angr-management: Python crashes during CFG generation
I’ve got a current git checkout on my Ubuntu box. First, is there a recommended pypy3 version that has PySide2? Mine (python 3.5.2, PyPy 5.8.0-beta0) can’t find a version.
Anyway, even with CPython, angr-management crashes when I load a binary. I get a segfault after setting CFG options (no changes, left at default) for any binary:
(angrdev) steve@xubuntudev:~/code/angr-dev/angr-management$ ./start.py ~/code/a.out
WARNING | 2019-02-07 08:29:33,256 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2019-02-07 08:30:56,596 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2019-02-07 08:30:56,842 | angr.analyses.calling_convention | Please run variable recovery on <Function _init (0x4006a0)> before analyzing its calling conventions.
WARNING | 2019-02-07 08:30:56,843 | angr.analyses.calling_convention | Cannot determine calling convention.
WARNING | 2019-02-07 08:30:56,843 | angr.analyses.calling_convention | Please run variable recovery on <Function sub_4006c0 (0x4006c0)> before analyzing its calling conventions.
WARNING | 2019-02-07 08:30:56,843 | angr.analyses.calling_convention | Cannot determine calling convention.
Segmentation fault (core dumped)
While tinkering, I commented out app.exec() in __main__.py and I get this:
(angrdev) steve@xubuntudev:~/code/angr-dev/angr-management$ ./start.py ~/code/a.out
WARNING | 2019-02-07 07:37:42,871 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2019-02-07 07:37:44,258 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Exception in thread angr Management Worker Thread:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "/home/steve/code/angr-dev/angr-management/angrmanagement/data/instance.py", line 178, in _worker
result = job.run(self)
File "/home/steve/code/angr-dev/angr-management/angrmanagement/data/jobs/cfg_generation.py", line 41, in run
**self.cfg_args
File "/home/steve/code/angr-dev/angr/angr/analyses/analysis.py", line 109, in __call__
oself.__init__(*args, **kwargs)
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg.py", line 55, in __init__
CFGFast.__init__(self, **kwargs)
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1040, in __init__
self._analyze()
File "/home/steve/code/angr-dev/angr/angr/analyses/forward_analysis.py", line 552, in _analyze
self._analysis_core_baremetal()
File "/home/steve/code/angr-dev/angr/angr/analyses/forward_analysis.py", line 677, in _analysis_core_baremetal
self._process_job_and_get_successors(job_info)
File "/home/steve/code/angr-dev/angr/angr/analyses/forward_analysis.py", line 695, in _process_job_and_get_successors
successors = self._get_successors(job)
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1430, in _get_successors
jobs = self._scan_block(job)
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1684, in _scan_block
entries = self._scan_irsb(cfg_job, current_func_addr)
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1871, in _scan_irsb
stmt_idx
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1968, in _create_jobs
resolved_as_plt = self._resolve_plt(addr, irsb, ij)
File "/home/steve/code/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 2636, in _resolve_plt
simsucc = self.project.engines.default_engine.process(self._initial_state, irsb, force_addr=addr)
File "/home/steve/code/angr-dev/angr/angr/engines/vex/engine.py", line 142, in process
opt_level=opt_level)
File "/home/steve/code/angr-dev/angr/angr/engines/engine.py", line 35, in process
new_state = state.copy()
File "/home/steve/code/angr-dev/angr/angr/sim_state.py", line 449, in copy
mode=self.mode, os_name=self.os_name)
File "/home/steve/code/angr-dev/angr/angr/sim_state.py", line 89, in __init__
p.init_state()
File "/home/steve/code/angr-dev/angr/angr/state_plugins/history.py", line 63, in init_state
self.successor_ip = self.state._ip
File "/home/steve/code/angr-dev/angr/angr/sim_state.py", line 216, in _ip
return self.regs._ip
File "/home/steve/code/angr-dev/angr/angr/state_plugins/view.py", line 30, in __getattr__
return state.registers.load(k, inspect=inspect, disable_actions=disable_actions)
File "/home/steve/code/angr-dev/angr/angr/storage/memory.py", line 796, in load
r = r.reversed
File "/home/steve/code/angr-dev/claripy/claripy/operations.py", line 67, in _op
return return_type(name, fixed_args, **kwargs)
File "/home/steve/code/angr-dev/claripy/claripy/ast/base.py", line 152, in __new__
r = operations._handle_annotations(eb._abstract(eb.call(op, args)), args)
File "/home/steve/code/angr-dev/claripy/claripy/backends/backend_concrete.py", line 94, in _abstract
return BVV(e.value, e.size())
File "/home/steve/code/angr-dev/claripy/claripy/ast/bv.py", line 251, in BVV
try: return _bvv_cache[(value, size)]
NameError: name '_bvv_cache' is not defined
I can’t figure this out… the way the imports are written in claripy just confuses me so I’m not sure how this global var is undefined (or getting deleted?).
EDIT: I should point out that this happens for any and every binary.
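An added example, not part of the original issue or of angr-management: rather than commenting out app.exec() to coax a Python exception out of the worker thread, run the interpreter with CPython's built-in faulthandler so that a native segfault still dumps the Python stack of every thread before the process dies. The crashing program below is a constructed stand-in (a deliberate null dereference through ctypes inside a thread named after the worker thread in the issue), not the angr-management crash itself.

```python
"""Get a Python-level traceback out of a segfault with faulthandler.

Added example, not code from the issue or from angr/angr-management.
The child program is constructed for the demo: it dereferences address 0
via ctypes in a worker thread so the interpreter dies with SIGSEGV.
"""
import subprocess
import sys

# Constructed crashing program. The thread name mirrors the one in the
# issue's traceback so the faulthandler dump looks like the real case.
CRASHING_SNIPPET = (
    "import ctypes, threading\n"
    "def worker():\n"
    "    ctypes.string_at(0)  # null dereference -> segmentation fault\n"
    "t = threading.Thread(target=worker, name='angr Management Worker Thread')\n"
    "t.start(); t.join()\n"
)


def run_with_faulthandler(snippet: str, enable: bool) -> dict:
    """Run `snippet` in a child interpreter and report what came back.

    With enable=True the child is started with -X faulthandler, which makes
    CPython install a SIGSEGV/SIGBUS/SIGFPE handler that prints the Python
    stack of every thread ("most recent call first") to stderr before the
    process is killed. Without it, the child just dies and stderr is empty.
    """
    cmd = [sys.executable]
    if enable:
        cmd += ["-X", "faulthandler"]
    cmd += ["-c", snippet]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return {
        # negative on POSIX (killed by signal), a non-zero status on Windows
        "returncode": proc.returncode,
        "crashed": proc.returncode != 0,
        "has_python_traceback": "most recent call first" in proc.stderr,
        "stderr": proc.stderr,
    }


def frames_in_thread_dump(stderr: str) -> list:
    """Pull the 'File "...", line N in func' lines out of a faulthandler dump.

    faulthandler prints one block per thread; the faulting thread is labelled
    "Current thread", the others "Thread", each followed by its frames.
    """
    return [line.strip() for line in stderr.splitlines()
            if line.strip().startswith('File "')]


if __name__ == "__main__":
    result = run_with_faulthandler(CRASHING_SNIPPET, enable=True)
    print("exit status:", result["returncode"])
    for frame in frames_in_thread_dump(result["stderr"]):
        print(frame)
```

The same handler can be enabled for a real launch with `PYTHONFAULTHANDLER=1 ./start.py ~/code/a.out`, or by calling `faulthandler.enable()` early in the program's startup; the frames it prints name the Python function that was executing when the native code faulted, which is the first thing to look at before suspecting a refcount bug in a binding such as PySide2.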
About this issue
- State: closed
- Created 5 years ago
- Comments: 23 (23 by maintainers)
Commits related to this issue
- Pin to shiboken2 5.12.0 and PySide2 5.12.0. Handles #59. — committed to angr/angr-management by ltfish 5 years ago
Solution:
Looks to me like PySide2 5.12.1 has incorrect Python object reference counting somewhere. I will pin the PySide2 version in angr management for now.