Reopt VCG is a companion-tool to Reopt, designed to demonstrate functional equivalence between Reopt-generated LLVM bitcode and the original binary. This is done by simulating execution of each in tandem, block-by-block, and generating verification conditions which are dispatched to an external SMT solver (CVC4) intended to prove their behavioral equivalence.
Reopt VCG relies on an annotations file generated by Reopt for the binary in
question (see Reopt's --annotations flag). This annotations file contains the
locations of the original binary and generated LLVM bitcode files along with
annotations intended to provide context for basic blocks which assist
verification condition generation.
By default Reopt VCG will generate verification conditions and dispatch them
to CVC4 to verify them. The --export flag can be used to instead emit
each verification condition as an .smt2 file for manual inspection/verification.
Example usage:
$ reopt-vcg test_fib_diet_reopt.ann
Generating verification conditions for LLVM module...
.............................................................................
.............................................................................
.....
All 2 functions were assigned verification conditions without error.
====================== GOAL VERIFICATION SUMMARY =======================
All 159 generated verification goals successfully proven.
Note: on non-trivial binaries, some verification conditions may fail to be proven. This does not necessarily indicate that the lifting to LLVM was erroneous, as some verification conditions are inherently difficult to prove in practice. E.g., they may rely on non-trivial semantic properties which are under active development/research (e.g., invariants regarding memory safety, memory layout, pointer semantics, etc). Manual inspection of failed verification conditions can be useful in these instances.
The verification conditions generated for checking the equivalence of a binary
basic block and the corresponding LLVM bitcode generated by reopt fall into
one of the following categories, focusing on the equivalence of externally
observable events that occur during execution:
- Machine code reads/writes only from unreserved stack space.
- LLVM writes targets intended allocation.
- Machine code write targets intended allocation.
- Read heap address not in stack space.
- Block is unreachable.
- Instruction pointer is expected value.
- Reopt-infered pre/post-condition holds.
- LLVM and machine code read from same allocation offset.
- LLVM and machine code load from same heap address.
- LLVM and machine code store to same heap address.
- LLVM and machine code store the same value to the heap.
- LLVM and machine code branch to the same function address.
- Stack height preserved.
- Return address preserved.
- Register value preserved.
- Return address is next instruction.
- LLVM and machine code return values match.
- Argument matches register.
- Direction flag is expected value.
add, fib, and nweb have been the running examples this tool was developed
against. Annotations files for these live in the test-programs directory of
this repository.