JonathanSalwan
commented
8 months ago Yep indeed, Triton performs an over-approximation of tainting. At the beginning it was a choice but we can affine this granularity.
Open namreeb opened 8 months ago
JonathanSalwan
commented
8 months ago Yep indeed, Triton performs an over-approximation of tainting. At the beginning it was a choice but we can affine this granularity.
Consider the x86 instruction
JGfor example, where the jump is taken ifZF = 0andSF = OF. IfZFhas an untainted, concrete value of1, then I would have expected the instruction to be considered untainted, irrespective of the value/taint ofSFandOF, because those two registers can be considered "unused" in the instruction. But looking at https://github.com/JonathanSalwan/Triton/blob/master/src/libtriton/arch/x86/x86Semantics.cpp#L7661-L7664, it seems the taint is spread to the instruction by a simple union.I realize this may be a deliberate choice, and if so then so be it. But I was hoping to understand the reasoning.