lifting-bits / mcsema

Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode
https://www.trailofbits.com/expertise/mcsema
GNU Affero General Public License v3.0

mcsema lift coredump #573

Open weiwang999 opened 5 years ago

weiwang999 commented 5 years ago

E0603 10:18:40.501271 10559 Segment.cpp:329] Marking seg_aaaa0eh_frame as non-constant to support lazy initialization of reference to from abd34
E0603 10:18:40.757510 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.037268 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:41.037292 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aa20 as a tail call to __remill_error
E0603 10:18:41.182607 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.188215 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.200165 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.242596 10559 Function.cpp:347] Cannot find target of instruction at 7f286; the static target 7f28c is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:41.242616 10559 Function.cpp:370] Adding missing block 7f28c in function sub_7f270 as a tail call to __remill_error
E0603 10:18:41.257491 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:41.257513 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aaf1 as a tail call to __remill_error
E0603 10:18:41.264683 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.343610 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.538715 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:41.676018 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:42.014658 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:42.046795 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.046852 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aabb as a tail call to __remill_error
E0603 10:18:42.052867 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.052899 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aaa2 as a tail call to __remill_error
E0603 10:18:42.071609 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.071631 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aa89 as a tail call to __remill_error
E0603 10:18:42.232666 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.232695 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4ab11 as a tail call to __remill_error
E0603 10:18:42.268738 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.268765 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aad4 as a tail call to __remill_error
E0603 10:18:42.466814 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:42.601541 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:42.647845 10559 Function.cpp:347] Cannot find target of instruction at 7a9b8; the static target 7a9be is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.647859 10559 Function.cpp:370] Adding missing block 7a9be in function sub_7a5c0 as a tail call to __remill_error
E0603 10:18:42.725867 10559 Function.cpp:347] Cannot find target of instruction at 1b5f5; the static target 1b5f7 is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:42.725885 10559 Function.cpp:370] Adding missing block 1b5f7 in function sub_1b650 as a tail call to __remill_error
E0603 10:18:42.730551 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:42.785447 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:43.047399 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:43.067100 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:43.067121 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4a9d9 as a tail call to __remill_error
E0603 10:18:43.130329 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:43.282378 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:43.282395 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4aa70 as a tail call to __remill_error
E0603 10:18:43.311010 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
E0603 10:18:43.430243 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:43.430258 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4a9fe as a tail call to __remill_error
E0603 10:18:43.641331 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:43.641345 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4ab85 as a tail call to __remill_error
E0603 10:18:43.719369 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:43.719389 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4abdd as a tail call to __remill_error
E0603 10:18:43.724370 10559 Function.cpp:347] Cannot find target of instruction at 4aa49; the static target 4aa4b is not associated with a lifted subroutine, and it does not have a known call target.
E0603 10:18:43.724381 10559 Function.cpp:370] Adding missing block 4aa4b in function sub_4ab65 as a tail call to __remill_error
E0603 10:18:43.781512 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 (BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) (READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))
F0603 10:19:21.555703 10559 Util.cpp:342] Error writing module to file nginx.bc: Instruction does not dominate all uses!
  %1900 = add nuw nsw i32 %1897, %1898
  %1899 = zext i32 %1900 to i64
*** Check failure stack trace: ***
    @           0x861abd  google::LogMessage::Fail()
    @           0x863fb4  google::LogMessage::SendToLog()
    @           0x86153b  google::LogMessage::Flush()
    @           0x864bd9  google::LogMessageFatal::~LogMessageFatal()
    @           0x923dfd  remill::StoreModuleToFile()
ntest.sh: line 105: 10559 Aborted (core dumped) mcsema-lift-3.7 --os linux --arch ${ARCH} --cfg "$1".cfg --output "$1".bc --explicit_args

Aiethel commented 5 years ago

Hi,

The original input (the CFG file and ideally the binary as well, if possible) will help discover the origin of the error.

As can be seen from:

E0603 10:18:43.781512 10559 Lifter.cpp:123] Missing semantics for instruction (AMD64 215fc 8 
(BYTES 66 0f 57 05 9c 90 07 00) XORPD_XMMxuq_MEMxuq (WRITE_OP (REG_128 XMM0)) 
(READ_OP (REG_128 XMM0)) (READ_OP (DWORD_PTR (ADD (REG_64 PC) (SIGNED_IMM_64 0x790a4)))))

XORPD_XMMxuq_MEMxuq (and maybe others I missed in the log) does not have a semantic function defined in remill. That will most likely result in incorrect behaviour of the lifted program in case the control flow hits the instruction; otherwise, it should be ok. The solution is to implement the missing semantic function in remill.

As for the "Instruction does not dominate all uses" error, I am not sure why it happens; the original input may help. You can also try not running any optimization with -disable_optimizer true and see if the error is introduced by some optimization pass.

The rest of the errors probably do not matter in this case, as they are related to the state of the CFG file.
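To make the "missing semantics" line concrete, here is an added example (written for this page, not remill or mcsema code) that decodes the exact bytes from the log, recovers the RIP-relative memory operand, and models what the XORPD_XMMxuq_MEMxuq semantic function has to compute. The instruction address (0x215fc), length (8) and bytes are taken from the log; the contents of xmm0 and of the 16 bytes at the operand address are constructed inputs. One detail the log itself shows: the encoded disp32 is 0x7909c, while remill prints SIGNED_IMM_64 0x790a4, i.e. disp32 plus the instruction length, because remill's PC operand is the start of the instruction rather than the hardware's next-instruction address. The example reproduces that arithmetic.

```c
/* Added example (not remill or mcsema code): decode the instruction that the
 * lifter reported as missing semantics, recover its RIP-relative operand, and
 * model what XORPD xmm0, m128 does over a toy machine state. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t lane[2]; } v128;   /* xmm as two unsigned quadwords */

typedef struct {
    int      ok;          /* 1 if the bytes decoded as expected */
    size_t   insn_len;    /* bytes consumed */
    int32_t  disp;        /* raw disp32 from the encoding */
    int64_t  remill_disp; /* displacement as remill prints it: disp32 + length */
    uint64_t ea;          /* effective address of the memory operand */
    v128     xmm0;        /* register after the instruction */
} xorpd_trace;

/* Decode "66 0F 57 /r" with ModRM mod=00, rm=101 (RIP-relative disp32).
 * Only this one form is handled; anything else returns 0. */
static size_t decode_xorpd_riprel(const uint8_t *b, size_t n, int32_t *disp, unsigned *reg) {
    if (n < 8 || b[0] != 0x66 || b[1] != 0x0f || b[2] != 0x57) return 0;
    uint8_t modrm = b[3];
    if ((modrm >> 6) != 0 || (modrm & 7) != 5) return 0;
    *reg = (modrm >> 3) & 7;
    uint32_t raw = (uint32_t)b[4] | ((uint32_t)b[5] << 8) |
                   ((uint32_t)b[6] << 16) | ((uint32_t)b[7] << 24);
    memcpy(disp, &raw, sizeof *disp);       /* reinterpret as signed */
    return 8;
}

/* Hardware: EA = address of the next instruction + disp32. remill's IR
 * instead adds to PC = start of the instruction, so the displacement it
 * prints is disp32 + instruction length (the log shows 0x790a4 = 0x7909c + 8). */
static uint64_t riprel_ea(uint64_t insn_addr, size_t insn_len, int32_t disp) {
    return insn_addr + insn_len + (uint64_t)(int64_t)disp;
}

/* The semantic function itself: XORPD dst, src1, m128 is a lane-wise XOR.
 * Written plainly here; in remill it would be a DEF_SEM template bound to the
 * XORPD_XMMxuq_MEMxuq iform, which is the piece the log says is absent. */
static v128 sem_xorpd(v128 src1, const uint8_t mem_operand[16]) {
    v128 src2, out;
    memcpy(&src2, mem_operand, sizeof src2);
    out.lane[0] = src1.lane[0] ^ src2.lane[0];
    out.lane[1] = src1.lane[1] ^ src2.lane[1];
    return out;
}

/* Drive the exact instruction from the issue (address 0x215fc, bytes from the
 * log) against constructed inputs: xmm0 holds the double 1.0 and the memory
 * operand holds the sign-flip mask compilers commonly use for negation. */
static xorpd_trace run_log_instruction(void) {
    static const uint8_t insn[8] = {0x66, 0x0f, 0x57, 0x05, 0x9c, 0x90, 0x07, 0x00};
    const uint64_t insn_addr = 0x215fc;
    xorpd_trace t;
    memset(&t, 0, sizeof t);
    unsigned reg = 0;
    t.insn_len = decode_xorpd_riprel(insn, sizeof insn, &t.disp, &reg);
    if (t.insn_len == 0 || reg != 0) return t;   /* reg field 0 = xmm0, as in the log */
    t.remill_disp = (int64_t)t.disp + (int64_t)t.insn_len;
    t.ea = riprel_ea(insn_addr, t.insn_len, t.disp);

    uint8_t mem[16];                                   /* constructed m128 at t.ea */
    const v128 sign_mask = {{0x8000000000000000ull, 0x8000000000000000ull}};
    memcpy(mem, &sign_mask, sizeof mem);
    const v128 xmm0_before = {{0x3ff0000000000000ull, 0}}; /* low lane = 1.0 */
    t.xmm0 = sem_xorpd(xmm0_before, mem);
    t.ok = 1;
    return t;
}

int main(void) {
    xorpd_trace t = run_log_instruction();
    printf("decoded=%d len=%zu disp32=0x%x remill_disp=0x%llx ea=0x%llx\n",
           t.ok, t.insn_len, (unsigned)t.disp,
           (unsigned long long)t.remill_disp, (unsigned long long)t.ea);
    printf("xmm0 after: lo=0x%016llx hi=0x%016llx\n",
           (unsigned long long)t.xmm0.lane[0], (unsigned long long)t.xmm0.lane[1]);
    return t.ok ? 0 : 1;
}
```

With the constructed inputs the low lane flips from 0x3ff0000000000000 (1.0) to 0xbff0000000000000 (-1.0), which is the usual reason compilers emit this instruction; the effective address works out to 0x9a6a0 either way the displacement is expressed. The point for the issue is that the semantic function is small and mechanical; what is missing in remill is only the binding of this iform to it, and until that exists, any lifted path that reaches 0x215fc leaves xmm0 unchanged where the original program negated it.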

pgoodman commented 5 years ago

The "Instruction does not dominate all uses" error is likely a known bug in the dse pass when it's being extra aggressive. More recent builds disable the aggressive behavior, and I think there may be a patch for it.