angr 9.2.147__py3-none-manylinux2014_x86_64.whl → 9.2.149__py3-none-manylinux2014_x86_64.whl

angr/knowledge_plugins/functions/function.py

@@ -23,10 +23,10 @@ from angr.procedures import SIM_LIBRARIES
 from angr.procedures.definitions import SimSyscallLibrary
 from angr.protos import function_pb2
 from angr.calling_conventions import DEFAULT_CC, default_cc
-from angr.misc.ux import deprecated
 from angr.sim_type import SimTypeFunction, parse_defns
 from angr.calling_conventions import SimCC
 from angr.project import Project
+from angr.utils.library import get_cpp_function_name
 from .function_parser import FunctionParser
 
 l = logging.getLogger(name=__name__)
@@ -92,6 +92,10 @@ class Function(Serializable):
         is_plt: bool | None = None,
         returning=None,
         alignment=False,
+        calling_convention: SimCC | None = None,
+        prototype: SimTypeFunction | None = None,
+        prototype_libname: str | None = None,
+        is_prototype_guessed: bool = True,
     ):
         """
         Function constructor. If the optional parameters are not provided, they will be automatically determined upon
@@ -139,11 +143,11 @@ class Function(Serializable):
         self.retaddr_on_stack = False
         self.sp_delta = 0
         # Calling convention
-        self.calling_convention: SimCC | None = None
+        self.calling_convention = calling_convention
         # Function prototype
-        self.prototype: SimTypeFunction | None = None
-        self.prototype_libname: str | None = None
-        self.is_prototype_guessed: bool = True
+        self.prototype = prototype
+        self.prototype_libname = prototype_libname
+        self.is_prototype_guessed = is_prototype_guessed
         # Whether this function returns or not. `None` means it's not determined yet
         self._returning = None
 
@@ -239,15 +243,6 @@ class Function(Serializable):
 
         self._init_prototype_and_calling_convention()
 
-    @property
-    @deprecated(".is_alignment")
-    def alignment(self):
-        return self.is_alignment
-
-    @alignment.setter
-    def alignment(self, value):
-        self.is_alignment = value
-
     @property
     def name(self):
         return self._name
@@ -357,7 +352,8 @@ class Function(Serializable):
             # we know the size
             size = self._block_sizes[addr]
 
-        block = self._project.factory.block(addr, size=size, byte_string=byte_string)
+        assert self.project is not None
+        block = self.project.factory.block(addr, size=size, byte_string=byte_string)
         if size is None:
             # update block_size dict
             self._block_sizes[addr] = block.size
@@ -460,18 +456,19 @@ class Function(Serializable):
         """
         constants = set()
 
-        if not self._project.loader.main_object.contains_addr(self.addr):
+        assert self.project is not None
+        if not self.project.loader.main_object.contains_addr(self.addr):
             return constants
 
         # FIXME the old way was better for architectures like mips, but we need the initial irsb
         # reanalyze function with a new initial state (use persistent registers)
         # initial_state = self._function_manager._cfg.get_any_irsb(self.addr).initial_state
-        # fresh_state = self._project.factory.blank_state(mode="fastpath")
+        # fresh_state = self.project.factory.blank_state(mode="fastpath")
         # for reg in initial_state.arch.persistent_regs + ['ip']:
         #     fresh_state.registers.store(reg, initial_state.registers.load(reg))
 
         # reanalyze function with a new initial state
-        fresh_state = self._project.factory.blank_state(mode="fastpath")
+        fresh_state = self.project.factory.blank_state(mode="fastpath")
         fresh_state.regs.ip = self.addr
 
         graph_addrs = {x.addr for x in self.graph.nodes() if isinstance(x, BlockNode)}
@@ -486,10 +483,10 @@ class Function(Serializable):
             if state.solver.eval(state.ip) not in graph_addrs:
                 continue
             # don't trace into simprocedures
-            if self._project.is_hooked(state.solver.eval(state.ip)):
+            if self.project.is_hooked(state.solver.eval(state.ip)):
                 continue
             # don't trace outside of the binary
-            if not self._project.loader.main_object.contains_addr(state.solver.eval(state.ip)):
+            if not self.project.loader.main_object.contains_addr(state.solver.eval(state.ip)):
                 continue
             # don't trace unreachable blocks
             if state.history.jumpkind in {
@@ -506,7 +503,7 @@ class Function(Serializable):
             curr_ip = state.solver.eval(state.ip)
 
             # get runtime values from logs of successors
-            successors = self._project.factory.successors(state)
+            successors = self.project.factory.successors(state)
             for succ in successors.flat_successors + successors.unsat_successors:
                 for a in succ.history.recent_actions:
                     for ao in a.all_objects:
@@ -562,7 +559,7 @@ class Function(Serializable):
             f"  SP difference: {self.sp_delta}\n"
             f"  Has return: {self.has_return}\n"
             f"  Returning: {'Unknown' if self.returning is None else self.returning}\n"
-            f"  Alignment: {self.alignment}\n"
+            f"  Alignment: {self.is_alignment}\n"
             f"  Arguments: reg: {self._argument_registers}, stack: {self._argument_stack_variables}\n"
             f"  Blocks: [{', '.join(f'{i:#x}' for i in self.block_addrs)}]\n"
             f"  Cyclomatic Complexity: {self.cyclomatic_complexity}\n"
@@ -612,7 +609,7 @@ class Function(Serializable):
 
     @property
     def size(self):
-        return sum(self._block_sizes.values())
+        return sum(self._block_sizes[addr] for addr in self._local_blocks)
 
     @property
     def binary(self):
@@ -620,8 +617,8 @@ class Function(Serializable):
         Get the object this function belongs to.
         :return: The object this function belongs to.
         """
-
-        return self._project.loader.find_object_containing(self.addr, membership_check=False)
+        assert self.project is not None
+        return self.project.loader.find_object_containing(self.addr, membership_check=False)
 
     @property
     def offset(self) -> int:
@@ -698,10 +695,12 @@ class Function(Serializable):
             project = self.project
             if project.is_hooked(addr):
                 hooker = project.hooked_by(addr)
-                name = hooker.display_name
+                if hooker is not None:
+                    name = hooker.display_name
             elif project.simos.is_syscall_addr(addr):
                 syscall_inst = project.simos.syscall_from_addr(addr)
-                name = syscall_inst.display_name
+                if syscall_inst is not None:
+                    name = syscall_inst.display_name
 
         # generate an IDA-style sub_X name
         if name is None:
@@ -1338,7 +1337,8 @@ class Function(Serializable):
 
     @property
     def callable(self):
-        return self._project.factory.callable(self.addr)
+        assert self.project is not None
+        return self.project.factory.callable(self.addr)
 
     def normalize(self):
         """
@@ -1349,6 +1349,7 @@ class Function(Serializable):
 
         :return: None
         """
+        assert self.project is not None
 
         # let's put a check here
         if self.startpoint is None:
@@ -1377,8 +1378,8 @@ class Function(Serializable):
 
             # Break other nodes
             for n in other_nodes:
-                new_size = get_real_address_if_arm(self._project.arch, smallest_node.addr) - get_real_address_if_arm(
-                    self._project.arch, n.addr
+                new_size = get_real_address_if_arm(self.project.arch, smallest_node.addr) - get_real_address_if_arm(
+                    self.project.arch, n.addr
                 )
                 if new_size == 0:
                     # This is the node that has the same size as the smallest one
@@ -1511,20 +1512,21 @@ class Function(Serializable):
             lib = SIM_LIBRARIES.get(binary_name, None)
             libraries = set()
             if lib is not None:
-                libraries.add(lib)
+                libraries.update(lib)
 
         else:
             # try all libraries or all libraries that match the given library name hint
             libraries = set()
-            for lib_name, lib in SIM_LIBRARIES.items():
+            for lib_name, libs in SIM_LIBRARIES.items():
                 # TODO: Add support for syscall libraries. Note that syscall libraries have different function
                 #  prototypes for .has_prototype() and .get_prototype()...
-                if not isinstance(lib, SimSyscallLibrary):
-                    if binary_name_hint:
-                        if binary_name_hint.lower() in lib_name.lower():
+                for lib in libs:
+                    if not isinstance(lib, SimSyscallLibrary):
+                        if binary_name_hint:
+                            if binary_name_hint.lower() in lib_name.lower():
+                                libraries.add(lib)
+                        else:
                             libraries.add(lib)
-                    else:
-                        libraries.add(lib)
 
         if not libraries:
             return False
@@ -1581,11 +1583,78 @@ class Function(Serializable):
         # int, long
         return addr
 
+    def is_rust_function(self):
+        ast = pydemumble.demangle(self.name)
+        if ast:
+            nodes = ast.split("::")
+            if len(nodes) >= 2:
+                last_node = nodes[-1]
+                return (
+                    len(last_node) == 17
+                    and last_node.startswith("h")
+                    and all(c in "0123456789abcdef" for c in last_node[1:])
+                )
+        return False
+
+    @staticmethod
+    def _rust_fmt_node(node):
+        result = []
+        rest = node
+        if rest.startswith("_$"):
+            rest = rest[1:]
+        while True:
+            if rest.startswith("."):
+                if len(rest) > 1 and rest[1] == ".":
+                    result.append("::")
+                    rest = rest[2:]
+                else:
+                    result.append(".")
+                    rest = rest[1:]
+            elif rest.startswith("$"):
+                if "$" in rest[1:]:
+                    escape, rest = rest[1:].split("$", 1)
+                else:
+                    break
+
+                unescaped = {"SP": "@", "BP": "*", "RF": "&", "LT": "<", "GT": ">", "LP": "(", "RP": ")", "C": ","}.get(
+                    escape
+                )
+
+                if unescaped is None and escape.startswith("u"):
+                    digits = escape[1:]
+                    if all(c in "0123456789abcdef" for c in digits):
+                        c = chr(int(digits, 16))
+                        if ord(c) >= 32 and ord(c) != 127:
+                            result.append(c)
+                            continue
+                if unescaped:
+                    result.append(unescaped)
+                else:
+                    break
+            else:
+                idx = min((rest.find(c) for c in "$." if c in rest), default=len(rest))
+                result.append(rest[:idx])
+                rest = rest[idx:]
+                if not rest:
+                    break
+        return "".join(result)
+
     @property
     def demangled_name(self):
         ast = pydemumble.demangle(self.name)
+        if self.is_rust_function():
+            nodes = ast.split("::")[:-1]
+            ast = "::".join([Function._rust_fmt_node(node) for node in nodes])
         return ast if ast else self.name
 
+    @property
+    def short_name(self):
+        if self.is_rust_function():
+            ast = pydemumble.demangle(self.name)
+            return Function._rust_fmt_node(ast.split("::")[-2])
+        func_name = get_cpp_function_name(self.demangled_name, specialized=False, qualified=True)
+        return func_name.split("::")[-1]
+
     def get_unambiguous_name(self, display_name: str | None = None) -> str:
         """
         Get a disambiguated function name.
@@ -1597,6 +1666,7 @@ class Function(Serializable):
             ::<addr>::<name>   when the function binary is an unnamed non-main object, or when multiple functions with
                                the same name are defined in the function binary.
         """
+        assert self.project is not None
         must_disambiguate_by_addr = self.binary is not self.project.loader.main_object and self.binary_name is None
 
         # If there are multiple functions with the same name in the same object, disambiguate by address
@@ -1615,6 +1685,7 @@ class Function(Serializable):
         return n + (display_name or self.name)
 
     def apply_definition(self, definition: str, calling_convention: SimCC | type[SimCC] | None = None) -> None:
+        assert self.project is not None
         if not definition.endswith(";"):
             definition += ";"
         func_def = parse_defns(definition, arch=self.project.arch)
@@ -1677,7 +1748,7 @@ class Function(Serializable):
         func.calling_convention = self.calling_convention
         func.prototype = self.prototype
         func._returning = self._returning
-        func.alignment = self.is_alignment
+        func.is_alignment = self.is_alignment
         func.startpoint = self.startpoint
         func._addr_to_block_node = self._addr_to_block_node.copy()
         func._block_sizes = self._block_sizes.copy()

