.SimpleStep_Forward(line2, state);
if (false)
{
state = Runner.SimpleStep_Forward(line3, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line3 + "\", we know:\n" + state);
}
}
state = Runner.SimpleStep_Forward(line4a, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line4a + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line4b, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line4b + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line5, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line5 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line6, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line6 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line7, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line7 + "\", we know:\n" + state);
}
{
// if at least one of the bytes is equal to zero, then ECX cannot be equal to zero
// if ECX is zero, then none of the bytes is equal to zero.
Context ctx = state.Ctx;
BitVecExpr zero8 = ctx.MkBV(0, 8);
bytes = bytes.Translate(ctx) as BitVecExpr;
BitVecExpr byte1 = ctx.MkExtract((1 * 8) - 1, 0 * 8, bytes);
BitVecExpr byte2 = ctx.MkExtract((2 * 8) - 1, 1 * 8, bytes);
BitVecExpr byte3 = ctx.MkExtract((3 * 8) - 1, 2 * 8, bytes);
BitVecExpr byte4 = ctx.MkExtract((4 * 8) - 1, 3 * 8, bytes);
BitVecExpr byte5 = ctx.MkExtract((5 * 8) - 1, 4 * 8, bytes);
BitVecExpr byte6 = ctx.MkExtract((6 * 8) - 1, 5 * 8, bytes);
BitVecExpr byte7 = ctx.MkExtract((7 * 8) - 1, 6 * 8, bytes);
BitVecExpr byte8 = ctx.MkExtract((8 * 8) - 1, 7 * 8, bytes);
BoolExpr property = ctx.MkEq(
ctx.MkOr(
ctx.MkEq(byte1, zero8),
ctx.MkEq(byte2, zero8),
ctx.MkEq(byte3, zero8),
ctx.MkEq(byte4, zero8),
ctx.MkEq(byte5, zero8),
ctx.MkEq(byte6, zero8),
ctx.MkEq(byte7, zero8),
ctx.MkEq(byte8, zero8)
),
ctx.MkNot(ctx.MkEq(state.Create(Rn.RCX), ctx.MkBV(0, 64)))
);
AsmTestTools.AreEqual(Tv.ONE, ToolsZ3.GetTv(property, state.Solver, ctx));
}
}
}
public void Test_BitTricks_Parallel_Search_GPR_1()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Reg_Off();
tools.StateConfig.RBX = true;
tools.StateConfig.RCX = true;
tools.StateConfig.RDX = true;
string line1 = "mov ebx, 0x01_00_02_03"; // EBX contains four bytes
string line2 = "lea ecx, [ebx-0x01_01_01_01]"; // substract 1 from each byte
string line3 = "not ebx"; // invert all bytes
string line4 = "and ecx, ebx"; // and these two
string line5 = "and ecx, 80808080h";
{ // forward
State state = this.CreateState(tools);
BitVecExpr bytes = state.Create(Rn.EBX);
if (false)
{ // line 1
state = Runner.SimpleStep_Forward(line1, state);
// if (logToDisplay) Console.WriteLine("After \"" + line1 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line2, state);
// if (logToDisplay) Console.WriteLine("After \"" + line2 + "\", we know:\n" + state);
state = Runner.SimpleStep_Forward(line3, state);
// if (logToDisplay) Console.WriteLine("After \"" + line3 + "\", we know:\n" + state);
state = Runner.SimpleStep_Forward(line4, state);
// if (logToDisplay) Console.WriteLine("After \"" + line4 + "\", we know:\n" + state);
state = Runner.SimpleStep_Forward(line5, state);
// if (logToDisplay) Console.WriteLine("After \"" + line5 + "\", we know:\n" + state);
Context ctx = state.Ctx;
BitVecExpr zero = ctx.MkBV(0, 8);
bytes = bytes.Translate(ctx) as BitVecExpr;
BitVecExpr byte1 = ctx.MkExtract((1 * 8) - 1, 0 * 8, bytes);
BitVecExpr byte2 = ctx.MkExtract((2 * 8) - 1, 1 * 8, bytes);
BitVecExpr byte3 = ctx.MkExtract((3 * 8) - 1, 2 * 8, bytes);
BitVecExpr byte4 = ctx.MkExtract((4 * 8) - 1, 3 * 8, bytes);
{
// if at least one of the bytes is equal to zero, then ECX cannot be equal to zero
// if ECX is zero, then none of the bytes is equal to zero.
BoolExpr property = ctx.MkEq(
ctx.MkOr(
ctx.MkEq(byte1, zero),
ctx.MkEq(byte2, zero),
ctx.MkEq(byte3, zero),
ctx.MkEq(byte4, zero)
),
ctx.MkNot(ctx.MkEq(state.Create(Rn.ECX), ctx.MkBV(0, 32)))
);
AsmTestTools.AreEqual(Tv.ONE, ToolsZ3.GetTv(property, state.Solver, state.Ctx));
}
{
state.Solver.Push();
BoolExpr p = ctx.MkOr(ctx.MkEq(byte1, zero), ctx.MkEq(byte2, zero), ctx.MkEq(byte3, zero), ctx.MkEq(byte4, zero));
state.Solver.Assert(p);
if (LogToDisplay)
{
Console.WriteLine("After \"" + p + "\", we know:\n" + state);
}
state.Solver.Pop();
}
{
state.Solver.Push();
BoolExpr p = ctx.MkAnd(
ctx.MkEq(ctx.MkEq(byte1, zero), ctx.MkFalse()),
ctx.MkEq(ctx.MkEq(byte2, zero), ctx.MkFalse()),
ctx.MkEq(ctx.MkEq(byte3, zero), ctx.MkTrue()),
ctx.MkEq(ctx.MkEq(byte4, zero), ctx.MkFalse())
);
state.Solver.Assert(p);
if (LogToDisplay)
{
Console.WriteLine("After \"" + p + "\", we know:\n" + state);
}
// state.Solver.Pop();
}
}
}
public void Test_BitTricks_Min_Signed()
{
Tools tools = this.CreateTools();
tools.StateConfig.Set_All_Reg_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RBX = true;
tools.StateConfig.RDX = true;
return; // this trick does not seem to be correct?!
string line1 = "sub rax, rbx"; // Will not work if overflow here!
string line2 = "cqo"; // rdx1 = (rax0 > rbx0) ? -1 : 0
string line3 = "and rdx, rax"; // rdx2 = (rax0 > rbx0) ? 0 : (rax0 - rbx0)
string line4 = "add rbx, rdx"; // rbx1 = (rax0 > rbx0) ? (rbx0 + 0) : (rbx0 + rax0 - rbx0)
{ // forward
State state = this.CreateState(tools);
Context ctx = state.Ctx;
if (true)
{
ulong rax_value = 0x61a4292198602827;
ulong rbx_value = 0x8739140220c24080;
StateUpdate updateState = new StateUpdate("!PREVKEY", "!NEXTKEY", state.Tools);
updateState.Set(Rn.RAX, rax_value);
updateState.Set(Rn.RBX, rbx_value);
state.Update_Forward(updateState);
if (LogToDisplay)
{
Console.WriteLine("Initially, we know:\n" + state);
}
}
BitVecExpr rax0 = state.Create(Rn.RAX);
BitVecExpr rbx0 = state.Create(Rn.RBX);
{
state.Solver.Assert(state.Ctx.MkNot(ToolsFlags.Create_OF_Sub(rax0, rbx0, rax0.SortSize, ctx))); // this code only works when there is no overflow in line1
}
{ // line 1
state = Runner.SimpleStep_Forward(line1, state);
// retrieve the overflow after line 1, OF has to be zero for the code to work
state.Solver.AssertAndTrack(ctx.MkNot(state.Create(Flags.OF)), ctx.MkBoolConst("OF-ZERO"));
Assert.AreEqual(Status.SATISFIABLE, state.Solver.Check());
if (LogToDisplay)
{
Console.WriteLine("After \"" + line1 + "\", we know:\n" + state);
}
}
{ // line 2
state = Runner.SimpleStep_Forward(line2, state);
// if (logToDisplay) Console.WriteLine("After \"" + line2 + "\", we know:\n" + state);
BoolExpr t2 = ctx.MkEq(state.Create(Rn.RDX), ctx.MkITE(ctx.MkBVSGT(rax0, rbx0), ctx.MkBV(0xFFFF_FFFF_FFFF_FFFF, 64), ctx.MkBV(0, 64)));
// Assert.AreEqual(Tv5.ONE, ToolsZ3.GetTv5(t2, state.Solver, state.Ctx));
}
{
state = Runner.SimpleStep_Forward(line3, state);
// if (logToDisplay) Console.WriteLine("After \"" + line3 + "\", we know:\n" + state);
// BoolExpr t2 = ctx.MkEq(state.Get(Rn.RDX), ctx.MkITE(ctx.MkBVSGT(rax0, rbx0), ctx.MkBV(0, 64), ctx.MkBVSub(rax0, rbx0)));
// Assert.AreEqual(Tv5.ONE, ToolsZ3.GetTv5(t2, state.Solver, state.Ctx));
}
{
state = Runner.SimpleStep_Forward(line4, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line4 + "\", we know:\n" + state);
}
}
// ebx is minimum of ebx and eax
BitVecExpr rbx1 = state.Create(Rn.RBX);
BoolExpr t = ctx.MkEq(rbx1, ctx.MkITE(ctx.MkBVSGT(rax0, rbx0), rbx0, rax0));
if (false)
{
state.Solver.Push();
state.Solver.AssertAndTrack(t, ctx.MkBoolConst("MIN_RAX_RBX"));
Status s = state.Solver.Check();
if (LogToDisplay)
{
Console.WriteLine("Status A = " + s + "; expected " + Status.SATISFIABLE);
}
if (s == Status.UNSATISFIABLE)
{
if (LogToDisplay)
{
Console.WriteLine("UnsatCore has " + state.Solver.UnsatCore.Length + " elements");
}
foreach (BoolExpr b in state.Solver.UnsatCore)
{
if (LogToDisplay)
{
Console.WriteLine("UnsatCore=" + b);
}
}
if (LogToDisplay)
{
Console.WriteLine(state.Solver);
}
Assert.Fail();
}
state.Solver.Pop();
}
if (true)
{
state.Solver.Push();
state.Solver.Assert(ctx.MkNot(t), ctx.MkBoolConst("NOT_MIN_RAX_RBX"));
Status s = state.Solver.Check();
if (LogToDisplay)
{
Console.WriteLine("Status B = " + s + "; expected " + Status.UNSATISFIABLE);
}
if (s == Status.SATISFIABLE)
{
if (LogToDisplay)
{
Console.WriteLine("Model=" + state.Solver.Model);
}
Assert.Fail();
}
state.Solver.Pop();
}
Assert.AreEqual(Tv.ONE, ToolsZ3.GetTv(t, state.Solver, state.Ctx));
}
}
public void Test_BitTricks_Mod3()
{
/*
* mod3_A PROC
* ; parameter 1: rcx
* mov r8, 0aaaaaaaaaaaaaaabH ;; (scaled) reciprocal of 3
* mov rax, rcx
* mul r8 ;; multiply with reciprocal
* shr rdx, 1 ;; quotient
* lea r9, QWORD PTR [rdx+rdx*2] ;; back multiply with 3
* neg r9
* add rcx, r9 ;; subtract from dividend
* mov rax, rcx ;; remainder
* ret
* mod3_A ENDP
*
* mod3_B PROC
* ; parameter 1: rcx
* mov r8, 3
* mov rax, rcx
* xor rdx, rdx
* idiv r8
* mov rax, rdx
* ret
* mod3_B ENDP
*/
Tools tools = this.CreateTools(0);
tools.StateConfig.Set_All_Off();
tools.StateConfig.RAX = true;
tools.StateConfig.RCX = true;
tools.StateConfig.RDX = true;
tools.StateConfig.R8 = true;
tools.StateConfig.R9 = true;
tools.StateConfig.R10 = true;
string line0 = "mov rcx, r10";
string line1 = "mov r8, 0aaaaaaaaaaaaaaabH";
string line2 = "mov rax, rcx";
string line3 = "mul r8";
string line4 = "shr rdx, 1";
string line5 = "lea r9, QWORD PTR [rdx+rdx*2]";
string line6 = "neg r9";
string line7 = "add rcx, r9"; // rcx has result of
string line8 = "mov r8, 3";
string line9 = "mov rax, r10";
string line10 = "mov rdx, 0";
string line11 = "idiv r8";
if (false)
{
State state = this.CreateState(tools);
state = Runner.SimpleStep_Forward(line0, state);
state = Runner.SimpleStep_Forward(line1, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line1 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line2, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line2 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line3, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line3 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line4, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line4 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line5, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line5 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line6, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line6 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line7, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line7 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line8, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line8 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line9, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line9 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line10, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line10 + "\", we know:\n" + state);
}
state = Runner.SimpleStep_Forward(line11, state);
if (LogToDisplay)
{
Console.WriteLine("After \"" + line11 + "\", we know:\n" + state);
}
Context ctx = state.Ctx;
BoolExpr t = ctx.MkEq(state.Create(Rn.RCX), state.Create(Rn.RDX));
if (false)
{// this test does not seem to terminate
state.Solver.Push();
state.Solver.Assert(t);
if (state.Solver.Check() != Status.SATISFIABLE)
{
if (LogToDisplay)
{
Console.WriteLine("UnsatCore has " + state.Solver.UnsatCore.Length + " elements");
}
foreach (BoolExpr b in state.Solver.UnsatCore)
{
if (LogToDisplay)
{
Console.WriteLine("UnsatCore=" + b);
}
}
Assert.Fail();
}
state.Solver.Pop();
}
if (true)
{ // this test does not seem to terminate
state.Solver.Push();
state.Solver.Assert(ctx.MkNot(t));
if (state.Solver.Check() == Status.SATISFIABLE)
{
if (LogToDisplay)
{
Console.WriteLine("Model=" + state.Solver.Model);
}
Assert.Fail();
}
state.Solver.Pop();
}
Assert.AreEqual(Tv.ONE, ToolsZ3.GetTv(t, state.Solver, state.Ctx));
}
}