angr 9.2.139__py3-none-macosx_10_9_x86_64.whl → 9.2.140__py3-none-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.139"
+__version__ = "9.2.140"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -150,6 +150,8 @@ class CallingConventionAnalysis(Analysis):
         The major analysis routine.
         """
 
+        assert self._function is not None
+
         if self._function.is_simprocedure:
             hooker = self.project.hooked_by(self._function.addr)
             if isinstance(
@@ -200,8 +202,8 @@ class CallingConventionAnalysis(Analysis):
                         )
                         if prototype.args:
                             break
-                self.cc = cc
-                self.prototype = prototype
+                self.cc = cc  # type: ignore
+                self.prototype = prototype  # type: ignore
             return
         if self._function.is_plt:
             r = self._analyze_plt()
@@ -218,23 +220,33 @@ class CallingConventionAnalysis(Analysis):
             if self.analyze_callsites:
                 # only take the first 3 because running reaching definition analysis on all functions is costly
                 callsite_facts = self._extract_and_analyze_callsites(max_analyzing_callsites=3)
-                prototype = self._adjust_prototype(
-                    prototype, callsite_facts, update_arguments=UpdateArgumentsOption.UpdateWhenCCHasNoArgs
+                prototype = (
+                    self._adjust_prototype(
+                        prototype, callsite_facts, update_arguments=UpdateArgumentsOption.UpdateWhenCCHasNoArgs
+                    )
+                    if prototype is not None
+                    else None
                 )
 
             self.cc = cc
             self.prototype = prototype
 
     def _analyze_callsite_only(self):
+        assert self.caller_func_addr is not None
+        assert self.callsite_block_addr is not None
+        assert self.callsite_insn_addr is not None
+        cc, prototype = None, None
+
         for include_callsite_preds in [False, True]:
-            callsite_facts = [
-                self._analyze_callsite(
-                    self.caller_func_addr,
-                    self.callsite_block_addr,
-                    self.callsite_insn_addr,
-                    include_preds=include_callsite_preds,
-                )
-            ]
+            fact = self._analyze_callsite(
+                self.caller_func_addr,
+                self.callsite_block_addr,
+                self.callsite_insn_addr,
+                include_preds=include_callsite_preds,
+            )
+            if fact is None:
+                continue
+            callsite_facts = [fact]
             cc_cls = default_cc(
                 self.project.arch.name,
                 platform=(
@@ -258,6 +270,7 @@ class CallingConventionAnalysis(Analysis):
 
         :return:    A calling convention.
         """
+        assert self._function is not None
 
         if len(self._function.jumpout_sites) != 1:
             l.warning(
@@ -314,6 +327,7 @@ class CallingConventionAnalysis(Analysis):
         Go over the variable information in variable manager for this function, and return all uninitialized
         register/stack variables.
         """
+        assert self._function is not None
 
         if self._function.is_simprocedure or self._function.is_plt:
             # we do not analyze SimProcedures or PLT stubs
@@ -403,6 +417,8 @@ class CallingConventionAnalysis(Analysis):
         returns anything or not.
         """
 
+        assert self._function is not None
+
         if self._cfg is None:
             l.warning("CFG is not provided. Skip calling convention analysis at call sites.")
             return []
@@ -656,13 +672,10 @@ class CallingConventionAnalysis(Analysis):
 
     def _adjust_prototype(
         self,
-        proto: SimTypeFunction | None,
+        proto: SimTypeFunction,
         facts: list[CallSiteFact],
         update_arguments: int = UpdateArgumentsOption.DoNotUpdate,
-    ) -> SimTypeFunction | None:
-        if proto is None:
-            return None
-
+    ) -> SimTypeFunction:
         # is the return value used anywhere?
         if facts:
             if all(fact.return_value_used is False for fact in facts):
@@ -691,6 +704,8 @@ class CallingConventionAnalysis(Analysis):
         :return:
         """
 
+        assert self._function is not None
+
         args = set()
         ret_addr_offset = 0 if not self.project.arch.call_pushes_ret else self.project.arch.bytes
 
@@ -839,17 +854,27 @@ class CallingConventionAnalysis(Analysis):
         return SimTypeBottom()
 
     def _guess_retval_type(self, cc: SimCC, ret_val_size: int | None) -> SimType:
+        assert self._function is not None
+
         if cc.FP_RETURN_VAL and self._function.ret_sites:
             # examine the last block of the function and see which registers are assigned to
             for ret_block in self._function.ret_sites:
+                fpretval_updated, retval_updated = False, False
+                fp_reg_size = 0
                 irsb = self.project.factory.block(ret_block.addr, size=ret_block.size).vex
                 for stmt in irsb.statements:
                     if isinstance(stmt, Put) and isinstance(stmt.data, RdTmp):
-                        reg_size = irsb.tyenv.sizeof(stmt.data.tmp) // self.project.arch.byte_width
+                        reg_size = irsb.tyenv.sizeof(stmt.data.tmp) // self.project.arch.byte_width  # type: ignore
                         reg_name = self.project.arch.translate_register_name(stmt.offset, size=reg_size)
-                        if reg_name == cc.FP_RETURN_VAL.reg_name:
-                            # possibly float
-                            return SimTypeFloat() if reg_size == 4 else SimTypeDouble()
+                        if isinstance(cc.FP_RETURN_VAL, SimRegArg) and reg_name == cc.FP_RETURN_VAL.reg_name:
+                            fpretval_updated = True
+                            fp_reg_size = reg_size
+                        elif isinstance(cc.RETURN_VAL, SimRegArg) and reg_name == cc.RETURN_VAL.reg_name:
+                            retval_updated = True
+
+                if fpretval_updated and not retval_updated:
+                    # possibly float
+                    return SimTypeFloat() if fp_reg_size == 4 else SimTypeDouble()
 
         if ret_val_size is not None:
             if ret_val_size == 1:
@@ -884,6 +909,8 @@ class CallingConventionAnalysis(Analysis):
         # TODO: Use a better pattern matching approach
         if len(func.block_addrs_set) < 3:
             return False, None
+        if func.startpoint is None:
+            return False, None
 
         head = func.startpoint
         out_edges = list(func.transition_graph.out_edges(head, data=True))

angr/analyses/cfg/cfg_base.py

@@ -1421,6 +1421,19 @@ class CFGBase(Analysis):
                 # We gotta create a new one
                 l.error("normalize(): Please report it to Fish.")
 
+        # update the jump tables dict and the indirect jumps dict
+        if smallest_node.addr not in self.model.jump_tables:
+            for n in other_nodes:
+                if n.addr in self.model.jump_tables:
+                    self.model.jump_tables[n.addr].addr = smallest_node.addr
+                    self.model.jump_tables[smallest_node.addr] = self.model.jump_tables[n.addr]
+                    break
+        if smallest_node.addr not in self.indirect_jumps:
+            for n in other_nodes:
+                if n.addr in self.indirect_jumps:
+                    self.indirect_jumps[n.addr].addr = smallest_node.addr
+                    self.indirect_jumps[smallest_node.addr] = self.indirect_jumps[n.addr]
+                    break
         # deal with duplicated entries in self.jump_tables and self.indirect_jumps
         if smallest_node.addr in self.model.jump_tables:
             for n in other_nodes:

angr/analyses/cfg/cfg_fast.py

@@ -1524,6 +1524,17 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 }:
                     func.info["is_rust_probestack"] = True
 
+            # determine if the function is __alloca_probe
+            if func is not None and len(func.block_addrs_set) == 4:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"H\x83\xec\x10L\x89\x14$L\x89\\$\x08M3\xdbL\x8dT$\x18L+\xd0M\x0fB\xd3eL\x8b\x1c%\x10\x00\x00\x00M;\xd3s\x16",
+                    b"fA\x81\xe2\x00\xf0M\x8d\x9b\x00\xf0\xff\xffA\xc6\x03\x00M;\xd3u\xf0",
+                    b"M\x8d\x9b\x00\xf0\xff\xffA\xc6\x03\x00M;\xd3u\xf0",
+                    b"L\x8b\x14$L\x8b\\$\x08H\x83\xc4\x10\xc3",
+                }:
+                    func.info["is_alloca_probe"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 

angr/analyses/decompiler/ail_simplifier.py

@@ -27,6 +27,7 @@ from ailment.expression import (
 from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SRDAModel
 from angr.utils.ail import is_phi_assignment, HasExprWalker
+from angr.utils.ssa import has_call_in_between_stmts, has_store_stmt_in_between_stmts, has_load_expr_in_between_stmts
 from angr.code_location import CodeLocation, ExternalCodeLocation
 from angr.sim_variable import SimStackVariable, SimMemoryVariable, SimVariable
 from angr.knowledge_plugins.propagations.states import Equivalence
@@ -292,7 +293,7 @@ class AILSimplifier(Analysis):
 
         narrowed = False
 
-        addr_and_idx_to_block: dict[tuple[int, int], Block] = {}
+        addr_and_idx_to_block: dict[tuple[int, int | None], Block] = {}
         for block in self.func_graph.nodes():
             addr_and_idx_to_block[(block.addr, block.idx)] = block
 
