angr 9.2.143__py3-none-manylinux2014_aarch64.whl → 9.2.145__py3-none-manylinux2014_aarch64.whl

angr/analyses/typehoon/typehoon.py

@@ -1,17 +1,18 @@
 # pylint:disable=bad-builtin
 from __future__ import annotations
 from typing import TYPE_CHECKING
+from collections import defaultdict
 
 from angr.sim_type import SimStruct, SimTypePointer, SimTypeArray
 from angr.errors import AngrRuntimeError
 from angr.analyses.analysis import Analysis, AnalysesHub
+from angr.sim_variable import SimVariable, SimStackVariable
 from .simple_solver import SimpleSolver
 from .translator import TypeTranslator
 from .typeconsts import Struct, Pointer, TypeConstant, Array, TopType
 from .typevars import Equivalence, Subtype, TypeVariable
 
 if TYPE_CHECKING:
-    from angr.sim_variable import SimVariable
     from angr.sim_type import SimType
     from .typevars import TypeConstraint
 
@@ -38,6 +39,7 @@ class Typehoon(Analysis):
         var_mapping: dict[SimVariable, set[TypeVariable]] | None = None,
         must_struct: set[TypeVariable] | None = None,
         stackvar_max_sizes: dict[TypeVariable, int] | None = None,
+        stack_offset_tvs: dict[int, TypeVariable] | None = None,
     ):
         """
 
@@ -54,6 +56,7 @@ class Typehoon(Analysis):
         self._var_mapping = var_mapping
         self._must_struct = must_struct
         self._stackvar_max_sizes = stackvar_max_sizes if stackvar_max_sizes is not None else {}
+        self._stack_offset_tvs = stack_offset_tvs if stack_offset_tvs is not None else {}
 
         self.bits = self.project.arch.bits
         self.solution = None
@@ -70,25 +73,55 @@ class Typehoon(Analysis):
     # Public methods
     #
 
-    def update_variable_types(self, func_addr: int | str, var_to_typevars):
+    def update_variable_types(
+        self,
+        func_addr: int | str,
+        var_to_typevars: dict[SimVariable, set[TypeVariable]],
+        stack_offset_tvs: dict[int, TypeVariable] | None = None,
+    ) -> None:
+
+        if not self.simtypes_solution:
+            return
+
         for var, typevars in var_to_typevars.items():
-            for typevar in typevars:
+            # if the variable is a stack variable, does the stack offset have any corresponding type variable?
+            typevars_list = sorted(typevars, key=lambda tv: tv.idx)
+            if stack_offset_tvs and isinstance(var, SimStackVariable) and var.offset in stack_offset_tvs:
+                typevars_list.append(stack_offset_tvs[var.offset])
+
+            type_candidates: list[SimType] = []
+            for typevar in typevars_list:
                 type_ = self.simtypes_solution.get(typevar, None)
-                if type_ is not None:
-                    # print("{} -> {}: {}".format(var, typevar, type_))
-                    # Hack: if a global address is of a pointer type and it is not an array, we unpack the type
-                    if (
-                        func_addr == "global"
-                        and isinstance(type_, SimTypePointer)
-                        and not isinstance(type_.pts_to, SimTypeArray)
-                    ):
-                        type_ = type_.pts_to
-
-                    name = None
-                    if isinstance(type_, SimStruct):
-                        name = type_.name
-
-                    self.kb.variables[func_addr].set_variable_type(var, type_, name=name)
+                # print("{} -> {}: {}".format(var, typevar, type_))
+                # Hack: if a global address is of a pointer type and it is not an array, we unpack the type
+                if (
+                    func_addr == "global"
+                    and isinstance(type_, SimTypePointer)
+                    and not isinstance(type_.pts_to, SimTypeArray)
+                ):
+                    type_ = type_.pts_to
+                type_candidates.append(type_)
+
+            # determine the best type - this logic can be made better!
+            if not type_candidates:
+                continue
+            if len(type_candidates) > 1:
+                types_by_size: dict[int, list[SimType]] = defaultdict(list)
+                for t in type_candidates:
+                    if t.size is not None:
+                        types_by_size[t.size].append(t)
+                if not types_by_size:
+                    # we only have BOT and TOP? damn
+                    the_type = type_candidates[0]
+                else:
+                    max_size = max(types_by_size.keys())
+                    the_type = types_by_size[max_size][0]  # TODO: Sort it
+            else:
+                the_type = type_candidates[0]
+
+            self.kb.variables[func_addr].set_variable_type(
+                var, the_type, name=the_type.name if isinstance(the_type, SimStruct) else None
+            )
 
     def pp_constraints(self) -> None:
         """
@@ -131,6 +164,8 @@ class Typehoon(Analysis):
             sol = self.solution[typevar]
             var_and_typevar = f"{typevar_to_var[typevar]} ({typevar})" if typevar in typevar_to_var else typevar
             print(f"    {var_and_typevar} -> {sol}")
+        for stack_off, tv in self._stack_offset_tvs.items():
+            print(f"    stack_{stack_off:#x} ({tv}) -> {self.solution[tv]}")
         print("### end of solutions ###")
 
     #
@@ -157,6 +192,7 @@ class Typehoon(Analysis):
         if self._var_mapping:
             for variable_typevars in self._var_mapping.values():
                 typevars |= variable_typevars
+            typevars |= set(self._stack_offset_tvs.values())
         else:
             # collect type variables from constraints
             for constraint in self._constraints[self.func_var]:
@@ -175,6 +211,9 @@ class Typehoon(Analysis):
         - structs where every element is of the same type will be converted to an array of that element type.
         """
 
+        if not self.solution:
+            return
+
         for tv in list(self.solution.keys()):
             if self._must_struct and tv in self._must_struct:
                 continue
@@ -223,6 +262,9 @@ class Typehoon(Analysis):
         Translate solutions in type variables to solutions in SimTypes.
         """
 
+        if not self.solution:
+            return
+
         simtypes_solution = {}
         translator = TypeTranslator(arch=self.project.arch)
         needs_backpatch = set()

angr/analyses/typehoon/typevars.py

@@ -397,11 +397,13 @@ class DerivedTypeVariable(TypeVariable):
 class TypeVariables:
     __slots__ = (
         "_last_typevars",
+        "_typevar2var",
         "_typevars",
     )
 
     def __init__(self):
         self._typevars: dict[SimVariable, set[TypeVariable]] = {}
+        self._typevar2var: dict[TypeVariable, SimVariable] = {}
         self._last_typevars: dict[SimVariable, TypeVariable] = {}
 
     def copy(self):
@@ -418,22 +420,24 @@ class TypeVariables:
         # )
         return f"{{TypeVars: {len(self._typevars)} items}}"
 
-    def add_type_variable(self, var: SimVariable, codeloc, typevar: TypeType):  # pylint:disable=unused-argument
+    def add_type_variable(self, var: SimVariable, typevar: TypeVariable, latest: bool = True):
         if var not in self._typevars:
             self._typevars[var] = set()
         elif typevar in self._typevars[var]:
             return
         self._typevars[var].add(typevar)
-        self._last_typevars[var] = typevar
+        if latest:
+            self._last_typevars[var] = typevar
+        self._typevar2var[typevar] = var
 
-    def get_type_variable(self, var, codeloc):  # pylint:disable=unused-argument
+    def get_type_variable(self, var):  # pylint:disable=unused-argument
         return self._last_typevars[var]
 
-    def has_type_variable_for(self, var: SimVariable, codeloc):  # pylint:disable=unused-argument
+    def has_type_variable_for(self, var: SimVariable):  # pylint:disable=unused-argument
         return var in self._typevars
-        # if codeloc not in self._typevars[var]:
-        #     return False
-        # return True
+
+    def typevar_to_variable(self, typevar: TypeVariable) -> SimVariable | None:
+        return self._typevar2var.get(typevar, None)
 
     def __getitem__(self, var):
         return self._last_typevars[var]

angr/analyses/variable_recovery/engine_ail.py

@@ -9,14 +9,13 @@ from unique_log_filter import UniqueLogFilter
 
 from angr.engines.light.engine import SimEngineNostmtAIL
 from angr.procedures import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
-from angr.utils.constants import MAX_POINTSTO_BITS
 from angr.sim_type import SimTypeFunction, dereference_simtype
 from angr.analyses.typehoon import typeconsts, typevars
 from angr.analyses.typehoon.lifter import TypeLifter
 from .engine_base import SimEngineVRBase, RichR
 
 if TYPE_CHECKING:
-    pass
+    from .variable_recovery_fast import VariableRecoveryFastState  # noqa: F401
 
 
 l = logging.getLogger(name=__name__)
@@ -272,6 +271,8 @@ class SimEngineVRAIL(
                 if arg.typevar is not None:
                     arg_type = dereference_simtype(arg_type, type_collections).with_arch(arg_type._arch)
                     arg_ty = TypeLifter(self.arch.bits).lift(arg_type)
+                    if isinstance(arg_ty, typevars.TypeConstraint) and isinstance(arg.typevar, typevars.TypeConstraint):
+                        continue
                     type_constraint = typevars.Subtype(arg.typevar, arg_ty)
                     self.state.add_type_constraint(type_constraint)
 
@@ -399,28 +400,23 @@ class SimEngineVRAIL(
         return RichR(self.state.top(expr.to_bits), typevar=typevar)
 
     def _handle_expr_StackBaseOffset(self, expr: ailment.Expr.StackBaseOffset):
-        ref_typevar = self.state.stack_offset_typevars.get(expr.offset, None)
-
-        if ref_typevar is None:
+        refbase_typevar = self.state.stack_offset_typevars.get(expr.offset, None)
+        if refbase_typevar is None:
             # allocate a new type variable
-            ref_typevar = typevars.TypeVariable()
-            self.state.stack_offset_typevars[expr.offset] = ref_typevar
+            refbase_typevar = typevars.TypeVariable()
+            self.state.stack_offset_typevars[expr.offset] = refbase_typevar
+
+        ref_typevar = typevars.TypeVariable()
+        access_derived_typevar = self._create_access_typevar(ref_typevar, False, None, 0)
+        load_constraint = typevars.Subtype(refbase_typevar, access_derived_typevar)
+        self.state.add_type_constraint(load_constraint)
 
         value_v = self.state.stack_address(expr.offset)
         richr = RichR(value_v, typevar=ref_typevar)
         codeloc = self._codeloc()
-        var_and_offsets = self._ensure_variable_existence(richr, codeloc, src_expr=expr)
+        self._ensure_variable_existence(richr, codeloc, src_expr=expr)
         if self._reference_spoffset:
             self._reference(richr, codeloc, src=expr)
-        for var, off_in_var in var_and_offsets:
-            if self.state.typevars.has_type_variable_for(var, codeloc):
-                var_typevar = self.state.typevars.get_type_variable(var, codeloc)
-                load_typevar = self._create_access_typevar(
-                    ref_typevar, False, MAX_POINTSTO_BITS // 8, 0 if off_in_var is None else off_in_var
-                )
-                type_constraint = typevars.Subtype(var_typevar, load_typevar)
-                self.state.add_type_constraint(type_constraint)
-
         return richr
 
     def _handle_expr_BasePointerOffset(self, expr):

angr/analyses/variable_recovery/engine_base.py

@@ -15,7 +15,7 @@ from angr.sim_variable import SimVariable, SimStackVariable, SimRegisterVariable
 from angr.code_location import CodeLocation
 from angr.analyses.typehoon import typevars, typeconsts
 from angr.analyses.typehoon.typevars import TypeVariable, DerivedTypeVariable, AddN, SubN, Load, Store
-
+from angr.utils.constants import MAX_POINTSTO_BITS
 
 #
 # The base engine used in VariableRecoveryFast
@@ -269,9 +269,9 @@ class SimEngineVRBase(
             return
         variable, _ = existing_vars[0]
 
-        if not self.state.typevars.has_type_variable_for(variable, codeloc):
+        if not self.state.typevars.has_type_variable_for(variable):
             variable_typevar = typevars.TypeVariable()
-            self.state.typevars.add_type_variable(variable, codeloc, variable_typevar)
+            self.state.typevars.add_type_variable(variable, variable_typevar)
         # we do not add any type constraint here because we are not sure if the given memory address will ever be
         # accessed or not
 
@@ -350,13 +350,13 @@ class SimEngineVRBase(
         self.state.variable_manager[self.func_addr].write_to(variable, None, codeloc, atom=dst, overwrite=False)
 
         if richr.typevar is not None:
-            if not self.state.typevars.has_type_variable_for(variable, codeloc):
+            if not self.state.typevars.has_type_variable_for(variable):
                 # assign a new type variable to it
                 typevar = typevars.TypeVariable()
-                self.state.typevars.add_type_variable(variable, codeloc, typevar)
+                self.state.typevars.add_type_variable(variable, typevar)
                 # create constraints
             else:
-                typevar = self.state.typevars.get_type_variable(variable, codeloc)
+                typevar = self.state.typevars.get_type_variable(variable)
             self.state.add_type_constraint(typevars.Subtype(richr.typevar, typevar))
             self.state.add_type_constraint(typevars.Subtype(typevar, typeconsts.int_type(variable.size * 8)))
 
@@ -448,13 +448,13 @@ class SimEngineVRBase(
         self.state.variable_manager[self.func_addr].write_to(variable, None, codeloc, atom=dst, overwrite=False)
 
         if richr.typevar is not None:
-            if not self.state.typevars.has_type_variable_for(variable, codeloc):
+            if not self.state.typevars.has_type_variable_for(variable):
                 # assign a new type variable to it
                 typevar = typevars.TypeVariable()
-                self.state.typevars.add_type_variable(variable, codeloc, typevar)
+                self.state.typevars.add_type_variable(variable, typevar)
                 # create constraints
             else:
-                typevar = self.state.typevars.get_type_variable(variable, codeloc)
+                typevar = self.state.typevars.get_type_variable(variable)
             self.state.add_type_constraint(typevars.Subtype(richr.typevar, typevar))
             # the constraint below is a default constraint that may conflict with more specific ones with different
             # sizes; we post-process at the very end of VRA to remove conflicting default constraints.
@@ -564,11 +564,11 @@ class SimEngineVRBase(
 
             # create type constraints
             if data.typevar is not None:
-                if not self.state.typevars.has_type_variable_for(variable, codeloc):
+                if not self.state.typevars.has_type_variable_for(variable):
                     typevar = typevars.TypeVariable()
-                    self.state.typevars.add_type_variable(variable, codeloc, typevar)
+                    self.state.typevars.add_type_variable(variable, typevar)
                 else:
-                    typevar = self.state.typevars.get_type_variable(variable, codeloc)
+                    typevar = self.state.typevars.get_type_variable(variable)
                 if typevar is not None:
                     self.state.add_type_constraint(typevars.Subtype(data.typevar, typevar))
         # TODO: Create a tv_sp.store.<bits>@N <: typevar type constraint for the stack pointer
@@ -640,11 +640,11 @@ class SimEngineVRBase(
                 variable_manager.write_to(var, var_offset, codeloc, atom=stmt)
 
         # create type constraints
-        if not self.state.typevars.has_type_variable_for(variable, codeloc):
+        if not self.state.typevars.has_type_variable_for(variable):
             typevar = typevars.TypeVariable()
-            self.state.typevars.add_type_variable(variable, codeloc, typevar)
+            self.state.typevars.add_type_variable(variable, typevar)
         else:
-            typevar = self.state.typevars.get_type_variable(variable, codeloc)
+            typevar = self.state.typevars.get_type_variable(variable)
 
         if offset is not None and elem_size is not None:
             # it's an array!
@@ -671,9 +671,6 @@ class SimEngineVRBase(
                 self.state.add_type_constraint(typevars.Subtype(data.typevar, store_typevar))
 
     def _store_to_variable(self, richr_addr: RichR[claripy.ast.BV], data: RichR, size: int):
-        addr_variable = richr_addr.variable
-        codeloc = self._codeloc()
-
         # Storing data into a pointer
         if richr_addr.type_constraints:
             for tc in richr_addr.type_constraints:
@@ -690,8 +687,6 @@ class SimEngineVRBase(
                 field_offset = 0
 
             store_typevar = self._create_access_typevar(base_typevar, True, size, field_offset)
-            if addr_variable is not None:
-                self.state.typevars.add_type_variable(addr_variable, codeloc, typevar)
             data_typevar = data.typevar if data.typevar is not None else typeconsts.TopType()
             self.state.add_type_constraint(typevars.Subtype(store_typevar, data_typevar))
 
@@ -823,11 +818,11 @@ class SimEngineVRBase(
                         self.state.delayed_type_constraints.pop(var)
 
                     # create type constraints
-                    if not self.state.typevars.has_type_variable_for(var, codeloc):
+                    if not self.state.typevars.has_type_variable_for(var):
                         typevar = typevars.TypeVariable()
-                        self.state.typevars.add_type_variable(var, codeloc, typevar)
+                        self.state.typevars.add_type_variable(var, typevar)
                     else:
-                        typevar = self.state.typevars.get_type_variable(var, codeloc)
+                        typevar = self.state.typevars.get_type_variable(var)
 
                 else:
                     typevar = typevars.TypeVariable()
@@ -933,11 +928,11 @@ class SimEngineVRBase(
 
         variable, _ = next(iter(existing_vars))
         # create type constraints
-        if not self.state.typevars.has_type_variable_for(variable, codeloc):
+        if not self.state.typevars.has_type_variable_for(variable):
             typevar = typevars.TypeVariable()
-            self.state.typevars.add_type_variable(variable, codeloc, typevar)
+            self.state.typevars.add_type_variable(variable, typevar)
         else:
-            typevar = self.state.typevars.get_type_variable(variable, codeloc)
+            typevar = self.state.typevars.get_type_variable(variable)
 
         if offset is not None and elem_size is not None:
             # it's an array!
@@ -1024,7 +1019,7 @@ class SimEngineVRBase(
 
                 if var not in self.state.typevars:
                     typevar = typevars.TypeVariable()
-                    self.state.typevars.add_type_variable(var, codeloc, typevar)
+                    self.state.typevars.add_type_variable(var, typevar)
                 else:
                     # FIXME: This is an extremely stupid hack. Fix it later.
                     # | typevar = next(reversed(list(self.state.typevars[var].values())))
@@ -1125,7 +1120,7 @@ class SimEngineVRBase(
 
                 if var not in self.state.typevars:
                     typevar = typevars.TypeVariable()
-                    self.state.typevars.add_type_variable(var, codeloc, typevar)
+                    self.state.typevars.add_type_variable(var, typevar)
                 else:
                     # FIXME: This is an extremely stupid hack. Fix it later.
                     # | typevar = next(reversed(list(self.state.typevars[var].values())))
@@ -1140,7 +1135,7 @@ class SimEngineVRBase(
         self,
         typevar: typeconsts.TypeConstant | TypeVariable | DerivedTypeVariable,
         is_store: bool,
-        size: int,
+        size: int | None,
         offset: int,
     ) -> DerivedTypeVariable:
         if isinstance(typevar, DerivedTypeVariable):
@@ -1157,8 +1152,9 @@ class SimEngineVRBase(
                 else:
                     typevar = DerivedTypeVariable(typevar.type_var, None, labels=typevar.labels[:-1])
         lbl = Store() if is_store else Load()
+        bits = size * self.project.arch.byte_width if size is not None else MAX_POINTSTO_BITS
         return DerivedTypeVariable(
             typevar,
             None,
-            labels=(lbl, typevars.HasField(size * self.project.arch.byte_width, offset)),
+            labels=(lbl, typevars.HasField(bits, offset)),
         )

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -47,6 +47,7 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
         analysis,
         arch,
         func,
+        project,
         stack_region=None,
         register_region=None,
         global_region=None,
@@ -55,7 +56,6 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
         func_typevar=None,
         delayed_type_constraints=None,
         stack_offset_typevars=None,
-        project=None,
         ret_val_size=None,
     ):
         super().__init__(
@@ -63,6 +63,7 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             analysis,
             arch,
             func,
+            project,
             stack_region=stack_region,
             register_region=register_region,
             global_region=global_region,
@@ -71,12 +72,11 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             func_typevar=func_typevar,
             delayed_type_constraints=delayed_type_constraints,
             stack_offset_typevars=stack_offset_typevars,
-            project=project,
         )
         self.ret_val_size = ret_val_size
 
     def __repr__(self):
-        return f"<VRAbstractState@{self.block_addr:#x}: {len(self.register_region)} register variables, {len(self.stack_region)} stack variables>"
+        return f"<VRAbstractState@{self.block_addr:#x}"
 
     def __eq__(self, other):
         if type(other) is not VariableRecoveryFastState:
@@ -96,12 +96,14 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             type_constraints=self.type_constraints,
             func_typevar=self.func_typevar,
             delayed_type_constraints=self.delayed_type_constraints,
-            stack_offset_typevars=dict(self.stack_offset_typevars),
+            stack_offset_typevars=self.stack_offset_typevars,
             project=self.project,
             ret_val_size=self.ret_val_size,
         )
 
-    def merge(self, others: tuple[VariableRecoveryFastState], successor=None) -> tuple[VariableRecoveryFastState, bool]:
+    def merge(
+        self, others: tuple[VariableRecoveryFastState, ...], successor=None
+    ) -> tuple[VariableRecoveryFastState, bool]:
         """
         Merge two abstract states.
 
@@ -135,10 +137,10 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
         # add subtype constraints for all replacements
         for v0, v1 in self.phi_variables.items():
             # v0 will be replaced by v1
-            if not typevars.has_type_variable_for(v1, None):
-                typevars.add_type_variable(v1, None, TypeVariable())
-            if not typevars.has_type_variable_for(v0, None):
-                typevars.add_type_variable(v0, None, TypeVariable())
+            if not typevars.has_type_variable_for(v1):
+                typevars.add_type_variable(v1, TypeVariable())
+            if not typevars.has_type_variable_for(v0):
+                typevars.add_type_variable(v0, TypeVariable())
             # Assuming v2 = phi(v0, v1), then we know that v0_typevar == v1_typevar == v2_typevar
             # However, it's possible that neither v0 nor v1 will ever be used in future blocks, which not only makes
             # this phi function useless, but also leads to the incorrect assumption that v1_typevar == v2_typevar.
@@ -146,7 +148,7 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             # when v1 (the new variable that will end up in the state) is ever used in the future.
 
             # create an equivalence relationship
-            equivalence = Equivalence(typevars.get_type_variable(v1, None), typevars.get_type_variable(v0, None))
+            equivalence = Equivalence(typevars.get_type_variable(v1), typevars.get_type_variable(v0))
             delayed_typeconstraints[v1].add(equivalence)
 
         stack_offset_typevars = {}
@@ -281,6 +283,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self.func_typevar = TypeVariable(name=func.name)
         self.delayed_type_constraints = None
         self.ret_val_size = None
+        self.stack_offset_typevars: dict[int, TypeVariable] = {}
 
         self._analyze()
 
@@ -328,6 +331,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             type_constraints=self.type_constraints,
             func_typevar=self.func_typevar,
             delayed_type_constraints=self.delayed_type_constraints,
+            stack_offset_typevars=self.stack_offset_typevars,
         )
         initial_sp = state.stack_address(self.project.arch.bytes if self.project.arch.call_pushes_ret else 0)
         if self.project.arch.sp_offset is not None:
@@ -439,20 +443,10 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             block = self.project.factory.block(node.addr, node.size, opt_level=1, cross_insn_opt=False)
             block_key = node.addr
 
-        # if node.addr in self._instates:
-        #     prev_state: VariableRecoveryFastState = self._instates[node.addr]
-        #     if input_state == prev_state:
-        #         l.debug('Skip node %#x as we have reached a fixed-point', node.addr)
-        #         return False, input_state
-        #     else:
-        #         l.debug('Merging input state of node %#x with the previous state.', node.addr)
-        #         input_state, _ = prev_state.merge((input_state,), successor=node.addr)
-
         state = state.copy()
         state.block_addr = node.addr
         if isinstance(node, ailment.Block):
             state.block_idx = node.idx
-        # self._instates[node.addr] = state
 
         if self._node_iterations[block_key] >= self._max_iterations:
             l.debug("Skip node %#x as we have iterated %d times on it.", node.addr, self._node_iterations[node.addr])
@@ -491,10 +485,12 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             self.variable_manager[self.function.addr].unify_variables()
 
         # fill in var_to_typevars
+        assert self.typevars is not None
         for var, typevar_set in self.typevars._typevars.items():
             self.var_to_typevars[var] = typevar_set
 
         # unify type variables for global variables
+        assert self.type_constraints is not None
         for var, typevars in self.var_to_typevars.items():
             if len(typevars) > 1 and isinstance(var, SimMemoryVariable) and not isinstance(var, SimStackVariable):
                 sorted_typevars = sorted(typevars, key=lambda x: str(x))  # pylint:disable=unnecessary-lambda
@@ -600,7 +596,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             block = self._peephole_optimize(block)
 
         processor = self._ail_engine if isinstance(block, ailment.Block) else self._vex_engine
-        processor.process(state, block=block, fail_fast=self._fail_fast)
+        processor.process(state, block=block, fail_fast=self._fail_fast)  # type: ignore
 
         if self._track_sp and block.addr in self._node_to_cc:
             # readjusting sp at the end for blocks that end in a call

angr/knowledge_plugins/functions/function.py

@@ -237,21 +237,7 @@ class Function(Serializable):
 
             self._returning = self._get_initial_returning()
 
-        # Determine a calling convention
-        # If it is a SimProcedure it might have a CC already defined which can be used
-        if self.is_simprocedure and self.project is not None and self.addr in self.project._sim_procedures:
-            simproc = self.project._sim_procedures[self.addr]
-            cc = simproc.cc
-            if cc is None:
-                arch = self.project.arch
-                if self.project.arch.name in DEFAULT_CC:
-                    cc = default_cc(
-                        arch.name, platform=self.project.simos.name if self.project.simos is not None else None
-                    )(arch)
-
-            self.calling_convention: SimCC | None = cc
-        else:
-            self.calling_convention: SimCC | None = None
+        self._init_prototype_and_calling_convention()
 
     @property
     @deprecated(".is_alignment")
@@ -768,6 +754,34 @@ class Function(Serializable):
         # Cannot determine
         return None
 
+    def _init_prototype_and_calling_convention(self) -> None:
+        """
+        Initialize prototype and calling convention from a SimProcedure, if available.
+        """
+        hooker = None
+        if self.is_syscall and self.project is not None and self.project.simos.is_syscall_addr(self.addr):
+            hooker = self.project.simos.syscall_from_addr(self.addr)
+        elif self.is_simprocedure and self.project is not None:
+            hooker = self.project.hooked_by(self.addr)
+        if hooker is None or hooker.guessed_prototype:
+            return
+
+        if hooker.prototype:
+            self.prototype_libname = hooker.library_name
+            self.prototype = hooker.prototype
+            self.is_prototype_guessed = False
+
+        cc = hooker.cc
+        if cc is None and self.project is not None:
+            arch = self.project.arch
+            if arch.name in DEFAULT_CC:
+                cc_cls = default_cc(
+                    arch.name, platform=self.project.simos.name if self.project.simos is not None else None
+                )
+                if cc_cls is not None:
+                    cc = cc_cls(arch)
+        self.calling_convention = cc
+
     def _clear_transition_graph(self):
         self._block_sizes = {}
         self._addr_to_block_node = {}

angr/knowledge_plugins/key_definitions/constants.py

@@ -1,5 +1,5 @@
 from __future__ import annotations
-from typing import Literal, Union
+from typing import Literal
 import enum
 
 DEBUG = False
@@ -25,5 +25,5 @@ OP_BEFORE = ObservationPointType.OP_BEFORE
 OP_AFTER = ObservationPointType.OP_AFTER
 
 ObservationPoint = tuple[
-    Literal["insn", "node", "stmt", "exit"], Union[int, tuple[int, int], tuple[int, int, int]], ObservationPointType
+    Literal["insn", "node", "stmt", "exit"], int | tuple[int, int] | tuple[int, int, int], ObservationPointType
 ]

angr/knowledge_plugins/key_definitions/liveness.py

@@ -1,5 +1,5 @@
 from __future__ import annotations
-from typing import Optional, TYPE_CHECKING
+from typing import TYPE_CHECKING
 
 from collections import defaultdict
 from itertools import chain
@@ -14,11 +14,11 @@ if TYPE_CHECKING:
     from angr.code_location import CodeLocation
 
 
-LocationType = tuple[int, Optional[int], Optional[int]]  # block addr, block ID, stmt ID
+LocationType = tuple[int, int | None, int | None]  # block addr, block ID, stmt ID
 LocationWithPosType = tuple[
-    int, Optional[int], Optional[int], ObservationPointType
+    int, int | None, int | None, ObservationPointType
 ]  # block addr, block ID, stmt ID, before/after
-BlockAddrType = tuple[int, Optional[int]]  # block addr, block ID
+BlockAddrType = tuple[int, int | None]  # block addr, block ID
 
 
 class Liveness: