angr 9.2.130__py3-none-manylinux2014_x86_64.whl → 9.2.132__py3-none-manylinux2014_x86_64.whl

angr/analyses/reaching_definitions/function_handler.py

@@ -86,7 +86,7 @@ class FunctionCallData:
 
     callsite_codeloc: CodeLocation
     function_codeloc: CodeLocation
-    address_multi: MultiValues | None
+    address_multi: MultiValues[claripy.ast.BV | claripy.ast.FP] | None
     address: int | None = None
     symbol: Symbol | None = None
     function: Function | None = None
@@ -94,12 +94,12 @@ class FunctionCallData:
     cc: SimCC | None = None
     prototype: SimTypeFunction | None = None
     args_atoms: list[set[Atom]] | None = None
-    args_values: list[MultiValues] | None = None
+    args_values: list[MultiValues[claripy.ast.BV | claripy.ast.FP]] | None = None
     ret_atoms: set[Atom] | None = None
     redefine_locals: bool = True
     visited_blocks: set[int] | None = None
     effects: list[FunctionEffect] = field(default_factory=list)
-    ret_values: MultiValues | None = None
+    ret_values: MultiValues[claripy.ast.BV | claripy.ast.FP] | None = None
     ret_values_deps: set[Definition] | None = None
     caller_will_handle_single_ret: bool = False
     guessed_cc: bool = False

angr/analyses/reaching_definitions/rd_state.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
-from typing import Any, TYPE_CHECKING, overload
+from typing import Any, TYPE_CHECKING, cast, overload
 from collections.abc import Iterable, Iterator
 import logging
+from typing_extensions import Self
 
 import archinfo
 import claripy
@@ -13,7 +14,7 @@ from angr.knowledge_plugins.key_definitions.heap_address import HeapAddress
 from angr.knowledge_plugins.key_definitions.definition import A
 from angr.engines.light import SpOffset
 from angr.code_location import CodeLocation
-from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
+from angr.storage.memory_mixins.paged_memory.pages.multi_values import MVType, MultiValues
 from angr.storage.memory_mixins import MultiValuedMemory
 from angr.knowledge_plugins.key_definitions import LiveDefinitions, DerefSize, Definition
 from angr.knowledge_plugins.key_definitions.atoms import Atom, GuardUse, Register, MemoryLocation, ConstantSrc
@@ -77,14 +78,14 @@ class ReachingDefinitionsState:
         codeloc: CodeLocation,
         arch: archinfo.Arch,
         subject: Subject,
+        analysis: ReachingDefinitionsAnalysis,
         track_tmps: bool = False,
         track_consts: bool = False,
-        analysis: ReachingDefinitionsAnalysis | None = None,
         rtoc_value=None,
         live_definitions: LiveDefinitions | None = None,
         canonical_size: int = 8,
-        heap_allocator: HeapAllocator = None,
-        environment: Environment = None,
+        heap_allocator: HeapAllocator | None = None,
+        environment: Environment | None = None,
         sp_adjusted: bool = False,
         all_definitions: set[Definition[A]] | None = None,
         initializer: RDAStateInitializer | None = None,
@@ -102,12 +103,12 @@ class ReachingDefinitionsState:
         self._sp_adjusted: bool = sp_adjusted
         self._element_limit: int = element_limit
 
-        self.all_definitions: set[Definition[A]] = set() if all_definitions is None else all_definitions
+        self.all_definitions: set[Definition[Any]] = set() if all_definitions is None else all_definitions
 
         self.heap_allocator = heap_allocator or HeapAllocator(canonical_size)
         self._environment: Environment = environment or Environment()
 
-        self.codeloc_uses: set[Definition[A]] = set()
+        self.codeloc_uses: set[Definition[Any]] = set()
 
         # have we observed an exit statement or not during the analysis of the *last instruction* of a block? we should
         # not perform any sp updates if it is the case. this is for handling conditional returns in ARM binaries.
@@ -184,7 +185,7 @@ class ReachingDefinitionsState:
             return n - 2**self.arch.bits
         return n
 
-    def annotate_with_def(self, symvar: claripy.ast.Base, definition: Definition[A]) -> claripy.ast.Base:
+    def annotate_with_def(self, symvar: MVType, definition: Definition[Any]) -> MVType:
         """
 
         :param symvar:
@@ -193,14 +194,14 @@ class ReachingDefinitionsState:
         """
         return self.live_definitions.annotate_with_def(symvar, definition)
 
-    def annotate_mv_with_def(self, mv: MultiValues, definition: Definition[A]) -> MultiValues:
+    def annotate_mv_with_def(self, mv: MultiValues[MVType], definition: Definition[A]) -> MultiValues[MVType]:
         return MultiValues(
             offset_to_values={
                 offset: {self.annotate_with_def(value, definition) for value in values} for offset, values in mv.items()
             }
         )
 
-    def extract_defs(self, symvar: claripy.ast.Base) -> Iterator[Definition[A]]:
+    def extract_defs(self, symvar: claripy.ast.Base) -> Iterator[Definition[Any]]:
         yield from self.live_definitions.extract_defs(symvar)
 
     #
@@ -254,7 +255,7 @@ class ReachingDefinitionsState:
     def get_sp(self) -> int:
         return self.live_definitions.get_sp()
 
-    def get_stack_address(self, offset: claripy.ast.Base) -> int:
+    def get_stack_address(self, offset: claripy.ast.Base) -> int | None:
         return self.live_definitions.get_stack_address(offset)
 
     @property
@@ -300,8 +301,8 @@ class ReachingDefinitionsState:
 
         return self
 
-    def copy(self, discard_tmpdefs=False) -> ReachingDefinitionsState:
-        return ReachingDefinitionsState(
+    def copy(self, discard_tmpdefs=False) -> Self:
+        return type(self)(
             self.codeloc,
             self.arch,
             self._subject,
@@ -317,9 +318,8 @@ class ReachingDefinitionsState:
             element_limit=self._element_limit,
         )
 
-    def merge(self, *others) -> tuple[ReachingDefinitionsState, bool]:
+    def merge(self, *others: Self) -> tuple[Self, bool]:
         state = self.copy()
-        others: Iterable[ReachingDefinitionsState]
 
         state.live_definitions, merged_0 = state.live_definitions.merge(*[other.live_definitions for other in others])
         state._environment, merged_1 = state.environment.merge(*[other.environment for other in others])
@@ -419,10 +419,12 @@ class ReachingDefinitionsState:
                         for def_ in defs:
                             if not def_.dummy:
                                 self._dep_graph.add_edge(used, def_)
+
+                        cfg = self.analysis.project.kb.cfgs.get_most_accurate()
                         self._dep_graph.add_dependencies_for_concrete_pointers_of(
                             values,
                             used,
-                            self.analysis.project.kb.cfgs.get_most_accurate(),
+                            cfg,
                             self.analysis.project.loader,
                         )
         else:
@@ -491,7 +493,9 @@ class ReachingDefinitionsState:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def get_definitions(self, atom: A | Definition[A] | Iterable[A] | Iterable[Definition[A]]) -> set[Definition[A]]:
+    def get_definitions(
+        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]]
+    ) -> set[Definition[Atom]]:
         return self.live_definitions.get_definitions(atom)
 
     def get_values(self, spec: A | Definition[A] | Iterable[A]) -> MultiValues | None:
@@ -503,13 +507,15 @@ class ReachingDefinitionsState:
         return self.live_definitions.get_one_value(spec, strip_annotations=strip_annotations)
 
     @overload
-    def get_concrete_value(self, spec: A | Definition[A] | Iterable[A], cast_to: type[int] = ...) -> int | None: ...
+    def get_concrete_value(self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[int]) -> int | None: ...
 
     @overload
-    def get_concrete_value(self, spec: A | Definition[A] | Iterable[A], cast_to: type[bytes] = ...) -> bytes | None: ...
+    def get_concrete_value(
+        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[bytes]
+    ) -> bytes | None: ...
 
     def get_concrete_value(
-        self, spec: A | Definition[A] | Iterable[A], cast_to: type[int] | type[bytes] = int
+        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[int] | type[bytes] = int
     ) -> int | bytes | None:
         return self.live_definitions.get_concrete_value(spec, cast_to)
 
@@ -551,11 +557,10 @@ class ReachingDefinitionsState:
         return result
 
     @deprecated("deref")
-    def pointer_to_atom(self, value: claripy.ast.base.Base, size: int, endness: str) -> MemoryLocation | None:
+    def pointer_to_atom(self, value: claripy.ast.BV, size: int, endness: str) -> MemoryLocation | None:
         if self.is_top(value):
             return None
 
