angr 9.2.141__py3-none-manylinux2014_aarch64.whl → 9.2.143__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/structuring/phoenix.py

@@ -14,7 +14,7 @@ from ailment.statement import Statement, ConditionalJump, Jump, Label, Return
 from ailment.expression import Const, UnaryOp, MultiStatementExpression
 
 from angr.utils.graph import GraphUtils
-from angr.utils.ail import is_phi_assignment
+from angr.utils.ail import is_phi_assignment, is_head_controlled_loop_block
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
 from angr.utils.graph import dominates, to_acyclic_graph, dfs_back_edges
@@ -312,11 +312,11 @@ class PhoenixStructurer(StructurerBase):
                     and head_block.nodes
                     and isinstance(head_block.nodes[0], Block)
                     and head_block.nodes[0].statements
-                    and isinstance(first_nonlabel_nonphi_statement(head_block.nodes[0]), ConditionalJump)
+                    and is_head_controlled_loop_block(head_block.nodes[0])
                 ) or (
                     isinstance(head_block, Block)
                     and head_block.statements
-                    and isinstance(first_nonlabel_nonphi_statement(head_block), ConditionalJump)
+                    and is_head_controlled_loop_block(head_block)
                 ):
                     # it's a while loop if the conditional jump (or the head block) is at the beginning of node
                     loop_type = "while" if head_block_idx == 0 else "do-while"

angr/analyses/decompiler/utils.py

@@ -214,6 +214,19 @@ def switch_extract_switch_expr_from_jump_target(target: ailment.Expr.Expression)
                     target = target.operands[0]
                 else:
                     return None
+            elif target.op == "And":
+                # it must be and-ing the target expr with a constant
+                if (
+                    isinstance(target.operands[1], ailment.Expr.VirtualVariable)
+                    and isinstance(target.operands[0], ailment.Expr.Const)
+                ) or (
+                    isinstance(target.operands[0], ailment.Expr.VirtualVariable)
+                    and isinstance(target.operands[1], ailment.Expr.Const)
+                ):
+                    break
+                return None
+            else:
+                return None
         elif isinstance(target, ailment.Expr.Load):
             # we want the address!
             found_load = True

angr/analyses/find_objects_static.py

@@ -9,6 +9,7 @@ from angr.analyses.reaching_definitions.function_handler import FunctionHandler
 from angr.knowledge_plugins.key_definitions.atoms import Register, MemoryLocation
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
+from angr.utils.cpp import is_cpp_funcname_ctor
 from . import Analysis, VtableFinder, CFGFast, ReachingDefinitionsAnalysis
 
 if TYPE_CHECKING:
@@ -109,7 +110,7 @@ class NewFunctionHandler(FunctionHandler):
         else:
             if self.project.kb.functions.contains_addr(function_address):
                 func = self.project.kb.functions.get_by_addr(function_address)
-                if func is not None and "ctor" in func.demangled_name:
+                if func is not None and is_cpp_funcname_ctor(func.demangled_name):
                     # check if rdi has a possible this pointer/ object address, if so then we can assign this object
                     # this class
                     # also if the func is a constructor(not stripped binaries)

angr/analyses/reaching_definitions/engine_vex.py

@@ -77,12 +77,15 @@ class SimEngineRDVEX(
     def _process_block_end(self, stmt_result, whitelist):
         self.stmt_idx = DEFAULT_STATEMENT
         self._set_codeloc()
+
+        function_handled = False
         if self.block.vex.jumpkind == "Ijk_Call":
             # it has to be a function
             block_next = self.block.vex.next
             assert isinstance(block_next, pyvex.expr.IRExpr)
             addr = self._expr_bv(block_next)
             self._handle_function(addr)
+            function_handled = True
         elif self.block.vex.jumpkind == "Ijk_Boring":
             # test if the target addr is a function or not
             block_next = self.block.vex.next
@@ -94,6 +97,16 @@ class SimEngineRDVEX(
                 if addr_int in self.functions:
                     # yes it's a jump to a function
                     self._handle_function(addr)
+                    function_handled = True
+
+        # take care of OP_AFTER during statement processing for function calls in a block
+        if self.state.analysis and function_handled:
+            self.state.analysis.stmt_observe(
+                self.stmt_idx, self.block.vex.statements[-1], self.block, self.state, OP_AFTER
+            )
+            self.state.analysis.insn_observe(
+                self.ins_addr, self.block.vex.statements[-1], self.block, self.state, OP_AFTER
+            )
 
         return self.state
 

angr/analyses/reaching_definitions/function_handler.py

@@ -121,9 +121,9 @@ class FunctionCallData:
             return False
         if isinstance(dest, MemoryLocation) and isinstance(dest.addr, SpOffset):
             for effect in self.effects:
-                if not isinstance(effect.dest, MemoryLocation) or not isinstance(effect.dest.addr, SpOffset):
-                    continue
                 stkarg = effect.dest
+                if not isinstance(stkarg, MemoryLocation) or not isinstance(stkarg.addr, SpOffset):
+                    continue
                 if (
                     dest.addr.offset + dest.size <= stkarg.addr.offset
                     or stkarg.addr.offset + stkarg.size <= dest.addr.offset
@@ -282,12 +282,20 @@ class FunctionHandler:
     A mechanism for summarizing a function call's effect on a program for ReachingDefinitionsAnalysis.
     """
 
-    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable[FunctionHandler] | None = None):
+    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable[type[FunctionHandler]] | None = None):
+        """
+        :param interfunction_level: Maximum depth in to continue local function exploration
+        :param extra_impls: FunctionHandler classes to implement beyond what's implemented in function_handler_library
+        """
+
         self.interfunction_level: int = interfunction_level
 
-        if extra_impls is not None:
-            for extra_handler in extra_impls:
-                for name, func in vars(extra_handler).items():
+        if extra_impls is None:
+            return
+
+        for extra_handler in extra_impls:
+            for cls in extra_handler.__mro__:
+                for name, func in vars(cls).items():
                     if name.startswith("handle_impl_"):
                         setattr(self, name, _mk_wrapper(func, self))
 
@@ -398,9 +406,13 @@ class FunctionHandler:
                     for typelib_name in prototype_lib.type_collection_names:
                         type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
-                data.prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
+                prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
+                data.prototype = cast(SimTypeFunction, prototype)
 
-        args_atoms_from_values = data.reset_prototype(data.prototype, state, soft_reset=True)
+        if isinstance(data.prototype, SimTypeFunction):
+            args_atoms_from_values = data.reset_prototype(data.prototype, state, soft_reset=True)
+        else:
+            args_atoms_from_values = set()
 
         # PROCESS
         state.move_codelocs(data.function_codeloc)
@@ -506,7 +518,9 @@ class FunctionHandler:
         assert data.prototype is not None
         if data.prototype.returnty is not None:
             if not isinstance(data.prototype.returnty, SimTypeBottom):
-                data.ret_values = MultiValues(state.top(data.prototype.returnty.with_arch(state.arch).size))
+                data.ret_values = MultiValues(
+                    state.top(data.prototype.returnty.with_arch(state.arch).size or state.arch.bits)
+                )
             else:
                 data.ret_values = MultiValues(state.top(state.arch.bits))
         if data.guessed_prototype:
@@ -567,7 +581,7 @@ class FunctionHandler:
         sub_rda = state.analysis.project.analyses.ReachingDefinitions(
             data.function,
             observe_all=state.analysis._observe_all,
-            observation_points=(state.analysis._observation_points or []) + return_observation_points,
+            observation_points=list(state.analysis._observation_points or []).extend(return_observation_points),
             observe_callback=state.analysis._observe_callback,
             dep_graph=state.dep_graph,
             function_handler=self,

