angr 9.2.131__py3-none-macosx_11_0_arm64.whl → 9.2.132__py3-none-macosx_11_0_arm64.whl

angr/analyses/ddg.py

@@ -2,8 +2,10 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
 
+import claripy
 import networkx
 import pyvex
+
 from . import Analysis
 
 from angr.code_location import CodeLocation
@@ -1030,9 +1032,9 @@ class DDG(Analysis):
 
         if not action.data.reg_deps and not action.data.tmp_deps:
             # might be a constant assignment
-            v = action.data.ast
+            v: claripy.ast.BV = action.data.ast
             if not v.symbolic:
-                const_var = SimConstantVariable(v.concrete_value)
+                const_var = SimConstantVariable(value=v.concrete_value, size=v.size())
                 const_progvar = ProgramVariable(const_var, prog_var.location)
                 self._data_graph_add_edge(const_progvar, prog_var, type="mem_data")
 
@@ -1109,7 +1111,8 @@ class DDG(Analysis):
                 elif isinstance(statement.data, pyvex.IRExpr.Const):
                     # assignment
                     const = statement.data.con.value
-                    self._ast_graph.add_edge(ProgramVariable(SimConstantVariable(const), location), pv)
+                    size = statement.data.con.size
+                    self._ast_graph.add_edge(ProgramVariable(SimConstantVariable(value=const, size=size), location), pv)
 
     def _handle_reg_read(self, action, location, state, statement):  # pylint:disable=unused-argument
         reg_offset = action.offset
@@ -1140,7 +1143,7 @@ class DDG(Analysis):
         elif reg_offset == self.project.arch.bp_offset:
             self._custom_data_per_statement = ("bp", 0)
 
-    def _handle_reg_write(self, action, location, state, statement):  # pylint:disable=unused-argument
+    def _handle_reg_write(self, action, location, state, statement: pyvex.stmt.Put):  # pylint:disable=unused-argument
         reg_offset = action.offset
         variable = SimRegisterVariable(reg_offset, action.data.ast.size() // 8)
 
@@ -1157,9 +1160,9 @@ class DDG(Analysis):
         if not action.reg_deps and not action.tmp_deps:
             # moving a constant into the register
             # try to parse out the constant from statement
-            const_variable = SimConstantVariable()
+            const_variable = SimConstantVariable(size=1)
             if statement is not None and isinstance(statement.data, pyvex.IRExpr.Const):
-                const_variable = SimConstantVariable(value=statement.data.con.value)
+                const_variable = SimConstantVariable(value=statement.data.con.value, size=statement.data.con.size)
             const_pv = ProgramVariable(const_variable, location, arch=self.project.arch)
             self._data_graph_add_edge(const_pv, pv)
 
@@ -1187,7 +1190,7 @@ class DDG(Analysis):
         ast = None
 
         tmp = action.tmp
-        pv = ProgramVariable(SimTemporaryVariable(tmp), location, arch=self.project.arch)
+        pv = ProgramVariable(SimTemporaryVariable(tmp, len(action.data)), location, arch=self.project.arch)
 
         if ast is not None:
             for operand in ast.operands:
@@ -1230,12 +1233,12 @@ class DDG(Analysis):
         if not action.tmp_deps and not self._variables_per_statement and not ast:
             # read in a constant
             # try to parse out the constant from statement
-            const_variable = SimConstantVariable()
+            const_variable = SimConstantVariable(size=1)
             if statement is not None:
                 if isinstance(statement, pyvex.IRStmt.Dirty):
                     l.warning("Dirty statements are not supported in DDG for now.")
                 elif isinstance(statement.data, pyvex.IRExpr.Const):
-                    const_variable = SimConstantVariable(value=statement.data.con.value)
+                    const_variable = SimConstantVariable(value=statement.data.con.value, size=statement.data.con.size)
             const_pv = ProgramVariable(const_variable, location, arch=self.project.arch)
             self._data_graph_add_edge(const_pv, pv)
 
@@ -1296,7 +1299,7 @@ class DDG(Analysis):
                 const_value = expr_1.ast.args[0]
                 tmp = next(iter(expr_0.tmp_deps))
 
-                const_def = ProgramVariable(SimConstantVariable(const_value), location)
+                const_def = ProgramVariable(SimConstantVariable(value=const_value, size=len(expr_1.ast)), location)
                 tmp_def = self._temp_variables[tmp]
                 return AST("-", tmp_def, const_def)
 
@@ -1310,7 +1313,7 @@ class DDG(Analysis):
                 const_value = expr_1.ast.args[0]
                 tmp = next(iter(expr_0.tmp_deps))
 
-                const_def = ProgramVariable(SimConstantVariable(const_value), location)
+                const_def = ProgramVariable(SimConstantVariable(value=const_value, size=len(expr_1.ast)), location)
                 tmp_def = self._temp_variables[tmp]
                 return AST("+", tmp_def, const_def)
 

angr/analyses/decompiler/ail_simplifier.py

@@ -24,6 +24,7 @@ from ailment.expression import (
     VirtualVariable,
 )
 
+from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SRDAModel
 from angr.utils.ail import is_phi_assignment, HasExprWalker
 from angr.code_location import CodeLocation, ExternalCodeLocation
@@ -213,11 +214,11 @@ class AILSimplifier(Analysis):
         self._reaching_definitions = rd
         return rd
 
-    def _compute_propagation(self, immediate_stmt_removal: bool = False):
+    def _compute_propagation(self, immediate_stmt_removal: bool = False) -> SPropagatorAnalysis:
         # Propagate expressions or return the existing result
         if self._propagator is not None:
             return self._propagator
-        prop = self.project.analyses.SPropagator(
+        prop = self.project.analyses[SPropagatorAnalysis].prep()(
             subject=self.func,
             func_graph=self.func_graph,
             # gp=self._gp,

angr/analyses/decompiler/block_simplifier.py

@@ -2,10 +2,10 @@
 from __future__ import annotations
 import logging
 from typing import TYPE_CHECKING
-from collections.abc import Iterable
+from collections.abc import Iterable, Mapping
 
 from ailment.statement import Statement, Assignment, Call, Store, Jump
-from ailment.expression import Tmp, Load, Const, Register, Convert
+from ailment.expression import Tmp, Load, Const, Register, Convert, Expression
 from ailment import AILBlockWalkerBase
 
 from angr.code_location import ExternalCodeLocation, CodeLocation
@@ -139,7 +139,7 @@ class BlockSimplifier(Analysis):
 
         self.result_block = block
 
-    def _compute_propagation(self, block):
+    def _compute_propagation(self, block) -> SPropagatorAnalysis:
         if self._propagator is None:
             self._propagator = self.project.analyses[SPropagatorAnalysis].prep()(
                 subject=block,
@@ -155,7 +155,6 @@ class BlockSimplifier(Analysis):
                 .prep()(
                     subject=block,
                     track_tmps=True,
-                    stack_pointer_tracker=self._stack_pointer_tracker,
                     func_addr=self.func_addr,
                 )
                 .model
@@ -201,8 +200,8 @@ class BlockSimplifier(Analysis):
 
     @staticmethod
     def _replace_and_build(
-        block,
-        replacements,
+        block: Block,
+        replacements: Mapping[CodeLocation, Mapping[Expression, Expression]],
         replace_assignment_dsts: bool = False,
         replace_loads: bool = False,
         gp: int | None = None,
@@ -211,14 +210,9 @@ class BlockSimplifier(Analysis):
         new_statements = block.statements[::]
         replaced = False
 
-        stmts_to_remove = set()
         for codeloc, repls in replacements.items():
             for old, new in repls.items():
-                stmt_to_remove = None
-                if isinstance(new, dict):
-                    stmt_to_remove = new["stmt_to_remove"]
-                    new = new["expr"]
-
+                assert codeloc.stmt_idx is not None
                 stmt = new_statements[codeloc.stmt_idx]
                 if (
                     not replace_loads
@@ -229,7 +223,9 @@ class BlockSimplifier(Analysis):
                     # skip memory-based replacement for non-Call and non-gp-loading statements
                     continue
                 if stmt == old:
-                    # replace this statement
+                    # the replacement must be a call, since replacements can only be expressions
+                    # and call is the only thing which is both a statement and an expression
+                    assert isinstance(new, Call)
                     r = True
                     new_stmt = new
                 else:
@@ -257,20 +253,13 @@ class BlockSimplifier(Analysis):
                         r, new_stmt = stmt.replace(old, new)
 
                 if r:
+                    assert new_stmt is not None
                     replaced = True
                     new_statements[codeloc.stmt_idx] = new_stmt
-                    if stmt_to_remove is not None:
-                        stmts_to_remove.add(stmt_to_remove)
 
         if not replaced:
             return False, block
 
-        if stmts_to_remove:
-            stmt_ids_to_remove = {a.stmt_idx for a in stmts_to_remove}
-            all_stmts = {idx: stmt for idx, stmt in enumerate(new_statements) if idx not in stmt_ids_to_remove}
-            filtered_stmts = sorted(all_stmts.items(), key=lambda x: x[0])
-            new_statements = [stmt for _, stmt in filtered_stmts]
-
         new_block = block.copy()
         new_block.statements = new_statements
         return True, new_block

angr/analyses/decompiler/clinic.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any, NamedTuple, TYPE_CHECKING
 import copy
@@ -12,6 +13,7 @@ import capstone
 
 import ailment
 
+from angr.analyses.decompiler.ssailification.ssailification import Ssailification
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions import Function
@@ -268,6 +270,7 @@ class Clinic(Analysis):
     def _decompilation_fixups(self, ail_graph):
         is_pcode_arch = ":" in self.project.arch.name
 
+        self._remove_redundant_jump_blocks(ail_graph)
         # _fix_abnormal_switch_case_heads may re-lift from VEX blocks, so it should be placed as high up as possible
         self._fix_abnormal_switch_case_heads(ail_graph)
         if self._rewrite_ites_to_diamonds:
@@ -1359,10 +1362,9 @@ class Clinic(Analysis):
 
     @timethis
     def _transform_to_ssa_level0(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
-        ssailification = self.project.analyses.Ssailification(
+        ssailification = self.project.analyses[Ssailification].prep(fail_fast=self._fail_fast)(
             self.function,
             ail_graph,
-            fail_fast=self._fail_fast,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
             ssa_stackvars=False,
@@ -1932,10 +1934,12 @@ class Clinic(Analysis):
                         break
 
     def _create_triangle_for_ite_expression(self, ail_graph, block_addr: int, ite_ins_addr: int):
-        # lift the ite instruction to get its size
-        ite_insn_size = self.project.factory.block(ite_ins_addr, num_inst=1).size
+        ite_insn_only_block = self.project.factory.block(ite_ins_addr, num_inst=1)
+        ite_insn_size = ite_insn_only_block.size
         if ite_insn_size <= 2:  # we need an address for true_block and another address for false_block
             return None
+        if ite_insn_only_block.vex.exit_statements:
+            return None
 
         # relift the head and the ITE instruction
         new_head = self.project.factory.block(
@@ -2037,6 +2041,10 @@ class Clinic(Analysis):
             ):
                 return None
 
+        # corner-case: the last statement of original_block might have been patched by _remove_redundant_jump_blocks.
+        # we detect such case and fix it in new_head_ail
+        self._remove_redundant_jump_blocks_repatch_relifted_block(original_block, end_block_ail)
+
         ail_graph.remove_node(original_block)
 
         if end_block_ail not in ail_graph:
@@ -2142,15 +2150,15 @@ class Clinic(Analysis):
                             ),
                             None,
                         )
+                    intended_head_block = self.project.factory.block(
+                        intended_head.addr, size=intended_head.original_size
+                    )
                     if comparison_stmt is not None:
-                        intended_head_block = self.project.factory.block(
-                            intended_head.addr, size=intended_head.original_size
-                        )
                         cmp_rpos = len(
                             intended_head_block.instruction_addrs
                         ) - intended_head_block.instruction_addrs.index(comparison_stmt.ins_addr)
                     else:
-                        cmp_rpos = 2
+                        cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
                     self._fix_abnormal_switch_case_heads_case2(
                         ail_graph,
                         candidate,
@@ -2216,7 +2224,6 @@ class Clinic(Analysis):
                 if isinstance(stmt, ailment.Stmt.Assignment)
                 and isinstance(stmt.src, ailment.Expr.BinaryOp)
                 and stmt.src.op in ailment.Expr.BinaryOp.COMPARISON_NEGATION
-                and isinstance(stmt.src.operands[1], ailment.Expr.Const)
                 and stmt.ins_addr == last_stmt_0.ins_addr
             ),
             None,
@@ -2228,7 +2235,6 @@ class Clinic(Analysis):
                 if isinstance(stmt, ailment.Stmt.Assignment)
                 and isinstance(stmt.src, ailment.Expr.BinaryOp)
                 and stmt.src.op in ailment.Expr.BinaryOp.COMPARISON_NEGATION
-                and isinstance(stmt.src.operands[1], ailment.Expr.Const)
                 and stmt.ins_addr == last_stmt_1.ins_addr
             ),
             None,
@@ -2270,51 +2276,86 @@ class Clinic(Analysis):
         # split the intended head into two
         intended_head_block = self.project.factory.block(intended_head.addr, size=intended_head.original_size)
         split_ins_addr = intended_head_block.instruction_addrs[-intended_head_split_insns]
-        intended_head_block_0 = self.project.factory.block(intended_head.addr, size=split_ins_addr - intended_head.addr)
+        # note that the two blocks can be fully overlapping, so block_0 will be empty...
+        intended_head_block_0 = (
+            self.project.factory.block(intended_head.addr, size=split_ins_addr - intended_head.addr)
+            if split_ins_addr != intended_head.addr
+            else None
+        )
         intended_head_block_1 = self.project.factory.block(
             split_ins_addr, size=intended_head.addr + intended_head.original_size - split_ins_addr
         )
-        intended_head_0 = self._convert_vex(intended_head_block_0)
+        intended_head_0 = self._convert_vex(intended_head_block_0) if intended_head_block_0 is not None else None
         intended_head_1 = self._convert_vex(intended_head_block_1)
 
+        # corner-case: the last statement of intended_head might have been patched by _remove_redundant_jump_blocks. we
+        # detect such case and fix it in intended_head_1
+        self._remove_redundant_jump_blocks_repatch_relifted_block(intended_head, intended_head_1)
+
         # adjust the graph accordingly
         preds = list(ail_graph.predecessors(intended_head))
         succs = list(ail_graph.successors(intended_head))
         ail_graph.remove_node(intended_head)
-        ail_graph.add_edge(intended_head_0, intended_head_1)
-        for pred in preds:
-            if pred is intended_head:
-                ail_graph.add_edge(intended_head_1, intended_head_0)
-            else:
-                ail_graph.add_edge(pred, intended_head_0)
-        for succ in succs:
-            if succ is intended_head:
-                ail_graph.add_edge(intended_head_1, intended_head_0)
-            else:
-                ail_graph.add_edge(intended_head_1, succ)
+
+        if intended_head_0 is None:
+            # perfect overlap; the first block is empty
+            for pred in preds:
+                if pred is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_1)
+                else:
+                    ail_graph.add_edge(pred, intended_head_1)
+            for succ in succs:
+                if succ is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_1)
+                else:
+                    ail_graph.add_edge(intended_head_1, succ)
+        else:
+            ail_graph.add_edge(intended_head_0, intended_head_1)
+            for pred in preds:
+                if pred is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_0)
+                else:
+                    ail_graph.add_edge(pred, intended_head_0)
+            for succ in succs:
+                if succ is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_0)
+                else:
+                    ail_graph.add_edge(intended_head_1, succ)
 
