angr 9.2.95__py3-none-manylinux2014_x86_64.whl → 9.2.97__py3-none-manylinux2014_x86_64.whl

angr/analyses/reaching_definitions/reaching_definitions.py

@@ -55,7 +55,7 @@ class ReachingDefinitionsAnalysis(
         self,
         subject: Union[Subject, ailment.Block, Block, Function, str] = None,
         func_graph=None,
-        max_iterations=3,
+        max_iterations=30,
         track_tmps=False,
         track_consts=True,
         observation_points: "Iterable[ObservationPoint]" = None,
@@ -74,6 +74,7 @@ class ReachingDefinitionsAnalysis(
         interfunction_level: int = 0,
         track_liveness: bool = True,
         func_addr: Optional[int] = None,
+        element_limit: int = 5,
     ):
         """
         :param subject:                         The subject of the analysis: a function, or a single basic block
@@ -131,6 +132,7 @@ class ReachingDefinitionsAnalysis(
         self._canonical_size = canonical_size
         self._use_callee_saved_regs_at_return = use_callee_saved_regs_at_return
         self._func_addr = func_addr
+        self._element_limit = element_limit
 
         if dep_graph is None or dep_graph is False:
             self._dep_graph = None
@@ -469,13 +471,28 @@ class ReachingDefinitionsAnalysis(
                 analysis=self,
                 canonical_size=self._canonical_size,
                 initializer=self._state_initializer,
+                element_limit=self._element_limit,
             )
 
     # pylint: disable=no-self-use,arguments-differ
     def _merge_states(self, _node, *states: ReachingDefinitionsState):
+        assert len(states) >= 2
         merged_state, merge_occurred = states[0].merge(*states[1:])
         return merged_state, not merge_occurred
 
+    def _compare_states(self, node, old_state: ReachingDefinitionsState, new_state: ReachingDefinitionsState) -> bool:
+        """
+        Return True if new_state >= old_state in the lattice.
+
+        :param node:
+        :param old_state:
+        :param new_state:
+        :return:
+        """
+
+        reached_fixedpoint = new_state.compare(old_state)
+        return reached_fixedpoint
+
     def _run_on_node(self, node, state: ReachingDefinitionsState):
         """
 
@@ -550,7 +567,7 @@ class ReachingDefinitionsAnalysis(
         state.downsize()
 
         if self._node_iterations[block_key] < self._max_iterations:
-            return True, state
+            return None, state
         else:
             return False, state
 

angr/analyses/variable_recovery/engine_ail.py

@@ -469,20 +469,20 @@ class SimEngineVRAIL(
 
         r0 = self._expr(arg0)
         r1 = self._expr(arg1)
-        from_size = r1.bits
-        to_size = r0.bits
+        from_size = expr.from_bits
+        to_size = expr.to_bits
 
         if expr.signed:
-            quotient = r0.data.SDiv(claripy.SignExt(to_size - from_size, r1.data))
-            remainder = r0.data.SMod(claripy.SignExt(to_size - from_size, r1.data))
+            quotient = r0.data.SDiv(claripy.SignExt(from_size - to_size, r1.data))
+            remainder = r0.data.SMod(claripy.SignExt(from_size - to_size, r1.data))
             quotient_size = to_size
             remainder_size = to_size
             r = claripy.Concat(
                 claripy.Extract(remainder_size - 1, 0, remainder), claripy.Extract(quotient_size - 1, 0, quotient)
             )
         else:
-            quotient = r0.data // claripy.ZeroExt(to_size - from_size, r1.data)
-            remainder = r0.data % claripy.ZeroExt(to_size - from_size, r1.data)
+            quotient = r0.data // claripy.ZeroExt(from_size - to_size, r1.data)
+            remainder = r0.data % claripy.ZeroExt(from_size - to_size, r1.data)
             quotient_size = to_size
             remainder_size = to_size
             r = claripy.Concat(

angr/analyses/variable_recovery/engine_base.py

@@ -270,10 +270,8 @@ class SimEngineVRBase(SimEngineLight):
             return
 
         if not existing_vars:
-            l.warning(
-                "_reference() is called on expressions without variables associated. Did you call "
-                "_ensure_variable_existence() first?"
-            )
+            # no associated variables. it's usually because _ensure_variable_existence() is not called, or the address
+            # is a TOP. we ignore this case.
             return
         else:
             variable, _ = existing_vars[0]
@@ -392,6 +390,15 @@ class SimEngineVRBase(SimEngineLight):
                     stored = True
 
         if not stored:
+            # remove existing variables linked to this statement
+            existing_vars = self.variable_manager[self.func_addr].find_variables_by_stmt(
+                self.block.addr, self.stmt_idx, "memory"
+            )
+            codeloc = self._codeloc()
+            if existing_vars:
+                for existing_var, _ in list(existing_vars):
+                    self.variable_manager[self.func_addr].remove_variable_by_atom(codeloc, existing_var, stmt)
+
             # storing to a location specified by a pointer whose value cannot be determined at this point
             self._store_to_variable(richr_addr, size, stmt=stmt)
 
@@ -602,6 +609,7 @@ class SimEngineVRBase(SimEngineLight):
             self.block.addr, self.stmt_idx, ins_addr=self.ins_addr, block_idx=getattr(self.block, "idx", None)
         )
         typevar = None
+        v = None
 
         if self.state.is_stack_address(addr):
             stack_offset = self.state.get_stack_offset(addr)
@@ -743,6 +751,16 @@ class SimEngineVRBase(SimEngineLight):
             v = self._load_from_global(base_addr.concrete_value, size, expr=expr, offset=offset, elem_size=elem_size)
             typevar = v.typevar
 
+        if v is None and expr is not None:
+            # failed to map the address to a known variable
+            # remove existing variables linked to this variable
+            existing_vars = self.variable_manager[self.func_addr].find_variables_by_atom(
+                self.block.addr, self.stmt_idx, expr
+            )
+            if existing_vars:
+                for existing_var, _ in list(existing_vars):
+                    self.variable_manager[self.func_addr].remove_variable_by_atom(codeloc, existing_var, expr)
+
         # Loading data from a pointer
         if richr_addr.type_constraints:
             for tc in richr_addr.type_constraints:

angr/analyses/variable_recovery/variable_recovery_base.py

@@ -175,6 +175,7 @@ class VariableRecoveryStateBase:
             self.stack_region: MultiValuedMemory = MultiValuedMemory(
                 memory_id="mem",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 phi_maker=self._make_phi_variable,
                 skip_missing_values_during_merging=True,
                 page_kwargs={"mo_cmp": self._mo_cmp},
@@ -188,6 +189,7 @@ class VariableRecoveryStateBase:
             self.register_region: MultiValuedMemory = MultiValuedMemory(
                 memory_id="reg",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 phi_maker=self._make_phi_variable,
                 skip_missing_values_during_merging=True,
                 page_kwargs={"mo_cmp": self._mo_cmp},
@@ -201,6 +203,7 @@ class VariableRecoveryStateBase:
             self.global_region: MultiValuedMemory = MultiValuedMemory(
                 memory_id="mem",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 phi_maker=self._make_phi_variable,
                 skip_missing_values_during_merging=True,
                 page_kwargs={"mo_cmp": self._mo_cmp},
@@ -215,7 +218,7 @@ class VariableRecoveryStateBase:
         self.type_constraints = defaultdict(set) if type_constraints is None else type_constraints
         self.func_typevar = func_typevar
         self.delayed_type_constraints = (
-            DefaultChainMapCOW(set, collapse_threshold=25)
+            DefaultChainMapCOW(default_factory=set, collapse_threshold=25)
             if delayed_type_constraints is None
             else delayed_type_constraints
         )

