angr 9.2.116__py3-none-macosx_10_9_x86_64.whl → 9.2.117__py3-none-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.116"
+__version__ = "9.2.117"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/cfg_emulated.py

@@ -1016,7 +1016,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             state = self._initial_state.copy()
             state.history.jumpkind = jumpkind
             self._reset_state_mode(state, "fastpath")
-            state._ip = state.solver.BVV(ip, self.project.arch.bits)
+            state._ip = claripy.BVV(ip, self.project.arch.bits)
 
         if jumpkind is not None:
             state.history.jumpkind = jumpkind
@@ -1095,7 +1095,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             f = self._pending_function_hints.pop()
             if f not in analyzed_addrs:
                 new_state = self.project.factory.entry_state(mode="fastpath")
-                new_state.ip = new_state.solver.BVV(f, self.project.arch.bits)
+                new_state.ip = claripy.BVV(f, self.project.arch.bits)
 
                 # TOOD: Specially for MIPS
                 if new_state.arch.name in ("MIPS32", "MIPS64"):
@@ -1783,7 +1783,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             if suc_jumpkind == "Ijk_Ret":
                 target_addr = job.call_stack.current_return_target
                 if target_addr is not None:
-                    new_state.ip = new_state.solver.BVV(target_addr, new_state.arch.bits)
+                    new_state.ip = claripy.BVV(target_addr, new_state.arch.bits)
 
         if target_addr is None:
             # Unlucky...
@@ -2445,7 +2445,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                             resolved = True
                             for t in targets:
                                 new_ex = suc.copy()
-                                new_ex.ip = suc.solver.BVV(t, suc.ip.size())
+                                new_ex.ip = claripy.BVV(t, suc.ip.size())
                                 all_successors.append(new_ex)
                         else:
                             break

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -634,7 +634,7 @@ class StoreHook:
             write_length = len(state.inspect.mem_write_expr)
         else:
             write_length = write_length * state.arch.byte_width
-        state.inspect.mem_write_expr = state.solver.BVS("instrumented_store", write_length)
+        state.inspect.mem_write_expr = claripy.BVS("instrumented_store", write_length)
 
 
 class LoadHook:
@@ -648,7 +648,7 @@ class LoadHook:
     def hook_before(self, state):
         addr = state.inspect.mem_read_address
         size = state.solver.eval(state.inspect.mem_read_length)
-        self._var = state.solver.BVS("instrumented_load", size * 8)
+        self._var = claripy.BVS("instrumented_load", size * 8)
         state.memory.store(addr, self._var, endness=state.arch.memory_endness)
 
     def hook_after(self, state):
@@ -662,7 +662,7 @@ class PutHook:
 
     @staticmethod
     def hook(state):
-        state.inspect.reg_write_expr = state.solver.BVS(
+        state.inspect.reg_write_expr = claripy.BVS(
             "instrumented_put", state.solver.eval(state.inspect.reg_write_length) * 8
         )
 
@@ -678,7 +678,7 @@ class RegisterInitializerHook:
         self.value = value
 
     def hook(self, state):
-        state.registers.store(self.reg_offset, state.solver.BVV(self.value, self.reg_bits))
+        state.registers.store(self.reg_offset, claripy.BVV(self.value, self.reg_bits))
 
 
 class BSSHook:
@@ -2106,7 +2106,7 @@ class JumpTableResolver(IndirectJumpResolver):
                 read_length = claripy.backends.vsa.convert(read_length).upper_bound
             if read_length > 16:
                 return
-            new_read_addr = state.solver.BVV(UninitReadMeta.uninit_read_base, state.arch.bits)
+            new_read_addr = claripy.BVV(UninitReadMeta.uninit_read_base, state.arch.bits)
             UninitReadMeta.uninit_read_base += read_length
 
             # replace the expression in registers
@@ -2238,7 +2238,7 @@ class JumpTableResolver(IndirectJumpResolver):
                 #  blx r0
                 # It's not a jump table, but we resolve it anyway
                 jump_target_addr = load_stmt.data.addr.con.value
-                return state.solver.BVV(jump_target_addr, state.arch.bits)
+                return claripy.BVV(jump_target_addr, state.arch.bits)
         elif isinstance(load_stmt, pyvex.IRStmt.LoadG):
             if type(load_stmt.addr) is pyvex.IRExpr.RdTmp:
                 load_addr_tmp = load_stmt.addr.tmp
@@ -2254,7 +2254,7 @@ class JumpTableResolver(IndirectJumpResolver):
                 # Note that this block has two branches: One goes to 45450, the other one goes to whatever the original
                 # value of R3 is. Some intensive data-flow analysis is required in this case.
                 jump_target_addr = load_stmt.addr.con.value
-                return state.solver.BVV(jump_target_addr, state.arch.bits)
+                return claripy.BVV(jump_target_addr, state.arch.bits)
         else:
             raise TypeError("Unsupported address loading statement type %s." % type(load_stmt))
 

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py

@@ -2,8 +2,9 @@
 from typing import TYPE_CHECKING
 import logging
 
-import pyvex
 import archinfo
+import claripy
+import pyvex
 
 
 from .... import options, BP_BEFORE
@@ -45,7 +46,7 @@ class OverwriteTmpValueCallback:
         self.gp_value = gp_value
 
     def overwrite_tmp_value(self, state):
-        state.inspect.tmp_write_expr = state.solver.BVV(self.gp_value, state.arch.bits)
+        state.inspect.tmp_write_expr = claripy.BVV(self.gp_value, state.arch.bits)
 
 
 class MipsElfFastResolver(IndirectJumpResolver):

angr/analyses/identifier/functions/free.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from ..func import Func, TestData
 from ..errors import IdentifierException
 
@@ -52,7 +54,7 @@ class free(Func):
             test_input = [malloc_vals[-1]]
             test_output = [None]
             return_val = None
-            state.memory.store(malloc_vals[-1], state.solver.BVS("some_data", 0x80 * 8))
+            state.memory.store(malloc_vals[-1], claripy.BVS("some_data", 0x80 * 8))
             free_test = TestData(test_input, test_output, return_val, max_steps)
             state = runner.get_out_state(func, free_test, initial_state=state)
             if state is None:

angr/analyses/identifier/identify.py

@@ -1,10 +1,10 @@
+import logging
 from collections import defaultdict
 from itertools import chain
-import logging
-
-from networkx import NetworkXError
 
+import claripy
 from cle.backends.cgc import CGC
+from networkx import NetworkXError
 
 from .errors import IdentifierException
 from .functions import Functions
@@ -75,9 +75,7 @@ class Identifier(Analysis):
 
         self.base_symbolic_state = self.make_symbolic_state(self.project, self._reg_list)
         self.base_symbolic_state.options.discard(options.SUPPORT_FLOATING_POINT)
-        self.base_symbolic_state.regs.bp = self.base_symbolic_state.solver.BVS(
-            "sreg_" + "ebp" + "-", self.project.arch.bits
-        )
+        self.base_symbolic_state.regs.bp = claripy.BVS("sreg_" + "ebp" + "-", self.project.arch.bits)
 
         for f in self._cfg.functions.values():
             if f.is_syscall:
@@ -308,7 +306,7 @@ class Identifier(Analysis):
 
         func_info = self.func_info[self.block_to_func[addr_trace[0]]]
         for i in range(func_info.frame_size // self.project.arch.bytes + 5):
-            s.stack_push(s.solver.BVS("var_" + hex(i), self.project.arch.bits))
+            s.stack_push(claripy.BVS("var_" + hex(i), self.project.arch.bits))
 
         if func_info.bp_based:
             s.regs.bp = s.regs.sp + func_info.bp_sp_diff
@@ -322,7 +320,7 @@ class Identifier(Analysis):
             for ss in simgr.active:
                 # todo could write symbolic data to pointers passed to functions
                 if ss.history.jumpkind == "Ijk_Call":
-                    ss.regs.eax = ss.solver.BVS("unconstrained_ret_%#x" % ss.addr, ss.arch.bits)
+                    ss.regs.eax = claripy.BVS("unconstrained_ret_%#x" % ss.addr, ss.arch.bits)
                     ss.regs.ip = ss.stack_pop()
                     ss.history.jumpkind = "Ijk_Ret"
                 if ss.addr == addr_trace[0]:
@@ -333,7 +331,7 @@ class Identifier(Analysis):
                 if len(simgr.unconstrained) > 0:
                     s = simgr.unconstrained[0]
                     if s.history.jumpkind == "Ijk_Call":
-                        s.regs.eax = s.solver.BVS("unconstrained_ret", s.arch.bits)
+                        s.regs.eax = claripy.BVS("unconstrained_ret", s.arch.bits)
                         s.regs.ip = s.stack_pop()
                         s.history.jumpkind = "Ijk_Ret"
                     s.regs.ip = addr_trace[0]
@@ -437,7 +435,7 @@ class Identifier(Analysis):
         state = input_state.copy()
         # overwrite all registers
         for reg in reg_list:
-            state.registers.store(reg, state.solver.BVS("sreg_" + reg + "-", project.arch.bits, explicit_name=True))
+            state.registers.store(reg, claripy.BVS("sreg_" + reg + "-", project.arch.bits, explicit_name=True))
         # restore sp
         state.regs.sp = input_state.regs.sp
         # restore bp
@@ -600,11 +598,11 @@ class Identifier(Analysis):
         for bl_addr in func.block_addrs:
             all_addrs.update(set(self._cfg.model.get_any_node(bl_addr).instruction_addrs))
 
-        sp = main_state.solver.BVS("sym_sp", self.project.arch.bits, explicit_name=True)
+        sp = claripy.BVS("sym_sp", self.project.arch.bits, explicit_name=True)
         main_state.regs.sp = sp
         bp = None
         if bp_based:
-            bp = main_state.solver.BVS("sym_bp", self.project.arch.bits, explicit_name=True)
+            bp = claripy.BVS("sym_bp", self.project.arch.bits, explicit_name=True)
             main_state.regs.bp = bp
 
         stack_vars = set()
@@ -731,7 +729,7 @@ class Identifier(Analysis):
     def _sets_ebp_from_esp(self, state, addr):
         state = state.copy()
         state.regs.ip = addr
-        state.regs.sp = state.solver.BVS("sym_sp", 32, explicit_name=True)
+        state.regs.sp = claripy.BVS("sym_sp", 32, explicit_name=True)
         succ = self.project.factory.successors(state).all_successors[0]
 
         diff = state.regs.sp - succ.regs.bp
@@ -818,7 +816,7 @@ class Identifier(Analysis):
                 options.TRACK_CONSTRAINT_ACTIONS,
             }
         )
-        symbolic_stack = initial_state.solver.BVS("symbolic_stack", project.arch.bits * stack_length)
+        symbolic_stack = claripy.BVS("symbolic_stack", project.arch.bits * stack_length)
         initial_state.memory.store(initial_state.regs.sp, symbolic_stack)
         if initial_state.arch.bp_offset != initial_state.arch.sp_offset:
             initial_state.regs.bp = initial_state.regs.sp + 20 * initial_state.arch.bytes
@@ -835,7 +833,7 @@ class Identifier(Analysis):
         symbolic_state = input_state.copy()
         # overwrite all registers
         for reg in reg_list:
-            symbolic_state.registers.store(reg, symbolic_state.solver.BVS("sreg_" + reg + "-", project.arch.bits))
+            symbolic_state.registers.store(reg, claripy.BVS("sreg_" + reg + "-", project.arch.bits))
         # restore sp
         symbolic_state.regs.sp = input_state.regs.sp
         # restore bp

angr/analyses/identifier/runner.py

@@ -52,7 +52,7 @@ class Runner:
             entry_state = self.project.factory.entry_state(add_options=add_options, remove_options=remove_options)
 
             # map the CGC flag page
-            fake_flag_data = entry_state.solver.BVV(FLAG_DATA)
+            fake_flag_data = claripy.BVV(FLAG_DATA)
             entry_state.memory.store(0x4347C000, fake_flag_data)
             # map the place where I put arguments
             entry_state.memory.map_region(0x2000, 0x10000, 7)
@@ -176,7 +176,7 @@ class Runner:
             buf = state.solver.eval(state.regs.ebx)
             for i in range(count):
                 a = random.randint(0, 255)
-                state.memory.store(buf + i, state.solver.BVV(a, 8))
+                state.memory.store(buf + i, claripy.BVV(a, 8))
 
     def get_base_call_state(self, function, test_data, initial_state=None, concrete_rand=False):
         curr_buf_loc = 0x2000

angr/analyses/vfg.py

@@ -1303,7 +1303,7 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
         # TODO: the following code is totally untested other than X86 and AMD64. Don't freak out if you find bugs :)
         # TODO: Test it
 
-        ret_bvv = state.solver.BVV(ret_addr, self.project.arch.bits)
+        ret_bvv = claripy.BVV(ret_addr, self.project.arch.bits)
 
         if self.project.arch.name in ("X86", "AMD64"):
             state.stack_push(ret_bvv)
@@ -1524,13 +1524,13 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                 successor_state.registers.store(arch.sp_offset, reg_sp_expr)
 
                 # Clear the return value with a TOP
-                top_si = successor_state.solver.TSI(arch.bits)
+                top_si = claripy.TSI(arch.bits)
                 successor_state.registers.store(arch.ret_offset, top_si)
 
             if job.call_skipped:
                 # TODO: Make sure the return values make sense
                 # if self.project.arch.name == "X86":
-                #     successor_state.regs.eax = successor_state.solver.BVS(
+                #     successor_state.regs.eax = claripy.BVS(
                 #         "ret_val", 32, min=0, max=0xFFFFFFFF, stride=1
                 #     )
 
@@ -1564,7 +1564,7 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                     reg_sp_si = self._create_stack_region(successor_state, successor_addr)
 
                     # Save the new sp register
-                    new_reg_sp_expr = successor_state.solver.ValueSet(successor_state.arch.bits, "global", 0, reg_sp_si)
+                    new_reg_sp_expr = claripy.ValueSet(successor_state.arch.bits, "global", 0, reg_sp_si)
                     successor_state.regs.sp = new_reg_sp_expr
 
                 elif successor.history.jumpkind == "Ijk_Ret":

angr/calling_conventions.py

@@ -413,7 +413,7 @@ class SimComboArg(SimFunctionArgument):
         vals = []
         for loc in reversed(self.locations):
             vals.append(loc.get_value(state, **kwargs))
-        return self.check_value_get(state.solver.Concat(*vals))
+        return self.check_value_get(claripy.Concat(*vals))
 
 
 class SimStructArg(SimFunctionArgument):
@@ -1031,7 +1031,7 @@ class SimCC:
             if isinstance(ty, SimTypeFloat):
                 return SimCC._standardize_value(float(arg), ty, state, alloc)
 
-            val = state.solver.BVV(arg, ty.size)
+            val = claripy.BVV(arg, ty.size)
             return val
 
         elif isinstance(arg, float):
@@ -2300,6 +2300,8 @@ def default_cc(  # pylint:disable=unused-argument
     if alias not in cc_map or platform not in cc_map[alias]:
         if default is not ...:
             return default
+        else:
+            return None
     return cc_map[alias][platform]
 
 

angr/concretization_strategies/any_named.py

@@ -1,3 +1,5 @@
+import claripy
+
 from . import SimConcretizationStrategy
 
 
@@ -24,7 +26,7 @@ class SimConcretizationStrategyAnyNamed(SimConcretizationStrategy):
         target = self._any(memory, addr, extra_constraints=child_constraints, **kwargs)
         # Create new BVS
         old_name = " ".join(repr(addr)[:-1].split(" ")[1:])
-        new_BVS = memory.state.solver.BVS(f"[{old_name}]", memory.state.arch.bits, explicit_name=True)
+        new_BVS = claripy.BVS(f"[{old_name}]", memory.state.arch.bits, explicit_name=True)
         memory.store(target, new_BVS, endness=memory.state.arch.memory_endness)
         # Enforce the address
         memory.state.solver.add(addr == target)

angr/concretization_strategies/controlled_data.py

@@ -1,5 +1,7 @@
 from itertools import groupby
 
+import claripy
+
 from . import SimConcretizationStrategy
 
 
@@ -40,10 +42,10 @@ class SimConcretizationStrategyControlledData(SimConcretizationStrategy):
 
         # create constraints from intervals
         for base, length in intervals:
-            constraints.append(memory.state.solver.And(addr >= base, addr < base + length))
+            constraints.append(claripy.And(addr >= base, addr < base + length))
 
         # try to get solutions for controlled memory
-        ored_constraints = memory.state.solver.Or(*constraints)
+        ored_constraints = claripy.Or(*constraints)
         child_constraints = (ored_constraints,)
         extra_constraints = kwargs.pop("extra_constraints", None)
         if extra_constraints is not None:

angr/concretization_strategies/signed_add.py

@@ -1,3 +1,5 @@
+import claripy
+
 from . import SimConcretizationStrategy
 
 
@@ -21,4 +23,4 @@ class SimConcretizationStrategySignedAdd(SimConcretizationStrategy):
                     new_arg = (1 << addr.args[1].size()) - memory.state.solver.eval(addr.args[1])
                     if new_arg < self._substraction_limit:
                         addr.op = "__sub__"
-                        addr.args = (addr.args[0], memory.state.solver.BVV(new_arg, addr.args[1].size()))
+                        addr.args = (addr.args[0], claripy.BVV(new_arg, addr.args[1].size()))

angr/engines/concrete.py

@@ -1,6 +1,8 @@
 import logging
 import threading
 
+import claripy
+
 from angr.errors import AngrError
 from .engine import SuccessorsMixin
 from ..errors import SimConcreteRegisterError
@@ -58,7 +60,7 @@ class SimEngineConcrete(SuccessorsMixin):
 
         successors.engine = "SimEngineConcrete"
         successors.sort = "SimEngineConcrete"
-        successors.add_successor(new_state, new_state.ip, new_state.solver.true, new_state.unicorn.jumpkind)
+        successors.add_successor(new_state, new_state.ip, claripy.true, new_state.unicorn.jumpkind)
         successors.description = "Concrete Successors"
         successors.processed = True
 

angr/engines/pcode/behavior.py

@@ -868,6 +868,8 @@ class OpBehaviorSubpiece(OpBehavior):
     def evaluate_binary(self, size_out: int, size_in: int, in1: BV, in2: BV) -> BV:
         if in2.size() < in1.size():
             in2 = in2.sign_extend(in1.size() - in2.size())
+        if in1.size() < in2.size():
+            in1 = in1.sign_extend(in2.size() - in1.size())
         return (in1 >> (in2 * 8)) & (2 ** (size_out * 8) - 1)
 
 

angr/engines/pcode/emulate.py

@@ -187,7 +187,7 @@ class PcodeEmulatorMixin(SimEngineBase):
         elif space.name == "unique":
             self._pcode_tmps[varnode.offset] = value
 
-        elif space.name in ("ram", "mem"):
+        elif space.name.lower() in ("ram", "mem"):
             l.debug("Storing %s to offset %s", value, varnode.offset)
             self.state.memory.store(varnode.offset, value, endness=self.project.arch.memory_endness)
 
@@ -225,7 +225,7 @@ class PcodeEmulatorMixin(SimEngineBase):
                 self._pcode_tmps[varnode.offset] = claripy.BVV(0, size * 8)
             return self._pcode_tmps[varnode.offset]
 
-        elif space_name in ("ram", "mem"):
+        elif space_name.lower() in ("ram", "mem"):
             val = self.state.memory.load(varnode.offset, endness=self.project.arch.memory_endness, size=size)
             l.debug("Loaded %s from offset %s", val, varnode.offset)
             return val
@@ -285,7 +285,7 @@ class PcodeEmulatorMixin(SimEngineBase):
         space = self._current_op.inputs[0].getSpaceFromConst()
         offset = self._get_value(self._current_op.inputs[1])
         out = self._current_op.output
-        if space.name in ("ram", "mem"):
+        if space.name.lower() in ("ram", "mem"):
             res = self.state.memory.load(offset, out.size, endness=self.project.arch.memory_endness)
         elif space.name in "register":
             res = self.state.registers.load(offset, size=out.size, endness=self.project.arch.register_endness)
@@ -304,7 +304,7 @@ class PcodeEmulatorMixin(SimEngineBase):
         offset = self._get_value(self._current_op.inputs[1])
         data = self._get_value(self._current_op.inputs[2])
         l.debug("Storing %s at offset %s", data, offset)
-        if space.name in ("ram", "mem"):
+        if space.name.lower() in ("ram", "mem"):
             self.state.memory.store(offset, data, endness=self.project.arch.memory_endness)
         elif space.name == "register":
             self.state.registers.store(offset, data, endness=self.project.arch.register_endness)

