New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

processConstraints函数中无法获取ConditionKSet #50

Open

CythZ opened this issue Jul 25, 2022 · 3 comments

CythZ commented Jul 25, 2022

processConstraints()中只传入了inOutEnv，当conditionVarnode是tmp变量时，无法从inOutEnv中获取相应的值集。或许应该把tmpEnv传进函数，然后调用KSet conditionKSet = getKSet(conditionVarnode,inOutEnv,tmpEnv,pcode);？

Collaborator

MatthewShao commented Jul 28, 2022

从设计上讲，tmp变量属于PCode层面的中间运算结果，程序实际运行状态中并无对应的变量；而程序运行状态中变量的抽象值（寄存器值集、内存值集）都是绑定到inOutEnv当中，因此约束求解应该只对inOutEnv中的值集进行。

Author

CythZ commented Jul 29, 2022

我遇到的情况是这样的，以JLE指令为例，它的pcode如下：
0x000011e3: JLE 0x11c4
(unique,0xd000,1) = INT_NOTEQUAL OF, SF
(unique,0xd100,1) = BOOL_OR ZF, (unique,0xd000,1)
CBRANCH qword_ptr(0x000011c4), (unique,0xd100,1)
ZF的比较结果是存在tmp变量中的，在processConstraints中从inOutEnv中获取不到，导致即便在条件不满足的情况下，0x11c4这个基本块也一直在遍历，因此我觉得可能要传入tmpEnv来获取(unique,0xd100,1)。可能这是一种比较粗暴的做法。
如果不应该传入tmpEnv的话，请问还有什么别的方法解决0x11c4被重复遍历吗？

Collaborator

MatthewShao commented Aug 9, 2022

就条件跳转的求解来说，目前的constraint solver模块尚不完善。对于0x11c4被重复遍历的问题，可以降低K参数值来加速达到不动点。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment