angr 9.2.77__py3-none-win_amd64.whl → 9.2.79__py3-none-win_amd64.whl

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy_consolidation.py

@@ -0,0 +1,103 @@
+# pylint:disable=arguments-differ
+from typing import List, Tuple, Optional
+
+from ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset
+from ailment.statement import Call, Store
+
+from .base import PeepholeOptimizationMultiStmtBase
+from .inlined_strcpy import InlinedStrcpy
+
+
+class InlinedStrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
+    """
+    Consolidate multiple inlined strcpy calls.
+    """
+
+    __slots__ = ()
+
+    NAME = "Consolidate multiple inlined strcpy calls"
+    stmt_classes = ((Call, Call), (Call, Store))
+
+    def optimize(self, stmts: List[Call], **kwargs):
+        last_stmt, stmt = stmts
+        if InlinedStrcpyConsolidation._is_inlined_strcpy(last_stmt):
+            s_last: bytes = self.kb.custom_strings[last_stmt.args[1].value]
+            addr_last = last_stmt.args[0]
+            new_str = None  # will be set if consolidation should happen
+
+            if isinstance(stmt, Call) and InlinedStrcpyConsolidation._is_inlined_strcpy(stmt):
+                # consolidating two calls
+                s_curr: bytes = self.kb.custom_strings[stmt.args[1].value]
+                addr_curr = stmt.args[0]
+                # determine if the two addresses are consecutive
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    # consolidate both calls!
+                    new_str = s_last + s_curr
+            elif isinstance(stmt, Store) and isinstance(stmt.data, Const):
+                # consolidating a call and a store, in case the store statement is storing the suffix of a string (but
+                # the suffix is too short to qualify an inlined strcpy optimization)
+                addr_curr = stmt.addr
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    if stmt.size == 1 and stmt.data.value == 0:
+                        # it's probably the terminating null byte
+                        r, s = True, "\x00"
+                    else:
+                        r, s = InlinedStrcpy.is_integer_likely_a_string(
+                            stmt.data.value, stmt.size, stmt.endness, min_length=1
+                        )
+                    if r:
+                        new_str = s_last + s.encode("ascii")
+
+            if new_str is not None:
+                if new_str.endswith(b"\x00"):
+                    call_name = "strcpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str[:-1])
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True),
+                    ]
+                else:
+                    call_name = "strncpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str)
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True),
+                        Const(None, None, len(new_str), self.project.arch.bits),
+                    ]
+
+                return [Call(stmt.idx, call_name, args=args, **stmt.tags)]
+
+        return None
+
+    @staticmethod
+    def _is_inlined_strcpy(stmt: Call):
+        if isinstance(stmt.target, str) and stmt.target == "strncpy":
+            if len(stmt.args) == 3 and isinstance(stmt.args[1], Const) and hasattr(stmt.args[1], "custom_string"):
+                return True
+        return False
+
+    @staticmethod
+    def _parse_addr(addr: Expression) -> Tuple[Expression, int]:
+        if isinstance(addr, Register):
+            return addr, 0
+        if isinstance(addr, StackBaseOffset):
+            return StackBaseOffset(None, addr.bits, 0), addr.offset
+        if isinstance(addr, BinaryOp):
+            if addr.op == "Add" and isinstance(addr.operands[1], Const):
+                base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 + addr.operands[1].value
+            if addr.op == "Sub" and isinstance(addr.operands[1], Const):
+                base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 - addr.operands[1].value
+
+        return addr, 0
+
+    @staticmethod
+    def _get_delta(addr_0: Expression, addr_1: Expression) -> Optional[int]:
+        base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr_0)
+        base_1, offset_1 = InlinedStrcpyConsolidation._parse_addr(addr_1)
+        if base_0.likes(base_1):
+            return offset_1 - offset_0
+        return None