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -202,6 +202,7 @@ def handle_printf(
                 for defn in state.get_definitions(atom):
                     top_val = state.annotate_with_def(top_val, defn)
                 buf_data = MultiValues(top_val)
+                buf_atoms = atom
         elif fmt == "%u":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -7,7 +7,7 @@ import claripy
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.knowledge_plugins.key_definitions.atoms import Atom
 from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
-
+from angr.knowledge_plugins.key_definitions.definition import Definition
 
 if TYPE_CHECKING:
     from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
@@ -75,7 +75,7 @@ class LibcStdlibHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_calloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         nmemb = state.get_concrete_value(data.args_atoms[0]) or 48
-        size = state.get_concrete_value(data.args_atoms[0]) or 1
+        size = state.get_concrete_value(data.args_atoms[1]) or 1
         heap_ptr = state.heap_address(state.heap_allocator.allocate(nmemb * size))
         data.depends(state.deref(heap_ptr, nmemb * size), value=0)
         data.depends(data.ret_atoms, value=heap_ptr)
@@ -84,18 +84,51 @@ class LibcStdlibHandlers(FunctionHandler):
     def handle_impl_getenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         name_value = state.get_concrete_value(name_atom, cast_to=bytes)
-        if name_value is not None:
-            name_value = name_value.strip(b"\0").decode()
+        length = 2
+        heap_value = None
+
         data.depends(None, name_atom)
 
         # store a buffer, registering it as an output of this function
         # we store this two-byte mixed value because we don't want the value to be picked up by get_concrete_value()
         # but also it should be able to be picked up by NULL_TERMINATE reads
-        heap_ptr = state.heap_allocator.allocate(2)
-        heap_atom = state.deref(heap_ptr, 2)
-        heap_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
-        data.depends(heap_atom, EnvironAtom(2, name_value), value=heap_value)
-        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+        heap_atom = None
+        env_atom = None
+        heap_ptr = None
+        sources = []
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+            for env_atom, env_value in state.others.items():
+                if not isinstance(env_atom, EnvironAtom) or env_atom.name != name_value:
+                    continue
+
+                # There exists an environment variable with this name
+                heap_value = env_value
+                length = env_atom.size
+                heap_ptr = state.heap_allocator.allocate(length)
+                heap_atom = state.deref(heap_ptr, length)
+                break
+
+            else:
+                heap_value = None
+
+        if name_value is None or heap_value is None or heap_atom is None or env_atom is None:
+            heap_ptr = state.heap_allocator.allocate(length)
+            heap_atom = state.deref(heap_ptr, length)
+            heap_value = claripy.BVS("weh", 8)
+            env_atom = EnvironAtom(length, name_value)
+            if heap_atom is not None:
+                heap_value = state.annotate_with_def(heap_value, Definition(heap_atom, state.codeloc))
+            heap_value = heap_value.concat(claripy.BVV(0, 8))
+            data.depends(env_atom, value=heap_value)  # Puts the env_atom in the others dict
+
+        data.depends(heap_atom, env_atom, value=heap_value)
+        sources = [heap_atom, env_atom]
+        if name_atom is not None:
+            sources.append(name_atom)
+
+        value = state.heap_address(heap_ptr) if heap_ptr is not None else state.top(state.arch.bits)
+        data.depends(data.ret_atoms, *sources, value=value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_setenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
@@ -107,9 +140,9 @@ class LibcStdlibHandlers(FunctionHandler):
 
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
         src_value = state.get_values(src_atom)
-        data.depends(
-            EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value), src_atom, value=src_value
-        )
+
+        env_atom = EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value)
+        data.depends(env_atom, src_atom, value=src_value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_system(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -1,8 +1,10 @@
 from __future__ import annotations
 import archinfo
+import claripy
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
 from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+from angr.knowledge_plugins.key_definitions.live_definitions import MultiValues
 
