angr 9.2.175__cp310-abi3-macosx_11_0_arm64.whl → 9.2.177__cp310-abi3-macosx_11_0_arm64.whl

angr/analyses/typehoon/translator.py

@@ -85,7 +85,7 @@ class TypeTranslator:
             internal = sim_type.SimTypeBottom(label="void").with_arch(self.arch)
         else:
             internal = self._tc2simtype(tc.basetype)
-        return sim_type.SimTypePointer(internal).with_arch(self.arch)
+        return sim_type.SimTypePointer(internal, label=tc.name).with_arch(self.arch)
 
     def _translate_Pointer32(self, tc):
         if isinstance(tc.basetype, typeconsts.BottomType):
@@ -93,11 +93,11 @@ class TypeTranslator:
             internal = sim_type.SimTypeBottom(label="void").with_arch(self.arch)
         else:
             internal = self._tc2simtype(tc.basetype)
-        return sim_type.SimTypePointer(internal).with_arch(self.arch)
+        return sim_type.SimTypePointer(internal, label=tc.name).with_arch(self.arch)
 
     def _translate_Array(self, tc: typeconsts.Array) -> sim_type.SimTypeArray:
         elem_type = self._tc2simtype(tc.element)
-        return sim_type.SimTypeArray(elem_type, length=tc.count).with_arch(self.arch)
+        return sim_type.SimTypeArray(elem_type, length=tc.count, label=tc.name).with_arch(self.arch)
 
     def _translate_Struct(self, tc: typeconsts.Struct):
         if tc in self.structs:
@@ -136,26 +136,26 @@ class TypeTranslator:
 
         return s
 
-    def _translate_Int8(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeChar(signed=False).with_arch(self.arch)
+    def _translate_Int8(self, tc):
+        return sim_type.SimTypeChar(signed=False, label=tc.name).with_arch(self.arch)
 
-    def _translate_Int16(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeShort(signed=False).with_arch(self.arch)
+    def _translate_Int16(self, tc):
+        return sim_type.SimTypeShort(signed=False, label=tc.name).with_arch(self.arch)
 
-    def _translate_Int32(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeInt(signed=False).with_arch(self.arch)
+    def _translate_Int32(self, tc):
+        return sim_type.SimTypeInt(signed=False, label=tc.name).with_arch(self.arch)
 
-    def _translate_Int64(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeLongLong(signed=False).with_arch(self.arch)
+    def _translate_Int64(self, tc):
+        return sim_type.SimTypeLongLong(signed=False, label=tc.name).with_arch(self.arch)
 
-    def _translate_Int128(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeInt128(signed=False).with_arch(self.arch)
+    def _translate_Int128(self, tc):
+        return sim_type.SimTypeInt128(signed=False, label=tc.name).with_arch(self.arch)
 
-    def _translate_Int256(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeInt256(signed=False).with_arch(self.arch)
+    def _translate_Int256(self, tc):
+        return sim_type.SimTypeInt256(signed=False, label=tc.name).with_arch(self.arch)
 
-    def _translate_Int512(self, tc):  # pylint:disable=unused-argument
-        return sim_type.SimTypeInt512(signed=False).with_arch(self.arch)
+    def _translate_Int512(self, tc):
+        return sim_type.SimTypeInt512(signed=False, label=tc.name).with_arch(self.arch)
 
     def _translate_TypeVariableReference(self, tc):
         if tc.typevar in self.translated:
@@ -164,11 +164,11 @@ class TypeTranslator:
         self._has_nonexistent_ref = True
         return SimTypeTempRef(tc.typevar)
 
-    def _translate_Float32(self, tc: typeconsts.Float32) -> sim_type.SimTypeFloat:  # pylint:disable=unused-argument
-        return sim_type.SimTypeFloat().with_arch(self.arch)
+    def _translate_Float32(self, tc: typeconsts.Float32) -> sim_type.SimTypeFloat:
+        return sim_type.SimTypeFloat(label=tc.name).with_arch(self.arch)
 
-    def _translate_Float64(self, tc: typeconsts.Float64) -> sim_type.SimTypeDouble:  # pylint:disable=unused-argument
-        return sim_type.SimTypeDouble().with_arch(self.arch)
+    def _translate_Float64(self, tc: typeconsts.Float64) -> sim_type.SimTypeDouble:
+        return sim_type.SimTypeDouble(label=tc.name).with_arch(self.arch)
 
     #
     # Backpatching
@@ -197,25 +197,25 @@ class TypeTranslator:
     #
 
     def _translate_SimTypeInt128(self, st: sim_type.SimTypeChar) -> typeconsts.Int128:
-        return typeconsts.Int128()
+        return typeconsts.Int128(name=st.label)
 
     def _translate_SimTypeInt256(self, st: sim_type.SimTypeChar) -> typeconsts.Int256:
-        return typeconsts.Int256()
+        return typeconsts.Int256(name=st.label)
 
     def _translate_SimTypeInt512(self, st: sim_type.SimTypeChar) -> typeconsts.Int512:
-        return typeconsts.Int512()
+        return typeconsts.Int512(name=st.label)
 
     def _translate_SimTypeInt(self, st: sim_type.SimTypeInt) -> typeconsts.Int32:
-        return typeconsts.Int32()
+        return typeconsts.Int32(name=st.label)
 
     def _translate_SimTypeLong(self, st: sim_type.SimTypeLong) -> typeconsts.Int32:
-        return typeconsts.Int32()
+        return typeconsts.Int32(name=st.label)
 
     def _translate_SimTypeLongLong(self, st: sim_type.SimTypeLongLong) -> typeconsts.Int64:
-        return typeconsts.Int64()
+        return typeconsts.Int64(name=st.label)
 
     def _translate_SimTypeChar(self, st: sim_type.SimTypeChar) -> typeconsts.Int8:
-        return typeconsts.Int8()
+        return typeconsts.Int8(name=st.label)
 
     def _translate_SimStruct(self, st: sim_type.SimStruct) -> typeconsts.Struct:
         fields = {}
@@ -224,25 +224,25 @@ class TypeTranslator:
             offset = offsets[name]
             fields[offset] = self._simtype2tc(ty)
 
-        return typeconsts.Struct(fields=fields)
+        return typeconsts.Struct(fields=fields, name=st.label)
 
     def _translate_SimTypeArray(self, st: sim_type.SimTypeArray) -> typeconsts.Array:
         elem_type = self._simtype2tc(st.elem_type)
-        return typeconsts.Array(elem_type, count=st.length)
+        return typeconsts.Array(elem_type, count=st.length, name=st.label)
 
     def _translate_SimTypePointer(self, st: sim_type.SimTypePointer) -> typeconsts.Pointer32 | typeconsts.Pointer64:
         base = self._simtype2tc(st.pts_to)
         if self.arch.bits == 32:
-            return typeconsts.Pointer32(base)
+            return typeconsts.Pointer32(base, name=st.label)
         if self.arch.bits == 64:
-            return typeconsts.Pointer64(base)
+            return typeconsts.Pointer64(base, name=st.label)
         raise TypeError(f"Unsupported pointer size {self.arch.bits}")
 
     def _translate_SimTypeFloat(self, st: sim_type.SimTypeFloat) -> typeconsts.Float32:
-        return typeconsts.Float32()
+        return typeconsts.Float32(name=st.label)
 
     def _translate_SimTypeDouble(self, st: sim_type.SimTypeDouble) -> typeconsts.Float64:
-        return typeconsts.Float64()
+        return typeconsts.Float64(name=st.label)
 
 
 TypeConstHandlers = {

angr/analyses/typehoon/typeconsts.py

@@ -5,6 +5,7 @@ All type constants used in type inference. They can be mapped, translated, or re
 from __future__ import annotations
 
 import functools
+import itertools
 
 
 def memoize(f):
@@ -24,6 +25,9 @@ def memoize(f):
 class TypeConstant:
     SIZE = None
 
+    def __init__(self, name: str | None = None):
+        self.name = name
+
     def pp_str(self, mapping) -> str:  # pylint:disable=unused-argument
         return repr(self)
 
@@ -115,7 +119,8 @@ class Int512(Int):
 
 
 class IntVar(Int):
-    def __init__(self, size):
+    def __init__(self, size, name: str | None = None):
+        super().__init__(name)
         self._size = size
 
     @property
@@ -146,7 +151,8 @@ class Float64(Float):
 
 
 class Pointer(TypeConstant):
-    def __init__(self, basetype: TypeConstant | None):
+    def __init__(self, basetype: TypeConstant | None, name: str | None = None):
+        super().__init__(name=name)
         self.basetype: TypeConstant | None = basetype
 
     def __eq__(self, other):
@@ -169,13 +175,15 @@ class Pointer32(Pointer, Int32):
     32-bit pointers.
     """
 
-    def __init__(self, basetype=None):
-        Pointer.__init__(self, basetype)
+    def __init__(self, basetype=None, name: str | None = None):
+        Pointer.__init__(self, basetype, name=name)
+        Int32.__init__(self, name=name)
 
     @memoize
     def __repr__(self, memo=None):
         bt = self.basetype.__repr__(memo=memo) if isinstance(self.basetype, TypeConstant) else repr(self.basetype)
-        return f"ptr32({bt})"
+        name_str = f"{self.name}#" if self.name else ""
+        return f"{name_str}ptr32({bt})"
 
 
 class Pointer64(Pointer, Int64):
@@ -183,17 +191,20 @@ class Pointer64(Pointer, Int64):
     64-bit pointers.
     """
 
-    def __init__(self, basetype=None):
-        Pointer.__init__(self, basetype)
+    def __init__(self, basetype=None, name: str | None = None):
+        Pointer.__init__(self, basetype, name=name)
+        Int64.__init__(self, name=name)
 
     @memoize
     def __repr__(self, memo=None):
         bt = self.basetype.__repr__(memo=memo) if isinstance(self.basetype, TypeConstant) else repr(self.basetype)
-        return f"ptr64({bt})"
+        name_str = f"{self.name}#" if self.name else ""
+        return f"{name_str}ptr64({bt})"
 
 
 class Array(TypeConstant):
-    def __init__(self, element=None, count=None):
+    def __init__(self, element=None, count=None, name: str | None = None):
+        super().__init__(name=name)
         self.element: TypeConstant | None = element
         self.count: int | None = count
 
@@ -222,18 +233,22 @@ class Array(TypeConstant):
         return self._hash(set())
 
 
+_STRUCT_ID = itertools.count()
+
+
 class Struct(TypeConstant):
-    def __init__(self, fields=None, name=None, field_names=None, is_cppclass: bool = False):
+    def __init__(self, fields=None, name=None, field_names=None, is_cppclass: bool = False, idx: int = -1):
+        super().__init__(name=name)
         self.fields = {} if fields is None else fields  # offset to type
-        self.name = name
         self.field_names = field_names
         self.is_cppclass = is_cppclass
+        self.idx = idx if idx != -1 else next(_STRUCT_ID)
 
     def _hash(self, visited: set[int]):
         if id(self) in visited:
             return 0
         visited.add(id(self))
-        return hash((type(self), self._hash_fields(visited)))
+        return hash((type(self), self.idx, self._hash_fields(visited)))
 
     def _hash_fields(self, visited: set[int]):
         keys = sorted(self.fields.keys())
@@ -252,6 +267,7 @@ class Struct(TypeConstant):
     @memoize
     def __repr__(self, memo=None):
         prefix = "CppClass" if self.is_cppclass else "struct"
+        prefix += f"#{self.idx}"
         if self.name:
             prefix = f"{prefix} {self.name}"
         return (
@@ -262,14 +278,15 @@ class Struct(TypeConstant):
         )
 
     def __eq__(self, other):
-        return type(other) is type(self) and hash(self) == hash(other)
+        return type(other) is type(self) and self.idx == other.idx and hash(self) == hash(other)
 
     def __hash__(self):
         return self._hash(set())
 
 
 class Function(TypeConstant):
-    def __init__(self, params: list, outputs: list):
+    def __init__(self, params: list, outputs: list, name: str | None = None):
+        super().__init__(name=name)
         self.params = params
         self.outputs = outputs
 
@@ -298,7 +315,8 @@ class Function(TypeConstant):
 
 
 class TypeVariableReference(TypeConstant):
-    def __init__(self, typevar):
+    def __init__(self, typevar, name: str | None = None):
+        super().__init__(name=name)
         self.typevar = typevar
 
     def __repr__(self, memo=None):

angr/analyses/typehoon/typevars.py

@@ -559,20 +559,27 @@ class ReinterpretAs(BaseLabel):
 
 
 class HasField(BaseLabel):
+    """
+    Has a field of the given bit size * elem_count at the given offset.
+    """
+
     __slots__ = (
         "bits",
+        "elem_count",
         "offset",
     )
 
-    def __init__(self, bits, offset):
+    def __init__(self, bits, offset, elem_count: int = 1):
         self.bits = bits
         self.offset = offset
+        self.elem_count = elem_count
         super().__init__()
 
     def __repr__(self):
         if self.bits == MAX_POINTSTO_BITS:
             return f"<MAX_POINTSTO_BITS>@{self.offset}"
-        return f"<{self.bits} bits>@{self.offset}"
+        elem_str = str(self.elem_count) if self.elem_count != 1 else ""
+        return f"<{self.bits} bits>@{self.offset}{elem_str}"
 
 
 class IsArray(BaseLabel):

angr/analyses/variable_recovery/engine_ail.py

@@ -34,6 +34,7 @@ class SimEngineVRAIL(
     def __init__(
         self,
         *args,
+        type_lifter: TypeLifter,
         call_info=None,
         vvar_to_vvar: dict[int, int] | None,
         vvar_type_hints: dict[int, typeconsts.TypeConstant] | None = None,
@@ -44,6 +45,7 @@ class SimEngineVRAIL(
         self._reference_spoffset: bool = False
         self.call_info = call_info or {}
         self.vvar_to_vvar = vvar_to_vvar
+        self.type_lifter = type_lifter
 
     def _mapped_vvarid(self, vvar_id: int) -> int | None:
         if self.vvar_to_vvar is not None and vvar_id in self.vvar_to_vvar:
@@ -169,6 +171,45 @@ class SimEngineVRAIL(
             if isinstance(funcaddr_typevar, typevars.TypeVariable):
                 load_typevar = self._create_access_typevar(funcaddr_typevar, False, self.arch.bytes, 0)
                 self.state.add_type_constraint(typevars.Subtype(funcaddr_typevar, load_typevar))
+        elif isinstance(target, str):
+            # special handling for some intrinsics
+            match target:
+                case (
+                    "InterlockedExchange8"
+                    | "InterlockedExchange16"
+                    | "InterlockedExchange"
+                    | "InterlockedExchange64"
+                    | "InterlockedCompareExchange16"
+                    | "InterlockedCompareExchange"
+                    | "InterlockedCompareExchange64"
+                    | "InterlockedCompareExchange128"
+                    | "InterlockedExchangeAdd"
+                    | "InterlockedExchangeAdd64"
+                ):
+                    arg_tv = (
+                        args[0].typevar
+                        if args[0].typevar is not None
+                        else args[1].typevar if args[1].typevar is not None else None
+                    )
+                    if arg_tv is not None:
+                        ret_ty = self._create_access_typevar(
+                            arg_tv, False, args[0].data.size() // self.arch.byte_width, 0
+                        )
+                        return RichR(self.state.top(ret_expr_bits), typevar=ret_ty)
+                case (
+                    "InterlockedIncrement"
+                    | "InterlockedIncrement16"
+                    | "InterlockedIncrement64"
+                    | "InterlockedDecrement"
+                    | "InterlockedDecrement16"
+                    | "InterlockedDecrement64"
+                ):
+                    arg_tv = args[0].typevar if args[0].typevar is not None else None
+                    if arg_tv is not None:
+                        ret_ty = self._create_access_typevar(
+                            arg_tv, False, args[0].data.size() // self.arch.byte_width, 0
+                        )
+                        return RichR(self.state.top(ret_expr_bits), typevar=ret_ty)
 
         # discover the prototype
         prototype: SimTypeFunction | None = None
@@ -195,7 +236,7 @@ class SimEngineVRAIL(
                     arg_type = (
                         dereference_simtype_by_lib(arg_type, prototype_libname) if prototype_libname else arg_type
                     )
-                    arg_ty = TypeLifter(self.arch.bits).lift(arg_type)
+                    arg_ty = self.type_lifter.lift(arg_type)
                     type_constraint = typevars.Subtype(arg.typevar, arg_ty)
                     self.state.add_type_constraint(type_constraint)
 
@@ -282,7 +323,7 @@ class SimEngineVRAIL(
                     arg_type = (
                         dereference_simtype_by_lib(arg_type, prototype_libname) if prototype_libname else arg_type
                     )
-                    arg_ty = TypeLifter(self.arch.bits).lift(arg_type)
+                    arg_ty = self.type_lifter.lift(arg_type)
                     if arg.typevar is not None and isinstance(
                         arg_ty, (typeconsts.TypeConstant, typevars.TypeVariable, typevars.DerivedTypeVariable)
                     ):

angr/analyses/variable_recovery/engine_base.py

@@ -277,7 +277,10 @@ class SimEngineVRBase(
         variable, _ = existing_vars[0]
 
         if not self.state.typevars.has_type_variable_for(variable):
-            variable_typevar = typevars.TypeVariable()
+            if isinstance(variable, SimStackVariable) and variable.offset in self.state.stack_offset_typevars:
+                variable_typevar = self.state.stack_offset_typevars[variable.offset]
+            else:
+                variable_typevar = typevars.TypeVariable()
             self.state.typevars.add_type_variable(variable, variable_typevar)
         # we do not add any type constraint here because we are not sure if the given memory address will ever be
         # accessed or not

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -284,6 +284,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self._unify_variables = unify_variables
 
         # handle type hints
+        self.type_lifter = TypeLifter(self.project.arch.bits)
         self.vvar_type_hints = {}
         if type_hints:
             self._parse_type_hints(type_hints)
@@ -294,6 +295,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             call_info=call_info,
             vvar_to_vvar=self.vvar_to_vvar,
             vvar_type_hints=self.vvar_type_hints,
+            type_lifter=self.type_lifter,
         )
         self._vex_engine: SimEngineVRVEX = SimEngineVRVEX(self.project, self.kb, call_info=call_info)
 
@@ -654,7 +656,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         if ty is None:
             return None
         ty = ty.with_arch(self.project.arch)
-        lifted = TypeLifter(self.project.arch.bits).lift(ty)
+        lifted = self.type_lifter.lift(ty)
         return None if isinstance(lifted, (BottomType, TopType)) else lifted
 
