This repository has been archived by the owner on Aug 23, 2022. It is now read-only.

Jump table size exception #40

Closed
avasick opened this issue Oct 6, 2015 · 2 comments

Comments

@avasick

avasick commented Oct 6, 2015

Hi,
I am trying to disassemble thttpd 2.26 built using clang 3.8 on Ubuntu 14.04. Using get_cfg.py with -march=x86, I get an Exception: Jump Table Not Size 4.

Starting insn at: 406ead
        inst: movsx   ecx, byte ptr [r8+rdx]
        Bytes: [65, 15, 190, 12, 16]
        inst: mov     eax, 2
        Bytes: [184, 2, 0, 0, 0]
        inst: jmp     ds:off_40F510[rsi*8]; switch jump
        Bytes: [255, 36, 245, 16, 245, 64, 0]
Jump table size not 4!

I tried to ignore this exception which leads to out of order symbols when calling cfg_to_bc, which is obviously not a viable workaround.

@artemdinaburg
Contributor

I can reproduce your problem.

Working on a fix, hoping it'll be quick since I think most of the internals should support 64-bit jump tables, just that the cfg recovery and some checks aren't updated to handle them.

I'm also using a build of thttpd -- but it's probably too complex to re-emit and still function. If you have a smaller example that has the same behavior, I can add it to the mcsema tests.
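The exception in the report comes from a check that only accepts 4-byte jump-table entries, while the instruction shown, `jmp ds:off_40F510[rsi*8]`, scales the index by 8, i.e. a table of 64-bit entries. The following is an added example (not mcsema's own code, and not from either participant) that decodes the exact 7 instruction bytes quoted in the issue to recover the table address and the entry size from the SIB scale, then walks a constructed sample table with that entry size. The table bytes and the address range are constructed for the example; only the instruction bytes and the `0x40F510` address come from the issue.

```python
import struct

# The 7 bytes quoted in the issue for `jmp ds:off_40F510[rsi*8]` (opcode FF /4 + ModRM + SIB + disp32).
ISSUE_JMP_BYTES = bytes([255, 36, 245, 16, 245, 64, 0])

# Constructed sample jump table with 8-byte (64-bit) entries: three case targets
# inside the function, followed by an all-zero entry that ends the table here.
CONSTRUCTED_TABLE = struct.pack("<4Q", 0x406F00, 0x406F10, 0x406F20, 0)
# Constructed address range of the code that owns the switch (lo inclusive, hi exclusive).
CONSTRUCTED_TEXT_RANGE = (0x406000, 0x407000)

# Register numbers 0..7 of the SIB index field without a REX prefix.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode_indirect_jmp(insn: bytes):
    """Decode `jmp [disp32 + index*scale]` (FF /4 with a SIB byte and no base register)
    and return (table_address, index_register, entry_size).

    Only the disp32-only SIB form used by the instruction in the issue is handled;
    any other encoding raises ValueError instead of guessing."""
    if len(insn) != 7 or insn[0] != 0xFF:
        raise ValueError("expected a 7-byte FF-opcode indirect jmp")
    modrm = insn[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 4 or mod != 0 or rm != 4:
        raise ValueError("expected jmp r/m (/4) with mod=00 and a SIB byte")
    sib = insn[2]
    scale = 1 << (sib >> 6)          # SIB.scale: 00->1, 01->2, 10->4, 11->8
    index = REG64[(sib >> 3) & 7]    # SIB.index: which register selects the case
    base = sib & 7
    if base != 5:
        raise ValueError("expected SIB base=101 (disp32 with no base register)")
    (disp32,) = struct.unpack("<I", insn[3:7])
    return disp32, index, scale


def read_jump_table(table: bytes, entry_size: int, text_range):
    """Read entries of `entry_size` bytes (4 or 8) until one falls outside `text_range`.

    The check the issue trips over accepted only 4; 8 is what the `[rsi*8]` scale implies.
    Reading an 8-byte table as 4-byte entries silently stops after the first entry because
    the high dword of each 64-bit pointer is zero and lands outside the code range."""
    if entry_size not in (4, 8):
        raise ValueError(f"Jump table size not 4 or 8: {entry_size}")
    fmt = "<I" if entry_size == 4 else "<Q"
    lo, hi = text_range
    targets = []
    for off in range(0, len(table) - entry_size + 1, entry_size):
        (target,) = struct.unpack(fmt, table[off:off + entry_size])
        if not (lo <= target < hi):
            break
        targets.append(target)
    return targets


def recover_switch_targets(jmp_insn: bytes, table: bytes, text_range):
    """Derive the entry size from the jump's SIB scale, then walk the table with it."""
    table_addr, _index_reg, entry_size = decode_indirect_jmp(jmp_insn)
    return table_addr, entry_size, read_jump_table(table, entry_size, text_range)


if __name__ == "__main__":
    addr, size, targets = recover_switch_targets(
        ISSUE_JMP_BYTES, CONSTRUCTED_TABLE, CONSTRUCTED_TEXT_RANGE)
    print(f"table at {addr:#x}, entry size {size}, targets {[hex(t) for t in targets]}")
```

Running it against the issue's bytes yields table address `0x40f510` and entry size 8; walking the constructed table with size 8 recovers all three case targets, while forcing size 4 on the same bytes recovers only the first, which is the kind of truncated, out-of-order result that ignoring the exception produces.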

@artemdinaburg
Contributor

Fixed the initial issue, but can't confirm how well until we can get a smaller example. It's possible to get output bitcode now, though.

So the bitcode you get for thttpd won't be rebuilt into a working thttpd. To get runnable bitcode mcsema will need to get better ELF support, like processing .init and adding support for callbacks of translated functions, as thttpd looks like it uses threading.

To get some bitcode:

source env.sh

# foo.txt will contain the cfg recovery log
IDALOG=`pwd`/foo.txt ${BIN_DESCEND_PATH}/bin_descend_wrapper.py -d -march=x86-64 -func-map=<path to mcsema>/mc-sema/std_defs/std_defs.txt -entry-symbol=main -i=thttpd > foo.txt

# Currently you need -ignore-unsupported since there's a few missing instructions, but you'll get some output bitcode
${CFG_TO_BC_PATH}/cfg_to_bc -mtriple=x86_64-pc-linux-gnu --ignore-unsupported -i thttpd.cfg -driver=mcsema_main,main,raw,return,C -o thttpd.bc

The unsupported instructions are mostly 64-bit versions of things like XOR, CMP, etc. All that's really needed is just to add them to the translation mapping. I already did a few for SUB/SBB and CMOV, which came up a lot. The new instructions also need unit tests.
