angr 9.2.141__py3-none-win_amd64.whl → 9.2.142__py3-none-win_amd64.whl

angr/analyses/decompiler/region_identifier.py

@@ -11,7 +11,8 @@ from ailment.statement import ConditionalJump, Jump
 from ailment.expression import Const
 
 from angr.utils.graph import GraphUtils
-from angr.utils.graph import dfs_back_edges, subgraph_between_nodes, dominates, shallow_reverse
+from angr.utils.graph import dfs_back_edges, subgraph_between_nodes, dominates
+from angr.utils.doms import IncrementalDominators
 from angr.errors import AngrRuntimeError
 from angr.analyses import Analysis, register_analysis
 from .structuring.structurer_nodes import MultiNode, ConditionNode, IncompleteSwitchCaseHeadStatement
@@ -115,11 +116,11 @@ class RegionIdentifier(Analysis):
         @return: List of addr lists
         """
 
-        work_list = [self.region]
+        work_list: list[GraphRegion] = [self.region]  #  type: ignore
         block_only_regions = []
         seen_regions = set()
         while work_list:
-            children_regions = []
+            children_regions: list[GraphRegion] = []
             for region in work_list:
                 children_blocks = []
                 for node in region.graph.nodes:
@@ -234,7 +235,7 @@ class RegionIdentifier(Analysis):
                 break
 
     def _find_loop_headers(self, graph: networkx.DiGraph) -> list:
-        heads = {t for _, t in dfs_back_edges(graph, self._start_node)}
+        heads = list({t for _, t in dfs_back_edges(graph, self._start_node)})
         return GraphUtils.quasi_topological_sort_nodes(graph, heads)
 
     def _find_initial_loop_nodes(self, graph: networkx.DiGraph, head):
@@ -392,7 +393,7 @@ class RegionIdentifier(Analysis):
 
         while True:
             for node in networkx.dfs_postorder_nodes(graph):
-                preds = graph.predecessors(node)
+                preds = list(graph.predecessors(node))
                 if len(preds) == 1:
                     # merge the two nodes
                     self._absorb_node(graph, preds[0], node)
@@ -473,7 +474,7 @@ class RegionIdentifier(Analysis):
             head = next(iter(n for n in subgraph.nodes() if n.addr == head.addr))
             region.head = head
 
-        if len(graph.nodes()) == 1 and isinstance(next(iter(graph.nodes())), GraphRegion):
+        if len(graph) == 1 and isinstance(next(iter(graph.nodes())), GraphRegion):
             return next(iter(graph.nodes()))
         # create a large graph region
         new_head = self._get_start_node(graph)
@@ -491,6 +492,7 @@ class RegionIdentifier(Analysis):
         l.debug("Initial loop nodes %s", self._dbg_block_list(initial_loop_nodes))
 
         # Make sure no other loops are contained in the current loop
+        assert self._loop_headers is not None
         if {n for n in initial_loop_nodes if n.addr != head.addr}.intersection(self._loop_headers):
             return None
 
@@ -535,7 +537,7 @@ class RegionIdentifier(Analysis):
         region = self._abstract_cyclic_region(
             graph, refined_loop_nodes, head, normal_entries, abnormal_entries, normal_exit_node, abnormal_exit_nodes
         )
-        if len(region.successors) > 1 and self._force_loop_single_exit:
+        if region.successors is not None and len(region.successors) > 1 and self._force_loop_single_exit:
             # multi-successor region. refinement is required
             self._refine_loop_successors_to_guarded_successors(region, graph)
 
@@ -705,23 +707,20 @@ class RegionIdentifier(Analysis):
         else:
             dummy_endnode = None
 
-        # compute dominator tree
-        doms = networkx.immediate_dominators(graph_copy, head)
-
-        # compute post-dominator tree
-        inverted_graph = shallow_reverse(graph_copy)
-        postdoms = networkx.immediate_dominators(inverted_graph, endnodes[0])
-
-        # dominance frontiers
-        df = networkx.algorithms.dominance_frontiers(graph_copy, head)
+        # dominators and post-dominators, computed incrementally
+        doms = IncrementalDominators(graph_copy, head)
+        postdoms = IncrementalDominators(graph_copy, endnodes[0], post=True)
 
