Description
Constraints are lazily propagated and assigned to state during select statement processing, but operand constraints may not be propagated along the way.
e.g. r0, r1 original constraints are not included in final RichR constraint set
|
def _handle_binop_Add(self, expr): |
|
arg0, arg1 = expr.operands |
|
r0, r1 = self._expr_pair(arg0, arg1) |
|
compute = r0.data + r1.data if r0.data.size() == r1.data.size() else self.state.top(expr.bits) # type: ignore |
|
|
|
type_constraints = set() |
|
# create a new type variable and add constraints accordingly |
|
r0_typevar = r0.typevar if r0.typevar is not None else typevars.TypeVariable() |
|
|
|
typevar = None |
|
if r1.data.concrete: |
|
# addition with constants. create a derived type variable |
|
if isinstance(r0_typevar, typevars.TypeVariable): |
|
typevar = typevars.new_dtv(r0_typevar, label=typevars.AddN(r1.data.concrete_value)) |
|
elif r1.typevar is not None: |
|
typevar = typevars.TypeVariable() |
|
type_constraints.add(typevars.Add(r0_typevar, r1.typevar, typevar)) |
|
else: |
|
typevar = None |
|
|
|
return RichR(compute, typevar=typevar, type_constraints=type_constraints) |
Steps to reproduce the bug
N/A
Environment
angr @ fac1d22
Additional context
No response