angr 9.2.61__py3-none-manylinux2014_x86_64.whl → 9.2.63__py3-none-manylinux2014_x86_64.whl

angr/analyses/propagator/outdated_definition_walker.py

@@ -1,15 +1,16 @@
+# pylint:disable=consider-using-in
 from typing import Optional, Callable, TYPE_CHECKING
 
 from ailment import Block, Stmt, Expr, AILBlockWalker
 
-from ...errors import SimMemoryMissingError
 from ...code_location import CodeLocation
+from ...knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
+from ...knowledge_plugins.key_definitions import atoms
 
 if TYPE_CHECKING:
     from archinfo import Arch
     from .propagator import PropagatorAILState
-    from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
-    from angr.knowledge_plugins.key_definitions import LiveDefinitions
+    from angr.analyses.reaching_definitions import ReachingDefinitionsModel
 
 
 class OutdatedDefinitionWalker(AILBlockWalker):
@@ -21,20 +22,17 @@ class OutdatedDefinitionWalker(AILBlockWalker):
         self,
         expr,
         expr_defat: CodeLocation,
-        livedefs_defat: "LiveDefinitions",
         current_loc: CodeLocation,
-        livedefs_currentloc: "LiveDefinitions",
         state: "PropagatorAILState",
         arch: "Arch",
         avoid: Optional[Expr.Expression] = None,
         extract_offset_to_sp: Callable = None,
+        rda: "ReachingDefinitionsModel" = None,
     ):
         super().__init__()
         self.expr = expr
         self.expr_defat = expr_defat
-        self.livedefs_defat = livedefs_defat
         self.current_loc = current_loc
-        self.livedefs_currentloc = livedefs_currentloc
         self.state = state
         self.avoid = avoid
         self.arch = arch
@@ -45,6 +43,7 @@ class OutdatedDefinitionWalker(AILBlockWalker):
         self.expr_handlers[Expr.VEXCCallExpression] = self._handle_VEXCCallExpression
         self.out_dated = False
         self.has_avoid = False
+        self.rda = rda
 
     # pylint:disable=unused-argument
     def _handle_Tmp(self, expr_idx: int, expr: Expr.Tmp, stmt_idx: int, stmt: Stmt.Assignment, block: Optional[Block]):
@@ -63,19 +62,8 @@ class OutdatedDefinitionWalker(AILBlockWalker):
             self.has_avoid = True
 
         # is the used register still alive at this point?
-        try:
-            reg_vals: "MultiValues" = self.livedefs_defat.register_definitions.load(expr.reg_offset, size=expr.size)
-            defs_defat = list(self.livedefs_defat.extract_defs_from_mv(reg_vals))
-        except SimMemoryMissingError:
-            defs_defat = []
-
-        try:
-            reg_vals: "MultiValues" = self.livedefs_currentloc.register_definitions.load(
-                expr.reg_offset, size=expr.size
-            )
-            defs_currentloc = list(self.livedefs_currentloc.extract_defs_from_mv(reg_vals))
-        except SimMemoryMissingError:
-            defs_currentloc = []
+        defs_defat = self.rda.get_defs(atoms.Register(expr.reg_offset, expr.size), self.expr_defat, OP_AFTER)
+        defs_currentloc = self.rda.get_defs(atoms.Register(expr.reg_offset, expr.size), self.current_loc, OP_BEFORE)
 
         codelocs_defat = {def_.codeloc for def_ in defs_defat}
         codelocs_currentloc = {def_.codeloc for def_ in defs_currentloc}
@@ -83,31 +71,19 @@ class OutdatedDefinitionWalker(AILBlockWalker):
             self.out_dated = True
 
     def _handle_Load(self, expr_idx: int, expr: Expr.Load, stmt_idx: int, stmt: Stmt.Statement, block: Optional[Block]):
-        if self.avoid is not None and (  # pylint:disable=consider-using-in
-            expr == self.avoid or expr.addr == self.avoid
-        ):
+        if self.avoid is not None and (expr == self.avoid or expr.addr == self.avoid):
             self.has_avoid = True
 
         if isinstance(expr.addr, Expr.StackBaseOffset):
             sp_offset = self.extract_offset_to_sp(expr.addr)
 
             if sp_offset is not None:
-                stack_addr = self.livedefs_defat.stack_offset_to_stack_addr(sp_offset)
-                try:
-                    mem_vals: "MultiValues" = self.livedefs_defat.stack_definitions.load(
-                        stack_addr, size=expr.size, endness=expr.endness
-                    )
-                    defs_defat = list(self.livedefs_defat.extract_defs_from_mv(mem_vals))
-                except SimMemoryMissingError:
-                    defs_defat = []
-
-                try:
-                    mem_vals: "MultiValues" = self.livedefs_currentloc.stack_definitions.load(
-                        stack_addr, size=expr.size, endness=expr.endness
-                    )
-                    defs_currentloc = list(self.livedefs_defat.extract_defs_from_mv(mem_vals))
-                except SimMemoryMissingError:
-                    defs_currentloc = []
+                defs_defat = self.rda.get_defs(
+                    atoms.MemoryLocation(atoms.SpOffset(expr.bits, sp_offset), expr.size), self.expr_defat, OP_AFTER
+                )
+                defs_currentloc = self.rda.get_defs(
+                    atoms.MemoryLocation(atoms.SpOffset(expr.bits, sp_offset), expr.size), self.current_loc, OP_BEFORE
+                )
 
                 codelocs_defat = {def_.codeloc for def_ in defs_defat}
                 codelocs_currentloc = {def_.codeloc for def_ in defs_currentloc}
@@ -126,21 +102,9 @@ class OutdatedDefinitionWalker(AILBlockWalker):
 
         elif isinstance(expr.addr, Expr.Const):
             mem_addr = expr.addr.value
-            try:
-                mem_vals: "MultiValues" = self.livedefs_defat.memory_definitions.load(
-                    mem_addr, size=expr.size, endness=expr.endness
-                )
-                defs_defat = list(self.livedefs_defat.extract_defs_from_mv(mem_vals))
-            except SimMemoryMissingError:
-                defs_defat = []
 
-            try:
-                mem_vals: "MultiValues" = self.livedefs_currentloc.memory_definitions.load(
-                    mem_addr, size=expr.size, endness=expr.endness
-                )
-                defs_currentloc = list(self.livedefs_defat.extract_defs_from_mv(mem_vals))
-            except SimMemoryMissingError:
-                defs_currentloc = []
+            defs_defat = self.rda.get_defs(atoms.MemoryLocation(mem_addr, expr.size), self.expr_defat, OP_AFTER)
+            defs_currentloc = self.rda.get_defs(atoms.MemoryLocation(mem_addr, expr.size), self.current_loc, OP_BEFORE)
 
             codelocs_defat = {def_.codeloc for def_ in defs_defat}
             codelocs_currentloc = {def_.codeloc for def_ in defs_currentloc}

angr/analyses/propagator/propagator.py

@@ -257,6 +257,7 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
             # make a copy of the state if it's not the initial state
             state = state.copy()
             state._equivalence.clear()
+            state.init_replacements()
         else:
             # clear self._initial_state so that we *do not* run this optimization again!
             self._initial_state = None

angr/analyses/reaching_definitions/engine_ail.py

@@ -100,20 +100,26 @@ class SimEngineRDAIL(
 
     def _set_codeloc(self):
         # TODO do we want a better mechanism to specify context updates?
-        self.state.move_codelocs(
-            CodeLocation(
-                self.block.addr,
-                self.stmt_idx,
-                ins_addr=self.ins_addr,
-                block_idx=self.block.idx,
-                context=self.state.codeloc.context,
-            )
+        new_codeloc = CodeLocation(
+            self.block.addr,
+            self.stmt_idx,
+            ins_addr=self.ins_addr,
+            block_idx=self.block.idx,
+            context=self.state.codeloc.context,
         )
+        self.state.move_codelocs(new_codeloc)
+        self.state.analysis.model.at_new_stmt(new_codeloc)
 
     #
     # AIL statement handlers
     #
 
+    def _process_Stmt(self, whitelist=None):
+        super()._process_Stmt(whitelist=whitelist)
+
+        if self.state.analysis:
+            self.state.analysis.model.complete_loc()
+
     def _handle_Stmt(self, stmt):
         if self.state.analysis:
             self.state.analysis.stmt_observe(self.stmt_idx, stmt, self.block, self.state, OP_BEFORE)
@@ -250,6 +256,11 @@ class SimEngineRDAIL(
         ip = Register(self.arch.ip_offset, self.arch.bytes)
         self.state.kill_definitions(ip)
 
