angr 9.2.131__py3-none-manylinux2014_aarch64.whl → 9.2.133__py3-none-manylinux2014_aarch64.whl

angr/analyses/variable_recovery/engine_vex.py

@@ -1,15 +1,16 @@
 # pylint:disable=unused-argument
 from __future__ import annotations
-from typing import TYPE_CHECKING
+from typing import cast, TYPE_CHECKING
 
 import claripy
 import pyvex
 from archinfo.arch_arm import is_arm_arch
 
+from angr.block import Block
 from angr.errors import SimMemoryMissingError
 from angr.calling_conventions import SimRegArg, SimStackArg, default_cc
 from angr.engines.vex.claripy.datalayer import value as claripy_value
-from angr.engines.light import SimEngineLightVEXMixin
+from angr.engines.light import SimEngineNostmtVEX
 from angr.knowledge_plugins import Function
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.analyses.typehoon import typevars, typeconsts
@@ -17,43 +18,49 @@ from .engine_base import SimEngineVRBase, RichR
 from .irsb_scanner import VEXIRSBScanner
 
 if TYPE_CHECKING:
-    from .variable_recovery_base import VariableRecoveryStateBase
+    pass
+
+binop_handler = SimEngineNostmtVEX[
+    "VariableRecoveryFastState", RichR[claripy.ast.BV | claripy.ast.FP], None
+].binop_handler
 
 
 class SimEngineVRVEX(
-    SimEngineLightVEXMixin,
-    SimEngineVRBase,
+    SimEngineNostmtVEX["VariableRecoveryFastState", RichR[claripy.ast.BV | claripy.ast.FP], None],
+    SimEngineVRBase["VariableRecoveryFastState", Block],
 ):
     """
     Implements the VEX engine for variable recovery analysis.
     """
 
-    state: VariableRecoveryStateBase
+    reg_read_stmts_to_ignore: set[int]
+    stmts_to_lower: set[int]
 
     def __init__(self, *args, call_info=None, **kwargs):
         super().__init__(*args, **kwargs)
 
         self.call_info = call_info or {}
-        self.stmts_to_lower = None
-        self.reg_read_stmts_to_ignore = None
 
     # Statement handlers
 
     def _is_top(self, expr: RichR) -> bool:
         return self.state.is_top(expr)
 
-    def _top(self, size: int) -> RichR:
-        return RichR(self.state.top(size))
+    def _top(self, bits: int) -> RichR[claripy.ast.BV]:
+        return RichR(self.state.top(bits))
 
-    def _process_Stmt(self, whitelist=None):
-        scanner = VEXIRSBScanner(logger=self.l)
-        scanner._process(None, None, block=self.block)
+    def _process_block(self, whitelist=None):
+        scanner = VEXIRSBScanner(self.project, logger=self.l)
+        scanner._process(None, block=self.block)
         self.stmts_to_lower = scanner.stmts_to_lower
         self.reg_read_stmts_to_ignore = scanner.reg_read_stmts_to_ignore
 
-        super()._process_Stmt(whitelist=whitelist)
+        return super()._process_block(whitelist=whitelist)
+
+    def _handle_stmt_WrTmp(self, stmt):
+        self.tmps[stmt.tmp] = self._expr(stmt.data)
 
-    def _handle_Put(self, stmt):
+    def _handle_stmt_Put(self, stmt):
         offset = stmt.offset
         r = self._expr(stmt.data)
         size = stmt.data.result_size(self.tyenv) // 8
@@ -62,47 +69,45 @@ class SimEngineVRVEX(
             return
         self._assign_to_register(offset, r, size)
 
-    def _handle_PutI(self, stmt):
-        pass
-
-    def _handle_Store(self, stmt):
-        addr_r = self._expr(stmt.addr)
+    def _handle_stmt_Store(self, stmt):
+        addr_r = self._expr_bv(stmt.addr)
         size = stmt.data.result_size(self.tyenv) // 8
         r = self._expr(stmt.data)
 
         self._store(addr_r, r, size, stmt=stmt)
 
-    def _handle_StoreG(self, stmt):
+    def _handle_stmt_StoreG(self, stmt):
         guard = self._expr(stmt.guard)
         if guard is True:
-            addr = self._expr(stmt.addr)
+            addr = self._expr_bv(stmt.addr)
             size = stmt.data.result_size(self.tyenv) // 8
             data = self._expr(stmt.data)
             self._store(addr, data, size, stmt=stmt)
 
