Beispiel #1
def get_trace(state):
    """Return the recorded addresses on the path leading to *state*.

    Starts at the entry keyed by ``str(state)`` in the map returned by
    ``son_father_process.get_son_father()`` and follows the parent links.
    Each entry is read as ``(address, parent_key)``; the walk ends at the
    first falsy parent key. The result is ordered oldest ancestor first,
    with the address of *state* itself last.
    """
    parents = son_father_process.get_son_father()
    visited = []
    key = str(state)
    # NOTE(review): there is no cycle guard; a parent link that points back
    # into the chain would keep this loop running, and a missing key raises
    # KeyError.
    while key:
        entry = parents[key]
        visited.append(entry[0])
        key = entry[1]
    # Collected newest-first, so flip to get root-to-state order.
    visited.reverse()
    return visited
Beispiel #2
def get_last_block_addr(state):
    """Return the address recorded for the parent of *state*, or None.

    Looks up ``str(state)`` in the map returned by
    ``son_father_process.get_son_father()``, takes its parent key (second
    element of the entry) and returns the first element of the parent's
    entry. A falsy parent key means no parent is recorded, so None is
    returned.
    """
    parents = son_father_process.get_son_father()
    parent_key = parents[str(state)][1]
    return parents[parent_key][0] if parent_key else None
Beispiel #3
def detect_with_new_cons(state):
    """Step *state* once and return the successors that stay feasible.

    The state is stepped through ``proj2``; the per-address
    ``path_uninit_var`` table is refreshed, the entries along the trace to
    *state* are concatenated, and ``cons_transfer`` turns the constraints
    stored for *state* in ``block_cons`` into the set applied to every
    successor. Each successor is copied, registered in the parent map with
    *state* as its parent, given the new constraints, and kept only if its
    instruction pointer is concrete and the state is satisfiable.

    Returns a list of successor states (empty if the step failed).
    """
    global path_uninit_var, block_cons
    print '\n\n>>>>>>>>> Step, Add cons and Detect errors >>>>>>>>>'

    state_ip = state.se.any_int(state.ip)
    print 'state_ip:', hex(state_ip), state
    son_father_process.set_state(state)
    path = proj2.factory.path(state)
    path.step()
    if path.next_run is None:
        print 'Something wrong happen! Fail to step!'
        return []

    # Fall back to the unconstrained successors when there are no normal ones.
    candidates = (path.next_run.successors
                  or path.next_run.unconstrained_successors)
    first_succ = candidates[0] if candidates else None
    path_uninit_var = get_path_uninit_var(path_uninit_var, state_ip,
                                          first_succ, binary2)

    trace = get_trace(state)
    print 'trace:', [hex(i) for i in trace]
    # Concatenate the per-address entries along the trace.
    uninit_var_list = reduce(lambda x, y: x + y,
                             [path_uninit_var[i] for i in trace])

    new_cons = cons_transfer(block_cons[str(state)], uninit_var_list)
    satisfy_succ = []
    for candidate in candidates:
        child = candidate.copy()
        son_father = son_father_process.get_son_father()
        # Re-copy until str(child) is a key the parent map does not hold yet.
        # NOTE(review): this relies on str() differing between copies - confirm.
        while son_father.has_key(str(child)):
            child = child.copy()
        # NOTE(review): any_int() runs before the symbolic-ip check below, so
        # for a symbolic ip the address recorded here is just one solution.
        child_ip = child.se.any_int(child.ip)
        son_father_process.set_son_father(str(child), (child_ip, str(state)))
        block_cons[str(child)] = new_cons
        for con in new_cons:
            child.add_constraints(con)
        if child.se.symbolic(child.ip) or not child.satisfiable():
            continue
        satisfy_succ.append(child)
    return satisfy_succ
def detect_with_new_cons(state):
    """Step *state* once and return the successors that stay feasible.

    The state is stepped through ``proj2``, the per-address
    ``path_uninit_var`` table is refreshed, and ``cons_transfer`` builds the
    constraint set ``new_cons`` from the constraints stored for *state* in
    ``block_cons`` and the entries collected along the trace. For every
    successor, the constraints of a copy are rewritten so that variables
    whose name contains 'taint' are replaced by fresh symbols named after
    the text before that marker; feasibility is then checked against
    ``new_cons`` plus the rewritten constraints.

    Returns a list of successor states (empty if the step failed).
    """
    print '\n\n>>>>>>>>> Step, Add cons and Detect errors >>>>>>>>>'
    global path_uninit_var, block_cons

    state_ip = state.se.any_int(state.ip)
    print 'state_ip:', hex(state_ip), state
    son_father_process.set_state(state)
    p = proj2.factory.path(state)
    p.step()
    if p.next_run is None:
        print 'Something wrong happen! Fail to step!'
        return []
    succ_states = p.next_run.successors
    # Fall back to the unconstrained successors when there are no normal ones.
    if not succ_states:
        succ_states = p.next_run.unconstrained_successors
    if succ_states:
        succ = succ_states[0]
    else:
        succ = None
    # Only the first successor (or None) is handed to get_path_uninit_var.
    path_uninit_var = get_path_uninit_var(path_uninit_var, state_ip, succ,
                                          binary2)
    trace = get_trace(state)
    print 'trace:', [hex(i) for i in trace]
    # Concatenate the per-address entries along the trace.
    uninit_var_list = reduce(lambda x, y: x + y,
                             [path_uninit_var[i] for i in trace])
    print_uninit_var(uninit_var_list)

    new_cons = cons_transfer(block_cons[str(state)], uninit_var_list)
    satisfy_succ = []
    for s in succ_states:
        succ = s.copy()
        #print 'succ ip:',succ.ip
        son_father = son_father_process.get_son_father()
        # Re-copy until str(succ) is a key the parent map does not hold yet.
        # NOTE(review): this relies on str() differing between copies - confirm.
        while son_father.has_key(str(succ)):
            succ = succ.copy()
        # NOTE(review): any_int() runs before the symbolic-ip check below, so
        # for a symbolic ip the address recorded here is just one solution.
        succ_ip = succ.se.any_int(succ.ip)
        son_father_process.set_son_father(str(succ), (succ_ip, str(state)))
        block_cons[str(succ)] = new_cons
        #update name in constraints (to remove 'taint')
        # The rewrite works on a separate copy; succ itself is left untouched.
        new_succ_state = succ.copy()
        succ_cons = new_succ_state.se.constraints
        #print 'succ cons:',succ_cons
        rename_cons = []
        for con in succ_cons:
            rename_con = con
            # The iterable is evaluated once, so this walks the leaves of the
            # constraint as it was before any replacement below.
            for ast in rename_con.recursive_leaf_asts:
                if ast.symbolic:
                    # presumably a symbolic leaf carries exactly one variable
                    # name; verify, since element order of the set is not fixed
                    ast_name = list(ast.variables)[0]
                    if 'taint' in ast_name:
                        i = ast_name.index('taint')
                        # Keep the text before the marker, minus the one
                        # character right before it.
                        # NOTE(review): if the name starts with 'taint', i - 1
                        # is -1 and the slice keeps all but the last character.
                        new_ast = claripy.BVS(ast_name[:i - 1],
                                              ast.length,
                                              explicit_name=True)
                        rename_con = rename_con.replace(ast, new_ast)
            rename_cons.append(rename_con)
        #print 'succ rename cons:',rename_cons
        all_cons = new_cons + rename_cons
        #print 'all_cons:',all_cons
        # Feasibility is tested on the copy with all_cons passed as extra
        # constraints; nothing in this loop adds new_cons to succ, so the
        # returned state does not carry the constraints it was checked with.
        if not succ.se.symbolic(
                succ.ip) and new_succ_state.se.satisfiable(all_cons):
            #print 'satisfy succ:',succ.ip
            satisfy_succ.append(succ)
    return satisfy_succ