angr 9.2.122__py3-none-win_amd64.whl → 9.2.124__py3-none-win_amd64.whl

angr/analyses/decompiler/ssailification/rewriting.py

@@ -9,7 +9,7 @@ import networkx
 import ailment
 from ailment import Block
 from ailment.expression import Expression, Phi, VirtualVariable, VirtualVariableCategory
-from ailment.statement import Assignment, Label
+from ailment.statement import Statement, Assignment, Label
 
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
@@ -38,6 +38,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
         stackvar_locs: dict[int, int],
+        rewrite_tmps: bool,
         ail_manager,
         vvar_id_start: int = 0,
     ):
@@ -52,6 +53,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         self._udef_to_phiid = udef_to_phiid
         self._phiid_to_loc = phiid_to_loc
         self._stackvar_locs = stackvar_locs
+        self._rewrite_tmps = rewrite_tmps
         self._ail_manager = ail_manager
         self._engine_ail = SimEngineSSARewriting(
             self.project.arch,
@@ -61,6 +63,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
             udef_to_phiid=self._udef_to_phiid,
             phiid_to_loc=self._phiid_to_loc,
             stackvar_locs=self._stackvar_locs,
+            rewrite_tmps=self._rewrite_tmps,
             ail_manager=ail_manager,
             vvar_id_start=vvar_id_start,
         )
@@ -71,7 +74,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
 
         self._analyze()
 
-        self.def_to_vvid: dict[Expression, int] = self._engine_ail.def_to_vvid
+        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = self._engine_ail.def_to_vvid
         self.out_graph = self._make_new_graph(ail_graph)
 
     @property

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -1,9 +1,8 @@
 # pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
-from typing import Any
 import logging
 
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump
+from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
 from ailment.expression import (
     Expression,
     Register,
@@ -18,6 +17,8 @@ from ailment.expression import (
     StackBaseOffset,
     VEXCCallExpression,
     ITE,
+    Tmp,
+    DirtyExpression,
 )
 
 from angr.utils.ssa import get_reg_offset_base_and_size
@@ -51,6 +52,7 @@ class SimEngineSSARewriting(
         ail_manager=None,
         vvar_id_start: int = 0,
         bp_as_gpr: bool = False,
+        rewrite_tmps: bool = False,
     ):
         super().__init__()
 
@@ -58,10 +60,11 @@ class SimEngineSSARewriting(
         self.project = project
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
-        self.def_to_vvid: dict[Any, int] = {}
+        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = {}
         self.stackvar_locs = stackvar_locs
         self.udef_to_phiid = udef_to_phiid
         self.phiid_to_loc = phiid_to_loc
+        self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
 
         self._current_vvar_id = vvar_id_start
@@ -97,9 +100,11 @@ class SimEngineSSARewriting(
                 self.state.registers[stmt.dst.reg_offset][stmt.dst.size] = stmt.dst
             elif stmt.dst.category == VirtualVariableCategory.STACK:
                 self.state.stackvars[stmt.dst.stack_offset][stmt.dst.size] = stmt.dst
+            elif stmt.dst.category == VirtualVariableCategory.TMP:
+                self.state.tmps[stmt.dst.tmp_idx] = stmt.dst
             new_dst = None
         else:
-            new_dst = self._replace_def_expr(stmt.dst)
+            new_dst = self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.dst)
 
         stmt_base_reg = None
         if new_dst is not None:
@@ -124,7 +129,9 @@ class SimEngineSSARewriting(
                         **stmt.dst.tags,
                     )
                     existing_base_reg_vvar = self._replace_use_reg(base_reg_expr)
-                    base_reg_vvar = self._replace_def_expr(base_reg_expr)
+                    base_reg_vvar = self._replace_def_expr(
+                        self.block.addr, self.block.idx, self.stmt_idx, base_reg_expr
+                    )
                     stmt_base_reg = Assignment(
                         self.ail_manager.next_atom(),
                         base_reg_vvar,
@@ -134,6 +141,8 @@ class SimEngineSSARewriting(
                         **stmt.tags,
                     )
                     self.state.registers[base_offset][base_size] = base_reg_vvar
+            elif isinstance(stmt.dst, Tmp):
+                pass
             else:
                 raise NotImplementedError
 
