angr 9.2.136__py3-none-macosx_11_0_arm64.whl → 9.2.137__py3-none-macosx_11_0_arm64.whl

angr/analyses/s_propagator.py

@@ -17,7 +17,7 @@ from ailment.expression import (
 from ailment.statement import Assignment, Store, Return, Jump
 
 from angr.knowledge_plugins.functions import Function
-from angr.code_location import CodeLocation
+from angr.code_location import CodeLocation, ExternalCodeLocation
 from angr.analyses import Analysis, register_analysis
 from angr.utils.ssa import (
     get_vvar_uselocs,
@@ -54,6 +54,7 @@ class SPropagatorAnalysis(Analysis):
         func_graph=None,
         only_consts: bool = True,
         stack_pointer_tracker=None,
+        func_args: set[VirtualVariable] | None = None,
         func_addr: int | None = None,
     ):
         if isinstance(subject, Block):
@@ -69,6 +70,7 @@ class SPropagatorAnalysis(Analysis):
 
         self.func_graph = func_graph
         self.func_addr = func_addr
+        self.func_args = func_args
         self.only_consts = only_consts
         self._sp_tracker = stack_pointer_tracker
 
@@ -109,6 +111,11 @@ class SPropagatorAnalysis(Analysis):
         # find all vvar uses
         vvar_uselocs = get_vvar_uselocs(blocks.values())
 
+        # update vvar_deflocs using function arguments
+        if self.func_args:
+            for func_arg in self.func_args:
+                vvar_deflocs[func_arg] = ExternalCodeLocation()
+
         # find all ret sites and indirect jump sites
         retsites: set[tuple[int, int | None, int]] = set()
         jumpsites: set[tuple[int, int | None, int]] = set()
@@ -130,8 +137,9 @@ class SPropagatorAnalysis(Analysis):
 
             vvarid_to_vvar[vvar.varid] = vvar
             defloc = vvar_deflocs[vvar]
-            assert defloc.block_addr is not None
-            assert defloc.stmt_idx is not None
+            if isinstance(defloc, ExternalCodeLocation):
+                continue
+
             block = blocks[(defloc.block_addr, defloc.block_idx)]
             stmt = block.statements[defloc.stmt_idx]
             r, v = is_const_assignment(stmt)
@@ -179,7 +187,20 @@ class SPropagatorAnalysis(Analysis):
                         continue
 
                     if is_const_and_vvar_assignment(stmt):
-                        replacements[vvar_useloc][vvar_used] = stmt.src
+                        # if the useloc is a phi assignment statement, ensure that stmt.src is the same as the phi
+                        # variable
+                        useloc_stmt = blocks[(vvar_useloc.block_addr, vvar_useloc.block_idx)].statements[
+                            vvar_useloc.stmt_idx
+                        ]
+                        if is_phi_assignment(useloc_stmt):
+                            if (
+                                isinstance(stmt.src, VirtualVariable)
+                                and stmt.src.oident == useloc_stmt.dst.oident
+                                and stmt.src.category == useloc_stmt.dst.category
+                            ):
+                                replacements[vvar_useloc][vvar_used] = stmt.src
+                        else:
+                            replacements[vvar_useloc][vvar_used] = stmt.src
                         continue
 
                 elif (

angr/analyses/s_reaching_definitions/s_rda_model.py

@@ -15,8 +15,9 @@ class SRDAModel:
     The model for SRDA.
     """
 
-    def __init__(self, func_graph, arch):
+    def __init__(self, func_graph, func_args, arch):
         self.func_graph = func_graph
+        self.func_args = func_args
         self.arch = arch
         self.varid_to_vvar: dict[int, VirtualVariable] = {}
         self.all_vvar_definitions: dict[VirtualVariable, CodeLocation] = {}

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -4,7 +4,7 @@ import logging
 from collections import defaultdict
 
 from ailment.statement import Statement, Assignment, Call, Label
-from ailment.expression import VirtualVariable, Expression
+from ailment.expression import VirtualVariable, VirtualVariableCategory, Expression
 
 from angr.utils.ail import is_phi_assignment
 from angr.utils.graph import GraphUtils
@@ -133,6 +133,16 @@ class SRDAView:
         predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
         self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
 
+        if not vvars:
+            # not found - check function arguments
+            for func_arg in self.model.func_args:
+                if isinstance(func_arg, VirtualVariable):
+                    func_arg_category = func_arg.oident[0]
+                    if func_arg_category == VirtualVariableCategory.REGISTER:
+                        func_arg_regoff = func_arg.oident[1]
+                        if func_arg_regoff == reg_offset:
+                            vvars.add(func_arg)
+
         assert len(vvars) <= 1
         return next(iter(vvars), None)
 
@@ -149,6 +159,15 @@ class SRDAView:
         predicater = StackVVarPredicate(stack_offset, size, vvars)
         self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
 
+        if not vvars:
+            # not found - check function arguments
+            for func_arg in self.model.func_args:
+                if isinstance(func_arg, VirtualVariable):
+                    func_arg_category = func_arg.oident[0]
+                    if func_arg_category == VirtualVariableCategory.STACK:
+                        func_arg_stackoff = func_arg.oident[1]
+                        if func_arg_stackoff == stack_offset and func_arg.size == size:
+                            vvars.add(func_arg)
         assert len(vvars) <= 1
         return next(iter(vvars), None)
 

angr/analyses/s_reaching_definitions/s_reaching_definitions.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 from ailment.block import Block
 from ailment.statement import Assignment, Call, Return
+from ailment.expression import VirtualVariable
 import networkx
 
 from angr.knowledge_plugins.functions import Function
@@ -24,6 +25,7 @@ class SReachingDefinitionsAnalysis(Analysis):
         subject,
         func_addr: int | None = None,
         func_graph: networkx.DiGraph[Block] | None = None,
+        func_args: set[VirtualVariable] | None = None,
         track_tmps: bool = False,
     ):
         if isinstance(subject, Block):
@@ -39,13 +41,14 @@ class SReachingDefinitionsAnalysis(Analysis):
 
         self.func_graph = func_graph
         self.func_addr = func_addr if func_addr is not None else self.func.addr if self.func is not None else None
+        self.func_args = func_args
         self._track_tmps = track_tmps
 
         self._bp_as_gpr = False
         if self.func is not None:
             self._bp_as_gpr = self.func.info.get("bp_as_gpr", False)
 
-        self.model = SRDAModel(func_graph, self.project.arch)
+        self.model = SRDAModel(func_graph, func_args, self.project.arch)
 
         self._analyze()
 
@@ -66,6 +69,13 @@ class SReachingDefinitionsAnalysis(Analysis):
         # find all explicit vvar uses
         vvar_uselocs = get_vvar_uselocs(blocks.values())
 
+        # update vvar definitions using function arguments
+        if self.func_args:
+            for vvar in self.func_args:
+                if vvar not in vvar_deflocs:
+                    vvar_deflocs[vvar] = ExternalCodeLocation()
+            self.model.func_args = self.func_args
+
         # update model
         for vvar, defloc in vvar_deflocs.items():
             self.model.varid_to_vvar[vvar.varid] = vvar

angr/analyses/stack_pointer_tracker.py

@@ -2,6 +2,7 @@
 from __future__ import annotations
 
 from typing import Any, TYPE_CHECKING
+import contextlib
 import re
 import logging
 from collections import defaultdict
@@ -15,7 +16,6 @@ from angr.knowledge_plugins import Function
 from angr.block import BlockNode
 from angr.errors import SimTranslationError
 from .analysis import Analysis
-import contextlib
 
 try:
     import pypcode
@@ -702,21 +702,31 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
             # who are we calling?
             callees = [] if self._func is None else self._find_callees(node)
             if callees:
-                if (
-                    len(callees) == 1
-                    and callees[0].info.get("is_rust_probestack", False) is True
-                    and self.project.arch.name == "AMD64"
-                ):
-                    # special-case for rust_probestack: sp = sp - rax right after returning from the call, so we need
-                    # to keep track of rax
-                    for stmt in reversed(vex_block.statements):
-                        if (
-                            isinstance(stmt, pyvex.IRStmt.Put)
-                            and stmt.offset == self.project.arch.registers["rax"][0]
-                            and isinstance(stmt.data, pyvex.IRExpr.Const)
-                        ):
-                            state.put(stmt.offset, Constant(stmt.data.con.value), force=True)
-                            break
+                if len(callees) == 1:
+                    callee = callees[0]
+
+                    if callee.info.get("is_rust_probestack", False) is True and self.project.arch.name == "AMD64":
+                        # special-case for rust_probestack: sp = sp - rax right after returning from the call, so we
+                        # need to keep track of rax
+                        for stmt in reversed(vex_block.statements):
+                            if (
+                                isinstance(stmt, pyvex.IRStmt.Put)
+                                and stmt.offset == self.project.arch.registers["rax"][0]
+                                and isinstance(stmt.data, pyvex.IRExpr.Const)
+                            ):
+                                state.put(stmt.offset, Constant(stmt.data.con.value), force=True)
+                                break
+                    elif callee.name == "__chkstk":
+                        # special-case for __chkstk: sp = sp - rax right after returning from the call, so we need to
+                        # keep track of rax
+                        for stmt in reversed(vex_block.statements):
+                            if (
+                                isinstance(stmt, pyvex.IRStmt.Put)
+                                and stmt.offset == self.project.arch.registers["rax"][0]
+                                and isinstance(stmt.data, pyvex.IRExpr.Const)
+                            ):
+                                state.put(stmt.offset, Constant(stmt.data.con.value), force=True)
+                                break
 
                 callee_cleanups = [
                     callee

angr/analyses/variable_recovery/engine_ail.py

@@ -74,17 +74,28 @@ class SimEngineVRAIL(
 
         elif dst_type is ailment.Expr.VirtualVariable:
             data = self._expr(stmt.src)
-            self._assign_to_vvar(
+            variable = self._assign_to_vvar(
                 stmt.dst, data, src=stmt.src, dst=stmt.dst, vvar_id=self._mapped_vvarid(stmt.dst.varid)
             )
 
+            if variable is not None and isinstance(stmt.src, ailment.Expr.Phi):
+                # this is a phi node - we update variable manager's phi variable tracking
+                for _, vvar in stmt.src.src_and_vvars:
+                    if vvar is not None:
+                        r = self._read_from_vvar(vvar, expr=stmt.src, vvar_id=self._mapped_vvarid(vvar.varid))
+                        if r.variable is not None:
+                            pv = self.variable_manager[self.func_addr]._phi_variables
+                            if variable not in pv:
+                                pv[variable] = set()
+                            pv[variable].add(r.variable)
+
             if stmt.dst.was_stack and isinstance(stmt.dst.stack_offset, int):
                 # store it to the stack region in case it's directly referenced later
                 self._store(
                     RichR(self.state.stack_address(stmt.dst.stack_offset)),
                     data,
                     stmt.dst.bits // self.arch.byte_width,
-                    stmt=stmt,
+                    atom=stmt.dst,
                 )
 
         else:
@@ -94,10 +105,11 @@ class SimEngineVRAIL(
         addr_r = self._expr_bv(stmt.addr)
         data = self._expr(stmt.data)
         size = stmt.size
-        self._store(addr_r, data, size, stmt=stmt)
+        self._store(addr_r, data, size, atom=stmt)
 
-    def _handle_stmt_Jump(self, stmt):
-        pass
+    def _handle_stmt_Jump(self, stmt: ailment.Stmt.Jump):
+        if not isinstance(stmt.target, ailment.Expr.Const):
+            self._expr(stmt.target)
 
     def _handle_stmt_ConditionalJump(self, stmt):
         self._expr(stmt.condition)
@@ -149,7 +161,7 @@ class SimEngineVRAIL(
                 prototype_libname = func.prototype_libname
 
