[docs]classSimHeapBrk(SimHeapBase):""" SimHeapBrk represents a trivial heap implementation based on the Unix `brk` system call. This type of heap stores virtually no metadata, so it is up to the user to determine when it is safe to release memory. This also means that it does not properly support standard heap operations like `realloc`. This heap implementation is a holdover from before any more proper implementations were modelled. At the time, various libc (or win32) SimProcedures handled the heap in the same way that this plugin does now. To make future heap implementations plug-and-playable, they should implement the necessary logic themselves, and dependent SimProcedures should invoke a method by the same name as theirs (prepended with an underscore) upon the heap plugin. Depending on the heap implementation, if the method is not supported, an error should be raised. Out of consideration for the original way the heap was handled, this plugin implements functionality for all relevant SimProcedures (even those that would not normally be supported together in a single heap implementation). :ivar heap_location: the address of the top of the heap, bounding the allocations made starting from `heap_base` """
[docs]defallocate(self,sim_size):""" The actual allocation primitive for this heap implementation. Increases the position of the break to allocate space. Has no guards against the heap growing too large. :param sim_size: a size specifying how much to increase the break pointer by :returns: a pointer to the previous break position, above which there is now allocated space """size=self._conc_alloc_size(sim_size)whilesize%16!=0:size+=1addr=self.state.heap.heap_locationself.state.heap.heap_location+=sizel.debug("Allocating %d bytes at address %#08x",size,addr)returnaddr
[docs]defrelease(self,sim_size):""" The memory release primitive for this heap implementation. Decreases the position of the break to deallocate space. Guards against releasing beyond the initial heap base. :param sim_size: a size specifying how much to decrease the break pointer by (may be symbolic or not) """requested=self._conc_alloc_size(sim_size)used=self.heap_location-self.heap_basereleased=min(requested,used)self.heap_location-=releasedl.debug("Releasing %d bytes from the heap (%d bytes were requested to be released)",released,requested)
def_malloc(self,sim_size):returnself.allocate(sim_size)def_free(self,ptr):# pylint:disable=unused-argumentreturnself.state.solver.Unconstrained("free",self.state.arch.bits)def_calloc(self,sim_nmemb,sim_size):plugin=self.state.get_plugin("libc")ifself.state.solver.symbolic(sim_nmemb):# TODO: find a better waynmemb=self.state.solver.max_int(sim_nmemb)else:nmemb=self.state.solver.eval(sim_nmemb)ifself.state.solver.symbolic(sim_size):# TODO: find a better waysize=self.state.solver.max_int(sim_size)else:size=self.state.solver.eval(sim_size)final_size=size*nmembifself.state.solver.symbolic(sim_nmemb)or(self.state.solver.symbolic(sim_size)andfinal_size>plugin.max_variable_size):final_size=plugin.max_variable_sizeaddr=self.state.heap.allocate(final_size)v=claripy.BVV(0,final_size*8)self.state.memory.store(addr,v)returnaddrdef_realloc(self,ptr,size):ifsize.symbolic:try:size_int=self.state.solver.max(size,extra_constraints=(size<self.state.libc.max_variable_size,))exceptSimSolverError:size_int=self.state.solver.min(size)self.state.add_constraints(size_int==size)else:size_int=self.state.solver.eval(size)addr=self.state.heap.allocate(size_int)ifself.state.solver.eval(ptr)!=0:v=self.state.memory.load(ptr,size_int)self.state.memory.store(addr,v)returnaddrdef_combine(self,others):new_heap_location=max(o.heap_locationforoinothers)ifself.heap_location!=new_heap_location:self.heap_location=new_heap_locationreturnTruereturnFalse