angr 9.2.76__py3-none-win_amd64.whl → 9.2.77__py3-none-win_amd64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.76"
+__version__ = "9.2.77"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/indirect_jump_resolvers/amd64_pe_iat.py

@@ -22,7 +22,13 @@ class AMD64PeIatResolver(IndirectJumpResolver):
         if jumpkind not in {"Ijk_Call", "Ijk_Boring"}:
             return False
 
-        opnd = self.project.factory.block(addr).capstone.insns[-1].insn.operands[0]
+        insns = self.project.factory.block(addr).capstone.insns
+        if not insns:
+            return False
+        if not insns[-1].insn.operands:
+            return False
+
+        opnd = insns[-1].insn.operands[0]
         # Must be of the form: call qword ptr [0xABCD]
         if opnd.type == X86_OP_MEM and opnd.mem.disp and opnd.mem.base == X86_REG_RIP and opnd.mem.index == 0:
             return True

angr/analyses/cfg/indirect_jump_resolvers/x86_pe_iat.py

@@ -22,7 +22,13 @@ class X86PeIatResolver(IndirectJumpResolver):
         if jumpkind != "Ijk_Call":
             return False
 
-        opnd = self.project.factory.block(addr).capstone.insns[-1].insn.operands[0]
+        insns = self.project.factory.block(addr).capstone.insns
+        if not insns:
+            return False
+        if not insns[-1].insn.operands:
+            return False
+
+        opnd = insns[-1].insn.operands[0]
         # Must be of the form: call ds:0xABCD
         if opnd.type == X86_OP_MEM and opnd.mem.disp and not opnd.mem.base and not opnd.mem.index:
             return True

angr/analyses/decompiler/clinic.py

@@ -1399,7 +1399,10 @@ class Clinic(Analysis):
             )
             end_block_ail = ailment.IRSBConverter.convert(end_block.vex, self._ail_manager)
         else:
-            end_block_ail = next(iter(b for b in ail_graph if b.addr == end_block_addr))
+            try:
+                end_block_ail = next(iter(b for b in ail_graph if b.addr == end_block_addr))
+            except StopIteration:
+                return None
 
         # last check: if the first instruction of the end block has Sar, then we bail (due to the peephole optimization
         # SarToSignedDiv)

angr/analyses/decompiler/condition_processor.py

@@ -102,6 +102,7 @@ _ail2claripy_op_mapping = {
     "Shr": lambda expr, conv, _: _op_with_unified_size(claripy.LShR, conv, expr.operands[0], expr.operands[1]),
     "Shl": lambda expr, conv, _: _op_with_unified_size(operator.lshift, conv, expr.operands[0], expr.operands[1]),
     "Sar": lambda expr, conv, _: _op_with_unified_size(operator.rshift, conv, expr.operands[0], expr.operands[1]),
+    "Concat": lambda expr, conv, _: claripy.Concat(*[conv(operand) for operand in expr.operands]),
     # There are no corresponding claripy operations for the following operations
     "DivMod": lambda expr, _, m: _dummy_bvs(expr, m),
     "CmpF": lambda expr, _, m: _dummy_bvs(expr, m),
@@ -686,6 +687,9 @@ class ConditionProcessor:
             if cond_.args[0] is True
             else ailment.Expr.Const(None, None, False, 1, **tags),
             "Extract": lambda cond_, tags: self._convert_extract(*cond_.args, tags, memo=memo),
+            "ZeroExt": lambda cond_, tags: _binary_op_reduce(
+                "Concat", [claripy.BVV(0, cond_.args[0]), cond_.args[1]], tags
+            ),
         }
 
         if cond.op in _mapping:

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -146,14 +146,15 @@ class ITERegionConverter(OptimizationPass):
         #
 
         new_region_head = region_head.copy()
+        addr_obj = true_stmt.src if "ins_addr" in true_stmt.src.tags else true_stmt
         ternary_expr = ITE(
             None,
             region_head.statements[-1].condition,
             true_stmt.src,
             false_stmt.src,
-            ins_addr=true_stmt.src.ins_addr,
-            vex_block_addr=true_stmt.src.vex_block_addr,
-            vex_stmt_idx=true_stmt.src.vex_stmt_idx,
+            ins_addr=addr_obj.ins_addr,
+            vex_block_addr=addr_obj.vex_block_addr,
+            vex_stmt_idx=addr_obj.vex_stmt_idx,
         )
         new_assignment = true_stmt.copy()
         new_assignment.src = ternary_expr

