Merge branch 'false_positive_symexpr' into 'main'

Add more heuristics to avoid false-positive symbolic operands

Closes #633

See merge request rewriting/ddisasm!1254

Author: jdorn-gt

CHANGELOG.md

@@ -3,6 +3,7 @@
 * Enhance MIPS32 support:
     - Fix several issues that could result in missing symbolic expressions
     - Improve resolution of TLS-related symbolic expression
+* Fix bug that could lead to functional errors due to false-positive symbolic operands or data.
 
 # 1.9.2
 

examples/asm_examples/ex_symbolic_operand_heuristics/Makefile

@@ -1,6 +1,6 @@
 
 all: ex_original.s
-	gcc ex_original.s -no-pie  -o ex
+	gcc ex_original.s -no-pie -Wl,-T,link.ld -o ex
 	@./ex > out.txt
 clean:
 	rm -f ex out.txt

examples/asm_examples/ex_symbolic_operand_heuristics/ex_original.s

@@ -25,6 +25,17 @@ rip_lea_misleading_call_rdx:
 # These should NOT be symbolized
 # We use "message" in the original to ensure it looks like an address
 
+mov_immediate:
+    # 0x712300 + 0x10 + 974064 = 0x800000
+    # NOTE: 0x10 accounts for two extra 8-byte variables inserted at the
+    #       beginning of the .data section by the linker.
+    mov rdi, OFFSET message+974064
+    call aux_fun_print_imm
+    imul rdi, 3
+print_peer:
+    lea rdi, qword ptr [rip+str_peer]
+    call aux_fun
+    imul rdi, 3
 lea_multiplied:
     lea rax, qword ptr [rax+message]
     imul rax, 3
@@ -47,6 +58,62 @@ aux_fun_rdx:
     mov rdx, 0
     ret
 
+aux_fun_print_imm:
+    mov rsi, rdi
+    lea rdi, qword ptr [rip+fmt_str]
+    xor eax, eax
+    call printf@plt
+    ret
+
+# This section is pinned at 0x712300 (see link.dl).
 .data
 message:
     .asciz "Hello"
+
+fmt_str:
+    .asciz "Hello: 0x%x\n"
+
+.align 8
+# 0x712328
+    .quad .L_726560
+numeric_data:
+# This is numeric and should NOT be symbolized as .L_800000.
+    .byte 0x00  # 0x800000
+    .byte 0x00
+    .byte 0x80
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+str_peer:
+# This is a string and should NOT be symbolized as .L_726565 or .L_726560+5.
+    .byte 0x70 # .string "peer"
+    .quad .L_726560+5
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+    .byte 0x00
+# 0x712350
+    .zero 82448
+# 0x726560
+.L_726560:
+    .byte 0x77
+    .zero 0x100
+
+.align 8
+    .quad str_peer
+
+dummy:
+    .fill 0x100000, 1, 0

examples/asm_examples/ex_symbolic_operand_heuristics/link.ld

@@ -0,0 +1,9 @@
+SECTIONS
+{
+    /* place message at fixed address */
+    . = 0x712300;
+    .data : {
+        *(.data*)
+    }
+}
+INSERT AFTER .rodata;

src/datalog/pointer_reattribution.dl

@@ -89,6 +89,7 @@ point to an 'at-end' symbol.
 
 ////////////////////////////////////////////////////////////////////////////////////
 
+moved_label_class(EA,0,"overlapping label"),
 moved_data_label(EA,Size,Dest,NewDest):-
     symbolic_data(EA,Size,Dest),
     arch.pointer_size(Pt_size),
@@ -97,6 +98,7 @@ moved_data_label(EA,Size,Dest,NewDest):-
 
 //if something points to the middle of a known symbol we express it as symbol+constant
 //as long as it is not code
+moved_label_class(EA,0,"middle of symbol"),
 moved_data_label(EA,SizePointer,Dest,Address):-
     symbolic_data(EA,SizePointer,Dest),
     !code(Dest),
@@ -106,6 +108,7 @@ moved_data_label(EA,SizePointer,Dest,Address):-
     Dest < Address+Size.
 
 // create a symbol+constant for overlapping instructions
+moved_label_class(EA,0,"overlapping instruction"),
 moved_data_label(EA,SizePointer,Dest,Address):-
     symbolic_data(EA,SizePointer,Dest),
     overlapping_instruction(Dest,Address).

src/datalog/self_diagnose.dl

@@ -1,9 +1,30 @@
-.decl false_negative(EA:address)
-.decl false_positive(EA:address)
-.output false_negative
-.output false_positive
-.decl relocation_in_operand(EA:address,Index:operand_index,Rel:address,InsnOffset:unsigned)
+//===- self_diagnose.dl ------------------------------------*- datalog -*-===//
+//
+//  Copyright (C) 2019-2026 GrammaTech, Inc.
+//
+//  This code is licensed under the GNU Affero General Public License
+//  as published by the Free Software Foundation, either version 3 of
+//  the License, or (at your option) any later version. See the
+//  LICENSE.txt file in the project root for license terms or visit
+//  https://www.gnu.org/licenses/agpl.txt.
+//
+//  This program is distributed in the hope that it will be useful,
+//  but WITHOUT ANY WARRANTY; without even the implied warranty of
+//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//  GNU Affero General Public License for more details.
+//
+//  This project is sponsored by the Office of Naval Research, One Liberty
+//  Center, 875 N. Randolph Street, Arlington, VA 22203 under contract #
+//  N68335-17-C-0700.  The content of the information does not necessarily
+//  reflect the position or policy of the Government and no official
+//  endorsement should be inferred.
+//
+//===---------------------------------------------------------------------===//
+
+// Predicates for self diagnosis
+
 
+.decl relocation_in_operand(EA:address,Index:operand_index,Rel:address,InsnOffset:unsigned)
 
 relocation_in_operand(EA,Index,Location,Offset):-
     code(EA),
@@ -84,7 +105,20 @@ bad_symbol_constant(EA,Cnt):-
     Orig_minus_cnt2 != End.
 
 
-false_negative(Location):-
+/**
+Potentially false-positive / false-negative symbolic operand or data
+
+EA: The address of instruction or data object containing FP/FN symbolic expression
+Location: The exact address of FP/FN symbolic expression within instruction or data
+Type: code or data
+*/
+.decl false_negative_symexpr(EA:address, Location:address, Type:symbol)
+.output false_negative_symexpr
+
+.decl false_positive_symexpr(EA:address, Location:address, Type:symbol)
+.output false_positive_symexpr
+
+false_negative_symexpr(EA,Location,"code"):-
     relocation_in_operand(EA,Index,Rel,_),
     !trivial_relocation(Rel),
     !symbolic_operand(EA,Index,_,_),
@@ -95,7 +129,7 @@ false_negative(Location):-
     ),
     Location = EA+Offset.
 
-false_positive(Location):-
+false_positive_symexpr(EA,Location,"code"):-
     code(EA),
     (
         symbolic_operand(EA,Index,_,_);
@@ -111,13 +145,7 @@ false_positive(Location):-
     ),
     Location=EA+Offset.
 
-.decl zero_relocation(EA:address)
-
-zero_relocation(EA):-
-    relocation(EA,_,_,_,_,_,_),
-    data_word(EA,8,0).
-
-false_negative(EA):-
+false_negative_symexpr(EA,EA,"data"):-
     data_byte(EA,_),
     relocation(EA,_,_,_,_,_,_),
     !zero_relocation(EA),
@@ -128,7 +156,7 @@ false_negative(EA):-
     EA >= BegSect,
     EA < EndSect.
 
-false_positive(EA):-
+false_positive_symexpr(EA,EA,"data"):-
     (
         symbolic_data(EA,_,_);
         // it looks like jump tables where each entry 4 or less bytes do not have
@@ -141,3 +169,47 @@ false_positive(EA):-
     loaded_section(BegSect,EndSect,Sect),
     EA >= BegSect,
     EA < EndSect.
+
+
+.decl zero_relocation(EA:address)
+
+zero_relocation(EA):-
+    relocation(EA,_,_,_,_,_,_),
+    data_word(EA,8,0).
+
+
+/**
+Output is the absolute value of Input.
+*/
+.decl abs_val(Input:number,Output:number) inline
+
+abs_val(X,X):- X >= 0.
+abs_val(X,Y):- X < 0, Y = 0 - X.
+
+
+/**
+Moved labels with large offset (> 64), which are likely false positives.
+
+moved_label_with_large_offset: symbolic operand in instruction
+moved_data_label_with_large_offset: symbolic expression in data
+*/
+.decl moved_label_with_large_offset(EA:address,Offset:number,Reason:symbol)
+.output moved_label_with_large_offset
+
+.decl moved_data_label_with_large_offset(EA:address,Offset:number,Reason:symbol)
+.output moved_data_label_with_large_offset
+
+moved_label_with_large_offset(EA,Offset,Reason):-
+    moved_label(EA,Index,Dest,NewDest),
+    !pc_relative_operand(EA,Index,Dest),
+    Offset = as(Dest - NewDest,number),
+    abs_val(Offset,AbsOffset),
+    AbsOffset > 64,
+    moved_label_class(EA,Index,Reason).
+
+moved_data_label_with_large_offset(EA,Offset,Reason):-
+    moved_data_label(EA,_,Dest,NewDest),
+    Offset = as(Dest - NewDest,number),
+    abs_val(Offset,AbsOffset),
+    AbsOffset > 64,
+    moved_label_class(EA,_,Reason).

src/datalog/symbolization.dl

@@ -303,6 +303,23 @@ symbolic_operand_point(EA,Imm_index,-1,"immediate is bitmask"):-
     instruction_get_operation(EA,Operation),
     arch.logic_operation(Operation).
 
