angr 9.2.136__py3-none-macosx_11_0_arm64.whl → 9.2.138__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/ssailification/traversal.py

@@ -17,13 +17,24 @@ class TraversalAnalysis(ForwardAnalysis[TraversalState, ailment.Block, object, t
     TraversalAnalysis traverses the AIL graph and collects definitions.
     """
 
-    def __init__(self, project, func, ail_graph, sp_tracker, bp_as_gpr: bool, stackvars: bool, tmps: bool):
+    def __init__(
+        self,
+        project,
+        func,
+        ail_graph,
+        sp_tracker,
+        bp_as_gpr: bool,
+        stackvars: bool,
+        tmps: bool,
+        func_args: set[ailment.Expr.VirtualVariable],
+    ):
 
         self.project = project
         self._stackvars = stackvars
         self._tmps = tmps
         self._function = func
         self._graph_visitor = FunctionGraphVisitor(self._function, ail_graph)
+        self._func_args = func_args
 
         ForwardAnalysis.__init__(
             self, order_jobs=True, allow_merging=True, allow_widening=False, graph_visitor=self._graph_visitor
@@ -52,13 +63,28 @@ class TraversalAnalysis(ForwardAnalysis[TraversalState, ailment.Block, object, t
         pass
 
     def _initial_abstract_state(self, node: ailment.Block) -> TraversalState:
-        return TraversalState(self.project.arch, self._function)
+        state = TraversalState(self.project.arch, self._function)
+        # update it with function arguments
+        if self._func_args:
+            for func_arg in self._func_args:
+                if func_arg.oident[0] == ailment.Expr.VirtualVariableCategory.REGISTER:
+                    reg_offset = func_arg.oident[1]
+                    reg_size = func_arg.size
+                    state.live_registers.add(reg_offset)
+                    # get the full register if needed
+                    basereg_offset, basereg_size = self.project.arch.get_base_register(reg_offset, size=reg_size)
+                    if basereg_size != reg_size or basereg_offset != reg_offset:
+                        state.live_registers.add(basereg_offset)
+                elif func_arg.oident[0] == ailment.Expr.VirtualVariableCategory.STACK:
+                    state.live_stackvars.add((func_arg.oident[1], func_arg.size))
+        return state
 
     def _merge_states(self, node: ailment.Block, *states: TraversalState) -> tuple[TraversalState, bool]:
         merged_state = TraversalState(
             self.project.arch,
             self._function,
             live_registers=states[0].live_registers.copy(),
+            live_stackvars=states[0].live_stackvars.copy(),
         )
         merge_occurred = merged_state.merge(*states[1:])
         return merged_state, not merge_occurred

angr/analyses/decompiler/ssailification/traversal_state.py

@@ -37,7 +37,12 @@ class TraversalState:
                 merge_occurred = True
             all_regs |= o.live_registers
 
-        # TODO: merge of live_stackvars
+        all_stackvars: set[tuple[int, int]] = self.live_stackvars.copy()
+        for o in others:
+            if o.live_stackvars.difference(all_stackvars):
+                merge_occurred = True
+            all_stackvars |= o.live_stackvars
 
         self.live_registers = all_regs
+        self.live_stackvars = all_stackvars
         return merge_occurred

angr/analyses/decompiler/structured_codegen/c.py

@@ -679,14 +679,23 @@ class CStatements(CStatement):
     Represents a sequence of statements in C.
     """
 
-    __slots__ = ("statements",)
+    __slots__ = (
+        "addr",
+        "statements",
+    )
 
-    def __init__(self, statements, **kwargs):
+    def __init__(self, statements, addr=None, **kwargs):
         super().__init__(**kwargs)
 
         self.statements = statements
+        self.addr = addr
 
     def c_repr_chunks(self, indent=0, asexpr=False):
+        indent_str = self.indent_str(indent)
+        if self.codegen.display_block_addrs:
+            yield indent_str, None
+            yield f"/* Block {hex(self.addr) if self.addr is not None else 'unknown'} */", None
+            yield "\n", None
         for stmt in self.statements:
             yield from stmt.c_repr_chunks(indent=indent, asexpr=asexpr)
             if asexpr:
@@ -1572,15 +1581,19 @@ class CVariable(CExpression):
         "unified_variable",
         "variable",
         "variable_type",
+        "vvar_id",
     )
 
-    def __init__(self, variable: SimVariable, unified_variable=None, variable_type=None, tags=None, **kwargs):
+    def __init__(
+        self, variable: SimVariable, unified_variable=None, variable_type=None, tags=None, vvar_id=None, **kwargs
+    ):
         super().__init__(**kwargs)
 
         self.variable: SimVariable = variable
         self.unified_variable: SimVariable | None = unified_variable
         self.variable_type: SimType = variable_type.with_arch(self.codegen.project.arch)
         self.tags = tags
+        self.vvar_id = vvar_id
 
     @property
     def type(self):
@@ -1598,6 +1611,8 @@ class CVariable(CExpression):
 
     def c_repr_chunks(self, indent=0, asexpr=False):
         yield self.name, self
+        if self.codegen.display_vvar_ids:
+            yield f"<vvar_{self.vvar_id}>", self
 
 
 class CIndexedVariable(CExpression):
@@ -2141,7 +2156,8 @@ class CConstant(CExpression):
         result = self.fmt.get("neg", None)
         if result is None:
             result = False
-            if isinstance(self.value, int):
+            # guess it
+            if isinstance(self._type, (SimTypeInt, SimTypeChar)) and self._type.signed and isinstance(self.value, int):
                 value_size = self._type.size if self._type is not None else None
                 if (value_size == 32 and 0xF000_0000 <= self.value <= 0xFFFF_FFFF) or (
                     value_size == 64 and 0xF000_0000_0000_0000 <= self.value <= 0xFFFF_FFFF_FFFF_FFFF
@@ -2486,6 +2502,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         simplify_else_scope=True,
         cstyle_ifs=True,
         omit_func_header=False,
+        display_block_addrs=False,
+        display_vvar_ids=False,
     ):
         super().__init__(flavor=flavor)
 
@@ -2558,6 +2576,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         self.simplify_else_scope = simplify_else_scope
         self.cstyle_ifs = cstyle_ifs
         self.omit_func_header = omit_func_header
+        self.display_block_addrs = display_block_addrs
+        self.display_vvar_ids = display_vvar_ids
         self.text = None
         self.map_pos_to_node = None
         self.map_pos_to_addr = None
@@ -2740,7 +2760,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             return _mapping.get(n)(signed=signed).with_arch(self.project.arch)
         return SimTypeNum(n, signed=signed).with_arch(self.project.arch)
 
-    def _variable(self, variable: SimVariable, fallback_type_size: int | None) -> CVariable:
+    def _variable(self, variable: SimVariable, fallback_type_size: int | None, vvar_id: int | None = None) -> CVariable:
         # TODO: we need to fucking make sure that variable recovery and type inference actually generates a size
         # TODO: for each variable it links into the fucking ail. then we can remove fallback_type_size.
         unified = self._variable_kb.variables[self._func.addr].unified_variable(variable)
@@ -2751,7 +2771,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             variable_type = self.default_simtype_from_bits(
                 (fallback_type_size or self.project.arch.bytes) * self.project.arch.byte_width
             )
-        cvar = CVariable(variable, unified_variable=unified, variable_type=variable_type, codegen=self)
+        cvar = CVariable(variable, unified_variable=unified, variable_type=variable_type, codegen=self, vvar_id=vvar_id)
         self._variables_in_use[variable] = cvar
         return cvar
 
@@ -3106,14 +3126,18 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     # Handlers
     #
 
-    def _handle(self, node, is_expr: bool = True, lvalue: bool = False):
+    def _handle(self, node, is_expr: bool = True, lvalue: bool = False, likely_signed=False):
         if (node, is_expr) in self.ailexpr2cnode:
             return self.ailexpr2cnode[(node, is_expr)]
 
         handler: Callable | None = self._handlers.get(node.__class__, None)
         if handler is not None:
             # special case for Call
-            converted = handler(node, is_expr=is_expr) if isinstance(node, Stmt.Call) else handler(node, lvalue=lvalue)
+            converted = (
+                handler(node, is_expr=is_expr)
+                if isinstance(node, Stmt.Call)
+                else handler(node, lvalue=lvalue, likely_signed=likely_signed)
+            )
             self.ailexpr2cnode[(node, is_expr)] = converted
             return converted
         raise UnsupportedNodeTypeError(f"Node type {type(node)} is not supported yet.")
@@ -3127,10 +3151,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         for node in seq.nodes:
             lines.append(self._handle(node, is_expr=False))
 
-        if not lines:
-            return CStatements([], codegen=None)
-
-        return CStatements(lines, codegen=self) if len(lines) > 1 else lines[0]
+        return lines[0] if len(lines) == 1 else CStatements(lines, codegen=self, addr=seq.addr)
 
     def _handle_Loop(self, loop_node, **kwargs):
         tags = {"ins_addr": loop_node.addr}
@@ -3217,7 +3238,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             r = self._handle(n, is_expr=False)
             lines.append(r)
 
-        return CStatements(lines, codegen=self) if len(lines) > 1 else lines[0]
+        return lines[0] if len(lines) == 1 else CStatements(lines, codegen=self, addr=node.addr)
 
     def _handle_SwitchCase(self, node, **kwargs):
         """
@@ -3260,7 +3281,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 cstmt = CUnsupportedStatement(stmt, codegen=self)
             cstmts.append(cstmt)
 
-        return CStatements(cstmts, codegen=self)
+        return CStatements(cstmts, codegen=self, addr=node.addr)
 
     #
     # AIL statement handlers
@@ -3315,9 +3336,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             if stmt.dst.variable is not None:
                 if "struct_member_info" in stmt.dst.tags:
                     offset, var, _ = stmt.dst.struct_member_info
-                    cvar = self._variable(var, stmt.dst.size)
+                    cvar = self._variable(var, stmt.dst.size, vvar_id=stmt.dst.varid)
                 else:
-                    cvar = self._variable(stmt.dst.variable, stmt.dst.size)
+                    cvar = self._variable(stmt.dst.variable, stmt.dst.size, vvar_id=stmt.dst.varid)
                     offset = stmt.dst.variable_offset or 0
                 assert type(offset) is int  # I refuse to deal with the alternative
 
@@ -3474,7 +3495,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         l.warning("FIXME: Leftover Tmp expressions are found.")
         return self._variable(SimTemporaryVariable(expr.tmp_idx, expr.bits), expr.size)
 
-    def _handle_Expr_Const(self, expr: Expr.Const, type_=None, reference_values=None, variable=None, **kwargs):
+    def _handle_Expr_Const(
+        self, expr: Expr.Const, type_=None, reference_values=None, variable=None, likely_signed=True, **kwargs
+    ):
         inline_string = False
         function_pointer = False
 
@@ -3550,8 +3573,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                             inline_string = True
 
         if type_ is None:
-            # default to int
-            type_ = self.default_simtype_from_bits(expr.bits)
+            # default to int or unsigned int, determined by likely_signed
+            type_ = self.default_simtype_from_bits(expr.bits, signed=likely_signed)
 
         if variable is None and hasattr(expr, "reference_variable") and expr.reference_variable is not None:
             variable = expr.reference_variable
@@ -3583,7 +3606,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             )
 
         lhs = self._handle(expr.operands[0])
-        rhs = self._handle(expr.operands[1])
+        rhs = self._handle(expr.operands[1], likely_signed=expr.op not in {"And", "Or"})
 
         return CBinaryOp(
             expr.op,
@@ -3679,7 +3702,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
     def _handle_VirtualVariable(self, expr: Expr.VirtualVariable, **kwargs):
         if expr.variable:
-            cvar = self._variable(expr.variable, None)
+            cvar = self._variable(expr.variable, None, vvar_id=expr.varid)
             if expr.variable.size != expr.size:
                 l.warning(
                     "VirtualVariable size (%d) and variable size (%d) do not match. Force a type cast.",

angr/analyses/decompiler/structuring/phoenix.py

@@ -1,4 +1,5 @@
 # pylint:disable=line-too-long,import-outside-toplevel,import-error,multiple-statements,too-many-boolean-expressions
+# ruff: noqa: SIM102
 from __future__ import annotations
 from typing import Any, TYPE_CHECKING
 from collections import defaultdict, OrderedDict
@@ -26,6 +27,7 @@ from angr.analyses.decompiler.utils import (
     is_empty_or_label_only_node,
     has_nonlabel_nonphi_statements,
     first_nonlabel_nonphi_statement,
+    switch_extract_bitwiseand_jumptable_info,
 )
 from angr.analyses.decompiler.counters.call_counter import AILCallCounter
 from .structurer_nodes import (
@@ -1045,6 +1047,11 @@ class PhoenixStructurer(StructurerBase):
         if r:
             return r
         jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+        r = self._match_acyclic_switch_cases_address_loaded_from_memory_no_ob_check(
+            node, graph, full_graph, jump_tables
+        )
+        if r:
+            return r
         r = self._match_acyclic_switch_cases_address_loaded_from_memory(node, graph, full_graph, jump_tables)
         if r:
             return r
@@ -1240,6 +1247,93 @@ class PhoenixStructurer(StructurerBase):
 
         return True
 
+    def _match_acyclic_switch_cases_address_loaded_from_memory_no_ob_check(
+        self, node, graph, full_graph, jump_tables
+    ) -> bool:
+        if node.addr not in jump_tables:
+            return False
+
+        try:
+            last_stmt = self.cond_proc.get_last_statement(node)
+        except EmptyBlockNotice:
+            return False
+        if not (isinstance(last_stmt, Jump) and not isinstance(last_stmt.target, Const)):
+            return False
+
+        jump_table = jump_tables[node.addr]
+        if jump_table.type != IndirectJumpType.Jumptable_AddressLoadedFromMemory:
+            return False
+
+        # extract the index expression, lower-, and upper-bounds from the last statement
+        index = switch_extract_bitwiseand_jumptable_info(last_stmt)
+        if not index:
+            return False
+        index_expr, cmp_lb, cmp_ub = index  # pylint:disable=unused-variable
+        case_count = cmp_ub - cmp_lb + 1
+
+        # ensure we have the same number of cases
+        if case_count != len(jump_table.jumptable_entries):
+            return False
+
+        # populate whitelist_edges
+        for case_node_addr in jump_table.jumptable_entries:
+            self.whitelist_edges.add((node.addr, case_node_addr))
+        self.switch_case_known_heads.add(node)
+
+        # sanity check: case nodes are successors to node. all case nodes must have at most common one successor
+        node_pred = None
+        if graph.in_degree[node] == 1:
+            node_pred = next(iter(graph.predecessors(node)))
+
+        case_nodes = list(graph.successors(node))
+
+        # case 1: the common successor happens to be directly reachable from node_a (usually as a result of compiler
+        # optimization)
+        # example: touch_touch_no_switch.o:main
+        r = self.switch_case_entry_node_has_common_successor_case_1(graph, jump_table, case_nodes, node_pred)
+
+        # case 2: the common successor is not directly reachable from node_a. this is a more common case.
+        if not r:
+            r |= self.switch_case_entry_node_has_common_successor_case_2(graph, jump_table, case_nodes, node_pred)
+
+        if not r:
+            return False
+
+        case_and_entry_addrs = self._find_case_and_entry_addrs(node, graph, cmp_lb, jump_table)
+
+        cases, node_default, to_remove = self._switch_build_cases(
+            case_and_entry_addrs,
+            node,
+            node,
+            None,
+            graph,
+            full_graph,
+        )
+
+        assert node_default is None
+        switch_end_addr = None
+
+        r = self._make_switch_cases_core(
+            node,
+            index_expr,
+            cases,
+            None,
+            None,
+            last_stmt.ins_addr,
+            to_remove,
+            graph,
+            full_graph,
+            node_a=None,
+        )
+        if not r:
+            return False
+
+        # fully structured into a switch-case. remove node from switch_case_known_heads
+        self.switch_case_known_heads.remove(node)
+        self._switch_handle_gotos(cases, node_default, switch_end_addr)
+
+        return True
+
     def _match_acyclic_switch_cases_address_computed(self, node, graph, full_graph, jump_tables) -> bool:
         if node.addr not in jump_tables:
             return False
@@ -1333,7 +1427,7 @@ class PhoenixStructurer(StructurerBase):
         case_and_entryaddrs: dict[int, int | tuple[int, int | None]],
         head_node,
         node_a: BaseNode,
-        node_b_addr,
+        node_b_addr: int | None,
         graph,
         full_graph,
     ) -> tuple[OrderedDict, Any, set[Any]]:
@@ -1343,7 +1437,9 @@ class PhoenixStructurer(StructurerBase):
         # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
         # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
         # successor to node_a
-        default_node_candidates = [nn for nn in graph.nodes if nn.addr == node_b_addr]
+        default_node_candidates = (
+            [nn for nn in graph.nodes if nn.addr == node_b_addr] if node_b_addr is not None else []
+        )
         node_default: BaseNode | None = next(
             iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
         )
@@ -1355,7 +1451,6 @@ class PhoenixStructurer(StructurerBase):
             self.replace_nodes(full_graph, node_default, new_node)
             node_default = new_node
 
-        # entry_addrs_set = set(jumptable_entries)
         converted_nodes: dict[tuple[int, int | None], Any] = {}
         entry_addr_to_ids: defaultdict[tuple[int, int | None], set[int]] = defaultdict(set)
 
@@ -1442,7 +1537,7 @@ class PhoenixStructurer(StructurerBase):
         head,
         cmp_expr,
         cases: OrderedDict,
-        node_default_addr: int,
+        node_default_addr: int | None,
         node_default,
         addr,
         to_remove: set,
@@ -1491,7 +1586,7 @@ class PhoenixStructurer(StructurerBase):
                 pass
             graph.remove_edge(head, node_default)
             full_graph.remove_edge(head, node_default)
-        else:
+        elif node_default_addr is not None:
             # the default node is not in the current graph, but it might be in the full graph
             node_default_in_full_graph = next(iter(nn for nn in full_graph if nn.addr == node_default_addr), None)
             if node_default_in_full_graph is not None and full_graph.has_edge(head, node_default_in_full_graph):
@@ -1570,12 +1665,22 @@ class PhoenixStructurer(StructurerBase):
 
         return case_and_entry_addrs
 
-    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+    def _is_node_unstructured_switch_case_head(self, node) -> bool:
         jump_tables = self.kb.cfgs["CFGFast"].jump_tables
         if node.addr in jump_tables:
+            # maybe it has been structured?
+            try:
+                last_stmts = self.cond_proc.get_last_statements(node)
+            except EmptyBlockNotice:
+                return False
+            return len(last_stmts) == 1 and isinstance(last_stmts[0], Jump)
+        return False
+
+    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+        if self._is_node_unstructured_switch_case_head(node):
             return True
         for succ in graph.successors(node):
-            if succ.addr in jump_tables:
+            if self._is_node_unstructured_switch_case_head(succ):
                 return True
         return node in self.switch_case_known_heads
 
@@ -1634,13 +1739,11 @@ class PhoenixStructurer(StructurerBase):
                 )
             ):
                 # potentially ITE
-                jump_tables = self.kb.cfgs["CFGFast"].jump_tables
-
                 if (
                     full_graph.in_degree[left] == 1
                     and full_graph.in_degree[right] == 1
-                    and left.addr not in jump_tables
-                    and right.addr not in jump_tables
+                    and not self._is_node_unstructured_switch_case_head(left)
+                    and not self._is_node_unstructured_switch_case_head(right)
                 ):
                     edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
                     edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
@@ -1681,9 +1784,9 @@ class PhoenixStructurer(StructurerBase):
                 left_succs, right_succs = right_succs, left_succs
             if left in graph and not left_succs and full_graph.in_degree[left] == 1 and right in graph:
                 # potentially If-Then
-                jump_tables = self.kb.cfgs["CFGFast"].jump_tables
-
-                if left.addr not in jump_tables and right.addr not in jump_tables:
+                if not self._is_node_unstructured_switch_case_head(
+                    left
+                ) and not self._is_node_unstructured_switch_case_head(right):
                     edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
                     edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
                     if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):

angr/analyses/decompiler/utils.py

@@ -40,7 +40,7 @@ def remove_last_statement(node):
     elif type(node) is LoopNode:
         stmt = remove_last_statement(node.sequence_node)
     else:
-        raise NotImplementedError
+        raise NotImplementedError(type(node))
 
     return stmt
 
@@ -69,7 +69,7 @@ def remove_last_statements(node) -> bool:
         return r
     if type(node) is LoopNode:
         return remove_last_statements(node.sequence_node)
-    raise NotImplementedError
+    raise NotImplementedError(type(node))
 
 
 def append_statement(node, stmt):
@@ -83,16 +83,16 @@ def append_statement(node, stmt):
         if node.nodes:
             append_statement(node.nodes[-1], stmt)
         else:
-            raise NotImplementedError
+            raise NotImplementedError("MultiNode without nodes")
         return
     if type(node) is SequenceNode:
         if node.nodes:
             append_statement(node.nodes[-1], stmt)
         else:
-            raise NotImplementedError
+            raise NotImplementedError("SequenceNode without nodes")
         return
 
-    raise NotImplementedError
+    raise NotImplementedError(type(node))
 
 
 def replace_last_statement(node, old_stmt, new_stmt):
@@ -118,7 +118,7 @@ def replace_last_statement(node, old_stmt, new_stmt):
             replace_last_statement(node.false_node, old_stmt, new_stmt)
         return
 
-    raise NotImplementedError
+    raise NotImplementedError(type(node))
 
 
 def extract_jump_targets(stmt):
@@ -175,6 +175,111 @@ def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[
     return None
 
 
+def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tuple[Any, int, int] | None:
+    """
+    Check the last statement of the switch-case header node (whose address is loaded from a jump table and computed
+    using an index) and extract necessary information for rebuilding the switch-case construct.
+
+    An example of the statement:
+
+    Goto(Conv(32->s64, (
+        Load(addr=(0x4530e4<64> + (Conv(32->64, (Conv(64->32, vvar_287{reg 32}) & 0x3<32>)) * 0x4<64>)),
+             size=4, endness=Iend_LE) + 0x4530e4<32>))
+    )
+
+    :param last_stmt:   The last statement of the switch-case header node.
+    :return:            A tuple of (index expression, lower bound, upper bound), or None
+    """
+
+    if not isinstance(last_stmt, ailment.Stmt.Jump):
+        return None
+
+    # unpack the target expression
+    target = last_stmt.target
+    jump_addr_offset = None
+    jumptable_load_addr = None
+    while True:
+        if isinstance(target, ailment.Expr.Convert) and (
+            (target.from_bits == 32 and target.to_bits == 64) or (target.from_bits == 16 and target.to_bits == 32)
+        ):
+            target = target.operand
+            continue
+        if isinstance(target, ailment.Expr.BinaryOp) and target.op == "Add":
+            if isinstance(target.operands[0], ailment.Expr.Const) and isinstance(target.operands[1], ailment.Expr.Load):
+                jump_addr_offset = target.operands[0]
+                jumptable_load_addr = target.operands[1].addr
+                break
+            if isinstance(target.operands[1], ailment.Expr.Const) and isinstance(target.operands[0], ailment.Expr.Load):
+                jump_addr_offset = target.operands[1]
+                jumptable_load_addr = target.operands[0].addr
+                break
+            return None
+        if isinstance(target, ailment.Expr.Const):
+            return None
+        break
+
+    if jump_addr_offset is None or jumptable_load_addr is None:
+        return None
+
+    # parse jumptable_load_addr
+    jumptable_offset = None
+    jumptable_base_addr = None
+    if isinstance(jumptable_load_addr, ailment.Expr.BinaryOp) and jumptable_load_addr.op == "Add":
+        if isinstance(jumptable_load_addr.operands[0], ailment.Expr.Const):
+            jumptable_base_addr = jumptable_load_addr.operands[0]
+            jumptable_offset = jumptable_load_addr.operands[1]
+        elif isinstance(jumptable_load_addr.operands[1], ailment.Expr.Const):
+            jumptable_offset = jumptable_load_addr.operands[0]
+            jumptable_base_addr = jumptable_load_addr.operands[1]
+
+    if jumptable_offset is None or jumptable_base_addr is None:
+        return None
+
+    # parse jumptable_offset
+    expr = jumptable_offset
+    coeff = None
+    index_expr = None
+    lb = None
+    ub = None
+    while expr is not None:
+        if isinstance(expr, ailment.Expr.BinaryOp):
+            if expr.op == "Mul":
+                if isinstance(expr.operands[1], ailment.Expr.Const):
+                    coeff = expr.operands[1].value
+                    expr = expr.operands[0]
+                elif isinstance(expr.operands[0], ailment.Expr.Const):
+                    coeff = expr.operands[0].value
+                    expr = expr.operands[1]
+                else:
+                    return None
+            elif expr.op == "And":
+                masks = {0x1, 0x3, 0x7, 0xF, 0x1F, 0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF}
+                if isinstance(expr.operands[1], ailment.Expr.Const) and expr.operands[1].value in masks:
+                    lb = 0
+                    ub = expr.operands[1].value
+                    index_expr = expr
+                    break
+                if isinstance(expr.operands[0], ailment.Expr.Const) and expr.operands[1].value in masks:
+                    lb = 0
+                    ub = expr.operands[0].value
+                    index_expr = expr
+                    break
+                return None
+            else:
+                return None
+        elif isinstance(expr, ailment.Expr.Convert):
+            if expr.is_signed is False:
+                expr = expr.operand
+            else:
+                return None
+        else:
+            break
+
+    if coeff is not None and index_expr is not None and lb is not None and ub is not None:
+        return index_expr, lb, ub
+    return None
+
+
 def get_ast_subexprs(claripy_ast):
     queue = [claripy_ast]
     while queue:
@@ -267,9 +372,9 @@ def insert_node(parent, insert_location: str, node, node_idx: int | tuple[int] |
                 parent.sequence_node = SequenceNode(parent.sequence_node.addr, nodes=[parent.sequence_node])
             insert_node(parent.sequence_node, insert_location, node, node_idx)
         else:
-            raise NotImplementedError
+            raise NotImplementedError(label)
     else:
-        raise NotImplementedError
+        raise NotImplementedError(type(parent))
 
 
 def _merge_ail_nodes(graph, node_a: ailment.Block, node_b: ailment.Block) -> ailment.Block:

angr/analyses/reaching_definitions/function_handler.py

@@ -379,7 +379,7 @@ class FunctionHandler:
                 else hook_libname
             )
             type_collections = []
-            if prototype_libname is not None:
+            if prototype_libname is not None and prototype_libname in SIM_LIBRARIES:
                 prototype_lib = SIM_LIBRARIES[prototype_libname]
                 if prototype_lib.type_collection_names:
                     for typelib_name in prototype_lib.type_collection_names: