angr 9.2.131__py3-none-win_amd64.whl → 9.2.133__py3-none-win_amd64.whl

angr/analyses/decompiler/clinic.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any, NamedTuple, TYPE_CHECKING
 import copy
@@ -12,6 +13,7 @@ import capstone
 
 import ailment
 
+from angr.analyses.decompiler.ssailification.ssailification import Ssailification
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions import Function
@@ -268,6 +270,7 @@ class Clinic(Analysis):
     def _decompilation_fixups(self, ail_graph):
         is_pcode_arch = ":" in self.project.arch.name
 
+        self._remove_redundant_jump_blocks(ail_graph)
         # _fix_abnormal_switch_case_heads may re-lift from VEX blocks, so it should be placed as high up as possible
         self._fix_abnormal_switch_case_heads(ail_graph)
         if self._rewrite_ites_to_diamonds:
@@ -597,7 +600,7 @@ class Clinic(Analysis):
             arg_list.append(arg_vvars[idx][1])
 
         # Get virtual variable mapping that can de-phi the SSA representation
-        vvar2vvar = self._collect_dephi_vvar_mapping_and_rewrite_blocks(ail_graph)
+        vvar2vvar, copied_vvar_ids = self._collect_dephi_vvar_mapping_and_rewrite_blocks(ail_graph, arg_vvars)
 
         # Recover variables on AIL blocks
         self._update_progress(80.0, text="Recovering variables")
@@ -605,7 +608,11 @@ class Clinic(Analysis):
 
         # Run simplification passes
         self._update_progress(85.0, text="Running simplifications 4")
-        ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_VARIABLE_RECOVERY)
+        ail_graph = self._run_simplification_passes(
+            ail_graph,
+            stage=OptimizationPassStage.AFTER_VARIABLE_RECOVERY,
+            avoid_vvar_ids=copied_vvar_ids,
+        )
 
         # Make function prototype
         self._update_progress(90.0, text="Making function prototype")
@@ -1359,10 +1366,9 @@ class Clinic(Analysis):
 
     @timethis
     def _transform_to_ssa_level0(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
-        ssailification = self.project.analyses.Ssailification(
+        ssailification = self.project.analyses[Ssailification].prep(fail_fast=self._fail_fast)(
             self.function,
             ail_graph,
-            fail_fast=self._fail_fast,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
             ssa_stackvars=False,
@@ -1387,16 +1393,19 @@ class Clinic(Analysis):
         return ssailification.out_graph
 
     @timethis
-    def _collect_dephi_vvar_mapping_and_rewrite_blocks(self, ail_graph: networkx.DiGraph) -> dict[int, int]:
+    def _collect_dephi_vvar_mapping_and_rewrite_blocks(
+        self, ail_graph: networkx.DiGraph, arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]]
+    ) -> tuple[dict[int, int], set[int]]:
         dephication = self.project.analyses.GraphDephicationVVarMapping(
             self.function,
             ail_graph,
             fail_fast=self._fail_fast,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             vvar_id_start=self.vvar_id_start,
+            arg_vvars=[arg_vvar for arg_vvar, _ in arg_vvars.values()],
         )
         self.vvar_id_start = dephication.vvar_id_start + 1
-        return dephication.vvar_to_vvar_mapping
+        return dephication.vvar_to_vvar_mapping, dephication.copied_vvar_ids
 