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
@@ -12,16 +14,26 @@ class LibcStringHandlers(FunctionHandler):
     def handle_impl_strcat(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src0_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         src1_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src0_value = state.get_values(src0_atom)
-        src1_value = state.get_values(src1_atom)
+        src0_value = state.get_values(src0_atom) if src0_atom is not None else None
+        src1_value = state.get_values(src1_atom) if src1_atom is not None else None
+
         if src0_value is not None and src1_value is not None:
             src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
             dest_value = src0_value.concat(src1_value)
             dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
+        elif src0_value is not None:
+            src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
+            top_val = state.top(state.arch.bits)
+            if src1_atom is not None:
+                for defn in state.get_definitions(src1_atom):
+                    top_val = state.annotate_with_def(top_val, defn)
+            dest_value = src0_value.concat(MultiValues(top_val))
+            dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
         else:
             dest_value = None
             dest_atom = src0_atom
-        data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
+        if src0_atom is not None and src1_atom is not None:
+            data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
         data.depends(data.ret_atoms, data.args_atoms[0], value=src0_value)
 
     handle_impl_strncat = handle_impl_strcat
@@ -29,39 +41,76 @@ class LibcStringHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strlen(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
-            data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+        if src_atom is not None:
+            src_str = state.get_values(src_atom) if src_atom is not None else None
+            if src_str is not None:
+                data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+            else:
+                data.depends(data.ret_atoms, src_atom)
         else:
-            data.depends(data.ret_atoms, src_atom)
+            data.depends(data.ret_atoms, data.args_atoms[0])
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
-            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+        src_str = state.get_values(src_atom) if src_atom is not None else None
+        if src_str is None:
+            src_str = state.top(state.arch.bits)
+            if src_atom is not None:
+                for defn in state.get_definitions(src_atom):
+                    src_str = state.annotate_with_def(src_str, defn)
+            src_str = MultiValues(src_str)
+
+        dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+        if src_atom is not None:
             data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strncpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         n = state.get_concrete_value(data.args_atoms[2])
-        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE if n is None else n)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom) if src_atom is not None else None
+        if src_str is None and src_atom is not None:
+            tmp_atom = state.deref(data.args_atoms[1], 1)
+            if tmp_atom is not None:
+                tmp_str = state.get_values(tmp_atom)
+                val_defns = None if tmp_str is None else state.get_definitions(tmp_str)
+                if tmp_str is None or not val_defns:  # There's no data at all or no valid definitions
+                    src_str = state.top(state.arch.bits if n is None or n > state.arch.bytes else n * 8)
+                    defns = state.get_definitions(src_atom) if src_atom is not None else []
+                    for defn in defns:
+                        src_str = state.annotate_with_def(src_str, defn)
+                    src_str = MultiValues(src_str)
+                else:  # We found some data, but it's not NULL_TERIMINATED or of size n
+                    src_atoms = set()
+                    for defn in val_defns:
+                        a = defn.atom
+                        a.size = a.size if n is None or a.size < n else n
+                        src_atoms.add(a)
+                    src_str = state.get_values(src_atoms)
+
+        elif n is not None and src_str is not None and n < len(src_str) // 8:
+            # We have a src_str, but need to truncate it if n is not None and less than the size of src_str
+            src_atom = state.deref(data.args_atoms[1], n)
+            if src_atom is not None:
+                src_str = state.get_values(src_atom)
+
+        if src_str is not None and src_atom is not None:
             dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
             data.depends(dst_atom, src_atom, value=src_str)
+
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strdup(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
-        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        malloc_size = len(src_str) // 8 if src_str is not None else 1
-        heap_ptr = state.heap_allocator.allocate(malloc_size)
-        dst_atom = state.deref(heap_ptr, malloc_size)
-        data.depends(dst_atom, src_atom, value=src_str)
+        src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        if src_atom is not None:
+            src_str = state.get_values(src_atom)
+            malloc_size = len(src_str) // 8 if src_str is not None else 1
+            heap_ptr = state.heap_allocator.allocate(malloc_size)
+            dst_atom = state.deref(heap_ptr, malloc_size)
+            data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
@@ -70,15 +119,22 @@ class LibcStringHandlers(FunctionHandler):
         if size is not None:
             src_atom = state.deref(data.args_atoms[1], size)
             dst_atom = state.deref(data.args_atoms[0], size)
-            data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
+            if src_atom is not None:
+                data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_memset(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2])
+        c = state.get_concrete_value(data.args_atoms[1])
         if size is not None:
             dst_atom = state.deref(data.args_atoms[0], size)
-            data.depends(dst_atom, data.args_atoms[1])
+            if c is not None:
+                value = MultiValues(claripy.BVV(chr(c) * size, size * 8))
+                data.depends(dst_atom, data.args_atoms[1], value=value)
+            else:
+                data.depends(dst_atom, data.args_atoms[1], value=state.get_values(data.args_atoms[1]))
+
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -1,17 +1,37 @@
 from __future__ import annotations
+import random
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.analyses.reaching_definitions.function_handler_library.stdio import StdinAtom, StdoutAtom
 from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+from angr.knowledge_plugins.key_definitions.atoms import Atom
 
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
 
+class FDAtom(Atom):
+    def __init__(self, fd: int | None, source: str, size: int = 1):
+        self.source = source
+        self.fd = fd
+        self.nonce = random.randint(0, 999999999999)
+        super().__init__(size)
+
+    def _identity(self):
+        if self.fd is not None:
+            return (self.fd,)
+        return (self.nonce,)
+
+
 class LibcUnistdHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_read(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2]) or 1
         dst_atom = state.deref(data.args_atoms[1], size)
-        data.depends(dst_atom, StdinAtom(data.function.name, size))
+        real_fd = state.get_concrete_value(data.args_atoms[0])
+
+        fd_atom = StdinAtom(data.function.name, size) if real_fd == 0 else FDAtom(real_fd, data.function.name, size)
+        buf_data = state.top(size * 8) if size is not None else state.top(state.arch.bits)
+
+        data.depends(dst_atom, fd_atom, value=buf_data)
 
     handle_impl_recv = handle_impl_recvfrom = handle_impl_read
 

angr/analyses/reaching_definitions/rd_state.py

@@ -215,14 +215,14 @@ class ReachingDefinitionsState:
     def tmp_uses(self):
         return self.live_definitions.tmp_uses
 
-    @property
-    def register_uses(self):
-        return self.live_definitions.register_uses
-
     @property
     def registers(self) -> MultiValuedMemory:
         return self.live_definitions.registers
 
+    @property
+    def register_uses(self):
+        return self.live_definitions.register_uses
+
     @property
     def stack(self) -> MultiValuedMemory:
         return self.live_definitions.stack
@@ -239,13 +239,17 @@ class ReachingDefinitionsState:
     def heap_uses(self):
         return self.live_definitions.heap_uses
 
+    @property
+    def memory(self) -> MultiValuedMemory:
+        return self.live_definitions.memory
+
     @property
     def memory_uses(self):
         return self.live_definitions.memory_uses
 
     @property
-    def memory(self) -> MultiValuedMemory:
-        return self.live_definitions.memory
+    def others(self) -> dict[Atom, MultiValues]:
+        return self.live_definitions.others
 
     @property
     def uses_by_codeloc(self):
@@ -493,7 +497,7 @@ class ReachingDefinitionsState:
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
     def get_definitions(
-        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]]
+        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]] | MultiValues
     ) -> set[Definition[Atom]]:
         return self.live_definitions.get_definitions(atom)
 

angr/analyses/s_liveness.py

@@ -2,9 +2,10 @@ from __future__ import annotations
 
 import networkx
 from ailment.expression import VirtualVariable
-from ailment.statement import Assignment, Call
+from ailment.statement import Assignment, Call, ConditionalJump
 
 from angr.analyses import Analysis, register_analysis
+from angr.utils.ail import is_head_controlled_loop_block, is_phi_assignment
 from angr.utils.ssa import VVarUsesCollector, phi_assignment_get_src
 
 
@@ -69,8 +70,14 @@ class SLivenessAnalysis(Analysis):
             block_key = block.addr, block.idx
             changed = False
 
+            head_controlled_loop = is_head_controlled_loop_block(block)
+
             live = set()
             for succ in graph.successors(block):
+                if head_controlled_loop and (block.addr, block.idx) == (succ.addr, succ.idx):
+                    # this is a head-controlled loop block; we ignore the self-loop edge because all variables defined
+                    # in the block after the conditional jump will be dead after leaving the current block
+                    continue
                 edge = (block.addr, block.idx), (succ.addr, succ.idx)
                 if edge in live_on_edges:
                     live |= live_on_edges[edge]
@@ -81,8 +88,18 @@ class SLivenessAnalysis(Analysis):
                 changed = True
                 live_outs[block_key] = live.copy()
 
+            if head_controlled_loop:
+                # this is a head-controlled loop block; we start scanning from the first condition jump backwards
+                condjump_idx = next(
+                    iter(i for i, stmt in enumerate(block.statements) if isinstance(stmt, ConditionalJump)), None
+                )
+                assert condjump_idx is not None
+                stmts = block.statements[: condjump_idx + 1]
+            else:
+                stmts = block.statements
+
             live_in_by_pred = {}
-            for stmt in reversed(block.statements):
+            for stmt in reversed(stmts):
                 # handle assignments: a defined vvar is not live before the assignment
                 if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
                     live.discard(stmt.dst.varid)
@@ -92,6 +109,10 @@ class SLivenessAnalysis(Analysis):
                 phi_expr = phi_assignment_get_src(stmt)
                 if phi_expr is not None:
                     for src, vvar in phi_expr.src_and_vvars:
+                        if head_controlled_loop and src == (block.addr, block.idx):
+                            # this is a head-controlled loop block; we ignore the self-loop edge
+                            continue
+
                         if src not in live_in_by_pred:
                             live_in_by_pred[src] = live.copy()
                         if vvar is not None:
@@ -99,9 +120,15 @@ class SLivenessAnalysis(Analysis):
                         live_in_by_pred[src].discard(stmt.dst.varid)
 
                 # handle the statement: add used vvars to the live set
-                vvar_use_collector = VVarUsesCollector()
-                vvar_use_collector.walk_statement(stmt)
-                live |= vvar_use_collector.vvars
+                if head_controlled_loop and is_phi_assignment(stmt):
+                    for src, vvar in stmt.src.src_and_vvars:
+                        # this is a head-controlled loop block; we ignore the self-loop edge
+                        if src != (block.addr, block.idx) and vvar is not None:
+                            live |= {vvar.varid}
+                else:
+                    vvar_use_collector = VVarUsesCollector()
+                    vvar_use_collector.walk_statement(stmt)
+                    live |= vvar_use_collector.vvars
 
             if live_ins[block_key] != live:
                 live_ins[block_key] = live
@@ -135,7 +162,18 @@ class SLivenessAnalysis(Analysis):
 
         for block in self.func_graph.nodes():
             live = self.model.live_outs[(block.addr, block.idx)].copy()
-            for stmt in reversed(block.statements):
+
+            if is_head_controlled_loop_block(block):
+                # this is a head-controlled loop block; we start scanning from the first condition jump backwards
+                condjump_idx = next(
+                    iter(i for i, stmt in enumerate(block.statements) if isinstance(stmt, ConditionalJump)), None
+                )
+                assert condjump_idx is not None
+                stmts = block.statements[: condjump_idx + 1]
+            else:
+                stmts = block.statements
+
+            for stmt in reversed(stmts):
                 if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
                     def_vvar = stmt.dst.varid
                 elif isinstance(stmt, Call) and isinstance(stmt.ret_expr, VirtualVariable):