         # visit the nodes in post-order
-        for node in networkx.dfs_postorder_nodes(graph_copy, source=head):
+        region_created = False
+        for node in list(networkx.dfs_postorder_nodes(graph_copy, source=head)):
             if node is dummy_endnode:
                 # skip the dummy endnode
                 continue
             if cyclic and node is head:
                 continue
+            if node not in graph_copy:
+                continue
 
             out_degree = graph_copy.out_degree[node]
             if out_degree == 0:
@@ -740,10 +739,10 @@ class RegionIdentifier(Analysis):
 
             # test if this node is an entry to a single-entry, single-successor region
             levels = 0
-            postdom_node = postdoms.get(node, None)
+            postdom_node = postdoms.idom(node)
             while postdom_node is not None:
                 if (node, postdom_node) not in failed_region_attempts and self._check_region(
-                    graph_copy, node, postdom_node, doms, df
+                    graph_copy, node, postdom_node, doms
                 ):
                     frontier = [postdom_node]
                     region = self._compute_region(
@@ -752,6 +751,8 @@ class RegionIdentifier(Analysis):
                     if region is not None:
                         # update region.graph_with_successors
                         if secondary_graph is not None:
+                            assert region.graph_with_successors is not None
+                            assert region.successors is not None
                             if self._complete_successors:
                                 for nn in list(region.graph_with_successors.nodes):
                                     original_successors = secondary_graph.successors(nn)
@@ -782,52 +783,75 @@ class RegionIdentifier(Analysis):
                             graph, region, frontier, dummy_endnode=dummy_endnode, secondary_graph=secondary_graph
                         )
                         # assert dummy_endnode not in graph
-                        return True
+                        region_created = True
+                        # we created a new region to replace one or more nodes in the graph.
+                        replaced_nodes = set(region.graph)
+                        # update graph_copy; doms and postdoms are updated as well because they hold references to
+                        # graph_copy internally.
+                        if graph_copy is not graph:
+                            self._update_graph(graph_copy, region, replaced_nodes)
+                        doms.graph_updated(region, replaced_nodes, region.head)
+                        postdoms.graph_updated(region, replaced_nodes, region.head)
+                        # break out of the inner loop
+                        break
 
                 failed_region_attempts.add((node, postdom_node))
-                if not dominates(doms, node, postdom_node):
+                if not doms.dominates(node, postdom_node):
                     break
-                if postdom_node is postdoms.get(postdom_node, None):
+                if postdom_node is postdoms.idom(postdom_node):
                     break
-                postdom_node = postdoms.get(postdom_node, None)
+                postdom_node = postdoms.idom(postdom_node)
                 levels += 1
             # l.debug("Walked back %d levels in postdom tree and did not find anything for %r. Next.", levels, node)
 
-        return False
+        return region_created
 
     @staticmethod
-    def _check_region(graph, start_node, end_node, doms, df):
-        """
+    def _update_graph(graph: networkx.DiGraph, new_region, replaced_nodes: set) -> None:
+        region_in_edges = RegionIdentifier._region_in_edges(graph, new_region, data=True)
+        region_out_edges = RegionIdentifier._region_out_edges(graph, new_region, data=True)
+        for node in replaced_nodes:
+            graph.remove_node(node)
+        graph.add_node(new_region)
+        for src, _, data in region_in_edges:
+            graph.add_edge(src, new_region, **data)
+        for _, dst, data in region_out_edges:
+            graph.add_edge(new_region, dst, **data)
 
-        :param graph:
-        :param start_node:
-        :param end_node:
-        :param doms:
-        :param df:
-        :return:
+    @staticmethod
+    def _check_region(graph, start_node, end_node, doms) -> bool:
+        """
+        Determine the graph slice between start_node and end_node forms a good region.
         """
 
         # if the exit node is the header of a loop that contains the start node, the dominance frontier should only
         # contain the exit node.
-        if not dominates(doms, start_node, end_node):
-            frontier = df.get(start_node, set())
-            for node in frontier:
+        start_node_frontier = None
+        end_node_frontier = None
+
+        if not doms.dominates(start_node, end_node):
+            start_node_frontier = doms.df(start_node)
+            for node in start_node_frontier:
                 if node is not start_node and node is not end_node:
                     return False
 
         # no edges should enter the region.
-        for node in df.get(end_node, set()):
-            if dominates(doms, start_node, node) and node is not end_node:
+        end_node_frontier = doms.df(end_node)
+        for node in end_node_frontier:
+            if doms.dominates(start_node, node) and node is not end_node:
                 return False
 
+        if start_node_frontier is None:
+            start_node_frontier = doms.df(start_node)
+
         # no edges should leave the region.
-        for node in df.get(start_node, set()):
+        for node in start_node_frontier:
             if node is start_node or node is end_node:
                 continue
-            if node not in df.get(end_node, set()):
+            if node not in end_node_frontier:
                 return False
             for pred in graph.predecessors(node):
-                if dominates(doms, start_node, pred) and not dominates(doms, end_node, pred):
+                if doms.dominates(start_node, pred) and not doms.dominates(end_node, pred):
                     return False
 
         return True
@@ -978,14 +1002,13 @@ class RegionIdentifier(Analysis):
             subgraph_with_exits.add_edge(src, dst)
         region.graph = subgraph
         region.graph_with_successors = subgraph_with_exits
-        if normal_exit_node is not None:
-            region.successors = [normal_exit_node]
-        else:
-            region.successors = []
-        region.successors += list(abnormal_exit_nodes)
+        succs = [normal_exit_node] if normal_exit_node is not None else []
+        succs += list(abnormal_exit_nodes)
+        succs = sorted(set(succs), key=lambda x: x.addr)
+        region.successors = set(succs)
 
-        for succ_0 in region.successors:
-            for succ_1 in region.successors:
+        for succ_0 in succs:
+            for succ_1 in succs:
                 if succ_0 is not succ_1 and graph.has_edge(succ_0, succ_1):
                     region.graph_with_successors.add_edge(succ_0, succ_1)
 

angr/analyses/decompiler/ssailification/rewriting.py

@@ -14,10 +14,10 @@ from ailment.statement import Assignment, Label
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
 from angr.analyses.forward_analysis import FunctionGraphVisitor
+from angr.utils.ail import is_head_controlled_loop_block
 from .rewriting_engine import SimEngineSSARewriting, DefExprType, AT
 from .rewriting_state import RewritingState
 
-
 l = logging.getLogger(__name__)
 
 
@@ -71,6 +71,14 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
         self._visited_blocks: set[Any] = set()
         self.out_blocks = {}
         self.out_states = {}
+        # loop_states stores states at the beginning of a loop block *after a loop iteration*, where the block is the
+        # following:
+        #    0x4036df | t4 = (rcx<8> == 0x0<64>)
+        #    0x4036df | if (t4) { Goto 0x4036e2<64> } else { Goto 0x4036df<64> }
+        #    0x4036df | STORE(addr=t3, data=t2, size=8, endness=Iend_LE, guard=None)
+        #    0x4036df | rdi<8> = t8
+        #
+        self.head_controlled_loop_outstates = {}
 
         self._analyze()
 
@@ -177,8 +185,12 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
         else:
             node.statements = node.statements[:idx] + phi_stmts + node.statements[idx:]
 
-    def _reg_predicate(self, node_, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
-        out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
+    def _reg_predicate(self, node_: Block, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
+        out_state: RewritingState = (
+            self.head_controlled_loop_outstates[(node_.addr, node_.idx)]
+            if is_head_controlled_loop_block(node_)
+            else self.out_states[(node_.addr, node_.idx)]
+        )
         if reg_offset in out_state.registers and reg_size in out_state.registers[reg_offset]:
             existing_var = out_state.registers[reg_offset][reg_size]
             if existing_var is None:
@@ -189,8 +201,12 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
             return True, vvar
         return False, None
 