-    def _handle_LoadG(self, stmt):
+    def _handle_stmt_LoadG(self, stmt):
         guard = self._expr(stmt.guard)
         if guard is True:
-            addr = self._expr(stmt.addr)
+            addr = self._expr_bv(stmt.addr)
             if addr is not None:
                 self.tmps[stmt.dst] = self._load(addr, self.tyenv.sizeof(stmt.dst) // 8)
         elif guard is False:
             data = self._expr(stmt.alt)
             self.tmps[stmt.dst] = data
         else:
-            self.tmps[stmt.dst] = None
+            self.tmps[stmt.dst] = self._top(pyvex.get_type_size(self.tyenv.lookup(stmt.dst)))
 
-    def _handle_LLSC(self, stmt: pyvex.IRStmt.LLSC):
+    def _handle_stmt_LLSC(self, stmt: pyvex.IRStmt.LLSC):
         if stmt.storedata is None:
             # load-link
-            addr = self._expr(stmt.addr)
+            addr = self._expr_bv(stmt.addr)
             size = self.tyenv.sizeof(stmt.result) // self.arch.byte_width
             data = self._load(addr, size)
             self.tmps[stmt.result] = data
         else:
             # store-conditional
+            assert isinstance(stmt.storedata, pyvex.expr.RdTmp)
             storedata = self._expr(stmt.storedata)
-            addr = self._expr(stmt.addr)
+            addr = self._expr_bv(stmt.addr)
             size = self.tyenv.sizeof(stmt.storedata.tmp) // self.arch.byte_width
 
             self._store(addr, storedata, size)
@@ -110,26 +115,19 @@ class SimEngineVRVEX(
             result_size = self.tyenv.sizeof(stmt.result)
             self.tmps[stmt.result] = RichR(claripy.BVV(1, result_size))
 
-    def _handle_NoOp(self, stmt):
-        pass
-
     # Expression handlers
 
-    def _expr(self, expr) -> RichR:
-        """
+    def _expr_bv(self, expr) -> RichR[claripy.ast.BV]:
+        result = self._expr(expr)
+        assert isinstance(result.data, claripy.ast.BV)
+        return cast(RichR[claripy.ast.BV], result)
 
-        :param expr:
-        :return:
-        :rtype: RichR
-        """
+    def _expr_fp(self, expr) -> RichR[claripy.ast.FP]:
+        result = self._expr(expr)
+        assert isinstance(result.data, claripy.ast.FP)
+        return cast(RichR[claripy.ast.FP], result)
 
-        r = super()._expr(expr)
-        if r is None:
-            bits = expr.result_size(self.tyenv)
-            return RichR(self.state.top(bits))
-        return r
-
-    def _handle_Get(self, expr):
+    def _handle_expr_Get(self, expr):
         reg_offset = expr.offset
         reg_size = expr.result_size(self.tyenv) // 8
 
@@ -161,22 +159,31 @@ class SimEngineVRVEX(
             create_variable=self.stmt_idx not in self.reg_read_stmts_to_ignore,
         )
 
-    def _handle_GetI(self, expr: pyvex.IRExpr.GetI):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
+    def _handle_expr_GetI(self, expr):
+        return self._top(expr.result_size(self.tyenv))
+
+    def _handle_expr_ITE(self, expr):
+        return self._top(expr.result_size(self.tyenv))
 
-    def _handle_Load(self, expr: pyvex.IRExpr.Load) -> RichR:
-        addr = self._expr(expr.addr)
+    def _handle_expr_GSPTR(self, expr):
+        return self._top(expr.result_size(self.tyenv))
+
+    def _handle_expr_VECRET(self, expr):
+        return self._top(expr.result_size(self.tyenv))
+
+    def _handle_expr_Load(self, expr: pyvex.IRExpr.Load) -> RichR:
+        addr = self._expr_bv(expr.addr)
         size = expr.result_size(self.tyenv) // 8
 
         return self._load(addr, size)
 
-    def _handle_CCall(self, expr):  # pylint:disable=useless-return
+    def _handle_expr_CCall(self, expr):  # pylint:disable=useless-return
         # ccalls don't matter
         return RichR(self.state.top(expr.result_size(self.tyenv)))
 
-    def _handle_Conversion(self, expr: pyvex.IRExpr.Unop) -> RichR:
-        _ = self._expr(expr.args[0])
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
+    def _handle_conversion(self, from_size, to_size, signed, operand) -> RichR:
+        _ = self._expr(operand)
+        return RichR(self.state.top(to_size))
 
     # Function handlers
 
@@ -208,7 +215,7 @@ class SimEngineVRVEX(
                             addr = RichR(loc.stack_offset + one_sp)
                             self._load(addr, loc.size)
 
-    def _process_block_end(self):
+    def _process_block_end(self, stmt_result, whitelist):
         # handles block-end calls
         current_addr = self.state.block_addr
         for target_func in self.call_info.get(current_addr, []):
@@ -235,7 +242,9 @@ class SimEngineVRVEX(
             # TODO: Handle multiple return registers
             cc = self.state.function.calling_convention
             if cc is None:
-                cc = default_cc(self.arch.name, platform=self.project.simos.name)(self.arch)
+                cc_cls = default_cc(self.arch.name, platform=self.project.simos.name)
+                assert cc_cls is not None
+                cc = cc_cls(self.arch)
             if isinstance(cc.RETURN_VAL, SimRegArg):
                 ret_val_size = 0
                 reg_offset = cc.RETURN_VAL.check_offset(self.arch)
@@ -249,27 +258,40 @@ class SimEngineVRVEX(
                     ret_val_size if self.state.ret_val_size is None else max(self.state.ret_val_size, ret_val_size)
                 )
 
-    def _handle_Const(self, expr):
+    def _handle_expr_Const(self, expr):
         return RichR(
             claripy_value(expr.con.type, expr.con.value, size=expr.con.size), typevar=typeconsts.int_type(expr.con.size)
         )
 
-    def _handle_Add(self, expr):
-        arg0, arg1 = expr.args
+    def _handle_expr_RdTmp(self, expr):
+        try:
+            return self.tmps[expr.tmp]
+        except KeyError:
+            return self._top(expr.result_size(self.tyenv))
+
+    def _expr_pair(
+        self, arg0: pyvex.expr.IRExpr, arg1: pyvex.expr.IRExpr
+    ) -> tuple[RichR[claripy.ast.BV], RichR[claripy.ast.BV]] | tuple[RichR[claripy.ast.FP], RichR[claripy.ast.FP]]:
         r0 = self._expr(arg0)
         r1 = self._expr(arg1)
+        assert type(r0) is type(r1)
+        return r0, r1  # type: ignore
+
+    @binop_handler
+    def _handle_binop_Add(self, expr):
+        r0, r1 = self._expr_pair(expr.args[0], expr.args[1])
+        sum_ = r0.data + r1.data  # type: ignore
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
             # constants
-            return RichR(r0.data + r1.data, typevar=typeconsts.int_type(result_size), type_constraints=None)
+            return RichR(sum_, typevar=typeconsts.int_type(result_size), type_constraints=None)
 
         typevar = None
         if r0.typevar is not None and r1.data.concrete:
             typevar = typevars.DerivedTypeVariable(r0.typevar, typevars.AddN(r1.data.concrete_value))
 
-        sum_ = r0.data + r1.data
-        tc = set()
+        tc: set[typevars.TypeConstraint] = set()
         if r0.typevar is not None and r1.typevar is not None:
             tc.add(typevars.Subtype(r0.typevar, r1.typevar))
         return RichR(
@@ -278,32 +300,30 @@ class SimEngineVRVEX(
             type_constraints=tc,
         )
 
-    def _handle_Sub(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_Sub(self, expr):
+        r0, r1 = self._expr_pair(expr.args[0], expr.args[1])
+        diff = r0.data - r1.data  # type: ignore
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
             # constants
-            return RichR(r0.data - r1.data, typevar=typeconsts.int_type(result_size), type_constraints=None)
+            return RichR(diff, typevar=typeconsts.int_type(result_size), type_constraints=None)
 
         typevar = None
         if r0.typevar is not None and r1.data.concrete:
             typevar = typevars.DerivedTypeVariable(r0.typevar, typevars.SubN(r1.data.concrete_value))
 
-        diff = r0.data - r1.data
         return RichR(
             diff,
             typevar=typevar,
         )
 
-    def _handle_And(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_And(self, expr):
+        r0 = self._expr_bv(expr.args[0])
+        r1 = self._expr_bv(expr.args[1])
 
-        result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
             # constants
             return RichR(r0.data & r1.data)
@@ -313,38 +333,40 @@ class SimEngineVRVEX(
         elif self.state.is_stack_address(r1.data):
             r = r1.data
         else:
+            result_size = expr.result_size(self.tyenv)
             r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Xor(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_Xor(self, expr):
+        r0 = self._expr_bv(expr.args[0])
+        r1 = self._expr_bv(expr.args[1])
 
-        result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
             # constants
             return RichR(r0.data ^ r1.data)
 
+        result_size = expr.result_size(self.tyenv)
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Or(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_Or(self, expr):
+        r0 = self._expr_bv(expr.args[0])
+        r1 = self._expr_bv(expr.args[1])
 
-        result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
             # constants
             return RichR(r0.data | r1.data)
 
+        result_size = expr.result_size(self.tyenv)
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Not(self, expr):
+    @binop_handler
+    def _handle_binop_Not(self, expr):
         arg = expr.args[0]
-        r0 = self._expr(arg)
+        r0 = self._expr_bv(arg)
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete:
@@ -354,25 +376,53 @@ class SimEngineVRVEX(
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Mul(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_Mul(self, expr):
+        r0, r1 = self._expr_pair(expr.args[0], expr.args[1])
+
+        if r0.data.concrete and r1.data.concrete:
+            # constants
+            mul = r0.data * r1.data  # type: ignore
+            return RichR(mul)
 
         result_size = expr.result_size(self.tyenv)
+        r = self.state.top(result_size)
+        return RichR(r)
+
+    @binop_handler
+    def _handle_binop_MullS(self, expr):
+        r0, r1 = self._expr_pair(expr.args[0], expr.args[1])
+
         if r0.data.concrete and r1.data.concrete:
             # constants
-            return RichR(r0.data * r1.data)
+            xt = r0.data.size()
+            mul = r0.data.sign_extend(xt) * r1.data.sign_extend(xt)  # type: ignore
+            return RichR(mul)
 
+        result_size = expr.result_size(self.tyenv)
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_DivMod(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_MullU(self, expr):
+        r0, r1 = self._expr_pair(expr.args[0], expr.args[1])
+
+        if r0.data.concrete and r1.data.concrete:
+            # constants
+            xt = r0.data.size()
+            mul = r0.data.zero_extend(xt) * r1.data.zero_extend(xt)  # type: ignore
+            return RichR(mul)
 
         result_size = expr.result_size(self.tyenv)
+        r = self.state.top(result_size)
+        return RichR(r)
+
+    @binop_handler
+    def _handle_binop_DivMod(self, expr):
+        arg0, arg1 = expr.args
+        r0 = self._expr_bv(arg0)
+        r1 = self._expr_bv(arg1)
+
         if r0.data.concrete and r1.data.concrete:
             # constants
             try:
@@ -402,29 +452,31 @@ class SimEngineVRVEX(
             except ZeroDivisionError:
                 pass
 
+        result_size = expr.result_size(self.tyenv)
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Div(self, expr):
-        arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+    @binop_handler
+    def _handle_binop_Div(self, expr):
+        r0, r1 = self._expr_pair(expr.args[0], expr.args[1])
 
-        result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
             # constants
             try:
-                return RichR(r0.data / r1.data)
+                div = r0.data / r1.data  # type: ignore
+                return RichR(div)
             except ZeroDivisionError:
                 pass
 
+        result_size = expr.result_size(self.tyenv)
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Mod(self, expr):
+    @binop_handler
+    def _handle_binop_Mod(self, expr):
         arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+        r0 = self._expr_bv(arg0)
+        r1 = self._expr_bv(arg1)
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete and r1.data.concrete_value != 0:
@@ -441,10 +493,11 @@ class SimEngineVRVEX(
         r = self.state.top(result_size)
         return RichR(r)
 
-    def _handle_Shr(self, expr):
+    @binop_handler
+    def _handle_binop_Shr(self, expr):
         arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+        r0 = self._expr_bv(arg0)
+        r1 = self._expr_bv(arg1)
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
@@ -461,10 +514,11 @@ class SimEngineVRVEX(
             typevar=r0.typevar,
         )
 
-    def _handle_Sar(self, expr):
+    @binop_handler
+    def _handle_binop_Sar(self, expr):
         arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+        r0 = self._expr_bv(arg0)
+        r1 = self._expr_bv(arg1)
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
@@ -476,15 +530,13 @@ class SimEngineVRVEX(
             )
 
         r = self.state.top(result_size)
-        return RichR(
-            r,
-            typevar=r0.typevar,
-        )
+        return RichR(r, typevar=r0.typevar)
 
-    def _handle_Shl(self, expr):
+    @binop_handler
+    def _handle_binop_Shl(self, expr):
         arg0, arg1 = expr.args
-        r0 = self._expr(arg0)
-        r1 = self._expr(arg1)
+        r0 = self._expr_bv(arg0)
+        r1 = self._expr_bv(arg1)
 
         result_size = expr.result_size(self.tyenv)
         if r0.data.concrete and r1.data.concrete:
@@ -501,82 +553,20 @@ class SimEngineVRVEX(
             typevar=r0.typevar,
         )
 
-    def _handle_CmpF(self, expr):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_16HLto32(self, expr):
-        return RichR(self.state.top(32))
-
-    def _handle_Add_v(self, expr, vector_size, vector_count):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_QSub_v(self, expr, vector_size, vector_count):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_HAdd_v(self, expr, vector_size, vector_count):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_Clz(self, expr):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_Ctz(self, expr):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_Mull(self, expr):
-        return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    def _handle_CmpEQ(self, expr):
-        arg0, arg1 = expr.args
-        _ = self._expr(arg0)
-        _ = self._expr(arg1)
-
-        return RichR(self.state.top(1))
-
-    def _handle_CmpNE(self, expr):
+    @binop_handler
+    def _handle_binop_CmpEQ(self, expr):
         arg0, arg1 = expr.args
-        _ = self._expr(arg0)
-        _ = self._expr(arg1)
+        self._expr(arg0)
+        self._expr(arg1)
 
         return RichR(self.state.top(1))
 
-    def _handle_CmpLE(self, expr):
-        arg0, arg1 = expr.args
-        _ = self._expr(arg0)
-        _ = self._expr(arg1)
-
-        return RichR(self.state.top(1))
-
-    def _handle_CmpLT(self, expr):
-        arg0, arg1 = expr.args
-        _ = self._expr(arg0)
-        _ = self._expr(arg1)
-
-        return RichR(self.state.top(1))
-
-    def _handle_CmpGE(self, expr):
-        arg0, arg1 = expr.args
-        _ = self._expr(arg0)
-        _ = self._expr(arg1)
-
-        return RichR(self.state.top(1))
-
-    def _handle_CmpGT(self, expr):
-        arg0, arg1 = expr.args
-        _ = self._expr(arg0)
-        _ = self._expr(arg1)
-
-        return RichR(self.state.top(1))
-
-    def _handle_Cmp_v(self, expr, vector_size, vector_count):
-        return RichR(self.state.top(1))
+    _handle_binop_CmpNE = _handle_binop_CmpEQ
+    _handle_binop_CmpLE = _handle_binop_CmpEQ
+    _handle_binop_CmpLT = _handle_binop_CmpEQ
+    _handle_binop_CmpGE = _handle_binop_CmpEQ
+    _handle_binop_CmpGT = _handle_binop_CmpEQ
 
     def _handle_ExpCmpNE64(self, expr):
         _, _ = self._expr(expr.args[0]), self._expr(expr.args[1])
         return RichR(self.state.top(expr.result_size(self.tyenv)))
-
-    _handle_CmpEQ_v = _handle_Cmp_v
-    _handle_CmpNE_v = _handle_Cmp_v
-    _handle_CmpLE_v = _handle_Cmp_v
-    _handle_CmpLT_v = _handle_Cmp_v
-    _handle_CmpGE_v = _handle_Cmp_v
-    _handle_CmpGT_v = _handle_Cmp_v