angr 9.2.126__py3-none-manylinux2014_aarch64.whl → 9.2.128__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/optimization_passes/switch_reused_entry_rewriter.py

@@ -0,0 +1,102 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+from itertools import count
+import logging
+
+from ailment.block import Block
+from ailment.statement import Jump
+from ailment.expression import Const
+
+from angr.knowledge_plugins.cfg import IndirectJumpType
+
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class SwitchReusedEntryRewriter(OptimizationPass):
+    """
+    For each switch-case construct (identified by jump tables), rewrite the entry into a goto block when we detect
+    situations where an entry node is reused by edges in switch-case constructs that are not the current one. This code
+    reuse is usually caused by compiler code deduplication.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_AIL_GRAPH_CREATION
+    NAME = "Rewrite switch-case entry nodes with multiple predecessors into goto statements."
+    DESCRIPTION = __doc__.strip()
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+
+        self.node_idx = count(start=self._scratch.get("node_idx", 0))
+
+        self.analyze()
+
+        self._scratch["node_idx"] = next(self.node_idx)
+
+    def _check(self):
+        jumptables = self.kb.cfgs.get_most_accurate().jump_tables
+        switch_jump_block_addrs = {
+            jumptable.addr
+            for jumptable in jumptables.values()
+            if jumptable.type
+            in {IndirectJumpType.Jumptable_AddressComputed, IndirectJumpType.Jumptable_AddressLoadedFromMemory}
+        }
+        jump_node_addrs = self._func.block_addrs_set.intersection(switch_jump_block_addrs)
+        if not jump_node_addrs:
+            return False, None
+
+        # ensure each jump table entry node has only one predecessor
+        reused_entries: dict[Block, set[Block]] = {}
+        for jumptable in jumptables.values():
+            for entry_addr in sorted(set(jumptable.jumptable_entries)):
+                entry_nodes = self._get_blocks(entry_addr)
+                for entry_node in entry_nodes:
+                    preds = list(self._graph.predecessors(entry_node))
+                    if len(preds) > 1:
+                        non_current_jumptable_preds = [pred for pred in preds if pred.addr != jumptable.addr]
+                        if any(p.addr in switch_jump_block_addrs for p in non_current_jumptable_preds):
+                            reused_entries[entry_node] = {
+                                pred for pred in preds if pred.addr in switch_jump_block_addrs
+                            }
+
+        if not reused_entries:
+            return False, None
+        cache = {"reused_entries": reused_entries}
+        return True, cache
+
+    def _analyze(self, cache=None):
+
+        reused_entries: dict[Block, set[Block]] = cache["reused_entries"]
+        out_graph = None
+
+        for entry_node, pred_nodes in reused_entries.items():
+            # we assign the entry node to the predecessor with the lowest address
+            sorted_pred_nodes = sorted(pred_nodes, key=lambda x: (x.addr, x.idx))
+
+            for head_node in sorted_pred_nodes[1:]:
+
+                # create the new goto node
+                goto_stmt = Jump(
+                    None,
+                    Const(None, None, entry_node.addr, self.project.arch.bits, ins_addr=entry_node.addr),
+                    target_idx=entry_node.idx,
+                    ins_addr=entry_node.addr,
+                )
+                goto_node = Block(
+                    entry_node.addr,
+                    0,
+                    statements=[goto_stmt],
+                    idx=next(self.node_idx),
+                )
+
+                if out_graph is None:
+                    out_graph = self._graph
+                out_graph.remove_edge(head_node, entry_node)
+                out_graph.add_edge(head_node, goto_node)
+                # we are virtualizing these edges, so we don't need to add the edge from goto_node to the entry_node
+
+        self.out_graph = out_graph

angr/analyses/decompiler/presets/basic.py

@@ -9,6 +9,7 @@ from angr.analyses.decompiler.optimization_passes import (
     RetAddrSaveSimplifier,
     X86GccGetPcSimplifier,
     CallStatementRewriter,
+    SwitchReusedEntryRewriter,
 )
 
 
@@ -23,6 +24,7 @@ preset_basic = DecompilationPreset(
         RetAddrSaveSimplifier,
         X86GccGetPcSimplifier,
         CallStatementRewriter,
+        SwitchReusedEntryRewriter,
     ],
 )
 

angr/analyses/decompiler/presets/fast.py

@@ -21,6 +21,7 @@ from angr.analyses.decompiler.optimization_passes import (
     CallStatementRewriter,
     MultiSimplifier,
     DeadblockRemover,
+    SwitchReusedEntryRewriter,
 )
 
 
@@ -41,6 +42,7 @@ preset_fast = DecompilationPreset(
         ReturnDuplicatorHigh,
         DeadblockRemover,
         SwitchDefaultCaseDuplicator,
+        SwitchReusedEntryRewriter,
         LoweredSwitchSimplifier,
         ReturnDuplicatorLow,
         ReturnDeduplicator,

angr/analyses/decompiler/presets/full.py

@@ -26,6 +26,7 @@ from angr.analyses.decompiler.optimization_passes import (
     FlipBooleanCmp,
     InlinedStringTransformationSimplifier,
     CallStatementRewriter,
+    SwitchReusedEntryRewriter,
 )
 
 
@@ -57,6 +58,7 @@ preset_full = DecompilationPreset(
         FlipBooleanCmp,
         InlinedStringTransformationSimplifier,
         CallStatementRewriter,
+        SwitchReusedEntryRewriter,
     ],
 )
 

angr/analyses/decompiler/region_identifier.py

@@ -532,7 +532,7 @@ class RegionIdentifier(Analysis):
         )
         if len(region.successors) > 1 and self._force_loop_single_exit:
             # multi-successor region. refinement is required
-            self._refine_loop_successors(region, graph)
+            self._refine_loop_successors_to_guarded_successors(region, graph)
 
         # if the head node is in the graph and it's not the head of the graph, we will need to update the head node
         # address.
@@ -543,10 +543,10 @@ class RegionIdentifier(Analysis):
 
         return region
 
-    def _refine_loop_successors(self, region, graph: networkx.DiGraph):
+    def _refine_loop_successors_to_guarded_successors(self, region, graph: networkx.DiGraph):
         """
-        If there are multiple successors of a loop, convert them into conditional gotos. Eventually there should be
-        only one loop successor.
+        If there are multiple successors of a loop, convert them into guarded successors. Eventually there should be
+        only one loop successor. This is used in the DREAM structuring algorithm.
 
         :param GraphRegion region:      The cyclic region to refine.
         :param networkx.DiGraph graph:  The current graph that is being structured.
@@ -565,11 +565,11 @@ class RegionIdentifier(Analysis):
         cond = ConditionNode(
             condnode_addr,
             None,
-            self.cond_proc.reaching_conditions[successors[0]],
-            successors[0],
-            false_node=None,
+            self.cond_proc.reaching_conditions[successors[1]],
+            successors[1],
+            false_node=successors[0],
         )
-        for succ in successors[1:]:
+        for succ in successors[2:]:
             cond = ConditionNode(
                 condnode_addr,
                 None,

angr/analyses/decompiler/ssailification/traversal.py

@@ -32,6 +32,7 @@ class TraversalAnalysis(ForwardAnalysis[None, NodeType, object, object]):
         )
         self._engine_ail = SimEngineSSATraversal(
             self.project.arch,
+            self.project.simos,
             sp_tracker=sp_tracker,
             bp_as_gpr=bp_as_gpr,
             stackvars=self._stackvars,

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -7,6 +7,7 @@ from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCal
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
 from angr.utils.ssa import get_reg_offset_base
 from angr.utils.orderedset import OrderedSet
+from angr.calling_conventions import default_cc
 from .traversal_state import TraversalState
 
 
@@ -23,6 +24,7 @@ class SimEngineSSATraversal(
     def __init__(
         self,
         arch,
+        simos,
         sp_tracker=None,
         bp_as_gpr: bool = False,
         def_to_loc=None,
@@ -33,6 +35,7 @@ class SimEngineSSATraversal(
         super().__init__()
 
         self.arch = arch
+        self.simos = simos
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
         self.stackvars = stackvars
@@ -75,6 +78,18 @@ class SimEngineSSATraversal(
             self._expr(stmt.false_target)
 
     def _handle_Call(self, stmt: Call):
+
+        # kill caller-saved registers
+        cc = (
+            default_cc(self.arch.name, platform=self.simos.name if self.simos is not None else None)
+            if stmt.calling_convention is None
+            else stmt.calling_convention
+        )
+        for reg_name in cc.CALLER_SAVED_REGS:
+            reg_offset = self.arch.registers[reg_name][0]
+            base_off = get_reg_offset_base(reg_offset, self.arch)
+            self.state.live_registers.discard(base_off)
+
         if stmt.ret_expr is not None and isinstance(stmt.ret_expr, Register):
             codeloc = self._codeloc()
             self.def_to_loc.append((stmt.ret_expr, codeloc))

angr/analyses/decompiler/structured_codegen/c.py

@@ -2511,9 +2511,6 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         self._analyze()
 
-        if flavor is not None:
-            self.kb.structured_code[(func.addr, flavor)] = self
-
     def reapply_options(self, options):
         for option, value in options:
             if option.param == "braces_on_own_lines":

angr/analyses/decompiler/structured_codegen/dwarf_import.py

@@ -5,6 +5,7 @@ import logging
 from sortedcontainers import SortedList
 
 from angr.analyses import Analysis, register_analysis
+from angr.analyses.decompiler.decompilation_cache import DecompilationCache
 from .base import BaseStructuredCodeGenerator, InstructionMapping, PositionMapping
 from angr.knowledge_plugins.functions.function import Function
 
@@ -30,7 +31,9 @@ class ImportSourceCode(BaseStructuredCodeGenerator, Analysis):
         self.regenerate_text()
 
         if flavor is not None and self.text:
-            self.kb.structured_code[(function.addr, flavor)] = self
+            if (function.addr, flavor) not in self.kb.decompilations:
+                self.kb.decompilations[(function.addr, flavor)] = DecompilationCache(function.addr)
+            self.kb.decompilations[(function.addr, flavor)].codegen = self
 
     def regenerate_text(self):
         cache = {}

angr/analyses/decompiler/structuring/phoenix.py

@@ -127,6 +127,8 @@ class PhoenixStructurer(StructurerBase):
     @staticmethod
     def _assert_graph_ok(g, msg: str) -> None:
         if _DEBUG:
+            if g is None:
+                return
             assert (
                 len(list(networkx.connected_components(networkx.Graph(g)))) <= 1
             ), f"{msg}: More than one connected component. Please report this."
@@ -229,7 +231,8 @@ class PhoenixStructurer(StructurerBase):
             )
             l.debug("... matching cyclic schemas: %s at %r", matched, node)
             any_matches |= matched
-            self._assert_graph_ok(self._region.graph, "Removed incorrect edges")
+            if matched:
+                self._assert_graph_ok(self._region.graph, "Removed incorrect edges")
         return any_matches
 
     def _match_cyclic_schemas(self, node, head, graph, full_graph) -> bool:
@@ -559,9 +562,12 @@ class PhoenixStructurer(StructurerBase):
         seq_node = SequenceNode(node.addr, nodes=[node])
         seen_nodes = set()
         while True:
-            succs = list(full_graph.successors(next_node))
+            succs = list(graph.successors(next_node))
             if len(succs) != 1:
                 return False, None
+            if full_graph.out_degree[next_node] > 1:
+                # all successors in the full graph should have been refined away at this point
+                return False, None
             next_node = succs[0]
 
             if next_node is node:
@@ -600,6 +606,8 @@ class PhoenixStructurer(StructurerBase):
             refined = self._refine_cyclic_core(head)
             l.debug("... refined: %s", refined)
             if refined:
+                self._assert_graph_ok(self._region.graph, "Refinement went wrong")
+                # cyclic refinement may create dangling nodes in the full graph
                 return True
         return False
 
@@ -1020,7 +1028,9 @@ class PhoenixStructurer(StructurerBase):
                 any_matches |= matched
                 if matched:
                     break
-            self._assert_graph_ok(self._region.graph, "Removed incorrect edges")
+
+        self._assert_graph_ok(self._region.graph, "Removed incorrect edges")
+
         return any_matches
 
     # switch cases
@@ -1094,7 +1104,7 @@ class PhoenixStructurer(StructurerBase):
             to_remove,
             graph,
             full_graph,
-            can_bail=True,
+            bail_on_nonhead_outedges=True,
         )
         if not r:
             return False
@@ -1161,18 +1171,18 @@ class PhoenixStructurer(StructurerBase):
             node_pred = next(iter(graph.predecessors(node)))
 
         case_nodes = list(graph.successors(node_a))
-        case_node_successors = set()
-        for case_node in case_nodes:
-            if case_node is node_pred:
-                continue
-            if case_node.addr in jump_table.jumptable_entries:
-                succs = set(graph.successors(case_node))
-                case_node_successors |= {succ for succ in succs if succ.addr not in jump_table.jumptable_entries}
-        if len(case_node_successors) > 1:
-            return False
 
-        # we will definitely be able to structure this into a full switch-case. remove node from switch_case_known_heads
-        self.switch_case_known_heads.remove(node)
+        # case 1: the common successor happens to be directly reachable from node_a (usually as a result of compiler
+        # optimization)
+        # example: touch_touch_no_switch.o:main
+        r = self.switch_case_entry_node_has_common_successor_case_1(graph, jump_table, case_nodes, node_pred)
+
+        # case 2: the common successor is not directly reachable from node_a. this is a more common case.
+        if not r:
+            r |= self.switch_case_entry_node_has_common_successor_case_2(graph, jump_table, case_nodes, node_pred)
+
+        if not r:
+            return False
 
         # un-structure IncompleteSwitchCaseNode
         if isinstance(node_a, SequenceNode) and node_a.nodes and isinstance(node_a.nodes[0], IncompleteSwitchCaseNode):
@@ -1186,8 +1196,10 @@ class PhoenixStructurer(StructurerBase):
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
 
+        case_and_entry_addrs = self._find_case_and_entry_addrs(node_a, graph, cmp_lb, jump_table)
+
         cases, node_default, to_remove = self._switch_build_cases(
-            {cmp_lb + i: entry_addr for (i, entry_addr) in enumerate(jump_table.jumptable_entries)},
+            case_and_entry_addrs,
             node,
             node_a,
             node_b_addr,
@@ -1203,7 +1215,7 @@ class PhoenixStructurer(StructurerBase):
             to_remove.add(node_default)
 
         to_remove.add(node_a)  # add node_a
-        self._make_switch_cases_core(
+        r = self._make_switch_cases_core(
             node,
             cmp_expr,
             cases,
@@ -1215,7 +1227,11 @@ class PhoenixStructurer(StructurerBase):
             full_graph,
             node_a=node_a,
         )
+        if not r:
+            return False
 
+        # fully structured into a switch-case. remove node from switch_case_known_heads
+        self.switch_case_known_heads.remove(node)
         self._switch_handle_gotos(cases, node_default, switch_end_addr)
 
         return True
@@ -1253,8 +1269,10 @@ class PhoenixStructurer(StructurerBase):
         else:
             return False
 
+        case_and_entry_addrs = self._find_case_and_entry_addrs(node, graph, cmp_lb, jump_table)
+
         cases, node_default, to_remove = self._switch_build_cases(
-            {cmp_lb + i: entry_addr for (i, entry_addr) in enumerate(jump_table.jumptable_entries)},
+            case_and_entry_addrs,
             node,
             node,
             default_addr,
@@ -1265,12 +1283,10 @@ class PhoenixStructurer(StructurerBase):
             # there must be a default case
             return False
 
-        self._make_switch_cases_core(
+        return self._make_switch_cases_core(
             node, cmp_expr, cases, default_addr, node_default, node.addr, to_remove, graph, full_graph
         )
 
-        return True
-
     def _match_acyclic_incomplete_switch_cases(
         self, node, graph: networkx.DiGraph, full_graph: networkx.DiGraph, jump_tables: dict
     ) -> bool:
@@ -1322,14 +1338,9 @@ class PhoenixStructurer(StructurerBase):
         # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
         # successor to node_a
         default_node_candidates = [nn for nn in graph.nodes if nn.addr == node_b_addr]
-        if len(default_node_candidates) == 0:
-            node_default: BaseNode | None = None
-        elif len(default_node_candidates) == 1:
-            node_default: BaseNode | None = default_node_candidates[0]
-        else:
-            node_default: BaseNode | None = next(
-                iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
-            )
+        node_default: BaseNode | None = next(
+            iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
+        )
 
         if node_default is not None and not isinstance(node_default, SequenceNode):
             # make the default node a SequenceNode so that we can insert Break and Continue nodes into it later
@@ -1432,7 +1443,7 @@ class PhoenixStructurer(StructurerBase):
         graph: networkx.DiGraph,
         full_graph: networkx.DiGraph,
         node_a=None,
-        can_bail=False,
+        bail_on_nonhead_outedges: bool = False,
     ) -> bool:
         scnode = SwitchCaseNode(cmp_expr, cases, node_default, addr=addr)
 
@@ -1454,14 +1465,24 @@ class PhoenixStructurer(StructurerBase):
                 if dst not in to_remove:
                     out_edges.append((nn, dst))
 
-        if can_bail:
+        if bail_on_nonhead_outedges:
             nonhead_out_nodes = {edge[1] for edge in out_edges if edge[1] is not head}
             if len(nonhead_out_nodes) > 1:
                 # not ready to be structured yet - do it later
                 return False
 
+        # check if structuring will create any dangling nodes
+        for case_node in to_remove:
+            if case_node is not node_default and case_node is not node_a and case_node is not head:
+                for succ in graph.successors(case_node):
+                    if succ is not case_node and succ is not head and graph.in_degree[succ] == 1:
+                        # succ will be dangling - not ready to be structured yet - do it later
+                        return False
+
         if node_default is not None:
             # the head no longer goes to the default case
+            if graph.has_edge(head, node_default):
+                pass
             graph.remove_edge(head, node_default)
             full_graph.remove_edge(head, node_default)
         else:
@@ -1505,6 +1526,13 @@ class PhoenixStructurer(StructurerBase):
                 if full_graph.has_edge(head, out_dst):
                     full_graph.remove_edge(head, out_dst)
 
+                # fix full_graph if needed: remove successors that are no longer needed
+                for out_src, out_dst in out_edges[1:]:
+                    if out_dst in full_graph and out_dst not in graph and full_graph.in_degree[out_dst] == 0:
+                        full_graph.remove_node(out_dst)
+                        if out_dst in self._region.successors:
+                            self._region.successors.remove(out_dst)
+
         # remove the last statement (conditional jump) in the head node
         remove_last_statement(head)
 
@@ -1514,6 +1542,25 @@ class PhoenixStructurer(StructurerBase):
 
         return True
 
+    @staticmethod
+    def _find_case_and_entry_addrs(
+        jump_head, graph, cmp_lb: int, jump_table
+    ) -> dict[int, int | tuple[int, int | None]]:
+        case_and_entry_addrs = {}
+
+        addr_to_entry_nodes = defaultdict(list)
+        for succ in graph.successors(jump_head):
+            addr_to_entry_nodes[succ.addr].append(succ)
+
+        for i, entry_addr in enumerate(jump_table.jumptable_entries):
+            case_no = cmp_lb + i
+            if entry_addr in addr_to_entry_nodes and isinstance(addr_to_entry_nodes[entry_addr][0], (MultiNode, Block)):
+                case_and_entry_addrs[case_no] = entry_addr, addr_to_entry_nodes[entry_addr][0].idx
+            else:
+                case_and_entry_addrs[case_no] = entry_addr
+
+        return case_and_entry_addrs
+
     # other acyclic schemas
 
     def _match_acyclic_sequence(self, graph, full_graph, start_node) -> bool:
@@ -1982,6 +2029,11 @@ class PhoenixStructurer(StructurerBase):
 
             if full_graph.in_degree[left] > 1 and full_graph.in_degree[right] == 1:
                 left, right = right, left
+
+            # ensure left and right nodes are not the head of a switch-case construct
+            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+                return None
+
             if (
                 self._is_sequential_statement_block(left)
                 and full_graph.in_degree[left] == 1
@@ -2024,6 +2076,11 @@ class PhoenixStructurer(StructurerBase):
 
             if full_graph.in_degree[left] == 1 and full_graph.in_degree[right] == 2:
                 left, right = right, left
+
+            # ensure left and right nodes are not the head of a switch-case construct
+            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+                return None
+
             if (
                 self._is_sequential_statement_block(right)
                 and full_graph.in_degree[left] == 2
@@ -2060,6 +2117,11 @@ class PhoenixStructurer(StructurerBase):
 
             if full_graph.in_degree[left] > 1 and full_graph.in_degree[successor] == 1:
                 left, successor = successor, left
+
+            # ensure left and successor nodes are not the head of a switch-case construct
+            if left in self.switch_case_known_heads or successor in self.switch_case_known_heads:
+                return None
+
             if (
                 self._is_sequential_statement_block(left)
                 and full_graph.in_degree[left] == 1
@@ -2103,6 +2165,11 @@ class PhoenixStructurer(StructurerBase):
 
             if full_graph.in_degree[left] > 1 and full_graph.in_degree[else_node] == 1:
                 left, else_node = else_node, left
+
+            # ensure left and else nodes are not the head of a switch-case construct
+            if left in self.switch_case_known_heads or else_node in self.switch_case_known_heads:
+                return None
+
             if (
                 self._is_sequential_statement_block(left)
                 and full_graph.in_degree[left] == 1
@@ -2563,3 +2630,36 @@ class PhoenixStructurer(StructurerBase):
             graph_with_str.add_edge(f'"{src!r}"', f'"{dst!r}"')
 
         networkx.drawing.nx_pydot.write_dot(graph_with_str, path)
+
+    @staticmethod
+    def switch_case_entry_node_has_common_successor_case_1(graph, jump_table, case_nodes, node_pred) -> bool:
+        all_succs = set()
+        for case_node in case_nodes:
+            if case_node is node_pred:
+                continue
+            if case_node.addr in jump_table.jumptable_entries:
+                all_succs |= set(graph.successors(case_node))
+
+        case_node_successors = set()
+        for case_node in case_nodes:
+            if case_node is node_pred:
+                continue
+            if case_node in all_succs:
+                continue
+            if case_node.addr in jump_table.jumptable_entries:
+                succs = set(graph.successors(case_node))
+                case_node_successors |= {succ for succ in succs if succ.addr not in jump_table.jumptable_entries}
+
+        return len(case_node_successors) <= 1
+
+    @staticmethod
+    def switch_case_entry_node_has_common_successor_case_2(graph, jump_table, case_nodes, node_pred) -> bool:
+        case_node_successors = set()
+        for case_node in case_nodes:
+            if case_node is node_pred:
+                continue
+            if case_node.addr in jump_table.jumptable_entries:
+                succs = set(graph.successors(case_node))
+                case_node_successors |= {succ for succ in succs if succ.addr not in jump_table.jumptable_entries}
+
+        return len(case_node_successors) <= 1

angr/analyses/decompiler/structuring/recursive_structurer.py

@@ -83,7 +83,9 @@ class RecursiveStructurer(Analysis):
                 # Get the parent region
                 parent_region = parent_map.get(current_region)
                 # structure this region
-                st: StructurerBase = self.project.analyses[self.structurer_cls].prep()(
+                st: StructurerBase = self.project.analyses[self.structurer_cls].prep(
+                    kb=self.kb, fail_fast=self._fail_fast
+                )(
                     current_region.copy(),
                     parent_map=parent_map,
                     condition_processor=self.cond_proc,

angr/analyses/decompiler/structuring/structurer_base.py

@@ -18,6 +18,7 @@ from angr.analyses.decompiler.utils import (
     remove_last_statement,
     has_nonlabel_nonphi_statements,
 )
+from angr.analyses.decompiler.label_collector import LabelCollector
 from .structurer_nodes import (
     MultiNode,
     SequenceNode,
@@ -800,9 +801,17 @@ class StructurerBase(Analysis):
                 starting_case_ids.append(idx)
                 continue
 
+        # we can't just collect addresses and block IDs of switch-case entry nodes because SequenceNode does not keep
+        # track of block IDs.
+        case_label_addrs = set()
+        for case_node in cases.values():
+            lc = LabelCollector(case_node)
+            for lst in lc.labels.values():
+                case_label_addrs |= set(lst)
+
         for idx in starting_case_ids:
             new_cases[idx] = cases[idx]
-            self._remove_last_statement_if_jump(new_cases[idx])
+            self._remove_last_statement_if_jump_to_addr(new_cases[idx], case_label_addrs)
             succs = networkx.dfs_successors(graph, idx)
             idx_ = idx
             while idx_ in succs:
@@ -813,6 +822,29 @@ class StructurerBase(Analysis):
 
         return new_cases
 
+    @staticmethod
+    def _remove_last_statement_if_jump_to_addr(
+        node: BaseNode | ailment.Block, addr_and_ids: set[tuple[int, int | None]]
+    ) -> ailment.Stmt.Jump | ailment.Stmt.ConditionalJump | None:
+        try:
+            last_stmts = ConditionProcessor.get_last_statements(node)
+        except EmptyBlockNotice:
+            return None
+
+        if len(last_stmts) == 1 and isinstance(last_stmts[0], (ailment.Stmt.Jump, ailment.Stmt.ConditionalJump)):
+            last_stmt = last_stmts[0]
+            jump_targets = []
+            if isinstance(last_stmt, ailment.Stmt.Jump) and isinstance(last_stmt.target, ailment.Expr.Const):
+                jump_targets = [(last_stmt.target.value, last_stmt.target_idx)]
+            elif isinstance(last_stmt, ailment.Stmt.ConditionalJump):
+                if isinstance(last_stmt.true_target, ailment.Expr.Const):
+                    jump_targets.append((last_stmt.true_target.value, last_stmt.true_target_idx))
+                if isinstance(last_stmt.false_target, ailment.Expr.Const):
+                    jump_targets.append((last_stmt.false_target.value, last_stmt.false_target_idx))
+            if any(tpl in addr_and_ids for tpl in jump_targets):
+                return remove_last_statement(node)
+        return None
+
     @staticmethod
     def _remove_last_statement_if_jump(
         node: BaseNode | ailment.Block,

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -46,8 +46,8 @@ class LibcStringHandlers(FunctionHandler):
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strncpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
-        n = state.get_concrete_value(data.args_atoms[1])
-        src_atom = state.deref(data.args_atoms[2], DerefSize.NULL_TERMINATE if n is None else n)
+        n = state.get_concrete_value(data.args_atoms[2])
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE if n is None else n)
         src_str = state.get_values(src_atom)
         if src_str is not None:
             dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)