angr 9.2.139__py3-none-manylinux2014_x86_64.whl → 9.2.141__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/clinic.py

@@ -89,6 +89,8 @@ class Clinic(Analysis):
     A Clinic deals with AILments.
     """
 
+    _ail_manager: ailment.Manager
+
     def __init__(
         self,
         func,
@@ -117,7 +119,6 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
-        unsound_fix_abnormal_switches: bool = True,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -135,7 +136,6 @@ class Clinic(Analysis):
         self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
 
         self._func_graph: networkx.DiGraph | None = None
-        self._ail_manager = None
         self._blocks_by_addr_and_size = {}
         self.entry_node_addr: tuple[int, int | None] = self.function.addr, None
 
@@ -149,12 +149,14 @@ class Clinic(Analysis):
         self._must_struct = must_struct
         self._reset_variable_names = reset_variable_names
         self._rewrite_ites_to_diamonds = rewrite_ites_to_diamonds
-        self._unsound_fix_abnormal_switches = unsound_fix_abnormal_switches
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
         self.vvar_id_start = vvar_id_start
         self.vvar_to_vvar: dict[int, int] | None = None
+        # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
+        # actual stack variables. these secondary stack variables can be safely eliminated if not used by anything.
+        self.secondary_stackvars: set[int] = set()
 
         # inlining help
         self._sp_shift = sp_shift
@@ -167,6 +169,7 @@ class Clinic(Analysis):
         self._complete_successors = complete_successors
 
         self._register_save_areas_removed: bool = False
+        self.edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]] = []
 
         self._new_block_addrs = set()
 
@@ -209,6 +212,7 @@ class Clinic(Analysis):
 
         :return:
         """
+        assert self.graph is not None
 
         s = ""
 
@@ -297,6 +301,8 @@ class Clinic(Analysis):
         return ail_graph
 
     def _slice_variables(self, ail_graph):
+        assert self.variable_kb is not None
+
         nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
 
         vfm = self.variable_kb.variables.function_managers[self.function.addr]
@@ -344,7 +350,7 @@ class Clinic(Analysis):
             optimization_passes=[StackCanarySimplifier],
             sp_shift=self._max_stack_depth,
             vvar_id_start=self.vvar_id_start,
-            fail_fast=self._fail_fast,
+            fail_fast=self._fail_fast,  # type: ignore
         )
         self.vvar_id_start = callee_clinic.vvar_id_start + 1
         self._max_stack_depth = callee_clinic._max_stack_depth
@@ -618,6 +624,7 @@ class Clinic(Analysis):
 
         # remove empty nodes from the graph
         ail_graph = self.remove_empty_nodes(ail_graph)
+        # note that there are still edges to remove before we can structure this graph!
 
         self.arg_list = arg_list
         self.arg_vvars = arg_vvars
@@ -800,7 +807,7 @@ class Clinic(Analysis):
 
             # case 2: the callee is a SimProcedure
             if target_func.is_simprocedure:
-                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)
+                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)  # type: ignore
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
@@ -808,7 +815,7 @@ class Clinic(Analysis):
 
             # case 3: the callee is a PLT function
             if target_func.is_plt:
-                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)
+                cc = self.project.analyses.CallingConvention(target_func, fail_fast=self._fail_fast)  # type: ignore
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
@@ -878,7 +885,7 @@ class Clinic(Analysis):
         # finally, recover the calling convention of the current function
         if self.function.prototype is None or self.function.calling_convention is None:
             self.project.analyses.CompleteCallingConventions(
-                fail_fast=self._fail_fast,
+                fail_fast=self._fail_fast,  # type: ignore
                 recover_variables=True,
                 prioritize_func_addrs=[self.function.addr],
                 skip_other_funcs=True,
@@ -1235,6 +1242,7 @@ class Clinic(Analysis):
             rewrite_ccalls=rewrite_ccalls,
             removed_vvar_ids=removed_vvar_ids,
             arg_vvars=arg_vvars,
+            secondary_stackvars=self.secondary_stackvars,
         )
         # cache the simplifier's RDA analysis
         self.reaching_definitions = simp._reaching_definitions
@@ -1360,6 +1368,7 @@ class Clinic(Analysis):
             vvar_id_start=self.vvar_id_start,
         )
         self.vvar_id_start = ssailification.max_vvar_id + 1
+        self.secondary_stackvars = ssailification.secondary_stackvars
         return ssailification.out_graph
 
     @timethis
@@ -1860,6 +1869,11 @@ class Clinic(Analysis):
             if expr.guard:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.guard)
 
+        elif isinstance(expr, ailment.Expr.Phi):
+            for _, vvar in expr.src_and_vvars:
+                if vvar is not None:
+                    self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, vvar)
+
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size
@@ -2109,49 +2123,60 @@ class Clinic(Analysis):
             # the overlapped instructions and add an unconditional jump so that it jumps to 0x41da9d.
             # this is the most common case created by jump threading optimization in compilers. it's easy to handle.
 
-            # Case 2: the intended head and the other heads do not share the same suffix of instructions. in this case,
-            # we cannot reliably convert the blocks into a properly structured switch-case construct. we will alter the
-            # last instruction of all other heads to jump to the cmp instruction in the intended head, but do not remove
-            # any other instructions in these other heads. this is unsound, but is the best we can do in this case.
+            # Case 2 & 3: the intended head and the other heads do not share the same suffix of instructions. in this
+            # case, we have two choices:
+            #   Case 2: The intended head has two successors, but at least one unintended head has only one successor.
+            #           we cannot reliably convert the blocks into a properly structured switch-case construct. we will
+            #           last instruction of all other heads to jump to the cmp instruction in the intended head, but do
+            #           not remove any other instructions in these other heads. this is unsound, but is the best we can
+            #           do in this case.
+            #   Case 3: The intended head has only one successor (which is the indirect jump node). during structuring,
+            #           we expect it will be structured as a no-default-node switch-case construct. in this case, we
+            #           can simply remove the edges from all other heads to the jump node and only leave the edge from
+            #           the intended head to the jump node. we will see goto statements in the output, but this will
+            #           lead to correct structuring result.
 
             overlaps = [self._get_overlapping_suffix_instructions(intended_head, head) for head in other_heads]
             if overlaps and (overlap := min(overlaps)) > 0:
                 # Case 1
                 self._fix_abnormal_switch_case_heads_case1(ail_graph, candidate, intended_head, other_heads, overlap)
-            else:
-                if self._unsound_fix_abnormal_switches:
-                    # Case 2
-                    l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
-                    # find the comparison instruction in the intended head
-                    comparison_stmt = None
-                    if "cc_op" in self.project.arch.registers:
-                        comparison_stmt = next(
-                            iter(
-                                stmt
-                                for stmt in intended_head.statements
-                                if isinstance(stmt, ailment.Stmt.Assignment)
-                                and isinstance(stmt.dst, ailment.Expr.Register)
-                                and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
-                            ),
-                            None,
-                        )
-                    intended_head_block = self.project.factory.block(
-                        intended_head.addr, size=intended_head.original_size
+            elif ail_graph.out_degree[intended_head] == 2:
+                # Case 2
+                l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
+                # find the comparison instruction in the intended head
+                comparison_stmt = None
+                if "cc_op" in self.project.arch.registers:
+                    comparison_stmt = next(
+                        iter(
+                            stmt
+                            for stmt in intended_head.statements
+                            if isinstance(stmt, ailment.Stmt.Assignment)
+                            and isinstance(stmt.dst, ailment.Expr.Register)
+                            and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
+                        ),
+                        None,
                     )
-                    if comparison_stmt is not None:
-                        cmp_rpos = len(
-                            intended_head_block.instruction_addrs
-                        ) - intended_head_block.instruction_addrs.index(comparison_stmt.ins_addr)
-                    else:
-                        cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
-                    self._fix_abnormal_switch_case_heads_case2(
-                        ail_graph,
-                        candidate,
-                        intended_head,
-                        other_heads,
-                        intended_head_split_insns=cmp_rpos,
-                        other_head_split_insns=0,
+                intended_head_block = self.project.factory.block(intended_head.addr, size=intended_head.original_size)
+                if comparison_stmt is not None:
+                    cmp_rpos = len(intended_head_block.instruction_addrs) - intended_head_block.instruction_addrs.index(
+                        comparison_stmt.ins_addr
                     )
+                else:
+                    cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
+                self._fix_abnormal_switch_case_heads_case2(
+                    ail_graph,
+                    candidate,
+                    intended_head,
+                    other_heads,
+                    intended_head_split_insns=cmp_rpos,
+                    other_head_split_insns=0,
+                )
+            else:
+                # Case 3
+                self._fix_abnormal_switch_case_heads_case3(
+                    candidate,
+                    other_heads,
+                )
 
     def _get_overlapping_suffix_instructions(self, ailblock_0: ailment.Block, ailblock_1: ailment.Block) -> int:
         # we first compare their ending conditional jumps
@@ -2360,6 +2385,16 @@ class Clinic(Analysis):
                     # it should be going to the default node. ignore it
                     pass
 
+    def _fix_abnormal_switch_case_heads_case3(
+        self, indirect_jump_node: ailment.Block, other_heads: list[ailment.Block]
+    ) -> None:
+        # remove all edges from other_heads to the indirect jump node
+        for other_head in other_heads:
+            # delay the edge removal so that we don't mess up the SSA analysis
+            self.edges_to_remove.append(
+                ((other_head.addr, other_head.idx), (indirect_jump_node.addr, indirect_jump_node.idx))
+            )
+
     @staticmethod
     def _remove_redundant_jump_blocks(ail_graph):
         def first_conditional_jump(block: ailment.Block) -> ailment.Stmt.ConditionalJump | None:

angr/analyses/decompiler/decompiler.py

@@ -2,8 +2,8 @@
 from __future__ import annotations
 import logging
 from collections import defaultdict
-from typing import Optional, Union, Any, TYPE_CHECKING
 from collections.abc import Iterable
+from typing import Optional, Union, Any, TYPE_CHECKING
 
 import networkx
 from cle import SymbolType
@@ -15,6 +15,7 @@ from angr.knowledge_base import KnowledgeBase
 from angr.sim_variable import SimMemoryVariable, SimRegisterVariable, SimStackVariable
 from angr.utils import timethis
 from angr.analyses import Analysis, AnalysesHub
+from .structured_codegen.c import CStructuredCodeGenerator
 from .structuring import RecursiveStructurer, PhoenixStructurer, DEFAULT_STRUCTURER
 from .region_identifier import RegionIdentifier
 from .optimization_passes.optimization_pass import OptimizationPassStage
@@ -22,7 +23,7 @@ from .ailgraph_walker import AILGraphWalker
 from .condition_processor import ConditionProcessor
 from .decompilation_options import DecompilationOption
 from .decompilation_cache import DecompilationCache
-from .utils import remove_labels
+from .utils import remove_labels, remove_edges_in_ailgraph
 from .sequence_walker import SequenceWalker
 from .structuring.structurer_nodes import SequenceNode
 from .presets import DECOMPILATION_PRESETS, DecompilationPreset
@@ -30,7 +31,6 @@ from .presets import DECOMPILATION_PRESETS, DecompilationPreset
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg.cfg_model import CFGModel
     from .peephole_optimizations import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase
-    from .structured_codegen.c import CStructuredCodeGenerator
 
 l = logging.getLogger(name=__name__)
 
@@ -157,6 +157,8 @@ class Decompiler(Analysis):
                             self.kb.decompilations[(self.func.addr, self._flavor)].errors.append(error.format())
 
     def _can_use_decompilation_cache(self, cache: DecompilationCache) -> bool:
+        if self._cache_parameters is None or cache.parameters is None:
+            return False
         a, b = self._cache_parameters, cache.parameters
         id_checks = {"cfg", "variable_kb"}
         return all(a[k] is b[k] if k in id_checks else a[k] == b[k] for k in self._cache_parameters)
@@ -201,7 +203,7 @@ class Decompiler(Analysis):
 
         variable_kb = self._variable_kb
         # fall back to old codegen
-        if variable_kb is None and old_codegen is not None:
+        if variable_kb is None and old_codegen is not None and isinstance(old_codegen, CStructuredCodeGenerator):
             variable_kb = old_codegen._variable_kb
 
         if variable_kb is None:
@@ -223,7 +225,8 @@ class Decompiler(Analysis):
             fold_callexprs_into_conditions = True
 
         cache = DecompilationCache(self.func.addr)
-        cache.parameters = self._cache_parameters
+        if self._cache_parameters is not None:
+            cache.parameters = self._cache_parameters
         cache.ite_exprs = ite_exprs
         cache.binop_operators = binop_operators
 