     @timethis
     def _make_argument_list(self) -> list[SimVariable]:
@@ -1410,7 +1419,7 @@ class Clinic(Analysis):
                         argvar = SimRegisterVariable(
                             self.project.arch.registers[arg.reg_name][0],
                             arg.size,
-                            ident="arg_%d" % idx,
+                            ident=f"arg_{idx}",
                             name=arg_names[idx],
                             region=self.function.addr,
                         )
@@ -1419,13 +1428,13 @@ class Clinic(Analysis):
                             arg.stack_offset,
                             arg.size,
                             base="bp",
-                            ident="arg_%d" % idx,
+                            ident=f"arg_{idx}",
                             name=arg_names[idx],
                             region=self.function.addr,
                         )
                     else:
                         argvar = SimVariable(
-                            ident="arg_%d" % idx,
+                            ident=f"arg_{idx}",
                             name=arg_names[idx],
                             region=self.function.addr,
                             size=arg.size,
@@ -1932,10 +1941,12 @@ class Clinic(Analysis):
                         break
 
     def _create_triangle_for_ite_expression(self, ail_graph, block_addr: int, ite_ins_addr: int):
-        # lift the ite instruction to get its size
-        ite_insn_size = self.project.factory.block(ite_ins_addr, num_inst=1).size
+        ite_insn_only_block = self.project.factory.block(ite_ins_addr, num_inst=1)
+        ite_insn_size = ite_insn_only_block.size
         if ite_insn_size <= 2:  # we need an address for true_block and another address for false_block
             return None
+        if ite_insn_only_block.vex.exit_statements:
+            return None
 
         # relift the head and the ITE instruction
         new_head = self.project.factory.block(
@@ -2037,6 +2048,10 @@ class Clinic(Analysis):
             ):
                 return None
 
+        # corner-case: the last statement of original_block might have been patched by _remove_redundant_jump_blocks.
+        # we detect such case and fix it in new_head_ail
+        self._remove_redundant_jump_blocks_repatch_relifted_block(original_block, end_block_ail)
+
         ail_graph.remove_node(original_block)
 
         if end_block_ail not in ail_graph:
@@ -2142,15 +2157,15 @@ class Clinic(Analysis):
                             ),
                             None,
                         )
+                    intended_head_block = self.project.factory.block(
+                        intended_head.addr, size=intended_head.original_size
+                    )
                     if comparison_stmt is not None:
-                        intended_head_block = self.project.factory.block(
-                            intended_head.addr, size=intended_head.original_size
-                        )
                         cmp_rpos = len(
                             intended_head_block.instruction_addrs
                         ) - intended_head_block.instruction_addrs.index(comparison_stmt.ins_addr)
                     else:
-                        cmp_rpos = 2
+                        cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
                     self._fix_abnormal_switch_case_heads_case2(
                         ail_graph,
                         candidate,
@@ -2216,7 +2231,6 @@ class Clinic(Analysis):
                 if isinstance(stmt, ailment.Stmt.Assignment)
                 and isinstance(stmt.src, ailment.Expr.BinaryOp)
                 and stmt.src.op in ailment.Expr.BinaryOp.COMPARISON_NEGATION
-                and isinstance(stmt.src.operands[1], ailment.Expr.Const)
                 and stmt.ins_addr == last_stmt_0.ins_addr
             ),
             None,
@@ -2228,7 +2242,6 @@ class Clinic(Analysis):
                 if isinstance(stmt, ailment.Stmt.Assignment)
                 and isinstance(stmt.src, ailment.Expr.BinaryOp)
                 and stmt.src.op in ailment.Expr.BinaryOp.COMPARISON_NEGATION
-                and isinstance(stmt.src.operands[1], ailment.Expr.Const)
                 and stmt.ins_addr == last_stmt_1.ins_addr
             ),
             None,
@@ -2270,51 +2283,86 @@ class Clinic(Analysis):
         # split the intended head into two
         intended_head_block = self.project.factory.block(intended_head.addr, size=intended_head.original_size)
         split_ins_addr = intended_head_block.instruction_addrs[-intended_head_split_insns]
-        intended_head_block_0 = self.project.factory.block(intended_head.addr, size=split_ins_addr - intended_head.addr)
+        # note that the two blocks can be fully overlapping, so block_0 will be empty...
+        intended_head_block_0 = (
+            self.project.factory.block(intended_head.addr, size=split_ins_addr - intended_head.addr)
+            if split_ins_addr != intended_head.addr
+            else None
+        )
         intended_head_block_1 = self.project.factory.block(
             split_ins_addr, size=intended_head.addr + intended_head.original_size - split_ins_addr
         )
-        intended_head_0 = self._convert_vex(intended_head_block_0)
+        intended_head_0 = self._convert_vex(intended_head_block_0) if intended_head_block_0 is not None else None
         intended_head_1 = self._convert_vex(intended_head_block_1)
 
+        # corner-case: the last statement of intended_head might have been patched by _remove_redundant_jump_blocks. we
+        # detect such case and fix it in intended_head_1
+        self._remove_redundant_jump_blocks_repatch_relifted_block(intended_head, intended_head_1)
+
         # adjust the graph accordingly
         preds = list(ail_graph.predecessors(intended_head))
         succs = list(ail_graph.successors(intended_head))
         ail_graph.remove_node(intended_head)
-        ail_graph.add_edge(intended_head_0, intended_head_1)
-        for pred in preds:
-            if pred is intended_head:
-                ail_graph.add_edge(intended_head_1, intended_head_0)
-            else:
-                ail_graph.add_edge(pred, intended_head_0)
-        for succ in succs:
-            if succ is intended_head:
-                ail_graph.add_edge(intended_head_1, intended_head_0)
-            else:
-                ail_graph.add_edge(intended_head_1, succ)
+
+        if intended_head_0 is None:
+            # perfect overlap; the first block is empty
+            for pred in preds:
+                if pred is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_1)
+                else:
+                    ail_graph.add_edge(pred, intended_head_1)
+            for succ in succs:
+                if succ is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_1)
+                else:
+                    ail_graph.add_edge(intended_head_1, succ)
+        else:
+            ail_graph.add_edge(intended_head_0, intended_head_1)
+            for pred in preds:
+                if pred is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_0)
+                else:
+                    ail_graph.add_edge(pred, intended_head_0)
+            for succ in succs:
+                if succ is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_0)
+                else:
+                    ail_graph.add_edge(intended_head_1, succ)
 
         # split other heads
         for o in other_heads:
             if other_head_split_insns > 0:
                 o_block = self.project.factory.block(o.addr, size=o.original_size)
                 o_split_addr = o_block.instruction_addrs[-other_head_split_insns]
-                new_o_block = self.project.factory.block(o.addr, size=o_split_addr - o.addr)
-                new_head = self._convert_vex(new_o_block)
+                new_o_block = (
+                    self.project.factory.block(o.addr, size=o_split_addr - o.addr) if o_split_addr != o.addr else None
+                )
+                new_head = self._convert_vex(new_o_block) if new_o_block is not None else None
             else:
                 new_head = o
 
-            if (
-                new_head.statements
-                and isinstance(new_head.statements[-1], ailment.Stmt.Jump)
-                and isinstance(new_head.statements[-1].target, ailment.Expr.Const)
-            ):
-                # update the jump target
-                new_head.statements[-1] = ailment.Stmt.Jump(
-                    new_head.statements[-1].idx,
+            if new_head is None:
+                # the head is removed - let's replace it with a jump to the target
+                jump_stmt = ailment.Stmt.Jump(
+                    None,
                     ailment.Expr.Const(None, None, intended_head_1.addr, self.project.arch.bits),
                     target_idx=intended_head_1.idx,
-                    **new_head.statements[-1].tags,
+                    ins_addr=o.addr,
                 )
+                new_head = ailment.Block(o.addr, 1, statements=[jump_stmt], idx=o.idx)
+            else:
+                if (
+                    new_head.statements
+                    and isinstance(new_head.statements[-1], ailment.Stmt.Jump)
+                    and isinstance(new_head.statements[-1].target, ailment.Expr.Const)
+                ):
+                    # update the jump target
+                    new_head.statements[-1] = ailment.Stmt.Jump(
+                        new_head.statements[-1].idx,
+                        ailment.Expr.Const(None, None, intended_head_1.addr, self.project.arch.bits),
+                        target_idx=intended_head_1.idx,
+                        **new_head.statements[-1].tags,
+                    )
 
