Fixes one egregious bug in how we alias registers. What would happen …

…is that AL/AH, DL/DH, etc. would all map to the same alias because their containing register and types would be the same. Modified register aliases to have the form <name>_<offset>_<type>. Also fixed an issue in mcsema-disass where the main function wouldn't be recognized as a function, and thus not lifted. (#710)

mcsema/BC/Function.cpp

@@ -90,7 +90,7 @@ DEFINE_string(
 DEFINE_bool(add_pc_tracer, false,
             "Add a debug function that is invoked just before every lifted "
             "instruction, where the PC of the instruction is passed into the "
-            "tracer. This is similar to --add_reg_tracer, but it doesn't "
+            "tracer. This is similar to --trace_reg_values, but it doesn't "
             "negatively impact optimizations.");
 
 DEFINE_bool(
@@ -263,7 +263,7 @@ static llvm::Function *GetRegTracer(void) {
 // function handler, then the second argument is the emulated program counter,
 // and a logical stack trace feature can be implemented by recording these
 // program counters into a KLEE execution state.
-static llvm::Function *GetPCTracer(uint64_t pc) {
+static llvm::Function *GetPCTracer(void) {
   static llvm::Function *gPCTracer = nullptr;
   if (!gPCTracer) {
     gPCTracer = gModule->getFunction("__mcsema_pc_tracer");
@@ -274,12 +274,11 @@ static llvm::Function *GetPCTracer(uint64_t pc) {
       gPCTracer =
           llvm::Function::Create(func_type, llvm::GlobalValue::ExternalLinkage,
                                  "__mcsema_pc_tracer", gModule.get());
-      gPCTracer->addFnAttr(llvm::Attribute::NoDuplicate);
       gPCTracer->removeFnAttr(llvm::Attribute::AlwaysInline);
       gPCTracer->removeFnAttr(llvm::Attribute::InlineHint);
+      gPCTracer->addFnAttr(llvm::Attribute::NoDuplicate);
       gPCTracer->addFnAttr(llvm::Attribute::OptimizeNone);
       gPCTracer->addFnAttr(llvm::Attribute::NoInline);
-      gPCTracer->addFnAttr(llvm::Attribute::ReadNone);
     }
   }
   return gPCTracer;
@@ -951,9 +950,8 @@ static void Instrument(const TranslationContext &ctx, llvm::BasicBlock *block,
   }
 
   if (FLAGS_add_pc_tracer) {
-    auto tracer = GetPCTracer(inst_ea);
     llvm::Value *args[1] = {llvm::ConstantInt::get(gWordType, inst_ea)};
-    (void) llvm::CallInst::Create(tracer, args, "", block);
+    (void) llvm::CallInst::Create(GetPCTracer(), args, "", block);
   }
 }
 

mcsema/BC/Optimize.cpp

@@ -1392,7 +1392,8 @@ static llvm::Value *TryGetRegAlias(llvm::Value *ptr, unsigned offset) {
   const auto elem_type = ptr_type->getPointerElementType();
 
   std::stringstream ss;
-  ss << reg->name << "_" << std::hex << reinterpret_cast<uintptr_t>(elem_type);
+  ss << reg->name << '_' << offset << '_'
+     << std::hex << reinterpret_cast<uintptr_t>(elem_type);
   auto alias_name = ss.str();
   SanitizeNameForLinking(alias_name);
 
@@ -1629,7 +1630,6 @@ void OptimizeModule(const NativeModule *cfg_module) {
 
   remill::RemoveDeadStores(gArch.get(), gModule.get(), bb_func, slots);
 
-
   // If some of the restores are *not* dead, then we will have eliminated
   // some loads and subsequent uses (in the `__remill_restore.*` argument lists)
   // that made those registers look live. The addition of restoring stores thus

tools/mcsema_disass/ida7/flow.py

@@ -52,6 +52,23 @@ def try_mark_as_function(address):
   idaapi.auto_wait()
   return True
 
+
+def is_start_of_function(ea):
+  """Returns `True` if `ea` is the start of a function."""
+  global _FUNC_HEAD_EAS
+
+  if ea in _FUNC_HEAD_EAS:
+    return True
+
+  if not is_code(ea):
+    return False
+
+  func = ida_funcs.get_func(ea)
+  if not func:
+    return False
+
+  return ea == func.start_ea
+
 def find_linear_terminator(ea, max_num=256):
   """Find the terminating instruction of a basic block, without actually
   associating the instructions with the block. This scans linearly until

tools/mcsema_disass/ida7/get_cfg.py

@@ -17,6 +17,7 @@
 
 import idautils
 import idaapi
+import ida_funcs
 import idc
 import sys
 import os
@@ -461,16 +462,6 @@ def try_get_thunk_name(ea):
     _ELF_THUNKS[ea] = ret
     return ret
 
-def is_start_of_function(ea):
-  """Returns `True` if `ea` is the start of a function."""
-  if not is_code(ea):
-    return False
-
-  # originally name = idc.GetTrueName(ea) or idc.get_func_name(ea)
-  # removed since ida 7.4 not supported
-  name = idc.get_func_name(ea)
-  return ea == idc.get_name_ea_simple(name)
-
 _REFERENCE_OPERAND_TYPE = {
   Reference.IMMEDIATE: CFG_pb2.CodeReference.ImmediateOperand,
   Reference.DISPLACEMENT: CFG_pb2.CodeReference.MemoryDisplacementOperand,
@@ -1478,7 +1469,7 @@ def identify_program_entrypoints(func_eas):
   DEBUG("Looking for entrypoints")
   DEBUG_PUSH()
 
-  exclude = set(["_start", "__libc_csu_fini", "__libc_csu_init", "main",
+  exclude = set(["_start", "__libc_csu_fini", "__libc_csu_init", 
                  "__data_start", "__dso_handle", "_IO_stdin_used",
                  "_dl_relocate_static_pie", "__DTOR_END__", "__ashlsi3",
                  "__ashldi3", "__ashlti3", "__ashrsi3", "__ashrdi3", "__ashrti3",
@@ -1582,6 +1573,11 @@ def recover_module(entrypoint, gvar_infile = None):
       if "main" == args.entrypoint and IS_ELF:
         entry_ea = find_main_in_ELF_file()
 
+    if not is_invalid_ea(entry_ea):
+      DEBUG("Found {} at {:x}".format(args.entrypoint, entry_ea))
+      if not is_start_of_function(entry_ea):
+        try_mark_as_function(entry_ea)
+
   if RECOVER_EHTABLE:
     recover_exception_table()
 

tools/mcsema_disass/ida7/util.py

@@ -22,6 +22,7 @@
 import inspect
 import ida_ua
 import ida_bytes
+import ida_funcs
 import sys
 
 _DEBUG_FILE = None