Fix #1210: Dead memory store elimination

JonathanSalwan · Nov 20, 2022 · 2ea88a6 · 2ea88a6
1 parent ae619d4
commit 2ea88a6
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 4 deletions.
diff --git a/.build_number b/.build_number
@@ -1 +1 @@
-1588
+1589
diff --git a/src/libtriton/engines/symbolic/symbolicSimplification.cpp b/src/libtriton/engines/symbolic/symbolicSimplification.cpp
@@ -234,9 +234,6 @@ namespace triton {
 
         /* Define a temporary Context */
         triton::Context tmpctx(this->architecture->getArchitecture());
-        tmpctx.setMode(triton::modes::MEMORY_ARRAY, true);
-        tmpctx.setMode(triton::modes::SYMBOLIZE_LOAD, true);
-        tmpctx.setMode(triton::modes::SYMBOLIZE_STORE, true);
 
         /* Synch the concrete state */
         tmpctx.setConcreteState(*this->architecture);
@@ -258,6 +255,33 @@ namespace triton {
           }
         }
 
+        /* Keep instructions that build effective addresses (see #1174) */
+        for (auto& inst : in.getInstructions()) {
+          std::set<std::pair<triton::arch::MemoryAccess, triton::ast::SharedAbstractNode>> access;
+          if (inst.isMemoryWrite()) {
+            access = inst.getStoreAccess();
+          }
+          if (inst.isMemoryRead()) {
+            access.insert(inst.getLoadAccess().begin(), inst.getLoadAccess().end());
+          }
+          for (const auto& x : access) {
+            auto refs = triton::ast::search(x.second, triton::ast::REFERENCE_NODE);
+            for (const auto& ref : refs) {
+              auto expr = reinterpret_cast<triton::ast::ReferenceNode*>(ref.get())->getSymbolicExpression();
+              auto eid = expr->getId();
+              lifetime[eid] = expr;
+            }
+            if (x.first.getLeaAst()) {
+              auto refs = triton::ast::search(x.first.getLeaAst(), triton::ast::REFERENCE_NODE);
+              for (const auto& ref : refs) {
+                auto expr = reinterpret_cast<triton::ast::ReferenceNode*>(ref.get())->getSymbolicExpression();
+                auto eid = expr->getId();
+                lifetime[eid] = expr;
+              }
+            }
+          }
+        }
+
         /* Get back the origin assembly of expressions that still alive */
         for (auto& se : lifetime) {
           if (se.second->getDisassembly().empty()) {

diff --git a/src/testers/unittests/test_dead_store_elimination.py b/src/testers/unittests/test_dead_store_elimination.py
@@ -473,3 +473,15 @@ def test_inst9(self):
         self.assertEqual(str(sblock), '0x0: mov rsi, 0\n'
                                       '0x7: mov qword ptr [rsi], rdx\n'
                                       '0xa: pop rsi')
+
+    def test_inst10(self):
+        self.ctx.setArchitecture(ARCH.X86_64)
+        block = BasicBlock([
+            Instruction(b"\x89\x2c\x24"), # mov dword ptr [rsp], ebp
+            Instruction(b"\x89\x1c\x24"), # mov dword ptr [rsp], ebx
+            Instruction(b"\x89\x04\x24"), # mov dword ptr [rsp], eax
+        ])
+        self.ctx.disassembly(block)
+        sblock = self.ctx.simplify(block)
+        self.ctx.disassembly(sblock)
+        self.assertEqual(str(sblock), '0x0: mov dword ptr [rsp], eax')