+        statement = self.block.statements[self.stmt_idx]
+        caller_will_handle_single_ret = True
+        if hasattr(statement, "dst") and statement.dst != stmt.ret_expr:
+            caller_will_handle_single_ret = False
+
         data = FunctionCallData(
             self.state.codeloc,
             self._function_handler.make_function_codeloc(
@@ -261,7 +272,7 @@ class SimEngineRDAIL(
             name=func_name,
             args_values=[self._expr(arg) for arg in stmt.args] if stmt.args is not None else None,
             redefine_locals=stmt.args is None and not is_expr,
-            caller_will_handle_single_ret=True,
+            caller_will_handle_single_ret=caller_will_handle_single_ret,
             ret_atoms={Atom.from_ail_expr(stmt.ret_expr, self.arch)} if stmt.ret_expr is not None else None,
         )
 

angr/analyses/reaching_definitions/engine_vex.py

@@ -90,9 +90,11 @@ class SimEngineRDVEX(
 
     def _set_codeloc(self):
         # TODO do we want a better mechanism to specify context updates?
-        self.state.move_codelocs(
-            CodeLocation(self.block.addr, self.stmt_idx, ins_addr=self.ins_addr, context=self.state.codeloc.context)
+        new_codeloc = CodeLocation(
+            self.block.addr, self.stmt_idx, ins_addr=self.ins_addr, context=self.state.codeloc.context
         )
+        self.state.move_codelocs(new_codeloc)
+        self.state.analysis.model.at_new_stmt(new_codeloc)
 
     #
     # VEX statement handlers
@@ -211,7 +213,10 @@ class SimEngineRDVEX(
                     atom = MemoryLocation(a, size)
                     tags = None
                 elif self.state.is_stack_address(a):
-                    atom = MemoryLocation(SpOffset(self.arch.bits, self.state.get_stack_offset(a)), size)
+                    offset = self.state.get_stack_offset(a)
+                    if offset is None:
+                        continue
+                    atom = MemoryLocation(SpOffset(self.arch.bits, offset), size)
                     function_address = None  # we cannot get the function address in the middle of a store if a CFG
                     # does not exist. you should backpatch the function address later using
                     # the 'ins_addr' metadata entry.
@@ -267,6 +272,14 @@ class SimEngineRDVEX(
         _ = self._expr(stmt.guard)
         target = stmt.dst.value
         self.state.mark_guard(target)
+        if self.state.analysis is not None:
+            self.state.analysis.exit_observe(
+                self.block.addr,
+                self.stmt_idx,
+                self.block,
+                self.state,
+                node_idx=self.block.block_idx if hasattr(self.block, "block_idx") else None,
+            )
         if (
             self.block.instruction_addrs
             and self.ins_addr in self.block.instruction_addrs
@@ -669,12 +682,14 @@ class SimEngineRDVEX(
             # we do not support division between two real multivalues
             r = MultiValues(self.state.top(bits))
         elif expr0_v is None and expr1_v is not None:
-            if expr0.count() == 1 and 0 in expr0:
+            if expr1_v == 0:
+                r = MultiValues(self.state.top(bits))
+            elif expr0.count() == 1 and 0 in expr0:
                 vs = {v / expr1_v for v in expr0[0]}
                 r = MultiValues(offset_to_values={0: vs})
         elif expr0_v is not None and expr1_v is None:
             if expr1.count() == 1 and 0 in expr1:
-                vs = {v / expr0_v for v in expr1[0]}
+                vs = {expr0_v / v for v in expr1[0] if (not v.concrete) or v.concrete_value != 0}
                 r = MultiValues(offset_to_values={0: vs})
         else:
             if expr0_v.concrete and expr1_v.concrete:

angr/analyses/reaching_definitions/function_handler.py

@@ -52,7 +52,7 @@ class FunctionCallData:
 
     Function handler contract:
 
