angr 9.2.143__py3-none-win_amd64.whl → 9.2.145__py3-none-win_amd64.whl

angr/analyses/decompiler/decompiler.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
 from collections.abc import Iterable
-from typing import Optional, Union, Any, TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 
 import networkx
 from cle import SymbolType
@@ -35,9 +35,9 @@ if TYPE_CHECKING:
 
 l = logging.getLogger(name=__name__)
 
-_PEEPHOLE_OPTIMIZATIONS_TYPE = Optional[
-    Iterable[Union[type["PeepholeOptimizationStmtBase"], type["PeepholeOptimizationExprBase"]]]
-]
+_PEEPHOLE_OPTIMIZATIONS_TYPE = (
+    Iterable[type["PeepholeOptimizationStmtBase"] | type["PeepholeOptimizationExprBase"]] | None
+)
 
 
 class Decompiler(Analysis):

angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py

@@ -16,7 +16,7 @@ class BasePointerSaveSimplifier(OptimizationPass):
     """
 
     ARCHES = ["X86", "AMD64", "ARMEL", "ARMHF", "ARMCortexM", "MIPS32", "MIPS64"]
-    PLATFORMS = ["cgc", "linux"]
+    PLATFORMS = None
     STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
     NAME = "Simplify base pointer saving"
     DESCRIPTION = __doc__.strip()

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -443,6 +443,11 @@ class StructuringOptimizationPass(OptimizationPass):
         """
         Wrapper for _analyze() that verifies the graph is structurable before and after the optimization.
         """
+        # replace the normal check in OptimizationPass.analyze()
+        ret, cache = self._check()
+        if not ret:
+            return
+
         if not self._graph_is_structurable(self._graph, initial=True):
             return
 
@@ -450,11 +455,6 @@ class StructuringOptimizationPass(OptimizationPass):
         if self._require_gotos and not self._initial_gotos:
             return
 
-        # replace the normal check in OptimizationPass.analyze()
-        ret, cache = self._check()
-        if not ret:
-            return
-
         # setup for the very first analysis
         self.out_graph = networkx.DiGraph(self._graph)
         if self._max_opt_iters > 1:

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -95,6 +95,7 @@ class ReturnDuplicatorBase:
         minimize_copies_for_regions: bool = True,
         ri: RegionIdentifier | None = None,
         scratch: dict[str, Any] | None = None,
+        max_func_blocks: int = 1500,
     ):
         self._max_calls_in_region = max_calls_in_regions
         self._minimize_copies_for_regions = minimize_copies_for_regions
@@ -105,6 +106,7 @@ class ReturnDuplicatorBase:
         self._func = func
         self._ri: RegionIdentifier | None = ri
         self.vvar_id_start = vvar_id_start
+        self._max_func_blocks = max_func_blocks
 
     def next_node_idx(self) -> int:
         node_idx = self.scratch.get("returndup_node_idx", 0) + 1
@@ -123,6 +125,9 @@ class ReturnDuplicatorBase:
     #
 
     def _check(self):
+        # is this function too large?
+        if len(self._func.block_addrs_set) > self._max_func_blocks:
+            return False, None
         # does this function have end points?
         return bool(self._func.endpoints), None
 

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -110,8 +110,11 @@ class WinStackCanarySimplifier(OptimizationPass):
                     _l.debug("Cannot find the statement calling _security_check_cookie() in the predecessor.")
                     continue
 
-                # TODO: Support x86
-                canary_storing_stmt_idx = self._find_amd64_canary_storing_stmt(pred, store_offset)
+                canary_storing_stmt_idx = (
+                    self._find_amd64_canary_storing_stmt(pred, store_offset)
+                    if self.project.arch.name == "AMD64"
+                    else self._find_x86_canary_storing_stmt(pred, store_offset)
+                )
                 if canary_storing_stmt_idx is None:
                     _l.debug("Cannot find the canary check statement in the predecessor.")
                     continue
@@ -270,6 +273,59 @@ class WinStackCanarySimplifier(OptimizationPass):
                 return idx
         return None
 
+    def _find_x86_canary_storing_stmt(self, block, canary_value_stack_offset):
+        load_stmt_idx = None
+
+        for idx, stmt in enumerate(block.statements):
+            # when we are lucky, we have one instruction
+            if (
+                (
+                    isinstance(stmt, ailment.Stmt.Assignment)
+                    and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                    and stmt.dst.was_reg
+                    and stmt.dst.reg_offset == self.project.arch.registers["eax"][0]
+                )
+                and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                and stmt.src.op == "Xor"
+            ):
+                op0, op1 = stmt.src.operands
+                if (
+                    isinstance(op0, ailment.Expr.Load)
+                    and isinstance(op0.addr, ailment.Expr.StackBaseOffset)
+                    and op0.addr.offset == canary_value_stack_offset
+                ) and isinstance(op1, ailment.Expr.StackBaseOffset):
+                    # found it
+                    return idx
+            # or when we are unlucky, we have two instructions...
+            if (
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.reg_offset == self.project.arch.registers["eax"][0]
+                and isinstance(stmt.src, ailment.Expr.Load)
+                and isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
+                and stmt.src.addr.offset == canary_value_stack_offset
+            ):
+                load_stmt_idx = idx
+            if (
+                load_stmt_idx is not None
+                and idx >= load_stmt_idx + 1
+                and (
+                    isinstance(stmt, ailment.Stmt.Assignment)
+                    and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                    and stmt.dst.was_reg
+                    and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                    and stmt.src.op == "Xor"
+                )
+                and (
+                    isinstance(stmt.src.operands[0], ailment.Expr.VirtualVariable)
+                    and stmt.src.operands[0].was_reg
+                    and stmt.src.operands[0].reg_offset == self.project.arch.registers["eax"][0]
+                    and isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
+                )
+            ):
+                return idx
+        return None
+
     @staticmethod
     def _find_return_addr_storing_stmt(block):
         for idx, stmt in enumerate(block.statements):

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -5,6 +5,7 @@ from .a_mul_const_div_shr_const import AMulConstDivShrConst
 from .a_shl_const_sub_a import AShlConstSubA
 from .a_sub_a_div import ASubADiv
 from .a_sub_a_div_const_mul_const import ASubADivConstMulConst
+from .a_sub_a_shr_const_shr_const import ASubAShrConstShrConst
 from .arm_cmpf import ARMCmpF
 from .bswap import Bswap
 from .coalesce_same_cascading_ifs import CoalesceSameCascadingIfs
@@ -57,6 +58,7 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     AMulConstSubA,
     ASubADiv,
     ASubADivConstMulConst,
+    ASubAShrConstShrConst,
     ARMCmpF,
     Bswap,
     CoalesceSameCascadingIfs,

angr/analyses/decompiler/peephole_optimizations/a_sub_a_shr_const_shr_const.py

@@ -0,0 +1,37 @@
+# pylint:disable=no-self-use,too-many-boolean-expressions
+from __future__ import annotations
+from ailment.expression import BinaryOp, Const
+
+from .base import PeepholeOptimizationExprBase
+
+
+class ASubAShrConstShrConst(PeepholeOptimizationExprBase):
+    """
+    Convert `cdq; sub eax, edx; sar eax, 1` to `eax /= 2`.
+    """
+
+    __slots__ = ()
+
+    NAME = "(a - (a >> 31)) >> N => a / 2 ** N (signed)"
+    expr_classes = (BinaryOp,)
+
+    def optimize(self, expr: BinaryOp, **kwargs):
+        if (
+            expr.op == "Sar"
+            and len(expr.operands) == 2
+            and isinstance(expr.operands[1], Const)
+            and expr.operands[1].is_int
+            and isinstance(expr.operands[0], BinaryOp)
+            and expr.operands[0].op == "Sub"
+        ):
+            a0, a1 = expr.operands[0].operands
+            if (
+                isinstance(a1, BinaryOp)
+                and a1.op == "Sar"
+                and isinstance(a1.operands[1], Const)
+                and a1.operands[1].value == 31
+                and a0.likes(a1.operands[0])
+            ):
+                dividend = 2 ** expr.operands[1].value
+                return BinaryOp(a0.idx, "Div", [a0, Const(None, None, dividend, expr.bits)], True, **expr.tags)
+        return None

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -698,6 +698,8 @@ class SimEngineSSARewriting(
             raise NotImplementedError("Store expressions are not supported in _replace_use_expr.")
         if isinstance(thing, Tmp) and self.rewrite_tmps:
             return self._replace_use_tmp(self.block.addr, self.block.idx, self.stmt_idx, thing)
+        if isinstance(thing, Load):
+            return self._replace_use_load(thing)
         return None
 
     def _replace_use_reg(self, reg_expr: Register) -> VirtualVariable | Expression:

angr/analyses/decompiler/ssailification/ssailification.py

@@ -5,7 +5,15 @@ from collections import defaultdict
 from itertools import count
 from bisect import bisect_left
 
-from ailment.expression import Expression, Register, StackBaseOffset, Tmp, VirtualVariable, VirtualVariableCategory
+from ailment.expression import (
+    Expression,
+    Register,
+    StackBaseOffset,
+    Tmp,
+    VirtualVariable,
+    VirtualVariableCategory,
+    Load,
+)
 from ailment.statement import Statement, Store
 
 from angr.knowledge_plugins.functions import Function
@@ -151,7 +159,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                     reg_bits = def_.size * self.project.arch.byte_width
                     udef_to_defs[("reg", def_.reg_offset, reg_bits)].add(def_)
                     udef_to_blockkeys[("reg", def_.reg_offset, reg_bits)].add((loc.block_addr, loc.block_idx))
-            elif isinstance(def_, Store):
+            elif isinstance(def_, (Store, Load)):
                 if isinstance(def_.addr, StackBaseOffset) and isinstance(def_.addr.offset, int):
                     idx_begin = bisect_left(sorted_stackvar_offs, def_.addr.offset)
                     for i in range(idx_begin, len(sorted_stackvar_offs)):

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 from collections import OrderedDict
 
 from ailment.statement import Call, Store, ConditionalJump
-from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression
+from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression, Load
 
 from angr.engines.light import SimEngineLightAIL
 from angr.project import Project
@@ -133,6 +133,22 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
 
             self.state.live_registers.add(base_offset)
 
+    def _handle_expr_Load(self, expr: Load):
+        self._expr(expr.addr)
+        if (
+            self.stackvars
+            and isinstance(expr.addr, StackBaseOffset)
+            and isinstance(expr.addr.offset, int)
+            and (expr.addr.offset, expr.size) not in self.state.live_stackvars
+        ):
+            # we must create this stack variable on the fly; we did not see its creation before it is first used
+            codeloc = self._codeloc()
+            self.def_to_loc.append((expr, codeloc))
+            if codeloc not in self.loc_to_defs:
+                self.loc_to_defs[codeloc] = OrderedSet()
+            self.loc_to_defs[codeloc].add(expr)
+            self.state.live_stackvars.add((expr.addr.offset, expr.size))
+
     def _handle_expr_Tmp(self, expr: Tmp):
         if self.use_tmps:
             codeloc = self._codeloc()
@@ -251,7 +267,6 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
 
     _handle_expr_VirtualVariable = _handle_Dummy
     _handle_expr_Phi = _handle_Dummy
-    _handle_expr_Load = _handle_Dummy
     _handle_expr_Const = _handle_Dummy
     _handle_expr_MultiStatementExpression = _handle_Dummy
     _handle_expr_StackBaseOffset = _handle_Dummy

angr/analyses/decompiler/structured_codegen/c.py

@@ -3426,8 +3426,13 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             return old_ty
 
         if expr.variable is not None:
-            cvar = self._variable(expr.variable, expr.size)
-            offset = expr.variable_offset or 0
+            if "struct_member_info" in expr.tags:
+                offset, var, _ = expr.struct_member_info
+                cvar = self._variable(var, var.size)
+            else:
+                cvar = self._variable(expr.variable, expr.size)
+                offset = expr.variable_offset or 0
+
             assert type(offset) is int  # I refuse to deal with the alternative
             return self._access_constant_offset(CUnaryOp("Reference", cvar, codegen=self), offset, ty, False, negotiate)
 
