angr 9.2.65__py3-none-win_amd64.whl → 9.2.66__py3-none-win_amd64.whl

angr/analyses/reaching_definitions/rd_initializer.py

@@ -0,0 +1,221 @@
+import logging
+from typing import Optional, Tuple, TYPE_CHECKING
+
+import claripy
+from archinfo import Arch
+from angr.sim_type import SimType, SimTypeFunction
+from angr.analyses.reaching_definitions.subject import Subject
+from angr.analyses.reaching_definitions.call_trace import CallTrace
+from angr.calling_conventions import SimRegArg, SimStackArg, SimCC, SimFunctionArgument
+from angr.engines.light import SpOffset
+from angr.knowledge_plugins import Function
+from angr.knowledge_plugins.key_definitions.atoms import Register, MemoryLocation
+from angr.knowledge_plugins.key_definitions.definition import Definition
+from angr.knowledge_plugins.key_definitions.tag import ParameterTag, InitialValueTag
+from angr.code_location import ExternalCodeLocation
+
+l = logging.getLogger(name=__name__)
+
+if TYPE_CHECKING:
+    from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+
+
+class RDAStateInitializer:
+    """
+    This class acts as the basic implementation for the logic that initializes the base state
+    for the reaching definitions analysis.
+
+    It also defines the _interface_ that a state initializer should implement,
+    if the language/runtime being analyzed requires more complicated logic to set up the state.
+
+    This code/logic was previously part of the ReachingDefinitionsState class, but this was moved here to separate
+    these two concerns, and allow easily changing the initialization logic without having to change the state class.
+
+    """
+
+    def __init__(self, arch: Arch):
+        self.arch: Arch = arch
+
+    def initialize_function_state(
+        self, state: "ReachingDefinitionsState", cc: Optional[SimCC], func_addr: int, rtoc_value: Optional[int] = None
+    ) -> None:
+        """
+        This is the entry point to the state initialization logic.
+        It will be called during the initialization of an ReachingDefinitionsState,
+        if the state was freshly created (without existing live_definitions)
+        """
+        call_string = self._generate_call_string(state._subject, func_addr)
+        ex_loc = ExternalCodeLocation(call_string)
+        if state.analysis is not None:
+            state.analysis.model.at_new_stmt(ex_loc)
+
+        # Setup Stack pointer
+        self.initialize_stack_pointer(state, func_addr, ex_loc)
+
+        # initialize function arguments, based on the calling convention and signature
+        if state.analysis is not None and cc is not None:
+            prototype = state.analysis.kb.functions[func_addr].prototype
+        else:
+            prototype = None
+        self.initialize_all_function_arguments(state, func_addr, ex_loc, cc, prototype)
+
+        # architecture dependent initialization
+        self.initialize_architectural_state(state, func_addr, ex_loc, rtoc_value)
+
+        if state.analysis is not None:
+            state.analysis.model.complete_loc()
+
+    def initialize_all_function_arguments(
+        self,
+        state: "ReachingDefinitionsState",
+        func_addr: int,
+        ex_loc: ExternalCodeLocation,
+        cc: Optional[SimCC],
+        prototype: Optional[SimTypeFunction],
+    ) -> None:
+        """
+        This method handles the setup for _all_ arguments of a function.
+
+        The default implementation uses the calling convention to extract the argument locations, associates them with
+        the type, and passes them to the logic for one argument.
+
+        You probably don't need to override this
+        """
+        if cc is not None and prototype is not None:
+            # Type inference for zip is broken in PyCharm 2023.* currently, so we help out manually
+            loc: SimFunctionArgument
+            ty: SimType
+            for loc, ty in zip(cc.arg_locs(prototype), prototype.args):
+                for arg in loc.get_footprint():
+                    self.initialize_one_function_argument(state, func_addr, ex_loc, arg, ty)
+
+    def initialize_one_function_argument(
+        self,
+        state: "ReachingDefinitionsState",
+        func_addr: int,
+        ex_loc: ExternalCodeLocation,
+        argument_location: SimFunctionArgument,
+        argument_type: Optional[SimType] = None,
+    ) -> None:
+        """
+        This method handles the setup for _one_ argument of a function.
+        This is the main method to override for custom initialization logic.
+
+        The default implementation initializes only the argument location itself, but the signature allows
+        this to support extra logic based on the _type_ of the argument as well.
+
+        For example if the argument is a pointer to something,
+        the default implementation would only set up the register with the value TOP.
+
+        A custom implementation could instead dedicate some memory somewhere (e.g. on the heap), setup whatever object
+        is being pointed to, and then put the actual pointer to this inside the register
+        """
+        _ = argument_type
+        if isinstance(argument_location, SimRegArg):
+            self._initialize_function_argument_register(state, func_addr, ex_loc, argument_location)
+        elif isinstance(argument_location, SimStackArg):
+            self._initialize_function_argument_stack(state, func_addr, ex_loc, argument_location)
+        else:
+            raise TypeError("Unsupported parameter type %s." % type(argument_location).__name__)
+
+    def initialize_stack_pointer(
+        self, state: "ReachingDefinitionsState", _func_addr: int, ex_loc: ExternalCodeLocation
+    ) -> None:
+        # initialize stack pointer
+        sp_atom = Register(self.arch.sp_offset, self.arch.bytes)
+        sp_def = Definition(sp_atom, ex_loc, tags={InitialValueTag()})
+        sp = state.annotate_with_def(state._initial_stack_pointer(), sp_def)
+        state.registers.store(self.arch.sp_offset, sp)
+
+    def initialize_architectural_state(
+        self,
+        state: "ReachingDefinitionsState",
+        func_addr: int,
+        ex_loc: ExternalCodeLocation,
+        rtoc_value: Optional[int] = None,
+    ) -> None:
+        """
+        Some architectures require initialization that is specific to that architecture.
+
+        Override this if you need to add support for an architecture that requires this, and isn't covered yet
+        """
+        if self.arch.name.startswith("PPC64"):
+            if rtoc_value is None:
+                raise TypeError("rtoc_value must be provided on PPC64.")
+            offset, size = self.arch.registers["rtoc"]
+            rtoc_atom = Register(offset, size)
+            rtoc_def = Definition(rtoc_atom, ex_loc, tags={InitialValueTag()})
+            state.all_definitions.add(rtoc_def)
+            if state.analysis is not None:
+                state.analysis.model.add_def(rtoc_def, ex_loc)
+            rtoc = state.annotate_with_def(claripy.BVV(rtoc_value, self.arch.bits), rtoc_def)
+            state.registers.store(offset, rtoc)
+        elif self.arch.name.startswith("MIPS64"):
+            offset, size = self.arch.registers["t9"]
+            t9_atom = Register(offset, size)
+            t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
+            state.all_definitions.add(t9_def)
+            if state.analysis is not None:
+                state.analysis.model.add_def(t9_def, ex_loc)
+            t9 = state.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
+            state.registers.store(offset, t9)
+        elif self.arch.name.startswith("MIPS"):
+            if func_addr is None:
+                l.warning("func_addr must not be None to initialize a function in mips")
+            t9_offset = self.arch.registers["t9"][0]
+            t9_atom = Register(t9_offset, self.arch.bytes)
+            t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
+            state.all_definitions.add(t9_def)
+            if state.analysis is not None:
+                state.analysis.model.add_def(t9_def, ex_loc)
+            t9 = state.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
+            state.registers.store(t9_offset, t9)
+
+    def _initialize_function_argument_register(
+        self,
+        state: "ReachingDefinitionsState",
+        func_addr: int,
+        ex_loc: ExternalCodeLocation,
+        arg: SimRegArg,
+        value: Optional[claripy.ast.Base] = None,
+    ):
+        # FIXME: implement reg_offset handling in SimRegArg
+        reg_offset = self.arch.registers[arg.reg_name][0]
+        reg_atom = Register(reg_offset, self.arch.bytes)
+        reg_def = Definition(reg_atom, ex_loc, tags={ParameterTag(function=func_addr)})
+        state.all_definitions.add(reg_def)
+        if state.analysis is not None:
+            state.analysis.model.add_def(reg_def, ex_loc)
+        if value is None:
+            value = state.top(self.arch.bits)
+        reg = state.annotate_with_def(value, reg_def)
+        state.registers.store(reg_offset, reg)
+
+    def _initialize_function_argument_stack(
+        self, state: "ReachingDefinitionsState", func_addr: int, ex_loc: ExternalCodeLocation, arg: SimStackArg
+    ):
+        ml_atom = MemoryLocation(SpOffset(self.arch.bits, arg.stack_offset), arg.size)
+        ml_def = Definition(ml_atom, ex_loc, tags={ParameterTag(function=func_addr)})
+        state.all_definitions.add(ml_def)
+        if state.analysis is not None:
+            state.analysis.model.add_def(ml_def, ex_loc)
+        ml = state.annotate_with_def(state.top(self.arch.bits), ml_def)
+        stack_address = state.get_stack_address(state.stack_address(arg.stack_offset))
+        state.stack.store(stack_address, ml, endness=self.arch.memory_endness)
+
+    @staticmethod
+    def _generate_call_string(subject: Subject, current_address: int) -> Optional[Tuple[int, ...]]:
+        if isinstance(subject.content, Function):
+            return (subject.content.addr,)
+        elif isinstance(subject.content, CallTrace):
+            if any(current_address == x.caller_func_addr for x in subject.content.callsites):
+                callsites = iter(reversed([x.caller_func_addr for x in subject.content.callsites]))
+                for call_addr in callsites:
+                    if current_address == call_addr:
+                        break
+                return tuple(callsites)
+            else:
+                return tuple(x.caller_func_addr for x in subject.content.callsites)
+        else:
+            l.warning("Subject with unknown content-type")
+            return None

