Documentation for different paths

[P1kachu]

This might sound obvious, but there is no real section where each kind of path is at least defined. What is a ${type} path ? In which case is it useful ?
It can be interesting to clearly have an explanation on that, to avoid looking for example only at found path when your answer is in a deadended one.

I would have taken care of it myself if I wasn't one of the people that don't know what these types are :)

[ltfish]

A path goes to deadended when we cannot continue the execution for some reason, including no more valid instructions, the state becomes unsat, or invalid instruction pointer.

A path goes to found when the execution reaches a basic block which begins at the address that you specified with the find argument in PathGroup.explorer().

looking for example only at found path when your answer is in a deadended one

That means the path you are looking for never had a basic block that starts at the address that you specified. Note that PathGroup.explorer() only checks if the beginning of the basic block is one of the given addresses. If the address appears in the middle of a basic block, it won't be counted as found right now.

Saying that, we will change this behavior some time in the near future, so that you can put any address in the middle of the target basic block as the address to find. I believe this is way friendlier!

[P1kachu]

Well, I am very interested in your last ppoint! Is it tricky to change ?

[ltfish]

No, it should be very easy. In fact, it's already doing that in angr.surveyors.Explorer. We were just too lazy to implement it in PathGroup :-)

Give us a PR if you want to help! I'll appreciate that.

[P1kachu]

And about path, as zardus was saying earlier for example with the pruned path that are not worth keeping, it would still be interesting to have some documentation about that (I only know active, found, and now deadended :p)

[ltfish]

as zardus was saying earlier for example with the pruned path that are not worth keeping, it would still be interesting to have some documentation about that

Sorry, I didn't understand what you mean. Are you asking for documentation about what paths can be pruned?

[P1kachu]

Give us a PR if you want to help! I'll appreciate that.

Tell me where to look, and I'll give it a try !

Are you asking for documentation about what paths can be pruned?

No, I just say that it would be a good idea to have an array or something where each kind of path (pruned, errored, deadended, etc) is quickly described in the same fashion as you did in your previous message:

• Deadended: A path goes to deadended when we cannot continue the execution for some reason, including no more valid instructions, the state becomes unsat, or invalid instruction pointer.
• Found: A path goes to found when the execution reaches a basic block which begins at the address that you specified with the find argument
• Pruned: ...

This could be helpful in understanding how angr represents its analysis :)

[ltfish]

Sure thing. It will be put into angr-docs. Hopefully I'll have time for it tomorrow.

[ltfish]

Tell me where to look, and I'll give it a try !

See method Explorer.filter_path() in angr/surveyors/explorer.py. That's how Explorer does it.

You will need to modify how find and avoid is handled in PathGroup.explorer. Right now they are converted to lambdas by PathGroup._condition_to_lambda(), and then passed to stash(). You may want to replace them.

[P1kachu]

Nice thank you

Okay, I'll take a look at it !

[ltfish]

No problem! Waiting for your PR :-)

[P1kachu]

https://github.com/angr/angr-doc/blob/master/docs/paths.md#path-types

[zardus]

Thank you for these docs, @P1kachu!

I moved the path types discussion into pathgroups.md (as, other than errored, the only thing that influences the "type" of the path is what stash it's in in the pathgroup) and expanded on it. The result is here: https://github.com/angr/angr-doc/blob/master/docs/pathgroups.md#stash-types. What do you think? Is this what you were looking for for the rest of them?

[P1kachu]

Yep seems great !

It will be easier for new users to know what each kind of path means now.

On detail, there might be a missing parenthesis in the pruned sections. But else it's what I was looking for yes!

Thanks a lot @zardus !

[zardus]

Sweet!