angr 9.2.134__py3-none-manylinux2014_aarch64.whl → 9.2.135__py3-none-manylinux2014_aarch64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.134"
+__version__ = "9.2.135"
 
 if bytes is str:
     raise Exception(

angr/analyses/__init__.py

@@ -30,7 +30,7 @@ from .variable_recovery import VariableRecovery, VariableRecoveryFast
 from .identifier import Identifier
 from .callee_cleanup_finder import CalleeCleanupFinder
 from .reaching_definitions import ReachingDefinitionsAnalysis
-from .calling_convention import CallingConventionAnalysis
+from .calling_convention import CallingConventionAnalysis, FactCollector
 from .code_tagging import CodeTagging
 from .stack_pointer_tracker import StackPointerTracker
 from .dominance_frontier import DominanceFrontier
@@ -84,6 +84,7 @@ __all__ = (
     "Decompiler",
     "Disassembly",
     "DominanceFrontier",
+    "FactCollector",
     "FlirtAnalysis",
     "ForwardAnalysis",
     "Identifier",

angr/analyses/calling_convention/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+from .calling_convention import CallingConventionAnalysis
+from .fact_collector import FactCollector
+
+
+__all__ = ["CallingConventionAnalysis", "FactCollector"]

angr/analyses/{calling_convention.py → calling_convention/calling_convention.py}

@@ -9,7 +9,6 @@ import capstone
 
 from pyvex.stmt import Put
 from pyvex.expr import RdTmp
-from archinfo.arch_arm import is_arm_arch, ArchARMHF
 import ailment
 
 from angr.code_location import ExternalCodeLocation
@@ -35,8 +34,9 @@ from angr.knowledge_plugins.variables.variable_access import VariableAccessSort
 from angr.knowledge_plugins.functions import Function
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr import SIM_PROCEDURES
-from .reaching_definitions import get_all_definitions
-from . import Analysis, register_analysis, ReachingDefinitionsAnalysis
+from angr.analyses import Analysis, register_analysis, ReachingDefinitionsAnalysis
+from angr.analyses.reaching_definitions import get_all_definitions
+from .utils import is_sane_register_variable
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg import CFGModel
@@ -95,6 +95,8 @@ class CallingConventionAnalysis(Analysis):
         callsite_block_addr: int | None = None,
         callsite_insn_addr: int | None = None,
         func_graph: networkx.DiGraph | None = None,
+        input_args: list[SimRegArg | SimStackArg] | None = None,
+        retval_size: int | None = None,
     ):
         if func is not None and not isinstance(func, Function):
             func = self.kb.functions[func]
@@ -106,6 +108,15 @@ class CallingConventionAnalysis(Analysis):
         self.callsite_block_addr = callsite_block_addr
         self.callsite_insn_addr = callsite_insn_addr
         self._func_graph = func_graph
+        self._input_args = input_args
+        self._retval_size = retval_size
+
+        if self._retval_size is not None and self._input_args is None:
+            # retval size will be ignored if input_args is not specified - user error?
+            raise TypeError(
+                "input_args must be provided to use retval_size. Otherwise please set both input_args and "
+                "retval_size to None."
+            )
 
         self.cc: SimCC | None = None
         self.prototype: SimTypeFunction | None = None
@@ -308,9 +319,17 @@ class CallingConventionAnalysis(Analysis):
             # we do not analyze SimProcedures or PLT stubs
             return None
 
-        if not self._variable_manager.has_function_manager(self._function.addr):
-            l.warning("Please run variable recovery on %r before analyzing its calling convention.", self._function)
-            return None
+        if self._input_args is None:
+            if not self._variable_manager.has_function_manager(self._function.addr):
+                l.warning("Please run variable recovery on %r before analyzing its calling convention.", self._function)
+                return None
+            vm = self._variable_manager[self._function.addr]
+            retval_size = vm.ret_val_size
+            input_variables = vm.input_variables()
+            input_args = self._args_from_vars(input_variables, vm)
+        else:
+            input_args = self._input_args
+            retval_size = self._retval_size
 
         # check if this function is a variadic function
         if self.project.arch.name == "AMD64":
@@ -319,11 +338,6 @@ class CallingConventionAnalysis(Analysis):
             is_variadic = False
             fixed_args = None
 
-        vm = self._variable_manager[self._function.addr]
-
-        input_variables = vm.input_variables()
-        input_args = self._args_from_vars(input_variables, vm)
-
         # TODO: properly determine sp_delta
         sp_delta = self.project.arch.bytes if self.project.arch.call_pushes_ret else 0
 
@@ -342,7 +356,7 @@ class CallingConventionAnalysis(Analysis):
             args = args[:fixed_args]
 
         # guess the type of the return value -- it's going to be a wild guess...
-        ret_type = self._guess_retval_type(cc, vm.ret_val_size)
+        ret_type = self._guess_retval_type(cc, retval_size)
         if self._function.name == "main" and self.project.arch.bits == 64 and isinstance(ret_type, SimTypeLongLong):
             # hack - main must return an int even in 64-bit binaries
             ret_type = SimTypeInt()
@@ -698,14 +712,14 @@ class CallingConventionAnalysis(Analysis):
                     args.add(arg)
             elif isinstance(variable, SimRegisterVariable):
                 # a register variable, convert it to a register argument
-                if not self._is_sane_register_variable(variable, def_cc=def_cc):
+                if not is_sane_register_variable(self.project.arch, variable.reg, variable.size, def_cc=def_cc):
                     continue
-                reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
                 if self.project.arch.name in {"AMD64", "X86"} and variable.size < self.project.arch.bytes:
                     # use complete registers on AMD64 and X86
                     reg_name = self.project.arch.translate_register_name(variable.reg, size=self.project.arch.bytes)
                     arg = SimRegArg(reg_name, self.project.arch.bytes)
                 else:
+                    reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
                     arg = SimRegArg(reg_name, variable.size)
                 args.add(arg)
 
@@ -748,53 +762,6 @@ class CallingConventionAnalysis(Analysis):
 
         return args.difference(restored_reg_vars)
 
-    def _is_sane_register_variable(self, variable: SimRegisterVariable, def_cc: SimCC | None = None) -> bool:
-        """
-        Filters all registers that are surly not members of function arguments.
-        This can be seen as a workaround, since VariableRecoveryFast sometimes gives input variables of cc_ndep (which
-        is a VEX-specific register) :-(
-
-        :param variable: The variable to test.
-        :return:         True if it is an acceptable function argument, False otherwise.
-        :rtype:          bool
-        """
-
-        arch = self.project.arch
-        arch_name = arch.name
-        if ":" in arch_name:
-            # for pcode architectures, we only leave registers that are known to be used as input arguments
-            if def_cc is not None:
-                return arch.translate_register_name(variable.reg, size=variable.size) in def_cc.ARG_REGS
-            return True
-
-        # VEX
-        if arch_name == "AARCH64":
-            return 16 <= variable.reg < 80  # x0-x7
-
-        if arch_name == "AMD64":
-            return 24 <= variable.reg < 40 or 64 <= variable.reg < 104  # rcx, rdx  # rsi, rdi, r8, r9, r10
-            # 224 <= variable.reg < 480)  # xmm0-xmm7
-
-        if is_arm_arch(arch):
-            if isinstance(arch, ArchARMHF):
-                return 8 <= variable.reg < 24 or 128 <= variable.reg < 160  # r0 - 32  # s0 - s7, or d0 - d4
-            return 8 <= variable.reg < 24  # r0-r3
-
-        if arch_name == "MIPS32":
-            return 24 <= variable.reg < 40  # a0-a3
-
-        if arch_name == "MIPS64":
-            return 48 <= variable.reg < 80 or 112 <= variable.reg < 208  # a0-a3 or t4-t7
-
-        if arch_name == "PPC32":
-            return 28 <= variable.reg < 60  # r3-r10
-
-        if arch_name == "X86":
-            return 8 <= variable.reg < 24 or 160 <= variable.reg < 288  # eax, ebx, ecx, edx  # xmm0-xmm7
-
-        l.critical("Unsupported architecture %s.", arch.name)
-        return True
-
     def _reorder_args(self, args: list[SimRegArg | SimStackArg], cc: SimCC) -> list[SimRegArg | SimStackArg]:
         """
         Reorder arguments according to the calling convention identified.

angr/analyses/calling_convention/fact_collector.py

@@ -0,0 +1,503 @@
+from __future__ import annotations
+from typing import Any
+
+import pyvex
+import claripy
+
+from angr.utils.bits import s2u, u2s
+from angr.block import Block
+from angr.analyses.analysis import Analysis
+from angr.analyses import AnalysesHub
+from angr.knowledge_plugins.functions import Function
+from angr.codenode import BlockNode, HookNode
+from angr.engines.light import SimEngineNostmtVEX, SimEngineLight, SpOffset, RegisterOffset
+from angr.calling_conventions import SimRegArg, SimStackArg, default_cc
+from angr.sim_type import SimTypeBottom
+from .utils import is_sane_register_variable
+
+
+class FactCollectorState:
+    """
+    The abstract state for FactCollector.
+    """
+
+    __slots__ = (
+        "bp_value",
+        "callee_stored_regs",
+        "reg_reads",
+        "reg_writes",
+        "simple_stack",
+        "sp_value",
+        "stack_reads",
+        "stack_writes",
+        "tmps",
+    )
+
+    def __init__(self):
+        self.tmps = {}
+        self.simple_stack = {}
+
+        self.callee_stored_regs: dict[int, int] = {}  # reg offset -> stack offset
+        self.reg_reads = {}
+        self.reg_writes: set[int] = set()
+        self.stack_reads = {}
+        self.stack_writes: set[int] = set()
+        self.sp_value = 0
+        self.bp_value = 0
+
+    def register_read(self, offset: int, size_in_bytes: int):
+        if offset in self.reg_writes:
+            return
+        if offset not in self.reg_reads:
+            self.reg_reads[offset] = size_in_bytes
+        else:
+            self.reg_reads[offset] = max(self.reg_reads[offset], size_in_bytes)
+
+    def register_written(self, offset: int, size_in_bytes: int):
+        for o in range(size_in_bytes):
+            self.reg_writes.add(offset + o)
+
+    def stack_read(self, offset: int, size_in_bytes: int):
+        if offset in self.stack_writes:
+            return
+        if offset not in self.stack_reads:
+            self.stack_reads[offset] = size_in_bytes
+        else:
+            self.stack_reads[offset] = max(self.stack_reads[offset], size_in_bytes)
+
+    def stack_written(self, offset: int, size_int_bytes: int):
+        for o in range(size_int_bytes):
+            self.stack_writes.add(offset + o)
+
+    def copy(self, with_tmps: bool = False) -> FactCollectorState:
+        new_state = FactCollectorState()
+        new_state.reg_reads = self.reg_reads.copy()
+        new_state.stack_reads = self.stack_reads.copy()
+        new_state.stack_writes = self.stack_writes.copy()
+        new_state.reg_writes = self.reg_writes.copy()
+        new_state.callee_stored_regs = self.callee_stored_regs.copy()
+        new_state.sp_value = self.sp_value
+        new_state.bp_value = self.bp_value
+        new_state.simple_stack = self.simple_stack.copy()
+        if with_tmps:
+            new_state.tmps = self.tmps.copy()
+        return new_state
+
+
+binop_handler = SimEngineNostmtVEX[FactCollectorState, claripy.ast.BV, FactCollectorState].binop_handler
+
+
+class SimEngineFactCollectorVEX(
+    SimEngineNostmtVEX[FactCollectorState, SpOffset | RegisterOffset | int, None],
+    SimEngineLight[type[FactCollectorState], SpOffset | RegisterOffset | int, Block, None],
+):
+    """
+    THe engine for FactCollector.
+    """
+
+    def __init__(self, project, bp_as_gpr: bool):
+        self.bp_as_gpr = bp_as_gpr
+        super().__init__(project)
+
+    def _process_block_end(self, stmt_result: list, whitelist: set[int] | None) -> None:
+        if self.block.vex.jumpkind == "Ijk_Call":
+            self.state.register_written(self.arch.ret_offset, self.arch.bytes)
+
+    def _top(self, bits: int):
+        return None
+
+    def _is_top(self, expr: Any) -> bool:
+        raise NotImplementedError
+
+    def _handle_conversion(self, from_size: int, to_size: int, signed: bool, operand: pyvex.IRExpr) -> Any:
+        return None
+
+    def _handle_stmt_Put(self, stmt):
+        v = self._expr(stmt.data)
+        if stmt.offset == self.arch.sp_offset and isinstance(v, SpOffset):
+            self.state.sp_value = v.offset
+        elif stmt.offset == self.arch.bp_offset and isinstance(v, SpOffset):
+            self.state.bp_value = v.offset
+        else:
+            self.state.register_written(stmt.offset, stmt.data.result_size(self.tyenv) // self.arch.byte_width)
+
+    def _handle_stmt_Store(self, stmt: pyvex.IRStmt.Store):
+        addr = self._expr(stmt.addr)
+        if isinstance(addr, SpOffset):
+            self.state.stack_written(addr.offset, stmt.data.result_size(self.tyenv) // self.arch.byte_width)
+            data = self._expr(stmt.data)
+            if isinstance(data, RegisterOffset) and not isinstance(data, SpOffset):
+                # push reg; we record the stored register as well as the stack slot offset
+                self.state.callee_stored_regs[data.reg] = u2s(addr.offset, self.arch.bits)
+            if isinstance(data, SpOffset):
+                self.state.simple_stack[addr.offset] = data
+
+    def _handle_stmt_WrTmp(self, stmt: pyvex.IRStmt.WrTmp):
+        v = self._expr(stmt.data)
+        if v is not None:
+            self.state.tmps[stmt.tmp] = v
+
+    def _handle_expr_Const(self, expr: pyvex.IRExpr.Const):
+        return expr.con.value
+
+    def _handle_expr_GSPTR(self, expr):
+        return None
+
+    def _handle_expr_Get(self, expr) -> SpOffset | None:
+        if expr.offset == self.arch.sp_offset:
+            return SpOffset(self.arch.bits, self.state.sp_value, is_base=False)
+        if expr.offset == self.arch.bp_offset and not self.bp_as_gpr:
+            return SpOffset(self.arch.bits, self.state.bp_value, is_base=False)
+        bits = expr.result_size(self.tyenv)
+        self.state.register_read(expr.offset, bits // self.arch.byte_width)
+        return RegisterOffset(bits, expr.offset, 0)
+
+    def _handle_expr_GetI(self, expr):
+        return None
+
+    def _handle_expr_ITE(self, expr):
+        return None
+
+    def _handle_expr_Load(self, expr):
+        addr = self._expr(expr.addr)
+        if isinstance(addr, SpOffset):
+            self.state.stack_read(addr.offset, expr.result_size(self.tyenv) // self.arch.byte_width)
+            return self.state.simple_stack.get(addr.offset)
+        return None
+
+    def _handle_expr_RdTmp(self, expr):
+        return self.state.tmps.get(expr.tmp, None)
+
+    def _handle_expr_VECRET(self, expr):
+        return None
+
+    @binop_handler
+    def _handle_binop_Add(self, expr):
+        op0, op1 = self._expr(expr.args[0]), self._expr(expr.args[1])
+        if isinstance(op0, SpOffset) and isinstance(op1, int):
+            return SpOffset(op0.bits, s2u(op0.offset + op1, op0.bits), is_base=op0.is_base)
+        if isinstance(op1, SpOffset) and isinstance(op0, int):
+            return SpOffset(op1.bits, s2u(op1.offset + op0, op1.bits), is_base=op1.is_base)
+        return None
+
+    @binop_handler
+    def _handle_binop_Sub(self, expr):
+        op0, op1 = self._expr(expr.args[0]), self._expr(expr.args[1])
+        if isinstance(op0, SpOffset) and isinstance(op1, int):
+            return SpOffset(op0.bits, s2u(op0.offset - op1, op0.bits), is_base=op0.is_base)
+        if isinstance(op1, SpOffset) and isinstance(op0, int):
+            return SpOffset(op1.bits, s2u(op1.offset - op0, op1.bits), is_base=op1.is_base)
+        return None
+
+    @binop_handler
+    def _handle_binop_And(self, expr):
+        op0, op1 = self._expr(expr.args[0]), self._expr(expr.args[1])
+        if isinstance(op0, SpOffset):
+            return op0
+        if isinstance(op1, SpOffset):
+            return op1
+        return None
+
+
+class FactCollector(Analysis):
+    """
+    An extremely fast analysis that extracts necessary facts of a function for CallingConventionAnalysis to make
+    decision on the calling convention and prototype of a function.
+    """
+
+    def __init__(self, func: Function, max_depth: int = 5):
+        self.function = func
+        self._max_depth = max_depth
+
+        self.input_args: list[SimRegArg | SimStackArg] | None = None
+        self.retval_size: int | None = None
+
+        self._analyze()
+
+    def _analyze(self):
+        # breadth-first search using function graph, collect registers and stack variables that are written to as well
+        # as read from, until max_depth is reached
+
+        end_states = self._analyze_startpoint()
+        self._analyze_endpoints_for_retval_size()
+        callee_restored_regs = self._analyze_endpoints_for_restored_regs()
+        self._determine_input_args(end_states, callee_restored_regs)
+
+    def _analyze_startpoint(self):
+        func_graph = self.function.transition_graph
+        startpoint = self.function.startpoint
+        bp_as_gpr = self.function.info.get("bp_as_gpr", False)
+        engine = SimEngineFactCollectorVEX(self.project, bp_as_gpr)
+        init_state = FactCollectorState()
+        if self.project.arch.call_pushes_ret:
+            init_state.sp_value = self.project.arch.bytes
+        init_state.bp_value = init_state.sp_value
+
+        traversed = set()
+        queue: list[tuple[int, FactCollectorState, BlockNode | HookNode | Function, BlockNode | HookNode | None]] = [
+            (0, init_state, startpoint, None)
+        ]
+        end_states: list[FactCollectorState] = []
+        while queue:
+            depth, state, node, retnode = queue.pop(0)
+            traversed.add(node)
+
+            if depth > self._max_depth:
+                end_states.append(state)
+                break
+
+            if isinstance(node, BlockNode) and node.size == 0:
+                continue
+            if isinstance(node, HookNode):
+                # attempt to convert it into a function
+                if self.kb.functions.contains_addr(node.addr):
+                    node = self.kb.functions.get_by_addr(node.addr)
+                else:
+                    continue
+            if isinstance(node, Function):
+                if node.calling_convention is not None and node.prototype is not None:
+                    # consume args and overwrite the return register
+                    self._handle_function(state, node)
+                if node.returning is False or retnode is None:
+                    # the function call does not return
+                    end_states.append(state)
+                else:
+                    # enqueue the retnode, but we don't increment the depth
+                    new_state = state.copy()
+                    if self.project.arch.call_pushes_ret:
+                        new_state.sp_value += self.project.arch.bytes
+                    queue.append((depth, new_state, retnode, None))
+                continue
+
+            block = self.project.factory.block(node.addr, size=node.size)
+            engine.process(state, block=block)
+
+            successor_added = False
+            call_succ, ret_succ = None, None
+            for _, succ, data in func_graph.out_edges(node, data=True):
+                edge_type = data.get("type")
+                if succ not in traversed and depth + 1 <= self._max_depth:
+                    if edge_type == "fake_return":
+                        ret_succ = succ
+                    elif edge_type == "transition":
+                        successor_added = True
+                        queue.append((depth + 1, state.copy(), succ, None))
+                    elif edge_type == "call":
+                        call_succ = succ
+            if call_succ is not None:
+                successor_added = True
+                queue.append((depth + 1, state.copy(), call_succ, ret_succ))
+
+            if not successor_added:
+                end_states.append(state)
+
+        return end_states
+
+    def _handle_function(self, state: FactCollectorState, func: Function) -> None:
+        try:
+            arg_locs = func.calling_convention.arg_locs(func.prototype)
+        except (TypeError, ValueError):
+            func.prototype = None
+            return
+
+        if None in arg_locs:
+            return
+
+        for arg_loc in arg_locs:
+            for loc in arg_loc.get_footprint():
+                if isinstance(loc, SimRegArg):
+                    state.register_read(self.project.arch.registers[loc.reg_name][0] + loc.reg_offset, loc.size)
+                elif isinstance(loc, SimStackArg):
+                    sp_value = state.sp_value
+                    if sp_value is not None:
+                        state.stack_read(sp_value + loc.stack_offset, loc.size)
+
+        # clobber caller-saved regs
+        for reg_name in func.calling_convention.CALLER_SAVED_REGS:
+            offset = self.project.arch.registers[reg_name][0]
+            state.register_written(offset, self.project.arch.registers[reg_name][1])
+
+    def _analyze_endpoints_for_retval_size(self):
+        """
+        Analyze all endpoints to determine the return value size.
+        """
+        func_graph = self.function.transition_graph
+        cc_cls = default_cc(
+            self.project.arch.name, platform=self.project.simos.name if self.project.simos is not None else None
+        )
+        cc = cc_cls(self.project.arch)
+        if isinstance(cc.RETURN_VAL, SimRegArg):
+            retreg_offset = cc.RETURN_VAL.check_offset(self.project.arch)
+        else:
+            return
+
+        retval_sizes = []
+        for endpoint in self.function.endpoints:
+            traversed = set()
+            queue: list[tuple[int, BlockNode | HookNode]] = [(0, endpoint)]
+            while queue:
+                depth, node = queue.pop(0)
+                traversed.add(node)
+
+                if depth > 3:
+                    break
+
+                if isinstance(node, BlockNode) and node.size == 0:
+                    continue
+                if isinstance(node, HookNode):
+                    # attempt to convert it into a function
+                    if self.kb.functions.contains_addr(node.addr):
+                        node = self.kb.functions.get_by_addr(node.addr)
+                    else:
+                        continue
+                if isinstance(node, Function):
+                    if (
+                        node.calling_convention is not None
+                        and node.prototype is not None
+                        and node.prototype.returnty is not None
+                        and not isinstance(node.prototype.returnty, SimTypeBottom)
+                    ):
+                        # assume the function overwrites the return variable
+                        retval_size = (
+                            node.prototype.returnty.with_arch(self.project.arch).size // self.project.arch.byte_width
+                        )
+                        retval_sizes.append(retval_size)
+                    continue
+
+                block = self.project.factory.block(node.addr, size=node.size)
+                # scan the block statements backwards to find writes to the return value register
+                retval_size = None
+                for stmt in reversed(block.vex.statements):
+                    if isinstance(stmt, pyvex.IRStmt.Put):
+                        size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
+                        if stmt.offset == retreg_offset:
+                            retval_size = max(size, 1)
+
+                if retval_size is not None:
+                    retval_sizes.append(retval_size)
+                    continue
+
+                for pred, _, data in func_graph.in_edges(node, data=True):
+                    edge_type = data.get("type")
+                    if pred not in traversed and depth + 1 <= self._max_depth:
+                        if edge_type == "fake_return":
+                            continue
+                        if edge_type in {"transition", "call"}:
+                            queue.append((depth + 1, pred))
+
+        self.retval_size = max(retval_sizes) if retval_sizes else None
+
+    def _analyze_endpoints_for_restored_regs(self):
+        """
+        Analyze all endpoints to determine the restored registers.
+        """
+        func_graph = self.function.transition_graph
+        callee_restored_regs = set()
+
+        for endpoint in self.function.endpoints:
+            traversed = set()
+            queue: list[tuple[int, BlockNode | HookNode]] = [(0, endpoint)]
+            while queue:
+                depth, node = queue.pop(0)
+                traversed.add(node)
+
+                if depth > 3:
+                    break
+
+                if isinstance(node, BlockNode) and node.size == 0:
+                    continue
+                if isinstance(node, (HookNode, Function)):
+                    continue
+
+                block = self.project.factory.block(node.addr, size=node.size)
+                # scan the block statements backwards to find all statements that restore registers from the stack
+                tmps = {}
+                for stmt in block.vex.statements:
+                    if isinstance(stmt, pyvex.IRStmt.WrTmp):
+                        if isinstance(stmt.data, pyvex.IRExpr.Get) and stmt.data.offset in {
+                            self.project.arch.bp_offset,
+                            self.project.arch.sp_offset,
+                        }:
+                            tmps[stmt.tmp] = "sp"
+                        elif (
+                            isinstance(stmt.data, pyvex.IRExpr.Load)
+                            and isinstance(stmt.data.addr, pyvex.IRExpr.RdTmp)
+                            and tmps.get(stmt.data.addr.tmp) == "sp"
+                        ):
+                            tmps[stmt.tmp] = "stack_value"
+                        elif isinstance(stmt.data, pyvex.IRExpr.Const):
+                            tmps[stmt.tmp] = "const"
+                        elif isinstance(stmt.data, pyvex.IRExpr.Binop) and (  # noqa:SIM102
+                            stmt.data.op.startswith("Iop_Add") or stmt.data.op.startswith("Iop_Sub")
+                        ):
+                            if (
+                                isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
+                                and tmps.get(stmt.data.args[0].tmp) == "sp"
+                            ) or (
+                                isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
+                                and tmps.get(stmt.data.args[1].tmp) == "sp"
+                            ):
+                                tmps[stmt.tmp] = "sp"
+                    if isinstance(stmt, pyvex.IRStmt.Put):
+                        size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
+                        # is the data loaded from the stack?
+                        if (
+                            size == self.project.arch.bytes
+                            and isinstance(stmt.data, pyvex.IRExpr.RdTmp)
+                            and tmps.get(stmt.data.tmp) == "stack_value"
+                        ):
+                            callee_restored_regs.add(stmt.offset)
+
+                for pred, _, data in func_graph.in_edges(node, data=True):
+                    edge_type = data.get("type")
+                    if pred not in traversed and depth + 1 <= self._max_depth and edge_type == "transition":
+                        queue.append((depth + 1, pred))
+
+        return callee_restored_regs
+
+    def _determine_input_args(self, end_states: list[FactCollectorState], callee_restored_regs: set[int]) -> None:
+        self.input_args = []
+        reg_offset_created = set()
+        callee_saved_regs = set()
+        callee_saved_reg_stack_offsets = set()
+
+        # determine callee-saved registers
+        for state in end_states:
+            for reg_offset, stack_offset in state.callee_stored_regs.items():
+                if reg_offset in callee_restored_regs:
+                    callee_saved_regs.add(reg_offset)
+                    callee_saved_reg_stack_offsets.add(stack_offset)
+
+        for state in end_states:
+            for offset, size in state.reg_reads.items():
+                if (
+                    offset in reg_offset_created
+                    or offset == self.project.arch.bp_offset
+                    or not is_sane_register_variable(self.project.arch, offset, size)
+                    or offset in callee_saved_regs
+                ):
+                    continue
+                reg_offset_created.add(offset)
+                if self.project.arch.name in {"AMD64", "X86"} and size < self.project.arch.bytes:
+                    # use complete registers on AMD64 and X86
+                    reg_name = self.project.arch.translate_register_name(offset, size=self.project.arch.bytes)
+                    arg = SimRegArg(reg_name, self.project.arch.bytes)
+                else:
+                    reg_name = self.project.arch.translate_register_name(offset, size=size)
+                    arg = SimRegArg(reg_name, size)
+                self.input_args.append(arg)
+
+        stack_offset_created = set()
+        ret_addr_offset = 0 if not self.project.arch.call_pushes_ret else self.project.arch.bytes
+        for state in end_states:
+            for offset, size in state.stack_reads.items():
+                offset = u2s(offset, self.project.arch.bits)
+                if offset - ret_addr_offset > 0:
+                    if offset in stack_offset_created or offset in callee_saved_reg_stack_offsets:
+                        continue
+                    stack_offset_created.add(offset)
+                    arg = SimStackArg(offset - ret_addr_offset, size)
+                    self.input_args.append(arg)
+
+
+AnalysesHub.register_default("FunctionFactCollector", FactCollector)

