angr 9.2.136__py3-none-macosx_11_0_arm64.whl → 9.2.137__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/clinic.py

@@ -49,7 +49,6 @@ from .optimization_passes import (
     DUPLICATING_OPTS,
     CONDENSING_OPTS,
 )
-from .utils import first_nonlabel_statement_id
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg import CFGModel
@@ -461,12 +460,12 @@ class Clinic(Analysis):
         # Make function arguments
         self._update_progress(33.0, text="Making argument list")
         arg_list = self._make_argument_list()
-        arg_vvars = {}
-        ail_graph = self._create_argument_accessing_statements(arg_list, ail_graph, arg_vvars)
+        arg_vvars = self._create_function_argument_vvars(arg_list)
+        func_args = {arg_vvar for arg_vvar, _ in arg_vvars.values()}
 
         # Transform the graph into partial SSA form
         self._update_progress(35.0, text="Transforming to partial-SSA form")
-        ail_graph = self._transform_to_ssa_level0(ail_graph)
+        ail_graph = self._transform_to_ssa_level0(ail_graph, func_args)
 
         # full-function constant-only propagation
         self._update_progress(36.0, text="Constant propagation")
@@ -521,7 +520,7 @@ class Clinic(Analysis):
         )
 
         # rewrite (qualified) stack variables into SSA form
-        ail_graph = self._transform_to_ssa_level1(ail_graph)
+        ail_graph = self._transform_to_ssa_level1(ail_graph, func_args)
 
         # clear _blocks_by_addr_and_size so no one can use it again
         # TODO: Totally remove this dict
@@ -529,10 +528,12 @@ class Clinic(Analysis):
 
         # Rust-specific; only call this on Rust binaries when we can identify language and compiler
         ail_graph = self._rewrite_rust_probestack_call(ail_graph)
+        # Windows-specific
+        ail_graph = self._rewrite_windows_stkchk_call(ail_graph)
 
         # Make call-sites
         self._update_progress(50.0, text="Making callsites")
-        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(ail_graph, stack_pointer_tracker=spt)
+        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(ail_graph, func_args, stack_pointer_tracker=spt)
 
         # Run simplification passes
         self._update_progress(53.0, text="Running simplifications 2")
@@ -1306,84 +1307,57 @@ class Clinic(Analysis):
         return ail_graph
 
     @timethis
-    def _create_argument_accessing_statements(
-        self,
-        arg_list: list[SimVariable],
-        ail_graph: networkx.DiGraph,
-        arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]],
-    ) -> networkx.DiGraph:
-        entrypoint = next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr))
-        new_stmts = []
+    def _create_function_argument_vvars(self, arg_list) -> dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]]:
+        arg_vvars = {}
         for arg in arg_list:
-            if not isinstance(arg, SimRegisterVariable):
-                continue
-
-            # get the full register if needed
-            basereg_offset, basereg_size = self.project.arch.get_base_register(arg.reg, size=arg.size)
-
-            arg_vvar = ailment.Expr.VirtualVariable(
-                self._ail_manager.next_atom(),
-                self.vvar_id_start,
-                arg.bits,
-                ailment.Expr.VirtualVariableCategory.PARAMETER,
-                oident=arg.reg,
-                ins_addr=self.function.addr,
-                vex_block_addr=self.function.addr,
-            )
-            self.vvar_id_start += 1
-            arg_vvars[arg_vvar.varid] = arg_vvar, arg
-
-            if basereg_size != arg.size:
-                # extend the value to the full register
-                arg_vvar = ailment.Expr.Convert(
+            if isinstance(arg, SimRegisterVariable):
+                # get the full register if needed
+                arg_vvar = ailment.Expr.VirtualVariable(
                     self._ail_manager.next_atom(),
-                    arg.size * self.project.arch.byte_width,
-                    basereg_size * self.project.arch.byte_width,
-                    False,
-                    arg_vvar,
+                    self.vvar_id_start,
+                    arg.bits,
+                    ailment.Expr.VirtualVariableCategory.PARAMETER,
+                    oident=(ailment.Expr.VirtualVariableCategory.REGISTER, arg.reg),
                     ins_addr=self.function.addr,
                     vex_block_addr=self.function.addr,
                 )
+                self.vvar_id_start += 1
+                arg_vvars[arg_vvar.varid] = arg_vvar, arg
+            elif isinstance(arg, SimStackVariable):
+                arg_vvar = ailment.Expr.VirtualVariable(
+                    self._ail_manager.next_atom(),
+                    self.vvar_id_start,
+                    arg.bits,
+                    ailment.Expr.VirtualVariableCategory.PARAMETER,
+                    oident=(ailment.Expr.VirtualVariableCategory.STACK, arg.offset),
+                    ins_addr=self.function.addr,
+                    vex_block_addr=self.function.addr,
+                )
+                self.vvar_id_start += 1
+                arg_vvars[arg_vvar.varid] = arg_vvar, arg
 
-            fullreg_dst = ailment.Expr.Register(
-                self._ail_manager.next_atom(),
-                None,
-                basereg_offset,
-                basereg_size * self.project.arch.byte_width,
-                ins_addr=self.function.addr,
-                vex_block_addr=self.function.addr,
-            )
-            stmt = ailment.Stmt.Assignment(
-                self._ail_manager.next_atom(),
-                fullreg_dst,
-                arg_vvar,
-                ins_addr=self.function.addr,
-                vex_block_addr=self.function.addr,
-            )
-            new_stmts.append(stmt)
-
-        non_label_stmt_idx = first_nonlabel_statement_id(entrypoint)
-        # update the ail block in-place
-        entrypoint.statements = (
-            entrypoint.statements[:non_label_stmt_idx] + new_stmts + entrypoint.statements[non_label_stmt_idx:]
-        )
-        return ail_graph
+        return arg_vvars
 
     @timethis
-    def _transform_to_ssa_level0(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+    def _transform_to_ssa_level0(
+        self, ail_graph: networkx.DiGraph, func_args: set[ailment.Expr.VirtualVariable]
+    ) -> networkx.DiGraph:
         ssailification = self.project.analyses[Ssailification].prep(fail_fast=self._fail_fast)(
             self.function,
             ail_graph,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
             ssa_stackvars=False,
+            func_args=func_args,
             vvar_id_start=self.vvar_id_start,
         )
         self.vvar_id_start = ssailification.max_vvar_id + 1
         return ssailification.out_graph
 
     @timethis
-    def _transform_to_ssa_level1(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+    def _transform_to_ssa_level1(
+        self, ail_graph: networkx.DiGraph, func_args: set[ailment.Expr.VirtualVariable]
+    ) -> networkx.DiGraph:
         ssailification = self.project.analyses.Ssailification(
             self.function,
             ail_graph,
@@ -1392,6 +1366,7 @@ class Clinic(Analysis):
             ail_manager=self._ail_manager,
             ssa_tmps=True,
             ssa_stackvars=True,
+            func_args=func_args,
             vvar_id_start=self.vvar_id_start,
         )
         self.vvar_id_start = ssailification.max_vvar_id + 1
@@ -1449,7 +1424,7 @@ class Clinic(Analysis):
         return []
 
     @timethis
-    def _make_callsites(self, ail_graph, stack_pointer_tracker=None):
+    def _make_callsites(self, ail_graph, func_args: set[ailment.Expr.VirtualVariable], stack_pointer_tracker=None):
         """
         Simplify all function call statements.
         """
@@ -1458,6 +1433,7 @@ class Clinic(Analysis):
         rd = self.project.analyses.SReachingDefinitions(
             subject=self.function,
             func_graph=ail_graph,
+            func_args=func_args,
             fail_fast=self._fail_fast,
             # use_callee_saved_regs_at_return=not self._register_save_areas_removed,  FIXME
         )
@@ -1714,6 +1690,9 @@ class Clinic(Analysis):
             elif stmt_type is ailment.Stmt.ConditionalJump:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.condition)
 
+            elif stmt_type is ailment.Stmt.Jump and not isinstance(stmt.target, ailment.Expr.Const):
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.target)
+
             elif stmt_type is ailment.Stmt.Call:
                 self._link_variables_on_call(variable_manager, global_variables, block, stmt_idx, stmt, is_expr=False)
 
@@ -2767,6 +2746,39 @@ class Clinic(Analysis):
                     break
         return ail_graph
 
+    def _rewrite_windows_stkchk_call(self, ail_graph) -> networkx.DiGraph:
+        if not (self.project.simos is not None and self.project.simos.name == "Win32"):
+            return ail_graph
+
+        for node in ail_graph:
+            if not node.statements or ail_graph.out_degree[node] != 1:
+                continue
+            last_stmt = node.statements[-1]
+            if isinstance(last_stmt, ailment.Stmt.Call) and isinstance(last_stmt.target, ailment.Expr.Const):
+                func = (
+                    self.project.kb.functions.get_by_addr(last_stmt.target.value)
+                    if self.project.kb.functions.contains_addr(last_stmt.target.value)
+                    else None
+                )
+                if func is not None and func.name == "__chkstk":
+                    # get rid of this call
+                    node.statements = node.statements[:-1]
+                    if self.project.arch.call_pushes_ret and node.statements:
+                        last_stmt = node.statements[-1]
+                        succ = next(iter(ail_graph.successors(node)))
+                        if (
+                            isinstance(last_stmt, ailment.Stmt.Store)
+                            and isinstance(last_stmt.addr, ailment.Expr.StackBaseOffset)
+                            and isinstance(last_stmt.addr.offset, int)
+                            and last_stmt.addr.offset < 0
+                            and isinstance(last_stmt.data, ailment.Expr.Const)
+                            and last_stmt.data.value == succ.addr
+                        ):
+                            # remove the statement that pushes the return address
+                            node.statements = node.statements[:-1]
+                    break
+        return ail_graph
+
     def _rewrite_alloca(self, ail_graph):
         # pylint:disable=too-many-boolean-expressions
         alloca_node = None

angr/analyses/decompiler/condition_processor.py

@@ -721,6 +721,8 @@ class ConditionProcessor:
         :return: None
         """
 
+        if not isinstance(cond, claripy.ast.Base):
+            return cond
         if memo is None:
             memo = {}
         if cond._hash in memo:

angr/analyses/decompiler/decompiler.py

@@ -368,6 +368,7 @@ class Decompiler(Analysis):
         self.cache.clinic = self.clinic
 
         self.kb.decompilations[(self.func.addr, self._flavor)] = self.cache
+        self._finish_progress()
 
     def _recover_regions(self, graph: networkx.DiGraph, condition_processor, update_graph: bool = True):
         return self.project.analyses[RegionIdentifier].prep(kb=self.kb, fail_fast=self._fail_fast)(

angr/analyses/decompiler/dephication/dephication_base.py

@@ -77,6 +77,8 @@ class DephicationBase(Analysis):
             mapped_phivarid = phivarid_to_phivarid.get(phi_varid, phi_varid)
             for varid in varids:
                 vvar_to_vvar[varid] = mapped_phivarid
+            if phi_varid != mapped_phivarid:
+                vvar_to_vvar[phi_varid] = mapped_phivarid
 
         return vvar_to_vvar
 

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -88,12 +88,14 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             )
 
         if new_dst is not None or new_src is not None:
-            return Assignment(
-                stmt.idx,
-                stmt.dst if new_dst is None else new_dst,
-                stmt.src if new_src is None else new_src,
-                **stmt.tags,
-            )
+            # ensure we do not generate vvar_A = vvar_A
+            dst = stmt.dst if new_dst is None else new_dst
+            src = stmt.src if new_src is None else new_src
+            if isinstance(dst, VirtualVariable) and isinstance(src, VirtualVariable) and dst.varid == src.varid:
+                # skip it
+                return ()
+
+            return Assignment(stmt.idx, dst, src, **stmt.tags)
         return None
 
     def _handle_stmt_Store(self, stmt):

angr/analyses/decompiler/dephication/seqnode_dephication.py

@@ -5,7 +5,7 @@ from typing import Any
 
 from ailment.block import Block
 from ailment.statement import Assignment
-from ailment.expression import VirtualVariable, Phi
+from ailment.expression import VirtualVariable, Phi, BinaryOp, UnaryOp
 
 import angr
 from angr.utils.ail import is_phi_assignment
@@ -60,6 +60,9 @@ class SeqNodeRewriter(SequenceWalker):
                 Block: self._handle_Block,
                 # statement handlers
                 Assignment: self._handle_Assignment,
+                # expression handlers
+                BinaryOp: self._handle_BinaryOp,
+                UnaryOp: self._handle_UnaryOp,
             }
         )
 
@@ -74,6 +77,12 @@ class SeqNodeRewriter(SequenceWalker):
     def _handle_Assignment(self, stmt: Assignment, **kwargs) -> Assignment:  # pylint:disable=unused-argument
         return self.engine._handle_stmt_Assignment(stmt)
 
+    def _handle_BinaryOp(self, expr, **kwargs):  # pylint:disable=unused-argument
+        return self.engine._handle_expr_BinaryOp(expr)
+
+    def _handle_UnaryOp(self, expr, **kwargs):  # pylint:disable=unused-argument
+        return self.engine._handle_expr_UnaryOp(expr)
+
     def _handle_Block(self, block: Block, **kwargs) -> Block | None:  # pylint:disable=unused-argument
         self.engine.out_block = None
         self.engine.process(None, block=block)

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -571,8 +571,7 @@ class ReturnDuplicatorBase:
                 new_name = stmt.name if stmt.name else f"Label_{stmt.ins_addr:x}"
                 if stmt.block_idx is not None:
                     suffix = f"__{stmt.block_idx}"
-                    if new_name.endswith(suffix):
-                        new_name = new_name[: -len(suffix)]
+                    new_name = new_name.removesuffix(suffix)
                 else:
                     new_name = stmt.name
                 new_name += f"__{block.idx}"

angr/analyses/decompiler/sequence_walker.py

@@ -204,13 +204,17 @@ class SequenceWalker:
 
         new_false_node = self._handle(node.false_node, parent=node, index=1) if node.false_node is not None else None
 
-        if new_true_node is None and new_false_node is None:
+        new_condition = (
+            self._handle(node.condition, parent=node, label="condition") if node.condition is not None else None
+        )
+
+        if new_true_node is None and new_false_node is None and new_condition is None:
             return None
 
         return ConditionNode(
             node.addr,
             node.reaching_condition,
-            node.condition,
+            node.condition if new_condition is None else new_condition,
             node.true_node if new_true_node is None else new_true_node,
             false_node=node.false_node if new_false_node is None else new_false_node,
         )

angr/analyses/decompiler/ssailification/rewriting.py

@@ -40,6 +40,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         stackvar_locs: dict[int, int],
         rewrite_tmps: bool,
         ail_manager,
+        func_args: set[VirtualVariable],
         vvar_id_start: int = 0,
     ):
         self.project = project
@@ -55,6 +56,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         self._stackvar_locs = stackvar_locs
         self._rewrite_tmps = rewrite_tmps
         self._ail_manager = ail_manager
+        self._func_args = func_args
         self._engine_ail = SimEngineSSARewriting(
             self.project,
             sp_tracker=sp_tracker,
@@ -205,12 +207,20 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
                 self.insert_phi_statements(node, phi_stmts)
 
     def _initial_abstract_state(self, node) -> RewritingState:
-        return RewritingState(
+        state = RewritingState(
             CodeLocation(node.addr, stmt_idx=0, ins_addr=node.addr, block_idx=node.idx),
             self.project.arch,
             self._function,
             node,
         )
+        # update state with function arguments
+        for func_arg in self._func_args:
+            if func_arg.oident[0] == VirtualVariableCategory.REGISTER:
+                reg_offset, reg_size = func_arg.oident[1], func_arg.size
+                state.registers[reg_offset][reg_size] = func_arg
+            elif func_arg.oident[0] == VirtualVariableCategory.STACK:
+                state.stackvars[func_arg.oident[1]][func_arg.size] = func_arg
+        return state
 
     def _run_on_node(self, node, state: RewritingState):
         """

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -462,7 +462,7 @@ class SimEngineSSARewriting(
         base_mask = Const(self.ail_manager.next_atom(), None, base_mask, existing_vvar.bits)
         new_base_expr = BinaryOp(
             self.ail_manager.next_atom(),
-            "Or",
+            "And",
             [existing_vvar, base_mask],
             False,
             bits=existing_vvar.bits,
@@ -618,6 +618,15 @@ class SimEngineSSARewriting(
             ):
                 vvar = self.state.registers[reg_expr.reg_offset][reg_expr.size]
                 assert vvar is not None
+                if vvar.category == VirtualVariableCategory.PARAMETER:
+                    return VirtualVariable(
+                        reg_expr.idx,
+                        vvar.varid,
+                        vvar.bits,
+                        VirtualVariableCategory.PARAMETER,
+                        oident=vvar.oident,
+                        **vvar.tags,
+                    )
                 return VirtualVariable(
                     reg_expr.idx,
                     vvar.varid,
@@ -640,6 +649,20 @@ class SimEngineSSARewriting(
                             vvar,
                             **reg_expr.tags,
                         )
+                elif reg_expr.size > existing_size:
+                    # part of the variable exists... maybe it's a parameter?
+                    vvar = self.state.registers[reg_expr.reg_offset][existing_size]
+                    if vvar.category == VirtualVariableCategory.PARAMETER:
+                        # just zero-extend it
+                        return Convert(
+                            self.ail_manager.next_atom(),
+                            existing_size * self.project.arch.byte_width,
+                            reg_expr.size * self.project.arch.byte_width,
+                            False,
+                            vvar,
+                            **vvar.tags,
+                        )
+                    break
                 else:
                     break
 
@@ -651,24 +674,29 @@ class SimEngineSSARewriting(
             ins_addr=reg_expr.ins_addr,
         )
         # extract
-        shift_amount = Const(
-            self.ail_manager.next_atom(),
-            None,
-            (reg_expr.reg_offset - vvar.oident) * self.arch.byte_width,
-            8,
-            **reg_expr.tags,
-        )
-        shifted = BinaryOp(
-            self.ail_manager.next_atom(),
-            "Shr",
-            [
-                vvar,
-                shift_amount,
-            ],
-            False,
-            bits=vvar.bits,
-            **reg_expr.tags,
-        )
+        if reg_expr.reg_offset == vvar.oident:
+            shifted = vvar
+        else:
+            shift_amount = Const(
+                self.ail_manager.next_atom(),
+                None,
+                (reg_expr.reg_offset - vvar.oident) * self.arch.byte_width,
+                8,
+                **reg_expr.tags,
+            )
+            shifted = BinaryOp(
+                self.ail_manager.next_atom(),
+                "Shr",
+                [
+                    vvar,
+                    shift_amount,
+                ],
+                False,
+                bits=vvar.bits,
+                **reg_expr.tags,
+            )
+        if shifted.bits == reg_expr.bits:
+            return shifted
         return Convert(
             self.ail_manager.next_atom(),
             shifted.bits,
@@ -700,6 +728,15 @@ class SimEngineSSARewriting(
             # TODO: Support truncation
             # TODO: Maybe also support concatenation
             vvar = self.state.stackvars[expr.addr.offset][expr.size]
+            if vvar.category == VirtualVariableCategory.PARAMETER:
+                return VirtualVariable(
+                    expr.idx,
+                    vvar.varid,
+                    vvar.bits,
+                    VirtualVariableCategory.PARAMETER,
+                    oident=vvar.oident,
+                    **vvar.tags,
+                )
             return VirtualVariable(
                 expr.idx,
                 vvar.varid,

angr/analyses/decompiler/ssailification/ssailification.py

@@ -5,7 +5,7 @@ from collections import defaultdict
 from itertools import count
 from bisect import bisect_left
 
-from ailment.expression import Expression, Register, StackBaseOffset, Tmp
+from ailment.expression import Expression, Register, StackBaseOffset, Tmp, VirtualVariable, VirtualVariableCategory
 from ailment.statement import Statement, Store
 
 from angr.knowledge_plugins.functions import Function
@@ -34,6 +34,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         ail_manager=None,
         ssa_stackvars: bool = False,
         ssa_tmps: bool = False,
+        func_args: set[VirtualVariable] | None = None,
         vvar_id_start: int = 0,
     ):
         """
@@ -53,6 +54,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         self._ail_manager = ail_manager
         self._ssa_stackvars = ssa_stackvars
         self._ssa_tmps = ssa_tmps
+        self._func_args = func_args if func_args is not None else set()
         self._entry = (
             entry
             if entry is not None
@@ -71,6 +73,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             bp_as_gpr,
             ssa_stackvars,
             ssa_tmps,
+            self._func_args,
         )
 
         # calculate virtual variables and phi nodes
@@ -91,6 +94,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             self._stackvar_locs,
             self._ssa_tmps,
             self._ail_manager,
+            self._func_args,
             vvar_id_start=vvar_id_start,
         )
         self.out_graph = rewriter.out_graph
@@ -122,6 +126,11 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             # for stack variables, we collect all definitions and identify stack variable locations using heuristics
 
             stackvar_locs = self._synthesize_stackvar_locs([def_ for def_, _ in def_to_loc if isinstance(def_, Store)])
+            # handle function arguments
+            if self._func_args:
+                for func_arg in self._func_args:
+                    if func_arg.oident[0] == VirtualVariableCategory.STACK:
+                        stackvar_locs[func_arg.oident[1]] = func_arg.size
             sorted_stackvar_offs = sorted(stackvar_locs)
         else:
             stackvar_locs = {}
@@ -137,9 +146,10 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                 udef_to_defs[("reg", base_off, base_reg_bits)].add(def_)
                 udef_to_blockkeys[("reg", base_off, base_reg_bits)].add((loc.block_addr, loc.block_idx))
                 # add a definition for the partial register
-                if base_off != def_.reg_offset:
+                if base_off != def_.reg_offset or base_size != def_.size:
                     reg_bits = def_.size * self.project.arch.byte_width
-                    udef_to_defs[("reg", def_.reg_offset, reg_bits)].add((loc.block_addr, loc.block_idx))
+                    udef_to_defs[("reg", def_.reg_offset, reg_bits)].add(def_)
+                    udef_to_blockkeys[("reg", def_.reg_offset, reg_bits)].add((loc.block_addr, loc.block_idx))
             elif isinstance(def_, Store):
                 if isinstance(def_.addr, StackBaseOffset) and isinstance(def_.addr.offset, int):
                     idx_begin = bisect_left(sorted_stackvar_offs, def_.addr.offset)

angr/analyses/decompiler/ssailification/traversal.py

@@ -17,13 +17,24 @@ class TraversalAnalysis(ForwardAnalysis[TraversalState, ailment.Block, object, t
     TraversalAnalysis traverses the AIL graph and collects definitions.
     """
 
-    def __init__(self, project, func, ail_graph, sp_tracker, bp_as_gpr: bool, stackvars: bool, tmps: bool):
+    def __init__(
+        self,
+        project,
+        func,
+        ail_graph,
+        sp_tracker,
+        bp_as_gpr: bool,
+        stackvars: bool,
+        tmps: bool,
+        func_args: set[ailment.Expr.VirtualVariable],
+    ):
 
         self.project = project
         self._stackvars = stackvars
         self._tmps = tmps
         self._function = func
         self._graph_visitor = FunctionGraphVisitor(self._function, ail_graph)
+        self._func_args = func_args
 
         ForwardAnalysis.__init__(
             self, order_jobs=True, allow_merging=True, allow_widening=False, graph_visitor=self._graph_visitor
@@ -52,13 +63,28 @@ class TraversalAnalysis(ForwardAnalysis[TraversalState, ailment.Block, object, t
         pass
 
     def _initial_abstract_state(self, node: ailment.Block) -> TraversalState:
-        return TraversalState(self.project.arch, self._function)
+        state = TraversalState(self.project.arch, self._function)
+        # update it with function arguments
+        if self._func_args:
+            for func_arg in self._func_args:
+                if func_arg.oident[0] == ailment.Expr.VirtualVariableCategory.REGISTER:
+                    reg_offset = func_arg.oident[1]
+                    reg_size = func_arg.size
+                    state.live_registers.add(reg_offset)
+                    # get the full register if needed
+                    basereg_offset, basereg_size = self.project.arch.get_base_register(reg_offset, size=reg_size)
+                    if basereg_size != reg_size or basereg_offset != reg_offset:
+                        state.live_registers.add(basereg_offset)
+                elif func_arg.oident[0] == ailment.Expr.VirtualVariableCategory.STACK:
+                    state.live_stackvars.add((func_arg.oident[1], func_arg.size))
+        return state
 
     def _merge_states(self, node: ailment.Block, *states: TraversalState) -> tuple[TraversalState, bool]:
         merged_state = TraversalState(
             self.project.arch,
             self._function,
             live_registers=states[0].live_registers.copy(),
+            live_stackvars=states[0].live_stackvars.copy(),
         )
         merge_occurred = merged_state.merge(*states[1:])
         return merged_state, not merge_occurred

angr/analyses/decompiler/ssailification/traversal_state.py

@@ -37,7 +37,12 @@ class TraversalState:
                 merge_occurred = True
             all_regs |= o.live_registers
 
-        # TODO: merge of live_stackvars
+        all_stackvars: set[tuple[int, int]] = self.live_stackvars.copy()
+        for o in others:
+            if o.live_stackvars.difference(all_stackvars):
+                merge_occurred = True
+            all_stackvars |= o.live_stackvars
 
         self.live_registers = all_regs
+        self.live_stackvars = all_stackvars
         return merge_occurred