angr 9.2.131__py3-none-manylinux2014_aarch64.whl → 9.2.133__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/structuring/phoenix.py

@@ -306,7 +306,8 @@ class PhoenixStructurer(StructurerBase):
                     and isinstance(head_block.nodes[0], Block)
                     and head_block.nodes[0].statements
                     and isinstance(first_nonlabel_nonphi_statement(head_block.nodes[0]), ConditionalJump)
-                    or isinstance(head_block, Block)
+                ) or (
+                    isinstance(head_block, Block)
                     and head_block.statements
                     and isinstance(first_nonlabel_nonphi_statement(head_block), ConditionalJump)
                 ):
@@ -1569,6 +1570,15 @@ class PhoenixStructurer(StructurerBase):
 
         return case_and_entry_addrs
 
+    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+        jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+        if node.addr in jump_tables:
+            return True
+        for succ in graph.successors(node):
+            if succ.addr in jump_tables:
+                return True
+        return node in self.switch_case_known_heads
+
     # other acyclic schemas
 
     def _match_acyclic_sequence(self, graph, full_graph, start_node) -> bool:
@@ -1578,14 +1588,12 @@ class PhoenixStructurer(StructurerBase):
         succs = list(graph.successors(start_node))
         if len(succs) == 1:
             end_node = succs[0]
-            jump_tables = self.kb.cfgs["CFGFast"].jump_tables
             if (
                 full_graph.out_degree[start_node] == 1
                 and full_graph.in_degree[end_node] == 1
                 and not full_graph.has_edge(end_node, start_node)
-                and end_node.addr not in jump_tables
-                and end_node not in self.switch_case_known_heads
-                and start_node not in self.switch_case_known_heads
+                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node)
+                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
                 and end_node not in self.dowhile_known_tail_nodes
             ):
                 # merge two blocks
@@ -1606,7 +1614,9 @@ class PhoenixStructurer(StructurerBase):
         succs = list(full_graph.successors(start_node))
         if len(succs) == 2:
             left, right = succs
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 # structure the switch-case first before we wrap them into an ITE. give up
                 return False
 
@@ -1738,10 +1748,8 @@ class PhoenixStructurer(StructurerBase):
                 and right not in graph
                 and full_graph.in_degree[left] == 1
                 and (
-                    full_graph.in_degree[right] == 2
-                    and left_succs == [right]
-                    or full_graph.in_degree[right] == 1
-                    and not left_succs
+                    (full_graph.in_degree[right] == 2 and left_succs == [right])
+                    or (full_graph.in_degree[right] == 1 and not left_succs)
                 )
             ):
                 edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
@@ -2039,7 +2047,9 @@ class PhoenixStructurer(StructurerBase):
                 left, right = right, left
 
             # ensure left and right nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 return None
 
             if (
@@ -2086,7 +2096,9 @@ class PhoenixStructurer(StructurerBase):
                 left, right = right, left
 
             # ensure left and right nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 return None
 
             if (
@@ -2127,7 +2139,9 @@ class PhoenixStructurer(StructurerBase):
                 left, successor = successor, left
 
             # ensure left and successor nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or successor in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, successor):
                 return None
 
             if (
@@ -2175,7 +2189,9 @@ class PhoenixStructurer(StructurerBase):
                 left, else_node = else_node, left
 
             # ensure left and else nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or else_node in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, else_node):
                 return None
 