angr/engines/pcode/engine.py

@@ -224,7 +224,7 @@ class HeavyPcodeMixin(
                             "return value in Call-less mode.",
                             exit_state.arch.name,
                         )
-                exit_state.scratch.target = exit_state.solver.BVV(
+                exit_state.scratch.target = claripy.BVV(
                     successors.addr + self.state.scratch.irsb.size, exit_state.arch.bits
                 )
                 exit_state.history.jumpkind = "Ijk_Ret"
@@ -238,12 +238,8 @@ class HeavyPcodeMixin(
                 l.debug("%s adding postcall exit.", self)
 
                 ret_state = exit_state.copy()
-                guard = (
-                    ret_state.solver.true
-                    if o.TRUE_RET_EMULATION_GUARD in self.state.options
-                    else ret_state.solver.false
-                )
-                ret_target = ret_state.solver.BVV(successors.addr + self.state.scratch.irsb.size, ret_state.arch.bits)
+                guard = claripy.true if o.TRUE_RET_EMULATION_GUARD in self.state.options else claripy.false
+                ret_target = claripy.BVV(successors.addr + self.state.scratch.irsb.size, ret_state.arch.bits)
                 if ret_state.arch.call_pushes_ret and not exit_jumpkind.startswith("Ijk_Sys"):
                     ret_state.regs.sp = ret_state.regs.sp + ret_state.arch.bytes
                 successors.add_successor(

angr/engines/soot/engine.py

@@ -1,5 +1,6 @@
 import logging
 
+import claripy
 from archinfo.arch_soot import (
     ArchSoot,
     SootAddressDescriptor,
@@ -134,7 +135,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
                 next_addr = self._get_next_linear_instruction(state, stmt_idx)
                 l.debug("Advancing execution linearly to %s", next_addr)
                 if next_addr is not None:
-                    successors.add_successor(state.copy(), next_addr, state.solver.true, "Ijk_Boring")
+                    successors.add_successor(state.copy(), next_addr, claripy.true, "Ijk_Boring")
 
     def _handle_soot_stmt(self, state, successors, stmt_idx, stmt):
         # execute statement
@@ -172,7 +173,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
             # add invoke state as the successor and terminate execution
             # prematurely, since Soot does not guarantee that an invoke stmt
             # terminates a block
-            successors.add_successor(invoke_state, addr, state.solver.true, "Ijk_Call")
+            successors.add_successor(invoke_state, addr, claripy.true, "Ijk_Call")
             return True
 
         # add jmp exit
@@ -198,7 +199,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
     def _add_return_exit(cls, state, successors, return_val=None):
         ret_state = state.copy()
         cls.prepare_return_state(ret_state, return_val)
-        successors.add_successor(ret_state, state.callstack.ret_addr, ret_state.solver.true, "Ijk_Ret")
+        successors.add_successor(ret_state, state.callstack.ret_addr, claripy.true, "Ijk_Ret")
         successors.processed = True
 
     def _get_sim_procedure(self, addr):
@@ -321,9 +322,9 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
         if type(statement) is SimSootStmt_Return:
             exit_code = statement.return_value
             # TODO symbolic exit code?
-            exit_code = state.solver.BVV(exit_code, state.arch.bits)
+            exit_code = claripy.BVV(exit_code, state.arch.bits)
         state.history.add_event("terminate", exit_code=exit_code)
-        successors.add_successor(state, state.regs.ip, state.solver.true, "Ijk_Exit")
+        successors.add_successor(state, state.regs.ip, claripy.true, "Ijk_Exit")
         successors.processed = True
         raise BlockTerminationNotice()
 
@@ -345,7 +346,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
 
         # set successor flags
         ret_state.regs._ip = ret_state.callstack.ret_addr
-        ret_state.scratch.guard = ret_state.solver.true
+        ret_state.scratch.guard = claripy.true
         ret_state.history.jumpkind = "Ijk_Ret"
 
         # if available, lookup the return value in native memory

angr/engines/soot/expressions/constants.py

@@ -1,3 +1,4 @@
+import claripy
 from archinfo.arch_soot import SootClassDescriptor, SootNullConstant
 from claripy import FSORT_DOUBLE, FSORT_FLOAT
 
@@ -7,28 +8,28 @@ from .base import SimSootExpr
 
 class SimSootExpr_IntConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.BVV(self.expr.value, 32)
+        self.expr = claripy.BVV(self.expr.value, 32)
 
 
 class SimSootExpr_LongConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.BVV(self.expr.value, 64)
+        self.expr = claripy.BVV(self.expr.value, 64)
 
 
 class SimSootExpr_FloatConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.FPV(self.expr.value, FSORT_FLOAT)
+        self.expr = claripy.FPV(self.expr.value, FSORT_FLOAT)
 
 
 class SimSootExpr_DoubleConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.FPV(self.expr.value, FSORT_DOUBLE)
+        self.expr = claripy.FPV(self.expr.value, FSORT_DOUBLE)
 
 
 class SimSootExpr_StringConstant(SimSootExpr):
     def _execute(self):
         # strip away quotes introduced by soot
-        str_val = self.state.solver.StringV(self.expr.value.strip('"'))
+        str_val = claripy.StringV(self.expr.value.strip('"'))
         str_ref = SimSootValue_StringRef(self.state.memory.get_new_uuid())
         self.state.memory.store(str_ref, str_val)
         self.expr = str_ref

angr/engines/soot/expressions/newArray.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from ..values import SimSootValue_ArrayBaseRef
 from .base import SimSootExpr
 
@@ -27,7 +29,7 @@ class SimSootExpr_NewArray(SimSootExpr):
     @staticmethod
     def _bound_array_size(state, array_size):
         # check if array size can exceed MAX_ARRAY_SIZE
-        max_array_size = state.solver.BVV(state.javavm_memory.max_array_size, 32)
+        max_array_size = claripy.BVV(state.javavm_memory.max_array_size, 32)
         size_stays_below_maximum = state.solver.eval_upto(max_array_size.SGE(array_size), 2)
 
         # overwrite size, if it *always* exceeds the maximum

angr/engines/soot/expressions/newMultiArray.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from .base import SimSootExpr
 from .newArray import SimSootExpr_NewArray
 from ..values import SimSootValue_ArrayBaseRef
@@ -39,7 +41,7 @@ class SimSootExpr_NewMultiArray(SimSootExpr):
     @staticmethod
     def _bound_multi_array_size(state, multi_array_size):
         # check if array size can exceed MAX_ARRAY_SIZE
-        max_multi_array_size = state.solver.BVV(state.javavm_memory.max_array_size, 32)
+        max_multi_array_size = claripy.BVV(state.javavm_memory.max_array_size, 32)
         size_stays_below_maximum = state.solver.eval_upto(max_multi_array_size.SGE(multi_array_size), 2)
 
         # overwrite size, if it *always* exceeds the maximum

angr/engines/soot/statements/goto.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from .base import SimSootStmt
 
 l = logging.getLogger("angr.engines.soot.statements.goto")
@@ -8,4 +10,4 @@ l = logging.getLogger("angr.engines.soot.statements.goto")
 class SimSootStmt_Goto(SimSootStmt):
     def _execute(self):
         jmp_target = self._get_bb_addr_from_instr(instr=self.stmt.target)
-        self._add_jmp_target(target=jmp_target, condition=self.state.solver.true)
+        self._add_jmp_target(target=jmp_target, condition=claripy.true)

angr/engines/soot/statements/if_.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from .base import SimSootStmt
 
 l = logging.getLogger("angr.engines.soot.statements.if")
@@ -12,5 +14,5 @@ class SimSootStmt_If(SimSootStmt):
         self._add_jmp_target(target=jmp_target, condition=jmp_condition)
         self._add_jmp_target(
             target=None,  # if target is None, engine goes on linearly
-            condition=(jmp_condition == self.state.solver.false),
+            condition=(jmp_condition == claripy.false),
         )

angr/engines/soot/statements/switch.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from .base import SimSootStmt
 
 l = logging.getLogger("angr.engines.soot.statements.switch")
@@ -26,7 +28,7 @@ class SwitchBase(SimSootStmt):
 
         # add default target
         default_jmp_target = self._get_bb_addr_from_instr(self.stmt.default_target)
-        default_jmp_cond = self.state.solver.And(*default_jmp_conditions)
+        default_jmp_cond = claripy.And(*default_jmp_conditions)
         self._add_jmp_target(default_jmp_target, default_jmp_cond)