angr/engines/light/engine.py

@@ -1078,7 +1078,14 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
             expr_1 = arg1
 
         return ailment.Expr.BinaryOp(
-            expr.idx, "DivMod", [expr_0, expr_1], expr.signed, bits=expr_0.bits * 2, **expr.tags
+            expr.idx,
+            "DivMod",
+            [expr_0, expr_1],
+            expr.signed,
+            bits=expr.bits,
+            from_bits=expr.from_bits,
+            to_bits=expr.to_bits,
+            **expr.tags,
         )
 
     def _ail_handle_Mod(self, expr):

angr/knowledge_plugins/key_definitions/atoms.py

@@ -71,7 +71,7 @@ class Atom:
         Instanciate an `Atom` from a given argument.
 
         :param argument: The argument to create a new atom from.
-        :param registers: A mapping representing the registers of a given architecture.
+        :param arch: The argument representing archinfo architecture for argument.
         :param full_reg: Whether to return an atom indicating the entire register if the argument only specifies a
                         slice of the register.
         :param sp:      The current stack offset. Optional. Only used when argument is a SimStackArg.
@@ -84,7 +84,9 @@ class Atom:
         elif isinstance(argument, SimStackArg):
             if sp is None:
                 raise ValueError("You must provide a stack pointer to translate a SimStackArg")
-            return MemoryLocation(SpOffset(arch.bits, argument.stack_offset + sp), argument.size)
+            return MemoryLocation(
+                SpOffset(arch.bits, argument.stack_offset + sp), argument.size, endness=arch.memory_endness
+            )
         else:
             raise TypeError("Argument type %s is not yet supported." % type(argument))
 

angr/knowledge_plugins/key_definitions/environment.py

@@ -14,6 +14,8 @@ class Environment:
     **Note**: The <Environment> object does not store the values associated with variables themselves.
     """
 
+    __slots__ = ("_environment",)
+
     def __init__(self, environment: Dict[Union[str, Undefined], Set[claripy.ast.Base]] = None):
         self._environment: Dict[Union[str, Undefined], Set[claripy.ast.Base]] = environment or {}
 
@@ -81,3 +83,12 @@ class Environment:
 
         merge_occurred = new_env != self._environment
         return Environment(environment=new_env), merge_occurred
+
+    def compare(self, other: "Environment") -> bool:
+        for k in set(self._environment.keys()).union(set(other._environment.keys())):
+            if k not in self._environment:
+                return False
+            if k in self._environment and k in other._environment:
+                if not self._environment[k].issuperset(other._environment[k]):
+                    return False
+        return True

angr/knowledge_plugins/key_definitions/live_definitions.py

@@ -49,11 +49,12 @@ class DefinitionAnnotation(Annotation):
     An annotation that attaches a `Definition` to an AST.
     """
 
-    __slots__ = ("definition",)
+    __slots__ = ("definition", "_hash")
 
     def __init__(self, definition):
         super().__init__()
         self.definition = definition
+        self._hash = hash((DefinitionAnnotation, self.definition))
 
     @property
     def relocatable(self):
@@ -64,15 +65,11 @@ class DefinitionAnnotation(Annotation):
         return False
 
     def __hash__(self):
-        return hash((self.definition, self.relocatable, self.eliminatable))
+        return self._hash
 
     def __eq__(self, other: "object"):
-        if isinstance(other, DefinitionAnnotation):
-            return (
-                self.definition == other.definition
-                and self.relocatable == other.relocatable
-                and self.eliminatable == other.eliminatable
-            )
+        if type(other) is DefinitionAnnotation:
+            return self.definition == other.definition
         else:
             return False
 
