PyPI - angr - Versions diffs - 9.2.122__py3-none-macosx_11_0_arm64.whl → 9.2.124__py3-none-macosx_11_0_arm64.whl - Mend

angr 9.2.122__py3-none-macosx_11_0_arm64.whl → 9.2.124__py3-none-macosx_11_0_arm64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (96) hide show

angr/analyses/decompiler/structured_codegen/c.py CHANGED Viewed

@@ -1408,7 +1408,7 @@ class CUnsupportedStatement(CStatement):
 class CDirtyStatement(CExpression):
     __slots__ = ("dirty",)
-    def __init__(self, dirty, **kwargs):
+    def __init__(self, dirty: CDirtyExpression, **kwargs):
         super().__init__(**kwargs)
         self.dirty = dirty
@@ -1420,7 +1420,7 @@ class CDirtyStatement(CExpression):
         indent_str = self.indent_str(indent=indent)
         yield indent_str, None
-        yield str(self.dirty), None
+        yield from self.dirty.c_repr_chunks()
         yield "\n", None
@@ -2303,6 +2303,38 @@ class CMultiStatementExpression(CExpression):
         yield ")", paren
+class CVEXCCallExpression(CExpression):
+    """
+    ccall_name(arg0, arg1, ...)
+    """
+    __slots__ = (
+        "callee",
+        "operands",
+        "tags",
+    )
+    def __init__(self, callee: str, operands: list[CExpression], tags=None, **kwargs):
+        super().__init__(**kwargs)
+        self.callee = callee
+        self.operands = operands
+        self.tags = tags
+    @property
+    def type(self):
+        return SimTypeInt().with_arch(self.codegen.project.arch)
+    def c_repr_chunks(self, indent=0, asexpr=False):
+        paren = CClosingObject("(")
+        yield f"{self.callee}", self
+        yield "(", paren
+        for idx, operand in enumerate(self.operands):
+            if idx != 0:
+                yield ", ", None
+            yield from operand.c_repr_chunks()
+        yield ")", paren
 class CDirtyExpression(CExpression):
     """
     Ideally all dirty expressions should be handled and converted to proper conversions during conversion from VEX to
@@ -2424,6 +2456,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             Expr.BinaryOp: self._handle_Expr_BinaryOp,
             Expr.Convert: self._handle_Expr_Convert,
             Expr.StackBaseOffset: self._handle_Expr_StackBaseOffset,
+            Expr.VEXCCallExpression: self._handle_Expr_VEXCCallExpression,
             Expr.DirtyExpression: self._handle_Expr_Dirty,
             Expr.ITE: self._handle_Expr_ITE,
             Expr.Reinterpret: self._handle_Reinterpret,
@@ -3318,7 +3351,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         return clabel
     def _handle_Stmt_Dirty(self, stmt: Stmt.DirtyStatement, **kwargs):
-        return CDirtyStatement(stmt, codegen=self)
+        dirty = self._handle(stmt.dirty)
+        return CDirtyStatement(dirty, codegen=self)
     #
     # AIL expression handlers
@@ -3519,7 +3553,11 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         return CTypeCast(None, dst_type.with_arch(self.project.arch), child, tags=expr.tags, codegen=self)
-    def _handle_Expr_Dirty(self, expr, **kwargs):
+    def _handle_Expr_VEXCCallExpression(self, expr: Expr.VEXCCallExpression, **kwargs):
+        operands = [self._handle(arg) for arg in expr.operands]
+        return CVEXCCallExpression(expr.callee, operands, tags=expr.tags, codegen=self)
+    def _handle_Expr_Dirty(self, expr: Expr.DirtyExpression, **kwargs):
         return CDirtyExpression(expr, codegen=self)
     def _handle_Expr_ITE(self, expr: Expr.ITE, **kwargs):

angr/analyses/decompiler/structuring/phoenix.py CHANGED Viewed

@@ -566,6 +566,9 @@ class PhoenixStructurer(StructurerBase):
             if next_node is node:
                 break
+            if next_node is head:
+                # we don't want a loop with region head not as the first node of the body!
+                return False, None
             if next_node is not node and next_node in seen_nodes:
                 return False, None

angr/analyses/propagator/engine_ail.py CHANGED Viewed

@@ -740,9 +740,16 @@ class SimEnginePropagatorAIL(
         return PropValue.from_value_and_details(v, expr.size, expr, self._codeloc())
     def _ail_handle_DirtyExpression(self, expr: Expr.DirtyExpression) -> PropValue | None:  # pylint:disable=no-self-use
-        if isinstance(expr.dirty_expr, Expr.VEXCCallExpression):
-            for operand in expr.dirty_expr.operands:
-                _ = self._expr(operand)
+        for operand in expr.operands:
+            _ = self._expr(operand)
+        return PropValue.from_value_and_details(self.state.top(expr.bits), expr.size, expr, self._codeloc())
+    def _ail_handle_VEXCCallExpression(
+        self, expr: Expr.VEXCCallExpression
+    ) -> PropValue | None:  # pylint:disable=no-self-use
+        for operand in expr.operands:
+            _ = self._expr(operand)
         return PropValue.from_value_and_details(self.state.top(expr.bits), expr.size, expr, self._codeloc())

angr/analyses/reaching_definitions/engine_ail.py CHANGED Viewed

@@ -7,7 +7,6 @@ import logging
 import archinfo
 import claripy
 import ailment
-import pyvex
 from claripy import FSORT_DOUBLE, FSORT_FLOAT
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin, SpOffset
@@ -364,17 +363,7 @@ class SimEngineRDAIL(
         # self.state.add_use(Register(self.project.arch.sp_offset, self.project.arch.bits // 8))
     def _ail_handle_DirtyStatement(self, stmt: ailment.Stmt.DirtyStatement):
-        # TODO: The logic below is subject to change when ailment.Stmt.DirtyStatement is changed
-        if isinstance(stmt.dirty_stmt, pyvex.stmt.Dirty):
-            # TODO: We need dirty helpers for a more complete understanding of clobbered registers
-            tmp = stmt.dirty_stmt.tmp
-            if tmp in (-1, 0xFFFFFFFF):
-                return
-            size = 32  # FIXME: We don't know the size.
-            self.state.kill_and_add_definition(Tmp(tmp, size), MultiValues(self.state.top(size)))
-        else:
-            l.warning("Unexpected type of dirty statement %s.", type(stmt.dirty_stmt))
+        self._expr(stmt.dirty)
     #
     # AIL expression handlers
@@ -1125,12 +1114,18 @@ class SimEngineRDAIL(
         stack_addr = self.state.stack_address(expr.offset)
         return MultiValues(stack_addr)
+    def _ail_handle_VEXCCallExpression(self, expr: ailment.Expr.VEXCCallExpression) -> MultiValues:
+        for operand in expr.operands:
+            self._expr(operand)
+        top = self.state.top(expr.bits)
+        return MultiValues(top)
     def _ail_handle_DirtyExpression(
         self, expr: ailment.Expr.DirtyExpression
     ) -> MultiValues:  # pylint:disable=no-self-use
-        if isinstance(expr.dirty_expr, ailment.Expr.VEXCCallExpression):
-            for operand in expr.dirty_expr.operands:
-                self._expr(operand)
+        for operand in expr.operands:
+            self._expr(operand)
         top = self.state.top(expr.bits)
         return MultiValues(top)

