angr 9.2.140__py3-none-win_amd64.whl → 9.2.142__py3-none-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.140"
+__version__ = "9.2.142"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -33,6 +33,7 @@ from angr.knowledge_plugins.key_definitions.rd_model import ReachingDefinitionsM
 from angr.knowledge_plugins.variables.variable_access import VariableAccessSort
 from angr.knowledge_plugins.functions import Function
 from angr.utils.constants import DEFAULT_STATEMENT
+from angr.utils.ssa import get_reg_offset_base_and_size, get_reg_offset_base
 from angr import SIM_PROCEDURES
 from angr.analyses import Analysis, register_analysis, ReachingDefinitionsAnalysis
 from angr.analyses.reaching_definitions import get_all_definitions
@@ -164,6 +165,19 @@ class CallingConventionAnalysis(Analysis):
             ):
                 return
 
+            if (
+                hooker is not None
+                and hooker.cc is not None
+                and hooker.is_function
+                and not hooker.guessed_prototype
+                and hooker.prototype is not None
+            ):
+                # copy the calling convention and prototype from the SimProcedure instance
+                self.cc = hooker.cc
+                self.prototype = hooker.prototype
+                self.prototype_libname = hooker.library_name
+                return
+
             if self._function.prototype is None:
                 # try our luck
                 # we set ignore_binary_name to True because the binary name SimProcedures is "cle##externs" and does not
@@ -264,7 +278,7 @@ class CallingConventionAnalysis(Analysis):
         self.cc = cc
         self.prototype = prototype
 
-    def _analyze_plt(self) -> tuple[SimCC, SimTypeFunction] | None:
+    def _analyze_plt(self) -> tuple[SimCC, SimTypeFunction | None] | None:
         """
         Get the calling convention for a PLT stub.
 
@@ -296,24 +310,36 @@ class CallingConventionAnalysis(Analysis):
             real_func = None
 
         if real_func is not None:
+            if real_func.calling_convention is None:
+                cc_cls = default_cc(self.project.arch.name)
+                if cc_cls is None:
+                    # can't determine the default calling convention for this architecture
+                    return None
+                cc = cc_cls(self.project.arch)
+            else:
+                cc = real_func.calling_convention
             if real_func.is_simprocedure:
                 if self.project.is_hooked(real_func.addr):
                     # prioritize the hooker
                     hooker = self.project.hooked_by(real_func.addr)
-                    if hooker is not None and (
-                        not hooker.is_stub or (hooker.is_function and not hooker.guessed_prototype)
-                    ):
-                        return real_func.calling_convention, hooker.prototype
-                if real_func.calling_convention and real_func.prototype:
-                    return real_func.calling_convention, real_func.prototype
+                    if hooker is not None and hooker.is_function and not hooker.guessed_prototype:
+                        # we only take the prototype from the SimProcedure if
+                        # - the SimProcedure is a function
+                        # - the prototype of the SimProcedure is not guessed
+                        return cc, hooker.prototype
+                if real_func.prototype is not None:
+                    return cc, real_func.prototype
             else:
-                return real_func.calling_convention, real_func.prototype
+                return cc, real_func.prototype
 
         if self.analyze_callsites:
             # determine the calling convention by analyzing its callsites
             callsite_facts = self._extract_and_analyze_callsites(max_analyzing_callsites=1)
             cc_cls = default_cc(self.project.arch.name)
-            cc = cc_cls(self.project.arch) if cc_cls is not None else None
+            if cc_cls is None:
+                # can't determine the default calling convention for this architecture
+                return None
+            cc = cc_cls(self.project.arch)
             prototype = SimTypeFunction([], None)
             prototype = self._adjust_prototype(
                 prototype, callsite_facts, update_arguments=UpdateArgumentsOption.AlwaysUpdate
@@ -342,7 +368,7 @@ class CallingConventionAnalysis(Analysis):
             input_variables = vm.input_variables()
             input_args = self._args_from_vars(input_variables, vm)
         else:
-            input_args = self._input_args
+            input_args = set(self._input_args)
             retval_size = self._retval_size
 
         # check if this function is a variadic function
@@ -355,8 +381,14 @@ class CallingConventionAnalysis(Analysis):
         # TODO: properly determine sp_delta
         sp_delta = self.project.arch.bytes if self.project.arch.call_pushes_ret else 0
 
-        input_args = list(input_args)  # input_args might be modified by find_cc()
-        cc = SimCC.find_cc(self.project.arch, input_args, sp_delta, platform=self.project.simos.name)
+        full_input_args = self._consolidate_input_args(input_args)
+        full_input_args_copy = list(full_input_args)  # input_args might be modified by find_cc()
+        cc = SimCC.find_cc(self.project.arch, full_input_args_copy, sp_delta, platform=self.project.simos.name)
+
+        # update input_args according to the difference between full_input_args and full_input_args_copy
+        for a in full_input_args:
+            if a not in full_input_args_copy and a in input_args:
+                input_args.remove(a)
 
         if cc is None:
             l.warning(
@@ -657,12 +689,6 @@ class CallingConventionAnalysis(Analysis):
             else:
                 break
 
-        if None in temp_args:
-            first_none_idx = temp_args.index(None)
-            # test if there is at least one argument set after None; if so, we ignore the first None
-            if any(arg is not None for arg in temp_args[first_none_idx:]):
-                temp_args[first_none_idx] = expected_args[first_none_idx]
-
         if None in temp_args:
             # we be very conservative here and ignore all arguments starting from the first missing one
             first_none_idx = temp_args.index(None)
@@ -681,17 +707,18 @@ class CallingConventionAnalysis(Analysis):
             if all(fact.return_value_used is False for fact in facts):
                 proto.returnty = SimTypeBottom(label="void")
             else:
-                proto.returnty = SimTypeInt().with_arch(self.project.arch)
+                if proto.returnty is None or isinstance(proto.returnty, SimTypeBottom):
+                    proto.returnty = SimTypeInt().with_arch(self.project.arch)
 
         if (
             update_arguments == UpdateArgumentsOption.AlwaysUpdate
             or (update_arguments == UpdateArgumentsOption.UpdateWhenCCHasNoArgs and not proto.args)
         ) and len({len(fact.args) for fact in facts}) == 1:
             fact = next(iter(facts))
-            proto.args = [
+            proto.args = tuple(
                 self._guess_arg_type(arg) if arg is not None else SimTypeInt().with_arch(self.project.arch)
                 for arg in fact.args
-            ]
+            )
 
         return proto
 
@@ -730,13 +757,8 @@ class CallingConventionAnalysis(Analysis):
                 # a register variable, convert it to a register argument
                 if not is_sane_register_variable(self.project.arch, variable.reg, variable.size, def_cc=def_cc):
                     continue
-                if self.project.arch.name in {"AMD64", "X86"} and variable.size < self.project.arch.bytes:
-                    # use complete registers on AMD64 and X86
-                    reg_name = self.project.arch.translate_register_name(variable.reg, size=self.project.arch.bytes)
-                    arg = SimRegArg(reg_name, self.project.arch.bytes)
-                else:
-                    reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
-                    arg = SimRegArg(reg_name, variable.size)
+                reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
+                arg = SimRegArg(reg_name, variable.size)
                 args.add(arg)
 
                 accesses = var_manager.get_variable_accesses(variable)
@@ -778,15 +800,58 @@ class CallingConventionAnalysis(Analysis):
 
         return args.difference(restored_reg_vars)
 
-    def _reorder_args(self, args: list[SimRegArg | SimStackArg], cc: SimCC) -> list[SimRegArg | SimStackArg]:
+    def _consolidate_input_args(self, input_args: set[SimRegArg | SimStackArg]) -> set[SimRegArg | SimStackArg]:
+        """
+        Consolidate register arguments by converting partial registers to full registers on certain architectures.
+
+        :param input_args:  A set of input arguments.
+        :return:            A set of consolidated input args.
+        """
+
+        if self.project.arch.name in {"AMD64", "X86"}:
+            new_input_args = set()
+            for a in input_args:
+                if isinstance(a, SimRegArg) and a.size < self.project.arch.bytes:
+                    # use complete registers on AMD64 and X86
+                    reg_offset, reg_size = self.project.arch.registers[a.reg_name]
+                    full_reg_offset, full_reg_size = get_reg_offset_base_and_size(
+                        reg_offset, self.project.arch, size=reg_size
+                    )
+                    full_reg_name = self.project.arch.translate_register_name(full_reg_offset, size=full_reg_size)
+                    arg = SimRegArg(full_reg_name, full_reg_size)
+                    if arg not in new_input_args:
+                        new_input_args.add(arg)
+                else:
+                    new_input_args.add(a)
+            return new_input_args
+
+        return input_args
+
+    def _reorder_args(self, args: set[SimRegArg | SimStackArg], cc: SimCC) -> list[SimRegArg | SimStackArg]:
         """
         Reorder arguments according to the calling convention identified.
 
-        :param args:   A list of arguments that haven't been ordered.
+        :param args:   A set of arguments that haven't been ordered.
         :param cc:    The identified calling convention.
         :return:            A reordered list of args.
         """
 
+        def _is_same_reg(rn0: str, rn1: str) -> bool:
+            """
+            Check if rn0 and rn1 belong to the same base register.
+
+            :param rn0:     Register name of the first register.
+            :param rn1:     Register name of the second register.
+            :return:        True if they belong to the same base register; False otherwise.
+            """
+            if rn0 == rn1:
+                return True
+            off0, sz0 = self.project.arch.registers[rn0]
+            full_off0 = get_reg_offset_base(off0, self.project.arch, sz0)
+            off1, sz1 = self.project.arch.registers[rn1]
+            full_off1 = get_reg_offset_base(off1, self.project.arch, sz1)
+            return full_off0 == full_off1
+
         reg_args = []
 
         # split args into two lists
@@ -805,7 +870,7 @@ class CallingConventionAnalysis(Analysis):
         # match int args first
         for reg_name in cc.ARG_REGS:
             try:
-                arg = next(iter(a for a in int_args if isinstance(a, SimRegArg) and a.reg_name == reg_name))
+                arg = next(iter(a for a in int_args if isinstance(a, SimRegArg) and _is_same_reg(a.reg_name, reg_name)))
             except StopIteration:
                 # have we reached the end of the args list?
                 if [a for a in int_args if isinstance(a, SimRegArg)] or len(stack_int_args) > 0:
@@ -821,7 +886,9 @@ class CallingConventionAnalysis(Analysis):
         if fp_args:
             for reg_name in cc.FP_ARG_REGS:
                 try:
-                    arg = next(iter(a for a in fp_args if isinstance(a, SimRegArg) and a.reg_name == reg_name))
+                    arg = next(
+                        iter(a for a in fp_args if isinstance(a, SimRegArg) and _is_same_reg(a.reg_name, reg_name))
+                    )
                 except StopIteration:
                     # have we reached the end of the args list?
                     if [a for a in fp_args if isinstance(a, SimRegArg)] or len(stack_fp_args) > 0:
@@ -886,12 +953,15 @@ class CallingConventionAnalysis(Analysis):
             if 5 <= ret_val_size <= 8:
                 return SimTypeLongLong()
 
-        # fallback
-        return SimTypeInt() if cc.arch.bits == 32 else SimTypeLongLong()
+        return SimTypeBottom(label="void")
 
     @staticmethod
     def _likely_saving_temp_reg(ail_block: ailment.Block, d: Definition, all_reg_defs: set[Definition]) -> bool:
-        if d.codeloc.block_addr == ail_block.addr and d.codeloc.stmt_idx < len(ail_block.statements):
+        if (
+            d.codeloc.block_addr == ail_block.addr
+            and d.codeloc.stmt_idx is not None
+            and d.codeloc.stmt_idx < len(ail_block.statements)
+        ):
             stmt = ail_block.statements[d.codeloc.stmt_idx]
             if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.Register):
                 src_offset = stmt.src.reg_offset

angr/analyses/calling_convention/fact_collector.py

@@ -90,7 +90,7 @@ binop_handler = SimEngineNostmtVEX[FactCollectorState, claripy.ast.BV, FactColle
 
 class SimEngineFactCollectorVEX(
     SimEngineNostmtVEX[FactCollectorState, SpOffset | RegisterOffset | int, None],
-    SimEngineLight[type[FactCollectorState], SpOffset | RegisterOffset | int, Block, None],
+    SimEngineLight[FactCollectorState, SpOffset | RegisterOffset | int, Block, None],
 ):
     """
     THe engine for FactCollector.
@@ -101,7 +101,7 @@ class SimEngineFactCollectorVEX(
         super().__init__(project)
 
     def _process_block_end(self, stmt_result: list, whitelist: set[int] | None) -> None:
-        if self.block.vex.jumpkind == "Ijk_Call":
+        if self.block.vex.jumpkind == "Ijk_Call" and self.arch.ret_offset is not None:
             self.state.register_written(self.arch.ret_offset, self.arch.bytes)
 
     def _top(self, bits: int):
@@ -110,7 +110,7 @@ class SimEngineFactCollectorVEX(
     def _is_top(self, expr: Any) -> bool:
         raise NotImplementedError
 
-    def _handle_conversion(self, from_size: int, to_size: int, signed: bool, operand: pyvex.IRExpr) -> Any:
+    def _handle_conversion(self, from_size: int, to_size: int, signed: bool, operand: pyvex.expr.IRExpr) -> Any:
         return None
 
     def _handle_stmt_Put(self, stmt):
@@ -142,9 +142,9 @@ class SimEngineFactCollectorVEX(
         return expr.con.value
 
     def _handle_expr_GSPTR(self, expr):
-        return None
+        return 0
 
-    def _handle_expr_Get(self, expr) -> SpOffset | None:
+    def _handle_expr_Get(self, expr) -> SpOffset | RegisterOffset:
         if expr.offset == self.arch.sp_offset:
             return SpOffset(self.arch.bits, self.state.sp_value, is_base=False)
         if expr.offset == self.arch.bp_offset and not self.bp_as_gpr:
@@ -304,7 +304,10 @@ class FactCollector(Analysis):
 
     def _handle_function(self, state: FactCollectorState, func: Function) -> None:
         try:
-            arg_locs = func.calling_convention.arg_locs(func.prototype)
+            if func.calling_convention is not None and func.prototype is not None:
+                arg_locs = func.calling_convention.arg_locs(func.prototype)
+            else:
+                return
         except (TypeError, ValueError):
             return
 
@@ -355,6 +358,7 @@ class FactCollector(Analysis):
 
                 if isinstance(node, BlockNode) and node.size == 0:
                     continue
+
                 if isinstance(node, HookNode):
                     # attempt to convert it into a function
                     if self.kb.functions.contains_addr(node.addr):
@@ -369,17 +373,43 @@ class FactCollector(Analysis):
                         and not isinstance(node.prototype.returnty, SimTypeBottom)
                     ):
                         # assume the function overwrites the return variable
-                        retval_size = (
-                            node.prototype.returnty.with_arch(self.project.arch).size // self.project.arch.byte_width
-                        )
+                        returnty_size = node.prototype.returnty.with_arch(self.project.arch).size
+                        assert returnty_size is not None
+                        retval_size = returnty_size // self.project.arch.byte_width
                         retval_sizes.append(retval_size)
                     continue
 
+                # if this block ends with a call to a function, we process the function first
+                func_succs = [
+                    succ
+                    for succ in func_graph.successors(node)
+                    if isinstance(succ, (Function, HookNode)) or self.kb.functions.contains_addr(succ.addr)
+                ]
+                if len(func_succs) == 1:
+                    func_succ = func_succs[0]
+                    if isinstance(func_succ, (BlockNode, HookNode)) and self.kb.functions.contains_addr(func_succ.addr):
+                        # attempt to convert it into a function
+                        func_succ = self.kb.functions.get_by_addr(func_succ.addr)
+                    if isinstance(func_succ, Function):
+                        if (
+                            func_succ.calling_convention is not None
+                            and func_succ.prototype is not None
+                            and func_succ.prototype.returnty is not None
+                            and not isinstance(func_succ.prototype.returnty, SimTypeBottom)
+                        ):
+                            # assume the function overwrites the return variable
+                            returnty_size = func_succ.prototype.returnty.with_arch(self.project.arch).size
+                            assert returnty_size is not None
+                            retval_size = returnty_size // self.project.arch.byte_width
+                            retval_sizes.append(retval_size)
+                        continue
+
                 block = self.project.factory.block(node.addr, size=node.size)
                 # scan the block statements backwards to find writes to the return value register
                 retval_size = None
                 for stmt in reversed(block.vex.statements):
                     if isinstance(stmt, pyvex.IRStmt.Put):
+                        assert block.vex.tyenv is not None
                         size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
                         if stmt.offset == retreg_offset:
                             retval_size = max(size, 1)
@@ -391,9 +421,9 @@ class FactCollector(Analysis):
                 for pred, _, data in func_graph.in_edges(node, data=True):
                     edge_type = data.get("type")
                     if pred not in traversed and depth + 1 <= self._max_depth:
-                        if edge_type == "fake_return":
+                        if edge_type == "call":
                             continue
-                        if edge_type in {"transition", "call"}:
+                        if edge_type in {"transition", "fake_return"}:
                             queue.append((depth + 1, pred))
 
         self.retval_size = max(retval_sizes) if retval_sizes else None
@@ -472,6 +502,7 @@ class FactCollector(Analysis):
                                 ):
                                     tmps[stmt.tmp] = "sp"
                     if isinstance(stmt, pyvex.IRStmt.Put):
+                        assert block.vex.tyenv is not None
                         size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
                         # is the data loaded from the stack?
                         if (
@@ -532,13 +563,8 @@ class FactCollector(Analysis):
                 ):
                     continue
                 reg_offset_created.add(offset)
-                if self.project.arch.name in {"AMD64", "X86"} and size < self.project.arch.bytes:
-                    # use complete registers on AMD64 and X86
-                    reg_name = self.project.arch.translate_register_name(offset, size=self.project.arch.bytes)
-                    arg = SimRegArg(reg_name, self.project.arch.bytes)
-                else:
-                    reg_name = self.project.arch.translate_register_name(offset, size=size)
-                    arg = SimRegArg(reg_name, size)
+                reg_name = self.project.arch.translate_register_name(offset, size=size)
+                arg = SimRegArg(reg_name, size)
                 self.input_args.append(arg)
 
         stack_offset_created = set()

angr/analyses/calling_convention/utils.py

@@ -9,7 +9,9 @@ from angr.calling_conventions import SimCC
 l = logging.getLogger(__name__)
 
 
-def is_sane_register_variable(arch: archinfo.Arch, reg_offset: int, reg_size: int, def_cc: SimCC | None = None) -> bool:
+def is_sane_register_variable(
+    arch: archinfo.Arch, reg_offset: int, reg_size: int, def_cc: SimCC | type[SimCC] | None = None
+) -> bool:
     """
     Filters all registers that are surly not members of function arguments.
     This can be seen as a workaround, since VariableRecoveryFast sometimes gives input variables of cc_ndep (which

angr/analyses/cfg/cfg_base.py

@@ -11,7 +11,7 @@ import pyvex
 from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec, XBE
 from cle.backends import NamedRegion
 import archinfo
-from archinfo.arch_soot import SootAddressDescriptor
+from archinfo.arch_soot import SootAddressDescriptor, SootMethodDescriptor
 from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 
 from angr.knowledge_plugins.functions.function_manager import FunctionManager
@@ -129,7 +129,7 @@ class CFGBase(Analysis):
 
         # Store all the functions analyzed before the set is cleared
         # Used for performance optimization
-        self._updated_nonreturning_functions: set[int] | None = None
+        self._updated_nonreturning_functions: set[int | SootMethodDescriptor] | None = None
 
         self._normalize = normalize
 
@@ -246,7 +246,7 @@ class CFGBase(Analysis):
             )
 
         self._regions_size = sum((end - start) for start, end in regions)
-        self._regions: dict[int, int] = SortedDict(regions)
+        self._regions: SortedDict = SortedDict(regions)
 
         l.debug("CFG recovery covers %d regions:", len(self._regions))
         for start, end in self._regions.items():
@@ -1556,6 +1556,7 @@ class CFGBase(Analysis):
                     self.kb.functions[func_addr].alignment = True
                     continue
                 node = function.get_node(block.addr)
+                assert node is not None
                 successors = list(function.graph.successors(node))
                 if len(successors) == 1 and successors[0].addr == node.addr:
                     # self loop. mark this function as a function alignment
@@ -2151,6 +2152,11 @@ class CFGBase(Analysis):
             f = self.kb.functions.function(addr=addr)
             assert f is not None
 
+            # copy over existing metadata
+            if known_functions.contains_addr(addr):
+                kf = known_functions.get_by_addr(addr)
+                f.is_plt = kf.is_plt
+
             blockaddr_to_function[addr] = f
 
             function_is_returning = False
@@ -2532,6 +2538,34 @@ class CFGBase(Analysis):
     # Other functions
     #
 
+    @staticmethod
+    def _is_noop_jump_block(block) -> bool:
+        """
+        Check if the block does nothing but jumping to a constant address.
+
+        :param block:   The block instance. We assume the block is already optimized.
+        :return:        True if the entire block is a jump to a constant address, False otherwise.
+        """
+
+        vex = block.vex
+        if vex.jumpkind != "Ijk_Boring":
+            return False
+        if isinstance(vex.next, pyvex.expr.Const):
+            return all(isinstance(stmt, pyvex.stmt.IMark) for stmt in vex.statements)
+        if isinstance(vex.next, pyvex.expr.RdTmp):
+            next_tmp = vex.next.tmp
+            return all(
+                isinstance(stmt, pyvex.stmt.IMark)
+                or (
+                    isinstance(stmt, pyvex.stmt.WrTmp)
+                    and stmt.tmp == next_tmp
+                    and isinstance(stmt.data, pyvex.expr.Load)
+                    and isinstance(stmt.data.addr, pyvex.expr.Const)
+                )
+                for stmt in vex.statements
+            )
+        return False
+
     @staticmethod
     def _is_noop_block(arch: archinfo.Arch, block) -> bool:
         """
@@ -2755,7 +2789,7 @@ class CFGBase(Analysis):
         cfg_node: CFGNode,
         irsb: pyvex.IRSB,
         func_addr: int,
-        stmt_idx: int | str = DEFAULT_STATEMENT,
+        stmt_idx: int = DEFAULT_STATEMENT,
     ) -> tuple[bool, set[int], IndirectJump | None]:
         """
         Called when we encounter an indirect jump. We will try to resolve this indirect jump using timeless (fast)

angr/analyses/cfg/cfg_fast.py

@@ -1782,7 +1782,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self.project.loader.discard_ro_memview()
 
         # Clean up
-        self._traced_addresses = None
+        self._traced_addresses = None  # type: ignore
         self._lifter_deregister_readonly_regions()
         self._function_returns = None
 
@@ -1838,6 +1838,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 xrefs = self.kb.xrefs.get_xrefs_by_dst(security_cookie_addr)
                 tested_func_addrs = set()
                 for xref in xrefs:
+                    assert xref.block_addr is not None
                     cfg_node = self.model.get_any_node(xref.block_addr)
                     if cfg_node is None:
                         continue
@@ -2081,13 +2082,20 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         if (
             cfg_job.src_node is not None
-            and self.functions.contains_addr(cfg_job.src_node.addr)
-            and self.functions[cfg_job.src_node.addr].is_default_name
             and cfg_job.src_node.addr not in self.kb.labels
             and cfg_job.jumpkind == "Ijk_Boring"
+            and self._is_noop_jump_block(cfg_job.src_node.block)
         ):
-            # assign a name to the caller function that jumps to this procedure
-            self.functions[cfg_job.src_node.addr].name = procedure.display_name
+            # the caller node is very likely to be a PLT stub
+            if not self.functions.contains_addr(cfg_job.src_node.addr):
+                src_func = self.functions.function(addr=cfg_job.src_node.addr, create=True)
+            else:
+                src_func = self.functions.get_by_addr(cfg_job.src_node.addr)
+            if len(src_func.block_addrs_set) <= 1 and src_func.is_default_name:
+                # assign a name to the caller function that jumps to this procedure
+                src_func.name = procedure.display_name
+                # mark it as PLT
+                src_func.is_plt = True
 
         if procedure.ADDS_EXITS:
             # Get two blocks ahead
@@ -3714,7 +3722,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
     #
 
     def _graph_add_edge(
-        self, cfg_node: CFGNode, src_node: CFGNode | None, src_jumpkind: str, src_ins_addr: int, src_stmt_idx: int
+        self,
+        cfg_node: CFGNode,
+        src_node: CFGNode | None,
+        src_jumpkind: str,
+        src_ins_addr: int | None,
+        src_stmt_idx: int | None,
     ):
         """
         Add edge between nodes, or add node if entry point
@@ -4584,6 +4597,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 elif (
                     lifted_block is not None
                     and is_x86_x64_arch
+                    and lifted_block.bytes is not None
                     and len(lifted_block.bytes) - irsb_size > 2
                     and lifted_block.bytes[irsb_size : irsb_size + 2]
                     in {
@@ -4659,7 +4673,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     self._seg_list.occupy(real_addr + irsb_size, nodecode_size, "nodecode")
 
             # Occupy the block in segment list
-            if irsb.size > 0:
+            if irsb is not None and irsb.size > 0:
                 self._seg_list.occupy(real_addr, irsb.size, "code")
 
             # Create a CFG node, and add it to the graph
@@ -4969,6 +4983,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         for assumption_addr in to_remove:
             # remove this assumption from the graph (since we may have new relationships formed later)
+            assert self._decoding_assumption_relations is not None
             if assumption_addr in self._decoding_assumption_relations:
                 self._decoding_assumption_relations.remove_node(assumption_addr)
 
@@ -5159,6 +5174,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     target_func = edges[0][1]
                     if isinstance(target_func, (HookNode, Function)) and self.project.is_hooked(target_func.addr):
                         hooker = self.project.hooked_by(target_func.addr)
+                        assert hooker is not None
                         if hooker.DYNAMIC_RET:
                             return self._is_call_returning(callsite_cfgnode, target_func.addr)
 

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -182,23 +182,28 @@ class ConstantValueManager:
 
         # determine blocks to run FCP on
 
-        # - include at most three levels of successors from the entrypoint
+        # - include at most three levels of superblock successors from the entrypoint
+        self.mapping = {}
         startpoint = self.func.startpoint
+        if startpoint is None:
+            return
+
         blocks = set()
-        succs = [startpoint]
-        for _ in range(3):
+        succ_and_levels = [(startpoint, 0)]
+        while succ_and_levels:
             new_succs = []
-            for node in succs:
+            for node, level in succ_and_levels:
                 if node in blocks:
                     continue
                 blocks.add(node)
                 if node.addr == self.indirect_jump_addr:
                     # stop at the indirect jump block
                     continue
-                new_succs += list(self.func.graph.successors(node))
-            succs = new_succs
-            if not succs:
-                break
+                for _, succ, data in self.func.graph.out_edges(node, data=True):
+                    new_level = level if data.get("type") == "fake_return" else level + 1
+                    if new_level <= 3:
+                        new_succs.append((succ, new_level))
+            succ_and_levels = new_succs
 
         # - include at most six levels of predecessors from the indirect jump block
         ij_block = self.func.get_node(self.indirect_jump_addr)