crashrustler/

exploitability.rs

use crate::types::{AccessType, CpuType, ExploitabilityRating};

/// Result of exploitability classification.
#[derive(Debug, Clone)]
pub struct ExploitabilityResult {
    /// The exploitability rating.
    pub rating: ExploitabilityRating,
    /// POSIX signal number derived from the exception.
    pub signal: u32,
    /// The real exception type (after EXC_CRASH demux).
    pub real_exception: i32,
    /// Memory access type of the crashing instruction.
    pub access_type: AccessType,
    /// Address being accessed at crash time.
    pub access_address: u64,
    /// Program counter at crash time.
    pub pc: u64,
    /// Disassembly of the crashing instruction.
    pub disassembly: String,
    /// Human-readable analysis messages.
    pub messages: Vec<String>,
}

/// Configuration for exploitability classification.
#[derive(Debug, Clone, Default)]
pub struct ClassifyConfig {
    /// If true, read-access crashes are considered exploitable (CR_EXPLOITABLE_READS).
    pub exploitable_reads: bool,
    /// If true, crashes in JIT code (frame 0 in ???) are exploitable (CR_EXPLOITABLE_JIT).
    pub exploitable_jit: bool,
    /// If true, frame pointer inconsistency is ignored (CR_IGNORE_FRAME_POINTER).
    pub ignore_frame_pointer: bool,
}

/// Verdict from stack/backtrace analysis.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum StackVerdict {
    /// No change to the exploitability rating.
    NoChange,
    /// Override to exploitable based on suspicious backtrace.
    ChangeToExploitable,
    /// Override to not exploitable based on known-safe pattern.
    ChangeToNotExploitable,
}

/// Functions whose presence at frame 0 (or nearby) suggests exploitability
/// (heap corruption, stack smashing, use-after-free, etc.).
const SUSPICIOUS_FUNCTIONS: &[&str] = &[
    "__stack_chk_fail",
    "szone_error",
    "CFRelease",
    "CFRetain",
    "malloc",
    "calloc",
    "realloc",
    "objc_msgSend",
    "objc_msgSend_stret",
    "objc_msgSendSuper",
    "objc_msgSendSuper_stret",
    "objc_msgSend_fpret",
    "szone_free",
    "free_small",
    "tiny_free_list_add_ptr",
    "small_free_list_add_ptr",
    "large_entries_free_no_lock",
    "free",
    "CSMemDisposeHandle",
    "CSMemDisposePtr",
    "WTF::fastFree",
    "WTF::fastMalloc",
    "WTFCrashWithSecurityImplication",
    "__chk_fail_overflow",
];

/// Functions whose presence means the crash is NOT exploitable.
const NON_EXPLOITABLE_FUNCTIONS: &[&str] = &["ABORTING_DUE_TO_OUT_OF_MEMORY"];

/// WTFCrash marker address (WebKit intentional crash).
const WTFCRASH_ADDR: u64 = 0xbbad_beef;

/// Returns the page size for the given CPU type.
/// ARM64 uses 16 KB pages (0x4000), x86/x86_64 uses 4 KB pages (0x1000).
fn page_size_for_cpu(cpu_type: CpuType) -> u64 {
    if cpu_type == CpuType::ARM64 || cpu_type == CpuType::ARM {
        0x4000
    } else {
        0x1000
    }
}

/// Returns true if the CPU type is an x86 variant (32-bit or 64-bit).
fn is_x86(cpu_type: CpuType) -> bool {
    cpu_type == CpuType::X86 || cpu_type == CpuType::X86_64
}

/// Returns true if the CPU type is an ARM variant (32-bit or 64-bit).
fn is_arm(cpu_type: CpuType) -> bool {
    cpu_type == CpuType::ARM || cpu_type == CpuType::ARM64
}

/// Core exploitability analysis from exception + disassembly.
///
/// Ported from CrashWrangler's `catch_mach_exception_raise_state_identity`
/// (exc_handler.m lines 461-782).
pub fn classify_exception(
    exception_type: i32,
    exception_codes: &[i64],
    disassembly: &str,
    pc: u64,
    cpu_type: CpuType,
    config: &ClassifyConfig,
) -> ExploitabilityResult {
    let mut result = ExploitabilityResult {
        rating: ExploitabilityRating::Unknown,
        signal: 0,
        real_exception: exception_type,
        access_type: AccessType::Unknown,
        access_address: 0,
        pc,
        disassembly: disassembly.to_string(),
        messages: Vec::new(),
    };