angr/analyses/s_propagator.py CHANGED Viewed

@@ -5,7 +5,7 @@ from collections import defaultdict
 from ailment.block import Block
 from ailment.expression import Const, VirtualVariable, VirtualVariableCategory, StackBaseOffset
-from ailment.statement import Assignment, Store, Return
+from ailment.statement import Assignment, Store, Return, Jump
 from angr.knowledge_plugins.functions import Function
 from angr.code_location import CodeLocation
@@ -98,11 +98,15 @@ class SPropagatorAnalysis(Analysis):
         # find all vvar uses
         vvar_uselocs = get_vvar_uselocs(blocks.values())
-        # find all ret sites
+        # find all ret sites and indirect jump sites
         retsites: set[tuple[int, int | None, int]] = set()
+        jumpsites: set[tuple[int, int | None, int]] = set()
         for bb in blocks.values():
-            if bb.statements and isinstance(bb.statements[-1], Return):
-                retsites.add((bb.addr, bb.idx, len(bb.statements) - 1))
+            if bb.statements:
+                if isinstance(bb.statements[-1], Return):
+                    retsites.add((bb.addr, bb.idx, len(bb.statements) - 1))
+                elif isinstance(bb.statements[-1], Jump):
+                    jumpsites.add((bb.addr, bb.idx, len(bb.statements) - 1))
         replacements = defaultdict(dict)
@@ -169,13 +173,13 @@ class SPropagatorAnalysis(Analysis):
                         {
                             loc
                             for _, loc in vvar_uselocs[vvar.varid]
-                            if (loc.block_addr, loc.block_idx, loc.stmt_idx) not in retsites
+                            if (loc.block_addr, loc.block_idx, loc.stmt_idx) not in (retsites | jumpsites)
                         }
                     )
                     == 1
                 ):
                     if is_const_and_vvar_assignment(stmt):
-                        # this vvar is used once if we exclude its uses at ret sites. we can propagate it
+                        # this vvar is used once if we exclude its uses at ret sites or jump sites. we can propagate it
                         for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
                             replacements[vvar_useloc][vvar_used] = stmt.src
@@ -234,15 +238,22 @@ class SPropagatorAnalysis(Analysis):
                     if len(tmp_uses) <= 2:
                         tmp_used, tmp_use_stmtidx = next(iter(tmp_uses))
-                        if is_const_vvar_load_dirty_assignment(stmt) and not any(
-                            isinstance(stmt_, Store)
-                            for stmt_ in block.statements[tmp_def_stmtidx + 1 : tmp_use_stmtidx]
-                        ):
-                            # we can propagate this load because there is no store between its def and use
-                            replacements[
-                                CodeLocation(block_loc.block_addr, tmp_use_stmtidx, block_idx=block_loc.block_idx)
-                            ][tmp_used] = stmt.src
-                            continue
+                        if is_const_vvar_load_dirty_assignment(stmt):
+                            same_inst = (
+                                block.statements[tmp_def_stmtidx].ins_addr == block.statements[tmp_use_stmtidx].ins_addr
+                            )
+                            has_store = any(
+                                isinstance(stmt_, Store)
+                                for stmt_ in block.statements[tmp_def_stmtidx + 1 : tmp_use_stmtidx]
+                            )
+                            if same_inst or not has_store:
+                                # we can propagate this load because either we do not consider memory aliasing problem
+                                # within the same instruction (blocks must be originally lifted with
+                                # CROSS_INSN_OPT=False), or there is no store between its def and use.
+                                replacements[
+                                    CodeLocation(block_loc.block_addr, tmp_use_stmtidx, block_idx=block_loc.block_idx)
+                                ][tmp_used] = stmt.src
+                                continue
         self.model.replacements = replacements

angr/analyses/s_reaching_definitions/s_rda_view.py CHANGED Viewed

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
-from ailment.statement import Assignment, Call, Label
+from ailment.statement import Statement, Assignment, Call, Label
 from ailment.expression import VirtualVariable, Expression
 from angr.utils.ail import is_phi_assignment
@@ -17,27 +17,141 @@ from .s_rda_model import SRDAModel
 log = logging.getLogger(__name__)
-class SRDAView:
+class RegVVarPredicate:
     """
-    A view of SRDA model that provides various functionalities for querying the model.
+    Implements a predicate that is used in get_reg_vvar_by_stmt_idx and get_reg_vvar_by_insn.
     """
-    def __init__(self, model: SRDAModel):
-        self.model = model
+    def __init__(self, reg_offset: int, vvars: set[VirtualVariable], arch):
+        self.reg_offset = reg_offset
+        self.vvars = vvars
+        self.arch = arch
     def _get_call_clobbered_regs(self, stmt: Call) -> set[int]:
         cc = stmt.calling_convention
         if cc is None:
             # get the default calling convention
-            cc = default_cc(self.model.arch.name)  # TODO: platform and language
+            cc = default_cc(self.arch.name)  # TODO: platform and language
         if cc is not None:
             reg_list = cc.CALLER_SAVED_REGS
             if isinstance(cc.RETURN_VAL, SimRegArg):
                 reg_list.append(cc.RETURN_VAL.reg_name)
-            return {self.model.arch.registers[reg_name][0] for reg_name in reg_list}
+            return {self.arch.registers[reg_name][0] for reg_name in reg_list}
         log.warning("Cannot determine registers that are clobbered by call statement %r.", stmt)
         return set()
+    def predicate(self, stmt: Statement) -> bool:
+        if (
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
+            and stmt.dst.was_reg
+            and stmt.dst.reg_offset == self.reg_offset
+        ):
+            self.vvars.add(stmt.dst)
+            return True
+        if isinstance(stmt, Call):
+            if (
+                isinstance(stmt.ret_expr, VirtualVariable)
+                and stmt.ret_expr.was_reg
+                and stmt.ret_expr.reg_offset == self.reg_offset
+            ):
+                self.vvars.add(stmt.ret_expr)
+                return True
+            # is it clobbered maybe?
+            clobbered_regs = self._get_call_clobbered_regs(stmt)
+            if self.reg_offset in clobbered_regs:
+                return True
+        return False
+class StackVVarPredicate:
+    """
+    Implements a predicate that is used in get_stack_vvar_by_stmt_idx and get_stack_vvar_by_insn.
+    """
+    def __init__(self, stack_offset: int, size: int, vvars: set[VirtualVariable]):
+        self.stack_offset = stack_offset
+        self.size = size
+        self.vvars = vvars
+    def predicate(self, stmt: Statement) -> bool:
+        if (
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
+            and stmt.dst.was_stack
+            and stmt.dst.stack_offset == self.stack_offset
+            and stmt.dst.size == self.size
+        ):
+            self.vvars.add(stmt.dst)
+            return True
+        return False
+class SRDAView:
+    """
+    A view of SRDA model that provides various functionalities for querying the model.
+    """
+    def __init__(self, model: SRDAModel):
+        self.model = model
+    def _get_vvar_by_stmt(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, op_type: ObservationPointType, predicate
+    ):
+        # find the starting block
+        for block in self.model.func_graph:
+            if block.addr == block_addr and block.idx == block_idx:
+                the_block = block
+                break
+        else:
+            return
+        traversed = set()
+        queue = [(the_block, stmt_idx if op_type == ObservationPointType.OP_BEFORE else stmt_idx + 1)]
+        while queue:
+            block, start_stmt_idx = queue.pop(0)
+            traversed.add(block)
+            stmts = block.statements[:start_stmt_idx] if start_stmt_idx is not None else block.statements
+            for stmt in reversed(stmts):
+                should_break = predicate(stmt)
+                if should_break:
+                    break
+            else:
+                # not found
+                for pred in self.model.func_graph.predecessors(block):
+                    if pred not in traversed:
+                        traversed.add(pred)
+                        queue.append((pred, None))
+    def get_reg_vvar_by_stmt(
+        self, reg_offset: int, block_addr: int, block_idx: int | None, stmt_idx: int, op_type: ObservationPointType
+    ) -> VirtualVariable | None:
+        reg_offset = get_reg_offset_base(reg_offset, self.model.arch)
+        vvars = set()
+        predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
+        self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
+        assert len(vvars) <= 1
+        return next(iter(vvars), None)
+    def get_stack_vvar_by_stmt(  # pylint: disable=too-many-positional-arguments
+        self,
+        stack_offset: int,
+        size: int,
+        block_addr: int,
+        block_idx: int | None,
+        stmt_idx: int,
+        op_type: ObservationPointType,
+    ) -> VirtualVariable | None:
+        vvars = set()
+        predicater = StackVVarPredicate(stack_offset, size, vvars)
+        self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
+        assert len(vvars) <= 1
+        return next(iter(vvars), None)
     def _get_vvar_by_insn(self, addr: int, op_type: ObservationPointType, predicate, block_idx: int | None = None):
         # find the starting block
         for block in self.model.func_graph:
@@ -47,6 +161,7 @@ class SRDAView:
         else:
             return
+        # determine the starting stmt_idx
         starting_stmt_idx = len(the_block.statements) if op_type == ObservationPointType.OP_AFTER else 0
         for stmt_idx, stmt in enumerate(the_block.statements):
             # skip all labels and phi assignments
@@ -65,55 +180,16 @@ class SRDAView:
                 starting_stmt_idx = stmt_idx
                 break
-        traversed = set()
-        queue = [(the_block, starting_stmt_idx)]
-        while queue:
-            block, start_stmt_idx = queue.pop(0)
-            traversed.add(block)
-            stmts = block.statements[:start_stmt_idx] if start_stmt_idx is not None else block.statements
-            for stmt in reversed(stmts):
-                should_break = predicate(stmt)
-                if should_break:
-                    break
-            else:
-                # not found
-                for pred in self.model.func_graph.predecessors(block):
-                    if pred not in traversed:
-                        traversed.add(pred)
-                        queue.append((pred, None))
+        self._get_vvar_by_stmt(the_block.addr, the_block.idx, starting_stmt_idx, op_type, predicate)
     def get_reg_vvar_by_insn(
         self, reg_offset: int, addr: int, op_type: ObservationPointType, block_idx: int | None = None
     ) -> VirtualVariable | None:
         reg_offset = get_reg_offset_base(reg_offset, self.model.arch)
         vvars = set()
+        predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
-        def _predicate(stmt) -> bool:
-            if (
-                isinstance(stmt, Assignment)
-                and isinstance(stmt.dst, VirtualVariable)
-                and stmt.dst.was_reg
-                and stmt.dst.reg_offset == reg_offset
-            ):
-                vvars.add(stmt.dst)
-                return True
-            if isinstance(stmt, Call):
-                if (
-                    isinstance(stmt.ret_expr, VirtualVariable)
-                    and stmt.ret_expr.was_reg
-                    and stmt.ret_expr.reg_offset == reg_offset
-                ):
-                    vvars.add(stmt.ret_expr)
-                    return True
-                # is it clobbered maybe?
-                clobbered_regs = self._get_call_clobbered_regs(stmt)
-                if reg_offset in clobbered_regs:
-                    return True
-            return False
-        self._get_vvar_by_insn(addr, op_type, _predicate, block_idx=block_idx)
+        self._get_vvar_by_insn(addr, op_type, predicater.predicate, block_idx=block_idx)
         assert len(vvars) <= 1
         return next(iter(vvars), None)
@@ -122,20 +198,8 @@ class SRDAView:
         self, stack_offset: int, size: int, addr: int, op_type: ObservationPointType, block_idx: int | None = None
     ) -> VirtualVariable | None:
         vvars = set()
-        def _predicate(stmt) -> bool:
-            if (
-                isinstance(stmt, Assignment)
-                and isinstance(stmt.dst, VirtualVariable)
-                and stmt.dst.was_stack
-                and stmt.dst.stack_offset == stack_offset
-                and stmt.dst.size == size
-            ):
-                vvars.add(stmt.dst)
-                return True
-            return False
-        self._get_vvar_by_insn(addr, op_type, _predicate, block_idx=block_idx)
+        predicater = StackVVarPredicate(stack_offset, size, vvars)
+        self._get_vvar_by_insn(addr, op_type, predicater.predicate, block_idx=block_idx)
         assert len(vvars) <= 1
         return next(iter(vvars), None)

angr/analyses/variable_recovery/engine_ail.py CHANGED Viewed

@@ -223,6 +223,20 @@ class SimEngineVRAIL(
             for ret_expr in stmt.ret_exprs:
                 self._expr(ret_expr)
+    def _ail_handle_DirtyExpression(self, expr: ailment.Expr.DirtyExpression) -> RichR:
+        for op in expr.operands:
+            self._expr(op)
+        if expr.guard:
+            self._expr(expr.guard)
+        if expr.maddr:
+            self._expr(expr.maddr)
+        return RichR(self.state.top(expr.bits))
+    def _ail_handle_VEXCCallExpression(self, expr: ailment.Expr.VEXCCallExpression) -> RichR:
+        for op in expr.operands:
+            self._expr(op)
+        return RichR(self.state.top(expr.bits))
     # Expression handlers
     def _expr(self, expr: ailment.Expr.Expression):

angr/analyses/variable_recovery/engine_base.py CHANGED Viewed

@@ -435,6 +435,14 @@ class SimEngineVRBase(SimEngineLight):
                     region=self.func_addr,
                 )
                 self.variable_manager[self.func_addr].add_variable("register", vvar.oident, variable)
+            elif vvar.was_tmp:
+                # FIXME: we treat all tmp vvars as registers
+                variable = SimRegisterVariable(
+                    4096 + vvar.tmp_idx,
+                    vvar.size,
+                    ident=self.variable_manager[self.func_addr].next_variable_ident("register"),
+                    region=self.func_addr,
+                )
             else:
                 raise NotImplementedError
         else:
@@ -1071,6 +1079,9 @@ class SimEngineVRBase(SimEngineLight):
                     self.variable_manager[self.func_addr].add_variable("stack", vvar.stack_offset, variable)
                 elif vvar.category == ailment.Expr.VirtualVariableCategory.PARAMETER:
                     raise KeyError(f"Missing virtual variable for parameter {vvar}")
+                elif vvar.category == ailment.Expr.VirtualVariableCategory.TMP:
+                    # we don't track variables for tmps
+                    pass
                 else:
                     raise NotImplementedError

angr/calling_conventions.py CHANGED Viewed

@@ -1212,7 +1212,7 @@ class SimCCCdecl(SimCC):
         if isinstance(arg_type, (SimTypeArray, SimTypeFixedSizeArray)):  # hack
             arg_type = SimTypePointer(arg_type.elem_type).with_arch(self.arch)
         locs_size = 0
-        byte_size = arg_type.size // self.arch.byte_width
+        byte_size = arg_type.size // self.arch.byte_width if arg_type.size is not None else self.arch.bytes
         locs = []
         while locs_size < byte_size:
             locs.append(next(session.both_iter))
@@ -1293,7 +1293,7 @@ class SimCCMicrosoftAMD64(SimCC):
         except StopIteration:
             int_loc = fp_loc = next(session.both_iter)
-        byte_size = arg_type.size // self.arch.byte_width
+        byte_size = arg_type.size // self.arch.byte_width if arg_type.size is not None else self.arch.bytes
         if isinstance(arg_type, SimTypeFloat):
             return fp_loc.refine(size=byte_size, is_fp=True, arch=self.arch)

angr/engines/light/engine.py CHANGED Viewed

@@ -604,6 +604,9 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if self._is_top(expr_0) or self._is_top(expr_1):
             return self._top(expr.result_size(self.tyenv))
+        if expr_1.concrete and expr_1.concrete_value == 0:
+            return self._top(expr.result_size(self.tyenv))
         signed = "U" in expr.op  # Iop_DivModU64to32 vs Iop_DivMod
         from_size = expr_0.size()
         to_size = expr_1.size()
@@ -632,10 +635,13 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if self._is_top(expr_0) or self._is_top(expr_1):
             return self._top(expr_0.size())
+        if expr_1.concrete and expr_1.concrete_value == 0:
+            return self._top(expr.result_size(self.tyenv))
         try:
             return expr_0 / expr_1
         except ZeroDivisionError:
-            return self._top(expr_0.size())
+            return self._top(expr.result_size(self.tyenv))
     def _handle_Mod(self, expr):
         args, r = self._binop_get_args(expr)
@@ -646,6 +652,9 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if self._is_top(expr_0) or self._is_top(expr_1):
             return self._top(expr_0.size())
+        if expr_1.concrete and expr_1.concrete_value == 0:
+            return self._top(expr.result_size(self.tyenv))
         try:
             return expr_0 - (expr_1 // expr_1) * expr_1
         except ZeroDivisionError:
@@ -948,6 +957,9 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
     def _ail_handle_Return(self, stmt):
         pass
+    def _ail_handle_DirtyStatement(self, stmt):
+        self._expr(stmt.dirty)
     #
     # Expression handlers
     #
@@ -974,7 +986,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         return expr
     def _ail_handle_CallExpr(self, expr: ailment.Stmt.Call):
-        self._expr(expr.target)
+        if not isinstance(expr.target, str):
+            self._expr(expr.target)
         return expr
     def _ail_handle_Reinterpret(self, expr: ailment.Expr.Reinterpret):
@@ -999,6 +1012,15 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         return expr
+    def _ail_handle_DirtyExpression(self, expr: ailment.Expr.DirtyExpression):
+        for operand in expr.operands:
+            self._expr(operand)
+        if expr.guard is not None:
+            self._expr(expr.guard)
+        if expr.maddr is not None:
+            self._expr(expr.maddr)
+        return expr
     def _ail_handle_UnaryOp(self, expr):
         handler_name = f"_handle_{expr.op}"
         try:

angr/engines/soot/expressions/instanceOf.py CHANGED Viewed

@@ -1,6 +1,9 @@
 from __future__ import annotations
 import logging
+import claripy
 from .base import SimSootExpr
 l = logging.getLogger(name=__name__)
@@ -9,4 +12,4 @@ l = logging.getLogger(name=__name__)
 class SimSootExpr_InstanceOf(SimSootExpr):
     def _execute(self):
         obj = self._translate_value(self.expr.value)
-        self.expr = self.state.solver.StringV(obj.type) == self.state.solver.StringV(self.expr.check_type)
+        self.expr = claripy.StringV(obj.type) == claripy.StringV(self.expr.check_type)

angr/engines/successors.py CHANGED Viewed

@@ -504,7 +504,7 @@ class SimSuccessors:
                 fallback = True
                 break
-            cond_and_targets.append((cond, target if not outer_reverse else state.solver.Reverse(target)))
+            cond_and_targets.append((cond, target if not outer_reverse else claripy.Reverse(target)))
         if reached_sentinel is False:
             # huh?