angr 9.2.150__py3-none-macosx_11_0_arm64.whl → 9.2.153__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/region_identifier.py

@@ -1,4 +1,5 @@
 from __future__ import annotations
+from typing import Any
 from itertools import count
 from collections import defaultdict
 import logging
@@ -70,6 +71,9 @@ class RegionIdentifier(Analysis):
         self._largest_successor_tree_outside_loop = largest_successor_tree_outside_loop
         self._force_loop_single_exit = force_loop_single_exit
         self._complete_successors = complete_successors
+        # we keep a dictionary of node and their traversal order in a quasi-topological traversal and update this
+        # dictionary as we update the graph
+        self._node_order: dict[Any, tuple[int, int]] = {}
 
         self._analyze()
 
@@ -102,11 +106,30 @@ class RegionIdentifier(Analysis):
 
         self._start_node = self._get_start_node(graph)
 
+        self._node_order = self._compute_node_order(graph)
+
         self.region = self._make_regions(graph)
 
         # make regions into block address lists
         self.regions_by_block_addrs = self._make_regions_by_block_addrs()
 
+    @staticmethod
+    def _compute_node_order(graph: networkx.DiGraph) -> dict[Any, tuple[int, int]]:
+        sorted_nodes = GraphUtils.quasi_topological_sort_nodes(graph)
+        node_order = {}
+        for i, n in enumerate(sorted_nodes):
+            node_order[n] = i, 0
+        return node_order
+
+    def _sort_nodes(self, nodes: list | set) -> list:
+        """
+        Sorts the nodes in the order specified in self._node_order.
+
+        :param nodes:   A list or set of nodes to be sorted.
+        :return:        A sorted list of nodes.
+        """
+        return sorted(nodes, key=lambda n: self._node_order[n])
+
     def _make_regions_by_block_addrs(self) -> list[list[tuple[int, int | None]]]:
         """
         Creates a list of addr lists representing each region without recursion. A single region is defined
@@ -182,30 +205,6 @@ class RegionIdentifier(Analysis):
             None,
         )
 
-    def _test_reducibility(self):
-        # make a copy of the graph
-        graph = networkx.DiGraph(self._graph)
-
-        # preprocess: make it a super graph
-        self._make_supergraph(graph)
-
-        while True:
-            changed = False
-
-            # find a node with a back-edge, remove the edge (deleting the loop), and replace it with a MultiNode
-            changed |= self._remove_self_loop(graph)
-
-            # find a node that has only one predecessor, and merge it with its predecessor (replace them with a
-            # MultiNode)
-            changed |= self._merge_single_entry_node(graph)
-
-            if not changed:
-                # a fixed-point is reached
-                break
-
-        # Flow graph reducibility, Hecht and Ullman
-        return len(graph.nodes) == 1
-
     def _make_supergraph(self, graph: networkx.DiGraph):
 
         entry_node = None
@@ -236,7 +235,7 @@ class RegionIdentifier(Analysis):
 
     def _find_loop_headers(self, graph: networkx.DiGraph) -> list:
         heads = list({t for _, t in dfs_back_edges(graph, self._start_node)})
-        return GraphUtils.quasi_topological_sort_nodes(graph, heads)
+        return self._sort_nodes(heads)
 
     def _find_initial_loop_nodes(self, graph: networkx.DiGraph, head):
         # TODO optimize
@@ -290,7 +289,7 @@ class RegionIdentifier(Analysis):
         # node.
         subgraph = networkx.DiGraph()
 