             # adjust the graph accordingly
             preds = list(ail_graph.predecessors(o))
@@ -2384,6 +2432,39 @@ class Clinic(Analysis):
                             ail_graph.add_edge(pred, succs[0])
                         ail_graph.remove_node(node)
 
+    @staticmethod
+    def _remove_redundant_jump_blocks_repatch_relifted_block(
+        patched_block: ailment.Block, new_block: ailment.Block
+    ) -> None:
+        """
+        The last statement of patched_block might have been patched by _remove_redundant_jump_blocks. In this case, we
+        fix the last instruction for new_block, which is a newly lifted (from VEX) block that ends at the same address
+        as patched_block.
+
+        :param patched_block:   Previously patched block.
+        :param new_block:       Newly lifted block.
+        """
+
+        if (
+            isinstance(patched_block.statements[-1], ailment.Stmt.Jump)
+            and isinstance(patched_block.statements[-1].target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1], ailment.Stmt.Jump)
+            and isinstance(new_block.statements[-1].target, ailment.Expr.Const)
+            and not patched_block.statements[-1].likes(new_block.statements[-1])
+        ):
+            new_block.statements[-1].target = patched_block.statements[-1].target
+        if (
+            isinstance(patched_block.statements[-1], ailment.Stmt.ConditionalJump)
+            and isinstance(patched_block.statements[-1].true_target, ailment.Expr.Const)
+            and isinstance(patched_block.statements[-1].false_target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1], ailment.Stmt.ConditionalJump)
+            and isinstance(new_block.statements[-1].true_target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1].false_target, ailment.Expr.Const)
+            and not patched_block.statements[-1].likes(new_block.statements[-1])
+        ):
+            new_block.statements[-1].true_target = patched_block.statements[-1].true_target
+            new_block.statements[-1].false_target = patched_block.statements[-1].false_target
+
     @staticmethod
     def _insert_block_labels(ail_graph):
         for node in ail_graph.nodes:

angr/analyses/decompiler/condition_processor.py

@@ -113,41 +113,53 @@ _ail2claripy_op_mapping = {
     "LogicalOr": lambda expr, conv, _, ia: claripy.Or(
         conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
     ),
-    "CmpEQ": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) == conv(expr.operands[1], ins_addr=ia),
-    "CmpNE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) != conv(expr.operands[1], ins_addr=ia),
-    "CmpLE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) <= conv(expr.operands[1], ins_addr=ia),
-    "CmpLEs": lambda expr, conv, _, ia: claripy.SLE(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CmpEQ": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    == conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CmpNE": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    != conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CmpLE": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    <= conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CmpLE (signed)": lambda expr, conv, _, ia: claripy.SLE(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CmpLT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) < conv(expr.operands[1], ins_addr=ia),
-    "CmpLTs": lambda expr, conv, _, ia: claripy.SLT(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CmpLT": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    < conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CmpLT (signed)": lambda expr, conv, _, ia: claripy.SLT(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CmpGE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) >= conv(expr.operands[1], ins_addr=ia),
-    "CmpGEs": lambda expr, conv, _, ia: claripy.SGE(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CmpGE": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    >= conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CmpGE (signed)": lambda expr, conv, _, ia: claripy.SGE(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CmpGT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) > conv(expr.operands[1], ins_addr=ia),
-    "CmpGTs": lambda expr, conv, _, ia: claripy.SGT(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CmpGT": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    > conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CmpGT (signed)": lambda expr, conv, _, ia: claripy.SGT(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CasCmpEQ": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) == conv(expr.operands[1], ins_addr=ia),
-    "CasCmpNE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) != conv(expr.operands[1], ins_addr=ia),
-    "CasCmpLE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) <= conv(expr.operands[1], ins_addr=ia),
-    "CasCmpLEs": lambda expr, conv, _, ia: claripy.SLE(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CasCmpEQ": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    == conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CasCmpNE": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    != conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CasCmpLE": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    <= conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CasCmpLE (signed)": lambda expr, conv, _, ia: claripy.SLE(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CasCmpLT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) < conv(expr.operands[1], ins_addr=ia),
-    "CasCmpLTs": lambda expr, conv, _, ia: claripy.SLT(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CasCmpLT": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    < conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CasCmpLT (signed)": lambda expr, conv, _, ia: claripy.SLT(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CasCmpGE": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) >= conv(expr.operands[1], ins_addr=ia),
-    "CasCmpGEs": lambda expr, conv, _, ia: claripy.SGE(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CasCmpGE": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    >= conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CasCmpGE (signed)": lambda expr, conv, _, ia: claripy.SGE(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
-    "CasCmpGT": lambda expr, conv, _, ia: conv(expr.operands[0], ins_addr=ia) > conv(expr.operands[1], ins_addr=ia),
-    "CasCmpGTs": lambda expr, conv, _, ia: claripy.SGT(
-        conv(expr.operands[0], ins_addr=ia), conv(expr.operands[1], ins_addr=ia)
+    "CasCmpGT": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
+    > conv(expr.operands[1], nobool=True, ins_addr=ia),
+    "CasCmpGT (signed)": lambda expr, conv, _, ia: claripy.SGT(
+        conv(expr.operands[0], nobool=True, ins_addr=ia), conv(expr.operands[1], nobool=True, ins_addr=ia)
     ),
     "Add": lambda expr, conv, _, ia: conv(expr.operands[0], nobool=True, ins_addr=ia)
     + conv(expr.operands[1], nobool=True, ins_addr=ia),
@@ -177,10 +189,9 @@ _ail2claripy_op_mapping = {
     ),
     "Concat": lambda expr, conv, _, ia: claripy.Concat(*[conv(operand, ins_addr=ia) for operand in expr.operands]),
     # There are no corresponding claripy operations for the following operations
-    "DivMod": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "CmpF": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Mull": lambda expr, _, m, *args: _dummy_bvs(expr, m),
-    "Mulls": lambda expr, _, m, *args: _dummy_bvs(expr, m),
+    "Mull (signed)": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Reinterpret": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Rol": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "Ror": lambda expr, _, m, *args: _dummy_bvs(expr, m),
@@ -190,7 +201,10 @@ _ail2claripy_op_mapping = {
     "SBorrow": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "ExpCmpNE": lambda expr, _, m, *args: _dummy_bools(expr, m),
     "CmpORD": lambda expr, _, m, *args: _dummy_bvs(expr, m),  # in case CmpORDRewriter fails
+    "CmpEQV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "GetMSBs": lambda expr, _, m, *args: _dummy_bvs(expr, m),
+    "ShlNV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
+    "ShrNV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "InterleaveLOV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     "InterleaveHIV": lambda expr, _, m, *args: _dummy_bvs(expr, m),
     # catch-all
@@ -800,9 +814,13 @@ class ConditionProcessor:
             f"Condition variable {cond} has an unsupported operator {cond.op}. Consider implementing."
         )
 
-    def claripy_ast_from_ail_condition(self, condition, nobool: bool = False, *, ins_addr: int = 0) -> claripy.ast.Bool:
+    def claripy_ast_from_ail_condition(
+        self, condition, nobool: bool = False, *, ins_addr: int = 0
+    ) -> claripy.ast.Bool | claripy.ast.Bits:
         # Unpack a condition all the way to the leaves
-        if isinstance(condition, claripy.ast.Base):  # pylint:disable=isinstance-second-argument-not-valid-type
+        if isinstance(
+            condition, (claripy.ast.Bits, claripy.ast.Bool)
+        ):  # pylint:disable=isinstance-second-argument-not-valid-type
             return condition
 