angr/analyses/decompiler/optimization_passes/multi_simplifier.py

@@ -21,7 +21,7 @@ class MultiSimplifierAILEngine(SimplifierAILEngine):
         if type(operand_0) in [Expr.Convert, Expr.Register]:
             if isinstance(operand_1, (Expr.Convert, Expr.Register)):
                 if operand_0 == operand_1:
-                    count = Expr.Const(expr.idx, None, 2, 8)
+                    count = Expr.Const(expr.idx, None, 2, operand_1.bits)
                     return Expr.BinaryOp(expr.idx, "Mul", [operand_1, count], expr.signed, **expr.tags)
         # 2*x + x = 3*x
         if Expr.BinaryOp in [type(operand_0), type(operand_1)]:

angr/analyses/decompiler/structured_codegen/c.py

@@ -2721,6 +2721,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         o_constant, o_terms = extract_terms(expr)
 
         def bail_out():
+            if len(o_terms) == 0:
+                # probably a plain integer, return as is
+                return expr
             result = reduce(
                 lambda a1, a2: CBinaryOp("Add", a1, a2, codegen=self),
                 (

angr/analyses/propagator/engine_ail.py

@@ -1204,7 +1204,7 @@ class SimEnginePropagatorAIL(
                     o1_expr if o1_expr is not None else expr.operands[1],
                 ],
                 expr.signed,
-                bits=o0_expr.bits * 2,
+                bits=expr.bits,
                 floating_point=expr.floating_point,
                 rounding_mode=expr.rounding_mode,
                 **expr.tags,

angr/analyses/reaching_definitions/engine_ail.py

@@ -118,9 +118,6 @@ class SimEngineRDAIL(
     def _process_Stmt(self, whitelist=None):
         super()._process_Stmt(whitelist=whitelist)
 
-        if self.state.analysis:
-            self.state.analysis.model.complete_loc()
-
     def _handle_Stmt(self, stmt):
         if self.state.analysis:
             self.state.analysis.stmt_observe(self.stmt_idx, stmt, self.block, self.state, OP_BEFORE)
@@ -801,7 +798,7 @@ class SimEngineRDAIL(
         elif expr0_v is None and expr1_v is not None:
             # each value in expr0 >> expr1_v
             if expr0.count() == 1 and 0 in expr0:
-                if all(v.concrete for v in expr0[0]):
+                if all(v.concrete for v in expr0[0]) and expr1_v.concrete:
                     vs = {
                         (claripy.LShR(v, expr1_v.concrete_value) if v.concrete else self.state.top(bits))
                         for v in expr0[0]
@@ -839,7 +836,7 @@ class SimEngineRDAIL(
         elif expr0_v is None and expr1_v is not None:
             # each value in expr0 >> expr1_v
             if expr0.count() == 1 and 0 in expr0:
-                if all(v.concrete for v in expr0[0]):
+                if all(v.concrete for v in expr0[0]) and expr1_v.concrete:
                     vs = {
                         (claripy.LShR(v, expr1_v.concrete_value) if v.concrete else self.state.top(bits))
                         for v in expr0[0]
@@ -877,7 +874,7 @@ class SimEngineRDAIL(
         elif expr0_v is None and expr1_v is not None:
             # each value in expr0 << expr1_v
             if expr0.count() == 1 and 0 in expr0:
-                if all(v.concrete for v in expr0[0]):
+                if all(v.concrete for v in expr0[0]) and expr1_v.concrete:
                     vs = {((v << expr1_v.concrete_value) if v.concrete else self.state.top(bits)) for v in expr0[0]}
                     r = MultiValues(offset_to_values={0: vs})
         elif expr0_v is not None and expr1_v is None:

angr/analyses/reaching_definitions/engine_vex.py

@@ -147,11 +147,11 @@ class SimEngineRDVEX(
                 if self.state.is_heap_address(d):
                     heap_offset = self.state.get_heap_offset(d)
                     if heap_offset is not None:
-                        self.state.add_heap_use(heap_offset, 1, "Iend_BE")
+                        self.state.add_heap_use(heap_offset, 1)
                 elif self.state.is_stack_address(d):
                     stack_offset = self.state.get_stack_offset(d)
                     if stack_offset is not None:
-                        self.state.add_stack_use(stack_offset, 1, "Iend_BE")
+                        self.state.add_stack_use(stack_offset, 1)
 
         if self.state.exit_observed and reg_offset == self.arch.sp_offset:
             return
@@ -989,6 +989,34 @@ class SimEngineRDVEX(
                 return MultiValues(claripy.BVV(0, 1))
         return MultiValues(self.state.top(1))
 
