coreutils: cksum produces incomplete trace
It looks like the recovered cksum is not complete and always segfaults because there are several conditional branches that are not hit during the initial capture. In the recovered bitcode, after a read operation has completed, via fread(), there are a bunch of nop instructions and then an instruction that will always segfault (esi will always be 0 because of the xor):
# call to __fread_unlocked
0x0904958f <+991>: call 0x9049150 <helper_stub_trampoline>
# instructions, no branches
0x090495c0 <+1040>: xor esi,esi
0x090495c2 <+1042>: nop
# More nop's
0x090495ce <+1054>: nop
0x090495cf <+1055>: nop
=> 0x090495d0 <+1056>: movzx esi,BYTE PTR [esi]
Based on the assembly, I think this is referring to the read and sum loop in cksum (see cksum.c).
My hunch is that binrec is operating correctly, based on the captured bitcode, and the actual problem is that the trace is incomplete. I’ve tried running more traces on additional files without any luck. So, I don't think this problem is specific to cksum and we will see more samples affected by this.
Interestingly, the sum coreutils sample works now and operates very similarly to cksum. The main difference appears to be that cksum operates on strings (fread) and sum operates on characters (fgetc) (see sum.c).
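To triage other recovered samples for the same symptom, the following added example (not part of the original report and not binrec code) scans a gdb Intel-syntax listing for a register zeroed by `xor r,r` and then dereferenced in the same straight-line run. The function name `find_null_derefs` is hypothetical, and the sample input is the listing quoted in the report.

```python
import re

# Listing copied from the report above (gdb, Intel syntax, 32-bit x86).
LISTING = """\
# call to __fread_unlocked
0x0904958f <+991>: call 0x9049150 <helper_stub_trampoline>
# instructions, no branches
0x090495c0 <+1040>: xor esi,esi
0x090495c2 <+1042>: nop
# More nop's
0x090495ce <+1054>: nop
0x090495cf <+1055>: nop
=> 0x090495d0 <+1056>: movzx esi,BYTE PTR [esi]
"""

INSN = re.compile(r"^(?:=>\s*)?(0x[0-9a-f]+)\s+<\+\d+>:\s+(\S+)\s*(.*)$")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"}


def find_null_derefs(listing):
    """Return (xor_addr, deref_addr, reg) for each register that is zeroed by
    `xor r,r` and later used as a bare memory base `[r]` with no intervening
    control flow or write to that register."""
    zeroed = {}  # register -> address of the xor that zeroed it
    hits = []
    for line in listing.splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue  # comment or non-instruction line
        addr, mnem, ops = m.groups()
        operands = [o.strip() for o in ops.split(",")] if ops else []
        # Check reads first: `movzx esi,[esi]` reads esi before writing it.
        for op in operands:
            mem = re.search(r"\[(\w+)\]", op)
            if mem and mem.group(1) in zeroed:
                hits.append((zeroed[mem.group(1)], addr, mem.group(1)))
        if mnem in ("call", "ret") or mnem.startswith("j"):
            zeroed.clear()  # control flow: register state no longer known
        elif (mnem == "xor" and len(operands) == 2
              and operands[0] == operands[1] and operands[0] in REGS):
            zeroed[operands[0]] = addr
        elif operands and operands[0] in REGS:
            # Conservative: any instruction naming the register first is
            # treated as overwriting it, so it is no longer tracked.
            zeroed.pop(operands[0], None)
    return hits


if __name__ == "__main__":
    for xor_addr, deref_addr, reg in find_null_derefs(LISTING):
        print(f"{reg} zeroed at {xor_addr}, dereferenced at {deref_addr}")
```

A hit only says that the straight-line code dereferences a zero register; whether that comes from an untraced branch still has to be checked against the trace.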