angr 9.2.114__py3-none-win_amd64.whl → 9.2.116__py3-none-win_amd64.whl

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -0,0 +1,157 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING
+import random
+
+import claripy
+
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.knowledge_plugins.key_definitions.atoms import Atom
+from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+
+
+if TYPE_CHECKING:
+    from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+
+class EnvironAtom(Atom):
+    def __init__(self, size: int, name: str | None):
+        self.name = name
+        super().__init__(size)
+
+    def _identity(self):
+        if self.name is not None:
+            return (self.name,)
+        else:
+            return ()
+
+    def __repr__(self):
+        return f'<EnvironAtom {self.name if self.name is not None else "(dynamic)"}>'
+
+
+class SystemAtom(Atom):
+    def __init__(self, size: int = 1):
+        self.nonce = random.randint(0, 999999999999)
+        super().__init__(size)
+
+    def _identity(self):
+        return (self.nonce,)
+
+    def __repr__(self):
+        return "<SystemAtom>"
+
+
+class ExecveAtom(Atom):
+    def __init__(self, nonce: int, idx: int, size: int):
+        self.nonce = nonce
+        self.idx = idx
+        super().__init__(size)
+
+    def _identity(self):
+        return (self.nonce, self.idx)
+
+    def __repr__(self):
+        return f"<ExecveAtom {self.idx}>"
+
+
+class LibcStdlibHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_atoi(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        buf_atoms = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        buf_value = state.get_concrete_value(buf_atoms, cast_to=bytes)
+        if buf_value is not None:
+            try:
+                buf_value = int(buf_value.decode().strip("\0"))
+            except ValueError:
+                buf_value = 0
+        data.depends(data.ret_atoms, buf_atoms, value=buf_value)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_malloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        malloc_size = state.get_concrete_value(data.args_atoms[0]) or 48
+        heap_ptr = state.heap_allocator.allocate(malloc_size)
+        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_calloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        nmemb = state.get_concrete_value(data.args_atoms[0]) or 48
+        size = state.get_concrete_value(data.args_atoms[0]) or 1
+        heap_ptr = state.heap_address(state.heap_allocator.allocate(nmemb * size))
+        data.depends(state.deref(heap_ptr, nmemb * size), value=0)
+        data.depends(data.ret_atoms, value=heap_ptr)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_getenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        name_value = state.get_concrete_value(name_atom, cast_to=bytes)
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+        data.depends(None, name_atom)
+
+        # store a buffer, registering it as an output of this function
+        # we store this two-byte mixed value because we don't want the value to be picked up by get_concrete_value()
+        # but also it should be able to be picked up by NULL_TERMINATE reads
+        heap_ptr = state.heap_allocator.allocate(2)
+        heap_atom = state.deref(heap_ptr, 2)
+        heap_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
+        data.depends(heap_atom, EnvironAtom(2, name_value), value=heap_value)
+        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_setenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        name_value = state.get_concrete_value(name_atom, cast_to=bytes)
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+        data.depends(None, name_atom)
+
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_value = state.get_values(src_atom)
+        data.depends(
+            EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value), src_atom, value=src_value
+        )
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_system(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        buf_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        buf_value = state.get_values(buf_atom)
+        data.depends(SystemAtom(len(buf_value) // 8 if buf_value is not None else 1), buf_atom, value=buf_value)
+
+    handle_impl_popen = handle_impl_execl = handle_impl_system
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_execve(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        argv_value = state.get_one_value(data.args_atoms[1])
+        if argv_value is None:
+            return
+
+        nonce = random.randint(1, 999999999)
+
+        # Iterate through each pointer in the array to collect argument strings
+        idx = 0
+        while True:
+            # Read the concrete string pointer value
+            argv_deref_atom = state.deref(argv_value, state.arch.bytes, state.arch.memory_endness)
+            if argv_deref_atom is None:
+                # unknown if array continues
+                break
+
+            argv_deref_concrete = state.get_one_value(argv_deref_atom)
+            if argv_deref_concrete is None:
+                # unknown if array continues
+                break
+
+            if (argv_deref_concrete == 0).is_true():
+                # End of array
+                break
+
+            string_atom = state.deref(argv_deref_concrete, DerefSize.NULL_TERMINATE)
+            string_val = None if string_atom is None else state.get_values(string_atom)
+
+            atom = ExecveAtom(nonce, idx, len(string_val) // 8 if string_val is not None else 1)
+            data.depends(atom, [] if string_atom is None else [string_atom], value=string_val)
+
+            # Increment by size of pointer for this arch
+            argv_value += state.arch.bytes
+            idx += 1

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -0,0 +1,93 @@
+import archinfo
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+
+class LibcStringHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strcat(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src0_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        src1_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src0_value = state.get_values(src0_atom)
+        src1_value = state.get_values(src1_atom)
+        if src0_value is not None and src1_value is not None:
+            src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
+            dest_value = src0_value.concat(src1_value)
+            dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
+        else:
+            dest_value = None
+            dest_atom = src0_atom
+        data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=src0_value)
+
+    handle_impl_strncat = handle_impl_strcat
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strlen(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+        else:
+            data.depends(data.ret_atoms, src_atom)
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+            data.depends(dst_atom, src_atom, value=src_str)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strncpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        n = state.get_concrete_value(data.args_atoms[1])
+        src_atom = state.deref(data.args_atoms[2], DerefSize.NULL_TERMINATE if n is None else n)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+            data.depends(dst_atom, src_atom, value=src_str)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strdup(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom)
+        if src_str is not None:
+            malloc_size = len(src_str) // 8
+        else:
+            malloc_size = 1
+        heap_ptr = state.heap_allocator.allocate(malloc_size)
+        dst_atom = state.deref(heap_ptr, malloc_size)
+        data.depends(dst_atom, src_atom, value=src_str)
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_memcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2])
+        if size is not None:
+            src_atom = state.deref(data.args_atoms[1], size)
+            dst_atom = state.deref(data.args_atoms[0], size)
+            data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_memset(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2])
+        if size is not None:
+            dst_atom = state.deref(data.args_atoms[0], size)
+            data.depends(dst_atom, data.args_atoms[1])
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_strtok(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        # stub: just return the haystack pointer
+        data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
+
+    handle_impl_strtok_r = handle_impl_strstr = handle_impl_strcasestr = handle_impl_strchr = handle_imple_strrchr = (
+        handle_impl_strchrnul
+    ) = handle_impl_strtok

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -0,0 +1,23 @@
+from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
+from angr.analyses.reaching_definitions.function_handler_library.stdio import StdinAtom, StdoutAtom
+from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+
+# pylint: disable=no-self-use,missing-class-docstring,unused-argument
+
+
+class LibcUnistdHandlers(FunctionHandler):
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_read(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2]) or 1
+        dst_atom = state.deref(data.args_atoms[1], size)
+        data.depends(dst_atom, StdinAtom(data.function.name, size))
+
+    handle_impl_recv = handle_impl_recvfrom = handle_impl_read
+
+    @FunctionCallDataUnwrapped.decorate
+    def handle_impl_write(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
+        size = state.get_concrete_value(data.args_atoms[2]) or 1
+        src_atom = state.deref(data.args_atoms[1], size)
+        data.depends(StdoutAtom(data.function.name, size), src_atom, value=state.get_values(src_atom))
+
+    handle_impl_send = handle_impl_write

angr/analyses/reaching_definitions/rd_state.py

@@ -9,6 +9,7 @@ from angr.misc.ux import deprecated
 from angr.knowledge_plugins.key_definitions.environment import Environment
 from angr.knowledge_plugins.key_definitions.tag import Tag
 from angr.knowledge_plugins.key_definitions.heap_address import HeapAddress
+from angr.knowledge_plugins.key_definitions.definition import A
 from angr.engines.light import SpOffset
 from angr.code_location import CodeLocation
 from ...storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
@@ -90,7 +91,7 @@ class ReachingDefinitionsState:
         heap_allocator: HeapAllocator = None,
         environment: Environment = None,
         sp_adjusted: bool = False,
-        all_definitions: set[Definition] | None = None,
+        all_definitions: set[Definition[A]] | None = None,
         initializer: Optional["RDAStateInitializer"] = None,
         element_limit: int = 5,
         merge_into_tops: bool = True,
@@ -106,12 +107,12 @@ class ReachingDefinitionsState:
         self._sp_adjusted: bool = sp_adjusted
         self._element_limit: int = element_limit
 
