angr 9.2.140__py3-none-manylinux2014_x86_64.whl → 9.2.142__py3-none-manylinux2014_x86_64.whl

angr/analyses/s_liveness.py

@@ -2,9 +2,10 @@ from __future__ import annotations
 
 import networkx
 from ailment.expression import VirtualVariable
-from ailment.statement import Assignment, Call
+from ailment.statement import Assignment, Call, ConditionalJump
 
 from angr.analyses import Analysis, register_analysis
+from angr.utils.ail import is_head_controlled_loop_block, is_phi_assignment
 from angr.utils.ssa import VVarUsesCollector, phi_assignment_get_src
 
 
@@ -69,8 +70,14 @@ class SLivenessAnalysis(Analysis):
             block_key = block.addr, block.idx
             changed = False
 
+            head_controlled_loop = is_head_controlled_loop_block(block)
+
             live = set()
             for succ in graph.successors(block):
+                if head_controlled_loop and (block.addr, block.idx) == (succ.addr, succ.idx):
+                    # this is a head-controlled loop block; we ignore the self-loop edge because all variables defined
+                    # in the block after the conditional jump will be dead after leaving the current block
+                    continue
                 edge = (block.addr, block.idx), (succ.addr, succ.idx)
                 if edge in live_on_edges:
                     live |= live_on_edges[edge]
@@ -81,8 +88,18 @@ class SLivenessAnalysis(Analysis):
                 changed = True
                 live_outs[block_key] = live.copy()
 
+            if head_controlled_loop:
+                # this is a head-controlled loop block; we start scanning from the first condition jump backwards
+                condjump_idx = next(
+                    iter(i for i, stmt in enumerate(block.statements) if isinstance(stmt, ConditionalJump)), None
+                )
+                assert condjump_idx is not None
+                stmts = block.statements[: condjump_idx + 1]
+            else:
+                stmts = block.statements
+
             live_in_by_pred = {}
-            for stmt in reversed(block.statements):
+            for stmt in reversed(stmts):
                 # handle assignments: a defined vvar is not live before the assignment
                 if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
                     live.discard(stmt.dst.varid)
@@ -92,6 +109,10 @@ class SLivenessAnalysis(Analysis):
                 phi_expr = phi_assignment_get_src(stmt)
                 if phi_expr is not None:
                     for src, vvar in phi_expr.src_and_vvars:
+                        if head_controlled_loop and src == (block.addr, block.idx):
+                            # this is a head-controlled loop block; we ignore the self-loop edge
+                            continue
+
                         if src not in live_in_by_pred:
                             live_in_by_pred[src] = live.copy()
                         if vvar is not None:
@@ -99,9 +120,15 @@ class SLivenessAnalysis(Analysis):
                         live_in_by_pred[src].discard(stmt.dst.varid)
 
                 # handle the statement: add used vvars to the live set
-                vvar_use_collector = VVarUsesCollector()
-                vvar_use_collector.walk_statement(stmt)
-                live |= vvar_use_collector.vvars
+                if head_controlled_loop and is_phi_assignment(stmt):
+                    for src, vvar in stmt.src.src_and_vvars:
+                        # this is a head-controlled loop block; we ignore the self-loop edge
+                        if src != (block.addr, block.idx) and vvar is not None:
+                            live |= {vvar.varid}
+                else:
+                    vvar_use_collector = VVarUsesCollector()
+                    vvar_use_collector.walk_statement(stmt)
+                    live |= vvar_use_collector.vvars
 
             if live_ins[block_key] != live:
                 live_ins[block_key] = live
@@ -135,7 +162,18 @@ class SLivenessAnalysis(Analysis):
 