-        # TODO this can be simplified with the walrus operator
         stack_offset = self.get_stack_offset(value)
         if stack_offset is not None:
             addr = SpOffset(len(value), stack_offset)
@@ -564,7 +569,7 @@ class ReachingDefinitionsState:
             if heap_offset is not None:
                 addr = HeapAddress(heap_offset)
             elif value.op == "BVV":
-                addr = value.args[0]
+                addr = cast(int, value.args[0])
             else:
                 # cannot resolve
                 return None
@@ -574,9 +579,9 @@ class ReachingDefinitionsState:
     @overload
     def deref(
         self,
-        pointer: int | claripy.ast.bv.BV | HeapAddress | SpOffset,
+        pointer: int | claripy.ast.BV | HeapAddress | SpOffset,
         size: int | DerefSize,
-        endness: str = ...,
+        endness: archinfo.Endness = ...,
     ) -> MemoryLocation | None: ...
 
     @overload
@@ -584,23 +589,23 @@ class ReachingDefinitionsState:
         self,
         pointer: MultiValues | A | Definition | Iterable[A] | Iterable[Definition[A]],
         size: int | DerefSize,
-        endness: str = ...,
+        endness: archinfo.Endness = ...,
     ) -> set[MemoryLocation]: ...
 
     def deref(
         self,
         pointer: (
-            MultiValues
-            | A
-            | Definition
-            | Iterable[A]
-            | Iterable[Definition[A]]
+            MultiValues[claripy.ast.BV]
+            | Atom
+            | Definition[Atom]
+            | Iterable[Atom]
+            | Iterable[Definition[Atom]]
             | int
             | claripy.ast.BV
             | HeapAddress
             | SpOffset
         ),
         size: int | DerefSize,
-        endness: str = archinfo.Endness.BE,
+        endness: archinfo.Endness = archinfo.Endness.BE,
     ):
         return self.live_definitions.deref(pointer, size, endness)

angr/analyses/s_propagator.py

@@ -1,10 +1,19 @@
 from __future__ import annotations
 
 import contextlib
+from collections.abc import Mapping
 from collections import defaultdict
 
 from ailment.block import Block
-from ailment.expression import Const, VirtualVariable, VirtualVariableCategory, StackBaseOffset, Load, Convert
+from ailment.expression import (
+    Const,
+    VirtualVariable,
+    VirtualVariableCategory,
+    StackBaseOffset,
+    Load,
+    Convert,
+    Expression,
+)
 from ailment.statement import Assignment, Store, Return, Jump
 
 from angr.knowledge_plugins.functions import Function
@@ -31,7 +40,7 @@ class SPropagatorModel:
     """
 
     def __init__(self):
-        self.replacements = {}
+        self.replacements: Mapping[CodeLocation, Mapping[Expression, Expression]] = {}
 
 
 class SPropagatorAnalysis(Analysis):
@@ -41,7 +50,7 @@ class SPropagatorAnalysis(Analysis):
 
     def __init__(  # pylint: disable=too-many-positional-arguments
         self,
-        subject,
+        subject: Block | Function,
         func_graph=None,
         only_consts: bool = True,
         immediate_stmt_removal: bool = False,
@@ -86,10 +95,13 @@ class SPropagatorAnalysis(Analysis):
         return self.model.replacements
 
     def _analyze(self):
+        blocks: dict[tuple[int, int | None], Block]
         match self.mode:
             case "block":
+                assert self.block is not None
                 blocks = {(self.block.addr, self.block.idx): self.block}
             case "function":
+                assert self.func_graph is not None
                 blocks = {(block.addr, block.idx): block for block in self.func_graph}
             case _:
                 raise NotImplementedError
@@ -120,11 +132,14 @@ class SPropagatorAnalysis(Analysis):
 
             vvarid_to_vvar[vvar.varid] = vvar
             defloc = vvar_deflocs[vvar]
+            assert defloc.block_addr is not None
+            assert defloc.stmt_idx is not None
             block = blocks[(defloc.block_addr, defloc.block_idx)]
             stmt = block.statements[defloc.stmt_idx]
             r, v = is_const_assignment(stmt)
             if r:
                 # replace wherever it's used
+                assert v is not None
                 const_vvars[vvar.varid] = v
                 for vvar_at_use, useloc in vvar_uselocs[vvar.varid]:
                     replacements[useloc][vvar_at_use] = v
@@ -214,16 +229,34 @@ class SPropagatorAnalysis(Analysis):
 
             if self._sp_tracker is not None and vvar.category == VirtualVariableCategory.REGISTER:
                 if vvar.oident == self.project.arch.sp_offset:
+                    sp_bits = (
+                        (self.project.arch.registers["sp"][1] * self.project.arch.byte_width)
+                        if "sp" in self.project.arch.registers
+                        else None
+                    )
                     for vvar_at_use, useloc in vvar_uselocs[vvar.varid]:
                         sb_offset = self._sp_tracker.offset_before(useloc.ins_addr, self.project.arch.sp_offset)
                         if sb_offset is not None:
-                            replacements[useloc][vvar_at_use] = StackBaseOffset(None, self.project.arch.bits, sb_offset)
+                            v = StackBaseOffset(None, self.project.arch.bits, sb_offset)
+                            if sp_bits is not None and vvar.bits < sp_bits:
+                                # truncation needed
+                                v = Convert(None, sp_bits, vvar.bits, False, v)
+                            replacements[useloc][vvar_at_use] = v
                     continue
                 if not self._bp_as_gpr and vvar.oident == self.project.arch.bp_offset:
+                    bp_bits = (
+                        (self.project.arch.registers["bp"][1] * self.project.arch.byte_width)
+                        if "bp" in self.project.arch.registers
+                        else None
+                    )
                     for vvar_at_use, useloc in vvar_uselocs[vvar.varid]:
                         sb_offset = self._sp_tracker.offset_before(useloc.ins_addr, self.project.arch.bp_offset)
                         if sb_offset is not None:
-                            replacements[useloc][vvar_at_use] = StackBaseOffset(None, self.project.arch.bits, sb_offset)
+                            v = StackBaseOffset(None, self.project.arch.bits, sb_offset)
+                            if bp_bits is not None and vvar.bits < bp_bits:
+                                # truncation needed
+                                v = Convert(None, bp_bits, vvar.bits, False, v)
+                            replacements[useloc][vvar_at_use] = v
                     continue
 
         # find all tmp definitions

angr/analyses/s_reaching_definitions/s_reaching_definitions.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 from ailment.block import Block
 from ailment.statement import Assignment, Call, Return
+import networkx
 
 from angr.knowledge_plugins.functions import Function
 from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
@@ -22,9 +23,8 @@ class SReachingDefinitionsAnalysis(Analysis):
         self,
         subject,
         func_addr: int | None = None,
-        func_graph=None,
+        func_graph: networkx.DiGraph[Block] | None = None,
         track_tmps: bool = False,
-        stack_pointer_tracker=None,
     ):
         if isinstance(subject, Block):
             self.block = subject
@@ -40,7 +40,6 @@ class SReachingDefinitionsAnalysis(Analysis):
         self.func_graph = func_graph
         self.func_addr = func_addr if func_addr is not None else self.func.addr if self.func is not None else None
         self._track_tmps = track_tmps
-        self._sp_tracker = stack_pointer_tracker  # FIXME: Is it still used?
 
         self._bp_as_gpr = False
         if self.func is not None:
@@ -53,8 +52,10 @@ class SReachingDefinitionsAnalysis(Analysis):
     def _analyze(self):
         match self.mode:
             case "block":
+                assert self.block is not None
                 blocks = {(self.block.addr, self.block.idx): self.block}
             case "function":
+                assert self.func_graph is not None
                 blocks = {(block.addr, block.idx): block for block in self.func_graph}
             case _:
                 raise NotImplementedError
@@ -115,9 +116,10 @@ class SReachingDefinitionsAnalysis(Analysis):
                 stmt = block.statements[stmt_idx]
                 assert isinstance(stmt, (Call, Assignment, Return))
 
-                call: Call = (
+                call = (
                     stmt if isinstance(stmt, Call) else stmt.src if isinstance(stmt, Assignment) else stmt.ret_exprs[0]
                 )
+                assert isinstance(call, Call)
                 if call.prototype is None:
                     # without knowing the prototype, we must conservatively add uses to all registers that are
                     # potentially used here
@@ -126,7 +128,9 @@ class SReachingDefinitionsAnalysis(Analysis):
                     else:
                         # just use all registers in the default calling convention because we don't know anything about
                         # the calling convention yet
-                        cc = default_cc(self.project.arch.name)(self.project.arch)
+                        cc_cls = default_cc(self.project.arch.name)
+                        assert cc_cls is not None
+                        cc = cc_cls(self.project.arch)
 
                     codeloc = CodeLocation(block_addr, stmt_idx, block_idx=block_idx, ins_addr=stmt.ins_addr)
                     arg_locs = cc.ARG_REGS

angr/analyses/typehoon/simple_solver.py

@@ -127,8 +127,8 @@ class SketchNode(SketchNodeBase):
 
     def __init__(self, typevar: TypeVariable | DerivedTypeVariable):
         self.typevar: TypeVariable | DerivedTypeVariable = typevar
-        self.upper_bound = TopType()
-        self.lower_bound = BottomType()
+        self.upper_bound: TypeConstant = TopType()
+        self.lower_bound: TypeConstant = BottomType()
 
     def __repr__(self):
         return f"{self.lower_bound} <: {self.typevar} <: {self.upper_bound}"
@@ -190,7 +190,11 @@ class Sketch:
                 for _, dst, data in self.graph.out_edges(node, data=True):
                     if "label" in data and data["label"] == label:
                         succs.append(dst)
-                assert len(succs) <= 1
+                if len(succs) > 1:
+                    _l.warning(
+                        "Multiple successors found for node %s with label %s. Picking the first one.", node, label
+                    )
+                    succs = succs[:1]
                 if not succs:
                     return None
                 node = succs[0]
@@ -198,7 +202,7 @@ class Sketch:
                     node = self.lookup(node.target)
         return node
 
-    def add_edge(self, src: SketchNodeBase, dst: SketchNodeBase, label):
+    def add_edge(self, src: SketchNodeBase, dst: SketchNodeBase, label) -> None:
         self.graph.add_edge(src, dst, label=label)
 
     def add_constraint(self, constraint: TypeConstraint) -> None:
@@ -210,13 +214,15 @@ class Sketch:
         if SimpleSolver._typevar_inside_set(subtype, PRIMITIVE_TYPES) and not SimpleSolver._typevar_inside_set(
             supertype, PRIMITIVE_TYPES
         ):
-            super_node: SketchNode | None = self.lookup(supertype)
+            super_node = self.lookup(supertype)
+            assert super_node is None or isinstance(super_node, SketchNode)
             if super_node is not None:
                 super_node.lower_bound = self.solver.join(super_node.lower_bound, subtype)
         elif SimpleSolver._typevar_inside_set(supertype, PRIMITIVE_TYPES) and not SimpleSolver._typevar_inside_set(
             subtype, PRIMITIVE_TYPES
         ):
-            sub_node: SketchNode | None = self.lookup(subtype)
+            sub_node = self.lookup(subtype)
+            assert sub_node is None or isinstance(sub_node, SketchNode)
             # assert sub_node is not None
             if sub_node is not None:
                 sub_node.upper_bound = self.solver.meet(sub_node.upper_bound, supertype)
@@ -1166,7 +1172,10 @@ class SimpleSolver:
             for labels, succ in path_and_successors:
                 last_label = labels[-1] if labels else None
                 if isinstance(last_label, HasField):
-                    candidate_bases[last_label.offset].add(last_label.bits // 8)
+                    # TODO: Really determine the maximum possible size of the field when MAX_POINTSTO_BITS is in use
+                    candidate_bases[last_label.offset].add(
+                        1 if last_label.bits == MAX_POINTSTO_BITS else (last_label.bits // 8)
+                    )
 
             node_to_base = {}
 

angr/analyses/typehoon/translator.py

@@ -151,6 +151,9 @@ class TypeTranslator:
     def _translate_Int256(self, tc):  # pylint:disable=unused-argument
         return sim_type.SimTypeInt256(signed=False).with_arch(self.arch)
 
+    def _translate_Int512(self, tc):  # pylint:disable=unused-argument
+        return sim_type.SimTypeInt512(signed=False).with_arch(self.arch)
+
     def _translate_TypeVariableReference(self, tc):
         if tc.typevar in self.translated:
             return self.translated[tc.typevar]
@@ -190,6 +193,9 @@ class TypeTranslator:
     def _translate_SimTypeInt256(self, st: sim_type.SimTypeChar) -> typeconsts.Int256:
         return typeconsts.Int256()
 
+    def _translate_SimTypeInt512(self, st: sim_type.SimTypeChar) -> typeconsts.Int512:
+        return typeconsts.Int512()
+
     def _translate_SimTypeInt(self, st: sim_type.SimTypeInt) -> typeconsts.Int32:
         return typeconsts.Int32()
 
@@ -235,6 +241,7 @@ TypeConstHandlers = {
     typeconsts.Int64: TypeTranslator._translate_Int64,
     typeconsts.Int128: TypeTranslator._translate_Int128,
     typeconsts.Int256: TypeTranslator._translate_Int256,
+    typeconsts.Int512: TypeTranslator._translate_Int512,
     typeconsts.TypeVariableReference: TypeTranslator._translate_TypeVariableReference,
 }
 
@@ -247,6 +254,7 @@ SimTypeHandlers = {
     sim_type.SimTypeChar: TypeTranslator._translate_SimTypeChar,
     sim_type.SimTypeInt128: TypeTranslator._translate_SimTypeInt128,
     sim_type.SimTypeInt256: TypeTranslator._translate_SimTypeInt256,
+    sim_type.SimTypeInt512: TypeTranslator._translate_SimTypeInt512,
     sim_type.SimStruct: TypeTranslator._translate_SimStruct,
     sim_type.SimTypeArray: TypeTranslator._translate_SimTypeArray,
 }

angr/analyses/typehoon/typeconsts.py

@@ -107,6 +107,13 @@ class Int256(Int):
         return "int256"
 
 
+class Int512(Int):
+    SIZE = 32
+
+    def __repr__(self, memo=None):
+        return "int512"
+
+
 class FloatBase(TypeConstant):
     def __repr__(self, memo=None):
         return "floatbase"
@@ -281,7 +288,7 @@ class TypeVariableReference(TypeConstant):
 #
 
 
-def int_type(bits: int) -> Int | None:
+def int_type(bits: int) -> Int:
     mapping = {
         1: Int1,
         8: Int8,
@@ -290,10 +297,11 @@ def int_type(bits: int) -> Int | None:
         64: Int64,
         128: Int128,
         256: Int256,
+        512: Int512,
     }
     if bits in mapping:
         return mapping[bits]()
-    return None
+    raise TypeError(f"Not a known size of int: {bits}")
 
 
 def float_type(bits: int) -> FloatBase | None:

angr/analyses/typehoon/typehoon.py

@@ -103,8 +103,11 @@ class Typehoon(Analysis):
         print(f"### {sum(map(len, self._constraints.values()))} constraints")
         for func_var in self._constraints:
             print(f"{func_var}:")
+            lst = []
             for constraint in self._constraints[func_var]:
-                print("    " + constraint.pp_str(typevar_to_var))
+                lst.append("    " + constraint.pp_str(typevar_to_var))
+            lst = sorted(lst)
+            print("\n".join(lst))
         print("### end of constraints ###")
 
     def pp_solution(self) -> None:

angr/analyses/typehoon/typevars.py

@@ -316,12 +316,12 @@ class TypeVariable:
 class DerivedTypeVariable(TypeVariable):
     __slots__ = ("type_var", "labels")
 
-    type_var: TypeVariable | TypeConstant
+    labels: tuple[BaseLabel, ...]
 
     def __init__(
         self,
-        type_var: TypeVariable | DerivedTypeVariable | None,
-        label,
+        type_var: TypeType,
+        label: BaseLabel | None,
         labels: Iterable[BaseLabel] | None = None,
         idx=None,
     ):
@@ -339,8 +339,10 @@ class DerivedTypeVariable(TypeVariable):
 
         if label is not None:
             self.labels = (*existing_labels, label)
+        elif labels is not None:
+            self.labels = existing_labels + tuple(labels)
         else:
-            self.labels: tuple[BaseLabel] = existing_labels + tuple(labels)
+            self.labels = existing_labels
 
         if not self.labels:
             raise ValueError("A DerivedTypeVariable must have at least one label")
@@ -350,10 +352,10 @@ class DerivedTypeVariable(TypeVariable):
     def one_label(self) -> BaseLabel | None:
         return self.labels[0] if len(self.labels) == 1 else None
 
-    def path(self) -> tuple[BaseLabel]:
+    def path(self) -> tuple[BaseLabel, ...]:
         return self.labels
 
-    def longest_prefix(self) -> TypeVariable | DerivedTypeVariable | None:
+    def longest_prefix(self) -> TypeType | None:
         if not self.labels:
             return None
         if len(self.labels) == 1:
@@ -418,7 +420,7 @@ class TypeVariables:
         # )
         return "{TypeVars: %d items}" % len(self._typevars)
 
-    def add_type_variable(self, var: SimVariable, codeloc, typevar: TypeVariable):  # pylint:disable=unused-argument
+    def add_type_variable(self, var: SimVariable, codeloc, typevar: TypeType):  # pylint:disable=unused-argument
         if var not in self._typevars:
             self._typevars[var] = set()
         elif typevar in self._typevars[var]: