Automated Control Flow Reconstruction from Assembler Programs

Abstract

As software permeates more and more aspects of daily life and becomes a central component of critical systems around the world,
software quality and effective methods to ensure it are paramount.
There is a huge variety of both static and dynamic analyses that aim to provide such guarantees.
Typically, such analyses are based on the analysed program's control flow graph (CFG).
Given the source code of the program in a high-level, structured programming language, this graph can easily be constructed.
However, in some cases the analysis must instead be based directly on the binary program,
e.g. if the source code is not available (in security contexts), contains insufficient information (e.g. for low-level analyses such as execution time) or the compiler is not trusted to translate the source code faithfully to a binary format.
However, extracting the control flow graph from a binary program is a non-trivial task,
as the binary code is unstructured and contains indirect branches that transfer control to a program location dynamically computed at runtime.

This thesis defines a formal notion of a CFG for a binary program and proposes several quality requirements such CFGs should meet
in order to be considered a sufficiently precise approximation of the program.
A more precise CFG improves the efficiency and potentially the accuracy of subsequent analyses.
In particular, we define the property of being free from control flow errors and postulate that precise CFGs should satisfy this property.
The CFGs produced by existing approaches to control flow reconstruction from binary programs do not meet all of these requirements.

A new approach to control flow reconstruction is thus presented, based on the formal verification technique trace abstraction refinement.
This verification technique is adapted to the field of control flow reconstruction,
and the computed CFGs are shown to be sound over-approximations of the program behaviour.
A sufficient condition is presented under which the CFGs are furthermore free from control flow errors.
We evaluate the new approach empirically on a set of standard benchmark programs.

Full text

WEBSTYLEGUIDE
REFERAT IIIA6 (INTERNET)
Email edv.internet@verwaltung.uni-muenchen.de
Servicetelefon 089 / 2180 – 9898
Mo./Di./Do./Fr. 09:00 Uhr bis 12:00 Uhr
Di./Do. 14:00 Uhr bis 17:00 Uhr

WEBSTYLEGUIDE
REFERAT IIIA6 (INTERNET)
Email edv.internet@verwaltung.uni-muenchen.de
Servicetelefon 089 / 2180 – 9898
Mo./Di./Do./Fr. 09:00 Uhr bis 12:00 Uhr
Di./Do. 14:00 Uhr bis 17:00 Uhr

pc

p
τ1
true lr “0004 pc “0004
t0004 u
pτ2
true true true lr “0008 pc “0008
t0008 u
pτ1
p
τ1
pτ1pτ2
pc1“0000
looooomooooon^"lr1“pc1`4
pc2“0040 *
looooooooooomooooooooooon
^pc3“lr1
loooomoooon
pc1“0000
looooomooooon^"lr1“pc1`4
pc2“0040 *
looooooooooomooooooooooon
^pc3“lr1
loooomoooon
^"lr2“pc3`4
pc4“0040 *
looooooooooomooooooooooon
^pc5“lr2
loooomoooon

0000 ?
0040
bl 0040 bx lr
0000
0040
0040
bl 0040 0004
bx lr
bl 0040
bl 0040
0000
0008
0040
bl 0040
bx lr
0004
bx lr
bl 0040
0000
0040
0008
bx lr
0040
bl 0040 0004
bx lr
bl 0040
b 0008
pτ1pc3
pcn
t0004 u
pτ2t0008 u
pτ2

0
0
p
τ3
pc

true lr “0004 lr “0004 lr “0004 lr “0004 pc “0004
Rp
τ3
true lr “0004 pc “0004
t0004 u
pτ3LpRx
τ3q
pτ3
Rpτ3pτ3
LpRpτ3q
pτ3
pc

pC
v
RÐRbRv
C
C
R
v
Rv
v
v
Lv
RvÐRHLvĎp
LpRvqRv
Rpτ
RvÐRvbRpτpτPLvzp
LpRvq
v Lvv
v
b
C R
v

v
vpρ
v
Lvp
τp
ρ
v Rv
Rpτ
RvLvRv
pτ3
Rp
τ3Lv
Rv
Rp
τ3

•nPN0
•f:MãN f M N
fpxq“K f x
•M˚M
M ε
w1, w2PM˚
w1¨w2
•f1:M1ÑN1f2:M2ÑN2M1XM2“ H
f1‘f2:M1YM2ÑN1YN2
pf1‘f2qpxq “ #f1pxqxPM1
f2pxq
M“ pV,pc,Loc,Dq
VLoc pc PV
D DvvPV
Dpc “Loc
MARM “ pV,pc,t0,1u32,DqV
•rP t r0, . . . , r15 uDr“ t0,1u32

•fP tN,C,Z,VuDf“ t0,1u
•mem Dmem “ t0,1u32 Ñ t0,1u8
pc “r15 r14
lr sp “r13
Ms:VÑŤvPVDvspvq P Dv
vPVState
MpI, v¨wq
Iv¨w :IÑState ãState
V
ιPIvιw
cmp
N C Z V
addeq
bgt
nop pc
halt
bx r0
K“ pI, v¨wq M
K τ “ pι1, . . . , ιnq P
I˚τ σ “

ps1, . . . , sn`1q P State˚si`1“ vιiw psiqiP t 1, . . . , n u
σ τ σ $τ τ
InfeasKK
ε
InfeasKτ
τ¨τ1
K“ pI, v¨wq
M
pc
p
K“ pLoc ˆI , v¨wq
vpl, ιqw psq “ #vιw psq vιw psq ‰ K ^ sppcq “ l
K
pc
ι
l:ι
pl, ιqpτ“ pl1:ι1, . . . , ln:ιnq
Kpι1, . . . , ιnqτ
p
τ“ pl1:ι1, . . . , ln:ιnqp
τ
iP t 1, . . . , n u pl1:ι1, . . . , li´1:ιi´1q
s li:ιivli:ιiw psq “ K
sppcq ‰ li
vιiw psq“K

pc
K
lr
lr nop
s
sppcq “ 0004
pc
K p “ pLocp, linit ,instr , Sinit q
•LocpĎLoc

•linit PLocp
•instr :LocpÑI
•Sinit ‰ H
Sinit Ď t sPState |sppcq “ linit u
p“ pLocp, linit ,instr , Sinit q
•Locp“ t0000,0004,0008,000c,0010,0014,0018u
•linit “0000
•instr
•Sinit “ t sPState |sppcq “ 0000 ^spmemqp0020q “ 0xFF u
pc
K p “
pLocp, linit ,instr , Sinit q

