angr 9.2.156__cp310-cp310-macosx_11_0_arm64.whl → 9.2.157__cp310-cp310-macosx_11_0_arm64.whl

angr/analyses/typehoon/simple_solver.py

@@ -676,7 +676,7 @@ class SimpleSolver:
 
     @staticmethod
     def _get_all_paths(
-        graph: networkx.DiGraph,
+        graph: networkx.DiGraph[TypeVariable | DerivedTypeVariable],
         sketch: Sketch,
         node: DerivedTypeVariable,
         visited: dict[TypeVariable | DerivedTypeVariable, SketchNode],
@@ -684,7 +684,7 @@ class SimpleSolver:
         if node not in graph:
             return
         curr_node = visited[node]
-        for _, succ, data in graph.out_edges(node, data=True):
+        for _, succ, data in sorted(graph.out_edges(node, data=True), key=lambda x: str(x[1])):
             label = data["label"]
             if succ not in visited:
                 if isinstance(curr_node.typevar, DerivedTypeVariable):
@@ -1408,7 +1408,7 @@ class SimpleSolver:
             visited.add(curr_node)
 
             out_edges = sketch.graph.out_edges(curr_node, data=True)
-            for _, succ, data in out_edges:
+            for _, succ, data in sorted(out_edges, key=lambda x: str(x[1])):
                 if isinstance(succ, RecursiveRefNode):
                     ref = succ
                     succ: SketchNode | None = sketch.lookup(succ.target)  # type: ignore

angr/analyses/variable_recovery/engine_base.py

@@ -784,20 +784,14 @@ class SimEngineVRBase(
 
                     all_vars = {(0, variable) for variable in variables}
 
-                all_vars_list = list(all_vars)
+                all_vars_list = sorted(all_vars, key=lambda val: (val[0], val[1].key), reverse=True)
 
                 if len(all_vars_list) > 1:
-                    # sort by some value so that the outcome here isn't random
-                    cast(list[tuple[int, SimStackVariable]], all_vars_list).sort(
-                        reverse=True,
-                        key=lambda val: (val[0], val[1].offset, val[1].base, val[1].base_addr, val[1].size),
-                    )
-
                     l.warning(
                         "Reading memory with overlapping variables: %s. Ignoring all but the first one.", all_vars_list
                     )
 
-                var_offset, var = next(iter(all_vars_list))  # won't fail
+                var_offset, var = all_vars_list[0]  # won't fail
                 # calculate variable_offset
                 if dynamic_offset is None:
                     offset_into_variable = var_offset

angr/analyses/variable_recovery/variable_recovery.py

@@ -324,14 +324,15 @@ class VariableRecoveryState(VariableRecoveryStateBase):
             except SimMemoryMissingError:
                 pass
 
-            if len(existing_variables) > 1:
+            existing_vars_list = sorted(existing_variables, key=lambda val: (val[0], val[1].key), reverse=True)
+            if len(existing_vars_list) > 1:
                 # create a phi node for all other variables
                 l.warning(
                     "Reading memory with overlapping variables: %s. Ignoring all but the first one.", existing_variables
                 )
 
-            if existing_variables:
-                offset, variable = next(iter(existing_variables))
+            if existing_vars_list:
+                offset, variable = existing_vars_list[0]
                 self.variable_manager[self.func_addr].read_from(variable, offset, self._codeloc_from_state(state))
 
     def _hook_memory_write(self, state):

angr/calling_conventions.py

@@ -725,7 +725,7 @@ class SimCC:
         """
         session = self.ArgSession(self)
         if self.return_in_implicit_outparam(ret_ty):
-            self.next_arg(session, SimTypePointer(SimTypeBottom()))
+            self.next_arg(session, SimTypePointer(SimTypeBottom()).with_arch(self.arch))
         return session
 
     def return_in_implicit_outparam(self, ty) -> bool:  # pylint:disable=unused-argument
@@ -762,7 +762,7 @@ class SimCC:
                 assert self.RETURN_VAL is not None
                 ptr_loc = self.RETURN_VAL
             else:
-                ptr_loc = self.next_arg(self.ArgSession(self), SimTypePointer(SimTypeBottom()))
+                ptr_loc = self.next_arg(self.ArgSession(self), SimTypePointer(SimTypeBottom()).with_arch(self.arch))
             return SimReferenceArgument(
                 ptr_loc, SimStackArg(0, ty.size // self.arch.byte_width, is_fp=isinstance(ty, SimTypeFloat))
             )
@@ -1445,7 +1445,7 @@ class SimCCMicrosoftAMD64(SimCC):
                     size = subty.size
             if chosen is None:
                 # fallback to void*
-                chosen = SimTypePointer(SimTypeBottom())
+                chosen = SimTypePointer(SimTypeBottom()).with_arch(self.arch)
             return self.return_val(chosen, perspective_returned=perspective_returned)
 
         if not isinstance(ty, SimStruct):

angr/engines/hook.py

@@ -49,7 +49,7 @@ class HooksMixin(SuccessorsEngine, ProcedureMixin):
 
         return None
 
-    def process_successors(self, successors, procedure=None, **kwargs):
+    def process_successors(self, successors, *, procedure=None, **kwargs):
         state = self.state
         if procedure is None:
             procedure = self._lookup_hook(state, procedure)

