angr 9.2.146__py3-none-manylinux2014_aarch64.whl → 9.2.148__py3-none-manylinux2014_aarch64.whl

angr/calling_conventions.py

@@ -1,9 +1,9 @@
 # pylint:disable=line-too-long,missing-class-docstring,no-self-use
 from __future__ import annotations
 import logging
-from typing import cast
+from typing import Generic, cast, TypeVar
 
-from collections.abc import Iterable, Sequence
+from collections.abc import Iterable
 from collections import defaultdict
 import contextlib
 
@@ -39,6 +39,8 @@ from .state_plugins.sim_action_object import SimActionObject
 l = logging.getLogger(name=__name__)
 l.addFilter(UniqueLogFilter())
 
+T = TypeVar("T", bound="SimFunctionArgument")
+
 
 class PointerWrapper:
     def __init__(self, value, buffer=False):
@@ -386,12 +388,12 @@ class SimStackArg(SimFunctionArgument):
         return SimStackArg(self.stack_offset + offset, size, is_fp)
 
 
-class SimComboArg(SimFunctionArgument):
+class SimComboArg(SimFunctionArgument, Generic[T]):
     """
     An argument which spans multiple storage locations. Locations should be given least-significant first.
     """
 
-    def __init__(self, locations, is_fp=False):
+    def __init__(self, locations: list[T], is_fp=False):
         super().__init__(sum(x.size for x in locations), is_fp=is_fp)
         self.locations = locations
 
@@ -449,6 +451,45 @@ class SimStructArg(SimFunctionArgument):
 
         return others
 
+    def get_single_footprint(self) -> SimStackArg | SimRegArg | SimComboArg:
+        if self.struct._arch is None:
+            raise TypeError("Can't tell the size of a struct without an arch")
+        stack_min = None
+        stack_max = None
+        regs = []
+        for field in self.struct.fields:
+            loc = self.locs[field]
+            if isinstance(loc, SimStackArg):
+                if stack_min is None or stack_max is None:
+                    stack_min = loc.stack_offset
+                    stack_max = loc.stack_offset
+                else:
+                    # sanity check that arguments are laid out in order...
+                    assert loc.stack_offset >= stack_max
+                    stack_max = loc.stack_offset + loc.size
+            elif isinstance(loc, SimRegArg):
+                regs.append(loc)
+            else:
+                assert False, "Why would a struct have layout elements other than stack and reg?"
+
+        # things to consider...
+        # what happens if we return the concat of two registers but there's slack space missing?
+        # an example of this would be big-endian struct { long a; int b; }
+        # do any CCs do this??
+        # for now assume no
+
+        if stack_min is not None:
+            if regs:
+                assert (
+                    False
+                ), "Unknown CC argument passing structure - why are we passing both regs and stack at the same time?"
+            return SimStackArg(stack_min, self.struct.size // self.struct._arch.byte_width)
+        if not regs:
+            assert False, "huh??????"
+        if len(regs) == 1:
+            return regs[0]
+        return SimComboArg(regs)
+
     def get_value(self, state, **kwargs):
         return SimStructValue(
             self.struct, {field: getter.get_value(state, **kwargs) for field, getter in self.locs.items()}
@@ -486,7 +527,7 @@ class SimReferenceArgument(SimFunctionArgument):
                         zero on the stack. It will be passed ``stack_base=ptr_loc.get_value(state)``
     """
 
-    def __init__(self, ptr_loc, main_loc):
+    def __init__(self, ptr_loc: SimFunctionArgument, main_loc: SimFunctionArgument):
         super().__init__(ptr_loc.size)  # ???
         self.ptr_loc = ptr_loc
         self.main_loc = main_loc
@@ -700,6 +741,7 @@ class SimCC:
             )
         if self.return_in_implicit_outparam(ty):
             if perspective_returned:
+                assert self.RETURN_VAL is not None
                 ptr_loc = self.RETURN_VAL
             else:
                 ptr_loc = self.next_arg(self.ArgSession(self), SimTypePointer(SimTypeBottom()))
@@ -713,6 +755,7 @@ class SimCC:
         if self.RETURN_VAL is None or isinstance(ty, SimTypeBottom):
             return None
         if ty.size > self.RETURN_VAL.size * self.arch.byte_width:
+            assert self.OVERFLOW_RETURN_VAL is not None
             return SimComboArg([self.RETURN_VAL, self.OVERFLOW_RETURN_VAL])
         return self.RETURN_VAL.refine(size=ty.size // self.arch.byte_width, arch=self.arch, is_fp=False)
 
