angr 9.2.123__py3-none-macosx_11_0_arm64.whl → 9.2.125__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/peephole_optimizations/remove_cascading_conversions.py

@@ -11,9 +11,15 @@ class RemoveCascadingConversions(PeepholeOptimizationExprBase):
     expr_classes = (Convert,)
 
     def optimize(self, expr: Convert, **kwargs):
-        if isinstance(expr.operand, Convert):
+        if (
+            expr.from_type == Convert.TYPE_INT
+            and expr.to_type == Convert.TYPE_INT
+            and isinstance(expr.operand, Convert)
+            and expr.operand.from_type == Convert.TYPE_INT
+            and expr.operand.to_type == Convert.TYPE_INT
+        ):
             inner = expr.operand
-            if inner.from_bits == expr.to_bits:
+            if inner.from_bits == expr.to_bits and inner.from_type == expr.to_type:
                 if inner.from_bits < inner.to_bits:
                     # extension -> truncation
                     return inner.operand

angr/analyses/decompiler/region_identifier.py

@@ -163,6 +163,22 @@ class RegionIdentifier(Analysis):
                 raise AngrRuntimeError("Cannot find the start node from the graph!") from ex
         raise AngrRuntimeError("Cannot find the start node from the graph!")
 
+    def _get_entry_node(self, graph: networkx.DiGraph):
+        if self.entry_node_addr is None:
+            return None
+        return next(
+            (
+                n
+                for n in graph.nodes()
+                if (
+                    (n.addr, n.idx) == self.entry_node_addr
+                    if isinstance(n, Block)
+                    else n.addr == self.entry_node_addr[0]
+                )
+            ),
+            None,
+        )
+
     def _test_reducibility(self):
         # make a copy of the graph
         graph = networkx.DiGraph(self._graph)
@@ -188,8 +204,19 @@ class RegionIdentifier(Analysis):
         return len(graph.nodes) == 1
 
     def _make_supergraph(self, graph: networkx.DiGraph):
+
+        entry_node = None
+        if self.entry_node_addr is not None:
+            entry_node = next(iter(nn for nn in graph if nn.addr == self.entry_node_addr[0]), None)
+
         while True:
             for src, dst, data in graph.edges(data=True):
+                if entry_node is not None and dst is entry_node:
+                    # the entry node must be kept instead of merged with its predecessor (which can happen in real
+                    # binaries! e.g., 444a401b900eb825f216e95111dcb6ef94b01a81fc7b88a48599867db8c50365, function
+                    # 0x1802BEA28, block 0x1802BEA05 and 0x1802BEA28)
+                    continue
+
                 type_ = data.get("type", None)
                 if type_ == "fake_return":
                     if len(list(graph.successors(src))) == 1 and len(list(graph.predecessors(dst))) == 1:
@@ -452,6 +479,8 @@ class RegionIdentifier(Analysis):
     #
 
     def _make_cyclic_region(self, head, graph: networkx.DiGraph):
+        original_entry = self._get_entry_node(graph)
+
         l.debug("Found cyclic region at %#08x", head.addr)
         initial_loop_nodes = self._find_initial_loop_nodes(graph, head)
         l.debug("Initial loop nodes %s", self._dbg_block_list(initial_loop_nodes))
@@ -505,6 +534,13 @@ class RegionIdentifier(Analysis):
             # multi-successor region. refinement is required
             self._refine_loop_successors(region, graph)
 
+        # if the head node is in the graph and it's not the head of the graph, we will need to update the head node
+        # address.
+        if original_entry is not None and original_entry in region.graph and region.head is not original_entry:
+            self.entry_node_addr = (head.addr, None)
+            # FIXME: the identified region will probably be incorrect. we may need to add a jump block that jumps to
+            #  original_entry.
+
         return region
 
     def _refine_loop_successors(self, region, graph: networkx.DiGraph):

angr/analyses/decompiler/region_simplifiers/loop.py

@@ -16,6 +16,7 @@ from angr.analyses.decompiler.structuring.structurer_nodes import (
     CascadingConditionNode,
 )
 from angr.analyses.decompiler.utils import is_statement_terminating, has_nonlabel_nonphi_statements
+from angr.utils.ail import is_phi_assignment
 