angr/engines/icicle.py

@@ -0,0 +1,229 @@
+"""icicle.py: An angr engine that uses Icicle to execute code."""
+
+from __future__ import annotations
+
+import logging
+import os
+from dataclasses import dataclass
+
+import claripy
+import pypcode
+from archinfo import Arch, Endness
+
+from angr.engines.failure import SimEngineFailure
+from angr.engines.hook import HooksMixin
+from angr.engines.successors import SuccessorsEngine
+from angr.engines.syscall import SimEngineSyscall
+from angr.rustylib.icicle import Icicle, VmExit, ExceptionCode
+from angr.sim_state import SimState
+
+log = logging.getLogger(__name__)
+
+
+PROCESSORS_DIR = os.path.join(os.path.dirname(pypcode.__file__), "processors")
+
+
+@dataclass
+class IcicleStateTranslationData:
+    """
+    Represents the saved information needed to convert an Icicle state back
+    to an angr state.
+    """
+
+    base_state: SimState
+    registers: set[str]
+    writable_pages: set[int]
+
+
+class IcicleEngine(SuccessorsEngine):
+    """
+    An angr engine that uses Icicle to execute concrete states. The purpose of
+    this implementation is to provide a high-performance concrete execution
+    engine in angr. While historically, angr has focused on symbolic execution,
+    better support for concrete execution enables new use cases such as fuzzing
+    in angr. This is ideal for testing bespoke binary targets, such as
+    microcontroller firmware, which may be difficult to correctly harness for
+    use with traditional fuzzing engines.
+
+    This class is the base class for the Icicle engine. It implements execution
+    by creating an Icicle instance, copying the state from angr to Icicle, and then
+    running the Icicle instance. The results are then copied back to the angr
+    state. It is likely the case that this can be improved by re-using the Icicle
+    instance across multiple runs and only copying the state when necessary.
+
+    For a more complete implementation, use the UberIcicleEngine class, which
+    intends to provide a more complete set of features, such as hooks and syscalls.
+    """
+
+    @staticmethod
+    def __make_icicle_arch(arch: Arch) -> str | None:
+        """
+        Convert an angr architecture to an Icicle architecture. Not particularly
+        accurate, just a set of heuristics to get the right architecture. When
+        adding a new architecture, this function may need to be updated.
+        """
+        if arch.linux_name == "arm":
+            return "armv7a" if arch.memory_endness == Endness.LE else "armeb"
+        return arch.linux_name
+
+    @staticmethod
+    def __is_arm(icicle_arch: str) -> bool:
+        """
+        Check if the architecture is arm based on the address.
+        """
+        return icicle_arch.startswith(("arm", "thumb"))
+
+    @staticmethod
+    def __is_thumb(icicle_arch: str, addr: int) -> bool:
+        """
+        Check if the architecture is thumb based on the address.
+        """
+        return IcicleEngine.__is_arm(icicle_arch) and addr & 1 == 1
+
+    @staticmethod
+    def __get_pages(state: SimState) -> set[int]:
+        """
+        Unfortunately, the memory model doesn't have a way to get all pages.
+        Instead, we can get all of the backers from the loader, then all of the
+        pages from the PagedMemoryMixin and then do some math.
+        """
+        pages = set()
+        page_size = state.memory.page_size
+
+        # pages from loader segments
+        proj = state.project
+        if proj is not None:
+            for addr, backer in proj.loader.memory.backers():
+                start = addr // page_size
+                end = (addr + len(backer) - 1) // page_size
+                pages.update(range(start, end + 1))
+
+        # pages from the memory model
+        pages.update(state.memory._pages)
+
+        return pages
+
+    @staticmethod
+    def __convert_angr_state_to_icicle(state: SimState) -> tuple[Icicle, IcicleStateTranslationData]:
+        icicle_arch = IcicleEngine.__make_icicle_arch(state.arch)
+        if icicle_arch is None:
+            raise ValueError("Unsupported architecture")
+
+        proj = state.project
+        if proj is None:
+            raise ValueError("IcicleEngine requires a project to be set")
+
+        emu = Icicle(icicle_arch, PROCESSORS_DIR)
+
+        copied_registers = set()
+
+        # To create a state in Icicle, we need to do the following:
+        # 1. Copy the register values
+        for register in state.arch.register_list:
+            register = register.vex_name.lower() if register.vex_name is not None else register.name
+            try:
+                emu.reg_write(register, state.solver.eval(state.registers.load(register), cast_to=int))
+                copied_registers.add(register)
+            except KeyError:
+                log.debug("Register %s not found in icicle", register)
+
+        # Unset the thumb bit if necessary
+        if IcicleEngine.__is_thumb(icicle_arch, state.addr):
+            emu.pc = state.addr & ~1
+            emu.isa_mode = 1
+        elif "arm" in icicle_arch:  # Hack to work around us calling it r15t
+            emu.pc = state.addr
+
+        # Special case for x86 gs register
+        if state.arch.name == "X86":
+            emu.reg_write("GS_OFFSET", state.registers.load("gs").concrete_value << 16)
+
+        # 2. Copy the memory contents
+
+        mapped_pages = IcicleEngine.__get_pages(state)
+        writable_pages = set()
+        for page_num in mapped_pages:
+            addr = page_num * state.memory.page_size
+            size = state.memory.page_size
+            perm_bits = state.memory.permissions(addr).concrete_value
+            emu.mem_map(addr, size, perm_bits)
+            memory = state.memory.concrete_load(addr, size)
+            emu.mem_write(addr, memory)
+
+            if perm_bits & 2:
+                writable_pages.add(page_num)
+
+        # Add breakpoints for simprocedures
+        for addr in proj._sim_procedures:
+            emu.add_breakpoint(addr)
+
+        translation_data = IcicleStateTranslationData(
+            base_state=state,
+            registers=copied_registers,
+            writable_pages=writable_pages,
+        )
+
+        return (emu, translation_data)
+
+    @staticmethod
+    def __convert_icicle_state_to_angr(emu: Icicle, translation_data: IcicleStateTranslationData) -> SimState:
+        state = translation_data.base_state.copy()
+
+        # 1. Copy the register values
+        for register in translation_data.registers:
+            state.registers.store(register, emu.reg_read(register))
+
+        if IcicleEngine.__is_arm(emu.architecture):  # Hack to work around us calling it r15t
+            state.registers.store("pc", (emu.pc | 1) if emu.isa_mode == 1 else emu.pc)
+
+        # 2. Copy the memory contents
+        for page_num in translation_data.writable_pages:
+            addr = page_num * state.memory.page_size
+            state.memory.store(addr, emu.mem_read(addr, state.memory.page_size))
+
+        return state
+
+    def process_successors(self, successors, *, num_inst=0, **kwargs):
+        if len(kwargs) > 0:
+            log.warning("IcicleEngine.process_successors received unknown kwargs: %s", kwargs)
+
+        emu, translation_data = self.__convert_angr_state_to_icicle(self.state)
+
+        if num_inst > 0:
+            emu.icount_limit = num_inst
+
+        status = emu.run()  # pylint: ignore=assignment-from-no-return (pylint bug)
+        exc = emu.exception_code
+
+        if status == VmExit.UnhandledException:
+            if exc in (
+                ExceptionCode.ReadUnmapped,
+                ExceptionCode.ReadPerm,
+                ExceptionCode.WriteUnmapped,
+                ExceptionCode.WritePerm,
+                ExceptionCode.ExecViolation,
+            ):
+                jumpkind = "Ijk_SigSEGV"
+            elif exc == ExceptionCode.Syscall:
+                jumpkind = "Ijk_Syscall"
+            elif exc == ExceptionCode.Halt:
+                jumpkind = "Ijk_Exit"
+            elif exc == ExceptionCode.InvalidInstruction:
+                jumpkind = "Ijk_NoDecode"
+            else:
+                jumpkind = "Ijk_EmFail"
+        else:
+            jumpkind = "Ijk_Boring"
+
+        successor_state = IcicleEngine.__convert_icicle_state_to_angr(emu, translation_data)
+        successors.add_successor(successor_state, successor_state.ip, claripy.true(), jumpkind, add_guard=False)
+
+        successors.processed = True
+
+
+class UberIcicleEngine(SimEngineFailure, SimEngineSyscall, HooksMixin, IcicleEngine):
+    """
+    An extension of the IcicleEngine that uses mixins to add support for
+    syscalls and hooks. Most users will prefer to use this engine instead of the
+    IcicleEngine directly.
+    """

angr/engines/pcode/behavior.py

@@ -4,13 +4,10 @@ from collections.abc import Callable, Iterable
 
 import claripy
 from claripy.ast.bv import BV
+from pypcode import OpCode
 
 from angr.errors import AngrError
 
-try:
-    from pypcode import OpCode
-except ImportError:
-    OpCode = None
 
 # pylint:disable=abstract-method
 

angr/engines/pcode/emulate.py

@@ -3,6 +3,7 @@ import logging
 
 import claripy
 from claripy.ast.bv import BV
+from pypcode import OpCode, Varnode, PcodeOp
 
 from angr.engines.engine import SimEngine
 from angr.utils.constants import DEFAULT_STATEMENT
@@ -10,10 +11,6 @@ from .lifter import IRSB
 from .behavior import OpBehavior
 from angr.errors import AngrError
 from angr.state_plugins.inspect import BP_BEFORE, BP_AFTER
-import contextlib
-
-with contextlib.suppress(ImportError):
-    from pypcode import OpCode, Varnode, PcodeOp
 
 
 l = logging.getLogger(__name__)

angr/engines/pcode/lifter.py

@@ -11,8 +11,9 @@ from typing import Any, TYPE_CHECKING
 from collections.abc import Iterable, Sequence
 
 import archinfo
-from archinfo import ArchARM, ArchPcode
 import cle
+import pypcode
+from archinfo import ArchARM, ArchPcode
 from cachetools import LRUCache
 
 # FIXME: Reusing these errors from pyvex for compatibility. Eventually these
@@ -28,16 +29,7 @@ from angr.errors import SimEngineError, SimTranslationError, SimError
 from angr import sim_options as o
 from angr.block import DisassemblerBlock, DisassemblerInsn
 
-
-try:
-    import pypcode
-except ImportError:
-    pypcode = None
-
-
 if TYPE_CHECKING:
-    # this is to make pyright happy; otherwise it believes pypcode is None
-    import pypcode
     from pypcode import PcodeOp, Context
 
 

angr/engines/vex/claripy/irop.py

@@ -982,10 +982,10 @@ class SimIROp:
         return self._fp_vector_comparison(claripy.fpEQ, a0, a1)
 
     def _op_fgeneric_CmpLE(self, a0, a1):
-        return self._fp_vector_comparison(claripy.fpLT, a0, a1)
+        return self._fp_vector_comparison(claripy.fpLEQ, a0, a1)
 
     def _op_fgeneric_CmpLT(self, a0, a1):
-        return self._fp_vector_comparison(claripy.fpLEQ, a0, a1)
+        return self._fp_vector_comparison(claripy.fpLT, a0, a1)
 
     def _auto_vectorize(self, f, args, rm=None, rm_passed=False):
         if rm is not None:

angr/knowledge_plugins/functions/function.py

@@ -206,14 +206,17 @@ class Function(Serializable):
         if is_plt is not None:
             self.is_plt = is_plt
         else:
-            # Whether this function is a PLT entry or not is primarily relying on the PLT detection in CLE; it may also
-            # be updated (to True) during CFG recovery.
-            if self.project is None:
-                raise ValueError(
-                    "'is_plt' must be specified if you do not specify a function manager for this new function."
-                )
-
-            self.is_plt = self.project.loader.find_plt_stub_name(addr) is not None
+            if self._function_manager is not None:
+                # use the faster cached version
+                self.is_plt = self._function_manager.is_plt_cached(addr)
+            else:
+                # Whether this function is a PLT entry or not is primarily relying on the PLT detection in CLE; it may
+                # also be updated (to True) during CFG recovery.
+                if self.project is None:
+                    raise ValueError(
+                        "'is_plt' must be specified if you do not specify a function manager for this new function."
+                    )
+                self.is_plt = self.project.loader.find_plt_stub_name(addr) is not None
 
         # Determine the name of this function
         if name is None:
@@ -726,8 +729,13 @@ class Function(Serializable):
             if hooker is not None:
                 binary_name = hooker.library_name
 
-        if binary_name is None and self.binary is not None and self.binary.binary:
-            binary_name = os.path.basename(self.binary.binary)
+        if binary_name is None:
+            if self._function_manager is not None:
+                # use the faster cached version
+                binary_name = self._function_manager.get_binary_name_cached(self.addr)
+            else:
+                if self.binary is not None and self.binary.binary:
+                    binary_name = os.path.basename(self.binary.binary)
 
         return binary_name
 

angr/knowledge_plugins/functions/function_manager.py

@@ -7,11 +7,14 @@ import logging
 import collections.abc
 import re
 import weakref
+import bisect
+import os
 from sortedcontainers import SortedDict
 
 import networkx
 
 from archinfo.arch_soot import SootMethodDescriptor
+import cle
 
 from angr.errors import SimEngineError
 from angr.knowledge_plugins.plugin import KnowledgeBasePlugin
@@ -49,7 +52,8 @@ class FunctionDict(SortedDict):
                 t = Function(self._backref, addr)
             with contextlib.suppress(Exception):
                 self[addr] = t
-            self._backref._function_added(t)
+            if self._backref is not None:
+                self._backref._function_added(t)
             return t
 
     def get(self, addr):
@@ -85,7 +89,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         super().__init__(kb=kb)
         self.function_address_types = self._kb._project.arch.function_address_types
         self.address_types = self._kb._project.arch.address_types
-        self._function_map: dict[int, Function] = FunctionDict(self, key_types=self.function_address_types)
+        self._function_map: FunctionDict[int, Function] = FunctionDict(self, key_types=self.function_address_types)
         self.function_addrs_set: set = set()
         self.callgraph = networkx.MultiDiGraph()
         self.block_map = {}
@@ -93,6 +97,12 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         # Registers used for passing arguments around
         self._arg_registers = kb._project.arch.argument_registers
 
+        # local PLT dictionary cache
+        self._rplt_cache_ranges: None | list[tuple[int, int]] = None
+        self._rplt_cache: None | set[int] = None
+        # local binary name cache: min_addr -> (max_addr, binary_name)
+        self._binname_cache: None | SortedDict[int, tuple[int, str | None]] = None
+
     def __setstate__(self, state):
         self._kb = state["_kb"]
         self.function_address_types = state["function_address_types"]
@@ -101,7 +111,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         self.callgraph = state["callgraph"]
         self.block_map = state["block_map"]
 
-        self._function_map._backref = self
+        self._function_map._backref = weakref.proxy(self)
         for func in self._function_map.values():
             func._function_manager = self
 
@@ -131,18 +141,71 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         self.callgraph = networkx.MultiDiGraph()
         self.block_map.clear()
         self.function_addrs_set = set()
+        # cache
+        self._rplt_cache = None
+        self._rplt_cache_ranges = None
+        self._binname_cache = None
 
-    def _genenare_callmap_sif(self, filepath):
+    def _genenate_callmap_sif(self, filepath):
         """
         Generate a sif file from the call map.
 
         :param filepath:    Path of the sif file
         :return:            None
         """
-        with open(filepath, "wb") as f:
+        with open(filepath, "w", encoding="utf-8") as f:
             for src, dst in self.callgraph.edges():
                 f.write(f"{src:#x}\tDirectEdge\t{dst:#x}\n")
 
+    def _addr_in_plt_cached_ranges(self, addr: int) -> bool:
+        if self._rplt_cache_ranges is None:
+            return False
+        pos = bisect.bisect_left(self._rplt_cache_ranges, addr, key=lambda x: x[0])
+        return pos > 0 and self._rplt_cache_ranges[pos - 1][0] <= addr < self._rplt_cache_ranges[pos - 1][1]
+
+    def is_plt_cached(self, addr: int) -> bool:
+        # check if the addr is in the cache range
+        if not self._addr_in_plt_cached_ranges(addr):
+            # find the object containing this addr
+            obj = self._kb._project.loader.find_object_containing(addr, membership_check=False)
+            if obj is None:
+                return False
+            if self._rplt_cache_ranges is None:
+                self._rplt_cache_ranges = []
+            obj_range = obj.min_addr, obj.max_addr
+            idx = bisect.bisect_left(self._rplt_cache_ranges, obj_range)
+            if not (idx < len(self._rplt_cache_ranges) and self._rplt_cache_ranges[idx] == obj_range):
+                self._rplt_cache_ranges.insert(idx, obj_range)
+            if isinstance(obj, cle.MetaELF):
+                if self._rplt_cache is None:
+                    self._rplt_cache = set()
+                self._rplt_cache |= set(obj.reverse_plt)
+
+        return addr in self._rplt_cache if self._rplt_cache is not None else False
+
+    def _binname_cache_get_addr_base(self, addr: int) -> int | None:
+        if self._binname_cache is None:
+            return None
+        try:
+            base_addr = next(self._binname_cache.irange(maximum=addr, reverse=True))
+        except StopIteration:
+            return None
+        return base_addr if base_addr <= addr < self._binname_cache[base_addr][0] else None
+
+    def get_binary_name_cached(self, addr: int) -> str | None:
+        base_addr = self._binname_cache_get_addr_base(addr)
+        if base_addr is None:
+            # not cached; cache it first
+            obj = self._kb._project.loader.find_object_containing(addr, membership_check=False)
+            if obj is None:
+                return None
+            if self._binname_cache is None:
+                self._binname_cache = SortedDict()
+            binary_basename = os.path.basename(obj.binary) if obj.binary else None
+            self._binname_cache[obj.min_addr] = obj.max_addr, binary_basename
+            base_addr = obj.min_addr
+        return self._binname_cache[base_addr][1] if self._binname_cache is not None else None
+
     def _add_node(self, function_addr, node, syscall=None, size=None):
         if isinstance(node, self.address_types):
             node = self._kb._project.factory.snippet(node, size=size)

angr/knowledge_plugins/variables/variable_manager.py

@@ -582,7 +582,7 @@ class VariableManagerInternal(Serializable):
                     return phi
 
         # allocate a new phi variable
-        repre = next(iter(variables))
+        repre = sorted(variables, key=lambda val: val.key)[0]
         repre_type = type(repre)
         repre_size = max(var.size for var in variables)
         if repre_type is SimRegisterVariable:
@@ -635,7 +635,13 @@ class VariableManagerInternal(Serializable):
         return loc in self._variable_to_stmt[variable]
 
     def find_variable_by_stmt(self, block_addr, stmt_idx, sort, block_idx: int | None = None):
-        return next(iter(self.find_variables_by_stmt(block_addr, stmt_idx, sort, block_idx=block_idx)), None)
+        variables = sorted(
+            self.find_variables_by_stmt(block_addr, stmt_idx, sort, block_idx=block_idx),
+            key=lambda var: (var[1], var[0].key),
+        )
+        if variables:
+            return variables[0]
+        return None
 
     def find_variables_by_stmt(
         self, block_addr: int, stmt_idx: int, sort: str, block_idx: int | None = None
@@ -667,7 +673,13 @@ class VariableManagerInternal(Serializable):
         return var_and_offsets
 
     def find_variable_by_atom(self, block_addr, stmt_idx, atom, block_idx: int | None = None):
-        return next(iter(self.find_variables_by_atom(block_addr, stmt_idx, atom, block_idx=block_idx)), None)
+        variables = sorted(
+            self.find_variables_by_atom(block_addr, stmt_idx, atom, block_idx=block_idx),
+            key=lambda val: (val[1], val[0].key),
+        )
+        if variables:
+            return variables[0]
+        return None
 
     def find_variables_by_atom(
         self, block_addr, stmt_idx, atom, block_idx: int | None = None