angr 9.2.134__py3-none-manylinux2014_x86_64.whl → 9.2.136__py3-none-manylinux2014_x86_64.whl

angr/analyses/s_propagator.py

@@ -53,7 +53,6 @@ class SPropagatorAnalysis(Analysis):
         subject: Block | Function,
         func_graph=None,
         only_consts: bool = True,
-        immediate_stmt_removal: bool = False,
         stack_pointer_tracker=None,
         func_addr: int | None = None,
     ):
@@ -71,7 +70,6 @@ class SPropagatorAnalysis(Analysis):
         self.func_graph = func_graph
         self.func_addr = func_addr
         self.only_consts = only_consts
-        self.immediate_stmt_removal = immediate_stmt_removal
         self._sp_tracker = stack_pointer_tracker
 
         bp_as_gpr = False
@@ -209,7 +207,7 @@ class SPropagatorAnalysis(Analysis):
                         stmt_src = stmt_src.operand
                     if isinstance(stmt_src, Load) and isinstance(stmt_src.addr, Const):
                         gv_updated = False
-                        for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
+                        for _vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
                             gv_updated |= self.is_global_variable_updated(
                                 self.func_graph,
                                 blocks,

angr/analyses/soot_class_hierarchy.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import logging
 
+from angr.analyses import AnalysesHub
 from . import Analysis
 
 l = logging.getLogger(name=__name__)
@@ -269,6 +270,4 @@ class SootClassHierarchy(Analysis):
         return targets
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("SootClassHierarchy", SootClassHierarchy)

angr/analyses/stack_pointer_tracker.py

@@ -258,11 +258,11 @@ class StackPointerTrackerState:
             pass
         raise CouldNotResolveException
 
-    def put(self, reg, val):
+    def put(self, reg, val, force: bool = False):
         # strong update, but we only update values for registers that are already in self.regs and ignore all other
         # registers. obviously, self.regs should be initialized with registers that should be considered during
         # tracking,
-        if reg in self.regs:
+        if reg in self.regs or force:
             self.regs[reg] = val
 
     def copy(self):
@@ -702,6 +702,22 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
             # who are we calling?
             callees = [] if self._func is None else self._find_callees(node)
             if callees:
+                if (
+                    len(callees) == 1
+                    and callees[0].info.get("is_rust_probestack", False) is True
+                    and self.project.arch.name == "AMD64"
+                ):
+                    # special-case for rust_probestack: sp = sp - rax right after returning from the call, so we need
+                    # to keep track of rax
+                    for stmt in reversed(vex_block.statements):
+                        if (
+                            isinstance(stmt, pyvex.IRStmt.Put)
+                            and stmt.offset == self.project.arch.registers["rax"][0]
+                            and isinstance(stmt.data, pyvex.IRExpr.Const)
+                        ):
+                            state.put(stmt.offset, Constant(stmt.data.con.value), force=True)
+                            break
+
                 callee_cleanups = [
                     callee
                     for callee in callees

angr/analyses/static_hooker.py

@@ -4,6 +4,7 @@ import logging
 from . import Analysis
 
 from angr import SIM_LIBRARIES
+from angr.analyses import AnalysesHub
 from angr.errors import AngrValueError
 
 l = logging.getLogger(name=__name__)
@@ -47,6 +48,4 @@ class StaticHooker(Analysis):
                 l.debug("Failed to hook %s at %#x", func.name, func.rebased_addr)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("StaticHooker", StaticHooker)

angr/analyses/typehoon/simple_solver.py

@@ -870,7 +870,7 @@ class SimpleSolver:
             for x, y, data in graph.edges(data=True):
                 lbl = data.get("label")
                 if lbl and lbl[1] == "recall":
-                    for label, z in R[x]:
+                    for _label, z in R[x]:
                         if not graph.has_edge(z, y):
                             changed = True
                             graph.add_edge(z, y)
@@ -1167,7 +1167,7 @@ class SimpleSolver:
 
             candidate_bases = defaultdict(set)
 
-            for labels, succ in path_and_successors:
+            for labels, _succ in path_and_successors:
                 last_label = labels[-1] if labels else None
                 if isinstance(last_label, HasField):
                     # TODO: Really determine the maximum possible size of the field when MAX_POINTSTO_BITS is in use

angr/analyses/variable_recovery/engine_vex.py

@@ -215,6 +215,11 @@ class SimEngineVRVEX(
                             addr = RichR(loc.stack_offset + one_sp)
                             self._load(addr, loc.size)
 
+        # clobber caller-saved registers
+        for reg_name in func.calling_convention.CALLER_SAVED_REGS:
+            reg_offset, reg_size = self.arch.registers[reg_name]
+            self._assign_to_register(reg_offset, self._top(reg_size * self.arch.byte_width), reg_size)
+
     def _process_block_end(self, stmt_result, whitelist):
         # handles block-end calls
         current_addr = self.state.block_addr

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -12,6 +12,7 @@ import ailment
 from ailment.expression import VirtualVariable
 
 import angr.errors
+from angr.analyses import AnalysesHub
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.block import Block
 from angr.errors import AngrVariableRecoveryError, SimEngineError
@@ -600,6 +601,4 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
                 state.register_region.store(self.project.arch.sp_offset, sp_v)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("VariableRecoveryFast", VariableRecoveryFast)

angr/analyses/veritesting.py

@@ -4,11 +4,14 @@ from collections import defaultdict
 from functools import cmp_to_key
 
 import networkx
+from claripy import ClaripyError
 
 from angr import SIM_PROCEDURES
 from angr import options as o
+from angr.analyses import AnalysesHub
 from angr.knowledge_base import KnowledgeBase
-from angr.errors import AngrError, AngrCFGError
+from angr.errors import AngrError, AngrCFGError, SimValueError, SimSolverModeError, SimError
+from angr.sim_options import BYPASS_VERITESTING_EXCEPTIONS
 from angr.sim_manager import SimulationManager
 from angr.utils.graph import shallow_reverse
 from . import Analysis, CFGEmulated
@@ -620,10 +623,4 @@ class Veritesting(Analysis):
         return [(n.addr, n.looping_times) for n in nodes]
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("Veritesting", Veritesting)
-
-from angr.errors import SimValueError, SimSolverModeError, SimError
-from angr.sim_options import BYPASS_VERITESTING_EXCEPTIONS
-from claripy import ClaripyError

angr/analyses/vfg.py

@@ -651,7 +651,7 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                 l.debug("%s is not recorded. Skip the job.", job)
                 raise AngrSkipJobNotice
             # unwind the stack till the target, unless we see any pending jobs for each new top task
-            for i in range(unwind_count):
+            for _ in range(unwind_count):
                 if isinstance(self._top_task, FunctionAnalysis):
                     # are there any pending job belonging to the current function that we should handle first?
                     pending_job_key = self._get_pending_job(self._top_task.function_address)

angr/analyses/vsa_ddg.py

@@ -5,6 +5,7 @@ from collections import defaultdict
 import networkx
 from . import Analysis, VFG
 
+from angr.analyses import AnalysesHub
 from angr.code_location import CodeLocation
 from angr.errors import AngrDDGError
 from angr.sim_variable import SimRegisterVariable, SimMemoryVariable
@@ -416,6 +417,4 @@ class VSA_DDG(Analysis):
         return nodes
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("VSA_DDG", VSA_DDG)

angr/block.py

@@ -6,13 +6,14 @@ import pyvex
 from pyvex import IRSB
 from archinfo import ArchARM
 
+from .protos import primitives_pb2 as pb2
+from .serializable import Serializable
+
 try:
     from .engines import pcode
 except ImportError:
     pcode = None
 
-from .protos import primitives_pb2 as pb2
-from .serializable import Serializable
 
 l = logging.getLogger(name=__name__)
 

angr/callable.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import pycparser
 
+from .errors import AngrCallableError, AngrCallableMultistateError
 from .calling_conventions import default_cc, SimCC
 
 
@@ -158,6 +159,3 @@ class Callable:
                 raise AngrCallableError(f"Unsupported expression type {type(expr)}.")
 
         return self.__call__(*args)
-
-
-from .errors import AngrCallableError, AngrCallableMultistateError

angr/calling_conventions.py

@@ -4,6 +4,7 @@ import logging
 from typing import cast
 from collections.abc import Iterable
 from collections import defaultdict
+import contextlib
 
 import claripy
 import archinfo
@@ -33,7 +34,6 @@ from .sim_type import (
 )
 from .state_plugins.sim_action_object import SimActionObject
 from .engines.soot.engine import SootMixin
-import contextlib
 
 l = logging.getLogger(name=__name__)
 l.addFilter(UniqueLogFilter())
@@ -656,7 +656,7 @@ class SimCC:
             self.next_arg(session, SimTypePointer(SimTypeBottom()))
         return session
 
-    def return_in_implicit_outparam(self, ty):
+    def return_in_implicit_outparam(self, ty):  # pylint:disable=unused-argument
         return False
 
     def stack_space(self, args):
@@ -1098,7 +1098,8 @@ class SimCC:
         all_fp_args: set[int | str] = {_arg_ident(a) for a in sample_inst.fp_args}
         all_int_args: set[int | str] = {_arg_ident(a) for a in sample_inst.int_args}
         both_iter = sample_inst.memory_args
-        some_both_args: set[int | str] = {_arg_ident(next(both_iter)) for _ in range(len(args))}
+        max_args = cls._guess_arg_count(args)
+        some_both_args: set[int | str] = {_arg_ident(next(both_iter)) for _ in range(max_args)}
 
         new_args = []
         for arg in args:
@@ -1115,6 +1116,13 @@ class SimCC:
 
         return True
 
+    @classmethod
+    def _guess_arg_count(cls, args, limit: int = 64) -> int:
+        # pylint:disable=not-callable
+        stack_args = [a for a in args if isinstance(a, SimStackArg)]
+        stack_arg_count = (max(a.stack_offset for a in stack_args) // cls.ARCH().bytes + 1) if stack_args else 0
+        return min(limit, max(len(args), stack_arg_count))
+
     @staticmethod
     def find_cc(
         arch: archinfo.Arch, args: list[SimFunctionArgument], sp_delta: int, platform: str = "Linux"
@@ -1592,7 +1600,7 @@ class SimCCSystemVAMD64(SimCC):
                     # TODO I think we need an explicit stride field on array types
                     result[idx * ty.elem_type.size // self.arch.byte_width + suboffset] += subsubty_list
         elif isinstance(ty, SimUnion):
-            for field, subty in ty.members.items():
+            for subty in ty.members.values():
                 subresult = self._flatten(subty)
                 if subresult is None:
                     return None
@@ -1687,7 +1695,7 @@ class SimCCARM(SimCC):
                     raise NotImplementedError("Bug. Report to @rhelmot")
                 elif cls == "MEMORY":
                     mapped_classes.append(next(session.both_iter))
-                elif cls == "INTEGER" or cls == "SINGLEP":
+                elif cls in {"INTEGER", "SINGLEP"}:
                     try:
                         mapped_classes.append(next(session.int_iter))
                     except StopIteration:
@@ -1764,7 +1772,7 @@ class SimCCARM(SimCC):
                     # TODO I think we need an explicit stride field on array types
                     result[idx * ty.elem_type.size // self.arch.byte_width + suboffset] += subsubty_list
         elif isinstance(ty, SimUnion):
-            for field, subty in ty.members.items():
+            for subty in ty.members.values():
                 subresult = self._flatten(subty)
                 if subresult is None:
                     return None
@@ -1983,7 +1991,7 @@ class SimCCO32(SimCC):
                     # TODO I think we need an explicit stride field on array types
                     result[idx * ty.elem_type.size // self.arch.byte_width + suboffset] += subsubty_list
         elif isinstance(ty, SimUnion):
-            for field, subty in ty.members.items():
+            for subty in ty.members.values():
                 subresult = self._flatten(subty)
                 if subresult is None:
                     return None

angr/codenode.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 import logging
+import weakref
 
 l = logging.getLogger(name=__name__)
 
@@ -17,7 +18,7 @@ class CodeNode:
         self.addr: int = addr
         self.size: int = size
         self.thumb = thumb
-        self._graph = graph
+        self._graph = weakref.proxy(graph) if graph is not None else None
 
         self._hash = None
 
@@ -46,6 +47,9 @@ class CodeNode:
             self._hash = hash((self.addr, self.size))
         return self._hash
 
+    def set_graph(self, graph):
+        self._graph = weakref.proxy(graph)
+
     def successors(self) -> list[CodeNode]:
         if self._graph is None:
             raise ValueError("Cannot calculate successors for graphless node")

angr/concretization_strategies/__init__.py

@@ -1,89 +1,7 @@
 from __future__ import annotations
 
-
-class SimConcretizationStrategy:
-    """
-    Concretization strategies control the resolution of symbolic memory indices
-    in SimuVEX. By subclassing this class and setting it as a concretization strategy
-    (on state.memory.read_strategies and state.memory.write_strategies), SimuVEX's
-    memory index concretization behavior can be modified.
-    """
-
-    def __init__(self, filter=None, exact=True):  # pylint:disable=redefined-builtin
-        """
-        Initializes the base SimConcretizationStrategy.
-
-        :param filter: A function, taking arguments of (SimMemory, claripy.AST) that determines
-                       if this strategy can handle resolving the provided AST.
-        :param exact: A flag (default: True) that determines if the convenience resolution
-                      functions provided by this class use exact or approximate resolution.
-        """
-        self._exact = exact
-        self._filter = filter
-
-    def _min(self, memory, addr, **kwargs):
-        """
-        Gets the minimum solution of an address.
-        """
-        return memory.state.solver.min(addr, exact=kwargs.pop("exact", self._exact), **kwargs)
-
-    def _max(self, memory, addr, **kwargs):
-        """
-        Gets the maximum solution of an address.
-        """
-        return memory.state.solver.max(addr, exact=kwargs.pop("exact", self._exact), **kwargs)
-
-    def _any(self, memory, addr, **kwargs):
-        """
-        Gets any solution of an address.
-        """
-        return memory.state.solver.eval(addr, exact=kwargs.pop("exact", self._exact), **kwargs)
-
-    def _eval(self, memory, addr, n, **kwargs):
-        """
-        Gets n solutions for an address.
-        """
-        return memory.state.solver.eval_upto(addr, n, exact=kwargs.pop("exact", self._exact), **kwargs)
-
-    def _range(self, memory, addr, **kwargs):
-        """
-        Gets the (min, max) range of solutions for an address.
-        """
-        return (self._min(memory, addr, **kwargs), self._max(memory, addr, **kwargs))
-
-    def concretize(self, memory, addr, **kwargs):
-        """
-        Concretizes the address into a list of values.
-        If this strategy cannot handle this address, returns None.
-        """
-        if self._filter is None or self._filter(memory, addr):
-            return self._concretize(memory, addr, **kwargs)
-        return None
-
-    def _concretize(self, memory, addr, **kwargs):
-        """
-        Should be implemented by child classes to handle concretization.
-        :param **kwargs:
-        """
-        raise NotImplementedError
-
-    def copy(self):
-        """
-        Returns a copy of the strategy, if there is data that should be kept separate between
-        states. If not, returns self.
-        """
-        return self
-
-    def merge(self, others):
-        """
-        Merges this strategy with others (if there is data that should be kept separate between
-        states. If not, is a no-op.
-        """
-
-
-# pylint: disable=wrong-import-position
-# FIXME: This is a circular import, move base class to a separate file
 from .any import SimConcretizationStrategyAny
+from .base import SimConcretizationStrategy
 from .controlled_data import SimConcretizationStrategyControlledData
 from .eval import SimConcretizationStrategyEval
 from .max import SimConcretizationStrategyMax

angr/concretization_strategies/any.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyAny(SimConcretizationStrategy):

angr/concretization_strategies/any_named.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 import claripy
 
-from . import SimConcretizationStrategy
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyAnyNamed(SimConcretizationStrategy):

angr/concretization_strategies/base.py

@@ -0,0 +1,81 @@
+from __future__ import annotations
+
+
+class SimConcretizationStrategy:
+    """
+    Concretization strategies control the resolution of symbolic memory indices
+    in SimuVEX. By subclassing this class and setting it as a concretization strategy
+    (on state.memory.read_strategies and state.memory.write_strategies), SimuVEX's
+    memory index concretization behavior can be modified.
+    """
+
+    def __init__(self, filter=None, exact=True):  # pylint:disable=redefined-builtin
+        """
+        Initializes the base SimConcretizationStrategy.
+
+        :param filter: A function, taking arguments of (SimMemory, claripy.AST) that determines
+                       if this strategy can handle resolving the provided AST.
+        :param exact: A flag (default: True) that determines if the convenience resolution
+                      functions provided by this class use exact or approximate resolution.
+        """
+        self._exact = exact
+        self._filter = filter
+
+    def _min(self, memory, addr, **kwargs):
+        """
+        Gets the minimum solution of an address.
+        """
+        return memory.state.solver.min(addr, exact=kwargs.pop("exact", self._exact), **kwargs)
+
+    def _max(self, memory, addr, **kwargs):
+        """
+        Gets the maximum solution of an address.
+        """
+        return memory.state.solver.max(addr, exact=kwargs.pop("exact", self._exact), **kwargs)
+
+    def _any(self, memory, addr, **kwargs):
+        """
+        Gets any solution of an address.
+        """
+        return memory.state.solver.eval(addr, exact=kwargs.pop("exact", self._exact), **kwargs)
+
+    def _eval(self, memory, addr, n, **kwargs):
+        """
+        Gets n solutions for an address.
+        """
+        return memory.state.solver.eval_upto(addr, n, exact=kwargs.pop("exact", self._exact), **kwargs)
+
+    def _range(self, memory, addr, **kwargs):
+        """
+        Gets the (min, max) range of solutions for an address.
+        """
+        return (self._min(memory, addr, **kwargs), self._max(memory, addr, **kwargs))
+
+    def concretize(self, memory, addr, **kwargs):
+        """
+        Concretizes the address into a list of values.
+        If this strategy cannot handle this address, returns None.
+        """
+        if self._filter is None or self._filter(memory, addr):
+            return self._concretize(memory, addr, **kwargs)
+        return None
+
+    def _concretize(self, memory, addr, **kwargs):
+        """
+        Should be implemented by child classes to handle concretization.
+        :param **kwargs:
+        """
+        raise NotImplementedError
+
+    def copy(self):
+        """
+        Returns a copy of the strategy, if there is data that should be kept separate between
+        states. If not, returns self.
+        """
+        return self
+
+    def merge(self, others):
+        """
+        Merges this strategy with others (if there is data that should be kept separate between
+        states. If not, is a no-op.
+        """

angr/concretization_strategies/controlled_data.py

@@ -1,9 +1,10 @@
 from __future__ import annotations
+
 from itertools import groupby
 
 import claripy
 
-from . import SimConcretizationStrategy
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyControlledData(SimConcretizationStrategy):

angr/concretization_strategies/eval.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyEval(SimConcretizationStrategy):

angr/concretization_strategies/logging.py

@@ -1,6 +1,8 @@
 from __future__ import annotations
+
 import logging
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyLogging(SimConcretizationStrategy):

angr/concretization_strategies/max.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
+
 from angr.errors import SimSolverError
-from . import SimConcretizationStrategy
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyMax(SimConcretizationStrategy):

angr/concretization_strategies/nonzero.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyNonzero(SimConcretizationStrategy):

angr/concretization_strategies/nonzero_range.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyNonzeroRange(SimConcretizationStrategy):

angr/concretization_strategies/norepeats.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
+
 import itertools
 
-from . import SimConcretizationStrategy
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyNorepeats(SimConcretizationStrategy):

angr/concretization_strategies/norepeats_range.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
 from angr.errors import SimMergeError
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyNorepeatsRange(SimConcretizationStrategy):

angr/concretization_strategies/range.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyRange(SimConcretizationStrategy):

angr/concretization_strategies/signed_add.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
+
 import claripy
 
-from . import SimConcretizationStrategy
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategySignedAdd(SimConcretizationStrategy):

angr/concretization_strategies/single.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategySingle(SimConcretizationStrategy):

angr/concretization_strategies/solutions.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategySolutions(SimConcretizationStrategy):

angr/concretization_strategies/unlimited_range.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
-from . import SimConcretizationStrategy
+
+from .base import SimConcretizationStrategy
 
 
 class SimConcretizationStrategyUnlimitedRange(SimConcretizationStrategy):