by chc4 460 days ago
Thinking about it more, a lot of bugs come around downstream of your initial function inputs, and you'd still be able to catch things like "heap allocation and then out of bounds read from that allocation with an offset derived from input" just fine, since your least-constrained model only infers for the inputs. That probably covers a lot of the normal use-cases for Angr, plus automatically harnessing inputs to reach that, which sounds pretty useful.

Yes, that's a good way to think of it---we need to come up with a valid / reasonable context in which to explore the function at all, which will subsequently let us look for other bugs (like the divide by zero in the blog post).