angr 9.2.160__cp310-abi3-macosx_11_0_arm64.whl → 9.2.162__cp310-abi3-macosx_11_0_arm64.whl

angr/engines/icicle.py

@@ -5,17 +5,16 @@ from __future__ import annotations
 import logging
 import os
 from dataclasses import dataclass
+from typing_extensions import override
 
-import claripy
 import pypcode
 from archinfo import Arch, Endness
 
+from angr.engines.concrete import ConcreteEngine, HeavyConcreteState
 from angr.engines.failure import SimEngineFailure
 from angr.engines.hook import HooksMixin
-from angr.engines.successors import SuccessorsEngine
 from angr.engines.syscall import SimEngineSyscall
 from angr.rustylib.icicle import Icicle, VmExit, ExceptionCode
-from angr.sim_state import SimState
 
 log = logging.getLogger(__name__)
 
@@ -30,12 +29,13 @@ class IcicleStateTranslationData:
     to an angr state.
     """
 
-    base_state: SimState
+    base_state: HeavyConcreteState
     registers: set[str]
     writable_pages: set[int]
+    initial_cpu_icount: int
 
 
-class IcicleEngine(SuccessorsEngine):
+class IcicleEngine(ConcreteEngine):
     """
     An angr engine that uses Icicle to execute concrete states. The purpose of
     this implementation is to provide a high-performance concrete execution
@@ -55,6 +55,16 @@ class IcicleEngine(SuccessorsEngine):
     intends to provide a more complete set of features, such as hooks and syscalls.
     """
 
+    breakpoints: set[int]
+
+    def __init__(self, *args, **kwargs):
+        """
+        Initialize the IcicleEngine. This sets up the breakpoints set and
+        initializes the parent class.
+        """
+        super().__init__(*args, **kwargs)
+        self.breakpoints = set()
+
     @staticmethod
     def __make_icicle_arch(arch: Arch) -> str | None:
         """
@@ -81,7 +91,7 @@ class IcicleEngine(SuccessorsEngine):
         return IcicleEngine.__is_arm(icicle_arch) and addr & 1 == 1
 
     @staticmethod
-    def __get_pages(state: SimState) -> set[int]:
+    def __get_pages(state: HeavyConcreteState) -> set[int]:
         """
         Unfortunately, the memory model doesn't have a way to get all pages.
         Instead, we can get all of the backers from the loader, then all of the
@@ -104,7 +114,7 @@ class IcicleEngine(SuccessorsEngine):
         return pages
 
     @staticmethod
-    def __convert_angr_state_to_icicle(state: SimState) -> tuple[Icicle, IcicleStateTranslationData]:
+    def __convert_angr_state_to_icicle(state: HeavyConcreteState) -> tuple[Icicle, IcicleStateTranslationData]:
         icicle_arch = IcicleEngine.__make_icicle_arch(state.arch)
         if icicle_arch is None:
             raise ValueError("Unsupported architecture")
@@ -161,12 +171,15 @@ class IcicleEngine(SuccessorsEngine):
             base_state=state,
             registers=copied_registers,
             writable_pages=writable_pages,
+            initial_cpu_icount=emu.cpu_icount,
         )
 
         return (emu, translation_data)
 
     @staticmethod
-    def __convert_icicle_state_to_angr(emu: Icicle, translation_data: IcicleStateTranslationData) -> SimState:
+    def __convert_icicle_state_to_angr(
+        emu: Icicle, translation_data: IcicleStateTranslationData, status: VmExit
+    ) -> HeavyConcreteState:
         state = translation_data.base_state.copy()
 
         # 1. Copy the register values
@@ -181,20 +194,8 @@ class IcicleEngine(SuccessorsEngine):
             addr = page_num * state.memory.page_size
             state.memory.store(addr, emu.mem_read(addr, state.memory.page_size))
 
-        return state
-
-    def process_successors(self, successors, *, num_inst=0, **kwargs):
-        if len(kwargs) > 0:
-            log.warning("IcicleEngine.process_successors received unknown kwargs: %s", kwargs)
-
-        emu, translation_data = self.__convert_angr_state_to_icicle(self.state)
-
-        if num_inst > 0:
-            emu.icount_limit = num_inst
-
-        status = emu.run()  # pylint: ignore=assignment-from-no-return (pylint bug)
+        # 3. Set history.jumpkind
         exc = emu.exception_code
-
         if status == VmExit.UnhandledException:
             if exc in (
                 ExceptionCode.ReadUnmapped,
@@ -203,22 +204,57 @@ class IcicleEngine(SuccessorsEngine):
                 ExceptionCode.WritePerm,
                 ExceptionCode.ExecViolation,
             ):
-                jumpkind = "Ijk_SigSEGV"
+                state.history.jumpkind = "Ijk_SigSEGV"
             elif exc == ExceptionCode.Syscall:
-                jumpkind = "Ijk_Syscall"
+                state.history.jumpkind = "Ijk_Syscall"
             elif exc == ExceptionCode.Halt:
-                jumpkind = "Ijk_Exit"
+                state.history.jumpkind = "Ijk_Exit"
             elif exc == ExceptionCode.InvalidInstruction:
-                jumpkind = "Ijk_NoDecode"
+                state.history.jumpkind = "Ijk_NoDecode"
             else:
-                jumpkind = "Ijk_EmFail"
+                state.history.jumpkind = "Ijk_EmFail"
         else:
-            jumpkind = "Ijk_Boring"
+            state.history.jumpkind = "Ijk_Boring"
+
+        # 4. Set history.recent_instruction_count
+        state.history.recent_instruction_count = emu.cpu_icount - translation_data.initial_cpu_icount
+
+        return state
+
+    @override
+    def get_breakpoints(self) -> set[int]:
+        """Return the set of currently set breakpoints."""
+        return self.breakpoints
+
+    @override
+    def add_breakpoint(self, addr: int) -> None:
+        """Add a breakpoint at the given address."""
+        self.breakpoints.add(addr)
+
+    @override
+    def remove_breakpoint(self, addr: int) -> None:
+        """Remove a breakpoint at the given address, if present."""
+        self.breakpoints.discard(addr)
+
+    @override
+    def process_concrete(self, state: HeavyConcreteState, num_inst: int | None = None) -> HeavyConcreteState:
+        emu, translation_data = self.__convert_angr_state_to_icicle(state)
+
+        # Set breakpoints, skip the current PC. This assumes that if running
+        # with a breakpoint at the current PC, then the user has already done
+        # the necessary handling and is resuming execution.
+        for addr in self.breakpoints:
+            if emu.pc != addr:
+                emu.add_breakpoint(addr)
+
+        # Set the instruction count limit
+        if num_inst is not None and num_inst > 0:
+            emu.icount_limit = num_inst
 
-        successor_state = IcicleEngine.__convert_icicle_state_to_angr(emu, translation_data)
-        successors.add_successor(successor_state, successor_state.ip, claripy.true(), jumpkind, add_guard=False)
+        # Run it
+        status = emu.run()
 
-        successors.processed = True
+        return IcicleEngine.__convert_icicle_state_to_angr(emu, translation_data, status)
 
 
 class UberIcicleEngine(SimEngineFailure, SimEngineSyscall, HooksMixin, IcicleEngine):

angr/exploration_techniques/driller_core.py

@@ -94,7 +94,7 @@ class DrillerCore(ExplorationTechnique):
     @staticmethod
     def _has_false(state):
         # Check if the state is unsat even if we remove preconstraints.
-        if state.scratch.guard.identical(claripy.false()):
+        if claripy.is_false(state.scratch.guard):
             return True
 
