angr 9.2.118__py3-none-manylinux2014_aarch64.whl → 9.2.119__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py

@@ -60,12 +60,12 @@ class InlinedStringTransformationState:
     def _get_weakref(self):
         return self
 
-    def reg_store(self, reg: Register, value: claripy.Bits) -> None:
+    def reg_store(self, reg: Register, value: claripy.ast.Bits) -> None:
         self.registers.store(
             reg.reg_offset, value, size=value.size() // self.arch.byte_width, endness=str(self.arch.register_endness)
         )
 
-    def reg_load(self, reg: Register) -> claripy.Bits | None:
+    def reg_load(self, reg: Register) -> claripy.ast.Bits | None:
         try:
             return self.registers.load(
                 reg.reg_offset, size=reg.size, endness=self.arch.register_endness, fill_missing=False
@@ -73,19 +73,19 @@ class InlinedStringTransformationState:
         except SimMemoryMissingError:
             return None
 
-    def mem_store(self, addr: int, value: claripy.Bits, endness: str) -> None:
+    def mem_store(self, addr: int, value: claripy.ast.Bits, endness: str) -> None:
         self.memory.store(addr, value, size=value.size() // self.arch.byte_width, endness=endness)
 
-    def mem_load(self, addr: int, size: int, endness) -> claripy.Bits | None:
+    def mem_load(self, addr: int, size: int, endness) -> claripy.ast.Bits | None:
         try:
             return self.memory.load(addr, size=size, endness=str(endness), fill_missing=False)
         except SimMemoryMissingError:
             return None
 
-    def vvar_store(self, vvar: VirtualVariable, value: claripy.Bits | None) -> None:
+    def vvar_store(self, vvar: VirtualVariable, value: claripy.ast.Bits | None) -> None:
         self.virtual_variables[vvar.varid] = value
 
-    def vvar_load(self, vvar: VirtualVariable) -> claripy.Bits | None:
+    def vvar_load(self, vvar: VirtualVariable) -> claripy.ast.Bits | None:
         if vvar.varid in self.virtual_variables:
             return self.virtual_variables[vvar.varid]
         return None
@@ -109,7 +109,7 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
         self.MASK = 0xFFFF_FFFF if self.arch.bits == 32 else 0xFFFF_FFFF_FFFF_FFFF
 
         state = InlinedStringTransformationState(project)
-        self.stack_accesses: defaultdict[int, list[tuple[str, CodeLocation, claripy.Bits]]] = defaultdict(list)
+        self.stack_accesses: defaultdict[int, list[tuple[str, CodeLocation, claripy.ast.Bits]]] = defaultdict(list)
         self.finished: bool = False
 
         i = 0
@@ -140,7 +140,7 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
             if v0_and_type is not None:
                 v0 = v0_and_type[0]
                 v1 = self._expr(addr.operands[1])
-                if isinstance(v1, claripy.Bits) and v1.concrete:
+                if isinstance(v1, claripy.ast.Bits) and v1.concrete:
                     return (v0 + v1.concrete_value) & self.MASK, "stack"
         return None
 
@@ -148,7 +148,7 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
         if isinstance(stmt.dst, VirtualVariable):
             if stmt.dst.was_reg:
                 val = self._expr(stmt.src)
-                if isinstance(val, claripy.Bits):
+                if isinstance(val, claripy.ast.Bits):
                     self.state.vvar_store(stmt.dst, val)
             elif stmt.dst.was_stack:
                 addr = (stmt.dst.stack_offset + self.STACK_BASE) & self.MASK
@@ -190,9 +190,9 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
         if isinstance(stmt.true_target, Const) and isinstance(stmt.false_target, Const):
             cond = self._expr(stmt.condition)
             if cond is not None:
-                if isinstance(cond, claripy.Bits) and cond.concrete_value == 1:
+                if isinstance(cond, claripy.ast.Bits) and cond.concrete_value == 1:
                     self.pc = stmt.true_target.value
-                elif isinstance(cond, claripy.Bits) and cond.concrete_value == 0:
+                elif isinstance(cond, claripy.ast.Bits) and cond.concrete_value == 0:
                     self.pc = stmt.false_target.value
 
     def _handle_Const(self, expr):
@@ -220,7 +220,7 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
         if expr.was_stack:
             addr = (expr.stack_offset + self.STACK_BASE) & self.MASK
             v = self.state.mem_load(addr, expr.size, self.arch.memory_endness)
-            if isinstance(v, claripy.Bits):
+            if isinstance(v, claripy.ast.Bits):
                 # log it
                 for i in range(expr.size):
                     byte_off = i
@@ -240,7 +240,7 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
 
     def _handle_Convert(self, expr: Convert):
         v = self._expr(expr.operand)
-        if isinstance(v, claripy.Bits):
+        if isinstance(v, claripy.ast.Bits):
             if expr.to_bits > expr.from_bits:
                 if not expr.is_signed:
                     return claripy.ZeroExt(expr.to_bits - expr.from_bits, v)
@@ -252,37 +252,37 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
 
     def _handle_CmpEQ(self, expr):
         op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
-        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+        if isinstance(op0, claripy.ast.Bits) and isinstance(op1, claripy.ast.Bits) and op0.concrete and op1.concrete:
             return claripy.BVV(1, 1) if op0.concrete_value == op1.concrete_value else claripy.BVV(0, 1)
         return None
 
     def _handle_CmpNE(self, expr):
         op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
-        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+        if isinstance(op0, claripy.ast.Bits) and isinstance(op1, claripy.ast.Bits) and op0.concrete and op1.concrete:
             return claripy.BVV(1, 1) if op0.concrete_value != op1.concrete_value else claripy.BVV(0, 1)
         return None
 
     def _handle_CmpLT(self, expr):
         op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
-        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+        if isinstance(op0, claripy.ast.Bits) and isinstance(op1, claripy.ast.Bits) and op0.concrete and op1.concrete:
             return claripy.BVV(1, 1) if op0.concrete_value < op1.concrete_value else claripy.BVV(0, 1)
         return None
 
     def _handle_CmpLE(self, expr):
         op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
-        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+        if isinstance(op0, claripy.ast.Bits) and isinstance(op1, claripy.ast.Bits) and op0.concrete and op1.concrete:
             return claripy.BVV(1, 1) if op0.concrete_value <= op1.concrete_value else claripy.BVV(0, 1)
         return None
 
     def _handle_CmpGT(self, expr):
         op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
-        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+        if isinstance(op0, claripy.ast.Bits) and isinstance(op1, claripy.ast.Bits) and op0.concrete and op1.concrete:
             return claripy.BVV(1, 1) if op0.concrete_value > op1.concrete_value else claripy.BVV(0, 1)
         return None
 
     def _handle_CmpGE(self, expr):
         op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
-        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+        if isinstance(op0, claripy.ast.Bits) and isinstance(op1, claripy.ast.Bits) and op0.concrete and op1.concrete:
             return claripy.BVV(1, 1) if op0.concrete_value >= op1.concrete_value else claripy.BVV(0, 1)
         return None
 

angr/analyses/decompiler/structured_codegen/c.py

@@ -31,6 +31,8 @@ from ....sim_type import (
     SimTypeLength,
     SimTypeReg,
     dereference_simtype,
+    SimTypeInt128,
+    SimTypeInt256,
 )
 from ....knowledge_plugins.functions import Function
 from ....sim_variable import SimVariable, SimTemporaryVariable, SimStackVariable, SimMemoryVariable
@@ -3479,8 +3481,13 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
     def _handle_Expr_Convert(self, expr: Expr.Convert, **kwargs):
         # width of converted type is easy
-        if 64 >= expr.to_bits > 32:
-            dst_type: SimTypeInt | SimTypeChar = SimTypeLongLong()
+        dst_type: SimTypeInt | SimTypeChar
+        if 258 >= expr.to_bits > 128:
+            dst_type = SimTypeInt256()
+        elif 128 >= expr.to_bits > 64:
+            dst_type = SimTypeInt128()
+        elif 64 >= expr.to_bits > 32:
+            dst_type = SimTypeLongLong()
         elif 32 >= expr.to_bits > 16:
             dst_type = SimTypeInt()
         elif 16 >= expr.to_bits > 8:

angr/analyses/decompiler/structuring/dream.py

@@ -767,7 +767,7 @@ class DreamStructurer(StructurerBase):
                 if (
                     arg.op == "__eq__"
                     and arg.args[0] is jumptable_var
-                    and isinstance(arg.args[1], claripy.Bits)
+                    and isinstance(arg.args[1], claripy.ast.Bits)
                     and arg.args[1].concrete
                 ):
                     # found it
@@ -780,7 +780,7 @@ class DreamStructurer(StructurerBase):
                 # unsupported
                 return None
         elif cond.op == "__eq__":
-            if cond.args[0] is jumptable_var and isinstance(cond.args[1], claripy.Bits) and cond.args[1].concrete:
+            if cond.args[0] is jumptable_var and isinstance(cond.args[1], claripy.ast.Bits) and cond.args[1].concrete:
                 # found it
                 eq_condition = cond
                 true_node = cond_node.true_node
@@ -800,7 +800,8 @@ class DreamStructurer(StructurerBase):
             return None
 
         return CodeNode(
-            ConditionNode(cond_node.addr, claripy.true, remaining_cond, true_node, false_node=false_node), eq_condition
+            ConditionNode(cond_node.addr, claripy.true(), remaining_cond, true_node, false_node=false_node),
+            eq_condition,
         )
 
     def _switch_check_existence_of_jumptable_entries(
@@ -942,11 +943,11 @@ class DreamStructurer(StructurerBase):
                         )
                     ],
                 )
-                case_node = SequenceNode(0, nodes=[CodeNode(case_inner_node, claripy.true)])
+                case_node = SequenceNode(0, nodes=[CodeNode(case_inner_node, claripy.true())])
                 converted_nodes[entry_addr] = case_node
                 continue
 
-            case_node = SequenceNode(entry_node.addr, nodes=[CodeNode(entry_node.node, claripy.true)])
+            case_node = SequenceNode(entry_node.addr, nodes=[CodeNode(entry_node.node, claripy.true())])
             to_remove.add(entry_node)
             entry_node_idx = seq.nodes.index(entry_node)
 
@@ -966,7 +967,7 @@ class DreamStructurer(StructurerBase):
                         )
                     ],
                 )
-                case_node = SequenceNode(0, nodes=[CodeNode(case_inner_node, claripy.true)])
+                case_node = SequenceNode(0, nodes=[CodeNode(case_inner_node, claripy.true())])
                 converted_nodes[entry_addr] = case_node
                 continue
 
@@ -1097,7 +1098,7 @@ class DreamStructurer(StructurerBase):
     def _nodes_guarded_by_common_subexpr(seq, common_subexpr, starting_idx):
         candidates = []
 
-        if common_subexpr is claripy.true:
+        if common_subexpr is claripy.true():
             return []
         for j, node_1 in enumerate(seq.nodes[starting_idx:]):
             rcond_1 = getattr(node_1, "reaching_condition", None)

angr/analyses/decompiler/structuring/phoenix.py

@@ -368,7 +368,7 @@ class PhoenixStructurer(StructurerBase):
                         jump_node = Block(last_stmt.ins_addr, None, statements=[cond_jump])
                         cond_jump_node = ConditionNode(last_stmt.ins_addr, None, edge_cond_right, jump_node)
                         new_node = SequenceNode(node.addr, nodes=[node, cond_jump_node, left])
-                        loop_node = LoopNode("while", claripy.true, new_node, addr=node.addr)
+                        loop_node = LoopNode("while", claripy.true(), new_node, addr=node.addr)
 
                         # on the original graph
                         self.replace_nodes(graph, node, loop_node, old_node_1=left, self_loop=False)
@@ -392,7 +392,7 @@ class PhoenixStructurer(StructurerBase):
                             self._remove_last_statement_if_jump(head_block)
                             cond_break = ConditionalBreakNode(node.addr, edge_cond_right, right.addr)
                             new_node = SequenceNode(node.addr, nodes=[node, cond_break, left])
-                            loop_node = LoopNode("while", claripy.true, new_node, addr=node.addr)
+                            loop_node = LoopNode("while", claripy.true(), new_node, addr=node.addr)
 
                             # on the original graph
                             self.replace_nodes(graph, node, loop_node, old_node_1=left, self_loop=False)
@@ -572,7 +572,7 @@ class PhoenixStructurer(StructurerBase):
             seen_nodes.add(next_node)
             seq_node.nodes.append(next_node)
 
-        loop_node = LoopNode("while", claripy.true, seq_node, addr=node.addr)
+        loop_node = LoopNode("while", claripy.true(), seq_node, addr=node.addr)
 
         # on the original graph
         for node_ in seq_node.nodes:

angr/analyses/propagator/engine_ail.py

@@ -141,13 +141,14 @@ class SimEnginePropagatorAIL(
                 size = data_v.size() // self.arch.byte_width
                 to_store = PropValue.from_value_and_details(data_v, size, expr, self._codeloc())
             else:
+                expr = data.one_expr
                 size = stmt.size
                 to_store = data.with_details(
                     stmt.size, data.one_expr if data.one_expr is not None else stmt.data, self._codeloc()
                 )
 
             # ensure there isn't a Tmp variable in the data
-            if not self.has_tmpexpr(expr):
+            if expr is None or not self.has_tmpexpr(expr):
                 # Storing data to a stack variable
                 self.state.store_stack_variable(sp_offset, to_store, endness=stmt.endness)
 

angr/analyses/reaching_definitions/function_handler.py

@@ -370,10 +370,14 @@ class FunctionHandler:
             data.prototype = state.analysis.project.factory.function_prototype()
             data.guessed_prototype = True
 
-        if data.prototype is not None and data.function is not None:
+        if data.prototype is not None:
             # make sure the function prototype is resolved.
             # TODO: Cache resolved function prototypes globally
-            prototype_libname = data.function.prototype_libname or hook_libname
+            prototype_libname = (
+                data.function.prototype_libname
+                if data.function is not None and data.function.prototype_libname
+                else hook_libname
+            )
             type_collections = []
             if prototype_libname is not None:
                 prototype_lib = SIM_LIBRARIES[prototype_libname]

angr/analyses/stack_pointer_tracker.py

@@ -1,7 +1,7 @@
 # pylint:disable=abstract-method,ungrouped-imports
 from __future__ import annotations
 
-from typing import TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 import re
 import logging
 from collections import defaultdict
@@ -179,7 +179,13 @@ class FrozenStackPointerTrackerState:
 
     __slots__ = "regs", "memory", "is_tracking_memory", "resilient"
 
-    def __init__(self, regs, memory, is_tracking_memory, resilient):
+    def __init__(
+        self,
+        regs,
+        memory,
+        is_tracking_memory,
+        resilient,
+    ):
         self.regs = regs
         self.memory = memory
         self.is_tracking_memory = is_tracking_memory
@@ -193,8 +199,10 @@ class FrozenStackPointerTrackerState:
             return hash((FrozenStackPointerTrackerState, self.regs, self.memory, self.is_tracking_memory))
         return hash((FrozenStackPointerTrackerState, self.regs, self.is_tracking_memory))
 
-    def merge(self, other):
-        return self.unfreeze().merge(other.unfreeze()).freeze()
+    def merge(
+        self, other, addr: int, reg_merge_cache: dict[tuple[int, int], Any], mem_merge_cache: dict[tuple[int, int], Any]
+    ):
+        return self.unfreeze().merge(other.unfreeze(), addr, reg_merge_cache, mem_merge_cache).freeze()
 
     def __eq__(self, other):
         if type(other) is FrozenStackPointerTrackerState or isinstance(other, FrozenStackPointerTrackerState):
@@ -278,16 +286,18 @@ class StackPointerTrackerState:
             return hash((StackPointerTrackerState, self.regs, self.memory, self.is_tracking_memory))
         return hash((StackPointerTrackerState, self.regs, self.is_tracking_memory))
 
-    def merge(self, other):
+    def merge(
+        self, other, addr: int, reg_merge_cache: dict[tuple[int, int], Any], mem_merge_cache: dict[tuple[int, int], Any]
+    ):
         return StackPointerTrackerState(
-            regs=_dict_merge(self.regs, other.regs, self.resilient),
-            memory=_dict_merge(self.memory, other.memory, self.resilient),
+            regs=_dict_merge(self.regs, other.regs, self.resilient, addr, reg_merge_cache),
+            memory=_dict_merge(self.memory, other.memory, self.resilient, addr, mem_merge_cache),
             is_tracking_memory=self.is_tracking_memory and other.is_tracking_memory,
             resilient=self.resilient or other.resilient,
         )
 
 
-def _dict_merge(d1, d2, resilient: bool):
+def _dict_merge(d1, d2, resilient: bool, addr: int, merge_cache: dict[tuple[int, int], Any]):
     all_keys = set(d1.keys()) | set(d2.keys())
     merged = {}
     for k in all_keys:
@@ -299,7 +309,12 @@ def _dict_merge(d1, d2, resilient: bool):
             merged[k] = d1[k]
         else:  # d1[k] != d2[k]
             if resilient and isinstance(d1[k], OffsetVal) and isinstance(d2[k], OffsetVal):
-                merged[k] = min(d1[k], d2[k])
+                if (addr, k) in merge_cache:
+                    merged[k] = merge_cache[(addr, k)]
+                else:
+                    v = min(d1[k], d2[k])
+                    merge_cache[(addr, k)] = v
+                    merged[k] = v
             else:
                 merged[k] = TOP
     return merged
@@ -350,6 +365,9 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         self._reg_value_at_block_start = defaultdict(dict)
         self.cross_insn_opt = cross_insn_opt
         self._resilient = resilient
+        # in resilience mode, cache previously merged values to ensure we reach a fixed point
+        self._reg_merge_cache = {}
+        self._mem_merge_cache = {}
 
         if initial_reg_values:
             self._reg_value_at_block_start[func.addr if func is not None else block.addr] = initial_reg_values
@@ -492,7 +510,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
     def _set_state(self, addr, new_val, pre_or_post):
         previous_val = self._state_for(addr, pre_or_post)
         if previous_val is not None:
-            new_val = previous_val.merge(new_val)
+            new_val = previous_val.merge(new_val, addr, self._reg_merge_cache, self._mem_merge_cache)
         if addr not in self.states:
             self.states[addr] = {}
         self.states[addr][pre_or_post] = new_val
@@ -808,7 +826,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
     def _merge_states(self, node, *states: StackPointerTrackerState):
         merged_state = states[0]
         for other in states[1:]:
-            merged_state = merged_state.merge(other)
+            merged_state = merged_state.merge(other, node.addr, self._reg_merge_cache, self._mem_merge_cache)
         return merged_state, merged_state == states[0]
 
     def _find_callees(self, node) -> list[Function]:

angr/analyses/typehoon/translator.py

@@ -1,3 +1,4 @@
+# pylint:disable=unused-argument,no-self-use
 from __future__ import annotations
 from itertools import count
 
@@ -8,11 +9,15 @@ from .typeconsts import TypeConstant
 
 
 class SimTypeTempRef(sim_type.SimType):
+    """
+    Represents a temporary reference to another type. TypeVariableReference is translated to SimTypeTempRef.
+    """
+
     def __init__(self, typevar):
         super().__init__()
         self.typevar = typevar
 
-    def c_repr(self):
+    def c_repr(self, **kwargs):
         return "<SimTypeTempRef>"
 
 
@@ -141,7 +146,10 @@ class TypeTranslator:
         return sim_type.SimTypeLongLong(signed=False).with_arch(self.arch)
 
     def _translate_Int128(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeNum(128, signed=False).with_arch(self.arch)
+        return sim_type.SimTypeInt128(signed=False).with_arch(self.arch)
+
+    def _translate_Int256(self, tc):  # pylint:disable=unused-argument
+        return sim_type.SimTypeInt256(signed=False).with_arch(self.arch)
 
     def _translate_TypeVariableReference(self, tc):
         if tc.typevar in self.translated:
@@ -176,6 +184,12 @@ class TypeTranslator:
     # SimType handlers
     #
 
+    def _translate_SimTypeInt128(self, st: sim_type.SimTypeChar) -> typeconsts.Int128:
+        return typeconsts.Int128()
+
+    def _translate_SimTypeInt256(self, st: sim_type.SimTypeChar) -> typeconsts.Int256:
+        return typeconsts.Int256()
+
     def _translate_SimTypeInt(self, st: sim_type.SimTypeInt) -> typeconsts.Int32:
         return typeconsts.Int32()
 
@@ -220,6 +234,7 @@ TypeConstHandlers = {
     typeconsts.Int32: TypeTranslator._translate_Int32,
     typeconsts.Int64: TypeTranslator._translate_Int64,
     typeconsts.Int128: TypeTranslator._translate_Int128,
+    typeconsts.Int256: TypeTranslator._translate_Int256,
     typeconsts.TypeVariableReference: TypeTranslator._translate_TypeVariableReference,
 }
 
@@ -230,6 +245,8 @@ SimTypeHandlers = {
     sim_type.SimTypeLong: TypeTranslator._translate_SimTypeLong,
     sim_type.SimTypeLongLong: TypeTranslator._translate_SimTypeLongLong,
     sim_type.SimTypeChar: TypeTranslator._translate_SimTypeChar,
+    sim_type.SimTypeInt128: TypeTranslator._translate_SimTypeInt128,
+    sim_type.SimTypeInt256: TypeTranslator._translate_SimTypeInt256,
     sim_type.SimStruct: TypeTranslator._translate_SimStruct,
     sim_type.SimTypeArray: TypeTranslator._translate_SimTypeArray,
 }

angr/analyses/typehoon/typeconsts.py

@@ -100,6 +100,13 @@ class Int128(Int):
         return "int128"
 
 
+class Int256(Int):
+    SIZE = 32
+
+    def __repr__(self, memo=None):
+        return "int256"
+
+
 class FloatBase(TypeConstant):
     def __repr__(self, memo=None):
         return "floatbase"
@@ -282,6 +289,7 @@ def int_type(bits: int) -> Int | None:
         32: Int32,
         64: Int64,
         128: Int128,
+        256: Int256,
     }
     if bits in mapping:
         return mapping[bits]()

angr/analyses/variable_recovery/engine_vex.py

@@ -254,10 +254,13 @@ class SimEngineVRVEX(
             typevar = typevars.DerivedTypeVariable(r0.typevar, typevars.AddN(r1.data.concrete_value))
 
         sum_ = r0.data + r1.data
+        tc = set()
+        if r0.typevar is not None and r1.typevar is not None:
+            tc.add(typevars.Subtype(r0.typevar, r1.typevar))
         return RichR(
             sum_,
             typevar=typevar,
-            type_constraints={typevars.Subtype(r0.typevar, r1.typevar)},
+            type_constraints=tc,
         )
 
     def _handle_Sub(self, expr):
@@ -501,6 +504,9 @@ class SimEngineVRVEX(
     def _handle_Clz(self, expr):
         return RichR(self.state.top(expr.result_size(self.tyenv)))
 
+    def _handle_Ctz(self, expr):
+        return RichR(self.state.top(expr.result_size(self.tyenv)))
+
     def _handle_Mull(self, expr):
         return RichR(self.state.top(expr.result_size(self.tyenv)))
 
@@ -553,15 +559,6 @@ class SimEngineVRVEX(
         _, _ = self._expr(expr.args[0]), self._expr(expr.args[1])
         return RichR(self.state.top(expr.result_size(self.tyenv)))
 
-    def _handle_Clz(self, expr):
-        arg0 = expr.args[0]
-        expr_0 = self._expr(arg0)
-        if expr_0 is None:
-            return None
-        if self.state.is_top(expr_0.data):
-            return RichR(self.state.top(expr_0.data.size()))
-        return RichR(self.state.top(expr_0.data.size()))
-
     _handle_CmpEQ_v = _handle_Cmp_v
     _handle_CmpNE_v = _handle_Cmp_v
     _handle_CmpLE_v = _handle_Cmp_v