tritonToZ3 seg fault #1024

sh4m2hwz · 2021-06-18T11:50:13Z

>>> Triton = TritonContext()
>>> astctx = Triton.getAstContext()
>>> 
>>> Triton.setArchitecture(ARCH.X86_64)
>>> insn = Instruction()
>>> insn.setOpcode(b"\x48\x01\xD8")
>>> Triton.processing(insn)
True
>>> sexpr = insn.getSymbolicExpressions()[0]
>>> ast = sexpr.getAst()
>>> ast
(bvadd (_ bv0 64) (_ bv0 64))
>>> astctx.tritonToZ3(ast)
Segmentation fault (core dumped)```

The text was updated successfully, but these errors were encountered:

JonathanSalwan · 2021-06-18T12:10:02Z

I've just tried.

>>> from triton import *
>>> Triton = TritonContext()
>>> astctx = Triton.getAstContext()
>>> 
>>> Triton.setArchitecture(ARCH.X86_64)
>>> insn = Instruction()
>>> insn.setOpcode(b"\x48\x01\xD8")
>>> Triton.processing(insn)
True
>>> sexpr = insn.getSymbolicExpressions()[0]
>>> ast = sexpr.getAst()
>>> ast
(bvadd (_ bv0 64) (_ bv0 64))
>>> astctx.tritonToZ3(ast)
0 + 0
>>>

Make sure your z3 headers used at the compile are the same as the libz3.so linked to libtriton.so

JonathanSalwan · 2021-06-18T12:11:06Z

Also, make sure that import z3 are the same lib than the one linked to triton and used at the compile.

JonathanSalwan · 2021-06-18T13:44:55Z

4.8.11 is not 4.8.10. I repeat it's not a Triton issue, it's related to the way you compile triton with different z3 versions on your system.

sh4m2hwz · 2021-06-18T14:51:33Z

versions are equal:
$ z3 --version
Z3 version 4.8.10 - 64 bit
$ python3 -c "import z3;print(z3.get_version_string())"
4.8.10

also throws a seg fault

JonathanSalwan · 2021-06-18T15:01:31Z

Is the version you used to compile triton is also the 4.8.10?

sh4m2hwz · 2021-06-18T16:53:41Z

Is the version you used to compile triton is also the 4.8.10? - yes

gdb state:

astctx = t.getAstContext()
zf = astctx.unroll(t.getRegisterAst(t.registers.zf))
astctx.tritonToZ3(zf)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2bcdb10 in ast_manager::copy_families_plugins(ast_manager const&) () from /lib/x86_64-linux-gnu/libz3.so.4
(gdb) bt
#0 0x00007ffff2bcdb10 in ast_manager::copy_families_plugins(ast_manager const&) () from /lib/x86_64-linux-gnu/libz3.so.4
#1 0x00007ffff1b35a58 in Z3_translate ()
from /lib/x86_64-linux-gnu/libz3.so.4
#2 0x00007ffff39abdc1 in triton::bindings::python::AstContext_tritonToZ3(_object*, _object*) () from /usr/lib/python3/dist-packages/triton.so
#3 0x0000000000504186 in ?? ()
#4 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#5 0x000000000056951a in _PyEval_EvalCodeWithName ()
#6 0x000000000068be87 in PyEval_EvalCode ()
#7 0x000000000067b671 in ?? ()
#8 0x000000000067b6ef in ?? ()
#9 0x00000000004a3172 in ?? ()
#10 0x00000000004a41e6 in PyRun_InteractiveLoopFlags ()
#11 0x000000000067da39 in PyRun_AnyFileExFlags ()
#12 0x00000000004eeb41 in ?? ()
#13 0x00000000006b5a0d in Py_BytesMain ()
#14 0x00007ffff7de70b3 in __libc_start_main (main=0x4eee60

,
argc=1, argv=0x7fffffffe018, init=,
fini=, rtld_fini=,
stack_end=0x7fffffffe008) at ../csu/libc-start.c:308
#15 0x00000000005f9ece in _start ()

SweetVishnya · 2021-06-19T14:29:09Z

Maybe building with z3 from master will help?

JonathanSalwan · 2021-06-23T07:37:30Z

Ok. I've pulled the version 4.8.11 of z3 and I can reproduce the crash. The bug is not present for version <=4.8.8. I will investigate what change between 4.8.8 and 4.8.11.

JonathanSalwan · 2021-07-02T07:22:29Z

@sh4m2hwz can you try this following patch?

diff --git a/src/libtriton/bindings/python/objects/pyAstContext.cpp b/src/libtriton/bindings/python/objects/pyAstContext.cpp
index 1b0b422c..b65289d4 100644
--- a/src/libtriton/bindings/python/objects/pyAstContext.cpp
+++ b/src/libtriton/bindings/python/objects/pyAstContext.cpp
@@ -1592,20 +1592,17 @@ namespace triton {
           return PyErr_Format(PyExc_TypeError, "tritonToZ3(): z3 module not found.");
         }
 
-        // z3.main_ctx().ctx.value
         PyObject* z3MainCtx = PyObject_CallObject(PyObject_GetAttrString(z3mod, "main_ctx"), nullptr);
-        PyObject* z3CtxPtr  = PyObject_GetAttrString(PyObject_GetAttrString(z3MainCtx, "ctx"), "value");
-        Z3_context z3Ctx    = reinterpret_cast<Z3_context>(PyLong_AsVoidPtr(z3CtxPtr));
-        Py_DECREF(z3CtxPtr);
-        Py_DECREF(z3MainCtx);
+        z3::context* z3Ctx = new z3::context(); // FIXME: memory leak
+        PyObject_SetAttrString(PyObject_GetAttrString(z3MainCtx, "ctx"), "value", PyLong_FromVoidPtr(z3Ctx));
 
         // Convert the node to a Z3++ expression and translate it into
         // python's z3 main context
         z3::expr expr = tritonToZ3Ast.convert(PyAstNode_AsAstNode(node));
-        Z3_ast ast    = Z3_translate(expr.ctx(), expr, z3Ctx);
+        Z3_ast ast    = Z3_translate(expr.ctx(), expr, *z3Ctx);
 
         // Check that everything went fine
-        if (Z3_get_error_code(z3Ctx) != Z3_OK) {
+        if (Z3_get_error_code(*z3Ctx) != Z3_OK) {
           Py_DECREF(z3mod);
           return PyErr_Format(PyExc_RuntimeError, "tritonToZ3(): Z3 AST translation failed.");
         }
@@ -1626,7 +1623,6 @@ namespace triton {
 
         // Cleanup
         Py_DECREF(z3mod);
-
         return retExpr;
       }

sh4m2hwz · 2021-07-02T11:43:41Z

patch don't work for smaller constraints, medium or bigger size constraints:
small constraint:

>>> t = TritonContext()
>>> t.setArchitecture(ARCH.X86_64)
>>> var0 = t.newSymbolicVariable(64)
>>> var0 = t.variable(var0)
>>> e = var0*var0 > 0
>>> astctx.tritonToZ3(e)
Program received signal SIGSEGV, Segmentation fault.
> bt 
#0  0x00007ffff65230cb in ast_manager::is_unique_value(expr*) const () from /home/c4h-/.local/lib/python3.8/site-packages/z3/lib/libz3.so
#1  0x00007ffff55d30ee in Z3_get_ast_kind () from /home/c4h-/.local/lib/python3.8/site-packages/z3/lib/libz3.so
#2  0x00007ffff7fb1ff5 in ?? () from /lib/x86_64-linux-gnu/libffi.so.7
#3  0x00007ffff7fb140a in ?? () from /lib/x86_64-linux-gnu/libffi.so.7
#4  0x00007ffff752929c in _ctypes_callproc () from /usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-x86_64-linux-gnu.so
#5  0x00007ffff75298a4 in ?? () from /usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-x86_64-linux-gnu.so
#6  0x00000000005f66f6 in _PyObject_MakeTpCall ()
#7  0x000000000057094b in _PyEval_EvalFrameDefault ()
#8  0x000000000056951a in _PyEval_EvalCodeWithName ()
#9  0x00000000005f60b3 in _PyFunction_Vectorcall ()
#10 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#11 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#12 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#13 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#14 0x0000000000570296 in _PyEval_EvalFrameDefault ()
#15 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#16 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#17 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#18 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#19 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#20 0x000000000059cc9d in ?? ()
#21 0x00000000005f66f6 in _PyObject_MakeTpCall ()
#22 0x00000000005704c3 in _PyEval_EvalFrameDefault ()
#23 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#24 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#25 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#26 0x00000000005a6e11 in ?? ()
#27 0x000000000069d5c8 in ?? ()
#28 0x00000000005c4b2d in PyObject_Repr ()
#29 0x00000000006133cf in PyFile_WriteObject ()
#30 0x000000000067919b in ?? ()
#31 0x00000000005c4730 in ?? ()
#32 0x00000000005f3311 in ?? ()
#33 0x00000000005f35d5 in PyObject_CallFunctionObjArgs ()
#34 0x000000000056f1ee in _PyEval_EvalFrameDefault ()
#35 0x000000000056951a in _PyEval_EvalCodeWithName ()
#36 0x000000000068be87 in PyEval_EvalCode ()
#37 0x000000000067b671 in ?? ()
#38 0x000000000067b6ef in ?? ()
#39 0x00000000004a3172 in ?? ()
#40 0x00000000004a41e6 in PyRun_InteractiveLoopFlags ()
#41 0x000000000067da39 in PyRun_AnyFileExFlags ()
#42 0x00000000004eeb41 in ?? ()
#43 0x00000000006b5a0d in Py_BytesMain ()
#44 0x00007ffff7dde0b3 in __libc_start_main (main=0x4eee60 <main>, argc=1, argv=0x7fffffffde48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde38) at ../csu/libc-start.c:308
#45 0x00000000005f9ece in _start ()
medium constraint:
>>> t = TritonContext()
>>> t.setArchitecture(ARCH.X86_64)
>>> var0 = t.newSymbolicVariable(64)
>>> var1 = t.newSymbolicVariable(64)
>>> var2 = t.newSymbolicVariable(32)
>>> 
>>> astctx = t.getAstContext()
>>> var0 = astctx.variable(var0)
>>> var1 = astctx.variable(var1)
>>> var2 = astctx.variable(var2)
>>>
>>> t1 = astctx.bvadd(var0,var1)
>>> t2 = astctx.bvnot(var2)
>>> t3 = astctx.bv(0xd41c,32)
>>> t4 = astctx.bvsub(var2,t3)
>>> t5 = astctx.sx(32,t4)
>>> t6 = astctx.bvmul(t1,t5)
>>> t7 = astctx.bvsgt(t6,astctx.bv(0,64))
>>> t7
(bvsgt (bvmul (bvadd SymVar_0 SymVar_1) ((_ sign_extend 32) (bvsub SymVar_2 (_ bv54300 32)))) (_ bv0 64))
>>> astctx.tritonToZ3(t7)
Program received signal SIGSEGV, Segmentation fault.
> bt
#0  0x00007ffff2ee40cb in ast_manager::is_unique_value(expr*) const () from /home/user/.local/lib/python3.8/site-packages/z3/lib/libz3.so
#1  0x00007ffff1f940ee in Z3_get_ast_kind () from /home/c4h-/.local/lib/python3.8/site-packages/z3/lib/libz3.so
#2  0x00007ffff411aff5 in ?? () from /lib/x86_64-linux-gnu/libffi.so.7
#3  0x00007ffff411a40a in ?? () from /lib/x86_64-linux-gnu/libffi.so.7
#4  0x00007ffff3a5f29c in _ctypes_callproc () from /usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-x86_64-linux-gnu.so
#5  0x00007ffff3a5f8a4 in ?? () from /usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-x86_64-linux-gnu.so
#6  0x00000000005f66f6 in _PyObject_MakeTpCall ()
#7  0x000000000057094b in _PyEval_EvalFrameDefault ()
#8  0x000000000056951a in _PyEval_EvalCodeWithName ()
#9  0x00000000005f60b3 in _PyFunction_Vectorcall ()
#10 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#11 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#12 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#13 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#14 0x0000000000570296 in _PyEval_EvalFrameDefault ()
#15 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#16 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#17 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#18 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#19 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#20 0x000000000059cc9d in ?? ()
#21 0x00000000005f66f6 in _PyObject_MakeTpCall ()
#22 0x00000000005704c3 in _PyEval_EvalFrameDefault ()
#23 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#24 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#25 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#26 0x00000000005a6e11 in ?? ()
#27 0x000000000069d5c8 in ?? ()
#28 0x00000000005c4b2d in PyObject_Repr ()
#29 0x00000000006133cf in PyFile_WriteObject ()
#30 0x000000000067919b in ?? ()
#31 0x00000000005c4730 in ?? ()
#32 0x00000000005f3311 in ?? ()
#33 0x00000000005f35d5 in PyObject_CallFunctionObjArgs ()
#34 0x000000000056f1ee in _PyEval_EvalFrameDefault ()
#35 0x000000000056951a in _PyEval_EvalCodeWithName ()
#36 0x000000000068be87 in PyEval_EvalCode ()
#37 0x000000000067b671 in ?? ()
#38 0x000000000067b6ef in ?? ()
#39 0x00000000004a3172 in ?? ()
#40 0x00000000004a41e6 in PyRun_InteractiveLoopFlags ()
#41 0x000000000067da39 in PyRun_AnyFileExFlags ()
#42 0x00000000004eeb41 in ?? ()
#43 0x00000000006b5a0d in Py_BytesMain ()
#44 0x00007ffff7dde0b3 in __libc_start_main (main=0x4eee60 <main>, argc=1, argv=0x7fffffffde48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde38) at ../csu/libc-start.c:308
#45 0x00000000005f9ece in _start ()


big constraint:
>>> t = TritonContext()
>>> t.setArchitecture(ARCH.X86_64)
>>> t.enableSymbolicEngine(True)
>>> t.enableTaintEngine(True)
... (*t.processing() x86 insns*)
>>> astctx = t.getAstContext()
>>> c1ref = t.getPathPredicate()
>>> c1full = astctx.unroll(c1ref)
>>> c1full
(and (= (_ bv1 1) (_ bv1 1)) (not (= (bvxor ((_ extract 31 31) ((_ zero_extend 32) (bvand ((_ extract 31 0) ((_ zero_extend 32) ((_ extract 31 0) (bvurem (concat ((_ extract 31 0) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16)))))) ((_ extract 31 0) ((_ zero_extend 32) (concat ((_ extract 7 0) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 15 8) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 23 16) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 31 24) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))))))) ((_ zero_extend 32) ((_ extract 31 0) ((_ zero_extend 32) (bvxor ((_ extract 31 0) ((_ zero_extend 32) (bvor ((_ extract 31 0) ((_ zero_extend 32) (bvmul ((_ extract 31 0) ((_ zero_extend 32) (concat ((_ extract 7 0) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 15 8) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 23 16) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 31 24) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))))) (_ bv17969 32)))) ((_ extract 31 0) ((_ zero_extend 32) (concat ((_ extract 7 0) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))) ((_ extract 15 8) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))) ((_ extract 23 16) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))) ((_ extract 31 24) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))))))))) ((_ extract 31 0) ((_ zero_extend 32) (bvnot (_ bv0 32)))))))))))) ((_ extract 31 0) ((_ zero_extend 32) ((_ extract 31 0) (bvudiv (concat ((_ extract 31 0) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16)))))) ((_ extract 31 0) ((_ zero_extend 32) (concat ((_ extract 7 0) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 15 8) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 23 16) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 31 24) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))))))) ((_ zero_extend 32) ((_ extract 31 0) ((_ zero_extend 32) (bvxor ((_ extract 31 0) ((_ zero_extend 32) (bvor ((_ extract 31 0) ((_ zero_extend 32) (bvmul ((_ extract 31 0) ((_ zero_extend 32) (concat ((_ extract 7 0) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 15 8) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 23 16) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))))))) ((_ extract 31 24) ((_ extract 31 0) (concat ((_ extract 63 16) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvxor ((_ extract 15 8) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ extract 15 8) (concat ((_ extract 63 16) (_ bv0 64)) ((_ extract 15 0) ((_ rotate_left 8) (concat ((_ extract 15 0) (concat ((_ extract 63 16) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (concat (bvsub ((_ extract 15 8) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvadd ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) ((_ zero_extend 7) ((_ extract 63 63) (bvxor (bvand SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvand (bvxor (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8)))) (bvxor SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))) ((_ extract 7 0) (bvnot (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))) (_ bv0 16))))))) ((_ extract 7 0) (bvadd SymVar_0 (concat ((_ extract 63 8) (_ bv0 64)) (_ bv85 8))))))))))) (_ bv17969 32)))) ((_ extract 31 0) ((_ zero_extend 32) (concat ((_ extract 7 0) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))) ((_ extract 15 8) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))) ((_ extract 23 16) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))) ((_ extract 31 24) (concat ((_ extract 31 24) SymVar_1) ((_ extract 23 16) SymVar_1) ((_ extract 15 8) SymVar_1) ((_ extract 7 0) SymVar_1))))))))) ((_ extract 31 0) ((_ zero_extend 32) (bvnot (_ bv0 32))))))))))))))) (_ bv0 1)) (_ bv1 1))))
>>> astctx.tritonToZ3(c1full)
Segmentation fault (core dumped)

> bt
#0  0x00007ffff35d60cb in ast_manager::is_unique_value(expr*) const () from /home/c4h-/.local/lib/python3.8/site-packages/z3/lib/libz3.so
#1  0x00007ffff26860ee in Z3_get_ast_kind () from /home/c4h-/.local/lib/python3.8/site-packages/z3/lib/libz3.so
#2  0x00007ffff7fb1ff5 in ?? () from /lib/x86_64-linux-gnu/libffi.so.7
#3  0x00007ffff7fb140a in ?? () from /lib/x86_64-linux-gnu/libffi.so.7
#4  0x00007ffff752929c in _ctypes_callproc () from /usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-x86_64-linux-gnu.so
#5  0x00007ffff75298a4 in ?? () from /usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-x86_64-linux-gnu.so
#6  0x00000000005f66f6 in _PyObject_MakeTpCall ()
#7  0x000000000057094b in _PyEval_EvalFrameDefault ()
#8  0x000000000056951a in _PyEval_EvalCodeWithName ()
#9  0x00000000005f60b3 in _PyFunction_Vectorcall ()
#10 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#11 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#12 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#13 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#14 0x0000000000570296 in _PyEval_EvalFrameDefault ()
#15 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#16 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#17 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#18 0x000000000056b3fe in _PyEval_EvalFrameDefault ()
#19 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#20 0x000000000059cc9d in ?? ()
#21 0x00000000005f66f6 in _PyObject_MakeTpCall ()
#22 0x00000000005704c3 in _PyEval_EvalFrameDefault ()
#23 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#24 0x000000000056b21e in _PyEval_EvalFrameDefault ()
#25 0x00000000005f5ed6 in _PyFunction_Vectorcall ()
#26 0x00000000005a6e11 in ?? ()
#27 0x000000000069d5c8 in ?? ()
#28 0x00000000005c4b2d in PyObject_Repr ()
#29 0x00000000006133cf in PyFile_WriteObject ()
#30 0x000000000067919b in ?? ()
#31 0x00000000005c4730 in ?? ()
#32 0x00000000005f3311 in ?? ()
#33 0x00000000005f35d5 in PyObject_CallFunctionObjArgs ()
#34 0x000000000056f1ee in _PyEval_EvalFrameDefault ()
#35 0x000000000056951a in _PyEval_EvalCodeWithName ()
#36 0x000000000068be87 in PyEval_EvalCode ()
#37 0x000000000067b671 in ?? ()
#38 0x000000000067b6ef in ?? ()
#39 0x00000000004a3172 in ?? ()
#40 0x00000000004a41e6 in PyRun_InteractiveLoopFlags ()
#41 0x000000000067da39 in PyRun_AnyFileExFlags ()
#42 0x00000000004eeb41 in ?? ()
#43 0x00000000006b5a0d in Py_BytesMain ()
#44 0x00007ffff7dde0b3 in __libc_start_main (main=0x4eee60 <main>, argc=1, argv=0x7fffffffde48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde38) at ../csu/libc-start.c:308
#45 0x00000000005f9ece in _start ()

JonathanSalwan · 2021-07-02T11:52:10Z

Ok, well i don't know how to fix this as Z3 do not provides CPython API... So translating a z3 C++ object to a python object (PyObject*) is kind of hacky. Everything is done here, if you have some ideas...

RobinDavid · 2022-02-07T16:40:09Z

Hi captain!
I am up'ing that issue as it is also crashing for me. The Z3 version against which I am compiled is 4.8.12.0.
Unfortunately I would really need using that it at the moment (unless we can do a Bitwuzla equivalent).

My snippet to reproduce it:

from triton import *

ctx = TritonContext(ARCH.X86_64)

actx = ctx.getAstContext()

rax = ctx.symbolizeRegister(ctx.registers.rax)

expr = ctx.newSymbolicExpression(actx.variable(rax) == 12)

e_z3 = actx.tritonToZ3(expr.getAst())

Note: that liftToSMT is not really suitable as I need to push / pop constaints by reusing the same SMT solver object.

JonathanSalwan · 2022-02-07T17:14:30Z

Hey Admiral.

Mmmmh, ok fun fact but since this issue was opened it looks like they fixed the issue on z3 side. All PoC posted in this thread work with Z3 version 4.8.15 - 64 bit.

So to resume it looks like Z3 team changed something on their API from >4.8.8 and <4.8.15 which do not allowed us to build Z3 Python objects from C++. This issue seems resolved if you use the last version of Z3 and I can't do anything on the Triton side to get it working for version between 4.8.8 and 4.8.15.

RobinDavid · 2022-02-09T13:30:13Z

For the record, @cnheitman pinpointed the issue. The libz3.so used between triton and the z3 python module should be the same library !

JonathanSalwan self-assigned this Jun 18, 2021

JonathanSalwan added this to the v0.9 milestone Jun 23, 2021

JonathanSalwan added Bug External tool labels Jun 23, 2021

JonathanSalwan added AST Evaluation libTriton AST and removed AST Evaluation labels Jun 23, 2021

JonathanSalwan modified the milestones: v0.9, v0.x Feb 7, 2022

JonathanSalwan removed this from the v0.x milestone Feb 7, 2022

JonathanSalwan removed libTriton AST labels Feb 7, 2022

JonathanSalwan closed this as completed Feb 7, 2022

JonathanSalwan mentioned this issue Jun 10, 2022

Python bindings for tritonToZ3 segfault #1136

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tritonToZ3 seg fault #1024

tritonToZ3 seg fault #1024

sh4m2hwz commented Jun 18, 2021 •

edited by JonathanSalwan

Loading

JonathanSalwan commented Jun 18, 2021

JonathanSalwan commented Jun 18, 2021

JonathanSalwan commented Jun 18, 2021

sh4m2hwz commented Jun 18, 2021

JonathanSalwan commented Jun 18, 2021

sh4m2hwz commented Jun 18, 2021

SweetVishnya commented Jun 19, 2021

JonathanSalwan commented Jun 23, 2021

JonathanSalwan commented Jul 2, 2021

sh4m2hwz commented Jul 2, 2021 •

edited by JonathanSalwan

Loading

JonathanSalwan commented Jul 2, 2021

RobinDavid commented Feb 7, 2022

JonathanSalwan commented Feb 7, 2022 •

edited

Loading

RobinDavid commented Feb 9, 2022

tritonToZ3 seg fault #1024

tritonToZ3 seg fault #1024

Comments

sh4m2hwz commented Jun 18, 2021 • edited by JonathanSalwan Loading

JonathanSalwan commented Jun 18, 2021

JonathanSalwan commented Jun 18, 2021

JonathanSalwan commented Jun 18, 2021

sh4m2hwz commented Jun 18, 2021

JonathanSalwan commented Jun 18, 2021

sh4m2hwz commented Jun 18, 2021

SweetVishnya commented Jun 19, 2021

JonathanSalwan commented Jun 23, 2021

JonathanSalwan commented Jul 2, 2021

sh4m2hwz commented Jul 2, 2021 • edited by JonathanSalwan Loading

JonathanSalwan commented Jul 2, 2021

RobinDavid commented Feb 7, 2022

JonathanSalwan commented Feb 7, 2022 • edited Loading

RobinDavid commented Feb 9, 2022

sh4m2hwz commented Jun 18, 2021 •

edited by JonathanSalwan

Loading

sh4m2hwz commented Jul 2, 2021 •

edited by JonathanSalwan

Loading

JonathanSalwan commented Feb 7, 2022 •

edited

Loading