
I compiled coreutils 8.27. In the cp program, function 0x402FB0 (target_directory_operand), CFGFast doesn't recover the CFG correctly. Below is the binary: cp.zip

The error is a very simple one. Here is the CFG recovered by angr (screenshot from 2017-08-29 17-36-44).

Here is the CFG recovered by IDA, which is the correct one (screenshot from 2017-08-29 17-37-04).

As you can see, there is an edge missing in angr's CFG, from node 0x402FEA to node 0x402FF1. Angr's analysis basically put a duplicated node 0x402FF1 inside the node 0x402FFA (since the first one contains a return statement). The node 0x402FEA is supposed to be 7 bytes instead of 18.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:11 (6 by maintainers)

Top GitHub Comments

2 reactions
ltfish commented, Aug 30, 2017

why do you distinguish the normalized version of CFG vs the non-normalized version

Because they are different.

What's the benefit of having this non-normalized CFG?

The normalization of a CFG is the process of breaking bigger basic blocks in case there are overlapping basic blocks. A basic block A overlaps with another basic block B if A starts in the middle of B, and during normalization, the block B will be split into two blocks: B0 and A. However, you do not know whether you should break B or not until block A is recovered during CFG recovery. Therefore, without a full CFG of that function recovered, you cannot normalize the CFG of that function.

I agree that a normalized CFG looks more natural to human analysts, but most automated analyses do not care whether the CFG is normalized or not. CFGs in angr are intended to be used by both analysis routines and human users. Therefore, we do not normalize CFGs by default, and you can always normalize it if you need to.

PS: In the graph view of angr management, we only display normalized CFGs, because that view is solely intended to be read and analyzed by human analysts.
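The splitting step described in the comment above, applied to the two nodes from the report, as an added toy example (not angr's code). Blocks are (address, size) pairs; the predecessor edges from 0x402FB0 are constructed for illustration and are not taken from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    """A basic block: start address and size in bytes."""
    addr: int
    size: int

    @property
    def end(self) -> int:
        return self.addr + self.size


def normalize(blocks, edges):
    """Return (blocks_by_addr, edges) with every overlap removed.

    If block A starts strictly inside block B, B is cut down to the prefix
    B0 = [B.addr, A.addr) with a single fall-through edge to A; B's old
    successors are really the successors of its tail, i.e. of A.
    Assumes A and B decode the same instruction stream from A.addr on, so
    they must end at the same address; two different streams over the same
    bytes are not handled by this toy and raise ValueError.
    """
    by_addr = {b.addr: b for b in blocks}
    edges = set(edges)
    changed = True
    while changed:
        changed = False
        for a in list(by_addr.values()):
            for b in list(by_addr.values()):
                if not (b.addr < a.addr < b.end):
                    continue
                if a.end != b.end:
                    raise ValueError(f"overlapping instruction streams at {a.addr:#x}")
                by_addr[b.addr] = Block(b.addr, a.addr - b.addr)  # B -> B0
                tail_out = {e for e in edges if e[0] == b.addr}
                edges -= tail_out
                edges |= {(a.addr, dst) for _, dst in tail_out}  # tail successors belong to A
                edges.add((b.addr, a.addr))                       # B0 falls through to A
                changed = True
    return by_addr, edges


def issue_example():
    """The report's nodes: 0x402FEA recovered as 18 bytes, 0x402FF1 as 11 bytes.
    Both end at 0x402FFC (both return). Predecessor edges are constructed."""
    blocks = [Block(0x402FEA, 18), Block(0x402FF1, 11)]
    edges = {(0x402FB0, 0x402FEA), (0x402FB0, 0x402FF1)}  # constructed, not from the report
    return normalize(blocks, edges)
```

After normalization, 0x402FEA is 7 bytes long and gains the edge to 0x402FF1 that the report found missing, matching the IDA view. In angr itself the same result comes from passing `normalize=True` to CFGFast.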

0 reactions
ltfish commented, Aug 30, 2017

You are welcome 😃
