docs: ret-to-IAT chain retry findings under shape-aware defaults (#189)

Updates the tombstone comment in lift_ret with what this iteration
discovered when re-attempting the chained-continuation variant under
the post-#188 shape-aware defaults (T=16 on IndirectJump, 0 elsewhere):

- At effective T=16: chain safely fires once at 0x14017fa77
  (GetStdHandle, continuation 0x1401c888e) and explores 40 more blocks
  (359 -> 399), but does not surface any additional imports. Still 1/4.
- At T>=32: still crashes at ~1891 blocks deep, same as #187.

Two reasons chaining is not wired in:
1. T>=32 crash blocks broader use.
2. Safe T=16 chain does not reach other import ret sites within the
   generalization-bounded exploration budget.

The chain block is left as a guarded diagnostic (requires MERGEN_RET_CHAIN=1)
so researchers can reproduce the T=16 exploration envelope
and the T>=32 crash, but the default path remains just the PathSolver
hook with 'call @import(); unreachable' leaves.

Comment-only change. No code-behaviour change.

Co-authored-by: Claude <claude@anthropic.com>
naci
2026-04-24 18:16:18 +03:00
committed by GitHub
parent 90d5ca23b6
commit f340c8186a
+10 -8
@@ -510,14 +510,16 @@ MERGEN_LIFTER_DEFINITION_TEMPLATES(void)::lift_ret() { // fix
// the import VA for further lifting.
//
// A chained-continuation variant (pop the pre-staged continuation and
// feed it to solvePath so exploration continues to the next VM handler)
// was tried here, including a mapped-address safety guard on the first
// chain step. Chaining reliably crashes the lifter on T>=32 runs of
// example2-virt.bin after exploring past the first import call. The
// crash is downstream of the chain itself (in one of the additional
// blocks that chaining unlocks), so the guard does not catch it. Needs
// a deeper root-cause investigation before chaining is safe to land.
// feed it to solvePath) was tried again at the current shape-aware
// defaults: at effective T=16 on IndirectJump it safely fires once
// (GetStdHandle @ 0x14017fa77, continuation 0x1401c888e) and explores
// 40 more blocks, but does not surface any additional imports (still
// 1/4). At T>=32 it still crashes at ~1891 blocks deep. The chain is
// not wired in because: (a) the T>=32 crash blocks broader use, and
// (b) at safe T=16 the post-chain exploration does not reach other
// import ret sites within the generalization-bounded budget. See #187
// for the chain tombstone.
ScopedPathSolveContext pathSolveContext(this, PathSolveContext::Ret);
auto pathResult = solvePath(function, destination, realval);
if (pathResult == PATH_unsolved) {
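Review bot: the rewritten comment (from "feed it to solvePath) was tried again" through "See #187 for the chain tombstone.") omits the reproduction switch that the commit message says gates the chain block, so a reader of lift_ret cannot tell how the T=16 envelope and the T>=32 crash it cites were obtained. Suggest adding one line before the "#187" reference, e.g. `// Reproduce with MERGEN_RET_CHAIN=1 (guarded diagnostic; default path unchanged).`, and citing #188 next to #187, since the "effective T=16 on IndirectJump" default the comment relies on comes from that change.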