angr/analyses/reaching_definitions/rd_state.py

@@ -1,13 +1,18 @@
-from typing import Optional, Iterable, Set, Tuple, Any, TYPE_CHECKING, Iterator, Union
+from typing import Optional, Iterable, Set, Tuple, Any, TYPE_CHECKING, Iterator, Union, overload, Type
 import logging
 
 import archinfo
 import claripy
 
-from ...analyses.reaching_definitions.call_trace import CallTrace
+from angr.misc.ux import deprecated
+from angr.knowledge_plugins.key_definitions.environment import Environment
+from angr.knowledge_plugins.key_definitions.tag import Tag
+from angr.knowledge_plugins.key_definitions.heap_address import HeapAddress
+from angr.engines.light import SpOffset
+from angr.code_location import CodeLocation
 from ...storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
 from ...storage.memory_mixins import MultiValuedMemory
-from ...knowledge_plugins.key_definitions import LiveDefinitions
+from ...knowledge_plugins.key_definitions import LiveDefinitions, DerefSize, Definition
 from ...knowledge_plugins.key_definitions.atoms import (
     Atom,
     GuardUse,
@@ -15,17 +20,9 @@ from ...knowledge_plugins.key_definitions.atoms import (
     MemoryLocation,
     ConstantSrc,
 )
-from ...knowledge_plugins.functions.function import Function
-from ...knowledge_plugins.key_definitions.definition import Definition
-from ...knowledge_plugins.key_definitions.environment import Environment
-from ...knowledge_plugins.key_definitions.tag import InitialValueTag, ParameterTag, Tag
-from ...knowledge_plugins.key_definitions.heap_address import HeapAddress
-from ...calling_conventions import SimCC, SimRegArg, SimStackArg
-from ...engines.light import SpOffset
-from ...code_location import CodeLocation
-from .external_codeloc import ExternalCodeLocation
 from .heap_allocator import HeapAllocator
 from .subject import Subject, SubjectType
+from .rd_initializer import RDAStateInitializer
 
 if TYPE_CHECKING:
     from .reaching_definitions import ReachingDefinitionsAnalysis
@@ -92,6 +89,7 @@ class ReachingDefinitionsState:
         environment: Environment = None,
         sp_adjusted: bool = False,
         all_definitions: Optional[Set[Definition]] = None,
+        initializer: Optional["RDAStateInitializer"] = None,
     ):
         # handy short-hands
         self.codeloc = codeloc
@@ -105,16 +103,6 @@ class ReachingDefinitionsState:
 
         self.all_definitions: Set[Definition] = set() if all_definitions is None else all_definitions
 
-        if live_definitions is None:
-            # the first time this state is created. initialize it
-            self.live_definitions = LiveDefinitions(
-                self.arch, track_tmps=self._track_tmps, canonical_size=canonical_size
-            )
-            self._set_initialization_values(subject, rtoc_value)
-        else:
-            # this state is a copy from a previous state. skip the initialization
-            self.live_definitions = live_definitions
-
         self.heap_allocator = heap_allocator or HeapAllocator(canonical_size)
         self._environment: Environment = environment or Environment()
 