+// Heuristic: treat values with >=20 trailing zero bits (0xFFFFF) as bitmasks.
+//
+// This threshold is empirical, not architectural. It was chosen to avoid
+// misclassifying large immediates observed in bgpd (e.g., 0x800000)
+// as addresses, while remaining more conservative than a 16-bit cutoff.
+// Using 24 trailing zeros would miss this case; using 16 would increase
+// false positives. If new binaries show misclassification in either direction,
+// this threshold should be revisited.
+//
+symbolic_operand_point(EA,Imm_index,-1,"immediate may be bitmask"):-
+    symbolic_operand_candidate(EA,Imm_index,_,_),
+    instruction_get_op(EA,Imm_index,Op),
+    op_immediate(Op,Imm,_),
+    !defined_symbol(as(Imm,address),_,_,_,_,_,_,_,_),
+    !loaded_section(as(Imm,address),_,_),
+    0 = (Imm band 0xFFFFF).
+
 symbolic_operand_point(EA,Imm_index,-2,"point to exception section"):-
     symbolic_operand_candidate(EA,Imm_index,Dest,_),
     exception_section(Name),
@@ -451,6 +468,21 @@ address_in_data_is_printable(EA):-
     address_in_data(EA,_),
     EAString <= EA, EA <= End - Pt_size.
 
+/**
+The address appearing at 'EA' overlaps with a potential
+`ascii_string` and therefore more likely to be spurious.
+*/
+.decl address_in_data_overlaps_string(EA:address, EAString:address)
+
+address_in_data_overlaps_string(EA, EAString):-
+    ascii_string(EAString,End),
+    address_in_data(EA,_),
+    (
+        EAString <= EA, EA < End;
+        arch.pointer_size(Pt_size),
+        EAString < EA+Pt_size, EA+Pt_size <= End
+    ).
+
 // address_in_data considers anything that points to the code region
 // this refinement restricts that to the beginning of the final blocks
 .decl address_in_data_refined(EA:address,Val:address)
@@ -544,6 +576,23 @@ string_candidate(EA,End,"ascii"):-
     EA >= DataBeg,
     End <= DataEnd.
 
+/**
+String at EA is followed by another string at Next.
+*/
+.decl subsequent_string_candidate(EA:address,Next:address)
+
+subsequent_string_candidate(EA,Next):-
+    string_candidate(EA,End,_),
+    string_candidate(Next,_,_),
+    End <= Next,
+    (
+        End = Next
+        ;
+        0 = count : {string_candidate(Begin,_,_), Begin >= End, Begin < Next},
+        Next - End < 8,
+        padding_block_limit(Next)
+    ).
+
 /**
 String candidate refinement projects candidate string references onto a compound
 domain of "ascii" or "string" typed data objects, where "string" typed objects
@@ -798,6 +847,29 @@ data_object_point(EA,Pt_size,"symbol",2,"aligned"):-
     data_object_candidate(EA,Pt_size,"symbol"),
     EA % Pt_size = 0.
 
+data_object_point(EA,Pt_size,"symbol",-2,"potentially bitmask"):-
+    data_object_candidate(EA,Pt_size,"symbol"),
+    EA % Pt_size = 0,
+    address_in_data_refined(EA,Dest),
+    !defined_symbol(Dest,_,_,_,_,_,_,_,_),
+    0 = (Dest band 0xFFFFF).
+
+data_object_point(EA,Pt_size,"symbol",-2,"printerable address: likely spurious"):-
+    data_object_candidate(EA,Pt_size,"symbol"),
+    EA % Pt_size = 0,
+    address_in_data_is_printable(EA),
+    address_in_data_refined(EA,Dest),
+    !defined_symbol(Dest,_,_,_,_,_,_,_,_).
+
+data_object_point(EA,Pt_size,"symbol",-1,"overlaps string: likely spurious"):-
+    data_object_candidate(EA,Pt_size,"symbol"),
+    EA % Pt_size = 0,
+    address_in_data_overlaps_string(EA,EAString),
+    ascii_string(EAString,End),
+    End - EAString > 4,
+    address_in_data_refined(EA,Dest),
+    !defined_symbol(Dest,_,_,_,_,_,_,_,_).
+
 data_object_point(EA,Pt_size,"symbol",4,"point-to-boundary-sym"):-
     data_object_candidate(EA,Pt_size,"symbol"),
     address_in_data_refined(EA,Dest),
@@ -852,6 +924,11 @@ data_object_point(EA,Size,"string",1,"string that has reference"):-
     code(Code),
     data_limit(EA).
 
+data_object_point(EA,Size,"string",1,"string has string neighbors"):-
+    data_object_candidate(EA,Size,"string"),
+    subsequent_string_candidate(EA,_),
+    subsequent_string_candidate(_,EA).
+
 // data access negative heuristic
 data_object_point(EA,Size,"other",4,"data access"):-
     data_object_candidate(EA,Size,"other"),