dfsan_label problem

[p0l42]

Hello, I've tried to dump dfsan_label when tracing to see it's 0 or not. I've modified the code __taint_trace_cmp@fastgen as follows:

__taint_trace_cmp(dfsan_label op1, dfsan_label op2, uint32_t size, uint32_t predicate,
                  uint64_t c1, uint64_t c2, uint32_t cid) {
  printf("op1: %d\top2: %d\n", op1, op2);
  if ((op1 == 0 && op2 == 0))
...

Also, I modified code in taint pass to see whether getShadow return a zero shadow when instrumenting switchinst. It seems it's not zero shadow. However, when I run the instrumented prog, the result show all of labels are 0, I don't know what happen, should I set some envs else? (I've set KO_USE_FASTGEN=1)

$ ./1 1.txt
op1: 0  op2: 0
op1: 0  op2: 0
op1: 0  op2: 0
op1: 0  op2: 0

I've post my test file here, looking forward to your reply, thanks. 1.zip

[mingjun97]

Could you provide an instrumented LLVM-IR?

/path/to/ko-clang [... other args] -S -emit-llvm -o 1.ll

[ChengyuSong]

SymSan does not automatically symbolize everything. If you want to symbolize bytes read from 1.txt, you need to tell SymSayn:

TAINT_OPTIONS="taint_file=1.txt" ./1 1.txt

[p0l42]

Thanks a lot! It works!