angr 9.2.115__py3-none-manylinux2014_aarch64.whl → 9.2.117__py3-none-manylinux2014_aarch64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.115"
+__version__ = "9.2.117"
 
 if bytes is str:
     raise Exception(

angr/__main__.py

@@ -42,7 +42,7 @@ def main():
         "--structurer",
         help="The structuring algorithm to use for decompilation.",
         choices=STRUCTURER_CLASSES.keys(),
-        default=DEFAULT_STRUCTURER,
+        default=DEFAULT_STRUCTURER.NAME,
     )
 
     args = parser.parse_args()

angr/analyses/cfg/cfg_emulated.py

@@ -1016,7 +1016,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             state = self._initial_state.copy()
             state.history.jumpkind = jumpkind
             self._reset_state_mode(state, "fastpath")
-            state._ip = state.solver.BVV(ip, self.project.arch.bits)
+            state._ip = claripy.BVV(ip, self.project.arch.bits)
 
         if jumpkind is not None:
             state.history.jumpkind = jumpkind
@@ -1095,7 +1095,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             f = self._pending_function_hints.pop()
             if f not in analyzed_addrs:
                 new_state = self.project.factory.entry_state(mode="fastpath")
-                new_state.ip = new_state.solver.BVV(f, self.project.arch.bits)
+                new_state.ip = claripy.BVV(f, self.project.arch.bits)
 
                 # TOOD: Specially for MIPS
                 if new_state.arch.name in ("MIPS32", "MIPS64"):
@@ -1783,7 +1783,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             if suc_jumpkind == "Ijk_Ret":
                 target_addr = job.call_stack.current_return_target
                 if target_addr is not None:
-                    new_state.ip = new_state.solver.BVV(target_addr, new_state.arch.bits)
+                    new_state.ip = claripy.BVV(target_addr, new_state.arch.bits)
 
         if target_addr is None:
             # Unlucky...
@@ -2445,7 +2445,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                             resolved = True
                             for t in targets:
                                 new_ex = suc.copy()
-                                new_ex.ip = suc.solver.BVV(t, suc.ip.size())
+                                new_ex.ip = claripy.BVV(t, suc.ip.size())
                                 all_successors.append(new_ex)
                         else:
                             break

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -634,7 +634,7 @@ class StoreHook:
             write_length = len(state.inspect.mem_write_expr)
         else:
             write_length = write_length * state.arch.byte_width
-        state.inspect.mem_write_expr = state.solver.BVS("instrumented_store", write_length)
+        state.inspect.mem_write_expr = claripy.BVS("instrumented_store", write_length)
 
 
 class LoadHook:
@@ -648,7 +648,7 @@ class LoadHook:
     def hook_before(self, state):
         addr = state.inspect.mem_read_address
         size = state.solver.eval(state.inspect.mem_read_length)
-        self._var = state.solver.BVS("instrumented_load", size * 8)
+        self._var = claripy.BVS("instrumented_load", size * 8)
         state.memory.store(addr, self._var, endness=state.arch.memory_endness)
 
     def hook_after(self, state):
@@ -662,7 +662,7 @@ class PutHook:
 
     @staticmethod
     def hook(state):
-        state.inspect.reg_write_expr = state.solver.BVS(
+        state.inspect.reg_write_expr = claripy.BVS(
             "instrumented_put", state.solver.eval(state.inspect.reg_write_length) * 8
         )
 
@@ -678,7 +678,7 @@ class RegisterInitializerHook:
         self.value = value
 
     def hook(self, state):
-        state.registers.store(self.reg_offset, state.solver.BVV(self.value, self.reg_bits))
+        state.registers.store(self.reg_offset, claripy.BVV(self.value, self.reg_bits))
 
 
 class BSSHook:
@@ -2106,7 +2106,7 @@ class JumpTableResolver(IndirectJumpResolver):
                 read_length = claripy.backends.vsa.convert(read_length).upper_bound
             if read_length > 16:
                 return
-            new_read_addr = state.solver.BVV(UninitReadMeta.uninit_read_base, state.arch.bits)
+            new_read_addr = claripy.BVV(UninitReadMeta.uninit_read_base, state.arch.bits)
             UninitReadMeta.uninit_read_base += read_length
 
             # replace the expression in registers
@@ -2238,7 +2238,7 @@ class JumpTableResolver(IndirectJumpResolver):
                 #  blx r0
                 # It's not a jump table, but we resolve it anyway
                 jump_target_addr = load_stmt.data.addr.con.value
-                return state.solver.BVV(jump_target_addr, state.arch.bits)
+                return claripy.BVV(jump_target_addr, state.arch.bits)
         elif isinstance(load_stmt, pyvex.IRStmt.LoadG):
             if type(load_stmt.addr) is pyvex.IRExpr.RdTmp:
                 load_addr_tmp = load_stmt.addr.tmp
@@ -2254,7 +2254,7 @@ class JumpTableResolver(IndirectJumpResolver):
                 # Note that this block has two branches: One goes to 45450, the other one goes to whatever the original
                 # value of R3 is. Some intensive data-flow analysis is required in this case.
                 jump_target_addr = load_stmt.addr.con.value
-                return state.solver.BVV(jump_target_addr, state.arch.bits)
+                return claripy.BVV(jump_target_addr, state.arch.bits)
         else:
             raise TypeError("Unsupported address loading statement type %s." % type(load_stmt))
 

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py

@@ -2,8 +2,9 @@
 from typing import TYPE_CHECKING
 import logging
 
-import pyvex
 import archinfo
+import claripy
+import pyvex
 
 
 from .... import options, BP_BEFORE
@@ -45,7 +46,7 @@ class OverwriteTmpValueCallback:
         self.gp_value = gp_value
 
     def overwrite_tmp_value(self, state):
-        state.inspect.tmp_write_expr = state.solver.BVV(self.gp_value, state.arch.bits)
+        state.inspect.tmp_write_expr = claripy.BVV(self.gp_value, state.arch.bits)
 
 
 class MipsElfFastResolver(IndirectJumpResolver):

angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py

@@ -182,7 +182,11 @@ class StackCanarySimplifier(OptimizationPass):
 
         while True:
             traversed.add(block_addr)
-            first_block = next(self._get_blocks(block_addr))
+            try:
+                first_block = next(self._get_blocks(block_addr))
+            except StopIteration:
+                break
+
             if first_block is None:
                 break
 

angr/analyses/decompiler/structured_codegen/c.py

@@ -1,7 +1,7 @@
 # pylint:disable=missing-class-docstring,too-many-boolean-expressions,unused-argument,no-self-use
 from typing import Optional, Any, TYPE_CHECKING
 from collections.abc import Callable
-from collections import defaultdict
+from collections import defaultdict, Counter
 import logging
 import struct
 
@@ -491,19 +491,16 @@ class CFunction(CConstruct):  # pylint:disable=abstract-method
             else:
                 name = str(variable)
 
-            # sort by number of occurrences, with a preference of non-basic types
+            # sort by the following:
+            #   * if it's a a non-basic type
+            #   * the number of occurrences
+            #   * the repr of the type itself
             # TODO: The type selection should actually happen during variable unification
             vartypes = [x[1] for x in cvar_and_vartypes]
-            nonprimitive_vartypes = [
-                vt for vt in vartypes if not isinstance(vt, (SimTypeChar, SimTypeInt, SimTypeFloat))
-            ]
-            vartypes = list(dict.fromkeys(sorted(vartypes, key=vartypes.count, reverse=True)))
-            if nonprimitive_vartypes:
-                nonprimitive_vartypes = list(
-                    dict.fromkeys(sorted(nonprimitive_vartypes, key=nonprimitive_vartypes.count, reverse=True))
-                )
-                vartypes.remove(nonprimitive_vartypes[0])
-                vartypes.insert(0, nonprimitive_vartypes[0])
+            count = Counter(vartypes)
+            vartypes = sorted(
+                count.copy(), key=lambda x: (isinstance(x, (SimTypeChar, SimTypeInt, SimTypeFloat)), count[x], repr(x))
+            )
 
             for i, var_type in enumerate(vartypes):
                 if i == 0:
@@ -2177,8 +2174,8 @@ class CConstant(CExpression):
                     v = refval.content.decode("utf-8")
                 else:
                     # it's a string
-                    assert isinstance(v, str)
                     v = refval
+                    assert isinstance(v, str)
                 yield CConstant.str_to_c_str(v), self
             elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
                 refval = self.reference_values[self._type]

angr/analyses/decompiler/structuring/dream.py

@@ -1,6 +1,5 @@
 # pylint:disable=multiple-statements,line-too-long,consider-using-enumerate
 from typing import Optional, Any, TYPE_CHECKING
-from collections import OrderedDict as ODict
 import logging
 from collections import defaultdict, OrderedDict
 
@@ -661,7 +660,7 @@ class DreamStructurer(StructurerBase):
         i,
         node,
         cmp_expr,
-        cases: ODict,
+        cases: OrderedDict,
         node_default,
         addr,
         addr2nodes,
@@ -909,7 +908,7 @@ class DreamStructurer(StructurerBase):
         head_node_idx: int,
         node_b_addr: int,
         addr2nodes: dict[int, set[CodeNode]],
-    ) -> tuple[ODict, Any, Any]:
+    ) -> tuple[OrderedDict, Any, Any]:
         """
         Discover all cases for the switch-case structure and build the switch-cases dict.
 
@@ -922,7 +921,7 @@ class DreamStructurer(StructurerBase):
         :return:                    A tuple of (dict of cases, the default node if exists, nodes to remove).
         """
 
-        cases: ODict[int | tuple[int, ...], SequenceNode] = OrderedDict()
+        cases: OrderedDict[int | tuple[int, ...], SequenceNode] = OrderedDict()
         to_remove = set()
         node_default = addr2nodes.get(node_b_addr, None)
         if node_default is not None:

angr/analyses/decompiler/structuring/phoenix.py

@@ -1,7 +1,6 @@
 # pylint:disable=line-too-long,import-outside-toplevel,import-error,multiple-statements,too-many-boolean-expressions
 from typing import Any, DefaultDict, Optional, TYPE_CHECKING
-from collections import OrderedDict as ODict
-from collections import defaultdict
+from collections import defaultdict, OrderedDict
 from enum import Enum
 import logging
 
@@ -1308,8 +1307,8 @@ class PhoenixStructurer(StructurerBase):
         node_b_addr,
         graph,
         full_graph,
-    ) -> tuple[ODict, Any, set[Any]]:
-        cases: ODict[int | tuple[int], SequenceNode] = ODict()
+    ) -> tuple[OrderedDict, Any, set[Any]]:
+        cases: OrderedDict[int | tuple[int], SequenceNode] = OrderedDict()
         to_remove = set()
 
         # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
@@ -1418,7 +1417,7 @@ class PhoenixStructurer(StructurerBase):
         self,
         head,
         cmp_expr,
-        cases: ODict,
+        cases: OrderedDict,
         node_default_addr: int,
         node_default,
         addr,

angr/analyses/decompiler/structuring/structurer_base.py

@@ -1,6 +1,5 @@
 # pylint:disable=unused-argument
 from typing import Optional, Any, TYPE_CHECKING
-from collections import OrderedDict as ODict
 from collections import defaultdict, OrderedDict
 import logging
 
@@ -739,8 +738,8 @@ class StructurerBase(Analysis):
     #
 
     def _reorganize_switch_cases(
-        self, cases: ODict[int | tuple[int, ...], SequenceNode]
-    ) -> ODict[int | tuple[int, ...], SequenceNode]:
+        self, cases: OrderedDict[int | tuple[int, ...], SequenceNode]
+    ) -> OrderedDict[int | tuple[int, ...], SequenceNode]:
         new_cases = OrderedDict()
 
         caseid2gotoaddrs = {}

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -1,6 +1,6 @@
 # pylint:disable=missing-class-docstring
 from typing import Any
-from collections import OrderedDict as ODict
+from collections import OrderedDict
 
 import claripy
 import ailment
@@ -358,9 +358,9 @@ class SwitchCaseNode(BaseNode):
         "addr",
     )
 
-    def __init__(self, switch_expr, cases: ODict[int | tuple[int, ...], SequenceNode], default_node, addr=None):
+    def __init__(self, switch_expr, cases: OrderedDict[int | tuple[int, ...], SequenceNode], default_node, addr=None):
         self.switch_expr = switch_expr
-        self.cases: ODict[int | tuple[int, ...], SequenceNode] = cases
+        self.cases: OrderedDict[int | tuple[int, ...], SequenceNode] = cases
         self.default_node = default_node
         self.addr = addr
 

angr/analyses/identifier/functions/free.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from ..func import Func, TestData
 from ..errors import IdentifierException
 
@@ -52,7 +54,7 @@ class free(Func):
             test_input = [malloc_vals[-1]]
             test_output = [None]
             return_val = None
-            state.memory.store(malloc_vals[-1], state.solver.BVS("some_data", 0x80 * 8))
+            state.memory.store(malloc_vals[-1], claripy.BVS("some_data", 0x80 * 8))
             free_test = TestData(test_input, test_output, return_val, max_steps)
             state = runner.get_out_state(func, free_test, initial_state=state)
             if state is None:

angr/analyses/identifier/identify.py

@@ -1,10 +1,10 @@
+import logging
 from collections import defaultdict
 from itertools import chain
-import logging
-
-from networkx import NetworkXError
 
+import claripy
 from cle.backends.cgc import CGC
+from networkx import NetworkXError
 
 from .errors import IdentifierException
 from .functions import Functions
@@ -75,9 +75,7 @@ class Identifier(Analysis):
 
         self.base_symbolic_state = self.make_symbolic_state(self.project, self._reg_list)
         self.base_symbolic_state.options.discard(options.SUPPORT_FLOATING_POINT)
-        self.base_symbolic_state.regs.bp = self.base_symbolic_state.solver.BVS(
-            "sreg_" + "ebp" + "-", self.project.arch.bits
-        )
+        self.base_symbolic_state.regs.bp = claripy.BVS("sreg_" + "ebp" + "-", self.project.arch.bits)
 
         for f in self._cfg.functions.values():
             if f.is_syscall:
@@ -308,7 +306,7 @@ class Identifier(Analysis):
 
         func_info = self.func_info[self.block_to_func[addr_trace[0]]]
         for i in range(func_info.frame_size // self.project.arch.bytes + 5):
-            s.stack_push(s.solver.BVS("var_" + hex(i), self.project.arch.bits))
+            s.stack_push(claripy.BVS("var_" + hex(i), self.project.arch.bits))
 
         if func_info.bp_based:
             s.regs.bp = s.regs.sp + func_info.bp_sp_diff
@@ -322,7 +320,7 @@ class Identifier(Analysis):
             for ss in simgr.active:
                 # todo could write symbolic data to pointers passed to functions
                 if ss.history.jumpkind == "Ijk_Call":
-                    ss.regs.eax = ss.solver.BVS("unconstrained_ret_%#x" % ss.addr, ss.arch.bits)
+                    ss.regs.eax = claripy.BVS("unconstrained_ret_%#x" % ss.addr, ss.arch.bits)
                     ss.regs.ip = ss.stack_pop()
                     ss.history.jumpkind = "Ijk_Ret"
                 if ss.addr == addr_trace[0]:
@@ -333,7 +331,7 @@ class Identifier(Analysis):
                 if len(simgr.unconstrained) > 0:
                     s = simgr.unconstrained[0]
                     if s.history.jumpkind == "Ijk_Call":
-                        s.regs.eax = s.solver.BVS("unconstrained_ret", s.arch.bits)
+                        s.regs.eax = claripy.BVS("unconstrained_ret", s.arch.bits)
                         s.regs.ip = s.stack_pop()
                         s.history.jumpkind = "Ijk_Ret"
                     s.regs.ip = addr_trace[0]
@@ -437,7 +435,7 @@ class Identifier(Analysis):
         state = input_state.copy()
         # overwrite all registers
         for reg in reg_list:
-            state.registers.store(reg, state.solver.BVS("sreg_" + reg + "-", project.arch.bits, explicit_name=True))
+            state.registers.store(reg, claripy.BVS("sreg_" + reg + "-", project.arch.bits, explicit_name=True))
         # restore sp
         state.regs.sp = input_state.regs.sp
         # restore bp
@@ -600,11 +598,11 @@ class Identifier(Analysis):
         for bl_addr in func.block_addrs:
             all_addrs.update(set(self._cfg.model.get_any_node(bl_addr).instruction_addrs))
 
-        sp = main_state.solver.BVS("sym_sp", self.project.arch.bits, explicit_name=True)
+        sp = claripy.BVS("sym_sp", self.project.arch.bits, explicit_name=True)
         main_state.regs.sp = sp
         bp = None
         if bp_based:
-            bp = main_state.solver.BVS("sym_bp", self.project.arch.bits, explicit_name=True)
+            bp = claripy.BVS("sym_bp", self.project.arch.bits, explicit_name=True)
             main_state.regs.bp = bp
 
         stack_vars = set()
@@ -731,7 +729,7 @@ class Identifier(Analysis):
     def _sets_ebp_from_esp(self, state, addr):
         state = state.copy()
         state.regs.ip = addr
-        state.regs.sp = state.solver.BVS("sym_sp", 32, explicit_name=True)
+        state.regs.sp = claripy.BVS("sym_sp", 32, explicit_name=True)
         succ = self.project.factory.successors(state).all_successors[0]
 
         diff = state.regs.sp - succ.regs.bp
@@ -818,7 +816,7 @@ class Identifier(Analysis):
                 options.TRACK_CONSTRAINT_ACTIONS,
             }
         )
-        symbolic_stack = initial_state.solver.BVS("symbolic_stack", project.arch.bits * stack_length)
+        symbolic_stack = claripy.BVS("symbolic_stack", project.arch.bits * stack_length)
         initial_state.memory.store(initial_state.regs.sp, symbolic_stack)
         if initial_state.arch.bp_offset != initial_state.arch.sp_offset:
             initial_state.regs.bp = initial_state.regs.sp + 20 * initial_state.arch.bytes
@@ -835,7 +833,7 @@ class Identifier(Analysis):
         symbolic_state = input_state.copy()
         # overwrite all registers
         for reg in reg_list:
-            symbolic_state.registers.store(reg, symbolic_state.solver.BVS("sreg_" + reg + "-", project.arch.bits))
+            symbolic_state.registers.store(reg, claripy.BVS("sreg_" + reg + "-", project.arch.bits))
         # restore sp
         symbolic_state.regs.sp = input_state.regs.sp
         # restore bp

angr/analyses/identifier/runner.py

@@ -52,7 +52,7 @@ class Runner:
             entry_state = self.project.factory.entry_state(add_options=add_options, remove_options=remove_options)
 
             # map the CGC flag page
-            fake_flag_data = entry_state.solver.BVV(FLAG_DATA)
+            fake_flag_data = claripy.BVV(FLAG_DATA)
             entry_state.memory.store(0x4347C000, fake_flag_data)
             # map the place where I put arguments
             entry_state.memory.map_region(0x2000, 0x10000, 7)
@@ -176,7 +176,7 @@ class Runner:
             buf = state.solver.eval(state.regs.ebx)
             for i in range(count):
                 a = random.randint(0, 255)
-                state.memory.store(buf + i, state.solver.BVV(a, 8))
+                state.memory.store(buf + i, claripy.BVV(a, 8))
 
     def get_base_call_state(self, function, test_data, initial_state=None, concrete_rand=False):
         curr_buf_loc = 0x2000

angr/analyses/reaching_definitions/dep_graph.py

@@ -213,6 +213,68 @@ class DepGraph:
 
             self.graph.add_edge(memory_location_definition, definition)
 
+    @overload
+    def find_definitions(
+        self,
+        *,
+        kind: type[A],
+        **kwargs: Any,
+    ) -> list[Definition[A]]: ...
+
+    @overload
+    def find_definitions(
+        self,
+        *,
+        kind: Literal[AtomKind.REGISTER] = AtomKind.REGISTER,
+        **kwargs: Any,
+    ) -> list[Definition[Register]]: ...
+
+    @overload
+    def find_definitions(
+        self,
+        *,
+        kind: Literal[AtomKind.MEMORY] = AtomKind.MEMORY,
+        **kwargs: Any,
+    ) -> list[Definition[MemoryLocation]]: ...
+
+    @overload
+    def find_definitions(
+        self,
+        *,
+        kind: Literal[AtomKind.TMP] = AtomKind.TMP,
+        **kwargs: Any,
+    ) -> list[Definition[Tmp]]: ...
+
+    @overload
+    def find_definitions(
+        self,
+        *,
+        kind: Literal[AtomKind.CONSTANT] = AtomKind.CONSTANT,
+        **kwargs: Any,
+    ) -> list[Definition[ConstantSrc]]: ...
+
+    @overload
+    def find_definitions(
+        self,
+        *,
+        kind: Literal[AtomKind.GUARD] = AtomKind.GUARD,
+        **kwargs: Any,
+    ) -> list[Definition[GuardUse]]: ...
+
+    @overload
+    def find_definitions(
+        self,
+        *,
+        reg_name: int | str = ...,
+        **kwargs: Any,
+    ) -> list[Definition[Register]]: ...
+
+    @overload
+    def find_definitions(self, *, stack_offset: int = ..., **kwargs: Any) -> list[Definition[MemoryLocation]]: ...
+
+    @overload
+    def find_definitions(self, *, const_val: int = ..., **kwargs: Any) -> list[Definition[ConstantSrc]]: ...
+
     def find_definitions(self, **kwargs) -> list[Definition]:
         """
         Filter the definitions present in the graph based on various criteria.
@@ -299,11 +361,6 @@ class DepGraph:
         self, starts: Definition[Atom] | Iterable[Definition[Atom]], *, const_val: int = ..., **kwargs: Any
     ) -> list[Definition[ConstantSrc]]: ...
 
-    @overload
-    def find_all_predecessors(
-        self, starts: Definition[Atom] | Iterable[Definition[Atom]], **kwargs: Any
-    ) -> list[Definition[Atom]]: ...
-
     def find_all_predecessors(self, starts, **kwargs):
         """
         Filter the ancestors of the given start node or nodes that match various criteria.

angr/analyses/reaching_definitions/function_handler_library/__init__.py

@@ -0,0 +1,11 @@
+from .stdlib import LibcStdlibHandlers, EnvironAtom, SystemAtom, ExecveAtom
+from .stdio import LibcStdioHandlers, StdoutAtom, StdinAtom
+from .unistd import LibcUnistdHandlers
+from .string import LibcStringHandlers
+
+
+class LibcHandlers(LibcStdlibHandlers, LibcStdioHandlers, LibcUnistdHandlers, LibcStringHandlers):
+    pass
+
+
+__all__ = ["EnvironAtom", "SystemAtom", "ExecveAtom", "StdoutAtom", "StdinAtom", "LibcHandlers"]

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -19,10 +19,10 @@ _l = logging.getLogger(__name__)
 
 
 class StdoutAtom(Atom):
-    def __init__(self, sink: str):
+    def __init__(self, sink: str, size: int | None):
         self.nonce = random.randint(0, 999999999999)
         self.sink = sink
-        super().__init__(1)
+        super().__init__(size if size is not None else 1)
 
     def _identity(self):
         return (self.nonce,)
@@ -32,10 +32,10 @@ class StdoutAtom(Atom):
 
 
 class StdinAtom(Atom):
-    def __init__(self, source: str):
+    def __init__(self, source: str, size: int | None):
         self.nonce = random.randint(0, 999999999999)
         self.source = source
-        super().__init__(1)
+        super().__init__(size if size is not None else 1)
 
     def _identity(self):
         return (self.nonce,)
@@ -83,19 +83,19 @@ class LibcStdioHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_printf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         result, source_atoms = handle_printf(state, data, 0)
-        dst_atoms = StdoutAtom("printf")
+        dst_atoms = StdoutAtom("printf", len(result) if result is not None else None)
         data.depends(dst_atoms, source_atoms, value=result)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_dprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         result, source_atoms = handle_printf(state, data, 1)
-        dst_atoms = StdoutAtom("dprintf")
+        dst_atoms = StdoutAtom("dprintf", len(result) if result is not None else None)
         data.depends(dst_atoms, source_atoms, value=result)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_fprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         result, source_atoms = handle_printf(state, data, 1)
-        dst_atoms = StdoutAtom("fprintf")
+        dst_atoms = StdoutAtom("fprintf", len(result) if result is not None else None)
         data.depends(dst_atoms, source_atoms, value=result)
 
     @FunctionCallDataUnwrapped.decorate
@@ -108,6 +108,8 @@ class LibcStdioHandlers(FunctionHandler):
     def handle_impl_snprintf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         result, source_atoms = handle_printf(state, data, 2)
         size = state.get_concrete_value(data.args_atoms[1]) or 2
+        if result is not None:
+            size = min(size, len(result) // 8)
         dst_atoms = state.deref(data.args_atoms[0], size=size)
         data.depends(dst_atoms, source_atoms, value=result)
 
@@ -126,7 +128,7 @@ class LibcStdioHandlers(FunctionHandler):
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_scanf(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
-        handle_scanf(state, data, 0, {StdinAtom("scanf")})
+        handle_scanf(state, data, 0, {StdinAtom("scanf", None)})
 
     handle_impl___isoc99_scanf = handle_impl_scanf
 
@@ -140,13 +142,13 @@ class LibcStdioHandlers(FunctionHandler):
     def handle_impl_fgets(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[1]) or 2
         dst_atom = state.deref(data.args_atoms[0], size)
-        input_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
-        data.depends(dst_atom, StdinAtom("fgets"), value=input_value)
+        input_value = claripy.BVS("weh", (size - 1) * 8).concat(claripy.BVV(0, 8))
+        data.depends(dst_atom, StdinAtom("fgets", size), value=input_value)
         data.depends(data.ret_atoms, data.args_atoms[0])
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_fgetc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
-        data.depends(data.ret_atoms, StdinAtom(data.function.name))
+        data.depends(data.ret_atoms, StdinAtom(data.function.name, 1))
 
     handle_impl_getchar = handle_impl_getc = handle_impl_fgetc
 
@@ -155,14 +157,14 @@ class LibcStdioHandlers(FunctionHandler):
         size = state.get_concrete_value(data.args_atoms[1]) or 1
         nmemb = state.get_concrete_value(data.args_atoms[1]) or 2
         dst_atom = state.deref(data.args_atoms[0], size * nmemb)
-        data.depends(dst_atom, StdinAtom("fread"))
+        data.depends(dst_atom, StdinAtom("fread", size * nmemb))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_fwrite(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[1]) or 1
         nmemb = state.get_concrete_value(data.args_atoms[1]) or 2
         src_atom = state.deref(data.args_atoms[0], size * nmemb)
-        data.depends(StdoutAtom("fwrite"), src_atom, value=state.get_values(src_atom))
+        data.depends(StdoutAtom("fwrite", size * nmemb), src_atom, value=state.get_values(src_atom))
 
 
 def handle_printf(