angr 9.2.65__py3-none-win_amd64.whl → 9.2.66__py3-none-win_amd64.whl

angr/analyses/decompiler/structured_codegen/c.py

@@ -892,7 +892,10 @@ class CIfElse(CStatement):
             omit_braces = (
                 self.cstyle_ifs
                 and first_node
+                and len(self.condition_and_nodes) == 1
+                # no else-if tree can exist
                 and self._is_single_stmt_node(node)
+                # no else, else is also single-stmt, or else will not exist after pass
                 and (self.else_node is None or self._is_single_stmt_node(self.else_node) or self.simplify_else_scope)
             )
 
@@ -1979,6 +1982,14 @@ class CConstant(CExpression):
     def fmt_neg(self, v):
         self._fmt_setter["neg"] = v
 
+    @property
+    def fmt_char(self):
+        return self.fmt.get("char", False)
+
+    @fmt_char.setter
+    def fmt_char(self, v: bool):
+        self._fmt_setter["char"] = v
+
     @property
     def type(self):
         return self._type
@@ -2034,10 +2045,18 @@ class CConstant(CExpression):
                 elif value < 0:
                     value = value + 2**self._type.size
 
-            if self.fmt_hex:
-                str_value = hex(value)
-            else:
-                str_value = str(value)
+            str_value = None
+            if self.fmt_char:
+                try:
+                    str_value = f"'{chr(value)}'"
+                except ValueError:
+                    str_value = None
+
+            if str_value is None:
+                if self.fmt_hex:
+                    str_value = hex(value)
+                else:
+                    str_value = str(value)
 
             yield str_value, self
         else:
@@ -3512,15 +3531,49 @@ class FieldReferenceCleanup(CStructuredCodeWalker):
 
 
 class PointerArithmeticFixer(CStructuredCodeWalker):
+    """
+    Before calling this fixer class, pointer arithmetics are purely integer-based and ignoring the pointer type.
+
+    For example, in the following case:
+
+    struct A* a_ptr;  // assume struct A is 24 bytes in size
+    a_ptr = a_ptr + 24;
+
+    It means adding 24 to the address of a_ptr, without considering the size of struct A. This fixer class will make
+    pointer arithmetics aware of the pointer type. In this case, the fixer class will convert the code to
+    a_ptr = a_ptr + 1.
+    """
+
     @classmethod
     def handle_CBinaryOp(cls, obj):
-        obj = super().handle_CBinaryOp(obj)
+        obj: CBinaryOp = super().handle_CBinaryOp(obj)
         if (
             obj.op in ("Add", "Sub")
             and isinstance(obj.type, SimTypePointer)
             and not isinstance(obj.type.pts_to, SimTypeBottom)
         ):
-            obj = obj.codegen._access_reference(obj, obj.type.pts_to)
+            out = obj.codegen._access_reference(obj, obj.type.pts_to)
+            if (
+                isinstance(out, CUnaryOp)
+                and out.op == "Reference"
+                and isinstance(out.operand, CIndexedVariable)
+                and isinstance(out.operand.index, CConstant)
+            ):
+                # rewrite &a[1] to a + 1
+                const = out.operand.index
+                if isinstance(const.value, int) and const.value < 0:
+                    op = "Sub"
+                    const = CConstant(
+                        -const.value,
+                        const.type,
+                        reference_values=const.reference_values,
+                        tags=const.tags,
+                        codegen=const.codegen,
+                    )
+                else:
+                    op = "Add"
+                return CBinaryOp(op, out.operand.variable, const, out.operand.tags, codegen=out.codegen)
+            return out
         return obj
 
 

angr/analyses/decompiler/utils.py

@@ -368,7 +368,7 @@ def structured_node_is_simple_return(node: Union["SequenceNode", "MultiNode"], g
     }
     ...
 