-        self.all_definitions: set[Definition] = set() if all_definitions is None else all_definitions
+        self.all_definitions: set[Definition[A]] = set() if all_definitions is None else all_definitions
 
         self.heap_allocator = heap_allocator or HeapAllocator(canonical_size)
         self._environment: Environment = environment or Environment()
 
-        self.codeloc_uses: set[Definition] = set()
+        self.codeloc_uses: set[Definition[A]] = set()
 
         # have we observed an exit statement or not during the analysis of the *last instruction* of a block? we should
         # not perform any sp updates if it is the case. this is for handling conditional returns in ARM binaries.
@@ -189,7 +190,7 @@ class ReachingDefinitionsState:
             return n - 2**self.arch.bits
         return n
 
-    def annotate_with_def(self, symvar: claripy.ast.Base, definition: Definition) -> claripy.ast.Base:
+    def annotate_with_def(self, symvar: claripy.ast.Base, definition: Definition[A]) -> claripy.ast.Base:
         """
 
         :param symvar:
@@ -198,14 +199,14 @@ class ReachingDefinitionsState:
         """
         return self.live_definitions.annotate_with_def(symvar, definition)
 
-    def annotate_mv_with_def(self, mv: MultiValues, definition: Definition) -> MultiValues:
+    def annotate_mv_with_def(self, mv: MultiValues, definition: Definition[A]) -> MultiValues:
         return MultiValues(
             offset_to_values={
                 offset: {self.annotate_with_def(value, definition) for value in values} for offset, values in mv.items()
             }
         )
 
-    def extract_defs(self, symvar: claripy.ast.Base) -> Iterator[Definition]:
+    def extract_defs(self, symvar: claripy.ast.Base) -> Iterator[Definition[A]]:
         yield from self.live_definitions.extract_defs(symvar)
 
     #
@@ -364,9 +365,9 @@ class ReachingDefinitionsState:
         tags: set[Tag] = None,
         endness=None,  # XXX destroy
         annotated: bool = False,
-        uses: set[Definition] | None = None,
+        uses: set[Definition[A]] | None = None,
         override_codeloc: CodeLocation | None = None,
-    ) -> tuple[MultiValues | None, set[Definition]]:
+    ) -> tuple[MultiValues | None, set[Definition[A]]]:
         codeloc = override_codeloc or self.codeloc
         existing_defs = self.live_definitions.get_definitions(atom)
         mv = self.live_definitions.kill_and_add_definition(
@@ -446,7 +447,7 @@ class ReachingDefinitionsState:
         self.codeloc_uses.update(self.get_definitions(atom))
         self.live_definitions.add_use(atom, self.codeloc, expr=expr)
 
-    def add_use_by_def(self, definition: Definition, expr: Any | None = None) -> None:
+    def add_use_by_def(self, definition: Definition[A], expr: Any | None = None) -> None:
         self.codeloc_uses.add(definition)
         self.live_definitions.add_use_by_def(definition, self.codeloc, expr=expr)
 
@@ -455,7 +456,7 @@ class ReachingDefinitionsState:
         self.add_tmp_use_by_defs(defs, expr=expr)
 
     def add_tmp_use_by_defs(
-        self, defs: Iterable[Definition], expr: Any | None = None
+        self, defs: Iterable[Definition[A]], expr: Any | None = None
     ) -> None:  # pylint:disable=unused-argument
         for definition in defs:
             self.codeloc_uses.add(definition)
@@ -466,7 +467,7 @@ class ReachingDefinitionsState:
         defs = self.live_definitions.get_register_definitions(reg_offset, size)
         self.add_register_use_by_defs(defs, expr=expr)
 
-    def add_register_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None) -> None:
+    def add_register_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None) -> None:
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_register_use_by_def(definition, self.codeloc, expr=expr)
@@ -475,7 +476,7 @@ class ReachingDefinitionsState:
         defs = self.live_definitions.get_stack_definitions(stack_offset, size)
         self.add_stack_use_by_defs(defs, expr=expr)
 
-    def add_stack_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None):
+    def add_stack_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None):
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_stack_use_by_def(definition, self.codeloc, expr=expr)
@@ -484,41 +485,39 @@ class ReachingDefinitionsState:
         defs = self.live_definitions.get_heap_definitions(heap_offset, size)
         self.add_heap_use_by_defs(defs, expr=expr)
 
