angr 9.2.131__py3-none-manylinux2014_aarch64.whl → 9.2.133__py3-none-manylinux2014_aarch64.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of angr might be problematic. Click here for more details.
- angr/__init__.py +128 -128
- angr/analyses/__init__.py +38 -38
- angr/analyses/analysis.py +6 -2
- angr/analyses/backward_slice.py +3 -4
- angr/analyses/binary_optimizer.py +5 -12
- angr/analyses/bindiff.py +3 -6
- angr/analyses/calling_convention.py +3 -4
- angr/analyses/cfg/__init__.py +3 -3
- angr/analyses/cfg/cfg_base.py +1 -1
- angr/analyses/cfg/cfg_emulated.py +5 -5
- angr/analyses/cfg/cfg_fast.py +19 -17
- angr/analyses/cfg/indirect_jump_resolvers/__init__.py +5 -5
- angr/analyses/cfg/indirect_jump_resolvers/amd64_elf_got.py +1 -1
- angr/analyses/cfg/indirect_jump_resolvers/jumptable.py +148 -101
- angr/analyses/cfg/indirect_jump_resolvers/x86_elf_pic_plt.py +1 -1
- angr/analyses/data_dep/__init__.py +4 -4
- angr/analyses/datagraph_meta.py +1 -1
- angr/analyses/ddg.py +16 -17
- angr/analyses/decompiler/__init__.py +12 -12
- angr/analyses/decompiler/ail_simplifier.py +24 -12
- angr/analyses/decompiler/block_similarity.py +2 -4
- angr/analyses/decompiler/block_simplifier.py +10 -21
- angr/analyses/decompiler/callsite_maker.py +1 -1
- angr/analyses/decompiler/ccall_rewriters/rewriter_base.py +1 -1
- angr/analyses/decompiler/clinic.py +122 -41
- angr/analyses/decompiler/condition_processor.py +57 -39
- angr/analyses/decompiler/counters/__init__.py +3 -3
- angr/analyses/decompiler/decompilation_cache.py +7 -7
- angr/analyses/decompiler/dephication/__init__.py +1 -1
- angr/analyses/decompiler/dephication/graph_rewriting.py +1 -1
- angr/analyses/decompiler/dephication/graph_vvar_mapping.py +11 -3
- angr/analyses/decompiler/dephication/rewriting_engine.py +169 -45
- angr/analyses/decompiler/dephication/seqnode_dephication.py +5 -4
- angr/analyses/decompiler/expression_narrower.py +1 -1
- angr/analyses/decompiler/graph_region.py +8 -8
- angr/analyses/decompiler/optimization_passes/__init__.py +20 -20
- angr/analyses/decompiler/optimization_passes/const_derefs.py +1 -0
- angr/analyses/decompiler/optimization_passes/deadblock_remover.py +1 -2
- angr/analyses/decompiler/optimization_passes/div_simplifier.py +41 -16
- angr/analyses/decompiler/optimization_passes/duplication_reverter/duplication_reverter.py +8 -7
- angr/analyses/decompiler/optimization_passes/duplication_reverter/utils.py +1 -3
- angr/analyses/decompiler/optimization_passes/engine_base.py +262 -84
- angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py +175 -39
- angr/analyses/decompiler/optimization_passes/ite_region_converter.py +2 -5
- angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py +5 -5
- angr/analyses/decompiler/optimization_passes/mod_simplifier.py +12 -3
- angr/analyses/decompiler/optimization_passes/optimization_pass.py +42 -19
- angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py +9 -5
- angr/analyses/decompiler/peephole_optimizations/__init__.py +1 -1
- angr/analyses/decompiler/peephole_optimizations/base.py +6 -6
- angr/analyses/decompiler/peephole_optimizations/remove_noop_conversions.py +2 -0
- angr/analyses/decompiler/peephole_optimizations/rewrite_bit_extractions.py +1 -1
- angr/analyses/decompiler/presets/__init__.py +1 -1
- angr/analyses/decompiler/region_simplifiers/expr_folding.py +3 -3
- angr/analyses/decompiler/region_simplifiers/switch_cluster_simplifier.py +8 -12
- angr/analyses/decompiler/ssailification/rewriting.py +1 -2
- angr/analyses/decompiler/ssailification/rewriting_engine.py +139 -56
- angr/analyses/decompiler/ssailification/ssailification.py +2 -1
- angr/analyses/decompiler/ssailification/traversal.py +4 -6
- angr/analyses/decompiler/ssailification/traversal_engine.py +125 -42
- angr/analyses/decompiler/structured_codegen/__init__.py +5 -5
- angr/analyses/decompiler/structured_codegen/base.py +3 -3
- angr/analyses/decompiler/structured_codegen/c.py +39 -40
- angr/analyses/decompiler/structuring/__init__.py +3 -3
- angr/analyses/decompiler/structuring/phoenix.py +45 -29
- angr/analyses/decompiler/structuring/structurer_base.py +2 -2
- angr/analyses/decompiler/structuring/structurer_nodes.py +23 -14
- angr/analyses/deobfuscator/__init__.py +3 -3
- angr/analyses/deobfuscator/irsb_reg_collector.py +29 -60
- angr/analyses/deobfuscator/string_obf_finder.py +2 -2
- angr/analyses/deobfuscator/string_obf_opt_passes.py +1 -1
- angr/analyses/disassembly.py +4 -4
- angr/analyses/forward_analysis/__init__.py +1 -1
- angr/analyses/forward_analysis/visitors/graph.py +6 -6
- angr/analyses/init_finder.py +47 -22
- angr/analyses/loop_analysis.py +1 -1
- angr/analyses/loopfinder.py +1 -1
- angr/analyses/propagator/engine_base.py +21 -14
- angr/analyses/propagator/engine_vex.py +149 -179
- angr/analyses/propagator/outdated_definition_walker.py +12 -6
- angr/analyses/propagator/propagator.py +10 -28
- angr/analyses/propagator/top_checker_mixin.py +211 -5
- angr/analyses/propagator/vex_vars.py +4 -4
- angr/analyses/reaching_definitions/__init__.py +9 -9
- angr/analyses/reaching_definitions/call_trace.py +2 -2
- angr/analyses/reaching_definitions/dep_graph.py +1 -1
- angr/analyses/reaching_definitions/engine_ail.py +304 -329
- angr/analyses/reaching_definitions/engine_vex.py +243 -229
- angr/analyses/reaching_definitions/function_handler.py +3 -3
- angr/analyses/reaching_definitions/function_handler_library/__init__.py +1 -1
- angr/analyses/reaching_definitions/rd_state.py +47 -42
- angr/analyses/reassembler.py +26 -31
- angr/analyses/s_liveness.py +8 -0
- angr/analyses/s_propagator.py +18 -3
- angr/analyses/s_reaching_definitions/s_rda_view.py +2 -5
- angr/analyses/s_reaching_definitions/s_reaching_definitions.py +9 -5
- angr/analyses/stack_pointer_tracker.py +4 -4
- angr/analyses/typehoon/simple_solver.py +14 -14
- angr/analyses/typehoon/translator.py +10 -2
- angr/analyses/typehoon/typeconsts.py +11 -3
- angr/analyses/typehoon/typevars.py +26 -26
- angr/analyses/unpacker/__init__.py +1 -1
- angr/analyses/variable_recovery/engine_ail.py +299 -259
- angr/analyses/variable_recovery/engine_base.py +138 -121
- angr/analyses/variable_recovery/engine_vex.py +175 -185
- angr/analyses/variable_recovery/irsb_scanner.py +49 -38
- angr/analyses/variable_recovery/variable_recovery.py +28 -5
- angr/analyses/variable_recovery/variable_recovery_base.py +33 -34
- angr/analyses/variable_recovery/variable_recovery_fast.py +4 -8
- angr/analyses/veritesting.py +2 -2
- angr/analyses/vfg.py +5 -5
- angr/analyses/xrefs.py +46 -19
- angr/angrdb/serializers/__init__.py +1 -1
- angr/annocfg.py +20 -15
- angr/blade.py +2 -2
- angr/block.py +20 -25
- angr/calling_conventions.py +12 -14