         # dump the type of the return value
-        ret_ty = typevars.TypeVariable() if prototype is not None else typevars.TypeVariable()
+        ret_ty = typevars.TypeVariable()
         if isinstance(ret_ty, typeconsts.BottomType):
             ret_ty = typevars.TypeVariable()
 
@@ -218,7 +230,7 @@ class SimEngineVRAIL(
                 prototype_libname = func.prototype_libname
 
         # dump the type of the return value
-        ret_ty = typevars.TypeVariable() if prototype is not None else typevars.TypeVariable()
+        ret_ty = typevars.TypeVariable()
         if isinstance(ret_ty, typeconsts.BottomType):
             ret_ty = typevars.TypeVariable()
 

angr/analyses/variable_recovery/engine_base.py

@@ -387,7 +387,7 @@ class SimEngineVRBase(
         ) or not create_variable:
             # only store the value. don't worry about variables.
             self.vvar_region[vvar_id] = richr.data
-            return
+            return None
 
         codeloc: CodeLocation = self._codeloc()
         data = richr.data
@@ -463,10 +463,14 @@ class SimEngineVRBase(
             else:
                 typevar = self.state.typevars.get_type_variable(variable, codeloc)
             self.state.add_type_constraint(typevars.Subtype(richr.typevar, typevar))
+            # the constraint below is a default constraint that may conflict with more specific ones with different
+            # sizes; we post-process at the very end of VRA to remove conflicting default constraints.
             self.state.add_type_constraint(typevars.Subtype(typevar, typeconsts.int_type(variable.size * 8)))
 
+        return variable
+
     def _store(
-        self, richr_addr: RichR[claripy.ast.BV], data: RichR[claripy.ast.BV | claripy.ast.FP], size, stmt=None
+        self, richr_addr: RichR[claripy.ast.BV], data: RichR[claripy.ast.BV | claripy.ast.FP], size, atom=None
     ):  # pylint:disable=unused-argument
         """
 
@@ -481,19 +485,19 @@ class SimEngineVRBase(
 
         if addr.concrete:
             # fully concrete. this is a global address
-            self._store_to_global(addr.concrete_value, data, size, stmt=stmt)
+            self._store_to_global(addr.concrete_value, data, size, stmt=atom)
             stored = True
         elif self._addr_has_concrete_base(addr) and (parsed := self._parse_offsetted_addr(addr)) is not None:
             # we are storing to a concrete global address with an offset
             base_addr, offset, elem_size = parsed
-            self._store_to_global(base_addr.concrete_value, data, size, stmt=stmt, offset=offset, elem_size=elem_size)
+            self._store_to_global(base_addr.concrete_value, data, size, stmt=atom, offset=offset, elem_size=elem_size)
             stored = True
         else:
             if self.state.is_stack_address(addr):
                 stack_offset = self.state.get_stack_offset(addr)
                 if stack_offset is not None:
                     # fast path: Storing data to stack
-                    self._store_to_stack(stack_offset, data, size, stmt=stmt)
+                    self._store_to_stack(stack_offset, data, size, atom=atom)
                     stored = True
 
         if not stored:
@@ -504,21 +508,21 @@ class SimEngineVRBase(
             codeloc = self._codeloc()
             if existing_vars:
                 for existing_var, _ in list(existing_vars):
-                    self.variable_manager[self.func_addr].remove_variable_by_atom(codeloc, existing_var, stmt)
+                    self.variable_manager[self.func_addr].remove_variable_by_atom(codeloc, existing_var, atom)
 
             # storing to a location specified by a pointer whose value cannot be determined at this point
-            self._store_to_variable(richr_addr, size, stmt=stmt)
+            self._store_to_variable(richr_addr, size)
 
     def _store_to_stack(
-        self, stack_offset, data: RichR[claripy.ast.BV | claripy.ast.FP], size, offset=0, stmt=None, endness=None
+        self, stack_offset, data: RichR[claripy.ast.BV | claripy.ast.FP], size, offset=0, atom=None, endness=None
     ):
-        if stmt is None:
+        if atom is None:
             existing_vars = self.variable_manager[self.func_addr].find_variables_by_stmt(
                 self.block.addr, self.stmt_idx, "memory"
             )
         else:
             existing_vars = self.variable_manager[self.func_addr].find_variables_by_atom(
-                self.block.addr, self.stmt_idx, stmt
+                self.block.addr, self.stmt_idx, atom
             )
         if not existing_vars:
             variable = SimStackVariable(
@@ -562,7 +566,7 @@ class SimEngineVRBase(
                     var,
                     offset_into_var,
                     codeloc,
-                    atom=stmt,
+                    atom=atom,
                 )
 
             # create type constraints
@@ -673,9 +677,7 @@ class SimEngineVRBase(
                 self.state.add_type_constraint(typevars.Subtype(store_typevar, typeconsts.TopType()))
                 self.state.add_type_constraint(typevars.Subtype(data.typevar, store_typevar))
 
-    def _store_to_variable(
-        self, richr_addr: RichR[claripy.ast.BV], size: int, stmt=None
-    ):  # pylint:disable=unused-argument
+    def _store_to_variable(self, richr_addr: RichR[claripy.ast.BV], size: int):
         addr_variable = richr_addr.variable
         codeloc = self._codeloc()
 

angr/analyses/variable_recovery/engine_vex.py

@@ -74,7 +74,7 @@ class SimEngineVRVEX(
         size = stmt.data.result_size(self.tyenv) // 8
         r = self._expr(stmt.data)
 
-        self._store(addr_r, r, size, stmt=stmt)
+        self._store(addr_r, r, size, atom=stmt)
 
     def _handle_stmt_StoreG(self, stmt):
         guard = self._expr(stmt.guard)
@@ -82,7 +82,7 @@ class SimEngineVRVEX(
             addr = self._expr_bv(stmt.addr)
             size = stmt.data.result_size(self.tyenv) // 8
             data = self._expr(stmt.data)
-            self._store(addr, data, size, stmt=stmt)
+            self._store(addr, data, size, atom=stmt)
 
     def _handle_stmt_LoadG(self, stmt):
         guard = self._expr(stmt.guard)

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -20,7 +20,8 @@ from angr.knowledge_plugins import Function
 from angr.sim_variable import SimStackVariable, SimRegisterVariable, SimVariable, SimMemoryVariable
 from angr.engines.vex.claripy.irop import vexop_to_simop
 from angr.analyses import ForwardAnalysis, visitors
-from angr.analyses.typehoon.typevars import Equivalence, TypeVariable, TypeVariables
+from angr.analyses.typehoon.typevars import Equivalence, TypeVariable, TypeVariables, Subtype, DerivedTypeVariable
+from angr.analyses.typehoon.typeconsts import Int
 from .variable_recovery_base import VariableRecoveryBase, VariableRecoveryStateBase
 from .engine_vex import SimEngineVRVEX
 from .engine_ail import SimEngineVRAIL
@@ -500,6 +501,26 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
                 for tv in sorted_typevars[1:]:
                     self.type_constraints[self.func_typevar].add(Equivalence(sorted_typevars[0], tv))
 
+        # remove default constraints with size conflicts
+        for func_var in self.type_constraints:
+            var_to_subtyping: dict[TypeVariable, list[Subtype]] = defaultdict(list)
+            for constraint in self.type_constraints[func_var]:
+                if isinstance(constraint, Subtype) and isinstance(constraint.sub_type, TypeVariable):
+                    var_to_subtyping[constraint.sub_type].append(constraint)
+
+            for constraints in var_to_subtyping.values():
+                if len(constraints) <= 1:
+                    continue
+                default_subtyping_constraints = set()
+                has_nondefault_subtyping_constraints = False
+                for constraint in constraints:
+                    if isinstance(constraint.super_type, Int):
+                        default_subtyping_constraints.add(constraint)
+                    elif isinstance(constraint.super_type, DerivedTypeVariable) and constraint.super_type.labels:
+                        has_nondefault_subtyping_constraints = True
+                if has_nondefault_subtyping_constraints:
+                    self.type_constraints[func_var].difference_update(default_subtyping_constraints)
+
         self.variable_manager[self.function.addr].ret_val_size = self.ret_val_size
 