-    - If redefine_locals is unset, do not adjust any artifacts of the function call abstration, such as the stack
+    - If redefine_locals is unset, do not adjust any artifacts of the function call abstraction, such as the stack
       pointer, the caller saved registers, etc.
     - If caller_will_handle_single_ret is set, and there is a single entry in `ret_atoms`, do not apply to the state
       effects modifying this atom. Instead, set `ret_values` and `ret_values_deps` to the values and deps which are
@@ -137,7 +137,13 @@ class FunctionCallData:
             )
         else:
             self.effects.append(
-                FunctionEffect(dest, set(sources), value=value, apply_at_callsite=apply_at_callsite, tags=tags)
+                FunctionEffect(
+                    dest,
+                    set(sources),
+                    value=value,
+                    apply_at_callsite=apply_at_callsite,
+                    tags=tags,
+                )
             )
 
 
@@ -333,7 +339,7 @@ class FunctionHandler:
                 mv, defs = state.kill_and_add_definition(
                     effect.dest,
                     value,
-                    endness=state.arch.memory_endness,
+                    endness=None,
                     uses=effect.sources_defns or set(),
                     tags=effect.tags,
                 )

angr/analyses/reaching_definitions/rd_state.py

@@ -318,6 +318,10 @@ class ReachingDefinitionsState:
         sp = self.annotate_with_def(self._initial_stack_pointer(), sp_def)
         self.register_definitions.store(self.arch.sp_offset, sp)
 
+        ex_loc = ExternalCodeLocation(call_string)
+        if self.analysis is not None:
+            self.analysis.model.at_new_stmt(ex_loc)
+
         if cc is not None:
             prototype = self.analysis.kb.functions[func_addr].prototype
             if prototype is not None:
@@ -328,20 +332,20 @@ class ReachingDefinitionsState:
                             # FIXME: implement reg_offset handling in SimRegArg
                             reg_offset = self.arch.registers[arg.reg_name][0]
                             reg_atom = Register(reg_offset, self.arch.bytes)
-                            reg_def = Definition(
-                                reg_atom, ExternalCodeLocation(call_string), tags={ParameterTag(function=func_addr)}
-                            )
+                            reg_def = Definition(reg_atom, ex_loc, tags={ParameterTag(function=func_addr)})
                             self.all_definitions.add(reg_def)
+                            if self.analysis is not None:
+                                self.analysis.model.add_def(reg_def, ex_loc)
                             reg = self.annotate_with_def(self.top(self.arch.bits), reg_def)
                             self.register_definitions.store(reg_offset, reg)
 
                         # initialize stack parameters
                         elif isinstance(arg, SimStackArg):
                             ml_atom = MemoryLocation(SpOffset(self.arch.bits, arg.stack_offset), arg.size)
-                            ml_def = Definition(
-                                ml_atom, ExternalCodeLocation(call_string), tags={ParameterTag(function=func_addr)}
-                            )
+                            ml_def = Definition(ml_atom, ex_loc, tags={ParameterTag(function=func_addr)})
                             self.all_definitions.add(ml_def)
+                            if self.analysis is not None:
+                                self.analysis.model.add_def(ml_def, ex_loc)
                             ml = self.annotate_with_def(self.top(self.arch.bits), ml_def)
                             stack_address = self.get_stack_address(self.stack_address(arg.stack_offset))
                             self.stack_definitions.store(stack_address, ml, endness=self.arch.memory_endness)
@@ -354,15 +358,19 @@ class ReachingDefinitionsState:
                 raise TypeError("rtoc_value must be provided on PPC64.")
             offset, size = self.arch.registers["rtoc"]
             rtoc_atom = Register(offset, size)
-            rtoc_def = Definition(rtoc_atom, ExternalCodeLocation(call_string), tags={InitialValueTag()})
+            rtoc_def = Definition(rtoc_atom, ex_loc, tags={InitialValueTag()})
             self.all_definitions.add(rtoc_def)
+            if self.analysis is not None:
+                self.analysis.model.add_def(rtoc_def, ex_loc)
             rtoc = self.annotate_with_def(claripy.BVV(rtoc_value, self.arch.bits), rtoc_def)
             self.register_definitions.store(offset, rtoc)
         elif self.arch.name.startswith("MIPS64"):
             offset, size = self.arch.registers["t9"]
             t9_atom = Register(offset, size)
-            t9_def = Definition(t9_atom, ExternalCodeLocation(call_string), tags={InitialValueTag()})
+            t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
             self.all_definitions.add(t9_def)
+            if self.analysis is not None:
+                self.analysis.model.add_def(t9_def, ex_loc)
             t9 = self.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
             self.register_definitions.store(offset, t9)
         elif self.arch.name.startswith("MIPS"):
@@ -370,12 +378,17 @@ class ReachingDefinitionsState:
                 l.warning("func_addr must not be None to initialize a function in mips")
             t9_offset = self.arch.registers["t9"][0]
             t9_atom = Register(t9_offset, self.arch.bytes)
-            t9_def = Definition(t9_atom, ExternalCodeLocation(call_string), tags={InitialValueTag()})
+            t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
             self.all_definitions.add(t9_def)
+            if self.analysis is not None:
+                self.analysis.model.add_def(t9_def, ex_loc)
             t9 = self.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
             self.register_definitions.store(t9_offset, t9)
 
