angr 9.2.139__py3-none-manylinux2014_x86_64.whl → 9.2.141__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -7,7 +7,7 @@ import networkx
 
 from ailment import Block, AILBlockWalkerBase
 from ailment.statement import ConditionalJump, Label, Assignment, Jump
-from ailment.expression import Expression, BinaryOp, Const, Load
+from ailment.expression import VirtualVariable, Expression, BinaryOp, Const, Load
 
 from angr.utils.graph import GraphUtils
 from angr.analyses.decompiler.utils import first_nonlabel_nonphi_statement, remove_last_statement
@@ -257,6 +257,24 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     _l.debug("Skipping switch-case conversion due to too few distinct cases for %s", real_cases[0])
                     continue
 
+                # RULE 4: the default case should not reach other case nodes in the subregion
+                default_addr_and_idx = next(
+                    ((case.target, case.target_idx) for case in cases if case.value == "default"), None
+                )
+                if default_addr_and_idx is None:
+                    continue
+                default_addr, default_idx = default_addr_and_idx
+                default_node = self._get_block(default_addr, idx=default_idx)
+                default_reachable_from_case = False
+                for case in cases:
+                    if case.value == "default":
+                        continue
+                    if self._node_reachable_from_node_in_region(case.original_node, default_node):
+                        default_reachable_from_case = True
+                        break
+                if default_reachable_from_case:
+                    continue
+
                 original_nodes = [case.original_node for case in real_cases]
                 original_head: Block = original_nodes[0]
                 original_nodes = original_nodes[1:]
@@ -320,6 +338,10 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                             node_to_heads[succ].add(new_head)
                     graph_copy.remove_node(onode)
                 for onode in redundant_nodes:
+                    if onode in original_nodes:
+                        # sometimes they overlap
+                        # e.g., 0x402cc7 in mv_-O2
+                        continue
                     # ensure all nodes that are only reachable from onode are also removed
                     # FIXME: Remove the entire path of nodes instead of only the immediate successors
                     successors = list(graph_copy.successors(onode))
@@ -396,6 +418,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
             default_case_candidates = {}
             last_comp = None
             stack = [(head, 0, 0xFFFF_FFFF_FFFF_FFFF)]
+            head_varhash = variable_comparisons[head][1]
 
             # cursed: there is an infinite loop in the following loop that
             # occurs rarely. we need to keep track of the nodes we've seen
@@ -418,12 +441,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     next_addr,
                     next_addr_idx,
                 ) = variable_comparisons[comp]
-                last_varhash = cases[-1].variable_hash if cases else None
 
                 if op == "eq":
                     # eq always indicates a new case
 
-                    if last_varhash is None or last_varhash == variable_hash:
+                    if head_varhash == variable_hash:
                         if target == comp.addr and target_idx == comp.idx:
                             # invalid
                             break
@@ -443,9 +465,10 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                         # new variable!
                         if last_comp is not None and comp.addr not in default_case_candidates:
                             default_case_candidates[comp.addr] = Case(
-                                last_comp, None, last_varhash, None, "default", comp.addr, comp.idx, None
+                                last_comp, None, head_varhash, None, "default", comp.addr, comp.idx, None
                             )
-                        break
+                            break
+                        continue
 
                     successors = [succ for succ in self._graph.successors(comp) if succ is not comp]
                     succ_addrs = {(succ.addr, succ.idx) for succ in successors}
@@ -505,7 +528,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     # gt always indicates new subtrees
                     gt_addr, gt_idx, le_addr, le_idx = target, target_idx, next_addr, next_addr_idx
                     # TODO: We don't yet support gt nodes acting as the head of a switch
-                    if last_varhash is not None and last_varhash == variable_hash:
+                    if head_varhash == variable_hash:
                         successors = [succ for succ in self._graph.successors(comp) if succ is not comp]
                         succ_addrs = {(succ.addr, succ.idx) for succ in successors}
                         if succ_addrs != {(gt_addr, gt_idx), (le_addr, le_idx)}:
@@ -526,21 +549,34 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                             le_added = True
                         if gt_added or le_added:
                             if not le_added:
-                                if le_addr not in default_case_candidates:
+                                # if min_ + 1 == value, it means we actually have another case! it's not a default case
+                                if min_ + 1 == value:
+                                    cases.append(
+                                        Case(comp, comp_type, variable_hash, expr, min_ + 1, le_addr, le_idx, None)
+                                    )
+                                    used_nodes.add(comp)
+                                elif le_addr not in default_case_candidates:
                                     default_case_candidates[le_addr] = Case(
                                         comp, None, variable_hash, expr, "default", le_addr, le_idx, None
                                     )
-                            elif not gt_added and gt_addr not in default_case_candidates:
-                                default_case_candidates[gt_addr] = Case(
-                                    comp, None, variable_hash, expr, "default", gt_addr, gt_idx, None
-                                )
+                            if not gt_added:
+                                # likewise, this means we have another non-default case
+                                if value == max_:
+                                    cases.append(
+                                        Case(comp, comp_type, variable_hash, expr, max_, gt_addr, gt_idx, None)
+                                    )
+                                    used_nodes.add(comp)
+                                elif gt_addr not in default_case_candidates:
+                                    default_case_candidates[gt_addr] = Case(
+                                        comp, None, variable_hash, expr, "default", gt_addr, gt_idx, None
+                                    )
                             extra_cmp_nodes.append(comp)
                             used_nodes.add(comp)
                         else:
                             break
                     else:
                         # checking on a new variable... it probably was not a switch-case
-                        break
+                        continue
 
             if cases and len(default_case_candidates) <= 1:
                 if default_case_candidates:
@@ -606,6 +642,27 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
 
         return varhash_to_caselists
 
+    def _node_reachable_from_node_in_region(self, to_node, from_node) -> bool:
+        # find the region that contains the to_node
+        to_node_region = None
+        from_node_region = None
+        for region in self._ri.regions_by_block_addrs:
+            if (to_node.addr, to_node.idx) in region:
+                to_node_region = region
+            if (from_node.addr, from_node.idx) in region:
+                from_node_region = region
+
+        if to_node_region is None or from_node_region is None:
+            return False
+        if to_node_region != from_node_region:
+            return False
+
+        # get a subgraph
+        all_nodes = [self._get_block(a, idx=idx) for a, idx in to_node_region]
+        subgraph = self._graph.subgraph(all_nodes)
+
+        return networkx.has_path(subgraph, from_node, to_node)
+
     @staticmethod
     def _find_switch_variable_comparison_type_a(
         node,
@@ -625,7 +682,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                 )
             ):
                 cond = stmt.condition
-                if isinstance(cond, BinaryOp) and isinstance(cond.operands[1], Const):
+                if (
+                    isinstance(cond, BinaryOp)
+                    and isinstance(cond.operands[0], VirtualVariable)
+                    and isinstance(cond.operands[1], Const)
+                ):
                     variable_hash = StableVarExprHasher(cond.operands[0]).hash
                     value = cond.operands[1].value
                     if cond.op == "CmpEQ":
@@ -672,7 +733,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                 )
             ):
                 cond = stmt.condition
-                if isinstance(cond, BinaryOp) and isinstance(cond.operands[1], Const):
+                if (
+                    isinstance(cond, BinaryOp)
+                    and isinstance(cond.operands[0], VirtualVariable)
+                    and isinstance(cond.operands[1], Const)
+                ):
                     variable_hash = StableVarExprHasher(cond.operands[0]).hash
                     value = cond.operands[1].value
                     if cond.op == "CmpEQ":
@@ -719,7 +784,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                 )
             ):
                 cond = stmt.condition
-                if isinstance(cond, BinaryOp) and isinstance(cond.operands[1], Const):
+                if (
+                    isinstance(cond, BinaryOp)
+                    and isinstance(cond.operands[0], VirtualVariable)
+                    and isinstance(cond.operands[1], Const)
+                ):
                     variable_hash = StableVarExprHasher(cond.operands[0]).hash
                     value = cond.operands[1].value
                     op = cond.op

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -1,8 +1,9 @@
 # pylint:disable=unused-argument
 from __future__ import annotations
 import logging
-from typing import Any, TYPE_CHECKING
+from collections import namedtuple
 from collections.abc import Generator
+from typing import Any, TYPE_CHECKING
 from enum import Enum
 
 import networkx
@@ -10,10 +11,11 @@ import networkx
 import ailment
 
 from angr.analyses.decompiler import RegionIdentifier
+from angr.analyses.decompiler.ailgraph_walker import AILGraphWalker
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.goto_manager import Goto, GotoManager
 from angr.analyses.decompiler.structuring import RecursiveStructurer, SAILRStructurer
-from angr.analyses.decompiler.utils import add_labels
+from angr.analyses.decompiler.utils import add_labels, remove_edges_in_ailgraph
 from angr.analyses.decompiler.counters import ControlFlowStructureCounter
 from angr.project import Project
 
@@ -24,6 +26,9 @@ if TYPE_CHECKING:
 _l = logging.getLogger(__name__)
 
 
+BlockCache = namedtuple("BlockCache", ("rd", "prop"))
+
+
 class MultipleBlocksException(Exception):
     """
     An exception that is raised in _get_block() where multiple blocks satisfy the criteria but only one block was
@@ -129,6 +134,8 @@ class OptimizationPass(BaseOptimizationPass):
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
         avoid_vvar_ids: set[int] | None = None,
+        arg_vvars: set[int] | None = None,
+        peephole_optimizations=None,
         **kwargs,
     ):
         super().__init__(func)
@@ -141,6 +148,7 @@ class OptimizationPass(BaseOptimizationPass):
         self._rd = reaching_definitions
         self._scratch = scratch if scratch is not None else {}
         self._new_block_addrs = set()
+        self._arg_vvars = arg_vvars
         self.vvar_id_start = vvar_id_start
         self.entry_node_addr: tuple[int, int | None] = (
             entry_node_addr if entry_node_addr is not None else (func.addr, None)
@@ -148,6 +156,7 @@ class OptimizationPass(BaseOptimizationPass):
         self._force_loop_single_exit = force_loop_single_exit
         self._complete_successors = complete_successors
         self._avoid_vvar_ids = avoid_vvar_ids or set()
+        self._peephole_optimizations = peephole_optimizations
 
         # output
         self.out_graph: networkx.DiGraph | None = None
@@ -265,9 +274,77 @@ class OptimizationPass(BaseOptimizationPass):
     def _is_sub(expr):
         return isinstance(expr, ailment.Expr.BinaryOp) and expr.op == "Sub"
 
+    def _simplify_blocks(
+        self,
+        ail_graph: networkx.DiGraph,
+        cache: dict | None = None,
+    ):
+        """
+        Simplify all blocks in self._blocks.
+
+        :param ail_graph:               The AIL function graph.
+        :param cache:                   A block-level cache that stores reaching definition analysis results and
+                                        propagation results.
+        :return:                        None
+        """
+
+        blocks_by_addr_and_idx: dict[tuple[int, int | None], ailment.Block] = {}
+
+        for ail_block in ail_graph.nodes():
+            simplified = self._simplify_block(
+                ail_block,
+                cache=cache,
+            )
+            key = ail_block.addr, ail_block.idx
+            blocks_by_addr_and_idx[key] = simplified
+
+        # update blocks_map to allow node_addr to node lookup
+        def _replace_node_handler(node):
+            key = node.addr, node.idx
+            if key in blocks_by_addr_and_idx:
+                return blocks_by_addr_and_idx[key]
+            return None
+
+        AILGraphWalker(ail_graph, _replace_node_handler, replace_nodes=True).walk()
+
+        return ail_graph
+
+    def _simplify_block(self, ail_block, cache=None):
+        """
+        Simplify a single AIL block.
+
+        :param ailment.Block ail_block: The AIL block to simplify.
+        :return:                        A simplified AIL block.
+        """
+
+        cached_rd, cached_prop = None, None
+        cache_item = None
+        cache_key = ail_block.addr, ail_block.idx
+        if cache:
+            cache_item = cache.get(cache_key, None)
+            if cache_item:
+                # cache hit
+                cached_rd = cache_item.rd
+                cached_prop = cache_item.prop
+
+        simp = self.project.analyses.AILBlockSimplifier(
+            ail_block,
+            self._func.addr,
+            peephole_optimizations=self._peephole_optimizations,
+            cached_reaching_definitions=cached_rd,
+            cached_propagator=cached_prop,
+        )
+        # update the cache
+        if cache is not None:
+            if cache_item:
+                del cache[cache_key]
+            cache[cache_key] = BlockCache(simp._reaching_definitions, simp._propagator)
+        return simp.result_block
+
     def _simplify_graph(self, graph):
         MAX_SIMP_ITERATION = 8
         for _ in range(MAX_SIMP_ITERATION):
+            self._simplify_blocks(graph)
             simp = self.project.analyses.AILSimplifier(
                 self._func,
                 func_graph=graph,
@@ -331,14 +408,15 @@ class StructuringOptimizationPass(OptimizationPass):
     def __init__(
         self,
         func,
-        prevent_new_gotos=True,
-        strictly_less_gotos=False,
-        recover_structure_fails=True,
-        must_improve_rel_quality=True,
-        max_opt_iters=1,
-        simplify_ail=True,
-        require_gotos=True,
-        readd_labels=False,
+        prevent_new_gotos: bool = True,
+        strictly_less_gotos: bool = False,
+        recover_structure_fails: bool = True,
+        must_improve_rel_quality: bool = True,
+        max_opt_iters: int = 1,
+        simplify_ail: bool = True,
+        require_gotos: bool = True,
+        readd_labels: bool = False,
+        edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]] | None = None,
         **kwargs,
     ):
         super().__init__(func, **kwargs)
@@ -350,6 +428,7 @@ class StructuringOptimizationPass(OptimizationPass):
         self._require_gotos = require_gotos
         self._must_improve_rel_quality = must_improve_rel_quality
         self._readd_labels = readd_labels
+        self._edges_to_remove = edges_to_remove or []
 
         # relative quality metrics (excludes gotos)
         self._initial_structure_counter = None
@@ -452,6 +531,8 @@ class StructuringOptimizationPass(OptimizationPass):
         if readd_labels:
             graph = add_labels(graph)
 
+        remove_edges_in_ailgraph(graph, self._edges_to_remove)
+
         self._ri = self.project.analyses[RegionIdentifier].prep(kb=self.kb)(
             self._func,
             graph=graph,
@@ -482,7 +563,7 @@ class StructuringOptimizationPass(OptimizationPass):
         if not rs or not rs.result or not rs.result.nodes or rs.result_incomplete:
             return False
 
-        rs = self.project.analyses.RegionSimplifier(self._func, rs.result, kb=self.kb, variable_kb=self._variable_kb)
+        rs = self.project.analyses.RegionSimplifier(self._func, rs.result, arg_vvars=self._arg_vvars, kb=self.kb)
         if not rs or rs.goto_manager is None or rs.result is None:
             return False
 

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -34,13 +34,23 @@ class FreshVirtualVariableRewriter(AILBlockWalker):
     def _handle_Assignment(self, stmt_idx: int, stmt: Assignment, block: Block | None):
         new_stmt = super()._handle_Assignment(stmt_idx, stmt, block)
         dst = new_stmt.dst if new_stmt is not None else stmt.dst
+        src = new_stmt.src if new_stmt is not None else stmt.src
         if isinstance(dst, VirtualVariable):
             self.vvar_mapping[dst.varid] = self.vvar_idx
             self.vvar_idx += 1
 
-            dst = VirtualVariable(dst.idx, self.vvar_mapping[dst.varid], dst.bits, dst.category, dst.oident, **dst.tags)
+            dst = VirtualVariable(
+                dst.idx,
+                self.vvar_mapping[dst.varid],
+                dst.bits,
+                dst.category,
+                dst.oident,
+                variable=dst.variable,
+                variable_offset=dst.variable_offset,
+                **dst.tags,
+            )
 
-            return Assignment(stmt.idx, dst, stmt.src, **stmt.tags)
+            return Assignment(stmt.idx, dst, src, **stmt.tags)
 
         return new_stmt
 
@@ -133,18 +143,31 @@ class ReturnDuplicatorBase:
         self._supergraph = to_ail_supergraph(graph)
         for region_head, (in_edges, region) in endnode_regions.items():
             is_single_const_ret_region = self._is_simple_return_graph(region)
+            dup_pred_nodes = []
+            # duplicate the entire region if at least (N-2) in-edges for the region head is deemed should be duplicated.
+            # otherwise we only duplicate the edges that should be duplicated
             for in_edge in in_edges:
                 pred_node = in_edge[0]
                 if self._should_duplicate_dst(
                     pred_node, region_head, graph, dst_is_const_ret=is_single_const_ret_region
                 ):
+                    dup_pred_nodes.append(pred_node)
+
+            dup_count = len(dup_pred_nodes)
+            dup_all = dup_count >= len(in_edges) - 2 > 0
+            if dup_all:
+                for pred_node in sorted((in_edge[0] for in_edge in in_edges), key=lambda x: x.addr):
                     # every eligible pred gets a new region copy
                     self._copy_region([pred_node], region_head, region, graph)
+                    graph_changed = True
+            else:
+                for pred_node in dup_pred_nodes:
+                    self._copy_region([pred_node], region_head, region, graph)
+                    graph_changed = True
 
             if region_head in graph and graph.in_degree(region_head) == 0:
                 graph.remove_nodes_from(region)
-
-            graph_changed = True
+                graph_changed = True
 
         return graph_changed
 
@@ -199,10 +222,10 @@ class ReturnDuplicatorBase:
 
         return end_node_regions
 
-    def _copy_region(self, pred_nodes, region_head, region, graph):
+    def _copy_region(self, pred_nodes: list[Block], region_head, region, graph):
         # copy the entire return region
         copies: dict[Block, Block] = {}
-        queue = [(pred_node, region_head) for pred_node in pred_nodes]
+        queue: list[tuple[Block, Block]] = [(pred_node, region_head) for pred_node in pred_nodes]
         vvar_mapping: dict[int, int] = {}
         while queue:
             pred, node = queue.pop(0)
@@ -224,12 +247,33 @@ class ReturnDuplicatorBase:
                 last_stmt = ConditionProcessor.get_last_statement(pred)
                 if isinstance(last_stmt, Jump):
                     if isinstance(last_stmt.target, Const) and last_stmt.target.value == node_copy.addr:
-                        last_stmt.target_idx = node_copy.idx
+                        updated_last_stmt = Jump(
+                            last_stmt.idx, last_stmt.target, target_idx=node_copy.idx, **last_stmt.tags
+                        )
+                        pred.statements[-1] = updated_last_stmt
                 elif isinstance(last_stmt, ConditionalJump):
                     if isinstance(last_stmt.true_target, Const) and last_stmt.true_target.value == node_copy.addr:
-                        last_stmt.true_target_idx = node_copy.idx
+                        updated_last_stmt = ConditionalJump(
+                            last_stmt.idx,
+                            last_stmt.condition,
+                            last_stmt.true_target,
+                            last_stmt.false_target,
+                            true_target_idx=node_copy.idx,
+                            false_target_idx=last_stmt.false_target_idx,
+                            **last_stmt.tags,
+                        )
+                        pred.statements[-1] = updated_last_stmt
                     elif isinstance(last_stmt.false_target, Const) and last_stmt.false_target.value == node_copy.addr:
-                        last_stmt.false_target_idx = node_copy.idx
+                        updated_last_stmt = ConditionalJump(
+                            last_stmt.idx,
+                            last_stmt.condition,
+                            last_stmt.true_target,
+                            last_stmt.false_target,
+                            true_target_idx=last_stmt.true_target_idx,
+                            false_target_idx=node_copy.idx,
+                            **last_stmt.tags,
+                        )
+                        pred.statements[-1] = updated_last_stmt
             except EmptyBlockNotice:
                 pass
 

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -29,7 +29,12 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
     @staticmethod
     def _optimize_binaryop(expr: BinaryOp):
         if expr.op == "Add":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            if (
+                isinstance(expr.operands[0], Const)
+                and isinstance(expr.operands[0].value, int)
+                and isinstance(expr.operands[1], Const)
+                and isinstance(expr.operands[1].value, int)
+            ):
                 mask = (1 << expr.bits) - 1
                 return Const(
                     expr.idx, None, (expr.operands[0].value + expr.operands[1].value) & mask, expr.bits, **expr.tags
@@ -99,13 +104,19 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                     new_const = Const(const1.idx, None, const1.value + 1, const1.bits, **const1.tags)
                     return BinaryOp(expr.idx, "Mul", [x1, new_const], expr.signed, **expr.tags)
             elif op0_is_mulconst and op1_is_mulconst:
+                assert x0 is not None and x1 is not None and const0 is not None and const1 is not None
                 if x0.likes(x1):
                     # x * A + x * B => (A + B) * x
                     new_const = Const(const0.idx, None, const0.value + const1.value, const0.bits, **const0.tags)
                     return BinaryOp(expr.idx, "Mul", [x0, new_const], expr.signed, **expr.tags)
 
         elif expr.op == "Sub":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            if (
+                isinstance(expr.operands[0], Const)
+                and isinstance(expr.operands[0].value, int)
+                and isinstance(expr.operands[1], Const)
+                and isinstance(expr.operands[1].value, int)
+            ):
                 mask = (1 << expr.bits) - 1
                 return Const(
                     expr.idx, None, (expr.operands[0].value - expr.operands[1].value) & mask, expr.bits, **expr.tags
@@ -138,12 +149,19 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 return UnaryOp(expr.idx, "Neg", expr.operands[1], **expr.tags)
 
             if isinstance(expr.operands[0], StackBaseOffset) and isinstance(expr.operands[1], StackBaseOffset):
+                assert isinstance(expr.operands[0].offset, int) and isinstance(expr.operands[1].offset, int)
                 return Const(expr.idx, None, expr.operands[0].offset - expr.operands[1].offset, expr.bits, **expr.tags)
 
         elif expr.op == "And":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
-                return Const(expr.idx, None, (expr.operands[0].value & expr.operands[1].value), expr.bits, **expr.tags)
-            if isinstance(expr.operands[1], Const) and expr.operands[1].value == 0:
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+            ):
+                return Const(expr.idx, None, (op0.value & op1.value), expr.bits, **expr.tags)
+            if isinstance(op1, Const) and op1.value == 0:
                 return Const(expr.idx, None, 0, expr.bits, **expr.tags)
 
         elif expr.op == "Mul":
@@ -156,6 +174,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 and isinstance(expr.operands[1], Const)
                 and expr.operands[1].is_int
             ):
+                assert isinstance(expr.operands[0].value, int) and isinstance(expr.operands[1].value, int)
                 # constant multiplication
                 mask = (1 << expr.bits) - 1
                 return Const(
@@ -235,7 +254,13 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 return Const(expr0.idx, None, (const_a << expr1.value) & mask, expr0.bits, **expr0.tags)
 
         elif expr.op == "Or":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+            ):
                 return Const(expr.idx, None, expr.operands[0].value | expr.operands[1].value, expr.bits, **expr.tags)
             if isinstance(expr.operands[0], Const) and expr.operands[0].value == 0:
                 return expr.operands[1]
@@ -248,6 +273,16 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             if expr.operands[0].likes(expr.operands[1]):
                 return expr.operands[0]
 
+        elif expr.op == "Xor":
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+            ):
+                return Const(expr.idx, None, expr.operands[0].value ^ expr.operands[1].value, expr.bits, **expr.tags)
+
         elif expr.op in {"CmpEQ", "CmpLE", "CmpGE"}:
             if expr.operands[0].likes(expr.operands[1]):
                 # x == x => 1
@@ -288,7 +323,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
 
     @staticmethod
     def _optimize_unaryop(expr: UnaryOp):
-        if expr.op == "Neg" and isinstance(expr.operand, Const):
+        if expr.op == "Neg" and isinstance(expr.operand, Const) and isinstance(expr.operand.value, int):
             const_a = expr.operand.value
             mask = (2**expr.bits) - 1
             return Const(expr.idx, None, (~const_a) & mask, expr.bits, **expr.tags)
@@ -304,6 +339,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             and expr.to_type == Convert.TYPE_INT
             and expr.from_bits > expr.to_bits
         ):
+            assert isinstance(expr.operand.value, int)
             # truncation
             mask = (1 << expr.to_bits) - 1
             v = expr.operand.value & mask
@@ -315,6 +351,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             and expr.to_type == Convert.TYPE_INT
             and expr.from_bits <= expr.to_bits
         ):
+            assert isinstance(expr.operand.value, int)
             if expr.is_signed is False:
                 # unsigned extension
                 return Const(expr.idx, expr.operand.variable, expr.operand.value, expr.to_bits, **expr.operand.tags)

angr/analyses/decompiler/region_identifier.py

@@ -106,7 +106,7 @@ class RegionIdentifier(Analysis):
         # make regions into block address lists
         self.regions_by_block_addrs = self._make_regions_by_block_addrs()
 
-    def _make_regions_by_block_addrs(self) -> list[list[int]]:
+    def _make_regions_by_block_addrs(self) -> list[list[tuple[int, int | None]]]:
         """
         Creates a list of addr lists representing each region without recursion. A single region is defined
         as a set of only blocks, no Graphs containing nested regions. The list contains the address of each
@@ -124,13 +124,15 @@ class RegionIdentifier(Analysis):
                 children_blocks = []
                 for node in region.graph.nodes:
                     if isinstance(node, Block):
-                        children_blocks.append(node.addr)
+                        children_blocks.append((node.addr, node.idx))
                     elif isinstance(node, MultiNode):
-                        children_blocks += [n.addr for n in node.nodes]
+                        children_blocks += [(n.addr, node.idx) for n in node.nodes]
                     elif isinstance(node, GraphRegion):
                         if node not in seen_regions:
                             children_regions.append(node)
-                            children_blocks.append(node.head.addr)
+                            children_blocks.append(
+                                (node.head.addr, node.head.idx if hasattr(node.head, "idx") else None)
+                            )
                             seen_regions.add(node)
                     else:
                         continue