angr/knowledge_plugins/functions/function_manager.py

@@ -505,6 +505,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
 
     def rebuild_callgraph(self):
         self.callgraph = networkx.MultiDiGraph()
+        cfg = self._kb.cfgs.get_most_accurate()
         for func_addr in self._function_map:
             self.callgraph.add_node(func_addr)
         for func in self._function_map.values():
@@ -512,6 +513,14 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
                 for node in func.transition_graph.nodes():
                     if isinstance(node, Function):
                         self.callgraph.add_edge(func.addr, node.addr)
+                    else:
+                        cfgnode = cfg.get_any_node(node.addr)
+                        if (
+                            cfgnode is not None
+                            and cfgnode.function_address is not None
+                            and cfgnode.function_address != func.addr
+                        ):
+                            self.callgraph.add_edge(func.addr, cfgnode.function_address)
 
 
 KnowledgeBasePlugin.register_default("functions", FunctionManager)

angr/knowledge_plugins/functions/function_parser.py

@@ -36,6 +36,10 @@ class FunctionParser:
         obj.alignment = function.is_alignment
         obj.binary_name = function.binary_name or ""
         obj.normalized = function.normalized
+        obj.calling_convention = pickle.dumps(function.calling_convention)
+        obj.prototype = pickle.dumps(function.prototype)
+        obj.prototype_libname = (function.prototype_libname or "").encode()
+        obj.is_prototype_guessed = function.is_prototype_guessed
 
         # signature matched?
         if not function.from_signature:
@@ -107,6 +111,10 @@ class FunctionParser:
             returning=cmsg.returning,
             alignment=cmsg.alignment,
             binary_name=None if not cmsg.binary_name else cmsg.binary_name,
+            calling_convention=pickle.loads(cmsg.calling_convention),
+            prototype=pickle.loads(cmsg.prototype),
+            prototype_libname=cmsg.prototype_libname if cmsg.prototype_libname else None,
+            is_prototype_guessed=cmsg.is_prototype_guessed,
         )
         obj._project = project
         obj.normalized = cmsg.normalized
@@ -209,7 +217,7 @@ class FunctionParser:
                     stmt_idx=stmt_idx,
                     is_exception=edge_type == "exception",
                 )
-            elif edge_type == "call":
+            elif edge_type in ("call", "syscall"):
                 # find the corresponding fake_ret edge
                 fake_ret_edge = next(
                     iter(edge_ for edge_ in fake_return_edges[src_addr] if edge_[1].addr == src.addr + src.size), None

angr/knowledge_plugins/functions/soot_function.py

@@ -83,7 +83,7 @@ class SootFunction(Function):
         # Whether this function returns or not. `None` means it's not determined yet
         self._returning = None
 
-        self.alignment = None
+        self.is_alignment = None
 
         # Determine returning status for SimProcedures and Syscalls
         hooker = None

angr/knowledge_plugins/key_definitions/key_definition_manager.py

@@ -51,7 +51,7 @@ class KeyDefinitionManager(KnowledgeBasePlugin):
             if not self._kb.functions.contains_addr(func_addr):
                 return None
             func = self._kb.functions[func_addr]
-            if func.is_simprocedure or func.is_plt or func.alignment:
+            if func.is_simprocedure or func.is_plt or func.is_alignment:
                 return None
             callsites = list(func.get_call_sites())
             if not callsites:

angr/knowledge_plugins/propagations/states.py

@@ -527,12 +527,14 @@ class Equivalence:
         "atom0",
         "atom1",
         "codeloc",
+        "is_weakassignment",
     )
 
-    def __init__(self, codeloc, atom0, atom1):
+    def __init__(self, codeloc, atom0, atom1, is_weakassignment: bool = False):
         self.codeloc = codeloc
         self.atom0 = atom0
         self.atom1 = atom1
+        self.is_weakassignment = is_weakassignment
 
     def __repr__(self):
         return f"<Eq@{self.codeloc!r}: {self.atom0!r}=={self.atom1!r}>"
@@ -543,7 +545,8 @@ class Equivalence:
             and other.codeloc == self.codeloc
             and other.atom0 == self.atom0
             and other.atom1 == self.atom1
+            and other.is_weakassignment == self.is_weakassignment
         )
 
     def __hash__(self):
-        return hash((Equivalence, self.codeloc, self.atom0, self.atom1))
+        return hash((Equivalence, self.codeloc, self.atom0, self.atom1, self.is_weakassignment))

angr/knowledge_plugins/variables/variable_manager.py

@@ -934,7 +934,7 @@ class VariableManagerInternal(Serializable):
 
         for var in chain(sorted_stack_variables, sorted_reg_variables, phi_only_vars):
             idx = next(var_ctr)
-            if var.name is not None and not reset:
+            if var.name is not None and var.name != var.ident and not reset:
                 continue
             if isinstance(var, (SimStackVariable, SimRegisterVariable)):
                 var.name = f"v{idx}"
@@ -946,7 +946,7 @@ class VariableManagerInternal(Serializable):
         arg_vars = sorted(arg_vars, key=lambda v: _id_from_varident(v.ident))
         for var in arg_vars:
             idx = next(arg_ctr)
-            if var.name is not None and not reset:
+            if var.name is not None and var.name != var.ident and not reset:
                 continue
             var.name = arg_names[idx] if arg_names else f"a{idx}"
             var._hash = None
@@ -1040,7 +1040,7 @@ class VariableManagerInternal(Serializable):
         reg_vars: set[SimRegisterVariable] = set()
 
         # unify stack variables based on their locations
-        for v in self.get_variables():
+        for v in self.get_variables() + list(self._phi_variables):
             if v in self._variables_to_unified_variables:
                 # do not unify twice
                 continue

angr/procedures/definitions/__init__.py

@@ -25,7 +25,7 @@ if TYPE_CHECKING:
 
 
 l = logging.getLogger(name=__name__)
-SIM_LIBRARIES: dict[str, SimLibrary] = {}
+SIM_LIBRARIES: dict[str, list[SimLibrary]] = {}
 SIM_TYPE_COLLECTIONS: dict[str, SimTypeCollection] = {}
 
 
@@ -38,8 +38,8 @@ class SimTypeCollection:
         self.names: list[str] | None = None
         self.types: dict[str, SimType] = {}
 
-    def set_names(self, *names):
-        self.names = names
+    def set_names(self, *names: str):
+        self.names = list(names)
         for name in names:
             SIM_TYPE_COLLECTIONS[name] = self
 
@@ -121,7 +121,7 @@ class SimLibrary:
         o.names = list(self.names)
         return o
 
-    def update(self, other):
+    def update(self, other: SimLibrary):
         """
         Augment this SimLibrary with the information from another SimLibrary
 
@@ -147,7 +147,10 @@ class SimLibrary:
         """
         for name in names:
             self.names.append(name)
-            SIM_LIBRARIES[name] = self
+            if name in SIM_LIBRARIES:
+                SIM_LIBRARIES[name].append(self)
+            else:
+                SIM_LIBRARIES[name] = [self]
 
     def set_default_cc(self, arch_name, cc_cls):
         """
@@ -252,7 +255,7 @@ class SimLibrary:
             proc.guessed_prototype = False
             if proc.prototype.arg_names is None:
                 # Use inspect to extract the parameters from the run python function
-                proc.prototype.arg_names = inspect.getfullargspec(proc.run).args[1:]
+                proc.prototype.arg_names = tuple(inspect.getfullargspec(proc.run).args[1:])
             if not proc.ARGS_MISMATCH:
                 proc.num_args = len(proc.prototype.args)
         if proc.display_name in self.non_returning:
@@ -394,13 +397,12 @@ class SimCppLibrary(SimLibrary):
         stub = super().get_stub(demangled_name, arch)
         # try to determine a prototype from the function name if possible
         if demangled_name != name:
-            # itanium-mangled function name
+            # mangled function name
             stub.prototype = self._proto_from_demangled_name(demangled_name)
             if stub.prototype is not None:
                 stub.prototype = stub.prototype.with_arch(arch)
                 stub.guessed_prototype = False
                 if not stub.ARGS_MISMATCH:
-                    stub.cc.num_args = len(stub.prototype.args)
                     stub.num_args = len(stub.prototype.args)
         return stub
 
@@ -482,9 +484,10 @@ class SimSyscallLibrary(SimLibrary):
 
     def update(self, other):
         super().update(other)
-        self.syscall_number_mapping.update(other.syscall_number_mapping)
-        self.syscall_name_mapping.update(other.syscall_name_mapping)
-        self.default_cc_mapping.update(other.default_cc_mapping)
+        if isinstance(other, SimSyscallLibrary):
+            self.syscall_number_mapping.update(other.syscall_number_mapping)
+            self.syscall_name_mapping.update(other.syscall_name_mapping)
+            self.default_cc_mapping.update(other.default_cc_mapping)
 
     def minimum_syscall_number(self, abi):
         """
@@ -523,7 +526,7 @@ class SimSyscallLibrary(SimLibrary):
         :param mapping: A dict mapping syscall numbers to function names
         """
         self.syscall_number_mapping[abi].update(mapping)
-        self.syscall_name_mapping[abi].update(dict(reversed(i) for i in mapping.items()))
+        self.syscall_name_mapping[abi].update({b: a for a, b in mapping.items()})
 
     def set_abi_cc(self, abi, cc_cls):
         """

angr/procedures/definitions/types_stl.py

@@ -0,0 +1,22 @@
+# pylint:disable=line-too-long
+from __future__ import annotations
+from collections import OrderedDict
+
+from angr.procedures.definitions import SimTypeCollection
+from angr.sim_type import SimCppClass, SimTypePointer, SimTypeChar, SimTypeInt
+
+typelib = SimTypeCollection()
+typelib.set_names("cpp::std")
+typelib.types = {
+    "class std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>": SimCppClass(
+        unique_name="class std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>",
+        name="std::string",
+        members=OrderedDict(
+            [
+                ("m_data", SimTypePointer(SimTypeChar())),
+                ("m_size", SimTypeInt(signed=False)),
+                ("m_capacity", SimTypeInt(signed=False)),
+            ]
+        ),
+    ),
+}

angr/procedures/stubs/format_parser.py

@@ -164,7 +164,7 @@ class FormatString:
                     negative = claripy.SLT(target_variable, 0)
 
                     # how many digits does it take to represent this variable fully?
-                    max_digits = int(math.ceil(math.log(2**bits, base)))
+                    max_digits = math.ceil(math.log(2**bits, base))
 
                     # how many digits does the format specify?
                     spec_digits = component.length_spec

angr/project.py

@@ -14,7 +14,6 @@ from archinfo.arch_soot import SootAddressDescriptor, ArchSoot
 import cle
 from .sim_procedure import SimProcedure
 
-from .misc.ux import deprecated
 from .errors import AngrNoPluginError
 
 l = logging.getLogger(name=__name__)
@@ -300,16 +299,17 @@ class Project:
         missing_libs = []
         for lib_name in self.loader.missing_dependencies:
             try:
-                missing_libs.append(SIM_LIBRARIES[lib_name])
+                missing_libs.extend(SIM_LIBRARIES[lib_name])
             except KeyError:
                 l.info("There are no simprocedures for missing library %s :(", lib_name)
         # additionally provide libraries we _have_ loaded as a fallback fallback
         # this helps in the case that e.g. CLE picked up a linux arm libc to satisfy an android arm binary
         for lib in self.loader.all_objects:
             if lib.provides is not None and lib.provides in SIM_LIBRARIES:
-                simlib = SIM_LIBRARIES[lib.provides]
-                if simlib not in missing_libs:
-                    missing_libs.append(simlib)
+                simlibs = SIM_LIBRARIES[lib.provides]
+                for simlib in simlibs:
+                    if simlib not in missing_libs:
+                        missing_libs.append(simlib)
 
         # Step 2: Categorize every "import" symbol in each object.
         # If it's IGNORED, mark it for stubbing
@@ -362,11 +362,13 @@ class Project:
                     owner_name = owner_name.lower()
                 if owner_name not in SIM_LIBRARIES:
                     continue
-                sim_lib = SIM_LIBRARIES[owner_name]
-                if not sim_lib.has_implementation(export.name):
-                    continue
-                l.info("Using builtin SimProcedure for %s from %s", export.name, sim_lib.name)
-                self.hook_symbol(export.rebased_addr, sim_lib.get(export.name, sim_proc_arch))
+                sim_libs = SIM_LIBRARIES[owner_name]
+                for sim_lib in sim_libs:
+                    if not sim_lib.has_implementation(export.name):
+                        continue
+                    l.info("Using builtin SimProcedure for %s from %s", export.name, sim_lib.name)
+                    self.hook_symbol(export.rebased_addr, sim_lib.get(export.name, sim_proc_arch))
+                    break
 
             # Step 2.3: If 2.2 didn't work, check if the symbol wants to be resolved
             # by a library we already know something about. Resolve it appropriately.
@@ -375,7 +377,7 @@ class Project:
             # we still want to try as hard as we can to figure out where it comes from
             # so we can get the calling convention as close to right as possible.
             elif reloc.resolvewith is not None and reloc.resolvewith in SIM_LIBRARIES:
-                sim_lib = SIM_LIBRARIES[reloc.resolvewith]
+                sim_lib = sorted(SIM_LIBRARIES[reloc.resolvewith], key=lambda lib: lib.has_prototype(export.name))[-1]
                 if self._check_user_blacklists(export.name):
                     if not func.is_weak:
                         l.info("Using stub SimProcedure for unresolved %s from %s", func.name, sim_lib.name)
@@ -407,7 +409,7 @@ class Project:
                         if export.name and export.name.startswith("_Z"):
                             # GNU C++ name. Use a C++ library to create the stub
                             if "libstdc++.so" in SIM_LIBRARIES:
-                                the_lib = SIM_LIBRARIES["libstdc++.so"]
+                                the_lib = SIM_LIBRARIES["libstdc++.so"][0]
                             else:
                                 l.critical(
                                     "Does not find any C++ library in SIM_LIBRARIES. We may not correctly "
@@ -437,16 +439,17 @@ class Project:
         """
         # First, filter the SIM_LIBRARIES to a reasonable subset based on the hint
         if hint == "win":
-            hinted_libs = filter(lambda lib: lib if lib.endswith(".dll") else None, SIM_LIBRARIES)
+            hinted_libs = [lib for lib in SIM_LIBRARIES if lib.endswith(".dll")]
         else:
-            hinted_libs = filter(lambda lib: lib if ".so" in lib else None, SIM_LIBRARIES)
+            hinted_libs = [lib for lib in SIM_LIBRARIES if ".so" in lib]
 
         for lib in hinted_libs:
-            if SIM_LIBRARIES[lib].has_implementation(f.name):
-                l.debug("Found implementation for %s in %s", f, lib)
-                hook_at = f.resolvedby.rebased_addr if f.resolvedby else f.relative_addr  # ????
-                self.hook_symbol(hook_at, (SIM_LIBRARIES[lib].get(f.name, self.arch)))
-                return True
+            for simlib in SIM_LIBRARIES[lib]:
+                if simlib.has_implementation(f.name):
+                    l.debug("Found implementation for %s in %s", f, lib)
+                    hook_at = f.resolvedby.rebased_addr if f.resolvedby else f.relative_addr  # ????
+                    self.hook_symbol(hook_at, (simlib.get(f.name, self.arch)))
+                    return True
 
         l.debug("Could not find matching SimProcedure for %s, ignoring.", f.name)
         return False
@@ -826,18 +829,9 @@ class Project:
     def __repr__(self):
         return "<Project %s>" % (self.filename if self.filename is not None else "loaded from stream")
 
-    #
-    # Compatibility
-    #
-
-    @property
-    @deprecated(replacement="simos")
-    def _simos(self):
-        return self.simos
-
 
 from .factory import AngrObjectFactory
-from angr.simos import SimOS, os_mapping
+from .simos import SimOS, os_mapping
 from .analyses.analysis import AnalysesHub, AnalysesHubWithDefault
 from .knowledge_base import KnowledgeBase
 from .procedures import SIM_PROCEDURES, SIM_LIBRARIES