         self.delayed_type_constraints = None

angr/block.py

@@ -1,10 +1,11 @@
 # pylint:disable=wrong-import-position,arguments-differ
 from __future__ import annotations
 import logging
+from typing import TYPE_CHECKING
 
 import pyvex
 from pyvex import IRSB
-from archinfo import ArchARM
+from archinfo import Arch, ArchARM
 
 from .protos import primitives_pb2 as pb2
 from .serializable import Serializable
@@ -14,6 +15,12 @@ try:
 except ImportError:
     pcode = None
 
+if TYPE_CHECKING:
+    from angr import Project
+    from angr.engines.vex import VEXLifter
+    from angr.engines.pcode.lifter import PcodeLifterEngineMixin, IRSB as PcodeIRSB
+    from angr.engines.soot.engine import SootMixin
+
 
 l = logging.getLogger(name=__name__)
 
@@ -148,7 +155,7 @@ class Block(Serializable):
         self,
         addr,
         project=None,
-        arch=None,
+        arch: Arch = None,
         size=None,
         max_size=None,
         byte_string=None,
@@ -168,6 +175,7 @@ class Block(Serializable):
         skip_stmts=False,
     ):
         # set up arch
+        self.arch: Arch
         if project is not None:
             self.arch = project.arch
         else:
@@ -187,7 +195,7 @@ class Block(Serializable):
         else:
             thumb = False
 
-        self._project = project
+        self._project: Project | None = project
         self.thumb = thumb
         self.addr = addr
         self._opt_level = opt_level
@@ -206,8 +214,15 @@ class Block(Serializable):
             else:
                 if self._initial_regs:
                     self.set_initial_regs()
+                clemory = None
+                if project is not None:
+                    clemory = (
+                        project.loader.memory_ro_view
+                        if project.loader.memory_ro_view is not None
+                        else project.loader.memory
+                    )
                 vex = self._vex_engine.lift_vex(
-                    clemory=project.loader.memory,
+                    clemory=clemory,
                     state=backup_state,
                     insn_bytes=byte_string,
                     addr=addr,
@@ -243,7 +258,7 @@ class Block(Serializable):
         self._load_from_ro_regions = load_from_ro_regions
         self._const_prop = const_prop
 
-        self._instructions = num_inst
+        self._instructions: int | None = num_inst
         self._instruction_addrs: list[int] = []
 
         if skip_stmts:
@@ -258,7 +273,7 @@ class Block(Serializable):
                 if type(self._bytes) is memoryview:
                     self._bytes = bytes(self._bytes)
                 elif type(self._bytes) is not bytes:
-                    self._bytes = bytes(pyvex.ffi.buffer(self._bytes, size))
+                    self._bytes = bytes(pyvex.ffi.buffer(self._bytes, size))  # type:ignore
             else:
                 self._bytes = None
         elif type(byte_string) is bytes:
@@ -269,7 +284,7 @@ class Block(Serializable):
         else:
             # Convert bytestring to a str
             # size will ALWAYS be known at this point
-            self._bytes = str(pyvex.ffi.buffer(byte_string, self.size))
+            self._bytes = bytes(pyvex.ffi.buffer(byte_string, self.size))  # type:ignore
 
     def _parse_vex_info(self, vex_block):
         if vex_block is not None:
@@ -323,16 +338,25 @@ class Block(Serializable):
         pyvex.pvc.reset_initial_register_values()
 
     @property
-    def _vex_engine(self):
-        return self._project.factory.default_engine
+    def _vex_engine(self) -> VEXLifter | PcodeLifterEngineMixin:
+        if self._project is None:
+            raise ValueError("Project is not set")
+        return self._project.factory.default_engine  # type:ignore
 
