angr 9.2.122__py3-none-macosx_11_0_arm64.whl → 9.2.124__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py

@@ -13,6 +13,7 @@ from ailment.expression import (
     BinaryOp,
     VirtualVariable,
     Phi,
+    UnaryOp,
     VirtualVariableCategory,
 )
 from ailment.statement import ConditionalJump, Jump, Assignment
@@ -238,6 +239,12 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
                 return self.state.vvar_load(vvar)
         return None
 
+    def _handle_Neg(self, expr: UnaryOp):
+        v = self._expr(expr.operand)
+        if isinstance(v, claripy.ast.Bits):
+            return ~v
+        return None
+
     def _handle_Convert(self, expr: Convert):
         v = self._expr(expr.operand)
         if isinstance(v, claripy.ast.Bits):

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -42,10 +42,8 @@ class ITERegionConverter(OptimizationPass):
             if not ite_assign_regions:
                 break
 
-            for region_head, region_tail, true_block, true_stmt, false_block, false_stmt in ite_assign_regions:
-                round_update |= self._convert_region_to_ternary_expr(
-                    region_head, region_tail, true_block, true_stmt, false_block, false_stmt
-                )
+            for region_head, region_tail, _, true_stmt, _, false_stmt in ite_assign_regions:
+                round_update |= self._convert_region_to_ternary_expr(region_head, region_tail, true_stmt, false_stmt)
 
             if not round_update:
                 break
@@ -188,9 +186,7 @@ class ITERegionConverter(OptimizationPass):
         self,
         region_head,
         region_tail,
-        true_block,
         true_stmt: Assignment | Call,
-        false_block,
         false_stmt: Assignment | Call,
     ):
         if region_head not in self._graph or region_tail not in self._graph:
@@ -206,6 +202,7 @@ class ITERegionConverter(OptimizationPass):
         true_stmt_src = true_stmt.src if isinstance(true_stmt, Assignment) else true_stmt
         true_stmt_dst = true_stmt.dst if isinstance(true_stmt, Assignment) else true_stmt.ret_expr
         false_stmt_src = false_stmt.src if isinstance(false_stmt, Assignment) else false_stmt
+        false_stmt_dst = false_stmt.dst if isinstance(false_stmt, Assignment) else false_stmt.ret_expr
 
         addr_obj = true_stmt_src if "ins_addr" in true_stmt_src.tags else true_stmt
         ternary_expr = ITE(
@@ -213,9 +210,7 @@ class ITERegionConverter(OptimizationPass):
             conditional_jump.condition,
             false_stmt_src,
             true_stmt_src,
-            ins_addr=addr_obj.ins_addr,
-            vex_block_addr=addr_obj.vex_block_addr,
-            vex_stmt_idx=addr_obj.vex_stmt_idx,
+            **addr_obj.tags,
         )
         dst = VirtualVariable(
             true_stmt_dst.idx,
@@ -242,6 +237,14 @@ class ITERegionConverter(OptimizationPass):
         #
 
         region_nodes = subgraph_between_nodes(self._graph, region_head, [region_tail])
+
+        # we must obtain the predecessors of the region tail instead of using true_block and false_block because
+        # true_block and false_block may have other successors before reaching the region tail!
+        region_tail_preds = [pred for pred in self._graph.predecessors(region_tail) if pred in region_nodes]
+        if len(region_tail_preds) != 2:
+            return False
+        region_tail_pred_srcs = {(pred.addr, pred.idx) for pred in region_tail_preds}
+
         for node in region_nodes:
             if node is region_head or node is region_tail:
                 continue
@@ -257,12 +260,32 @@ class ITERegionConverter(OptimizationPass):
             if not is_phi_assignment(stmt):
                 stmts.append(stmt)
                 continue
+
+            # is this the statement that we are looking for?
+            found_true_src_vvar, found_false_src_vvar = False, False
+            for src, vvar in stmt.src.src_and_vvars:
+                if vvar is not None:
+                    if vvar.varid == true_stmt_dst.varid:
+                        found_true_src_vvar = True
+                    elif vvar.varid == false_stmt_dst.varid:
+                        found_false_src_vvar = True
+            # we should only update the vvars of this phi statement if we found both true and false source vvars
+            update_vars = found_true_src_vvar and found_false_src_vvar
+
             new_src_and_vvars = []
+            original_vvars = []
             for src, vvar in stmt.src.src_and_vvars:
-                if src not in {(true_block.addr, true_block.idx), (false_block.addr, false_block.idx)}:
+                if src not in region_tail_pred_srcs:
                     new_src_and_vvars.append((src, vvar))
+                else:
+                    original_vvars.append(vvar)
             new_vvar = new_assignment.dst.copy()
-            new_src_and_vvars.append(((region_head.addr, region_head.idx), new_vvar))
+            if update_vars:
+                new_src_and_vvars.append(((region_head.addr, region_head.idx), new_vvar))
+            else:
+                new_src_and_vvars.append(
+                    ((region_head.addr, region_head.idx), original_vvars[0] if original_vvars else None)
+                )
 
             new_phi = Phi(
                 stmt.src.idx,

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -396,7 +396,16 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
             default_case_candidates = {}
             last_comp = None
             stack = [(head, 0, 0xFFFF_FFFF_FFFF_FFFF)]
-            while stack:
+
+            # cursed: there is an infinite loop in the following loop that
+            # occurs rarely. we need to keep track of the nodes we've seen
+            # to break out of the loop.
+            # See https://github.com/angr/angr/pull/4953
+            #
+            # FIXME: the root cause should be fixed and this workaround removed
+            seen = set()
+            while stack and tuple(stack) not in seen:
+                seen.add(tuple(stack))
                 comp, min_, max_ = stack.pop(0)
                 (
                     comp_type,

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -1,7 +1,7 @@
 # pylint:disable=unused-argument
 from __future__ import annotations
 import logging
-from typing import TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 from collections.abc import Generator
 from enum import Enum
 
@@ -117,6 +117,7 @@ class OptimizationPass(BaseOptimizationPass):
         reaching_definitions=None,
         vvar_id_start=None,
         entry_node_addr=None,
+        scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
         super().__init__(func)
@@ -127,6 +128,7 @@ class OptimizationPass(BaseOptimizationPass):
         self._variable_kb = variable_kb
         self._ri = region_identifier
         self._rd = reaching_definitions
+        self._scratch = scratch if scratch is not None else {}
         self._new_block_addrs = set()
         self.vvar_id_start = vvar_id_start
         self.entry_node_addr: tuple[int, int | None] = (

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -1,6 +1,5 @@
 from __future__ import annotations
 from typing import Any
-from itertools import count
 import copy
 import logging
 
@@ -78,23 +77,27 @@ class ReturnDuplicatorBase:
     def __init__(
         self,
         func,
-        node_idx_start: int = 0,
         max_calls_in_regions: int = 2,
         minimize_copies_for_regions: bool = True,
         ri: RegionIdentifier | None = None,
         vvar_id_start: int | None = None,
-        **kwargs,
+        scratch: dict[str, Any] | None = None,
     ):
-        self.node_idx = count(start=node_idx_start)
         self._max_calls_in_region = max_calls_in_regions
         self._minimize_copies_for_regions = minimize_copies_for_regions
         self._supergraph = None
 
         # this should also be set by the optimization passes initer
+        self.scratch = scratch if scratch is not None else {}
         self._func = func
         self._ri: RegionIdentifier | None = ri
         self.vvar_id_start = vvar_id_start
 
+    def next_node_idx(self) -> int:
+        node_idx = self.scratch.get("returndup_node_idx", 0) + 1
+        self.scratch["returndup_node_idx"] = node_idx
+        return node_idx
+
     #
     # must implement these methods
     #
@@ -208,7 +211,7 @@ class ReturnDuplicatorBase:
                 else:
                     node_copy = copy.deepcopy(node)
                 node_copy = self._use_fresh_virtual_variables(node_copy, vvar_mapping)
-                node_copy.idx = next(self.node_idx)
+                node_copy.idx = self.next_node_idx()
                 self._fix_copied_node_labels(node_copy)
                 copies[node] = node_copy
 

angr/analyses/decompiler/optimization_passes/return_duplicator_high.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 import logging
+from typing import Any
 
 import networkx
 
@@ -26,22 +27,26 @@ class ReturnDuplicatorHigh(OptimizationPass, ReturnDuplicatorBase):
     def __init__(
         self,
         func,
-        # internal parameters that should be used by Clinic
-        node_idx_start: int = 0,
         # settings
         max_calls_in_regions: int = 2,
         minimize_copies_for_regions: bool = True,
+        region_identifier=None,
+        vvar_id_start: int | None = None,
+        scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
+        OptimizationPass.__init__(
+            self, func, vvar_id_start=vvar_id_start, scratch=scratch, region_identifier=region_identifier, **kwargs
+        )
         ReturnDuplicatorBase.__init__(
             self,
             func,
-            node_idx_start=node_idx_start,
             max_calls_in_regions=max_calls_in_regions,
             minimize_copies_for_regions=minimize_copies_for_regions,
-            **kwargs,
+            ri=region_identifier,
+            vvar_id_start=vvar_id_start,
+            scratch=scratch,
         )
-        OptimizationPass.__init__(self, func, **kwargs)
         # since we run before the RegionIdentification pass in the decompiler, we need to collect it early here
         self._ri = self._recover_regions(self._graph)
 

angr/analyses/decompiler/optimization_passes/return_duplicator_low.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import logging
 import inspect
+from typing import Any
 
 import networkx
 
@@ -46,25 +47,35 @@ class ReturnDuplicatorLow(StructuringOptimizationPass, ReturnDuplicatorBase):
     def __init__(
         self,
         func,
-        # internal parameters that should be used by Clinic
-        node_idx_start: int = 0,
         # settings
         max_opt_iters: int = 4,
         max_calls_in_regions: int = 2,
         prevent_new_gotos: bool = True,
         minimize_copies_for_regions: bool = True,
+        region_identifier=None,
+        vvar_id_start: int | None = None,
+        scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
+        StructuringOptimizationPass.__init__(
+            self,
+            func,
+            max_opt_iters=max_opt_iters,
+            prevent_new_gotos=prevent_new_gotos,
+            require_gotos=True,
+            vvar_id_start=vvar_id_start,
+            scratch=scratch,
+            region_identifier=region_identifier,
+            **kwargs,
+        )
         ReturnDuplicatorBase.__init__(
             self,
             func,
-            node_idx_start=node_idx_start,
             max_calls_in_regions=max_calls_in_regions,
             minimize_copies_for_regions=minimize_copies_for_regions,
-            **kwargs,
-        )
-        StructuringOptimizationPass.__init__(
-            self, func, max_opt_iters=max_opt_iters, prevent_new_gotos=prevent_new_gotos, require_gotos=True, **kwargs
+            ri=region_identifier,
+            vvar_id_start=vvar_id_start,
+            scratch=scratch,
         )
         self.analyze()
 

angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py

@@ -75,8 +75,12 @@ class SwitchDefaultCaseDuplicator(OptimizationPass):
         default_case_node_addrs = cache["default_case_node_addrs"]
 
         out_graph = None
+        duplicated_default_addrs: set[int] = set()
 
         for switch_head_addr, jump_node_addr, default_addr in default_case_node_addrs:
+            if default_addr in duplicated_default_addrs:
+                continue
+
             default_case_node = self._func.get_node(default_addr)
             unexpected_pred_addrs = {
                 pred.addr
@@ -92,6 +96,8 @@ class SwitchDefaultCaseDuplicator(OptimizationPass):
                 for jump_node in jump_nodes:
                     jump_node_descedents |= networkx.descendants(self._graph, jump_node)
 
+                duplicated_default_addrs.add(default_addr)
+
                 # duplicate default_case_node for each unexpected predecessor
                 for unexpected_pred_addr in unexpected_pred_addrs:
                     for unexpected_pred in self._get_blocks(unexpected_pred_addr):

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -100,6 +100,8 @@ class WinStackCanarySimplifier(OptimizationPass):
         for pred_addr in pred_addr_to_endpoint_addrs:
             # the predecessor should call _security_check_cookie
             endpoint_preds = list(self._get_blocks(pred_addr))
+            if not endpoint_preds:
+                continue
             if self._find_stmt_calling_security_check_cookie(endpoint_preds[0]) is None:
                 _l.debug("The predecessor does not call _security_check_cookie().")
                 continue

angr/analyses/decompiler/peephole_optimizations/const_mull_a_shift.py

@@ -1,7 +1,7 @@
 # pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 
-from ailment.expression import Convert, BinaryOp, Const
+from ailment.expression import Convert, BinaryOp, Const, Expression
 
 from .base import PeepholeOptimizationExprBase
 
@@ -56,47 +56,10 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
 
         elif isinstance(expr, BinaryOp) and expr.op in {"Add", "Sub"}:
             expr0, expr1 = expr.operands
-            if (
-                isinstance(expr0, BinaryOp)
-                and expr0.op in {"Shr", "Sar"}
-                and isinstance(expr0.operands[1], Const)
-                and isinstance(expr1, BinaryOp)
-                and expr1.op in {"Shr", "Sar"}
-                and isinstance(expr1.operands[1], Const)
-            ):
-                if (
-                    isinstance(expr0.operands[0], BinaryOp)
-                    and expr0.operands[0].op in {"Mull", "Mul"}
-                    and isinstance(expr0.operands[0].operands[1], Const)
-                ):
-                    a0 = expr0.operands[0].operands[0]
-                    a1 = expr1.operands[0]
-                elif (
-                    isinstance(expr1.operands[0], BinaryOp)
-                    and expr1.operands[0].op in {"Mull", "Mul"}
-                    and isinstance(expr1.operands[0].operands[1], Const)
-                ):
-                    a1 = expr0.operands[0].operands[0]
-                    a0 = expr1.operands[0]
-                else:
-                    a0, a1 = None, None
-                if a0 is not None and a1 is not None and a0.likes(a1):
-                    # (a * x >> M1) +/- (a >> M2)  ==>  a / N
-                    C = expr0.operands[0].operands[1].value
-                    X = a0
-                    V = expr0.operands[1].value
-                    ndigits = 5 if V == 32 else 6
-                    divisor = self._check_divisor(pow(2, V), C, ndigits)
-                    if divisor is not None:
-                        new_const = Const(None, None, divisor, X.bits)
-                        # we cannot drop the convert in this case
-                        return BinaryOp(
-                            expr0.operands[0].idx,
-                            "Div",
-                            [X, new_const],
-                            expr0.operands[0].signed,
-                            **expr0.operands[0].tags,
-                        )
+            if isinstance(expr1, Convert) and expr1.from_bits == 32 and expr1.to_bits == 64:
+                r = self._match_case_a(expr0, expr1)
+                if r is not None:
+                    return r
 
             # with Convert in consideration
             if (
@@ -149,8 +112,78 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
 
         return None
 
+    def _match_case_a(self, expr0: Expression, expr1: Convert) -> BinaryOp | None:
+        # (
+        #   (((Conv(32->64, vvar_44{reg 32}) * 0x4325c53f<64>) >>a 0x24<8>) & 0xffffffff<64>) -
+        #   Conv(32->s64, (vvar_44{reg 32} >>a 0x1f<8>))
+        # )
+
+        expr1 = expr1.operand
+
+        if (
+            isinstance(expr0, BinaryOp)
+            and expr0.op == "And"
+            and isinstance(expr0.operands[1], Const)
+            and expr0.operands[1].value == 0xFFFFFFFF
+        ):
+            expr0 = expr0.operands[0]
+        else:
+            return None
+
+        if (
+            isinstance(expr0, BinaryOp)
+            and expr0.op in {"Shr", "Sar"}
+            and isinstance(expr0.operands[1], Const)
+            and isinstance(expr1, BinaryOp)
+            and expr1.op in {"Shr", "Sar"}
+            and isinstance(expr1.operands[1], Const)
+        ):
+            if (
+                isinstance(expr0.operands[0], BinaryOp)
+                and expr0.operands[0].op in {"Mull", "Mul"}
+                and isinstance(expr0.operands[0].operands[1], Const)
+            ):
+                a0 = expr0.operands[0].operands[0]
+                a1 = expr1.operands[0]
+            elif (
+                isinstance(expr1.operands[0], BinaryOp)
+                and expr1.operands[0].op in {"Mull", "Mul"}
+                and isinstance(expr1.operands[0].operands[1], Const)
+            ):
+                a1 = expr0.operands[0].operands[0]
+                a0 = expr1.operands[0]
+            else:
+                a0, a1 = None, None
+
+            # a0: Conv(32->64, vvar_44{reg 32})
+            # a1: vvar_44{reg 32}
+            if isinstance(a0, Convert) and a0.from_bits == a1.bits:
+                a0 = a0.operand
+
+            if a0 is not None and a1 is not None and a0.likes(a1):
+                # (a * x >> M1) +/- (a >> M2)  ==>  a / N
+                C = expr0.operands[0].operands[1].value
+                X = a0
+                V = expr0.operands[1].value
+                ndigits = 5 if V == 32 else 6
+                divisor = self._check_divisor(pow(2, V), C, ndigits)
+                if divisor is not None:
+                    new_const = Const(None, None, divisor, X.bits)
+                    # we cannot drop the convert in this case
+                    return BinaryOp(
+                        expr0.operands[0].idx,
+                        "Div",
+                        [X, new_const],
+                        expr0.operands[0].signed,
+                        **expr0.operands[0].tags,
+                    )
+
+        return None
+
     @staticmethod
     def _check_divisor(a, b, ndigits=6):
+        if b == 0:
+            return None
         divisor_1 = 1 + (a // b)
         divisor_2 = int(round(a / float(b), ndigits))
         return divisor_1 if divisor_1 == divisor_2 else None

angr/analyses/decompiler/peephole_optimizations/remove_cascading_conversions.py

@@ -11,9 +11,15 @@ class RemoveCascadingConversions(PeepholeOptimizationExprBase):
     expr_classes = (Convert,)
 
     def optimize(self, expr: Convert, **kwargs):
-        if isinstance(expr.operand, Convert):
+        if (
+            expr.from_type == Convert.TYPE_INT
+            and expr.to_type == Convert.TYPE_INT
+            and isinstance(expr.operand, Convert)
+            and expr.operand.from_type == Convert.TYPE_INT
+            and expr.operand.to_type == Convert.TYPE_INT
+        ):
             inner = expr.operand
-            if inner.from_bits == expr.to_bits:
+            if inner.from_bits == expr.to_bits and inner.from_type == expr.to_type:
                 if inner.from_bits < inner.to_bits:
                     # extension -> truncation
                     return inner.operand

angr/analyses/decompiler/region_identifier.py

@@ -163,6 +163,22 @@ class RegionIdentifier(Analysis):
                 raise AngrRuntimeError("Cannot find the start node from the graph!") from ex
         raise AngrRuntimeError("Cannot find the start node from the graph!")
 
+    def _get_entry_node(self, graph: networkx.DiGraph):
+        if self.entry_node_addr is None:
+            return None
+        return next(
+            (
+                n
+                for n in graph.nodes()
+                if (
+                    (n.addr, n.idx) == self.entry_node_addr
+                    if isinstance(n, Block)
+                    else n.addr == self.entry_node_addr[0]
+                )
+            ),
+            None,
+        )
+
     def _test_reducibility(self):
         # make a copy of the graph
         graph = networkx.DiGraph(self._graph)
@@ -188,8 +204,19 @@ class RegionIdentifier(Analysis):
         return len(graph.nodes) == 1
 
     def _make_supergraph(self, graph: networkx.DiGraph):
+
+        entry_node = None
+        if self.entry_node_addr is not None:
+            entry_node = next(iter(nn for nn in graph if nn.addr == self.entry_node_addr[0]), None)
+
         while True:
             for src, dst, data in graph.edges(data=True):
+                if entry_node is not None and dst is entry_node:
+                    # the entry node must be kept instead of merged with its predecessor (which can happen in real
+                    # binaries! e.g., 444a401b900eb825f216e95111dcb6ef94b01a81fc7b88a48599867db8c50365, function
+                    # 0x1802BEA28, block 0x1802BEA05 and 0x1802BEA28)
+                    continue
+
                 type_ = data.get("type", None)
                 if type_ == "fake_return":
                     if len(list(graph.successors(src))) == 1 and len(list(graph.predecessors(dst))) == 1:
@@ -452,6 +479,8 @@ class RegionIdentifier(Analysis):
     #
 
     def _make_cyclic_region(self, head, graph: networkx.DiGraph):
+        original_entry = self._get_entry_node(graph)
+
         l.debug("Found cyclic region at %#08x", head.addr)
         initial_loop_nodes = self._find_initial_loop_nodes(graph, head)
         l.debug("Initial loop nodes %s", self._dbg_block_list(initial_loop_nodes))
@@ -505,6 +534,13 @@ class RegionIdentifier(Analysis):
             # multi-successor region. refinement is required
             self._refine_loop_successors(region, graph)
 
+        # if the head node is in the graph and it's not the head of the graph, we will need to update the head node
+        # address.
+        if original_entry is not None and original_entry in region.graph and region.head is not original_entry:
+            self.entry_node_addr = (head.addr, None)
+            # FIXME: the identified region will probably be incorrect. we may need to add a jump block that jumps to
+            #  original_entry.
+
         return region
 
     def _refine_loop_successors(self, region, graph: networkx.DiGraph):

angr/analyses/decompiler/region_simplifiers/expr_folding.py

@@ -395,6 +395,10 @@ class ExpressionReplacer(AILBlockWalker):
 
     def _handle_Assignment(self, stmt_idx: int, stmt: Assignment, block: Block | None):
         # override the base handler and make sure we do not replace .dst with a Call expression or an ITE expression
+
+        if is_phi_assignment(stmt):
+            return None
+
         changed = False
 
         dst = self._handle_expr(0, stmt.dst, stmt_idx, stmt, block)

angr/analyses/decompiler/region_simplifiers/loop.py

@@ -16,6 +16,7 @@ from angr.analyses.decompiler.structuring.structurer_nodes import (
     CascadingConditionNode,
 )
 from angr.analyses.decompiler.utils import is_statement_terminating, has_nonlabel_nonphi_statements
+from angr.utils.ail import is_phi_assignment
 
 
 class LoopSimplifier(SequenceWalker):
@@ -104,14 +105,7 @@ class LoopSimplifier(SequenceWalker):
             )
             and (
                 all(has_nonlabel_nonphi_statements(block) for block in self.continue_preludes[node])
-                and all(
-                    not self._control_transferring_statement(block.statements[-1])
-                    for block in self.continue_preludes[node]
-                )
-                and all(
-                    block.statements[-1] == self.continue_preludes[node][0].statements[-1]
-                    for block in self.continue_preludes[node]
-                )
+                and all(not is_phi_assignment(block.statements[-1]) for block in self.continue_preludes[node])
             )
         ):
             node.sort = "for"

angr/analyses/decompiler/region_simplifiers/switch_cluster_simplifier.py

@@ -284,6 +284,10 @@ def simplify_switch_clusters(
 
     for variable in var2switches:
         switch_regions = var2switches[variable]
+        if len(switch_regions) <= 1:
+            # nothing to simplify or merge if there is only one switch region
+            continue
+
         cond_regions = list(var2condnodes[variable])
 
         if not cond_regions:
@@ -449,10 +453,10 @@ def simplify_switch_clusters(
         # build the SwitchCase node and replace old nodes in the parent node
         cases_dict = OrderedDict(cases)
         new_switchcase = SwitchCaseNode(
-            switch_regions_default_nodes[0].node.switch_expr,
+            switch_regions[0].node.switch_expr,
             cases_dict,
             default_node,
-            addr=switch_regions_default_nodes[0].node.addr,
+            addr=switch_regions[0].node.addr,
         )
 
         # what are we trying to replace?
@@ -525,13 +529,15 @@ def simplify_lowered_switches_core(
 
     if outermost_node is None:
         return False
+    if not isinstance(outermost_node, ConditionNode):
+        return False
     if isinstance(outermost_node.condition, UnaryOp) and outermost_node.condition.op == "Not":
         # attempt to flip any simple negated comparison for normalized operations
         outermost_node.condition = negate(outermost_node.condition.operand)
 
     caseno_to_node = {}
     default_node_candidates: list[tuple[BaseNode, BaseNode]] = []  # parent to default node candidate
-    stack: list[(ConditionNode, int, int)] = [(outermost_node, 0, 0xFFFF_FFFF_FFFF_FFFF)]
+    stack: list[tuple[BaseNode, int, int]] = [(outermost_node, 0, 0xFFFF_FFFF_FFFF_FFFF)]
     while stack:
         node, min_, max_ = stack.pop(0)
         if node not in node_to_condnode:

angr/analyses/decompiler/sequence_walker.py

@@ -216,11 +216,27 @@ class SequenceWalker:
         )
 
     def _handle_CascadingCondition(self, node: CascadingConditionNode, **kwargs):
-        for index, (_, child_node) in enumerate(node.condition_and_nodes):
-            self._handle(child_node, parent=node, index=index)
+        cond_nodes_changed = False
+        new_condition_and_nodes = []
+        for index, (cond, child_node) in enumerate(node.condition_and_nodes):
+            new_child = self._handle(child_node, parent=node, index=index)
+            if new_child is not None:
+                cond_nodes_changed = True
+                new_condition_and_nodes.append((cond, new_child))
+            else:
+                new_condition_and_nodes.append((cond, child_node))
+
+        new_else = None
         if node.else_node is not None:
-            self._handle(node.else_node, parent=node, index=-1)
-        return
+            new_else = self._handle(node.else_node, parent=node, index=-1)
+
+        if cond_nodes_changed or new_else is not None:
+            return CascadingConditionNode(
+                node.addr,
+                new_condition_and_nodes if cond_nodes_changed else node.condition_and_nodes,
+                else_node=new_else if new_else is not None else node.else_node,
+            )
+        return None
 
     def _handle_ConditionalBreak(self, node: ConditionalBreakNode, **kwargs):  # pylint:disable=no-self-use
         return None