angr 9.2.162__cp310-abi3-manylinux2014_aarch64.whl → 9.2.164__cp310-abi3-manylinux2014_aarch64.whl

angr/analyses/decompiler/clinic.py

@@ -1216,6 +1216,7 @@ class Clinic(Analysis):
                 ):
                     # found a single successor - replace the last statement
                     new_last_stmt = last_stmt.copy()
+                    assert isinstance(successors[0].addr, int)
                     new_last_stmt.target = ailment.Expr.Const(None, None, successors[0].addr, last_stmt.target.bits)
                     block.statements[-1] = new_last_stmt
 
@@ -1844,8 +1845,6 @@ class Clinic(Analysis):
             if v.offset in vr.stack_offset_typevars:
                 tv = vr.stack_offset_typevars[v.offset]
                 tv_max_sizes[tv] = s
-        # clean up existing types for this function
-        var_manager.remove_types()
         # TODO: Type inference for global variables
         # run type inference
         if self._must_struct:
@@ -2158,9 +2157,9 @@ class Clinic(Analysis):
                 }
             else:
                 # global variable?
-                global_vars = global_variables.get_global_variables(expr.value)
+                global_vars = global_variables.get_global_variables(expr.value_int)
                 # detect if there is a related symbol
-                if not global_vars and self.project.loader.find_object_containing(expr.value):
+                if not global_vars and self.project.loader.find_object_containing(expr.value_int):
                     symbol = self.project.loader.find_symbol(expr.value)
                     if symbol is not None:
                         # Create a new global variable if there isn't one already
@@ -3041,12 +3040,12 @@ class Clinic(Analysis):
             op0, op1 = addr.operands
             if (
                 isinstance(op0, ailment.Expr.Const)
-                and self.project.loader.find_object_containing(op0.value) is not None
+                and self.project.loader.find_object_containing(op0.value_int) is not None
             ):
                 return op0, op1
             if (
                 isinstance(op1, ailment.Expr.Const)
-                and self.project.loader.find_object_containing(op1.value) is not None
+                and self.project.loader.find_object_containing(op1.value_int) is not None
             ):
                 return op1, op0
             return op0, op1  # best-effort guess
@@ -3279,6 +3278,7 @@ class Clinic(Analysis):
                         )
                     ):
                         # found it!
+                        assert self.project.arch.sp_offset is not None
                         alloca_node = node
                         sp_equal_to = ailment.Expr.BinaryOp(
                             None,

angr/analyses/decompiler/graph_region.py

@@ -271,6 +271,13 @@ class GraphRegion:
         else:
             replace_with_graph_with_successors = replace_with.graph_with_successors
 
+        # if complete_successors is True for RegionIdentifier, replace_with.graph_with_successors may include nodes
+        # and edges that are *only* reachable from immediate successors. we will want to remove these nodes and edges,
+        # otherwise we may end up structuring the same region twice!
+        replace_with_graph_with_successors = self._cleanup_graph_with_successors(
+            replace_with.graph, replace_with_graph_with_successors
+        )
+
         self._replace_node_in_graph_with_subgraph(
             self.graph,
             self.successors,
@@ -289,6 +296,18 @@ class GraphRegion:
                 replace_with.head,
             )
 
+    @staticmethod
+    def _cleanup_graph_with_successors(
+        graph: networkx.DiGraph, graph_with_successors: networkx.DiGraph
+    ) -> networkx.DiGraph:
+        expected_nodes = set(graph)
+        for n in list(expected_nodes):
+            for succ in graph_with_successors.successors(n):
+                expected_nodes.add(succ)
+        if all(n in expected_nodes for n in graph_with_successors):
+            return graph_with_successors
+        return graph_with_successors.subgraph(expected_nodes).to_directed()
+
     @staticmethod
     def _replace_node_in_graph(graph: networkx.DiGraph, node, replace_with, removed_edges: set):
         in_edges = [(src, dst) for src, dst in graph.in_edges(node) if (src, dst) not in removed_edges]

angr/analyses/decompiler/optimization_passes/deadblock_remover.py

@@ -60,7 +60,7 @@ class DeadblockRemover(OptimizationPass):
             blk
             for blk in self._graph.nodes()
             if (blk.addr != self._func.addr and self._graph.in_degree(blk) == 0)
-            or claripy.is_false(cond_proc.reaching_conditions[blk])
+            or claripy.is_false(cond_proc.reaching_conditions.get(blk, claripy.true()))
         }
 
         # fix up predecessors

angr/analyses/decompiler/region_identifier.py

@@ -99,7 +99,7 @@ class RegionIdentifier(Analysis):
 
     def _analyze(self):
         # make a copy of the graph
-        graph = networkx.DiGraph(self._graph)
+        graph = self._pick_one_connected_component(self._graph, as_copy=True)
 
         # preprocess: make it a super graph
         self._make_supergraph(graph)
@@ -113,6 +113,27 @@ class RegionIdentifier(Analysis):
         # make regions into block address lists
         self.regions_by_block_addrs = self._make_regions_by_block_addrs()
 
+    def _pick_one_connected_component(self, digraph: networkx.DiGraph, as_copy: bool = False) -> networkx.DiGraph:
+        g = networkx.Graph(digraph)
+        components = list(networkx.connected_components(g))
+        if len(components) <= 1:
+            return networkx.DiGraph(digraph) if as_copy else digraph
+
+        the_component = None
+        largest_component = None
+        for component in components:
+            if largest_component is None or len(component) > len(largest_component):
+                largest_component = component
+            if any((block.addr, block.idx) == self.entry_node_addr for block in component):
+                the_component = component
+                break
+
+        if the_component is None:
+            the_component = largest_component
+
+        assert the_component is not None
+        return digraph.subgraph(the_component).to_directed()
+
     @staticmethod
     def _compute_node_order(graph: networkx.DiGraph) -> dict[Any, tuple[int, int]]:
         sorted_nodes = GraphUtils.quasi_topological_sort_nodes(graph)

angr/analyses/decompiler/structuring/phoenix.py

@@ -13,7 +13,7 @@ from angr.ailment.block import Block
 from angr.ailment.statement import Statement, ConditionalJump, Jump, Label, Return
 from angr.ailment.expression import Const, UnaryOp, MultiStatementExpression, BinaryOp
 
-from angr.utils.graph import GraphUtils
+from angr.utils.graph import GraphUtils, Dominators, compute_dominance_frontier
 from angr.utils.ail import is_phi_assignment, is_head_controlled_loop_block
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
@@ -669,7 +669,7 @@ class PhoenixStructurer(StructurerBase):
         continue_node = loop_head
 
         is_while, result_while = self._refine_cyclic_is_while_loop(graph, fullgraph, loop_head, head_succs)
-        is_dowhile, result_dowhile = self._refine_cyclic_is_dowhile_loop(graph, fullgraph, loop_head, head_succs)
+        is_dowhile, result_dowhile = self._refine_cyclic_is_dowhile_loop(graph, fullgraph, loop_head)
 
         continue_edges: list[tuple[BaseNode, BaseNode]] = []
         outgoing_edges: list = []
@@ -702,22 +702,12 @@ class PhoenixStructurer(StructurerBase):
 
         if loop_type is None:
             # natural loop. select *any* exit edge to determine the successor
-            # well actually, to maintain determinism, we select the successor with the highest address
-            successor_candidates = set()
-            for node in networkx.descendants(graph, loop_head):
-                for succ in fullgraph.successors(node):
-                    if succ not in graph:
-                        successor_candidates.add(succ)
-                    if loop_head is succ:
-                        continue_edges.append((node, succ))
-            if successor_candidates:
-                successor_candidates = sorted(successor_candidates, key=lambda x: x.addr)
-                successor = successor_candidates[0]
-                # virtualize all other edges
-                for succ in successor_candidates:
-                    for pred in fullgraph.predecessors(succ):
-                        if pred in graph:
-                            outgoing_edges.append((pred, succ))
+            is_natural, result_natural = self._refine_cyclic_make_natural_loop(graph, fullgraph, loop_head)
+            if not is_natural:
+                # cannot refine this loop
+                return False
+            assert result_natural is not None
+            continue_edges, outgoing_edges, successor = result_natural
 
         if outgoing_edges:
             # if there is a single successor, we convert all out-going edges into breaks;
@@ -963,8 +953,8 @@ class PhoenixStructurer(StructurerBase):
                 return True, (continue_edges, outgoing_edges, loop_head, successor)
         return False, None
 
