Mirror of https://github.com/NaC-L/Mergen.git (synced 2026-05-12 09:40:34 +00:00), commit aed80b8655
Introduces the infrastructure needed to keep Themida's control-slot-driven indirect dispatch symbolic through the late cursor-manipulation chain at 0x140023741..0x1400237dc.
Core pieces:
- activeGeneralizedLoopControlFieldState: per-loop snapshot of {canonical,backedge}*{control,buffer,source}, populated on load_generalized_backup and cleared on load_backup, consumed by the retrieve_* helpers below.
- retrieve_generalized_loop_control_field_value / retrieve_generalized_loop_control_slot_value / retrieve_generalized_loop_target_slot_value / retrieve_generalized_loop_phi_address_value / retrieve_generalized_loop_local_phi_address_value: CRTP dispatch into concrete implementations that either (a) emit a two-incoming phi of the canonical and backedge values at the loop header, or (b) return nullptr so the caller falls back to the existing load path. Symbolic mode stubs them to nullptr so symbolic analysis behavior is unchanged.
- PHINode handling in computePossibleValues: enumerate incoming operand value sets and union them, so downstream callers get the full set instead of an empty result on phis that previously fell through the default path.
- solvePath: prefer mapped targets over null for indirect jumps, plus supporting control-field hookups.
- mergeValue in make_generalized_loop_backup gains a widenFirstBackedge parameter and a shouldPreserveGeneralizedBackedgeRegisterIndex predicate. RSP is now preserved through the first backedge; other GPRs and flags continue to widen to Undef, matching main's prior behavior.
Explicitly NOT landed from the original research branch:
- The local-buffer snapshot merge in save_backup (5 lines that copied activeGeneralizedLoopLocalBuffer entries into every snapshot). Bisection against main showed this alone regresses dummy_vm_loop / bytecode_vm_loop / stack_vm_loop / calc_sum_to_n by collapsing their generalized-loop bodies to 'bb3: br label %bb3'. The control-field/slot machinery does not depend on it; the research-stack benchmark gains are preserved without it.
- runGeneralizedPhiAddressCreatesPhiOfLoadedValues: aspirational microtest from the research stack that never passed there either.
- Session-scratch files (internal_0x140001000*, linked_target.txt, themidahandoff.md, vlizer_stub.txt) and the autoresearch shell harness.
Adds microtests covering: control-field / control-slot / target-slot / phi-address / local-phi-address retrieve paths, solvePath null-vs-mapped preference, rolled arithmetic chain enumeration, byte-test join preservation, and supporting structured-loop invariants. All pass on a fresh build_iced/.
Verification: python test.py baseline -> 0 failures; python test.py micro -> 0 failures.
Co-authored-by: yusufcanislek <yusuf.canislek@meetdandy.com>
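The phi handling in computePossibleValues described above (enumerate each incoming operand's value set and union them) is easy to get subtly wrong in the presence of a loop-header phi whose backedge operand depends on the phi itself. The block below is an added example, not Mergen's code and not from the commit: it uses a constructed toy IR (a Value is a constant, a two-operand add, or an N-incoming phi) and a hypothetical `computePossibleValues` that returns an exact finite set or `std::nullopt` for "not enumerable". Two constructed shapes are checked: a dispatch-style target that is base plus a phi of two constant slot offsets, which must enumerate to both targets, and a loop counter whose header phi feeds its own backedge, which must report unbounded rather than silently collapsing to the entry value.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <set>
#include <vector>

// Added example, not Mergen's code. Toy IR: every node is one of three kinds.
using ValueSet = std::set<uint64_t>;
enum class Kind { Const, Add, Phi };

struct Value {
    Kind kind;
    uint64_t imm = 0;               // Kind::Const: the immediate
    std::vector<const Value*> ops;  // Kind::Add: two operands; Kind::Phi: incoming values
};

// std::nullopt means "unbounded / not enumerable"; a set is the exact finite list.
using Possible = std::optional<ValueSet>;

static Possible computePossibleValuesImpl(const Value* v, std::set<const Value*>& onStack,
                                          size_t limit) {
    switch (v->kind) {
    case Kind::Const:
        return ValueSet{v->imm};
    case Kind::Add: {
        Possible a = computePossibleValuesImpl(v->ops[0], onStack, limit);
        Possible b = computePossibleValuesImpl(v->ops[1], onStack, limit);
        if (!a || !b) return std::nullopt;
        ValueSet out;
        for (uint64_t x : *a)
            for (uint64_t y : *b) {
                out.insert(x + y);
                if (out.size() > limit) return std::nullopt;  // blow-up guard
            }
        return out;
    }
    case Kind::Phi: {
        // Re-entering a phi that is already being evaluated means we followed a
        // loop backedge back to the header: that operand is not a finite list.
        if (!onStack.insert(v).second) return std::nullopt;
        Possible out = ValueSet{};
        for (const Value* in : v->ops) {
            Possible s = computePossibleValuesImpl(in, onStack, limit);
            if (!s) { out = std::nullopt; break; }
            out->insert(s->begin(), s->end());  // union of incoming value sets
            if (out->size() > limit) { out = std::nullopt; break; }
        }
        onStack.erase(v);
        return out;
    }
    }
    return std::nullopt;
}

// Hypothetical public entry point (assumed name, not the project's signature).
Possible computePossibleValues(const Value* v, size_t limit = 256) {
    std::set<const Value*> onStack;
    return computePossibleValuesImpl(v, onStack, limit);
}

// Constructed dispatch shape: target = base + phi(0x10 from pred A, 0x20 from pred B).
ValueSet dispatchTargets() {
    Value off1{Kind::Const, 0x10, {}};
    Value off2{Kind::Const, 0x20, {}};
    Value slot{Kind::Phi, 0, {&off1, &off2}};
    Value base{Kind::Const, 0x140001000ull, {}};
    Value target{Kind::Add, 0, {&base, &slot}};
    return computePossibleValues(&target).value_or(ValueSet{});
}

// Constructed loop-counter shape: hdr = phi(0 from entry, hdr + 1 from backedge).
bool loopCounterIsUnbounded() {
    Value zero{Kind::Const, 0, {}};
    Value one{Kind::Const, 1, {}};
    Value hdr{Kind::Phi, 0, {}};
    Value inc{Kind::Add, 0, {&hdr, &one}};
    hdr.ops = {&zero, &inc};
    return !computePossibleValues(&hdr).has_value();
}

int main() {
    for (uint64_t t : dispatchTargets())
        std::printf("possible target 0x%llx\n", static_cast<unsigned long long>(t));
    std::printf("loop counter unbounded: %s\n", loopCounterIsUnbounded() ? "yes" : "no");
    return 0;
}
```

The `onStack` guard is the piece worth noting: without it, the backedge path recurses forever, and with a naive "treat a revisited phi as contributing nothing" rule the counter phi would enumerate to {0}, which a downstream indirect-jump resolver would happily treat as a single concrete target.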