Merge branch 'plt_cfg_edge' into 'main'

Fix bug that could drop inter-procedural CFG edges

Closes #635

See merge request rewriting/ddisasm!1256

Author: jdorn-gt

CHANGELOG.md

@@ -5,6 +5,7 @@
     - Improve resolution of TLS-related symbolic expression
 * Fix bug that could lead to functional errors due to false-positive symbolic operands or data.
 * Fix bug that could drop fall-through edges from calls to conditionally no-return functions
+* Fix bug that could drop inter-procedural CFG edges.
 
 # 1.9.2
 

examples/ex_plt_cfg_edge/Makefile

@@ -0,0 +1,13 @@
+CC="gcc"
+CFLAGS=
+EXEC=
+
+all: fun.c ex.c
+	$(CC) -fPIC -shared $(CFLAGS) fun.c -o fun.so
+	$(CC) ex.c -no-pie -fno-PIC $(CFLAGS) -o ex -L. -l:fun.so
+	@ LD_LIBRARY_PATH=. $(EXEC) ./ex > out.txt
+clean:
+	rm -f ex ex.gtirb fun.so *.s *.i *.o out.txt
+check:
+	@ LD_LIBRARY_PATH=. $(EXEC) ./ex > /tmp/res.txt
+	@ diff out.txt /tmp/res.txt && echo TEST OK

examples/ex_plt_cfg_edge/ex.c

@@ -0,0 +1,54 @@
+#include <stdio.h>
+
+/*
+NOTE: This example is designed to produce the following PLT entry:
+   #===================================
+   .section .plt.sec ,"ax",@progbits
+   #===================================
+   #-----------------------------------
+   .globl fun
+   .type fun, @function
+   #-----------------------------------
+   fun:
+         401070:   endbr64
+         401074:   bnd jmp QWORD PTR [RIP+.L_404020]
+   .size fun, . - fun
+
+   #===================================
+   .section .got.plt ,"wa",@progbits
+   #===================================
+   .L_404020:
+         404020: .quad fun
+
+This C program must be compiled with `-fno-PIC` and linked with `-no-pie`
+(see the Makefile).
+
+1. -fno-PIC: Forces the compiler to treat the address of `fun` as a fixed
+   absolute constant.
+
+2. -no-pie: Prevents the linker from making the binary position-independent,
+   allowing the symbol `fun` to have a static VMA (Virtual Memory Address).
+
+3. Function pointer: By taking the address `(void*)fun`, we force the Linker
+   to create a `Canonical PLT`. Because the linker doesn't know the real
+   address of `fun` (it's in fun.so), it uses the address of the PLT stub
+   as the function's identity to satisfy the absolute resolution.
+*/
+
+// External function defined in fun.so
+extern void fun();
+
+int main()
+{
+    puts("Calling fun...");
+
+    // Standard call
+    fun();
+
+    // Address-of: Forces the .dynsym address to be non-zero (Canonical PLT).
+    // The linker stamps the PLT address (e.g., 0x401070) into the symbol table
+    // so that `&fun` returns the same pointer value throughout the execution.
+    printf("Canonical PLT address of fun: %p\n", (void*)fun);
+
+    return 0;
+}

examples/ex_plt_cfg_edge/fun.c

@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+void fun()
+{
+    printf("Called fun.\n");
+}

src/passes/Disassembler.cpp

@@ -1099,6 +1099,20 @@ gtirb::EdgeType getEdgeType(const std::string &type)
     return gtirb::EdgeType::Fallthrough;
 }
 
+std::map<gtirb::Addr, std::string> getPltBlocks(gtirb::Module &Module,
+                                                souffle::SouffleProgram &Program)
+{
+    std::map<gtirb::Addr, std::string> Res;
+    for(auto &Output : *Program.getRelation("plt_block"))
+    {
+        gtirb::Addr Ea;
+        std::string Name;
+        Output >> Ea >> Name;
+        Res[Ea] = Name;
+    }
+    return Res;
+}
+
 void buildCFG(gtirb::Context &Context, gtirb::Module &Module, souffle::SouffleProgram &Program)
 {
     auto &Cfg = Module.getIR()->getCFG();
@@ -1134,6 +1148,7 @@ void buildCFG(gtirb::Context &Context, gtirb::Module &Module, souffle::SoufflePr
         auto E = addEdge(Src, TopBlock, Cfg);
         Cfg[*E] = std::make_tuple(isConditional, gtirb::DirectEdge::IsIndirect, EdgeType);
     }
+    auto PltBlocks = getPltBlocks(Module, Program);
     for(auto &T : *Program.getRelation("cfg_edge_to_symbol"))
     {
         gtirb::Addr EA;
@@ -1156,6 +1171,21 @@ void buildCFG(gtirb::Context &Context, gtirb::Module &Module, souffle::SoufflePr
         {
             gtirb::CodeBlock *TgtCodeBlock = Symbol.getReferent<gtirb::CodeBlock>();
             if(TgtCodeBlock)
+            {
+                auto TgtAddr = TgtCodeBlock->getAddress();
+                if(TgtAddr.has_value())
+                {
+                    // If TgtCodeBlock is a PltBlock, invalidate it here
+                    // so that a ProxyBlock can be created instead.
+                    // See the comment in examples/ex_plt_cfg_edge/ex.c
+                    auto PltBlockIt = PltBlocks.find(TgtAddr.value());
+                    if(PltBlockIt != PltBlocks.end())
+                    {
+                        TgtCodeBlock = nullptr;
+                    }
+                }
+            }
+            if(TgtCodeBlock)
             {
                 std::cerr
                     << "WARNING: symbol " << Name

tests/cfg_test.py

@@ -6,7 +6,7 @@
 import subprocess
 import os
 from gtirb.cfg import EdgeType, EdgeLabel
-from typing import List, Dict, Tuple
+from typing import List, Dict, Tuple, Union
 
 
 ex_dir = Path("./examples/")
@@ -688,17 +688,24 @@ def check_edges(
     def check_plt_edges(
         self,
         module: gtirb.Module,
-        plt_calls: List[Tuple[str, EdgeLabel, EdgeLabel, str]],
+        plt_calls: List[
+            Tuple[Union[str, gtirb.CodeBlock], EdgeLabel, EdgeLabel, str]
+        ],
+        is_proxy_target: bool = False,
     ) -> None:
         """
         Check that each call represented in `plt_calls` has the right
         sequences of edges that lead to the expected target.
 
         Each element in `plt_call` is a tuple with a starting
-        symbol, two edge labels, and a target symbol.
+        symbol name or source block, two edge labels, and a target symbol.
         """
         for src, edge_label1, edge_label2, tgt in plt_calls:
-            src_block = next(module.symbols_named(src)).referent
+            src_block = (
+                next(module.symbols_named(src)).referent
+                if isinstance(src, str)
+                else src
+            )
             edges = [
                 edge
                 for edge in src_block.outgoing_edges
@@ -710,19 +717,24 @@ def check_plt_edges(
                 f"Expected one edge with label {edge_label1} from {src}",
             )
             plt_block = edges[0].target
-            self.assertEqual(plt_block.section.name, ".plt")
+            self.assertIn(plt_block.section.name, [".plt", ".plt.sec"])
             edges_plt = [
                 edge
                 for edge in plt_block.outgoing_edges
                 if edge.label == edge_label2
             ]
+
             self.assertEqual(
                 len(edges_plt),
                 1,
                 f"Expected one edge with label {edge_label2} "
                 f"from block at {plt_block.address:0x} called from {src}",
             )
             tgt_block = edges_plt[0].target
+
+            if is_proxy_target:
+                self.assertIsInstance(tgt_block, gtirb.ProxyBlock)
+
             self.assertIn(tgt, [s.name for s in tgt_block.references])
 
     @unittest.skipUnless(
@@ -1094,6 +1106,43 @@ def test_arm64_calls(self):
             ]
             self.check_plt_edges(m, plt_calls)
 
+    @unittest.skipUnless(
+        platform.system() == "Linux", "This test is linux only."
+    )
+    def test_x86_64_plt_cfg_edge(self):
+        """
+        Test that a CFG edge is created from a PLT block to its external
+        target (ProxyBlock) when the PLT block and the target have
+        the same symbol.
+        """
+        binary = Path("ex")
+        with cd(ex_dir / "ex_plt_cfg_edge"):
+            self.assertTrue(compile("gcc", "g++", "-O0", ["--save-temps"]))
+            ir_library = disassemble(binary).ir()
+            m = ir_library.modules[0]
+
+            main_sym = next(m.symbols_named("main"))
+            main_block = main_sym.referent
+
+            fallthrough = [
+                edge
+                for edge in main_block.outgoing_edges
+                if edge.label.type == EdgeType.Fallthrough
+            ]
+            self.assertEqual(1, len(fallthrough))
+
+            call_fun_block = fallthrough[0].target
+
+            plt_calls = [
+                (
+                    call_fun_block,
+                    EdgeLabel(EdgeType.Call, False, True),
+                    EdgeLabel(EdgeType.Branch, False, False),
+                    "fun",
+                ),
+            ]
+            self.check_plt_edges(m, plt_calls, True)
+
 
 if __name__ == "__main__":
     unittest.main()