angr 9.2.134__py3-none-macosx_11_0_arm64.whl → 9.2.136__py3-none-macosx_11_0_arm64.whl

angr/engines/__init__.py

@@ -8,13 +8,10 @@ from .procedure import ProcedureMixin, ProcedureEngine
 from .unicorn import SimEngineUnicorn
 from .failure import SimEngineFailure
 from .syscall import SimEngineSyscall
-from .concrete import SimEngineConcrete
 from .hook import HooksMixin
 from .soot import SootMixin
 
 
-# The default execution engine
-# You may remove unused mixins from this default engine to speed up execution
 class UberEngine(
     SimEngineFailure,
     SimEngineSyscall,
@@ -27,7 +24,14 @@ class UberEngine(
     SootMixin,
     HeavyVEXMixin,
 ):
-    pass
+    """
+    The default execution engine for angr. This engine includes mixins for most
+    common functionality in angr, including VEX IR, unicorn, syscall handling,
+    and simprocedure handling.
+
+    For some performance-sensitive applications, you may want to create a custom
+    engine with only the necessary mixins.
+    """
 
 
 __all__ = [
@@ -37,7 +41,6 @@ __all__ = [
     "ProcedureEngine",
     "ProcedureMixin",
     "SimEngine",
-    "SimEngineConcrete",
     "SimEngineFailure",
     "SimEngineSyscall",
     "SimEngineUnicorn",

angr/engines/engine.py

@@ -32,9 +32,7 @@ class SimEngineBase(Generic[StateType]):
 
     state: StateType
 
-    def __init__(self, project: angr.Project, **kwargs):
-        if kwargs:
-            raise TypeError("Unused initializer args: " + ", ".join(kwargs.keys()))
+    def __init__(self, project: angr.Project):
         self.project = project
         self.arch = self.project.arch
 
@@ -66,8 +64,8 @@ class SuccessorsMixin(SimEngine[HeavyState, SimSuccessors]):
     and dispatches to a ``process_successors`` method to fill a SimSuccessors object with the results.
     """
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(self, project: angr.Project):
+        super().__init__(project)
 
         self.successors: SimSuccessors | None = None
 

angr/engines/failure.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
-from .engine import SuccessorsMixin
-from .procedure import ProcedureMixin
 
 import logging
 
+from angr.errors import AngrExitError
+from .engine import SuccessorsMixin
+from .procedure import ProcedureMixin
+
 l = logging.getLogger(name=__name__)
 
 
@@ -23,6 +25,3 @@ class SimEngineFailure(SuccessorsMixin, ProcedureMixin):
             return self.process_procedure(state, successors, terminator, **kwargs)
 
         return super().process_successors(successors, **kwargs)
-
-
-from angr.errors import AngrExitError

angr/engines/procedure.py

@@ -1,10 +1,13 @@
 from __future__ import annotations
 import logging
 
-l = logging.getLogger(name=__name__)
-
+from angr import sim_options as o
+from angr import errors
+from angr.state_plugins.inspect import BP_BEFORE, BP_AFTER
 from .engine import SuccessorsMixin
 
+
+l = logging.getLogger(name=__name__)
 # pylint: disable=arguments-differ
 
 
@@ -65,8 +68,3 @@ class ProcedureEngine(ProcedureMixin, SuccessorsMixin):
         if procedure is None:
             raise errors.SimEngineError("Must provide the procedure explicitly to use ProcedureEngine")
         self.process_procedure(self.state, successors, procedure, **kwargs)
-
-
-from angr import sim_options as o
-from angr import errors
-from angr.state_plugins.inspect import BP_BEFORE, BP_AFTER

angr/engines/soot/expressions/__init__.py

@@ -2,29 +2,6 @@ from __future__ import annotations
 
 import logging
 
-l = logging.getLogger("angr.engines.soot.expressions")
-
-
-def translate_expr(expr, state):
-    expr_name = expr.__class__.__name__.split(".")[-1]
-    if expr_name.startswith("Soot"):
-        expr_name = expr_name[4:]
-    if expr_name.endswith("Expr"):
-        expr_name = expr_name[:-4]
-    expr_cls_name = "SimSootExpr_" + expr_name
-
-    g = globals()
-    if expr_cls_name in g:
-        expr_cls = g[expr_cls_name]
-    else:
-        l.warning("Unsupported Soot expression %s.", expr_cls_name)
-        expr_cls = SimSootExpr_Unsupported
-
-    expr = expr_cls(expr, state)
-    expr.process()
-    return expr
-
-
 from .arrayref import SimSootExpr_ArrayRef
 from .binop import SimSootExpr_Binop
 from .cast import SimSootExpr_Cast
@@ -57,6 +34,28 @@ from .paramref import SimSootExpr_ParamRef
 from .unsupported import SimSootExpr_Unsupported
 from .instanceOf import SimSootExpr_InstanceOf
 
+l = logging.getLogger("angr.engines.soot.expressions")
+
+
+def translate_expr(expr, state):
+    expr_name = expr.__class__.__name__.split(".")[-1]
+    if expr_name.startswith("Soot"):
+        expr_name = expr_name[4:]
+    if expr_name.endswith("Expr"):
+        expr_name = expr_name[:-4]
+    expr_cls_name = "SimSootExpr_" + expr_name
+
+    g = globals()
+    if expr_cls_name in g:
+        expr_cls = g[expr_cls_name]
+    else:
+        l.warning("Unsupported Soot expression %s.", expr_cls_name)
+        expr_cls = SimSootExpr_Unsupported
+
+    expr = expr_cls(expr, state)
+    expr.process()
+    return expr
+
 
 __all__ = (
     "SimSootExpr_ArrayRef",

angr/engines/soot/expressions/base.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
-from . import translate_expr
-from angr.engines.soot.values import translate_value
+
+import angr
 
 
 class SimSootExpr:
@@ -15,7 +15,7 @@ class SimSootExpr:
         raise NotImplementedError
 
     def _translate_expr(self, expr):
-        return translate_expr(expr, self.state)
+        return angr.engines.soot.expressions.translate_expr(expr, self.state)
 
     def _translate_value(self, value):
-        return translate_value(value, self.state)
+        return angr.engines.soot.values.translate_value(value, self.state)

angr/engines/soot/expressions/invoke.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 from archinfo.arch_soot import SootArgument, SootMethodDescriptor
 
-from . import translate_expr
 from angr.engines.soot.method_dispatcher import resolve_method
 from angr.engines.soot.exceptions import SootMethodNotLoadedException
 from .base import SimSootExpr
@@ -56,7 +55,7 @@ class SimSootExpr_VirtualInvoke(InvokeBase):
 
     def _resolve_invoke_target(self, expr, state):
         # get the type of the base object
-        base = translate_expr(self.expr.base, self.state).expr
+        base = self._translate_expr(self.expr.base).expr
         # if the base is not set, for example if we process an invocation of an
         # unloaded library function
         # => fallback: use the statically retrieved type

angr/engines/soot/statements/__init__.py

@@ -2,6 +2,15 @@ from __future__ import annotations
 
 import logging
 
+from .assign import SimSootStmt_Assign
+from .return_ import SimSootStmt_Return, SimSootStmt_ReturnVoid
+from .identity import SimSootStmt_Identity
+from .goto import SimSootStmt_Goto
+from .invoke import SimSootStmt_Invoke
+from .if_ import SimSootStmt_If
+from .switch import SimSootStmt_TableSwitch, SimSootStmt_LookupSwitch
+from .throw import SimSootStmt_Throw
+
 l = logging.getLogger("angr.engines.soot.statements")
 
 
@@ -21,16 +30,6 @@ def translate_stmt(stmt, state):
     return None
 
 
-from .assign import SimSootStmt_Assign
-from .return_ import SimSootStmt_Return, SimSootStmt_ReturnVoid
-from .identity import SimSootStmt_Identity
-from .goto import SimSootStmt_Goto
-from .invoke import SimSootStmt_Invoke
-from .if_ import SimSootStmt_If
-from .switch import SimSootStmt_TableSwitch, SimSootStmt_LookupSwitch
-from .throw import SimSootStmt_Throw
-
-
 __all__ = (
     "SimSootStmt_Assign",
     "SimSootStmt_Goto",

angr/engines/soot/values/__init__.py

@@ -1,5 +1,14 @@
 from __future__ import annotations
 
+from .local import SimSootValue_Local
+from .paramref import SimSootValue_ParamRef
+from .arrayref import SimSootValue_ArrayRef, SimSootValue_ArrayBaseRef
+from .thisref import SimSootValue_ThisRef
+from .staticfieldref import SimSootValue_StaticFieldRef
+from .instancefieldref import SimSootValue_InstanceFieldRef
+from .constants import SimSootValue_IntConstant
+from .strref import SimSootValue_StringRef
+
 
 def translate_value(value, state):
     value_name = value.__class__.__name__
@@ -16,16 +25,6 @@ def translate_value(value, state):
     return value_cls.from_sootvalue(value, state)
 
 
-from .local import SimSootValue_Local
-from .paramref import SimSootValue_ParamRef
-from .arrayref import SimSootValue_ArrayRef, SimSootValue_ArrayBaseRef
-from .thisref import SimSootValue_ThisRef
-from .staticfieldref import SimSootValue_StaticFieldRef
-from .instancefieldref import SimSootValue_InstanceFieldRef
-from .constants import SimSootValue_IntConstant
-from .strref import SimSootValue_StringRef
-
-
 __all__ = (
     "SimSootValue_ArrayBaseRef",
     "SimSootValue_ArrayRef",

angr/engines/soot/values/arrayref.py

@@ -3,7 +3,7 @@ import logging
 
 import claripy
 
-from . import translate_value
+import angr
 from angr.errors import SimEngineError
 from .base import SimSootValue
 from .constants import SimSootValue_IntConstant
@@ -60,7 +60,7 @@ class SimSootValue_ArrayRef(SimSootValue):
 
     @classmethod
     def from_sootvalue(cls, soot_value, state):
-        base_local = translate_value(soot_value.base, state)
+        base_local = angr.engines.soot.values.translate_value(soot_value.base, state)
         base = state.memory.load(base_local)
         idx = cls.translate_array_index(soot_value.index, state)
         cls.check_array_bounds(idx, base, state)
@@ -68,7 +68,7 @@ class SimSootValue_ArrayRef(SimSootValue):
 
     @staticmethod
     def translate_array_index(idx, state):
-        idx_value = translate_value(idx, state)
+        idx_value = angr.engines.soot.values.translate_value(idx, state)
         if isinstance(idx_value, SimSootValue_IntConstant):
             # idx is a constant
             return idx_value.value

angr/engines/soot/values/instancefieldref.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import translate_value
+
+import angr
 from .base import SimSootValue
 from angr.engines.soot.field_dispatcher import resolve_field
 
@@ -25,7 +26,7 @@ class SimSootValue_InstanceFieldRef(SimSootValue):
         field_name, field_class_name = soot_value.field
         field_type = soot_value.type
         # get heap allocation id from base object
-        fixed_base = translate_value(soot_value.base, state)
+        fixed_base = angr.engines.soot.values.translate_value(soot_value.base, state)
         field_ref_base = state.memory.load(fixed_base)
         obj_alloc_id = field_ref_base.heap_alloc_id
         # return field reference

angr/engines/successors.py

@@ -6,6 +6,13 @@ import claripy
 
 from archinfo.arch_soot import ArchSoot, SootAddressDescriptor
 
+from angr import sim_options as o
+from angr.errors import SimSolverModeError, AngrUnsupportedSyscallError, AngrSyscallError, SimValueError, SimUnsatError
+from angr.storage import DUMMY_SYMBOLIC_READ_VALUE
+from angr.state_plugins.inspect import BP_BEFORE, BP_AFTER
+from angr.state_plugins.callstack import CallStack
+from angr.state_plugins.sim_action_object import _raw_ast
+
 
 if TYPE_CHECKING:
     from angr import SimState
@@ -533,10 +540,4 @@ class SimSuccessors:
 
