angr 9.2.147__py3-none-win_amd64.whl → 9.2.149__py3-none-win_amd64.whl

angr/analyses/variable_recovery/engine_base.py

@@ -70,9 +70,12 @@ class SimEngineVRBase(
     and storing data.
     """
 
-    def __init__(self, project, kb):
+    def __init__(self, project, kb, vvar_type_hints: dict[int, typeconsts.TypeConstant] | None = None):
         super().__init__(project)
 
+        self.vvar_type_hints: dict[int, typeconsts.TypeConstant] = (
+            vvar_type_hints if vvar_type_hints is not None else {}
+        )
         self.kb = kb
         self.vvar_region: dict[int, Any] = {}
 
@@ -417,6 +420,7 @@ class SimEngineVRBase(
                     vvar.size,
                     ident=self.state.variable_manager[self.func_addr].next_variable_ident("stack"),
                     region=self.func_addr,
+                    base="bp",
                 )
                 self.state.variable_manager[self.func_addr].add_variable("stack", vvar.stack_offset, variable)
             elif vvar.was_parameter:
@@ -452,13 +456,19 @@ class SimEngineVRBase(
                 # assign a new type variable to it
                 typevar = typevars.TypeVariable()
                 self.state.typevars.add_type_variable(variable, typevar)
-                # create constraints
             else:
                 typevar = self.state.typevars.get_type_variable(variable)
+
+            # create constraints accordingly
+
             self.state.add_type_constraint(typevars.Subtype(richr.typevar, typevar))
-            # the constraint below is a default constraint that may conflict with more specific ones with different
-            # sizes; we post-process at the very end of VRA to remove conflicting default constraints.
-            self.state.add_type_constraint(typevars.Subtype(typevar, typeconsts.int_type(variable.size * 8)))
+            if vvar.varid in self.vvar_type_hints:
+                # handle type hints
+                self.state.add_type_constraint(typevars.Subtype(typevar, self.vvar_type_hints[vvar.varid]))
+            else:
+                # the constraint below is a default constraint that may conflict with more specific ones with different
+                # sizes; we post-process at the very end of VRA to remove conflicting default constraints.
+                self.state.add_type_constraint(typevars.Subtype(typevar, typeconsts.int_type(variable.size * 8)))
 
         return variable
 
@@ -977,14 +987,22 @@ class SimEngineVRBase(
             value = self.state.top(size * self.project.arch.byte_width)
             if create_variable:
                 # create a new variable if necessary
-                variable = SimRegisterVariable(
-                    offset,
-                    size if force_variable_size is None else force_variable_size,
-                    ident=self.state.variable_manager[self.func_addr].next_variable_ident("register"),
-                    region=self.func_addr,
-                )
+
+                # check if there is an existing variable for the atom at this location already
+                existing_vars: set[tuple[SimVariable, int]] = self.state.variable_manager[
+                    self.func_addr
+                ].find_variables_by_atom(self.block.addr, self.stmt_idx, expr)
+                if not existing_vars:
+                    variable = SimRegisterVariable(
+                        offset,
+                        size if force_variable_size is None else force_variable_size,
+                        ident=self.state.variable_manager[self.func_addr].next_variable_ident("register"),
+                        region=self.func_addr,
+                    )
+                    self.state.variable_manager[self.func_addr].add_variable("register", offset, variable)
+                else:
+                    variable = next(iter(existing_vars))[0]
                 value = self.state.annotate_with_variables(value, [(0, variable)])
-                self.state.variable_manager[self.func_addr].add_variable("register", offset, variable)
             self.state.register_region.store(offset, value)
             value_list = [{value}]
         else:
@@ -1079,6 +1097,7 @@ class SimEngineVRBase(
                         vvar.size,
                         ident=self.state.variable_manager[self.func_addr].next_variable_ident("stack"),
                         region=self.func_addr,
+                        base="bp",
                     )
                     value = self.state.annotate_with_variables(value, [(0, variable)])
                     self.state.variable_manager[self.func_addr].add_variable("stack", vvar.stack_offset, variable)
@@ -1129,6 +1148,12 @@ class SimEngineVRBase(
         if var is not None and var.size != vvar.size:
             # ignore the variable and the associated type if we are only reading part of the variable
             return RichR(value, variable=var)
+
+        # handle type hints
+        if vvar.varid in self.vvar_type_hints:
+            assert isinstance(typevar, typevars.TypeVariable)
+            self.state.add_type_constraint(typevars.Subtype(typevar, self.vvar_type_hints[vvar.varid]))
+
         return RichR(value, variable=var, typevar=typevar)
 