-    Returns tue on any block ending in linear statements and a return.
+    Returns true on any block ending in linear statements and a return.
     """
 
     def _flatten_structured_node(packed_node: Union["SequenceNode", "MultiNode"]) -> List[ailment.Block]:

angr/analyses/find_objects_static.py

@@ -74,7 +74,7 @@ class NewFunctionHandler(FunctionHandler):
             else:
                 size_arg_reg_offset = self.project.arch.registers["rdi"][0]
                 size_arg_reg_size = word_size
-            v0 = state.register_definitions.load(size_arg_reg_offset, size_arg_reg_size).one_value()
+            v0 = state.registers.load(size_arg_reg_offset, size_arg_reg_size).one_value()
             size = v0._model_concrete.value if v0 is not None and v0.concrete else None
 
             if size is not None:
@@ -108,7 +108,7 @@ class NewFunctionHandler(FunctionHandler):
             # check if rdi has a possible this pointer/ object address, if so then we can assign this object this class
             # also if the func is a constructor(not stripped binaries)
             for addr, possible_object in self.possible_objects_dict.items():
-                v1 = state.register_definitions.load(72, state.arch.bits // state.arch.byte_width).one_value()
+                v1 = state.registers.load(72, state.arch.bits // state.arch.byte_width).one_value()
                 obj_addr = v1._model_concrete.value if v1 is not None and v1.concrete else None
                 if obj_addr is not None and addr == obj_addr:
                     col_ind = self.project.kb.functions[function_address].demangled_name.rfind("::")
@@ -172,7 +172,7 @@ class StaticObjectFinder(Analysis):
                     else:
                         ret_val_reg_offset = self.project.arch.registers["rax"][0]
                         ret_val_reg_size = word_size
-                    v0 = rd_before_node.register_definitions.load(ret_val_reg_offset, ret_val_reg_size).one_value()
+                    v0 = rd_before_node.registers.load(ret_val_reg_offset, ret_val_reg_size).one_value()
                     addr_of_new_obj = v0._model_concrete.value if v0 is not None and v0.concrete else None
 
                     # we need the state right before the call
@@ -188,7 +188,7 @@ class StaticObjectFinder(Analysis):
                     else:
                         this_ptr_reg_offset = self.project.arch.registers["rdi"][0]
                         this_ptr_reg_size = word_size
-                    v1 = rd_after_node.register_definitions.load(this_ptr_reg_offset, this_ptr_reg_size).one_value()
+                    v1 = rd_after_node.registers.load(this_ptr_reg_offset, this_ptr_reg_size).one_value()
                     addr_in_rdi = v1._model_concrete.value if v1 is not None and v1.concrete else None
 
                     if addr_of_new_obj is not None and addr_of_new_obj == addr_in_rdi:

angr/analyses/propagator/engine_ail.py

@@ -6,8 +6,9 @@ import claripy
 from ailment import Stmt, Expr
 
 from angr.knowledge_plugins.propagations.prop_value import PropValue, Detail
-from angr.analyses.reaching_definitions.external_codeloc import ExternalCodeLocation
 from angr.knowledge_plugins.key_definitions.atoms import Register
+
+from angr.code_location import ExternalCodeLocation
 from ...utils.constants import is_alignment_mask
 from ...engines.light import SimEngineLightAILMixin
 from ...sim_variable import SimStackVariable, SimMemoryVariable

angr/analyses/reaching_definitions/__init__.py

@@ -15,7 +15,6 @@ from ...knowledge_plugins.key_definitions.definition import Definition
 from .. import register_analysis
 from .reaching_definitions import ReachingDefinitionsAnalysis, ReachingDefinitionsModel
 from .function_handler import FunctionHandler, FunctionCallData
-from .external_codeloc import ExternalCodeLocation
 from .rd_state import ReachingDefinitionsState
 
 if TYPE_CHECKING:
@@ -40,7 +39,6 @@ __all__ = (
     "FunctionHandler",
     "FunctionCallData",
     "get_all_definitions",
-    "ExternalCodeLocation",
 )
 
