angr 9.2.143__py3-none-macosx_11_0_arm64.whl → 9.2.144__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/ssailification/ssailification.py

@@ -5,7 +5,15 @@ from collections import defaultdict
 from itertools import count
 from bisect import bisect_left
 
-from ailment.expression import Expression, Register, StackBaseOffset, Tmp, VirtualVariable, VirtualVariableCategory
+from ailment.expression import (
+    Expression,
+    Register,
+    StackBaseOffset,
+    Tmp,
+    VirtualVariable,
+    VirtualVariableCategory,
+    Load,
+)
 from ailment.statement import Statement, Store
 
 from angr.knowledge_plugins.functions import Function
@@ -151,7 +159,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                     reg_bits = def_.size * self.project.arch.byte_width
                     udef_to_defs[("reg", def_.reg_offset, reg_bits)].add(def_)
                     udef_to_blockkeys[("reg", def_.reg_offset, reg_bits)].add((loc.block_addr, loc.block_idx))
-            elif isinstance(def_, Store):
+            elif isinstance(def_, (Store, Load)):
                 if isinstance(def_.addr, StackBaseOffset) and isinstance(def_.addr.offset, int):
                     idx_begin = bisect_left(sorted_stackvar_offs, def_.addr.offset)
                     for i in range(idx_begin, len(sorted_stackvar_offs)):

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 from collections import OrderedDict
 
 from ailment.statement import Call, Store, ConditionalJump
-from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression
+from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression, Load
 
 from angr.engines.light import SimEngineLightAIL
 from angr.project import Project
@@ -133,6 +133,22 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
 
             self.state.live_registers.add(base_offset)
 
+    def _handle_expr_Load(self, expr: Load):
+        self._expr(expr.addr)
+        if (
+            self.stackvars
+            and isinstance(expr.addr, StackBaseOffset)
+            and isinstance(expr.addr.offset, int)
+            and (expr.addr.offset, expr.size) not in self.state.live_stackvars
+        ):
+            # we must create this stack variable on the fly; we did not see its creation before it is first used
+            codeloc = self._codeloc()
+            self.def_to_loc.append((expr, codeloc))
+            if codeloc not in self.loc_to_defs:
+                self.loc_to_defs[codeloc] = OrderedSet()
+            self.loc_to_defs[codeloc].add(expr)
+            self.state.live_stackvars.add((expr.addr.offset, expr.size))
+
     def _handle_expr_Tmp(self, expr: Tmp):
         if self.use_tmps:
             codeloc = self._codeloc()
@@ -251,7 +267,6 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
 
     _handle_expr_VirtualVariable = _handle_Dummy
     _handle_expr_Phi = _handle_Dummy
-    _handle_expr_Load = _handle_Dummy
     _handle_expr_Const = _handle_Dummy
     _handle_expr_MultiStatementExpression = _handle_Dummy
     _handle_expr_StackBaseOffset = _handle_Dummy

angr/analyses/decompiler/structured_codegen/c.py

@@ -3426,8 +3426,13 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             return old_ty
 
         if expr.variable is not None:
-            cvar = self._variable(expr.variable, expr.size)
-            offset = expr.variable_offset or 0
+            if "struct_member_info" in expr.tags:
+                offset, var, _ = expr.struct_member_info
+                cvar = self._variable(var, var.size)
+            else:
+                cvar = self._variable(expr.variable, expr.size)
+                offset = expr.variable_offset or 0
+
             assert type(offset) is int  # I refuse to deal with the alternative
             return self._access_constant_offset(CUnaryOp("Reference", cvar, codegen=self), offset, ty, False, negotiate)
 
@@ -3649,8 +3654,24 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         return CMultiStatementExpression(cstmts, cexpr, tags=expr.tags, codegen=self)
 
