DWARF load fails when reference is a DW_FORM_ref_addr instead of DW_FORM_ref4 #589

@calebh

Description

I have a very simple Rust program that I have compiled in release mode with DWARF debug information turned on. When I attempt to load it into cle via

ld = cle.Loader("is-rust/target/release-with-debug/is-rust", load_debug_info=True)

I get the following traceback:

Traceback (most recent call last):
  File "/home/cqh0620/Documents/tractorproject/cle/cle/loader.py", line 1007, in _load_object_isolated
    result = backend_cls(binary, binary_stream, is_main_bin=self._main_object is None, loader=self, **options)
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 216, in __init__
    self._load_dies(dwarf)
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 789, in _load_dies
    self._load_die_namespace(top_die, dwarf, aranges, cu_, expr_parser, type_list, cu, [])
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 822, in _load_die_namespace
    self._load_die_namespace(die_child, dwarf, aranges, cu_, expr_parser, type_list, cu, new_namespace)
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 822, in _load_die_namespace
    self._load_die_namespace(die_child, dwarf, aranges, cu_, expr_parser, type_list, cu, new_namespace)
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 822, in _load_die_namespace
    self._load_die_namespace(die_child, dwarf, aranges, cu_, expr_parser, type_list, cu, new_namespace)
  [Previous line repeated 1 more time]
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 813, in _load_die_namespace
    sub_prog = self._load_die_lex_block(
  File "/home/cqh0620/Documents/tractorproject/cle/cle/backends/elf/elf.py", line 879, in _load_die_lex_block
    origin = cu.get_DIE_from_refaddr(cu.cu_offset + sub_die.attributes["DW_AT_abstract_origin"].value)
  File "/home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/elftools/dwarf/compileunit.py", line 126, in get_DIE_from_refaddr
    dwarf_assert(
  File "/home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/elftools/common/utils.py", line 86, in dwarf_assert
    _assert_with_exception(cond, msg, DWARFError)
  File "/home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/elftools/common/utils.py", line 143, in _assert_with_exception
    raise exception_type(msg)
elftools.common.exceptions.DWARFError: refaddr 2104006 not in DIE range of CU 1051790
python-BaseException

Tracking down the cause of this issue was fairly straightforward. In the CLE elf.py file's _load_die_lex_block function, the code that resolves an abstract_origin does not account for the possibility that the reference could be an absolute reference, pointing to a different compilation unit. It seems that most of the time the form property of the abstract_origin attribute is equal to "DW_FORM_ref4", which is a relative offset. In this case form is equal to "DW_FORM_ref_addr", so an error is thrown.

Fixing the problem was fairly easy, I defined the following inner function to handle the "DW_FORM_ref_addr" case:

def resolve_abstract_origin(die):
    # Closes over `dwarf` (the pyelftools DWARFInfo) and `cu` (the CU currently
    # being walked) from the enclosing _load_die_lex_block.
    abstract_origin_attribute = die.attributes["DW_AT_abstract_origin"]
    if abstract_origin_attribute.form == "DW_FORM_ref_addr":
        # Absolute offset into .debug_info, so the target may sit in another
        # CU: find the CU that contains it before fetching the DIE.
        abstract_origin = abstract_origin_attribute.value
        origin_cu = dwarf.get_CU_containing(abstract_origin)
        return origin_cu.get_DIE_from_refaddr(abstract_origin)
    else:
        # DW_FORM_ref1/2/4/8/udata: offset relative to the start of this CU's header.
        return cu.get_DIE_from_refaddr(cu.cu_offset + abstract_origin_attribute.value)

I will be opening a pull request shortly to resolve this issue.

Steps to reproduce the bug

I have attached my Rust program that reproduces this issue. The binary in question is located at is-rust/target/release-with-debug/is-rust

is-rust.zip

Simply attempt to load using cle to reproduce:

import cle
ld = cle.Loader("is-rust/target/release-with-debug/is-rust", load_debug_info=True)

Environment

/home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/unicorn/unicorn.py:8: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
angr environment report
=============================
Date: 2025-07-07 15:10:16.674873
Running in virtual environment at /home/cqh0620/Documents/tractorproject/venv
Platform: linux-x86_64
Python version: 3.10.12 (main, Feb  4 2025, 14:57:36) [GCC 11.4.0]
######## angr #########
Python found it in /home/cqh0620/Documents/tractorproject/angr/angr/__init__.py
Pip version 9.2.164.dev0
Git info:
	Current commit 46a72dfeb623addd9348afa2f39a9843df92771b from branch master
	Checked out from remote origin: https://github.com/draperlaboratory/angr.git
######## ailment #########
Python found it in /home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/ailment/__init__.py
Pip version 9.2.130
Couldn't find git info
######## cle #########
Python found it in /home/cqh0620/Documents/tractorproject/cle/cle/__init__.py
Pip version 9.2.164.dev0
Git info:
	Current commit 6938a6a7b6d8d111b9b8c4406c08e1632624bc58 from branch bug_fix_ref_addr
	Checked out from remote origin: https://github.com/draperlaboratory/cle.git
######## pyvex #########
Python found it in /home/cqh0620/Documents/tractorproject/pyvex/pyvex/__init__.py
Pip version 9.2.164.dev0
Git info:
	Current commit 8de569cca80357e023769dda4cf3c2cac763dc42 from branch master
	Checked out from remote origin: https://github.com/angr/pyvex.git
######## claripy #########
Python found it in /home/cqh0620/Documents/tractorproject/claripy/claripy/__init__.py
Pip version 9.2.164.dev0
Git info:
	Current commit 3ddc0679aea6501cd957a86743cd3b717ce25972 from branch master
	Checked out from remote origin: https://github.com/angr/claripy.git
######## archinfo #########
Python found it in /home/cqh0620/Documents/tractorproject/archinfo/archinfo/__init__.py
Pip version 9.2.164.dev0
Git info:
	Current commit 15347083ee1bddf9deb2148515115ef9fa2b5588 from branch master
	Checked out from remote origin: https://github.com/angr/archinfo.git
######## z3 #########
Python found it in /home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/z3/__init__.py
Pip version 4.13.0.0
Couldn't find git info
######## unicorn #########
Python found it in /home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/unicorn/__init__.py
Pip version 2.0.1.post1
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/cqh0620/Documents/tractorproject/angr/angr/unicornlib.so', handle 56b374b238d0 at 0x7ec6d7518610>
unicorn: <CDLL '/home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2', handle 56b374418fc0 at 0x7ec6db0e2a70>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7ec6dbcc4370>
z3: <CDLL '/home/cqh0620/Documents/tractorproject/venv/lib/python3.10/site-packages/z3/lib/libz3.so', handle 56b3740af630 at 0x7ec6ddd02a70>

Additional context

No response
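Added example, not code from this issue, from cle or from pyelftools: a self-contained toy that emits a two-CU DWARF 4 (32-bit) .debug_info section, parses it back, and resolves DW_AT_abstract_origin both ways. Everything in it is constructed for illustration: the CU and DIE layout, the file and function names (src/util.rs, helper, main.rs, local), the resulting offsets, and the ABBREVS dict that stands in for an encoded .debug_abbrev section; resolve_origin, build_debug_info and demo are names chosen here. An inlined_subroutine in the second CU carries a DW_FORM_ref4 reference to a subprogram in its own CU and a DW_FORM_ref_addr reference to a subprogram in the first CU. resolve_origin(..., form_aware=False) reproduces the cu_offset + value arithmetic from the traceback above and fails on the cross-CU reference with the same kind of DWARFError, while the form-aware path locates the containing CU first:

```python
# Toy DWARF 4 (32-bit) .debug_info encoder/decoder; constructed example (layout, names, offsets invented), not cle/pyelftools code.
import struct
from types import SimpleNamespace

DW_TAG_compile_unit, DW_TAG_subprogram, DW_TAG_inlined_subroutine = 0x11, 0x2E, 0x1D
DW_AT_name, DW_AT_abstract_origin = 0x03, 0x31
DW_FORM_string, DW_FORM_ref_addr, DW_FORM_ref4 = 0x08, 0x10, 0x13
# Abbreviation table as a dict (stands in for .debug_abbrev): code -> (tag, [(attribute, form), ...])
ABBREVS = {
    1: (DW_TAG_compile_unit, [(DW_AT_name, DW_FORM_string)]),
    2: (DW_TAG_subprogram, [(DW_AT_name, DW_FORM_string)]),
    3: (DW_TAG_inlined_subroutine, [(DW_AT_abstract_origin, DW_FORM_ref4)]),
    4: (DW_TAG_inlined_subroutine, [(DW_AT_abstract_origin, DW_FORM_ref_addr)]),
}

class DWARFError(Exception): pass

def uleb(n):  # unsigned LEB128 encode
    out = b""
    while True:
        out, n = out + bytes([(n & 0x7F) | (0x80 if n > 0x7F else 0)]), n >> 7
        if not n:
            return out
def read_uleb(data, pos):  # unsigned LEB128 decode -> (value, new_pos)
    result, shift = 0, 0
    while data[pos] & 0x80:
        result |= (data[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (data[pos] << shift), pos + 1

def begin_cu(buf):  # header: unit_length (patched by end_cu), version 4, debug_abbrev_offset 0, address_size 8
    buf += struct.pack("<IHIB", 0, 4, 0, 8)
    return len(buf) - 11  # absolute offset of this CU's header
def add_die(buf, code, *values):  # returns the DIE's absolute .debug_info offset
    off = len(buf)
    buf += uleb(code) + b"".join(v.encode() + b"\0" if f == DW_FORM_string else struct.pack("<I", v)
                                 for (_, f), v in zip(ABBREVS[code][1], values))
    return off
def end_cu(buf, cu_off):  # null entry closes the compile unit's child list, then unit_length is patched
    buf += b"\0"
    struct.pack_into("<I", buf, cu_off, len(buf) - cu_off - 4)

def build_debug_info():  # CU 0 (util.rs) holds the abstract functions; CU 1 (main.rs) inlines one of each kind
    buf = bytearray()
    cu_a = begin_cu(buf)
    add_die(buf, 1, "src/util.rs")
    add_die(buf, 2, "checked_add")
    add_die(buf, 2, "wrap_mul")
    helper = add_die(buf, 2, "helper")
    end_cu(buf, cu_a)
    cu_b = begin_cu(buf)
    add_die(buf, 1, "main.rs")
    local = add_die(buf, 2, "local")
    same_cu = add_die(buf, 3, local - cu_b)  # DW_FORM_ref4: offset from this CU's own header
    cross_cu = add_die(buf, 4, helper)       # DW_FORM_ref_addr: absolute offset into .debug_info
    end_cu(buf, cu_b)
    return bytes(buf), {"same_cu": same_cu, "cross_cu": cross_cu}

def parse_info(info):  # per CU: offset, end, and a flat map absolute offset -> (tag, {attr: (form, value)})
    cus, pos = [], 0
    while pos < len(info):
        cu = SimpleNamespace(offset=pos, end=pos + 4 + struct.unpack_from("<I", info, pos)[0], dies={})
        pos += 11  # skip the 32-bit DWARF 4 CU header
        while pos < cu.end:
            die_off = pos
            code, pos = read_uleb(info, pos)
            if code == 0:  # end-of-children marker, not a DIE
                continue
            tag, specs = ABBREVS[code]
            attrs = {}
            for at, form in specs:
                if form == DW_FORM_string:  # NUL-terminated inline string
                    end = info.index(b"\0", pos)
                    attrs[at], pos = (form, info[pos:end].decode()), end + 1
                else:  # ref4 and ref_addr are both 4-byte offsets in 32-bit DWARF v3+
                    attrs[at], pos = (form, struct.unpack_from("<I", info, pos)[0]), pos + 4
            cu.dies[die_off] = (tag, attrs)
        cus.append(cu)
    return cus

def resolve_origin(cus, cu, die, form_aware=True):  # form_aware=False reproduces the pre-fix cle logic
    form, value = die[1][DW_AT_abstract_origin]
    if form_aware and form == DW_FORM_ref_addr:  # absolute .debug_info offset: may live in any CU
        cu, refaddr = next(c for c in cus if c.offset <= value < c.end), value
    else:  # ref1/2/4/8/udata: offset from the start of this CU's header
        refaddr = cu.offset + value
    if not cu.offset <= refaddr < cu.end:  # the same range check pyelftools' get_DIE_from_refaddr makes
        raise DWARFError(f"refaddr {refaddr} not in DIE range of CU {cu.offset}")
    return cu.dies[refaddr]

def demo():  # -> (same-CU origin, cross-CU origin, what the pre-fix logic does with the cross-CU reference)
    info, offs = build_debug_info()
    cus, die_name = parse_info(info), lambda die: die[1][DW_AT_name][1]
    same, cross = cus[1].dies[offs["same_cu"]], cus[1].dies[offs["cross_cu"]]
    try:
        pre_fix = die_name(resolve_origin(cus, cus[1], cross, form_aware=False))
    except DWARFError as e:
        pre_fix = str(e)
    return die_name(resolve_origin(cus, cus[1], same)), die_name(resolve_origin(cus, cus[1], cross)), pre_fix
```

demo() returns ("local", "helper", "refaddr 103 not in DIE range of CU 56"): the pre-fix path adds the referencing CU's offset (56) to a value that is already absolute (47), so the result lands past the end of the CU, which is the shape of the error in the traceback. The range assertion is not a reliable guard, though: had cu_offset + value happened to fall back inside the CU, pyelftools would have parsed whatever bytes sit at that offset as a DIE and returned it, so the form check is what actually distinguishes the two reference kinds. Neither path covers DW_FORM_ref_sig8, which names a type unit by signature rather than by offset.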