angr 9.2.138__py3-none-macosx_11_0_arm64.whl → 9.2.139__py3-none-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.138"
+__version__ = "9.2.139"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/fact_collector.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any
 
@@ -332,6 +333,9 @@ class FactCollector(Analysis):
         cc_cls = default_cc(
             self.project.arch.name, platform=self.project.simos.name if self.project.simos is not None else None
         )
+        if cc_cls is None:
+            # don't know what the calling convention may be... give up
+            return
         cc = cc_cls(self.project.arch)
         if isinstance(cc.RETURN_VAL, SimRegArg):
             retreg_offset = cc.RETURN_VAL.check_offset(self.project.arch)
@@ -401,6 +405,16 @@ class FactCollector(Analysis):
         func_graph = self.function.transition_graph
         callee_restored_regs = set()
 
+        sp_masks = {
+            0xFFFFFFFE,
+            0xFFFFFFFC,
+            0xFFFFFFF8,
+            0xFFFFFFF0,
+            0xFFFFFFFF_FFFFFFFE,
+            0xFFFFFFFF_FFFFFFFC,
+            0xFFFFFFFF_FFFFFFF8,
+            0xFFFFFFFF_FFFFFFF0,
+        }
         for endpoint in self.function.endpoints:
             traversed = set()
             queue: list[tuple[int, BlockNode | HookNode]] = [(0, endpoint)]
@@ -434,17 +448,29 @@ class FactCollector(Analysis):
                             tmps[stmt.tmp] = "stack_value"
                         elif isinstance(stmt.data, pyvex.IRExpr.Const):
                             tmps[stmt.tmp] = "const"
-                        elif isinstance(stmt.data, pyvex.IRExpr.Binop) and (  # noqa:SIM102
-                            stmt.data.op.startswith("Iop_Add") or stmt.data.op.startswith("Iop_Sub")
-                        ):
-                            if (
-                                isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
-                                and tmps.get(stmt.data.args[0].tmp) == "sp"
-                            ) or (
-                                isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
-                                and tmps.get(stmt.data.args[1].tmp) == "sp"
-                            ):
-                                tmps[stmt.tmp] = "sp"
+                        elif isinstance(stmt.data, pyvex.IRExpr.Binop):
+                            if stmt.data.op.startswith("Iop_Add") or stmt.data.op.startswith("Iop_Sub"):
+                                if (
+                                    isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[0].tmp) == "sp"
+                                ) or (
+                                    isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[1].tmp) == "sp"
+                                ):
+                                    tmps[stmt.tmp] = "sp"
+                            elif stmt.data.op.startswith("Iop_And"):  # noqa: SIM102
+                                if (
+                                    isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[0].tmp) == "sp"
+                                    and isinstance(stmt.data.args[1], pyvex.IRExpr.Const)
+                                    and stmt.data.args[1].con.value in sp_masks
+                                ) or (
+                                    isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[1].tmp) == "sp"
+                                    and isinstance(stmt.data.args[0], pyvex.IRExpr.Const)
+                                    and stmt.data.args[0].con.value in sp_masks
+                                ):
+                                    tmps[stmt.tmp] = "sp"
                     if isinstance(stmt, pyvex.IRStmt.Put):
                         size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
                         # is the data loaded from the stack?
@@ -460,7 +486,28 @@ class FactCollector(Analysis):
                     if pred not in traversed and depth + 1 <= self._max_depth and edge_type == "transition":
                         queue.append((depth + 1, pred))
 
-        return callee_restored_regs
+        # remove offsets of registers that may store return values from callee_restored_regs
+        ret_reg_offsets = set()
+        cc_cls = default_cc(
+            self.project.arch.name, platform=self.project.simos.name if self.project.simos is not None else None
+        )
+        if cc_cls is not None:
+            cc = cc_cls(self.project.arch)
+            if isinstance(cc.RETURN_VAL, SimRegArg):
+                retreg_offset = cc.RETURN_VAL.check_offset(self.project.arch)
+                ret_reg_offsets.add(retreg_offset)
+            if isinstance(cc.OVERFLOW_RETURN_VAL, SimRegArg):
+                retreg_offset = cc.OVERFLOW_RETURN_VAL.check_offset(self.project.arch)
+                ret_reg_offsets.add(retreg_offset)
+            if isinstance(cc.FP_RETURN_VAL, SimRegArg):
+                try:
+                    retreg_offset = cc.FP_RETURN_VAL.check_offset(self.project.arch)
+                    ret_reg_offsets.add(retreg_offset)
+                except KeyError:
+                    # register name does not exist
+                    pass
+
+        return callee_restored_regs.difference(ret_reg_offsets)
 
     def _determine_input_args(self, end_states: list[FactCollectorState], callee_restored_regs: set[int]) -> None:
         self.input_args = []

angr/analyses/calling_convention/utils.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 import logging
 
 import archinfo
-from archinfo.arch_arm import is_arm_arch, ArchARMHF
+from archinfo.arch_arm import is_arm_arch, ArchARMHF, ArchARMCortexM
 
 from angr.calling_conventions import SimCC
 
@@ -37,7 +37,7 @@ def is_sane_register_variable(arch: archinfo.Arch, reg_offset: int, reg_size: in
         # 224 <= reg_offset < 480)  # xmm0-xmm7
 
     if is_arm_arch(arch):
-        if isinstance(arch, ArchARMHF):
+        if isinstance(arch, (ArchARMHF, ArchARMCortexM)):
             return 8 <= reg_offset < 24 or 128 <= reg_offset < 160  # r0 - 32  # s0 - s7, or d0 - d4
         return 8 <= reg_offset < 24  # r0-r3
 

angr/analyses/cfg/cfg_fast.py

@@ -2819,11 +2819,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if sec is not None and sec.is_readable and not sec.is_writable:
             # points to a non-writable region. read it out and see if there is another pointer!
             v = self._fast_memory_load_pointer(ref.data_addr, ref.data_size)
+            if v is None:
+                return
 
             # this value can either be a pointer or an offset from the pc... we need to try them both
             # attempt 1: a direct pointer
             sec_2nd = self.project.loader.find_section_containing(v)
-            if sec_2nd is not None and sec_2nd.is_readable and not sec_2nd.is_writable:
+            if sec_2nd is not None and sec_2nd.is_readable:
                 # found it!
                 self._add_data_reference(
                     irsb_addr,
@@ -2872,7 +2874,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 actual_ref_ins_addr = ref.ins_addr + 4
                 v += 8 + actual_ref_ins_addr
             sec_3rd = self.project.loader.find_section_containing(v)
-            if sec_3rd is not None and sec_3rd.is_readable and not sec_3rd.is_writable:
+            if sec_3rd is not None and sec_3rd.is_readable:
                 # found it!
                 self._add_data_reference(
                     irsb_addr, ref.stmt_idx, actual_ref_ins_addr, v, data_size=None, data_type=MemoryDataSort.Unknown
@@ -4178,7 +4180,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             for segment in self.project.loader.main_object.segments:
                 if segment.is_readable and segment.memsize >= 8:
                     # the gp area is sometimes writable, so we can't test for (not segment.is_writable)
-                    content = self.project.loader.memory.load(segment.vaddr, segment.memsize)
+                    try:
+                        content = self.project.loader.memory.load(segment.vaddr, segment.memsize)
+                    except KeyError:
+                        continue
                     content_buf = pyvex.ffi.from_buffer(content)
                     self._ro_region_cdata_cache.append(content_buf)
                     pyvex.pvc.register_readonly_region(segment.vaddr, segment.memsize, content_buf)
@@ -4187,7 +4192,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 # also map .got
                 for section in self.project.loader.main_object.sections:
                     if section.name == ".got":
-                        content = self.project.loader.memory.load(section.vaddr, section.memsize)
+                        try:
+                            content = self.project.loader.memory.load(section.vaddr, section.memsize)
+                        except KeyError:
+                            continue
                         content_buf = pyvex.ffi.from_buffer(content)
                         self._ro_region_cdata_cache.append(content_buf)
                         pyvex.pvc.register_readonly_region(section.vaddr, section.memsize, content_buf)

angr/analyses/decompiler/ail_simplifier.py

@@ -102,7 +102,7 @@ class AILSimplifier(Analysis):
         self.func = func
         self.func_graph = func_graph if func_graph is not None else func.graph
         self._reaching_definitions: SRDAModel | None = None
-        self._propagator = None
+        self._propagator: SPropagatorAnalysis | None = None
 
         self._remove_dead_memdefs = remove_dead_memdefs
         self._stack_arg_offsets = stack_arg_offsets
@@ -117,6 +117,7 @@ class AILSimplifier(Analysis):
         self._removed_vvar_ids = removed_vvar_ids if removed_vvar_ids is not None else set()
         self._arg_vvars = arg_vvars
         self._avoid_vvar_ids = avoid_vvar_ids
+        self._propagator_dead_vvar_ids: set[int] = set()
 
         self._calls_to_remove: set[CodeLocation] = set()
         self._assignments_to_remove: set[CodeLocation] = set()
@@ -231,6 +232,7 @@ class AILSimplifier(Analysis):
             only_consts=self._only_consts,
         )
         self._propagator = prop
+        self._propagator_dead_vvar_ids = prop.dead_vvar_ids
         return prop
 
     def _compute_equivalence(self) -> set[Equivalence]:
@@ -247,6 +249,9 @@ class AILSimplifier(Analysis):
                     if isinstance(stmt.ret_expr, (VirtualVariable, Load)):
                         codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
                         equivalence.add(Equivalence(codeloc, stmt.ret_expr, stmt))
+                    elif isinstance(stmt.fp_ret_expr, (VirtualVariable, Load)):
+                        codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
+                        equivalence.add(Equivalence(codeloc, stmt.fp_ret_expr, stmt))
                 elif (
                     isinstance(stmt, Store)
                     and isinstance(stmt.size, int)
@@ -1115,7 +1120,10 @@ class AILSimplifier(Analysis):
         than once after simplification and graph structuring where conditions might be duplicated (e.g., in Dream).
         In such cases, the one-use expression folder in RegionSimplifier will perform this transformation.
         """
+        # Disabled until https://github.com/angr/angr/issues/5112 and related folding issues are fixed
+        return False
 
+        # pylint:disable=unreachable
         simplified = False
 
         equivalence = self._compute_equivalence()
@@ -1326,7 +1334,10 @@ class AILSimplifier(Analysis):
             if isinstance(def_.atom, atoms.MemoryLocation) and isinstance(def_.atom.addr, int):
                 continue
             if isinstance(def_.atom, atoms.VirtualVariable):
-                if def_.atom.was_stack:
+                if def_.atom.varid in self._propagator_dead_vvar_ids:
+                    # we are definitely removing this variable if it has no uses
+                    uses = rd.get_vvar_uses(def_.atom)
+                elif def_.atom.was_stack:
                     if not self._remove_dead_memdefs:
                         if rd.is_phi_vvar_id(def_.atom.varid):
                             # we always remove unused phi variables
@@ -1540,7 +1551,7 @@ class AILSimplifier(Analysis):
             if bail:
                 continue
 
-            if all(varid in phi_and_dirty_vvar_ids for varid in scc):
+            if all(varid in phi_and_dirty_vvar_ids or rd.varid_to_vvar[varid].was_reg for varid in scc):
                 cyclic_dependent_phi_varids |= set(scc)
 
         return cyclic_dependent_phi_varids

angr/analyses/decompiler/block_simplifier.py

@@ -58,7 +58,6 @@ class BlockSimplifier(Analysis):
         self,
         block: Block | None,
         func_addr: int | None = None,
-        remove_dead_memdefs=False,
         stack_pointer_tracker=None,
         peephole_optimizations: None | (
             Iterable[type[PeepholeOptimizationStmtBase] | type[PeepholeOptimizationExprBase]]
@@ -74,7 +73,6 @@ class BlockSimplifier(Analysis):
         self.block = block
         self.func_addr = func_addr
 
-        self._remove_dead_memdefs = remove_dead_memdefs
         self._stack_pointer_tracker = stack_pointer_tracker
 
         if peephole_optimizations is None:

angr/analyses/decompiler/callsite_maker.py

@@ -5,9 +5,19 @@ import logging
 
 import archinfo
 from ailment import Stmt, Expr, Const
+from ailment.manager import Manager
 
 from angr.procedures.stubs.format_parser import FormatParser, FormatSpecifier
-from angr.sim_type import SimTypeBottom, SimTypePointer, SimTypeChar, SimTypeInt, dereference_simtype
+from angr.sim_type import (
+    SimTypeBottom,
+    SimTypePointer,
+    SimTypeChar,
+    SimTypeInt,
+    SimTypeFloat,
+    dereference_simtype,
+    SimTypeFunction,
+    SimTypeLongLong,
+)
 from angr.calling_conventions import SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE
 from angr.analyses import Analysis, register_analysis
@@ -27,7 +37,7 @@ class CallSiteMaker(Analysis):
     Add calling convention, declaration, and args to a call site.
     """
 
-    def __init__(self, block, reaching_definitions=None, stack_pointer_tracker=None, ail_manager=None):
+    def __init__(self, block, reaching_definitions=None, stack_pointer_tracker=None, ail_manager: Manager = None):
         self.block = block
 
         self._reaching_definitions = reaching_definitions
@@ -60,7 +70,7 @@ class CallSiteMaker(Analysis):
             return
 
         cc = None
-        prototype = None
+        prototype: SimTypeFunction | None = None
         func = None
         stack_arg_locs: list[SimStackArg] = []
         stackarg_sp_diff = 0
@@ -106,7 +116,9 @@ class CallSiteMaker(Analysis):
                     for typelib_name in prototype_lib.type_collection_names:
                         type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
-                prototype = dereference_simtype(prototype, type_collections).with_arch(self.project.arch)
+                prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
+                    self.project.arch
+                )
 
         args = []
         arg_vvars = []
@@ -120,15 +132,18 @@ class CallSiteMaker(Analysis):
                 arg_locs = cc.arg_locs(prototype)
                 if prototype.variadic:
                     # determine the number of variadic arguments
+                    assert func is not None
                     variadic_args = self._determine_variadic_arguments(func, cc, call_stmt)
                     if variadic_args:
                         callsite_ty = copy.copy(prototype)
-                        callsite_ty.args = list(callsite_ty.args)
+                        callsite_args = list(callsite_ty.args)
+                        base_type = SimTypeInt if self.project.arch.bits == 32 else SimTypeLongLong
                         for _ in range(variadic_args):
-                            callsite_ty.args.append(SimTypeInt().with_arch(self.project.arch))
+                            callsite_args.append(base_type().with_arch(self.project.arch))
+                        callsite_ty.args = tuple(callsite_args)
                         arg_locs = cc.arg_locs(callsite_ty)
 
-        if arg_locs is not None:
+        if arg_locs is not None and cc is not None:
             expanded_arg_locs = []
             for arg_loc in arg_locs:
                 if isinstance(arg_loc, SimComboArg):
@@ -155,6 +170,38 @@ class CallSiteMaker(Analysis):
                             oident=vvar_def.oident,
                             **vvar_def.tags,
                         )
+                        vvar_def_reg_offset = None
+                        if vvar_def.was_reg:
+                            vvar_def_reg_offset = vvar_def.reg_offset
+                        elif (
+                            vvar_def.was_parameter
+                            and vvar_def.parameter_category == Expr.VirtualVariableCategory.REGISTER
+                        ):
+                            vvar_def_reg_offset = vvar_def.parameter_reg_offset
+
+                        if vvar_def_reg_offset is not None and offset > vvar_def_reg_offset:
+                            # we need to shift the value
+                            vvar_use = Expr.BinaryOp(
+                                self._ail_manager.next_atom(),
+                                "Shr",
+                                [
+                                    vvar_use,
+                                    Expr.Const(
+                                        self._ail_manager.next_atom(), None, (offset - vvar_def_reg_offset) * 8, 8
+                                    ),
+                                ],
+                                **vvar_use.tags,
+                            )
+                        if vvar_def.size > arg_loc.size:
+                            # we need to narrow the value
+                            vvar_use = Expr.Convert(
+                                self._ail_manager.next_atom(),
+                                vvar_use.bits,
+                                arg_loc.size * self.project.arch.byte_width,
+                                False,
+                                vvar_use,
+                                **vvar_use.tags,
+                            )
                         args.append(vvar_use)
                     else:
                         reg = Expr.Register(
@@ -219,6 +266,7 @@ class CallSiteMaker(Analysis):
         # calculate stack offsets for arguments that are put on the stack. these offsets will be consumed by
         # simplification steps in the future, which may decide to remove statements that store arguments on the stack.
         if stack_arg_locs:
+            assert self._stack_pointer_tracker is not None
             sp_offset = self._stack_pointer_tracker.offset_before(call_stmt.ins_addr, self.project.arch.sp_offset)
             if sp_offset is None:
                 l.warning(
@@ -233,8 +281,22 @@ class CallSiteMaker(Analysis):
                 }
 
         ret_expr = call_stmt.ret_expr
-        # if ret_expr is None, it means in previous steps (such as during AIL simplification) we have deemed the return
-        # value of this call statement as useless and is removed.
+        fp_ret_expr = call_stmt.fp_ret_expr
+        # if ret_expr and fp_ret_expr are None, it means in previous steps (such as during AIL simplification) we have
+        # deemed the return value of this call statement as useless and is removed.
+
+        if (
+            ret_expr is not None
+            and fp_ret_expr is not None
+            and prototype is not None
+            and prototype.returnty is not None
+        ):
+            # we need to determine the return type of this call (ret_expr vs fp_ret_expr)
+            is_float = isinstance(prototype.returnty, SimTypeFloat)
+            if is_float:
+                ret_expr = None
+            else:
+                fp_ret_expr = None
 
         if (
             ret_expr is not None
@@ -243,9 +305,9 @@ class CallSiteMaker(Analysis):
             and not isinstance(prototype.returnty, SimTypeBottom)
             and not isinstance(ret_expr, Expr.VirtualVariable)
         ):
-            # try to narrow the return expression if needed
+            # try to narrow the non-float return expression if needed
             ret_type_bits = prototype.returnty.with_arch(self.project.arch).size
-            if ret_expr.bits > ret_type_bits:
+            if ret_type_bits is not None and ret_expr.bits > ret_type_bits:
                 ret_expr = ret_expr.copy()
                 ret_expr.bits = ret_type_bits
             # TODO: Support narrowing virtual variables
@@ -257,6 +319,7 @@ class CallSiteMaker(Analysis):
             prototype=prototype,
             args=args,
             ret_expr=ret_expr,
+            fp_ret_expr=fp_ret_expr,
             arg_vvars=arg_vvars,
             **call_stmt.tags,
         )
@@ -291,7 +354,7 @@ class CallSiteMaker(Analysis):
         l.warning("TODO: Unsupported statement type %s for definitions.", type(stmt))
         return None
 
-    def _resolve_register_argument(self, arg_loc) -> tuple[int | None, Expr.VirtualVariable] | None:
+    def _resolve_register_argument(self, arg_loc) -> tuple[Expr.Expression | None, Expr.VirtualVariable] | None:
         offset = arg_loc.check_offset(self.project.arch)
 
         if self._reaching_definitions is not None:
@@ -310,6 +373,8 @@ class CallSiteMaker(Analysis):
         return None
 
     def _resolve_stack_argument(self, call_stmt, arg_loc) -> tuple[Any, Any]:  # pylint:disable=unused-argument
+        assert self._stack_pointer_tracker is not None
+
         size = arg_loc.size
         offset = arg_loc.stack_offset
         if self.project.arch.call_pushes_ret:
@@ -331,6 +396,7 @@ class CallSiteMaker(Analysis):
                     sp_offset, size, self.block.addr, self.block.idx, len(self.block.statements) - 1, OP_BEFORE
                 )
                 if vvar is not None:
+                    # FIXME: vvar may be larger than that we ask; we may need to chop the correct value of vvar
                     value = view.get_vvar_value(vvar)
                     if value is not None and not isinstance(value, Expr.Phi):
                         return None, value
@@ -391,8 +457,8 @@ class CallSiteMaker(Analysis):
 
         return s
 
-    def _determine_variadic_arguments(self, func: Function | None, cc: SimCC, call_stmt) -> int | None:
-        if (func is not None and "printf" in func.name) or "scanf" in func.name:
+    def _determine_variadic_arguments(self, func: Function, cc: SimCC, call_stmt) -> int | None:
+        if "printf" in func.name or "scanf" in func.name:
             return self._determine_variadic_arguments_for_format_strings(func, cc, call_stmt)
         return None