-    def _refine_cyclic_is_dowhile_loop(  # pylint:disable=unused-argument
-        self, graph, fullgraph, loop_head, head_succs
+    def _refine_cyclic_is_dowhile_loop(
+        self, graph, fullgraph, loop_head
     ) -> tuple[bool, tuple[list, list, BaseNode, BaseNode] | None]:
         # check if there is an out-going edge from the loop tail
         head_preds = list(fullgraph.predecessors(loop_head))
@@ -996,6 +986,64 @@ class PhoenixStructurer(StructurerBase):
                     return True, (continue_edges, outgoing_edges, continue_node, successor)
         return False, None
 
+    def _refine_cyclic_make_natural_loop(
+        self, graph, fullgraph, loop_head
+    ) -> tuple[bool, tuple[list, list, Any] | None]:
+        continue_edges = []
+        outgoing_edges = []
+
+        # find dominance frontier
+        doms = Dominators(fullgraph, self._region.head)
+        dom_frontiers = compute_dominance_frontier(fullgraph, doms.dom)
+
+        if loop_head not in dom_frontiers:
+            return False, None
+        dom_frontier = dom_frontiers[loop_head]
+
+        # now this is a little complex
+        dom_frontier = {node for node in dom_frontier if node is not loop_head}
+        if len(dom_frontier) == 0:
+            # the dominance frontier is empty (the loop head dominates all nodes in the full graph). however, this does
+            # not mean that the loop head must dominate all the nodes, because we only have a limited view of the full
+            # graph (e.g., some predecessors of the successor may not be in this full graph). as such, successors are
+            # the ones that are in the fullgraph but not in the graph.
+            successor_candidates = set()
+            for node in networkx.descendants(graph, loop_head):
+                for succ in fullgraph.successors(node):
+                    if succ not in graph:
+                        successor_candidates.add(succ)
+                    if loop_head is succ:
+                        continue_edges.append((node, succ))
+
+        else:
+            # this loop has a single successor
+            successor_candidates = dom_frontier
+            # traverse the loop body to find all continue edges
+            tmp_graph = networkx.DiGraph(graph)
+            tmp_graph.remove_nodes_from(successor_candidates)
+            for node in networkx.descendants(tmp_graph, loop_head):
+                if tmp_graph.has_edge(node, loop_head):
+                    continue_edges.append((node, loop_head))
+
+        if len(successor_candidates) == 0:
+            successor = None
+        else:
+            # one or multiple successors; try to pick a successor in graph, and prioritize the one with the lowest
+            # address
+            successor_candidates_in_graph = {nn for nn in successor_candidates if nn in graph}
+            if successor_candidates_in_graph:
+                # pick the one with the lowest address
+                successor = next(iter(sorted(successor_candidates_in_graph, key=lambda x: x.addr)))
+            else:
+                successor = next(iter(sorted(successor_candidates, key=lambda x: x.addr)))
+            # mark all edges as outgoing edges so they will be virtualized if they don't lead to the successor
+            for node in successor_candidates:
+                for pred in fullgraph.predecessors(node):
+                    if networkx.has_path(doms.dom, loop_head, pred):
+                        outgoing_edges.append((pred, node))
+
+        return True, (continue_edges, outgoing_edges, successor)
+
     def _analyze_acyclic(self) -> bool:
         # match against known schemas
         l.debug("Matching acyclic schemas for region %r.", self._region)
@@ -1219,6 +1267,10 @@ class PhoenixStructurer(StructurerBase):
         node_a = next(iter(nn for nn in graph.nodes if nn.addr == target), None)
         if node_a is None:
             return False
+        if node_a is self._region.head:
+            # avoid structuring if node_a is the region head; this means the current node is a duplicated switch-case
+            # head (instead of the original one), which is not something we want to structure
+            return False
 
         # the default case
         node_b_addr = next(iter(t for t in successor_addrs if t != target), None)

angr/analyses/decompiler/structuring/recursive_structurer.py

@@ -3,8 +3,6 @@ import itertools
 from typing import TYPE_CHECKING
 import logging
 
-import networkx
-
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.graph_region import GraphRegion
@@ -12,6 +10,7 @@ from angr.analyses.decompiler.jumptable_entry_condition_rewriter import JumpTabl
 from angr.analyses.decompiler.empty_node_remover import EmptyNodeRemover
 from angr.analyses.decompiler.jump_target_collector import JumpTargetCollector
 from angr.analyses.decompiler.redundant_label_remover import RedundantLabelRemover
+from angr.utils.graph import GraphUtils
 from .structurer_nodes import BaseNode
 from .structurer_base import StructurerBase
 from .dream import DreamStructurer
@@ -61,7 +60,7 @@ class RecursiveStructurer(Analysis):
             current_region = stack[-1]
 
             has_region = False
-            for node in networkx.dfs_postorder_nodes(current_region.graph, current_region.head):
+            for node in GraphUtils.dfs_postorder_nodes_deterministic(current_region.graph, current_region.head):
                 subnodes = []
                 if type(node) is GraphRegion:
                     if node.cyclic:
@@ -177,7 +176,7 @@ class RecursiveStructurer(Analysis):
         for node in region.graph.nodes:
             if not isinstance(node, BaseNode):
                 continue
-            if node.addr == self.function.addr:
+            if self.function is not None and node.addr == self.function.addr:
                 return node
             if min_node is None or (min_node.addr is not None and node.addr is not None and min_node.addr < node.addr):
                 min_node = node

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -392,6 +392,9 @@ class IncompleteSwitchCaseNode(BaseNode):
         self.head = head
         self.cases: list = cases
 
+    def __repr__(self):
+        return f"<IncompleteSwitchCase {self.addr:#x} with {len(self.cases)} cases>"
+
 
 #
 # The following classes are custom AIL statements (not nodes, unfortunately)

angr/analyses/decompiler/utils.py

@@ -158,10 +158,14 @@ def switch_extract_cmp_bounds(
         return None
 
     # TODO: Add more operations
-    if isinstance(last_stmt.condition, ailment.Expr.BinaryOp) and last_stmt.condition.op == "CmpLE":
+    if isinstance(last_stmt.condition, ailment.Expr.BinaryOp) and last_stmt.condition.op in {"CmpLE", "CmpLT"}:
         if not isinstance(last_stmt.condition.operands[1], ailment.Expr.Const):
             return None
-        cmp_ub = last_stmt.condition.operands[1].value
+        cmp_ub = (
+            last_stmt.condition.operands[1].value
+            if last_stmt.condition.op == "CmpLE"
+            else last_stmt.condition.operands[1].value - 1
+        )
         cmp_lb = 0
         cmp = last_stmt.condition.operands[0]
         if (
@@ -250,6 +254,10 @@ def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tu
              size=4, endness=Iend_LE) + 0x4530e4<32>))
     )
 
+    Another example:
+
+    Load(addr=(((vvar_9{reg 36} & 0x3<32>) * 0x4<32>) + 0x42cd28<32>), size=4, endness=Iend_LE)
+
     :param last_stmt:   The last statement of the switch-case header node.
     :return:            A tuple of (index expression, lower bound, upper bound), or None
     """
@@ -269,16 +277,20 @@ def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tu
             continue
         if isinstance(target, ailment.Expr.BinaryOp) and target.op == "Add":
             if isinstance(target.operands[0], ailment.Expr.Const) and isinstance(target.operands[1], ailment.Expr.Load):
-                jump_addr_offset = target.operands[0]
+                jump_addr_offset = target.operands[0].value
                 jumptable_load_addr = target.operands[1].addr
                 break
             if isinstance(target.operands[1], ailment.Expr.Const) and isinstance(target.operands[0], ailment.Expr.Load):
-                jump_addr_offset = target.operands[1]
+                jump_addr_offset = target.operands[1].value
                 jumptable_load_addr = target.operands[0].addr
                 break
             return None
         if isinstance(target, ailment.Expr.Const):
             return None
+        if isinstance(target, ailment.Expr.Load):
+            jumptable_load_addr = target.addr
+            jump_addr_offset = 0
+            break
         break
 
     if jump_addr_offset is None or jumptable_load_addr is None:
@@ -655,7 +667,7 @@ def _flatten_structured_node(packed_node: SequenceNode | MultiNode) -> list[ailm
 
 def _find_node_in_graph(node: ailment.Block, graph: networkx.DiGraph) -> ailment.Block | None:
     for bb in graph:
-        if bb.addr == node.addr and bb.idx == node.idx:
+        if isinstance(bb, ailment.Block) and bb.addr == node.addr and bb.idx == node.idx:
             return bb
     return None
 

angr/analyses/fcp/fcp.py

@@ -343,16 +343,17 @@ class FastConstantPropagation(Analysis):
             engine.process(state, block=block)
 
             # if the node ends with a function call, call _handle_function
-            succs = list(func_graph_with_callees.successors(node))
-            if any(isinstance(succ, (Function, HookNode)) for succ in succs):
-                callee = next(succ for succ in succs if isinstance(succ, (Function, HookNode)))
-                if isinstance(callee, HookNode):
-                    # attempt to convert it into a function
-                    if self.kb.functions.contains_addr(callee.addr):
-                        callee = self.kb.functions.get_by_addr(callee.addr)
-                    else:
-                        callee = None
-                state = self._handle_function(state, callee)
+            if node in func_graph_with_callees:
+                succs = list(func_graph_with_callees.successors(node))
+                if any(isinstance(succ, (Function, HookNode)) for succ in succs):
+                    callee = next(succ for succ in succs if isinstance(succ, (Function, HookNode)))
+                    if isinstance(callee, HookNode):
+                        # attempt to convert it into a function
+                        if self.kb.functions.contains_addr(callee.addr):
+                            callee = self.kb.functions.get_by_addr(callee.addr)
+                        else:
+                            callee = None
+                    state = self._handle_function(state, callee)
 
             states[node] = state
 

angr/analyses/flirt/flirt_sig.py

@@ -146,7 +146,7 @@ class FlirtSignatureParsed:
         name_lst = []
         name_end = False  # in case the function name is too long...
         for _ in range(1024):  # max length of a function name
-            if next_byte < 0x20:
+            if next_byte < 0x20 or next_byte >= 0x80:
                 name_end = True
                 break
             name_lst.append(next_byte)
@@ -347,7 +347,10 @@ class FlirtSignatureParsed:
         # is it compressed?
         if obj.features & FlirtFeatureFlag.FEATURE_COMPRESSED:
             data = file_obj.read()
-            decompressed = BytesIO(zlib.decompress(data))
+            try:
+                decompressed = BytesIO(zlib.decompress(data))
+            except zlib.error as ex:
+                raise FlirtSignatureError(f"Failed to decompress FLIRT signature: {ex}") from ex
             file_obj = decompressed
 
         root = obj.parse_tree(file_obj, root=True)

angr/analyses/reaching_definitions/function_handler.py

@@ -575,7 +575,7 @@ class FunctionHandler:
         sub_rda = state.analysis.project.analyses.ReachingDefinitions(
             data.function,
             observe_all=state.analysis._observe_all,
-            observation_points=list(state.analysis._observation_points or []).extend(return_observation_points),
+            observation_points=list(state.analysis._observation_points or []) + return_observation_points,
             observe_callback=state.analysis._observe_callback,
             dep_graph=state.dep_graph,
             function_handler=self,

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -156,14 +156,14 @@ class LibcStdioHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_fread(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[1]) or 1
-        nmemb = state.get_concrete_value(data.args_atoms[1]) or 2
+        nmemb = state.get_concrete_value(data.args_atoms[2]) or 2
         dst_atom = state.deref(data.args_atoms[0], size * nmemb)
         data.depends(dst_atom, StdinAtom("fread", size * nmemb))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_fwrite(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[1]) or 1
-        nmemb = state.get_concrete_value(data.args_atoms[1]) or 2
+        nmemb = state.get_concrete_value(data.args_atoms[2]) or 2
         src_atom = state.deref(data.args_atoms[0], size * nmemb)
         data.depends(StdoutAtom("fwrite", size * nmemb), src_atom, value=state.get_values(src_atom))
 
@@ -206,8 +206,8 @@ def handle_printf(
         elif fmt == "%u":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)
-            if buf_data is not None:
-                buf_data = str(buf_data).encode()
+            buf_data = str(buf_data).encode() if buf_data else b"0"
+
         elif fmt == "%d":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)
@@ -215,11 +215,12 @@ def handle_printf(
                 if buf_data >= 2**31:
                     buf_data -= 2**32
                 buf_data = str(buf_data).encode()
+            else:
+                buf_data = b"0"
         elif fmt == "%c":
             buf_atoms = atom
             buf_data = state.get_concrete_value(atom)
-            if buf_data is not None:
-                buf_data = chr(buf_data).encode()
+            buf_data = chr(buf_data).encode() if buf_data else b"0"
         else:
             _l.warning("Unimplemented printf format string %s", fmt)
             buf_atoms = set()

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -64,21 +64,25 @@ class LibcStdlibHandlers(FunctionHandler):
                 buf_value = int(buf_value.decode().strip("\0"))
             except ValueError:
                 buf_value = 0
+        else:
+            buf_value = 0  # Make the value concrete if it cannot be parsed
         data.depends(data.ret_atoms, buf_atoms, value=buf_value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_malloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         malloc_size = state.get_concrete_value(data.args_atoms[0]) or 48
         heap_ptr = state.heap_allocator.allocate(malloc_size)
-        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+        heap_addr = state.heap_address(heap_ptr)
+        data.depends(data.ret_atoms, value=heap_addr)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_calloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         nmemb = state.get_concrete_value(data.args_atoms[0]) or 48
         size = state.get_concrete_value(data.args_atoms[1]) or 1
-        heap_ptr = state.heap_address(state.heap_allocator.allocate(nmemb * size))
-        data.depends(state.deref(heap_ptr, nmemb * size), value=0)
-        data.depends(data.ret_atoms, value=heap_ptr)
+        heap_ptr = state.heap_allocator.allocate(nmemb * size)
+        heap_addr = state.heap_address(heap_ptr)
+        data.depends(state.deref(heap_addr, nmemb * size), value=0)
+        data.depends(data.ret_atoms, value=heap_addr)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_getenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
@@ -156,6 +160,8 @@ class LibcStdlibHandlers(FunctionHandler):
     def handle_impl_execve(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         argv_value = state.get_one_value(data.args_atoms[1])
         if argv_value is None:
+            # Model execve with unknown argv - still has system effects
+            data.depends(SystemAtom(1), data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
             return
 
         nonce = random.randint(1, 999999999)

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -30,7 +30,7 @@ class LibcStringHandlers(FunctionHandler):
             dest_value = src0_value.concat(MultiValues(top_val))
             dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
         else:
-            dest_value = None
+            dest_value = state.top(state.arch.bits)
             dest_atom = src0_atom
         if src0_atom is not None and src1_atom is not None:
             data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
@@ -109,7 +109,8 @@ class LibcStringHandlers(FunctionHandler):
             src_str = state.get_values(src_atom)
             malloc_size = len(src_str) // 8 if src_str is not None else 1
             heap_ptr = state.heap_allocator.allocate(malloc_size)
-            dst_atom = state.deref(heap_ptr, malloc_size)
+            heap_addr = state.heap_address(heap_ptr)
+            dst_atom = state.deref(heap_addr, malloc_size)
             data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
@@ -121,6 +122,16 @@ class LibcStringHandlers(FunctionHandler):
             dst_atom = state.deref(data.args_atoms[0], size)
             if src_atom is not None:
                 data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
+        else:
+            # When size is unknown, use default size and create TOP value
+            default_size = state.arch.bytes
+            src_atom = state.deref(data.args_atoms[1], default_size)
+            dst_atom = state.deref(data.args_atoms[0], default_size)
+            if src_atom is not None:
+                top_val = state.top(default_size * 8)
+                for defn in state.get_definitions(src_atom):
+                    top_val = state.annotate_with_def(top_val, defn)
+                data.depends(dst_atom, src_atom, value=MultiValues(top_val))
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -32,6 +32,9 @@ class LibcUnistdHandlers(FunctionHandler):
         buf_data = state.top(size * 8) if size is not None else state.top(state.arch.bits)
 
         data.depends(dst_atom, fd_atom, value=buf_data)
+        # Model return value - number of bytes read (could be 0 to size, or -1 for error)
+        ret_val = state.top(state.arch.bits)  # Unknown number of bytes read
+        data.depends(data.ret_atoms, fd_atom, value=ret_val)
 
     handle_impl_recv = handle_impl_recvfrom = handle_impl_read
 
@@ -41,4 +44,8 @@ class LibcUnistdHandlers(FunctionHandler):
         src_atom = state.deref(data.args_atoms[1], size)
         data.depends(StdoutAtom(data.function.name, size), src_atom, value=state.get_values(src_atom))
 
+        # Model return value - number of bytes written (could be 0 to size, or -1 for error)
+        ret_val = state.top(state.arch.bits)  # Unknown number of bytes written
+        data.depends(data.ret_atoms, value=ret_val)
+
     handle_impl_send = handle_impl_write

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -37,7 +37,8 @@ class RegVVarPredicate:
         if cc is not None:
             reg_list = cc.CALLER_SAVED_REGS
             if isinstance(cc.RETURN_VAL, SimRegArg):
-                reg_list.append(cc.RETURN_VAL.reg_name)
+                # do not update reg_list directly, otherwise you may update cc.CALLER_SAVED_REGS!
+                reg_list = [*reg_list, cc.RETURN_VAL.reg_name]
             return {self.arch.registers[reg_name][0] for reg_name in reg_list}
         log.warning("Cannot determine registers that are clobbered by call statement %r.", stmt)
         return set()

angr/analyses/typehoon/typeconsts.py

@@ -245,7 +245,9 @@ class Struct(TypeConstant):
         if not self.fields:
             return 0
         max_field_off = max(self.fields.keys())
-        return max_field_off + self.fields[max_field_off].size
+        return max_field_off + (
+            self.fields[max_field_off].size if not isinstance(self.fields[max_field_off], BottomType) else 1
+        )
 
     @memoize
     def __repr__(self, memo=None):

angr/analyses/variable_recovery/engine_base.py

@@ -142,6 +142,8 @@ class SimEngineVRBase(
     ) -> list[tuple[SimVariable, int]]:
         data = richr_addr.data
 
+        variable: SimVariable | None = None
+
         if self.state.is_stack_address(data):
             # this is a stack address
             # extract stack offset
@@ -157,7 +159,6 @@ class SimEngineVRBase(
             for candidate, offset in var_candidates:
                 if isinstance(candidate, SimStackVariable) and candidate.offset == stack_offset:
                     existing_vars.append((candidate, offset))
-            variable = None
             if existing_vars:
                 variable, _ = existing_vars[0]
 
@@ -179,12 +180,7 @@ class SimEngineVRBase(
                                     existing_vars.append((var, var_stack_offset))
 
                     if not existing_vars:
-                        existing_vars = [
-                            (v, 0)
-                            for v in self.state.variable_manager[self.func_addr].find_variables_by_stack_offset(
-                                stack_offset
-                            )
-                        ]
+                        existing_vars = [(v, 0) for v in variable_manager.find_variables_by_stack_offset(stack_offset)]
 
                     if not existing_vars:
                         # no variables exist
@@ -193,10 +189,10 @@ class SimEngineVRBase(
                             stack_offset,
                             lea_size,
                             base="bp",
-                            ident=self.state.variable_manager[self.func_addr].next_variable_ident("stack"),
+                            ident=variable_manager.next_variable_ident("stack"),
                             region=self.func_addr,
                         )
-                        self.state.variable_manager[self.func_addr].add_variable("stack", stack_offset, variable)
+                        variable_manager.add_variable("stack", stack_offset, variable)
                         l.debug("Identified a new stack variable %s at %#x.", variable, self.ins_addr)
                         existing_vars.append((variable, 0))
 
@@ -563,7 +559,7 @@ class SimEngineVRBase(
 
         if isinstance(stack_offset, int):
             expr = data.data
-            if isinstance(expr, claripy.ast.Bits) and expr.size() > 1024:
+            if isinstance(expr, claripy.ast.BV) and expr.size() > 1024:
                 # we don't write more than 256 bytes to the stack at a time for performance reasons
                 expr = expr[expr.size() - 1 : expr.size() - 1024]
             expr = self.state.annotate_with_variables(expr, [(variable_offset, variable)])