Open jnhols opened 1 year ago
All failed methods have a control flow where `__stack_chk_fail` will be called after `error(1,..)` in the cfg. This control flow is not correct, because with specific optimization levels (min binary; -O1, -Os), the compiler knows/accounts for the fact that `error(1,...)` will not return. Therefore `__stack_chk_fail` will not be called even if there is no assembly instruction between them.
Simple code + binary to reproduce:

```c
#include <stdio.h>
#include <error.h>   /* glibc error(): exits with `status` when status != 0 */

int main(int argc, char **argv)
{
    (void)argv;
    if (argc < 100) {
        argc = 252;  /* local write, so a canary check is emitted on this path */
    } else {
        /* status 1: the compiler treats this call as noreturn, so no
           canary check follows it in the generated code */
        error(1, 0, "Error %d", 1);
    }
    return 0;
}
```

Compiled with `gcc -O1 -fstack-protector-all` to force a stack canary. a.out.zip
Still a bninja upstream issue. The `outgoing_edges` for the basic block with error are still wrong.
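To make the control-flow problem above concrete, here is an added toy model (not dewolf or Binary Ninja code; the `Block`/`Instr` classes, the `NORETURN` set and the simplified `remove_stack_canary` pass are all hypothetical). It builds a constructed CFG of the reproducer the way a builder that ignores `noreturn` would emit it, with a fall-through edge from the `error(1, ...)` block into the `__stack_chk_fail` block, shows that a canary-removal pass then meets a predecessor that is not a canary compare and raises `RuntimeError`, and shows that dropping the outgoing edges of blocks ending in a noreturn call fixes the pass.

```python
from dataclasses import dataclass, field

# Callees that never return; error(status, ...) joins them only when status != 0.
NORETURN = {"exit", "abort", "__stack_chk_fail"}


@dataclass
class Instr:
    op: str              # "call", "cmp", "canary_cmp", "mov", "ret"
    target: str = ""     # callee name for "call"
    args: tuple = ()     # constant arguments where recovered (status for error())


@dataclass
class Block:
    name: str
    instrs: list
    successors: list = field(default_factory=list)


def is_noreturn_call(instr):
    """True if `instr` is a call the compiler treats as never returning."""
    if instr.op != "call":
        return False
    if instr.target in NORETURN:
        return True
    # glibc error(status, errnum, fmt, ...) calls exit(status) iff status != 0
    return instr.target == "error" and bool(instr.args) and instr.args[0] != 0


def fix_noreturn_edges(blocks):
    """Drop outgoing edges of blocks ending in a noreturn call; return names touched."""
    touched = []
    for b in blocks.values():
        if b.instrs and is_noreturn_call(b.instrs[-1]) and b.successors:
            b.successors = []
            touched.append(b.name)
    return touched


def remove_stack_canary(blocks):
    """Remove blocks that only call __stack_chk_fail. Every predecessor must end in
    a canary compare; any other predecessor means the CFG is inconsistent, and we
    raise, mirroring the crash reported in this issue."""
    fail_names = [n for n, b in blocks.items()
                  if len(b.instrs) == 1 and b.instrs[0].op == "call"
                  and b.instrs[0].target == "__stack_chk_fail"]
    for fail in fail_names:
        for b in blocks.values():
            if fail in b.successors:
                if b.instrs[-1].op != "canary_cmp":
                    raise RuntimeError(f"{b.name} -> {fail}: predecessor is not a canary check")
                b.successors.remove(fail)
                b.instrs.pop()  # the compare has one successor left: the branch is dead
        del blocks[fail]
    return fail_names


def build_sample_cfg():
    """Constructed CFG of the reproducer as a builder with the bug would emit it."""
    return {
        "entry": Block("entry", [Instr("cmp")], ["then", "else"]),
        "then":  Block("then",  [Instr("mov")], ["check"]),
        "check": Block("check", [Instr("canary_cmp")], ["ret", "fail"]),
        "ret":   Block("ret",   [Instr("ret")]),
        # error(1, ...) never returns, but the builder added a fall-through edge to
        # the __stack_chk_fail block that happens to follow it in the instruction stream
        "else":  Block("else",  [Instr("call", "error", (1, 0, "Error %d", 1))], ["fail"]),
        "fail":  Block("fail",  [Instr("call", "__stack_chk_fail")]),
    }


def demo():
    """Return (crash message on the buggy CFG, edges fixed, blocks removed, blocks left)."""
    buggy = build_sample_cfg()
    try:
        remove_stack_canary(buggy)
        crash = None
    except RuntimeError as e:
        crash = str(e)
    fixed = build_sample_cfg()
    touched = fix_noreturn_edges(fixed)
    removed = remove_stack_canary(fixed)
    return crash, touched, removed, sorted(fixed)


if __name__ == "__main__":
    print(demo())
```

The pass here is deliberately minimal: after the canary compare is popped, the `check` block is left empty rather than merged with its successor, and the only noreturn callee handled specially is `error`, whose exit behaviour depends on its first argument; a real CFG builder would take the `noreturn` attribute from the callee's signature instead.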
What happened?
The decompiler crashes with a `RuntimeError` in `remove_stack_canary` during preprocessing.
How to reproduce?
Decompile `size_opt` in `uniq` or `main` in one of the other samples given below.
remove_stack_canary_runtime_error.zip
Affected Binary Ninja Version(s)
3.2.3814