Σppq “ im instr “ t instrplq | lPLocpu
p
Σppq“tl:instrplq | lPLocpu
Σppqp
Σppq
Kp
K
p
Σppq ‰ z
Σppq
pτ“ pl1:ι1, . . . , ln:ιnqp
p
Σppqσ“ ps1, . . . , sn`1q
σ$pτ s1PSinit σ p pτ
σ$pp
τEppqp p
pp
Lppq“tp
τPp
Σppq˚| Dσ . σ $ppτu
p
Lppq“tτ|pτPp
Lppq u
p
ppτ
p
τ p p
τp
τ
p
LppqLppq
p
pc
pτp
K
ppτ
locppp
τq“tlPLocp| Dps1, . . . , sn`1q. l “sn`1ppcq^ps1, . . . , sn`1q $pp
τu

pc
pτRp
Lppq
locpppτq“H
pτ“ pl1:ι1, . . . , ln:ιnqp
ΣppqkP t 0, . . . , n upτ|k
pl1:ι1, . . . , lk:ιkqpτ p
@kP t 0, . . . , n ´1u.p
τ|kPp
Lppq ùñ lk`1Plocppp
τ|kq
p
τ
pτp
Lppq
ε
p
Lppq
p
Lppqpτ|ks
vιk`1w psq “ K Sinit
pτ“ pl1:ι1, . . . , ln:ιnqp
Σppq
pp
τRp
LppqkP t 0, . . . , n ´1u
pτ|kPp
Lppqσ“ ps1, . . . , sk`1qσ$pp
τ|k
sk`1ppcq “ lk`1σ
vιk`1w psk`1q“K
|pτ|ε
p
Lppqpτpτ“
pl1:ι1, . . . , ln`1:ιn`1qpτRp
Lppqpτ
ppρ“ pl1:ι1, . . . , ln:ιnq
pp
ρRp
Lppq
pρPp
Lppqσ“ ps1, . . . , sn`1qσ$pp
ρ
sn`1ppcq “ ln`1vιn`1w psn`1q ‰ K vln`1:ιn`1w ‰ K pτPp
Lppq
vιn`1w psn`1q“K
k“nP t 0, . . . , pn`1q ´ 1u
pp
Lppq
K

ppV, Vinit , E , `q
•V
•Vinit ĎV
•EĎVˆV
•`:VÑLocp

C“ pV, Vinit , E , `q
K p p
Kpτ“ pl1:ι1, . . . , ln:ιnqC
pv1, . . . , vn`1q P V˚
v1PVinit
`pviq “ liinstrpliq “ ιiiP t 1, . . . , n u
pvi, vi`1q P E i P t 1, . . . , n u
v1p
τ
ÝÑ
Cvn`1
Cp
LpCqpτ C
K
LpCq “ t τ|p
τPp
LpCq u
C“ pV, Vinit , E , `q
p
|V|ă8
Cp
LpCq
C
C
p
C p
p
Lppq Ď p
LpCq

p
C“ pV, Vinit , E , `q
ppτ“ pl1:ι1, . . . , ln:ιnqp
K
Cpτ
locCppτq“tlPLocp| DvPVinit , v1PV . v p
τ
ÝÑ
Cv1^`pv1q “ lu
C“ pV, Vinit , E , `q
p
@pτPp
LpCq X p
Lppq.locCpp
τq Ď locppp
τq
pτPp
LpCqp
pτ“ pl1:ι1, . . . , ln:ιnq P p
LpCq
kP t 0, . . . , n ´1upτ|k“ pl1:ι1, . . . , lk:ιkqp
LpCq
p
LpCqlk`1PlocCpp
τ|kq
pτ|kPp
Lppqlk`1Plocpppτ|kq
C“ pV, Vinit , E , `qp
vPV v1PVpv, v1q P Ep
τPp
LpCq
p
pτPp
LpCq X p
LppqC
vPVinit v1PV v p
τ
ÝÑ
Cv1
v2PVpv1, v2q P Epτ¨``pv1q:instr p`pv1qq˘Pp
LpCq
p

pτPp
Lppq`pv1q`pv1q P locpppτq
lPlocCppτqlPlocpppτq
p
Lppq
p
Lppq
L
Lmin L
Lmin Lmin zL‰ H L
Lfin ĎLmin zL
Lmin zLfin ĂLmin L
Lppqp

0000
0004
mov r0,#0
0010 b 00100008
000C
cmp r0,#10000
0008
000C
cmp r0,#10000
0008
000C
cmp r0,#10000
add r0,r0,#1
0004
add r0,r0,#1
0004
add r0,r0,#1
(not z) / b 0004 ...
(not z) / b 0004 (not (not z)) / nop
(not z) / b 0004
0000 0004
mov r0,#0 0010
b 0010
0008
000C
cmp r0,#10000
add r0,r0,#1
(not (not z)) / nop
(not z) / b 0004

pc
C
pτn,xτmn
m m ąn v1C
pτn¨p
τ1
nxτm¨p
τ1
nC
v2p
τ1
nn
p
τn¨p
τ1
nv2
x
τm¨p
τ1
n
m´ną0pτnxτmv1
v1
npτnn
C
p
pc
Tppq
pTppq “ pS, Sinit , E, `q
S“ t sPState |sppcq P Locpu
`psq “ sppcq
E“ t ps, vιw psqq | sPS^ι“instrpsppcqq u
p
LpTppqq “ p
Lppq

pc
pc
pc
pc pc p
CFGpc ppq “ pLocp,tlinit u, E , idq
E“ t psippcq, si`1ppcqq | ps1, . . . , sn`1q P Eppq ^ iP t 1, . . . , n u u
pc
pc
pc
pc
pc

pτlocpppτq
Ωlocppp
τq Ď Ωp
τ
ΩĎLoc
locpppτq Ď Ωpτ
pτ“ pl1:ι1, . . . , ln:ιnqp
K
ΩĎLoc pS1, . . . , Sn`1qSiĎState
pΩ,pτq
Sinit ĎS1
t vli:ιiw psq | sPSi^ vli:ιiw psq‰KuĎSi`1
Sn`1Ď t sPState |sppcq P Ωu
iP t 1, . . . , n u
pp
τ
p
p
Si“ t si| ps1, . . . , sn`1q $ppτu

pτp
K
ΩĎLoc pΩ,pτqlocpppτq Ď
Ω
pτ“ pl1:ι1, . . . , ln:ιnqσ“ ps1, . . . , sn`1qσ$ppτ
pS1, . . . , Sn`1q ppτ , Ωq
i siPSiiP t 1, . . . , n`1u
sn`1PSn`1
locpppτq Ď Ω
pp
τ , Ωq
Ω
ppτ , Ωqpτ
pc
ι
ι
degpιq “ sup
lPLoc
|t vιw psqppcq | sPState ^sppcq “ l^ vιw psq ‰ K u|
degpιq “ 8 sup H “ 0
ιdegpιq ď 1
pc