     @property
-    def vex(self) -> IRSB:
+    def vex(self) -> IRSB | PcodeIRSB:
         if not self._vex:
             if self._initial_regs:
                 self.set_initial_regs()
+            clemory = None
+            if self._project is not None:
+                clemory = (
+                    self._project.loader.memory_ro_view
+                    if self._project.loader.memory_ro_view is not None
+                    else self._project.loader.memory
+                )
             self._vex = self._vex_engine.lift_vex(
-                clemory=self._project.loader.memory if self._project is not None else None,
+                clemory=clemory,
                 insn_bytes=self._bytes,
                 addr=self.addr,
                 thumb=self.thumb,
@@ -350,6 +374,7 @@ class Block(Serializable):
                 self.reset_initial_regs()
             self._parse_vex_info(self._vex)
 
+        assert self._vex is not None
         return self._vex
 
     @property
@@ -362,8 +387,15 @@ class Block(Serializable):
 
         if self._initial_regs:
             self.set_initial_regs()
+        clemory = None
+        if self._project is not None:
+            clemory = (
+                self._project.loader.memory_ro_view
+                if self._project.loader.memory_ro_view is not None
+                else self._project.loader.memory
+            )
         self._vex_nostmt = self._vex_engine.lift_vex(
-            clemory=self._project.loader.memory if self._project is not None else None,
+            clemory=clemory,
             insn_bytes=self._bytes,
             addr=self.addr,
             thumb=self.thumb,
@@ -394,17 +426,17 @@ class Block(Serializable):
         """
         if self._disassembly is None:
             if self._using_pcode_engine:
-                self._disassembly = self.vex.disassembly
+                self._disassembly = self.vex.disassembly  # type:ignore
             else:
                 self._disassembly = self.capstone
         return self._disassembly
 
     @property
-    def capstone(self):
+    def capstone(self) -> CapstoneBlock:
         if self._capstone:
             return self._capstone
 
-        cs = self.arch.capstone if not self.thumb else self.arch.capstone_thumb
+        cs = self.arch.capstone if not self.thumb else self.arch.capstone_thumb  # type:ignore
 
         insns = []
 
@@ -423,12 +455,18 @@ class Block(Serializable):
         return BlockNode(self.addr, self.size, bytestr=self.bytes, thumb=self.thumb)
 
     @property
-    def bytes(self) -> bytes:
+    def bytes(self) -> bytes | None:
         if self._bytes is None:
             addr = self.addr
             if self.thumb:
                 addr = (addr >> 1) << 1
-            self._bytes = self._project.loader.memory.load(addr, self.size)
+            if self._project is not None:
+                mem = (
+                    self._project.loader.memory_ro_view
+                    if self._project.loader.memory_ro_view is not None
+                    else self._project.loader.memory
+                )
+                self._bytes = mem.load(addr, self.size)
         return self._bytes
 
     @property
@@ -437,6 +475,7 @@ class Block(Serializable):
             # initialize from VEX
             _ = self.vex
 
+        assert self._instructions is not None
         return self._instructions
 
     @property
@@ -477,17 +516,17 @@ class SootBlock:
     Represents a Soot IR basic block.
     """
 
-    def __init__(self, addr, project=None, arch=None):
+    def __init__(self, addr, *, project: Project, arch: Arch):
         self.addr = addr
         self.arch = arch
         self._project = project
         self._the_binary = project.loader.main_object
 
     @property
-    def _soot_engine(self):
+    def _soot_engine(self) -> SootMixin:
         if self._project is None:
             assert False, "This should be unreachable"
-        return self._project.factory.default_engine
+        return self._project.factory.default_engine  # type:ignore
 
     @property
     def soot(self):

angr/engines/pcode/emulate.py

@@ -92,7 +92,7 @@ class PcodeEmulatorMixin(SimEngineBase):
                 self.state,
                 fallthru_addr,
                 self.state.scratch.guard,
-                "Ijk_Boring",
+                irsb.jumpkind,
                 exit_stmt_idx=DEFAULT_STATEMENT,
                 exit_ins_addr=self.state.scratch.ins_addr,
             )