eurecom-s3/symqemu

nil pointer of _sym_expr

Closed · 1 comment

I'm currently reading the source code of symqemu to understand how it works by printing some information about the instrumented symbolic expressions.

// In accel/tcg/tcg-runtime-sym.c
// Here I try to print arg1_expr and arg2_expr
static void *sym_setcond_internal(CPUArchState *env,
                                  uint64_t arg1, void *arg1_expr,
                                  uint64_t arg2, void *arg2_expr,
                                  int32_t cond, uint64_t result,
                                  uint8_t result_bits)
{
    printf("[debug] In Runtime: pc:0x%lx,expr1:%p,expr2:%p\n",get_pc(env),arg1_expr,arg2_expr);
    BINARY_HELPER_ENSURE_EXPRESSIONS;
    printf("[debug] calling sym_setcond_internal...success!\n");
    printf("[debug] After ensure_expr: expr1:%p,expr2:%p\n",arg1_expr,arg2_expr);
    printf("arg1 expr:%s\n",_sym_expr_to_string(arg1_expr));
    printf("arg2 expr:%s\n",_sym_expr_to_string(arg2_expr));
...

However, when I run the modified symqemu on an arbitrary binary, I noticed that there are lots of nil pointers (screenshot of the debug output not reproduced here):

I wonder why that would happen. What does it mean when a sym_expr is nil? Does it mean that symqemu fails to build symbolic expressions for some variables in the TCG IR?

Hi,
Well, a late answer, but this may be useful to someone else.
When an expression is null, it means that the value is concrete: there is no symbolic state attached to that value.
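The following is an added illustration of the convention described in the answer, written for this page and not taken from symqemu. It models a runtime helper in the shape of `sym_setcond_internal`: each operand arrives as a concrete value plus an expression pointer, and a NULL pointer means "this operand is concrete, nothing symbolic to track". When both operands are concrete the helper returns NULL (the result is concrete too), and when only one is concrete it wraps that side in a constant expression before building the comparison. The mixed-case handling is what I assume `BINARY_HELPER_ENSURE_EXPRESSIONS` does in the snippet above; `Expr`, `sym_build_integer`, `sym_build_input`, `sym_setcond_model` and `sym_expr_to_string` are hypothetical stand-ins for the real runtime.

```c
/* Added illustration, not symqemu's own code: a minimal model of the
 * runtime convention that a NULL expression pointer means "this value is
 * concrete". All names below are hypothetical stand-ins for the real
 * helpers in accel/tcg/tcg-runtime-sym.c. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy expression tree: a constant, a named symbolic input, or a binary node. */
typedef struct Expr {
    enum { EXPR_CONST, EXPR_INPUT, EXPR_BINOP } kind;
    uint64_t value;         /* EXPR_CONST */
    uint8_t bits;           /* EXPR_CONST width in bits */
    const char *name;       /* EXPR_INPUT: input name; EXPR_BINOP: operator */
    struct Expr *lhs, *rhs; /* EXPR_BINOP */
} Expr;

static Expr *expr_alloc(void)
{
    Expr *e = calloc(1, sizeof *e);
    if (!e) abort();
    return e;
}

/* Wrap a concrete value as a constant expression. */
Expr *sym_build_integer(uint64_t value, uint8_t bits)
{
    Expr *e = expr_alloc();
    e->kind = EXPR_CONST; e->value = value; e->bits = bits;
    return e;
}

/* A symbolic input, e.g. a byte read from the program's input file. */
Expr *sym_build_input(const char *name)
{
    Expr *e = expr_alloc();
    e->kind = EXPR_INPUT; e->name = name;
    return e;
}

static Expr *sym_build_binop(const char *op, Expr *lhs, Expr *rhs)
{
    Expr *e = expr_alloc();
    e->kind = EXPR_BINOP; e->name = op; e->lhs = lhs; e->rhs = rhs;
    return e;
}

/* Model of a setcond helper: arg1/arg2 are the concrete values TCG computed,
 * arg1_expr/arg2_expr are their expressions, or NULL when the value is
 * concrete. Returns NULL when the result is itself concrete. */
Expr *sym_setcond_model(uint64_t arg1, Expr *arg1_expr,
                        uint64_t arg2, Expr *arg2_expr,
                        const char *cond, uint8_t bits)
{
    /* Both operands concrete: no expression is built. This is the case that
     * produces most of the NULLs seen when printing every helper call. */
    if (arg1_expr == NULL && arg2_expr == NULL)
        return NULL;

    /* Mixed case: materialise the concrete side as a constant so the result
     * is a well-formed expression over the symbolic one. */
    if (arg1_expr == NULL)
        arg1_expr = sym_build_integer(arg1, bits);
    if (arg2_expr == NULL)
        arg2_expr = sym_build_integer(arg2, bits);

    return sym_build_binop(cond, arg1_expr, arg2_expr);
}

/* Render an expression in prefix form. A NULL (concrete) expression renders
 * as "<concrete>" instead of being dereferenced. Caller frees the result. */
char *sym_expr_to_string(const Expr *e)
{
    char *s;
    if (e == NULL) {
        s = malloc(11); if (!s) abort();
        strcpy(s, "<concrete>");
        return s;
    }
    switch (e->kind) {
    case EXPR_CONST:
        s = malloc(32); if (!s) abort();
        snprintf(s, 32, "%llu", (unsigned long long)e->value);
        return s;
    case EXPR_INPUT:
        s = malloc(strlen(e->name) + 1); if (!s) abort();
        strcpy(s, e->name);
        return s;
    case EXPR_BINOP: {
        char *l = sym_expr_to_string(e->lhs);
        char *r = sym_expr_to_string(e->rhs);
        size_t n = strlen(e->name) + strlen(l) + strlen(r) + 5; /* "(", 2 spaces, ")", NUL */
        s = malloc(n); if (!s) abort();
        snprintf(s, n, "(%s %s %s)", e->name, l, r);
        free(l); free(r);
        return s;
    }
    }
    return NULL;
}

/* Worked case: a symbolic input byte x compared with the constant 2. */
char *mixed_example(void)
{
    Expr *x = sym_build_input("x");
    Expr *r = sym_setcond_model(7, x, 2, NULL, "eq", 8);
    return sym_expr_to_string(r);   /* "(eq x 2)" */
}

int main(void)
{
    char *s = mixed_example();
    printf("symbolic operand: %s\n", s);
    free(s);
    s = sym_expr_to_string(sym_setcond_model(1, NULL, 2, NULL, "eq", 8));
    printf("both concrete:    %s\n", s);   /* "<concrete>" */
    free(s);
    return 0;
}
```

The practical consequence for the debugging approach in the issue: a NULL before the ensure step is normal and expected for every instruction that operates only on concrete data, so a helper that stringifies its arguments has to guard against NULL (as `sym_expr_to_string` above does) or only print after the ensure step has run.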