angr 9.2.92__py3-none-manylinux2014_x86_64.whl → 9.2.94__py3-none-manylinux2014_x86_64.whl

angr/analyses/typehoon/simple_solver.py

@@ -224,7 +224,8 @@ class Sketch:
     @staticmethod
     def flatten_typevar(
         derived_typevar: Union[TypeVariable, TypeConstant, DerivedTypeVariable]
-    ) -> Union[DerivedTypeVariable, TypeVariable, TypeConstant]:  # pylint:disable=too-many-boolean-expressions
+    ) -> Union[DerivedTypeVariable, TypeVariable, TypeConstant]:
+        # pylint:disable=too-many-boolean-expressions
         if (
             isinstance(derived_typevar, DerivedTypeVariable)
             and isinstance(derived_typevar.type_var, Pointer)
@@ -419,15 +420,45 @@ class SimpleSolver:
         for tv in typevars:
             if tv in self._constraints:
                 constraints |= self._constraints[tv]
+
+        # collect typevars used in the constraint set
+        constrained_typevars = set()
+        for constraint in constraints:
+            if isinstance(constraint, Subtype):
+                for t in (constraint.sub_type, constraint.super_type):
+                    if isinstance(t, DerivedTypeVariable):
+                        if t.type_var in typevars:
+                            constrained_typevars.add(t.type_var)
+                    elif isinstance(t, TypeVariable):
+                        if t in typevars:
+                            constrained_typevars.add(t)
+
         equivalence_classes, sketches = self.infer_shapes(typevars, constraints)
         # TODO: Handle global variables
 
         type_schemes = constraints
 
-        for tv in typevars:
-            primitive_constraints = self._generate_primitive_constraints(type_schemes, {tv})
-            for primitive_constraint in primitive_constraints:
-                sketches[tv].add_constraint(primitive_constraint)
+        constraintset2tvs = defaultdict(set)
+        for idx, tv in enumerate(constrained_typevars):
+            _l.debug("Collecting constraints for type variable %r (%d/%d)", tv, idx + 1, len(constrained_typevars))
+            # build a sub constraint set for the type variable
+            constraint_subset = frozenset(self._generate_constraint_subset(constraints, {tv}))
+            constraintset2tvs[constraint_subset].add(tv)
+
+        for idx, (constraint_subset, tvs) in enumerate(constraintset2tvs.items()):
+            _l.debug(
+                "Solving %d constraints for type variables %r (%d/%d)",
+                len(constraint_subset),
+                tvs,
+                idx + 1,
+                len(constraintset2tvs),
+            )
+            base_constraint_graph = self._generate_constraint_graph(constraint_subset, tvs | PRIMITIVE_TYPES)
+            for idx_0, tv in enumerate(tvs):
+                _l.debug("Solving for type variable %r (%d/%d)", tv, idx_0 + 1, len(tvs))
+                primitive_constraints = self._generate_primitive_constraints({tv}, base_constraint_graph)
+                for primitive_constraint in primitive_constraints:
+                    sketches[tv].add_constraint(primitive_constraint)
 
         return equivalence_classes, sketches, type_schemes
 
@@ -515,10 +546,11 @@ class SimpleSolver:
         return equivalence_classes, out_graph
 
     def _generate_primitive_constraints(
-        self, constraints: Set[TypeConstraint], non_primitive_endpoints: Set[Union[TypeVariable, DerivedTypeVariable]]
+        self,
+        non_primitive_endpoints: Set[Union[TypeVariable, DerivedTypeVariable]],
+        constraint_graph,
     ) -> Set[TypeConstraint]:
         # FIXME: Extract interesting variables
-        constraint_graph = self._generate_constraint_graph(constraints, non_primitive_endpoints | PRIMITIVE_TYPES)
         constraints_0 = self._solve_constraints_between(constraint_graph, non_primitive_endpoints, PRIMITIVE_TYPES)
         constraints_1 = self._solve_constraints_between(constraint_graph, PRIMITIVE_TYPES, non_primitive_endpoints)
         return constraints_0 | constraints_1
@@ -702,6 +734,41 @@ class SimpleSolver:
     # Constraint graph
     #
 
+    @staticmethod
+    def _generate_constraint_subset(
+        constraints: Set[TypeConstraint], typevars: Set[TypeVariable]
+    ) -> Set[TypeConstraint]:
+        subset = set()
+        related_typevars = set(typevars)
+        while True:
+            new = set()
+            for constraint in constraints:
+                if constraint in subset:
+                    continue
+                if isinstance(constraint, Subtype):
+                    if isinstance(constraint.sub_type, DerivedTypeVariable):
+                        subt = constraint.sub_type.type_var
+                    elif isinstance(constraint.sub_type, TypeVariable):
+                        subt = constraint.sub_type
+                    else:
+                        subt = None
+                    if isinstance(constraint.super_type, DerivedTypeVariable):
+                        supert = constraint.super_type.type_var
+                    elif isinstance(constraint.super_type, TypeVariable):
+                        supert = constraint.super_type
+                    else:
+                        supert = None
+                    if subt in related_typevars or supert in related_typevars:
+                        new.add(constraint)
+                        if subt is not None:
+                            related_typevars.add(subt)
+                        if supert is not None:
+                            related_typevars.add(supert)
+            if not new:
+                break
+            subset |= new
+        return subset
+
     def _generate_constraint_graph(
         self, constraints: Set[TypeConstraint], interesting_variables: Set[DerivedTypeVariable]
     ) -> networkx.DiGraph:
@@ -946,7 +1013,8 @@ class SimpleSolver:
             return t1
         return Top_
 
-    def abstract(self, t: Union[TypeConstant, TypeVariable]) -> Union[TypeConstant, TypeVariable]:
+    @staticmethod
+    def abstract(t: Union[TypeConstant, TypeVariable]) -> Union[TypeConstant, TypeVariable]:
         if isinstance(t, Pointer32):
             return Pointer32()
         elif isinstance(t, Pointer64):
@@ -1011,6 +1079,8 @@ class SimpleSolver:
                 last_labels.append(labels[-1])
 
         # now, what is this variable?
+        result = None
+
         if last_labels and all(isinstance(label, (FuncIn, FuncOut)) for label in last_labels):
             # create a dummy result and dump it to the cache
             func_type = Function([], [])
@@ -1049,22 +1119,8 @@ class SimpleSolver:
             for node in nodes:
                 solution[node.typevar] = result
 
-        elif not path_and_successors:
-            # this is a primitive variable
-            lower_bound = Bottom_
-            upper_bound = Top_
-
-            for node in nodes:
-                lower_bound = self.join(lower_bound, node.lower_bound)
-                upper_bound = self.meet(upper_bound, node.upper_bound)
-                # TODO: Support variables that are accessed via differently sized pointers
-
-            result = lower_bound if not isinstance(lower_bound, BottomType) else upper_bound
-            for node in nodes:
-                solution[node.typevar] = result
-                self._solution_cache[node.typevar] = result
-
-        else:
+        elif path_and_successors:
+            # maybe this is a pointer to a struct?
             if len(nodes) == 1:
                 the_node = next(iter(nodes))
                 if (
@@ -1136,6 +1192,21 @@ class SimpleSolver:
                 for node in nodes:
                     solution[node.typevar] = result
 
+        if not path_and_successors or result in {Top_, None}:
+            # this is probably a primitive variable
+            lower_bound = Bottom_
+            upper_bound = Top_
+
+            for node in nodes:
+                lower_bound = self.join(lower_bound, node.lower_bound)
+                upper_bound = self.meet(upper_bound, node.upper_bound)
+                # TODO: Support variables that are accessed via differently sized pointers
+
+            result = lower_bound if not isinstance(lower_bound, BottomType) else upper_bound
+            for node in nodes:
+                solution[node.typevar] = result
+                self._solution_cache[node.typevar] = result
+
         # import pprint
 
         # print("Solution")

angr/analyses/typehoon/typeconsts.py

@@ -208,7 +208,7 @@ class Struct(TypeConstant):
 
     def _hash_fields(self, visited: Set[int]):
         keys = sorted(self.fields.keys())
-        tpl = tuple((k, self.fields[k]._hash(visited)) for k in keys)
+        tpl = tuple((k, self.fields[k]._hash(visited) if self.fields[k] is not None else None) for k in keys)
         return hash(tpl)
 
     @memoize

angr/calling_conventions.py

@@ -1774,9 +1774,6 @@ class SimCCARMHF(SimCCARM):
     RETURN_VAL = SimRegArg("r0", 4)  # TODO Return val can also include reg r1
     ARCH = archinfo.ArchARMHF
 
-    def next_arg(self, session, arg_type):
-        return SimCC.next_arg(self, session, arg_type)
-
 
 class SimCCARMLinuxSyscall(SimCCSyscall):
     # TODO: Make sure all the information is correct

angr/engines/pcode/cc.py

@@ -43,7 +43,7 @@ class SimCCSPARC(SimCC):
     Default CC for SPARC
     """
 
-    ARG_REGS = ["o0", "o1"]
+    ARG_REGS = ["o0", "o1", "o2", "o3", "o4", "o5"]
     RETURN_VAL = SimRegArg("o0", 8)
     RETURN_ADDR = SimRegArg("o7", 8)
 

angr/engines/successors.py

@@ -271,6 +271,12 @@ class SimSuccessors:
             self.unsat_successors.append(state)
         elif o.NO_SYMBOLIC_JUMP_RESOLUTION in state.options and state.solver.symbolic(target):
             self.unconstrained_successors.append(state)
+        elif o.CALLLESS in state.options and state.history.jumpkind == "Ijk_Call" and state.solver.symbolic(target):
+            # If CALLESS is set, even a symbolic call target is allowed, because we don't want to resolve the target
+            # anyway
+            # The actual state will be fixed up later during `VEXMixin.process_successors`
+            self.successors.append(state)
+            self.flat_successors.append(state)
         elif not state.solver.symbolic(target) and not state.history.jumpkind.startswith("Ijk_Sys"):
             # a successor with a concrete IP, and it's not a syscall
             self.successors.append(state)

angr/knowledge_plugins/propagations/states.py

@@ -899,7 +899,8 @@ class PropagatorAILState(PropagatorState):
                             def_ = next(iter(defs))
                     if def_ is not None:
                         self._expr_used_locs[def_].append(codeloc)
-                        prop_count = len(self._expr_used_locs[def_])
+                        # we must consider known future uses of this definition as well
+                        prop_count = max(len(self._expr_used_locs[def_]), len(self.rda.all_uses.get_uses(def_)))
                     else:
                         # multiple definitions or no definitions - do not propagate
                         return False

angr/procedures/definitions/glibc.py

@@ -43,7 +43,6 @@ libc.set_non_returning(
     "__longjmp_chk",
     "__siglongjmp_chk",
 )
-libc.add_alias("exit", "_exit", "_Exit")
 
 
 #
@@ -6849,6 +6848,9 @@ libc.add_alias("getc", "_IO_getc")
 libc.add_alias("putc", "_IO_putc")
 libc.add_alias("gets", "_IO_gets")
 libc.add_alias("puts", "_IO_puts")
+libc.add_alias("exit", "_exit", "_Exit")
+libc.add_alias("sprintf", "siprintf")
+libc.add_alias("snprintf", "sniprintf")
 
 
 #