angr/analyses/decompiler/structured_codegen/c.py

@@ -2037,11 +2037,22 @@ class CConstant(CExpression):
                     return
                 yield hex(self.reference_values[self._type]), self
             elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeChar):
-                refval = self.reference_values[self._type]  # angr.knowledge_plugin.cfg.MemoryData
-                yield CConstant.str_to_c_str(refval.content.decode("utf-8")), self
+                refval = self.reference_values[self._type]
+                if isinstance(refval, MemoryData):
+                    v = refval.content.decode("utf-8")
+                else:
+                    # it's a string
+                    assert isinstance(v, str)
+                    v = refval
+                yield CConstant.str_to_c_str(v), self
             elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
-                refval = self.reference_values[self._type]  # angr.knowledge_plugin.cfg.MemoryData
-                yield CConstant.str_to_c_str(refval.content.decode("utf_16_le"), prefix="L"), self
+                refval = self.reference_values[self._type]
+                if isinstance(refval, MemoryData):
+                    v = refval.content.decode("utf_16_le")
+                else:
+                    # it's a string
+                    v = refval
+                yield CConstant.str_to_c_str(v, prefix="L"), self
             else:
                 if isinstance(self.reference_values[self._type], int):
                     yield self.fmt_int(self.reference_values[self._type]), self
@@ -3199,6 +3210,11 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         inline_string = False
         function_pointer = False
 
+        if reference_values is None and hasattr(expr, "reference_values"):
+            reference_values = expr.reference_values.copy()
+            if reference_values:
+                type_ = next(iter(reference_values))
+
         if reference_values is None:
             reference_values = {}
             type_ = unpack_typeref(type_)

angr/analyses/decompiler/utils.py

@@ -1,9 +1,14 @@
-# pylint:disable=wrong-import-position
-from typing import Optional, Tuple, Any, Union, List
+import pathlib
+from typing import Optional, Tuple, Any, Union, List, Iterable
+import logging
 
 import networkx
+from rich.progress import track
 
 import ailment
+import angr
+
+_l = logging.getLogger(__name__)
 
 
 def remove_last_statement(node):
@@ -533,6 +538,127 @@ def peephole_optimize_stmts(block, stmt_opts):
     return statements, any_update
 
 
+def match_stmt_classes(all_stmts: List, idx: int, stmt_class_seq: Iterable[type]) -> bool:
+    for i, cls in enumerate(stmt_class_seq):
+        if idx + i >= len(all_stmts):
+            return False
+        if not isinstance(all_stmts[idx + i], cls):
+            return False
+    return True
+
+
+def peephole_optimize_multistmts(block, stmt_opts):
+    any_update = False
+    statements = block.statements[::]
+
+    # run multi-statement optimizers
+    stmt_idx = 0
+    while stmt_idx < len(statements):
+        redo = True
+        while redo and stmt_idx < len(statements):
+            redo = False
+            for opt in stmt_opts:
+                matched = False
+                stmt_seq_len = None
+                for stmt_class_seq in opt.stmt_classes:
+                    if match_stmt_classes(statements, stmt_idx, stmt_class_seq):
+                        stmt_seq_len = len(stmt_class_seq)
+                        matched = True
+                        break
+
+                if matched:
+                    matched_stmts = statements[stmt_idx : stmt_idx + stmt_seq_len]
+                    r = opt.optimize(matched_stmts, stmt_idx=stmt_idx, block=block)
+                    if r is not None:
+                        # update statements
+                        statements = statements[:stmt_idx] + r + statements[stmt_idx + stmt_seq_len :]
+                        any_update = True
+                        redo = True
+                        break
+
+        # move on to the next statement
+        stmt_idx += 1
+
+    return statements, any_update
+
+
+def decompile_functions(path, functions=None, structurer=None, catch_errors=True) -> Optional[str]:
+    """
+    Decompile a binary into a set of functions.
+
+    :param path:            The path to the binary to decompile.
+    :param functions:       The functions to decompile. If None, all functions will be decompiled.
+    :param structurer:      The structuring algorithms to use.
+    :param catch_errors:    The structuring algorithms to use.
+    :return:                The decompilation of all functions appended in order.
+    """
+    # delayed imports to avoid circular imports
+    from angr.analyses.decompiler.decompilation_options import PARAM_TO_OPTION
+
+    structurer = structurer or "phoenix"
+    path = pathlib.Path(path).resolve().absolute()
+    proj = angr.Project(path, auto_load_libs=False)
+    cfg = proj.analyses.CFG(normalize=True, data_references=True)
+    proj.analyses.CompleteCallingConventions(recover_variables=True, analyze_callsites=True)
+
+    # collect all functions when None are provided
+    if functions is None:
+        functions = cfg.functions.values()
+
+    # normalize the functions that could be ints as names
+    normalized_functions = []
+    for func in functions:
+        try:
+            normalized_name = int(func, 0)
+        except ValueError:
+            normalized_name = func
+        normalized_functions.append(normalized_name)
+    functions = normalized_functions
+
+    # verify that all functions exist
+    for func in functions:
+        if func not in cfg.functions:
+            raise ValueError(f"Function {func} does not exist in the CFG.")
+
+    # decompile all functions
+    decompilation = ""
+    dec_options = [
+        (PARAM_TO_OPTION["structurer_cls"], structurer),
+    ]
+    for func in track(functions, description="Decompiling functions", transient=True):
+        f = cfg.functions[func]
+        if f is None or f.is_plt:
+            continue
+
+        exception_string = ""
+        if not catch_errors:
+            dec = proj.analyses.Decompiler(f, cfg=cfg, options=dec_options)
+        else:
+            try:
+                # TODO: add a timeout
+                dec = proj.analyses.Decompiler(f, cfg=cfg, options=dec_options)
+            except Exception as e:
+                exception_string = str(e).replace("\n", " ")
+                dec = None
+
+        # do sanity checks on decompilation, skip checks if we already errored
+        if not exception_string:
+            if dec is None or not dec.codegen or not dec.codegen.text:
+                exception_string = "Decompilation had no code output (failed in Dec)"
+            elif "{\n}" in dec.codegen.text:
+                exception_string = "Decompilation outputted an empty function (failed in structuring)"
+            elif structurer in ["dream", "combing"] and "goto" in dec.codegen.text:
+                exception_string = "Decompilation outputted a goto for a Gotoless algorithm (failed in structuring)"
+
+        if exception_string:
+            _l.critical("Failed to decompile %s because %s", str(func), exception_string)
+            decompilation += f"// [error: {func} | {exception_string}]\n"
+        else:
+            decompilation += dec.codegen.text + "\n"
+
+    return decompilation
+
+
 # delayed import
 from .structuring.structurer_nodes import (
     MultiNode,

angr/analyses/disassembly.py

@@ -219,6 +219,14 @@ class Instruction(DisassemblyPiece):
         for operand in dummy_operands:
             opr_pieces = self.split_op_string(operand)
             cur_operand = []
+
+            if not (operand and opr_pieces):
+                # opr_pieces may contain empty string when invalid disasm
+                # result is generated by capstone
+                l.error(f'Failed to parse insn "{self.insn}". Please report.')
+                self.operands.clear()
+                break
+
             if opr_pieces[0][0].isalpha() and opr_pieces[0] in self.arch.registers:
                 cur_operand.append(Register(opr_pieces[0]))
                 # handle register's suffix (e.g. "sp!", "d0[1]", "v0.16b")
@@ -269,7 +277,6 @@ class Instruction(DisassemblyPiece):
 
         if len(self.operands) == 0 and len(self.insn.operands) != 0:
             l.error("Operand parsing failed for instruction %s at address %x", str(self.insn), self.insn.address)
-            self.operands = []
             return
 
     @staticmethod

angr/analyses/propagator/engine_ail.py

@@ -302,8 +302,15 @@ class SimEnginePropagatorAIL(
                             if 0 in current_reg_value.offset_and_details:
                                 detail = current_reg_value.offset_and_details[0]
                                 if detail.def_at == def_at:
-                                    l.debug("Add a replacement: %s with %s", expr, reg_atom)
-                                    self.state.add_replacement(self._codeloc(), expr, reg_atom)
+                                    outdated = False
+                                    outdated_, has_avoid_ = self.is_using_outdated_def(
+                                        detail.expr, detail.def_at, self._codeloc(), avoid=expr
+                                    )
+                                    if outdated_ or has_avoid_:
+                                        outdated = True
+                                    if not outdated:
+                                        l.debug("Add a replacement: %s with %s", expr, reg_atom)
+                                        self.state.add_replacement(self._codeloc(), expr, reg_atom)
                                     top = self.state.top(expr.size * self.arch.byte_width)
                                     return PropValue.from_value_and_details(top, expr.size, expr, self._codeloc())
 

angr/analyses/proximity_graph.py

@@ -180,6 +180,33 @@ class ProximityGraphAnalysis(Analysis):
 
         self._work()
 
+    def _condense_blank_nodes(self, graph: networkx.DiGraph) -> None:
+        nodes = list(graph.nodes)
+        blank_nodes: List[BaseProxiNode] = []
+
+        for node in nodes:
+            if isinstance(node, BaseProxiNode) and node.type_ == ProxiNodeTypes.Empty:
+                blank_nodes.append(node)
+            else:
+                if blank_nodes:
+                    self._merge_nodes(graph, blank_nodes)
+                    blank_nodes = []
+
+        if blank_nodes:
+            self._merge_nodes(graph, blank_nodes)
+
+    def _merge_nodes(self, graph: networkx.DiGraph, nodes: List[BaseProxiNode]) -> None:
+        for node in nodes:
+            predecessors = set(graph.predecessors(node))
+            successors = set(graph.successors(node))
+
+            for pred in predecessors:
+                for succ in successors:
+                    edge_data = graph.get_edge_data(pred, node) or {}
+                    graph.add_edge(pred, succ, **edge_data)
+
+            graph.remove_node(node)
+
     def _work(self):
         self.graph = networkx.DiGraph()
 
@@ -210,6 +237,9 @@ class ProximityGraphAnalysis(Analysis):
             self.graph.add_nodes_from(subgraph.nodes())
             self.graph.add_edges_from(subgraph.edges())
 
+        # condense blank nodes after the graph has been constructed
+        self._condense_blank_nodes(self.graph)
+
     def _endnode_connector(self, func: "Function", subgraph: networkx.DiGraph):
         """
         Properly connect expanded function call's to proximity graph.

angr/analyses/variable_recovery/engine_ail.py

@@ -124,7 +124,7 @@ class SimEngineVRAIL(
             prototype = stmt.prototype
         elif isinstance(stmt.target, ailment.Expr.Const):
             func_addr = stmt.target.value
-            if func_addr in self.kb.functions:
+            if isinstance(func_addr, self.kb.functions.address_types) and func_addr in self.kb.functions:
                 func = self.kb.functions[func_addr]
                 prototype = func.prototype
 

angr/analyses/variable_recovery/engine_vex.py

@@ -179,7 +179,16 @@ class SimEngineVRVEX(
         if func.prototype is None or func.calling_convention is None:
             return
 
-        for arg_loc in func.calling_convention.arg_locs(func.prototype):
+        try:
+            arg_locs = func.calling_convention.arg_locs(func.prototype)
+        except (TypeError, ValueError):
+            func.prototype = None
+            return
+
+        if None in arg_locs:
+            return
+
+        for arg_loc in arg_locs:
             for loc in arg_loc.get_footprint():
                 if isinstance(loc, SimRegArg):
                     self._read_from_register(self.arch.registers[loc.reg_name][0] + loc.reg_offset, loc.size)

angr/blade.py

@@ -1,3 +1,4 @@
+# pylint:disable=unnecessary-dunder-call
 import itertools
 
 import networkx
@@ -10,6 +11,12 @@ from .utils.constants import DEFAULT_STATEMENT
 from .slicer import SimSlicer
 
 
+class BadJumpkindNotification(Exception):
+    """
+    Notifies the caller that the jumpkind is bad (e.g., Ijk_NoDecode)
+    """
+
+
 class Blade:
     """
     Blade is a light-weight program slicer that works with networkx DiGraph containing CFGNodes.
@@ -177,6 +184,8 @@ class Blade:
                 irsb = self.project.factory.block(
                     v, cross_insn_opt=self._cross_insn_opt, backup_state=self._base_state
                 ).vex
+                if irsb.jumpkind == "Ijk_NoDecode":
+                    raise BadJumpkindNotification()
                 self._run_cache[v] = irsb
                 return irsb
             else:
@@ -248,7 +257,7 @@ class Blade:
         # Retrieve the target: are we slicing from a register(IRStmt.Put), or a temp(IRStmt.WrTmp)?
         try:
             stmts = self._get_irsb(self._dst_run).statements
-        except SimTranslationError:
+        except (SimTranslationError, BadJumpkindNotification):
             return
 
         if self._dst_stmt_idx != -1:
@@ -337,7 +346,10 @@ class Blade:
         regs = regs.copy()
 
         irsb_addr = self._get_addr(run)
-        stmts = self._get_irsb(run).statements
+        try:
+            stmts = self._get_irsb(run).statements
+        except (SimTranslationError, BadJumpkindNotification):
+            return
 
         if exit_stmt_idx is None or exit_stmt_idx == DEFAULT_STATEMENT:
             # Initialize the temps set with whatever in the `next` attribute of this irsb

angr/block.py

@@ -427,6 +427,10 @@ class Block(Serializable):
 
     @property
     def instruction_addrs(self):
+        if self.size == 0:
+            # hooks and other pseudo-functions
+            return []
+
         if not self._instruction_addrs and self._vex is None:
             # initialize instruction addrs
             _ = self.vex

angr/knowledge_plugins/__init__.py

@@ -15,3 +15,4 @@ from .propagations import PropagationManager
 from .structured_code import StructuredCodeManager
 from .types import TypesStore
 from .callsite_prototypes import CallsitePrototypes
+from .custom_strings import CustomStrings

angr/knowledge_plugins/custom_strings.py

@@ -0,0 +1,40 @@
+from typing import Dict
+
+from .plugin import KnowledgeBasePlugin
+
+
+class CustomStrings(KnowledgeBasePlugin):
+    """
+    Store new strings that are recovered during various analysis. Each string has a unique ID associated.
+    """
+
+    def __init__(self, kb):
+        super().__init__()
+        self._kb = kb
+
+        self.string_id = 0
+        self.strings: Dict[int, bytes] = {}
+
+    def allocate(self, s: bytes) -> int:
+        # de-duplication
+        # TODO: Use a reverse map if this becomes a bottle-neck in the future
+        for idx, string in self.strings.items():
+            if string == s:
+                return idx
+
+        string_id = self.string_id
+        self.strings[string_id] = s
+        self.string_id += 1
+        return string_id
+
+    def __getitem__(self, idx):
+        return self.strings[idx]
+
+    def copy(self):
+        o = CustomStrings(self._kb)
+        o.strings = self.strings.copy()
+        o.string_id = self.string_id
+        return o
+
+
+KnowledgeBasePlugin.register_default("custom_strings", CustomStrings)

angr/knowledge_plugins/functions/function.py

@@ -1,7 +1,6 @@
 import os
 import logging
 import networkx
-import string
 import itertools
 from collections import defaultdict
 from typing import Union, Optional, Iterable, Set
@@ -14,6 +13,7 @@ from archinfo.arch_arm import get_real_address_if_arm
 import claripy
 
 from angr.block import Block
+from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort
 
 from ...codenode import CodeNode, BlockNode, HookNode, SyscallNode
 from ...serializable import Serializable
@@ -80,6 +80,7 @@ class Function(Serializable):
         "is_alignment",
         "is_prototype_guessed",
         "ran_cca",
+        "_cyclomatic_complexity",
     )
 
     def __init__(
@@ -161,6 +162,9 @@ class Function(Serializable):
         self.info = {}  # storing special information, like $gp values for MIPS32
         self.tags = ()  # store function tags. can be set manually by performing CodeTagging analysis.
 
+        # Initialize _cyclomatic_complexity to None
+        self._cyclomatic_complexity = None
+
         # TODO: Can we remove the following two members?
         # Register offsets of those arguments passed in registers
         self._argument_registers = []
@@ -302,6 +306,42 @@ class Function(Serializable):
             except (SimEngineError, SimMemoryError):
                 pass
 
+    @property
+    def cyclomatic_complexity(self):
+        """
+        The cyclomatic complexity of the function.
+
+        Cyclomatic complexity is a software metric used to indicate the complexity of a program.
+        It is a quantitative measure of the number of linearly independent paths through a program's source code.
+        It is computed using the formula: M = E - N + 2P, where
+        E = the number of edges in the graph,
+        N = the number of nodes in the graph,
+        P = the number of connected components.
+
+        The cyclomatic complexity value is lazily computed and cached for future use.
+        Initially this value is None until it is computed for the first time
+
+        :return: The cyclomatic complexity of the function.
+        :rtype: int
+        """
+        if self._cyclomatic_complexity is None:
+            self._cyclomatic_complexity = (
+                self.transition_graph.number_of_edges() - self.transition_graph.number_of_nodes() + 2
+            )
+        return self._cyclomatic_complexity
+
+    @property
+    def xrefs(self):
+        """
+        An iterator of all xrefs of the current function.
+
+        :return: angr.knowledge_plugins.xrefs.xref.XRef instances.
+        """
+        for block in self.blocks:
+            yield from self._function_manager._kb.xrefs.get_xrefs_by_ins_addr_region(
+                block.addr, block.addr + block.size
+            )
+
     @property
     def block_addrs(self):
         """
@@ -413,49 +453,28 @@ class Function(Serializable):
         """
         return FunctionParser.parse_from_cmsg(cmsg, **kwargs)
 
-    def string_references(self, minimum_length=2, vex_only=False):
+    def string_references(self, minimum_length=2):
         """
         All of the constant string references used by this function.
 
         :param minimum_length:  The minimum length of strings to find (default is 1)
-        :param vex_only:        Only analyze VEX IR, don't interpret the entry state to detect additional constants.
-        :return:                A list of tuples of (address, string) where is address is the location of the string in
-                                memory.
+        :return:                A generator yielding tuples of (address, string) where is address
+                                is the location of the string in memory.
         """
-        strings = []
-        memory = self._project.loader.memory
 
-        # get known instruction addresses and call targets
-        # these addresses cannot be string references, but show up frequently in the runtime values
-        known_executable_addresses = set()
-        for block in self.blocks:
-            known_executable_addresses.update(block.instruction_addrs)
-        for function in self._function_manager.values():
-            known_executable_addresses.update({x.addr for x in function.graph.nodes()})
-
-        # loop over all local runtime values and check if the value points to a printable string
-        for addr in self.local_runtime_values if not vex_only else self.code_constants:
-            if not isinstance(addr, claripy.fp.FPV) and addr in memory:
-                # check that the address isn't an pointing to known executable code
-                # and that it isn't an indirect pointer to known executable code
-                try:
-                    possible_pointer = memory.unpack_word(addr)
-                    if addr not in known_executable_addresses and possible_pointer not in known_executable_addresses:
-                        # build string
-                        stn = ""
-                        offset = 0
-                        current_char = chr(memory[addr + offset])
-                        while current_char in string.printable:
-                            stn += current_char
-                            offset += 1
-                            current_char = chr(memory[addr + offset])
-
-                        # check that the string was a null terminated string with minimum length
-                        if current_char == "\x00" and len(stn) >= minimum_length:
-                            strings.append((addr, stn))
-                except KeyError:
-                    pass
-        return strings
+        cfg = self._function_manager._kb.cfgs.get_most_accurate()
+
+        for x in self.xrefs:
+            try:
+                md = cfg.memory_data[x.dst]
+            except KeyError:
+                continue
+            if md.sort not in {MemoryDataSort.String, MemoryDataSort.UnicodeString}:
+                continue
+            if len(md.content) < minimum_length:
+                continue
+
+            yield (md.addr, md.content)
 
     @property
     def local_runtime_values(self):
@@ -574,6 +593,7 @@ class Function(Serializable):
         s += "  Alignment: %s\n" % (self.alignment)
         s += f"  Arguments: reg: {self._argument_registers}, stack: {self._argument_stack_variables}\n"
         s += "  Blocks: [%s]\n" % ", ".join(["%#x" % i for i in self.block_addrs])
+        s += "  Cyclomatic Complexity: %s\n" % self.cyclomatic_complexity
         s += "  Calling convention: %s" % self.calling_convention
         return s
 

angr/knowledge_plugins/key_definitions/live_definitions.py

@@ -74,7 +74,7 @@ class DefinitionAnnotation(Annotation):
                 and self.eliminatable == other.eliminatable
             )
         else:
-            raise ValueError("DefinitionAnnotation can only check equality with other DefinitionAnnotation")
+            return False
 
     def __repr__(self):
         return f"<{self.__class__.__name__}({repr(self.definition)})"