angr 9.2.140__py3-none-manylinux2014_x86_64.whl → 9.2.142__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structuring/dream.py

@@ -314,7 +314,7 @@ class DreamStructurer(StructurerBase):
             loop_head, loop_region_graph, successors=None, graph_with_successors=None, cyclic=False, full_graph=None
         )
         structurer = self.project.analyses[DreamStructurer].prep()(
-            region, condition_processor=self.cond_proc, func=self.function
+            region, condition_processor=self.cond_proc, func=self.function, jump_tables=self.jump_tables
         )
         seq = structurer.result
 

angr/analyses/decompiler/structuring/phoenix.py

@@ -14,7 +14,7 @@ from ailment.statement import Statement, ConditionalJump, Jump, Label, Return
 from ailment.expression import Const, UnaryOp, MultiStatementExpression
 
 from angr.utils.graph import GraphUtils
-from angr.utils.ail import is_phi_assignment
+from angr.utils.ail import is_phi_assignment, is_head_controlled_loop_block
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
 from angr.utils.graph import dominates, to_acyclic_graph, dfs_back_edges
@@ -312,11 +312,11 @@ class PhoenixStructurer(StructurerBase):
                     and head_block.nodes
                     and isinstance(head_block.nodes[0], Block)
                     and head_block.nodes[0].statements
-                    and isinstance(first_nonlabel_nonphi_statement(head_block.nodes[0]), ConditionalJump)
+                    and is_head_controlled_loop_block(head_block.nodes[0])
                 ) or (
                     isinstance(head_block, Block)
                     and head_block.statements
-                    and isinstance(first_nonlabel_nonphi_statement(head_block), ConditionalJump)
+                    and is_head_controlled_loop_block(head_block)
                 ):
                     # it's a while loop if the conditional jump (or the head block) is at the beginning of node
                     loop_type = "while" if head_block_idx == 0 else "do-while"
@@ -1723,7 +1723,12 @@ class PhoenixStructurer(StructurerBase):
         for case_node in to_remove:
             if case_node is not node_default and case_node is not node_a and case_node is not head:
                 for succ in graph.successors(case_node):
-                    if succ is not case_node and succ is not head and graph.in_degree[succ] == 1:
+                    if (
+                        succ is not case_node
+                        and succ is not head
+                        and succ is not self._region.head
+                        and graph.in_degree[succ] == 1
+                    ):
                         # succ will be dangling - not ready to be structured yet - do it later
                         return False
 

angr/analyses/decompiler/structuring/structurer_base.py

@@ -371,8 +371,8 @@ class StructurerBase(Analysis):
                         jump_stmt = this_node.nodes[-1].statements[-1]
                         this_node = this_node.nodes[-1]
 
-                    assert isinstance(this_node, ailment.Block)
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.target, ailment.Expr.Const)
@@ -381,6 +381,7 @@ class StructurerBase(Analysis):
                             # this goto is useless
                             this_node.statements = this_node.statements[:-1]
                     elif isinstance(jump_stmt, ailment.Stmt.ConditionalJump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.true_target, ailment.Expr.Const)

angr/analyses/decompiler/utils.py

@@ -625,6 +625,48 @@ def update_labels(graph: networkx.DiGraph):
     return add_labels(remove_labels(graph))
 
 
+def _flatten_structured_node(packed_node: SequenceNode | MultiNode) -> list[ailment.Block]:
+    if not packed_node or not packed_node.nodes:
+        return []
+
+    blocks = []
+    if packed_node.nodes is not None:
+        for _node in packed_node.nodes:
+            if isinstance(_node, (SequenceNode, MultiNode)):
+                blocks += _flatten_structured_node(_node)
+            else:
+                blocks.append(_node)
+
+    return blocks
+
+
+def _find_node_in_graph(node: ailment.Block, graph: networkx.DiGraph) -> ailment.Block | None:
+    for bb in graph:
+        if bb.addr == node.addr and bb.idx == node.idx:
+            return bb
+    return None
+
+
+def structured_node_has_multi_predecessors(node: SequenceNode | MultiNode, graph: networkx.DiGraph) -> bool:
+    if graph is None:
+        return False
+
+    first_block = None
+    if isinstance(node, (SequenceNode, MultiNode)) and node.nodes:
+        flat_blocks = _flatten_structured_node(node)
+        node = flat_blocks[0]
+
+    if isinstance(node, ailment.Block):
+        first_block = node
+
+    if first_block is not None:
+        graph_node = _find_node_in_graph(first_block, graph)
+        if graph_node is not None:
+            return len(list(graph.predecessors(graph_node))) > 1
+
+    return False
+
+
 def structured_node_is_simple_return(
     node: SequenceNode | MultiNode, graph: networkx.DiGraph, use_packed_successors=False
 ) -> bool:
@@ -639,21 +681,6 @@ def structured_node_is_simple_return(
 