 
 # pylint: disable=wrong-import-position
-from angr.state_plugins.inspect import BP_BEFORE, BP_AFTER
-from angr.errors import SimSolverModeError, AngrUnsupportedSyscallError, AngrSyscallError, SimValueError, SimUnsatError
 from angr.calling_conventions import SYSCALL_CC
-from angr.state_plugins.sim_action_object import _raw_ast
-from angr.state_plugins.callstack import CallStack
-from angr.storage import DUMMY_SYMBOLIC_READ_VALUE
-from angr import sim_options as o

angr/engines/syscall.py

@@ -1,12 +1,13 @@
 from __future__ import annotations
-import angr
 import logging
 
-l = logging.getLogger(name=__name__)
-
+import angr
+from angr.errors import AngrUnsupportedSyscallError
 from .engine import SuccessorsMixin
 from .procedure import ProcedureMixin
 
+l = logging.getLogger(name=__name__)
+
 
 # pylint:disable=abstract-method,arguments-differ
 class SimEngineSyscall(SuccessorsMixin, ProcedureMixin):
@@ -48,6 +49,3 @@ class SimEngineSyscall(SuccessorsMixin, ProcedureMixin):
             sys_procedure = angr.SIM_PROCEDURES["stubs"]["syscall"](cc=cc)
 
         return self.process_procedure(state, successors, sys_procedure, **kwargs)
-
-
-from angr.errors import AngrUnsupportedSyscallError

angr/engines/unicorn.py

@@ -6,6 +6,7 @@ import logging
 import archinfo
 import claripy
 
+import angr
 from angr.errors import SimIRSBError, SimIRSBNoDecodeError, SimValueError
 from .engine import SuccessorsMixin
 from .vex.heavy.heavy import VEXEarlyExit
@@ -30,8 +31,8 @@ class SimEngineUnicorn(SuccessorsMixin):
     - extra_stop_points:   A collection of addresses at which execution should halt
     """
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(self, project: angr.Project):
+        super().__init__(project)
         # Cache of details of basic blocks containing statements that need to re-executed
         self._block_details_cache = {}
         # Addresses of basic blocks which native interface will not execute

angr/engines/vex/claripy/ccall.py

@@ -3,8 +3,11 @@ import logging
 
 import claripy
 from archinfo.arch_arm import is_arm_arch
-from angr.state_plugins.sim_action_object import _raw_ast, SimActionObject
+
 from angr import errors
+from angr.errors import SimError, SimCCallError
+from angr.sim_options import USE_SIMPLIFIED_CCALLS
+from angr.state_plugins.sim_action_object import _raw_ast, SimActionObject
 
 l = logging.getLogger(name=__name__)
 
@@ -2020,11 +2023,10 @@ def _get_flags(state) -> claripy.ast.bv.BV:
     except CCallMultivaluedException as e:
         cases, to_replace = e.args
         args = [cc_op, cc_dep1, cc_dep2, cc_ndep]
-        for i, arg in enumerate(args):
-            if arg is to_replace:
-                break
-        else:
-            raise errors.UnsupportedCCallError("Trying to concretize a value which is not an argument")
+        try:
+            i = args.index(to_replace)
+        except ValueError as ve:
+            raise errors.UnsupportedCCallError("Trying to concretize a value which is not an argument") from ve
         return claripy.ite_cases([(case, func(state, *args[:i], value_, *args[i + 1 :])) for case, value_ in cases], 0)
 
 
@@ -2064,7 +2066,3 @@ def _get_nbits(cc_str):
     elif cc_str.endswith("64"):
         nbits = 64
     return nbits
-
-
-from angr.errors import SimError, SimCCallError
-from angr.sim_options import USE_SIMPLIFIED_CCALLS

angr/engines/vex/claripy/datalayer.py

@@ -130,11 +130,10 @@ class ClaripyDataMixin(VEXMixin):
         except ccall.CCallMultivaluedException as e:
             cases, to_replace = e.args
             # pylint: disable=undefined-loop-variable
-            for i, arg in enumerate(args):
-                if arg is to_replace:
-                    break
-            else:
-                raise errors.UnsupportedCCallError("Trying to concretize a value which is not an argument")
+            try:
+                i = args.index(to_replace)
+            except ValueError as ve:
+                raise errors.UnsupportedCCallError("Trying to concretize a value which is not an argument") from ve
             evaluated_cases = [(case, func(self.state, *args[:i], value_, *args[i + 1 :])) for case, value_ in cases]
             try:
                 return claripy.ite_cases(evaluated_cases, value(ty, 0))

angr/exploration_techniques/__init__.py

@@ -17,7 +17,6 @@ from .manual_mergepoint import ManualMergepoint
 from .tech_builder import TechniqueBuilder
 from .stochastic import StochasticSearch
 from .unique import UniqueSearch
-from .symbion import Symbion
 from .memory_watcher import MemoryWatcher
 from .bucketizer import Bucketizer
 from .local_loop_seer import LocalLoopSeer
@@ -45,7 +44,6 @@ __all__ = (
     "StochasticSearch",
     "StubStasher",
     "Suggestions",
-    "Symbion",
     "TechniqueBuilder",
     "Threading",
     "Timeout",

angr/exploration_techniques/spiller.py

@@ -4,6 +4,7 @@ from __future__ import annotations
 import contextlib
 import logging
 
+from angr import vaults
 from .base import ExplorationTechnique
 
 
@@ -277,6 +278,3 @@ class Spiller(ExplorationTechnique):
     @staticmethod
     def state_priority(state):
         return id(state)
-
-
-from angr import vaults

angr/exploration_techniques/stochastic.py

@@ -44,13 +44,12 @@ class StochasticSearch(ExplorationTechnique):
                 assert len(states) >= 2
                 total_weight = sum(self.affinity[s.addr] for s in states)
                 selected = self._random.uniform(0, total_weight)
-                i = 0
                 for i, state in enumerate(states):
                     weight = self.affinity[state.addr]
                     if selected < weight:
-                        break
+                        return states[i]
                     selected -= weight
-                return states[i]
+                return states[len(states) - 1]
 
             simgr.stashes[stash] = [weighted_pick(simgr.stashes[stash])]
 

angr/factory.py

@@ -11,7 +11,7 @@ from .sim_state import SimState
 from .calling_conventions import default_cc, SimRegArg, SimStackArg, PointerWrapper, SimCCUnknown
 from .callable import Callable
 from .errors import AngrAssemblyError, AngrError
-from .engines import UberEngine, ProcedureEngine, SimEngineConcrete
+from .engines import UberEngine, ProcedureEngine
 from .sim_type import SimTypeFunction, SimTypeInt
 from .codenode import HookNode, SyscallNode
 from .block import Block, SootBlock
@@ -39,7 +39,6 @@ class AngrObjectFactory:
     project: Project
     default_engine_factory: type[SimEngine]
     procedure_engine: ProcedureEngine
-    concrete_engine: SimEngineConcrete | None
     _default_cc: type[SimCC] | None
 
     # We use thread local storage to cache engines on a per-thread basis
@@ -66,16 +65,11 @@ class AngrObjectFactory:
         )
         self.procedure_engine = ProcedureEngine(project)
 
-        if project.concrete_target:
-            self.concrete_engine = SimEngineConcrete(project)
-        else:
-            self.concrete_engine = None
-
     def __getstate__(self):
-        return self.project, self.default_engine_factory, self.procedure_engine, self.concrete_engine, self._default_cc
+        return self.project, self.default_engine_factory, self.procedure_engine, self._default_cc
 
     def __setstate__(self, state):
-        self.project, self.default_engine_factory, self.procedure_engine, self.concrete_engine, self._default_cc = state
+        self.project, self.default_engine_factory, self.procedure_engine, self._default_cc = state
         self._tls = threading.local()
 
     @property

angr/knowledge_plugins/cfg/cfg_model.py

@@ -6,10 +6,10 @@ import logging
 from typing import TYPE_CHECKING
 from collections.abc import Callable
 from collections import defaultdict
-import bisect
 import string
 
 import networkx
+from sortedcontainers import SortedList
 
 import cle
 
@@ -81,7 +81,7 @@ class CFGModel(Serializable):
         # CFGNodes dict indexed by block ID. Don't serialize
         self._nodes: dict[int, CFGNode] = {}
         # addresses of CFGNodes to speed up get_any_node(..., anyaddr=True). Don't serialize
-        self._node_addrs: list[int] = []
+        self._node_addrs: SortedList[int] | None = None
 
         self.normalized = False
 
@@ -137,7 +137,8 @@ class CFGModel(Serializable):
             edge.dst_ea = dst.addr
             for k, v in data.items():
                 if k == "jumpkind":
-                    edge.jumpkind = cfg_jumpkind_to_pb(v)
+                    jk = cfg_jumpkind_to_pb(v)
+                    edge.jumpkind = primitives_pb2.Edge.UnknownJumpkind if jk is None else jk
                 elif k == "ins_addr":
                     edge.ins_addr = v if v is not None else 0xFFFF_FFFF_FFFF_FFFF
                 elif k == "stmt_idx":
@@ -176,7 +177,7 @@ class CFGModel(Serializable):
                     "The resulting graph may be broken."
                 )
 
-        model._node_addrs = sorted(model._nodes_by_addr.keys())
+        model._node_addrs = None
 
         # edges
         for edge_pb2 in cmsg.edges:
@@ -219,6 +220,9 @@ class CFGModel(Serializable):
 
         return model
 
+    def _build_node_addr_index(self):
+        self._node_addrs = SortedList(iter(k for k, lst in self._nodes_by_addr.items() if lst))
+
     #
     # Node insertion and removal
     #
@@ -227,12 +231,8 @@ class CFGModel(Serializable):
         self._nodes[block_id] = node
         self._nodes_by_addr[node.addr].append(node)
 
-        if isinstance(node.addr, int):
-            pos = bisect.bisect_left(self._node_addrs, node.addr)
-            if pos >= len(self._node_addrs):
-                self._node_addrs.append(node.addr)
-            elif self._node_addrs[pos] != node.addr:
-                self._node_addrs.insert(pos, node.addr)
+        if self._node_addrs is not None and isinstance(node.addr, int) and node.addr not in self._node_addrs:
+            self._node_addrs.add(node.addr)
 
     def remove_node(self, block_id: int, node: CFGNode) -> None:
         """
@@ -250,10 +250,8 @@ class CFGModel(Serializable):
             if not self._nodes_by_addr[node.addr]:
                 del self._nodes_by_addr[node.addr]
 
-                if isinstance(node.addr, int):
-                    pos = bisect.bisect_left(self._node_addrs, node.addr)
-                    if pos < len(self._node_addrs) and self._node_addrs[pos] == node.addr:
-                        self._node_addrs.pop(pos)
+                if self._node_addrs is not None and isinstance(node.addr, int) and node.addr in self._node_addrs:
+                    self._node_addrs.remove(node.addr)
 
     #
     # CFG View
@@ -294,17 +292,22 @@ class CFGModel(Serializable):
         # fastpath: directly look in the nodes list
         if not anyaddr or addr in self._nodes_by_addr:
             try:
-                return self._nodes_by_addr[addr][0]
-            except (KeyError, IndexError):
+                if is_syscall is None:
+                    return self._nodes_by_addr[addr][0]
+                return next(iter(node for node in self._nodes_by_addr[addr] if node.is_syscall == is_syscall))
+            except (KeyError, IndexError, StopIteration):
                 pass
 
         if force_fastpath:
             return None
 
         if isinstance(addr, int):
+            if self._node_addrs is None:
+                self._build_node_addr_index()
+
             # slower path
             # find all potential addresses that the block may cover
-            pos = bisect.bisect_left(self._node_addrs, max(addr - VEX_IRSB_MAX_SIZE, 0))
+            pos = self._node_addrs.bisect_left(max(addr - VEX_IRSB_MAX_SIZE, 0))
 
             is_cfgemulated = self.ident == "CFGEmulated"