     def _create_access_typevar(

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -12,21 +12,25 @@ import ailment
 from ailment.expression import VirtualVariable
 
 import angr.errors
+from angr import SIM_TYPE_COLLECTIONS
 from angr.analyses import AnalysesHub
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.block import Block
 from angr.errors import AngrVariableRecoveryError, SimEngineError
 from angr.knowledge_plugins import Function
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.sim_variable import SimStackVariable, SimRegisterVariable, SimVariable, SimMemoryVariable
 from angr.engines.vex.claripy.irop import vexop_to_simop
 from angr.analyses import ForwardAnalysis, visitors
 from angr.analyses.typehoon.typevars import Equivalence, TypeVariable, TypeVariables, Subtype, DerivedTypeVariable
-from angr.analyses.typehoon.typeconsts import Int
+from angr.analyses.typehoon.typeconsts import Int, TypeConstant, BottomType, TopType
+from angr.analyses.typehoon.lifter import TypeLifter
 from .variable_recovery_base import VariableRecoveryBase, VariableRecoveryStateBase
 from .engine_vex import SimEngineVRVEX
 from .engine_ail import SimEngineVRAIL
 import contextlib
 
+
 if TYPE_CHECKING:
     from angr.analyses.typehoon.typevars import TypeConstraint
 
@@ -241,6 +245,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         unify_variables=True,
         func_arg_vvars: dict[int, tuple[VirtualVariable, SimVariable]] | None = None,
         vvar_to_vvar: dict[int, int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
     ):
         if not isinstance(func, Function):
             func = self.kb.functions[func]
@@ -269,8 +274,17 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self._func_arg_vvars = func_arg_vvars
         self._unify_variables = unify_variables
 
+        # handle type hints
+        self.vvar_type_hints = {}
+        if type_hints:
+            self._parse_type_hints(type_hints)
+
         self._ail_engine: SimEngineVRAIL = SimEngineVRAIL(
-            self.project, self.kb, call_info=call_info, vvar_to_vvar=self.vvar_to_vvar
+            self.project,
+            self.kb,
+            call_info=call_info,
+            vvar_to_vvar=self.vvar_to_vvar,
+            vvar_type_hints=self.vvar_type_hints,
         )
         self._vex_engine: SimEngineVRVEX = SimEngineVRVEX(self.project, self.kb, call_info=call_info)
 
@@ -617,5 +631,22 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             if adjusted:
                 state.register_region.store(self.project.arch.sp_offset, sp_v)
 
+    def _parse_type_hints(self, type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]]) -> None:
+        self.vvar_type_hints = {}
+        for loc, type_hint_str in type_hints:
+            if isinstance(loc, atoms.VirtualVariable):
+                type_hint = self._parse_type_hint(type_hint_str)
+                if type_hint is not None:
+                    self.vvar_type_hints[loc.varid] = type_hint
+            # TODO: Handle other types of locations
+
+    def _parse_type_hint(self, type_hint_str: str) -> TypeConstant | None:
+        ty = SIM_TYPE_COLLECTIONS["cpp::std"].get(type_hint_str)
+        if ty is None:
+            return None
+        ty = ty.with_arch(self.project.arch)
+        lifted = TypeLifter(self.project.arch.bits).lift(ty)
+        return None if isinstance(lifted, (BottomType, TopType)) else lifted
+
 
 AnalysesHub.register_default("VariableRecoveryFast", VariableRecoveryFast)

angr/calling_conventions.py

@@ -1,9 +1,9 @@
 # pylint:disable=line-too-long,missing-class-docstring,no-self-use
 from __future__ import annotations
 import logging
-from typing import cast
+from typing import Generic, cast, TypeVar
 
-from collections.abc import Iterable, Sequence
+from collections.abc import Iterable
 from collections import defaultdict
 import contextlib
 
@@ -39,6 +39,8 @@ from .state_plugins.sim_action_object import SimActionObject
 l = logging.getLogger(name=__name__)
 l.addFilter(UniqueLogFilter())
 
+T = TypeVar("T", bound="SimFunctionArgument")
+
 
 class PointerWrapper:
     def __init__(self, value, buffer=False):
@@ -386,12 +388,12 @@ class SimStackArg(SimFunctionArgument):
         return SimStackArg(self.stack_offset + offset, size, is_fp)
 
 
-class SimComboArg(SimFunctionArgument):
+class SimComboArg(SimFunctionArgument, Generic[T]):
     """
     An argument which spans multiple storage locations. Locations should be given least-significant first.
     """
 
-    def __init__(self, locations, is_fp=False):
+    def __init__(self, locations: list[T], is_fp=False):
         super().__init__(sum(x.size for x in locations), is_fp=is_fp)
         self.locations = locations
 
@@ -449,6 +451,45 @@ class SimStructArg(SimFunctionArgument):
 
         return others
 
+    def get_single_footprint(self) -> SimStackArg | SimRegArg | SimComboArg:
+        if self.struct._arch is None:
+            raise TypeError("Can't tell the size of a struct without an arch")
+        stack_min = None
+        stack_max = None
+        regs = []
+        for field in self.struct.fields:
+            loc = self.locs[field]
+            if isinstance(loc, SimStackArg):
+                if stack_min is None or stack_max is None:
+                    stack_min = loc.stack_offset
+                    stack_max = loc.stack_offset
+                else:
+                    # sanity check that arguments are laid out in order...
+                    assert loc.stack_offset >= stack_max
+                    stack_max = loc.stack_offset + loc.size
+            elif isinstance(loc, SimRegArg):
+                regs.append(loc)
+            else:
+                assert False, "Why would a struct have layout elements other than stack and reg?"
+
+        # things to consider...
+        # what happens if we return the concat of two registers but there's slack space missing?
+        # an example of this would be big-endian struct { long a; int b; }
+        # do any CCs do this??
+        # for now assume no
+
+        if stack_min is not None:
+            if regs:
+                assert (
+                    False
+                ), "Unknown CC argument passing structure - why are we passing both regs and stack at the same time?"
+            return SimStackArg(stack_min, self.struct.size // self.struct._arch.byte_width)
+        if not regs:
+            assert False, "huh??????"
+        if len(regs) == 1:
+            return regs[0]
+        return SimComboArg(regs)
+
     def get_value(self, state, **kwargs):
         return SimStructValue(
             self.struct, {field: getter.get_value(state, **kwargs) for field, getter in self.locs.items()}
@@ -486,7 +527,7 @@ class SimReferenceArgument(SimFunctionArgument):
                         zero on the stack. It will be passed ``stack_base=ptr_loc.get_value(state)``
     """
 
-    def __init__(self, ptr_loc, main_loc):
+    def __init__(self, ptr_loc: SimFunctionArgument, main_loc: SimFunctionArgument):
         super().__init__(ptr_loc.size)  # ???
         self.ptr_loc = ptr_loc
         self.main_loc = main_loc
@@ -700,6 +741,7 @@ class SimCC:
             )
         if self.return_in_implicit_outparam(ty):
             if perspective_returned:
+                assert self.RETURN_VAL is not None
                 ptr_loc = self.RETURN_VAL
             else:
                 ptr_loc = self.next_arg(self.ArgSession(self), SimTypePointer(SimTypeBottom()))
@@ -713,6 +755,7 @@ class SimCC:
         if self.RETURN_VAL is None or isinstance(ty, SimTypeBottom):
             return None
         if ty.size > self.RETURN_VAL.size * self.arch.byte_width:
+            assert self.OVERFLOW_RETURN_VAL is not None
             return SimComboArg([self.RETURN_VAL, self.OVERFLOW_RETURN_VAL])
         return self.RETURN_VAL.refine(size=ty.size // self.arch.byte_width, arch=self.arch, is_fp=False)
 
@@ -991,7 +1034,8 @@ class SimCC:
                 else:
                     raise TypeError("PointerWrapper(buffer=True) can only be used with a bitvector or a bytestring")
             else:
-                child_type = SimTypeArray(ty.pts_to) if type(arg.value) in (str, bytes, list) else ty.pts_to
+                sub = ty.pts_to if isinstance(ty, SimTypePointer) else ty.refs
+                child_type = SimTypeArray(sub) if isinstance(arg.value, (str, bytes, list)) else sub
                 try:
                     real_value = SimCC._standardize_value(arg.value, child_type, state, alloc)
                 except TypeError as e:  # this is a dangerous catch...
@@ -1003,32 +1047,34 @@ class SimCC:
 
         if isinstance(arg, (str, bytes)):
             # sanitize the argument and request standardization again with SimTypeArray
-            if type(arg) is str:
+            if isinstance(arg, str):
                 arg = arg.encode()
             arg += b"\0"
             if isinstance(ty, SimTypePointer) and isinstance(ty.pts_to, SimTypeChar):
                 pass
-            elif isinstance(ty, SimTypeFixedSizeArray) and isinstance(ty.elem_type, SimTypeChar):
-                if len(arg) > ty.length:
-                    raise TypeError(f"String {arg!r} is too long for {ty}")
-                arg = arg.ljust(ty.length, b"\0")
-            elif isinstance(ty, SimTypeArray) and isinstance(ty.elem_type, SimTypeChar):
+            elif (isinstance(ty, SimTypeFixedSizeArray) and isinstance(ty.elem_type, SimTypeChar)) or (
+                isinstance(ty, SimTypeArray) and isinstance(ty.elem_type, SimTypeChar)
+            ):
                 if ty.length is not None:
                     if len(arg) > ty.length:
                         raise TypeError(f"String {arg!r} is too long for {ty}")
                     arg = arg.ljust(ty.length, b"\0")
             elif isinstance(ty, SimTypeString):
-                if len(arg) > ty.length + 1:
-                    raise TypeError(f"String {arg!r} is too long for {ty}")
-                arg = arg.ljust(ty.length + 1, b"\0")
+                if ty.length is not None:
+                    if len(arg) > ty.length + 1:
+                        raise TypeError(f"String {arg!r} is too long for {ty}")
+                    arg = arg.ljust(ty.length + 1, b"\0")
             else:
                 raise TypeError(f"Type mismatch: Expected {ty}, got char*")
             return SimCC._standardize_value(list(arg), SimTypeArray(SimTypeChar(), len(arg)), state, alloc)
 
         if isinstance(arg, list):
-            if isinstance(ty, (SimTypePointer, SimTypeReference)):
+            if isinstance(ty, SimTypePointer):
                 ref = True
                 subty = ty.pts_to
+            elif isinstance(ty, SimTypeReference):
+                ref = True
+                subty = ty.refs
             elif isinstance(ty, SimTypeArray):
                 ref = True
                 subty = ty.elem_type
@@ -1045,7 +1091,7 @@ class SimCC:
         if isinstance(arg, (tuple, dict, SimStructValue)):
             if not isinstance(ty, SimStruct):
                 raise TypeError(f"Type mismatch: Expected {ty}, got {type(arg)} (i.e. struct)")
-            if type(arg) is not SimStructValue:
+            if not isinstance(arg, SimStructValue):
                 if len(arg) != len(ty.fields):
                     raise TypeError(f"Wrong number of fields in struct, expected {len(ty.fields)} got {len(arg)}")
                 arg = SimStructValue(ty, arg)
@@ -1075,14 +1121,16 @@ class SimCC:
                     raise TypeError(f"Type mismatch: expected {ty}, got {arg.sort}")
                 return arg
             if isinstance(ty, (SimTypeReg, SimTypeNum)):
-                return arg.val_to_bv(ty.size, ty.signed)
+                return arg.val_to_bv(ty.size, ty.signed if isinstance(ty, SimTypeNum) else False)
             raise TypeError(f"Type mismatch: expected {ty}, got {arg.sort}")
 
         if isinstance(arg, claripy.ast.BV):
             if isinstance(ty, (SimTypeReg, SimTypeNum)):
                 if len(arg) != ty.size:
                     if arg.concrete:
-                        return claripy.BVV(arg.concrete_value, ty.size)
+                        size = ty.size
+                        assert size is not None
+                        return claripy.BVV(arg.concrete_value, size)
                     raise TypeError(f"Type mismatch of symbolic data: expected {ty}, got {len(arg)} bits")
                 return arg
             if isinstance(ty, (SimTypeFloat)):
@@ -1101,7 +1149,7 @@ class SimCC:
         return isinstance(other, self.__class__)
 
