From: Julian S. <js...@ac...> - 2007-05-10 15:26:15
> So basically, it goes 'wrong' for the artificial case. I don't think you can reliably establish what you want by looking at the post-optimisation IR. Whether or not bbOut->next is Iex_RdTmp or Iex_Const depends a lot on what the IR optimiser (iropt) was able to do. In your artificial example, you construct a value in a register and jump to that, but iropt folds the computation out so it looks like a direct jump at the IR level. Conversely, it could happen (maybe ..) that the program does a jump to a constant location, but CSEing of the IR causes bbOut->next to be an Iex_RdTmp.
>
> IR is designed to make explicit the program's semantics and allow easy optimisation and instrumentation. But it is not good for answering questions about the original instruction forms.
>
> There is a solution, though. Ignore all the IR except the IRStmt_IMarks. These tell you the start address of each instruction. Your instrumentation code can use that to read the instructions and detect for themselves the branches and branch kinds. This is not ideal, but in fact there are not many forms of branches (read guest-amd64/toIR.c) and so it is not so much work. Remember that you will quite often get a REX prefix in the range 0x40 .. 0x4F before the primary opcode.
>
> J
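The approach Julian describes, as an added example that is not code from the post or from Valgrind itself: a stand-alone classifier for the branch form of one amd64 instruction, given the bytes a tool would read from guest memory at the address and length carried by each IRStmt_IMark. The set of legacy prefixes skipped and the byte strings used below are assumptions constructed for the example, not taken from toIR.c.

```c
#include <stdint.h>
#include <stddef.h>

/* Branch kinds a tool would typically want to count or trace. */
typedef enum {
    BR_NONE = 0,
    BR_JMP_DIRECT,    /* E9 rel32, EB rel8 */
    BR_JCC_DIRECT,    /* 70..7F rel8, 0F 80..8F rel32 */
    BR_CALL_DIRECT,   /* E8 rel32 */
    BR_JMP_INDIRECT,  /* FF /4 */
    BR_CALL_INDIRECT, /* FF /2 */
    BR_RET            /* C3, C2 iw */
} BranchKind;

/* Classify one instruction from its raw bytes. In a Valgrind tool the caller
 * would invoke this from the Ist_IMark case of its instrument() callback,
 * passing the bytes found at st->Ist.IMark.addr with len st->Ist.IMark.len
 * (assumed usage; the IMark itself carries only address and length). */
BranchKind classify_branch(const uint8_t *insn, size_t len)
{
    size_t i = 0;
    /* Skip the common legacy prefixes (operand/address size, lock/rep,
     * segment overrides). Assumption: this list covers compiler output. */
    while (i < len && (insn[i] == 0x66 || insn[i] == 0x67 || insn[i] == 0xF0 ||
                       insn[i] == 0xF2 || insn[i] == 0xF3 || insn[i] == 0x2E ||
                       insn[i] == 0x36 || insn[i] == 0x3E || insn[i] == 0x26 ||
                       insn[i] == 0x64 || insn[i] == 0x65))
        i++;
    /* A REX prefix (0x40..0x4F) sits immediately before the primary opcode. */
    if (i < len && insn[i] >= 0x40 && insn[i] <= 0x4F)
        i++;
    if (i >= len) return BR_NONE;
    uint8_t op = insn[i];
    if (op == 0xE8) return BR_CALL_DIRECT;
    if (op == 0xE9 || op == 0xEB) return BR_JMP_DIRECT;
    if (op >= 0x70 && op <= 0x7F) return BR_JCC_DIRECT;
    if (op == 0xC3 || op == 0xC2) return BR_RET;
    if (op == 0x0F && i + 1 < len && insn[i + 1] >= 0x80 && insn[i + 1] <= 0x8F)
        return BR_JCC_DIRECT;
    if (op == 0xFF && i + 1 < len) {
        /* The ModRM reg field selects the operation within the FF group. */
        uint8_t reg = (insn[i + 1] >> 3) & 7;
        if (reg == 2) return BR_CALL_INDIRECT;
        if (reg == 4) return BR_JMP_INDIRECT;
    }
    return BR_NONE;
}
```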