-        sorted_refined_exit_nodes = GraphUtils.quasi_topological_sort_nodes(graph, refined_exit_nodes)
+        sorted_refined_exit_nodes = self._sort_nodes(refined_exit_nodes)
         while len(sorted_refined_exit_nodes) > 1 and new_exit_nodes:
             # visit each node in refined_exit_nodes once and determine which nodes to consider as loop nodes
             candidate_nodes = {}
@@ -324,7 +323,7 @@ class RegionIdentifier(Analysis):
 
             sorted_refined_exit_nodes += list(new_exit_nodes)
             sorted_refined_exit_nodes = list(set(sorted_refined_exit_nodes))
-            sorted_refined_exit_nodes = GraphUtils.quasi_topological_sort_nodes(graph, sorted_refined_exit_nodes)
+            sorted_refined_exit_nodes = self._sort_nodes(sorted_refined_exit_nodes)
 
         refined_exit_nodes = set(sorted_refined_exit_nodes)
         refined_loop_nodes = refined_loop_nodes - refined_exit_nodes
@@ -373,37 +372,6 @@ class RegionIdentifier(Analysis):
 
         return refined_loop_nodes, refined_exit_nodes
 
-    def _remove_self_loop(self, graph: networkx.DiGraph):
-        r = False
-
-        while True:
-            for node in graph.nodes():
-                if node in graph[node]:
-                    # found a self loop
-                    self._remove_node(graph, node)
-                    r = True
-                    break
-            else:
-                break
-
-        return r
-
-    def _merge_single_entry_node(self, graph: networkx.DiGraph):
-        r = False
-
-        while True:
-            for node in networkx.dfs_postorder_nodes(graph):
-                preds = list(graph.predecessors(node))
-                if len(preds) == 1:
-                    # merge the two nodes
-                    self._absorb_node(graph, preds[0], node)
-                    r = True
-                    break
-            else:
-                break
-
-        return r
-
     def _make_regions(self, graph: networkx.DiGraph):
         structured_loop_headers = set()
         new_regions = []
@@ -535,7 +503,14 @@ class RegionIdentifier(Analysis):
             abnormal_exit_nodes = set()
 
         region = self._abstract_cyclic_region(
-            graph, refined_loop_nodes, head, normal_entries, abnormal_entries, normal_exit_node, abnormal_exit_nodes
+            graph,
+            refined_loop_nodes,
+            head,
+            normal_entries,
+            abnormal_entries,
+            normal_exit_node,
+            abnormal_exit_nodes,
+            self._node_order,
         )
         if region.successors is not None and len(region.successors) > 1 and self._force_loop_single_exit:
             # multi-successor region. refinement is required
@@ -661,6 +636,10 @@ class RegionIdentifier(Analysis):
             graph.remove_edge(region, succ)
             graph.add_edge(cond, succ, **edge_data)
 
+        # compute the node order of newly created nodes
+        self._node_order[region] = region_node_order = min(self._node_order[node_] for node_ in region.graph)
+        self._node_order[cond] = region_node_order[0], region_node_order[1] + 1
+
     #
     # Acyclic regions
     #
@@ -733,6 +712,7 @@ class RegionIdentifier(Analysis):
                         graph,
                         GraphRegion(node, subgraph, None, None, False, None, cyclic_ancestor=cyclic),
                         [],
+                        self._node_order,
                         secondary_graph=secondary_graph,
                     )
                 continue
@@ -780,7 +760,12 @@ class RegionIdentifier(Analysis):
                         l.debug("Node %r, frontier %r.", node, frontier)
                         # l.debug("Identified an acyclic region %s.", self._dbg_block_list(region.graph.nodes()))
                         self._abstract_acyclic_region(
-                            graph, region, frontier, dummy_endnode=dummy_endnode, secondary_graph=secondary_graph
+                            graph,
+                            region,
+                            frontier,
+                            self._node_order,
+                            dummy_endnode=dummy_endnode,
+                            secondary_graph=secondary_graph,
                         )
                         # assert dummy_endnode not in graph
                         region_created = True
@@ -909,11 +894,17 @@ class RegionIdentifier(Analysis):
             )
         return None
 
