angr 9.2.139__py3-none-macosx_10_9_x86_64.whl → 9.2.141__py3-none-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.139"
+__version__ = "9.2.141"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -33,6 +33,7 @@ from angr.knowledge_plugins.key_definitions.rd_model import ReachingDefinitionsM
 from angr.knowledge_plugins.variables.variable_access import VariableAccessSort
 from angr.knowledge_plugins.functions import Function
 from angr.utils.constants import DEFAULT_STATEMENT
+from angr.utils.ssa import get_reg_offset_base_and_size, get_reg_offset_base
 from angr import SIM_PROCEDURES
 from angr.analyses import Analysis, register_analysis, ReachingDefinitionsAnalysis
 from angr.analyses.reaching_definitions import get_all_definitions
@@ -150,6 +151,8 @@ class CallingConventionAnalysis(Analysis):
         The major analysis routine.
         """
 
+        assert self._function is not None
+
         if self._function.is_simprocedure:
             hooker = self.project.hooked_by(self._function.addr)
             if isinstance(
@@ -200,8 +203,8 @@ class CallingConventionAnalysis(Analysis):
                         )
                         if prototype.args:
                             break
-                self.cc = cc
-                self.prototype = prototype
+                self.cc = cc  # type: ignore
+                self.prototype = prototype  # type: ignore
             return
         if self._function.is_plt:
             r = self._analyze_plt()
@@ -218,23 +221,33 @@ class CallingConventionAnalysis(Analysis):
             if self.analyze_callsites:
                 # only take the first 3 because running reaching definition analysis on all functions is costly
                 callsite_facts = self._extract_and_analyze_callsites(max_analyzing_callsites=3)
-                prototype = self._adjust_prototype(
-                    prototype, callsite_facts, update_arguments=UpdateArgumentsOption.UpdateWhenCCHasNoArgs
+                prototype = (
+                    self._adjust_prototype(
+                        prototype, callsite_facts, update_arguments=UpdateArgumentsOption.UpdateWhenCCHasNoArgs
+                    )
+                    if prototype is not None
+                    else None
                 )
 
             self.cc = cc
             self.prototype = prototype
 
     def _analyze_callsite_only(self):
+        assert self.caller_func_addr is not None
+        assert self.callsite_block_addr is not None
+        assert self.callsite_insn_addr is not None
+        cc, prototype = None, None
+
         for include_callsite_preds in [False, True]:
-            callsite_facts = [
-                self._analyze_callsite(
-                    self.caller_func_addr,
-                    self.callsite_block_addr,
-                    self.callsite_insn_addr,
-                    include_preds=include_callsite_preds,
-                )
-            ]
+            fact = self._analyze_callsite(
+                self.caller_func_addr,
+                self.callsite_block_addr,
+                self.callsite_insn_addr,
+                include_preds=include_callsite_preds,
+            )
+            if fact is None:
+                continue
+            callsite_facts = [fact]
             cc_cls = default_cc(
                 self.project.arch.name,
                 platform=(
@@ -252,12 +265,13 @@ class CallingConventionAnalysis(Analysis):
         self.cc = cc
         self.prototype = prototype
 
-    def _analyze_plt(self) -> tuple[SimCC, SimTypeFunction] | None:
+    def _analyze_plt(self) -> tuple[SimCC, SimTypeFunction | None] | None:
         """
         Get the calling convention for a PLT stub.
 
