angr 9.2.163__cp310-abi3-win_amd64.whl → 9.2.165__cp310-abi3-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.163"
+__version__ = "9.2.165"
 
 if bytes is str:
     raise Exception(

angr/ailment/converter_vex.py

@@ -606,7 +606,7 @@ class VEXStmtConverter(Converter):
         expd_hi = VEXExprConverter.convert(stmt.expdHi, manager) if stmt.expdHi is not None else None
         old_lo = VEXExprConverter.tmp(stmt.oldLo, manager.tyenv.sizeof(stmt.oldLo), manager)
         old_hi = (
-            VEXExprConverter.tmp(stmt.oldHi, stmt.oldHi.result_size(manager.tyenv), manager)
+            VEXExprConverter.tmp(stmt.oldHi, manager.tyenv.sizeof(stmt.oldHi), manager)
             if stmt.oldHi != 0xFFFFFFFF
             else None
         )

angr/ailment/expression.py

@@ -616,7 +616,11 @@ class Convert(UnaryOp):
         self.rounding_mode = rounding_mode
 
     def __str__(self):
-        return f"Conv({self.from_bits}->{'s' if self.is_signed else ''}{self.to_bits}, {self.operand})"
+        from_type = "I" if self.from_type == Convert.TYPE_INT else "F"
+        to_type = "I" if self.to_type == Convert.TYPE_INT else "F"
+        return (
+            f"Conv({self.from_bits}{from_type}->{'s' if self.is_signed else ''}{self.to_bits}{to_type}, {self.operand})"
+        )
 
     def __repr__(self):
         return str(self)

angr/analyses/analysis.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 import functools
+import os
 import sys
 import contextlib
 from collections import defaultdict
@@ -14,6 +15,8 @@ import logging
 import time
 import typing
 
+import psutil
+
 from rich import progress
 
 from angr.misc.plugins import PluginVendor, VendorPreset
@@ -287,6 +290,8 @@ class Analysis:
     _name: str
     errors: list[AnalysisLogEntry] = []
     named_errors: defaultdict[str, list[AnalysisLogEntry]] = defaultdict(list)
+    _ram_usage: float | None = None
+    _last_ramusage_update: float = 0.0
     _progress_callback = None
     _show_progressbar = False
     _progressbar = None
@@ -295,7 +300,7 @@ class Analysis:
     _PROGRESS_WIDGETS = [
         progress.TaskProgressColumn(),
         progress.BarColumn(),
-        progress.TextColumn("Elapsed Time:"),
+        progress.TextColumn("Elapsed:"),
         progress.TimeElapsedColumn(),
         progress.TextColumn("Time:"),
         progress.TimeRemainingColumn(),
@@ -311,7 +316,9 @@ class Analysis:
                 raise
             else:
                 error = AnalysisLogEntry("exception occurred", exc_info=True)
-                l.error("Caught and logged %s with resilience: %s", error.exc_type.__name__, error.exc_value)
+                l.error(
+                    "Caught and logged %s with resilience: %s", error.exc_type.__name__, error.exc_value  # type:ignore
+                )
                 if name is None:
                     self.errors.append(error)
                 else:
@@ -342,10 +349,12 @@ class Analysis:
             if self._progressbar is None:
                 self._initialize_progressbar()
 
+            assert self._task is not None
+            assert self._progressbar is not None
             self._progressbar.update(self._task, completed=percentage)
 
-        if text is not None and self._progressbar:
-            self._progressbar.update(self._task, description=text)
+            if text is not None and self._progressbar:
+                self._progressbar.update(self._task, description=text)
 
         if self._progress_callback is not None:
             self._progress_callback(percentage, text=text, **kwargs)  # pylint:disable=not-callable
@@ -360,6 +369,7 @@ class Analysis:
             if self._progressbar is None:
                 self._initialize_progressbar()
             if self._progressbar is not None:
+                assert self._task is not None
                 self._progressbar.update(self._task, completed=100)
                 self._progressbar.stop()
                 self._progressbar = None
@@ -384,6 +394,19 @@ class Analysis:
         if ctr != 0 and ctr % freq == 0:
             time.sleep(sleep_time)
 
+    @property
+    def ram_usage(self) -> float:
+        """
+        Return the current RAM usage of the Python process, in bytes. The value is updated at most once per second.
+        """
+
+        if time.time() - self._last_ramusage_update > 1:
+            self._last_ramusage_update = time.time()
+            proc = psutil.Process(os.getpid())
+            meminfo = proc.memory_info()
+            self._ram_usage = meminfo.rss
+        return self._ram_usage if self._ram_usage is not None else -0.1
+
     def __getstate__(self):
         d = dict(self.__dict__)
         d.pop("_progressbar", None)

angr/analyses/cfg/cfg_base.py

@@ -1952,11 +1952,11 @@ class CFGBase(Analysis):
                     # skip empty blocks (that are usually caused by lifting failures)
                     continue
                 block = func_0.get_block(block_node.addr, block_node.size)
-                if block.vex_nostmt.jumpkind not in ("Ijk_Boring", "Ijk_InvalICache"):
-                    continue
                 # Skip alignment blocks
                 if self._is_noop_block(self.project.arch, block):
                     continue
+                if block.vex_nostmt.jumpkind not in ("Ijk_Boring", "Ijk_InvalICache"):
+                    continue
 
                 # does the first block transition to the next function?
                 transition_found = False
@@ -2001,17 +2001,20 @@ class CFGBase(Analysis):
 
                 cfgnode_1_merged = False
                 # we only merge two CFG nodes if the first one does not end with a branch instruction
-                if (
-                    len(func_0.block_addrs_set) == 1
-                    and len(out_edges) == 1
-                    and out_edges[0][0].addr == cfgnode_0.addr
-                    and out_edges[0][0].size == cfgnode_0.size
-                    and self.project.factory.block(cfgnode_0.addr, strict_block_end=True).size > cfgnode_0.size
-                ):
-                    cfgnode_1_merged = True
-                    self._merge_cfgnodes(cfgnode_0, cfgnode_1)
-                    adjusted_cfgnodes.add(cfgnode_0)
-                    adjusted_cfgnodes.add(cfgnode_1)
+                if len(func_0.block_addrs_set) == 1 and len(out_edges) == 1:
+                    outedge_src, outedge_dst, outedge_data = out_edges[0]
+                    if (
+                        outedge_src.addr == cfgnode_0.addr
+                        and outedge_src.size == cfgnode_0.size
+                        and outedge_dst.addr == cfgnode_1.addr
+                        and cfgnode_0.addr + cfgnode_0.size == cfgnode_1.addr
+                        and outedge_data.get("type", None) == "transition"
+                        and outedge_data.get("stmt_idx", None) == DEFAULT_STATEMENT
+                    ):
+                        cfgnode_1_merged = True
+                        self._merge_cfgnodes(cfgnode_0, cfgnode_1)
+                        adjusted_cfgnodes.add(cfgnode_0)
+                        adjusted_cfgnodes.add(cfgnode_1)
 
                 # Merge it
                 func_1 = functions[addr_1]

angr/analyses/cfg/cfg_emulated.py

@@ -28,6 +28,7 @@ from angr.errors import (
     AngrCFGError,
     AngrError,
     AngrSkipJobNotice,
+    AngrSyscallError,
     SimError,
     SimValueError,
     SimSolverModeError,
@@ -1806,7 +1807,10 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         # Fix target_addr for syscalls
         if suc_jumpkind.startswith("Ijk_Sys"):
-            syscall_proc = self.project.simos.syscall(new_state)
+            try:
+                syscall_proc = self.project.simos.syscall(new_state)
+            except AngrSyscallError:
+                syscall_proc = None
             if syscall_proc is not None:
                 target_addr = syscall_proc.addr
 

angr/analyses/cfg/cfg_fast.py

@@ -846,6 +846,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         # exception handling
         self._exception_handling_by_endaddr = SortedDict()
 
+        self.stage: str = ""
+
         #
         # Variables used during analysis
         #
@@ -1077,12 +1079,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         # no wide string is found
         return 0
 
-    def _scan_for_repeating_bytes(self, start_addr: int, repeating_byte: int, threshold: int = 2) -> int:
+    def _scan_for_repeating_bytes(self, start_addr: int, repeating_byte: int | None, threshold: int = 2) -> int:
         """
         Scan from a given address and determine the occurrences of a given byte.
 
         :param start_addr:      The address in memory to start scanning.
-        :param repeating_byte:  The repeating byte to scan for.
+        :param repeating_byte:  The repeating byte to scan for; None for *any* repeating byte.
         :param threshold:       The minimum occurrences.
         :return:                The occurrences of a given byte.
         """
@@ -1090,12 +1092,15 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         addr = start_addr
 
         repeating_length = 0
+        last_byte = repeating_byte
 
         while self._inside_regions(addr):
             val = self._load_a_byte_as_int(addr)
             if val is None:
                 break
-            if val == repeating_byte:
+            if last_byte is None:
+                last_byte = val
+            elif val == last_byte:
                 repeating_length += 1
             else:
                 break
@@ -1249,6 +1254,16 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 self.model.memory_data[start_addr] = MemoryData(start_addr, zeros_length, MemoryDataSort.Alignment)
                 start_addr += zeros_length
 
+            # we consider over 16 bytes of any repeated bytes to be bad
+            repeating_byte_length = self._scan_for_repeating_bytes(start_addr, None, threshold=16)
+            if repeating_byte_length:
+                matched_something = True
+                self._seg_list.occupy(start_addr, repeating_byte_length, "nodecode")
+                self.model.memory_data[start_addr] = MemoryData(
+                    start_addr, repeating_byte_length, MemoryDataSort.Unknown
+                )
+                start_addr += repeating_byte_length
+
             if not matched_something:
                 # umm now it's probably code
                 break
@@ -1259,7 +1274,16 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if start_addr % instr_alignment > 0:
             # occupy those few bytes
             size = instr_alignment - (start_addr % instr_alignment)
-            self._seg_list.occupy(start_addr, size, "alignment")
+
+            # to avoid extremely fragmented segmentation, we mark the current segment as the same type as the previous
+            # adjacent segment if its type is nodecode
+            segment_sort = "alignment"
+            if start_addr >= 1:
+                previous_segment_sort = self._seg_list.occupied_by_sort(start_addr - 1)
+                if previous_segment_sort == "nodecode":
+                    segment_sort = "nodecode"
+
+            self._seg_list.occupy(start_addr, size, segment_sort)
             self.model.memory_data[start_addr] = MemoryData(start_addr, size, MemoryDataSort.Unknown)
             start_addr = start_addr - start_addr % instr_alignment + instr_alignment
             # trickiness: aligning the start_addr may create a new address that is outside any mapped region.
@@ -1339,6 +1363,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         return job.addr
 
     def _pre_analysis(self):
+        self.stage = "Pre-analysis"
+
         # Create a read-only memory view in loader for faster data loading
         self.project.loader.gen_ro_memview()
 
@@ -1424,6 +1450,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         self._job_ctr = 0
 
+        self.stage = "Analysis (Stage 1)"
+
     def _pre_job_handling(self, job: CFGJob):  # pylint:disable=arguments-differ
         """
         Some pre job-processing tasks, like update progress bar.
@@ -1459,7 +1487,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             percentage = min(
                 self._seg_list.occupied_size * max_percentage_stage_1 / self._regions_size, max_percentage_stage_1
             )
-            self._update_progress(percentage, cfg=self)
+            ram_usage = self.ram_usage / (1024 * 1024)
+            text = (
+                f"{self.stage} | {len(self.functions)} funcs, {len(self.graph)} blocks | "
+                f"{len(self._indirect_jumps_to_resolve)}/{len(self.indirect_jumps)} IJs | "
+                f"{ram_usage:0.2f} MB RAM"
+            )
+            self._update_progress(percentage, text=text, cfg=self)
 
     def _intra_analysis(self):
         pass
@@ -1758,6 +1792,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self._model.edges_to_repair = remaining_edges_to_repair
 
     def _post_analysis(self):
+
+        self.stage = "Analysis (Stage 2)"
+
         self._repair_edges()
 
         self._make_completed_functions()
@@ -4504,6 +4541,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
                 if not self._arch_options.has_arm_code and addr % 2 == 0:
                     # No ARM code for this architecture!
+                    self._seg_list.occupy(real_addr, 2, "nodecode")
                     return None, None, None, None
 
             initial_regs = self._get_initial_registers(addr, cfg_job, current_function_addr)

angr/analyses/cfg/indirect_jump_resolvers/arm_elf_fast.py

@@ -125,7 +125,17 @@ class ArmElfFastResolver(IndirectJumpResolver):
         # Note that this function assumes the IRSB is optimized (opt_level > 0)
         # the logic will be vastly different if the IRSB is not optimized (opt_level == 0)
 
-        b = Blade(cfg.graph, addr, -1, cfg=cfg, project=self.project, ignore_sp=True, ignore_bp=True, max_level=2)
+        b = Blade(
+            cfg.graph,
+            addr,
+            -1,
+            cfg=cfg,
+            project=self.project,
+            ignore_sp=True,
+            ignore_bp=True,
+            max_level=2,
+            control_dependence=False,
+        )
         sources = [n for n in b.slice.nodes() if b.slice.in_degree(n) == 0]
         if not sources:
             return False, []

angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py

@@ -5,10 +5,12 @@ import logging
 import claripy
 import pyvex
 
+from angr.knowledge_plugins.propagations import PropagationModel
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr.code_location import CodeLocation
 from angr.blade import Blade
 from angr.analyses.propagator import vex_vars
+from angr.utils.vex import get_tmp_def_stmt
 from .resolver import IndirectJumpResolver
 from .propagator_utils import PropagatorLoadCallback
 
@@ -47,6 +49,12 @@ class ConstantResolver(IndirectJumpResolver):
         super().__init__(project, timeless=False)
         self.max_func_nodes = max_func_nodes
 
+        # stats
+        self._resolved = 0
+        self._unresolved = 0
+        self._cache_hits = 0
+        self._props_saved = 0
+
     def filter(self, cfg, addr, func_addr, block, jumpkind):
         if not cfg.functions.contains_addr(func_addr):
             # the function does not exist
@@ -122,58 +130,203 @@ class ConstantResolver(IndirectJumpResolver):
                 max_level=3,
                 stop_at_calls=True,
                 cross_insn_opt=True,
+                control_dependence=False,
             )
             stmt_loc = addr, DEFAULT_STATEMENT
-            preds = list(b.slice.predecessors(stmt_loc))
-            while preds:
-                if len(preds) == 1:
-                    # skip all IMarks
-                    pred_addr, stmt_idx = preds[0]
-                    if stmt_idx != DEFAULT_STATEMENT:
-                        block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
-                        if isinstance(block.statements[stmt_idx], pyvex.IRStmt.IMark):
-                            preds = list(b.slice.predecessors(preds[0]))
-                            continue
+            if self._check_jump_target_is_loaded_from_dynamic_addr(b, stmt_loc):
+                # loading from memory - unsupported
+                return False, []
+            if self._check_jump_target_is_compared_against(b, stmt_loc):
+                # the jump/call target is compared against another value, which means it's not deterministic
+                # ConstantResolver does not support such cases by design
+                return False, []
 
-                for pred_addr, stmt_idx in preds:
-                    block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
-                    if stmt_idx != DEFAULT_STATEMENT:
-                        stmt = block.statements[stmt_idx]
-                        if (
-                            isinstance(stmt, pyvex.IRStmt.WrTmp)
-                            and isinstance(stmt.data, pyvex.IRExpr.Load)
-                            and not isinstance(stmt.data.addr, pyvex.IRExpr.Const)
-                        ):
-                            # loading from memory - unsupported
-                            return False, []
-                break
+            # first check the replacements cache
+            resolved_tmp = None
+            is_full_func_prop = None
+            block_loc = CodeLocation(block.addr, tmp_stmt_idx, ins_addr=tmp_ins_addr)
+            tmp_var = vex_vars.VEXTmp(vex_block.next.tmp)
+            prop_key = "FCP", func_addr
+            cached_prop = cfg.kb.propagations.get(prop_key)
+            if cached_prop is not None:
+                is_full_func_prop = len(func.block_addrs_set) == cached_prop.function_block_count
+                replacements = cached_prop.replacements
+                if exists_in_replacements(replacements, block_loc, tmp_var):
+                    self._cache_hits += 1
+                    resolved_tmp = replacements[block_loc][tmp_var]
 
-            _l.debug("ConstantResolver: Propagating for %r at %#x.", func, addr)
-            prop = self.project.analyses.FastConstantPropagation(
-                func,
-                vex_cross_insn_opt=False,
-                load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-            )
+            if resolved_tmp is None and is_full_func_prop:
+                self._props_saved += 1
 
-            replacements = prop.replacements
-            if replacements:
-                block_loc = CodeLocation(block.addr, tmp_stmt_idx, ins_addr=tmp_ins_addr)
-                tmp_var = vex_vars.VEXTmp(vex_block.next.tmp)
+            if resolved_tmp is None and not is_full_func_prop:
+                _l.debug("ConstantResolver: Propagating for %r at %#x.", func, addr)
+                prop = self.project.analyses.FastConstantPropagation(
+                    func,
+                    vex_cross_insn_opt=False,
+                    load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
+                )
+                # update the cache
+                model = PropagationModel(
+                    prop_key, replacements=prop.replacements, function_block_count=len(func.block_addrs_set)
+                )
+                cfg.kb.propagations.update(prop_key, model)
 
-                if exists_in_replacements(replacements, block_loc, tmp_var):
+                replacements = prop.replacements
+                if replacements and exists_in_replacements(replacements, block_loc, tmp_var):
                     resolved_tmp = replacements[block_loc][tmp_var]
 
-                    if (
-                        isinstance(resolved_tmp, claripy.ast.Base)
-                        and resolved_tmp.op == "BVV"
-                        and self._is_target_valid(cfg, resolved_tmp.args[0])
-                    ):
-                        return True, [resolved_tmp.args[0]]
-                    if isinstance(resolved_tmp, int) and self._is_target_valid(cfg, resolved_tmp):
-                        return True, [resolved_tmp]
+            if resolved_tmp is not None:
+                if (
+                    isinstance(resolved_tmp, claripy.ast.Base)
+                    and resolved_tmp.op == "BVV"
+                    and self._is_target_valid(cfg, resolved_tmp.args[0])
+                ):
+                    self._resolved += 1
+                    # print(f"{self._resolved} ({self._props_saved} saved, {self._cache_hits} cached) / "
+                    #       f"{self._resolved + self._unresolved}")
+                    # print(f"+ Function: {func_addr:#x}, block {addr:#x}, target {resolved_tmp.args[0]:#x}")
+                    return True, [resolved_tmp.args[0]]
+                if isinstance(resolved_tmp, int) and self._is_target_valid(cfg, resolved_tmp):
+                    self._resolved += 1
+                    # print(f"{self._resolved} ({self._props_saved} saved, {self._cache_hits} cached) / "
+                    #       f"{self._resolved + self._unresolved}")
+                    # print(f"+ Function: {func_addr:#x}, block {addr:#x}, target {resolved_tmp:#x}")
+                    return True, [resolved_tmp]
 
+        self._unresolved += 1
+        # print(f"{RESOLVED} ({SAVED_PROPS} saved, {HIT_CACHE} cached) / {RESOLVED + UNRESOLVED}")
+        # print(f"- Function: {func_addr:#x}, block {addr:#x}, FAILED")
         return False, []
 
+    def _check_jump_target_is_loaded_from_dynamic_addr(self, b, stmt_loc) -> bool:
+        queue: list[tuple[int, int, int]] = []  # depth, block_addr, stmt_idx
+        seen_locs: set[tuple[int, int]] = set()
+        for block_addr, stmt_idx in b.slice.predecessors(stmt_loc):
+            if (block_addr, stmt_idx) in seen_locs:
+                continue
+            seen_locs.add((block_addr, stmt_idx))
+            queue.append((0, block_addr, stmt_idx))
+        while queue:
+            depth, pred_addr, stmt_idx = queue.pop(0)
+            if depth >= 3:
+                break
+
+            # skip all IMarks
+            if stmt_idx != DEFAULT_STATEMENT:
+                block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
+                stmt = block.statements[stmt_idx]
+                if isinstance(stmt, pyvex.IRStmt.IMark):
+                    for succ_addr, succ_stmt_idx in b.slice.predecessors((pred_addr, stmt_idx)):
+                        if (succ_addr, succ_stmt_idx) in seen_locs:
+                            continue
+                        seen_locs.add((succ_addr, succ_stmt_idx))
+                        queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+                    continue
+
+                if (
+                    isinstance(stmt, pyvex.IRStmt.WrTmp)
+                    and isinstance(stmt.data, pyvex.IRExpr.Load)
+                    and not isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                ):
+                    # loading from memory
+                    return True
+
+            for succ_addr, succ_stmt_idx in b.slice.predecessors((pred_addr, stmt_idx)):
+                if (succ_addr, succ_stmt_idx) in seen_locs:
+                    continue
+                seen_locs.add((succ_addr, succ_stmt_idx))
+                queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+
+        return False
+
+    def _check_jump_target_is_compared_against(self, b, stmt_loc) -> bool:
+        # let's find which register the jump uses
+        jump_site = self.project.factory.block(stmt_loc[0], cross_insn_opt=True).vex
+        if not isinstance(jump_site.next, pyvex.IRExpr.RdTmp):
+            return False
+        next_tmp = jump_site.next.tmp
+        # find its definition
+        next_tmp_def = get_tmp_def_stmt(jump_site, next_tmp)
+        if next_tmp_def is None:
+            return False
+        next_tmp_def_stmt = jump_site.statements[next_tmp_def]
+        if not (
+            isinstance(next_tmp_def_stmt, pyvex.IRStmt.WrTmp) and isinstance(next_tmp_def_stmt.data, pyvex.IRExpr.Get)
+        ):
+            return False
+        next_reg = next_tmp_def_stmt.data.offset
+
+        # traverse back at most one level and check:
+        # - this register has never been updated
+        # - a comparison is conducted on this register (via a tmp, most likely)
+        queue = []
+        seen = set()
+        for block_addr, stmt_idx in b.slice.predecessors(stmt_loc):
+            if (block_addr, stmt_idx) in seen:
+                continue
+            seen.add((block_addr, stmt_idx))
+            queue.append((0, block_addr, stmt_idx))
+        while queue:
+            depth, pred_addr, stmt_idx = queue.pop(0)
+            if depth > 1:
+                continue
+
+            # skip all IMarks
+            pred = pred_addr, stmt_idx
+            if stmt_idx != DEFAULT_STATEMENT:
+                block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
+                stmt = block.statements[stmt_idx]
+                if isinstance(stmt, pyvex.IRStmt.IMark):
+                    for succ_addr, succ_stmt_idx in b.slice.predecessors(pred):
+                        if (succ_addr, succ_stmt_idx) in seen:
+                            continue
+                        seen.add((succ_addr, succ_stmt_idx))
+                        queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+                    continue
+
+                if isinstance(stmt, pyvex.IRStmt.Put) and stmt.offset == next_reg:
+                    # this register has been updated before we find a comparison; do not continue along this path
+                    continue
+
+                if (
+                    isinstance(stmt, pyvex.IRStmt.WrTmp)
+                    and isinstance(stmt.data, pyvex.IRExpr.Binop)
+                    and stmt.data.op.startswith("Iop_Cmp")
+                ):
+                    # what is it comparing against?
+                    for arg in stmt.data.args:
+                        if isinstance(arg, pyvex.IRExpr.RdTmp):
+                            arg_tmp_def = get_tmp_def_stmt(block, arg.tmp)
+                            if arg_tmp_def is not None:
+                                arg_tmp_def_stmt = block.statements[arg_tmp_def]
+                                if (
+                                    isinstance(arg_tmp_def_stmt, pyvex.IRStmt.WrTmp)
+                                    and isinstance(arg_tmp_def_stmt.data, pyvex.IRExpr.Get)
+                                    and arg_tmp_def_stmt.data.offset == next_reg
+                                ):
+                                    # the jump target is compared against this register
+                                    return True
+                                # another case: VEX optimization may have caused the tmp to be stored in the target
+                                # register. we need handle this case as well.
+                                if any(
+                                    isinstance(stmt_, pyvex.IRStmt.Put)
+                                    and stmt_.offset == next_reg
+                                    and isinstance(stmt_.data, pyvex.IRExpr.RdTmp)
+                                    and stmt_.data.tmp == arg.tmp
+                                    for stmt_ in block.statements[arg_tmp_def + 1 : stmt_idx]
+                                ):
+                                    # the jump target is compared against this register
+                                    return True
+
+            # continue traversing predecessors
+            for succ_addr, succ_stmt_idx in b.slice.predecessors(pred):
+                if (succ_addr, succ_stmt_idx) in seen:
+                    continue
+                seen.add((succ_addr, succ_stmt_idx))
+                queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+
+        return False
+
     @staticmethod
     def _find_tmp_write_stmt_and_ins(vex_block, tmp: int) -> tuple[int | None, int | None]:
         stmt_idx = None