package bap-std

All visitors provide some information about the current position of the visitor

Visitor. Visits AST providing lots of hooks.

A visitor with a shortcut. Finder is a specialization of a visitor, that uses return as its folding argument. At any time you can stop the traversing by calling return function of the provided argument (which is by itself is a record with one field - a function accepting argument of type 'a option).

AST transformation. mapper allows one to map AST, performing some limited amount of transformations on it. Mapper provides extra flexibility by mapping stmt to stmt list, thus allowing to remove statements from the output (by mapping to empty list) or to map one statement to several. This is particularly useful when you map if or while statements.

constant_folder is a class that implements the fold_consts

fold ~init visitor stmt folds a stmt with a visitor. See Bil.fold and Exp.fold for more details.

iter visitor stmt iters over a stmt with a visitor. See Bil.iter and Exp.iter for more details.

map mapper bil applies mapper to the program bil

find finder stmt performs a lookup into the Bil statement. See Bil.find and Exp.find for more details.

exists finder stmt is true iff find finder stmt <> None. See Bil.exists and Exp.exists for more details.

is_referenced x stmt is true is x is used in the stmt in any place other then right hand side of the assignment. E.g., is_referenced x Bil.(x := var x) is true, but is_referenced x Bil.(x := var y) is false. see Bil.is_referenced for more details.

normalize xs produces a normalized BIL program with the same^1 semantics but in the BIL normalized form. Precondition: xs is well-typed.

The BIL Normalized Form (BNF) is a subset of the BIL language, where expressions have the following properties:

• No let expressions - new variable can be created only with a Move instruction.

• All memory operations have sizes equal to one byte. Thus the size and endiannes can be ignored in analysis. During the normalization, the following rewrites are performed

• Memory load expressions can be only applied to a memory. This effectively disallows creation of temporary memory regions, and requires all store operations to be commited via the assignemnt operation. Also, this provides a guarantee, that store expressions will not occur in integer assigments, jmp destinations, and conditional expressions, leaving them valid only in an assignment statment where the rhs has type mem_t.

       let x = <expr> in ... x ... => ... <expr> ...
       x[a,el]:n => x[a+n-1] @ ... @ x[a]
       x[a,be]:n => x[a] @ ... @ x[a+n-1]
       m[a,el]:n <- x => (...((m[a] <- x<0>)[a+1] <- x<1>)...)[a+n-1] <- x<n-1>
       m[a,be]:n <- x => (...((m[a] <- x<n-1>)[a+1] <- x<n>)...)[a+n-1] <- x<0>
       ... ite c ? x : y ... => if c \{ ... x ... } \{ ... y ... }
       (x[a] <- b)[c] => m := x[a] <- b; m[c]

^1: The normalization procedure may duplicate expressions that might be considered non-generative. For example,

let x = m[a] in x + x

is rewritten to m[a] + m[a]. Given a concrete semantics of a memory (for example, if memory is mapped to a device register that changes every times it is read) this expression may have different value. It will also have different effect (such as two memory accesses, page faults etc).

However, in the formal semantics of BAP we do not consider effects, and treat all expressions as side-effect free, thus the above transformation, as well as

• since 1.3

simpl ?ignore xs recursively applies Exp.simpl and also simplifies if and while expressions with statically known conditionals, e.g., if (true) xs ys is simplified to xs, while (false) xs is simplified to xs.

• since 1.3

fixpoint f x applies transformation f until it reaches fixpoint. See Bil.fixpoint and Exp.fixpoint

free_vars stmt returns a set of all unbound variables, that occurs in the stmt.

eval prog eval BIL program under given context. Returns the context which contains all effects of computations.