angr 9.2.122__py3-none-macosx_11_0_arm64.whl → 9.2.124__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/clinic.py

@@ -110,6 +110,7 @@ class Clinic(Analysis):
         inlined_counts: dict[int, int] | None = None,
         inlining_parents: set[int] | None = None,
         vvar_id_start: int = 0,
+        optimization_scratch: dict[str, Any] | None = None,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -124,6 +125,7 @@ class Clinic(Analysis):
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, int] = {}  # data address to instruction address
+        self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
 
         self._func_graph: networkx.DiGraph | None = None
         self._ail_manager = None
@@ -749,8 +751,9 @@ class Clinic(Analysis):
                 continue
 
             call_sites = []
-            for pred in self.function.transition_graph.predecessors(node):
-                call_sites.append(pred)
+            for pred, _, data in self.function.transition_graph.in_edges(node, data=True):
+                if data.get("type", None) != "return":
+                    call_sites.append(pred)
             # case 1: calling conventions and prototypes are available at every single call site
             if call_sites and all(self.kb.callsite_prototypes.has_prototype(callsite.addr) for callsite in call_sites):
                 continue
@@ -918,10 +921,16 @@ class Clinic(Analysis):
             "Ijk_Sys"
         ):
             # we don't support lifting this block. use a dummy block instead
+            dirty_expr = ailment.Expr.DirtyExpression(
+                self._ail_manager.next_atom,
+                f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                [],
+                bits=0,
+            )
             statements = [
                 ailment.Stmt.DirtyStatement(
                     self._ail_manager.next_atom(),
-                    f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                    dirty_expr,
                     ins_addr=block_node.addr,
                 )
             ]
@@ -1218,6 +1227,7 @@ class Clinic(Analysis):
                 variable_kb=variable_kb,
                 vvar_id_start=self.vvar_id_start,
                 entry_node_addr=self.entry_node_addr,
+                scratch=self.optimization_scratch,
                 **kwargs,
             )
             if a.out_graph:
@@ -1255,6 +1265,7 @@ class Clinic(Analysis):
                 ailment.Expr.VirtualVariableCategory.PARAMETER,
                 oident=arg.reg,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             self.vvar_id_start += 1
             arg_vvars[arg_vvar.varid] = arg_vvar, arg
@@ -1268,6 +1279,7 @@ class Clinic(Analysis):
                     False,
                     arg_vvar,
                     ins_addr=self.function.addr,
+                    vex_block_addr=self.function.addr,
                 )
 
             fullreg_dst = ailment.Expr.Register(
@@ -1276,12 +1288,14 @@ class Clinic(Analysis):
                 basereg_offset,
                 basereg_size * self.project.arch.byte_width,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             stmt = ailment.Stmt.Assignment(
                 self._ail_manager.next_atom(),
                 fullreg_dst,
                 arg_vvar,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             new_stmts.append(stmt)
 
@@ -1312,6 +1326,7 @@ class Clinic(Analysis):
             ail_graph,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
+            ssa_tmps=True,
             ssa_stackvars=True,
             vvar_id_start=self.vvar_id_start,
         )
@@ -1791,6 +1806,18 @@ class Clinic(Analysis):
         elif isinstance(expr, ailment.Stmt.Call):
             self._link_variables_on_call(variable_manager, global_variables, block, stmt_idx, expr, is_expr=True)
 
+        elif isinstance(expr, ailment.Expr.VEXCCallExpression):
+            for operand in expr.operands:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, operand)
+
+        elif isinstance(expr, ailment.Expr.DirtyExpression):
+            for operand in expr.operands:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, operand)
+            if expr.maddr:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.maddr)
+            if expr.guard:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.guard)
+
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size

angr/analyses/decompiler/condition_processor.py

@@ -160,6 +160,8 @@ _ail2claripy_op_mapping = {
     "GetMSBs": lambda expr, _, m: _dummy_bvs(expr, m),
     "InterleaveLOV": lambda expr, _, m: _dummy_bvs(expr, m),
     "InterleaveHIV": lambda expr, _, m: _dummy_bvs(expr, m),
+    # catch-all
+    "_DUMMY_": lambda expr, _, m: _dummy_bvs(expr, m),
 }
 
 #
@@ -771,7 +773,7 @@ class ConditionProcessor:
 
         if isinstance(
             condition,
-            (ailment.Expr.DirtyExpression, ailment.Expr.BasePointerOffset, ailment.Expr.ITE),
+            (ailment.Expr.VEXCCallExpression, ailment.Expr.BasePointerOffset, ailment.Expr.ITE),
         ):
             return _dummy_bvs(condition, self._condition_mapping)
         if isinstance(condition, ailment.Stmt.Call):
@@ -828,9 +830,14 @@ class ConditionProcessor:
             # fall back to op
             lambda_expr = _ail2claripy_op_mapping.get(condition.op, None)
         if lambda_expr is None:
-            raise NotImplementedError(
-                f"Unsupported AIL expression operation {condition.op} or {condition.verbose_op}. Consider implementing."
+            # fall back to the catch-all option
+            l.debug(
+                "Unsupported AIL expression operation %s (or verbose: %s). Fall back to the default catch-all dummy "
+                "option. Consider implementing.",
+                condition.op,
+                condition.verbose_op,
             )
+            lambda_expr = _ail2claripy_op_mapping["_DUMMY_"]
         r = lambda_expr(condition, self.claripy_ast_from_ail_condition, self._condition_mapping)
 
         if isinstance(r, claripy.ast.Bool) and nobool:

angr/analyses/decompiler/decompilation_cache.py

@@ -14,6 +14,7 @@ class DecompilationCache:
     """
 
     __slots__ = (
+        "parameters",
         "addr",
         "type_constraints",
         "func_typevar",
@@ -25,6 +26,7 @@ class DecompilationCache:
     )
 
     def __init__(self, addr):
+        self.parameters: dict[str, Any] = {}
         self.addr = addr
         self.type_constraints: set | None = None
         self.func_typevar = None

angr/analyses/decompiler/decompiler.py

@@ -68,12 +68,13 @@ class Decompiler(Analysis):
         inline_functions=frozenset(),
         update_memory_data: bool = True,
         generate_code: bool = True,
+        use_cache: bool = True,
     ):
         if not isinstance(func, Function):
             func = self.kb.functions[func]
         self.func: Function = func
         self._cfg = cfg.model if isinstance(cfg, CFGFast) else cfg
-        self._options = options
+        self._options = options or []
 
         if preset is None and optimization_passes:
             self._optimization_passes = optimization_passes
@@ -102,6 +103,25 @@ class Decompiler(Analysis):
         self._update_memory_data = update_memory_data
         self._generate_code = generate_code
         self._inline_functions = inline_functions
+        self._cache_parameters = (
+            {
+                "cfg": self._cfg,
+                "variable_kb": self._variable_kb,
+                "options": {(o, v) for o, v in self._options if o.category != "Display" and v != o.default_value},
+                "optimization_passes": self._optimization_passes,
+                "sp_tracker_track_memory": self._sp_tracker_track_memory,
+                "peephole_optimizations": self._peephole_optimizations,
+                "vars_must_struct": self._vars_must_struct,
+                "flavor": self._flavor,
+                "expr_comments": self._expr_comments,
+                "stmt_comments": self._stmt_comments,
+                "ite_exprs": self._ite_exprs,
+                "binop_operators": self._binop_operators,
+                "inline_functions": self._inline_functions,
+            }
+            if use_cache
+            else None
+        )
 
         self.clinic = None  # mostly for debugging purposes
         self.codegen: CStructuredCodeGenerator | None = None
@@ -111,27 +131,43 @@ class Decompiler(Analysis):
         self.unoptimized_ail_graph: networkx.DiGraph | None = None
         self.ail_graph: networkx.DiGraph | None = None
         self.vvar_id_start = None
+        self._optimization_scratch: dict[str, Any] = {}
 
         if decompile:
             self._decompile()
 
+    def _can_use_decompilation_cache(self, cache: DecompilationCache) -> bool:
+        a, b = self._cache_parameters, cache.parameters
+        id_checks = {"cfg", "variable_kb"}
+        return all(a[k] is b[k] if k in id_checks else a[k] == b[k] for k in self._cache_parameters)
+
     @timethis
     def _decompile(self):
         if self.func.is_simprocedure:
             return
 
-        # Load from cache
-        try:
-            cache = self.kb.structured_code[(self.func.addr, self._flavor)]
+        cache = None
+
+        if self._cache_parameters is not None:
+            try:
+                cache = self.kb.decompilations[self.func.addr]
+                if not self._can_use_decompilation_cache(cache):
+                    cache = None
+            except KeyError:
+                pass
+
+        if cache:
             old_codegen = cache.codegen
             old_clinic = cache.clinic
             ite_exprs = cache.ite_exprs if self._ite_exprs is None else self._ite_exprs
             binop_operators = cache.binop_operators if self._binop_operators is None else self._binop_operators
-        except KeyError:
-            ite_exprs = self._ite_exprs
-            binop_operators = self._binop_operators
+            l.debug("Decompilation cache hit")
+        else:
             old_codegen = None
             old_clinic = None
+            ite_exprs = self._ite_exprs
+            binop_operators = self._binop_operators
+            l.debug("Decompilation cache miss")
 
         self.options_by_class = defaultdict(list)
 
@@ -167,6 +203,7 @@ class Decompiler(Analysis):
             fold_callexprs_into_conditions = True
 
         cache = DecompilationCache(self.func.addr)
+        cache.parameters = self._cache_parameters
         cache.ite_exprs = ite_exprs
         cache.binop_operators = binop_operators
 
@@ -189,6 +226,7 @@ class Decompiler(Analysis):
                 cache=cache,
                 progress_callback=progress_callback,
                 inline_functions=self._inline_functions,
+                optimization_scratch=self._optimization_scratch,
                 **self.options_to_params(self.options_by_class["clinic"]),
             )
         else:
@@ -302,6 +340,8 @@ class Decompiler(Analysis):
         self.cache.codegen = codegen
         self.cache.clinic = self.clinic
 
+        self.kb.decompilations[self.func.addr] = self.cache
+
     def _recover_regions(self, graph: networkx.DiGraph, condition_processor, update_graph: bool = True):
         return self.project.analyses[RegionIdentifier].prep(kb=self.kb)(
             self.func,
@@ -355,6 +395,7 @@ class Decompiler(Analysis):
                 variable_kb=self._variable_kb,
                 reaching_definitions=reaching_definitions,
                 entry_node_addr=self.clinic.entry_node_addr,
+                scratch=self._optimization_scratch,
                 **kwargs,
             )
 
@@ -414,6 +455,7 @@ class Decompiler(Analysis):
                 reaching_definitions=reaching_definitions,
                 vvar_id_start=self.vvar_id_start,
                 entry_node_addr=self.clinic.entry_node_addr,
+                scratch=self._optimization_scratch,
                 **kwargs,
             )
 
@@ -442,7 +484,7 @@ class Decompiler(Analysis):
                 continue
 
             pass_ = timethis(pass_)
-            a = pass_(self.func, seq=seq_node, **kwargs)
+            a = pass_(self.func, seq=seq_node, scratch=self._optimization_scratch, **kwargs)
             if a.out_seq:
                 seq_node = a.out_seq
 

angr/analyses/decompiler/dephication/graph_vvar_mapping.py

@@ -3,7 +3,7 @@ import logging
 from collections import defaultdict
 
 from ailment.block import Block
-from ailment.expression import Phi, VirtualVariable
+from ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
 from ailment.statement import Assignment, Jump, ConditionalJump, Label
 
 from angr.analyses import Analysis
@@ -213,8 +213,16 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
 
                 the_block = self._blocks[(src_block_addr, src_block_idx)]
                 ins_addr = the_block.addr + the_block.original_size - 1
+                if vvar.category == VirtualVariableCategory.PARAMETER:
+                    # it's a parameter, so we copy the variable into a dummy register vvar
+                    # a parameter vvar should never be assigned to
+                    new_category = VirtualVariableCategory.REGISTER
+                    new_oident = 4096
+                else:
+                    new_category = vvar.category
+                    new_oident = vvar.oident
                 new_vvar = VirtualVariable(
-                    None, new_vvar_id, vvar.bits, vvar.category, oident=vvar.oident, ins_addr=ins_addr
+                    None, new_vvar_id, vvar.bits, new_category, oident=new_oident, ins_addr=ins_addr
                 )
                 assignment = Assignment(None, new_vvar, vvar, ins_addr=ins_addr)
 

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 
 from ailment.block import Block
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump
+from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
 from ailment.expression import (
     Register,
     VirtualVariable,
@@ -14,6 +14,8 @@ from ailment.expression import (
     Convert,
     StackBaseOffset,
     ITE,
+    VEXCCallExpression,
+    DirtyExpression,
 )
 
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
@@ -126,7 +128,7 @@ class SimEngineDephiRewriting(
         return None
 
     def _handle_Call(self, stmt: Call) -> Call | None:
-        new_target = self._expr(stmt.target) if stmt.target is not None else None
+        new_target = self._expr(stmt.target) if stmt.target is not None and not isinstance(stmt.target, str) else None
         new_ret_expr = self._expr(stmt.ret_expr) if stmt.ret_expr is not None else None
         new_fp_ret_expr = self._expr(stmt.fp_ret_expr) if stmt.fp_ret_expr is not None else None
 
@@ -139,10 +141,19 @@ class SimEngineDephiRewriting(
                 args=stmt.args,
                 ret_expr=stmt.ret_expr if new_ret_expr is None else new_ret_expr,
                 fp_ret_expr=stmt.fp_ret_expr if new_fp_ret_expr is None else new_fp_ret_expr,
+                bits=stmt.bits,
                 **stmt.tags,
             )
         return None
 
+    _handle_CallExpr = _handle_Call
+
+    def _handle_DirtyStatement(self, stmt: DirtyStatement) -> DirtyStatement | None:
+        dirty = self._expr(stmt.dirty)
+        if dirty is None or dirty is stmt.dirty:
+            return None
+        return DirtyStatement(stmt.idx, dirty, **stmt.tags)
+
     def _handle_Register(self, expr: Register) -> None:
         return None
 
@@ -243,5 +254,57 @@ class SimEngineDephiRewriting(
             )
         return None
 
+    def _handle_VEXCCallExpression(self, expr: VEXCCallExpression) -> VEXCCallExpression | None:
+        new_operands = []
+        updated = False
+        for o in expr.operands:
+            new_o = self._expr(o)
+            if new_o is not None:
+                updated = True
+                new_operands.append(new_o)
+            else:
+                new_operands.append(o)
+
+        if updated:
+            return VEXCCallExpression(
+                expr.idx,
+                expr.callee,
+                new_operands,
+                bits=expr.bits,
+                **expr.tags,
+            )
+        return None
+
+    def _handle_DirtyExpression(self, expr: DirtyExpression) -> DirtyExpression | None:
+        new_operands = []
+        updated = False
+        for o in expr.operands:
+            new_o = self._expr(o)
+            if new_o is not None:
+                updated = True
+                new_operands.append(new_o)
+            else:
+                new_operands.append(o)
+
+        new_guard = None
+        if expr.guard is not None:
+            new_guard = self._expr(expr.guard)
+            if new_guard is not None:
+                updated = True
+
+        if updated:
+            return DirtyExpression(
+                expr.idx,
+                expr.callee,
+                new_operands,
+                guard=new_guard,
+                mfx=expr.mfx,
+                maddr=expr.maddr,
+                msize=expr.msize,
+                bits=expr.bits,
+                **expr.tags,
+            )
+        return None
+
     def _handle_StackBaseOffset(self, expr: StackBaseOffset) -> None:
         return None

angr/analyses/decompiler/expression_narrower.py

@@ -1,23 +1,52 @@
 from __future__ import annotations
 from typing import Any, TYPE_CHECKING
-from ailment import AILBlockWalkerBase
+from collections import defaultdict
+import logging
+
+from ailment import AILBlockWalkerBase, AILBlockWalker
+from ailment.statement import Assignment, Call
+from ailment.expression import VirtualVariable, Convert, BinaryOp, Phi
+
+from angr.knowledge_plugins.key_definitions import atoms
+from angr.code_location import CodeLocation
 
 if TYPE_CHECKING:
     from ailment.expression import (
         Expression,
-        BinaryOp,
         Load,
         UnaryOp,
-        Convert,
         ITE,
         DirtyExpression,
         VEXCCallExpression,
     )
-    from ailment.statement import Call, Statement
+    from ailment.statement import Statement
     from ailment.block import Block
 
 
-class ExpressionNarrowingWalker(AILBlockWalkerBase):
+_l = logging.getLogger(__name__)
+
+
+class ExprNarrowingInfo:
+    """
+    Stores the analysis result of _narrowing_needed().
+    """
+
+    __slots__ = ("narrowable", "to_size", "use_exprs", "phi_vars")
+
+    def __init__(
+        self,
+        narrowable: bool,
+        to_size: int | None = None,
+        use_exprs: list[tuple[atoms.VirtualVariable, CodeLocation, tuple[str, tuple[Expression, ...]]]] | None = None,
+        phi_vars: set[atoms.VirtualVariable] | None = None,
+    ):
+        self.narrowable = narrowable
+        self.to_size = to_size
+        self.use_exprs = use_exprs
+        self.phi_vars = phi_vars
+
+
+class NarrowingInfoExtractor(AILBlockWalkerBase):
     """
     Walks a statement or an expression and extracts the operations that are applied on the given expression.
 
@@ -76,7 +105,11 @@ class ExpressionNarrowingWalker(AILBlockWalkerBase):
     def _handle_DirtyExpression(
         self, expr_idx: int, expr: DirtyExpression, stmt_idx: int, stmt: Statement, block: Block | None
     ):
-        return self._handle_expr(0, expr.dirty_expr, stmt_idx, stmt, block)
+        r = False
+        if expr.operands:
+            for i, op in enumerate(expr.operands):
+                r |= self._handle_expr(i, op, stmt_idx, stmt, block)
+        return r
 
     def _handle_VEXCCallExpression(
         self, expr_idx: int, expr: VEXCCallExpression, stmt_idx: int, stmt: Statement, block: Block | None
@@ -85,3 +118,170 @@ class ExpressionNarrowingWalker(AILBlockWalkerBase):
         for idx, operand in enumerate(expr.operands):
             r |= self._handle_expr(idx, operand, stmt_idx, stmt, block)
         return r
+
+
+class ExpressionNarrower(AILBlockWalker):
+    """
+    Narrows an expression regardless of whether the expression is a definition or a use.
+    """
+
+    def __init__(
+        self, project, rd, narrowables, addr2blocks: dict[tuple[int, int | None], Block], new_blocks: dict[Block, Block]
+    ):
+        super().__init__(update_block=False)
+
+        self.project = project
+        self._rd = rd
+        self._addr2blocks = addr2blocks
+        self._new_blocks = new_blocks
+
+        self.new_vvar_sizes: dict[int, int] = {}
+        self.replacement_core_vvars: dict[int, list[VirtualVariable]] = defaultdict(list)
+        self.narrowed_any = False
+
+        for def_, narrow_info in narrowables:
+            self.new_vvar_sizes[def_.atom.varid] = narrow_info.to_size
+
+    def walk(self, block: Block):
+        self.narrowed_any = False
+        return super().walk(block)
+
+    def _handle_Assignment(self, stmt_idx: int, stmt: Assignment, block: Block | None) -> Assignment | None:
+
+        if isinstance(stmt.src, Phi):
+            changed = False
+
+            src_and_vvars = []
+            for src, vvar in stmt.src.src_and_vvars:
+                if vvar is None:
+                    src_and_vvars.append((src, None))
+                    continue
+                if vvar.varid in self.new_vvar_sizes and self.new_vvar_sizes[vvar.varid] != vvar.size:
+                    self.narrowed_any = True
+                    changed = True
+                    new_var = VirtualVariable(
+                        vvar.idx,
+                        vvar.varid,
+                        self.new_vvar_sizes[vvar.varid] * self.project.arch.byte_width,
+                        category=vvar.category,
+                        oident=vvar.oident,
+                        **vvar.tags,
+                    )
+
+                    self.replacement_core_vvars[new_var.varid].append(new_var)
+                else:
+                    new_var = None
+
+                src_and_vvars.append((src, new_var))
+
+            new_src = Phi(stmt.src.idx, stmt.src.bits, src_and_vvars, **stmt.src.tags)
+
+        else:
+            new_src = self._handle_expr(1, stmt.src, stmt_idx, stmt, block)
+            if new_src is None:
+                changed = False
+                new_src = stmt.src
+            else:
+                changed = True
+
+        if isinstance(stmt.dst, VirtualVariable) and stmt.dst.varid in self.new_vvar_sizes:
+            changed = True
+            new_dst = VirtualVariable(
+                stmt.dst.idx,
+                stmt.dst.varid,
+                self.new_vvar_sizes[stmt.dst.varid] * self.project.arch.byte_width,
+                category=stmt.dst.category,
+                oident=stmt.dst.oident,
+                **stmt.dst.tags,
+            )
+
+            self.replacement_core_vvars[new_dst.varid].append(new_dst)
+
+            if isinstance(new_src, Phi):
+                new_src.bits = self.new_vvar_sizes[stmt.dst.varid] * self.project.arch.byte_width
+            else:
+                new_src = Convert(
+                    None,
+                    stmt.src.bits,
+                    self.new_vvar_sizes[stmt.dst.varid] * self.project.arch.byte_width,
+                    False,
+                    new_src,
+                    **new_src.tags,
+                )
+        else:
+            new_dst = self._handle_expr(0, stmt.dst, stmt_idx, stmt, block)
+            if new_dst is not None:
+                changed = True
+            else:
+                new_dst = stmt.dst
+
+        if changed:
+            self.narrowed_any = True
+            return Assignment(stmt.idx, new_dst, new_src, **stmt.tags)
+
+        return None
+
+    def _handle_VirtualVariable(
+        self, expr_idx: int, expr: VirtualVariable, stmt_idx: int, stmt: Statement, block: Block | None
+    ) -> Convert | None:
+        if expr.varid in self.new_vvar_sizes and self.new_vvar_sizes[expr.varid] != expr.size:
+            self.narrowed_any = True
+            new_expr = VirtualVariable(
+                expr.idx,
+                expr.varid,
+                self.new_vvar_sizes[expr.varid] * self.project.arch.byte_width,
+                category=expr.category,
+                oident=expr.oident,
+                **expr.tags,
+            )
+
+            self.replacement_core_vvars[expr.varid].append(new_expr)
+
+            return Convert(
+                None,
+                new_expr.bits,
+                expr.bits,
+                False,
+                new_expr,
+                **new_expr.tags,
+            )
+        return None
+
+    def _handle_Call(self, stmt_idx: int, stmt: Call, block: Block | None) -> Call | None:
+        new_stmt = super()._handle_Call(stmt_idx, stmt, block)
+        if new_stmt is None:
+            changed = False
+            new_stmt = stmt
+        else:
+            changed = True
+
+        if (
+            stmt.ret_expr is not None
+            and isinstance(stmt.ret_expr, VirtualVariable)
+            and stmt.ret_expr.was_reg
+            and stmt.ret_expr.varid in self.new_vvar_sizes
+            and stmt.ret_expr.size != self.new_vvar_sizes[stmt.ret_expr.varid]
+        ):
+            changed = True
+
+            # update reg name
+            tags = dict(stmt.ret_expr.tags)
+            tags["reg_name"] = self.project.arch.translate_register_name(
+                stmt.ret_expr.reg_offset, size=self.new_vvar_sizes[stmt.ret_expr.varid]
+            )
+            new_ret_expr = VirtualVariable(
+                stmt.ret_expr.idx,
+                stmt.ret_expr.varid,
+                self.new_vvar_sizes[stmt.ret_expr.varid] * self.project.arch.byte_width,
+                category=stmt.ret_expr.category,
+                oident=stmt.ret_expr.oident,
+                **tags,
+            )
+            self.replacement_core_vvars[new_ret_expr.varid].append(new_ret_expr)
+            new_stmt.ret_expr = new_ret_expr
+
+        if changed:
+            self.narrowed_any = True
+            return new_stmt
+
+        return None

angr/analyses/decompiler/optimization_passes/div_simplifier.py

@@ -18,7 +18,10 @@ class DivSimplifierAILEngine(SimplifierAILEngine):
     An AIL pass for the div simplifier
     """
 
-    def _check_divisor(self, a, b, ndigits=6):  # pylint: disable=no-self-use
+    @staticmethod
+    def _check_divisor(a, b, ndigits=6):
+        if b == 0:
+            return None
         divisor_1 = 1 + (a // b)
         divisor_2 = int(round(a / float(b), ndigits))
         return divisor_1 if divisor_1 == divisor_2 else None