- angr/code_location.py +6 -10
- angr/codenode.py +3 -3
- angr/engines/__init__.py +12 -14
- angr/engines/engine.py +24 -61
- angr/engines/light/__init__.py +13 -5
- angr/engines/light/data.py +1 -1
- angr/engines/light/engine.py +1003 -1185
- angr/engines/pcode/__init__.py +1 -1
- angr/engines/pcode/behavior.py +1 -1
- angr/engines/pcode/cc.py +2 -0
- angr/engines/pcode/lifter.py +13 -15
- angr/engines/soot/expressions/__init__.py +12 -12
- angr/engines/soot/statements/__init__.py +6 -6
- angr/engines/soot/values/__init__.py +6 -6
- angr/engines/soot/values/arrayref.py +2 -2
- angr/engines/soot/values/constants.py +1 -1
- angr/engines/soot/values/instancefieldref.py +1 -1
- angr/engines/soot/values/paramref.py +1 -1
- angr/engines/soot/values/staticfieldref.py +1 -1
- angr/engines/successors.py +15 -14
- angr/engines/vex/__init__.py +5 -5
- angr/engines/vex/claripy/ccall.py +2 -2
- angr/engines/vex/claripy/datalayer.py +1 -1
- angr/engines/vex/claripy/irop.py +19 -19
- angr/engines/vex/heavy/__init__.py +2 -2
- angr/engines/vex/heavy/actions.py +1 -3
- angr/engines/vex/heavy/heavy.py +4 -6
- angr/engines/vex/lifter.py +2 -4
- angr/engines/vex/light/light.py +0 -2
- angr/engines/vex/light/slicing.py +5 -5
- angr/exploration_techniques/__init__.py +19 -142
- angr/exploration_techniques/base.py +126 -0
- angr/exploration_techniques/bucketizer.py +1 -1
- angr/exploration_techniques/dfs.py +3 -1
- angr/exploration_techniques/director.py +2 -3
- angr/exploration_techniques/driller_core.py +1 -1
- angr/exploration_techniques/explorer.py +4 -2
- angr/exploration_techniques/lengthlimiter.py +2 -1
- angr/exploration_techniques/local_loop_seer.py +2 -1
- angr/exploration_techniques/loop_seer.py +5 -5
- angr/exploration_techniques/manual_mergepoint.py +2 -1
- angr/exploration_techniques/memory_watcher.py +3 -1
- angr/exploration_techniques/oppologist.py +4 -5
- angr/exploration_techniques/slicecutor.py +4 -2
- angr/exploration_techniques/spiller.py +1 -1
- angr/exploration_techniques/stochastic.py +2 -1
- angr/exploration_techniques/stub_stasher.py +2 -1
- angr/exploration_techniques/suggestions.py +3 -1
- angr/exploration_techniques/symbion.py +3 -1
- angr/exploration_techniques/tech_builder.py +2 -1
- angr/exploration_techniques/threading.py +2 -11
- angr/exploration_techniques/timeout.py +4 -2
- angr/exploration_techniques/tracer.py +4 -3
- angr/exploration_techniques/unique.py +3 -2
- angr/exploration_techniques/veritesting.py +1 -1
- angr/factory.py +36 -6
- angr/keyed_region.py +4 -4
- angr/knowledge_base.py +1 -1
- angr/knowledge_plugins/__init__.py +11 -11
- angr/knowledge_plugins/cfg/__init__.py +5 -5
- angr/knowledge_plugins/cfg/cfg_manager.py +2 -2
- angr/knowledge_plugins/cfg/cfg_model.py +8 -8
- angr/knowledge_plugins/cfg/cfg_node.py +19 -19
- angr/knowledge_plugins/cfg/indirect_jump.py +6 -6
- angr/knowledge_plugins/cfg/memory_data.py +5 -7
- angr/knowledge_plugins/functions/function.py +48 -52
- angr/knowledge_plugins/functions/function_parser.py +4 -4
- angr/knowledge_plugins/key_definitions/__init__.py +3 -3
- angr/knowledge_plugins/key_definitions/atoms.py +8 -8
- angr/knowledge_plugins/key_definitions/definition.py +1 -1
- angr/knowledge_plugins/key_definitions/live_definitions.py +30 -27
- angr/knowledge_plugins/labels.py +1 -1
- angr/knowledge_plugins/propagations/__init__.py +1 -1
- angr/knowledge_plugins/propagations/prop_value.py +2 -2
- angr/knowledge_plugins/propagations/propagation_model.py +7 -8
- angr/knowledge_plugins/propagations/states.py +44 -39
- angr/knowledge_plugins/variables/variable_access.py +2 -2
- angr/knowledge_plugins/variables/variable_manager.py +24 -10
- angr/knowledge_plugins/xrefs/xref.py +5 -8
- angr/misc/__init__.py +4 -4
- angr/misc/hookset.py +4 -5
- angr/misc/loggers.py +2 -2
- angr/misc/telemetry.py +1 -1
- angr/procedures/__init__.py +1 -1
- angr/procedures/cgc/fdwait.py +2 -2
- angr/procedures/definitions/__init__.py +2 -2
- angr/procedures/definitions/linux_kernel.py +0 -1
- angr/procedures/definitions/parse_syscalls_from_local_system.py +1 -1
- angr/procedures/definitions/parse_win32json.py +0 -1
- angr/procedures/ntdll/exceptions.py +1 -1
- angr/procedures/stubs/format_parser.py +3 -3
- angr/procedures/win32/dynamic_loading.py +1 -1
- angr/protos/__init__.py +3 -3
- angr/sim_manager.py +3 -5
- angr/sim_state.py +40 -42
- angr/sim_state_options.py +3 -3
- angr/sim_type.py +15 -14
- angr/sim_variable.py +42 -45
- angr/simos/__init__.py +4 -4
- angr/simos/cgc.py +1 -1
- angr/simos/simos.py +1 -1
- angr/simos/userland.py +1 -1
- angr/slicer.py +4 -7
- angr/state_plugins/__init__.py +34 -34
- angr/state_plugins/callstack.py +5 -12
- angr/state_plugins/heap/__init__.py +2 -2
- angr/state_plugins/heap/heap_brk.py +2 -4
- angr/state_plugins/heap/heap_ptmalloc.py +1 -1
- angr/state_plugins/jni_references.py +3 -2
- angr/state_plugins/scratch.py +1 -1
- angr/state_plugins/sim_action.py +1 -4
- angr/state_plugins/sim_event.py +1 -1
- angr/state_plugins/solver.py +7 -9
- angr/state_plugins/uc_manager.py +1 -1
- angr/state_plugins/view.py +2 -2
- angr/storage/__init__.py +1 -1
- angr/storage/file.py +10 -10
- angr/storage/memory_mixins/__init__.py +46 -46
- angr/storage/memory_mixins/default_filler_mixin.py +1 -3
- angr/storage/memory_mixins/javavm_memory_mixin.py +2 -2
- angr/storage/memory_mixins/name_resolution_mixin.py +2 -2
- angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py +1 -3
- angr/storage/memory_mixins/paged_memory/pages/__init__.py +6 -6
- angr/storage/memory_mixins/paged_memory/pages/list_page.py +1 -1
- angr/storage/memory_mixins/paged_memory/pages/multi_values.py +1 -1
- angr/storage/memory_mixins/paged_memory/pages/mv_list_page.py +1 -1
- angr/storage/memory_mixins/paged_memory/pages/ultra_page.py +2 -4
- angr/storage/memory_mixins/regioned_memory/__init__.py +3 -3
- angr/storage/memory_mixins/regioned_memory/region_data.py +5 -5
- angr/storage/memory_mixins/regioned_memory/region_meta_mixin.py +7 -9
- angr/storage/memory_mixins/regioned_memory/regioned_memory_mixin.py +4 -4
- angr/storage/memory_object.py +4 -4
- angr/utils/__init__.py +3 -3
- angr/utils/bits.py +12 -0
- angr/utils/dynamic_dictlist.py +1 -1
- angr/utils/graph.py +1 -1
- angr/utils/orderedset.py +4 -1
- angr/utils/segment_list.py +2 -2
- angr/utils/ssa/__init__.py +33 -8
- {angr-9.2.131.dist-info → angr-9.2.133.dist-info}/METADATA +6 -6
- {angr-9.2.131.dist-info → angr-9.2.133.dist-info}/RECORD +262 -263
- angr/analyses/propagator/engine_ail.py +0 -1562
- angr/storage/memory_mixins/__init__.pyi +0 -48
- {angr-9.2.131.dist-info → angr-9.2.133.dist-info}/LICENSE +0 -0
- {angr-9.2.131.dist-info → angr-9.2.133.dist-info}/WHEEL +0 -0