-    def copy(self) -> "ReachingDefinitionsState":
+        if self.analysis is not None:
+            self.analysis.model.complete_loc()
+
+    def copy(self, discard_tmpdefs=False) -> "ReachingDefinitionsState":
         rd = ReachingDefinitionsState(
             self.codeloc,
             self.arch,
@@ -383,7 +396,7 @@ class ReachingDefinitionsState:
             track_tmps=self._track_tmps,
             track_consts=self._track_consts,
             analysis=self.analysis,
-            live_definitions=self.live_definitions.copy(),
+            live_definitions=self.live_definitions.copy(discard_tmpdefs=discard_tmpdefs),
             canonical_size=self._canonical_size,
             heap_allocator=self.heap_allocator,
             environment=self._environment,
@@ -412,9 +425,13 @@ class ReachingDefinitionsState:
         Overwrite existing definitions w.r.t 'atom' with a dummy definition instance. A dummy definition will not be
         removed during simplification.
         """
+        existing_defs = set(self.live_definitions.get_definitions(atom))
 
         self.live_definitions.kill_definitions(atom)
 
+        for def_ in existing_defs:
+            self.analysis.model.kill_def(def_)
+
     def kill_and_add_definition(
         self,
         atom: Atom,
@@ -427,6 +444,7 @@ class ReachingDefinitionsState:
         override_codeloc: Optional[CodeLocation] = None,
     ) -> Tuple[Optional[MultiValues], Set[Definition]]:
         codeloc = override_codeloc or self.codeloc
+        existing_defs = set(self.live_definitions.get_definitions(atom))
         mv = self.live_definitions.kill_and_add_definition(
             atom, codeloc, data, dummy=dummy, tags=tags, endness=endness, annotated=annotated
         )
@@ -493,16 +511,19 @@ class ReachingDefinitionsState:
         else:
             defs = set()
 
+        for def_ in existing_defs:
+            self.analysis.model.kill_def(def_)
+        for def_ in defs:
+            self.analysis.model.add_def(def_, codeloc)
+
         return mv, defs
 
     def add_use(self, atom: Atom, expr: Optional[Any] = None) -> None:
         self.codeloc_uses.update(self.get_definitions(atom))
-
         self.live_definitions.add_use(atom, self.codeloc, expr=expr)
 
     def add_use_by_def(self, definition: Definition, expr: Optional[Any] = None) -> None:
         self.codeloc_uses.add(definition)
-
         self.live_definitions.add_use_by_def(definition, self.codeloc, expr=expr)
 
     def add_tmp_use(self, tmp: int, expr: Optional[Any] = None) -> None:

angr/analyses/reaching_definitions/reaching_definitions.py

@@ -6,6 +6,7 @@ import ailment
 import pyvex
 
 from angr.analyses import ForwardAnalysis
+from angr.analyses.reaching_definitions.external_codeloc import ExternalCodeLocation
 from ...block import Block
 from ...knowledge_plugins.cfg.cfg_node import CFGNode
 from ...codenode import CodeNode
@@ -20,14 +21,16 @@ from ..analysis import Analysis
 from .engine_ail import SimEngineRDAIL
 from .engine_vex import SimEngineRDVEX
 from .rd_state import ReachingDefinitionsState
-from .subject import Subject
+from .subject import Subject, SubjectType
 from .function_handler import FunctionHandler, FunctionCallRelationships
 from .dep_graph import DepGraph
 
 if TYPE_CHECKING:
     from typing import Literal
 
-    ObservationPoint = Tuple[Literal["insn", "node", "stmt"], Union[int, Tuple[int, int, int]], ObservationPointType]
+    ObservationPoint = Tuple[
+        Literal["insn", "node", "stmt", "exit"], Union[int, Tuple[int, int], Tuple[int, int, int]], ObservationPointType
+    ]
 
 l = logging.getLogger(name=__name__)
 
@@ -144,6 +147,10 @@ class ReachingDefinitionsAnalysis(
 
         self._node_iterations: DefaultDict[int, int] = defaultdict(int)
 
+        self.model: ReachingDefinitionsModel = ReachingDefinitionsModel(
+            func_addr=self.subject.content.addr if isinstance(self.subject.content, Function) else None
+        )
+
         self._engine_vex = SimEngineRDVEX(
             self.project,
             functions=self.kb.functions,
@@ -157,9 +164,6 @@ class ReachingDefinitionsAnalysis(
         )
 
         self._visited_blocks: Set[Any] = visited_blocks or set()
-        self.model: ReachingDefinitionsModel = ReachingDefinitionsModel(
-            func_addr=self.subject.content.addr if isinstance(self.subject.content, Function) else None
-        )
         self.function_calls: Dict[CodeLocation, FunctionCallRelationships] = {}
 
         self._analyze()
@@ -226,11 +230,18 @@ class ReachingDefinitionsAnalysis(
 
         return self.observed_results[key]
 
-    def node_observe(self, node_addr: int, state: ReachingDefinitionsState, op_type: ObservationPointType) -> None:
+    def node_observe(
+        self,
+        node_addr: int,
+        state: ReachingDefinitionsState,
+        op_type: ObservationPointType,
+        node_idx: Optional[int] = None,
+    ) -> None:
         """
         :param node_addr:   Address of the node.
         :param state:       The analysis state.
-        :param op_type:     Type of the bbservation point. Must be one of the following: OP_BEFORE, OP_AFTER.
+        :param op_type:     Type of the observation point. Must be one of the following: OP_BEFORE, OP_AFTER.
+        :param node_idx:    ID of the node. Used in AIL to differentiate blocks with the same address.
         """
 
         key = None
@@ -239,15 +250,21 @@ class ReachingDefinitionsAnalysis(
 
         if self._observe_all:
             observe = True
-            key: ObservationPoint = ("node", node_addr, op_type)
+            key: ObservationPoint = (
+                ("node", node_addr, op_type) if node_idx is None else ("node", (node_addr, node_idx), op_type)
+            )
         elif self._observation_points is not None:
-            key: ObservationPoint = ("node", node_addr, op_type)
+            key: ObservationPoint = (
+                ("node", node_addr, op_type) if node_idx is None else ("node", (node_addr, node_idx), op_type)
+            )
             if key in self._observation_points:
                 observe = True
         elif self._observe_callback is not None:
-            observe = self._observe_callback("node", addr=node_addr, state=state, op_type=op_type)
+            observe = self._observe_callback("node", addr=node_addr, state=state, op_type=op_type, node_idx=node_idx)
             if observe:
-                key: ObservationPoint = ("node", node_addr, op_type)
+                key: ObservationPoint = (
+                    ("node", node_addr, op_type) if node_idx is None else ("node", (node_addr, node_idx), op_type)
+                )
 
         if observe:
             self.observed_results[key] = state.live_definitions
@@ -349,6 +366,52 @@ class ReachingDefinitionsAnalysis(
             # it's an AIL block
             self.observed_results[key] = state.live_definitions.copy()
 
+    def exit_observe(
+        self,
+        node_addr: int,
+        exit_stmt_idx: int,
+        block: Union[Block, ailment.Block],
+        state: ReachingDefinitionsState,
+        node_idx: Optional[int] = None,
+    ):
+        observe = False
+        key = None
+
+        if self._observe_all:
+            observe = True
+            key = (
+                ("exit", (node_addr, exit_stmt_idx), ObservationPointType.OP_AFTER)
+                if node_idx is None
+                else ("exit", (node_addr, node_idx, exit_stmt_idx), ObservationPointType.OP_AFTER)
+            )
+        elif self._observation_points is not None:
+            key = (
+                ("exit", (node_addr, exit_stmt_idx), ObservationPointType.OP_AFTER)
+                if node_idx is None
+                else ("exit", (node_addr, node_idx, exit_stmt_idx), ObservationPointType.OP_AFTER)
+            )
+            if key in self._observation_points:
+                observe = True
+        elif self._observe_callback is not None:
+            observe = self._observe_callback(
+                "exit",
+                node_addr=node_addr,
+                exit_stmt_idx=exit_stmt_idx,
+                block=block,
+                state=state,
+            )
+            if observe:
+                key = (
+                    ("exit", (node_addr, exit_stmt_idx), ObservationPointType.OP_AFTER)
+                    if node_idx is None
+                    else ("exit", (node_addr, node_idx, exit_stmt_idx), ObservationPointType.OP_AFTER)
+                )
+
+        if not observe:
+            return
+
+        self.observed_results[key] = state.live_definitions.copy()
+
     @property
     def subject(self):
         return self._subject
@@ -401,23 +464,36 @@ class ReachingDefinitionsAnalysis(
             block_key = node.addr
         elif isinstance(node, CFGNode):
             if node.is_simprocedure or node.is_syscall:
-                return False, state.copy()
+                return False, state.copy(discard_tmpdefs=True)
             block = node.block
             engine = self._engine_vex
             block_key = node.addr
         else:
             l.warning("Unsupported node type %s.", node.__class__)
-            return False, state.copy()
-
-        self.node_observe(node.addr, state, OP_BEFORE)
+            return False, state.copy(discard_tmpdefs=True)
+
+        state = state.copy(discard_tmpdefs=True)
+        self.node_observe(node.addr, state.copy(), OP_BEFORE)
+
+        if self.subject.type == SubjectType.Function:
+            node_parents = [
+                CodeLocation(pred.addr, 0, block_idx=pred.idx if isinstance(pred, ailment.Block) else None)
+                for pred in self._graph_visitor.predecessors(node)
+            ]
+            if node.addr == self.subject.content.addr:
+                node_parents += [ExternalCodeLocation()]
+            self.model.at_new_block(
+                CodeLocation(block.addr, 0, block_idx=block.idx if isinstance(block, ailment.Block) else None),
+                node_parents,
+            )
 
-        state = state.copy()
         state = engine.process(
             state,
             block=block,
             fail_fast=self._fail_fast,
             visited_blocks=self._visited_blocks,
             dep_graph=self._dep_graph,
+            model=self.model,
         )
 
         self._node_iterations[block_key] += 1

angr/analyses/variable_recovery/engine_vex.py

@@ -389,6 +389,26 @@ class SimEngineVRVEX(
         r = self.state.top(result_size)
         return RichR(r)
 
+    def _handle_Mod(self, expr):
+        arg0, arg1 = expr.args
+        r0 = self._expr(arg0)
+        r1 = self._expr(arg1)
+
+        result_size = expr.result_size(self.tyenv)
+        if r0.data.concrete and r1.data.concrete and r1.data.concrete_value != 0:
+            # constants
+            try:
+                if result_size != r1.data.size():
+                    remainder = r0.data.SMod(claripy.SignExt(result_size - r1.data.size(), r1.data))
+                else:
+                    remainder = r0.data.SMod(r1.data)
+                return RichR(remainder)
+            except ZeroDivisionError:
+                pass
+
+        r = self.state.top(result_size)
+        return RichR(r)
+
     def _handle_Shr(self, expr):
         arg0, arg1 = expr.args
         r0 = self._expr(arg0)

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -241,6 +241,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         track_sp=True,
         func_args: Optional[List[SimVariable]] = None,
         store_live_variables=False,
+        unify_variables=True,
     ):
         if not isinstance(func, Function):
             func = self.kb.functions[func]
@@ -268,6 +269,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self._job_ctr = 0
         self._track_sp = track_sp and self.project.arch.sp_offset is not None
         self._func_args = func_args
+        self._unify_variables = unify_variables
 
         self._ail_engine = SimEngineVRAIL(self.project, self.kb, call_info=call_info)
         self._vex_engine = SimEngineVRVEX(self.project, self.kb, call_info=call_info)
@@ -460,6 +462,9 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
                     state.downsize_region(state.stack_region),
                 )
 
+        if self._unify_variables:
+            self.variable_manager[self.function.addr].unify_variables()
+
         # unify type variables for global variables
         for var, typevars in self.var_to_typevars.items():
             if len(typevars) > 1 and isinstance(var, SimMemoryVariable) and not isinstance(var, SimStackVariable):