SMPStaticAnalyzer.cpp

/*
 * SMPStaticAnalyzer.cpp - <see below>.
 *
 * Copyright (c) 2000, 2001, 2010 - University of Virginia 
 *
 * This file is part of the Memory Error Detection System (MEDS) infrastructure.
 * This file may be used and modified for non-commercial purposes as long as 
 * all copyright, permission, and nonwarranty notices are preserved.  
 * Redistribution is prohibited without prior written consent from the University 
 * of Virginia.
 *
 * Please contact the authors for restrictions applying to commercial use.
 *
 * THIS SOURCE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
 * Author: University of Virginia
 * e-mail: jwd@virginia.com
 * URL   : http://www.cs.virginia.edu/
 *
 * Additional copyrights 2010, 2011 by Zephyr Software LLC
 * e-mail: {clc,jwd}@zephyr-software.com
 * URL   : http://www.zephyr-software.com/
 */

//
// SMPStaticAnalyzer.cpp
//
// This plugin performs the static analyses needed for the SMP project
//   (Software Memory Protection).
//

using namespace std;

#include <list>
#include <vector>
#include <set>

#include <string>
#include <ctime>

#include "SMPDBInterface.h"
#include "SMPStaticAnalyzer.h"
#include "SMPDataFlowAnalysis.h"
#include "SMPProgram.h"
#include "SMPFunction.h"
#include "SMPInstr.h"
#include "ProfilerInformation.h"

#define SMP_DEBUG_DELAY 0   // for setting an early breakpoint

// Set to 1 for debugging output
#define SMP_DEBUG 1
#define SMP_DEBUG2 0   // verbose
#define SMP_DEBUG3 0   // verbose
#define SMP_DEBUG_MEM 0 // print memory operands
#define SMP_DEBUG_TYPE0 0 // Output instr info for OptType = 0
#define SMP_DEBUG_CHUNKS 0 // restructuring tail chunks, shared chunks, etc.
#define SMP_DEBUG_DATA_ONLY 0  // Find & fix data addresses in code segments

// Set to 1 when doing a binary search using SMP_DEBUG_COUNT to find
//  which function is causing a problem.
#define SMP_BINARY_DEBUG 0
#define SMP_DEBUG_COUNT 356  // How many funcs to process in problem search
int FuncsProcessed = 0;

#define SMP_FIXUP_IDB 0  // Try to fix the IDA database?
#define SMP_DEBUG_FIXUP_IDB 0  // debugging output for FixupIDB chain
#define SMP_FIND_ORPHANS 1  // find code outside of functions
#define SMP_DEBUG_CODE_ORPHANS 1 // Detect whether we are causing code to be orphaned

#define SMP_IDAP_RUN_DELAY 0  // Delay in IDAP_run() so we can attach debugger to process.

#define STARS_GENERATE_ASM_FILE 1  // Generate ASM file at end of processing?
#define STARS_GENERATE_DIF_FILE STARS_SCCP_CONVERT_UNREACHABLE_BLOCKS  // If we optimize, generate DIF file

static SMPProgram *CurrProg = NULL;
STARS_Interface_t* global_stars_interface=NULL;

#if SMP_DEBUG_CODE_ORPHANS
set<ea_t> CodeOrphans;
#endif

// Lock prefix for x86 code; jumping around this prefix conditionally looks like jumping
//  into the middle of an instruction to IDA Pro, causing it to not collect instructions
//  into a procedure. We replace these bytes with no-op opcodes because none of our analyses
//  care about LOCK prefices. We store the addresses where we have done the replacement in a 
//  set in case we ever care.
#define X86_LOCK_PREFIX 0xF0
set<ea_t> LockPreficesRemoved; // Addresses where x86 LOCK prefix byte was turned into a no-op by STARS_custom_ana() callback.
static unsigned long CustomAnaCallCount = 0;

// Define optimization categories for instructions.
int OptCategory[NN_last + 1];
// Initialize the OptCategory[] array.
void InitOptCategory(void);

// Flag to force reduced analysis so we don't run out of virtual memory
bool STARS_PerformReducedAnalysis;

// Indentation level when emitting SPARK Ada translation of the RTLs.
unsigned short STARS_SPARK_IndentCount;

// Record which opcodes change the stack pointer, and by how many
//  bytes up (reduction in stack size for stacks that grow downward)
//  or down (increase in stack size for stacks that grow downward).
sval_t StackAlteration[NN_last + 1];
// Initialize the StackAlteration[] array.
void InitStackAlteration(void);

// Keep statistics on how many instructions we saw in each optimization
//  category, and how many optimizing annotations were emitted for
//  each category.
int OptCount[LAST_OPT_CATEGORY + 1];
int AnnotationCount[LAST_OPT_CATEGORY + 1];

// Unique data referent number to use in data annotations.
unsigned long DataReferentID;

// Debugging counters for analyzing memory usage.
unsigned long UnusedInstrCount;
unsigned long UnusedBlockCount;
unsigned long UnusedStructCount;
unsigned long UnusedIntCount;

// Counters for dead metadata analysis.
unsigned long DeadMetadataCount;
unsigned long LiveMetadataCount;

// Counters for indirect jump resolution.
unsigned long ResolvedIndirectJumpCount;
unsigned long UnresolvedIndirectJumpCount;

// Counters for measuring SCCP success in finding constant DEFs.
unsigned long ConstantDEFCount;
unsigned long AlwaysTakenBranchCount;
unsigned long NeverTakenBranchCount;

// Counters for accessing less than machine register width.
unsigned long SubwordRegCount;
unsigned long SubwordMemCount;
unsigned long SubwordAddressRegCount;
unsigned long SPARKOperandCount; // total operands printed

#if SMP_COUNT_MEMORY_ALLOCATIONS
// Counters for analyzing memory use for allocated and used objects.
unsigned long SMPInstCount;
unsigned long SMPBlockCount;
unsigned long SMPFuncCount;
unsigned long SMPGlobalVarCount;
unsigned long SMPLocalVarCount;
unsigned long SMPDefUseChainCount;
unsigned long SMPInstBytes;
unsigned long SMPDefUseChainBytes;
#endif

#if SMP_MEASURE_NUMERIC_ANNOTATIONS
unsigned long NumericAnnotationsCount12; // cases 1 and 2
unsigned long NumericAnnotationsCount3;  // case 3
unsigned long TruncationAnnotationsCount; // case 4
unsigned long SignednessWithoutTruncationCount; // case 5
unsigned long LeaInstOverflowCount; // case 6
unsigned long WidthDoublingTruncationCount; // case 7
unsigned long BenignOverflowInstCount;
unsigned long BenignOverflowDefCount;
unsigned long SuppressStackPtrOverflowCount;
unsigned long SuppressLiveFlagsOverflowCount;
unsigned long LiveMultiplyBitsCount;
unsigned long BenignTruncationCount;
unsigned long SuppressTruncationRegPiecesAllUsed;
unsigned long SuppressSignednessOnTruncation;
#endif

#if STARS_SCCP_GATHER_STATISTICS
// Counters for analyzing Sparse Conditional Constant Propagation effectiveness.
unsigned long SCCPFuncsWithArgWriteCount;
unsigned long SCCPFuncsWithConstantArgWriteCount;
unsigned long SCCPOutgoingArgWriteCount;
unsigned long SCCPConstantOutgoingArgWriteCount;
#endif

// Is the binary a 32-bit, 64-bit, etc. instruction set architecture
size_t STARS_ISA_Bitwidth;
size_t STARS_ISA_Bytewidth;
char STARS_ISA_dtyp;
int STARS_MD_LAST_SAVED_REG_NUM;


// The types of data objects based on their first operand flags.
const char *DataTypes[] = { "VOID", "NUMHEX", "NUMDEC", "CHAR",
		"SEG", "OFFSET", "NUMBIN", "NUMOCT", "ENUM", "FORCED", 
		"STRUCTOFFSET", "STACKVAR", "NUMFLOAT", "UNKNOWN", 
		"UNKNOWN", "UNKNOWN", 0};

// Filename (not including path) of executable being analyzed.
char RootFileName[MAXSTR];

// strings for printing ZST_SysCallType
const char *CallTypeNames[4] = { "Unrestricted", "High-Privilege", "File-Access", "Network-Access" };

DisAsmString DisAsmText;

// Operand type that can have all fields initialized to o_void and zero
//  values, to be used to copy-initialize operands that we are adding to
//  RTLs and DEF and USE lists.
op_t InitOp; 

// File foo.exe.alarms for Zephyr Security Toolkit security alarm messages.
FILE *ZST_AlarmFile;

// File for code xref targets (helps ILR, makes IRDB more complete)
FILE *STARS_XrefsFile;

// File to provide details on fast returns, safe and unsafe return-address functions, etc.
FILE *STARS_CallReturnFile;

FILE *ZST_SPARKSourceFile;
FILE *ZST_SPARKHeaderFile;

// Code addresses identified by a disassembler, such as objdump on
//  Linux. These can be used to improve the code vs. data identification
//  of IDA Pro.
vector<ea_t> DisasmLocs;
// Code addresses as identified by IDA Pro, to be compared to DisasmLocs.
vector<ea_t> IDAProLocs;

// Bit masks for extracting bits from a STARSBitSet unsigned char.
const unsigned char STARSBitMasks[8] = { 1, 2, 4, 8, 16, 32, 64, 128 };

// Function start and end addresses (for function entry chunks only).
//  Kept here because IDA Pro 5.1 seems to have a memory overwriting
//  problem when iterating through all functions in the program. An existing
//  STARS_Function_t *ChunkInfo data structure was getting overwritten by one of the 
//  function STARS_Function_t data structures, causing changes of startEA and endEA among
//  other things.

vector<SMP_bounds_t> FuncBounds;

// List of functions that need to be reanalyzed after all the code fixup
//  and code discovery is complete. Kept as a list of addresses; any address
//  within the function is good enough to designate it.
list<ea_t> FuncReanalyzeList;

// A code region that has been converted from data but has code addresses that
//  need to be reanalyzed. This is usually because a former data address is
//  now a jump to a code target that is still a data address. We have to wait
//  until the target has become code before IDA will accept the jump as valid.
class FixupRegion {
public:
	FixupRegion(SMP_bounds_t);
	inline ea_t GetStart(void) const { return CodeRegion.startEA; };
	inline ea_t GetEnd(void) const { return CodeRegion.endEA; };
	inline void SetStart(ea_t addr) { CodeRegion.startEA = addr; };
	list<ea_t> FixupInstrs; // easier to expose than to encapsulate
private:
	SMP_bounds_t CodeRegion;
};

FixupRegion::FixupRegion(SMP_bounds_t Range) {
	this->CodeRegion = Range;
	return;
}

// List of code regions that were not completely analysed because of jump to
//  data considerations.
list<FixupRegion> CodeReanalyzeList;

// Map library function names to their system call type.
map<string, ZST_SysCallType> ZST_FuncTypeMap;

// Map system call types to their Zephyr Security Toolkit security policy.
map<ZST_SysCallType, ZST_Policy> ZST_TypePolicyMap;

// Set of whitelisted file locations.
set<string> ZST_FileLocWhitelist;

// Set of whitelisted network locations.
set<string> ZST_NetworkLocWhitelist;

// Set of blacklisted file locations.
set<string> ZST_FileLocBlacklist;

// Set of blacklisted network locations.
set<string> ZST_NetworkLocBlacklist;

// Set of system call names whose returned values should be trusted to have only benign numeric errors.
set<string> ZST_SystemCallNumericWhitelist;

void IDAP_run(int);

// Functions for diagnosing and/or fixing problems in the IDA database.
void FixupIDB(void);  // Driver for all other fixing functions.
void FindDataInCode(void);
void AuditTailChunkOwnership(void);
void FindOrphanedCode(STARS_Segment_t *, FILE *, FILE *);
void Debug_FindOrphanedCode(STARS_Segment_t *, bool);
void FixCodeIdentification(void);
int FixupNewCodeChunks(void);
void AuditCodeTargets(void);
void SpecialDebugOutput(void);
void RemoveIDACodeAddr(ea_t);
void ZST_InitPolicies(const char *);

static unsigned long DebugCounter = 0;

// Turn LOCK prefix into no-op when detected. Each is one byte in length.
bool STARS_custom_ana(ea_t CurrentAddr) {
	int code = get_byte(CurrentAddr);
	++CustomAnaCallCount;
	if (X86_LOCK_PREFIX != code) {
		return false;
	}
	else {
#define STARS_ANA_DEBUG_DELAY 0
#if STARS_ANA_DEBUG_DELAY
		if (DebugCounter == 0) {
			time_t start;
			time_t current;

			time(&start);
			printf("delay for 15 seconds.\n");
			do {
				time(&current);
			} while(difftime(current,start) < 15.0);
			++DebugCounter;
		}
#endif		
		pair<set<ea_t>::iterator, bool> InsertResult;
		InsertResult = LockPreficesRemoved.insert(CurrentAddr);
		assert(InsertResult.second);
		cmd.itype = NN_nop; // make it a no-op
		cmd.size = 1; // one-byte no-op
#if 0
		cmd.auxpref = 0; // clear prefix and flags fields
		cmd.segpref = 0;
		cmd.insnpref = 0;
		cmd.flags = 0;
#endif
		return true;
	}
} // end of STARS_custom_ana()

static int idaapi idp_callback(void *, int event_id, va_list va) {
#if STARS_REMOVE_LOCK_PREFIX
	if (event_id == processor_t::custom_ana) {
		ea_t CurrentAddr = cmd.ea;
#if 1
		int code = ua_next_byte();
		++CustomAnaCallCount;
		if (X86_LOCK_PREFIX == code) {
			pair<set<ea_t>::iterator, bool> InsertResult;
			InsertResult = LockPreficesRemoved.insert(CurrentAddr);
			cmd.itype = NN_nop; // make it a no-op
			return (int) (cmd.size + 1);
		}
		else {
			return 0;
		}
#else
		if (STARS_custom_ana(CurrentAddr)) {
			return 1; // handled event
		}
#endif
	}
#endif // STARS_REMOVE_LOCK_PREFIX

	if (event_id == ph.auto_empty_finally) {   // IDA analysis is done
		// Ensure correct working environment.
		// Handle Cyber Grand Challenge project variant of ELF.
#define STARS_CGC_FILETYPE 16705
		if ((inf.filetype != f_ELF) && (inf.filetype != f_PE) && (inf.filetype != STARS_CGC_FILETYPE)) {
			error("Executable format must be PE or ELF.");
			return 0;
		}
		IDAP_run(0);
#if STARS_REMOVE_LOCK_PREFIX
		SMP_msg("INFO: Calls to STARS_custom_ana: %lu \n", CustomAnaCallCount);
		SMP_msg("INFO: Number of LOCK prefices eliminated: %zu \n", LockPreficesRemoved.size());
		LockPreficesRemoved.clear();
#endif // STARS_REMOVE_LOCK_PREFIX
		qexit(0);
	}

	return 0;  // did not process any event
} // end of idp_callback()

int IDAP_init(void) {

	/* init the interface */
	global_stars_interface=new STARS_IDA_Interface_t;


#if 0 // We are now calling from the SMP.idc script.
	// Skip this plugin if it was not specified by the user on the
	//  command line.
	if (get_plugin_options("SMPStaticAnalyzer") == NULL) {
		SMP_msg("IDAP_init point 2.\n");
		return PLUGIN_SKIP;
	}
#endif
	// Ensure correct working environment.
	if (ph.id != PLFM_386) {
		error("Processor must be x86.");
 		return PLUGIN_SKIP;
	}
#if 0 // too early to detect 64-bit; moved to IDAP_run()
	if (inf.is_64bit()) {
		STARS_ISA_Bitwidth = 64;
		STARS_ISA_dtyp = dt_qword;
		SMP_msg("INFO: 64-bit binary detected.\n");
	}
	else {
		STARS_ISA_Bitwidth = 32;
		STARS_ISA_dtyp = dt_dword;
		SMP_msg("INFO: 32-bit binary detected.\n");
	}
	STARS_ISA_Bytewidth = (STARS_ISA_Bitwidth / 8);
#endif

	hook_to_notification_point(HT_IDP, idp_callback, NULL);
	STARS_PerformReducedAnalysis = false;
	STARS_SPARK_IndentCount = 1;
	DataReferentID = 1;
	UnusedStructCount = 0;
	UnusedIntCount = 0;
	DeadMetadataCount = 0;
	LiveMetadataCount = 0;
	ResolvedIndirectJumpCount = 0;
	UnresolvedIndirectJumpCount = 0;
	ConstantDEFCount = 0;
	AlwaysTakenBranchCount = 0;
	NeverTakenBranchCount = 0;
	SubwordRegCount = 0;
	SubwordMemCount = 0;
	SubwordAddressRegCount = 0;
	SPARKOperandCount = 0;
#if SMP_COUNT_MEMORY_ALLOCATIONS
	SMPInstCount = 0;
	SMPBlockCount = 0;
	SMPDefUseChainCount = 0;
	SMPFuncCount = 0;
	SMPGlobalVarCount = 0;
	SMPLocalVarCount = 0;
	SMPInstBytes = 0;
	SMPDefUseChainBytes = 0;
#endif
#if SMP_MEASURE_NUMERIC_ANNOTATIONS
	NumericAnnotationsCount12 = 0; 
	NumericAnnotationsCount3 = 0; 
	TruncationAnnotationsCount = 0;
	SignednessWithoutTruncationCount = 0;
	LeaInstOverflowCount = 0; 
	WidthDoublingTruncationCount = 0;
	BenignOverflowInstCount = 0;
	BenignOverflowDefCount = 0;
	SuppressStackPtrOverflowCount = 0;
	SuppressLiveFlagsOverflowCount = 0;
	LiveMultiplyBitsCount = 0;
	BenignTruncationCount = 0;
	SuppressTruncationRegPiecesAllUsed = 0;
	SuppressSignednessOnTruncation = 0;
#endif
#if STARS_SCCP_GATHER_STATISTICS
	SCCPFuncsWithArgWriteCount = 0;
	SCCPFuncsWithConstantArgWriteCount = 0;
	SCCPOutgoingArgWriteCount = 0;
	SCCPConstantOutgoingArgWriteCount = 0;
#endif
	InitOp.n = 0;
	InitOp.type = o_void;
	InitOp.offb = 0;
	InitOp.offo = 0;
	InitOp.flags = 0;
	InitOp.set_showed();
	// NOTE: InitOp.dtyp field is initialized in IDAP_run() to 32 or 64 bits.
	InitOp.reg = R_none;
	InitOp.value = 0;
	InitOp.addr = 0;
	InitOp.specval = 0;
	InitOp.specflag1 = 0;
	InitOp.specflag2 = 0;
	InitOp.specflag3 = 0;
	InitOp.specflag4 = 0;
	ZST_AlarmFile = NULL;
	ZST_SPARKSourceFile = NULL;
	ZST_SPARKHeaderFile = NULL;
#ifdef STARS_IRDB_INTERFACE
	SMPLogFile = NULL;
#endif
	return PLUGIN_KEEP;
} // end of IDAP_init

void IDAP_term(void) {
	unhook_from_notification_point(HT_IDP, idp_callback, NULL);
	return;
}

void IDAP_run(int arg) {
	FILE *AnnotFile;
	FILE *InfoAnnotFile;
	FILE *AsmFile;
	FILE *DifFile;

	// For debugging, we can add a delay loop so we have time to attach gdb to the
	// running process and set a breakpoint.
#if SMP_DEBUG_DELAY
	time_t start;
	time_t current;

	time(&start);
	printf("delay for 15 seconds.\n");
	do {
		time(&current);
	} while(difftime(current,start) < 15.0);
#endif

	if (inf.is_64bit()) {
		STARS_ISA_Bitwidth = 64;
		STARS_ISA_dtyp = dt_qword;
		STARS_MD_LAST_SAVED_REG_NUM = R_r15;
		SMP_msg("INFO: 64-bit binary detected.\n");
	}
	else {
		STARS_ISA_Bitwidth = 32;
		STARS_ISA_dtyp = dt_dword;
		STARS_MD_LAST_SAVED_REG_NUM = R_di;
		SMP_msg("INFO: 32-bit binary detected.\n");
	}
	STARS_ISA_Bytewidth = (STARS_ISA_Bitwidth / 8);
	InitOp.dtyp = STARS_ISA_dtyp;

    InitOptCategory();
	InitDFACategory();
	InitTypeCategory();
	InitSMPDefsFlags();
	InitSMPUsesFlags();
	InitLibFuncFGInfoMaps();
	InitIntegerErrorCallSinkMap();
	InitUnsignedArgPositionMap();
	InitTaintWarningArgPositionMap();
	InitPointerArgPositionMap();
	InitStackAlteration();
	MDInitializeCallerSavedRegs();
	MDInitializeArgumentRegs();

#ifdef STARS_IRDB_INTERFACE
	string ZSTLogFileName(RootFileName);
	string LogFileSuffix(".STARSlog");
	ZSTLogFileName += LogFileSuffix;
	SMPLogFile = SMP_fopen(ZSTLogFileName.c_str(), "w");
	if (NULL == SMPLogFile) {
		error("ERROR: Cannot open STARS log file %s\n", ZSTLogFileName.c_str());
		error("Redirecting to stderr.\n");
		SMPLogFile = stderr;
	}
#endif

#if SMP_DEBUG
	SMP_msg("Beginning IDAP_run.\n");
#endif

	SMP_msg("IDA SDK version: %d \n", IDA_SDK_VERSION);

#if 1
	DefOrUse DummyRef;
	op_t DummyOperand;
	size_t RefObjectSize = sizeof(DummyRef), OpndSize = sizeof(DummyOperand);
	SMP_msg("INFO: Size of DefOrUse: %zu Size of op_t: %zu \n", RefObjectSize, OpndSize);
#endif

	// Open the output file.
	ssize_t FileLen;
	FileLen = get_root_filename(RootFileName, sizeof(RootFileName) - 1);
	string AnnotFileName(RootFileName);
	string FileSuffix(".annot");
	AnnotFileName += FileSuffix;
	string InfoAnnotFileName(RootFileName);
	string InfoFileSuffix(".infoannot");
	InfoAnnotFileName += InfoFileSuffix;
	string ZSTPolicyFileName(RootFileName);
	string PolicyFileSuffix(".policy");
	ZSTPolicyFileName += PolicyFileSuffix;
	string ZSTAlarmFileName(RootFileName);
	string AlarmFileSuffix(".alarms");
	ZSTAlarmFileName += AlarmFileSuffix;
	string AsmFileName(RootFileName);
	string AsmFileSuffix(".asm");
	AsmFileName += AsmFileSuffix;
	string DifFileName(RootFileName);
	string DifFileSuffix(".dif");
	DifFileName += DifFileSuffix;
	string XrefsFileName(RootFileName);
	string XrefsFileSuffix(".STARSxrefs");
	XrefsFileName += XrefsFileSuffix;
	string CallRetFileName(RootFileName);
	string CallRetFileSuffix(".STARScallreturn");
	CallRetFileName += CallRetFileSuffix;
#if ZST_EMIT_SPARK_ADA_TRANSLATION
	string SPARKSourceFileName(RootFileName);
	string SPARKSourceFileSuffix(".ZSTSPARK.adb");
	SPARKSourceFileName += SPARKSourceFileSuffix;
	string SPARKHeaderFileName(RootFileName);
	string SPARKHeaderFileSuffix(".ZSTSPARK.ads");
	SPARKHeaderFileName += SPARKHeaderFileSuffix;
#endif

	// For debugging, we can add a delay loop so we have time to attach gdb to the
	// running process and set a breakpoint.
#if SMP_IDAP_RUN_DELAY
	time_t start;
	time_t current;

	time(&start);
	printf("delay for 15 seconds.\n");
	do {
		time(&current);
	} while(difftime(current,start) < 15.0);
#endif

	ea_t RecentAddr;
#if SMP_DEBUG_CODE_ORPHANS
	CodeOrphans.clear();
	RecentAddr = BADADDR;
	for (STARS_Segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
		RecentAddr = seg->get_startEA();
		if (seg->IsCodeSegment())
			Debug_FindOrphanedCode(seg, true);
	}
#endif

	STARS_XrefsFile = SMP_fopen(XrefsFileName.c_str(), "w");
	if (NULL == STARS_XrefsFile) {
		error("FATAL ERROR: Cannot open STARS code xrefs file %s\n", XrefsFileName.c_str());
		return;
	}

	STARS_CallReturnFile = SMP_fopen(CallRetFileName.c_str(), "w");
	if (NULL == STARS_CallReturnFile) {
		error("FATAL ERROR: Cannot open STARS calls and returns info file %s\n", CallRetFileName.c_str());
		SMP_fclose(STARS_XrefsFile);
		return;
	}

	CurrProg = new SMPProgram();
	CurrProg->AnalyzeData(); // Analyze static data in the executable

	// read the Profiler generated information into a new prof_info class 
	ProfilerInformation *prof_info = new ProfilerInformation(AnnotFileName.c_str(), CurrProg);

	AnnotFile = SMP_fopen(AnnotFileName.c_str(), "w");
	if (NULL == AnnotFile) {
		error("FATAL ERROR: Cannot open output file %s\n", AnnotFileName.c_str());
		SMP_fclose(STARS_XrefsFile);
		SMP_fclose(STARS_CallReturnFile);
		delete prof_info;
		return;
	}
	InfoAnnotFile = SMP_fopen(InfoAnnotFileName.c_str(), "w");
	if (NULL == InfoAnnotFile) {
		error("FATAL ERROR: Cannot open output file %s\n", InfoAnnotFileName.c_str());
		SMP_fclose(STARS_XrefsFile);
		SMP_fclose(STARS_CallReturnFile);
		SMP_fclose(AnnotFile);
		delete prof_info;
		return;
	}
	ZST_AlarmFile = SMP_fopen(ZSTAlarmFileName.c_str(), "w");
	if (NULL == ZST_AlarmFile) {
		error("FATAL ERROR: Cannot open security alarms file %s\n", ZSTAlarmFileName.c_str());
		SMP_fclose(STARS_XrefsFile);
		SMP_fclose(STARS_CallReturnFile);
		SMP_fclose(AnnotFile);
		SMP_fclose(InfoAnnotFile);
		delete prof_info;
		return;
	}
#if ZST_EMIT_SPARK_ADA_TRANSLATION
	ZST_SPARKSourceFile = SMP_fopen(SPARKSourceFileName.c_str(), "w");
	if (NULL == ZST_SPARKSourceFile) {
		error("FATAL ERROR: Cannot open SPARK-Ada source output file %s\n", SPARKSourceFileName.c_str());
		SMP_fclose(STARS_XrefsFile);
		SMP_fclose(STARS_CallReturnFile);
		SMP_fclose(AnnotFile);
		SMP_fclose(InfoAnnotFile);
		SMP_fclose(ZST_AlarmFile);
		delete prof_info;
		return;
	}
	ZST_SPARKHeaderFile = SMP_fopen(SPARKHeaderFileName.c_str(), "w");
	if (NULL == ZST_SPARKHeaderFile) {
		error("FATAL ERROR: Cannot open SPARK-Ada header output file %s\n", SPARKHeaderFileName.c_str());
		SMP_fclose(STARS_XrefsFile);
		SMP_fclose(STARS_CallReturnFile);
		SMP_fclose(AnnotFile);
		SMP_fclose(InfoAnnotFile);
		SMP_fclose(ZST_AlarmFile);
		SMP_fclose(ZST_SPARKSourceFile);
		delete prof_info;
		return;
	}
#endif

	// Read the Zephyr Security Toolkit system call security policies, if available.
	ZST_InitPolicies(ZSTPolicyFileName.c_str());

	(void) memset(OptCount, 0, sizeof(OptCount));
	(void) memset(AnnotationCount, 0, sizeof(AnnotationCount));

	try { // We will catch memory exhaustion errors.

	// Record the start and end addresses for all function entry
	//  chunks in the program.
	FuncBounds.reserve(10 + get_func_qty());
	for (size_t FuncIndex = 0; FuncIndex < SMP_get_func_qty(); ++FuncIndex) {
		STARS_Function_t *FuncInfo = SMP_getn_func(FuncIndex);
		SMP_bounds_t temp;
		temp.startEA = FuncInfo->get_startEA();
		temp.endEA = FuncInfo->get_endEA();
		FuncBounds.push_back(temp);
	}

#if SMP_DEBUG_DATA_ONLY
	FindDataInCode();
	FixCodeIdentification();
	SMP_fclose(SymsFile);
	delete prof_info;
	return;
#endif

	// Pre-audit the IDA database by seeing if the distinction
	//  between code and data can be improved, and if all branches
	//  and calls have proper code targets and code cross references.
#if SMP_FIXUP_IDB
	FixupIDB();
#endif

	if (0 < prof_info->GetProfilerAnnotationCount()) {
		SMP_msg("Calling InferDataGranularity\n");
		SMP_msg("ptr to MemoryAccessInfo: %p\n", prof_info->GetMemoryAccessInfo());
		prof_info->GetMemoryAccessInfo()->InferDataGranularity();
		SMP_msg("Returned from InferDataGranularity\n");
	}
	CurrProg->ProfGranularityFinished(AnnotFile, InfoAnnotFile);
	CurrProg->Analyze(prof_info, AnnotFile, InfoAnnotFile);
	if (!STARS_PerformReducedAnalysis) {
		CurrProg->EmitAnnotations(AnnotFile, InfoAnnotFile);
	}

#if SMP_DEBUG_CODE_ORPHANS
	RecentAddr = BADADDR;
	for (STARS_Segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
		RecentAddr = seg->get_startEA();
		if (seg->IsCodeSegment())
			Debug_FindOrphanedCode(seg, true);
	}
#endif

#if SMP_FIND_ORPHANS
	RecentAddr = BADADDR;
	for (STARS_Segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
		RecentAddr = seg->get_startEA();
		if (seg->IsCodeSegment())
			FindOrphanedCode(seg, AnnotFile, InfoAnnotFile);
	}
#endif

	for (int OptType = 0; OptType <= LAST_OPT_CATEGORY; ++OptType) {
		SMP_msg("Optimization Category Count %d:  %d Annotations: %d\n",
			OptType, OptCount[OptType], AnnotationCount[OptType]);
	}

	SMP_fclose(AnnotFile);
	SMP_fprintf(InfoAnnotFile, "   8000000      2 SUCCESS ANALYSISCOMPLETED\n");
	SMP_fclose(InfoAnnotFile);
	SMP_fclose(ZST_AlarmFile);
	SMP_fclose(STARS_XrefsFile);
	SMP_fclose(STARS_CallReturnFile);
#if ZST_EMIT_SPARK_ADA_TRANSLATION
	SMP_fclose(ZST_SPARKSourceFile);
	SMP_fclose(ZST_SPARKHeaderFile);
#endif

#if STARS_GENERATE_ASM_FILE
	AsmFile = SMP_fopen(AsmFileName.c_str(), "w");
	if (NULL == AsmFile) {
		error("FATAL ERROR: Cannot open ASM file %s\n", AsmFileName.c_str());
	}
	else {
		int FileResult = gen_file(OFILE_ASM, AsmFile, LowestCodeAddress, 0xffffffff, (GENFLG_MAPSEG | GENFLG_ASMTYPE));
		if (0 >= FileResult) {
			SMP_msg("ERROR: Could not generate ASM file.\n");
		}
		SMP_fclose(AsmFile);
	}
#endif
#if STARS_GENERATE_DIF_FILE
	DifFile = SMP_fopen(DifFileName.c_str(), "w");
	if (NULL == DifFile) {
		error("FATAL ERROR: Cannot open DIF file %s\n", DifFileName.c_str());
	}
	else {
		int FileResult = gen_file(OFILE_DIF, DifFile, LowestCodeAddress, 0xffffffff, 0);
		if (0 >= FileResult) {
			SMP_msg("ERROR: Could not generate DIF file.\n");
		}
		SMP_fclose(DifFile);
	}
#endif
	delete CurrProg;
	delete prof_info;
	return;
	}
	catch (std::bad_alloc) {
		delete CurrProg;
		delete prof_info;
		error("FATAL ERROR: Memory exhausted.\n");
		SMP_fprintf(InfoAnnotFile, "   8000000      2 ERROR MEMORYEXHAUSTED\n");
		SMP_fclose(AnnotFile);
		SMP_fclose(InfoAnnotFile);
		SMP_fclose(ZST_AlarmFile);
		SMP_fclose(STARS_XrefsFile);
		return;
	}
} // end IDAP_run()

char IDAP_comment[] = "ZephyrSoftware STARS (Static Analyzer for Reliability and Security)";
char IDAP_help[] = "Good luck";
char IDAP_name[] = "SMPStaticAnalyzer";
char IDAP_hotkey[] = "Alt-J";

plugin_t PLUGIN = {
	IDP_INTERFACE_VERSION,
	PLUGIN_PROC | PLUGIN_MOD,
	IDAP_init,
	IDAP_term,
	IDAP_run,
	IDAP_comment,
	IDAP_help,
	IDAP_name,
	IDAP_hotkey
};

// Find all code addresses in the IDA database and enter them into
//  IDAProLocs. Find all code addresses identified by the external
//  disassembler (e.g. objdump) and enter them into DisasmLocs.
void FindCodeAddresses(void) {
	// Read in code addresses as found by an external disassembler.
	ea_t CurrDisasmAddr;
	string DisasmFileName(RootFileName);
	string FileSuffix(".SMPobjdump");
	DisasmFileName += FileSuffix;
	FILE *DisasmFile = SMP_fopen(DisasmFileName.c_str(), "r");
	if (NULL == DisasmFile) {
		error("FATAL: Cannot open input file %s\n", DisasmFileName.c_str());
		return;
	}