@@ -129,6 +126,7 @@ class LiveDefinitions:
         memory_uses=None,
         tmp_uses=None,
         other_uses=None,
+        element_limit=5,
     ):
         self.project: Optional["Project"] = None
         self.arch = arch
@@ -139,9 +137,11 @@ class LiveDefinitions:
             MultiValuedMemory(
                 memory_id="reg",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
                 endness=self.arch.register_endness,
+                element_limit=element_limit,
             )
             if registers is None
             else registers
@@ -150,8 +150,10 @@ class LiveDefinitions:
             MultiValuedMemory(
                 memory_id="mem",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
+                element_limit=element_limit,
             )
             if stack is None
             else stack
@@ -160,8 +162,10 @@ class LiveDefinitions:
             MultiValuedMemory(
                 memory_id="mem",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
+                element_limit=element_limit,
             )
             if memory is None
             else memory
@@ -170,8 +174,10 @@ class LiveDefinitions:
             MultiValuedMemory(
                 memory_id="mem",
                 top_func=self.top,
+                is_top_func=self.is_top,
                 skip_missing_values_during_merging=False,
                 page_kwargs={"mo_cmp": self._mo_cmp},
+                element_limit=element_limit,
             )
             if heap is None
             else heap
@@ -464,6 +470,33 @@ class LiveDefinitions:
 
         return state, merge_occurred
 
+    def compare(self, other: "LiveDefinitions") -> bool:
+        r0 = self.registers.compare(other.registers)
+        if r0 is False:
+            return False
+        r1 = self.heap.compare(other.heap)
+        if r1 is False:
+            return False
+        r2 = self.memory.compare(other.memory)
+        if r2 is False:
+            return False
+        r3 = self.stack.compare(other.stack)
+        if r3 is False:
+            return False
+
+        r4 = True
+        for k in other.others:
+            if k in self.others:
+                thing = self.others[k].merge(other.others[k])
+                if thing != self.others[k]:
+                    r4 = False
+                    break
+            else:
+                r4 = False
+                break
+
+        return r0 and r1 and r2 and r3 and r4
+
     def kill_definitions(self, atom: Atom) -> None:
         """
         Overwrite existing definitions w.r.t 'atom' with a dummy definition instance. A dummy definition will not be

angr/knowledge_plugins/key_definitions/uses.py

@@ -21,10 +21,14 @@ class Uses:
         uses_by_location: Optional[DefaultChainMapCOW] = None,
     ):
         self._uses_by_definition: DefaultChainMapCOW["Definition", Set[Tuple[CodeLocation, Optional[Any]]]] = (
-            DefaultChainMapCOW(set, collapse_threshold=25) if uses_by_definition is None else uses_by_definition
+            DefaultChainMapCOW(default_factory=set, collapse_threshold=25)
+            if uses_by_definition is None
+            else uses_by_definition
         )
         self._uses_by_location: DefaultChainMapCOW[CodeLocation, Set[Tuple["Definition", Optional[Any]]]] = (
-            DefaultChainMapCOW(set, collapse_threshold=25) if uses_by_location is None else uses_by_location
+            DefaultChainMapCOW(default_factory=set, collapse_threshold=25)
+            if uses_by_location is None
+            else uses_by_location
         )
 
     def add_use(self, definition: "Definition", codeloc: CodeLocation, expr: Optional[Any] = None):
@@ -35,7 +39,9 @@ class Uses:
         :param codeloc:     The code location where the use occurs.
         :param expr:        The expression that uses the specified definition at this location.
         """
+        self._uses_by_definition = self._uses_by_definition.clean()
         self._uses_by_definition[definition].add((codeloc, expr))
+        self._uses_by_location = self._uses_by_location.clean()
         self._uses_by_location[codeloc].add((definition, expr))
 
     def get_uses(self, definition: "Definition") -> Set[CodeLocation]:
@@ -65,6 +71,7 @@ class Uses:
         """
         if definition in self._uses_by_definition:
             if codeloc in self._uses_by_definition[definition]:
+                self._uses_by_definition = self._uses_by_definition.clean()
                 if expr is None:
                     for codeloc_, expr_ in list(self._uses_by_definition[definition]):
                         if codeloc_ == codeloc:
@@ -73,6 +80,7 @@ class Uses:
                     self._uses_by_definition[definition].remove((codeloc, expr))
 
         if codeloc in self._uses_by_location:
+            self._uses_by_location = self._uses_by_location.clean()
             for item in list(self._uses_by_location[codeloc]):
                 if item[0] == definition:
                     self._uses_by_location[codeloc].remove(item)
@@ -85,9 +93,11 @@ class Uses:
         :return:            None
         """
         if definition in self._uses_by_definition:
+            self._uses_by_definition = self._uses_by_definition.clean()
             codeloc_and_ids = self._uses_by_definition[definition]
             del self._uses_by_definition[definition]
 
+            self._uses_by_location = self._uses_by_location.clean()
             for codeloc, _ in codeloc_and_ids:
                 for item in list(self._uses_by_location[codeloc]):
                     if item[0] == definition:
@@ -149,18 +159,22 @@ class Uses:
 
         for k, v in other._uses_by_definition.items():
             if k not in self._uses_by_definition:
+                self._uses_by_definition = self._uses_by_definition.clean()
                 self._uses_by_definition[k] = v
                 merge_occurred = True
             elif not v.issubset(self._uses_by_definition[k]):
                 merge_occurred = True
-                self._uses_by_definition[k] |= v
+                self._uses_by_definition = self._uses_by_definition.clean()
+                self._uses_by_definition[k] = self._uses_by_definition[k] | v
 
         for k, v in other._uses_by_location.items():
             if k not in self._uses_by_location:
+                self._uses_by_location = self._uses_by_location.clean()
                 self._uses_by_location[k] = v
                 merge_occurred = True
             elif not v.issubset(self._uses_by_location[k]):
                 merge_occurred = True
-                self._uses_by_location[k] |= v
+                self._uses_by_location = self._uses_by_location.clean()
+                self._uses_by_location[k] = self._uses_by_location[k] | v
 
         return merge_occurred

angr/knowledge_plugins/propagations/states.py

@@ -221,9 +221,10 @@ class PropagatorState:
                         merge_occurred = True
                     else:
                         if PropagatorState.is_top(repl) or PropagatorState.is_top(replacements_0[loc][var]):
-                            t = PropagatorState.top(_get_repl_size(repl))
-                            replacements_0[loc][var] = t
-                            merge_occurred = True
+                            if not PropagatorState.is_top(replacements_0[loc][var]):
+                                t = PropagatorState.top(_get_repl_size(repl))
+                                replacements_0[loc][var] = t
+                                merge_occurred = True
                         elif (
                             isinstance(replacements_0[loc][var], claripy.ast.Base) or isinstance(repl, claripy.ast.Base)
                         ) and replacements_0[loc][var] is not repl:
@@ -316,6 +317,12 @@ class RegisterAnnotation(claripy.Annotation):
     def relocatable(self) -> bool:
         return True
 
+    def __hash__(self):
+        return hash((RegisterAnnotation, self.offset, self.size))
+
+    def __eq__(self, other):
+        return type(other) is RegisterAnnotation and self.offset == other.offset and self.size == other.size
+
 
 class RegisterComparisonAnnotation(claripy.Annotation):
     """
@@ -336,6 +343,18 @@ class RegisterComparisonAnnotation(claripy.Annotation):
     def relocatable(self) -> bool:
         return True
 
+    def __hash__(self):
+        return hash((RegisterComparisonAnnotation, self.offset, self.size, self.cmp_op, self.value))
+
+    def __eq__(self, other):
+        return (
+            type(other) is RegisterAnnotation
+            and self.offset == other.offset
+            and self.size == other.size
+            and self.cmp_op == other.cmp_op
+            and self.value == other.value
+        )
+
 
 class PropagatorVEXState(PropagatorState):
     """

angr/knowledge_plugins/types.py

@@ -56,6 +56,12 @@ class TypesStore(KnowledgeBasePlugin, UserDict):
         yield from super().__iter__()
         yield from iter(ALL_TYPES)
 
+    def __getstate__(self):
+        return self.data  # do not pickle self.kb
+
+    def __setstate__(self, state):
+        self.data = state
+
     def iter_own(self):
         """
         Iterate over all the names which are stored in this object - i.e. ``values()`` without ``ALL_TYPES``

angr/knowledge_plugins/variables/variable_manager.py

@@ -122,7 +122,32 @@ class VariableManagerInternal(Serializable):
         self.__dict__.update(state)
 
     def __getstate__(self):
-        d = dict(self.__dict__)
+        attributes = [
+            "func_addr",
+            "_variables",
+            "_global_region",
+            "_stack_region",
+            "_register_region",
+            "_live_variables",
+            "_variable_accesses",
+            "_insn_to_variable",
+            "_stmt_to_variable",
+            "_variable_to_stmt",
+            "_atom_to_variable",
+            "_ident_to_variable",
+            "_variable_counters",
+            "_unified_variables",
+            "_variables_to_unified_variables",
+            "_phi_variables",
+            "_variables_to_phivars",
+            "_phi_variables_by_block",
+            "types",
+            "variable_to_types",
+            "variables_with_manual_types",
+            "_variables_without_writes",
+            "ret_val_size",
+        ]
+        d = {k: getattr(self, k) for k in attributes}
         d["manager"] = None
         d["types"].kb = None
         return d
@@ -441,6 +466,29 @@ class VariableManagerInternal(Serializable):
             if atom_hash is not None:
                 self._atom_to_variable[key][atom_hash].add(var_and_offset)
 
+    def remove_variable_by_atom(self, location: "CodeLocation", variable: SimVariable, atom):
+        key = (
+            (location.block_addr, location.stmt_idx)
+            if location.block_idx is None
+            else (location.block_addr, location.block_idx, location.stmt_idx)
+        )
+        if key in self._stmt_to_variable:
+            for var_and_offset in list(self._stmt_to_variable[key]):
+                if var_and_offset[0] == variable:
+                    self._stmt_to_variable[key].remove(var_and_offset)
+            if not self._stmt_to_variable[key]:
+                del self._stmt_to_variable[key]
+
+        atom_hash = (hash(atom) & 0xFFFF_FFFF) if atom is not None else None
+        if key in self._atom_to_variable and atom_hash is not None and atom_hash in self._atom_to_variable[key]:
+            for var_and_offset in list(self._atom_to_variable[key][atom_hash]):
+                if var_and_offset[0] == variable:
+                    self._atom_to_variable[key][atom_hash].discard(var_and_offset)
+            if not self._atom_to_variable[key][atom_hash]:
+                del self._atom_to_variable[key][atom_hash]
+            if not self._atom_to_variable[key]:
+                del self._atom_to_variable[key]
+
     def make_phi_node(self, block_addr, *variables):
         """
         Create a phi variable for variables at block `block_addr`.
@@ -736,10 +784,11 @@ class VariableManagerInternal(Serializable):
             if variable in self._phi_variables:
                 # a phi variable is definitely not an input variable
                 continue
-            accesses = self._variable_accesses[variable]
-            if has_read_access(accesses):
-                if not exclude_specials or not variable.category:
-                    input_variables.append(variable)
+            if variable in self._variable_accesses:
+                accesses = self._variable_accesses[variable]
+                if has_read_access(accesses):
+                    if not exclude_specials or not variable.category:
+                        input_variables.append(variable)
 
         return input_variables
 

angr/simos/simos.py

@@ -277,6 +277,8 @@ class SimOS:
 
         if state.arch.name == "PPC64" and toc is not None:
             state.regs.r2 = toc
+        elif state.arch.name in ("MIPS32", "MIPS64"):
+            state.regs.t9 = addr
 
         return state
 

angr/storage/memory_mixins/__init__.py

@@ -67,6 +67,9 @@ class MemoryMixin(SimStatePlugin):
     def merge(self, others, merge_conditions, common_ancestor=None) -> bool:
         pass
 
+    def compare(self, other) -> bool:
+        pass
+
     def widen(self, others):
         pass
 

angr/storage/memory_mixins/multi_value_merger_mixin.py

@@ -1,13 +1,17 @@
+# pylint:disable=missing-class-docstring
 from typing import Iterable, Tuple, Any, Callable, Optional
 
 from . import MemoryMixin
 
 
 class MultiValueMergerMixin(MemoryMixin):
-    def __init__(self, *args, element_limit=5, annotation_limit=256, top_func=None, phi_maker=None, **kwargs):
+    def __init__(
+        self, *args, element_limit=5, annotation_limit=256, top_func=None, is_top_func=None, phi_maker=None, **kwargs
+    ):
         self._element_limit = element_limit
         self._annotation_limit = annotation_limit
         self._top_func: Callable = top_func
+        self._is_top_func: Callable = is_top_func
         self._phi_maker: Optional[Callable] = phi_maker
 
         super().__init__(*args, **kwargs)
@@ -20,18 +24,23 @@ class MultiValueMergerMixin(MemoryMixin):
                 return {phi_var}
 
         # try to merge it in the traditional way
-        if len(values_set) > self._element_limit:
-            # strip annotations from each value and see how many raw values there are in total
-            # We have to use cache_key to determine uniqueness here, because if __hash__ collides,
-            # python implicitly calls __eq__ to determine if the two objects are actually the same
-            # and that just results in a new AST for a BV. Python then tries to convert that AST to a bool
-            # which fails with the safeguard in claripy.ast.bool.Bool.__bool__.
-            stripped_values_set = {v._apply_to_annotations(lambda alist: None).cache_key for v in values_set}
-            if len(stripped_values_set) > 1:
+        has_top = any(self._is_top_func(v) for v in values_set)
+        if has_top or len(values_set) > self._element_limit:
+            if has_top:
                 ret_val = self._top_func(merged_size * self.state.arch.byte_width)
             else:
-                # Get the AST back from the cache_key
-                ret_val = next(iter(stripped_values_set)).ast
+                # strip annotations from each value and see how many raw values there are in total
+                # We have to use cache_key to determine uniqueness here, because if __hash__ collides,
+                # python implicitly calls __eq__ to determine if the two objects are actually the same
+                # and that just results in a new AST for a BV. Python then tries to convert that AST to a bool
+                # which fails with the safeguard in claripy.ast.bool.Bool.__bool__.
+                stripped_values_set = {v._apply_to_annotations(lambda alist: None).cache_key for v in values_set}
+                if len(stripped_values_set) > 1:
+                    ret_val = self._top_func(merged_size * self.state.arch.byte_width)
+                else:
+                    # Get the AST back from the cache_key
+                    ret_val = next(iter(stripped_values_set)).ast
+
             # migrate annotations
             annotations = []
             annotations_set = set()
@@ -41,6 +50,7 @@ class MultiValueMergerMixin(MemoryMixin):
                         annotations.append(anno)
                         annotations_set.add(anno)
             if annotations:
+                annotations = sorted(annotations, key=str)
                 ret_val = ret_val.annotate(*annotations[: self._annotation_limit])
             merged_val = {ret_val}
         else:
@@ -52,5 +62,6 @@ class MultiValueMergerMixin(MemoryMixin):
         copied._element_limit = self._element_limit
         copied._annotation_limit = self._annotation_limit
         copied._top_func = self._top_func
+        copied._is_top_func = self._is_top_func
         copied._phi_maker = self._phi_maker
         return copied