angr 9.2.118__py3-none-macosx_11_0_arm64.whl → 9.2.119__py3-none-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.118"
+__version__ = "9.2.119"
 
 if bytes is str:
     raise Exception(

angr/analyses/analysis.py

@@ -5,8 +5,10 @@ import sys
 import contextlib
 from collections import defaultdict
 from inspect import Signature
-from typing import TYPE_CHECKING, TypeVar, Type, Generic, Optional
+from typing import TYPE_CHECKING, TypeVar, Generic, cast
 from collections.abc import Callable
+from types import NoneType
+from itertools import chain
 
 import logging
 import time
@@ -16,6 +18,7 @@ from rich import progress
 
 from ..misc.plugins import PluginVendor, VendorPreset
 from ..misc.ux import deprecated
+from ..misc import telemetry
 
 if TYPE_CHECKING:
     from ..knowledge_base import KnowledgeBase
@@ -55,6 +58,7 @@ if TYPE_CHECKING:
     AnalysisParams = ParamSpec("AnalysisParams")
 
 l = logging.getLogger(name=__name__)
+t = telemetry.get_tracer(name=__name__)
 
 
 class AnalysisLogEntry:
@@ -186,7 +190,45 @@ class AnalysisFactory(Generic[A]):
         show_progressbar: bool = False,
     ) -> type[A]:
         @functools.wraps(self._analysis_cls.__init__)
+        @t.start_as_current_span(self._analysis_cls.__name__)
         def wrapper(*args, **kwargs):
+            span = telemetry.get_current_span()
+            sig = cast(Signature, self.__call__.__func__.__signature__)
+            bound = sig.bind(None, *args, **kwargs)
+            for name, val in chain(bound.arguments.items(), bound.arguments.get("kwargs", {}).items()):
+                if name in ("kwargs", "self"):
+                    continue
+                if isinstance(val, (str, bytes, bool, int, float, NoneType)):
+                    if val is None:
+                        span.set_attribute(f"arg.{name}.is_none", True)
+                    else:
+                        span.set_attribute(f"arg.{name}", val)
+                elif isinstance(val, (list, tuple, set, frozenset)):
+                    listval = list(val)
+                    if not listval or (
+                        isinstance(listval[0], (str, bytes, bool, int, float))
+                        and all(type(sval) == type(listval[0]) for sval in listval)
+                    ):
+                        span.set_attribute(f"arg.{name}", listval)
+                elif isinstance(val, dict):
+                    listval_keys = list(val)
+                    listval_values = list(val.values())
+                    if not listval_keys or (
+                        isinstance(listval_keys[0], (str, bytes, bool, int, float))
+                        and all(type(sval) == type(listval_keys[0]) for sval in listval_keys)
+                    ):
+                        span.set_attribute(f"arg.{name}.keys", listval_keys)
+                    if not listval_values or (
+                        isinstance(listval_values[0], (str, bytes, bool, int, float))
+                        and all(type(sval) == type(listval_values[0]) for sval in listval_values)
+                    ):
+                        span.set_attribute(f"arg.{name}.values", listval_values)
+                else:
+                    span.set_attribute(f"arg.{name}.unrepresentable", True)
+            if self._project.filename is not None:
+                span.set_attribute("project.binary_name", self._project.filename)
+            span.set_attribute("project.arch_name", self._project.arch.name)
+
             oself = object.__new__(self._analysis_cls)
             oself.named_errors = defaultdict(list)
             oself.errors = []

angr/analyses/cfg/cfg_fast.py

@@ -1049,15 +1049,14 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         # no wide string is found
         return 0
 
-    def _scan_for_repeating_bytes(self, start_addr, repeating_byte, threshold=2):
+    def _scan_for_repeating_bytes(self, start_addr: int, repeating_byte: int, threshold: int = 2) -> int:
         """
         Scan from a given address and determine the occurrences of a given byte.
 
