angr 9.2.137__py3-none-macosx_11_0_arm64.whl → 9.2.139__py3-none-macosx_11_0_arm64.whl

angr/analyses/s_propagator.py

@@ -4,6 +4,8 @@ import contextlib
 from collections.abc import Mapping
 from collections import defaultdict
 
+import networkx
+
 from ailment.block import Block
 from ailment.expression import (
     Const,
@@ -14,7 +16,7 @@ from ailment.expression import (
     Convert,
     Expression,
 )
-from ailment.statement import Assignment, Store, Return, Jump
+from ailment.statement import Assignment, Store, Return, Jump, ConditionalJump
 
 from angr.knowledge_plugins.functions import Function
 from angr.code_location import CodeLocation, ExternalCodeLocation
@@ -22,6 +24,8 @@ from angr.analyses import Analysis, register_analysis
 from angr.utils.ssa import (
     get_vvar_uselocs,
     get_vvar_deflocs,
+    has_ite_expr,
+    has_ite_stmt,
     is_phi_assignment,
     is_const_assignment,
     is_const_and_vvar_assignment,
@@ -41,6 +45,8 @@ class SPropagatorModel:
 
     def __init__(self):
         self.replacements: Mapping[CodeLocation, Mapping[Expression, Expression]] = {}
+        # store vvars that are definitely dead (but usually not removed by default because they are stack variables)
+        self.dead_vvar_ids: set[int] = set()
 
 
 class SPropagatorAnalysis(Analysis):
@@ -51,7 +57,7 @@ class SPropagatorAnalysis(Analysis):
     def __init__(  # pylint: disable=too-many-positional-arguments
         self,
         subject: Block | Function,
-        func_graph=None,
+        func_graph: networkx.DiGraph | None = None,
         only_consts: bool = True,
         stack_pointer_tracker=None,
         func_args: set[VirtualVariable] | None = None,
@@ -86,6 +92,7 @@ class SPropagatorAnalysis(Analysis):
             bp_as_gpr = the_func.info.get("bp_as_gpr", False)
         self._bp_as_gpr = bp_as_gpr
 
+        # output
         self.model = SPropagatorModel()
 
         self._analyze()
@@ -94,6 +101,10 @@ class SPropagatorAnalysis(Analysis):
     def replacements(self):
         return self.model.replacements
 
+    @property
+    def dead_vvar_ids(self):
+        return self.model.dead_vvar_ids
+
     def _analyze(self):
         blocks: dict[tuple[int, int | None], Block]
         match self.mode:
@@ -128,7 +139,7 @@ class SPropagatorAnalysis(Analysis):
 
         replacements = defaultdict(dict)
 
-        # find constant assignments
+        # find constant and other propagatable assignments
         vvarid_to_vvar = {}
         const_vvars: dict[int, Const] = {}
         for vvar, defloc in vvar_deflocs.items():
@@ -136,10 +147,12 @@ class SPropagatorAnalysis(Analysis):
                 continue
 
             vvarid_to_vvar[vvar.varid] = vvar
-            defloc = vvar_deflocs[vvar]
             if isinstance(defloc, ExternalCodeLocation):
                 continue
 
+            assert defloc.block_addr is not None
+            assert defloc.stmt_idx is not None
+
             block = blocks[(defloc.block_addr, defloc.block_idx)]
             stmt = block.statements[defloc.stmt_idx]
             r, v = is_const_assignment(stmt)
@@ -155,78 +168,143 @@ class SPropagatorAnalysis(Analysis):
             if v is not None:
                 src_varids = {vvar.varid if vvar is not None else None for _, vvar in v.src_and_vvars}
                 if None not in src_varids and all(varid in const_vvars for varid in src_varids):
+                    all_int_src_varids: set[int] = {varid for varid in src_varids if varid is not None}
                     src_values = {
                         (
                             (const_vvars[varid].value, const_vvars[varid].bits)
                             if isinstance(const_vvars[varid], Const)
                             else const_vvars[varid]
                         )
-                        for varid in src_varids
+                        for varid in all_int_src_varids
                     }
                     if len(src_values) == 1:
                         # replace it!
-                        const_value = const_vvars[next(iter(src_varids))]
+                        const_value = const_vvars[next(iter(all_int_src_varids))]
                         const_vvars[vvar.varid] = const_value
                         for vvar_at_use, useloc in vvar_uselocs[vvar.varid]:
                             replacements[useloc][vvar_at_use] = const_value
 
-            if self.mode == "function" and vvar.varid in vvar_uselocs:
-                if len(vvar_uselocs[vvar.varid]) == 1:
-                    vvar_used, vvar_useloc = next(iter(vvar_uselocs[vvar.varid]))
-                    if (
-                        is_const_vvar_load_assignment(stmt)
-                        and vvar_useloc.block_addr == defloc.block_addr
-                        and vvar_useloc.block_idx == defloc.block_idx
-                        and not any(
-                            isinstance(stmt_, Store)
-                            for stmt_ in block.statements[defloc.stmt_idx + 1 : vvar_useloc.stmt_idx]
-                        )
-                    ):
+        # function mode only
+        if self.mode == "function":
+            for vvar, defloc in vvar_deflocs.items():
+                if vvar.varid not in vvar_uselocs:
+                    continue
+                if vvar.varid in const_vvars:
+                    continue
+                if isinstance(defloc, ExternalCodeLocation):
+                    continue
+
+                assert defloc.block_addr is not None
+                assert defloc.stmt_idx is not None
+
+                block = blocks[(defloc.block_addr, defloc.block_idx)]
+                stmt = block.statements[defloc.stmt_idx]
+                if (
+                    (vvar.was_reg or vvar.was_parameter)
+                    and len(vvar_uselocs[vvar.varid]) <= 2
+                    and isinstance(stmt, Assignment)
+                    and isinstance(stmt.src, Load)
+                ):
+                    # do we want to propagate this Load expression if it's used for less than twice?
+                    # it's often seen in the following pattern, where propagation will be beneficial:
+                    #    v0 = Load(...)
+                    #    if (!v0) {
+                    #       v1 = v0 + 1;
+                    #    }
+                    can_replace = True
+                    for _, vvar_useloc in vvar_uselocs[vvar.varid]:
+                        if self.has_store_stmt_in_between(blocks, defloc, vvar_useloc):
+                            can_replace = False
+
+                    if can_replace:
                         # we can propagate this load because there is no store between its def and use
-                        replacements[vvar_useloc][vvar_used] = stmt.src
+                        for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
+                            replacements[vvar_useloc][vvar_used] = stmt.src
                         continue
 
-                    if is_const_and_vvar_assignment(stmt):
-                        # if the useloc is a phi assignment statement, ensure that stmt.src is the same as the phi
-                        # variable
-                        useloc_stmt = blocks[(vvar_useloc.block_addr, vvar_useloc.block_idx)].statements[
-                            vvar_useloc.stmt_idx
-                        ]
-                        if is_phi_assignment(useloc_stmt):
-                            if (
-                                isinstance(stmt.src, VirtualVariable)
-                                and stmt.src.oident == useloc_stmt.dst.oident
-                                and stmt.src.category == useloc_stmt.dst.category
-                            ):
-                                replacements[vvar_useloc][vvar_used] = stmt.src
-                        else:
+                if (
+                    (vvar.was_reg or vvar.was_stack)
+                    and len(vvar_uselocs[vvar.varid]) == 2
+                    and not is_phi_assignment(stmt)
+                ):
+                    # a special case: in a typical switch-case construct, a variable may be used once for comparison
+                    # for the default case and then used again for constructing the jump target. we can propagate this
+                    # variable for such cases.
+                    uselocs = {loc for _, loc in vvar_uselocs[vvar.varid]}
+                    if self.is_vvar_used_for_addr_loading_switch_case(uselocs, blocks):
+                        for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
                             replacements[vvar_useloc][vvar_used] = stmt.src
+                        # mark the vvar as dead and should be removed
+                        self.model.dead_vvar_ids.add(vvar.varid)
                         continue
 
-                elif (
-                    len(
-                        {
+                if vvar.was_reg or vvar.was_parameter:
+                    if len(vvar_uselocs[vvar.varid]) == 1:
+                        vvar_used, vvar_useloc = next(iter(vvar_uselocs[vvar.varid]))
+                        if is_const_vvar_load_assignment(stmt) and not self.has_store_stmt_in_between(
+                            blocks, defloc, vvar_useloc
+                        ):
+                            # we can propagate this load because there is no store between its def and use
+                            replacements[vvar_useloc][vvar_used] = stmt.src
+                            continue
+
+                        if is_const_and_vvar_assignment(stmt):
+                            # if the useloc is a phi assignment statement, ensure that stmt.src is the same as the phi
+                            # variable
+                            assert vvar_useloc.block_addr is not None
+                            assert vvar_useloc.stmt_idx is not None
+                            useloc_stmt = blocks[(vvar_useloc.block_addr, vvar_useloc.block_idx)].statements[
+                                vvar_useloc.stmt_idx
+                            ]
+                            if is_phi_assignment(useloc_stmt):
+                                if (
+                                    isinstance(stmt.src, VirtualVariable)
+                                    and stmt.src.oident == useloc_stmt.dst.oident
+                                    and stmt.src.category == useloc_stmt.dst.category
+                                ):
+                                    replacements[vvar_useloc][vvar_used] = stmt.src
+                            else:
+                                replacements[vvar_useloc][vvar_used] = stmt.src
+                            continue
+
+                    else:
+                        non_exitsite_uselocs = [
                             loc
                             for _, loc in vvar_uselocs[vvar.varid]
                             if (loc.block_addr, loc.block_idx, loc.stmt_idx) not in (retsites | jumpsites)
-                        }
-                    )
-                    == 1
-                ):
-                    if is_const_and_vvar_assignment(stmt):
-                        # this vvar is used once if we exclude its uses at ret sites or jump sites. we can propagate it
-                        for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
-                            replacements[vvar_useloc][vvar_used] = stmt.src
-                        continue
+                        ]
+                        if is_const_and_vvar_assignment(stmt):
+                            if len(non_exitsite_uselocs) == 1:
+                                # this vvar is used once if we exclude its uses at ret sites or jump sites. we can
+                                # propagate it
+                                for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
+                                    replacements[vvar_useloc][vvar_used] = stmt.src
+                                continue
+
+                            if len(set(non_exitsite_uselocs)) == 1 and not has_ite_expr(stmt.src):
+                                useloc = non_exitsite_uselocs[0]
+                                assert useloc.block_addr is not None
+                                assert useloc.stmt_idx is not None
+                                useloc_stmt = blocks[(useloc.block_addr, useloc.block_idx)].statements[useloc.stmt_idx]
+                                if stmt.src.depth <= 3 and not has_ite_stmt(useloc_stmt):
+                                    # remove duplicate use locs (e.g., if the variable is used multiple times by the
+                                    # same statement) - but ensure stmt is simple enough
+                                    for vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
+                                        replacements[vvar_useloc][vvar_used] = stmt.src
+                                    continue
 
                 # special logic for global variables: if it's used once or multiple times, and the variable is never
                 # updated before it's used, we will propagate the load
-                if isinstance(stmt, Assignment):
+                if (vvar.was_reg or vvar.was_parameter) and isinstance(stmt, Assignment):
                     stmt_src = stmt.src
                     # unpack conversions
                     while isinstance(stmt_src, Convert):
                         stmt_src = stmt_src.operand
-                    if isinstance(stmt_src, Load) and isinstance(stmt_src.addr, Const):
+                    if (
+                        isinstance(stmt_src, Load)
+                        and isinstance(stmt_src.addr, Const)
+                        and isinstance(stmt_src.addr.value, int)
+                    ):
                         gv_updated = False
                         for _vvar_used, vvar_useloc in vvar_uselocs[vvar.varid]:
                             gv_updated |= self.is_global_variable_updated(
@@ -286,6 +364,8 @@ class SPropagatorAnalysis(Analysis):
         for block_loc, tmp_and_uses in tmp_uselocs.items():
             for tmp_atom, tmp_uses in tmp_and_uses.items():
                 # take a look at the definition and propagate the definition if supported
+                assert block_loc.block_addr is not None
+
                 block = blocks[(block_loc.block_addr, block_loc.block_idx)]
                 tmp_def_stmtidx = tmp_deflocs[block_loc][tmp_atom]
 
@@ -350,6 +430,8 @@ class SPropagatorAnalysis(Analysis):
 
             start_stmt_idx = defloc.stmt_idx if block is defblock else 0  # inclusive
             end_stmt_idx = useloc.stmt_idx if block is useblock else len(block.statements)  # exclusive
+            assert start_stmt_idx is not None
+            assert end_stmt_idx is not None
 
             for idx in range(start_stmt_idx, end_stmt_idx):
                 stmt = block.statements[idx]
@@ -380,5 +462,78 @@ class SPropagatorAnalysis(Analysis):
 
         return False
 
+    def has_store_stmt_in_between(
+        self, blocks: dict[tuple[int, int | None], Block], defloc: CodeLocation, useloc: CodeLocation
+    ) -> bool:
+        assert defloc.block_addr is not None
+        assert defloc.stmt_idx is not None
+        assert useloc.block_addr is not None
+        assert useloc.stmt_idx is not None
+        assert self.func_graph is not None
+
+        use_block = blocks[(useloc.block_addr, useloc.block_idx)]
+        def_block = blocks[(defloc.block_addr, defloc.block_idx)]
+
+        # traverse the graph, go from use_block until we reach def_block, and look for Store statements
+        seen = {use_block}
+        queue = [use_block]
+        while queue:
+            block = queue.pop(0)
+
+            starting_stmt_idx, ending_stmt_idx = 0, len(block.statements)
+            if block is def_block:
+                starting_stmt_idx = defloc.stmt_idx + 1
+            if block is use_block:
+                ending_stmt_idx = useloc.stmt_idx
+
+            for i in range(starting_stmt_idx, ending_stmt_idx):
+                if isinstance(block.statements[i], Store):
+                    return True
+
+            if block is def_block:
+                continue
+
+            for pred in self.func_graph.predecessors(block):
+                if pred not in seen:
+                    seen.add(pred)
+                    queue.append(pred)
+
+        return False
+
+    @staticmethod
+    def is_vvar_used_for_addr_loading_switch_case(uselocs: set[CodeLocation], blocks) -> bool:
+        """
+        Check if a virtual variable is used for loading an address in a switch-case construct.
+
+        :param uselocs: The use locations of the virtual variable.
+        :param blocks:  All blocks of the current function.
+        :return:        True if the virtual variable is used for loading an address in a switch-case construct, False
+                        otherwise.
+        """
+
+        if len(uselocs) != 2:
+            return False
+
+        useloc_0, useloc_1 = list(uselocs)
+        block_0 = blocks[(useloc_0.block_addr, useloc_0.block_idx)]
+        stmt_0 = block_0.statements[useloc_0.stmt_idx]
+        block_1 = blocks[(useloc_1.block_addr, useloc_1.block_idx)]
+        stmt_1 = block_1.statements[useloc_1.stmt_idx]
+
+        if isinstance(stmt_0, Jump):
+            stmt_0, stmt_1 = stmt_1, stmt_0
+            block_0, block_1 = block_1, block_0
+        if not isinstance(stmt_0, ConditionalJump) or not isinstance(stmt_1, Jump):
+            return False
+
+        # check if stmt_0 jumps to block_1
+        if not isinstance(stmt_0.true_target, Const) or not isinstance(stmt_0.false_target, Const):
+            return False
+        stmt_0_targets = {
+            (stmt_0.true_target.value, stmt_0.true_target_idx),
+            (stmt_0.false_target.value, stmt_0.false_target_idx),
+        }
+        return (block_1.addr, block_1.idx) in stmt_0_targets
+
 
 register_analysis(SPropagatorAnalysis, "SPropagator")

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -79,8 +79,8 @@ class StackVVarPredicate:
             isinstance(stmt, Assignment)
             and isinstance(stmt.dst, VirtualVariable)
             and stmt.dst.was_stack
-            and stmt.dst.stack_offset == self.stack_offset
-            and stmt.dst.size == self.size
+            and stmt.dst.stack_offset <= self.stack_offset < stmt.dst.stack_offset + stmt.dst.size
+            and stmt.dst.stack_offset <= self.stack_offset + self.size <= stmt.dst.stack_offset + stmt.dst.size
         ):
             self.vvars.add(stmt.dst)
             return True

angr/analyses/s_reaching_definitions/s_reaching_definitions.py

@@ -143,7 +143,9 @@ class SReachingDefinitionsAnalysis(Analysis):
                         cc = cc_cls(self.project.arch)
 
                     codeloc = CodeLocation(block_addr, stmt_idx, block_idx=block_idx, ins_addr=stmt.ins_addr)
-                    arg_locs = cc.ARG_REGS
+                    arg_locs = list(cc.ARG_REGS)
+                    if cc.FP_ARG_REGS:
+                        arg_locs += [r_name for r_name in cc.FP_ARG_REGS if r_name not in arg_locs]
 
                     for arg_reg_name in arg_locs:
                         reg_offset = self.project.arch.registers[arg_reg_name][0]

angr/analyses/variable_recovery/engine_ail.py

@@ -84,7 +84,7 @@ class SimEngineVRAIL(
                     if vvar is not None:
                         r = self._read_from_vvar(vvar, expr=stmt.src, vvar_id=self._mapped_vvarid(vvar.varid))
                         if r.variable is not None:
-                            pv = self.variable_manager[self.func_addr]._phi_variables
+                            pv = self.state.variable_manager[self.func_addr]._phi_variables
                             if variable not in pv:
                                 pv[variable] = set()
                             pv[variable].add(r.variable)