@@ -126,6 +114,24 @@ class ReachingDefinitionsState:
         # block and is always set to False at the beginning of the analysis of each block.
         self.exit_observed: bool = False
 
+        # initialize the live definitions
+        # This must stay at the end of the __init__ method, because the _set_initialization_values method will call
+        # the state initializer which might need to access some of the above attributes, e.g. the heap_allocator
+        # to do its job
+
+        if live_definitions is None:
+            # the first time this state is created. initialize it
+            self.live_definitions = LiveDefinitions(
+                self.arch, track_tmps=self._track_tmps, canonical_size=canonical_size
+            )
+            self._set_initialization_values(subject, rtoc_value, initializer=initializer)
+
+            if self.analysis is not None:
+                self.live_definitions.project = self.analysis.project
+        else:
+            # this state is a copy from a previous state. skip the initialization
+            self.live_definitions = live_definitions
+
     #
     # Util methods for working with the memory model
     #
@@ -136,26 +142,18 @@ class ReachingDefinitionsState:
     def is_top(self, *args):
         return self.live_definitions.is_top(*args)
 
-    def heap_address(self, offset: int) -> claripy.ast.Base:
-        base = claripy.BVS("heap_base", self.arch.bits, explicit_name=True)
-        if offset:
-            return base + offset
-        return base
+    def heap_address(self, offset: Union[int, HeapAddress]) -> claripy.ast.BV:
+        return self.live_definitions.heap_address(offset)
 
     @staticmethod
     def is_heap_address(addr: claripy.ast.Base) -> bool:
-        return "heap_base" in addr.variables
+        return LiveDefinitions.is_heap_address(addr)
 
     @staticmethod
     def get_heap_offset(addr: claripy.ast.Base) -> Optional[int]:
-        if "heap_base" in addr.variables:
-            if addr.op == "BVS":
-                return 0
-            elif addr.op == "__add__" and len(addr.args) == 2 and addr.args[1].op == "BVV":
-                return addr.args[1]._model_concrete.value
-        return None
+        return LiveDefinitions.get_heap_offset(addr)
 
-    def stack_address(self, offset: int) -> claripy.ast.Base:
+    def stack_address(self, offset: int) -> claripy.ast.BV:
         return self.live_definitions.stack_address(offset)
 
     def is_stack_address(self, addr: claripy.ast.Base) -> bool:
@@ -205,7 +203,7 @@ class ReachingDefinitionsState:
     #
 
     @property
-    def tmp_definitions(self):
+    def tmps(self):
         return self.live_definitions.tmps
 
     @property
@@ -217,20 +215,20 @@ class ReachingDefinitionsState:
         return self.live_definitions.register_uses
 
     @property
-    def register_definitions(self) -> MultiValuedMemory:
-        return self.live_definitions.register_definitions
+    def registers(self) -> MultiValuedMemory:
+        return self.live_definitions.registers
 
     @property
-    def stack_definitions(self) -> MultiValuedMemory:
-        return self.live_definitions.stack_definitions
+    def stack(self) -> MultiValuedMemory:
+        return self.live_definitions.stack
 
     @property
     def stack_uses(self):
         return self.live_definitions.stack_uses
 
     @property
-    def heap_definitions(self) -> MultiValuedMemory:
-        return self.live_definitions.heap_definitions
+    def heap(self) -> MultiValuedMemory:
+        return self.live_definitions.heap
 
     @property
     def heap_uses(self):
@@ -241,8 +239,8 @@ class ReachingDefinitionsState:
         return self.live_definitions.memory_uses
 
     @property
-    def memory_definitions(self) -> MultiValuedMemory:
-        return self.live_definitions.memory_definitions
+    def memory(self) -> MultiValuedMemory:
+        return self.live_definitions.memory
 
     @property
     def uses_by_codeloc(self):
@@ -270,124 +268,29 @@ class ReachingDefinitionsState:
         ctnt = "RDState-%r" % (self.live_definitions)
         return "{%s}" % ctnt
 
-    def _set_initialization_values(self, subject: Subject, rtoc_value: Optional[int] = None):
+    def _set_initialization_values(
+        self, subject: Subject, rtoc_value: Optional[int] = None, initializer: Optional[RDAStateInitializer] = None
+    ):
+        if initializer is None:
+            initializer = RDAStateInitializer(self.arch)
+
         if subject.type == SubjectType.Function:
             if isinstance(self.arch, archinfo.arch_ppc64.ArchPPC64) and not rtoc_value:
                 raise ValueError("The architecture being ppc64, the parameter `rtoc_value` should be provided.")
 
