diff --git a/angr/analyses/cfg/cfg_base.py b/angr/analyses/cfg/cfg_base.py
index 8e51b8b9a29..583db288273 100644
--- a/angr/analyses/cfg/cfg_base.py
+++ b/angr/analyses/cfg/cfg_base.py
@@ -2191,11 +2191,13 @@ def _graph_traversal_handler(self, g, src, dst, data, blockaddr_to_function, kno
 # We may have determined that this does not happen, since the time this path
 # was scheduled for exploration
 called_function = None
+ called_function_addr = None
 # Try to find the call that this fakeret goes with
 for _, d, e in all_edges:
 if e['jumpkind'] == 'Ijk_Call':
 if d.addr in blockaddr_to_function:
 called_function = blockaddr_to_function[d.addr]
+ called_function_addr = d.addr
 break
 # We may have since figured out that the called function doesn't ret.
 # It's important to assume that all unresolved targets do return
@@ -2205,9 +2207,9 @@ def _graph_traversal_handler(self, g, src, dst, data, blockaddr_to_function, kno
 to_outside = not target_function is src_function
- # FIXME: Not sure we should confirm this fakeret or not.
- self.kb.functions._add_fakeret_to(src_function.addr, src_node, dst_node, confirmed=True,
- to_outside=to_outside, to_function_addr=target_function.addr
+ confirmed = called_function is None or called_function.returning is True
+ self.kb.functions._add_fakeret_to(src_function.addr, src_node, dst_node, confirmed=confirmed,
+ to_outside=to_outside, to_function_addr=called_function_addr
 )
 else:
diff --git a/angr/analyses/cfg/cfg_fast.py b/angr/analyses/cfg/cfg_fast.py
index 873be722c48..b50c0879a42 100644
--- a/angr/analyses/cfg/cfg_fast.py
+++ b/angr/analyses/cfg/cfg_fast.py
@@ -1451,7 +1451,7 @@ def _post_analysis(self):
 edges_to_remove = [ ]
 for src, dst, data in all_edges:
 if 'type' in data:
- if data['type'] == 'fake_return' and 'confirmed' not in data:
+ if data['type'] == 'fake_return' and data.get('confirmed', False) is False:
 # Get all possible functions being called here
 target_funcs = [ self.functions.function(addr=func_addr)
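Review bot: In the first cfg_base.py hunk the loop breaks on the first `Ijk_Call` edge whose destination is in `blockaddr_to_function`, so `called_function_addr` records a single callee even when the call site has several call edges. The second hunk then derives `confirmed` from that one function, so the result would depend on the order of `all_edges` if a site can have more than one resolved target; the cfg_fast.py comment "Get all possible functions being called here" suggests it can. Consider collecting every matching callee and confirming the fakeret when any of them returns, or record the limitation with a comment such as `# only the first resolved callee is considered`. The enclosing `_graph_traversal_handler` starts and ends outside the hunk.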
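Review bot: `to_function_addr=called_function_addr` in the second cfg_base.py hunk passes `None` whenever no call edge was matched, whereas the old code always passed `target_function.addr`. The argument's meaning also changes from the function holding the return site to the callee, and whether `_add_fakeret_to` accepts either is not visible in this diff. If the callee address is what is intended, handle the unmatched case explicitly before the call and say so in a comment replacing the removed FIXME, for example `# to_function_addr is the callee; None when the call target is unresolved`. Separately, `called_function.returning is True` leaves a callee whose returning status is still undetermined unconfirmed, which appears to make its fakeret edge a candidate for removal in `CFGFast._post_analysis`; a wrongly dropped edge would hide the fall-through code from later analysis, so that choice deserves a comment as well.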
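Review bot: `data.get('confirmed', False) is False` in `_post_analysis` is an identity test, so an edge whose `confirmed` was stored as `None` or `0` would be skipped as if it were confirmed. The value written by the cfg_base.py change is a real bool, but other writers of this edge attribute are not visible in the diff. `if data['type'] == 'fake_return' and not data.get('confirmed', False):` covers every falsy value and reads more plainly. The body of `_post_analysis` continues outside the hunk.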