angr / angr

A powerful and user-friendly binary analysis platform!
http://angr.io
BSD 2-Clause "Simplified" License

[CFG] SimValueError: VEX temp variable (x) does not exist #310

Open tyb0807 opened 7 years ago

tyb0807 commented 7 years ago

Hello,

First of all, I'd like to wish you all a happy new year.

I am trying to understand how VFG works, so I want to test it on an ARM Thumb-2 binary. Here's the script:

    import angr

    # placeholder path: the ARM Thumb-2 binary under test
    p = angr.Project("path/to/thumb2_binary")

    cfg = p.analyses.CFG()
    function = p.kb.functions.function(name='main').addr

    vfg = p.analyses.VFG(cfg, start=function, context_sensitivity_level=2, interfunction_level=4)

I have to use CFGFast because CFGAccurate can't find the function, even though it is main(). And here's what I get:

WARNING | 2017-01-04 11:13:14,823 | simuvex.vex.irsb | <SimIRSB 0x102e9> hit an error while analyzing statement 38
Traceback (most recent call last):
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/irsb.py", line 102, in _handle_irsb
    self._handle_statements()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/irsb.py", line 237, in _handle_statements
    s_stmt = translate_stmt(self.irsb, stmt_idx, self.last_imark, self.state)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/statements/__init__.py", line 31, in translate_stmt
    s.process()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/statements/base.py", line 26, in process
    self._execute()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/statements/wrtmp.py", line 6, in _execute
    data = self._translate_expr(self.stmt.data)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/statements/base.py", line 36, in _translate_expr
    e = translate_expr(expr, self.imark, self.stmt_idx, self.state)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/__init__.py", line 14, in translate_expr
    e.process()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/base.py", line 38, in process
    self._execute()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/ite.py", line 5, in _execute
    cond = self._translate_expr(self._expr.cond)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/base.py", line 75, in _translate_expr
    e = translate_expr(expr, self.imark, self.stmt_idx, self.state)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/__init__.py", line 14, in translate_expr
    e.process()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/base.py", line 38, in process
    self._execute()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/vex/expressions/rdtmp.py", line 11, in _execute
    self.expr = self.state.scratch.tmp_expr(self._expr.tmp)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/simuvex/plugins/scratch.py", line 92, in tmp_expr
    'slicing.' % tmp
SimValueError: VEX temp variable 84 does not exist. This is usually the result of an incorrect slicing.
Traceback (most recent call last):
  File "test.py", line 642, in <module>
    vfg_test()
  File "test.py", line 45, in vfg_test
    cfg = p.analyses.CFG()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analysis.py", line 99, in make_analysis
    oself.__init__(*args, **kwargs)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analyses/cfg.py", line 56, in __init__
    CFGFast.__init__(self, **kwargs)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analyses/cfg_fast.py", line 679, in __init__
    self._analyze()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analyses/forward_analysis.py", line 219, in _analyze
    self._entry_list_empty()
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analyses/cfg_fast.py", line 1005, in _entry_list_empty
    jump_targets = list(set(self._process_indirect_jumps()))
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analyses/cfg_fast.py", line 2028, in _process_indirect_jumps
    resolvable, targets = self._resolve_jump_table_fast(jump.addr, jump.jumpkind)
  File "/users/cao/vusontuan/.virtualenvs/angr/lib/python2.7/site-packages/angr/analyses/cfg_fast.py", line 2259, in _resolve_jump_table_fast
    state = all_states[0] # Just take the first state
IndexError: list index out of range

I tried to test it on the same program compiled for x86, both CFGFast and CFGAccurate work. Can anyone tell me what I did wrong please?

Thanks in advance.
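The two tracebacks above chain together: the inner `SimValueError` ("VEX temp variable 84 does not exist ... usually the result of an incorrect slicing") is raised while evaluating a `RdTmp` inside an ITE condition, the slice-based jump-table resolver ends up with no states, and `_resolve_jump_table_fast` then does `all_states[0]` on an empty list. The following is an added example, not code from angr, simuvex or the reporter's script: a toy VEX-like IR with a backward slicer and a jump-table resolver that I constructed to reproduce that failure shape offline. `WrTmp`, `Exit`, `tmps_read_skipping_ite_cond`, `resolve_jump_table`, the block `BLOCK` and the table in `MEMORY` are all assumptions of this model; angr's real slicer, state handling and jump-table logic are not reproduced here.

```python
# Added example (not angr/simuvex code): a toy VEX-like IR, a backward slicer and a
# jump-table resolver, showing how an incomplete slice produces "VEX temp variable N
# does not exist" and how a resolver should report that instead of crashing.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Expression forms (assumed for this model): ('const', v) | ('index',) | ('tmp', n)
# | ('add', a, b) | ('shl', a, bits) | ('cmplt', a, b) | ('ite', cond, a, b) | ('load', addr)
MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class WrTmp:          # tN = <expr>
    tmp: int
    data: tuple


@dataclass(frozen=True)
class Exit:           # jump to <expr>
    target: tuple


class TempDoesNotExist(Exception):
    """Stands in for simuvex's SimValueError: a RdTmp whose WrTmp is not in the slice."""


def tmps_read(e: tuple) -> Set[int]:
    """Every temp an expression reads, including an ITE's condition."""
    if e[0] == 'tmp':
        return {e[1]}
    return set().union(*(tmps_read(p) for p in e[1:] if isinstance(p, tuple)))


def tmps_read_skipping_ite_cond(e: tuple) -> Set[int]:
    """Constructed bug: forgets that an ITE reads its condition, so the condition's
    defining WrTmp is sliced away (the RdTmp-under-ite shape of the traceback)."""
    if e[0] == 'ite':
        return tmps_read_skipping_ite_cond(e[2]) | tmps_read_skipping_ite_cond(e[3])
    if e[0] == 'tmp':
        return {e[1]}
    return set().union(*(tmps_read_skipping_ite_cond(p) for p in e[1:] if isinstance(p, tuple)))


def backward_slice(stmts: List[WrTmp], exit_stmt: Exit, reads=tmps_read) -> List[WrTmp]:
    """Keep only the WrTmps the exit target transitively depends on."""
    needed = set(reads(exit_stmt.target))
    kept = []
    for s in reversed(stmts):
        if s.tmp in needed:
            kept.append(s)
            needed |= reads(s.data)
    return kept[::-1]


def evaluate(e: tuple, tmps: Dict[int, int], memory: Dict[int, int], index: int) -> int:
    """Concrete evaluation with the table index fixed to `index`."""
    def ev(x):
        return evaluate(x, tmps, memory, index)
    k = e[0]
    if k == 'const':
        return e[1]
    if k == 'index':
        return index
    if k == 'tmp':
        if e[1] not in tmps:
            raise TempDoesNotExist(f"VEX temp variable {e[1]} does not exist")
        return tmps[e[1]]
    if k == 'add':
        return (ev(e[1]) + ev(e[2])) & MASK
    if k == 'shl':
        return (ev(e[1]) << e[2]) & MASK
    if k == 'cmplt':
        return int(ev(e[1]) < ev(e[2]))
    if k == 'ite':
        return ev(e[2]) if ev(e[1]) else ev(e[3])
    if k == 'load':
        return memory[ev(e[1])]       # KeyError once the index runs off the table
    raise ValueError(f"unknown expression kind {k}")


def resolve_jump_table(stmts, exit_stmt, memory, reads=tmps_read, max_entries=16) -> Tuple[bool, List[int]]:
    """Enumerate table indices over the slice. An incomplete slice makes the jump
    'unresolvable' (False, []) instead of an IndexError on an empty state list."""
    sl = backward_slice(stmts, exit_stmt, reads)
    targets: List[int] = []
    for i in range(max_entries):
        tmps: Dict[int, int] = {}
        try:
            for s in sl:
                tmps[s.tmp] = evaluate(s.data, tmps, memory, i)
            t = evaluate(exit_stmt.target, tmps, memory, i)
        except TempDoesNotExist:
            return False, []
        except KeyError:
            break
        if t not in targets:
            targets.append(t)
    return bool(targets), targets


# Constructed block: clamp the index to a 4-entry table, then load the 32-bit target.
TABLE_BASE = 0x2000
BLOCK = [
    WrTmp(1, ('const', TABLE_BASE)),
    WrTmp(2, ('index',)),
    WrTmp(3, ('cmplt', ('tmp', 2), ('const', 4))),
    WrTmp(4, ('ite', ('tmp', 3), ('tmp', 2), ('const', 0))),
    WrTmp(5, ('shl', ('tmp', 4), 2)),
    WrTmp(6, ('add', ('tmp', 1), ('tmp', 5))),
    WrTmp(7, ('load', ('tmp', 6))),
]
EXIT = Exit(('tmp', 7))
MEMORY = {TABLE_BASE + 4 * i: 0x10100 + 0x22 * i for i in range(4)}   # constructed table

if __name__ == '__main__':
    print(resolve_jump_table(BLOCK, EXIT, MEMORY))
    print(resolve_jump_table(BLOCK, EXIT, MEMORY, reads=tmps_read_skipping_ite_cond))
```

With the correct reader the slice keeps all seven statements and the resolver recovers the four table targets; with the reader that skips the ITE condition, `t3` is dropped from the slice, evaluating `t4` raises the "temp does not exist" error, and the resolver answers "unresolvable" rather than indexing into an empty result. That second path is the one a CFG recovery pass wants on untrusted input: an indirect jump it cannot resolve should become a gap in the graph, not an exception that aborts the whole analysis.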

rhelmot commented 7 years ago

You haven't done anything wrong, this is definitely a bug :)

rhelmot commented 7 years ago

Can you please attach the binary you are trying to analyze?

tyb0807 commented 7 years ago

Since I cannot attach binaries here, here is the link to download it. Sorry for the inconvenience. (Please copy and paste the links.)

frapik99 commented 7 years ago

Hi, I would mention that the same error happened to me using binaries taken from this GitHub repo: https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/arm. In the present case I cannot remember which one, but I think ar or nm. Once fixed I'm happy to verify it for you.

Thanks

frapik99 commented 7 years ago

Hi, I'm doing some testing on my ARM tablet so I'll put here my comments:

packmad commented 7 years ago

I have the same problem with this ARM binary (it's Android stuff)