angr 9.2.139__py3-none-manylinux2014_x86_64.whl → 9.2.140__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/clinic.py

@@ -89,6 +89,8 @@ class Clinic(Analysis):
     A Clinic deals with AILments.
     """
 
+    _ail_manager: ailment.Manager
+
     def __init__(
         self,
         func,
@@ -117,7 +119,6 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
-        unsound_fix_abnormal_switches: bool = True,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -135,7 +136,6 @@ class Clinic(Analysis):
         self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
 
         self._func_graph: networkx.DiGraph | None = None
-        self._ail_manager = None
         self._blocks_by_addr_and_size = {}
         self.entry_node_addr: tuple[int, int | None] = self.function.addr, None
 
@@ -149,7 +149,6 @@ class Clinic(Analysis):
         self._must_struct = must_struct
         self._reset_variable_names = reset_variable_names
         self._rewrite_ites_to_diamonds = rewrite_ites_to_diamonds
-        self._unsound_fix_abnormal_switches = unsound_fix_abnormal_switches
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
@@ -167,6 +166,7 @@ class Clinic(Analysis):
         self._complete_successors = complete_successors
 
         self._register_save_areas_removed: bool = False
+        self.edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]] = []
 
         self._new_block_addrs = set()
 
@@ -209,6 +209,7 @@ class Clinic(Analysis):
 
         :return:
         """
+        assert self.graph is not None
 
         s = ""
 
@@ -297,6 +298,8 @@ class Clinic(Analysis):
         return ail_graph
 
     def _slice_variables(self, ail_graph):
+        assert self.variable_kb is not None
+
         nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
 
         vfm = self.variable_kb.variables.function_managers[self.function.addr]
@@ -344,7 +347,7 @@ class Clinic(Analysis):
             optimization_passes=[StackCanarySimplifier],
             sp_shift=self._max_stack_depth,
             vvar_id_start=self.vvar_id_start,
-            fail_fast=self._fail_fast,
+            fail_fast=self._fail_fast,  # type: ignore
         )
         self.vvar_id_start = callee_clinic.vvar_id_start + 1
         self._max_stack_depth = callee_clinic._max_stack_depth
@@ -618,6 +621,7 @@ class Clinic(Analysis):
 
         # remove empty nodes from the graph
         ail_graph = self.remove_empty_nodes(ail_graph)
+        # note that there are still edges to remove before we can structure this graph!
 
         self.arg_list = arg_list
         self.arg_vvars = arg_vvars
@@ -800,7 +804,7 @@ class Clinic(Analysis):
 
             # case 2: the callee is a SimProcedure
             if target_func.is_simprocedure:
-                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)
+                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)  # type: ignore
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
@@ -808,7 +812,7 @@ class Clinic(Analysis):
 
             # case 3: the callee is a PLT function
             if target_func.is_plt:
-                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)
+                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)  # type: ignore
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
@@ -878,7 +882,7 @@ class Clinic(Analysis):
         # finally, recover the calling convention of the current function
         if self.function.prototype is None or self.function.calling_convention is None:
             self.project.analyses.CompleteCallingConventions(
-                fail_fast=self._fail_fast,
+                fail_fast=self._fail_fast,  # type: ignore
                 recover_variables=True,
                 prioritize_func_addrs=[self.function.addr],
                 skip_other_funcs=True,
@@ -2109,49 +2113,60 @@ class Clinic(Analysis):
             # the overlapped instructions and add an unconditional jump so that it jumps to 0x41da9d.
             # this is the most common case created by jump threading optimization in compilers. it's easy to handle.
 
-            # Case 2: the intended head and the other heads do not share the same suffix of instructions. in this case,
-            # we cannot reliably convert the blocks into a properly structured switch-case construct. we will alter the
-            # last instruction of all other heads to jump to the cmp instruction in the intended head, but do not remove
-            # any other instructions in these other heads. this is unsound, but is the best we can do in this case.
+            # Case 2 & 3: the intended head and the other heads do not share the same suffix of instructions. in this
+            # case, we have two choices:
+            #   Case 2: The intended head has two successors, but at least one unintended head has only one successor.
+            #           we cannot reliably convert the blocks into a properly structured switch-case construct. we will
+            #           last instruction of all other heads to jump to the cmp instruction in the intended head, but do
+            #           not remove any other instructions in these other heads. this is unsound, but is the best we can
+            #           do in this case.
+            #   Case 3: The intended head has only one successor (which is the indirect jump node). during structuring,
+            #           we expect it will be structured as a no-default-node switch-case construct. in this case, we
+            #           can simply remove the edges from all other heads to the jump node and only leave the edge from
+            #           the intended head to the jump node. we will see goto statements in the output, but this will
+            #           lead to correct structuring result.
 
             overlaps = [self._get_overlapping_suffix_instructions(intended_head, head) for head in other_heads]
             if overlaps and (overlap := min(overlaps)) > 0:
                 # Case 1
                 self._fix_abnormal_switch_case_heads_case1(ail_graph, candidate, intended_head, other_heads, overlap)
-            else:
-                if self._unsound_fix_abnormal_switches:
-                    # Case 2
-                    l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
-                    # find the comparison instruction in the intended head
-                    comparison_stmt = None
-                    if "cc_op" in self.project.arch.registers:
-                        comparison_stmt = next(
-                            iter(
-                                stmt
-                                for stmt in intended_head.statements
-                                if isinstance(stmt, ailment.Stmt.Assignment)
-                                and isinstance(stmt.dst, ailment.Expr.Register)
-                                and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
-                            ),
-                            None,
-                        )
-                    intended_head_block = self.project.factory.block(
-                        intended_head.addr, size=intended_head.original_size
+            elif ail_graph.out_degree[intended_head] == 2:
+                # Case 2
+                l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
+                # find the comparison instruction in the intended head
+                comparison_stmt = None
+                if "cc_op" in self.project.arch.registers:
+                    comparison_stmt = next(
+                        iter(
+                            stmt
+                            for stmt in intended_head.statements
+                            if isinstance(stmt, ailment.Stmt.Assignment)
+                            and isinstance(stmt.dst, ailment.Expr.Register)
+                            and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
+                        ),
+                        None,
                     )
-                    if comparison_stmt is not None:
-                        cmp_rpos = len(
-                            intended_head_block.instruction_addrs
-                        ) - intended_head_block.instruction_addrs.index(comparison_stmt.ins_addr)
-                    else:
-                        cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
-                    self._fix_abnormal_switch_case_heads_case2(
-                        ail_graph,
-                        candidate,
-                        intended_head,
-                        other_heads,
-                        intended_head_split_insns=cmp_rpos,
-                        other_head_split_insns=0,
+                intended_head_block = self.project.factory.block(intended_head.addr, size=intended_head.original_size)
+                if comparison_stmt is not None:
+                    cmp_rpos = len(intended_head_block.instruction_addrs) - intended_head_block.instruction_addrs.index(
+                        comparison_stmt.ins_addr
                     )
+                else:
+                    cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
+                self._fix_abnormal_switch_case_heads_case2(
+                    ail_graph,
+                    candidate,
+                    intended_head,
+                    other_heads,
+                    intended_head_split_insns=cmp_rpos,
+                    other_head_split_insns=0,
+                )
+            else:
+                # Case 3
+                self._fix_abnormal_switch_case_heads_case3(
+                    candidate,
+                    other_heads,
+                )
 
     def _get_overlapping_suffix_instructions(self, ailblock_0: ailment.Block, ailblock_1: ailment.Block) -> int:
         # we first compare their ending conditional jumps
@@ -2360,6 +2375,16 @@ class Clinic(Analysis):
                     # it should be going to the default node. ignore it
                     pass
 
+    def _fix_abnormal_switch_case_heads_case3(
+        self, indirect_jump_node: ailment.Block, other_heads: list[ailment.Block]
+    ) -> None:
+        # remove all edges from other_heads to the indirect jump node
+        for other_head in other_heads:
+            # delay the edge removal so that we don't mess up the SSA analysis
+            self.edges_to_remove.append(
+                ((other_head.addr, other_head.idx), (indirect_jump_node.addr, indirect_jump_node.idx))
+            )
+
     @staticmethod
     def _remove_redundant_jump_blocks(ail_graph):
         def first_conditional_jump(block: ailment.Block) -> ailment.Stmt.ConditionalJump | None:

angr/analyses/decompiler/decompiler.py

@@ -2,8 +2,8 @@
 from __future__ import annotations
 import logging
 from collections import defaultdict
-from typing import Optional, Union, Any, TYPE_CHECKING
 from collections.abc import Iterable
+from typing import Optional, Union, Any, TYPE_CHECKING
 
 import networkx
 from cle import SymbolType
@@ -15,6 +15,7 @@ from angr.knowledge_base import KnowledgeBase
 from angr.sim_variable import SimMemoryVariable, SimRegisterVariable, SimStackVariable
 from angr.utils import timethis
 from angr.analyses import Analysis, AnalysesHub
+from .structured_codegen.c import CStructuredCodeGenerator
 from .structuring import RecursiveStructurer, PhoenixStructurer, DEFAULT_STRUCTURER
 from .region_identifier import RegionIdentifier
 from .optimization_passes.optimization_pass import OptimizationPassStage
@@ -22,7 +23,7 @@ from .ailgraph_walker import AILGraphWalker
 from .condition_processor import ConditionProcessor
 from .decompilation_options import DecompilationOption
 from .decompilation_cache import DecompilationCache
-from .utils import remove_labels
+from .utils import remove_labels, remove_edges_in_ailgraph
 from .sequence_walker import SequenceWalker
 from .structuring.structurer_nodes import SequenceNode
 from .presets import DECOMPILATION_PRESETS, DecompilationPreset
@@ -30,7 +31,6 @@ from .presets import DECOMPILATION_PRESETS, DecompilationPreset
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg.cfg_model import CFGModel
     from .peephole_optimizations import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase
-    from .structured_codegen.c import CStructuredCodeGenerator
 
 l = logging.getLogger(name=__name__)
 
@@ -157,6 +157,8 @@ class Decompiler(Analysis):
                             self.kb.decompilations[(self.func.addr, self._flavor)].errors.append(error.format())
 
     def _can_use_decompilation_cache(self, cache: DecompilationCache) -> bool:
+        if self._cache_parameters is None or cache.parameters is None:
+            return False
         a, b = self._cache_parameters, cache.parameters
         id_checks = {"cfg", "variable_kb"}
         return all(a[k] is b[k] if k in id_checks else a[k] == b[k] for k in self._cache_parameters)
@@ -201,7 +203,7 @@ class Decompiler(Analysis):
 
         variable_kb = self._variable_kb
         # fall back to old codegen
-        if variable_kb is None and old_codegen is not None:
+        if variable_kb is None and old_codegen is not None and isinstance(old_codegen, CStructuredCodeGenerator):
             variable_kb = old_codegen._variable_kb
 
         if variable_kb is None:
@@ -223,7 +225,8 @@ class Decompiler(Analysis):
             fold_callexprs_into_conditions = True
 
         cache = DecompilationCache(self.func.addr)
-        cache.parameters = self._cache_parameters
+        if self._cache_parameters is not None:
+            cache.parameters = self._cache_parameters
         cache.ite_exprs = ite_exprs
         cache.binop_operators = binop_operators
 
@@ -296,8 +299,14 @@ class Decompiler(Analysis):
             ri,
             clinic.reaching_definitions,
             ite_exprs=ite_exprs,
+            arg_vvars=set(clinic.arg_vvars),
+            edges_to_remove=clinic.edges_to_remove,
         )
 
+        # finally (no more graph-based simplifications will run in the future), we can remove the edges that should be
+        # removed!
+        remove_edges_in_ailgraph(clinic.graph, clinic.edges_to_remove)
+
         # Rewrite the graph to remove phi expressions
         # this is probably optional if we do not pretty-print clinic.graph
         clinic.graph = self._transform_graph_from_ssa(clinic.graph)
@@ -325,9 +334,9 @@ class Decompiler(Analysis):
             s = self.project.analyses.RegionSimplifier(
                 self.func,
                 rs.result,
+                arg_vvars=set(self.clinic.arg_vvars),
                 kb=self.kb,
                 fail_fast=self._fail_fast,
-                variable_kb=clinic.variable_kb,
                 **self.options_to_params(self.options_by_class["region_simplifier"]),
             )
             seq_node = s.result
@@ -439,7 +448,7 @@ class Decompiler(Analysis):
         return ail_graph
 
     @timethis
-    def _run_region_simplification_passes(self, ail_graph, ri, reaching_definitions, **kwargs):
+    def _run_region_simplification_passes(self, ail_graph, ri, reaching_definitions, arg_vvars: set[int], **kwargs):
         """
         Runs optimizations that should be executed after a single region identification. This function will return
         two items: the new RegionIdentifier object and the new AIL Graph, which should probably be written
@@ -483,6 +492,7 @@ class Decompiler(Analysis):
                 blocks_by_addr_and_idx=addr_and_idx_to_blocks,
                 graph=ail_graph,
                 variable_kb=self._variable_kb,
+                arg_vvars=arg_vvars,
                 region_identifier=ri,
                 reaching_definitions=reaching_definitions,
                 vvar_id_start=self.vvar_id_start,

angr/analyses/decompiler/expression_narrower.py

@@ -38,7 +38,7 @@ class ExprNarrowingInfo:
         narrowable: bool,
         to_size: int | None = None,
         use_exprs: list[tuple[atoms.VirtualVariable, CodeLocation, tuple[str, tuple[Expression, ...]]]] | None = None,
-        phi_vars: set[atoms.VirtualVariable] | None = None,
+        phi_vars: set[VirtualVariable] | None = None,
     ):
         self.narrowable = narrowable
         self.to_size = to_size

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -8,7 +8,7 @@ import claripy
 from ailment import Const
 from ailment.block_walker import AILBlockWalkerBase
 from ailment.statement import Call, Statement, ConditionalJump, Assignment, Store, Return
-from ailment.expression import Convert, Register, Expression
+from ailment.expression import Convert, Register, Expression, Load
 
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 from angr.analyses.decompiler.structuring import SAILRStructurer, DreamStructurer
@@ -207,16 +207,17 @@ class ConstPropOptReverter(OptimizationPass):
                     continue
 
                 unwrapped_sym_arg = sym_arg.operands[0] if isinstance(sym_arg, Convert) else sym_arg
-                try:
+                if (
+                    isinstance(unwrapped_sym_arg, Load)
+                    and isinstance(unwrapped_sym_arg.addr, Const)
+                    and isinstance(unwrapped_sym_arg.addr.value, int)
+                ):
                     # TODO: make this support more than just Loads
                     # target must be a Load of a memory location
                     target_atom = MemoryLocation(unwrapped_sym_arg.addr.value, unwrapped_sym_arg.size, "Iend_LE")
                     const_state = self.rd.get_reaching_definitions_by_node(blks[calls[const_arg]].addr, OP_BEFORE)
-
-                    state_load_vals = const_state.get_value_from_atom(target_atom)
-                except AttributeError:
-                    continue
-                except KeyError:
+                    state_load_vals = const_state.get_values(target_atom)
+                else:
                     continue
 
                 if not state_load_vals:

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -287,19 +287,27 @@ class ITERegionConverter(OptimizationPass):
                     ((region_head.addr, region_head.idx), original_vvars[0] if original_vvars else None)
                 )
 
-            new_phi = Phi(
-                stmt.src.idx,
-                stmt.src.bits,
-                new_src_and_vvars,
-                **stmt.src.tags,
-            )
-            new_phi_assignment = Assignment(
-                stmt.idx,
-                stmt.dst,
-                new_phi,
-                **stmt.tags,
-            )
-            stmts.append(new_phi_assignment)
+            if len(new_src_and_vvars) == 1:
+                new_assignment = Assignment(
+                    stmt.idx,
+                    stmt.dst,
+                    new_src_and_vvars[0][1],
+                    **stmt.tags,
+                )
+            else:
+                new_phi = Phi(
+                    stmt.src.idx,
+                    stmt.src.bits,
+                    new_src_and_vvars,
+                    **stmt.src.tags,
+                )
+                new_assignment = Assignment(
+                    stmt.idx,
+                    stmt.dst,
+                    new_phi,
+                    **stmt.tags,
+                )
+            stmts.append(new_assignment)
         new_region_tail = Block(region_tail.addr, region_tail.original_size, statements=stmts, idx=region_tail.idx)
 
         #

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -13,7 +13,7 @@ from angr.analyses.decompiler import RegionIdentifier
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.goto_manager import Goto, GotoManager
 from angr.analyses.decompiler.structuring import RecursiveStructurer, SAILRStructurer
-from angr.analyses.decompiler.utils import add_labels
+from angr.analyses.decompiler.utils import add_labels, remove_edges_in_ailgraph
 from angr.analyses.decompiler.counters import ControlFlowStructureCounter
 from angr.project import Project
 
@@ -129,6 +129,7 @@ class OptimizationPass(BaseOptimizationPass):
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
         avoid_vvar_ids: set[int] | None = None,
+        arg_vvars: set[int] | None = None,
         **kwargs,
     ):
         super().__init__(func)
@@ -141,6 +142,7 @@ class OptimizationPass(BaseOptimizationPass):
         self._rd = reaching_definitions
         self._scratch = scratch if scratch is not None else {}
         self._new_block_addrs = set()
+        self._arg_vvars = arg_vvars
         self.vvar_id_start = vvar_id_start
         self.entry_node_addr: tuple[int, int | None] = (
             entry_node_addr if entry_node_addr is not None else (func.addr, None)
@@ -331,14 +333,15 @@ class StructuringOptimizationPass(OptimizationPass):
     def __init__(
         self,
         func,
-        prevent_new_gotos=True,
-        strictly_less_gotos=False,
-        recover_structure_fails=True,
-        must_improve_rel_quality=True,
-        max_opt_iters=1,
-        simplify_ail=True,
-        require_gotos=True,
-        readd_labels=False,
+        prevent_new_gotos: bool = True,
+        strictly_less_gotos: bool = False,
+        recover_structure_fails: bool = True,
+        must_improve_rel_quality: bool = True,
+        max_opt_iters: int = 1,
+        simplify_ail: bool = True,
+        require_gotos: bool = True,
+        readd_labels: bool = False,
+        edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]] | None = None,
         **kwargs,
     ):
         super().__init__(func, **kwargs)
@@ -350,6 +353,7 @@ class StructuringOptimizationPass(OptimizationPass):
         self._require_gotos = require_gotos
         self._must_improve_rel_quality = must_improve_rel_quality
         self._readd_labels = readd_labels
+        self._edges_to_remove = edges_to_remove or []
 
         # relative quality metrics (excludes gotos)
         self._initial_structure_counter = None
@@ -452,6 +456,8 @@ class StructuringOptimizationPass(OptimizationPass):
         if readd_labels:
             graph = add_labels(graph)
 
+        remove_edges_in_ailgraph(graph, self._edges_to_remove)
+
         self._ri = self.project.analyses[RegionIdentifier].prep(kb=self.kb)(
             self._func,
             graph=graph,
@@ -482,7 +488,7 @@ class StructuringOptimizationPass(OptimizationPass):
         if not rs or not rs.result or not rs.result.nodes or rs.result_incomplete:
             return False
 
-        rs = self.project.analyses.RegionSimplifier(self._func, rs.result, kb=self.kb, variable_kb=self._variable_kb)
+        rs = self.project.analyses.RegionSimplifier(self._func, rs.result, arg_vvars=self._arg_vvars, kb=self.kb)
         if not rs or rs.goto_manager is None or rs.result is None:
             return False
 

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -140,11 +140,11 @@ class ReturnDuplicatorBase:
                 ):
                     # every eligible pred gets a new region copy
                     self._copy_region([pred_node], region_head, region, graph)
+                    graph_changed = True
 
             if region_head in graph and graph.in_degree(region_head) == 0:
                 graph.remove_nodes_from(region)
-
-            graph_changed = True
+                graph_changed = True
 
         return graph_changed