-    def _stack_predicate(self, node_, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
-        out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
+    def _stack_predicate(self, node_: Block, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
+        out_state: RewritingState = (
+            self.head_controlled_loop_outstates[(node_.addr, node_.idx)]
+            if is_head_controlled_loop_block(node_)
+            else self.out_states[(node_.addr, node_.idx)]
+        )
         if stack_offset in out_state.stackvars and stackvar_size in out_state.stackvars[stack_offset]:
             existing_var = out_state.stackvars[stack_offset][stackvar_size]
             if existing_var is None:
@@ -262,18 +278,32 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
         )
 
         self._visited_blocks.add(block_key)
-        self.out_states[block_key] = state
-
-        if state.out_block is not None:
-            assert state.out_block.addr == block.addr
-
-            if self.out_blocks.get(block_key, None) == state.out_block:
-                return True, state
-            self.out_blocks[block_key] = state.out_block
-            state.out_block = None
-            return True, state
-
-        return True, state
+        # get the output state (which is the input state for the successor node)
+        # if head_controlled_loop_outstate is set, then it is the output state of the successor node; in this case, the
+        # input state for the head-controlled loop block itself is out.state.
+        # otherwise (if head_controlled_loop_outstate is not set), engine.state is the input state of the successor
+        # node.
+        if engine.head_controlled_loop_outstate is None:
+            # this is a normal block
+            out_state = state
+        else:
+            # this is a head-controlled loop block
+            out_state = engine.head_controlled_loop_outstate
+            self.head_controlled_loop_outstates[block_key] = state
+        self.out_states[block_key] = out_state
+        # the final block is always in state
+        out_block = state.out_block
+
+        if out_block is not None:
+            assert out_block.addr == block.addr
+
+            if self.out_blocks.get(block_key, None) == out_block:
+                return True, out_state
+            self.out_blocks[block_key] = out_block
+            out_state.out_block = None
+            return True, out_state
+
+        return True, out_state
 
     def _intra_analysis(self):
         pass

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -4,6 +4,7 @@ from typing import Literal
 import logging
 
 from archinfo import Endness
+from ailment.block import Block
 from ailment.manager import Manager
 from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
@@ -70,6 +71,7 @@ class SimEngineSSARewriting(
         self.phiid_to_loc = phiid_to_loc
         self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
+        self.head_controlled_loop_outstate: RewritingState | None = None
 
         self.secondary_stackvars: set[int] = set()
 
@@ -87,6 +89,12 @@ class SimEngineSSARewriting(
     # Handlers
     #
 
+    def process(
+        self, state: RewritingState, *, block: Block | None = None, whitelist: set[int] | None = None, **kwargs
+    ) -> None:
+        self.head_controlled_loop_outstate = None
+        super().process(state, block=block, whitelist=whitelist, **kwargs)
+
     def _top(self, bits):
         assert False, "Unreachable"
 
@@ -236,6 +244,11 @@ class SimEngineSSARewriting(
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
         new_false_target = self._expr(stmt.false_target) if stmt.false_target is not None else None
 
+        if self.stmt_idx != len(self.block.statements) - 1:
+            # the conditional jump is in the middle of the block (e.g., the block generated from lifting rep stosq).
+            # we need to make a copy of the state and use the state of this point in its successor
+            self.head_controlled_loop_outstate = self.state.copy()
+
         if new_cond is not None or new_true_target is not None or new_false_target is not None:
             return ConditionalJump(
                 stmt.idx,

angr/analyses/decompiler/stack_item.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+from enum import Enum
+
+
+class StackItemType(Enum):
+    """
+    Enum for the type of stack items.
+    """
+
+    UNKNOWN = 0
+    SAVED_BP = 1
+    SAVED_REGS = 2
+    ARGUMENT = 3
+    RET_ADDR = 4
+    STACK_CANARY = 5
+
+
+class StackItem:
+    """
+    A stack item describes a piece of data that is stored on the stack at a certain offset (usually negative).
+    """
+
+    offset: int
+    size: int
+    name: str
+    item_type: StackItemType
+
+    def __init__(self, offset: int, size: int, name: str, item_type: StackItemType = StackItemType.UNKNOWN):
+        self.offset = offset
+        self.size = size
+        self.name = name
+        self.item_type = item_type
+
+    def __repr__(self):
+        return f"<StackItem {self.name} {self.item_type!s} at {self.offset:#x} ({self.size}b)>"

