Open
Description
When using ARCH.X86_64, attempting to simplify an AST with LLVM causes a segmentation fault during processing of ROL/ROR instructions that operate on 32-bit registers.
Minimal Reproduction:
from triton import TritonContext, Instruction, ARCH
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.symbolizeRegister(ctx.registers.rcx, 'sym_rcx')
# ror ecx, 8
inst = Instruction(b"\xC1\xC9\x08")
ctx.processing(inst)
print(inst)
sym_reg = ctx.getSymbolicRegister(ctx.registers.rcx)
ast = ctx.getAstContext()
expr = ast.unroll(sym_reg.getAst())
print(f"AST before simplification: {expr}")
# Attempting to simplify w/ LLVM simplification causes a segfault:
simplified_llvm = ctx.simplify(expr, llvm=True)
print(f"Simplified (LLVM): {simplified_llvm}")Output:
❯ python crash.py
0x0: ror ecx, 8
AST before simplification: ((_ zero_extend 32) ((_ rotate_right 8) ((_ extract 31 0) sym_rcx )))
[1] 65127 segmentation fault (core dumped) python crash.py
The following is a list of symbolized registers + instruction sets I have tested this with:
| Symbolized Reg | Instruction | Bytes | Arch | Status |
|---|---|---|---|---|
| RCX | ROR RCX, 8 | 48 C1 C9 08 | x86_64 | OK |
| RCX | ROR ECX, 8 | C1 C9 08 | x86_64 | Crash |
| ECX | ROR ECX, 8 | C1 C9 08 | x86_64 | Crash |
| CX | ROR ECX, 8 | C1 C9 08 | x86_64 | Crash |
| ECX | ROR ECX, 8 | C1 C9 08 | x86 | OK |
| CX | ROR ECX, 8 | C1 C9 08 | x86 | OK |
| RCX | ROL RCX, 8 | 48 C1 C1 08 | x86_64 | OK |
| RCX | ROL ECX, 8 | C1 C1 08 | x86_64 | Crash |
| ECX | ROL ECX, 8 | C1 C1 08 | x86_64 | Crash |
| CX | ROL ECX, 8 | C1 C1 08 | x86_64 | OK |
| ECX | ROL ECX, 8 | C1 C1 08 | x86 | OK |
| CX | ROL ECX, 8 | C1 C1 08 | x86 | OK |
(I've only listed RCX/ECX/CX above, but I was also able to reproduce this segfault with RAX/EAX/AX)
Triton Version: 1.0.1597