authorWilliam Bruneau <william.bruneau@epfedu.fr>2017-10-09 15:20:55 +0200
committerWilliam Bruneau <william.bruneau@epfedu.fr>2018-03-12 10:36:52 +0100
commit76edc6ab9708f07d6423c1eb10e626dfa09faab4 (patch)
tree2d9cb7d20452f85263fd94c18a7996ae61c30f1c /miasm2/analysis/dse.py
parentc446bdf327ae279b18596c750db45d93618f7269 (diff)
Compute branches using the previous address
'destination' is the address that we could have reached instead of the
current address. Therefore, the new branch that can be reached with the new
solution is 'previous_addr -> destination'.
Diffstat (limited to 'miasm2/analysis/dse.py')
-rw-r--r--miasm2/analysis/dse.py11
1 files changed, 9 insertions, 2 deletions
diff --git a/miasm2/analysis/dse.py b/miasm2/analysis/dse.py
index 4762dd08..d0f71b5d 100644
--- a/miasm2/analysis/dse.py
+++ b/miasm2/analysis/dse.py
@@ -484,6 +484,7 @@ class DSEPathConstraint(DSEEngine):
         self._known_solutions = set() # set of solution identifiers
         self.z3_trans = Translator.to_language("z3")
         self._produce_solution_strategy = produce_solution
+        self._previous_addr = None
         self._history = None
         if produce_solution == self.PRODUCE_SOLUTION_PATH_COV:
             self._history = [] # List of addresses in the current path
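Review bot: `_previous_addr` is the only new attribute in this run without a trailing comment, while `_known_solutions` and `_history` both say what they hold. Something like `self._previous_addr = None # Address handled before the current one, None until the first update` would record that the value starts as `None` and is only assigned at the end of the handler in the last hunk. The constructor starts and ends outside this hunk.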
@@ -495,6 +496,8 @@ class DSEPathConstraint(DSEEngine):
         snap["cur_constraints"] = self.cur_solver.assertions()
         if self._produce_solution_strategy == self.PRODUCE_SOLUTION_PATH_COV:
             snap["_history"] = list(self._history)
+        if self._produce_solution_strategy == self.PRODUCE_SOLUTION_BRANCH_COV:
+            snap["_previous_addr"] = self._previous_addr
         return snap
 
     def restore_snapshot(self, snapshot, keep_known_solutions=True, **kwargs):
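Review bot: `_previous_addr` is saved only under `PRODUCE_SOLUTION_BRANCH_COV` here, and the matching hunk in `restore_snapshot` reads it back with `snapshot["_previous_addr"]`, so a snapshot dict that lacks the key raises `KeyError` on restore. `restore_snapshot` takes the snapshot as an argument, so if callers can hand it one taken before this change or by an engine built with another strategy (not visible here), that path fails. Storing the value unconditionally with `snap["_previous_addr"] = self._previous_addr` and restoring with `self._previous_addr = snapshot.get("_previous_addr")` would remove both strategy checks. The snapshot method starts outside this hunk.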
@@ -511,6 +514,8 @@ class DSEPathConstraint(DSEEngine):
             self._known_solutions.clear()
         if self._produce_solution_strategy == self.PRODUCE_SOLUTION_PATH_COV:
             self._history = list(snapshot["_history"])
+        if self._produce_solution_strategy == self.PRODUCE_SOLUTION_BRANCH_COV:
+            self._previous_addr = snapshot["_previous_addr"]
 
     def _key_for_solution_strategy(self, destination):
         """Return the associated identifier for the current solution strategy"""
@@ -525,8 +530,7 @@ class DSEPathConstraint(DSEEngine):
         elif self._produce_solution_strategy == self.PRODUCE_SOLUTION_BRANCH_COV:
             # Decision based on branch coverage
             # -> produce a solution if the current branch has never been take
-            cur_addr = ExprInt(self.jitter.pc, self.ir_arch.IRDst.size)
-            key = (cur_addr, destination)
+            key = (self._previous_addr, destination)
 
         elif self._produce_solution_strategy == self.PRODUCE_SOLUTION_PATH_COV:
             # Decision based on path coverage
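Review bot: The branch key is now `(self._previous_addr, destination)`, and `_previous_addr` is `None` from the constructor until the handler in the last hunk has run once, so the first branch of a run is recorded as `(None, destination)`. The removed lines built the source explicitly as `ExprInt(self.jitter.pc, self.ir_arch.IRDst.size)`; the new source is whatever `cur_addr` is in the handler, which is defined outside the visible hunks. It is worth confirming that it has the same type on every call, so that equal branches compare and hash equal in `_known_solutions`. A comment such as `# _previous_addr is None for the first branch of a run` above the assignment would make the initial case explicit. The body of `_key_for_solution_strategy` continues outside this hunk.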
@@ -632,3 +636,6 @@ class DSEPathConstraint(DSEEngine):
             # Update current solver
             for cons in cur_path_constraint:
                 self.cur_solver.add(self.z3_trans.from_expr(cons))
+
+        if self._produce_solution_strategy == self.PRODUCE_SOLUTION_BRANCH_COV:
+            self._previous_addr = cur_addr
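Review bot: `_previous_addr` is updated only on the last line of the method, so any earlier `return` or raised exception in the enclosing body (which starts outside this hunk) would leave the previous address in place. The next branch key would then pair a stale source with the new destination, which can hide an untaken branch from the solver or report one twice. If the method has early exits, assigning `self._previous_addr = cur_addr` in a `finally` clause or before each exit would keep it in step. A comment such as `# Remember this address as the source of the next branch` would document the intent.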