     @classmethod
-    def _match(cls, arch, args: list, sp_delta):
+    def _match(cls, arch, args: list[SimRegArg | SimStackArg], sp_delta):
         if (
             cls.arches() is not None and ":" not in arch.name and not isinstance(arch, cls.arches())
         ):  # pylint:disable=isinstance-second-argument-not-valid-type
@@ -1139,13 +1187,16 @@ class SimCC:
     @classmethod
     def _guess_arg_count(cls, args, limit: int = 64) -> int:
         # pylint:disable=not-callable
+        assert cls.ARCH is not None
         stack_args = [a for a in args if isinstance(a, SimStackArg)]
-        stack_arg_count = (max(a.stack_offset for a in stack_args) // cls.ARCH().bytes + 1) if stack_args else 0
+        stack_arg_count = (
+            (max(a.stack_offset for a in stack_args) // cls.ARCH(archinfo.Endness.LE).bytes + 1) if stack_args else 0
+        )
         return min(limit, max(len(args), stack_arg_count))
 
     @staticmethod
     def find_cc(
-        arch: archinfo.Arch, args: Sequence[SimFunctionArgument], sp_delta: int, platform: str = "Linux"
+        arch: archinfo.Arch, args: list[SimRegArg | SimStackArg], sp_delta: int, platform: str | None = "Linux"
     ) -> SimCC | None:
         """
         Pinpoint the best-fit calling convention and return the corresponding SimCC instance, or None if no fit is
@@ -1229,7 +1280,7 @@ class SimCCUsercall(SimCC):
     def next_arg(self, session, arg_type):
         return next(session.real_args)
 
-    def return_val(self, ty, **kwargs):
+    def return_val(self, ty, **kwargs):  # pylint: disable=unused-argument
         return self.ret_loc
 
 
@@ -1284,6 +1335,21 @@ class SimCCMicrosoftCdecl(SimCCCdecl):
     STRUCT_RETURN_THRESHOLD = 64
 
 
+class SimCCMicrosoftThiscall(SimCCCdecl):
+    CALLEE_CLEANUP = True
+    ARG_REGS = ["ecx"]
+    CALLER_SAVED_REGS = ["eax", "ecx", "edx"]
+    STRUCT_RETURN_THRESHOLD = 64
+
+    def arg_locs(self, prototype) -> list[SimFunctionArgument]:
+        if prototype._arch is None:
+            prototype = prototype.with_arch(self.arch)
+        session = self.arg_session(prototype.returnty)
+        if not prototype.args:
+            return []
+        return [SimRegArg("ecx", self.arch.bytes)] + [self.next_arg(session, arg_ty) for arg_ty in prototype.args[1:]]
+
+
 class SimCCStdcall(SimCCMicrosoftCdecl):
     CALLEE_CLEANUP = True
 
@@ -1418,7 +1484,7 @@ class SimCCSyscall(SimCC):
         self.ERROR_REG.set_value(state, error_reg_val)
         return expr
 
-    def set_return_val(self, state, val, ty, **kwargs):  # pylint:disable=arguments-differ
+    def set_return_val(self, state, val, ty, **kwargs):  # type:ignore  # pylint:disable=arguments-differ
         if self.ERROR_REG is not None:
             val = self.linux_syscall_update_error_reg(state, val)
         super().set_return_val(state, val, ty, **kwargs)
@@ -1556,6 +1622,7 @@ class SimCCSystemVAMD64(SimCC):
         classification = self._classify(ty)
         if any(cls == "MEMORY" for cls in classification):
             assert all(cls == "MEMORY" for cls in classification)
+            assert ty.size is not None
             byte_size = ty.size // self.arch.byte_width
             referenced_locs = [SimStackArg(offset, self.arch.bytes) for offset in range(0, byte_size, self.arch.bytes)]
             referenced_loc = refine_locs_with_struct_type(self.arch, referenced_locs, ty)
@@ -1594,6 +1661,7 @@ class SimCCSystemVAMD64(SimCC):
         if isinstance(ty, (SimTypeFloat,)):
             return ["SSE"] + ["SSEUP"] * (nchunks - 1)
         if isinstance(ty, (SimStruct, SimTypeFixedSizeArray, SimUnion)):
+            assert ty.size is not None
             if ty.size > 512:
                 return ["MEMORY"] * nchunks
             flattened = self._flatten(ty)
@@ -1672,7 +1740,7 @@ class SimCCAMD64LinuxSyscall(SimCCSyscall):
     CALLER_SAVED_REGS = ["rax", "rcx", "r11"]
 
     @staticmethod
-    def _match(arch, args, sp_delta):  # pylint: disable=unused-argument
+    def _match(arch, args, sp_delta):  # type:ignore # pylint: disable=unused-argument
         # doesn't appear anywhere but syscalls
         return False
 
@@ -1804,6 +1872,7 @@ class SimCCARM(SimCC):
                 for suboffset, subsubty_list in subresult.items():
                     result[offset + suboffset] += subsubty_list
         elif isinstance(ty, SimTypeFixedSizeArray):
+            assert ty.elem_type.size is not None
             subresult = self._flatten(ty.elem_type)
             if subresult is None:
                 return None
@@ -2222,7 +2291,7 @@ class SimCCUnknown(SimCC):
     """
 
     @staticmethod
-    def _match(arch, args, sp_delta):  # pylint: disable=unused-argument
+    def _match(arch, args, sp_delta):  # type:ignore  # pylint: disable=unused-argument
         # It always returns True
         return True
 
@@ -2266,7 +2335,7 @@ CC: dict[str, dict[str, list[type[SimCC]]]] = {
         "default": [SimCCCdecl],
         "Linux": [SimCCCdecl],
         "CGC": [SimCCCdecl],
-        "Win32": [SimCCMicrosoftCdecl, SimCCMicrosoftFastcall],
+        "Win32": [SimCCMicrosoftCdecl, SimCCMicrosoftFastcall, SimCCMicrosoftThiscall],
     },
     "ARMEL": {
         "default": [SimCCARM],

angr/engines/light/engine.py

@@ -533,6 +533,7 @@ class SimEngineLightAIL(
     def __init__(self, *args, **kwargs):
         self._stmt_handlers: dict[str, Callable[[Any], StmtDataType]] = {
             "Assignment": self._handle_stmt_Assignment,
+            "WeakAssignment": self._handle_stmt_WeakAssignment,
             "Store": self._handle_stmt_Store,
             "Jump": self._handle_stmt_Jump,
             "ConditionalJump": self._handle_stmt_ConditionalJump,
@@ -697,6 +698,9 @@ class SimEngineLightAIL(
     @abstractmethod
     def _handle_stmt_Assignment(self, stmt: ailment.statement.Assignment) -> StmtDataType: ...
 
+    @abstractmethod
+    def _handle_stmt_WeakAssignment(self, stmt: ailment.statement.WeakAssignment) -> StmtDataType: ...
+
     @abstractmethod
     def _handle_stmt_Store(self, stmt: ailment.statement.Store) -> StmtDataType: ...
 
@@ -1006,6 +1010,9 @@ class SimEngineNostmtAIL(
     def _handle_stmt_Assignment(self, stmt) -> StmtDataType | None:
         pass
 
+    def _handle_stmt_WeakAssignment(self, stmt) -> StmtDataType | None:
+        pass
+
     def _handle_stmt_Store(self, stmt) -> StmtDataType | None:
         pass
 

angr/exploration_techniques/director.py

@@ -71,7 +71,7 @@ class BaseGoal:
 
         block_id = cfg._generate_block_id(call_stack_suffix, state.addr, is_syscall)
 
-        return cfg.get_node(block_id)
+        return cfg.model.get_node(block_id)
 
     @staticmethod
     def _dfs_edges(graph, source, max_steps=None):