Add initial_function_containing_return and refactor rules

Author: Junghee Lim

src/datalog/code_inference.dl

@@ -179,6 +179,26 @@ likely_fallthrough(From,To):-
         conditional_jump(From)
     ).
 
+/**
+A block `Block` falls through a NOP/padding sled to the next real block `NextBlock`.
+`From` is the source instruction of the edge leading to `NextBlock`.
+*/
+.decl fallthrough_over_padding(Block:address, From:address, NextBlock:address)
+
+fallthrough_over_padding(Block, From, NextBlock):-
+    block_last_instruction(Block, BlockLast),
+    may_fallthrough(BlockLast, NextBlock),
+    !candidate_block_is_padding(NextBlock),
+    From = BlockLast.
+
+fallthrough_over_padding(Block, From, NextBlock):-
+    block_last_instruction(Block, Inst),
+    may_fallthrough(Inst, PadBlock),
+    candidate_block_is_padding(PadBlock),
+    block_last_instruction(PadBlock, PadLast),
+    may_fallthrough(PadLast, NextBlock),
+    From = PadLast.
+
 //////////////////////////////////////////////////////////////
 // This is a small refinement for discarding immediates as targets
 // in some obvious cases. This is specially useful for PIE code where

src/datalog/code_inference_postprocess.dl

@@ -226,3 +226,22 @@ padding_prefix_end(EA,Block):-
     !arch.is_nop(EA),
     next(PrevEA,EA),
     padding_prefix(PrevEA,Block).
+
+/**
+A refined block `Block` contains at least one `return` instruction.
+*/
+.decl refined_block_contains_return(Block:address)
+
+refined_block_contains_return(Block):-
+    refined_block(Block),
+    code_in_refined_block(EA,Block),
+    arch.return(EA).
+
+/**
+A function `Func` contains at least one `return` instruction.
+*/
+.decl refined_block_contains_return_in_func(Func:address)
+
+refined_block_contains_return_in_func(Func) :-
+    function_inference.in_function(Block, Func),
+    refined_block_contains_return(Block).

src/datalog/noreturn.dl

@@ -128,32 +128,48 @@ no_return_block(Block,"no-fallthrough"):-
         no_return_call_propagated(BlockEnd,_)
     ),
     block_boundaries(Block,Beg,EndBlock),
-    EndBlock <= End,
-    !plt_block(Block,_).
-
+    EndBlock <= End.
 
 /**
-A function `Func` is called at `Call`, and the call falls through
-interprocedurally.
-There may be NOP paddings after the function call.
+A function `Func` is called at instruction `Call` and the call may fall through
+to the next instruction interprocedurally.
+NOP or padding instructions may follow the call.
 */
-.decl call_may_fallthrough_inter(Call:address,Func:address,From:address)
-.output call_may_fallthrough_inter
+.decl call_may_fallthrough_inter(Call:address,Func:address)
 
-call_may_fallthrough_inter(Call,Func,From):-
+call_may_fallthrough_inter(Call,Func):-
     direct_call(Call,Func),
-    may_fallthrough(Call,Fallthrough),
-    (
-        !candidate_block_is_padding(Fallthrough),
-        Next = Fallthrough,
-        From = Call
-        ;
-        candidate_block_is_padding(Fallthrough),
-        block_last_instruction(Fallthrough,From),
-        may_fallthrough(From,Next)
-    ),
+    block_last_instruction(CallBlock,Call),
+    fallthrough_over_padding(CallBlock,From,Next),
     inter_procedural_edge(From,Next).
 