         if isinstance(
@@ -830,11 +848,11 @@ class ConditionProcessor:
             # convert is special. if it generates a 1-bit variable, it should be treated as a BoolS
             if condition.to_bits == 1:
                 var_ = self.claripy_ast_from_ail_condition(condition.operands[0], ins_addr=ins_addr)
-                name = "ailcond_Conv(%d->%d, %d)" % (condition.from_bits, condition.to_bits, hash(var_))
+                name = f"ailcond_Conv({condition.from_bits}->{condition.to_bits}, {hash(var_)})"
                 var = claripy.BoolS(name, explicit_name=True)
             else:
                 var_ = self.claripy_ast_from_ail_condition(condition.operands[0], ins_addr=ins_addr)
-                name = "ailexpr_Conv(%d->%d, %d)" % (condition.from_bits, condition.to_bits, hash(var_))
+                name = f"ailexpr_Conv({condition.from_bits}->{condition.to_bits}, {hash(var_)})"
                 var = claripy.BVS(name, condition.to_bits, explicit_name=True)
             self._condition_mapping[var.args[0]] = condition
             return var
@@ -849,17 +867,17 @@ class ConditionProcessor:
         if isinstance(condition, ailment.Expr.Tmp):
             l.warning("Left-over ailment.Tmp variable %s.", condition)
             if condition.bits == 1:
-                var = claripy.BoolS("ailtmp_%d" % condition.tmp_idx, explicit_name=True)
+                var = claripy.BoolS(f"ailtmp_{condition.tmp_idx}", explicit_name=True)
             else:
-                var = claripy.BVS("ailtmp_%d" % condition.tmp_idx, condition.bits, explicit_name=True)
+                var = claripy.BVS(f"ailtmp_{condition.tmp_idx}", condition.bits, explicit_name=True)
             self._condition_mapping[var.args[0]] = condition
             return var
         if isinstance(condition, ailment.Expr.MultiStatementExpression):
             # just cache it
             if condition.bits == 1:
-                var = claripy.BoolS("mstmtexpr_%d" % hash(condition), explicit_name=True)
+                var = claripy.BoolS(f"mstmtexpr_{hash(condition)}", explicit_name=True)
             else:
-                var = claripy.BVS("mstmtexpr_%d" % hash(condition), condition.bits, explicit_name=True)
+                var = claripy.BVS(f"mstmtexpr_{hash(condition)}", condition.bits, explicit_name=True)
             self._condition_mapping[var.args[0]] = condition
             return var
 
@@ -883,7 +901,7 @@ class ConditionProcessor:
             self._condition_mapping[r.args[0]] = condition
 
         if r is NotImplemented:
-            if condition.bits == 1:
+            if condition.bits == 1 and not nobool:
                 r = claripy.BoolS(f"ailexpr_{condition!r}", explicit_name=True)
             else:
                 r = claripy.BVS(f"ailexpr_{condition!r}", condition.bits, explicit_name=True)

angr/analyses/decompiler/counters/__init__.py

@@ -7,10 +7,10 @@ from .expression_counters import SingleExpressionCounter, RegisterExpressionCoun
 
 
 __all__ = (
-    "BooleanCounter",
     "AILBlockCallCounter",
+    "BooleanCounter",
     "ControlFlowStructureCounter",
-    "SingleExpressionCounter",
-    "RegisterExpressionCounter",
     "OperatorCounter",
+    "RegisterExpressionCounter",
+    "SingleExpressionCounter",
 )

angr/analyses/decompiler/decompilation_cache.py

@@ -14,16 +14,16 @@ class DecompilationCache:
     """
 
     __slots__ = (
-        "parameters",
         "addr",
-        "type_constraints",
-        "func_typevar",
-        "var_to_typevar",
-        "codegen",
-        "clinic",
-        "ite_exprs",
         "binop_operators",
+        "clinic",
+        "codegen",
         "errors",
+        "func_typevar",
+        "ite_exprs",
+        "parameters",
+        "type_constraints",
+        "var_to_typevar",
     )
 
     def __init__(self, addr):

angr/analyses/decompiler/dephication/__init__.py

@@ -3,4 +3,4 @@ from .graph_vvar_mapping import GraphDephicationVVarMapping
 from .graph_dephication import GraphDephication
 from .seqnode_dephication import SeqNodeDephication
 
-__all__ = ["GraphDephicationVVarMapping", "GraphDephication", "SeqNodeDephication"]
+__all__ = ["GraphDephication", "GraphDephicationVVarMapping", "SeqNodeDephication"]

angr/analyses/decompiler/dephication/graph_rewriting.py

@@ -37,7 +37,7 @@ class GraphRewritingAnalysis(ForwardAnalysis[None, NodeType, object, object]):
         )
         self._graph = ail_graph
         self._vvar_to_vvar = vvar_to_vvar
-        self._engine_ail = SimEngineDephiRewriting(self.project.arch, self._vvar_to_vvar)
+        self._engine_ail = SimEngineDephiRewriting(self.project, self._vvar_to_vvar)
 
         self._visited_blocks: set[Any] = set()
         self.out_blocks = {}

angr/analyses/decompiler/dephication/graph_vvar_mapping.py

@@ -10,7 +10,7 @@ from angr.analyses import Analysis
 from angr.analyses.s_reaching_definitions import SRDAModel
 from angr.knowledge_plugins.functions import Function
 from angr.analyses import register_analysis
-from angr.utils.ssa import is_phi_assignment
+from angr.utils.ssa import is_phi_assignment, DEPHI_VVAR_REG_OFFSET
 
 l = logging.getLogger(name=__name__)
 
@@ -30,6 +30,7 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
         ail_graph,
         entry=None,
         vvar_id_start: int = 0,
+        arg_vvars: list[VirtualVariable] | None = None,
     ):
         """
         :param func:                            The subject of the analysis: a function, or a single basic block
@@ -49,8 +50,10 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
         self._vvar_defloc = {}
         self.vvar_id_start = vvar_id_start
         self._stmts_to_prepend = defaultdict(list)
+        self._arg_vvars = arg_vvars or []
 
         self.vvar_to_vvar_mapping = None
+        self.copied_vvar_ids: set[int] = set()
         self._rd: SRDAModel = self.project.analyses.SReachingDefinitions(
             subject=self._function, func_graph=self._graph
         ).model
@@ -74,7 +77,9 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
                 phi_congruence_class[varid] = {varid}
 
         # compute liveness
-        liveness = self.project.analyses.SLiveness(self._function, func_graph=self._graph, entry=self._entry)
+        liveness = self.project.analyses.SLiveness(
+            self._function, func_graph=self._graph, entry=self._entry, arg_vvars=self._arg_vvars
+        )
 
         live_ins = liveness.model.live_ins
         live_outs = liveness.model.live_outs
@@ -136,6 +141,8 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
 
                 if insertion_type == 0:
                     for src, old_vvar_id, new_vvar_id in new_vvar_ids:
+                        self.copied_vvar_ids.add(new_vvar_id)
+
                         phi_congruence_class[new_vvar_id] = {new_vvar_id}
                         live_outs[src].add(new_vvar_id)
 
@@ -153,6 +160,7 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
 
                 else:  # insertion_type == 1
                     phi_block_loc, old_phi_varid, new_phi_varid = next(iter(new_vvar_ids))
+                    self.copied_vvar_ids.add(new_phi_varid)
 
                     phi_congruence_class[new_phi_varid] = {new_phi_varid}
 
@@ -217,7 +225,7 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
                     # it's a parameter, so we copy the variable into a dummy register vvar
                     # a parameter vvar should never be assigned to
                     new_category = VirtualVariableCategory.REGISTER
-                    new_oident = 4096
+                    new_oident = DEPHI_VVAR_REG_OFFSET
                 else:
                     new_category = vvar.category
                     new_oident = vvar.oident