WrTmp object has no attribute 'guard' #41

Open
Mic92 opened this issue Nov 28, 2018 · 15 comments

Contributor

Mic92 commented Nov 28, 2018

tcpdump-142-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'
tcpdump-146-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'
tcpdump-180-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'
tcpdump-158-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'

Sorry, no stacktrace yet.

Collaborator

Airtnp commented Nov 28, 2018

angr vex error, no idea now

Contributor Author

Mic92 commented Nov 28, 2018

Is this some compatibility issue?

Collaborator

Airtnp commented Nov 28, 2018

I would say it's an angr internal bug/feature, as my first impression

Collaborator

Airtnp commented Nov 28, 2018

I actually cannot replay it due to limited memory... Can you give me the stacktrace?

Collaborator

Airtnp commented Nov 29, 2018

Hmmm, not an easy-to-solve problem. Open an issue at the angr repo.
I can have a temporary fix and make a less-accurate CFG for now.

Collaborator

Airtnp commented Nov 29, 2018

hase-project/angr@767777a
This might be a fix, the consequence is not well-considered.

Contributor Author

Mic92 commented Nov 30, 2018

I have not tried your workaround yet, but this is the stacktrace:

hase replay recordings/tcpdump-142-a9e4211.tar.gz failed
Traceback (most recent call last):
  File "./replay.py", line 54, in process_trace
    except Exception as e:
  File "/local/incoop/hase/hase/__init__.py", line 14, in main
    return args.func(args)
  File "/local/incoop/hase/hase/cli.py", line 56, in lazy_import_replay_command
    return replay_command(args)
  File "/local/incoop/hase/hase/replay.py", line 136, in replay_command
    with replay_trace(args.report) as rt:
  File "/local/incoop/hase/hase/replay.py", line 109, in __enter__
    self.tracer = create_tracer(self.report, self.tempdir)
  File "/local/incoop/hase/hase/replay.py", line 99, in create_tracer
    return Tracer(executable, trace, coredump, loader.load_options(), name=report)
  File "/local/incoop/hase/hase/symbex/tracer.py", line 97, in __init__
    self.elf.statically_linked,
  File "/local/incoop/hase/hase/symbex/filter.py", line 167, in __init__
    super().__init__(project, trace, hooked_symbol, gdb, omitted_section)
  File "/local/incoop/hase/hase/symbex/filter.py", line 53, in __init__
    self.main_cfg = self.project.analyses.CFGFast(show_progressbar=True)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/analysis.py", line 108, in __call__
    oself.__init__(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/cfg/cfg_fast.py", line 1013, in __init__
    self._analyze()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/forward_analysis.py", line 552, in _analyze
    self._analysis_core_baremetal()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/forward_analysis.py", line 653, in _analysis_core_baremetal
    self._job_queue_empty()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/cfg/cfg_fast.py", line 1484, in _job_queue_empty
    self._process_unresolved_indirect_jumps()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/cfg/cfg_base.py", line 2171, in _process_unresolved_indirect_jumps
    all_targets |= self._process_one_indirect_jump(jump)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/cfg/cfg_base.py", line 2197, in _process_one_indirect_jump
    resolved, targets = resolver.resolve(self, jump.addr, jump.func_addr, block, jump.jumpkind)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/analyses/cfg/indirect_jump_resolvers/jumptable.py", line 70, in resolve
    max_level=3, base_state=self.base_state)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/blade.py", line 62, in __init__
    self._backward_slice()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/blade.py", line 275, in _backward_slice
    data.get('stmt_idx', None)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/blade.py", line 297, in _backward_slice_recursive
    if type(exit_stmt.guard) is pyvex.IRExpr.RdTmp:
AttributeError: 'WrTmp' object has no attribute 'guard'

Collaborator

Airtnp commented Dec 10, 2018

Should be fixed in hase-project/angr#4
Need to update archinfo to the latest version

Contributor Author

Mic92 commented Dec 11, 2018

Unfortunately the latest rebasing also brought the following error:

$ hase replay recordings/coreutils-6.10-paste.tar.gz
ERROR   | 2018-12-11 13:40:03,361 | hase.symbex.procedures.file_operation | <claripy.backends.backend_concrete.BackendConcrete object at 0x7f893bd587b8> can't handle operation __eq__ (Bool) due to a failed conversion on a child node
Traceback (most recent call last):
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontends/light_frontend.py", line 40, in eval
    return tuple(self._solver_backend.eval(e, n))
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/__init__.py", line 492, in eval
    self.convert(expr), n, extra_constraints=self.convert_list(extra_constraints),
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/__init__.py", line 154, in convert
    converted = self._convert(ast)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/backend_concrete.py", line 87, in _convert
    raise BackendError("can't handle AST of type %s" % type(a))
claripy.errors.BackendError: can't handle AST of type <class 'str'>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 85, in wrapped_f
    return f(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 484, in _eval
    return self._solver.eval(e, n, extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontend_mixins/concrete_handler_mixin.py", line 7, in eval
    return super(ConcreteHandlerMixin, self).eval(e, n, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontend_mixins/constraint_filter_mixin.py", line 40, in eval
    return super(ConstraintFilterMixin, self).eval(e, n, extra_constraints=ec, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontends/light_frontend.py", line 42, in eval
    raise ClaripyFrontendError("Light solver can't handle this eval().")
claripy.errors.ClaripyFrontendError: Light solver can't handle this eval().

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/posix.py", line 350, in get_fd
    fd = self.state.solver.eval_one(fd)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 724, in eval_one
    return self.eval_exact(e, 1, **{k: v for (k, v) in kwargs.items() if k != 'default'})[0]
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 775, in eval_exact
    r = self.eval_upto(e, n + 1, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 692, in eval_upto
    cast_vals = [self._cast_to(e, v, cast_to) for v in self._eval(e, n, **kwargs)]
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 152, in concrete_shortcut_tuple
    return f(self, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/sim_action_object.py", line 55, in ast_stripper
    return f(*new_args, **new_kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 89, in wrapped_f
    raise SimSolverModeError("Claripy threw an error") from e
angr.errors.SimSolverModeError: Claripy threw an error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/__init__.py", line 333, in is_false
    return self._false_cache[e.cache_key]
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/weakref.py", line 394, in __getitem__
    return self.data[ref(key)]
KeyError: <weakref at 0x7f892e2caae8; to 'ASTCacheKey' at 0x7f890c38f668>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/procedures/file_operation.py", line 53, in run
    ret_expr = self.inline_call(fputc, ch, file_ptr).ret_expr
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/sim_procedure.py", line 289, in inline_call
    return p.execute(self.state, None, arguments=e_args)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/procedures/libc/fputc.py", line 15, in run
    simfd = self.state.posix.get_fd(fileno)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/posix.py", line 355, in get_fd
    if not self.state.solver.satisfiable():
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/sim_action_object.py", line 55, in ast_stripper
    return f(*new_args, **new_kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 85, in wrapped_f
    return f(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 625, in satisfiable
    return self._solver.satisfiable(extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontend_mixins/constraint_filter_mixin.py", line 34, in satisfiable
    return super(ConstraintFilterMixin, self).satisfiable(extra_constraints=ec, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontends/light_frontend.py", line 85, in satisfiable
    reversed(self.constraints + list(extra_constraints))
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/frontends/light_frontend.py", line 84, in <genexpr>
    self._solver_backend.is_false(c) for c in
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/backend_concrete.py", line 161, in is_false
    return super().is_false(e, extra_constraints=extra_constraints, solver=solver, model_callback=model_callback)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/__init__.py", line 335, in is_false
    f = self._is_false(self.convert(e), extra_constraints=extra_constraints, solver=solver, model_callback=model_callback)
  File "/local/incoop/hase/.direnv/python-3.6.7/lib/python3.6/site-packages/claripy/backends/__init__.py", line 160, in convert
    "conversion on a child node" % (self, ast.op, ast.__class__.__name__))
claripy.errors.BackendError: <claripy.backends.backend_concrete.BackendConcrete object at 0x7f893bd587b8> can't handle operation __eq__ (Bool) due to a failed conversion on a child node

Collaborator

Airtnp commented Dec 11, 2018

Again the angr CFG utilities are broken. Another issue then.
Actually the bug is present in angr-8.18.10.25
And I found my __underflow/__uflow calling is buggy (however, even for buggy code it should work)
After fixing it, the CFG will still be incorrect and cause an AssertionError on merging two CFG nodes (that's the new bug introduced by rebasing).

Contributor Author

Mic92 commented Dec 11, 2018

Can we slice our own CFG with the trace we have?

Collaborator

Airtnp commented Dec 11, 2018

The CFG is actually not used. It's just that Angr needs to analyze the CFG to get all function/symbol/address information in the binary and library. Without Angr's analysis on functions, I don't know how to get enough information for our filtering (gdb message passing is too slow).

Collaborator

Airtnp commented Dec 15, 2018

It says that the latest commit of angr master fixed this issue. But it also states that CFG generation is far slower here. If you accept it, can you do a new rebasing to the latest angr version?

Contributor Author

Mic92 commented Dec 16, 2018

Seems they have also optimized performance afterwards: https://github.com/angr/angr/commits/master


ltfish commented Feb 2, 2019

I think this bug has been fixed in angr master. Please ping me if you still see it happening in your project.

> But it also states that CFG generation is far slower here.

@Airtnp I do intend to optimize angr's CFG generation even more. Let me know if the speed is a problem for you right now.
