1ed00cc67e
Refactor: reorganize lifter/ into subdirectories with PascalCase naming
...
Directory structure:
lifter/core/ - LifterClass, pipeline, drivers, application, utils
lifter/semantics/ - Semantics*.ipp, OperandUtils.ipp, opcodes
lifter/disasm/ - Disassembler backends, mnemonic/register mappings
lifter/memory/ - GEPTracker, MemoryPolicy, FileReader
lifter/analysis/ - PathSolver, CustomPasses
lifter/test/ - TestInstructions, Tester, test_vectors/
Naming convention standardized to PascalCase:
fileReader.hpp -> FileReader.hpp
lifterClass.hpp -> LifterClass.hpp
icedDisassembler* -> IcedDisassembler*
utils.h/cpp -> Utils.h/cpp
includes.h -> Includes.h
pp_macros.hpp -> PPMacros.hpp
test_instructions* -> TestInstructions*
tester.hpp -> Tester.hpp
Include resolution uses cmake include-directories so no
path prefixes needed in #include directives. All script
paths updated for new test_vectors and opcodes locations.
2026-03-06 18:07:26 +03:00
7362486e82
Address PR review: fail-fast oracle pipeline, stable shift vectors, stricter validation
...
- Workflow: enforce per-package choco install exit-code checks in rewrite gate
- Seed builder:
- make sar/shl/shr overrides use immediate count=1 (stable OF semantics)
- merge DEFAULT_INITIAL into all smoke cases
- define explicit default flag state (CF/PF/AF/ZF/SF/OF/DF=0, IF=1)
- Enrichment:
- validate seed schema and cases array
- validate expected payload type
- strict computed-helper input checks (required RSI/RDI/RBP where needed)
- reject malformed initial/register/flag objects
- Oracle generation:
- fail fast on emulation errors (no silent skip downgrade)
- validate expected.registers/expected.flags are objects for none/computed
- Lifter/tests:
- reset hadConditionalBranch/lastBranchTaken per testcase
- disambiguate branchHelper when true/false destinations are equal
- reject invalid expected.branch_taken types and non {0,1} ints
- Coverage/reporting:
- count covered handlers only within opcode universe
- guard text coverage percentage against divide-by-zero
- normalize test.py report --vectors path relative to repo root
- Regenerated oracle seeds/vectors and updated full-handler vectors
- oracle_vectors_full_handlers.json now: 130 cases, 3 skipped (cpuid, rdtsc, ret)
2026-03-04 12:08:00 +03:00
2fec84f38c
Cover remaining handlers: stack/call/jmp/string/cli + fix movs_X RSI/RDI swap
...
Bug fix:
- lift_movs_X (Semantics.ipp:405-406): non-REP path swapped RSI/RDI updates.
sourceReg (RSI+Direction) was written to RDI and vice versa.
REP path (lines 392-393) was already correct.
New test coverage (10 handlers):
- Stack: push, pop, pushfq, popfq, leave (assert RSP delta)
- Control flow: call (assert RSP-8), jmp (assert no crash)
- String: movs_x/movsq (assert RSI/RDI +8), stosx/stosq (assert RDI +8)
- System: cli (assert FLAG_IF=0)
Pipeline changes:
- enrich_seed.py: add COMPUTED_HANDLERS dict with register-effect lambdas;
remove stack/string/control-flow from SKIP_HANDLERS; add _parse_int helper
- build_full_handler_seed.py: add manual cases for all 10 handlers with
appropriate initial state (leave: RBP=0x200000, ret: RSP=0x14FF00)
- report_coverage.py: count any non-skipped active case as coverage
(not just cases with register/flag assertions)
Excluded:
- ret: crashes in solvePath when return address is symbolic (GEPTracker
UNREACHABLE with max_unknown=0). Requires framework-level fix.
- cpuid/rdtsc: nondeterministic, cannot test.
Coverage: 98/111 (88%) -> 108/111 (97%)
Test cases: 118 -> 127 (9 new)
Remaining: 3 skipped (ret, cpuid, rdtsc), 0 uncovered
2026-03-04 11:07:14 +03:00
05b2e562f8
Add jcc conditional branch testing (16 handlers, taken+not-taken)
...
- Add hadConditionalBranch/lastBranchTaken tracking to lifterClass.hpp
- Instrument branchHelper in Semantics.ipp to record branch outcome
- Add expectedBranchTaken field to InstructionTestCase (tester.hpp)
- Parse expected.branch_taken from oracle vectors JSON (test_instructions.cpp)
- Add branch-taken assertion in runTestCase after flag checks
- Add all 16 jcc handlers to MANUAL_HANDLER_CASES with taken variants
- Add VARIANT_HANDLER_CASES with not-taken variants for full coverage
- Add JCC_HANDLERS condition map to enrich_seed.py (flag -> branch_taken)
- Add oracle=computed mode to generate_oracle_vectors.py (no Unicorn needed)
- Fix report_coverage.py to count branch_taken as coverage evidence
Coverage: 82/111 (74%) -> 98/111 (88%)
Test cases: 86 -> 118 (32 new jcc: 16 taken + 16 not-taken)
Remaining uncovered: 1 (cli), 12 skipped (stack/call/ret/string/nondeterministic)
2026-03-04 10:37:47 +03:00
9ecd4b68e0
Expand handler test coverage to 75/111 and fix lzcnt/tzcnt/xadd bugs
...
Semantic fixes:
- lzcnt/tzcnt: inline constant-fold ctlz/cttz intrinsics when source is
ConstantInt (bypasses dead simplifyValue function)
- xadd: fix register aliasing bug when src==dest by swapping write order
(write SRC=original first, then DEST=sum last)
Test infrastructure:
- Add enrich_seed.py: auto-populates expected registers/flags for all
auto-discovered handler cases based on Capstone disassembly analysis
- Add report_coverage.py: handler coverage report (text + JSON)
- Promote full handler oracle vectors as default oracle_vectors.json
- Update run_all_handlers.cmd pipeline with enrichment step
- Add 'report' subcommand to test.py
Coverage: 75/111 handlers tested with oracle (68%), 35 skipped (control
flow/stack/system instructions requiring special setup), 1 uncovered (cli).
79 active test cases pass register checks, 11 have flag mismatches (tracked).
2026-03-04 09:40:33 +03:00
yusufcanislek