 

angr/emulator.py

@@ -95,7 +95,8 @@ class Emulator:
         num_inst_executed: int = 0
         while self._state.history.jumpkind != "Ijk_Exit":
             # Check if there is a breakpoint at the current address
-            if completed_engine_execs > 0 and self._state.addr in self._engine.get_breakpoints():
+            addr_with_lower_bit_cleared = self._state.addr & ~1
+            if completed_engine_execs > 0 and addr_with_lower_bit_cleared in self._engine.get_breakpoints():
                 return EmulatorStopReason.BREAKPOINT
 
             # Check if we've already executed the requested number of instructions

angr/engines/hook.py

@@ -54,7 +54,7 @@ class HooksMixin(SuccessorsEngine, ProcedureMixin):
         if procedure is None:
             procedure = self._lookup_hook(state, procedure)
         if procedure is None:
-            return super().process_successors(successors, procedure=procedure, **kwargs)
+            return super().process_successors(successors, **kwargs)
 
         if isinstance(procedure.addr, SootAddressDescriptor):
             l.debug("Running %s (originally at %r)", repr(procedure), procedure.addr)

angr/engines/icicle.py

@@ -8,7 +8,7 @@ from dataclasses import dataclass
 from typing_extensions import override
 
 import pypcode
-from archinfo import Arch, Endness
+from archinfo import Arch, ArchPcode, Endness, ArchARMCortexM
 
 from angr.engines.concrete import ConcreteEngine, HeavyConcreteState
 from angr.engines.failure import SimEngineFailure
@@ -72,6 +72,8 @@ class IcicleEngine(ConcreteEngine):
         accurate, just a set of heuristics to get the right architecture. When
         adding a new architecture, this function may need to be updated.
         """
+        if isinstance(arch, ArchARMCortexM) or (isinstance(arch, ArchPcode) and arch.pcode_arch == "ARM:LE:32:Cortex"):
+            return "armv7m"
         if arch.linux_name == "arm":
             return "armv7a" if arch.memory_endness == Endness.LE else "armeb"
         return arch.linux_name
@@ -84,11 +86,20 @@ class IcicleEngine(ConcreteEngine):
         return icicle_arch.startswith(("arm", "thumb"))
 
     @staticmethod
-    def __is_thumb(icicle_arch: str, addr: int) -> bool:
+    def __is_cortex_m(angr_arch: Arch, icicle_arch: str) -> bool:
+        """
+        Check if the architecture is cortex-m based on the address.
+        """
+        return isinstance(angr_arch, ArchARMCortexM) or icicle_arch == "armv7m"
+
+    @staticmethod
+    def __is_thumb(angr_arch: Arch, icicle_arch: str, addr: int) -> bool:
         """
         Check if the architecture is thumb based on the address.
         """
-        return IcicleEngine.__is_arm(icicle_arch) and addr & 1 == 1
+        return IcicleEngine.__is_cortex_m(angr_arch, icicle_arch) or (
+            IcicleEngine.__is_arm(icicle_arch) and addr & 1 == 1
+        )
 
     @staticmethod
     def __get_pages(state: HeavyConcreteState) -> set[int]:
@@ -132,13 +143,16 @@ class IcicleEngine(ConcreteEngine):
         for register in state.arch.register_list:
             register = register.vex_name.lower() if register.vex_name is not None else register.name
             try:
-                emu.reg_write(register, state.solver.eval(state.registers.load(register), cast_to=int))
+                emu.reg_write(
+                    register,
+                    state.solver.eval(state.registers.load(register), cast_to=int),
+                )
                 copied_registers.add(register)
             except KeyError:
                 log.debug("Register %s not found in icicle", register)
 
         # Unset the thumb bit if necessary
-        if IcicleEngine.__is_thumb(icicle_arch, state.addr):
+        if IcicleEngine.__is_thumb(state.arch, icicle_arch, state.addr):
             emu.pc = state.addr & ~1
             emu.isa_mode = 1
         elif "arm" in icicle_arch:  # Hack to work around us calling it r15t
@@ -242,11 +256,13 @@ class IcicleEngine(ConcreteEngine):
     @override
     def add_breakpoint(self, addr: int) -> None:
         """Add a breakpoint at the given address."""
+        addr = addr & ~1  # Clear thumb bit if set
         self.breakpoints.add(addr)
 
     @override
     def remove_breakpoint(self, addr: int) -> None:
         """Remove a breakpoint at the given address, if present."""
+        addr = addr & ~1  # Clear thumb bit if set
         self.breakpoints.discard(addr)
 
     @override

angr/engines/vex/claripy/ccall.py

@@ -343,7 +343,7 @@ def pc_make_rdata_if_necessary(nbits, cf, pf, af, zf, sf, of, platform=None):
 
 
 def pc_actions_ADD(state, nbits, arg_l, arg_r, cc_ndep, platform=None):
-    data_mask, sign_mask = pc_preamble(nbits)
+    data_mask, _sign_mask = pc_preamble(nbits)
     res = arg_l + arg_r
 
     cf = claripy.If(claripy.ULT(res, arg_l), claripy.BVV(1, 1), claripy.BVV(0, 1))
@@ -701,7 +701,7 @@ def pc_calculate_rdata_all(state, cc_op, cc_dep1, cc_dep2, cc_ndep, platform=Non
 def pc_calculate_condition(state, cond, cc_op, cc_dep1, cc_dep2, cc_ndep, platform=None):
     rdata_all = pc_calculate_rdata_all_WRK(state, cc_op, cc_dep1, cc_dep2, cc_ndep, platform=platform)
     if isinstance(rdata_all, tuple):
-        cf, pf, af, zf, sf, of = rdata_all
+        cf, pf, _af, zf, sf, of = rdata_all
         v = op_concretize(cond)
 
         inv = v & 1
@@ -993,7 +993,7 @@ def pc_calculate_rdata_c(state, cc_op, cc_dep1, cc_dep2, cc_ndep, platform=None)
     rdata_all = pc_calculate_rdata_all_WRK(state, cc_op, cc_dep1, cc_dep2, cc_ndep, platform=platform)
 
     if isinstance(rdata_all, tuple):
-        cf, pf, af, zf, sf, of = rdata_all
+        cf, _pf, _af, _zf, _sf, _of = rdata_all
         return claripy.Concat(claripy.BVV(0, data[platform]["size"] - 1), cf & 1)
     return claripy.LShR(rdata_all, data[platform]["CondBitOffsets"]["G_CC_SHIFT_C"]) & 1
 

angr/knowledge_plugins/functions/function.py

@@ -759,8 +759,7 @@ class Function(Serializable):
         if hooker:
             if hasattr(hooker, "DYNAMIC_RET") and hooker.DYNAMIC_RET:
                 return True
-            if hasattr(hooker, "NO_RET"):
-                return not hooker.NO_RET
+            return hooker.returns
 
         # Cannot determine
         return None
@@ -1579,6 +1578,7 @@ class Function(Serializable):
                     return False
                 self.prototype = proto.with_arch(self.project.arch)
                 self.prototype_libname = library.name
+                self.returning = library.is_returning(name)
 
                 # update self.calling_convention if necessary
                 if self.calling_convention is None:
@@ -1750,6 +1750,23 @@ class Function(Serializable):
         _find_called(self.addr)
         return {self._function_manager.function(a) for a in called}
 
+    def holes(self, min_size: int = 8) -> int:
+        """
+        Find the number of non-consecutive areas in the function that are at least `min_size` bytes large.
+        """
+
+        block_addrs = sorted(self._local_block_addrs)
+        if not block_addrs:
+            return 0
+        holes = 0
+        for i, addr in enumerate(block_addrs):
+            if i == len(block_addrs) - 1:
+                break
+            next_addr = block_addrs[i + 1]
+            if next_addr > addr + self._block_sizes[addr] and next_addr - (addr + self._block_sizes[addr]) >= min_size:
+                holes += 1
+        return holes
+
     def copy(self):
         func = Function(self._function_manager, self.addr, name=self.name, syscall=self.is_syscall)
         func.transition_graph = networkx.DiGraph(self.transition_graph)

angr/procedures/definitions/__init__.py

@@ -427,6 +427,15 @@ class SimLibrary:
 
         return func_name in self.prototypes or func_name in self.prototypes_json
 
+    def is_returning(self, name: str) -> bool:
+        """
+        Check if a function is known to return.
+
+        :param name:    The name of the function.
+        :return:        A bool indicating if the function is known to return or not.
+        """
+        return name not in self.non_returning
+
 
 class SimCppLibrary(SimLibrary):
     """

angr/procedures/definitions/parse_win32json.py

@@ -2443,22 +2443,33 @@ def do_it(in_dir):
 
             parsed_cprotos[(prefix, lib, suffix)].append((func, proto, ""))
 
+    non_returning_functions = {
+        "KeBugCheck",
+        "KeBugCheckEx",
+    }
+
     # dump to JSON files
     for (prefix, libname, suffix), parsed_cprotos_per_lib in parsed_cprotos.items():
         filename = libname.replace(".", "_") + ".json"
         os.makedirs(prefix, exist_ok=True)
         logging.debug("Writing to file %s...", filename)
+        non_returning = []
         d = {
             "_t": "lib",
             "type_collection_names": ["win32"],
             "library_names": [libname if not suffix else f"{libname}.{suffix}"],
             "default_cc": {"X86": "SimCCStdcall", "AMD64": "SimCCMicrosoftAMD64"},
+            "non_returning": non_returning,
             "functions": OrderedDict(),
         }
         for func, cproto, doc in sorted(parsed_cprotos_per_lib, key=lambda x: x[0]):
             d["functions"][func] = {"proto": json.dumps(cproto.to_json()).replace('"', "'")}
             if doc:
                 d["functions"][func]["doc"] = doc
+            if func in non_returning_functions:
+                non_returning.append(func)
+        if not non_returning:
+            del d["non_returning"]
         with open(os.path.join(prefix, filename), "w") as f:
             f.write(json.dumps(d, indent="\t"))
 

angr/procedures/definitions/wdk/ntoskrnl.json

@@ -10,6 +10,10 @@
 		"X86": "SimCCStdcall",
 		"AMD64": "SimCCMicrosoftAMD64"
 	},
+	"non_returning": [
+		"KeBugCheck",
+		"KeBugCheckEx"
+	],
 	"functions": {
 		"CcAsyncCopyRead": {
 			"proto": "{'_t': 'func', 'args': [{'_t': 'ptr', 'pts_to': {'_t': '_ref', 'name': 'FILE_OBJECT', 'ot': '_ref'}}, {'_t': 'ptr', 'pts_to': {'_t': 'llong', 'label': 'Int64'}}, {'_t': 'int', 'signed': false, 'label': 'UInt32'}, {'_t': '_ref', 'name': 'BOOLEAN', 'ot': 'char'}, {'_t': 'ptr', 'pts_to': {'_t': 'bot', 'label': 'Void'}}, {'_t': 'ptr', 'pts_to': {'_t': '_ref', 'name': 'IO_STATUS_BLOCK', 'ot': '_ref'}}, {'_t': '_ref', 'name': 'PETHREAD', 'ot': 'ptr'}, {'_t': 'ptr', 'pts_to': {'_t': '_ref', 'name': 'CC_ASYNC_READ_CONTEXT', 'ot': '_ref'}}], 'returnty': {'_t': '_ref', 'name': 'BOOLEAN', 'ot': 'char'}, 'arg_names': ['FileObject', 'FileOffset', 'Length', 'Wait', 'Buffer', 'IoStatus', 'IoIssuerThread', 'AsyncReadContext']}"