@@ -151,7 +160,7 @@ class SimEngineSSARewriting(
 
     def _handle_Store(self, stmt: Store) -> Store | Assignment | None:
         new_data = self._expr(stmt.data)
-        vvar = self._replace_def_store(stmt)
+        vvar = self._replace_def_store(self.block.addr, self.block.idx, self.stmt_idx, stmt)
         if vvar is not None:
             return Assignment(stmt.idx, vvar, stmt.data if new_data is None else new_data, **stmt.tags)
 
@@ -189,9 +198,19 @@ class SimEngineSSARewriting(
         return None
 
     def _handle_Call(self, stmt: Call) -> Call | None:
-        new_target = self._replace_use_reg(stmt.target) if isinstance(stmt.target, Register) else None
-        new_ret_expr = self._replace_def_expr(stmt.ret_expr) if stmt.ret_expr is not None else None
-        new_fp_ret_expr = self._replace_def_expr(stmt.fp_ret_expr) if stmt.fp_ret_expr is not None else None
+        changed = False
+
+        new_target = self._replace_use_expr(stmt.target)
+        new_ret_expr = (
+            self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.ret_expr)
+            if stmt.ret_expr is not None
+            else None
+        )
+        new_fp_ret_expr = (
+            self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.fp_ret_expr)
+            if stmt.fp_ret_expr is not None
+            else None
+        )
 
         cc = stmt.calling_convention if stmt.calling_convention is not None else self.project.factory.cc()
         if cc is not None:
@@ -211,22 +230,50 @@ class SimEngineSSARewriting(
             self._clear_aliasing_regs(stmt.fp_ret_expr.reg_offset, stmt.fp_ret_expr.size)
             self.state.registers[stmt.fp_ret_expr.reg_offset][stmt.fp_ret_expr.size] = new_fp_ret_expr
 
+        new_args = None
+        if stmt.args is not None:
+            new_args = []
+            for arg in stmt.args:
+                new_arg = self._expr(arg)
+                if new_arg is not None:
+                    changed = True
+                    new_args.append(new_arg)
+                else:
+                    new_args.append(arg)
+
         if new_target is not None or new_ret_expr is not None or new_fp_ret_expr is not None:
+            changed = True
+
+        if changed:
             return Call(
                 stmt.idx,
                 stmt.target if new_target is None else new_target,
                 calling_convention=stmt.calling_convention,
                 prototype=stmt.prototype,
-                args=stmt.args,
+                args=new_args,
                 ret_expr=stmt.ret_expr if new_ret_expr is None else new_ret_expr,
                 fp_ret_expr=stmt.fp_ret_expr if new_fp_ret_expr is None else new_fp_ret_expr,
+                bits=stmt.bits,
                 **stmt.tags,
             )
         return None
 
+    _handle_CallExpr = _handle_Call
+
+    def _handle_DirtyStatement(self, stmt: DirtyStatement) -> DirtyStatement | None:
+        dirty = self._expr(stmt.dirty)
+        if dirty is None or dirty is stmt.dirty:
+            return None
+        return DirtyStatement(stmt.idx, dirty, **stmt.tags)
+
     def _handle_Register(self, expr: Register) -> VirtualVariable | None:
         return self._replace_use_reg(expr)
 
+    def _handle_Tmp(self, expr: Tmp) -> VirtualVariable | None:
+        return (
+            self._replace_use_tmp(self.block.addr, self.block.idx, self.stmt_idx, expr) if self.rewrite_tmps else None
+        )
+
     def _handle_Load(self, expr: Load) -> Load | VirtualVariable | None:
         if isinstance(expr.addr, StackBaseOffset) and isinstance(expr.addr.offset, int):
             new_expr = self._replace_use_load(expr)
@@ -341,13 +388,42 @@ class SimEngineSSARewriting(
                 new_operands.append(operand)
 
         if updated:
-            return VEXCCallExpression(expr.idx, expr.cee_name, new_operands, bits=expr.bits, **expr.tags)
+            return VEXCCallExpression(expr.idx, expr.callee, new_operands, bits=expr.bits, **expr.tags)
         return None
 