             if (
@@ -2367,17 +2383,19 @@ class PhoenixStructurer(StructurerBase):
                     and last_stmt.target.value == dst_addr
                     and (dst_idx is ... or last_stmt.target_idx == dst_idx)
                 )
-                or isinstance(last_stmt, ConditionalJump)
-                and (
-                    (
-                        isinstance(last_stmt.true_target, Const)
-                        and last_stmt.true_target.value == dst_addr
-                        and (dst_idx is ... or last_stmt.true_target_idx == dst_idx)
-                    )
-                    or (
-                        isinstance(last_stmt.false_target, Const)
-                        and last_stmt.false_target.value == dst_addr
-                        and (dst_idx is ... or last_stmt.false_target_idx == dst_idx)
+                or (
+                    isinstance(last_stmt, ConditionalJump)
+                    and (
+                        (
+                            isinstance(last_stmt.true_target, Const)
+                            and last_stmt.true_target.value == dst_addr
+                            and (dst_idx is ... or last_stmt.true_target_idx == dst_idx)
+                        )
+                        or (
+                            isinstance(last_stmt.false_target, Const)
+                            and last_stmt.false_target.value == dst_addr
+                            and (dst_idx is ... or last_stmt.false_target_idx == dst_idx)
+                        )
                     )
                 )
                 or (
@@ -2414,10 +2432,8 @@ class PhoenixStructurer(StructurerBase):
 
         def _handle_BreakNode(break_node: BreakNode, parent=None, **kwargs):  # pylint:disable=unused-argument
             walker.block_id += 1
-            if (
-                break_node.target == dst_addr
-                or isinstance(break_node.target, Const)
-                and break_node.target.value == dst_addr
+            if break_node.target == dst_addr or (
+                isinstance(break_node.target, Const) and break_node.target.value == dst_addr
             ):
                 # FIXME: idx is ignored
                 walker.parent_and_block.append((walker.block_id, parent, break_node))

angr/analyses/decompiler/structuring/structurer_base.py

@@ -150,7 +150,7 @@ class StructurerBase(Analysis):
                 if isinstance(stmt, ailment.Stmt.Jump):
                     targets = extract_jump_targets(stmt)
                     for t in targets:
-                        if t in cases or default is not None and t == default.addr:
+                        if t in cases or (default is not None and t == default.addr):
                             # the node after switch cannot be one of the nodes in the switch-case construct
                             continue
                         goto_addrs[t] += 1
@@ -863,7 +863,7 @@ class StructurerBase(Analysis):
         addr = node_0.addr if node_0.addr is not None else node_1.addr
 
         # fix the last block of node_0 and remove useless goto statements
-        if isinstance(node_0, SequenceNode) and node_0.nodes or isinstance(node_0, MultiNode) and node_0.nodes:
+        if (isinstance(node_0, SequenceNode) and node_0.nodes) or (isinstance(node_0, MultiNode) and node_0.nodes):
             last_node = node_0.nodes[-1]
         elif isinstance(node_0, ailment.Block):
             last_node = node_0

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -17,9 +17,9 @@ class EmptyBlockNotice(Exception):
 
 class MultiNode:
     __slots__ = (
-        "nodes",
         "addr",
         "idx",
+        "nodes",
     )
 
     def __init__(self, nodes, addr=None, idx=None):
@@ -48,7 +48,7 @@ class MultiNode:
                 addrs.append(node.addr)
             s = f": {min(addrs):#x}-{max(addrs):#x}"
 
-        return "<MultiNode %#x of %d nodes%s>" % (self.addr, len(self.nodes), s)
+        return f"<MultiNode {self.addr:#x} of {len(self.nodes)} nodes{s}>"
 
     def __hash__(self):
         # changing self.nodes does not change the hash, which enables in-place editing
@@ -110,8 +110,8 @@ class SequenceNode(BaseNode):
 
     def __repr__(self):
         if self.addr is None:
-            return "<SequenceNode, %d nodes>" % len(self.nodes)
-        return "<SequenceNode %#x, %d nodes>" % (self.addr, len(self.nodes))
+            return f"<SequenceNode, {len(self.nodes)} nodes>"
+        return f"<SequenceNode {self.addr:#x}, {len(self.nodes)} nodes>"
 
     def add_node(self, node):
         self.nodes.append(node)
@@ -192,11 +192,11 @@ class CodeNode(BaseNode):
 class ConditionNode(BaseNode):
     __slots__ = (
         "addr",
+        "condition",
+        "false_node",
         "node",
         "reaching_condition",
-        "condition",
         "true_node",
-        "false_node",
     )
 
     def __init__(self, addr, reaching_condition, condition, true_node, false_node=None):
@@ -238,13 +238,13 @@ class CascadingConditionNode(BaseNode):
 
 class LoopNode(BaseNode):
     __slots__ = (
-        "sort",
+        "_addr",
+        "_continue_addr",
         "condition",
-        "sequence_node",
         "initializer",
         "iterator",
-        "_addr",
-        "_continue_addr",
+        "sequence_node",
+        "sort",
     )
 
     def __init__(
@@ -351,10 +351,10 @@ class ConditionalBreakNode(BreakNode):
 
 class SwitchCaseNode(BaseNode):
     __slots__ = (
-        "switch_expr",
+        "addr",
         "cases",
         "default_node",
-        "addr",
+        "switch_expr",
     )
 
     def __init__(self, switch_expr, cases: OrderedDict[int | tuple[int, ...], SequenceNode], default_node, addr=None):
@@ -370,7 +370,7 @@ class IncompleteSwitchCaseNode(BaseNode):
     into a SwitchCaseNode by the end of structuring. Only used in Phoenix structurer.
     """
 
-    __slots__ = ("addr", "head", "cases")
+    __slots__ = ("addr", "cases", "head")
 
     def __init__(self, addr, head, cases: list):
         self.addr = addr
@@ -388,7 +388,7 @@ class IncompleteSwitchCaseHeadStatement(ailment.statement.Statement):
     Describes a switch-case head. This is only created by LoweredSwitchSimplifier.
     """
 
-    __slots__ = ("addr", "switch_variable", "case_addrs", "_case_addrs_str")
+    __slots__ = ("_case_addrs_str", "addr", "case_addrs", "switch_variable")
 
     def __init__(self, idx, switch_variable, case_addrs, **kwargs):
         super().__init__(idx, **kwargs)
@@ -411,3 +411,12 @@ class IncompleteSwitchCaseHeadStatement(ailment.statement.Statement):
         return ailment.utils.stable_hash(
             (IncompleteSwitchCaseHeadStatement, self.idx, self.switch_variable, self._case_addrs_str)
         )
+
+    def replace(self, old_expr, new_expr):
+        return self
+
+    def likes(self, other):
+        return self == other
+
+    def matches(self, other):
+        return self == other

angr/analyses/deobfuscator/__init__.py

@@ -10,9 +10,9 @@ from .api_obf_peephole_optimizer import APIObfType1PeepholeOptimizer
 
 
 __all__ = (
-    "StringObfuscationFinder",
+    "APIObfType1PeepholeOptimizer",
+    "APIObfuscationFinder",
     "StringObfType1PeepholeOptimizer",
     "StringObfType3Rewriter",
-    "APIObfuscationFinder",
-    "APIObfType1PeepholeOptimizer",
+    "StringObfuscationFinder",
 )

angr/analyses/deobfuscator/irsb_reg_collector.py

@@ -1,85 +1,54 @@
-# pylint:disable=no-self-use,unused-argument,attribute-defined-outside-init
+# pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
 
-import pyvex
+from angr.engines.light import SimEngineNostmtVEX
 
-from angr.engines.light import SimEngineLightVEXMixin
 
-
-class IRSBRegisterCollector(SimEngineLightVEXMixin):
+class IRSBRegisterCollector(SimEngineNostmtVEX[None, None, None]):
     """
     Scan the VEX IRSB to collect all registers that are read.
     """
 
-    def __init__(self, block, *args, **kwargs):
+    def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        self.block = block
         self.reg_reads: set[tuple[int, int]] = set()
 
-    def process(self):
-        self.tmps = {}
-        self.tyenv = self.block.vex.tyenv
-
-        self._process_Stmt()
-
-        self.stmt_idx = None
-        self.ins_addr = None
-
-    def _handle_Put(self, stmt):
-        pass
-
-    def _handle_Load(self, expr):
-        pass
+    def _top(self, bits):
+        return None
 
-    def _handle_Store(self, stmt):
-        pass
+    def _is_top(self, expr):
+        return True
 
-    def _handle_LoadG(self, stmt):
-        pass
-
-    def _handle_LLSC(self, stmt: pyvex.IRStmt.LLSC):
-        pass
-
-    def _handle_StoreG(self, stmt):
-        pass
-
-    def _handle_Get(self, expr: pyvex.IRExpr.Get):
+    def _handle_expr_Get(self, expr):
         self.reg_reads.add((expr.offset, expr.result_size(self.tyenv)))
 
-    def _handle_RdTmp(self, expr):
-        pass
-
-    def _handle_Conversion(self, expr: pyvex.IRExpr.Unop):
-        pass
+    def _handle_stmt_WrTmp(self, stmt):
+        self._expr(stmt.data)
 
-    def _handle_16HLto32(self, expr):
-        pass
+    def _handle_conversion(self, from_size, to_size, signed, operand):
+        return None
 
-    def _handle_Cmp_v(self, expr, _vector_size, _vector_count):
-        pass
+    def _process_block_end(self, stmt_result, whitelist):
+        return None
 
-    _handle_CmpEQ_v = _handle_Cmp_v
-    _handle_CmpNE_v = _handle_Cmp_v
-    _handle_CmpLE_v = _handle_Cmp_v
-    _handle_CmpLT_v = _handle_Cmp_v
-    _handle_CmpGE_v = _handle_Cmp_v
-    _handle_CmpGT_v = _handle_Cmp_v
+    def _handle_expr_VECRET(self, expr):
+        return None
 
-    def _handle_ExpCmpNE64(self, expr):
-        pass
+    def _handle_expr_GSPTR(self, expr):
+        return None
 
-    def _handle_CCall(self, expr):
-        pass
+    def _handle_expr_RdTmp(self, expr):
+        return None
 
-    def _handle_function(self, func_addr):
-        pass
+    def _handle_expr_GetI(self, expr):
+        return None
 
-    def _handle_Unop(self, expr):
-        pass
+    def _handle_expr_Load(self, expr):
+        return None
 
-    def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
-        pass
+    def _handle_expr_ITE(self, expr):
+        return None
 
-    def _handle_Triop(self, expr: pyvex.IRExpr.Triop):
-        pass
+    def _handle_expr_Const(self, expr):
+        return None

angr/analyses/deobfuscator/string_obf_finder.py

@@ -669,8 +669,8 @@ class StringObfuscationFinder(Analysis):
         # take a look at the call-site block to see what registers are used
         reg_reads = set()
         for block_addr in blocks_at_callsite:
-            reg_collector = IRSBRegisterCollector(self.project.factory.block(block_addr))
-            reg_collector.process()
+            reg_collector = IRSBRegisterCollector(self.project)
+            reg_collector.process(state=None, block=self.project.factory.block(block_addr))
             reg_reads |= set(reg_collector.reg_reads)
 
         # run constant propagation to track constant registers

angr/analyses/deobfuscator/string_obf_opt_passes.py

@@ -44,7 +44,7 @@ class StringObfType3Rewriter(OptimizationPass):
 
     @staticmethod
     def is_call_or_call_assignment(stmt) -> bool:
-        return isinstance(stmt, Call) or isinstance(stmt, Assignment) and isinstance(stmt.src, Call)
+        return isinstance(stmt, Call) or (isinstance(stmt, Assignment) and isinstance(stmt.src, Call))
 
     def _analyze(self, cache=None):
 

angr/analyses/disassembly.py

@@ -119,9 +119,9 @@ class Label(DisassemblyPiece):
 class IROp(DisassemblyPiece):
     __slots__ = (
         "addr",
-        "seq",
-        "obj",
         "irsb",
+        "obj",
+        "seq",
     )
 
     addr: int
@@ -444,7 +444,7 @@ class SootExpressionTarget(SootExpression):
         self.target_stmt_idx = target_stmt_idx
 
     def _render(self, formatting=None):
-        return ["Goto %d" % self.target_stmt_idx]
+        return [f"Goto {self.target_stmt_idx}"]
 
 
 class SootExpressionStaticFieldRef(SootExpression):
@@ -898,7 +898,7 @@ class Value(OperandPiece):
                     return [f"{self.val:#x}"]
                 if style[0] == "dec":
                     if self.render_with_sign:
-                        return ["%+d" % self.val]
+                        return [f"{self.val:+d}"]
                     return [str(self.val)]
                 if style[0] == "label":
                     labeloffset = style[1]

angr/analyses/forward_analysis/__init__.py

@@ -4,8 +4,8 @@ from .forward_analysis import ForwardAnalysis
 from .visitors import CallGraphVisitor, FunctionGraphVisitor, LoopVisitor, SingleNodeGraphVisitor
 
 __all__ = (
-    "ForwardAnalysis",
     "CallGraphVisitor",
+    "ForwardAnalysis",
     "FunctionGraphVisitor",
     "LoopVisitor",
     "SingleNodeGraphVisitor",

angr/analyses/forward_analysis/visitors/graph.py

@@ -16,14 +16,14 @@ class GraphVisitor(Generic[NodeType]):
     """
 
     __slots__ = (
-        "_sorted_nodes",
-        "_worklist",
-        "_nodes_set",
-        "_node_to_index",
-        "_reached_fixedpoint",
-        "_back_edges_by_src",
         "_back_edges_by_dst",
+        "_back_edges_by_src",
+        "_node_to_index",
+        "_nodes_set",
         "_pending_nodes",
+        "_reached_fixedpoint",
+        "_sorted_nodes",
+        "_worklist",
     )
 
     def __init__(self):

angr/analyses/init_finder.py

@@ -1,33 +1,36 @@
 from __future__ import annotations
 from collections import defaultdict
+from typing import cast
 
 from cle.loader import MetaELF
-from cle.backends import Section, Segment
 import pyvex
 import claripy
 
 from angr.analyses import visitors, ForwardAnalysis
-from angr.engines.light import SimEngineLight, SimEngineLightVEXMixin
+from angr.code_location import CodeLocation
+from angr.engines.light import SimEngineNostmtVEX
 from . import register_analysis, PropagatorAnalysis
 from .analysis import Analysis
 from .propagator.vex_vars import VEXTmp
 
 
-class SimEngineInitFinderVEX(
-    SimEngineLightVEXMixin,
-    SimEngineLight,
-):
+class SimEngineInitFinderVEX(SimEngineNostmtVEX[None, claripy.ast.Base | int | None, None]):
     """
     The VEX engine class for InitFinder.
     """
 
     def __init__(self, project, replacements, overlay, pointers_only=False):
-        super().__init__()
-        self.project = project
-        self.replacements = replacements
+        super().__init__(project)
+        self.replacements: dict[CodeLocation, dict[int, claripy.ast.Base | int]] = replacements
         self.overlay = overlay
         self.pointers_only = pointers_only
 
+    def _top(self, bits):
+        return None
+
+    def _is_top(self, expr):
+        return expr is None
+
     #
     # Utils
     #
@@ -38,18 +41,19 @@ class SimEngineInitFinderVEX(
             return True
         return bool(isinstance(expr, int))
 
-    def _is_addr_uninitialized(self, addr):
+    def _is_addr_uninitialized(self, addr: int | claripy.ast.Base):
         # is it writing to a global, uninitialized region?
 
         if isinstance(addr, claripy.ast.Base):
-            addr = addr.args[0]
+            assert addr.op == "BVV"
+            addr = cast(int, addr.args[0])
 
         obj = self.project.loader.find_object_containing(addr)
         if obj is not None:
             if not obj.has_memory:
                 # Objects without memory are definitely uninitialized
                 return True
-            section: Section = obj.find_section_containing(addr)
+            section = obj.find_section_containing(addr)
             if section is not None:
                 return section.name in {
                     ".bss",
@@ -58,7 +62,7 @@ class SimEngineInitFinderVEX(
             if isinstance(obj, MetaELF):
                 # for ELFs, if p_memsz >= p_filesz, the extra bytes are considered NOBITS
                 # https://docs.oracle.com/cd/E19120-01/open.solaris/819-0690/gjpww/index.html
-                segment: Segment = obj.find_segment_containing(addr)
+                segment = obj.find_segment_containing(addr)
                 if segment is not None and segment.memsize > segment.filesize:
                     return segment.vaddr + segment.filesize <= addr < segment.vaddr + segment.memsize
         return False
@@ -71,6 +75,9 @@ class SimEngineInitFinderVEX(
             return self.project.loader.find_object_containing(addr) is not None
         return False
 
+    def _process_block_end(self, stmt_result, whitelist):
+        return None
+
     #
     # Statement handlers
     #
@@ -78,15 +85,15 @@ class SimEngineInitFinderVEX(
     def _handle_function(self, *args, **kwargs):
         pass
 
-    def _handle_WrTmp(self, stmt):
+    def _handle_stmt_WrTmp(self, stmt):
         # Don't do anything since constant propagation has already processed it
         return
 
-    def _handle_Put(self, stmt):
+    def _handle_stmt_Put(self, stmt):
         # Don't do anything since constant propagation has already processed it
         return
 
-    def _handle_Store(self, stmt):
+    def _handle_stmt_Store(self, stmt):
         blockloc = self._codeloc(block_only=True)
 
         if type(stmt.addr) is pyvex.IRExpr.RdTmp:
@@ -107,7 +114,7 @@ class SimEngineInitFinderVEX(
                         if not self.pointers_only or self._is_pointer(data_v):
                             self.overlay.store(addr_v, data_v, endness=self.project.arch.memory_endness)
 
-    def _handle_StoreG(self, stmt):
+    def _handle_stmt_StoreG(self, stmt):
         blockloc = self._codeloc(block_only=True)
         repl = self.replacements[blockloc]
 
@@ -144,16 +151,16 @@ class SimEngineInitFinderVEX(
     # Expression handlers
     #
 
-    def _handle_Get(self, expr):
+    def _handle_expr_Get(self, expr):
         return None
 
-    def _handle_Load(self, expr):
+    def _handle_expr_Load(self, expr):
         return None
 
-    def _handle_LoadG(self, stmt):
+    def _handle_stmt_LoadG(self, stmt):
         return None
 
-    def _handle_RdTmp(self, expr):
+    def _handle_expr_RdTmp(self, expr):
         blockloc = self._codeloc(block_only=True)
 
         tmp = VEXTmp(expr.tmp)
@@ -161,6 +168,24 @@ class SimEngineInitFinderVEX(
             return self.replacements[blockloc][tmp]
         return None
 
+    def _handle_expr_VECRET(self, expr):
+        return None
+
+    def _handle_expr_GSPTR(self, expr):
+        return None
+
+    def _handle_expr_GetI(self, expr):
+        return None
+
+    def _handle_expr_ITE(self, expr):
+        return None
+
+    def _handle_conversion(self, from_size, to_size, signed, operand):
+        return None
+
+    def _handle_expr_Const(self, expr):
+        return None
+
 
 class InitializationFinder(ForwardAnalysis, Analysis):  # pylint:disable=abstract-method
     """
@@ -238,7 +263,7 @@ class InitializationFinder(ForwardAnalysis, Analysis):  # pylint:disable=abstrac
         return None
 
     def _merge_states(self, node, *states):
-        return None
+        return None, False
 
     def _run_on_node(self, node, state):
         block = self.project.factory.block(node.addr, node.size, opt_level=1, cross_insn_opt=False)

angr/analyses/loop_analysis.py

@@ -19,7 +19,7 @@ class VariableTypes:
 
 
 class AnnotatedVariable:
-    __slots__ = ["variable", "type"]
+    __slots__ = ["type", "variable"]
 
     def __init__(self, variable, type_):
         self.variable = variable