         # split other heads
         for o in other_heads:
             if other_head_split_insns > 0:
                 o_block = self.project.factory.block(o.addr, size=o.original_size)
                 o_split_addr = o_block.instruction_addrs[-other_head_split_insns]
-                new_o_block = self.project.factory.block(o.addr, size=o_split_addr - o.addr)
-                new_head = self._convert_vex(new_o_block)
+                new_o_block = (
+                    self.project.factory.block(o.addr, size=o_split_addr - o.addr) if o_split_addr != o.addr else None
+                )
+                new_head = self._convert_vex(new_o_block) if new_o_block is not None else None
             else:
                 new_head = o
 
-            if (
-                new_head.statements
-                and isinstance(new_head.statements[-1], ailment.Stmt.Jump)
-                and isinstance(new_head.statements[-1].target, ailment.Expr.Const)
-            ):
-                # update the jump target
-                new_head.statements[-1] = ailment.Stmt.Jump(
-                    new_head.statements[-1].idx,
+            if new_head is None:
+                # the head is removed - let's replace it with a jump to the target
+                jump_stmt = ailment.Stmt.Jump(
+                    None,
                     ailment.Expr.Const(None, None, intended_head_1.addr, self.project.arch.bits),
                     target_idx=intended_head_1.idx,
-                    **new_head.statements[-1].tags,
+                    ins_addr=o.addr,
                 )
+                new_head = ailment.Block(o.addr, 1, statements=[jump_stmt], idx=o.idx)
+            else:
+                if (
+                    new_head.statements
+                    and isinstance(new_head.statements[-1], ailment.Stmt.Jump)
+                    and isinstance(new_head.statements[-1].target, ailment.Expr.Const)
+                ):
+                    # update the jump target
+                    new_head.statements[-1] = ailment.Stmt.Jump(
+                        new_head.statements[-1].idx,
+                        ailment.Expr.Const(None, None, intended_head_1.addr, self.project.arch.bits),
+                        target_idx=intended_head_1.idx,
+                        **new_head.statements[-1].tags,
+                    )
 
             # adjust the graph accordingly
             preds = list(ail_graph.predecessors(o))
@@ -2384,6 +2425,39 @@ class Clinic(Analysis):
                             ail_graph.add_edge(pred, succs[0])
                         ail_graph.remove_node(node)
 
+    @staticmethod
+    def _remove_redundant_jump_blocks_repatch_relifted_block(
+        patched_block: ailment.Block, new_block: ailment.Block
+    ) -> None:
+        """
+        The last statement of patched_block might have been patched by _remove_redundant_jump_blocks. In this case, we
+        fix the last instruction for new_block, which is a newly lifted (from VEX) block that ends at the same address
+        as patched_block.
+
+        :param patched_block:   Previously patched block.
+        :param new_block:       Newly lifted block.
+        """
+
+        if (
+            isinstance(patched_block.statements[-1], ailment.Stmt.Jump)
+            and isinstance(patched_block.statements[-1].target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1], ailment.Stmt.Jump)
+            and isinstance(new_block.statements[-1].target, ailment.Expr.Const)
+            and not patched_block.statements[-1].likes(new_block.statements[-1])
+        ):
+            new_block.statements[-1].target = patched_block.statements[-1].target
+        if (
+            isinstance(patched_block.statements[-1], ailment.Stmt.ConditionalJump)
+            and isinstance(patched_block.statements[-1].true_target, ailment.Expr.Const)
+            and isinstance(patched_block.statements[-1].false_target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1], ailment.Stmt.ConditionalJump)
+            and isinstance(new_block.statements[-1].true_target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1].false_target, ailment.Expr.Const)
+            and not patched_block.statements[-1].likes(new_block.statements[-1])
+        ):
+            new_block.statements[-1].true_target = patched_block.statements[-1].true_target
+            new_block.statements[-1].false_target = patched_block.statements[-1].false_target
+
     @staticmethod
     def _insert_block_labels(ail_graph):
         for node in ail_graph.nodes:

angr/analyses/decompiler/condition_processor.py

@@ -116,37 +116,37 @@ _ail2claripy_op_mapping = {
     "CmpEQ": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) == conv(expr.operands[1], ins_addr=ia),
     "CmpNE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) != conv(expr.operands[1], ins_addr=ia),
     "CmpLE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) <= conv(expr.operands[1], ins_addr=ia),
-    "CmpLEs": lambda expr, conv, _, ia: claripy.SLE(
+    "CmpLE (signed)": lambda expr, conv, _, ia: claripy.SLE(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CmpLT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) < conv(expr.operands[1], ins_addr=ia),
-    "CmpLTs": lambda expr, conv, _, ia: claripy.SLT(
+    "CmpLT (signed)": lambda expr, conv, _, ia: claripy.SLT(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CmpGE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) >= conv(expr.operands[1], ins_addr=ia),
-    "CmpGEs": lambda expr, conv, _, ia: claripy.SGE(
+    "CmpGE (signed)": lambda expr, conv, _, ia: claripy.SGE(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CmpGT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) > conv(expr.operands[1], ins_addr=ia),
-    "CmpGTs": lambda expr, conv, _, ia: claripy.SGT(
+    "CmpGT (signed)": lambda expr, conv, _, ia: claripy.SGT(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CasCmpEQ": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) == conv(expr.operands[1], ins_addr=ia),
     "CasCmpNE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) != conv(expr.operands[1], ins_addr=ia),
     "CasCmpLE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) <= conv(expr.operands[1], ins_addr=ia),
-    "CasCmpLEs": lambda expr, conv, _, ia: claripy.SLE(
+    "CasCmpLE (signed)": lambda expr, conv, _, ia: claripy.SLE(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CasCmpLT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) < conv(expr.operands[1], ins_addr=ia),
-    "CasCmpLTs": lambda expr, conv, _, ia: claripy.SLT(
+    "CasCmpLT (signed)": lambda expr, conv, _, ia: claripy.SLT(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CasCmpGE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) >= conv(expr.operands[1], ins_addr=ia),
-    "CasCmpGEs": lambda expr, conv, _, ia: claripy.SGE(
+    "CasCmpGE (signed)": lambda expr, conv, _, ia: claripy.SGE(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "CasCmpGT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) > conv(expr.operands[1], ins_addr=ia),
-    "CasCmpGTs": lambda expr, conv, _, ia: claripy.SGT(
+    "CasCmpGT (signed)": lambda expr, conv, _, ia: claripy.SGT(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
     "Add": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
@@ -177,10 +177,9 @@ _ail2claripy_op_mapping = {
     ),
     "Concat": lambda expr, conv, _, ia: claripy.Concat(*[conv(operand, ins_addr=ia) for operand in expr.operands]),
     # There are no corresponding claripy operations for the following operations
-    "DivMod": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "CmpF": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Mull": lambda expr, _, m, *args: _dummy_bvs(expr, m),
-    "Mulls": lambda expr, _, m, *args: _dummy_bvs(expr, m),
+    "Mull (signed)": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Reinterpret": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Rol": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Ror": lambda expr, _, m, *args: _dummy_bvs(expr, m),
@@ -190,7 +189,10 @@ _ail2claripy_op_mapping = {
     "SBorrow": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "ExpCmpNE": lambda expr, _, m, *args: _dummy_bools(expr, m),
     "CmpORD": lambda expr, _, m, *args: _dummy_bvs(expr, m),  # in case CmpORDRewriter fails
+    "CmpEQV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "GetMSBs": lambda expr, _, m, *args: _dummy_bvs(expr, m),
+    "ShlNV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
+    "ShrNV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "InterleaveLOV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "InterleaveHIV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     # catch-all

angr/analyses/decompiler/dephication/graph_rewriting.py

@@ -37,7 +37,7 @@ class GraphRewritingAnalysis(ForwardAnalysis[None, NodeType, object, object]):
         )
         self._graph = ail_graph
         self._vvar_to_vvar = vvar_to_vvar
-        self._engine_ail = SimEngineDephiRewriting(self.project.arch, self._vvar_to_vvar)
+        self._engine_ail = SimEngineDephiRewriting(self.project, self._vvar_to_vvar)
 
         self._visited_blocks: set[Any] = set()
         self.out_blocks = {}