angr 9.2.138__py3-none-macosx_11_0_arm64.whl → 9.2.139__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/clinic.py

@@ -109,7 +109,7 @@ class Clinic(Analysis):
         cache: DecompilationCache | None = None,
         mode: ClinicMode = ClinicMode.DECOMPILE,
         sp_shift: int = 0,
-        inline_functions: set[Function] | None = frozenset(),
+        inline_functions: set[Function] | None = None,
         inlined_counts: dict[int, int] | None = None,
         inlining_parents: set[int] | None = None,
         vvar_id_start: int = 0,
@@ -131,7 +131,7 @@ class Clinic(Analysis):
         self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimRegArg]] | None = None
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
-        self.data_refs: dict[int, int] = {}  # data address to instruction address
+        self.data_refs: dict[int, list[DataRefDesc]] = {}  # data address to data reference description
         self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
 
         self._func_graph: networkx.DiGraph | None = None
@@ -159,7 +159,7 @@ class Clinic(Analysis):
         # inlining help
         self._sp_shift = sp_shift
         self._max_stack_depth = 0
-        self._inline_functions = inline_functions
+        self._inline_functions = inline_functions if inline_functions else set()
         self._inlined_counts = {} if inlined_counts is None else inlined_counts
         self._inlining_parents = inlining_parents or ()
         self._desired_variables = desired_variables
@@ -200,7 +200,7 @@ class Clinic(Analysis):
         """
 
         try:
-            return self._blocks_by_addr_and_size[(addr, size)]
+            return self._blocks_by_addr_and_size[(addr, size)] if self._blocks_by_addr_and_size is not None else None
         except KeyError:
             return None
 
@@ -490,9 +490,7 @@ class Clinic(Analysis):
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
         self._update_progress(38.0, text="Simplifying blocks 1")
-        ail_graph = self._simplify_blocks(
-            ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
-        )
+        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
         self._rewrite_alloca(ail_graph)
 
         # Run simplification passes
@@ -515,9 +513,7 @@ class Clinic(Analysis):
         # Run simplification passes again. there might be more chances for peephole optimizations after function-level
         # simplification
         self._update_progress(48.0, text="Simplifying blocks 2")
-        ail_graph = self._simplify_blocks(
-            ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
-        )
+        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
 
         # rewrite (qualified) stack variables into SSA form
         ail_graph = self._transform_to_ssa_level1(ail_graph, func_args)
@@ -557,7 +553,6 @@ class Clinic(Analysis):
         self._update_progress(60.0, text="Simplifying blocks 3")
         ail_graph = self._simplify_blocks(
             ail_graph,
-            remove_dead_memdefs=self._remove_dead_memdefs,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
         )
@@ -581,7 +576,6 @@ class Clinic(Analysis):
         self._update_progress(75.0, text="Simplifying blocks 4")
         ail_graph = self._simplify_blocks(
             ail_graph,
-            remove_dead_memdefs=self._remove_dead_memdefs,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
         )
@@ -694,9 +688,7 @@ class Clinic(Analysis):
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
         self._update_progress(35.0, text="Simplifying blocks 1")
-        ail_graph = self._simplify_blocks(
-            ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
-        )
+        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
 
         # Simplify the entire function for the first time
         self._update_progress(45.0, text="Simplifying function 1")
@@ -1101,7 +1093,6 @@ class Clinic(Analysis):
     def _simplify_blocks(
         self,
         ail_graph: networkx.DiGraph,
-        remove_dead_memdefs=False,
         stack_pointer_tracker=None,
         cache: dict[ailment.Block, NamedTuple] | None = None,
     ):
@@ -1120,7 +1111,6 @@ class Clinic(Analysis):
         for ail_block in ail_graph.nodes():
             simplified = self._simplify_block(
                 ail_block,
-                remove_dead_memdefs=remove_dead_memdefs,
                 stack_pointer_tracker=stack_pointer_tracker,
                 cache=cache,
             )
@@ -1138,7 +1128,7 @@ class Clinic(Analysis):
 
         return ail_graph
 
-    def _simplify_block(self, ail_block, remove_dead_memdefs=False, stack_pointer_tracker=None, cache=None):
+    def _simplify_block(self, ail_block, stack_pointer_tracker=None, cache=None):
         """
         Simplify a single AIL block.
 
