Erroneous 'RangeNode' is emitted on enumeration
hbrodin opened this issue · comments
Compiling an instrumented version of the below program
#include <limits>
#include <iostream>
#include <unistd.h>
int main() {
int base = std::numeric_limits<int>::max() - 100;
char c1 = 0, c2 = 0;
read(0, &c1, sizeof(c1));
if ((c1 & 1) == 0)
{
printf("c1 is even %x\n", c1);
}
else
{
printf("c1 is odd %x\n", c1);
read(0, &c2, sizeof(c2));
if (c2 + base < base) {
printf( "c2 was to big for base! got %x", (c2 + base));
} else {
printf("Perfect! C: %x", c2);
}
}
return 0;
}
Yields the following node sequence, when iterating the resulting TDAG:
TDRangeNode: affects control flow False [0, 0]
TDSourceNode: affects control flow True idx 1 offset 0
TDSourceNode: affects control flow True idx 1 offset 1
using
tr = PolyTrackerTrace.load("tdagfile")
for n in tr.tdfile.nodes:
print(f"{n}")
I think the reason is that label zero is interpreted as a RangeNode when it should be omitted.
Is label 0 a result of the assignment
char c1 = 0, c2 = 0;
?
(Asking because I am not 100% sure, not because I know!!) would or could that be two labels? Sort of surprised that - if I am correct about what they refer to - they could count as a range node. Maybe because zeroed out together?
Label zero represents untainted data. The first real taint label is one. In decoding of the taint node section, there is a check if label 1
> label 2
, if so it is a UnionTaint
else it is a RangeTaint
. Except, there is one special case label1 == label2 == 0
. I'm working on a fix for this right now.