-        :param int start_addr:      The address in memory to start scanning.
-        :param int repeating_byte:  The repeating byte to scan for.
-        :param int threshold:  The minimum occurrences.
-        :return:                    The occurrences of a given byte.
-        :rtype:                     int
+        :param start_addr:      The address in memory to start scanning.
+        :param repeating_byte:  The repeating byte to scan for.
+        :param threshold:       The minimum occurrences.
+        :return:                The occurrences of a given byte.
         """
 
         addr = start_addr
@@ -1078,6 +1077,70 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             return repeating_length
         return 0
 
+    def _scan_for_consecutive_pointers(self, start_addr: int, threshold: int = 2) -> int:
+        """
+        Scan from a given address and determine if there are at least `threshold` of pointers.
+
+        This function will yield high numbers of false positives if the mapped memory regions are too low (for example,
+        <= 0x100000). It is recommended to set `threshold` to a higher value in such cases.
+
+        :param start_addr:  The address to start scanning from.
+        :param threshold:   The minimum number of pointers to be found.
+        :return:            The number of pointers found.
+        """
+
+        current_object = self.project.loader.find_object_containing(start_addr)
+        addr = start_addr
+        pointer_count = 0
+        pointer_size = self.project.arch.bytes
+
+        while self._inside_regions(addr):
+            val = self._fast_memory_load_pointer(addr)
+            if val is None:
+                break
+            obj = self.project.loader.find_object_containing(val)
+            if obj is not None and obj is current_object:
+                pointer_count += 1
+            else:
+                break
+            addr += pointer_size
+
+        if pointer_count >= threshold:
+            return pointer_count
+        return 0
+
+    def _scan_for_mixed_pointers(self, start_addr: int, threshold: int = 3, window: int = 6) -> int:
+        """
+        Scan from a given address and determine if there are at least `threshold` of pointers within a given window of pointers.
+
+        This function will yield high numbers of false positives if the mapped memory regions are too low (for example,
+        <= 0x100000). It is recommended to set `threshold` to a higher value in such cases.
+
+        :param start_addr:  The address to start scanning from.
+        :param threshold:   The minimum number of pointers to be found.
+        :return:            The number of pointers found.
+        """
+
+        current_object = self.project.loader.find_object_containing(start_addr)
+        addr = start_addr
+        ctr = 0
+        pointer_count = 0
+        pointer_size = self.project.arch.bytes
+
+        while self._inside_regions(addr) and ctr < window:
+            ctr += 1
+            val = self._fast_memory_load_pointer(addr)
+            if val is None:
+                break
+            obj = self.project.loader.find_object_containing(val)
+            if obj is not None and obj is current_object:
+                pointer_count += 1
+            addr += pointer_size
+
+        if pointer_count >= threshold:
+            return ctr
+        return 0
+
     def _next_code_addr_core(self):
         """
         Call _next_unscanned_addr() first to get the next address that is not scanned. Then check if data locates at
@@ -1091,35 +1154,83 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         start_addr = next_addr
 
         while True:
-            string_length = self._scan_for_printable_strings(start_addr)
-            if string_length == 0:
-                string_length = self._scan_for_printable_widestrings(start_addr)
-
-            if string_length:
-                self._seg_list.occupy(start_addr, string_length, "string")
-                start_addr += string_length
+            pointer_length, string_length, cc_length = 0, 0, 0
+            matched_something = False
+
+            if start_addr % self.project.arch.bytes == 0:
+                # find potential pointer array
+                threshold = 6 if start_addr <= 0x100000 else 1
+                pointer_count = self._scan_for_consecutive_pointers(start_addr, threshold=threshold)
+                pointer_length = pointer_count * self.project.arch.bytes
+
+                if pointer_length:
+                    matched_something = True
+                    self._seg_list.occupy(start_addr, pointer_length, "pointer-array")
+                    self.model.memory_data[start_addr] = MemoryData(
+                        start_addr, pointer_length, MemoryDataSort.PointerArray
+                    )
+                    start_addr += pointer_length
+
+                elif start_addr <= 0x100000:
+                    # for high addresses, all pointers have been found in _scan_for_consecutive_pointers() because we
+                    # set threshold there to 1
+                    threshold = 4
+                    pointer_count = self._scan_for_mixed_pointers(start_addr, threshold=threshold, window=6)
+                    pointer_length = pointer_count * self.project.arch.bytes
+
+                    if pointer_length:
+                        matched_something = True
+                        self._seg_list.occupy(start_addr, pointer_length, "pointer-array")
+                        self.model.memory_data[start_addr] = MemoryData(
+                            start_addr, pointer_length, MemoryDataSort.PointerArray
+                        )
+                        start_addr += pointer_length
+
+            if not matched_something:
+                # find strings
+                is_widestring = False
+                string_length = self._scan_for_printable_strings(start_addr)
+                if string_length == 0:
+                    is_widestring = True
+                    string_length = self._scan_for_printable_widestrings(start_addr)
+
+                if string_length:
+                    matched_something = True
+                    self._seg_list.occupy(start_addr, string_length, "string")
+                    md = MemoryData(
+                        start_addr,
+                        string_length,
+                        MemoryDataSort.String if not is_widestring else MemoryDataSort.UnicodeString,
+                    )
+                    md.fill_content(self.project.loader)
+                    self.model.memory_data[start_addr] = md
+                    start_addr += string_length
 
-            if self.project.arch.name in ("X86", "AMD64"):
+            if not matched_something and self.project.arch.name in {"X86", "AMD64"}:
                 cc_length = self._scan_for_repeating_bytes(start_addr, 0xCC, threshold=1)
                 if cc_length:
+                    matched_something = True
                     self._seg_list.occupy(start_addr, cc_length, "alignment")
+                    self.model.memory_data[start_addr] = MemoryData(start_addr, cc_length, MemoryDataSort.Alignment)
                     start_addr += cc_length
-            else:
-                cc_length = 0
 
             zeros_length = self._scan_for_repeating_bytes(start_addr, 0x00)
             if zeros_length:
+                matched_something = True
                 self._seg_list.occupy(start_addr, zeros_length, "alignment")
+                self.model.memory_data[start_addr] = MemoryData(start_addr, zeros_length, MemoryDataSort.Alignment)
                 start_addr += zeros_length
 
-            if string_length == 0 and cc_length == 0 and zeros_length == 0:
+            if not matched_something:
                 # umm now it's probably code
                 break
 
         instr_alignment = self._initial_state.arch.instruction_alignment
         if start_addr % instr_alignment > 0:
             # occupy those few bytes
-            self._seg_list.occupy(start_addr, instr_alignment - (start_addr % instr_alignment), "alignment")
+            size = instr_alignment - (start_addr % instr_alignment)
+            self._seg_list.occupy(start_addr, size, "alignment")
+            self.model.memory_data[start_addr] = MemoryData(start_addr, size, MemoryDataSort.Unknown)
             start_addr = start_addr - start_addr % instr_alignment + instr_alignment
             # trickiness: aligning the start_addr may create a new address that is outside any mapped region.
             if not self._inside_regions(start_addr):
@@ -4272,7 +4383,6 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             # Let's try to create the pyvex IRSB directly, since it's much faster
             nodecode = False
             irsb = None
-            irsb_string = None
             lifted_block = None
             try:
                 lifted_block = self._lift(
@@ -4283,11 +4393,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     load_from_ro_regions=True,
                     initial_regs=initial_regs,
                 )
-                irsb = lifted_block.vex_nostmt
-                irsb_string = lifted_block.bytes[: irsb.size]
+                irsb = lifted_block.vex_nostmt  # may raise SimTranslationError
             except SimTranslationError:
                 nodecode = True
 
+            irsb_string: bytes = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
+
             # special logic during the complete scanning phase
             if cfg_job.job_type == CFGJobType.COMPLETE_SCANNING and is_arm_arch(self.project.arch):
                 # it's way too easy to incorrectly disassemble THUMB code contains 0x4f as ARM code svc?? #????
@@ -4324,10 +4435,11 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                             initial_regs=initial_regs,
                         )
                         irsb = lifted_block.vex_nostmt
-                        irsb_string = lifted_block.bytes[: irsb.size]
                     except SimTranslationError:
                         nodecode = True
 
+                    irsb_string: bytes = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
+
                     if not (nodecode or irsb.size == 0 or irsb.jumpkind == "Ijk_NoDecode"):
                         # it is decodeable
                         if current_function_addr == addr:
@@ -4397,7 +4509,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 nodecode_size = 1
 
                 # special handling for ud, ud1, and ud2 on x86 and x86-64
-                if irsb_string[-2:] == b"\x0f\x0b" and self.project.arch.name == "AMD64":
+                if self.project.arch.name == "AMD64" and irsb_string[-2:] == b"\x0f\x0b":
                     # VEX supports ud2 and make it part of the block size, only in AMD64.
                     valid_ins = True
                     nodecode_size = 0

angr/analyses/decompiler/ail_simplifier.py

@@ -475,7 +475,7 @@ class AILSimplifier(Analysis):
                     assert is_phi_assignment(stmt)
 
                     for _, vvar in stmt.src.src_and_vvars:
-                        if vvar.varid == def_.atom.varid:
+                        if vvar is not None and vvar.varid == def_.atom.varid:
                             use_exprs.append((vvar, loc, ("phi-src-expr", (vvar,))))
 
             # replace all uses if necessary

angr/analyses/decompiler/clinic.py

@@ -12,6 +12,7 @@ import capstone
 
 import ailment
 
+from angr.errors import AngrDecompilationError
 from ...knowledge_base import KnowledgeBase
 from ...knowledge_plugins.functions import Function
 from ...knowledge_plugins.cfg.memory_data import MemoryDataSort
@@ -1210,6 +1211,7 @@ class Clinic(Analysis):
                 # of the graph is applied
                 self.unoptimized_graph = self._copy_graph(ail_graph)
 
+            pass_ = timethis(pass_)
             a = pass_(
                 self.function,
                 blocks_by_addr=addr_to_blocks,
@@ -1794,21 +1796,30 @@ class Clinic(Analysis):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size
 
-        node_to_block_mapping = {}
         graph = networkx.DiGraph()
 
-        for node in func_graph.nodes():
-            ail_block = blocks_by_addr_and_size.get((node.addr, node.size), node)
-            node_to_block_mapping[node] = ail_block
-
-            if ail_block is not None:
-                graph.add_node(ail_block)
-
-        for src_node, dst_node, data in func_graph.edges(data=True):
-            src = node_to_block_mapping[src_node]
-            dst = node_to_block_mapping[dst_node]
+        entry_node = next(iter(node for node in func_graph if node.addr == self._entry_node_addr[0]), None)
+        if entry_node is None:
+            raise AngrDecompilationError(
+                f"Entry node with address {self._entry_node_addr[0]:#x} not found in the function graph"
+            )
 
-            if dst is not None:
+        # add the entry node into the graph
+        ail_block = blocks_by_addr_and_size.get((entry_node.addr, entry_node.size))
+        if ail_block is None:
+            raise AngrDecompilationError(f"AIL block at address {entry_node.addr:#x} not found")
+        graph.add_node(ail_block)
+
+        # get all descendants and only include them in the AIL graph.
+        # this way all unreachable blocks will be excluded from the AIL graph.
+        descendants = networkx.descendants(func_graph, entry_node) | {entry_node}
+        for src_node, dst_node, data in networkx.subgraph_view(
+            func_graph, filter_node=lambda n: n in descendants
+        ).edges(data=True):
+            src = blocks_by_addr_and_size.get((src_node.addr, src_node.size))
+            dst = blocks_by_addr_and_size.get((dst_node.addr, dst_node.size))
+
+            if src is not None and dst is not None:
                 graph.add_edge(src, dst, **data)
 
         return graph

angr/analyses/decompiler/condition_processor.py

@@ -56,6 +56,25 @@ _UNIFIABLE_COMPARISONS = {
     "SGE",
 }
 
+
+_INVERSE_OPERATIONS = {
+    "__eq__": "__ne__",
+    "__ne__": "__eq__",
+    "__gt__": "__le__",
+    "__lt__": "__ge__",
+    "__ge__": "__lt__",
+    "__le__": "__gt__",
+    "ULT": "UGE",
+    "UGE": "ULT",
+    "UGT": "ULE",
+    "ULE": "UGT",
+    "SLT": "SGE",
+    "SGE": "SLT",
+    "SLE": "SGT",
+    "SGT": "SLE",
+}
+
+
 #
 # Util methods and mapping used during AIL AST to claripy AST conversion
 #
@@ -138,6 +157,7 @@ _ail2claripy_op_mapping = {
     "SBorrow": lambda expr, _, m: _dummy_bvs(expr, m),
     "ExpCmpNE": lambda expr, _, m: _dummy_bools(expr, m),
     "CmpORD": lambda expr, _, m: _dummy_bvs(expr, m),  # in case CmpORDRewriter fails
+    "GetMSBs": lambda expr, _, m: _dummy_bvs(expr, m),
 }
 
 #
@@ -178,7 +198,7 @@ class ConditionProcessor:
             predicate = self._extract_predicate(src, dst, edge_type)
         except EmptyBlockNotice:
             # catch empty block notice - although this should not really happen
-            predicate = claripy.true
+            predicate = claripy.true()
         return predicate
 
     def recover_edge_conditions(self, region, graph=None) -> dict:
@@ -254,15 +274,15 @@ class ConditionProcessor:
 
             if node is head:
                 # the head is always reachable
-                reaching_condition = claripy.true
+                reaching_condition = claripy.true()
             elif idoms is not None and _strictly_postdominates(idoms, node, head):
                 # the node that post dominates the head is always reachable
-                reaching_conditions[node] = claripy.true
+                reaching_conditions[node] = claripy.true()
             else:
                 for pred in preds:
                     edge = (pred, node)
-                    pred_condition = reaching_conditions.get(pred, claripy.true)
-                    edge_condition = edge_conditions.get(edge, claripy.true)
+                    pred_condition = reaching_conditions.get(pred, claripy.true())
+                    edge_condition = edge_conditions.get(edge, claripy.true())
 
                     if reaching_condition is None:
                         reaching_condition = claripy.And(pred_condition, edge_condition)
@@ -596,7 +616,7 @@ class ConditionProcessor:
             return claripy.Not(bool_var)
 
         if type(src_block) is GraphRegion:
-            return claripy.true
+            return claripy.true()
 
         # sometimes the last statement is the conditional jump. sometimes it's the first statement of the block
         if (
@@ -609,10 +629,10 @@ class ConditionProcessor:
             last_stmt = self.get_last_statement(src_block)
 
         if last_stmt is None:
-            return claripy.true
+            return claripy.true()
         if type(last_stmt) is ailment.Stmt.Jump:
             if isinstance(last_stmt.target, ailment.Expr.Const):
-                return claripy.true
+                return claripy.true()
             # indirect jump
             target_ast = self.claripy_ast_from_ail_condition(last_stmt.target)
             return target_ast == dst_block.addr
@@ -622,7 +642,7 @@ class ConditionProcessor:
                 return bool_var
             return claripy.Not(bool_var)
 
-        return claripy.true
+        return claripy.true()
 
     #
     # Expression conversion
@@ -727,6 +747,7 @@ class ConditionProcessor:
             "ZeroExt": lambda cond_, tags: _binary_op_reduce(
                 "Concat", [claripy.BVV(0, cond_.args[0]), cond_.args[1]], tags
             ),
+            "Concat": lambda cond_, tags: _binary_op_reduce("Concat", cond_.args, tags),
         }
 
         if cond.op in _mapping:
@@ -780,8 +801,8 @@ class ConditionProcessor:
                 var = claripy.BoolV(condition.value)
             else:
                 var = claripy.BVV(condition.value, condition.bits)
-            if isinstance(var, claripy.Bits) and var.size() == 1:
-                var = claripy.true if var.concrete_value == 1 else claripy.false
+            if isinstance(var, claripy.ast.Bits) and var.size() == 1:
+                var = claripy.true() if var.concrete_value == 1 else claripy.false()
             return var
         if isinstance(condition, ailment.Expr.Tmp):
             l.warning("Left-over ailment.Tmp variable %s.", condition)
@@ -839,7 +860,7 @@ class ConditionProcessor:
 
         if ast.op in _UNIFIABLE_COMPARISONS:
             # unify comparisons to enable more simplification opportunities without going "deep" in sympy
-            inverse_op = getattr(ast.args[0], claripy.operations.inverse_operations[ast.op])
+            inverse_op = getattr(ast.args[0], _INVERSE_OPERATIONS[ast.op])
             return sympy.Not(ConditionProcessor.claripy_ast_to_sympy_expr(inverse_op(ast.args[1]), memo=memo))
 
         if memo is not None and ast in memo:
@@ -860,9 +881,9 @@ class ConditionProcessor:
         if isinstance(expr, sympy.Not):
             return claripy.Not(ConditionProcessor.sympy_expr_to_claripy_ast(expr.args[0], memo))
         if isinstance(expr, sympy.logic.boolalg.BooleanTrue):
-            return claripy.true
+            return claripy.true()
         if isinstance(expr, sympy.logic.boolalg.BooleanFalse):
-            return claripy.false
+            return claripy.false()
         raise AngrRuntimeError("Unreachable reached")
 
     @staticmethod
@@ -1092,7 +1113,9 @@ class ConditionProcessor:
         for term in all_terms_without_negs:
             neg = negations.get(term)
 
-            replaced_with_true = ConditionProcessor._replace_term_in_ast(cond, term, claripy.true, neg, claripy.false)
+            replaced_with_true = ConditionProcessor._replace_term_in_ast(
+                cond, term, claripy.true(), neg, claripy.false()
+            )
             sat0 = solver.satisfiable(
                 extra_constraints=(
                     cond,
@@ -1108,7 +1131,9 @@ class ConditionProcessor:
             if sat0 or sat1:
                 continue
 
