hase-project / hase Goto Github PK

Timeless debugging with symbolic execution and processor trace

License: BSD 2-Clause "Simplified" License

Python 90.82% C 4.19% Assembly 0.19% Nix 0.52% Makefile 0.11% C++ 2.87% Shell 1.30%

hase's Introduction

HASE

Hase provides record-replay debugging suitable for all-ways-on in-production recording. It leverages intel processor trace and core dumps that can be recorded with little overhead. On top of that data it performs symbolic execution to recover states prior to the crash.

System design figure

Workshop presentation on Klee Workshop 2018

INSTALL

Setup virtual environment with python3.6 or pypy6

$ python3 -m venv venv
$ . venv/bin/activate

or for pypy:

$ pypy3 -m venv venv
$ . venv/bin/activate

Get the Intel processor-trace decoder library
Install project into the virtual environment

Make sure you pip is version >= 18.1 and setuptools >= 38.3:

$ ./venv/bin/pip install "pip>=18.1" "setuptools>=38.3"

$ ./venv/bin/pip install -e .

Trouble Shooting: New version of make may break the installation of pyvex, consult this upstream commit to resolve the issue manually.

Additionally pyqt5 is required and cannot be installed via pip.

Install test dependencies

$ python3 -m pip install -e '.[test]'

Testing examples

The integration test needs root.

make -C tests
sudo nosetests tests/test_record.py

The other tests work without root: Note that the test traces are stored via git-lfs

nosetests tests/test_replay.py

Record crashes

$ sudo ./bin/hase record <some crash program> <args>

Example crash:

$ sudo ./bin/hase record ./tests/bin/loopy
$ ls -la /var/lib/hase
.rw-rw-rw- 244 root  9 May  3:22 coredump.log
.rw-r--r--   4 root  9 May  3:22 hase-record.pid
.rw-r--r-- 41M root  9 May  3:22 loopy-20180509T022227.tar.gz

No crash:

$ sudo ./bin/hase record -- ls -al

Benchmarks

Benchmarks require Pandas, which cannot be installed via pip3. Use https://pandas.pydata.org/pandas-docs/stable/install.html instead or install it using your system package manager.

Making changes

To avoid breaking mypy use the following steps:

Create a feature branch:

$ git checkout -b <branch-name> 
$ git push origin <branch-name>

Make a pull request by visiting https://github.com/hase-project/hase/pull/new/<branch-name> or use hub:

$ git pull-request

hase's People

Contributors

Stargazers

Watchers

Forkers

fuzzamos chubbymaggie manouchehri ufwt airtnp bet4it efeslab amesianx

hase's Issues

What is 'hase'?

Something about recording/processing crashed programs?

I'm dying to know! :). I can maybe guess from source and commits but since repo is public maybe a description is in order! :)

Also, are angr bits available in Nixpkgs?

Data constraints are not enabled due to rsp and rip mismatch

strstr passes None to solver.

Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/tracer.py", line 371, in execute
    state, num_inst=1  # , force_addr=addr
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hook.py", line 51, in process
    return self.project.factory.procedure_engine.process(state, procedure, force_addr=force_addr, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 31, in process
    force_addr=force_addr)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 65, in _process
    inst = procedure.execute(state, successors, ret_to=ret_to)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strstr.py", line 78, in run
    super().run(haystack_strlen, needle_addr, haystack_strlen, needle_strlen)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strstr.py", line 19, in run
    haystack_strlen = self.inline_call(strlen, haystack_addr) if haystack_strlen is None else haystack_strlen
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 289, in inline_call
    return p.execute(self.state, None, arguments=e_args)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strlen.py", line 81, in run
    return super().run(s, wchar)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strlen.py", line 56, in run
    r, c, i = self.state.memory.find(s, null_seq, search_len, max_symbolic_bytes=max_symbolic_bytes, step=step, chunk_size=chunk_size)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/storage/memory.py", line 869, in find
    step=step, disable_actions=disable_actions, inspect=inspect, chunk_size=chunk_size)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/symbolic_memory.py", line 592, in _find
    disable_actions=disable_actions, inspect=inspect)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/storage/memory.py", line 764, in load
    events=not disable_actions, ret_on_segv=ret_on_segv)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/symbolic_memory.py", line 531, in _load
    if self.state.solver.symbolic(dst) and options.AVOID_MULTIVALUED_READS in self.state.options:
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 814, in symbolic
    return e.symbolic
AttributeError: 'NoneType' object has no attribute 'symbolic'

Re-Implement recording single processes

hase should support recording single processes again

$ ./bin/hase record command arg1 arg2 arg3 ...

Replay Evaluation

For each trace

Completely replay in full trace
Reconstruct key variables for bug diagnosis
Variable constraints coverage
Stack constraints improvement

BugID - Type
https://gist.github.com/Mic92/495a2c3238a0c14e7ee348d7893a9a4c

BugID - Commit
https://docs.google.com/spreadsheets/u/1/d/1T2k2XsmJ4GE__PnfjaIGRHjlO7re8QiyNWTJYiW4sz8/edit?usp=sharing

w3m-27 trace misses valid sections (maybe library)

gdb ./w3m
b __interceptor___getdelim
r -T text/html -dump '../ID-27/crash.html'
bt

In my OS
#0 0x00007ffff6e98630 in __interceptor___getdelim () from /lib64/libasan.so.4
#1 0x00007ffff2e019ac in selinuxfs_exists () from /lib64/libselinux.so.1
#2 0x00007ffff2df9c28 in init_lib () from /lib64/libselinux.so.1
#3 0x00007ffff7dea903 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#4 0x00007ffff7ddc15a in _dl_start_user () from /lib64/ld-linux-x86-64.so.2

In hase, the section containing 0x00007ffff2e019ac is missing (not exactly this address, just the function calling __interceptor__getdelim)

I cannot have exact function frame in NixOS for #1

Multithreading issues?

Evaluate recording overhead of system calls

Either take a look at apache benchmark or redis benchmark
and measure what the overhead is, when perf records system calls:

$ perf record -g -e cycles -e raw_syscalls:*/call-graph=no/ \
                  -e sched:sched_switch/call-graph=no/ \
                  --switch-output --overwrite -a

https://lwn.net/Articles/694140/

hase: cannot return from a system call loopy

Currently fails to replay our integration test: https://github.com/hase-project/hase/blob/master/tests/test_record.py

look for jump: 0x4000e8 -> 0x4000ec
                  se The name state.se is deprecated; please use state.solver.
look for jump: 0x4000ec -> 0x4000f0
look for jump: 0x4000f0 -> 0x4000f2
look for jump: 0x4000f2 -> 0x4000f9
look for jump: 0x4000f9 -> 0x400100
look for jump: 0x400100 -> 0x400107
look for jump: 0x400107 -> 0x40010e
look for jump: 0x40010e -> 0x400110
[<SimState @ 0x300016b>] <SimState @ 0x300016b> <Instruction[ptic_other] @ 400110>
E
======================================================================
ERROR: Full integration test
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/joerg/git/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/nose/case.py", line 198, in runTest
    self.test(*self.arg)
  File "/mnt/data/joerg/hase/tests/test_record.py", line 82, in test_record_command
    states = main(["hase", "replay", str(archives[0])])
  File "/mnt/data/joerg/hase/hase/__init__.py", line 16, in main
    return args.func(args)
  File "/mnt/data/joerg/hase/hase/cli.py", line 59, in lazy_import_replay_command
    return replay_command(args)
  File "/mnt/data/joerg/hase/hase/replay.py", line 136, in replay_command
    return rt.run()
  File "/mnt/data/joerg/hase/hase/replay.py", line 102, in run
    return self.tracer.run()
  File "/mnt/data/joerg/hase/hase/symbex/tracer.py", line 932, in run
    old_simstate, new_simstate = self.execute(simstate, previous_instruction, instruction, cnt)
  File "/mnt/data/joerg/hase/hase/symbex/tracer.py", line 869, in execute
    raise HaseError("Unable to continue")
hase.errors.HaseError: Unable to continue

It fails at this instruction: 0x40010e -> 0x400110

which is the system call from

hase/tests/src/loopy/loopy.S

Line 22 in 49ef94b

syscall

hase/tests/src/loopy/loopy.S

Line 25 in 49ef94b

dec r8

The archive in question is attached:

loopy-20181109T183320.tar.gz

cc @Airtnp

WrTmp object has no attribute 'guard'

tcpdump-142-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'
tcpdump-146-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'
tcpdump-180-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'
tcpdump-158-a9e4211.tar.gz,failed,'WrTmp' object has no attribute 'guard'

Sorry no stacktrace yet.

Support partial trace

Exception: target of reg_concrete is symbolic!

hase replay recordings/file-6-b6e8437.tar.gz failed
Traceback (most recent call last):
  File "../bug-db/bin/bugdb-replay", line 49, in process_trace
    hase.main(["hase", "replay", trace])
  File "/local/incoop/hase/hase/__init__.py", line 14, in main
    return args.func(args)
  File "/local/incoop/hase/hase/cli.py", line 56, in lazy_import_replay_command
    return replay_command(args)
  File "/local/incoop/hase/hase/replay.py", line 140, in replay_command
    states.major_states[-1].simstate.reg_concrete("rsp")
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_state.py", line 593, in reg_concrete
    raise SimValueError("target of reg_concrete is symbolic!")

hase replay recordings/file-2-4a51454.tar.gz failed
Traceback (most recent call last):
  File "../bug-db/bin/bugdb-replay", line 49, in process_trace
    hase.main(["hase", "replay", trace])
  File "/local/incoop/hase/hase/__init__.py", line 14, in main
    return args.func(args)
  File "/local/incoop/hase/hase/cli.py", line 56, in lazy_import_replay_command
    return replay_command(args)
  File "/local/incoop/hase/hase/replay.py", line 140, in replay_command
    states.major_states[-1].simstate.reg_concrete("rsp")
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_state.py", line 593, in reg_concrete
    raise SimValueError("target of reg_concrete is symbolic!")

hase replay recordings/jasper-13-b702259.tar.gz failed
Traceback (most recent call last):
  File "../bug-db/bin/bugdb-replay", line 49, in process_trace
    hase.main(["hase", "replay", trace])
  File "/local/incoop/hase/hase/__init__.py", line 14, in main
    return args.func(args)
  File "/local/incoop/hase/hase/cli.py", line 56, in lazy_import_replay_command
    return replay_command(args)
  File "/local/incoop/hase/hase/replay.py", line 140, in replay_command
    states.major_states[-1].simstate.reg_concrete("rsp")
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_state.py", line 593, in reg_concrete
    raise SimValueError("target of reg_concrete is symbolic!")
angr.errors.SimValueError: target of reg_concrete is symbolic!

coreutils-7.2-sort.tar.gz trace seems not complete

The last call in the trace is create_temp_file->mkstemp->__gen_tempname
while the actual segfault should ends with main -> merge -> open_input_files -> open_temp -> wait_proc -> hash_lookup

SimZeroDivisionException: divide by zero!

ERROR   | 2018-11-29 19:27:51,615 | root | Error while finding successor for recordings/w3m-27-02ba3d6.tar.gz
Traceback (most recent call last):
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/irop.py", line 377, in calculate
    return self.extend_size(self._calculate(args))
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/irop.py", line 740, in _op_divmod
    quotient = (args[0] // claripy.ZeroExt(self._from_size - self._to_size, args[1]))
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/claripy/operations.py", line 73, in _op
    return return_type(name, fixed_args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/claripy/ast/base.py", line 131, in __new__
    r = operations._handle_annotations(eb._abstract(eb.call(op, args)), args)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/claripy/backends/__init__.py", line 207, in call
    obj = getattr(operator, op)(*converted)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/claripy/bv.py", line 40, in normalize_helper
    return f(self, o)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/claripy/bv.py", line 15, in compare_guard
    return f(self, o)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/claripy/bv.py", line 116, in __floordiv__
    raise ClaripyZeroDivisionError()
claripy.errors.ClaripyZeroDivisionError

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/tracer.py", line 385, in execute
    state, num_inst=1  # , force_addr=addr
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 135, in process
    opt_level=opt_level)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 185, in _process
    self._handle_irsb(state, successors, irsb, skip_stmts, last_stmt, whitelist)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 264, in _handle_irsb
    cont = self._handle_statement(state, successors, stmt)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 372, in _handle_statement
    s_stmt = translate_stmt(stmt, state)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/__init__.py", line 29, in translate_stmt
    s.process()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/base.py", line 37, in process
    self._execute()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/wrtmp.py", line 6, in _execute
    data = self._translate_expr(self.stmt.data)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/base.py", line 44, in _translate_expr
    e = translate_expr(expr, self.state)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/expressions/__init__.py", line 14, in translate_expr
    e.process()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/expressions/base.py", line 36, in process
    self._execute()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/expressions/op.py", line 15, in _execute
    self.expr = translate(self.state, self._expr.op, [ e.expr for e in exprs ])
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/irop.py", line 939, in translate
    return translate_inner(state, operations[op], s_args)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/irop.py", line 960, in translate_inner
    return irop.calculate(*s_args)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/irop.py", line 379, in calculate
    raise SimZeroDivisionException("divide by zero!") from e
angr.errors.SimZeroDivisionException: divide by zero!

Evaluation status

https://gist.github.com/Mic92/f633a06d361dbd972fabb7207cb47070

How about a closer collaboration?

I stumbled upon hase today when I was googling for an VEX IROp. This is a really cool project, and I like it (it actually killed one of my project ideas).

I wonder what the status of hase is, and what plan you have in mind for hase to move forward in the near future. We have some research projects that can really benefit from hase.

It seems that some angr updates broke hase in the past. One way to solve this problem gracefully is to add hase to angr CI, so we can make sure that new commits and PRs to master will not break hase (or at least, you will get a notification from us if we really have to break compatibility).

Also, it would be great if we can incorporate your "angr hacks" in your angr fork to angr master. Most of the code there looks legitimate to me.

Looking forward to your reply!

Some traces are not correctly decoded

sanity_check_order error:
Traceback (most recent call last):
File "./bin/hase", line 11, in
main()
File "/home/lrxiao/hase/hase/init.py", line 16, in main
return args.func(args)
File "/home/lrxiao/hase/hase/cli.py", line 59, in lazy_import_replay_command
return replay_command(args)
File "/home/lrxiao/hase/hase/replay.py", line 135, in replay_command
with replay_trace(args.report) as rt:
File "/home/lrxiao/hase/hase/replay.py", line 68, in enter
self.prepare_tracer()
File "/home/lrxiao/hase/hase/replay.py", line 85, in prepare_tracer
trace = decode_trace(manifest, coredump.mappings, str(vdso_x64), str(binaries))
File "/home/lrxiao/hase/hase/replay.py", line 55, in decode_trace
vdso_x64=vdso_x64,
File "/home/lrxiao/hase/hase/pt/decode.py", line 378, in decode
sanity_check_order(instructions)
File "/home/lrxiao/hase/hase/pt/decode.py", line 141, in sanity_check_order
assert return_ip == instruction.ip
AssertionError

cannot_add_shared_object error:
Traceback (most recent call last):
File "./bin/hase", line 11, in
main()
File "/home/lrxiao/hase/hase/init.py", line 16, in main
return args.func(args)
File "/home/lrxiao/hase/hase/cli.py", line 59, in lazy_import_replay_command
return replay_command(args)
File "/home/lrxiao/hase/hase/replay.py", line 135, in replay_command
with replay_trace(args.report) as rt:
File "/home/lrxiao/hase/hase/replay.py", line 68, in enter
self.prepare_tracer()
File "/home/lrxiao/hase/hase/replay.py", line 85, in prepare_tracer
trace = decode_trace(manifest, coredump.mappings, str(vdso_x64), str(binaries))
File "/home/lrxiao/hase/hase/replay.py", line 55, in decode_trace
vdso_x64=vdso_x64,
File "/home/lrxiao/hase/hase/pt/decode.py", line 368, in decode
shared_objects=shared_objects,
hase.errors.PtError: cannot add shared object /tmp/tmp1mi26bwk/binaries/run/nscd/dbbVEQzG (deleted) to instruction image: invalid argument

sanity_check_order: file-1, tcpdump-144
cannot_add_shared_object: tcpdump-72

Missing the last instruction

Check RIP and find that (if not hooked) the instruction pointer from core dump is always the next instruction after last instruction in recorded instructions.

mprotect cannot handle symbolic addresses

Traceback (most recent call last):
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/linux_kernel/mprotect.py", line 11, in run
addr = self.state.solver.eval_one(addr)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 721, in eval_one
return self.eval_exact(e, 1, **{k: v for (k, v) in kwargs.items() if k != 'default'})[0]
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 774, in eval_exact
raise SimValueError("Concretized %d values (must be exactly %d) in eval_exact" % (len(r), n))
angr.errors.SimValueError: Concretized 2 values (must be exactly 1) in eval_exact

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/local/incoop/hase/hase/symbex/tracer.py", line 371, in execute
state, num_inst=1 # , force_addr=addr
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
return self.project.engines.successors(*args, **kwargs)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
r = engine.process(state, **kwargs)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hook.py", line 51, in process
return self.project.factory.procedure_engine.process(state, procedure, force_addr=force_addr, **kwargs)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 31, in process
force_addr=force_addr)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
self._process(new_state, successors, *args, **kwargs)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 65, in _process
inst = procedure.execute(state, successors, ret_to=ret_to)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/linux_kernel/mprotect.py", line 13, in run
raise angr.errors.SimValueError("mprotect can't handle symbolic addr")
angr.errors.SimValueError: mprotect can't handle symbolic addr

sym_struct has no c_cls attribute

Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/tracer.py", line 371, in execute
    state, num_inst=1  # , force_addr=addr
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hook.py", line 51, in process
    return self.project.factory.procedure_engine.process(state, procedure, force_addr=force_addr, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 31, in process
    force_addr=force_addr)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 65, in _process
    inst = procedure.execute(state, successors, ret_to=ret_to)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/hase/symbex/procedures/syscall.py", line 315, in run
    stat_t(stat_buf).store_all(self)
  File "/local/incoop/hase/hase/symbex/procedures/sym_struct.py", line 95, in store_all
    for sym, _ in self.c_cls._fields_:
AttributeError: 'stat_t' object has no attribute 'c_cls'

Unsupported operation: Iop_MAddF64

ERROR   | 2018-11-28 23:40:25,281 | root | Error while finding successor for recordings/libtiff-212-9ec1d40.tar.gz
Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/tracer.py", line 378, in execute
    state, num_inst=1  # , force_addr=addr
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 135, in process
    opt_level=opt_level)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 185, in _process
    self._handle_irsb(state, successors, irsb, skip_stmts, last_stmt, whitelist)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 264, in _handle_irsb
    cont = self._handle_statement(state, successors, stmt)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/engine.py", line 372, in _handle_statement
    s_stmt = translate_stmt(stmt, state)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/__init__.py", line 29, in translate_stmt
    s.process()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/base.py", line 37, in process
    self._execute()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/wrtmp.py", line 6, in _execute
    data = self._translate_expr(self.stmt.data)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/statements/base.py", line 44, in _translate_expr
    e = translate_expr(expr, self.state)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/expressions/__init__.py", line 14, in translate_expr
    e.process()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/expressions/base.py", line 36, in process
    self._execute()
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/expressions/op.py", line 15, in _execute
    self.expr = translate(self.state, self._expr.op, [ e.expr for e in exprs ])
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/vex/irop.py", line 954, in translate
    raise UnsupportedIROpError("Unsupported operation: %s" % op)
angr.errors.UnsupportedIROpError: Unsupported operation: Iop_MAddF64