+/**
+Represents the next initial function following `Func`
+(from `function_entry_initial`, before use-def and value analysis).
+`NextFunc` is the immediate successor of `Func`.
+*/
+.decl next_function_entry_initial(Func:address,NextFunc:address)
+
+next_function_entry_initial(Func, NextFunc) :-
+    function_inference.function_entry_initial(Func),
+    NextFunc = min F : {
+        function_inference.function_entry_initial(F),
+        F > Func
+    }.
+
+/**
+An initial function (`function_entry_initial`, prior to use-def
+and value analysis) contains one or more `return` instructions.
+This is a heuristic and may generate false positives.
+*/
+.decl initial_function_containing_return(Func:address,ReturnEA:address)
+
+initial_function_containing_return(Func,EA):-
+    next_function_entry_initial(Func, NextFunc),
+    EA >= Func,
+    EA < NextFunc,
+    arch.return(EA).
+
 /**
 Calls to known no return functions or their PLT blocks.
 */
@@ -173,6 +189,17 @@ no_return_block(Block,"no_return_call_refined"):-
     no_return_call_refined(BlockEnd),
     block_last_instruction(Block,BlockEnd).
 
+/**
+A call `Call` targets a function `CallTarget` that has another call-site
+which falls through interprocedurally.
+*/
+.decl call_target_has_other_fallthrough_inter(Call:address,CallTarget:address)
+
+call_target_has_other_fallthrough_inter(Call,CallTarget):-
+    call_may_fallthrough_inter(OtherCall,CallTarget),
+    direct_call(Call,CallTarget),
+    OtherCall != Call.
+
 /**
 Calls to noreturn blocks.
 */
@@ -192,7 +219,7 @@ no_return_call_propagated(EA,"direct_call to no_return_block"):-
 // it's interprocedural.
 no_return_call_propagated(Call,"interprocedural fallthrough"):-
     direct_call(Call,CallTarget),
-    call_may_fallthrough_inter(Call,CallTarget,_),
+    call_may_fallthrough_inter(Call,CallTarget),
     !no_return_call_refined(Call),
     !pc_load_call(Call,CallTarget).
 
@@ -204,22 +231,31 @@ no_return_call_propagated(Call,"interprocedural fallthrough"):-
 // To avoid incorrectly removing legitimate fallthrough CFG edges, this rule
 // conservatively checks whether `Next` is a `possible_target`, and if not,
 // we do not classify the function call as noreturn function call.
-no_return_call_propagated(Call,"call possiblly_no_return_func and fallthrough-next is a possible target"):-
-    direct_call(Call,CallTarget),
-    !call_may_fallthrough_inter(Call,CallTarget,_),
+no_return_call_propagated(
+    Call,
+    "call possiblly_no_return_func and fallthrough-next is a possible target"
+):-
+    call_target_has_other_fallthrough_inter(Call,CallTarget),
+    !call_may_fallthrough_inter(Call,CallTarget),
     !pc_load_call(Call,CallTarget),
     !no_return_call_refined(Call),
-    0 != count : {
-        call_may_fallthrough_inter(OtherCall,CallTarget,_),
-        OtherCall != Call
-    },
-    may_fallthrough(Call,Fallthrough),
+    block_last_instruction(CallBlock,Call),
+    fallthrough_over_padding(CallBlock,_,Next),
     (
-        !candidate_block_is_padding(Fallthrough),
-        Next = Fallthrough
+        // No return instruction appears in the target function (internal).
+        !initial_function_containing_return(CallTarget,_), UNUSED(Next),
+        !plt_block(CallTarget,_)
         ;
-        candidate_block_is_padding(Fallthrough),
-        block_last_instruction(Fallthrough,From),
-        may_fallthrough(From,Next)
-    ),
-    possible_target(Next).
+        // If the target is external, there is not enough information to
+        // determine whether it is conditionally non-returning.
+        // As a heuristic, classify it as a no-return call only when
+        // Next is a possible target.
+        plt_block(CallTarget,_),
+        possible_target(Next)
+        ;
+        // The call target function may contain a return, which may
+        // indicate that it is a conditionally non-returning function.
+        // Further check whether Next is a possible target.
+        initial_function_containing_return(CallTarget,_),
+        possible_target(Next)
+    ).

src/datalog/self_diagnose.dl

@@ -225,3 +225,13 @@ no_return_func_with_return(Func):-
     function_inference.function_entry(Func),
     function_inference.in_function(Ret,Func),
     cfg_edge_to_top(Ret,_,"return").
+
+/**
+Functions marked as initial_function_with_return, but without a return
+*/
+.decl false_positive_initial_function_with_return(Func:address,ReturnEA:address)
+.output false_positive_initial_function_with_return
+
+false_positive_initial_function_with_return(Func,ReturnEA) :-
+    initial_function_containing_return(Func,ReturnEA),
+    !refined_block_contains_return_in_func(Func).