angr/analyses/calling_convention/utils.py

@@ -0,0 +1,57 @@
+from __future__ import annotations
+import logging
+
+import archinfo
+from archinfo.arch_arm import is_arm_arch, ArchARMHF
+
+from angr.calling_conventions import SimCC
+
+l = logging.getLogger(__name__)
+
+
+def is_sane_register_variable(arch: archinfo.Arch, reg_offset: int, reg_size: int, def_cc: SimCC | None = None) -> bool:
+    """
+    Filters all registers that are surly not members of function arguments.
+    This can be seen as a workaround, since VariableRecoveryFast sometimes gives input variables of cc_ndep (which
+    is a VEX-specific register) :-(
+
+    :param reg_offset:  The register offset.
+    :param reg_size:    The register size.
+    :return:            True if it is an acceptable function argument, False otherwise.
+    :rtype:             bool
+    """
+
+    arch_name = arch.name
+    if ":" in arch_name:
+        # for pcode architectures, we only leave registers that are known to be used as input arguments
+        if def_cc is not None:
+            return arch.translate_register_name(reg_offset, size=reg_size) in def_cc.ARG_REGS
+        return True
+
+    # VEX
+    if arch_name == "AARCH64":
+        return 16 <= reg_offset < 80  # x0-x7
+
+    if arch_name == "AMD64":
+        return 24 <= reg_offset < 40 or 64 <= reg_offset < 104  # rcx, rdx  # rsi, rdi, r8, r9, r10
+        # 224 <= reg_offset < 480)  # xmm0-xmm7
+
+    if is_arm_arch(arch):
+        if isinstance(arch, ArchARMHF):
+            return 8 <= reg_offset < 24 or 128 <= reg_offset < 160  # r0 - 32  # s0 - s7, or d0 - d4
+        return 8 <= reg_offset < 24  # r0-r3
+
+    if arch_name == "MIPS32":
+        return 24 <= reg_offset < 40  # a0-a3
+
+    if arch_name == "MIPS64":
+        return 48 <= reg_offset < 80 or 112 <= reg_offset < 208  # a0-a3 or t4-t7
+
+    if arch_name == "PPC32":
+        return 28 <= reg_offset < 60  # r3-r10
+
+    if arch_name == "X86":
+        return 8 <= reg_offset < 24 or 160 <= reg_offset < 288  # eax, ebx, ecx, edx  # xmm0-xmm7
+
+    l.critical("Unsupported architecture %s.", arch.name)
+    return True

angr/analyses/complete_calling_conventions.py

@@ -7,6 +7,7 @@ import threading
 import time
 import logging
 from collections import defaultdict
+from enum import Enum
 
 import networkx
 
@@ -16,7 +17,7 @@ from angr.utils.graph import GraphUtils
 from angr.simos import SimWindows
 from angr.utils.mp import mp_context, Initializer
 from angr.knowledge_plugins.cfg import CFGModel
-from . import Analysis, register_analysis, VariableRecoveryFast, CallingConventionAnalysis
+from . import Analysis, register_analysis, VariableRecoveryFast, CallingConventionAnalysis, FactCollector
 
 if TYPE_CHECKING:
     from angr.calling_conventions import SimCC
@@ -30,6 +31,18 @@ _l = logging.getLogger(name=__name__)
 _mp_context = mp_context()
 
 
+class CallingConventionAnalysisMode(Enum):
+    """
+    The mode of calling convention analysis.
+
+    FAST: Using FactCollector to collect facts, then use facts for calling convention analysis.
+    VARIABLES: Using variables in VariableManager for calling convention analysis.
+    """
+
+    FAST = "fast"
+    VARIABLES = "variables"
+
+
 class CompleteCallingConventionsAnalysis(Analysis):
     """
     Implements full-binary calling convention analysis. During the initial analysis of a binary, you may set
@@ -39,6 +52,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
 
     def __init__(
         self,
+        mode: CallingConventionAnalysisMode = CallingConventionAnalysisMode.FAST,
         recover_variables=False,
         low_priority=False,
         force=False,
@@ -71,6 +85,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
         :param workers:             Number of multiprocessing workers.
         """
 
+        self.mode = mode
         self._recover_variables = recover_variables
         self._low_priority = low_priority
         self._force = force
@@ -88,6 +103,10 @@ class CompleteCallingConventionsAnalysis(Analysis):
         self._func_graphs = func_graphs if func_graphs else {}
         self.prototype_libnames: set[str] = set()
 
+        # sanity check
+        if self.mode not in {CallingConventionAnalysisMode.FAST, CallingConventionAnalysisMode.VARIABLES}:
+            raise ValueError(f"Invalid calling convention analysis mode {self.mode}.")
+
         self._func_addrs = []  # a list that holds addresses of all functions to be analyzed
         self._results = []
         if workers > 0:
@@ -322,7 +341,11 @@ class CompleteCallingConventionsAnalysis(Analysis):
                 self.kb.variables.get_function_manager(func_addr),
             )
 
-        if self._recover_variables and self.function_needs_variable_recovery(func):
+        if (
+            self.mode == CallingConventionAnalysisMode.VARIABLES
+            and self._recover_variables
+            and self.function_needs_variable_recovery(func)
+        ):
             # special case: we don't have a PCode-engine variable recovery analysis for PCode architectures!
             if ":" in self.project.arch.name and self._func_graphs and func.addr in self._func_graphs:
                 # this is a pcode architecture
@@ -341,9 +364,15 @@ class CompleteCallingConventionsAnalysis(Analysis):
                 )
                 return None, None, None, None
 
+        kwargs = {}
+        if self.mode == CallingConventionAnalysisMode.FAST:
+            facts = self.project.analyses[FactCollector].prep(kb=self.kb)(func)
+            kwargs["input_args"] = facts.input_args
+            kwargs["retval_size"] = facts.retval_size
+
         # determine the calling convention of each function
         cc_analysis = self.project.analyses[CallingConventionAnalysis].prep(kb=self.kb)(
-            func, cfg=self._cfg, analyze_callsites=self._analyze_callsites
+            func, cfg=self._cfg, analyze_callsites=self._analyze_callsites, **kwargs
         )
 
         if cc_analysis.cc is not None:

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py

@@ -13,12 +13,6 @@ from .optimization_pass import OptimizationPass, OptimizationPassStage
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class RegisterSaveAreaSimplifier(OptimizationPass):
     """
     Optimizes away register spilling effects, including callee-saved registers.

angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py

@@ -5,18 +5,13 @@ import logging
 
 import ailment
 
+from angr.utils.bits import s2u
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class StackCanarySimplifier(OptimizationPass):
     """
     Removes stack canary checks from decompilation results.

angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py

@@ -17,12 +17,6 @@ from .optimization_pass import OptimizationPass, OptimizationPassStage
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class SwitchDefaultCaseDuplicator(OptimizationPass):
     """
     For each switch-case construct (identified by jump tables), duplicate the default-case node when we detect

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -13,12 +13,6 @@ from .optimization_pass import OptimizationPass, OptimizationPassStage
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class WinStackCanarySimplifier(OptimizationPass):
     """
     Removes stack canary checks from decompilation results for Windows PE files.

angr/analyses/variable_recovery/engine_vex.py

@@ -215,6 +215,11 @@ class SimEngineVRVEX(
                             addr = RichR(loc.stack_offset + one_sp)
                             self._load(addr, loc.size)
 
+        # clobber caller-saved registers
+        for reg_name in func.calling_convention.CALLER_SAVED_REGS:
+            reg_offset, reg_size = self.arch.registers[reg_name]
+            self._assign_to_register(reg_offset, self._top(reg_size * self.arch.byte_width), reg_size)
+
     def _process_block_end(self, stmt_result, whitelist):
         # handles block-end calls
         current_addr = self.state.block_addr

angr/calling_conventions.py

@@ -4,6 +4,7 @@ import logging
 from typing import cast
 from collections.abc import Iterable
 from collections import defaultdict
+import contextlib
 
 import claripy
 import archinfo
@@ -33,7 +34,6 @@ from .sim_type import (
 )
 from .state_plugins.sim_action_object import SimActionObject
 from .engines.soot.engine import SootMixin
-import contextlib
 
 l = logging.getLogger(name=__name__)
 l.addFilter(UniqueLogFilter())
@@ -656,7 +656,7 @@ class SimCC:
             self.next_arg(session, SimTypePointer(SimTypeBottom()))
         return session
 
-    def return_in_implicit_outparam(self, ty):
+    def return_in_implicit_outparam(self, ty):  # pylint:disable=unused-argument
         return False
 
     def stack_space(self, args):
@@ -1098,7 +1098,8 @@ class SimCC:
         all_fp_args: set[int | str] = {_arg_ident(a) for a in sample_inst.fp_args}
         all_int_args: set[int | str] = {_arg_ident(a) for a in sample_inst.int_args}
         both_iter = sample_inst.memory_args
-        some_both_args: set[int | str] = {_arg_ident(next(both_iter)) for _ in range(len(args))}
+        max_args = cls._guess_arg_count(args)
+        some_both_args: set[int | str] = {_arg_ident(next(both_iter)) for _ in range(max_args)}
 
         new_args = []
         for arg in args:
@@ -1115,6 +1116,13 @@ class SimCC:
 
         return True
 
+    @classmethod
+    def _guess_arg_count(cls, args, limit: int = 64) -> int:
+        # pylint:disable=not-callable
+        stack_args = [a for a in args if isinstance(a, SimStackArg)]
+        stack_arg_count = (max(a.stack_offset for a in stack_args) // cls.ARCH().bytes + 1) if stack_args else 0
+        return min(limit, max(len(args), stack_arg_count))
+
     @staticmethod
     def find_cc(
         arch: archinfo.Arch, args: list[SimFunctionArgument], sp_delta: int, platform: str = "Linux"
@@ -1687,7 +1695,7 @@ class SimCCARM(SimCC):
                     raise NotImplementedError("Bug. Report to @rhelmot")
                 elif cls == "MEMORY":
                     mapped_classes.append(next(session.both_iter))
-                elif cls == "INTEGER" or cls == "SINGLEP":
+                elif cls in {"INTEGER", "SINGLEP"}:
                     try:
                         mapped_classes.append(next(session.int_iter))
                     except StopIteration:

angr/knowledge_plugins/functions/function.py

@@ -12,7 +12,6 @@ from cle.backends.symbol import Symbol
 from archinfo.arch_arm import get_real_address_if_arm
 import claripy
 