+    def _handle_CmpGT(self, expr):
+        arg0, arg1 = expr.args
+        expr_0 = self._expr(arg0)
+        expr_1 = self._expr(arg1)
+
+        e0 = expr_0.one_value()
+        e1 = expr_1.one_value()
+        if e0 is not None and e1 is not None:
+            if not e0.symbolic and not e1.symbolic:
+                return MultiValues(claripy.BVV(1, 1) if e0.concrete_value > e1.concrete_value else claripy.BVV(0, 1))
+            elif e0 is e1:
+                return MultiValues(claripy.BVV(0, 1))
+        return MultiValues(self.state.top(1))
+
+    def _handle_CmpGE(self, expr):
+        arg0, arg1 = expr.args
+        expr_0 = self._expr(arg0)
+        expr_1 = self._expr(arg1)
+
+        e0 = expr_0.one_value()
+        e1 = expr_1.one_value()
+        if e0 is not None and e1 is not None:
+            if not e0.symbolic and not e1.symbolic:
+                return MultiValues(claripy.BVV(1, 1) if e0.concrete_value >= e1.concrete_value else claripy.BVV(0, 1))
+            elif e0 is e1:
+                return MultiValues(claripy.BVV(0, 1))
+        return MultiValues(self.state.top(1))
+
     # ppc only
     def _handle_CmpORD(self, expr):
         arg0, arg1 = expr.args
@@ -1001,6 +1029,8 @@ class SimEngineRDVEX(
 
         if e0 is not None and e1 is not None:
             if not e0.symbolic and not e1.symbolic:
+                e0 = e0.concrete_value
+                e1 = e1.concrete_value
                 if e0 < e1:
                     return MultiValues(claripy.BVV(0x8, bits))
                 elif e0 > e1:

angr/analyses/reaching_definitions/function_handler.py

@@ -409,7 +409,7 @@ class FunctionHandler:
         # translate all the dep atoms into dep defns
         for effect in data.effects:
             if effect.sources_defns is None and effect.sources:
-                effect.sources_defns = set().union(*(set(state.get_definitions(atom)) for atom in effect.sources))
+                effect.sources_defns = set().union(*(state.get_definitions(atom) for atom in effect.sources))
                 if not effect.sources_defns:
                     effect.sources_defns = {Definition(atom, ExternalCodeLocation()) for atom in effect.sources}
                 other_input_defns |= effect.sources_defns - all_args_defns

angr/analyses/reaching_definitions/rd_initializer.py

@@ -63,7 +63,7 @@ class RDAStateInitializer:
         self.initialize_architectural_state(state, func_addr, ex_loc, rtoc_value)
 
         if state.analysis is not None:
-            state.analysis.model.complete_loc()
+            state.analysis.model.make_liveness_snapshot()
 
     def initialize_all_function_arguments(
         self,
@@ -147,7 +147,7 @@ class RDAStateInitializer:
             rtoc_def = Definition(rtoc_atom, ex_loc, tags={InitialValueTag()})
             state.all_definitions.add(rtoc_def)
             if state.analysis is not None:
-                state.analysis.model.add_def(rtoc_def, ex_loc)
+                state.analysis.model.add_def(rtoc_def)
             rtoc = state.annotate_with_def(claripy.BVV(rtoc_value, self.arch.bits), rtoc_def)
             state.registers.store(offset, rtoc)
         elif self.arch.name.startswith("MIPS64"):
@@ -156,7 +156,7 @@ class RDAStateInitializer:
             t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
             state.all_definitions.add(t9_def)
             if state.analysis is not None:
-                state.analysis.model.add_def(t9_def, ex_loc)
+                state.analysis.model.add_def(t9_def)
             t9 = state.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
             state.registers.store(offset, t9)
         elif self.arch.name.startswith("MIPS"):
@@ -167,7 +167,7 @@ class RDAStateInitializer:
             t9_def = Definition(t9_atom, ex_loc, tags={InitialValueTag()})
             state.all_definitions.add(t9_def)
             if state.analysis is not None:
-                state.analysis.model.add_def(t9_def, ex_loc)
+                state.analysis.model.add_def(t9_def)
             t9 = state.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
             state.registers.store(t9_offset, t9)
 
