Chess changes breakout for upstream

.coveragerc

@@ -17,3 +17,5 @@ exclude_lines =
 
     # We don't bother testing code that's explicitly unimplemented
     raise NotImplementedError
+    raise AssertionError
+    raise Aarch64InvalidInstruction

.github/workflows/ci.yml

@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     branches:
-      - master
+      - chess
   pull_request:
   schedule:
     # run CI every day even if no PRs/merges occur

manticore/__main__.py

@@ -29,6 +29,9 @@ def main() -> None:
     """
     Dispatches execution into one of Manticore's engines: evm or native.
     """
+    # Only print with Manticore's logger
+    logging.getLogger().handlers = []
+    log.init_logging()
     args = parse_arguments()
 
     if args.no_colors:
@@ -101,13 +104,13 @@ def positive(value):
         help=("A folder name for temporaries and results." "(default mcore_?????)"),
     )
 
-    current_version = pkg_resources.get_distribution("manticore").version
-    parser.add_argument(
-        "--version",
-        action="version",
-        version=f"Manticore {current_version}",
-        help="Show program version information",
-    )
+    # current_version = pkg_resources.get_distribution("manticore").version
+    # parser.add_argument(
+    #    "--version",
+    #    action="version",
+    #    version=f"Manticore {current_version}",
+    #    help="Show program version information",
+    # )
     parser.add_argument(
         "--config",
         type=str,

manticore/core/smtlib/solver.py

@@ -254,8 +254,16 @@ def send(self, cmd: str) -> None:
         """
         if self._debug:
             logger.debug(">%s", cmd)
-        self._proc.stdout.flush()  # type: ignore
-        self._proc.stdin.write(f"{cmd}\n")  # type: ignore
+        try:
+            self._proc.stdout.flush()  # type: ignore
+            self._proc.stdin.write(f"{cmd}\n")  # type: ignore
+        except (BrokenPipeError, IOError) as e:
+            logger.critical(
+                f"Solver encountered an error trying to send commands: {e}.\n"
+                f"\tOutput: {self._proc.stdout}\n\n"
+                f"\tStderr: {self._proc.stderr}"
+            )
+            raise e
 
     def recv(self, wait=True) -> Optional[str]:
         """Reads the response from the smtlib solver

manticore/core/state.py

@@ -238,6 +238,7 @@ def __enter__(self):
         new_state._input_symbols = list(self._input_symbols)
         new_state._context = copy.copy(self._context)
         new_state._id = None
+        new_state.manticore = self.manticore
         new_state._total_exec = self._total_exec
         self.copy_eventful_state(new_state)
 

manticore/core/worker.py

@@ -188,6 +188,9 @@ def run(self, *args):
                         m._kill_state(current_state.id)
                         m._publish("did_kill_state", current_state, exc)
                         current_state = None
+                    # Kill Manticore if _any_ state encounters unrecoverable
+                    # exception/assertion
+                    m.kill()
                     break
 
             # Getting out.

manticore/native/cpu/aarch64.py

@@ -1,4 +1,5 @@
-import warnings
+from typing import NamedTuple
+from inspect import signature as inspect_signature
 
 import capstone as cs
 import collections
@@ -16,7 +17,6 @@
     Operand,
     instruction,
 )
-from .arm import HighBit, Armv7Operand
 from .bitwise import SInt, UInt, ASR, LSL, LSR, ROR, Mask, GetNBits
 from .register import Register
 from ...core.smtlib import Operators
@@ -299,45 +299,7 @@ def canonicalize_instruction_name(insn):
         # work for B.cond.  Instead of being set to something like 'b.eq',
         # it just returns 'b'.
         name = insn.mnemonic.upper()
-        name = OP_NAME_MAP.get(name, name)
-        ops = insn.operands
-        name_list = name.split(".")
-
-        # Make sure MOV (bitmask immediate) and MOV (register) go through 'MOV'.
-        if (
-            name == "ORR"
-            and len(ops) == 3
-            and ops[1].type == cs.arm64.ARM64_OP_REG
-            and ops[1].reg in ["WZR", "XZR"]
-            and not ops[2].is_shifted()
-        ):
-            name = "MOV"
-            insn._raw.mnemonic = name.lower().encode("ascii")
-            del ops[1]
-
-        # Map all B.cond variants to a single implementation.
-        elif len(name_list) == 2 and name_list[0] == "B" and insn.cc != cs.arm64.ARM64_CC_INVALID:
-            name = "B_cond"
-
-        # XXX: BFI is only valid when Rn != 11111:
-        # https://github.com/aquynh/capstone/issues/1441
-        elif (
-            name == "BFI"
-            and len(ops) == 4
-            and ops[1].type == cs.arm64.ARM64_OP_REG
-            and ops[1].reg in ["WZR", "XZR"]
-        ):
-            name = "BFC"
-            insn._raw.mnemonic = name.lower().encode("ascii")
-            del ops[1]
-
-        # XXX: CMEQ incorrectly sets the type to 'ARM64_OP_FP' for
-        # 'cmeq v0.16b, v1.16b, #0':
-        # https://github.com/aquynh/capstone/issues/1443
-        elif name == "CMEQ" and len(ops) == 3 and ops[2].type == cs.arm64.ARM64_OP_FP:
-            ops[2]._type = cs.arm64.ARM64_OP_IMM
-
-        return name
+        return OP_NAME_MAP.get(name, name)
 
     @property
     def insn_bit_str(self):
@@ -2366,13 +2328,15 @@ def _CMEQ_zero(cpu, res_op, reg_op, imm_op):
         cpu._cmeq(res_op, reg_op, imm_op, register=False)
 
     @instruction
-    def CMEQ(cpu, res_op, reg_op, reg_imm_op):
+    def CMEQ(cpu, res_op, reg_op, reg_imm_op, _bug=0):
         """
         Combines CMEQ (register) and CMEQ (zero).
 
         :param res_op: destination register.
         :param reg_op: source register.
         :param reg_imm_op: source register or immediate (zero).
+
+        :param bug: Buggy extra operand https://github.com/aquynh/capstone/issues/1629
         """
         assert res_op.type is cs.arm64.ARM64_OP_REG
         assert reg_op.type is cs.arm64.ARM64_OP_REG
@@ -3648,17 +3612,6 @@ def _MOV_to_general(cpu, res_op, reg_op):
 
         # XXX: Check if trapped.
 
-        # XXX: Capstone doesn't set 'vess' for this alias:
-        # https://github.com/aquynh/capstone/issues/1452
-        if res_op.size == 32:
-            reg_op.op.vess = cs.arm64.ARM64_VESS_S
-
-        elif res_op.size == 64:
-            reg_op.op.vess = cs.arm64.ARM64_VESS_D
-
-        else:
-            raise Aarch64InvalidInstruction
-
         # The 'instruction' decorator advances PC, so call the original
         # method.
         cpu.UMOV.__wrapped__(cpu, res_op, reg_op)
@@ -3851,7 +3804,7 @@ def MRS(cpu, res_op, reg_op):
         :param reg_op: source system register.
         """
         assert res_op.type is cs.arm64.ARM64_OP_REG
-        assert reg_op.type is cs.arm64.ARM64_OP_REG_MRS
+        assert reg_op.type is cs.arm64.ARM64_OP_SYS
 
         insn_rx = "1101010100"
         insn_rx += "1"  # L
@@ -3877,7 +3830,7 @@ def MSR(cpu, res_op, reg_op):
         :param res_op: destination system register.
         :param reg_op: source register.
         """
-        assert res_op.type is cs.arm64.ARM64_OP_REG_MSR
+        assert res_op.type is cs.arm64.ARM64_OP_SYS
         assert reg_op.type is cs.arm64.ARM64_OP_REG
 
         insn_rx = "1101010100"
@@ -5168,18 +5121,18 @@ def UMOV(cpu, res_op, reg_op):
 
         reg = reg_op.read()
         index = reg_op.op.vector_index
-        vess = reg_op.op.vess
+        vas = reg_op.op.vas
 
-        if vess == cs.arm64.ARM64_VESS_B:
+        if vas == cs.arm64.ARM64_VAS_1B:
             elem_size = 8
 
-        elif vess == cs.arm64.ARM64_VESS_H:
+        elif vas == cs.arm64.ARM64_VAS_1H:
             elem_size = 16
 
-        elif vess == cs.arm64.ARM64_VESS_S:
+        elif vas == cs.arm64.ARM64_VAS_1S:
             elem_size = 32
 
-        elif vess == cs.arm64.ARM64_VESS_D:
+        elif vas == cs.arm64.ARM64_VAS_1D:
             elem_size = 64
 
         else:
@@ -5302,6 +5255,9 @@ def get_arguments(self):
         for address in self.values_from(self._cpu.STACK):
             yield address
 
+    def get_return_reg(self):
+        return "X0"
+
     def write_result(self, result):
         self._cpu.X0 = result
 
@@ -5339,6 +5295,7 @@ def __init__(self, cpu, op, **kwargs):
             cs.arm64.ARM64_OP_MEM,
             cs.arm64.ARM64_OP_IMM,
             cs.arm64.ARM64_OP_FP,
+            cs.arm64.ARM64_OP_SYS,
             cs.arm64.ARM64_OP_BARRIER,
         ):
             raise NotImplementedError(f"Unsupported operand type: '{self.op.type}'")
@@ -5386,7 +5343,7 @@ def is_extended(self):
     def read(self):
         if self.type == cs.arm64.ARM64_OP_REG:
             return self.cpu.regfile.read(self.reg)
-        elif self.type == cs.arm64.ARM64_OP_REG_MRS:
+        elif self.type == cs.arm64.ARM64_OP_REG_MRS or self.type == cs.arm64.ARM64_OP_SYS:
             name = SYS_REG_MAP.get(self.op.sys)
             if not name:
                 raise NotImplementedError(f"Unsupported system register: '0x{self.op.sys:x}'")
@@ -5399,7 +5356,7 @@ def read(self):
     def write(self, value):
         if self.type == cs.arm64.ARM64_OP_REG:
             self.cpu.regfile.write(self.reg, value)
-        elif self.type == cs.arm64.ARM64_OP_REG_MSR:
+        elif self.type == cs.arm64.ARM64_OP_REG_MSR or cs.arm64.ARM64_OP_SYS:
             name = SYS_REG_MAP.get(self.op.sys)
             if not name:
                 raise NotImplementedError(f"Unsupported system register: '0x{self.op.sys:x}'")

manticore/native/cpu/abstractcpu.py

@@ -294,6 +294,15 @@ def get_arguments(self):
         """
         raise NotImplementedError
 
