Don't route callee-save registers through functions

typetapper/analysis.py

@@ -56,15 +56,23 @@ class TypeTapperAnalysis(angr.Analysis):
                 pred_addr = pred.addr
                 pred_blockinfo = self.manager.block_info[pred_addr]
                 callsite_addr = fakeret_addr if attrs['jumpkind'] == 'Ijk_Ret' else pred_addr if attrs['jumpkind'] in ('Ijk_Call', 'Ijk_FakeRet') else None
+                if attrs['jumpkind'] == 'Ijk_FakeRet':
+                    func_addr = next((succ.function_address for succ, attrs in self._cfg.graph.succ[pred].items() if attrs['jumpkind'] == 'Ijk_Call'), None)
+                elif attrs['jumpkind'] == 'Ijk_Call':
+                    func_addr = node.function_address
+                elif attrs['jumpkind'] == 'Ijk_Ret':
+                    func_addr = pred.function_address
+                else:
+                    func_addr = None
 
                 # TAKE IT BACK NOW Y'ALL
                 for name in node_blockinfo.ready_inputs:
                     input_atom = node_blockinfo.inputs[name]
-                    if attrs['jumpkind'] == 'Ijk_FakeRet':
+                    if func_addr is not None:
                         # determine which registers are clobbered; determine the cc
-                        func_addr: CFGNode = next((succ.addr for succ, attrs in self._cfg.graph.succ[pred].items() if attrs['jumpkind'] == 'Ijk_Call'), None)
                         function = self.kb.functions[func_addr]
-                        if function.calling_convention is None or input_atom.slot_name in function.calling_convention.CALLER_SAVED_REGS:
+                        # cc is None --> assume everything goes in and nothing goes through
+                        if (function.calling_convention is None or input_atom.slot_name in function.calling_convention.CALLER_SAVED_REGS) ^ (attrs['jumpkind'] in ('Ijk_Call', 'Ijk_Ret')):
                             continue
 
                     output_atom = pred_blockinfo.outputs.get(input_atom.slot_name, None)