@@ -185,7 +185,7 @@ class RDAStateInitializer:
         reg_def = Definition(reg_atom, ex_loc, tags={ParameterTag(function=func_addr)})
         state.all_definitions.add(reg_def)
         if state.analysis is not None:
-            state.analysis.model.add_def(reg_def, ex_loc)
+            state.analysis.model.add_def(reg_def)
         if value is None:
             value = state.top(self.arch.bits)
         reg = state.annotate_with_def(value, reg_def)
@@ -198,7 +198,7 @@ class RDAStateInitializer:
         ml_def = Definition(ml_atom, ex_loc, tags={ParameterTag(function=func_addr)})
         state.all_definitions.add(ml_def)
         if state.analysis is not None:
-            state.analysis.model.add_def(ml_def, ex_loc)
+            state.analysis.model.add_def(ml_def)
         ml = state.annotate_with_def(state.top(self.arch.bits), ml_def)
         stack_address = state.get_stack_address(state.stack_address(arg.stack_offset))
         state.stack.store(stack_address, ml, endness=self.arch.memory_endness)

angr/analyses/reaching_definitions/rd_state.py

@@ -328,7 +328,7 @@ class ReachingDefinitionsState:
         Overwrite existing definitions w.r.t 'atom' with a dummy definition instance. A dummy definition will not be
         removed during simplification.
         """
-        existing_defs = set(self.live_definitions.get_definitions(atom))
+        existing_defs = self.live_definitions.get_definitions(atom)
 
         self.live_definitions.kill_definitions(atom)
 
@@ -347,7 +347,7 @@ class ReachingDefinitionsState:
         override_codeloc: Optional[CodeLocation] = None,
     ) -> Tuple[Optional[MultiValues], Set[Definition]]:
         codeloc = override_codeloc or self.codeloc
-        existing_defs = set(self.live_definitions.get_definitions(atom))
+        existing_defs = self.live_definitions.get_definitions(atom)
         mv = self.live_definitions.kill_and_add_definition(
             atom, codeloc, data, dummy=dummy, tags=tags, endness=endness, annotated=annotated
         )
@@ -417,7 +417,7 @@ class ReachingDefinitionsState:
         for def_ in existing_defs:
             self.analysis.model.kill_def(def_)
         for def_ in defs:
-            self.analysis.model.add_def(def_, codeloc)
+            self.analysis.model.add_def(def_)
 
         return mv, defs
 
@@ -450,8 +450,8 @@ class ReachingDefinitionsState:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_register_use_by_def(definition, self.codeloc, expr=expr)
 
-    def add_stack_use(self, stack_offset: int, size: int, endness, expr: Optional[Any] = None) -> None:
-        defs = self.live_definitions.get_stack_definitions(stack_offset, size, endness)
+    def add_stack_use(self, stack_offset: int, size: int, expr: Optional[Any] = None) -> None:
+        defs = self.live_definitions.get_stack_definitions(stack_offset, size)
         self.add_stack_use_by_defs(defs, expr=expr)
 
     def add_stack_use_by_defs(self, defs: Iterable[Definition], expr: Optional[Any] = None):
@@ -459,8 +459,8 @@ class ReachingDefinitionsState:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_stack_use_by_def(definition, self.codeloc, expr=expr)
 
-    def add_heap_use(self, heap_offset: int, size: int, endness, expr: Optional[Any] = None) -> None:
-        defs = self.live_definitions.get_heap_definitions(heap_offset, size, endness)
+    def add_heap_use(self, heap_offset: int, size: int, expr: Optional[Any] = None) -> None:
+        defs = self.live_definitions.get_heap_definitions(heap_offset, size)
         self.add_heap_use_by_defs(defs, expr=expr)
 
     def add_heap_use_by_defs(self, defs: Iterable[Definition], expr: Optional[Any] = None):
@@ -477,10 +477,8 @@ class ReachingDefinitionsState:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def get_definitions(
-        self, atom: Union[Atom, Definition, Iterable[Atom], Iterable[Definition]]
-    ) -> Iterable[Definition]:
-        yield from self.live_definitions.get_definitions(atom)
+    def get_definitions(self, atom: Union[Atom, Definition, Iterable[Atom], Iterable[Definition]]) -> Set[Definition]:
+        return self.live_definitions.get_definitions(atom)
 
     def get_values(self, spec: Union[Atom, Definition, Iterable[Atom]]) -> Optional[MultiValues]:
         return self.live_definitions.get_values(spec)

angr/analyses/typehoon/typevars.py

@@ -1,9 +1,7 @@
 # pylint:disable=missing-class-docstring
-from typing import Dict, Any, Optional, TYPE_CHECKING
+from typing import Dict, Any, Optional, Set, TYPE_CHECKING
 from itertools import count
 
-from ...utils.cowdict import ChainMapCOW
-
 if TYPE_CHECKING:
     from angr.sim_variable import SimVariable
 
@@ -340,25 +338,20 @@ class DerivedTypeVariable(TypeVariable):
 
 
 class TypeVariables:
-    __slots__ = ("_typevars",)
+    __slots__ = (
+        "_typevars",
+        "_last_typevars",
+    )
 
     def __init__(self):
-        self._typevars: Dict["SimVariable", TypeVariable] = ChainMapCOW(collapse_threshold=25)
-
-    def merge(self, tvs):
-        merged = TypeVariables()
-
-        # TODO: Replace this with a real lattice-based merging
-        merged._typevars = self._typevars.copy()
-        if tvs._typevars:
-            merged._typevars = merged._typevars.clean()
-            merged._typevars.update(tvs._typevars)
-
-        return merged
+        self._typevars: Dict["SimVariable", Set[TypeVariable]] = {}
+        self._last_typevars: Dict[SimVariable, TypeVariable] = {}
 
     def copy(self):
         copied = TypeVariables()
-        copied._typevars = self._typevars.copy()
+        for var, typevars in self._typevars.items():
+            copied._typevars[var] = typevars.copy()
+        copied._last_typevars = self._last_typevars.copy()
         return copied
 
     def __repr__(self):
@@ -369,27 +362,24 @@ class TypeVariables:
         return "{TypeVars: %d items}" % len(self._typevars)
 
     def add_type_variable(self, var: "SimVariable", codeloc, typevar: TypeVariable):  # pylint:disable=unused-argument
-        # if var not in self._typevars:
-        #    self._typevars[var] = { }
-
-        # assert codeloc not in self._typevars[var]
-        # self._typevars[var][codeloc] = typevar
-        self._typevars = self._typevars.clean()
-        self._typevars[var] = typevar
+        if var not in self._typevars:
+            self._typevars[var] = set()
+        elif typevar in self._typevars[var]:
+            return
+        self._typevars[var].add(typevar)
+        self._last_typevars[var] = typevar
 
     def get_type_variable(self, var, codeloc):  # pylint:disable=unused-argument
-        return self._typevars[var]  # [codeloc]
+        return self._last_typevars[var]
 
     def has_type_variable_for(self, var: "SimVariable", codeloc):  # pylint:disable=unused-argument
-        if var not in self._typevars:
-            return False
-        return True
+        return var in self._typevars
         # if codeloc not in self._typevars[var]:
         #     return False
         # return True
 
     def __getitem__(self, var):
-        return self._typevars[var]
+        return self._last_typevars[var]
 
     def __contains__(self, var):
         return var in self._typevars

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -1,5 +1,5 @@
 # pylint:disable=wrong-import-position,wrong-import-order
-from typing import Optional, List, Tuple, Union
+from typing import Optional, List, Tuple, Union, DefaultDict, Set
 import logging
 from collections import defaultdict
 
@@ -17,7 +17,7 @@ from ...knowledge_plugins import Function
 from ...sim_variable import SimStackVariable, SimRegisterVariable, SimVariable, SimMemoryVariable
 from ...engines.vex.claripy.irop import vexop_to_simop
 from angr.analyses import ForwardAnalysis, visitors
-from ..typehoon.typevars import Equivalence, TypeVariable
+from ..typehoon.typevars import Equivalence, TypeVariable, TypeVariables
 from .variable_recovery_base import VariableRecoveryBase, VariableRecoveryStateBase
 from .engine_vex import SimEngineVRVEX
 from .engine_ail import SimEngineVRAIL
@@ -86,9 +86,9 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             stack_region=self.stack_region.copy(),
             register_region=self.register_region.copy(),
             global_region=self.global_region.copy(),
-            typevars=self.typevars.copy(),
-            type_constraints=self.type_constraints.copy(),
-            delayed_type_constraints=self.delayed_type_constraints.copy(),
+            typevars=self.typevars,
+            type_constraints=self.type_constraints,
+            delayed_type_constraints=self.delayed_type_constraints,
             stack_offset_typevars=dict(self.stack_offset_typevars),
             project=self.project,
             ret_val_size=self.ret_val_size,
@@ -125,26 +125,17 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
         merged_global_region.set_state(self)
         merge_occurred |= merged_global_region.merge([other.global_region for other in others], None)
 
-        merged_typevars = self.typevars
-        merged_typeconstraints = self.type_constraints.copy()
-        delayed_typeconstraints = self.delayed_type_constraints.copy().clean()
-        for other in others:
-            merged_typevars = merged_typevars.merge(other.typevars)
-            merged_typeconstraints |= other.type_constraints
-            for v, cons in other.delayed_type_constraints.items():
-                delayed_typeconstraints[v] |= cons
-
-        merge_occurred |= self.typevars != merged_typevars
-        merge_occurred |= self.type_constraints != merged_typeconstraints
-        merge_occurred |= self.delayed_type_constraints != delayed_typeconstraints
+        typevars = self.typevars
+        type_constraints = self.type_constraints
+        delayed_typeconstraints = self.delayed_type_constraints
 
         # add subtype constraints for all replacements
         for v0, v1 in self.phi_variables.items():
             # v0 will be replaced by v1
-            if not merged_typevars.has_type_variable_for(v1, None):
-                merged_typevars.add_type_variable(v1, None, TypeVariable())
-            if not merged_typevars.has_type_variable_for(v0, None):
-                merged_typevars.add_type_variable(v0, None, TypeVariable())
+            if not typevars.has_type_variable_for(v1, None):
+                typevars.add_type_variable(v1, None, TypeVariable())
+            if not typevars.has_type_variable_for(v0, None):
+                typevars.add_type_variable(v0, None, TypeVariable())
             # Assuming v2 = phi(v0, v1), then we know that v0_typevar == v1_typevar == v2_typevar
             # However, it's possible that neither v0 nor v1 will ever be used in future blocks, which not only makes
             # this phi function useless, but also leads to the incorrect assumption that v1_typevar == v2_typevar.
@@ -152,9 +143,7 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             # when v1 (the new variable that will end up in the state) is ever used in the future.
 
             # create an equivalence relationship
-            equivalence = Equivalence(
-                merged_typevars.get_type_variable(v1, None), merged_typevars.get_type_variable(v0, None)
-            )
+            equivalence = Equivalence(typevars.get_type_variable(v1, None), typevars.get_type_variable(v0, None))
             delayed_typeconstraints[v1].add(equivalence)
 
         stack_offset_typevars = {}
@@ -173,7 +162,7 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             else:
                 typevar = TypeVariable()
                 for orig_typevar in all_typevars:
-                    merged_typeconstraints.add(Equivalence(orig_typevar, typevar))
+                    type_constraints.add(Equivalence(orig_typevar, typevar))
             stack_offset_typevars[offset] = typevar
 
         ret_val_size = self.ret_val_size
@@ -195,8 +184,8 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
             stack_region=merged_stack_region,
             register_region=merged_register_region,
             global_region=merged_global_region,
-            typevars=merged_typevars,
-            type_constraints=merged_typeconstraints,
+            typevars=typevars,
+            type_constraints=type_constraints,
             delayed_type_constraints=delayed_typeconstraints,
             stack_offset_typevars=stack_offset_typevars,
             project=self.project,
@@ -205,6 +194,9 @@ class VariableRecoveryFastState(VariableRecoveryStateBase):
 
         return state, merge_occurred
 
+    def downsize(self) -> None:
+        pass
+
     #
     # Util methods
     #
@@ -277,8 +269,10 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self._node_iterations = defaultdict(int)
 
         self._node_to_cc = {}
-        self.var_to_typevars = defaultdict(set)
+        self.var_to_typevars: DefaultDict[SimVariable, Set[TypeVariable]] = defaultdict(set)
+        self.typevars = None
         self.type_constraints = None
+        self.delayed_type_constraints = None
         self.ret_val_size = None
 
         self._analyze()
@@ -293,7 +287,9 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
     #
 
     def _pre_analysis(self):
+        self.typevars = TypeVariables()
         self.type_constraints = set()
+        self.delayed_type_constraints = defaultdict(set)
 
         self.initialize_dominance_frontiers()
 
