angr 9.2.112__py3-none-macosx_11_0_arm64.whl → 9.2.114__py3-none-macosx_11_0_arm64.whl

angr/analyses/reaching_definitions/reaching_definitions.py

@@ -76,6 +76,7 @@ class ReachingDefinitionsAnalysis(
         track_liveness: bool = True,
         func_addr: int | None = None,
         element_limit: int = 5,
+        merge_into_tops: bool = True,
     ):
         """
         :param subject:                         The subject of the analysis: a function, or a single basic block
@@ -110,6 +111,10 @@ class ReachingDefinitionsAnalysis(
         :param track_liveness:                  Whether to track liveness information. This can consume
                                                 sizeable amounts of RAM on large functions. (e.g. ~15GB for a function
                                                 with 4k nodes)
+        :param merge_into_tops:                 Merge known values into TOP if TOP is present.
+                                                If True: {TOP} V {0xabc} = {TOP}
+                                                If False: {TOP} V {0xabc} = {TOP, 0xabc}
+
 
         """
 
@@ -134,6 +139,7 @@ class ReachingDefinitionsAnalysis(
         self._use_callee_saved_regs_at_return = use_callee_saved_regs_at_return
         self._func_addr = func_addr
         self._element_limit = element_limit
+        self._merge_into_tops = merge_into_tops
 
         if dep_graph is None or dep_graph is False:
             self._dep_graph = None
@@ -473,6 +479,7 @@ class ReachingDefinitionsAnalysis(
                 canonical_size=self._canonical_size,
                 initializer=self._state_initializer,
                 element_limit=self._element_limit,
+                merge_into_tops=self._merge_into_tops,
             )
 
     # pylint: disable=no-self-use,arguments-differ

angr/angrdb/serializers/loader.py

@@ -1,4 +1,9 @@
+from __future__ import annotations
+from typing import Any
 from io import BytesIO
+import json
+import binascii
+import logging
 
 import cle
 
@@ -6,15 +11,85 @@ from ...errors import AngrCorruptDBError, AngrDBError
 from ..models import DbObject
 
 
+_l = logging.getLogger(__name__)
+
+
+class LoadArgsJSONEncoder(json.JSONEncoder):
+    """
+    A JSON encoder that supports serializing bytes.
+    """
+
+    def default(self, o):
+        if isinstance(o, bytes):
+            return {
+                "__custom_type__": "bytes",
+                "__v__": binascii.hexlify(o).decode("ascii"),
+            }
+        return super().default(o)
+
+
+class LoadArgsJSONDecoder(json.JSONDecoder):
+    """
+    A JSON decoder that supports unserializing into bytes.
+    """
+
+    def __init__(self):
+        super().__init__(object_hook=self._objhook)
+
+    def _objhook(self, d: dict):  # pylint:disable=no-self-use
+        if "__custom_type__" in d:
+            match d["__custom_type__"]:
+                case "bytes":
+                    if "__v__" in d:
+                        return binascii.unhexlify(d["__v__"])
+        return d
+
+
 class LoaderSerializer:
     """
     Serialize/unserialize a CLE Loader object into/from an angr DB.
+
+    Corner cases:
+    - For certain backends (e.g., CART), we do not store the data of the main object. angr will unpack the CART file
+      again after loading the database.
     """
 
+    NO_MAINBIN_BACKENDS = [cle.backends.CARTFile]
+    LOAD_ARG_BLACKLIST = {"loader", "is_main_bin"}
+
     backend2name = {v: k for k, v in cle.ALL_BACKENDS.items()}
 
+    @staticmethod
+    def json_serialize_load_args(load_args: dict[str, Any]) -> str:
+        serializable_keys = []
+        encoder = LoadArgsJSONEncoder()
+        for key, argv in load_args.items():
+            if key in LoaderSerializer.LOAD_ARG_BLACKLIST:
+                continue
+            try:
+                encoder.encode(argv)
+            except TypeError:
+                _l.warning("Cannot serialize %s: %s", key, argv)
+            else:
+                serializable_keys.append(key)
+
+        return encoder.encode({k: load_args[k] for k in serializable_keys})
+
+    @staticmethod
+    def should_skip_main_binary(loader) -> tuple[bool, cle.backends.Backend | None]:
+        for obj in loader.all_objects:
+            for cls in LoaderSerializer.NO_MAINBIN_BACKENDS:
+                if isinstance(obj, cls):
+                    return True, obj
+        return False, None
+
     @staticmethod
     def dump(session, loader):
+        main_object_in_db = loader.main_object
+        skip_mainbin, new_main_obj = LoaderSerializer.should_skip_main_binary(loader)
+        if skip_mainbin and new_main_obj is not None:
+            main_object_in_db = new_main_obj
+
         for obj in loader.all_objects:
             if isinstance(
                 obj,
@@ -27,6 +102,10 @@ class LoaderSerializer:
                 # skip dynamically created objects
                 continue
 