-    def _handle_Dummy(self, expr) -> None:
+    def _handle_DirtyExpression(self, expr: DirtyExpression) -> DirtyExpression | None:
+        updated = False
+        new_operands = []
+        for operand in expr.operands:
+            new_operand = self._expr(operand)
+            if new_operand is not None:
+                updated = True
+                new_operands.append(new_operand)
+            else:
+                new_operands.append(operand)
+
+        new_guard = None
+        if expr.guard is not None:
+            new_guard = self._expr(expr.guard)
+            if new_guard is not None:
+                updated = True
+
+        if updated:
+            return DirtyExpression(
+                expr.idx,
+                expr.callee,
+                new_operands,
+                guard=new_guard,
+                mfx=expr.mfx,
+                maddr=expr.maddr,
+                msize=expr.msize,
+                bits=expr.bits,
+                **expr.tags,
+            )
         return None
 
-    _handle_DirtyExpression = _handle_Dummy
+    def _handle_Dummy(self, expr) -> None:
+        return None
 
     #
     # Expression replacement
@@ -417,23 +493,29 @@ class SimEngineSSARewriting(
             **new_base_expr.tags,
         )
 
-    def _replace_def_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+    def _replace_def_expr(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+    ) -> VirtualVariable | None:
         """
         Return a new virtual variable for the given defined expression.
         """
         if isinstance(thing, Register):
-            return self._replace_def_reg(thing)
+            return self._replace_def_reg(block_addr, block_idx, stmt_idx, thing)
         if isinstance(thing, Store):
-            return self._replace_def_store(thing)
+            return self._replace_def_store(block_addr, block_idx, stmt_idx, thing)
+        if isinstance(thing, Tmp) and self.rewrite_tmps:
+            return self._replace_def_tmp(block_addr, block_idx, stmt_idx, thing)
         return None
 
-    def _replace_def_reg(self, expr: Register) -> VirtualVariable:
+    def _replace_def_reg(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Register
+    ) -> VirtualVariable:
         """
         Return a new virtual variable for the given defined register.
         """
 
         # get the virtual variable ID
-        vvid = self.get_vvid_by_def(expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
         return VirtualVariable(
             expr.idx,
             vvid,
@@ -464,14 +546,16 @@ class SimEngineSSARewriting(
             return vvar
         return self.state.registers[base_off][base_size]
 
-    def _replace_def_store(self, stmt: Store) -> VirtualVariable | None:
+    def _replace_def_store(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store
+    ) -> VirtualVariable | None:
         if (
             isinstance(stmt.addr, StackBaseOffset)
             and isinstance(stmt.addr.offset, int)
             and stmt.addr.offset in self.stackvar_locs
             and stmt.size == self.stackvar_locs[stmt.addr.offset]
         ):
-            vvar_id = self.get_vvid_by_def(stmt)
+            vvar_id = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, stmt)
             vvar = VirtualVariable(
                 self.ail_manager.next_atom(),
                 vvar_id,
@@ -484,6 +568,31 @@ class SimEngineSSARewriting(
             return vvar
         return None
 
+    def _replace_def_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvar = VirtualVariable(
+            expr.idx,
+            vvid,
+            expr.bits,
+            VirtualVariableCategory.TMP,
+            oident=expr.tmp_idx,
+            **expr.tags,
+        )
+        self.state.tmps[expr.tmp_idx] = vvar
+        return vvar
+
+    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+        """
+        Return a new virtual variable for the given defined expression.
+        """
+        if isinstance(thing, Register):
+            return self._replace_use_reg(thing)
+        if isinstance(thing, Store):
+            raise NotImplementedError("Store expressions are not supported in _replace_use_expr.")
+        if isinstance(thing, Tmp) and self.rewrite_tmps:
+            return self._replace_use_tmp(self.block.addr, self.block.idx, self.stmt_idx, thing)
+        return None
+
     def _replace_use_reg(self, reg_expr: Register) -> VirtualVariable | Expression:
 
         if reg_expr.reg_offset in self.state.registers:
@@ -556,7 +665,8 @@ class SimEngineSSARewriting(
             and expr.size == self.stackvar_locs[expr.addr.offset]
         ):
             if expr.size not in self.state.stackvars[expr.addr.offset]:
-                vvar_id = self.get_vvid_by_def(expr)
+                # create it on the fly
+                vvar_id = self.get_vvid_by_def(self.block.addr, self.block.idx, self.stmt_idx, expr)
                 return VirtualVariable(
                     self.ail_manager.next_atom(),
                     vvar_id,
@@ -579,15 +689,31 @@ class SimEngineSSARewriting(
             )
         return None
 
+    def _replace_use_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
+        vvar = self.state.tmps.get(expr.tmp_idx)
+        if vvar is None:
+            return self._replace_def_tmp(block_addr, block_idx, stmt_idx, expr)
+        return VirtualVariable(
+            expr.idx,
+            vvar.varid,
+            vvar.bits,
+            VirtualVariableCategory.TMP,
+            oident=expr.tmp_idx,
+            **expr.tags,
+        )
+
     #
     # Utils
     #
 
-    def get_vvid_by_def(self, thing: Expression | Statement) -> int:
-        if thing in self.def_to_vvid:
-            return self.def_to_vvid[thing]
+    def get_vvid_by_def(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+    ) -> int:
+        key = block_addr, block_idx, stmt_idx, thing
+        if key in self.def_to_vvid:
+            return self.def_to_vvid[key]
         vvid = self.next_vvar_id()
-        self.def_to_vvid[thing] = vvid
+        self.def_to_vvid[key] = vvid
         return vvid
 
     def _clear_aliasing_regs(self, reg_offset: int, size: int, remove_base_reg: bool = True) -> None:

angr/analyses/decompiler/ssailification/rewriting_state.py

@@ -32,6 +32,7 @@ class RewritingState:
         self.stackvars: defaultdict[int, dict[int, VirtualVariable]] = (
             stackvars if stackvars is not None else defaultdict(dict)
         )
+        self.tmps: dict[int, VirtualVariable] = {}
         self.original_block = original_block
         self.out_block = None
 

angr/analyses/decompiler/ssailification/ssailification.py

@@ -5,8 +5,8 @@ from collections import defaultdict
 from itertools import count
 from bisect import bisect_left
 
-from ailment.expression import Register, StackBaseOffset
-from ailment.statement import Store
+from ailment.expression import Expression, Register, StackBaseOffset, Tmp
+from ailment.statement import Statement, Store
 
 from angr.knowledge_plugins.functions import Function
 from angr.code_location import CodeLocation
@@ -33,6 +33,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         func_addr: int | None = None,
         ail_manager=None,
         ssa_stackvars: bool = False,
+        ssa_tmps: bool = False,
         vvar_id_start: int = 0,
     ):
         """
@@ -51,6 +52,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         self._func_addr = func_addr
         self._ail_manager = ail_manager
         self._ssa_stackvars = ssa_stackvars
+        self._ssa_tmps = ssa_tmps
         self._entry = (
             entry
             if entry is not None
@@ -68,6 +70,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             stack_pointer_tracker,
             bp_as_gpr,
             ssa_stackvars,
+            ssa_tmps,
         )
 
         # calculate virtual variables and phi nodes
@@ -86,13 +89,19 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             self._udef_to_phiid,
             self._phiid_to_loc,
             self._stackvar_locs,
+            self._ssa_tmps,
             self._ail_manager,
             vvar_id_start=vvar_id_start,
         )
         self.out_graph = rewriter.out_graph
         self.max_vvar_id = rewriter.max_vvar_id
 
-    def _calculate_virtual_variables(self, ail_graph, def_to_loc: dict, loc_to_defs: dict[CodeLocation, Any]):
+    def _calculate_virtual_variables(
+        self,
+        ail_graph,
+        def_to_loc: list[tuple[Expression | Statement, CodeLocation]],
+        loc_to_defs: dict[CodeLocation, Any],
+    ):
         """
         Calculate the mapping from defs to virtual variables as well as where to insert phi nodes.
         """
@@ -112,7 +121,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         if self._ssa_stackvars:
             # for stack variables, we collect all definitions and identify stack variable locations using heuristics
 
-            stackvar_locs = self._synthesize_stackvar_locs([def_ for def_ in def_to_loc if isinstance(def_, Store)])
+            stackvar_locs = self._synthesize_stackvar_locs([def_ for def_, _ in def_to_loc if isinstance(def_, Store)])
             sorted_stackvar_offs = sorted(stackvar_locs)
         else:
             stackvar_locs = {}
@@ -121,10 +130,8 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         # computer phi node locations for each unified definition
         udef_to_defs = defaultdict(set)
         udef_to_blockkeys = defaultdict(set)
-        for def_ in def_to_loc:
+        for def_, loc in def_to_loc:
             if isinstance(def_, Register):
-                loc = def_to_loc[def_]
-
                 base_off, base_size = get_reg_offset_base_and_size(def_.reg_offset, self.project.arch, size=def_.size)
                 base_reg_bits = base_size * self.project.arch.byte_width
                 udef_to_defs[("reg", base_off, base_reg_bits)].add(def_)
@@ -135,8 +142,6 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                     udef_to_defs[("reg", def_.reg_offset, reg_bits)].add((loc.block_addr, loc.block_idx))
             elif isinstance(def_, Store):
                 if isinstance(def_.addr, StackBaseOffset) and isinstance(def_.addr.offset, int):
-                    loc = def_to_loc[def_]
-
                     idx_begin = bisect_left(sorted_stackvar_offs, def_.addr.offset)
                     for i in range(idx_begin, len(sorted_stackvar_offs)):
                         off = sorted_stackvar_offs[i]
@@ -144,6 +149,9 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                             break
                         udef_to_defs[("stack", off, stackvar_locs[off])].add(def_)
                         udef_to_blockkeys[("stack", off, stackvar_locs[off])].add((loc.block_addr, loc.block_idx))
+            elif isinstance(def_, Tmp):
+                # Tmps are local to each block and do not need phi nodes
+                pass
             else:
                 raise NotImplementedError
                 # other types are not supported yet

angr/analyses/decompiler/ssailification/traversal.py

@@ -19,10 +19,11 @@ class TraversalAnalysis(ForwardAnalysis[None, NodeType, object, object]):
     TraversalAnalysis traverses the AIL graph and collects definitions.
     """
 
-    def __init__(self, project, func, ail_graph, sp_tracker, bp_as_gpr: bool, stackvars: bool):
+    def __init__(self, project, func, ail_graph, sp_tracker, bp_as_gpr: bool, stackvars: bool, tmps: bool):
 
         self.project = project
         self._stackvars = stackvars
+        self._tmps = tmps
         self._function = func
         self._graph_visitor = FunctionGraphVisitor(self._function, ail_graph)
 
@@ -34,6 +35,7 @@ class TraversalAnalysis(ForwardAnalysis[None, NodeType, object, object]):
             sp_tracker=sp_tracker,
             bp_as_gpr=bp_as_gpr,
             stackvars=self._stackvars,
+            tmps=self._tmps,
         )
 
         self._visited_blocks: set[Any] = set()

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 from collections import OrderedDict
 
 from ailment.statement import Assignment, Call, Store, ConditionalJump
-from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression
+from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression
 
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
 from angr.utils.ssa import get_reg_offset_base
@@ -21,7 +21,14 @@ class SimEngineSSATraversal(
     state: TraversalState
 
     def __init__(
-        self, arch, sp_tracker=None, bp_as_gpr: bool = False, def_to_loc=None, loc_to_defs=None, stackvars: bool = False
+        self,
+        arch,
+        sp_tracker=None,
+        bp_as_gpr: bool = False,
+        def_to_loc=None,
+        loc_to_defs=None,
+        stackvars: bool = False,
+        tmps: bool = False,
     ):
         super().__init__()
 
@@ -29,14 +36,15 @@ class SimEngineSSATraversal(
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
         self.stackvars = stackvars
+        self.tmps = tmps
 
-        self.def_to_loc = def_to_loc if def_to_loc is not None else OrderedDict()
+        self.def_to_loc = def_to_loc if def_to_loc is not None else []
         self.loc_to_defs = loc_to_defs if loc_to_defs is not None else OrderedDict()
 
     def _handle_Assignment(self, stmt: Assignment):
         if isinstance(stmt.dst, Register):
             codeloc = self._codeloc()
-            self.def_to_loc[stmt.dst] = codeloc
+            self.def_to_loc.append((stmt.dst, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(stmt.dst)
@@ -52,7 +60,7 @@ class SimEngineSSATraversal(
 
         if self.stackvars and isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int):
             codeloc = self._codeloc()
-            self.def_to_loc[stmt] = codeloc
+            self.def_to_loc.append((stmt, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(stmt)
@@ -69,7 +77,7 @@ class SimEngineSSATraversal(
     def _handle_Call(self, stmt: Call):
         if stmt.ret_expr is not None and isinstance(stmt.ret_expr, Register):
             codeloc = self._codeloc()
-            self.def_to_loc[stmt.ret_expr] = codeloc
+            self.def_to_loc.append((stmt.ret_expr, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(stmt.ret_expr)
@@ -79,18 +87,30 @@ class SimEngineSSATraversal(
 
         super()._ail_handle_Call(stmt)
 
+    _handle_CallExpr = _handle_Call
+
     def _handle_Register(self, expr: Register):
         base_offset = get_reg_offset_base(expr.reg_offset, self.arch)
 
         if base_offset not in self.state.live_registers:
             codeloc = self._codeloc()
-            self.def_to_loc[expr] = codeloc
+            self.def_to_loc.append((expr, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(expr)
 
             self.state.live_registers.add(base_offset)
 
+    def _handle_Tmp(self, expr: Tmp):
+        if self.tmps:
+            codeloc = self._codeloc()
+            self.def_to_loc.append((expr, codeloc))
+            if codeloc not in self.loc_to_defs:
+                self.loc_to_defs[codeloc] = OrderedSet()
+            self.loc_to_defs[codeloc].add(expr)
+
+            self.state.live_tmps.add(expr.tmp_idx)
+
     def _handle_Cmp(self, expr: BinaryOp):
         self._expr(expr.operands[0])
         self._expr(expr.operands[1])
@@ -123,9 +143,16 @@ class SimEngineSSATraversal(
         for operand in expr.operands:
             self._expr(operand)
 
+    def _handle_DirtyExpression(self, expr: DirtyExpression):
+        for operand in expr.operands:
+            self._expr(operand)
+        if expr.guard is not None:
+            self._expr(expr.guard)
+        if expr.maddr is not None:
+            self._expr(expr.maddr)
+
     def _handle_Dummy(self, expr):
         pass
 
     _handle_VirtualVariable = _handle_Dummy
     _handle_Phi = _handle_Dummy
-    _handle_DirtyExpression = _handle_Dummy

angr/analyses/decompiler/ssailification/traversal_state.py

@@ -18,6 +18,7 @@ class TraversalState:
 
         self.live_registers: set[int] = set() if live_registers is None else live_registers
         self.live_stackvars: set[tuple[int, int]] = set() if live_stackvars is None else live_stackvars
+        self.live_tmps: set[int] = set()  # tmps are internal to a block only and never propagated from another state
 
     def copy(self) -> TraversalState:
         return TraversalState(