Hi,
I suspect you ran into the under tainting problem. You may have
indirect dependency between the first and the second buffer. In the
following case, buf2 would contain only concrete data, although its
content depends on buf1. This dependency is encoded in path
constraints.
char *f(char *buf1) {
char *buf2 = malloc(...)
if (buf2[0]) {
buf2[0] = 1;
} else {
buf2[0] = 2;
}
return buf2;
}
You can have the opposite problem, where the output seems to be
derived from the input, when it is actually not. For example buf2[0] =
buf1[0] xor buf1[0]. Unless the symbolic execution engine is smart
enough to figure out that the result is always 0, it will build an
expression derived from the input.
These two issues are known as under and over tainting. Unfortunately,
I don't have an easy solution for that.
Vitaly
> --
> --
> You received this message because you are a member of the S2E Developer Forum.
> To post to this group, send email to
s2e...@googlegroups.com
> To unsubscribe from this group, send email to
s2e-dev+u...@googlegroups.com
> For more options, visit this group at
http://groups.google.com/group/s2e-dev
>
> ---
> You received this message because you are subscribed to the Google Groups "S2E Developer Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
s2e-dev+u...@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/s2e-dev/8ee51d05-0ee7-41d5-8fd2-112bce102914n%40googlegroups.com.