-    def add_heap_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None):
+    def add_heap_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None):
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_heap_use_by_def(definition, self.codeloc, expr=expr)
 
-    def add_memory_use_by_def(self, definition: Definition, expr: Any | None = None):
+    def add_memory_use_by_def(self, definition: Definition[A], expr: Any | None = None):
         self.codeloc_uses.add(definition)
         self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def add_memory_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None):
+    def add_memory_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None):
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def get_definitions(self, atom: Atom | Definition | Iterable[Atom] | Iterable[Definition]) -> set[Definition]:
+    def get_definitions(self, atom: A | Definition[A] | Iterable[A] | Iterable[Definition[A]]) -> set[Definition[A]]:
         return self.live_definitions.get_definitions(atom)
 
-    def get_values(self, spec: Atom | Definition | Iterable[Atom]) -> MultiValues | None:
+    def get_values(self, spec: A | Definition[A] | Iterable[A]) -> MultiValues | None:
         return self.live_definitions.get_values(spec)
 
-    def get_one_value(self, spec: Atom | Definition, strip_annotations: bool = False) -> claripy.ast.bv.BV | None:
+    def get_one_value(
+        self, spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]], strip_annotations: bool = False
+    ) -> claripy.ast.bv.BV | None:
         return self.live_definitions.get_one_value(spec, strip_annotations=strip_annotations)
 
     @overload
-    def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[int] = ...
-    ) -> int | None: ...
+    def get_concrete_value(self, spec: A | Definition[A] | Iterable[A], cast_to: type[int] = ...) -> int | None: ...
 
     @overload
-    def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[bytes] = ...
-    ) -> bytes | None: ...
+    def get_concrete_value(self, spec: A | Definition[A] | Iterable[A], cast_to: type[bytes] = ...) -> bytes | None: ...
 
     def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[int] | type[bytes] = int
+        self, spec: A | Definition[A] | Iterable[A], cast_to: type[int] | type[bytes] = int
     ) -> int | bytes | None:
         return self.live_definitions.get_concrete_value(spec, cast_to)
 
@@ -591,7 +590,7 @@ class ReachingDefinitionsState:
     @overload
     def deref(
         self,
-        pointer: MultiValues | Atom | Definition | Iterable[Atom] | Iterable[Definition],
+        pointer: MultiValues | A | Definition | Iterable[A] | Iterable[Definition[A]],
         size: int | DerefSize,
         endness: str = ...,
     ) -> set[MemoryLocation]: ...
@@ -600,10 +599,10 @@ class ReachingDefinitionsState:
         self,
         pointer: (
             MultiValues
-            | Atom
+            | A
             | Definition
-            | Iterable[Atom]
-            | Iterable[Definition]
+            | Iterable[A]
+            | Iterable[Definition[A]]
             | int
             | claripy.ast.BV
             | HeapAddress

angr/analyses/variable_recovery/engine_vex.py

@@ -563,15 +563,6 @@ class SimEngineVRVEX(
             return RichR(self.state.top(expr_0.data.size()))
         return RichR(self.state.top(expr_0.data.size()))
 
-    def _handle_Ctz(self, expr):
-        arg0 = expr.args[0]
-        expr_0 = self._expr(arg0)
-        if expr_0 is None:
-            return None
-        if self.state.is_top(expr_0.data):
-            return RichR(self.state.top(expr_0.data.size()))
-        return RichR(self.state.top(expr_0.data.size()))
-
     _handle_CmpEQ_v = _handle_Cmp_v
     _handle_CmpNE_v = _handle_Cmp_v
     _handle_CmpLE_v = _handle_Cmp_v

angr/analyses/vfg.py

@@ -1572,11 +1572,11 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                     # FIXME: Now we are assuming the sp is restored to its original value
                     reg_sp_expr = successor_state.regs.sp
 
-                    if isinstance(reg_sp_expr._model_vsa, claripy.vsa.StridedInterval):  # type: ignore
-                        reg_sp_si = reg_sp_expr._model_vsa
+                    if isinstance(claripy.backends.vsa.convert(reg_sp_expr), claripy.vsa.StridedInterval):
+                        reg_sp_si = claripy.backends.vsa.convert(reg_sp_expr)
                         # reg_sp_si.min  # reg_sp_val
-                    elif isinstance(reg_sp_expr._model_vsa, claripy.vsa.ValueSet):  # type: ignore
-                        reg_sp_si = next(iter(reg_sp_expr._model_vsa.items()))[1]  # type: ignore
+                    elif isinstance(claripy.backends.vsa.convert(reg_sp_expr), claripy.vsa.ValueSet):
+                        reg_sp_si = next(iter(claripy.backends.vsa.convert(reg_sp_expr).items()))[1]
                         # reg_sp_si.min  # reg_sp_val
                         # TODO: Finish it!
 
@@ -1717,21 +1717,20 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
         reg_sp_offset = arch.sp_offset
         reg_sp_expr = successor_state.registers.load(reg_sp_offset, size=arch.bytes, endness=arch.register_endness)
 
-        if type(reg_sp_expr._model_vsa) is claripy.BVV:  # pylint:disable=unidiomatic-typecheck
+        reg_sp_expr_vsa = claripy.backends.vsa.convert(reg_sp_expr)
+        if isinstance(reg_sp_expr_vsa, claripy.bv.BVV):
             reg_sp_val = successor_state.solver.eval(reg_sp_expr)
             reg_sp_si = successor_state.solver.SI(to_conv=reg_sp_expr)
-            reg_sp_si = reg_sp_si._model_vsa
-        elif type(reg_sp_expr._model_vsa) is int:  # pylint:disable=unidiomatic-typecheck
-            reg_sp_val = reg_sp_expr._model_vsa
+            reg_sp_si = claripy.backends.vsa.convert(reg_sp_si)
+        elif isinstance(reg_sp_expr_vsa, int):
+            reg_sp_val = claripy.backends.vsa.convert(reg_sp_expr)
             reg_sp_si = successor_state.solver.SI(bits=successor_state.arch.bits, to_conv=reg_sp_val)
-            reg_sp_si = reg_sp_si._model_vsa
-        elif (
-            type(reg_sp_expr._model_vsa) is claripy.vsa.StridedInterval
-        ):  # pylint:disable=unidiomatic-typecheck # type: ignore
-            reg_sp_si = reg_sp_expr._model_vsa
+            reg_sp_si = claripy.backends.vsa.convert(reg_sp_si)
+        elif isinstance(reg_sp_expr_vsa, claripy.vsa.StridedInterval):
+            reg_sp_si = reg_sp_expr_vsa
             reg_sp_val = reg_sp_si.min
         else:
-            reg_sp_si = next(iter(reg_sp_expr._model_vsa.items()))[1]
+            reg_sp_si = next(iter(reg_sp_expr_vsa.items()))[1]
             reg_sp_val = reg_sp_si.min
 
         reg_sp_val = reg_sp_val - arch.bytes  # TODO: Is it OK?

angr/code_location.py

@@ -20,12 +20,12 @@ class CodeLocation:
 
     def __init__(
         self,
-        block_addr: int,
+        block_addr: int | None,
         stmt_idx: int | None,
         sim_procedure=None,
         ins_addr: int | None = None,
         context: Any = None,
-        block_idx: int = None,
+        block_idx: int | None = None,
         **kwargs,
     ):
         """
@@ -41,12 +41,12 @@ class CodeLocation:
         :param kwargs:              Optional arguments, will be stored, but not used in __eq__ or __hash__.
         """
 
-        self.block_addr: int = block_addr
+        self.block_addr: int | None = block_addr
         self.stmt_idx: int | None = stmt_idx
         self.sim_procedure = sim_procedure
         self.ins_addr: int | None = ins_addr
         self.context: tuple[int] | None = context
-        self.block_idx = block_idx
+        self.block_idx: int | None = block_idx
         self._hash = None
 
         self.info: dict | None = None

angr/engines/pcode/cc.py

@@ -10,6 +10,7 @@ from ...calling_conventions import (
     register_default_cc,
     SimCCUnknown,
     default_cc,
+    SimCCO32,
 )
 
 
@@ -107,6 +108,7 @@ def register_pcode_arch_default_cc(arch: ArchPcode):
             "PowerPC:BE:32:e200": SimCCPowerPC,
             "PowerPC:BE:32:MPC8270": SimCCPowerPC,
             "Xtensa:LE:32:default": SimCCXtensa,
+            "MIPS:LE:32:default": SimCCO32,
         }
         if arch.name in manual_cc_mapping:
             # first attempt: manually specified mappings

angr/engines/vex/heavy/heavy.py

@@ -349,7 +349,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
     def _perform_vex_expr_Load(self, addr, ty, endness, **kwargs):
         result = super()._perform_vex_expr_Load(addr, ty, endness, **kwargs)
         if o.UNINITIALIZED_ACCESS_AWARENESS in self.state.options:
-            if getattr(addr._model_vsa, "uninitialized", False):
+            if getattr(claripy.backends.vsa.convert(addr), "uninitialized", False):
                 raise errors.SimUninitializedAccessError("addr", addr)
         return result
 

angr/knowledge_plugins/key_definitions/live_definitions.py

@@ -14,6 +14,7 @@ from angr.misc.ux import deprecated
 from angr.errors import SimMemoryMissingError, SimMemoryError
 from angr.storage.memory_mixins import MultiValuedMemory
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
+from angr.knowledge_plugins.key_definitions.definition import A
 from angr.engines.light import SpOffset
 from angr.code_location import CodeLocation, ExternalCodeLocation
 from .atoms import Atom, Register, MemoryLocation, Tmp, ConstantSrc
@@ -660,7 +661,7 @@ class LiveDefinitions:
             self.other_uses.add_use(definition, code_loc, expr)
 
     def get_definitions(
-        self, thing: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]] | MultiValues
+        self, thing: A | Definition[A] | Iterable[A] | Iterable[Definition[A]] | MultiValues
     ) -> set[Definition[Atom]]:
         if isinstance(thing, MultiValues):
             defs = set()
@@ -693,9 +694,9 @@ class LiveDefinitions:
             return self.get_tmp_definitions(thing.tmp_idx)
         else:
             defs = set()
-            for mvs in self.others.get(thing, {}).values():
-                for mv in mvs:
-                    defs |= self.get_definitions(mv)
+            mv = self.others.get(thing, None)
+            if mv is not None:
+                defs |= self.get_definitions(mv)
             return defs
 
     def get_tmp_definitions(self, tmp_idx: int) -> set[Definition]:
@@ -749,7 +750,7 @@ class LiveDefinitions:
         return LiveDefinitions.extract_defs_from_annotations(annotations)
 
     @deprecated("get_definitions")
-    def get_definitions_from_atoms(self, atoms: Iterable[Atom]) -> Iterable[Definition]:
+    def get_definitions_from_atoms(self, atoms: Iterable[A]) -> Iterable[Definition]:
         result = set()
         for atom in atoms:
             result |= self.get_definitions(atom)
@@ -813,9 +814,7 @@ class LiveDefinitions:
             return None
         return r.concrete_value
 
-    def get_values(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]]
-    ) -> MultiValues | None:
+    def get_values(self, spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]]) -> MultiValues | None:
         if isinstance(spec, Definition):
             atom = spec.atom
         elif isinstance(spec, Atom):
@@ -874,7 +873,7 @@ class LiveDefinitions:
 
     def get_one_value(
         self,
-        spec: Atom | Definition | Iterable[Atom] | Iterable[Definition[Atom]],
+        spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]],
         strip_annotations: bool = False,
     ) -> claripy.ast.bv.BV | None:
         r = self.get_values(spec)
@@ -884,19 +883,19 @@ class LiveDefinitions:
 
     @overload
     def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]], cast_to: type[int] = ...
+        self, spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]], cast_to: type[int] = ...
     ) -> int | None: ...
 
     @overload
     def get_concrete_value(
         self,
-        spec: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]],
+        spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]],
         cast_to: type[bytes] = ...,
     ) -> bytes | None: ...
 
     def get_concrete_value(
         self,
-        spec: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]],
+        spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]],
         cast_to: type[int] | type[bytes] = int,
     ) -> int | bytes | None:
         r = self.get_one_value(spec, strip_annotations=True)
@@ -983,7 +982,7 @@ class LiveDefinitions:
     @overload
     def deref(
         self,
-        pointer: MultiValues | Atom | Definition | Iterable[Atom] | Iterable[Definition],
+        pointer: MultiValues | A | Definition[A] | Iterable[A] | Iterable[Definition[A]],
         size: int | DerefSize,
         endness: archinfo.Endness = ...,
     ) -> set[MemoryLocation]: ...