angr 9.2.140__py3-none-manylinux2014_x86_64.whl → 9.2.141__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/region_simplifiers/expr_folding.py

@@ -36,19 +36,21 @@ class StatementLocation(LocationBase):
     __slots__ = (
         "block_addr",
         "block_idx",
+        "phi_stmt",
         "stmt_idx",
     )
 
-    def __init__(self, block_addr, block_idx, stmt_idx):
+    def __init__(self, block_addr, block_idx, stmt_idx, phi_stmt: bool = False):
         self.block_addr = block_addr
         self.block_idx = block_idx
         self.stmt_idx = stmt_idx
+        self.phi_stmt = phi_stmt
 
     def __repr__(self):
-        return f"Loc: Statement@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}"
+        return f"Loc: Statement@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}{' phi' if self.phi_stmt else ''}"
 
     def __hash__(self):
-        return hash((StatementLocation, self.block_addr, self.block_idx, self.stmt_idx))
+        return hash((StatementLocation, self.block_addr, self.block_idx, self.stmt_idx, self.phi_stmt))
 
     def __eq__(self, other):
         return (
@@ -56,10 +58,11 @@ class StatementLocation(LocationBase):
             and self.block_addr == other.block_addr
             and self.block_idx == other.block_idx
             and self.stmt_idx == other.stmt_idx
+            and self.phi_stmt == other.phi_stmt
         )
 
     def copy(self):
-        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx)
+        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx, phi_stmt=self.phi_stmt)
 
 
 class ExpressionLocation(LocationBase):
@@ -71,23 +74,28 @@ class ExpressionLocation(LocationBase):
         "block_addr",
         "block_idx",
         "expr_idx",
+        "phi_stmt",
         "stmt_idx",
     )
 
-    def __init__(self, block_addr, block_idx, stmt_idx, expr_idx):
+    def __init__(self, block_addr, block_idx, stmt_idx, expr_idx, phi_stmt: bool = False):
         self.block_addr = block_addr
         self.block_idx = block_idx
         self.stmt_idx = stmt_idx
         self.expr_idx = expr_idx
+        self.phi_stmt = phi_stmt
 
     def __repr__(self):
-        return f"Loc: Expression@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}[{self.expr_idx}]"
+        return (
+            f"Loc: Expression@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}[{self.expr_idx}]"
+            f"{'phi' if self.phi_stmt else ''}"
+        )
 
     def statement_location(self) -> StatementLocation:
-        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx)
+        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx, phi_stmt=self.phi_stmt)
 
     def __hash__(self):
-        return hash((ExpressionLocation, self.block_addr, self.block_idx, self.stmt_idx, self.expr_idx))
+        return hash((ExpressionLocation, self.block_addr, self.block_idx, self.stmt_idx, self.expr_idx, self.phi_stmt))
 
     def __eq__(self, other):
         return (
@@ -96,6 +104,7 @@ class ExpressionLocation(LocationBase):
             and self.block_idx == other.block_idx
             and self.stmt_idx == other.stmt_idx
             and self.expr_idx == other.expr_idx
+            and self.phi_stmt == other.phi_stmt
         )
 
 
@@ -201,7 +210,18 @@ class ExpressionUseFinder(AILBlockWalker):
         if isinstance(expr, ailment.Expr.VirtualVariable) and expr.was_reg:
             if not (isinstance(stmt, ailment.Stmt.Assignment) and stmt.dst is expr):
                 if block is not None:
-                    self.uses[expr.varid].add((expr, ExpressionLocation(block.addr, block.idx, stmt_idx, expr_idx)))
+                    self.uses[expr.varid].add(
+                        (
+                            expr,
+                            ExpressionLocation(
+                                block.addr,
+                                block.idx,
+                                stmt_idx,
+                                expr_idx,
+                                phi_stmt=stmt is not None and is_phi_assignment(stmt),
+                            ),
+                        )
+                    )
                 else:
                     self.uses[expr.varid].add((expr, None))
             return None
@@ -239,11 +259,7 @@ class ExpressionCounter(SequenceWalker):
         if isinstance(stmt, ailment.Stmt.Assignment):
             if is_phi_assignment(stmt):
                 return
-            if (
-                isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_reg
-                and stmt.dst.variable is not None
-            ):
+            if isinstance(stmt.dst, ailment.Expr.VirtualVariable) and stmt.dst.was_reg:
                 # dependency
                 dependency_finder = ExpressionUseFinder()
                 dependency_finder.walk_expression(stmt.src)
@@ -260,7 +276,6 @@ class ExpressionCounter(SequenceWalker):
             isinstance(stmt, ailment.Stmt.Call)
             and isinstance(stmt.ret_expr, ailment.Expr.VirtualVariable)
             and stmt.ret_expr.was_reg
-            and stmt.ret_expr.variable is not None
         ):
             dependency_finder = ExpressionUseFinder()
             dependency_finder.walk_expression(stmt)
@@ -279,8 +294,7 @@ class ExpressionCounter(SequenceWalker):
         use_finder = ExpressionUseFinder()
         for idx, stmt in enumerate(node.statements):
             self._handle_Statement(idx, stmt, node)
-            if not is_phi_assignment(stmt):
-                use_finder.walk_statement(stmt)
+            use_finder.walk_statement(stmt, block=node)
 
         for varid, content in use_finder.uses.items():
             if varid not in self.uses:
@@ -407,7 +421,7 @@ class InterferenceChecker(SequenceWalker):
             the_call = None
             if isinstance(stmt, Assignment) and isinstance(stmt.src, ailment.Stmt.Call):
                 the_call = stmt.src
-            elif isinstance(stmt, ailment.Stmt.Call):
+            elif isinstance(stmt, ailment.Stmt.Call) and not isinstance(stmt.target, str):
                 the_call = stmt
             if the_call is not None:
                 spotter.walk_expression(the_call.target)

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -116,10 +116,13 @@ class RegionSimplifier(Analysis):
         for var, uses in expr_counter.uses.items():
             if len(uses) == 1 and var in expr_counter.assignments and len(expr_counter.assignments[var]) == 1:
                 definition, deps, loc, has_loads = next(iter(expr_counter.assignments[var]))
+                _, use_expr_loc = next(iter(uses))
+                if isinstance(use_expr_loc, ExpressionLocation) and use_expr_loc.phi_stmt:
+                    # we cannot fold expressions that are used in phi statements
+                    continue
                 if has_loads:
                     # the definition has at least one load expression. we need to ensure there are no store statements
                     # between the definition site and the use site
-                    _, use_expr_loc = next(iter(uses))
                     if isinstance(use_expr_loc, ExpressionLocation):
                         use_loc = use_expr_loc.statement_location()
                     else:

angr/analyses/decompiler/ssailification/rewriting.py

@@ -8,21 +8,20 @@ import networkx
 
 import ailment
 from ailment import Block
-from ailment.expression import Expression, Phi, VirtualVariable, VirtualVariableCategory
-from ailment.statement import Statement, Assignment, Label
+from ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
+from ailment.statement import Assignment, Label
 
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
-from angr.analyses.forward_analysis.visitors.graph import NodeType
 from angr.analyses.forward_analysis import FunctionGraphVisitor
-from .rewriting_engine import SimEngineSSARewriting
+from .rewriting_engine import SimEngineSSARewriting, DefExprType, AT
 from .rewriting_state import RewritingState
 
 
 l = logging.getLogger(__name__)
 
 
-class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object]):
+class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, object]):
     """
     RewritingAnalysis traverses the AIL graph, inserts phi nodes, and rewrites all expression uses to virtual variables
     when necessary.
@@ -37,7 +36,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         bp_as_gpr: bool,
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
-        stackvar_locs: dict[int, int],
+        stackvar_locs: dict[int, set[int]],
         rewrite_tmps: bool,
         ail_manager,
         func_args: set[VirtualVariable],
@@ -75,7 +74,11 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
 
         self._analyze()
 
-        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = self._engine_ail.def_to_vvid
+        self.def_to_vvid: dict[tuple[int, int | None, int, DefExprType, AT], int] = self._engine_ail.def_to_vvid
+        # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
+        # actual stack variables. these secondary stack variables can be safely eliminated during dead assignment
+        # elimination if not used by anything else.
+        self.secondary_stackvars: set[int] = self._engine_ail.secondary_stackvars
         self.out_graph = self._make_new_graph(ail_graph)
 
     @property
@@ -177,10 +180,11 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
     def _reg_predicate(self, node_, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
         out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
         if reg_offset in out_state.registers and reg_size in out_state.registers[reg_offset]:
-            if out_state.registers[reg_offset][reg_size] is None:
+            existing_var = out_state.registers[reg_offset][reg_size]
+            if existing_var is None:
                 # the vvar is not set. it should never be referenced
                 return True, None
-            vvar = out_state.registers[reg_offset][reg_size].copy()
+            vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
         return False, None
@@ -188,10 +192,11 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
     def _stack_predicate(self, node_, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
         out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
         if stack_offset in out_state.stackvars and stackvar_size in out_state.stackvars[stack_offset]:
-            if out_state.stackvars[stack_offset][stackvar_size] is None:
+            existing_var = out_state.stackvars[stack_offset][stackvar_size]
+            if existing_var is None:
                 # the vvar is not set. it should never be referenced
                 return True, None
-            vvar = out_state.stackvars[stack_offset][stackvar_size].copy()
+            vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
         return False, None
@@ -215,11 +220,14 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         )
         # update state with function arguments
         for func_arg in self._func_args:
-            if func_arg.oident[0] == VirtualVariableCategory.REGISTER:
-                reg_offset, reg_size = func_arg.oident[1], func_arg.size
+            if func_arg.parameter_category == VirtualVariableCategory.REGISTER:
+                reg_offset, reg_size = func_arg.parameter_reg_offset, func_arg.size
+                assert reg_offset is not None and reg_size is not None
                 state.registers[reg_offset][reg_size] = func_arg
-            elif func_arg.oident[0] == VirtualVariableCategory.STACK:
-                state.stackvars[func_arg.oident[1]][func_arg.size] = func_arg
+            elif func_arg.parameter_category == VirtualVariableCategory.STACK:
+                parameter_stack_offset: int = func_arg.oident[1]  # type: ignore
+                assert parameter_stack_offset is not None and func_arg.size is not None
+                state.stackvars[parameter_stack_offset][func_arg.size] = func_arg
         return state
 
     def _run_on_node(self, node, state: RewritingState):

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -1,7 +1,9 @@
 # pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
+from typing import Literal
 import logging
 
+from archinfo import Endness
 from ailment.manager import Manager
 from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
@@ -22,6 +24,7 @@ from ailment.expression import (
     Reinterpret,
 )
 
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.engines.light.engine import SimEngineNostmtAIL
 from angr.utils.ssa import get_reg_offset_base_and_size
 from .rewriting_state import RewritingState
@@ -30,6 +33,10 @@ from .rewriting_state import RewritingState
 _l = logging.getLogger(__name__)
 
 
+DefExprType = atoms.Register | atoms.Tmp | atoms.MemoryLocation
+AT = Literal["l", "s"] | None
+
+
 class SimEngineSSARewriting(
     SimEngineNostmtAIL[RewritingState, Expression | None, Statement | tuple[Statement, ...], None]
 ):
@@ -38,6 +45,8 @@ class SimEngineSSARewriting(
     copies at each use location.
     """
 
+    state: RewritingState
+
     def __init__(
         self,
         project,
@@ -45,7 +54,7 @@ class SimEngineSSARewriting(
         sp_tracker,
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
-        stackvar_locs: dict[int, int],
+        stackvar_locs: dict[int, set[int]],
         ail_manager: Manager,
         vvar_id_start: int = 0,
         bp_as_gpr: bool = False,
@@ -55,13 +64,15 @@ class SimEngineSSARewriting(
 
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
-        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = {}
+        self.def_to_vvid: dict[tuple[int, int | None, int, DefExprType, AT], int] = {}
         self.stackvar_locs = stackvar_locs
         self.udef_to_phiid = udef_to_phiid
         self.phiid_to_loc = phiid_to_loc
         self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
 
+        self.secondary_stackvars: set[int] = set()
+
         self._current_vvar_id = vvar_id_start
 
     @property
@@ -103,6 +114,7 @@ class SimEngineSSARewriting(
             elif stmt.dst.category == VirtualVariableCategory.STACK:
                 self.state.stackvars[stmt.dst.stack_offset][stmt.dst.size] = stmt.dst
             elif stmt.dst.category == VirtualVariableCategory.TMP:
+                assert stmt.dst.tmp_idx is not None
                 self.state.tmps[stmt.dst.tmp_idx] = stmt.dst
             new_dst = None
         else:
@@ -134,10 +146,11 @@ class SimEngineSSARewriting(
                     base_reg_vvar = self._replace_def_expr(
                         self.block.addr, self.block.idx, self.stmt_idx, base_reg_expr
                     )
+                    assert base_reg_vvar is not None
                     stmt_base_reg = Assignment(
                         self.ail_manager.next_atom(),
                         base_reg_vvar,
-                        self._reg_update_expr(
+                        self._partial_update_expr(
                             existing_base_reg_vvar, base_offset, base_size, new_dst, stmt.dst.reg_offset, stmt.dst.size
                         ),
                         **stmt.tags,
@@ -160,12 +173,40 @@ class SimEngineSSARewriting(
             return new_stmt
         return None
 
-    def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | None:
+    def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | tuple[Assignment, ...] | None:
         new_data = self._expr(stmt.data)
         if stmt.guard is None:
+            # the variable
             vvar = self._replace_def_store(self.block.addr, self.block.idx, self.stmt_idx, stmt)
             if vvar is not None:
-                return Assignment(stmt.idx, vvar, stmt.data if new_data is None else new_data, **stmt.tags)
+                assert isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int)
+
+                # remove everything else that overlaps with the full (base) stack variable
+                # the full stack variable is kept around because it's always updated immediately and will be used in
+                # case of partial stack variable update
+                self._clear_overlapping_stackvars(stmt.addr.offset, stmt.size, remove_base_stackvar=False)
+
+                data = stmt.data if new_data is None else new_data
+                vvar_assignment = Assignment(stmt.idx, vvar, data, **stmt.tags)
+
+                full_size = self._get_stack_var_full_size(stmt)
+                assert full_size is not None
+                if vvar.size >= full_size:
+                    return vvar_assignment
+
+                # update the full variable
+                existing_full_vvar = self._replace_use_load(Load(None, stmt.addr, full_size, stmt.endness))
+                vvar_full = self._replace_def_store(
+                    self.block.addr, self.block.idx, self.stmt_idx, stmt, force_size=full_size
+                )
+                if existing_full_vvar is not None and vvar_full is not None:
+                    self.secondary_stackvars.add(vvar_full.varid)
+                    full_data = self._partial_update_expr(
+                        existing_full_vvar, stmt.addr.offset, full_size, vvar, stmt.addr.offset, stmt.size
+                    )
+                    full_assignment = Assignment(stmt.idx, vvar_full, full_data, **stmt.tags)
+                    return vvar_assignment, full_assignment
+                return vvar_assignment
 
         # fall back to Store
         new_addr = self._expr(stmt.addr)
@@ -210,7 +251,7 @@ class SimEngineSSARewriting(
     def _handle_stmt_Call(self, stmt: Call) -> Call | None:
         changed = False
 
-        new_target = self._replace_use_expr(stmt.target)
+        new_target = self._replace_use_expr(stmt.target) if not isinstance(stmt.target, str) else None
         new_ret_expr = (
             self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.ret_expr)
             if stmt.ret_expr is not None
@@ -275,7 +316,7 @@ class SimEngineSSARewriting(
         assert isinstance(dirty, DirtyExpression)
         return DirtyStatement(stmt.idx, dirty, **stmt.tags)
 
-    def _handle_expr_Register(self, expr: Register) -> VirtualVariable | None:
+    def _handle_expr_Register(self, expr: Register) -> VirtualVariable | Expression | None:
         return self._replace_use_reg(expr)
 
     def _handle_expr_Tmp(self, expr: Tmp) -> VirtualVariable | None:
@@ -460,9 +501,9 @@ class SimEngineSSARewriting(
     # Expression replacement
     #
 
-    def _reg_update_expr(
+    def _partial_update_expr(
         self,
-        existing_vvar: VirtualVariable,
+        existing_vvar: Expression,
         base_offset: int,
         base_size: int,
         new_vvar: VirtualVariable,
@@ -546,7 +587,7 @@ class SimEngineSSARewriting(
         """
 
         # get the virtual variable ID
-        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, atoms.Register(expr.reg_offset, expr.size), "s")
         return VirtualVariable(
             expr.idx,
             vvid,
@@ -578,32 +619,51 @@ class SimEngineSSARewriting(
             )
             self.state.registers[base_off][base_size] = vvar
             return vvar
-        return self.state.registers[base_off][base_size]
+        existing_var = self.state.registers[base_off][base_size]
+        assert existing_var is not None
+        return existing_var
+
+    def _get_stack_var_full_size(self, stmt: Store) -> int | None:
+        if (
+            isinstance(stmt.addr, StackBaseOffset)
+            and isinstance(stmt.addr.offset, int)
+            and stmt.addr.offset in self.stackvar_locs
+            and stmt.size in self.stackvar_locs[stmt.addr.offset]
+        ):
+            return max(self.stackvar_locs[stmt.addr.offset])
+        return None
 
     def _replace_def_store(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store, force_size: int | None = None
     ) -> VirtualVariable | None:
         if (
             isinstance(stmt.addr, StackBaseOffset)
             and isinstance(stmt.addr.offset, int)
             and stmt.addr.offset in self.stackvar_locs
-            and stmt.size == self.stackvar_locs[stmt.addr.offset]
+            and stmt.size in self.stackvar_locs[stmt.addr.offset]
         ):
-            vvar_id = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, stmt)
+            size = stmt.size if force_size is None else force_size
+            vvar_id = self.get_vvid_by_def(
+                block_addr,
+                block_idx,
+                stmt_idx,
+                atoms.MemoryLocation(stmt.addr.offset, size, Endness(stmt.endness)),
+                "s",
+            )
             vvar = VirtualVariable(
                 self.ail_manager.next_atom(),
                 vvar_id,
-                stmt.size * self.arch.byte_width,
+                size * self.arch.byte_width,
                 category=VirtualVariableCategory.STACK,
                 oident=stmt.addr.offset,
                 **stmt.tags,
             )
-            self.state.stackvars[stmt.addr.offset][stmt.size] = vvar
+            self.state.stackvars[stmt.addr.offset][size] = vvar
             return vvar
         return None
 
     def _replace_def_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
-        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, atoms.Tmp(expr.tmp_idx, expr.size), "s")
         vvar = VirtualVariable(
             expr.idx,
             vvid,
@@ -615,7 +675,7 @@ class SimEngineSSARewriting(
         self.state.tmps[expr.tmp_idx] = vvar
         return vvar
 
-    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | Expression | None:
         """
         Return a new virtual variable for the given defined expression.
         """
@@ -670,7 +730,7 @@ class SimEngineSSARewriting(
                 elif reg_expr.size > existing_size:
                     # part of the variable exists... maybe it's a parameter?
                     vvar = self.state.registers[reg_expr.reg_offset][existing_size]
-                    if vvar.category == VirtualVariableCategory.PARAMETER:
+                    if vvar is not None and vvar.category == VirtualVariableCategory.PARAMETER:
                         # just zero-extend it
                         return Convert(
                             self.ail_manager.next_atom(),
@@ -698,7 +758,7 @@ class SimEngineSSARewriting(
             shift_amount = Const(
                 self.ail_manager.next_atom(),
                 None,
-                (reg_expr.reg_offset - vvar.oident) * self.arch.byte_width,
+                (reg_expr.reg_offset - vvar.reg_offset) * self.arch.byte_width,
                 8,
                 **reg_expr.tags,
             )
@@ -729,11 +789,17 @@ class SimEngineSSARewriting(
             isinstance(expr.addr, StackBaseOffset)
             and isinstance(expr.addr.offset, int)
             and expr.addr.offset in self.stackvar_locs
-            and expr.size == self.stackvar_locs[expr.addr.offset]
+            and expr.size in self.stackvar_locs[expr.addr.offset]
         ):
             if expr.size not in self.state.stackvars[expr.addr.offset]:
                 # create it on the fly
-                vvar_id = self.get_vvid_by_def(self.block.addr, self.block.idx, self.stmt_idx, expr)
+                vvar_id = self.get_vvid_by_def(
+                    self.block.addr,
+                    self.block.idx,
+                    self.stmt_idx,
+                    atoms.MemoryLocation(expr.addr.offset, expr.size, Endness(expr.endness)),
+                    "l",
+                )
                 return VirtualVariable(
                     self.ail_manager.next_atom(),
                     vvar_id,
@@ -783,9 +849,9 @@ class SimEngineSSARewriting(
     #
 
     def get_vvid_by_def(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: DefExprType, access_type: AT
     ) -> int:
-        key = block_addr, block_idx, stmt_idx, thing
+        key = block_addr, block_idx, stmt_idx, thing, access_type
         if key in self.def_to_vvid:
             return self.def_to_vvid[key]
         vvid = self.next_vvar_id()
@@ -802,6 +868,21 @@ class SimEngineSSARewriting(
                 else:
                     del self.state.registers[off]
 
+    def _clear_overlapping_stackvars(self, stack_offset: int, size: int, remove_base_stackvar: bool = True) -> None:
+        for off in range(stack_offset, stack_offset + size):
+            if off in self.state.stackvars:
+                if (
+                    not remove_base_stackvar
+                    and off in self.stackvar_locs
+                    and off == stack_offset
+                    and (base_size := max(self.stackvar_locs[off])) == size
+                    and base_size in self.state.stackvars[off]
+                ):
+                    if len(self.state.stackvars[off]) > 1:
+                        self.state.stackvars[off] = {base_size: self.state.stackvars[off][base_size]}
+                else:
+                    del self.state.stackvars[off]
+
     def _unreachable(self, *args, **kwargs):
         assert False
 

angr/analyses/decompiler/ssailification/ssailification.py

@@ -79,7 +79,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         # calculate virtual variables and phi nodes
         self._udef_to_phiid: dict[tuple, set[int]] = None
         self._phiid_to_loc: dict[int, tuple[int, int | None]] = None
-        self._stackvar_locs: dict[int, int] = None
+        self._stackvar_locs: dict[int, set[int]] = None
         self._calculate_virtual_variables(ail_graph, traversal.def_to_loc, traversal.loc_to_defs)
 
         # insert phi variables and rewrite uses
@@ -97,6 +97,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             self._func_args,
             vvar_id_start=vvar_id_start,
         )
+        self.secondary_stackvars = rewriter.secondary_stackvars
         self.out_graph = rewriter.out_graph
         self.max_vvar_id = rewriter.max_vvar_id
 
@@ -130,7 +131,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             if self._func_args:
                 for func_arg in self._func_args:
                     if func_arg.oident[0] == VirtualVariableCategory.STACK:
-                        stackvar_locs[func_arg.oident[1]] = func_arg.size
+                        stackvar_locs[func_arg.oident[1]] = {func_arg.size}
             sorted_stackvar_offs = sorted(stackvar_locs)
         else:
             stackvar_locs = {}
@@ -157,8 +158,13 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                         off = sorted_stackvar_offs[i]
                         if off >= def_.addr.offset + def_.size:
                             break
-                        udef_to_defs[("stack", off, stackvar_locs[off])].add(def_)
-                        udef_to_blockkeys[("stack", off, stackvar_locs[off])].add((loc.block_addr, loc.block_idx))
+                        full_sz = max(stackvar_locs[off])
+                        udef_to_defs[("stack", off, full_sz)].add(def_)
+                        udef_to_blockkeys[("stack", off, full_sz)].add((loc.block_addr, loc.block_idx))
+                        # add a definition for the partial stack variable
+                        if def_.size in stackvar_locs[off] and def_.size < full_sz:
+                            udef_to_defs[("stack", off, def_.size)].add(def_)
+                            udef_to_blockkeys[("stack", off, def_.size)].add((loc.block_addr, loc.block_idx))
             elif isinstance(def_, Tmp):
                 # Tmps are local to each block and do not need phi nodes
                 pass
@@ -197,7 +203,15 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         return last_frontier
 
     @staticmethod
-    def _synthesize_stackvar_locs(defs: list[Store]) -> dict[int, int]:
+    def _synthesize_stackvar_locs(defs: list[Store]) -> dict[int, set[int]]:
+        """
+        Derive potential locations (in terms of offsets and sizes) for stack variables based on all stack variable
+        definitions provided.
+
+        :param defs:    Store definitions.
+        :return:        A dictionary of stack variable offsets and their sizes.
+        """
+
         accesses: defaultdict[int, set[int]] = defaultdict(set)
         offs: set[int] = set()
 
@@ -208,7 +222,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                 offs.add(stack_off)
 
         sorted_offs = sorted(offs)
-        locs: dict[int, int] = {}
+        locs: dict[int, set[int]] = {}
         for idx, off in enumerate(sorted_offs):
             sorted_sizes = sorted(accesses[off])
             if idx < len(sorted_offs) - 1:
@@ -217,14 +231,8 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             else:
                 allowed_sizes = sorted_sizes
 
-            if len(allowed_sizes) == 1:
-                locs[off] = allowed_sizes[0]
-            # else:
-            #     last_off = off
-            #     for a in allowed_sizes:
-            #         locs[off + a] = off + a - last_off
-            #         last_off = off + a
-            # TODO: Update locs for sizes beyond allowed_sizes
+            if allowed_sizes:
+                locs[off] = set(allowed_sizes)
 
         return locs