print bad chains for easier debugging

angrop/rop_chain.py

@@ -1,10 +1,14 @@
+import logging
+
 from . import rop_utils
 from .errors import RopException
 from .rop_gadget import RopGadget
 from .rop_value import RopValue
 
 CHAIN_TIMEOUT_DEFAULT = 3
 
+l = logging.getLogger("angrop.chain_builder.reg_setter")
+
 class RopChain:
     """
     This class holds rop chains returned by the rop chain building methods such as rop.set_regs()
@@ -287,8 +291,15 @@ def exec(self, max_steps=None, timeout=None):
                 sum(len(gadget.bbl_addrs) for gadget in self._gadgets),
                 2 * len(self._gadgets),
             )
-        return rop_utils.step_to_unconstrained_successor(self._p, state, max_steps=max_steps,
-                                                         allow_simprocedures=True)
+        try:
+            state = rop_utils.step_to_unconstrained_successor(self._p, state, max_steps=max_steps,
+                                                              allow_simprocedures=True)
+        except RopException as e:
+            code = self.payload_code(print_instructions=True)
+            l.error("The following chain fails to execute!")
+            l.error(code)
+            raise e
+        return state
 
     def copy(self):
         cp = RopChain(self._p, self._builder)

tests/test_find_gadgets.py

@@ -197,6 +197,12 @@ def local_multiprocess_analyze_gadget_list():
     assert gadgets[0].addr == 0x4006d8
     assert gadgets[1].addr == 0x400864
 
+def test_bad_gadgets():
+    proj = angr.Project(os.path.join(tests_dir, "armel", "libc-2.31.so"), auto_load_libs=False)
+    rop = proj.analyses.ROP(fast_mode=False, only_check_near_rets=False, is_thumb=True)
+    g = rop.analyze_gadget(0x44cc95)
+    assert g is None
+
 def run_all():
     functions = globals()
     all_functions = {x:y for x, y in functions.items() if x.startswith('test_')}