Fix AST optimization bug incorrectly eliminating symbolic expressions #1432
Merged
JonathanSalwan merged 1 commit into JonathanSalwan:dev-v1.0 (Nov 20, 2025)
Conversation
Owner
Thx a lot for this reporting! Do we have to apply this patch also for these two ones?
Author
Yes, should patch both! I have just tested and confirmed that "A - A = 0" is an identical issue and it occurs a lot in AArch64.
Owner
Can you add those two in your patch and then I will merge :)
Author
Yes, already planning to do so, but after testing. Will test and update the patch first thing tomorrow. Thanks for your fast response on this!
Three optimizations (A^A=0, A|A=A, A-A=0) were using equalTo() to detect identical operands. However, equalTo() compares concrete values rather than AST structure, causing different symbolic expressions with the same concrete value to be incorrectly identified as equal.

This caused the optimizer to eliminate symbolic information:
- bvxor: A^A=0 replaced symbolic XOR with concrete 0
- bvsub: A-A=0 replaced symbolic SUB with concrete 0
- bvor: A|A=A returned one operand, losing the other's dependency

Example: In AArch64 cfSub_s(), the carry flag computation would lose symbolic status when symbolic operands evaluated to 0, breaking conditional branch symbolization (e.g., b.lo not recognized as symbolic).

The fix adds isSymbolized() checks to ensure these optimizations only apply when both operands are concrete, preserving symbolic information.

Note: bvand already had the correct check; this fix makes bvor, bvsub, and bvxor consistent with that pattern.
1420e2a to a34d106
Author
Done!
9ce30cc into JonathanSalwan:dev-v1.0
25 of 26 checks passed
AST Optimization Bug
Three AST optimizations (A^A=0, A-A=0, A|A=A) use equalTo() to detect when both operands are identical. However, equalTo() compares concrete evaluation values rather than AST structure:

This causes different symbolic expressions to be considered "equal" if they happen to have the same concrete value, hash, size, and level at evaluation time, leading to incorrect symbolic information elimination.
Affected Operations
Note: bvand already had the correct check (!expr1->isSymbolized() && !expr2->isSymbolized()). This fix makes the other three operations consistent with that pattern.
Impact
When symbolic expressions are incorrectly replaced with concrete values or have dependencies removed, downstream symbolic analysis breaks.
Real-World Reproduction (AArch64)
In the cfSub_s() semantics for the carry flag computation:
cf = (MSB(((op1 ^ op2 ^ result) ^ ((op1 ^ result) & (op1 ^ op2))))) ^ 1
When op1 (symbolic, eval=0) is XORed with other expressions that also evaluate to 0, the A^A=0 optimization incorrectly triggers:

Result: The carry flag becomes concrete instead of symbolic, causing the conditional branch b.lo to not be recognized as symbolized, breaking path exploration.
Solution
Add isSymbolized() checks to ensure these optimizations only apply when both operands are concrete:
This preserves symbolic information while still allowing optimizations for concrete expressions.
Systematic Fix
This PR fixes a systematic bug across three AST operations. The pattern was:
All three now follow the same safe pattern as bvand.
Testing
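The following is an added illustration written for this page; it is not code from this PR, from Triton, or from its author. It is a deliberately small Python model of the bug described in the "AST Optimization Bug" and "Solution" sections above: a toy AST whose equal_to() compares concrete evaluation and size rather than structure (the hash and level comparison mentioned above are left out of the model), an optimizer that can be switched between the old guard (equal_to() alone) and the patched guard (equal_to() only when both operands are concrete), and the cfSub_s() carry-flag formula quoted above built through that optimizer. The variable assignment CONCRETE = {"x": 0} is a constructed runtime value that puts the symbolic operand on the path the PR describes, where it evaluates to 0.

```python
"""Toy model of the AST-optimization bug fixed in Triton PR #1432 (added
illustration, not Triton's own code). Node.equal_to() mirrors the behaviour
described in the PR: it compares concrete evaluation, not AST structure."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Tuple

BITS = 64
MASK = (1 << BITS) - 1

# Constructed runtime values of the symbolic variables: the interesting case is
# a symbolic operand whose concrete value happens to be 0.
CONCRETE = {"x": 0}


@dataclass(frozen=True)
class Node:
    kind: str                       # "bv", "var", "msb" or a binary operator
    size: int = BITS                # bit-vector width
    value: int = 0                  # concrete constant for "bv"
    name: str = ""                  # variable name for "var"
    children: Tuple["Node", ...] = ()

    def evaluate(self) -> int:
        """Concrete evaluation under CONCRETE (what the emulator observed)."""
        if self.kind == "bv":
            return self.value & MASK
        if self.kind == "var":
            return CONCRETE[self.name] & MASK
        if self.kind == "msb":
            (c,) = self.children
            return (c.evaluate() >> (c.size - 1)) & 1
        a, b = (c.evaluate() for c in self.children)
        return {"bvxor": a ^ b, "bvor": a | b, "bvand": a & b,
                "bvsub": (a - b) & MASK}[self.kind]

    def is_symbolized(self) -> bool:
        """True if any leaf is a symbolic variable (Triton's isSymbolized())."""
        return self.kind == "var" or any(c.is_symbolized() for c in self.children)

    def equal_to(self, other: "Node") -> bool:
        """Models equalTo(): same width and same concrete value, regardless of
        structure, so var x (== 0 at runtime) is 'equal' to the constant 0."""
        return self.size == other.size and self.evaluate() == other.evaluate()


def bv(value: int, size: int = BITS) -> Node:
    return Node("bv", size, value=value)


def var(name: str, size: int = BITS) -> Node:
    return Node("var", size, name=name)


def msb(a: Node) -> Node:
    return Node("msb", 1, children=(a,))


def _identical(a: Node, b: Node, fixed: bool) -> bool:
    """The guard shared by the three optimizations. Old code: equal_to() alone.
    Patched code: equal_to() only counts when both operands are concrete."""
    if fixed and (a.is_symbolized() or b.is_symbolized()):
        return False
    return a.equal_to(b)


def bvxor(a: Node, b: Node, fixed: bool) -> Node:
    # A ^ A = 0: with the old guard this swallows a symbolic x when x == 0.
    return bv(0, a.size) if _identical(a, b, fixed) else Node("bvxor", a.size, children=(a, b))


def bvsub(a: Node, b: Node, fixed: bool) -> Node:
    # A - A = 0: same failure mode as bvxor.
    return bv(0, a.size) if _identical(a, b, fixed) else Node("bvsub", a.size, children=(a, b))


def bvor(a: Node, b: Node, fixed: bool) -> Node:
    # A | A = A: returning `a` drops every dependency carried only by `b`.
    return a if _identical(a, b, fixed) else Node("bvor", a.size, children=(a, b))


def bvand(a: Node, b: Node) -> Node:
    # bvand already required both operands to be concrete before the PR.
    return a if _identical(a, b, fixed=True) else Node("bvand", a.size, children=(a, b))


def cf_sub(op1: Node, op2: Node, fixed: bool) -> Node:
    """The cfSub_s() carry flag from the PR, built through the optimizer:
    cf = MSB(((op1 ^ op2 ^ result) ^ ((op1 ^ result) & (op1 ^ op2)))) ^ 1"""
    result = bvsub(op1, op2, fixed)
    t1 = bvxor(bvxor(op1, op2, fixed), result, fixed)
    t2 = bvand(bvxor(op1, result, fixed), bvxor(op1, op2, fixed))
    return bvxor(msb(bvxor(t1, t2, fixed)), bv(1, 1), fixed)


if __name__ == "__main__":
    for fixed in (False, True):
        cf = cf_sub(var("x"), bv(0), fixed)
        print(f"fixed={fixed}: cf symbolized={cf.is_symbolized()} value={cf.evaluate()}")
```

Running it shows the carry flag coming out concrete with the old guard and symbolic with the patched one, while both still evaluate to 1; with the patched guard, bvxor(bv(5), bv(5)), bvsub(bv(7), bv(7)) and bvor(bv(9), bv(9)) still fold, which is the "still allowing optimizations for concrete expressions" property the Solution section claims.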