@@ -1149,8 +1139,9 @@ class Clinic(Analysis):
 
         cached_rd, cached_prop = None, None
         cache_item = None
+        cache_key = ail_block.addr, ail_block.idx
         if cache:
-            cache_item = cache.get(ail_block, None)
+            cache_item = cache.get(cache_key, None)
             if cache_item:
                 # cache hit
                 cached_rd = cache_item.rd
@@ -1160,7 +1151,6 @@ class Clinic(Analysis):
             ail_block,
             self.function.addr,
             fail_fast=self._fail_fast,
-            remove_dead_memdefs=remove_dead_memdefs,
             stack_pointer_tracker=stack_pointer_tracker,
             peephole_optimizations=self.peephole_optimizations,
             cached_reaching_definitions=cached_rd,
@@ -1169,8 +1159,8 @@ class Clinic(Analysis):
         # update the cache
         if cache is not None:
             if cache_item:
-                del cache[ail_block]
-            cache[simp.result_block] = BlockCache(simp._reaching_definitions, simp._propagator)
+                del cache[cache_key]
+            cache[cache_key] = BlockCache(simp._reaching_definitions, simp._propagator)
         return simp.result_block
 
     @timethis
@@ -1807,7 +1797,7 @@ class Clinic(Analysis):
             else:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.operand)
 
-        elif type(expr) is ailment.Expr.Convert:
+        elif type(expr) in {ailment.Expr.Convert, ailment.Expr.Reinterpret}:
             self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.operand)
 
         elif type(expr) is ailment.Expr.ITE:
@@ -1828,7 +1818,7 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
-        elif isinstance(expr, ailment.Expr.Const):
+        elif isinstance(expr, ailment.Expr.Const) and expr.is_int:
             # custom string?
             if hasattr(expr, "custom_string") and expr.custom_string is True:
                 s = self.kb.custom_strings[expr.value]
@@ -1873,6 +1863,7 @@ class Clinic(Analysis):
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size
+        assert blocks_by_addr_and_size is not None
 
         graph = networkx.DiGraph()
 
@@ -1947,8 +1938,9 @@ class Clinic(Analysis):
                 break
         if ite_expr_stmt_idx is None:
             return None
+        assert ite_expr_stmt is not None
 
-        ite_expr: ailment.Expr.ITE = ite_expr_stmt.src
+        ite_expr: ailment.Expr.ITE = ite_expr_stmt.src  # type: ignore
         new_head_ail.statements = new_head_ail.statements[:ite_expr_stmt_idx]
         # build the conditional jump
         true_block_addr = ite_ins_addr + 1
@@ -1976,6 +1968,7 @@ class Clinic(Analysis):
                 break
         if ite_expr_stmt_idx is None:
             return None
+        assert ite_expr_stmt is not None
 
         true_block_ail.statements[ite_expr_stmt_idx] = ailment.Stmt.Assignment(
             ite_expr_stmt.idx, ite_expr_stmt.dst, ite_expr_stmt.src.iftrue, **ite_expr_stmt.tags
@@ -1995,6 +1988,7 @@ class Clinic(Analysis):
                 break
         if ite_expr_stmt_idx is None:
             return None
+        assert ite_expr_stmt is not None
 
         false_block_ail.statements[ite_expr_stmt_idx] = ailment.Stmt.Assignment(
             ite_expr_stmt.idx, ite_expr_stmt.dst, ite_expr_stmt.src.iffalse, **ite_expr_stmt.tags
@@ -2002,8 +1996,8 @@ class Clinic(Analysis):
 
         original_block = next(iter(b for b in ail_graph if b.addr == block_addr))
 
-        original_block_in_edges = list(ail_graph.in_edges(original_block))
-        original_block_out_edges = list(ail_graph.out_edges(original_block))
+        original_block_in_edges = list(ail_graph.in_edges(original_block, data=True))
+        original_block_out_edges = list(ail_graph.out_edges(original_block, data=True))
 
         # build the target block if the target block does not exist in the current function
         end_block_addr = ite_ins_addr + ite_insn_size
@@ -2040,19 +2034,19 @@ class Clinic(Analysis):
 
         if end_block_ail not in ail_graph:
             # newly created. add it and the necessary edges into the graph
-            for _, dst in original_block_out_edges:
+            for _, dst, data in original_block_out_edges:
                 if dst is original_block:
-                    ail_graph.add_edge(end_block_ail, new_head_ail)
+                    ail_graph.add_edge(end_block_ail, new_head_ail, **data)
                 else:
-                    ail_graph.add_edge(end_block_ail, dst)
+                    ail_graph.add_edge(end_block_ail, dst, **data)
 
