angr 9.2.139__py3-none-manylinux2014_aarch64.whl → 9.2.141__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -12,7 +12,13 @@ from .if_ import IfSimplifier
 from .cascading_ifs import CascadingIfsRemover
 from .ifelse import IfElseFlattener
 from .loop import LoopSimplifier
-from .expr_folding import ExpressionCounter, ExpressionFolder, StoreStatementFinder, ExpressionLocation
+from .expr_folding import (
+    ExpressionCounter,
+    ExpressionFolder,
+    StoreStatementFinder,
+    ExpressionLocation,
+    InterferenceChecker,
+)
 from .cascading_cond_transformer import CascadingConditionTransformer
 from .switch_expr_simplifier import SwitchExpressionSimplifier
 from .switch_cluster_simplifier import SwitchClusterFinder, simplify_switch_clusters, simplify_lowered_switches
@@ -23,10 +29,17 @@ class RegionSimplifier(Analysis):
     Simplifies a given region.
     """
 
-    def __init__(self, func, region, variable_kb=None, simplify_switches: bool = True, simplify_ifelse: bool = True):
+    def __init__(
+        self,
+        func,
+        region,
+        arg_vvars: set[int] | None = None,
+        simplify_switches: bool = True,
+        simplify_ifelse: bool = True,
+    ):
         self.func = func
         self.region = region
-        self.variable_kb = variable_kb
+        self.arg_vvars = arg_vvars
         self._simplify_switches = simplify_switches
         self._should_simplify_ifelses = simplify_ifelse
 
@@ -54,7 +67,7 @@ class RegionSimplifier(Analysis):
         # Remove empty nodes again
         r = self._remove_empty_nodes(r)
 
-        if self.variable_kb is not None:
+        if self.arg_vvars is not None:
             # Fold expressions that are only used once into their use sites
             r = self._fold_oneuse_expressions(r)
             r = self._remove_empty_nodes(r)
@@ -88,12 +101,8 @@ class RegionSimplifier(Analysis):
     #
 
     def _fold_oneuse_expressions(self, region):
-        # Disabled until https://github.com/angr/angr/issues/5110 and related folding issues fixed
-        return region
-
         # pylint:disable=unreachable
-        variable_manager = self.variable_kb.variables[self.func.addr]
-        expr_counter = ExpressionCounter(region, variable_manager)
+        expr_counter = ExpressionCounter(region)
 
         variable_assignments = {}
         variable_uses = {}
@@ -107,10 +116,13 @@ class RegionSimplifier(Analysis):
         for var, uses in expr_counter.uses.items():
             if len(uses) == 1 and var in expr_counter.assignments and len(expr_counter.assignments[var]) == 1:
                 definition, deps, loc, has_loads = next(iter(expr_counter.assignments[var]))
+                _, use_expr_loc = next(iter(uses))
+                if isinstance(use_expr_loc, ExpressionLocation) and use_expr_loc.phi_stmt:
+                    # we cannot fold expressions that are used in phi statements
+                    continue
                 if has_loads:
                     # the definition has at least one load expression. we need to ensure there are no store statements
                     # between the definition site and the use site
-                    _, use_expr_loc = next(iter(uses))
                     if isinstance(use_expr_loc, ExpressionLocation):
                         use_loc = use_expr_loc.statement_location()
                     else:
@@ -130,7 +142,7 @@ class RegionSimplifier(Analysis):
             # make sure all variables that var depends on has been assigned at most once
             fail = False
             for dep_var in deps:
-                if dep_var.is_function_argument:
+                if self.arg_vvars is not None and dep_var in self.arg_vvars:
                     continue
                 if dep_var in expr_counter.assignments and len(expr_counter.assignments[dep_var]) > 1:
                     fail = True
@@ -155,8 +167,14 @@ class RegionSimplifier(Analysis):
                 del variable_assignments[var]
                 del variable_uses[var]
 
-        # replace them
-        ExpressionFolder(variable_assignments, variable_uses, region, variable_manager)
+        # ensure there is no interference between the call site and the use site
+        checker = InterferenceChecker(variable_assignments, variable_uses, region)
+        for varid in checker.interfered_assignments:
+            if varid in variable_assignments:
+                del variable_assignments[varid]
+                del variable_uses[varid]
+        # fold these expressions if possible
+        ExpressionFolder(variable_assignments, variable_uses, region)
         return region
 
     @staticmethod

angr/analyses/decompiler/ssailification/rewriting.py

@@ -8,21 +8,20 @@ import networkx
 
 import ailment
 from ailment import Block
-from ailment.expression import Expression, Phi, VirtualVariable, VirtualVariableCategory
-from ailment.statement import Statement, Assignment, Label
+from ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
+from ailment.statement import Assignment, Label
 
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
-from angr.analyses.forward_analysis.visitors.graph import NodeType
 from angr.analyses.forward_analysis import FunctionGraphVisitor
-from .rewriting_engine import SimEngineSSARewriting
+from .rewriting_engine import SimEngineSSARewriting, DefExprType, AT
 from .rewriting_state import RewritingState
 
 
 l = logging.getLogger(__name__)
 
 
-class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object]):
+class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, object]):
     """
     RewritingAnalysis traverses the AIL graph, inserts phi nodes, and rewrites all expression uses to virtual variables
     when necessary.
@@ -37,7 +36,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         bp_as_gpr: bool,
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
-        stackvar_locs: dict[int, int],
+        stackvar_locs: dict[int, set[int]],
         rewrite_tmps: bool,
         ail_manager,
         func_args: set[VirtualVariable],
@@ -75,7 +74,11 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
 
         self._analyze()
 
-        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = self._engine_ail.def_to_vvid
+        self.def_to_vvid: dict[tuple[int, int | None, int, DefExprType, AT], int] = self._engine_ail.def_to_vvid
+        # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
+        # actual stack variables. these secondary stack variables can be safely eliminated during dead assignment
+        # elimination if not used by anything else.
+        self.secondary_stackvars: set[int] = self._engine_ail.secondary_stackvars
         self.out_graph = self._make_new_graph(ail_graph)
 
     @property
@@ -177,10 +180,11 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
     def _reg_predicate(self, node_, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
         out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
         if reg_offset in out_state.registers and reg_size in out_state.registers[reg_offset]:
-            if out_state.registers[reg_offset][reg_size] is None:
+            existing_var = out_state.registers[reg_offset][reg_size]
+            if existing_var is None:
                 # the vvar is not set. it should never be referenced
                 return True, None
-            vvar = out_state.registers[reg_offset][reg_size].copy()
+            vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
         return False, None
@@ -188,10 +192,11 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
     def _stack_predicate(self, node_, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
         out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
         if stack_offset in out_state.stackvars and stackvar_size in out_state.stackvars[stack_offset]:
-            if out_state.stackvars[stack_offset][stackvar_size] is None:
+            existing_var = out_state.stackvars[stack_offset][stackvar_size]
+            if existing_var is None:
                 # the vvar is not set. it should never be referenced
                 return True, None
-            vvar = out_state.stackvars[stack_offset][stackvar_size].copy()
+            vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
         return False, None
@@ -215,11 +220,14 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         )
         # update state with function arguments
         for func_arg in self._func_args:
-            if func_arg.oident[0] == VirtualVariableCategory.REGISTER:
-                reg_offset, reg_size = func_arg.oident[1], func_arg.size
+            if func_arg.parameter_category == VirtualVariableCategory.REGISTER:
+                reg_offset, reg_size = func_arg.parameter_reg_offset, func_arg.size
+                assert reg_offset is not None and reg_size is not None
                 state.registers[reg_offset][reg_size] = func_arg
-            elif func_arg.oident[0] == VirtualVariableCategory.STACK:
-                state.stackvars[func_arg.oident[1]][func_arg.size] = func_arg
+            elif func_arg.parameter_category == VirtualVariableCategory.STACK:
+                parameter_stack_offset: int = func_arg.oident[1]  # type: ignore
+                assert parameter_stack_offset is not None and func_arg.size is not None
+                state.stackvars[parameter_stack_offset][func_arg.size] = func_arg
         return state
 
     def _run_on_node(self, node, state: RewritingState):

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -1,7 +1,9 @@
 # pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
+from typing import Literal
 import logging
 
+from archinfo import Endness
 from ailment.manager import Manager
 from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
@@ -22,6 +24,7 @@ from ailment.expression import (
     Reinterpret,
 )
 
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.engines.light.engine import SimEngineNostmtAIL
 from angr.utils.ssa import get_reg_offset_base_and_size
 from .rewriting_state import RewritingState
@@ -30,6 +33,10 @@ from .rewriting_state import RewritingState
 _l = logging.getLogger(__name__)
 
 
+DefExprType = atoms.Register | atoms.Tmp | atoms.MemoryLocation
+AT = Literal["l", "s"] | None
+
+
 class SimEngineSSARewriting(
     SimEngineNostmtAIL[RewritingState, Expression | None, Statement | tuple[Statement, ...], None]
 ):
@@ -38,6 +45,8 @@ class SimEngineSSARewriting(
     copies at each use location.
     """
 
+    state: RewritingState
+
     def __init__(
         self,
         project,
@@ -45,7 +54,7 @@ class SimEngineSSARewriting(
         sp_tracker,
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
-        stackvar_locs: dict[int, int],
+        stackvar_locs: dict[int, set[int]],
         ail_manager: Manager,
         vvar_id_start: int = 0,
         bp_as_gpr: bool = False,
@@ -55,13 +64,15 @@ class SimEngineSSARewriting(
 
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
-        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = {}
+        self.def_to_vvid: dict[tuple[int, int | None, int, DefExprType, AT], int] = {}
         self.stackvar_locs = stackvar_locs
         self.udef_to_phiid = udef_to_phiid
         self.phiid_to_loc = phiid_to_loc
         self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
 
+        self.secondary_stackvars: set[int] = set()
+
         self._current_vvar_id = vvar_id_start
 
     @property
@@ -103,6 +114,7 @@ class SimEngineSSARewriting(
             elif stmt.dst.category == VirtualVariableCategory.STACK:
                 self.state.stackvars[stmt.dst.stack_offset][stmt.dst.size] = stmt.dst
             elif stmt.dst.category == VirtualVariableCategory.TMP:
+                assert stmt.dst.tmp_idx is not None
                 self.state.tmps[stmt.dst.tmp_idx] = stmt.dst
             new_dst = None
         else:
@@ -134,10 +146,11 @@ class SimEngineSSARewriting(
                     base_reg_vvar = self._replace_def_expr(
                         self.block.addr, self.block.idx, self.stmt_idx, base_reg_expr
                     )
+                    assert base_reg_vvar is not None
                     stmt_base_reg = Assignment(
                         self.ail_manager.next_atom(),
                         base_reg_vvar,
-                        self._reg_update_expr(
+                        self._partial_update_expr(
                             existing_base_reg_vvar, base_offset, base_size, new_dst, stmt.dst.reg_offset, stmt.dst.size
                         ),
                         **stmt.tags,
@@ -160,12 +173,40 @@ class SimEngineSSARewriting(
             return new_stmt
         return None
 
-    def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | None:
+    def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | tuple[Assignment, ...] | None:
         new_data = self._expr(stmt.data)
         if stmt.guard is None:
+            # the variable
             vvar = self._replace_def_store(self.block.addr, self.block.idx, self.stmt_idx, stmt)
             if vvar is not None:
-                return Assignment(stmt.idx, vvar, stmt.data if new_data is None else new_data, **stmt.tags)
+                assert isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int)
+
+                # remove everything else that overlaps with the full (base) stack variable
+                # the full stack variable is kept around because it's always updated immediately and will be used in
+                # case of partial stack variable update
+                self._clear_overlapping_stackvars(stmt.addr.offset, stmt.size, remove_base_stackvar=False)
+
+                data = stmt.data if new_data is None else new_data
+                vvar_assignment = Assignment(stmt.idx, vvar, data, **stmt.tags)
+
+                full_size = self._get_stack_var_full_size(stmt)
+                assert full_size is not None
+                if vvar.size >= full_size:
+                    return vvar_assignment
+
+                # update the full variable
+                existing_full_vvar = self._replace_use_load(Load(None, stmt.addr, full_size, stmt.endness))
+                vvar_full = self._replace_def_store(
+                    self.block.addr, self.block.idx, self.stmt_idx, stmt, force_size=full_size
+                )
+                if existing_full_vvar is not None and vvar_full is not None:
+                    self.secondary_stackvars.add(vvar_full.varid)
+                    full_data = self._partial_update_expr(
+                        existing_full_vvar, stmt.addr.offset, full_size, vvar, stmt.addr.offset, stmt.size
+                    )
+                    full_assignment = Assignment(stmt.idx, vvar_full, full_data, **stmt.tags)
+                    return vvar_assignment, full_assignment
+                return vvar_assignment
 
         # fall back to Store
         new_addr = self._expr(stmt.addr)
@@ -210,7 +251,7 @@ class SimEngineSSARewriting(
     def _handle_stmt_Call(self, stmt: Call) -> Call | None:
         changed = False
 
-        new_target = self._replace_use_expr(stmt.target)
+        new_target = self._replace_use_expr(stmt.target) if not isinstance(stmt.target, str) else None
         new_ret_expr = (
             self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.ret_expr)
             if stmt.ret_expr is not None
@@ -275,7 +316,7 @@ class SimEngineSSARewriting(
         assert isinstance(dirty, DirtyExpression)
         return DirtyStatement(stmt.idx, dirty, **stmt.tags)
 
-    def _handle_expr_Register(self, expr: Register) -> VirtualVariable | None:
+    def _handle_expr_Register(self, expr: Register) -> VirtualVariable | Expression | None:
         return self._replace_use_reg(expr)
 
     def _handle_expr_Tmp(self, expr: Tmp) -> VirtualVariable | None:
@@ -460,9 +501,9 @@ class SimEngineSSARewriting(
     # Expression replacement
     #
 
-    def _reg_update_expr(
+    def _partial_update_expr(
         self,
-        existing_vvar: VirtualVariable,
+        existing_vvar: Expression,
         base_offset: int,
         base_size: int,
         new_vvar: VirtualVariable,
@@ -546,7 +587,7 @@ class SimEngineSSARewriting(
         """
 
         # get the virtual variable ID
-        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, atoms.Register(expr.reg_offset, expr.size), "s")
         return VirtualVariable(
             expr.idx,
             vvid,
@@ -578,32 +619,51 @@ class SimEngineSSARewriting(
             )
             self.state.registers[base_off][base_size] = vvar
             return vvar
-        return self.state.registers[base_off][base_size]
+        existing_var = self.state.registers[base_off][base_size]
+        assert existing_var is not None
+        return existing_var
+
+    def _get_stack_var_full_size(self, stmt: Store) -> int | None:
+        if (
+            isinstance(stmt.addr, StackBaseOffset)
+            and isinstance(stmt.addr.offset, int)
+            and stmt.addr.offset in self.stackvar_locs
+            and stmt.size in self.stackvar_locs[stmt.addr.offset]
+        ):
+            return max(self.stackvar_locs[stmt.addr.offset])
+        return None
 
     def _replace_def_store(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store, force_size: int | None = None
     ) -> VirtualVariable | None:
         if (
             isinstance(stmt.addr, StackBaseOffset)
             and isinstance(stmt.addr.offset, int)
             and stmt.addr.offset in self.stackvar_locs
-            and stmt.size == self.stackvar_locs[stmt.addr.offset]
+            and stmt.size in self.stackvar_locs[stmt.addr.offset]
         ):
-            vvar_id = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, stmt)
+            size = stmt.size if force_size is None else force_size
+            vvar_id = self.get_vvid_by_def(
+                block_addr,
+                block_idx,
+                stmt_idx,
+                atoms.MemoryLocation(stmt.addr.offset, size, Endness(stmt.endness)),
+                "s",
+            )
             vvar = VirtualVariable(
                 self.ail_manager.next_atom(),
                 vvar_id,
-                stmt.size * self.arch.byte_width,
+                size * self.arch.byte_width,
                 category=VirtualVariableCategory.STACK,
                 oident=stmt.addr.offset,
                 **stmt.tags,
             )
-            self.state.stackvars[stmt.addr.offset][stmt.size] = vvar
+            self.state.stackvars[stmt.addr.offset][size] = vvar
             return vvar
         return None
 
     def _replace_def_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
-        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, atoms.Tmp(expr.tmp_idx, expr.size), "s")
         vvar = VirtualVariable(
             expr.idx,
             vvid,
@@ -615,7 +675,7 @@ class SimEngineSSARewriting(
         self.state.tmps[expr.tmp_idx] = vvar
         return vvar
 
-    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | Expression | None:
         """
         Return a new virtual variable for the given defined expression.
         """
@@ -670,7 +730,7 @@ class SimEngineSSARewriting(
                 elif reg_expr.size > existing_size:
                     # part of the variable exists... maybe it's a parameter?
                     vvar = self.state.registers[reg_expr.reg_offset][existing_size]
-                    if vvar.category == VirtualVariableCategory.PARAMETER:
+                    if vvar is not None and vvar.category == VirtualVariableCategory.PARAMETER:
                         # just zero-extend it
                         return Convert(
                             self.ail_manager.next_atom(),
@@ -698,7 +758,7 @@ class SimEngineSSARewriting(
             shift_amount = Const(
                 self.ail_manager.next_atom(),
                 None,
-                (reg_expr.reg_offset - vvar.oident) * self.arch.byte_width,
+                (reg_expr.reg_offset - vvar.reg_offset) * self.arch.byte_width,
                 8,
                 **reg_expr.tags,
             )
@@ -729,11 +789,17 @@ class SimEngineSSARewriting(
             isinstance(expr.addr, StackBaseOffset)
             and isinstance(expr.addr.offset, int)
             and expr.addr.offset in self.stackvar_locs
-            and expr.size == self.stackvar_locs[expr.addr.offset]
+            and expr.size in self.stackvar_locs[expr.addr.offset]
         ):
             if expr.size not in self.state.stackvars[expr.addr.offset]:
                 # create it on the fly
-                vvar_id = self.get_vvid_by_def(self.block.addr, self.block.idx, self.stmt_idx, expr)
+                vvar_id = self.get_vvid_by_def(
+                    self.block.addr,
+                    self.block.idx,
+                    self.stmt_idx,
+                    atoms.MemoryLocation(expr.addr.offset, expr.size, Endness(expr.endness)),
+                    "l",
+                )
                 return VirtualVariable(
                     self.ail_manager.next_atom(),
                     vvar_id,
@@ -783,9 +849,9 @@ class SimEngineSSARewriting(
     #
 
     def get_vvid_by_def(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: DefExprType, access_type: AT
     ) -> int:
-        key = block_addr, block_idx, stmt_idx, thing
+        key = block_addr, block_idx, stmt_idx, thing, access_type
         if key in self.def_to_vvid:
             return self.def_to_vvid[key]
         vvid = self.next_vvar_id()
@@ -802,6 +868,21 @@ class SimEngineSSARewriting(
                 else:
                     del self.state.registers[off]
 
+    def _clear_overlapping_stackvars(self, stack_offset: int, size: int, remove_base_stackvar: bool = True) -> None:
+        for off in range(stack_offset, stack_offset + size):
+            if off in self.state.stackvars:
+                if (
+                    not remove_base_stackvar
+                    and off in self.stackvar_locs
+                    and off == stack_offset
+                    and (base_size := max(self.stackvar_locs[off])) == size
+                    and base_size in self.state.stackvars[off]
+                ):
+                    if len(self.state.stackvars[off]) > 1:
+                        self.state.stackvars[off] = {base_size: self.state.stackvars[off][base_size]}
+                else:
+                    del self.state.stackvars[off]
+
     def _unreachable(self, *args, **kwargs):
         assert False
 

angr/analyses/decompiler/ssailification/ssailification.py

@@ -79,7 +79,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         # calculate virtual variables and phi nodes
         self._udef_to_phiid: dict[tuple, set[int]] = None
         self._phiid_to_loc: dict[int, tuple[int, int | None]] = None
-        self._stackvar_locs: dict[int, int] = None
+        self._stackvar_locs: dict[int, set[int]] = None
         self._calculate_virtual_variables(ail_graph, traversal.def_to_loc, traversal.loc_to_defs)
 
         # insert phi variables and rewrite uses
@@ -97,6 +97,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             self._func_args,
             vvar_id_start=vvar_id_start,
         )
+        self.secondary_stackvars = rewriter.secondary_stackvars
         self.out_graph = rewriter.out_graph
         self.max_vvar_id = rewriter.max_vvar_id
 
@@ -130,7 +131,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             if self._func_args:
                 for func_arg in self._func_args:
                     if func_arg.oident[0] == VirtualVariableCategory.STACK:
-                        stackvar_locs[func_arg.oident[1]] = func_arg.size
+                        stackvar_locs[func_arg.oident[1]] = {func_arg.size}
             sorted_stackvar_offs = sorted(stackvar_locs)
         else:
             stackvar_locs = {}
@@ -157,8 +158,13 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                         off = sorted_stackvar_offs[i]
                         if off >= def_.addr.offset + def_.size:
                             break
-                        udef_to_defs[("stack", off, stackvar_locs[off])].add(def_)
-                        udef_to_blockkeys[("stack", off, stackvar_locs[off])].add((loc.block_addr, loc.block_idx))
+                        full_sz = max(stackvar_locs[off])
+                        udef_to_defs[("stack", off, full_sz)].add(def_)
+                        udef_to_blockkeys[("stack", off, full_sz)].add((loc.block_addr, loc.block_idx))
+                        # add a definition for the partial stack variable
+                        if def_.size in stackvar_locs[off] and def_.size < full_sz:
+                            udef_to_defs[("stack", off, def_.size)].add(def_)
+                            udef_to_blockkeys[("stack", off, def_.size)].add((loc.block_addr, loc.block_idx))
             elif isinstance(def_, Tmp):
                 # Tmps are local to each block and do not need phi nodes
                 pass
@@ -197,7 +203,15 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         return last_frontier
 
     @staticmethod
-    def _synthesize_stackvar_locs(defs: list[Store]) -> dict[int, int]:
+    def _synthesize_stackvar_locs(defs: list[Store]) -> dict[int, set[int]]:
+        """
+        Derive potential locations (in terms of offsets and sizes) for stack variables based on all stack variable
+        definitions provided.
+
+        :param defs:    Store definitions.
+        :return:        A dictionary of stack variable offsets and their sizes.
+        """
+
         accesses: defaultdict[int, set[int]] = defaultdict(set)
         offs: set[int] = set()
 
@@ -208,7 +222,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                 offs.add(stack_off)
 
         sorted_offs = sorted(offs)
-        locs: dict[int, int] = {}
+        locs: dict[int, set[int]] = {}
         for idx, off in enumerate(sorted_offs):
             sorted_sizes = sorted(accesses[off])
             if idx < len(sorted_offs) - 1:
@@ -217,14 +231,8 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             else:
                 allowed_sizes = sorted_sizes
 
-            if len(allowed_sizes) == 1:
-                locs[off] = allowed_sizes[0]
-            # else:
-            #     last_off = off
-            #     for a in allowed_sizes:
-            #         locs[off + a] = off + a - last_off
-            #         last_off = off + a
-            # TODO: Update locs for sizes beyond allowed_sizes
+            if allowed_sizes:
+                locs[off] = set(allowed_sizes)
 
         return locs