+    @staticmethod
     def _abstract_acyclic_region(
-        self, graph: networkx.DiGraph, region, frontier, dummy_endnode=None, secondary_graph=None
+        graph: networkx.DiGraph,
+        region,
+        frontier,
+        node_order: dict[Any, tuple[int, int]],
+        dummy_endnode=None,
+        secondary_graph=None,
     ):
-        in_edges = self._region_in_edges(graph, region, data=True)
-        out_edges = self._region_out_edges(graph, region, data=True)
+        in_edges = RegionIdentifier._region_in_edges(graph, region, data=True)
+        out_edges = RegionIdentifier._region_out_edges(graph, region, data=True)
 
         nodes_set = set()
         for node_ in list(region.graph.nodes()):
@@ -922,6 +913,7 @@ class RegionIdentifier(Analysis):
                 graph.remove_node(node_)
 
         graph.add_node(region)
+        node_order[region] = min(node_order[node_] for node_ in nodes_set)
 
         for src, _, data in in_edges:
             if src not in nodes_set:
@@ -937,7 +929,7 @@ class RegionIdentifier(Analysis):
                     graph.add_edge(region, frontier_node)
 
         if secondary_graph is not None:
-            self._abstract_acyclic_region(secondary_graph, region, {})
+            RegionIdentifier._abstract_acyclic_region(secondary_graph, region, {}, node_order)
 
     @staticmethod
     def _abstract_cyclic_region(
@@ -948,6 +940,7 @@ class RegionIdentifier(Analysis):
         abnormal_entries,
         normal_exit_node,
         abnormal_exit_nodes,
+        node_order: dict[Any, tuple[int, int]],
     ):
         region = GraphRegion(head, None, None, None, True, None)
 
@@ -1019,6 +1012,8 @@ class RegionIdentifier(Analysis):
         graph.add_node(region)
         for src, dst, data in delayed_edges:
             graph.add_edge(src, dst, **data)
+        # update node order
+        node_order[region] = node_order[head]
 
         region.full_graph = full_graph
 
@@ -1039,25 +1034,8 @@ class RegionIdentifier(Analysis):
                 out_edges.append((region, dst, data_))
         return out_edges
 
-    def _remove_node(self, graph: networkx.DiGraph, node):  # pylint:disable=no-self-use
-        in_edges = [(src, dst, data) for (src, dst, data) in graph.in_edges(node, data=True) if src is not node]
-        out_edges = [(src, dst, data) for (src, dst, data) in graph.out_edges(node, data=True) if dst is not node]
-
-        # true case: it forms a region by itself :-)
-        new_node = None if len(in_edges) <= 1 and len(out_edges) <= 1 else MultiNode([node])
-
-        graph.remove_node(node)
-
-        if new_node is not None:
-            for src, _, data in in_edges:
-                graph.add_edge(src, new_node, **data)
-
-            for _, dst, data in out_edges:
-                graph.add_edge(new_node, dst, **data)
-
-    def _merge_nodes(
-        self, graph: networkx.DiGraph, node_a, node_b, force_multinode=False
-    ):  # pylint:disable=no-self-use
+    @staticmethod
+    def _merge_nodes(graph: networkx.DiGraph, node_a, node_b, force_multinode=False):
         in_edges = list(graph.in_edges(node_a, data=True))
         out_edges = list(graph.out_edges(node_b, data=True))
 
@@ -1089,9 +1067,116 @@ class RegionIdentifier(Analysis):
 
         return new_node
 
-    def _absorb_node(
-        self, graph: networkx.DiGraph, node_mommy, node_kiddie, force_multinode=False
-    ):  # pylint:disable=no-self-use
+    def _ensure_jump_at_loop_exit_ends(self, node: Block | MultiNode) -> None:
+        if isinstance(node, Block):
+            if not node.statements:
+                node.statements.append(
+                    Jump(
+                        None,
+                        Const(None, None, node.addr + node.original_size, self.project.arch.bits),
+                        ins_addr=node.addr,
+                    )
+                )
+            else:
+                if not isinstance(first_nonlabel_nonphi_statement(node), ConditionalJump) and not isinstance(
+                    node.statements[-1],
+                    (
+                        Jump,
+                        ConditionalJump,
+                        IncompleteSwitchCaseHeadStatement,
+                    ),
+                ):
+                    node.statements.append(
+                        Jump(
+                            None,
+                            Const(None, None, node.addr + node.original_size, self.project.arch.bits),
+                            ins_addr=node.addr,
+                        )
+                    )
+        elif isinstance(node, MultiNode) and node.nodes:
+            self._ensure_jump_at_loop_exit_ends(node.nodes[-1])
+
+    @staticmethod
+    def _dbg_block_list(blocks):
+        return [(hex(b.addr) if hasattr(b, "addr") else repr(b)) for b in blocks]
+
+    #
+    # Reducibility
+    #
+
+    def test_reducibility(self) -> bool:
+        # make a copy of the graph
+        graph = networkx.DiGraph(self._graph)
+
+        # preprocess: make it a super graph
+        self._make_supergraph(graph)
+
+        while True:
+            changed = False
+
+            # find a node with a back-edge, remove the edge (deleting the loop), and replace it with a MultiNode
+            changed |= self._remove_self_loop(graph)
+
+            # find a node that has only one predecessor, and merge it with its predecessor (replace them with a
+            # MultiNode)
+            changed |= self._merge_single_entry_node(graph)
+
+            if not changed:
+                # a fixed-point is reached
+                break
+
+        # Flow graph reducibility, Hecht and Ullman
+        return len(graph.nodes) == 1
+
+    def _remove_self_loop(self, graph: networkx.DiGraph) -> bool:
+        r = False
+
+        while True:
+            for node in graph.nodes():
+                if node in graph[node]:
+                    # found a self loop
+                    self._remove_node(graph, node)
+                    r = True
+                    break
+            else:
+                break
+
+        return r
+
+    def _merge_single_entry_node(self, graph: networkx.DiGraph) -> bool:
+        r = False
+
+        while True:
+            for node in networkx.dfs_postorder_nodes(graph):
+                preds = list(graph.predecessors(node))
+                if len(preds) == 1:
+                    # merge the two nodes
+                    self._absorb_node(graph, preds[0], node)
+                    r = True
+                    break
+            else:
+                break
+
+        return r
+
+    def _remove_node(self, graph: networkx.DiGraph, node):  # pylint:disable=no-self-use
+        in_edges = [(src, dst, data) for (src, dst, data) in graph.in_edges(node, data=True) if src is not node]
+        out_edges = [(src, dst, data) for (src, dst, data) in graph.out_edges(node, data=True) if dst is not node]
+
+        # true case: it forms a region by itself :-)
+        new_node = None if len(in_edges) <= 1 and len(out_edges) <= 1 else MultiNode([node])
+
+        graph.remove_node(node)
+
+        if new_node is not None:
+            for src, _, data in in_edges:
+                graph.add_edge(src, new_node, **data)
+
+            for _, dst, data in out_edges:
+                graph.add_edge(new_node, dst, **data)
+
+    @staticmethod
+    def _absorb_node(graph: networkx.DiGraph, node_mommy, node_kiddie, force_multinode=False):
         in_edges_mommy = graph.in_edges(node_mommy, data=True)
         out_edges_mommy = graph.out_edges(node_mommy, data=True)
         out_edges_kiddie = graph.out_edges(node_kiddie, data=True)
@@ -1129,38 +1214,5 @@ class RegionIdentifier(Analysis):
         assert node_mommy not in graph
         assert node_kiddie not in graph
 
-    def _ensure_jump_at_loop_exit_ends(self, node: Block | MultiNode) -> None:
-        if isinstance(node, Block):
-            if not node.statements:
-                node.statements.append(
-                    Jump(
-                        None,
-                        Const(None, None, node.addr + node.original_size, self.project.arch.bits),
-                        ins_addr=node.addr,
-                    )
-                )
-            else:
-                if not isinstance(first_nonlabel_nonphi_statement(node), ConditionalJump) and not isinstance(
-                    node.statements[-1],
-                    (
-                        Jump,
-                        ConditionalJump,
-                        IncompleteSwitchCaseHeadStatement,
-                    ),
-                ):
-                    node.statements.append(
-                        Jump(
-                            None,
-                            Const(None, None, node.addr + node.original_size, self.project.arch.bits),
-                            ins_addr=node.addr,
-                        )
-                    )
-        elif isinstance(node, MultiNode) and node.nodes:
-            self._ensure_jump_at_loop_exit_ends(node.nodes[-1])
-
-    @staticmethod
-    def _dbg_block_list(blocks):
-        return [(hex(b.addr) if hasattr(b, "addr") else repr(b)) for b in blocks]
-
 
 register_analysis(RegionIdentifier, "RegionIdentifier")

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -1,4 +1,4 @@
-# pylint:disable=no-self-use,unused-argument
+# pylint:disable=no-self-use,unused-argument,too-many-boolean-expressions
 from __future__ import annotations
 from typing import Literal
 import logging
@@ -9,6 +9,7 @@ from ailment.manager import Manager
 from ailment.statement import (
     Statement,
     Assignment,
+    CAS,
     Store,
     Call,
     Return,
@@ -18,6 +19,7 @@ from ailment.statement import (
     WeakAssignment,
 )
 from ailment.expression import (
+    Atom,
     Expression,
     Register,
     VirtualVariable,
@@ -204,6 +206,40 @@ class SimEngineSSARewriting(
             )
         return None
 
+    def _handle_stmt_CAS(self, stmt: CAS) -> CAS | None:
+        new_addr = self._expr(stmt.addr)
+        new_data_lo = self._expr(stmt.data_lo)
+        new_data_hi = self._expr(stmt.data_hi) if stmt.data_hi is not None else None
+        new_expd_lo = self._expr(stmt.expd_lo)
+        new_expd_hi = self._expr(stmt.expd_hi) if stmt.expd_hi is not None else None
+        new_old_lo = self._expr(stmt.old_lo)
+        new_old_hi = self._expr(stmt.old_hi) if stmt.old_hi is not None else None
+        assert new_old_lo is None or isinstance(new_old_lo, Atom)
+        assert new_old_hi is None or isinstance(new_old_hi, Atom)
+
+        if (
+            new_addr is not None
+            or new_old_lo is not None
+            or new_old_hi is not None
+            or new_data_lo is not None
+            or new_data_hi is not None
+            or new_expd_lo is not None
+            or new_expd_hi is not None
+        ):
+            return CAS(
+                stmt.idx,
+                stmt.addr if new_addr is None else new_addr,
+                stmt.data_lo if new_data_lo is None else new_data_lo,
+                stmt.data_hi if new_data_hi is None else new_data_hi,
+                stmt.expd_lo if new_expd_lo is None else new_expd_lo,
+                stmt.expd_hi if new_expd_hi is None else new_expd_hi,
+                stmt.old_lo if new_old_lo is None else new_old_lo,
+                stmt.old_hi if new_old_hi is None else new_old_hi,
+                stmt.endness,
+                **stmt.tags,
+            )
+        return None
+
     def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | tuple[Assignment, ...] | None:
         new_data = self._expr(stmt.data)
         if stmt.guard is None:

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 from collections import OrderedDict
 
-from ailment.statement import Call, Store, ConditionalJump
+from ailment.statement import Call, Store, ConditionalJump, CAS
 from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression, Load
 
 from angr.engines.light import SimEngineLightAIL
@@ -64,6 +64,15 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
         self._expr(stmt.src)
         self._expr(stmt.dst)
 
+    def _handle_stmt_CAS(self, stmt: CAS):
+        self._expr(stmt.addr)
+        self._expr(stmt.data_lo)
+        if stmt.data_hi is not None:
+            self._expr(stmt.data_hi)
+        self._expr(stmt.expd_lo)
+        if stmt.expd_hi is not None:
+            self._expr(stmt.expd_hi)
+
     def _handle_stmt_Store(self, stmt: Store):
         self._expr(stmt.addr)
         self._expr(stmt.data)

angr/analyses/reaching_definitions/engine_ail.py

@@ -143,6 +143,26 @@ class SimEngineRDAIL(
         else:
             l.warning("Unsupported type of Assignment dst %s.", type(dst).__name__)
 
+    def _handle_stmt_CAS(self, stmt: ailment.statement.CAS):
+        addr = self._expr(stmt.addr)
+        old_lo = stmt.old_lo
+        old_hi = stmt.old_hi
+
+        self._expr(stmt.data_lo)
+        if stmt.data_hi is not None:
+            self._expr(stmt.data_hi)
+        self._expr(stmt.expd_lo)
+        if stmt.expd_hi is not None:
+            self._expr(stmt.expd_hi)
+
+        if isinstance(old_lo, ailment.Tmp):
+            self.state.kill_and_add_definition(Tmp(old_lo.tmp_idx, old_lo.size), addr)
+            self.tmps[old_lo.tmp_idx] = self._top(old_lo.size)
+
+        if isinstance(old_hi, ailment.Tmp):
+            self.state.kill_and_add_definition(Tmp(old_hi.tmp_idx, old_hi.size), addr)
+            self.tmps[old_hi.tmp_idx] = self._top(old_hi.size)
+
     def _handle_stmt_Store(self, stmt: ailment.Stmt.Store) -> None:
         data = self._expr(stmt.data)
         addr = self._expr_bv(stmt.addr)

angr/analyses/s_propagator.py

@@ -511,5 +511,33 @@ class SPropagatorAnalysis(Analysis):
         }
         return (block_1.addr, block_1.idx) in stmt_0_targets
 
+    @staticmethod
+    def vvar_dep_graph(blocks, vvar_def_locs, vvar_use_locs) -> networkx.DiGraph:
+        g = networkx.DiGraph()
+
+        for var_id in vvar_def_locs:
+            # where is it used?
+            for _, use_loc in vvar_use_locs[var_id]:
+                if isinstance(use_loc, ExternalCodeLocation):
+                    g.add_edge(var_id, "ExternalCodeLocation")
+                    continue
+                assert use_loc.block_addr is not None
+                assert use_loc.stmt_idx is not None
+                block = blocks[(use_loc.block_addr, use_loc.block_idx)]
+                stmt = block.statements[use_loc.stmt_idx]
+                if isinstance(stmt, Assignment):
+                    if isinstance(stmt.dst, VirtualVariable):
+                        g.add_edge(var_id, stmt.dst.varid)
+                    else:
+                        g.add_edge(var_id, f"Assignment@{stmt.ins_addr:#x}")
+                elif isinstance(stmt, Store):
+                    # store to memory
+                    g.add_edge(var_id, f"Store@{stmt.ins_addr:#x}")
+                else:
+                    # other statements
+                    g.add_edge(var_id, f"{stmt.__class__.__name__}@{stmt.ins_addr:#x}")
+
+        return g
+
 
 register_analysis(SPropagatorAnalysis, "SPropagator")

angr/analyses/smc.py

@@ -42,6 +42,8 @@ class TraceClassifier:
         """
         addr = state.solver.eval(state.inspect.mem_write_address)
         length = state.inspect.mem_write_length
+        if length is None:
+            length = len(state.inspect.mem_write_expr) // state.arch.byte_width
         if not isinstance(length, int):
             length = state.solver.eval(length)
         self.map.add(addr, length, TraceActions.WRITE)
@@ -103,7 +105,7 @@ class SelfModifyingCodeAnalysis(Analysis):
         """
         :param subject: Subject of analysis
         :param max_bytes: Maximum number of bytes from subject address. 0 for no limit (default).
-        :param state: State to begin executing from from.
+        :param state: State to begin executing from.
         """
         assert self.project.selfmodifying_code
 

angr/analyses/stack_pointer_tracker.py

@@ -791,7 +791,8 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                                     sp_adjusted = True
                                     sp_v = state.regs[self.project.arch.sp_offset]
                                     sp_v -= Constant(stmt.data.con.value)
-                                    state.put(self.project.arch.sp_offset, sp_v, force=True)
+                                    state.put(self.project.arch.sp_offset, sp_v, force=True)  # sp -= OFFSET
+                                    state.put(stmt.offset, Constant(0), force=True)  # rax = 0
                                     break
 
                 callee_cleanups = [