Fix AST optimizations incorrectly eliminating symbolic expressions

JexAmro · JexAmro · commit a34d106338e8 · 2025-11-20T10:16:41.000-05:00
Three optimizations (A^A=0, A|A=A, A-A=0) were using equalTo() to
detect identical operands. However, equalTo() compares concrete values
rather than AST structure, causing different symbolic expressions with
the same concrete value to be incorrectly identified as equal.

This caused the optimizer to eliminate symbolic information:
- bvxor: A^A=0 replaced symbolic XOR with concrete 0
- bvsub: A-A=0 replaced symbolic SUB with concrete 0
- bvor: A|A=A returned one operand, losing the other's dependency

Example: In AArch64 cfSub_s(), the carry flag computation would lose
symbolic status when symbolic operands evaluated to 0, breaking
conditional branch symbolization (e.g., b.lo not recognized as symbolic).

The fix adds isSymbolized() checks to ensure these optimizations only
apply when both operands are concrete, preserving symbolic information.

Note: bvand already had the correct check; this fix makes bvor, bvsub,
and bvxor consistent with that pattern.
diff --git a/src/libtriton/ast/astContext.cpp b/src/libtriton/ast/astContext.cpp
@@ -353,7 +353,9 @@ namespace triton {
           return this->bv(expr2->getBitvectorMask(), expr2->getBitvectorSize());
 
         /* Optimization: A | A = A */
-        if (expr1->equalTo(expr2))
+        /* Only apply when both operands are concrete. Two different symbolic expressions
+         * may evaluate to the same value but represent distinct computations. */
+        if (!expr1->isSymbolized() && !expr2->isSymbolized() && expr1->equalTo(expr2))
           return expr1;
       }
 
@@ -603,7 +605,9 @@ namespace triton {
           return this->bvneg(expr2);
 
         /* Optimization: A - A = 0 */
-        if (expr1->equalTo(expr2))
+        /* Only apply when both operands are concrete to preserve symbolic information.
+         * Different symbolic expressions may evaluate equal but must remain distinct. */
+        if (!expr1->isSymbolized() && !expr2->isSymbolized() && expr1->equalTo(expr2))
           return this->bv(0, expr1->getBitvectorSize());
       }
 
@@ -732,7 +736,10 @@ namespace triton {
           return expr2;
 
         /* Optimization: A ^ A = 0 */
-        if (expr1->equalTo(expr2))
+        /* Only apply when both operands are concrete to avoid losing symbolic information.
+         * Two different symbolic expressions may have the same concrete value temporarily,
+         * but they represent different symbolic computations that must be preserved. */
+        if (!expr1->isSymbolized() && !expr2->isSymbolized() && expr1->equalTo(expr2))
           return this->bv(0, expr1->getBitvectorSize());
       }
 