+            # should we skip the main object?
+            if skip_mainbin and loader.main_object is obj:
+                continue
+
             # does the object exist?
             exists = session.query(DbObject.id).filter_by(path=obj.binary).scalar() is not None
             if exists:
@@ -44,11 +123,11 @@ class LoaderSerializer:
 
             # save the object
             o = DbObject(
-                main_object=loader.main_object is obj,
+                main_object=main_object_in_db is obj,
                 path=obj.binary,
                 content=content,
                 backend=LoaderSerializer.backend2name.get(obj.__class__),
-                backend_args="",  # TODO: We will need support from CLE to store loader arguments
+                backend_args=LoaderSerializer.json_serialize_load_args(obj.load_args),
             )
             session.add(o)
 
@@ -58,11 +137,15 @@ class LoaderSerializer:
         main_object = None
 
         db_objects: list[DbObject] = session.query(DbObject)
+        load_args = {}
+
+        decoder = LoadArgsJSONDecoder()
 
         for db_o in db_objects:
             all_objects[db_o.path] = db_o
             if db_o.main_object:
                 main_object = db_o
+            load_args[db_o] = decoder.decode(db_o.backend_args) if db_o.backend_args else {}
 
         if main_object is None:
             raise AngrCorruptDBError("Corrupt database: No main object.")
@@ -70,12 +153,13 @@ class LoaderSerializer:
         # build params
         # FIXME: Load other objects
 
-        loader = cle.Loader(
-            BytesIO(main_object.content),
-        )
+        loader = cle.Loader(BytesIO(main_object.content), main_opts=load_args[main_object])
+
+        skip_mainbin, _ = LoaderSerializer.should_skip_main_binary(loader)
 
-        # fix the binary name of the main binary
         loader._main_binary_path = main_object.path
-        loader.main_object.binary = main_object.path
+        if not skip_mainbin:
+            # fix the binary name of the main binary
+            loader.main_object.binary = main_object.path
 
         return loader

angr/calling_conventions.py

@@ -1,6 +1,6 @@
 # pylint:disable=line-too-long,missing-class-docstring,no-self-use
 import logging
-from typing import Optional, Union
+from typing import Optional, Union, cast
 from collections import defaultdict
 
 import claripy
@@ -768,16 +768,16 @@ class SimCC:
         result = prototype if prototype is not None else SimTypeFunction([], charp)
         for arg in args[len(result.args) :]:
             if type(arg) in (int, bytes, PointerWrapper):
-                result.args.append(charp)
+                result.args += (charp,)
             elif type(arg) is float:
-                result.args.append(SimTypeDouble())
+                result.args += (SimTypeDouble(),)
             elif isinstance(arg, claripy.ast.BV):
-                result.args.append(SimTypeNum(len(arg), False))
+                result.args += (SimTypeNum(len(arg), False),)
             elif isinstance(arg, claripy.ast.FP):
                 if arg.sort == claripy.FSORT_FLOAT:
-                    result.args.append(SimTypeFloat())
+                    result.args += (SimTypeFloat(),)
                 elif arg.sort == claripy.FSORT_DOUBLE:
-                    result.args.append(SimTypeDouble())
+                    result.args += (SimTypeDouble(),)
                 else:
                     raise TypeError("WHAT kind of floating point is this")
             else:
@@ -797,6 +797,8 @@ class SimCC:
 
     def set_return_val(self, state, val, ty, stack_base=None, perspective_returned=False):
         loc = self.return_val(ty, perspective_returned=perspective_returned)
+        if loc is None:
+            raise ValueError("Cannot set return value - there is no return value location")
         loc.set_value(state, val, stack_base=stack_base)
 
     def setup_callsite(self, state, ret_addr, args, prototype, stack_base=None, alloc_base=None, grow_like_stack=True):
@@ -919,7 +921,7 @@ class SimCC:
         TODO: support the stack_base parameter from setup_callsite...? Does that make sense in this context?
         Maybe it could make sense by saying that you pass it in as something like the "saved base pointer" value?
         """
-        if return_val is not None and not isinstance(prototype.returnty, SimTypeBottom):
+        if return_val is not None and prototype is not None and not isinstance(prototype.returnty, SimTypeBottom):
             self.set_return_val(state, return_val, prototype.returnty)
             # ummmmmmmm hack
             loc = self.return_val(prototype.returnty)
@@ -928,11 +930,11 @@ class SimCC:
 
         ret_addr = self.return_addr.get_value(state)
 
-        if state.arch.sp_offset is not None:
+        if state.arch.sp_offset is not None and prototype is not None:
             if force_callee_cleanup or self.CALLEE_CLEANUP:
                 session = self.arg_session(prototype.returnty)
                 if self.return_in_implicit_outparam(prototype.returnty):
-                    extra = [self.return_val(prototype.returnty).ptr_loc]
+                    extra = [cast(SimReferenceArgument, self.return_val(prototype.returnty)).ptr_loc]
                 else:
                     extra = []
                 state.regs.sp += self.stack_space(extra + [self.next_arg(session, x) for x in prototype.args])
@@ -2245,7 +2247,7 @@ ARCH_NAME_ALIASES = {
     "ARMEL": [],
     "ARMHF": [],
     "ARMCortexM": [],
-    "AARCH64": ["arm64"],
+    "AARCH64": ["arm64", "aarch64"],
     "MIPS32": [],
     "MIPS64": [],
     "PPC32": ["powerpc32"],
@@ -2313,10 +2315,16 @@ def unify_arch_name(arch: str) -> str:
         # Sleigh architecture names
         chunks = arch.lower().split(":")
         if len(chunks) >= 3:
-            arch_base, endianness, bits = chunks[:3]  # pylint:disable=unused-variable
-            arch = f"{arch_base}{bits}"
+            arch_base, _, bits = chunks[:3]
+
+            if arch_base in ALIAS_TO_ARCH_NAME:
+                return ALIAS_TO_ARCH_NAME[arch_base]
+
+            base_with_bits = f"{arch_base}{bits}"
+            if base_with_bits in ALIAS_TO_ARCH_NAME:
+                return ALIAS_TO_ARCH_NAME[base_with_bits]
 
-    return ALIAS_TO_ARCH_NAME.get(arch, arch)
+    return arch
 
 
 SYSCALL_CC: dict[str, dict[str, type[SimCCSyscall]]] = {

angr/knowledge_plugins/key_definitions/live_definitions.py

@@ -128,6 +128,7 @@ class LiveDefinitions:
         tmp_uses=None,
         other_uses=None,
         element_limit=5,
+        merge_into_tops: bool = True,
     ):
         self.project: Optional["Project"] = None
         self.arch = arch
@@ -143,6 +144,7 @@ class LiveDefinitions:
                 page_kwargs={"mo_cmp": self._mo_cmp},
                 endness=self.arch.register_endness,
                 element_limit=element_limit,
+                merge_into_top=merge_into_tops,
             )
             if registers is None
             else registers
@@ -155,6 +157,7 @@ class LiveDefinitions:
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
                 element_limit=element_limit,
+                merge_into_top=merge_into_tops,
             )
             if stack is None
             else stack
@@ -167,6 +170,7 @@ class LiveDefinitions:
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
                 element_limit=element_limit,
+                merge_into_top=merge_into_tops,
             )
             if memory is None
             else memory
@@ -179,6 +183,7 @@ class LiveDefinitions:
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
                 element_limit=element_limit,
+                merge_into_top=merge_into_tops,
             )
             if heap is None
             else heap

angr/knowledge_plugins/propagations/states.py

@@ -519,8 +519,9 @@ class PropagatorVEXState(PropagatorState):
 
     def load_register(self, offset, size):
         # TODO: Fix me
-        if size != self.gpr_size:
-            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
+        # load register even if size != self.gpr_size
+        # if size != self.gpr_size:
+        #     return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
         try:
             v = self._registers.load(offset, size=size)

angr/procedures/stubs/ReturnUnconstrained.py

@@ -11,8 +11,7 @@ class ReturnUnconstrained(angr.SimProcedure):
         if return_val is None:
             # code duplicated to syscall_stub
             size = self.prototype.returnty.size
-            # ummmmm do we really want to rely on this behavior?
-            if size is NotImplemented:
+            if size is None:
                 o = None
             else:
                 o = self.state.solver.Unconstrained(

angr/procedures/stubs/syscall_stub.py

@@ -11,8 +11,7 @@ class syscall(angr.SimProcedure):
 
         # code duplicated from ReturnUnconstrained
         size = self.prototype.returnty.size
-        # ummmmm do we really want to rely on this behavior?
-        if size is NotImplemented:
+        if size is None:
             return None
         else:
             return self.state.solver.Unconstrained(