- {angr-9.2.131.dist-info → angr-9.2.133.dist-info}/entry_points.txt +0 -0
- {angr-9.2.131.dist-info → angr-9.2.133.dist-info}/top_level.txt +0 -0
|
@@ -1,23 +1,22 @@
|
|
|
1
1
|
# pylint:disable=arguments-differ,invalid-unary-operand-type
|
|
2
2
|
from __future__ import annotations
|
|
3
|
-
from typing import TYPE_CHECKING
|
|
3
|
+
from typing import TYPE_CHECKING, cast
|
|
4
4
|
import logging
|
|
5
5
|
|
|
6
6
|
import ailment
|
|
7
7
|
import claripy
|
|
8
8
|
from unique_log_filter import UniqueLogFilter
|
|
9
9
|
|
|
10
|
+
from angr.engines.light.engine import SimEngineNostmtAIL
|
|
10
11
|
from angr.procedures import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
|
|
11
12
|
from angr.utils.constants import MAX_POINTSTO_BITS
|
|
12
|
-
from angr.calling_conventions import SimRegArg
|
|
13
13
|
from angr.sim_type import SimTypeFunction, dereference_simtype
|
|
14
|
-
from angr.engines.light import SimEngineLightAILMixin
|
|
15
14
|
from angr.analyses.typehoon import typeconsts, typevars
|
|
16
15
|
from angr.analyses.typehoon.lifter import TypeLifter
|
|
17
16
|
from .engine_base import SimEngineVRBase, RichR
|
|
18
17
|
|
|
19
18
|
if TYPE_CHECKING:
|
|
20
|
-
|
|
19
|
+
pass
|
|
21
20
|
|
|
22
21
|
|
|
23
22
|
l = logging.getLogger(name=__name__)
|
|
@@ -25,16 +24,13 @@ l.addFilter(UniqueLogFilter())
|
|
|
25
24
|
|
|
26
25
|
|
|
27
26
|
class SimEngineVRAIL(
|
|
28
|
-
|
|
29
|
-
SimEngineVRBase,
|
|
27
|
+
SimEngineNostmtAIL["VariableRecoveryFastState", RichR[claripy.ast.BV | claripy.ast.FP], None, None],
|
|
28
|
+
SimEngineVRBase["VariableRecoveryFastState", ailment.Block],
|
|
30
29
|
):
|
|
31
30
|
"""
|
|
32
31
|
The engine for variable recovery on AIL.
|
|
33
32
|
"""
|
|
34
33
|
|
|
35
|
-
state: VariableRecoveryFastState
|
|
36
|
-
block: ailment.Block
|
|
37
|
-
|
|
38
34
|
def __init__(self, *args, call_info=None, vvar_to_vvar: dict[int, int] | None, **kwargs):
|
|
39
35
|
super().__init__(*args, **kwargs)
|
|
40
36
|
|
|
@@ -47,9 +43,12 @@ class SimEngineVRAIL(
|
|
|
47
43
|
return self.vvar_to_vvar[vvar_id]
|
|
48
44
|
return None
|
|
49
45
|
|
|
46
|
+
def _process_block_end(self, block, stmt_data, whitelist):
|
|
47
|
+
pass
|
|
48
|
+
|
|
50
49
|
# Statement handlers
|
|
51
50
|
|
|
52
|
-
def
|
|
51
|
+
def _handle_stmt_Assignment(self, stmt):
|
|
53
52
|
dst_type = type(stmt.dst)
|
|
54
53
|
|
|
55
54
|
if dst_type is ailment.Expr.Register:
|
|
@@ -91,19 +90,89 @@ class SimEngineVRAIL(
|
|
|
91
90
|
else:
|
|
92
91
|
l.warning("Unsupported dst type %s.", dst_type)
|
|
93
92
|
|
|
94
|
-
def
|
|
95
|
-
addr_r = self.
|
|
93
|
+
def _handle_stmt_Store(self, stmt: ailment.Stmt.Store):
|
|
94
|
+
addr_r = self._expr_bv(stmt.addr)
|
|
96
95
|
data = self._expr(stmt.data)
|
|
97
96
|
size = stmt.size
|
|
98
97
|
self._store(addr_r, data, size, stmt=stmt)
|
|
99
98
|
|
|
100
|
-
def
|
|
99
|
+
def _handle_stmt_Jump(self, stmt):
|
|
101
100
|
pass
|
|
102
101
|
|
|
103
|
-
def
|
|
102
|
+
def _handle_stmt_ConditionalJump(self, stmt):
|
|
104
103
|
self._expr(stmt.condition)
|
|
105
104
|
|
|
106
|
-
def
|
|
105
|
+
def _handle_expr_Tmp(self, expr):
|
|
106
|
+
try:
|
|
107
|
+
return self.tmps[expr.tmp_idx]
|
|
108
|
+
except KeyError:
|
|
109
|
+
return self._top(expr.bits)
|
|
110
|
+
|
|
111
|
+
def _handle_expr_MultiStatementExpression(self, expr):
|
|
112
|
+
for stmt in expr.statements:
|
|
113
|
+
self._stmt(stmt)
|
|
114
|
+
return self._expr(expr.expr)
|
|
115
|
+
|
|
116
|
+
def _handle_expr_Call(self, expr):
|
|
117
|
+
target = expr.target
|
|
118
|
+
args = []
|
|
119
|
+
if expr.args:
|
|
120
|
+
for arg in expr.args:
|
|
121
|
+
self._reference_spoffset = True
|
|
122
|
+
richr = self._expr(arg)
|
|
123
|
+
self._reference_spoffset = False
|
|
124
|
+
args.append(richr)
|
|
125
|
+
|
|
126
|
+
ret_expr_bits = expr.bits
|
|
127
|
+
|
|
128
|
+
if isinstance(target, ailment.Expr.Expression) and not isinstance(
|
|
129
|
+
target, (ailment.Expr.Const, ailment.Expr.DirtyExpression)
|
|
130
|
+
):
|
|
131
|
+
# this is a dynamically calculated call target
|
|
132
|
+
target_expr = self._expr(target)
|
|
133
|
+
funcaddr_typevar = target_expr.typevar
|
|
134
|
+
assert funcaddr_typevar is not None
|
|
135
|
+
load_typevar = self._create_access_typevar(funcaddr_typevar, False, self.arch.bytes, 0)
|
|
136
|
+
self.state.add_type_constraint(typevars.Subtype(funcaddr_typevar, load_typevar))
|
|
137
|
+
|
|
138
|
+
# discover the prototype
|
|
139
|
+
prototype: SimTypeFunction | None = None
|
|
140
|
+
prototype_libname: str | None = None
|
|
141
|
+
if expr.prototype is not None:
|
|
142
|
+
prototype = expr.prototype
|
|
143
|
+
if isinstance(expr.target, ailment.Expr.Const):
|
|
144
|
+
func_addr = expr.target.value
|
|
145
|
+
if isinstance(func_addr, self.kb.functions.address_types) and func_addr in self.kb.functions:
|
|
146
|
+
func = self.kb.functions[func_addr]
|
|
147
|
+
if prototype is None:
|
|
148
|
+
prototype = func.prototype
|
|
149
|
+
prototype_libname = func.prototype_libname
|
|
150
|
+
|
|
151
|
+
# dump the type of the return value
|
|
152
|
+
ret_ty = typevars.TypeVariable() if prototype is not None else typevars.TypeVariable()
|
|
153
|
+
if isinstance(ret_ty, typeconsts.BottomType):
|
|
154
|
+
ret_ty = typevars.TypeVariable()
|
|
155
|
+
|
|
156
|
+
if prototype is not None and args:
|
|
157
|
+
# add type constraints
|
|
158
|
+
|
|
159
|
+
type_collections = []
|
|
160
|
+
if prototype_libname is not None:
|
|
161
|
+
prototype_lib = SIM_LIBRARIES[prototype_libname]
|
|
162
|
+
if prototype_lib.type_collection_names:
|
|
163
|
+
for typelib_name in prototype_lib.type_collection_names:
|
|
164
|
+
type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
|
|
165
|
+
|
|
166
|
+
for arg, arg_type in zip(args, prototype.args):
|
|
167
|
+
if arg.typevar is not None:
|
|
168
|
+
arg_type = dereference_simtype(arg_type, type_collections).with_arch(arg_type._arch)
|
|
169
|
+
arg_ty = TypeLifter(self.arch.bits).lift(arg_type)
|
|
170
|
+
type_constraint = typevars.Subtype(arg.typevar, arg_ty)
|
|
171
|
+
self.state.add_type_constraint(type_constraint)
|
|
172
|
+
|
|
173
|
+
return RichR(self.state.top(ret_expr_bits), typevar=ret_ty)
|
|
174
|
+
|
|
175
|
+
def _handle_stmt_Call(self, stmt):
|
|
107
176
|
target = stmt.target
|
|
108
177
|
args = []
|
|
109
178
|
if stmt.args:
|
|
@@ -113,38 +182,26 @@ class SimEngineVRAIL(
|
|
|
113
182
|
self._reference_spoffset = False
|
|
114
183
|
args.append(richr)
|
|
115
184
|
|
|
116
|
-
ret_expr = None
|
|
117
185
|
ret_expr_bits = self.state.arch.bits
|
|
118
|
-
ret_val = None # stores the value that this method should return to its caller when this is a call expression.