         # in edges
-        for src, _ in original_block_in_edges:
+        for src, _, data in original_block_in_edges:
             if src is original_block:
                 # loop
-                ail_graph.add_edge(end_block_ail, new_head_ail)
+                ail_graph.add_edge(end_block_ail, new_head_ail, **data)
             else:
-                ail_graph.add_edge(src, new_head_ail)
+                ail_graph.add_edge(src, new_head_ail, **data)
 
         # triangle
         ail_graph.add_edge(new_head_ail, true_block_ail)
@@ -2466,7 +2460,7 @@ class Clinic(Analysis):
             expr_idx: int,
             expr: ailment.expression.Expression,
             stmt_idx: int,
-            stmt: ailment.statement.Statement,
+            stmt: ailment.statement.Statement | None,
             block: ailment.Block | None,
         ):
             if expr is None:
@@ -2500,7 +2494,7 @@ class Clinic(Analysis):
             expr: ailment.expression.Const,
             stmt_idx: int,
             stmt: ailment.statement.Statement,
-            block: ailment.Block | None,
+            block: ailment.Block,
         ):
             if isinstance(expr.value, int) and hasattr(expr, "ins_addr"):
                 data_refs[block.addr].append(
@@ -2518,7 +2512,7 @@ class Clinic(Analysis):
             expr: ailment.expression.Load,
             stmt_idx: int,
             stmt: ailment.statement.Statement,
-            block: ailment.Block | None,
+            block: ailment.Block,
         ):
             if isinstance(expr.addr, ailment.expression.Const):
                 addr = expr.addr
@@ -2548,7 +2542,7 @@ class Clinic(Analysis):
 
             return ailment.AILBlockWalker._handle_Load(walker, expr_idx, expr, stmt_idx, stmt, block)
 
-        def handle_Store(stmt_idx: int, stmt: ailment.statement.Store, block: ailment.Block | None):
+        def handle_Store(stmt_idx: int, stmt: ailment.statement.Store, block: ailment.Block):
             if isinstance(stmt.addr, ailment.expression.Const):
                 addr = stmt.addr
                 if isinstance(addr.value, int) and hasattr(addr, "ins_addr"):

angr/analyses/decompiler/condition_processor.py

@@ -18,7 +18,7 @@ from angr.utils import is_pyinstaller
 from angr.utils.graph import dominates, inverted_idoms
 from angr.block import Block, BlockNode
 from angr.errors import AngrRuntimeError
-from .peephole_optimizations import InvertNegatedLogicalConjunctionsAndDisjunctions
+from .peephole_optimizations import InvertNegatedLogicalConjunctionsAndDisjunctions, RemoveRedundantNots
 from .structuring.structurer_nodes import (
     MultiNode,
     EmptyBlockNotice,
@@ -231,7 +231,7 @@ class ConditionProcessor:
         self._ast2annotations = {}
 
         self._peephole_expr_optimizations = [
-            cls(None, None, None) for cls in [InvertNegatedLogicalConjunctionsAndDisjunctions]
+            cls(None, None, None) for cls in [InvertNegatedLogicalConjunctionsAndDisjunctions, RemoveRedundantNots]
         ]
 
     def clear(self):

angr/analyses/decompiler/decompiler.py

@@ -288,6 +288,8 @@ class Decompiler(Analysis):
         )
         ri = self._recover_regions(clinic.graph, cond_proc, update_graph=not delay_graph_updates)
 
+        self._update_progress(73.0, text="Running region-simplification passes")
+
         # run optimizations that may require re-RegionIdentification
         clinic.graph, ri = self._run_region_simplification_passes(
             clinic.graph,

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -15,6 +15,7 @@ from ailment.expression import (
     ITE,
     VEXCCallExpression,
     DirtyExpression,
+    Reinterpret,
 )
 
 from angr.engines.light import SimEngineNostmtAIL
@@ -164,7 +165,7 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             return Load(expr.idx, new_addr, expr.size, expr.endness, guard=expr.guard, alt=expr.alt, **expr.tags)
         return None
 
-    def _handle_expr_Convert(self, expr):
+    def _handle_expr_Convert(self, expr: Convert) -> Convert | None:
         new_operand = self._expr(expr.operand)
         if new_operand is not None:
             return Convert(
@@ -180,6 +181,20 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             )
         return None
 
+    def _handle_expr_Reinterpret(self, expr: Reinterpret) -> Reinterpret | None:
+        new_operand = self._expr(expr.operand)
+        if new_operand is not None:
+            return Reinterpret(
+                expr.idx,
+                expr.from_bits,
+                expr.from_type,
+                expr.to_bits,
+                expr.to_type,
+                new_operand,
+                **expr.tags,
+            )
+        return None
+
     def _handle_expr_Const(self, expr):
         return None
 
@@ -346,18 +361,12 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             )
         return None
 
-    def _handle_expr_DirtyExpression(self, expr):
-        return None
-
     def _handle_expr_MultiStatementExpression(self, expr):
         return None
 
     def _handle_expr_Register(self, expr):
         return None
 
-    def _handle_expr_Reinterpret(self, expr):
-        return None
-
     def _handle_expr_Tmp(self, expr):
         return None
 

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -32,6 +32,7 @@ from .const_prop_reverter import ConstPropOptReverter
 from .call_stmt_rewriter import CallStatementRewriter
 from .duplication_reverter import DuplicationReverter
 from .switch_reused_entry_rewriter import SwitchReusedEntryRewriter
+from .condition_constprop import ConditionConstantPropagation
 
 if TYPE_CHECKING:
     from angr.analyses.decompiler.presets import DecompilationPreset
@@ -66,6 +67,7 @@ ALL_OPTIMIZATION_PASSES = [
     InlinedStringTransformationSimplifier,
     CallStatementRewriter,
     TagSlicer,
+    ConditionConstantPropagation,
 ]
 
 # these passes may duplicate code to remove gotos or improve the structure of the graph
@@ -113,6 +115,7 @@ __all__ = (
     "BasePointerSaveSimplifier",
     "CallStatementRewriter",
     "CodeMotionOptimization",
+    "ConditionConstantPropagation",
     "ConstPropOptReverter",
     "ConstantDereferencesSimplifier",
     "CrossJumpReverter",

angr/analyses/decompiler/optimization_passes/condition_constprop.py

@@ -0,0 +1,149 @@
+from __future__ import annotations
+
+import networkx
+
+from ailment import AILBlockWalker, Block
+from ailment.statement import ConditionalJump, Statement
+from ailment.expression import Const, BinaryOp, VirtualVariable
+
+from angr.analyses.decompiler.region_identifier import RegionIdentifier
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+
+class ConstantCondition:
+    """
+    Describes an opportunity for replacing a vvar with a constant value.
+    """
+
+    def __init__(self, vvar_id: int, value: Const, block_addr: int, block_idx: int | None):
+        self.vvar_id = vvar_id
+        self.value = value
+        self.block_addr = block_addr
+        self.block_idx = block_idx
+
+    def __repr__(self):
+        return f"<ConstCond vvar_{self.vvar_id} == {self.value} since {self.block_addr:#x}-{self.block_idx}>"
+
+
+class CCondPropBlockWalker(AILBlockWalker):
+    """
+    Block walker for ConditionConstantPropagation to replace vvars with constant values.
+    """
+
+    def __init__(self, vvar_id: int, const_value: Const):
+        super().__init__()
+        self._new_block: Block | None = None  # output
+        self.vvar_id = vvar_id
+        self.const_value = const_value
+
+    def walk(self, block: Block):
+        self._new_block = None
+        super().walk(block)
+        return self._new_block
+
+    def _handle_stmt(self, stmt_idx: int, stmt: Statement, block: Block):  # type: ignore
+        r = super()._handle_stmt(stmt_idx, stmt, block)
+        if r is not None:
+            # replace the original statement
+            if self._new_block is None:
+                self._new_block = block.copy()
+            self._new_block.statements[stmt_idx] = r
+
+    def _handle_VirtualVariable(  # type: ignore
+        self, expr_idx: int, expr: VirtualVariable, stmt_idx: int, stmt: Statement, block: Block | None
+    ) -> Const | None:
+        if expr.varid == self.vvar_id:
+            return Const(expr.idx, None, self.const_value.value, self.const_value.bits, **expr.tags)
+        return None
+
+
+class ConditionConstantPropagation(OptimizationPass):
+    """
+    Reason about constant propagation opportunities from conditionals and propagate constants in the graph accordingly.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION
+    NAME = "Propagate constants using information deduced from conditionals."
+    DESCRIPTION = __doc__.strip()  # type: ignore
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self.analyze()
+
+    def _check(self):
+        cconds = self._find_const_conditions()
+        if not cconds:
+            return False, None
+        return True, {"cconds": cconds}
+
+    def _analyze(self, cache=None):
+        if not cache or cache.get("cconds", None) is None:  # noqa: SIM108
+            cconds = self._find_const_conditions()
+        else:
+            cconds = cache["cconds"]
+
+        if not cconds:
+            return
+
+        # group cconds according to their sources
+        cconds_by_src: dict[tuple[int, int | None], list[ConstantCondition]] = {}
+        for ccond in cconds:
+            src = ccond.block_addr, ccond.block_idx
+            if src not in cconds_by_src:
+                cconds_by_src[src] = []
+            cconds_by_src[src].append(ccond)
+
+        # calculate a dominance frontier for each block
+        entry_node_addr, entry_node_idx = self.entry_node_addr
+        entry_node = self._get_block(entry_node_addr, idx=entry_node_idx)
+        df = networkx.algorithms.dominance_frontiers(self._graph, entry_node)
+
+        for src, cconds in cconds_by_src.items():
+            head_block = self._get_block(src[0], idx=src[1])
+            if head_block is None:
+                continue
+            frontier = df.get(head_block)
+            if frontier is None:
+                continue
+            graph_slice = RegionIdentifier.slice_graph(self._graph, head_block, frontier, include_frontier=False)
+            for ccond in cconds:
+                walker = CCondPropBlockWalker(ccond.vvar_id, ccond.value)
+                for block in graph_slice:
+                    new_block = walker.walk(block)
+                    if new_block is not None:
+                        self._update_block(block, new_block)
+
+    def _find_const_conditions(self) -> list[ConstantCondition]:
+        cconds = []
+
+        for block in self._graph:
+            if block.statements:
+                last_stmt = block.statements[-1]
+                if (
+                    not isinstance(last_stmt, ConditionalJump)
+                    or not isinstance(last_stmt.true_target, Const)
+                    or not isinstance(last_stmt.false_target, Const)
+                ):
+                    continue
+
+                if isinstance(last_stmt.condition, BinaryOp):
+                    cond = last_stmt.condition
+                    op = cond.op
+                    op0, op1 = cond.operands
+                    if isinstance(op0, Const):
+                        op0, op1 = op1, op0
+                    if isinstance(op0, VirtualVariable) and isinstance(op1, Const) and op1.is_int:
+                        if op == "CmpEQ":
+                            ccond = ConstantCondition(
+                                op0.varid, op1, last_stmt.true_target.value, last_stmt.true_target_idx  # type: ignore
+                            )
+                            cconds.append(ccond)
+                        elif op == "CmpNE":
+                            ccond = ConstantCondition(
+                                op0.varid, op1, last_stmt.false_target.value, last_stmt.false_target_idx  # type: ignore
+                            )
+                            cconds.append(ccond)
+
+        return cconds

angr/analyses/decompiler/optimization_passes/deadblock_remover.py

@@ -25,13 +25,19 @@ class DeadblockRemover(OptimizationPass):
     PLATFORMS = None
     STAGE = OptimizationPassStage.BEFORE_REGION_IDENTIFICATION
     NAME = "Remove blocks with unsatisfiable conditions"
-    DESCRIPTION = __doc__.strip()
+    DESCRIPTION = __doc__.strip()  # type: ignore
 
-    def __init__(self, func, **kwargs):
+    def __init__(self, func, node_cutoff: int = 200, **kwargs):
         super().__init__(func, **kwargs)
+        self._node_cutoff = node_cutoff
         self.analyze()
 
     def _check(self):
+        # don't run this optimization on super large functions
+        assert self._graph is not None
+        if len(self._graph) >= self._node_cutoff:
+            return False, None
+
         cond_proc = ConditionProcessor(self.project.arch)
         if networkx.is_directed_acyclic_graph(self._graph):
             acyclic_graph = self._graph
@@ -45,7 +51,10 @@ class DeadblockRemover(OptimizationPass):
         cache = {"cond_proc": cond_proc}
         return True, cache
 
-    def _analyze(self, cache=None):
+    def _analyze(self, cache: dict | None = None):
+        assert cache is not None
+        assert self._graph is not None
+
         cond_proc = cache["cond_proc"]
         to_remove = {
             blk

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py

@@ -136,7 +136,7 @@ class InlinedStringTransformationAILEngine(
                 # jumped to a node that we do not know about
                 break
             block = self.nodes[self.pc]
-            self._process(state, block=block, whitelist=None)
+            self.process(state, block=block, whitelist=None)
             if self.pc is None:
                 # not sure where to jump...
                 break

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -111,12 +111,15 @@ class OptimizationPass(BaseOptimizationPass):
     The base class for any function-level graph optimization pass.
     """
 
