angr 9.2.138__py3-none-macosx_11_0_arm64.whl → 9.2.139__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/optimization_passes/return_duplicator_high.py

@@ -4,9 +4,9 @@ from typing import Any
 
 import networkx
 
+from angr.analyses.decompiler.structuring import SAILRStructurer, DreamStructurer
 from .return_duplicator_base import ReturnDuplicatorBase
 from .optimization_pass import OptimizationPass, OptimizationPassStage
-from angr.analyses.decompiler.structuring import SAILRStructurer, DreamStructurer
 
 _l = logging.getLogger(name=__name__)
 
@@ -19,7 +19,7 @@ class ReturnDuplicatorHigh(OptimizationPass, ReturnDuplicatorBase):
 
     ARCHES = None
     PLATFORMS = None
-    STAGE = OptimizationPassStage.AFTER_VARIABLE_RECOVERY
+    STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
     NAME = "Duplicate return-only blocks (high)"
     DESCRIPTION = __doc__
     STRUCTURING = [SAILRStructurer.NAME, DreamStructurer.NAME]
@@ -28,27 +28,22 @@ class ReturnDuplicatorHigh(OptimizationPass, ReturnDuplicatorBase):
         self,
         func,
         # settings
+        *,
+        vvar_id_start: int,
         max_calls_in_regions: int = 2,
         minimize_copies_for_regions: bool = True,
-        region_identifier=None,
-        vvar_id_start: int | None = None,
         scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
-        OptimizationPass.__init__(
-            self, func, vvar_id_start=vvar_id_start, scratch=scratch, region_identifier=region_identifier, **kwargs
-        )
+        OptimizationPass.__init__(self, func, vvar_id_start=vvar_id_start, scratch=scratch, **kwargs)
         ReturnDuplicatorBase.__init__(
             self,
             func,
             max_calls_in_regions=max_calls_in_regions,
             minimize_copies_for_regions=minimize_copies_for_regions,
-            ri=region_identifier,
             vvar_id_start=vvar_id_start,
             scratch=scratch,
         )
-        # since we run before the RegionIdentification pass in the decompiler, we need to collect it early here
-        self._ri = self._recover_regions(self._graph)
 
         self.analyze()
 
@@ -60,6 +55,8 @@ class ReturnDuplicatorHigh(OptimizationPass, ReturnDuplicatorBase):
         return dst_is_const_ret
 
     def _analyze(self, cache=None):
+        # since we run before the RegionIdentification pass in the decompiler, we need to collect it early here
+        self._ri = self._recover_regions(self._graph)
         copy_graph = networkx.DiGraph(self._graph)
         if self._analyze_core(copy_graph):
             self.out_graph = self._simplify_graph(copy_graph)

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -150,7 +150,12 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             if isinstance(expr.operands[1], Const) and expr.operands[1].value == 1:
                 # x * 1 => x
                 return expr.operands[0]
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            if (
+                isinstance(expr.operands[0], Const)
+                and expr.operands[0].is_int
+                and isinstance(expr.operands[1], Const)
+                and expr.operands[1].is_int
+            ):
                 # constant multiplication
                 mask = (1 << expr.bits) - 1
                 return Const(
@@ -236,6 +241,10 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 return expr.operands[1]
             if isinstance(expr.operands[1], Const) and expr.operands[1].value == 0:
                 return expr.operands[0]
+            if isinstance(expr.operands[0], Const) and expr.operands[0].value == (1 << expr.operands[0].bits) - 1:
+                return expr.operands[0]
+            if isinstance(expr.operands[1], Const) and expr.operands[1].value == (1 << expr.operands[1].bits) - 1:
+                return expr.operands[1]
             if expr.operands[0].likes(expr.operands[1]):
                 return expr.operands[0]
 
@@ -290,6 +299,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
     def _optimize_convert(expr: Convert):
         if (
             isinstance(expr.operand, Const)
+            and expr.operand.is_int
             and expr.from_type == Convert.TYPE_INT
             and expr.to_type == Convert.TYPE_INT
             and expr.from_bits > expr.to_bits
@@ -300,6 +310,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             return Const(expr.idx, expr.operand.variable, v, expr.to_bits, **expr.operand.tags)
         if (
             isinstance(expr.operand, Const)
+            and expr.operand.is_int
             and expr.from_type == Convert.TYPE_INT
             and expr.to_type == Convert.TYPE_INT
             and expr.from_bits <= expr.to_bits

angr/analyses/decompiler/peephole_optimizations/remove_redundant_conversions.py

@@ -169,29 +169,65 @@ class RemoveRedundantConversions(PeepholeOptimizationExprBase):
     @staticmethod
     def _optimize_Convert(expr: Convert):
         operand_expr = expr.operand
-        if isinstance(operand_expr, BinaryOp) and operand_expr.op in {
-            "Mul",
-            "Shl",
-            "Div",
-            "DivMod",
-            "Mod",
-            "Add",
-            "Sub",
-        }:
-            op0, op1 = operand_expr.operands
-            if (
-                isinstance(op0, Convert)
-                and isinstance(op1, Convert)
-                and op0.from_bits == op1.from_bits
-                and op0.to_bits == op1.to_bits
-                and expr.from_bits == op0.to_bits
-                and expr.to_bits == op1.from_bits
-            ):
-                return BinaryOp(
-                    operand_expr.idx,
-                    operand_expr.op,
-                    [op0.operand, op1.operand],
-                    expr.is_signed,
-                    **operand_expr.tags,
-                )
+        if isinstance(operand_expr, BinaryOp):
+            if operand_expr.op in {
+                "Mul",
+                "Shl",
+                "Div",
+                "DivMod",
+                "Mod",
+                "Add",
+                "Sub",
+            }:
+                op0, op1 = operand_expr.operands
+                if (
+                    isinstance(op0, Convert)
+                    and isinstance(op1, Convert)
+                    and op0.from_bits == op1.from_bits
+                    and op0.to_bits == op1.to_bits
+                    and expr.from_bits == op0.to_bits
+                    and expr.to_bits == op1.from_bits
+                ):
+                    return BinaryOp(
+                        operand_expr.idx,
+                        operand_expr.op,
+                        [op0.operand, op1.operand],
+                        expr.is_signed,
+                        **operand_expr.tags,
+                    )
+            elif operand_expr.op == "Or" and expr.from_bits > expr.to_bits:
+                # Conv(64->32,((vvar_183{reg 128} & 0xffffffff00000000<64>)
+                #   | Conv(32->64, Load(addr=0x200002dc<32>, size=4, endness=Iend_LE))))
+                # =>
+                # Conv(64->32, Load(addr=0x200002dc<32>, size=4, endness=Iend_LE))
+                high_mask = ((1 << expr.from_bits) - 1) - ((1 << expr.to_bits) - 1)
+                op0, op1 = operand_expr.operands
+                if (
+                    isinstance(op0, BinaryOp)
+                    and op0.op == "And"
+                    and isinstance(op0.operands[1], Const)
+                    and op0.operands[1].value == high_mask
+                ):
+                    return Convert(
+                        expr.idx,
+                        expr.from_bits,
+                        expr.to_bits,
+                        expr.is_signed,
+                        op1,
+                        **expr.tags,
+                    )
+                if (
+                    isinstance(op1, BinaryOp)
+                    and op1.op == "And"
+                    and isinstance(op1.operands[1], Const)
+                    and op1.operands[1].value == high_mask
+                ):
+                    return Convert(
+                        expr.idx,
+                        expr.from_bits,
+                        expr.to_bits,
+                        expr.is_signed,
+                        op0,
+                        **expr.tags,
+                    )
         return None

angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts.py

@@ -1,4 +1,4 @@
-# pylint:disable=no-self-use,missing-class-docstring
+# pylint:disable=no-self-use,too-many-boolean-expressions
 from __future__ import annotations
 from ailment.expression import BinaryOp, Const, Convert
 
@@ -7,6 +7,10 @@ from .utils import get_expr_shift_left_amount
 
 
 class RemoveRedundantShifts(PeepholeOptimizationExprBase):
+    """
+    Remove redundant bitshift operations.
+    """
+
     __slots__ = ()
 
     NAME = "Remove redundant bitshifts"
@@ -43,4 +47,49 @@ class RemoveRedundantShifts(PeepholeOptimizationExprBase):
         if expr.op in {"Shl", "Shr", "Sar"} and isinstance(expr.operands[1], Const) and expr.operands[1].value == 0:
             return expr.operands[0]
 
+        mask_hi32bits = 0xFFFFFFFF_00000000
+        exp_32bits = 0x1_00000000
+        if (
+            expr.op == "Shr"
+            and isinstance(expr.operands[1], Const)
+            and expr.operands[1].value == 32
+            and isinstance(expr.operands[0], BinaryOp)
+            and expr.operands[0].op == "Or"
+        ):
+            op0, op1 = expr.operands[0].operands
+            if (
+                isinstance(op1, Convert)
+                and op1.from_bits == 32
+                and op1.to_bits == 64
+                and op1.from_type == Convert.TYPE_INT
+                and op1.to_type == Convert.TYPE_INT
+                and isinstance(op0, BinaryOp)
+                and op0.op == "And"
+            ):
+                # (expr<64-bits> & 0xffffffff_00000000) | Conv(32->64, expr<32-bits>)) >> 32  ==>  expr<64-bits> >> 32
+                inner_op0, inner_op1 = op0.operands
+                if isinstance(inner_op1, Const) and inner_op1.value == mask_hi32bits:
+                    if (
+                        isinstance(inner_op0, BinaryOp)
+                        and isinstance(inner_op0.operands[1], Const)
+                        and inner_op0.operands[1].value == exp_32bits
+                    ):
+                        return inner_op0.operands[0]
+                    return BinaryOp(expr.idx, "Shr", [inner_op0, expr.operands[1]], expr.signed, **expr.tags)
+                return BinaryOp(expr.idx, "Shr", [op0, expr.operands[1]], expr.signed, **expr.tags)
+
+            for op0, op1 in [expr.operands[0].operands, expr.operands[0].operands[::-1]]:
+                # ((v11 & 0xffff_ffff | 10.0 * 0x1_00000000) >> 32)   ==>   10.0
+                if (
+                    isinstance(op0, BinaryOp)
+                    and op0.op == "And"
+                    and isinstance(op0.operands[1], Const)
+                    and op0.operands[1].value == 0xFFFF_FFFF
+                    and isinstance(op1, BinaryOp)
+                    and op1.op == "Mul"
+                    and isinstance(op1.operands[1], Const)
+                    and op1.operands[1].value == 0x1_0000_0000
+                ):
+                    return op1.operands[0]
+
         return None

angr/analyses/decompiler/presets/fast.py

@@ -21,6 +21,7 @@ from angr.analyses.decompiler.optimization_passes import (
     CallStatementRewriter,
     DeadblockRemover,
     SwitchReusedEntryRewriter,
+    ConditionConstantPropagation,
 )
 
 
@@ -47,6 +48,7 @@ preset_fast = DecompilationPreset(
         FlipBooleanCmp,
         InlinedStringTransformationSimplifier,
         CallStatementRewriter,
+        ConditionConstantPropagation,
     ],
 )
 

angr/analyses/decompiler/presets/full.py

@@ -26,6 +26,7 @@ from angr.analyses.decompiler.optimization_passes import (
     InlinedStringTransformationSimplifier,
     CallStatementRewriter,
     SwitchReusedEntryRewriter,
+    ConditionConstantPropagation,
 )
 
 
@@ -57,6 +58,7 @@ preset_full = DecompilationPreset(
         InlinedStringTransformationSimplifier,
         CallStatementRewriter,
         SwitchReusedEntryRewriter,
+        ConditionConstantPropagation,
     ],
 )
 

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -88,6 +88,10 @@ class RegionSimplifier(Analysis):
     #
 
     def _fold_oneuse_expressions(self, region):
+        # Disabled until https://github.com/angr/angr/issues/5110 and related folding issues fixed
+        return region
+
+        # pylint:disable=unreachable
         variable_manager = self.variable_kb.variables[self.func.addr]
         expr_counter = ExpressionCounter(region, variable_manager)
 

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 
 from ailment.manager import Manager
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
+from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
     Expression,
     Register,
@@ -19,6 +19,7 @@ from ailment.expression import (
     ITE,
     Tmp,
     DirtyExpression,
+    Reinterpret,
 )
 
 from angr.engines.light.engine import SimEngineNostmtAIL
@@ -183,6 +184,12 @@ class SimEngineSSARewriting(
 
         return None
 
+    def _handle_stmt_Jump(self, stmt: Jump) -> Jump | None:
+        new_target = self._expr(stmt.target)
+        if new_target is not None:
+            return Jump(stmt.idx, new_target, stmt.target_idx, **stmt.tags)
+        return None
+
     def _handle_stmt_ConditionalJump(self, stmt: ConditionalJump) -> ConditionalJump | None:
         new_cond = self._expr(stmt.condition)
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
@@ -429,7 +436,18 @@ class SimEngineSSARewriting(
     def _handle_expr_Phi(self, expr):
         return None
 
-    def _handle_expr_Reinterpret(self, expr):
+    def _handle_expr_Reinterpret(self, expr: Reinterpret) -> Reinterpret | None:
+        new_operand = self._expr(expr.operand)
+        if new_operand is not None:
+            return Reinterpret(
+                expr.idx,
+                expr.from_bits,
+                expr.from_type,
+                expr.to_bits,
+                expr.to_type,
+                new_operand,
+                **expr.tags,
+            )
         return None
 
     def _handle_expr_StackBaseOffset(self, expr):

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -205,7 +205,7 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
     _handle_binop_Set = _handle_binop_Default
 
     def _handle_unop_Default(self, expr):
-        self._expr(expr.operands[0])
+        self._expr(expr.operand)
 
     _handle_unop_BitwiseNeg = _handle_unop_Default
     _handle_unop_Dereference = _handle_unop_Default
@@ -243,16 +243,17 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
         if expr.maddr is not None:
             self._expr(expr.maddr)
 
+    _handle_expr_Convert = _handle_unop_Default
+    _handle_expr_Reinterpret = _handle_unop_Default
+
     def _handle_Dummy(self, expr):
         pass
 
     _handle_expr_VirtualVariable = _handle_Dummy
     _handle_expr_Phi = _handle_Dummy
     _handle_expr_Load = _handle_Dummy
-    _handle_expr_Convert = _handle_Dummy
     _handle_expr_Const = _handle_Dummy
     _handle_expr_MultiStatementExpression = _handle_Dummy
-    _handle_expr_Reinterpret = _handle_Dummy
     _handle_expr_StackBaseOffset = _handle_Dummy
     _handle_expr_BasePointerOffset = _handle_Dummy
     _handle_expr_Call = _handle_Dummy

angr/analyses/decompiler/structured_codegen/c.py

@@ -2504,6 +2504,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         omit_func_header=False,
         display_block_addrs=False,
         display_vvar_ids=False,
+        min_data_addr: int = 0x400_000,
     ):
         super().__init__(flavor=flavor)
 
@@ -2578,6 +2579,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         self.omit_func_header = omit_func_header
         self.display_block_addrs = display_block_addrs
         self.display_vvar_ids = display_vvar_ids
+        self.min_data_addr = min_data_addr
         self.text = None
         self.map_pos_to_node = None
         self.map_pos_to_addr = None
@@ -3519,8 +3521,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                     expr.value
                 ]
                 inline_string = True
-            elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, SimTypeChar):
-                # char*
+            elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, (SimTypeChar, SimTypeBottom)):
+                # char* or void*
                 # Try to get a string
                 if (
                     self._cfg is not None
@@ -3583,11 +3585,16 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             elif function_pointer:
                 self._function_pointers.add(expr.reference_variable)
 
+        var_access = None
         if variable is not None and not reference_values:
             cvar = self._variable(variable, None)
             offset = getattr(expr, "reference_variable_offset", 0)
-            return self._access_constant_offset_reference(self._get_variable_reference(cvar), offset, None)
+            var_access = self._access_constant_offset_reference(self._get_variable_reference(cvar), offset, None)
 
+        if var_access is not None and expr.value >= self.min_data_addr:
+            return var_access
+
+        reference_values["offset"] = var_access
         return CConstant(expr.value, type_, reference_values=reference_values, tags=expr.tags, codegen=self)
 
     def _handle_Expr_UnaryOp(self, expr, **kwargs):

angr/analyses/decompiler/structuring/dream.py

@@ -567,8 +567,13 @@ class DreamStructurer(StructurerBase):
             seq, cmp_lb, jump_table.jumptable_entries, i, node_b_addr, addr2nodes
         )
         # if we don't know what the end address of this switch-case structure is, let's figure it out
-        switch_end_addr = node_b_addr if node_default is None else None
-        self._switch_handle_gotos(cases, node_default, switch_end_addr)
+        switch_end_addr = (
+            node_b_addr
+            if node_default is None
+            else self._switch_find_switch_end_addr(cases, node_default, {nn.addr for nn in self._region.graph})
+        )
+        if switch_end_addr is not None:
+            self._switch_handle_gotos(cases, node_default, switch_end_addr)
 
         self._make_switch_cases_core(
             seq,