angr 9.2.145__py3-none-manylinux2014_x86_64.whl → 9.2.147__py3-none-manylinux2014_x86_64.whl

angr/analyses/flirt/flirt_sig.py

@@ -0,0 +1,356 @@
+from __future__ import annotations
+import struct
+import zlib
+from io import BytesIO
+
+from angr.errors import AngrError
+from .consts import FlirtParseFlag, FlirtFeatureFlag, FlirtFunctionFlag
+from .flirt_utils import read_max_2_bytes, read_multiple_bytes
+from .flirt_function import FlirtFunction
+from .flirt_module import FlirtModule
+from .flirt_node import FlirtNode
+
+
+class FlirtSignatureError(AngrError):
+    """
+    Describes errors related to FLIRT signatures, especially parsing.
+    """
+
+
+class FlirtSignature:
+    """
+    This class describes a FLIRT signature without any internal data that is only available after parsing.
+    """
+
+    def __init__(
+        self,
+        arch: str,
+        platform: str,
+        sig_name: str,
+        sig_path: str,
+        unique_strings: set[str] | None = None,
+        compiler: str | None = None,
+        compiler_version: str | None = None,
+        os_name: str | None = None,
+        os_version: str | None = None,
+    ):
+        self.arch = arch
+        self.platform = platform
+        self.sig_name = sig_name
+        self.sig_path = sig_path
+        self.unique_strings = unique_strings
+        self.compiler = compiler
+        self.compiler_version = compiler_version
+        self.os_name = os_name
+        self.os_version = os_version
+
+    def __repr__(self):
+        if self.os_name:
+            if self.os_version:
+                return f"<{self.sig_name}@{self.arch}-{self.os_name}-{self.os_version}>"
+            return f"<{self.sig_name}@{self.arch}-{self.os_name}>"
+        return f"<{self.sig_name}@{self.arch}-{self.platform}>"
+
+
+class FlirtSignatureParsed:
+    """
+    Describes a FLIRT signature file after parsing.
+    """
+
+    __slots__ = (
+        "app_types",
+        "arch",
+        "crc",
+        "ctype",
+        "ctypes_crc",
+        "features",
+        "file_types",
+        "libname",
+        "nfuncs",
+        "os_types",
+        "pattern_size",
+        "root",
+        "version",
+    )
+
+    def __init__(
+        self,
+        version: int,
+        arch: int,
+        file_types: int,
+        os_types: int,
+        app_types: int,
+        features: int,
+        crc: int,
+        ctype: int,
+        ctypes_crc: int,
+        nfuncs: int | None,
+        pattern_size: int | None,
+        libname: str,
+        root: FlirtNode | None,
+    ):
+        self.version = version
+        self.arch = arch
+        self.file_types = file_types
+        self.os_types = os_types
+        self.app_types = app_types
+        self.features = features
+        self.crc = crc
+        self.ctype = ctype
+        self.ctypes_crc = ctypes_crc
+        self.nfuncs = nfuncs
+        self.pattern_size = pattern_size
+        self.libname = libname
+        self.root = root
+
+    def parse_tree(self, file_obj, root: bool = False) -> FlirtNode:
+        """
+        Parse a FLIRT function tree.
+        """
+
+        if not root:
+            length = file_obj.read(1)[0]
+            variant_mask = self.parse_variant_mask(file_obj, length)
+            pattern = self.parse_node(file_obj, length, variant_mask)
+        else:
+            length = 0
+            pattern = []
+
+        node_count = read_multiple_bytes(file_obj)
+        if node_count > 0:
+            # non-leaf; load its child nodes
+            nodes: list[FlirtNode] = [None] * node_count  # type: ignore
+            for i in range(node_count):
+                nn = self.parse_tree(file_obj)
+                nodes[i] = nn
+            return FlirtNode(nodes, [], length, pattern)
+        # leaf
+        modules = self.parse_modules(file_obj)
+        return FlirtNode([], modules, length, pattern)
+
+    def parse_public_function(self, file_obj, offset: int) -> tuple[FlirtFunction, int, int]:
+        off = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+        off += offset
+
+        local = False  # is it a local function?
+        collision = False  # is it an unresolved collision?
+
+        flags = file_obj.read(1)[0]
+        if flags < 0x20:
+            local = bool(flags & FlirtFunctionFlag.FUNCTION_LOCAL)
+            collision = bool(flags & FlirtFunctionFlag.FUNCTION_UNRESOLVED_COLLISION)
+            next_byte = file_obj.read(1)[0]
+        else:
+            next_byte = flags
+
+        name_lst = []
+        name_end = False  # in case the function name is too long...
+        for _ in range(1024):  # max length of a function name
+            if next_byte < 0x20:
+                name_end = True
+                break
+            name_lst.append(next_byte)
+            next_byte = file_obj.read(1)[0]
+
+        name = bytes(name_lst).decode("utf-8")
+        if not name_end:
+            name = name + "..."
+        return FlirtFunction(name, off, local, collision), off, next_byte
+
+    def parse_referenced_functions(self, file_obj) -> list[FlirtFunction]:
+        func_count = file_obj.read(1)[0] if self.version >= 8 else 1
+        lst = []
+        for _ in range(func_count):
+            off = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+            name_len = file_obj.read(1)[0]
+            if name_len == 0:
+                name_len = read_multiple_bytes(file_obj)
+            if name_len > 1024:
+                raise FlirtSignatureError(f"Function name too long: {name_len}")
+            name_bytes = file_obj.read(name_len)
+            if len(name_bytes) < name_len:
+                raise FlirtSignatureError("Unexpected EOF")
+            name = name_bytes.decode("utf-8").rstrip("\x00")
+            lst.append(FlirtFunction(name, off, False, False))
+        return lst
+
+    def parse_tail_bytes(self, file_obj) -> list[tuple[int, int]]:
+        bytes_count = file_obj.read(1)[0] if self.version >= 8 else 1
+        lst = []
+        for _ in range(bytes_count):
+            off = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+            value = file_obj.read(1)[0]
+            lst.append((off, value))
+        return lst
+
+    def parse_modules(self, file_obj) -> list[FlirtModule]:
+        modules = []
+        while True:
+            crc_len = file_obj.read(1)[0]
+            crc = struct.unpack(">H", file_obj.read(2))[0]
+
+            while True:
+                # parse all modules with the same CRC
+                module, flags = self.parse_module(file_obj)
+                module.crc_len = crc_len
+                module.crc = crc
+                modules.append(module)
+                if flags & FlirtParseFlag.PARSE_MORE_MODULES_WITH_SAME_CRC == 0:
+                    break
+
+            # same crc length but different crc
+            if flags & FlirtParseFlag.PARSE_MORE_MODULES == 0:
+                break
+        return modules
+
+    def parse_module(self, file_obj) -> tuple[FlirtModule, int]:
+        length = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+        pub_funcs = []
+        off = 0
+        while True:
+            func, off, flags = self.parse_public_function(file_obj, off)
+            pub_funcs.append(func)
+            if flags & FlirtParseFlag.PARSE_MORE_PUBLIC_NAMES == 0:
+                break
+
+        tail_bytes: list[tuple[int, int]] = []
+        if flags & FlirtParseFlag.PARSE_READ_TAIL_BYTES:
+            tail_bytes = self.parse_tail_bytes(file_obj)
+
+        ref_funcs = []
+        if flags & FlirtParseFlag.PARSE_READ_REFERENCED_FUNCTIONS:
+            ref_funcs = self.parse_referenced_functions(file_obj)
+
+        return (
+            FlirtModule(
+                length,
+                0,  # back-filled in its caller
+                0,  # back-filled in its caller
+                pub_funcs,
+                ref_funcs,
+                tail_bytes,
+            ),
+            flags,
+        )
+
+    @staticmethod
+    def parse_variant_mask(file_obj, length: int) -> int:
+        if length < 0x10:
+            return read_max_2_bytes(file_obj)
+        if length <= 0x20:
+            return read_multiple_bytes(file_obj)
+        if length <= 0x40:
+            return (read_multiple_bytes(file_obj) << 32) | read_multiple_bytes(file_obj)
+        raise FlirtSignatureError(f"Unexpected variant mask length: {length}")
+
+    @staticmethod
+    def is_bit_set_be(mask: int, mask_len: int, bit_offset: int) -> bool:
+        assert mask_len > bit_offset
+        return mask & (1 << (mask_len - bit_offset - 1)) != 0
+
+    @staticmethod
+    def parse_node(file_obj, length: int, variant_mask: int) -> list[int]:
+        pattern = [-1] * length
+        for i in range(length):
+            if not FlirtSignatureParsed.is_bit_set_be(variant_mask, length, i):
+                pattern[i] = file_obj.read(1)[0]
+        return pattern
+
+    @classmethod
+    def parse(cls, file_obj) -> FlirtSignatureParsed:
+        """
+        Parse a FLIRT signature file.
+
+        The following struct definitions come from radare2
+
+        // FLIRT v5+
+        ut8 magic[6];
+        ut8 version;
+        ut8 arch;
+        ut32 file_types;
+        ut16 os_types;
+        ut16 app_types;
+        ut16 features;
+        ut16 old_n_functions;
+        ut16 crc16;
+        ut8 ctype[12];
+        ut8 library_name_len;
+        ut16 ctypes_crc16;
+
+        // FLIRT v6+
+        ut32 nfuncs;
+
+        // FLIRT v8+
+        ut16 pattern_size;
+
+        // FLIRT v10
+        ut16 unknown;
+        """
+
+        struct_str = "<6s B B I H H H H H 12s B H".replace(" ", "")
+        sz = struct.calcsize(struct_str)
+        header_bytes = file_obj.read(sz)
+        if len(header_bytes) != sz:
+            raise FlirtSignatureError
+        unpacked = struct.unpack(struct_str, header_bytes)
+
+        # sanity check
+        if unpacked[0] != b"IDASGN":
+            raise FlirtSignatureError("Unexpected magic bytes")
+
+        version = unpacked[1]
+        if version < 5:
+            raise FlirtSignatureError("Unsupported FLIRT signature version")
+
+        if version >= 6:
+            # nfuncs
+            data = file_obj.read(4)
+            if len(data) != 4:
+                raise FlirtSignatureError("Unexpected EOF")
+            nfuncs = struct.unpack("<I", data)[0]
+        else:
+            nfuncs = None
+        if version >= 8:
+            # pattern_size
+            data = file_obj.read(2)
+            if len(data) != 2:
+                raise FlirtSignatureError("Unexpected EOF")
+            pattern_size = struct.unpack("<H", data)[0]
+        else:
+            pattern_size = None
+
+        if version >= 10:
+            # unknown
+            data = file_obj.read(2)
+            if len(data) != 2:
+                raise FlirtSignatureError("Unexpected EOF")
+
+        libname_len = unpacked[10]
+        libname = file_obj.read(libname_len).decode("utf-8")
+
+        obj = cls(
+            version=version,
+            arch=unpacked[2],
+            file_types=unpacked[3],
+            os_types=unpacked[4],
+            app_types=unpacked[5],
+            features=unpacked[6],
+            crc=unpacked[7],
+            ctype=unpacked[8],
+            ctypes_crc=unpacked[11],
+            nfuncs=nfuncs,
+            pattern_size=pattern_size,
+            libname=libname,
+            root=None,
+        )
+
+        # is it compressed?
+        if obj.features & FlirtFeatureFlag.FEATURE_COMPRESSED:
+            data = file_obj.read()
+            decompressed = BytesIO(zlib.decompress(data))
+            file_obj = decompressed
+
+        root = obj.parse_tree(file_obj, root=True)
+
+        obj.root = root
+        return obj

angr/analyses/flirt/flirt_utils.py

@@ -0,0 +1,31 @@
+# Util functions that are mostly rewrite of the original code in redare2
+from __future__ import annotations
+import struct
+
+
+def read_short(file_obj) -> int:
+    return struct.unpack(">H", file_obj.read(2))[0]
+
+
+def read_word(file_obj) -> int:
+    return struct.unpack(">I", file_obj.read(4))[0]
+
+
+def read_max_2_bytes(file_obj) -> int:
+    b = file_obj.read(1)[0]
+    if b & 0x80 != 0x80:
+        return b
+    return ((b & 0x7F) << 8) + file_obj.read(1)[0]
+
+
+def read_multiple_bytes(file_obj) -> int:
+    b = file_obj.read(1)[0]
+    if b & 0x80 != 0x80:
+        return b
+    if b & 0xC0 != 0xC0:
+        return ((b & 0x7F) << 8) + file_obj.read(1)[0]
+    if b & 0xE0 != 0xE0:
+        b = ((b & 0x3F) << 24) + (file_obj.read(1)[0] << 16)
+        b += read_short(file_obj)
+        return b
+    return read_word(file_obj)

angr/analyses/stack_pointer_tracker.py

@@ -7,6 +7,7 @@ import re
 import logging
 from collections import defaultdict
 
+from archinfo.arch_arm import is_arm_arch
 import pyvex
 
 from angr.analyses import ForwardAnalysis, visitors
@@ -16,6 +17,7 @@ from angr.knowledge_plugins import Function
 from angr.block import BlockNode
 from angr.errors import SimTranslationError
 from angr.calling_conventions import SimStackArg
+
 from .analysis import Analysis
 
 try:
@@ -381,6 +383,10 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
             block_start_addr = func.addr if func is not None else block.addr  # type: ignore
             self._reg_value_at_block_start[block_start_addr] = initial_reg_values
 
+        self._itstate_regoffset = None
+        if is_arm_arch(self.project.arch):
+            self._itstate_regoffset = self.project.arch.registers["itstate"][0]
+
         _l.debug("Running on function %r", self._func)
         self._analyze()
 
@@ -617,18 +623,43 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                         and is_alignment_mask(arg1_expr.val)
                     ):
                         return arg0_expr
+                    # also handle bitwise-and between constants
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(arg0_expr.val & arg1_expr.val)
+                elif expr.op.startswith("Iop_Xor"):
+                    # handle bitwise-xor between constants
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(arg0_expr.val ^ arg1_expr.val)
                 elif expr.op.startswith("Iop_CmpEQ"):
                     arg0_expr = _resolve_expr(arg0)
                     arg1_expr = _resolve_expr(arg1)
                     if isinstance(arg0_expr, (Register, OffsetVal)) and isinstance(arg1_expr, (Register, OffsetVal)):
                         return Eq(arg0_expr, arg1_expr)
+                elif expr.op.startswith("Iop_CmpNE"):
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(1 if arg0_expr.val == arg1_expr.val else 0)
+                elif expr.op.startswith("Iop_Shr"):
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(arg0_expr.val >> arg1_expr.val)
                 raise CouldNotResolveException
             if type(expr) is pyvex.IRExpr.RdTmp and expr.tmp in tmps and tmps[expr.tmp] is not None:
                 return tmps[expr.tmp]
             if type(expr) is pyvex.IRExpr.Const:
                 return Constant(expr.con.value)
             if type(expr) is pyvex.IRExpr.Get:
+                if self._itstate_regoffset is not None and expr.offset == self._itstate_regoffset:
+                    return Constant(0)
                 return state.get(expr.offset)
+            if type(expr) is pyvex.IRExpr.ITE:
+                cond = _resolve_expr(expr.cond)
+                if isinstance(cond, Constant):
+                    return _resolve_expr(expr.iftrue) if cond.val == 1 else _resolve_expr(expr.iffalse)
             if type(expr) is pyvex.IRExpr.Unop:
                 m = IROP_CONVERT_REGEX.match(expr.op)
                 if m is not None:
@@ -646,6 +677,9 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                     if isinstance(v, Eq):
                         return v
                     return TOP
+            elif type(expr) is pyvex.IRExpr.CCall and expr.callee.name == "armg_calculate_condition":
+                # this is a hack for handling ARM THUMB conditional instructions and may not always work...
+                return Constant(0)
             elif self.track_mem and type(expr) is pyvex.IRExpr.Load:
                 return state.load(_resolve_expr(expr.addr))
             raise CouldNotResolveException

angr/analyses/typehoon/lifter.py

@@ -11,8 +11,10 @@ from angr.sim_type import (
     SimTypePointer,
     SimStruct,
     SimTypeArray,
+    SimTypeFloat,
+    SimTypeDouble,
 )
-from .typeconsts import BottomType, Int8, Int16, Int32, Int64, Pointer32, Pointer64, Struct, Array
+from .typeconsts import BottomType, Int8, Int16, Int32, Int64, Pointer32, Pointer64, Struct, Array, Float32, Float64
 
 if TYPE_CHECKING:
     from .typeconsts import TypeConstant
@@ -79,6 +81,12 @@ class TypeLifter:
         elem_type = self.lift(ty.elem_type)
         return Array(elem_type, count=ty.length)
 
+    def _lift_SimTypeFloat(self, ty: SimTypeFloat) -> Float32:  # pylint:disable=unused-argument,no-self-use
+        return Float32()
+
+    def _lift_SimTypeDouble(self, ty: SimTypeDouble) -> Float64:  # pylint:disable=unused-argument,no-self-use
+        return Float64()
+
 
 _mapping = {
     SimTypeChar: TypeLifter._lift_SimTypeChar,
@@ -89,4 +97,6 @@ _mapping = {
     SimTypePointer: TypeLifter._lift_SimTypePointer,
     SimStruct: TypeLifter._lift_SimStruct,
     SimTypeArray: TypeLifter._lift_SimTypeArray,
+    SimTypeFloat: TypeLifter._lift_SimTypeFloat,
+    SimTypeDouble: TypeLifter._lift_SimTypeDouble,
 }

angr/analyses/typehoon/simple_solver.py

@@ -41,6 +41,9 @@ from .typeconsts import (
     Array,
     Function,
     int_type,
+    Float,
+    Float32,
+    Float64,
 )
 from .variance import Variance
 from .dfa import DFAConstraintSolver, EmptyEpsilonNFAError
@@ -60,6 +63,9 @@ PRIMITIVE_TYPES = {
     BottomType(),
     Struct(),
     Array(),
+    Float(),
+    Float32(),
+    Float64(),
 }
 
 Top_ = TopType()
@@ -73,6 +79,9 @@ Pointer64_ = Pointer64()
 Pointer32_ = Pointer32()
 Struct_ = Struct()
 Array_ = Array()
+Float_ = Float()
+Float32_ = Float32()
+Float64_ = Float64()
 
 # lattice for 64-bit binaries
 BASE_LATTICE_64 = networkx.DiGraph()

angr/analyses/typehoon/translator.py

@@ -161,6 +161,12 @@ class TypeTranslator:
         self._has_nonexistent_ref = True
         return SimTypeTempRef(tc.typevar)
 
+    def _translate_Float32(self, tc: typeconsts.Float32) -> sim_type.SimTypeFloat:  # pylint:disable=unused-argument
+        return sim_type.SimTypeFloat().with_arch(self.arch)
+
+    def _translate_Float64(self, tc: typeconsts.Float64) -> sim_type.SimTypeDouble:  # pylint:disable=unused-argument
+        return sim_type.SimTypeDouble().with_arch(self.arch)
+
     #
     # Backpatching
     #
@@ -229,6 +235,12 @@ class TypeTranslator:
             return typeconsts.Pointer64(base)
         raise TypeError(f"Unsupported pointer size {self.arch.bits}")
 
+    def _translate_SimTypeFloat(self, st: sim_type.SimTypeFloat) -> typeconsts.Float32:
+        return typeconsts.Float32()
+
+    def _translate_SimTypeDouble(self, st: sim_type.SimTypeDouble) -> typeconsts.Float64:
+        return typeconsts.Float64()
+
 
 TypeConstHandlers = {
     typeconsts.Pointer64: TypeTranslator._translate_Pointer64,
@@ -243,6 +255,8 @@ TypeConstHandlers = {
     typeconsts.Int256: TypeTranslator._translate_Int256,
     typeconsts.Int512: TypeTranslator._translate_Int512,
     typeconsts.TypeVariableReference: TypeTranslator._translate_TypeVariableReference,
+    typeconsts.Float32: TypeTranslator._translate_Float32,
+    typeconsts.Float64: TypeTranslator._translate_Float64,
 }
 
 
@@ -257,4 +271,6 @@ SimTypeHandlers = {
     sim_type.SimTypeInt512: TypeTranslator._translate_SimTypeInt512,
     sim_type.SimStruct: TypeTranslator._translate_SimStruct,
     sim_type.SimTypeArray: TypeTranslator._translate_SimTypeArray,
+    sim_type.SimTypeFloat: TypeTranslator._translate_SimTypeFloat,
+    sim_type.SimTypeDouble: TypeTranslator._translate_SimTypeDouble,
 }

angr/analyses/typehoon/typeconsts.py

@@ -114,23 +114,23 @@ class Int512(Int):
         return "int512"
 
 
-class FloatBase(TypeConstant):
+class Float(TypeConstant):
     def __repr__(self, memo=None) -> str:
         return "floatbase"
 
 
-class Float(FloatBase):
+class Float32(Float):
     SIZE = 4
 
     def __repr__(self, memo=None):
-        return "float"
+        return "float32"
 
 
-class Double(FloatBase):
+class Float64(Float):
     SIZE = 8
 
     def __repr__(self, memo=None):
-        return "double"
+        return "float64"
 
 
 class Pointer(TypeConstant):
@@ -317,9 +317,9 @@ def int_type(bits: int) -> Int:
     raise TypeError(f"Not a known size of int: {bits}")
 
 
-def float_type(bits: int) -> FloatBase | None:
+def float_type(bits: int) -> Float | None:
     if bits == 32:
-        return Float()
+        return Float32()
     if bits == 64:
-        return Double()
+        return Float64()
     return None

angr/analyses/vfg.py

@@ -1547,7 +1547,7 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                 reg_sp_si = self._create_stack_region(successor_state, successor_addr)
 
                 # Save the new sp register
-                new_reg_sp_expr = reg_sp_si.annotate(claripy.annotation.RegionAnnotation("global", 0, reg_sp_si))
+                new_reg_sp_expr = reg_sp_si.annotate(claripy.annotation.RegionAnnotation("global", 0))
                 successor_state.regs.sp = new_reg_sp_expr
 
             new_job = VFGJob(

angr/block.py

@@ -433,9 +433,9 @@ class Block(Serializable):
 
     @property
     def instructions(self) -> int:
-        if not self._instructions and self._vex is None:
-            # initialize from VEX
-            _ = self.vex
+        if not self._instructions and self._vex is None and self._vex_nostmt is None:
+            # initialize from VEX, but we do not need statements to know instructions
+            _ = self.vex_nostmt
 
         assert self._instructions is not None
         return self._instructions
@@ -446,9 +446,9 @@ class Block(Serializable):
             # hooks and other pseudo-functions
             return []
 
-        if not self._instruction_addrs and self._vex is None:
-            # initialize instruction addrs
-            _ = self.vex
+        if not self._instruction_addrs and self._vex is None and self._vex_nostmt is None:
+            # initialize instruction addrs, but we do not need statements
+            _ = self.vex_nostmt
 
         return self._instruction_addrs
 

angr/engines/vex/heavy/concretizers.py

@@ -160,6 +160,15 @@ def concretize_fscale(state, args):
     return claripy.FPV(arg_x * math.pow(2, arg_y), claripy.FSORT_DOUBLE)
 
 
+def concretize_fsqrt32(state, args):
+    # Concretize floating point square root. Z3 does support square root but unsure if that includes floating point
+    arg_1 = state.solver.eval(args[1])
+    if arg_1 < 0 or math.isnan(arg_1):
+        return claripy.FPV(math.nan, claripy.FSORT_FLOAT)
+
+    return claripy.FPV(math.sqrt(arg_1), claripy.FSORT_FLOAT)
+
+
 def concretize_fsqrt(state, args):
     # Concretize floating point square root. Z3 does support square root but unsure if that includes floating point
     arg_1 = state.solver.eval(args[1])
@@ -365,6 +374,7 @@ concretizers = {
     "Iop_Yl2xF64": concretize_yl2x,
     "Iop_ScaleF64": concretize_fscale,
     "Iop_2xm1F64": concretize_2xm1,
+    "Iop_SqrtF32": concretize_fsqrt32,
     "Iop_SqrtF64": concretize_fsqrt,
     "Iop_CosF64": concretize_trig_cos,
     "Iop_SinF64": concretize_trig_sin,