
AngrTracerError: Could not step to the first address of the trace - state split


When attempting to test against a real (albeit incredibly simple - just a tiny message deserialization test, though the same happens on much more complicated targets too) Rust target, after cle loads and does a run, angr gets mad immediately upon calling simgr.use_technique(t) (see stack trace below).

WARNING | 2019-12-11 03:05:52,461 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2019-12-11 03:05:54,099 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Traceback (most recent call last):
  File "run_driller.py", line 68, in <module>
    main()
  File "run_driller.py", line 55, in main
    for _, new_input in Driller(binary, seed).drill_generator():
  File "/root/driller/venv/lib/python3.7/site-packages/driller/driller_main.py", line 101, in drill_generator
    for i in self._drill_input():
  File "/root/driller/venv/lib/python3.7/site-packages/driller/driller_main.py", line 131, in _drill_input
    simgr.use_technique(t)
  File "/root/driller/venv/lib/python3.7/site-packages/angr/sim_manager.py", line 188, in use_technique
    tech.setup(self)
  File "/root/driller/venv/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 192, in setup
    raise AngrTracerError("Could not step to the first address of the trace - state split")
angr.errors.AngrTracerError: Could not step to the first address of the trace - state split


Top GitHub Comments

rhelmot commented, Jul 14, 2020

The point of the algorithm I referenced which identifies the entry point (the "find the entry point" comment) is that it works regardless of the base address used by qemu, by assuming that the page-alignment must be the same and that the block prior to it will be very far away, a jump from a different mapped image.

rhelmot commented, Jul 10, 2020

Yes, the goal is to create the list - a list which indicates that for the nth initializer, its presence in the trace starts at the specified index.

So for example the trace looks like this:

---------------------------------------------------------------------
   ^initializer 1         ^initializer 2                     ^entry point

And what we want to find out is what indices correspond to each of those points so we can correctly keep track of where in the trace our execution corresponds to when we’re executing with angr’s simplified model of running initializers (the LinuxLoader simprocedure).

We already use heuristics to determine the entry point trace index, we just need to do the same thing to figure out where the initializers are, too. The result of that computation will be a list of trace indices, one corresponding to each initializer. Then, we need to store that list and do the thing I described earlier (only 7 months ago? yikes) where we use it to update the current index while executing.
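As an added illustration (not angr or driller code) of the entry-point heuristic from the Jul 14 comment (match the page offset, require a far jump from the preceding block), extended to produce the list of initializer trace indices described in the Jul 10 comment. The page size, the far-jump threshold, the qemu and loader base addresses and the sample trace are all constructed assumptions.

```python
# Added example, not angr/driller code. A qemu trace is a list of basic-block
# addresses whose base may differ from angr's 0x400000, so we match on the
# page offset and require that the preceding block is far away (control
# arriving from a different mapped image, e.g. ld.so calling an initializer).
PAGE_MASK = 0xFFF          # assumption: 4 KiB pages
FAR_JUMP = 0x10000         # assumption: blocks this far apart live in different images


def find_trace_index(trace, target_addr, start=0):
    """First index >= start whose page offset equals target_addr's and whose
    predecessor lies at least FAR_JUMP away; None if no such block exists."""
    want = target_addr & PAGE_MASK
    for i in range(max(start, 1), len(trace)):  # index 0 has no predecessor
        if (trace[i] & PAGE_MASK) == want and abs(trace[i] - trace[i - 1]) >= FAR_JUMP:
            return i
    return None


def locate_initializers_and_entry(trace, initializers, entry):
    """Map each initializer (in run order) and then the entry point to a trace
    index, searching forward so the resulting list is strictly increasing."""
    indices = []
    pos = 0
    for init in initializers:
        idx = find_trace_index(trace, init, pos)
        if idx is None:
            raise ValueError("initializer %#x not found in trace" % init)
        indices.append(idx)
        pos = idx + 1
    entry_idx = find_trace_index(trace, entry, pos)
    if entry_idx is None:
        raise ValueError("entry point %#x not found in trace" % entry)
    return indices, entry_idx


# Constructed sample: angr links the PIE at 0x400000, qemu mapped it elsewhere.
QEMU_BASE = 0x555555554000  # constructed qemu load address of the main binary
LD_BASE = 0x7FFFF7FD0000    # constructed address of the dynamic loader image
SAMPLE_TRACE = [
    LD_BASE + 0x1050, LD_BASE + 0x10A0,         # ld.so blocks
    QEMU_BASE + 0x1130, QEMU_BASE + 0x1144,     # initializer 1 and its fallthrough
    LD_BASE + 0x1200,                           # back in ld.so
    QEMU_BASE + 0x1160,                         # initializer 2
    LD_BASE + 0x1300,                           # ld.so hands off to the program
    QEMU_BASE + 0x1080, QEMU_BASE + 0x1095,     # entry point (_start) and on
]
INITIALIZERS = [0x401130, 0x401160]  # angr-side addresses of the initializers
ENTRY = 0x401080                     # angr-side entry point

if __name__ == "__main__":
    print(locate_initializers_and_entry(SAMPLE_TRACE, INITIALIZERS, ENTRY))
```

The returned list is the per-initializer index table the comment asks for; the entry index is the value the existing heuristic already computes.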