src/datalog/symbolization.dl

@@ -583,12 +583,13 @@ String at EA is followed by another string at Next.
 
 subsequent_string_candidate(EA,Next):-
     string_candidate(EA,End,_),
-    string_candidate(Next,_,_),
-    End <= Next,
+    Next = min Begin : {
+        string_candidate(Begin,_,_),
+        Begin >= End
+    },
     (
         End = Next
         ;
-        0 = count : {string_candidate(Begin,_,_), Begin >= End, Begin < Next},
         Next - End < 8,
         padding_block_limit(Next)
     ).

tests/cfg_test.py

@@ -88,11 +88,11 @@ def test_noreturn_conditional(self):
             ir_library = disassemble(binary).ir()
             m = ir_library.modules[0]
 
-            # check that the call blocks has fallthrough edges.
+            # Check that the call blocks have outgoing fallthrough edges.
             for call_symbol_str in ["call_1", "call_2"]:
                 call_symbol = next(m.symbols_named(call_symbol_str))
-                assert isinstance(call_symbol.referent, gtirb.CodeBlock)
                 call_block = call_symbol.referent
+                assert isinstance(call_block, gtirb.CodeBlock)
 
                 outedges = [
                     edge
@@ -101,6 +101,18 @@ def test_noreturn_conditional(self):
                 ]
                 self.assertEqual(1, len(outedges))
 
+            # Check that the labeled fallthrough symbol right after the
+            # no-return function call has no incoming fallthrough edge.
+            fallthrough_sym = next(m.symbols_named("fall_through_func"))
+            fallthrough_sym_block = fallthrough_sym.referent
+            assert isinstance(fallthrough_sym_block, gtirb.CodeBlock)
+            inedges = [
+                edge
+                for edge in fallthrough_sym_block.incoming_edges
+                if edge.label.type == EdgeType.Fallthrough
+            ]
+            self.assertEqual(0, len(inedges))
+
     @unittest.skipUnless(
         platform.system() == "Linux", "This test is linux only."
     )

tests/misc_test.py

@@ -620,15 +620,22 @@ def test_generate_resources(self):
 
 class SymbolSelectionTests(unittest.TestCase):
     def check_first_sym_expr(
-        self, m: gtirb.Module, block_name: str, target_name: str
+        self,
+        m: gtirb.Module,
+        block_name: str,
+        target_name: str,
+        code: bool = True,
     ) -> None:
         """
         Check that the first Symexpr in a block identified
         with symbol 'block_name' points to a symbol with
         name 'target_name'
         """
         sym = next(m.symbols_named(block_name))
-        self.assertIsInstance(sym.referent, gtirb.CodeBlock)
+        if code:
+            self.assertIsInstance(sym.referent, gtirb.CodeBlock)
+        else:
+            self.assertIsInstance(sym.referent, gtirb.DataBlock)
         block = sym.referent
         sexpr = sorted(
             [
@@ -724,6 +731,23 @@ def test_boundary_sym_expr(self):
             m = ir_library.modules[0]
             self.check_first_sym_expr(m, "load_end", "nums_end")
 
+    @unittest.skipUnless(
+        platform.system() == "Linux", "This test is linux only."
+    )
+    def test_noreturn_use_def(self):
+        """
+        Test that instruction referening in the middle of a symbol address
+        is correctly recognized as dead code and the symbol is correctly
+        symbolized.
+        """
+
+        binary = Path("ex")
+        with cd(ex_asm_dir / "ex_noreturn_use_def"):
+            self.assertTrue(compile("gcc", "g++", "-O0", []))
+            ir_library = disassemble(binary).ir()
+            m = ir_library.modules[0]
+            self.check_first_sym_expr(m, ".s_hello_ptr", ".s_hello", False)
+
 
 class ElfSymbolAuxdataTests(unittest.TestCase):
     @unittest.skipUnless(