 
@@ -55,7 +53,7 @@ def get_all_definitions(region: "MultiValuedMemory") -> Set["Definition"]:
             cnt_set: Optional[Union["SimMemoryObject", Set["SimMemoryObject"]]] = page.content[idx]
             if cnt_set is None:
                 continue
-            elif type(cnt_set) is not set:
+            if type(cnt_set) is not set:
                 cnt_set = {cnt_set}
             for cnt in cnt_set:
                 for def_ in LiveDefinitions.extract_defs(cnt.object):

angr/analyses/reaching_definitions/dep_graph.py

@@ -1,4 +1,18 @@
-from typing import Optional, Dict, Set, Iterable, Union, List, TYPE_CHECKING, Tuple, overload, Literal, Any, Iterator
+from typing import (
+    Optional,
+    Dict,
+    Set,
+    Iterable,
+    Type,
+    Union,
+    List,
+    TYPE_CHECKING,
+    Tuple,
+    overload,
+    Literal,
+    Any,
+    Iterator,
+)
 from dataclasses import dataclass
 
 import networkx
@@ -6,7 +20,7 @@ import networkx
 import claripy
 from cle.loader import Loader
 
-from ...code_location import CodeLocation
+from ...code_location import CodeLocation, ExternalCodeLocation
 from ...knowledge_plugins.key_definitions.atoms import (
     Atom,
     MemoryLocation,
@@ -16,10 +30,9 @@ from ...knowledge_plugins.key_definitions.atoms import (
     ConstantSrc,
     GuardUse,
 )
-from ...knowledge_plugins.key_definitions.definition import Definition, DefinitionMatchPredicate
+from ...knowledge_plugins.key_definitions.definition import A, Definition, DefinitionMatchPredicate
 from ...knowledge_plugins.key_definitions.undefined import UNDEFINED
 from ...knowledge_plugins.cfg import CFGModel
-from .external_codeloc import ExternalCodeLocation
 
 if TYPE_CHECKING:
     pass
@@ -220,6 +233,16 @@ class DepGraph:
                 result.append(defn)
         return result
 
+    @overload
+    def find_all_predecessors(
+        self,
+        starts: Union[Definition[Atom], Iterable[Definition[Atom]]],
+        *,
+        kind: Type[A],
+        **kwargs: Any,
+    ) -> List[Definition[A]]:
+        ...
+
     @overload
     def find_all_predecessors(
         self,
@@ -292,6 +315,12 @@ class DepGraph:
     ) -> List[Definition[ConstantSrc]]:
         ...
 
+    @overload
+    def find_all_predecessors(
+        self, starts: Union[Definition[Atom], Iterable[Definition[Atom]]], **kwargs: Any
+    ) -> List[Definition[Atom]]:
+        ...
+
     def find_all_predecessors(self, starts, **kwargs):
         """
         Filter the ancestors of the given start node or nodes that match various criteria.

angr/analyses/reaching_definitions/engine_ail.py

@@ -16,9 +16,8 @@ from ...storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from ...knowledge_plugins.key_definitions.atoms import Atom, Register, Tmp, MemoryLocation
 from ...knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
 from ...knowledge_plugins.key_definitions.live_definitions import Definition, LiveDefinitions
-from ...code_location import CodeLocation
+from ...code_location import CodeLocation, ExternalCodeLocation
 from .subject import SubjectType
-from .external_codeloc import ExternalCodeLocation
 from .rd_state import ReachingDefinitionsState
 from .function_handler import FunctionHandler, FunctionCallData
 
@@ -415,7 +414,7 @@ class SimEngineRDAIL(
 
         # first check if it is ever defined
         try:
-            value: MultiValues = self.state.register_definitions.load(reg_offset, size=size)
+            value: MultiValues = self.state.registers.load(reg_offset, size=size)
         except SimMemoryMissingError as ex:
             # the full value does not exist, but we handle partial existence, too
             missing_defs = None
@@ -424,7 +423,7 @@ class SimEngineRDAIL(
                 i = 0
                 while i < size:
                     try:
-                        value: MultiValues = self.state.register_definitions.load(reg_offset + i, size=1)
+                        value: MultiValues = self.state.registers.load(reg_offset + i, size=1)
                     except SimMemoryMissingError as ex_:
                         i += ex_.missing_size
                         continue
@@ -498,7 +497,7 @@ class SimEngineRDAIL(
                 # a concrete address
                 concrete_addr: int = addr._model_concrete.value
                 try:
-                    vs: MultiValues = self.state.memory_definitions.load(concrete_addr, size=size, endness=expr.endness)
+                    vs: MultiValues = self.state.memory.load(concrete_addr, size=size, endness=expr.endness)
                     defs = set(LiveDefinitions.extract_defs_from_mv(vs))
                 except SimMemoryMissingError:
                     continue
@@ -510,7 +509,7 @@ class SimEngineRDAIL(
                 if stack_offset is not None:
                     stack_addr = self.state.live_definitions.stack_offset_to_stack_addr(stack_offset)
                     try:
-                        vs: MultiValues = self.state.stack_definitions.load(stack_addr, size=size, endness=expr.endness)
+                        vs: MultiValues = self.state.stack.load(stack_addr, size=size, endness=expr.endness)
                         defs = set(LiveDefinitions.extract_defs_from_mv(vs))
                     except SimMemoryMissingError:
                         continue

angr/analyses/reaching_definitions/engine_vex.py

@@ -16,9 +16,8 @@ from ...knowledge_plugins.key_definitions.tag import LocalVariableTag, Parameter
 from ...knowledge_plugins.key_definitions.atoms import Atom, Register, MemoryLocation, Tmp
 from ...knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
 from ...knowledge_plugins.key_definitions.heap_address import HeapAddress
-from ...code_location import CodeLocation
+from ...code_location import CodeLocation, ExternalCodeLocation
 from .rd_state import ReachingDefinitionsState
-from .external_codeloc import ExternalCodeLocation
 from .function_handler import FunctionCallData
 
 if TYPE_CHECKING:
@@ -350,7 +349,7 @@ class SimEngineRDVEX(
 
         reg_atom = Register(reg_offset, size, self.arch)
         try:
-            values: MultiValues = self.state.register_definitions.load(reg_offset, size=size)
+            values: MultiValues = self.state.registers.load(reg_offset, size=size)
         except SimMemoryMissingError:
             top = self.state.top(size * self.arch.byte_width)
             # annotate it
@@ -416,7 +415,7 @@ class SimEngineRDVEX(
                     loaded_stack_offsets.add(stack_offset)
                     stack_addr = self.state.live_definitions.stack_offset_to_stack_addr(stack_offset)
                     try:
-                        vs: MultiValues = self.state.stack_definitions.load(stack_addr, size=size, endness=endness)
+                        vs: MultiValues = self.state.stack.load(stack_addr, size=size, endness=endness)
                         # extract definitions
                         defs = set(LiveDefinitions.extract_defs_from_mv(vs))
                     except SimMemoryMissingError:
@@ -429,7 +428,7 @@ class SimEngineRDVEX(
                 # Load data from the heap
                 heap_offset = self.state.get_heap_offset(addr)
                 try:
-                    vs: MultiValues = self.state.heap_definitions.load(heap_offset, size=size, endness=endness)
+                    vs: MultiValues = self.state.heap.load(heap_offset, size=size, endness=endness)
                     defs = set(LiveDefinitions.extract_defs_from_mv(vs))
                 except SimMemoryMissingError:
                     continue
@@ -442,7 +441,7 @@ class SimEngineRDVEX(
 
                 # Load data from a global region
                 try:
-                    vs: MultiValues = self.state.memory_definitions.load(addr_v, size=size, endness=endness)
+                    vs: MultiValues = self.state.memory.load(addr_v, size=size, endness=endness)
                     defs = set(LiveDefinitions.extract_defs_from_mv(vs))
                 except SimMemoryMissingError:
                     try:
@@ -457,7 +456,7 @@ class SimEngineRDVEX(
                             v = self.state.annotate_with_def(claripy.BVV(val, size * self.arch.byte_width), missing_def)
                         vs = MultiValues(v)
                         if not section or section.is_writable:
-                            self.state.memory_definitions.store(addr_v, vs, size=size, endness=endness)
+                            self.state.memory.store(addr_v, vs, size=size, endness=endness)
                             self.state.all_definitions.add(missing_def)
                         defs = {missing_def}
                     except KeyError:

angr/analyses/reaching_definitions/external_codeloc.py

@@ -1,27 +0,0 @@
-from typing import Tuple
-
-from ...code_location import CodeLocation
-
-
-class ExternalCodeLocation(CodeLocation):
-    """
-    Stands for a program point that originates from outside an analysis' scope.
-    i.e. a value loaded from rdi in a callee where the caller has not been analyzed.
-    """
-
-    __slots__ = ("call_string",)
-
-    def __init__(self, call_string: Tuple[int, ...] = None):
-        super().__init__(0, None)
-        self.call_string = call_string if call_string is not None else ()
-
-    def __repr__(self):
-        return f"[External {[hex(x) if isinstance(x, int) else x for x in self.call_string]}]"
-
-    def __hash__(self):
-        """
-        returns the hash value of self.
-        """
-        if self._hash is None:
-            self._hash = hash((self.call_string,))
-        return self._hash

angr/analyses/reaching_definitions/function_handler.py

@@ -1,8 +1,10 @@
-from typing import TYPE_CHECKING, List, Set, Optional, Union
+from typing import TYPE_CHECKING, Iterable, List, Set, Optional, Union, Callable
 from dataclasses import dataclass, field
 import logging
+from functools import wraps
 from cle import Symbol
 from cle.backends import ELF
+import claripy
 
 from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from angr.sim_type import SimTypeBottom
@@ -13,15 +15,35 @@ from angr.sim_type import SimTypeFunction
 from angr.knowledge_plugins.key_definitions.definition import Definition
 from angr.knowledge_plugins.functions import Function
 from angr.analyses.reaching_definitions.dep_graph import FunctionCallRelationships
-from angr.code_location import CodeLocation
+from angr.code_location import CodeLocation, ExternalCodeLocation
+from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
+
 
 if TYPE_CHECKING:
+    from angr.knowledge_plugins.key_definitions.rd_model import ReachingDefinitionsModel
     from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
     from angr.analyses.reaching_definitions.reaching_definitions import ReachingDefinitionsAnalysis
 
 l = logging.getLogger(__name__)
 
 
+def get_exit_livedefinitions(func: Function, rda_model: "ReachingDefinitionsModel"):
+    """
+    Get LiveDefinitions at all exits of a function, merge them, and return.
+    """
+    lds = []
+    for block in func.endpoints:
+        ld = rda_model.get_observation_by_node(block.addr, ObservationPointType.OP_AFTER)
+        if ld is None:
+            continue
+        lds.append(ld)
+    if len(lds) == 1:
+        return lds[0]
+    if len(lds) == 0:
+        return None
+    return lds[0].merge(*lds[1:])[0]
+
+
 @dataclass
 class FunctionEffect:
     """
@@ -113,9 +135,9 @@ class FunctionCallData:
 
     def depends(
         self,
-        dest: Optional[Atom],
-        *sources: Atom,
-        value: Optional[MultiValues] = None,
+        dest: Union[Atom, Iterable[Atom], None],
+        *sources: Union[Atom, Iterable[Atom]],
+        value: Union[MultiValues, claripy.ast.BV, bytes, int, None] = None,
         apply_at_callsite: bool = False,
         tags: Optional[Set[Tag]] = None,
     ):
@@ -129,6 +151,22 @@ class FunctionCallData:
 
