PyPI - angr - Versions diffs - 9.2.103__py3-none-macosx_11_0_arm64.whl - Mend

angr 9.2.103__py3-none-macosx_11_0_arm64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (1300) hide show

angr/__init__.py +153 -0
angr/__main__.py +59 -0
angr/analyses/__init__.py +46 -0
angr/analyses/analysis.py +359 -0
angr/analyses/backward_slice.py +691 -0
angr/analyses/binary_optimizer.py +683 -0
angr/analyses/bindiff.py +1251 -0
angr/analyses/boyscout.py +77 -0
angr/analyses/callee_cleanup_finder.py +75 -0
angr/analyses/calling_convention.py +956 -0
angr/analyses/cdg.py +197 -0
angr/analyses/cfg/__init__.py +11 -0
angr/analyses/cfg/cfb.py +436 -0
angr/analyses/cfg/cfg.py +73 -0
angr/analyses/cfg/cfg_arch_options.py +82 -0
angr/analyses/cfg/cfg_base.py +2917 -0
angr/analyses/cfg/cfg_emulated.py +3570 -0
angr/analyses/cfg/cfg_fast.py +5053 -0
angr/analyses/cfg/cfg_fast_soot.py +669 -0
angr/analyses/cfg/cfg_job_base.py +204 -0
angr/analyses/cfg/indirect_jump_resolvers/__init__.py +8 -0
angr/analyses/cfg/indirect_jump_resolvers/amd64_elf_got.py +63 -0
angr/analyses/cfg/indirect_jump_resolvers/amd64_pe_iat.py +52 -0
angr/analyses/cfg/indirect_jump_resolvers/arm_elf_fast.py +151 -0
angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py +141 -0
angr/analyses/cfg/indirect_jump_resolvers/default_resolvers.py +68 -0
angr/analyses/cfg/indirect_jump_resolvers/jumptable.py +2368 -0
angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py +517 -0
angr/analyses/cfg/indirect_jump_resolvers/propagator_utils.py +26 -0
angr/analyses/cfg/indirect_jump_resolvers/resolver.py +74 -0
angr/analyses/cfg/indirect_jump_resolvers/x86_elf_pic_plt.py +93 -0
angr/analyses/cfg/indirect_jump_resolvers/x86_pe_iat.py +51 -0
angr/analyses/cfg_slice_to_sink/__init__.py +2 -0
angr/analyses/cfg_slice_to_sink/cfg_slice_to_sink.py +117 -0
angr/analyses/cfg_slice_to_sink/graph.py +84 -0
angr/analyses/cfg_slice_to_sink/transitions.py +25 -0
angr/analyses/class_identifier.py +62 -0
angr/analyses/code_tagging.py +123 -0
angr/analyses/complete_calling_conventions.py +424 -0
angr/analyses/congruency_check.py +384 -0
angr/analyses/data_dep/__init__.py +2 -0
angr/analyses/data_dep/data_dependency_analysis.py +605 -0
angr/analyses/data_dep/dep_nodes.py +170 -0
angr/analyses/data_dep/sim_act_location.py +46 -0
angr/analyses/datagraph_meta.py +105 -0
angr/analyses/ddg.py +1695 -0
angr/analyses/decompiler/__init__.py +13 -0
angr/analyses/decompiler/ail_simplifier.py +1408 -0
angr/analyses/decompiler/ailgraph_walker.py +48 -0
angr/analyses/decompiler/block_io_finder.py +293 -0
angr/analyses/decompiler/block_similarity.py +188 -0
angr/analyses/decompiler/block_simplifier.py +434 -0
angr/analyses/decompiler/call_counter.py +43 -0
angr/analyses/decompiler/callsite_maker.py +403 -0
angr/analyses/decompiler/ccall_rewriters/__init__.py +6 -0
angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py +489 -0
angr/analyses/decompiler/ccall_rewriters/rewriter_base.py +19 -0
angr/analyses/decompiler/clinic.py +2166 -0
angr/analyses/decompiler/condition_processor.py +1184 -0
angr/analyses/decompiler/decompilation_cache.py +38 -0
angr/analyses/decompiler/decompilation_options.py +274 -0
angr/analyses/decompiler/decompiler.py +544 -0
angr/analyses/decompiler/empty_node_remover.py +211 -0
angr/analyses/decompiler/expression_counters.py +76 -0
angr/analyses/decompiler/expression_narrower.py +92 -0
angr/analyses/decompiler/goto_manager.py +73 -0
angr/analyses/decompiler/graph_region.py +413 -0
angr/analyses/decompiler/jump_target_collector.py +36 -0
angr/analyses/decompiler/jumptable_entry_condition_rewriter.py +66 -0
angr/analyses/decompiler/optimization_passes/__init__.py +108 -0
angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py +144 -0
angr/analyses/decompiler/optimization_passes/code_motion.py +360 -0
angr/analyses/decompiler/optimization_passes/const_derefs.py +265 -0
angr/analyses/decompiler/optimization_passes/cross_jump_reverter.py +108 -0
angr/analyses/decompiler/optimization_passes/deadblock_remover.py +73 -0
angr/analyses/decompiler/optimization_passes/div_simplifier.py +391 -0
angr/analyses/decompiler/optimization_passes/engine_base.py +303 -0
angr/analyses/decompiler/optimization_passes/expr_op_swapper.py +136 -0
angr/analyses/decompiler/optimization_passes/flip_boolean_cmp.py +91 -0
angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py +386 -0
angr/analyses/decompiler/optimization_passes/ite_expr_converter.py +226 -0
angr/analyses/decompiler/optimization_passes/ite_region_converter.py +189 -0
angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py +757 -0
angr/analyses/decompiler/optimization_passes/mod_simplifier.py +86 -0
angr/analyses/decompiler/optimization_passes/multi_simplifier.py +227 -0
angr/analyses/decompiler/optimization_passes/optimization_pass.py +397 -0
angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py +198 -0
angr/analyses/decompiler/optimization_passes/ret_addr_save_simplifier.py +172 -0
angr/analyses/decompiler/optimization_passes/ret_deduplicator.py +219 -0
angr/analyses/decompiler/optimization_passes/return_duplicator_base.py +448 -0
angr/analyses/decompiler/optimization_passes/return_duplicator_high.py +57 -0
angr/analyses/decompiler/optimization_passes/return_duplicator_low.py +121 -0
angr/analyses/decompiler/optimization_passes/spilled_register_finder.py +18 -0
angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py +293 -0
angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py +110 -0
angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py +281 -0
angr/analyses/decompiler/optimization_passes/x86_gcc_getpc_simplifier.py +87 -0
angr/analyses/decompiler/peephole_optimizations/__init__.py +69 -0
angr/analyses/decompiler/peephole_optimizations/a_div_const_add_a_mul_n_div_const.py +38 -0
angr/analyses/decompiler/peephole_optimizations/a_mul_const_div_shr_const.py +38 -0
angr/analyses/decompiler/peephole_optimizations/a_shl_const_sub_a.py +31 -0
angr/analyses/decompiler/peephole_optimizations/a_sub_a_div.py +25 -0
angr/analyses/decompiler/peephole_optimizations/a_sub_a_div_const_mul_const.py +56 -0
angr/analyses/decompiler/peephole_optimizations/a_sub_a_sub_n.py +19 -0
angr/analyses/decompiler/peephole_optimizations/arm_cmpf.py +235 -0
angr/analyses/decompiler/peephole_optimizations/base.py +120 -0
angr/analyses/decompiler/peephole_optimizations/basepointeroffset_add_n.py +33 -0
angr/analyses/decompiler/peephole_optimizations/basepointeroffset_and_mask.py +35 -0
angr/analyses/decompiler/peephole_optimizations/bitwise_or_to_logical_or.py +34 -0
angr/analyses/decompiler/peephole_optimizations/bool_expr_xor_1.py +27 -0
angr/analyses/decompiler/peephole_optimizations/bswap.py +131 -0
angr/analyses/decompiler/peephole_optimizations/cmpord_rewriter.py +72 -0
angr/analyses/decompiler/peephole_optimizations/coalesce_same_cascading_ifs.py +27 -0
angr/analyses/decompiler/peephole_optimizations/const_mull_a_shift.py +91 -0
angr/analyses/decompiler/peephole_optimizations/constant_derefs.py +43 -0
angr/analyses/decompiler/peephole_optimizations/conv_a_sub0_shr_and.py +70 -0
angr/analyses/decompiler/peephole_optimizations/conv_shl_shr.py +51 -0
angr/analyses/decompiler/peephole_optimizations/eager_eval.py +225 -0
angr/analyses/decompiler/peephole_optimizations/extended_byte_and_mask.py +55 -0
angr/analyses/decompiler/peephole_optimizations/inlined_strcpy.py +146 -0
angr/analyses/decompiler/peephole_optimizations/inlined_strcpy_consolidation.py +102 -0
angr/analyses/decompiler/peephole_optimizations/inlined_wstrcpy.py +159 -0
angr/analyses/decompiler/peephole_optimizations/invert_negated_logical_conjuction_disjunction.py +50 -0
angr/analyses/decompiler/peephole_optimizations/one_sub_bool.py +33 -0
angr/analyses/decompiler/peephole_optimizations/remove_cascading_conversions.py +19 -0
angr/analyses/decompiler/peephole_optimizations/remove_empty_if_body.py +45 -0
angr/analyses/decompiler/peephole_optimizations/remove_noop_conversions.py +26 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_bitmasks.py +48 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_conversions.py +160 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_ite_branch.py +29 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_ite_comparisons.py +54 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_nots.py +17 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_reinterprets.py +43 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts.py +44 -0
angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts_around_comparators.py +40 -0
angr/analyses/decompiler/peephole_optimizations/rewrite_bit_extractions.py +85 -0
angr/analyses/decompiler/peephole_optimizations/rewrite_mips_gp_loads.py +47 -0
angr/analyses/decompiler/peephole_optimizations/rol_ror.py +77 -0
angr/analyses/decompiler/peephole_optimizations/sar_to_signed_div.py +105 -0
angr/analyses/decompiler/peephole_optimizations/simplify_pc_relative_loads.py +37 -0
angr/analyses/decompiler/peephole_optimizations/single_bit_cond_to_boolexpr.py +52 -0
angr/analyses/decompiler/peephole_optimizations/single_bit_xor.py +26 -0
angr/analyses/decompiler/peephole_optimizations/tidy_stack_addr.py +133 -0
angr/analyses/decompiler/redundant_label_remover.py +116 -0
angr/analyses/decompiler/region_identifier.py +1098 -0
angr/analyses/decompiler/region_simplifiers/__init__.py +1 -0
angr/analyses/decompiler/region_simplifiers/cascading_cond_transformer.py +93 -0
angr/analyses/decompiler/region_simplifiers/cascading_ifs.py +81 -0
angr/analyses/decompiler/region_simplifiers/expr_folding.py +606 -0
angr/analyses/decompiler/region_simplifiers/goto.py +177 -0
angr/analyses/decompiler/region_simplifiers/if_.py +142 -0
angr/analyses/decompiler/region_simplifiers/ifelse.py +90 -0
angr/analyses/decompiler/region_simplifiers/loop.py +135 -0
angr/analyses/decompiler/region_simplifiers/node_address_finder.py +23 -0
angr/analyses/decompiler/region_simplifiers/region_simplifier.py +211 -0
angr/analyses/decompiler/region_simplifiers/switch_cluster_simplifier.py +644 -0
angr/analyses/decompiler/region_simplifiers/switch_expr_simplifier.py +83 -0
angr/analyses/decompiler/region_walker.py +23 -0
angr/analyses/decompiler/return_maker.py +70 -0
angr/analyses/decompiler/seq_to_blocks.py +19 -0
angr/analyses/decompiler/sequence_walker.py +235 -0
angr/analyses/decompiler/structured_codegen/__init__.py +10 -0
angr/analyses/decompiler/structured_codegen/base.py +132 -0
angr/analyses/decompiler/structured_codegen/c.py +3811 -0
angr/analyses/decompiler/structured_codegen/dummy.py +14 -0
angr/analyses/decompiler/structured_codegen/dwarf_import.py +186 -0
angr/analyses/decompiler/structuring/__init__.py +15 -0
angr/analyses/decompiler/structuring/dream.py +1225 -0
angr/analyses/decompiler/structuring/phoenix.py +2546 -0
angr/analyses/decompiler/structuring/recursive_structurer.py +186 -0
angr/analyses/decompiler/structuring/structurer_base.py +954 -0
angr/analyses/decompiler/structuring/structurer_nodes.py +414 -0
angr/analyses/decompiler/utils.py +787 -0
angr/analyses/disassembly.py +1302 -0
angr/analyses/disassembly_utils.py +104 -0
angr/analyses/dominance_frontier.py +39 -0
angr/analyses/find_objects_static.py +203 -0
angr/analyses/flirt.py +185 -0
angr/analyses/forward_analysis/__init__.py +2 -0
angr/analyses/forward_analysis/forward_analysis.py +527 -0
angr/analyses/forward_analysis/job_info.py +64 -0
angr/analyses/forward_analysis/visitors/__init__.py +4 -0
angr/analyses/forward_analysis/visitors/call_graph.py +28 -0
angr/analyses/forward_analysis/visitors/function_graph.py +85 -0
angr/analyses/forward_analysis/visitors/graph.py +250 -0
angr/analyses/forward_analysis/visitors/loop.py +28 -0
angr/analyses/forward_analysis/visitors/single_node_graph.py +38 -0
angr/analyses/identifier/__init__.py +1 -0
angr/analyses/identifier/custom_callable.py +138 -0
angr/analyses/identifier/errors.py +9 -0
angr/analyses/identifier/func.py +57 -0
angr/analyses/identifier/functions/__init__.py +36 -0
angr/analyses/identifier/functions/atoi.py +75 -0
angr/analyses/identifier/functions/based_atoi.py +128 -0
angr/analyses/identifier/functions/fdprintf.py +122 -0
angr/analyses/identifier/functions/free.py +64 -0
angr/analyses/identifier/functions/int2str.py +302 -0
angr/analyses/identifier/functions/malloc.py +113 -0
angr/analyses/identifier/functions/memcmp.py +69 -0
angr/analyses/identifier/functions/memcpy.py +89 -0
angr/analyses/identifier/functions/memset.py +43 -0
angr/analyses/identifier/functions/printf.py +122 -0
angr/analyses/identifier/functions/recv_until.py +315 -0
angr/analyses/identifier/functions/skip_calloc.py +72 -0
angr/analyses/identifier/functions/skip_realloc.py +99 -0
angr/analyses/identifier/functions/skip_recv_n.py +107 -0
angr/analyses/identifier/functions/snprintf.py +114 -0
angr/analyses/identifier/functions/sprintf.py +115 -0
angr/analyses/identifier/functions/strcasecmp.py +32 -0
angr/analyses/identifier/functions/strcmp.py +112 -0
angr/analyses/identifier/functions/strcpy.py +43 -0
angr/analyses/identifier/functions/strlen.py +26 -0
angr/analyses/identifier/functions/strncmp.py +103 -0
angr/analyses/identifier/functions/strncpy.py +65 -0
angr/analyses/identifier/functions/strtol.py +91 -0
angr/analyses/identifier/identify.py +848 -0
angr/analyses/identifier/runner.py +359 -0
angr/analyses/init_finder.py +264 -0
angr/analyses/loop_analysis.py +353 -0
angr/analyses/loopfinder.py +174 -0
angr/analyses/propagator/__init__.py +1 -0
angr/analyses/propagator/engine_ail.py +1560 -0
angr/analyses/propagator/engine_base.py +53 -0
angr/analyses/propagator/engine_vex.py +328 -0
angr/analyses/propagator/outdated_definition_walker.py +158 -0
angr/analyses/propagator/propagator.py +422 -0
angr/analyses/propagator/tmpvar_finder.py +17 -0
angr/analyses/propagator/top_checker_mixin.py +14 -0
angr/analyses/propagator/values.py +116 -0
angr/analyses/propagator/vex_vars.py +67 -0
angr/analyses/proximity_graph.py +452 -0
angr/analyses/reaching_definitions/__init__.py +65 -0
angr/analyses/reaching_definitions/call_trace.py +72 -0
angr/analyses/reaching_definitions/dep_graph.py +392 -0
angr/analyses/reaching_definitions/engine_ail.py +1172 -0
angr/analyses/reaching_definitions/engine_vex.py +1102 -0
angr/analyses/reaching_definitions/external_codeloc.py +0 -0
angr/analyses/reaching_definitions/function_handler.py +603 -0
angr/analyses/reaching_definitions/heap_allocator.py +69 -0
angr/analyses/reaching_definitions/rd_initializer.py +235 -0
angr/analyses/reaching_definitions/rd_state.py +613 -0
angr/analyses/reaching_definitions/reaching_definitions.py +594 -0
angr/analyses/reaching_definitions/subject.py +64 -0
angr/analyses/reassembler.py +2970 -0
angr/analyses/soot_class_hierarchy.py +283 -0
angr/analyses/stack_pointer_tracker.py +832 -0
angr/analyses/static_hooker.py +51 -0
angr/analyses/typehoon/__init__.py +1 -0
angr/analyses/typehoon/dfa.py +108 -0
angr/analyses/typehoon/lifter.py +91 -0
angr/analyses/typehoon/simple_solver.py +1258 -0
angr/analyses/typehoon/translator.py +242 -0
angr/analyses/typehoon/typeconsts.py +294 -0
angr/analyses/typehoon/typehoon.py +239 -0
angr/analyses/typehoon/typevars.py +565 -0
angr/analyses/typehoon/variance.py +10 -0
angr/analyses/variable_recovery/__init__.py +2 -0
angr/analyses/variable_recovery/annotations.py +57 -0
angr/analyses/variable_recovery/engine_ail.py +746 -0
angr/analyses/variable_recovery/engine_base.py +962 -0
angr/analyses/variable_recovery/engine_vex.py +580 -0
angr/analyses/variable_recovery/irsb_scanner.py +131 -0
angr/analyses/variable_recovery/variable_recovery.py +552 -0
angr/analyses/variable_recovery/variable_recovery_base.py +452 -0
angr/analyses/variable_recovery/variable_recovery_fast.py +589 -0
angr/analyses/veritesting.py +635 -0
angr/analyses/vfg.py +1945 -0
angr/analyses/vsa_ddg.py +423 -0
angr/analyses/vtable.py +92 -0
angr/analyses/xrefs.py +263 -0
angr/angrdb/__init__.py +9 -0
angr/angrdb/db.py +208 -0
angr/angrdb/models.py +183 -0
angr/angrdb/serializers/__init__.py +2 -0
angr/angrdb/serializers/cfg_model.py +41 -0
angr/angrdb/serializers/comments.py +59 -0
angr/angrdb/serializers/funcs.py +60 -0
angr/angrdb/serializers/kb.py +110 -0
angr/angrdb/serializers/labels.py +58 -0
angr/angrdb/serializers/loader.py +81 -0
angr/angrdb/serializers/structured_code.py +128 -0
angr/angrdb/serializers/variables.py +58 -0
angr/angrdb/serializers/xrefs.py +48 -0
angr/annocfg.py +320 -0
angr/blade.py +430 -0
angr/block.py +506 -0
angr/callable.py +162 -0
angr/calling_conventions.py +2383 -0
angr/code_location.py +168 -0
angr/codenode.py +140 -0
angr/concretization_strategies/__init__.py +97 -0
angr/concretization_strategies/any.py +15 -0
angr/concretization_strategies/any_named.py +32 -0
angr/concretization_strategies/controlled_data.py +54 -0
angr/concretization_strategies/eval.py +18 -0
angr/concretization_strategies/logging.py +32 -0
angr/concretization_strategies/max.py +24 -0
angr/concretization_strategies/nonzero.py +14 -0
angr/concretization_strategies/nonzero_range.py +20 -0
angr/concretization_strategies/norepeats.py +35 -0
angr/concretization_strategies/norepeats_range.py +35 -0
angr/concretization_strategies/range.py +17 -0
angr/concretization_strategies/signed_add.py +24 -0
angr/concretization_strategies/single.py +12 -0
angr/concretization_strategies/solutions.py +18 -0
angr/concretization_strategies/unlimited_range.py +15 -0
angr/distributed/__init__.py +3 -0
angr/distributed/server.py +198 -0
angr/distributed/worker.py +183 -0
angr/engines/__init__.py +41 -0
angr/engines/concrete.py +178 -0
angr/engines/engine.py +212 -0
angr/engines/failure.py +27 -0
angr/engines/hook.py +67 -0
angr/engines/light/__init__.py +2 -0
angr/engines/light/data.py +715 -0
angr/engines/light/engine.py +1441 -0
angr/engines/pcode/__init__.py +2 -0
angr/engines/pcode/behavior.py +995 -0
angr/engines/pcode/cc.py +123 -0
angr/engines/pcode/emulate.py +446 -0
angr/engines/pcode/engine.py +256 -0
angr/engines/pcode/lifter.py +1423 -0
angr/engines/procedure.py +71 -0
angr/engines/soot/__init__.py +1 -0
angr/engines/soot/engine.py +415 -0
angr/engines/soot/exceptions.py +14 -0
angr/engines/soot/expressions/__init__.py +56 -0
angr/engines/soot/expressions/arrayref.py +21 -0
angr/engines/soot/expressions/base.py +22 -0
angr/engines/soot/expressions/binop.py +27 -0
angr/engines/soot/expressions/cast.py +21 -0
angr/engines/soot/expressions/condition.py +34 -0
angr/engines/soot/expressions/constants.py +45 -0
angr/engines/soot/expressions/instanceOf.py +11 -0
angr/engines/soot/expressions/instancefieldref.py +7 -0
angr/engines/soot/expressions/invoke.py +117 -0
angr/engines/soot/expressions/length.py +7 -0
angr/engines/soot/expressions/local.py +7 -0
angr/engines/soot/expressions/new.py +15 -0
angr/engines/soot/expressions/newArray.py +51 -0
angr/engines/soot/expressions/newMultiArray.py +84 -0
angr/engines/soot/expressions/paramref.py +7 -0
angr/engines/soot/expressions/phi.py +29 -0
angr/engines/soot/expressions/staticfieldref.py +7 -0
angr/engines/soot/expressions/thisref.py +6 -0
angr/engines/soot/expressions/unsupported.py +6 -0
angr/engines/soot/field_dispatcher.py +49 -0
angr/engines/soot/method_dispatcher.py +49 -0
angr/engines/soot/statements/__init__.py +30 -0
angr/engines/soot/statements/assign.py +29 -0
angr/engines/soot/statements/base.py +80 -0
angr/engines/soot/statements/goto.py +11 -0
angr/engines/soot/statements/identity.py +14 -0
angr/engines/soot/statements/if_.py +16 -0
angr/engines/soot/statements/invoke.py +11 -0
angr/engines/soot/statements/return_.py +19 -0
angr/engines/soot/statements/switch.py +38 -0
angr/engines/soot/statements/throw.py +12 -0
angr/engines/soot/values/__init__.py +24 -0
angr/engines/soot/values/arrayref.py +124 -0
angr/engines/soot/values/base.py +4 -0
angr/engines/soot/values/constants.py +17 -0
angr/engines/soot/values/instancefieldref.py +42 -0
angr/engines/soot/values/local.py +17 -0
angr/engines/soot/values/paramref.py +17 -0
angr/engines/soot/values/staticfieldref.py +37 -0
angr/engines/soot/values/strref.py +37 -0
angr/engines/soot/values/thisref.py +148 -0
angr/engines/successors.py +540 -0
angr/engines/syscall.py +53 -0
angr/engines/unicorn.py +483 -0
angr/engines/vex/__init__.py +4 -0
angr/engines/vex/claripy/__init__.py +1 -0
angr/engines/vex/claripy/ccall.py +2097 -0
angr/engines/vex/claripy/datalayer.py +149 -0
angr/engines/vex/claripy/irop.py +1279 -0
angr/engines/vex/heavy/__init__.py +5 -0
angr/engines/vex/heavy/actions.py +237 -0
angr/engines/vex/heavy/concretizers.py +394 -0
angr/engines/vex/heavy/dirty.py +467 -0
angr/engines/vex/heavy/heavy.py +379 -0
angr/engines/vex/heavy/inspect.py +51 -0
angr/engines/vex/heavy/resilience.py +85 -0
angr/engines/vex/heavy/super_fastpath.py +34 -0
angr/engines/vex/lifter.py +424 -0
angr/engines/vex/light/__init__.py +3 -0
angr/engines/vex/light/light.py +555 -0
angr/engines/vex/light/resilience.py +73 -0
angr/engines/vex/light/slicing.py +51 -0
angr/errors.py +604 -0
angr/exploration_techniques/__init__.py +176 -0
angr/exploration_techniques/bucketizer.py +96 -0
angr/exploration_techniques/common.py +56 -0
angr/exploration_techniques/dfs.py +34 -0
angr/exploration_techniques/director.py +523 -0
angr/exploration_techniques/driller_core.py +102 -0
angr/exploration_techniques/explorer.py +146 -0
angr/exploration_techniques/lengthlimiter.py +20 -0
angr/exploration_techniques/local_loop_seer.py +64 -0
angr/exploration_techniques/loop_seer.py +239 -0
angr/exploration_techniques/manual_mergepoint.py +80 -0
angr/exploration_techniques/memory_watcher.py +40 -0
angr/exploration_techniques/oppologist.py +93 -0
angr/exploration_techniques/slicecutor.py +115 -0
angr/exploration_techniques/spiller.py +282 -0
angr/exploration_techniques/spiller_db.py +27 -0
angr/exploration_techniques/stochastic.py +57 -0
angr/exploration_techniques/suggestions.py +156 -0
angr/exploration_techniques/symbion.py +78 -0
angr/exploration_techniques/tech_builder.py +47 -0
angr/exploration_techniques/threading.py +77 -0
angr/exploration_techniques/timeout.py +31 -0
angr/exploration_techniques/tracer.py +1101 -0
angr/exploration_techniques/unique.py +104 -0
angr/exploration_techniques/veritesting.py +36 -0
angr/factory.py +385 -0
angr/flirt/__init__.py +126 -0
angr/flirt/build_sig.py +316 -0
angr/graph_utils.py +0 -0
angr/keyed_region.py +532 -0
angr/knowledge_base/__init__.py +1 -0
angr/knowledge_base/knowledge_base.py +145 -0
angr/knowledge_plugins/__init__.py +18 -0
angr/knowledge_plugins/callsite_prototypes.py +52 -0
angr/knowledge_plugins/cfg/__init__.py +16 -0
angr/knowledge_plugins/cfg/cfg_manager.py +94 -0
angr/knowledge_plugins/cfg/cfg_model.py +1057 -0
angr/knowledge_plugins/cfg/cfg_node.py +541 -0
angr/knowledge_plugins/cfg/indirect_jump.py +67 -0
angr/knowledge_plugins/cfg/memory_data.py +156 -0
angr/knowledge_plugins/comments.py +15 -0
angr/knowledge_plugins/custom_strings.py +37 -0
angr/knowledge_plugins/data.py +21 -0
angr/knowledge_plugins/debug_variables.py +221 -0
angr/knowledge_plugins/functions/__init__.py +2 -0
angr/knowledge_plugins/functions/function.py +1694 -0
angr/knowledge_plugins/functions/function_manager.py +501 -0
angr/knowledge_plugins/functions/function_parser.py +295 -0
angr/knowledge_plugins/functions/soot_function.py +131 -0
angr/knowledge_plugins/indirect_jumps.py +34 -0
angr/knowledge_plugins/key_definitions/__init__.py +16 -0
angr/knowledge_plugins/key_definitions/atoms.py +314 -0
angr/knowledge_plugins/key_definitions/constants.py +23 -0
angr/knowledge_plugins/key_definitions/definition.py +217 -0
angr/knowledge_plugins/key_definitions/environment.py +92 -0
angr/knowledge_plugins/key_definitions/heap_address.py +32 -0
angr/knowledge_plugins/key_definitions/key_definition_manager.py +81 -0
angr/knowledge_plugins/key_definitions/live_definitions.py +1074 -0
angr/knowledge_plugins/key_definitions/liveness.py +170 -0
angr/knowledge_plugins/key_definitions/rd_model.py +176 -0
angr/knowledge_plugins/key_definitions/tag.py +77 -0
angr/knowledge_plugins/key_definitions/undefined.py +67 -0
angr/knowledge_plugins/key_definitions/unknown_size.py +83 -0
angr/knowledge_plugins/key_definitions/uses.py +180 -0
angr/knowledge_plugins/labels.py +109 -0
angr/knowledge_plugins/patches.py +125 -0
angr/knowledge_plugins/plugin.py +23 -0
angr/knowledge_plugins/propagations/__init__.py +2 -0
angr/knowledge_plugins/propagations/prop_value.py +193 -0
angr/knowledge_plugins/propagations/propagation_manager.py +60 -0
angr/knowledge_plugins/propagations/propagation_model.py +74 -0
angr/knowledge_plugins/propagations/states.py +1064 -0
angr/knowledge_plugins/structured_code/__init__.py +1 -0
angr/knowledge_plugins/structured_code/manager.py +59 -0
angr/knowledge_plugins/sync/__init__.py +1 -0
angr/knowledge_plugins/sync/sync_controller.py +329 -0
angr/knowledge_plugins/types.py +87 -0
angr/knowledge_plugins/variables/__init__.py +1 -0
angr/knowledge_plugins/variables/variable_access.py +114 -0
angr/knowledge_plugins/variables/variable_manager.py +1191 -0
angr/knowledge_plugins/xrefs/__init__.py +3 -0
angr/knowledge_plugins/xrefs/xref.py +157 -0
angr/knowledge_plugins/xrefs/xref_manager.py +122 -0
angr/knowledge_plugins/xrefs/xref_types.py +13 -0
angr/lib/angr_native.dylib +0 -0
angr/misc/__init__.py +8 -0
angr/misc/ansi.py +46 -0
angr/misc/autoimport.py +89 -0
angr/misc/bug_report.py +125 -0
angr/misc/hookset.py +106 -0
angr/misc/import_hooks.py +63 -0
angr/misc/loggers.py +130 -0
angr/misc/picklable_lock.py +45 -0
angr/misc/plugins.py +291 -0
angr/misc/range.py +21 -0
angr/misc/testing.py +23 -0
angr/misc/ux.py +31 -0
angr/misc/weakpatch.py +58 -0
angr/procedures/__init__.py +2 -0
angr/procedures/advapi32/__init__.py +0 -0
angr/procedures/cgc/__init__.py +3 -0
angr/procedures/cgc/_terminate.py +10 -0
angr/procedures/cgc/allocate.py +76 -0
angr/procedures/cgc/deallocate.py +59 -0
angr/procedures/cgc/fdwait.py +62 -0
angr/procedures/cgc/random.py +60 -0
angr/procedures/cgc/receive.py +91 -0
angr/procedures/cgc/transmit.py +63 -0
angr/procedures/definitions/__init__.py +784 -0
angr/procedures/definitions/cgc.py +19 -0
angr/procedures/definitions/glibc.py +8384 -0
angr/procedures/definitions/gnulib.py +35 -0
angr/procedures/definitions/libstdcpp.py +20 -0
angr/procedures/definitions/linux_kernel.py +6167 -0
angr/procedures/definitions/linux_loader.py +6 -0
angr/procedures/definitions/msvcr.py +15 -0
angr/procedures/definitions/parse_syscalls_from_local_system.py +49 -0
angr/procedures/definitions/parse_win32json.py +2556 -0
angr/procedures/definitions/types_win32.py +34481 -0
angr/procedures/definitions/wdk_api-ms-win-dx-d3dkmt-l1-1-4.py +44 -0
angr/procedures/definitions/wdk_api-ms-win-dx-d3dkmt-l1-1-6.py +40 -0
angr/procedures/definitions/wdk_clfs.py +154 -0
angr/procedures/definitions/wdk_fltmgr.py +570 -0
angr/procedures/definitions/wdk_fwpkclnt.py +44 -0
angr/procedures/definitions/wdk_fwpuclnt.py +330 -0
angr/procedures/definitions/wdk_gdi32.py +380 -0
angr/procedures/definitions/wdk_hal.py +92 -0
angr/procedures/definitions/wdk_ksecdd.py +76 -0
angr/procedures/definitions/wdk_ndis.py +252 -0
angr/procedures/definitions/wdk_ntoskrnl.py +3463 -0
angr/procedures/definitions/wdk_offreg.py +86 -0
angr/procedures/definitions/wdk_pshed.py +50 -0
angr/procedures/definitions/wdk_secur32.py +54 -0
angr/procedures/definitions/wdk_vhfum.py +48 -0
angr/procedures/definitions/win32_aclui.py +44 -0
angr/procedures/definitions/win32_activeds.py +82 -0
angr/procedures/definitions/win32_advapi32.py +1698 -0
angr/procedures/definitions/win32_advpack.py +138 -0
angr/procedures/definitions/win32_amsi.py +52 -0
angr/procedures/definitions/win32_api-ms-win-appmodel-runtime-l1-1-1.py +58 -0
angr/procedures/definitions/win32_api-ms-win-appmodel-runtime-l1-1-3.py +48 -0
angr/procedures/definitions/win32_api-ms-win-appmodel-runtime-l1-1-6.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-apiquery-l2-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-backgroundtask-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-comm-l1-1-1.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-comm-l1-1-2.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-enclave-l1-1-1.py +44 -0
angr/procedures/definitions/win32_api-ms-win-core-errorhandling-l1-1-3.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-featurestaging-l1-1-0.py +48 -0
angr/procedures/definitions/win32_api-ms-win-core-featurestaging-l1-1-1.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-file-fromapp-l1-1-0.py +60 -0
angr/procedures/definitions/win32_api-ms-win-core-handle-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-ioring-l1-1-0.py +62 -0
angr/procedures/definitions/win32_api-ms-win-core-marshal-l1-1-0.py +46 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-3.py +46 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-4.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-5.py +44 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-6.py +46 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-7.py +42 -0
angr/procedures/definitions/win32_api-ms-win-core-memory-l1-1-8.py +44 -0
angr/procedures/definitions/win32_api-ms-win-core-path-l1-1-0.py +82 -0
angr/procedures/definitions/win32_api-ms-win-core-psm-appnotify-l1-1-0.py +42 -0
angr/procedures/definitions/win32_api-ms-win-core-psm-appnotify-l1-1-1.py +42 -0
angr/procedures/definitions/win32_api-ms-win-core-realtime-l1-1-1.py +44 -0
angr/procedures/definitions/win32_api-ms-win-core-realtime-l1-1-2.py +44 -0
angr/procedures/definitions/win32_api-ms-win-core-slapi-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-state-helpers-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-synch-l1-2-0.py +44 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-3.py +42 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-4.py +42 -0
angr/procedures/definitions/win32_api-ms-win-core-sysinfo-l1-2-6.py +40 -0
angr/procedures/definitions/win32_api-ms-win-core-util-l1-1-1.py +42 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-error-l1-1-0.py +43 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-error-l1-1-1.py +37 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-l1-1-0.py +39 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-registration-l1-1-0.py +23 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-robuffer-l1-1-0.py +23 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-roparameterizediid-l1-1-0.py +27 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-string-l1-1-0.py +75 -0
angr/procedures/definitions/win32_api-ms-win-core-winrt-string-l1-1-1.py +23 -0
angr/procedures/definitions/win32_api-ms-win-core-wow64-l1-1-1.py +44 -0
angr/procedures/definitions/win32_api-ms-win-devices-query-l1-1-0.py +56 -0
angr/procedures/definitions/win32_api-ms-win-devices-query-l1-1-1.py +48 -0
angr/procedures/definitions/win32_api-ms-win-dx-d3dkmt-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-gaming-deviceinformation-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-gaming-expandedresources-l1-1-0.py +44 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-0.py +52 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-1.py +42 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-2.py +52 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-3.py +42 -0
angr/procedures/definitions/win32_api-ms-win-gaming-tcui-l1-1-4.py +54 -0
angr/procedures/definitions/win32_api-ms-win-mm-misc-l1-1-1.py +40 -0
angr/procedures/definitions/win32_api-ms-win-net-isolation-l1-1-0.py +54 -0
angr/procedures/definitions/win32_api-ms-win-security-base-l1-2-2.py +40 -0
angr/procedures/definitions/win32_api-ms-win-security-isolatedcontainer-l1-1-0.py +40 -0
angr/procedures/definitions/win32_api-ms-win-security-isolatedcontainer-l1-1-1.py +40 -0
angr/procedures/definitions/win32_api-ms-win-service-core-l1-1-3.py +40 -0
angr/procedures/definitions/win32_api-ms-win-service-core-l1-1-4.py +40 -0
angr/procedures/definitions/win32_api-ms-win-service-core-l1-1-5.py +42 -0
angr/procedures/definitions/win32_api-ms-win-shcore-scaling-l1-1-0.py +44 -0
angr/procedures/definitions/win32_api-ms-win-shcore-scaling-l1-1-1.py +50 -0
angr/procedures/definitions/win32_api-ms-win-shcore-scaling-l1-1-2.py +40 -0
angr/procedures/definitions/win32_api-ms-win-shcore-stream-winrt-l1-1-0.py +27 -0
angr/procedures/definitions/win32_api-ms-win-wsl-api-l1-1-0.py +52 -0
angr/procedures/definitions/win32_apphelp.py +40 -0
angr/procedures/definitions/win32_authz.py +104 -0
angr/procedures/definitions/win32_avicap32.py +46 -0
angr/procedures/definitions/win32_avifil32.py +158 -0
angr/procedures/definitions/win32_avrt.py +66 -0
angr/procedures/definitions/win32_bcp47mrm.py +42 -0
angr/procedures/definitions/win32_bcrypt.py +144 -0
angr/procedures/definitions/win32_bcryptprimitives.py +42 -0
angr/procedures/definitions/win32_bluetoothapis.py +120 -0
angr/procedures/definitions/win32_bthprops.py +33 -0
angr/procedures/definitions/win32_bthprops_cpl.py +50 -0
angr/procedures/definitions/win32_cabinet.py +82 -0
angr/procedures/definitions/win32_certadm.py +74 -0
angr/procedures/definitions/win32_certpoleng.py +54 -0
angr/procedures/definitions/win32_cfgmgr32.py +516 -0
angr/procedures/definitions/win32_chakra.py +212 -0
angr/procedures/definitions/win32_cldapi.py +110 -0
angr/procedures/definitions/win32_clfsw32.py +156 -0
angr/procedures/definitions/win32_clusapi.py +598 -0
angr/procedures/definitions/win32_comctl32.py +268 -0
angr/procedures/definitions/win32_comdlg32.py +80 -0
angr/procedures/definitions/win32_compstui.py +46 -0
angr/procedures/definitions/win32_computecore.py +146 -0
angr/procedures/definitions/win32_computenetwork.py +124 -0
angr/procedures/definitions/win32_computestorage.py +62 -0
angr/procedures/definitions/win32_comsvcs.py +52 -0
angr/procedures/definitions/win32_coremessaging.py +23 -0
angr/procedures/definitions/win32_credui.py +76 -0
angr/procedures/definitions/win32_crypt32.py +496 -0
angr/procedures/definitions/win32_cryptnet.py +48 -0
angr/procedures/definitions/win32_cryptui.py +58 -0
angr/procedures/definitions/win32_cryptxml.py +76 -0
angr/procedures/definitions/win32_cscapi.py +46 -0
angr/procedures/definitions/win32_d2d1.py +64 -0
angr/procedures/definitions/win32_d3d10.py +92 -0
angr/procedures/definitions/win32_d3d10_1.py +42 -0
angr/procedures/definitions/win32_d3d11.py +44 -0
angr/procedures/definitions/win32_d3d12.py +54 -0
angr/procedures/definitions/win32_d3d9.py +60 -0
angr/procedures/definitions/win32_d3dcompiler_47.py +90 -0
angr/procedures/definitions/win32_d3dcsx.py +56 -0
angr/procedures/definitions/win32_davclnt.py +74 -0
angr/procedures/definitions/win32_dbgeng.py +46 -0
angr/procedures/definitions/win32_dbghelp.py +476 -0
angr/procedures/definitions/win32_dbgmodel.py +40 -0
angr/procedures/definitions/win32_dciman32.py +78 -0
angr/procedures/definitions/win32_dcomp.py +62 -0
angr/procedures/definitions/win32_ddraw.py +52 -0
angr/procedures/definitions/win32_deviceaccess.py +40 -0
angr/procedures/definitions/win32_dflayout.py +40 -0
angr/procedures/definitions/win32_dhcpcsvc.py +68 -0
angr/procedures/definitions/win32_dhcpcsvc6.py +50 -0
angr/procedures/definitions/win32_dhcpsapi.py +430 -0
angr/procedures/definitions/win32_diagnosticdataquery.py +108 -0
angr/procedures/definitions/win32_dinput8.py +40 -0
angr/procedures/definitions/win32_directml.py +42 -0
angr/procedures/definitions/win32_dmprocessxmlfiltered.py +40 -0
angr/procedures/definitions/win32_dnsapi.py +166 -0
angr/procedures/definitions/win32_drt.py +70 -0
angr/procedures/definitions/win32_drtprov.py +56 -0
angr/procedures/definitions/win32_drttransport.py +42 -0
angr/procedures/definitions/win32_dsound.py +58 -0
angr/procedures/definitions/win32_dsparse.py +76 -0
angr/procedures/definitions/win32_dsprop.py +52 -0
angr/procedures/definitions/win32_dssec.py +46 -0
angr/procedures/definitions/win32_dsuiext.py +46 -0
angr/procedures/definitions/win32_dwmapi.py +100 -0
angr/procedures/definitions/win32_dwrite.py +40 -0
angr/procedures/definitions/win32_dxcompiler.py +42 -0
angr/procedures/definitions/win32_dxcore.py +40 -0
angr/procedures/definitions/win32_dxgi.py +50 -0
angr/procedures/definitions/win32_dxva2.py +114 -0
angr/procedures/definitions/win32_eappcfg.py +66 -0
angr/procedures/definitions/win32_eappprxy.py +74 -0
angr/procedures/definitions/win32_efswrt.py +42 -0
angr/procedures/definitions/win32_elscore.py +48 -0
angr/procedures/definitions/win32_esent.py +496 -0
angr/procedures/definitions/win32_evr.py +52 -0
angr/procedures/definitions/win32_faultrep.py +46 -0
angr/procedures/definitions/win32_fhsvcctl.py +52 -0
angr/procedures/definitions/win32_firewallapi.py +44 -0
angr/procedures/definitions/win32_fltlib.py +94 -0
angr/procedures/definitions/win32_fontsub.py +42 -0
angr/procedures/definitions/win32_forceinline.py +44 -0
angr/procedures/definitions/win32_fwpuclnt.py +422 -0
angr/procedures/definitions/win32_fxsutility.py +42 -0
angr/procedures/definitions/win32_gdi32.py +900 -0
angr/procedures/definitions/win32_gdiplus.py +1296 -0
angr/procedures/definitions/win32_glu32.py +142 -0
angr/procedures/definitions/win32_gpedit.py +50 -0
angr/procedures/definitions/win32_hhctrl_ocx.py +42 -0
angr/procedures/definitions/win32_hid.py +128 -0
angr/procedures/definitions/win32_hlink.py +94 -0
angr/procedures/definitions/win32_hrtfapo.py +40 -0
angr/procedures/definitions/win32_httpapi.py +124 -0
angr/procedures/definitions/win32_icm32.py +80 -0
angr/procedures/definitions/win32_icmui.py +42 -0
angr/procedures/definitions/win32_icu.py +2088 -0
angr/procedures/definitions/win32_ieframe.py +96 -0
angr/procedures/definitions/win32_imagehlp.py +90 -0
angr/procedures/definitions/win32_imgutil.py +56 -0
angr/procedures/definitions/win32_imm32.py +202 -0
angr/procedures/definitions/win32_infocardapi.py +72 -0
angr/procedures/definitions/win32_inkobjcore.py +92 -0
angr/procedures/definitions/win32_iphlpapi.py +440 -0
angr/procedures/definitions/win32_iscsidsc.py +196 -0
angr/procedures/definitions/win32_isolatedwindowsenvironmentutils.py +42 -0
angr/procedures/definitions/win32_kernel32.py +3199 -0
angr/procedures/definitions/win32_kernelbase.py +50 -0
angr/procedures/definitions/win32_keycredmgr.py +46 -0
angr/procedures/definitions/win32_ksproxy_ax.py +50 -0
angr/procedures/definitions/win32_ksuser.py +54 -0
angr/procedures/definitions/win32_ktmw32.py +116 -0
angr/procedures/definitions/win32_licenseprotection.py +42 -0
angr/procedures/definitions/win32_loadperf.py +62 -0
angr/procedures/definitions/win32_magnification.py +76 -0
angr/procedures/definitions/win32_mapi32.py +170 -0
angr/procedures/definitions/win32_mdmlocalmanagement.py +44 -0
angr/procedures/definitions/win32_mdmregistration.py +68 -0
angr/procedures/definitions/win32_mf.py +162 -0
angr/procedures/definitions/win32_mfcore.py +42 -0
angr/procedures/definitions/win32_mfplat.py +328 -0
angr/procedures/definitions/win32_mfplay.py +40 -0
angr/procedures/definitions/win32_mfreadwrite.py +48 -0
angr/procedures/definitions/win32_mfsensorgroup.py +58 -0
angr/procedures/definitions/win32_mfsrcsnk.py +42 -0
angr/procedures/definitions/win32_mgmtapi.py +56 -0
angr/procedures/definitions/win32_mi.py +40 -0
angr/procedures/definitions/win32_mmdevapi.py +40 -0
angr/procedures/definitions/win32_mpr.py +132 -0
angr/procedures/definitions/win32_mprapi.py +262 -0
angr/procedures/definitions/win32_mqrt.py +106 -0
angr/procedures/definitions/win32_mrmsupport.py +92 -0
angr/procedures/definitions/win32_msacm32.py +122 -0
angr/procedures/definitions/win32_msajapi.py +1132 -0
angr/procedures/definitions/win32_mscms.py +196 -0
angr/procedures/definitions/win32_mscoree.py +92 -0
angr/procedures/definitions/win32_msctfmonitor.py +44 -0
angr/procedures/definitions/win32_msdelta.py +70 -0
angr/procedures/definitions/win32_msdmo.py +60 -0
angr/procedures/definitions/win32_msdrm.py +206 -0
angr/procedures/definitions/win32_msi.py +566 -0
angr/procedures/definitions/win32_msimg32.py +44 -0
angr/procedures/definitions/win32_mspatcha.py +70 -0
angr/procedures/definitions/win32_mspatchc.py +56 -0
angr/procedures/definitions/win32_msports.py +52 -0
angr/procedures/definitions/win32_msrating.py +76 -0
angr/procedures/definitions/win32_mssign32.py +58 -0
angr/procedures/definitions/win32_mstask.py +42 -0
angr/procedures/definitions/win32_msvfw32.py +124 -0
angr/procedures/definitions/win32_mswsock.py +70 -0
angr/procedures/definitions/win32_mtxdm.py +40 -0
angr/procedures/definitions/win32_ncrypt.py +116 -0
angr/procedures/definitions/win32_ndfapi.py +70 -0
angr/procedures/definitions/win32_netapi32.py +450 -0
angr/procedures/definitions/win32_netsh.py +54 -0
angr/procedures/definitions/win32_netshell.py +42 -0
angr/procedures/definitions/win32_newdev.py +60 -0
angr/procedures/definitions/win32_ninput.py +98 -0
angr/procedures/definitions/win32_normaliz.py +42 -0
angr/procedures/definitions/win32_ntdll.py +185 -0
angr/procedures/definitions/win32_ntdllk.py +40 -0
angr/procedures/definitions/win32_ntdsapi.py +200 -0
angr/procedures/definitions/win32_ntlanman.py +58 -0
angr/procedures/definitions/win32_odbc32.py +406 -0
angr/procedures/definitions/win32_odbcbcp.py +92 -0
angr/procedures/definitions/win32_ole32.py +672 -0
angr/procedures/definitions/win32_oleacc.py +72 -0
angr/procedures/definitions/win32_oleaut32.py +848 -0
angr/procedures/definitions/win32_oledlg.py +84 -0
angr/procedures/definitions/win32_ondemandconnroutehelper.py +48 -0
angr/procedures/definitions/win32_opengl32.py +748 -0
angr/procedures/definitions/win32_opmxbox.py +44 -0
angr/procedures/definitions/win32_p2p.py +254 -0
angr/procedures/definitions/win32_p2pgraph.py +112 -0
angr/procedures/definitions/win32_pdh.py +234 -0
angr/procedures/definitions/win32_peerdist.py +94 -0
angr/procedures/definitions/win32_powrprof.py +206 -0
angr/procedures/definitions/win32_prntvpt.py +60 -0
angr/procedures/definitions/win32_projectedfslib.py +76 -0
angr/procedures/definitions/win32_propsys.py +474 -0
angr/procedures/definitions/win32_psapi.py +92 -0
angr/procedures/definitions/win32_quartz.py +42 -0
angr/procedures/definitions/win32_query.py +46 -0
angr/procedures/definitions/win32_qwave.py +60 -0
angr/procedures/definitions/win32_rasapi32.py +206 -0
angr/procedures/definitions/win32_rasdlg.py +50 -0
angr/procedures/definitions/win32_resutils.py +278 -0
angr/procedures/definitions/win32_rometadata.py +23 -0
angr/procedures/definitions/win32_rpcns4.py +160 -0
angr/procedures/definitions/win32_rpcproxy.py +46 -0
angr/procedures/definitions/win32_rpcrt4.py +932 -0
angr/procedures/definitions/win32_rstrtmgr.py +60 -0
angr/procedures/definitions/win32_rtm.py +190 -0
angr/procedures/definitions/win32_rtutils.py +120 -0
angr/procedures/definitions/win32_rtworkq.py +104 -0
angr/procedures/definitions/win32_sas.py +40 -0
angr/procedures/definitions/win32_scarddlg.py +48 -0
angr/procedures/definitions/win32_schannel.py +56 -0
angr/procedures/definitions/win32_sechost.py +42 -0
angr/procedures/definitions/win32_secur32.py +216 -0
angr/procedures/definitions/win32_sensapi.py +44 -0
angr/procedures/definitions/win32_sensorsutilsv2.py +118 -0
angr/procedures/definitions/win32_setupapi.py +706 -0
angr/procedures/definitions/win32_sfc.py +50 -0
angr/procedures/definitions/win32_shdocvw.py +44 -0
angr/procedures/definitions/win32_shell32.py +526 -0
angr/procedures/definitions/win32_shlwapi.py +758 -0
angr/procedures/definitions/win32_slc.py +102 -0
angr/procedures/definitions/win32_slcext.py +46 -0
angr/procedures/definitions/win32_slwga.py +40 -0
angr/procedures/definitions/win32_snmpapi.py +90 -0
angr/procedures/definitions/win32_spoolss.py +90 -0
angr/procedures/definitions/win32_srclient.py +40 -0
angr/procedures/definitions/win32_srpapi.py +60 -0
angr/procedures/definitions/win32_sspicli.py +52 -0
angr/procedures/definitions/win32_sti.py +40 -0
angr/procedures/definitions/win32_t2embed.py +66 -0
angr/procedures/definitions/win32_tapi32.py +536 -0
angr/procedures/definitions/win32_tbs.py +66 -0
angr/procedures/definitions/win32_tdh.py +92 -0
angr/procedures/definitions/win32_tokenbinding.py +58 -0
angr/procedures/definitions/win32_traffic.py +78 -0
angr/procedures/definitions/win32_txfw32.py +56 -0
angr/procedures/definitions/win32_ualapi.py +46 -0
angr/procedures/definitions/win32_uiautomationcore.py +234 -0
angr/procedures/definitions/win32_urlmon.py +192 -0
angr/procedures/definitions/win32_user32.py +1565 -0
angr/procedures/definitions/win32_userenv.py +126 -0
angr/procedures/definitions/win32_usp10.py +118 -0
angr/procedures/definitions/win32_uxtheme.py +192 -0
angr/procedures/definitions/win32_verifier.py +40 -0
angr/procedures/definitions/win32_version.py +66 -0
angr/procedures/definitions/win32_vertdll.py +52 -0
angr/procedures/definitions/win32_virtdisk.py +96 -0
angr/procedures/definitions/win32_vmdevicehost.py +64 -0
angr/procedures/definitions/win32_vmsavedstatedumpprovider.py +124 -0
angr/procedures/definitions/win32_vssapi.py +40 -0
angr/procedures/definitions/win32_wcmapi.py +48 -0
angr/procedures/definitions/win32_wdsbp.py +52 -0
angr/procedures/definitions/win32_wdsclientapi.py +112 -0
angr/procedures/definitions/win32_wdsmc.py +50 -0
angr/procedures/definitions/win32_wdspxe.py +100 -0
angr/procedures/definitions/win32_wdstptc.py +64 -0
angr/procedures/definitions/win32_webauthn.py +64 -0
angr/procedures/definitions/win32_webservices.py +424 -0
angr/procedures/definitions/win32_websocket.py +64 -0
angr/procedures/definitions/win32_wecapi.py +68 -0
angr/procedures/definitions/win32_wer.py +80 -0
angr/procedures/definitions/win32_wevtapi.py +108 -0
angr/procedures/definitions/win32_winbio.py +146 -0
angr/procedures/definitions/win32_windows_ai_machinelearning.py +40 -0
angr/procedures/definitions/win32_windows_data_pdf.py +23 -0
angr/procedures/definitions/win32_windows_media_mediacontrol.py +54 -0
angr/procedures/definitions/win32_windows_networking.py +40 -0
angr/procedures/definitions/win32_windows_ui_xaml.py +42 -0
angr/procedures/definitions/win32_windowscodecs.py +56 -0
angr/procedures/definitions/win32_winfax.py +150 -0
angr/procedures/definitions/win32_winhttp.py +150 -0
angr/procedures/definitions/win32_winhvemulation.py +46 -0
angr/procedures/definitions/win32_winhvplatform.py +170 -0
angr/procedures/definitions/win32_wininet.py +630 -0
angr/procedures/definitions/win32_winml.py +40 -0
angr/procedures/definitions/win32_winmm.py +390 -0
angr/procedures/definitions/win32_winscard.py +178 -0
angr/procedures/definitions/win32_winspool.py +363 -0
angr/procedures/definitions/win32_winspool_drv.py +382 -0
angr/procedures/definitions/win32_wintrust.py +158 -0
angr/procedures/definitions/win32_winusb.py +106 -0
angr/procedures/definitions/win32_wlanapi.py +158 -0
angr/procedures/definitions/win32_wlanui.py +40 -0
angr/procedures/definitions/win32_wldap32.py +524 -0
angr/procedures/definitions/win32_wldp.py +56 -0
angr/procedures/definitions/win32_wmvcore.py +60 -0
angr/procedures/definitions/win32_wnvapi.py +42 -0
angr/procedures/definitions/win32_wofutil.py +60 -0
angr/procedures/definitions/win32_ws2_32.py +358 -0
angr/procedures/definitions/win32_wscapi.py +50 -0
angr/procedures/definitions/win32_wsclient.py +44 -0
angr/procedures/definitions/win32_wsdapi.py +102 -0
angr/procedures/definitions/win32_wsmsvc.py +104 -0
angr/procedures/definitions/win32_wsnmp32.py +136 -0
angr/procedures/definitions/win32_wtsapi32.py +164 -0
angr/procedures/definitions/win32_xaudio2_8.py +46 -0
angr/procedures/definitions/win32_xinput1_4.py +52 -0
angr/procedures/definitions/win32_xinputuap.py +35 -0
angr/procedures/definitions/win32_xmllite.py +50 -0
angr/procedures/definitions/win32_xolehlp.py +46 -0
angr/procedures/definitions/win32_xpsprint.py +42 -0
angr/procedures/glibc/__ctype_b_loc.py +22 -0
angr/procedures/glibc/__ctype_tolower_loc.py +22 -0
angr/procedures/glibc/__ctype_toupper_loc.py +22 -0
angr/procedures/glibc/__errno_location.py +6 -0
angr/procedures/glibc/__init__.py +3 -0
angr/procedures/glibc/__libc_init.py +36 -0
angr/procedures/glibc/__libc_start_main.py +294 -0
angr/procedures/glibc/dynamic_loading.py +19 -0
angr/procedures/glibc/scanf.py +10 -0
angr/procedures/glibc/sscanf.py +5 -0
angr/procedures/gnulib/__init__.py +3 -0
angr/procedures/gnulib/xalloc_die.py +13 -0
angr/procedures/gnulib/xstrtol_fatal.py +13 -0
angr/procedures/java/__init__.py +38 -0
angr/procedures/java/unconstrained.py +64 -0
angr/procedures/java_io/__init__.py +0 -0
angr/procedures/java_io/read.py +11 -0
angr/procedures/java_io/write.py +16 -0
angr/procedures/java_jni/__init__.py +475 -0
angr/procedures/java_jni/array_operations.py +309 -0
angr/procedures/java_jni/class_and_interface_operations.py +31 -0
angr/procedures/java_jni/field_access.py +176 -0
angr/procedures/java_jni/global_and_local_refs.py +56 -0
angr/procedures/java_jni/method_calls.py +364 -0
angr/procedures/java_jni/not_implemented.py +25 -0
angr/procedures/java_jni/object_operations.py +95 -0
angr/procedures/java_jni/string_operations.py +86 -0
angr/procedures/java_jni/version_information.py +11 -0
angr/procedures/java_lang/__init__.py +0 -0
angr/procedures/java_lang/character.py +31 -0
angr/procedures/java_lang/double.py +24 -0
angr/procedures/java_lang/exit.py +12 -0
angr/procedures/java_lang/getsimplename.py +15 -0
angr/procedures/java_lang/integer.py +42 -0
angr/procedures/java_lang/load_library.py +8 -0
angr/procedures/java_lang/math.py +14 -0
angr/procedures/java_lang/string.py +78 -0
angr/procedures/java_lang/stringbuilder.py +43 -0
angr/procedures/java_lang/system.py +17 -0
angr/procedures/java_util/__init__.py +0 -0
angr/procedures/java_util/collection.py +34 -0
angr/procedures/java_util/iterator.py +45 -0
angr/procedures/java_util/list.py +98 -0
angr/procedures/java_util/map.py +132 -0
angr/procedures/java_util/random.py +11 -0
angr/procedures/java_util/scanner_nextline.py +22 -0
angr/procedures/libc/__init__.py +3 -0
angr/procedures/libc/abort.py +8 -0
angr/procedures/libc/access.py +10 -0
angr/procedures/libc/atoi.py +14 -0
angr/procedures/libc/atol.py +12 -0
angr/procedures/libc/calloc.py +7 -0
angr/procedures/libc/closelog.py +9 -0
angr/procedures/libc/err.py +13 -0
angr/procedures/libc/error.py +55 -0
angr/procedures/libc/exit.py +10 -0
angr/procedures/libc/fclose.py +20 -0
angr/procedures/libc/feof.py +19 -0
angr/procedures/libc/fflush.py +15 -0
angr/procedures/libc/fgetc.py +24 -0
angr/procedures/libc/fgets.py +68 -0
angr/procedures/libc/fopen.py +64 -0
angr/procedures/libc/fprintf.py +24 -0
angr/procedures/libc/fputc.py +22 -0
angr/procedures/libc/fputs.py +23 -0
angr/procedures/libc/fread.py +22 -0
angr/procedures/libc/free.py +8 -0
angr/procedures/libc/fscanf.py +20 -0
angr/procedures/libc/fseek.py +32 -0
angr/procedures/libc/ftell.py +21 -0
angr/procedures/libc/fwrite.py +18 -0
angr/procedures/libc/getchar.py +13 -0
angr/procedures/libc/getdelim.py +96 -0
angr/procedures/libc/getegid.py +7 -0
angr/procedures/libc/geteuid.py +7 -0
angr/procedures/libc/getgid.py +7 -0
angr/procedures/libc/gets.py +66 -0
angr/procedures/libc/getuid.py +7 -0
angr/procedures/libc/malloc.py +11 -0
angr/procedures/libc/memcmp.py +69 -0
angr/procedures/libc/memcpy.py +37 -0
angr/procedures/libc/memset.py +69 -0
angr/procedures/libc/openlog.py +9 -0
angr/procedures/libc/perror.py +12 -0
angr/procedures/libc/printf.py +33 -0
angr/procedures/libc/putchar.py +12 -0
angr/procedures/libc/puts.py +16 -0
angr/procedures/libc/rand.py +7 -0
angr/procedures/libc/realloc.py +7 -0
angr/procedures/libc/rewind.py +11 -0
angr/procedures/libc/scanf.py +20 -0
angr/procedures/libc/setbuf.py +8 -0
angr/procedures/libc/setvbuf.py +6 -0
angr/procedures/libc/snprintf.py +33 -0
angr/procedures/libc/sprintf.py +22 -0
angr/procedures/libc/srand.py +6 -0
angr/procedures/libc/sscanf.py +13 -0
angr/procedures/libc/stpcpy.py +18 -0
angr/procedures/libc/strcat.py +13 -0
angr/procedures/libc/strchr.py +44 -0
angr/procedures/libc/strcmp.py +28 -0
angr/procedures/libc/strcpy.py +13 -0
angr/procedures/libc/strlen.py +99 -0
angr/procedures/libc/strncat.py +18 -0
angr/procedures/libc/strncmp.py +180 -0
angr/procedures/libc/strncpy.py +18 -0
angr/procedures/libc/strnlen.py +13 -0
angr/procedures/libc/strstr.py +94 -0
angr/procedures/libc/strtol.py +263 -0
angr/procedures/libc/strtoul.py +9 -0
angr/procedures/libc/system.py +12 -0
angr/procedures/libc/time.py +9 -0
angr/procedures/libc/tmpnam.py +19 -0
angr/procedures/libc/tolower.py +7 -0
angr/procedures/libc/toupper.py +7 -0
angr/procedures/libc/ungetc.py +19 -0
angr/procedures/libc/vsnprintf.py +16 -0
angr/procedures/libc/wchar.py +15 -0
angr/procedures/libstdcpp/__init__.py +0 -0
angr/procedures/libstdcpp/_unwind_resume.py +10 -0
angr/procedures/libstdcpp/std____throw_bad_alloc.py +12 -0
angr/procedures/libstdcpp/std____throw_bad_cast.py +12 -0
angr/procedures/libstdcpp/std____throw_length_error.py +12 -0
angr/procedures/libstdcpp/std____throw_logic_error.py +12 -0
angr/procedures/libstdcpp/std__terminate.py +12 -0
angr/procedures/linux_kernel/__init__.py +3 -0
angr/procedures/linux_kernel/access.py +17 -0
angr/procedures/linux_kernel/arch_prctl.py +33 -0
angr/procedures/linux_kernel/arm_user_helpers.py +58 -0
angr/procedures/linux_kernel/brk.py +17 -0
angr/procedures/linux_kernel/cwd.py +27 -0
angr/procedures/linux_kernel/fstat.py +137 -0
angr/procedures/linux_kernel/fstat64.py +169 -0
angr/procedures/linux_kernel/futex.py +17 -0
angr/procedures/linux_kernel/getegid.py +16 -0
angr/procedures/linux_kernel/geteuid.py +16 -0
angr/procedures/linux_kernel/getgid.py +16 -0
angr/procedures/linux_kernel/getpid.py +13 -0
angr/procedures/linux_kernel/getrlimit.py +24 -0
angr/procedures/linux_kernel/gettid.py +8 -0
angr/procedures/linux_kernel/getuid.py +16 -0
angr/procedures/linux_kernel/iovec.py +43 -0
angr/procedures/linux_kernel/lseek.py +39 -0
angr/procedures/linux_kernel/mmap.py +15 -0
angr/procedures/linux_kernel/mprotect.py +41 -0
angr/procedures/linux_kernel/munmap.py +7 -0
angr/procedures/linux_kernel/openat.py +28 -0
angr/procedures/linux_kernel/set_tid_address.py +7 -0
angr/procedures/linux_kernel/sigaction.py +16 -0
angr/procedures/linux_kernel/sigprocmask.py +20 -0
angr/procedures/linux_kernel/stat.py +22 -0
angr/procedures/linux_kernel/sysinfo.py +58 -0
angr/procedures/linux_kernel/tgkill.py +7 -0
angr/procedures/linux_kernel/time.py +30 -0
angr/procedures/linux_kernel/uid.py +29 -0
angr/procedures/linux_kernel/uname.py +28 -0
angr/procedures/linux_kernel/unlink.py +22 -0
angr/procedures/linux_kernel/vsyscall.py +15 -0
angr/procedures/linux_loader/__init__.py +3 -0
angr/procedures/linux_loader/_dl_initial_error_catch_tsd.py +6 -0
angr/procedures/linux_loader/_dl_rtld_lock.py +14 -0
angr/procedures/linux_loader/sim_loader.py +53 -0
angr/procedures/linux_loader/tls.py +40 -0
angr/procedures/msvcr/__getmainargs.py +15 -0
angr/procedures/msvcr/__init__.py +4 -0
angr/procedures/msvcr/_initterm.py +37 -0
angr/procedures/msvcr/fmode.py +28 -0
angr/procedures/ntdll/__init__.py +0 -0
angr/procedures/ntdll/exceptions.py +57 -0
angr/procedures/posix/__init__.py +3 -0
angr/procedures/posix/accept.py +29 -0
angr/procedures/posix/bind.py +12 -0
angr/procedures/posix/bzero.py +6 -0
angr/procedures/posix/chroot.py +26 -0
angr/procedures/posix/close.py +9 -0
angr/procedures/posix/closedir.py +6 -0
angr/procedures/posix/dup.py +55 -0
angr/procedures/posix/fcntl.py +9 -0
angr/procedures/posix/fdopen.py +77 -0
angr/procedures/posix/fileno.py +17 -0
angr/procedures/posix/fork.py +10 -0
angr/procedures/posix/getenv.py +34 -0
angr/procedures/posix/gethostbyname.py +42 -0
angr/procedures/posix/getpass.py +18 -0
angr/procedures/posix/getsockopt.py +10 -0
angr/procedures/posix/htonl.py +11 -0
angr/procedures/posix/htons.py +11 -0
angr/procedures/posix/inet_ntoa.py +61 -0
angr/procedures/posix/listen.py +12 -0
angr/procedures/posix/mmap.py +140 -0
angr/procedures/posix/open.py +17 -0
angr/procedures/posix/opendir.py +9 -0
angr/procedures/posix/poll.py +54 -0
angr/procedures/posix/pread64.py +45 -0
angr/procedures/posix/pthread.py +87 -0
angr/procedures/posix/pwrite64.py +45 -0
angr/procedures/posix/read.py +12 -0
angr/procedures/posix/readdir.py +59 -0
angr/procedures/posix/recv.py +12 -0
angr/procedures/posix/recvfrom.py +12 -0
angr/procedures/posix/select.py +46 -0
angr/procedures/posix/send.py +22 -0
angr/procedures/posix/setsockopt.py +8 -0
angr/procedures/posix/sigaction.py +20 -0
angr/procedures/posix/sim_time.py +45 -0
angr/procedures/posix/sleep.py +7 -0
angr/procedures/posix/socket.py +18 -0
angr/procedures/posix/strcasecmp.py +23 -0
angr/procedures/posix/strdup.py +17 -0
angr/procedures/posix/strtok_r.py +65 -0
angr/procedures/posix/syslog.py +15 -0
angr/procedures/posix/tz.py +8 -0
angr/procedures/posix/unlink.py +10 -0
angr/procedures/posix/usleep.py +7 -0
angr/procedures/posix/write.py +12 -0
angr/procedures/procedure_dict.py +48 -0
angr/procedures/stubs/CallReturn.py +12 -0
angr/procedures/stubs/NoReturnUnconstrained.py +12 -0
angr/procedures/stubs/Nop.py +6 -0
angr/procedures/stubs/PathTerminator.py +8 -0
angr/procedures/stubs/Redirect.py +15 -0
angr/procedures/stubs/ReturnChar.py +10 -0
angr/procedures/stubs/ReturnUnconstrained.py +24 -0
angr/procedures/stubs/UnresolvableCallTarget.py +8 -0
angr/procedures/stubs/UnresolvableJumpTarget.py +8 -0
angr/procedures/stubs/UserHook.py +15 -0
angr/procedures/stubs/__init__.py +3 -0
angr/procedures/stubs/b64_decode.py +12 -0
angr/procedures/stubs/caller.py +13 -0
angr/procedures/stubs/crazy_scanf.py +17 -0
angr/procedures/stubs/format_parser.py +677 -0
angr/procedures/stubs/syscall_stub.py +26 -0
angr/procedures/testing/__init__.py +3 -0
angr/procedures/testing/manyargs.py +8 -0
angr/procedures/testing/retreg.py +8 -0
angr/procedures/tracer/__init__.py +4 -0
angr/procedures/tracer/random.py +8 -0
angr/procedures/tracer/receive.py +21 -0
angr/procedures/tracer/transmit.py +24 -0
angr/procedures/uclibc/__init__.py +3 -0
angr/procedures/uclibc/__uClibc_main.py +9 -0
angr/procedures/win32/EncodePointer.py +6 -0
angr/procedures/win32/ExitProcess.py +8 -0
angr/procedures/win32/GetCommandLine.py +11 -0
angr/procedures/win32/GetCurrentProcessId.py +6 -0
angr/procedures/win32/GetCurrentThreadId.py +6 -0
angr/procedures/win32/GetLastInputInfo.py +37 -0
angr/procedures/win32/GetModuleHandle.py +30 -0
angr/procedures/win32/GetProcessAffinityMask.py +34 -0
angr/procedures/win32/InterlockedExchange.py +14 -0
angr/procedures/win32/IsProcessorFeaturePresent.py +6 -0
angr/procedures/win32/VirtualAlloc.py +113 -0
angr/procedures/win32/VirtualProtect.py +59 -0
angr/procedures/win32/__init__.py +3 -0
angr/procedures/win32/critical_section.py +11 -0
angr/procedures/win32/dynamic_loading.py +103 -0
angr/procedures/win32/file_handles.py +47 -0
angr/procedures/win32/gethostbyname.py +10 -0
angr/procedures/win32/heap.py +42 -0
angr/procedures/win32/is_bad_ptr.py +25 -0
angr/procedures/win32/local_storage.py +85 -0
angr/procedures/win32/mutex.py +10 -0
angr/procedures/win32/sim_time.py +135 -0
angr/procedures/win32/system_paths.py +34 -0
angr/procedures/win32_kernel/ExAllocatePool.py +12 -0
angr/procedures/win32_kernel/ExFreePoolWithTag.py +7 -0
angr/procedures/win32_kernel/__init__.py +3 -0
angr/procedures/win_user32/__init__.py +0 -0
angr/procedures/win_user32/chars.py +12 -0
angr/procedures/win_user32/keyboard.py +13 -0
angr/procedures/win_user32/messagebox.py +49 -0
angr/project.py +834 -0
angr/protos/__init__.py +13 -0
angr/protos/cfg_pb2.py +31 -0
angr/protos/function_pb2.py +37 -0
angr/protos/primitives_pb2.py +124 -0
angr/protos/variables_pb2.py +126 -0
angr/protos/xrefs_pb2.py +34 -0
angr/py.typed +1 -0
angr/serializable.py +63 -0
angr/service.py +35 -0
angr/sim_manager.py +971 -0
angr/sim_options.py +444 -0
angr/sim_procedure.py +606 -0
angr/sim_state.py +1003 -0
angr/sim_state_options.py +409 -0
angr/sim_type.py +3372 -0
angr/sim_variable.py +562 -0
angr/simos/__init__.py +31 -0
angr/simos/cgc.py +152 -0
angr/simos/javavm.py +471 -0
angr/simos/linux.py +519 -0
angr/simos/simos.py +450 -0
angr/simos/snimmuc_nxp.py +152 -0
angr/simos/userland.py +163 -0
angr/simos/windows.py +562 -0
angr/slicer.py +353 -0
angr/state_hierarchy.py +262 -0
angr/state_plugins/__init__.py +29 -0
angr/state_plugins/callstack.py +404 -0
angr/state_plugins/cgc.py +153 -0
angr/state_plugins/concrete.py +297 -0
angr/state_plugins/debug_variables.py +194 -0
angr/state_plugins/filesystem.py +469 -0
angr/state_plugins/gdb.py +146 -0
angr/state_plugins/globals.py +62 -0
angr/state_plugins/heap/__init__.py +5 -0
angr/state_plugins/heap/heap_base.py +126 -0
angr/state_plugins/heap/heap_brk.py +134 -0
angr/state_plugins/heap/heap_freelist.py +210 -0
angr/state_plugins/heap/heap_libc.py +45 -0
angr/state_plugins/heap/heap_ptmalloc.py +646 -0
angr/state_plugins/heap/utils.py +21 -0
angr/state_plugins/history.py +548 -0
angr/state_plugins/inspect.py +376 -0
angr/state_plugins/javavm_classloader.py +133 -0
angr/state_plugins/jni_references.py +93 -0
angr/state_plugins/libc.py +1263 -0
angr/state_plugins/light_registers.py +170 -0
angr/state_plugins/log.py +85 -0
angr/state_plugins/loop_data.py +92 -0
angr/state_plugins/plugin.py +155 -0
angr/state_plugins/posix.py +709 -0
angr/state_plugins/preconstrainer.py +195 -0
angr/state_plugins/scratch.py +175 -0
angr/state_plugins/sim_action.py +334 -0
angr/state_plugins/sim_action_object.py +148 -0
angr/state_plugins/sim_event.py +58 -0
angr/state_plugins/solver.py +1129 -0
angr/state_plugins/symbolizer.py +292 -0
angr/state_plugins/trace_additions.py +752 -0
angr/state_plugins/uc_manager.py +85 -0
angr/state_plugins/unicorn_engine.py +1899 -0
angr/state_plugins/view.py +341 -0
angr/storage/__init__.py +9 -0
angr/storage/file.py +1219 -0
angr/storage/memory_mixins/__init__.py +393 -0
angr/storage/memory_mixins/__init__.pyi +49 -0
angr/storage/memory_mixins/actions_mixin.py +69 -0
angr/storage/memory_mixins/address_concretization_mixin.py +388 -0
angr/storage/memory_mixins/bvv_conversion_mixin.py +74 -0
angr/storage/memory_mixins/clouseau_mixin.py +131 -0
angr/storage/memory_mixins/conditional_store_mixin.py +24 -0
angr/storage/memory_mixins/convenient_mappings_mixin.py +257 -0
angr/storage/memory_mixins/default_filler_mixin.py +146 -0
angr/storage/memory_mixins/dirty_addrs_mixin.py +9 -0
angr/storage/memory_mixins/hex_dumper_mixin.py +85 -0
angr/storage/memory_mixins/javavm_memory/__init__.py +1 -0
angr/storage/memory_mixins/javavm_memory/javavm_memory_mixin.py +394 -0
angr/storage/memory_mixins/keyvalue_memory/__init__.py +1 -0
angr/storage/memory_mixins/keyvalue_memory/keyvalue_memory_mixin.py +36 -0
angr/storage/memory_mixins/label_merger_mixin.py +31 -0
angr/storage/memory_mixins/multi_value_merger_mixin.py +68 -0
angr/storage/memory_mixins/name_resolution_mixin.py +70 -0
angr/storage/memory_mixins/paged_memory/__init__.py +0 -0
angr/storage/memory_mixins/paged_memory/page_backer_mixins.py +266 -0
angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py +750 -0
angr/storage/memory_mixins/paged_memory/paged_memory_multivalue_mixin.py +63 -0
angr/storage/memory_mixins/paged_memory/pages/__init__.py +33 -0
angr/storage/memory_mixins/paged_memory/pages/cooperation.py +330 -0
angr/storage/memory_mixins/paged_memory/pages/history_tracking_mixin.py +87 -0
angr/storage/memory_mixins/paged_memory/pages/ispo_mixin.py +53 -0
angr/storage/memory_mixins/paged_memory/pages/list_page.py +346 -0
angr/storage/memory_mixins/paged_memory/pages/multi_values.py +290 -0
angr/storage/memory_mixins/paged_memory/pages/mv_list_page.py +434 -0
angr/storage/memory_mixins/paged_memory/pages/permissions_mixin.py +33 -0
angr/storage/memory_mixins/paged_memory/pages/refcount_mixin.py +51 -0
angr/storage/memory_mixins/paged_memory/pages/ultra_page.py +468 -0
angr/storage/memory_mixins/paged_memory/privileged_mixin.py +36 -0
angr/storage/memory_mixins/paged_memory/stack_allocation_mixin.py +73 -0
angr/storage/memory_mixins/regioned_memory/__init__.py +6 -0
angr/storage/memory_mixins/regioned_memory/abstract_address_descriptor.py +35 -0
angr/storage/memory_mixins/regioned_memory/abstract_merger_mixin.py +43 -0
angr/storage/memory_mixins/regioned_memory/region_category_mixin.py +7 -0
angr/storage/memory_mixins/regioned_memory/region_data.py +245 -0
angr/storage/memory_mixins/regioned_memory/region_meta_mixin.py +125 -0
angr/storage/memory_mixins/regioned_memory/regioned_address_concretization_mixin.py +118 -0
angr/storage/memory_mixins/regioned_memory/regioned_memory_mixin.py +462 -0
angr/storage/memory_mixins/regioned_memory/static_find_mixin.py +70 -0
angr/storage/memory_mixins/simple_interface_mixin.py +73 -0
angr/storage/memory_mixins/simplification_mixin.py +13 -0
angr/storage/memory_mixins/size_resolution_mixin.py +140 -0
angr/storage/memory_mixins/slotted_memory.py +140 -0
angr/storage/memory_mixins/smart_find_mixin.py +159 -0
angr/storage/memory_mixins/symbolic_merger_mixin.py +12 -0
angr/storage/memory_mixins/top_merger_mixin.py +24 -0
angr/storage/memory_mixins/underconstrained_mixin.py +67 -0
angr/storage/memory_mixins/unwrapper_mixin.py +26 -0
angr/storage/memory_object.py +194 -0
angr/storage/pcap.py +65 -0
angr/tablespecs.py +90 -0
angr/utils/__init__.py +33 -0
angr/utils/algo.py +33 -0
angr/utils/constants.py +7 -0
angr/utils/cowdict.py +64 -0
angr/utils/dynamic_dictlist.py +92 -0
angr/utils/enums_conv.py +80 -0
angr/utils/env.py +11 -0
angr/utils/formatting.py +124 -0
angr/utils/funcid.py +133 -0
angr/utils/graph.py +822 -0
angr/utils/lazy_import.py +12 -0
angr/utils/library.py +214 -0
angr/utils/loader.py +55 -0
angr/utils/mp.py +64 -0
angr/utils/segment_list.py +558 -0
angr/utils/timing.py +45 -0
angr/utils/typing.py +17 -0
angr/vaults.py +370 -0
angr-9.2.103.dist-info/LICENSE +24 -0
angr-9.2.103.dist-info/METADATA +119 -0
angr-9.2.103.dist-info/RECORD +1300 -0
angr-9.2.103.dist-info/WHEEL +5 -0
angr-9.2.103.dist-info/entry_points.txt +2 -0
angr-9.2.103.dist-info/top_level.txt +1 -0

angr/analyses/decompiler/structuring/phoenix.py ADDED Viewed

@@ -0,0 +1,2546 @@
+# pylint:disable=line-too-long,import-outside-toplevel,import-error,multiple-statements,too-many-boolean-expressions
+from typing import Any, DefaultDict, Optional, TYPE_CHECKING
+from collections import OrderedDict as ODict
+from collections import defaultdict, OrderedDict
+from enum import Enum
+import logging
+import networkx
+import claripy
+from ailment.block import Block
+from ailment.statement import Statement, ConditionalJump, Jump, Label, Return
+from ailment.expression import Const, UnaryOp, MultiStatementExpression
+from angr.utils.graph import GraphUtils
+from ....knowledge_plugins.cfg import IndirectJumpType
+from ....utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
+from ....utils.graph import dominates, to_acyclic_graph, dfs_back_edges
+from ..sequence_walker import SequenceWalker
+from ..utils import (
+    remove_last_statement,
+    extract_jump_targets,
+    switch_extract_cmp_bounds,
+    is_empty_or_label_only_node,
+    has_nonlabel_statements,
+    first_nonlabel_statement,
+)
+from ..call_counter import AILCallCounter
+from .structurer_nodes import (
+    ConditionNode,
+    SequenceNode,
+    LoopNode,
+    ConditionalBreakNode,
+    BreakNode,
+    ContinueNode,
+    BaseNode,
+    MultiNode,
+    SwitchCaseNode,
+    IncompleteSwitchCaseNode,
+    EmptyBlockNotice,
+    IncompleteSwitchCaseHeadStatement,
+)
+from .structurer_base import StructurerBase
+if TYPE_CHECKING:
+    from angr.knowledge_plugins.functions import Function
+l = logging.getLogger(__name__)
+_DEBUG = False
+class GraphChangedNotification(Exception):
+    """
+    A notification for graph that is currently worked on being changed. Once this notification is caught, the graph
+    schema matching process for the current region restarts.
+    """
+class MultiStmtExprMode(str, Enum):
+    """
+    Mode of multi-statement expression creation during structuring.
+    """
+    NEVER = "Never"
+    ALWAYS = "Always"
+    MAX_ONE_CALL = "Only when less than one call"
+class PhoenixStructurer(StructurerBase):
+    """
+    Structure a region using a structuring algorithm that is similar to the one in Phoenix decompiler (described in the
+    "phoenix decompiler" paper). Note that this implementation has quite a few improvements over the original described
+    version and *should not* be used to evaluate the performance of the original algorithm described in that paper.
+    """
+    NAME = "phoenix"
+    def __init__(
+        self,
+        region,
+        parent_map=None,
+        condition_processor=None,
+        func: Optional["Function"] = None,
+        case_entry_to_switch_head: dict[int, int] | None = None,
+        parent_region=None,
+        improve_structurer=True,
+        use_multistmtexprs: MultiStmtExprMode = MultiStmtExprMode.MAX_ONE_CALL,
+        **kwargs,
+    ):
+        super().__init__(
+            region,
+            parent_map=parent_map,
+            condition_processor=condition_processor,
+            func=func,
+            case_entry_to_switch_head=case_entry_to_switch_head,
+            parent_region=parent_region,
+            improve_structurer=improve_structurer,
+            **kwargs,
+        )
+        # whitelist certain edges. removing these edges will destroy critical schemas, which will impact future
+        # structuring cycles.
+        # the set is populated during the analysis. _last_resort_refinement() will ensure not to remove any edges
+        # who fall into these sets.
+        self.whitelist_edges: set[tuple[int, int]] = set()
+        # also whitelist certain nodes that are definitely header for switch-case constructs. they should not be merged
+        # into another node before we successfully structure the entire switch-case.
+        self.switch_case_known_heads: set[Block] = set()
+        # whitelist certain nodes that should be treated as a tail node for do-whiles. these nodes should not be
+        # absorbed into other SequenceNodes
+        self.dowhile_known_tail_nodes: set = set()
+        self._phoenix_improved = self._improve_structurer
+        self._edge_virtualization_hints = []
+        self._use_multistmtexprs = use_multistmtexprs
+        if not self._phoenix_improved:
+            self._use_multistmtexprs = MultiStmtExprMode.NEVER
+        self._analyze()
+    @staticmethod
+    def _assert_graph_ok(g, msg: str) -> None:
+        if _DEBUG:
+            assert (
+                len(list(networkx.connected_components(networkx.Graph(g)))) <= 1
+            ), f"{msg}: More than one connected component. Please report this."
+            assert (
+                len([nn for nn in g if g.in_degree[nn] == 0]) <= 1
+            ), f"{msg}: More than one graph entrance. Please report this."
+    def _analyze(self):
+        # iterate until there is only one node in the region
+        self._assert_graph_ok(self._region.graph, "Incorrect region graph")
+        has_cycle = self._has_cycle()
+        # special handling for single-node loops
+        if len(self._region.graph.nodes) == 1 and has_cycle:
+            self._analyze_cyclic()
+        # backup the region prior to conducting a cyclic refinement because we may not be able to structure a cycle out
+        # of the refined graph. in that case, we restore the original region and return.
+        pre_refinement_region = None
+        while len(self._region.graph.nodes) > 1:
+            progressed = self._analyze_acyclic()
+            if progressed and self._region.head not in self._region.graph:
+                # update the head
+                self._region.head = next(
+                    iter(node for node in self._region.graph.nodes if node.addr == self._region.head.addr)
+                )
+            if has_cycle:
+                progressed |= self._analyze_cyclic()
+                if progressed:
+                    pre_refinement_region = None
+                    if self._region.head not in self._region.graph:
+                        # update the loop head
+                        self._region.head = next(
+                            iter(node for node in self._region.graph.nodes if node.addr == self._region.head.addr)
+                        )
+                elif pre_refinement_region is None:
+                    pre_refinement_region = self._region.copy()
+                    refined = self._refine_cyclic()
+                    if refined:
+                        if self._region.head not in self._region.graph:
+                            # update the loop head
+                            self._region.head = next(
+                                iter(node for node in self._region.graph.nodes if node.addr == self._region.head.addr)
+                            )
+                        has_cycle = self._has_cycle()
+                        continue
+                has_cycle = self._has_cycle()
+            if not progressed:
+                if self._region.cyclic_ancestor and not self._region.cyclic:
+                    # we prefer directly returning this subgraph in case it can be further restructured within a loop
+                    # region
+                    l.debug("No progress is made on this acyclic graph with a cyclic ancestor. Give up.")
+                    break
+                l.debug("No progress is made. Enter last resort refinement.")
+                removed_edge = self._last_resort_refinement(
+                    self._region.head,
+                    self._region.graph,
+                    (
+                        self._region.graph_with_successors
+                        if self._region.graph_with_successors is not None
+                        else networkx.DiGraph(self._region.graph)
+                    ),
+                )
+                self._assert_graph_ok(self._region.graph, "Last resort refinement went wrong")
+                if not removed_edge:
+                    # cannot make any progress in this region. return the subgraph directly
+                    break
+        if len(self._region.graph.nodes) == 1:
+            # successfully structured
+            self.result = next(iter(self._region.graph.nodes))
+        else:
+            if pre_refinement_region is not None:
+                # we could not make a loop after the last cycle refinement. restore the graph
+                self._region = pre_refinement_region
+            self.result = None  # the actual result is in self._region.graph and self._region.graph_with_successors
+    def _analyze_cyclic(self) -> bool:
+        any_matches = False
+        acyclic_graph = to_acyclic_graph(self._region.graph, loop_heads=[self._region.head])
+        for node in list(reversed(GraphUtils.quasi_topological_sort_nodes(acyclic_graph))):
+            if node not in self._region.graph:
+                continue
+            matched = self._match_cyclic_schemas(
+                node,
+                self._region.head,
+                self._region.graph,
+                (
+                    self._region.graph_with_successors
+                    if self._region.graph_with_successors is not None
+                    else networkx.DiGraph(self._region.graph)
+                ),
+            )
+            l.debug("... matching cyclic schemas: %s at %r", matched, node)
+            any_matches |= matched
+            self._assert_graph_ok(self._region.graph, "Removed incorrect edges")
+        return any_matches
+    def _match_cyclic_schemas(self, node, head, graph, full_graph) -> bool:
+        matched, loop_node, successor_node = self._match_cyclic_while(node, head, graph, full_graph)
+        if matched:
+            # traverse this node and rewrite all conditional jumps that go outside the loop to breaks
+            self._rewrite_conditional_jumps_to_breaks(loop_node.sequence_node, [successor_node.addr])
+            # traverse this node and rewrite all jumps that go to the beginning of the loop to continue
+            self._rewrite_jumps_to_continues(loop_node.sequence_node)
+            return True
+        matched, loop_node, successor_node = self._match_cyclic_dowhile(node, head, graph, full_graph)
+        if matched:
+            # traverse this node and rewrite all conditional jumps that go outside the loop to breaks
+            self._rewrite_conditional_jumps_to_breaks(loop_node.sequence_node, [successor_node.addr])
+            # traverse this node and rewrite all jumps that go to the beginning of the loop to continue
+            self._rewrite_jumps_to_continues(loop_node.sequence_node, loop_node=loop_node)
+            return True
+        if self._phoenix_improved:
+            matched, loop_node, successor_node = self._match_cyclic_while_with_single_successor(
+                node, head, graph, full_graph
+            )
+            if matched:
+                # traverse this node and rewrite all conditional jumps that go outside the loop to breaks
+                self._rewrite_conditional_jumps_to_breaks(loop_node.sequence_node, [successor_node.addr])
+                # traverse this node and rewrite all jumps that go to the beginning of the loop to continue
+                self._rewrite_jumps_to_continues(loop_node.sequence_node)
+                return True
+        matched, loop_node = self._match_cyclic_natural_loop(node, head, graph, full_graph)
+        if matched:
+            if self._region.successors is not None and len(self._region.successors) == 1:
+                # traverse this node and rewrite all conditional jumps that go outside the loop to breaks
+                self._rewrite_conditional_jumps_to_breaks(
+                    loop_node.sequence_node, [succ.addr for succ in self._region.successors]
+                )
+            # traverse this node and rewrite all jumps that go to the beginning of the loop to continue
+            self._rewrite_jumps_to_continues(loop_node.sequence_node)
+        return matched
+    def _match_cyclic_while(self, node, head, graph, full_graph) -> tuple[bool, LoopNode | None, BaseNode | None]:
+        succs = list(full_graph.successors(node))
+        if len(succs) == 2:
+            left, right = succs
+            if full_graph.has_edge(right, node) and not full_graph.has_edge(left, node):
+                left, right = right, left
+            if left is node:
+                # self loop
+                # possible candidate
+                head_block_idx, _, head_block = self._find_node_going_to_dst(node, left)
+                if head_block is None:
+                    # it happens. for example:
+                    # ## Block 4058c8
+                    # 00 | 0x4058c8 | if ((rcx<8> == 0x0<64>)) { Goto 0x4058ca<64> } else { Goto None }
+                    # 01 | 0x4058c8 | rcx<8> = (rcx<8> - 0x1<64>)
+                    # 02 | 0x4058c8 | cc_dep1<8> = Conv(8->64, Load(addr=rsi<8>, size=1, endness=Iend_LE))
+                    # 03 | 0x4058c8 | cc_dep2<8> = Conv(8->64, Load(addr=rdi<8>, size=1, endness=Iend_LE))
+                    # 04 | 0x4058c8 | rdi<8> = (rdi<8> + d<8>)
+                    # 05 | 0x4058c8 | rsi<8> = (rsi<8> + d<8>)
+                    # 06 | 0x4058c8 | if ((Conv(64->8, cc_dep1<8>) == Conv(64->8, cc_dep2<8>))) { Goto 0x4058c8<64> }
+                    #   else { Goto None }
+                    # 07 | 0x4058c8 | Goto(0x4058ca<64>)
+                    head_block_idx, _, head_block = self._find_node_going_to_dst(node, right)
+                if (
+                    isinstance(head_block, MultiNode)
+                    and head_block.nodes
+                    and isinstance(head_block.nodes[0], Block)
+                    and head_block.nodes[0].statements
+                    and isinstance(first_nonlabel_statement(head_block.nodes[0]), ConditionalJump)
+                    or isinstance(head_block, Block)
+                    and head_block.statements
+                    and isinstance(first_nonlabel_statement(head_block), ConditionalJump)
+                ):
+                    # it's a while loop if the conditional jump (or the head block) is at the beginning of node
+                    loop_type = "while" if head_block_idx == 0 else "do-while"
+                    # otherwise it's a do-while loop
+                    edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, head_block, left)
+                    edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, head_block, right)
+                    if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                        # c = !c
+                        if head_block_idx == 0:
+                            self._remove_first_statement_if_jump(head_block)
+                        else:
+                            remove_last_statement(head_block)
+                        seq_node = SequenceNode(node.addr, nodes=[node]) if not isinstance(node, SequenceNode) else node
+                        loop_node = LoopNode(loop_type, edge_cond_left, seq_node, addr=seq_node.addr)
+                        self.replace_nodes(graph, node, loop_node, self_loop=False)
+                        self.replace_nodes(full_graph, node, loop_node, self_loop=False)
+                        # ensure the loop has only one successor: the right node
+                        self._remove_edges_except(graph, loop_node, right)
+                        self._remove_edges_except(full_graph, loop_node, right)
+                        return True, loop_node, right
+            elif (
+                full_graph.has_edge(left, node)
+                and left is not head
+                and full_graph.in_degree[left] == 1
+                and full_graph.out_degree[left] == 1
+                and not full_graph.has_edge(right, node)
+            ):
+                # possible candidate
+                _, _, head_block = self._find_node_going_to_dst(node, left, condjump_only=True)
+                if head_block is not None:
+                    edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, head_block, left)
+                    edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, head_block, right)
+                    if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                        # c = !c
+                        if PhoenixStructurer._is_single_statement_block(node):
+                            # the single-statement-block check is to ensure we don't execute any code before the
+                            # conditional jump. this way the entire node can be dropped.
+                            new_node = SequenceNode(node.addr, nodes=[left])
+                            loop_node = LoopNode("while", edge_cond_left, new_node, addr=node.addr)
+                            # on the original graph
+                            self.replace_nodes(graph, node, loop_node, old_node_1=left, self_loop=False)
+                            # on the graph with successors
+                            self.replace_nodes(full_graph, node, loop_node, old_node_1=left, self_loop=False)
+                            # ensure the loop has only one successor: the right node
+                            self._remove_edges_except(graph, loop_node, right)
+                            self._remove_edges_except(full_graph, loop_node, right)
+                            return True, loop_node, right
+                        else:
+                            # we generate a while-true loop instead
+                            last_stmt = self._remove_last_statement_if_jump(head_block)
+                            cond_jump = Jump(
+                                None,
+                                Const(None, None, right.addr, self.project.arch.bits),
+                                None,
+                                ins_addr=last_stmt.ins_addr,
+                            )
+                            jump_node = Block(last_stmt.ins_addr, None, statements=[cond_jump])
+                            cond_jump_node = ConditionNode(last_stmt.ins_addr, None, edge_cond_right, jump_node)
+                            new_node = SequenceNode(node.addr, nodes=[node, cond_jump_node, left])
+                            loop_node = LoopNode("while", claripy.true, new_node, addr=node.addr)
+                            # on the original graph
+                            self.replace_nodes(graph, node, loop_node, old_node_1=left, self_loop=False)
+                            # on the graph with successors
+                            self.replace_nodes(full_graph, node, loop_node, old_node_1=left, self_loop=False)
+                            # ensure the loop has only one successor: the right node
+                            self._remove_edges_except(graph, loop_node, right)
+                            self._remove_edges_except(full_graph, loop_node, right)
+                            return True, loop_node, right
+                if self._phoenix_improved:
+                    if full_graph.out_degree[node] == 1:
+                        # while (true) { ...; if (...) break; }
+                        _, _, head_block = self._find_node_going_to_dst(node, left, condjump_only=True)
+                        if head_block is not None:
+                            edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, head_block, left)
+                            edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, head_block, right)
+                            if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                                # c = !c
+                                self._remove_last_statement_if_jump(head_block)
+                                cond_break = ConditionalBreakNode(node.addr, edge_cond_right, right.addr)
+                                new_node = SequenceNode(node.addr, nodes=[node, cond_break, left])
+                                loop_node = LoopNode("while", claripy.true, new_node, addr=node.addr)
+                                # on the original graph
+                                self.replace_nodes(graph, node, loop_node, old_node_1=left, self_loop=False)
+                                # on the graph with successors
+                                self.replace_nodes(full_graph, node, loop_node, old_node_1=left, self_loop=False)
+                                # ensure the loop has only one successor: the right node
+                                self._remove_edges_except(graph, loop_node, right)
+                                self._remove_edges_except(full_graph, loop_node, right)
+                                return True, loop_node, right
+        return False, None, None
+    def _match_cyclic_while_with_single_successor(
+        self, node, head, graph, full_graph
+    ) -> tuple[bool, LoopNode | None, BaseNode | None]:
+        if self._region.successors:
+            return False, None, None
+        if node is not head:
+            return False, None, None
+        if not (node is head or graph.in_degree[node] == 2):
+            return False, None, None
+        loop_cond = None
+        if (
+            isinstance(node, SequenceNode)
+            and node.nodes
+            and isinstance(node.nodes[-1], ConditionNode)
+            and node.nodes[-1].true_node is not None
+            and node.nodes[-1].false_node is not None
+        ):
+            successor_node = node.nodes[-1].true_node
+            # test if the successor_node returns or not
+            # FIXME: It might be too strict
+            try:
+                last_stmt = self.cond_proc.get_last_statement(successor_node)
+            except EmptyBlockNotice:
+                last_stmt = None
+            if last_stmt is not None and isinstance(last_stmt, Return):
+                loop_cond = claripy.Not(node.nodes[-1].condition)
+        if loop_cond is None:
+            return False, None, None
+        node_copy = node.copy()
+        node_copy.nodes[-1] = node_copy.nodes[-1].false_node  # replace the last node with the false node
+        # check if there is a cycle that starts with node and ends with node
+        next_node = node
+        seq_node = SequenceNode(node.addr, nodes=[node_copy])
+        seen_nodes = set()
+        while True:
+            succs = list(full_graph.successors(next_node))
+            if len(succs) != 1:
+                return False, None, None
+            next_node = succs[0]
+            if next_node is node:
+                break
+            if next_node is not node and next_node in seen_nodes:
+                return False, None, None
+            seen_nodes.add(next_node)
+            seq_node.nodes.append(next_node)
+        loop_node = LoopNode("while", loop_cond, seq_node, addr=node.addr)
+        # on the original graph
+        for node_ in seq_node.nodes:
+            if node_ is not node_copy:
+                graph.remove_node(node_)
+        self.replace_nodes(graph, node, loop_node, self_loop=False)
+        graph.add_edge(loop_node, successor_node)
+        # on the graph with successors
+        for node_ in seq_node.nodes:
+            if node_ is not node_copy:
+                full_graph.remove_node(node_)
+        self.replace_nodes(full_graph, node, loop_node, self_loop=False)
+        full_graph.add_edge(loop_node, successor_node)
+        return True, loop_node, successor_node
+    def _match_cyclic_dowhile(self, node, head, graph, full_graph) -> tuple[bool, LoopNode | None, BaseNode | None]:
+        preds = list(full_graph.predecessors(node))
+        succs = list(full_graph.successors(node))
+        if ((node is head and len(preds) >= 1) or len(preds) >= 2) and len(succs) == 1:
+            succ = succs[0]
+            succ_preds = list(full_graph.predecessors(succ))
+            succ_succs = list(full_graph.successors(succ))
+            if head is not succ and len(succ_succs) == 2 and node in succ_succs and len(succ_preds) == 1:
+                succ_succs.remove(node)
+                out_node = succ_succs[0]
+                if full_graph.has_edge(succ, node):
+                    # possible candidate
+                    _, _, succ_block = self._find_node_going_to_dst(succ, out_node, condjump_only=True)
+                    if succ_block is not None:
+                        edge_cond_succhead = self.cond_proc.recover_edge_condition(full_graph, succ_block, node)
+                        edge_cond_succout = self.cond_proc.recover_edge_condition(full_graph, succ_block, out_node)
+                        if claripy.is_true(claripy.Not(edge_cond_succhead) == edge_cond_succout):
+                            # c = !c
+                            self._remove_last_statement_if_jump(succ)
+                            drop_succ = False
+                            if self._phoenix_improved:
+                                # absorb the entire succ block if possible
+                                if self._is_sequential_statement_block(succ) and self._should_use_multistmtexprs(succ):
+                                    stmts = self._build_multistatementexpr_statements(succ)
+                                    assert stmts is not None
+                                    if stmts:
+                                        edge_cond_succhead = MultiStatementExpression(
+                                            None,
+                                            stmts,
+                                            self.cond_proc.convert_claripy_bool_ast(edge_cond_succhead),
+                                            ins_addr=succ.addr,
+                                        )
+                                    drop_succ = True
+                            new_node = SequenceNode(node.addr, nodes=[node] if drop_succ else [node, succ])
+                            loop_node = LoopNode("do-while", edge_cond_succhead, new_node, addr=node.addr)
+                            # on the original graph
+                            self.replace_nodes(graph, node, loop_node, old_node_1=succ, self_loop=False)
+                            # on the graph with successors
+                            self.replace_nodes(full_graph, node, loop_node, old_node_1=succ, self_loop=False)
+                            return True, loop_node, out_node
+        elif ((node is head and len(preds) >= 1) or len(preds) >= 2) and len(succs) == 2 and node in succs:
+            # head forms a self-loop
+            succs.remove(node)
+            succ = succs[0]
+            if not full_graph.has_edge(succ, node):
+                # possible candidate
+                edge_cond_head = self.cond_proc.recover_edge_condition(full_graph, node, node)
+                edge_cond_head_succ = self.cond_proc.recover_edge_condition(full_graph, node, succ)
+                if claripy.is_true(claripy.Not(edge_cond_head) == edge_cond_head_succ):
+                    # c = !c
+                    self._remove_last_statement_if_jump(node)
+                    seq_node = SequenceNode(node.addr, nodes=[node]) if not isinstance(node, SequenceNode) else node
+                    loop_node = LoopNode("do-while", edge_cond_head, seq_node, addr=seq_node.addr)
+                    # on the original graph
+                    self.replace_nodes(graph, node, loop_node, self_loop=False)
+                    # on the graph with successors
+                    self.replace_nodes(full_graph, node, loop_node, self_loop=False)
+                    return True, loop_node, succ
+        return False, None, None
+    def _match_cyclic_natural_loop(self, node, head, graph, full_graph) -> tuple[bool, LoopNode | None]:
+        if not (node is head or graph.in_degree[node] == 2):
+            return False, None
+        # check if there is a cycle that starts with node and ends with node
+        next_node = node
+        seq_node = SequenceNode(node.addr, nodes=[node])
+        seen_nodes = set()
+        while True:
+            succs = list(full_graph.successors(next_node))
+            if len(succs) != 1:
+                return False, None
+            next_node = succs[0]
+            if next_node is node:
+                break
+            if next_node is not node and next_node in seen_nodes:
+                return False, None
+            seen_nodes.add(next_node)
+            seq_node.nodes.append(next_node)
+        loop_node = LoopNode("while", claripy.true, seq_node, addr=node.addr)
+        # on the original graph
+        for node_ in seq_node.nodes:
+            if node_ is not node:
+                graph.remove_node(node_)
+        self.replace_nodes(graph, node, loop_node, self_loop=False)
+        # on the graph with successors
+        for node_ in seq_node.nodes:
+            if node_ is not node:
+                full_graph.remove_node(node_)
+        self.replace_nodes(full_graph, node, loop_node, self_loop=False)
+        return True, loop_node
+    def _refine_cyclic(self) -> bool:
+        loop_heads = {t for _, t in dfs_back_edges(self._region.graph, self._region.head)}
+        sorted_loop_heads = GraphUtils.quasi_topological_sort_nodes(self._region.graph, nodes=list(loop_heads))
+        for head in sorted_loop_heads:
+            l.debug("... refining cyclic at %r", head)
+            refined = self._refine_cyclic_core(head)
+            l.debug("... refined: %s", refined)
+            if refined:
+                return True
+        return False
+    def _refine_cyclic_core(self, loop_head) -> bool:
+        graph: networkx.DiGraph = self._region.graph
+        fullgraph: networkx.DiGraph = self._region.graph_with_successors
+        if fullgraph is None:
+            fullgraph = networkx.DiGraph(self._region.graph)
+        # check if there is an out-going edge from the loop head
+        head_succs = list(fullgraph.successors(loop_head))
+        successor = None  # the loop successor
+        loop_type = None
+        # continue_node either the loop header for while(true) loops or the loop header predecessor for do-while loops
+        continue_node = loop_head
+        is_while, result_while = self._refine_cyclic_is_while_loop(graph, fullgraph, loop_head, head_succs)
+        is_dowhile, result_dowhile = self._refine_cyclic_is_dowhile_loop(graph, fullgraph, loop_head, head_succs)
+        continue_edges: list[tuple[BaseNode, BaseNode]] = []
+        outgoing_edges: list = []
+        if is_while and is_dowhile:
+            # gotta pick one!
+            # for now, we handle the most common case: both successors exist in the graph of the parent region, and
+            # one successor has a path to the other successor
+            if self._parent_region is not None:
+                succ_while = result_while[-1]
+                succ_dowhile = result_dowhile[-1]
+                if succ_while in self._parent_region.graph and succ_dowhile in self._parent_region.graph:
+                    sorted_nodes = GraphUtils.quasi_topological_sort_nodes(
+                        self._parent_region.graph, loop_heads=[self._parent_region.head]
+                    )
+                    succ_while_idx = sorted_nodes.index(succ_while)
+                    succ_dowhile_idx = sorted_nodes.index(succ_dowhile)
+                    if succ_dowhile_idx < succ_while_idx:
+                        # pick do-while
+                        is_while = False
+        if is_while:
+            loop_type = "while"
+            continue_edges, outgoing_edges, continue_node, successor = result_while
+        elif is_dowhile:
+            loop_type = "do-while"
+            continue_edges, outgoing_edges, continue_node, successor = result_dowhile
+        if loop_type is None:
+            # natural loop. select *any* exit edge to determine the successor
+            # well actually, to maintain determinism, we select the successor with the highest address
+            successor_candidates = set()
+            for node in networkx.descendants(graph, loop_head):
+                for succ in fullgraph.successors(node):
+                    if succ not in graph:
+                        successor_candidates.add(succ)
+                    if loop_head is succ:
+                        continue_edges.append((node, succ))
+            if successor_candidates:
+                successor_candidates = list(sorted(successor_candidates, key=lambda x: x.addr))
+                successor = successor_candidates[0]
+                # virtualize all other edges
+                for succ in successor_candidates:
+                    for pred in fullgraph.predecessors(succ):
+                        if pred in graph:
+                            outgoing_edges.append((pred, succ))
+        if outgoing_edges:
+            # if there is a single successor, we convert all out-going edges into breaks;
+            # if there are multiple successors, and if the current region does not have a parent region, then we
+            # convert all out-going edges into gotos;
+            # otherwise we give up.
+            if self._parent_region is not None and len({dst for _, dst in outgoing_edges}) > 1:
+                # give up because there is a parent region
+                return False
+            if successor is None:
+                successor_and_edgecounts = defaultdict(int)
+                for _, dst in outgoing_edges:
+                    successor_and_edgecounts[dst] += 1
+                if len(successor_and_edgecounts) > 1:
+                    # pick one successor with the highest edge count and (in case there are multiple successors with the
+                    # same edge count) the lowest address
+                    max_edgecount = max(successor_and_edgecounts.values())
+                    successor_candidates = [
+                        nn for nn, edgecount in successor_and_edgecounts.items() if edgecount == max_edgecount
+                    ]
+                    successor = next(iter(sorted(successor_candidates, key=lambda x: x.addr)))
+                else:
+                    successor = next(iter(successor_and_edgecounts.keys()))
+            for src, dst in outgoing_edges:
+                if dst is successor:
+                    # keep in mind that at this point, src might have been structured already. this means the last
+                    # block in src may not be the actual block that has a direct jump or a conditional jump to dst. as
+                    # a result, we should walk all blocks in src to find the jump to dst, then extract the condition
+                    # and augment the corresponding block with a ConditionalBreak.
+                    _, src_parent, src_block = self._find_node_going_to_dst(src, dst)
+                    if src_block is None:
+                        l.warning(
+                            "Cannot find the source block jumping to the destination block at %#x. "
+                            "This is likely a bug elsewhere and needs to be addressed.",
+                            dst.addr,
+                        )
+                        # remove the edge anyway
+                        fullgraph.remove_edge(src, dst)
+                    elif not isinstance(src_block, (Block, MultiNode)):
+                        # it has probably been structured into BreakNode or ConditionalBreakNode
+                        # just remove the edge
+                        fullgraph.remove_edge(src, dst)
+                    else:
+                        has_continue = False
+                        # at the same time, examine if there is an edge that goes from src to the continue node. if so,
+                        # we deal with it here as well.
+                        continue_node_going_edge = src, continue_node
+                        if continue_node_going_edge in continue_edges:
+                            has_continue = True
+                            # do not remove the edge from continue_edges since we want to process them later in this
+                            # function.
+                        # create the "break" node. in fact, we create a jump or a conditional jump, which will be
+                        # rewritten to break nodes after (if possible). directly creating break nodes may lead to
+                        # unwanted results, e.g., inserting a break (that's intended to break out of the loop) inside a
+                        # switch-case that is nested within a loop.
+                        last_src_stmt = self.cond_proc.get_last_statement(src_block)
+                        break_cond = self.cond_proc.recover_edge_condition(fullgraph, src_block, dst)
+                        if claripy.is_true(break_cond):
+                            break_stmt = Jump(
+                                None,
+                                Const(None, None, successor.addr, self.project.arch.bits),
+                                None,
+                                ins_addr=last_src_stmt.ins_addr,
+                            )
+                            break_node = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                        else:
+                            break_stmt = Jump(
+                                None,
+                                Const(None, None, successor.addr, self.project.arch.bits),
+                                None,
+                                ins_addr=last_src_stmt.ins_addr,
+                            )
+                            break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                            break_node = ConditionNode(
+                                last_src_stmt.ins_addr,
+                                None,
+                                break_cond,
+                                break_node_inner,
+                            )
+                        new_node = SequenceNode(src_block.addr, nodes=[src_block, break_node])
+                        if has_continue:
+                            if self.is_a_jump_target(last_src_stmt, continue_node.addr):
+                                # instead of a conditional break node, we should insert a condition node instead
+                                break_stmt = Jump(
+                                    None,
+                                    Const(None, None, successor.addr, self.project.arch.bits),
+                                    None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                                cont_node = ContinueNode(
+                                    last_src_stmt.ins_addr,
+                                    Const(None, None, continue_node.addr, self.project.arch.bits),
+                                )
+                                cond_node = ConditionNode(
+                                    last_src_stmt.ins_addr,
+                                    None,
+                                    break_cond,
+                                    break_node,
+                                )
+                                new_node.nodes[-1] = cond_node
+                                new_node.nodes.append(cont_node)
+                                # we don't remove the edge (src, continue_node) from the graph or full graph. we will
+                                # process them later in this function.
+                            else:
+                                # the last statement in src_block is not the conditional jump whose one branch goes to
+                                # the loop head. it probably goes to another block that ends up going to the loop head.
+                                # we don't handle it here.
+                                pass
+                        self._remove_last_statement_if_jump(src_block)
+                        fullgraph.remove_edge(src, dst)
+                        if src_parent is not None:
+                            # replace the node in its parent node
+                            self.replace_node_in_node(src_parent, src_block, new_node)
+                        else:
+                            # directly replace the node in graph
+                            self.replace_nodes(graph, src, new_node)
+                            self.replace_nodes(fullgraph, src, new_node)
+                            if src is loop_head:
+                                loop_head = new_node
+                            if src is continue_node:
+                                continue_node = new_node
+                        self._replace_node_in_edge_list(outgoing_edges, src_block, new_node)
+                        self._replace_node_in_edge_list(continue_edges, src_block, new_node)
+                        # remove the last jump or conditional jump in src_block
+                        self._remove_last_statement_if_jump(src_block)
+                else:
+                    self.virtualized_edges.add((src, dst))
+                    fullgraph.remove_edge(src, dst)
+                    if fullgraph.in_degree[dst] == 0:
+                        # drop this node
+                        fullgraph.remove_node(dst)
+                        if dst in self._region.successors:
+                            self._region.successors.remove(dst)
+        if len(continue_edges) > 1:
+            # convert all but one (the one that is the farthest from the head, topological-wise) head-going edges into
+            # continues
+            sorted_nodes = GraphUtils.quasi_topological_sort_nodes(
+                fullgraph, nodes=[src for src, _ in continue_edges], loop_heads=[loop_head]
+            )
+            src_to_ignore = sorted_nodes[-1]
+            for src, _ in continue_edges:
+                if src is src_to_ignore:
+                    # this edge will be handled during loop structuring
+                    continue
+                # due to prior structuring of sub regions, the continue node may already be a Jump statement deep in
+                # src at this point. we need to find the Jump statement and replace it.
+                _, _, cont_block = self._find_node_going_to_dst(src, continue_node)
+                if cont_block is None:
+                    # cont_block is not found. but it's ok. one possibility is that src is a jump table head with one
+                    # case being the loop head. in such cases, we can just remove the edge.
+                    if src.addr not in self.kb.cfgs["CFGFast"].jump_tables:
+                        l.warning(
+                            "_refine_cyclic_core: Cannot find the block going to loop head for edge %r -> %r. "
+                            "Remove the edge anyway.",
+                            src,
+                            continue_node,
+                        )
+                    if graph.has_edge(src, continue_node):
+                        graph.remove_edge(src, continue_node)
+                    fullgraph.remove_edge(src, continue_node)
+                else:
+                    # remove the edge.
+                    graph.remove_edge(src, continue_node)
+                    fullgraph.remove_edge(src, continue_node)
+                    # replace it with the original node plus the continue node
+                    try:
+                        last_stmt = self.cond_proc.get_last_statement(cont_block)
+                    except EmptyBlockNotice:
+                        # meh
+                        last_stmt = None
+                    if last_stmt is not None:
+                        new_cont_node = None
+                        if isinstance(last_stmt, ConditionalJump):
+                            new_cont_node = ContinueNode(last_stmt.ins_addr, continue_node.addr)
+                            if (
+                                isinstance(last_stmt.true_target, Const)
+                                and last_stmt.true_target.value == continue_node.addr
+                            ):
+                                new_cont_node = ConditionNode(
+                                    last_stmt.ins_addr, None, last_stmt.condition, new_cont_node
+                                )
+                            else:
+                                new_cont_node = ConditionNode(
+                                    last_stmt.ins_addr,
+                                    None,
+                                    UnaryOp(None, "Not", last_stmt.condition),
+                                    new_cont_node,
+                                )
+                        elif isinstance(last_stmt, Jump):
+                            new_cont_node = ContinueNode(last_stmt.ins_addr, continue_node.addr)
+                        if new_cont_node is not None:
+                            self._remove_last_statement_if_jump(cont_block)
+                            new_node = SequenceNode(src.addr, nodes=[src, new_cont_node])
+                            self.replace_nodes(graph, src, new_node)
+                            self.replace_nodes(fullgraph, src, new_node)
+        if loop_type == "do-while":
+            self.dowhile_known_tail_nodes.add(continue_node)
+        return bool(outgoing_edges or len(continue_edges) > 1)
+    def _refine_cyclic_is_while_loop(
+        self, graph, fullgraph, loop_head, head_succs
+    ) -> tuple[bool, tuple[list, list, BaseNode, BaseNode] | None]:
+        if len(head_succs) == 2 and any(head_succ not in graph for head_succ in head_succs):
+            # make sure the head_pred is not already structured
+            _, _, head_block_0 = self._find_node_going_to_dst(loop_head, head_succs[0])
+            _, _, head_block_1 = self._find_node_going_to_dst(loop_head, head_succs[1])
+            if head_block_0 is head_block_1 and head_block_0 is not None:
+                # there is an out-going edge from the loop head
+                # virtualize all other edges
+                continue_edges: list[tuple[BaseNode, BaseNode]] = []
+                outgoing_edges = []
+                successor = next(iter(head_succ for head_succ in head_succs if head_succ not in graph))
+                for node in networkx.descendants(graph, loop_head):
+                    succs = list(fullgraph.successors(node))
+                    if loop_head in succs:
+                        continue_edges.append((node, loop_head))
+                    outside_succs = [succ for succ in succs if succ not in graph]
+                    for outside_succ in outside_succs:
+                        outgoing_edges.append((node, outside_succ))
+                return True, (continue_edges, outgoing_edges, loop_head, successor)
+        return False, None
+    def _refine_cyclic_is_dowhile_loop(  # pylint:disable=unused-argument
+        self, graph, fullgraph, loop_head, head_succs
+    ) -> tuple[bool, tuple[list, list, BaseNode, BaseNode] | None]:
+        # check if there is an out-going edge from the loop tail
+        head_preds = list(fullgraph.predecessors(loop_head))
+        if len(head_preds) == 1:
+            head_pred = head_preds[0]
+            head_pred_succs = list(fullgraph.successors(head_pred))
+            if len(head_pred_succs) == 2 and any(nn not in graph for nn in head_pred_succs):
+                # make sure the head_pred is not already structured
+                _, _, src_block_0 = self._find_node_going_to_dst(head_pred, head_pred_succs[0])
+                _, _, src_block_1 = self._find_node_going_to_dst(head_pred, head_pred_succs[1])
+                if src_block_0 is src_block_1 and src_block_0 is not None:
+                    continue_edges: list[tuple[BaseNode, BaseNode]] = []
+                    outgoing_edges = []
+                    # there is an out-going edge from the loop tail
+                    # virtualize all other edges
+                    successor = next(iter(nn for nn in head_pred_succs if nn not in graph))
+                    continue_node = head_pred
+                    for node in networkx.descendants(graph, loop_head):
+                        if node is head_pred:
+                            continue
+                        succs = list(fullgraph.successors(node))
+                        if head_pred in succs:
+                            continue_edges.append((node, head_pred))
+                        outside_succs = [succ for succ in succs if succ not in graph]
+                        for outside_succ in outside_succs:
+                            outgoing_edges.append((node, outside_succ))
+                    return True, (continue_edges, outgoing_edges, continue_node, successor)
+        return False, None
+    def _analyze_acyclic(self) -> bool:
+        # match against known schemas
+        l.debug("Matching acyclic schemas for region %r.", self._region)
+        any_matches = False
+        idx = 0
+        while True:
+            l.debug("_match_acyclic_schemas: Iteration %d", idx)
+            idx += 1
+            try:
+                any_matches_this_iteration = self._match_acyclic_schemas(
+                    self._region.graph,
+                    (
+                        self._region.graph_with_successors
+                        if self._region.graph_with_successors is not None
+                        else networkx.DiGraph(self._region.graph)
+                    ),
+                    self._region.head,
+                )
+            except GraphChangedNotification:
+                # restart
+                l.debug("_match_acyclic_schemas: Graph changed. Restart.")
+                idx = 0
+                continue
+            if not any_matches_this_iteration:
+                break
+            any_matches = True
+            # update the head if needed
+            if self._region.head not in self._region.graph:
+                # update the head
+                self._region.head = next(
+                    iter(node for node in self._region.graph.nodes if node.addr == self._region.head.addr)
+                )
+        return any_matches
+    def _match_acyclic_schemas(self, graph: networkx.DiGraph, full_graph: networkx.DiGraph, head) -> bool:
+        # traverse the graph in reverse topological order
+        any_matches = False
+        self._assert_graph_ok(self._region.graph, "Got a wrong graph to work on")
+        if graph.in_degree[head] == 0:
+            acyclic_graph = graph
+        else:
+            acyclic_graph = networkx.DiGraph(graph)
+            acyclic_graph.remove_edges_from(graph.in_edges(head))
+            self._assert_graph_ok(acyclic_graph, "Removed wrong edges")
+        for node in list(reversed(GraphUtils.quasi_topological_sort_nodes(acyclic_graph))):
+            if node not in graph:
+                continue
+            if graph.has_edge(node, head):
+                # it's a back edge. skip
+                continue
+            l.debug("... matching acyclic switch-case constructs at %r", node)
+            matched = self._match_acyclic_switch_cases(graph, full_graph, node)
+            l.debug("... matched: %s", matched)
+            any_matches |= matched
+            if matched:
+                break
+            l.debug("... matching acyclic sequence at %r", node)
+            matched = self._match_acyclic_sequence(graph, full_graph, node)
+            l.debug("... matched: %s", matched)
+            any_matches |= matched
+            if matched:
+                break
+            l.debug("... matching acyclic ITE at %r", node)
+            matched = self._match_acyclic_ite(graph, full_graph, node)
+            l.debug("... matched: %s", matched)
+            any_matches |= matched
+            if matched:
+                break
+            if self._phoenix_improved:
+                l.debug("... matching acyclic ITE with short-circuit conditions at %r", node)
+                matched = self._match_acyclic_short_circuit_conditions(graph, full_graph, node)
+                l.debug("... matched: %s", matched)
+                any_matches |= matched
+                if matched:
+                    break
+            self._assert_graph_ok(self._region.graph, "Removed incorrect edges")
+        return any_matches
+    # switch cases
+    def _match_acyclic_switch_cases(self, graph: networkx.DiGraph, full_graph: networkx.DiGraph, node) -> bool:
+        if isinstance(node, (SwitchCaseNode, IncompleteSwitchCaseNode)):
+            return False
+        r = self._match_acyclic_switch_cases_incomplete_switch_head(node, graph, full_graph)
+        if r:
+            return r
+        jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+        r = self._match_acyclic_switch_cases_address_loaded_from_memory(node, graph, full_graph, jump_tables)
+        if r:
+            return r
+        r = self._match_acyclic_switch_cases_address_computed(node, graph, full_graph, jump_tables)
+        if r:
+            return r
+        r = self._match_acyclic_incomplete_switch_cases(node, graph, full_graph, jump_tables)
+        return r
+    def _match_acyclic_switch_cases_incomplete_switch_head(self, node, graph, full_graph) -> bool:
+        try:
+            last_stmts = self.cond_proc.get_last_statements(node)
+        except EmptyBlockNotice:
+            return False
+        if len(last_stmts) != 1:
+            return False
+        last_stmt = last_stmts[0]
+        if not isinstance(last_stmt, IncompleteSwitchCaseHeadStatement):
+            return False
+        # make a fake jumptable
+        node_default_addr = None
+        case_entries: dict[int, tuple[int, int | None]] = {}
+        for _, case_value, case_target_addr, case_target_idx, _ in last_stmt.case_addrs:
+            if isinstance(case_value, str):
+                if case_value == "default":
+                    node_default_addr = case_target_addr
+                    continue
+                raise ValueError(f"Unsupported 'case_value' {case_value}")
+            case_entries[case_value] = (case_target_addr, case_target_idx)
+        cases, node_default, to_remove = self._switch_build_cases(
+            case_entries,
+            node,
+            node,
+            node_default_addr,
+            graph,
+            full_graph,
+        )
+        if node_default_addr is not None and node_default is None:
+            # the default node is not found. it's likely the node has been structured and is part of another construct
+            # (e.g., inside another switch-case). we need to create a default node that jumps to the other node
+            jmp_to_default_node = Jump(
+                None,
+                Const(None, None, node_default_addr, self.project.arch.bits),
+                None,
+                ins_addr=SWITCH_MISSING_DEFAULT_NODE_ADDR,
+            )
+            node_default = Block(SWITCH_MISSING_DEFAULT_NODE_ADDR, 0, statements=[jmp_to_default_node])
+            graph.add_edge(node, node_default)
+            full_graph.add_edge(node, node_default)
+        r = self._make_switch_cases_core(
+            node,
+            self.cond_proc.claripy_ast_from_ail_condition(last_stmt.switch_variable),
+            cases,
+            node_default_addr,
+            node_default,
+            last_stmt.ins_addr,
+            to_remove,
+            graph,
+            full_graph,
+            can_bail=True,
+        )
+        if not r:
+            return False
+        # special handling of duplicated default nodes
+        if node_default is not None and self._region.graph.out_degree[node] > 1:
+            other_out_nodes = list(self._region.graph.successors(node))
+            for o in other_out_nodes:
+                if o.addr == node_default.addr and o is not node_default:
+                    self._region.graph.remove_node(o)
+                    if self._region.graph_with_successors is not None:
+                        self._region.graph_with_successors.remove_node(o)
+        self._switch_handle_gotos(cases, node_default, None)
+        return True
+    def _match_acyclic_switch_cases_address_loaded_from_memory(self, node, graph, full_graph, jump_tables) -> bool:
+        try:
+            last_stmt = self.cond_proc.get_last_statement(node)
+        except EmptyBlockNotice:
+            return False
+        successor_addrs = extract_jump_targets(last_stmt)
+        if len(successor_addrs) != 2:
+            return False
+        for t in successor_addrs:
+            if t in jump_tables:
+                # this is a candidate!
+                target = t
+                break
+        else:
+            return False
+        jump_table = jump_tables[target]
+        if jump_table.type != IndirectJumpType.Jumptable_AddressLoadedFromMemory:
+            return False
+        # extract the comparison expression, lower-, and upper-bounds from the last statement
+        cmp = switch_extract_cmp_bounds(last_stmt)
+        if not cmp:
+            return False
+        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        node_a = next(iter(nn for nn in graph.nodes if nn.addr == target), None)
+        if node_a is None:
+            return False
+        # the default case
+        node_b_addr = next(iter(t for t in successor_addrs if t != target), None)
+        if node_b_addr is None:
+            return False
+        # populate whitelist_edges
+        for case_node_addr in jump_table.jumptable_entries:
+            self.whitelist_edges.add((node_a.addr, case_node_addr))
+        self.whitelist_edges.add((node.addr, node_b_addr))
+        self.whitelist_edges.add((node_a.addr, node_b_addr))
+        self.switch_case_known_heads.add(node)
+        # sanity check: case nodes are successors to node_a. all case nodes must have at most common one successor
+        node_pred = None
+        if graph.in_degree[node] == 1:
+            node_pred = list(graph.predecessors(node))[0]
+        case_nodes = list(graph.successors(node_a))
+        case_node_successors = set()
+        for case_node in case_nodes:
+            if case_node is node_pred:
+                continue
+            if case_node.addr in jump_table.jumptable_entries:
+                succs = set(graph.successors(case_node))
+                case_node_successors |= {succ for succ in succs if succ.addr not in jump_table.jumptable_entries}
+        if len(case_node_successors) > 1:
+            return False
+        # we will definitely be able to structure this into a full switch-case. remove node from switch_case_known_heads
+        self.switch_case_known_heads.remove(node)
+        # un-structure IncompleteSwitchCaseNode
+        if isinstance(node_a, SequenceNode) and node_a.nodes and isinstance(node_a.nodes[0], IncompleteSwitchCaseNode):
+            _, new_seq_node = self._unpack_sequencenode_head(graph, node_a)
+            self._unpack_sequencenode_head(full_graph, node_a, new_seq=new_seq_node)
+            # update node_a
+            node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
+        if isinstance(node_a, IncompleteSwitchCaseNode):
+            self._unpack_incompleteswitchcasenode(graph, node_a)
+            self._unpack_incompleteswitchcasenode(full_graph, node_a)
+            # update node_a
+            node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
+        cases, node_default, to_remove = self._switch_build_cases(
+            {cmp_lb + i: entry_addr for (i, entry_addr) in enumerate(jump_table.jumptable_entries)},
+            node,
+            node_a,
+            node_b_addr,
+            graph,
+            full_graph,
+        )
+        if node_default is None:
+            switch_end_addr = node_b_addr
+        else:
+            # we don't know what the end address of this switch-case structure is. let's figure it out
+            switch_end_addr = None
+            to_remove.add(node_default)
+        to_remove.add(node_a)  # add node_a
+        self._make_switch_cases_core(
+            node,
+            cmp_expr,
+            cases,
+            node_b_addr,
+            node_default,
+            last_stmt.ins_addr,
+            to_remove,
+            graph,
+            full_graph,
+            node_a=node_a,
+        )
+        self._switch_handle_gotos(cases, node_default, switch_end_addr)
+        return True
+    def _match_acyclic_switch_cases_address_computed(self, node, graph, full_graph, jump_tables) -> bool:
+        if node.addr not in jump_tables:
+            return False
+        jump_table = jump_tables[node.addr]
+        if jump_table.type != IndirectJumpType.Jumptable_AddressComputed:
+            return False
+        try:
+            last_stmts = self.cond_proc.get_last_statements(node)
+        except EmptyBlockNotice:
+            return False
+        if len(last_stmts) != 1:
+            return False
+        last_stmt = last_stmts[0]
+        if not isinstance(last_stmt, ConditionalJump):
+            return False
+        # Typical look:
+        #   t2 = (r5<4> - 0x22<32>)
+        #   if ((t2 <= 0x1c<32>)) { Goto (0x41d10c<32> + (t2 << 0x2<8>)) } else { Goto 0x41d108<32> }
+        #
+        # extract the comparison expression, lower-, and upper-bounds from the last statement
+        cmp = switch_extract_cmp_bounds(last_stmt)
+        if not cmp:
+            return False
+        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        if isinstance(last_stmt.false_target, Const):
+            default_addr = last_stmt.false_target.value
+        else:
+            return False
+        cases, node_default, to_remove = self._switch_build_cases(
+            {cmp_lb + i: entry_addr for (i, entry_addr) in enumerate(jump_table.jumptable_entries)},
+            node,
+            node,
+            default_addr,
+            graph,
+            full_graph,
+        )
+        if node_default is None:
+            # there must be a default case
+            return False
+        self._make_switch_cases_core(
+            node, cmp_expr, cases, default_addr, node_default, node.addr, to_remove, graph, full_graph
+        )
+        return True
+    def _match_acyclic_incomplete_switch_cases(
+        self, node, graph: networkx.DiGraph, full_graph: networkx.DiGraph, jump_tables: dict
+    ) -> bool:
+        # sanity checks
+        if node.addr not in jump_tables:
+            return False
+        if isinstance(node, IncompleteSwitchCaseNode):
+            return False
+        if is_empty_or_label_only_node(node):
+            return False
+        successors = list(graph.successors(node))
+        if (
+            successors
+            and {succ.addr for succ in successors} == set(jump_tables[node.addr].jumptable_entries)
+            and all(graph.in_degree[succ] == 1 for succ in successors)
+        ):
+            out_nodes = set()
+            for succ in successors:
+                out_nodes |= set(full_graph.successors(succ))
+            out_nodes = list(out_nodes)
+            if len(out_nodes) <= 1:
+                new_node = IncompleteSwitchCaseNode(node.addr, node, successors)
+                graph.remove_nodes_from(successors)
+                self.replace_nodes(graph, node, new_node)
+                if out_nodes and out_nodes[0] in graph:
+                    graph.add_edge(new_node, out_nodes[0])
+                full_graph.remove_nodes_from(successors)
+                self.replace_nodes(full_graph, node, new_node)
+                if out_nodes:
+                    full_graph.add_edge(new_node, out_nodes[0])
+                return True
+        return False
+    def _switch_build_cases(
+        self,
+        case_and_entryaddrs: dict[int, int | tuple[int, int | None]],
+        head_node,
+        node_a: BaseNode,
+        node_b_addr,
+        graph,
+        full_graph,
+    ) -> tuple[ODict, Any, set[Any]]:
+        cases: ODict[int | tuple[int], SequenceNode] = OrderedDict()
+        to_remove = set()
+        # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
+        # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
+        # successor to node_a
+        default_node_candidates = [nn for nn in graph.nodes if nn.addr == node_b_addr]
+        if len(default_node_candidates) == 0:
+            node_default: BaseNode | None = None
+        elif len(default_node_candidates) == 1:
+            node_default: BaseNode | None = default_node_candidates[0]
+        else:
+            node_default: BaseNode | None = next(
+                iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
+            )
+        if node_default is not None and not isinstance(node_default, SequenceNode):
+            # make the default node a SequenceNode so that we can insert Break and Continue nodes into it later
+            new_node = SequenceNode(node_default.addr, nodes=[node_default])
+            self.replace_nodes(graph, node_default, new_node)
+            self.replace_nodes(full_graph, node_default, new_node)
+            node_default = new_node
+        # entry_addrs_set = set(jumptable_entries)
+        converted_nodes: dict[tuple[int, int | None], Any] = {}
+        entry_addr_to_ids: DefaultDict[tuple[int, int | None], set[int]] = defaultdict(set)
+        # the default node might get duplicated (e.g., by EagerReturns). we detect if a duplicate of the default node
+        # (node b) is a successor node of node a. we only skip those entries going to the default node if no duplicate
+        # of default node exists in node a's successors.
+        node_a_successors = list(graph.successors(node_a))
+        if len(default_node_candidates) > 1:
+            node_b_in_node_a_successors = any(nn for nn in node_a_successors if nn in default_node_candidates)
+        else:
+            # the default node is not duplicated
+            node_b_in_node_a_successors = False
+        for case_idx, entry_addr in case_and_entryaddrs.items():
+            if isinstance(entry_addr, tuple):
+                entry_addr, entry_idx = entry_addr
+            else:
+                entry_idx = None
+            if not node_b_in_node_a_successors and entry_addr == node_b_addr:
+                # jump to default or end of the switch-case structure - ignore this case
+                continue
+            entry_addr_to_ids[(entry_addr, entry_idx)].add(case_idx)
+            if (entry_addr, entry_idx) in converted_nodes:
+                continue
+            if entry_addr == self._region.head.addr:
+                # do not make the region head part of the switch-case construct (because it will lead to the removal
+                # of the region head node). replace this entry with a goto statement later.
+                entry_node = None
+            else:
+                entry_node = next(
+                    iter(
+                        nn
+                        for nn in node_a_successors
+                        if nn.addr == entry_addr and (not isinstance(nn, (Block, MultiNode)) or nn.idx == entry_idx)
+                    ),
+                    None,
+                )
+            if entry_node is None:
+                # Missing entries. They are probably *after* the entire switch-case construct. Replace it with an empty
+                # Goto node.
+                case_inner_node = Block(
+                    0,
+                    0,
+                    statements=[
+                        Jump(
+                            None,
+                            Const(None, None, entry_addr, self.project.arch.bits),
+                            target_idx=entry_idx,
+                            ins_addr=0,
+                            stmt_idx=0,
+                        )
+                    ],
+                )
+                case_node = SequenceNode(0, nodes=[case_inner_node])
+                converted_nodes[(entry_addr, entry_idx)] = case_node
+                continue
+            if isinstance(entry_node, SequenceNode):
+                case_node = entry_node
+            else:
+                case_node = SequenceNode(entry_node.addr, nodes=[entry_node])
+            to_remove.add(entry_node)
+            converted_nodes[(entry_addr, entry_idx)] = case_node
+        for entry_addr_and_idx, converted_node in converted_nodes.items():
+            assert entry_addr_and_idx in entry_addr_to_ids
+            case_ids = entry_addr_to_ids[entry_addr_and_idx]
+            if len(case_ids) == 1:
+                cases[next(iter(case_ids))] = converted_node
+            else:
+                cases[tuple(sorted(case_ids))] = converted_node
+        # reorganize cases to handle fallthroughs
+        cases = self._reorganize_switch_cases(cases)
+        return cases, node_default, to_remove
+    def _make_switch_cases_core(
+        self,
+        head,
+        cmp_expr,
+        cases: ODict,
+        node_default_addr: int,
+        node_default,
+        addr,
+        to_remove: set,
+        graph: networkx.DiGraph,
+        full_graph: networkx.DiGraph,
+        node_a=None,
+        can_bail=False,
+    ) -> bool:
+        scnode = SwitchCaseNode(cmp_expr, cases, node_default, addr=addr)
+        # insert the switch-case node to the graph
+        other_nodes_inedges = []
+        out_edges = []
+        # remove all those entry nodes
+        if node_default is not None:
+            to_remove.add(node_default)
+        for nn in to_remove:
+            if nn is head:
+                continue
+            for src in graph.predecessors(nn):
+                if src not in to_remove:
+                    other_nodes_inedges.append((src, nn))
+            for dst in full_graph.successors(nn):
+                if dst not in to_remove:
+                    out_edges.append((nn, dst))
+        if can_bail:
+            nonhead_out_nodes = {edge[1] for edge in out_edges if edge[1] is not head}
+            if len(nonhead_out_nodes) > 1:
+                # not ready to be structured yet - do it later
+                return False
+        if node_default is not None:
+            # the head no longer goes to the default case
+            graph.remove_edge(head, node_default)
+            full_graph.remove_edge(head, node_default)
+        else:
+            # the default node is not in the current graph, but it might be in the full graph
+            node_default_in_full_graph = next(iter(nn for nn in full_graph if nn.addr == node_default_addr), None)
+            if node_default_in_full_graph is not None and full_graph.has_edge(head, node_default_in_full_graph):
+                # the head no longer jumps to the default node - the switch jumps to it
+                full_graph.remove_edge(head, node_default_in_full_graph)
+        for nn in to_remove:
+            graph.remove_node(nn)
+            full_graph.remove_node(nn)
+        graph.add_edge(head, scnode)
+        full_graph.add_edge(head, scnode)
+        if out_edges:
+            # for all out edges going to head, we ensure there is a goto at the end of each corresponding case node
+            for out_src, out_dst in out_edges:
+                if out_dst is head:
+                    all_case_nodes = list(cases.values())
+                    if node_default is not None:
+                        all_case_nodes.append(node_default)
+                    case_node: SequenceNode = [nn for nn in all_case_nodes if nn.addr == out_src.addr][0]
+                    case_node_last_stmt = self.cond_proc.get_last_statement(case_node)
+                    if not isinstance(case_node_last_stmt, Jump):
+                        jump_stmt = Jump(
+                            None, Const(None, None, head.addr, self.project.arch.bits), None, ins_addr=out_src.addr
+                        )
+                        jump_node = Block(out_src.addr, 0, statements=[jump_stmt])
+                        case_node.nodes.append(jump_node)
+                    graph.add_edge(scnode, head)
+                    full_graph.add_edge(scnode, head)
+            out_edges = [edge for edge in out_edges if edge[1] is not head]
+            if out_edges:
+                # leave only one out edge and virtualize all other out edges
+                out_edge = out_edges[0]
+                out_dst = out_edge[1]
+                if out_dst in graph:
+                    graph.add_edge(scnode, out_dst)
+                full_graph.add_edge(scnode, out_dst)
+                if full_graph.has_edge(head, out_dst):
+                    full_graph.remove_edge(head, out_dst)
+        # remove the last statement (conditional jump) in the head node
+        remove_last_statement(head)
+        if node_a is not None:
+            # remove the last statement in node_a
+            remove_last_statement(node_a)
+        return True
+    # other acyclic schemas
+    def _match_acyclic_sequence(self, graph, full_graph, start_node) -> bool:
+        """
+        Check if there is a sequence of regions, where each region has a single predecessor and a single successor.
+        """
+        succs = list(graph.successors(start_node))
+        if len(succs) == 1:
+            end_node = succs[0]
+            jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+            if (
+                full_graph.out_degree[start_node] == 1
+                and full_graph.in_degree[end_node] == 1
+                and not full_graph.has_edge(end_node, start_node)
+                and end_node.addr not in jump_tables
+                and end_node not in self.switch_case_known_heads
+                and start_node not in self.switch_case_known_heads
+                and end_node not in self.dowhile_known_tail_nodes
+            ):
+                # merge two blocks
+                new_seq = self._merge_nodes(start_node, end_node)
+                # on the original graph
+                self.replace_nodes(graph, start_node, new_seq, old_node_1=end_node if end_node in graph else None)
+                # on the graph with successors
+                self.replace_nodes(full_graph, start_node, new_seq, old_node_1=end_node)
+                return True
+        return False
+    def _match_acyclic_ite(self, graph, full_graph, start_node) -> bool:
+        """
+        Check if start_node is the beginning of an If-Then-Else region. Create a Condition node if it is the case.
+        """
+        succs = list(full_graph.successors(start_node))
+        if len(succs) == 2:
+            left, right = succs
+            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+                # structure the switch-case first before we wrap them into an ITE. give up
+                return False
+            left_succs = list(full_graph.successors(left))
+            right_succs = list(full_graph.successors(right))
+            if (
+                left in graph
+                and right in graph
+                and (
+                    (not left_succs and not right_succs)
+                    or (not left_succs and len(right_succs) == 1)
+                    or (not right_succs and len(left_succs) == 1)
+                    or (len(left_succs) == 1 and left_succs == right_succs)
+                )
+            ):
+                # potentially ITE
+                jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+                if (
+                    full_graph.in_degree[left] == 1
+                    and full_graph.in_degree[right] == 1
+                    and left.addr not in jump_tables
+                    and right.addr not in jump_tables
+                ):
+                    edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                    edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
+                    if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                        # c = !c
+                        last_if_jump = self._remove_last_statement_if_jump(start_node)
+                        new_cond_node = ConditionNode(
+                            last_if_jump.ins_addr if last_if_jump is not None else start_node.addr,
+                            None,
+                            edge_cond_left,
+                            left,
+                            false_node=right,
+                        )
+                        new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+                        if not left_succs:
+                            # on the original graph
+                            if left in graph:
+                                graph.remove_node(left)
+                            self.replace_nodes(graph, start_node, new_node, old_node_1=right)
+                            # on the graph with successors
+                            full_graph.remove_node(left)
+                            self.replace_nodes(full_graph, start_node, new_node, old_node_1=right)
+                        else:
+                            # on the original graph
+                            if right in graph:
+                                graph.remove_node(right)
+                            self.replace_nodes(graph, start_node, new_node, old_node_1=left)
+                            # on the graph with successors
+                            full_graph.remove_node(right)
+                            self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+                        return True
+            if right in graph and not right_succs and full_graph.in_degree[right] == 1 and left in graph:
+                # swap them
+                left, right = right, left
+                left_succs, right_succs = right_succs, left_succs
+            if left in graph and not left_succs and full_graph.in_degree[left] == 1 and right in graph:
+                # potentially If-Then
+                jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+                if left.addr not in jump_tables and right.addr not in jump_tables:
+                    edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                    edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
+                    if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                        # c = !c
+                        last_if_jump = self._remove_last_statement_if_jump(start_node)
+                        new_cond_node = ConditionNode(
+                            last_if_jump.ins_addr if last_if_jump is not None else start_node.addr,
+                            None,
+                            edge_cond_left,
+                            left,
+                            false_node=None,
+                        )
+                        new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+                        # on the original graph
+                        self.replace_nodes(graph, start_node, new_node, old_node_1=left)
+                        # on the graph with successors
+                        self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+                        return True
+            if len(right_succs) == 1 and right_succs[0] == left:
+                # swap them
+                left, right = right, left
+                left_succs, right_succs = right_succs, left_succs
+            if left in graph and len(left_succs) == 1 and left_succs[0] == right:
+                # potentially If-Then
+                if full_graph.in_degree[left] == 1 and full_graph.in_degree[right] >= 2:
+                    edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                    edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
+                    if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                        # c = !c
+                        last_if_jump = self._remove_last_statement_if_jump(start_node)
+                        new_cond_node = ConditionNode(
+                            last_if_jump.ins_addr if last_if_jump is not None else start_node.addr,
+                            None,
+                            edge_cond_left,
+                            left,
+                            false_node=None,
+                        )
+                        new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+                        # on the original graph
+                        self.replace_nodes(graph, start_node, new_node, old_node_1=left)
+                        # on the graph with successors
+                        self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+                        return True
+            if right in graph and left not in graph:
+                # swap them
+                left, right = right, left
+                left_succs, right_succs = right_succs, left_succs  # pylint:disable=unused-variable
+            if left in graph and right not in graph:
+                # potentially If-then
+                if full_graph.in_degree[left] == 1 and (
+                    full_graph.in_degree[right] == 2
+                    and left_succs == [right]
+                    or full_graph.in_degree[right] == 1
+                    and not left_succs
+                ):
+                    edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                    edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
+                    if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                        # c = !c
+                        try:
+                            last_stmt = self.cond_proc.get_last_statement(start_node)
+                        except EmptyBlockNotice:
+                            last_stmt = None
+                        new_cond_node = ConditionNode(
+                            last_stmt.ins_addr if last_stmt is not None else start_node.addr,
+                            None,
+                            edge_cond_left,
+                            left,
+                            false_node=None,
+                        )
+                        new_nodes = [start_node, new_cond_node]
+                        if full_graph.in_degree[right] == 1:
+                            # only remove the if statement when it will no longer be used later
+                            self._remove_last_statement_if_jump(start_node)
+                            # add a goto node at the end
+                            new_jump_node = Block(
+                                new_cond_node.addr,
+                                0,
+                                statements=[
+                                    Jump(
+                                        None,
+                                        Const(None, None, right.addr, self.project.arch.bits),
+                                        ins_addr=new_cond_node.addr,
+                                    )
+                                ],
+                            )
+                            new_nodes.append(new_jump_node)
+                        new_node = SequenceNode(start_node.addr, nodes=new_nodes)
+                        # on the original graph
+                        self.replace_nodes(graph, start_node, new_node, old_node_1=left)
+                        # on the graph with successors
+                        self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+                        return True
+        return False
+    def _match_acyclic_short_circuit_conditions(
+        self, graph: networkx.DiGraph, full_graph: networkx.DiGraph, start_node
+    ) -> bool:
+        """
+        Check if start_node is the beginning of an If-Then-Else region with cascading short-circuit expressions as the
+        condition. Create a Condition node if it is the case.
+        """
+        # There are four possible graph schemas.
+        #
+        # Type A: Cascading Or::
+        #
+        #     cond_node
+        #     |        \
+        #     |         \
+        # next_cond      \
+        #    ...    \     \
+        #            \    |
+        #             \   |
+        #              \  |
+        #    ...       body
+        #       ...      /
+        #         \ \ \ /
+        #        successor
+        #
+        # We reduce it into if (cond || next_cond) { body }
+        #
+        # Type B: Cascading Or with else::
+        #
+        #     cond_node
+        #     |        \
+        #     |         \
+        # next_cond      \
+        #    ...    \     \
+        #            \    |
+        #             \   |
+        #              \  |
+        #    ...       body
+        #      else      /
+        #         \ \ \ /
+        #        successor
+        #
+        # We reduce it into if (cond || next_cond) { body } else { else }
+        #
+        # Type C: Cascading And::
+        #
+        #     cond_node
+        #     |        \
+        #     |         \
+        # next_cond      \
+        #    ...    \     \
+        #            \    |
+        #             \   |
+        #      \       \ /
+        #       \       |
+        #       body    |
+        #    ...  |     |
+        #         |     |
+        #         \ \ \ /
+        #        successor
+        #
+        # We reduce it into if (cond && next_cond) { body }
+        #
+        # Type D: Cascading And with else::
+        #
+        #     cond_node
+        #     |        \
+        #     |         \
+        # next_cond      \
+        #    ...    \     \
+        #            \    |
+        #             \   |
+        #      \       \ /
+        #       \       |
+        #       body    |
+        #    ...  |    else
+        #         |     |
+        #         \ \ \ /
+        #        successor
+        #
+        # We reduce it into if (cond && next_cond) { body } else { else }
+        r = self._match_acyclic_short_circuit_conditions_type_a(graph, full_graph, start_node)
+        if r is not None:
+            left, left_cond, right, left_right_cond, succ = r
+            # create the condition node
+            memo = {}
+            if not self._is_single_statement_block(left):
+                if not self._should_use_multistmtexprs(left):
+                    return False
+                # create a MultiStatementExpression for left_right_cond
+                stmts = self._build_multistatementexpr_statements(left)
+                assert stmts is not None
+                mstmt_expr = MultiStatementExpression(
+                    None, stmts, self.cond_proc.convert_claripy_bool_ast(left_right_cond), ins_addr=left.addr
+                )
+                memo[left_right_cond._hash] = mstmt_expr
+            cond = self.cond_proc.convert_claripy_bool_ast(
+                claripy.Or(claripy.Not(left_cond), left_right_cond), memo=memo
+            )
+            cond_jump = ConditionalJump(
+                None,
+                cond,
+                Const(None, None, right.addr, self.project.arch.bits),
+                Const(None, None, succ.addr, self.project.arch.bits),
+                true_target_idx=right.idx if isinstance(right, (Block, MultiNode)) else None,
+                false_target_idx=succ.idx if isinstance(succ, (Block, MultiNode)) else None,
+                ins_addr=start_node.addr,
+                stmt_idx=0,
+            )
+            new_cond_node = Block(start_node.addr, None, statements=[cond_jump])
+            self._remove_last_statement_if_jump(start_node)
+            new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+            self.replace_nodes(graph, start_node, new_node, old_node_1=left if left in graph else None)
+            self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+            return True
+        r = self._match_acyclic_short_circuit_conditions_type_b(graph, full_graph, start_node)
+        if r is not None:
+            left, left_cond, right, right_left_cond, else_node = r
+            # create the condition node
+            memo = {}
+            if not self._is_single_statement_block(right):
+                if not self._should_use_multistmtexprs(right):
+                    return False
+                # create a MultiStatementExpression for left_right_cond
+                stmts = self._build_multistatementexpr_statements(right)
+                assert stmts is not None
+                mstmt_expr = MultiStatementExpression(
+                    None, stmts, self.cond_proc.convert_claripy_bool_ast(right_left_cond), ins_addr=left.addr
+                )
+                memo[right_left_cond._hash] = mstmt_expr
+            cond = self.cond_proc.convert_claripy_bool_ast(claripy.Or(left_cond, right_left_cond), memo=memo)
+            cond_jump = ConditionalJump(
+                None,
+                cond,
+                Const(None, None, left.addr, self.project.arch.bits, ins_addr=start_node.addr),
+                Const(None, None, else_node.addr, self.project.arch.bits, ins_addr=start_node.addr),
+                true_target_idx=left.idx if isinstance(left, (Block, MultiNode)) else None,
+                false_target_idx=else_node.idx if isinstance(else_node, (Block, MultiNode)) else None,
+                ins_addr=start_node.addr,
+                stmt_idx=0,
+            )
+            new_cond_node = Block(start_node.addr, None, statements=[cond_jump])
+            self._remove_last_statement_if_jump(start_node)
+            new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+            self.replace_nodes(graph, start_node, new_node, old_node_1=right if right in graph else None)
+            self.replace_nodes(full_graph, start_node, new_node, old_node_1=right)
+            return True
+        r = self._match_acyclic_short_circuit_conditions_type_c(graph, full_graph, start_node)
+        if r is not None:
+            left, left_cond, succ, left_succ_cond, right = r
+            # create the condition node
+            memo = {}
+            if not self._is_single_statement_block(left):
+                if not self._should_use_multistmtexprs(left):
+                    return False
+                # create a MultiStatementExpression for left_right_cond
+                stmts = self._build_multistatementexpr_statements(left)
+                assert stmts is not None
+                mstmt_expr = MultiStatementExpression(
+                    None, stmts, self.cond_proc.convert_claripy_bool_ast(left_succ_cond), ins_addr=left.addr
+                )
+                memo[left_succ_cond._hash] = mstmt_expr
+            cond = self.cond_proc.convert_claripy_bool_ast(
+                claripy.And(left_cond, claripy.Not(left_succ_cond)), memo=memo
+            )
+            cond_jump = ConditionalJump(
+                None,
+                cond,
+                Const(None, None, right.addr, self.project.arch.bits),
+                Const(None, None, succ.addr, self.project.arch.bits),
+                true_target_idx=right.idx if isinstance(right, (Block, MultiNode)) else None,
+                false_target_idx=succ.idx if isinstance(succ, (Block, MultiNode)) else None,
+                ins_addr=start_node.addr,
+                stmt_idx=0,
+            )
+            new_cond_node = Block(start_node.addr, None, statements=[cond_jump])
+            self._remove_last_statement_if_jump(start_node)
+            new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+            self.replace_nodes(graph, start_node, new_node, old_node_1=left if left in graph else None)
+            self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+            return True
+        r = self._match_acyclic_short_circuit_conditions_type_d(graph, full_graph, start_node)
+        if r is not None:
+            left, left_cond, right, right_left_cond, else_node = r
+            # create the condition node
+            memo = {}
+            if not self._is_single_statement_block(left):
+                if not self._should_use_multistmtexprs(left):
+                    return False
+                # create a MultiStatementExpression for left_right_cond
+                stmts = self._build_multistatementexpr_statements(left)
+                assert stmts is not None
+                mstmt_expr = MultiStatementExpression(
+                    None, stmts, self.cond_proc.convert_claripy_bool_ast(right_left_cond), ins_addr=left.addr
+                )
+                memo[right_left_cond._hash] = mstmt_expr
+            cond = self.cond_proc.convert_claripy_bool_ast(
+                claripy.And(left_cond, right_left_cond),
+                memo=memo,
+            )
+            cond_jump = ConditionalJump(
+                None,
+                cond,
+                Const(None, None, right.addr, self.project.arch.bits),
+                Const(None, None, else_node.addr, self.project.arch.bits),
+                true_target_idx=right.idx if isinstance(right, (Block, MultiNode)) else None,
+                false_target_idx=else_node.idx if isinstance(else_node, (Block, MultiNode)) else None,
+                ins_addr=start_node.addr,
+                stmt_idx=0,
+            )
+            new_cond_node = Block(start_node.addr, None, statements=[cond_jump])
+            self._remove_last_statement_if_jump(start_node)
+            new_node = SequenceNode(start_node.addr, nodes=[start_node, new_cond_node])
+            self.replace_nodes(graph, start_node, new_node, old_node_1=left if left in graph else None)
+            self.replace_nodes(full_graph, start_node, new_node, old_node_1=left)
+            return True
+        return False
+    def _match_acyclic_short_circuit_conditions_type_a(  # pylint:disable=unused-argument
+        self, graph, full_graph, start_node
+    ) -> tuple | None:
+        #   if (a) goto right
+        #   else if (b) goto right
+        #   else goto other_succ
+        # right:
+        #   ...
+        #   goto other_succ
+        # other_succ:
+        succs = list(full_graph.successors(start_node))
+        if len(succs) == 2:
+            left, right = succs
+            if full_graph.in_degree[left] > 1 and full_graph.in_degree[right] == 1:
+                left, right = right, left
+            if (
+                self._is_sequential_statement_block(left)
+                and full_graph.in_degree[left] == 1
+                and full_graph.in_degree[right] >= 1
+            ):
+                edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
+                if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                    # c0 = !c0
+                    left_succs = list(full_graph.successors(left))
+                    if len(left_succs) == 2 and right in left_succs:
+                        other_succ = next(iter(succ for succ in left_succs if succ is not right))
+                        if full_graph.out_degree[right] == 1 and full_graph.has_edge(right, other_succ):
+                            # there must be an edge between right and other_succ
+                            edge_cond_left_right = self.cond_proc.recover_edge_condition(full_graph, left, right)
+                            edge_cond_left_other = self.cond_proc.recover_edge_condition(full_graph, left, other_succ)
+                            if claripy.is_true(claripy.Not(edge_cond_left_right) == edge_cond_left_other):
+                                # c1 = !c1
+                                return left, edge_cond_left, right, edge_cond_left_right, other_succ
+        return None
+    def _match_acyclic_short_circuit_conditions_type_b(  # pylint:disable=unused-argument
+        self, graph, full_graph, start_node
+    ) -> tuple | None:
+        #   if (a) goto left
+        # right:
+        #   else if (b) goto left
+        #   else goto else_node
+        # left:
+        #   ...
+        #   goto succ
+        # else_node:
+        #   ...
+        #   goto succ
+        # succ:
+        succs = list(full_graph.successors(start_node))
+        if len(succs) == 2:
+            left, right = succs
+            if full_graph.in_degree[left] == 1 and full_graph.in_degree[right] == 2:
+                left, right = right, left
+            if (
+                self._is_sequential_statement_block(right)
+                and full_graph.in_degree[left] == 2
+                and full_graph.in_degree[right] == 1
+            ):
+                edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
+                if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):
+                    # c0 = !c0
+                    right_succs = list(full_graph.successors(right))
+                    left_succs = list(full_graph.successors(left))
+                    if len(right_succs) == 2 and left in right_succs:
+                        else_node = next(iter(succ for succ in right_succs if succ is not left))
+                        if len([succ for succ in left_succs if succ is not else_node]) == 1:
+                            edge_cond_right_left = self.cond_proc.recover_edge_condition(full_graph, right, left)
+                            edge_cond_right_else = self.cond_proc.recover_edge_condition(full_graph, right, else_node)
+                            if claripy.is_true(claripy.Not(edge_cond_right_left) == edge_cond_right_else):
+                                # c1 = !c1
+                                return left, edge_cond_left, right, edge_cond_right_left, else_node
+        return None
+    def _match_acyclic_short_circuit_conditions_type_c(  # pylint:disable=unused-argument
+        self, graph, full_graph, start_node
+    ) -> tuple | None:
+        #   if (a) goto successor
+        #   else if (b) goto successor
+        # right:
+        #   ...
+        # successor:
+        succs = list(full_graph.successors(start_node))
+        if len(succs) == 2:
+            left, successor = succs
+            if full_graph.in_degree[left] > 1 and full_graph.in_degree[successor] == 1:
+                left, successor = successor, left
+            if (
+                self._is_sequential_statement_block(left)
+                and full_graph.in_degree[left] == 1
+                and full_graph.in_degree[successor] >= 1
+            ):
+                edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                edge_cond_successor = self.cond_proc.recover_edge_condition(full_graph, start_node, successor)
+                if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_successor):
+                    # c0 = !c0
+                    left_succs = list(full_graph.successors(left))
+                    if len(left_succs) == 2 and successor in left_succs:
+                        right = next(iter(succ for succ in left_succs if succ is not successor))
+                        if full_graph.out_degree[right] == 1 and full_graph.has_edge(right, successor):
+                            # there must be an edge from right to successor
+                            edge_cond_left_right = self.cond_proc.recover_edge_condition(full_graph, left, right)
+                            edge_cond_left_successor = self.cond_proc.recover_edge_condition(
+                                full_graph, left, successor
+                            )
+                            if claripy.is_true(claripy.Not(edge_cond_left_right) == edge_cond_left_successor):
+                                # c1 = !c1
+                                return left, edge_cond_left, successor, edge_cond_left_successor, right
+        return None
+    def _match_acyclic_short_circuit_conditions_type_d(  # pylint:disable=unused-argument
+        self, graph, full_graph, start_node
+    ) -> tuple | None:
+        #   if (a) goto else_node
+        # left:
+        #   else if (b) goto else_node
+        # right:
+        #   ...
+        #   goto successor
+        # else_node:
+        #   ...
+        #   goto successor
+        # successor:
+        succs = list(full_graph.successors(start_node))
+        if len(succs) == 2:
+            left, else_node = succs
+            if full_graph.in_degree[left] > 1 and full_graph.in_degree[else_node] == 1:
+                left, else_node = else_node, left
+            if (
+                self._is_sequential_statement_block(left)
+                and full_graph.in_degree[left] == 1
+                and full_graph.in_degree[else_node] >= 1
+            ):
+                edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
+                edge_cond_else = self.cond_proc.recover_edge_condition(full_graph, start_node, else_node)
+                if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_else):
+                    # c0 = !c0
+                    left_succs = list(full_graph.successors(left))
+                    if len(left_succs) == 2 and else_node in left_succs:
+                        right = next(iter(succ for succ in left_succs if succ is not else_node))
+                        edge_cond_left_right = self.cond_proc.recover_edge_condition(full_graph, left, right)
+                        edge_cond_left_else = self.cond_proc.recover_edge_condition(full_graph, left, else_node)
+                        if claripy.is_true(claripy.Not(edge_cond_left_right) == edge_cond_left_else):
+                            # c1 = !c1
+                            return left, edge_cond_left, right, edge_cond_left_right, else_node
+        return None
+    def _last_resort_refinement(self, head, graph: networkx.DiGraph, full_graph: networkx.DiGraph | None) -> bool:
+        if self._phoenix_improved:
+            while self._edge_virtualization_hints:
+                src, dst = self._edge_virtualization_hints.pop(0)
+                if graph.has_edge(src, dst):
+                    self._virtualize_edge(graph, full_graph, src, dst)
+                    l.debug("last_resort: Removed edge %r -> %r (type 3)", src, dst)
+                    return True
+        # virtualize an edge to allow progressing in structuring
+        all_edges_wo_dominance = []  # to ensure determinism, edges in this list are ordered by a tuple of
+        # (src_addr, dst_addr)
+        secondary_edges = []  # likewise, edges in this list are ordered by a tuple of (src_addr, dst_addr)
+        other_edges = []
+        idoms = networkx.immediate_dominators(full_graph, head)
+        if networkx.is_directed_acyclic_graph(full_graph):
+            acyclic_graph = full_graph
+        else:
+            acyclic_graph = to_acyclic_graph(full_graph, loop_heads=[head])
+        for src, dst in acyclic_graph.edges:
+            if src is dst:
+                continue
+            if src not in graph:
+                continue
+            if not dominates(idoms, src, dst) and not dominates(idoms, dst, src):
+                if (src.addr, dst.addr) not in self.whitelist_edges:
+                    all_edges_wo_dominance.append((src, dst))
+            elif not dominates(idoms, src, dst):
+                if (src.addr, dst.addr) not in self.whitelist_edges:
+                    secondary_edges.append((src, dst))
+            else:
+                if (src.addr, dst.addr) not in self.whitelist_edges:
+                    other_edges.append((src, dst))
+        ordered_nodes = GraphUtils.quasi_topological_sort_nodes(acyclic_graph, loop_heads=[head])
+        node_seq = {nn: (len(ordered_nodes) - idx) for (idx, nn) in enumerate(ordered_nodes)}  # post-order
+        if all_edges_wo_dominance:
+            all_edges_wo_dominance = self._chick_order_edges(all_edges_wo_dominance, node_seq)
+            # virtualize the first edge
+            src, dst = all_edges_wo_dominance[0]
+            self._virtualize_edge(graph, full_graph, src, dst)
+            l.debug("last_resort: Removed edge %r -> %r (type 1)", src, dst)
+            return True
+        if secondary_edges:
+            secondary_edges = self._chick_order_edges(secondary_edges, node_seq)
+            # virtualize the first edge
+            src, dst = secondary_edges[0]
+            self._virtualize_edge(graph, full_graph, src, dst)
+            l.debug("last_resort: Removed edge %r -> %r (type 2)", src, dst)
+            return True
+        l.debug("last_resort: No edge to remove")
+        return False
+    def _virtualize_edge(self, graph, full_graph, src, dst):
+        # if the last statement of src is a conditional jump, we rewrite it into a Condition(Jump) and a direct jump
+        try:
+            last_stmt = self.cond_proc.get_last_statement(src)
+        except EmptyBlockNotice:
+            last_stmt = None
+        new_src = None
+        remove_src_last_stmt = False
+        if isinstance(last_stmt, ConditionalJump):
+            if isinstance(last_stmt.true_target, Const) and last_stmt.true_target.value == dst.addr:
+                goto0_condition = last_stmt.condition
+                goto0_target = last_stmt.true_target
+                goto1_target = last_stmt.false_target
+            elif isinstance(last_stmt.false_target, Const) and last_stmt.false_target.value == dst.addr:
+                goto0_condition = UnaryOp(None, "Not", last_stmt.condition)
+                goto0_target = last_stmt.false_target
+                goto1_target = last_stmt.true_target
+            else:
+                # this should not really happen...
+                goto0_condition = None
+                goto0_target = None
+                goto1_target = None
+            if goto0_condition is not None:
+                goto0 = Block(
+                    last_stmt.ins_addr,
+                    0,
+                    statements=[Jump(None, goto0_target, ins_addr=last_stmt.ins_addr, stmt_idx=0)],
+                )
+                cond_node = ConditionNode(last_stmt.ins_addr, None, goto0_condition, goto0)
+                goto1_node = Block(
+                    last_stmt.ins_addr,
+                    0,
+                    statements=[Jump(None, goto1_target, ins_addr=last_stmt.ins_addr, stmt_idx=0)],
+                )
+                remove_src_last_stmt = True
+                new_src = SequenceNode(src.addr, nodes=[src, cond_node, goto1_node])
+        elif isinstance(last_stmt, Jump):
+            # do nothing
+            pass
+        else:
+            # insert a Jump at the end
+            stmt_addr = src.addr
+            goto_node = Block(
+                stmt_addr,
+                0,
+                statements=[
+                    Jump(None, Const(None, None, dst.addr, self.project.arch.bits), ins_addr=stmt_addr, stmt_idx=0)
+                ],
+            )
+            new_src = SequenceNode(src.addr, nodes=[src, goto_node])
+        if graph.has_edge(src, dst):
+            graph.remove_edge(src, dst)
+            self.virtualized_edges.add((src, dst))
+        if new_src is not None:
+            self.replace_nodes(graph, src, new_src)
+        if full_graph is not None:
+            self.virtualized_edges.add((src, dst))
+            full_graph.remove_edge(src, dst)
+            if new_src is not None:
+                self.replace_nodes(full_graph, src, new_src)
+        if remove_src_last_stmt:
+            remove_last_statement(src)
+    def _should_use_multistmtexprs(self, node: Block | BaseNode) -> bool:
+        if self._use_multistmtexprs == MultiStmtExprMode.NEVER:
+            return False
+        if self._use_multistmtexprs == MultiStmtExprMode.ALWAYS:
+            return True
+        if self._use_multistmtexprs == MultiStmtExprMode.MAX_ONE_CALL:
+            # count the number of calls
+            ctr = AILCallCounter()
+            ctr.walk(node)
+            return ctr.calls <= 1
+        l.warning("Unsupported enum value for _use_multistmtexprs: %s", self._use_multistmtexprs)
+        return False
+    @staticmethod
+    def _find_node_going_to_dst(
+        node: SequenceNode,
+        dst: Block | BaseNode,
+        last=True,
+        condjump_only=False,
+    ) -> tuple[int | None, BaseNode | None, Block | None]:
+        """
+        :param node:
+        :param dst_addr:
+        :param dst_idx:
+        :return:            A tuple of (parent node, node who has a successor of dst_addr)
+        """
+        dst_addr = dst.addr
+        dst_idx = dst.idx if isinstance(dst, Block) else ...
+        def _check(last_stmt):
+            if (
+                not condjump_only
+                and isinstance(last_stmt, Jump)
+                and isinstance(last_stmt.target, Const)
+                and last_stmt.target.value == dst_addr
+                and (dst_idx is ... or last_stmt.target_idx == dst_idx)
+            ):
+                return True
+            elif isinstance(last_stmt, ConditionalJump):
+                if (
+                    isinstance(last_stmt.true_target, Const)
+                    and last_stmt.true_target.value == dst_addr
+                    and (dst_idx is ... or last_stmt.true_target_idx == dst_idx)
+                ):
+                    return True
+                elif (
+                    isinstance(last_stmt.false_target, Const)
+                    and last_stmt.false_target.value == dst_addr
+                    and (dst_idx is ... or last_stmt.false_target_idx == dst_idx)
+                ):
+                    return True
+            elif isinstance(last_stmt, IncompleteSwitchCaseHeadStatement):
+                if any(case_addr == dst_addr for _, _, _, case_addr in last_stmt.case_addrs):
+                    return True
+            return False
+        def _handle_Block(block: Block, parent=None, **kwargs):  # pylint:disable=unused-argument
+            if block.statements:
+                first_stmt = first_nonlabel_statement(block)
+                if first_stmt is not None:
+                    # this block has content. increment the block ID counter
+                    walker.block_id += 1
+                if _check(first_stmt):
+                    walker.parent_and_block.append((walker.block_id, parent, block))
+                elif len(block.statements) > 1:
+                    last_stmt = block.statements[-1]
+                    if _check(last_stmt):
+                        walker.parent_and_block.append((walker.block_id, parent, block))
+                    elif (
+                        not isinstance(last_stmt, (Jump, ConditionalJump))
+                        and block.addr + block.original_size == dst_addr
+                    ):
+                        walker.parent_and_block.append((walker.block_id, parent, block))
+        def _handle_MultiNode(block: MultiNode, parent=None, **kwargs):  # pylint:disable=unused-argument
+            if block.nodes and isinstance(block.nodes[-1], Block) and block.nodes[-1].statements:
+                first_stmt = first_nonlabel_statement(block)
+                if first_stmt is not None:
+                    # this block has content. increment the block ID counter
+                    walker.block_id += 1
+                if _check(block.nodes[-1].statements[-1]):
+                    walker.parent_and_block.append((walker.block_id, parent, block))
+                    return
+        def _handle_BreakNode(break_node: BreakNode, parent=None, **kwargs):  # pylint:disable=unused-argument
+            walker.block_id += 1
+            if (
+                break_node.target == dst_addr
+                or isinstance(break_node.target, Const)
+                and break_node.target.value == dst_addr
+            ):
+                # FIXME: idx is ignored
+                walker.parent_and_block.append((walker.block_id, parent, break_node))
+                return
+        walker = SequenceWalker(
+            handlers={
+                Block: _handle_Block,
+                MultiNode: _handle_MultiNode,
+                BreakNode: _handle_BreakNode,
+            },
+            update_seqnode_in_place=False,
+            force_forward_scan=True,
+        )
+        walker.parent_and_block: list[tuple[int, Any, Block | MultiNode]] = []
+        walker.block_id = -1
+        walker.walk(node)
+        if not walker.parent_and_block:
+            return None, None, None
+        else:
+            if last:
+                return walker.parent_and_block[-1]
+            return walker.parent_and_block[0]
+    @staticmethod
+    def _unpack_sequencenode_head(graph: networkx.DiGraph, seq: SequenceNode, new_seq=None):
+        if not seq.nodes:
+            return False, None
+        node = seq.nodes[0]
+        if new_seq is None:
+            # create the new sequence node if no prior-created sequence node is passed in
+            new_seq = seq.copy()
+            new_seq.nodes = new_seq.nodes[1:]
+            if new_seq.nodes:
+                new_seq.addr = new_seq.nodes[0].addr
+        preds = list(graph.predecessors(seq))
+        succs = list(graph.successors(seq))
+        graph.remove_node(seq)
+        for pred in preds:
+            graph.add_edge(pred, node)
+        if new_seq.nodes:
+            graph.add_edge(node, new_seq)
+        for succ in succs:
+            if succ is seq:
+                graph.add_edge(new_seq, new_seq)
+            else:
+                graph.add_edge(new_seq, succ)
+        return True, new_seq
+    @staticmethod
+    def _unpack_incompleteswitchcasenode(graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode):
+        preds = list(graph.predecessors(incscnode))
+        succs = list(graph.successors(incscnode))
+        if len(succs) <= 1:
+            graph.remove_node(incscnode)
+            for pred in preds:
+                graph.add_edge(pred, incscnode.head)
+            for case_node in incscnode.cases:
+                graph.add_edge(incscnode.head, case_node)
+                if succs:
+                    graph.add_edge(case_node, succs[0])
+    @staticmethod
+    def _count_statements(node: BaseNode | Block) -> int:
+        if isinstance(node, Block):
+            return sum(1 for stmt in node.statements if not isinstance(stmt, Label))
+        elif isinstance(node, MultiNode):
+            return sum(PhoenixStructurer._count_statements(nn) for nn in node.nodes)
+        elif isinstance(node, SequenceNode):
+            return sum(PhoenixStructurer._count_statements(nn) for nn in node.nodes)
+        return 1
+    @staticmethod
+    def _is_single_statement_block(node: BaseNode | Block) -> bool:
+        if isinstance(node, (Block, MultiNode, SequenceNode)):
+            return PhoenixStructurer._count_statements(node) == 1
+        return False
+    @staticmethod
+    def _is_sequential_statement_block(node: BaseNode | Block) -> bool:
+        """
+        Examine if the node can be converted into a MultiStatementExpression object. The conversion fails if there are
+        any conditional statements or goto statements before the very last statement of the node.
+        """
+        def _is_sequential_statement_list(stmts: list[Statement]) -> bool:
+            if not stmts:
+                return True
+            for stmt in stmts[:-1]:
+                if isinstance(
+                    stmt,
+                    (
+                        ConditionalJump,
+                        Jump,
+                    ),
+                ):
+                    return False
+            return True
+        def _to_statement_list(node: Block | MultiNode | SequenceNode) -> list[Statement]:
+            if isinstance(node, Block):
+                return node.statements
+            if isinstance(node, MultiNode):
+                # expand it
+                all_statements = []
+                for nn in node.nodes:
+                    all_statements += _to_statement_list(nn)
+                return all_statements
+            if isinstance(node, SequenceNode):
+                all_statements = []
+                for nn in node.nodes:
+                    all_statements += _to_statement_list(nn)
+                return all_statements
+            raise TypeError(f"Unsupported node type {type(node)}")
+        try:
+            stmt_list = _to_statement_list(node)
+        except TypeError:
+            return False
+        return _is_sequential_statement_list(stmt_list)
+    @staticmethod
+    def _build_multistatementexpr_statements(block) -> list[Statement] | None:
+        stmts = []
+        if isinstance(block, (SequenceNode, MultiNode)):
+            for b in block.nodes:
+                stmts_ = PhoenixStructurer._build_multistatementexpr_statements(b)
+                if stmts_ is None:
+                    return None
+                stmts += stmts_
+            return stmts
+        elif isinstance(block, Block):
+            for idx, stmt in enumerate(block.statements):
+                if isinstance(stmt, Label):
+                    continue
+                if isinstance(stmt, ConditionalJump):
+                    if idx == len(block.statements) - 1:
+                        continue
+                    return None
+                if isinstance(stmt, Jump):
+                    return None
+                stmts.append(stmt)
+            return stmts
+        return None
+    @staticmethod
+    def _remove_edges_except(graph: networkx.DiGraph, src, dst):
+        for succ in list(graph.successors(src)):
+            if succ is not src and succ is not dst:
+                graph.remove_edge(src, succ)
+    @staticmethod
+    def _remove_first_statement_if_jump(node: BaseNode | Block) -> Jump | ConditionalJump | None:
+        if isinstance(node, Block):
+            if node.statements:
+                idx = 0
+                first_stmt = node.statements[idx]
+                while isinstance(first_stmt, Label):
+                    idx += 1
+                    if idx >= len(node.statements):
+                        first_stmt = None
+                        break
+                    first_stmt = node.statements[idx]
+                if isinstance(first_stmt, (Jump, ConditionalJump)):
+                    if idx == 0:
+                        node.statements = node.statements[1:]
+                    else:
+                        node.statements = node.statements[0:idx] + node.statements[idx + 1 :]
+                    return first_stmt
+            return None
+        if isinstance(node, MultiNode):
+            for nn in node.nodes:
+                if isinstance(nn, Block):
+                    if not has_nonlabel_statements(nn):
+                        continue
+                    return PhoenixStructurer._remove_first_statement_if_jump(nn)
+                break
+        return None
+    @staticmethod
+    def _chick_order_edges(edges: list, node_seq: dict[Any, int]) -> list:
+        graph = networkx.DiGraph()
+        graph.add_edges_from(edges)
+        def _sort_edge(edge_):
+            # this is a bit complex. we first sort based on the topological order of the destination node; edges with
+            # destination nodes that are closer to the head (as specified in node_seq) should be virtualized first.
+            # then we solve draws by prioritizing edges whose destination nodes are with a lower in-degree (only
+            # consider the sub graph with these edges), and a few other properties.
+            src, dst = edge_
+            dst_in_degree = graph.in_degree[dst]
+            src_out_degree = graph.out_degree[src]
+            return -node_seq.get(dst), dst_in_degree, src_out_degree, -src.addr, -dst.addr
+        return list(sorted(edges, key=_sort_edge, reverse=True))
+    @staticmethod
+    def _replace_node_in_edge_list(edge_list: list[tuple], old_node, new_node) -> None:
+        for idx in range(len(edge_list)):  # pylint:disable=consider-using-enumerate
+            edge = edge_list[idx]
+            src, dst = edge
+            replace = False
+            if src is old_node:
+                src = new_node
+                replace = True
+            if dst is old_node:
+                dst = new_node
+                replace = True
+            if replace:
+                edge_list[idx] = src, dst
+    @staticmethod
+    def dump_graph(graph: networkx.DiGraph, path: str) -> None:
+        graph_with_str = networkx.DiGraph()
+        for node in graph:
+            graph_with_str.add_node(f'"{repr(node)}"')
+        for src, dst in graph.edges:
+            graph_with_str.add_edge(f'"{repr(src)}"', f'"{repr(dst)}"')
+        networkx.drawing.nx_pydot.write_dot(graph_with_str, path)