angr 9.2.83__py3-none-win_amd64.whl → 9.2.85__py3-none-win_amd64.whl

angr/analyses/decompiler/structured_codegen/c.py

@@ -2,10 +2,12 @@
 from typing import Optional, Dict, List, Tuple, Set, Any, Union, TYPE_CHECKING, Callable
 from collections import defaultdict
 import logging
+import struct
 from functools import reduce
 
 from ailment import Block, Expr, Stmt, Tmp
 from ailment.expression import StackBaseOffset, BinaryOp
+from unique_log_filter import UniqueLogFilter
 
 from ....sim_type import (
     SimTypeLongLong,
@@ -57,6 +59,8 @@ if TYPE_CHECKING:
 
 
 l = logging.getLogger(name=__name__)
+l.addFilter(UniqueLogFilter())
+
 
 INDENT_DELTA = 4
 
@@ -1177,6 +1181,7 @@ class CFunctionCall(CStatement, CExpression):
         "tags",
         "is_expr",
         "show_demangled_name",
+        "show_disambiguated_name",
     )
 
     def __init__(
@@ -1189,6 +1194,7 @@ class CFunctionCall(CStatement, CExpression):
         tags=None,
         is_expr: bool = False,
         show_demangled_name=True,
+        show_disambiguated_name: bool = True,
         **kwargs,
     ):
         super().__init__(**kwargs)
@@ -1201,6 +1207,7 @@ class CFunctionCall(CStatement, CExpression):
         self.tags = tags
         self.is_expr = is_expr
         self.show_demangled_name = show_demangled_name
+        self.show_disambiguated_name = show_disambiguated_name
 
     @property
     def prototype(self) -> Optional[SimTypeFunction]:  # TODO there should be a prototype for each callsite!
@@ -1216,6 +1223,23 @@ class CFunctionCall(CStatement, CExpression):
         else:
             raise RuntimeError("CFunctionCall.type should not be accessed if the function call is used as a statement.")
 
+    def _is_target_ambiguous(self, func_name: str) -> bool:
+        """
+        Check for call target name ambiguity.
+        """
+        caller, callee = self.codegen._func, self.callee_func
+
+        for var in self.codegen._variables_in_use.values():
+            if func_name == var.name:
+                return True
+
+        # FIXME: Handle name mangle
+        for func in self.codegen.kb.functions.get_by_name(callee.name):
+            if func is not callee and (caller.binary is not callee.binary or func.binary is callee.binary):
+                return True
+
+        return False
+
     def c_repr_chunks(self, indent=0, asexpr: bool = False):
         """
 
@@ -1235,6 +1259,8 @@ class CFunctionCall(CStatement, CExpression):
                 func_name = get_cpp_function_name(self.callee_func.demangled_name, specialized=False, qualified=True)
             else:
                 func_name = self.callee_func.name
+            if self.show_disambiguated_name and self._is_target_ambiguous(func_name):
+                func_name = self.callee_func.get_unambiguous_name(display_name=func_name)
             yield func_name, self
         else:
             yield from CExpression._try_c_repr_chunks(self.callee_target)
@@ -1443,15 +1469,19 @@ class CVariable(CExpression):
     def type(self):
         return self.variable_type
 
-    def c_repr_chunks(self, indent=0, asexpr=False):
+    @property
+    def name(self):
         v = self.variable if self.unified_variable is None else self.unified_variable
 
         if v.name:
-            yield v.name, self
+            return v.name
         elif isinstance(v, SimTemporaryVariable):
-            yield "tmp_%d" % v.tmp_id, self
+            return "tmp_%d" % v.tmp_id
         else:
-            yield str(v), self
+            return str(v)
+
+    def c_repr_chunks(self, indent=0, asexpr=False):
+        yield self.name, self
 
 
 class CIndexedVariable(CExpression):
@@ -1702,6 +1732,7 @@ class CBinaryOp(CExpression):
             # lowest precedence
             ["Concat"],
             ["LogicalOr"],
+            ["LogicalXor"],
             ["LogicalAnd"],
             ["Or"],
             ["Xor"],
@@ -1711,6 +1742,7 @@ class CBinaryOp(CExpression):
             ["Shl", "Shr", "Sar"],
             ["Add", "Sub"],
             ["Mul", "Div"],
+            ["SBorrow", "SCarry", "Carry"],
             # highest precedence
         ]
         for i, sublist in enumerate(precedence_list):
@@ -1739,6 +1771,7 @@ class CBinaryOp(CExpression):
             "Sar": self._c_repr_chunks_sar,
             "LogicalAnd": self._c_repr_chunks_logicaland,
             "LogicalOr": self._c_repr_chunks_logicalor,
+            "LogicalXor": self._c_repr_chunks_logicalxor,
             "CmpLE": self._c_repr_chunks_cmple,
             "CmpLEs": self._c_repr_chunks_cmple,
             "CmpLT": self._c_repr_chunks_cmplt,
@@ -1758,7 +1791,7 @@ class CBinaryOp(CExpression):
         if handler is not None:
             yield from handler()
         else:
-            yield "BinaryOp %s" % (self.op), self
+            yield from self._c_repr_chunks_opfirst(self.op)
 
     def _has_const_null_rhs(self) -> bool:
         return isinstance(self.rhs, CConstant) and self.rhs.value == 0
@@ -1799,6 +1832,15 @@ class CBinaryOp(CExpression):
             else:
                 yield from self._try_c_repr_chunks(self.rhs)
 
+    def _c_repr_chunks_opfirst(self, op):
+        yield op, self
+        paren = CClosingObject("(")
+        yield "(", paren
+        yield from self._try_c_repr_chunks(self.lhs)
+        yield ", ", None
+        yield from self._try_c_repr_chunks(self.rhs)
+        yield ")", paren
+
     def _c_repr_chunks_add(self):
         yield from self._c_repr_chunks(" + ")
 
@@ -1844,6 +1886,9 @@ class CBinaryOp(CExpression):
     def _c_repr_chunks_logicalor(self):
         yield from self._c_repr_chunks(" || ")
 
+    def _c_repr_chunks_logicalxor(self):
+        yield from self._c_repr_chunks(" ^ ")
+
     def _c_repr_chunks_cmple(self):
         yield from self._c_repr_chunks(" <= ")
 
@@ -2004,6 +2049,14 @@ class CConstant(CExpression):
     def fmt_char(self, v: bool):
         self._fmt_setter["char"] = v
 
+    @property
+    def fmt_float(self):
+        return self.fmt.get("float", False)
+
+    @fmt_float.setter
+    def fmt_float(self, v: bool):
+        self._fmt_setter["float"] = v
+
     @property
     def type(self):
         return self._type
@@ -2088,6 +2141,11 @@ class CConstant(CExpression):
         :return:        The formatted string.
         """
 
+        if self.fmt_float:
+            if 0 < value <= 0xFFFF_FFFF:
+                str_value = str(struct.unpack("f", struct.pack("I", value))[0])
+                return str_value
+
         if self.fmt_neg:
             if value > 0:
                 value = value - 2**self._type.size
@@ -2272,6 +2330,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         externs=None,
         const_formats=None,
         show_demangled_name=True,
+        show_disambiguated_name=True,
         ail_graph=None,
         simplify_else_scope=True,
         cstyle_ifs=True,
@@ -2338,6 +2397,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         self.externs = externs or set()
         self.show_externs = show_externs
         self.show_demangled_name = show_demangled_name
+        self.show_disambiguated_name = show_disambiguated_name
         self.ail_graph = ail_graph
         self.simplify_else_scope = simplify_else_scope
         self.cstyle_ifs = cstyle_ifs
@@ -3115,6 +3175,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             tags=stmt.tags,
             is_expr=is_expr,
             show_demangled_name=self.show_demangled_name,
+            show_disambiguated_name=self.show_disambiguated_name,
             codegen=self,
         )
 

angr/analyses/decompiler/structuring/phoenix.py

@@ -114,6 +114,8 @@ class PhoenixStructurer(StructurerBase):
         self._edge_virtualization_hints = []
 
         self._use_multistmtexprs = use_multistmtexprs
+        if not self._phoenix_improved:
+            self._use_multistmtexprs = MultiStmtExprMode.NEVER
 
         self._analyze()
 
@@ -2141,7 +2143,7 @@ class PhoenixStructurer(StructurerBase):
             pass
         else:
             # insert a Jump at the end
-            stmt_addr = last_stmt.ins_addr if last_stmt is not None else src.addr
+            stmt_addr = src.addr
             goto_node = Block(
                 stmt_addr,
                 0,

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -3,6 +3,7 @@ from typing import List, Tuple, Any, Optional, Union, OrderedDict as ODict
 
 import claripy
 import ailment
+import ailment.utils
 
 
 INDENT_DELTA = 2
@@ -387,11 +388,7 @@ class IncompleteSwitchCaseHeadStatement(ailment.statement.Statement):
     Describes a switch-case head. This is only created by LoweredSwitchSimplifier.
     """
 
-    __slots__ = (
-        "addr",
-        "switch_variable",
-        "case_addrs",
-    )
+    __slots__ = ("addr", "switch_variable", "case_addrs", "_case_addrs_str")
 
     def __init__(self, idx, switch_variable, case_addrs, **kwargs):
         super().__init__(idx, **kwargs)
@@ -399,9 +396,18 @@ class IncompleteSwitchCaseHeadStatement(ailment.statement.Statement):
         # original cmp node, case value | "default", address of the case node, idx of the case node,
         # address of the next cmp node
         self.case_addrs: List[Tuple[ailment.Block, Union[int, str], int, Optional[int], int]] = case_addrs
+        # a string representation of the addresses of all cases, used for hashing
+        self._case_addrs_str = str(sorted([c[0].addr for c in self.case_addrs if c[0] is not None]))
 
     def __repr__(self):
         return f"SwitchCaseHead: switch {self.switch_variable} with {len(self.case_addrs)} cases"
 
     def __str__(self):
         return f"switch ({str(self.switch_variable)}): {len(self.case_addrs)} cases"
+
+    __hash__ = ailment.statement.TaggedObject.__hash__
+
+    def _hash_core(self):
+        return ailment.utils.stable_hash(
+            (IncompleteSwitchCaseHeadStatement, self.idx, self.switch_variable, self._case_addrs_str)
+        )

angr/analyses/decompiler/utils.py

@@ -1,4 +1,6 @@
+# pylint:disable=wrong-import-position
 import pathlib
+import copy
 from typing import Optional, Tuple, Any, Union, List, Iterable
 import logging
 
@@ -378,6 +380,30 @@ def remove_labels(graph: networkx.DiGraph):
     return new_graph
 
 
+def add_labels(graph: networkx.DiGraph):
+    new_graph = networkx.DiGraph()
+    nodes_map = {}
+    for node in graph:
+        lbl = ailment.Stmt.Label(None, f"LABEL_{node.addr:x}", node.addr, block_idx=node.idx)
+        node_copy = node.copy()
+        node_copy.statements = [lbl] + node_copy.statements
+        nodes_map[node] = node_copy
+
+    new_graph.add_nodes_from(nodes_map.values())
+    for src, dst in graph.edges:
+        new_graph.add_edge(nodes_map[src], nodes_map[dst])
+
+    return new_graph
+
+
+def update_labels(graph: networkx.DiGraph):
+    """
+    A utility function to recreate the labels for every node in an AIL graph. This useful when you are working with
+    a graph where only _some_ of the nodes have labels.
+    """
+    return add_labels(remove_labels(graph))
+
+
 def structured_node_is_simple_return(node: Union["SequenceNode", "MultiNode"], graph: networkx.DiGraph) -> bool:
     """
     Will check if a "simple return" is contained within the node a simple returns looks like this:
@@ -510,6 +536,30 @@ def peephole_optimize_expr(expr, expr_opts):
     return new_expr
 
 
+def copy_graph(graph: networkx.DiGraph):
+    """
+    Copy AIL Graph.
+
+    :return: A copy of the AIl graph.
+    """
+    graph_copy = networkx.DiGraph()
+    block_mapping = {}
+    # copy all blocks
+    for block in graph.nodes():
+        new_block = copy.copy(block)
+        new_stmts = copy.copy(block.statements)
+        new_block.statements = new_stmts
+        block_mapping[block] = new_block
+        graph_copy.add_node(new_block)
+
+    # copy all edges
+    for src, dst, data in graph.edges(data=True):
+        new_src = block_mapping[src]
+        new_dst = block_mapping[dst]
+        graph_copy.add_edge(new_src, new_dst, **data)
+    return graph_copy
+
+
 def peephole_optimize_stmts(block, stmt_opts):
     any_update = False
     statements = []

angr/analyses/disassembly.py

@@ -133,6 +133,8 @@ class IROp(DisassemblyPiece):
         self.irsb = irsb
 
     def __str__(self):
+        if pcode and isinstance(self.obj, pypcode.PcodeOp):
+            return pypcode.PcodePrettyPrinter.fmt_op(self.obj)
         return str(self.obj)
 
     def _render(self, formatting):  # pylint:disable=unused-argument
@@ -1078,9 +1080,14 @@ class Disassembly(Analysis):
 
         if irsb.statements is not None:
             if pcode is not None and isinstance(self.project.factory.default_engine, pcode.HeavyPcodeMixin):
-                for ins in irsb._instructions:
-                    addr = ins.address.offset
-                    addr_to_ops_map[addr].extend([IROp(addr, op.seq.uniq, op, irsb) for op in ins.ops])
+                addr = None
+                stmt_idx = 0
+                for op in irsb._ops:
+                    if op.opcode == pypcode.OpCode.IMARK:
+                        addr = op.inputs[0].offset
+                    else:
+                        addr_to_ops_map[addr].append(IROp(addr, stmt_idx, op, irsb))
+                    stmt_idx += 1
             else:
                 for seq, stmt in enumerate(irsb.statements):
                     if isinstance(stmt, pyvex.stmt.IMark):

angr/analyses/propagator/engine_ail.py

@@ -4,6 +4,7 @@ import logging
 
 import claripy
 from ailment import Stmt, Expr
+from unique_log_filter import UniqueLogFilter
 
 from angr.knowledge_plugins.propagations.prop_value import PropValue, Detail
 from angr.knowledge_plugins.key_definitions.atoms import Register
@@ -20,6 +21,7 @@ if TYPE_CHECKING:
     from angr.code_location import CodeLocation
 
 l = logging.getLogger(name=__name__)
+l.addFilter(UniqueLogFilter())
 
 
 class SimEnginePropagatorAIL(
@@ -1268,6 +1270,129 @@ class SimEnginePropagatorAIL(
             )
         return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
 
+    def _ail_handle_LogicalOr(self, expr: Expr.BinaryOp):
+        o0_value = self._expr(expr.operands[0])
+        o1_value = self._expr(expr.operands[1])
+
+        value = self.state.top(expr.bits)
+        if o0_value is None or o1_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            o1_expr = o1_value.one_expr
+
+            value = self.state.top(expr.bits)
+            new_expr = Expr.BinaryOp(
+                expr.idx,
+                "LogicalOr",
+                [
+                    o0_expr if o0_expr is not None else expr.operands[0],
+                    o1_expr if o1_expr is not None else expr.operands[1],
+                ],
+                expr.signed,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
+    def _ail_handle_LogicalXor(self, expr: Expr.BinaryOp):
+        o0_value = self._expr(expr.operands[0])
+        o1_value = self._expr(expr.operands[1])
+
+        value = self.state.top(expr.bits)
+        if o0_value is None or o1_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            o1_expr = o1_value.one_expr
+
+            value = self.state.top(expr.bits)
+            new_expr = Expr.BinaryOp(
+                expr.idx,
+                "LogicalXor",
+                [
+                    o0_expr if o0_expr is not None else expr.operands[0],
+                    o1_expr if o1_expr is not None else expr.operands[1],
+                ],
+                expr.signed,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
+    def _ail_handle_Carry(self, expr: Expr.BinaryOp):
+        o0_value = self._expr(expr.operands[0])
+        o1_value = self._expr(expr.operands[1])
+
+        value = self.state.top(expr.bits)
+        if o0_value is None or o1_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            o1_expr = o1_value.one_expr
+            new_expr = Expr.BinaryOp(
+                expr.idx,
+                "Carry",
+                [
+                    o0_expr if o0_expr is not None else expr.operands[0],
+                    o1_expr if o1_expr is not None else expr.operands[1],
+                ],
+                expr.signed,
+                bits=expr.bits,
+                floating_point=expr.floating_point,
+                rounding_mode=expr.rounding_mode,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
+    def _ail_handle_SCarry(self, expr: Expr.BinaryOp):
+        o0_value = self._expr(expr.operands[0])
+        o1_value = self._expr(expr.operands[1])
+
+        value = self.state.top(expr.bits)
+        if o0_value is None or o1_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            o1_expr = o1_value.one_expr
+            new_expr = Expr.BinaryOp(
+                expr.idx,
+                "SCarry",
+                [
+                    o0_expr if o0_expr is not None else expr.operands[0],
+                    o1_expr if o1_expr is not None else expr.operands[1],
+                ],
+                expr.signed,
+                bits=expr.bits,
+                floating_point=expr.floating_point,
+                rounding_mode=expr.rounding_mode,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
+    def _ail_handle_SBorrow(self, expr: Expr.BinaryOp):
+        o0_value = self._expr(expr.operands[0])
+        o1_value = self._expr(expr.operands[1])
+
+        value = self.state.top(expr.bits)
+        if o0_value is None or o1_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            o1_expr = o1_value.one_expr
+            new_expr = Expr.BinaryOp(
+                expr.idx,
+                "SBorrow",
+                [
+                    o0_expr if o0_expr is not None else expr.operands[0],
+                    o1_expr if o1_expr is not None else expr.operands[1],
+                ],
+                expr.signed,
+                bits=expr.bits,
+                floating_point=expr.floating_point,
+                rounding_mode=expr.rounding_mode,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
     def _ail_handle_TernaryOp(self, expr: Expr.TernaryOp):
         o0_value = self._expr(expr.operands[0])
         o1_value = self._expr(expr.operands[1])

angr/analyses/reaching_definitions/engine_ail.py

@@ -981,7 +981,6 @@ class SimEngineRDAIL(
         expr1: MultiValues = self._expr(expr.operands[1])
         bits = expr.bits
 
-        r = None
         expr0_v = expr0.one_value()
         expr1_v = expr1.one_value()
 
@@ -999,7 +998,6 @@ class SimEngineRDAIL(
         expr1: MultiValues = self._expr(expr.operands[1])
         bits = expr.bits
 
-        r = None
         expr0_v = expr0.one_value()
         expr1_v = expr1.one_value()
 
@@ -1010,6 +1008,21 @@ class SimEngineRDAIL(
         r = MultiValues(claripy.If(expr0_v != 0, expr0_v, expr1_v))
         return r
 
+    def _ail_handle_LogicalXor(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
+        expr0: MultiValues = self._expr(expr.operands[0])
+        expr1: MultiValues = self._expr(expr.operands[1])
+        bits = expr.bits
+
+        expr0_v = expr0.one_value()
+        expr1_v = expr1.one_value()
+
+        if expr0_v is None or expr1_v is None:
+            r = MultiValues(self.state.top(bits))
+            return r
+
+        r = MultiValues(claripy.If(expr0_v != 0, expr1_v, expr0_v))
+        return r
+
     def _ail_handle_Xor(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
         expr0: MultiValues = self._expr(expr.operands[0])
         expr1: MultiValues = self._expr(expr.operands[1])
@@ -1042,6 +1055,27 @@ class SimEngineRDAIL(
 
         return r
 
+    def _ail_handle_Carry(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
+        _ = self._expr(expr.operands[0])
+        _ = self._expr(expr.operands[1])
+        bits = expr.bits
+        r = MultiValues(self.state.top(bits))
+        return r
+
+    def _ail_handle_SCarry(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
+        _ = self._expr(expr.operands[0])
+        _ = self._expr(expr.operands[1])
+        bits = expr.bits
+        r = MultiValues(self.state.top(bits))
+        return r
+
+    def _ail_handle_SBorrow(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
+        _ = self._expr(expr.operands[0])
+        _ = self._expr(expr.operands[1])
+        bits = expr.bits
+        r = MultiValues(self.state.top(bits))
+        return r
+
     def _ail_handle_Concat(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
         expr0: MultiValues = self._expr(expr.operands[0])
         expr1: MultiValues = self._expr(expr.operands[1])

angr/analyses/reaching_definitions/rd_initializer.py

@@ -33,8 +33,9 @@ class RDAStateInitializer:
 
     """
 
-    def __init__(self, arch: Arch):
+    def __init__(self, arch: Arch, project=None):
         self.arch: Arch = arch
+        self.project = project
 
     def initialize_function_state(
         self, state: "ReachingDefinitionsState", cc: Optional[SimCC], func_addr: int, rtoc_value: Optional[int] = None
@@ -171,6 +172,19 @@ class RDAStateInitializer:
             t9 = state.annotate_with_def(claripy.BVV(func_addr, self.arch.bits), t9_def)
             state.registers.store(t9_offset, t9)
 
+        # project-specific initialization
+        if self.project is not None:
+            if self.project.simos is not None and self.project.simos.function_initial_registers:
+                for reg_name, reg_value in self.project.simos.function_initial_registers.items():
+                    reg_offset = self.arch.registers[reg_name][0]
+                    reg_atom = Register(reg_offset, self.arch.registers[reg_name][1])
+                    reg_def = Definition(reg_atom, ex_loc, tags={InitialValueTag()})
+                    state.all_definitions.add(reg_def)
+                    if state.analysis is not None:
+                        state.analysis.model.add_def(reg_def)
+                    reg = state.annotate_with_def(claripy.BVV(reg_value, self.arch.registers[reg_name][1]), reg_def)
+                    state.registers.store(reg_offset, reg)
+
     def _initialize_function_argument_register(
         self,
         state: "ReachingDefinitionsState",

angr/analyses/reaching_definitions/rd_state.py

@@ -124,10 +124,11 @@ class ReachingDefinitionsState:
             self.live_definitions = LiveDefinitions(
                 self.arch, track_tmps=self._track_tmps, canonical_size=canonical_size
             )
-            self._set_initialization_values(subject, rtoc_value, initializer=initializer)
-
             if self.analysis is not None:
                 self.live_definitions.project = self.analysis.project
+            self._set_initialization_values(
+                subject, rtoc_value, initializer=initializer, project=self.live_definitions.project
+            )
         else:
             # this state is a copy from a previous state. skip the initialization
             self.live_definitions = live_definitions
@@ -269,10 +270,14 @@ class ReachingDefinitionsState:
         return "{%s}" % ctnt
 
     def _set_initialization_values(
-        self, subject: Subject, rtoc_value: Optional[int] = None, initializer: Optional[RDAStateInitializer] = None
+        self,
+        subject: Subject,
+        rtoc_value: Optional[int] = None,
+        initializer: Optional[RDAStateInitializer] = None,
+        project=None,
     ):
         if initializer is None:
-            initializer = RDAStateInitializer(self.arch)
+            initializer = RDAStateInitializer(self.arch, project=project)
 
         if subject.type == SubjectType.Function:
             if isinstance(self.arch, archinfo.arch_ppc64.ArchPPC64) and not rtoc_value:

angr/analyses/stack_pointer_tracker.py

@@ -695,28 +695,21 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
             else:
                 raise CouldNotResolveException()
 
-        for instr in pcode_irsb._instructions:
-            if curr_stmt_start_addr is not None:
-                # we've reached a new instruction. Time to store the post state
-                self._set_post_state(curr_stmt_start_addr, state.freeze())
-            curr_stmt_start_addr = instr.address.offset
-            self._set_pre_state(curr_stmt_start_addr, state.freeze())
-
-            for op in instr.ops:
-                op: "pypcode.PcodeOp"
+        is_call = False
+        for op in pcode_irsb._ops:
+            if op.opcode == pypcode.OpCode.IMARK:
+                if curr_stmt_start_addr is not None:
+                    # we've reached a new instruction. Time to store the post state
+                    self._set_post_state(curr_stmt_start_addr, state.freeze())
+                curr_stmt_start_addr = op.inputs[0].offset
+                self._set_pre_state(curr_stmt_start_addr, state.freeze())
+            else:
                 try:
                     resolve_op(op)
                 except CouldNotResolveException:
                     pass
 
-        # examine the last instruction and determine if this is a call instruction
-        is_call = False
-        if pcode_irsb._instructions:
-            last_instr = pcode_irsb._instructions[-1]
-            if last_instr.ops:
-                last_op = last_instr.ops[-1]
-                if last_op.opcode == pypcode.OpCode.CALL:
-                    is_call = True
+                is_call |= op.opcode == pypcode.OpCode.CALL
 
         # stack pointer adjustment
         if self.project.arch.sp_offset in self.reg_offsets and is_call: