Closed msoos closed 10 years ago
The format is `Address Location | VEX-ID VEX-IRStmt | Runtime value(s) | Taint value(s) | Information flow`.

The VEX-ID, e.g. 0x15003 and 0x15008, are the IRExprTag/IRStmtTag values defined in VEX/pub/libvex_ir.h. The VEX-IRStmt tries to follow the output of the ppIRExpr() VEX pretty-printer. LD is short for Load, I64 is the 64-bit type and t0 is the address.

Runtime values usually refer to the value of the assigned variable, i.e. t7 of the assignment, and t11 of the load. The second runtime value in the load statement refers to t0. Ditto for the taint values.

The `<-` in the info flow refers to an explicit data dependency, `<*-` is taken to mean a control-flow dependency in the case of a load, and `<&-` in the case of a store, if that makes sense. This borrows from the dereference/reference operators in C.

The variables are appended with a second index so that it is in static single assignment (SSA) form. The reason being that the index '7' in 't7' is the SSA index in the VEX basic block, but when printed by taintgrind it is no longer unique.

Hope that helps.
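The five-field line layout and the three info-flow operators described in the reply above are enough to write a small parser for taintgrind's log and walk the SSA dependency chain back from a tainted temporary to its sources. The following is an added example, not code from the taintgrind project or from either participant: the field layout follows the reply, the sample log lines are constructed (the VEX-IDs 0x15003 and 0x15008 are taken from the reply; the store's 0x1500a, the locations, the runtime and taint values and the exact statement spellings are assumptions for illustration only).

```python
"""Parser for the five-field taintgrind log format described in the reply.

Added example, not taintgrind's own code. Field layout assumed from the reply:
  Address Location | VEX-ID VEX-IRStmt | Runtime value(s) | Taint value(s) | Information flow
The sample lines in SAMPLE_LOG are constructed, not captured from a real run.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Info-flow operators, as explained in the reply:
#   '<-'  explicit data dependency
#   '<*-' dependency through the address of a load
#   '<&-' dependency through the address of a store
DEP_KINDS = {"<-": "data", "<*-": "load-addr", "<&-": "store-addr"}
DEP_RE = re.compile(r"^(\S+)\s*(<\*-|<&-|<-)\s*(.*)$")


@dataclass
class TaintRecord:
    address: int
    location: str
    vex_id: int
    stmt: str
    values: List[int]   # first entry is the assigned variable's value; a load also carries its address
    taints: List[int]   # parallel to values; a non-zero entry means tainted bits
    sink: str           # SSA-renamed destination, e.g. 't11_1'
    dep_kind: str       # 'data', 'load-addr', 'store-addr' or 'none'
    sources: List[str]  # SSA-renamed variables the sink depends on


def parse_line(line: str) -> TaintRecord:
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 '|'-separated fields, got {len(fields)}: {line!r}")
    addr_loc, vex, values, taints, flow = fields
    addr_s, _, location = addr_loc.partition(" ")
    vex_id_s, _, stmt = vex.partition(" ")
    m = DEP_RE.match(flow)
    if m:
        sink, kind, srcs = m.group(1), DEP_KINDS[m.group(2)], m.group(3).split()
    else:
        sink, kind, srcs = flow, "none", []
    return TaintRecord(
        address=int(addr_s.rstrip(":"), 16),
        location=location,
        vex_id=int(vex_id_s, 16),
        stmt=stmt,
        values=[int(v, 16) for v in values.split()],
        taints=[int(t, 16) for t in taints.split()],
        sink=sink,
        dep_kind=kind,
        sources=srcs,
    )


def parse_log(text: str) -> List[TaintRecord]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_graph(records: List[TaintRecord]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each SSA sink to the (source, dependency-kind) edges flowing into it."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for r in records:
        graph.setdefault(r.sink, []).extend((s, r.dep_kind) for s in r.sources)
    return graph


def trace_sources(graph: Dict[str, List[Tuple[str, str]]], var: str) -> Set[str]:
    """Every SSA variable that `var` transitively depends on (data or address edges)."""
    seen: Set[str] = set()
    stack = [var]
    while stack:
        for src, _ in graph.get(stack.pop(), []):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


def tainted_sinks(records: List[TaintRecord]) -> List[str]:
    """Sinks whose assigned value (first taint entry) carries any taint bits."""
    return [r.sink for r in records if r.taints and r.taints[0] != 0]


# Constructed sample: a register read, a tainted load through that address,
# an arithmetic use of the loaded value, and a store back through the address.
SAMPLE_LOG = """\
0x8048516: main (test.c:9) | 0x15003 t0 = GET:I64(24) | 0x7ffd1234 | 0x0 | t0_1 <- r24_0
0x8048516: main (test.c:9) | 0x15008 t11 = LD:I64(t0) | 0x41 0x7ffd1234 | 0xff 0x0 | t11_1 <*- t0_1
0x804851a: main (test.c:10) | 0x15003 t7 = Add32(t11,0x1) | 0x42 | 0xff | t7_1 <- t11_1
0x8048520: main (test.c:11) | 0x1500a ST(t0) = t7 | 0x42 0x7ffd1234 | 0xff 0x0 | t7_1 <&- t0_1
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    g = build_graph(recs)
    for sink in sorted(set(tainted_sinks(recs))):
        print(f"{sink} is tainted; depends on {sorted(trace_sources(g, sink))}")
```

Because the second SSA index makes every `tN_k` unique across the whole trace, the dependency graph can be keyed directly on those names; without it, `t7` from two different basic blocks would collide, which is exactly the problem the extra index solves.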
Added %02 specifier acf42bbd58
Thanks a lot! Will put it up on the wiki!
A friend and I are trying to understand the output of taintgrind, but are having trouble. Could you please tell us what every part of the line

means? I promise to update the GitHub wiki to describe it in detail once I have understood it from your description.

Another line:

Here I see the `<*-` -- what does the `*` mean?

Another question: how does the original tainted data appear? `t0`?

By the way, there is also a small bug: if we are tainting one byte, we are getting:

where the data is only `0x89`, but it's printed as a 4B value.

Thanks for the description in advance!