fuzzball: unrecognized instruction

[lin zhou]

Hi , there is a problem in fuzzball about the unrecognized instructions. The unrecognized instructions is like that "(((T_33:reg16_t&4:reg16_t)==0:reg16_t) ? T5:reg32_t : T4:reg32_t)". 

Thanks very much!

[Stephen McCamant]

>>>>> "LZ" == lin zhou <zhoul...@gmail.com> writes:

LZ> Hi , there is a problem in fuzzball about the unrecognized instructions.
LZ> The unrecognized instructions is like that
LZ> "(((T_33:reg16_t&4:reg16_t)==0:reg16_t) ? T5:reg32_t : T4:reg32_t)".

LZ> Thanks very much!

Could you provide some more context about the problem you're
encountering? Normally I think "unrecognized instruction" would refer
to an instruction in the guest-CPU (e.g., x86) machine code that was
not recognized, but the thing you quoted is an expression of Vine IR
(specifically it looks like the ASMIR version), which was recognized
at least by the code that just printed it.

The fact that your example contains an occurrence of the "? :" ternary
operator suggests that your problem might have been triggered by the
recent change adding that operator to the ASMIR and Vine IRs. So you
could check whether reverting to before e87785c works around the
issue. Of course we'd still want to find a different permanent fix.

One kind of problem that I think fairly likely does exist in this area
is that the ARM-specific sections of VEX-IR to ASMIR translation
haven't been updated for the new ternary operator representation, so
they probably need a change analogous to the one made to the x86 code
in bdf77c4.

If you're running into a problem with the ASMIR instruction
translation code, often the best way to make a short reproducible test
case for it is with the libasmir/apps/insn_test program.

Hope this helps,

-- Stephen

[lin zhou]

This error occured at AbstractInterpreter.h:256. The error message is "assertion `false && "Unhandled expression type."' failed.".

Thanks very much!

在 2014年9月30日星期二UTC+8上午11时07分57秒，lin zhou写道：

[Stephen McCamant]

>>>>> "LZ" == lin zhou <zhoul...@gmail.com> writes:

LZ> Hi , there is a problem in fuzzball about the unrecognized instructions.
LZ> The unrecognized instructions is like that
LZ> "(((T_33:reg16_t&4:reg16_t)==0:reg16_t) ? T5:reg32_t : T4:reg32_t)".

[...]

LZ> This error occured at AbstractInterpreter.h:256. The error message
LZ> is "assertion `false && "Unhandled expression type."' failed.".

LZ> Thanks very much!

Ah, I see now, the failure is happening in the d-s-se-directed-tests
static analysis code rather than in FuzzBALL proper. This code has
also not been updated to support the new ITE construct, so in
retrospect it's not surprising that it does not work. The easiest
workaround, similar to what I alluded to in the other message, would
be to link this code with a slightly older version of Vine before that
expression type was introduced.

Updating this code to work correctly with the ITE expression type also
shouldn't be too difficult, though I don't know that I or anyone else
has any immediate plans to do so. I think the new code would mostly be
analogous to the existing code for binary operators. In VSA, you could
statically evaluate the choice if the condition is know to be constant
true or false, but otherwise you'd just union the representations of
the two sides.

If you decide to go in this direction and want to send a patch, I
think the other users of this code would appreciate it (though I don't
know how many there are).

-- Stephen

[lin zhou]

Thanks very much! I will try it!

在 2014年9月30日星期二UTC+8下午11时57分40秒，Stephen McCamant写道：

[Senke Zhoulinpx]

When static.cc construct the CFG, it will invoke the AbstractInterpreter.h. This causes the " unrecognized instructions" error. When we fix this problem,we must ensure the modified CFG that adds the ITE expression can be recognized by the following analyzing tools. What is the format of CFG?

[Stephen McCamant]

LZ> Hi , there is a problem in fuzzball about the unrecognized

LZ> instructions.

LZ> The unrecognized instructions is like that
LZ> "(((T_33:reg16_t&4:reg16_t)==0:reg16_t) ? T5:reg32_t :

LZ> T4:reg32_t)".

>>>>> "SZ" == Senke Zhoulinpx <zhou...@gmail.com> writes:

SZ> When static.cc construct the CFG, it will invoke the
SZ> AbstractInterpreter.h. This causes the " unrecognized
SZ> instructions" error. When we fix this problem,we must ensure the
SZ> modified CFG that adds the ITE expression can be recognized by the
SZ> following analyzing tools. What is the format of CFG?

I don't believe that this problem affects the process of building the
CFG itself, which is complete by the time the abstract interpreter
starts to run. So it's not really about the format of the CFG per se,
but about the translation of instructions in a particular basic block
of the CFG into the Vine IR, which the abstract interpreter interprets
to analyze their semantics.

The C++ version of the Vine IR (also called the "ASMIR", from an older
generic description of it as an Intermediate Representation for
ASseMbly language) is declared in "libasmir/src/include" in the
FuzzBALL (and before it, Vine) source code: the most relevant file
here is "exp.h", which defines the AST structures that represent
expressions. If you look in change e87785c3 in the GIT history you can
see the change that the abstract interpreter needs be updated to
reflect: the addition of a new expression time "ITE", which is printed
like a C "? :" ternary operator in the example.

[Senke Zhoulinpx]

Hi, I got a new problem. Like this "VSAInterpreter.h 1056: visitTempExpr Assertion 'vsp.get()' failed. undefined temporary T_29".

I try to bypass this problem by checking vsp.get(). But when I do this, I get another question.

Thanks!