-            self._initialize_function(
-                subject.cc,
-                subject.content.addr,
-                rtoc_value,
-            )
+            initializer.initialize_function_state(self, subject.cc, subject.content.addr, rtoc_value)
         elif subject.type == SubjectType.CallTrace:
             if isinstance(self.arch, archinfo.arch_ppc64.ArchPPC64) and not rtoc_value:
                 raise ValueError("The architecture being ppc64, the parameter `rtoc_value` should be provided.")
 
-            self._initialize_function(
-                subject.cc,
-                subject.content.current_function_address(),
-                rtoc_value,
+            initializer.initialize_function_state(
+                self, subject.cc, subject.content.current_function_address(), rtoc_value
             )
         elif subject.type == SubjectType.Block:
             pass
 
         return self
 
-    def _generate_call_string(self, current_address: int) -> Tuple[int, ...]:
-        if isinstance(self._subject.content, Function):
-            return (self._subject.content.addr,)
-        elif isinstance(self._subject.content, CallTrace):
-            if any(current_address == x.caller_func_addr for x in self._subject.content.callsites):
-                callsites = iter(reversed([x.caller_func_addr for x in self._subject.content.callsites]))
-                for call_addr in callsites:
-                    if current_address == call_addr:
-                        break
-                return tuple(callsites)
-            else:
-                return tuple(x.caller_func_addr for x in self._subject.content.callsites)
-        else:
-            l.warning("Subject with unknown content-type")
-            return None
-
-    def _initialize_function(self, cc: SimCC, func_addr: int, rtoc_value: Optional[int] = None):
-        # initialize stack pointer
-        call_string = self._generate_call_string(func_addr)
-        sp_atom = Register(self.arch.sp_offset, self.arch.bytes)
-        sp_def = Definition(sp_atom, ExternalCodeLocation(call_string), tags={InitialValueTag()})
-        sp = self.annotate_with_def(self._initial_stack_pointer(), sp_def)
-        self.register_definitions.store(self.arch.sp_offset, sp)
-
-        ex_loc = ExternalCodeLocation(call_string)
-        if self.analysis is not None:
-            self.analysis.model.at_new_stmt(ex_loc)
-
-        if cc is not None:
-            prototype = self.analysis.kb.functions[func_addr].prototype
-            if prototype is not None:
-                for loc in cc.arg_locs(prototype):
-                    for arg in loc.get_footprint():
-                        # initialize register parameters
-                        if isinstance(arg, SimRegArg):
-                            # FIXME: implement reg_offset handling in SimRegArg
-                            reg_offset = self.arch.registers[arg.reg_name][0]
-                            reg_atom = Register(reg_offset, self.arch.bytes)
-                            reg_def = Definition(reg_atom, ex_loc, tags={ParameterTag(function=func_addr)})
-                            self.all_definitions.add(reg_def)
-                            if self.analysis is not None:
-                                self.analysis.model.add_def(reg_def, ex_loc)
-                            reg = self.annotate_with_def(self.top(self.arch.bits), reg_def)
-                            self.register_definitions.store(reg_offset, reg)
-
-                        # initialize stack parameters
-                        elif isinstance(arg, SimStackArg):
-                            ml_atom = MemoryLocation(SpOffset(self.arch.bits, arg.stack_offset), arg.size)
-                            ml_def = Definition(ml_atom, ex_loc, tags={ParameterTag(function=func_addr)})
-                            self.all_definitions.add(ml_def)
-                            if self.analysis is not None:
-                                self.analysis.model.add_def(ml_def, ex_loc)
-                            ml = self.annotate_with_def(self.top(self.arch.bits), ml_def)
-                            stack_address = self.get_stack_address(self.stack_address(arg.stack_offset))
-                            self.stack_definitions.store(stack_address, ml, endness=self.arch.memory_endness)
-                        else:
-                            raise TypeError("Unsupported parameter type %s." % type(arg).__name__)
-
-        # architecture dependent initialization
-        if self.arch.name.startswith("PPC64"):
-            if rtoc_value is None:
-                raise TypeError("rtoc_value must be provided on PPC64.")
-            offset, size = self.arch.registers["rtoc"]
-            rtoc_atom = Register(offset, size)
-            rtoc_def = Definition(rtoc_atom, ex_loc, tags={InitialValueTag()})
-            self.all_definitions.add(rtoc_def)
-            if self.analysis is not None:
-                self.analysis.model.add_def(rtoc_def, ex_loc)
-            rtoc = self.annotate_with_def(claripy.BVV(rtoc_value, self.arch.bits), rtoc_def)
-            self.register_definitions.store(offset, rtoc)
-        elif self.arch.name.startswith("MIPS64"):
-            offset, size = self.arch.registers["t9"]
-            t9_atom = Register(offset, size)
-            t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
-            self.all_definitions.add(t9_def)
-            if self.analysis is not None:
-                self.analysis.model.add_def(t9_def, ex_loc)
-            t9 = self.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
-            self.register_definitions.store(offset, t9)
-        elif self.arch.name.startswith("MIPS"):
-            if func_addr is None:
-                l.warning("func_addr must not be None to initialize a function in mips")
-            t9_offset = self.arch.registers["t9"][0]
-            t9_atom = Register(t9_offset, self.arch.bytes)
-            t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
-            self.all_definitions.add(t9_def)
-            if self.analysis is not None:
-                self.analysis.model.add_def(t9_def, ex_loc)
-            t9 = self.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
-            self.register_definitions.store(t9_offset, t9)
-
-        if self.analysis is not None:
-            self.analysis.model.complete_loc()
-
     def copy(self, discard_tmpdefs=False) -> "ReachingDefinitionsState":
         rd = ReachingDefinitionsState(
             self.codeloc,
@@ -574,17 +477,33 @@ class ReachingDefinitionsState:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def get_definitions(self, atom: Atom) -> Iterable[Definition]:
+    def get_definitions(
+        self, atom: Union[Atom, Definition, Iterable[Atom], Iterable[Definition]]
+    ) -> Iterable[Definition]:
         yield from self.live_definitions.get_definitions(atom)
 
