angr 9.2.141__py3-none-macosx_11_0_arm64.whl → 9.2.143__py3-none-macosx_11_0_arm64.whl

angr/calling_conventions.py

@@ -254,7 +254,7 @@ class SimFunctionArgument:
             if self.size not in (4, 8):
                 raise ValueError(f"What do I do with a float {self.size} bytes long")
             value = claripy.FPV(value, claripy.FSORT_FLOAT if self.size == 4 else claripy.FSORT_DOUBLE)
-        return value.raw_to_bv()
+        return value.raw_to_bv()  # type:ignore
 
     def check_value_get(self, value):
         if self.is_fp:
@@ -578,8 +578,12 @@ class SimCC:
     # (if applicable) and the arguments. Probably zero.
     STACKARG_SP_DIFF = 0  # The amount of stack space reserved for the return address
     CALLER_SAVED_REGS: list[str] = []  # Caller-saved registers
-    RETURN_ADDR: SimFunctionArgument  # The location where the return address is stored, as a SimFunctionArgument
-    RETURN_VAL: SimFunctionArgument  # The location where the return value is stored, as a SimFunctionArgument
+    RETURN_ADDR: SimFunctionArgument | None = (
+        None  # The location where the return address is stored, as a SimFunctionArgument
+    )
+    RETURN_VAL: SimFunctionArgument | None = (
+        None  # The location where the return value is stored, as a SimFunctionArgument
+    )
     OVERFLOW_RETURN_VAL: SimFunctionArgument | None = (
         None  # The second half of the location where a double-length return value is stored
     )
@@ -766,7 +770,11 @@ class SimCC:
         return (
             isinstance(val, (float, claripy.ast.FP))
             or (isinstance(val, claripy.ast.Base) and val.op.startswith("fp"))  # type: ignore
-            or (isinstance(val, claripy.ast.Base) and val.op == "Reverse" and val.args[0].op.startswith("fp"))
+            or (
+                isinstance(val, claripy.ast.Base)
+                and val.op == "Reverse"  # type:ignore
+                and val.args[0].op.startswith("fp")  # type:ignore
+            )
         )
 
     @staticmethod
@@ -922,8 +930,10 @@ class SimCC:
         allocator.apply(state, alloc_base)
 
         for loc, val in zip(arg_locs, vals):
+            assert loc is not None
             loc.set_value(state, val, stack_base=stack_base)
-        self.return_addr.set_value(state, ret_addr, stack_base=stack_base)
+        if self.return_addr is not None:
+            self.return_addr.set_value(state, ret_addr, stack_base=stack_base)
 
     def teardown_callsite(self, state, return_val=None, prototype=None, force_callee_cleanup=False):
         """
@@ -943,10 +953,10 @@ class SimCC:
             self.set_return_val(state, return_val, prototype.returnty)
             # ummmmmmmm hack
             loc = self.return_val(prototype.returnty)
-            if isinstance(loc, SimReferenceArgument):
+            if self.RETURN_VAL is not None and isinstance(loc, SimReferenceArgument):
                 self.RETURN_VAL.set_value(state, loc.ptr_loc.get_value(state))
 
-        ret_addr = self.return_addr.get_value(state)
+        ret_addr = self.return_addr.get_value(state) if self.return_addr is not None else None
 
         if state.arch.sp_offset is not None and prototype is not None:
             if force_callee_cleanup or self.CALLEE_CLEANUP:
@@ -975,7 +985,7 @@ class SimCC:
 
             if arg.buffer:
                 if isinstance(arg.value, claripy.ast.Bits):
-                    real_value = arg.value.chop(state.arch.byte_width)
+                    real_value = arg.value.chop(state.arch.byte_width)  # type:ignore
                 elif type(arg.value) in (bytes, str):
                     real_value = claripy.BVV(arg.value).chop(8)
                 else:
@@ -1433,7 +1443,7 @@ class SimCCX86LinuxSyscall(SimCCSyscall):
 
 class SimCCX86WindowsSyscall(SimCCSyscall):
     # TODO: Make sure the information is correct
-    ARG_REGS = []
+    ARG_REGS = ["ecx"]
     FP_ARG_REGS = []
     RETURN_VAL = SimRegArg("eax", 4)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 4)
@@ -1673,7 +1683,7 @@ class SimCCAMD64LinuxSyscall(SimCCSyscall):
 
 class SimCCAMD64WindowsSyscall(SimCCSyscall):
     # TODO: Make sure the information is correct
-    ARG_REGS = []
+    ARG_REGS = ["rcx"]
     FP_ARG_REGS = []
     RETURN_VAL = SimRegArg("rax", 8)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 8)

angr/knowledge_plugins/functions/function.py

@@ -9,7 +9,7 @@ import contextlib
 from typing import overload
 
 import networkx
-from itanium_demangler import parse
+import pydemumble
 
 from cle.backends.symbol import Symbol
 from archinfo.arch_arm import get_real_address_if_arm
@@ -202,7 +202,8 @@ class Function(Serializable):
         if is_plt is not None:
             self.is_plt = is_plt
         else:
-            # Whether this function is a PLT entry or not is fully relying on the PLT detection in CLE
+            # Whether this function is a PLT entry or not is primarily relying on the PLT detection in CLE; it may also
+            # be updated (to True) during CFG recovery.
             if self.project is None:
                 raise ValueError(
                     "'is_plt' must be specified if you do not specify a function manager for this new function."
@@ -1568,14 +1569,8 @@ class Function(Serializable):
 
     @property
     def demangled_name(self):
-        if self.name[0:2] == "_Z":
-            try:
-                ast = parse(self.name)
-            except (NotImplementedError, KeyError):  # itanium demangler is not the most robust package in the world
-                return self.name
-            if ast:
-                return ast.__str__()
-        return self.name
+        ast = pydemumble.demangle(self.name)
+        return ast if ast else self.name
 
     def get_unambiguous_name(self, display_name: str | None = None) -> str:
         """

angr/knowledge_plugins/variables/variable_manager.py

@@ -32,6 +32,7 @@ from angr.knowledge_plugins.types import TypesStore
 from .variable_access import VariableAccess, VariableAccessSort
 
 if TYPE_CHECKING:
+    from angr.analyses.decompiler.stack_item import StackItem
     from angr.code_location import CodeLocation
 
 l = logging.getLogger(name=__name__)
@@ -1141,6 +1142,32 @@ class VariableManagerInternal(Serializable):
                     return False
         return True
 
+    def get_stackvar_max_sizes(self, stack_items: dict[int, StackItem]) -> dict[SimStackVariable, int]:
+        """
+        Get the maximum size of each stack variable regardless of the type of each stack variable, under the assumption
+        that stack variables do not overlap.
+
+        :return:        A dictionary from SimStackVariable to its maximum size.
+        """
+
+        stackvars_by_offset = defaultdict(list)
+        for v in self._variables:
+            if isinstance(v, SimStackVariable):
+                offset = v.offset
+                stackvars_by_offset[offset].append(v)
+
+        max_sizes = {}
+        offsets = sorted(list(stackvars_by_offset) + list(stack_items))
+        for i, offset in enumerate(offsets):
+            if i + 1 < len(offsets):
+                next_off = offsets[i + 1]
+                sz = next_off - offset
+                if offset in stackvars_by_offset:
+                    for v in stackvars_by_offset[offset]:
+                        max_sizes[v] = max(v.size, sz)
+
+        return max_sizes
+
 
 class VariableManager(KnowledgeBasePlugin):
     """

angr/procedures/definitions/__init__.py

@@ -7,8 +7,7 @@ import inspect
 from collections import defaultdict
 from typing import TYPE_CHECKING
 
-import itanium_demangler
-
+import pydemumble
 import archinfo
 
 from angr.errors import AngrMissingTypeError
@@ -345,14 +344,8 @@ class SimCppLibrary(SimLibrary):
 
     @staticmethod
     def _try_demangle(name):
-        if name[0:2] == "_Z":
-            try:
-                ast = itanium_demangler.parse(name)
-            except NotImplementedError:
-                return name
-            if ast:
-                return str(ast)
-        return name
+        ast = pydemumble.demangle(name)
+        return ast if ast else name
 
     @staticmethod
     def _proto_from_demangled_name(name: str) -> SimTypeFunction | None:

angr/procedures/definitions/linux_kernel.py

@@ -3,6 +3,7 @@ import logging
 
 from angr.sim_type import SimTypeFunction, SimTypePointer, SimTypeLong, SimStruct, SimTypeInt, SimTypeChar, SimTypeBottom, SimTypeFd, SimTypeLongLong
 from angr.procedures import SIM_PROCEDURES as P
+from angr.calling_conventions import SYSCALL_CC
 from . import SimSyscallLibrary
 
 _l = logging.getLogger(__name__)
@@ -11,6 +12,10 @@ _l = logging.getLogger(__name__)
 lib = SimSyscallLibrary()
 lib.set_library_names('linux')
 lib.add_all_from_dict(P['linux_kernel'])
+for arch, os_name_to_cc in SYSCALL_CC.items():
+    linux_syscall_cc = os_name_to_cc.get("Linux")
+    if linux_syscall_cc:
+        lib.set_default_cc(arch, linux_syscall_cc)
 
 lib.add('open', P['posix']['open'])
 lib.add('read', P['posix']['read'])

angr/procedures/definitions/wdk_ntoskrnl.py

@@ -20,6 +20,8 @@ lib.add_all_from_dict(P["win32_kernel"])
 lib.set_library_names("ntoskrnl.exe")
 prototypes = \
     {
+        # int 29h
+        '__fastfail': SimTypeFunction([SimTypeInt(signed=False, label="Int")], SimTypeBottom(label="void"), arg_names=["code"]),
         #
         'NtQueryObject': SimTypeFunction([SimTypePointer(SimTypeInt(signed=True, label="Int"), label="IntPtr", offset=0), SimTypeInt(signed=False, label="OBJECT_INFORMATION_CLASS"), SimTypePointer(SimTypeBottom(label="Void"), offset=0), SimTypeInt(signed=False, label="UInt32"), SimTypePointer(SimTypeInt(signed=False, label="UInt32"), offset=0)], SimTypeInt(signed=True, label="Int32"), arg_names=["Handle", "ObjectInformationClass", "ObjectInformation", "ObjectInformationLength", "ReturnLength"]),
         #

angr/procedures/win32_kernel/__fastfail.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+import angr
+
+
+class __fastfail(angr.SimProcedure):
+    """
+    Immediately terminates the calling process with minimum overhead.
+
+    https://learn.microsoft.com/en-us/cpp/intrinsics/fastfail?view=msvc-170
+    """
+
+    NO_RET = True
+
+    def run(self, _):  # pylint:disable=arguments-differ
+        self.exit(0xC0000409)

angr/sim_procedure.py

@@ -3,7 +3,7 @@ import inspect
 import copy
 import itertools
 import logging
-from typing import TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 
 import claripy
 from cle import SymbolType
@@ -339,7 +339,7 @@ class SimProcedure:
     ALT_NAMES = None  # alternative names
     local_vars: tuple[str, ...] = ()
 
-    def run(self, *args, **kwargs):  # pylint: disable=unused-argument
+    def run(self, *args, **kwargs) -> Any:  # pylint: disable=unused-argument
         """
         Implement the actual procedure here!
         """

angr/simos/simos.py

@@ -1,4 +1,5 @@
 from __future__ import annotations
+from typing import TYPE_CHECKING
 import logging
 import struct
 
@@ -14,6 +15,9 @@ from angr.procedures import SIM_PROCEDURES as P
 from angr import sim_options as o
 from angr.storage.file import SimFileStream, SimFileBase
 
+if TYPE_CHECKING:
+    from angr.sim_procedure import SimProcedure
+
 
 _l = logging.getLogger(name=__name__)
 
@@ -46,7 +50,7 @@ class SimOS:
         self.unresolvable_call_target = self.project.loader.extern_object.allocate()
         self.project.hook(self.unresolvable_call_target, P["stubs"]["UnresolvableCallTarget"]())
 
-        def irelative_resolver(resolver_addr):
+        def irelative_resolver(resolver_addr: int) -> int | None:
             # autohooking runs before this does, might have provided this already
             # in that case, we want to advertise the _resolver_ address, since it is now
             # providing the behavior of the actual function
@@ -70,7 +74,7 @@ class SimOS:
                 _l.error("Resolver at %#x failed to resolve!", resolver_addr)
                 return None
 
-            return val.concrete_value
+            return val.concrete_value if val is not None and val.concrete else None
 
         self.project.loader.perform_irelative_relocs(irelative_resolver)
 
@@ -79,7 +83,7 @@ class SimOS:
 
         if sym is not None:
             addr, _ = self.prepare_function_symbol(name, basic_addr=sym.rebased_addr)
-            if self.project.is_hooked(addr) and not self.project.hooked_by(addr).is_stub:
+            if self.project.is_hooked(addr) and not self.project.hooked_by(addr).is_stub:  # type: ignore
                 return
             self.project.hook(addr, hook)
 
@@ -242,7 +246,7 @@ class SimOS:
         return self.state_entry(**kwargs)
 
     def state_call(self, addr, *args, **kwargs):
-        cc = kwargs.pop("cc", default_cc(self.arch.name, platform=self.name)(self.project.arch))
+        cc = kwargs.pop("cc", default_cc(self.arch.name, platform=self.name)(self.project.arch))  # type: ignore
         state = kwargs.pop("base_state", None)
         toc = kwargs.pop("toc", None)
 
@@ -326,22 +330,22 @@ class SimOS:
     # Dummy stuff to allow this API to be used freely
 
     # pylint: disable=unused-argument, no-self-use
-    def syscall(self, state, allow_unsupported=True):
+    def syscall(self, state: SimState, allow_unsupported: bool = True) -> SimProcedure | None:
         return None
 
-    def syscall_abi(self, state) -> str:
+    def syscall_abi(self, state: SimState) -> str | None:
         return None
 
-    def syscall_cc(self, state) -> angr.calling_conventions.SimCCSyscall | None:
+    def syscall_cc(self, state: SimState) -> angr.calling_conventions.SimCCSyscall | None:
         raise NotImplementedError
 
-    def is_syscall_addr(self, addr):
+    def is_syscall_addr(self, addr) -> bool:
         return False
 
-    def syscall_from_addr(self, addr, allow_unsupported=True):
+    def syscall_from_addr(self, addr, allow_unsupported=True) -> SimProcedure | None:
         return None
 
-    def syscall_from_number(self, number, allow_unsupported=True, abi=None):
+    def syscall_from_number(self, number, allow_unsupported=True, abi=None) -> SimProcedure | None:
         return None
 
     def setup_gdt(self, state, gdt):

angr/simos/windows.py

@@ -15,6 +15,7 @@ from angr import sim_options as o
 from angr.tablespecs import StringTableSpec
 from angr.procedures import SIM_LIBRARIES as L
 from angr.procedures.definitions import load_win32api_definitions
+from angr.calling_conventions import SYSCALL_CC
 from .simos import SimOS
 
 _l = logging.getLogger(name=__name__)
@@ -26,6 +27,8 @@ VS_SECURITY_COOKIES = {"AMD64": _VS_Security_Cookie(0x2B992DDFA232, 48), "X86":
 
 
 class SecurityCookieInit(enum.Enum):
+    """Security cooke initialization value initialization method."""
+
     NONE = 0
     RANDOM = 1
     STATIC = 2
@@ -48,6 +51,11 @@ class SimWindows(SimOS):
         self.acmdln_ptr = None
         self.wcmdln_ptr = None
 
+        self.fastfail = L["ntoskrnl.exe"].get("__fastfail", self.arch)
+        self.fastfail.addr = self._find_or_make(self.fastfail.display_name)
+        self.fastfail.cc = SYSCALL_CC[self.arch.name]["Win32"](self.arch)
+        self._syscall_handlers = {self.fastfail.addr: self.fastfail}
+
     def configure_project(self):
         super().configure_project()
 
@@ -66,11 +74,15 @@ class SimWindows(SimOS):
         self.acmdln_ptr = self._find_or_make("_acmdln")
         self.wcmdln_ptr = self._find_or_make("_wcmdln")
 
-        self.is_dump = isinstance(self.project.loader.main_object, cle.backends.Minidump)
+        self.project.hook(self.fastfail.addr, self.fastfail)
 
         if not self.is_dump:
             self.project.loader.tls.new_thread()
 
+    @property
+    def is_dump(self) -> bool:
+        return isinstance(self.project.loader.main_object, cle.backends.Minidump)
+
     def _find_or_make(self, name):
         sym = self.project.loader.find_symbol(name)
         if sym is None:
@@ -420,6 +432,35 @@ class SimWindows(SimOS):
         successors.add_successor(exc_state, self._exception_handler, claripy.true(), "Ijk_Exception")
         successors.processed = True
 
+    def syscall(self, state, allow_unsupported=True):
+        """
+        Given a state, return the procedure corresponding to the current syscall.
+        This procedure will have .syscall_number, .display_name, and .addr set.
+
+        :param state:               The state to get the syscall number from
+        :param allow_unsupported:   Whether to return a "dummy" sycall instead of raising an unsupported exception
+        """
+        if state.block(state.history.jump_source).bytes.hex() == "cd29":  # int 29h
+            return self.fastfail
+        return None
+
+    def is_syscall_addr(self, addr):
+        """
+        Return whether or not the given address corresponds to a syscall implementation.
+        """
+        return addr in self._syscall_handlers
+
+    def syscall_from_addr(self, addr, allow_unsupported=True):
+        """
+        Get a syscall SimProcedure from an address.
+
+        :param addr: The address to convert to a syscall SimProcedure
+        :param allow_unsupported: Whether to return a dummy procedure for an unsupported syscall instead of raising an
+                                  exception.
+        :return: The SimProcedure for the syscall, or None if the address is not a syscall address.
+        """
+        return self._syscall_handlers.get(addr, None)
+
     # these two methods load and store register state from a struct CONTEXT
     # https://www.nirsoft.net/kernel_struct/vista/CONTEXT.html
     @staticmethod

angr/utils/ail.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 from ailment import AILBlockWalkerBase
 from ailment.block import Block
 from ailment.expression import Expression, VirtualVariable, Phi
-from ailment.statement import Assignment, Statement
+from ailment.statement import Assignment, Statement, ConditionalJump
 
 
 def is_phi_assignment(stmt: Statement) -> bool:
@@ -28,3 +28,43 @@ class HasExprWalker(AILBlockWalkerBase):
             self.contains_exprs = True
         if not self.contains_exprs:
             super()._handle_expr(expr_idx, expr, stmt_idx, stmt, block)
+
+
+def is_head_controlled_loop_block(block: Block) -> bool:
+    """
+    Determine if the block is a "head-controlled loop." A head-controlled loop (for the lack of a better term) is a
+    single-block that contains a conditional jump towards the beginning of the block. This conditional jump controls
+    whether the loop body (the remaining statements after the conditional jump) will be executed or not. It is usually
+    the result of lifting rep stosX instructions on x86 and amd64.
+
+    A head-controlled loop block looks like the following (lifted from rep stosq qword ptr [rdi], rax):
+
+    ## Block 4036df
+    00 | 0x4036df | LABEL_4036df:
+    01 | 0x4036df | vvar_27{reg 72} = 𝜙@64b []
+    02 | 0x4036df | vvar_28{reg 24} = 𝜙@64b []
+    03 | 0x4036df | t1 = rcx<8>
+    04 | 0x4036df | t4 = (t1 == 0x0<64>)
+    05 | 0x4036df | if (t4) { Goto 0x4036e2<64> } else { Goto 0x4036df<64> }
+    06 | 0x4036df | t5 = (t1 - 0x1<64>)
+    07 | 0x4036df | rcx<8> = t5
+    08 | 0x4036df | t7 = d<8>
+    09 | 0x4036df | t6 = (t7 << 0x3<8>)
+    10 | 0x4036df | t2 = rax<8>
+    11 | 0x4036df | t3 = rdi<8>
+    12 | 0x4036df | STORE(addr=t3, data=t2, size=8, endness=Iend_LE, guard=None)
+    13 | 0x4036df | t8 = (t3 + t6)
+    14 | 0x4036df | rdi<8> = t8
+
+    Where statement 5 is the conditional jump that controls the execution of the remaining statements of this block.
+
+    :param block:   An AIL block.
+    :return:        True if the block represents a head-controlled loop block, False otherwise.
+    """
+
+    if not block.statements:
+        return False
+    last_stmt = block.statements[-1]
+    if isinstance(last_stmt, ConditionalJump):
+        return False
+    return any(isinstance(stmt, ConditionalJump) for stmt in block.statements[:-1])

angr/utils/cpp.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+
+
+def is_cpp_funcname_ctor(name: str) -> bool:
+    """
+    Check if a demangled C++ function name is a constructor.
+
+    :param name:    The demangled C++ function name.
+    :return:        True if the function name is a constructor, False otherwise.
+    """
+
+    # With pydemumble, constructor names look like:
+    #    A::A()
+    if "::" not in name:
+        return False
+    parts = name.split("::")
+    return bool(len(parts) == 2 and parts[0] and parts[0] + "()" == parts[1])

angr/utils/doms.py

@@ -0,0 +1,149 @@
+# pylint:disable=consider-using-dict-items
+from __future__ import annotations
+from typing import Any
+from collections import defaultdict
+
+import networkx
+
+from angr.utils.graph import shallow_reverse
+
+
+class IncrementalDominators:
+    """
+    This class allows for incrementally updating dominators and post-dominators for graphs. The graph must only be
+    modified by replacing nodes, not adding nodes or edges.
+    """
+
+    def __init__(self, graph: networkx.DiGraph, start, post: bool = False):
+        self.graph = graph
+        self.start = start
+        self._post: bool = post  # calculate post-dominators if True
+        self._pre: bool = not post  # calculate dominators
+
+        self._doms: dict[Any, Any] = {}
+        self._dfs: dict[Any, set[Any]] | None = None  # initialized on-demand
+        self._inverted_dom_tree: dict[Any, Any] | None = None  # initialized on demand
+
+        self._doms = self.init_doms()
+
+    def init_doms(self) -> dict[Any, Any]:
+        if self._post:
+            t = shallow_reverse(self.graph)
+            doms = networkx.immediate_dominators(t, self.start)
+        else:
+            doms = networkx.immediate_dominators(self.graph, self.start)
+        return doms
+
+    def init_dfs(self) -> dict[Any, set[Any]]:
+        _pred = self.graph.predecessors if self._pre else self.graph.successors
+        df: dict = {}
+        for u in self._doms:
+            _preds = list(_pred(u))  # type:ignore
+            if len(_preds) >= 2:
+                for v in _preds:
+                    if v in self._doms:
+                        while v is not self._doms[u]:
+                            if v not in df:
+                                df[v] = set()
+                            df[v].add(u)
+                            v = self._doms[v]
+        return df
+
+    def _update_inverted_domtree(self):
+        # recalculate the dominators for dominatees of replaced nodes
+        if self._inverted_dom_tree is None:
+            self._inverted_dom_tree = defaultdict(list)
+            for dtee, dtor in self._doms.items():
+                self._inverted_dom_tree[dtor].append(dtee)
+
+    def graph_updated(self, new_node: Any, replaced_nodes: set[Any], replaced_head: Any):
+        self._update_inverted_domtree()
+        assert self._inverted_dom_tree is not None
+
+        # recalculate the dominators for impacted nodes
+        new_dom = self._doms[replaced_head]
+        while new_dom in replaced_nodes and new_dom is not self.start:
+            new_dom = self._doms[new_dom]
+
+        if self.start in replaced_nodes:
+            self.start = new_node
+        if new_dom in replaced_nodes:
+            new_dom = new_node
+
+        new_node_doms = []
+        for rn in replaced_nodes:
+            if rn not in self._inverted_dom_tree:
+                continue
+            for dtee in self._inverted_dom_tree[rn]:
+                self._doms[dtee] = new_node
+                new_node_doms.append(dtee)
+        self._doms[new_node] = new_dom
+
+        if self._dfs is not None:
+            # update dominance frontiers
+            if replaced_head in self._dfs:
+                self._dfs[new_node] = self._dfs[replaced_head]
+            for rn in replaced_nodes:
+                if rn in self._dfs:
+                    del self._dfs[rn]
+                for df in self._dfs.values():
+                    if rn in df:
+                        df.remove(rn)
+                        df.add(new_node)
+
+        # keep inverted dom tree up-to-date
+        self._inverted_dom_tree[new_dom].append(new_node)
+        self._inverted_dom_tree[new_node] = new_node_doms
+        for rn in replaced_nodes:
+            if rn in self._doms:
+                d = self._doms[rn]
+                del self._doms[rn]
+                self._inverted_dom_tree[d].remove(rn)
+            if rn in self._inverted_dom_tree:
+                del self._inverted_dom_tree[rn]
+
+    def idom(self, node: Any) -> Any | None:
+        """
+        Get the immediate dominator of a given node.
+        """
+
+        return self._doms.get(node, None)
+
+    def df(self, node: Any) -> set[Any]:
+        """
+        Generate the dominance frontier of a node.
+        """
+        if self._dfs is None:
+            self._dfs = self.init_dfs()
+        return self._dfs.get(node, set())
+
+    def dominates(self, dominator_node: Any, node: Any) -> bool:
+        """
+        Tests if dominator_node dominates (or post-dominates) node.
+        """
+
+        n = node
+        while n:
+            if n is dominator_node:
+                return True
+            d = self.idom(n)
+            n = d if d is not None and n is not d else None
+        return False
+
+    def _debug_check(self):
+        true_doms = self.init_doms()
+        if len(true_doms) != len(self._doms):
+            raise ValueError("dominators do not match")
+        for k in true_doms:
+            if true_doms[k] != self._doms[k]:
+                print(f"{k!r}: {true_doms[k]!r} {self._doms[k]!r}")
+                raise ValueError("dominators do not match")
+
+        if self._dfs is not None:
+            dfs = self.init_dfs()
+            if len(dfs) != len(self._dfs):
+                raise ValueError("dfs do not match")
+            for k in dfs:
+                if dfs[k] != self._dfs[k]:
+                    print(f"{k!r}: {dfs[k]!r} {self._dfs[k]!r}")
+                    raise ValueError("dfs do not match")

angr/utils/library.py

@@ -168,7 +168,7 @@ def parsedcprotos2py(
                 proto_.returnty = SimTypeFd(label=proto_.returnty.label)
             for i, arg in enumerate(proto_.args):
                 if (func_name, i) in fd_spots:
-                    proto_.args[i] = SimTypeFd(label=arg.label)
+                    proto_.args = proto_.args[:i] + (SimTypeFd(label=arg.label),) + proto_.args[i + 1 :]
 
         line1 = " " * 8 + "#" + ((" " + decl) if decl else "") + "\n"
         line2 = " " * 8 + repr(func_name) + ": " + (proto_._init_str() if proto_ is not None else "None") + "," + "\n"