-            replaced_with_false = ConditionProcessor._replace_term_in_ast(cond, term, claripy.false, neg, claripy.true)
+            replaced_with_false = ConditionProcessor._replace_term_in_ast(
+                cond, term, claripy.false(), neg, claripy.true()
+            )
             sat0 = solver.satisfiable(
                 extra_constraints=(
                     cond,

angr/analyses/decompiler/decompiler.py

@@ -334,6 +334,7 @@ class Decompiler(Analysis):
                 )
                 continue
 
+            pass_ = timethis(pass_)
             a = pass_(
                 self.func,
                 blocks_by_addr=addr_to_blocks,
@@ -389,6 +390,7 @@ class Decompiler(Analysis):
                 )
                 continue
 
+            pass_ = timethis(pass_)
             a = pass_(
                 self.func,
                 blocks_by_addr=addr_to_blocks,
@@ -425,6 +427,7 @@ class Decompiler(Analysis):
             if pass_.STAGE != OptimizationPassStage.AFTER_STRUCTURING:
                 continue
 
+            pass_ = timethis(pass_)
             a = pass_(self.func, seq=seq_node, **kwargs)
             if a.out_seq:
                 seq_node = a.out_seq

angr/analyses/decompiler/jumptable_entry_condition_rewriter.py

@@ -16,7 +16,7 @@ class JumpTableEntryConditionRewriter(SequenceWalker):
 
     def _process_expr(self, expr):
         if expr in self._jumptable_entry_conds:
-            return claripy.true
+            return claripy.true()
 
         new_args = []
         replaced = False

angr/analyses/decompiler/optimization_passes/duplication_reverter/ail_merge_graph.py

@@ -140,7 +140,7 @@ class AILMergeGraph:
         self.starts = []
         self.original_ends = []
 
-    def create_conditionless_graph(self, starting_blocks: list[Block], graph_lcs):
+    def create_conditionless_graph(self, starting_blocks: list[Block], graph_lcs) -> dict[Block, Block] | None:
         # get all the original blocks (reverted from the LCS) and their split blocks.
         # split-blocks are blocks that need to be split at some stmt index to make the two blocks
         # equal across both graphs. At a highlevel, the first block in both matching graphs either need
@@ -180,9 +180,12 @@ class AILMergeGraph:
         # we create a new graph, full of the original blocks of the base, with blocks
         # that should be split replaced.
         # this graph is only the initial merge_graph needed, where only the blocks
-        self.graph, update_blocks = self.clone_graph_replace_splits(
-            nx.subgraph(self.original_graph, self.original_blocks[merge_base]), base_to_split
-        )
+        subgraph = nx.subgraph(self.original_graph, self.original_blocks[merge_base])
+        # ensure all base blocks are within the subgraph
+        for block in base_to_split:
+            if block not in subgraph:
+                return None
+        self.graph, update_blocks = self.clone_graph_replace_splits(subgraph, base_to_split)
         self._update_all_split_refs(update_blocks)
         for update_block, new_block in update_blocks.items():
             if update_block in starting_blocks:

angr/analyses/decompiler/optimization_passes/duplication_reverter/duplication_reverter.py

@@ -51,7 +51,7 @@ class DuplicationReverter(StructuringOptimizationPass):
             strictly_less_gotos=False,
             recover_structure_fails=True,
             must_improve_rel_quality=True,
-            max_opt_iters=30,
+            max_opt_iters=5,
             simplify_ail=True,
             require_gotos=True,
             readd_labels=True,
@@ -679,6 +679,10 @@ class DuplicationReverter(StructuringOptimizationPass):
         ail_merge_graph = AILMergeGraph(original_graph=graph)
         # some blocks in originals may update during this time (if-statements can change)
         update_blocks = ail_merge_graph.create_conditionless_graph(blocks, graph_lcs)
+        if update_blocks is None:
+            # failed to create the condition-less graph
+            self.candidate_blacklist.add(tuple(blocks))
+            raise SAILRSemanticError("Failed to create a condition-less graph, this analysis must skip it")
 
         #
         # SPECIAL CASE: the merged graph contains only 1 node and no splits
@@ -1170,9 +1174,9 @@ class DuplicationReverter(StructuringOptimizationPass):
             entry_blocks = [node for node in graph.nodes if graph.in_degree(node) == 0]
             entry_block = None if len(entry_blocks) != 1 else entry_blocks[0]
 
-            self._entry_node_cache[graph] = entry_block
             if entry_block is None:
                 return None
+            self._entry_node_cache[graph] = entry_block
 
         entry_blk = self._entry_node_cache[graph]