|
|
|---|
|
|
|
|---|
A tool to lift x86 binary code into logic, unrolling loops as needed.
Lift some x86 binary code into an ACL2 representation, by symbolic execution including inlining all functions and unrolling all loops.
Usually,
To inspect the resulting DAG, you can simply enter its name at the prompt to print it.
(def-unrolled lifted-name executable &key :target ; default :entry-point :inputs ; default :skip :output ; default :all :extra-assumptions ; default nil :suppress-assumptions ; default nil :inputs-disjoint-from ; default :code :stack-slots ; default 100 :position-independent ; default :auto :type-assumptions-for-array-vars ; default t :use-internal-contextsp ; default t :prune-precise ; default 1000 :prune-approx ; default t :extra-rules ; default nil :remove-rules ; default nil :extra-assumption-rules ; default nil :remove-assumption-rules ; default nil :step-limit ; default 1000000 :step-increment ; default 100 :stop-pcs ; default nil :memoizep ; default t :monitor ; default nil :normalize-xors ; default nil :count-hits ; default nil :print ; default :brief :print-base ; default 10 :untranslatep ; default t :produce-function ; default t :non-executable ; default :auto :produce-theorem ; default nil :prove-theorem ; default nil :restrict-theory ; default t :bvp ; default nil )
A symbol, the name to use for the generated function. The name of the generated constant is created by adding stars to the front and back of this symbol.
The x86 binary executable that contains the target function. Usually a string (a filename), or this can be a parsed executable of the form created by defconst-x86.
Where to start lifting (a numeric offset, the name of a subroutine (a string), or the symbol :entry-point)
Either the special value :skip (meaning generate no additional assumptions on the input) or a doublet list pairing input names with types. Types include things like u32, u32*, and u32[2].
An indication of which state component(s) will hold the result of the computation being lifted. See output-indicatorp.
Extra assumptions for lifting, in addition to the standard-assumptions
Whether to suppress the standard assumptions. This does not suppress any assumptions generated about the :inputs.
What to assume about the inputs (specified using the :inputs option) being disjoint from the sections/segments in the executable. The value :all means assume the inputs are disjoint from all sections/segments. The value :code means assume the inputs are disjoint from the code/text section. The value nil means do not include any assumptions of this kind.
How much available stack space to assume exists.
Whether to attempt the lifting without assuming that the binary is loaded at a particular position.
Whether to put in type assumptions for the variables that represent elements of input arrays.
Whether to use contextual information from ovararching conditionals when simplifying DAG nodes.
Whether to prune DAGs using precise contexts. Either t or nil or a natural number representing the smallest dag size that we deem too large for pruning (where here the size is the number of nodes in the corresponding term). This kind of pruning can blow up if attempted for DAGs that represent huge terms.
Whether to prune DAGs using approximate contexts. Either t or nil or a natural number representing the smallest dag size that we deem too large for pruning (where here the size is the number of nodes in the corresponding term). This kind of pruning should not blow up but doesn't use fully precise contextual information.
Rules to use in addition to (unroller-rules32) or (unroller-rules64) plus a few others.
Rules to turn off.
Extra rules to be used when simplifying assumptions.
Rules to be removed when simplifying assumptions.
Limit on the total number of symbolic executions steps to allow (total number of steps over all branches, if the simulation splits).
Number of model steps to allow before pausing to simplify the DAG and remove unused nodes.
A list of program counters (natural numbers) at which to stop the execution, for debugging.
Whether to memoize during rewriting (when not using contextual information -- as doing both would be unsound).
Rule names (symbols) to be monitored when rewriting.
Whether to normalize BITXOR and BVXOR nodes when rewriting (t, nil, or :compact).
Whether to count rule hits during rewriting (t means count hits for every rule, :total means just count the total number of hits, nil means don't count hits)
Verbosity level.
Base to use when printing during lifting. Must be either 10 or 16.
Whether to untranslate term when printing.
Whether to produce a function, not just a constant DAG, representing the result of the lifting.
Whether to make the generated function non-executable, e.g., because stobj updates are not properly let-bound. Either t or nil or :auto.
Whether to try to produce a theorem (possibly skip-proofed) about the result of the lifting.
Whether to try to prove the theorem with ACL2 (rarely works, since Axe's Rewriter is different and more scalable than ACL2's rewriter).
To be deprecated...
Whether to use new-style, BV-friendly assumptions.