angr 9.2.114__py3-none-macosx_11_0_arm64.whl → 9.2.115__py3-none-macosx_11_0_arm64.whl

angr/analyses/reaching_definitions/function_handler.py

@@ -254,15 +254,25 @@ class FunctionCallDataUnwrapped(FunctionCallData):
         return inner
 
 
+def _mk_wrapper(func, iself):
+    return lambda *args, **kwargs: func(iself, *args, **kwargs)
+
+
 # pylint: disable=unused-argument, no-self-use
 class FunctionHandler:
     """
     A mechanism for summarizing a function call's effect on a program for ReachingDefinitionsAnalysis.
     """
 
-    def __init__(self, interfunction_level: int = 0):
+    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable["FunctionHandler"] | None = None):
         self.interfunction_level: int = interfunction_level
 
+        if extra_impls is not None:
+            for extra_handler in extra_impls:
+                for name, func in vars(extra_handler).items():
+                    if name.startswith("handle_impl_"):
+                        setattr(self, name, _mk_wrapper(func, self))
+
     def hook(self, analysis: "ReachingDefinitionsAnalysis") -> "FunctionHandler":
         """
         Attach this instance of the function handler to an instance of RDA.

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -0,0 +1,260 @@
+import re
+import random
+import logging
+from collections.abc import Iterable
+
+import archinfo
+import claripy
+
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+from angr.knowledge_plugins.key_definitions.atoms import Atom
+from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+from angr.sim_type import SimType, SimTypeBottom, SimTypeChar, SimTypeFunction, SimTypeInt, SimTypePointer
+from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+_l = logging.getLogger(__name__)
+
+
+class StdoutAtom(Atom):
+    def __init__(self, sink: str):
+        self.nonce = random.randint(0, 999999999999)
+        self.sink = sink
+        super().__init__(1)
+
+    def _identity(self):
+        return (self.nonce,)
+
+    def __repr__(self):
+        return f"<StdoutAtom {self.sink}>"
+
+
+class StdinAtom(Atom):
+    def __init__(self, source: str):
+        self.nonce = random.randint(0, 999999999999)
+        self.source = source
+        super().__init__(1)
+
+    def _identity(self):
+        return (self.nonce,)
+
+    def __repr__(self):
+        return f"<StdinAtom {self.source}>"
+
+
+def parse_format_string(format_string: str) -> tuple[list[str | int], list[SimType], list[str]]:
+    result_pieces: list[str | int] = []
+    result_types: list[SimType] = []
+    result_specs: list[str] = []
+
+    last_piece = 0
+    idx = 0
+    for argspec in re.finditer(r"\%([0 #+-]?[0-9*]*\.?\d*([hl]{0,2}|[jztL])?[diuoxXeEfgGaAcpsSn%])", format_string):
+        start, end = argspec.span()
+        if format_string[end - 1] == "%":
+            continue
+        if start != last_piece:
+            result_pieces.append(format_string[last_piece:start])
+        result_pieces.append(idx)
+        idx += 1
+        fmt = format_string[start:end]
+        if fmt == "%s":
+            arg = SimTypePointer(SimTypeChar())
+        elif fmt == "%d":
+            arg = SimTypeInt(signed=True)
+        elif fmt == "%u":
+            arg = SimTypeInt(signed=False)
+        elif fmt == "%c":
+            arg = SimTypeChar(signed=True)
+        else:
+            arg = SimTypeBottom()
+        result_types.append(arg)
+        result_specs.append(fmt)
+        last_piece = end
+    if last_piece != len(format_string):
+        result_pieces.append(format_string[last_piece:])
+
+    return result_pieces, result_types, result_specs
+
+
+class LibcStdioHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_printf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 0)
+        dst_atoms = StdoutAtom("printf")
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_dprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 1)
+        dst_atoms = StdoutAtom("dprintf")
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_fprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 1)
+        dst_atoms = StdoutAtom("fprintf")
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_sprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 1)
+        dst_atoms = state.deref(data.args_atoms[0], size=len(result) // 8 if result is not None else 1)
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_snprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 2)
+        size = state.get_concrete_value(data.args_atoms[1]) or 2
+        dst_atoms = state.deref(data.args_atoms[0], size=size)
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl___sprintf_chk(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 3)
+        dst_atoms = state.deref(data.args_atoms[0], size=len(result) // 8 if result is not None else 1)
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl___snprintf_chk(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        result, source_atoms = handle_printf(state, data, 4)
+        size = state.get_concrete_value(data.args_atoms[1]) or 2
+        dst_atoms = state.deref(data.args_atoms[0], size=size)
+        data.depends(dst_atoms, source_atoms, value=result)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_scanf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        handle_scanf(state, data, 0, {StdinAtom("scanf")})
+
+    handle_impl___isoc99_scanf = handle_impl_scanf
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_sscanf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        handle_scanf(state, data, 1, state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE))
+
+    handle_impl___isoc99_sscanf = handle_impl_sscanf
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_fgets(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[1]) or 2
+        dst_atom = state.deref(data.args_atoms[0], size)
+        input_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
+        data.depends(dst_atom, StdinAtom("fgets"), value=input_value)
+        data.depends(data.ret_atoms, data.args_atoms[0])
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_fgetc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        data.depends(data.ret_atoms, StdinAtom(data.function.name))
+
+    handle_impl_getchar = handle_impl_getc = handle_impl_fgetc
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_fread(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[1]) or 1
+        nmemb = state.get_concrete_value(data.args_atoms[1]) or 2
+        dst_atom = state.deref(data.args_atoms[0], size * nmemb)
+        data.depends(dst_atom, StdinAtom("fread"))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_fwrite(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[1]) or 1
+        nmemb = state.get_concrete_value(data.args_atoms[1]) or 2
+        src_atom = state.deref(data.args_atoms[0], size * nmemb)
+        data.depends(StdoutAtom("fwrite"), src_atom, value=state.get_values(src_atom))
+
+
+def handle_printf(
+    state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped, fmt_idx: int
+) -> tuple[MultiValues | None, Iterable[Atom]]:
+    format_str = state.get_concrete_value(
+        state.deref(data.args_atoms[fmt_idx], DerefSize.NULL_TERMINATE), cast_to=bytes
+    )
+    if format_str is None:
+        _l.info("Hmmm.... non-constant format string")
+        return None, set()
+
+    format_str = format_str.strip(b"\0").decode()
+    arg_pieces, arg_types, formats = parse_format_string(format_str)
+    data.reset_prototype(SimTypeFunction(data.prototype.args + tuple(arg_types), data.prototype.returnty), state)
+
+    result = MultiValues(claripy.BVV(b""))
+    source_atoms: set[Atom] = set()
+    for piece in arg_pieces:
+        if isinstance(piece, str):
+            if result is not None:
+                result = result.concat(piece.encode())
+            continue
+        atom = data.args_atoms[fmt_idx + 1 + piece]
+        fmt = formats[piece]
+
+        if fmt == "%s":
+            buf_atoms = state.deref(atom, DerefSize.NULL_TERMINATE)
+            buf_data = state.get_values(buf_atoms)
+            if buf_data is not None:
+                buf_data = buf_data.extract(0, len(buf_data) // 8 - 1, archinfo.Endness.BE)
+        elif fmt == "%u":
+            buf_atoms = atom
+            buf_data = state.get_concrete_value(buf_atoms)
+            if buf_data is not None:
+                buf_data = str(buf_data).encode()
+        elif fmt == "%d":
+            buf_atoms = atom
+            buf_data = state.get_concrete_value(buf_atoms)
+            if buf_data is not None:
+                if buf_data >= 2**31:
+                    buf_data -= 2**32
+                buf_data = str(buf_data).encode()
+        elif fmt == "%c":
+            buf_atoms = atom
+            buf_data = state.get_concrete_value(atom)
+            if buf_data is not None:
+                buf_data = chr(buf_data).encode()
+        else:
+            _l.warning("Unimplemented printf format string %s", fmt)
+            buf_atoms = set()
+            buf_data = None
+        if result is not None:
+            if buf_data is not None:
+                result = result.concat(buf_data)
+        source_atoms.update(buf_atoms)
+    if result is not None:
+        result = result.concat(b"\0")
+
+    return result, source_atoms
+
+
+def handle_scanf(
+    state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped, fmt_idx: int, source_atoms: Iterable[Atom]
+):
+    format_str = state.get_concrete_value(
+        state.deref(data.args_atoms[fmt_idx], DerefSize.NULL_TERMINATE), cast_to=bytes
+    )
+    if format_str is None:
+        _l.info("Hmmm.... non-constant format string")
+        return
+    format_str = format_str.strip(b"\0").decode()
+    arg_pieces, arg_types, formats = parse_format_string(format_str)
+    data.reset_prototype(SimTypeFunction(data.prototype.args + tuple(arg_types), data.prototype.returnty), state)
+
+    for piece in arg_pieces:
+        if isinstance(piece, str):
+            continue
+        atom = data.args_atoms[fmt_idx + 1 + piece]
+        fmt = formats[piece]
+        buf_data = None
+
+        if fmt == "%s":
+            buf_atom = state.deref(atom, 1)
+            buf_data = b"\0"
+        elif fmt == "%u":
+            buf_atom = state.deref(atom, 4, state.arch.memory_endness)
+        elif fmt == "%d":
+            buf_atom = state.deref(atom, 4, state.arch.memory_endness)
+        elif fmt == "%c":
+            buf_atom = state.deref(atom, 1, state.arch.memory_endness)
+        else:
+            _l.warning("Unimplemented scanf format string %s", fmt)
+            continue
+        data.depends(buf_atom, source_atoms, value=buf_data)

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -0,0 +1,151 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING
+import random
+
+import claripy
+
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.knowledge_plugins.key_definitions.atoms import Atom
+from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+
+
+if TYPE_CHECKING:
+    from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+
+class EnvironAtom(Atom):
+    def __init__(self, name: str | None):
+        self.name = name
+        super().__init__(1)
+
+    def _identity(self):
+        if self.name is not None:
+            return (self.name,)
+        else:
+            return ()
+
+    def __repr__(self):
+        return f'<EnvironAtom {self.name if self.name is not None else "(dynamic)"}>'
+
+
+class SystemAtom(Atom):
+    def __init__(self):
+        self.nonce = random.randint(0, 999999999999)
+        super().__init__(1)
+
+    def _identity(self):
+        return (self.nonce,)
+
+    def __repr__(self):
+        return "<SystemAtom>"
+
+
+class ExecveAtom(Atom):
+    def __init__(self, nonce: int, idx: int, size: int):
+        self.nonce = nonce
+        self.idx = idx
+        super().__init__(size)
+
+    def _identity(self):
+        return (self.nonce,)
+
+    def __repr__(self):
+        return f"<ExecveAtom {self.idx}>"
+
+
+class LibcStdlibHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_atoi(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        buf_atoms = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        buf_value = state.get_concrete_value(buf_atoms, cast_to=bytes)
+        if buf_value is not None:
+            buf_value = int(buf_value.decode().strip("\0"))
+        data.depends(data.ret_atoms, buf_atoms, value=buf_value)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_malloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        malloc_size = state.get_concrete_value(data.args_atoms[0]) or 48
+        heap_ptr = state.heap_allocator.allocate(malloc_size)
+        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_calloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        nmemb = state.get_concrete_value(data.args_atoms[0]) or 48
+        size = state.get_concrete_value(data.args_atoms[0]) or 1
+        heap_ptr = state.heap_address(state.heap_allocator.allocate(nmemb * size))
+        data.depends(state.deref(heap_ptr, nmemb * size), value=0)
+        data.depends(data.ret_atoms, value=heap_ptr)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_getenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        name_value = state.get_concrete_value(name_atom, cast_to=bytes)
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+        data.depends(None, name_atom)
+
+        # store a buffer, registering it as an output of this function
+        # we store this two-byte mixed value because we don't want the value to be picked up by get_concrete_value()
+        # but also it should be able to be picked up by NULL_TERMINATE reads
+        heap_ptr = state.heap_allocator.allocate(2)
+        heap_atom = state.deref(heap_ptr, 2)
+        heap_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
+        data.depends(heap_atom, EnvironAtom(name_value), value=heap_value)
+        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_setenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        name_value = state.get_concrete_value(name_atom, cast_to=bytes)
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+        data.depends(None, name_atom)
+
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_value = state.get_values(src_atom)
+        data.depends(EnvironAtom(name_value), src_atom, value=src_value)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_system(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        buf_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        data.depends(SystemAtom(), buf_atom)
+
+    handle_impl_popen = handle_impl_execl = handle_impl_system
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_execve(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        argv_value = state.get_one_value(data.args_atoms[1])
+        if argv_value is None:
+            return
+
+        nonce = random.randint(1, 999999999)
+
+        # Iterate through each pointer in the array to collect argument strings
+        idx = 0
+        while True:
+            # Read the concrete string pointer value
+            argv_deref_atom = state.deref(argv_value, state.arch.bytes, state.arch.memory_endness)
+            if argv_deref_atom is None:
+                # unknown if array continues
+                break
+
+            argv_deref_concrete = state.get_concrete_value(argv_deref_atom)
+            if argv_deref_concrete is None:
+                # unknown if array continues
+                break
+
+            if argv_deref_concrete == 0:
+                # End of array
+                break
+
+            string_atom = state.deref(argv_deref_concrete, DerefSize.NULL_TERMINATE)
+            string_val = None if string_atom is None else state.get_values(string_atom)
+
+            atom = ExecveAtom(nonce, idx, len(string_val) // 8 if string_val is not None else 1)
+            data.depends(atom, [] if string_atom is None else [string_atom], value=string_val)
+
+            # Increment by size of pointer for this arch
+            argv_value += state.arch.bytes
+            idx += 1

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -0,0 +1,93 @@
+import archinfo
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+
+class LibcUnistdHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strcat(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src0_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        src1_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src0_value = state.get_values(src0_atom)
+        src1_value = state.get_values(src1_atom)
+        if src0_value is not None and src1_value is not None:
+            src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
+            dest_value = src0_value.concat(src1_value)
+            dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
+        else:
+            dest_value = None
+            dest_atom = src0_atom
+        data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=src0_value)
+
+    handle_impl_strncat = handle_impl_strcat
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strlen(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+        else:
+            data.depends(data.ret_atoms, src_atom)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+            data.depends(dst_atom, src_atom, value=src_str)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strncpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        n = state.get_concrete_value(data.args_atoms[1])
+        src_atom = state.deref(data.args_atoms[2], DerefSize.NULL_TERMINATE if n is None else n)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+            data.depends(dst_atom, src_atom, value=src_str)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strdup(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            malloc_size = len(src_str) // 8
+        else:
+            malloc_size = 1
+        heap_ptr = state.heap_allocator.allocate(malloc_size)
+        dst_atom = state.deref(heap_ptr, malloc_size)
+        data.depends(dst_atom, src_atom, value=src_str)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_memcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2])
+        if size is not None:
+            src_atom = state.deref(data.args_atoms[1], size)
+            dst_atom = state.deref(data.args_atoms[0], size)
+            data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_memset(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2])
+        if size is not None:
+            dst_atom = state.deref(data.args_atoms[0], size)
+            data.depends(dst_atom, data.args_atoms[1])
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strtok(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        # stub: just return the haystack pointer
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    handle_impl_strtok_r = handle_impl_strstr = handle_impl_strcasestr = handle_impl_strchr = handle_imple_strrchr = (
+        handle_impl_strchrnul
+    ) = handle_impl_strtok

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -0,0 +1,23 @@
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.analyses.reaching_definitions.function_handler_library.stdio import StdinAtom, StdoutAtom
+from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+
+class LibcUnistdHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_read(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2]) or 1
+        dst_atom = state.deref(data.args_atoms[1], size)
+        data.depends(dst_atom, StdinAtom(data.function.name))
+
+    handle_impl_recv = handle_impl_recvfrom = handle_impl_read
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_write(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2]) or 1
+        src_atom = state.deref(data.args_atoms[1], size)
+        data.depends(StdoutAtom(data.function.name), src_atom, value=state.get_values(src_atom))
+
+    handle_impl_send = handle_impl_write

angr/analyses/reaching_definitions/rd_state.py

@@ -504,7 +504,9 @@ class ReachingDefinitionsState:
     def get_values(self, spec: Atom | Definition | Iterable[Atom]) -> MultiValues | None:
         return self.live_definitions.get_values(spec)
 
-    def get_one_value(self, spec: Atom | Definition, strip_annotations: bool = False) -> claripy.ast.bv.BV | None:
+    def get_one_value(
+        self, spec: Atom | Definition | Iterable[Atom] | Iterable[Definition], strip_annotations: bool = False
+    ) -> claripy.ast.bv.BV | None:
         return self.live_definitions.get_one_value(spec, strip_annotations=strip_annotations)
 
     @overload

angr/analyses/vfg.py

@@ -1572,11 +1572,11 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                     # FIXME: Now we are assuming the sp is restored to its original value
                     reg_sp_expr = successor_state.regs.sp
 
-                    if isinstance(reg_sp_expr._model_vsa, claripy.vsa.StridedInterval):  # type: ignore
-                        reg_sp_si = reg_sp_expr._model_vsa
+                    if isinstance(claripy.backends.vsa.convert(reg_sp_expr), claripy.vsa.StridedInterval):
+                        reg_sp_si = claripy.backends.vsa.convert(reg_sp_expr)
                         # reg_sp_si.min  # reg_sp_val
-                    elif isinstance(reg_sp_expr._model_vsa, claripy.vsa.ValueSet):  # type: ignore
-                        reg_sp_si = next(iter(reg_sp_expr._model_vsa.items()))[1]  # type: ignore
+                    elif isinstance(claripy.backends.vsa.convert(reg_sp_expr), claripy.vsa.ValueSet):
+                        reg_sp_si = next(iter(claripy.backends.vsa.convert(reg_sp_expr).items()))[1]
                         # reg_sp_si.min  # reg_sp_val
                         # TODO: Finish it!
 
@@ -1717,21 +1717,20 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
         reg_sp_offset = arch.sp_offset
         reg_sp_expr = successor_state.registers.load(reg_sp_offset, size=arch.bytes, endness=arch.register_endness)
 
-        if type(reg_sp_expr._model_vsa) is claripy.BVV:  # pylint:disable=unidiomatic-typecheck
+        reg_sp_expr_vsa = claripy.backends.vsa.convert(reg_sp_expr)
+        if isinstance(reg_sp_expr_vsa, claripy.bv.BVV):
             reg_sp_val = successor_state.solver.eval(reg_sp_expr)
             reg_sp_si = successor_state.solver.SI(to_conv=reg_sp_expr)
-            reg_sp_si = reg_sp_si._model_vsa
-        elif type(reg_sp_expr._model_vsa) is int:  # pylint:disable=unidiomatic-typecheck
-            reg_sp_val = reg_sp_expr._model_vsa
+            reg_sp_si = claripy.backends.vsa.convert(reg_sp_si)
+        elif isinstance(reg_sp_expr_vsa, int):
+            reg_sp_val = claripy.backends.vsa.convert(reg_sp_expr)
             reg_sp_si = successor_state.solver.SI(bits=successor_state.arch.bits, to_conv=reg_sp_val)
-            reg_sp_si = reg_sp_si._model_vsa
-        elif (
-            type(reg_sp_expr._model_vsa) is claripy.vsa.StridedInterval
-        ):  # pylint:disable=unidiomatic-typecheck # type: ignore
-            reg_sp_si = reg_sp_expr._model_vsa
+            reg_sp_si = claripy.backends.vsa.convert(reg_sp_si)
+        elif isinstance(reg_sp_expr_vsa, claripy.vsa.StridedInterval):
+            reg_sp_si = reg_sp_expr_vsa
             reg_sp_val = reg_sp_si.min
         else:
-            reg_sp_si = next(iter(reg_sp_expr._model_vsa.items()))[1]
+            reg_sp_si = next(iter(reg_sp_expr_vsa.items()))[1]
             reg_sp_val = reg_sp_si.min
 
         reg_sp_val = reg_sp_val - arch.bytes  # TODO: Is it OK?

angr/code_location.py

@@ -20,12 +20,12 @@ class CodeLocation:
 
     def __init__(
         self,
-        block_addr: int,
+        block_addr: int | None,
         stmt_idx: int | None,
         sim_procedure=None,
         ins_addr: int | None = None,
         context: Any = None,
-        block_idx: int = None,
+        block_idx: int | None = None,
         **kwargs,
     ):
         """
@@ -41,12 +41,12 @@ class CodeLocation:
         :param kwargs:              Optional arguments, will be stored, but not used in __eq__ or __hash__.
         """
 
-        self.block_addr: int = block_addr
+        self.block_addr: int | None = block_addr
         self.stmt_idx: int | None = stmt_idx
         self.sim_procedure = sim_procedure
         self.ins_addr: int | None = ins_addr
         self.context: tuple[int] | None = context
-        self.block_idx = block_idx
+        self.block_idx: int | None = block_idx
         self._hash = None
 
         self.info: dict | None = None

angr/engines/vex/heavy/heavy.py

@@ -349,7 +349,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
     def _perform_vex_expr_Load(self, addr, ty, endness, **kwargs):
         result = super()._perform_vex_expr_Load(addr, ty, endness, **kwargs)
         if o.UNINITIALIZED_ACCESS_AWARENESS in self.state.options:
-            if getattr(addr._model_vsa, "uninitialized", False):
+            if getattr(claripy.backends.vsa.convert(addr), "uninitialized", False):
                 raise errors.SimUninitializedAccessError("addr", addr)
         return result