         The atom being modified may be None to mark uses of the source atoms which do not have any explicit sinks.
         """
+        if dest is None and value is not None:
+            raise TypeError("Cannot provide value without a destination to write it to")
+
+        if dest is not None and not isinstance(dest, Atom):
+            for dest2 in dest:
+                self.depends(dest2, *sources, value=value, apply_at_callsite=apply_at_callsite, tags=tags)
+            return
+
+        if isinstance(value, int):
+            assert dest is not None
+            value = claripy.BVV(value, dest.size * 8)
+        elif isinstance(value, bytes):
+            value = claripy.BVV(value)
+        if isinstance(value, claripy.ast.BV):
+            value = MultiValues(value)
+        assert value is None or isinstance(value, MultiValues)
         if dest is not None and self.has_clobbered(dest):
             l.warning(
                 "Function handler for %s seems to be implemented incorrectly - "
@@ -139,13 +177,76 @@ class FunctionCallData:
             self.effects.append(
                 FunctionEffect(
                     dest,
-                    set(sources),
+                    set().union(*({src} if isinstance(src, Atom) else set(src) for src in sources)),
                     value=value,
                     apply_at_callsite=apply_at_callsite,
                     tags=tags,
                 )
             )
 
+    def reset_prototype(self, prototype: SimTypeFunction, state: "ReachingDefinitionsState") -> Set[Atom]:
+        self.prototype = prototype.with_arch(state.arch)
+
+        args_atoms_from_values = set()
+        if self.args_atoms is None and self.args_values is not None:
+            self.args_atoms = [
+                set().union(
+                    *({defn.atom for defn in state.extract_defs(value)} for values in mv.values() for value in values)
+                )
+                for mv in self.args_values
+            ]
+            for atoms_set in self.args_atoms:
+                args_atoms_from_values |= atoms_set
+        elif self.args_atoms is None and self.cc is not None and self.prototype is not None:
+            self.args_atoms = FunctionHandler.c_args_as_atoms(state, self.cc, self.prototype)
+        if self.ret_atoms is None and self.cc is not None and self.prototype is not None:
+            if self.prototype.returnty is not None:
+                self.ret_atoms = FunctionHandler.c_return_as_atoms(state, self.cc, self.prototype)
+        return args_atoms_from_values
+
+
+class FunctionCallDataUnwrapped(FunctionCallData):
+    """
+    A subclass of FunctionCallData which asserts that many of its members are non-None at construction time.
+    Typechecks be gone!
+    """
+
+    address_multi: MultiValues
+    address: int
+    symbol: Symbol
+    function: Function
+    name: str
+    cc: SimCC
+    prototype: SimTypeFunction
+    args_atoms: List[Set[Atom]]
+    args_values: List[MultiValues]
+    ret_atoms: Set[Atom]
+
+    def __init__(self, inner: FunctionCallData):
+        d = dict(inner.__dict__)
+        annotations = type(self).__annotations__  # pylint: disable=no-member
+        for k, v in d.items():
+            assert v is not None or k not in annotations, (
+                "Failed to unwrap field %s - this function is more complicated than you're ready for!" % k
+            )
+            assert v is not None, "Members of FunctionCallDataUnwrapped may not be None"
+        super().__init__(**d)
+
+    @staticmethod
+    @wraps
+    def decorate(
+        f: Callable[["FunctionHandler", "ReachingDefinitionsState", "FunctionCallDataUnwrapped"], None]
+    ) -> Callable[["FunctionHandler", "ReachingDefinitionsState", FunctionCallData], None]:
+        """
+        Decorate a function handler method with this to make it take a FunctionCallDataUnwrapped instead of a
+        FunctionCallData.
+        """
+
+        def inner(self: "FunctionHandler", state: "ReachingDefinitionsState", data: FunctionCallData):
+            f(self, state, FunctionCallDataUnwrapped(data))
+
+        return inner
+
 
 # pylint: disable=unused-argument, no-self-use
 class FunctionHandler:
@@ -153,6 +254,9 @@ class FunctionHandler:
     A mechanism for summarizing a function call's effect on a program for ReachingDefinitionsAnalysis.
     """
 
+    def __init__(self, interfunction_level: int = 0):
+        self.interfunction_level: int = interfunction_level
+
     def hook(self, analysis: "ReachingDefinitionsAnalysis") -> "FunctionHandler":
         """
         Attach this instance of the function handler to an instance of RDA.
@@ -249,21 +353,7 @@ class FunctionHandler:
             data.prototype = state.analysis.project.factory.function_prototype()
             data.guessed_prototype = True
 
-        args_atoms_from_values = set()
-        if data.args_atoms is None and data.args_values is not None:
-            data.args_atoms = [
-                set().union(
-                    *({defn.atom for defn in state.extract_defs(value)} for values in mv.values() for value in values)
-                )
-                for mv in data.args_values
-            ]
-            for atoms_set in data.args_atoms:
-                args_atoms_from_values |= atoms_set
-        elif data.args_atoms is None and data.cc is not None and data.prototype is not None:
-            data.args_atoms = self.c_args_as_atoms(state, data.cc, data.prototype)
-        if data.ret_atoms is None and data.cc is not None and data.prototype is not None:
-            if data.prototype.returnty is not None:
-                data.ret_atoms = self.c_return_as_atoms(state, data.cc, data.prototype)
+        args_atoms_from_values = data.reset_prototype(data.prototype, state)
 
         # PROCESS
         state.move_codelocs(data.function_codeloc)
@@ -316,6 +406,8 @@ class FunctionHandler:
         for effect in data.effects:
             if effect.sources_defns is None and effect.sources:
                 effect.sources_defns = set().union(*(set(state.get_definitions(atom)) for atom in effect.sources))
+                if not effect.sources_defns:
+                    effect.sources_defns = {Definition(atom, ExternalCodeLocation()) for atom in effect.sources}
                 other_input_defns |= effect.sources_defns - all_args_defns
         # apply the effects, with the ones marked with apply_at_callsite=False applied first
         for effect in sorted(data.effects, key=lambda effect: effect.apply_at_callsite):
@@ -336,7 +428,7 @@ class FunctionHandler:
                 data.ret_values_deps = effect.sources_defns
             else:
                 # mark definition
-                mv, defs = state.kill_and_add_definition(
+                _, defs = state.kill_and_add_definition(
                     effect.dest,
                     value,
                     endness=None,
@@ -389,11 +481,41 @@ class FunctionHandler:
         self.handle_generic_function(state, data)
 
     def handle_local_function(self, state: "ReachingDefinitionsState", data: FunctionCallData) -> None:
-        self.handle_generic_function(state, data)
+        if self.interfunction_level > 0 and data.function is not None and state.analysis is not None:
+            self.interfunction_level -= 1
+            try:
+                self.recurse_analysis(state, data)
+            finally:
+                self.interfunction_level += 1
+        else:
+            self.handle_generic_function(state, data)
 
     def handle_external_function(self, state: "ReachingDefinitionsState", data: FunctionCallData) -> None:
         self.handle_generic_function(state, data)
 
+    def recurse_analysis(self, state: "ReachingDefinitionsState", data: FunctionCallData) -> None:
+        """
+        Precondition: ``data.function`` MUST NOT BE NONE in order to call this method.
+        """
+        assert state.analysis is not None
+        assert data.function is not None
+        sub_rda = state.analysis.project.analyses.ReachingDefinitions(
+            data.function,
+            observe_all=state.analysis._observe_all,
+            observation_points=state.analysis._observation_points,
+            observe_callback=state.analysis._observe_callback,
+            dep_graph=state.dep_graph,
+            function_handler=self,
+            init_state=state,
+        )
+        # migrate data from sub_rda to its parent
+        state.analysis.function_calls.update(sub_rda.function_calls)
+        state.analysis.model.observed_results.update(sub_rda.model.observed_results)
+
+        sub_ld = get_exit_livedefinitions(data.function, sub_rda.model)
+        if sub_ld is not None:
+            state.live_definitions = sub_ld
+
     @staticmethod
     def c_args_as_atoms(state: "ReachingDefinitionsState", cc: SimCC, prototype: SimTypeFunction) -> List[Set[Atom]]:
         if not prototype.variadic: