VEX IR是一种更加接近于compiler使用的中间语言/中间表示,它是不依赖于特定体系架构的。
1. Code Blocks
code blocks是VEX处理代码的一个单元,使用IRSB结构体表示:
/* Code blocks, which in proper compiler terminology are superblocks (single entry, multiple exit code sequences) contain:
【与Intel Pin中的概念trace是相似的】 - A table giving a type for each temp (the "type environment") - An expandable array of statements - An expression of type 32 or 64 bits, depending on the guest's word size, indicating the next destination if the block executes all the way to the end, without a side exit - An indication of any special actions (JumpKind) needed for this final jump. "IRSB" stands for "IR Super Block". */ typedef struct { IRTypeEnv* tyenv; IRStmt** stmts; Int stmts_size; Int stmts_used; IRExpr* next; IRJumpKind jumpkind; } IRSB;
Each IRSB contains three things:
- a type environment, which indicates the type of each temporary
value present in the IRSB
- a list of statements, which represent code
- a jump that exits from the end the IRSB
2. Statements and Expressions
Statements (type 'IRStmt') represent operations with side-effects, eg. guest register writes, stores, and assignments to temporaries. Expressions (type 'IRExpr') represent operations without side-effects, eg. arithmetic operations, loads, constants. Expressions can contain sub-expressions, forming expression trees, eg. (3 + (4 * load(addr1)).
Statements: IRStmt
代表着有side-effect的操作;
Expressions: IRExpr
代表着没有side-effect的操作;
3. Storage of guest state
guest state,其实就是代表目标机器寄存器的一片连续的缓存。
在这片缓存上可以进行Put/Get操作。
Put/Get操作需要提供两个参数:
在代表guest state的缓存中的offset 代表操作数长度的type