lPLoc s1, s2PState s1ppcq “ s2ppcq “
lvbeq 0020w ps1q ‰ K vbeq 0020w ps2q‰K s1
s1pNq “ 1s2
s2pNq “ 0 degpbeq 0020q ą 1 degpbeq 0020q “
2
ι
ι
successorι:Loc ãLoc
@sPState .vιw psq ‰ K ^ sppcq “ lðñ vιw psqppcq “ successorιplq
lPLoc
pτ“
pl1:ι1, . . . , ln:ιnqιn
p
K
pτ“ pl1:ι1, . . . , ln:ιnqną0 degpιnq ď 1 Ω ĎLoc
successorιnplnq ‰ K ùñ successorιnplnq P Ω
ppτ , Ωq
Si“State
Sn`1“ t sPState |sppcq P Ωu
iP t 1, . . . , n u

vPViP t 1, . . . , n `1u
pτ“ pl1:ι1, . . . , ln:ιnq
ϑipvq “ $
’
&
’
%
1i“1
ϑi´1pvq ` 1ιi´1v
ϑi´1pvq
v s
vιw psq‰K spvq‰vιw psqpvq vιw
ιpδι, µιqδιV
µιV V sPState
vιw psq ‰ K ðñ s|ù δι
vιw psq‰K
vιw psq “ s˝µι
s
Vsptqt V
t s
Sinit Φinit V
Φppτqpτ
Φpp
τq “ Φinit rϑ1sYtδιirϑis | iP t 1, . . . , n u u
Y t vϑi`1pvq“µιipvqrϑis | iP t 1, . . . , n u ^ ιivu
Y t pcϑippcq“li|iP t 1, . . . , n u u
ϑivPV
vkk“ϑipvqXV“
tvk|vPV, k PNu
p
Σppqp
τp
LppqΦpp
τq

β XVβ|ù
Φppτq ps1, . . . , sn`1q:“ pβ˝ϑ1, . . . , β ˝ϑn`1qp
p
τ ϑiv
vϑipvq
vli:ιiw pβ˝ϑiq ‰ K ðñ pβ˝ϑiq |ù pδιi^pc “liq
ðñ β|ù pδιirϑis ^ pcϑippcq“liq
βΦpp
τq
vl1:ιiw psiq “ si`1ðñ β˝ϑi˝µιi“β˝ϑi`1
ðñ @vPV.pβ˝ϑi˝µιiqpvq“pβ˝ϑi`1qpvq
ðñ β|ù t vϑi`1pvq“µιipvqrϑis | vPVu
ps1, . . . , sn`1qpτ
s1“β˝ϑ1|ù Φinit p
p σ “ ps1, . . . , sn`1q
pβ˝ϑ1, . . . , β ˝ϑn`1qβ
β|ù Φppτq
Φppτqp
Kpτ p pτ
locpppτq
θn`1ppcqβ
p
τPp
Σppq˚
ΩÐ H
ΦppτqYtϑn`1ppcq R Ωuβ
ΩÐΩY t βpϑn`1ppcqq u
Ω
pτ“`p0000 :and r1,r0,#4q,p0004 :bx r1q˘
&

pc1r01r11pc2pc3
β
β1
Φpp
τq“tpc1“0000
looooomooooon
Φinit
,pc1“0000,r11“r01& 4,pc2“pc1`4
looooooooooooooooooooooooooomooooooooooooooooooooooooooon
0000:and r1,r0,#4
,
pc2“0004,r11mod 4 “0,pc3“r11
loooooooooooooooooooooooomoooooooooooooooooooooooon
0004:bx r1
u
β
βppc3q0000 Ω Φppτq
pc3‰0000
β10004 Ω
Φppτqpc3‰0000 pc3‰0004
Ω“ t 0000,0004 u
algorithm 5.1
p
Kpτ p locpppτq
pτ
Ωpτ
Γ“ pϕ1, . . . , ϕnq
Γ

pψ1, . . . , ψn`1qiP t 1, . . . , n u
ψ1”true
ψi^ϕi|ù ψi`1
ψn`1”false
iP t 2, . . . , n uψi
tϕ1, . . . , ϕiu t ϕi`1, . . . , ϕnu
pτ“ pl1:ι1, . . . , ln:ιnqp
KΩĎLoc
iP t 1, . . . , n u
ϕ0:”ľΦinit rϑ1s
ϕi:”διirϑis ^ pcϑippcq“li^ľtvϑi`1pvq“µιipvqrϑis | ιivu
ϕn`1:”pcϑn`1ppcqRΩ
pψ0, . . . , ψn`2q pϕ0, . . . , ϕn`1q
Si“ t sPState |s˝ϑ´1
i|ù ψiu
iP t 1, . . . , n `1u pp
τ , Ωq
ψitϕ0, . . . , ϕiu
tϕi`1, . . . , ϕn`2uvk
vk1k‰k1ψivϑipvq
vPV
ψ0true ψn`2false
ψ0^ϕ0|ù ψ1ϕ0|ù ψ1ŹΦinit |ù ψ1rθ´1
1s
ψn`1^pcϑn`1ppcqRΩ|ù ψn`2
ϑ´1
i

SĎState ι
wppι, S q
S ι
wppι, S q“tsPState |vιw psq ‰ K ùñ vιw psq P Su
wppι, S q
S ι ι
assume
ι
SĎState
t vιw psq | sPwppSq^vιw psq‰KuĎS
sPwppSq vιw psq ‰ K wp
vιw psq P S
pτ“ pl1:ι1, . . . , ln:ιnq
locpppτq Ď ΩpS1, . . . , Sn`1q
Sn`1“ t sPState |sppcq P Ωu
Si“wppli:ιi, Si`1q
iP t 1, . . . , n u pp
τ , Ωq
s1PSinit si`1“ vli:ιiw psiqiP t 1, . . . , n u
sivli:ιiwpsiq ‰ K
•ps1, . . . , sn`1q $pτ
sn`1PSn`1wp siPSi
iP t 1, . . . , n us1PS1
•jvlj:ιjw psjq“K
sjPwpplj:ιj, Sj`1q “ Sj
siPSiiP t 1, . . . , j us1PS1

R“ pA, λq
A“ pQ, p
Σppq, δ, qinit , F qQ
p
Σppqδ:Qˆp
Σppq Ñ
Q qinit FĎQ
λ:FÑ℘pLocpq