         :return:    A calling convention.
         """
+        assert self._function is not None
 
         if len(self._function.jumpout_sites) != 1:
             l.warning(
@@ -283,6 +297,14 @@ class CallingConventionAnalysis(Analysis):
             real_func = None
 
         if real_func is not None:
+            if real_func.calling_convention is None:
+                cc_cls = default_cc(self.project.arch.name)
+                if cc_cls is None:
+                    # can't determine the default calling convention for this architecture
+                    return None
+                cc = cc_cls(self.project.arch)
+            else:
+                cc = real_func.calling_convention
             if real_func.is_simprocedure:
                 if self.project.is_hooked(real_func.addr):
                     # prioritize the hooker
@@ -290,17 +312,20 @@ class CallingConventionAnalysis(Analysis):
                     if hooker is not None and (
                         not hooker.is_stub or (hooker.is_function and not hooker.guessed_prototype)
                     ):
-                        return real_func.calling_convention, hooker.prototype
-                if real_func.calling_convention and real_func.prototype:
-                    return real_func.calling_convention, real_func.prototype
+                        return cc, hooker.prototype
+                if real_func.prototype is not None:
+                    return cc, real_func.prototype
             else:
-                return real_func.calling_convention, real_func.prototype
+                return cc, real_func.prototype
 
         if self.analyze_callsites:
             # determine the calling convention by analyzing its callsites
             callsite_facts = self._extract_and_analyze_callsites(max_analyzing_callsites=1)
             cc_cls = default_cc(self.project.arch.name)
-            cc = cc_cls(self.project.arch) if cc_cls is not None else None
+            if cc_cls is None:
+                # can't determine the default calling convention for this architecture
+                return None
+            cc = cc_cls(self.project.arch)
             prototype = SimTypeFunction([], None)
             prototype = self._adjust_prototype(
                 prototype, callsite_facts, update_arguments=UpdateArgumentsOption.AlwaysUpdate
@@ -314,6 +339,7 @@ class CallingConventionAnalysis(Analysis):
         Go over the variable information in variable manager for this function, and return all uninitialized
         register/stack variables.
         """
+        assert self._function is not None
 
         if self._function.is_simprocedure or self._function.is_plt:
             # we do not analyze SimProcedures or PLT stubs
@@ -328,7 +354,7 @@ class CallingConventionAnalysis(Analysis):
             input_variables = vm.input_variables()
             input_args = self._args_from_vars(input_variables, vm)
         else:
-            input_args = self._input_args
+            input_args = set(self._input_args)
             retval_size = self._retval_size
 
         # check if this function is a variadic function
@@ -341,8 +367,14 @@ class CallingConventionAnalysis(Analysis):
         # TODO: properly determine sp_delta
         sp_delta = self.project.arch.bytes if self.project.arch.call_pushes_ret else 0
 
-        input_args = list(input_args)  # input_args might be modified by find_cc()
-        cc = SimCC.find_cc(self.project.arch, input_args, sp_delta, platform=self.project.simos.name)
+        full_input_args = self._consolidate_input_args(input_args)
+        full_input_args_copy = list(full_input_args)  # input_args might be modified by find_cc()
+        cc = SimCC.find_cc(self.project.arch, full_input_args_copy, sp_delta, platform=self.project.simos.name)
+
+        # update input_args according to the difference between full_input_args and full_input_args_copy
+        for a in full_input_args:
+            if a not in full_input_args_copy and a in input_args:
+                input_args.remove(a)
 
         if cc is None:
             l.warning(
@@ -403,6 +435,8 @@ class CallingConventionAnalysis(Analysis):
         returns anything or not.
         """
 
+        assert self._function is not None
+
         if self._cfg is None:
             l.warning("CFG is not provided. Skip calling convention analysis at call sites.")
             return []
@@ -641,12 +675,6 @@ class CallingConventionAnalysis(Analysis):
             else:
                 break
 
-        if None in temp_args:
-            first_none_idx = temp_args.index(None)
-            # test if there is at least one argument set after None; if so, we ignore the first None
-            if any(arg is not None for arg in temp_args[first_none_idx:]):
-                temp_args[first_none_idx] = expected_args[first_none_idx]
-
         if None in temp_args:
             # we be very conservative here and ignore all arguments starting from the first missing one
             first_none_idx = temp_args.index(None)
@@ -656,29 +684,27 @@ class CallingConventionAnalysis(Analysis):
 
     def _adjust_prototype(
         self,
-        proto: SimTypeFunction | None,
+        proto: SimTypeFunction,
         facts: list[CallSiteFact],
         update_arguments: int = UpdateArgumentsOption.DoNotUpdate,
-    ) -> SimTypeFunction | None:
-        if proto is None:
-            return None
-
+    ) -> SimTypeFunction:
         # is the return value used anywhere?
         if facts:
             if all(fact.return_value_used is False for fact in facts):
                 proto.returnty = SimTypeBottom(label="void")
             else:
-                proto.returnty = SimTypeInt().with_arch(self.project.arch)
+                if proto.returnty is None or isinstance(proto.returnty, SimTypeBottom):
+                    proto.returnty = SimTypeInt().with_arch(self.project.arch)
 
         if (
             update_arguments == UpdateArgumentsOption.AlwaysUpdate
             or (update_arguments == UpdateArgumentsOption.UpdateWhenCCHasNoArgs and not proto.args)
         ) and len({len(fact.args) for fact in facts}) == 1:
             fact = next(iter(facts))
-            proto.args = [
+            proto.args = tuple(
                 self._guess_arg_type(arg) if arg is not None else SimTypeInt().with_arch(self.project.arch)
                 for arg in fact.args
-            ]
+            )
 
         return proto
 
@@ -691,6 +717,8 @@ class CallingConventionAnalysis(Analysis):
         :return:
         """
 
+        assert self._function is not None
+
         args = set()
         ret_addr_offset = 0 if not self.project.arch.call_pushes_ret else self.project.arch.bytes
 
@@ -715,13 +743,8 @@ class CallingConventionAnalysis(Analysis):
                 # a register variable, convert it to a register argument
                 if not is_sane_register_variable(self.project.arch, variable.reg, variable.size, def_cc=def_cc):
                     continue
-                if self.project.arch.name in {"AMD64", "X86"} and variable.size < self.project.arch.bytes:
-                    # use complete registers on AMD64 and X86
-                    reg_name = self.project.arch.translate_register_name(variable.reg, size=self.project.arch.bytes)
-                    arg = SimRegArg(reg_name, self.project.arch.bytes)
-                else:
-                    reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
-                    arg = SimRegArg(reg_name, variable.size)
+                reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
+                arg = SimRegArg(reg_name, variable.size)
                 args.add(arg)
 
                 accesses = var_manager.get_variable_accesses(variable)
@@ -763,15 +786,58 @@ class CallingConventionAnalysis(Analysis):
 
         return args.difference(restored_reg_vars)
 
-    def _reorder_args(self, args: list[SimRegArg | SimStackArg], cc: SimCC) -> list[SimRegArg | SimStackArg]:
+    def _consolidate_input_args(self, input_args: set[SimRegArg | SimStackArg]) -> set[SimRegArg | SimStackArg]:
+        """
+        Consolidate register arguments by converting partial registers to full registers on certain architectures.
+
+        :param input_args:  A set of input arguments.
+        :return:            A set of consolidated input args.
+        """
+
+        if self.project.arch.name in {"AMD64", "X86"}:
+            new_input_args = set()
+            for a in input_args:
+                if isinstance(a, SimRegArg) and a.size < self.project.arch.bytes:
+                    # use complete registers on AMD64 and X86
+                    reg_offset, reg_size = self.project.arch.registers[a.reg_name]
+                    full_reg_offset, full_reg_size = get_reg_offset_base_and_size(
+                        reg_offset, self.project.arch, size=reg_size
+                    )
+                    full_reg_name = self.project.arch.translate_register_name(full_reg_offset, size=full_reg_size)
+                    arg = SimRegArg(full_reg_name, full_reg_size)
+                    if arg not in new_input_args:
+                        new_input_args.add(arg)
+                else:
+                    new_input_args.add(a)
+            return new_input_args
+
+        return input_args
+
+    def _reorder_args(self, args: set[SimRegArg | SimStackArg], cc: SimCC) -> list[SimRegArg | SimStackArg]:
         """
         Reorder arguments according to the calling convention identified.
 
-        :param args:   A list of arguments that haven't been ordered.
+        :param args:   A set of arguments that haven't been ordered.
         :param cc:    The identified calling convention.
         :return:            A reordered list of args.
         """
 
+        def _is_same_reg(rn0: str, rn1: str) -> bool:
+            """
+            Check if rn0 and rn1 belong to the same base register.
+
+            :param rn0:     Register name of the first register.
+            :param rn1:     Register name of the second register.
+            :return:        True if they belong to the same base register; False otherwise.
+            """
+            if rn0 == rn1:
+                return True
+            off0, sz0 = self.project.arch.registers[rn0]
+            full_off0 = get_reg_offset_base(off0, self.project.arch, sz0)
+            off1, sz1 = self.project.arch.registers[rn1]
+            full_off1 = get_reg_offset_base(off1, self.project.arch, sz1)
+            return full_off0 == full_off1
+
         reg_args = []
 
         # split args into two lists
@@ -790,7 +856,7 @@ class CallingConventionAnalysis(Analysis):
         # match int args first
         for reg_name in cc.ARG_REGS:
             try:
-                arg = next(iter(a for a in int_args if isinstance(a, SimRegArg) and a.reg_name == reg_name))
+                arg = next(iter(a for a in int_args if isinstance(a, SimRegArg) and _is_same_reg(a.reg_name, reg_name)))
             except StopIteration:
                 # have we reached the end of the args list?
                 if [a for a in int_args if isinstance(a, SimRegArg)] or len(stack_int_args) > 0:
@@ -806,7 +872,9 @@ class CallingConventionAnalysis(Analysis):
         if fp_args:
             for reg_name in cc.FP_ARG_REGS:
                 try:
-                    arg = next(iter(a for a in fp_args if isinstance(a, SimRegArg) and a.reg_name == reg_name))
+                    arg = next(
+                        iter(a for a in fp_args if isinstance(a, SimRegArg) and _is_same_reg(a.reg_name, reg_name))
+                    )
                 except StopIteration:
                     # have we reached the end of the args list?
                     if [a for a in fp_args if isinstance(a, SimRegArg)] or len(stack_fp_args) > 0:
@@ -839,17 +907,27 @@ class CallingConventionAnalysis(Analysis):
         return SimTypeBottom()
 
     def _guess_retval_type(self, cc: SimCC, ret_val_size: int | None) -> SimType:
+        assert self._function is not None
+
         if cc.FP_RETURN_VAL and self._function.ret_sites:
             # examine the last block of the function and see which registers are assigned to
             for ret_block in self._function.ret_sites:
+                fpretval_updated, retval_updated = False, False
+                fp_reg_size = 0
                 irsb = self.project.factory.block(ret_block.addr, size=ret_block.size).vex
                 for stmt in irsb.statements:
                     if isinstance(stmt, Put) and isinstance(stmt.data, RdTmp):
-                        reg_size = irsb.tyenv.sizeof(stmt.data.tmp) // self.project.arch.byte_width
+                        reg_size = irsb.tyenv.sizeof(stmt.data.tmp) // self.project.arch.byte_width  # type: ignore
                         reg_name = self.project.arch.translate_register_name(stmt.offset, size=reg_size)
-                        if reg_name == cc.FP_RETURN_VAL.reg_name:
-                            # possibly float
-                            return SimTypeFloat() if reg_size == 4 else SimTypeDouble()
+                        if isinstance(cc.FP_RETURN_VAL, SimRegArg) and reg_name == cc.FP_RETURN_VAL.reg_name:
+                            fpretval_updated = True
+                            fp_reg_size = reg_size
+                        elif isinstance(cc.RETURN_VAL, SimRegArg) and reg_name == cc.RETURN_VAL.reg_name:
+                            retval_updated = True
+
+                if fpretval_updated and not retval_updated:
+                    # possibly float
+                    return SimTypeFloat() if fp_reg_size == 4 else SimTypeDouble()
 
         if ret_val_size is not None:
             if ret_val_size == 1:
@@ -861,12 +939,15 @@ class CallingConventionAnalysis(Analysis):
             if 5 <= ret_val_size <= 8:
                 return SimTypeLongLong()
 
-        # fallback
-        return SimTypeInt() if cc.arch.bits == 32 else SimTypeLongLong()
+        return SimTypeBottom(label="void")
 
     @staticmethod
     def _likely_saving_temp_reg(ail_block: ailment.Block, d: Definition, all_reg_defs: set[Definition]) -> bool:
-        if d.codeloc.block_addr == ail_block.addr and d.codeloc.stmt_idx < len(ail_block.statements):
+        if (
+            d.codeloc.block_addr == ail_block.addr
+            and d.codeloc.stmt_idx is not None
+            and d.codeloc.stmt_idx < len(ail_block.statements)
+        ):
             stmt = ail_block.statements[d.codeloc.stmt_idx]
             if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.Register):
                 src_offset = stmt.src.reg_offset
@@ -884,6 +965,8 @@ class CallingConventionAnalysis(Analysis):
         # TODO: Use a better pattern matching approach
         if len(func.block_addrs_set) < 3:
             return False, None
+        if func.startpoint is None:
+            return False, None
 
         head = func.startpoint
         out_edges = list(func.transition_graph.out_edges(head, data=True))

angr/analyses/calling_convention/fact_collector.py

@@ -90,7 +90,7 @@ binop_handler = SimEngineNostmtVEX[FactCollectorState, claripy.ast.BV, FactColle
 
 class SimEngineFactCollectorVEX(
     SimEngineNostmtVEX[FactCollectorState, SpOffset | RegisterOffset | int, None],
-    SimEngineLight[type[FactCollectorState], SpOffset | RegisterOffset | int, Block, None],
+    SimEngineLight[FactCollectorState, SpOffset | RegisterOffset | int, Block, None],
 ):
     """
     THe engine for FactCollector.
@@ -101,7 +101,7 @@ class SimEngineFactCollectorVEX(
         super().__init__(project)
 
     def _process_block_end(self, stmt_result: list, whitelist: set[int] | None) -> None:
-        if self.block.vex.jumpkind == "Ijk_Call":
+        if self.block.vex.jumpkind == "Ijk_Call" and self.arch.ret_offset is not None:
             self.state.register_written(self.arch.ret_offset, self.arch.bytes)
 
     def _top(self, bits: int):
@@ -110,7 +110,7 @@ class SimEngineFactCollectorVEX(
     def _is_top(self, expr: Any) -> bool:
         raise NotImplementedError
 
-    def _handle_conversion(self, from_size: int, to_size: int, signed: bool, operand: pyvex.IRExpr) -> Any:
+    def _handle_conversion(self, from_size: int, to_size: int, signed: bool, operand: pyvex.expr.IRExpr) -> Any:
         return None
 
     def _handle_stmt_Put(self, stmt):
@@ -142,9 +142,9 @@ class SimEngineFactCollectorVEX(
         return expr.con.value
 
     def _handle_expr_GSPTR(self, expr):
-        return None
+        return 0
 
-    def _handle_expr_Get(self, expr) -> SpOffset | None:
+    def _handle_expr_Get(self, expr) -> SpOffset | RegisterOffset:
         if expr.offset == self.arch.sp_offset:
             return SpOffset(self.arch.bits, self.state.sp_value, is_base=False)
         if expr.offset == self.arch.bp_offset and not self.bp_as_gpr:
@@ -304,7 +304,10 @@ class FactCollector(Analysis):
 
     def _handle_function(self, state: FactCollectorState, func: Function) -> None:
         try:
-            arg_locs = func.calling_convention.arg_locs(func.prototype)
+            if func.calling_convention is not None and func.prototype is not None:
+                arg_locs = func.calling_convention.arg_locs(func.prototype)
+            else:
+                return
         except (TypeError, ValueError):
             return
 
@@ -355,6 +358,7 @@ class FactCollector(Analysis):
 
                 if isinstance(node, BlockNode) and node.size == 0:
                     continue
+
                 if isinstance(node, HookNode):
                     # attempt to convert it into a function
                     if self.kb.functions.contains_addr(node.addr):
@@ -369,17 +373,43 @@ class FactCollector(Analysis):
                         and not isinstance(node.prototype.returnty, SimTypeBottom)
                     ):
                         # assume the function overwrites the return variable
-                        retval_size = (
-                            node.prototype.returnty.with_arch(self.project.arch).size // self.project.arch.byte_width
-                        )
+                        returnty_size = node.prototype.returnty.with_arch(self.project.arch).size
+                        assert returnty_size is not None
+                        retval_size = returnty_size // self.project.arch.byte_width
                         retval_sizes.append(retval_size)
                     continue
 
+                # if this block ends with a call to a function, we process the function first
+                func_succs = [
+                    succ
+                    for succ in func_graph.successors(node)
+                    if isinstance(succ, (Function, HookNode)) or self.kb.functions.contains_addr(succ.addr)
+                ]
+                if len(func_succs) == 1:
+                    func_succ = func_succs[0]
+                    if isinstance(func_succ, (BlockNode, HookNode)) and self.kb.functions.contains_addr(func_succ.addr):
+                        # attempt to convert it into a function
+                        func_succ = self.kb.functions.get_by_addr(func_succ.addr)
+                    if isinstance(func_succ, Function):
+                        if (
+                            func_succ.calling_convention is not None
+                            and func_succ.prototype is not None
+                            and func_succ.prototype.returnty is not None
+                            and not isinstance(func_succ.prototype.returnty, SimTypeBottom)
+                        ):
+                            # assume the function overwrites the return variable
+                            returnty_size = func_succ.prototype.returnty.with_arch(self.project.arch).size
+                            assert returnty_size is not None
+                            retval_size = returnty_size // self.project.arch.byte_width
+                            retval_sizes.append(retval_size)
+                        continue
+
                 block = self.project.factory.block(node.addr, size=node.size)
                 # scan the block statements backwards to find writes to the return value register
                 retval_size = None
                 for stmt in reversed(block.vex.statements):
                     if isinstance(stmt, pyvex.IRStmt.Put):
+                        assert block.vex.tyenv is not None
                         size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
                         if stmt.offset == retreg_offset:
                             retval_size = max(size, 1)
@@ -391,9 +421,9 @@ class FactCollector(Analysis):
                 for pred, _, data in func_graph.in_edges(node, data=True):
                     edge_type = data.get("type")
                     if pred not in traversed and depth + 1 <= self._max_depth:
-                        if edge_type == "fake_return":
+                        if edge_type == "call":
                             continue
-                        if edge_type in {"transition", "call"}:
+                        if edge_type in {"transition", "fake_return"}:
                             queue.append((depth + 1, pred))
 
         self.retval_size = max(retval_sizes) if retval_sizes else None
@@ -472,6 +502,7 @@ class FactCollector(Analysis):
                                 ):
                                     tmps[stmt.tmp] = "sp"
                     if isinstance(stmt, pyvex.IRStmt.Put):
+                        assert block.vex.tyenv is not None
                         size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
                         # is the data loaded from the stack?
                         if (
@@ -532,13 +563,8 @@ class FactCollector(Analysis):
                 ):
                     continue
                 reg_offset_created.add(offset)
-                if self.project.arch.name in {"AMD64", "X86"} and size < self.project.arch.bytes:
-                    # use complete registers on AMD64 and X86
-                    reg_name = self.project.arch.translate_register_name(offset, size=self.project.arch.bytes)
-                    arg = SimRegArg(reg_name, self.project.arch.bytes)
-                else:
-                    reg_name = self.project.arch.translate_register_name(offset, size=size)
-                    arg = SimRegArg(reg_name, size)
+                reg_name = self.project.arch.translate_register_name(offset, size=size)
+                arg = SimRegArg(reg_name, size)
                 self.input_args.append(arg)
 
         stack_offset_created = set()

angr/analyses/calling_convention/utils.py

@@ -9,7 +9,9 @@ from angr.calling_conventions import SimCC
 l = logging.getLogger(__name__)
 
 
-def is_sane_register_variable(arch: archinfo.Arch, reg_offset: int, reg_size: int, def_cc: SimCC | None = None) -> bool:
+def is_sane_register_variable(
+    arch: archinfo.Arch, reg_offset: int, reg_size: int, def_cc: SimCC | type[SimCC] | None = None
+) -> bool:
     """
     Filters all registers that are surly not members of function arguments.
     This can be seen as a workaround, since VariableRecoveryFast sometimes gives input variables of cc_ndep (which

angr/analyses/cfg/cfg_base.py

@@ -1421,6 +1421,19 @@ class CFGBase(Analysis):
                 # We gotta create a new one
                 l.error("normalize(): Please report it to Fish.")
 
+        # update the jump tables dict and the indirect jumps dict
+        if smallest_node.addr not in self.model.jump_tables:
+            for n in other_nodes:
+                if n.addr in self.model.jump_tables:
+                    self.model.jump_tables[n.addr].addr = smallest_node.addr
+                    self.model.jump_tables[smallest_node.addr] = self.model.jump_tables[n.addr]
+                    break
+        if smallest_node.addr not in self.indirect_jumps:
+            for n in other_nodes:
+                if n.addr in self.indirect_jumps:
+                    self.indirect_jumps[n.addr].addr = smallest_node.addr
+                    self.indirect_jumps[smallest_node.addr] = self.indirect_jumps[n.addr]
+                    break
         # deal with duplicated entries in self.jump_tables and self.indirect_jumps
         if smallest_node.addr in self.model.jump_tables:
             for n in other_nodes:

angr/analyses/cfg/cfg_fast.py

@@ -1524,6 +1524,17 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 }:
                     func.info["is_rust_probestack"] = True
 
+            # determine if the function is __alloca_probe
+            if func is not None and len(func.block_addrs_set) == 4:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"H\x83\xec\x10L\x89\x14$L\x89\\$\x08M3\xdbL\x8dT$\x18L+\xd0M\x0fB\xd3eL\x8b\x1c%\x10\x00\x00\x00M;\xd3s\x16",
+                    b"fA\x81\xe2\x00\xf0M\x8d\x9b\x00\xf0\xff\xffA\xc6\x03\x00M;\xd3u\xf0",
+                    b"M\x8d\x9b\x00\xf0\xff\xffA\xc6\x03\x00M;\xd3u\xf0",
+                    b"L\x8b\x14$L\x8b\\$\x08H\x83\xc4\x10\xc3",
+                }:
+                    func.info["is_alloca_probe"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -182,23 +182,24 @@ class ConstantValueManager:
 
         # determine blocks to run FCP on
 
-        # - include at most three levels of successors from the entrypoint
+        # - include at most three levels of superblock successors from the entrypoint
         startpoint = self.func.startpoint
         blocks = set()
-        succs = [startpoint]
-        for _ in range(3):
+        succ_and_levels = [(startpoint, 0)]
+        while succ_and_levels:
             new_succs = []
-            for node in succs:
+            for node, level in succ_and_levels:
                 if node in blocks:
                     continue
                 blocks.add(node)
                 if node.addr == self.indirect_jump_addr:
                     # stop at the indirect jump block
                     continue
-                new_succs += list(self.func.graph.successors(node))
-            succs = new_succs
-            if not succs:
-                break
+                for _, succ, data in self.func.graph.out_edges(node, data=True):
+                    new_level = level if data.get("type") == "fake_return" else level + 1
+                    if new_level <= 3:
+                        new_succs.append((succ, new_level))
+            succ_and_levels = new_succs
 
         # - include at most six levels of predecessors from the indirect jump block
         ij_block = self.func.get_node(self.indirect_jump_addr)