angr 9.2.139__py3-none-manylinux2014_aarch64.whl → 9.2.141__py3-none-manylinux2014_aarch64.whl

angr/analyses/typehoon/simple_solver.py

@@ -5,6 +5,7 @@ from collections import defaultdict
 import logging
 
 import networkx
+from sortedcontainers import SortedDict
 
 from angr.utils.constants import MAX_POINTSTO_BITS
 from .typevars import (
@@ -1165,25 +1166,45 @@ class SimpleSolver:
             # this might be a struct
             fields = {}
 
-            candidate_bases = defaultdict(set)
+            candidate_bases = SortedDict()
 
             for labels, _succ in path_and_successors:
                 last_label = labels[-1] if labels else None
                 if isinstance(last_label, HasField):
                     # TODO: Really determine the maximum possible size of the field when MAX_POINTSTO_BITS is in use
+                    if last_label.offset not in candidate_bases:
+                        candidate_bases[last_label.offset] = set()
                     candidate_bases[last_label.offset].add(
                         1 if last_label.bits == MAX_POINTSTO_BITS else (last_label.bits // 8)
                     )
 
+            # determine possible bases and map each offset to its base
+            offset_to_base = SortedDict()
+            for start_offset, sizes in candidate_bases.items():
+                for size in sizes:
+                    for i in range(size):
+                        access_off = start_offset + i
+                        if access_off not in offset_to_base:
+                            offset_to_base[access_off] = start_offset
+
+            # determine again the maximum size of each field (at each offset)
+            offset_to_maxsize = defaultdict(int)
+            offset_to_sizes = defaultdict(set)  # we do not consider offsets to each base offset
+            for labels, _succ in path_and_successors:
+                last_label = labels[-1] if labels else None
+                if isinstance(last_label, HasField):
+                    base = offset_to_base[last_label.offset]
+                    access_size = 1 if last_label.bits == MAX_POINTSTO_BITS else (last_label.bits // 8)
+                    offset_to_maxsize[base] = max(offset_to_maxsize[base], (last_label.offset - base) + access_size)
+                    offset_to_sizes[base].add(access_size)
+
             node_to_base = {}
 
             for labels, succ in path_and_successors:
                 last_label = labels[-1] if labels else None
                 if isinstance(last_label, HasField):
-                    for start_offset, sizes in candidate_bases.items():
-                        for size in sizes:
-                            if last_label.offset > start_offset and last_label.offset < start_offset + size:  # ???
-                                node_to_base[succ] = start_offset
+                    prev_offset = next(offset_to_base.irange(maximum=last_label.offset, reverse=True))
+                    node_to_base[succ] = offset_to_base[prev_offset]
 
             node_by_offset = defaultdict(set)
 
@@ -1195,16 +1216,33 @@ class SimpleSolver:
                     else:
                         node_by_offset[last_label.offset].add(succ)
 
-            for offset, child_nodes in node_by_offset.items():
+            sorted_offsets: list[int] = sorted(node_by_offset)
+            for i in range(len(sorted_offsets)):  # pylint:disable=consider-using-enumerate
+                offset = sorted_offsets[i]
+
+                child_nodes = node_by_offset[offset]
                 sol = self._determine(equivalent_classes, the_typevar, sketch, solution, nodes=child_nodes)
                 if isinstance(sol, TopType):
-                    sol = int_type(min(candidate_bases[offset]) * 8)
+                    # make it an array if possible
+                    elem_size = min(offset_to_sizes[offset])
+                    array_size = offset_to_maxsize[offset]
+                    if array_size % elem_size != 0:
+                        # fall back to byte_t
+                        elem_size = 1
+                    elem_type = int_type(elem_size * 8)
+                    sol = elem_type if array_size == elem_size else Array(elem_type, array_size // elem_size)
                 fields[offset] = sol
 
             if not fields:
                 result = Top_
                 for node in nodes:
                     self._solution_cache[node.typevar] = result
+                    solution[node.typevar] = result
+            elif any(off < 0 for off in fields):
+                result = self._pointer_class()(Bottom_)
+                for node in nodes:
+                    self._solution_cache[node.typevar] = result
+                    solution[node.typevar] = result
             else:
                 # back-patch
                 struct_type.fields = fields

angr/analyses/typehoon/typeconsts.py

@@ -42,7 +42,7 @@ class TypeConstant:
             raise NotImplementedError
         return self.SIZE
 
-    def __repr__(self, memo=None):
+    def __repr__(self, memo=None) -> str:
         raise NotImplementedError
 
 
@@ -57,7 +57,7 @@ class BottomType(TypeConstant):
 
 
 class Int(TypeConstant):
-    def __repr__(self, memo=None):
+    def __repr__(self, memo=None) -> str:
         return "intbase"
 
 
@@ -82,14 +82,14 @@ class Int16(Int):
 class Int32(Int):
     SIZE = 4
 
-    def __repr__(self, memo=None):
+    def __repr__(self, memo=None) -> str:
         return "int32"
 
 
 class Int64(Int):
     SIZE = 8
 
-    def __repr__(self, memo=None):
+    def __repr__(self, memo=None) -> str:
         return "int64"
 
 
@@ -115,7 +115,7 @@ class Int512(Int):
 
 
 class FloatBase(TypeConstant):
-    def __repr__(self, memo=None):
+    def __repr__(self, memo=None) -> str:
         return "floatbase"
 
 
@@ -185,6 +185,12 @@ class Array(TypeConstant):
         self.element: TypeConstant | None = element
         self.count: int | None = count
 
+    @property
+    def size(self) -> int:
+        if not self.count or not self.element:
+            return 0
+        return self.element.size * self.count
+
     @memoize
     def __repr__(self, memo=None):
         if self.count is None:
@@ -221,6 +227,13 @@ class Struct(TypeConstant):
         tpl = tuple((k, self.fields[k]._hash(visited) if self.fields[k] is not None else None) for k in keys)
         return hash(tpl)
 
+    @property
+    def size(self) -> int:
+        if not self.fields:
+            return 0
+        max_field_off = max(self.fields.keys())
+        return max_field_off + self.fields[max_field_off].size
+
     @memoize
     def __repr__(self, memo=None):
         prefix = "struct"

angr/analyses/variable_recovery/engine_ail.py

@@ -333,7 +333,7 @@ class SimEngineVRAIL(
         tvs = set()
         for _, vvar in expr.src_and_vvars:
             if vvar is not None:
-                r = self._read_from_vvar(vvar, expr=expr, vvar_id=self._mapped_vvarid(vvar.varid))
+                r = self._read_from_vvar(vvar, expr=vvar, vvar_id=self._mapped_vvarid(vvar.varid))
                 if r.typevar is not None:
                     tvs.add(r.typevar)
 

angr/analyses/variable_recovery/engine_base.py

@@ -430,6 +430,7 @@ class SimEngineVRBase(
                 self.state.variable_manager[self.func_addr].add_variable("register", vvar.oident, variable)
             elif vvar.was_tmp:
                 # FIXME: we treat all tmp vvars as registers
+                assert vvar.tmp_idx is not None
                 variable = SimRegisterVariable(
                     4096 + vvar.tmp_idx,
                     vvar.size,
@@ -503,7 +504,7 @@ class SimEngineVRBase(
                     self.state.variable_manager[self.func_addr].remove_variable_by_atom(codeloc, existing_var, atom)
 
             # storing to a location specified by a pointer whose value cannot be determined at this point
-            self._store_to_variable(richr_addr, size)
+            self._store_to_variable(richr_addr, data, size)
 
     def _store_to_stack(
         self, stack_offset, data: RichR[claripy.ast.BV | claripy.ast.FP], size, offset=0, atom=None, endness=None
@@ -669,7 +670,7 @@ class SimEngineVRBase(
                 self.state.add_type_constraint(typevars.Subtype(store_typevar, typeconsts.TopType()))
                 self.state.add_type_constraint(typevars.Subtype(data.typevar, store_typevar))
 
-    def _store_to_variable(self, richr_addr: RichR[claripy.ast.BV], size: int):
+    def _store_to_variable(self, richr_addr: RichR[claripy.ast.BV], data: RichR, size: int):
         addr_variable = richr_addr.variable
         codeloc = self._codeloc()
 
@@ -691,7 +692,8 @@ class SimEngineVRBase(
             store_typevar = self._create_access_typevar(base_typevar, True, size, field_offset)
             if addr_variable is not None:
                 self.state.typevars.add_type_variable(addr_variable, codeloc, typevar)
-            self.state.add_type_constraint(typevars.Subtype(store_typevar, typeconsts.TopType()))
+            data_typevar = data.typevar if data.typevar is not None else typeconsts.TopType()
+            self.state.add_type_constraint(typevars.Subtype(store_typevar, data_typevar))
 
     def _load(self, richr_addr: RichR[claripy.ast.BV], size: int, expr=None):
         """
@@ -941,13 +943,13 @@ class SimEngineVRBase(
             # it's an array!
             if offset.concrete:
                 concrete_offset = offset.concrete_value * elem_size
-                load_typevar = self._create_access_typevar(typevar, True, size, concrete_offset)
+                load_typevar = self._create_access_typevar(typevar, False, size, concrete_offset)
                 self.state.add_type_constraint(typevars.Subtype(load_typevar, typeconsts.TopType()))
             else:
                 # FIXME: This is a hack
                 for i in range(4):
                     concrete_offset = size * i
-                    load_typevar = self._create_access_typevar(typevar, True, size, concrete_offset)
+                    load_typevar = self._create_access_typevar(typevar, False, size, concrete_offset)
                     self.state.add_type_constraint(typevars.Subtype(load_typevar, typeconsts.TopType()))
 
         return RichR(self.state.top(size * self.project.arch.byte_width), typevar=typevar)

angr/analyses/variable_recovery/engine_vex.py

@@ -8,12 +8,13 @@ from archinfo.arch_arm import is_arm_arch
 
 from angr.block import Block
 from angr.errors import SimMemoryMissingError
-from angr.calling_conventions import SimRegArg, SimStackArg, default_cc
+from angr.calling_conventions import SimRegArg, SimStackArg, SimTypeFunction, default_cc
 from angr.engines.vex.claripy.datalayer import value as claripy_value
 from angr.engines.light import SimEngineNostmtVEX
 from angr.knowledge_plugins import Function
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.analyses.typehoon import typevars, typeconsts
+from angr.sim_type import SimTypeBottom
 from .engine_base import SimEngineVRBase, RichR
 from .irsb_scanner import VEXIRSBScanner
 
@@ -222,24 +223,39 @@ class SimEngineVRVEX(
 
     def _process_block_end(self, stmt_result, whitelist):
         # handles block-end calls
+        has_call = False
         current_addr = self.state.block_addr
         for target_func in self.call_info.get(current_addr, []):
             self._handle_function_concrete(target_func)
+            has_call = True
 
-        if self.block.vex.jumpkind == "Ijk_Call":
+        if has_call or self.block.vex.jumpkind == "Ijk_Call":
             # emulates return values from calls
             cc = None
+            proto: SimTypeFunction | None = None
             for target_func in self.call_info.get(self.state.block_addr, []):
                 if target_func.calling_convention is not None:
                     cc = target_func.calling_convention
+                    proto = target_func.prototype
                     break
             if cc is None:
                 cc = default_cc(self.arch.name, platform=self.project.simos.name)(self.arch)
-            if isinstance(cc.RETURN_VAL, SimRegArg):
-                reg_offset, reg_size = self.arch.registers[cc.RETURN_VAL.reg_name]
+
+            if proto is not None and not isinstance(proto.returnty, SimTypeBottom):
+                ret_reg = cc.return_val(proto.returnty)
+            else:
+                ret_reg = cc.RETURN_VAL
+            if isinstance(ret_reg, SimRegArg):
+                reg_offset, reg_size = self.arch.registers[ret_reg.reg_name]
                 data = self._top(reg_size * self.arch.byte_width)
                 self._assign_to_register(reg_offset, data, reg_size, create_variable=False)
 
+                # handle tail-call optimizations
+                if self.block.vex.jumpkind == "Ijk_Boring":
+                    self.state.ret_val_size = (
+                        reg_size if self.state.ret_val_size is None else max(self.state.ret_val_size, reg_size)
+                    )
+
         elif self.block.vex.jumpkind == "Ijk_Ret":
             # handles return statements
 

angr/block.py

@@ -130,19 +130,23 @@ class Block(Serializable):
     BLOCK_MAX_SIZE = 4096
 
     __slots__ = [
+        "_backup_state",
         "_bytes",
         "_capstone",
         "_collect_data_refs",
         "_const_prop",
         "_cross_insn_opt",
         "_disassembly",
+        "_extra_stop_points",
         "_initial_regs",
         "_instruction_addrs",
         "_instructions",
         "_load_from_ro_regions",
+        "_max_size",
         "_opt_level",
         "_project",
         "_strict_block_end",
+        "_traceflags",
         "_vex",
         "_vex_nostmt",
         "addr",
@@ -155,11 +159,10 @@ class Block(Serializable):
         self,
         addr,
         project=None,
-        arch: Arch = None,
+        arch: Arch | None = None,
         size=None,
         max_size=None,
         byte_string=None,
-        vex=None,
         thumb=False,
         backup_state=None,
         extra_stop_points=None,
@@ -174,14 +177,11 @@ class Block(Serializable):
         initial_regs=None,
         skip_stmts=False,
     ):
-        # set up arch
-        self.arch: Arch
-        if project is not None:
+        if arch is not None:
+            self.arch = arch
+        elif project is not None:
             self.arch = project.arch
         else:
-            self.arch = arch
-
-        if self.arch is None:
             raise ValueError('Either "project" or "arch" has to be specified.')
 
         if project is not None and backup_state is None and project.kb.patches.values():
@@ -195,63 +195,23 @@ class Block(Serializable):
         else:
             thumb = False
 
-        self._project: Project | None = project
-        self.thumb = thumb
+        self._project = project
         self.addr = addr
+        self._backup_state = backup_state
+        self.thumb = thumb
         self._opt_level = opt_level
-        self._initial_regs: list[tuple[int, int, int]] | None = (
-            initial_regs if (collect_data_refs or const_prop) else None
-        )
+        self._initial_regs = initial_regs if (collect_data_refs or const_prop) else None
+        self._traceflags = traceflags
+        self._extra_stop_points = extra_stop_points
+        self._max_size = max_size if max_size is not None else self.BLOCK_MAX_SIZE
 
         if self._project is None and byte_string is None:
             raise ValueError('"byte_string" has to be specified if "project" is not provided.')
 
-        if size is None:
-            if byte_string is not None:
-                size = len(byte_string)
-            elif vex is not None:
-                size = vex.size
-            else:
-                if self._initial_regs:
-                    self.set_initial_regs()
-                clemory = None
-                if project is not None:
-                    clemory = (
-                        project.loader.memory_ro_view
-                        if project.loader.memory_ro_view is not None
-                        else project.loader.memory
-                    )
-                vex = self._vex_engine.lift_vex(
-                    clemory=clemory,
-                    state=backup_state,
-                    insn_bytes=byte_string,
-                    addr=addr,
-                    size=max_size,
-                    thumb=thumb,
-                    extra_stop_points=extra_stop_points,
-                    opt_level=opt_level,
-                    num_inst=num_inst,
-                    traceflags=traceflags,
-                    strict_block_end=strict_block_end,
-                    collect_data_refs=collect_data_refs,
-                    load_from_ro_regions=load_from_ro_regions,
-                    const_prop=const_prop,
-                    cross_insn_opt=cross_insn_opt,
-                    skip_stmts=skip_stmts,
-                )
-                if self._initial_regs:
-                    self.reset_initial_regs()
-                size = vex.size
-
-        if skip_stmts:
-            self._vex = None
-            self._vex_nostmt = vex
-        else:
-            self._vex = vex
-            self._vex_nostmt = None
+        self._vex = None
+        self._vex_nostmt = None
         self._disassembly = None
         self._capstone = None
-        self.size = size
         self._collect_data_refs = collect_data_refs
         self._strict_block_end = strict_block_end
         self._cross_insn_opt = cross_insn_opt
@@ -261,6 +221,23 @@ class Block(Serializable):
         self._instructions: int | None = num_inst
         self._instruction_addrs: list[int] = []
 
+        self._bytes = byte_string
+        self.size = size
+
+        if size is None:
+            if byte_string is not None:
+                size = len(byte_string)
+            else:
+                vex = self._lift_nocache(skip_stmts)
+                size = vex.size
+
+                if skip_stmts:
+                    self._vex_nostmt = vex
+                else:
+                    self._vex = vex
+
+        self.size = size
+
         if skip_stmts:
             self._parse_vex_info(self._vex_nostmt)
         else:
@@ -343,50 +320,7 @@ class Block(Serializable):
             raise ValueError("Project is not set")
         return self._project.factory.default_engine  # type:ignore
 
-    @property
-    def vex(self) -> IRSB | PcodeIRSB:
-        if not self._vex:
-            if self._initial_regs:
-                self.set_initial_regs()
-            clemory = None
-            if self._project is not None:
-                clemory = (
-                    self._project.loader.memory_ro_view
-                    if self._project.loader.memory_ro_view is not None
-                    else self._project.loader.memory
-                )
-            self._vex = self._vex_engine.lift_vex(
-                clemory=clemory,
-                insn_bytes=self._bytes,
-                addr=self.addr,
-                thumb=self.thumb,
-                size=self.size,
-                num_inst=self._instructions,
-                opt_level=self._opt_level,
-                arch=self.arch,
-                collect_data_refs=self._collect_data_refs,
-                strict_block_end=self._strict_block_end,
-                cross_insn_opt=self._cross_insn_opt,
-                load_from_ro_regions=self._load_from_ro_regions,
-                const_prop=self._const_prop,
-            )
-            if self._initial_regs:
-                self.reset_initial_regs()
-            self._parse_vex_info(self._vex)
-
-        assert self._vex is not None
-        return self._vex
-
-    @property
-    def vex_nostmt(self):
-        if self._vex_nostmt:
-            return self._vex_nostmt
-
-        if self._vex:
-            return self._vex
-
-        if self._initial_regs:
-            self.set_initial_regs()
+    def _lift_nocache(self, skip_stmts: bool) -> IRSB | PcodeIRSB:
         clemory = None
         if self._project is not None:
             clemory = (
@@ -394,25 +328,53 @@ class Block(Serializable):
                 if self._project.loader.memory_ro_view is not None
                 else self._project.loader.memory
             )
-        self._vex_nostmt = self._vex_engine.lift_vex(
+
+        if self._initial_regs:
+            self.set_initial_regs()
+
+        vex = self._vex_engine.lift_vex(
+            addr=self.addr,
+            state=self._backup_state,
             clemory=clemory,
             insn_bytes=self._bytes,
-            addr=self.addr,
-            thumb=self.thumb,
+            arch=self.arch,
             size=self.size,
             num_inst=self._instructions,
+            traceflags=self._traceflags,
+            thumb=self.thumb,
+            extra_stop_points=self._extra_stop_points,
             opt_level=self._opt_level,
-            arch=self.arch,
-            skip_stmts=True,
-            collect_data_refs=self._collect_data_refs,
             strict_block_end=self._strict_block_end,
+            skip_stmts=skip_stmts,
+            collect_data_refs=self._collect_data_refs,
             cross_insn_opt=self._cross_insn_opt,
             load_from_ro_regions=self._load_from_ro_regions,
             const_prop=self._const_prop,
         )
+
         if self._initial_regs:
             self.reset_initial_regs()
+
+        return vex
+
+    @property
+    def vex(self) -> IRSB | PcodeIRSB:
+        if not self._vex:
+            self._vex = self._lift_nocache(False)
+            self._parse_vex_info(self._vex)
+
+        return self._vex
+
+    @property
+    def vex_nostmt(self):
+        if self._vex_nostmt:
+            return self._vex_nostmt
+        if self._vex:
+            return self._vex
+
+        self._vex_nostmt = self._lift_nocache(True)
         self._parse_vex_info(self._vex_nostmt)
+
         return self._vex_nostmt
 
     @property

angr/callable.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import pycparser
 
+from .sim_manager import SimulationManager
 from .errors import AngrCallableError, AngrCallableMultistateError
 from .calling_conventions import default_cc, SimCC
 
@@ -28,6 +29,7 @@ class Callable:
         cc=None,
         add_options=None,
         remove_options=None,
+        step_limit: int | None = None,
     ):
         """
         :param project:         The project to operate on
@@ -60,6 +62,7 @@ class Callable:
         self._func_ty = prototype
         self._add_options = add_options if add_options else set()
         self._remove_options = remove_options if remove_options else set()
+        self._step_limit = step_limit
 
         self.result_path_group = None
         self.result_state = None
@@ -95,16 +98,12 @@ class Callable:
             remove_options=self._remove_options,
         )
 
-        def step_func(pg):
-            pg2 = pg.prune()
-            if len(pg2.active) > 1:
-                raise AngrCallableMultistateError("Execution split on symbolic condition!")
-            return pg2
-
         caller = self._project.factory.simulation_manager(state)
-        caller.run(step_func=step_func if self._concrete_only else None).unstash(from_stash="deadended")
+        caller.run(step_func=self._step_func).unstash(from_stash="deadended")
         caller.prune(filter_func=lambda pt: pt.addr == self._deadend_addr)
 
+        if "step_limited" in caller.stashes:
+            caller.stash(from_stash="step_limited", to_stash="active")
         if len(caller.active) == 0:
             raise AngrCallableError("No paths returned from function")
 
@@ -159,3 +158,11 @@ class Callable:
                 raise AngrCallableError(f"Unsupported expression type {type(expr)}.")
 
         return self.__call__(*args)
+
+    def _step_func(self, pg: SimulationManager):
+        pg2 = pg.prune()
+        if self._concrete_only and len(pg2.active) > 1:
+            raise AngrCallableMultistateError("Execution split on symbolic condition!")
+        if self._step_limit:
+            pg2.stash(filter_func=lambda p: p.history.depth >= self._step_limit, to_stash="step_limited")
+        return pg2