+    def get_return_reg(self):
+        """
+        Extract the location a return value will be written to. Produces
+        a string describing a register where the return value is written to.
+        :return: return register name
+        :rtype: string
+        """
+        raise NotImplementedError
+
     def write_result(self, result):
         """
         Write the result of a model back to the environment.
@@ -521,6 +530,7 @@ def __init__(self, regfile: RegisterFile, memory: Memory, **kwargs):
         self._instruction_cache: Dict[int, Any] = {}
         self._icount = 0
         self._last_pc = None
+        self._last_executed_pc = None
         self._concrete = kwargs.pop("concrete", False)
         self.emu = None
         self._break_unicorn_at: Optional[int] = None
@@ -537,6 +547,7 @@ def __getstate__(self):
         state["memory"] = self._memory
         state["icount"] = self._icount
         state["last_pc"] = self._last_pc
+        state["last_executed_pc"] = self._last_executed_pc
         state["disassembler"] = self._disasm
         state["concrete"] = self._concrete
         state["break_unicorn_at"] = self._break_unicorn_at
@@ -553,6 +564,7 @@ def __setstate__(self, state):
         )
         self._icount = state["icount"]
         self._last_pc = state["last_pc"]
+        self._last_executed_pc = state["last_executed_pc"]
         self._disasm = state["disassembler"]
         self._concrete = state["concrete"]
         self._break_unicorn_at = state["break_unicorn_at"]
@@ -563,6 +575,14 @@ def __setstate__(self, state):
     def icount(self):
         return self._icount
 
+    @property
+    def last_executed_pc(self) -> Optional[int]:
+        return self._last_executed_pc
+
+    @property
+    def last_executed_insn(self):
+        return self.decode_instruction(self.last_executed_pc)
+
     ##############################
     # Register access
     @property
@@ -723,7 +743,7 @@ def _raw_read(self, where: int, size: int = 1, force: bool = False) -> bytes:
         assert len(data) == size, "Raw read resulted in wrong data read which should never happen"
         return data
 
-    def read_int(self, where, size=None, force=False):
+    def read_int(self, where, size=None, force=False, publish=True):
         """
         Reads int from memory
 
@@ -736,13 +756,15 @@ def read_int(self, where, size=None, force=False):
         if size is None:
             size = self.address_bit_size
         assert size in SANE_SIZES
-        self._publish("will_read_memory", where, size)
+        if publish:
+            self._publish("will_read_memory", where, size)
 
         data = self._memory.read(where, size // 8, force)
         assert (8 * len(data)) == size
         value = Operators.CONCAT(size, *map(Operators.ORD, reversed(data)))
 
-        self._publish("did_read_memory", where, value, size)
+        if publish:
+            self._publish("did_read_memory", where, value, size)
         return value
 
     def write_bytes(self, where: int, data, force: bool = False) -> None:
@@ -777,7 +799,7 @@ def write_bytes(self, where: int, data, force: bool = False) -> None:
             for i in range(len(data)):
                 self.write_int(where + i, Operators.ORD(data[i]), 8, force)
 
-    def read_bytes(self, where: int, size: int, force: bool = False):
+    def read_bytes(self, where: int, size: int, force: bool = False, publish=True):
         """
         Read from memory.
 
@@ -789,7 +811,7 @@ def read_bytes(self, where: int, size: int, force: bool = False):
         """
         result = []
         for i in range(size):
-            result.append(Operators.CHR(self.read_int(where + i, 8, force)))
+            result.append(Operators.CHR(self.read_int(where + i, 8, force, publish=publish)))
         return result
 
     def write_string(
@@ -976,6 +998,7 @@ def execute(self):
         """
         curpc = self.PC
         if self._delayed_event:
+            self._last_executed_pc = self._last_pc
             self._icount += 1
             self._publish(
                 "did_execute_instruction",
@@ -1000,6 +1023,7 @@ def execute(self):
         # FIXME (theo) why just return here?
         # hook changed PC, so we trust that there is nothing more to do
         if insn.address != self.PC:
+            self._last_executed_pc = self.PC
             return
 
         name = self.canonicalize_instruction_name(insn)
@@ -1047,6 +1071,7 @@ def _publish_instruction_as_executed(self, insn):
         """
         Notify listeners that an instruction has been executed.
         """
+        self._last_executed_pc = self._last_pc
         self._icount += 1
         self._publish("did_execute_instruction", self._last_pc, self.PC, insn)