PyPI - angr - Versions diffs - 9.2.117__py3-none-win_amd64.whl → 9.2.118__py3-none-win_amd64.whl - Mend

angr 9.2.117__py3-none-win_amd64.whl → 9.2.118__py3-none-win_amd64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (1317) hide show

angr/__init__.py +2 -1
angr/__main__.py +21 -1
angr/analyses/__init__.py +4 -0
angr/analyses/analysis.py +45 -45
angr/analyses/backward_slice.py +15 -18
angr/analyses/binary_optimizer.py +29 -34
angr/analyses/bindiff.py +35 -44
angr/analyses/boyscout.py +1 -0
angr/analyses/callee_cleanup_finder.py +3 -4
angr/analyses/calling_convention.py +98 -98
angr/analyses/cdg.py +5 -12
angr/analyses/cfg/__init__.py +1 -0
angr/analyses/cfg/cfb.py +14 -20
angr/analyses/cfg/cfg.py +2 -1
angr/analyses/cfg/cfg_arch_options.py +4 -1
angr/analyses/cfg/cfg_base.py +122 -165
angr/analyses/cfg/cfg_emulated.py +60 -92
angr/analyses/cfg/cfg_fast.py +273 -314
angr/analyses/cfg/cfg_fast_soot.py +10 -17
angr/analyses/cfg/cfg_job_base.py +6 -7
angr/analyses/cfg/indirect_jump_resolvers/__init__.py +1 -0
angr/analyses/cfg/indirect_jump_resolvers/amd64_elf_got.py +2 -3
angr/analyses/cfg/indirect_jump_resolvers/amd64_pe_iat.py +2 -3
angr/analyses/cfg/indirect_jump_resolvers/arm_elf_fast.py +6 -8
angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py +3 -5
angr/analyses/cfg/indirect_jump_resolvers/default_resolvers.py +1 -0
angr/analyses/cfg/indirect_jump_resolvers/jumptable.py +97 -112
angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py +26 -32
angr/analyses/cfg/indirect_jump_resolvers/propagator_utils.py +1 -0
angr/analyses/cfg/indirect_jump_resolvers/resolver.py +7 -7
angr/analyses/cfg/indirect_jump_resolvers/x86_elf_pic_plt.py +3 -8
angr/analyses/cfg/indirect_jump_resolvers/x86_pe_iat.py +2 -3
angr/analyses/cfg_slice_to_sink/__init__.py +1 -0
angr/analyses/cfg_slice_to_sink/cfg_slice_to_sink.py +4 -4
angr/analyses/cfg_slice_to_sink/graph.py +4 -1
angr/analyses/cfg_slice_to_sink/transitions.py +4 -2
angr/analyses/class_identifier.py +1 -0
angr/analyses/code_tagging.py +9 -9
angr/analyses/complete_calling_conventions.py +28 -36
angr/analyses/congruency_check.py +6 -11
angr/analyses/data_dep/__init__.py +1 -0
angr/analyses/data_dep/data_dependency_analysis.py +38 -48
angr/analyses/data_dep/dep_nodes.py +13 -12
angr/analyses/data_dep/sim_act_location.py +3 -0
angr/analyses/datagraph_meta.py +7 -7
angr/analyses/ddg.py +48 -69
angr/analyses/decompiler/__init__.py +3 -0
angr/analyses/decompiler/ail_simplifier.py +929 -400
angr/analyses/decompiler/ailgraph_walker.py +1 -0
angr/analyses/decompiler/block_io_finder.py +13 -4
angr/analyses/decompiler/block_similarity.py +28 -18
angr/analyses/decompiler/block_simplifier.py +40 -104
angr/analyses/decompiler/callsite_maker.py +124 -82
angr/analyses/decompiler/ccall_rewriters/__init__.py +1 -0
angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py +115 -105
angr/analyses/decompiler/ccall_rewriters/rewriter_base.py +2 -1
angr/analyses/decompiler/clinic.py +348 -172
angr/analyses/decompiler/condition_processor.py +86 -100
angr/analyses/decompiler/counters/__init__.py +5 -0
angr/analyses/decompiler/counters/boolean_counter.py +27 -0
angr/analyses/decompiler/{call_counter.py → counters/call_counter.py} +5 -4
angr/analyses/decompiler/{expression_counters.py → counters/expression_counters.py} +5 -4
angr/analyses/decompiler/counters/seq_cf_structure_counter.py +63 -0
angr/analyses/decompiler/decompilation_cache.py +2 -1
angr/analyses/decompiler/decompilation_options.py +1 -0
angr/analyses/decompiler/decompiler.py +47 -27
angr/analyses/decompiler/dephication/__init__.py +6 -0
angr/analyses/decompiler/dephication/dephication_base.py +87 -0
angr/analyses/decompiler/dephication/graph_dephication.py +63 -0
angr/analyses/decompiler/dephication/graph_rewriting.py +116 -0
angr/analyses/decompiler/dephication/graph_vvar_mapping.py +313 -0
angr/analyses/decompiler/dephication/rewriting_engine.py +247 -0
angr/analyses/decompiler/dephication/seqnode_dephication.py +106 -0
angr/analyses/decompiler/empty_node_remover.py +1 -0
angr/analyses/decompiler/expression_narrower.py +12 -17
angr/analyses/decompiler/goto_manager.py +43 -4
angr/analyses/decompiler/graph_region.py +19 -31
angr/analyses/decompiler/jump_target_collector.py +1 -0
angr/analyses/decompiler/jumptable_entry_condition_rewriter.py +1 -0
angr/analyses/decompiler/optimization_passes/__init__.py +7 -3
angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py +23 -18
angr/analyses/decompiler/optimization_passes/call_stmt_rewriter.py +46 -0
angr/analyses/decompiler/optimization_passes/code_motion.py +4 -2
angr/analyses/decompiler/optimization_passes/const_derefs.py +36 -36
angr/analyses/decompiler/optimization_passes/const_prop_reverter.py +6 -9
angr/analyses/decompiler/optimization_passes/cross_jump_reverter.py +4 -3
angr/analyses/decompiler/optimization_passes/deadblock_remover.py +1 -0
angr/analyses/decompiler/optimization_passes/div_simplifier.py +78 -72
angr/analyses/decompiler/optimization_passes/duplication_reverter/__init__.py +2 -0
angr/analyses/decompiler/optimization_passes/duplication_reverter/ail_merge_graph.py +500 -0
angr/analyses/decompiler/optimization_passes/duplication_reverter/duplication_reverter.py +1211 -0
angr/analyses/decompiler/optimization_passes/duplication_reverter/errors.py +16 -0
angr/analyses/decompiler/optimization_passes/duplication_reverter/similarity.py +126 -0
angr/analyses/decompiler/optimization_passes/duplication_reverter/utils.py +169 -0
angr/analyses/decompiler/optimization_passes/engine_base.py +60 -63
angr/analyses/decompiler/optimization_passes/expr_op_swapper.py +6 -7
angr/analyses/decompiler/optimization_passes/flip_boolean_cmp.py +1 -0
angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py +88 -23
angr/analyses/decompiler/optimization_passes/ite_expr_converter.py +8 -10
angr/analyses/decompiler/optimization_passes/ite_region_converter.py +128 -18
angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py +142 -145
angr/analyses/decompiler/optimization_passes/mod_simplifier.py +27 -23
angr/analyses/decompiler/optimization_passes/multi_simplifier.py +30 -34
angr/analyses/decompiler/optimization_passes/optimization_pass.py +108 -47
angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py +10 -3
angr/analyses/decompiler/optimization_passes/ret_addr_save_simplifier.py +5 -6
angr/analyses/decompiler/optimization_passes/ret_deduplicator.py +3 -2
angr/analyses/decompiler/optimization_passes/return_duplicator_base.py +125 -13
angr/analyses/decompiler/optimization_passes/return_duplicator_high.py +1 -0
angr/analyses/decompiler/optimization_passes/return_duplicator_low.py +3 -2
angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py +52 -21
angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py +3 -2
angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py +47 -36
angr/analyses/decompiler/optimization_passes/x86_gcc_getpc_simplifier.py +2 -1
angr/analyses/decompiler/peephole_optimizations/__init__.py +2 -0
angr/analyses/decompiler/peephole_optimizations/a_div_const_add_a_mul_n_div_const.py +26 -22
angr/analyses/decompiler/peephole_optimizations/a_mul_const_div_shr_const.py +2 -2
angr/analyses/decompiler/peephole_optimizations/a_shl_const_sub_a.py +1 -0
angr/analyses/decompiler/peephole_optimizations/a_sub_a_div.py +2 -2
angr/analyses/decompiler/peephole_optimizations/a_sub_a_div_const_mul_const.py +1 -0
angr/analyses/decompiler/peephole_optimizations/a_sub_a_sub_n.py +8 -4
angr/analyses/decompiler/peephole_optimizations/arm_cmpf.py +28 -27
angr/analyses/decompiler/peephole_optimizations/base.py +17 -20
angr/analyses/decompiler/peephole_optimizations/basepointeroffset_add_n.py +1 -0
angr/analyses/decompiler/peephole_optimizations/basepointeroffset_and_mask.py +1 -0
angr/analyses/decompiler/peephole_optimizations/bitwise_or_to_logical_or.py +2 -2
angr/analyses/decompiler/peephole_optimizations/bool_expr_xor_1.py +2 -2
angr/analyses/decompiler/peephole_optimizations/bswap.py +29 -22
angr/analyses/decompiler/peephole_optimizations/cmpord_rewriter.py +3 -4
angr/analyses/decompiler/peephole_optimizations/coalesce_adjacent_shrs.py +39 -0
angr/analyses/decompiler/peephole_optimizations/coalesce_same_cascading_ifs.py +2 -1
angr/analyses/decompiler/peephole_optimizations/const_mull_a_shift.py +94 -29
angr/analyses/decompiler/peephole_optimizations/constant_derefs.py +1 -0
angr/analyses/decompiler/peephole_optimizations/conv_a_sub0_shr_and.py +48 -49
angr/analyses/decompiler/peephole_optimizations/conv_shl_shr.py +1 -0
angr/analyses/decompiler/peephole_optimizations/eager_eval.py +41 -34
angr/analyses/decompiler/peephole_optimizations/extended_byte_and_mask.py +2 -1
angr/analyses/decompiler/peephole_optimizations/inlined_strcpy.py +28 -18
angr/analyses/decompiler/peephole_optimizations/inlined_strcpy_consolidation.py +8 -4
angr/analyses/decompiler/peephole_optimizations/inlined_wstrcpy.py +28 -18
angr/analyses/decompiler/peephole_optimizations/invert_negated_logical_conjuction_disjunction.py +32 -32
angr/analyses/decompiler/peephole_optimizations/one_sub_bool.py +2 -2
angr/analyses/decompiler/peephole_optimizations/remove_cascading_conversions.py +23 -3
angr/analyses/decompiler/peephole_optimizations/remove_empty_if_body.py +2 -1
angr/analyses/decompiler/peephole_optimizations/remove_noop_conversions.py +4 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_bitmasks.py +1 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_conversions.py +4 -6
angr/analyses/decompiler/peephole_optimizations/remove_redundant_ite_branch.py +14 -13
angr/analyses/decompiler/peephole_optimizations/remove_redundant_ite_comparisons.py +2 -2
angr/analyses/decompiler/peephole_optimizations/remove_redundant_nots.py +1 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_reinterprets.py +3 -2
angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts.py +2 -2
angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts_around_comparators.py +20 -16
angr/analyses/decompiler/peephole_optimizations/rewrite_bit_extractions.py +3 -3
angr/analyses/decompiler/peephole_optimizations/rewrite_mips_gp_loads.py +4 -2
angr/analyses/decompiler/peephole_optimizations/rol_ror.py +66 -40
angr/analyses/decompiler/peephole_optimizations/sar_to_signed_div.py +64 -57
angr/analyses/decompiler/peephole_optimizations/simplify_pc_relative_loads.py +14 -14
angr/analyses/decompiler/peephole_optimizations/single_bit_cond_to_boolexpr.py +1 -0
angr/analyses/decompiler/peephole_optimizations/single_bit_xor.py +8 -5
angr/analyses/decompiler/peephole_optimizations/tidy_stack_addr.py +4 -6
angr/analyses/decompiler/redundant_label_remover.py +20 -19
angr/analyses/decompiler/region_identifier.py +64 -77
angr/analyses/decompiler/region_simplifiers/__init__.py +1 -0
angr/analyses/decompiler/region_simplifiers/cascading_cond_transformer.py +2 -1
angr/analyses/decompiler/region_simplifiers/cascading_ifs.py +1 -0
angr/analyses/decompiler/region_simplifiers/expr_folding.py +43 -29
angr/analyses/decompiler/region_simplifiers/goto.py +1 -0
angr/analyses/decompiler/region_simplifiers/if_.py +29 -36
angr/analyses/decompiler/region_simplifiers/ifelse.py +1 -0
angr/analyses/decompiler/region_simplifiers/loop.py +27 -13
angr/analyses/decompiler/region_simplifiers/node_address_finder.py +1 -0
angr/analyses/decompiler/region_simplifiers/region_simplifier.py +1 -0
angr/analyses/decompiler/region_simplifiers/switch_cluster_simplifier.py +12 -16
angr/analyses/decompiler/region_simplifiers/switch_expr_simplifier.py +36 -32
angr/analyses/decompiler/region_walker.py +1 -0
angr/analyses/decompiler/return_maker.py +1 -0
angr/analyses/decompiler/seq_to_blocks.py +1 -0
angr/analyses/decompiler/sequence_walker.py +5 -10
angr/analyses/decompiler/ssailification/__init__.py +4 -0
angr/analyses/decompiler/ssailification/rewriting.py +325 -0
angr/analyses/decompiler/ssailification/rewriting_engine.py +601 -0
angr/analyses/decompiler/ssailification/rewriting_state.py +60 -0
angr/analyses/decompiler/ssailification/ssailification.py +213 -0
angr/analyses/decompiler/ssailification/traversal.py +97 -0
angr/analyses/decompiler/ssailification/traversal_engine.py +131 -0
angr/analyses/decompiler/ssailification/traversal_state.py +42 -0
angr/analyses/decompiler/structured_codegen/__init__.py +1 -0
angr/analyses/decompiler/structured_codegen/base.py +2 -2
angr/analyses/decompiler/structured_codegen/c.py +163 -158
angr/analyses/decompiler/structured_codegen/dummy.py +1 -0
angr/analyses/decompiler/structured_codegen/dwarf_import.py +1 -0
angr/analyses/decompiler/structuring/__init__.py +1 -0
angr/analyses/decompiler/structuring/dream.py +19 -36
angr/analyses/decompiler/structuring/phoenix.py +199 -199
angr/analyses/decompiler/structuring/recursive_structurer.py +4 -3
angr/analyses/decompiler/structuring/sailr.py +5 -4
angr/analyses/decompiler/structuring/structurer_base.py +26 -23
angr/analyses/decompiler/structuring/structurer_nodes.py +14 -24
angr/analyses/decompiler/utils.py +112 -52
angr/analyses/disassembly.py +75 -77
angr/analyses/disassembly_utils.py +10 -13
angr/analyses/dominance_frontier.py +25 -7
angr/analyses/find_objects_static.py +3 -2
angr/analyses/flirt.py +7 -10
angr/analyses/forward_analysis/__init__.py +1 -0
angr/analyses/forward_analysis/forward_analysis.py +9 -6
angr/analyses/forward_analysis/job_info.py +3 -3
angr/analyses/forward_analysis/visitors/__init__.py +1 -0
angr/analyses/forward_analysis/visitors/call_graph.py +1 -0
angr/analyses/forward_analysis/visitors/function_graph.py +3 -2
angr/analyses/forward_analysis/visitors/graph.py +9 -9
angr/analyses/forward_analysis/visitors/loop.py +1 -0
angr/analyses/forward_analysis/visitors/single_node_graph.py +2 -2
angr/analyses/identifier/__init__.py +1 -0
angr/analyses/identifier/custom_callable.py +2 -2
angr/analyses/identifier/errors.py +1 -0
angr/analyses/identifier/func.py +6 -3
angr/analyses/identifier/functions/__init__.py +2 -1
angr/analyses/identifier/functions/atoi.py +2 -4
angr/analyses/identifier/functions/based_atoi.py +3 -6
angr/analyses/identifier/functions/fdprintf.py +1 -0
angr/analyses/identifier/functions/free.py +3 -5
angr/analyses/identifier/functions/int2str.py +11 -26
angr/analyses/identifier/functions/malloc.py +4 -6
angr/analyses/identifier/functions/memcmp.py +2 -4
angr/analyses/identifier/functions/memcpy.py +2 -2
angr/analyses/identifier/functions/memset.py +2 -2
angr/analyses/identifier/functions/printf.py +1 -0
angr/analyses/identifier/functions/recv_until.py +3 -6
angr/analyses/identifier/functions/skip_calloc.py +2 -1
angr/analyses/identifier/functions/skip_realloc.py +4 -6
angr/analyses/identifier/functions/skip_recv_n.py +4 -6
angr/analyses/identifier/functions/snprintf.py +2 -4
angr/analyses/identifier/functions/sprintf.py +1 -0
angr/analyses/identifier/functions/strcasecmp.py +1 -0
angr/analyses/identifier/functions/strcmp.py +2 -1
angr/analyses/identifier/functions/strcpy.py +2 -2
angr/analyses/identifier/functions/strlen.py +1 -0
angr/analyses/identifier/functions/strncmp.py +2 -1
angr/analyses/identifier/functions/strncpy.py +2 -2
angr/analyses/identifier/functions/strtol.py +2 -4
angr/analyses/identifier/identify.py +35 -54
angr/analyses/identifier/runner.py +6 -5
angr/analyses/init_finder.py +17 -17
angr/analyses/loop_analysis.py +10 -14
angr/analyses/loopfinder.py +9 -13
angr/analyses/propagator/__init__.py +1 -0
angr/analyses/propagator/engine_ail.py +159 -165
angr/analyses/propagator/engine_base.py +3 -2
angr/analyses/propagator/engine_vex.py +47 -48
angr/analyses/propagator/outdated_definition_walker.py +18 -23
angr/analyses/propagator/propagator.py +8 -12
angr/analyses/propagator/tmpvar_finder.py +1 -0
angr/analyses/propagator/top_checker_mixin.py +2 -4
angr/analyses/propagator/values.py +1 -0
angr/analyses/propagator/vex_vars.py +3 -2
angr/analyses/proximity_graph.py +12 -20
angr/analyses/reaching_definitions/__init__.py +5 -4
angr/analyses/reaching_definitions/call_trace.py +7 -6
angr/analyses/reaching_definitions/dep_graph.py +18 -23
angr/analyses/reaching_definitions/engine_ail.py +89 -121
angr/analyses/reaching_definitions/engine_vex.py +20 -32
angr/analyses/reaching_definitions/function_handler.py +32 -33
angr/analyses/reaching_definitions/function_handler_library/__init__.py +1 -0
angr/analyses/reaching_definitions/function_handler_library/stdio.py +4 -6
angr/analyses/reaching_definitions/function_handler_library/stdlib.py +1 -2
angr/analyses/reaching_definitions/function_handler_library/string.py +2 -4
angr/analyses/reaching_definitions/function_handler_library/unistd.py +1 -0
angr/analyses/reaching_definitions/heap_allocator.py +7 -6
angr/analyses/reaching_definitions/rd_initializer.py +27 -25
angr/analyses/reaching_definitions/rd_state.py +14 -16
angr/analyses/reaching_definitions/reaching_definitions.py +27 -36
angr/analyses/reaching_definitions/subject.py +3 -2
angr/analyses/reassembler.py +189 -253
angr/analyses/s_liveness/__init__.py +2 -0
angr/analyses/s_liveness/s_liveness.py +153 -0
angr/analyses/s_propagator/__init__.py +2 -0
angr/analyses/s_propagator/s_propagator.py +250 -0
angr/analyses/s_reaching_definitions/__init__.py +2 -0
angr/analyses/s_reaching_definitions/s_rda.py +479 -0
angr/analyses/soot_class_hierarchy.py +15 -24
angr/analyses/stack_pointer_tracker.py +83 -93
angr/analyses/static_hooker.py +3 -2
angr/analyses/typehoon/__init__.py +1 -0
angr/analyses/typehoon/dfa.py +5 -5
angr/analyses/typehoon/lifter.py +5 -4
angr/analyses/typehoon/simple_solver.py +80 -64
angr/analyses/typehoon/translator.py +7 -14
angr/analyses/typehoon/typeconsts.py +14 -12
angr/analyses/typehoon/typehoon.py +8 -10
angr/analyses/typehoon/typevars.py +37 -49
angr/analyses/typehoon/variance.py +1 -0
angr/analyses/variable_recovery/__init__.py +1 -0
angr/analyses/variable_recovery/annotations.py +1 -0
angr/analyses/variable_recovery/engine_ail.py +78 -32
angr/analyses/variable_recovery/engine_base.py +233 -59
angr/analyses/variable_recovery/engine_vex.py +10 -11
angr/analyses/variable_recovery/irsb_scanner.py +1 -0
angr/analyses/variable_recovery/variable_recovery.py +14 -16
angr/analyses/variable_recovery/variable_recovery_base.py +12 -14
angr/analyses/variable_recovery/variable_recovery_fast.py +67 -47
angr/analyses/veritesting.py +10 -16
angr/analyses/vfg.py +102 -148
angr/analyses/vsa_ddg.py +3 -5
angr/analyses/vtable.py +6 -6
angr/analyses/xrefs.py +9 -13
angr/angrdb/__init__.py +4 -2
angr/angrdb/db.py +51 -53
angr/angrdb/models.py +1 -0
angr/angrdb/serializers/__init__.py +1 -0
angr/angrdb/serializers/cfg_model.py +2 -2
angr/angrdb/serializers/comments.py +1 -0
angr/angrdb/serializers/funcs.py +4 -3
angr/angrdb/serializers/kb.py +3 -2
angr/angrdb/serializers/labels.py +1 -0
angr/angrdb/serializers/structured_code.py +5 -10
angr/angrdb/serializers/variables.py +6 -6
angr/angrdb/serializers/xrefs.py +2 -2
angr/annocfg.py +17 -25
angr/blade.py +19 -23
angr/block.py +11 -13
angr/callable.py +4 -3
angr/calling_conventions.py +79 -124
angr/code_location.py +12 -13
angr/codenode.py +2 -1
angr/concretization_strategies/__init__.py +6 -6
angr/concretization_strategies/any.py +5 -4
angr/concretization_strategies/any_named.py +1 -0
angr/concretization_strategies/controlled_data.py +1 -0
angr/concretization_strategies/eval.py +2 -2
angr/concretization_strategies/logging.py +1 -0
angr/concretization_strategies/max.py +6 -6
angr/concretization_strategies/nonzero.py +1 -0
angr/concretization_strategies/nonzero_range.py +4 -3
angr/concretization_strategies/norepeats.py +2 -1
angr/concretization_strategies/norepeats_range.py +1 -0
angr/concretization_strategies/range.py +1 -0
angr/concretization_strategies/signed_add.py +13 -9
angr/concretization_strategies/single.py +2 -0
angr/concretization_strategies/solutions.py +1 -0
angr/concretization_strategies/unlimited_range.py +1 -0
angr/distributed/__init__.py +1 -0
angr/distributed/server.py +2 -2
angr/distributed/worker.py +3 -3
angr/engines/__init__.py +1 -0
angr/engines/concrete.py +1 -0
angr/engines/engine.py +4 -6
angr/engines/failure.py +2 -1
angr/engines/hook.py +1 -0
angr/engines/light/__init__.py +1 -0
angr/engines/light/data.py +221 -255
angr/engines/light/engine.py +66 -74
angr/engines/pcode/__init__.py +1 -0
angr/engines/pcode/behavior.py +3 -3
angr/engines/pcode/cc.py +1 -0
angr/engines/pcode/emulate.py +13 -16
angr/engines/pcode/engine.py +5 -3
angr/engines/pcode/lifter.py +62 -79
angr/engines/procedure.py +1 -0
angr/engines/soot/__init__.py +1 -0
angr/engines/soot/engine.py +41 -47
angr/engines/soot/exceptions.py +3 -0
angr/engines/soot/expressions/__init__.py +1 -0
angr/engines/soot/expressions/arrayref.py +1 -0
angr/engines/soot/expressions/base.py +4 -5
angr/engines/soot/expressions/binop.py +1 -0
angr/engines/soot/expressions/cast.py +1 -0
angr/engines/soot/expressions/condition.py +1 -0
angr/engines/soot/expressions/constants.py +1 -0
angr/engines/soot/expressions/instanceOf.py +1 -0
angr/engines/soot/expressions/instancefieldref.py +1 -0
angr/engines/soot/expressions/invoke.py +7 -9
angr/engines/soot/expressions/length.py +1 -0
angr/engines/soot/expressions/local.py +1 -0
angr/engines/soot/expressions/new.py +1 -0
angr/engines/soot/expressions/newArray.py +1 -0
angr/engines/soot/expressions/newMultiArray.py +3 -3
angr/engines/soot/expressions/paramref.py +1 -0
angr/engines/soot/expressions/phi.py +1 -0
angr/engines/soot/expressions/staticfieldref.py +1 -0
angr/engines/soot/expressions/thisref.py +1 -0
angr/engines/soot/expressions/unsupported.py +1 -0
angr/engines/soot/field_dispatcher.py +5 -8
angr/engines/soot/method_dispatcher.py +4 -7
angr/engines/soot/statements/__init__.py +4 -4
angr/engines/soot/statements/assign.py +1 -0
angr/engines/soot/statements/base.py +6 -7
angr/engines/soot/statements/goto.py +1 -0
angr/engines/soot/statements/identity.py +1 -0
angr/engines/soot/statements/if_.py +1 -0
angr/engines/soot/statements/invoke.py +1 -0
angr/engines/soot/statements/return_.py +1 -0
angr/engines/soot/statements/switch.py +1 -0
angr/engines/soot/statements/throw.py +1 -0
angr/engines/soot/values/__init__.py +4 -2
angr/engines/soot/values/arrayref.py +8 -10
angr/engines/soot/values/base.py +4 -1
angr/engines/soot/values/constants.py +1 -0
angr/engines/soot/values/instancefieldref.py +1 -0
angr/engines/soot/values/local.py +1 -0
angr/engines/soot/values/paramref.py +1 -0
angr/engines/soot/values/staticfieldref.py +1 -0
angr/engines/soot/values/strref.py +3 -2
angr/engines/soot/values/thisref.py +1 -0
angr/engines/successors.py +20 -23
angr/engines/syscall.py +9 -9
angr/engines/unicorn.py +12 -7
angr/engines/vex/__init__.py +1 -0
angr/engines/vex/claripy/__init__.py +1 -0
angr/engines/vex/claripy/ccall.py +86 -112
angr/engines/vex/claripy/datalayer.py +12 -16
angr/engines/vex/claripy/irop.py +85 -104
angr/engines/vex/heavy/__init__.py +1 -0
angr/engines/vex/heavy/actions.py +1 -0
angr/engines/vex/heavy/concretizers.py +8 -9
angr/engines/vex/heavy/dirty.py +6 -5
angr/engines/vex/heavy/heavy.py +13 -12
angr/engines/vex/heavy/inspect.py +1 -0
angr/engines/vex/heavy/resilience.py +2 -2
angr/engines/vex/heavy/super_fastpath.py +2 -2
angr/engines/vex/lifter.py +28 -35
angr/engines/vex/light/__init__.py +1 -0
angr/engines/vex/light/light.py +2 -4
angr/engines/vex/light/resilience.py +1 -0
angr/engines/vex/light/slicing.py +1 -0
angr/errors.py +2 -1
angr/exploration_techniques/__init__.py +3 -2
angr/exploration_techniques/bucketizer.py +2 -3
angr/exploration_techniques/common.py +3 -3
angr/exploration_techniques/dfs.py +1 -0
angr/exploration_techniques/director.py +17 -19
angr/exploration_techniques/driller_core.py +2 -5
angr/exploration_techniques/explorer.py +7 -3
angr/exploration_techniques/lengthlimiter.py +1 -0
angr/exploration_techniques/local_loop_seer.py +2 -2
angr/exploration_techniques/loop_seer.py +11 -14
angr/exploration_techniques/manual_mergepoint.py +3 -2
angr/exploration_techniques/memory_watcher.py +1 -0
angr/exploration_techniques/oppologist.py +4 -4
angr/exploration_techniques/slicecutor.py +1 -0
angr/exploration_techniques/spiller.py +8 -8
angr/exploration_techniques/spiller_db.py +1 -0
angr/exploration_techniques/stochastic.py +3 -4
angr/exploration_techniques/stub_stasher.py +1 -0
angr/exploration_techniques/suggestions.py +3 -2
angr/exploration_techniques/symbion.py +1 -0
angr/exploration_techniques/tech_builder.py +1 -0
angr/exploration_techniques/threading.py +1 -0
angr/exploration_techniques/timeout.py +1 -0
angr/exploration_techniques/tracer.py +34 -39
angr/exploration_techniques/unique.py +1 -0
angr/exploration_techniques/veritesting.py +1 -0
angr/factory.py +9 -9
angr/flirt/__init__.py +1 -0
angr/flirt/build_sig.py +8 -12
angr/keyed_region.py +10 -17
angr/knowledge_base/__init__.py +1 -0
angr/knowledge_base/knowledge_base.py +17 -17
angr/knowledge_plugins/__init__.py +1 -0
angr/knowledge_plugins/callsite_prototypes.py +1 -0
angr/knowledge_plugins/cfg/__init__.py +2 -0
angr/knowledge_plugins/cfg/cfg_manager.py +2 -1
angr/knowledge_plugins/cfg/cfg_model.py +25 -42
angr/knowledge_plugins/cfg/cfg_node.py +8 -19
angr/knowledge_plugins/cfg/indirect_jump.py +3 -5
angr/knowledge_plugins/cfg/memory_data.py +3 -3
angr/knowledge_plugins/comments.py +1 -0
angr/knowledge_plugins/custom_strings.py +1 -0
angr/knowledge_plugins/data.py +1 -0
angr/knowledge_plugins/debug_variables.py +18 -23
angr/knowledge_plugins/functions/__init__.py +1 -0
angr/knowledge_plugins/functions/function.py +49 -53
angr/knowledge_plugins/functions/function_manager.py +14 -14
angr/knowledge_plugins/functions/function_parser.py +38 -42
angr/knowledge_plugins/functions/soot_function.py +5 -6
angr/knowledge_plugins/indirect_jumps.py +1 -0
angr/knowledge_plugins/key_definitions/__init__.py +1 -0
angr/knowledge_plugins/key_definitions/atoms.py +65 -17
angr/knowledge_plugins/key_definitions/constants.py +6 -0
angr/knowledge_plugins/key_definitions/definition.py +22 -25
angr/knowledge_plugins/key_definitions/environment.py +18 -14
angr/knowledge_plugins/key_definitions/heap_address.py +4 -3
angr/knowledge_plugins/key_definitions/key_definition_manager.py +5 -4
angr/knowledge_plugins/key_definitions/live_definitions.py +36 -45
angr/knowledge_plugins/key_definitions/liveness.py +18 -23
angr/knowledge_plugins/key_definitions/rd_model.py +29 -34
angr/knowledge_plugins/key_definitions/tag.py +7 -6
angr/knowledge_plugins/key_definitions/undefined.py +3 -0
angr/knowledge_plugins/key_definitions/unknown_size.py +3 -0
angr/knowledge_plugins/key_definitions/uses.py +21 -23
angr/knowledge_plugins/labels.py +3 -2
angr/knowledge_plugins/patches.py +2 -1
angr/knowledge_plugins/plugin.py +2 -1
angr/knowledge_plugins/propagations/__init__.py +1 -0
angr/knowledge_plugins/propagations/prop_value.py +25 -27
angr/knowledge_plugins/propagations/propagation_manager.py +2 -2
angr/knowledge_plugins/propagations/propagation_model.py +5 -4
angr/knowledge_plugins/propagations/states.py +71 -81
angr/knowledge_plugins/structured_code/__init__.py +1 -0
angr/knowledge_plugins/structured_code/manager.py +5 -4
angr/knowledge_plugins/sync/__init__.py +1 -0
angr/knowledge_plugins/sync/sync_controller.py +10 -15
angr/knowledge_plugins/types.py +1 -0
angr/knowledge_plugins/variables/__init__.py +1 -0
angr/knowledge_plugins/variables/variable_access.py +9 -10
angr/knowledge_plugins/variables/variable_manager.py +84 -55
angr/knowledge_plugins/xrefs/__init__.py +1 -0
angr/knowledge_plugins/xrefs/xref.py +7 -11
angr/knowledge_plugins/xrefs/xref_manager.py +1 -0
angr/knowledge_plugins/xrefs/xref_types.py +3 -0
angr/lib/angr_native.dll +0 -0
angr/misc/__init__.py +1 -0
angr/misc/ansi.py +1 -0
angr/misc/autoimport.py +3 -2
angr/misc/bug_report.py +6 -5
angr/misc/hookset.py +3 -2
angr/misc/loggers.py +2 -2
angr/misc/picklable_lock.py +1 -0
angr/misc/plugins.py +11 -13
angr/misc/range.py +3 -0
angr/misc/testing.py +2 -1
angr/misc/ux.py +5 -5
angr/misc/weakpatch.py +1 -0
angr/procedures/__init__.py +1 -0
angr/procedures/cgc/_terminate.py +1 -0
angr/procedures/cgc/allocate.py +1 -0
angr/procedures/cgc/deallocate.py +1 -0
angr/procedures/cgc/fdwait.py +1 -0
angr/procedures/cgc/random.py +1 -0
angr/procedures/cgc/receive.py +26 -26
angr/procedures/cgc/transmit.py +1 -0
angr/procedures/definitions/__init__.py +9 -10
angr/procedures/definitions/cgc.py +1 -0
angr/procedures/definitions/glibc.py +1 -0
angr/procedures/definitions/gnulib.py +1 -0
angr/procedures/definitions/libstdcpp.py +1 -0
angr/procedures/definitions/linux_kernel.py +1 -0
angr/procedures/definitions/linux_loader.py +1 -0
angr/procedures/definitions/msvcr.py +1 -0
angr/procedures/definitions/parse_syscalls_from_local_system.py +2 -1
angr/procedures/definitions/parse_win32json.py +27 -30
angr/procedures/definitions/types_win32.py +1 -0
angr/procedures/definitions/wdk_api-ms-win-dx-d3dkmt-l1-1-4.py +1 -0
angr/procedures/definitions/wdk_api-ms-win-dx-d3dkmt-l1-1-6.py +1 -0
angr/procedures/definitions/wdk_clfs.py +1 -0
angr/procedures/definitions/wdk_fltmgr.py +1 -0
angr/procedures/definitions/wdk_fwpkclnt.py +1 -0
angr/procedures/definitions/wdk_fwpuclnt.py +1 -0
angr/procedures/definitions/wdk_gdi32.py +1 -0
angr/procedures/definitions/wdk_hal.py +1 -0
angr/procedures/definitions/wdk_ksecdd.py +1 -0
angr/procedures/definitions/wdk_ndis.py +1 -0
angr/procedures/definitions/wdk_ntoskrnl.py +1 -0
angr/procedures/definitions/wdk_offreg.py +1 -0
angr/procedures/definitions/wdk_pshed.py +1 -0
angr/procedures/definitions/wdk_secur32.py +1 -0
angr/procedures/definitions/wdk_vhfum.py +1 -0
angr/procedures/definitions/win32_aclui.py +1 -0
angr/procedures/definitions/win32_activeds.py +1 -0
angr/procedures/definitions/win32_advapi32.py +1 -0
angr/procedures/definitions/win32_advpack.py +1 -0
angr/procedures/definitions/win32_amsi.py +1 -0
angr/procedures/definitions/win32_api-ms-win-appmodel-runtime-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-appmodel-runtime-l1-1-3.py +1 -0
angr/procedures/definitions/win32_api-ms-win-appmodel-runtime-l1-1-6.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-apiquery-l2-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-backgroundtask-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-comm-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-comm-l1-1-2.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-enclave-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-errorhandling-l1-1-3.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-featurestaging-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-featurestaging-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-file-fromapp-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-handle-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-ioring-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-marshal-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-3.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-4.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-5.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-6.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-7.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-8.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-path-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-psm-appnotify-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-psm-appnotify-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-realtime-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-realtime-l1-1-2.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-slapi-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-state-helpers-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-synch-l1-2-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-3.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-4.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-6.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-util-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-error-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-error-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-registration-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-robuffer-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-roparameterizediid-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-string-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-string-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-core-wow64-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-devices-query-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-devices-query-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-dx-d3dkmt-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-deviceinformation-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-expandedresources-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-2.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-3.py +1 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-4.py +1 -0
angr/procedures/definitions/win32_api-ms-win-mm-misc-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-net-isolation-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-security-base-l1-2-2.py +1 -0
angr/procedures/definitions/win32_api-ms-win-security-isolatedcontainer-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-security-isolatedcontainer-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-service-core-l1-1-3.py +1 -0
angr/procedures/definitions/win32_api-ms-win-service-core-l1-1-4.py +1 -0
angr/procedures/definitions/win32_api-ms-win-service-core-l1-1-5.py +1 -0
angr/procedures/definitions/win32_api-ms-win-shcore-scaling-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-shcore-scaling-l1-1-1.py +1 -0
angr/procedures/definitions/win32_api-ms-win-shcore-scaling-l1-1-2.py +1 -0
angr/procedures/definitions/win32_api-ms-win-shcore-stream-winrt-l1-1-0.py +1 -0
angr/procedures/definitions/win32_api-ms-win-wsl-api-l1-1-0.py +1 -0
angr/procedures/definitions/win32_apphelp.py +1 -0
angr/procedures/definitions/win32_authz.py +1 -0
angr/procedures/definitions/win32_avicap32.py +1 -0
angr/procedures/definitions/win32_avifil32.py +1 -0
angr/procedures/definitions/win32_avrt.py +1 -0
angr/procedures/definitions/win32_bcp47mrm.py +1 -0
angr/procedures/definitions/win32_bcrypt.py +1 -0
angr/procedures/definitions/win32_bcryptprimitives.py +1 -0
angr/procedures/definitions/win32_bluetoothapis.py +1 -0
angr/procedures/definitions/win32_bthprops.py +1 -0
angr/procedures/definitions/win32_bthprops_cpl.py +1 -0
angr/procedures/definitions/win32_cabinet.py +1 -0
angr/procedures/definitions/win32_certadm.py +1 -0
angr/procedures/definitions/win32_certpoleng.py +1 -0
angr/procedures/definitions/win32_cfgmgr32.py +1 -0
angr/procedures/definitions/win32_chakra.py +1 -0
angr/procedures/definitions/win32_cldapi.py +1 -0
angr/procedures/definitions/win32_clfsw32.py +1 -0
angr/procedures/definitions/win32_clusapi.py +1 -0
angr/procedures/definitions/win32_comctl32.py +1 -0
angr/procedures/definitions/win32_comdlg32.py +1 -0
angr/procedures/definitions/win32_compstui.py +1 -0
angr/procedures/definitions/win32_computecore.py +1 -0
angr/procedures/definitions/win32_computenetwork.py +1 -0
angr/procedures/definitions/win32_computestorage.py +1 -0
angr/procedures/definitions/win32_comsvcs.py +1 -0
angr/procedures/definitions/win32_coremessaging.py +1 -0
angr/procedures/definitions/win32_credui.py +1 -0
angr/procedures/definitions/win32_crypt32.py +1 -0
angr/procedures/definitions/win32_cryptnet.py +1 -0
angr/procedures/definitions/win32_cryptui.py +1 -0
angr/procedures/definitions/win32_cryptxml.py +1 -0
angr/procedures/definitions/win32_cscapi.py +1 -0
angr/procedures/definitions/win32_d2d1.py +1 -0
angr/procedures/definitions/win32_d3d10.py +1 -0
angr/procedures/definitions/win32_d3d10_1.py +1 -0
angr/procedures/definitions/win32_d3d11.py +1 -0
angr/procedures/definitions/win32_d3d12.py +1 -0
angr/procedures/definitions/win32_d3d9.py +1 -0
angr/procedures/definitions/win32_d3dcompiler_47.py +1 -0
angr/procedures/definitions/win32_d3dcsx.py +1 -0
angr/procedures/definitions/win32_davclnt.py +1 -0
angr/procedures/definitions/win32_dbgeng.py +1 -0
angr/procedures/definitions/win32_dbghelp.py +1 -0
angr/procedures/definitions/win32_dbgmodel.py +1 -0
angr/procedures/definitions/win32_dciman32.py +1 -0
angr/procedures/definitions/win32_dcomp.py +1 -0
angr/procedures/definitions/win32_ddraw.py +1 -0
angr/procedures/definitions/win32_deviceaccess.py +1 -0
angr/procedures/definitions/win32_dflayout.py +1 -0
angr/procedures/definitions/win32_dhcpcsvc.py +1 -0
angr/procedures/definitions/win32_dhcpcsvc6.py +1 -0
angr/procedures/definitions/win32_dhcpsapi.py +1 -0
angr/procedures/definitions/win32_diagnosticdataquery.py +1 -0
angr/procedures/definitions/win32_dinput8.py +1 -0
angr/procedures/definitions/win32_directml.py +1 -0
angr/procedures/definitions/win32_dmprocessxmlfiltered.py +1 -0
angr/procedures/definitions/win32_dnsapi.py +1 -0
angr/procedures/definitions/win32_drt.py +1 -0
angr/procedures/definitions/win32_drtprov.py +1 -0
angr/procedures/definitions/win32_drttransport.py +1 -0
angr/procedures/definitions/win32_dsound.py +1 -0
angr/procedures/definitions/win32_dsparse.py +1 -0
angr/procedures/definitions/win32_dsprop.py +1 -0
angr/procedures/definitions/win32_dssec.py +1 -0
angr/procedures/definitions/win32_dsuiext.py +1 -0
angr/procedures/definitions/win32_dwmapi.py +1 -0
angr/procedures/definitions/win32_dwrite.py +1 -0
angr/procedures/definitions/win32_dxcompiler.py +1 -0
angr/procedures/definitions/win32_dxcore.py +1 -0
angr/procedures/definitions/win32_dxgi.py +1 -0
angr/procedures/definitions/win32_dxva2.py +1 -0
angr/procedures/definitions/win32_eappcfg.py +1 -0
angr/procedures/definitions/win32_eappprxy.py +1 -0
angr/procedures/definitions/win32_efswrt.py +1 -0
angr/procedures/definitions/win32_elscore.py +1 -0
angr/procedures/definitions/win32_esent.py +1 -0
angr/procedures/definitions/win32_evr.py +1 -0
angr/procedures/definitions/win32_faultrep.py +1 -0
angr/procedures/definitions/win32_fhsvcctl.py +1 -0
angr/procedures/definitions/win32_firewallapi.py +1 -0
angr/procedures/definitions/win32_fltlib.py +1 -0
angr/procedures/definitions/win32_fontsub.py +1 -0
angr/procedures/definitions/win32_forceinline.py +1 -0
angr/procedures/definitions/win32_fwpuclnt.py +1 -0
angr/procedures/definitions/win32_fxsutility.py +1 -0
angr/procedures/definitions/win32_gdi32.py +1 -0
angr/procedures/definitions/win32_gdiplus.py +1 -0
angr/procedures/definitions/win32_glu32.py +1 -0
angr/procedures/definitions/win32_gpedit.py +1 -0
angr/procedures/definitions/win32_hhctrl_ocx.py +1 -0
angr/procedures/definitions/win32_hid.py +1 -0
angr/procedures/definitions/win32_hlink.py +1 -0
angr/procedures/definitions/win32_hrtfapo.py +1 -0
angr/procedures/definitions/win32_httpapi.py +1 -0
angr/procedures/definitions/win32_icm32.py +1 -0
angr/procedures/definitions/win32_icmui.py +1 -0
angr/procedures/definitions/win32_icu.py +1 -0
angr/procedures/definitions/win32_ieframe.py +1 -0
angr/procedures/definitions/win32_imagehlp.py +1 -0
angr/procedures/definitions/win32_imgutil.py +1 -0
angr/procedures/definitions/win32_imm32.py +1 -0
angr/procedures/definitions/win32_infocardapi.py +1 -0
angr/procedures/definitions/win32_inkobjcore.py +1 -0
angr/procedures/definitions/win32_iphlpapi.py +1 -0
angr/procedures/definitions/win32_iscsidsc.py +1 -0
angr/procedures/definitions/win32_isolatedwindowsenvironmentutils.py +1 -0
angr/procedures/definitions/win32_kernel32.py +1 -0
angr/procedures/definitions/win32_kernelbase.py +1 -0
angr/procedures/definitions/win32_keycredmgr.py +1 -0
angr/procedures/definitions/win32_ksproxy_ax.py +1 -0
angr/procedures/definitions/win32_ksuser.py +1 -0
angr/procedures/definitions/win32_ktmw32.py +1 -0
angr/procedures/definitions/win32_licenseprotection.py +1 -0
angr/procedures/definitions/win32_loadperf.py +1 -0
angr/procedures/definitions/win32_magnification.py +1 -0
angr/procedures/definitions/win32_mapi32.py +1 -0
angr/procedures/definitions/win32_mdmlocalmanagement.py +1 -0
angr/procedures/definitions/win32_mdmregistration.py +1 -0
angr/procedures/definitions/win32_mf.py +1 -0
angr/procedures/definitions/win32_mfcore.py +1 -0
angr/procedures/definitions/win32_mfplat.py +1 -0
angr/procedures/definitions/win32_mfplay.py +1 -0
angr/procedures/definitions/win32_mfreadwrite.py +1 -0
angr/procedures/definitions/win32_mfsensorgroup.py +1 -0
angr/procedures/definitions/win32_mfsrcsnk.py +1 -0
angr/procedures/definitions/win32_mgmtapi.py +1 -0
angr/procedures/definitions/win32_mi.py +1 -0
angr/procedures/definitions/win32_mmdevapi.py +1 -0
angr/procedures/definitions/win32_mpr.py +1 -0
angr/procedures/definitions/win32_mprapi.py +1 -0
angr/procedures/definitions/win32_mqrt.py +1 -0
angr/procedures/definitions/win32_mrmsupport.py +1 -0
angr/procedures/definitions/win32_msacm32.py +1 -0
angr/procedures/definitions/win32_msajapi.py +1 -0
angr/procedures/definitions/win32_mscms.py +1 -0
angr/procedures/definitions/win32_mscoree.py +1 -0
angr/procedures/definitions/win32_msctfmonitor.py +1 -0
angr/procedures/definitions/win32_msdelta.py +1 -0
angr/procedures/definitions/win32_msdmo.py +1 -0
angr/procedures/definitions/win32_msdrm.py +1 -0
angr/procedures/definitions/win32_msi.py +1 -0
angr/procedures/definitions/win32_msimg32.py +1 -0
angr/procedures/definitions/win32_mspatcha.py +1 -0
angr/procedures/definitions/win32_mspatchc.py +1 -0
angr/procedures/definitions/win32_msports.py +1 -0
angr/procedures/definitions/win32_msrating.py +1 -0
angr/procedures/definitions/win32_mssign32.py +1 -0
angr/procedures/definitions/win32_mstask.py +1 -0
angr/procedures/definitions/win32_msvfw32.py +1 -0
angr/procedures/definitions/win32_mswsock.py +1 -0
angr/procedures/definitions/win32_mtxdm.py +1 -0
angr/procedures/definitions/win32_ncrypt.py +1 -0
angr/procedures/definitions/win32_ndfapi.py +1 -0
angr/procedures/definitions/win32_netapi32.py +1 -0
angr/procedures/definitions/win32_netsh.py +1 -0
angr/procedures/definitions/win32_netshell.py +1 -0
angr/procedures/definitions/win32_newdev.py +1 -0
angr/procedures/definitions/win32_ninput.py +1 -0
angr/procedures/definitions/win32_normaliz.py +1 -0
angr/procedures/definitions/win32_ntdll.py +1 -0
angr/procedures/definitions/win32_ntdllk.py +1 -0
angr/procedures/definitions/win32_ntdsapi.py +1 -0
angr/procedures/definitions/win32_ntlanman.py +1 -0
angr/procedures/definitions/win32_odbc32.py +1 -0
angr/procedures/definitions/win32_odbcbcp.py +1 -0
angr/procedures/definitions/win32_ole32.py +1 -0
angr/procedures/definitions/win32_oleacc.py +1 -0
angr/procedures/definitions/win32_oleaut32.py +1 -0
angr/procedures/definitions/win32_oledlg.py +1 -0
angr/procedures/definitions/win32_ondemandconnroutehelper.py +1 -0
angr/procedures/definitions/win32_opengl32.py +1 -0
angr/procedures/definitions/win32_opmxbox.py +1 -0
angr/procedures/definitions/win32_p2p.py +1 -0
angr/procedures/definitions/win32_p2pgraph.py +1 -0
angr/procedures/definitions/win32_pdh.py +1 -0
angr/procedures/definitions/win32_peerdist.py +1 -0
angr/procedures/definitions/win32_powrprof.py +1 -0
angr/procedures/definitions/win32_prntvpt.py +1 -0
angr/procedures/definitions/win32_projectedfslib.py +1 -0
angr/procedures/definitions/win32_propsys.py +1 -0
angr/procedures/definitions/win32_psapi.py +1 -0
angr/procedures/definitions/win32_quartz.py +1 -0
angr/procedures/definitions/win32_query.py +1 -0
angr/procedures/definitions/win32_qwave.py +1 -0
angr/procedures/definitions/win32_rasapi32.py +1 -0
angr/procedures/definitions/win32_rasdlg.py +1 -0
angr/procedures/definitions/win32_resutils.py +1 -0
angr/procedures/definitions/win32_rometadata.py +1 -0
angr/procedures/definitions/win32_rpcns4.py +1 -0
angr/procedures/definitions/win32_rpcproxy.py +1 -0
angr/procedures/definitions/win32_rpcrt4.py +1 -0
angr/procedures/definitions/win32_rstrtmgr.py +1 -0
angr/procedures/definitions/win32_rtm.py +1 -0
angr/procedures/definitions/win32_rtutils.py +1 -0
angr/procedures/definitions/win32_rtworkq.py +1 -0
angr/procedures/definitions/win32_sas.py +1 -0
angr/procedures/definitions/win32_scarddlg.py +1 -0
angr/procedures/definitions/win32_schannel.py +1 -0
angr/procedures/definitions/win32_sechost.py +1 -0
angr/procedures/definitions/win32_secur32.py +1 -0
angr/procedures/definitions/win32_sensapi.py +1 -0
angr/procedures/definitions/win32_sensorsutilsv2.py +1 -0
angr/procedures/definitions/win32_setupapi.py +1 -0
angr/procedures/definitions/win32_sfc.py +1 -0
angr/procedures/definitions/win32_shdocvw.py +1 -0
angr/procedures/definitions/win32_shell32.py +1 -0
angr/procedures/definitions/win32_shlwapi.py +1 -0
angr/procedures/definitions/win32_slc.py +1 -0
angr/procedures/definitions/win32_slcext.py +1 -0
angr/procedures/definitions/win32_slwga.py +1 -0
angr/procedures/definitions/win32_snmpapi.py +1 -0
angr/procedures/definitions/win32_spoolss.py +1 -0
angr/procedures/definitions/win32_srclient.py +1 -0
angr/procedures/definitions/win32_srpapi.py +1 -0
angr/procedures/definitions/win32_sspicli.py +1 -0
angr/procedures/definitions/win32_sti.py +1 -0
angr/procedures/definitions/win32_t2embed.py +1 -0
angr/procedures/definitions/win32_tapi32.py +1 -0
angr/procedures/definitions/win32_tbs.py +1 -0
angr/procedures/definitions/win32_tdh.py +1 -0
angr/procedures/definitions/win32_tokenbinding.py +1 -0
angr/procedures/definitions/win32_traffic.py +1 -0
angr/procedures/definitions/win32_txfw32.py +1 -0
angr/procedures/definitions/win32_ualapi.py +1 -0
angr/procedures/definitions/win32_uiautomationcore.py +1 -0
angr/procedures/definitions/win32_urlmon.py +1 -0
angr/procedures/definitions/win32_user32.py +1 -0
angr/procedures/definitions/win32_userenv.py +1 -0
angr/procedures/definitions/win32_usp10.py +1 -0
angr/procedures/definitions/win32_uxtheme.py +1 -0
angr/procedures/definitions/win32_verifier.py +1 -0
angr/procedures/definitions/win32_version.py +1 -0
angr/procedures/definitions/win32_vertdll.py +1 -0
angr/procedures/definitions/win32_virtdisk.py +1 -0
angr/procedures/definitions/win32_vmdevicehost.py +1 -0
angr/procedures/definitions/win32_vmsavedstatedumpprovider.py +1 -0
angr/procedures/definitions/win32_vssapi.py +1 -0
angr/procedures/definitions/win32_wcmapi.py +1 -0
angr/procedures/definitions/win32_wdsbp.py +1 -0
angr/procedures/definitions/win32_wdsclientapi.py +1 -0
angr/procedures/definitions/win32_wdsmc.py +1 -0
angr/procedures/definitions/win32_wdspxe.py +1 -0
angr/procedures/definitions/win32_wdstptc.py +1 -0
angr/procedures/definitions/win32_webauthn.py +1 -0
angr/procedures/definitions/win32_webservices.py +1 -0
angr/procedures/definitions/win32_websocket.py +1 -0
angr/procedures/definitions/win32_wecapi.py +1 -0
angr/procedures/definitions/win32_wer.py +1 -0
angr/procedures/definitions/win32_wevtapi.py +1 -0
angr/procedures/definitions/win32_winbio.py +1 -0
angr/procedures/definitions/win32_windows_ai_machinelearning.py +1 -0
angr/procedures/definitions/win32_windows_data_pdf.py +1 -0
angr/procedures/definitions/win32_windows_media_mediacontrol.py +1 -0
angr/procedures/definitions/win32_windows_networking.py +1 -0
angr/procedures/definitions/win32_windows_ui_xaml.py +1 -0
angr/procedures/definitions/win32_windowscodecs.py +1 -0
angr/procedures/definitions/win32_winfax.py +1 -0
angr/procedures/definitions/win32_winhttp.py +1 -0
angr/procedures/definitions/win32_winhvemulation.py +1 -0
angr/procedures/definitions/win32_winhvplatform.py +1 -0
angr/procedures/definitions/win32_wininet.py +1 -0
angr/procedures/definitions/win32_winml.py +1 -0
angr/procedures/definitions/win32_winmm.py +1 -0
angr/procedures/definitions/win32_winscard.py +1 -0
angr/procedures/definitions/win32_winspool.py +1 -0
angr/procedures/definitions/win32_winspool_drv.py +1 -0
angr/procedures/definitions/win32_wintrust.py +1 -0
angr/procedures/definitions/win32_winusb.py +1 -0
angr/procedures/definitions/win32_wlanapi.py +1 -0
angr/procedures/definitions/win32_wlanui.py +1 -0
angr/procedures/definitions/win32_wldap32.py +1 -0
angr/procedures/definitions/win32_wldp.py +1 -0
angr/procedures/definitions/win32_wmvcore.py +1 -0
angr/procedures/definitions/win32_wnvapi.py +1 -0
angr/procedures/definitions/win32_wofutil.py +1 -0
angr/procedures/definitions/win32_ws2_32.py +1 -0
angr/procedures/definitions/win32_wscapi.py +1 -0
angr/procedures/definitions/win32_wsclient.py +1 -0
angr/procedures/definitions/win32_wsdapi.py +1 -0
angr/procedures/definitions/win32_wsmsvc.py +1 -0
angr/procedures/definitions/win32_wsnmp32.py +1 -0
angr/procedures/definitions/win32_wtsapi32.py +1 -0
angr/procedures/definitions/win32_xaudio2_8.py +1 -0
angr/procedures/definitions/win32_xinput1_4.py +1 -0
angr/procedures/definitions/win32_xinputuap.py +1 -0
angr/procedures/definitions/win32_xmllite.py +1 -0
angr/procedures/definitions/win32_xolehlp.py +1 -0
angr/procedures/definitions/win32_xpsprint.py +1 -0
angr/procedures/glibc/__ctype_b_loc.py +2 -3
angr/procedures/glibc/__ctype_tolower_loc.py +2 -3
angr/procedures/glibc/__ctype_toupper_loc.py +2 -3
angr/procedures/glibc/__errno_location.py +1 -0
angr/procedures/glibc/__libc_init.py +1 -0
angr/procedures/glibc/__libc_start_main.py +2 -3
angr/procedures/glibc/dynamic_loading.py +1 -0
angr/procedures/glibc/scanf.py +1 -0
angr/procedures/glibc/sscanf.py +1 -0
angr/procedures/gnulib/xalloc_die.py +1 -0
angr/procedures/gnulib/xstrtol_fatal.py +1 -0
angr/procedures/java/__init__.py +1 -0
angr/procedures/java/unconstrained.py +3 -2
angr/procedures/java_io/read.py +1 -0
angr/procedures/java_io/write.py +1 -0
angr/procedures/java_jni/__init__.py +4 -5
angr/procedures/java_jni/array_operations.py +1 -0
angr/procedures/java_jni/class_and_interface_operations.py +3 -3
angr/procedures/java_jni/field_access.py +3 -6
angr/procedures/java_jni/global_and_local_refs.py +1 -0
angr/procedures/java_jni/method_calls.py +3 -2
angr/procedures/java_jni/not_implemented.py +2 -1
angr/procedures/java_jni/object_operations.py +3 -4
angr/procedures/java_jni/string_operations.py +1 -0
angr/procedures/java_jni/version_information.py +1 -0
angr/procedures/java_lang/character.py +2 -3
angr/procedures/java_lang/double.py +2 -2
angr/procedures/java_lang/exit.py +1 -0
angr/procedures/java_lang/getsimplename.py +2 -2
angr/procedures/java_lang/integer.py +1 -0
angr/procedures/java_lang/load_library.py +1 -0
angr/procedures/java_lang/math.py +1 -0
angr/procedures/java_lang/string.py +2 -2
angr/procedures/java_lang/stringbuilder.py +1 -0
angr/procedures/java_lang/system.py +1 -0
angr/procedures/java_util/collection.py +1 -0
angr/procedures/java_util/iterator.py +1 -0
angr/procedures/java_util/list.py +1 -0
angr/procedures/java_util/map.py +3 -4
angr/procedures/java_util/random.py +1 -0
angr/procedures/java_util/scanner_nextline.py +1 -0
angr/procedures/libc/abort.py +1 -0
angr/procedures/libc/access.py +1 -0
angr/procedures/libc/atoi.py +2 -2
angr/procedures/libc/atol.py +1 -0
angr/procedures/libc/calloc.py +1 -0
angr/procedures/libc/closelog.py +1 -0
angr/procedures/libc/err.py +1 -0
angr/procedures/libc/error.py +2 -3
angr/procedures/libc/exit.py +1 -0
angr/procedures/libc/fclose.py +2 -3
angr/procedures/libc/feof.py +1 -0
angr/procedures/libc/fflush.py +1 -0
angr/procedures/libc/fgetc.py +1 -0
angr/procedures/libc/fgets.py +19 -19
angr/procedures/libc/fopen.py +6 -8
angr/procedures/libc/fprintf.py +1 -0
angr/procedures/libc/fputc.py +1 -0
angr/procedures/libc/fputs.py +1 -0
angr/procedures/libc/fread.py +1 -0
angr/procedures/libc/free.py +1 -0
angr/procedures/libc/fscanf.py +2 -2
angr/procedures/libc/fseek.py +3 -2
angr/procedures/libc/ftell.py +1 -0
angr/procedures/libc/fwrite.py +1 -0
angr/procedures/libc/getchar.py +2 -2
angr/procedures/libc/getdelim.py +25 -25
angr/procedures/libc/getegid.py +1 -0
angr/procedures/libc/geteuid.py +1 -0
angr/procedures/libc/getgid.py +1 -0
angr/procedures/libc/gets.py +18 -18
angr/procedures/libc/getuid.py +1 -0
angr/procedures/libc/malloc.py +1 -0
angr/procedures/libc/memcmp.py +3 -6
angr/procedures/libc/memcpy.py +1 -0
angr/procedures/libc/memset.py +1 -0
angr/procedures/libc/openlog.py +1 -0
angr/procedures/libc/perror.py +1 -0
angr/procedures/libc/printf.py +1 -0
angr/procedures/libc/putchar.py +1 -0
angr/procedures/libc/puts.py +1 -0
angr/procedures/libc/rand.py +1 -0
angr/procedures/libc/realloc.py +1 -0
angr/procedures/libc/rewind.py +2 -1
angr/procedures/libc/scanf.py +2 -2
angr/procedures/libc/setbuf.py +1 -0
angr/procedures/libc/setvbuf.py +1 -0
angr/procedures/libc/snprintf.py +1 -0
angr/procedures/libc/sprintf.py +1 -0
angr/procedures/libc/srand.py +1 -0
angr/procedures/libc/sscanf.py +2 -2
angr/procedures/libc/stpcpy.py +2 -2
angr/procedures/libc/strcat.py +1 -0
angr/procedures/libc/strchr.py +1 -0
angr/procedures/libc/strcmp.py +1 -0
angr/procedures/libc/strcpy.py +2 -2
angr/procedures/libc/strlen.py +35 -31
angr/procedures/libc/strncat.py +1 -0
angr/procedures/libc/strncmp.py +9 -11
angr/procedures/libc/strncpy.py +1 -0
angr/procedures/libc/strnlen.py +2 -2
angr/procedures/libc/strstr.py +8 -4
angr/procedures/libc/strtol.py +9 -9
angr/procedures/libc/strtoul.py +2 -2
angr/procedures/libc/system.py +1 -0
angr/procedures/libc/time.py +2 -2
angr/procedures/libc/tmpnam.py +1 -0
angr/procedures/libc/tolower.py +1 -0
angr/procedures/libc/toupper.py +1 -0
angr/procedures/libc/ungetc.py +1 -0
angr/procedures/libc/vsnprintf.py +1 -0
angr/procedures/libc/wchar.py +1 -0
angr/procedures/libstdcpp/_unwind_resume.py +1 -0
angr/procedures/libstdcpp/std____throw_bad_alloc.py +1 -0
angr/procedures/libstdcpp/std____throw_bad_cast.py +1 -0
angr/procedures/libstdcpp/std____throw_length_error.py +1 -0
angr/procedures/libstdcpp/std____throw_logic_error.py +1 -0
angr/procedures/libstdcpp/std__terminate.py +1 -0
angr/procedures/linux_kernel/access.py +1 -0
angr/procedures/linux_kernel/arch_prctl.py +1 -0
angr/procedures/linux_kernel/arm_user_helpers.py +1 -0
angr/procedures/linux_kernel/brk.py +1 -0
angr/procedures/linux_kernel/cwd.py +1 -0
angr/procedures/linux_kernel/fstat.py +2 -1
angr/procedures/linux_kernel/fstat64.py +2 -1
angr/procedures/linux_kernel/futex.py +3 -3
angr/procedures/linux_kernel/getegid.py +1 -0
angr/procedures/linux_kernel/geteuid.py +1 -0
angr/procedures/linux_kernel/getgid.py +1 -0
angr/procedures/linux_kernel/getpid.py +1 -0
angr/procedures/linux_kernel/getrlimit.py +3 -3
angr/procedures/linux_kernel/gettid.py +1 -0
angr/procedures/linux_kernel/getuid.py +1 -0
angr/procedures/linux_kernel/iovec.py +1 -0
angr/procedures/linux_kernel/lseek.py +1 -0
angr/procedures/linux_kernel/mmap.py +1 -0
angr/procedures/linux_kernel/mprotect.py +7 -6
angr/procedures/linux_kernel/munmap.py +1 -0
angr/procedures/linux_kernel/openat.py +3 -5
angr/procedures/linux_kernel/set_tid_address.py +1 -0
angr/procedures/linux_kernel/sigaction.py +1 -0
angr/procedures/linux_kernel/sigprocmask.py +1 -0
angr/procedures/linux_kernel/stat.py +3 -2
angr/procedures/linux_kernel/sysinfo.py +1 -0
angr/procedures/linux_kernel/tgkill.py +1 -0
angr/procedures/linux_kernel/time.py +2 -1
angr/procedures/linux_kernel/uid.py +1 -0
angr/procedures/linux_kernel/uname.py +1 -0
angr/procedures/linux_kernel/unlink.py +2 -2
angr/procedures/linux_kernel/vsyscall.py +1 -0
angr/procedures/linux_loader/_dl_initial_error_catch_tsd.py +1 -0
angr/procedures/linux_loader/_dl_rtld_lock.py +1 -0
angr/procedures/linux_loader/sim_loader.py +1 -0
angr/procedures/linux_loader/tls.py +2 -2
angr/procedures/msvcr/__getmainargs.py +1 -0
angr/procedures/msvcr/_initterm.py +1 -0
angr/procedures/msvcr/fmode.py +1 -0
angr/procedures/ntdll/exceptions.py +4 -3
angr/procedures/posix/accept.py +2 -2
angr/procedures/posix/bind.py +1 -0
angr/procedures/posix/bzero.py +1 -0
angr/procedures/posix/chroot.py +1 -0
angr/procedures/posix/close.py +2 -2
angr/procedures/posix/closedir.py +1 -0
angr/procedures/posix/dup.py +4 -3
angr/procedures/posix/fcntl.py +1 -0
angr/procedures/posix/fdopen.py +16 -19
angr/procedures/posix/fileno.py +1 -0
angr/procedures/posix/fork.py +1 -0
angr/procedures/posix/getenv.py +1 -0
angr/procedures/posix/gethostbyname.py +1 -0
angr/procedures/posix/getpass.py +1 -0
angr/procedures/posix/getsockopt.py +1 -0
angr/procedures/posix/htonl.py +2 -2
angr/procedures/posix/htons.py +2 -2
angr/procedures/posix/inet_ntoa.py +3 -5
angr/procedures/posix/listen.py +1 -0
angr/procedures/posix/mmap.py +2 -1
angr/procedures/posix/open.py +1 -0
angr/procedures/posix/opendir.py +1 -0
angr/procedures/posix/poll.py +3 -3
angr/procedures/posix/pread64.py +1 -0
angr/procedures/posix/pthread.py +3 -3
angr/procedures/posix/pwrite64.py +1 -0
angr/procedures/posix/read.py +1 -0
angr/procedures/posix/readdir.py +1 -1
angr/procedures/posix/recv.py +1 -0
angr/procedures/posix/recvfrom.py +1 -0
angr/procedures/posix/select.py +7 -7
angr/procedures/posix/send.py +2 -2
angr/procedures/posix/setsockopt.py +1 -0
angr/procedures/posix/sigaction.py +1 -0
angr/procedures/posix/sim_time.py +1 -0
angr/procedures/posix/sleep.py +1 -0
angr/procedures/posix/socket.py +2 -2
angr/procedures/posix/strcasecmp.py +1 -0
angr/procedures/posix/strdup.py +1 -0
angr/procedures/posix/strtok_r.py +32 -36
angr/procedures/posix/syslog.py +1 -0
angr/procedures/posix/tz.py +1 -0
angr/procedures/posix/unlink.py +1 -0
angr/procedures/posix/usleep.py +1 -0
angr/procedures/posix/write.py +1 -0
angr/procedures/procedure_dict.py +1 -0
angr/procedures/stubs/CallReturn.py +1 -0
angr/procedures/stubs/NoReturnUnconstrained.py +1 -0
angr/procedures/stubs/Nop.py +1 -0
angr/procedures/stubs/PathTerminator.py +1 -0
angr/procedures/stubs/Redirect.py +2 -1
angr/procedures/stubs/ReturnChar.py +1 -0
angr/procedures/stubs/ReturnUnconstrained.py +2 -1
angr/procedures/stubs/UnresolvableCallTarget.py +1 -0
angr/procedures/stubs/UnresolvableJumpTarget.py +1 -0
angr/procedures/stubs/UserHook.py +1 -0
angr/procedures/stubs/b64_decode.py +1 -0
angr/procedures/stubs/caller.py +1 -0
angr/procedures/stubs/crazy_scanf.py +1 -0
angr/procedures/stubs/format_parser.py +11 -15
angr/procedures/stubs/syscall_stub.py +6 -7
angr/procedures/testing/manyargs.py +1 -0
angr/procedures/testing/retreg.py +2 -2
angr/procedures/tracer/random.py +1 -0
angr/procedures/tracer/receive.py +4 -4
angr/procedures/tracer/transmit.py +4 -4
angr/procedures/uclibc/__uClibc_main.py +1 -0
angr/procedures/win32/EncodePointer.py +1 -0
angr/procedures/win32/ExitProcess.py +1 -0
angr/procedures/win32/GetCommandLine.py +1 -0
angr/procedures/win32/GetCurrentProcessId.py +1 -0
angr/procedures/win32/GetCurrentThreadId.py +1 -0
angr/procedures/win32/GetLastInputInfo.py +1 -0
angr/procedures/win32/GetModuleHandle.py +3 -4
angr/procedures/win32/GetProcessAffinityMask.py +1 -0
angr/procedures/win32/InterlockedExchange.py +2 -1
angr/procedures/win32/IsProcessorFeaturePresent.py +1 -0
angr/procedures/win32/VirtualAlloc.py +2 -1
angr/procedures/win32/VirtualProtect.py +1 -0
angr/procedures/win32/critical_section.py +1 -0
angr/procedures/win32/dynamic_loading.py +2 -1
angr/procedures/win32/file_handles.py +4 -4
angr/procedures/win32/gethostbyname.py +2 -2
angr/procedures/win32/heap.py +1 -0
angr/procedures/win32/is_bad_ptr.py +1 -0
angr/procedures/win32/local_storage.py +7 -6
angr/procedures/win32/mutex.py +1 -0
angr/procedures/win32/sim_time.py +7 -10
angr/procedures/win32/system_paths.py +5 -4
angr/procedures/win32_kernel/ExAllocatePool.py +1 -0
angr/procedures/win32_kernel/ExFreePoolWithTag.py +1 -0
angr/procedures/win_user32/chars.py +1 -0
angr/procedures/win_user32/keyboard.py +1 -0
angr/procedures/win_user32/messagebox.py +2 -4
angr/project.py +15 -22
angr/protos/__init__.py +1 -0
angr/serializable.py +6 -3
angr/sim_manager.py +18 -18
angr/sim_options.py +5 -7
angr/sim_procedure.py +11 -10
angr/sim_state.py +40 -54
angr/sim_state_options.py +9 -15
angr/sim_type.py +93 -123
angr/sim_variable.py +23 -38
angr/simos/__init__.py +3 -1
angr/simos/cgc.py +2 -1
angr/simos/javavm.py +77 -83
angr/simos/linux.py +53 -63
angr/simos/simos.py +13 -22
angr/simos/snimmuc_nxp.py +3 -6
angr/simos/userland.py +6 -6
angr/simos/windows.py +13 -10
angr/slicer.py +13 -11
angr/state_hierarchy.py +3 -3
angr/state_plugins/__init__.py +1 -0
angr/state_plugins/callstack.py +19 -18
angr/state_plugins/cgc.py +5 -4
angr/state_plugins/concrete.py +7 -8
angr/state_plugins/debug_variables.py +15 -17
angr/state_plugins/filesystem.py +13 -19
angr/state_plugins/gdb.py +3 -2
angr/state_plugins/globals.py +5 -1
angr/state_plugins/heap/__init__.py +1 -0
angr/state_plugins/heap/heap_base.py +1 -0
angr/state_plugins/heap/heap_brk.py +9 -6
angr/state_plugins/heap/heap_freelist.py +12 -9
angr/state_plugins/heap/heap_libc.py +1 -0
angr/state_plugins/heap/heap_ptmalloc.py +27 -36
angr/state_plugins/heap/utils.py +1 -0
angr/state_plugins/history.py +7 -10
angr/state_plugins/inspect.py +1 -0
angr/state_plugins/javavm_classloader.py +3 -2
angr/state_plugins/jni_references.py +2 -1
angr/state_plugins/libc.py +4 -4
angr/state_plugins/light_registers.py +6 -8
angr/state_plugins/log.py +1 -0
angr/state_plugins/loop_data.py +1 -0
angr/state_plugins/plugin.py +7 -8
angr/state_plugins/posix.py +14 -22
angr/state_plugins/preconstrainer.py +2 -1
angr/state_plugins/scratch.py +5 -4
angr/state_plugins/sim_action.py +15 -20
angr/state_plugins/sim_action_object.py +205 -82
angr/state_plugins/sim_event.py +1 -0
angr/state_plugins/solver.py +64 -92
angr/state_plugins/symbolizer.py +5 -6
angr/state_plugins/trace_additions.py +24 -34
angr/state_plugins/uc_manager.py +16 -9
angr/state_plugins/unicorn_engine.py +21 -37
angr/state_plugins/view.py +20 -19
angr/storage/__init__.py +1 -0
angr/storage/file.py +19 -21
angr/storage/memory_mixins/__init__.py +12 -15
angr/storage/memory_mixins/__init__.pyi +13 -14
angr/storage/memory_mixins/actions_mixin.py +1 -0
angr/storage/memory_mixins/address_concretization_mixin.py +11 -15
angr/storage/memory_mixins/bvv_conversion_mixin.py +10 -11
angr/storage/memory_mixins/clouseau_mixin.py +1 -0
angr/storage/memory_mixins/conditional_store_mixin.py +1 -0
angr/storage/memory_mixins/convenient_mappings_mixin.py +1 -0
angr/storage/memory_mixins/default_filler_mixin.py +12 -14
angr/storage/memory_mixins/dirty_addrs_mixin.py +1 -0
angr/storage/memory_mixins/hex_dumper_mixin.py +6 -9
angr/storage/memory_mixins/javavm_memory/__init__.py +1 -0
angr/storage/memory_mixins/javavm_memory/javavm_memory_mixin.py +16 -23
angr/storage/memory_mixins/keyvalue_memory/__init__.py +1 -0
angr/storage/memory_mixins/keyvalue_memory/keyvalue_memory_mixin.py +2 -1
angr/storage/memory_mixins/label_merger_mixin.py +2 -2
angr/storage/memory_mixins/multi_value_merger_mixin.py +1 -0
angr/storage/memory_mixins/name_resolution_mixin.py +12 -15
angr/storage/memory_mixins/paged_memory/page_backer_mixins.py +6 -6
angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py +22 -36
angr/storage/memory_mixins/paged_memory/paged_memory_multivalue_mixin.py +1 -0
angr/storage/memory_mixins/paged_memory/pages/__init__.py +1 -2
angr/storage/memory_mixins/paged_memory/pages/cooperation.py +4 -3
angr/storage/memory_mixins/paged_memory/pages/history_tracking_mixin.py +4 -4
angr/storage/memory_mixins/paged_memory/pages/ispo_mixin.py +1 -0
angr/storage/memory_mixins/paged_memory/pages/list_page.py +12 -20
angr/storage/memory_mixins/paged_memory/pages/multi_values.py +14 -19
angr/storage/memory_mixins/paged_memory/pages/mv_list_page.py +26 -32
angr/storage/memory_mixins/paged_memory/pages/permissions_mixin.py +1 -0
angr/storage/memory_mixins/paged_memory/pages/refcount_mixin.py +2 -2
angr/storage/memory_mixins/paged_memory/pages/ultra_page.py +37 -41
angr/storage/memory_mixins/paged_memory/privileged_mixin.py +1 -0
angr/storage/memory_mixins/paged_memory/stack_allocation_mixin.py +1 -0
angr/storage/memory_mixins/regioned_memory/__init__.py +1 -0
angr/storage/memory_mixins/regioned_memory/abstract_address_descriptor.py +5 -4
angr/storage/memory_mixins/regioned_memory/abstract_merger_mixin.py +6 -21
angr/storage/memory_mixins/regioned_memory/region_category_mixin.py +1 -0
angr/storage/memory_mixins/regioned_memory/region_data.py +4 -5
angr/storage/memory_mixins/regioned_memory/region_meta_mixin.py +129 -13
angr/storage/memory_mixins/regioned_memory/regioned_address_concretization_mixin.py +2 -1
angr/storage/memory_mixins/regioned_memory/regioned_memory_mixin.py +34 -44
angr/storage/memory_mixins/regioned_memory/static_find_mixin.py +7 -9
angr/storage/memory_mixins/simple_interface_mixin.py +8 -11
angr/storage/memory_mixins/simplification_mixin.py +1 -0
angr/storage/memory_mixins/size_resolution_mixin.py +4 -3
angr/storage/memory_mixins/slotted_memory.py +3 -3
angr/storage/memory_mixins/smart_find_mixin.py +1 -0
angr/storage/memory_mixins/symbolic_merger_mixin.py +1 -0
angr/storage/memory_mixins/top_merger_mixin.py +2 -2
angr/storage/memory_mixins/underconstrained_mixin.py +12 -14
angr/storage/memory_mixins/unwrapper_mixin.py +1 -0
angr/storage/memory_object.py +30 -28
angr/storage/pcap.py +3 -3
angr/tablespecs.py +1 -0
angr/utils/__init__.py +1 -0
angr/utils/ail.py +30 -0
angr/utils/algo.py +1 -0
angr/utils/bits.py +12 -0
angr/utils/constants.py +2 -0
angr/utils/cowdict.py +3 -4
angr/utils/dynamic_dictlist.py +4 -7
angr/utils/endness.py +1 -0
angr/utils/enums_conv.py +1 -0
angr/utils/env.py +1 -0
angr/utils/formatting.py +1 -0
angr/utils/funcid.py +15 -14
angr/utils/graph.py +52 -19
angr/utils/lazy_import.py +1 -0
angr/utils/library.py +10 -13
angr/utils/loader.py +6 -6
angr/utils/mp.py +4 -3
angr/utils/orderedset.py +1 -0
angr/utils/segment_list.py +7 -9
angr/utils/ssa/__init__.py +198 -0
angr/utils/ssa/tmp_uses_collector.py +23 -0
angr/utils/ssa/vvar_uses_collector.py +37 -0
angr/utils/timing.py +2 -2
angr/utils/typing.py +1 -0
angr/vaults.py +7 -8
{angr-9.2.117.dist-info → angr-9.2.118.dist-info}/METADATA +7 -8
angr-9.2.118.dist-info/RECORD +1344 -0
{angr-9.2.117.dist-info → angr-9.2.118.dist-info}/WHEEL +1 -1
angr/analyses/decompiler/optimization_passes/spilled_register_finder.py +0 -18
angr/analyses/decompiler/seq_cf_structure_counter.py +0 -37
angr/service.py +0 -35
angr-9.2.117.dist-info/RECORD +0 -1310
{angr-9.2.117.dist-info → angr-9.2.118.dist-info}/LICENSE +0 -0
{angr-9.2.117.dist-info → angr-9.2.118.dist-info}/entry_points.txt +0 -0
{angr-9.2.117.dist-info → angr-9.2.118.dist-info}/top_level.txt +0 -0

angr/analyses/decompiler/clinic.py CHANGED Viewed

@@ -1,11 +1,11 @@
 from __future__ import annotations
+from typing import Any, NamedTuple, TYPE_CHECKING
 import copy
-from collections import defaultdict, namedtuple
 import logging
 import enum
-from dataclasses import dataclass
-from typing import Any, NamedTuple, TYPE_CHECKING
+from collections import defaultdict, namedtuple
 from collections.abc import Iterable
+from dataclasses import dataclass
 import networkx
 import capstone
@@ -17,7 +17,7 @@ from ...knowledge_plugins.functions import Function
 from ...knowledge_plugins.cfg.memory_data import MemoryDataSort
 from ...codenode import BlockNode
 from ...utils import timethis
-from ...calling_conventions import SimRegArg, SimStackArg, SimStructArg, SimFunctionArgument
+from ...calling_conventions import SimRegArg, SimStackArg, SimFunctionArgument
 from ...sim_type import (
     SimTypeChar,
     SimTypeInt,
@@ -30,7 +30,6 @@ from ...sim_type import (
 )
 from ..stack_pointer_tracker import Register, OffsetVal
 from ...sim_variable import SimVariable, SimStackVariable, SimRegisterVariable, SimMemoryVariable
-from ...knowledge_plugins.key_definitions.constants import OP_BEFORE
 from ...procedures.stubs.UnresolvableCallTarget import UnresolvableCallTarget
 from ...procedures.stubs.UnresolvableJumpTarget import UnresolvableJumpTarget
 from .. import Analysis, register_analysis
@@ -43,10 +42,10 @@ from .optimization_passes import (
     OptimizationPassStage,
     RegisterSaveAreaSimplifier,
     StackCanarySimplifier,
-    SpilledRegisterFinder,
     DUPLICATING_OPTS,
     CONDENSING_OPTS,
 )
+from .utils import first_nonlabel_statement_id
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg import CFGModel
@@ -110,6 +109,7 @@ class Clinic(Analysis):
         inline_functions: set[Function] | None = frozenset(),
         inlined_counts: dict[int, int] | None = None,
         inlining_parents: set[int] | None = None,
+        vvar_id_start: int = 0,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -120,6 +120,7 @@ class Clinic(Analysis):
         self.cc_graph: networkx.DiGraph | None = None
         self.unoptimized_graph: networkx.DiGraph | None = None
         self.arg_list = None
+        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimRegArg]] | None = None
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, int] = {}  # data address to instruction address
@@ -127,6 +128,7 @@ class Clinic(Analysis):
         self._func_graph: networkx.DiGraph | None = None
         self._ail_manager = None
         self._blocks_by_addr_and_size = {}
+        self._entry_node_addr: tuple[int, int | None] = self.function.addr, None
         self._fold_callexprs_into_conditions = fold_callexprs_into_conditions
         self._insert_labels = insert_labels
@@ -141,6 +143,8 @@ class Clinic(Analysis):
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
+        self.vvar_id_start = vvar_id_start
+        self.vvar_to_vvar: dict[int, int] | None = None
         # inlining help
         self._sp_shift = sp_shift
@@ -296,11 +300,13 @@ class Clinic(Analysis):
             callee,
             mode=ClinicMode.DECOMPILE,
             inline_functions=self._inline_functions,
-            inlining_parents=self._inlining_parents + (self.function.addr,),
+            inlining_parents=(*self._inlining_parents, self.function.addr),
             inlined_counts=self._inlined_counts,
-            optimization_passes=[StackCanarySimplifier, SpilledRegisterFinder],
+            optimization_passes=[StackCanarySimplifier],
             sp_shift=self._max_stack_depth,
+            vvar_id_start=self.vvar_id_start,
         )
+        self.vvar_id_start = callee_clinic.vvar_id_start + 1
         self._max_stack_depth = callee_clinic._max_stack_depth
         callee_graph = callee_clinic.copy_graph()
@@ -318,34 +324,29 @@ class Clinic(Analysis):
         ail_graph.remove_edge(caller_block, caller_successor)
         # update all callee return nodes with caller successor
-        # and rewrite pseudoreg-tagged spills to actually use pseudoregs
         ail_graph = networkx.union(ail_graph, callee_graph)
         for blk in callee_graph.nodes():
             for idx, stmt in enumerate(list(blk.statements)):
                 if isinstance(stmt, ailment.Stmt.Return):
-                    blk.statements[idx] = ailment.Stmt.Jump(
-                        None,
-                        ailment.Expr.Const(None, None, caller_successor.addr, self.project.arch.bits),
-                        caller_successor.idx,
-                        **blk.statements[idx].tags,
-                    )
+                    # replace the return statement with an assignment to the return register
                     blk.statements.pop(idx)
+                    if stmt.ret_exprs:
+                        assign_to_retreg = ailment.Stmt.Assignment(
+                            self._ail_manager.next_atom(),
+                            ailment.Expr.Register(
+                                self._ail_manager.next_atom(),
+                                None,
+                                self.project.arch.ret_offset,
+                                self.project.arch.bits,
+                            ),
+                            stmt.ret_exprs[0],
+                            **stmt.tags,
+                        )
+                        blk.statements.insert(idx, assign_to_retreg)
+                        idx += 1
                     ail_graph.add_edge(blk, caller_successor)
                     break
-                if "pseudoreg" in stmt.tags and isinstance(stmt, ailment.Stmt.Store):
-                    new_stmt = ailment.Stmt.Assignment(
-                        stmt.idx, ailment.Expr.Register(None, None, stmt.pseudoreg, stmt.size * 8), stmt.data
-                    )
-                    new_stmt.tags.update(stmt.tags)
-                    new_stmt.tags.pop("pseudoreg")
-                    blk.statements[idx] = new_stmt
-                if "pseudoreg" in stmt.tags and isinstance(stmt, ailment.Stmt.Assignment):
-                    new_stmt = ailment.Stmt.Assignment(
-                        stmt.idx, stmt.dst, ailment.Expr.Register(None, None, stmt.pseudoreg, stmt.src.size * 8)
-                    )
-                    new_stmt.tags.update(stmt.tags)
-                    new_stmt.tags.pop("pseudoreg")
-                    blk.statements[idx] = new_stmt
         # update the call edge
         caller_block.statements[call_idx] = ailment.Stmt.Jump(
@@ -372,6 +373,20 @@ class Clinic(Analysis):
             and caller_block.statements[call_idx - 1].data.value == caller_successor.addr
         ):
             caller_block.statements.pop(call_idx - 1)  # s_10 =L 0x401225<64><8>
+        # update caller_block to setup parameters
+        if callee_clinic.arg_vvars:
+            for arg_idx in sorted(callee_clinic.arg_vvars.keys()):
+                param_vvar, reg_arg = callee_clinic.arg_vvars[arg_idx]
+                reg_offset = reg_arg.reg
+                stmt = ailment.Stmt.Assignment(
+                    self._ail_manager.next_atom(),
+                    param_vvar,
+                    ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
+                    ins_addr=caller_block.addr + caller_block.original_size,
+                )
+                caller_block.statements.append(stmt)
         ail_graph.add_edge(caller_block, callee_start)
         return ail_graph
@@ -398,8 +413,22 @@ class Clinic(Analysis):
         if self.function.prototype is None or not isinstance(self.function.prototype.returnty, SimTypeBottom):
             ail_graph = self._make_returns(ail_graph)
+        ail_graph = self._run_simplification_passes(
+            ail_graph, stage=OptimizationPassStage.BEFORE_SSA_LEVEL0_TRANSFORMATION
+        )
+        # Make function arguments
+        self._update_progress(33.0, text="Making argument list")
+        arg_list = self._make_argument_list()
+        arg_vvars = {}
+        ail_graph = self._create_argument_accessing_statements(arg_list, ail_graph, arg_vvars)
+        # Transform the graph into partial SSA form
+        self._update_progress(35.0, text="Transforming to partial-SSA form")
+        ail_graph = self._transform_to_ssa_level0(ail_graph)
         # full-function constant-only propagation
-        self._update_progress(33.0, text="Constant propagation")
+        self._update_progress(36.0, text="Constant propagation")
         self._simplify_function(
             ail_graph,
             remove_dead_memdefs=False,
@@ -414,13 +443,13 @@ class Clinic(Analysis):
         block_simplification_cache: dict[ailment.Block, NamedTuple] | None = {}
         # Track stack pointers
-        self._update_progress(15.0, text="Tracking stack pointers")
+        self._update_progress(37.0, text="Tracking stack pointers")
         spt = self._track_stack_pointers()
         # Simplify blocks
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
-        self._update_progress(35.0, text="Simplifying blocks 1")
+        self._update_progress(38.0, text="Simplifying blocks 1")
         ail_graph = self._simplify_blocks(
             ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
         )
@@ -440,6 +469,7 @@ class Clinic(Analysis):
             unify_variables=False,
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
+            arg_vvars=arg_vvars,
         )
         # Run simplification passes again. there might be more chances for peephole optimizations after function-level
@@ -449,13 +479,16 @@ class Clinic(Analysis):
             ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
         )
+        # rewrite (qualified) stack variables into SSA form
+        ail_graph = self._transform_to_ssa_level1(ail_graph)
         # clear _blocks_by_addr_and_size so no one can use it again
         # TODO: Totally remove this dict
         self._blocks_by_addr_and_size = None
         # Make call-sites
         self._update_progress(50.0, text="Making callsites")
-        _, stackarg_offsets = self._make_callsites(ail_graph, stack_pointer_tracker=spt)
+        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(ail_graph, stack_pointer_tracker=spt)
         # Run simplification passes
         self._update_progress(53.0, text="Running simplifications 2")
@@ -470,6 +503,8 @@ class Clinic(Analysis):
             unify_variables=True,
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
+            removed_vvar_ids=removed_vvar_ids,
+            arg_vvars=arg_vvars,
         )
         # After global optimization, there might be more chances for peephole optimizations.
@@ -495,9 +530,10 @@ class Clinic(Analysis):
             unify_variables=True,
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
+            arg_vvars=arg_vvars,
         )
-        self._update_progress(72.0, text="Simplifying blocks 4")
+        self._update_progress(75.0, text="Simplifying blocks 4")
         ail_graph = self._simplify_blocks(
             ail_graph,
             remove_dead_memdefs=self._remove_dead_memdefs,
@@ -505,31 +541,47 @@ class Clinic(Analysis):
             cache=block_simplification_cache,
         )
-        # Make function arguments
-        self._update_progress(75.0, text="Making argument list")
-        arg_list = self._make_argument_list()
+        # Simplify the entire function for the fourth time
+        self._update_progress(78.0, text="Simplifying function 4")
+        self._simplify_function(
+            ail_graph,
+            remove_dead_memdefs=self._remove_dead_memdefs,
+            stack_arg_offsets=stackarg_offsets,
+            unify_variables=True,
+            narrow_expressions=True,
+            fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
+            arg_vvars=arg_vvars,
+        )
+        # update arg_list
+        arg_list = []
+        for idx in sorted(arg_vvars):
+            arg_list.append(arg_vvars[idx][1])
+        # Get virtual variable mapping that can de-phi the SSA representation
+        vvar2vvar = self._collect_dephi_vvar_mapping_and_rewrite_blocks(ail_graph)
         # Recover variables on AIL blocks
         self._update_progress(80.0, text="Recovering variables")
-        variable_kb = self._recover_and_link_variables(ail_graph, arg_list)
+        variable_kb = self._recover_and_link_variables(ail_graph, arg_list, arg_vvars, vvar2vvar)
+        # Run simplification passes
+        self._update_progress(85.0, text="Running simplifications 4")
+        ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_VARIABLE_RECOVERY)
         # Make function prototype
         self._update_progress(90.0, text="Making function prototype")
         self._make_function_prototype(arg_list, variable_kb)
-        # Run simplification passes
-        self._update_progress(95.0, text="Running simplifications 4")
-        ail_graph = self._run_simplification_passes(
-            ail_graph, stage=OptimizationPassStage.AFTER_VARIABLE_RECOVERY, variable_kb=variable_kb
-        )
         # remove empty nodes from the graph
         ail_graph = self.remove_empty_nodes(ail_graph)
         self.arg_list = arg_list
+        self.arg_vvars = arg_vvars
         self.variable_kb = variable_kb
         self.cc_graph = self.copy_graph(ail_graph)
         self.externs = self._collect_externs(ail_graph, variable_kb)
+        self.vvar_to_vvar = vvar2vvar
         return ail_graph
     def _analyze_for_data_refs(self):
@@ -660,6 +712,14 @@ class Clinic(Analysis):
             if self._func_graph.in_degree(node) == 0 and CFGBase._is_noop_block(
                 self.project.arch, self.project.factory.block(node.addr, node.size)
             ):
+                if (node.addr, None) == self._entry_node_addr:
+                    # this is the entry node. after removing this node, the new entry node will be its successor
+                    if self._func_graph.out_degree[node] == 1:
+                        succ = next(iter(self._func_graph.successors(node)))
+                        self._entry_node_addr = succ.addr, None
+                    else:
+                        # we just don't remove this node...
+                        continue
                 self._func_graph.remove_node(node)
     @timethis
@@ -756,17 +816,21 @@ class Clinic(Analysis):
                         )
                         if callsite_ail_block is not None and callsite_ail_block.statements:
                             last_stmt = callsite_ail_block.statements[-1]
-                            if isinstance(last_stmt, ailment.Stmt.Call) and last_stmt.ret_expr is None:
-                                if isinstance(cc.cc.RETURN_VAL, SimRegArg):
-                                    reg_offset, reg_size = self.project.arch.registers[cc.cc.RETURN_VAL.reg_name]
-                                    last_stmt.ret_expr = ailment.Expr.Register(
-                                        None,
-                                        None,
-                                        reg_offset,
-                                        reg_size * 8,
-                                        ins_addr=callsite_ins_addr,
-                                        reg_name=cc.cc.RETURN_VAL.reg_name,
-                                    )
+                            if (
+                                isinstance(last_stmt, ailment.Stmt.Call)
+                                and last_stmt.ret_expr is None
+                                and isinstance(cc.cc.RETURN_VAL, SimRegArg)
+                            ):
+                                reg_offset, reg_size = self.project.arch.registers[cc.cc.RETURN_VAL.reg_name]
+                                last_stmt.ret_expr = ailment.Expr.Register(
+                                    None,
+                                    None,
+                                    reg_offset,
+                                    reg_size * 8,
+                                    ins_addr=callsite_ins_addr,
+                                    reg_name=cc.cc.RETURN_VAL.reg_name,
+                                )
+                                last_stmt.bits = reg_size * 8
         # finally, recover the calling convention of the current function
         if self.function.prototype is None or self.function.calling_convention is None:
@@ -862,11 +926,9 @@ class Clinic(Analysis):
                     ins_addr=block_node.addr,
                 )
             ]
-            ail_block = ailment.Block(block_node.addr, block_node.size, statements=statements)
-            return ail_block
+            return ailment.Block(block_node.addr, block_node.size, statements=statements)
-        ail_block = ailment.IRSBConverter.convert(block.vex, self._ail_manager)
-        return ail_block
+        return ailment.IRSBConverter.convert(block.vex, self._ail_manager)
     @timethis
     def _replace_single_target_indirect_transitions(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
@@ -965,8 +1027,7 @@ class Clinic(Analysis):
     @timethis
     def _make_ailgraph(self) -> networkx.DiGraph:
-        graph = self._function_graph_to_ail_graph(self._func_graph)
-        return graph
+        return self._function_graph_to_ail_graph(self._func_graph)
     @timethis
     def _simplify_blocks(
@@ -1055,6 +1116,8 @@ class Clinic(Analysis):
         only_consts=False,
         fold_callexprs_into_conditions=False,
         rewrite_ccalls=True,
+        removed_vvar_ids: set[int] | None = None,
+        arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
     ) -> None:
         """
         Simplify the entire function until it reaches a fixed point.
@@ -1071,6 +1134,8 @@ class Clinic(Analysis):
                 only_consts=only_consts,
                 fold_callexprs_into_conditions=fold_callexprs_into_conditions,
                 rewrite_ccalls=rewrite_ccalls,
+                removed_vvar_ids=removed_vvar_ids,
+                arg_vvars=arg_vvars,
             )
             if not simplified:
                 break
@@ -1086,6 +1151,8 @@ class Clinic(Analysis):
         only_consts=False,
         fold_callexprs_into_conditions=False,
         rewrite_ccalls=True,
+        removed_vvar_ids: set[int] | None = None,
+        arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
     ):
         """
         Simplify the entire function once.
@@ -1106,6 +1173,8 @@ class Clinic(Analysis):
             fold_callexprs_into_conditions=fold_callexprs_into_conditions,
             use_callee_saved_regs_at_return=not self._register_save_areas_removed,
             rewrite_ccalls=rewrite_ccalls,
+            removed_vvar_ids=removed_vvar_ids,
+            arg_vvars=arg_vvars,
         )
         # cache the simplifier's RDA analysis
         self.reaching_definitions = simp._reaching_definitions
@@ -1133,7 +1202,7 @@ class Clinic(Analysis):
         # Run each pass
         for pass_ in self._optimization_passes:
-            if pass_.STAGE != stage:
+            if stage != pass_.STAGE:
                 continue
             if pass_ in DUPLICATING_OPTS + CONDENSING_OPTS and self.unoptimized_graph is None:
@@ -1147,6 +1216,7 @@ class Clinic(Analysis):
                 blocks_by_addr_and_idx=addr_and_idx_to_blocks,
                 graph=ail_graph,
                 variable_kb=variable_kb,
+                vvar_id_start=self.vvar_id_start,
                 **kwargs,
             )
             if a.out_graph:
@@ -1157,9 +1227,107 @@ class Clinic(Analysis):
                     self._register_save_areas_removed = True
                     # clear the cached RDA result
                     self.reaching_definitions = None
+                self.vvar_id_start = a.vvar_id_start
         return ail_graph
+    @timethis
+    def _create_argument_accessing_statements(
+        self,
+        arg_list: list[SimVariable],
+        ail_graph: networkx.DiGraph,
+        arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]],
+    ) -> networkx.DiGraph:
+        entrypoint = next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self._entry_node_addr))
+        new_stmts = []
+        for arg in arg_list:
+            if not isinstance(arg, SimRegisterVariable):
+                continue
+            # get the full register if needed
+            basereg_offset, basereg_size = self.project.arch.get_base_register(arg.reg, size=arg.size)
+            arg_vvar = ailment.Expr.VirtualVariable(
+                self._ail_manager.next_atom(),
+                self.vvar_id_start,
+                arg.bits,
+                ailment.Expr.VirtualVariableCategory.PARAMETER,
+                oident=arg.reg,
+                ins_addr=self.function.addr,
+            )
+            self.vvar_id_start += 1
+            arg_vvars[arg_vvar.varid] = arg_vvar, arg
+            if basereg_size != arg.size:
+                # extend the value to the full register
+                arg_vvar = ailment.Expr.Convert(
+                    self._ail_manager.next_atom(),
+                    arg.size * self.project.arch.byte_width,
+                    basereg_size * self.project.arch.byte_width,
+                    False,
+                    arg_vvar,
+                    ins_addr=self.function.addr,
+                )
+            fullreg_dst = ailment.Expr.Register(
+                self._ail_manager.next_atom(),
+                None,
+                basereg_offset,
+                basereg_size * self.project.arch.byte_width,
+                ins_addr=self.function.addr,
+            )
+            stmt = ailment.Stmt.Assignment(
+                self._ail_manager.next_atom(),
+                fullreg_dst,
+                arg_vvar,
+                ins_addr=self.function.addr,
+            )
+            new_stmts.append(stmt)
+        non_label_stmt_idx = first_nonlabel_statement_id(entrypoint)
+        # update the ail block in-place
+        entrypoint.statements = (
+            entrypoint.statements[:non_label_stmt_idx] + new_stmts + entrypoint.statements[non_label_stmt_idx:]
+        )
+        return ail_graph
+    @timethis
+    def _transform_to_ssa_level0(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+        ssailification = self.project.analyses.Ssailification(
+            self.function,
+            ail_graph,
+            entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self._entry_node_addr)),
+            ail_manager=self._ail_manager,
+            ssa_stackvars=False,
+            vvar_id_start=self.vvar_id_start,
+        )
+        self.vvar_id_start = ssailification.max_vvar_id + 1
+        return ssailification.out_graph
+    @timethis
+    def _transform_to_ssa_level1(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+        ssailification = self.project.analyses.Ssailification(
+            self.function,
+            ail_graph,
+            entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self._entry_node_addr)),
+            ail_manager=self._ail_manager,
+            ssa_stackvars=True,
+            vvar_id_start=self.vvar_id_start,
+        )
+        self.vvar_id_start = ssailification.max_vvar_id + 1
+        return ssailification.out_graph
+    @timethis
+    def _collect_dephi_vvar_mapping_and_rewrite_blocks(self, ail_graph: networkx.DiGraph) -> dict[int, int]:
+        dephication = self.project.analyses.GraphDephicationVVarMapping(
+            self.function,
+            ail_graph,
+            entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self._entry_node_addr)),
+            vvar_id_start=self.vvar_id_start,
+        )
+        self.vvar_id_start = dephication.vvar_id_start + 1
+        return dephication.vvar_to_vvar_mapping
     @timethis
     def _make_argument_list(self) -> list[SimVariable]:
         if self.function.calling_convention is not None and self.function.prototype is not None:
@@ -1185,15 +1353,13 @@ class Clinic(Analysis):
                             name=arg_names[idx],
                             region=self.function.addr,
                         )
-                    elif isinstance(arg, SimStructArg):
+                    else:
                         argvar = SimVariable(
                             ident="arg_%d" % idx,
                             name=arg_names[idx],
                             region=self.function.addr,
                             size=arg.size,
                         )
-                    else:
-                        raise TypeError("Unsupported function argument type %s." % type(arg))
                     arg_vars.append(argvar)
             return arg_vars
         return []
@@ -1202,20 +1368,18 @@ class Clinic(Analysis):
     def _make_callsites(self, ail_graph, stack_pointer_tracker=None):
         """
         Simplify all function call statements.
-        :return:    None
         """
         # Computing reaching definitions
-        rd = self.project.analyses.ReachingDefinitions(
+        rd = self.project.analyses.SReachingDefinitions(
             subject=self.function,
             func_graph=ail_graph,
-            observe_callback=self._make_callsites_rd_observe_callback,
-            use_callee_saved_regs_at_return=not self._register_save_areas_removed,
+            # use_callee_saved_regs_at_return=not self._register_save_areas_removed,  FIXME
         )
         class TempClass:  # pylint:disable=missing-class-docstring
             stack_arg_offsets = set()
+            removed_vvar_ids = set()
         def _handler(block):
             csm = self.project.analyses.AILCallSiteMaker(
@@ -1226,35 +1390,30 @@ class Clinic(Analysis):
             )
             if csm.stack_arg_offsets is not None:
                 TempClass.stack_arg_offsets |= csm.stack_arg_offsets
-            if csm.result_block:
-                if csm.result_block != block:
-                    ail_block = csm.result_block
-                    simp = self.project.analyses.AILBlockSimplifier(
-                        ail_block,
-                        self.function.addr,
-                        stack_pointer_tracker=stack_pointer_tracker,
-                        peephole_optimizations=self.peephole_optimizations,
-                        stack_arg_offsets=csm.stack_arg_offsets,
-                    )
-                    return simp.result_block
+            if csm.removed_vvar_ids:
+                TempClass.removed_vvar_ids |= csm.removed_vvar_ids
+            if csm.result_block and csm.result_block != block:
+                ail_block = csm.result_block
+                simp = self.project.analyses.AILBlockSimplifier(
+                    ail_block,
+                    self.function.addr,
+                    stack_pointer_tracker=stack_pointer_tracker,
+                    peephole_optimizations=self.peephole_optimizations,
+                )
+                return simp.result_block
             return None
         # rewriting call-sites at this point, pre-inlining, causes issues with incorrect call signatures
         if not self._inlining_parents:
             AILGraphWalker(ail_graph, _handler, replace_nodes=True).walk()
-        return ail_graph, TempClass.stack_arg_offsets
+        return ail_graph, TempClass.stack_arg_offsets, TempClass.removed_vvar_ids
     @timethis
     def _make_returns(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
         """
         Work on each return statement and fill in its return expressions.
         """
-        if self._inlining_parents:
-            # for inlining, we want to keep the return statement separate from the return value, so that
-            # the former can be removed while preserving the latter
-            return ail_graph
         if self.function.calling_convention is None:
             # unknown calling convention. cannot do much about return expressions.
             return ail_graph
@@ -1309,7 +1468,13 @@ class Clinic(Analysis):
         self.function.is_prototype_guessed = False
     @timethis
-    def _recover_and_link_variables(self, ail_graph, arg_list):
+    def _recover_and_link_variables(
+        self,
+        ail_graph,
+        arg_list: list,
+        arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]],
+        vvar2vvar: dict[int, int],
+    ):
         # variable recovery
         tmp_kb = KnowledgeBase(self.project) if self.variable_kb is None else self.variable_kb
         tmp_kb.functions = self.kb.functions
@@ -1320,6 +1485,8 @@ class Clinic(Analysis):
             track_sp=False,
             func_args=arg_list,
             unify_variables=False,
+            func_arg_vvars=arg_vvars,
+            vvar_to_vvar=vvar2vvar,
         )
         # get ground-truth types
         var_manager = tmp_kb.variables[self.function.addr]
@@ -1382,6 +1549,7 @@ class Clinic(Analysis):
             labels=self.kb.labels,
             arg_names=self.function.prototype.arg_names if self.function.prototype else None,
             reset=self._reset_variable_names,
+            func_blocks=list(ail_graph),
         )
         # Link variables to each statement
@@ -1406,6 +1574,14 @@ class Clinic(Analysis):
                 offset = var.offset
                 if offset in variable_manager.stack_offset_to_struct_member_info:
                     stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
+            elif (
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.was_stack
+            ):
+                offset = stmt.dst.stack_offset
+                if offset in variable_manager.stack_offset_to_struct_member_info:
+                    stmt.dst.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
     def _link_variables_on_block(self, block, kb):
         """
@@ -1499,6 +1675,13 @@ class Clinic(Analysis):
                 expr.variable = reg_var
                 expr.variable_offset = offset
+        elif type(expr) is ailment.Expr.VirtualVariable:
+            vars_ = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
+            if len(vars_) >= 1:
+                var, offset = next(iter(vars_))
+                expr.variable = var
+                expr.variable_offset = offset
         elif type(expr) is ailment.Expr.Load:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) == 0:
@@ -1510,10 +1693,11 @@ class Clinic(Analysis):
                     self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, base_addr)
                 # if we are accessing the variable directly (offset == 0), we link the variable onto this expression
-                if offset == 0 or (isinstance(offset, ailment.Expr.Const) and offset.value == 0):
-                    if "reference_variable" in base_addr.tags:
-                        expr.variable = base_addr.reference_variable
-                        expr.variable_offset = base_addr.reference_variable_offset
+                if (
+                    offset == 0 or (isinstance(offset, ailment.Expr.Const) and offset.value == 0)
+                ) and "reference_variable" in base_addr.tags:
+                    expr.variable = base_addr.reference_variable
+                    expr.variable_offset = base_addr.reference_variable_offset
                 if base_addr is None and offset is None:
                     # this is a local variable
@@ -1588,17 +1772,16 @@ class Clinic(Analysis):
             else:
                 # global variable?
                 global_vars = global_variables.get_global_variables(expr.value)
-                if not global_vars:
-                    # detect if there is a related symbol
-                    if self.project.loader.find_object_containing(expr.value):
-                        symbol = self.project.loader.find_symbol(expr.value)
-                        if symbol is not None:
-                            # Create a new global variable if there isn't one already
-                            global_vars = global_variables.get_global_variables(symbol.rebased_addr)
-                            if not global_vars:
-                                global_var = SimMemoryVariable(symbol.rebased_addr, symbol.size, name=symbol.name)
-                                global_variables.add_variable("global", global_var.addr, global_var)
-                                global_vars = {global_var}
+                # detect if there is a related symbol
+                if not global_vars and self.project.loader.find_object_containing(expr.value):
+                    symbol = self.project.loader.find_symbol(expr.value)
+                    if symbol is not None:
+                        # Create a new global variable if there isn't one already
+                        global_vars = global_variables.get_global_variables(symbol.rebased_addr)
+                        if not global_vars:
+                            global_var = SimMemoryVariable(symbol.rebased_addr, symbol.size, name=symbol.name)
+                            global_variables.add_variable("global", global_var.addr, global_var)
+                            global_vars = {global_var}
                 if global_vars:
                     global_var = next(iter(global_vars))
                     expr.tags["reference_variable"] = global_var
@@ -1638,9 +1821,12 @@ class Clinic(Analysis):
             ite_ins_addrs = []
             for stmt in block.statements:
-                if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.ITE):
-                    if stmt.ins_addr not in ite_ins_addrs:
-                        ite_ins_addrs.append(stmt.ins_addr)
+                if (
+                    isinstance(stmt, ailment.Stmt.Assignment)
+                    and isinstance(stmt.src, ailment.Expr.ITE)
+                    and stmt.ins_addr not in ite_ins_addrs
+                ):
+                    ite_ins_addrs.append(stmt.ins_addr)
             if ite_ins_addrs:
                 block_addr = block.addr
@@ -1968,31 +2154,22 @@ class Clinic(Analysis):
     def _next_atom(self) -> int:
         return self._ail_manager.next_atom()
-    @staticmethod
-    def _make_callsites_rd_observe_callback(ob_type, **kwargs):
-        if ob_type != "insn":
-            return False
-        stmt = kwargs.pop("stmt")
-        op_type = kwargs.pop("op_type")
-        return isinstance(stmt, ailment.Stmt.Call) and op_type == OP_BEFORE
     def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any] | None:
         if isinstance(addr, ailment.Expr.Const):
             return addr, 0
-        if isinstance(addr, ailment.Expr.BinaryOp):
-            if addr.op == "Add":
-                op0, op1 = addr.operands
-                if (
-                    isinstance(op0, ailment.Expr.Const)
-                    and self.project.loader.find_object_containing(op0.value) is not None
-                ):
-                    return op0, op1
-                elif (
-                    isinstance(op1, ailment.Expr.Const)
-                    and self.project.loader.find_object_containing(op1.value) is not None
-                ):
-                    return op1, op0
-                return op0, op1  # best-effort guess
+        if isinstance(addr, ailment.Expr.BinaryOp) and addr.op == "Add":
+            op0, op1 = addr.operands
+            if (
+                isinstance(op0, ailment.Expr.Const)
+                and self.project.loader.find_object_containing(op0.value) is not None
+            ):
+                return op0, op1
+            if (
+                isinstance(op1, ailment.Expr.Const)
+                and self.project.loader.find_object_containing(op1.value) is not None
+            ):
+                return op1, op0
+            return op0, op1  # best-effort guess
         return None, None
     def new_block_addr(self) -> int:
@@ -2013,8 +2190,8 @@ class Clinic(Analysis):
     def remove_empty_nodes(graph: networkx.DiGraph) -> networkx.DiGraph:
         def handle_node(node: ailment.Block):
             if not node.statements:
-                preds = list(pred for pred in graph.predecessors(node) if pred is not node)
-                succs = list(succ for succ in graph.successors(node) if succ is not node)
+                preds = [pred for pred in graph.predecessors(node) if pred is not node]
+                succs = [succ for succ in graph.successors(node) if succ is not node]
                 if len(preds) == 1 and len(succs) == 1:
                     pred = preds[0]
                     succ = succs[0]
@@ -2037,7 +2214,7 @@ class Clinic(Analysis):
                     if value_updated:
                         graph.add_edge(pred, succ)
-                        raise RemoveNodeNotice()
+                        raise RemoveNodeNotice
                 elif len(preds) >= 1 and len(succs) == 1:
                     succ = succs[0]
                     branch_updates = 0
@@ -2072,9 +2249,9 @@ class Clinic(Analysis):
                                     and last_stmt.false_target.value == node.addr
                                 ):
                                     last_stmt.false_target.value = succ.addr
-                        raise RemoveNodeNotice()
+                        raise RemoveNodeNotice
                 elif not preds or not succs:
-                    raise RemoveNodeNotice()
+                    raise RemoveNodeNotice
         AILGraphWalker(graph, handle_node, replace_nodes=True).walk()
         return graph
@@ -2115,50 +2292,49 @@ class Clinic(Analysis):
         for node in ail_graph:
             if ail_graph.in_degree[node] == 2 and ail_graph.out_degree[node] == 2:
                 succs = ail_graph.successors(node)
-                if node in succs:
+                if node in succs and len(node.statements) >= 6:
                     # self loop!
-                    if len(node.statements) >= 6:
-                        stmt0 = node.statements[1]  # skip the LABEL statement
-                        stmt1 = node.statements[2]
-                        last_stmt = node.statements[-1]
-                        if (
+                    stmt0 = node.statements[1]  # skip the LABEL statement
+                    stmt1 = node.statements[2]
+                    last_stmt = node.statements[-1]
+                    if (
+                        (
                             isinstance(stmt0, ailment.Stmt.Assignment)
                             and isinstance(stmt0.dst, ailment.Expr.Register)
                             and isinstance(stmt0.src, ailment.Expr.StackBaseOffset)
                             and stmt0.src.offset == -0x1000
-                        ):
-                            if (
-                                isinstance(stmt1, ailment.Stmt.Store)
-                                and isinstance(stmt1.addr, ailment.Expr.StackBaseOffset)
-                                and stmt1.addr.offset == -0x1000
-                                and isinstance(stmt1.data, ailment.Expr.Load)
-                                and isinstance(stmt1.data.addr, ailment.Expr.StackBaseOffset)
-                                and stmt1.data.addr.offset == -0x1000
-                            ):
-                                if (
-                                    isinstance(last_stmt, ailment.Stmt.ConditionalJump)
-                                    and isinstance(last_stmt.condition, ailment.Expr.BinaryOp)
-                                    and last_stmt.condition.op == "CmpEQ"
-                                    and isinstance(last_stmt.condition.operands[0], ailment.Expr.StackBaseOffset)
-                                    and last_stmt.condition.operands[0].offset == -0x1000
-                                    and isinstance(last_stmt.condition.operands[1], ailment.Expr.Register)
-                                    and isinstance(last_stmt.false_target, ailment.Expr.Const)
-                                    and last_stmt.false_target.value == node.addr
-                                ):
-                                    # found it!
-                                    alloca_node = node
-                                    sp_equal_to = ailment.Expr.BinaryOp(
-                                        None,
-                                        "Sub",
-                                        [
-                                            ailment.Expr.Register(
-                                                None, None, self.project.arch.sp_offset, self.project.arch.bits
-                                            ),
-                                            last_stmt.condition.operands[1],
-                                        ],
-                                        False,
-                                    )
-                                    break
+                        )
+                        and (
+                            isinstance(stmt1, ailment.Stmt.Store)
+                            and isinstance(stmt1.addr, ailment.Expr.StackBaseOffset)
+                            and stmt1.addr.offset == -0x1000
+                            and isinstance(stmt1.data, ailment.Expr.Load)
+                            and isinstance(stmt1.data.addr, ailment.Expr.StackBaseOffset)
+                            and stmt1.data.addr.offset == -0x1000
+                        )
+                        and (
+                            isinstance(last_stmt, ailment.Stmt.ConditionalJump)
+                            and isinstance(last_stmt.condition, ailment.Expr.BinaryOp)
+                            and last_stmt.condition.op == "CmpEQ"
+                            and isinstance(last_stmt.condition.operands[0], ailment.Expr.StackBaseOffset)
+                            and last_stmt.condition.operands[0].offset == -0x1000
+                            and isinstance(last_stmt.condition.operands[1], ailment.Expr.Register)
+                            and isinstance(last_stmt.false_target, ailment.Expr.Const)
+                            and last_stmt.false_target.value == node.addr
+                        )
+                    ):
+                        # found it!
+                        alloca_node = node
+                        sp_equal_to = ailment.Expr.BinaryOp(
+                            None,
+                            "Sub",
+                            [
+                                ailment.Expr.Register(None, None, self.project.arch.sp_offset, self.project.arch.bits),
+                                last_stmt.condition.operands[1],
+                            ],
+                            False,
+                        )
+                        break
         if alloca_node is not None:
             stmt0 = alloca_node.statements[1]