@@ -424,6 +425,7 @@ class AILSimplifier(Analysis):
                 return ExprNarrowingInfo(False)
 
             block = self.blocks.get(old_block, old_block)
+            assert loc.stmt_idx is not None
             if loc.stmt_idx >= len(block.statements):
                 # missing a statement for whatever reason
                 return ExprNarrowingInfo(False)
@@ -551,14 +553,23 @@ class AILSimplifier(Analysis):
                 return None, None
             return expr.size, ("expr", (expr,))
 
-        first_op = walker.operations[0]
+        ops = walker.operations
+        first_op = ops[0]
+        if isinstance(first_op, BinaryOp) and first_op.op in {"Add", "Sub"}:
+            # expr + x
+            ops = ops[1:]
+            if not ops:
+                if expr is None:
+                    return None, None
+                return expr.size, ("expr", (expr,))
+            first_op = ops[0]
         if isinstance(first_op, Convert) and first_op.to_bits >= self.project.arch.byte_width:
             # we need at least one byte!
             return first_op.to_bits // self.project.arch.byte_width, ("convert", (first_op,))
         if isinstance(first_op, BinaryOp):
             second_op = None
-            if len(walker.operations) >= 2:
-                second_op = walker.operations[1]
+            if len(ops) >= 2:
+                second_op = ops[1]
             if (
                 first_op.op == "And"
                 and isinstance(first_op.operands[1], Const)
@@ -623,9 +634,9 @@ class AILSimplifier(Analysis):
             block = blocks_by_addr_and_idx[(block_addr, block_idx)]
 
             # only replace loads if there are stack arguments in this block
-            replace_loads = insn_addrs_using_stack_args is not None and {
-                stmt.ins_addr for stmt in block.statements
-            }.intersection(insn_addrs_using_stack_args)
+            replace_loads: bool = insn_addrs_using_stack_args is not None and bool(
+                {stmt.ins_addr for stmt in block.statements}.intersection(insn_addrs_using_stack_args)
+            )
 
             # remove virtual variables in the avoid list
             if self._avoid_vvar_ids:
@@ -662,7 +673,7 @@ class AILSimplifier(Analysis):
         if not equivalence:
             return simplified
 
-        addr_and_idx_to_block: dict[tuple[int, int], Block] = {}
+        addr_and_idx_to_block: dict[tuple[int, int | None], Block] = {}
         for block in self.func_graph.nodes():
             addr_and_idx_to_block[(block.addr, block.idx)] = block
 
@@ -943,6 +954,8 @@ class AILSimplifier(Analysis):
                     for use_loc in all_use_locs:
                         if use_loc == eq.codeloc:
                             continue
+                        assert use_loc.block_addr is not None
+                        assert use_loc.stmt_idx is not None
                         block = addr_and_idx_to_block[(use_loc.block_addr, use_loc.block_idx)]
                         stmt = block.statements[use_loc.stmt_idx]
                         if isinstance(stmt, Assignment) or (isinstance(replace_with, Load) and isinstance(stmt, Store)):
@@ -954,11 +967,15 @@ class AILSimplifier(Analysis):
 
                 remove_initial_assignment = False  # expression folding will take care of it
 
+            assert replace_with is not None
+
             if any(not isinstance(use_and_expr[1], VirtualVariable) for _, use_and_expr in all_uses_with_def):
                 # if any of the uses are phi assignments, we skip
                 used_in_phi_assignment = False
                 for _, use_and_expr in all_uses_with_def:
                     u = use_and_expr[0]
+                    assert u.block_addr is not None
+                    assert u.stmt_idx is not None
                     block = addr_and_idx_to_block[(u.block_addr, u.block_idx)]
                     stmt = block.statements[u.stmt_idx]
                     if is_phi_assignment(stmt):
@@ -1120,8 +1137,6 @@ class AILSimplifier(Analysis):
         than once after simplification and graph structuring where conditions might be duplicated (e.g., in Dream).
         In such cases, the one-use expression folder in RegionSimplifier will perform this transformation.
         """
-        # Disabled until https://github.com/angr/angr/issues/5112 and related folding issues are fixed
-        return False
 
         # pylint:disable=unreachable
         simplified = False
@@ -1130,7 +1145,7 @@ class AILSimplifier(Analysis):
         if not equivalence:
             return simplified
 