|
|
119
186
|
create_variable = True
|
|
120
|
-
if not is_expr:
|
|
121
|
-
# this is a call statement. we need to update the return value register later
|
|
122
|
-
ret_expr: ailment.Expr.VirtualVariable | None = stmt.ret_expr
|
|
123
|
-
if ret_expr is not None:
|
|
124
|
-
if ret_expr.category == ailment.Expr.VirtualVariableCategory.REGISTER:
|
|
125
|
-
ret_expr_bits = ret_expr.bits
|
|
126
|
-
else:
|
|
127
|
-
# the return expression is not used, so we treat this call as not returning anything
|
|
128
|
-
if stmt.calling_convention is not None:
|
|
129
|
-
# we only set the ret_expr if prototype must be guessed. otherwise ret_expr should just be None
|
|
130
|
-
if stmt.prototype is None:
|
|
131
|
-
ret_expr: SimRegArg = stmt.calling_convention.RETURN_VAL
|
|
132
|
-
else:
|
|
133
|
-
l.debug(
|
|
134
|
-
"Unknown calling convention for function %s. Fall back to default calling convention.", target
|
|
135
|
-
)
|
|
136
|
-
ret_expr: SimRegArg = self.project.factory.cc().RETURN_VAL
|
|
137
187
|
|
|
138
|
-
|
|
188
|
+
# this is a call statement. we need to update the return value register later
|
|
189
|
+
ret_expr = stmt.ret_expr
|
|
190
|
+
if ret_expr is not None:
|
|
191
|
+
if ret_expr.category == ailment.Expr.VirtualVariableCategory.REGISTER:
|
|
192
|
+
ret_expr_bits = ret_expr.bits
|
|
139
193
|
else:
|
|
140
|
-
#
|
|
141
|
-
|
|
194
|
+
# the return expression is not used, so we treat this call as not returning anything
|
|
195
|
+
create_variable = False
|
|
142
196
|
|
|
143
|
-
if isinstance(target, ailment.Expr.Expression) and not isinstance(
|
|
197
|
+
if isinstance(target, ailment.Expr.Expression) and not isinstance(
|
|
198
|
+
target, (ailment.Expr.Const, ailment.Expr.DirtyExpression)
|
|
199
|
+
):
|
|
144
200
|
# this is a dynamically calculated call target
|
|
145
201
|
target_expr = self._expr(target)
|
|
146
202
|
funcaddr_typevar = target_expr.typevar
|
|
147
|
-
|
|
203
|
+
assert funcaddr_typevar is not None
|
|
204
|
+
load_typevar = self._create_access_typevar(funcaddr_typevar, False, self.arch.bytes, 0)
|
|
148
205
|
self.state.add_type_constraint(typevars.Subtype(funcaddr_typevar, load_typevar))
|
|
149
206
|
|
|
150
207
|
# discover the prototype
|
|
@@ -168,30 +225,26 @@ class SimEngineVRAIL(
|
|
|
168
225
|
# TODO: Expose it as an option
|
|
169
226
|
return_value_use_full_width_reg = True
|
|
170
227
|
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
expr_bits
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
expr_bits // self.arch.byte_width,
|
|
192
|
-
dst=ret_expr,
|
|
193
|
-
create_variable=create_variable,
|
|
194
|
-
)
|
|
228
|
+
# update the return value register
|
|
229
|
+
if isinstance(ret_expr, ailment.Expr.VirtualVariable):
|
|
230
|
+
expr_bits = ret_expr_bits
|
|
231
|
+
self._assign_to_vvar(
|
|
232
|
+
ret_expr,
|
|
233
|
+
RichR(self.state.top(expr_bits), typevar=ret_ty),
|
|
234
|
+
dst=ret_expr,
|
|
235
|
+
create_variable=create_variable,
|
|
236
|
+
vvar_id=self._mapped_vvarid(ret_expr.varid),
|
|
237
|
+
)
|
|
238
|
+
elif isinstance(ret_expr, ailment.Expr.Register):
|
|
239
|
+
l.warning("Left-over register found in call.ret_expr.")
|
|
240
|
+
expr_bits = self.state.arch.bits if return_value_use_full_width_reg else ret_expr_bits
|
|
241
|
+
self._assign_to_register(
|
|
242
|
+
ret_expr.reg_offset,
|
|
243
|
+
RichR(self.state.top(expr_bits), typevar=ret_ty),
|
|
244
|
+
expr_bits // self.arch.byte_width,
|
|
245
|
+
dst=ret_expr,
|
|
246
|
+
create_variable=create_variable,
|
|
247
|
+
)
|
|
195
248
|
|
|
196
249
|
if prototype is not None and args:
|
|
197
250
|
# add type constraints
|
|
@@ -210,20 +263,12 @@ class SimEngineVRAIL(
|
|
|
210
263
|
type_constraint = typevars.Subtype(arg.typevar, arg_ty)
|
|
211
264
|
self.state.add_type_constraint(type_constraint)
|
|
212
265
|
|
|
213
|
-
|
|
214
|
-
# call expression mode: return the actual return value
|
|
215
|
-
return ret_val
|
|
216
|
-
return None
|
|
217
|
-
|
|
218
|
-
def _ail_handle_CallExpr(self, expr: ailment.Stmt.Call) -> RichR:
|
|
219
|
-
return self._ail_handle_Call(expr, is_expr=True)
|
|
220
|
-
|
|
221
|
-
def _ail_handle_Return(self, stmt: ailment.Stmt.Return):
|
|
266
|
+
def _handle_stmt_Return(self, stmt):
|
|
222
267
|
if stmt.ret_exprs:
|
|
223
268
|
for ret_expr in stmt.ret_exprs:
|
|
224
269
|
self._expr(ret_expr)
|
|
225
270
|
|
|
226
|
-
def
|
|
271
|
+
def _handle_expr_DirtyExpression(self, expr: ailment.Expr.DirtyExpression) -> RichR:
|
|
227
272
|
for op in expr.operands:
|
|
228
273
|
self._expr(op)
|
|
229
274
|
if expr.guard:
|
|
@@ -232,45 +277,47 @@ class SimEngineVRAIL(
|
|
|
232
277
|
self._expr(expr.maddr)
|
|
233
278
|
return RichR(self.state.top(expr.bits))
|
|
234
279
|
|
|
235
|
-
def
|
|
280
|
+
def _handle_expr_VEXCCallExpression(self, expr: ailment.Expr.VEXCCallExpression) -> RichR:
|
|
236
281
|
for op in expr.operands:
|
|
237
282
|
self._expr(op)
|
|
238
283
|
return RichR(self.state.top(expr.bits))
|
|
239
284
|
|
|
240
285
|
# Expression handlers
|
|
241
286
|
|
|
242
|
-
def
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
287
|
+
def _expr_bv(self, expr: ailment.expression.Expression) -> RichR[claripy.ast.BV]:
|
|
288
|
+
result = self._expr(expr)
|
|
289
|
+
assert isinstance(result.data, claripy.ast.BV)
|
|
290
|
+
return cast(RichR[claripy.ast.BV], result)
|
|
291
|
+
|
|
292
|
+
def _expr_fp(self, expr: ailment.expression.Expression) -> RichR[claripy.ast.FP]:
|
|
293
|
+
result = self._expr(expr)
|
|
294
|
+
assert isinstance(result.data, claripy.ast.FP)
|
|
295
|
+
return cast(RichR[claripy.ast.FP], result)
|
|
296
|
+
|
|
297
|
+
def _expr_pair(
|
|
298
|
+
self, expr1: ailment.expression.Expression, expr2: ailment.expression.Expression
|
|
299
|
+
) -> tuple[RichR[claripy.ast.BV], RichR[claripy.ast.BV]] | tuple[RichR[claripy.ast.FP], RichR[claripy.ast.FP]]:
|
|
300
|
+
result1 = self._expr(expr1)
|
|
301
|
+
result2 = self._expr(expr2)
|
|
302
|
+
assert type(result1.data) is type(result2.data)
|
|
303
|
+
return result1, result2 # type: ignore
|
|
304
|
+
|
|
305
|
+
def _handle_expr_Register(self, expr):
|
|
259
306
|
offset = expr.reg_offset
|
|
260
307
|
size = expr.bits // 8
|
|
261
308
|
|
|
262
309
|
return self._read_from_register(offset, size, expr=expr)
|
|
263
310
|
|
|
264
|
-
def
|
|
265
|
-
addr_r = self.
