angr 9.2.136__py3-none-manylinux2014_x86_64.whl → 9.2.137__py3-none-manylinux2014_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.136"
+__version__ = "9.2.137"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -436,7 +436,8 @@ class CallingConventionAnalysis(Analysis):
             if caller.is_simprocedure or caller.is_alignment:
                 # do not analyze SimProcedures or alignment stubs
                 continue
-            call_sites_by_function[caller].append((src.addr, src.instruction_addrs[-1]))
+            if src.instruction_addrs:
+                call_sites_by_function[caller].append((src.addr, src.instruction_addrs[-1]))
 
         call_sites_by_function_list = sorted(call_sites_by_function.items(), key=lambda x: x[0].addr)[
             :max_analyzing_callsites

angr/analyses/calling_convention/fact_collector.py

@@ -276,13 +276,21 @@ class FactCollector(Analysis):
             call_succ, ret_succ = None, None
             for _, succ, data in func_graph.out_edges(node, data=True):
                 edge_type = data.get("type")
+                outside = data.get("outside", False)
                 if succ not in traversed and depth + 1 <= self._max_depth:
                     if edge_type == "fake_return":
                         ret_succ = succ
-                    elif edge_type == "transition":
+                    elif edge_type == "transition" and not outside:
                         successor_added = True
                         queue.append((depth + 1, state.copy(), succ, None))
-                    elif edge_type == "call":
+                    elif edge_type == "call" or (edge_type == "transition" and outside):
+                        # a call or a tail-call
+                        if not isinstance(succ, Function):
+                            if self.kb.functions.contains_addr(succ.addr):
+                                succ = self.kb.functions.get_by_addr(succ.addr)
+                            else:
+                                # not sure who we are calling
+                                continue
                         call_succ = succ
             if call_succ is not None:
                 successor_added = True

angr/analyses/cfg/cfg_base.py

@@ -2520,18 +2520,17 @@ class CFGBase(Analysis):
     #
 
     @staticmethod
-    def _is_noop_block(arch: archinfo.Arch, block):
+    def _is_noop_block(arch: archinfo.Arch, block) -> bool:
         """
         Check if the block is a no-op block by checking VEX statements.
 
         :param arch:    An architecture descriptor.
         :param block: The VEX block instance.
         :return: True if the entire block is a single-byte or multi-byte nop instruction, False otherwise.
-        :rtype: bool
         """
 
         if arch.name == "X86" or arch.name == "AMD64":
-            if set(block.bytes) == {"b\x90"}:
+            if set(block.bytes) == {0x90}:
                 return True
         elif arch.name == "MIPS32":
             if arch.memory_endness == "Iend_BE":
@@ -2577,36 +2576,7 @@ class CFGBase(Analysis):
                 if THUMB_NOOPS.issuperset(insns):
                     return True
 
-        # Fallback
-        # the block is a noop block if it only has IMark statements **and** it jumps to its immediate successor. VEX
-        # will generate such blocks when opt_level==1 and cross_insn_opt is True
-        fallthrough_addr = block.addr + block.size
-        next_ = block.vex.next
-        if (
-            isinstance(next_, pyvex.IRExpr.Const)
-            and next_.con.value == fallthrough_addr
-            and all((type(stmt) is pyvex.IRStmt.IMark) for stmt in block.vex.statements)
-        ):
-            return True
-
-        # the block is a noop block if it only has IMark statements and IP-setting statements that set the IP to the
-        # next location. VEX will generate such blocks when opt_level==1 and cross_insn_opt is False
-        ip_offset = arch.ip_offset
-        if (
-            all(
-                (type(stmt) is pyvex.IRStmt.IMark or (type(stmt) is pyvex.IRStmt.Put and stmt.offset == ip_offset))
-                for stmt in block.vex.statements
-            )
-            and block.vex.statements
-        ):
-            last_stmt = block.vex.statements[-1]
-            if (
-                isinstance(last_stmt, pyvex.IRStmt.IMark)
-                and isinstance(next_, pyvex.IRExpr.Const)
-                and next_.con.value == fallthrough_addr
-            ):
-                return True
-        return False
+        return block.vex_nostmt.is_noop_block
 
     @staticmethod
     def _is_noop_insn(insn):

angr/analyses/cfg/cfg_emulated.py

@@ -3208,109 +3208,6 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         # Update loop backedges and graph
         self._loop_back_edges = list(itertools.chain.from_iterable(loop.continue_edges for loop in loop_finder.loops))
 
-    # Private methods - function/procedure/subroutine analysis
-    # Including calling convention, function arguments, etc.
-
-    def _refine_function_arguments(self, func, callsites):
-        """
-
-        :param func:
-        :param callsites:
-        :return:
-        """
-
-        for i, c in enumerate(callsites):
-            # Execute one block ahead of the callsite, and execute one basic block after the callsite
-            # In this process, the following tasks are performed:
-            # - Record registers/stack variables that are modified
-            # - Record the change of the stack pointer
-            # - Check if the return value is used immediately
-            # We assume that the stack is balanced before and after the call (you can have caller clean-up of course).
-            # Any abnormal behaviors will be logged.
-            # Hopefully this approach will allow us to have a better understanding of parameters of those function
-            # stubs and function proxies.
-
-            if c.simprocedure_name is not None:
-                # Skip all SimProcedures
-                continue
-
-            l.debug("Refining %s at 0x%x (%d/%d).", repr(func), c.addr, i, len(callsites))
-
-            # Get a basic block ahead of the callsite
-            blocks_ahead = [c]
-
-            # the block after
-            blocks_after = []
-            successors = self.get_successors_and_jumpkind(c, excluding_fakeret=False)
-            for s, jk in successors:
-                if jk == "Ijk_FakeRet":
-                    blocks_after = [s]
-                    break
-
-            regs_overwritten = set()
-            stack_overwritten = set()
-            regs_read = set()
-            regs_written = set()
-
-            try:
-                # Execute the predecessor
-                path = self.project.factory.path(
-                    self.project.factory.blank_state(mode="fastpath", addr=blocks_ahead[0].addr)
-                )
-                path.step()
-                all_successors = path.next_run.successors + path.next_run.unsat_successors
-                if not all_successors:
-                    continue
-
-                suc = all_successors[0]
-                se = suc.solver
-                # Examine the path log
-                actions = suc.history.recent_actions
-                sp = se.eval_one(suc.regs.sp, default=0) + self.project.arch.call_sp_fix
-                for ac in actions:
-                    if ac.type == "reg" and ac.action == "write":
-                        regs_overwritten.add(ac.offset)
-                    elif ac.type == "mem" and ac.action == "write":
-                        addr = se.eval_one(ac.addr.ast, default=0)
-                        if (self.project.arch.call_pushes_ret and addr >= sp + self.project.arch.bytes) or (
-                            not self.project.arch.call_pushes_ret and addr >= sp
-                        ):
-                            offset = addr - sp
-                            stack_overwritten.add(offset)
-
-                func.prepared_registers.add(tuple(regs_overwritten))
-                func.prepared_stack_variables.add(tuple(stack_overwritten))
-
-            except (SimError, AngrError):
-                pass
-
-            try:
-                if blocks_after:
-                    path = self.project.factory.path(
-                        self.project.factory.blank_state(mode="fastpath", addr=blocks_after[0].addr)
-                    )
-                    path.step()
-                    all_successors = path.next_run.successors + path.next_run.unsat_successors
-                    if not all_successors:
-                        continue
-
-                    suc = all_successors[0]
-                    actions = suc.history.recent_actions
-                    for ac in actions:
-                        if ac.type == "reg" and ac.action == "read" and ac.offset not in regs_written:
-                            regs_read.add(ac.offset)
-                        elif ac.type == "reg" and ac.action == "write":
-                            regs_written.add(ac.offset)
-
-                    # Filter registers, remove unnecessary registers from the set
-                    # regs_overwritten = self.project.arch.argument_registers.intersection(regs_overwritten)
-                    regs_read = self.project.arch.argument_registers.intersection(regs_read)
-
-                    func.registers_read_afterwards.add(tuple(regs_read))
-
-            except (SimError, AngrError):
-                pass
-
     # Private methods - dominators and post-dominators
 
     def _immediate_dominators(self, node, target_graph=None, reverse_graph=False):

angr/analyses/cfg/cfg_fast.py

@@ -1,5 +1,6 @@
 # pylint:disable=superfluous-parens,too-many-boolean-expressions,line-too-long
 from __future__ import annotations
+from typing import TYPE_CHECKING
 import itertools
 import logging
 import math
@@ -52,6 +53,10 @@ from .cfg_arch_options import CFGArchOptions
 from .cfg_base import CFGBase
 from .indirect_jump_resolvers.jumptable import JumpTableResolver
 
+if TYPE_CHECKING:
+    from angr.block import Block
+    from angr.engines.pcode.lifter import IRSB as PcodeIRSB
+
 
 VEX_IRSB_MAX_SIZE = 400
 
@@ -825,10 +830,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         #
         # Variables used during analysis
         #
-        self._pending_jobs = None
-        self._traced_addresses = None
+        self._pending_jobs = None  # type:ignore
+        self._traced_addresses = None  # type:ignore
         self._function_returns = None
-        self._function_exits = None
+        self._function_exits = None  # type:ignore
         self._gp_value: int | None = None
         self._ro_region_cdata_cache: list | None = None
         self._job_ctr = 0
@@ -872,7 +877,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if size is None:
             size = len(data)
 
-        data = bytes(pyvex.ffi.buffer(data, size))
+        data = bytes(pyvex.ffi.buffer(data, size))  # type:ignore
         for x in range(256):
             p_x = float(data.count(x)) / size
             if p_x > 0:
@@ -1229,7 +1234,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 # umm now it's probably code
                 break
 
-        instr_alignment = self._initial_state.arch.instruction_alignment
+        instr_alignment = self.project.arch.instruction_alignment
+        if not instr_alignment:
+            instr_alignment = 1
         if start_addr % instr_alignment > 0:
             # occupy those few bytes
             size = instr_alignment - (start_addr % instr_alignment)
@@ -1286,7 +1293,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         nodecode_bytes_ratio = (
             0.0 if self._next_addr is None else self._nodecode_bytes_ratio(self._next_addr, self._nodecode_window_size)
         )
-        if nodecode_bytes_ratio >= self._nodecode_threshold:
+        if nodecode_bytes_ratio >= self._nodecode_threshold and self._next_addr is not None:
             next_allowed_addr = self._next_addr + self._nodecode_step
         else:
             next_allowed_addr = 0
@@ -1313,6 +1320,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         return job.addr
 
     def _pre_analysis(self):
+        # Create a read-only memory view in loader for faster data loading
+        self.project.loader.gen_ro_memview()
+
         # Call _initialize_cfg() before self.functions is used.
         self._initialize_cfg()
 
@@ -1757,6 +1767,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         CFGBase._post_analysis(self)
 
+        # drop the read-only memory view in loader
+        self.project.loader.discard_ro_memview()
+
         # Clean up
         self._traced_addresses = None
         self._lifter_deregister_readonly_regions()
@@ -2926,7 +2939,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         if v is not None:
                             tmps[stmt.tmp] = v
 
-                elif type(stmt.data) in (pyvex.IRExpr.Binop,):  # pylint: disable=unidiomatic-typecheck
+                elif type(stmt.data) is pyvex.IRExpr.Binop:  # pylint: disable=unidiomatic-typecheck
                     # rip-related addressing
                     if stmt.data.op in ("Iop_Add32", "Iop_Add64"):
                         if all(type(arg) is pyvex.expr.Const for arg in stmt.data.args):
@@ -4412,8 +4425,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             # Let's try to create the pyvex IRSB directly, since it's much faster
             nodecode = False
-            irsb = None
-            lifted_block = None
+            irsb: pyvex.IRSB | PcodeIRSB | None = None
+            lifted_block: Block = None  # type:ignore
             try:
                 lifted_block = self._lift(
                     addr,
@@ -4427,10 +4440,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             except SimTranslationError:
                 nodecode = True
 
-            irsb_string: bytes = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
+            irsb_string: bytes = b""
+            lifted_block_bytes = lifted_block.bytes if lifted_block.bytes is not None else b""
+            if lifted_block is not None:
+                irsb_string = lifted_block_bytes[: irsb.size] if irsb is not None else lifted_block_bytes
 
             # special logic during the complete scanning phase
-            if cfg_job.job_type == CFGJobType.COMPLETE_SCANNING and is_arm_arch(self.project.arch):
+            if cfg_job.job_type == CFGJobType.COMPLETE_SCANNING and is_arm_arch(self.project.arch) and irsb is not None:
                 # it's way too easy to incorrectly disassemble THUMB code contains 0x4f as ARM code svc?? #????
                 # if we get a single block that getting decoded to svc?? under ARM mode, we treat it as nodecode
                 if (
@@ -4468,7 +4484,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     except SimTranslationError:
                         nodecode = True
 
-                    irsb_string: bytes = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
+                    irsb_string = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
 
                     if not (nodecode or irsb.size == 0 or irsb.jumpkind == "Ijk_NoDecode"):
                         # it is decodeable

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -505,6 +505,21 @@ class JumpTableProcessor(
             return self._top(expr.result_size(self.tyenv))
         return v
 
+    @binop_handler
+    def _handle_binop_And(self, expr):
+        arg0 = self._expr(expr.args[0])
+        if (
+            isinstance(arg0, claripy.ast.BV)
+            and self._is_registeroffset(arg0)
+            and isinstance(expr.args[1], pyvex.IRExpr.Const)
+        ):
+            mask_value = expr.args[1].con.value
+            if mask_value in {1, 3, 7, 15, 31, 63, 127, 255}:
+                # 1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51:0x40bd1b
+                self.state.is_jumptable = True
+                return arg0 & mask_value
+        return self._top(expr.result_size(self.tyenv))
+
     @binop_handler
     def _handle_binop_CmpLE(self, expr):
         return self._handle_Comparison(*expr.args)

angr/analyses/class_identifier.py

@@ -30,8 +30,7 @@ class ClassIdentifier(Analysis):
                 continue
             col_ind = func.demangled_name.rfind("::")
             class_name = func.demangled_name[:col_ind]
-            if class_name.startswith("non-virtual thunk for "):
-                class_name = class_name[len("non-virtual thunk for ") :]
+            class_name = class_name.removeprefix("non-virtual thunk for ")
             if col_ind != -1:
                 if class_name not in self.classes:
                     ctor = False

angr/analyses/complete_calling_conventions.py

@@ -208,6 +208,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
                 self._update_progress(percentage, text=f"{idx + 1}/{total_funcs} - {func.demangled_name}")
                 if self._low_priority:
                     self._release_gil(idx + 1, 10, 0.000001)
+            self._finish_progress()
 
         else:
             self._remaining_funcs.value = len(self._func_addrs)
@@ -298,6 +299,8 @@ class CompleteCallingConventionsAnalysis(Analysis):
             for proc in procs:
                 proc.join()
 
+            self._finish_progress()
+
     def _worker_routine(self, worker_id: int, initializer: Initializer):
         initializer.initialize()
         idx = 0

angr/analyses/decompiler/ail_simplifier.py

@@ -207,9 +207,11 @@ class AILSimplifier(Analysis):
         # Computing reaching definitions or return the cached one
         if self._reaching_definitions is not None:
             return self._reaching_definitions
+        func_args = {vvar for vvar, _ in self._arg_vvars.values()} if self._arg_vvars else set()
         rd = self.project.analyses.SReachingDefinitions(
             subject=self.func,
             func_graph=self.func_graph,
+            func_args=func_args,
             # use_callee_saved_regs_at_return=self._use_callee_saved_regs_at_return,
             # track_tmps=True,
         ).model
@@ -220,9 +222,11 @@ class AILSimplifier(Analysis):
         # Propagate expressions or return the existing result
         if self._propagator is not None:
             return self._propagator
-        prop = self.project.analyses[SPropagatorAnalysis].prep()(
+        func_args = {vvar for vvar, _ in self._arg_vvars.values()} if self._arg_vvars else set()
+        prop = self.project.analyses[SPropagatorAnalysis].prep(fail_fast=self._fail_fast)(
             subject=self.func,
             func_graph=self.func_graph,
+            func_args=func_args,
             # gp=self._gp,
             only_consts=self._only_consts,
         )
@@ -898,6 +902,13 @@ class AILSimplifier(Analysis):
 
                 to_replace_def = the_def
 
+                # check: the definition of expression being replaced should not be a phi variable
+                if (
+                    isinstance(to_replace_def.atom, atoms.VirtualVariable)
+                    and to_replace_def.atom.varid in rd.phi_vvar_ids
+                ):
+                    continue
+
                 # find all uses of this definition
                 # we make a copy of the set since we may touch the set (uses) when replacing expressions
                 all_uses: set[tuple[CodeLocation, Any]] = set(rd.get_vvar_uses_with_expr(to_replace_def.atom))

angr/analyses/decompiler/block_simplifier.py

@@ -141,7 +141,7 @@ class BlockSimplifier(Analysis):
 
     def _compute_propagation(self, block) -> SPropagatorAnalysis:
         if self._propagator is None:
-            self._propagator = self.project.analyses[SPropagatorAnalysis].prep()(
+            self._propagator = self.project.analyses[SPropagatorAnalysis].prep(fail_fast=self._fail_fast)(
                 subject=block,
                 func_addr=self.func_addr,
                 stack_pointer_tracker=self._stack_pointer_tracker,
@@ -152,7 +152,7 @@ class BlockSimplifier(Analysis):
         if self._reaching_definitions is None:
             self._reaching_definitions = (
                 self.project.analyses[SReachingDefinitionsAnalysis]
-                .prep()(
+                .prep(fail_fast=self._fail_fast)(
                     subject=block,
                     track_tmps=True,
                     func_addr=self.func_addr,

angr/analyses/decompiler/ccall_rewriters/__init__.py

@@ -1,7 +1,9 @@
 from __future__ import annotations
 from .amd64_ccalls import AMD64CCallRewriter
+from .x86_ccalls import X86CCallRewriter
 
 
 CCALL_REWRITERS = {
+    "X86": X86CCallRewriter,
     "AMD64": AMD64CCallRewriter,
 }

angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py

@@ -14,7 +14,7 @@ AMD64_CondBitOffsets = data["AMD64"]["CondBitOffsets"]
 
 class AMD64CCallRewriter(CCallRewriterBase):
     """
-    Implements ccall rewriter for AMD64.
+    Implements VEX ccall rewriter for AMD64.
     """
 
     __slots__ = ()

angr/analyses/decompiler/ccall_rewriters/x86_ccalls.py

@@ -0,0 +1,69 @@
+from __future__ import annotations
+
+from ailment import Expr
+
+from angr.engines.vex.claripy.ccall import data
+from .rewriter_base import CCallRewriterBase
+
+
+X86_CondTypes = data["X86"]["CondTypes"]
+X86_OpTypes = data["X86"]["OpTypes"]
+X86_CondBitMasks = data["X86"]["CondBitMasks"]
+X86_CondBitOffsets = data["X86"]["CondBitOffsets"]
+
+
+class X86CCallRewriter(CCallRewriterBase):
+    """
+    Implements VEX ccall rewriter for X86.
+    """
+
+    __slots__ = ()
+
+    def _rewrite(self, ccall: Expr.VEXCCallExpression) -> Expr.Expression | None:
+        if ccall.callee == "x86g_calculate_condition":
+            cond = ccall.operands[0]
+            op = ccall.operands[1]
+            dep_1 = ccall.operands[2]
+            dep_2 = ccall.operands[3]
+            if isinstance(cond, Expr.Const) and isinstance(op, Expr.Const):
+                cond_v = cond.value
+                op_v = op.value
+                if cond_v == X86_CondTypes["CondLE"]:  # noqa: SIM102
+                    if op_v in {
+                        X86_OpTypes["G_CC_OP_SUBB"],
+                        X86_OpTypes["G_CC_OP_SUBW"],
+                        X86_OpTypes["G_CC_OP_SUBL"],
+                    }:
+                        # dep_1 <=s dep_2
+                        dep_1 = self._fix_size(
+                            dep_1,
+                            op_v,
+                            X86_OpTypes["G_CC_OP_SUBB"],
+                            X86_OpTypes["G_CC_OP_SUBW"],
+                            ccall.tags,
+                        )
+                        dep_2 = self._fix_size(
+                            dep_2,
+                            op_v,
+                            X86_OpTypes["G_CC_OP_SUBB"],
+                            X86_OpTypes["G_CC_OP_SUBW"],
+                            ccall.tags,
+                        )
+
+                        r = Expr.BinaryOp(ccall.idx, "CmpLE", (dep_1, dep_2), True, **ccall.tags)
+                        return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
+        return None
+
+    @staticmethod
+    def _fix_size(expr, op_v: int, type_8bit, type_16bit, tags):
+        if op_v == type_8bit:
+            bits = 8
+        elif op_v == type_16bit:
+            bits = 16
+        else:
+            bits = 32
+        if bits < 32:
+            if isinstance(expr, Expr.Const):
+                return Expr.Const(expr.idx, None, expr.value & ((1 << bits) - 1), bits, **tags)
+            return Expr.Convert(None, 32, bits, False, expr, **tags)
+        return expr