-        addr_and_idx_to_block: dict[tuple[int, int], Block] = {}
+        addr_and_idx_to_block: dict[tuple[int, int | None], Block] = {}
         for block in self.func_graph.nodes():
             addr_and_idx_to_block[(block.addr, block.idx)] = block
 
@@ -1168,6 +1183,8 @@ class AILSimplifier(Analysis):
                     ),
                     eq.codeloc,
                 )
+                assert the_def.codeloc.block_addr is not None
+                assert the_def.codeloc.stmt_idx is not None
 
                 all_uses: set[tuple[CodeLocation, Any]] = set(rd.get_vvar_uses_with_expr(the_def.atom))
 
@@ -1176,6 +1193,8 @@ class AILSimplifier(Analysis):
                 u, used_expr = next(iter(all_uses))
                 if used_expr is None:
                     continue
+                assert u.block_addr is not None
+                assert u.stmt_idx is not None
 
                 if u in def_locations_to_remove:
                     # this use site has been altered by previous folding attempts. the corresponding statement will be
@@ -1196,41 +1215,28 @@ class AILSimplifier(Analysis):
                 if u.block_addr not in {b.addr for b in super_node_blocks}:
                     continue
 
-                # check if the register has been overwritten by statements in between the def site and the use site
-                # usesite_atom_defs = set(rd.get_defs(the_def.atom, u, OP_BEFORE))
-                # if len(usesite_atom_defs) != 1:
-                #     continue
-                # usesite_atom_def = next(iter(usesite_atom_defs))
-                # if usesite_atom_def != the_def:
-                #     continue
-
-                # check if any atoms that the call relies on has been overwritten by statements in between the def site
-                # and the use site.
-                # TODO: Prove non-interference
-                # defsite_all_expr_uses = set(rd.all_uses.get_uses_by_location(the_def.codeloc))
-                # defsite_used_atoms = set()
-                # for dd in defsite_all_expr_uses:
-                #     defsite_used_atoms.add(dd.atom)
-                # usesite_expr_def_outdated = False
-                # for defsite_expr_atom in defsite_used_atoms:
-                #     usesite_expr_uses = set(rd.get_defs(defsite_expr_atom, u, OP_BEFORE))
-                #     if not usesite_expr_uses:
-                #         # the atom is not defined at the use site - it's fine
-                #         continue
-                #     defsite_expr_uses = set(rd.get_defs(defsite_expr_atom, the_def.codeloc, OP_BEFORE))
-                #     if usesite_expr_uses != defsite_expr_uses:
-                #         # special case: ok if this atom is assigned to at the def site and has not been overwritten
-                #         if len(usesite_expr_uses) == 1:
-                #             usesite_expr_use = next(iter(usesite_expr_uses))
-                #             if usesite_expr_use.atom == defsite_expr_atom and (
-                #                 usesite_expr_use.codeloc == the_def.codeloc
-                #                 or usesite_expr_use.codeloc.block_addr == call_addr
-                #             ):
-                #                 continue
-                #         usesite_expr_def_outdated = True
-                #         break
-                # if usesite_expr_def_outdated:
-                #     continue
+                # ensure there are no other calls between the def site and the use site.
+                # this is because we do not want to alter the order of calls.
+                u_inclusive = CodeLocation(u.block_addr, u.stmt_idx + 1, block_idx=u.block_idx)
+                # note that the target statement being a store is fine
+                if (
+                    has_call_in_between_stmts(
+                        self.func_graph,
+                        addr_and_idx_to_block,
+                        the_def.codeloc,
+                        u_inclusive,
+                        skip_if_contains_vvar=the_def.atom.varid,
+                    )
+                    or has_store_stmt_in_between_stmts(self.func_graph, addr_and_idx_to_block, the_def.codeloc, u)
+                    or has_load_expr_in_between_stmts(
+                        self.func_graph,
+                        addr_and_idx_to_block,
+                        the_def.codeloc,
+                        u_inclusive,
+                        skip_if_contains_vvar=the_def.atom.varid,
+                    )
+                ):
+                    continue
 