 
 class LoopSimplifier(SequenceWalker):
@@ -104,14 +105,7 @@ class LoopSimplifier(SequenceWalker):
             )
             and (
                 all(has_nonlabel_nonphi_statements(block) for block in self.continue_preludes[node])
-                and all(
-                    not self._control_transferring_statement(block.statements[-1])
-                    for block in self.continue_preludes[node]
-                )
-                and all(
-                    block.statements[-1] == self.continue_preludes[node][0].statements[-1]
-                    for block in self.continue_preludes[node]
-                )
+                and all(not is_phi_assignment(block.statements[-1]) for block in self.continue_preludes[node])
             )
         ):
             node.sort = "for"

angr/analyses/decompiler/region_simplifiers/switch_cluster_simplifier.py

@@ -284,6 +284,10 @@ def simplify_switch_clusters(
 
     for variable in var2switches:
         switch_regions = var2switches[variable]
+        if len(switch_regions) <= 1:
+            # nothing to simplify or merge if there is only one switch region
+            continue
+
         cond_regions = list(var2condnodes[variable])
 
         if not cond_regions:
@@ -449,10 +453,10 @@ def simplify_switch_clusters(
         # build the SwitchCase node and replace old nodes in the parent node
         cases_dict = OrderedDict(cases)
         new_switchcase = SwitchCaseNode(
-            switch_regions_default_nodes[0].node.switch_expr,
+            switch_regions[0].node.switch_expr,
             cases_dict,
             default_node,
-            addr=switch_regions_default_nodes[0].node.addr,
+            addr=switch_regions[0].node.addr,
         )
 
         # what are we trying to replace?
@@ -525,13 +529,15 @@ def simplify_lowered_switches_core(
 
     if outermost_node is None:
         return False
+    if not isinstance(outermost_node, ConditionNode):
+        return False
     if isinstance(outermost_node.condition, UnaryOp) and outermost_node.condition.op == "Not":
         # attempt to flip any simple negated comparison for normalized operations
         outermost_node.condition = negate(outermost_node.condition.operand)
 
     caseno_to_node = {}
     default_node_candidates: list[tuple[BaseNode, BaseNode]] = []  # parent to default node candidate
-    stack: list[(ConditionNode, int, int)] = [(outermost_node, 0, 0xFFFF_FFFF_FFFF_FFFF)]
+    stack: list[tuple[BaseNode, int, int]] = [(outermost_node, 0, 0xFFFF_FFFF_FFFF_FFFF)]
     while stack:
         node, min_, max_ = stack.pop(0)
         if node not in node_to_condnode:

angr/analyses/decompiler/ssailification/rewriting.py

@@ -9,7 +9,7 @@ import networkx
 import ailment
 from ailment import Block
 from ailment.expression import Expression, Phi, VirtualVariable, VirtualVariableCategory
-from ailment.statement import Assignment, Label
+from ailment.statement import Statement, Assignment, Label
 
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
@@ -38,6 +38,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
         stackvar_locs: dict[int, int],
+        rewrite_tmps: bool,
         ail_manager,
         vvar_id_start: int = 0,
     ):
@@ -52,6 +53,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         self._udef_to_phiid = udef_to_phiid
         self._phiid_to_loc = phiid_to_loc
         self._stackvar_locs = stackvar_locs
+        self._rewrite_tmps = rewrite_tmps
         self._ail_manager = ail_manager
         self._engine_ail = SimEngineSSARewriting(
             self.project.arch,
@@ -61,6 +63,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
             udef_to_phiid=self._udef_to_phiid,
             phiid_to_loc=self._phiid_to_loc,
             stackvar_locs=self._stackvar_locs,
+            rewrite_tmps=self._rewrite_tmps,
             ail_manager=ail_manager,
             vvar_id_start=vvar_id_start,
         )
@@ -71,7 +74,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
 
         self._analyze()
 
-        self.def_to_vvid: dict[Expression, int] = self._engine_ail.def_to_vvid
+        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = self._engine_ail.def_to_vvid
         self.out_graph = self._make_new_graph(ail_graph)
 
     @property

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -1,9 +1,8 @@
 # pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
-from typing import Any
 import logging
 
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump
+from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
 from ailment.expression import (
     Expression,
     Register,
@@ -18,6 +17,8 @@ from ailment.expression import (
     StackBaseOffset,
     VEXCCallExpression,
     ITE,
+    Tmp,
+    DirtyExpression,
 )
 
 from angr.utils.ssa import get_reg_offset_base_and_size
@@ -51,6 +52,7 @@ class SimEngineSSARewriting(
         ail_manager=None,
         vvar_id_start: int = 0,
         bp_as_gpr: bool = False,
+        rewrite_tmps: bool = False,
     ):
         super().__init__()
 
@@ -58,10 +60,11 @@ class SimEngineSSARewriting(
         self.project = project
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
-        self.def_to_vvid: dict[Any, int] = {}
+        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = {}
         self.stackvar_locs = stackvar_locs
         self.udef_to_phiid = udef_to_phiid
         self.phiid_to_loc = phiid_to_loc
+        self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
 
         self._current_vvar_id = vvar_id_start
@@ -97,9 +100,11 @@ class SimEngineSSARewriting(
                 self.state.registers[stmt.dst.reg_offset][stmt.dst.size] = stmt.dst
             elif stmt.dst.category == VirtualVariableCategory.STACK:
                 self.state.stackvars[stmt.dst.stack_offset][stmt.dst.size] = stmt.dst
+            elif stmt.dst.category == VirtualVariableCategory.TMP:
+                self.state.tmps[stmt.dst.tmp_idx] = stmt.dst
             new_dst = None
         else:
-            new_dst = self._replace_def_expr(stmt.dst)
+            new_dst = self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.dst)
 
         stmt_base_reg = None
         if new_dst is not None:
@@ -124,7 +129,9 @@ class SimEngineSSARewriting(
                         **stmt.dst.tags,
                     )
                     existing_base_reg_vvar = self._replace_use_reg(base_reg_expr)
-                    base_reg_vvar = self._replace_def_expr(base_reg_expr)
+                    base_reg_vvar = self._replace_def_expr(
+                        self.block.addr, self.block.idx, self.stmt_idx, base_reg_expr
+                    )
                     stmt_base_reg = Assignment(
                         self.ail_manager.next_atom(),
                         base_reg_vvar,
@@ -134,6 +141,8 @@ class SimEngineSSARewriting(
                         **stmt.tags,
                     )
                     self.state.registers[base_offset][base_size] = base_reg_vvar
+            elif isinstance(stmt.dst, Tmp):
+                pass
             else:
                 raise NotImplementedError
 
@@ -151,7 +160,7 @@ class SimEngineSSARewriting(
 
     def _handle_Store(self, stmt: Store) -> Store | Assignment | None:
         new_data = self._expr(stmt.data)
-        vvar = self._replace_def_store(stmt)
+        vvar = self._replace_def_store(self.block.addr, self.block.idx, self.stmt_idx, stmt)
         if vvar is not None:
             return Assignment(stmt.idx, vvar, stmt.data if new_data is None else new_data, **stmt.tags)
 
@@ -189,9 +198,19 @@ class SimEngineSSARewriting(
         return None
 
     def _handle_Call(self, stmt: Call) -> Call | None:
-        new_target = self._replace_use_reg(stmt.target) if isinstance(stmt.target, Register) else None
-        new_ret_expr = self._replace_def_expr(stmt.ret_expr) if stmt.ret_expr is not None else None
-        new_fp_ret_expr = self._replace_def_expr(stmt.fp_ret_expr) if stmt.fp_ret_expr is not None else None
+        changed = False
+
+        new_target = self._replace_use_expr(stmt.target)
+        new_ret_expr = (
+            self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.ret_expr)
+            if stmt.ret_expr is not None
+            else None
+        )
+        new_fp_ret_expr = (
+            self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.fp_ret_expr)
+            if stmt.fp_ret_expr is not None
+            else None
+        )
 
         cc = stmt.calling_convention if stmt.calling_convention is not None else self.project.factory.cc()
         if cc is not None:
@@ -211,22 +230,50 @@ class SimEngineSSARewriting(
             self._clear_aliasing_regs(stmt.fp_ret_expr.reg_offset, stmt.fp_ret_expr.size)
             self.state.registers[stmt.fp_ret_expr.reg_offset][stmt.fp_ret_expr.size] = new_fp_ret_expr
 
+        new_args = None
+        if stmt.args is not None:
+            new_args = []
+            for arg in stmt.args:
+                new_arg = self._expr(arg)
+                if new_arg is not None:
+                    changed = True
+                    new_args.append(new_arg)
+                else:
+                    new_args.append(arg)
+
         if new_target is not None or new_ret_expr is not None or new_fp_ret_expr is not None:
+            changed = True
+
+        if changed:
             return Call(
                 stmt.idx,
                 stmt.target if new_target is None else new_target,
                 calling_convention=stmt.calling_convention,
                 prototype=stmt.prototype,
-                args=stmt.args,
+                args=new_args,
                 ret_expr=stmt.ret_expr if new_ret_expr is None else new_ret_expr,
                 fp_ret_expr=stmt.fp_ret_expr if new_fp_ret_expr is None else new_fp_ret_expr,
+                bits=stmt.bits,
                 **stmt.tags,
             )
         return None
 
+    _handle_CallExpr = _handle_Call
+
+    def _handle_DirtyStatement(self, stmt: DirtyStatement) -> DirtyStatement | None:
+        dirty = self._expr(stmt.dirty)
+        if dirty is None or dirty is stmt.dirty:
+            return None
+        return DirtyStatement(stmt.idx, dirty, **stmt.tags)
+
     def _handle_Register(self, expr: Register) -> VirtualVariable | None:
         return self._replace_use_reg(expr)
 
+    def _handle_Tmp(self, expr: Tmp) -> VirtualVariable | None:
+        return (
+            self._replace_use_tmp(self.block.addr, self.block.idx, self.stmt_idx, expr) if self.rewrite_tmps else None
+        )
+
     def _handle_Load(self, expr: Load) -> Load | VirtualVariable | None:
         if isinstance(expr.addr, StackBaseOffset) and isinstance(expr.addr.offset, int):
             new_expr = self._replace_use_load(expr)
@@ -341,13 +388,42 @@ class SimEngineSSARewriting(
                 new_operands.append(operand)
 
         if updated:
-            return VEXCCallExpression(expr.idx, expr.cee_name, new_operands, bits=expr.bits, **expr.tags)
+            return VEXCCallExpression(expr.idx, expr.callee, new_operands, bits=expr.bits, **expr.tags)
         return None
 
-    def _handle_Dummy(self, expr) -> None:
+    def _handle_DirtyExpression(self, expr: DirtyExpression) -> DirtyExpression | None:
+        updated = False
+        new_operands = []
+        for operand in expr.operands:
+            new_operand = self._expr(operand)
+            if new_operand is not None:
+                updated = True
+                new_operands.append(new_operand)
+            else:
+                new_operands.append(operand)
+
+        new_guard = None
+        if expr.guard is not None:
+            new_guard = self._expr(expr.guard)
+            if new_guard is not None:
+                updated = True
+
+        if updated:
+            return DirtyExpression(
+                expr.idx,
+                expr.callee,
+                new_operands,
+                guard=new_guard,
+                mfx=expr.mfx,
+                maddr=expr.maddr,
+                msize=expr.msize,
+                bits=expr.bits,
+                **expr.tags,
+            )
         return None
 
-    _handle_DirtyExpression = _handle_Dummy
+    def _handle_Dummy(self, expr) -> None:
+        return None
 
     #
     # Expression replacement
@@ -417,23 +493,29 @@ class SimEngineSSARewriting(
             **new_base_expr.tags,
         )
 
-    def _replace_def_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+    def _replace_def_expr(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+    ) -> VirtualVariable | None:
         """
         Return a new virtual variable for the given defined expression.
         """
         if isinstance(thing, Register):
-            return self._replace_def_reg(thing)
+            return self._replace_def_reg(block_addr, block_idx, stmt_idx, thing)
         if isinstance(thing, Store):
-            return self._replace_def_store(thing)
+            return self._replace_def_store(block_addr, block_idx, stmt_idx, thing)
+        if isinstance(thing, Tmp) and self.rewrite_tmps:
+            return self._replace_def_tmp(block_addr, block_idx, stmt_idx, thing)
         return None
 
-    def _replace_def_reg(self, expr: Register) -> VirtualVariable:
+    def _replace_def_reg(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Register
+    ) -> VirtualVariable:
         """
         Return a new virtual variable for the given defined register.
         """
 
         # get the virtual variable ID
-        vvid = self.get_vvid_by_def(expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
         return VirtualVariable(
             expr.idx,
             vvid,
@@ -464,14 +546,16 @@ class SimEngineSSARewriting(
             return vvar
         return self.state.registers[base_off][base_size]
 
-    def _replace_def_store(self, stmt: Store) -> VirtualVariable | None:
+    def _replace_def_store(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store
+    ) -> VirtualVariable | None:
         if (
             isinstance(stmt.addr, StackBaseOffset)
             and isinstance(stmt.addr.offset, int)
             and stmt.addr.offset in self.stackvar_locs
             and stmt.size == self.stackvar_locs[stmt.addr.offset]
         ):
-            vvar_id = self.get_vvid_by_def(stmt)
+            vvar_id = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, stmt)
             vvar = VirtualVariable(
                 self.ail_manager.next_atom(),
                 vvar_id,
@@ -484,6 +568,31 @@ class SimEngineSSARewriting(
             return vvar
         return None
 
+    def _replace_def_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvar = VirtualVariable(
+            expr.idx,
+            vvid,
+            expr.bits,
+            VirtualVariableCategory.TMP,
+            oident=expr.tmp_idx,
+            **expr.tags,
+        )
+        self.state.tmps[expr.tmp_idx] = vvar
+        return vvar
+
+    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+        """
+        Return a new virtual variable for the given defined expression.
+        """
+        if isinstance(thing, Register):
+            return self._replace_use_reg(thing)
+        if isinstance(thing, Store):
+            raise NotImplementedError("Store expressions are not supported in _replace_use_expr.")
+        if isinstance(thing, Tmp) and self.rewrite_tmps:
+            return self._replace_use_tmp(self.block.addr, self.block.idx, self.stmt_idx, thing)
+        return None
+
     def _replace_use_reg(self, reg_expr: Register) -> VirtualVariable | Expression:
 
         if reg_expr.reg_offset in self.state.registers:
@@ -556,7 +665,8 @@ class SimEngineSSARewriting(
             and expr.size == self.stackvar_locs[expr.addr.offset]
         ):
             if expr.size not in self.state.stackvars[expr.addr.offset]:
-                vvar_id = self.get_vvid_by_def(expr)
+                # create it on the fly
+                vvar_id = self.get_vvid_by_def(self.block.addr, self.block.idx, self.stmt_idx, expr)
                 return VirtualVariable(
                     self.ail_manager.next_atom(),
                     vvar_id,
@@ -579,15 +689,31 @@ class SimEngineSSARewriting(
             )
         return None
 
+    def _replace_use_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
+        vvar = self.state.tmps.get(expr.tmp_idx)
+        if vvar is None:
+            return self._replace_def_tmp(block_addr, block_idx, stmt_idx, expr)
+        return VirtualVariable(
+            expr.idx,
+            vvar.varid,
+            vvar.bits,
+            VirtualVariableCategory.TMP,
+            oident=expr.tmp_idx,
+            **expr.tags,
+        )
+
     #
     # Utils
     #
 
-    def get_vvid_by_def(self, thing: Expression | Statement) -> int:
-        if thing in self.def_to_vvid:
-            return self.def_to_vvid[thing]
+    def get_vvid_by_def(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+    ) -> int:
+        key = block_addr, block_idx, stmt_idx, thing
+        if key in self.def_to_vvid:
+            return self.def_to_vvid[key]
         vvid = self.next_vvar_id()
-        self.def_to_vvid[thing] = vvid
+        self.def_to_vvid[key] = vvid
         return vvid
 
     def _clear_aliasing_regs(self, reg_offset: int, size: int, remove_base_reg: bool = True) -> None:

angr/analyses/decompiler/ssailification/rewriting_state.py

@@ -32,6 +32,7 @@ class RewritingState:
         self.stackvars: defaultdict[int, dict[int, VirtualVariable]] = (
             stackvars if stackvars is not None else defaultdict(dict)
         )
+        self.tmps: dict[int, VirtualVariable] = {}
         self.original_block = original_block
         self.out_block = None
 

angr/analyses/decompiler/ssailification/ssailification.py

@@ -5,8 +5,8 @@ from collections import defaultdict
 from itertools import count
 from bisect import bisect_left
 
-from ailment.expression import Register, StackBaseOffset
-from ailment.statement import Store
+from ailment.expression import Expression, Register, StackBaseOffset, Tmp
+from ailment.statement import Statement, Store
 
 from angr.knowledge_plugins.functions import Function
 from angr.code_location import CodeLocation
@@ -33,6 +33,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         func_addr: int | None = None,
         ail_manager=None,
         ssa_stackvars: bool = False,
+        ssa_tmps: bool = False,
         vvar_id_start: int = 0,
     ):
         """
@@ -51,6 +52,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         self._func_addr = func_addr
         self._ail_manager = ail_manager
         self._ssa_stackvars = ssa_stackvars
+        self._ssa_tmps = ssa_tmps
         self._entry = (
             entry
             if entry is not None
@@ -68,6 +70,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             stack_pointer_tracker,
             bp_as_gpr,
             ssa_stackvars,
+            ssa_tmps,
         )
 
         # calculate virtual variables and phi nodes
@@ -86,13 +89,19 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             self._udef_to_phiid,
             self._phiid_to_loc,
             self._stackvar_locs,
+            self._ssa_tmps,
             self._ail_manager,
             vvar_id_start=vvar_id_start,
         )
         self.out_graph = rewriter.out_graph
         self.max_vvar_id = rewriter.max_vvar_id
 
-    def _calculate_virtual_variables(self, ail_graph, def_to_loc: dict, loc_to_defs: dict[CodeLocation, Any]):
+    def _calculate_virtual_variables(
+        self,
+        ail_graph,
+        def_to_loc: list[tuple[Expression | Statement, CodeLocation]],
+        loc_to_defs: dict[CodeLocation, Any],
+    ):
         """
         Calculate the mapping from defs to virtual variables as well as where to insert phi nodes.
         """
@@ -112,7 +121,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         if self._ssa_stackvars:
             # for stack variables, we collect all definitions and identify stack variable locations using heuristics
 
-            stackvar_locs = self._synthesize_stackvar_locs([def_ for def_ in def_to_loc if isinstance(def_, Store)])
+            stackvar_locs = self._synthesize_stackvar_locs([def_ for def_, _ in def_to_loc if isinstance(def_, Store)])
             sorted_stackvar_offs = sorted(stackvar_locs)
         else:
             stackvar_locs = {}
@@ -121,10 +130,8 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         # computer phi node locations for each unified definition
         udef_to_defs = defaultdict(set)
         udef_to_blockkeys = defaultdict(set)
-        for def_ in def_to_loc:
+        for def_, loc in def_to_loc:
             if isinstance(def_, Register):
-                loc = def_to_loc[def_]
-
                 base_off, base_size = get_reg_offset_base_and_size(def_.reg_offset, self.project.arch, size=def_.size)
                 base_reg_bits = base_size * self.project.arch.byte_width
                 udef_to_defs[("reg", base_off, base_reg_bits)].add(def_)
@@ -135,8 +142,6 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                     udef_to_defs[("reg", def_.reg_offset, reg_bits)].add((loc.block_addr, loc.block_idx))
             elif isinstance(def_, Store):
                 if isinstance(def_.addr, StackBaseOffset) and isinstance(def_.addr.offset, int):
-                    loc = def_to_loc[def_]
-
                     idx_begin = bisect_left(sorted_stackvar_offs, def_.addr.offset)
                     for i in range(idx_begin, len(sorted_stackvar_offs)):
                         off = sorted_stackvar_offs[i]
@@ -144,6 +149,9 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                             break
                         udef_to_defs[("stack", off, stackvar_locs[off])].add(def_)
                         udef_to_blockkeys[("stack", off, stackvar_locs[off])].add((loc.block_addr, loc.block_idx))
+            elif isinstance(def_, Tmp):
+                # Tmps are local to each block and do not need phi nodes
+                pass
             else:
                 raise NotImplementedError
                 # other types are not supported yet

angr/analyses/decompiler/ssailification/traversal.py

@@ -19,10 +19,11 @@ class TraversalAnalysis(ForwardAnalysis[None, NodeType, object, object]):
     TraversalAnalysis traverses the AIL graph and collects definitions.
     """
 
-    def __init__(self, project, func, ail_graph, sp_tracker, bp_as_gpr: bool, stackvars: bool):
+    def __init__(self, project, func, ail_graph, sp_tracker, bp_as_gpr: bool, stackvars: bool, tmps: bool):
 
         self.project = project
         self._stackvars = stackvars
+        self._tmps = tmps
         self._function = func
         self._graph_visitor = FunctionGraphVisitor(self._function, ail_graph)
 
@@ -34,6 +35,7 @@ class TraversalAnalysis(ForwardAnalysis[None, NodeType, object, object]):
             sp_tracker=sp_tracker,
             bp_as_gpr=bp_as_gpr,
             stackvars=self._stackvars,
+            tmps=self._tmps,
         )
 
         self._visited_blocks: set[Any] = set()