-        return any(c.identical(claripy.false()) for c in state.solver.constraints)
+        return any(claripy.is_false(c) for c in state.solver.constraints)

angr/knowledge_plugins/functions/function.py

@@ -1666,7 +1666,7 @@ class Function(Serializable):
         if self.is_rust_function():
             ast = pydemumble.demangle(self.name)
             return Function._rust_fmt_node(ast.split("::")[-2])
-        func_name = get_cpp_function_name(self.demangled_name, specialized=False, qualified=True)
+        func_name = get_cpp_function_name(self.demangled_name)
         return func_name.split("::")[-1]
 
     def get_unambiguous_name(self, display_name: str | None = None) -> str:

angr/knowledge_plugins/functions/function_manager.py

@@ -154,8 +154,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         :return:            None
         """
         with open(filepath, "w", encoding="utf-8") as f:
-            for src, dst in self.callgraph.edges():
-                f.write(f"{src:#x}\tDirectEdge\t{dst:#x}\n")
+            f.writelines(f"{src:#x}\tDirectEdge\t{dst:#x}\n" for src, dst in self.callgraph.edges())
 
     def _addr_in_plt_cached_ranges(self, addr: int) -> bool:
         if self._rplt_cache_ranges is None:

angr/project.py

@@ -297,11 +297,18 @@ class Project:
 
         # Step 1: get the set of libraries we are allowed to use to resolve unresolved symbols
         missing_libs = []
+        missing_wincore_dlls = False
         for lib_name in self.loader.missing_dependencies:
             try:
                 missing_libs.extend(SIM_LIBRARIES[lib_name])
             except KeyError:
                 l.info("There are no simprocedures for missing library %s :(", lib_name)
+                if lib_name.startswith("api-ms-win-"):
+                    missing_wincore_dlls = True
+        if missing_wincore_dlls and "kernel32.dll" not in self.loader.missing_dependencies:
+            # some of the missing api-ms-win-*.dll libraries are actually provided by kernel32.dll
+            missing_libs.extend(SIM_LIBRARIES["kernel32.dll"])
+
         # additionally provide libraries we _have_ loaded as a fallback fallback
         # this helps in the case that e.g. CLE picked up a linux arm libc to satisfy an android arm binary
         for lib in self.loader.all_objects:

angr/sim_type.py

@@ -609,33 +609,41 @@ class SimTypeWideChar(SimTypeReg):
 
     _base_name = "char"
 
-    def __init__(self, signed=True, label=None):
+    def __init__(self, signed=True, label=None, endness: Endness = Endness.BE):
         """
         :param label: the type label.
         """
         SimTypeReg.__init__(self, 16, label=label)
         self.signed = signed
+        self.endness = endness
 
     def __repr__(self):
         return "wchar"
 
     def store(self, state, addr, value: StoreType):
-        self._size = state.arch.byte_width
         try:
             super().store(state, addr, value)
         except TypeError:
             if isinstance(value, bytes) and len(value) == 2:
-                value = claripy.BVV(value[0], state.arch.byte_width)
+                inner = (
+                    ((value[0] << state.arch.byte_width) | value[1])
+                    if self.endness == Endness.BE
+                    else ((value[1] << state.arch.byte_width) | value[0])
+                )
+                value = claripy.BVV(inner, state.arch.byte_width * 2)
                 super().store(state, addr, value)
             else:
                 raise
 
     def extract(self, state, addr, concrete=False) -> Any:
-        self._size = state.arch.byte_width
-
-        out = super().extract(state, addr, concrete)
+        out = state.memory.load(addr, 2)
         if concrete:
-            return bytes([out])
+            data = state.solver.eval(out, cast_to=bytes)
+            fmt_str = "utf-16be" if self.endness == Endness.BE else "utf-16le"
+            try:
+                return data.decode(fmt_str)
+            except UnicodeDecodeError:
+                return data
         return out
 
     def _init_str(self):
@@ -645,7 +653,7 @@ class SimTypeWideChar(SimTypeReg):
         )
 
     def copy(self):
-        return self.__class__(signed=self.signed, label=self.label)
+        return self.__class__(signed=self.signed, label=self.label, endness=self.endness)
 
 
 class SimTypeBool(SimTypeReg):

angr/simos/javavm.py

@@ -255,7 +255,7 @@ class SimJavaVM(SimOS):
                     upper = native_arg_value.get_bytes(0, 4)
                     lower = native_arg_value.get_bytes(4, 4)
                     idx = args.index(arg)
-                    args = args[:idx] + (SootArgument(upper, "int"), SootArgument(lower, "int")) + args[idx + 1 :]
+                    args = (*args[:idx], SootArgument(upper, "int"), SootArgument(lower, "int"), *args[idx + 1 :])
                     native_arg_values += [upper, lower]
                     continue
                 if type(arg.value) is BV and len(arg.value) > arg_ty.size:

angr/utils/graph.py

@@ -55,7 +55,7 @@ def inverted_idoms(graph: networkx.DiGraph) -> tuple[networkx.DiGraph, dict | No
 
 
 def to_acyclic_graph(
-    graph: networkx.DiGraph, ordered_nodes: list | None = None, loop_heads: list | None = None
+    graph: networkx.DiGraph, node_order: dict[Any, int] | None = None, loop_heads: list | None = None
 ) -> networkx.DiGraph:
     """
     Convert a given DiGraph into an acyclic graph.
@@ -66,21 +66,22 @@ def to_acyclic_graph(
     :return:                The converted acyclic graph.
     """
 
-    if ordered_nodes is None:
+    if node_order is None:
         # take the quasi-topological order of the graph
         ordered_nodes = GraphUtils.quasi_topological_sort_nodes(graph, loop_heads=loop_heads)
-
-    acyclic_graph = networkx.DiGraph()
+        node_order = {n: i for i, n in enumerate(ordered_nodes)}
 
     # add each node and its edge into the graph
-    visited = set()
-    for node in ordered_nodes:
-        visited.add(node)
-        acyclic_graph.add_node(node)
-        for successor in graph.successors(node):
-            if successor not in visited:
-                acyclic_graph.add_edge(node, successor)
-
+    edges_to_remove = []
+    for src, dst in graph.edges():
+        src_order = node_order[src]
+        dst_order = node_order[dst]
+        if src_order > dst_order:
+            # this is a back edge, we need to remove it
+            edges_to_remove.append((src, dst))
+
+    acyclic_graph = graph.copy()
+    acyclic_graph.remove_edges_from(edges_to_remove)
     return acyclic_graph
 
 
@@ -534,11 +535,30 @@ class Dominators:
 
     def _pd_eval(self, v):
         assert self._ancestor is not None
+        assert self._semi is not None
         assert self._label is not None
 
         if self._ancestor[v.index] is None:
             return v
-        self._pd_compress(v)
+
+        # pd_compress without recursion
+        queue = []
+        current = v
+        ancestor = self._ancestor[current.index]
+        greater_ancestor = self._ancestor[ancestor.index]
+        while greater_ancestor is not None:
+            queue.append(current)
+            current, ancestor = ancestor, greater_ancestor
+            greater_ancestor = self._ancestor[ancestor.index]
+
+        for vv in reversed(queue):
+            if (
+                self._semi[self._label[self._ancestor[vv.index].index].index].index
+                < self._semi[self._label[vv.index].index].index
+            ):
+                self._label[vv.index] = self._label[self._ancestor[vv.index].index]
+            self._ancestor[vv.index] = self._ancestor[self._ancestor[vv.index].index]
+
         return self._label[v.index]
 
     def _pd_compress(self, v):
@@ -653,6 +673,21 @@ class GraphUtils:
 
         return list(widening_addrs)
 
+    @staticmethod
+    def dfs_postorder_nodes_deterministic(graph: networkx.DiGraph, source):
+        visited = set()
+        stack = [source]
+        while stack:
+            node = stack[-1]
+            if node not in visited:
+                visited.add(node)
+                for succ in sorted(graph.successors(node), key=GraphUtils._sort_node):
+                    if succ not in visited:
+                        stack.append(succ)
+            else:
+                yield node
+                stack.pop()
+
     @staticmethod
     def reverse_post_order_sort_nodes(graph, nodes=None):
         """

angr/utils/library.py

@@ -168,7 +168,7 @@ def parsedcprotos2py(
                 proto_.returnty = SimTypeFd(label=proto_.returnty.label)
             for i, arg in enumerate(proto_.args):
                 if (func_name, i) in fd_spots:
-                    proto_.args = proto_.args[:i] + (SimTypeFd(label=arg.label),) + proto_.args[i + 1 :]
+                    proto_.args = (*proto_.args[:i], SimTypeFd(label=arg.label), *proto_.args[i + 1 :])
 
         line1 = " " * 8 + "#" + ((" " + decl) if decl else "") + "\n"
         line2 = " " * 8 + repr(func_name) + ": " + (proto_._init_str() if proto_ is not None else "None") + "," + "\n"
@@ -195,17 +195,18 @@ def cprotos2py(cprotos: list[str], fd_spots=frozenset(), remove_sys_prefix=False
     return parsedcprotos2py(parsed_cprotos, fd_spots=fd_spots, remove_sys_prefix=remove_sys_prefix)
 
 
-def get_cpp_function_name(demangled_name, specialized=True, qualified=True):
-    # remove "<???>"s
-    name = normalize_cpp_function_name(demangled_name) if not specialized else demangled_name
+def get_cpp_function_name(demangled_name: str) -> str:
+    """
+    Parse a demangled C++ declaration into a function name.
 
-    if not qualified:
-        # remove leading namespaces
-        chunks = name.split("::")
-        name = "::".join(chunks[2:])
+    Note that the extracted name may include template instantiation, for example:
 
-    # remove arguments
-    if "(" in name:
-        name = name[: name.find("(")]
+        example_func<int>
 
-    return name
+    :param demangled_name: The demangled C++ function name.
+    :return:               The qualified function name, excluding return type and parameters.
+    """
+    func_decls, _ = parse_cpp_file(demangled_name)
+    if func_decls and len(func_decls) == 1:
+        return next(iter(func_decls))
+    return normalize_cpp_function_name(demangled_name)

angr/utils/ssa/__init__.py

@@ -6,7 +6,7 @@ from typing import Any, Literal, overload
 import networkx
 
 import archinfo
-from angr.ailment import Expression, Block
+from angr.ailment import Expression, Block, UnaryOp
 from angr.ailment.expression import (
     VirtualVariable,
     Const,
@@ -42,7 +42,7 @@ def get_reg_offset_base_and_size(
 
 def get_reg_offset_base_and_size(
     reg_offset: int, arch: archinfo.Arch, size: int | None = None, resilient: bool = True
-) -> tuple[int, int] | None:
+) -> tuple[int, int | None] | None:
     """
     Translate a given register offset into the offset of its full register and obtain the size of the full register.
 
@@ -89,7 +89,7 @@ def get_reg_offset_base(reg_offset, arch, size=None, resilient=True):
 
 
 def get_vvar_deflocs(
-    blocks, phi_vvars: dict[int, set[int]] | None = None
+    blocks, phi_vvars: dict[int, set[int | None]] | None = None
 ) -> dict[int, tuple[VirtualVariable, CodeLocation]]:
     vvar_to_loc: dict[int, tuple[VirtualVariable, CodeLocation]] = {}
     for block in blocks:
@@ -100,7 +100,7 @@ def get_vvar_deflocs(
                 )
                 if phi_vvars is not None and isinstance(stmt.src, Phi):
                     phi_vvars[stmt.dst.varid] = {
-                        vvar_.varid for src, vvar_ in stmt.src.src_and_vvars if vvar_ is not None
+                        vvar_.varid if vvar_ is not None else None for src, vvar_ in stmt.src.src_and_vvars
                     }
             elif isinstance(stmt, Call):
                 if isinstance(stmt.ret_expr, VirtualVariable):
@@ -161,7 +161,7 @@ def get_tmp_uselocs(blocks) -> dict[CodeLocation, dict[atoms.Tmp, set[tuple[Tmp,
     return tmp_to_loc
 
 
-def is_const_assignment(stmt: Statement) -> tuple[bool, Const | None]:
+def is_const_assignment(stmt: Statement) -> tuple[bool, Const | StackBaseOffset | None]:
     if isinstance(stmt, Assignment) and isinstance(stmt.src, (Const, StackBaseOffset)):
         return True, stmt.src
     return False, None
@@ -278,6 +278,31 @@ def has_tmp_expr(expr: Expression) -> bool:
     return walker.has_blacklisted_exprs
 
 
+class AILReferenceFinder(AILBlockWalkerBase):
+    """
+    Walks an AIL expression or statement and finds if it contains references to certain expressions.
+    """
+
+    def __init__(self, vvar_id: int):
+        super().__init__()
+        self.vvar_id = vvar_id
+        self.has_references_to_vvar = False
+
+    def _handle_UnaryOp(
+        self, expr_idx: int, expr: UnaryOp, stmt_idx: int, stmt: Statement | None, block: Block | None
+    ) -> Any:
+        if expr.op == "Reference" and isinstance(expr.operand, VirtualVariable) and expr.operand.varid == self.vvar_id:
+            self.has_references_to_vvar = True
+            return None
+        return super()._handle_UnaryOp(expr_idx, expr, stmt_idx, stmt, block)
+
+
+def has_reference_to_vvar(stmt: Statement, vvar_id: int) -> bool:
+    walker = AILReferenceFinder(vvar_id)
+    walker.walk_statement(stmt)
+    return walker.has_references_to_vvar
+
+
 def check_in_between_stmts(
     graph: networkx.DiGraph,
     blocks: dict[tuple[int, int | None], Block],
@@ -358,6 +383,33 @@ def has_load_expr_in_between_stmts(
     )
 
 
+def is_vvar_propagatable(vvar: VirtualVariable, def_stmt: Statement | None) -> bool:
+    if vvar.was_tmp or vvar.was_reg or vvar.was_parameter:
+        return True
+    if vvar.was_stack and isinstance(def_stmt, Assignment):
+        if isinstance(def_stmt.src, Const):
+            return True
+        if (
+            isinstance(def_stmt.src, VirtualVariable)
+            and def_stmt.src.was_stack
+            and def_stmt.src.stack_offset == vvar.stack_offset
+        ):
+            # special case: the following block
+            #   ## Block 401e98
+            #   00 | 0x401e98 | LABEL_401e98:
+            #   01 | 0x401e98 | vvar_227{stack -12} = 𝜙@32b [((4202088, None), vvar_277{stack -12}), ((4202076, None),
+            #                   vvar_278{stack -12})]
+            #   02 | 0x401ea0 | return Conv(32->64, vvar_227{stack -12});
+            # might be simplified to the following block after return duplication
+            #   ## Block 401e98.1
+            #   00 | 0x401e98 | LABEL_401e98__1:
+            #   01 | 0x401e98 | vvar_279{stack -12} = vvar_277{stack -12}
+            #   02 | 0x401ea0 | return Conv(32->64, vvar_279{stack -12});
+            # in this case, vvar_279 is eliminatable.
+            return True
+    return False
+
+
 def is_vvar_eliminatable(vvar: VirtualVariable, def_stmt: Statement | None) -> bool:
     if vvar.was_tmp or vvar.was_reg or vvar.was_parameter:
         return True

{angr-9.2.160.dist-info → angr-9.2.162.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: angr
-Version: 9.2.160
+Version: 9.2.162
 Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
 License: BSD-2-Clause
 Project-URL: Homepage, https://angr.io/
@@ -16,12 +16,12 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: cxxheaderparser
 Requires-Dist: GitPython
-Requires-Dist: archinfo==9.2.160
+Requires-Dist: archinfo==9.2.162
 Requires-Dist: cachetools
 Requires-Dist: capstone==5.0.3
 Requires-Dist: cffi>=1.14.0
-Requires-Dist: claripy==9.2.160
-Requires-Dist: cle==9.2.160
+Requires-Dist: claripy==9.2.162
+Requires-Dist: cle==9.2.162
 Requires-Dist: mulpyplexer
 Requires-Dist: networkx!=2.8.1,>=2.0
 Requires-Dist: protobuf>=5.28.2
@@ -30,7 +30,7 @@ Requires-Dist: pycparser>=2.18
 Requires-Dist: pydemumble
 Requires-Dist: pyformlang
 Requires-Dist: pypcode<4.0,>=3.2.1
-Requires-Dist: pyvex==9.2.160
+Requires-Dist: pyvex==9.2.162
 Requires-Dist: rich>=13.1.0
 Requires-Dist: sortedcontainers
 Requires-Dist: sympy