angr 9.2.130__py3-none-manylinux2014_aarch64.whl → 9.2.132__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -1,50 +1,53 @@
 from __future__ import annotations
 from collections import OrderedDict
 
-from ailment.statement import Assignment, Call, Store, ConditionalJump
+from ailment.statement import Call, Store, ConditionalJump
 from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression
 
-from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
+from angr.engines.light import SimEngineLightAIL
+from angr.project import Project
 from angr.utils.ssa import get_reg_offset_base
 from angr.utils.orderedset import OrderedSet
 from angr.calling_conventions import default_cc
 from .traversal_state import TraversalState
 
 
-class SimEngineSSATraversal(
-    SimEngineLightAILMixin,
-    SimEngineLight,
-):
+class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None]):
     """
     This engine collects all register and stack variable locations and links them to the block of their creation.
     """
 
-    state: TraversalState
-
     def __init__(
         self,
-        arch,
+        project: Project,
         simos,
         sp_tracker=None,
         bp_as_gpr: bool = False,
         def_to_loc=None,
         loc_to_defs=None,
         stackvars: bool = False,
-        tmps: bool = False,
+        use_tmps: bool = False,
     ):
-        super().__init__()
-
-        self.arch = arch
+        super().__init__(project)
         self.simos = simos
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
         self.stackvars = stackvars
-        self.tmps = tmps
+        self.use_tmps = use_tmps
 
         self.def_to_loc = def_to_loc if def_to_loc is not None else []
         self.loc_to_defs = loc_to_defs if loc_to_defs is not None else OrderedDict()
 
-    def _handle_Assignment(self, stmt: Assignment):
+    def _is_top(self, expr):
+        return True
+
+    def _top(self, bits):
+        return None
+
+    def _process_block_end(self, block, stmt_data, whitelist):
+        pass
+
+    def _handle_stmt_Assignment(self, stmt):
         if isinstance(stmt.dst, Register):
             codeloc = self._codeloc()
             self.def_to_loc.append((stmt.dst, codeloc))
@@ -57,7 +60,7 @@ class SimEngineSSATraversal(
 
         self._expr(stmt.src)
 
-    def _handle_Store(self, stmt: Store):
+    def _handle_stmt_Store(self, stmt: Store):
         self._expr(stmt.addr)
         self._expr(stmt.data)
         if stmt.guard is not None:
@@ -72,14 +75,14 @@ class SimEngineSSATraversal(
 
             self.state.live_stackvars.add((stmt.addr.offset, stmt.size))
 
-    def _handle_ConditionalJump(self, stmt: ConditionalJump):
+    def _handle_stmt_ConditionalJump(self, stmt: ConditionalJump):
         self._expr(stmt.condition)
         if stmt.true_target is not None:
             self._expr(stmt.true_target)
         if stmt.false_target is not None:
             self._expr(stmt.false_target)
 
-    def _handle_Call(self, stmt: Call):
+    def _handle_stmt_Call(self, stmt: Call):
 
         # kill caller-saved registers
         cc = (
@@ -87,6 +90,7 @@ class SimEngineSSATraversal(
             if stmt.calling_convention is None
             else stmt.calling_convention
         )
+        assert cc is not None
         for reg_name in cc.CALLER_SAVED_REGS:
             reg_offset = self.arch.registers[reg_name][0]
             base_off = get_reg_offset_base(reg_offset, self.arch)
@@ -102,11 +106,22 @@ class SimEngineSSATraversal(
             base_off = get_reg_offset_base(stmt.ret_expr.reg_offset, self.arch)
             self.state.live_registers.add(base_off)
 
-        super()._ail_handle_Call(stmt)
+    def _handle_stmt_Dummy(self, stmt):
+        pass
+
+    def _handle_stmt_DirtyStatement(self, stmt):
+        self._expr(stmt.dirty)
+
+    def _handle_stmt_Jump(self, stmt):
+        self._expr(stmt.target)
 
-    _handle_CallExpr = _handle_Call
+    _handle_stmt_Label = _handle_stmt_Dummy
 
-    def _handle_Register(self, expr: Register):
+    def _handle_stmt_Return(self, stmt):
+        for expr in stmt.ret_exprs:
+            self._expr(expr)
+
+    def _handle_expr_Register(self, expr: Register):
         base_offset = get_reg_offset_base(expr.reg_offset, self.arch)
 
         if base_offset not in self.state.live_registers:
@@ -118,8 +133,8 @@ class SimEngineSSATraversal(
 
             self.state.live_registers.add(base_offset)
 
-    def _handle_Tmp(self, expr: Tmp):
-        if self.tmps:
+    def _handle_expr_Tmp(self, expr: Tmp):
+        if self.use_tmps:
             codeloc = self._codeloc()
             self.def_to_loc.append((expr, codeloc))
             if codeloc not in self.loc_to_defs:
@@ -128,39 +143,99 @@ class SimEngineSSATraversal(
 
             self.state.live_tmps.add(expr.tmp_idx)
 
-    def _handle_Cmp(self, expr: BinaryOp):
+    def _handle_binop_Default(self, expr: BinaryOp):
         self._expr(expr.operands[0])
         self._expr(expr.operands[1])
 
-    _handle_CmpLE = _handle_Cmp
-    _handle_CmpLT = _handle_Cmp
-    _handle_CmpGE = _handle_Cmp
-    _handle_CmpGT = _handle_Cmp
-    _handle_CmpEQ = _handle_Cmp
-    _handle_CmpNE = _handle_Cmp
+    _handle_binop_CmpLE = _handle_binop_Default
+    _handle_binop_CmpLT = _handle_binop_Default
+    _handle_binop_CmpGE = _handle_binop_Default
+    _handle_binop_CmpGT = _handle_binop_Default
+    _handle_binop_CmpEQ = _handle_binop_Default
+    _handle_binop_CmpNE = _handle_binop_Default
+    _handle_binop_Add = _handle_binop_Default
+    _handle_binop_AddF = _handle_binop_Default
+    _handle_binop_AddV = _handle_binop_Default
+    _handle_binop_And = _handle_binop_Default
+    _handle_binop_Carry = _handle_binop_Default
+    _handle_binop_CmpF = _handle_binop_Default
+    _handle_binop_Concat = _handle_binop_Default
+    _handle_binop_Div = _handle_binop_Default
+    _handle_binop_DivF = _handle_binop_Default
+    _handle_binop_DivV = _handle_binop_Default
+    _handle_binop_LogicalAnd = _handle_binop_Default
+    _handle_binop_LogicalOr = _handle_binop_Default
+    _handle_binop_Mod = _handle_binop_Default
+    _handle_binop_Mul = _handle_binop_Default
+    _handle_binop_Mull = _handle_binop_Default
+    _handle_binop_MulF = _handle_binop_Default
+    _handle_binop_MulV = _handle_binop_Default
+    _handle_binop_MulHiV = _handle_binop_Default
+    _handle_binop_Or = _handle_binop_Default
+    _handle_binop_Rol = _handle_binop_Default
+    _handle_binop_Ror = _handle_binop_Default
+    _handle_binop_SBorrow = _handle_binop_Default
+    _handle_binop_SCarry = _handle_binop_Default
+    _handle_binop_Sar = _handle_binop_Default
+    _handle_binop_Shl = _handle_binop_Default
+    _handle_binop_Shr = _handle_binop_Default
+    _handle_binop_Sub = _handle_binop_Default
+    _handle_binop_SubF = _handle_binop_Default
+    _handle_binop_SubV = _handle_binop_Default
+    _handle_binop_Xor = _handle_binop_Default
+    _handle_binop_InterleaveLOV = _handle_binop_Default
+    _handle_binop_InterleaveHIV = _handle_binop_Default
+    _handle_binop_CasCmpEQ = _handle_binop_Default
+    _handle_binop_CasCmpNE = _handle_binop_Default
+    _handle_binop_ExpCmpNE = _handle_binop_Default
+    _handle_binop_SarNV = _handle_binop_Default
+    _handle_binop_ShrNV = _handle_binop_Default
+    _handle_binop_ShlNV = _handle_binop_Default
+    _handle_binop_CmpEQV = _handle_binop_Default
+    _handle_binop_CmpNEV = _handle_binop_Default
+    _handle_binop_CmpGEV = _handle_binop_Default
+    _handle_binop_CmpGTV = _handle_binop_Default
+    _handle_binop_CmpLEV = _handle_binop_Default
+    _handle_binop_CmpLTV = _handle_binop_Default
+    _handle_binop_MinV = _handle_binop_Default
+    _handle_binop_MaxV = _handle_binop_Default
+    _handle_binop_QAddV = _handle_binop_Default
+    _handle_binop_QNarrowBinV = _handle_binop_Default
+    _handle_binop_PermV = _handle_binop_Default
+    _handle_binop_Set = _handle_binop_Default
+
+    def _handle_unop_Default(self, expr):
+        self._expr(expr.operands[0])
 
-    def _handle_UnaryOp(self, expr):
+    _handle_unop_BitwiseNeg = _handle_unop_Default
+    _handle_unop_Dereference = _handle_unop_Default
+    _handle_unop_Neg = _handle_unop_Default
+    _handle_unop_Not = _handle_unop_Default
+    _handle_unop_Reference = _handle_unop_Default
+    _handle_unop_Clz = _handle_unop_Default
+    _handle_unop_Ctz = _handle_unop_Default
+    _handle_unop_GetMSBs = _handle_unop_Default
+    _handle_unop_unpack = _handle_unop_Default
+    _handle_unop_Sqrt = _handle_unop_Default
+    _handle_unop_RSqrtEst = _handle_unop_Default
+
+    def _handle_expr_UnaryOp(self, expr):
         self._expr(expr.operand)
 
-    def _handle_BinaryOp(self, expr):
-        self._expr(expr.operands[0])
-        self._expr(expr.operands[1])
-
-    def _handle_TernaryOp(self, expr):
+    def _handle_expr_BinaryOp(self, expr):
         self._expr(expr.operands[0])
         self._expr(expr.operands[1])
-        self._expr(expr.operands[2])
 
-    def _handle_ITE(self, expr: ITE):
+    def _handle_expr_ITE(self, expr: ITE):
         self._expr(expr.cond)
         self._expr(expr.iftrue)
         self._expr(expr.iffalse)
 
-    def _handle_VEXCCallExpression(self, expr: VEXCCallExpression):
+    def _handle_expr_VEXCCallExpression(self, expr: VEXCCallExpression):
         for operand in expr.operands:
             self._expr(operand)
 
-    def _handle_DirtyExpression(self, expr: DirtyExpression):
+    def _handle_expr_DirtyExpression(self, expr: DirtyExpression):
         for operand in expr.operands:
             self._expr(operand)
         if expr.guard is not None:
@@ -171,5 +246,13 @@ class SimEngineSSATraversal(
     def _handle_Dummy(self, expr):
         pass
 
-    _handle_VirtualVariable = _handle_Dummy
-    _handle_Phi = _handle_Dummy
+    _handle_expr_VirtualVariable = _handle_Dummy
+    _handle_expr_Phi = _handle_Dummy
+    _handle_expr_Load = _handle_Dummy
+    _handle_expr_Convert = _handle_Dummy
+    _handle_expr_Const = _handle_Dummy
+    _handle_expr_MultiStatementExpression = _handle_Dummy
+    _handle_expr_Reinterpret = _handle_Dummy
+    _handle_expr_StackBaseOffset = _handle_Dummy
+    _handle_expr_BasePointerOffset = _handle_Dummy
+    _handle_expr_Call = _handle_Dummy

angr/analyses/decompiler/structured_codegen/c.py

@@ -33,6 +33,7 @@ from angr.sim_type import (
     dereference_simtype,
     SimTypeInt128,
     SimTypeInt256,
+    SimTypeInt512,
 )
 from angr.knowledge_plugins.functions import Function
 from angr.sim_variable import SimVariable, SimTemporaryVariable, SimStackVariable, SimMemoryVariable
@@ -52,6 +53,7 @@ from angr.analyses.decompiler.structuring.structurer_nodes import (
     LoopNode,
     BreakNode,
     SwitchCaseNode,
+    IncompleteSwitchCaseNode,
     ContinueNode,
     CascadingConditionNode,
 )
@@ -1136,6 +1138,53 @@ class CSwitchCase(CStatement):
         yield "\n", None
 
 
+class CIncompleteSwitchCase(CStatement):
+    """
+    Represents an incomplete switch-case construct; this only appear in the decompilation output when switch-case
+    structuring fails (for whatever reason).
+    """
+
+    __slots__ = ("head", "cases", "tags")
+
+    def __init__(self, head, cases, tags=None, **kwargs):
+        super().__init__(**kwargs)
+
+        self.head = head
+        self.cases: list[tuple[int, CStatements]] = cases
+        self.tags = tags
+
+    def c_repr_chunks(self, indent=0, asexpr=False):
+        indent_str = self.indent_str(indent=indent)
+        paren = CClosingObject("(")
+        brace = CClosingObject("{")
+
+        yield from self.head.c_repr_chunks(indent=indent)
+        yield "\n", None
+        yield indent_str, None
+        yield "switch ", self
+        yield "(", paren
+        yield "/* incomplete */", None
+        yield ")", paren
+        if self.codegen.braces_on_own_lines:
+            yield "\n", None
+            yield indent_str, None
+        else:
+            yield " ", None
+        yield "{", brace
+        yield "\n", None
+
+        # cases
+        for case_addr, case in self.cases:
+            yield indent_str, None
+            yield f"case {case_addr:#x}", self
+            yield ":\n", None
+            yield from case.c_repr_chunks(indent=indent + INDENT_DELTA)
+
+        yield indent_str, None
+        yield "}", brace
+        yield "\n", None
+
+
 class CAssignment(CStatement):
     """
     a = b
@@ -1299,6 +1348,8 @@ class CFunctionCall(CStatement, CExpression):
             if self.show_disambiguated_name and self._is_target_ambiguous(func_name):
                 func_name = self.callee_func.get_unambiguous_name(display_name=func_name)
             yield func_name, self
+        elif isinstance(self.callee_target, str):
+            yield self.callee_target, self
         else:
             yield from CExpression._try_c_repr_chunks(self.callee_target)
 
@@ -1819,7 +1870,6 @@ class CBinaryOp(CExpression):
             "Mul": self._c_repr_chunks_mul,
             "Mull": self._c_repr_chunks_mull,
             "Div": self._c_repr_chunks_div,
-            "DivMod": self._c_repr_chunks_divmod,
             "Mod": self._c_repr_chunks_mod,
             "And": self._c_repr_chunks_and,
             "Xor": self._c_repr_chunks_xor,
@@ -2443,6 +2493,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             Block: self._handle_AILBlock,
             BreakNode: self._handle_Break,
             SwitchCaseNode: self._handle_SwitchCase,
+            IncompleteSwitchCaseNode: self._handle_IncompleteSwitchCase,
             ContinueNode: self._handle_Continue,
             # AIL statements
             Stmt.Store: self._handle_Stmt_Store,
@@ -2671,16 +2722,16 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     # Util methods
     #
 
-    def default_simtype_from_size(self, n: int, signed: bool = True) -> SimType:
+    def default_simtype_from_bits(self, n: int, signed: bool = True) -> SimType:
         _mapping = {
-            8: SimTypeLongLong,
-            4: SimTypeInt,
-            2: SimTypeShort,
-            1: SimTypeChar,
+            64: SimTypeLongLong,
+            32: SimTypeInt,
+            16: SimTypeShort,
+            8: SimTypeChar,
         }
         if n in _mapping:
             return _mapping.get(n)(signed=signed).with_arch(self.project.arch)
-        return SimTypeNum(n * self.project.arch.byte_width, signed=signed).with_arch(self.project.arch)
+        return SimTypeNum(n, signed=signed).with_arch(self.project.arch)
 
     def _variable(self, variable: SimVariable, fallback_type_size: int | None) -> CVariable:
         # TODO: we need to fucking make sure that variable recovery and type inference actually generates a size
@@ -2690,7 +2741,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             variable, is_global=isinstance(variable, SimMemoryVariable) and not isinstance(variable, SimStackVariable)
         )
         if variable_type is None:
-            variable_type = self.default_simtype_from_size(fallback_type_size or self.project.arch.bytes)
+            variable_type = self.default_simtype_from_bits(
+                (fallback_type_size or self.project.arch.bytes) * self.project.arch.byte_width
+            )
         cvar = CVariable(variable, unified_variable=unified, variable_type=variable_type, codegen=self)
         self._variables_in_use[variable] = cvar
         return cvar
@@ -3172,6 +3225,12 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         tags = {"ins_addr": node.addr}
         return CSwitchCase(switch_expr, cases, default=default, tags=tags, codegen=self)
 
+    def _handle_IncompleteSwitchCase(self, node: IncompleteSwitchCaseNode, **kwargs):
+        head = self._handle(node.head, is_expr=False)
+        cases = [(case.addr, self._handle(case, is_expr=False)) for case in node.cases]
+        tags = {"ins_addr": node.addr}
+        return CIncompleteSwitchCase(head, cases, tags=tags, codegen=self)
+
     def _handle_Continue(self, node, **kwargs):
         tags = {"ins_addr": node.addr}
 
@@ -3313,7 +3372,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         if result.is_expr and result.type.size != stmt.size * self.project.arch.byte_width:
             result = CTypeCast(
                 result.type,
-                self.default_simtype_from_size(stmt.size, signed=getattr(result.type, "signed", False)),
+                self.default_simtype_from_bits(
+                    stmt.size * self.project.arch.byte_width, signed=getattr(result.type, "signed", False)
+                ),
                 result,
                 codegen=self,
             )
@@ -3376,12 +3437,12 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 return cvar
             offset = 0 if expr.variable_offset is None else expr.variable_offset
             # FIXME: The type should be associated to the register expression itself
-            type_ = self.default_simtype_from_size(expr.size, signed=False)
+            type_ = self.default_simtype_from_bits(expr.bits, signed=False)
             return self._access_constant_offset(self._get_variable_reference(cvar), offset, type_, lvalue, negotiate)
         return CRegister(expr, tags=expr.tags, codegen=self)
 
     def _handle_Expr_Load(self, expr: Expr.Load, **kwargs):
-        ty = self.default_simtype_from_size(expr.size)
+        ty = self.default_simtype_from_bits(expr.bits)
 
         def negotiate(old_ty: SimType, proposed_ty: SimType) -> SimType:
             # we do not allow returning a struct for a primitive type
@@ -3404,9 +3465,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
     def _handle_Expr_Tmp(self, expr: Tmp, **kwargs):
         l.warning("FIXME: Leftover Tmp expressions are found.")
-        return self._variable(SimTemporaryVariable(expr.tmp_idx), expr.size)
+        return self._variable(SimTemporaryVariable(expr.tmp_idx, expr.bits), expr.size)
 
-    def _handle_Expr_Const(self, expr, type_=None, reference_values=None, variable=None, **kwargs):
+    def _handle_Expr_Const(self, expr: Expr.Const, type_=None, reference_values=None, variable=None, **kwargs):
         inline_string = False
         function_pointer = False
 
@@ -3483,7 +3544,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         if type_ is None:
             # default to int
-            type_ = self.default_simtype_from_size(expr.size)
+            type_ = self.default_simtype_from_bits(expr.bits)
 
         if variable is None and hasattr(expr, "reference_variable") and expr.reference_variable is not None:
             variable = expr.reference_variable
@@ -3529,7 +3590,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     def _handle_Expr_Convert(self, expr: Expr.Convert, **kwargs):
         # width of converted type is easy
         dst_type: SimTypeInt | SimTypeChar
-        if 258 >= expr.to_bits > 128:
+        if 512 >= expr.to_bits > 256:
+            dst_type = SimTypeInt512()
+        elif 256 >= expr.to_bits > 128:
             dst_type = SimTypeInt256()
         elif 128 >= expr.to_bits > 64:
             dst_type = SimTypeInt128()
@@ -3561,7 +3624,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         # do we need an intermediate cast?
         if orig_child_signed != expr.is_signed and expr.to_bits > expr.from_bits:
             # this is a problem. sign-extension only happens when the SOURCE of the cast is signed
-            child_ty = self.default_simtype_from_size(child.type.size // self.project.arch.byte_width, expr.is_signed)
+            child_ty = self.default_simtype_from_bits(child.type.size, expr.is_signed)
             child = CTypeCast(None, child_ty, child, codegen=self)
 
         return CTypeCast(None, dst_type.with_arch(self.project.arch), child, tags=expr.tags, codegen=self)

angr/analyses/decompiler/structuring/phoenix.py

@@ -1192,8 +1192,10 @@ class PhoenixStructurer(StructurerBase):
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
         if isinstance(node_a, IncompleteSwitchCaseNode):
-            self._unpack_incompleteswitchcasenode(graph, node_a)
-            self._unpack_incompleteswitchcasenode(full_graph, node_a)
+            r = self._unpack_incompleteswitchcasenode(graph, node_a)
+            if not r:
+                return False
+            self._unpack_incompleteswitchcasenode(full_graph, node_a)  # this shall not fail
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
 
@@ -1308,7 +1310,9 @@ class PhoenixStructurer(StructurerBase):
         ):
             out_nodes = set()
             for succ in successors:
-                out_nodes |= set(full_graph.successors(succ))
+                out_nodes |= {
+                    succ for succ in full_graph.successors(succ) if succ is not node and succ not in successors
+                }
             out_nodes = list(out_nodes)
             if len(out_nodes) <= 1:
                 new_node = IncompleteSwitchCaseNode(node.addr, node, successors)
@@ -1508,7 +1512,10 @@ class PhoenixStructurer(StructurerBase):
                     if node_default is not None:
                         all_case_nodes.append(node_default)
                     case_node: SequenceNode = next(nn for nn in all_case_nodes if nn.addr == out_src.addr)
-                    case_node_last_stmt = self.cond_proc.get_last_statement(case_node)
+                    try:
+                        case_node_last_stmt = self.cond_proc.get_last_statement(case_node)
+                    except EmptyBlockNotice:
+                        case_node_last_stmt = None
                     if not isinstance(case_node_last_stmt, Jump):
                         jump_stmt = Jump(
                             None, Const(None, None, head.addr, self.project.arch.bits), None, ins_addr=out_src.addr
@@ -1562,6 +1569,15 @@ class PhoenixStructurer(StructurerBase):
 
         return case_and_entry_addrs
 
+    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+        jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+        if node.addr in jump_tables:
+            return True
+        for succ in graph.successors(node):
+            if succ.addr in jump_tables:
+                return True
+        return node in self.switch_case_known_heads
+
     # other acyclic schemas
 
     def _match_acyclic_sequence(self, graph, full_graph, start_node) -> bool:
@@ -1571,14 +1587,12 @@ class PhoenixStructurer(StructurerBase):
         succs = list(graph.successors(start_node))
         if len(succs) == 1:
             end_node = succs[0]
-            jump_tables = self.kb.cfgs["CFGFast"].jump_tables
             if (
                 full_graph.out_degree[start_node] == 1
                 and full_graph.in_degree[end_node] == 1
                 and not full_graph.has_edge(end_node, start_node)
-                and end_node.addr not in jump_tables
-                and end_node not in self.switch_case_known_heads
-                and start_node not in self.switch_case_known_heads
+                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node)
+                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
                 and end_node not in self.dowhile_known_tail_nodes
             ):
                 # merge two blocks
@@ -1599,7 +1613,9 @@ class PhoenixStructurer(StructurerBase):
         succs = list(full_graph.successors(start_node))
         if len(succs) == 2:
             left, right = succs
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 # structure the switch-case first before we wrap them into an ITE. give up
                 return False
 
@@ -2032,7 +2048,9 @@ class PhoenixStructurer(StructurerBase):
                 left, right = right, left
 
             # ensure left and right nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 return None
 
             if (
@@ -2079,7 +2097,9 @@ class PhoenixStructurer(StructurerBase):
                 left, right = right, left
 
             # ensure left and right nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 return None
 
             if (
@@ -2120,7 +2140,9 @@ class PhoenixStructurer(StructurerBase):
                 left, successor = successor, left
 
             # ensure left and successor nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or successor in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, successor):
                 return None
 
             if (
@@ -2168,7 +2190,9 @@ class PhoenixStructurer(StructurerBase):
                 left, else_node = else_node, left
 
             # ensure left and else nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or else_node in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, else_node):
                 return None
 
             if (
@@ -2460,7 +2484,7 @@ class PhoenixStructurer(StructurerBase):
         return True, new_seq
 
     @staticmethod
-    def _unpack_incompleteswitchcasenode(graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode):
+    def _unpack_incompleteswitchcasenode(graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode) -> bool:
         preds = list(graph.predecessors(incscnode))
         succs = list(graph.successors(incscnode))
         if len(succs) <= 1:
@@ -2471,6 +2495,8 @@ class PhoenixStructurer(StructurerBase):
                 graph.add_edge(incscnode.head, case_node)
                 if succs:
                     graph.add_edge(case_node, succs[0])
+            return True
+        return False
 
     @staticmethod
     def _count_statements(node: BaseNode | Block) -> int:

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -411,3 +411,12 @@ class IncompleteSwitchCaseHeadStatement(ailment.statement.Statement):
         return ailment.utils.stable_hash(
             (IncompleteSwitchCaseHeadStatement, self.idx, self.switch_variable, self._case_addrs_str)
         )
+
+    def replace(self, old_expr, new_expr):
+        return self
+
+    def likes(self, other):
+        return self == other
+
+    def matches(self, other):
+        return self == other