|
|
311
|
+
def _handle_expr_Load(self, expr):
|
|
312
|
+
addr_r = self._expr_bv(expr.addr)
|
|
266
313
|
size = expr.size
|
|
267
314
|
|
|
268
315
|
return self._load(addr_r, size, expr=expr)
|
|
269
316
|
|
|
270
|
-
def
|
|
317
|
+
def _handle_expr_VirtualVariable(self, expr: ailment.Expr.VirtualVariable):
|
|
271
318
|
return self._read_from_vvar(expr, expr=expr, vvar_id=self._mapped_vvarid(expr.varid))
|
|
272
319
|
|
|
273
|
-
def
|
|
320
|
+
def _handle_expr_Phi(self, expr: ailment.Expr.Phi):
|
|
274
321
|
tvs = set()
|
|
275
322
|
for _, vvar in expr.src_and_vvars:
|
|
276
323
|
if vvar is not None:
|
|
@@ -283,9 +330,9 @@ class SimEngineVRAIL(
|
|
|
283
330
|
self.state.add_type_constraint(typevars.Subtype(tv, tv_))
|
|
284
331
|
return RichR(self.state.top(expr.bits), typevar=tv)
|
|
285
332
|
|
|
286
|
-
def
|
|
333
|
+
def _handle_expr_Const(self, expr: ailment.Expr.Const):
|
|
287
334
|
if isinstance(expr.value, float):
|
|
288
|
-
v = claripy.FPV(expr.value, claripy.FSORT_DOUBLE if expr.bits == 64 else claripy.FSORT_FLOAT)
|
|
335
|
+
v = claripy.FPV(expr.value, claripy.FSORT_DOUBLE if expr.bits == 64 else claripy.FSORT_FLOAT).to_bv()
|
|
289
336
|
ty = typeconsts.float_type(expr.bits)
|
|
290
337
|
else:
|
|
291
338
|
if self.project.loader.find_segment_containing(expr.value) is not None:
|
|
@@ -299,7 +346,7 @@ class SimEngineVRAIL(
|
|
|
299
346
|
else typeconsts.Pointer32(typeconsts.TopType())
|
|
300
347
|
)
|
|
301
348
|
else:
|
|
302
|
-
ty = typeconsts.int_type(expr.
|
|
349
|
+
ty = typeconsts.int_type(expr.bits)
|
|
303
350
|
v = claripy.BVV(expr.value, expr.bits)
|
|
304
351
|
r = RichR(v, typevar=ty)
|
|
305
352
|
codeloc = self._codeloc()
|
|
@@ -307,17 +354,7 @@ class SimEngineVRAIL(
|
|
|
307
354
|
self._reference(r, codeloc)
|
|
308
355
|
return r
|
|
309
356
|
|
|
310
|
-
def
|
|
311
|
-
r = super()._ail_handle_BinaryOp(expr)
|
|
312
|
-
if r is None:
|
|
313
|
-
# Treat it as a normal binaryop expression
|
|
314
|
-
self._expr(expr.operands[0])
|
|
315
|
-
self._expr(expr.operands[1])
|
|
316
|
-
# still return a RichR instance
|
|
317
|
-
r = RichR(self.state.top(expr.bits))
|
|
318
|
-
return r
|
|
319
|
-
|
|
320
|
-
def _ail_handle_Convert(self, expr: ailment.Expr.Convert):
|
|
357
|
+
def _handle_expr_Convert(self, expr: ailment.Expr.Convert):
|
|
321
358
|
r = self._expr(expr.operand)
|
|
322
359
|
typevar = None
|
|
323
360
|
if r.typevar is not None:
|
|
@@ -333,7 +370,7 @@ class SimEngineVRAIL(
|
|
|
333
370
|
|
|
334
371
|
return RichR(self.state.top(expr.to_bits), typevar=typevar)
|
|
335
372
|
|
|
336
|
-
def
|
|
373
|
+
def _handle_expr_Reinterpret(self, expr: ailment.Expr.Reinterpret):
|
|
337
374
|
r = self._expr(expr.operand)
|
|
338
375
|
typevar = None
|
|
339
376
|
if r.typevar is not None:
|
|
@@ -349,7 +386,7 @@ class SimEngineVRAIL(
|
|
|
349
386
|
|
|
350
387
|
return RichR(self.state.top(expr.to_bits), typevar=typevar)
|
|
351
388
|
|
|
352
|
-
def
|
|
389
|
+
def _handle_expr_StackBaseOffset(self, expr: ailment.Expr.StackBaseOffset):
|
|
353
390
|
ref_typevar = self.state.stack_offset_typevars.get(expr.offset, None)
|
|
354
391
|
|
|
355
392
|
if ref_typevar is None:
|
|
@@ -374,37 +411,21 @@ class SimEngineVRAIL(
|
|
|
374
411
|
|
|
375
412
|
return richr
|
|
376
413
|
|
|
377
|
-
def
|
|
414
|
+
def _handle_expr_BasePointerOffset(self, expr):
|
|
415
|
+
# TODO
|
|
416
|
+
return self._top(expr.bits)
|
|
417
|
+
|
|
418
|
+
def _handle_expr_ITE(self, expr: ailment.Expr.ITE):
|
|
378
419
|
self._expr(expr.cond) # cond
|
|
379
420
|
self._expr(expr.iftrue) # r0
|
|
380
421
|
self._expr(expr.iffalse) # r1
|
|
381
422
|
|
|
382
423
|
return RichR(self.state.top(expr.bits))
|
|
383
424
|
|
|
384
|
-
def
|
|
385
|
-
self._expr(expr.operands[0])
|
|
386
|
-
self._expr(expr.operands[1])
|
|
387
|
-
return RichR(self.state.top(expr.bits))
|
|
388
|
-
|
|
389
|
-
_ail_handle_CmpF = _ail_handle_Cmp
|
|
390
|
-
_ail_handle_CmpEQ = _ail_handle_Cmp
|
|
391
|
-
_ail_handle_CmpNE = _ail_handle_Cmp
|
|
392
|
-
_ail_handle_CmpLT = _ail_handle_Cmp
|
|
393
|
-
_ail_handle_CmpLE = _ail_handle_Cmp
|
|
394
|
-
_ail_handle_CmpGT = _ail_handle_Cmp
|
|
395
|
-
_ail_handle_CmpGE = _ail_handle_Cmp
|
|
396
|
-
_ail_handle_CasCmpEQ = _ail_handle_Cmp
|
|
397
|
-
_ail_handle_CasCmpNE = _ail_handle_Cmp
|
|
398
|
-
_ail_handle_CasCmpLT = _ail_handle_Cmp
|
|
399
|
-
_ail_handle_CasCmpLE = _ail_handle_Cmp
|
|
400
|
-
_ail_handle_CasCmpGT = _ail_handle_Cmp
|
|
401
|
-
_ail_handle_CasCmpGE = _ail_handle_Cmp
|
|
402
|
-
|
|
403
|
-
def _ail_handle_Add(self, expr):
|
|
425
|
+
def _handle_binop_Add(self, expr):
|
|
404
426
|
arg0, arg1 = expr.operands
|
|
405
|
-
|
|
406
|
-
|
|
407
|
-
r1 = self._expr(arg1)
|
|
427
|
+
r0, r1 = self._expr_pair(arg0, arg1)
|
|
428
|
+
compute = r0.data + r1.data # type: ignore
|
|
408
429
|
|
|
409
430
|
type_constraints = set()
|
|
410
431
|