         for block in self.func_graph.nodes():
             live = self.model.live_outs[(block.addr, block.idx)].copy()
-            for stmt in reversed(block.statements):
+
+            if is_head_controlled_loop_block(block):
+                # this is a head-controlled loop block; we start scanning from the first condition jump backwards
+                condjump_idx = next(
+                    iter(i for i, stmt in enumerate(block.statements) if isinstance(stmt, ConditionalJump)), None
+                )
+                assert condjump_idx is not None
+                stmts = block.statements[: condjump_idx + 1]
+            else:
+                stmts = block.statements
+
+            for stmt in reversed(stmts):
                 if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
                     def_vvar = stmt.dst.varid
                 elif isinstance(stmt, Call) and isinstance(stmt.ret_expr, VirtualVariable):

angr/analyses/s_reaching_definitions/s_rda_model.py

@@ -91,13 +91,15 @@ class SRDAModel:
                     )
         return defs
 
-    def get_vvar_uses(self, obj: atoms.VirtualVariable) -> set[CodeLocation]:
+    def get_vvar_uses(self, obj: VirtualVariable | atoms.VirtualVariable) -> set[CodeLocation]:
         the_vvar = self.varid_to_vvar.get(obj.varid, None)
         if the_vvar is not None:
             return {loc for _, loc in self.all_vvar_uses[the_vvar]}
         return set()
 
-    def get_vvar_uses_with_expr(self, obj: atoms.VirtualVariable) -> set[tuple[CodeLocation, VirtualVariable]]:
+    def get_vvar_uses_with_expr(
+        self, obj: VirtualVariable | atoms.VirtualVariable
+    ) -> set[tuple[CodeLocation, VirtualVariable]]:
         the_vvar = self.varid_to_vvar.get(obj.varid, None)
         if the_vvar is not None:
             return {(loc, expr) for expr, loc in self.all_vvar_uses[the_vvar]}

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -1,8 +1,10 @@
 from __future__ import annotations
 
 import logging
+from collections.abc import Callable
 from collections import defaultdict
 
+from ailment import Block
 from ailment.statement import Statement, Assignment, Call, Label
 from ailment.expression import VirtualVariable, VirtualVariableCategory, Expression
 
@@ -22,7 +24,7 @@ class RegVVarPredicate:
     Implements a predicate that is used in get_reg_vvar_by_stmt_idx and get_reg_vvar_by_insn.
     """
 
-    def __init__(self, reg_offset: int, vvars: set[VirtualVariable], arch):
+    def __init__(self, reg_offset: int, vvars: list[VirtualVariable], arch):
         self.reg_offset = reg_offset
         self.vvars = vvars
         self.arch = arch
@@ -47,7 +49,8 @@ class RegVVarPredicate:
             and stmt.dst.was_reg
             and stmt.dst.reg_offset == self.reg_offset
         ):
-            self.vvars.add(stmt.dst)
+            if stmt.dst not in self.vvars:
+                self.vvars.append(stmt.dst)
             return True
         if isinstance(stmt, Call):
             if (
@@ -55,7 +58,8 @@ class RegVVarPredicate:
                 and stmt.ret_expr.was_reg
                 and stmt.ret_expr.reg_offset == self.reg_offset
             ):
-                self.vvars.add(stmt.ret_expr)
+                if stmt.ret_expr not in self.vvars:
+                    self.vvars.append(stmt.ret_expr)
                 return True
             # is it clobbered maybe?
             clobbered_regs = self._get_call_clobbered_regs(stmt)
@@ -69,7 +73,7 @@ class StackVVarPredicate:
     Implements a predicate that is used in get_stack_vvar_by_stmt_idx and get_stack_vvar_by_insn.
     """
 
-    def __init__(self, stack_offset: int, size: int, vvars: set[VirtualVariable]):
+    def __init__(self, stack_offset: int, size: int, vvars: list[VirtualVariable]):
         self.stack_offset = stack_offset
         self.size = size
         self.vvars = vvars
@@ -82,7 +86,8 @@ class StackVVarPredicate:
             and stmt.dst.stack_offset <= self.stack_offset < stmt.dst.stack_offset + stmt.dst.size
             and stmt.dst.stack_offset <= self.stack_offset + self.size <= stmt.dst.stack_offset + stmt.dst.size
         ):
-            self.vvars.add(stmt.dst)
+            if stmt.dst not in self.vvars:
+                self.vvars.append(stmt.dst)
             return True
         return False
 
@@ -96,7 +101,13 @@ class SRDAView:
         self.model = model
 
     def _get_vvar_by_stmt(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, op_type: ObservationPointType, predicate
+        self,
+        block_addr: int,
+        block_idx: int | None,
+        stmt_idx: int,
+        op_type: ObservationPointType,
+        predicate: Callable,
+        consecutive: bool = False,
     ):
         # find the starting block
         for block in self.model.func_graph:
@@ -107,7 +118,10 @@ class SRDAView:
             return
 
         traversed = set()
-        queue = [(the_block, stmt_idx if op_type == ObservationPointType.OP_BEFORE else stmt_idx + 1)]
+        queue: list[tuple[Block, int | None]] = [
+            (the_block, stmt_idx if op_type == ObservationPointType.OP_BEFORE else stmt_idx + 1)
+        ]
+        predicate_returned_true = False
         while queue:
             block, start_stmt_idx = queue.pop(0)
             traversed.add(block)
@@ -115,7 +129,8 @@ class SRDAView:
             stmts = block.statements[:start_stmt_idx] if start_stmt_idx is not None else block.statements
 
             for stmt in reversed(stmts):
-                should_break = predicate(stmt)
+                r = predicate(stmt)
+                should_break = (predicate_returned_true and r is False) if consecutive else r
                 if should_break:
                     break
             else:
@@ -129,7 +144,7 @@ class SRDAView:
         self, reg_offset: int, block_addr: int, block_idx: int | None, stmt_idx: int, op_type: ObservationPointType
     ) -> VirtualVariable | None:
         reg_offset = get_reg_offset_base(reg_offset, self.model.arch)
-        vvars = set()
+        vvars = []
         predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
         self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
 
@@ -137,14 +152,14 @@ class SRDAView:
             # not found - check function arguments
             for func_arg in self.model.func_args:
                 if isinstance(func_arg, VirtualVariable):
-                    func_arg_category = func_arg.oident[0]
+                    func_arg_category = func_arg.parameter_category
                     if func_arg_category == VirtualVariableCategory.REGISTER:
-                        func_arg_regoff = func_arg.oident[1]
+                        func_arg_regoff = func_arg.parameter_reg_offset
                         if func_arg_regoff == reg_offset:
-                            vvars.add(func_arg)
+                            vvars.append(func_arg)
 
         assert len(vvars) <= 1
-        return next(iter(vvars), None)
+        return vvars[0] if vvars else None
 
     def get_stack_vvar_by_stmt(  # pylint: disable=too-many-positional-arguments
         self,
@@ -155,21 +170,24 @@ class SRDAView:
         stmt_idx: int,
         op_type: ObservationPointType,
     ) -> VirtualVariable | None:
-        vvars = set()
+        vvars = []
         predicater = StackVVarPredicate(stack_offset, size, vvars)
-        self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
+        self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate, consecutive=True)
 
         if not vvars:
             # not found - check function arguments
             for func_arg in self.model.func_args:
                 if isinstance(func_arg, VirtualVariable):
-                    func_arg_category = func_arg.oident[0]
+                    func_arg_category = func_arg.parameter_category
                     if func_arg_category == VirtualVariableCategory.STACK:
-                        func_arg_stackoff = func_arg.oident[1]
+                        func_arg_stackoff = func_arg.oident[1]  # type: ignore
                         if func_arg_stackoff == stack_offset and func_arg.size == size:
-                            vvars.add(func_arg)
-        assert len(vvars) <= 1
-        return next(iter(vvars), None)
+                            vvars.append(func_arg)
+        # there might be multiple vvars; we prioritize the one whose size fits the best
+        for v in vvars:
+            if v.stack_offset == stack_offset and v.size == size:
+                return v
+        return vvars[0] if vvars else None
 
     def _get_vvar_by_insn(self, addr: int, op_type: ObservationPointType, predicate, block_idx: int | None = None):
         # find the starting block
@@ -202,23 +220,23 @@ class SRDAView:
         self, reg_offset: int, addr: int, op_type: ObservationPointType, block_idx: int | None = None
     ) -> VirtualVariable | None:
         reg_offset = get_reg_offset_base(reg_offset, self.model.arch)
-        vvars = set()
+        vvars = []
         predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
 
         self._get_vvar_by_insn(addr, op_type, predicater.predicate, block_idx=block_idx)
 
         assert len(vvars) <= 1
-        return next(iter(vvars), None)
+        return vvars[0] if vvars else None
 
     def get_stack_vvar_by_insn(  # pylint: disable=too-many-positional-arguments
         self, stack_offset: int, size: int, addr: int, op_type: ObservationPointType, block_idx: int | None = None
     ) -> VirtualVariable | None:
-        vvars = set()
+        vvars = []
         predicater = StackVVarPredicate(stack_offset, size, vvars)
         self._get_vvar_by_insn(addr, op_type, predicater.predicate, block_idx=block_idx)
 
         assert len(vvars) <= 1
-        return next(iter(vvars), None)
+        return vvars[0] if vvars else None
 
     def get_vvar_value(self, vvar: VirtualVariable) -> Expression | None:
         if vvar not in self.model.all_vvar_definitions:
@@ -227,7 +245,7 @@ class SRDAView:
 
         for block in self.model.func_graph:
             if block.addr == codeloc.block_addr and block.idx == codeloc.block_idx:
-                if codeloc.stmt_idx < len(block.statements):
+                if codeloc.stmt_idx is not None and codeloc.stmt_idx < len(block.statements):
                     stmt = block.statements[codeloc.stmt_idx]
                     if isinstance(stmt, Assignment) and stmt.dst.likes(vvar):
                         return stmt.src

angr/analyses/typehoon/simple_solver.py

@@ -185,7 +185,9 @@ class Sketch:
             return self.node_mapping[typevar]
         node: SketchNodeBase | None = None
         if isinstance(typevar, DerivedTypeVariable):
-            node = self.node_mapping[SimpleSolver._to_typevar_or_typeconst(typevar.type_var)]
+            t = SimpleSolver._to_typevar_or_typeconst(typevar.type_var)
+            assert isinstance(t, TypeVariable)
+            node = self.node_mapping[t]
             for label in typevar.labels:
                 succs = []
                 for _, dst, data in self.graph.out_edges(node, data=True):
@@ -210,11 +212,26 @@ class Sketch:
         # sub <: super
         if not isinstance(constraint, Subtype):
             return
-        subtype = self.flatten_typevar(constraint.sub_type)
-        supertype = self.flatten_typevar(constraint.super_type)
+        subtype, _ = self.flatten_typevar(constraint.sub_type)
+        supertype, try_maxsize = self.flatten_typevar(constraint.super_type)
+
+        if (
+            try_maxsize
+            and isinstance(subtype, TypeVariable)
+            and subtype in self.solver.stackvar_max_sizes
+            and isinstance(supertype, TypeConstant)
+            and not isinstance(supertype, BottomType)
+        ):
+            basetype = supertype
+            assert basetype.size is not None
+            max_size = self.solver.stackvar_max_sizes.get(subtype, None)
+            if max_size not in {0, None} and max_size // basetype.size > 0:  # type: ignore
+                supertype = Array(element=basetype, count=max_size // basetype.size)  # type: ignore
+
         if SimpleSolver._typevar_inside_set(subtype, PRIMITIVE_TYPES) and not SimpleSolver._typevar_inside_set(
             supertype, PRIMITIVE_TYPES
         ):
+            assert isinstance(supertype, (TypeVariable, DerivedTypeVariable))
             super_node = self.lookup(supertype)
             assert super_node is None or isinstance(super_node, SketchNode)
             if super_node is not None:
@@ -222,6 +239,7 @@ class Sketch:
         elif SimpleSolver._typevar_inside_set(supertype, PRIMITIVE_TYPES) and not SimpleSolver._typevar_inside_set(
             subtype, PRIMITIVE_TYPES
         ):
+            assert isinstance(subtype, (TypeVariable, DerivedTypeVariable))
             sub_node = self.lookup(subtype)
             assert sub_node is None or isinstance(sub_node, SketchNode)
             # assert sub_node is not None
@@ -231,7 +249,7 @@ class Sketch:
     @staticmethod
     def flatten_typevar(
         derived_typevar: TypeVariable | TypeConstant | DerivedTypeVariable,
-    ) -> DerivedTypeVariable | TypeVariable | TypeConstant:
+    ) -> tuple[DerivedTypeVariable | TypeVariable | TypeConstant, bool]:
         # pylint:disable=too-many-boolean-expressions
         if (
             isinstance(derived_typevar, DerivedTypeVariable)
@@ -243,8 +261,10 @@ class Sketch:
             and derived_typevar.labels[1].offset == 0
             and derived_typevar.labels[1].bits == MAX_POINTSTO_BITS
         ):
-            return derived_typevar.type_var.basetype
-        return derived_typevar
+            bt = derived_typevar.type_var.basetype
+            assert bt is not None
+            return bt, True
+        return derived_typevar, False
 
 
 #
@@ -313,6 +333,11 @@ class ConstraintGraphNode:
             else:
                 prefix = DerivedTypeVariable(self.typevar.type_var, None, labels=self.typevar.labels[:-1])
             variance = Variance.COVARIANT if self.variance == last_label.variance else Variance.CONTRAVARIANT
+            if not isinstance(prefix, (TypeVariable, DerivedTypeVariable)):
+                # we may see incorrectly generated type constraints that attempt to load from an int:
+                #   int64.load
+                # we don't want to entertain such constraints
+                return None
             return (
                 ConstraintGraphNode(prefix, variance, self.tag, FORGOTTEN.PRE_FORGOTTEN),
                 self.typevar.labels[-1],
@@ -330,6 +355,7 @@ class ConstraintGraphNode:
             raise TypeError(f"Unsupported type {type(self.typevar)}")
         variance = Variance.COVARIANT if self.variance == label.variance else Variance.CONTRAVARIANT
         var = typevar if not labels else DerivedTypeVariable(typevar, None, labels=labels)
+        assert isinstance(var, (TypeVariable, DerivedTypeVariable))
         return ConstraintGraphNode(var, variance, self.tag, FORGOTTEN.PRE_FORGOTTEN)
 
     def inverse(self) -> ConstraintGraphNode:
@@ -366,13 +392,14 @@ class SimpleSolver:
     improvements.
     """
 
-    def __init__(self, bits: int, constraints, typevars):
+    def __init__(self, bits: int, constraints, typevars, stackvar_max_sizes: dict[TypeVariable, int] | None = None):
         if bits not in (32, 64):
             raise ValueError(f"Pointer size {bits} is not supported. Expect 32 or 64.")
 
         self.bits = bits
         self._constraints: dict[TypeVariable, set[TypeConstraint]] = constraints
         self._typevars: set[TypeVariable] = typevars
+        self.stackvar_max_sizes = stackvar_max_sizes if stackvar_max_sizes is not None else {}
         self._base_lattice = BASE_LATTICES[bits]
         self._base_lattice_inverted = networkx.DiGraph()
         for src, dst in self._base_lattice.edges:
@@ -1289,7 +1316,7 @@ class SimpleSolver:
             for _, succ, data in out_edges:
                 if isinstance(succ, RecursiveRefNode):
                     ref = succ
-                    succ: SketchNode | None = sketch.lookup(succ.target)
+                    succ: SketchNode | None = sketch.lookup(succ.target)  # type: ignore
                     if succ is None:
                         # failed to resolve...
                         _l.warning(

angr/analyses/typehoon/typehoon.py

@@ -37,6 +37,7 @@ class Typehoon(Analysis):
         ground_truth=None,
         var_mapping: dict[SimVariable, set[TypeVariable]] | None = None,
         must_struct: set[TypeVariable] | None = None,
+        stackvar_max_sizes: dict[TypeVariable, int] | None = None,
     ):
         """
 
@@ -52,6 +53,7 @@ class Typehoon(Analysis):
         self._ground_truth: dict[TypeVariable, SimType] | None = ground_truth
         self._var_mapping = var_mapping
         self._must_struct = must_struct
+        self._stackvar_max_sizes = stackvar_max_sizes if stackvar_max_sizes is not None else {}
 
         self.bits = self.project.arch.bits
         self.solution = None
@@ -163,7 +165,7 @@ class Typehoon(Analysis):
                         typevars.add(constraint.sub_type)
                     if isinstance(constraint.super_type, TypeVariable):
                         typevars.add(constraint.super_type)
-        solver = SimpleSolver(self.bits, self._constraints, typevars)
+        solver = SimpleSolver(self.bits, self._constraints, typevars, stackvar_max_sizes=self._stackvar_max_sizes)
         self.solution = solver.solution
 
     def _specialize(self):

angr/analyses/variable_recovery/engine_ail.py

@@ -333,7 +333,7 @@ class SimEngineVRAIL(
         tvs = set()
         for _, vvar in expr.src_and_vvars:
             if vvar is not None:
-                r = self._read_from_vvar(vvar, expr=expr, vvar_id=self._mapped_vvarid(vvar.varid))
+                r = self._read_from_vvar(vvar, expr=vvar, vvar_id=self._mapped_vvarid(vvar.varid))
                 if r.typevar is not None:
                     tvs.add(r.typevar)
 

angr/analyses/variable_recovery/engine_vex.py

@@ -8,12 +8,13 @@ from archinfo.arch_arm import is_arm_arch
 
 from angr.block import Block
 from angr.errors import SimMemoryMissingError
-from angr.calling_conventions import SimRegArg, SimStackArg, default_cc
+from angr.calling_conventions import SimRegArg, SimStackArg, SimTypeFunction, default_cc
 from angr.engines.vex.claripy.datalayer import value as claripy_value
 from angr.engines.light import SimEngineNostmtVEX
 from angr.knowledge_plugins import Function
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.analyses.typehoon import typevars, typeconsts
+from angr.sim_type import SimTypeBottom
 from .engine_base import SimEngineVRBase, RichR
 from .irsb_scanner import VEXIRSBScanner
 
@@ -222,24 +223,39 @@ class SimEngineVRVEX(
 
     def _process_block_end(self, stmt_result, whitelist):
         # handles block-end calls
+        has_call = False
         current_addr = self.state.block_addr
         for target_func in self.call_info.get(current_addr, []):
             self._handle_function_concrete(target_func)
+            has_call = True
 
-        if self.block.vex.jumpkind == "Ijk_Call":
+        if has_call or self.block.vex.jumpkind == "Ijk_Call":
             # emulates return values from calls
             cc = None
+            proto: SimTypeFunction | None = None
             for target_func in self.call_info.get(self.state.block_addr, []):
                 if target_func.calling_convention is not None:
                     cc = target_func.calling_convention
+                    proto = target_func.prototype
                     break
             if cc is None:
                 cc = default_cc(self.arch.name, platform=self.project.simos.name)(self.arch)
-            if isinstance(cc.RETURN_VAL, SimRegArg):
-                reg_offset, reg_size = self.arch.registers[cc.RETURN_VAL.reg_name]
+
+            if proto is not None and not isinstance(proto.returnty, SimTypeBottom):
+                ret_reg = cc.return_val(proto.returnty)
+            else:
+                ret_reg = cc.RETURN_VAL
+            if isinstance(ret_reg, SimRegArg):
+                reg_offset, reg_size = self.arch.registers[ret_reg.reg_name]
                 data = self._top(reg_size * self.arch.byte_width)
                 self._assign_to_register(reg_offset, data, reg_size, create_variable=False)
 
+                # handle tail-call optimizations
+                if self.block.vex.jumpkind == "Ijk_Boring":
+                    self.state.ret_val_size = (
+                        reg_size if self.state.ret_val_size is None else max(self.state.ret_val_size, reg_size)
+                    )
+
         elif self.block.vex.jumpkind == "Ijk_Ret":
             # handles return statements
 

angr/calling_conventions.py

@@ -2,7 +2,8 @@
 from __future__ import annotations
 import logging
 from typing import cast
-from collections.abc import Iterable
+
+from collections.abc import Iterable, Sequence
 from collections import defaultdict
 import contextlib
 
@@ -82,7 +83,8 @@ class AllocHelper:
 
     def size(self):
         val = self.translate(self.ptr, claripy.BVV(0, len(self.ptr)))
-        assert val.op == "BVV"
+        assert isinstance(val, claripy.ast.Base) and val.op == "BVV"
+        assert isinstance(val.args[0], int)
         return abs(val.args[0])
 
     @classmethod
@@ -130,6 +132,7 @@ def refine_locs_with_struct_type(
         arg_type = SimTypeInt(label=arg_type.label).with_arch(arch)
 
     if isinstance(arg_type, (SimTypeReg, SimTypeNum, SimTypeFloat)):
+        assert arg_type.size is not None
         seen_bytes = 0
         pieces = []
         while seen_bytes < arg_type.size // arch.byte_width:
@@ -147,20 +150,21 @@ def refine_locs_with_struct_type(
             piece.is_fp = True
         return piece
     if isinstance(arg_type, SimTypeFixedSizeArray):
+        assert arg_type.elem_type.size is not None and arg_type.length is not None
         # TODO explicit stride
-        locs = [
+        locs_list = [
             refine_locs_with_struct_type(
                 arch, locs, arg_type.elem_type, offset=offset + i * arg_type.elem_type.size // arch.byte_width
             )
             for i in range(arg_type.length)
         ]
-        return SimArrayArg(locs)
+        return SimArrayArg(locs_list)
     if isinstance(arg_type, SimStruct):
-        locs = {
+        locs_dict = {
             field: refine_locs_with_struct_type(arch, locs, field_ty, offset=offset + arg_type.offsets[field])
             for field, field_ty in arg_type.fields.items()
         }
-        return SimStructArg(arg_type, locs)
+        return SimStructArg(arg_type, locs_dict)
     if isinstance(arg_type, SimUnion):
         # Treat a SimUnion as functionality equivalent to its longest member
         for member in arg_type.members.values():
@@ -574,8 +578,8 @@ class SimCC:
     # (if applicable) and the arguments. Probably zero.
     STACKARG_SP_DIFF = 0  # The amount of stack space reserved for the return address
     CALLER_SAVED_REGS: list[str] = []  # Caller-saved registers
-    RETURN_ADDR: SimFunctionArgument = None  # The location where the return address is stored, as a SimFunctionArgument
-    RETURN_VAL: SimFunctionArgument = None  # The location where the return value is stored, as a SimFunctionArgument
+    RETURN_ADDR: SimFunctionArgument  # The location where the return address is stored, as a SimFunctionArgument
+    RETURN_VAL: SimFunctionArgument  # The location where the return value is stored, as a SimFunctionArgument
     OVERFLOW_RETURN_VAL: SimFunctionArgument | None = (
         None  # The second half of the location where a double-length return value is stored
     )
@@ -728,6 +732,7 @@ class SimCC:
             l.warning("Function argument type cannot be BOT. Treating it as a 32-bit int.")
             arg_type = SimTypeInt().with_arch(self.arch)
         is_fp = isinstance(arg_type, SimTypeFloat)
+        assert arg_type.size is not None
         size = arg_type.size // self.arch.byte_width
         try:
             arg = next(session.fp_iter) if is_fp else next(session.int_iter)
@@ -760,7 +765,7 @@ class SimCC:
     def is_fp_value(val):
         return (
             isinstance(val, (float, claripy.ast.FP))
-            or (isinstance(val, claripy.ast.Base) and val.op.startswith("fp"))
+            or (isinstance(val, claripy.ast.Base) and val.op.startswith("fp"))  # type: ignore
             or (isinstance(val, claripy.ast.Base) and val.op == "Reverse" and val.args[0].op.startswith("fp"))
         )
 
@@ -1130,7 +1135,7 @@ class SimCC:
 
     @staticmethod
     def find_cc(
-        arch: archinfo.Arch, args: list[SimFunctionArgument], sp_delta: int, platform: str = "Linux"
+        arch: archinfo.Arch, args: Sequence[SimFunctionArgument], sp_delta: int, platform: str = "Linux"
     ) -> SimCC | None:
         """
         Pinpoint the best-fit calling convention and return the corresponding SimCC instance, or None if no fit is
@@ -1428,7 +1433,7 @@ class SimCCX86LinuxSyscall(SimCCSyscall):
 
 class SimCCX86WindowsSyscall(SimCCSyscall):
     # TODO: Make sure the information is correct
-    ARG_REGS = []
+    ARG_REGS = ["ecx"]
     FP_ARG_REGS = []
     RETURN_VAL = SimRegArg("eax", 4)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 4)
@@ -1668,7 +1673,7 @@ class SimCCAMD64LinuxSyscall(SimCCSyscall):
 
 class SimCCAMD64WindowsSyscall(SimCCSyscall):
     # TODO: Make sure the information is correct
-    ARG_REGS = []
+    ARG_REGS = ["rcx"]
     FP_ARG_REGS = []
     RETURN_VAL = SimRegArg("rax", 8)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 8)

angr/factory.py

@@ -7,6 +7,7 @@ from typing import overload, TYPE_CHECKING
 import archinfo
 from archinfo.arch_soot import ArchSoot, SootAddressDescriptor
 
+from .knowledge_plugins.functions import Function
 from .sim_state import SimState
 from .calling_conventions import default_cc, SimRegArg, SimStackArg, PointerWrapper, SimCCUnknown
 from .callable import Callable
@@ -236,7 +237,7 @@ class AngrObjectFactory:
 
     def callable(
         self,
-        addr,
+        addr: int | Function,
         prototype=None,
         concrete_only=False,
         perform_merge=True,
@@ -251,8 +252,9 @@ class AngrObjectFactory:
         A Callable is a representation of a function in the binary that can be interacted with like a native python
         function.
 
-        :param addr:            The address of the function to use
-        :param prototype:         The prototype of the call to use, as a string or a SimTypeFunction
+        :param addr:            The address of the function to use. If you pass in the function object, we will take
+                                its addr.
+        :param prototype:       The prototype of the call to use, as a string or a SimTypeFunction
         :param concrete_only:   Throw an exception if the execution splits into multiple states
         :param perform_merge:   Merge all result states into one at the end (only relevant if concrete_only=False)
         :param base_state:      The state from which to do these runs
@@ -263,6 +265,9 @@ class AngrObjectFactory:
                                 python function.
         :rtype:                 angr.callable.Callable
         """
+        if isinstance(addr, Function):
+            addr = addr.addr
+
         return Callable(
             self.project,
             addr=addr,