R“ pA, λq
Rp
LpRq Ď p
Σppq˚A
R“ pA, λqA“ pQ, p
Σppq, δ, qinit , F qΛR:
p
LpRq Ñ ℘pLocpq
ΛRppτq “ λpδ˚pqinit ,pτqq
R
p
τPp
LpRq
locppp
τq Ď ΛRpp
τq
locpppτq
R“ pA, λqA“
pQ, p
Σppq, δ, qinit , F q
@p
τPp
LpRq X p
Lppq.ΛRpp
τq Ď locppp
τq

R“ pA, λqA“
pQ, p
Σppq, δ, qinit , F q |λpqq| ď 1qPF
pτPp
LpRq X p
Lppqlocpppτq‰H locpppτq Ď
ΛRpp
τq℘pΛRpp
τqq “ t H,ΛRpp
τq u locppp
τq “ ΛRpp
τq
R“ pN, λqN“ pQ, p
Σppq, δ, Qinit , F qQĎ℘pStateq
p
ΣppqδĎQˆp
Σppq ˆ Q
Qinit ĎQ F ĎQ
λ:FÑ℘pLocpq
@SPQinit . Sinit ĎS
@pS, ι, S1q P δ . t vιw psq | sPS^ vιw psq ‰ K u Ď S1
@SPF . S Ď t sPState |sppcq P λpSq u
R“ pN, λq
N“ pQ, p
Σppq, δ, Qinit , F q
detpRq “ pAdet , λdet qAdet N
λdet pqdet q “ č
qPqdet XF
λpqq
qdet ĎQ qdet XF‰ H

R“ pN, λqp
Kpτ
NpS0, . . . , Sn`1q
ppτ , λpSn`1qq locppτq Ď λpSn`1q
τlocppτq
pτp
K
ΩĎLoc locpppτq Ď ΩpS1, . . . , Sn`1q
pp
τ , ΩqRpp
τ , Ωq“pN, λq
N“ pt S1, . . . , Sn`1u,p
Σppq, δ, tS1u,tSn`1uq
pSi, l :ι, Sjq P δðñ t vl:ιw psq | sPSi^ vl:ιw psq‰KuĎSj
λpSn`1q “ Ω
pτ
Si, Sj
iăj Si“Sj
pli:ιi, . . . , lj´1:ιj´1qpτ
lj´1:ιj´1Sj´1
SiSj´1Si
pp, qq
p q p q

Ri“ pNi, λiq
Ni“ pQi,p
Σppq, δi, Qpiq
init , FiqiP t 1,2u
R1]R2:“ pN, λqN“ pQ1YQ2,p
Σppq, δ1Yδ2, Qp1q
init Y
Qp2q
init , F1YF2q
λpqq “ $
’
&
’
%
λ1pqq X λ2pqqqPF1XF2
λ1pqqqPF1
λ2pqq
qPF1YF2
R1R2R1]R2
R1]R2LpR1q Y LpR2q

true pc = 0004
{ 0004 }
lr = 0004
bl 0020 bx lr
cmp r0, r1
blt 002c
mov r0, r1
cmp r0, r2
blt 0038
mov r0, r2
R“ pA, λqA“
pQ, p
Σppq, δ, qinit , F qR
cfgpRq:“ pV, t pqinit , linit q u, E , `q

˜
EĎ pQˆLocpqˆpQˆLocpq
`pq, lq,pq1, l1q˘P˜
Eðñ δ`q, l :instr plq˘“q1PF^l1Pλpq1q
Vpqinit , linit q˜
E˚
E“˜
EX pVˆVq``pq, lq˘“l
pc
pq, lq P V δ`q, l :instr plq˘RF
cfgpRq
R
R“ pA, λq
A“ pQ, p
Σppq, δ, qinit , F qcfgpR, pq “ pV, Vinit , E, `q
unresolvedpRq “ t pq, lq P V|δ`q , l :instrplq˘RFu
RH“ pNH,Hq NH“ pt State u,p
Σppq, δ, tState u,Hq
δ“ t State u ˆ p
ΣppqˆtState u
ε Rε“ pNε,pxÞÑ t linit uqq
Nε“ ptS0,Stateu,p
Σppq, δ, tS0u,tS0uq
δ“ t S0,State u ˆ p
ΣppqˆtState uS0“ t sPState |sppcq “ linit u
pτ

R∅
true
l:ι ∈ Loc ⨉ I
RH
Rε
pc = linit
{ linit } true
l:ι ∈ Loc ⨉ I
l:ι ∈ Loc ⨉ I
ε Rε
pτ
p
τ
pq, lq
p
LpRi, q, lq pq, lqcfg pRiq
Ri
C p
C“ pV, Vinit , E , `qR“ pA, λq
A“ pQ, p
Σppq, δ, qinit , F qRi
p
τPp
Lppqp
LpCq
|pτ|
p
τ“ε C

p
R0ÐRε
iÐ0
unresolvedpRiq‰H
pq, lq P unresolvedpRiq
R`
iÐLpRi, q, lq¨tl:instrplq u
Ri`1ÐRi]R`
i
iÐi`1
cfgpRiq
Rp
LpRq Ě L
LĎ pLoc ˆIq˚
R0ÐRH
iÐ0
LzLpRiq‰H
τPLzLpRiq
R`
iÐτ
Ri`1ÐRi]R`
i
iÐi`1
Ri
RpτPp
LpRq
pτP pLoc ˆIq˚
wp
pqinit , linit qεPp
LpCqpτ“ pl1:ι1, . . . , ln`1:ιn`1q P p
Lppq
pρ“ pl1:ι1, . . . , ln:ιnqp
LppqpρPp
LpCq
pq1, . . . , qn`1q
q1“qinit iP t 1, . . . , n uιi“instr pliqδpqi, li:ιiq “ qi`1
iP t 2, . . . , n uliPλpqiq
l1
n`1Pλpqn`1q
unresolvedpRq “ H
δpqn, ln:instrplnqq “ qn`1PF R
E ln`1“l1
n`1
qn`2:“δ`qn`1, ln`1:instrpln`1q˘PF
pτPp
LpRqlocpppτq Ď ΛRppτqpτPp
Lppq
ln`2Plocppp
τq Ď ΛRpp
τq “ λpqn`2q pqn`2, ln`2q

pτPp
LpCq
p
τΩ“locppp
τq
locpppτ1q Ď Ω
pτ1pτpτ1Pp
Lppq
H ‰ locpppτ1q Ř locpppτq “ Ω
lPΩzlocpppτ1qpτ1
R“ pA, λq
C“cfgpRq
C R p
τPp
LpCq
locCppτq “ ΛRppτq
pτ“ pl1:ι1, . . . , ln:ιnq P p
LpCqΛRppτqp
LpCq Ď p
LpRq
A“ pQ, p
Σppq, δ, qinit , F qp
τ C
pq1, . . . , qn`1qq1“qinit δpqi, li:ιiq “ qi`1
ιi“instrpliqiP t 1, . . . , n u
ppq1, l1q, . . . , pqn`1, ln`1qq pτ
ln`1ln`1Pλpqn`1q “ ΛRppτq
ln`1PlocCpp
τq
R C
p
τPp
LpCq X p
LppqlocCpp
τq “ ΛRpp
τq
ΛRppτq Ď locpppτqC
R“ pA, λqRi
C q A |λpqq| ď 1
C

yτ10klocppyτ10kq“t4uĘH
p
τlocppp
τqĎt4u
pτRp
LppqΩĚ
locppp
τq“H
Ω
pτ1pτ1
pτ1Pp
LppqΩ“locpppτ1q
p
τ
p
Ψ Φppτq
Ψ Ψ Φpp
τqΩ
ΨĎΦppτq
pτ
pτ
Φppτqpτ
Φppτq
locpppτq
pτRp
Lppqlocpppτq“H
locppp
τq
Ψ

p
τΦppτqΨĎΦppτqΩ
H ‰ locpppτq “ Ω
H “ locpppτq Ď Ω
locpppτq
ΦppτqΨ
p
τΦppτqΩ
H ‰ locpppτq “ Ω
ΨĎΦΩ
H “ locpppτq Ď Ω
x
tβpxq | β|ù Φu“tβpxq | β|ù Ψu
pτ“ pl1:ι1, . . . , ln:ιnqx ϑn`1ppcq
ϑn`1
Ψ
pτ
Ψ
ΦppτqpτPp
Lppq

Ψ
Φppτq
x x
Φ
Φ“Φpp
τq
Φ
x, y modpΦq“tβ|β|ù Φu
ΦβΦx y Φ
xKΦy
@βx, βyPmodpΦq.Dβxy PmodpΦq. βxy pxq “ βxpxq ^ βxy pyq “ βypyq
xMΦy
x y
βxpxqβypyq
βxy Φ
x
y

Φ
Φ„Φ
X
t px, yq P X2| DϕPΦ. x, y PF V pϕq u
„Φ
xPX
rxsΦ“ t yPX|x„Φyu
Φx, y
xMΦyùñ x„Φy
x, y PX px„ΦyqΦ|x“
tϕPΦ|F V pϕqXrxsΦ‰ H u Φ1“ΦzpΦ|xqF V pΦ|xqĎrxsΦ
F V pΦ1q Ď XzrxsΦ
βx, βyPmodpΦqβxy “βx|rxsΦ‘βy|XzrxsΦβx|ù Φ|x
βxβxy F V pΦ|xqβxy |ù Φ|x
βxy |ù Φ1βxy PmodpΦqβxpxq “ βxypxq
βypyq “ βxypyq pxMΦyq
„ΦMΦMΦ
Φ
Φ
xΦ|x
Φx
xΦ
ΦxPXΦ|x“ t ϕPΦ|F V pϕqXrxsΦ‰
H u xPXΦ
tβpxq | β|ù Φu“tβpxq | β|ù Φ|xu
Ď Ě β
β|ù Φ|xΦ1“ΦzpΦ|xq
β1β1|ù Φβ1|ù Φ1˜
β“
β|F V pΦ|xq‘β1|XzF V pΦ|xqβ˜
β F V pΦ|xq
˜
β|ù Φ|xF V pΦ1q X F V pΦ|xq“H β1˜
β
F V pΦ1q˜
β|ù Φ1˜
β|ù Φ
xPF V pΦ|xqxPF V pΦq˜
βpxq “ βpxq

Φppτq|pcϑn`1ppcq
p
τPp
Lppq
pcϑn`1ppcq
mem
pcϑn`1ppcq
pcϑn`1ppcq
•διiiP
t1, . . . , n u
•
pcϑn`1ppcq
βΨβppcϑn`1ppcqq P Locp
•
Φ
Φ

Ωlocpppτqpτ
locpppτq Ď Ωlocpppτq “ H
p
τRp
Lppq
ϕPΦppτq
Ωlocpppτq Ď Ω
ϕ
p
τ“ pl1:ι1, . . . , ln:ιnq
ΨĎΦppτq
Ω
Φipp
τq“tδιirϑis,pcϑippcq“liu Y t vϑi`1pvq“µιipvqrϑis | ιivu
iP t 1, . . . , n u
ϕ0:”ľpΦinit XΨq
ϕi:”ľ`Φippτq X Ψ˘
ϕn`1:”θn`1ppcq R Ω
iP t 1, . . . , n u pψ0, . . . , ψn`2q
pϕ0, . . . , ϕn`1q
Si“ t sPState |s˝ϑ´1
i|ù ψiu
iP t 1, . . . , n `1u pp
τ , Ωq

ψi^ϕiψi`1
iP t 0, . . . , n `1uψ0”true ϕ0ψ1
Φinit ψ1
ψn`2”false
sPState s˝ϑ´1
i|ù ψis1“
vli:ιiwpsq‰K s|ù διisppcq “ lis˝ϑ´1
i|ù
tδιirϑis,pcϑippcq“liuβ“ ps˝ϑ´1
iq‘ps1˝ϑ´1
i`1qβ|ù Φippτq
β|ù ϕiβ|ù ψis
β|ù ψi`1
F V pψi`1qĎtvϑi`1pvq|vPVus1˝ϑ´1
i`1|ù ψi`1
s1PSi`1
Φppτqpτ
pc
pc
Ψ
pS1, . . . , Sn`1q
Si“ t sPState |s|ù ϕiu

ϕn`1:” ppc PΩq
ϕi:”$
’
’
’
’
&
’
’
’
’
%
ppc “li^διiq Ñ ϕi`1rµιisδιirϑis,ppcϑippcq“liq P Ψ
ppc “liq Ñ ϕi`1rµιis ppcϑippcq“liq P Ψ
διiÑϕi`1rµιisδιirϑis P Ψ
ϕi`1rµιis
iP t 1, . . . , n u ppτ , Ωq
s|ù ϕiiP t 1, . . . , n u
s1“ vli:ιiwpsq ‰ K s|ù διisppcq “ li
ϕis|ù ϕi`1rµιiss1
s1|ù ϕi`1
s1PSinit si`1“si˝µιi
iP t 1, . . . , n ukP t 1, . . . , n `1u
sk|ù ϕk
kP t 1, . . . , n `1usk|ù διiδιiPΨ
ϕk” pδιiÑϕi`1rµιisq ϕk” ppc “li^διiÑϕi`1rµιisq
sk|ù ϕk
k skppcq ‰ li
k β “ ps1˝ϑ´1
1q‘¨¨¨‘psn`1˝ϑ´1
n`1q
β|ù Ψ
sipc
Ψsn`1ppcq “ βpϑn`1ppcqq P
Ωsn`1|ù ϕn`1
si|ù ϕiiP t 1, . . . , k u
s1|ù ϕ1
siV
si

1
•
•
•

R“ pA, λqA“ pQ, p
Σppq, δ, qinit , F q
R
cfg#pRq“pV, t pqinit , linit q u, E , `q
˜
EĎ pQˆLocpqˆpQˆLocpq
`pq, lq,pq1, l1q˘P˜
Eðñ q1“δ`q, l :instr plq˘
^`pdegpιq ď 1^l1“successorιplqq
_ pdegpιq ą 1^q1PF^l1Pλpq1qq˘
Vpqinit , linit q˜
E˚
E“˜
EX pVˆVq``pq, lq˘“l
q
R“ pA, λqA“ pQ, p
Σ, δ, qinit , F q
cfg#pR, pq“pV, Vinit , E, `q
unresolved#pRq “ t pq, lq P V|δ`q , l :instrplq˘RF^degpinstr plqq ą 1u
cfgpRiqcfg#pRiq
unresolvedpRiqunresolved#pRiq
C

Ri
C
p
τPp
LpCq X p
Lppqι l
p
τPp
Lppqsuccessorιplq‰K H‰locpppτq“tsuccessor ιplq u
locCppτq“tsuccessorιplq u pτ
locCpp
τq “ ΛRpp
τq
pc
K“ pI, v¨wq
ιnop PI
CondpK, ιnop q“pIˆ℘pStateq,v¨wq
vpι, Sqw psq “ #vιw psqsPS
0ιnop8psq
CondpK, ιnop qϕĄι;ιnop
ι K ϕ V

pι, tsPState |s|ù ϕu
ιnop
Kbx 0x20 r1PVr1“0Ą
bx 0x20
K“ pI, v¨wq
K˝
K ι ϕ
Vrιsϕ
vrιsϕw psq “ #vιw psq vιw psq ‰ K ^ s|ù ϕ
K
CondpK, ιnopqK˝
K“ pI, v¨wq ιnop PI
CondpK, ιnop qτ“ pϕ1Ąι1, . . . , ϕnĄιnqrealpτq
K˝pι˝
1, . . . , ι˝
nq
@iP t 1, . . . , n u. ι˝
iP t rιisϕi,rιnops ϕiu
CondpK, ιnop qτ
τ
τ˝Prealpτqτ
K“ pI, v¨wq ιnop PI

τCondpK, ιnop q
tσPState˚|σ$τu “ ď
τ˝Preal pτq
tσPState˚|σ$τ˝u
τ K˝τ˝Prealpτq
τ“ pϕ1Ąι1, . . . , ϕnĄιnqiP t 1, . . . , n u
σ“ ps1, . . . , sn`1qτ σ $τ
τ˝“ pι˝
1, . . . , ι˝
nq
ι˝
i“#rιisϕisi|ù ϕi
rιnops ϕi
σ$τ˝
τ˝“ pι˝
1, . . . , ι˝
nq P realpτq
σ“ ps1, . . . , sn`1qσ$τ˝si|ù ϕiι˝
i“ rιisϕi
vϕiĄιiw psiq“vιiw psiq “ vrιisϕiw psiq“vι˝
iw psiq “ si`1
si|ù ϕiι˝
i“ rιnops ϕi
vϕiĄιiw psiq “ 0ιnop8psiq “ 0rιnop s ϕi8psiq “ vτ˝
iw psiq “ si`1
σ$τ
CondpK, ιnop qK˝
K“ pI, v¨wq
Kc“ pIc,v¨wq ιPI ιcPIc
ιcι ι ιcι"ιc
@s, s1PState .vιcwpsq “ s1ùñ vιw psq “ s1
K τ “ pι1, . . . , ιnq
Kcτc“ pιc
1, . . . , ιc
nqτ"τciP t 1, . . . , n uιi"ιc
i
ιcι
ι
τcτ τc
τ

K“ pI, v¨wq Kc“ pIc,v¨wq
τ K τcKcτ"τc
tσPState˚|σ$τuĚtσPState˚|σ$τcu
τcτ
•CondpK, ιnop qK˝pϕĄιq "
rιsϕpϕĄιq"rιnops ϕτ˝Prealpτqτ"τ˝
•ϕ, ψ ϕ ψ rιsψ" rιsϕ
K ι
•K ι p
K ι "
l:ι l PLoc
K
p
p“ pLocp, linit ,instr , Sinit q
K Kc“ pIc,v¨wq Kc
ppV, Vinit , E , `q
•V
•Vinit ĎV
•EĎVˆIcˆV
•`:VÑLocp
pv, ιc, v1q P E ιc
`pvqinstrp`pvqq " ιc
x
Kcp
LpCqKcLpCq
KcC“ pV, Vinit , E , `qK p

‹C
|V| ă 8 ^ |E|ă8
‹p
τPp
Lppq
Kcp
τc
1,..., p
τc
kPp
LpCqpτ"p
τc
iiP t 1, . . . , k u
tσPEppq | σ$pτu “
k
ď
i“1
tσPEppq | σ$p
τc
iu
p K
Kcp
τc
i
‹C
px
Kcpτc“ pl1:ι1, . . . , ln:ιnq
K p
@kP t 0, . . . , n ´1u.`DσPEppq. σ $pτc|k˘ùñ lk`1Plocpppτc|kq
x
Kcpτc“ pl1:ι1, . . . , ln:ιnq
locpppτcq “ t lPLocp| Dps1, . . . , sn`1q P Eppq. l “sn`1ppcq
^ ps1, . . . , sn`1q $ pτcu
C KcK p
@pτcPp
LpCq.`DσPEppq. σ $pτc˘ùñ locCppτcq Ď locpppτcq
C‹

f
f:IÑ℘pIcq
@ιPI . |fpιq| ă 8 ^ @ιcPfpιq. ι "ιc
f`Σppq˘“ď
ιPΣppq
fpιq
f`p
Σppq˘“ď
l:ιPp
Σppq
tl:ιc|ιcPfpιq u
pq, lqιcPfpinstr plqq
R“ pA, λqA“ pQ, f `p
Σppq˘, δ, qinit , F q
f R
cfg#
fpRq“pV, t pqinit , linit q u, E , `q
˜
EĎ pQˆLocpq ˆ f`Σppq˘ˆ pQˆLocpq
`pq, lq, ιc,pq1, l1q˘P˜
Eðñ ιcPf`instr plq˘^q1“δpq , l :ιcq
^`pdegpιcq ď 1^l1“successorιcplqq
_ pdegpιcq ą 1^q1PF^l1Pλpq1qq˘
Vpqinit , linit q˜
E˚
E“˜
EX pVˆf`Σppq˘ˆVq``pq, lq˘“l
pq, lq
ιcPf`instrplq˘
unresolved#
fpq, lq“tιcPf`instrplq˘|δpq , l :ιcq R F^degpιcq ą 1u
unresolved#
fpRq “ t pq, lq P V|unresolved#
fpq, lq ‰ H u
f`p
Σppq˘
p
Σppqunresolved#
fpRiq
unresolvedpRiqcfgpRiqcfg #
fpRiq
tinstrplq u unresolved#
fpq, lq
Kcp

f
ι
K“ pI, v¨wq
Kc“ pIc,v¨wq p K
f:IÑ℘pIcq
ιPI
@sPState .vιw psq ‰ K ùñ DιcPfpιq.vιcw psq‰K
p Kcp
‹
pτPp
Lppqpτ“ε
εPp
LpCqpτ“ pl1:ι1, . . . , ln`1:ιn`1q P p
Lppq
pρ“ pl1:ι1, . . . , ln:ιnqp
Lppqσ“ ps1, . . . , sn`2q P Eppq
σ$pτ σ1“ ps1, . . . , sn`1q $ pρ
p
ρiPp
LpCqσ1$p
ρisn`1ppcq “ ln`1
sn`2“ vιn`1w psn`1q‰K
ιc
n`1Pfpιn`1q0ιc
n`18psn`1q‰K ιn`1"ιc
n`1
sn`2“0ιc
n`18psn`1qσ$p
τip
τi“p
ρi¨ pln`1:ιc
n`1q
pτ"pτi
p
τiPp
LpCq
pτ C f
p
LpCqp
τ
pτ
R C ‹
K
ι Kcιcι"ιc
x
Kcpτc
pp
Kpτ

pτ
locpppτq“t000c u
C
p
τ¨ p0000 :mov r0,r0,#0q
pτp
Lppq0000 Rlocpppτq
rb 0000s ZZtrue
Z K˝
CondpK, ιnop qp
f fpϕĄιq “ t rιsϕ,rιnops ϕuK˝p
R
cfgpRq

•
•
•

•
•

|Q| |δ| |Q| |δ|

|Q| |δ| |Q| |δ|

|Q| |δ| |Q| |δ|

|Q| |δ| |Q| |δ|

pc

pc
pc

J
J

J
pc

0000
0034
0004
bx lr
0004 b 0004
0030
0024
b 0024
0020
bl 0020
mov r0,#0
0028
(= n v) / b 0034
002C
(not (= n v)) / nop
add r0,r0,#1
b 0004
cmp r0,#10
10028
1002C
ldr r3,[r3]
10054
10058
stmdb sp!,{r4,lr}
10064
1000C
ldm sp!,{r4,pc}
10034
10038
str r3,[r2]
10040
10044
cmp r3,#9
10018
1001C
mov r2,#0
1000C
b 1000C<_Reset+0xc>
1005C
10060
mov r3,#0
10000
10004
nop
10030
ldr r2,[pc,0018]
10014
bl 10014<f>
10020
b 10038<f+0x24>
10048
(not (or z (distinct n v))) / nop
10024
(or z (distinct n v)) / b 10024<f+0x10>
str r2,[r3]
1003C
ldr r3,[pc,0010]
1004C
nop
ldr r3,[pc,0024]
10008
bl 10054<main>
ldr r3,[r3]
ldr sp,[pc,0004]
bx lr
mov r0,r3
add r3,r3,#1
ldr r3,[pc,0034]
b 1000C<_Reset+0xc>

1004C
10050
mov r3,#2
10068
1006C
str r3,[sp,0004]
10090
10094
add sp,sp,#8
10064
mov r3,#8
10054
10088
b 10088<main+0x74>
10020
10024
cmp r3,#4
1008C
ldr r3,[sp,0004]
1005C
10060
str r3,[sp,0004]
1000C
bx lr
(or (not c) z) / ldr pc,[pc,r3,lsl2] (or (not c) z) / ldr pc,[pc,r3,lsl2]
10028
(not (or (not c) z)) / nop
10058
(or (not c) z) / ldr pc,[pc,r3,lsl2]
10070
(or (not c) z) / ldr pc,[pc,r3,lsl2]
10040
(or (not c) z) / ldr pc,[pc,r3,lsl2]
1007C
b 1007C<main+0x68>
mov r0,r3
mov r3,#4
b 10088<main+0x74>
10080
10084
str r3,[sp,0004]
10018
1001C
ldr r3,[pc,0078]
10014
sub sp,sp,#8
10000
10004
nop
ldr r3,[r3]
10074
mov r3,#16
nopb 10088<main+0x74>
str r3,[sp,0004]
10008
ldr sp,[pc,0004]
10078
b 10088<main+0x74>
10044
mov r3,#1
mvn r3,#0
1000C
b 1000C<_Reset+0xc>
10048
str r3,[sp,0004]str r3,[sp,0004]
b 1000C<_Reset+0xc>
bl 10014<main>
b 10088<main+0x74>

10000
100E0
100E4
cmp r2,r3
10030
10034
str r0,[sp,0004]
100E8
100EC
ldr r3,[sp,0014]
100CC
100D0
ldr r3,[sp,0008]
1001C
1002C
bl 1002C<binary_search>
10070
10074
ldr r3,[sp,0004]
100A8
100AC
ldr r3,[sp,0008]
10084
10088
str r3,[sp,0010]
10064
10068
ldr r2,[pc,008C]
1000C
1000C
b 1000C<_Reset+0xc>
100F0
mov r0,r3
10054
10058
ldr r3,[sp,0010]
100B8
(or z (distinct n v)) / b 100CC<binary_search+0xa0>
100BC
(not (or z (distinct n v))) / nop
10004 10008
ldr sp,[pc,0004]
100C8
100D8
b 100D8<binary_search+0xac>
1008C
ldr r2,[pc,0068]
10078
1007C
(not (not z)) / nop
100A4
(not z) / b 100A4<binary_search+0x78>
1005C
10060
mov r3,r3,asr1
100F4
add sp,sp,#24
100C4
str r3,[sp,0010]
10014 10018
stmdb sp!,{r4,lr}
1009C
100A0
str r3,[sp,0014]
100B4
cmp r2,r3
10094
10098
add r3,r2,r3
bl 10014<main>
10020
10024
mov r3,#0
100C0
sub r3,r3,#1
10028
ldm sp!,{r4,pc}
sub sp,sp,#24
100D4
add r3,r3,#1
bx lr
10050
ldr r2,[sp,000C]
b 1000C<_Reset+0xc>
add r3,r2,r3
ldr r3,[r3,0004]
10080
ldr r3,[sp,000C]
mov r0,r3
1006C
ldr r3,[sp,0008]
100DC
ldr r3,[sp,0010]
10090
mov r3,r3,lsl3
(not (or z (distinct n v))) / nop(or z (distinct n v)) / b 10050<binary_search+0x24>
100B0
ldr r3,[sp,0004]
mov r0,#8nop
cmp r2,r3
10048
1004C
str r3,[sp,0014]
str r3,[sp,0008]
ldr r2,[r2,r3,lsl3]
sub r3,r3,#1
10038
mov r3,#0
b 100D8<binary_search+0xac>
10044
mvn r3,#0
1003C
10040
mov r3,#14
ldr r3,[sp,0008]
b 100D8<binary_search+0xac>
ldr r2,[pc,004C]
ldr r2,[sp,000C]
ldr r3,[sp,0008]
str r3,[sp,000C]
str r3,[sp,000C]
ldr r2,[r2,r3,lsl3]
str r3,[sp,0010]

10080
10084
add r3,r2,r1
10080
10084
add r3,r2,r1
100A0
100A4
cmp r2,r1
1000C b 1000C<_Reset+0xc>
10090
10094
z / sub r2,r1,#1(not z) / nop
1008C
cmp r0,#8
1000C
b 1000C<_Reset+0xc>
10008
10074
bl 10074<main>
10090
10094
z / sub r2,r1,#1 (not z) / nop
100A8
100AC
mov r0,#0
100A0
100A4
cmp r2,r1
10088
1008C
ldr r0,[ip,r3,lsl3]
10088
ldr r0,[ip,r3,lsl3]
cmp r0,#8
(= n v) / b 10080<main+0xc> (not (= n v)) / nop
z / b 100A0<main+0x2c>
10098
(not z) / nop
1000C
bx lr
1007C
mov r2,#14
100AC
bx lr mov r3,r3,asr1
1009C
(and (not z) (= n v)) / sub r2,r3,#1 (not (and (not z) (= n v))) / nop
1000C
b 1000C<_Reset+0xc>
10078
mov r1,#0
1009C
(or z (distinct n v)) / add r1,r3,#1 (not (or z (distinct n v))) / nop
10098
(and (not z) (= n v)) / sub r2,r3,#1 (not (and (not z) (= n v))) / nop
(= n v) / b 10080<main+0xc>
100A8
(not (= n v)) / nop
10000
10004
nop
z / b 100A0<main+0x2c>
(not z) / nop
ldr sp,[pc,0004]
ldr ip,[pc,0034]
mov r3,r3,asr1
b 1000C<_Reset+0xc>
mov r0,#0
(not (or z (distinct n v))) / nop (or z (distinct n v)) / add r1,r3,#1

10088
1008C
stmdb sp!,{r4,lr}
10A10
10A14
str r3,[lr]
100C0
100CC
z / b 100CC<BubbleSort+0x44>
100C4
(not z) / nop
10A20
10A24
str r3,[r2,0004]!
1009C
100A0
mov r3,r0
100D4
100D8
subs lr,lr,#1
10A28
cmp r2,r0
10A0C
mov r1,r3
10098
mov r2,r4
100D0
(not (not z)) / nop
10A34
(not z) / ldm sp!,{r4,pc}
10008 109F4
bl 109F4<main>
100A4
ldr r1,[r3]
100C8
(or z (distinct n v)) / b 100A0<BubbleSort+0x18>
(not (or z (distinct n v))) / nop
10090
10094
mov lr,#99
100AC
100B0
cmp r1,ip
10A38
1000C
ldm sp!,{r4,pc}
109F8
ldr r2,[pc,0040]
add r0,r0,#4
100BC
cmp r2,#100
10A04
10A08
mvn r3,#0
cmp r4,#0
10000 10004
nop 109FC 10A00
ldr ip,[pc,003C]
mov r0,#0
add r0,r2,#400
100B8
(and (not z) (= n v)) / str r1,[r3](not (and (not z) (= n v))) / nop
100A8
ldr ip,[r3,0004]!
1000C
b 1000C<_Reset+0xc>
b 1000C<_Reset+0xc>
100B4
(and (not z) (= n v)) / mov r4,#0(not (and (not z) (= n v))) / nop
10A2C
10A30
ldr r0,[pc,0008]
10A18
10A1C
mul r3,r1,r3
stmdb sp!,{r4,lr}
(not (not z)) / nop (not z) / b 10A14<main+0x20>
add r2,r2,#1
cmp r2,lr
sub r1,r1,#1
ldrb r3,[ip,0001]
bl 10088<BubbleSort>
ldr sp,[pc,0004]
(and (not z) (= n v)) / str ip,[r3,-004](not (and (not z) (= n v))) / nop(not z) / b 10094<BubbleSort+0xc>
100DC
(not (not z)) / nop
mov r4,#1
ldr lr,[pc,003C]
ldm sp!,{r4,pc}

10058
1005C
(not (not z)) / nop
10030
(not z) / b 10030<fib+0x1c>
10060
10064
mov r0,#1
10018
1001C
cmp r0,#1
10024
10028
mov r2,#1
10008
10068
bl 10068<main>
10074
bx lr
1000C
1000C
b 1000C<_Reset+0xc>
1002C
10034
b 10034<fib+0x20>
1006C
10070
mov r0,#30
bx lr
10038
add r0,r2,r1
10078
mov r0,#30
b 1000C<_Reset+0xc>
mov r2,r0
10054
cmp r2,#0
stmdb sp!,{r4,lr}
1003C
10040
mov r1,r2
10014
mov ip,r0
10044
10048
(and (not z) (= n v)) / mov r2,#0(not (and (not z) (= n v))) / nop
mov r3,#2
10020
mov r1,#0
10004
ldr sp,[pc,0004]
1004C
(or z (distinct n v)) / mov r2,#1(not (or z (distinct n v))) / nop
ldm sp!,{r4,pc}
10000
nop
10050
(distinct n v) / mov r2,#0(not (distinct n v)) / nop
(or z (distinct n v)) / b 10060<fib+0x4c> (not (or z (distinct n v))) / nop
cmp r3,#30
add r3,r3,#1
bl 10014<fib>
cmp ip,r3