     Returns true on any block ending in linear statements and a return.
     """
-
-    def _flatten_structured_node(packed_node: SequenceNode | MultiNode) -> list[ailment.Block]:
-        if not packed_node or not packed_node.nodes:
-            return []
-
-        blocks = []
-        if packed_node.nodes is not None:
-            for _node in packed_node.nodes:
-                if isinstance(_node, (SequenceNode, MultiNode)):
-                    blocks += _flatten_structured_node(_node)
-                else:
-                    blocks.append(_node)
-
-        return blocks
-
     # sanity check: we need a graph to understand returning blocks
     if graph is None:
         return False
@@ -676,11 +703,10 @@ def structured_node_is_simple_return(
     if valid_last_stmt:
         # note that the block may not be the same block in the AIL graph post dephication. we must find the block again
         # in the graph.
-        for bb in graph:
-            if bb.addr == last_block.addr and bb.idx == last_block.idx:
-                # found it
-                succs = list(graph.successors(bb))
-                return not succs or succs == [bb]
+        last_graph_block = _find_node_in_graph(last_block, graph)
+        if last_graph_block is not None:
+            succs = list(graph.successors(last_graph_block))
+            return not succs or succs == [last_graph_block]
     return False
 
 

angr/analyses/find_objects_static.py

@@ -9,6 +9,7 @@ from angr.analyses.reaching_definitions.function_handler import FunctionHandler
 from angr.knowledge_plugins.key_definitions.atoms import Register, MemoryLocation
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
+from angr.utils.cpp import is_cpp_funcname_ctor
 from . import Analysis, VtableFinder, CFGFast, ReachingDefinitionsAnalysis
 
 if TYPE_CHECKING:
@@ -109,7 +110,7 @@ class NewFunctionHandler(FunctionHandler):
         else:
             if self.project.kb.functions.contains_addr(function_address):
                 func = self.project.kb.functions.get_by_addr(function_address)
-                if func is not None and "ctor" in func.demangled_name:
+                if func is not None and is_cpp_funcname_ctor(func.demangled_name):
                     # check if rdi has a possible this pointer/ object address, if so then we can assign this object
                     # this class
                     # also if the func is a constructor(not stripped binaries)

angr/analyses/reaching_definitions/engine_vex.py

@@ -77,12 +77,15 @@ class SimEngineRDVEX(
     def _process_block_end(self, stmt_result, whitelist):
         self.stmt_idx = DEFAULT_STATEMENT
         self._set_codeloc()
+
+        function_handled = False
         if self.block.vex.jumpkind == "Ijk_Call":
             # it has to be a function
             block_next = self.block.vex.next
             assert isinstance(block_next, pyvex.expr.IRExpr)
             addr = self._expr_bv(block_next)
             self._handle_function(addr)
+            function_handled = True
         elif self.block.vex.jumpkind == "Ijk_Boring":
             # test if the target addr is a function or not
             block_next = self.block.vex.next
@@ -94,6 +97,16 @@ class SimEngineRDVEX(
                 if addr_int in self.functions:
                     # yes it's a jump to a function
                     self._handle_function(addr)
+                    function_handled = True
+
+        # take care of OP_AFTER during statement processing for function calls in a block
+        if self.state.analysis and function_handled:
+            self.state.analysis.stmt_observe(
+                self.stmt_idx, self.block.vex.statements[-1], self.block, self.state, OP_AFTER
+            )
+            self.state.analysis.insn_observe(
+                self.ins_addr, self.block.vex.statements[-1], self.block, self.state, OP_AFTER
+            )
 
         return self.state
 

angr/analyses/reaching_definitions/function_handler.py

@@ -121,9 +121,9 @@ class FunctionCallData:
             return False
         if isinstance(dest, MemoryLocation) and isinstance(dest.addr, SpOffset):
             for effect in self.effects:
-                if not isinstance(effect.dest, MemoryLocation) or not isinstance(effect.dest.addr, SpOffset):
-                    continue
                 stkarg = effect.dest
+                if not isinstance(stkarg, MemoryLocation) or not isinstance(stkarg.addr, SpOffset):
+                    continue
                 if (
                     dest.addr.offset + dest.size <= stkarg.addr.offset
                     or stkarg.addr.offset + stkarg.size <= dest.addr.offset
@@ -282,12 +282,20 @@ class FunctionHandler:
     A mechanism for summarizing a function call's effect on a program for ReachingDefinitionsAnalysis.
     """
 
