angr 9.2.122__py3-none-win_amd64.whl → 9.2.123__py3-none-win_amd64.whl

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -42,10 +42,8 @@ class ITERegionConverter(OptimizationPass):
             if not ite_assign_regions:
                 break
 
-            for region_head, region_tail, true_block, true_stmt, false_block, false_stmt in ite_assign_regions:
-                round_update |= self._convert_region_to_ternary_expr(
-                    region_head, region_tail, true_block, true_stmt, false_block, false_stmt
-                )
+            for region_head, region_tail, _, true_stmt, _, false_stmt in ite_assign_regions:
+                round_update |= self._convert_region_to_ternary_expr(region_head, region_tail, true_stmt, false_stmt)
 
             if not round_update:
                 break
@@ -188,9 +186,7 @@ class ITERegionConverter(OptimizationPass):
         self,
         region_head,
         region_tail,
-        true_block,
         true_stmt: Assignment | Call,
-        false_block,
         false_stmt: Assignment | Call,
     ):
         if region_head not in self._graph or region_tail not in self._graph:
@@ -242,6 +238,14 @@ class ITERegionConverter(OptimizationPass):
         #
 
         region_nodes = subgraph_between_nodes(self._graph, region_head, [region_tail])
+
+        # we must obtain the predecessors of the region tail instead of using true_block and false_block because
+        # true_block and false_block may have other successors before reaching the region tail!
+        region_tail_preds = [pred for pred in self._graph.predecessors(region_tail) if pred in region_nodes]
+        if len(region_tail_preds) != 2:
+            return False
+        region_tail_pred_srcs = {(pred.addr, pred.idx) for pred in region_tail_preds}
+
         for node in region_nodes:
             if node is region_head or node is region_tail:
                 continue
@@ -259,7 +263,7 @@ class ITERegionConverter(OptimizationPass):
                 continue
             new_src_and_vvars = []
             for src, vvar in stmt.src.src_and_vvars:
-                if src not in {(true_block.addr, true_block.idx), (false_block.addr, false_block.idx)}:
+                if src not in region_tail_pred_srcs:
                     new_src_and_vvars.append((src, vvar))
             new_vvar = new_assignment.dst.copy()
             new_src_and_vvars.append(((region_head.addr, region_head.idx), new_vvar))

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -396,7 +396,16 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
             default_case_candidates = {}
             last_comp = None
             stack = [(head, 0, 0xFFFF_FFFF_FFFF_FFFF)]
-            while stack:
+
+            # cursed: there is an infinite loop in the following loop that
+            # occurs rarely. we need to keep track of the nodes we've seen
+            # to break out of the loop.
+            # See https://github.com/angr/angr/pull/4953
+            #
+            # FIXME: the root cause should be fixed and this workaround removed
+            seen = set()
+            while stack and tuple(stack) not in seen:
+                seen.add(tuple(stack))
                 comp, min_, max_ = stack.pop(0)
                 (
                     comp_type,

angr/analyses/decompiler/peephole_optimizations/const_mull_a_shift.py

@@ -1,7 +1,7 @@
 # pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 
-from ailment.expression import Convert, BinaryOp, Const
+from ailment.expression import Convert, BinaryOp, Const, Expression
 
 from .base import PeepholeOptimizationExprBase
 
@@ -56,47 +56,10 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
 
         elif isinstance(expr, BinaryOp) and expr.op in {"Add", "Sub"}:
             expr0, expr1 = expr.operands
-            if (
-                isinstance(expr0, BinaryOp)
-                and expr0.op in {"Shr", "Sar"}
-                and isinstance(expr0.operands[1], Const)
-                and isinstance(expr1, BinaryOp)
-                and expr1.op in {"Shr", "Sar"}
-                and isinstance(expr1.operands[1], Const)
-            ):
-                if (
-                    isinstance(expr0.operands[0], BinaryOp)
-                    and expr0.operands[0].op in {"Mull", "Mul"}
-                    and isinstance(expr0.operands[0].operands[1], Const)
-                ):
-                    a0 = expr0.operands[0].operands[0]
-                    a1 = expr1.operands[0]
-                elif (
-                    isinstance(expr1.operands[0], BinaryOp)
-                    and expr1.operands[0].op in {"Mull", "Mul"}
-                    and isinstance(expr1.operands[0].operands[1], Const)
-                ):
-                    a1 = expr0.operands[0].operands[0]
-                    a0 = expr1.operands[0]
-                else:
-                    a0, a1 = None, None
-                if a0 is not None and a1 is not None and a0.likes(a1):
-                    # (a * x >> M1) +/- (a >> M2)  ==>  a / N
-                    C = expr0.operands[0].operands[1].value
-                    X = a0
-                    V = expr0.operands[1].value
-                    ndigits = 5 if V == 32 else 6
-                    divisor = self._check_divisor(pow(2, V), C, ndigits)
-                    if divisor is not None:
-                        new_const = Const(None, None, divisor, X.bits)
-                        # we cannot drop the convert in this case
-                        return BinaryOp(
-                            expr0.operands[0].idx,
-                            "Div",
-                            [X, new_const],
-                            expr0.operands[0].signed,
-                            **expr0.operands[0].tags,
-                        )
+            if isinstance(expr1, Convert) and expr1.from_bits == 32 and expr1.to_bits == 64:
+                r = self._match_case_a(expr0, expr1)
+                if r is not None:
+                    return r
 
             # with Convert in consideration
             if (
@@ -149,6 +112,74 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
 
         return None
 
+    def _match_case_a(self, expr0: Expression, expr1: Convert) -> BinaryOp | None:
+        # (
+        #   (((Conv(32->64, vvar_44{reg 32}) * 0x4325c53f<64>) >>a 0x24<8>) & 0xffffffff<64>) -
+        #   Conv(32->s64, (vvar_44{reg 32} >>a 0x1f<8>))
+        # )
+
+        expr1 = expr1.operand
+
+        if (
+            isinstance(expr0, BinaryOp)
+            and expr0.op == "And"
+            and isinstance(expr0.operands[1], Const)
+            and expr0.operands[1].value == 0xFFFFFFFF
+        ):
+            expr0 = expr0.operands[0]
+        else:
+            return None
+
+        if (
+            isinstance(expr0, BinaryOp)
+            and expr0.op in {"Shr", "Sar"}
+            and isinstance(expr0.operands[1], Const)
+            and isinstance(expr1, BinaryOp)
+            and expr1.op in {"Shr", "Sar"}
+            and isinstance(expr1.operands[1], Const)
+        ):
+            if (
+                isinstance(expr0.operands[0], BinaryOp)
+                and expr0.operands[0].op in {"Mull", "Mul"}
+                and isinstance(expr0.operands[0].operands[1], Const)
+            ):
+                a0 = expr0.operands[0].operands[0]
+                a1 = expr1.operands[0]
+            elif (
+                isinstance(expr1.operands[0], BinaryOp)
+                and expr1.operands[0].op in {"Mull", "Mul"}
+                and isinstance(expr1.operands[0].operands[1], Const)
+            ):
+                a1 = expr0.operands[0].operands[0]
+                a0 = expr1.operands[0]
+            else:
+                a0, a1 = None, None
+
+            # a0: Conv(32->64, vvar_44{reg 32})
+            # a1: vvar_44{reg 32}
+            if isinstance(a0, Convert) and a0.from_bits == a1.bits:
+                a0 = a0.operand
+
+            if a0 is not None and a1 is not None and a0.likes(a1):
+                # (a * x >> M1) +/- (a >> M2)  ==>  a / N
+                C = expr0.operands[0].operands[1].value
+                X = a0
+                V = expr0.operands[1].value
+                ndigits = 5 if V == 32 else 6
+                divisor = self._check_divisor(pow(2, V), C, ndigits)
+                if divisor is not None:
+                    new_const = Const(None, None, divisor, X.bits)
+                    # we cannot drop the convert in this case
+                    return BinaryOp(
+                        expr0.operands[0].idx,
+                        "Div",
+                        [X, new_const],
+                        expr0.operands[0].signed,
+                        **expr0.operands[0].tags,
+                    )
+
+        return None
+
     @staticmethod
     def _check_divisor(a, b, ndigits=6):
         divisor_1 = 1 + (a // b)

angr/analyses/decompiler/region_simplifiers/expr_folding.py

@@ -395,6 +395,10 @@ class ExpressionReplacer(AILBlockWalker):
 
     def _handle_Assignment(self, stmt_idx: int, stmt: Assignment, block: Block | None):
         # override the base handler and make sure we do not replace .dst with a Call expression or an ITE expression
+
+        if is_phi_assignment(stmt):
+            return None
+
         changed = False
 
         dst = self._handle_expr(0, stmt.dst, stmt_idx, stmt, block)

angr/analyses/decompiler/sequence_walker.py

@@ -216,11 +216,27 @@ class SequenceWalker:
         )
 
     def _handle_CascadingCondition(self, node: CascadingConditionNode, **kwargs):
-        for index, (_, child_node) in enumerate(node.condition_and_nodes):
-            self._handle(child_node, parent=node, index=index)
+        cond_nodes_changed = False
+        new_condition_and_nodes = []
+        for index, (cond, child_node) in enumerate(node.condition_and_nodes):
+            new_child = self._handle(child_node, parent=node, index=index)
+            if new_child is not None:
+                cond_nodes_changed = True
+                new_condition_and_nodes.append((cond, new_child))
+            else:
+                new_condition_and_nodes.append((cond, child_node))
+
+        new_else = None
         if node.else_node is not None:
-            self._handle(node.else_node, parent=node, index=-1)
-        return
+            new_else = self._handle(node.else_node, parent=node, index=-1)
+
+        if cond_nodes_changed or new_else is not None:
+            return CascadingConditionNode(
+                node.addr,
+                new_condition_and_nodes if cond_nodes_changed else node.condition_and_nodes,
+                else_node=new_else if new_else is not None else node.else_node,
+            )
+        return None
 
     def _handle_ConditionalBreak(self, node: ConditionalBreakNode, **kwargs):  # pylint:disable=no-self-use
         return None

angr/analyses/s_propagator.py

@@ -5,7 +5,7 @@ from collections import defaultdict
 
 from ailment.block import Block
 from ailment.expression import Const, VirtualVariable, VirtualVariableCategory, StackBaseOffset
-from ailment.statement import Assignment, Store, Return
+from ailment.statement import Assignment, Store, Return, Jump
 
 from angr.knowledge_plugins.functions import Function
 from angr.code_location import CodeLocation
@@ -98,11 +98,15 @@ class SPropagatorAnalysis(Analysis):
         # find all vvar uses
         vvar_uselocs = get_vvar_uselocs(blocks.values())
 
-        # find all ret sites
+        # find all ret sites and indirect jump sites
         retsites: set[tuple[int, int | None, int]] = set()
+        jumpsites: set[tuple[int, int | None, int]] = set()
         for bb in blocks.values():
-            if bb.statements and isinstance(bb.statements[-1], Return):
-                retsites.add((bb.addr, bb.idx, len(bb.statements) - 1))
+            if bb.statements:
+                if isinstance(bb.statements[-1], Return):
+                    retsites.add((bb.addr, bb.idx, len(bb.statements) - 1))
+                elif isinstance(bb.statements[-1], Jump):
+                    jumpsites.add((bb.addr, bb.idx, len(bb.statements) - 1))
 
         replacements = defaultdict(dict)
 
@@ -169,13 +173,13 @@ class SPropagatorAnalysis(Analysis):
                         {
                             loc
                             for _, loc in vvar_uselocs[vvar.varid]
-                            if (loc.block_addr, loc.block_idx, loc.stmt_idx) not in retsites
+                            if (loc.block_addr, loc.block_idx, loc.stmt_idx) not in (retsites | jumpsites)
                         }
                     )
                     == 1
                 ):
                     if is_const_and_vvar_assignment(stmt):
-                        # this vvar is used once if we exclude its uses at ret sites. we can propagate it
+                        # this vvar is used once if we exclude its uses at ret sites or jump sites. we can propagate it
                         for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
                             replacements[vvar_useloc][vvar_used] = stmt.src
 

angr/calling_conventions.py

@@ -1212,7 +1212,7 @@ class SimCCCdecl(SimCC):
         if isinstance(arg_type, (SimTypeArray, SimTypeFixedSizeArray)):  # hack
             arg_type = SimTypePointer(arg_type.elem_type).with_arch(self.arch)
         locs_size = 0
-        byte_size = arg_type.size // self.arch.byte_width
+        byte_size = arg_type.size // self.arch.byte_width if arg_type.size is not None else self.arch.bytes
         locs = []
         while locs_size < byte_size:
             locs.append(next(session.both_iter))
@@ -1293,7 +1293,7 @@ class SimCCMicrosoftAMD64(SimCC):
         except StopIteration:
             int_loc = fp_loc = next(session.both_iter)
 
-        byte_size = arg_type.size // self.arch.byte_width
+        byte_size = arg_type.size // self.arch.byte_width if arg_type.size is not None else self.arch.bytes
 
         if isinstance(arg_type, SimTypeFloat):
             return fp_loc.refine(size=byte_size, is_fp=True, arch=self.arch)

angr/engines/light/engine.py

@@ -604,6 +604,9 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if self._is_top(expr_0) or self._is_top(expr_1):
             return self._top(expr.result_size(self.tyenv))
 
+        if expr_1.concrete and expr_1.concrete_value == 0:
+            return self._top(expr.result_size(self.tyenv))
+
         signed = "U" in expr.op  # Iop_DivModU64to32 vs Iop_DivMod
         from_size = expr_0.size()
         to_size = expr_1.size()
@@ -632,10 +635,13 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if self._is_top(expr_0) or self._is_top(expr_1):
             return self._top(expr_0.size())
 
+        if expr_1.concrete and expr_1.concrete_value == 0:
+            return self._top(expr.result_size(self.tyenv))
+
         try:
             return expr_0 / expr_1
         except ZeroDivisionError:
-            return self._top(expr_0.size())
+            return self._top(expr.result_size(self.tyenv))
 
     def _handle_Mod(self, expr):
         args, r = self._binop_get_args(expr)
@@ -646,6 +652,9 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if self._is_top(expr_0) or self._is_top(expr_1):
             return self._top(expr_0.size())
 
+        if expr_1.concrete and expr_1.concrete_value == 0:
+            return self._top(expr.result_size(self.tyenv))
+
         try:
             return expr_0 - (expr_1 // expr_1) * expr_1
         except ZeroDivisionError:
@@ -974,7 +983,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         return expr
 
     def _ail_handle_CallExpr(self, expr: ailment.Stmt.Call):
-        self._expr(expr.target)
+        if not isinstance(expr.target, str):
+            self._expr(expr.target)
         return expr
 
     def _ail_handle_Reinterpret(self, expr: ailment.Expr.Reinterpret):

angr/engines/soot/expressions/instanceOf.py

@@ -1,6 +1,9 @@
 from __future__ import annotations
+
 import logging
 
+import claripy
+
 from .base import SimSootExpr
 
 l = logging.getLogger(name=__name__)
@@ -9,4 +12,4 @@ l = logging.getLogger(name=__name__)
 class SimSootExpr_InstanceOf(SimSootExpr):
     def _execute(self):
         obj = self._translate_value(self.expr.value)
-        self.expr = self.state.solver.StringV(obj.type) == self.state.solver.StringV(self.expr.check_type)
+        self.expr = claripy.StringV(obj.type) == claripy.StringV(self.expr.check_type)

angr/engines/successors.py

@@ -504,7 +504,7 @@ class SimSuccessors:
                 fallback = True
                 break
 
-            cond_and_targets.append((cond, target if not outer_reverse else state.solver.Reverse(target)))
+            cond_and_targets.append((cond, target if not outer_reverse else claripy.Reverse(target)))
 
         if reached_sentinel is False:
             # huh?