angr / angr-targets

This repository contains the currently implemented angr concrete targets.

Critical Error:Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2 #32

Open jiliguluss opened 3 months ago

jiliguluss commented 3 months ago

Description

I have a binary named "example_new" and I want to analyze it using symbion. However, I encountered the following issue. To facilitate comparison, I wrote two functions with the same processing logic. When I used AvatarGDBConcreteTarget, the code that used to run successfully now throws an error: "Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2"

Here is my code:

import subprocess
import logging

import angr
import claripy
import avatar2
from angr_targets import AvatarGDBConcreteTarget

logging.getLogger('angr').setLevel(logging.INFO)

GDB_SERVER_IP = '127.0.0.1'
GDB_SERVER_PORT = 9999

start_addr = 0x40129c
end_addr = 0x4012eb

def explore_binary_without_symbion(binary_path, initial_input, from_address, to_address):
    p = angr.Project(binary_path, load_options={'auto_load_libs': False})
    entry_state = p.factory.entry_state(args=[initial_input])
    simgr = p.factory.simgr(entry_state)
    simgr.use_technique(angr.exploration_techniques.Explorer(find=from_address))
    simgr.run()
    print(f'found state: {simgr.found}')
    assert(simgr.found[0].addr == from_address)

def explore_binary_with_symbion(binary_path, initial_input, from_address, to_address):
    subprocess.Popen(f"gdbserver {GDB_SERVER_IP}:{GDB_SERVER_PORT} '{binary_path}'", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)
    p = angr.Project(binary_path, concrete_target=avatar_gdb, use_sim_procedures=True)

    entry_state = p.factory.entry_state(args=[initial_input])
    simgr = p.factory.simgr(entry_state)
    simgr.use_technique(angr.exploration_techniques.Symbion(find=[from_address]))
    simgr.run()
    print(f'found state: {simgr.found}')

if __name__ == '__main__':
    binary_path = 'example_new'
    initial_input = 'fix:234'
    explore_binary_without_symbion(binary_path, initial_input, start_addr, end_addr)
    explore_binary_with_symbion(binary_path, initial_input, start_addr, end_addr)

Here is the error:

2024-03-28 16:16:26,816 | angr.sim_manager.INFO | Stepping active of <SimulationManager with 1 active>
CRITICAL | 2024-03-28 16:16:27,092 | angr.engines.concrete | Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2
2024-03-28 16:16:27,092 | angr.engines.concrete.CRITICAL | Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2
Traceback (most recent call last):
  File "/home/Fuzz/angr/symbion_usage.py", line 106, in <module>
    explore_binary_with_symbion(binary_path, initial_input, entry_addr, main_addr)
  File "/home/Fuzz/angr/symbion_usage.py", line 38, in explore_binary_with_symbion
    simgr.run()
  File "/home/angr/lib/python3.8/site-packages/angr/sim_manager.py", line 360, in run
    self.step(stash=stash, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/symbion.py", line 54, in step
    return simgr.step(stash=stash, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 43, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 101, in __call__
    return self.func(*args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/sim_manager.py", line 469, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/symbion.py", line 58, in step_state
    ss = self.successors(
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/__init__.py", line 109, in successors
    return simgr.successors(state, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/sim_manager.py", line 560, in successors
    return self._project.factory.successors(state, **run_args)
  File "/home/angr/lib/python3.8/site-packages/angr/factory.py", line 78, in successors
    return engine.process(*args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/engines/concrete.py", line 53, in process_successors
    self.to_engine(new_state, extra_stop_points, memory_concretize, register_concretize, timeout)
  File "/home/angr/lib/python3.8/site-packages/angr/engines/concrete.py", line 151, in to_engine
    raise AngrError
angr.errors.AngrError

I am a beginner in angr and I referred to not_packed_elf64 to use symbion. The binary “example_new” requires external input from stdin, so I passed the args parameter in the code. However, I encountered the aforementioned error and I'm not sure what caused it or how to resolve it.

Steps to reproduce the bug

No response

Environment

Python: 3.8.10
Ubuntu: 20.04.6
GDB: 9.2
angr: 9.2.92

Additional context

No response
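The stop address in the report, 0x7ffff7eda1f2, lies in the 0x7ffff7... range where ld.so and libc are normally mapped when a process runs under gdb or gdbserver with address-space randomization disabled. The first thing to establish with a "Stopped at unexpected location" error is therefore which object the concrete process actually stopped in (the binary, a shared library, or unmapped memory) and at what file offset, so the spot can be disassembled. The resolver below is an added example, not code from the issue or from angr-targets: it parses text in the format of /proc/<pid>/maps (which is also what gdb's `info proc mappings` shows) and maps an address to its mapping and file offset. The sample memory map is constructed for illustration; the real layout has to be read from the concrete process, and knowing where it stopped does not by itself say why it stopped.

```python
import re
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Optional

# One /proc/<pid>/maps line:  start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample map (NOT the real layout of the issue's process): a small
# non-PIE binary at 0x400000 and libc/ld.so in the usual no-ASLR region.
SAMPLE_MAPS = """
00400000-00401000 r--p 00000000 08:01 1234 /home/user/example_new
00401000-00402000 r-xp 00001000 08:01 1234 /home/user/example_new
00402000-00403000 r--p 00002000 08:01 1234 /home/user/example_new
7ffff7dc5000-7ffff7dea000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7dea000-7ffff7f5f000 r-xp 00025000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7fc9000-7ffff7ffb000 r-xp 00001000 08:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int      # exclusive
    perms: str
    offset: int   # file offset that corresponds to `start`
    path: str     # "" for anonymous mappings


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into mappings sorted by start address."""
    maps: List[Mapping] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], int(m["offset"], 16), m["path"].strip()))
    maps.sort(key=lambda mp: mp.start)
    return maps


def resolve(maps: List[Mapping], addr: int) -> Optional[Dict[str, object]]:
    """Return the mapping that contains `addr` plus the matching file offset,
    or None when the address is not backed by any mapping."""
    starts = [mp.start for mp in maps]
    i = bisect_right(starts, addr) - 1   # last mapping whose start <= addr
    if i < 0:
        return None
    mp = maps[i]
    if addr >= mp.end:                   # falls into a gap between mappings
        return None
    return {
        "path": mp.path or "[anonymous]",
        "perms": mp.perms,
        "mapping_offset": addr - mp.start,
        "file_offset": mp.offset + (addr - mp.start),
    }


def describe(maps: List[Mapping], addr: int) -> str:
    """Human-readable one-liner for a stop address."""
    hit = resolve(maps, addr)
    if hit is None:
        return f"{addr:#x}: not mapped"
    return (f"{addr:#x}: {hit['path']} ({hit['perms']}) "
            f"file offset {hit['file_offset']:#x}")


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    # The address from the issue, and the find address from the posted script.
    for a in (0x7ffff7eda1f2, 0x40129c, 0x403000):
        print(describe(maps, a))
```

With a real map pasted into `SAMPLE_MAPS`, the reported file offset is what you would hand to a disassembler to see the instruction the concrete process stopped on; the sample map above is only there so the example runs offline.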

ltfish commented 3 months ago

Just as a friendly heads up: We are not actively maintaining the AvatarGDBConcreteTarget or Symbion as of now, so it may take a while for someone from the community to answer this issue.

jiliguluss commented 3 months ago

Just as a friendly heads up: We are not actively maintaining the AvatarGDBConcreteTarget or Symbion as of now, so it may take a while for someone from the community to answer this issue.

OK, thanks.