angr 9.2.171__cp310-abi3-manylinux_2_28_aarch64.whl → 9.2.173__cp310-abi3-manylinux_2_28_aarch64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.171"
+__version__ = "9.2.173"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/fact_collector.py

@@ -622,10 +622,15 @@ class FactCollector(Analysis):
 
         stack_offset_created = set()
         ret_addr_offset = 0 if not self.project.arch.call_pushes_ret else self.project.arch.bytes
+        # handle shadow stack args
+        cc_cls = default_cc(
+            self.project.arch.name, platform=self.project.simos.name if self.project.simos is not None else None
+        )
+        stackarg_sp_buff = cc_cls.STACKARG_SP_BUFF if cc_cls is not None else 0
         for state in end_states:
             for offset, size in state.stack_reads.items():
                 offset = u2s(offset, self.project.arch.bits)
-                if offset - ret_addr_offset > 0:
+                if offset - ret_addr_offset > stackarg_sp_buff:
                     if offset in stack_offset_created or offset in callee_saved_reg_stack_offsets:
                         continue
                     stack_offset_created.add(offset)

angr/analyses/cfg/cfg_fast.py

@@ -3237,22 +3237,24 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             # Fill in the jump_tables dict
             self.jump_tables[jump.addr] = jump
             # occupy the jump table region
-            if jump.jumptable_addr is not None:
-                self._seg_list.occupy(jump.jumptable_addr, jump.jumptable_size, "data")
+            for jumptable_info in jump.jumptables:
+                if jumptable_info.addr is None:
+                    continue
+                self._seg_list.occupy(jumptable_info.addr, jumptable_info.size, "data")
                 if self._collect_data_ref:
-                    if jump.jumptable_addr in self._memory_data:
-                        memory_data = self._memory_data[jump.jumptable_addr]
-                        memory_data.size = jump.jumptable_size
-                        memory_data.max_size = jump.jumptable_size
+                    if jumptable_info.addr in self._memory_data:
+                        memory_data = self._memory_data[jumptable_info.addr]
+                        memory_data.size = jumptable_info.size
+                        memory_data.max_size = jumptable_info.size
                         memory_data.sort = MemoryDataSort.Unknown
                     else:
                         memory_data = MemoryData(
-                            jump.jumptable_addr,
-                            jump.jumptable_size,
+                            jumptable_info.addr,
+                            jumptable_info.size,
                             MemoryDataSort.Unknown,
-                            max_size=jump.jumptable_size,
+                            max_size=jumptable_info.size,
                         )
-                        self._memory_data[jump.jumptable_addr] = memory_data
+                        self._memory_data[jumptable_info.addr] = memory_data
 
         jump.resolved_targets = targets
         all_targets = set(targets)

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -780,7 +780,7 @@ class JumpTableResolver(IndirectJumpResolver):
         self._find_bss_region()
 
     def filter(self, cfg, addr, func_addr, block, jumpkind):
-        if pcode is not None and isinstance(block.vex, pcode.lifter.IRSB):
+        if pcode is not None and isinstance(block.vex, pcode.lifter.IRSB):  # type:ignore
             if once("pcode__indirect_jump_resolver"):
                 l.warning("JumpTableResolver does not support P-Code IR yet; CFG may be incomplete.")
             return False
@@ -1049,6 +1049,7 @@ class JumpTableResolver(IndirectJumpResolver):
 
             # Get the jumping targets
             for r in simgr.found:
+                jt2, jt2_addr, jt2_entrysize, jt2_size = None, None, None, None
                 if load_stmt is not None:
                     ret = self._try_resolve_targets_load(
                         r,
@@ -1064,7 +1065,18 @@ class JumpTableResolver(IndirectJumpResolver):
                     if ret is None:
                         # Try the next state
                         continue
-                    jump_table, jumptable_addr, entry_size, jumptable_size, all_targets, sort = ret
+                    (
+                        jump_table,
+                        jumptable_addr,
+                        entry_size,
+                        jumptable_size,
+                        all_targets,
+                        sort,
+                        jt2,
+                        jt2_addr,
+                        jt2_entrysize,
+                        jt2_size,
+                    ) = ret
                     if sort == "jumptable":
                         ij_type = IndirectJumpType.Jumptable_AddressLoadedFromMemory
                     elif sort == "vtable":
@@ -1116,15 +1128,14 @@ class JumpTableResolver(IndirectJumpResolver):
                             ij.jumptable = True
                         else:
                             ij.jumptable = False
-                        ij.jumptable_addr = jumptable_addr
-                        ij.jumptable_size = jumptable_size
-                        ij.jumptable_entry_size = entry_size
+                        ij.add_jumptable(jumptable_addr, jumptable_size, entry_size, jump_table, is_primary=True)
                         ij.resolved_targets = set(jump_table)
-                        ij.jumptable_entries = jump_table
                         ij.type = ij_type
                     else:
                         ij.jumptable = False
                         ij.resolved_targets = set(jump_table)
+                    if jt2 is not None and jt2_addr is not None and jt2_size is not None and jt2_entrysize is not None:
+                        ij.add_jumptable(jt2_addr, jt2_size, jt2_entrysize, jt2, is_primary=False)
 
                 return True, all_targets
 
@@ -1560,7 +1571,9 @@ class JumpTableResolver(IndirectJumpResolver):
                 stmt_whitelist = annotatedcfg.get_whitelisted_statements(block_addr)
                 assert isinstance(stmt_whitelist, list)
                 try:
-                    engine.process(state, block=block, whitelist=stmt_whitelist)
+                    engine.process(
+                        state, block=block, whitelist=set(stmt_whitelist) if stmt_whitelist is not None else None
+                    )
                 except (claripy.ClaripyError, SimError, AngrError):
                     # anything can happen
                     break
@@ -1789,7 +1802,18 @@ class JumpTableResolver(IndirectJumpResolver):
                         )
                     else:
                         l.debug("Table at %#x has %d plausible targets", table_base_addr, num_targets)
-                        return jump_table, table_base_addr, load_size, num_targets * load_size, jump_table, sort
+                        return (
+                            jump_table,
+                            table_base_addr,
+                            load_size,
+                            num_targets * load_size,
+                            jump_table,
+                            sort,
+                            None,
+                            None,
+                            None,
+                            None,
+                        )
 
             # We resolved too many targets for this indirect jump. Something might have gone wrong.
             l.debug(
@@ -1848,6 +1872,7 @@ class JumpTableResolver(IndirectJumpResolver):
         # Adjust entries inside the jump table
         mask = (2**self.project.arch.bits) - 1
         transformation_list = list(reversed([v for v in transformations.values() if not v.first_load]))
+        jt_2nd_memloads: dict[int, int] = {}
         if transformation_list:
 
             def handle_signed_ext(a):
@@ -1872,6 +1897,10 @@ class JumpTableResolver(IndirectJumpResolver):
                 return (a + con) & mask
 
             def handle_load(size, a):
+                if a not in jt_2nd_memloads:
+                    jt_2nd_memloads[a] = size
+                else:
+                    jt_2nd_memloads[a] = max(jt_2nd_memloads[a], size)
                 return cfg._fast_memory_load_pointer(a, size=size)
 
             invert_conversion_ops = []
@@ -1936,6 +1965,31 @@ class JumpTableResolver(IndirectJumpResolver):
             l.debug("Could not recover jump table")
             return None
 
+        # there might be a secondary jumptable
+        jt_2nd = self._get_secondary_jumptable_from_transformations(transformation_list)
+        jt_2nd_entries: list[int] | None = None
+        jt_2nd_baseaddr: int | None = None
+        jt_2nd_entrysize: int | None = None
+        jt_2nd_size: int | None = None
+        if jt_2nd is not None and jt_2nd_memloads:
+            # determine the size of the secondary jump table
+            jt_2nd_baseaddr, jt_2nd_entrysize = jt_2nd
+            if jt_2nd_baseaddr in jt_2nd_memloads:
+                jt_2nd_size = max(jt_2nd_memloads) - jt_2nd_baseaddr + jt_2nd_entrysize
+                if jt_2nd_size % jt_2nd_entrysize == 0:
+                    jt_2nd_entrycount = jt_2nd_size // jt_2nd_entrysize
+                    if jt_2nd_entrycount <= len(all_targets):
+                        # we found it!
+                        jt_2nd_entries = []
+                        for i in range(jt_2nd_entrycount):
+                            target = cfg._fast_memory_load_pointer(
+                                jt_2nd_baseaddr + i * jt_2nd_entrysize,
+                                size=jt_2nd_entrysize,
+                            )
+                            if target is None:
+                                break
+                            jt_2nd_entries.append(target)
+
         # Finally... all targets are ready
         illegal_target_found = False
         for target in all_targets:
@@ -1953,7 +2007,18 @@ class JumpTableResolver(IndirectJumpResolver):
         if illegal_target_found:
             return None
 
-        return jump_table, min_jumptable_addr, load_size, total_cases * load_size, all_targets, sort
+        return (
+            jump_table,
+            min_jumptable_addr,
+            load_size,
+            total_cases * load_size,
+            all_targets,
+            sort,
+            jt_2nd_entries,
+            jt_2nd_baseaddr,
+            jt_2nd_entrysize,
+            jt_2nd_size,
+        )
 
     def _try_resolve_targets_ite(
         self, r, addr, cfg, annotatedcfg, ite_stmt: pyvex.IRStmt.WrTmp
@@ -2279,6 +2344,64 @@ class JumpTableResolver(IndirectJumpResolver):
                 return None
         return jump_addr
 
+    def _get_secondary_jumptable_from_transformations(
+        self, transformations: list[AddressTransformation]
+    ) -> tuple[int, int] | None:
+        """
+        Find the potential secondary "jump table" from a list of transformations.
+
+        :param transformations: A list of address transformations.
+        :return:    A tuple of [jump_table_addr, entry_size] if a secondary jump table is found. None otherwise.
+        """
+
+        # find all add-(add-)load sequence
+
+        for i in range(len(transformations) - 1):
+            prev_tran = transformations[i - 1] if i - 1 >= 0 else None
+            tran = transformations[i]
+            if not (
+                tran.op == AddressTransformationTypes.Add
+                and (prev_tran is None or prev_tran.op != AddressTransformationTypes.Add)
+            ):
+                continue
+            next_tran = transformations[i + 1]
+            add_tran, load_tran = None, None
+            if next_tran.op == AddressTransformationTypes.Load:
+                add_tran = None
+                load_tran = next_tran
+            elif next_tran.op == AddressTransformationTypes.Add:
+                next2_tran = transformations[i + 2] if i + 2 < len(transformations) else None
+                if next2_tran is not None and next2_tran.op == AddressTransformationTypes.Load:
+                    add_tran = next_tran
+                    load_tran = next2_tran
+
+            if load_tran is None:
+                continue
+            # we have found an add-(add-)load sequence
+            jumptable_base_addr = None
+            if isinstance(tran.operands[0], AddressOperand) and isinstance(tran.operands[1], int):
+                jumptable_base_addr = tran.operands[1]
+            elif isinstance(tran.operands[1], AddressOperand) and isinstance(tran.operands[0], int):
+                jumptable_base_addr = tran.operands[0]
+            else:
+                # unsupported first add
+                continue
+
+            if add_tran is not None:
+                mask = (1 << self.project.arch.bits) - 1
+                if isinstance(add_tran.operands[0], AddressOperand) and isinstance(add_tran.operands[1], int):
+                    jumptable_base_addr = (jumptable_base_addr + add_tran.operands[1]) & mask
+                elif isinstance(add_tran.operands[1], AddressOperand) and isinstance(add_tran.operands[0], int):
+                    jumptable_base_addr = (jumptable_base_addr + add_tran.operands[0]) & mask
+                else:
+                    # unsupported second add
+                    continue
+
+            load_size = load_tran.operands[1]
+            # we have a potential secondary jump table!
+            return jumptable_base_addr, load_size
+        return None
+
     def _sp_moved_up(self, block) -> bool:
         """
         Examine if the stack pointer moves up (if any values are popped out of the stack) within a single block.

angr/analyses/decompiler/block_simplifier.py

@@ -303,6 +303,23 @@ class BlockSimplifier(Analysis):
         return block.copy(statements=new_statements)
 
     def _eliminate_dead_assignments(self, block):
+
+        def _statement_has_calls(stmt: Statement) -> bool:
+            """
+            Check if a statement has any Call expressions.
+            """
+            walker = HasCallExprWalker()
+            walker.walk_statement(stmt)
+            return walker.has_call_expr
+
+        def _expression_has_calls(expr: Expression) -> bool:
+            """
+            Check if an expression has any Call expressions.
+            """
+            walker = HasCallExprWalker()
+            walker.walk_expression(expr)
+            return walker.has_call_expr
+
         new_statements = []
         if not block.statements:
             return block
@@ -325,8 +342,11 @@ class BlockSimplifier(Analysis):
         # micro optimization: if all statements that use a tmp are going to be removed, we remove this tmp as well
         for tmp, used_locs in rd.all_tmp_uses[block_loc].items():
             used_at = {stmt_idx for _, stmt_idx in used_locs}
-            if used_at.issubset(dead_defs_stmt_idx):
-                continue
+            if used_at.issubset(dead_defs_stmt_idx):  # noqa:SIM102
+                # cannot remove this tmp if any use sites involve call expressions; this is basically a duplicate of
+                # the logic in the larger loop below
+                if all(not _statement_has_calls(block.statements[i]) for i in used_at):
+                    continue
             used_tmps.add(tmp.tmp_idx)
 
         # Remove dead assignments
@@ -337,9 +357,7 @@ class BlockSimplifier(Analysis):
                     # is it assigning to an unused tmp or a dead virgin?
 
                     # does .src involve any Call expressions? if so, we cannot remove it
-                    walker = HasCallExprWalker()
-                    walker.walk_expression(stmt.src)
-                    if not walker.has_call_expr:
+                    if not _expression_has_calls(stmt.src):
                         continue
 
                     if type(stmt.dst) is Tmp and isinstance(stmt.src, Call):

angr/analyses/decompiler/clinic.py

@@ -2158,10 +2158,9 @@ class Clinic(Analysis):
             # custom string?
             if hasattr(expr, "custom_string") and expr.custom_string is True:
                 s = self.kb.custom_strings[expr.value]
+                ty = expr.type if hasattr(expr, "type") else SimTypePointer(SimTypeChar()).with_arch(self.project.arch)
                 expr.tags["reference_values"] = {
-                    SimTypePointer(SimTypeChar().with_arch(self.project.arch)).with_arch(self.project.arch): s.decode(
-                        "latin-1"
-                    ),
+                    ty: s,
                 }
             else:
                 # global variable?

angr/analyses/decompiler/decompiler.py

@@ -562,7 +562,13 @@ class Decompiler(Analysis):
                 continue
 
             pass_ = timethis(pass_)
-            a = pass_(self.func, seq=seq_node, scratch=self._optimization_scratch, **kwargs)
+            a = pass_(
+                self.func,
+                seq=seq_node,
+                scratch=self._optimization_scratch,
+                peephole_optimizations=self._peephole_optimizations,
+                **kwargs,
+            )
             if a.out_seq:
                 seq_node = a.out_seq
 

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -35,6 +35,7 @@ from .switch_reused_entry_rewriter import SwitchReusedEntryRewriter
 from .condition_constprop import ConditionConstantPropagation
 from .determine_load_sizes import DetermineLoadSizes
 from .eager_std_string_concatenation import EagerStdStringConcatenationPass
+from .peephole_simplifier import PostStructuringPeepholeOptimizationPass
 
 if TYPE_CHECKING:
     from angr.analyses.decompiler.presets import DecompilationPreset
@@ -72,6 +73,7 @@ ALL_OPTIMIZATION_PASSES = [
     ConditionConstantPropagation,
     DetermineLoadSizes,
     EagerStdStringConcatenationPass,
+    PostStructuringPeepholeOptimizationPass,
 ]
 
 # these passes may duplicate code to remove gotos or improve the structure of the graph

angr/analyses/decompiler/optimization_passes/peephole_simplifier.py

@@ -0,0 +1,75 @@
+from __future__ import annotations
+
+from angr import ailment
+from angr.analyses.decompiler.utils import (
+    peephole_optimize_expr,
+)
+from angr.analyses.decompiler.sequence_walker import SequenceWalker
+from angr.analyses.decompiler.peephole_optimizations import (
+    PeepholeOptimizationExprBase,
+    EXPR_OPTS,
+)
+from .optimization_pass import OptimizationPassStage, SequenceOptimizationPass
+
+
+class ExpressionSequenceWalker(SequenceWalker):
+    """
+    Walks sequences with generic expression handling.
+    """
+
+    def _handle(self, node, **kwargs):
+        if isinstance(node, ailment.Expr.Expression):
+            handler = self._handlers.get(ailment.Expr.Expression, None)
+            if handler:
+                return handler(node, **kwargs)
+        return super()._handle(node, **kwargs)
+
+
+class PostStructuringPeepholeOptimizationPass(SequenceOptimizationPass):
+    """
+    Perform a post-structuring peephole optimization pass to simplify node statements and expressions.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_STRUCTURING
+    NAME = "Post-Structuring Peephole Optimization"
+    DESCRIPTION = (__doc__ or "").strip()
+
+    def __init__(self, func, peephole_optimizations=None, **kwargs):
+        super().__init__(func, **kwargs)
+        self._peephole_optimizations = peephole_optimizations
+        self._expr_peephole_opts = [
+            cls(self.project, self.kb, self._func.addr)
+            for cls in (self._peephole_optimizations or EXPR_OPTS)
+            if issubclass(cls, PeepholeOptimizationExprBase)
+        ]
+        self.analyze()
+
+    def _check(self):
+        return True, None
+
+    def _analyze(self, cache=None):
+        walker = ExpressionSequenceWalker(
+            handlers={ailment.Expr.Expression: self._optimize_expr, ailment.Block: self._optimize_block}
+        )
+        walker.walk(self.seq)
+        self.out_seq = self.seq
+
+    def _optimize_expr(self, expr, **_):
+        new_expr = peephole_optimize_expr(expr, self._expr_peephole_opts)
+        return new_expr if expr != new_expr else None
+
+    def _optimize_block(self, block, **_):
+        old_block, new_block = None, block
+        while old_block != new_block:
+            old_block = new_block
+            # Note: AILBlockSimplifier updates expressions in place
+            simp = self.project.analyses.AILBlockSimplifier(
+                new_block,
+                func_addr=self._func.addr,
+                peephole_optimizations=self._peephole_optimizations,
+            )
+            assert simp.result_block is not None
+            new_block = simp.result_block
+        return new_block if block != new_block else None

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -47,6 +47,7 @@ from .inlined_memcpy import InlinedMemcpy
 from .inlined_strcpy import InlinedStrcpy
 from .inlined_strcpy_consolidation import InlinedStrcpyConsolidation
 from .inlined_wstrcpy import InlinedWstrcpy
+from .inlined_wstrcpy_consolidation import InlinedWstrcpyConsolidation
 from .cmpord_rewriter import CmpORDRewriter
 from .coalesce_adjacent_shrs import CoalesceAdjacentShiftRights
 from .a_mul_const_sub_a import AMulConstSubA
@@ -104,6 +105,7 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     InlinedStrcpy,
     InlinedStrcpyConsolidation,
     InlinedWstrcpy,
+    InlinedWstrcpyConsolidation,
     CmpORDRewriter,
     CoalesceAdjacentShiftRights,
     ShlToMul,

angr/analyses/decompiler/peephole_optimizations/cas_intrinsics.py

@@ -1,7 +1,7 @@
 # pylint:disable=arguments-differ,too-many-boolean-expressions
 from __future__ import annotations
 
-from angr.ailment.expression import BinaryOp, Load
+from angr.ailment.expression import BinaryOp, Load, Expression, Tmp
 from angr.ailment.statement import CAS, ConditionalJump, Statement, Assignment, Call
 
 from .base import PeepholeOptimizationMultiStmtBase
@@ -60,11 +60,13 @@ class CASIntrinsics(PeepholeOptimizationMultiStmtBase):
             and next_stmt.ins_addr == cas_stmt.ins_addr
         ):
             addr = cas_stmt.addr
+            expd_lo = self._resolve_tmp_expr(cas_stmt.expd_lo, block)
+            next_stmt_cond_op1 = self._resolve_tmp_expr(next_stmt.condition.operands[1], block)
             if (
-                isinstance(cas_stmt.expd_lo, Load)
-                and cas_stmt.expd_lo.addr.likes(addr)
-                and isinstance(next_stmt.condition.operands[1], Load)
-                and next_stmt.condition.operands[1].addr.likes(addr)
+                isinstance(expd_lo, Load)
+                and expd_lo.addr.likes(addr)
+                and isinstance(next_stmt_cond_op1, Load)
+                and next_stmt_cond_op1.addr.likes(addr)
                 and cas_stmt.old_lo.likes(next_stmt.condition.operands[0])
                 and cas_stmt.old_hi is None
             ):
@@ -113,3 +115,11 @@ class CASIntrinsics(PeepholeOptimizationMultiStmtBase):
                 os = "Linux"
             return _INTRINSICS_NAMES[mnemonic][os]
         return mnemonic
+
+    @staticmethod
+    def _resolve_tmp_expr(expr: Expression, block) -> Expression:
+        if isinstance(expr, Tmp):
+            for stmt in block.statements:
+                if isinstance(stmt, Assignment) and stmt.dst.likes(expr):
+                    return stmt.src
+        return expr