angr 9.2.138__py3-none-manylinux2014_x86_64.whl → 9.2.140__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/clinic.py

@@ -89,6 +89,8 @@ class Clinic(Analysis):
     A Clinic deals with AILments.
     """
 
+    _ail_manager: ailment.Manager
+
     def __init__(
         self,
         func,
@@ -109,7 +111,7 @@ class Clinic(Analysis):
         cache: DecompilationCache | None = None,
         mode: ClinicMode = ClinicMode.DECOMPILE,
         sp_shift: int = 0,
-        inline_functions: set[Function] | None = frozenset(),
+        inline_functions: set[Function] | None = None,
         inlined_counts: dict[int, int] | None = None,
         inlining_parents: set[int] | None = None,
         vvar_id_start: int = 0,
@@ -117,7 +119,6 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
-        unsound_fix_abnormal_switches: bool = True,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -131,11 +132,10 @@ class Clinic(Analysis):
         self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimRegArg]] | None = None
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
-        self.data_refs: dict[int, int] = {}  # data address to instruction address
+        self.data_refs: dict[int, list[DataRefDesc]] = {}  # data address to data reference description
         self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
 
         self._func_graph: networkx.DiGraph | None = None
-        self._ail_manager = None
         self._blocks_by_addr_and_size = {}
         self.entry_node_addr: tuple[int, int | None] = self.function.addr, None
 
@@ -149,7 +149,6 @@ class Clinic(Analysis):
         self._must_struct = must_struct
         self._reset_variable_names = reset_variable_names
         self._rewrite_ites_to_diamonds = rewrite_ites_to_diamonds
-        self._unsound_fix_abnormal_switches = unsound_fix_abnormal_switches
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
@@ -159,7 +158,7 @@ class Clinic(Analysis):
         # inlining help
         self._sp_shift = sp_shift
         self._max_stack_depth = 0
-        self._inline_functions = inline_functions
+        self._inline_functions = inline_functions if inline_functions else set()
         self._inlined_counts = {} if inlined_counts is None else inlined_counts
         self._inlining_parents = inlining_parents or ()
         self._desired_variables = desired_variables
@@ -167,6 +166,7 @@ class Clinic(Analysis):
         self._complete_successors = complete_successors
 
         self._register_save_areas_removed: bool = False
+        self.edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]] = []
 
         self._new_block_addrs = set()
 
@@ -200,7 +200,7 @@ class Clinic(Analysis):
         """
 
         try:
-            return self._blocks_by_addr_and_size[(addr, size)]
+            return self._blocks_by_addr_and_size[(addr, size)] if self._blocks_by_addr_and_size is not None else None
         except KeyError:
             return None
 
@@ -209,6 +209,7 @@ class Clinic(Analysis):
 
         :return:
         """
+        assert self.graph is not None
 
         s = ""
 
@@ -297,6 +298,8 @@ class Clinic(Analysis):
         return ail_graph
 
     def _slice_variables(self, ail_graph):
+        assert self.variable_kb is not None
+
         nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
 
         vfm = self.variable_kb.variables.function_managers[self.function.addr]
@@ -344,7 +347,7 @@ class Clinic(Analysis):
             optimization_passes=[StackCanarySimplifier],
             sp_shift=self._max_stack_depth,
             vvar_id_start=self.vvar_id_start,
-            fail_fast=self._fail_fast,
+            fail_fast=self._fail_fast,  # type: ignore
         )
         self.vvar_id_start = callee_clinic.vvar_id_start + 1
         self._max_stack_depth = callee_clinic._max_stack_depth
@@ -490,9 +493,7 @@ class Clinic(Analysis):
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
         self._update_progress(38.0, text="Simplifying blocks 1")
-        ail_graph = self._simplify_blocks(
-            ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
-        )
+        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
         self._rewrite_alloca(ail_graph)
 
         # Run simplification passes
@@ -515,9 +516,7 @@ class Clinic(Analysis):
         # Run simplification passes again. there might be more chances for peephole optimizations after function-level
         # simplification
         self._update_progress(48.0, text="Simplifying blocks 2")
-        ail_graph = self._simplify_blocks(
-            ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
-        )
+        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
 
         # rewrite (qualified) stack variables into SSA form
         ail_graph = self._transform_to_ssa_level1(ail_graph, func_args)
@@ -557,7 +556,6 @@ class Clinic(Analysis):
         self._update_progress(60.0, text="Simplifying blocks 3")
         ail_graph = self._simplify_blocks(
             ail_graph,
-            remove_dead_memdefs=self._remove_dead_memdefs,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
         )
@@ -581,7 +579,6 @@ class Clinic(Analysis):
         self._update_progress(75.0, text="Simplifying blocks 4")
         ail_graph = self._simplify_blocks(
             ail_graph,
-            remove_dead_memdefs=self._remove_dead_memdefs,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
         )
@@ -624,6 +621,7 @@ class Clinic(Analysis):
 
         # remove empty nodes from the graph
         ail_graph = self.remove_empty_nodes(ail_graph)
+        # note that there are still edges to remove before we can structure this graph!
 
         self.arg_list = arg_list
         self.arg_vvars = arg_vvars
@@ -694,9 +692,7 @@ class Clinic(Analysis):
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
         self._update_progress(35.0, text="Simplifying blocks 1")
-        ail_graph = self._simplify_blocks(
-            ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
-        )
+        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
 
         # Simplify the entire function for the first time
         self._update_progress(45.0, text="Simplifying function 1")
@@ -808,7 +804,7 @@ class Clinic(Analysis):
 
             # case 2: the callee is a SimProcedure
             if target_func.is_simprocedure:
-                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)
+                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)  # type: ignore
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
@@ -816,7 +812,7 @@ class Clinic(Analysis):
 
             # case 3: the callee is a PLT function
             if target_func.is_plt:
-                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)
+                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)  # type: ignore
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
@@ -886,7 +882,7 @@ class Clinic(Analysis):
         # finally, recover the calling convention of the current function
         if self.function.prototype is None or self.function.calling_convention is None:
             self.project.analyses.CompleteCallingConventions(
-                fail_fast=self._fail_fast,
+                fail_fast=self._fail_fast,  # type: ignore
                 recover_variables=True,
                 prioritize_func_addrs=[self.function.addr],
                 skip_other_funcs=True,
@@ -1101,7 +1097,6 @@ class Clinic(Analysis):
     def _simplify_blocks(
         self,
         ail_graph: networkx.DiGraph,
-        remove_dead_memdefs=False,
         stack_pointer_tracker=None,
         cache: dict[ailment.Block, NamedTuple] | None = None,
     ):
@@ -1120,7 +1115,6 @@ class Clinic(Analysis):
         for ail_block in ail_graph.nodes():
             simplified = self._simplify_block(
                 ail_block,
-                remove_dead_memdefs=remove_dead_memdefs,
                 stack_pointer_tracker=stack_pointer_tracker,
                 cache=cache,
             )
@@ -1138,7 +1132,7 @@ class Clinic(Analysis):
 
         return ail_graph
 
-    def _simplify_block(self, ail_block, remove_dead_memdefs=False, stack_pointer_tracker=None, cache=None):
+    def _simplify_block(self, ail_block, stack_pointer_tracker=None, cache=None):
         """
         Simplify a single AIL block.
 
@@ -1149,8 +1143,9 @@ class Clinic(Analysis):
 
         cached_rd, cached_prop = None, None
         cache_item = None
+        cache_key = ail_block.addr, ail_block.idx
         if cache:
-            cache_item = cache.get(ail_block, None)
+            cache_item = cache.get(cache_key, None)
             if cache_item:
                 # cache hit
                 cached_rd = cache_item.rd
@@ -1160,7 +1155,6 @@ class Clinic(Analysis):
             ail_block,
             self.function.addr,
             fail_fast=self._fail_fast,
-            remove_dead_memdefs=remove_dead_memdefs,
             stack_pointer_tracker=stack_pointer_tracker,
             peephole_optimizations=self.peephole_optimizations,
             cached_reaching_definitions=cached_rd,
@@ -1169,8 +1163,8 @@ class Clinic(Analysis):
         # update the cache
         if cache is not None:
             if cache_item:
-                del cache[ail_block]
-            cache[simp.result_block] = BlockCache(simp._reaching_definitions, simp._propagator)
+                del cache[cache_key]
+            cache[cache_key] = BlockCache(simp._reaching_definitions, simp._propagator)
         return simp.result_block
 
     @timethis
@@ -1807,7 +1801,7 @@ class Clinic(Analysis):
             else:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.operand)
 
-        elif type(expr) is ailment.Expr.Convert:
+        elif type(expr) in {ailment.Expr.Convert, ailment.Expr.Reinterpret}:
             self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.operand)
 
         elif type(expr) is ailment.Expr.ITE:
@@ -1828,7 +1822,7 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
-        elif isinstance(expr, ailment.Expr.Const):
+        elif isinstance(expr, ailment.Expr.Const) and expr.is_int:
             # custom string?
             if hasattr(expr, "custom_string") and expr.custom_string is True:
                 s = self.kb.custom_strings[expr.value]
@@ -1873,6 +1867,7 @@ class Clinic(Analysis):
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size
+        assert blocks_by_addr_and_size is not None
 
         graph = networkx.DiGraph()
 
@@ -1947,8 +1942,9 @@ class Clinic(Analysis):
                 break
         if ite_expr_stmt_idx is None:
             return None
+        assert ite_expr_stmt is not None
 
-        ite_expr: ailment.Expr.ITE = ite_expr_stmt.src
+        ite_expr: ailment.Expr.ITE = ite_expr_stmt.src  # type: ignore
         new_head_ail.statements = new_head_ail.statements[:ite_expr_stmt_idx]
         # build the conditional jump
         true_block_addr = ite_ins_addr + 1
@@ -1976,6 +1972,7 @@ class Clinic(Analysis):
                 break
         if ite_expr_stmt_idx is None:
             return None
+        assert ite_expr_stmt is not None
 
         true_block_ail.statements[ite_expr_stmt_idx] = ailment.Stmt.Assignment(
             ite_expr_stmt.idx, ite_expr_stmt.dst, ite_expr_stmt.src.iftrue, **ite_expr_stmt.tags
@@ -1995,6 +1992,7 @@ class Clinic(Analysis):
                 break
         if ite_expr_stmt_idx is None:
             return None
+        assert ite_expr_stmt is not None
 
         false_block_ail.statements[ite_expr_stmt_idx] = ailment.Stmt.Assignment(
             ite_expr_stmt.idx, ite_expr_stmt.dst, ite_expr_stmt.src.iffalse, **ite_expr_stmt.tags
@@ -2002,8 +2000,8 @@ class Clinic(Analysis):
 
         original_block = next(iter(b for b in ail_graph if b.addr == block_addr))
 
-        original_block_in_edges = list(ail_graph.in_edges(original_block))
-        original_block_out_edges = list(ail_graph.out_edges(original_block))
+        original_block_in_edges = list(ail_graph.in_edges(original_block, data=True))
+        original_block_out_edges = list(ail_graph.out_edges(original_block, data=True))
 
         # build the target block if the target block does not exist in the current function
         end_block_addr = ite_ins_addr + ite_insn_size
@@ -2040,19 +2038,19 @@ class Clinic(Analysis):
 
         if end_block_ail not in ail_graph:
             # newly created. add it and the necessary edges into the graph
-            for _, dst in original_block_out_edges:
+            for _, dst, data in original_block_out_edges:
                 if dst is original_block:
-                    ail_graph.add_edge(end_block_ail, new_head_ail)
+                    ail_graph.add_edge(end_block_ail, new_head_ail, **data)
                 else:
-                    ail_graph.add_edge(end_block_ail, dst)
+                    ail_graph.add_edge(end_block_ail, dst, **data)
 
         # in edges
-        for src, _ in original_block_in_edges:
+        for src, _, data in original_block_in_edges:
             if src is original_block:
                 # loop
-                ail_graph.add_edge(end_block_ail, new_head_ail)
+                ail_graph.add_edge(end_block_ail, new_head_ail, **data)
             else:
-                ail_graph.add_edge(src, new_head_ail)
+                ail_graph.add_edge(src, new_head_ail, **data)
 
         # triangle
         ail_graph.add_edge(new_head_ail, true_block_ail)
@@ -2115,49 +2113,60 @@ class Clinic(Analysis):
             # the overlapped instructions and add an unconditional jump so that it jumps to 0x41da9d.
             # this is the most common case created by jump threading optimization in compilers. it's easy to handle.
 
-            # Case 2: the intended head and the other heads do not share the same suffix of instructions. in this case,
-            # we cannot reliably convert the blocks into a properly structured switch-case construct. we will alter the
-            # last instruction of all other heads to jump to the cmp instruction in the intended head, but do not remove
-            # any other instructions in these other heads. this is unsound, but is the best we can do in this case.
+            # Case 2 & 3: the intended head and the other heads do not share the same suffix of instructions. in this
+            # case, we have two choices:
+            #   Case 2: The intended head has two successors, but at least one unintended head has only one successor.
+            #           we cannot reliably convert the blocks into a properly structured switch-case construct. we will
+            #           last instruction of all other heads to jump to the cmp instruction in the intended head, but do
+            #           not remove any other instructions in these other heads. this is unsound, but is the best we can
+            #           do in this case.
+            #   Case 3: The intended head has only one successor (which is the indirect jump node). during structuring,
+            #           we expect it will be structured as a no-default-node switch-case construct. in this case, we
+            #           can simply remove the edges from all other heads to the jump node and only leave the edge from
+            #           the intended head to the jump node. we will see goto statements in the output, but this will
+            #           lead to correct structuring result.
 
             overlaps = [self._get_overlapping_suffix_instructions(intended_head, head) for head in other_heads]
             if overlaps and (overlap := min(overlaps)) > 0:
                 # Case 1
                 self._fix_abnormal_switch_case_heads_case1(ail_graph, candidate, intended_head, other_heads, overlap)
-            else:
-                if self._unsound_fix_abnormal_switches:
-                    # Case 2
-                    l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
-                    # find the comparison instruction in the intended head
-                    comparison_stmt = None
-                    if "cc_op" in self.project.arch.registers:
-                        comparison_stmt = next(
-                            iter(
-                                stmt
-                                for stmt in intended_head.statements
-                                if isinstance(stmt, ailment.Stmt.Assignment)
-                                and isinstance(stmt.dst, ailment.Expr.Register)
-                                and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
-                            ),
-                            None,
-                        )
-                    intended_head_block = self.project.factory.block(
-                        intended_head.addr, size=intended_head.original_size
+            elif ail_graph.out_degree[intended_head] == 2:
+                # Case 2
+                l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
+                # find the comparison instruction in the intended head
+                comparison_stmt = None
+                if "cc_op" in self.project.arch.registers:
+                    comparison_stmt = next(
+                        iter(
+                            stmt
+                            for stmt in intended_head.statements
+                            if isinstance(stmt, ailment.Stmt.Assignment)
+                            and isinstance(stmt.dst, ailment.Expr.Register)
+                            and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
+                        ),
+                        None,
                     )
-                    if comparison_stmt is not None:
-                        cmp_rpos = len(
-                            intended_head_block.instruction_addrs
-                        ) - intended_head_block.instruction_addrs.index(comparison_stmt.ins_addr)
-                    else:
-                        cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
-                    self._fix_abnormal_switch_case_heads_case2(
-                        ail_graph,
-                        candidate,
-                        intended_head,
-                        other_heads,
-                        intended_head_split_insns=cmp_rpos,
-                        other_head_split_insns=0,
+                intended_head_block = self.project.factory.block(intended_head.addr, size=intended_head.original_size)
+                if comparison_stmt is not None:
+                    cmp_rpos = len(intended_head_block.instruction_addrs) - intended_head_block.instruction_addrs.index(
+                        comparison_stmt.ins_addr
                     )
+                else:
+                    cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
+                self._fix_abnormal_switch_case_heads_case2(
+                    ail_graph,
+                    candidate,
+                    intended_head,
+                    other_heads,
+                    intended_head_split_insns=cmp_rpos,
+                    other_head_split_insns=0,
+                )
+            else:
+                # Case 3
+                self._fix_abnormal_switch_case_heads_case3(
+                    candidate,
+                    other_heads,
+                )
 
     def _get_overlapping_suffix_instructions(self, ailblock_0: ailment.Block, ailblock_1: ailment.Block) -> int:
         # we first compare their ending conditional jumps
@@ -2366,6 +2375,16 @@ class Clinic(Analysis):
                     # it should be going to the default node. ignore it
                     pass
 
+    def _fix_abnormal_switch_case_heads_case3(
+        self, indirect_jump_node: ailment.Block, other_heads: list[ailment.Block]
+    ) -> None:
+        # remove all edges from other_heads to the indirect jump node
+        for other_head in other_heads:
+            # delay the edge removal so that we don't mess up the SSA analysis
+            self.edges_to_remove.append(
+                ((other_head.addr, other_head.idx), (indirect_jump_node.addr, indirect_jump_node.idx))
+            )
+
     @staticmethod
     def _remove_redundant_jump_blocks(ail_graph):
         def first_conditional_jump(block: ailment.Block) -> ailment.Stmt.ConditionalJump | None:
@@ -2466,7 +2485,7 @@ class Clinic(Analysis):
             expr_idx: int,
             expr: ailment.expression.Expression,
             stmt_idx: int,
-            stmt: ailment.statement.Statement,
+            stmt: ailment.statement.Statement | None,
             block: ailment.Block | None,
         ):
             if expr is None:
@@ -2500,7 +2519,7 @@ class Clinic(Analysis):
             expr: ailment.expression.Const,
             stmt_idx: int,
             stmt: ailment.statement.Statement,
-            block: ailment.Block | None,
+            block: ailment.Block,
         ):
             if isinstance(expr.value, int) and hasattr(expr, "ins_addr"):
                 data_refs[block.addr].append(
@@ -2518,7 +2537,7 @@ class Clinic(Analysis):
             expr: ailment.expression.Load,
             stmt_idx: int,
             stmt: ailment.statement.Statement,
-            block: ailment.Block | None,
+            block: ailment.Block,
         ):
             if isinstance(expr.addr, ailment.expression.Const):
                 addr = expr.addr
@@ -2548,7 +2567,7 @@ class Clinic(Analysis):
 
             return ailment.AILBlockWalker._handle_Load(walker, expr_idx, expr, stmt_idx, stmt, block)
 
-        def handle_Store(stmt_idx: int, stmt: ailment.statement.Store, block: ailment.Block | None):
+        def handle_Store(stmt_idx: int, stmt: ailment.statement.Store, block: ailment.Block):
             if isinstance(stmt.addr, ailment.expression.Const):
                 addr = stmt.addr
                 if isinstance(addr.value, int) and hasattr(addr, "ins_addr"):

angr/analyses/decompiler/condition_processor.py

@@ -18,7 +18,7 @@ from angr.utils import is_pyinstaller
 from angr.utils.graph import dominates, inverted_idoms
 from angr.block import Block, BlockNode
 from angr.errors import AngrRuntimeError
-from .peephole_optimizations import InvertNegatedLogicalConjunctionsAndDisjunctions
+from .peephole_optimizations import InvertNegatedLogicalConjunctionsAndDisjunctions, RemoveRedundantNots
 from .structuring.structurer_nodes import (
     MultiNode,
     EmptyBlockNotice,
@@ -231,7 +231,7 @@ class ConditionProcessor:
         self._ast2annotations = {}
 
         self._peephole_expr_optimizations = [
-            cls(None, None, None) for cls in [InvertNegatedLogicalConjunctionsAndDisjunctions]
+            cls(None, None, None) for cls in [InvertNegatedLogicalConjunctionsAndDisjunctions, RemoveRedundantNots]
         ]
 
     def clear(self):

angr/analyses/decompiler/decompiler.py

@@ -2,8 +2,8 @@
 from __future__ import annotations
 import logging
 from collections import defaultdict
-from typing import Optional, Union, Any, TYPE_CHECKING
 from collections.abc import Iterable
+from typing import Optional, Union, Any, TYPE_CHECKING
 
 import networkx
 from cle import SymbolType
@@ -15,6 +15,7 @@ from angr.knowledge_base import KnowledgeBase
 from angr.sim_variable import SimMemoryVariable, SimRegisterVariable, SimStackVariable
 from angr.utils import timethis
 from angr.analyses import Analysis, AnalysesHub
+from .structured_codegen.c import CStructuredCodeGenerator
 from .structuring import RecursiveStructurer, PhoenixStructurer, DEFAULT_STRUCTURER
 from .region_identifier import RegionIdentifier
 from .optimization_passes.optimization_pass import OptimizationPassStage
@@ -22,7 +23,7 @@ from .ailgraph_walker import AILGraphWalker
 from .condition_processor import ConditionProcessor
 from .decompilation_options import DecompilationOption
 from .decompilation_cache import DecompilationCache
-from .utils import remove_labels
+from .utils import remove_labels, remove_edges_in_ailgraph
 from .sequence_walker import SequenceWalker
 from .structuring.structurer_nodes import SequenceNode
 from .presets import DECOMPILATION_PRESETS, DecompilationPreset
@@ -30,7 +31,6 @@ from .presets import DECOMPILATION_PRESETS, DecompilationPreset
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg.cfg_model import CFGModel
     from .peephole_optimizations import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase
-    from .structured_codegen.c import CStructuredCodeGenerator
 
 l = logging.getLogger(name=__name__)
 
@@ -157,6 +157,8 @@ class Decompiler(Analysis):
                             self.kb.decompilations[(self.func.addr, self._flavor)].errors.append(error.format())
 
     def _can_use_decompilation_cache(self, cache: DecompilationCache) -> bool:
+        if self._cache_parameters is None or cache.parameters is None:
+            return False
         a, b = self._cache_parameters, cache.parameters
         id_checks = {"cfg", "variable_kb"}
         return all(a[k] is b[k] if k in id_checks else a[k] == b[k] for k in self._cache_parameters)
@@ -201,7 +203,7 @@ class Decompiler(Analysis):
 
         variable_kb = self._variable_kb
         # fall back to old codegen
-        if variable_kb is None and old_codegen is not None:
+        if variable_kb is None and old_codegen is not None and isinstance(old_codegen, CStructuredCodeGenerator):
             variable_kb = old_codegen._variable_kb
 
         if variable_kb is None:
@@ -223,7 +225,8 @@ class Decompiler(Analysis):
             fold_callexprs_into_conditions = True
 
         cache = DecompilationCache(self.func.addr)
-        cache.parameters = self._cache_parameters
+        if self._cache_parameters is not None:
+            cache.parameters = self._cache_parameters
         cache.ite_exprs = ite_exprs
         cache.binop_operators = binop_operators
 
@@ -288,14 +291,22 @@ class Decompiler(Analysis):
         )
         ri = self._recover_regions(clinic.graph, cond_proc, update_graph=not delay_graph_updates)
 
+        self._update_progress(73.0, text="Running region-simplification passes")
+
         # run optimizations that may require re-RegionIdentification
         clinic.graph, ri = self._run_region_simplification_passes(
             clinic.graph,
             ri,
             clinic.reaching_definitions,
             ite_exprs=ite_exprs,
+            arg_vvars=set(clinic.arg_vvars),
+            edges_to_remove=clinic.edges_to_remove,
         )
 
+        # finally (no more graph-based simplifications will run in the future), we can remove the edges that should be
+        # removed!
+        remove_edges_in_ailgraph(clinic.graph, clinic.edges_to_remove)
+
         # Rewrite the graph to remove phi expressions
         # this is probably optional if we do not pretty-print clinic.graph
         clinic.graph = self._transform_graph_from_ssa(clinic.graph)
@@ -323,9 +334,9 @@ class Decompiler(Analysis):
             s = self.project.analyses.RegionSimplifier(
                 self.func,
                 rs.result,
+                arg_vvars=set(self.clinic.arg_vvars),
                 kb=self.kb,
                 fail_fast=self._fail_fast,
-                variable_kb=clinic.variable_kb,
                 **self.options_to_params(self.options_by_class["region_simplifier"]),
             )
             seq_node = s.result
@@ -437,7 +448,7 @@ class Decompiler(Analysis):
         return ail_graph
 
     @timethis
-    def _run_region_simplification_passes(self, ail_graph, ri, reaching_definitions, **kwargs):
+    def _run_region_simplification_passes(self, ail_graph, ri, reaching_definitions, arg_vvars: set[int], **kwargs):
         """
         Runs optimizations that should be executed after a single region identification. This function will return
         two items: the new RegionIdentifier object and the new AIL Graph, which should probably be written
@@ -481,6 +492,7 @@ class Decompiler(Analysis):
                 blocks_by_addr_and_idx=addr_and_idx_to_blocks,
                 graph=ail_graph,
                 variable_kb=self._variable_kb,
+                arg_vvars=arg_vvars,
                 region_identifier=ri,
                 reaching_definitions=reaching_definitions,
                 vvar_id_start=self.vvar_id_start,

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -15,6 +15,7 @@ from ailment.expression import (
     ITE,
     VEXCCallExpression,
     DirtyExpression,
+    Reinterpret,
 )
 
 from angr.engines.light import SimEngineNostmtAIL
@@ -164,7 +165,7 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             return Load(expr.idx, new_addr, expr.size, expr.endness, guard=expr.guard, alt=expr.alt, **expr.tags)
         return None
 
-    def _handle_expr_Convert(self, expr):
+    def _handle_expr_Convert(self, expr: Convert) -> Convert | None:
         new_operand = self._expr(expr.operand)
         if new_operand is not None:
             return Convert(
@@ -180,6 +181,20 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             )
         return None
 
+    def _handle_expr_Reinterpret(self, expr: Reinterpret) -> Reinterpret | None:
+        new_operand = self._expr(expr.operand)
+        if new_operand is not None:
+            return Reinterpret(
+                expr.idx,
+                expr.from_bits,
+                expr.from_type,
+                expr.to_bits,
+                expr.to_type,
+                new_operand,
+                **expr.tags,
+            )
+        return None
+
     def _handle_expr_Const(self, expr):
         return None
 
@@ -346,18 +361,12 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             )
         return None
 
-    def _handle_expr_DirtyExpression(self, expr):
-        return None
-
     def _handle_expr_MultiStatementExpression(self, expr):
         return None
 
     def _handle_expr_Register(self, expr):
         return None
 
-    def _handle_expr_Reinterpret(self, expr):
-        return None
-
     def _handle_expr_Tmp(self, expr):
         return None
 

angr/analyses/decompiler/expression_narrower.py

@@ -38,7 +38,7 @@ class ExprNarrowingInfo:
         narrowable: bool,
         to_size: int | None = None,
         use_exprs: list[tuple[atoms.VirtualVariable, CodeLocation, tuple[str, tuple[Expression, ...]]]] | None = None,
-        phi_vars: set[atoms.VirtualVariable] | None = None,
+        phi_vars: set[VirtualVariable] | None = None,
     ):
         self.narrowable = narrowable
         self.to_size = to_size