Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Signed min/max in solver
See original GitHub issueI have a simple C function that does the following psuedo code:
fun(int a) {
return a % 15 } .
It’s pretty obvious the max value returned is 15, while the minimum is 0 (it is returned to rax). I want to see this in angr. I have:
state = proj.factory.call_state(fun addr)
rax1 = claripy.BVS('rax1',64)
state.regs.rax = rax1
simgr = proj.factory.simgr(state)
simgr.run()
This gets me to the 1 and only deadened state, which is my return. I want to look at this.
So, I understand I can do state.se.max(state.regs.rax) . However, I dont understand this :
I get 18446744073709551615. Why is it giving me the max unsigned int value? It kind of makes sense, since at the moment there are no constraints. So this brings me to my question. Wouldnt I want to do something like simgr.deadened.se.max()? Because I want to look at the registers at the deadened state, aka where simgr is currently; not at state, which is just the start of the function call. Is there a way to do this? I tried doing just state.step(), but that wasnt working for me at least. Any thoughts? Thanks !
Issue Analytics
- State:
- Created 3 years ago
- Comments:18 (9 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@CharlyBVo I believe you made an error in your implementation. I’ve implemented signed min/max in https://github.com/angr/claripy/pull/219 and it finishes in a few seconds.
Hello, I began to take a look at this issue. By modifying the backend_z3, I added an option ‘signed’ using ‘<’ and ‘>’ instead of unsigned operation (hardcoded and not went through all the stack between solver and backend yet). The time required by z3 increases drastically for the simple case % hereunder (I stop it after more than 30 minutes without answers). I manually set a timeout of one second for the solver in the backend and it seems to work by giving the right answer. But it’s clearly not the best idea…
Any idea to investigate to reduce z3 solving time ? (I had already tested simplification options of angr for z3).
Small note : In the example above, I try to solve for simgr.deadened[0].regs.eax) instead of rax. I think it’s something to take into account before trying to solve for a max value --> check where the assembly put the return value to not take into account wrong bits 😃