@@ -3649,8 +3654,24 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         return CMultiStatementExpression(cstmts, cexpr, tags=expr.tags, codegen=self)
 
     def _handle_VirtualVariable(self, expr: Expr.VirtualVariable, **kwargs):
-        if expr.variable:
-            cvar = self._variable(expr.variable, None, vvar_id=expr.varid)
+        def negotiate(old_ty: SimType, proposed_ty: SimType) -> SimType:
+            # we do not allow returning a struct for a primitive type
+            if old_ty.size == proposed_ty.size and (
+                not isinstance(proposed_ty, SimStruct) or isinstance(old_ty, SimStruct)
+            ):
+                return proposed_ty
+            return old_ty
+
+        if expr.variable is not None:
+            if "struct_member_info" in expr.tags:
+                offset, var, _ = expr.struct_member_info
+                cbasevar = self._variable(var, expr.size)
+                cvar = self._access_constant_offset(
+                    self._get_variable_reference(cbasevar), offset, cbasevar.type, False, negotiate
+                )
+            else:
+                cvar = self._variable(expr.variable, None, vvar_id=expr.varid)
+
             if expr.variable.size != expr.size:
                 l.warning(
                     "VirtualVariable size (%d) and variable size (%d) do not match. Force a type cast.",

angr/analyses/disassembly.py

@@ -4,7 +4,7 @@ import contextlib
 import logging
 from collections import defaultdict
 from collections.abc import Sequence
-from typing import Union, Any
+from typing import Any
 
 import pyvex
 import archinfo
@@ -24,8 +24,8 @@ try:
     from angr.engines import pcode
     import pypcode
 
-    IRSBType = Union[pyvex.IRSB, pcode.lifter.IRSB]
-    IROpObjType = Union[pyvex.stmt.IRStmt, pypcode.PcodeOp]
+    IRSBType = pyvex.IRSB | pcode.lifter.IRSB
+    IROpObjType = pyvex.stmt.IRStmt | pypcode.PcodeOp
 except ImportError:
     pcode = None
     IRSBType = pyvex.IRSB

angr/analyses/fcp/fcp.py

@@ -407,10 +407,7 @@ class FastConstantPropagation(Analysis):
             except (TypeError, ValueError):
                 arg_locs = None
 
-            if None in arg_locs:
-                arg_locs = None
-
-            if arg_locs is not None:
+            if arg_locs is not None and None not in arg_locs:
                 for arg_loc in arg_locs:
                     for loc in arg_loc.get_footprint():
                         if isinstance(loc, SimStackArg):

angr/analyses/s_reaching_definitions/s_reaching_definitions.py

@@ -131,28 +131,27 @@ class SReachingDefinitionsAnalysis(Analysis):
                     stmt if isinstance(stmt, Call) else stmt.src if isinstance(stmt, Assignment) else stmt.ret_exprs[0]
                 )
                 assert isinstance(call, Call)
-                if call.prototype is None:
-                    # without knowing the prototype, we must conservatively add uses to all registers that are
-                    # potentially used here
-                    if call.calling_convention is not None:
-                        cc = call.calling_convention
-                    else:
-                        # just use all registers in the default calling convention because we don't know anything about
-                        # the calling convention yet
-                        cc_cls = default_cc(self.project.arch.name)
-                        assert cc_cls is not None
-                        cc = cc_cls(self.project.arch)
-
-                    codeloc = CodeLocation(block_addr, stmt_idx, block_idx=block_idx, ins_addr=stmt.ins_addr)
-                    arg_locs = list(cc.ARG_REGS)
-                    if cc.FP_ARG_REGS:
-                        arg_locs += [r_name for r_name in cc.FP_ARG_REGS if r_name not in arg_locs]
-
-                    for arg_reg_name in arg_locs:
-                        reg_offset = self.project.arch.registers[arg_reg_name][0]
-                        if reg_offset in reg_to_vvarids:
-                            vvarid = reg_to_vvarids[reg_offset]
-                            self.model.add_vvar_use(vvarid, None, codeloc)
+
+                # conservatively add uses to all registers that are potentially used here
+                if call.calling_convention is not None:
+                    cc = call.calling_convention
+                else:
+                    # just use all registers in the default calling convention because we don't know anything about
+                    # the calling convention yet
+                    cc_cls = default_cc(self.project.arch.name)
+                    assert cc_cls is not None
+                    cc = cc_cls(self.project.arch)
+
+                codeloc = CodeLocation(block_addr, stmt_idx, block_idx=block_idx, ins_addr=stmt.ins_addr)
+                arg_locs = list(cc.ARG_REGS)
+                if cc.FP_ARG_REGS:
+                    arg_locs += [r_name for r_name in cc.FP_ARG_REGS if r_name not in arg_locs]
+
+                for arg_reg_name in arg_locs:
+                    reg_offset = self.project.arch.registers[arg_reg_name][0]
+                    if reg_offset in reg_to_vvarids:
+                        vvarid = reg_to_vvarids[reg_offset]
+                        self.model.add_vvar_use(vvarid, None, codeloc)
 
         if self._track_tmps:
             # track tmps

angr/analyses/stack_pointer_tracker.py

@@ -15,6 +15,7 @@ from angr.analyses import AnalysesHub
 from angr.knowledge_plugins import Function
 from angr.block import BlockNode
 from angr.errors import SimTranslationError
+from angr.calling_conventions import SimStackArg
 from .analysis import Analysis
 
 try:
@@ -554,7 +555,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         if vex_block is not None:
             if isinstance(vex_block, pyvex.IRSB):
                 curr_stmt_start_addr = self._process_vex_irsb(node, vex_block, state)
-            elif pypcode is not None and isinstance(vex_block, pcode.lifter.IRSB):
+            elif pypcode is not None and isinstance(vex_block, pcode.lifter.IRSB):  # type: ignore
                 curr_stmt_start_addr = self._process_pcode_irsb(node, vex_block, state)
             else:
                 raise NotImplementedError(f"Unsupported block type {type(vex_block)}")
@@ -587,7 +588,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                         raise CouldNotResolveException
                     if arg1_expr is BOTTOM:
                         return BOTTOM
-                    return arg0_expr + arg1_expr
+                    return arg0_expr + arg1_expr  # type: ignore
                 if expr.op.startswith("Iop_Sub"):
                     arg0_expr = _resolve_expr(arg0)
                     if arg0_expr is None:
@@ -599,7 +600,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                         raise CouldNotResolveException
                     if arg1_expr is BOTTOM:
                         return BOTTOM
-                    return arg0_expr - arg1_expr
+                    return arg0_expr - arg1_expr  # type: ignore
                 if expr.op.startswith("Iop_And"):
                     # handle stack pointer alignments
                     arg0_expr = _resolve_expr(arg0)
@@ -713,43 +714,78 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                     pass
             # who are we calling?
             callees = [] if self._func is None else self._find_callees(node)
+            sp_adjusted = False
             if callees:
                 if len(callees) == 1:
+
                     callee = callees[0]
-                    track_rax = False
-                    if (
-                        (callee.info.get("is_rust_probestack", False) and self.project.arch.name == "AMD64")
-                        or (callee.info.get("is_alloca_probe", False) and self.project.arch.name == "AMD64")
-                        or callee.name == "__chkstk"
-                    ):
-                        # sp = sp - rax right after returning from the call
-                        track_rax = True
-
-                    if track_rax:
-                        for stmt in reversed(vex_block.statements):
-                            if (
-                                isinstance(stmt, pyvex.IRStmt.Put)
-                                and stmt.offset == self.project.arch.registers["rax"][0]
-                                and isinstance(stmt.data, pyvex.IRExpr.Const)
-                            ):
-                                state.put(stmt.offset, Constant(stmt.data.con.value), force=True)
-                                break
+                    if callee.info.get("is_rust_probestack", False):
+                        # sp = sp - rax/eax right after returning from the call
+                        rust_probe_stack_rax_regname: str | None = None
+                        if self.project.arch.name == "AMD64":
+                            rust_probe_stack_rax_regname = "rax"
+                        elif self.project.arch.name == "X86":
+                            rust_probe_stack_rax_regname = "eax"
+
+                        if rust_probe_stack_rax_regname is not None:
+                            for stmt in reversed(vex_block.statements):
+                                if (
+                                    isinstance(stmt, pyvex.IRStmt.Put)
+                                    and stmt.offset == self.project.arch.registers[rust_probe_stack_rax_regname][0]
+                                    and isinstance(stmt.data, pyvex.IRExpr.Const)
+                                ):
+                                    sp_adjusted = True
+                                    state.put(stmt.offset, Constant(stmt.data.con.value), force=True)
+                                    break
+
+                    if not sp_adjusted and (callee.info.get("is_alloca_probe", False) or callee.name == "__chkstk"):
+                        # sp = sp - rax, but it's adjusted within the callee
+                        chkstk_stack_rax_regname: str | None = None
+                        if self.project.arch.name == "AMD64":
+                            chkstk_stack_rax_regname = "rax"
+                        elif self.project.arch.name == "X86":
+                            chkstk_stack_rax_regname = "eax"
+
+                        if chkstk_stack_rax_regname is not None:
+                            for stmt in reversed(vex_block.statements):
+                                if (
+                                    isinstance(stmt, pyvex.IRStmt.Put)
+                                    and stmt.offset == self.project.arch.registers[chkstk_stack_rax_regname][0]
+                                    and isinstance(stmt.data, pyvex.IRExpr.Const)
+                                    and self.project.arch.sp_offset in state.regs
+                                ):
+                                    sp_adjusted = True
+                                    sp_v = state.regs[self.project.arch.sp_offset]
+                                    sp_v -= Constant(stmt.data.con.value)
+                                    state.put(self.project.arch.sp_offset, sp_v, force=True)
+                                    break
 
                 callee_cleanups = [
                     callee
                     for callee in callees
-                    if callee.calling_convention is not None and callee.calling_convention.CALLEE_CLEANUP
+                    if callee.calling_convention is not None
+                    and callee.calling_convention.CALLEE_CLEANUP
+                    and callee.prototype is not None
                 ]
                 if callee_cleanups:
                     # found callee clean-up cases...
+                    callee = callee_cleanups[0]
+                    assert callee.calling_convention is not None  # just to make pyright happy
                     try:
                         v = state.get(self.project.arch.sp_offset)
                         incremented = None
                         if v is BOTTOM:
                             incremented = BOTTOM
-                        elif callee_cleanups[0].prototype is not None:
-                            num_args = len(callee_cleanups[0].prototype.args)
-                            incremented = v + Constant(self.project.arch.bytes * num_args)
+                        elif callee.prototype is not None:
+                            num_stack_args = len(
+                                [
+                                    arg_loc
+                                    for arg_loc in callee.calling_convention.arg_locs(callee.prototype)
+                                    if isinstance(arg_loc, SimStackArg)
+                                ]
+                            )
+                            if num_stack_args > 0:
+                                incremented = v + Constant(self.project.arch.bytes * num_stack_args)
                         if incremented is not None:
                             state.put(self.project.arch.sp_offset, incremented)
                     except CouldNotResolveException:

angr/analyses/typehoon/dfa.py

@@ -1,21 +1,22 @@
+# pylint:disable=import-outside-toplevel
 from __future__ import annotations
 from typing import TYPE_CHECKING
 
 import networkx
 
 # FIXME: Remove the dependency on pyformlang
-from pyformlang.finite_automaton import Epsilon, EpsilonNFA, State, Symbol
 
 from angr.errors import AngrError
 from .typevars import BaseLabel, Subtype
 from .variance import Variance
 
 if TYPE_CHECKING:
+    from pyformlang.finite_automaton import EpsilonNFA
     from pyformlang.finite_automaton import DeterministicFiniteAutomaton
 
 
-START_STATE = State("START")
-END_STATE = State("END")
+START_STATE = None
+END_STATE = None
 
 
 class EmptyEpsilonNFAError(AngrError):
@@ -31,6 +32,15 @@ class DFAConstraintSolver:
 
     @staticmethod
     def graph_to_epsilon_nfa(graph: networkx.DiGraph, starts: set, ends: set) -> EpsilonNFA:
+        from pyformlang.finite_automaton import Epsilon, EpsilonNFA, State, Symbol  # delayed import
+
+        global START_STATE, END_STATE  # pylint:disable=global-statement
+
+        if START_STATE is None:
+            START_STATE = State("START")
+        if END_STATE is None:
+            END_STATE = State("END")
+
         enfa = EpsilonNFA()
 
         # print("Converting graph to eNFA")