@@ -321,6 +317,9 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
             self.project.arch,
             self.function,
             project=self.project,
+            typevars=self.typevars,
+            type_constraints=self.type_constraints,
+            delayed_type_constraints=self.delayed_type_constraints,
         )
         initial_sp = state.stack_address(self.project.arch.bytes if self.project.arch.call_pushes_ret else 0)
         if self.project.arch.sp_offset is not None:
@@ -434,9 +433,6 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self._process_block(state, block)
 
         self._node_iterations[block_key] += 1
-        self.type_constraints |= state.type_constraints
-        for var, typevar in state.typevars._typevars.items():
-            self.var_to_typevars[var].add(typevar)
 
         if state.ret_val_size is not None:
             if self.ret_val_size is None or self.ret_val_size < state.ret_val_size:
@@ -467,6 +463,10 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         if self._unify_variables:
             self.variable_manager[self.function.addr].unify_variables()
 
+        # fill in var_to_typevars
+        for var, typevar_set in self.typevars._typevars.items():
+            self.var_to_typevars[var] = typevar_set
+
         # unify type variables for global variables
         for var, typevars in self.var_to_typevars.items():
             if len(typevars) > 1 and isinstance(var, SimMemoryVariable) and not isinstance(var, SimStackVariable):
@@ -476,6 +476,8 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
 
         self.variable_manager[self.function.addr].ret_val_size = self.ret_val_size
 
+        self.delayed_type_constraints = None
+
     #
     # Private methods
     #

angr/engines/light/engine.py

@@ -547,7 +547,7 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         to_size = expr_1.size()
         if signed:
             quotient = expr_0.SDiv(claripy.SignExt(from_size - to_size, expr_1))
-            remainder = expr_1.SMod(claripy.SignExt(from_size - to_size, expr_1))
+            remainder = expr_0.SMod(claripy.SignExt(from_size - to_size, expr_1))
             quotient_size = to_size
             remainder_size = to_size
             return claripy.Concat(

angr/keyed_region.py

@@ -1,6 +1,6 @@
 import logging
 import weakref
-from typing import Union, TYPE_CHECKING
+from typing import Union, Optional, Tuple, TYPE_CHECKING
 
 from sortedcontainers import SortedDict
 
@@ -133,7 +133,7 @@ class KeyedRegion:
         self._storage, om, self._phi_node_contains = s
         self._object_mapping = weakref.WeakValueDictionary(om)
 
-    def _get_container(self, offset):
+    def _get_container(self, offset) -> Tuple[int, Optional[RegionObject]]:
         try:
             base_offset = next(self._storage.irange(maximum=offset, reverse=True))
         except StopIteration:
@@ -419,7 +419,23 @@ class KeyedRegion:
 
         # is there a region item that begins before the start and overlaps with this variable?
         floor_key, floor_item = self._get_container(start)
-        if floor_item is not None and floor_key not in overlapping_items:
+        if floor_item is None:
+            # fast path: just insert it
+            self._storage[start] = RegionObject(start, object_size, {stored_object})
+            return
+
+        # fast path: if there is a perfect overlap, just update the item
+        if len(overlapping_items) == 1 and floor_item.start == start and floor_item.end == end:
+            if overwrite:
+                floor_item.set_object(stored_object)
+            elif merge_to_top is False and top is None:
+                floor_item.add_object(stored_object)
+            else:
+                self._add_object_with_check(floor_item, stored_object, merge_to_top=merge_to_top, top=top)
+            return
+
+        # slower path: there are multiple overlapping items
+        if floor_key not in overlapping_items:
             # insert it into the beginning
             overlapping_items.insert(0, floor_key)
 

angr/knowledge_plugins/functions/function.py

@@ -648,6 +648,14 @@ class Function(Serializable):
         """
         return self.binary.loader.find_symbol(self.addr)
 
+    @property
+    def pseudocode(self) -> str:
+        """
+        :return: the function's pseudocode
+        """
+        dec = self.project.analyses.Decompiler(self, cfg=self._function_manager._kb.cfgs.get_most_accurate())
+        return dec.codegen.text
+
     def add_jumpout_site(self, node):
         """
         Add a custom jumpout site.