    // Extract access address from exception codes
    if exception_codes.len() > 1 {
        result.access_address = exception_codes[1] as u64;
    }

    // Determine signal and access type based on exception type
    match exception_type {
        1 => {
            // EXC_BAD_ACCESS
            result.signal = 11; // SIGSEGV (or SIGBUS)
            if !exception_codes.is_empty() {
                match exception_codes[0] {
                    1 => {
                        // KERN_INVALID_ADDRESS
                        result.signal = 11; // SIGSEGV
                    }
                    2 => {
                        // KERN_PROTECTION_FAILURE
                        result.signal = 10; // SIGBUS
                    }
                    _ => {}
                }
            }

            // Determine access type from disassembly using arch-specific logic
            result.access_type = get_access_type(disassembly, cpu_type);

            // Check for null deref (address < page_size * 8)
            let page_size = page_size_for_cpu(cpu_type);
            if result.access_address < page_size * 8 {
                result.rating = ExploitabilityRating::NotExploitable;
                result.messages.push(format!(
                    "Near-null dereference at 0x{:x} — not exploitable",
                    result.access_address
                ));
                return result;
            }

            // WTFCrash marker
            if result.access_address == WTFCRASH_ADDR {
                result.rating = ExploitabilityRating::NotExploitable;
                result
                    .messages
                    .push("WTFCrash (0xbbadbeef) — not exploitable".into());
                return result;
            }

            // Write access → exploitable
            if result.access_type == AccessType::Write {
                result.rating = ExploitabilityRating::Exploitable;
                result.messages.push(format!(
                    "Write to 0x{:x} — exploitable",
                    result.access_address
                ));
                return result;
            }

            // Exec access → exploitable
            if result.access_type == AccessType::Exec {
                result.rating = ExploitabilityRating::Exploitable;
                result.messages.push(format!(
                    "Execution at 0x{:x} — exploitable",
                    result.access_address
                ));
                return result;
            }

            // Read access — depends on config
            if result.access_type == AccessType::Read {
                if config.exploitable_reads {
                    result.rating = ExploitabilityRating::Exploitable;
                    result.messages.push(format!(
                        "Read from 0x{:x} — exploitable (CR_EXPLOITABLE_READS)",
                        result.access_address
                    ));
                } else {
                    result.rating = ExploitabilityRating::NotExploitable;
                    result.messages.push(format!(
                        "Read from 0x{:x} — not exploitable",
                        result.access_address
                    ));
                }
                return result;
            }

            // Unknown access type — conservatively mark as unknown
            result.rating = ExploitabilityRating::Unknown;
            result
                .messages
                .push("Could not determine access type".into());
        }
        2 => {
            // EXC_BAD_INSTRUCTION
            result.signal = 4; // SIGILL
            result.rating = ExploitabilityRating::Exploitable;
            result.messages.push("Bad instruction — exploitable".into());
        }
        3 => {
            // EXC_ARITHMETIC
            result.signal = 8; // SIGFPE
            result.rating = ExploitabilityRating::NotExploitable;
            result
                .messages
                .push("Arithmetic exception — not exploitable".into());
        }
        5 => {
            // EXC_SOFTWARE
            result.signal = 6; // SIGABRT
            result.rating = ExploitabilityRating::NotExploitable;
            result
                .messages
                .push("Software exception (abort) — not exploitable".into());
        }
        6 => {
            // EXC_BREAKPOINT
            result.signal = 5; // SIGTRAP

            // Check for explicit trap instruction matching the target architecture:
            // ARM64 uses `brk`, x86 uses `int3`.
            let is_trap = if !disassembly.is_empty() {
                if is_arm(cpu_type) {
                    disassembly.contains("brk")
                } else if is_x86(cpu_type) {
                    disassembly.contains("int3")
                } else {
                    disassembly.contains("brk") || disassembly.contains("int3")
                }
            } else {
                false
            };

            if is_trap {
                result.rating = ExploitabilityRating::NotExploitable;
                result
                    .messages
                    .push("Breakpoint trap — not exploitable".into());
            } else {
                result.rating = ExploitabilityRating::Exploitable;
                result
                    .messages
                    .push("EXC_BREAKPOINT (non-trap) — exploitable".into());
            }
        }
        10 => {
            // EXC_CRASH — should have been demuxed by init, but handle gracefully
            result.signal = 6; // SIGABRT
            result.rating = ExploitabilityRating::NotExploitable;
            result
                .messages
                .push("EXC_CRASH (undemuxed) — not exploitable".into());
        }
        _ => {
            // Unknown exception type
            result.signal = 6; // default to SIGABRT
            result.rating = ExploitabilityRating::Unknown;
            result.messages.push(format!(
                "Unknown exception type {} — unknown exploitability",
                exception_type
            ));
        }
    }

    result
}

/// Backtrace-based exploitability override.
///
/// Examines the crash log backtrace for patterns that indicate exploitability
/// (or lack thereof). This can override the initial classification.
///
/// Ported from CrashWrangler's `is_stack_suspicious` (exc_handler.m lines 791-1006).
pub fn is_stack_suspicious(
    crash_log: &str,
    access_address: u64,
    exception_type: i32,
    cpu_type: CpuType,
    config: &ClassifyConfig,
) -> StackVerdict {
    // Extract only backtrace frame lines: lines whose trimmed form starts with
    // digits followed by a space (e.g. "0  libFoo ...", "10  libBar ...").
    // This excludes binary image lines ("0x1234..."), register lines ("x0: ..."), etc.
    let frame_lines: Vec<&str> = crash_log
        .lines()
        .filter(|l| {
            let trimmed = l.trim();
            let mut chars = trimmed.chars();
            // Must start with a digit
            if !matches!(chars.next(), Some(c) if c.is_ascii_digit()) {
                return false;
            }
            // Skip remaining digits, then require a space/tab
            for c in chars {
                if c == ' ' || c == '\t' {
                    return true;
                }
                if !c.is_ascii_digit() {
                    return false;
                }
            }
            false
        })
        .collect();

    // Count frames to detect recursion
    if frame_lines.len() > 300 {
        return StackVerdict::ChangeToNotExploitable;
    }

    // Concatenate frame lines for substring searches (avoids matching binary
    // image paths like "libsystem_malloc.dylib" against "malloc")
    let frame_text: String = frame_lines.join("\n");

    // Check for non-exploitable functions in backtrace
    for func in NON_EXPLOITABLE_FUNCTIONS {
        if frame_text.contains(func) {
            return StackVerdict::ChangeToNotExploitable;
        }
    }

    // Check for libdispatch/libxpc crash at frame 0
    for line in &frame_lines {
        let trimmed = line.trim();
        if trimmed.starts_with("0 ") || trimmed.starts_with("0\t") {
            if trimmed.contains("libdispatch") || trimmed.contains("libxpc") {
                return StackVerdict::ChangeToNotExploitable;
            }
            break;
        }
    }

    // Check for suspicious functions in the backtrace
    for func in SUSPICIOUS_FUNCTIONS {
        if frame_text.contains(func) {
            // __stack_chk_fail → always exploitable
            if *func == "__stack_chk_fail" || *func == "WTFCrashWithSecurityImplication" {
                return StackVerdict::ChangeToExploitable;
            }
            // szone_error, heap functions → exploitable for write access
            if exception_type == 1 {
                return StackVerdict::ChangeToExploitable;
            }
        }
    }

    // Check for JIT code (frame 0 in ???)
    if config.exploitable_jit {
        for line in &frame_lines {
            let trimmed = line.trim();
            if (trimmed.starts_with("0 ") || trimmed.starts_with("0\t")) && trimmed.contains("???")
            {
                return StackVerdict::ChangeToExploitable;
            }
        }
    }

    // Check for corrupted return addresses / control flow hijack indicators.
    // Different heuristics apply per architecture.
    if access_address != 0 {
        let addr_bytes = access_address.to_be_bytes();

        // Repeating single-byte pattern (e.g., 0x4141414141414141).
        // Architecture-independent — indicates attacker-controlled data.
        if addr_bytes[0] != 0 && addr_bytes.iter().all(|&b| b == addr_bytes[0]) {
            return StackVerdict::ChangeToExploitable;
        }

        // Repeating two-byte pattern (e.g., 0x4142414241424142).
        // Architecture-independent — another common controlled-data pattern.
        if access_address > 0xFFFF {
            let lo = (access_address & 0xFFFF) as u16;
            let hi = ((access_address >> 16) & 0xFFFF) as u16;
            let hi2 = ((access_address >> 32) & 0xFFFF) as u16;
            let hi3 = ((access_address >> 48) & 0xFFFF) as u16;
            if lo != 0 && lo == hi && lo == hi2 && lo == hi3 {
                return StackVerdict::ChangeToExploitable;
            }
        }

        // x86_64: non-canonical address check.
        // x86_64 requires bits 48-63 to match bit 47. An address that violates
        // this cannot be a valid pointer and suggests corruption.
        if cpu_type == CpuType::X86_64 {
            let bit47 = (access_address >> 47) & 1;
            let high_bits = access_address >> 48;
            if high_bits != 0 && high_bits != 0xFFFF && bit47 == 0 {
                return StackVerdict::ChangeToExploitable;
            }
        }

        // ARM64: suspicious address range checks.
        // macOS ARM64 uses a 47-bit user VA space (0x0 to 0x0000_7FFF_FFFF_FFFF)
        // and kernel addresses start at 0xFFFF_FE00_0000_0000. Addresses that
        // fall in the unmapped gap between user and kernel space, or that have
        // non-zero bits in the PAC/TBI region (bits 48-55) with an otherwise
        // user-space address, suggest pointer corruption.
        if cpu_type == CpuType::ARM64 {
            let top_byte = (access_address >> 56) as u8;
            let pac_bits = (access_address >> 48) & 0xFF;
            let user_bits = access_address & 0x0000_FFFF_FFFF_FFFF;

            // Address in the unmapped gap: above user space max but below kernel base.
            // User max: 0x0000_7FFF_FFFF_FFFF, kernel base: ~0xFFFF_FE00_0000_0000.
            // Anything with bits 47+ set that isn't all-ones in bits 48-63 is in the gap.
            if access_address > 0x0000_7FFF_FFFF_FFFF && access_address < 0xFFFF_FE00_0000_0000 {
                return StackVerdict::ChangeToExploitable;
            }

            // Non-zero top byte with low user-space address: likely corrupted pointer.
            // TBI (Top Byte Ignore) allows bits 56-63 for tagging, but bits 48-55
            // should be zero for valid user pointers. Non-zero PAC region bits on
            // a user-space address suggest a corrupted or forged pointer.
            if pac_bits != 0 && user_bits < 0x0000_8000_0000_0000 && top_byte == 0 {
                return StackVerdict::ChangeToExploitable;
            }
        }
    }

    StackVerdict::NoChange
}

/// Determines memory access type from disassembly text, dispatching to the
/// appropriate architecture-specific classifier based on the crashing process's CPU type.
fn get_access_type(disassembly: &str, cpu_type: CpuType) -> AccessType {
    if disassembly.is_empty() {
        return AccessType::Unknown;
    }

    if is_arm(cpu_type) {
        get_access_type_arm64(disassembly)
    } else if is_x86(cpu_type) {
        get_access_type_x86(disassembly)
    } else {
        AccessType::Unknown
    }
}

/// ARM64-specific access type from disassembly.
pub fn get_access_type_arm64(disassembly: &str) -> AccessType {
    if disassembly.is_empty() {
        return AccessType::Unknown;
    }

    // Extract the mnemonic (first whitespace-delimited token)
    let mnemonic = disassembly
        .split_whitespace()
        .next()
        .unwrap_or("")
        .to_lowercase();

    // Store instructions
    if mnemonic.starts_with("str")
        || mnemonic.starts_with("stp")
        || mnemonic.starts_with("stur")
        || mnemonic.starts_with("stlr")
        || mnemonic.starts_with("stxr")
        || mnemonic.starts_with("stlxr")
        || mnemonic.starts_with("st1")
        || mnemonic.starts_with("st2")
        || mnemonic.starts_with("st3")
        || mnemonic.starts_with("st4")
    {
        return AccessType::Write;
    }

    // Load instructions
    if mnemonic.starts_with("ldr")
        || mnemonic.starts_with("ldp")
        || mnemonic.starts_with("ldur")
        || mnemonic.starts_with("ldar")
        || mnemonic.starts_with("ldxr")
        || mnemonic.starts_with("ldaxr")
        || mnemonic.starts_with("ld1")
        || mnemonic.starts_with("ld2")
        || mnemonic.starts_with("ld3")
        || mnemonic.starts_with("ld4")
    {
        return AccessType::Read;
    }