# create a new type variable and add constraints accordingly
|
|
@@ -419,21 +440,12 @@ class SimEngineVRAIL(
|
|
|
419
440
|
else:
|
|
420
441
|
typevar = None
|
|
421
442
|
|
|
422
|
-
|
|
423
|
-
if r0.data is not None and r1.data is not None:
|
|
424
|
-
sum_ = r0.data + r1.data
|
|
425
|
-
|
|
426
|
-
return RichR(
|
|
427
|
-
sum_,
|
|
428
|
-
typevar=typevar,
|
|
429
|
-
type_constraints=type_constraints,
|
|
430
|
-
)
|
|
443
|
+
return RichR(compute, typevar=typevar, type_constraints=type_constraints)
|
|
431
444
|
|
|
432
|
-
def
|
|
445
|
+
def _handle_binop_Sub(self, expr):
|
|
433
446
|
arg0, arg1 = expr.operands
|
|
434
|
-
|
|
435
|
-
|
|
436
|
-
r1 = self._expr(arg1)
|
|
447
|
+
r0, r1 = self._expr_pair(arg0, arg1)
|
|
448
|
+
compute = r0.data - r1.data # type: ignore
|
|
437
449
|
|
|
438
450
|
type_constraints = set()
|
|
439
451
|
if r0.typevar is not None and r1.data.concrete:
|
|
@@ -443,39 +455,34 @@ class SimEngineVRAIL(
|
|
|
443
455
|
if r0.typevar is not None and r1.typevar is not None:
|
|
444
456
|
type_constraints.add(typevars.Sub(r0.typevar, r1.typevar, typevar))
|
|
445
457
|
|
|
446
|
-
sub = None
|
|
447
|
-
if r0.data is not None and r1.data is not None:
|
|
448
|
-
sub = r0.data - r1.data
|
|
449
|
-
|
|
450
458
|
return RichR(
|
|
451
|
-
|
|
459
|
+
compute,
|
|
452
460
|
typevar=typevar,
|
|
453
461
|
type_constraints=type_constraints,
|
|
454
462
|
)
|
|
455
463
|
|
|
456
|
-
def
|
|
464
|
+
def _handle_binop_Mul(self, expr):
|
|
457
465
|
arg0, arg1 = expr.operands
|
|
458
|
-
|
|
459
|
-
r0 = self._expr(arg0)
|
|
460
|
-
r1 = self._expr(arg1)
|
|
466
|
+
r0, r1 = self._expr_pair(arg0, arg1)
|
|
461
467
|
|
|
462
468
|
result_size = arg0.bits
|
|
463
|
-
if r0.data.concrete
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
|
|
467
|
-
|
|
468
|
-
tv = typeconsts.int_type(result_size)
|
|
469
|
-
else:
|
|
470
|
-
v = self.state.top(expr.bits)
|
|
471
|
-
tv = typeconsts.int_type(result_size)
|
|
472
|
-
return RichR(v, typevar=tv, type_constraints=None)
|
|
469
|
+
if r0.data.concrete or r1.data.concrete:
|
|
470
|
+
# constants
|
|
471
|
+
result_size = arg0.bits
|
|
472
|
+
compute = r0.data * r1.data # type: ignore
|
|
473
|
+
return RichR(compute, typevar=typeconsts.int_type(result_size), type_constraints=None)
|
|
473
474
|
|
|
474
|
-
|
|
475
|
+
r = self.state.top(expr.bits)
|
|
476
|
+
return RichR(
|
|
477
|
+
r,
|
|
478
|
+
typevar=r0.typevar,
|
|
479
|
+
)
|
|
480
|
+
|
|
481
|
+
def _handle_binop_Mull(self, expr):
|
|
475
482
|
arg0, arg1 = expr.operands
|
|
476
483
|
|
|
477
|
-
r0 = self.
|
|
478
|
-
r1 = self.
|
|
484
|
+
r0 = self._expr_bv(arg0)
|
|
485
|
+
r1 = self._expr_bv(arg1)
|
|
479
486
|
|
|
480
487
|
if r0.data.concrete and r1.data.concrete:
|
|
481
488
|
# constants
|
|
@@ -498,11 +505,11 @@ class SimEngineVRAIL(
|
|
|
498
505
|
typevar=r0.typevar, # FIXME: the size is probably changed
|
|
499
506
|
)
|
|
500
507
|
|
|
501
|
-
def
|
|
508
|
+
def _handle_binop_Div(self, expr):
|
|
502
509
|
arg0, arg1 = expr.operands
|
|
503
510
|
|
|
504
|
-
r0 = self.
|
|
505
|
-
r1 = self.
|
|
511
|
+
r0 = self._expr_bv(arg0)
|
|
512
|
+
r1 = self._expr_bv(arg1)
|
|
506
513
|
from_size = expr.bits
|
|
507
514
|
to_size = r1.bits
|
|
508
515
|
|
|
@@ -521,66 +528,37 @@ class SimEngineVRAIL(
|
|
|
521
528
|
# | typevar=r0.typevar, # FIXME: Handle typevars for Div
|
|
522
529
|
)
|
|
523
530
|
|
|
524
|
-
def
|
|
525
|
-
arg0, arg1 = expr.operands
|
|
526
|
-
|
|
527
|
-
r0 = self._expr(arg0)
|
|
528
|
-
r1 = self._expr(arg1)
|
|
529
|
-
from_size = expr.from_bits
|
|
530
|
-
to_size = expr.to_bits
|
|
531
|
-
|
|
532
|
-
if (r1.data == 0).is_true():
|
|
533
|
-
r = self.state.top(to_size * 2)
|
|
534
|
-
elif expr.signed:
|
|
535
|
-
quotient = r0.data.SDiv(claripy.SignExt(from_size - to_size, r1.data))
|
|
536
|
-
remainder = r0.data.SMod(claripy.SignExt(from_size - to_size, r1.data))
|
|
537
|
-
quotient_size = to_size
|
|
538
|
-
remainder_size = to_size
|
|
539
|
-
r = claripy.Concat(
|
|
540
|
-
claripy.Extract(remainder_size - 1, 0, remainder), claripy.Extract(quotient_size - 1, 0, quotient)
|
|
541
|
-
)
|
|
542
|
-
else:
|
|
543
|
-
quotient = r0.data // claripy.ZeroExt(from_size - to_size, r1.data)
|
|
544
|
-
remainder = r0.data % claripy.ZeroExt(from_size - to_size, r1.data)
|
|
545
|
-
quotient_size = to_size
|
|
546
|
-
remainder_size = to_size
|
|
547
|
-
r = claripy.Concat(
|
|
548
|
-
claripy.Extract(remainder_size - 1, 0, remainder), claripy.Extract(quotient_size - 1, 0, quotient)
|
|
549
|
-
)
|
|
550
|
-
|
|
551
|
-
return RichR(
|
|
552
|
-
r,
|
|
553
|
-
# | typevar=r0.typevar, # FIXME: Handle typevars for DivMod
|
|
554
|
-
)
|
|
555
|
-
|
|
556
|
-
def _ail_handle_Mod(self, expr):
|
|
531
|
+
def _handle_binop_Mod(self, expr):
|
|
557
532
|
arg0, arg1 = expr.operands
|
|
558
533
|
|
|
559
|
-
r0 = self.
|
|
560
|
-
r1 = self.
|
|
561
|
-
|
|
562
|
-
to_size = r1.bits
|
|
534
|
+
r0 = self._expr_bv(arg0)
|
|
535
|
+
r1 = self._expr_bv(arg1)
|
|
536
|
+
result_size = expr.bits
|
|
563
537
|
|
|
564
538
|
if expr.floating_point:
|
|
565
|
-
remainder = self.state.top(
|
|
539
|
+
remainder = self.state.top(result_size)
|
|
566
540
|
else:
|
|
567
541
|
if (r1.data == 0).is_true():
|
|
568
|
-
remainder = self.state.top(
|
|
542
|
+
remainder = self.state.top(result_size)
|
|
569
543
|
elif expr.signed:
|
|
570
|
-
remainder = r0.data.SMod(
|
|
544
|
+
remainder = r0.data.SMod(r1.data)
|
|
571
545
|
else:
|
|
572
|
-
remainder = r0.data %
|
|
546
|
+
remainder = r0.data % r1.data
|
|
547
|
+
|
|
548
|
+
# truncation if necessary
|
|
549
|
+
if remainder.size() > result_size:
|
|
550
|
+
remainder = claripy.Extract(result_size - 1, 0, remainder)
|
|
573
551
|
|
|
574
552
|
return RichR(
|
|
575
553
|
remainder,
|
|
576
554
|
# | typevar=r0.typevar, # FIXME: Handle typevars for Mod
|
|
577
555
|
)
|
|
578
556
|
|
|
579
|
-
def
|
|
557
|
+
def _handle_binop_Xor(self, expr):
|
|
580
558
|
arg0, arg1 = expr.operands
|
|
581
559
|
|
|
582
|
-
r0 = self.
|
|
583
|
-
r1 = self.
|
|
560
|
+
r0 = self._expr_bv(arg0)
|
|
561
|
+
r1 = self._expr_bv(arg1)
|
|
584
562
|
|
|
585
563
|
if r0.data.concrete and r1.data.concrete:
|
|
586
564
|
# constants
|
|
@@ -593,11 +571,11 @@ class SimEngineVRAIL(
|
|
|
593
571
|
typevar=r0.typevar,
|
|
594
572
|
)
|
|
595
573
|
|
|
596
|
-
def
|
|
574
|
+
def _handle_binop_Shl(self, expr):
|
|
597
575
|
arg0, arg1 = expr.operands
|
|
598
576
|
|
|
599
|
-
r0 = self.
|
|
600
|
-
r1 = self.
|
|
577
|
+
r0 = self._expr_bv(arg0)
|
|
578
|
+
r1 = self._expr_bv(arg1)
|
|
601
579
|
result_size = arg0.bits
|
|
602
580
|
|
|
603
581
|
if not r1.data.concrete:
|
|
@@ -611,11 +589,11 @@ class SimEngineVRAIL(
|
|
|
611
589
|
shiftamount = r1.data.concrete_value
|
|
612
590
|
return RichR(r0.data << shiftamount, typevar=typeconsts.int_type(result_size), type_constraints=None)
|
|
613
591
|
|
|
614
|
-
def
|
|
592
|
+
def _handle_binop_Shr(self, expr):
|
|
615
593
|
arg0, arg1 = expr.operands
|
|
616
594
|
|
|
617
|
-
r0 = self.
|
|
618
|
-
r1 = self.
|
|
595
|
+
r0 = self._expr_bv(arg0)
|
|
596
|
+
r1 = self._expr_bv(arg1)
|
|
619
597
|
result_size = arg0.bits
|
|
620
598
|
|
|
621
599
|
if not r1.data.concrete:
|
|
@@ -632,11 +610,11 @@ class SimEngineVRAIL(
|
|
|
632
610
|
claripy.LShR(r0.data, shiftamount), typevar=typeconsts.int_type(result_size), type_constraints=None
|
|
633
611
|
)
|
|
634
612
|
|
|
635
|
-
def
|
|
613
|
+
def _handle_binop_Sal(self, expr):
|
|
636
614
|
arg0, arg1 = expr.operands
|
|
637
615
|
|
|
638
|
-
r0 = self.
|
|
639
|
-
r1 = self.
|
|
616
|
+
r0 = self._expr_bv(arg0)
|
|
617
|
+
r1 = self._expr_bv(arg1)
|
|
640
618
|
result_size = arg0.bits
|
|
641
619
|
|
|
642
620
|
if not r1.data.concrete:
|
|
@@ -651,11 +629,11 @@ class SimEngineVRAIL(
|
|
|
651
629
|
|
|
652
630
|
return RichR(r0.data << shiftamount, typevar=typeconsts.int_type(result_size), type_constraints=None)
|
|
653
631
|
|
|
654
|
-
def
|
|
632
|
+
def _handle_binop_Sar(self, expr):
|
|
655
633
|
arg0, arg1 = expr.operands
|
|
656
634
|
|
|
657
|
-
r0 = self.
|
|
658
|
-
r1 = self.
|
|
635
|
+
r0 = self._expr_bv(arg0)
|
|
636
|
+
r1 = self._expr_bv(arg1)
|
|
659
637
|
result_size = arg0.bits
|
|
660
638
|
|
|
661
639
|
if not r1.data.concrete:
|
|
@@ -670,11 +648,11 @@ class SimEngineVRAIL(
|
|
|
670
648
|
|
|
671
649
|
return RichR(r0.data >> shiftamount, typevar=typeconsts.int_type(result_size), type_constraints=None)
|
|
672
650
|
|
|
673
|
-
def
|
|
651
|
+
def _handle_binop_And(self, expr):
|
|
674
652
|
arg0, arg1 = expr.operands
|
|
675
653
|
|
|
676
|
-
r0 = self.
|
|
677
|
-
r1 = self.
|
|
654
|
+
r0 = self._expr_bv(arg0)
|
|
655
|
+
r1 = self._expr_bv(arg1)
|
|
678
656
|
|
|
679
657
|
result_size = arg0.bits
|
|
680
658
|
if r0.data.concrete and r1.data.concrete:
|
|
@@ -687,11 +665,11 @@ class SimEngineVRAIL(
|
|
|
687
665
|
r = self.state.top(expr.bits)
|
|
688
666
|
return RichR(r, typevar=typeconsts.int_type(result_size))
|
|
689
667
|
|
|
690
|
-
def
|
|
668
|
+
def _handle_binop_Or(self, expr):
|
|
691
669
|
arg0, arg1 = expr.operands
|
|
692
670
|
|
|
693
|
-
r0 = self.
|
|
694
|
-
r1 = self.
|
|
671
|
+
r0 = self._expr_bv(arg0)
|
|
672
|
+
r1 = self._expr_bv(arg1)
|
|
695
673
|
|
|
696
674
|
result_size = arg0.bits
|
|
697
675
|
if r0.data.concrete and r1.data.concrete:
|
|
@@ -704,62 +682,111 @@ class SimEngineVRAIL(
|
|
|
704
682
|
r = self.state.top(expr.bits)
|
|
705
683
|
return RichR(r, typevar=typeconsts.int_type(result_size))
|
|
706
684
|
|
|
707
|
-
def
|
|
685
|
+
def _handle_binop_LogicalAnd(self, expr):
|
|
708
686
|
arg0, arg1 = expr.operands
|
|
709
687
|
|
|
710
|
-
r0 = self.
|
|
711
|
-
_ = self.
|
|
688
|
+
r0 = self._expr_bv(arg0)
|
|
689
|
+
_ = self._expr_bv(arg1)
|
|
712
690
|
r = self.state.top(expr.bits)
|
|
713
691
|
return RichR(r, typevar=r0.typevar)
|
|
714
692
|
|
|
715
|
-
def
|
|
693
|
+
def _handle_binop_LogicalOr(self, expr):
|
|
716
694
|
arg0, arg1 = expr.operands
|
|
717
695
|
|
|
718
|
-
r0 = self.
|
|
719
|
-
_ = self.
|
|
696
|
+
r0 = self._expr_bv(arg0)
|
|
697
|
+
_ = self._expr_bv(arg1)
|
|
720
698
|
r = self.state.top(expr.bits)
|
|
721
699
|
return RichR(r, typevar=r0.typevar)
|
|
722
700
|
|
|
723
|
-
def
|
|
701
|
+
def _handle_binop_LogicalXor(self, expr):
|
|
724
702
|
arg0, arg1 = expr.operands
|
|
725
703
|
|
|
726
|
-
r0 = self.
|
|
727
|
-
_ = self.
|
|
704
|
+
r0 = self._expr_bv(arg0)
|
|
705
|
+
_ = self._expr_bv(arg1)
|
|
728
706
|
r = self.state.top(expr.bits)
|
|
729
707
|
return RichR(r, typevar=r0.typevar)
|
|
730
708
|
|
|
731
|
-
def
|
|
709
|
+
def _handle_binop_Rol(self, expr):
|
|
732
710
|
arg0, arg1 = expr.operands
|
|
733
711
|
|
|
734
|
-
r0 = self.
|
|
735
|
-
_ = self.
|
|
712
|
+
r0 = self._expr_bv(arg0)
|
|
713
|
+
_ = self._expr_bv(arg1)
|
|
736
714
|
result_size = arg0.bits
|
|
737
715
|
|
|
738
716
|
r = self.state.top(result_size)
|
|
739
717
|
return RichR(r, typevar=r0.typevar)
|
|
740
718
|
|
|
741
|
-
def
|
|
719
|
+
def _handle_binop_Ror(self, expr):
|
|
742
720
|
arg0, arg1 = expr.operands
|
|
743
721
|
|
|
744
|
-
r0 = self.
|
|
745
|
-
_ = self.
|
|
722
|
+
r0 = self._expr_bv(arg0)
|
|
723
|
+
_ = self._expr_bv(arg1)
|
|
746
724
|
result_size = arg0.bits
|
|
747
725
|
|
|
748
726
|
r = self.state.top(result_size)
|
|
749
727
|
return RichR(r, typevar=r0.typevar)
|
|
750
728
|
|
|
751
|
-
def
|
|
729
|
+
def _handle_binop_Concat(self, expr):
|
|
752
730
|
arg0, arg1 = expr.operands
|
|
753
731
|
|
|
754
|
-
_ = self.
|
|
755
|
-
_ = self.
|
|
732
|
+
_ = self._expr_bv(arg0)
|
|
733
|
+
_ = self._expr_bv(arg1)
|
|
756
734
|
|
|
757
735
|
# TODO: Model the operation. Don't lose type constraints
|
|
758
736
|
return RichR(self.state.top(expr.bits))
|
|
759
737
|
|
|
760
|
-
def
|
|
738
|
+
def _handle_binop_Default(self, expr):
|
|
739
|
+
arg0, arg1 = expr.operands
|
|
740
|
+
|
|
741
|
+
self._expr(arg0)
|
|
742
|
+
self._expr(arg1)
|
|
743
|
+
|
|
744
|
+
return RichR(self.state.top(expr.bits))
|
|
745
|
+
|
|
746
|
+
_handle_binop_AddF = _handle_binop_Default
|
|
747
|
+
_handle_binop_SubF = _handle_binop_Default
|
|
748
|
+
_handle_binop_SubV = _handle_binop_Default
|
|
749
|
+
_handle_binop_MulF = _handle_binop_Default
|
|
750
|
+
_handle_binop_DivF = _handle_binop_Default
|
|
751
|
+
_handle_binop_DivV = _handle_binop_Default
|
|
752
|
+
_handle_binop_AddV = _handle_binop_Default
|
|
753
|
+
_handle_binop_MulV = _handle_binop_Default
|
|
754
|
+
_handle_binop_MulHiV = _handle_binop_Default
|
|
755
|
+
_handle_binop_Carry = _handle_binop_Default
|
|
756
|
+
_handle_binop_Borrow = _handle_binop_Default
|
|
757
|
+
_handle_binop_SCarry = _handle_binop_Default
|
|
758
|
+
_handle_binop_SBorrow = _handle_binop_Default
|
|
759
|
+
_handle_binop_InterleaveLOV = _handle_binop_Default
|
|
760
|
+
_handle_binop_InterleaveHIV = _handle_binop_Default
|
|
761
|
+
_handle_binop_CasCmpEQ = _handle_binop_Default
|
|
762
|
+
_handle_binop_CasCmpNE = _handle_binop_Default
|
|
763
|
+
_handle_binop_ExpCmpNE = _handle_binop_Default
|
|
764
|
+
_handle_binop_SarNV = _handle_binop_Default
|
|
765
|
+
_handle_binop_ShrNV = _handle_binop_Default
|
|
766
|
+
_handle_binop_ShlNV = _handle_binop_Default
|
|
767
|
+
_handle_binop_PermV = _handle_binop_Default
|
|
768
|
+
_handle_binop_Set = _handle_binop_Default
|
|
769
|
+
_handle_binop_MaxV = _handle_binop_Default
|
|
770
|
+
_handle_binop_MinV = _handle_binop_Default
|
|
771
|
+
_handle_binop_QAddV = _handle_binop_Default
|
|
772
|
+
_handle_binop_QNarrowBinV = _handle_binop_Default
|
|
773
|
+
_handle_binop_CmpEQ = _handle_binop_Default
|
|
774
|
+
_handle_binop_CmpNE = _handle_binop_Default
|
|
775
|
+
_handle_binop_CmpLT = _handle_binop_Default
|
|
776
|
+
_handle_binop_CmpLE = _handle_binop_Default
|
|
777
|
+
_handle_binop_CmpGT = _handle_binop_Default
|
|
778
|
+
_handle_binop_CmpGE = _handle_binop_Default
|
|
779
|
+
_handle_binop_CmpEQV = _handle_binop_Default
|
|
780
|
+
_handle_binop_CmpNEV = _handle_binop_Default
|
|
781
|
+
_handle_binop_CmpGEV = _handle_binop_Default
|
|
782
|
+
_handle_binop_CmpGTV = _handle_binop_Default
|
|
783
|
+
_handle_binop_CmpLEV = _handle_binop_Default
|
|
784
|
+
_handle_binop_CmpLTV = _handle_binop_Default
|
|
785
|
+
_handle_binop_CmpF = _handle_binop_Default
|
|
786
|
+
|
|
787
|
+
def _handle_unop_Not(self, expr):
|
|
761
788
|
arg = expr.operands[0]
|
|
762
|
-
expr = self.
|
|
789
|
+
expr = self._expr_bv(arg)
|
|
763
790
|
|
|
764
791
|
result_size = arg.bits
|
|
765
792
|
|
|
@@ -773,9 +800,9 @@ class SimEngineVRAIL(
|
|
|
773
800
|
r = self.state.top(result_size)
|
|
774
801
|
return RichR(r, typevar=expr.typevar)
|
|
775
802
|
|
|
776
|
-
def
|
|
803
|
+
def _handle_unop_Neg(self, expr):
|
|
777
804
|
arg = expr.operands[0]
|
|
778
|
-
expr = self.
|
|
805
|
+
expr = self._expr_bv(arg)
|
|
779
806
|
|
|
780
807
|
result_size = arg.bits
|
|
781
808
|
|
|
@@ -789,9 +816,9 @@ class SimEngineVRAIL(
|
|
|
789
816
|
r = self.state.top(result_size)
|
|
790
817
|
return RichR(r, typevar=expr.typevar)
|
|
791
818
|
|
|
792
|
-
def
|
|
819
|
+
def _handle_unop_BitwiseNeg(self, expr):
|
|
793
820
|
arg = expr.operands[0]
|
|
794
|
-
expr = self.
|
|
821
|
+
expr = self._expr_bv(arg)
|
|
795
822
|
|
|
796
823
|
result_size = arg.bits
|
|
797
824
|
|
|
@@ -804,3 +831,16 @@ class SimEngineVRAIL(
|
|
|
804
831
|
|
|
805
832
|
r = self.state.top(result_size)
|
|
806
833
|
return RichR(r, typevar=expr.typevar)
|
|
834
|
+
|
|
835
|
+
def _handle_unop_Default(self, expr):
|
|
836
|
+
self._expr(expr.operands[0])
|
|
837
|
+
return RichR(self.state.top(expr.bits))
|
|
838
|
+
|
|
839
|
+
_handle_unop_Reference = _handle_unop_Default
|
|
840
|
+
_handle_unop_Dereference = _handle_unop_Default
|
|
841
|
+
_handle_unop_Clz = _handle_unop_Default
|
|
842
|
+
_handle_unop_Ctz = _handle_unop_Default
|
|
843
|
+
_handle_unop_GetMSBs = _handle_unop_Default
|
|
844
|
+
_handle_unop_unpack = _handle_unop_Default
|
|
845
|
+
_handle_unop_Sqrt = _handle_unop_Default
|
|
846
|
+
_handle_unop_RSqrtEst = _handle_unop_Default
|