Repository: microsoft/sca-fuzzer
Branch: main
Commit: 7cc132332d6a
Files: 378
Total size: 2.7 MB
Directory structure:
gitextract_198ykafh/
├── .editorconfig
├── .github/
│ ├── CODEOWNERS
│ └── workflows/
│ ├── kmodule-build.yaml
│ └── python-lint-and-test.yaml
├── .gitignore
├── .gitmodules
├── .pylintrc
├── AUTHORS
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── SECURITY.md
├── demo/
│ ├── README.md
│ ├── big-fuzz.yaml
│ ├── detect-foreshadow.yaml
│ ├── detect-mds.yaml
│ ├── detect-sco.yaml
│ ├── detect-v1-store.yaml
│ ├── detect-v1-var.yaml
│ ├── detect-v1.yaml
│ ├── detect-v4.yaml
│ ├── detect-zdi.yaml
│ ├── tsa-l1d/
│ │ ├── config.yaml
│ │ └── template.asm
│ └── tsa-sq/
│ ├── config.yaml
│ └── template.asm
├── docs/
│ ├── assets/
│ │ ├── branches.drawio
│ │ ├── dr-instrumentation.drawio
│ │ ├── dr-model.drawio
│ │ ├── fuzzing-flow.drawio
│ │ ├── tsa-sq-template.drawio
│ │ └── unicorn-model-state-machine.drawio
│ ├── faq/
│ │ └── general.md
│ ├── glossary.md
│ ├── howto/
│ │ ├── ask-a-question.md
│ │ ├── choose-contract.md
│ │ ├── design-campaign.md
│ │ ├── interpret-results.md
│ │ ├── minimize.md
│ │ ├── root-cause-a-violation.md
│ │ ├── use-macros.md
│ │ └── use-templates.md
│ ├── index.md
│ ├── internals/
│ │ ├── architecture/
│ │ │ ├── analysis.md
│ │ │ ├── code.md
│ │ │ ├── data.md
│ │ │ ├── exec.md
│ │ │ ├── fuzz.md
│ │ │ ├── isa.md
│ │ │ ├── logging.md
│ │ │ ├── mini.md
│ │ │ ├── model.md
│ │ │ └── overview.md
│ │ ├── code-structure.md
│ │ ├── contributing/
│ │ │ ├── code-style.md
│ │ │ ├── general.md
│ │ │ ├── git.md
│ │ │ └── overview.md
│ │ ├── index.md
│ │ └── model-backends/
│ │ ├── model-dr.md
│ │ └── model-unicorn.md
│ ├── intro/
│ │ ├── 01-overview.md
│ │ ├── 02-install.md
│ │ ├── 03-primer.md
│ │ ├── 04-tutorials.md
│ │ ├── start-here.md
│ │ └── tutorials/
│ │ ├── 01-first-fuzz.md
│ │ ├── 02-first-vuln.md
│ │ ├── 03-faults.md
│ │ ├── 04-isolation.md
│ │ ├── 05-extending.md
│ │ └── tsa-sq.md
│ ├── ref/
│ │ ├── artifact-file-formats.md
│ │ ├── binary-formats.md
│ │ ├── cli.md
│ │ ├── config.md
│ │ ├── index.md
│ │ ├── macros.md
│ │ ├── minimization-passes.md
│ │ ├── modes.md
│ │ ├── papers.md
│ │ ├── registers.md
│ │ ├── runtime-statistic.md
│ │ └── sandbox.md
│ ├── structure.md
│ ├── stylesheets/
│ │ └── extra.css
│ └── topics/
│ ├── actors.md
│ ├── contracts.md
│ ├── models.md
│ ├── test-case-generation.md
│ └── trace-analysis.md
├── mkdocs.yml
├── pyproject.toml
├── revizor.py
├── rvzr/
│ ├── __init__.py
│ ├── analyser.py
│ ├── arch/
│ │ ├── __init__.py
│ │ ├── arm64/
│ │ │ ├── __init__.py
│ │ │ ├── asm_parser.py
│ │ │ ├── config.py
│ │ │ ├── executor.py
│ │ │ ├── fuzzer.py
│ │ │ ├── generator.py
│ │ │ ├── get_spec.py
│ │ │ └── target_desc.py
│ │ └── x86/
│ │ ├── __init__.py
│ │ ├── asm_parser.py
│ │ ├── config.py
│ │ ├── executor.py
│ │ ├── fuzzer.py
│ │ ├── generator.py
│ │ ├── get_spec.py
│ │ └── target_desc.py
│ ├── asm_parser.py
│ ├── cli.py
│ ├── code_generator.py
│ ├── config.py
│ ├── data_generator.py
│ ├── elf_parser.py
│ ├── executor.py
│ ├── executor_km/
│ │ ├── .clang-format
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── arm64/
│ │ │ ├── asm_snippets.h
│ │ │ ├── entry_exit_points.h
│ │ │ ├── exception.S
│ │ │ ├── fault_handler.c
│ │ │ ├── macros.c
│ │ │ ├── page_tables_guest.c
│ │ │ ├── perf_counters.c
│ │ │ ├── registers.h
│ │ │ └── special_registers.c
│ │ ├── code_loader.c
│ │ ├── data_loader.c
│ │ ├── include/
│ │ │ ├── actor.h
│ │ │ ├── asm_snippets.h
│ │ │ ├── code_loader.h
│ │ │ ├── data_loader.h
│ │ │ ├── fault_handler.h
│ │ │ ├── hardware_desc.h
│ │ │ ├── input_parser.h
│ │ │ ├── macro_expansion.h
│ │ │ ├── main.h
│ │ │ ├── measurement.h
│ │ │ ├── page_tables_common.h
│ │ │ ├── page_tables_guest.h
│ │ │ ├── page_tables_host.h
│ │ │ ├── perf_counters.h
│ │ │ ├── sandbox_constants.h
│ │ │ ├── sandbox_manager.h
│ │ │ ├── shortcuts.h
│ │ │ ├── special_registers.h
│ │ │ ├── svm.h
│ │ │ ├── svm_constants.h
│ │ │ ├── test_case_parser.h
│ │ │ ├── vmx.h
│ │ │ └── vmx_config.h
│ │ ├── input_parser.c
│ │ ├── macro_expansion.c
│ │ ├── main.c
│ │ ├── measurement.c
│ │ ├── page_tables_host.c
│ │ ├── readme.md
│ │ ├── sandbox_manager.c
│ │ ├── test_case_parser.c
│ │ └── x86/
│ │ ├── asm_snippets.h
│ │ ├── entry_exit_points.h
│ │ ├── fault_handlers.S
│ │ ├── idt.c
│ │ ├── macros.c
│ │ ├── page_tables_guest.c
│ │ ├── perf_counters.c
│ │ ├── registers.h
│ │ ├── special_registers.c
│ │ ├── svm.c
│ │ └── vmx.c
│ ├── factory.py
│ ├── fuzzer.py
│ ├── instruction_spec.py
│ ├── isa_spec.py
│ ├── logs.py
│ ├── model.py
│ ├── model_dynamorio/
│ │ ├── Makefile
│ │ ├── __init__.py
│ │ ├── adapter/
│ │ │ ├── .clang-format
│ │ │ ├── .clang-tidy
│ │ │ ├── CMakeLists.txt
│ │ │ ├── main.c
│ │ │ ├── parser.c
│ │ │ ├── parser.h
│ │ │ ├── rcbf.h
│ │ │ ├── rdbf.h
│ │ │ ├── sandbox.c
│ │ │ ├── sandbox.h
│ │ │ ├── sandbox_const.h
│ │ │ └── test_case_entry.S
│ │ ├── backend/
│ │ │ ├── .clang-format
│ │ │ ├── .clang-tidy
│ │ │ ├── CMakeLists.txt
│ │ │ ├── cli.cpp
│ │ │ ├── dispatcher.cpp
│ │ │ ├── factory.cpp
│ │ │ ├── include/
│ │ │ │ ├── cli.hpp
│ │ │ │ ├── dispatcher.hpp
│ │ │ │ ├── factory.hpp
│ │ │ │ ├── logger.hpp
│ │ │ │ ├── observables.hpp
│ │ │ │ ├── speculator_abc.hpp
│ │ │ │ ├── speculators/
│ │ │ │ │ ├── cond.hpp
│ │ │ │ │ └── seq.hpp
│ │ │ │ ├── taint_tracker.hpp
│ │ │ │ ├── tracer_abc.hpp
│ │ │ │ ├── tracers/
│ │ │ │ │ ├── ct.hpp
│ │ │ │ │ ├── ind.hpp
│ │ │ │ │ └── pc.hpp
│ │ │ │ ├── types/
│ │ │ │ │ ├── debug_trace.hpp
│ │ │ │ │ ├── decoder.hpp
│ │ │ │ │ ├── file_buffer.hpp
│ │ │ │ │ ├── input_taint.hpp
│ │ │ │ │ ├── store_log.hpp
│ │ │ │ │ └── trace.hpp
│ │ │ │ └── util.hpp
│ │ │ ├── logger.cpp
│ │ │ ├── model.cpp
│ │ │ ├── speculator_abc.cpp
│ │ │ ├── speculators/
│ │ │ │ ├── cond.cpp
│ │ │ │ └── seq.cpp
│ │ │ ├── taint_tracker.cpp
│ │ │ ├── tracer_abc.cpp
│ │ │ ├── tracers/
│ │ │ │ ├── ct.cpp
│ │ │ │ ├── ind.cpp
│ │ │ │ └── pc.cpp
│ │ │ └── util.cpp
│ │ ├── model.py
│ │ └── trace_decoder.py
│ ├── model_unicorn/
│ │ ├── __init__.py
│ │ ├── coverage.py
│ │ ├── execution_context.py
│ │ ├── interpreter.py
│ │ ├── model.py
│ │ ├── speculator_abc.py
│ │ ├── speculators_basic.py
│ │ ├── speculators_fault.py
│ │ ├── speculators_vs.py
│ │ ├── taint_tracker.py
│ │ └── tracer.py
│ ├── postprocessing/
│ │ ├── __init__.py
│ │ ├── analysis_passes.py
│ │ ├── input_passes.py
│ │ ├── instruction_passes.py
│ │ ├── minimizer.py
│ │ ├── pass_abc.py
│ │ └── progress_printer.py
│ ├── py.typed
│ ├── sandbox.py
│ ├── stats.py
│ ├── target_desc.py
│ ├── tc_components/
│ │ ├── __init__.py
│ │ ├── actor.py
│ │ ├── instruction.py
│ │ ├── test_case_binary.py
│ │ ├── test_case_code.py
│ │ └── test_case_data.py
│ ├── traces.py
│ └── unicorn.pyi
└── tests/
├── .coveragerc
├── .gitignore
├── __init__.py
├── acceptance.bats
├── arm64/
│ ├── asm/
│ │ ├── actor_switch.asm
│ │ ├── asm_basic.asm
│ │ ├── asm_multiactor.asm
│ │ ├── asm_symbol.asm
│ │ ├── calls.asm
│ │ ├── direct_jumps.asm
│ │ ├── fault-div-zero-speculation.asm
│ │ ├── fault_undefined_opcode.asm
│ │ ├── macro_fault_handler.asm
│ │ ├── model_flags_match.asm
│ │ ├── model_match.asm
│ │ ├── model_match_memory.asm
│ │ ├── model_match_xmm.asm
│ │ └── spectre_v1.asm
│ ├── configs/
│ │ ├── arch-actors.yaml
│ │ ├── arch-faults.yaml
│ │ ├── arch.yaml
│ │ ├── archdiff.yaml
│ │ ├── base-and-simd-categories.yaml
│ │ ├── common.yaml
│ │ ├── ct-cond.yaml
│ │ ├── ct-seq.yaml
│ │ ├── exceptions.yaml
│ │ └── fault-handler.yaml
│ ├── min_arm64.json
│ ├── model_common.py
│ ├── unit_generators.py
│ └── unit_isa_loader.py
├── kernel_module.bats
├── pre-release.sh
├── quick-test.sh
├── runtests.sh
├── scripts/
│ ├── create_rcbf_file.py
│ └── create_rdbf_file.py
├── unit_analyser.py
├── unit_docs.py
├── unit_fuzzer.py
├── unit_isa_loader.py
├── unit_stats.py
├── unit_tc_components.py
├── unit_traces.py
└── x86_tests/
├── __init__.py
├── asm/
│ ├── actor_switch.asm
│ ├── asm_basic.asm
│ ├── asm_multiactor.asm
│ ├── asm_symbol.asm
│ ├── calls.asm
│ ├── direct_jumps.asm
│ ├── fault-div-overflow-speculation.asm
│ ├── fault-div-zero-speculation.asm
│ ├── fault_INT1.asm
│ ├── fault_INT3.asm
│ ├── fault_UD.asm
│ ├── fault_load.asm
│ ├── fault_ooo_mem_access.asm
│ ├── fault_rmw.asm
│ ├── macro_fault_handler.asm
│ ├── minimization-after.asm
│ ├── minimization-before.asm
│ ├── model_flags_match.asm
│ ├── model_match.asm
│ ├── model_match_memory.asm
│ ├── model_match_xmm.asm
│ ├── spectre_ret.asm
│ ├── spectre_v1.1.asm
│ ├── spectre_v1.asm
│ ├── spectre_v1_arch.asm
│ ├── spectre_v1_independent.asm
│ ├── spectre_v1_n2.asm
│ ├── spectre_v2.asm
│ ├── spectre_v4.asm
│ └── vm_switch.asm
├── configs/
│ ├── arch-actors.yaml
│ ├── arch-dr.yaml
│ ├── arch-faults.yaml
│ ├── arch.yaml
│ ├── archdiff.yaml
│ ├── base-and-simd-categories.yaml
│ ├── base-categories.yaml
│ ├── common.yaml
│ ├── copy.yaml
│ ├── ct-cond.yaml
│ ├── ct-deh.yaml
│ ├── ct-seq.yaml
│ ├── div-detect.yaml
│ ├── div-verif.yaml
│ ├── exceptions.yaml
│ ├── fault-handler.yaml
│ ├── l1tf-p-verif.yaml
│ ├── l1tf-p.yaml
│ ├── l1tf-w-verif.yaml
│ ├── l1tf-w.yaml
│ ├── meltdown-verif.yaml
│ ├── meltdown.yaml
│ ├── mpx-verif.yaml
│ ├── mpx.yaml
│ ├── ssbp-detect.yaml
│ ├── ssbp-verif.yaml
│ └── vm-switch.yaml
├── min_x86.json
├── model_common.py
├── unit_dr_decoder.py
├── unit_fuzzer.py
├── unit_generators.py
├── unit_isa_loader.py
├── unit_model.py
└── unit_taint_tracker.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .editorconfig
================================================
# https://editorconfig.org/
root = true
[*]
indent_style = space
indent_size = 4
insert_final_newline = true
trim_trailing_whitespace = true
end_of_line = lf
charset = utf-8
max_line_length = 100
[*.json]
indent_size = 2
keep_blank_lines_in_code = 0
keep_indents_on_empty_lines = false
keep_line_breaks = true
space_after_colon = true
space_after_comma = true
space_before_colon = true
space_before_comma = false
spaces_within_braces = false
spaces_within_brackets = false
wrap_long_lines = false
insert_final_newline = ignore
[Makefile]
indent_style = tab
[{*.bash,*.zsh,*.sh,*.bats}]
tab_width = 4
binary_ops_start_line = false
keep_column_alignment_padding = false
minify_program = false
redirect_followed_by_space = false
switch_cases_indented = false
[{*.yml,*.yaml}]
indent_size = 2
keep_indents_on_empty_lines = false
keep_line_breaks = true
================================================
FILE: .github/CODEOWNERS
================================================
* @OleksiiOleksenko
================================================
FILE: .github/workflows/kmodule-build.yaml
================================================
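# This workflow will build the kernel module on multiple Ubuntu versions
#
# NOTE(review): actions/checkout is referenced by the mutable tag `v4`.
# Pinning it to a full commit SHA would keep the workflow unaffected by
# later changes to what that tag points at.
name: Kmodule Build

on:
  push:
    branches:
      - main
      - main-fixes
      - pre-release
      - dev
  pull_request:
    branches:
      - main
      - main-fixes
      - pre-release
      - dev

jobs:
  km_build:
    # Least privilege: the job only needs to read the repository contents.
    permissions:
      contents: read
    strategy:
      # Let every runner in the matrix finish even if one of them fails.
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            name: x86_latest
          - runner: ubuntu-22.04
            name: x86_backward_compatible
          - runner: ubuntu-24.04-arm
            name: arm_latest
          - runner: ubuntu-22.04-arm
            name: arm_backward_compatible
    runs-on: ${{ matrix.runner }}
    name: km_build_${{ matrix.name }}
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the job token
          # in the checked-out repository's git config while the Makefile
          # from the (possibly pull-request) tree is being run.
          persist-credentials: false
      - name: Install kernel headers
        run: sudo apt-get update && sudo apt-get install -y linux-headers-$(uname -r) linux-headers-generic
      - name: Build kernel module
        run: |
          # pipefail: a failing `make` fails the step even though `tee` is
          # the last command of the pipeline.
          set -o pipefail
          cd rvzr/executor_km
          make VMBUILD=1 2>&1 | tee build.log
          # Additionally fail when the log mentions "Error" although make
          # itself exited successfully.
          if grep -q "Error" build.log; then
            echo "Build failed"
            exit 1
          fi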
================================================
FILE: .github/workflows/python-lint-and-test.yaml
================================================
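# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
#
# NOTE(review): actions/checkout and actions/setup-python are referenced by
# mutable tags (`v4`, `v5`), and flake8/mypy/pylint are installed without
# version constraints. Pinning the actions to full commit SHAs and the tools
# to known versions would make runs reproducible and independent of later
# upstream changes.
name: Python Lint and Test

# Least privilege: every job in this workflow only reads the repository.
permissions:
  contents: read

on:
  push:
    branches:
      - main
      - main-fixes
      - pre-release
      - dev
  pull_request:
    branches:
      - main
      - main-fixes
      - pre-release
      - dev

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      # Run the remaining Python version even if the other one fails.
      fail-fast: false
      matrix:
        python-version: ["3.9", "3.13"]
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the job token
          # in the checked-out repository's git config while code from the
          # (possibly pull-request) tree is installed and executed.
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install flake8 mypy pylint
          # Installs the project itself from the checked-out tree.
          python -m pip install .
      - name: Run
        run: |
          # Kernel-module tests are skipped in this workflow.
          ./tests/runtests.sh --skip-km-tests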
================================================
FILE: .gitignore
================================================
cmake-build-*/
build/
.vscode/
.mypy_cache/
.lsync*
venv/
**/__pycache__/
base.json
rvzr/arch/x86/*.json
*.code-workspace
*.o
rvzr/generated.asm
generated.asm
generated
rvzr/executor_km/.cache.mk
rvzr/executor_km/measurement.o.ur-safe
dbg/
site
dist/
.cache/
.claude/
================================================
FILE: .gitmodules
================================================
================================================
FILE: .pylintrc
================================================
[MAIN]
# Analyse import fallback blocks. This can be used to support both Python 2 and
# 3 compatible code, which means that the block might have code that exists
# only in one or another interpreter, leading to false positives when analysed.
analyse-fallback-blocks=no
# Clear in-memory caches upon conclusion of linting. Useful if running pylint
# in a server-like mode.
clear-cache-post-run=no
# Load and enable all available extensions. Use --list-extensions to see a list
# of all available extensions.
#enable-all-extensions=
# In error mode, messages with a category besides ERROR or FATAL are
# suppressed, and no reports are done by default. Error mode is compatible with
# disabling specific errors.
#errors-only=
# Always return a 0 (non-error) status code, even if lint errors are found.
# This is primarily useful in continuous integration scripts.
#exit-zero=
# A comma-separated list of package or module names from where C extensions may
# be loaded. Extensions are loading into the active Python interpreter and may
# run arbitrary code.
extension-pkg-allow-list=
# A comma-separated list of package or module names from where C extensions may
# be loaded. Extensions are loading into the active Python interpreter and may
# run arbitrary code. (This is an alternative name to extension-pkg-allow-list
# for backward compatibility.)
extension-pkg-whitelist=
# Return non-zero exit code if any of these messages/categories are detected,
# even if score is above --fail-under value. Syntax same as enable. Messages
# specified are enabled, while categories only check already-enabled messages.
fail-on=
# Specify a score threshold under which the program will exit with error.
fail-under=10
# Interpret the stdin as a python script, whose filename needs to be passed as
# the module_or_package argument.
#from-stdin=
# Files or directories to be skipped. They should be base names, not paths.
ignore=CVS
# Add files or directories matching the regular expressions patterns to the
# ignore-list. The regex matches against paths and can be in Posix or Windows
# format. Because '\\' represents the directory delimiter on Windows systems,
# it can't be used as an escape character.
ignore-paths=
# Files or directories matching the regular expression patterns are skipped.
# The regex matches against base names, not paths. The default value ignores
# Emacs file locks
ignore-patterns=^\.#
# List of module names for which member attributes should not be checked and
# will not be imported (useful for modules/projects where namespaces are
# manipulated during runtime and thus existing member attributes cannot be
# deduced by static analysis). It supports qualified module names, as well as
# Unix pattern matching.
ignored-modules=
# Python code to execute, usually for sys.path manipulation such as
# pygtk.require().
#init-hook=
# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
# number of processors available to use, and will cap the count on Windows to
# avoid hangs.
jobs=1
# Control the amount of potential inferred values when inferring a single
# object. This can help the performance when dealing with large functions or
# complex, nested conditions.
limit-inference-results=100
# List of plugins (as comma separated values of python module names) to load,
# usually to register additional checkers.
load-plugins=
# Pickle collected data for later comparisons.
persistent=yes
# Resolve imports to .pyi stubs if available. May reduce no-member messages and
# increase not-an-iterable messages.
prefer-stubs=no
# Minimum Python version to use for version dependent checks. Will default to
# the version used to run pylint.
py-version=3.12
# Discover python modules and packages in the file system subtree.
recursive=no
# Add paths to the list of the source roots. Supports globbing patterns. The
# source root is an absolute path or a path relative to the current working
# directory used to determine a package namespace for modules located under the
# source root.
source-roots=
# Allow loading of arbitrary C extensions. Extensions are imported into the
# active Python interpreter and may run arbitrary code.
unsafe-load-any-extension=no
# In verbose mode, extra non-checker-related info will be displayed.
#verbose=
[BASIC]
# Naming style matching correct argument names.
argument-naming-style=snake_case
# Regular expression matching correct argument names. Overrides argument-
# naming-style. If left empty, argument names will be checked with the set
# naming style.
#argument-rgx=
# Naming style matching correct attribute names.
attr-naming-style=snake_case
# Regular expression matching correct attribute names. Overrides attr-naming-
# style. If left empty, attribute names will be checked with the set naming
# style.
#attr-rgx=
# Bad variable names which should always be refused, separated by a comma.
bad-names=foo,
bar,
baz,
toto,
tutu,
tata
# Bad variable names regexes, separated by a comma. If names match any regex,
# they will always be refused
bad-names-rgxs=
# Naming style matching correct class attribute names.
class-attribute-naming-style=any
# Regular expression matching correct class attribute names. Overrides class-
# attribute-naming-style. If left empty, class attribute names will be checked
# with the set naming style.
#class-attribute-rgx=
# Naming style matching correct class constant names.
class-const-naming-style=UPPER_CASE
# Regular expression matching correct class constant names. Overrides class-
# const-naming-style. If left empty, class constant names will be checked with
# the set naming style.
#class-const-rgx=
# Naming style matching correct class names.
class-naming-style=PascalCase
# Regular expression matching correct class names. Overrides class-naming-
# style. If left empty, class names will be checked with the set naming style.
#class-rgx=
# Naming style matching correct constant names.
const-naming-style=UPPER_CASE
# Regular expression matching correct constant names. Overrides const-naming-
# style. If left empty, constant names will be checked with the set naming
# style.
#const-rgx=
# Minimum line length for functions/classes that require docstrings, shorter
# ones are exempt.
docstring-min-length=-1
# Naming style matching correct function names.
function-naming-style=snake_case
# Regular expression matching correct function names. Overrides function-
# naming-style. If left empty, function names will be checked with the set
# naming style.
#function-rgx=
# Good variable names which should always be accepted, separated by a comma.
good-names=i,
j,
k,
ex,
Run,
_
# Good variable names regexes, separated by a comma. If names match any regex,
# they will always be accepted
good-names-rgxs=
# Include a hint for the correct naming format with invalid-name.
include-naming-hint=no
# Naming style matching correct inline iteration names.
inlinevar-naming-style=any
# Regular expression matching correct inline iteration names. Overrides
# inlinevar-naming-style. If left empty, inline iteration names will be checked
# with the set naming style.
#inlinevar-rgx=
# Naming style matching correct method names.
method-naming-style=snake_case
# Regular expression matching correct method names. Overrides method-naming-
# style. If left empty, method names will be checked with the set naming style.
#method-rgx=
# Naming style matching correct module names.
module-naming-style=snake_case
# Regular expression matching correct module names. Overrides module-naming-
# style. If left empty, module names will be checked with the set naming style.
#module-rgx=
# Colon-delimited sets of names that determine each other's naming style when
# the name regexes allow several styles.
name-group=
# Regular expression which should only match function or class names that do
# not require a docstring.
no-docstring-rgx=^_
# List of decorators that produce properties, such as abc.abstractproperty. Add
# to this list to register other decorators that produce valid properties.
# These decorators are taken in consideration only for invalid-name.
property-classes=abc.abstractproperty
# Regular expression matching correct type alias names. If left empty, type
# alias names will be checked with the set naming style.
#typealias-rgx=
# Regular expression matching correct type variable names. If left empty, type
# variable names will be checked with the set naming style.
#typevar-rgx=
# Naming style matching correct variable names.
variable-naming-style=snake_case
# Regular expression matching correct variable names. Overrides variable-
# naming-style. If left empty, variable names will be checked with the set
# naming style.
#variable-rgx=
[CLASSES]
# Warn about protected attribute access inside special methods
check-protected-access-in-special-methods=no
# List of method names used to declare (i.e. assign) instance attributes.
defining-attr-methods=__init__,
__new__,
setUp,
asyncSetUp,
__post_init__
# List of member names, which should be excluded from the protected access
# warning.
exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit
# List of valid names for the first argument in a class method.
valid-classmethod-first-arg=cls
# List of valid names for the first argument in a metaclass class method.
valid-metaclass-classmethod-first-arg=mcs
[DESIGN]
# List of regular expressions of class ancestor names to ignore when counting
# public methods (see R0903)
exclude-too-few-public-methods=
# List of qualified class names to ignore when counting class parents (see
# R0901)
ignored-parents=
# Maximum number of arguments for function / method.
max-args=9 # NOTE: non-default (5) because we rely on data classes with many attributes
# Maximum number of attributes for a class (see R0902).
max-attributes=12 # NOTE: non-default (5) because we rely on data classes with many attributes
# Maximum number of boolean expressions in an if statement (see R0916).
max-bool-expr=5
# Maximum number of branch for function / method body.
max-branches=12
# Maximum number of locals for function / method body.
max-locals=15
# Maximum number of parents for a class (see R0901).
max-parents=7
# Maximum number of public methods for a class (see R0904).
max-public-methods=20
# Maximum number of return / yield for function / method body.
max-returns=6
# Maximum number of statements in function / method body.
max-statements=50
# Minimum number of public methods for a class (see R0903).
min-public-methods=1
[EXCEPTIONS]
# Exceptions that will emit a warning when caught.
overgeneral-exceptions=builtins.BaseException,builtins.Exception
[FORMAT]
# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
expected-line-ending-format=
# Regexp for a line that is allowed to be longer than the limit.
ignore-long-lines=^\s*(# )?<?https?://\S+>?$
# Number of spaces of indent required inside a hanging or continued line.
indent-after-paren=4
# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
# tab).
indent-string=' '
# Maximum number of characters on a single line.
max-line-length=100
# Maximum number of lines in a module.
max-module-lines=1000
# Allow the body of a class to be on the same line as the declaration if body
# contains single statement.
single-line-class-stmt=no
# Allow the body of an if to be on the same line as the test if there is no
# else.
single-line-if-stmt=no
[IMPORTS]
# List of modules that can be imported at any level, not just the top level
# one.
allow-any-import-level=
# Allow explicit reexports by alias from a package __init__.
allow-reexport-from-package=no
# Allow wildcard imports from modules that define __all__.
allow-wildcard-with-all=no
# Deprecated modules which should not be used, separated by a comma.
deprecated-modules=
# Output a graph (.gv or any supported image format) of external dependencies
# to the given file (report RP0402 must not be disabled).
ext-import-graph=
# Output a graph (.gv or any supported image format) of all (i.e. internal and
# external) dependencies to the given file (report RP0402 must not be
# disabled).
import-graph=
# Output a graph (.gv or any supported image format) of internal dependencies
# to the given file (report RP0402 must not be disabled).
int-import-graph=
# Force import order to recognize a module as part of the standard
# compatibility libraries.
known-standard-library=
# Force import order to recognize a module as part of a third party library.
known-third-party=enchant
# Couples of modules and preferred modules, separated by a comma.
preferred-modules=
[LOGGING]
# The type of string formatting that logging methods do. `old` means using %
# formatting, `new` is for `{}` formatting.
logging-format-style=old
# Logging modules to check that the string format arguments are in logging
# function parameter format.
logging-modules=logging
[MESSAGES CONTROL]
# Only show warnings with the listed confidence levels. Leave empty to show
# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE,
# UNDEFINED.
confidence=HIGH,
CONTROL_FLOW,
INFERENCE,
INFERENCE_FAILURE,
UNDEFINED
# Disable the message, report, category or checker with the given id(s). You
# can either give multiple identifiers separated by comma (,) or put this
# option multiple times (only on the command line, not in the configuration
# file where it should appear only once). You can also use "--disable=all" to
# disable everything first and then re-enable specific checks. For example, if
# you want to run only the similarities checker, you can use "--disable=all
# --enable=similarities". If you want to run only the classes checker, but have
# no Warning level messages displayed, use "--disable=all --enable=classes
# --disable=W".
disable=W0511, # disable warnings on FIXME tag
# invalid-name: we actively use Final to define read-only attributes,
# so using UPPERCASE everywhere would lead to messy code
c0103,
# use-yield-from: the replacement does not always produce the same result functionally
# and it breaks the code, so we disable this warning
r1737,
# unspecified-encoding: Revizor runs only on Linux, so we don't need to specify encoding
w1514,
# too-many-positional-arguments # NOTE: we use data classes with many attributes
r0917,
# too-few-public-methods: we use data classes with many attributes
r0903,
# raise-missing-from
w0707,
# consider-using-sys-exit: just meh
r1722,
# Enable the message, report, category or checker with the given id(s). You can
# either give multiple identifier separated by comma (,) or put this option
# multiple time (only on the command line, not in the configuration file where
# it should appear only once). See also the "--disable" option for examples.
enable=
[METHOD_ARGS]
# List of qualified names (i.e., library.method) which require a timeout
# parameter e.g. 'requests.api.get,requests.api.post'
timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request
[MISCELLANEOUS]
# List of note tags to take in consideration, separated by a comma.
notes=FIXME,
XXX,
TODO
# Regular expression of note tags to take in consideration.
notes-rgx=
[REFACTORING]
# Maximum number of nested blocks for function / method body
max-nested-blocks=5
# Complete name of functions that never returns. When checking for
# inconsistent-return-statements if a never returning function is called then
# it will be considered as an explicit return statement and no message will be
# printed.
never-returning-functions=sys.exit,argparse.parse_error
# Let 'consider-using-join' be raised when the separator to join on would be
# non-empty (resulting in expected fixes of the type: ``"- " + " -
# ".join(items)``)
suggest-join-with-non-empty-separator=yes
[REPORTS]
# Python expression which should return a score less than or equal to 10. You
# have access to the variables 'fatal', 'error', 'warning', 'refactor',
# 'convention', and 'info' which contain the number of messages in each
# category, as well as 'statement' which is the total number of statements
# analyzed. This score is used by the global evaluation report (RP0004).
evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10))
# Template used to display messages. This is a python new-style format string
# used to format the message information. See doc for all details.
msg-template=
# Set the output format. Available formats are: text, parseable, colorized,
# json2 (improved json format), json (old json format) and msvs (visual
# studio). You can also give a reporter class, e.g.
# mypackage.mymodule.MyReporterClass.
#output-format=
# Tells whether to display a full report or only the messages.
reports=no
# Activate the evaluation score.
score=yes
[SIMILARITIES]
# Comments are removed from the similarity computation
ignore-comments=yes
# Docstrings are removed from the similarity computation
ignore-docstrings=yes
# Imports are removed from the similarity computation
ignore-imports=yes
# Signatures are removed from the similarity computation
ignore-signatures=yes
# Minimum lines number of a similarity.
min-similarity-lines=8
[SPELLING]
# Limits count of emitted suggestions for spelling mistakes.
max-spelling-suggestions=4
# Spelling dictionary name. No available dictionaries : You need to install
# both the python package and the system dependency for enchant to work.
spelling-dict=
# List of comma separated words that should be considered directives if they
# appear at the beginning of a comment and should not be checked.
spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy:
# List of comma separated words that should not be checked.
spelling-ignore-words=
# A path to a file that contains the private dictionary; one word per line.
spelling-private-dict-file=
# Tells whether to store unknown words to the private dictionary (see the
# --spelling-private-dict-file option) instead of raising a message.
spelling-store-unknown-words=no
[STRING]
# This flag controls whether inconsistent-quotes generates a warning when the
# character used as a quote delimiter is used inconsistently within a module.
check-quote-consistency=no
# This flag controls whether the implicit-str-concat should generate a warning
# on implicit string concatenation in sequences defined over several lines.
check-str-concat-over-line-jumps=no
[TYPECHECK]
# List of decorators that produce context managers, such as
# contextlib.contextmanager. Add to this list to register other decorators that
# produce valid context managers.
contextmanager-decorators=contextlib.contextmanager
# List of members which are set dynamically and missed by pylint inference
# system, and so shouldn't trigger E1101 when accessed. Python regular
# expressions are accepted.
generated-members=
# Tells whether to warn about missing members when the owner of the attribute
# is inferred to be None.
ignore-none=yes
# This flag controls whether pylint should warn about no-member and similar
# checks whenever an opaque object is returned when inferring. The inference
# can return multiple potential results while evaluating a Python object, but
# some branches might not be evaluated, which results in partial inference. In
# that case, it might be useful to still emit no-member and other checks for
# the rest of the inferred objects.
ignore-on-opaque-inference=yes
# List of symbolic message names to ignore for Mixin members.
ignored-checks-for-mixins=no-member,
not-async-context-manager,
not-context-manager,
attribute-defined-outside-init
# List of class names for which member attributes should not be checked (useful
# for classes with dynamically set attributes). This supports the use of
# qualified names.
ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace
# Show a hint with possible names when a member name was not found. The aspect
# of finding the hint is based on edit distance.
missing-member-hint=yes
# The minimum edit distance a name should have in order to be considered a
# similar match for a missing member name.
missing-member-hint-distance=1
# The total number of similar names that should be taken in consideration when
# showing a hint for a missing member.
missing-member-max-choices=1
# Regex pattern to define which classes are considered mixins.
mixin-class-rgx=.*[Mm]ixin
# List of decorators that change the signature of a decorated function.
signature-mutators=
[VARIABLES]
# List of additional names supposed to be defined in builtins. Remember that
# you should avoid defining new builtins when possible.
additional-builtins=
# Tells whether unused global variables should be treated as a violation.
allow-global-unused-variables=yes
# List of names allowed to shadow builtins
allowed-redefined-builtins=
# List of strings which can identify a callback function by name. A callback
# name must start or end with one of those strings.
callbacks=cb_,
_cb
# A regular expression matching the name of dummy variables (i.e. expected to
# not be used).
dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
# Argument names that match this expression will be ignored.
ignored-argument-names=_.*|^ignored_|^unused_
# Tells whether we should check for unused import in __init__ files.
init-import=no
# List of qualified module names which can have objects that can redefine
# builtins.
redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
================================================
FILE: AUTHORS
================================================
Here is an inevitably incomplete list of MUCH-APPRECIATED CONTRIBUTORS:
Oleksii Oleksenko
Boris Koepf
Emanuele Vannacci
Jana Hofmann
Connor Shugg
Marco Guarnieri
Flavien Solt
Brian Fu
Alvise de Faveri Tron
================================================
FILE: CHANGELOG.md
================================================
# Changelog
All notable changes to Revizor will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [2.0.0] - 2026-01-10
### TL;DR
This release contains a major refactoring of the codebase, including many of the core modules. This breaks compatibility with previous versions, hence the major version bump.
In addition, several significant enhancements have been made:
- ARM64 is now fully supported.
- New DynamoRIO-based model backend has been added, which vastly improves ISA coverage on x86.
- The documentation has been fully restructured and expanded.
### Added
#### ARM64 Support
- Full hardware tracing support for ARM64 CPUs (#137)
- ARM64 executor, fuzzer, and code generator implementations
- ARM64 test suite with acceptance and unit tests
- ARM64 ISA specification and target description
#### DynamoRIO Model Backend
- New DynamoRIO-based model backend added, which completely re-implements the leakage modeling functionality
- New tracers: indirect memory access (IND) tracer and poisoning of faulty loads (#133)
- Contract-based input generation for DynamoRIO backend (#138)
#### Documentation
- Complete documentation restructure with tutorials, reference guides, and topic guides
- Five comprehensive tutorials covering first fuzzing campaign, vulnerability detection, fault handling, isolation, and extending Revizor
- Detailed primer on contracts and leakage models
- In-depth guides on choosing contracts, designing campaigns, interpreting results, and root-causing violations
- Architecture overview with detailed diagrams
- DynamoRIO backend instrumentation diagrams
- Sandbox and binary format documentation
- Actor and test case generation topics
- Glossary of key terms
#### Demos and Examples
- TSA-L1D demo configuration and template
- TSA-SQ demo files
- Improved detection demos for various Spectre variants
#### Testing and Development
- Unified tests for Unicorn and DynamoRIO backends
- Unit tests for traces, stats, and test case components
- Utility scripts for generating RCBF/RDBF test files
- Interface to run individual testing stages
- Improved test coverage and CI integration
#### Misc. Features
- Special value generation option for input data (not just random values)
- More verbose configuration error messages
- Better visibility for warnings in logger output
- Support for FS/GS segment register instructions in ISA specification
- Input differential minimization for observer actors
### Changed
**WARNING**: This release contains breaking changes! The release introduces a complete refactoring of the code structure, including many of the core modules. See docs/internals/architecture/overview.md for details.
#### Code Structure
- Renamed source directory from src/ to rvzr/ for better compliance with Python packaging standards
- Encapsulated all core components into dedicated modules (sandbox.py, actor.py, etc)
- Moved all test case components into a dedicated directory rvzr/tc_components
- Refactored fuzzer.py to isolate the multi-stage filtering logic into a dedicated class
- Isolated utility classes into dedicated modules stats.py and logs.py
- Unicorn-based backend split into logical classes: Tracer, Speculator, TaintTracker, etc. (rvzr/model_unicorn)
- Reorganized into architecture-specific subdirectories (rvzr/arch/x86, rvzr/arch/arm64)
- Minimizer refactored to encapsulate each pass into a separate class (rvzr/postprocessing)
- Executor KM is now shared between x86 and ARM to avoid code duplication
- Consistent naming conventions for generators across architectures
- Improved code style and formatting
#### Configuration Options
- Many config options have been renamed during the refactoring process
- Refer to the updated documentation (`docs/ref/config.md`) for the new option names and their usage.
#### ISA Spec Format
- Renamed several fields in the json produced by the download_spec command
#### Testing Infrastructure
- Cleaner interface for test scripts
- GitHub Actions aligned with internal test scripts
#### Documentation Structure
- Reorganized into intro/, howto/, ref/, topics/, and internals/ sections
- Split architecture documentation into per-module pages
- Updated navigation structure in MkDocs
### Deprecated
- MPX support
---
## [1.3.2] - 2024-09-12
See git history for changes in version 1.3.2 and earlier.
[1.3.3]: https://github.com/microsoft/side-channel-fuzzer/compare/v1.3.2...v1.3.3
[1.3.2]: https://github.com/microsoft/side-channel-fuzzer/releases/tag/v1.3.2
================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
Resources:
- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing
As an open source project, Revizor welcomes contributions and suggestions.
## Contributor License Agreement and Code of Conduct
Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
## Contribution Guidelines
Please refer to the [Guide to Contributing](https://microsoft.github.io/side-channel-fuzzer/internals/contributing/overview/) for an overview of how to contribute.
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) Microsoft Corporation.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# Revizor





Revizor is a security-oriented fuzzer for detecting information leaks in CPUs, such as [Spectre and Meltdown](https://meltdownattack.com/).
It tests CPUs against [Leakage Contracts](https://arxiv.org/abs/2006.03841) and searches for unexpected leaks.
<!-- For more details, see our [Paper](https://dl.acm.org/doi/10.1145/3503222.3507729) (open access [here](https://arxiv.org/abs/2105.06872)), and the follow-up papers ([1](https://arxiv.org/pdf/2301.07642.pdf), [2](https://www.usenix.org/conference/usenixsecurity23/presentation/hofmann)). -->
## Getting Started and Documentation
You can find a quick start guide at [Quick Start](https://microsoft.github.io/side-channel-fuzzer/intro/start-here/).
For detailed information on how to use Revizor, see [Documentation Pages](https://microsoft.github.io/side-channel-fuzzer/structure/).
For information on how to contribute to Revizor, see [CONTRIBUTING.md](CONTRIBUTING.md).
## Need Help with Revizor?
If you find a bug in Revizor, don't hesitate to [open an issue](https://github.com/microsoft/side-channel-fuzzer/issues).
If something is confusing or you need help in using Revizor, we have a [discussion page](https://github.com/microsoft/side-channel-fuzzer/discussions).
## Citing Revizor
To cite this project, you can use any of the following references:
1. Original paper that introduced the concept of Model-based Relation Testing as well as the Revizor tool:
Oleksii Oleksenko, Christof Fetzer, Boris Köpf, Mark Silberstein. "[Revizor: Testing Black-box CPUs against Speculation Contracts](https://www.microsoft.com/en-us/research/publication/revizor-testing-black-box-cpus-against-speculation-contracts/)" in Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2022.
2. Theoretical foundations of leakage contracts:
Marco Guarnieri, Boris Köpf, Jan Reineke, and Pepe Vila. "[Hardware-software contracts for secure speculation](https://www.microsoft.com/en-us/research/publication/hardware-software-contracts-for-secure-speculation/)" in Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP), 2021.
3. Accessible summary of the two papers above, in a journal format:
Oleksii Oleksenko, Christof Fetzer, Boris Köpf, Mark Silberstein. "Revizor: Testing Black-box CPUs against Speculation Contracts". In IEEE Micro, 2023.
4. Paper that introduced speculation filtering, observation filtering, and contract-based input generation:
Oleksii Oleksenko, Marco Guarnieri, Boris Köpf, and Mark Silberstein. "[Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing](https://www.microsoft.com/en-us/research/publication/hide-and-seek-with-spectres-efficient-discovery-of-speculative-information-leaks-with-random-testing/)" in Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), 2022.
5. Paper that introduced exception-based testing (i.e., focus on Meltdown, Foreshadow) into Revizor:
Jana Hofmann, Emanuele Vannacci, Cédric Fournet, Boris Köpf, and Oleksii Oleksenko. "[Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions.](https://www.usenix.org/conference/usenixsecurity23/presentation/hofmann)" in Proceedings of 32nd USENIX Security Symposium (USENIX Security), 2023.
6. Paper that introduced testing of cross-VM and user-kernel leaks in Revizor, as well as presented TSA attacks on AMD CPUs:
Oleksii Oleksenko, Flavien Solt, Cédric Fournet, Jana Hofmann, Boris Köpf, and Stavros Volos. "[Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks](https://www.microsoft.com/en-us/research/wp-content/uploads/2025/07/Enter-Exit-SP26.pdf)" (to be published) in Proceedings of the 2026 IEEE Symposium on Security and Privacy (SP), 2026.
## Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
trademarks or logos is subject to and must follow
[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos are subject to those third-party's policies.
================================================
FILE: SECURITY.md
================================================
<!-- BEGIN MICROSOFT SECURITY.MD V0.0.5 BLOCK -->
## Security
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.
## Reporting Security Issues
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).
If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
<!-- END MICROSOFT SECURITY.MD BLOCK -->
================================================
FILE: demo/README.md
================================================
This directory contains a set of demo configurations for fuzzing various known CPU vulnerabilities using Revizor.
Each config here is intentionally tuned to detect only one type of vulnerability.
For example, if you fuzz an Intel CPU with `detect-v1.yaml`, you will likely detect an instance of Spectre V1.
(Of course, there is always a chance that you will find a new, previously unknown vulnerability with this config, but the likelihood is rather low.)
The commands below assume that the ISA spec (downloaded via `rvzr download_spec`) is stored in `base.json`.
## [Spectre V1](https://meltdownattack.com/)
```
rvzr fuzz -s base.json -c demo/detect-v1.yaml -i 50 -n 10000
```
Expected duration - several seconds.
## Spectre V1 (store variant)
```
rvzr fuzz -s base.json -c demo/detect-v1-store.yaml -i 50 -n 10000
```
Expected duration - several seconds.
## Spectre V1-Var ([description](https://dl.acm.org/doi/10.1145/3503222.3507729) and [here](https://eprint.iacr.org/2022/715.pdf))
```
rvzr fuzz -s base.json -c demo/detect-v1-var.yaml -i 50 -n 10000
```
Expected duration - several hours.
## [MDS](https://mdsattacks.com/) or [LVI-Null](https://lviattack.eu/), depending on the CPU model
Note: only Intel CPUs.
```
rvzr fuzz -s base.json -c demo/detect-mds.yaml -i 50 -n 10000
```
Expected duration - several minutes.
## Spectre V4 ([description](https://www.cyberus-technology.de/posts/2018-05-22-intel-store-load-spectre-vulnerability.html))
```
rvzr fuzz -s base.json -c demo/detect-v4.yaml -i 50 -n 10000
```
Expected duration - 5-20 minutes.
## Zero Divisor Injection (ZDI)
Note: only Intel CPUs.
```
rvzr fuzz -s base.json -c demo/detect-zdi.yaml -i 50 -n 10000
```
Expected duration - several minutes.
## String Comparison Overrun (SCO)
```
rvzr fuzz -s base.json -c demo/detect-sco.yaml -i 50 -n 10000
```
Expected duration - several minutes.
## Foreshadow (simplified version)
Note: only Intel CPUs.
```
rvzr fuzz -s base.json -c demo/detect-foreshadow.yaml -i 50 -n 10000
```
Expected duration - several minutes.
## Transient Scheduler Attack, Store Queue variant (TSA-SQ)
Note: only AMD CPUs vulnerable to TSA.
```
rvzr tfuzz -s base.json -c demo/tsa-sq/config.yaml -t demo/tsa-sq/template.asm -i 50 -n 10000
```
Expected duration - several minutes.
## Transient Scheduler Attack, L1D Cache variant (TSA-L1D)
Note: only AMD CPUs vulnerable to TSA.
```
rvzr tfuzz -s base.json -c demo/tsa-l1d/config.yaml -t demo/tsa-l1d/template.asm -i 50 -n 10000
```
Expected duration - several minutes.
================================================
FILE: demo/big-fuzz.yaml
================================================
# Broad fuzzing campaign: a wide mix of x86-64 instruction categories tested
# against a single contract (observation clause `ct`, execution clause `seq`).
instruction_set: x86-64
# Model
# The contract states which leakage is expected; the fuzzer searches for
# leaks that the contract does not account for.
contract_observation_clause: ct
contract_execution_clause:
- seq
# Actors
# NOTE(review): the nesting under `actors:` looks flattened here; check the
# indentation against the repository copy before reusing this file.
actors:
- main:
- data_properties:
- present: true
# Executor
# NOTE(review): P+P presumably selects Prime+Probe measurements - confirm in
# the configuration reference.
executor_mode: P+P
# NOTE(review): presumably enables the Speculative Store Bypass mitigation
# during measurements, which would keep Spectre V4-type leaks out of the
# results (demo/detect-v4.yaml sets this option to false) - confirm.
x86_executor_enable_ssbp_patch: true
# Program generator
program_size: 64
avg_mem_accesses: 16
# One basic block per function with a single successor each.
max_bb_per_function: 1 # straight-line code only
min_bb_per_function: 1
min_successors_per_bb: 1
max_successors_per_bb: 1
# Instruction categories the generator may draw from. The two STRINGOP
# categories are deliberately excluded (see the inline comments).
instruction_categories:
- BASE-BINARY
- BASE-BITBYTE
- BASE-CMOV
- BASE-COND_BR
- BASE-CONVERT
- BASE-DATAXFER
- BASE-FLAGOP
- BASE-LOGICAL
- BASE-MISC
- BASE-NOP
- BASE-WIDENOP
- BASE-POP
- BASE-PUSH
- BASE-SEMAPHORE
- BASE-SETCC
# - BASE-STRINGOP # commented out as it triggers a known information leak
- LONGMODE-CONVERT
- LONGMODE-DATAXFER
- LONGMODE-SEMAPHORE
# - LONGMODE-STRINGOP # commented out as it triggers a known information leak
- SSE-DATAXFER
- SSE-LOGICAL_FP
- SSE-MISC
- SSE-SSE
# Input generator
data_generator_entropy_bits: 24
inputs_per_class: 2
# Fuzzer
enable_speculation_filter: true
enable_observation_filter: true
enable_fast_path_model: true
coverage_type: model_instructions
# Output
color: true
# Active logging modes; the commented-out entries are modes that are
# currently disabled.
logging_modes:
- info
- stat
- dbg_generator
# - dbg_timestamp
# - dbg_violation
# - dbg_dump_htraces
# - dbg_dump_ctraces
# - dbg_dump_traces_unlimited
# - dbg_model
- dbg_coverage
# - dbg_priming
# - dbg_executor_raw
================================================
FILE: demo/detect-foreshadow.yaml
================================================
# This demo illustrates detection of Foreshadow
# (demo/README.md lists it as a simplified version, Intel CPUs only).
# contract
contract_observation_clause: loads+stores+pc
contract_execution_clause:
- delayed-exception-handling
# tested instructions
instruction_categories:
- BASE-BINARY
- BASE-BITBYTE
- BASE-CMOV
- BASE-CONVERT
- BASE-DATAXFER
- BASE-LOGICAL
- BASE-MISC
- BASE-NOP
- BASE-POP
- BASE-PUSH
- BASE-SETCC
# DIV and IDIV are appended to the instruction blocklist (presumably so that
# they never appear in generated programs - confirm).
instruction_blocklist_append:
- DIV
- IDIV
# The main actor's data is marked non-present and non-writable.
# NOTE(review): presumably this makes memory accesses of the test case fault,
# which is the behavior the delayed-exception-handling clause covers - confirm.
# NOTE(review): the nesting under `actors:` looks flattened here; check the
# indentation against the repository copy before reusing this file.
actors:
- main:
- data_properties:
- present: false
- writable: false
# misc. fuzzing configuration
enable_speculation_filter: true
enable_observation_filter: true
program_size: 16
avg_mem_accesses: 8
inputs_per_class: 2
executor_warmups: 2
# NOTE(review): DIV/IDIV are blocklisted above, so this setting may have no
# effect in this demo - confirm.
x86_disable_div64: false
================================================
FILE: demo/detect-mds.yaml
================================================
# Demo config for detecting MDS or LVI-Null, depending on the CPU model
# (demo/README.md: Intel CPUs only).
# contract
contract_observation_clause: ct
contract_execution_clause:
- seq-assist
# tested instructions
instruction_categories:
- BASE-BITBYTE
- BASE-CMOV
- BASE-LOGICAL
# environment
# NOTE(review): `accessed: False` presumably clears the Accessed bit on the
# actor's data pages so that memory accesses take a microcode assist, which
# is what the `seq-assist` clause refers to - confirm.
# NOTE(review): the nesting under `actors:` looks flattened here; check the
# indentation against the repository copy before reusing this file.
actors:
- main:
- data_properties:
- accessed: False
# fuzzing configuration
enable_speculation_filter: true
enable_observation_filter: true
program_size: 20
avg_mem_accesses: 10
inputs_per_class: 2
# Fixed generator seed (presumably so the demo reproduces the same programs
# on every run - confirm).
program_generator_seed: 955240
================================================
FILE: demo/detect-sco.yaml
================================================
# Demo config for detecting String Comparison Overrun (SCO).
# contract
contract_observation_clause: ct
contract_execution_clause:
- seq
# tested instructions
# BASE-STRINGOP is enabled here on purpose; demo/big-fuzz.yaml comments the
# same category out because it triggers a known information leak.
instruction_categories:
- BASE-BITBYTE
- BASE-CMOV
- BASE-LOGICAL
- BASE-STRINGOP
- BASE-FLAGOP
# fuzzing configuration
enable_speculation_filter: true
enable_observation_filter: true
program_size: 20
avg_mem_accesses: 10
inputs_per_class: 2
# Fixed generator seed (presumably so the demo reproduces the same programs
# on every run - confirm).
program_generator_seed: 910000
================================================
FILE: demo/detect-v1-store.yaml
================================================
# Spectre V1 (store variant) demo: starts from detect-v1.yaml and overrides
# the contract clauses below.
# NOTE(review): assumes `!include` merges the settings of the included file
# into this one - confirm.
file: !include detect-v1.yaml
# prevent speculative stores from being observed
contract_observation_clause: ct-nonspecstore
# NOTE(review): `cond` presumably treats leakage from conditional-branch
# speculation as expected, leaving the store-specific leak as the only
# reported violation - confirm.
contract_execution_clause:
- cond
================================================
FILE: demo/detect-v1-var.yaml
================================================
# Spectre V1-Var demo: starts from detect-v1.yaml and overrides only the
# execution clause. demo/README.md gives an expected duration of several
# hours for this campaign.
# NOTE(review): assumes `!include` merges the settings of the included file
# into this one - confirm.
file: !include detect-v1.yaml
# contract
# contract_observation_clause: ct
# NOTE(review): `cond` presumably treats plain Spectre V1 leakage as expected,
# so only leaks beyond it are reported - confirm.
contract_execution_clause:
- cond
# Everything below is commented out and therefore inactive; the effective
# values are whatever detect-v1.yaml provides.
# analyser_subsets_is_violation: false
# # tested instructions
# instruction_categories:
# - BASE-BITBYTE
# - BASE-COND_BR
# - BASE-CMOV
# - BASE-LOGICAL
# # fuzzing configuration
# enable_speculation_filter: true
# enable_observation_filter: true
# data_generator_entropy_bits: 16
# min_bb_per_function: 2
# max_bb_per_function: 2
# program_size: 20
# avg_mem_accesses: 10
# inputs_per_class: 2
================================================
FILE: demo/detect-v1.yaml
================================================
# Spectre V1 demo config; detect-v1-store.yaml and detect-v1-var.yaml include
# this file and override parts of it.
# contract
contract_observation_clause: loads+stores+pc
# NOTE(review): `no_speculation` presumably means the contract allows no
# speculative leakage at all, so any leak caused by branch speculation is
# reported as a violation - confirm.
contract_execution_clause:
- no_speculation
# tested instructions
# BASE-COND_BR supplies the conditional branches that Spectre V1 relies on.
instruction_categories:
- BASE-BINARY
- BASE-BITBYTE
- BASE-CMOV
- BASE-COND_BR
- BASE-CONVERT
- BASE-DATAXFER
- BASE-LOGICAL
- BASE-MISC
- BASE-NOP
- BASE-POP
- BASE-PUSH
- BASE-SETCC
# fuzzing configuration
enable_speculation_filter: true
enable_observation_filter: true
program_size: 16
avg_mem_accesses: 8
inputs_per_class: 2
# Fixed generator seed (presumably so the demo reproduces the same programs
# on every run - confirm).
program_generator_seed: 100
================================================
FILE: demo/detect-v4.yaml
================================================
# Spectre V4 demo config.
# contract
contract_observation_clause: ct
contract_execution_clause:
- seq
# tested instructions
instruction_categories:
- BASE-BITBYTE
- BASE-CMOV
- BASE-LOGICAL
# environment
# NOTE(review): presumably switches off the Speculative Store Bypass
# mitigation on the test machine so that the V4 leak is observable; a host
# left in this state is unprotected against V4 - confirm that the executor
# restores the setting after the run.
x86_executor_enable_ssbp_patch: false
# fuzzing configuration
enable_speculation_filter: true
enable_observation_filter: true
program_size: 20
avg_mem_accesses: 10
inputs_per_class: 2
# reduce entropy (not strictly required for detection, but makes the demo finish faster)
data_generator_entropy_bits: 10
# Fixed generator seed (presumably so the demo reproduces the same programs
# on every run - confirm).
program_generator_seed: 1000000
================================================
FILE: demo/detect-zdi.yaml
================================================
# Zero Divisor Injection (ZDI) demo config (demo/README.md: Intel CPUs only).
# contract
contract_observation_clause: ct
contract_execution_clause:
- seq
# tested instructions
instruction_categories:
- BASE-BITBYTE
- BASE-BINARY
- BASE-CMOV
- BASE-LOGICAL
# fuzzing configuration
enable_speculation_filter: true
enable_observation_filter: true
program_size: 64
avg_mem_accesses: 24
inputs_per_class: 2
# Fixed generator seed (presumably so the demo reproduces the same programs
# on every run - confirm).
program_generator_seed: 252633
# 64-bit division is explicitly left enabled.
# NOTE(review): presumably required because ZDI concerns division
# instructions - confirm.
x86_disable_div64: false
================================================
FILE: demo/tsa-l1d/config.yaml
================================================
# Config for the TSA-L1D demo (Transient Scheduler Attack, L1D Cache variant;
# per demo/README.md only AMD CPUs vulnerable to TSA). It is run with
# `rvzr tfuzz` together with demo/tsa-l1d/template.asm.
instruction_set: x86-64
instruction_categories:
- BASE-BINARY
- BASE-BITBYTE
- BASE-CMOV
- BASE-COND_BR
- BASE-CONVERT
- BASE-DATAXFER
- BASE-FLAGOP
- BASE-LOGICAL
- BASE-MISC
- BASE-NOP
- BASE-POP
- BASE-PUSH
- BASE-SEMAPHORE
- BASE-SETCC
- BASE-WIDENOP
# Three actors: `main` runs on the host in kernel mode, `vmvictim` and `vm`
# run as guests in kernel mode. `vm` is the observer and its data is
# non-writable. The actor names match the `.data.<actor>` sections of the
# template.
# NOTE(review): the nesting under `actors:` looks flattened here; check the
# indentation against the repository copy before reusing this file.
actors:
- main:
- mode: "host"
- privilege_level: "kernel"
- vmvictim:
- mode: "guest"
- privilege_level: "kernel"
- vm:
- mode: "guest"
- observer: true
- privilege_level: "kernel"
- data_properties:
- writable: false
# NOTE(review): `ct-ni` is not described on this page; check its meaning in
# the contract documentation. No execution clause is set in this file.
contract_observation_clause: ct-ni
max_bb_per_function: 1
# NOTE(review): F+R presumably selects Flush+Reload measurements - confirm.
executor_mode: F+R
executor_sample_sizes:
- 15
- 40
- 160
- 320
executor_filtering_repetitions: 5
# NOTE(review): the name suggests that host-physical and guest-physical
# addresses are made to collide - confirm in the configuration reference.
x86_enable_hpa_gpa_collisions: true
# Both generator seeds are fixed (presumably for reproducible runs - confirm).
program_generator_seed: 20000000
data_generator_seed: 1000000
inputs_per_class: 2
# demo/tsa-sq/config.yaml uses 0.2 for the same option.
analyser_stat_threshold: 0.1
# enable_speculation_filter: true
enable_observation_filter: true
enable_fast_path_model: true
# color: true
logging_modes:
- info
# - stat
================================================
FILE: demo/tsa-l1d/template.asm
================================================
.intel_syntax noprefix
# ----------------------------- Hypervisor (Host) ----------------------------
.section .data.main
.function_main_0:
# observer start
.macro.set_h2g_target.vm.function_vm_0:
.macro.set_g2h_target.main.function_main_1:
.macro.switch_h2g.vm.0:
.function_main_1:
.macro.landing_g2h.main_1:
.macro.set_h2g_target.vmvictim.function_vmvictim_0:
.macro.set_g2h_target.main.function_main_2:
.macro.switch_h2g.vmvictim.0:
.function_main_2:
.macro.landing_g2h.main_2:
.macro.set_h2g_target.vm.function_vm_1:
.macro.set_g2h_target.main.function_main_3:
xor rax, rax # noremove
xor rbx, rbx # noremove
xor rcx, rcx # noremove
xor rdx, rdx # noremove
xor rsi, rsi # noremove
xor rdi, rdi # noremove
# insert flushing patches here
.patch_placeholder:
.macro.switch_h2g.vm.1:
.function_main_3:
.macro.landing_g2h.main_3:
.macro.fault_handler:
.patch_placeholder_fault_handler:
.macro.set_h2g_target.vm.function_vm_2:
.macro.set_g2h_target.main.function_main_4:
.macro.switch_h2g.vm.2:
.function_main_4:
.macro.landing_g2h.main_4:
nop
# ----------------------------- VM - Victim ----------------------------------
.section .data.vmvictim
.function_vmvictim_0:
.macro.landing_h2g.vmvictim_0:
# secret injection
.macro.random_instructions.64.32.main_1:
.macro.switch_g2h.main.vmvictim_0:
lfence
# ----------------------------- VM - Observer --------------------------------
# Guest actor entered three times by the host: vm_0 starts the measurement,
# vm_1 runs the probing code and ends the measurement, vm_2 ends the
# measurement again on the path that goes through main_3.
.section .data.vm
.function_vm_0:
.macro.landing_h2g.vm_0:
# The measurement starts here, before the victim guest is entered.
.macro.measurement_start:
.macro.switch_g2h.main.vm_0:
lfence
.function_vm_1:
.macro.landing_h2g.vm_1:
# Six 8-byte loads from r14+0x2000 .. r14+0x2028 into rax, rbx, rcx, rdx, rsi
# and rdi. The value xor writes to rax is overwritten by the first load.
# NOTE(review): r14 presumably holds the base of this actor's data area -
# confirm. `# noremove` presumably protects these lines from the minimizer.
xor rax, rax # noremove
mov rax, qword ptr [r14 + 0x2000] # noremove
mov rbx, qword ptr [r14 + 0x2008] # noremove
mov rcx, qword ptr [r14 + 0x2010] # noremove
mov rdx, qword ptr [r14 + 0x2018] # noremove
mov rsi, qword ptr [r14 + 0x2020] # noremove
mov rdi, qword ptr [r14 + 0x2028] # noremove
# Full memory fence between the fixed loads and the generated code below.
mfence # noremove
# secret retrieval
# The generator replaces this macro with a random instruction sequence; any
# dependence of the measured trace on the victim's data has to show up here.
.macro.random_instructions.64.32.vm_1:
# make sure the model doesn't attempt to go further than this point
lfence # noremove
.macro.measurement_end.vm_1:
.macro.switch_g2h.main.1:
lfence
.function_vm_2:
.macro.landing_h2g.vm_2:
# NOTE(review): second measurement_end; presumably closes the measurement when
# vm_1 was left through the fault handler in main_3 before reaching its own
# measurement_end - confirm.
.macro.measurement_end.vm_2:
.macro.switch_g2h.main.2:
lfence
# ----------------------------- Exit -----------------------------------------
# Switch back to the host section so that the exit label is emitted in
# .data.main, after main_4.
.section .data.main
.test_case_exit:
================================================
FILE: demo/tsa-sq/config.yaml
================================================
# Campaign configuration for the tsa-sq demo: a kernel-mode actor ("main") and
# a user-mode observer actor ("user"), both in host mode.
instruction_set: x86-64
# Instruction pool for generated code: only BASE-* categories are enabled.
instruction_categories:
- BASE-BINARY
- BASE-BITBYTE
- BASE-CMOV
- BASE-COND_BR
- BASE-CONVERT
- BASE-DATAXFER
- BASE-FLAGOP
- BASE-LOGICAL
- BASE-MISC
- BASE-NOP
- BASE-POP
- BASE-PUSH
- BASE-SEMAPHORE
- BASE-SETCC
- BASE-WIDENOP
# user-to-kernel-access is the only fault type allowed globally; the "main"
# actor blocks it again below.
# NOTE(review): presumably this leaves the fault enabled for the "user" actor
# only - confirm how faults_allowlist and fault_blocklist combine.
faults_allowlist:
- user-to-kernel-access
actors:
# Kernel-privileged host actor.
- main:
- mode: "host"
- privilege_level: "kernel"
- fault_blocklist:
- user-to-kernel-access
# User-privileged host actor, marked as the observer.
- user:
- mode: "host"
- observer: true
- privilege_level: "user"
- data_properties:
- present: true
# NOTE(review): what the ct-ni clause exposes decides what counts as a
# violation; see docs/howto/choose-contract.md before changing it.
contract_observation_clause: ct-ni
# At most one basic block per generated function.
max_bb_per_function: 1
# F+R: Flush+Reload measurement mode.
executor_mode: F+R
executor_sample_sizes:
- 15
- 40
- 160
- 320
executor_filtering_repetitions: 5
x86_enable_hpa_gpa_collisions: true
# Both generator seeds are fixed constants.
# NOTE(review): presumably this makes the generated programs and inputs
# repeatable across runs - confirm.
program_generator_seed: 20000000
data_generator_seed: 1000000
inputs_per_class: 2
# NOTE(review): presumably the cutoff the analyser applies when comparing
# hardware traces statistically - confirm before tuning; a wrong value can hide
# or invent violations.
analyser_stat_threshold: 0.2
# Disabled option, kept for reference.
# enable_speculation_filter: true
enable_observation_filter: true
enable_fast_path_model: true
# color: true
logging_modes:
- info
# - stat
================================================
FILE: demo/tsa-sq/template.asm
================================================
.intel_syntax noprefix
# ----------------------------- Kernel-mode Actor (Victim) -------------------
# Kernel-side driver and victim of the test case. Every .macro.* label is a
# placeholder that the fuzzer expands (see docs/howto/use-macros.md), so the
# order of the lines below is part of the test and must be kept. Each
# .function_main_N arms a kernel-to-user (k2u) target and a user-to-kernel
# (u2k) return target, then switches into the user actor.
# Sequence as the target labels name it:
#   main_0 -> user_0 -> main_1 -> user_1 -> main_2 -> user_2 -> main_3
.section .data.main
.function_main_0:
# observer start
# First entry into the user actor; the return target is main_1.
.macro.set_k2u_target.user.function_user_0:
.macro.set_u2k_target.main.function_main_1:
.macro.switch_k2u.user.0:
.function_main_1:
.macro.landing_u2k.main_1:
# secret injection
# The generator replaces this macro with a random instruction sequence that
# runs at kernel privilege.
# NOTE(review): the fields 64 and 32 presumably size that sequence - confirm
# in docs/howto/use-templates.md.
.macro.random_instructions.64.32.main_1:
# The switch to user_1 follows the generated code directly: this template has
# no register clearing and no patch placeholder on the kernel-to-user path, so
# a mitigation sequence under evaluation would have to be added here.
.macro.set_k2u_target.user.function_user_1:
.macro.set_u2k_target.main.function_main_2:
.macro.switch_k2u.user.1:
.function_main_2:
.macro.landing_u2k.main_2:
# NOTE(review): fault handler marker; presumably faults raised during the test
# land here - confirm.
.macro.fault_handler:
# Third entry into the user actor (user_2), which only closes the measurement.
.macro.set_k2u_target.user.function_user_2:
.macro.set_u2k_target.main.function_main_3:
.macro.switch_k2u.user.2:
.function_main_3:
.macro.landing_u2k.main_3:
nop
# ----------------------------- User-mode Actor ------------------------------
# User actor entered three times by the kernel actor: user_0 starts the
# measurement, user_1 runs the probing code and ends the measurement, user_2
# ends the measurement again on the path that goes through main_2.
.section .data.user
.function_user_0:
.macro.landing_k2u.user_0:
# The measurement starts here, before the kernel-side generated code runs.
.macro.measurement_start:
.macro.switch_u2k.main.user_0:
lfence
.function_user_1:
.macro.landing_k2u.user_1:
# Six 8-byte loads from r14+0x2000 .. r14+0x2028 into rax, rbx, rcx, rdx, rsi
# and rdi. The value xor writes to rax is overwritten by the first load.
# NOTE(review): r14 presumably holds the base of this actor's data area -
# confirm. `# noremove` presumably protects these lines from the minimizer.
xor rax, rax # noremove
mov rax, qword ptr [r14 + 0x2000] # noremove
mov rbx, qword ptr [r14 + 0x2008] # noremove
mov rcx, qword ptr [r14 + 0x2010] # noremove
mov rdx, qword ptr [r14 + 0x2018] # noremove
mov rsi, qword ptr [r14 + 0x2020] # noremove
mov rdi, qword ptr [r14 + 0x2028] # noremove
# NOTE(review): this fence carries no `# noremove` tag, unlike the loads above
# and the lfence further down. If the tag is what protects a line during
# minimization, this fence can be dropped and the loads would no longer be
# ordered before the generated code - confirm that this is intended.
lfence
# secret retrieval
# The generator replaces this macro with a random instruction sequence; any
# dependence of the measured trace on the kernel actor's data has to show up
# here.
.macro.random_instructions.64.32.user_1:
# make sure the model doesn't attempt to go further than this point
lfence # noremove
.macro.measurement_end.user_1:
.macro.switch_u2k.main.1:
lfence
.function_user_2:
.macro.landing_k2u.user_2:
# NOTE(review): second measurement_end; presumably closes the measurement when
# user_1 was left through the fault handler in main_2 before reaching its own
# measurement_end - confirm.
.macro.measurement_end.user_2:
.macro.switch_u2k.main.2:
lfence
# ----------------------------- Exit -----------------------------------------
# Switch back to the kernel actor's section so that the exit label is emitted
# in .data.main, after main_3.
.section .data.main
.test_case_exit:
================================================
FILE: docs/assets/branches.drawio
================================================
<mxfile host="Electron" modified="2024-07-30T08:53:34.216Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.5.1 Chrome/96.0.4664.110 Electron/16.0.7 Safari/537.36" etag="Hyny0YfqRxkr2HCByzIt" version="16.5.1" type="device"><diagram id="RTthD5nFo_tmHNPfYv7S" name="Page-1">3VlZj5swEP41kdpKWQVzJPvYPdqqdxVVbR6d4IBXgFNjNqS/vkMYMARytJtC2pfEHt8z830zNgPzNkxfS7ryPwiXBQMyctOBeTcgxHIM+M0Em1wwGdu5wJPczUWGFkz5T4bCEUoT7rK41lEJESi+qgsXIorYQtVkVEqxrndbiqC+6op6rCGYLmjQlH7jrvJR6tiWbnjDuOfj0sQ0nbwlpEVvPErsU1esKyLzfmDeSiFUXgrTWxZkyisUk497tae13JlkkTplwHRKPw4d/vbNbDE22dcv3rvw8xBneaRBgiceECeA+W6WAqaFXasN6sL5kYiiYRhvLfUSOhjjVaoboeTh/3aWeSEIKY8KIexxvtsRZPmKO+NlIXkWKzqHrZBbWFSygNGYuc9RteUmiRRJ5LLsyAYMWvtcsemKLrLWNXgoyHwVBtjcVGGhDyYVSysiVOlrJkKm5Aa6YKtpoXnRwc0R1tcVdylcwK94ygRlFD3UK6fWNoQCmvE3THrd0AlzwaexKqTyhSciGtxr6Y3W2ghqus97IVaoqwem1AYBShMl6poEBcrN92z8FbGL+qzaeJfi7Hltg7W9JohFIhfswDkJ0gGVHlPHXTxTwkGDgk9RxR/rwD+7dUgTcSGPhGw6PPp4qzXf0znwbM0CNOBeBOUFKJJJEGQ+zIHJXmJDyF03NzYD9G6xlJtgJXiktue0bwb2HUIcTW2MW410yPMa4CnpGRetEWAbqIajK9MgSKQn2wWn+5wdpzIXMWsALevFFGK5jMGBdg1b7uokW8/u0iEXE/fTw718HKbfflzbaeF5HSMx5ep7pTzbgtLGmkZhVilAqNFbhS6OOgBel8Z+ybWtMPu70DZ7RXKXoXO45CnkQQcCqCaOPSH1WRLnARTQGIYcEJ/lUvATsVRtExbAzZUOrr2HVuLUQ6tF+g6tRVbaW2wddxRbzX8ztjYhGdKH/yO2Fq53luBKRrtB0ThLrCXXHYTaQw7bQsYNonwaO68kG5bec+LVpY2229h4mbmqpuOt5xZs3P9Np6Tfy6HjXhKsP2dV63fSmothVasraLns8WmQikS2+jIJgkw7isUK7JwBaq1h1j+O7ItLawqa7ueioi8ns0rLkYtKmfrkFxVy7KZyPOqeCmL7RBBbFwViey+Iz3xZWTKqEoiRL5722Jf5lsxzm1jJZKG4iEoo4xrlBQaIo39YO9c7D4FW77Du57bSCuvRQVjvonMfzMfHYP7nsHb6gnV7Jm1N6t7kjHa8JN8ojjp/Pu10xRfzxPtLXIEvJhdMEXbv3wqMSZ8U0cUT5fkC//hEhiAXFfjHXQHZFwoQp7F8OFff+0Z5Apazh8r+wWwY3aXxUNXfiXOK11/bzftf</diagram></mxfile>
================================================
FILE: docs/assets/dr-instrumentation.drawio
================================================
<mxfile host="Electron" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/27.0.9 Chrome/134.0.6998.205 Electron/35.4.0 Safari/537.36" version="27.0.9">
<diagram name="Page-1" id="Q5S100K9i7V5bAyz_BIk">
<mxGraphModel dx="1376" dy="1102" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
<root>
<mxCell id="0" />
<mxCell id="1" parent="0" />
<mxCell id="VMTqDSAsTNkDB5RHAwfX-28" value="Dispatcher.cpp" style="rounded=1;whiteSpace=wrap;html=1;arcSize=5;verticalAlign=top;fontFamily=JetBrains Mono;fontSize=15;fontStyle=1" parent="1" vertex="1">
<mxGeometry x="560" y="110" width="380" height="290" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-5" value="Model.cpp" style="rounded=1;whiteSpace=wrap;html=1;arcSize=5;verticalAlign=top;fontFamily=JetBrains Mono;fontSize=15;fontStyle=1" parent="1" vertex="1">
<mxGeometry x="40" y="110" width="470" height="290" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-7" value="namespace dr_model" style="rounded=1;whiteSpace=wrap;html=1;arcSize=7;verticalAlign=top;fontFamily=JetBrains Mono;fontStyle=1;fillColor=#FFF2CC;" parent="1" vertex="1">
<mxGeometry x="70" y="180" width="430" height="160" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-27" style="edgeStyle=orthogonalEdgeStyle;rounded=1;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;endArrow=none;endFill=1;fontFamily=JetBrains Mono;curved=0;dashed=1;dashPattern=1 1;strokeColor=#666666;startArrow=blockThin;startFill=0;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-10" target="VMTqDSAsTNkDB5RHAwfX-19" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="160" y="276" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-72" value="reads" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="VMTqDSAsTNkDB5RHAwfX-27" vertex="1" connectable="0">
<mxGeometry x="0.1613" relative="1" as="geometry">
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-10" value="<div>instrumented_func.exit_pc</div>" style="rounded=1;whiteSpace=wrap;html=1;align=center;fontFamily=JetBrains Mono;fontSize=9;fontStyle=2" parent="1" vertex="1">
<mxGeometry x="80" y="235" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-23" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=none;endFill=1;fontFamily=JetBrains Mono;dashed=1;dashPattern=1 1;strokeColor=#666666;startArrow=blockThin;startFill=0;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-11" target="VMTqDSAsTNkDB5RHAwfX-18" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-68" value="reads" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="VMTqDSAsTNkDB5RHAwfX-23" vertex="1" connectable="0">
<mxGeometry x="-0.4408" relative="1" as="geometry">
<mxPoint x="11" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-11" value="<div>instrumented_func.name</div>" style="rounded=1;whiteSpace=wrap;html=1;align=center;fontFamily=JetBrains Mono;fontSize=9;fontStyle=2" parent="1" vertex="1">
<mxGeometry x="80" y="215" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-12" value="<div>glob_dispatcher</div>" style="rounded=1;whiteSpace=wrap;html=1;align=center;fontFamily=JetBrains Mono;fontSize=9;fontStyle=2" parent="1" vertex="1">
<mxGeometry x="80" y="150" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-14" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;fontFamily=JetBrains Mono;dashed=1;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-13" target="VMTqDSAsTNkDB5RHAwfX-12" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-16" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;fontFamily=JetBrains Mono;dashed=1;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-13" target="VMTqDSAsTNkDB5RHAwfX-11" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-17" value="initializes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontStyle=2;fontSize=9;" parent="VMTqDSAsTNkDB5RHAwfX-16" vertex="1" connectable="0">
<mxGeometry x="-0.3834" y="-2" relative="1" as="geometry">
<mxPoint x="31" y="11" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-26" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.75;entryY=1;entryDx=0;entryDy=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;dashed=1;" edge="1" parent="1" source="VMTqDSAsTNkDB5RHAwfX-13" target="VMTqDSAsTNkDB5RHAwfX-7">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-13" value="<div>dr_client_main()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=center;fontFamily=JetBrains Mono;fontStyle=1" parent="1" vertex="1">
<mxGeometry x="90" y="360" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-25" style="edgeStyle=orthogonalEdgeStyle;rounded=1;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;fontFamily=JetBrains Mono;curved=0;dashed=1;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-18" target="VMTqDSAsTNkDB5RHAwfX-20" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="490" y="225" />
<mxPoint x="490" y="245" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-73" value="inserts" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="VMTqDSAsTNkDB5RHAwfX-25" vertex="1" connectable="0">
<mxGeometry x="-0.1333" y="1" relative="1" as="geometry">
<mxPoint y="-13" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-18" value="<div>event_module_load()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFCE9F;" parent="1" vertex="1">
<mxGeometry x="310" y="215" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-82" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;" parent="1" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="578.4444444444445" y="261" as="targetPoint" />
<Array as="points">
<mxPoint x="470" y="276" />
<mxPoint x="504" y="276" />
<mxPoint x="504" y="261" />
</Array>
<mxPoint x="470" y="280" as="sourcePoint" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-83" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;" parent="1" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="577.8888888888889" y="276.33333333333337" as="targetPoint" />
<Array as="points">
<mxPoint x="470" y="276" />
</Array>
<mxPoint x="470" y="278" as="sourcePoint" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-19" value="<div>event_bb_instrumentation()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFCE9F;" parent="1" vertex="1">
<mxGeometry x="310" y="266" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-26" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;fontFamily=JetBrains Mono;dashed=1;dashPattern=1 1;strokeColor=#666666;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-20" target="VMTqDSAsTNkDB5RHAwfX-10" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-71" value="writes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="VMTqDSAsTNkDB5RHAwfX-26" vertex="1" connectable="0">
<mxGeometry x="0.0599" y="-3" relative="1" as="geometry">
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-20" value="<div>event_instrumentation_start()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFD966;" parent="1" vertex="1">
<mxGeometry x="310" y="235" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-21" value="<div>event_signal()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFCE9F;" parent="1" vertex="1">
<mxGeometry x="310" y="286" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-22" value="<div>event_exit()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFCE9F;" parent="1" vertex="1">
<mxGeometry x="310" y="306" width="160" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-38" value="Dispatcher" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;whiteSpace=wrap;html=1;fontFamily=JetBrains Mono;" parent="1" vertex="1">
<mxGeometry x="572" y="151" width="160" height="190" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-39" value="+ logger<div>+ tracer</div><div>+ speculator</div>" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;whiteSpace=wrap;html=1;fontFamily=JetBrains Mono;fontSize=9;" parent="VMTqDSAsTNkDB5RHAwfX-38" vertex="1">
<mxGeometry y="26" width="160" height="44" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-40" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;strokeColor=inherit;fontFamily=JetBrains Mono;" parent="VMTqDSAsTNkDB5RHAwfX-38" vertex="1">
<mxGeometry y="70" width="160" height="8" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-61" value="" style="endArrow=blockThin;html=1;rounded=0;endFill=1;fontFamily=JetBrains Mono;entryX=0;entryY=0.5;entryDx=0;entryDy=0;dashed=1;" parent="VMTqDSAsTNkDB5RHAwfX-38" target="VMTqDSAsTNkDB5RHAwfX-45" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="110" y="125" as="sourcePoint" />
<mxPoint x="207" y="117" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-41" value="<div>+ start()</div><div><br></div>+ instrument_instruction()<div>+ instrument_exit()</div><div><br></div><div>+ handle_exception()</div><div><br></div><div>+ finalize()</div>" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;whiteSpace=wrap;html=1;fontFamily=JetBrains Mono;fontSize=9;" parent="VMTqDSAsTNkDB5RHAwfX-38" vertex="1">
<mxGeometry y="78" width="160" height="112" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-63" style="edgeStyle=orthogonalEdgeStyle;rounded=1;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;entryX=1.003;entryY=0.896;entryDx=0;entryDy=0;entryPerimeter=0;fontFamily=JetBrains Mono;curved=0;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-44" target="VMTqDSAsTNkDB5RHAwfX-39" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="653.5999999999999" y="198.60000000000002" as="targetPoint" />
<Array as="points">
<mxPoint x="860" y="217" />
<mxPoint x="732" y="217" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-44" value="<div>dispatch_callback()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=center;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#F19C99;" parent="1" vertex="1">
<mxGeometry x="780" y="250.5" width="120" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-62" style="edgeStyle=orthogonalEdgeStyle;rounded=1;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontFamily=JetBrains Mono;curved=0;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-45" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="646" y="319" as="targetPoint" />
<Array as="points">
<mxPoint x="840" y="319" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-64" style="edgeStyle=orthogonalEdgeStyle;rounded=1;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;fontFamily=JetBrains Mono;curved=0;endArrow=blockThin;endFill=1;" parent="1" source="VMTqDSAsTNkDB5RHAwfX-45" target="VMTqDSAsTNkDB5RHAwfX-39" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="659.2" y="210.20000000000005" as="targetPoint" />
<Array as="points">
<mxPoint x="840" y="318" />
<mxPoint x="920" y="318" />
<mxPoint x="920" y="199" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-45" value="<div>exit_callback()</div>" style="rounded=1;whiteSpace=wrap;html=1;align=center;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#F19C99;" parent="1" vertex="1">
<mxGeometry x="780" y="270.5" width="120" height="20" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-59" value="" style="endArrow=blockThin;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endFill=1;fontFamily=JetBrains Mono;dashed=1;" parent="1" target="VMTqDSAsTNkDB5RHAwfX-44" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="721" y="264" as="sourcePoint" />
<mxPoint x="782" y="240" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-75" value="exit_pc?" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="544" y="266" as="geometry">
<mxPoint x="-7" y="10" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-76" value="calls" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="543" y="250" as="geometry">
<mxPoint x="-3" y="73" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-77" value="<font color="#ffffff">3</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" parent="1" vertex="1">
<mxGeometry x="470" y="200" width="10" height="10" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-80" value="<font style="color: rgb(255, 255, 255);">4</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" parent="1" vertex="1">
<mxGeometry x="295" y="238" width="10" height="10" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-85" value="" style="endArrow=blockThin;html=1;rounded=0;endFill=1;fontFamily=JetBrains Mono;" parent="1" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="470" y="297" as="sourcePoint" />
<mxPoint x="575" y="296" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-88" value="<font style="color: rgb(255, 255, 255);">5</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" parent="1" vertex="1">
<mxGeometry x="479" y="270" width="10" height="10" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-89" value="" style="endArrow=blockThin;html=1;rounded=0;endFill=1;fontFamily=JetBrains Mono;" parent="1" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="470" y="317" as="sourcePoint" />
<mxPoint x="576" y="317" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-90" value="calls" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="541" y="296" as="geometry">
<mxPoint y="5" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-91" value="inserts" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="750" y="237" as="geometry">
<mxPoint x="1" y="52" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-92" value="inserts" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="752" y="255" as="geometry" />
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-93" value="uses" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="262" y="227" as="geometry">
<mxPoint x="555" y="-2" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-96" value="n: finalize()" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="780" y="305" as="geometry">
<mxPoint x="-8" y="11" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-97" value="y: rollback()" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="900" y="306" as="geometry">
<mxPoint x="-18" y="13" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="VMTqDSAsTNkDB5RHAwfX-98" value="is speculative?" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" parent="1" vertex="1" connectable="0">
<mxGeometry x="907" y="306" as="geometry">
<mxPoint x="-48" y="-6" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;dashed=1;" edge="1" parent="1" source="VMTqDSAsTNkDB5RHAwfX-12">
<mxGeometry relative="1" as="geometry">
<mxPoint x="574" y="159" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-2" value="<i>points to</i>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontSize=9;" vertex="1" connectable="0" parent="jZhf56UUiF3wu5g5-CzG-1">
<mxGeometry x="-0.5431" y="4" relative="1" as="geometry">
<mxPoint x="23" y="-5" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-3" value="<font style="color: rgb(255, 255, 255);">2</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" vertex="1" parent="1">
<mxGeometry x="45" y="345" width="10" height="10" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-15" value="" style="endArrow=blockThin;html=1;rounded=0;endFill=1;" edge="1" parent="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="470" y="251" as="sourcePoint" />
<mxPoint x="578" y="243" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-16" value="calls" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" vertex="1" connectable="0" parent="1">
<mxGeometry x="541" y="232.5" as="geometry">
<mxPoint y="5" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-17" value="started?" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontStyle=2;fontFamily=JetBrains Mono;fontSize=8;" vertex="1" connectable="0" parent="1">
<mxGeometry x="544" y="250" as="geometry">
<mxPoint x="-7" y="10" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-18" value="" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFCE9F;" vertex="1" parent="1">
<mxGeometry x="70" y="430" width="20" height="20" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-19" value="" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#FFD966;" vertex="1" parent="1">
<mxGeometry x="210" y="430" width="20" height="20" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-20" value="" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=#F19C99;" vertex="1" parent="1">
<mxGeometry x="360" y="430" width="20" height="20" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-21" value="" style="rounded=1;whiteSpace=wrap;html=1;align=left;fontFamily=JetBrains Mono;fontSize=9;fontStyle=1;fillColor=none;" vertex="1" parent="1">
<mxGeometry x="500" y="430" width="20" height="20" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-22" value="initial callbacks" style="edgeLabel;html=1;align=left;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontStyle=2;fontSize=9;" vertex="1" connectable="0" parent="1">
<mxGeometry x="100" y="440" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-23" value="dynamically-added<div>callbacks</div>" style="edgeLabel;html=1;align=left;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontStyle=2;fontSize=9;" vertex="1" connectable="0" parent="1">
<mxGeometry x="240" y="440" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-24" value="execution-time<div>clean calls</div>" style="edgeLabel;html=1;align=left;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontStyle=2;fontSize=9;" vertex="1" connectable="0" parent="1">
<mxGeometry x="391" y="440" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-25" value="other components" style="edgeLabel;html=1;align=left;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontStyle=2;fontSize=9;" vertex="1" connectable="0" parent="1">
<mxGeometry x="531" y="440" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-27" value="installs callbacks" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontFamily=JetBrains Mono;fontStyle=2;fontSize=9;" vertex="1" connectable="0" parent="1">
<mxGeometry x="337" y="361" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-28" value="<font style="color: rgb(255, 255, 255);">1</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" vertex="1" parent="1">
<mxGeometry x="270" y="356" width="10" height="10" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-29" value="<font style="color: rgb(255, 255, 255);">6</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" vertex="1" parent="1">
<mxGeometry x="840" y="232.5" width="10" height="10" as="geometry" />
</mxCell>
<mxCell id="jZhf56UUiF3wu5g5-CzG-30" value="<font style="color: rgb(255, 255, 255);">7</font>" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#000000;fontFamily=JetBrains Mono;strokeWidth=6;" vertex="1" parent="1">
<mxGeometry x="804" y="295" width="10" height="10" as="geometry" />
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>
================================================
FILE: docs/assets/dr-model.drawio
================================================
<mxfile host="Electron" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/27.0.9 Chrome/134.0.6998.205 Electron/35.4.0 Safari/537.36" version="27.0.9">
<diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">
<mxGraphModel dx="1678" dy="2377" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
<root>
<mxCell id="WIyWlLk6GJQsqaUBKTNV-0" />
<mxCell id="WIyWlLk6GJQsqaUBKTNV-1" parent="WIyWlLk6GJQsqaUBKTNV-0" />
<mxCell id="QmN-cfn-Gxa06QFyi7zT-14" value="<font style="font-size: 18px">DynamoRIO Tool</font>" style="rounded=1;whiteSpace=wrap;html=1;fontSize=11;verticalAlign=top;arcSize=6;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="260" y="320" width="930" height="580" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-70" value="" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;arcSize=8;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="840" y="360" width="330" height="520" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-12" value="<font style="font-size: 18px">Python Adapter</font>" style="rounded=1;whiteSpace=wrap;html=1;fontSize=11;verticalAlign=top;arcSize=11;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="201" y="-100" width="550" height="370" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-1" value="DynamoRIOModel" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="391" y="60" width="300" height="90" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-3" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;" parent="QmN-cfn-Gxa06QFyi7zT-1" vertex="1">
<mxGeometry y="26" width="300" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-4" value="+ configure_clauses(...)
+ load_test_case(TestCaseProgram)
+ trace_test_case(List[InputData],...) -> List[CTrace]
" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;" parent="QmN-cfn-Gxa06QFyi7zT-1" vertex="1">
<mxGeometry y="34" width="300" height="56" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-10" value="<b><font style="font-size: 18px">Fuzzer</font></b>" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="241" y="-80" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-11" value="<font style="font-size: 11px">TestCaseProgram<br>List[InputData]</font>" style="html=1;verticalAlign=bottom;endArrow=block;rounded=0;fontSize=25;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-10" target="QmN-cfn-Gxa06QFyi7zT-4" edge="1">
<mxGeometry x="0.0186" y="13" width="80" relative="1" as="geometry">
<mxPoint x="381" y="-50" as="sourcePoint" />
<mxPoint x="461" y="-50" as="targetPoint" />
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-13" value="<font style="font-size: 18px">Test Case Loader</font>" style="rounded=1;whiteSpace=wrap;html=1;fontSize=11;verticalAlign=top;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="843" y="-100" width="300" height="350" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-46" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=1;entryDx=0;entryDy=0;fontSize=12;dashed=1;exitX=0.588;exitY=0.001;exitDx=0;exitDy=0;exitPerimeter=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" target="QmN-cfn-Gxa06QFyi7zT-13" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="869.8400000000001" y="320.62000000000035" as="sourcePoint" />
<Array as="points">
<mxPoint x="870" y="290" />
<mxPoint x="993" y="290" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-47" value="Instrument Binary" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-46" vertex="1" connectable="0">
<mxGeometry x="0.2028" y="-2" relative="1" as="geometry">
<mxPoint x="-22" y="-7" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-19" value="parser.c" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="873" y="-20" width="230" height="70" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-21" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-19" vertex="1">
<mxGeometry y="26" width="230" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-22" value="+ parse_rcbf(file): rcbf_t*
+ parse_rdbf(file): rdbf_t*" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-19" vertex="1">
<mxGeometry y="34" width="230" height="36" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-26" value="sandbox.c" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="873" y="70" width="230" height="70" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-27" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-26" vertex="1">
<mxGeometry y="26" width="230" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-28" value="+ load_code_in_sandbox(rcbf_t*)
+ load_data_in_sandbox(rdbf_t*)" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-26" vertex="1">
<mxGeometry y="34" width="230" height="36" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-30" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;fontSize=12;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-22" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="873" y="110" as="targetPoint" />
<Array as="points">
<mxPoint x="853" y="32" />
<mxPoint x="853" y="110" />
<mxPoint x="873" y="110" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-31" value="test_case_entry.c" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="873" y="160" width="230" height="60" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-32" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-31" vertex="1">
<mxGeometry y="26" width="230" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-33" value="+ test_case_entry(sandbox_t*)" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-31" vertex="1">
<mxGeometry y="34" width="230" height="26" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-38" value="<b><font style="font-size: 18px">Postprocessor</font></b>" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="241" y="200" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-39" value="<font style="font-size: 11px">TestCaseProgram<br>List[InputData]</font>" style="html=1;verticalAlign=bottom;endArrow=block;rounded=0;fontSize=25;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-38" target="QmN-cfn-Gxa06QFyi7zT-4" edge="1">
<mxGeometry x="-0.2384" y="-12" width="80" relative="1" as="geometry">
<mxPoint x="281" y="-40" as="sourcePoint" />
<mxPoint x="351" y="121.02400000000034" as="targetPoint" />
<mxPoint y="-1" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-40" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.25;entryDx=0;entryDy=0;fontSize=12;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-4" target="QmN-cfn-Gxa06QFyi7zT-13" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-42" value="RCBF File<br>RDBF File" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=12;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="690" y="90" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-48" value="model.cpp" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="934" y="405" width="200" height="110" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-49" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-48" vertex="1">
<mxGeometry y="26" width="200" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-50" value="+ event_bb_instrumentation(...)
+ event_instrumentation_start(...)
+ event_instrumentation_end(...)
+ event_signal()" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-48" vertex="1">
<mxGeometry y="34" width="200" height="76" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-52" value="Dispatcher" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="934" y="565" width="200" height="110" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-53" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-52" vertex="1">
<mxGeometry y="26" width="200" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-54" value="+ instrument_instruction(...)
+ start(...)
+ finalize(...)
+ handle_exception(...)" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-52" vertex="1">
<mxGeometry y="34" width="200" height="76" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-57" value="Instrumentation Components" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=15;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="907" y="360" width="210" height="30" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-61" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontSize=15;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-28" target="QmN-cfn-Gxa06QFyi7zT-33" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-62" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;fontSize=15;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-50" target="QmN-cfn-Gxa06QFyi7zT-52" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="1150" y="467" />
<mxPoint x="1150" y="530" />
<mxPoint x="1034" y="530" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-69" value="" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;arcSize=7;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="280" y="360" width="550" height="520" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-63" value="Execution-time Components" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=15;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="460" y="360" width="210" height="30" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-64" value="dispatcher.cpp" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="633" y="390" width="170" height="100" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-65" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-64" vertex="1">
<mxGeometry y="26" width="170" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-66" value="+ dispatch_callback(...)
+ mem_access_dispatch(...)
+ instruction_dispatch(...)" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-64" vertex="1">
<mxGeometry y="34" width="170" height="66" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-68" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;fontSize=15;dashed=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-54" target="QmN-cfn-Gxa06QFyi7zT-66" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="934" y="587" />
<mxPoint x="850" y="587" />
<mxPoint x="850" y="457" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-71" value="<font style="font-size: 8px;">add calls to<br style="font-size: 8px;">dispatch_callback()<br style="font-size: 8px;">for every instruction<br style="font-size: 8px;"></font>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=8;" parent="QmN-cfn-Gxa06QFyi7zT-68" vertex="1" connectable="0">
<mxGeometry x="-0.6126" y="1" relative="1" as="geometry">
<mxPoint x="-44" y="-37" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-74" value="TracerABC" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="301" y="537" width="230" height="120" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-75" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-74" vertex="1">
<mxGeometry y="26" width="230" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-76" value="+ tracing_star(...)
+ tracing_finalize(...)
+ observe_instruction(...)
+ observe_mem_access(...)
+ observe_exception(...)" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-74" vertex="1">
<mxGeometry y="34" width="230" height="86" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-77" value="SpeculatorABC" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="590" y="540" width="170" height="120" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-78" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-77" vertex="1">
<mxGeometry y="26" width="170" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-79" value="+ handle_instruction(...)
+ handle_mem_access(...)
+ handle_exception(...)
- checkpoint()
- rollback()" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-77" vertex="1">
<mxGeometry y="34" width="170" height="86" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-81" value="" style="html=1;verticalAlign=bottom;endArrow=block;rounded=0;fontSize=8;exitX=0.235;exitY=1.031;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;curved=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-66" target="QmN-cfn-Gxa06QFyi7zT-74" edge="1">
<mxGeometry width="80" relative="1" as="geometry">
<mxPoint x="660" y="560" as="sourcePoint" />
<mxPoint x="740" y="560" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-82" value="dispatch instruction/mem. access" style="html=1;verticalAlign=bottom;endArrow=block;rounded=0;fontSize=9;exitX=0.245;exitY=1.01;exitDx=0;exitDy=0;exitPerimeter=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-66" target="QmN-cfn-Gxa06QFyi7zT-77" edge="1">
<mxGeometry x="-0.2193" y="-25" width="80" relative="1" as="geometry">
<mxPoint x="699.94" y="512.0160000000001" as="sourcePoint" />
<mxPoint x="445" y="550" as="targetPoint" />
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-83" value="TracerCT" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="301" y="697" width="230" height="80" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-84" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-83" vertex="1">
<mxGeometry y="26" width="230" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-85" value="+ observe_instruction(...)
+ observe_mem_access(...)" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=top;spacingLeft=4;spacingRight=4;overflow=hidden;rotatable=0;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-83" vertex="1">
<mxGeometry y="34" width="230" height="46" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-86" value="" style="endArrow=block;dashed=1;endFill=0;endSize=12;html=1;rounded=0;fontSize=8;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-83" target="QmN-cfn-Gxa06QFyi7zT-74" edge="1">
<mxGeometry width="160" relative="1" as="geometry">
<mxPoint x="461" y="607" as="sourcePoint" />
<mxPoint x="621" y="607" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-90" value="SpeculatorSeq" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="566" y="713" width="140" height="34" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-91" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-90" vertex="1">
<mxGeometry y="26" width="140" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-93" value="SpeculatorCond" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="588" y="763" width="160" height="34" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-94" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-93" vertex="1">
<mxGeometry y="26" width="160" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-95" value="SpeculatorBpas" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="643" y="813" width="160" height="34" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-96" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="QmN-cfn-Gxa06QFyi7zT-95" vertex="1">
<mxGeometry y="26" width="160" height="8" as="geometry" />
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-97" value="" style="endArrow=block;dashed=1;endFill=0;endSize=12;html=1;rounded=0;fontSize=8;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-90" edge="1">
<mxGeometry width="160" relative="1" as="geometry">
<mxPoint x="680.71" y="660" as="sourcePoint" />
<mxPoint x="676" y="660" as="targetPoint" />
<Array as="points">
<mxPoint x="636" y="680" />
<mxPoint x="676" y="680" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-98" value="" style="endArrow=block;dashed=1;endFill=0;endSize=12;html=1;rounded=0;fontSize=8;exitX=0.829;exitY=0.013;exitDx=0;exitDy=0;exitPerimeter=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-93" edge="1">
<mxGeometry width="160" relative="1" as="geometry">
<mxPoint x="646" y="670" as="sourcePoint" />
<mxPoint x="676" y="660" as="targetPoint" />
<Array as="points">
<mxPoint x="721" y="680" />
<mxPoint x="676" y="680" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-99" value="" style="endArrow=block;dashed=1;endFill=0;endSize=12;html=1;rounded=0;fontSize=8;exitX=0.75;exitY=0;exitDx=0;exitDy=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="QmN-cfn-Gxa06QFyi7zT-95" edge="1">
<mxGeometry width="160" relative="1" as="geometry">
<mxPoint x="731" y="720" as="sourcePoint" />
<mxPoint x="676" y="660" as="targetPoint" />
<Array as="points">
<mxPoint x="766" y="680" />
<mxPoint x="676" y="680" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-100" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=12;dashed=1;exitX=0.004;exitY=0.379;exitDx=0;exitDy=0;exitPerimeter=0;endArrow=block;endFill=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="296.97999999999985" y="603.594" as="sourcePoint" />
<mxPoint x="534.06" y="150" as="targetPoint" />
<Array as="points">
<mxPoint x="245.06" y="604" />
<mxPoint x="245.06" y="297" />
<mxPoint x="534.06" y="297" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="QmN-cfn-Gxa06QFyi7zT-101" value="&nbsp; &nbsp; &nbsp; &nbsp; TRACE File&nbsp;&nbsp;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=12;" parent="QmN-cfn-Gxa06QFyi7zT-100" vertex="1" connectable="0">
<mxGeometry x="0.2028" y="-2" relative="1" as="geometry">
<mxPoint x="66" y="-3" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-20" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;dashed=1;endArrow=none;startFill=0;strokeColor=#666666;" parent="WIyWlLk6GJQsqaUBKTNV-1" target="uKMc0L07USMBdFAgg4Kt-19" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="421" y="340" />
<mxPoint x="585" y="340" />
</Array>
<mxPoint x="421" y="410" as="sourcePoint" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-3" value="Logger" style="swimlane;fontStyle=1;align=center;verticalAlign=top;childLayout=stackLayout;horizontal=1;startSize=26;horizontalStack=0;resizeParent=1;resizeParentMax=0;resizeLast=0;collapsible=1;marginBottom=0;fontSize=18;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="379" y="410" width="120" height="34" as="geometry" />
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-4" value="" style="line;strokeWidth=1;fillColor=none;align=left;verticalAlign=middle;spacingTop=-1;spacingLeft=3;spacingRight=3;rotatable=0;labelPosition=right;points=[];portConstraint=eastwest;fontSize=18;" parent="uKMc0L07USMBdFAgg4Kt-3" vertex="1">
<mxGeometry y="26" width="120" height="8" as="geometry" />
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-11" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;dashed=1;endArrow=block;endFill=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="550" y="416" />
<mxPoint x="550" y="416" />
</Array>
<mxPoint x="633" y="416" as="sourcePoint" />
<mxPoint x="499" y="416" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-12" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.042;entryDx=0;entryDy=0;dashed=1;endArrow=block;endFill=1;entryPerimeter=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" edge="1">
<mxGeometry relative="1" as="geometry">
<Array as="points">
<mxPoint x="549" y="616" />
<mxPoint x="549" y="438" />
<mxPoint x="499" y="438" />
</Array>
<mxPoint x="531" y="616" as="sourcePoint" />
<mxPoint x="499" y="438.336" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-13" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;dashed=1;endArrow=block;endFill=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="499" y="427" as="targetPoint" />
<Array as="points">
<mxPoint x="569" y="617" />
<mxPoint x="569" y="427" />
</Array>
<mxPoint x="589" y="617" as="sourcePoint" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-15" value="<font>Log Events</font>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=9;" parent="uKMc0L07USMBdFAgg4Kt-13" vertex="1" connectable="0">
<mxGeometry x="-0.4384" y="-2" relative="1" as="geometry">
<mxPoint x="-31" y="-153" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-16" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;fillColor=#232F3D;strokeColor=none;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;pointerEvents=1;shape=mxgraph.aws4.document;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="386" y="285" width="17.54" height="24" as="geometry" />
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-19" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;fillColor=#666666;strokeColor=none;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;pointerEvents=1;shape=mxgraph.aws4.document;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="578" y="285" width="16.08" height="22" as="geometry" />
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-21" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;dashed=1;endArrow=block;endFill=1;strokeColor=#666666;" parent="WIyWlLk6GJQsqaUBKTNV-1" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="585.8" y="150.5" as="targetPoint" />
<mxPoint x="585.8" y="283.5" as="sourcePoint" />
</mxGeometry>
</mxCell>
<mxCell id="uKMc0L07USMBdFAgg4Kt-22" value="<span style="background-color: rgb(255, 255, 255);">Debug Trace</span><div><span style="background-color: rgb(255, 255, 255);">(optional)</span></div>" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;fontColor=#666666;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
<mxGeometry x="594.08" y="276" width="90" height="40" as="geometry" />
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>
================================================
FILE: docs/assets/fuzzing-flow.drawio
================================================
<mxfile host="Electron" modified="2025-02-14T10:47:35.820Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.5.1 Chrome/96.0.4664.110 Electron/16.0.7 Safari/537.36" etag="RKLjlPN-6zBEMbTxfot0" version="16.5.1" type="device"><diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">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</diagram></mxfile>
================================================
FILE: docs/assets/tsa-sq-template.drawio
================================================
<mxfile host="Electron" modified="2025-07-21T10:25:41.035Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.5.1 Chrome/96.0.4664.110 Electron/16.0.7 Safari/537.36" etag="BbGekvxkDWImu01GMpuU" version="16.5.1" type="device"><diagram id="VUT32xMhq3pvxhd0Flhl" name="Page-1">7Vtdc5s4FP01nmkfkjESYPvRcZJmptnZzma7m33qyCAbpoBcIcf2/vqVQHxJ2CYOJiTZvsS6EgKde+7RvYIO4CzcfqFo5f1GXBwMwNDdDuD1AADDHkH+R1h20jIEk9SypL4rbYXhwf8XZwOlde27OK4MZIQEzF9VjQ6JIuywig1RSjbVYQsSVO+6QkusGR4cFOjWv32XednCLLPouMP+0pO3BhDaaU+IstFyKbGHXLIpmeDNAM4oISz9FW5nOBDwZcCk193u6c2fjOKINblgeDe9uDccYzeZjR7t9TSOx8sLMEqneULBWi5ZPi3bZRhQso5cLGYxBvBq4/kMP6yQI3o33O3c5rEwkN0LPwhmJCA0uRYuFgvgONweM0p+4lKPa89ty+Y9+jrk0p4wZXhbMsl1fcEkxIzu+BDZC22JcUazDPNN4TMwlDav5C4zuxBJnizzuQsk+Q8J5nOAtc8LrGvhsWvWATsGc2i3BKzRP2ANDdevmEaJ7qTgATvgD3E1p/zXUvz6hBwmwJkmUelHnzVHcDRYFe0qqhGJsOICaUKBv4x40+EYY26/Etj6XD+msiP0XVfcpta9BQGGYnoSsQf5UDXR/Wzn5cqTOQ+amvPGNb6DZ4sJzXXfYw4aGIqN47Df1nzgR/GbaRz3m1EXdGdznFWjZdJbmbNEYP0YZmZ+l7zngOwNj8veUUcxsmpH63Id2yntMuygS9jrtpAUX9d/KuBNTfEKRaot94EIn33eyW11M3Bz6V63998f7hJnirRJD9gVxcIFIh9DjofTkQzrgdtTCpgqBWBDCpxtt2uQnuHInYpMVyAUoDj2nSp8Vaw5OHT3WG78IxqXVta83pY7r3eytRddhugSswNLkOKB3UqmrfughLFVA3FmozhAzH+q5ud1uMs7fCM+f+Iio1HEFRhWdYqYrKmD5VXldFqdCFrVicYKB1JgtIkSGuTLPp0ZY40Zf+JYPN8MxSLybqKMf/3bMVsI1bGyR471SLW71OqJ5o5kRzR0lawKdsk59q+1qAWTfOJiIx9aJD8RoSEKigHZTH/5DvPDpPqtzZ8oilwS8pra/bxX5jsQ5tbzWlWlJ6+t0pmmqN4/VPK9HXzzfPT18NWLvgRf+C7wtZpmGWcTL0OvzJKMEbShXklSpUrXHzf3v0+v96eSR9LSl2vnJ74RUl5gCmiihRjEfBK9K51Us1lz9OpxrBeSC7QO2A+P71SBOAp4gzBrcmm+eji3XDgag5cWjlPGkPOzYabyNmtFaL16dLVfLG599ih7xO9SqchbRaUoGlmhuK/ABCdXmGlFdmDhUlWOVqIyLHpSidpgjzw/txK1R8pEQJnozJWooZeiLfFuWOHdqCHxjM6IZzck3qRXxINQUa7hiUcg6kE1BMpE5yaeXnSfRfCaEq87xZs0JJ7RL8lTmZfvoS9lXteSl93u40me0VTzMg/1lHoQtiV6ZreiB/SzkLNQ7zTmHSOe9rXC7S3k/0RlgmIv/xaiC372672ERqvRifzUNbZjfupnSRo/s6LsHs1x8I3Evjh74V1zwhgJ91Zt5bcWHlqJycLtUnx5djlHnOSXC052b6B9K5NzbC+tnlP2mYqfBOnVwm+k88SA+ynxsq8q4EfNgoymhV92vvl/rLcc62Yf9qIXEMjoFS+AUsgbp54IqC+5ra5zFP2cV3k5zf2nMeW9vpu
2at6fdfpuGpytTu59tQKa7hD9UgJN2EfgsqV6xZy0pQW8WXy9ng4v/hcAvPkP</diagram></mxfile>
================================================
FILE: docs/assets/unicorn-model-state-machine.drawio
================================================
<mxfile host="Electron" modified="2024-11-12T17:35:30.054Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.5.1 Chrome/96.0.4664.110 Electron/16.0.7 Safari/537.36" etag="H7DxQGuZ2p2YCU2e7pUZ" version="16.5.1" type="device"><diagram id="Uj5UJ1iNXtTnnK9jLXeE" name="Page-1">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</diagram></mxfile>
================================================
FILE: docs/faq/general.md
================================================
# General FAQ
## Overview
#### What is Revizor? {#what-is-revizor}
: Revizor is a security-oriented fuzzer designed to detect microarchitectural information leaks in CPUs. It automatically generates random test programs, executes them on real hardware, and compares the observed behavior against a formal model to identify unexpected information leakage through side channels like those exploited by Spectre and Meltdown attacks.
#### Who is Revizor for? {#who-uses-revizor}
: Revizor is primarily designed for CPU security researchers and hardware vendors interested in identifying and mitigating microarchitectural vulnerabilities. It may also be useful for system developers and security professionals who want to assess the security of the hardware platforms they work with.
#### How does Revizor differ from other hardware fuzzers (e.g., SiliFuzz)? {#how-does-revizor-differ-from-other-hardware-fuzzers}
: Most of the existing hardware fuzzers focus on finding functional bugs, such as incorrect instruction execution or crashes. Revizor, on the other hand, is specifically designed to find security vulnerabilities related to microarchitectural side channels. It uses a model-based approach to define what information is allowed to leak and tests whether the CPU adheres to these specifications.
: See [Revizor at a Glance](../intro/01-overview.md) for a more detailed introduction.
#### How is Revizor different from constant-time testing tools (e.g., Microwalk)? {#how-does-revizor-differ-from-ct-testing-tools}
: Constant-time testing tools like Microwalk focus on verifying that software implementations do not leak sensitive information through timing variations. They analyze the execution of programs to ensure that their timing behavior is independent of secret data.
: Revizor, in contrast, tests the CPU hardware itself for microarchitectural information leaks. It tests whether the CPU behaves as expected, regardless of the software running on it.
#### What CPUs does Revizor support? {#supported-cpus}
: Revizor currently supports testing on x86-64 CPUs from Intel and AMD, as well as ARM CPUs.
#### Does Revizor detect only those leaks that are described in the contract? {#leaks-described-in-contract}
: No! It is a common misconception that Revizor can only find leaks that are explicitly described in the contract. In reality, it is the opposite: The contract defines what Revizor should *not* report as a leak, which allows the tool to filter out the known types of leakage and focus on finding unexpected leaks that violate the contract. This is how Revizor is able to discover new vulnerabilities even in completely black-box CPUs.
---
## Installing Revizor
#### What operating system is required to run Revizor? {#required-os}
: You will need Linux.
#### Do I need a specific Linux distribution/version? {#specific-linux-distro}
: No, Revizor should work on any reasonably recent Linux. If you encounter issues, that's most likely a bug that we would like to hear about. Please report any problems on our [GitHub Issues page](https://github.com/microsoft/side-channel-fuzzer/issues).
#### Does Revizor require root or administrator privileges? {#requires-root}
: Yes. Revizor's executor is implemented as a kernel module that requires loading into the kernel and accessing hardware performance counters. Both operations require root privileges. Additionally, some system configuration steps recommended for optimal performance (like disabling hyperthreading) require administrative access.
#### Can I run Revizor in a virtual machine? {#run-on-vms}
: Unfortunately, no. Revizor requires direct access to the CPU's PMU to accurately measure side-channel leakage. Running Revizor inside a virtual machine would introduce additional layers of abstraction and interference that could distort the measurements and lead to inaccurate results. You need to run Revizor on a bare-metal installation of Linux.
---
## Running Revizor
#### Can Revizor affect system stability? {#safety}
: Although extremely unlikely, Revizor could potentially affect the host operating system. Revizor executes randomly-generated code in kernel space, which means that a misconfiguration or bug can crash the system and potentially lead to data loss. However, it does not intentionally perform any operations that would damage hardware.
: You should never run Revizor on production machines or systems containing important data without backups. Always use a dedicated testing machine.
#### How long does it take to find a vulnerability? {#time-to-find}
: This varies significantly, based on the complexity of the experiment. Typical numbers range from minutes to weeks.
#### Can Revizor test my own assembly programs or does it only generate random ones? {#test-custom-programs}
: Yes, Revizor can test custom assembly programs using the `-t` flag. You can provide your own test case program in assembly format, and Revizor will execute it with randomly-generated inputs to check for contract violations. This is useful when you want to verify specific code patterns or investigate potential vulnerabilities in particular instruction sequences.
: See the [CLI Reference](../ref/cli.md) for details on the `-t` option.
#### How much computational resources does a typical fuzzing campaign require? {#resource-requirements}
: Resource requirements vary significantly based on the fuzzing configuration. A typical campaign runs continuously for hours to weeks. The primary variables affecting performance are the number of inputs per test case, sample sizes for hardware measurements, and the complexity of the ISA subset being tested. Larger sample sizes increase accuracy but reduce throughput. Most campaigns run on standard server or workstation hardware without specialized requirements beyond the supported CPU architecture.
: See [How to Design a Fuzzing Campaign](../howto/design-campaign.md) for guidance on balancing performance and detection effectiveness.
---
## Violations
#### Are false positives common? How does Revizor handle them? {#false-positives}
: No, unless it is misconfigured. Revizor uses a multi-stage filtering pipeline to eliminate false positives caused by noise and non-deterministic hardware behavior. This removes the vast majority of spurious violations. However, if Revizor is misconfigured (e.g., insufficient sample sizes), false positives can still occur due to noise in hardware measurements. These are relatively easy to identify as they tend to be unstable and non-reproducible.
: See [How to Interpret Violation Results](../howto/interpret-results.md#evaluating-violation-quality) for guidance on evaluating violation quality and handling false positives.
#### Can Revizor automatically generate exploits or proof-of-concept code? {#generate-exploits}
: No. Revizor detects violations of the leakage contract by identifying test cases where hardware behavior differs from the contract's predictions. While it provides the test program and inputs that trigger the violation, it does not automatically generate working exploits. The violation artifacts serve as evidence of unexpected leakage and a starting point for manual security analysis. You can use the minimization feature to simplify the test case, making it easier to understand and potentially develop into a proof-of-concept.
: See [How to Minimize Test Cases](../howto/minimize.md) for details on simplifying violations.
#### How do I know if a detected violation is actually exploitable? {#exploitability}
: Determining exploitability requires manual analysis of the violation. Start by reproducing the violation to confirm it's stable, then use the minimization feature to simplify the test case. Next, analyze the minimized program to understand what information is leaking and through which side channel. Root-cause analysis involves examining the assembly code, understanding the data dependencies, and determining whether an attacker could control the leaked information to extract sensitive data. Not all violations are practically exploitable, but all indicate deviation from the specified security contract.
: See [How to Root-Cause a Violation](../howto/root-cause-a-violation.md) for systematic analysis techniques.
#### Is Revizor deterministic? Can I reproduce results? {#reproducibility}
: Contract traces are fully deterministic—the same program with the same inputs always produces identical contract traces. Hardware traces, however, contain inherent non-determinism due to timing variations, cache state, and other microarchitectural effects. Revizor handles this through statistical analysis of multiple samples. Violations are reproducible when the same test program and inputs consistently show the same distributional differences in hardware traces. The violation artifact includes all necessary files (program, inputs, configuration) to reproduce detected violations, and Revizor provides a dedicated reproduce mode for verification.
: See [Execution Modes](../ref/modes.md) for details on the reproduce mode.
---
## Development and Contribution
#### Is Revizor actively maintained? {#maintenance-status}
: Yes. Revizor is actively maintained and continues to receive updates, bug fixes, and new features. The project has an active GitHub repository with recent commits and ongoing development.
#### Can I contribute to Revizor? {#contributing}
: Yes, we welcome contributions from the community! You can contribute by reporting issues, suggesting new features, improving documentation, or submitting code changes through pull requests. Please refer to our [Contribution Guidelines](../internals/index.md) for instructions on how to get started.
================================================
FILE: docs/glossary.md
================================================
# Glossary
This glossary defines key terms used throughout the Revizor documentation. The entries are ordered so that more fundamental concepts appear first, building up to more complex ideas. You should therefore be able to get a good understanding of the terminology by reading the glossary top-down.
---
####<a name="noninterference"></a>Noninterference
: A formal property that captures perfect confidentiality, stating that changes in secret data have no observable effect on public outputs. A program satisfies noninterference if variations in secret inputs cause no differences in public outputs. In Revizor's context, this property is checked with respect to side-channel observations and speculation contracts.
!!! info "Related Documentation"
- [Primer: Information-Flow Properties](intro/03-primer.md#information-flow-properties)
- [Primer: Noninterference Definition](intro/03-primer.md#noninterference-definition-and-examples)
---
####<a name="information-flow"></a>Information Flow
: The movement of data through a computation. Information-flow security is concerned with how data moves through a system and how it can be observed by an attacker. For example, if a program contains a data-dependent memory access `array[secret_index]`, the value of `secret_index` influences which memory location is accessed. In turn, if the attacker can observe the cache lines being accessed by this program, the execution of the array access will reveal (leak) information about `secret_index` through side channels. This creates an information flow from the secret data (`secret_index`) to the attacker's observations (cache state).
!!! info "Related Documentation"
- [Primer: Information-Flow Properties](intro/03-primer.md#information-flow-properties)
- [Primer: Side Channels](intro/03-primer.md#beyond-direct-outputs-side-channels)
---
####<a name="speculation-contract"></a>Speculation Contract (aka Leakage Contract)
: A formalization of how we expect the CPU to behave and what information we expect it to leak when any given program is executed. In practice, it is a simplified and deterministic model of CPU hardware designed to capture the information that a given program could leak over side channels when executed with given inputs. A speculation contract defines two key aspects for every instruction: an observation clause (describing what data is exposed) and an execution clause (describing how hardware optimizations like speculative execution affect the instruction). Speculation contracts intentionally overestimate possible leaks to ensure conservative and deterministic traces.
!!! info "Related Documentation"
- [Topic: Contracts](topics/contracts.md)
- [Primer: Speculation Contracts](intro/03-primer.md#speculation-contracts-dealing-with-the-complexity-of-modern-hardware)
- [How-to: Choose a Contract](howto/choose-contract.md)
---
####<a name="observation-clause"></a>Observation Clause
: Part of a speculation contract that specifies what information an instruction exposes through side channels when executed. For example, an observation clause might specify that a load instruction exposes the memory address it accesses.
!!! info "Related Documentation"
- [Topic: Contracts - Contract Structure](topics/contracts.md#contract-structure)
- [Primer: Speculation Contracts](intro/03-primer.md#speculation-contracts-dealing-with-the-complexity-of-modern-hardware)
---
####<a name="execution-clause"></a>Execution Clause
: Part of a speculation contract that specifies how hardware optimizations (particularly speculative execution) affect an instruction's semantics. For example, an execution clause might specify that a conditional branch may mispredict its target and execute down the wrong path.
!!! info "Related Documentation"
- [Topic: Contracts - Contract Structure](topics/contracts.md#contract-structure)
- [Primer: Speculation Contracts](intro/03-primer.md#speculation-contracts-dealing-with-the-complexity-of-modern-hardware)
---
####<a name="leakage-model"></a>Leakage Model
: An implementation of a speculation contract. This model is used to compare the actual CPU behavior against the specification defined by the contract. It predicts what information flow is allowed through side channels for any given test case.
!!! info "Related Documentation"
- [Topic: Leakage Models](topics/models.md)
- [Internals: Model Architecture](internals/architecture/model.md)
- [Internals: Unicorn Backend](internals/model-backends/model-unicorn.md)
- [Internals: DynamoRIO Backend](internals/model-backends/model-dr.md)
---
####<a name="contract-trace"></a>Contract Trace (CTrace)
: The output of a leakage model. A CTrace is a recording of all exposed information when a given program is executed on the leakage model (e.g., a sequence of memory addresses accessed). This trace represents the expected information flow according to the contract.
!!! info "Related Documentation"
- [Topic: Contracts - Contract Traces](topics/contracts.md#contract-traces)
- [Topic: Leakage Models - Trace Representation](topics/models.md#trace-representation)
- [Topic: Trace Analysis](topics/trace-analysis.md)
---
####<a name="executor"></a>Executor
: The component responsible for running programs on real hardware and collecting attacker-observable microarchitectural changes. This component acts as the counterpart to the leakage model; that is, while the model represents our expectations of the CPU behavior, the executor captures the actual behavior of the CPU under test.
!!! info "Related Documentation"
- [Internals: Executor Architecture](internals/architecture/exec.md)
- [Reference: Configuration Options](ref/config.md)
---
####<a name="hardware-trace"></a>Hardware Trace (HTrace)
: The output of the executor. An HTrace is a recording of microarchitectural state changes (like cache evictions, readings of the time stamp counter, etc.) observed during a program execution. These traces are used to capture the information flows on the CPU under test, both the expected and unexpected ones.
!!! info "Related Documentation"
- [Topic: Trace Analysis](topics/trace-analysis.md)
- [Internals: Executor Architecture](internals/architecture/exec.md)
---
####<a name="test-case-program"></a>Test Case Program
: A small assembly program, either generated automatically by Revizor or written manually by the user. Test case programs are intended to be executed on the target CPU to collect hardware traces, and on the leakage model to collect contract traces.
!!! info "Related Documentation"
- [Topic: Test Case Generation](topics/test-case-generation.md)
- [Internals: Code Generator Architecture](internals/architecture/code.md)
- [Reference: Binary Formats - RCBF](ref/binary-formats.md)
---
####<a name="test-case-data"></a>Test Case Data (aka Test Case Input)
: A blob of data used to initialize memory and registers for the execution of a test case program. Test case data can be generated automatically by Revizor or provided manually by the user.
!!! info "Related Documentation"
- [Topic: Test Case Generation](topics/test-case-generation.md)
- [Internals: Data Generator Architecture](internals/architecture/data.md)
- [Reference: Binary Formats - RDBF](ref/binary-formats.md)
---
####<a name="sandbox"></a>Sandbox (or Test Case Sandbox)
: An isolated execution environment where test case programs are run on the target CPU and on the model. On the technical level, a sandbox consists of a dedicated region of memory where the test case program and data are loaded, as well as a set of mechanisms to isolate the test case execution from the rest of the system (e.g., by disabling interrupts, overriding MSRs, etc.).
!!! info "Related Documentation"
- [Reference: Sandbox](ref/sandbox.md)
- [Reference: Registers](ref/registers.md)
---
####<a name="model-based-relational-testing"></a>Model-based Relational Testing (MRT)
: The core methodology of Revizor. It involves randomly generating test programs and inputs to them, executing them with the executor and the model, collecting the corresponding hardware and contract traces, identifying the information flows in both, and comparing them to find unexpected leaks.
!!! info "Related Documentation"
- [Primer: Model-Based Relational Testing](intro/03-primer.md#model-based-relational-testing-and-revizor)
- [Topic: Trace Analysis](topics/trace-analysis.md)
- [Internals: Fuzzer Architecture](internals/architecture/fuzz.md)
---
####<a name="violation"></a>Violation
: A situation where hardware traces expose some information that is not exposed in the contract traces for the same test case. This indicates that the CPU is leaking some information not specified by the contract, which may represent a security vulnerability.
!!! info "Related Documentation"
- [Topic: Trace Analysis](topics/trace-analysis.md)
- [Primer: Contract Violation](intro/03-primer.md#building-and-testing-speculation-contracts)
- [How-to: Root-Cause a Violation](howto/root-cause-a-violation.md)
---
####<a name="violation-artifact"></a>Violation Artifact (aka Contract Counterexample)
: A bundle consisting of a test case program, two inputs that trigger the violation (plus extra inputs to set the uarch state, if needed), the corresponding hardware and contract traces, and a collection of configuration files to reproduce the violation. Violation artifacts are generated automatically by Revizor when a violation is detected.
!!! info "Related Documentation"
- [Reference: Binary Formats](ref/binary-formats.md)
- [How-to: Root-Cause a Violation](howto/root-cause-a-violation.md)
- [How-to: Minimize Test Cases](howto/minimize.md)
---
####<a name="minimization"></a>Minimization
: A post-processing mode that takes a violation artifact and performs transformation passes to simplify the program and data while preserving the violation. The goal is to produce a minimal artifact that is easier to understand and analyze, using program passes (instruction removal/simplification), input passes (sequence/diff minimization), and analysis passes (source analysis).
!!! info "Related Documentation"
- [How-to: Minimize Test Cases](howto/minimize.md)
- [Reference: Minimization Passes](ref/minimization-passes.md)
- [Internals: Minimization Architecture](internals/architecture/mini.md)
---
####<a name="multi-stage-filtering"></a>Multi-stage Filtering
: A pipeline of validation stages applied to potential violations to rule out false positives. A violation must survive all stages to be reported.
!!! info "Related Documentation"
- [Internals: Fuzzer Architecture](internals/architecture/fuzz.md)
- [Reference: Configuration Options](ref/config.md)
---
####<a name="priming-test"></a>Priming Test
: One of the most important validation stages. It is motivated by the following problem: when hardware traces are collected for a sequence of many inputs, the execution of the program with earlier inputs will affect the microarchitectural state for later inputs (e.g., the branch predictor state). This can lead to false positives, where two inputs that should be indistinguishable according to the contract produce different hardware traces simply because they were executed in different microarchitectural states (e.g., one input triggered a misprediction while the other did not). These cases don't actually represent a violation because the difference in traces is not caused by the data difference, but rather by the sequence of executions.
The priming test mitigates this problem by re-executing the violating inputs in a different sequence, by swapping the order of inputs that trigger a violation. If the violation disappears when the order is swapped, it indicates that the difference in traces was due to inconsistent microarchitectural state rather than a true violation. Otherwise, we have evidence that the violation is genuine.
!!! info "Related Documentation"
- [Reference: Configuration Options - enable_priming](ref/config.md#enable_priming)
- [Internals: Fuzzer Architecture](internals/architecture/fuzz.md)
---
####<a name="contract-compliance"></a>Contract Compliance
: A CPU complies with a speculation contract if, for all possible programs and input pairs that produce identical contract traces, the corresponding hardware traces are also identical. This ensures that the contract captures all information that the hardware can leak. While testing all possible programs is infeasible, Revizor approximates this by randomly sampling the search space with a large number of test cases. Because this is sampling rather than exhaustive testing, a campaign that finds no violations is evidence of compliance, not a proof of it.
!!! info "Related Documentation"
- [Topic: Trace Analysis - Contract Compliance Property](topics/trace-analysis.md#contract-compliance-property)
- [Topic: Contracts - Contract Compliance](topics/contracts.md#contract-compliance)
- [Primer: Contract Compliance](intro/03-primer.md#building-and-testing-speculation-contracts)
---
####<a name="contract-equivalence-class"></a>Contract Equivalence Class (ContractEqClass)
: A group of inputs that produce identical contract traces for a given test case program. According to the leakage model, these inputs should be indistinguishable when executed.
!!! info "Related Documentation"
- [Topic: Trace Analysis - Deterministic Trace Comparison](topics/trace-analysis.md#deterministic-trace-comparison)
- [Internals: Analyser Architecture](internals/architecture/analysis.md)
---
####<a name="hardware-equivalence-class"></a>Hardware Equivalence Class (HardwareEqClass)
: A group of inputs that produce statistically similar hardware traces for a given test case program. These inputs are actually indistinguishable on real hardware.
!!! info "Related Documentation"
- [Topic: Trace Analysis - Statistical Trace Comparison](topics/trace-analysis.md#statistical-trace-comparison)
- [Internals: Analyser Architecture](internals/architecture/analysis.md)
---
####<a name="boosting"></a>Boosting (aka Contract-driven Input Generation)
: A data generation optimization technique that uses taint analysis to generate inputs more likely to trigger contract violations. The boosted generator identifies which input bytes affect the contract trace and generates new inputs by mutating the non-tainted bytes. This way, we can deterministically and efficiently create any number of inputs that produce the same contract trace (i.e., form one ContractEqClass), increasing the chances of finding violations.
!!! info "Related Documentation"
- [Internals: Data Generator Architecture](internals/architecture/data.md)
- [Reference: Configuration Options](ref/config.md)
---
####<a name="fuzzer"></a>Fuzzer
: The main orchestrator in Revizor that manages core components (CodeGenerator, DataGenerator, Model, Executor, and Analyser) and coordinates the fuzzing loop. When a potential violation is found, the Fuzzer runs it through a multi-stage filtering pipeline to eliminate false positives.
!!! info "Related Documentation"
- [Internals: Fuzzer Architecture](internals/architecture/fuzz.md)
- [Reference: Configuration Options](ref/config.md)
---
####<a name="analyser"></a>Analyser
: The component that compares contract traces with hardware traces to detect violations. It uses an equivalence class approach where it groups inputs by contract traces (ContractEqClasses) and then checks if they split into multiple hardware equivalence classes (HardwareEqClasses), which would indicate a violation.
!!! info "Related Documentation"
- [Topic: Trace Analysis](topics/trace-analysis.md)
- [Internals: Analyser Architecture](internals/architecture/analysis.md)
- [Reference: Configuration Options - analyser](ref/config.md)
---
####<a name="actor"></a>Actor
: A partition of the sandbox representing a distinct execution context with specific isolation properties (e.g., a VM). An actor encompasses a code region, a data region with configurable permissions, and an execution context (CPU mode, privilege level, and system configuration). Actors enable testing for information leaks across different security domains.
!!! info "Related Documentation"
- [Topic: Actors](topics/actors.md)
- [Reference: Sandbox](ref/sandbox.md)
---
####<a name="actor-non-interference"></a>Actor Non-Interference
: A specialized mode of testing in Revizor, where, on top of testing for standard contract violations, the tool also checks that there are no information flows between different actors in a multi-actor test case. This mode is used to verify isolation properties between security domains, ensuring that secret data in one actor does not influence observable behavior in another actor.
!!! info "Related Documentation"
- [Topic: Actors](topics/actors.md)
---
####<a name="observer-actor"></a>Observer Actor
: An actor marked as an observer in the configuration, representing an attacker that can observe data leaks in multi-actor testing scenarios. This is used in conjunction with the Actor Non-Interference mode to check that secret data in other actors does not influence the traces in the observer actor.
!!! info "Related Documentation"
- [Topic: Actors](topics/actors.md)
- [Reference: Configuration Options](ref/config.md)
---
####<a name="rcbf"></a>RCBF (Revizor Code Binary Format)
: A custom binary format used to transfer test case programs between Revizor components. The format contains a header, actor table, symbol table, metadata, and code sections for each actor.
!!! info "Related Documentation"
- [Reference: Binary Formats - RCBF](ref/binary-formats.md)
---
####<a name="rdbf"></a>RDBF (Revizor Data Binary Format)
: A custom binary format used to transfer input data between Revizor components. The format contains initialization data for sandbox memory and registers, and can combine multiple inputs into a single file for batch processing.
!!! info "Related Documentation"
- [Reference: Binary Formats - RDBF](ref/binary-formats.md)
---
####<a name="template"></a>Template
: An assembly file that combines regular assembly instructions with placeholders to define a test case structure for the code generator. Such templates are used in a special template mode of Revizor, where the programs are generated by populating the placeholders with random instructions instead of generating programs from scratch.
!!! info "Related Documentation"
- [How-to: Use Templates](howto/use-templates.md)
- [Reference: Configuration Options](ref/config.md)
---
####<a name="macro"></a>Macro
: A special pseudo-instruction in test case programs that can be treated differently depending on whether the test case is executed by the model or the executor. One prominent example is VM transition macros, which handle switching between actors. A special type of macro is also used to implement the placeholders in templates.
!!! info "Related Documentation"
- [How-to: Use Macros](howto/use-macros.md)
- [Reference: Macro Reference](ref/macros.md)
---
================================================
FILE: docs/howto/ask-a-question.md
================================================
# Ask a Question
If you have a question about Revizor, there are several ways to reach out to us:
* For **any questions, no matter how big or small,** feel free to post them in our community [Zulip chat](https://rvzr.zulipchat.com/) where the community and developers can assist you.
* Alternatively, you can start a discussion on our [GitHub Discussions page](https://github.com/microsoft/side-channel-fuzzer/discussions) (this is preferable for longer questions that may require more in-depth answers).
Bug reports should be submitted to our [GitHub Issues page](https://github.com/microsoft/side-channel-fuzzer/issues).
For general information about Revizor, please refer to our [FAQ](../faq/general.md) page.
================================================
FILE: docs/howto/choose-contract.md
================================================
# How to Choose a Contract
This guide helps you select the appropriate [contract](../glossary.md#speculation-contract) for your fuzzing campaign. The contract determines which microarchitectural leaks Revizor will report as violations, making it a critical configuration choice that affects both what you find and how efficiently you find it.
!!! note "Prerequisites"
Before choosing a contract, you should understand what contracts are and how they work. Read the [Contracts](../topics/contracts.md) topic guide if you need background on contract structure and purpose.
## Standard Fuzzing with CT-SEQ
Use CT-SEQ for most fuzzing campaigns. This contract assumes nothing about the target CPU except the presence of CPU caches, making it a zero-knowledge baseline for detecting unknown vulnerabilities. With CT-SEQ, Revizor reports any information leaks beyond the most trivial non-speculative cache accesses.
Configure CT-SEQ by setting the [observation clause](../glossary.md#observation-clause) to `ct` and the [execution clause](../glossary.md#execution-clause) to `seq`:
```yaml
# CT-SEQ: the `ct` observation clause combined with the `seq` execution clause.
contract_observation_clause: ct
contract_execution_clause:
- seq
```
CT-SEQ provides the strictest security guarantees and will detect the widest range of vulnerabilities. Start with this contract unless you have specific reasons to use a different one.
## Continuing After Finding a Violation
When you find a violation with CT-SEQ and want to continue testing for additional vulnerabilities, you have two approaches.
The simpler and more efficient approach is to blocklist the instruction that triggered the violation. Use the [`instruction_blocklist_append`](../ref/config.md#instruction_blocklist_append) configuration option to exclude specific instructions from testing. For example, if a branch misprediction caused the violation, blocklist all conditional branch instructions:
```yaml
# Keep the CT-SEQ contract unchanged.
contract_observation_clause: ct
contract_execution_clause:
- seq
# Exclude the instructions behind the already-reported violation from testing.
# Anything listed here is no longer tested at all, so keep the list as short as possible.
instruction_blocklist_append:
- jne
- je
# add other branch instructions
```
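This approach lets you continue using CT-SEQ's fast and efficient detection while avoiding repeated reports of the same root cause. The trade-off is coverage: blocklisted instructions are excluded from testing altogether, so any other leak that depends on them will go undetected as well.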
Alternatively, you can incorporate the newly discovered speculation source into the contract by switching to a different execution clause. For violations caused by branch mispredictions, switch to the COND execution clause:
```yaml
# CT-COND: speculation after branch mispredictions is modelled as expected
# behavior, so violations from that source are no longer reported.
contract_observation_clause: ct
contract_execution_clause:
- cond
```
The CT-COND contract models speculative execution from branch mispredictions as expected behavior. Revizor will no longer report violations from this source, allowing you to search for other types of leaks in the same instruction set.
## Testing with Exceptions
If your fuzzing campaign includes code that may raise exceptions such as page faults or general protection faults, these exceptions will likely cause trivial violations under CT-SEQ. Modern CPUs implement out-of-order execution, which means instructions after a faulting instruction may begin executing before the CPU recognizes the exception. These subsequent instructions can leak information not predicted by CT-SEQ's strictly sequential model.
These violations typically represent known artifacts of out-of-order execution rather than genuine security issues. To suppress such trivial reports, use the CT-DEH contract instead. This contract models delayed exception handling, allowing instructions after a faulting instruction to execute transiently before the exception is handled:
```yaml
contract_observation_clause: ct
contract_execution_clause:
- deh
```
CT-DEH remains strict about other speculation sources while accommodating the expected behavior around exceptions.
## Testing Cross-Domain Isolation
When testing isolation between security domains such as kernel versus user mode or host versus guest execution, use the Actor Non-Interference contract (CT-NI). This contract changes the security property being tested. Instead of only checking that inputs with identical [contract traces](../glossary.md#contract-trace) produce equivalent [hardware traces](../glossary.md#hardware-trace), CT-NI adds an additional requirement: the hardware traces observed by attacker actors must not depend on data from victim actors.
Configure CT-NI with the following observation clause:
```yaml
contract_observation_clause: ct-ni
```
You must also configure actors properly, designating which actors are observers (attackers) and which are victims. See [Actors](../topics/actors.md) for details on actor configuration.
## Investigating Known Vulnerabilities
When investigating variants of known vulnerabilities, use a contract that models the specific vulnerability class you are studying.
For Spectre V1 variant analysis, use the COND execution clause to model branch mispredictions as expected behavior:
```yaml
contract_observation_clause: ct
contract_execution_clause:
- cond
```
This configuration lets you explore whether other instructions or gadget patterns can be exploited through branch misprediction without being distracted by the original Spectre V1 finding.
For other vulnerability classes, choose the execution clause that models the corresponding speculation mechanism. See the [Configuration Reference](../ref/config.md#contract_execution_clause) for a list of available execution clauses and their intended use cases.
## What's Next?
- Topic: [Contracts](../topics/contracts.md) - Understanding contract structure and behavior
- How-to: [Design a Fuzzing Campaign](design-campaign.md) - Complete campaign planning including contract selection
- Reference: [Configuration Options](../ref/config.md) - Complete list of contract and configuration parameters
- Glossary: [Contract](../glossary.md#speculation-contract), [Observation Clause](../glossary.md#observation-clause), [Execution Clause](../glossary.md#execution-clause)
================================================
FILE: docs/howto/design-campaign.md
================================================
# How to Design a Fuzzing Campaign
This guide shows you how to design and configure a fuzzing campaign for detecting speculative execution vulnerabilities. A campaign consists of three components: a configuration file (YAML), command-line arguments, and optionally a template file (ASM).
!!! note "Prerequisites"
- Revizor installed and the executor kernel module loaded
- Basic understanding of [contracts](../topics/contracts.md) and what you want to test
## Select Instruction Set
Choose which instruction subset to test. Smaller subsets are more effective because violations are found faster and root-cause analysis is simpler. For comprehensive ISA coverage, split testing into multiple targeted campaigns rather than running a single large campaign.
Specify instruction categories in your configuration file using `instruction_categories`:
```yaml
instruction_categories:
- BASE-BINARY # arithmetic instructions
- BASE-STRINGOP # string operations
- BASE-LOGIC # logical operations
```
Verify which instructions are included by enabling debug logging:
```yaml
logging_modes: ['info', 'stat', 'dbg_generator']
```
For fine-grained control over the instruction set, see the [Configuration Reference](../ref/config.md#instruction_categories).
## Configure Exception Testing
Enable exception testing using the `faults_allowlist` option:
```yaml
faults_allowlist:
- div-by-zero # division by zero exceptions
```
Ensure the corresponding instructions are included in your instruction set. For example, `div-by-zero` requires division instructions in the tested pool.
For testing Meltdown or Foreshadow-like vulnerabilities, configure memory access permissions through actor-specific `data_properties` and `data_ept_properties`:
```yaml
actors:
- main:
data_properties:
present: false # trigger page faults
writable: false # trigger write protection faults
```
See the [Sandbox Reference](../ref/sandbox.md) for details on memory permissions and the [Configuration Reference](../ref/config.md#faults_allowlist) for all exception handling options.
## Configure Actors for Multi-Domain Testing
For cross-domain leakage testing, define [actors](../glossary.md#actor) to represent different security domains:
```yaml
actors:
- main:
mode: host
privilege_level: kernel
- guest:
mode: guest
privilege_level: kernel
observer: true
```
Create corresponding template files to specify transition sequences between actors. See [Actors](../topics/actors.md) for detailed instructions.
## Select Contract
Choose a [contract](../glossary.md#speculation-contract) that defines what execution behavior constitutes a violation. Contract selection depends on whether you are testing cross-domain leakage and which known vulnerabilities you want to filter out.
For detailed guidance on selecting the appropriate contract for your testing scenario, see [How to Choose a Contract](choose-contract.md).
Example configuration:
```yaml
contract_observation_clause: ct
contract_execution_clause:
- seq
```
See the [Configuration Reference](../ref/config.md#contract_observation_clause) for all available contract options.
## Configure Noise Threshold
Adjust noise tolerance based on your system characteristics. Higher thresholds and larger sample sizes reduce false positives but may miss subtle leaks and decrease performance. Lower thresholds increase sensitivity but may produce false positives on noisy systems.
For high-noise systems:
```yaml
analyser_stat_threshold: 0.5 # conservative threshold
executor_sample_sizes: [50, 100, 500, 1000]
```
For low-noise systems:
```yaml
analyser_stat_threshold: 0.1 # sensitive threshold
executor_sample_sizes: [10, 50, 100]
```
Start with low-noise settings and increase thresholds if you encounter non-reproducible violations. See the [Trace Analysis Guide](../topics/trace-analysis.md#statistical-trace-comparison) for more information on noise handling.
## Enable Reproducibility
Set deterministic seeds to make the campaign reproducible:
```yaml
program_generator_seed: 12345 # deterministic program generation
data_generator_seed: 67890 # deterministic input generation
```
Reproducible campaigns are essential for debugging and comparing results across different runs.
## Configure Test Case Shape
Control the structure of generated test cases:
```yaml
program_size: 64 # instructions per program
avg_mem_accesses: 32 # average memory accesses
min_bb_per_function: 1 # minimum basic blocks per function
max_bb_per_function: 2 # maximum basic blocks per function
min_successors_per_bb: 1 # minimum successors per basic block
max_successors_per_bb: 1 # maximum successors per basic block
```
Larger programs may find more complex interactions but require longer analysis time. Start with smaller programs and increase size if needed.
## Use Templates for Targeted Testing
Use templates when targeting specific microarchitectural scenarios. Templates define fixed assembly structures with random instruction insertion, allowing you to focus on specific patterns while maintaining variability.
Example template:
```asm
.section .data.main
.function_main_0:
# Fixed initialization
mov rax, 0
# Random instruction sequence
.macro.random_instructions.32.0:
# Fixed measurement
.macro.measurement_start:
mov rbx, [r14]
.macro.measurement_end:
.test_case_exit:
```
See [How to Use Templates](use-templates.md) for detailed template syntax and the [Macro Reference](../ref/macros.md) for available macros.
## Complete Example
This campaign tests whether division-by-zero exceptions cause unexpected information leakage on the target CPU. It focuses on simple arithmetic instructions to isolate exception handling behavior and answers the question: "Does division by zero on this CPU leak information through microarchitectural side channels?"
The configuration assumes a CPU with relatively low non-determinism, using moderate sample sizes and a conservative statistical threshold. The campaign uses the DEH (Delayed Exception Handling) contract to filter out trivial cases of out-of-order handling of the exception. Test cases are kept small (32 instructions, no branches) to simplify analysis and accelerate violation detection. Each campaign iteration generates 100 different inputs per test case to explore various data-dependent behaviors around division operations.
```yaml
# Instruction selection
instruction_categories:
- BASE-BINARY
# Exception handling
faults_allowlist:
- div-by-zero
# Contract
contract_observation_clause: ct
contract_execution_clause:
- deh
# Noise handling
analyser_stat_threshold: 0.2
executor_sample_sizes: [10, 50, 100, 500]
# Reproducibility
program_generator_seed: 12345
data_generator_seed: 67890
# Test case shape: 32 instructions with no branches
program_size: 32
avg_mem_accesses: 16
min_bb_per_function: 1
max_bb_per_function: 1
# Single actor
actors:
- main:
mode: host
privilege_level: kernel
data_properties: # no page faults
present: true
writable: true
# Debugging
logging_modes: ['info', 'stat', 'dbg_generator']
```
Launch the campaign:
```bash
rvzr fuzz -s base.json -c config.yaml -n 100000 -i 100 -w ./violations --timeout 3600
```
## What's Next?
- How-to: [Choose a Contract](choose-contract.md) - Select the appropriate contract for your testing scenario
- How-to: [Use Templates](use-templates.md) - Create targeted test cases
- How-to: [Interpret Results](interpret-results.md) - Understand fuzzing output
- Topic: [Actors](../topics/actors.md) - Configure multi-domain testing
- Topic: [Contracts](../topics/contracts.md) - Understanding leakage contracts
- Topic: [Test Case Generation](../topics/test-case-generation.md) - How test cases are generated
- Reference: [Configuration Options](../ref/config.md) - Complete configuration reference
- Reference: [CLI Reference](../ref/cli.md) - Command-line interface reference
================================================
FILE: docs/howto/interpret-results.md
================================================
# How to Interpret Violation Results
So you've run a fuzzing campaign and found a violation. Now what?
This guide helps you understand and validate violations detected by Revizor. It explains the structure of violation artifacts, how to reproduce violations, and how to interpret the output to determine whether a violation is genuine and worth investigating.
!!! info "Prerequisites"
Before starting, ensure you have:
- Revizor installed and functional on the target system
- A violation directory (`violation-<timestamp>`) produced during fuzzing
- The configuration file (`config.yaml`) used in the original fuzzing campaign
- Access to the same hardware where the violation was detected
## Violation Message
When Revizor detects a violation during fuzzing, it prints a summary message to the console similar to this:
```plaintext
(venv-3.12) main ➜ revizor ./revizor.py fuzz -s base.json -c demo/detect-v1.yaml -n 1000 -i 100 -w ./
INFO: [prog_gen] Setting program_generator_seed to random value: 599740
INFO: [fuzzer] Starting at 15:39:42
17 ( 2%)| Stats: Cls:0/0,In:200,R:7,SF:10,OF:7,Fst:0,CN:0,CT:0,P1:0,CS:0,P2:0,V:0> Priming 27 . to 500
================================ Violations detected ==========================
Violation Details:
-----------------------------------------------------------------------------------
HTrace | ID:92 | ID:192|
-----------------------------------------------------------------------------------
^...^...................^...........^.........^................. | 497 | 0 |
^...^........................................................... | 3 | 2 |
^^..^...........................................^.........^..... | 0 | 498 |
================================ Statistics ===================================
Test Cases: 18
Inputs per test case: 200.0
Violations: 1
Effectiveness:
Total Cls: 98.0
Effective Cls: 98.0
Discarded Test Cases:
Speculation Filter: 10
Observation Filter: 7
Fast Path: 0
Max Nesting Check: 0
Tainting Check: 0
Early Priming Check: 0
Large Sample Check: 0
Priming Check: 0
Duration: 40.5
Finished at 15:40:23
```
Most of the output is statistics, and they are mostly irrelevant for interpreting the violation itself. You can find a detailed explanation of the runtime statistics in the [Statistics Reference](../ref/runtime-statistic.md).
The relevant part for interpreting the violation is the `Violation Details` section:
```
-----------------------------------------------------------------------------------
HTrace | ID:92 | ID:192|
-----------------------------------------------------------------------------------
^...^...................^...........^.........^................. | 497 | 0 |
^...^........................................................... | 3 | 2 |
^^..^...........................................^.........^..... | 0 | 498 |
```
This section summarizes the hardware trace samples recorded for the inputs that triggered the violation.
Let's break it down.
### Violating Inputs
```
| ID:92 | ID:192|
```
This block tells us which inputs produced the violation. In this case, it's inputs 92 and 192. You can find them in the violation artifact directory as `input_92.bin` and `input_192.bin`.
### Hardware Traces
```
^...^...................^...........^.........^.................
^...^...........................................................
^^..^...........................................^.........^.....
```
This block shows a visual representation of all observed hardware traces for these inputs. In this example, we used Revizor's default P+P (Prime+Probe) cache side channel tracer, which records the state of L1D cache after a test case execution. The `^` character indicates that a cache line was accessed (evicted by the test case program), while the `.` character indicates that the cache line was not accessed. The complete line is a bitmap of all 64 L1D cache sets available on the target machine, numbered left to right from 0 to 63.
Accordingly, the first line is interpreted as follows:
```
Set 4 accessed Set 36 accessed
| | Set 46 accessed
| | |
^...^...................^...........^.........^.................
| |
Set 0 accessed Set 24 accessed
```
meaning that cache sets with IDs 0, 4, 24, 36, and 46 were accessed in this hardware trace.
!!! tip "Colors!"
Enable `color: true` in the configuration file to improve readability of hardware trace visualizations.
### Trace Distribution
```
... | 497 | 0 |
... | 3 | 2 |
... | 0 | 498 |
```
Finally, this block shows the [statistical distribution](../topics/trace-analysis.md#statistical-trace-comparison) of hardware traces for each input. For example, input 92 produced the first hardware trace 497 times (out of the total of 500 measurements), while input 192 never produced that trace. Instead, input 192 produced the third hardware trace 498 times.
### Analysis
By looking at this table, we can deduce two important facts about the violation:
1. There is a clear difference in the sample distributions for the two inputs. This indicates a genuine violation rather than random noise.
2. The dominant (most frequently observed) hardware traces for the two inputs have evicted distinct sets of cache lines. This is an indirect clue that the test case had a data-dependent memory access pattern that was not predicted by the contract (likely due to speculative execution).
## Violation Artifact
When Revizor detects a violation, it creates a directory named `violation-<timestamp>`, with the following structure:
```
violation-<timestamp>/
├── program.asm
├── input_0.bin
├── input_1.bin
├── ...
├── report.txt
├── org-config.yaml
├── reproduce.yaml
└── minimize.yaml
```
The `program.asm` file holds the test case program that triggered the violation. The `input_*.bin` files contain the input sequence that exposed the leak. The `report.txt` file provides additional details including hardware and contract traces. The configuration files include `org-config.yaml` (the original configuration), `reproduce.yaml` (for reproducing the violation), and `minimize.yaml` (for test case minimization).
Before proceeding with analysis, locate this directory and verify that all required files are present.
## Reproducing the Violation
It is usually a good idea to first reproduce the violation outside of the fuzzing campaign. This confirms that the violation is stable and not a transient artifact of noise or a misconfiguration of the fuzzer.
```bash
rvzr reproduce -s base.json -c ./violation-<timestamp>/reproduce.yaml \
-t ./violation-<timestamp>/program.asm -i ./violation-<timestamp>/input_*.bin
```
If Revizor prints "Violation detected" in the output, the violation reproduced successfully. The distribution of hardware traces should roughly match the original violation. Significant differences may indicate a bug or misconfiguration in the fuzzer (e.g., random seeds).
Non-reproducible violations should be rare, typically no more than one or two per machine per week of fuzzing. If your campaign produces more, adjust the configuration file to increase noise tolerance. See the [configuration options reference](../ref/config.md) for details on noise-related parameters.
## Evaluating Violation Quality
Several factors determine whether a violation is worth investigating further.
*Reproducibility* is the most important criterion. Violations that consistently reproduce across multiple runs indicate stable, genuine leaks. Sporadic violations that appear and disappear may be false positives caused by noise. In such cases, consider adjusting noise tolerance settings ([`analyser_stat_threshold`](../ref/config.md#analyser_stat_threshold) and/or [`executor_sample_sizes`](../ref/config.md#executor_sample_sizes)) in the configuration file and rerunning the fuzzing campaign.
*Trace distribution* provides additional insight. Clean violations show clear separation between inputs with consistent occurrence counts. Messy violations with overlapping traces or highly variable counts suggest non-determinism and may be harder to analyze. In such cases, consider collecting more samples per input by increasing the [`executor_sample_sizes`](../ref/config.md#executor_sample_sizes) configuration option (note: this will slow down fuzzing).
Finally, *the hardware trace pattern* can be informative as well. There is no hard rule here, but if you see lots of accessed cache sets while the configuration is supposed to limit the number of memory accesses to only a few, that may indicate that some CPU feature creates additional noise, beyond the ability of the statistical analyzer to filter it out. In practice, this is often due to prefetchers. It is typically a good idea to disable them, unless you are specifically testing for prefetcher-related leaks.
## Next Steps
Once you have confirmed that a violation is reproducible and worth investigating, proceed to minimize the violation artifacts and root-cause the leak. See the [How to Minimize Test Cases](minimize.md) and [How to Root-Cause a Violation](root-cause-a-violation.md) guides for detailed instructions.
## See Also
- [How to Root-Cause a Violation](root-cause-a-violation.md) - Systematic analysis of confirmed violations
- [How to Design a Fuzzing Campaign](design-campaign.md) - Tuning fuzzer parameters for better results
- [How to Minimize Test Cases](minimize.md) - Simplifying violation artifacts for analysis
- [Configuration Options](../ref/config.md) - Detailed configuration parameter reference
- [Execution Modes](../ref/modes.md) - Understanding reproduce mode and other execution modes
- [Trace Analysis and Violation Detection](../topics/trace-analysis.md) - How Revizor detects and analyzes violations
- [Contracts and Leakage Models](../topics/contracts.md) - Understanding contract semantics
================================================
FILE: docs/howto/minimize.md
================================================
# How to Minimize Test Cases
This guide discusses the process of test case minimization, which aims to reduce the complexity of violation artifacts by simplifying test programs and input sequences while preserving the violation. This is typically a post-processing step performed after a fuzzing campaign has detected a violation, with the goal of producing a minimal test case suitable for human analysis and root-cause investigation.
The minimization is done by using Revizor's `minimize` mode, which post-processes a violation through a series of transformation passes that simplify both the test program and input sequence.
!!! note "Related Documentation"
For a complete list of available passes and their detailed descriptions, see the [Minimization Passes reference](../ref/minimization-passes.md).
!!! info "Prerequisites"
Before starting, ensure you have:
- Revizor installed and functional on the target system
- A violation directory (`violation-<timestamp>`) produced during fuzzing
- The configuration file (`config.yaml`) used in the original fuzzing campaign
- Access to the same hardware where the violation was detected
## Basic Usage
Run the minimizer with the following syntax:
```bash
rvzr minimize -s <spec_file> -c <config_file> -t <program_file> -o <output_file> \
-i <num_inputs> --input-outdir <input_outdir> --num-attempts <num_attempts> \
[pass_options]
```
Parameters:
- `-s`: Path to ISA specification (e.g., `base.json`)
- `-c`: Path to configuration file (typically `minimize.yaml` from violation directory)
- `-t`: Path to test program (typically `program.asm` from violation directory)
- `-o`: Output path for minimized program
- `-i`: Number of inputs in the sequence (must match the original fuzzing campaign)
- `--input-outdir`: Directory to store minimized input files
- `--num-attempts`: Number of minimization iterations to perform
- `[pass_options]`: Enable specific minimization passes (see [Minimization Passes](../ref/minimization-passes.md))
Example command (assuming a violation directory named `violation-0000-0000`):
```bash
rvzr minimize -s base.json -c violation-0000-0000/minimize.yaml -t violation-0000-0000/program.asm \
-i 25 --input-outdir ./min-inputs --num-attempts 10 --enable-instruction-pass 1 \
-o min.asm
```
This command generates an input sequence of 25 inputs based on the seed in `violation-0000-0000/minimize.yaml`, applies the instruction removal pass 10 times to simplify `program.asm`, and writes the minimized program to `min.asm`. The simplified input sequence is stored in `./min-inputs`.
## Interpreting the Output
Each minimization pass prints progress indicators to the console as it executes. Understanding this output helps verify that minimization is progressing correctly.
### Program Pass Output
Program passes display one character per instruction to indicate success or failure:
- `.` indicates the pass succeeded on this instruction (e.g., instruction was successfully removed)
- `-` indicates the pass failed on this instruction (e.g., removing this instruction breaks the violation)
Example output when running `--enable-instruction-pass`:
```
[Pass 2] Instruction Removal Pass
.............-.....--.-------..----
```
Because the pass iterates from the end of the program to the beginning, the characters appear in reverse program order: the first (leftmost) character corresponds to the last instruction. In this example, the pass successfully removed the last 13 instructions, failed on the 14th instruction from the end, succeeded on the 15th, and so on.
### Input Pass Output
The `input-diff` pass uses a memory-map visualization to show minimization progress. Each character represents one byte in the input sequence:
- `.` indicates zeroing the byte succeeded
- `+` indicates copying the byte from the first input to the second succeeded
- `=` indicates the byte was already identical in both inputs
- `^` indicates the pass could not minimize this byte (it remains different between inputs)
Example output from `--enable-input-diff-pass`:
```
Address +0x0 +0x40 +0x80 +0xc0 +0x100 +0x140 +0x180 +0x1c0
0x00000000 ........ ........ ........ ........ ........ ........ ........ ........
0x00000200 ........ ........ ........ ........ ........ ........ ........ ........
0x00000400 ........ ........ ........ ........ ........ ........ ........ ........
0x00000600 ........ ........ ........ ........ ........ ........ ........ ........
0x00000800 ........ ........ ........ ........ ........ ........ ........ ........
0x00000a00 ........ ........ ........ ........ ........ ........ ........ ........
0x00000c00 ........ ........ ........ ........ ........ ........ ........ ........
0x00000e00 ........ ........ ........ ........ ........ ........ ........ ........
0x00001000 ........ ........ ........ ........ ........ ........ ........ ........
0x00001200 ........ ........ ........ ........ ........ ........ ........ ........
0x00001400 ........ ........ ........ ........ ........ ........ ........ ........
0x00001600 ........ ........ ........ ........ ........ ........ ........ ........
0x00001800 ........ ........ ........ ........ ........ ........ ........ ........
0x00001a00 ........ ........ ........ ........ ........ ........ ........ ........
0x00001c00 ........ ........ ........ ........ ........ ........ ........ ........
0x00001e00 ........ ........ ........ ........ ........ ........ ........ ........
0x00002000 ====^=..
0x00002040 ........ ........ ........ ........
> Result: Leaked 1 bytes
> Addresses: ['0x2020']
```
This output shows that the pass successfully minimized most input differences. The byte at address `0x2020` (marked with `^`) remains different between the two inputs and likely contributes to the violation. Bytes at addresses `0x2000-0x2018` and `0x2028` (marked with `=`) were already identical.
### Comment Pass Output
Enable `--enable-comment-pass` to annotate the minimized program with analysis information. The pass inserts comments indicating which memory accesses contributed to the violation, making it easier to identify the root cause.
Comment format:
```
# mem access: [input1_id] [load_addr]-[store_addr]
CL [cache_set_id]:[cache_line_offset] | [input2_id] [load_addr]-[store_addr]
CL [cache_set_id]:[cache_line_offset]
```
Each comment shows the memory addresses accessed by an instruction when executed with the two inputs that triggered the violation. The comment includes both virtual addresses and their corresponding L1D cache set IDs and line offsets.
Example comment:
```asm
# mem access: [1] 0x800-0x800 CL 32:0 | [11] 0x710-0x710 CL 28:10
```
This indicates that when executed with input 1, the instruction accessed address `0x800` (cache set 32, offset 0), and when executed with input 11, it accessed address `0x710` (cache set 28, offset 10). These different cache set accesses likely contributed to the violation.
## Complete Workflow Example
This example demonstrates a typical minimization workflow. Assume a fuzzing campaign detected a violation:
```bash
rvzr fuzz -s base.json -c config.yaml -n 1000 -i 25 -w .
```
The fuzzer created a violation directory (e.g., `violation-000000-000000`) containing the test case artifacts.
### Step 1: Minimize the Program
Apply all program passes to simplify the test case while preserving the violation:
```bash
rvzr minimize -s base.json -c ./violation-000000-000000/minimize.yaml \
-t ./violation-000000-000000/program.asm \
-o min.asm -i 25 --num-attempts 3 \
--enable-instruction-pass 1 \
--enable-simplification-pass 1 \
--enable-nop-pass 1 \
--enable-constant-pass 1 \
--enable-mask-pass 1 \
--enable-label-pass 1
```
### Step 2: Verify Program Minimization
Confirm the minimized program still triggers the violation:
```bash
rvzr fuzz -s base.json -c ./violation-000000-000000/minimize.yaml -t min.asm -i 25
```
If the violation is no longer detected, reduce `--num-attempts` or disable some passes, then retry step 1.
### Step 3: Minimize Inputs and Add Annotations
Apply input passes and analysis passes to further simplify the test case and add helpful comments:
```bash
rvzr minimize -s base.json -c ./violation-000000-000000/minimize.yaml \
-t min.asm -o commented.asm -i 25 \
--input-outdir ./inputs \
--enable-input-diff-pass 1 \
--enable-input-seq-pass 1 \
--enable-comment-pass 1
```
### Step 4: Verify Complete Minimization
Reproduce the violation with the minimized program and inputs:
```bash
rvzr reproduce -s base.json -c ./violation-000000-000000/reproduce.yaml \
-t commented.asm -i ./inputs/min_input*.bin
```
If successful, the minimized test case in `commented.asm` and `./inputs/` is ready for detailed analysis. The annotated comments will help identify the root cause of the violation.
!!! tip "Troubleshooting Failed Minimization"
If minimization breaks the violation, try these adjustments:
- Reduce `--num-attempts` to perform fewer iterations
- Disable aggressive passes like `--enable-simplification-pass`
- Minimize the program before minimizing inputs
- Check that `data_generator_seed` matches the original fuzzing campaign
## What's Next?
Once a violation is minimized, the next step is typically to analyze it manually to understand the root cause. The [How to Root-Cause a Violation](root-cause-a-violation.md) guide is dedicated to this topic.
## See Also
- [Minimization Passes](../ref/minimization-passes.md) - Complete list of available passes and their options
- [CLI Reference](../ref/cli.md) - Full command-line interface documentation
- [Execution Modes](../ref/modes.md) - Overview of all Revizor execution modes
- [Configuration Options](../ref/config.md) - Configuration file reference including `data_generator_seed`
- [How to Design a Fuzzing Campaign](design-campaign.md) - Set up effective fuzzing campaigns
- [How to Interpret Results](interpret-results.md) - Understand fuzzing outputs and violation reports
- [Trace Analysis and Violation Detection](../topics/trace-analysis.md) - Understanding how violations are detected
================================================
FILE: docs/howto/root-cause-a-violation.md
================================================
# How to Root-Cause a Violation
This guide discusses in detail how to identify the root cause of confirmed contract violations. It shows a typical workflow and some useful techniques for analyzing violation artifacts and isolating the specific CPU behavior that leads to information leakage.
!!! warning "Art, Not Science"
Root-causing violations is more art than science. The techniques described here are not guaranteed to work in every situation because violations can arise from a wide variety of complex CPU behaviors. Use your intuition and knowledge of microarchitecture to guide your analysis. Experiment with different approaches and document what works best for you.
!!! info "Prerequisites"
This guide assumes you have already finished a [fuzzing campaign](design-campaign.md) and [minimized the violation artifacts](minimize.md).
## Locate the Violation Files
We will explore the root-cause analysis through a concrete example. The example will demonstrate a CT-SEQ contract violation on an x86-64 CPU.
We will be working with:
- The violation artifact in `violation-0000-0000/` produced during fuzzing
- A minimized version of the violation program in `min.asm` produced by the minimizer
- A set of minimized input files in `./inputs/min_input_*.bin` produced by the minimizer
- The configuration file `config.yaml` used during fuzzing
## Gather Insights from Minimizer
A good starting point is to examine the output of the minimizer, especially from input minimization passes. These passes attempt to reduce the differences between inputs that trigger the violation, and thus they often highlight the specific data values that leak and that impact the violation.
Below is an example of the printed summary from the differential input minimizer:
```
[PASS 2] Differential Input Minimizer
> Minimizing the difference between inputs 1 and 11
Address +0x0 +0x40 +0x80 +0xc0 +0x100 +0x140 +0x180 +0x1c0
0x00000000 ........ ........ ........ ........ ........ ........ ........ ........
0x00000200 ........ =....... ........ ........ ........ ........ ........ ........
0x00000400 ........ ........ ........ ........ ........ ........ ........ ........
0x00000600 ........ ........ ........ ........ ........ ........ ........ ........
0x00000800 ........ ........ ........ ........ ........ ........ ........ ........
0x00000a00 ........ ........ ........ ........ ........ ........ ........ ........
0x00000c00 ........ ........ ........ ........ ........ ........ ........ ........
0x00000e00 ........ ........ ........ ........ ........ ........ ........ ........
0x00001000 ........ ........ ........ ........ ........ ........ ........ ........
0x00001200 ........ ........ ........ .
gitextract_198ykafh/
├── .editorconfig
├── .github/
│ ├── CODEOWNERS
│ └── workflows/
│ ├── kmodule-build.yaml
│ └── python-lint-and-test.yaml
├── .gitignore
├── .gitmodules
├── .pylintrc
├── AUTHORS
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── SECURITY.md
├── demo/
│ ├── README.md
│ ├── big-fuzz.yaml
│ ├── detect-foreshadow.yaml
│ ├── detect-mds.yaml
│ ├── detect-sco.yaml
│ ├── detect-v1-store.yaml
│ ├── detect-v1-var.yaml
│ ├── detect-v1.yaml
│ ├── detect-v4.yaml
│ ├── detect-zdi.yaml
│ ├── tsa-l1d/
│ │ ├── config.yaml
│ │ └── template.asm
│ └── tsa-sq/
│ ├── config.yaml
│ └── template.asm
├── docs/
│ ├── assets/
│ │ ├── branches.drawio
│ │ ├── dr-instrumentation.drawio
│ │ ├── dr-model.drawio
│ │ ├── fuzzing-flow.drawio
│ │ ├── tsa-sq-template.drawio
│ │ └── unicorn-model-state-machine.drawio
│ ├── faq/
│ │ └── general.md
│ ├── glossary.md
│ ├── howto/
│ │ ├── ask-a-question.md
│ │ ├── choose-contract.md
│ │ ├── design-campaign.md
│ │ ├── interpret-results.md
│ │ ├── minimize.md
│ │ ├── root-cause-a-violation.md
│ │ ├── use-macros.md
│ │ └── use-templates.md
│ ├── index.md
│ ├── internals/
│ │ ├── architecture/
│ │ │ ├── analysis.md
│ │ │ ├── code.md
│ │ │ ├── data.md
│ │ │ ├── exec.md
│ │ │ ├── fuzz.md
│ │ │ ├── isa.md
│ │ │ ├── logging.md
│ │ │ ├── mini.md
│ │ │ ├── model.md
│ │ │ └── overview.md
│ │ ├── code-structure.md
│ │ ├── contributing/
│ │ │ ├── code-style.md
│ │ │ ├── general.md
│ │ │ ├── git.md
│ │ │ └── overview.md
│ │ ├── index.md
│ │ └── model-backends/
│ │ ├── model-dr.md
│ │ └── model-unicorn.md
│ ├── intro/
│ │ ├── 01-overview.md
│ │ ├── 02-install.md
│ │ ├── 03-primer.md
│ │ ├── 04-tutorials.md
│ │ ├── start-here.md
│ │ └── tutorials/
│ │ ├── 01-first-fuzz.md
│ │ ├── 02-first-vuln.md
│ │ ├── 03-faults.md
│ │ ├── 04-isolation.md
│ │ ├── 05-extending.md
│ │ └── tsa-sq.md
│ ├── ref/
│ │ ├── artifact-file-formats.md
│ │ ├── binary-formats.md
│ │ ├── cli.md
│ │ ├── config.md
│ │ ├── index.md
│ │ ├── macros.md
│ │ ├── minimization-passes.md
│ │ ├── modes.md
│ │ ├── papers.md
│ │ ├── registers.md
│ │ ├── runtime-statistic.md
│ │ └── sandbox.md
│ ├── structure.md
│ ├── stylesheets/
│ │ └── extra.css
│ └── topics/
│ ├── actors.md
│ ├── contracts.md
│ ├── models.md
│ ├── test-case-generation.md
│ └── trace-analysis.md
├── mkdocs.yml
├── pyproject.toml
├── revizor.py
├── rvzr/
│ ├── __init__.py
│ ├── analyser.py
│ ├── arch/
│ │ ├── __init__.py
│ │ ├── arm64/
│ │ │ ├── __init__.py
│ │ │ ├── asm_parser.py
│ │ │ ├── config.py
│ │ │ ├── executor.py
│ │ │ ├── fuzzer.py
│ │ │ ├── generator.py
│ │ │ ├── get_spec.py
│ │ │ └── target_desc.py
│ │ └── x86/
│ │ ├── __init__.py
│ │ ├── asm_parser.py
│ │ ├── config.py
│ │ ├── executor.py
│ │ ├── fuzzer.py
│ │ ├── generator.py
│ │ ├── get_spec.py
│ │ └── target_desc.py
│ ├── asm_parser.py
│ ├── cli.py
│ ├── code_generator.py
│ ├── config.py
│ ├── data_generator.py
│ ├── elf_parser.py
│ ├── executor.py
│ ├── executor_km/
│ │ ├── .clang-format
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── arm64/
│ │ │ ├── asm_snippets.h
│ │ │ ├── entry_exit_points.h
│ │ │ ├── exception.S
│ │ │ ├── fault_handler.c
│ │ │ ├── macros.c
│ │ │ ├── page_tables_guest.c
│ │ │ ├── perf_counters.c
│ │ │ ├── registers.h
│ │ │ └── special_registers.c
│ │ ├── code_loader.c
│ │ ├── data_loader.c
│ │ ├── include/
│ │ │ ├── actor.h
│ │ │ ├── asm_snippets.h
│ │ │ ├── code_loader.h
│ │ │ ├── data_loader.h
│ │ │ ├── fault_handler.h
│ │ │ ├── hardware_desc.h
│ │ │ ├── input_parser.h
│ │ │ ├── macro_expansion.h
│ │ │ ├── main.h
│ │ │ ├── measurement.h
│ │ │ ├── page_tables_common.h
│ │ │ ├── page_tables_guest.h
│ │ │ ├── page_tables_host.h
│ │ │ ├── perf_counters.h
│ │ │ ├── sandbox_constants.h
│ │ │ ├── sandbox_manager.h
│ │ │ ├── shortcuts.h
│ │ │ ├── special_registers.h
│ │ │ ├── svm.h
│ │ │ ├── svm_constants.h
│ │ │ ├── test_case_parser.h
│ │ │ ├── vmx.h
│ │ │ └── vmx_config.h
│ │ ├── input_parser.c
│ │ ├── macro_expansion.c
│ │ ├── main.c
│ │ ├── measurement.c
│ │ ├── page_tables_host.c
│ │ ├── readme.md
│ │ ├── sandbox_manager.c
│ │ ├── test_case_parser.c
│ │ └── x86/
│ │ ├── asm_snippets.h
│ │ ├── entry_exit_points.h
│ │ ├── fault_handlers.S
│ │ ├── idt.c
│ │ ├── macros.c
│ │ ├── page_tables_guest.c
│ │ ├── perf_counters.c
│ │ ├── registers.h
│ │ ├── special_registers.c
│ │ ├── svm.c
│ │ └── vmx.c
│ ├── factory.py
│ ├── fuzzer.py
│ ├── instruction_spec.py
│ ├── isa_spec.py
│ ├── logs.py
│ ├── model.py
│ ├── model_dynamorio/
│ │ ├── Makefile
│ │ ├── __init__.py
│ │ ├── adapter/
│ │ │ ├── .clang-format
│ │ │ ├── .clang-tidy
│ │ │ ├── CMakeLists.txt
│ │ │ ├── main.c
│ │ │ ├── parser.c
│ │ │ ├── parser.h
│ │ │ ├── rcbf.h
│ │ │ ├── rdbf.h
│ │ │ ├── sandbox.c
│ │ │ ├── sandbox.h
│ │ │ ├── sandbox_const.h
│ │ │ └── test_case_entry.S
│ │ ├── backend/
│ │ │ ├── .clang-format
│ │ │ ├── .clang-tidy
│ │ │ ├── CMakeLists.txt
│ │ │ ├── cli.cpp
│ │ │ ├── dispatcher.cpp
│ │ │ ├── factory.cpp
│ │ │ ├── include/
│ │ │ │ ├── cli.hpp
│ │ │ │ ├── dispatcher.hpp
│ │ │ │ ├── factory.hpp
│ │ │ │ ├── logger.hpp
│ │ │ │ ├── observables.hpp
│ │ │ │ ├── speculator_abc.hpp
│ │ │ │ ├── speculators/
│ │ │ │ │ ├── cond.hpp
│ │ │ │ │ └── seq.hpp
│ │ │ │ ├── taint_tracker.hpp
│ │ │ │ ├── tracer_abc.hpp
│ │ │ │ ├── tracers/
│ │ │ │ │ ├── ct.hpp
│ │ │ │ │ ├── ind.hpp
│ │ │ │ │ └── pc.hpp
│ │ │ │ ├── types/
│ │ │ │ │ ├── debug_trace.hpp
│ │ │ │ │ ├── decoder.hpp
│ │ │ │ │ ├── file_buffer.hpp
│ │ │ │ │ ├── input_taint.hpp
│ │ │ │ │ ├── store_log.hpp
│ │ │ │ │ └── trace.hpp
│ │ │ │ └── util.hpp
│ │ │ ├── logger.cpp
│ │ │ ├── model.cpp
│ │ │ ├── speculator_abc.cpp
│ │ │ ├── speculators/
│ │ │ │ ├── cond.cpp
│ │ │ │ └── seq.cpp
│ │ │ ├── taint_tracker.cpp
│ │ │ ├── tracer_abc.cpp
│ │ │ ├── tracers/
│ │ │ │ ├── ct.cpp
│ │ │ │ ├── ind.cpp
│ │ │ │ └── pc.cpp
│ │ │ └── util.cpp
│ │ ├── model.py
│ │ └── trace_decoder.py
│ ├── model_unicorn/
│ │ ├── __init__.py
│ │ ├── coverage.py
│ │ ├── execution_context.py
│ │ ├── interpreter.py
│ │ ├── model.py
│ │ ├── speculator_abc.py
│ │ ├── speculators_basic.py
│ │ ├── speculators_fault.py
│ │ ├── speculators_vs.py
│ │ ├── taint_tracker.py
│ │ └── tracer.py
│ ├── postprocessing/
│ │ ├── __init__.py
│ │ ├── analysis_passes.py
│ │ ├── input_passes.py
│ │ ├── instruction_passes.py
│ │ ├── minimizer.py
│ │ ├── pass_abc.py
│ │ └── progress_printer.py
│ ├── py.typed
│ ├── sandbox.py
│ ├── stats.py
│ ├── target_desc.py
│ ├── tc_components/
│ │ ├── __init__.py
│ │ ├── actor.py
│ │ ├── instruction.py
│ │ ├── test_case_binary.py
│ │ ├── test_case_code.py
│ │ └── test_case_data.py
│ ├── traces.py
│ └── unicorn.pyi
└── tests/
├── .coveragerc
├── .gitignore
├── __init__.py
├── acceptance.bats
├── arm64/
│ ├── asm/
│ │ ├── actor_switch.asm
│ │ ├── asm_basic.asm
│ │ ├── asm_multiactor.asm
│ │ ├── asm_symbol.asm
│ │ ├── calls.asm
│ │ ├── direct_jumps.asm
│ │ ├── fault-div-zero-speculation.asm
│ │ ├── fault_undefined_opcode.asm
│ │ ├── macro_fault_handler.asm
│ │ ├── model_flags_match.asm
│ │ ├── model_match.asm
│ │ ├── model_match_memory.asm
│ │ ├── model_match_xmm.asm
│ │ └── spectre_v1.asm
│ ├── configs/
│ │ ├── arch-actors.yaml
│ │ ├── arch-faults.yaml
│ │ ├── arch.yaml
│ │ ├── archdiff.yaml
│ │ ├── base-and-simd-categories.yaml
│ │ ├── common.yaml
│ │ ├── ct-cond.yaml
│ │ ├── ct-seq.yaml
│ │ ├── exceptions.yaml
│ │ └── fault-handler.yaml
│ ├── min_arm64.json
│ ├── model_common.py
│ ├── unit_generators.py
│ └── unit_isa_loader.py
├── kernel_module.bats
├── pre-release.sh
├── quick-test.sh
├── runtests.sh
├── scripts/
│ ├── create_rcbf_file.py
│ └── create_rdbf_file.py
├── unit_analyser.py
├── unit_docs.py
├── unit_fuzzer.py
├── unit_isa_loader.py
├── unit_stats.py
├── unit_tc_components.py
├── unit_traces.py
└── x86_tests/
├── __init__.py
├── asm/
│ ├── actor_switch.asm
│ ├── asm_basic.asm
│ ├── asm_multiactor.asm
│ ├── asm_symbol.asm
│ ├── calls.asm
│ ├── direct_jumps.asm
│ ├── fault-div-overflow-speculation.asm
│ ├── fault-div-zero-speculation.asm
│ ├── fault_INT1.asm
│ ├── fault_INT3.asm
│ ├── fault_UD.asm
│ ├── fault_load.asm
│ ├── fault_ooo_mem_access.asm
│ ├── fault_rmw.asm
│ ├── macro_fault_handler.asm
│ ├── minimization-after.asm
│ ├── minimization-before.asm
│ ├── model_flags_match.asm
│ ├── model_match.asm
│ ├── model_match_memory.asm
│ ├── model_match_xmm.asm
│ ├── spectre_ret.asm
│ ├── spectre_v1.1.asm
│ ├── spectre_v1.asm
│ ├── spectre_v1_arch.asm
│ ├── spectre_v1_independent.asm
│ ├── spectre_v1_n2.asm
│ ├── spectre_v2.asm
│ ├── spectre_v4.asm
│ └── vm_switch.asm
├── configs/
│ ├── arch-actors.yaml
│ ├── arch-dr.yaml
│ ├── arch-faults.yaml
│ ├── arch.yaml
│ ├── archdiff.yaml
│ ├── base-and-simd-categories.yaml
│ ├── base-categories.yaml
│ ├── common.yaml
│ ├── copy.yaml
│ ├── ct-cond.yaml
│ ├── ct-deh.yaml
│ ├── ct-seq.yaml
│ ├── div-detect.yaml
│ ├── div-verif.yaml
│ ├── exceptions.yaml
│ ├── fault-handler.yaml
│ ├── l1tf-p-verif.yaml
│ ├── l1tf-p.yaml
│ ├── l1tf-w-verif.yaml
│ ├── l1tf-w.yaml
│ ├── meltdown-verif.yaml
│ ├── meltdown.yaml
│ ├── mpx-verif.yaml
│ ├── mpx.yaml
│ ├── ssbp-detect.yaml
│ ├── ssbp-verif.yaml
│ └── vm-switch.yaml
├── min_x86.json
├── model_common.py
├── unit_dr_decoder.py
├── unit_fuzzer.py
├── unit_generators.py
├── unit_isa_loader.py
├── unit_model.py
└── unit_taint_tracker.py
SYMBOL INDEX (2014 symbols across 145 files)
FILE: rvzr/analyser.py
class Analyser (line 33) | class Analyser(ABC):
method filter_violations (line 37) | def filter_violations(self,
method htraces_are_equivalent (line 55) | def htraces_are_equivalent(self, htrace1: HTrace, htrace2: HTrace) -> ...
class EquivalenceAnalyserCommon (line 67) | class EquivalenceAnalyserCommon(Analyser):
method filter_violations (line 85) | def filter_violations(self,
class MergedBitmapAnalyser (line 152) | class MergedBitmapAnalyser(EquivalenceAnalyserCommon):
method __init__ (line 162) | def __init__(self) -> None:
method htraces_are_equivalent (line 167) | def htraces_are_equivalent(self, htrace1: HTrace, htrace2: HTrace) -> ...
class SetAnalyser (line 202) | class SetAnalyser(EquivalenceAnalyserCommon):
method htraces_are_equivalent (line 209) | def htraces_are_equivalent(self, htrace1: HTrace, htrace2: HTrace) -> ...
class MWUAnalyser (line 226) | class MWUAnalyser(EquivalenceAnalyserCommon):
method __init__ (line 233) | def __init__(self) -> None:
method htraces_are_equivalent (line 244) | def htraces_are_equivalent(self, htrace1: HTrace, htrace2: HTrace) -> ...
class ChiSquaredAnalyser (line 250) | class ChiSquaredAnalyser(EquivalenceAnalyserCommon):
method __init__ (line 255) | def __init__(self) -> None:
method homogeneity_test (line 263) | def homogeneity_test(self, x: IntArrayLike, y: IntArrayLike) -> float:
method htraces_are_equivalent (line 277) | def htraces_are_equivalent(self, htrace1: HTrace, htrace2: HTrace) -> ...
FILE: rvzr/arch/arm64/asm_parser.py
class _ARM646LineParser (line 27) | class _ARM646LineParser(AsmLineParser):
method __init__ (line 32) | def __init__(self, isa_spec: InstructionSet, target_desc: ARM64TargetD...
method _tokenize (line 42) | def _tokenize(self, line: str) -> List[str]:
method _get_instruction_name (line 79) | def _get_instruction_name(self, line: str, tokens: List[str]) -> str:
method _get_instruction_operands (line 82) | def _get_instruction_operands(self, _: str, __: str, tokens: List[str]...
method _get_initial_candidate_specs (line 86) | def _get_initial_candidate_specs(self, _: str, name: str) -> List[Inst...
method _check_if_spec_matches (line 90) | def _check_if_spec_matches(self, spec: InstructionSpec, operands_raw: ...
class ARM64AsmParser (line 146) | class ARM64AsmParser(AsmParser):
method __init__ (line 149) | def __init__(self, isa_spec: InstructionSet, target_desc: TargetDesc) ...
FILE: rvzr/arch/arm64/executor.py
class ARM64Executor (line 13) | class ARM64Executor(Executor):
method __init__ (line 16) | def __init__(self, enable_mismatch_check_mode: bool = False):
method _set_vendor_specific_features (line 24) | def _set_vendor_specific_features(self) -> None:
FILE: rvzr/arch/arm64/fuzzer.py
class ARM64Fuzzer (line 34) | class ARM64Fuzzer(Fuzzer):
method _filter (line 47) | def _filter(self, test_case: TestCaseProgram, inputs: List[InputData])...
method _observation_filter (line 76) | def _observation_filter(self, test_case: TestCaseProgram, inputs: List...
class ARM64ArchitecturalFuzzer (line 116) | class ARM64ArchitecturalFuzzer(ArchitecturalFuzzer):
class ARM64ArchDiffFuzzer (line 123) | class ARM64ArchDiffFuzzer(ArchDiffFuzzer):
method _create_fenced_test_case (line 129) | def _create_fenced_test_case(original_asm: str, fenced_asm: str, asm_p...
function _quick_and_dirty_mode (line 139) | def _quick_and_dirty_mode(executor: Executor) -> Generator[None, None, N...
function _create_fenced_test_case (line 150) | def _create_fenced_test_case(original_asm: str, fenced_asm: str, asm_par...
FILE: rvzr/arch/arm64/generator.py
class _ARM64Printer (line 32) | class _ARM64Printer(Printer):
method __init__ (line 34) | def __init__(self, target_desc: ARM64TargetDesc) -> None:
method _instruction_to_str (line 42) | def _instruction_to_str(self, inst: Instruction) -> str:
method _operand_to_str (line 65) | def _operand_to_str(self, op: Operand) -> str:
method _macro_to_str (line 75) | def _macro_to_str(self, inst: Instruction) -> str:
method _is_digit_extended (line 82) | def _is_digit_extended(s: str) -> bool:
class _ARM64SandboxPass (line 109) | class _ARM64SandboxPass(Pass):
method __init__ (line 125) | def __init__(self, target_desc: TargetDesc) -> None:
method run_on_test_case (line 134) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _sandbox_memory_access (line 156) | def _sandbox_memory_access(self, node: InstructionNode, parent: BasicB...
method requires_sandbox (line 194) | def requires_sandbox(inst: InstructionSpec) -> bool:
class _ARM64PatchUndefinedLoadsPass (line 201) | class _ARM64PatchUndefinedLoadsPass(Pass):
method __init__ (line 203) | def __init__(self, target_desc: TargetDesc) -> None:
method run_on_test_case (line 207) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _is_post_index (line 231) | def _is_post_index(self, inst: Instruction) -> bool:
class ARM64Generator (line 250) | class ARM64Generator(CodeGenerator):
method __init__ (line 253) | def __init__(self, seed: int, instruction_set: InstructionSet, target_...
FILE: rvzr/arch/arm64/get_spec.py
class Downloader (line 14) | class Downloader:
method __init__ (line 17) | def __init__(self, extensions: List[str], out_file: str) -> None:
method run (line 24) | def run(self) -> None:
FILE: rvzr/arch/arm64/target_desc.py
class ARM64TargetDesc (line 15) | class ARM64TargetDesc(TargetDesc):
method __init__ (line 118) | def __init__(self) -> None:
method is_unconditional_branch (line 129) | def is_unconditional_branch(inst: Instruction) -> bool:
method is_call (line 133) | def is_call(inst: Instruction) -> bool:
method _build_cpu_desc (line 136) | def _build_cpu_desc(self) -> CPUDesc:
class ARM64UnicornTargetDesc (line 157) | class ARM64UnicornTargetDesc(UnicornTargetDesc): # pylint: disable=too-...
FILE: rvzr/arch/x86/asm_parser.py
class _X86IntelLineParser (line 89) | class _X86IntelLineParser(AsmLineParser):
method __init__ (line 92) | def __init__(self, isa_spec: InstructionSet, target_desc: TargetDesc) ...
method _tokenize (line 98) | def _tokenize(self, line: str) -> List[str]:
method _get_instruction_name (line 101) | def _get_instruction_name(self, line: str, _: List[str]) -> str:
method _get_instruction_operands (line 112) | def _get_instruction_operands(self, line: str, name: str, tokens: List...
method _get_initial_candidate_specs (line 120) | def _get_initial_candidate_specs(self, line: str, _: str) -> List[Inst...
method _check_if_spec_matches (line 137) | def _check_if_spec_matches(self, spec: InstructionSpec, operands_raw: ...
class X86AsmParser (line 190) | class X86AsmParser(AsmParser):
method __init__ (line 193) | def __init__(self, isa_spec: InstructionSet, target_desc: TargetDesc) ...
FILE: rvzr/arch/x86/executor.py
class X86Executor (line 38) | class X86Executor(Executor):
method __init__ (line 41) | def __init__(self, enable_mismatch_check_mode: bool = False):
method _set_vendor_specific_features (line 45) | def _set_vendor_specific_features(self) -> None:
method _identify_handled_faults (line 54) | def _identify_handled_faults(self) -> int:
class X86IntelExecutor (line 62) | class X86IntelExecutor(X86Executor):
method __init__ (line 65) | def __init__(self, enable_mismatch_check_mode: bool = False):
class X86AMDExecutor (line 74) | class X86AMDExecutor(X86Executor):
method __init__ (line 77) | def __init__(self, enable_mismatch_check_mode: bool = False):
FILE: rvzr/arch/x86/fuzzer.py
class X86Fuzzer (line 37) | class X86Fuzzer(Fuzzer):
method start (line 50) | def start(self, num_test_cases: int, num_inputs: int, timeout: int, no...
method _filter (line 57) | def _filter(self, test_case: TestCaseProgram, inputs: List[InputData])...
method _speculation_filter (line 90) | def _speculation_filter(htraces: List[HTrace]) -> bool:
method _observation_filter (line 110) | def _observation_filter(self, test_case: TestCaseProgram, inputs: List...
method _adjust_config (line 146) | def _adjust_config(self, existing_test_case: str) -> None:
class X86ArchitecturalFuzzer (line 154) | class X86ArchitecturalFuzzer(ArchitecturalFuzzer):
method _adjust_config (line 161) | def _adjust_config(self, existing_test_case: str) -> None:
method start (line 165) | def start(self, num_test_cases: int, num_inputs: int, timeout: int, no...
class X86ArchDiffFuzzer (line 171) | class X86ArchDiffFuzzer(ArchDiffFuzzer):
method _adjust_config (line 181) | def _adjust_config(self, existing_test_case: str) -> None:
method start (line 185) | def start(self, num_test_cases: int, num_inputs: int, timeout: int, no...
method _create_fenced_test_case (line 191) | def _create_fenced_test_case(original_asm: str, fenced_asm: str, asm_p...
function _update_instruction_list (line 200) | def _update_instruction_list() -> None:
function _check_instruction_list (line 214) | def _check_instruction_list(instruction_set: InstructionSet) -> None:
function _quick_and_dirty_mode (line 239) | def _quick_and_dirty_mode(executor: Executor) -> Generator[None, None, N...
function _create_fenced_test_case (line 250) | def _create_fenced_test_case(original_asm: str, fenced_asm: str, asm_par...
FILE: rvzr/arch/x86/generator.py
class _FaultFilter (line 40) | class _FaultFilter:
method __init__ (line 43) | def __init__(self) -> None:
class _X86Printer (line 53) | class _X86Printer(Printer):
method __init__ (line 56) | def __init__(self, target_desc: X86TargetDesc) -> None:
method _instruction_to_str (line 64) | def _instruction_to_str(self, inst: Instruction) -> str:
method _operand_to_str (line 77) | def _operand_to_str(self, op: Operand) -> str:
method _macro_to_str (line 84) | def _macro_to_str(self, inst: Instruction) -> str:
class _X86NonCanonicalAddressPass (line 94) | class _X86NonCanonicalAddressPass(Pass):
method __init__ (line 101) | def __init__(self, target_desc: X86TargetDesc) -> None:
method run_on_test_case (line 105) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _instrument (line 130) | def _instrument(self, node: InstructionNode, parent: BasicBlock) -> None:
method _find_mask_register (line 183) | def _find_mask_register(self, src_operands: List[RegisterOp]) -> str:
method _find_offset_register (line 195) | def _find_offset_register(self, inst: Instruction) -> str:
class _X86U2KAccessPass (line 208) | class _X86U2KAccessPass(Pass):
method run_on_test_case (line 224) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _instrument (line 264) | def _instrument(self, node: InstructionNode, _: BasicBlock, owner_id: ...
class _X86SandboxPass (line 312) | class _X86SandboxPass(Pass):
method __init__ (line 326) | def __init__(self, target_desc: TargetDesc, faults: _FaultFilter) -> N...
method run_on_test_case (line 336) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _sandbox_memory_access (line 378) | def _sandbox_memory_access(self, node: InstructionNode, parent: BasicB...
method _sandbox_division (line 444) | def _sandbox_division(self, node: InstructionNode, parent: BasicBlock)...
method _sandbox_bit_test (line 611) | def _sandbox_bit_test(self, node: InstructionNode, parent: BasicBlock)...
method _sandbox_repeated_instruction (line 649) | def _sandbox_repeated_instruction(self, node: InstructionNode, parent:...
method _sandbox_corrupted_cf (line 661) | def _sandbox_corrupted_cf(self, node: InstructionNode, parent: BasicBl...
method _sandbox_enclu (line 668) | def _sandbox_enclu(self, node: InstructionNode, parent: BasicBlock) ->...
method requires_sandbox (line 684) | def requires_sandbox(inst: InstructionSpec) -> bool:
class _X86PatchUndefinedFlagsPass (line 697) | class _X86PatchUndefinedFlagsPass(Pass):
method __init__ (line 717) | def __init__(self, instruction_set: InstructionSet, generator: CodeGen...
method run_on_test_case (line 745) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _patch_flags_in_bb (line 749) | def _patch_flags_in_bb(self, bb: BasicBlock) -> None:
method _find_flags_patch (line 811) | def _find_flags_patch(self, undef_flags: List[str],
class _X86PatchUndefinedResultPass (line 850) | class _X86PatchUndefinedResultPass(Pass):
method run_on_test_case (line 856) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _patch_bit_scan (line 870) | def _patch_bit_scan(node: InstructionNode, parent: BasicBlock) -> None:
class _X86PatchOpcodesPass (line 897) | class _X86PatchOpcodesPass(Pass):
method run_on_test_case (line 935) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
method _instrument (line 950) | def _instrument(self, node: InstructionNode, parent: BasicBlock) -> None:
class X86Generator (line 962) | class X86Generator(CodeGenerator):
method __init__ (line 967) | def __init__(self, seed: int, instruction_set: InstructionSet, target_...
FILE: rvzr/arch/x86/get_spec.py
class _XMLOperandSpec (line 182) | class _XMLOperandSpec:
method to_json (line 196) | def to_json(self) -> str:
class _XMLInstructionSpec (line 205) | class _XMLInstructionSpec:
method __init__ (line 213) | def __init__(self) -> None:
method __str__ (line 217) | def __str__(self) -> str:
method to_json (line 221) | def to_json(self) -> str:
class _ParseFailed (line 242) | class _ParseFailed(Exception):
class XMLSpecParser (line 246) | class XMLSpecParser:
method __init__ (line 253) | def __init__(self, extensions: List[str]) -> None:
method __len__ (line 257) | def __len__(self) -> int:
method parse_file (line 260) | def parse_file(self, filename: str) -> None:
method save_as_json (line 281) | def save_as_json(self, filename: str) -> None:
method _parse_node (line 288) | def _parse_node(self, node: ET.Element) -> Optional[_XMLInstructionSpec]:
method _node_is_not_supported (line 350) | def _node_is_not_supported(self, node: ET.Element) -> bool:
method _parse_reg_operand (line 355) | def _parse_reg_operand(self, op: ET.Element) -> _XMLOperandSpec:
method _parse_mem_operand (line 377) | def _parse_mem_operand(op: ET.Element) -> _XMLOperandSpec:
method _parse_agen_operand (line 400) | def _parse_agen_operand(_: ET.Element) -> _XMLOperandSpec:
method _parse_imm_operand (line 410) | def _parse_imm_operand(op: ET.Element) -> _XMLOperandSpec:
method _parse_label_operand (line 428) | def _parse_label_operand(_: ET.Element) -> _XMLOperandSpec:
method _parse_flags_operand (line 438) | def _parse_flags_operand(op: ET.Element) -> _XMLOperandSpec:
method add_missing (line 457) | def add_missing(self) -> None: # pylint: disable=too-many-statements
method _check_extension_list (line 504) | def _check_extension_list(self) -> None:
class Downloader (line 518) | class Downloader:
method __init__ (line 521) | def __init__(self, extensions: List[str], out_file: str) -> None:
method run (line 538) | def run(self) -> None:
FILE: rvzr/arch/x86/target_desc.py
class X86TargetDesc (line 16) | class X86TargetDesc(TargetDesc):
method __init__ (line 251) | def __init__(self) -> None:
method is_unconditional_branch (line 270) | def is_unconditional_branch(inst: Instruction) -> bool:
method is_call (line 274) | def is_call(inst: Instruction) -> bool:
method _build_cpu_desc (line 277) | def _build_cpu_desc(self) -> CPUDesc:
class X86UnicornTargetDesc (line 300) | class X86UnicornTargetDesc(UnicornTargetDesc): # pylint: disable=too-fe...
FILE: rvzr/asm_parser.py
class AsmParserError (line 35) | class AsmParserError(Exception):
method __init__ (line 38) | def __init__(self, line_num: int, message: str) -> None:
function asm_parser_assert (line 43) | def asm_parser_assert(condition: bool, line_number: int, explanation: st...
class _ASMLine (line 51) | class _ASMLine:
method __init__ (line 54) | def __init__(self, str_: str, line_num: int) -> None:
class _CodeMapBuilder (line 74) | class _CodeMapBuilder:
method create_code_map (line 86) | def create_code_map(self, lines: List[_ASMLine]) -> _CodeMap:
method _get_line_type (line 132) | def _get_line_type(self, line: _ASMLine) -> str:
method _start_section (line 154) | def _start_section(self, line: _ASMLine) -> None:
method _start_function (line 180) | def _start_function(self, line: _ASMLine) -> None:
method _create_default_main_function (line 198) | def _create_default_main_function(self) -> None:
method _start_basic_block (line 211) | def _start_basic_block(self, line: _ASMLine) -> None:
method _add_instruction (line 237) | def _add_instruction(self, line: _ASMLine) -> None:
method _macro_label_to_instr (line 247) | def _macro_label_to_instr(self, line: str, line_num: int) -> str:
class _AsmPatcher (line 274) | class _AsmPatcher:
method set_macro_placeholder (line 278) | def set_macro_placeholder(self, macro_placeholder_str: str) -> None:
method patch_asm (line 288) | def patch_asm(self, asm_file: str, patched_asm_file: str) -> None:
method _is_instruction (line 305) | def _is_instruction(self, line: str) -> bool:
method _pre_clean (line 311) | def _pre_clean(self, asm_file: str, patched_asm_file: str) -> None:
method _add_exit_section (line 318) | def _add_exit_section(self, patched_asm_file: str) -> None:
method _add_default_main (line 333) | def _add_default_main(self, patched_asm_file: str) -> None:
method _add_macro_placeholders (line 371) | def _add_macro_placeholders(self, patched_asm_file: str) -> None:
method _add_default_measurements (line 391) | def _add_default_measurements(self, patched_asm_file: str) -> None:
class AsmLineParser (line 439) | class AsmLineParser(ABC):
method __init__ (line 450) | def __init__(self, isa_spec: InstructionSet, target_desc: TargetDesc) ...
method _tokenize (line 458) | def _tokenize(self, line: str) -> List[str]:
method _get_instruction_name (line 462) | def _get_instruction_name(self, line: str, tokens: List[str]) -> str:
method _get_instruction_operands (line 466) | def _get_instruction_operands(self, line: str, name: str, tokens: List...
method _get_initial_candidate_specs (line 470) | def _get_initial_candidate_specs(self, line: str, name: str) -> List[I...
method _check_if_spec_matches (line 474) | def _check_if_spec_matches(self, spec: InstructionSpec, operands_raw: ...
method _build_instruction_map (line 480) | def _build_instruction_map(isa_spec: InstructionSet) -> Dict[str, List...
method parse_line (line 501) | def parse_line(self, line: str, line_num: int) -> Instruction:
method _find_matching_spec (line 528) | def _find_matching_spec(self, line: str, name: str, operands_raw: List...
method _create_instruction (line 554) | def _create_instruction(self, spec: InstructionSpec, operands_raw: Lis...
class AsmParser (line 602) | class AsmParser(ABC):
method __init__ (line 614) | def __init__(self, isa_spec: InstructionSet, target_desc: TargetDesc) ...
method parse_file (line 621) | def parse_file(self,
method _patch_asm (line 678) | def _patch_asm(self, asm_file: str, patched_asm_file: str) -> None:
method _update_lines_after_patch (line 681) | def _update_lines_after_patch(self, patched_asm_file: str,
method _get_clean_lines (line 708) | def _get_clean_lines(self, org_lines: List[_ASMLine]) -> List[_ASMLine]:
method _validate_dirty_lines (line 733) | def _validate_dirty_lines(self, lines: List[_ASMLine]) -> None:
method _parse_line (line 752) | def _parse_line(self, line: str, line_num: int) -> Instruction:
method _fill_test_case_structure (line 757) | def _fill_test_case_structure(self, test_case: TestCaseProgram, code_m...
method _connect_control_flow (line 791) | def _connect_control_flow(self, test_case: TestCaseProgram) -> None:
method _handle_empty_test_case (line 826) | def _handle_empty_test_case(self, test_case: TestCaseProgram) -> None:
method _check_test_case_correctness (line 839) | def _check_test_case_correctness(self, test_case: TestCaseProgram) -> ...
method _check_landing_sites (line 845) | def _check_landing_sites(self, test_case: TestCaseProgram) -> None:
method _check_fault_handler (line 887) | def _check_fault_handler(self, test_case: TestCaseProgram) -> None:
method _check_set_data_permission (line 898) | def _check_set_data_permission(self, test_case: TestCaseProgram) -> None:
FILE: rvzr/cli.py
function _arg2bool (line 24) | def _arg2bool(arg: Any) -> bool:
function _parse_args (line 34) | def _parse_args() -> Any: # pylint: disable=r0915
function main (line 373) | def main() -> int: # pylint: disable=r0911,r0912,r0915 # this function...
FILE: rvzr/code_generator.py
class Pass (line 37) | class Pass(ABC):
method run_on_test_case (line 43) | def run_on_test_case(self, test_case: TestCaseProgram) -> None:
class Printer (line 49) | class Printer(ABC):
method __init__ (line 61) | def __init__(self, target_desc: TargetDesc) -> None:
method print (line 64) | def print(self, test_case: TestCaseProgram) -> None:
method _print_section (line 81) | def _print_section(self, sec: CodeSection, file_: TextIO) -> None:
method _print_function (line 86) | def _print_function(self, func: Function, file_: TextIO) -> None:
method _print_basic_block (line 93) | def _print_basic_block(self, bb: BasicBlock, file_: TextIO) -> None:
method _instruction_to_str (line 101) | def _instruction_to_str(self, inst: Instruction) -> str:
method _operand_to_str (line 105) | def _operand_to_str(self, op: AnyOperand) -> str:
method _macro_to_str (line 109) | def _macro_to_str(self, inst: Instruction) -> str:
class CodeGenerator (line 116) | class CodeGenerator(ABC):
method __init__ (line 138) | def __init__(self, seed: int, instruction_set: InstructionSet, target_...
method create_test_case (line 155) | def create_test_case(self, asm_file: str, disable_assembler: bool = Fa...
method create_test_case_from_template (line 202) | def create_test_case_from_template(self, template_file: str) -> TestCa...
method generate_actors_with_sections (line 246) | def generate_actors_with_sections(self, test_case: TestCaseProgram,
method generate_instruction (line 268) | def generate_instruction(self,
method _set_seed (line 285) | def _set_seed(self, seed: int) -> None:
method _update_state (line 296) | def _update_state(self) -> None:
method _add_required_symbols (line 302) | def _add_required_symbols(self, test_case: TestCaseProgram) -> None:
method _expand_template (line 320) | def _expand_template(self, test_case: TestCaseProgram, actors_config: ...
function assemble (line 362) | def assemble(test_case: TestCaseProgram) -> None:
class _FunctionGenerator (line 410) | class _FunctionGenerator:
method __init__ (line 416) | def __init__(self, target_desc: TargetDesc, isa_spec: InstructionSet) ...
method generate_empty (line 420) | def generate_empty(self, label: str, parent: CodeSection) -> Function:
method fill_function (line 478) | def fill_function(self, func: Function) -> None:
method _add_terminators_in_function (line 489) | def _add_terminators_in_function(self, func: Function) -> None:
method _add_instructions_in_function (line 531) | def _add_instructions_in_function(self, func: Function) -> None:
class _InstructionGenerator (line 548) | class _InstructionGenerator:
method __init__ (line 555) | def __init__(self, target_desc: TargetDesc) -> None:
method generate (line 558) | def generate(self, spec: InstructionSpec, is_instrumentation: bool = F...
method generate_from_random_spec (line 581) | def generate_from_random_spec(self,
class _OperandGenerator (line 614) | class _OperandGenerator:
method __init__ (line 619) | def __init__(self, target_desc: TargetDesc) -> None:
method generate (line 622) | def generate(self, spec: OperandSpec, parent: Instruction) -> AnyOperand:
method _generate_reg_operand (line 637) | def _generate_reg_operand(self, spec: OperandSpec, _: Instruction) -> ...
method _generate_mem_operand (line 642) | def _generate_mem_operand(self, spec: OperandSpec, _: Instruction) -> ...
method _generate_imm_operand (line 649) | def _generate_imm_operand(self, spec: OperandSpec, inst: Instruction) ...
method _generate_bitmask_operand (line 686) | def _generate_bitmask_operand(self, spec: OperandSpec, _: Instruction)...
method _generate_label_operand (line 709) | def _generate_label_operand(self, _: OperandSpec, __: Instruction) -> ...
method _generate_agen_operand (line 712) | def _generate_agen_operand(self, spec: OperandSpec, __: Instruction) -...
method _generate_flags_operand (line 725) | def _generate_flags_operand(self, spec: OperandSpec, parent: Instructi...
method _generate_cond_operand (line 763) | def _generate_cond_operand(self, _: OperandSpec, __: Instruction) -> C...
FILE: rvzr/config.py
class ActorConf (line 26) | class ActorConf(TypedDict):
class IncludeLoader (line 49) | class IncludeLoader(yaml.SafeLoader):
method __init__ (line 56) | def __init__(self, stream: TextIO, include_dir: str = "") -> None:
method __del__ (line 63) | def __del__(self) -> None:
method include (line 67) | def include(self, node: yaml.Node) -> Any:
method construct_yaml_map (line 87) | def construct_yaml_map(self, node: yaml.MappingNode) -> Dict[Any, Any]:
class ConfigException (line 104) | class ConfigException(SystemExit):
method __init__ (line 106) | def __init__(self, message: str) -> None:
function _get_architecture (line 110) | def _get_architecture() -> Architecture:
function _get_cpu_vendor (line 120) | def _get_cpu_vendor() -> str:
class Conf (line 135) | class Conf:
method __init__ (line 372) | def __init__(self) -> None:
method load (line 378) | def load(self, config_path: str, include_dir: str = "") -> None:
method _load_from_dict (line 393) | def _load_from_dict(self, config_update: Dict[str, Any]) -> None:
method safe_set (line 434) | def safe_set(self, name: str, value: Any, options_name: str = "") -> N...
method _check_options (line 453) | def _check_options(self, name: str, value: Any) -> None:
method _value_sanity_check (line 481) | def _value_sanity_check(self) -> None:
method set_to_arch_defaults (line 490) | def set_to_arch_defaults(self) -> None:
method update_handled_faults_with_generator_faults (line 529) | def update_handled_faults_with_generator_faults(self, new: List[str]) ...
method set_actor_properties (line 539) | def set_actor_properties(self, new: List[Dict[str, List[Dict[ActorConf...
method disable_generation (line 589) | def disable_generation(self) -> None:
method is_generation_enabled (line 593) | def is_generation_enabled(self) -> bool:
method get_actors_conf (line 597) | def get_actors_conf(self) -> ActorsConf:
FILE: rvzr/data_generator.py
class DataGenerator (line 24) | class DataGenerator:
method __init__ (line 31) | def __init__(self, seed: int):
method get_state (line 41) | def get_state(self) -> int:
method _reset_boosting_state (line 48) | def _reset_boosting_state(self) -> None:
method generate (line 52) | def generate(self, count: int, n_actors: int) -> List[InputData]:
method generate_boosted (line 72) | def generate_boosted(self, inputs: List[InputData], taints: List[Input...
method load (line 116) | def load(self, input_paths: List[str]) -> List[InputData]:
method _generate_one (line 146) | def _generate_one(self, state: int, n_actors: int) -> Tuple[InputData,...
FILE: rvzr/elf_parser.py
class _ParsingError (line 25) | class _ParsingError(Exception):
method __init__ (line 27) | def __init__(self, message: str):
class _ELFData (line 35) | class _ELFData(TypedDict):
class _SectionData (line 40) | class _SectionData(TypedDict):
class _FunctionData (line 48) | class _FunctionData(TypedDict):
class _SymtabParser (line 54) | class _SymtabParser:
method parse (line 56) | def parse(self, obj_file: str) -> _ELFData:
method _get_unsorted_data (line 67) | def _get_unsorted_data(self, obj_file: str) -> _ELFData:
method _sort_elf_data (line 107) | def _sort_elf_data(self, elf_data: _ELFData) -> None:
class _ObjdumpSectionDesc (line 137) | class _ObjdumpSectionDesc(NamedTuple):
class _ObjdumpOutputParser (line 142) | class _ObjdumpOutputParser:
method __init__ (line 144) | def __init__(self) -> None:
method parse (line 149) | def parse(self, obj_file: str) -> _InstrAddrMap:
method _parse_section_header (line 190) | def _parse_section_header(self, line: str) -> _ObjdumpSectionDesc:
class ELFParser (line 210) | class ELFParser:
method __init__ (line 220) | def __init__(self, target_desc: TargetDesc) -> None:
method populate_elf_data (line 226) | def populate_elf_data(self, test_case_bin: TestCaseBinary,
method _assign_bin_metadata (line 248) | def _assign_bin_metadata(self, obj_file: str,
method _assign_section_metadata (line 310) | def _assign_section_metadata(section_data: _SectionData, section_obj: ...
method _assign_function_metadata (line 315) | def _assign_function_metadata(func_data: _FunctionData, section_data: ...
method _assign_instruction_metadata (line 325) | def _assign_instruction_metadata(self, inst: Instruction, instr_addr_m...
method _assign_macro_metadata (line 353) | def _assign_macro_metadata(self, inst: Instruction, sections_data: Lis...
method _validate_sections (line 431) | def _validate_sections(self, sections: List[CodeSection],
method _validate_macros (line 451) | def _validate_macros(self, test_case: TestCaseProgram, symbol_table: S...
FILE: rvzr/executor.py
function km_write (line 38) | def km_write(value: str, path: str) -> None:
function _is_smt_enabled (line 46) | def _is_smt_enabled() -> bool:
function _can_set_reserved (line 65) | def _can_set_reserved() -> bool:
function _is_kernel_module_installed (line 99) | def _is_kernel_module_installed() -> bool:
function _configure_kernel_module (line 103) | def _configure_kernel_module() -> None:
function _read_trace (line 109) | def _read_trace(n_reps: int,
function _rewind_km_output_to_end (line 195) | def _rewind_km_output_to_end() -> None:
class Executor (line 209) | class Executor(ABC):
method __init__ (line 231) | def __init__(self, enable_mismatch_check_mode: bool = False, skip_setu...
method load_test_case (line 258) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method trace_test_case (line 282) | def trace_test_case(self, inputs: List[InputData], n_reps: int) -> Lis...
method _identify_trace_type (line 326) | def _identify_trace_type(self) -> HTraceType:
method _raw_readings_to_traces (line 334) | def _raw_readings_to_traces(self, all_readings: ReadingsArray, n_input...
method read_base_addresses (line 360) | def read_base_addresses(self) -> BaseAddrTuple:
method set_ignore_list (line 377) | def set_ignore_list(self, ignore_list: List[int]) -> None:
method extend_ignore_list (line 387) | def extend_ignore_list(self, ignore_list: List[int]) -> None:
method set_quick_and_dirty (line 397) | def set_quick_and_dirty(self, state: bool) -> None:
method _set_vendor_specific_features (line 409) | def _set_vendor_specific_features(self) -> None:
FILE: rvzr/executor_km/arm64/entry_exit_points.h
function prologue (line 23) | static inline void prologue(void)
function epilogue (line 84) | static inline void epilogue(void)
function epilogue_dbg_gpr (line 125) | static inline void epilogue_dbg_gpr(void)
function main_segment_template (line 167) | static void main_segment_template(void)
function main_segment_template_dbg_gpr (line 189) | static void main_segment_template_dbg_gpr(void)
FILE: rvzr/executor_km/arm64/fault_handler.c
type opcode_t (line 17) | typedef uint32_t opcode_t;
type vector_table_entry_t (line 19) | typedef struct {
type vector_table_t (line 23) | typedef struct {
function vector_table_t (line 39) | static inline vector_table_t *vbar_el1_read(void)
function vbar_el1_write (line 46) | static inline void vbar_el1_write(vector_table_t *vbar_el1)
function set_outer_fault_handlers (line 51) | void set_outer_fault_handlers(void)
function unset_outer_fault_handlers (line 60) | void unset_outer_fault_handlers(void)
function set_inner_fault_handlers (line 66) | void set_inner_fault_handlers(void)
function unset_inner_fault_handlers (line 72) | void unset_inner_fault_handlers(void) { vbar_el1_write(&outer_vector_tab...
function init_fault_handler (line 75) | int init_fault_handler(void)
function free_fault_handler (line 82) | void free_fault_handler(void) {}
FILE: rvzr/executor_km/arm64/macros.c
function movz (line 47) | static inline uint32_t movz(uint8_t rd, uint16_t imm16, uint8_t shift)
function movk (line 56) | static inline uint32_t movk(uint8_t rd, uint16_t imm16, uint8_t shift)
function mov_to_sp (line 65) | static inline uint32_t mov_to_sp(uint8_t rd) { return 0x9100001f | (rd <...
function b_imm (line 67) | static inline uint32_t b_imm(uint32_t offset)
function mov_reg (line 80) | static inline uint32_t mov_reg(uint8_t rd, uint8_t rn)
function add_reg (line 89) | static inline uint32_t add_reg(uint8_t rd, uint8_t rn, uint8_t rm)
function str_reg (line 99) | static inline uint32_t str_reg(uint8_t rt, uint8_t rn)
function ldr_reg (line 108) | static inline uint32_t ldr_reg(uint8_t rt, uint8_t rn)
function mov_uint64_to_reg (line 126) | static inline uint64_t mov_uint64_to_reg(uint8_t rd, uint64_t value, uin...
function get_function_addr (line 148) | static uint64_t get_function_addr(int section_id, int function_id)
function update_memory_base_reg (line 167) | static uint64_t update_memory_base_reg(int section_id, uint8_t *dest, ui...
function update_mem_base_and_sp (line 186) | static uint64_t update_mem_base_and_sp(int section_id, uint8_t *dest, ui...
function update_util_base_reg (line 209) | static uint64_t update_util_base_reg(int section_id, uint8_t *dest, uint...
function body_macro_prime (line 235) | static void __attribute__((noipa)) body_macro_prime(void)
function body_macro_fast_prime (line 251) | static void __attribute__((noipa)) body_macro_fast_prime(void)
function body_macro_probe (line 267) | static void __attribute__((noipa)) body_macro_probe(void)
function body_macro_flush (line 295) | static void __attribute__((noipa)) body_macro_flush(void)
function body_macro_reload (line 310) | static void __attribute__((noipa)) body_macro_reload(void)
function start_macro_fault_handler (line 337) | static inline size_t start_macro_fault_handler(macro_args_t args, uint8_...
function start_macro_switch (line 356) | static inline size_t start_macro_switch(macro_args_t args, uint8_t *dest)
FILE: rvzr/executor_km/arm64/page_tables_guest.c
function map_sandbox_to_guest_memory (line 23) | int map_sandbox_to_guest_memory(void)
function set_faulty_page_guest_permissions (line 32) | void set_faulty_page_guest_permissions(void) { return; }
function restore_faulty_page_guest_permissions (line 34) | void restore_faulty_page_guest_permissions(void) { return; }
function set_faulty_page_ept_permissions (line 38) | void set_faulty_page_ept_permissions(void) { return; }
function restore_faulty_page_ept_permissions (line 40) | void restore_faulty_page_ept_permissions(void) { return; }
function dbg_dump_guest_page_tables (line 49) | int dbg_dump_guest_page_tables(int actor_id) { return 0; }
function dbg_dump_ept (line 51) | int dbg_dump_ept(int actor_id) { return 0; }
function allocate_guest_page_tables (line 54) | int allocate_guest_page_tables(void) { return 0; }
function free_guest_page_tables (line 56) | void free_guest_page_tables(void) {}
FILE: rvzr/executor_km/arm64/perf_counters.c
function get_current_exception_level (line 48) | static inline int get_current_exception_level(void)
function pmu_enable_el2 (line 59) | static inline int pmu_enable_el2(void)
function pmu_enable (line 72) | static inline int pmu_enable(void)
function pmu_reset (line 83) | static inline int pmu_reset(void)
function enable_all_counters (line 94) | static inline int enable_all_counters(void)
function disable_filtering (line 112) | static inline int disable_filtering(void)
function configure_events (line 125) | static inline int configure_events(void)
function pfc_configure (line 147) | int pfc_configure(void)
function init_perf_counters (line 182) | int init_perf_counters(void) { return 0; }
function free_perf_counters (line 183) | void free_perf_counters(void) {}
FILE: rvzr/executor_km/arm64/special_registers.c
function store_special_registers (line 15) | static int store_special_registers(void)
function set_special_registers (line 27) | int set_special_registers(void)
function restore_special_registers (line 34) | void restore_special_registers(void)
function init_special_register_manager (line 52) | int init_special_register_manager(void)
function free_special_register_manager (line 58) | void free_special_register_manager(void) { SAFE_FREE(orig_special_regist...
FILE: rvzr/executor_km/code_loader.c
function load_sandbox_code (line 39) | int load_sandbox_code(void)
function load_section (line 57) | static int load_section(uint64_t section_id)
function load_section_main (line 68) | static int load_section_main(void)
function tc_symbol_entry_t (line 162) | static tc_symbol_entry_t *get_section_macros_start(uint64_t section_id)
function expand_section (line 181) | static int expand_section(uint64_t section_id, uint8_t *dest, uint8_t *m...
function init_code_loader (line 245) | int init_code_loader(void)
function free_code_loader (line 251) | void free_code_loader(void) {}
FILE: rvzr/executor_km/data_loader.c
function load_sandbox_data (line 23) | int load_sandbox_data(int input_id)
function init_data_loader (line 101) | int init_data_loader(void) { return 0; }
function free_data_loader (line 103) | void free_data_loader(void) {}
FILE: rvzr/executor_km/include/actor.h
type actor_id_t (line 13) | typedef uint64_t actor_id_t;
type actor_mode_t (line 14) | typedef uint64_t actor_mode_t;
type actor_pl_t (line 15) | typedef uint64_t actor_pl_t;
type actor_metadata_t (line 27) | typedef struct {
FILE: rvzr/executor_km/include/fault_handler.h
type idt_data (line 14) | struct idt_data {
type desc_ptr (line 40) | struct desc_ptr
FILE: rvzr/executor_km/include/hardware_desc.h
type cpuinfo_t (line 40) | typedef struct cpuinfo_x86 cpuinfo_t;
type cpuinfo_t (line 42) | typedef struct {
FILE: rvzr/executor_km/include/input_parser.h
type input_fragment_size_t (line 13) | typedef uint64_t input_fragment_size_t;
type input_fragment_reserved_field_t (line 14) | typedef uint64_t input_fragment_reserved_field_t;
type input_fragment_metadata_entry_t (line 16) | typedef struct {
type input_fragment_t (line 21) | typedef struct {
type input_batch_t (line 27) | typedef struct {
FILE: rvzr/executor_km/include/macro_expansion.h
type macro_name_e (line 18) | typedef enum {
type macro_subtype_e (line 40) | typedef enum {
type macro_args_t (line 76) | typedef struct {
type macro_descr_t (line 85) | typedef struct {
FILE: rvzr/executor_km/include/main.h
type measurement_mode_e (line 15) | typedef enum {
FILE: rvzr/executor_km/include/measurement.h
type measurement_status_t (line 19) | typedef struct measurement_status {
type measurement_t (line 25) | typedef struct Measurement {
FILE: rvzr/executor_km/include/page_tables_common.h
type pml4e_t (line 55) | typedef struct {
type pdpte_t (line 75) | typedef struct {
type pdte_t (line 94) | typedef struct {
type pte_t_ (line 113) | typedef struct {
type eptp_t (line 138) | typedef struct {
type epml4e_t (line 153) | typedef struct {
type pml4e_t (line 169) | typedef pml4e_t epml4e_t;
type epdpte_t (line 174) | typedef struct {
type pdpte_t (line 191) | typedef pdpte_t epdpte_t;
type epdte_t (line 195) | typedef struct {
type pdte_t (line 212) | typedef pdte_t epdte_t;
type epte_t_ (line 216) | typedef struct {
type pte_t_ (line 241) | typedef pte_t_ epte_t_;
function set_user_bit (line 244) | static inline void set_user_bit(pte_t_ *pte) { pte->user_supervisor = 1; }
type l1_descr_t (line 258) | typedef struct {
type l2_descr_t (line 274) | typedef struct {
type l3_descr_t (line 287) | typedef struct {
function set_user_bit (line 306) | static inline void set_user_bit(l3_descr_t *pte)
type l3_descr_t (line 311) | typedef l3_descr_t pte_t_;
FILE: rvzr/executor_km/include/page_tables_guest.h
type actor_page_table_t (line 33) | typedef struct {
type actor_ept_t (line 40) | typedef struct {
type actor_gdt_t (line 47) | typedef struct {
type guest_memory_t (line 52) | typedef struct {
type hgpa_t (line 62) | typedef struct {
type guest_memory_translations_t (line 70) | typedef struct {
FILE: rvzr/executor_km/include/page_tables_host.h
type sandbox_ptes_t (line 12) | typedef struct {
type sandbox_pteps_t (line 18) | typedef struct {
FILE: rvzr/executor_km/include/sandbox_manager.h
type util_vars_t (line 22) | typedef struct {
type util_t (line 38) | typedef struct {
type actor_data_t (line 44) | typedef struct {
type actor_code_t (line 56) | typedef struct {
type sandbox_t (line 64) | typedef struct {
FILE: rvzr/executor_km/include/shortcuts.h
function vmalloc_to_phys (line 200) | static inline uint64_t vmalloc_to_phys(void *hva)
function native_page_invalidate (line 209) | static inline void native_page_invalidate(uint64_t hva)
FILE: rvzr/executor_km/include/special_registers.h
type special_registers_t (line 16) | typedef struct {
FILE: rvzr/executor_km/include/svm.h
type vmcb_control_t (line 18) | typedef struct {
type seg_t (line 61) | typedef struct {
type vmcb_save_t (line 68) | typedef struct {
type vmcb_t (line 127) | typedef struct {
FILE: rvzr/executor_km/include/test_case_parser.h
type section_size_t (line 17) | typedef uint64_t section_size_t;
type section_metadata_reserved_t (line 18) | typedef uint64_t section_metadata_reserved_t;
type section_id_t (line 19) | typedef uint64_t section_id_t;
type symbol_offset_t (line 20) | typedef uint64_t symbol_offset_t;
type symbol_id_t (line 21) | typedef uint64_t symbol_id_t;
type symbol_args_t (line 22) | typedef uint64_t symbol_args_t;
type tc_section_metadata_entry_t (line 24) | typedef struct {
type tc_section_t (line 30) | typedef struct {
type tc_symbol_entry_t (line 34) | typedef struct {
type tc_features_t (line 41) | typedef struct {
type test_case_t (line 47) | typedef struct {
FILE: rvzr/executor_km/include/vmx.h
type vmxon_region_t (line 47) | typedef struct {
type vmcs_t (line 53) | typedef struct {
FILE: rvzr/executor_km/input_parser.c
function start_batch_input_parsing (line 31) | static int start_batch_input_parsing(const char *buf)
function parse_input_buffer (line 90) | ssize_t parse_input_buffer(const char *buf, size_t count, bool *finished)
function input_fragment_t (line 154) | input_fragment_t *get_input_fragment(uint64_t input_id, uint64_t actor_id)
function input_fragment_t (line 173) | input_fragment_t *get_input_fragment_unsafe(uint64_t input_id, uint64_t ...
function input_parsing_completed (line 180) | bool input_parsing_completed(void) { return !is_receiving_inputs; }
function init_input_parser (line 183) | int init_input_parser(void)
function free_input_parser (line 198) | void free_input_parser(void)
FILE: rvzr/executor_km/macro_expansion.c
function set_main_prologue_size (line 33) | void set_main_prologue_size(size_t size) { main_prologue_size = size; }
function get_main_prologue_size (line 34) | size_t get_main_prologue_size(void) { return main_prologue_size; }
function macro_descr_t (line 39) | static macro_descr_t *get_macro_subtype_from_id(uint64_t macro_id)
function is_macro_start (line 173) | static inline bool is_macro_start(uint8_t *ptr)
function is_macro_end (line 184) | static inline bool is_macro_end(uint8_t *ptr)
function insert_relative_jmp_n_fence (line 197) | static inline uint64_t insert_relative_jmp_n_fence(uint8_t *dest, int32_...
function inject_macro_configurable_part (line 252) | static uint64_t inject_macro_configurable_part(macro_descr_t *descr, uin...
function inject_macro_static_part (line 273) | static uint64_t inject_macro_static_part(macro_descr_t *descr, uint8_t *...
function expand_macro (line 305) | int expand_macro(tc_symbol_entry_t *macro, uint8_t *code_dest, uint8_t *...
FILE: rvzr/executor_km/main.c
type kprobe (line 58) | struct kprobe
type mm_struct (line 69) | struct mm_struct
type kobject (line 98) | struct kobject
type kobject (line 115) | struct kobject
type kobj_attribute (line 115) | struct kobj_attribute
type kobj_attribute (line 116) | struct kobj_attribute
type kobject (line 120) | struct kobject
type kobj_attribute (line 120) | struct kobj_attribute
type kobj_attribute (line 122) | struct kobj_attribute
type file (line 124) | struct file
type kobject (line 124) | struct kobject
type bin_attribute (line 126) | struct bin_attribute
type kobject (line 130) | struct kobject
type kobj_attribute (line 130) | struct kobj_attribute
type kobject (line 132) | struct kobject
type kobj_attribute (line 132) | struct kobj_attribute
type kobj_attribute (line 133) | struct kobj_attribute
type kobject (line 137) | struct kobject
type kobj_attribute (line 137) | struct kobj_attribute
type kobject (line 138) | struct kobject
type kobj_attribute (line 138) | struct kobj_attribute
type kobj_attribute (line 140) | struct kobj_attribute
type kobject (line 144) | struct kobject
type kobj_attribute (line 144) | struct kobj_attribute
type kobj_attribute (line 145) | struct kobj_attribute
type kobject (line 150) | struct kobject
type kobj_attribute (line 150) | struct kobj_attribute
type kobj_attribute (line 151) | struct kobj_attribute
type kobject (line 156) | struct kobject
type kobj_attribute (line 156) | struct kobj_attribute
type kobj_attribute (line 158) | struct kobj_attribute
type kobject (line 163) | struct kobject
type kobj_attribute (line 163) | struct kobj_attribute
type kobj_attribute (line 165) | struct kobj_attribute
type kobject (line 170) | struct kobject
type kobj_attribute (line 170) | struct kobj_attribute
type kobj_attribute (line 172) | struct kobj_attribute
type kobject (line 176) | struct kobject
type kobj_attribute (line 176) | struct kobj_attribute
type kobj_attribute (line 178) | struct kobj_attribute
type kobject (line 183) | struct kobject
type kobj_attribute (line 183) | struct kobj_attribute
type kobj_attribute (line 185) | struct kobj_attribute
type kobject (line 190) | struct kobject
type kobj_attribute (line 190) | struct kobj_attribute
type kobj_attribute (line 192) | struct kobj_attribute
type kobject (line 197) | struct kobject
type kobj_attribute (line 197) | struct kobj_attribute
type kobject (line 198) | struct kobject
type kobj_attribute (line 198) | struct kobj_attribute
type kobj_attribute (line 200) | struct kobj_attribute
type kobject (line 205) | struct kobject
type kobj_attribute (line 205) | struct kobj_attribute
type kobj_attribute (line 207) | struct kobj_attribute
type kobject (line 212) | struct kobject
type kobj_attribute (line 212) | struct kobj_attribute
type kobj_attribute (line 213) | struct kobj_attribute
type kobject (line 215) | struct kobject
type kobj_attribute (line 215) | struct kobj_attribute
type kobj_attribute (line 217) | struct kobj_attribute
type attribute (line 220) | struct attribute
type bin_attribute (line 240) | struct bin_attribute
function trace_show (line 249) | static ssize_t trace_show(struct kobject *kobj, struct kobj_attribute *a...
function check_test_case_compat (line 291) | static int check_test_case_compat(void)
function test_case_store (line 316) | static ssize_t test_case_store(struct kobject *kobj, struct kobj_attribu...
function test_case_bin_read (line 344) | static ssize_t test_case_bin_read(struct file *file, struct kobject *kob...
function inputs_store (line 359) | static ssize_t inputs_store(struct kobject *kobj, struct kobj_attribute ...
function inputs_show (line 372) | static ssize_t inputs_show(struct kobject *kobj, struct kobj_attribute *...
function warmups_show (line 378) | static ssize_t warmups_show(struct kobject *kobj, struct kobj_attribute ...
function warmups_store (line 383) | static ssize_t warmups_store(struct kobject *kobj, struct kobj_attribute...
function print_data_base_show (line 390) | static ssize_t print_data_base_show(struct kobject *kobj, struct kobj_at...
function print_code_base_show (line 395) | static ssize_t print_code_base_show(struct kobject *kobj, struct kobj_at...
function enable_ssbp_patch_store (line 400) | static ssize_t enable_ssbp_patch_store(struct kobject *kobj, struct kobj...
function enable_prefetcher_store (line 409) | static ssize_t enable_prefetcher_store(struct kobject *kobj, struct kobj...
function enable_pre_run_flush_store (line 418) | static ssize_t enable_pre_run_flush_store(struct kobject *kobj, struct k...
function enable_hpa_gpa_collisions_store (line 427) | static ssize_t enable_hpa_gpa_collisions_store(struct kobject *kobj, str...
function measurement_mode_store (line 436) | static ssize_t measurement_mode_store(struct kobject *kobj, struct kobj_...
function enable_quick_and_dirty_mode (line 464) | static ssize_t enable_quick_and_dirty_mode(struct kobject *kobj, struct ...
function enable_dbg_gpr_mode (line 498) | static ssize_t enable_dbg_gpr_mode(struct kobject *kobj, struct kobj_att...
function handled_faults_show (line 507) | static ssize_t handled_faults_show(struct kobject *kobj, struct kobj_att...
function handled_faults_store (line 512) | static ssize_t handled_faults_store(struct kobject *kobj, struct kobj_at...
function dbg_dump_show (line 525) | static ssize_t dbg_dump_show(struct kobject *kobj, struct kobj_attribute...
function dbg_guest_page_tables_show (line 550) | static ssize_t dbg_guest_page_tables_show(struct kobject *kobj, struct k...
function _get_required_kernel_functions (line 572) | static inline void _get_required_kernel_functions(void)
function cpuinfo_t (line 591) | static inline cpuinfo_t *get_cpuinfo(void)
function check_cpu_compat (line 616) | static int check_cpu_compat(void)
function executor_init (line 645) | static int __init executor_init(void)
function executor_exit (line 725) | static void __exit executor_exit(void)
FILE: rvzr/executor_km/measurement.c
function uarch_flush (line 48) | static inline int uarch_flush(void)
function check_test_case_entry (line 69) | static int check_test_case_entry(void)
function check_measurement_status (line 87) | static int check_measurement_status(measurement_status_t *status)
function pre_run (line 122) | static int pre_run(unsigned long *irq_flags)
function post_run (line 155) | static inline void post_run(unsigned long *irq_flags)
function set_execution_environment (line 176) | static int set_execution_environment(void)
function recover_orig_state (line 212) | void recover_orig_state(void)
function run_experiment (line 245) | int run_experiment(void)
function trace_test_case (line 324) | int trace_test_case(void)
function alloc_measurements (line 348) | int alloc_measurements(void)
function init_measurements (line 361) | int init_measurements(void)
function free_measurements (line 369) | void free_measurements(void) { SAFE_VFREE(measurements); }
FILE: rvzr/executor_km/page_tables_host.c
type mm_struct (line 23) | struct mm_struct
function pte_t (line 25) | pte_t *get_pte(uint64_t hva)
function cache_host_pteps (line 82) | int cache_host_pteps(void)
function store_orig_host_permissions (line 129) | int store_orig_host_permissions(void)
function restore_pte (line 172) | static void restore_pte(pte_t_ *ptep, pte_t_ old_pte, uint64_t vaddr)
function restore_orig_host_permissions (line 186) | int restore_orig_host_permissions(void)
function set_user_pages (line 220) | int set_user_pages(void)
function set_faulty_page_host_permissions (line 259) | void set_faulty_page_host_permissions(void)
function restore_faulty_page_host_permissions (line 283) | void restore_faulty_page_host_permissions(void)
function init_page_table_manager (line 293) | int init_page_table_manager(void)
function free_page_table_manager (line 309) | void free_page_table_manager(void)
FILE: rvzr/executor_km/sandbox_manager.c
type page (line 24) | struct page
function safe_free_util_data (line 32) | static void safe_free_util_data(void)
function safe_free_code (line 48) | static void safe_free_code(void)
function init_sandbox_pointers (line 59) | static int init_sandbox_pointers(void)
function allocate_util_and_data (line 85) | static int allocate_util_and_data(size_t n_actors)
function allocate_code (line 139) | static int allocate_code(size_t n_actors)
function reset_code_area (line 156) | void reset_code_area(void)
function allocate_sandbox (line 174) | int allocate_sandbox(void)
function get_sandbox_size_pages (line 213) | int get_sandbox_size_pages(void)
function set_sandbox_page_tables (line 226) | int set_sandbox_page_tables(void)
function restore_orig_sandbox_page_tables (line 238) | void restore_orig_sandbox_page_tables(void) { restore_orig_host_permissi...
function set_faulty_page_permissions (line 242) | void set_faulty_page_permissions(void)
function restore_faulty_page_permissions (line 250) | void restore_faulty_page_permissions(void)
function init_sandbox_manager (line 258) | int init_sandbox_manager(void)
function free_sandbox_manager (line 294) | void free_sandbox_manager(void)
FILE: rvzr/executor_km/test_case_parser.c
function __batch_tc_parsing_start (line 36) | static int __batch_tc_parsing_start(const char *buf)
function __batch_tc_parsing_end (line 110) | static int __batch_tc_parsing_end(void)
function parse_test_case_buffer (line 189) | ssize_t parse_test_case_buffer(const char *buf, size_t count, bool *fini...
function tc_parsing_completed (line 305) | bool tc_parsing_completed(void) { return !_is_receiving_test_case; }
function new_test_case (line 312) | static int new_test_case(test_case_t **test_case_p)
function init_test_case_parser (line 334) | int init_test_case_parser(void)
function free_test_case_parser (line 354) | void free_test_case_parser(void)
FILE: rvzr/executor_km/x86/entry_exit_points.h
function prologue (line 29) | static inline void prologue(void)
function epilogue (line 81) | static inline void epilogue(void)
function epilogue_dbg_gpr (line 120) | static inline void epilogue_dbg_gpr(void)
function main_segment_template (line 158) | static void main_segment_template(void)
function main_segment_template_dbg_gpr (line 181) | static void main_segment_template_dbg_gpr(void)
FILE: rvzr/executor_km/x86/idt.c
type desc_ptr (line 21) | struct desc_ptr
type desc_ptr (line 26) | struct desc_ptr
type desc_ptr (line 27) | struct desc_ptr
function native_sidt (line 63) | inline static void native_sidt(void *dtr)
function native_lidt (line 68) | inline static void native_lidt(void *dtr)
function set_intr_gate_default (line 73) | static void set_intr_gate_default(gate_desc *idt, int interrupt_id, void...
function idt_set_custom_handlers (line 86) | static void idt_set_custom_handlers(gate_desc *idt, struct desc_ptr *idt...
function set_outer_fault_handlers (line 121) | void set_outer_fault_handlers(void)
function unset_outer_fault_handlers (line 128) | void unset_outer_fault_handlers(void)
function set_inner_fault_handlers (line 137) | void set_inner_fault_handlers(void)
function unset_inner_fault_handlers (line 143) | void unset_inner_fault_handlers(void)
function init_fault_handler (line 153) | int init_fault_handler(void)
function free_fault_handler (line 163) | void free_fault_handler(void)
FILE: rvzr/executor_km/x86/macros.c
function movabs (line 56) | static inline void movabs(uint8_t *dest, size_t *cursor_, uint8_t reg_id...
function get_function_addr (line 80) | static uint64_t get_function_addr(uint64_t section_id, uint64_t function...
function update_r14 (line 105) | static uint64_t update_r14(uint64_t section_id, uint8_t *dest, uint64_t ...
function update_mem_base_and_sp (line 130) | static uint64_t update_mem_base_and_sp(uint64_t section_id, uint8_t *des...
function update_r15 (line 156) | static uint64_t update_r15(uint64_t section_id, uint8_t *dest, uint64_t ...
function body_macro_prime (line 188) | static void __attribute__((noipa)) body_macro_prime(void)
function body_macro_fast_prime (line 203) | static void __attribute__((noipa)) body_macro_fast_prime(void)
function body_macro_partial_prime (line 218) | static void __attribute__((noipa)) body_macro_partial_prime(void)
function body_macro_fast_partial_prime (line 233) | static void __attribute__((noipa)) body_macro_fast_partial_prime(void)
function body_macro_probe (line 248) | static void __attribute__((noipa)) body_macro_probe(void)
function body_macro_flush (line 272) | static void __attribute__((noipa)) body_macro_flush(void)
function body_macro_reload (line 287) | static void __attribute__((noipa)) body_macro_reload(void)
function body_macro_tsc_start (line 310) | static void __attribute__((noipa)) body_macro_tsc_start(void)
function body_macro_tsc_end (line 329) | static void __attribute__((noipa)) body_macro_tsc_end(void)
function start_macro_fault_handler (line 351) | static inline size_t start_macro_fault_handler(macro_args_t args, uint8_...
function start_macro_fault_handler_with_measurement (line 385) | static inline size_t start_macro_fault_handler_with_measurement(macro_ar...
function start_macro_switch (line 394) | static inline size_t start_macro_switch(macro_args_t args, uint8_t *dest)
function start_macro_set_k2u_target (line 412) | static inline size_t start_macro_set_k2u_target(macro_args_t args, uint8...
function start_macro_switch_k2u (line 425) | static inline size_t start_macro_switch_k2u(macro_args_t /*args*/, uint8...
function body_macro_switch_k2u (line 427) | static void __attribute__((noipa)) body_macro_switch_k2u(void)
function start_macro_set_u2k_target (line 444) | static inline size_t start_macro_set_u2k_target(macro_args_t args, uint8...
function body_macro_switch_u2k (line 499) | static void __attribute__((noipa)) body_macro_switch_u2k(void)
function start_macro_set_h2g_target (line 507) | static inline size_t start_macro_set_h2g_target(macro_args_t args, uint8...
function body_macro_set_h2g_target (line 549) | static void __attribute__((noipa)) body_macro_set_h2g_target(void)
function start_macro_switch_h2g (line 566) | static inline size_t start_macro_switch_h2g(macro_args_t args, uint8_t *...
function body_macro_switch_h2g (line 579) | static void __attribute__((noipa)) body_macro_switch_h2g(void)
function start_macro_set_g2h_target (line 599) | static inline size_t start_macro_set_g2h_target(macro_args_t args, uint8...
function body_macro_set_g2h_target (line 613) | static void __attribute__((noipa)) body_macro_set_g2h_target(void)
function body_macro_switch_g2h (line 630) | static void __attribute__((noipa)) body_macro_switch_g2h(void)
function start_macro_landing_k2u (line 642) | static inline size_t start_macro_landing_k2u(macro_args_t args, uint8_t ...
function start_macro_landing_u2k (line 653) | static inline size_t start_macro_landing_u2k(macro_args_t args, uint8_t ...
function start_macro_landing_h2g (line 667) | static inline size_t start_macro_landing_h2g(macro_args_t args, uint8_t ...
function start_macro_landing_g2h (line 681) | static inline size_t start_macro_landing_g2h(macro_args_t args, uint8_t ...
function start_macro_set_data_permissions (line 696) | static inline size_t start_macro_set_data_permissions(macro_args_t args,...
FILE: rvzr/executor_km/x86/page_tables_guest.c
function gpa_is_valid (line 107) | static inline bool gpa_is_valid(hgpa_t *translations, uint64_t gpa)
function set_last_pt_level (line 117) | static inline int set_last_pt_level(pte_t_ *pt, hgpa_t *translation, uin...
function set_ept_entry (line 129) | static inline int set_ept_entry(actor_ept_t *actor_ept_base, hgpa_t *tra...
function set_guest_page_tables (line 171) | static int set_guest_page_tables(void)
function set_extended_page_tables (line 273) | static int set_extended_page_tables(void)
function update_eptp (line 342) | static int update_eptp(void)
function map_sandbox_to_guest_memory (line 359) | int map_sandbox_to_guest_memory(void)
function set_faulty_page_guest_permissions (line 380) | void set_faulty_page_guest_permissions(void)
function restore_faulty_page_guest_permissions (line 407) | void restore_faulty_page_guest_permissions(void)
function set_faulty_page_ept_permissions (line 424) | void set_faulty_page_ept_permissions(void)
function restore_faulty_page_ept_permissions (line 451) | void restore_faulty_page_ept_permissions(void)
function dbg_dump_guest_page_tables (line 473) | int dbg_dump_guest_page_tables(int actor_id)
function dbg_dump_ept (line 548) | int dbg_dump_ept(int actor_id)
function allocate_guest_page_tables (line 615) | int allocate_guest_page_tables()
function free_guest_page_tables (line 662) | void free_guest_page_tables(void)
FILE: rvzr/executor_km/x86/perf_counters.c
type pfc_config (line 15) | struct pfc_config {
type pfc_name_e (line 24) | typedef enum {
function get_pfc_config_by_name (line 34) | static int get_pfc_config_by_name(pfc_name_e pfc_name, struct pfc_config...
function pfc_write (line 154) | static int pfc_write(unsigned int id, struct pfc_config *config, unsigne...
function pfc_configure (line 197) | int pfc_configure(void)
function init_perf_counters (line 247) | int init_perf_counters(void) { return 0; }
function free_perf_counters (line 248) | void free_perf_counters(void) {}
FILE: rvzr/executor_km/x86/special_registers.c
function _read_cr0 (line 23) | static inline unsigned long _read_cr0(void)
function _write_cr0 (line 30) | static inline void _write_cr0(unsigned long val) { asm volatile("mov %0,...
function _read_cr4 (line 32) | static inline unsigned long _read_cr4(void)
function _write_cr4 (line 39) | static inline void _write_cr4(unsigned long val) { asm volatile("mov %0,...
function set_msrs_for_user_actors (line 47) | static int set_msrs_for_user_actors(void)
function set_msrs_for_vmx (line 63) | static int set_msrs_for_vmx(void)
function set_msrs_for_svm (line 90) | static int set_msrs_for_svm(void)
function get_ssbp_patch_msr_ctrls (line 106) | static int get_ssbp_patch_msr_ctrls(uint64_t *msr_id, uint64_t *msr_mask)
function get_prefetcher_msr_ctrls (line 137) | static int get_prefetcher_msr_ctrls(uint64_t *msr_id, uint64_t *msr_mask)
function apply_msr_mask (line 168) | static int apply_msr_mask(uint64_t msr_id, uint64_t msr_mask, bool enable)
function set_special_registers (line 188) | int set_special_registers(void)
function store_orig_msr_state (line 239) | static int store_orig_msr_state(void)
function restore_special_registers (line 259) | void restore_special_registers(void)
function init_special_register_manager (line 311) | int init_special_register_manager(void)
function free_special_register_manager (line 317) | void free_special_register_manager(void) { SAFE_FREE(orig_special_regist...
FILE: rvzr/executor_km/x86/svm.c
type page (line 23) | struct page
type page (line 27) | struct page
function init_seg (line 46) | inline static void init_seg(seg_t *seg, uint16_t selector, uint64_t base...
function init_sys_seg (line 59) | static void init_sys_seg(seg_t *seg, uint32_t type)
function svm_check_cpu_compatibility (line 74) | int svm_check_cpu_compatibility(void)
function start_svm_operation (line 100) | int start_svm_operation(void)
function stop_svm_operation (line 121) | void stop_svm_operation(void)
function store_orig_vmcb_state (line 132) | int store_orig_vmcb_state(void) { return 0; }
function restore_orig_vmcb_state (line 138) | void restore_orig_vmcb_state(void) {}
function set_vmcb_state (line 143) | int set_vmcb_state(void)
function set_vmcb_guest_state (line 176) | static int set_vmcb_guest_state(vmcb_t *vmcb_hva)
function set_vmcb_control (line 254) | static int set_vmcb_control(vmcb_t *vmcb_hva, uint64_t actor_id)
function print_svm_exit_info (line 377) | int print_svm_exit_info(void)
function init_svm (line 408) | int init_svm(void)
function free_svm (line 442) | void free_svm(void)
FILE: rvzr/executor_km/x86/vmx.c
type vmx_basic_exit_reason_t (line 86) | typedef struct {
function vmxon (line 99) | static inline void vmxon(uint64_t phys, uint8_t *err_inv, uint8_t *err_val)
function vmxoff (line 113) | static inline void vmxoff(uint8_t *err_inv, uint8_t *err_val)
function vmptrst (line 124) | static inline void vmptrst(uint64_t *dest, uint8_t *err_inv, uint8_t *er...
function vmptrld (line 137) | static inline void vmptrld(uint64_t vmcs_hpa, uint8_t *err_inv, uint8_t ...
function vmclear (line 148) | static inline void vmclear(uint64_t vmcs_hpa, uint8_t *err_inv, uint8_t ...
function vmread (line 159) | static inline void vmread(uint64_t field, uint64_t *dest, uint8_t *err_i...
function vmwrite (line 172) | static inline void vmwrite(uint64_t field, uint64_t value, uint8_t *err_...
function check_vmx_controls (line 188) | static int check_vmx_controls(uint32_t options, uint32_t msr)
function vmx_check_cpu_compatibility (line 218) | int vmx_check_cpu_compatibility(void)
function start_vmx_operation (line 266) | int start_vmx_operation(void)
function stop_vmx_operation (line 311) | void stop_vmx_operation(void)
function store_orig_vmcs_state (line 335) | int store_orig_vmcs_state(void)
function restore_orig_vmcs_state (line 350) | void restore_orig_vmcs_state(void)
function set_vmcs_state (line 372) | int set_vmcs_state(void)
function set_vmcs_guest_state (line 433) | static int set_vmcs_guest_state(void)
function set_vmcs_host_state (line 494) | static int set_vmcs_host_state(void)
function set_vmcs_exec_control (line 548) | static int set_vmcs_exec_control(int actor_id)
function set_vmcs_exit_control (line 632) | static int set_vmcs_exit_control(void)
function set_vmcs_entry_control (line 648) | static int set_vmcs_entry_control(void)
function make_vmcs_launched (line 667) | static int make_vmcs_launched(int actor_id)
function print_vmlaunch_error_info (line 727) | static void print_vmlaunch_error_info(int err_inv, int err_val, int acto...
function print_vmx_exit_info (line 741) | int print_vmx_exit_info(void)
function init_vmx (line 820) | int init_vmx(void)
function free_vmx (line 840) | void free_vmx(void)
FILE: rvzr/factory.py
class FactoryException (line 32) | class FactoryException(SystemExit):
method __init__ (line 35) | def __init__(self, options: Dict[str, Type[Any]], key: str, conf_optio...
function get_fuzzer (line 53) | def get_fuzzer(instruction_set_path: str, working_directory: str, existi...
function get_executor (line 94) | def get_executor(enable_mismatch_check_mode: bool = False) -> executor.E...
function _get_exec_clause_name (line 153) | def _get_exec_clause_name() -> str:
function _get_x86_unicorn_model (line 168) | def _get_x86_unicorn_model(bases: BaseAddrTuple, obs_clause_name: str, e...
function _get_arm64_unicorn_model (line 179) | def _get_arm64_unicorn_model(bases: BaseAddrTuple, obs_clause_name: str,...
function _get_dr_model (line 190) | def _get_dr_model(bases: BaseAddrTuple, obs_clause_name: str, exec_claus...
function get_model (line 208) | def get_model(bases: BaseAddrTuple, enable_mismatch_check_mode: bool = F...
function get_program_generator (line 258) | def get_program_generator(seed: int, instruction_set: InstructionSet) ->...
function get_asm_parser (line 270) | def get_asm_parser(instruction_set: InstructionSet) -> AsmParser:
function get_elf_parser (line 278) | def get_elf_parser() -> elf_parser.ELFParser:
function get_data_generator (line 294) | def get_data_generator(seed: int) -> data_generator.DataGenerator:
function get_analyser (line 313) | def get_analyser() -> analyser.Analyser:
function get_minimizer (line 329) | def get_minimizer(fuzzer_: fuzzer.Fuzzer, instruction_set: InstructionSe...
function get_downloader (line 348) | def get_downloader(arch: str, extensions: List[str], out_file: str) -> D...
FILE: rvzr/fuzzer.py
class _RoundState (line 51) | class _RoundState:
method __init__ (line 90) | def __init__(self, is_speculative: bool) -> None:
class _RoundManager (line 102) | class _RoundManager:
method __init__ (line 123) | def __init__(self, fuzzer: Fuzzer, test_case: TestCaseProgram, inputs:...
method execute_stage (line 139) | def execute_stage(self, stage: RoundStage) -> None:
method finalize (line 206) | def finalize(self) -> None:
method _normal_stage (line 211) | def _normal_stage(self) -> None:
method _boost_inputs (line 226) | def _boost_inputs(self) -> None:
method _collect_ctraces (line 244) | def _collect_ctraces(self) -> None:
method _collect_htraces (line 260) | def _collect_htraces(self) -> None:
method _check_violations (line 273) | def _check_violations(self) -> None:
method _update_ignore_list (line 284) | def _update_ignore_list(self) -> None:
method _priming_check (line 296) | def _priming_check(self) -> None:
method _check_for_architectural_mismatch (line 373) | def _check_for_architectural_mismatch(self) -> None:
class Fuzzer (line 428) | class Fuzzer:
method __init__ (line 459) | def __init__(self,
method start (line 487) | def start(self, num_test_cases: int, num_inputs: int, timeout: int, no...
method fuzzing_round (line 548) | def fuzzing_round(self, test_case: TestCaseProgram, inputs: List[Input...
method standalone_filter (line 647) | def standalone_filter(self, test_case: TestCaseProgram, inputs: List[I...
method standalone_generate (line 651) | def standalone_generate(self, program_generator_seed: int, num_test_ca...
method standalone_analyse (line 682) | def standalone_analyse(self, ctrace_file: str, htrace_file: str) -> None:
method _set_generation_function (line 722) | def _set_generation_function(self, type_: FuzzingMode) -> None:
method _create_timestamped_dir (line 734) | def _create_timestamped_dir(path: str) -> str:
method _store_violation_artifact (line 741) | def _store_violation_artifact(self, violation: Violation, path: str) -...
method _report_bug_tainting (line 838) | def _report_bug_tainting(self, round_manager: _RoundManager) -> None:
method _report_bug_arch (line 850) | def _report_bug_arch(self, round_manager: _RoundManager) -> None:
method _filter (line 858) | def _filter(self, test_case: TestCaseProgram, inputs: List[InputData])...
method _adjust_config (line 871) | def _adjust_config(self, _: str) -> None:
method _asm_parser_adapter (line 874) | def _asm_parser_adapter(self, asm: str) -> TestCaseProgram:
class ArchitecturalFuzzer (line 879) | class ArchitecturalFuzzer(Fuzzer):
method __init__ (line 889) | def __init__(self,
method fuzzing_round (line 898) | def fuzzing_round(self, test_case: TestCaseProgram, inputs: List[Input...
class ArchDiffFuzzer (line 909) | class ArchDiffFuzzer(Fuzzer):
method fuzzing_round (line 917) | def fuzzing_round(self, test_case: TestCaseProgram, inputs: List[Input...
method _create_fenced_test_case (line 962) | def _create_fenced_test_case(original_asm: str, fenced_asm: str, asm_p...
FILE: rvzr/instruction_spec.py
class OT (line 13) | class OT(Enum):
method __str__ (line 25) | def __str__(self) -> str:
class OperandSpec (line 35) | class OperandSpec:
method __init__ (line 67) | def __init__(self,
method __str__ (line 85) | def __str__(self) -> str:
class InstructionSpec (line 90) | class InstructionSpec:
method __init__ (line 120) | def __init__(self, name: str, category: str, is_control_flow: bool = F...
method __str__ (line 128) | def __str__(self) -> str:
method __hash__ (line 134) | def __hash__(self) -> int:
FILE: rvzr/isa_spec.py
class InstructionSet (line 30) | class InstructionSet:
method __init__ (line 53) | def __init__(self, filename: str, include_categories: Optional[List[st...
method get_return_spec (line 62) | def get_return_spec(self) -> InstructionSpec:
method get_unconditional_jump_spec (line 70) | def get_unconditional_jump_spec(self) -> InstructionSpec:
function _read_json_spec (line 89) | def _read_json_spec(isa: InstructionSet, filename: str) -> None:
function _parse_json_operand (line 109) | def _parse_json_operand(op: Dict[str, Any], parent: InstructionSpec) -> ...
function _reduce (line 133) | def _reduce(isa: InstructionSet, include_categories: Optional[List[str]]...
function _set_isa_properties (line 228) | def _set_isa_properties(isa: InstructionSet) -> None:
function _dedup (line 245) | def _dedup(isa: InstructionSet) -> None:
function _set_categories (line 283) | def _set_categories(isa: InstructionSet) -> None:
FILE: rvzr/logs.py
class _LoggingConfig (line 52) | class _LoggingConfig: # pylint: disable=too-few-public-methods # becau...
method __init__ (line 89) | def __init__(self) -> None:
method update_logging_modes (line 96) | def update_logging_modes(self) -> None:
function update_logging_after_config_change (line 137) | def update_logging_after_config_change() -> None:
function error (line 146) | def error(msg: str, print_tb: bool = False, print_last_tb: bool = False)...
function warning (line 167) | def warning(src: str, msg: str) -> None:
function inform (line 177) | def inform(src: str, msg: str, end: str = "\n") -> None:
function dbg (line 185) | def dbg(src: str, msg: str) -> None:
class FuzzLogger (line 198) | class FuzzLogger:
method __init__ (line 209) | def __init__(self) -> None:
method reset (line 215) | def reset(self, max_iterations: int, start_time: datetime) -> None:
method start (line 223) | def start(self, iterations: int, start_time: datetime) -> None:
method start_round (line 230) | def start_round(self, round_id: int) -> None:
method priming (line 254) | def priming(self, num_violations: int) -> None:
method nesting_increased (line 262) | def nesting_increased(self) -> None:
method slow_path (line 270) | def slow_path(self) -> None:
method timeout (line 278) | def timeout(self) -> None:
method sample_size_increase (line 284) | def sample_size_increase(self, sample_size: int) -> None:
method report_violations (line 292) | def report_violations(self, violation: Violation) -> None:
method finish (line 297) | def finish(self) -> None:
method report_model_coverage (line 311) | def report_model_coverage(self, model: Model) -> None:
method dbg_dump_traces (line 321) | def dbg_dump_traces(self, inputs: List[InputData], htraces: List[HTrace],
method dbg_dump_architectural_traces (line 362) | def dbg_dump_architectural_traces(self, hardware_regs: List[List[int]],
method dbg_violation (line 383) | def dbg_violation(self, violation: Violation, model: Model) -> None:
method dbg_priming_progress (line 402) | def dbg_priming_progress(self, input_id: int, current_input_id: int) -...
method dbg_priming_fail (line 410) | def dbg_priming_fail(self, input_id: int, current_input_id: int, htrac...
class ModelLogger (line 423) | class ModelLogger:
method __init__ (line 432) | def __init__(self) -> None:
method set_model_layout (line 435) | def set_model_layout(self, layout: SandboxLayout) -> None:
method dbg_header (line 439) | def dbg_header(self, input_id: int) -> None:
method dbg_mem_access (line 448) | def dbg_mem_access(self, is_store: bool, value: int, address: int, siz...
method dbg_instruction (line 487) | def dbg_instruction(self, pc: int, model: UnicornModel, state: ModelEx...
method dbg_rollback (line 528) | def dbg_rollback(self, address: int) -> None:
method dbg_exception (line 543) | def dbg_exception(self, errno: int, descr: str) -> None:
class GeneratorLogger (line 557) | class GeneratorLogger:
method __init__ (line 560) | def __init__(self) -> None:
method dbg_dump_instruction_pool (line 563) | def dbg_dump_instruction_pool(self, instructions: List[InstructionSpec...
class ExecutorLogger (line 584) | class ExecutorLogger:
method __init__ (line 587) | def __init__(self) -> None:
method dbg_dump_raw_traces (line 590) | def dbg_dump_raw_traces(self, htraces: List[HTrace]) -> None:
class ISALogger (line 603) | class ISALogger:
method __init__ (line 606) | def __init__(self) -> None:
method dbg_dump_filtering_reason (line 609) | def dbg_dump_filtering_reason(self, instruction: InstructionSpec, reas...
FILE: rvzr/model.py
class Model (line 21) | class Model(ABC):
method __init__ (line 38) | def __init__(self,
method load_test_case (line 45) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method trace_test_case (line 54) | def trace_test_case(self, inputs: List[InputData], nesting: int) -> Li...
method trace_test_case_with_taints (line 61) | def trace_test_case_with_taints(self, inputs: List[InputData],
method report_coverage (line 70) | def report_coverage(self, path: str) -> None:
class DummyModel (line 77) | class DummyModel(Model):
method __init__ (line 87) | def __init__(self,
method load_test_case (line 93) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method trace_test_case (line 96) | def trace_test_case(self, inputs: List[InputData], nesting: int) -> Li...
method trace_test_case_with_taints (line 99) | def trace_test_case_with_taints(self, inputs: List[InputData],
method report_coverage (line 105) | def report_coverage(self, path: str) -> None:
FILE: rvzr/model_dynamorio/adapter/main.c
function parse_args (line 28) | static int parse_args(int argc, char const *argv[])
function cleanup (line 60) | static void cleanup(rcbf_t *rcbf, rdbf_t *rdbf)
function main (line 66) | int main(int argc, char const *argv[])
FILE: rvzr/model_dynamorio/adapter/parser.c
function rcbf_t (line 18) | rcbf_t *parse_rcbf(const char *filename)
function free_rcbf (line 107) | void free_rcbf(rcbf_t *rcbf)
function rdbf_t (line 119) | rdbf_t *parse_rdbf(const char *filename)
function free_rdbf (line 180) | void free_rdbf(rdbf_t *rdbf)
FILE: rvzr/model_dynamorio/adapter/rcbf.h
type rcbf_header_t (line 26) | typedef struct {
type actor_metadata_t (line 31) | typedef struct {
type symbol_entry_t (line 40) | typedef struct {
type code_section_metadata_t (line 47) | typedef struct {
type rcbf_code_section_t (line 53) | typedef struct {
type rcbf_t (line 57) | typedef struct {
FILE: rvzr/model_dynamorio/adapter/rdbf.h
type rdbf_header_t (line 14) | typedef struct {
type data_section_metadata_t (line 19) | typedef struct {
type rdbf_data_section_t (line 24) | typedef struct {
type rdbf_t (line 30) | typedef struct {
FILE: rvzr/model_dynamorio/adapter/sandbox.c
function load_code_in_sandbox (line 27) | int load_code_in_sandbox(rcbf_t *rcbf_data)
function load_data_in_sandbox (line 57) | int load_data_in_sandbox(rdbf_t *rdbf_data, int input_id)
function sandbox_t (line 84) | sandbox_t *get_sandbox() { return sandbox; }
function allocate_sandbox (line 92) | int allocate_sandbox(uint64_t n_actors)
function free_sandbox (line 113) | void free_sandbox()
FILE: rvzr/model_dynamorio/adapter/sandbox.h
type data_section_t (line 21) | typedef struct {
type code_section_t (line 35) | typedef struct {
type sandbox_t (line 46) | typedef struct {
FILE: rvzr/model_dynamorio/backend/cli.cpp
function parse_cli (line 121) | void parse_cli(int argc, const char **argv, DR_PARAM_OUT cli_args_t &par...
function validate_tracer (line 185) | bool validate_tracer(cli_args_t *parsed_args)
function validate_speculator (line 203) | bool validate_speculator(cli_args_t *parsed_args)
function validate_taint_tracker (line 250) | static bool validate_taint_tracker(cli_args_t *parsed_args)
FILE: rvzr/model_dynamorio/backend/dispatcher.cpp
function pc_t (line 40) | static pc_t instruction_dispatch(dr_mcontext_t *mc, void *dc, const Disp...
function pc_t (line 57) | static pc_t mem_access_dispatch(void *dc, dr_mcontext_t *mc, const Dispa...
function dispatch_callback (line 89) | static void dispatch_callback(uint64_t opcode, uint64_t pc, uint64_t has...
function exit_callback (line 135) | static void exit_callback()
function dr_emit_flags_t (line 220) | dr_emit_flags_t Dispatcher::instrument_instruction(void *drcontext, inst...
FILE: rvzr/model_dynamorio/backend/factory.cpp
function create_tracer (line 82) | unique_ptr<TracerABC> create_tracer(const string &tracer_type, const str...
function get_tracer_list (line 93) | vector<string> get_tracer_list()
function create_speculator (line 103) | std::unique_ptr<SpeculatorABC> create_speculator(const string &speculato...
function get_speculator_list (line 116) | vector<string> get_speculator_list()
function create_logger (line 126) | unique_ptr<Logger> create_logger(const string &out_path, int level, bool...
function create_taint_tracker (line 138) | std::unique_ptr<TaintTracker> create_taint_tracker(bool enable, const st...
FILE: rvzr/model_dynamorio/backend/include/cli.hpp
type Mode (line 15) | enum class Mode : uint8_t {
type cli_args_t (line 20) | struct cli_args_t {
FILE: rvzr/model_dynamorio/backend/include/dispatcher.hpp
class Dispatcher (line 24) | class Dispatcher
method Dispatcher (line 29) | Dispatcher(const Dispatcher &) = delete;
method Dispatcher (line 30) | Dispatcher &operator=(const Dispatcher &) = delete;
method Dispatcher (line 31) | Dispatcher(Dispatcher &&) = delete;
method Dispatcher (line 32) | Dispatcher &operator=(Dispatcher &&) = delete;
method is_instrumentation_on (line 68) | [[nodiscard]] bool is_instrumentation_on() const { return instrumentat...
FILE: rvzr/model_dynamorio/backend/include/logger.hpp
class Logger (line 23) | class Logger
type log_level_t (line 27) | enum log_level_t : uint8_t {
method Logger (line 40) | Logger(const Logger &) = delete;
method Logger (line 41) | Logger(Logger &&) = delete;
method Logger (line 42) | Logger &operator=(const Logger &) = delete;
method Logger (line 43) | Logger &operator=(Logger &&) = delete;
method is_enabled (line 46) | [[nodiscard]] bool is_enabled() const { return log_level > LOG_NONE; }
FILE: rvzr/model_dynamorio/backend/include/speculator_abc.hpp
class SpeculatorABC (line 39) | class SpeculatorABC
method SpeculatorABC (line 42) | SpeculatorABC(int max_nesting_, int max_spec_window_, Logger &logger,
method SpeculatorABC (line 50) | SpeculatorABC(const SpeculatorABC &) = delete;
method SpeculatorABC (line 51) | SpeculatorABC &operator=(const SpeculatorABC &) = delete;
method SpeculatorABC (line 52) | SpeculatorABC(SpeculatorABC &&) = delete;
method SpeculatorABC (line 53) | SpeculatorABC &operator=(SpeculatorABC &&) = delete;
method get_nesting_level (line 66) | [[nodiscard]] unsigned int get_nesting_level() const { return nesting; }
FILE: rvzr/model_dynamorio/backend/include/speculators/cond.hpp
class SpeculatorCond (line 16) | class SpeculatorCond : public SpeculatorABC
FILE: rvzr/model_dynamorio/backend/include/speculators/seq.hpp
class SpeculatorSeq (line 15) | class SpeculatorSeq : public SpeculatorABC
FILE: rvzr/model_dynamorio/backend/include/taint_tracker.hpp
type RVZRRegId (line 50) | enum class RVZRRegId : uint64_t {
type TrackedInstruction (line 70) | struct TrackedInstruction {
type Dependencies (line 83) | struct Dependencies {
class TaintTracker (line 103) | class TaintTracker
method TaintTracker (line 106) | TaintTracker(const std::string &out_path_, Logger &logger_, Decoder &d...
method TaintTracker (line 116) | TaintTracker(const TaintTracker &) = delete;
method TaintTracker (line 117) | TaintTracker &operator=(const TaintTracker &) = delete;
method TaintTracker (line 118) | TaintTracker(TaintTracker &&) = delete;
method TaintTracker (line 119) | TaintTracker &operator=(TaintTracker &&) = delete;
class NoneTaintTracker (line 243) | class NoneTaintTracker : public TaintTracker
method NoneTaintTracker (line 246) | NoneTaintTracker(const std::string &out_path_, Logger &logger_, Decode...
method NoneTaintTracker (line 251) | NoneTaintTracker(const NoneTaintTracker &) = delete;
method NoneTaintTracker (line 252) | NoneTaintTracker &operator=(const NoneTaintTracker &) = delete;
method NoneTaintTracker (line 253) | NoneTaintTracker(NoneTaintTracker &&) = delete;
method NoneTaintTracker (line 254) | NoneTaintTracker &operator=(NoneTaintTracker &&) = delete;
method enable (line 256) | void enable() override {}
method finalize (line 258) | void finalize() override {}
method checkpoint (line 260) | void checkpoint(bool include_current_inst) override {}
method rollback (line 262) | void rollback() override {}
method track_instruction (line 264) | void track_instruction(instr_obs_t instr, dr_mcontext_t *mc, void *dc)...
method track_memory_access (line 266) | void track_memory_access(bool is_write, void *address, uint64_t size) ...
method taint (line 268) | void taint(taint_entry_type_t value_type) override {}
FILE: rvzr/model_dynamorio/backend/include/tracer_abc.hpp
class TracerABC (line 31) | class TracerABC
method TracerABC (line 37) | TracerABC(const TracerABC &) = delete;
method TracerABC (line 38) | TracerABC &operator=(const TracerABC &) = delete;
method TracerABC (line 39) | TracerABC(TracerABC &&) = delete;
method TracerABC (line 40) | TracerABC &operator=(TracerABC &&) = delete;
FILE: rvzr/model_dynamorio/backend/include/tracers/ct.hpp
class TracerCT (line 16) | class TracerCT : public TracerABC
FILE: rvzr/model_dynamorio/backend/include/tracers/ind.hpp
class TracerInd (line 16) | class TracerInd : public TracerABC
FILE: rvzr/model_dynamorio/backend/include/tracers/pc.hpp
class TracerPC (line 16) | class TracerPC : public TracerABC
FILE: rvzr/model_dynamorio/backend/include/types/debug_trace.hpp
type debug_trace_entry_type_t (line 14) | enum class debug_trace_entry_type_t : uint8_t {
type debug_trace_entry_t (line 56) | struct debug_trace_entry_t {
method dump (line 126) | void dump(std::ostream &out) const
FILE: rvzr/model_dynamorio/backend/include/types/decoder.hpp
type CachedInstr (line 17) | struct CachedInstr {
class Decoder (line 35) | class Decoder
method Decoder (line 38) | Decoder() = default;
method Decoder (line 42) | Decoder(const Decoder &) = delete;
method Decoder (line 43) | Decoder &operator=(const Decoder &) = delete;
method Decoder (line 44) | Decoder(Decoder &&) = delete;
method Decoder (line 45) | Decoder &operator=(Decoder &&) = delete;
method instr_t (line 52) | instr_t *get_decoded_instr(void *drcontext, byte *pc)
method byte (line 65) | byte *get_next_pc(void *drcontext, byte *pc)
method clear (line 72) | void clear()
method size (line 80) | [[nodiscard]] size_t size() const { return cache.size(); }
method empty (line 84) | [[nodiscard]] bool empty() const { return cache.empty(); }
method CachedInstr (line 93) | CachedInstr &cache_access(void *drcontext, byte *pc)
FILE: rvzr/model_dynamorio/backend/include/types/file_buffer.hpp
class FileBackedBuf (line 22) | class FileBackedBuf
method FileBackedBuf (line 38) | FileBackedBuf(bool print) : print(print) {}
method FileBackedBuf (line 44) | FileBackedBuf(const FileBackedBuf &) = delete;
method FileBackedBuf (line 45) | FileBackedBuf(FileBackedBuf &&) = delete;
method FileBackedBuf (line 46) | FileBackedBuf &operator=(const FileBackedBuf &other) = delete;
method FileBackedBuf (line 47) | FileBackedBuf &operator=(FileBackedBuf &&other) = delete;
method open (line 51) | void open(const std::string &filename_)
method flush (line 71) | void flush()
method push_back (line 80) | void push_back(const T &elem)
method clear (line 97) | void clear()
FILE: rvzr/model_dynamorio/backend/include/types/input_taint.hpp
type taint_entry_type_t (line 16) | enum class taint_entry_type_t : uint8_t {
type taint_entry_t (line 23) | struct taint_entry_t {
class InputTaint (line 30) | class InputTaint
method InputTaint (line 33) | InputTaint() = default;
method InputTaint (line 35) | InputTaint(const InputTaint &) = delete;
method InputTaint (line 36) | InputTaint &operator=(const InputTaint &) = delete;
method InputTaint (line 37) | InputTaint(InputTaint &&) = delete;
method InputTaint (line 38) | InputTaint &operator=(InputTaint &&) = delete;
method push_back (line 44) | void push_back(const taint_entry_t &entry) { entries.push_back(entry); }
method size (line 46) | [[nodiscard]] size_t size() const { return entries.size(); }
method empty (line 48) | [[nodiscard]] bool empty() const { return entries.empty(); }
method taint_entry_t (line 51) | taint_entry_t operator[](size_t index) const { return entries[index]; }
method store_to_file (line 55) | void store_to_file(const char *file_path)
FILE: rvzr/model_dynamorio/backend/include/types/store_log.hpp
class StoreLog (line 25) | class StoreLog
method StoreLog (line 28) | StoreLog() = default;
method StoreLog (line 30) | StoreLog(const StoreLog &) = delete;
method StoreLog (line 31) | StoreLog(StoreLog &&) = delete;
method StoreLog (line 32) | StoreLog &operator=(const StoreLog &) = delete;
method StoreLog (line 33) | StoreLog &operator=(StoreLog &&) = delete;
method store_log_entry_t (line 36) | [[nodiscard]] const store_log_entry_t &back() const { return entries.b...
method pop_back (line 38) | void pop_back()
method push_back (line 47) | void push_back(const store_log_entry_t &entry) { entries.push_back(ent...
method size (line 49) | [[nodiscard]] size_t size() const { return entries.size(); }
method empty (line 51) | [[nodiscard]] bool empty() const { return entries.empty(); }
method update_committed (line 54) | void update_committed() { last_committed = entries.size(); }
method has_uncommitted (line 56) | [[nodiscard]] bool has_uncommitted() const { return entries.size() > l...
method flush_uncommitted (line 58) | void flush_uncommitted()
FILE: rvzr/model_dynamorio/backend/include/types/trace.hpp
type trace_entry_type_t (line 13) | enum class trace_entry_type_t : uint8_t {
type trace_entry_t (line 44) | struct trace_entry_t {
method dump (line 58) | void dump(std::ostream &out) const
FILE: rvzr/model_dynamorio/backend/logger.cpp
function get_module (line 26) | static std::pair<std::string, size_t> get_module(uint64_t pc)
function dst_type (line 49) | static constexpr dst_type saturate_cast(const src_type &val)
FILE: rvzr/model_dynamorio/backend/model.cpp
type dr_model (line 43) | namespace dr_model
class InstrumentationStateMachine (line 54) | class InstrumentationStateMachine
method InstrumentationStateMachine (line 57) | InstrumentationStateMachine(std::string name_) : name(std::move(name...
method InstrumentationStateMachine (line 59) | InstrumentationStateMachine(const InstrumentationStateMachine &) = d...
method InstrumentationStateMachine (line 60) | InstrumentationStateMachine &operator=(const InstrumentationStateMac...
method InstrumentationStateMachine (line 61) | InstrumentationStateMachine(InstrumentationStateMachine &&) = delete;
method InstrumentationStateMachine (line 62) | InstrumentationStateMachine &operator=(InstrumentationStateMachine &...
method register_entry_pc (line 70) | void register_entry_pc(app_pc pc)
method is_entry_pc (line 77) | bool is_entry_pc(byte const *pc) const { return entry_found and pc =...
method register_exit_pc (line 79) | void register_exit_pc(app_pc pc)
method is_exit_pc (line 86) | bool is_exit_pc(byte const *pc) const { return exit_found and pc == ...
method start_instrumentation (line 90) | bool start_instrumentation(void *drcontext)
method end_instrumentation (line 129) | void end_instrumentation(void *drcontext, instrlist_t *bb, instr_t *...
function event_module_load (line 174) | static void event_module_load(void * /*drcontext*/, const module_data_...
function dr_emit_flags_t (line 195) | static dr_emit_flags_t event_bb_app2app(void *drcontext, void * /*tag*...
function dr_emit_flags_t (line 219) | static dr_emit_flags_t event_bb_instrumentation(void *drcontext, void ...
function dr_signal_action_t (line 255) | static dr_signal_action_t event_signal(void *drcontext, dr_siginfo_t *...
function event_exit (line 267) | static void event_exit()
function dr_model_init (line 291) | static void dr_model_init()
function dr_model_del (line 320) | void dr_model_del() noexcept
function DR_EXPORT (line 348) | DR_EXPORT void dr_client_main(client_id_t /* client_id */, int argc, con...
FILE: rvzr/model_dynamorio/backend/speculator_abc.cpp
function is_speculation_barrier (line 55) | static bool is_speculation_barrier(const uint64_t opcode)
function pc_t (line 91) | pc_t SpeculatorABC::rollback(dr_mcontext_t *mc)
function pc_t (line 156) | pc_t SpeculatorABC::handle_instruction(instr_obs_t instr, dr_mcontext_t ...
function is_supported_reg (line 225) | static bool is_supported_reg(const reg_id_t reg)
function get_load_inst (line 233) | static std::pair<instr_t *, byte *> get_load_inst(void *dc, byte *pc, De...
FILE: rvzr/model_dynamorio/backend/speculators/cond.cpp
function get_branch_info (line 34) | static std::optional<BranchInfo> get_branch_info(instr_obs_t instr, dr_m...
function pc_t (line 60) | pc_t SpeculatorCond::handle_instruction(instr_obs_t instr, dr_mcontext_t...
FILE: rvzr/model_dynamorio/backend/taint_tracker.cpp
type FlagMapping (line 41) | struct FlagMapping {
function reg_id_t (line 69) | static inline reg_id_t normalize_reg(reg_id_t reg)
function track_operand (line 78) | static inline void track_operand(const bool is_src, const opnd_t opnd,
function track_flags (line 120) | static inline void track_flags(const uint eflags, struct TrackedInstruct...
function RVZRRegId (line 136) | static RVZRRegId dr_reg_id_to_rvzr_reg_id(reg_id_t reg)
function is_override_instruction (line 196) | static bool is_override_instruction(const TrackedInstruction *tracked_in...
function label_is_reg (line 229) | static bool label_is_reg(tracked_label_t label) { return label <= MAX_RE...
FILE: rvzr/model_dynamorio/backend/tracers/ind.cpp
function get_mbr_info (line 33) | static std::optional<mbr_info_t> get_mbr_info(instr_obs_t instr, dr_mcon...
FILE: rvzr/model_dynamorio/backend/util.cpp
function reserve_register_checked (line 22) | void reserve_register_checked(void *drcontext, instrlist_t *ilist, instr...
function unreserve_register_checked (line 31) | void unreserve_register_checked(void *drcontext, instrlist_t *ilist, ins...
function force_write (line 39) | bool force_write(byte *addr, size_t size, const uint64_t *val, size_t *w...
function is_illegal_jump (line 54) | bool is_illegal_jump(instr_obs_t instr, dr_mcontext_t *mc, void *dc, Dec...
function flush_bb_cache (line 102) | void flush_bb_cache()
FILE: rvzr/model_dynamorio/model.py
class DynamoRIOModel (line 48) | class DynamoRIOModel(Model):
method __init__ (line 64) | def __init__(self,
method __del__ (line 75) | def __del__(self) -> None:
method load_test_case (line 80) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method trace_test_case (line 95) | def trace_test_case(self, inputs: List[InputData], nesting: int) -> Li...
method trace_test_case_with_taints (line 101) | def trace_test_case_with_taints(self, inputs: List[InputData],
method report_coverage (line 111) | def report_coverage(self, path: str) -> None:
method configure_clauses (line 114) | def configure_clauses(self, obs_clause_name: str, exec_clause_name: st...
method get_supported_obs_clauses (line 142) | def get_supported_obs_clauses(cls, check_installation: bool = True) ->...
method get_supported_exec_clauses (line 155) | def get_supported_exec_clauses(cls, check_installation: bool = True) -...
method _check_if_installed (line 170) | def _check_if_installed(cls) -> None:
method _trace_test_case_common (line 189) | def _trace_test_case_common(self, inputs: List[InputData], nesting: int,
method _construct_drrun_cmd (line 227) | def _construct_drrun_cmd(self, enable_taints: bool, nesting: int) -> str:
method _update_layout (line 251) | def _update_layout(self) -> None:
class _DRFileManager (line 264) | class _DRFileManager:
method __init__ (line 269) | def __init__(self) -> None:
method cleanup_on_load_test_case (line 278) | def cleanup_on_load_test_case(self) -> None:
method cleanup_after_tracing (line 285) | def cleanup_after_tracing(self) -> None:
method _create_temp_files (line 296) | def _create_temp_files(self) -> None:
method delete_temp_files (line 310) | def delete_temp_files(self) -> None:
class _TraceReader (line 329) | class _TraceReader:
method __init__ (line 336) | def __init__(self, layout: SandboxLayout, test_case: TestCaseProgram) ...
method decode_traces (line 341) | def decode_traces(self, trace_path: str) -> List[CTrace]:
method _raw_to_ctrace (line 361) | def _raw_to_ctrace(self, raw_trace: _RawTrace) -> CTrace:
method _trim_traces (line 378) | def _trim_traces(self, traces: List[CTrace]) -> List[CTrace]:
class _DbgTraceReader (line 414) | class _DbgTraceReader:
method __init__ (line 419) | def __init__(self, layout: SandboxLayout, test_case: TestCaseProgram) ...
method decode_traces (line 424) | def decode_traces(self, dbg_path: str) -> List[CTrace]:
method _raw_dbg_to_ctrace (line 445) | def _raw_dbg_to_ctrace(self, raw_dbg_trace: _RawDebugTrace) -> CTrace:
method _trim_dbg_traces (line 462) | def _trim_dbg_traces(self, dbg_traces: List[CTrace]) -> List[CTrace]:
class _TaintReader (line 497) | class _TaintReader:
method __init__ (line 510) | def __init__(self, layout: SandboxLayout, test_case: TestCaseProgram) ...
method decode_taints (line 514) | def decode_taints(self, taint_path: str) -> List[InputTaint]:
method _file_to_ndarray (line 550) | def _file_to_ndarray(self, path: str) -> NDArray[np.uint64]:
FILE: rvzr/model_dynamorio/trace_decoder.py
class TraceEntryType (line 27) | class TraceEntryType(Enum):
class DebugTraceEntryType (line 62) | class DebugTraceEntryType(Enum):
class TraceDecoder (line 153) | class TraceDecoder:
method __init__ (line 162) | def __init__(self) -> None:
method read_trace_marker (line 174) | def read_trace_marker(self, f: BufferedReader) -> Union[_MarkerType, L...
method decode_trace_file (line 185) | def decode_trace_file(self, file: str) -> List[List[Any]]:
method decode_debug_trace_file (line 223) | def decode_debug_trace_file(self, file: str) -> List[List[Any]]:
method is_trace_corrupted (line 261) | def is_trace_corrupted(self, trace_path: str) -> bool:
method _decode_trace_entry (line 306) | def _decode_trace_entry(self, chunk: bytes) -> Any:
method _decode_debug_trace_entry (line 322) | def _decode_debug_trace_entry(self, chunk: bytes) -> Any:
function main (line 339) | def main() -> None:
FILE: rvzr/model_unicorn/coverage.py
function _get_instruction_signature (line 20) | def _get_instruction_signature(instruction: Instruction) -> str:
class InstructionCoverage (line 56) | class InstructionCoverage:
method __init__ (line 66) | def __init__(self) -> None:
method start_test_case (line 69) | def start_test_case(self) -> None:
method add_instruction (line 81) | def add_instruction(self, inst: Instruction) -> None:
method finish_test_case (line 89) | def finish_test_case(self) -> None:
method report (line 97) | def report(self, path: str) -> None:
FILE: rvzr/model_unicorn/execution_context.py
class ModelExecutionState (line 24) | class ModelExecutionState:
method __init__ (line 60) | def __init__(self, test_case: TestCaseProgram, layout: SandboxLayout, ...
method full_reset (line 68) | def full_reset(self) -> None:
method reset_after_em_stop (line 74) | def reset_after_em_stop(self, start_pc: int) -> None:
method is_exit_addr (line 85) | def is_exit_addr(self, address: int) -> bool:
method update_context (line 90) | def update_context(self, em: Uc, address: int) -> None:
method current_test_case (line 98) | def current_test_case(self) -> TestCaseProgram:
method _set_fault_handler_addr (line 102) | def _set_fault_handler_addr(self, fh_id: int) -> None:
FILE: rvzr/model_unicorn/interpreter.py
class ExtraInterpreter (line 37) | class ExtraInterpreter(ABC):
method __init__ (line 48) | def __init__(self, target_desc: TargetDesc, model: UnicornModel):
method load_test_case (line 54) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method load_input (line 58) | def load_input(self, input_: InputData) -> None:
method interpret_instruction (line 61) | def interpret_instruction(self, address: int, state: ModelExecutionSta...
method interpret_mem_access (line 74) | def interpret_mem_access(self, access: int, address: int, size: int, v...
method _interpret_macro (line 78) | def _interpret_macro(self, macro: Instruction, pc: int) -> None:
method _emulate_vm_execution (line 82) | def _emulate_vm_execution(self, address: int) -> None:
method _emulate_userspace_execution (line 86) | def _emulate_userspace_execution(self, address: int) -> None:
class X86ExtraInterpreter (line 93) | class X86ExtraInterpreter(ExtraInterpreter):
method __init__ (line 101) | def __init__(self, target_desc: TargetDesc, model: UnicornModel):
method load_test_case (line 108) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method load_input (line 114) | def load_input(self, input_: InputData) -> None:
method interpret_mem_access (line 117) | def interpret_mem_access(self, access: int, address: int, size: int, v...
method _interpret_macro (line 121) | def _interpret_macro(self, macro: Instruction, pc: int) -> None:
method _emulate_vm_execution (line 124) | def _emulate_vm_execution(self, address: int) -> None:
method _emulate_userspace_execution (line 127) | def _emulate_userspace_execution(self, address: int) -> None:
class ARMExtraInterpreter (line 131) | class ARMExtraInterpreter(ExtraInterpreter):
method __init__ (line 134) | def __init__(self, target_desc: TargetDesc, model: UnicornModel):
method load_test_case (line 139) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method load_input (line 143) | def load_input(self, input_: InputData) -> None:
method interpret_mem_access (line 146) | def interpret_mem_access(self, access: int, address: int, size: int, v...
method _interpret_macro (line 150) | def _interpret_macro(self, macro: Instruction, pc: int) -> None:
method _emulate_vm_execution (line 153) | def _emulate_vm_execution(self, address: int) -> None:
method _emulate_userspace_execution (line 156) | def _emulate_userspace_execution(self, address: int) -> None:
class _MacroInterpreterCommon (line 167) | class _MacroInterpreterCommon:
method __init__ (line 180) | def __init__(self, model: UnicornModel, target_desc: TargetDesc):
method load_test_case (line 198) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method interpret (line 209) | def interpret(self, macro: Instruction, pc: int) -> None:
method _get_macro_args (line 225) | def _get_macro_args(self, section_id: int, section_offset: int) -> Tup...
method _find_function_by_id (line 235) | def _find_function_by_id(self, function_id: int) -> SymbolTableEntry:
method _macro_measurement_start (line 241) | def _macro_measurement_start(self, _: int, __: int, ___: int, ____: in...
method _macro_measurement_end (line 245) | def _macro_measurement_end(self, _: int, __: int, ___: int, ____: int)...
method _macro_switch (line 249) | def _macro_switch(self, section_id: int, function_id: int, _: int, __:...
class _X86MacroInterpreter (line 273) | class _X86MacroInterpreter(_MacroInterpreterCommon):
method __init__ (line 278) | def __init__(self, model: UnicornModel, target_desc: TargetDesc):
method load_test_case (line 297) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method _macro_set_k2u_target (line 301) | def _macro_set_k2u_target(self, section_id: int, function_id: int, _: ...
method _macro_switch_k2u (line 310) | def _macro_switch_k2u(self, section_id: int, _: int, __: int, ___: int...
method _macro_set_u2k_target (line 333) | def _macro_set_u2k_target(self, section_id: int, function_id: int, _: ...
method _macro_switch_u2k (line 346) | def _macro_switch_u2k(self, section_id: int, _: int, __: int, ___: int...
method _macro_switch_h2g (line 364) | def _macro_switch_h2g(self, section_id: int, _: int, __: int, ___: int...
method _macro_switch_g2h (line 386) | def _macro_switch_g2h(self, section_id: int, _: int, __: int, ___: int...
method _macro_set_h2g_target (line 405) | def _macro_set_h2g_target(self, section_id: int, function_id: int, _: ...
method _macro_set_g2h_target (line 411) | def _macro_set_g2h_target(self, section_id: int, function_id: int, _: ...
method _macro_landing_k2u (line 417) | def _macro_landing_k2u(self, _: int, __: int, ___: int, ____: int) -> ...
method _macro_landing_u2k (line 421) | def _macro_landing_u2k(self, _: int, __: int, ___: int, ____: int) -> ...
method _macro_landing_h2g (line 425) | def _macro_landing_h2g(self, _: int, __: int, ___: int, ____: int) -> ...
method _macro_landing_g2h (line 428) | def _macro_landing_g2h(self, _: int, __: int, ___: int, ____: int) -> ...
method _macro_set_data_permissions (line 431) | def _macro_set_data_permissions(self, actor_id: int, must_set: int, mu...
class _ARM64MacroInterpreter (line 436) | class _ARM64MacroInterpreter(_MacroInterpreterCommon):
method __init__ (line 439) | def __init__(self, model: UnicornModel, target_desc: TargetDesc):
class _X86VMInterpreter (line 450) | class _X86VMInterpreter:
method __init__ (line 465) | def __init__(self, model: UnicornModel, target_desc: TargetDesc) -> None:
method reset (line 470) | def reset(self) -> None:
method interpret (line 474) | def interpret(self, inst: Instruction, address: int) -> None:
method _emulate_move (line 504) | def _emulate_move(self, inst: Instruction, _: int) -> bool:
class _X86UserspaceInterpreter (line 512) | class _X86UserspaceInterpreter(_X86VMInterpreter):
class _FaultInterpreterCommon (line 534) | class _FaultInterpreterCommon(ABC):
method __init__ (line 546) | def __init__(self, model: UnicornModel, target_desc: TargetDesc):
method load_test_case (line 551) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method load_input (line 579) | def load_input(self, _: InputData) -> None:
method induce_user_faults (line 590) | def induce_user_faults(self, current_actor: Actor, address: int) -> None:
method _page_is_readable (line 615) | def _page_is_readable(self, pet: PTEMask) -> bool:
method _page_is_writable (line 619) | def _page_is_writable(self, pet: PTEMask) -> bool:
method _page_is_user_accessible (line 623) | def _page_is_user_accessible(self, pet: PTEMask) -> bool:
method _extended_page_is_readable (line 627) | def _extended_page_is_readable(self, epet: PTEMask) -> bool:
method _extended_page_is_writable (line 631) | def _extended_page_is_writable(self, epet: PTEMask) -> bool:
class _X86FaultInterpreter (line 635) | class _X86FaultInterpreter(_FaultInterpreterCommon):
method _page_is_readable (line 638) | def _page_is_readable(self, pet: PTEMask) -> bool:
method _page_is_writable (line 648) | def _page_is_writable(self, pet: PTEMask) -> bool:
method _page_is_user_accessible (line 656) | def _page_is_user_accessible(self, pet: PTEMask) -> bool:
method _extended_page_is_readable (line 662) | def _extended_page_is_readable(self, epet: PTEMask) -> bool:
method _extended_page_is_writable (line 672) | def _extended_page_is_writable(self, epet: PTEMask) -> bool:
class _ARM64FaultInterpreter (line 681) | class _ARM64FaultInterpreter(_FaultInterpreterCommon):
method _page_is_readable (line 684) | def _page_is_readable(self, pet: PTEMask) -> bool:
method _page_is_writable (line 690) | def _page_is_writable(self, pet: PTEMask) -> bool:
method _page_is_user_accessible (line 696) | def _page_is_user_accessible(self, pet: PTEMask) -> bool:
method _extended_page_is_readable (line 699) | def _extended_page_is_readable(self, epet: PTEMask) -> bool:
method _extended_page_is_writable (line 702) | def _extended_page_is_writable(self, epet: PTEMask) -> bool:
method emulate_crossing_fault (line 705) | def emulate_crossing_fault(self, access: int, address: int, size: int)...
FILE: rvzr/model_unicorn/model.py
class _Dispatcher (line 57) | class _Dispatcher:
method __init__ (line 67) | def __init__(self, taint_tracker: UnicornTaintTracker, speculator: Uni...
method test_case_load_dispatch (line 76) | def test_case_load_dispatch(self, test_case: TestCaseProgram) -> None:
method execution_start_dispatch (line 83) | def execution_start_dispatch(self, input_: InputData) -> None:
method instruction_dispatch (line 90) | def instruction_dispatch(self, address: int, size: int, _: UnicornModel,
method mem_access_dispatch (line 105) | def mem_access_dispatch(self, access: int, address: int, size: int, va...
function _instruction_hook (line 120) | def _instruction_hook(_: Uc, address: int, size: int, model: UnicornMode...
function _mem_access_hook (line 125) | def _mem_access_hook(_: Uc, access: int, address: int, size: int, value:...
function _mem_unmapped_hook (line 131) | def _mem_unmapped_hook(_: Uc, access: int, address: int, size: int, valu...
function _err_to_str (line 162) | def _err_to_str(errno: int) -> str:
class UnicornModel (line 171) | class UnicornModel(Model, ABC):
method __init__ (line 202) | def __init__(self,
method load_test_case (line 239) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method trace_test_case (line 280) | def trace_test_case(self, inputs: List[InputData], nesting: int) -> Li...
method trace_test_case_with_taints (line 292) | def trace_test_case_with_taints(self, inputs: List[InputData],
method instruction_callback (line 308) | def instruction_callback(self, address: int, size: int) -> None:
method mem_access_callback (line 327) | def mem_access_callback(self, access: int, address: int, size: int, va...
method do_soft_fault (line 335) | def do_soft_fault(self, errno: int) -> None:
method set_faulty_area_rw (line 344) | def set_faulty_area_rw(self, actor_id: int, r: bool, w: bool) -> None:
method report_coverage (line 357) | def report_coverage(self, path: str) -> None:
method print_registers (line 362) | def print_registers(self, oneline: bool = False) -> None:
method _execute_test_case_with_inputs (line 367) | def _execute_test_case_with_inputs(
method _run_state_machine (line 401) | def _run_state_machine(self) -> None:
method _handle_fault (line 468) | def _handle_fault(self) -> int:
method _patch_context_after_fault (line 508) | def _patch_context_after_fault(self) -> None:
method _load_input (line 522) | def _load_input(self, input_: InputData) -> None:
class X86UnicornModel (line 529) | class X86UnicornModel(UnicornModel):
method __init__ (line 532) | def __init__(self,
method _load_input (line 549) | def _load_input(self, input_: InputData) -> None:
method print_registers (line 617) | def print_registers(self, oneline: bool = False) -> None:
class ARM64UnicornModel (line 678) | class ARM64UnicornModel(UnicornModel):
method __init__ (line 681) | def __init__(self,
method _load_input (line 698) | def _load_input(self, input_: InputData) -> None:
method print_registers (line 758) | def print_registers(self, oneline: bool = False) -> None:
FILE: rvzr/model_unicorn/speculator_abc.py
class UnicornSpeculator (line 38) | class UnicornSpeculator(ABC):
method __init__ (line 64) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method in_speculation (line 75) | def in_speculation(self) -> bool:
method set_max_nesting (line 79) | def set_max_nesting(self, max_nesting: int) -> None:
method nesting (line 83) | def nesting(self) -> int:
method reset (line 87) | def reset(self) -> None:
method rollback (line 96) | def rollback(self) -> int:
method handle_instruction (line 122) | def handle_instruction(self, address: int, size: int) -> None:
method handle_mem_access (line 144) | def handle_mem_access(self, access: int, address: int, size: int, valu...
method handle_fault (line 162) | def handle_fault(self, errno: int) -> int:
method _checkpoint (line 174) | def _checkpoint(self, next_instruction_addr: int, include_current_inst...
method _max_nesting_reached (line 189) | def _max_nesting_reached(self) -> bool:
method _speculate_instruction (line 193) | def _speculate_instruction(self, address: int, size: int) -> None:
method _speculate_mem_access (line 196) | def _speculate_mem_access(self, access: int, address: int, size: int, ...
method _speculate_fault (line 199) | def _speculate_fault(self, _: int) -> int:
FILE: rvzr/model_unicorn/speculators_basic.py
class SeqSpeculator (line 38) | class SeqSpeculator(UnicornSpeculator):
class X86CondSpeculator (line 53) | class X86CondSpeculator(UnicornSpeculator):
method __init__ (line 159) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _speculate_instruction (line 164) | def _speculate_instruction(self, address: int, size: int) -> None:
method decode (line 197) | def decode(self, code: bytearray, flags: int, rcx: int) -> Tuple[int, ...
class ARM64CondSpeculator (line 211) | class ARM64CondSpeculator(UnicornSpeculator):
method __init__ (line 217) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _speculate_instruction (line 222) | def _speculate_instruction(self, address: int, size: int) -> None:
method decode (line 243) | def decode(self, code: bytearray, flags: int) -> Tuple[int, bool]:
method _decode_b_cond (line 260) | def _decode_b_cond(self, instruction: int, flags: int) -> Tuple[int, b...
method _decode_cb_tb (line 290) | def _decode_cb_tb(self, instruction: int, first_byte: int) -> Tuple[in...
method _twos_complement (line 335) | def _twos_complement(n: int, n_bits: int) -> int:
class StoreBpasSpeculator (line 346) | class StoreBpasSpeculator(UnicornSpeculator):
method rollback (line 353) | def rollback(self) -> int:
method reset (line 358) | def reset(self) -> None:
method _speculate_mem_access (line 362) | def _speculate_mem_access(self, access: int, address: int, size: int, ...
method _speculate_instruction (line 385) | def _speculate_instruction(self, address: int, _: int) -> None:
class X86CondBpasSpeculator (line 407) | class X86CondBpasSpeculator(X86CondSpeculator, StoreBpasSpeculator):
method _speculate_mem_access (line 412) | def _speculate_mem_access(self, access: int, address: int, size: int, ...
method _speculate_instruction (line 415) | def _speculate_instruction(self, address: int, size: int) -> None:
FILE: rvzr/model_unicorn/speculators_fault.py
class FaultSpeculator (line 31) | class FaultSpeculator(UnicornSpeculator, ABC):
method _fault_triggers_speculation (line 44) | def _fault_triggers_speculation(self, errno: int) -> bool:
method _get_rollback_address (line 55) | def _get_rollback_address(self) -> int:
method _speculate_instruction (line 58) | def _speculate_instruction(self, address: int, size: int) -> None:
method _restore_faulty_page_permissions (line 61) | def _restore_faulty_page_permissions(self, actor_id: ActorID) -> None:
class SequentialAssistSpeculator (line 71) | class SequentialAssistSpeculator(FaultSpeculator):
method __init__ (line 74) | def __init__(
method _speculate_fault (line 83) | def _speculate_fault(self, errno: int) -> int:
class UnicornDEH (line 95) | class UnicornDEH(FaultSpeculator, ABC):
method __init__ (line 111) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _checkpoint (line 118) | def _checkpoint(self, next_instruction_addr: int, include_current_inst...
method rollback (line 122) | def rollback(self) -> int:
method _speculate_fault (line 126) | def _speculate_fault(self, errno: int) -> int:
method _speculate_instruction (line 150) | def _speculate_instruction(self, address: int, size: int) -> None:
method _handle_isa_specific_corner_cases (line 228) | def _handle_isa_specific_corner_cases(self, instruction: Instruction,
method _arm64_emulate_fault_with_post_increment (line 233) | def _arm64_emulate_fault_with_post_increment(self) -> None:
class X86UnicornDEH (line 237) | class X86UnicornDEH(UnicornDEH):
method _handle_isa_specific_corner_cases (line 247) | def _handle_isa_specific_corner_cases(self, instruction: Instruction,
class ARMUnicornDEH (line 302) | class ARMUnicornDEH(UnicornDEH):
method _handle_isa_specific_corner_cases (line 308) | def _handle_isa_specific_corner_cases(self, instruction: Instruction,
method _arm64_emulate_fault_with_post_increment (line 313) | def _arm64_emulate_fault_with_post_increment(self) -> None:
class X86UnicornNull (line 350) | class X86UnicornNull(FaultSpeculator):
method __init__ (line 370) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method reset (line 375) | def reset(self) -> None:
method rollback (line 390) | def rollback(self) -> int:
method _speculate_mem_access (line 395) | def _speculate_mem_access(self, access: int, address: int, size: int, ...
method _speculate_fault (line 403) | def _speculate_fault(self, errno: int) -> int:
method _speculate_instruction (line 429) | def _speculate_instruction(self, address: int, size: int) -> None:
class X86UnicornNullAssist (line 454) | class X86UnicornNullAssist(X86UnicornNull):
method _get_rollback_address (line 459) | def _get_rollback_address(self) -> int:
class X86Meltdown (line 463) | class X86Meltdown(FaultSpeculator):
method __init__ (line 468) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _speculate_fault (line 473) | def _speculate_fault(self, errno: int) -> int:
class X86NonCanonicalAddress (line 485) | class X86NonCanonicalAddress(FaultSpeculator):
method __init__ (line 494) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _speculate_fault (line 499) | def _speculate_fault(self, errno: int) -> int:
method _speculate_instruction (line 507) | def _speculate_instruction(self, address: int, size: int) -> None:
method reset (line 544) | def reset(self) -> None:
FILE: rvzr/model_unicorn/speculators_vs.py
class _TaintedValue (line 33) | class _TaintedValue(NamedTuple):
class _VspecBaseSpeculator (line 54) | class _VspecBaseSpeculator(FaultSpeculator, ABC):
method __init__ (line 91) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _load_input (line 109) | def _load_input(self, input_: InputData) -> None:
method _assemble_reg_values (line 130) | def _assemble_reg_values(self, regs: Set[str]) -> Tuple[Taint, bool]:
method _set_taint (line 159) | def _set_taint(self, reg: str, taint: Taint) -> None:
method _update_reg_taints (line 166) | def _update_reg_taints(self) -> None:
method _get_curr_load_taint (line 202) | def _get_curr_load_taint(self) -> _TaintedValue:
method _speculate_fault (line 210) | def _speculate_fault(self, errno: int) -> int:
method _get_next_instruction (line 262) | def _get_next_instruction(self) -> int:
method _speculate_instruction (line 268) | def _speculate_instruction(self, address: int, size: int) -> None:
method _speculate_mem_access (line 376) | def _speculate_mem_access(self, access: int, address: int, size: int, ...
method _checkpoint (line 447) | def _checkpoint(self, next_instruction_addr: int, include_current_inst...
method rollback (line 453) | def rollback(self) -> int:
method _get_rollback_address (line 459) | def _get_rollback_address(self) -> int:
class VspecDIVSpeculator (line 464) | class VspecDIVSpeculator(_VspecBaseSpeculator):
method __init__ (line 467) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
class VspecMemoryFaultsSpeculator (line 474) | class VspecMemoryFaultsSpeculator(_VspecBaseSpeculator):
method __init__ (line 480) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _get_curr_load_taint (line 486) | def _get_curr_load_taint(self) -> _TaintedValue:
method _speculate_instruction (line 493) | def _speculate_instruction(self, address: int, size: int) -> None:
method _get_next_instruction (line 511) | def _get_next_instruction(self) -> int:
class VspecMemoryAssistsSpeculator (line 525) | class VspecMemoryAssistsSpeculator(VspecMemoryFaultsSpeculator):
method __init__ (line 528) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method rollback (line 533) | def rollback(self) -> int:
method _get_rollback_address (line 541) | def _get_rollback_address(self) -> int:
class VspecGPSpeculator (line 547) | class VspecGPSpeculator(_VspecBaseSpeculator, X86NonCanonicalAddress):
method __init__ (line 553) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _speculate_fault (line 566) | def _speculate_fault(self, errno: int) -> int:
method _speculate_mem_access (line 622) | def _speculate_mem_access(self, access: int, address: int, size: int, ...
method _speculate_instruction (line 631) | def _speculate_instruction(self, address: int, size: int) -> None:
method _noncanonical_to_canonical (line 636) | def _noncanonical_to_canonical(self, address: int) -> int:
method _get_rollback_address (line 643) | def _get_rollback_address(self) -> int:
method reset (line 646) | def reset(self) -> None:
class VspecAllSpeculator (line 653) | class VspecAllSpeculator(_VspecBaseSpeculator):
method _speculate_fault (line 661) | def _speculate_fault(self, errno: int) -> int:
class VspecAllDIVSpeculator (line 694) | class VspecAllDIVSpeculator(VspecAllSpeculator):
method __init__ (line 697) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
class VspecAllMemoryFaultsSpeculator (line 704) | class VspecAllMemoryFaultsSpeculator(VspecAllSpeculator):
method __init__ (line 710) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method _speculate_instruction (line 716) | def _speculate_instruction(self, address: int, size: int) -> None:
method _get_next_instruction (line 735) | def _get_next_instruction(self) -> int:
class VspecAllMemoryAssistsSpeculator (line 749) | class VspecAllMemoryAssistsSpeculator(VspecAllSpeculator):
method __init__ (line 752) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method rollback (line 757) | def rollback(self) -> int:
method _get_rollback_address (line 764) | def _get_rollback_address(self) -> int:
FILE: rvzr/model_unicorn/taint_tracker.py
class UnicornTaintTracker (line 36) | class UnicornTaintTracker:
method __init__ (line 66) | def __init__(self, bases: BaseAddrTuple, target_desc: TargetDesc):
method set_enable_tracking (line 88) | def set_enable_tracking(self, enable: bool) -> None:
method reset (line 94) | def reset(self) -> None:
method checkpoint (line 103) | def checkpoint(self, include_current_inst: bool) -> None:
method rollback (line 115) | def rollback(self) -> None:
method track_instruction (line 130) | def track_instruction(self, instruction: Instruction) -> None:
method track_memory_access (line 157) | def track_memory_access(self, address: int, size: int, is_write: bool)...
method _finalize_instruction (line 182) | def _finalize_instruction(self) -> None:
method taint (line 217) | def taint(self, value_type: TAINTED_VALUE_TYPE) -> None:
method taint_actors (line 249) | def taint_actors(self, actor_ids: List[int]) -> None:
method get_taint (line 262) | def get_taint(self, n_actors: int) -> InputTaint:
class _TrackedInstruction (line 330) | class _TrackedInstruction:
method __init__ (line 335) | def __init__(self, instruction: Instruction) -> None:
method parse_static_operands (line 349) | def parse_static_operands(self, reg_normalizer: Dict[str, str]) -> None:
class _Dependencies (line 394) | class _Dependencies:
method __init__ (line 400) | def __init__(self) -> None:
method add_dependencies (line 405) | def add_dependencies(self, tracked_inst: _TrackedInstruction) -> None:
method remove_overwritten_dependencies (line 448) | def remove_overwritten_dependencies(self, tracked_inst: _TrackedInstru...
FILE: rvzr/model_unicorn/tracer.py
class UnicornTracer (line 32) | class UnicornTracer(ABC):
method __init__ (line 45) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method load_test_case (line 55) | def load_test_case(self, test_case: TestCaseProgram) -> None:
method reset (line 59) | def reset(self, input_: InputData) -> None:
method get_trace (line 68) | def get_trace(self) -> CTrace:
method observe_mem_access (line 84) | def observe_mem_access(self, access: int, address: int, size: int, val...
method observe_instruction (line 94) | def observe_instruction(self, pc: int, size: int) -> None:
method _add_mem_address_to_trace (line 105) | def _add_mem_address_to_trace(self, address: int) -> None:
method _add_pc_to_trace (line 111) | def _add_pc_to_trace(self, address: int) -> None:
method _add_dependencies_to_trace (line 117) | def _add_dependencies_to_trace(self, dependency_hash: int) -> None:
method _add_value_to_trace (line 123) | def _add_value_to_trace(self, val: int) -> None:
class NoneTracer (line 132) | class NoneTracer(UnicornTracer):
method observe_mem_access (line 138) | def observe_mem_access(self, access: int, address: int, size: int, val...
method observe_instruction (line 141) | def observe_instruction(self, pc: int, size: int) -> None:
method get_trace (line 144) | def get_trace(self) -> CTrace:
class PCTracer (line 148) | class PCTracer(UnicornTracer):
method observe_instruction (line 160) | def observe_instruction(self, pc: int, size: int) -> None:
class MemoryTracer (line 165) | class MemoryTracer(UnicornTracer):
method observe_mem_access (line 177) | def observe_mem_access(self, access: int, address: int, size: int, val...
class L1DTracer (line 182) | class L1DTracer(MemoryTracer):
method get_trace (line 188) | def get_trace(self) -> CTrace:
class CTTracer (line 194) | class CTTracer(PCTracer):
method observe_mem_access (line 199) | def observe_mem_access(self, access: int, address: int, size: int, val...
class TruncatedCTTracer (line 204) | class TruncatedCTTracer(UnicornTracer):
method observe_mem_access (line 209) | def observe_mem_access(self, access: int, address: int, size: int, val...
method observe_instruction (line 213) | def observe_instruction(self, pc: int, size: int) -> None:
class TruncatedCTWithOverflowsTracer (line 218) | class TruncatedCTWithOverflowsTracer(UnicornTracer):
method observe_mem_access (line 224) | def observe_mem_access(self, access: int, address: int, size: int, val...
method observe_instruction (line 230) | def observe_instruction(self, pc: int, size: int) -> None:
class CTNonSpecStoreTracer (line 237) | class CTNonSpecStoreTracer(PCTracer):
method observe_mem_access (line 242) | def observe_mem_access(self, access: int, address: int, size: int, val...
class ArchTracer (line 249) | class ArchTracer(CTTracer):
method reset (line 260) | def reset(self, input_: InputData) -> None:
method observe_instruction (line 264) | def observe_instruction(self, pc: int, size: int) -> None:
method observe_mem_access (line 275) | def observe_mem_access(self, access: int, address: int, size: int, val...
class ActorNITracer (line 286) | class ActorNITracer(CTTracer):
method __init__ (line 293) | def __init__(self, target_desc: TargetDesc, model: UnicornModel,
method reset (line 302) | def reset(self, input_: InputData) -> None:
method get_trace (line 309) | def get_trace(self) -> CTrace:
method _add_observer_traces (line 315) | def _add_observer_traces(self, ctrace: CTrace) -> CTrace:
FILE: rvzr/postprocessing/analysis_passes.py
function _get_seq_model (line 27) | def _get_seq_model(data_start: int, code_start: int) -> uc_model.Unicorn...
class AddViolationCommentsPass (line 52) | class AddViolationCommentsPass(BaseInstructionMinimizationPass):
method set_violation (line 60) | def set_violation(self, violation: Violation) -> None:
method run (line 63) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 143) | def modify_instruction(self, _: List[str], __: int) -> List[str]:
method verify_modification (line 146) | def verify_modification(self, _: TestCaseProgram, __: List[InputData])...
FILE: rvzr/postprocessing/input_passes.py
class BaseInputMinimizationPass (line 29) | class BaseInputMinimizationPass(BaseMinimizationPass):
method run (line 33) | def run(self, test_case: TestCaseProgram, org_inputs: List[InputData],
class InputSequenceMinimizationPass (line 43) | class InputSequenceMinimizationPass(BaseInputMinimizationPass):
method run (line 50) | def run(self, test_case: TestCaseProgram, org_inputs: List[InputData],
class DifferentialInputMinimizerPass (line 97) | class DifferentialInputMinimizerPass(BaseInputMinimizationPass):
method run (line 111) | def run(self, test_case: TestCaseProgram, _: List[InputData],
method _set_pass_context (line 146) | def _set_pass_context(self, test_case: TestCaseProgram, org_violation:...
method _reset_pass_context (line 171) | def _reset_pass_context(self) -> None:
method _process_actor (line 178) | def _process_actor(self, actor_id: int) -> None:
method _process_block (line 208) | def _process_block(self, actor_id: int, region_name: str, block_start:...
FILE: rvzr/postprocessing/instruction_passes.py
class BaseInstructionMinimizationPass (line 29) | class BaseInstructionMinimizationPass(BaseMinimizationPass):
method run (line 38) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 42) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 49) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
method minimization_loop (line 55) | def minimization_loop(self,
method set_violation (line 122) | def set_violation(self, violation: Violation) -> None:
class InstructionRemovalPass (line 126) | class InstructionRemovalPass(BaseInstructionMinimizationPass):
method run (line 133) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 151) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 154) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
class InstructionSimplificationPass (line 158) | class InstructionSimplificationPass(BaseInstructionMinimizationPass):
method run (line 227) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 241) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 253) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
class ConstantSimplificationPass (line 257) | class ConstantSimplificationPass(BaseInstructionMinimizationPass):
method __init__ (line 264) | def __init__(self, fuzzer: Fuzzer, instruction_set_spec: InstructionSet,
method run (line 280) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 290) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 305) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
class MaskSimplificationPass (line 309) | class MaskSimplificationPass(BaseInstructionMinimizationPass):
method run (line 333) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 343) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 361) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
class NopReplacementPass (line 365) | class NopReplacementPass(BaseInstructionMinimizationPass):
method __init__ (line 387) | def __init__(self, fuzzer: Fuzzer, instruction_set_spec: InstructionSet,
method run (line 402) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 432) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 461) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
class LabelRemovalPass (line 465) | class LabelRemovalPass(BaseInstructionMinimizationPass):
method run (line 475) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 510) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 513) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
class FenceInsertionPass (line 517) | class FenceInsertionPass(BaseInstructionMinimizationPass):
method __init__ (line 524) | def __init__(self, fuzzer: Fuzzer, instruction_set_spec: InstructionSet,
method run (line 533) | def run(self, test_case: TestCaseProgram, inputs: List[InputData]) -> ...
method modify_instruction (line 543) | def modify_instruction(self, instructions: List[str], cursor: int) -> ...
method verify_modification (line 549) | def verify_modification(self, test_case: TestCaseProgram, inputs: List...
FILE: rvzr/postprocessing/minimizer.py
class PassDesc (line 35) | class PassDesc(NamedTuple):
class Minimizer (line 41) | class Minimizer:
method __init__ (line 57) | def __init__(self, fuzzer: Fuzzer, instruction_set_spec: InstructionSet):
method __del__ (line 81) | def __del__(self) -> None:
method run (line 86) | def run(self, test_case_asm: str, n_inputs: int, test_case_outfile: st...
method _reset (line 171) | def _reset(self, enabled_passes: Dict[str, Any]) -> None:
method _reproduce_org_violation (line 186) | def _reproduce_org_violation(self, test_case: TestCaseProgram,
method _set_passes (line 197) | def _set_passes(self, enabled_passes: Dict[str, Any]) -> None:
method _run_input_passes (line 214) | def _run_input_passes(self, test_case: TestCaseProgram, inputs: List[I...
method _run_instruction_passes (line 250) | def _run_instruction_passes(self, test_case: TestCaseProgram, inputs: ...
method _run_analysis_passes (line 267) | def _run_analysis_passes(self, test_case: TestCaseProgram, inputs: Lis...
FILE: rvzr/postprocessing/pass_abc.py
class BaseMinimizationPass (line 22) | class BaseMinimizationPass(abc.ABC):
method __init__ (line 30) | def __init__(self, fuzzer: Fuzzer, instruction_set_spec: InstructionSet,
method set_ignore_list (line 40) | def set_ignore_list(self, ignore_list: List[int]) -> None:
method _get_test_case_from_instructions (line 44) | def _get_test_case_from_instructions(self,
method _check_for_violation (line 68) | def _check_for_violation(self, test_case: TestCaseProgram, inputs: Lis...
FILE: rvzr/postprocessing/progress_printer.py
class ProgressPrinter (line 8) | class ProgressPrinter():
method pass_start (line 20) | def pass_start(self, label: str, offset: int = 2) -> None:
method pass_finish (line 28) | def pass_finish(self) -> None:
method pass_msg (line 32) | def pass_msg(self, msg: str) -> None:
method next (line 37) | def next(self, success: bool) -> None:
method global_msg (line 53) | def global_msg(self, msg: str) -> None:
FILE: rvzr/sandbox.py
class DataArea (line 29) | class DataArea(Enum):
class CodeArea (line 45) | class CodeArea(Enum):
class SandboxLayout (line 57) | class SandboxLayout:
method data_area_size (line 97) | def data_area_size(cls, area: DataArea) -> int:
method data_area_offset (line 106) | def data_area_offset(cls, area: DataArea) -> int:
method data_size_per_actor (line 121) | def data_size_per_actor(cls) -> int:
method code_area_size (line 129) | def code_area_size(cls, area: CodeArea) -> int:
method code_area_offset (line 138) | def code_area_offset(cls, area: CodeArea) -> int:
method code_size_per_actor (line 149) | def code_size_per_actor(cls) -> int:
method __init__ (line 159) | def __init__(self, bases: BaseAddrTuple, n_actors: int):
method code_start (line 186) | def code_start(self) -> CodeAddr:
method code_end (line 190) | def code_end(self) -> CodeAddr:
method data_start (line 194) | def data_start(self) -> DataAddr:
method data_end (line 198) | def data_end(self) -> DataAddr:
method get_data_addr (line 202) | def get_data_addr(self, area: DataArea, actor_id: int) -> DataAddr:
method get_code_addr (line 212) | def get_code_addr(self, area: CodeArea, actor_id: int) -> CodeAddr:
method get_exit_addr (line 222) | def get_exit_addr(self, test_case: TestCaseProgram) -> CodeAddr:
method is_data_addr (line 233) | def is_data_addr(self, addr: DataAddr) -> bool:
method is_code_addr (line 241) | def is_code_addr(self, addr: CodeAddr) -> bool:
method data_addr_to_offset (line 249) | def data_addr_to_offset(self, addr: DataAddr) -> DataAddr:
method code_addr_to_offset (line 257) | def code_addr_to_offset(self, addr: CodeAddr) -> CodeAddr:
method code_addr_to_actor_id (line 265) | def code_addr_to_actor_id(self, addr: CodeAddr) -> int:
method data_addr_to_actor_id (line 273) | def data_addr_to_actor_id(self, addr: DataAddr) -> int:
FILE: rvzr/stats.py
class FuzzingStats (line 11) | class FuzzingStats:
method __init__ (line 36) | def __init__(self) -> None:
method __str__ (line 39) | def __str__(self) -> str:
method get_brief (line 65) | def get_brief(self) -> str:
FILE: rvzr/target_desc.py
class CPUDesc (line 35) | class CPUDesc(NamedTuple):
class MacroSpec (line 44) | class MacroSpec(NamedTuple):
class UnicornTargetDesc (line 52) | class UnicornTargetDesc: # pylint: disable=too-few-public-methods
class TargetDesc (line 86) | class TargetDesc(ABC):
method get_vendor (line 190) | def get_vendor(cls) -> Vendor:
method is_unconditional_branch (line 203) | def is_unconditional_branch(inst: Instruction) -> bool:
method is_call (line 208) | def is_call(inst: Instruction) -> bool:
method get_macro_spec_from_type (line 211) | def get_macro_spec_from_type(self, type_: int) -> MacroSpec:
method _filter_blocked_registers (line 222) | def _filter_blocked_registers(self) -> Dict[RegSize, List[str]]:
FILE: rvzr/tc_components/actor.py
class ActorMode (line 28) | class ActorMode(Enum):
class ActorPL (line 34) | class ActorPL(Enum):
function _create_pte_mask (line 43) | def _create_pte_mask(pte_descriptor: _PTEDescriptor, page_properties_to_...
class Actor (line 132) | class Actor:
method __init__ (line 148) | def __init__(self,
method from_dict (line 164) | def from_dict(cls, actor_dict: ActorConf, target_desc: TargetDesc) -> ...
method create_main (line 211) | def create_main(cls) -> 'Actor':
method assign_code_section (line 220) | def assign_code_section(self, section: CodeSection) -> None:
method code_section (line 225) | def code_section(self) -> CodeSection:
method get_id (line 230) | def get_id(self) -> ActorID:
FILE: rvzr/tc_components/instruction.py
class Operand (line 24) | class Operand(ABC):
method __init__ (line 43) | def __init__(self, value: str, src: bool, dest: bool):
method from_fixed_spec (line 50) | def from_fixed_spec(cls, spec: OperandSpec) -> AnyOperand: # pylint: ...
class RegisterOp (line 83) | class RegisterOp(Operand):
method __init__ (line 88) | def __init__(self, value: str, width: int, src: bool, dest: bool):
class MemoryOp (line 94) | class MemoryOp(Operand):
method __init__ (line 99) | def __init__(self, address: str, width: int, src: bool, dest: bool) ->...
method get_base_register (line 103) | def get_base_register(self) -> Optional[RegisterOp]:
class ImmediateOp (line 124) | class ImmediateOp(Operand):
method __init__ (line 129) | def __init__(self, value: str, width: int) -> None:
class LabelOp (line 134) | class LabelOp(Operand):
method __init__ (line 137) | def __init__(self, value: str) -> None:
class AgenOp (line 141) | class AgenOp(Operand):
method __init__ (line 146) | def __init__(self, value: str, width: int) -> None:
class FlagsOp (line 151) | class FlagsOp(Operand):
method __init__ (line 157) | def __init__(self, value: Tuple[str, ...]) -> None:
method __str__ (line 162) | def __str__(self) -> str:
method _get_flag_list (line 174) | def _get_flag_list(self, types: List[FlagType]) -> List[str]:
method get_flags_by_type (line 186) | def get_flags_by_type(self, type_: Literal['read', 'write', 'overwrite...
class CondOp (line 208) | class CondOp(Operand):
method __init__ (line 211) | def __init__(self, value: str) -> None:
function copy_op_with_value_modification (line 223) | def copy_op_with_value_modification(op: _ValueModifiableOperand,
function copy_op_with_flow_modification (line 246) | def copy_op_with_flow_modification(op: _SrcDestModifiableOperand,
class Instruction (line 271) | class Instruction:
method __init__ (line 317) | def __init__(self,
method from_spec (line 333) | def from_spec(cls: Type[Instruction],
method __str__ (line 355) | def __str__(self) -> str:
method add_op (line 365) | def add_op(self, op: AnyOperand, implicit: bool = False) -> Instruction:
method has_mem_operand (line 378) | def has_mem_operand(self, include_implicit: bool) -> bool:
method has_write (line 393) | def has_write(self, include_implicit: bool = False) -> bool:
method has_read (line 408) | def has_read(self, include_implicit: bool = False) -> bool:
method get_all_operands (line 423) | def get_all_operands(self) -> List[AnyOperand]:
method get_src_operands (line 431) | def get_src_operands(self, include_implicit: bool = False) -> List[Any...
method get_dest_operands (line 447) | def get_dest_operands(self, include_implicit: bool = False) -> List[An...
method get_mem_operands (line 463) | def get_mem_operands(self,
method get_flags_operand (line 484) | def get_flags_operand(self) -> Optional[FlagsOp]:
method get_reg_operands (line 497) | def get_reg_operands(self, include_implicit: bool = False) -> List[Reg...
method get_cond_operand (line 513) | def get_cond_operand(self) -> Optional[CondOp]:
method get_label_operand (line 524) | def get_label_operand(self) -> Optional[LabelOp]:
method get_imm_operands (line 535) | def get_imm_operands(self, include_implicit: bool = False) -> List[Imm...
method get_agen_operands (line 551) | def get_agen_operands(self) -> List[AgenOp]:
method assign_line_num (line 565) | def assign_line_num(self, line_num: int) -> None:
method line_num (line 570) | def line_num(self) -> int:
method assign_binary_properties (line 577) | def assign_binary_properties(self, section_id: int, offset: int, size:...
method section_id (line 590) | def section_id(self) -> int:
method section_offset (line 596) | def section_offset(self) -> int:
method size (line 602) | def size(self) -> int:
function copy_inst_with_modification (line 609) | def copy_inst_with_modification(instruction: Instruction,
FILE: rvzr/tc_components/test_case_binary.py
class SymbolTableEntry (line 24) | class SymbolTableEntry(NamedTuple):
class TestCaseBinary (line 43) | class TestCaseBinary:
method __init__ (line 60) | def __init__(self, obj_path: str, parent: TestCaseProgram):
method mark_as_assembled (line 64) | def mark_as_assembled(self) -> None:
method to_bytes (line 68) | def to_bytes(self, padded_section_size: int = 0, padding_byte: bytes =...
method get_macro_offset (line 102) | def get_macro_offset(self, macro_type: int) -> int:
method assign_elf_data (line 115) | def assign_elf_data(self, symbol_table: List[SymbolTableEntry],
method symbol_table (line 126) | def symbol_table(self) -> List[SymbolTableEntry]:
method instruction_map (line 131) | def instruction_map(self) -> InstructionMap:
method save_rcbf (line 136) | def save_rcbf(self, path: str) -> None:
FILE: rvzr/tc_components/test_case_code.py
class InstructionNode (line 22) | class InstructionNode:
method __init__ (line 39) | def __init__(self, instruction: Instruction, parent: BasicBlock):
method __str__ (line 45) | def __str__(self) -> str:
class BasicBlock (line 49) | class BasicBlock:
method __init__ (line 70) | def __init__(self, name: str, parent: Optional[Function] = None, is_ex...
method __str__ (line 77) | def __str__(self) -> str:
method __len__ (line 80) | def __len__(self) -> int:
method __iter__ (line 91) | def __iter__(self) -> GeneratorType[Instruction, None, None]:
method iter_nodes (line 98) | def iter_nodes(self) -> GeneratorType[InstructionNode, None, None]:
method get_owner (line 105) | def get_owner(self) -> Actor:
method insert_after (line 112) | def insert_after(self, position: Optional[InstructionNode], inst: Inst...
method insert_before (line 147) | def insert_before(self, position: Optional[InstructionNode], inst: Ins...
method delete (line 182) | def delete(self, target: InstructionNode) -> None:
method get_first (line 211) | def get_first(self, exclude_macros: bool = False) -> Optional[Instruct...
method get_last (line 228) | def get_last(self) -> Optional[InstructionNode]:
method find_instruction_node (line 234) | def find_instruction_node(self, inst: Instruction) -> Optional[Instruc...
class Function (line 246) | class Function:
method __init__ (line 266) | def __init__(self, name: str, parent: CodeSection):
method __len__ (line 272) | def __len__(self) -> int:
method __iter__ (line 276) | def __iter__(self) -> GeneratorType[BasicBlock, None, None]:
method __getitem__ (line 281) | def __getitem__(self, id_: int) -> BasicBlock:
method append (line 287) | def append(self, bb: BasicBlock) -> None:
method extend (line 294) | def extend(self, bb_list: List[BasicBlock]) -> None:
method get_first_bb (line 300) | def get_first_bb(self) -> BasicBlock:
method get_exit_bb (line 306) | def get_exit_bb(self) -> BasicBlock:
method get_owner (line 314) | def get_owner(self) -> Actor:
class _ELFSectionData (line 319) | class _ELFSectionData(TypedDict):
class CodeSection (line 326) | class CodeSection:
method __init__ (line 346) | def __init__(self, owner: Actor):
method __iter__ (line 352) | def __iter__(self) -> GeneratorType[Function, None, None]:
method __len__ (line 357) | def __len__(self) -> int:
method __getitem__ (line 361) | def __getitem__(self, id_: int) -> Function:
method append (line 365) | def append(self, func: Function) -> None:
method assign_elf_data (line 371) | def assign_elf_data(self, offset: int, size: int, id_: int) -> None:
method get_elf_data (line 379) | def get_elf_data(self) -> _ELFSectionData:
class TestCaseProgram (line 392) | class TestCaseProgram:
method __init__ (line 406) | def __init__(self, asm_path: str, seed: int = 0):
method __len__ (line 414) | def __len__(self) -> int:
method __getitem__ (line 418) | def __getitem__(self, id_: int) -> CodeSection:
method get_tc_exit_bb (line 422) | def get_tc_exit_bb(self) -> BasicBlock:
method __iter__ (line 428) | def __iter__(self) -> GeneratorType[CodeSection, None, None]:
method iter_functions (line 433) | def iter_functions(self) -> GeneratorType[Function, None, None]:
method iter_basic_blocks (line 439) | def iter_basic_blocks(self) -> GeneratorType[BasicBlock, None, None]:
method assign_obj (line 451) | def assign_obj(self, obj_path: str) -> None:
method mark_as_assembled (line 461) | def mark_as_assembled(self) -> None:
method get_obj (line 467) | def get_obj(self) -> TestCaseBinary:
method reassign_asm_file (line 477) | def reassign_asm_file(self, asm_path: str) -> None:
method asm_path (line 483) | def asm_path(self) -> str:
method save (line 487) | def save(self, path: str) -> None:
method add_actor_with_section (line 497) | def add_actor_with_section(self, actor: Actor, allow_overwrite: bool =...
method get_actors (line 535) | def get_actors(self, sorted_: bool = False) -> List[Actor]:
method find_actor (line 545) | def find_actor(self,
method n_actors (line 572) | def n_actors(self) -> int:
method get_sections (line 581) | def get_sections(self) -> List[CodeSection]:
method find_section (line 585) | def find_section(self, name: str) -> CodeSection:
method find_function (line 597) | def find_function(self, name: str) -> Function:
FILE: rvzr/tc_components/test_case_data.py
class InputData (line 43) | class InputData(UINT_NDARRAY):
method __new__ (line 85) | def __new__(cls, n_actors: int = 1) -> InputData:
method __array_finalize__ (line 89) | def __array_finalize__(self, obj: Optional[UINT_NDARRAY]) -> None: # ...
method data_size_per_actor (line 98) | def data_size_per_actor(cls) -> int:
method n_data_entries_per_actor (line 106) | def n_data_entries_per_actor(cls) -> int:
method __hash__ (line 119) | def __hash__(self) -> int: # type: ignore
method __str__ (line 124) | def __str__(self) -> str:
method __repr__ (line 127) | def __repr__(self) -> str:
method set_actor_data (line 130) | def set_actor_data(self, actor_id: 'ActorID', data: UINT_NDARRAY) -> N...
method save (line 147) | def save(self, path: str) -> None:
method load (line 156) | def load(self, path: str) -> None:
method linear_view (line 170) | def linear_view(self, actor_id: ActorID) -> UINT_NDARRAY:
function save_input_sequence_as_rdbf (line 181) | def save_input_sequence_as_rdbf(inputs: List[InputData], path: str) -> N...
class InputTaint (line 225) | class InputTaint(BOOL_NDARRAY):
method __new__ (line 237) | def __new__(cls, n_actors: int = 1) -> InputTaint:
method __array_finalize__ (line 242) | def __array_finalize__(self, obj: Optional[UINT_NDARRAY]) -> None: # ...
method linear_view (line 247) | def linear_view(self, actor_id: 'ActorID') -> BOOL_NDARRAY:
method full_linear_view (line 257) | def full_linear_view(self) -> np.ndarray[Tuple[int, ...], np.dtype[np....
method taint_actor_offsets (line 266) | def taint_actor_offsets(self, actor_id: 'ActorID', offsets: List[int])...
method taint_offset_from_sandbox_address (line 279) | def taint_offset_from_sandbox_address(cls, sb_address: int) -> int:
FILE: rvzr/traces.py
class CTraceEntry (line 30) | class CTraceEntry(NamedTuple):
class CTrace (line 41) | class CTrace:
method empty_trace (line 58) | def empty_trace(cls) -> CTrace:
method __init__ (line 62) | def __init__(self, trace: List[CTraceEntry]) -> None:
method __str__ (line 70) | def __str__(self) -> str:
method full_str (line 86) | def full_str(self,
method __eq__ (line 130) | def __eq__(self, other: object) -> bool:
method __lt__ (line 135) | def __lt__(self, other: CTrace) -> bool:
method __gt__ (line 138) | def __gt__(self, other: CTrace) -> bool:
method __len__ (line 141) | def __len__(self) -> int:
method __hash__ (line 144) | def __hash__(self) -> int:
method is_empty (line 147) | def is_empty(self) -> bool:
method get_untyped (line 151) | def get_untyped(self) -> UntypedCTrace:
method get_typed (line 157) | def get_typed(self) -> List[CTraceEntry]:
method set_printed_as_l1d (line 161) | def set_printed_as_l1d(self, val: bool = True) -> None:
class HTrace (line 188) | class HTrace:
method empty_trace (line 205) | def empty_trace(cls, type_: HTraceType = "cache") -> HTrace:
method invalid_trace (line 210) | def invalid_trace(cls, type_: HTraceType = "cache") -> HTrace:
method __init__ (line 215) | def __init__(self, htrace_samples: ArrayOfSamples, type_: HTraceType =...
method __str__ (line 229) | def __str__(self) -> str:
method full_str (line 232) | def full_str(self,
method _full_arch_str (line 256) | def _full_arch_str(self, line_prefix: str) -> str:
method _full_tsc_str (line 275) | def _full_tsc_str(self, line_prefix: str) -> str:
method _full_cache_str (line 290) | def _full_cache_str(self, line_prefix: str, r1_col: str, r2_col: str, ...
method full_pair_str (line 310) | def full_pair_str(self,
method _full_tsc_pair_str (line 328) | def _full_tsc_pair_str(self, other: HTrace) -> str:
method _full_cache_pair_str (line 346) | def _full_cache_pair_str(self, other: HTrace, r1_col: str, r2_col: str...
method __eq__ (line 372) | def __eq__(self, other: object) -> bool:
method __len__ (line 377) | def __len__(self) -> int:
method __hash__ (line 380) | def __hash__(self) -> int:
method merge (line 383) | def merge(self, other: HTrace) -> HTrace:
method is_empty (line 392) | def is_empty(self) -> bool:
method is_corrupted_or_ignored (line 396) | def is_corrupted_or_ignored(self) -> bool:
method get_raw_readings (line 404) | def get_raw_readings(self) -> ArrayOfSamples:
method get_raw_traces (line 409) | def get_raw_traces(self) -> npt.NDArray[np.uint64]:
method sample_size (line 413) | def sample_size(self) -> int:
method get_max_pfc (line 417) | def get_max_pfc(self) -> PFCTuple:
class TraceBundle (line 432) | class TraceBundle(NamedTuple):
function _default_eq_function (line 447) | def _default_eq_function(htrace1: HTrace, htrace2: HTrace) -> bool:
class HardwareEqClass (line 452) | class HardwareEqClass:
method __init__ (line 468) | def __init__(self, measurements: List[TraceBundle]) -> None:
method build_hw_classes (line 473) | def build_hw_classes(
method __len__ (line 515) | def __len__(self) -> int:
method __iter__ (line 518) | def __iter__(self) -> Generator[TraceBundle, None, None]:
method __getitem__ (line 521) | def __getitem__(self, index: int) -> TraceBundle:
method __eq__ (line 524) | def __eq__(self, other: object) -> bool:
class ContractEqClass (line 534) | class ContractEqClass:
method __init__ (line 551) | def __init__(self, measurements: List[TraceBundle]) -> None:
method build_contract_classes (line 560) | def build_contract_classes(cls, measurements: List[TraceBundle]) -> Li...
method __len__ (line 582) | def __len__(self) -> int:
method set_hw_classes (line 585) | def set_hw_classes(self, hw_classes: List[HardwareEqClass]) -> None:
method set_trivial_hw_classes (line 593) | def set_trivial_hw_classes(self) -> None:
method get_hw_classes (line 601) | def get_hw_classes(self) -> List[HardwareEqClass]:
class Violation (line 610) | class Violation(ContractEqClass):
method __init__ (line 626) | def __init__(self, measurements: List[TraceBundle], input_sequence: Li...
method from_contract_eq_class (line 633) | def from_contract_eq_class(cls, eq_class: ContractEqClass, input_seque...
method pseudo_violation_from_inputs (line 646) | def pseudo_violation_from_inputs(cls, input_sequence: List[InputData],
method full_str (line 670) | def full_str(self, region1_col: str = "", region2_col: str = "", reset...
FILE: rvzr/unicorn.pyi
class Uc (line 8) | class Uc(object):
method __init__ (line 10) | def __init__(self, arch: int, mode: int):
method emu_start (line 13) | def emu_start(self, begin: int, until: int, timeout: int = 0, count: i...
method emu_stop (line 16) | def emu_stop(self) -> None:
method reg_read (line 19) | def reg_read(self, reg_id: int, opt: Optional[int] = None) -> int:
method reg_write (line 22) | def reg_write(self, reg_id: int, value: int) -> None:
method msr_read (line 25) | def msr_read(self, msr_id: int) -> int:
method msr_write (line 28) | def msr_write(self, msr_id: int, value: int) -> None:
method mem_read (line 31) | def mem_read(self, address: int, size: int) -> bytearray:
method mem_write (line 34) | def mem_write(self, address: int, data: bytes) -> None:
method mem_map (line 37) | def mem_map(self, address: int, size: int, perms: int = ...) -> None:
method mem_map_ptr (line 40) | def mem_map_ptr(self, address: int, size: int, perms: int, ptr: int) -...
method mem_unmap (line 43) | def mem_unmap(self, address: int, size: int) -> None:
method mem_protect (line 46) | def mem_protect(self, address: int, size: int, perms: int = ...) -> None:
method query (line 49) | def query(self, query_mode: int) -> int:
method hook_add (line 52) | def hook_add(self,
method hook_del (line 62) | def hook_del(self, h: int) -> None:
method context_save (line 65) | def context_save(self) -> object:
method context_update (line 68) | def context_update(self, context: object) -> None:
method context_restore (line 71) | def context_restore(self, context: object) -> None:
method mem_regions (line 74) | def mem_regions(self) -> Generator[Tuple[int, int], None, None]:
class UcError (line 78) | class UcError(BaseException):
FILE: tests/arm64/model_common.py
class Inst (line 43) | class Inst:
method __init__ (line 51) | def __init__(self, text: str, size: int, mem_address: int, mem_value: ...
class InstList (line 59) | class InstList:
method __init__ (line 63) | def __init__(self, instructions: List[Inst]):
method __iter__ (line 71) | def __iter__(self) -> Generator[Inst, None, None]:
method __getitem__ (line 74) | def __getitem__(self, index: int) -> Inst:
method set_offsets (line 78) | def set_offsets(instructions: List[Inst]) -> None:
method to_test_case (line 85) | def to_test_case(self) -> TestCaseProgram:
function get_default_input (line 109) | def get_default_input() -> InputData:
FILE: tests/arm64/unit_generators.py
class ARM64GeneratorTest (line 38) | class ARM64GeneratorTest(unittest.TestCase):
method setUpClass (line 41) | def setUpClass(cls) -> None:
method load_tc (line 46) | def load_tc(asm_str: str) -> TestCaseProgram:
method test_arm64_configuration (line 61) | def test_arm64_configuration(self) -> None:
method test_arm64_all_instructions (line 68) | def test_arm64_all_instructions(self) -> None:
method test_arm64_asm_parsing_basic (line 120) | def test_arm64_asm_parsing_basic(self) -> None:
method test_arm64_asm_parsing_opcode (line 147) | def test_arm64_asm_parsing_opcode(self) -> None:
method test_arm64_asm_parsing_section (line 158) | def test_arm64_asm_parsing_section(self) -> None:
method test_arm64_asm_parsing_symbols (line 204) | def test_arm64_asm_parsing_symbols(self) -> None:
FILE: tests/arm64/unit_isa_loader.py
class ARM64ISALoaderTest (line 16) | class ARM64ISALoaderTest(unittest.TestCase):
method test_loading (line 18) | def test_loading(self) -> None:
FILE: tests/scripts/create_rcbf_file.py
function write_actor_metadata (line 16) | def write_actor_metadata(f, entry):
function write_st_entry (line 25) | def write_st_entry(f, entry):
function write_metadata_entry (line 32) | def write_metadata_entry(f, entry):
function write_nop (line 38) | def write_nop(f, arch: str):
function get_macro_placeholder_size (line 45) | def get_macro_placeholder_size(arch: str):
function main (line 51) | def main(asm_file: str, obj_file: str, arch: str):
FILE: tests/scripts/create_rdbf_file.py
function main (line 13) | def main(dest_file: str, n_inputs: int, n_actors: int):
FILE: tests/unit_analyser.py
function _htrace_from_trace (line 19) | def _htrace_from_trace(trace_list: List[int]) -> HTrace:
function _ctrace_from_int (line 26) | def _ctrace_from_int(trace: int) -> CTrace:
class AnalyserTest (line 30) | class AnalyserTest(unittest.TestCase):
method test_merged_bitmap_analyser (line 32) | def test_merged_bitmap_analyser(self) -> None:
method test_set_analyser (line 48) | def test_set_analyser(self) -> None:
method test_chi2_analyser (line 64) | def test_chi2_analyser(self) -> None:
FILE: tests/unit_docs.py
function _is_option_name (line 21) | def _is_option_name(line: str) -> bool:
function parse_config_options_from_docs (line 26) | def parse_config_options_from_docs(doc_lines: List[str]) -> Dict[str, Li...
class DocumentationTest (line 93) | class DocumentationTest(unittest.TestCase):
method test_conf_docs (line 99) | def test_conf_docs(self) -> None:
method test_conf_options_docs (line 117) | def test_conf_options_docs(self) -> None:
FILE: tests/unit_fuzzer.py
function _mk_ctrace (line 27) | def _mk_ctrace(value: int) -> CTrace:
function _mk_htrace (line 32) | def _mk_htrace(trace_value: int, sample_size: int = 100) -> HTrace:
function _mk_violation (line 40) | def _mk_violation(n_inputs: int = 2) -> Violation:
function _temp_conf_override (line 58) | def _temp_conf_override(**kwargs: Any) -> Iterator[None]:
class _MockSetup (line 74) | class _MockSetup:
method __init__ (line 77) | def __init__(self, inputs: List[InputData]) -> None:
method configure_mocks (line 85) | def configure_mocks(
class FuzzerRoundTest (line 101) | class FuzzerRoundTest(unittest.TestCase):
method setUp (line 107) | def setUp(self) -> None:
method tearDown (line 159) | def tearDown(self) -> None:
method test_fuzzing_round_no_violation_fast_path (line 168) | def test_fuzzing_round_no_violation_fast_path(self) -> None:
method test_fuzzing_round_violation_detected_survives_all_stages (line 184) | def test_fuzzing_round_violation_detected_survives_all_stages(self) ->...
method test_fuzzing_round_fp_filtered_by_nesting (line 214) | def test_fuzzing_round_fp_filtered_by_nesting(self) -> None:
method test_fuzzing_round_fp_filtered_by_taint_mistake (line 231) | def test_fuzzing_round_fp_filtered_by_taint_mistake(self) -> None:
method test_fuzzing_round_fp_filtered_by_priming (line 256) | def test_fuzzing_round_fp_filtered_by_priming(self) -> None:
method test_fuzzing_round_noise_stage_extends_htraces (line 274) | def test_fuzzing_round_noise_stage_extends_htraces(self) -> None:
method test_fuzzing_round_architectural_mismatch_detected (line 306) | def test_fuzzing_round_architectural_mismatch_detected(self) -> None:
method test_fuzzing_round_executor_error_handled (line 343) | def test_fuzzing_round_executor_error_handled(self) -> None:
method test_fuzzing_round_with_ignore_list (line 361) | def test_fuzzing_round_with_ignore_list(self) -> None:
method test_fuzzing_round_empty_inputs (line 375) | def test_fuzzing_round_empty_inputs(self) -> None:
method test_round_state_configuration (line 393) | def test_round_state_configuration(self) -> None:
method test_round_manager_stage_execution_order (line 407) | def test_round_manager_stage_execution_order(self) -> None:
class FuzzerStartTest (line 432) | class FuzzerStartTest(unittest.TestCase):
method setUp (line 435) | def setUp(self) -> None:
method tearDown (line 461) | def tearDown(self) -> None:
method test_start_no_violations_found (line 465) | def test_start_no_violations_found(self) -> None:
method test_start_violation_found_stop (line 480) | def test_start_violation_found_stop(self) -> None:
method test_start_violation_found_nonstop (line 497) | def test_start_violation_found_nonstop(self) -> None:
FILE: tests/unit_isa_loader.py
class InstructionSetParserTest (line 52) | class InstructionSetParserTest(unittest.TestCase):
method test_parsing (line 54) | def test_parsing(self) -> None:
method test_dedup_identical (line 88) | def test_dedup_identical(self) -> None:
FILE: tests/unit_stats.py
class StatsTest (line 15) | class StatsTest(unittest.TestCase):
method test_borg (line 17) | def test_borg(self) -> None:
method test_str (line 23) | def test_str(self) -> None:
method test_get_brief (line 37) | def test_get_brief(self) -> None:
FILE: tests/unit_tc_components.py
function _get_dummy_actor_dict (line 30) | def _get_dummy_actor_dict() -> ActorConf:
function _get_mock_target_desc (line 50) | def _get_mock_target_desc() -> MagicMock:
class ActorTest (line 63) | class ActorTest(unittest.TestCase):
method test_dict_constructor (line 65) | def test_dict_constructor(self) -> None:
method test_create_main (line 95) | def test_create_main(self) -> None:
method test_get_id (line 104) | def test_get_id(self) -> None:
method test_is_main (line 120) | def test_is_main(self) -> None:
method test_pte_constructor (line 132) | def test_pte_constructor(self) -> None:
class InstructionSpecTest (line 154) | class InstructionSpecTest(unittest.TestCase):
method test_OT_str (line 156) | def test_OT_str(self) -> None:
method test_operand_str (line 165) | def test_operand_str(self) -> None:
method test_instruction_spec_str (line 176) | def test_instruction_spec_str(self) -> None:
method test_instruction_spec_hash (line 185) | def test_instruction_spec_hash(self) -> None:
class OperandTest (line 195) | class OperandTest(unittest.TestCase):
method test_operand_from_spec (line 197) | def test_operand_from_spec(self) -> None:
method test_flag_print (line 214) | def test_flag_print(self) -> None:
method test_flag_accessors (line 218) | def test_flag_accessors(self) -> None:
method test_operand_copy_methods (line 227) | def test_operand_copy_methods(self) -> None:
class InstructionTest (line 259) | class InstructionTest(unittest.TestCase):
method test_instruction_from_spec (line 261) | def test_instruction_from_spec(self) -> None:
method test_instruction_str (line 280) | def test_instruction_str(self) -> None:
method test_instr_add_op (line 289) | def test_instr_add_op(self) -> None:
method test_instr_properties (line 304) | def test_instr_properties(self) -> None:
method test_operand_accessors (line 354) | def test_operand_accessors(self) -> None:
method test_copy_with_modification (line 410) | def test_copy_with_modification(self) -> None:
method test_line_num_interface (line 460) | def test_line_num_interface(self) -> None:
class TestCaseBinaryTest (line 471) | class TestCaseBinaryTest(unittest.TestCase):
method test_get_macro_offset (line 473) | def test_get_macro_offset(self) -> None:
class TestCaseCodeTest (line 496) | class TestCaseCodeTest(unittest.TestCase):
method test_basic_block_str (line 498) | def test_basic_block_str(self) -> None:
method test_basic_block_get_owner (line 502) | def test_basic_block_get_owner(self) -> None:
class InputDataTest (line 517) | class InputDataTest(unittest.TestCase):
method test_data_sizes (line 519) | def test_data_sizes(self) -> None:
method test_hash (line 526) | def test_hash(self) -> None:
method test_str (line 530) | def test_str(self) -> None:
method test_set_actor_data (line 536) | def test_set_actor_data(self) -> None:
method test_save (line 552) | def test_save(self) -> None:
method test_load (line 573) | def test_load(self) -> None:
method test_linear_view (line 590) | def test_linear_view(self) -> None:
FILE: tests/unit_traces.py
class TestCTrace (line 25) | class TestCTrace(unittest.TestCase):
method test_empty_constructor (line 28) | def test_empty_constructor(self) -> None:
method test_str (line 35) | def test_str(self) -> None:
method test_full_str (line 49) | def test_full_str(self) -> None:
method test_default_methods (line 76) | def test_default_methods(self) -> None:
method test_accessors (line 100) | def test_accessors(self) -> None:
class TestHTrace (line 119) | class TestHTrace(unittest.TestCase):
method test_empty_constructor (line 122) | def test_empty_constructor(self) -> None:
method test_invalid_constructor (line 129) | def test_invalid_constructor(self) -> None:
method test_printers (line 135) | def test_printers(self) -> None:
method test_pair_printers (line 163) | def test_pair_printers(self) -> None:
method test_default_methods (line 189) | def test_default_methods(self) -> None:
method test_merge (line 208) | def test_merge(self) -> None:
method test_accessors (line 217) | def test_accessors(self) -> None:
function _get_bundle_set (line 238) | def _get_bundle_set() -> list[TraceBundle]:
class TestHardwareEqClass (line 262) | class TestHardwareEqClass(unittest.TestCase):
method test_hw_class_builder (line 265) | def test_hw_class_builder(self) -> None:
method test_default_methods (line 278) | def test_default_methods(self) -> None:
class TestContractEqClass (line 299) | class TestContractEqClass(unittest.TestCase):
method test_contract_class_builder (line 302) | def test_contract_class_builder(self) -> None:
method test_accessors (line 315) | def test_accessors(self) -> None:
class TestViolation (line 340) | class TestViolation(unittest.TestCase):
method test_constructors (line 343) | def test_constructors(self) -> None:
FILE: tests/x86_tests/model_common.py
class Inst (line 56) | class Inst:
class InstList (line 65) | class InstList:
method __init__ (line 69) | def __init__(self, instructions: List[Inst], backend: Backend):
method _wrap_instructions_for_backend (line 78) | def _wrap_instructions_for_backend(self, instructions: List[Inst]) -> ...
method _wrap_instructions_for_dr (line 84) | def _wrap_instructions_for_dr(self, instructions: List[Inst]) -> List[...
method _wrap_instructions_for_uc (line 95) | def _wrap_instructions_for_uc(self, instructions: List[Inst]) -> List[...
method __iter__ (line 105) | def __iter__(self) -> Generator[Inst, None, None]:
method __getitem__ (line 108) | def __getitem__(self, index: int) -> Inst:
method set_offsets (line 111) | def set_offsets(self, instructions: List[Inst]) -> None:
method to_test_case (line 118) | def to_test_case(self) -> TestCaseProgram:
method get_expected_observations (line 148) | def get_expected_observations(self, execution_order: List[int], observ...
method _adjust_execution_order_for_backend (line 161) | def _adjust_execution_order_for_backend(self, execution_order: List[in...
method _adjust_order_for_dr (line 170) | def _adjust_order_for_dr(self, execution_order: List[int], last_org_id...
method _adjust_order_for_uc (line 184) | def _adjust_order_for_uc(self, execution_order: List[int], last_org_id...
method _collect_observations (line 197) | def _collect_observations(self, execution_order: List[int], observe_pc...
class InputBuilder (line 215) | class InputBuilder:
method get_default_input (line 218) | def get_default_input(self) -> InputData:
method get_input_with_zeroed_gprs (line 232) | def get_input_with_zeroed_gprs(self, *gpr_indices: int) -> InputData:
method get_input_with_zeroed_memory (line 243) | def get_input_with_zeroed_memory(self, **memory_regions: int) -> Input...
FILE: tests/x86_tests/unit_dr_decoder.py
class DRTraceDecodeTest (line 145) | class DRTraceDecodeTest(unittest.TestCase):
method _find_entry_of_type (line 153) | def _find_entry_of_type(self, t: TraceEntryType) -> dict[str, Any]:
method _encode_from_dict (line 160) | def _encode_from_dict(self, entry: dict[str, Any]) -> bytes:
method _check_trace_equivalence (line 163) | def _check_trace_equivalence(self, expected: dict[str, Any], decoded: ...
method test_trace_decoding (line 171) | def test_trace_decoding(self) -> None:
method test_is_corrupted (line 193) | def test_is_corrupted(self) -> None:
class DRDebugTraceDecodeTest (line 222) | class DRDebugTraceDecodeTest(unittest.TestCase):
method _find_entry_of_type (line 230) | def _find_entry_of_type(self, t: DebugTraceEntryType) -> dict[str, Any]:
method _encode_from_dict (line 237) | def _encode_from_dict(self, entry: dict[str, Any]) -> bytes:
method _check_dbg_trace_equivalence (line 257) | def _check_dbg_trace_equivalence(self, expected: dict[str, Any], decod...
method test_debug_entry_decoding (line 320) | def test_debug_entry_decoding(self) -> None:
method test_debug_trace_decoding (line 331) | def test_debug_trace_decoding(self) -> None:
method test_is_corrupted (line 353) | def test_is_corrupted(self) -> None:
FILE: tests/x86_tests/unit_fuzzer.py
class X86FuzzerTest (line 30) | class X86FuzzerTest(unittest.TestCase):
method setUpClass (line 33) | def setUpClass(cls) -> None:
method test__create_fenced_test_case (line 37) | def test__create_fenced_test_case(self) -> None:
FILE: tests/x86_tests/unit_generators.py
class X86GeneratorTest (line 66) | class X86GeneratorTest(unittest.TestCase):
method setUpClass (line 69) | def setUpClass(cls) -> None:
method load_tc (line 74) | def load_tc(asm_str: str) -> TestCaseProgram:
method test_x86_configuration (line 89) | def test_x86_configuration(self) -> None:
method _test_all_instructions (line 96) | def _test_all_instructions(self, instruction_set: InstructionSet) -> N...
method test_x86_all_instructions_reduced (line 143) | def test_x86_all_instructions_reduced(self) -> None:
method test_x86_all_instructions_full (line 148) | def test_x86_all_instructions_full(self) -> None:
method test_x86_asm_parsing_basic (line 156) | def test_x86_asm_parsing_basic(self) -> None:
method test_x86_asm_parsing_opcode (line 183) | def test_x86_asm_parsing_opcode(self) -> None:
method test_x86_asm_parsing_section (line 194) | def test_x86_asm_parsing_section(self) -> None:
method test_x86_asm_parsing_symbols (line 240) | def test_x86_asm_parsing_symbols(self) -> None:
method test_x86_undef_flag_patch (line 265) | def test_x86_undef_flag_patch(self) -> None:
FILE: tests/x86_tests/unit_isa_loader.py
class x86ISALoaderTest (line 16) | class x86ISALoaderTest(unittest.TestCase):
method test_instruction_filtering (line 18) | def test_instruction_filtering(self) -> None:
FILE: tests/x86_tests/unit_model.py
function skip_for_backend (line 46) | def skip_for_backend(backend: Backend, reason: str = "not supported") ->...
class _SharedX86Model (line 71) | class _SharedX86Model(unittest.TestCase):
method setUpClass (line 83) | def setUpClass(cls) -> None:
method _configure_class (line 88) | def _configure_class(cls,
method _teardown_class (line 109) | def _teardown_class(cls) -> None:
method __init__ (line 115) | def __init__(self, methodName: str = "runTest") -> None:
method setUp (line 119) | def setUp(self) -> None:
method tearDown (line 123) | def tearDown(self) -> None:
method _get_default_ct_trace (line 128) | def _get_default_ct_trace() -> List[int]:
method _save_conf (line 133) | def _save_conf(self) -> None:
method _restore_conf (line 138) | def _restore_conf(self) -> None:
method _get_model (line 146) | def _get_model(self,
method _get_trace (line 153) | def _get_trace(self,
method test_no_trace (line 173) | def test_no_trace(self) -> None:
method test_mismatch_check_mode (line 188) | def test_mismatch_check_mode(self) -> None:
method test_mismatch_check_mode_2 (line 218) | def test_mismatch_check_mode_2(self) -> None:
method test_l1d_seq (line 244) | def test_l1d_seq(self) -> None:
method test_ct_seq (line 262) | def test_ct_seq(self) -> None:
method test_checkpoint_rollback_registers (line 282) | def test_checkpoint_rollback_registers(self) -> None:
method test_checkpoint_rollback_memory (line 303) | def test_checkpoint_rollback_memory(self) -> None:
method test_checkpoint_rollback_nested (line 326) | def test_checkpoint_rollback_nested(self) -> None:
method test_ct_cond (line 357) | def test_ct_cond(self) -> None:
method test_ct_cond_double (line 396) | def test_ct_cond_double(self) -> None:
method test_rollback_on_fence (line 438) | def test_rollback_on_fence(self) -> None:
method test_ct_bpas (line 463) | def test_ct_bpas(self) -> None:
method test_fault_handling (line 501) | def test_fault_handling(self) -> None:
method test_ct_deh (line 520) | def test_ct_deh(self) -> None:
method test_ct_nullinj_assist (line 549) | def test_ct_nullinj_assist(self) -> None:
method test_ct_nullinj_term (line 595) | def test_ct_nullinj_term(self) -> None:
method test_ct_meltdown (line 633) | def test_ct_meltdown(self) -> None:
method test_arch_seq (line 667) | def test_arch_seq(self) -> None:
method test_ind (line 691) | def test_ind(self) -> None:
method test_ind_spec (line 722) | def test_ind_spec(self) -> None:
method test_ind_poison (line 761) | def test_ind_poison(self) -> None:
class X86DRModelTest (line 812) | class X86DRModelTest(_SharedX86Model):
method __init__ (line 815) | def __init__(self, methodName: str) -> None:
method setUpClass (line 821) | def setUpClass(cls) -> None:
method tearDownClass (line 825) | def tearDownClass(cls) -> None:
method setUp (line 828) | def setUp(self) -> None:
method _skip_if_not_installed (line 832) | def _skip_if_not_installed(self) -> None:
method _get_model (line 838) | def _get_model(self,
method test_clause_configuration (line 850) | def test_clause_configuration(self) -> None:
method test_load_test_case (line 876) | def test_load_test_case(self) -> None:
method test_tc_dispatch (line 896) | def test_tc_dispatch(self) -> None:
class UnicornModelTest (line 957) | class UnicornModelTest(_SharedX86Model): # pylint: disable=too-many-pub...
method __init__ (line 960) | def __init__(self, methodName: str) -> None:
method setUpClass (line 966) | def setUpClass(cls) -> None:
method tearDownClass (line 973) | def tearDownClass(cls) -> None:
method _get_model (line 976) | def _get_model(self,
FILE: tests/x86_tests/unit_taint_tracker.py
class _SharedTaintTrackerTest (line 31) | class _SharedTaintTrackerTest(ABC, unittest.TestCase):
method setUpClass (line 45) | def setUpClass(cls) -> None:
method tearDownClass (line 61) | def tearDownClass(cls) -> None:
method __init__ (line 66) | def __init__(self, methodName: str) -> None:
method _get_model (line 70) | def _get_model(self) -> Union[DynamoRIOModel, X86UnicornModel]:
method _trace_with_taints (line 79) | def _trace_with_taints(self, test_case: InstList,
method _run_taint_test (line 88) | def _run_taint_test(self, instructions: List[Inst], input_: InputData)...
method test_basic_taint (line 99) | def test_basic_taint(self) -> None:
method test_reg_to_reg (line 107) | def test_reg_to_reg(self) -> None:
method test_mem_to_reg (line 117) | def test_mem_to_reg(self) -> None:
method test_load_to_store (line 130) | def test_load_to_store(self) -> None:
method test_unaligned_memory_access_taints_both_qwords (line 141) | def test_unaligned_memory_access_taints_both_qwords(self) -> None:
method test_simd_register_dependencies_are_tracked (line 153) | def test_simd_register_dependencies_are_tracked(self) -> None:
method test_32bit_writes_preserve_64bit_dependencies (line 166) | def test_32bit_writes_preserve_64bit_dependencies(self) -> None:
method test_lea_address_computation_propagates_taint (line 179) | def test_lea_address_computation_propagates_taint(self) -> None:
method test_control_flow_dependency_taints_condition (line 190) | def test_control_flow_dependency_taints_condition(self) -> None:
class X86DRTaintTrackerTest (line 205) | class X86DRTaintTrackerTest(_SharedTaintTrackerTest):
method _skip_if_not_installed (line 211) | def _skip_if_not_installed(self) -> None:
method setUp (line 217) | def setUp(self) -> None:
class UnicornTaintTrackerTest (line 221) | class UnicornTaintTrackerTest(_SharedTaintTrackerTest): # pylint: disab...
Condensed preview — 378 files, each showing path, character count, and a content snippet. The full structured content is 3,026K chars.
[
{
"path": ".editorconfig",
"chars": 855,
"preview": "# https://editorconfig.org/\n\nroot = true\n\n[*]\nindent_style = space\nindent_size = 4\ninsert_final_newline = true\ntrim_trai"
},
{
"path": ".github/CODEOWNERS",
"chars": 26,
"preview": "* @OleksiiOleksenko\n"
},
{
"path": ".github/workflows/kmodule-build.yaml",
"chars": 1184,
"preview": "# This workflow will build the kernel module on multiple Ubuntu versions\nname: Kmodule Build\n\non:\n push:\n branches:\n"
},
{
"path": ".github/workflows/python-lint-and-test.yaml",
"chars": 1044,
"preview": "# This workflow will install Python dependencies, run tests and lint with a variety of Python versions\n# For more inform"
},
{
"path": ".gitignore",
"chars": 268,
"preview": "cmake-build-*/\nbuild/\n.vscode/\n.mypy_cache/\n.lsync*\nvenv/\n**/__pycache__/\nbase.json\nrvzr/arch/x86/*.json\n*.code-workspac"
},
{
"path": ".gitmodules",
"chars": 0,
"preview": ""
},
{
"path": ".pylintrc",
"chars": 22149,
"preview": "[MAIN]\n\n# Analyse import fallback blocks. This can be used to support both Python 2 and\n# 3 compatible code, which means"
},
{
"path": "AUTHORS",
"chars": 207,
"preview": "Here is an inevitably incomplete list of MUCH-APPRECIATED CONTRIBUTORS:\n\nOleksii Oleksenko\nBoris Koepf\nEmanuele Vannacci"
},
{
"path": "CHANGELOG.md",
"chars": 4638,
"preview": "# Changelog\n\nAll notable changes to Revizor will be documented in this file.\n\nThe format is based on [Keep a Changelog]("
},
{
"path": "CODE_OF_CONDUCT.md",
"chars": 443,
"preview": "# Microsoft Open Source Code of Conduct\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://op"
},
{
"path": "CONTRIBUTING.md",
"chars": 1202,
"preview": "# Contributing\n\nAs an open source project, Revizor welcomes contributions and suggestions.\n\n## Contributor License Agree"
},
{
"path": "LICENSE",
"chars": 1141,
"preview": " MIT License\n\n Copyright (c) Microsoft Corporation.\n\n Permission is hereby granted, free of charge, to any pers"
},
{
"path": "README.md",
"chars": 4834,
"preview": "# Revizor\n\n\n ----------------------------\n.section .data.ma"
},
{
"path": "demo/tsa-sq/config.yaml",
"chars": 1042,
"preview": "instruction_set: x86-64\ninstruction_categories:\n - BASE-BINARY\n - BASE-BITBYTE\n - BASE-CMOV\n - BASE-COND_BR\n - BASE"
},
{
"path": "demo/tsa-sq/template.asm",
"chars": 1889,
"preview": ".intel_syntax noprefix\n\n# ----------------------------- Kernel-mode Actor (Victim) -------------------\n.section .data.ma"
},
{
"path": "docs/assets/branches.drawio",
"chars": 1696,
"preview": "<mxfile host=\"Electron\" modified=\"2024-07-30T08:53:34.216Z\" agent=\"5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li"
},
{
"path": "docs/assets/dr-instrumentation.drawio",
"chars": 27730,
"preview": "<mxfile host=\"Electron\" agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/"
},
{
"path": "docs/assets/dr-model.drawio",
"chars": 34889,
"preview": "<mxfile host=\"Electron\" agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/"
},
{
"path": "docs/assets/fuzzing-flow.drawio",
"chars": 3884,
"preview": "<mxfile host=\"Electron\" modified=\"2025-02-14T10:47:35.820Z\" agent=\"5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li"
},
{
"path": "docs/assets/tsa-sq-template.drawio",
"chars": 2080,
"preview": "<mxfile host=\"Electron\" modified=\"2025-07-21T10:25:41.035Z\" agent=\"5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li"
},
{
"path": "docs/assets/unicorn-model-state-machine.drawio",
"chars": 2692,
"preview": "<mxfile host=\"Electron\" modified=\"2024-11-12T17:35:30.054Z\" agent=\"5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li"
},
{
"path": "docs/faq/general.md",
"chars": 9792,
"preview": "# General FAQ\n\n## Overview\n\n#### What is Revizor? {#what-is-revizor}\n\n: Revizor is a security-oriented fuzzer designed"
},
{
"path": "docs/glossary.md",
"chars": 19115,
"preview": "# Glossary\n\nThis glossary defines key terms used throughout the Revizor documentation. The entries are ordered in such a"
},
{
"path": "docs/howto/ask-a-question.md",
"chars": 717,
"preview": "# Ask a Question\n\nIf you have a question about Revizor, there are several ways to reach out to us:\n\n* For **any question"
},
{
"path": "docs/howto/choose-contract.md",
"chars": 5912,
"preview": "# How to Choose a Contract\n\nThis guide helps you select the appropriate [contract](../glossary.md#speculation-contract) "
},
{
"path": "docs/howto/design-campaign.md",
"chars": 8135,
"preview": "# How to Design a Fuzzing Campaign\n\nThis guide shows you how to design and configure a fuzzing campaign for detecting sp"
},
{
"path": "docs/howto/interpret-results.md",
"chars": 10193,
"preview": "# How to Interpret Violation Results\n\nSo you've run a fuzzing campaign and found a violation. Now what?\n\nThis guide will"
},
{
"path": "docs/howto/minimize.md",
"chars": 10129,
"preview": "# How to Minimize Test Cases\n\nThis guide discussed a process of test case minimization, which aims to reduce complexity "
},
{
"path": "docs/howto/root-cause-a-violation.md",
"chars": 16724,
"preview": "# How to Root-Cause a Violation\n\nThis guide discussed in detail how to identify the root cause of confirmed contract vio"
},
{
"path": "docs/howto/use-macros.md",
"chars": 5271,
"preview": "# How To Use Macros\n\nThis document explains the concept of macros in Revizor and describes how to create test cases that"
},
{
"path": "docs/howto/use-templates.md",
"chars": 2141,
"preview": "# How to Use Templates\n\nTemplate-based mode (`tfuzz`) enables targeted testing of specific CPU scenarios by using predef"
},
{
"path": "docs/index.md",
"chars": 10983,
"preview": "---\ntitle: \"Revizor\"\nhide:\n - navigation\n - toc\n---\n\n<style>\n.md-typeset h1,\n.md-content__button {\n display: none;\n"
},
{
"path": "docs/internals/architecture/analysis.md",
"chars": 1008,
"preview": "| | |\n| ---------------- | ------------------ |\n| Module | `rvzr/analyser."
},
{
"path": "docs/internals/architecture/code.md",
"chars": 1801,
"preview": "# Test Case Code Generation\n\n| | |\n| ---------------- | ----------------------"
},
{
"path": "docs/internals/architecture/data.md",
"chars": 2564,
"preview": "# Test Case Data Generation\n\n| | |\n| ---------------- | ----------------------"
},
{
"path": "docs/internals/architecture/exec.md",
"chars": 1689,
"preview": "# Hardware Tracing\n\n| | |\n| ---------------- | ----------------"
},
{
"path": "docs/internals/architecture/fuzz.md",
"chars": 2964,
"preview": "# Orchestration Module\n\n| | |\n| ---------------- | -----------"
},
{
"path": "docs/internals/architecture/isa.md",
"chars": 862,
"preview": "# Instruction Set Specification\n\n| | |\n| ---------------- | ------------------ |\n| M"
},
{
"path": "docs/internals/architecture/logging.md",
"chars": 791,
"preview": "# Logging\n\n| | |\n| ---------------- | ----------------------------- |\n| M"
},
{
"path": "docs/internals/architecture/mini.md",
"chars": 1611,
"preview": "# Post-violation Analysis\n\n| | |\n| ---------------- | -----------------"
},
{
"path": "docs/internals/architecture/model.md",
"chars": 1646,
"preview": "# Contract Tracing\n\n| | |\n| ---------------- | -------------------------"
},
{
"path": "docs/internals/architecture/overview.md",
"chars": 6790,
"preview": "# Architecture Overview & Code Structure\n\nThis document introduces Revizor's architecture and key components. It is desi"
},
{
"path": "docs/internals/code-structure.md",
"chars": 939,
"preview": "# Code Structure\n\nThe Revizor codebase is organized into the following main directories:\n\n```text\nrvzr/ "
},
{
"path": "docs/internals/contributing/code-style.md",
"chars": 1860,
"preview": "# Code Style\n\nPlease follow these coding standards when writing code for inclusion in Revizor.\n\n## Python\n\n* Unless othe"
},
{
"path": "docs/internals/contributing/general.md",
"chars": 1668,
"preview": "# General Development Guidelines\n\n## Testing\n\nTo run automated tests you will need to install a few more dependencies:\n\n"
},
{
"path": "docs/internals/contributing/git.md",
"chars": 4020,
"preview": "# Git Workflow Guidelines\n\n## Git Messages\n\nWe practice the following conventions for commit messages:\n\n```\n<scope>: [<t"
},
{
"path": "docs/internals/contributing/overview.md",
"chars": 8382,
"preview": "# Guide to Contributing\n\nThis document provides an overview of how to contribute to the Revizor project.\n\n## What can I "
},
{
"path": "docs/internals/index.md",
"chars": 2209,
"preview": "# Developer Documentation\n\nThis section provides technical documentation for developers contributing to Revizor.\n\n## Dev"
},
{
"path": "docs/internals/model-backends/model-dr.md",
"chars": 11662,
"preview": "# DynamoRIO-based Model Backend\n\nThis document describes the DynamoRIO-based model.\nAs any other model, this backend is "
},
{
"path": "docs/internals/model-backends/model-unicorn.md",
"chars": 1225,
"preview": "# Unicorn Backend\n\nUnicorn backend architecture:\n\n```text\nUnicornModel (main orchestrator)\n ├─ UnicornTracer "
},
{
"path": "docs/intro/01-overview.md",
"chars": 7549,
"preview": "# Revizor at a Glance\n\n## What is Revizor?\n\nRevizor is a security-oriented fuzzer that detects microarchitectural inform"
},
{
"path": "docs/intro/02-install.md",
"chars": 3461,
"preview": "# Installation\n\n**Warning**:\nRevizor runs randomly-generated code in kernel space.\nThis means that a misconfiguration (o"
},
{
"path": "docs/intro/03-primer.md",
"chars": 30685,
"preview": "# Primer: Speculation Contracts and Model-Based Relational Testing\n\nBelow is a brief primer on the theoretical foundatio"
},
{
"path": "docs/intro/04-tutorials.md",
"chars": 1358,
"preview": "# Starting with Tutorials\n\nLet's learn by example.\n\nThis is a starting point for a tutorial series that will teach you h"
},
{
"path": "docs/intro/start-here.md",
"chars": 1154,
"preview": "# Getting started\n\nNew to Revizor? Or to side-channel testing in general? You came to the right\nplace: read this materia"
},
{
"path": "docs/intro/tutorials/01-first-fuzz.md",
"chars": 7436,
"preview": "# Tutorial 1: Your First Fuzz\n\nThis is the first part of the tutorial on the basic usage of Revizor.\n\n### Overview\n\nIn t"
},
{
"path": "docs/intro/tutorials/02-first-vuln.md",
"chars": 23914,
"preview": "# Tutorial 2: Detecting Your First Vulnerability\n\nThis tutorial is the first step into actual vulnerability detection. Y"
},
{
"path": "docs/intro/tutorials/03-faults.md",
"chars": 20570,
"preview": "# Tutorial 3: Testing faults with Revizor\n\nHaving detected Spectre V1, let's now apply the same methodology to find a di"
},
{
"path": "docs/intro/tutorials/04-isolation.md",
"chars": 16043,
"preview": "# Tutorial 4: Testing Security Domain Isolation with Revizor\n\nIn the previous tutorials, we used random test generation "
},
{
"path": "docs/intro/tutorials/05-extending.md",
"chars": 7609,
"preview": "# Tutorial 5: Extending Revizor\n\nIn this tutorial, we will switch gears: instead of using Revizor's existing components,"
},
{
"path": "docs/intro/tutorials/tsa-sq.md",
"chars": 12545,
"preview": "# Tutorial: Detecting TSA-SQ with Revizor\n\nThis tutorial demonstrates how we used Revizor to detect TSA-SQ (Transient Sc"
},
{
"path": "docs/ref/artifact-file-formats.md",
"chars": 2212,
"preview": "# Artifact File Formats\n\nThis document describes the structure of violations artifact files stored by Revizor when it de"
},
{
"path": "docs/ref/binary-formats.md",
"chars": 5890,
"preview": "# Binary Formats in Revizor\n\n!!! info \"Advanced Topic\"\n This is an advanced topic describing internal implementation "
},
{
"path": "docs/ref/cli.md",
"chars": 8745,
"preview": "# Command-Line Interface\n\nThis document provides a complete reference for all command-line options accepted by the `rvzr"
},
{
"path": "docs/ref/config.md",
"chars": 44186,
"preview": "# Configuration Options\n\nBelow is a list of the available configuration options for Revizor, which are passed down to Re"
},
{
"path": "docs/ref/index.md",
"chars": 1444,
"preview": "# Reference Documentation\n\nComplete technical reference for all Revizor components, commands, configuration options, and"
},
{
"path": "docs/ref/macros.md",
"chars": 10059,
"preview": "# Macros\n\nThis document provides a complete reference for all macros available in Revizor.\n\n!!! note \"Related Documentat"
},
{
"path": "docs/ref/minimization-passes.md",
"chars": 3311,
"preview": "# Minimization Passes\n\nThis document provides a detailed list of all available minimization features (passes) supported "
},
{
"path": "docs/ref/modes.md",
"chars": 5067,
"preview": "# Execution Modes\n\nRevizor supports several modes of operation, each targeting a different use cases.\nThe selection of t"
},
{
"path": "docs/ref/papers.md",
"chars": 4216,
"preview": "# Research Papers\n\nRevizor is a result of extensive academic research in the field of hardware security and microarchite"
},
{
"path": "docs/ref/registers.md",
"chars": 4436,
"preview": "# Register Allocation\n\nThe test cases are executed in a sandboxed environment, where some of the registers are reserved "
},
{
"path": "docs/ref/runtime-statistic.md",
"chars": 4317,
"preview": "# Fuzzing Statistics\n\nThis document provides a complete reference on how to interpret the runtime statistics output of R"
},
{
"path": "docs/ref/sandbox.md",
"chars": 6358,
"preview": "# Test Case Sandbox\n\nThis document describes the isolated environment for executing test cases, which is referred to as "
},
{
"path": "docs/structure.md",
"chars": 5453,
"preview": "# Revizor Documentation\n\nEverything you need to know about using, understanding, and contributing to Revizor.\n\n## First "
},
{
"path": "docs/stylesheets/extra.css",
"chars": 305,
"preview": "/* Custom styles for mkdocs-material */\n\n/* Inline box for default values and highlighted inline content */\n.inline-box "
},
{
"path": "docs/topics/actors.md",
"chars": 5668,
"preview": "# Actors\n\nActors represent distinct security domains within a test case. They could be thought as sub-test-cases, each w"
},
{
"path": "docs/topics/contracts.md",
"chars": 8592,
"preview": "# Contracts\n\nA speculation contract is a formal specification of known microarchitectural leakage in CPUs.\nA contract se"
},
{
"path": "docs/topics/models.md",
"chars": 9894,
"preview": "# Leakage Models\n\nA leakage model is an executable implementation of a speculation contract. The model takes a\nprogram a"
},
{
"path": "docs/topics/test-case-generation.md",
"chars": 12523,
"preview": "# Test Case Generation\n\n[Test case](../glossary.md#test-case-program) generation is the process of creating executable p"
},
{
"path": "docs/topics/trace-analysis.md",
"chars": 9598,
"preview": "# Trace Analysis\n\nThis document describes Revizor's trace analysis techniques for detecting microarchitectural\ncontract "
},
{
"path": "mkdocs.yml",
"chars": 5290,
"preview": "---\nsite_name: Revizor\nsite_url: https://github.com/microsoft/side-channel-fuzzer\nsite_author: Microsoft\nsite_descriptio"
},
{
"path": "pyproject.toml",
"chars": 1489,
"preview": "[build-system]\nrequires = [\"hatchling\"]\nbuild-backend = \"hatchling.build\"\n\n[project]\nname = \"revizor-fuzzer\"\nversion = \""
},
{
"path": "revizor.py",
"chars": 235,
"preview": "#!/usr/bin/env python3\n\"\"\"\nFile: Command Line Interface to Revizor\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Ide"
},
{
"path": "rvzr/__init__.py",
"chars": 430,
"preview": "# flake8: noqa\n# pylint: skip-file\n\nfrom .isa_spec import *\nfrom .executor import *\nfrom .analyser import *\nfrom .data_g"
},
{
"path": "rvzr/analyser.py",
"chars": 11362,
"preview": "\"\"\"\nFile: various ways to compare collected ctraces with htraces\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Ident"
},
{
"path": "rvzr/arch/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "rvzr/arch/arm64/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "rvzr/arch/arm64/asm_parser.py",
"chars": 5790,
"preview": "\"\"\"\nFile: Parsing of assembly files into our internal representation (TestCaseCode).\n This file contains arm64-spec"
},
{
"path": "rvzr/arch/arm64/config.py",
"chars": 3089,
"preview": "\"\"\"\nFile: arm64-specific Configuration Options\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nfro"
},
{
"path": "rvzr/arch/arm64/executor.py",
"chars": 813,
"preview": "\"\"\"\nFile: Implementation of executor for arm64 architecture\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier"
},
{
"path": "rvzr/arch/arm64/fuzzer.py",
"chars": 6437,
"preview": "\"\"\"\nFile: arm64 implementation of the test case generator\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: "
},
{
"path": "rvzr/arch/arm64/generator.py",
"chars": 10421,
"preview": "\"\"\"\nFile: arm64 implementation of the test case generator\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: "
},
{
"path": "rvzr/arch/arm64/get_spec.py",
"chars": 917,
"preview": "\"\"\"\nFile: A script that downloads the ARM64 instruction set\n and parses it into a JSON file that can be used by the"
},
{
"path": "rvzr/arch/arm64/target_desc.py",
"chars": 7727,
"preview": "\"\"\"\nFile: arm64-specific constants and lists\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nfrom "
},
{
"path": "rvzr/arch/x86/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "rvzr/arch/x86/asm_parser.py",
"chars": 6540,
"preview": "\"\"\"\nFile: Parsing of assembly files into our internal representation (TestCaseCode).\n This file contains x86-specif"
},
{
"path": "rvzr/arch/x86/config.py",
"chars": 10741,
"preview": "\"\"\"\nFile: x86-specific Configuration Options\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nfrom "
},
{
"path": "rvzr/arch/x86/executor.py",
"chars": 2783,
"preview": "\"\"\"\nFile: Implementation of executor for x86 architecture\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: "
},
{
"path": "rvzr/arch/x86/fuzzer.py",
"chars": 12413,
"preview": "\"\"\"\nFile: x86 implementation of the test case generator\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MI"
},
{
"path": "rvzr/arch/x86/generator.py",
"chars": 44818,
"preview": "\"\"\"\nFile: x86 implementation of the test case generator\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MI"
},
{
"path": "rvzr/arch/x86/get_spec.py",
"chars": 21335,
"preview": "\"\"\"\nFile: A script that downloads the x86 instruction set from the Side Channel Fuzzer repository\n and parses it in"
},
{
"path": "rvzr/arch/x86/target_desc.py",
"chars": 15323,
"preview": "\"\"\"\nFile: x86-specific constants and lists\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nfrom ty"
},
{
"path": "rvzr/asm_parser.py",
"chars": 40254,
"preview": "\"\"\"\nFile: Parsing of assembly files into our internal representation (TestCaseCode).\n This file contains ISA-indepe"
},
{
"path": "rvzr/cli.py",
"chars": 16262,
"preview": "\"\"\"\nFile: Function definitions for using Revizor as command-line tool\n(Note: the actual CLI is accessed via revizor.py)\n"
},
{
"path": "rvzr/code_generator.py",
"chars": 31412,
"preview": "\"\"\"\nFile: Test Case Generation\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nfrom __future__ imp"
},
{
"path": "rvzr/config.py",
"chars": 26574,
"preview": "\"\"\"\nFile: Fuzzing Configuration Options\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nimport os\n"
},
{
"path": "rvzr/data_generator.py",
"chars": 7187,
"preview": "\"\"\"\nFile: Input Generation.\n\n An input is a sequence of bytes that is used to initialize memory and registers in\n "
},
{
"path": "rvzr/elf_parser.py",
"chars": 21322,
"preview": "\"\"\"\nFile: Parsing of ELF files to populate sections of a TestCaseCode object.\n\nCopyright (C) Microsoft Corporation\nSPDX-"
},
{
"path": "rvzr/executor.py",
"chars": 16528,
"preview": "\"\"\"\nFile: Architecture-independent parts of the adaptor to the executor kernel module\n\nCopyright (C) Microsoft Corporati"
},
{
"path": "rvzr/executor_km/.clang-format",
"chars": 190,
"preview": "ColumnLimit: 100\nIndentWidth: 4\nBreakBeforeBraces: Linux\nAllowShortIfStatementsOnASingleLine: false\nAlignConsecutiveMacr"
},
{
"path": "rvzr/executor_km/.gitignore",
"chars": 83,
"preview": ".tmp*\n*.o\n*.cmd\n*.symvers\n*.order\n*.ko\n*.mod\n*.mod.c\nstart_qemu.sh\nupdate_module.sh"
},
{
"path": "rvzr/executor_km/Makefile",
"chars": 5391,
"preview": "NAME = rvzr_executor\nKDIR=/lib/modules/$(shell uname -r)/build\n\n# ======================================================"
},
{
"path": "rvzr/executor_km/arm64/asm_snippets.h",
"chars": 10520,
"preview": "/// File: Building blocks for creating macros; ARM64 version\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-"
},
{
"path": "rvzr/executor_km/arm64/entry_exit_points.h",
"chars": 6121,
"preview": "/// File: Test case entry and exit points; used by code_loader.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-Lice"
},
{
"path": "rvzr/executor_km/arm64/exception.S",
"chars": 8426,
"preview": "// File: Low-level exception handling code for ARM64\n//\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifie"
},
{
"path": "rvzr/executor_km/arm64/fault_handler.c",
"chars": 2185,
"preview": "/// File: Fault handling and vector table management on ARM64 (i.e., aarch64)\n///\n// Copyright (C) Microsoft Corporation"
},
{
"path": "rvzr/executor_km/arm64/macros.c",
"chars": 18662,
"preview": "/// File: Management of test case macros\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#in"
},
{
"path": "rvzr/executor_km/arm64/page_tables_guest.c",
"chars": 1820,
"preview": "/// File:\n/// - Guest page table management\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n"
},
{
"path": "rvzr/executor_km/arm64/perf_counters.c",
"chars": 5226,
"preview": "/// File: Configuration and use of performance counters\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Ident"
},
{
"path": "rvzr/executor_km/arm64/registers.h",
"chars": 1259,
"preview": "/// File: Symbolic names for pre-allocated registers; ARM64 version\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-L"
},
{
"path": "rvzr/executor_km/arm64/special_registers.c",
"chars": 1941,
"preview": "/// File:\n/// - Management of model-specific registers (MSRs)\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-Licens"
},
{
"path": "rvzr/executor_km/code_loader.c",
"chars": 9374,
"preview": "/// File: Multiple variants of test case entry and exit points, for ARM64 architecture\n/// used exclusively by code"
},
{
"path": "rvzr/executor_km/data_loader.c",
"chars": 3993,
"preview": "/// File:\n/// - Parsing inputs and test cases\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MI"
},
{
"path": "rvzr/executor_km/include/actor.h",
"chars": 665,
"preview": "/// File: Header describing actor metadata\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#"
},
{
"path": "rvzr/executor_km/include/asm_snippets.h",
"chars": 427,
"preview": "/// File: Building blocks for creating macros;\n/// This file re-directs to the correct architecture-specific file."
},
{
"path": "rvzr/executor_km/include/code_loader.h",
"chars": 341,
"preview": "/// File: Header for code_loader.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef _"
},
{
"path": "rvzr/executor_km/include/data_loader.h",
"chars": 308,
"preview": "/// File: Header for data_loader.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef _"
},
{
"path": "rvzr/executor_km/include/fault_handler.h",
"chars": 1117,
"preview": "/// File: Header for fault handling\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef "
},
{
"path": "rvzr/executor_km/include/hardware_desc.h",
"chars": 2695,
"preview": "/// File: Header for hardware configuration\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n"
},
{
"path": "rvzr/executor_km/include/input_parser.h",
"chars": 1409,
"preview": "/// File: Header for the input parser\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifnde"
},
{
"path": "rvzr/executor_km/include/macro_expansion.h",
"chars": 3339,
"preview": "/// File: Header for test case macro loader\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n"
},
{
"path": "rvzr/executor_km/include/main.h",
"chars": 1372,
"preview": "/// File: Main Header\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef _RVZR_EXECUTOR"
},
{
"path": "rvzr/executor_km/include/measurement.h",
"chars": 942,
"preview": "/// File: Header for the measurement manager\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n"
},
{
"path": "rvzr/executor_km/include/page_tables_common.h",
"chars": 9925,
"preview": "/// File: Dispatch header that includes the correct page tables definitions for the architecture\n///\n// Copyright (C) Mi"
},
{
"path": "rvzr/executor_km/include/page_tables_guest.h",
"chars": 3300,
"preview": "/// File: Dispatch header that includes the guest page table definitions for the architecture\n///\n// Copyright (C) Micro"
},
{
"path": "rvzr/executor_km/include/page_tables_host.h",
"chars": 839,
"preview": "/// File: Header for page table functions\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#i"
},
{
"path": "rvzr/executor_km/include/perf_counters.h",
"chars": 282,
"preview": "/// File: Header for perf_counters.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef"
},
{
"path": "rvzr/executor_km/include/sandbox_constants.h",
"chars": 2647,
"preview": "/// File: Collection of constants that define the layout of the sandbox;\n/// This file is intentionally separate f"
},
{
"path": "rvzr/executor_km/include/sandbox_manager.h",
"chars": 3731,
"preview": "/// File: Header for sandbox management\n/// See docs/sandbox.md for the description of the sandboxing mechanism.\n/"
},
{
"path": "rvzr/executor_km/include/shortcuts.h",
"chars": 13469,
"preview": "/// File: Header for common macros\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef K"
},
{
"path": "rvzr/executor_km/include/special_registers.h",
"chars": 1190,
"preview": "/// File: Header for msr.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef _MSR_H_\n#"
},
{
"path": "rvzr/executor_km/include/svm.h",
"chars": 3603,
"preview": "/// File: Header for svm.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef _RVZR_EXE"
},
{
"path": "rvzr/executor_km/include/svm_constants.h",
"chars": 4984,
"preview": "/// File: Definitions of constants used by AMD SVM (Secure Virtual Machine) technology\n///\n// Copyright (C) Microsoft Co"
},
{
"path": "rvzr/executor_km/include/test_case_parser.h",
"chars": 1717,
"preview": "/// File: Header for the test case parser and manager\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identif"
},
{
"path": "rvzr/executor_km/include/vmx.h",
"chars": 2281,
"preview": "/// File: Header for vmx.c\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#ifndef _RVZR_EXE"
},
{
"path": "rvzr/executor_km/include/vmx_config.h",
"chars": 6819,
"preview": "/// File: Configuration constants for VMX\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#i"
},
{
"path": "rvzr/executor_km/input_parser.c",
"chars": 7422,
"preview": "/// File:\n/// - Parsing inputs\n/// - Management of input-related data structures\n/// - Accessors to the input data"
},
{
"path": "rvzr/executor_km/macro_expansion.c",
"chars": 12455,
"preview": "/// File: Expansion of macros in the test case; used primarily by code_loader.c\n/// This file contains architectur"
},
{
"path": "rvzr/executor_km/main.c",
"chars": 25748,
"preview": "/// File: Kernel module interface\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n// clang-f"
},
{
"path": "rvzr/executor_km/measurement.c",
"chars": 12059,
"preview": "/// File:\n/// - Test case execution\n/// - Ensuring an isolated environment\n///\n// Copyright (C) Microsoft Corporation\n"
},
{
"path": "rvzr/executor_km/page_tables_host.c",
"chars": 11941,
"preview": "/// File:\n/// - Page Table management\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#incl"
},
{
"path": "rvzr/executor_km/readme.md",
"chars": 508,
"preview": "# Install\n\nSee https://microsoft.github.io/side-channel-fuzzer/quick-start/ or `README.md` in the project root.\n\n# Using"
},
{
"path": "rvzr/executor_km/sandbox_manager.c",
"chars": 10137,
"preview": "/// File: Sandbox memory management\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#include"
},
{
"path": "rvzr/executor_km/test_case_parser.c",
"chars": 13298,
"preview": "/// File:\n/// - Parsing of test cases in RCBF format (see docs/devel/binary-formats.md)\n/// - Management of TC-relat"
},
{
"path": "rvzr/executor_km/x86/asm_snippets.h",
"chars": 21076,
"preview": "/// File: Building blocks for creating macros; x86-64\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identif"
},
{
"path": "rvzr/executor_km/x86/entry_exit_points.h",
"chars": 5903,
"preview": "/// File: Multiple variants of test case entry and exit points, for x86-64 architecture\n/// used exclusively by cod"
},
{
"path": "rvzr/executor_km/x86/fault_handlers.S",
"chars": 14988,
"preview": "// File: Low-level exception handling code for x86-64\n//\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifi"
},
{
"path": "rvzr/executor_km/x86/idt.c",
"chars": 5426,
"preview": "/// File:\n/// - Fault handling and IDT management\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier"
},
{
"path": "rvzr/executor_km/x86/macros.c",
"chars": 32549,
"preview": "/// File: x86 implementation of various macros as well as x86-specific code for\n/// the macro loader (macro_expans"
},
{
"path": "rvzr/executor_km/x86/page_tables_guest.c",
"chars": 29034,
"preview": "/// File:\n/// - Guest page table management\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n"
},
{
"path": "rvzr/executor_km/x86/perf_counters.c",
"chars": 8157,
"preview": "/// File: Configuration and use of performance counters\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Ident"
},
{
"path": "rvzr/executor_km/x86/registers.h",
"chars": 1053,
"preview": "/// File: Symbolic names for pre-allocated registers; x86-64 version\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-"
},
{
"path": "rvzr/executor_km/x86/special_registers.c",
"chars": 10043,
"preview": "/// File:\n/// - Management of model-specific registers (MSRs)\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-Licens"
},
{
"path": "rvzr/executor_km/x86/svm.c",
"chars": 16587,
"preview": "/// File: Configuration and use of AMD SVM\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n\n#"
},
{
"path": "rvzr/executor_km/x86/vmx.c",
"chars": 33118,
"preview": "/// File: Configuration and use of Intel VMX\n///\n// Copyright (C) Microsoft Corporation\n// SPDX-License-Identifier: MIT\n"
},
{
"path": "rvzr/factory.py",
"chars": 16497,
"preview": "\"\"\"\nFile: Configuration factory; constructs objects based on the configuration options.\n\nCopyright (C) Microsoft Corpora"
},
{
"path": "rvzr/fuzzer.py",
"chars": 42695,
"preview": "\"\"\"\nFile: Fuzzing Orchestration\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\n# pylint: disable="
},
{
"path": "rvzr/instruction_spec.py",
"chars": 4185,
"preview": "\"\"\"\nFile: Collection of classes that represent instruction specifications.\nThe specifications typically originate from a"
},
{
"path": "rvzr/isa_spec.py",
"chars": 11674,
"preview": "\"\"\"\nFile:\n\nCopyright (C) Microsoft Corporation\nSPDX-License-Identifier: MIT\n\"\"\"\nfrom __future__ import annotations\nimpor"
},
{
"path": "rvzr/logs.py",
"chars": 23600,
"preview": "\"\"\"\nFile: Global classes that provide service to all Revizor modules\n\nCopyright (C) Microsoft Corporation\nSPDX-License-I"
},
{
"path": "rvzr/model.py",
"chars": 3856,
"preview": "\"\"\"\nFile: Model Interface (Backend- and ISA-independent)\n A model is a module that can execute a test case accordin"
},
{
"path": "rvzr/model_dynamorio/Makefile",
"chars": 1753,
"preview": "mkfile_path = $(abspath $(lastword $(MAKEFILE_LIST)))\ncurrent_dir = $(dir $(mkfile_path))\n\ndr_path := $(HOME)/.local/dyn"
},
{
"path": "rvzr/model_dynamorio/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "rvzr/model_dynamorio/adapter/.clang-format",
"chars": 190,
"preview": "ColumnLimit: 100\nIndentWidth: 4\nBreakBeforeBraces: Linux\nAllowShortIfStatementsOnASingleLine: false\nAlignConsecutiveMacr"
},
{
"path": "rvzr/model_dynamorio/adapter/.clang-tidy",
"chars": 529,
"preview": "Checks: >\n -*,\n bugprone-*,\n cert-*,\n clang-analyzer-*,\n llvm-*,\n misc-*,\n modernize-*,\n perform"
},
{
"path": "rvzr/model_dynamorio/adapter/CMakeLists.txt",
"chars": 518,
"preview": "cmake_minimum_required(VERSION 3.10)\nproject(adapter C ASM)\n\n# Set compile flags\nset(CMAKE_C_FLAGS \"${CMAKE_C_FLAGS} -gg"
},
{
"path": "rvzr/model_dynamorio/adapter/main.c",
"chars": 3619,
"preview": "///\n/// File: Module responsible for loading binary test cases produced by\n/// the Revizor generator, and executin"
},
{
"path": "rvzr/model_dynamorio/adapter/parser.c",
"chars": 5819,
"preview": "///\n/// File: RCBF and RDBF parsing functions for the DynamoRIO backend adapter\n///\n// Copyright (C) Microsoft Corporati"
},
{
"path": "rvzr/model_dynamorio/adapter/parser.h",
"chars": 359,
"preview": "/// File: Interface to the RCBF/RDBF parser\n///\n/// Copyright (C) Microsoft Corporation\n/// SPDX-License-Identifier: MIT"
},
{
"path": "rvzr/model_dynamorio/adapter/rcbf.h",
"chars": 1241,
"preview": "/// File: Representation of a RCBF binary\n/// (see docs/devel/binary-formats.md for format description)\n///\n// Copyright"
},
{
"path": "rvzr/model_dynamorio/adapter/rdbf.h",
"chars": 761,
"preview": "/// File: Representation of a RDBF binary\n/// (see docs/devel/binary-formats.md for format description)\n///\n/// Copyrigh"
},
{
"path": "rvzr/model_dynamorio/adapter/sandbox.c",
"chars": 4324,
"preview": "/// File: Allocation and management of the sandbox memory for test cases\n///\n// Copyright (C) Microsoft Corporation\n// S"
},
{
"path": "rvzr/model_dynamorio/adapter/sandbox.h",
"chars": 2604,
"preview": "/// File: Sandbox layout\n/// (see docs/sandbox.md for layout description)\n///\n// Copyright (C) Microsoft Corporation\n// "
},
{
"path": "rvzr/model_dynamorio/adapter/sandbox_const.h",
"chars": 1149,
"preview": "/// File: Constants for the sandbox layout\n/// (see docs/sandbox.md for layout description)\n///\n// Copyright (C) Microso"
},
{
"path": "rvzr/model_dynamorio/adapter/test_case_entry.S",
"chars": 2803,
"preview": ".intel_syntax noprefix\n\n#include \"sandbox_const.h\"\n#define xstr(s) _str(s)\n#define _str(s) str(s)\n#define str(s) #s\n\n//"
},
{
"path": "rvzr/model_dynamorio/backend/.clang-format",
"chars": 190,
"preview": "ColumnLimit: 100\nIndentWidth: 4\nBreakBeforeBraces: Linux\nAllowShortIfStatementsOnASingleLine: false\nAlignConsecutiveMacr"
},
{
"path": "rvzr/model_dynamorio/backend/.clang-tidy",
"chars": 3002,
"preview": "# Reasoning behind excluding some checks:\n# - `misc-include-cleaner`: This is incompatible with the DR headers, where dr"
}
]
// ... and 178 more files (download for full content)