     def _handle_VirtualVariable(self, expr: Expr.VirtualVariable, **kwargs):
-        if expr.variable:
-            cvar = self._variable(expr.variable, None, vvar_id=expr.varid)
+        def negotiate(old_ty: SimType, proposed_ty: SimType) -> SimType:
+            # we do not allow returning a struct for a primitive type
+            if old_ty.size == proposed_ty.size and (
+                not isinstance(proposed_ty, SimStruct) or isinstance(old_ty, SimStruct)
+            ):
+                return proposed_ty
+            return old_ty
+
+        if expr.variable is not None:
+            if "struct_member_info" in expr.tags:
+                offset, var, _ = expr.struct_member_info
+                cbasevar = self._variable(var, expr.size)
+                cvar = self._access_constant_offset(
+                    self._get_variable_reference(cbasevar), offset, cbasevar.type, False, negotiate
+                )
+            else:
+                cvar = self._variable(expr.variable, None, vvar_id=expr.varid)
+
             if expr.variable.size != expr.size:
                 l.warning(
                     "VirtualVariable size (%d) and variable size (%d) do not match. Force a type cast.",

angr/analyses/disassembly.py

@@ -4,7 +4,7 @@ import contextlib
 import logging
 from collections import defaultdict
 from collections.abc import Sequence
-from typing import Union, Any
+from typing import Any
 
 import pyvex
 import archinfo
@@ -24,8 +24,8 @@ try:
     from angr.engines import pcode
     import pypcode
 
-    IRSBType = Union[pyvex.IRSB, pcode.lifter.IRSB]
-    IROpObjType = Union[pyvex.stmt.IRStmt, pypcode.PcodeOp]
+    IRSBType = pyvex.IRSB | pcode.lifter.IRSB
+    IROpObjType = pyvex.stmt.IRStmt | pypcode.PcodeOp
 except ImportError:
     pcode = None
     IRSBType = pyvex.IRSB

angr/analyses/fcp/fcp.py

@@ -407,10 +407,7 @@ class FastConstantPropagation(Analysis):
             except (TypeError, ValueError):
                 arg_locs = None
 
-            if None in arg_locs:
-                arg_locs = None
-
-            if arg_locs is not None:
+            if arg_locs is not None and None not in arg_locs:
                 for arg_loc in arg_locs:
                     for loc in arg_loc.get_footprint():
                         if isinstance(loc, SimStackArg):

angr/analyses/s_reaching_definitions/s_reaching_definitions.py

@@ -131,28 +131,27 @@ class SReachingDefinitionsAnalysis(Analysis):
                     stmt if isinstance(stmt, Call) else stmt.src if isinstance(stmt, Assignment) else stmt.ret_exprs[0]
                 )
                 assert isinstance(call, Call)
-                if call.prototype is None:
-                    # without knowing the prototype, we must conservatively add uses to all registers that are
-                    # potentially used here
-                    if call.calling_convention is not None:
-                        cc = call.calling_convention
-                    else:
-                        # just use all registers in the default calling convention because we don't know anything about
-                        # the calling convention yet
-                        cc_cls = default_cc(self.project.arch.name)
-                        assert cc_cls is not None
-                        cc = cc_cls(self.project.arch)
-
-                    codeloc = CodeLocation(block_addr, stmt_idx, block_idx=block_idx, ins_addr=stmt.ins_addr)
-                    arg_locs = list(cc.ARG_REGS)
-                    if cc.FP_ARG_REGS:
-                        arg_locs += [r_name for r_name in cc.FP_ARG_REGS if r_name not in arg_locs]
-
-                    for arg_reg_name in arg_locs:
-                        reg_offset = self.project.arch.registers[arg_reg_name][0]
-                        if reg_offset in reg_to_vvarids:
-                            vvarid = reg_to_vvarids[reg_offset]
-                            self.model.add_vvar_use(vvarid, None, codeloc)
+
+                # conservatively add uses to all registers that are potentially used here
+                if call.calling_convention is not None:
+                    cc = call.calling_convention
+                else:
+                    # just use all registers in the default calling convention because we don't know anything about
+                    # the calling convention yet
+                    cc_cls = default_cc(self.project.arch.name)
+                    assert cc_cls is not None
+                    cc = cc_cls(self.project.arch)
+
+                codeloc = CodeLocation(block_addr, stmt_idx, block_idx=block_idx, ins_addr=stmt.ins_addr)
+                arg_locs = list(cc.ARG_REGS)
+                if cc.FP_ARG_REGS:
+                    arg_locs += [r_name for r_name in cc.FP_ARG_REGS if r_name not in arg_locs]
+
+                for arg_reg_name in arg_locs:
+                    reg_offset = self.project.arch.registers[arg_reg_name][0]
+                    if reg_offset in reg_to_vvarids:
+                        vvarid = reg_to_vvarids[reg_offset]
+                        self.model.add_vvar_use(vvarid, None, codeloc)
 
         if self._track_tmps:
             # track tmps

angr/analyses/typehoon/dfa.py

@@ -1,21 +1,22 @@
+# pylint:disable=import-outside-toplevel
 from __future__ import annotations
 from typing import TYPE_CHECKING
 
 import networkx
 
 # FIXME: Remove the dependency on pyformlang
-from pyformlang.finite_automaton import Epsilon, EpsilonNFA, State, Symbol
 
 from angr.errors import AngrError
 from .typevars import BaseLabel, Subtype
 from .variance import Variance
 
 if TYPE_CHECKING:
+    from pyformlang.finite_automaton import EpsilonNFA
     from pyformlang.finite_automaton import DeterministicFiniteAutomaton
 
 
-START_STATE = State("START")
-END_STATE = State("END")
+START_STATE = None
+END_STATE = None
 
 
 class EmptyEpsilonNFAError(AngrError):
@@ -31,6 +32,15 @@ class DFAConstraintSolver:
 
     @staticmethod
     def graph_to_epsilon_nfa(graph: networkx.DiGraph, starts: set, ends: set) -> EpsilonNFA:
+        from pyformlang.finite_automaton import Epsilon, EpsilonNFA, State, Symbol  # delayed import
+
+        global START_STATE, END_STATE  # pylint:disable=global-statement
+
+        if START_STATE is None:
+            START_STATE = State("START")
+        if END_STATE is None:
+            END_STATE = State("END")
+
         enfa = EpsilonNFA()
 
         # print("Converting graph to eNFA")

angr/analyses/typehoon/typehoon.py

@@ -1,17 +1,18 @@
 # pylint:disable=bad-builtin
 from __future__ import annotations
 from typing import TYPE_CHECKING
+from collections import defaultdict
 
 from angr.sim_type import SimStruct, SimTypePointer, SimTypeArray
 from angr.errors import AngrRuntimeError
 from angr.analyses.analysis import Analysis, AnalysesHub
+from angr.sim_variable import SimVariable, SimStackVariable
 from .simple_solver import SimpleSolver
 from .translator import TypeTranslator
 from .typeconsts import Struct, Pointer, TypeConstant, Array, TopType
 from .typevars import Equivalence, Subtype, TypeVariable
 
 if TYPE_CHECKING:
-    from angr.sim_variable import SimVariable
     from angr.sim_type import SimType
     from .typevars import TypeConstraint
 
@@ -38,6 +39,7 @@ class Typehoon(Analysis):
         var_mapping: dict[SimVariable, set[TypeVariable]] | None = None,
         must_struct: set[TypeVariable] | None = None,
         stackvar_max_sizes: dict[TypeVariable, int] | None = None,
+        stack_offset_tvs: dict[int, TypeVariable] | None = None,
     ):
         """
 
@@ -54,6 +56,7 @@ class Typehoon(Analysis):
         self._var_mapping = var_mapping
         self._must_struct = must_struct
         self._stackvar_max_sizes = stackvar_max_sizes if stackvar_max_sizes is not None else {}
+        self._stack_offset_tvs = stack_offset_tvs if stack_offset_tvs is not None else {}
 
         self.bits = self.project.arch.bits
         self.solution = None
@@ -70,25 +73,55 @@ class Typehoon(Analysis):
     # Public methods
     #
 
-    def update_variable_types(self, func_addr: int | str, var_to_typevars):
+    def update_variable_types(
+        self,
+        func_addr: int | str,
+        var_to_typevars: dict[SimVariable, set[TypeVariable]],
+        stack_offset_tvs: dict[int, TypeVariable] | None = None,
+    ) -> None:
+
+        if not self.simtypes_solution:
+            return
+
         for var, typevars in var_to_typevars.items():
-            for typevar in typevars:
+            # if the variable is a stack variable, does the stack offset have any corresponding type variable?
+            typevars_list = sorted(typevars, key=lambda tv: tv.idx)
+            if stack_offset_tvs and isinstance(var, SimStackVariable) and var.offset in stack_offset_tvs:
+                typevars_list.append(stack_offset_tvs[var.offset])
+
+            type_candidates: list[SimType] = []
+            for typevar in typevars_list:
                 type_ = self.simtypes_solution.get(typevar, None)
-                if type_ is not None:
-                    # print("{} -> {}: {}".format(var, typevar, type_))
-                    # Hack: if a global address is of a pointer type and it is not an array, we unpack the type
-                    if (
-                        func_addr == "global"
-                        and isinstance(type_, SimTypePointer)
-                        and not isinstance(type_.pts_to, SimTypeArray)
-                    ):
-                        type_ = type_.pts_to
-
-                    name = None
-                    if isinstance(type_, SimStruct):
-                        name = type_.name
-
-                    self.kb.variables[func_addr].set_variable_type(var, type_, name=name)
+                # print("{} -> {}: {}".format(var, typevar, type_))
+                # Hack: if a global address is of a pointer type and it is not an array, we unpack the type
+                if (
+                    func_addr == "global"
+                    and isinstance(type_, SimTypePointer)
+                    and not isinstance(type_.pts_to, SimTypeArray)
+                ):
+                    type_ = type_.pts_to
+                type_candidates.append(type_)
+
+            # determine the best type - this logic can be made better!
+            if not type_candidates:
+                continue
+            if len(type_candidates) > 1:
+                types_by_size: dict[int, list[SimType]] = defaultdict(list)
+                for t in type_candidates:
+                    if t.size is not None:
+                        types_by_size[t.size].append(t)
+                if not types_by_size:
+                    # we only have BOT and TOP? damn
+                    the_type = type_candidates[0]
+                else:
+                    max_size = max(types_by_size.keys())
+                    the_type = types_by_size[max_size][0]  # TODO: Sort it
+            else:
+                the_type = type_candidates[0]
+
+            self.kb.variables[func_addr].set_variable_type(
+                var, the_type, name=the_type.name if isinstance(the_type, SimStruct) else None
+            )
 
     def pp_constraints(self) -> None:
         """
@@ -131,6 +164,8 @@ class Typehoon(Analysis):
             sol = self.solution[typevar]
             var_and_typevar = f"{typevar_to_var[typevar]} ({typevar})" if typevar in typevar_to_var else typevar
             print(f"    {var_and_typevar} -> {sol}")
+        for stack_off, tv in self._stack_offset_tvs.items():
+            print(f"    stack_{stack_off:#x} ({tv}) -> {self.solution[tv]}")
         print("### end of solutions ###")
 
     #
@@ -157,6 +192,7 @@ class Typehoon(Analysis):
         if self._var_mapping:
             for variable_typevars in self._var_mapping.values():
                 typevars |= variable_typevars
+            typevars |= set(self._stack_offset_tvs.values())
         else:
             # collect type variables from constraints
             for constraint in self._constraints[self.func_var]:
@@ -175,6 +211,9 @@ class Typehoon(Analysis):
         - structs where every element is of the same type will be converted to an array of that element type.
         """
 
+        if not self.solution:
+            return
+
         for tv in list(self.solution.keys()):
             if self._must_struct and tv in self._must_struct:
                 continue
@@ -223,6 +262,9 @@ class Typehoon(Analysis):
         Translate solutions in type variables to solutions in SimTypes.
         """
 
+        if not self.solution:
+            return
+
         simtypes_solution = {}
         translator = TypeTranslator(arch=self.project.arch)
         needs_backpatch = set()

angr/analyses/typehoon/typevars.py

@@ -397,11 +397,13 @@ class DerivedTypeVariable(TypeVariable):
 class TypeVariables:
     __slots__ = (
         "_last_typevars",
+        "_typevar2var",
         "_typevars",
     )
 
     def __init__(self):
         self._typevars: dict[SimVariable, set[TypeVariable]] = {}
+        self._typevar2var: dict[TypeVariable, SimVariable] = {}
         self._last_typevars: dict[SimVariable, TypeVariable] = {}
 
     def copy(self):
@@ -418,22 +420,24 @@ class TypeVariables:
         # )
         return f"{{TypeVars: {len(self._typevars)} items}}"
 
-    def add_type_variable(self, var: SimVariable, codeloc, typevar: TypeType):  # pylint:disable=unused-argument
+    def add_type_variable(self, var: SimVariable, typevar: TypeVariable, latest: bool = True):
         if var not in self._typevars:
             self._typevars[var] = set()
         elif typevar in self._typevars[var]:
             return
         self._typevars[var].add(typevar)
-        self._last_typevars[var] = typevar
+        if latest:
+            self._last_typevars[var] = typevar
+        self._typevar2var[typevar] = var
 
-    def get_type_variable(self, var, codeloc):  # pylint:disable=unused-argument
+    def get_type_variable(self, var):  # pylint:disable=unused-argument
         return self._last_typevars[var]
 
-    def has_type_variable_for(self, var: SimVariable, codeloc):  # pylint:disable=unused-argument
+    def has_type_variable_for(self, var: SimVariable):  # pylint:disable=unused-argument
         return var in self._typevars
-        # if codeloc not in self._typevars[var]:
-        #     return False
-        # return True
+
+    def typevar_to_variable(self, typevar: TypeVariable) -> SimVariable | None:
+        return self._typevar2var.get(typevar, None)
 
     def __getitem__(self, var):
         return self._last_typevars[var]

angr/analyses/variable_recovery/engine_ail.py

@@ -9,14 +9,13 @@ from unique_log_filter import UniqueLogFilter
 
 from angr.engines.light.engine import SimEngineNostmtAIL
 from angr.procedures import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
-from angr.utils.constants import MAX_POINTSTO_BITS
 from angr.sim_type import SimTypeFunction, dereference_simtype
 from angr.analyses.typehoon import typeconsts, typevars
 from angr.analyses.typehoon.lifter import TypeLifter
 from .engine_base import SimEngineVRBase, RichR
 
 if TYPE_CHECKING:
-    pass
+    from .variable_recovery_fast import VariableRecoveryFastState  # noqa: F401
 
 
 l = logging.getLogger(name=__name__)
@@ -272,6 +271,8 @@ class SimEngineVRAIL(
                 if arg.typevar is not None:
                     arg_type = dereference_simtype(arg_type, type_collections).with_arch(arg_type._arch)
                     arg_ty = TypeLifter(self.arch.bits).lift(arg_type)
+                    if isinstance(arg_ty, typevars.TypeConstraint) and isinstance(arg.typevar, typevars.TypeConstraint):
+                        continue
                     type_constraint = typevars.Subtype(arg.typevar, arg_ty)
                     self.state.add_type_constraint(type_constraint)
 
@@ -399,28 +400,23 @@ class SimEngineVRAIL(
         return RichR(self.state.top(expr.to_bits), typevar=typevar)
 
     def _handle_expr_StackBaseOffset(self, expr: ailment.Expr.StackBaseOffset):
-        ref_typevar = self.state.stack_offset_typevars.get(expr.offset, None)
-
-        if ref_typevar is None:
+        refbase_typevar = self.state.stack_offset_typevars.get(expr.offset, None)
+        if refbase_typevar is None:
             # allocate a new type variable
-            ref_typevar = typevars.TypeVariable()
-            self.state.stack_offset_typevars[expr.offset] = ref_typevar
+            refbase_typevar = typevars.TypeVariable()
+            self.state.stack_offset_typevars[expr.offset] = refbase_typevar
+
+        ref_typevar = typevars.TypeVariable()
+        access_derived_typevar = self._create_access_typevar(ref_typevar, False, None, 0)
+        load_constraint = typevars.Subtype(refbase_typevar, access_derived_typevar)
+        self.state.add_type_constraint(load_constraint)
 
         value_v = self.state.stack_address(expr.offset)
         richr = RichR(value_v, typevar=ref_typevar)
         codeloc = self._codeloc()
-        var_and_offsets = self._ensure_variable_existence(richr, codeloc, src_expr=expr)
+        self._ensure_variable_existence(richr, codeloc, src_expr=expr)
         if self._reference_spoffset:
             self._reference(richr, codeloc, src=expr)
-        for var, off_in_var in var_and_offsets:
-            if self.state.typevars.has_type_variable_for(var, codeloc):
-                var_typevar = self.state.typevars.get_type_variable(var, codeloc)
-                load_typevar = self._create_access_typevar(
-                    ref_typevar, False, MAX_POINTSTO_BITS // 8, 0 if off_in_var is None else off_in_var
-                )
-                type_constraint = typevars.Subtype(var_typevar, load_typevar)
-                self.state.add_type_constraint(type_constraint)
-
         return richr
 
     def _handle_expr_BasePointerOffset(self, expr):

angr/analyses/variable_recovery/engine_base.py

@@ -15,7 +15,7 @@ from angr.sim_variable import SimVariable, SimStackVariable, SimRegisterVariable
 from angr.code_location import CodeLocation
 from angr.analyses.typehoon import typevars, typeconsts
 from angr.analyses.typehoon.typevars import TypeVariable, DerivedTypeVariable, AddN, SubN, Load, Store
-
+from angr.utils.constants import MAX_POINTSTO_BITS
 
 #
 # The base engine used in VariableRecoveryFast
@@ -269,9 +269,9 @@ class SimEngineVRBase(
             return
         variable, _ = existing_vars[0]
 
-        if not self.state.typevars.has_type_variable_for(variable, codeloc):
+        if not self.state.typevars.has_type_variable_for(variable):
             variable_typevar = typevars.TypeVariable()
-            self.state.typevars.add_type_variable(variable, codeloc, variable_typevar)
+            self.state.typevars.add_type_variable(variable, variable_typevar)
         # we do not add any type constraint here because we are not sure if the given memory address will ever be
         # accessed or not
 
@@ -350,13 +350,13 @@ class SimEngineVRBase(
         self.state.variable_manager[self.func_addr].write_to(variable, None, codeloc, atom=dst, overwrite=False)
 
         if richr.typevar is not None:
-            if not self.state.typevars.has_type_variable_for(variable, codeloc):
+            if not self.state.typevars.has_type_variable_for(variable):
                 # assign a new type variable to it
                 typevar = typevars.TypeVariable()
-                self.state.typevars.add_type_variable(variable, codeloc, typevar)
+                self.state.typevars.add_type_variable(variable, typevar)
                 # create constraints
             else:
-                typevar = self.state.typevars.get_type_variable(variable, codeloc)
+                typevar = self.state.typevars.get_type_variable(variable)
             self.state.add_type_constraint(typevars.Subtype(richr.typevar, typevar))
             self.state.add_type_constraint(typevars.Subtype(typevar, typeconsts.int_type(variable.size * 8)))
 
@@ -448,13 +448,13 @@ class SimEngineVRBase(
         self.state.variable_manager[self.func_addr].write_to(variable, None, codeloc, atom=dst, overwrite=False)
 
         if richr.typevar is not None:
-            if not self.state.typevars.has_type_variable_for(variable, codeloc):
+            if not self.state.typevars.has_type_variable_for(variable):
                 # assign a new type variable to it
                 typevar = typevars.TypeVariable()
-                self.state.typevars.add_type_variable(variable, codeloc, typevar)
+                self.state.typevars.add_type_variable(variable, typevar)
                 # create constraints
             else:
-                typevar = self.state.typevars.get_type_variable(variable, codeloc)
+                typevar = self.state.typevars.get_type_variable(variable)
             self.state.add_type_constraint(typevars.Subtype(richr.typevar, typevar))
             # the constraint below is a default constraint that may conflict with more specific ones with different
             # sizes; we post-process at the very end of VRA to remove conflicting default constraints.
@@ -564,11 +564,11 @@ class SimEngineVRBase(
 
             # create type constraints
             if data.typevar is not None:
-                if not self.state.typevars.has_type_variable_for(variable, codeloc):
+                if not self.state.typevars.has_type_variable_for(variable):
                     typevar = typevars.TypeVariable()
-                    self.state.typevars.add_type_variable(variable, codeloc, typevar)
+                    self.state.typevars.add_type_variable(variable, typevar)
                 else:
-                    typevar = self.state.typevars.get_type_variable(variable, codeloc)
+                    typevar = self.state.typevars.get_type_variable(variable)
                 if typevar is not None:
                     self.state.add_type_constraint(typevars.Subtype(data.typevar, typevar))
         # TODO: Create a tv_sp.store.<bits>@N <: typevar type constraint for the stack pointer
@@ -640,11 +640,11 @@ class SimEngineVRBase(
                 variable_manager.write_to(var, var_offset, codeloc, atom=stmt)
 
         # create type constraints
-        if not self.state.typevars.has_type_variable_for(variable, codeloc):
+        if not self.state.typevars.has_type_variable_for(variable):
             typevar = typevars.TypeVariable()
-            self.state.typevars.add_type_variable(variable, codeloc, typevar)
+            self.state.typevars.add_type_variable(variable, typevar)
         else:
-            typevar = self.state.typevars.get_type_variable(variable, codeloc)
+            typevar = self.state.typevars.get_type_variable(variable)
 
         if offset is not None and elem_size is not None:
             # it's an array!
@@ -671,9 +671,6 @@ class SimEngineVRBase(
                 self.state.add_type_constraint(typevars.Subtype(data.typevar, store_typevar))
 
     def _store_to_variable(self, richr_addr: RichR[claripy.ast.BV], data: RichR, size: int):
-        addr_variable = richr_addr.variable
-        codeloc = self._codeloc()
-
         # Storing data into a pointer
         if richr_addr.type_constraints:
             for tc in richr_addr.type_constraints:
@@ -690,8 +687,6 @@ class SimEngineVRBase(
                 field_offset = 0
 
             store_typevar = self._create_access_typevar(base_typevar, True, size, field_offset)
-            if addr_variable is not None:
-                self.state.typevars.add_type_variable(addr_variable, codeloc, typevar)
             data_typevar = data.typevar if data.typevar is not None else typeconsts.TopType()
             self.state.add_type_constraint(typevars.Subtype(store_typevar, data_typevar))
 
@@ -823,11 +818,11 @@ class SimEngineVRBase(
                         self.state.delayed_type_constraints.pop(var)
 
                     # create type constraints
-                    if not self.state.typevars.has_type_variable_for(var, codeloc):
+                    if not self.state.typevars.has_type_variable_for(var):
                         typevar = typevars.TypeVariable()
-                        self.state.typevars.add_type_variable(var, codeloc, typevar)
+                        self.state.typevars.add_type_variable(var, typevar)
                     else:
-                        typevar = self.state.typevars.get_type_variable(var, codeloc)
+                        typevar = self.state.typevars.get_type_variable(var)
 
                 else:
                     typevar = typevars.TypeVariable()
@@ -933,11 +928,11 @@ class SimEngineVRBase(
 
         variable, _ = next(iter(existing_vars))
         # create type constraints
-        if not self.state.typevars.has_type_variable_for(variable, codeloc):
+        if not self.state.typevars.has_type_variable_for(variable):
             typevar = typevars.TypeVariable()
-            self.state.typevars.add_type_variable(variable, codeloc, typevar)
+            self.state.typevars.add_type_variable(variable, typevar)
         else:
-            typevar = self.state.typevars.get_type_variable(variable, codeloc)
+            typevar = self.state.typevars.get_type_variable(variable)
 
         if offset is not None and elem_size is not None:
             # it's an array!
@@ -1024,7 +1019,7 @@ class SimEngineVRBase(
 
                 if var not in self.state.typevars:
                     typevar = typevars.TypeVariable()
-                    self.state.typevars.add_type_variable(var, codeloc, typevar)
+                    self.state.typevars.add_type_variable(var, typevar)
                 else:
                     # FIXME: This is an extremely stupid hack. Fix it later.
                     # | typevar = next(reversed(list(self.state.typevars[var].values())))
@@ -1125,7 +1120,7 @@ class SimEngineVRBase(
 
                 if var not in self.state.typevars:
                     typevar = typevars.TypeVariable()
-                    self.state.typevars.add_type_variable(var, codeloc, typevar)
+                    self.state.typevars.add_type_variable(var, typevar)
                 else:
                     # FIXME: This is an extremely stupid hack. Fix it later.
                     # | typevar = next(reversed(list(self.state.typevars[var].values())))
@@ -1140,7 +1135,7 @@ class SimEngineVRBase(
         self,
         typevar: typeconsts.TypeConstant | TypeVariable | DerivedTypeVariable,
         is_store: bool,
-        size: int,
+        size: int | None,
         offset: int,
     ) -> DerivedTypeVariable:
         if isinstance(typevar, DerivedTypeVariable):
@@ -1157,8 +1152,9 @@ class SimEngineVRBase(
                 else:
                     typevar = DerivedTypeVariable(typevar.type_var, None, labels=typevar.labels[:-1])
         lbl = Store() if is_store else Load()
+        bits = size * self.project.arch.byte_width if size is not None else MAX_POINTSTO_BITS
         return DerivedTypeVariable(
             typevar,
             None,
-            labels=(lbl, typevars.HasField(size * self.project.arch.byte_width, offset)),
+            labels=(lbl, typevars.HasField(bits, offset)),
         )