+    _graph: networkx.DiGraph
+
     def __init__(
         self,
         func,
+        *,
+        graph,
         blocks_by_addr=None,
         blocks_by_addr_and_idx=None,
-        graph=None,
         variable_kb=None,
         region_identifier=None,
         reaching_definitions=None,
@@ -132,7 +135,7 @@ class OptimizationPass(BaseOptimizationPass):
         # self._blocks is just a cache
         self._blocks_by_addr: dict[int, set[ailment.Block]] = blocks_by_addr or {}
         self._blocks_by_addr_and_idx: dict[tuple[int, int | None], ailment.Block] = blocks_by_addr_and_idx or {}
-        self._graph: networkx.DiGraph | None = graph
+        self._graph = graph
         self._variable_kb = variable_kb
         self._ri = region_identifier
         self._rd = reaching_definitions

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -44,7 +44,9 @@ class FreshVirtualVariableRewriter(AILBlockWalker):
 
         return new_stmt
 
-    def _handle_VirtualVariable(self, expr_idx: int, expr: VirtualVariable, stmt_idx: int, stmt, block: Block | None):
+    def _handle_VirtualVariable(  # type:ignore
+        self, expr_idx: int, expr: VirtualVariable, stmt_idx: int, stmt, block: Block | None
+    ) -> VirtualVariable | None:
         if expr.varid in self.vvar_mapping:
             return VirtualVariable(
                 expr.idx,
@@ -58,7 +60,7 @@ class FreshVirtualVariableRewriter(AILBlockWalker):
             )
         return None
 
-    def _handle_stmt(self, stmt_idx: int, stmt, block: Block):
+    def _handle_stmt(self, stmt_idx: int, stmt, block: Block):  # type:ignore
         r = super()._handle_stmt(stmt_idx, stmt, block)
         if r is not None:
             # replace the original statement
@@ -77,10 +79,11 @@ class ReturnDuplicatorBase:
     def __init__(
         self,
         func,
+        *,
+        vvar_id_start: int,
         max_calls_in_regions: int = 2,
         minimize_copies_for_regions: bool = True,
         ri: RegionIdentifier | None = None,
-        vvar_id_start: int | None = None,
         scratch: dict[str, Any] | None = None,
     ):
         self._max_calls_in_region = max_calls_in_regions
@@ -257,8 +260,7 @@ class ReturnDuplicatorBase:
                     # not used in this branch. drop this statement
                     continue
                 else:
-                    phi_var = Phi(stmt.src.idx, stmt.src.bits, [((pred.addr, pred.idx), vvar_src)], **stmt.src.tags)
-                    new_stmt = Assignment(stmt.idx, stmt.dst, phi_var, **stmt.tags)
+                    new_stmt = Assignment(stmt.idx, stmt.dst, vvar_src, **stmt.tags)
                     stmts.append(new_stmt)
                     continue
             stmts.append(stmt)
@@ -287,6 +289,8 @@ class ReturnDuplicatorBase:
         self, endnode_regions: dict[Any, tuple[list[tuple[Any, Any]], networkx.DiGraph]], graph: networkx.DiGraph
     ):
         updated_regions = endnode_regions.copy()
+        assert self._ri is not None
+        assert isinstance(self._ri.region, GraphRegion)
         all_region_block_addrs = list(self._find_block_sets_in_all_regions(self._ri.region).values())
         for region_head, (in_edges, region) in endnode_regions.items():
             is_single_const_ret_region = self._is_simple_return_graph(region)
@@ -356,7 +360,7 @@ class ReturnDuplicatorBase:
             return False
 
         # check if the graph is a single successor chain
-        if not all(labeless_graph.out_degree(n) <= 1 for n in nodes):
+        if not all(labeless_graph.out_degree[n] <= 1 for n in nodes):
             return False
 
         # collect the statements from the top node, make sure one exists
@@ -398,7 +402,11 @@ class ReturnDuplicatorBase:
         if ret_exprs and len(ret_exprs) > 1:
             return False
 
-        ret_expr = ReturnDuplicatorBase.unwrap_conv(ret_exprs[0]) if ret_exprs and len(ret_exprs) == 1 else None
+        if not ret_exprs:
+            # a simple return statement that does not carry any value or variable to return
+            return True
+
+        ret_expr = ReturnDuplicatorBase.unwrap_conv(ret_exprs[0])
         # check if ret_expr is a virtual variable or not
         if not isinstance(ret_expr, (VirtualVariable, Const)):
             return False