angr 9.2.143__py3-none-manylinux2014_aarch64.whl → 9.2.144__py3-none-manylinux2014_aarch64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.143"
+__version__ = "9.2.144"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -864,7 +864,19 @@ class CallingConventionAnalysis(Analysis):
                 else:
                     int_args.append(arg)
 
-        stack_args = sorted([a for a in args if isinstance(a, SimStackArg)], key=lambda a: a.stack_offset)
+        initial_stack_args = sorted([a for a in args if isinstance(a, SimStackArg)], key=lambda a: a.stack_offset)
+        # ensure stack args are consecutive if necessary
+        if cc.STACKARG_SP_DIFF is not None and initial_stack_args:
+            arg_by_offset = {a.stack_offset: a for a in initial_stack_args}
+            init_stackarg_offset = cc.STACKARG_SP_DIFF + cc.STACKARG_SP_BUFF
+            int_arg_size = self.project.arch.bytes
+            for stackarg_offset in range(init_stackarg_offset, max(arg_by_offset), int_arg_size):
+                if stackarg_offset not in arg_by_offset:
+                    arg_by_offset[stackarg_offset] = SimStackArg(stackarg_offset, int_arg_size)
+            stack_args = [arg_by_offset[offset] for offset in sorted(arg_by_offset)]
+        else:
+            stack_args = initial_stack_args
+
         stack_int_args = [a for a in stack_args if not a.is_fp]
         stack_fp_args = [a for a in stack_args if a.is_fp]
         # match int args first

angr/analyses/calling_convention/fact_collector.py

@@ -1,6 +1,7 @@
 # pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any, TYPE_CHECKING
+from collections import defaultdict
 
 import pyvex
 import claripy
@@ -30,6 +31,7 @@ class FactCollectorState:
         "bp_value",
         "callee_stored_regs",
         "reg_reads",
+        "reg_reads_count",
         "reg_writes",
         "simple_stack",
         "sp_value",
@@ -44,6 +46,7 @@ class FactCollectorState:
 
         self.callee_stored_regs: dict[int, int] = {}  # reg offset -> stack offset
         self.reg_reads = {}
+        self.reg_reads_count = defaultdict(int)
         self.reg_writes: set[int] = set()
         self.stack_reads = {}
         self.stack_writes: set[int] = set()
@@ -51,6 +54,7 @@ class FactCollectorState:
         self.bp_value = 0
 
     def register_read(self, offset: int, size_in_bytes: int):
+        self.reg_reads_count[offset] += 1
         if offset in self.reg_writes:
             return
         if offset not in self.reg_reads:
@@ -58,6 +62,14 @@ class FactCollectorState:
         else:
             self.reg_reads[offset] = max(self.reg_reads[offset], size_in_bytes)
 
+    def register_read_undo(self, offset: int) -> None:
+        if offset not in self.reg_reads or offset not in self.reg_reads_count:
+            return
+        self.reg_reads_count[offset] -= 1
+        if self.reg_reads_count[offset] == 0:
+            self.reg_reads.pop(offset)
+            self.reg_reads_count.pop(offset)
+
     def register_written(self, offset: int, size_in_bytes: int):
         for o in range(size_in_bytes):
             self.reg_writes.add(offset + o)
@@ -84,6 +96,7 @@ class FactCollectorState:
         new_state.sp_value = self.sp_value
         new_state.bp_value = self.bp_value
         new_state.simple_stack = self.simple_stack.copy()
+        new_state.reg_reads_count = self.reg_reads_count.copy()
         if with_tmps:
             new_state.tmps = self.tmps.copy()
         return new_state
@@ -119,6 +132,26 @@ class SimEngineFactCollectorVEX(
 
