ARCH4.md (1884B)
# ARCH4: Whole-Program Inter-Procedural Fixpoint

## Goal

Add optional inter-procedural taint propagation by computing a
whole-program fixpoint over the call graph. This allows taint to flow
across function boundaries while remaining conservative.

## Scope

- Applies to calls with statically known labels in the same asm file.
- Indirect calls (`blr`) remain opaque unless a summary is provided.
- Default mode remains intra-procedural; inter-proc is opt-in.

## Approach

1) **Function partitioning**
   - Partition the CFG into per-function sub-CFGs using top-level labels
     (entry labels) and call/return boundaries.
   - Build a call graph from `bl` targets that resolve to known functions.

2) **Function summaries**
   - For each function, compute a summary mapping:
     - `summaryIn`: required taint assumptions for arguments (optional)
     - `summaryOut`: taint effects on registers at function exit
   - `summaryOut` should describe, conservatively, the taint of all registers
     that might be observed by callers.

3) **Fixpoint iteration**
   - Initialize all function summaries to conservative defaults
     (caller-saved Unknown, callee-saved Public/Unknown).
   - Iterate over functions in any order, re-analyzing each function using
     the current summaries of its callees.
   - Update its summary until stable; repeat until no summaries change.

4) **Call-site semantics**
   - At `bl f`, apply the callee summary to the caller's taint state
     instead of only invalidating caller-saved regs.
   - Preserve fallthrough to the next instruction in the caller.

## Correctness/Conservatism

- Summaries must never upgrade taint (Secret -> Public).
- Join taints across all possible return paths.
- If any callee summary is missing, fall back to current conservative
  call handling for that call site.

## Deliverables

- Optional `--interproc` mode.
- Summary diagnostics (e.g., JSON dump) for inspection.
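The following is an added illustration of the Approach steps 2-4 and the missing-summary fallback, not code from the ARCH4 project. It assumes a small taint lattice (Public as the empty set, Secret, Unknown as top, plus symbolic "entry taint of register r" atoms so a summary can express pass-through), straight-line function bodies, and an arm64-flavoured pseudo-ISA with x0-x7 caller-saved and x19 callee-saved; the sample program is constructed.

```python
"""Added example, not ARCH4 project code: a whole-program taint fixpoint with
function summaries. Assumed lattice: a taint is a frozenset of atoms, empty =
Public, {"secret"} = Secret, UNKNOWN = top; ("in", r) = register r's entry taint."""
CALLER_SAVED = {f"x{i}" for i in range(8)}          # x0-x7 clobbered by calls
REGS = CALLER_SAVED | {"x19"}                        # x19 callee-saved
SECRET, UNKNOWN = frozenset({"secret"}), frozenset({"unknown"})
PROGRAM = {  # constructed sample: straight-line bodies, arm64-flavoured pseudo-ops
    "leak": [("ldsec", "x0"), ("ret",)],                      # returns a secret in x0
    "copy": [("mov", "x0", "x1"), ("ret",)],                  # x0 := x1 (pass-through)
    "main": [("ldpub", "x1"), ("bl", "copy"), ("mov", "x19", "x0"),
             ("bl", "leak"), ("add", "x2", "x0", "x19"), ("ret",)],
    "ext": [("ldpub", "x19"), ("ldpub", "x0"), ("bl", "memcpy"), ("ret",)],  # memcpy: no summary
}

def norm(t):
    return UNKNOWN if "unknown" in t else frozenset(t)   # UNKNOWN absorbs everything

def opaque_call():
    # current conservative call handling: clobber caller-saved, keep callee-saved
    return {r: UNKNOWN if r in CALLER_SAVED else frozenset({("in", r)}) for r in REGS}

def apply_summary(summary, state):
    # substitute each ("in", r) atom with the caller's taint of r at the call site
    def subst(t):
        return norm(set().union(*(state[a[1]] if isinstance(a, tuple) else {a} for a in t)))
    return {r: subst(summary[r]) for r in REGS}

def analyze(body, summaries):
    state = {r: frozenset({("in", r)}) for r in REGS}     # symbolic entry state
    for ins in body:
        op = ins[0]
        if op == "mov":     state[ins[1]] = state[ins[2]]
        elif op == "ldsec": state[ins[1]] = SECRET
        elif op == "ldpub": state[ins[1]] = frozenset()
        elif op == "add":   state[ins[1]] = norm(state[ins[2]] | state[ins[3]])  # join
        elif op == "bl":    # callee without a summary -> fall back to opaque handling
            state = apply_summary(summaries.get(ins[1], opaque_call()), state)
        elif op == "blr":   state = apply_summary(opaque_call(), state)
        elif op == "ret":   break
    return state

def fixpoint(program):
    # start every summary at top and refine; monotone transfer + finite lattice => terminates
    summaries = {f: {r: UNKNOWN for r in REGS} for f in program}
    while True:
        new = {f: analyze(body, summaries) for f, body in program.items()}
        if new == summaries:
            return summaries
        summaries = new
```

Because iteration starts at the top element and only refines, a summary can become more precise between rounds but is never less conservative than the concrete behaviour; a recursive function whose result flows through its own call converges to Unknown rather than to Public.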