    // Branch instructions → exec
    if mnemonic == "bl"
        || mnemonic == "blr"
        || mnemonic == "br"
        || mnemonic == "ret"
        || mnemonic == "b"
    {
        return AccessType::Exec;
    }

    AccessType::Unknown
}

/// x86/x86_64-specific access type from disassembly.
pub fn get_access_type_x86(disassembly: &str) -> AccessType {
    if disassembly.is_empty() {
        return AccessType::Unknown;
    }

    let lower = disassembly.to_lowercase();

    // x86 store: mov to memory operand (contains "],")
    if lower.starts_with("mov") && lower.contains("],") {
        return AccessType::Write;
    }
    // x86 load: mov from memory operand (contains "[")
    if lower.starts_with("mov") && lower.contains("[") {
        return AccessType::Read;
    }

    // push/pop
    if lower.starts_with("push") {
        return AccessType::Write;
    }
    if lower.starts_with("pop") {
        return AccessType::Read;
    }

    // call/jmp to bad address → exec
    if lower.starts_with("call") || lower.starts_with("jmp") || lower.starts_with("ret") {
        return AccessType::Exec;
    }

    AccessType::Unknown
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::types::{AccessType, ExploitabilityRating};

    mod classify {
        use super::*;

        #[test]
        fn null_deref_not_exploitable_arm64() {
            let r = classify_exception(
                1,
                &[1, 0x10],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
            assert_eq!(r.signal, 11);
        }

        #[test]
        fn near_null_deref_arm64_page_boundary() {
            // ARM64 page size = 0x4000, threshold = 0x4000 * 8 = 0x20000
            let r = classify_exception(
                1,
                &[1, 0x1_FFFF],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
        }

        #[test]
        fn near_null_deref_x86_page_boundary() {
            // x86 page size = 0x1000, threshold = 0x1000 * 8 = 0x8000
            // Address 0x7FFF is within threshold → not exploitable
            let r = classify_exception(
                1,
                &[1, 0x7FFF],
                "",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);

            // Address 0x8000 is at threshold boundary → not exploitable (< 0x8000 check)
            // Actually 0x8000 < 0x8000 is false, so this should NOT be near-null
            let r2 = classify_exception(
                1,
                &[1, 0x8000],
                "mov eax, [ecx]",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            // 0x8000 is not < 0x8000, so it's not near-null — should classify by access type
            assert_ne!(r2.rating, ExploitabilityRating::Unknown);
        }

        #[test]
        fn x86_higher_null_deref_not_caught_as_arm64() {
            // Address 0x9000 is within ARM64 near-null range (< 0x20000)
            // but outside x86 near-null range (< 0x8000).
            // With x86_64 cpu_type, this should NOT be classified as near-null.
            let r = classify_exception(
                1,
                &[1, 0x9000],
                "mov eax, [ecx]",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            // Should be classified by access type (Read), not as near-null
            assert_eq!(r.access_type, AccessType::Read);
        }

        #[test]
        fn wtfcrash_not_exploitable() {
            let r = classify_exception(
                1,
                &[1, 0xbbad_beef],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
        }

        #[test]
        fn write_access_exploitable_arm64() {
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "str x0, [x1]",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
            assert_eq!(r.access_type, AccessType::Write);
        }

        #[test]
        fn write_access_exploitable_x86() {
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "mov dword ptr [eax], ecx",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
            assert_eq!(r.access_type, AccessType::Write);
        }

        #[test]
        fn exec_access_exploitable_arm64() {
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "blr x8",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
            assert_eq!(r.access_type, AccessType::Exec);
        }

        #[test]
        fn exec_access_exploitable_x86() {
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "call rax",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
            assert_eq!(r.access_type, AccessType::Exec);
        }

        #[test]
        fn read_access_not_exploitable_by_default() {
            let r = classify_exception(
                1,
                &[1, 0x4141_4141],
                "ldr x0, [x1]",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
            assert_eq!(r.access_type, AccessType::Read);
        }

        #[test]
        fn read_access_exploitable_with_config() {
            let config = ClassifyConfig {
                exploitable_reads: true,
                ..ClassifyConfig::default()
            };
            let r = classify_exception(
                1,
                &[1, 0x4141_4141],
                "ldr x0, [x1]",
                0x1000,
                CpuType::ARM64,
                &config,
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
        }

