Closed Mambaboy closed 2 years ago
I haven't checked recently, but this has been heavily tested on CGC binaries and the count is correct there. I'm not sure if it's wrong on Linux binaries or if it's another problem.
I would suggest making a simple C file that uses an inline assembly syscall and checking whether it's wrong there or not.
The code in tracer looks like it should only increment bb_cnt once out of the two steps that angr will take for the system call.
```python
# (fragment of the step-counting logic in tracer; part of an if/elif chain)
# angr steps through the same basic block twice when a syscall
# occurs
elif current.addr == self.previous_addr or \
        self._p._simos.syscall_table.get_by_addr(self.previous_addr) is not None:
    pass
elif current.jumpkind.startswith("Ijk_Sys"):
    self.bb_cnt += 1
```
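The minimal test binary suggested above, as an added example (not code from the angr or driller projects): it issues a raw `write` syscall through inline assembly on x86-64 Linux, with a libc `syscall()` fallback elsewhere, so the only syscall-bearing block in the trace is the one inside `write_via_syscall`, which makes it easy to check whether the tracer's `bb_cnt` advances once or twice at that point.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Issue a 3-argument syscall directly with the x86-64 `syscall`
 * instruction (Linux ABI: number in rax, args in rdi/rsi/rdx;
 * the kernel clobbers rcx and r11).  On other platforms fall back
 * to the libc wrapper so the file still builds and runs. */
static long raw_syscall3(long nr, long a1, long a2, long a3) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                     : "rcx", "r11", "memory");
    return ret;   /* raw result: bytes written, or -errno on failure */
#else
    return syscall(nr, a1, a2, a3);
#endif
}

/* Write `len` bytes from `buf` to `fd` with a single raw syscall and
 * return what the kernel returned. */
long write_via_syscall(int fd, const char *buf, unsigned long len) {
    return raw_syscall3(SYS_write, (long)fd, (long)buf, (long)len);
}

int main(void) {
    /* constructed message; each call is one syscall in the trace */
    static const char msg[] = "syscall test\n";
    long n = write_via_syscall(1, msg, sizeof(msg) - 1);
    return n == (long)(sizeof(msg) - 1) ? 0 : 1;
}
```

Compile with `gcc -O0 -fno-pic -static -o sc_test sc_test.c` and run it under the tracer: the dynamic and symbolic traces should agree across the single syscall, and if they diverge here the problem is in the counting rule rather than in the `calloc` handling.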
This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

This issue has been closed due to inactivity.
Hello! I'm facing a problem when using driller, and wonder if you could give me some help! Thank you! I use the next_branch function in Tracer to find new paths. When facing the "calloc" function, which would not be simulated as a function summary in tracer because of "self.exclude_sim_procedures_list = ["malloc","free","calloc","realloc"]", it is very strange that the condition "current.jumpkind.startswith("Ijk_Sys")" would be True, and the statement "self.bb_cnt += 1" would be executed. Because of this, it makes bb_cnt point to the next basic block address in the dynamic trace, making the dynamic trace and the symbolic trace disagree.
In detail, some of the trace is as follows:
Thank you, very much!