-    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable[FunctionHandler] | None = None):
+    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable[type[FunctionHandler]] | None = None):
+        """
+        :param interfunction_level: Maximum depth in to continue local function exploration
+        :param extra_impls: FunctionHandler classes to implement beyond what's implemented in function_handler_library
+        """
+
         self.interfunction_level: int = interfunction_level
 
-        if extra_impls is not None:
-            for extra_handler in extra_impls:
-                for name, func in vars(extra_handler).items():
+        if extra_impls is None:
+            return
+
+        for extra_handler in extra_impls:
+            for cls in extra_handler.__mro__:
+                for name, func in vars(cls).items():
                     if name.startswith("handle_impl_"):
                         setattr(self, name, _mk_wrapper(func, self))
 
@@ -398,9 +406,13 @@ class FunctionHandler:
                     for typelib_name in prototype_lib.type_collection_names:
                         type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
-                data.prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
+                prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
+                data.prototype = cast(SimTypeFunction, prototype)
 
-        args_atoms_from_values = data.reset_prototype(data.prototype, state, soft_reset=True)
+        if isinstance(data.prototype, SimTypeFunction):
+            args_atoms_from_values = data.reset_prototype(data.prototype, state, soft_reset=True)
+        else:
+            args_atoms_from_values = set()
 
         # PROCESS
         state.move_codelocs(data.function_codeloc)
@@ -506,7 +518,9 @@ class FunctionHandler:
         assert data.prototype is not None
         if data.prototype.returnty is not None:
             if not isinstance(data.prototype.returnty, SimTypeBottom):
-                data.ret_values = MultiValues(state.top(data.prototype.returnty.with_arch(state.arch).size))
+                data.ret_values = MultiValues(
+                    state.top(data.prototype.returnty.with_arch(state.arch).size or state.arch.bits)
+                )
             else:
                 data.ret_values = MultiValues(state.top(state.arch.bits))
         if data.guessed_prototype:
@@ -567,7 +581,7 @@ class FunctionHandler:
         sub_rda = state.analysis.project.analyses.ReachingDefinitions(
             data.function,
             observe_all=state.analysis._observe_all,
-            observation_points=(state.analysis._observation_points or []) + return_observation_points,
+            observation_points=list(state.analysis._observation_points or []).extend(return_observation_points),
             observe_callback=state.analysis._observe_callback,
             dep_graph=state.dep_graph,
             function_handler=self,

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -202,6 +202,7 @@ def handle_printf(
                 for defn in state.get_definitions(atom):
                     top_val = state.annotate_with_def(top_val, defn)
                 buf_data = MultiValues(top_val)
+                buf_atoms = atom
         elif fmt == "%u":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -7,7 +7,7 @@ import claripy
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.knowledge_plugins.key_definitions.atoms import Atom
 from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
-
+from angr.knowledge_plugins.key_definitions.definition import Definition
 
 if TYPE_CHECKING:
     from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
@@ -75,7 +75,7 @@ class LibcStdlibHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_calloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         nmemb = state.get_concrete_value(data.args_atoms[0]) or 48
-        size = state.get_concrete_value(data.args_atoms[0]) or 1
+        size = state.get_concrete_value(data.args_atoms[1]) or 1
         heap_ptr = state.heap_address(state.heap_allocator.allocate(nmemb * size))
         data.depends(state.deref(heap_ptr, nmemb * size), value=0)
         data.depends(data.ret_atoms, value=heap_ptr)
@@ -84,18 +84,51 @@ class LibcStdlibHandlers(FunctionHandler):
     def handle_impl_getenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         name_value = state.get_concrete_value(name_atom, cast_to=bytes)
-        if name_value is not None:
-            name_value = name_value.strip(b"\0").decode()
+        length = 2
+        heap_value = None
+
         data.depends(None, name_atom)
 
         # store a buffer, registering it as an output of this function
         # we store this two-byte mixed value because we don't want the value to be picked up by get_concrete_value()
         # but also it should be able to be picked up by NULL_TERMINATE reads
-        heap_ptr = state.heap_allocator.allocate(2)
-        heap_atom = state.deref(heap_ptr, 2)
-        heap_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
-        data.depends(heap_atom, EnvironAtom(2, name_value), value=heap_value)
-        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+        heap_atom = None
+        env_atom = None
+        heap_ptr = None
+        sources = []
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+            for env_atom, env_value in state.others.items():
+                if not isinstance(env_atom, EnvironAtom) or env_atom.name != name_value:
+                    continue
+
+                # There exists an environment variable with this name
+                heap_value = env_value
+                length = env_atom.size
+                heap_ptr = state.heap_allocator.allocate(length)
+                heap_atom = state.deref(heap_ptr, length)
+                break
+
+            else:
+                heap_value = None
+
+        if name_value is None or heap_value is None or heap_atom is None or env_atom is None:
+            heap_ptr = state.heap_allocator.allocate(length)
+            heap_atom = state.deref(heap_ptr, length)
+            heap_value = claripy.BVS("weh", 8)
+            env_atom = EnvironAtom(length, name_value)
+            if heap_atom is not None:
+                heap_value = state.annotate_with_def(heap_value, Definition(heap_atom, state.codeloc))
+            heap_value = heap_value.concat(claripy.BVV(0, 8))
+            data.depends(env_atom, value=heap_value)  # Puts the env_atom in the others dict
+
+        data.depends(heap_atom, env_atom, value=heap_value)
+        sources = [heap_atom, env_atom]
+        if name_atom is not None:
+            sources.append(name_atom)
+
+        value = state.heap_address(heap_ptr) if heap_ptr is not None else state.top(state.arch.bits)
+        data.depends(data.ret_atoms, *sources, value=value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_setenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
@@ -107,9 +140,9 @@ class LibcStdlibHandlers(FunctionHandler):
 
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
         src_value = state.get_values(src_atom)
-        data.depends(
-            EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value), src_atom, value=src_value
-        )
+
+        env_atom = EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value)
+        data.depends(env_atom, src_atom, value=src_value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_system(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -1,8 +1,10 @@
 from __future__ import annotations
 import archinfo
+import claripy
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
 from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+from angr.knowledge_plugins.key_definitions.live_definitions import MultiValues
 
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
@@ -12,16 +14,26 @@ class LibcStringHandlers(FunctionHandler):
     def handle_impl_strcat(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src0_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         src1_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src0_value = state.get_values(src0_atom)
-        src1_value = state.get_values(src1_atom)
+        src0_value = state.get_values(src0_atom) if src0_atom is not None else None
+        src1_value = state.get_values(src1_atom) if src1_atom is not None else None
+
         if src0_value is not None and src1_value is not None:
             src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
             dest_value = src0_value.concat(src1_value)
             dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
+        elif src0_value is not None:
+            src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
+            top_val = state.top(state.arch.bits)
+            if src1_atom is not None:
+                for defn in state.get_definitions(src1_atom):
+                    top_val = state.annotate_with_def(top_val, defn)
+            dest_value = src0_value.concat(MultiValues(top_val))
+            dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
         else:
             dest_value = None
             dest_atom = src0_atom
-        data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
+        if src0_atom is not None and src1_atom is not None:
+            data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
         data.depends(data.ret_atoms, data.args_atoms[0], value=src0_value)
 
     handle_impl_strncat = handle_impl_strcat
@@ -29,39 +41,76 @@ class LibcStringHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strlen(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
-            data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+        if src_atom is not None:
+            src_str = state.get_values(src_atom) if src_atom is not None else None
+            if src_str is not None:
+                data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+            else:
+                data.depends(data.ret_atoms, src_atom)
         else:
-            data.depends(data.ret_atoms, src_atom)
+            data.depends(data.ret_atoms, data.args_atoms[0])
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
-            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+        src_str = state.get_values(src_atom) if src_atom is not None else None
+        if src_str is None:
+            src_str = state.top(state.arch.bits)
+            if src_atom is not None:
+                for defn in state.get_definitions(src_atom):
+                    src_str = state.annotate_with_def(src_str, defn)
+            src_str = MultiValues(src_str)
+
+        dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+        if src_atom is not None:
             data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strncpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         n = state.get_concrete_value(data.args_atoms[2])
-        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE if n is None else n)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom) if src_atom is not None else None
+        if src_str is None and src_atom is not None:
+            tmp_atom = state.deref(data.args_atoms[1], 1)
+            if tmp_atom is not None:
+                tmp_str = state.get_values(tmp_atom)
+                val_defns = None if tmp_str is None else state.get_definitions(tmp_str)
+                if tmp_str is None or not val_defns:  # There's no data at all or no valid definitions
+                    src_str = state.top(state.arch.bits if n is None or n > state.arch.bytes else n * 8)
+                    defns = state.get_definitions(src_atom) if src_atom is not None else []
+                    for defn in defns:
+                        src_str = state.annotate_with_def(src_str, defn)
+                    src_str = MultiValues(src_str)
+                else:  # We found some data, but it's not NULL_TERIMINATED or of size n
+                    src_atoms = set()
+                    for defn in val_defns:
+                        a = defn.atom
+                        a.size = a.size if n is None or a.size < n else n
+                        src_atoms.add(a)
+                    src_str = state.get_values(src_atoms)
+
+        elif n is not None and src_str is not None and n < len(src_str) // 8:
+            # We have a src_str, but need to truncate it if n is not None and less than the size of src_str
+            src_atom = state.deref(data.args_atoms[1], n)
+            if src_atom is not None:
+                src_str = state.get_values(src_atom)
+
+        if src_str is not None and src_atom is not None:
             dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
             data.depends(dst_atom, src_atom, value=src_str)
+
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strdup(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
-        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        malloc_size = len(src_str) // 8 if src_str is not None else 1
-        heap_ptr = state.heap_allocator.allocate(malloc_size)
-        dst_atom = state.deref(heap_ptr, malloc_size)
-        data.depends(dst_atom, src_atom, value=src_str)
+        src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        if src_atom is not None:
+            src_str = state.get_values(src_atom)
+            malloc_size = len(src_str) // 8 if src_str is not None else 1
+            heap_ptr = state.heap_allocator.allocate(malloc_size)
+            dst_atom = state.deref(heap_ptr, malloc_size)
+            data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
@@ -70,15 +119,22 @@ class LibcStringHandlers(FunctionHandler):
         if size is not None:
             src_atom = state.deref(data.args_atoms[1], size)
             dst_atom = state.deref(data.args_atoms[0], size)
-            data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
+            if src_atom is not None:
+                data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_memset(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2])
+        c = state.get_concrete_value(data.args_atoms[1])
         if size is not None:
             dst_atom = state.deref(data.args_atoms[0], size)
-            data.depends(dst_atom, data.args_atoms[1])
+            if c is not None:
+                value = MultiValues(claripy.BVV(chr(c) * size, size * 8))
+                data.depends(dst_atom, data.args_atoms[1], value=value)
+            else:
+                data.depends(dst_atom, data.args_atoms[1], value=state.get_values(data.args_atoms[1]))
+
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -1,17 +1,37 @@
 from __future__ import annotations
+import random
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.analyses.reaching_definitions.function_handler_library.stdio import StdinAtom, StdoutAtom
 from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+from angr.knowledge_plugins.key_definitions.atoms import Atom
 
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
 
+class FDAtom(Atom):
+    def __init__(self, fd: int | None, source: str, size: int = 1):
+        self.source = source
+        self.fd = fd
+        self.nonce = random.randint(0, 999999999999)
+        super().__init__(size)
+
+    def _identity(self):
+        if self.fd is not None:
+            return (self.fd,)
+        return (self.nonce,)
+
+
 class LibcUnistdHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_read(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2]) or 1
         dst_atom = state.deref(data.args_atoms[1], size)
-        data.depends(dst_atom, StdinAtom(data.function.name, size))
+        real_fd = state.get_concrete_value(data.args_atoms[0])
+
+        fd_atom = StdinAtom(data.function.name, size) if real_fd == 0 else FDAtom(real_fd, data.function.name, size)
+        buf_data = state.top(size * 8) if size is not None else state.top(state.arch.bits)
+
+        data.depends(dst_atom, fd_atom, value=buf_data)
 
     handle_impl_recv = handle_impl_recvfrom = handle_impl_read
 

angr/analyses/reaching_definitions/rd_state.py

@@ -215,14 +215,14 @@ class ReachingDefinitionsState:
     def tmp_uses(self):
         return self.live_definitions.tmp_uses
 
-    @property
-    def register_uses(self):
-        return self.live_definitions.register_uses
-
     @property
     def registers(self) -> MultiValuedMemory:
         return self.live_definitions.registers
 
+    @property
+    def register_uses(self):
+        return self.live_definitions.register_uses
+
     @property
     def stack(self) -> MultiValuedMemory:
         return self.live_definitions.stack
@@ -239,13 +239,17 @@ class ReachingDefinitionsState:
     def heap_uses(self):
         return self.live_definitions.heap_uses
 
+    @property
+    def memory(self) -> MultiValuedMemory:
+        return self.live_definitions.memory
+
     @property
     def memory_uses(self):
         return self.live_definitions.memory_uses
 
     @property
-    def memory(self) -> MultiValuedMemory:
-        return self.live_definitions.memory
+    def others(self) -> dict[Atom, MultiValues]:
+        return self.live_definitions.others
 
     @property
     def uses_by_codeloc(self):
@@ -493,7 +497,7 @@ class ReachingDefinitionsState:
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
     def get_definitions(
-        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]]
+        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]] | MultiValues
     ) -> set[Definition[Atom]]:
         return self.live_definitions.get_definitions(atom)