-from angr.block import Block
 from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort
 
 from angr.codenode import CodeNode, BlockNode, HookNode, SyscallNode
@@ -403,7 +402,7 @@ class Function(Serializable):
     def nodes(self) -> Iterable[CodeNode]:
         return self.transition_graph.nodes()
 
-    def get_node(self, addr) -> Block:
+    def get_node(self, addr) -> BlockNode | None:
         return self._addr_to_block_node.get(addr, None)
 
     @property
@@ -1036,8 +1035,9 @@ class Function(Serializable):
                     if function.returning is False:
                         # the target function does not return
                         the_node = self.get_node(src.addr)
-                        self._callout_sites.add(the_node)
-                        self._add_endpoint(the_node, "call")
+                        if the_node is not None:
+                            self._callout_sites.add(the_node)
+                            self._add_endpoint(the_node, "call")
 
     def get_call_sites(self) -> Iterable[int]:
         """

angr/knowledge_plugins/functions/function_manager.py

@@ -460,6 +460,12 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         :rtype: Function or None
         """
         if name is not None and name.startswith("sub_"):
+            # first check if a function with the specified name exists
+            for func in self.get_by_name(name, check_previous_names=check_previous_names):
+                if plt is None or func.is_plt == plt:
+                    return func
+
+            # then enter the syntactic sugar mode
             try:
                 addr = int(name.split("_")[-1], 16)
                 name = None

angr/utils/bits.py

@@ -31,3 +31,16 @@ def zeroextend_on_demand(op0: claripy.ast.BV, op1: claripy.ast.BV) -> claripy.as
     if op0.size() > op1.size():
         return claripy.ZeroExt(op0.size() - op1.size(), op1)
     return op1
+
+
+def s2u(s, bits):
+    mask = (1 << bits) - 1
+    if s > 0:
+        return s & mask
+    return ((1 << bits) + s) & mask
+
+
+def u2s(u, bits):
+    if u < (1 << (bits - 1)):
+        return u
+    return (u & ((1 << bits) - 1)) - (1 << bits)

{angr-9.2.134.dist-info → angr-9.2.135.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: angr
-Version: 9.2.134
+Version: 9.2.135
 Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
 Home-page: https://github.com/angr/angr
 License: BSD-2-Clause
@@ -16,13 +16,13 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: CppHeaderParser
 Requires-Dist: GitPython
-Requires-Dist: ailment==9.2.134
-Requires-Dist: archinfo==9.2.134
+Requires-Dist: ailment==9.2.135
+Requires-Dist: archinfo==9.2.135
 Requires-Dist: cachetools
 Requires-Dist: capstone==5.0.3
 Requires-Dist: cffi>=1.14.0
-Requires-Dist: claripy==9.2.134
-Requires-Dist: cle==9.2.134
+Requires-Dist: claripy==9.2.135
+Requires-Dist: cle==9.2.135
 Requires-Dist: itanium-demangler
 Requires-Dist: mulpyplexer
 Requires-Dist: nampa
@@ -31,7 +31,7 @@ Requires-Dist: protobuf>=5.28.2
 Requires-Dist: psutil
 Requires-Dist: pycparser>=2.18
 Requires-Dist: pyformlang
-Requires-Dist: pyvex==9.2.134
+Requires-Dist: pyvex==9.2.135
 Requires-Dist: rich>=13.1.0
 Requires-Dist: sortedcontainers
 Requires-Dist: sympy

{angr-9.2.134.dist-info → angr-9.2.135.dist-info}/RECORD

@@ -1,10 +1,10 @@
-angr/__init__.py,sha256=RdEZBtno9mn8PRTf_VSkaLK0AnqKMT1zIMQkRyqJAfI,9153
+angr/__init__.py,sha256=odyiYDh0AXyqpY0ivUXjx-rMAeY96FK0_h_7pMp_sFU,9153
 angr/__main__.py,sha256=XeawhF6Cco9eWcfMTDWzYYggLB3qjnQ87IIeFOplaHM,2873
 angr/annocfg.py,sha256=0NIvcuCskwz45hbBzigUTAuCrYutjDMwEXtMJf0y0S0,10742
 angr/blade.py,sha256=NhesOPloKJC1DQJRv_HBT18X7oNxK16JwAfNz2Lc1o0,15384
 angr/block.py,sha256=4mP-OKNqiTxOf2-GPfyKokpuF4j4ua_o5WZcC7W6BL8,14815
 angr/callable.py,sha256=1rzhXjWlx62jKJaRKHvp12rbsJ75zNa86vXtCt6eFLo,6065
-angr/calling_conventions.py,sha256=TZZXPPAOFYqoKfq6KYpItgpf-FInNzfit13meSb4TTg,92979
+angr/calling_conventions.py,sha256=zciZ1DAct9heBs-2CkVpkvT2yK5jExIom3SoA9WW2ug,93409
 angr/code_location.py,sha256=kXNJDEMge9VRHadrK4E6HQ8wDdCaHSXNqyAZuHDEGuM,5397
 angr/codenode.py,sha256=hehAHvUuxgUYiVtCFMTxloYC6bO4_CQjcp_52WWDHMA,3781
 angr/errors.py,sha256=I0L-TbxmVYIkC-USuHwaQ9BGPi2YVObnhZXQQ3kJFuo,8385
@@ -26,19 +26,18 @@ angr/slicer.py,sha256=DND0BERanYKafasRH9MDFAng0rSjdjmzXj2-phCD6CQ,10634
 angr/state_hierarchy.py,sha256=qDQCUGXmQm3vOxE3CSoiqTH4OAFFOWZZt9BLhNpeOhA,8484
 angr/tablespecs.py,sha256=Kx1e87FxTx3_ZN7cAHWZSRpdInT4Vfj5gExAWtLkLTw,3259
 angr/vaults.py,sha256=v_RBKEGN2wkyOoskC_akKSlawcRtMicukKh1O1hxrJk,9719
-angr/analyses/__init__.py,sha256=Tj98rg_BM_YBK7EIYrvfcyIxQnMnzFrMZp4-Id43rFE,3434
+angr/analyses/__init__.py,sha256=JVCNQfvffUjtvz5kvzvtYKmH_yG1Qjy-caSuQ8JMgpw,3470
 angr/analyses/analysis.py,sha256=7Jkob2CBEXHzW7F1hZk9AqfOKLglpfHplpyxba1fN_4,14998
 angr/analyses/backward_slice.py,sha256=a9uro3rqqDDiQRCnDCQzaSRcZvDQkCdRzLsrx5xe8uM,27219
 angr/analyses/binary_optimizer.py,sha256=Sm05TR-F5QtU1qx9jKr2lGfj03xw_O1IyBJjwnoUjJ0,26160
 angr/analyses/bindiff.py,sha256=AGOlH6Hsofo-6WwEleX80-DYs70aV-P8JV-GiDnoT9A,51391
 angr/analyses/boyscout.py,sha256=pMJNmVBt8MbCiVe8Pk8SQ3IOppHGK2qHe6G7A3e3WA8,2483
 angr/analyses/callee_cleanup_finder.py,sha256=aogcfYfvzsVPVfseJl2KKczMu7pPPtwC7bqTyQ0UsvI,2812
-angr/analyses/calling_convention.py,sha256=tW8NgKRCN9wjc5YpkzBV8hckAAoRKrb0EXjl3kBVa70,40869
 angr/analyses/cdg.py,sha256=oPgHV4MVpGkfRUE0ZiaghBSkgTsr6tkG1IK4f_GtOBA,6230
 angr/analyses/class_identifier.py,sha256=bytFQ0c7KuQhbYPPJDkhtV0ZU_Xo8_9KLZxHe9TtyMs,3010
 angr/analyses/code_tagging.py,sha256=Gj7Ms24RnmhC9OD57gw7R6_c-pLfqSug-LVUMw_JmXE,3510
 angr/analyses/codecave.py,sha256=k_dDhMN4wcq2bs5VrwpOv96OowQ7AbZSs6j5Z6YbIpk,2209
-angr/analyses/complete_calling_conventions.py,sha256=rwsVfq0TUOx-YW2RtbeXajAreBEfs9QDyQAE51PnEfo,18279
+angr/analyses/complete_calling_conventions.py,sha256=Jsl9YgYW4OaRFBXqcXNTt_AwKoHMP2M7NIMh3kZYodI,19356
 angr/analyses/congruency_check.py,sha256=SRlUKJaylCQydWsb4AGG8LUGuh5RwI8ksKZL6jf-4P8,16166
 angr/analyses/datagraph_meta.py,sha256=Ng0jqLD5ucRn_fBXhYq3l6scs3kczRk6Sk-Sen1forc,3414
 angr/analyses/ddg.py,sha256=c8P8zCkem7P717PYIJD35evK64Oh8YBa_tj6LdCeuTQ,63229
@@ -65,6 +64,10 @@ angr/analyses/vfg.py,sha256=_RDuP83ts55-FTVNMQGx7MJD1aDvNw4FHDhCwa7nUFw,72879
 angr/analyses/vsa_ddg.py,sha256=NQUauuMPZVrW7oCPpvIl-OIvGWUZHk_xEVLw3SCYzj8,16137
 angr/analyses/vtable.py,sha256=1Ed7jzr99rk9VgOGzcxBw_6GFqby5mIdSTGPqQPhcZM,3872
 angr/analyses/xrefs.py,sha256=vs6cpVmwXHOmxrI9lJUwCRMYbPSqvIQXS5_fINMaOGI,10290
+angr/analyses/calling_convention/__init__.py,sha256=bK5VS6AxT5l86LAhTL7l1HUT9IuvXG9x9ikbIohIFoE,194
+angr/analyses/calling_convention/calling_convention.py,sha256=_fTXe9oVCJ61roZrWhRRv_5FGtiQpiJmlLkf1x3ZL9Q,39692
+angr/analyses/calling_convention/fact_collector.py,sha256=FCRGdAr6VmROUemKM3ibpJ4LU3rUT3PwC312zkq6sT4,21334
+angr/analyses/calling_convention/utils.py,sha256=A4m85U1gd_dEuPEjlh4vWBC-mxxozOFIGIhApmgTvdI,2017
 angr/analyses/cfg/__init__.py,sha256=-w8Vd6FD6rtjlQaQ7MxwmliFgS2zt-kZepAY4gHas04,446
 angr/analyses/cfg/cfb.py,sha256=2Iej5PhB_U9JbfvvBuXy_07_UY9j7yiztKZYrGnc0U0,15369
 angr/analyses/cfg/cfg.py,sha256=ZHZFWtP4uD1YxgKy44O_oD_BiSo871Llcd1zpXmFkBE,3177
@@ -154,17 +157,17 @@ angr/analyses/decompiler/optimization_passes/ite_region_converter.py,sha256=gsWg
 angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py,sha256=ldEBDJTwS-FfzIkvCilCDY8IxzarHTXxv4jNZG28XDU,38818
 angr/analyses/decompiler/optimization_passes/mod_simplifier.py,sha256=BzgSGM39Uv1WAGPM831wLnKW8t-mw9tQoV07ZlxbU_Y,3379
 angr/analyses/decompiler/optimization_passes/optimization_pass.py,sha256=EYls4BcE4z1Hjvhez5oodKWLjLZe_KpRgKQZV0hck3Q,22637
-angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py,sha256=tc4FruEl0sFpm1DUu9g8gWlueRm0t9rhfHsdUrVplBo,7932
+angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py,sha256=X6A252YhqUvT7A6J5NqCKBom2PRlh5NDHpAjXfNvBfg,7854
 angr/analyses/decompiler/optimization_passes/ret_addr_save_simplifier.py,sha256=GIFiYM_C_ChHrD2D1JGRFlE--PU3FOxTqzOX-lXmJLY,6404
 angr/analyses/decompiler/optimization_passes/ret_deduplicator.py,sha256=STMnRyZWiqdoGPa3c7Q4KCHv-JHUdJ2t4oLEltEMpII,7995
 angr/analyses/decompiler/optimization_passes/return_duplicator_base.py,sha256=7QO_sJBR8WgjRxD8PXwxu0NeoCQchNJNClcwMzEmOsU,24921
 angr/analyses/decompiler/optimization_passes/return_duplicator_high.py,sha256=ICDYwQJt5E2OVasdqn42jzbjwUXhSj6Plh3Y1iUHpAQ,2178
 angr/analyses/decompiler/optimization_passes/return_duplicator_low.py,sha256=-mBEVfwGz986lDDEGwBG8wvGQTrFZHE7TLV-7rWt-H0,10076
-angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py,sha256=Fviff-U5n3_9kHWsbMbW0_FRQhK_010nhuq83Pg8gOU,14467
-angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py,sha256=nMI9geZiLG5diaI3YciNKvJ0PAZXtUBLgAfknCf48QE,6539
+angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py,sha256=vHfTCTG33r-PwwikP8tBbNqWvNt-SvRZfOsDNeAdiPc,14421
+angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py,sha256=gvGpjP3t-an8iIBkmPGXob0-aRHL2idGZpd7hErlgFo,6461
 angr/analyses/decompiler/optimization_passes/switch_reused_entry_rewriter.py,sha256=m7ZMkqE2qbl4rl4M_Fi8xS6I1vUaTzUBIzsE6qpbwkM,4020
 angr/analyses/decompiler/optimization_passes/tag_slicer.py,sha256=8_gmoeYgDD1Hb8Rpqcb-01_B4897peDF-J6KA5PjQT8,1176
-angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py,sha256=cpbsP6_ilZDu2M_jX8TEnwVrsQXljHEjSMw25HyK6PM,12806
+angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py,sha256=57AlQgCbaPSiY7OwcKdOXnr0LUACCO0r1TweqIDyUzo,12728
 angr/analyses/decompiler/optimization_passes/x86_gcc_getpc_simplifier.py,sha256=6NxaX2oT6BMkevb8xt9vlS3Jl-CmSK59F0FVab68B48,3088
 angr/analyses/decompiler/optimization_passes/duplication_reverter/__init__.py,sha256=hTeOdooVDZnBnjiAguD7_BS9YJru8rOiSHN3H0sdzcA,126
 angr/analyses/decompiler/optimization_passes/duplication_reverter/ail_merge_graph.py,sha256=nLu-s4wn6b3z6MlItwCH1kWpeAc4C-fP3MNN3WRCSuo,21666
@@ -351,7 +354,7 @@ angr/analyses/variable_recovery/__init__.py,sha256=eA1SHzfSx8aPufUdkvgMmBnbI6VDY
 angr/analyses/variable_recovery/annotations.py,sha256=2va7cXnRHYqVqXeVt00QanxfAo3zanL4BkAcC0-Bk20,1438
 angr/analyses/variable_recovery/engine_ail.py,sha256=ZmJCMH_y0oYdLRTwHw34MOy-5_9SgrklLgnLLLtHf5k,31197
 angr/analyses/variable_recovery/engine_base.py,sha256=ZqIlYpEPSB5WmhQ6p8H0HIMkRUG7ISMlCDOsHuE4-Sc,51146
-angr/analyses/variable_recovery/engine_vex.py,sha256=2xb7zlNrD3PpNILlDUvTp9Vt9JdhOqn3O3zIe101-QQ,20368
+angr/analyses/variable_recovery/engine_vex.py,sha256=UAA2FpOq4lAjsBzy5FoIOoR9dF4615UFNLDlDiWEfCs,20645
 angr/analyses/variable_recovery/irsb_scanner.py,sha256=vWplxRc-iwIJsQ5aHWH1t29zdyLPjfklm8h3CWHseng,5143
 angr/analyses/variable_recovery/variable_recovery.py,sha256=s5hwY9oOibhLxsJIePhYRmrX0mrDIi_zKkfNblwYyhE,22169
 angr/analyses/variable_recovery/variable_recovery_base.py,sha256=cJsc64ev_UmWTb2KNTdRF3HtpZyh4J2CEgnUAlH2MVg,15181
@@ -518,8 +521,8 @@ angr/knowledge_plugins/cfg/cfg_node.py,sha256=mAvQ8XAEURM7y0suc_S9lfxCmfXSTJHmWB
 angr/knowledge_plugins/cfg/indirect_jump.py,sha256=W3KWpH7Sx-6Z7h_BwQjCK_XfP3ce_MaeAu_Aaq3D3qg,2072
 angr/knowledge_plugins/cfg/memory_data.py,sha256=QLxFZfrtwz8u6UJn1L-Sxa-C8S0Gy9IOlfNfHCLPIow,5056
 angr/knowledge_plugins/functions/__init__.py,sha256=asiLNiT6sHbjP6eU-kDpawIoVxv4J35cwz5yQHtQ2E0,167
-angr/knowledge_plugins/functions/function.py,sha256=6G479_dWkp0PAAEKQWCUY3pH0b-qcOWjT9O6dOt4NLk,67287
-angr/knowledge_plugins/functions/function_manager.py,sha256=R-VtbkN3-l1-U4Wk4XHC8lGZo7DpXbEDE7Ok986YYYI,19594
+angr/knowledge_plugins/functions/function.py,sha256=Kiyi18e8ex8OpoQmbX4MHoHyZOGNLeAP3t-SvERiDtU,67326
+angr/knowledge_plugins/functions/function_manager.py,sha256=cU_0alc7yQ_AE5pm2NiCicjAaeL6zLX4KntQAqy32Ws,19893
 angr/knowledge_plugins/functions/function_parser.py,sha256=cpxn0EYp8qTqVQUBfwxodNIEFuNojdQboJG-q7uLdd0,11822
 angr/knowledge_plugins/functions/soot_function.py,sha256=kAEzniVHa2FOjb2qlLElXtbbgAeeUkor7iQIFyJuoYY,5005
 angr/knowledge_plugins/key_definitions/__init__.py,sha256=-x1VGH3LHMze3T-RygodvUG3oXXa5jhKvjXoPKyiU_0,432
@@ -1333,7 +1336,7 @@ angr/storage/memory_mixins/regioned_memory/static_find_mixin.py,sha256=tWyiNrMxm
 angr/utils/__init__.py,sha256=kBUIJCp9WSgzb62zMg4puUUeheMSl9U4RFqkfiL3en8,1159
 angr/utils/ail.py,sha256=8_FloZ6cP89D2Nfc_2wCPcuVv7ny-aP-OKS3syCSMLk,1054
 angr/utils/algo.py,sha256=4TaEFE4tU-59KyRVFASqXeoiwH01ZMj5fZd_JVcpdOY,1038
-angr/utils/bits.py,sha256=flNgPQ_OlAxk-SsW2lv_DbLSkqYc7J4jGd8VRB_WJE8,817
+angr/utils/bits.py,sha256=_eWPyymSbj01jsLexicRtD_X7sUKKj_fTUI0DEIZ-rc,1054
 angr/utils/constants.py,sha256=ZnK6Ed-1U_8yaw-7ZaCLSM0-z7bSuKPg715bBrquxKE,257
 angr/utils/cowdict.py,sha256=qx2iO1rrCDTQUGX9dqi9ZAly2Dgm6bCEgdSAQw9MxRM,2159
 angr/utils/dynamic_dictlist.py,sha256=bHQrxhUCkk6NDDzEBouAWESjMyKfQUJIk8g38R27iXw,3048
@@ -1354,9 +1357,9 @@ angr/utils/timing.py,sha256=ELuRPzdRSHzOATgtAzTFByMlVr021ypMrsvtpopreLg,1481
 angr/utils/ssa/__init__.py,sha256=OD3eTWAiH9QXGpwliNBCTC3Z4bux9iBX3Sp50aUNHvI,8758
 angr/utils/ssa/tmp_uses_collector.py,sha256=rSpvMxBHzg-tmvhsfjn3iLyPEKzaZN-xpQrdslMq3J4,793
 angr/utils/ssa/vvar_uses_collector.py,sha256=8gfAWdRMz73Deh-ZshDM3GPAot9Lf-rHzCiaCil0hlE,1342
-angr-9.2.134.dist-info/LICENSE,sha256=cgL_ho5B1NH8UxwtBuqThRWdjear8b7hktycaS1sz6g,1327
-angr-9.2.134.dist-info/METADATA,sha256=F82cwrJZ-zYDIYDpEL9zylN0aNkwmUle6tmDKM2kffg,4762
-angr-9.2.134.dist-info/WHEEL,sha256=-NJbNRco0VfEz3luq7ku84EsJsWGgW5ZrO0zAtrzmbo,109
-angr-9.2.134.dist-info/entry_points.txt,sha256=Vjh1C8PMyr5dZFMnik5WkEP01Uwr2T73I3a6N32sgQU,44
-angr-9.2.134.dist-info/top_level.txt,sha256=dKw0KWTbwLXytFvv15oAAG4sUs3ey47tt6DorJG9-hw,5
-angr-9.2.134.dist-info/RECORD,,
+angr-9.2.135.dist-info/LICENSE,sha256=cgL_ho5B1NH8UxwtBuqThRWdjear8b7hktycaS1sz6g,1327
+angr-9.2.135.dist-info/METADATA,sha256=Ls0VQIZqogjAt1EPMIvz_70vDMvP4J1vNj2eNH6nT-4,4762
+angr-9.2.135.dist-info/WHEEL,sha256=-NJbNRco0VfEz3luq7ku84EsJsWGgW5ZrO0zAtrzmbo,109
+angr-9.2.135.dist-info/entry_points.txt,sha256=Vjh1C8PMyr5dZFMnik5WkEP01Uwr2T73I3a6N32sgQU,44
+angr-9.2.135.dist-info/top_level.txt,sha256=dKw0KWTbwLXytFvv15oAAG4sUs3ey47tt6DorJG9-hw,5
+angr-9.2.135.dist-info/RECORD,,