@@ -296,8 +299,14 @@ class Decompiler(Analysis):
             ri,
             clinic.reaching_definitions,
             ite_exprs=ite_exprs,
+            arg_vvars=set(clinic.arg_vvars),
+            edges_to_remove=clinic.edges_to_remove,
         )
 
+        # finally (no more graph-based simplifications will run in the future), we can remove the edges that should be
+        # removed!
+        remove_edges_in_ailgraph(clinic.graph, clinic.edges_to_remove)
+
         # Rewrite the graph to remove phi expressions
         # this is probably optional if we do not pretty-print clinic.graph
         clinic.graph = self._transform_graph_from_ssa(clinic.graph)
@@ -325,9 +334,9 @@ class Decompiler(Analysis):
             s = self.project.analyses.RegionSimplifier(
                 self.func,
                 rs.result,
+                arg_vvars=set(self.clinic.arg_vvars),
                 kb=self.kb,
                 fail_fast=self._fail_fast,
-                variable_kb=clinic.variable_kb,
                 **self.options_to_params(self.options_by_class["region_simplifier"]),
             )
             seq_node = s.result
@@ -439,7 +448,7 @@ class Decompiler(Analysis):
         return ail_graph
 
     @timethis
-    def _run_region_simplification_passes(self, ail_graph, ri, reaching_definitions, **kwargs):
+    def _run_region_simplification_passes(self, ail_graph, ri, reaching_definitions, arg_vvars: set[int], **kwargs):
         """
         Runs optimizations that should be executed after a single region identification. This function will return
         two items: the new RegionIdentifier object and the new AIL Graph, which should probably be written
@@ -483,6 +492,7 @@ class Decompiler(Analysis):
                 blocks_by_addr_and_idx=addr_and_idx_to_blocks,
                 graph=ail_graph,
                 variable_kb=self._variable_kb,
+                arg_vvars=arg_vvars,
                 region_identifier=ri,
                 reaching_definitions=reaching_definitions,
                 vvar_id_start=self.vvar_id_start,
@@ -490,6 +500,7 @@ class Decompiler(Analysis):
                 scratch=self._optimization_scratch,
                 force_loop_single_exit=self._force_loop_single_exit,
                 complete_successors=self._complete_successors,
+                peephole_optimizations=self._peephole_optimizations,
                 **kwargs,
             )
 

angr/analyses/decompiler/expression_narrower.py

@@ -38,7 +38,7 @@ class ExprNarrowingInfo:
         narrowable: bool,
         to_size: int | None = None,
         use_exprs: list[tuple[atoms.VirtualVariable, CodeLocation, tuple[str, tuple[Expression, ...]]]] | None = None,
-        phi_vars: set[atoms.VirtualVariable] | None = None,
+        phi_vars: set[VirtualVariable] | None = None,
     ):
         self.narrowable = narrowable
         self.to_size = to_size

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -8,7 +8,7 @@ import claripy
 from ailment import Const
 from ailment.block_walker import AILBlockWalkerBase
 from ailment.statement import Call, Statement, ConditionalJump, Assignment, Store, Return
-from ailment.expression import Convert, Register, Expression
+from ailment.expression import Convert, Register, Expression, Load
 
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 from angr.analyses.decompiler.structuring import SAILRStructurer, DreamStructurer
@@ -207,16 +207,17 @@ class ConstPropOptReverter(OptimizationPass):
                     continue
 
                 unwrapped_sym_arg = sym_arg.operands[0] if isinstance(sym_arg, Convert) else sym_arg
-                try:
+                if (
+                    isinstance(unwrapped_sym_arg, Load)
+                    and isinstance(unwrapped_sym_arg.addr, Const)
+                    and isinstance(unwrapped_sym_arg.addr.value, int)
+                ):
                     # TODO: make this support more than just Loads
                     # target must be a Load of a memory location
                     target_atom = MemoryLocation(unwrapped_sym_arg.addr.value, unwrapped_sym_arg.size, "Iend_LE")
                     const_state = self.rd.get_reaching_definitions_by_node(blks[calls[const_arg]].addr, OP_BEFORE)
-
-                    state_load_vals = const_state.get_value_from_atom(target_atom)
-                except AttributeError:
-                    continue
-                except KeyError:
+                    state_load_vals = const_state.get_values(target_atom)
+                else:
                     continue
 
                 if not state_load_vals:

angr/analyses/decompiler/optimization_passes/duplication_reverter/duplication_reverter.py

@@ -950,7 +950,9 @@ class DuplicationReverter(StructuringOptimizationPass):
     #
 
     def _share_subregion(self, blocks: list[Block]) -> bool:
-        return any(all(block.addr in region for block in blocks) for region in self._ri.regions_by_block_addrs)
+        return any(
+            all((block.addr, block.idx) in region for block in blocks) for region in self._ri.regions_by_block_addrs
+        )
 
     def _is_valid_candidate(self, b0, b1):
         # blocks must have statements

angr/analyses/decompiler/optimization_passes/flip_boolean_cmp.py

@@ -6,7 +6,11 @@ import ailment
 from ailment.expression import Op
 
 from angr.analyses.decompiler.structuring.structurer_nodes import ConditionNode
-from angr.analyses.decompiler.utils import structured_node_is_simple_return, sequence_to_statements
+from angr.analyses.decompiler.utils import (
+    structured_node_is_simple_return,
+    sequence_to_statements,
+    structured_node_has_multi_predecessors,
+)
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
 from .optimization_pass import SequenceOptimizationPass, OptimizationPassStage
 
@@ -43,7 +47,22 @@ class FlipBooleanWalker(SequenceWalker):
                 and structured_node_is_simple_return(seq_node.nodes[idx + 1], self._graph)
                 and node not in type1_condition_nodes
             ):
-                type2_condition_nodes.append((idx, node, seq_node.nodes[idx + 1]))
+                # Type 2: Special Filter:
+                # consider code that looks like the following:
+                # {if (cond) {LABEL: ... } return;}; goto LABEL;
+                #
+                # if we were to do the normal flip, this happens:
+                # {if (!cond) return; LABEL: ...}; goto LABEL;
+                #
+                # This is incorrect because we've now created an infinite loop in the event that cond is false,
+                # which is not what the original code was. The gist here is that you can't ever flip these cases
+                # in the presence of more than one incoming edge to `...` region.
+                #
+                # To eliminate this illegal case, we simply need to find all the condition nodes of the above structure
+                # that have multiple incoming edges to the `...` region.
+                illegal_flip = structured_node_has_multi_predecessors(node.true_node, self._graph)
+                if not illegal_flip:
+                    type2_condition_nodes.append((idx, node, seq_node.nodes[idx + 1]))
 
         for node in type1_condition_nodes:
             if isinstance(node.condition, Op) and structured_node_is_simple_return(node.false_node, self._graph):

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -287,19 +287,27 @@ class ITERegionConverter(OptimizationPass):
                     ((region_head.addr, region_head.idx), original_vvars[0] if original_vvars else None)
                 )
 
-            new_phi = Phi(
-                stmt.src.idx,
-                stmt.src.bits,
-                new_src_and_vvars,
-                **stmt.src.tags,
-            )
-            new_phi_assignment = Assignment(
-                stmt.idx,
-                stmt.dst,
-                new_phi,
-                **stmt.tags,
-            )
-            stmts.append(new_phi_assignment)
+            if len(new_src_and_vvars) == 1:
+                new_assignment = Assignment(
+                    stmt.idx,
+                    stmt.dst,
+                    new_src_and_vvars[0][1],
+                    **stmt.tags,
+                )
+            else:
+                new_phi = Phi(
+                    stmt.src.idx,
+                    stmt.src.bits,
+                    new_src_and_vvars,
+                    **stmt.src.tags,
+                )
+                new_assignment = Assignment(
+                    stmt.idx,
+                    stmt.dst,
+                    new_phi,
+                    **stmt.tags,
+                )
+            stmts.append(new_assignment)
         new_region_tail = Block(region_tail.addr, region_tail.original_size, statements=stmts, idx=region_tail.idx)
 
         #