-    def get_values(self, spec: Union[Atom, Definition]) -> Optional[MultiValues]:
+    def get_values(self, spec: Union[Atom, Definition, Iterable[Atom]]) -> Optional[MultiValues]:
         return self.live_definitions.get_values(spec)
 
-    def get_one_value(self, spec: Union[Atom, Definition]) -> Optional[claripy.ast.base.Base]:
+    def get_one_value(self, spec: Union[Atom, Definition]) -> Optional[claripy.ast.bv.BV]:
         return self.live_definitions.get_one_value(spec)
 
-    def get_concrete_value(self, spec: Union[Atom, Definition]) -> Optional[int]:
-        return self.live_definitions.get_concrete_value(spec)
+    @overload
+    def get_concrete_value(
+        self, spec: Union[Atom, Definition[Atom], Iterable[Atom]], cast_to: Type[int] = ...
+    ) -> Optional[int]:
+        ...
+
+    @overload
+    def get_concrete_value(
+        self, spec: Union[Atom, Definition[Atom], Iterable[Atom]], cast_to: Type[bytes] = ...
+    ) -> Optional[bytes]:
+        ...
+
+    def get_concrete_value(
+        self, spec: Union[Atom, Definition[Atom], Iterable[Atom]], cast_to: Union[Type[int], Type[bytes]] = int
+    ) -> Union[int, bytes, None]:
+        return self.live_definitions.get_concrete_value(spec, cast_to)
 
     def mark_guard(self, target):
         atom = GuardUse(target)
@@ -608,6 +527,7 @@ class ReachingDefinitionsState:
         self.all_definitions = set()
         self.live_definitions.reset_uses()
 
+    @deprecated("deref")
     def pointer_to_atoms(self, pointer: MultiValues, size: int, endness: str) -> Set[MemoryLocation]:
         """
         Given a MultiValues, return the set of atoms that loading or storing to the pointer with that value
@@ -622,6 +542,7 @@ class ReachingDefinitionsState:
 
         return result
 
+    @deprecated("deref")
     def pointer_to_atom(self, value: claripy.ast.base.Base, size: int, endness: str) -> Optional[MemoryLocation]:
         if self.is_top(value):
             return None
@@ -641,3 +562,24 @@ class ReachingDefinitionsState:
                 return None
 
         return MemoryLocation(addr, size, endness)
+
+    @overload
+    def deref(
+        self,
+        pointer: Union[MultiValues, Atom, Definition, Iterable[Atom], Iterable[Definition]],
+        size: Union[int, DerefSize],
+        endness: archinfo.Endness = ...,
+    ) -> Set[MemoryLocation]:
+        ...
+
+    @overload
+    def deref(
+        self,
+        pointer: Union[int, claripy.ast.BV, HeapAddress, SpOffset],
+        size: Union[int, DerefSize],
+        endness: archinfo.Endness = ...,
+    ) -> Optional[MemoryLocation]:
+        ...
+
+    def deref(self, pointer, size, endness=archinfo.Endness.BE):
+        return self.live_definitions.deref(pointer, size, endness)

angr/analyses/reaching_definitions/reaching_definitions.py

@@ -6,7 +6,6 @@ import ailment
 import pyvex
 
 from angr.analyses import ForwardAnalysis
-from angr.analyses.reaching_definitions.external_codeloc import ExternalCodeLocation
 from ...block import Block
 from ...knowledge_plugins.cfg.cfg_node import CFGNode
 from ...codenode import CodeNode
@@ -14,13 +13,14 @@ from ...engines.light import SimEngineLight
 from ...knowledge_plugins.functions import Function
 from ...knowledge_plugins.key_definitions import ReachingDefinitionsModel, LiveDefinitions
 from ...knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER, ObservationPointType
-from ...code_location import CodeLocation
+from ...code_location import CodeLocation, ExternalCodeLocation
 from ...misc.ux import deprecated
 from ..forward_analysis.visitors.graph import NodeType
 from ..analysis import Analysis
 from .engine_ail import SimEngineRDAIL
 from .engine_vex import SimEngineRDVEX
 from .rd_state import ReachingDefinitionsState
+from .rd_initializer import RDAStateInitializer
 from .subject import Subject, SubjectType
 from .function_handler import FunctionHandler, FunctionCallRelationships
 from .dep_graph import DepGraph
@@ -61,6 +61,7 @@ class ReachingDefinitionsAnalysis(
         observation_points: "Iterable[ObservationPoint]" = None,
         init_state: ReachingDefinitionsState = None,
         init_context=None,
+        state_initializer: Optional["RDAStateInitializer"] = None,
         cc=None,
         function_handler: "Optional[FunctionHandler]" = None,
         observe_all=False,
@@ -70,6 +71,7 @@ class ReachingDefinitionsAnalysis(
         canonical_size=8,
         stack_pointer_tracker=None,
         use_callee_saved_regs_at_return=True,
+        interfunction_level: int = 0,
     ):
         """
         :param subject:                         The subject of the analysis: a function, or a single basic block
@@ -99,6 +101,8 @@ class ReachingDefinitionsAnalysis(
                                                 for operations where sizes are necessary.
         :param dep_graph:                       Set this to True to generate a dependency graph for the subject. It will
                                                 be available as `result.dep_graph`.
+        :param interfunction_level:             The number of functions we should recurse into. This parameter is only
+                                                used if function_handler is not provided.
         """
 
         if isinstance(subject, str):
@@ -129,13 +133,20 @@ class ReachingDefinitionsAnalysis(
             self._dep_graph = dep_graph
 
         if function_handler is None:
-            self._function_handler = FunctionHandler().hook(self)
+            self._function_handler = FunctionHandler(interfunction_level).hook(self)
         else:
+            if interfunction_level != 0:
+                l.warning("RDA(interfunction_level=XXX) doesn't do anything if you provide a function handler")
             self._function_handler = function_handler.hook(self)
 
         if self._init_state is not None:
             self._init_state = self._init_state.copy()
             self._init_state.analysis = self
+            # There should never be an initializer needed then
+            self._state_initializer = None
+        else:
+            self._state_initializer = state_initializer
+
         self._init_context = init_context
 
         self._observe_all = observe_all
@@ -435,6 +446,7 @@ class ReachingDefinitionsAnalysis(
                 track_consts=self._track_consts,
                 analysis=self,
                 canonical_size=self._canonical_size,
+                initializer=self._state_initializer,
             )
 
     # pylint: disable=no-self-use,arguments-differ