@@ -991,7 +1034,8 @@ class SimCC:
                 else:
                     raise TypeError("PointerWrapper(buffer=True) can only be used with a bitvector or a bytestring")
             else:
-                child_type = SimTypeArray(ty.pts_to) if type(arg.value) in (str, bytes, list) else ty.pts_to
+                sub = ty.pts_to if isinstance(ty, SimTypePointer) else ty.refs
+                child_type = SimTypeArray(sub) if isinstance(arg.value, (str, bytes, list)) else sub
                 try:
                     real_value = SimCC._standardize_value(arg.value, child_type, state, alloc)
                 except TypeError as e:  # this is a dangerous catch...
@@ -1003,32 +1047,34 @@ class SimCC:
 
         if isinstance(arg, (str, bytes)):
             # sanitize the argument and request standardization again with SimTypeArray
-            if type(arg) is str:
+            if isinstance(arg, str):
                 arg = arg.encode()
             arg += b"\0"
             if isinstance(ty, SimTypePointer) and isinstance(ty.pts_to, SimTypeChar):
                 pass
-            elif isinstance(ty, SimTypeFixedSizeArray) and isinstance(ty.elem_type, SimTypeChar):
-                if len(arg) > ty.length:
-                    raise TypeError(f"String {arg!r} is too long for {ty}")
-                arg = arg.ljust(ty.length, b"\0")
-            elif isinstance(ty, SimTypeArray) and isinstance(ty.elem_type, SimTypeChar):
+            elif (isinstance(ty, SimTypeFixedSizeArray) and isinstance(ty.elem_type, SimTypeChar)) or (
+                isinstance(ty, SimTypeArray) and isinstance(ty.elem_type, SimTypeChar)
+            ):
                 if ty.length is not None:
                     if len(arg) > ty.length:
                         raise TypeError(f"String {arg!r} is too long for {ty}")
                     arg = arg.ljust(ty.length, b"\0")
             elif isinstance(ty, SimTypeString):
-                if len(arg) > ty.length + 1:
-                    raise TypeError(f"String {arg!r} is too long for {ty}")
-                arg = arg.ljust(ty.length + 1, b"\0")
+                if ty.length is not None:
+                    if len(arg) > ty.length + 1:
+                        raise TypeError(f"String {arg!r} is too long for {ty}")
+                    arg = arg.ljust(ty.length + 1, b"\0")
             else:
                 raise TypeError(f"Type mismatch: Expected {ty}, got char*")
             return SimCC._standardize_value(list(arg), SimTypeArray(SimTypeChar(), len(arg)), state, alloc)
 
         if isinstance(arg, list):
-            if isinstance(ty, (SimTypePointer, SimTypeReference)):
+            if isinstance(ty, SimTypePointer):
                 ref = True
                 subty = ty.pts_to
+            elif isinstance(ty, SimTypeReference):
+                ref = True
+                subty = ty.refs
             elif isinstance(ty, SimTypeArray):
                 ref = True
                 subty = ty.elem_type
@@ -1045,7 +1091,7 @@ class SimCC:
         if isinstance(arg, (tuple, dict, SimStructValue)):
             if not isinstance(ty, SimStruct):
                 raise TypeError(f"Type mismatch: Expected {ty}, got {type(arg)} (i.e. struct)")
-            if type(arg) is not SimStructValue:
+            if not isinstance(arg, SimStructValue):
                 if len(arg) != len(ty.fields):
                     raise TypeError(f"Wrong number of fields in struct, expected {len(ty.fields)} got {len(arg)}")
                 arg = SimStructValue(ty, arg)
@@ -1075,14 +1121,16 @@ class SimCC:
                     raise TypeError(f"Type mismatch: expected {ty}, got {arg.sort}")
                 return arg
             if isinstance(ty, (SimTypeReg, SimTypeNum)):
-                return arg.val_to_bv(ty.size, ty.signed)
+                return arg.val_to_bv(ty.size, ty.signed if isinstance(ty, SimTypeNum) else False)
             raise TypeError(f"Type mismatch: expected {ty}, got {arg.sort}")
 
         if isinstance(arg, claripy.ast.BV):
             if isinstance(ty, (SimTypeReg, SimTypeNum)):
                 if len(arg) != ty.size:
                     if arg.concrete:
-                        return claripy.BVV(arg.concrete_value, ty.size)
+                        size = ty.size
+                        assert size is not None
+                        return claripy.BVV(arg.concrete_value, size)
                     raise TypeError(f"Type mismatch of symbolic data: expected {ty}, got {len(arg)} bits")
                 return arg
             if isinstance(ty, (SimTypeFloat)):
@@ -1101,7 +1149,7 @@ class SimCC:
         return isinstance(other, self.__class__)
 
     @classmethod
-    def _match(cls, arch, args: list, sp_delta):
+    def _match(cls, arch, args: list[SimRegArg | SimStackArg], sp_delta):
         if (
             cls.arches() is not None and ":" not in arch.name and not isinstance(arch, cls.arches())
         ):  # pylint:disable=isinstance-second-argument-not-valid-type
@@ -1139,13 +1187,16 @@ class SimCC:
     @classmethod
     def _guess_arg_count(cls, args, limit: int = 64) -> int:
         # pylint:disable=not-callable
+        assert cls.ARCH is not None
         stack_args = [a for a in args if isinstance(a, SimStackArg)]
-        stack_arg_count = (max(a.stack_offset for a in stack_args) // cls.ARCH().bytes + 1) if stack_args else 0
+        stack_arg_count = (
+            (max(a.stack_offset for a in stack_args) // cls.ARCH(archinfo.Endness.LE).bytes + 1) if stack_args else 0
+        )
         return min(limit, max(len(args), stack_arg_count))
 
     @staticmethod
     def find_cc(
-        arch: archinfo.Arch, args: Sequence[SimFunctionArgument], sp_delta: int, platform: str = "Linux"
+        arch: archinfo.Arch, args: list[SimRegArg | SimStackArg], sp_delta: int, platform: str = "Linux"
     ) -> SimCC | None:
         """
         Pinpoint the best-fit calling convention and return the corresponding SimCC instance, or None if no fit is
@@ -1229,7 +1280,7 @@ class SimCCUsercall(SimCC):
     def next_arg(self, session, arg_type):
         return next(session.real_args)
 
-    def return_val(self, ty, **kwargs):
+    def return_val(self, ty, **kwargs):  # pylint: disable=unused-argument
         return self.ret_loc
 
 

angr/engines/vex/heavy/concretizers.py

@@ -160,6 +160,15 @@ def concretize_fscale(state, args):
     return claripy.FPV(arg_x * math.pow(2, arg_y), claripy.FSORT_DOUBLE)
 
 
+def concretize_fsqrt32(state, args):
+    # Concretize floating point square root. Z3 does support square root but unsure if that includes floating point
+    arg_1 = state.solver.eval(args[1])
+    if arg_1 < 0 or math.isnan(arg_1):
+        return claripy.FPV(math.nan, claripy.FSORT_FLOAT)
+
+    return claripy.FPV(math.sqrt(arg_1), claripy.FSORT_FLOAT)
+
+
 def concretize_fsqrt(state, args):
     # Concretize floating point square root. Z3 does support square root but unsure if that includes floating point
     arg_1 = state.solver.eval(args[1])
@@ -365,6 +374,7 @@ concretizers = {
     "Iop_Yl2xF64": concretize_yl2x,
     "Iop_ScaleF64": concretize_fscale,
     "Iop_2xm1F64": concretize_2xm1,
+    "Iop_SqrtF32": concretize_fsqrt32,
     "Iop_SqrtF64": concretize_fsqrt,
     "Iop_CosF64": concretize_trig_cos,
     "Iop_SinF64": concretize_trig_sin,

angr/exploration_techniques/director.py

@@ -71,7 +71,7 @@ class BaseGoal:
 
         block_id = cfg._generate_block_id(call_stack_suffix, state.addr, is_syscall)
 
-        return cfg.get_node(block_id)
+        return cfg.model.get_node(block_id)
 
     @staticmethod
     def _dfs_edges(graph, source, max_steps=None):

angr/flirt/__init__.py

@@ -6,44 +6,16 @@ import json
 from collections import defaultdict
 import logging
 
-import nampa
+from angr.analyses.flirt import (
+    FlirtSignature,
+    FlirtSignatureParsed,
+    FlirtSignatureError,
+    flirt_arch_to_arch_name,
+    flirt_os_type_to_os_name,
+)
 
-_l = logging.getLogger(__name__)
-
-
-class FlirtSignature:
-    """
-    This class describes a FLIRT signature.
-    """
 
-    def __init__(
-        self,
-        arch: str,
-        platform: str,
-        sig_name: str,
-        sig_path: str,
-        unique_strings: set[str] | None = None,
-        compiler: str | None = None,
-        compiler_version: str | None = None,
-        os_name: str | None = None,
-        os_version: str | None = None,
-    ):
-        self.arch = arch
-        self.platform = platform
-        self.sig_name = sig_name
-        self.sig_path = sig_path
-        self.unique_strings = unique_strings
-        self.compiler = compiler
-        self.compiler_version = compiler_version
-        self.os_name = os_name
-        self.os_version = os_version
-
-    def __repr__(self):
-        if self.os_name:
-            if self.os_version:
-                return f"<{self.sig_name}@{self.arch}-{self.os_name}-{self.os_version}>"
-            return f"<{self.sig_name}@{self.arch}-{self.os_name}>"
-        return f"<{self.sig_name}@{self.arch}-{self.platform}>"
+_l = logging.getLogger(__name__)
 
 
 FS = FlirtSignature
@@ -72,8 +44,8 @@ def load_signatures(path: str) -> None:
                 sig_path = os.path.join(root, filename)
                 try:
                     with open(sig_path, "rb") as f:
-                        flirt_header = nampa.flirt.parse_header(f)
-                except nampa.flirt.FlirtException:
+                        sig_parsed = FlirtSignatureParsed.parse(f)
+                except FlirtSignatureError:
                     _l.warning("Failed to load FLIRT signature file %s.", sig_path)
                     continue
 
@@ -84,8 +56,8 @@ def load_signatures(path: str) -> None:
                     with open(meta_path) as f:
                         meta = json.load(f)
 
-                    arch = meta.get("arch", None)
-                    platform = meta.get("platform", None)
+                    arch = str(meta.get("arch", "Unknown"))
+                    platform = str(meta.get("platform", "UnknownOS"))
                     os_name = meta.get("os", None)
                     os_version = meta.get("os_version", None)
                     compiler = meta.get("compiler", None)
@@ -94,9 +66,8 @@ def load_signatures(path: str) -> None:
 
                 else:
                     # nope... we need to extract information from the signature file
-                    # TODO: Convert them to angr-specific strings
-                    arch = flirt_header.arch
-                    platform = flirt_header.os_types
+                    arch = flirt_arch_to_arch_name(sig_parsed.arch, sig_parsed.app_types)
+                    platform = flirt_os_type_to_os_name(sig_parsed.os_types)
                     os_name = None
                     os_version = None
                     unique_strings = None
@@ -106,7 +77,7 @@ def load_signatures(path: str) -> None:
                 signature = FlirtSignature(
                     arch,
                     platform,
-                    flirt_header.library_name.decode("utf-8"),
+                    sig_parsed.libname,
                     sig_path,
                     unique_strings=unique_strings,
                     compiler=compiler,

angr/knowledge_plugins/functions/function.py

@@ -23,7 +23,6 @@ from angr.procedures import SIM_LIBRARIES
 from angr.procedures.definitions import SimSyscallLibrary
 from angr.protos import function_pb2
 from angr.calling_conventions import DEFAULT_CC, default_cc
-from angr.misc.ux import deprecated
 from angr.sim_type import SimTypeFunction, parse_defns
 from angr.calling_conventions import SimCC
 from angr.project import Project
@@ -92,6 +91,10 @@ class Function(Serializable):
         is_plt: bool | None = None,
         returning=None,
         alignment=False,
+        calling_convention: SimCC | None = None,
+        prototype: SimTypeFunction | None = None,
+        prototype_libname: str | None = None,
+        is_prototype_guessed: bool = True,
     ):
         """
         Function constructor. If the optional parameters are not provided, they will be automatically determined upon
@@ -139,11 +142,11 @@ class Function(Serializable):
         self.retaddr_on_stack = False
         self.sp_delta = 0
         # Calling convention
-        self.calling_convention: SimCC | None = None
+        self.calling_convention = calling_convention
         # Function prototype
-        self.prototype: SimTypeFunction | None = None
-        self.prototype_libname: str | None = None
-        self.is_prototype_guessed: bool = True
+        self.prototype = prototype
+        self.prototype_libname = prototype_libname
+        self.is_prototype_guessed = is_prototype_guessed
         # Whether this function returns or not. `None` means it's not determined yet
         self._returning = None
 
@@ -218,7 +221,7 @@ class Function(Serializable):
             self.is_default_name = False
             self._name = name
         self.previous_names = []
-        self.from_signature = None
+        self.from_signature: str | None = None
 
         # Determine the name the binary where this function is.
         if binary_name is not None:
@@ -239,15 +242,6 @@ class Function(Serializable):
 
         self._init_prototype_and_calling_convention()
 
-    @property
-    @deprecated(".is_alignment")
-    def alignment(self):
-        return self.is_alignment
-
-    @alignment.setter
-    def alignment(self, value):
-        self.is_alignment = value
-
     @property
     def name(self):
         return self._name
@@ -357,7 +351,8 @@ class Function(Serializable):
             # we know the size
             size = self._block_sizes[addr]
 
-        block = self._project.factory.block(addr, size=size, byte_string=byte_string)
+        assert self.project is not None
+        block = self.project.factory.block(addr, size=size, byte_string=byte_string)
         if size is None:
             # update block_size dict
             self._block_sizes[addr] = block.size
@@ -460,18 +455,19 @@ class Function(Serializable):
         """
         constants = set()
 
-        if not self._project.loader.main_object.contains_addr(self.addr):
+        assert self.project is not None
+        if not self.project.loader.main_object.contains_addr(self.addr):
             return constants
 
         # FIXME the old way was better for architectures like mips, but we need the initial irsb
         # reanalyze function with a new initial state (use persistent registers)
         # initial_state = self._function_manager._cfg.get_any_irsb(self.addr).initial_state
-        # fresh_state = self._project.factory.blank_state(mode="fastpath")
+        # fresh_state = self.project.factory.blank_state(mode="fastpath")
         # for reg in initial_state.arch.persistent_regs + ['ip']:
         #     fresh_state.registers.store(reg, initial_state.registers.load(reg))
 
         # reanalyze function with a new initial state
-        fresh_state = self._project.factory.blank_state(mode="fastpath")
+        fresh_state = self.project.factory.blank_state(mode="fastpath")
         fresh_state.regs.ip = self.addr
 
         graph_addrs = {x.addr for x in self.graph.nodes() if isinstance(x, BlockNode)}
@@ -486,10 +482,10 @@ class Function(Serializable):
             if state.solver.eval(state.ip) not in graph_addrs:
                 continue
             # don't trace into simprocedures
-            if self._project.is_hooked(state.solver.eval(state.ip)):
+            if self.project.is_hooked(state.solver.eval(state.ip)):
                 continue
             # don't trace outside of the binary
-            if not self._project.loader.main_object.contains_addr(state.solver.eval(state.ip)):
+            if not self.project.loader.main_object.contains_addr(state.solver.eval(state.ip)):
                 continue
             # don't trace unreachable blocks
             if state.history.jumpkind in {
@@ -506,7 +502,7 @@ class Function(Serializable):
             curr_ip = state.solver.eval(state.ip)
 
             # get runtime values from logs of successors
-            successors = self._project.factory.successors(state)
+            successors = self.project.factory.successors(state)
             for succ in successors.flat_successors + successors.unsat_successors:
                 for a in succ.history.recent_actions:
                     for ao in a.all_objects:
@@ -562,7 +558,7 @@ class Function(Serializable):
             f"  SP difference: {self.sp_delta}\n"
             f"  Has return: {self.has_return}\n"
             f"  Returning: {'Unknown' if self.returning is None else self.returning}\n"
-            f"  Alignment: {self.alignment}\n"
+            f"  Alignment: {self.is_alignment}\n"
             f"  Arguments: reg: {self._argument_registers}, stack: {self._argument_stack_variables}\n"
             f"  Blocks: [{', '.join(f'{i:#x}' for i in self.block_addrs)}]\n"
             f"  Cyclomatic Complexity: {self.cyclomatic_complexity}\n"
@@ -612,7 +608,7 @@ class Function(Serializable):
 
     @property
     def size(self):
-        return sum(b.size for b in self.blocks)
+        return sum(self._block_sizes[addr] for addr in self._local_blocks)
 
     @property
     def binary(self):
@@ -620,8 +616,8 @@ class Function(Serializable):
         Get the object this function belongs to.
         :return: The object this function belongs to.
         """
-
-        return self._project.loader.find_object_containing(self.addr, membership_check=False)
+        assert self.project is not None
+        return self.project.loader.find_object_containing(self.addr, membership_check=False)
 
     @property
     def offset(self) -> int:
@@ -698,10 +694,12 @@ class Function(Serializable):
             project = self.project
             if project.is_hooked(addr):
                 hooker = project.hooked_by(addr)
-                name = hooker.display_name
+                if hooker is not None:
+                    name = hooker.display_name
             elif project.simos.is_syscall_addr(addr):
                 syscall_inst = project.simos.syscall_from_addr(addr)
-                name = syscall_inst.display_name
+                if syscall_inst is not None:
+                    name = syscall_inst.display_name
 
         # generate an IDA-style sub_X name
         if name is None:
@@ -1338,7 +1336,8 @@ class Function(Serializable):
 
     @property
     def callable(self):
-        return self._project.factory.callable(self.addr)
+        assert self.project is not None
+        return self.project.factory.callable(self.addr)
 
     def normalize(self):
         """
@@ -1349,6 +1348,7 @@ class Function(Serializable):
 
         :return: None
         """
+        assert self.project is not None
 
         # let's put a check here
         if self.startpoint is None:
@@ -1377,8 +1377,8 @@ class Function(Serializable):
 
             # Break other nodes
             for n in other_nodes:
-                new_size = get_real_address_if_arm(self._project.arch, smallest_node.addr) - get_real_address_if_arm(
-                    self._project.arch, n.addr
+                new_size = get_real_address_if_arm(self.project.arch, smallest_node.addr) - get_real_address_if_arm(
+                    self.project.arch, n.addr
                 )
                 if new_size == 0:
                     # This is the node that has the same size as the smallest one
@@ -1511,20 +1511,21 @@ class Function(Serializable):
             lib = SIM_LIBRARIES.get(binary_name, None)
             libraries = set()
             if lib is not None:
-                libraries.add(lib)
+                libraries.update(lib)
 
         else:
             # try all libraries or all libraries that match the given library name hint
             libraries = set()
-            for lib_name, lib in SIM_LIBRARIES.items():
+            for lib_name, libs in SIM_LIBRARIES.items():
                 # TODO: Add support for syscall libraries. Note that syscall libraries have different function
                 #  prototypes for .has_prototype() and .get_prototype()...
-                if not isinstance(lib, SimSyscallLibrary):
-                    if binary_name_hint:
-                        if binary_name_hint.lower() in lib_name.lower():
+                for lib in libs:
+                    if not isinstance(lib, SimSyscallLibrary):
+                        if binary_name_hint:
+                            if binary_name_hint.lower() in lib_name.lower():
+                                libraries.add(lib)
+                        else:
                             libraries.add(lib)
-                    else:
-                        libraries.add(lib)
 
         if not libraries:
             return False
@@ -1597,6 +1598,7 @@ class Function(Serializable):
             ::<addr>::<name>   when the function binary is an unnamed non-main object, or when multiple functions with
                                the same name are defined in the function binary.
         """
+        assert self.project is not None
         must_disambiguate_by_addr = self.binary is not self.project.loader.main_object and self.binary_name is None
 
         # If there are multiple functions with the same name in the same object, disambiguate by address
@@ -1615,6 +1617,7 @@ class Function(Serializable):
         return n + (display_name or self.name)
 
     def apply_definition(self, definition: str, calling_convention: SimCC | type[SimCC] | None = None) -> None:
+        assert self.project is not None
         if not definition.endswith(";"):
             definition += ";"
         func_def = parse_defns(definition, arch=self.project.arch)
@@ -1677,7 +1680,7 @@ class Function(Serializable):
         func.calling_convention = self.calling_convention
         func.prototype = self.prototype
         func._returning = self._returning
-        func.alignment = self.is_alignment
+        func.is_alignment = self.is_alignment
         func.startpoint = self.startpoint
         func._addr_to_block_node = self._addr_to_block_node.copy()
         func._block_sizes = self._block_sizes.copy()

angr/knowledge_plugins/functions/function_manager.py

@@ -505,6 +505,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
 
     def rebuild_callgraph(self):
         self.callgraph = networkx.MultiDiGraph()
+        cfg = self._kb.cfgs.get_most_accurate()
         for func_addr in self._function_map:
             self.callgraph.add_node(func_addr)
         for func in self._function_map.values():
@@ -512,6 +513,14 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
                 for node in func.transition_graph.nodes():
                     if isinstance(node, Function):
                         self.callgraph.add_edge(func.addr, node.addr)
+                    else:
+                        cfgnode = cfg.get_any_node(node.addr)
+                        if (
+                            cfgnode is not None
+                            and cfgnode.function_address is not None
+                            and cfgnode.function_address != func.addr
+                        ):
+                            self.callgraph.add_edge(func.addr, cfgnode.function_address)
 
 
 KnowledgeBasePlugin.register_default("functions", FunctionManager)

angr/knowledge_plugins/functions/function_parser.py

@@ -36,6 +36,10 @@ class FunctionParser:
         obj.alignment = function.is_alignment
         obj.binary_name = function.binary_name or ""
         obj.normalized = function.normalized
+        obj.calling_convention = pickle.dumps(function.calling_convention)
+        obj.prototype = pickle.dumps(function.prototype)
+        obj.prototype_libname = (function.prototype_libname or "").encode()
+        obj.is_prototype_guessed = function.is_prototype_guessed
 
         # signature matched?
         if not function.from_signature:
@@ -107,6 +111,10 @@ class FunctionParser:
             returning=cmsg.returning,
             alignment=cmsg.alignment,
             binary_name=None if not cmsg.binary_name else cmsg.binary_name,
+            calling_convention=pickle.loads(cmsg.calling_convention),
+            prototype=pickle.loads(cmsg.prototype),
+            prototype_libname=cmsg.prototype_libname if cmsg.prototype_libname else None,
+            is_prototype_guessed=cmsg.is_prototype_guessed,
         )
         obj._project = project
         obj.normalized = cmsg.normalized
@@ -209,7 +217,7 @@ class FunctionParser:
                     stmt_idx=stmt_idx,
                     is_exception=edge_type == "exception",
                 )
-            elif edge_type == "call":
+            elif edge_type in ("call", "syscall"):
                 # find the corresponding fake_ret edge
                 fake_ret_edge = next(
                     iter(edge_ for edge_ in fake_return_edges[src_addr] if edge_[1].addr == src.addr + src.size), None

angr/knowledge_plugins/functions/soot_function.py

@@ -83,7 +83,7 @@ class SootFunction(Function):
         # Whether this function returns or not. `None` means it's not determined yet
         self._returning = None
 
-        self.alignment = None
+        self.is_alignment = None
 
         # Determine returning status for SimProcedures and Syscalls
         hooker = None

angr/knowledge_plugins/key_definitions/key_definition_manager.py

@@ -51,7 +51,7 @@ class KeyDefinitionManager(KnowledgeBasePlugin):
             if not self._kb.functions.contains_addr(func_addr):
                 return None
             func = self._kb.functions[func_addr]
-            if func.is_simprocedure or func.is_plt or func.alignment:
+            if func.is_simprocedure or func.is_plt or func.is_alignment:
                 return None
             callsites = list(func.get_call_sites())
             if not callsites: