JonathanSalwan / Triton

Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
https://triton-library.github.io
Apache License 2.0

error while simplifying basic block #1180

Closed archercreat closed 2 years ago

archercreat commented 2 years ago

Calling stoi on 0x140010eba: push -0x171ed crashes triton

terminate called after throwing an instance of 'std::out_of_range'
  what():  stoi
 #0 0x00007f42c99e4491 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib/x86_64-linux-gnu/libLLVM-13.so.1+0xde5491)
 #1 0x00007f42c99e2612 llvm::sys::RunSignalHandlers() (/lib/x86_64-linux-gnu/libLLVM-13.so.1+0xde3612)
 #2 0x00007f42c99e498d (/lib/x86_64-linux-gnu/libLLVM-13.so.1+0xde598d)
 #3 0x00007f42c77b1520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x00007f42c7805a7c __pthread_kill_implementation ./nptl/./nptl/pthread_kill.c:44:76
 #5 0x00007f42c7805a7c __pthread_kill_internal ./nptl/./nptl/pthread_kill.c:78:10
 #6 0x00007f42c7805a7c pthread_kill ./nptl/./nptl/pthread_kill.c:89:10
 #7 0x00007f42c77b1476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
 #8 0x00007f42c77977f3 abort ./stdlib/./stdlib/abort.c:81:7
 #9 0x00007f42c7b40bfe (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa2bfe)
#10 0x00007f42c7b4c28c (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae28c)
#11 0x00007f42c7b4c2f7 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae2f7)
#12 0x00007f42c7b4c558 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae558)
#13 0x00007f42c7b43526 std::__throw_out_of_range(char const*) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5526)
#14 0x000000000060b7d8 int __gnu_cxx::__stoa<long, int, char, int>(long (*)(char const*, char**, int), char const*, char const*, unsigned long*, int) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/string_conversions.h:86:2
#15 0x000000000060b170 std::__cxx11::stoi(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long*, int) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/basic_string.h:6620:5
#16 0x000000000060aa39 triton::engines::symbolic::SymbolicSimplification::deadStoreElimination(triton::arch::BasicBlock const&, bool) const /home/archer/demo/build/_deps/triton-src/src/libtriton/engines/symbolic/symbolicSimplification.cpp:290:33
#17 0x0000000000609daa triton::engines::symbolic::SymbolicSimplification::simplify(triton::arch::BasicBlock const&, bool) const /home/archer/demo/build/_deps/triton-src/src/libtriton/engines/symbolic/symbolicSimplification.cpp:221:22
#18 0x00000000005973b3 triton::Context::simplify(triton::arch::BasicBlock const&, bool) const /home/archer/demo/build/_deps/triton-src/src/libtriton/context/context.cpp:890:28

Also I'm not sure if this is really necessary: https://github.com/JonathanSalwan/Triton/blob/005accc4f3dbbba49797f9c35bc837c533fbb6cd/src/libtriton/arch/basicBlock.cpp#L44

Although by definition a basic block is a set of instructions without any branches, in the real world basic blocks can be obfuscated with conditional/unconditional branches (e.g. in vmprotect, themida, etc.) and it would be more useful if we could merge those blocks into one block. Right now I've solved this issue by just directly inserting instructions into the basic block:

bb.getInstructions().insert(bb.getInstructions().end(), ss.begin(), ss.end());

JonathanSalwan commented 2 years ago

Do you think it's doable to create a minimalist PoC that can reproduce the crash?

Hykni commented 2 years ago

The problem is we're using std::stoi (string->int32) to convert the string addresses from an instruction's disassembly, but they can be larger than 32-bit. You probably just want to replace this with std::stoull, but ideally you should have a reference to the Instruction corresponding to a SymbolicExpression instead of only the disassembly. I'm guessing it's not that simple because the lifetime of an Instruction object seems to be managed by the user.
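The failure mode described in the comment above, as an added stand-alone example (not Triton's code and not part of this thread): the address prefix of a disassembly string such as the one from the report is parsed once with std::stoi, which throws std::out_of_range for any value above INT_MAX, and once with std::stoull, which covers the full 64-bit address space. The helper names `addressText`, `stoiOverflows` and `parseAddress` are this example's own, and the sample disassembly line is constructed from the report.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed sample: the disassembly line from the crash report above.
// Triton's disassembly strings have the shape "<address>: <mnemonic> <operands>".
static const std::string kSample = "0x140010eba: push -0x171ed";

// Extract the address prefix (everything before the first ':') from a disassembly string.
std::string addressText(const std::string& disasm) {
  const auto colon = disasm.find(':');
  if (colon == std::string::npos) throw std::invalid_argument("no address prefix in: " + disasm);
  return disasm.substr(0, colon);
}

// The failing path: std::stoi produces a 32-bit int, so any address above INT_MAX
// (for example the 0x140000000 default image base of a 64-bit PE) throws
// std::out_of_range. Returns true when that exception is raised.
bool stoiOverflows(const std::string& disasm) {
  try {
    (void)std::stoi(addressText(disasm), nullptr, 16);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

// The fix: std::stoull yields an unsigned 64-bit value, which holds any x86-64 address.
// Trailing characters are rejected so a malformed prefix is an error, not a truncated address.
std::uint64_t parseAddress(const std::string& disasm) {
  const std::string text = addressText(disasm);
  std::size_t consumed = 0;
  const unsigned long long value = std::stoull(text, &consumed, 16);
  if (consumed != text.size()) throw std::invalid_argument("trailing characters in address: " + text);
  return static_cast<std::uint64_t>(value);
}

int main() {
  std::cout << "stoi overflows on sample: " << std::boolalpha << stoiOverflows(kSample) << '\n';
  std::cout << "stoull parses sample as: 0x" << std::hex << parseAddress(kSample) << '\n';
  return 0;
}
```

Catching std::out_of_range around std::stoi is shown only to make the overflow observable; the durable fix is the 64-bit parse, and, as the comment notes, better still is not round-tripping addresses through the disassembly text at all.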

archercreat commented 2 years ago

Indeed, stoull fixes the issue, thanks!