angr/analyses/decompiler/structured_codegen/c.py

@@ -40,7 +40,7 @@ from angr.sim_variable import SimVariable, SimTemporaryVariable, SimStackVariabl
 from angr.utils.constants import is_alignment_mask
 from angr.utils.library import get_cpp_function_name
 from angr.utils.loader import is_in_readonly_segment, is_in_readonly_section
-from angr.utils.types import unpack_typeref, unpack_pointer
+from angr.utils.types import unpack_typeref, unpack_pointer_and_array
 from angr.analyses.decompiler.utils import structured_node_is_simple_return
 from angr.errors import UnsupportedNodeTypeError, AngrRuntimeError
 from angr.knowledge_plugins.cfg.memory_data import MemoryData, MemoryDataSort
@@ -539,6 +539,8 @@ class CFunction(CConstruct):  # pylint:disable=abstract-method
 
         if self.codegen.show_externs and self.codegen.cexterns:
             for v in sorted(self.codegen.cexterns, key=lambda v: str(v.variable.name)):
+                if v.variable not in self.variables_in_use:
+                    continue
                 varname = v.c_repr() if v.type is None else v.variable.name
                 yield "extern ", None
                 yield from type_to_c_repr_chunks(v.type, name=varname, name_type=v, full=False)
@@ -2581,7 +2583,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         # TODO store extern fallback size somewhere lol
         self.cexterns = {
-            self._variable(v, 1)
+            self._variable(v, 1, mark_used=False)
             for v in self.externs
             if v not in self._inlined_strings and v not in self._function_pointers
         }
@@ -2698,7 +2700,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             return _mapping.get(n)(signed=signed).with_arch(self.project.arch)
         return SimTypeNum(n, signed=signed).with_arch(self.project.arch)
 
-    def _variable(self, variable: SimVariable, fallback_type_size: int | None, vvar_id: int | None = None) -> CVariable:
+    def _variable(
+        self, variable: SimVariable, fallback_type_size: int | None, vvar_id: int | None = None, mark_used: bool = True
+    ) -> CVariable:
         # TODO: we need to fucking make sure that variable recovery and type inference actually generates a size
         # TODO: for each variable it links into the fucking ail. then we can remove fallback_type_size.
         unified = self._variable_kb.variables[self._func.addr].unified_variable(variable)
@@ -2710,7 +2714,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 (fallback_type_size or self.project.arch.bytes) * self.project.arch.byte_width
             )
         cvar = CVariable(variable, unified_variable=unified, variable_type=variable_type, codegen=self, vvar_id=vvar_id)
-        self._variables_in_use[variable] = cvar
+        if mark_used:
+            self._variables_in_use[variable] = cvar
         return cvar
 
     def _get_variable_reference(self, cvar: CVariable) -> CExpression:
@@ -2776,7 +2781,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         # expr must express a POINTER to the base
         # returns a value which has a simtype of data_type as if it were dereferenced out of expr
         data_type = unpack_typeref(data_type)
-        base_type = unpack_typeref(unpack_pointer(expr.type))
+        base_type = unpack_typeref(unpack_pointer_and_array(expr.type))
         if base_type is None:
             # well, not much we can do
             if data_type is None:
@@ -2899,7 +2904,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     ) -> CExpression:
         # same rule as _access_constant_offset wrt pointer expressions
         data_type = unpack_typeref(data_type)
-        base_type = unpack_pointer(expr.type)
+        base_type = unpack_pointer_and_array(expr.type)
         if base_type is None:
             # use the fallback from above
             return self._access_constant_offset(expr, 0, data_type, lvalue, renegotiate_type)
@@ -2959,7 +2964,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         kernel = None
         while i < len(terms):
             c, t = terms[i]
-            if isinstance(unpack_typeref(t.type), SimTypePointer):
+            if isinstance(unpack_typeref(t.type), (SimTypePointer, SimTypeArray)):
                 if kernel is not None:
                     l.warning("Summing two different pointers together. Uh oh!")
                     return bail_out()
@@ -2982,7 +2987,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         # suffering.
         while terms:
-            kernel_type = unpack_typeref(unpack_pointer(kernel.type))
+            kernel_type = unpack_typeref(unpack_pointer_and_array(kernel.type))
             assert kernel_type
 
             if kernel_type.size is None:
@@ -3049,7 +3054,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                     kernel = inner.operand
                 else:
                     kernel = CUnaryOp("Reference", inner, codegen=self)
-                if unpack_typeref(unpack_pointer(kernel.type)) == kernel_type:
+                if unpack_typeref(unpack_pointer_and_array(kernel.type)) == kernel_type:
                     # we are not making progress
                     pass
                 else:

angr/analyses/decompiler/structuring/phoenix.py

@@ -14,7 +14,7 @@ from ailment.statement import Statement, ConditionalJump, Jump, Label, Return
 from ailment.expression import Const, UnaryOp, MultiStatementExpression
 
 from angr.utils.graph import GraphUtils
-from angr.utils.ail import is_phi_assignment
+from angr.utils.ail import is_phi_assignment, is_head_controlled_loop_block
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
 from angr.utils.graph import dominates, to_acyclic_graph, dfs_back_edges
@@ -312,11 +312,11 @@ class PhoenixStructurer(StructurerBase):
                     and head_block.nodes
                     and isinstance(head_block.nodes[0], Block)
                     and head_block.nodes[0].statements
-                    and isinstance(first_nonlabel_nonphi_statement(head_block.nodes[0]), ConditionalJump)
+                    and is_head_controlled_loop_block(head_block.nodes[0])
                 ) or (
                     isinstance(head_block, Block)
                     and head_block.statements
-                    and isinstance(first_nonlabel_nonphi_statement(head_block), ConditionalJump)
+                    and is_head_controlled_loop_block(head_block)
                 ):
                     # it's a while loop if the conditional jump (or the head block) is at the beginning of node
                     loop_type = "while" if head_block_idx == 0 else "do-while"

angr/analyses/find_objects_static.py

@@ -9,6 +9,7 @@ from angr.analyses.reaching_definitions.function_handler import FunctionHandler
 from angr.knowledge_plugins.key_definitions.atoms import Register, MemoryLocation
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
+from angr.utils.cpp import is_cpp_funcname_ctor
 from . import Analysis, VtableFinder, CFGFast, ReachingDefinitionsAnalysis
 
 if TYPE_CHECKING:
@@ -109,7 +110,7 @@ class NewFunctionHandler(FunctionHandler):
         else:
             if self.project.kb.functions.contains_addr(function_address):
                 func = self.project.kb.functions.get_by_addr(function_address)
-                if func is not None and "ctor" in func.demangled_name:
+                if func is not None and is_cpp_funcname_ctor(func.demangled_name):
                     # check if rdi has a possible this pointer/ object address, if so then we can assign this object
                     # this class
                     # also if the func is a constructor(not stripped binaries)

angr/analyses/reaching_definitions/engine_vex.py

@@ -77,12 +77,15 @@ class SimEngineRDVEX(
     def _process_block_end(self, stmt_result, whitelist):
         self.stmt_idx = DEFAULT_STATEMENT
         self._set_codeloc()
+
+        function_handled = False
         if self.block.vex.jumpkind == "Ijk_Call":
             # it has to be a function
             block_next = self.block.vex.next
             assert isinstance(block_next, pyvex.expr.IRExpr)
             addr = self._expr_bv(block_next)
             self._handle_function(addr)
+            function_handled = True
         elif self.block.vex.jumpkind == "Ijk_Boring":
             # test if the target addr is a function or not
             block_next = self.block.vex.next
@@ -94,6 +97,16 @@ class SimEngineRDVEX(
                 if addr_int in self.functions:
                     # yes it's a jump to a function
                     self._handle_function(addr)
+                    function_handled = True
+
+        # take care of OP_AFTER during statement processing for function calls in a block
+        if self.state.analysis and function_handled:
+            self.state.analysis.stmt_observe(
+                self.stmt_idx, self.block.vex.statements[-1], self.block, self.state, OP_AFTER
+            )
+            self.state.analysis.insn_observe(
+                self.ins_addr, self.block.vex.statements[-1], self.block, self.state, OP_AFTER
+            )
 
         return self.state
 

angr/analyses/reaching_definitions/function_handler.py

@@ -121,9 +121,9 @@ class FunctionCallData:
             return False
         if isinstance(dest, MemoryLocation) and isinstance(dest.addr, SpOffset):
             for effect in self.effects:
-                if not isinstance(effect.dest, MemoryLocation) or not isinstance(effect.dest.addr, SpOffset):
-                    continue
                 stkarg = effect.dest
+                if not isinstance(stkarg, MemoryLocation) or not isinstance(stkarg.addr, SpOffset):
+                    continue
                 if (
                     dest.addr.offset + dest.size <= stkarg.addr.offset
                     or stkarg.addr.offset + stkarg.size <= dest.addr.offset
@@ -282,12 +282,20 @@ class FunctionHandler:
     A mechanism for summarizing a function call's effect on a program for ReachingDefinitionsAnalysis.
     """
 
-    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable[FunctionHandler] | None = None):
+    def __init__(self, interfunction_level: int = 0, extra_impls: Iterable[type[FunctionHandler]] | None = None):
+        """
+        :param interfunction_level: Maximum depth in to continue local function exploration
+        :param extra_impls: FunctionHandler classes to implement beyond what's implemented in function_handler_library
+        """
+
         self.interfunction_level: int = interfunction_level
 
-        if extra_impls is not None:
-            for extra_handler in extra_impls:
-                for name, func in vars(extra_handler).items():
+        if extra_impls is None:
+            return
+
+        for extra_handler in extra_impls:
+            for cls in extra_handler.__mro__:
+                for name, func in vars(cls).items():
                     if name.startswith("handle_impl_"):
                         setattr(self, name, _mk_wrapper(func, self))
 
@@ -398,9 +406,13 @@ class FunctionHandler:
                     for typelib_name in prototype_lib.type_collection_names:
                         type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
-                data.prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
+                prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
+                data.prototype = cast(SimTypeFunction, prototype)
 
-        args_atoms_from_values = data.reset_prototype(data.prototype, state, soft_reset=True)
+        if isinstance(data.prototype, SimTypeFunction):
+            args_atoms_from_values = data.reset_prototype(data.prototype, state, soft_reset=True)
+        else:
+            args_atoms_from_values = set()
 
         # PROCESS
         state.move_codelocs(data.function_codeloc)
@@ -506,7 +518,9 @@ class FunctionHandler:
         assert data.prototype is not None
         if data.prototype.returnty is not None:
             if not isinstance(data.prototype.returnty, SimTypeBottom):
-                data.ret_values = MultiValues(state.top(data.prototype.returnty.with_arch(state.arch).size))
+                data.ret_values = MultiValues(
+                    state.top(data.prototype.returnty.with_arch(state.arch).size or state.arch.bits)
+                )
             else:
                 data.ret_values = MultiValues(state.top(state.arch.bits))
         if data.guessed_prototype:
@@ -567,7 +581,7 @@ class FunctionHandler:
         sub_rda = state.analysis.project.analyses.ReachingDefinitions(
             data.function,
             observe_all=state.analysis._observe_all,
-            observation_points=(state.analysis._observation_points or []) + return_observation_points,
+            observation_points=list(state.analysis._observation_points or []).extend(return_observation_points),
             observe_callback=state.analysis._observe_callback,
             dep_graph=state.dep_graph,
             function_handler=self,

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -202,6 +202,7 @@ def handle_printf(
                 for defn in state.get_definitions(atom):
                     top_val = state.annotate_with_def(top_val, defn)
                 buf_data = MultiValues(top_val)
+                buf_atoms = atom
         elif fmt == "%u":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)