        #[test]
        fn bad_instruction_exploitable() {
            let r = classify_exception(
                2,
                &[1],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
            assert_eq!(r.signal, 4);
        }

        #[test]
        fn arithmetic_not_exploitable() {
            let r = classify_exception(
                3,
                &[1],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
            assert_eq!(r.signal, 8);
        }

        #[test]
        fn software_exception_not_exploitable() {
            let r = classify_exception(
                5,
                &[1],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
            assert_eq!(r.signal, 6);
        }

        #[test]
        fn breakpoint_brk_not_exploitable_on_arm64() {
            let r = classify_exception(
                6,
                &[1],
                "brk #0x1",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
            assert_eq!(r.signal, 5);
        }

        #[test]
        fn breakpoint_int3_not_exploitable_on_x86() {
            let r = classify_exception(
                6,
                &[1],
                "int3",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
        }

        #[test]
        fn breakpoint_brk_exploitable_on_x86() {
            // "brk" is not an x86 trap instruction — should be treated as non-trap
            let r = classify_exception(
                6,
                &[1],
                "brk #0x1",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
        }

        #[test]
        fn breakpoint_int3_exploitable_on_arm64() {
            // "int3" is not an ARM64 trap instruction — should be treated as non-trap
            let r = classify_exception(
                6,
                &[1],
                "int3",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
        }

        #[test]
        fn breakpoint_non_trap_exploitable() {
            let r = classify_exception(
                6,
                &[1],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Exploitable);
        }

        #[test]
        fn exc_crash_not_exploitable() {
            let r = classify_exception(
                10,
                &[0],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::NotExploitable);
        }

        #[test]
        fn unknown_exception_unknown_rating() {
            let r = classify_exception(
                99,
                &[0],
                "",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.rating, ExploitabilityRating::Unknown);
        }

        #[test]
        fn protection_failure_signal_is_sigbus() {
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "str x0, [x1]",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.signal, 10); // SIGBUS
        }

        #[test]
        fn arm64_disasm_not_recognized_on_x86() {
            // ARM64 instruction "str x0, [x1]" should not be recognized on x86
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "str x0, [x1]",
                0x1000,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.access_type, AccessType::Unknown);
        }

        #[test]
        fn x86_disasm_not_recognized_on_arm64() {
            // x86 instruction "push rbp" should not be recognized on ARM64
            let r = classify_exception(
                1,
                &[2, 0x4141_4141],
                "push rbp",
                0x1000,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(r.access_type, AccessType::Unknown);
        }
    }

    mod stack_suspicious {
        use super::*;

        // ================================================================
        // ARM64 architectural difference: integer division by zero
        // ================================================================
        // ARM64 hardware silently returns zero for integer division by zero
        // rather than raising EXC_ARITHMETIC. This means EXC_ARITHMETIC (type 3)
        // is effectively x86-only for integer operations — on ARM64, only
        // floating-point exceptions can trigger it. The classify_exception
        // handler for type 3 returns NotExploitable, which is correct for both
        // architectures: x86 integer div-by-zero is not exploitable, and ARM64
        // FP exceptions are also not exploitable.

        // ================================================================
        // ARM64 architectural difference: __builtin_trap and _FORTIFY_SOURCE
        // ================================================================
        // Security mechanisms like __builtin_trap and _FORTIFY_SOURCE generate
        // EXC_BREAKPOINT (via `brk` instruction) on ARM64 instead of EXC_CRASH
        // (via abort()) on x86. The classify_exception handler for type 6
        // (EXC_BREAKPOINT) dispatches on architecture: ARM64 checks for `brk`,
        // x86 checks for `int3`. Both are classified as NotExploitable when the
        // corresponding trap instruction is detected. See tests in mod classify:
        // breakpoint_brk_not_exploitable_on_arm64, breakpoint_int3_not_exploitable_on_x86.

        // ================================================================
        // ARM64 architectural difference: symbol resolution
        // ================================================================
        // The CrashWrangler ARM64 fork notes that CoreSymbolication may
        // mis-symbolicate __stack_chk_fail on ARM64. CrashRustler avoids this
        // class of issues entirely by resolving symbols directly via Mach-O
        // nlist parsing (image_enum.rs) rather than using CoreSymbolication.
        // The __stack_chk_fail backtrace check below works correctly regardless
        // of architecture.

        #[test]
        fn recursion_not_exploitable() {
            let mut log = String::new();
            for i in 0..301 {
                log.push_str(&format!("{i}  libfoo.dylib  0x1000  foo + 0\n"));
            }
            let v =
                is_stack_suspicious(&log, 0x4141, 1, CpuType::ARM64, &ClassifyConfig::default());
            assert_eq!(v, StackVerdict::ChangeToNotExploitable);
        }

        #[test]
        fn out_of_memory_not_exploitable() {
            let log = "0  libfoo.dylib  0x1000  ABORTING_DUE_TO_OUT_OF_MEMORY + 0\n";
            let v = is_stack_suspicious(log, 0x4141, 1, CpuType::ARM64, &ClassifyConfig::default());
            assert_eq!(v, StackVerdict::ChangeToNotExploitable);
        }

        #[test]
        fn libdispatch_frame0_not_exploitable() {
            let log = "0  libdispatch.dylib  0x1000  _dispatch_main + 0\n1  libfoo.dylib  0x2000  main + 0\n";
            let v = is_stack_suspicious(log, 0x4141, 1, CpuType::ARM64, &ClassifyConfig::default());
            assert_eq!(v, StackVerdict::ChangeToNotExploitable);
        }

        #[test]
        fn stack_chk_fail_exploitable() {
            let log = "0  libSystem.B.dylib  0x1000  __stack_chk_fail + 0\n1  libfoo.dylib  0x2000  bar + 0\n";
            let v = is_stack_suspicious(log, 0x4141, 1, CpuType::ARM64, &ClassifyConfig::default());
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn wtf_security_exploitable() {
            let log = "0  WebCore  0x1000  WTFCrashWithSecurityImplication + 0\n";
            let v = is_stack_suspicious(log, 0x4141, 1, CpuType::ARM64, &ClassifyConfig::default());
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn repeating_byte_address_exploitable() {
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x4141_4141_4141_4141,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn normal_stack_no_change() {
            let log = "0  libfoo.dylib  0x1000  main + 0\n1  libbar.dylib  0x2000  start + 0\n";
            let v = is_stack_suspicious(
                log,
                0x7fff_1234,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::NoChange);
        }

        #[test]
        fn jit_frame0_exploitable_with_config() {
            let config = ClassifyConfig {
                exploitable_jit: true,
                ..ClassifyConfig::default()
            };
            let log = "0  ???  0x1000  0x1000 + 0\n";
            let v = is_stack_suspicious(log, 0x7fff_1234, 1, CpuType::ARM64, &config);
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn jit_frame0_not_flagged_without_config() {
            let log = "0  ???  0x1000  0x1000 + 0\n";
            let v = is_stack_suspicious(
                log,
                0x7fff_1234,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::NoChange);
        }

        #[test]
        fn non_canonical_x86_64_exploitable() {
            // Non-canonical address on x86_64: bits 48-63 don't match bit 47
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x0001_0000_0000_0000, // bit 47 = 0, high bits = 0x0001 (not 0 or 0xFFFF)
                1,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn non_canonical_not_checked_on_arm64() {
            // Same non-canonical x86_64 address on ARM64 falls into the ARM64
            // unmapped gap check instead (above user max, below kernel base).
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x0001_0000_0000_0000,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            // This address is in the ARM64 unmapped gap → exploitable
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        // ================================================================
        // Two-byte repeating pattern detection
        // ================================================================

        #[test]
        fn two_byte_repeating_pattern_exploitable() {
            // 0x4142414241424142 — repeating two-byte pattern
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x4142_4142_4142_4142,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn two_byte_non_repeating_no_match() {
            // 0x4142_4143_4142_4142 — not a perfect two-byte repeat
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x4142_4143_4142_4142,
                1,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            // Doesn't match repeating patterns, but is non-canonical on x86_64
            // (bit47=0, high_bits=0x4142, not 0 or 0xFFFF)
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        // ================================================================
        // ARM64 unmapped gap detection
        // ================================================================

        #[test]
        fn arm64_unmapped_gap_exploitable() {
            // Address above user space max (0x0000_7FFF_FFFF_FFFF) but below
            // kernel base (~0xFFFF_FE00_0000_0000) — falls in unmapped gap.
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x0000_8000_0000_0000, // just above user max
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn arm64_deep_gap_exploitable() {
            // Well into the unmapped gap
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x4141_0000_0000_0000,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn arm64_valid_user_address_no_change() {
            // Valid user-space address — should not trigger
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x0000_0001_0000_0000,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::NoChange);
        }

        #[test]
        fn arm64_kernel_address_no_false_positive() {
            // Valid kernel address — should not trigger gap check
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0xFFFF_FE00_0000_0000,
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            // Not in gap, but the repeating byte check doesn't apply either.
            // This is a valid kernel address — no change.
            assert_eq!(v, StackVerdict::NoChange);
        }

        // ================================================================
        // ARM64 PAC region corruption detection
        // ================================================================

        #[test]
        fn arm64_pac_bits_on_user_address_exploitable() {
            // Non-zero PAC bits (48-55) on a user-space address with zero top byte
            // suggests a corrupted or forged pointer.
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x0012_0000_1234_5678, // PAC bits 0x12, user addr, top byte 0
                1,
                CpuType::ARM64,
                &ClassifyConfig::default(),
            );
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }

        #[test]
        fn arm64_pac_bits_not_checked_on_x86() {
            // Same address on x86_64 should use non-canonical check, not PAC
            let v = is_stack_suspicious(
                "0  libfoo.dylib  0x1000  main + 0\n",
                0x0012_0000_1234_5678,
                1,
                CpuType::X86_64,
                &ClassifyConfig::default(),
            );
            // Non-canonical on x86_64 (bit47=0, high_bits=0x0012)
            assert_eq!(v, StackVerdict::ChangeToExploitable);
        }
    }

    mod access_type_detection {
        use super::*;

        #[test]
        fn arm64_store_is_write() {
            assert_eq!(get_access_type_arm64("str x0, [x1]"), AccessType::Write);
            assert_eq!(get_access_type_arm64("stp x0, x1, [sp]"), AccessType::Write);
            assert_eq!(
                get_access_type_arm64("stur x0, [x1, #-8]"),
                AccessType::Write
            );
        }

        #[test]
        fn arm64_load_is_read() {
            assert_eq!(get_access_type_arm64("ldr x0, [x1]"), AccessType::Read);
            assert_eq!(get_access_type_arm64("ldp x0, x1, [sp]"), AccessType::Read);
            assert_eq!(
                get_access_type_arm64("ldur x0, [x1, #-8]"),
                AccessType::Read
            );
        }

        #[test]
        fn arm64_branch_is_exec() {
            assert_eq!(get_access_type_arm64("blr x8"), AccessType::Exec);
            assert_eq!(get_access_type_arm64("br x16"), AccessType::Exec);
            assert_eq!(get_access_type_arm64("ret"), AccessType::Exec);
        }

        #[test]
        fn empty_is_unknown() {
            assert_eq!(get_access_type_arm64(""), AccessType::Unknown);
            assert_eq!(get_access_type_x86(""), AccessType::Unknown);
        }

        #[test]
        fn x86_store_is_write() {
            assert_eq!(
                get_access_type_x86("mov dword ptr [eax], ecx"),
                AccessType::Write
            );
            assert_eq!(get_access_type_x86("push rbp"), AccessType::Write);
        }

        #[test]
        fn x86_load_is_read() {
            assert_eq!(get_access_type_x86("mov eax, [ecx]"), AccessType::Read);
            assert_eq!(get_access_type_x86("pop rbp"), AccessType::Read);
        }

        #[test]
        fn x86_branch_is_exec() {
            assert_eq!(get_access_type_x86("call 0x1234"), AccessType::Exec);
            assert_eq!(get_access_type_x86("jmp rax"), AccessType::Exec);
            assert_eq!(get_access_type_x86("ret"), AccessType::Exec);
        }

        #[test]
        fn dispatch_uses_correct_arch() {
            // ARM64 instruction via dispatch
            assert_eq!(
                get_access_type("str x0, [x1]", CpuType::ARM64),
                AccessType::Write
            );
            // x86 instruction via dispatch
            assert_eq!(
                get_access_type("push rbp", CpuType::X86_64),
                AccessType::Write
            );
            // ARM64 instruction should not be recognized on x86
            assert_eq!(
                get_access_type("str x0, [x1]", CpuType::X86_64),
                AccessType::Unknown
            );
            // x86 instruction should not be recognized on ARM64
            assert_eq!(
                get_access_type("push rbp", CpuType::ARM64),
                AccessType::Unknown
            );
        }
    }
}