     def _handle_stmt_Put(self, stmt):
         v = self._expr(stmt.data)
+        # there are cases like  VMOV.F32        S0, S0
+        # so we need to check if this register write is actually a no-op
+        if isinstance(stmt.data, pyvex.IRExpr.RdTmp):
+            t = self.state.tmps.get(stmt.data.tmp, None)
+            if isinstance(t, RegisterOffset) and t.reg == stmt.offset:
+                same_ins_read = False
+                for i in range(self.stmt_idx, -1, -1):
+                    if i >= self.block.vex.stmts_used:
+                        break
+                    prev_stmt = self.block.vex.statements[i]
+                    if isinstance(prev_stmt, pyvex.IRStmt.IMark):
+                        break
+                    if isinstance(prev_stmt, pyvex.IRStmt.WrTmp) and prev_stmt.tmp == stmt.data.tmp:
+                        same_ins_read = True
+                        break
+                if same_ins_read:
+                    # we need to revert the read operation as well
+                    self.state.register_read_undo(stmt.offset)
+                return
+
         if stmt.offset == self.arch.sp_offset and isinstance(v, SpOffset):
             self.state.sp_value = v.offset
         elif stmt.offset == self.arch.bp_offset and isinstance(v, SpOffset):
@@ -210,7 +243,7 @@ class FactCollector(Analysis):
     decision on the calling convention and prototype of a function.
     """
 
-    def __init__(self, func: Function, max_depth: int = 5):
+    def __init__(self, func: Function, max_depth: int = 30):
         self.function = func
         self._max_depth = max_depth
 
@@ -285,14 +318,17 @@ class FactCollector(Analysis):
             for _, succ, data in func_graph.out_edges(node, data=True):
                 edge_type = data.get("type")
                 outside = data.get("outside", False)
-                if succ not in traversed and depth + 1 <= self._max_depth:
+                if depth + 1 <= self._max_depth:
                     if edge_type == "fake_return":
-                        ret_succ = succ
+                        if succ not in traversed:
+                            ret_succ = succ
                     elif edge_type == "transition" and not outside:
-                        successor_added = True
-                        queue.append((depth + 1, state.copy(), succ, None))
+                        if succ not in traversed:
+                            successor_added = True
+                            queue.append((depth + 1, state.copy(), succ, None))
                     elif edge_type == "call" or (edge_type == "transition" and outside):
                         # a call or a tail-call
+                        # note that it's ok to traverse a called function multiple times
                         if not isinstance(succ, Function):
                             if self.kb.functions.contains_addr(succ.addr):
                                 succ = self.kb.functions.get_by_addr(succ.addr)

angr/analyses/cfg/cfg_base.py

@@ -1701,7 +1701,12 @@ class CFGBase(Analysis):
                 self._update_progress(progress)
 
             self._graph_bfs_custom(
-                self.graph, [fn], self._graph_traversal_handler, blockaddr_to_function, tmp_functions
+                self.graph,
+                [fn],
+                self._graph_traversal_handler,
+                blockaddr_to_function,
+                tmp_functions,
+                traversed_cfg_nodes,
             )
 
         to_remove = set()
@@ -2731,7 +2736,7 @@ class CFGBase(Analysis):
             relifted = self.project.factory.block(block.addr, size=block.size, opt_level=1, cross_insn_opt=True).vex
         except SimError:
             return False, []
-        if isinstance(relifted.next, pyvex.IRExpr.Const):
+        if not relifted.jumpkind.startswith("Ijk_Sys") and isinstance(relifted.next, pyvex.IRExpr.Const):
             # yes!
             return True, [relifted.next.con.value]
 

angr/analyses/cfg/cfg_emulated.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
+from typing import TYPE_CHECKING
 import itertools
 import logging
 import sys
 from collections import defaultdict
 from functools import reduce
+import contextlib
 
 import angr
 import claripy
@@ -45,7 +47,10 @@ from angr.analyses.backward_slice import BackwardSlice
 from angr.analyses.loopfinder import LoopFinder, Loop
 from .cfg_base import CFGBase
 from .cfg_job_base import BlockID, CFGJobBase
-import contextlib
+
+if TYPE_CHECKING:
+    from angr.knowledge_plugins.cfg import CFGNode
+
 
 l = logging.getLogger(name=__name__)
 
@@ -505,6 +510,8 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         :return: None
         """
 
+        assert self._starts is not None
+
         if not isinstance(max_loop_unrolling_times, int) or max_loop_unrolling_times < 0:
             raise AngrCFGError(
                 "Max loop unrolling times must be set to an integer greater than or equal to 0 if "
@@ -586,6 +593,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
             graph_copy.remove_node(new_end_node)
             src, dst = loop_backedge
+            assert src is not None and dst is not None
             if graph_copy.has_edge(src, dst):  # It might have been removed before
                 # Duplicate the dst node
                 new_dst = dst.copy()
@@ -713,9 +721,10 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         # FIXME: start should also take a CFGNode instance
 
         start_node = self.get_any_node(start)
+        assert start_node is not None
 
         node_wrapper = (start_node, 0)
-        stack = [node_wrapper]
+        stack: list[tuple[CFGNode, int]] = [node_wrapper]
         traversed_nodes = {start_node}
         subgraph_nodes = {start_node}
 
@@ -727,6 +736,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             edges = self.graph.out_edges(n, data=True)
 
             for _, dst, data in edges:
+                assert dst is not None
                 if dst not in traversed_nodes:
                     # We see a new node!
                     traversed_nodes.add(dst)
@@ -1687,9 +1697,8 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         for block_id in pending_exits_to_remove:
             l.debug(
-                "Removing all pending exits to %#x since the target function %#x does not return",
+                "Removing all pending exits to %#x since the target function does not return",
                 self._block_id_addr(block_id),
-                next(iter(self._pending_jobs[block_id])).returning_source,
             )
 
             for to_remove in self._pending_jobs[block_id]:

angr/analyses/cfg/cfg_fast.py

@@ -31,13 +31,10 @@ from angr import sim_options as o
 from angr.errors import (
     AngrCFGError,
     AngrSkipJobNotice,
-    AngrUnsupportedSyscallError,
     SimEngineError,
     SimMemoryError,
     SimTranslationError,
     SimValueError,
-    SimOperationError,
-    SimError,
     SimIRSBNoDecodeError,
 )
 from angr.utils.constants import DEFAULT_STATEMENT
@@ -200,7 +197,7 @@ class PendingJobs:
             return self._pop_job(next(reversed(self._jobs.keys())))
 
         # Prioritize returning functions
-        for func_addr in reversed(self._jobs.keys()):
+        for func_addr in reversed(self._jobs):
             if func_addr not in self._returning_functions:
                 continue
             return self._pop_job(func_addr)
@@ -621,6 +618,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         nodecode_window_size=512,
         nodecode_threshold=0.3,
         nodecode_step=16483,
+        check_funcret_max_job=500,
         indirect_calls_always_return: bool | None = None,
         jumptable_resolver_resolves_calls: bool | None = None,
         start=None,  # deprecated
@@ -680,6 +678,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                                         table resolver and must be resolved using their specific resolvers. By default,
                                         we will only disable JumpTableResolver from resolving indirect calls for large
                                         binaries (region > 50 KB).
+        :param check_funcret_max_job    When popping return-site jobs out of the job queue, angr will prioritize jobs
+                                        for which the callee is known to return. This check may be slow when there are
+                                        a large amount of jobs in different caller functions, and this situation often
+                                        occurs in obfuscated binaries where many functions never return. This parameter
+                                        acts as a threshold to disable this check when the number of jobs in the queue
+                                        exceeds this threshold.
         :param int start:               (Deprecated) The beginning address of CFG recovery.
         :param int end:                 (Deprecated) The end address of CFG recovery.
         :param CFGArchOptions arch_options: Architecture-specific options.
@@ -768,6 +772,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self._force_complete_scan = force_complete_scan
         self._use_elf_eh_frame = elf_eh_frame
         self._use_exceptions = exceptions
+        self._check_funcret_max_job = check_funcret_max_job
 
         self._nodecode_window_size = nodecode_window_size
         self._nodecode_threshold = nodecode_threshold
@@ -2576,38 +2581,16 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         jobs: list[CFGJob] = []
 
         if is_syscall:
-            # Fix the target_addr for syscalls
-            tmp_state = self.project.factory.blank_state(
-                mode="fastpath",
-                addr=cfg_node.addr,
-                add_options={o.SYMBOL_FILL_UNCONSTRAINED_MEMORY, o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS},
+            resolved, resolved_targets, ij = self._indirect_jump_encountered(
+                addr, cfg_node, irsb, current_function_addr, stmt_idx
             )
-            # Find the first successor with a syscall jumpkind
-            successors = self._simulate_block_with_resilience(tmp_state)
-            if successors is not None:
-                succ = next(
-                    iter(
-                        succ
-                        for succ in successors.flat_successors
-                        if succ.history.jumpkind and succ.history.jumpkind.startswith("Ijk_Sys")
-                    ),
-                    None,
-                )
-            else:
-                succ = None
-            if succ is None:
-                # For some reason, there is no such successor with a syscall jumpkind
-                target_addr = self._unresolvable_call_target_addr
+            target_addr = None
+            if resolved:
+                if len(resolved_targets) == 1:
+                    (target_addr,) = resolved_targets
             else:
-                try:
-                    syscall_stub = self.project.simos.syscall(succ)
-                    if syscall_stub:  # can be None if simos is not a subclass of SimUserspace
-                        syscall_addr = syscall_stub.addr
-                        target_addr = syscall_addr
-                    else:
-                        target_addr = self._unresolvable_call_target_addr
-                except AngrUnsupportedSyscallError:
-                    target_addr = self._unresolvable_call_target_addr
+                if ij is not None:
+                    self._indirect_jumps_to_resolve.add(ij)
 
         new_function_addr = target_addr.method if isinstance(target_addr, SootAddressDescriptor) else target_addr
 
@@ -2732,30 +2715,6 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         return jobs
 
-    def _simulate_block_with_resilience(self, state):
-        """
-        Execute a basic block with "On Error Resume Next". Give up when there is no way moving forward.
-
-        :param SimState state:  The initial state to start simulation with.
-        :return:                A SimSuccessors instance or None if we are unable to resume execution with resilience.
-        :rtype:                 SimSuccessors or None
-        """
-
-        stmt_idx = 0
-        successors = None  # make PyCharm's linting happy
-
-        while True:
-            try:
-                successors = self.project.factory.successors(state, skip_stmts=stmt_idx)
-                break
-            except SimOperationError as ex:
-                stmt_idx = ex.stmt_idx + 1
-                continue
-            except SimError:
-                return None
-
-        return successors
-
     def _is_branching_to_outside(self, src_addr, target_addr, current_function_addr):
         """
         Determine if a branch is branching to a different function (i.e., branching to outside the current function).
@@ -3236,7 +3195,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if jump.jumpkind == "Ijk_Boring":
             unresolvable_target_addr = self._unresolvable_jump_target_addr
             simprocedure_name = "UnresolvableJumpTarget"
-        elif jump.jumpkind == "Ijk_Call":
+        elif jump.jumpkind == "Ijk_Call" or jump.jumpkind.startswith("Ijk_Sys"):
             unresolvable_target_addr = self._unresolvable_call_target_addr
             simprocedure_name = "UnresolvableCallTarget"
         else:
@@ -3707,7 +3666,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
     def _pop_pending_job(self, returning=True) -> CFGJob | None:
         while self._pending_jobs:
-            job = self._pending_jobs.pop_job(returning=returning)
+            job = self._pending_jobs.pop_job(
+                returning=returning if len(self._pending_jobs) < self._check_funcret_max_job else False
+            )
             if job is not None and job.job_type == CFGJobType.DATAREF_HINTS and self._seg_list.is_occupied(job.addr):
                 # ignore this hint from data refs because the target address has already been analyzed
                 continue

angr/analyses/cfg/indirect_jump_resolvers/__init__.py

@@ -10,6 +10,7 @@ from .arm_elf_fast import ArmElfFastResolver
 from .const_resolver import ConstantResolver
 from .amd64_pe_iat import AMD64PeIatResolver
 from .memload_resolver import MemoryLoadResolver
+from .syscall_resolver import SyscallResolver
 
 
 __all__ = (
@@ -21,6 +22,7 @@ __all__ = (
     "MemoryLoadResolver",
     "MipsElfFastResolver",
     "MipsElfGotResolver",
+    "SyscallResolver",
     "X86ElfPicPltResolver",
     "X86PeIatResolver",
 )

angr/analyses/cfg/indirect_jump_resolvers/constant_value_manager.py

@@ -0,0 +1,107 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING, Any
+import logging
+
+import claripy
+
+from angr.code_location import CodeLocation
+from angr.project import Project
+from angr.analyses.propagator.vex_vars import VEXReg
+from .propagator_utils import PropagatorLoadCallback
+
+if TYPE_CHECKING:
+    from angr import SimState
+    from angr.knowledge_plugins import Function
+
+
+l = logging.getLogger(name=__name__)
+
+
+class ConstantValueManager:
+    """
+    Manages the loading of registers who hold constant values.
+    """
+
+    __slots__ = (
+        "func",
+        "indirect_jump_addr",
+        "kb",
+        "mapping",
+        "project",
+    )
+
+    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
+        self.project = project
+        self.kb = kb
+        self.func = func
+        self.indirect_jump_addr = ij_addr
+
+        self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
+
+    def reg_read_callback(self, state: SimState):
+        if self.mapping is None:
+            self._build_mapping()
+            assert self.mapping is not None
+
+        codeloc = CodeLocation(state.scratch.bbl_addr, state.scratch.stmt_idx, ins_addr=state.scratch.ins_addr)
+        if codeloc in self.mapping:
+            reg_read_offset = state.inspect.reg_read_offset
+            if isinstance(reg_read_offset, claripy.ast.BV) and reg_read_offset.op == "BVV":
+                reg_read_offset = reg_read_offset.args[0]
+            variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
+            if variable in self.mapping[codeloc]:
+                v = self.mapping[codeloc][variable]
+                if isinstance(v, int):
+                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
+                state.inspect.reg_read_expr = v
+
+    def _build_mapping(self):
+        # constant propagation
+        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
+
+        # determine blocks to run FCP on
+
+        # - include at most three levels of superblock successors from the entrypoint
+        self.mapping = {}
+        startpoint = self.func.startpoint
+        if startpoint is None:
+            return
+
+        blocks = set()
+        succ_and_levels = [(startpoint, 0)]
+        while succ_and_levels:
+            new_succs = []
+            for node, level in succ_and_levels:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                if node.addr == self.indirect_jump_addr:
+                    # stop at the indirect jump block
+                    continue
+                for _, succ, data in self.func.graph.out_edges(node, data=True):
+                    new_level = level if data.get("type") == "fake_return" else level + 1
+                    if new_level <= 3:
+                        new_succs.append((succ, new_level))
+            succ_and_levels = new_succs
+
+        # - include at most six levels of predecessors from the indirect jump block
+        ij_block = self.func.get_node(self.indirect_jump_addr)
+        preds = [ij_block]
+        for _ in range(6):
+            new_preds = []
+            for node in preds:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                new_preds += list(self.func.graph.predecessors(node))
+            preds = new_preds
+            if not preds:
+                break
+
+        prop = self.project.analyses.FastConstantPropagation(
+            self.func,
+            blocks=blocks,
+            vex_cross_insn_opt=True,
+            load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
+        )
+        self.mapping = prop.replacements

angr/analyses/cfg/indirect_jump_resolvers/default_resolvers.py

@@ -11,6 +11,7 @@ from . import ConstantResolver
 from . import ArmElfFastResolver
 from . import AMD64PeIatResolver
 from . import MipsElfGotResolver
+from . import SyscallResolver
 
 DEFAULT_RESOLVERS = {
     "X86": {
@@ -58,7 +59,7 @@ DEFAULT_RESOLVERS = {
             ArmElfFastResolver,
         ]
     },
-    "ALL": [MemoryLoadResolver, JumpTableResolver, ConstantResolver],
+    "ALL": [MemoryLoadResolver, JumpTableResolver, ConstantResolver, SyscallResolver],
 }
 
 

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -1,7 +1,7 @@
 # pylint:disable=wrong-import-position,wrong-import-order
 from __future__ import annotations
 import enum
-from typing import TYPE_CHECKING, Any, Literal, cast
+from typing import TYPE_CHECKING, Literal, cast
 from collections.abc import Sequence
 from collections import defaultdict, OrderedDict
 import logging
@@ -16,7 +16,6 @@ from claripy.annotation import UninitializedAnnotation
 from angr import sim_options as o
 from angr import BP, BP_BEFORE, BP_AFTER
 from angr.misc.ux import once
-from angr.code_location import CodeLocation
 from angr.concretization_strategies import SimConcretizationStrategyAny
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.engines.vex.claripy import ccall
@@ -27,13 +26,11 @@ from angr.annocfg import AnnotatedCFG
 from angr.exploration_techniques.slicecutor import Slicecutor
 from angr.exploration_techniques.local_loop_seer import LocalLoopSeer
 from angr.exploration_techniques.explorer import Explorer
-from angr.project import Project
 from angr.utils.constants import DEFAULT_STATEMENT
-from angr.analyses.propagator.vex_vars import VEXReg
 from angr.analyses.propagator.top_checker_mixin import ClaripyDataVEXEngineMixin
 from angr.engines.vex.claripy.datalayer import value
 from .resolver import IndirectJumpResolver
-from .propagator_utils import PropagatorLoadCallback
+from .constant_value_manager import ConstantValueManager
 
 try:
     from angr.engines import pcode
@@ -41,7 +38,6 @@ except ImportError:
     pcode = None
 
 if TYPE_CHECKING:
-    from angr import SimState
     from angr.knowledge_plugins import Function
 
 l = logging.getLogger(name=__name__)
@@ -134,101 +130,6 @@ class JumpTargetBaseAddr:
         return self.base_addr is not None
 
 
-#
-# Constant register resolving support
-#
-
-
-class ConstantValueManager:
-    """
-    Manages the loading of registers who hold constant values.
-    """
-
-    __slots__ = (
-        "func",
-        "indirect_jump_addr",
-        "kb",
-        "mapping",
-        "project",
-    )
-
-    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
-        self.project = project
-        self.kb = kb
-        self.func = func
-        self.indirect_jump_addr = ij_addr
-
-        self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
-
-    def reg_read_callback(self, state: SimState):
-        if self.mapping is None:
-            self._build_mapping()
-            assert self.mapping is not None
-
-        codeloc = CodeLocation(state.scratch.bbl_addr, state.scratch.stmt_idx, ins_addr=state.scratch.ins_addr)
-        if codeloc in self.mapping:
-            reg_read_offset = state.inspect.reg_read_offset
-            if isinstance(reg_read_offset, claripy.ast.BV) and reg_read_offset.op == "BVV":
-                reg_read_offset = reg_read_offset.args[0]
-            variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
-            if variable in self.mapping[codeloc]:
-                v = self.mapping[codeloc][variable]
-                if isinstance(v, int):
-                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
-                state.inspect.reg_read_expr = v
-
-    def _build_mapping(self):
-        # constant propagation
-        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
-
-        # determine blocks to run FCP on
-
-        # - include at most three levels of superblock successors from the entrypoint
-        self.mapping = {}
-        startpoint = self.func.startpoint
-        if startpoint is None:
-            return
-
-        blocks = set()
-        succ_and_levels = [(startpoint, 0)]
-        while succ_and_levels:
-            new_succs = []
-            for node, level in succ_and_levels:
-                if node in blocks:
-                    continue
-                blocks.add(node)
-                if node.addr == self.indirect_jump_addr:
-                    # stop at the indirect jump block
-                    continue
-                for _, succ, data in self.func.graph.out_edges(node, data=True):
-                    new_level = level if data.get("type") == "fake_return" else level + 1
-                    if new_level <= 3:
-                        new_succs.append((succ, new_level))
-            succ_and_levels = new_succs
-
-        # - include at most six levels of predecessors from the indirect jump block
-        ij_block = self.func.get_node(self.indirect_jump_addr)
-        preds = [ij_block]
-        for _ in range(6):
-            new_preds = []
-            for node in preds:
-                if node in blocks:
-                    continue
-                blocks.add(node)
-                new_preds += list(self.func.graph.predecessors(node))
-            preds = new_preds
-            if not preds:
-                break
-
-        prop = self.project.analyses.FastConstantPropagation(
-            self.func,
-            blocks=blocks,
-            vex_cross_insn_opt=True,
-            load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-        )
-        self.mapping = prop.replacements
-
-
 #
 # Jump table pre-check
 #