                 # check if there are any calls in between the def site and the use site
                 if self._count_calls_in_supernodeblocks(super_node_blocks, the_def.codeloc, u) > 0:
@@ -1316,8 +1322,8 @@ class AILSimplifier(Analysis):
         # keeping tracking of statements to remove and statements (as well as dead vvars) to keep allows us to handle
         # cases where a statement defines more than one atoms, e.g., a call statement that defines both the return
         # value and the floating-point return value.
-        stmts_to_remove_per_block: dict[tuple[int, int], set[int]] = defaultdict(set)
-        stmts_to_keep_per_block: dict[tuple[int, int], set[int]] = defaultdict(set)
+        stmts_to_remove_per_block: dict[tuple[int, int | None], set[int]] = defaultdict(set)
+        stmts_to_keep_per_block: dict[tuple[int, int | None], set[int]] = defaultdict(set)
         dead_vvar_ids: set[int] = set()
 
         # Find all statements that should be removed
@@ -1344,6 +1350,7 @@ class AILSimplifier(Analysis):
                             pass
                         elif stackarg_offsets is not None:
                             # we always remove definitions for stack arguments
+                            assert def_.atom.stack_offset is not None
                             if (def_.atom.stack_offset & mask) not in stackarg_offsets:
                                 continue
                         else:
@@ -1364,10 +1371,15 @@ class AILSimplifier(Analysis):
                     dead_vvar_ids.add(def_.atom.varid)
 
                 if not isinstance(def_.codeloc, ExternalCodeLocation):
+                    assert def_.codeloc.block_addr is not None
+                    assert def_.codeloc.stmt_idx is not None
                     stmts_to_remove_per_block[(def_.codeloc.block_addr, def_.codeloc.block_idx)].add(
                         def_.codeloc.stmt_idx
                     )
             else:
+                if not isinstance(def_.codeloc, ExternalCodeLocation):
+                    assert def_.codeloc.block_addr is not None
+                    assert def_.codeloc.stmt_idx is not None
                 stmts_to_keep_per_block[(def_.codeloc.block_addr, def_.codeloc.block_idx)].add(def_.codeloc.stmt_idx)
 
         # find all phi variables that rely on variables that no longer exist
@@ -1380,6 +1392,7 @@ class AILSimplifier(Analysis):
                     vvarid in removed_vvar_ids for vvarid in phi_use_varids
                 ):
                     loc = rd.all_vvar_definitions[rd.varid_to_vvar[phi_varid]]
+                    assert loc.block_addr is not None and loc.stmt_idx is not None
                     stmts_to_remove_per_block[(loc.block_addr, loc.block_idx)].add(loc.stmt_idx)
                     new_removed_vvar_ids.add(phi_varid)
                     all_removed_var_ids.add(phi_varid)
@@ -1391,11 +1404,13 @@ class AILSimplifier(Analysis):
         redundant_phi_and_dirty_varids = self._find_cyclic_dependent_phis_and_dirty_vvars(rd)
         for varid in redundant_phi_and_dirty_varids:
             loc = rd.all_vvar_definitions[rd.varid_to_vvar[varid]]
+            assert loc.block_addr is not None and loc.stmt_idx is not None
             stmts_to_remove_per_block[(loc.block_addr, loc.block_idx)].add(loc.stmt_idx)
             stmts_to_keep_per_block[(loc.block_addr, loc.block_idx)].discard(loc.stmt_idx)
 
         for codeloc in self._calls_to_remove | self._assignments_to_remove:
             # this call can be removed. make sure it exists in stmts_to_remove_per_block
+            assert codeloc.block_addr is not None and codeloc.stmt_idx is not None
             stmts_to_remove_per_block[codeloc.block_addr, codeloc.block_idx].add(codeloc.stmt_idx)
 
         simplified = False
@@ -1565,7 +1580,7 @@ class AILSimplifier(Analysis):
         if rewriter_cls is None:
             return False
 
-        walker = None
+        walker = AILBlockWalker()
 
         class _any_update:
             """
@@ -1574,7 +1589,9 @@ class AILSimplifier(Analysis):
 
             v = False
 
-        def _handle_expr(expr_idx: int, expr: Expression, stmt_idx: int, stmt: Statement, block) -> Expression | None:
+        def _handle_expr(
+            expr_idx: int, expr: Expression, stmt_idx: int, stmt: Statement | None, block: Block | None
+        ) -> Expression | None:
             if isinstance(expr, VEXCCallExpression):
                 rewriter = rewriter_cls(expr, self.project.arch)
                 if rewriter.result is not None:
@@ -1585,8 +1602,6 @@ class AILSimplifier(Analysis):
             return AILBlockWalker._handle_expr(walker, expr_idx, expr, stmt_idx, stmt, block)
 
         blocks_by_addr_and_idx = {(node.addr, node.idx): node for node in self.func_graph.nodes()}
-
-        walker = AILBlockWalker()
         walker._handle_expr = _handle_expr
 
         updated = False