angr 9.2.123__py3-none-macosx_10_9_x86_64.whl → 9.2.124__py3-none-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.123"
+__version__ = "9.2.124"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py

@@ -153,6 +153,11 @@ class MipsElfFastResolver(IndirectJumpResolver):
 
     def _resolve_case_1(self, addr: int, block: pyvex.IRSB, func_addr: int, gp_value: int, cfg) -> int | None:
         # lift the block again with the correct setting
+
+        inital_regs = [(self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr)]
+        if gp_value is not None:
+            inital_regs.append((self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value))
+
         first_irsb = self.project.factory.block(
             addr,
             size=block.size,
@@ -160,10 +165,7 @@ class MipsElfFastResolver(IndirectJumpResolver):
             const_prop=True,
             cross_insn_opt=False,
             load_from_ro_regions=True,
-            initial_regs=[
-                (self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr),
-                (self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value),
-            ],
+            initial_regs=inital_regs,
         ).vex_nostmt
 
         if not isinstance(first_irsb.next, pyvex.IRExpr.RdTmp):
@@ -193,6 +195,10 @@ class MipsElfFastResolver(IndirectJumpResolver):
             # the register (t9) is set in this block - we can resolve the jump target using only the current block
             return Case2Result.RESUME, None
 
+        inital_regs = [(self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr)]
+        if gp_value is not None:
+            inital_regs.append((self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value))
+
         # lift the first block again with the correct setting
         first_irsb = self.project.factory.block(
             first_block_addr,
@@ -200,10 +206,7 @@ class MipsElfFastResolver(IndirectJumpResolver):
             collect_data_refs=False,
             const_prop=True,
             load_from_ro_regions=True,
-            initial_regs=[
-                (self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr),
-                (self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value),
-            ],
+            initial_regs=inital_regs,
         ).vex_nostmt
 
         last_reg_setting_tmp = self._get_last_reg_setting_tmp(first_irsb, jump_target_reg)

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_got.py

@@ -51,11 +51,11 @@ class MipsElfGotResolver(IndirectJumpResolver):
             return False, []
         dynsym_addr = self._find_and_cache_section_addr(obj, ".dynsym")
         if dynsym_addr is None:
-            return None
+            return False, []
 
         dynstr_addr = self._find_and_cache_section_addr(obj, ".dynstr")
         if dynstr_addr is None:
-            return None
+            return False, []
 
         if block.size != 16:
             return False, []

angr/analyses/decompiler/ail_simplifier.py

@@ -1316,18 +1316,7 @@ class AILSimplifier(Analysis):
                             continue
                     uses = rd.get_vvar_uses(def_.atom)
 
-                elif def_.atom.was_reg:
-                    uses = rd.get_vvar_uses(def_.atom)
-                    if (
-                        def_.atom.reg_offset in self.project.arch.artificial_registers_offsets
-                        and len(uses) == 1
-                        and next(iter(uses)) == def_.codeloc
-                    ):
-                        # TODO: Verify if we still need this hack after moving to SSA
-                        # cc_ndep = amd64g_calculate_condition(..., cc_ndep)
-                        uses = set()
-
-                elif def_.atom.was_parameter:
+                elif def_.atom.was_reg or def_.atom.was_parameter:
                     uses = rd.get_vvar_uses(def_.atom)
 
                 else:
@@ -1425,9 +1414,17 @@ class AILSimplifier(Analysis):
                                 simplified = True
                                 continue
                             if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
-                                # no one is using the returned virtual variable. replace this assignment statement with
-                                # a call statement
-                                stmt = stmt.src
+                                # no one is using the returned virtual variable.
+                                # now the things are a bit tricky here
+                                if isinstance(stmt.src, Call):
+                                    # replace this assignment statement with a call statement
+                                    stmt = stmt.src
+                                elif isinstance(stmt.src, Convert) and isinstance(stmt.src.operand, Call):
+                                    # the convert is useless now
+                                    stmt = stmt.src.operand
+                                else:
+                                    # we can't change this stmt at all because it has an expression with Calls inside
+                                    pass
                         else:
                             # no calls. remove it
                             simplified = True
@@ -1460,7 +1457,7 @@ class AILSimplifier(Analysis):
     def _find_cyclic_dependent_phis_and_dirty_vvars(self, rd: SRDAModel) -> set[int]:
         blocks_dict = {(bb.addr, bb.idx): bb for bb in self.func_graph}
 
-        # find dirty vvars
+        # find dirty vvars and vexccall vvars
         dirty_vvar_ids = set()
         for bb in self.func_graph:
             for stmt in bb.statements:
@@ -1468,7 +1465,7 @@ class AILSimplifier(Analysis):
                     isinstance(stmt, Assignment)
                     and isinstance(stmt.dst, VirtualVariable)
                     and stmt.dst.was_reg
-                    and isinstance(stmt.src, DirtyExpression)
+                    and isinstance(stmt.src, (DirtyExpression, VEXCCallExpression))
                 ):
                     dirty_vvar_ids.add(stmt.dst.varid)
 
@@ -1544,8 +1541,8 @@ class AILSimplifier(Analysis):
             v = False
 
         def _handle_expr(expr_idx: int, expr: Expression, stmt_idx: int, stmt: Statement, block) -> Expression | None:
-            if isinstance(expr, DirtyExpression) and isinstance(expr.dirty_expr, VEXCCallExpression):
-                rewriter = rewriter_cls(expr.dirty_expr, self.project.arch)
+            if isinstance(expr, VEXCCallExpression):
+                rewriter = rewriter_cls(expr, self.project.arch)
                 if rewriter.result is not None:
                     _any_update.v = True
                     return rewriter.result

angr/analyses/decompiler/callsite_maker.py

@@ -143,7 +143,7 @@ class CallSiteMaker(Analysis):
                 if isinstance(arg_loc, SimRegArg):
                     size = arg_loc.size
                     offset = arg_loc.check_offset(cc.arch)
-                    value_and_def = self._resolve_register_argument(call_stmt, arg_loc)
+                    value_and_def = self._resolve_register_argument(arg_loc)
                     if value_and_def is not None:
                         vvar_def = value_and_def[1]
                         arg_vvars.append(vvar_def)
@@ -283,14 +283,15 @@ class CallSiteMaker(Analysis):
         l.warning("TODO: Unsupported statement type %s for definitions.", type(stmt))
         return None
 
-    def _resolve_register_argument(self, call_stmt, arg_loc) -> tuple[int | None, Expr.VirtualVariable] | None:
+    def _resolve_register_argument(self, arg_loc) -> tuple[int | None, Expr.VirtualVariable] | None:
         offset = arg_loc.check_offset(self.project.arch)
 
         if self._reaching_definitions is not None:
             # Find its definition
-            ins_addr = call_stmt.tags["ins_addr"]
             view = SRDAView(self._reaching_definitions.model)
-            vvar = view.get_reg_vvar_by_insn(offset, ins_addr, OP_BEFORE, block_idx=self.block.idx)
+            vvar = view.get_reg_vvar_by_stmt(
+                offset, self.block.addr, self.block.idx, len(self.block.statements) - 1, OP_BEFORE
+            )
 
             if vvar is not None:
                 vvar_value = view.get_vvar_value(vvar)
@@ -318,8 +319,8 @@ class CallSiteMaker(Analysis):
             if self._reaching_definitions is not None:
                 # find its definition
                 view = SRDAView(self._reaching_definitions.model)
-                vvar = view.get_stack_vvar_by_insn(
-                    sp_offset, size, call_stmt.ins_addr, OP_BEFORE, block_idx=self.block.idx
+                vvar = view.get_stack_vvar_by_stmt(
+                    sp_offset, size, self.block.addr, self.block.idx, len(self.block.statements) - 1, OP_BEFORE
                 )
                 if vvar is not None:
                     value = view.get_vvar_value(vvar)
@@ -416,7 +417,7 @@ class CallSiteMaker(Analysis):
 
             value = None
             if isinstance(arg_loc, SimRegArg):
-                value_and_def = self._resolve_register_argument(call_stmt, arg_loc)
+                value_and_def = self._resolve_register_argument(arg_loc)
                 if value_and_def is not None:
                     value = value_and_def[0]
 

angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py

@@ -20,7 +20,7 @@ class AMD64CCallRewriter(CCallRewriterBase):
     __slots__ = ()
 
     def _rewrite(self, ccall: Expr.VEXCCallExpression) -> Expr.Expression | None:
-        if ccall.cee_name == "amd64g_calculate_condition":
+        if ccall.callee == "amd64g_calculate_condition":
             cond = ccall.operands[0]
             op = ccall.operands[1]
             dep_1 = ccall.operands[2]
@@ -288,6 +288,28 @@ class AMD64CCallRewriter(CCallRewriterBase):
 
                         r = Expr.BinaryOp(ccall.idx, "CmpLT", (dep_1, dep_2), True, **ccall.tags)
                         return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
+
+                    if op_v in {
+                        AMD64_OpTypes["G_CC_OP_LOGICB"],
+                        AMD64_OpTypes["G_CC_OP_LOGICW"],
+                        AMD64_OpTypes["G_CC_OP_LOGICL"],
+                        AMD64_OpTypes["G_CC_OP_LOGICQ"],
+                    }:
+                        # dep_1 is the result, dep_2 is always zero
+                        # dep_1 <s 0
+
+                        dep_1 = self._fix_size(
+                            dep_1,
+                            op_v,
+                            AMD64_OpTypes["G_CC_OP_LOGICB"],
+                            AMD64_OpTypes["G_CC_OP_LOGICW"],
+                            AMD64_OpTypes["G_CC_OP_LOGICL"],
+                            ccall.tags,
+                        )
+                        zero = Expr.Const(None, None, 0, dep_1.bits)
+                        r = Expr.BinaryOp(ccall.idx, "CmpLT", (dep_1, zero), True, **ccall.tags)
+                        return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
+
                 elif cond_v == AMD64_CondTypes["CondNBE"]:
                     if op_v in {
                         AMD64_OpTypes["G_CC_OP_SUBB"],
@@ -390,7 +412,7 @@ class AMD64CCallRewriter(CCallRewriterBase):
                     )
                     return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
 
-        elif ccall.cee_name == "amd64g_calculate_rflags_c":
+        elif ccall.callee == "amd64g_calculate_rflags_c":
             # calculate the carry flag
             op = ccall.operands[0]
             dep_1 = ccall.operands[1]

angr/analyses/decompiler/clinic.py

@@ -110,6 +110,7 @@ class Clinic(Analysis):
         inlined_counts: dict[int, int] | None = None,
         inlining_parents: set[int] | None = None,
         vvar_id_start: int = 0,
+        optimization_scratch: dict[str, Any] | None = None,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -124,6 +125,7 @@ class Clinic(Analysis):
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, int] = {}  # data address to instruction address
+        self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
 
         self._func_graph: networkx.DiGraph | None = None
         self._ail_manager = None
@@ -919,10 +921,16 @@ class Clinic(Analysis):
             "Ijk_Sys"
         ):
             # we don't support lifting this block. use a dummy block instead
+            dirty_expr = ailment.Expr.DirtyExpression(
+                self._ail_manager.next_atom,
+                f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                [],
+                bits=0,
+            )
             statements = [
                 ailment.Stmt.DirtyStatement(
                     self._ail_manager.next_atom(),
-                    f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                    dirty_expr,
                     ins_addr=block_node.addr,
                 )
             ]
@@ -1219,6 +1227,7 @@ class Clinic(Analysis):
                 variable_kb=variable_kb,
                 vvar_id_start=self.vvar_id_start,
                 entry_node_addr=self.entry_node_addr,
+                scratch=self.optimization_scratch,
                 **kwargs,
             )
             if a.out_graph:
@@ -1256,6 +1265,7 @@ class Clinic(Analysis):
                 ailment.Expr.VirtualVariableCategory.PARAMETER,
                 oident=arg.reg,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             self.vvar_id_start += 1
             arg_vvars[arg_vvar.varid] = arg_vvar, arg
@@ -1269,6 +1279,7 @@ class Clinic(Analysis):
                     False,
                     arg_vvar,
                     ins_addr=self.function.addr,
+                    vex_block_addr=self.function.addr,
                 )
 
             fullreg_dst = ailment.Expr.Register(
@@ -1277,12 +1288,14 @@ class Clinic(Analysis):
                 basereg_offset,
                 basereg_size * self.project.arch.byte_width,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             stmt = ailment.Stmt.Assignment(
                 self._ail_manager.next_atom(),
                 fullreg_dst,
                 arg_vvar,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             new_stmts.append(stmt)
 
@@ -1313,6 +1326,7 @@ class Clinic(Analysis):
             ail_graph,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
+            ssa_tmps=True,
             ssa_stackvars=True,
             vvar_id_start=self.vvar_id_start,
         )
@@ -1792,6 +1806,18 @@ class Clinic(Analysis):
         elif isinstance(expr, ailment.Stmt.Call):
             self._link_variables_on_call(variable_manager, global_variables, block, stmt_idx, expr, is_expr=True)
 
+        elif isinstance(expr, ailment.Expr.VEXCCallExpression):
+            for operand in expr.operands:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, operand)
+
+        elif isinstance(expr, ailment.Expr.DirtyExpression):
+            for operand in expr.operands:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, operand)
+            if expr.maddr:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.maddr)
+            if expr.guard:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.guard)
+
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size

angr/analyses/decompiler/condition_processor.py

@@ -160,6 +160,8 @@ _ail2claripy_op_mapping = {
     "GetMSBs": lambda expr, _, m: _dummy_bvs(expr, m),
     "InterleaveLOV": lambda expr, _, m: _dummy_bvs(expr, m),
     "InterleaveHIV": lambda expr, _, m: _dummy_bvs(expr, m),
+    # catch-all
+    "_DUMMY_": lambda expr, _, m: _dummy_bvs(expr, m),
 }
 
 #
@@ -771,7 +773,7 @@ class ConditionProcessor:
 
         if isinstance(
             condition,
-            (ailment.Expr.DirtyExpression, ailment.Expr.BasePointerOffset, ailment.Expr.ITE),
+            (ailment.Expr.VEXCCallExpression, ailment.Expr.BasePointerOffset, ailment.Expr.ITE),
         ):
             return _dummy_bvs(condition, self._condition_mapping)
         if isinstance(condition, ailment.Stmt.Call):
@@ -828,9 +830,14 @@ class ConditionProcessor:
             # fall back to op
             lambda_expr = _ail2claripy_op_mapping.get(condition.op, None)
         if lambda_expr is None:
-            raise NotImplementedError(
-                f"Unsupported AIL expression operation {condition.op} or {condition.verbose_op}. Consider implementing."
+            # fall back to the catch-all option
+            l.debug(
+                "Unsupported AIL expression operation %s (or verbose: %s). Fall back to the default catch-all dummy "
+                "option. Consider implementing.",
+                condition.op,
+                condition.verbose_op,
             )
+            lambda_expr = _ail2claripy_op_mapping["_DUMMY_"]
         r = lambda_expr(condition, self.claripy_ast_from_ail_condition, self._condition_mapping)
 
         if isinstance(r, claripy.ast.Bool) and nobool:

angr/analyses/decompiler/decompilation_cache.py

@@ -14,6 +14,7 @@ class DecompilationCache:
     """
 
     __slots__ = (
+        "parameters",
         "addr",
         "type_constraints",
         "func_typevar",
@@ -25,6 +26,7 @@ class DecompilationCache:
     )
 
     def __init__(self, addr):
+        self.parameters: dict[str, Any] = {}
         self.addr = addr
         self.type_constraints: set | None = None
         self.func_typevar = None

angr/analyses/decompiler/decompiler.py

@@ -68,12 +68,13 @@ class Decompiler(Analysis):
         inline_functions=frozenset(),
         update_memory_data: bool = True,
         generate_code: bool = True,
+        use_cache: bool = True,
     ):
         if not isinstance(func, Function):
             func = self.kb.functions[func]
         self.func: Function = func
         self._cfg = cfg.model if isinstance(cfg, CFGFast) else cfg
-        self._options = options
+        self._options = options or []
 
         if preset is None and optimization_passes:
             self._optimization_passes = optimization_passes
@@ -102,6 +103,25 @@ class Decompiler(Analysis):
         self._update_memory_data = update_memory_data
         self._generate_code = generate_code
         self._inline_functions = inline_functions
+        self._cache_parameters = (
+            {
+                "cfg": self._cfg,
+                "variable_kb": self._variable_kb,
+                "options": {(o, v) for o, v in self._options if o.category != "Display" and v != o.default_value},
+                "optimization_passes": self._optimization_passes,
+                "sp_tracker_track_memory": self._sp_tracker_track_memory,
+                "peephole_optimizations": self._peephole_optimizations,
+                "vars_must_struct": self._vars_must_struct,
+                "flavor": self._flavor,
+                "expr_comments": self._expr_comments,
+                "stmt_comments": self._stmt_comments,
+                "ite_exprs": self._ite_exprs,
+                "binop_operators": self._binop_operators,
+                "inline_functions": self._inline_functions,
+            }
+            if use_cache
+            else None
+        )
 
         self.clinic = None  # mostly for debugging purposes
         self.codegen: CStructuredCodeGenerator | None = None
@@ -111,27 +131,43 @@ class Decompiler(Analysis):
         self.unoptimized_ail_graph: networkx.DiGraph | None = None
         self.ail_graph: networkx.DiGraph | None = None
         self.vvar_id_start = None
+        self._optimization_scratch: dict[str, Any] = {}
 
         if decompile:
             self._decompile()
 
+    def _can_use_decompilation_cache(self, cache: DecompilationCache) -> bool:
+        a, b = self._cache_parameters, cache.parameters
+        id_checks = {"cfg", "variable_kb"}
+        return all(a[k] is b[k] if k in id_checks else a[k] == b[k] for k in self._cache_parameters)
+
     @timethis
     def _decompile(self):
         if self.func.is_simprocedure:
             return
 
-        # Load from cache
-        try:
-            cache = self.kb.structured_code[(self.func.addr, self._flavor)]
+        cache = None
+
+        if self._cache_parameters is not None:
+            try:
+                cache = self.kb.decompilations[self.func.addr]
+                if not self._can_use_decompilation_cache(cache):
+                    cache = None
+            except KeyError:
+                pass
+
+        if cache:
             old_codegen = cache.codegen
             old_clinic = cache.clinic
             ite_exprs = cache.ite_exprs if self._ite_exprs is None else self._ite_exprs
             binop_operators = cache.binop_operators if self._binop_operators is None else self._binop_operators
-        except KeyError:
-            ite_exprs = self._ite_exprs
-            binop_operators = self._binop_operators
+            l.debug("Decompilation cache hit")
+        else:
             old_codegen = None
             old_clinic = None
+            ite_exprs = self._ite_exprs
+            binop_operators = self._binop_operators
+            l.debug("Decompilation cache miss")
 
         self.options_by_class = defaultdict(list)
 
@@ -167,6 +203,7 @@ class Decompiler(Analysis):
             fold_callexprs_into_conditions = True
 
         cache = DecompilationCache(self.func.addr)
+        cache.parameters = self._cache_parameters
         cache.ite_exprs = ite_exprs
         cache.binop_operators = binop_operators
 
@@ -189,6 +226,7 @@ class Decompiler(Analysis):
                 cache=cache,
                 progress_callback=progress_callback,
                 inline_functions=self._inline_functions,
+                optimization_scratch=self._optimization_scratch,
                 **self.options_to_params(self.options_by_class["clinic"]),
             )
         else:
@@ -302,6 +340,8 @@ class Decompiler(Analysis):
         self.cache.codegen = codegen
         self.cache.clinic = self.clinic
 
+        self.kb.decompilations[self.func.addr] = self.cache
+
     def _recover_regions(self, graph: networkx.DiGraph, condition_processor, update_graph: bool = True):
         return self.project.analyses[RegionIdentifier].prep(kb=self.kb)(
             self.func,
@@ -355,6 +395,7 @@ class Decompiler(Analysis):
                 variable_kb=self._variable_kb,
                 reaching_definitions=reaching_definitions,
                 entry_node_addr=self.clinic.entry_node_addr,
+                scratch=self._optimization_scratch,
                 **kwargs,
             )
 
@@ -414,6 +455,7 @@ class Decompiler(Analysis):
                 reaching_definitions=reaching_definitions,
                 vvar_id_start=self.vvar_id_start,
                 entry_node_addr=self.clinic.entry_node_addr,
+                scratch=self._optimization_scratch,
                 **kwargs,
             )
 
@@ -442,7 +484,7 @@ class Decompiler(Analysis):
                 continue
 
             pass_ = timethis(pass_)
-            a = pass_(self.func, seq=seq_node, **kwargs)
+            a = pass_(self.func, seq=seq_node, scratch=self._optimization_scratch, **kwargs)
             if a.out_seq:
                 seq_node = a.out_seq
 

angr/analyses/decompiler/dephication/graph_vvar_mapping.py

@@ -3,7 +3,7 @@ import logging
 from collections import defaultdict
 
 from ailment.block import Block
-from ailment.expression import Phi, VirtualVariable
+from ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
 from ailment.statement import Assignment, Jump, ConditionalJump, Label
 
 from angr.analyses import Analysis
@@ -213,8 +213,16 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
 
                 the_block = self._blocks[(src_block_addr, src_block_idx)]
                 ins_addr = the_block.addr + the_block.original_size - 1
+                if vvar.category == VirtualVariableCategory.PARAMETER:
+                    # it's a parameter, so we copy the variable into a dummy register vvar
+                    # a parameter vvar should never be assigned to
+                    new_category = VirtualVariableCategory.REGISTER
+                    new_oident = 4096
+                else:
+                    new_category = vvar.category
+                    new_oident = vvar.oident
                 new_vvar = VirtualVariable(
-                    None, new_vvar_id, vvar.bits, vvar.category, oident=vvar.oident, ins_addr=ins_addr
+                    None, new_vvar_id, vvar.bits, new_category, oident=new_oident, ins_addr=ins_addr
                 )
                 assignment = Assignment(None, new_vvar, vvar, ins_addr=ins_addr)
 

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 
 from ailment.block import Block
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump
+from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
 from ailment.expression import (
     Register,
     VirtualVariable,
@@ -14,6 +14,8 @@ from ailment.expression import (
     Convert,
     StackBaseOffset,
     ITE,
+    VEXCCallExpression,
+    DirtyExpression,
 )
 
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
@@ -139,10 +141,19 @@ class SimEngineDephiRewriting(
                 args=stmt.args,
                 ret_expr=stmt.ret_expr if new_ret_expr is None else new_ret_expr,
                 fp_ret_expr=stmt.fp_ret_expr if new_fp_ret_expr is None else new_fp_ret_expr,
+                bits=stmt.bits,
                 **stmt.tags,
             )
         return None
 
+    _handle_CallExpr = _handle_Call
+
+    def _handle_DirtyStatement(self, stmt: DirtyStatement) -> DirtyStatement | None:
+        dirty = self._expr(stmt.dirty)
+        if dirty is None or dirty is stmt.dirty:
+            return None
+        return DirtyStatement(stmt.idx, dirty, **stmt.tags)
+
     def _handle_Register(self, expr: Register) -> None:
         return None
 
@@ -243,5 +254,57 @@ class SimEngineDephiRewriting(
             )
         return None
 
+    def _handle_VEXCCallExpression(self, expr: VEXCCallExpression) -> VEXCCallExpression | None:
+        new_operands = []
+        updated = False
+        for o in expr.operands:
+            new_o = self._expr(o)
+            if new_o is not None:
+                updated = True
+                new_operands.append(new_o)
+            else:
+                new_operands.append(o)
+
+        if updated:
+            return VEXCCallExpression(
+                expr.idx,
+                expr.callee,
+                new_operands,
+                bits=expr.bits,
+                **expr.tags,
+            )
+        return None
+
+    def _handle_DirtyExpression(self, expr: DirtyExpression) -> DirtyExpression | None:
+        new_operands = []
+        updated = False
+        for o in expr.operands:
+            new_o = self._expr(o)
+            if new_o is not None:
+                updated = True
+                new_operands.append(new_o)
+            else:
+                new_operands.append(o)
+
+        new_guard = None
+        if expr.guard is not None:
+            new_guard = self._expr(expr.guard)
+            if new_guard is not None:
+                updated = True
+
+        if updated:
+            return DirtyExpression(
+                expr.idx,
+                expr.callee,
+                new_operands,
+                guard=new_guard,
+                mfx=expr.mfx,
+                maddr=expr.maddr,
+                msize=expr.msize,
+                bits=expr.bits,
+                **expr.tags,
+            )
+        return None
+
     def _handle_StackBaseOffset(self, expr: StackBaseOffset) -> None:
         return None

angr/analyses/decompiler/expression_narrower.py

@@ -105,7 +105,11 @@ class NarrowingInfoExtractor(AILBlockWalkerBase):
     def _handle_DirtyExpression(
         self, expr_idx: int, expr: DirtyExpression, stmt_idx: int, stmt: Statement, block: Block | None
     ):
-        return self._handle_expr(0, expr.dirty_expr, stmt_idx, stmt, block)
+        r = False
+        if expr.operands:
+            for i, op in enumerate(expr.operands):
+                r |= self._handle_expr(i, op, stmt_idx, stmt, block)
+        return r
 
     def _handle_VEXCCallExpression(
         self, expr_idx: int, expr: VEXCCallExpression, stmt_idx: int, stmt: Statement, block: Block | None

angr/analyses/decompiler/optimization_passes/div_simplifier.py

@@ -18,7 +18,10 @@ class DivSimplifierAILEngine(SimplifierAILEngine):
     An AIL pass for the div simplifier
     """
 
-    def _check_divisor(self, a, b, ndigits=6):  # pylint: disable=no-self-use
+    @staticmethod
+    def _check_divisor(a, b, ndigits=6):
+        if b == 0:
+            return None
         divisor_1 = 1 + (a // b)
         divisor_2 = int(round(a / float(b), ndigits))
         return divisor_1 if divisor_1 == divisor_2 else None