#define DISASM_RESERVE_SIZE  50000
	DisasmLocs.reserve(DISASM_RESERVE_SIZE);
	unsigned long TempAddr;
	int ScanReturn = qfscanf(DisasmFile, "%lx", &TempAddr);
	CurrDisasmAddr = (ea_t) TempAddr;
	while (1 == ScanReturn) {
		int NextChar;
		DisasmLocs.push_back(CurrDisasmAddr);
		// Swallow the rest of the input line and get the next address.
		do {
			NextChar = qfgetc(DisasmFile);
		} while ((EOF != NextChar) && ('\n' != NextChar));
		ScanReturn = qfscanf(DisasmFile, "%lx", &TempAddr);
		CurrDisasmAddr = (ea_t) TempAddr;
	} // end while (1 == ScanReturn)
	if (0 >= DisasmLocs.size()) {
		SMP_msg("ERROR: No addresses read from %s\n", DisasmFileName.c_str());
		SMP_fclose(DisasmFile);
		DisasmLocs.clear();
		return;
	}
	else {
		SMP_msg("%zu Disasm addresses read from %s\n", DisasmLocs.size(),
			DisasmFileName.c_str());
		SMP_fclose(DisasmFile);
	}

	// Find all the code locs in the IDA Pro database. As we find
	//  them, store them in IDAProLocs.
	ea_t RecentAddr = BADADDR;
	for (STARS_Segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
		RecentAddr = seg->get_startEA();
		if (!seg->IsCodeSegment())
			continue;

		for (ea_t addr = seg->get_startEA(); addr < seg->get_endEA(); addr = get_item_end(addr)) {
			flags_t InstrFlags = getFlags(addr);
			if (isHead(InstrFlags) && isCode(InstrFlags)) {
				IDAProLocs.push_back(addr);
#if 0
				if ((0x806cda4 <= addr) && (0x806cf99 >= addr))
					SMP_msg("IDA code addr: %x\n", addr);
#endif
			} // end if (isHead(addr) && isCode(addr)
#if SMP_DEBUG_FIXUP_IDB
			else if ((0x806cda4 <= addr) && (0x806cf99 >= addr)) {
				if (!isHead(InstrFlags))
					SMP_msg("Weirdness: not isHead at %x\n", addr);
				if (isUnknown(InstrFlags)) {
					SMP_msg("Weirdness: isUnknown at %x\n", addr);
				}
			}
#endif
		} // end for (ea_t addr = seg->startEA; ...)
	} // end for all segments
	return;
} // end FindCodeAddresses()

// Return true if addr is not a proper beginning address for an instruction.
// Return false otherwise.
// Currently, we claim that an instruction is misaligned if DisasmLocs does
//  not contain it. This function is useful for dealing with errors in IDA
//  code identification, in which a large code section is identified as data,
//  but some instructions in the middle of the "data" are identified as
//  code but IDA often starts on the wrong boundary in these cases.
bool IsCodeMisaligned(ea_t addr) {
	// Do a binary search for addr within DisasmLocs, which is sorted
	//  in ascending address order because of the way in which it was
	//  generated.
	size_t min = 0;
	size_t max = DisasmLocs.size();  // don't access DisasmLocs[max]
	size_t index = (min + max) / 2;
	
	while (addr != DisasmLocs[index]) {
		if (min >= (max - 1))
			return true;
#if 0
		SMP_msg("min: %d max: %d index: %d\n", min, max, index);
#endif
		if (addr < DisasmLocs[index])
			max = index;
		else // must be addr > DisasmLocs[index];
			min = index;
	
		index = (min + max) / 2;
	}

	return false;
} // end of IsCodeMisaligned()

void RemoveIDACodeAddr(ea_t addr) {
	// Do a binary search for addr within IDAProLocs, which is sorted
	//  in ascending address order because of the way in which it was
	//  generated. Delete the element of IDAProLocs if found.
	size_t min = 0;
	size_t max = IDAProLocs.size();  // don't access IDAProLocs[max]
	size_t index = (min + max) / 2;
	
	while (addr != IDAProLocs[index]) {
		if (min >= (max - 1))
			return;
#if 0
		SMP_msg("min: %d max: %d index: %d\n", min, max, index);
#endif
		if (addr < IDAProLocs[index])
			max = index;
		else // must be addr > IDAProLocs[index];
			min = index;
	
		index = (min + max) / 2;
	}

	// IDAProLocs[index] contains addr.
	vector<ea_t>::iterator RemovalIterator = IDAProLocs.begin();
	RemovalIterator += index;
	RemovalIterator = IDAProLocs.erase(RemovalIterator);
	return;
} // end of RemoveIDACodeAddr()

// Driver for all other fixing functions. Upon its return, the IDA
//  database (IDB file) should be fixed up as much as we can fix it.
void FixupIDB(void) {
	FindCodeAddresses();
#if SMP_DEBUG_FIXUP_IDB
	SpecialDebugOutput();
#endif
	AuditCodeTargets();
	FindDataInCode();
	AuditTailChunkOwnership();
	if (DisasmLocs.size() > 0) {
		FixCodeIdentification();
		int fixes = FixupNewCodeChunks();
#if SMP_DEBUG_FIXUP_IDB
		SpecialDebugOutput();
#endif
	}
	DisasmLocs.clear();
	IDAProLocs.clear();
} // end of FixupIDB()

// Find and print all data head addresses in code segments. 
// If an isolated code instruction is found in the midst of a run