angr 9.2.140__py3-none-manylinux2014_x86_64.whl → 9.2.142__py3-none-manylinux2014_x86_64.whl

angr/analyses/class_identifier.py

@@ -1,6 +1,8 @@
 from __future__ import annotations
+
 from angr.sim_type import SimCppClass, SimTypeCppFunction
 from angr.analyses import AnalysesHub
+from angr.utils.cpp import is_cpp_funcname_ctor
 from . import Analysis, CFGFast, VtableFinder
 
 
@@ -33,17 +35,13 @@ class ClassIdentifier(Analysis):
             class_name = class_name.removeprefix("non-virtual thunk for ")
             if col_ind != -1:
                 if class_name not in self.classes:
-                    ctor = False
-                    if func.demangled_name.find("{ctor}"):
-                        ctor = True
+                    ctor = is_cpp_funcname_ctor(func.demangled_name)
                     function_members = {func.addr: SimTypeCppFunction([], None, label=func.demangled_name, ctor=ctor)}
                     new_class = SimCppClass(name=class_name, function_members=function_members)
                     self.classes[class_name] = new_class
 
                 else:
-                    ctor = False
-                    if func.demangled_name.find("{ctor}"):
-                        ctor = True
+                    ctor = is_cpp_funcname_ctor(func.demangled_name)
                     cur_class = self.classes[class_name]
                     cur_class.function_members[func.addr] = SimTypeCppFunction(
                         [], None, label=func.demangled_name, ctor=ctor
@@ -55,7 +53,10 @@ class ClassIdentifier(Analysis):
                 vtable_calling_func = self.project.kb.functions.floor_func(ref.ins_addr)
                 tmp_col_ind = vtable_calling_func.demangled_name.rfind("::")
                 possible_constructor_class_name = vtable_calling_func.demangled_name[:tmp_col_ind]
-                if "ctor" in vtable_calling_func.demangled_name and possible_constructor_class_name in self.classes:
+                if (
+                    is_cpp_funcname_ctor(vtable_calling_func.demangled_name)
+                    and possible_constructor_class_name in self.classes
+                ):
                     self.classes[possible_constructor_class_name].vtable_ptrs.append(vtable.vaddr)
 
 

angr/analyses/complete_calling_conventions.py

@@ -383,7 +383,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
             return (
                 cc_analysis.cc,
                 cc_analysis.prototype,
-                func.prototype_libname,
+                cc_analysis.prototype_libname if cc_analysis.prototype_libname is not None else func.prototype_libname,
                 self.kb.variables.get_function_manager(func_addr),
             )
         _l.info("Cannot determine calling convention for %r.", func)

angr/analyses/decompiler/ail_simplifier.py

@@ -99,6 +99,7 @@ class AILSimplifier(Analysis):
         removed_vvar_ids: set[int] | None = None,
         arg_vvars: dict[int, tuple[VirtualVariable, SimVariable]] | None = None,
         avoid_vvar_ids: set[int] | None = None,
+        secondary_stackvars: set[int] | None = None,
     ):
         self.func = func
         self.func_graph = func_graph if func_graph is not None else func.graph
@@ -117,8 +118,9 @@ class AILSimplifier(Analysis):
         self._should_rewrite_ccalls = rewrite_ccalls
         self._removed_vvar_ids = removed_vvar_ids if removed_vvar_ids is not None else set()
         self._arg_vvars = arg_vvars
-        self._avoid_vvar_ids = avoid_vvar_ids
+        self._avoid_vvar_ids = avoid_vvar_ids if avoid_vvar_ids is not None else set()
         self._propagator_dead_vvar_ids: set[int] = set()
+        self._secondary_stackvars: set[int] = secondary_stackvars if secondary_stackvars is not None else set()
 
         self._calls_to_remove: set[CodeLocation] = set()
         self._assignments_to_remove: set[CodeLocation] = set()
@@ -130,12 +132,10 @@ class AILSimplifier(Analysis):
     def _simplify(self):
         if self._narrow_expressions:
             _l.debug("Removing dead assignments before narrowing expressions")
-            r = self._remove_dead_assignments()
+            r = self._iteratively_remove_dead_assignments()
             if r:
                 _l.debug("... dead assignments removed")
                 self.simplified = True
-                self._rebuild_func_graph()
-                self._clear_cache()
 
             _l.debug("Narrowing expressions")
             narrowed_exprs = self._narrow_exprs()
@@ -168,12 +168,10 @@ class AILSimplifier(Analysis):
 
         if self._unify_vars:
             _l.debug("Removing dead assignments")
-            r = self._remove_dead_assignments()
+            r = self._iteratively_remove_dead_assignments()
             if r:
                 _l.debug("... dead assignments removed")
                 self.simplified = True
-                self._rebuild_func_graph()
-                self._clear_cache()
 
             _l.debug("Unifying local variables")
             r = self._unify_local_variables()
@@ -192,11 +190,10 @@ class AILSimplifier(Analysis):
                 self._clear_cache()
 
         _l.debug("Removing dead assignments")
-        r = self._remove_dead_assignments()
+        r = self._iteratively_remove_dead_assignments()
         if r:
             _l.debug("... dead assignments removed")
             self.simplified = True
-            self._rebuild_func_graph()
 
     def _rebuild_func_graph(self):
         def _handler(node):
@@ -1317,14 +1314,27 @@ class AILSimplifier(Analysis):
 
         return False, None
 
+    def _iteratively_remove_dead_assignments(self) -> bool:
+        anything_removed = False
+        while True:
+            r = self._remove_dead_assignments()
+            if not r:
+                return anything_removed
+            self._rebuild_func_graph()
+            self._clear_cache()
+
     def _remove_dead_assignments(self) -> bool:
 
         # keeping tracking of statements to remove and statements (as well as dead vvars) to keep allows us to handle
-        # cases where a statement defines more than one atoms, e.g., a call statement that defines both the return
+        # cases where a statement defines more than one atom, e.g., a call statement that defines both the return
         # value and the floating-point return value.
         stmts_to_remove_per_block: dict[tuple[int, int | None], set[int]] = defaultdict(set)
         stmts_to_keep_per_block: dict[tuple[int, int | None], set[int]] = defaultdict(set)
         dead_vvar_ids: set[int] = set()
+        dead_vvar_codelocs: set[CodeLocation] = set()
+        blocks: dict[tuple[int, int | None], Block] = {
+            (node.addr, node.idx): self.blocks.get(node, node) for node in self.func_graph.nodes()
+        }
 
         # Find all statements that should be removed
         mask = (1 << self.project.arch.bits) - 1
@@ -1333,54 +1343,64 @@ class AILSimplifier(Analysis):
         stackarg_offsets = (
             {(tpl[1] & mask) for tpl in self._stack_arg_offsets} if self._stack_arg_offsets is not None else None
         )
-        for def_ in rd.all_definitions:
-            if def_.dummy:
-                continue
-            # we do not remove references to global memory regions no matter what
-            if isinstance(def_.atom, atoms.MemoryLocation) and isinstance(def_.atom.addr, int):
-                continue
-            if isinstance(def_.atom, atoms.VirtualVariable):
-                if def_.atom.varid in self._propagator_dead_vvar_ids:
+        while True:
+            new_dead_vars_found = False
+            for vvar, codeloc in rd.all_vvar_definitions.items():
+                if vvar.varid in dead_vvar_ids:
+                    continue
+                if vvar.varid in self._propagator_dead_vvar_ids:
                     # we are definitely removing this variable if it has no uses
-                    uses = rd.get_vvar_uses(def_.atom)
-                elif def_.atom.was_stack:
+                    uses = rd.all_vvar_uses[vvar]
+                elif vvar.was_stack:
                     if not self._remove_dead_memdefs:
-                        if rd.is_phi_vvar_id(def_.atom.varid):
+                        if rd.is_phi_vvar_id(vvar.varid):
                             # we always remove unused phi variables
                             pass
+                        elif vvar.varid in self._secondary_stackvars:
+                            # secondary stack variables are potentially removable
+                            pass
                         elif stackarg_offsets is not None:
                             # we always remove definitions for stack arguments
-                            assert def_.atom.stack_offset is not None
-                            if (def_.atom.stack_offset & mask) not in stackarg_offsets:
+                            assert vvar.stack_offset is not None
+                            if (vvar.stack_offset & mask) not in stackarg_offsets:
                                 continue
                         else:
                             continue
-                    uses = rd.get_vvar_uses(def_.atom)
+                    uses = rd.all_vvar_uses[vvar]
 
-                elif def_.atom.was_tmp or def_.atom.was_reg or def_.atom.was_parameter:
-                    uses = rd.get_vvar_uses(def_.atom)
+                elif vvar.was_tmp or vvar.was_reg or vvar.was_parameter:
+                    uses = rd.all_vvar_uses[vvar]
 
                 else:
                     uses = set()
 
-            else:
-                continue
-
-            if not uses:
-                if isinstance(def_.atom, atoms.VirtualVariable):
-                    dead_vvar_ids.add(def_.atom.varid)
+                # remove uses where vvars are going to be removed
+                filtered_uses_count = 0
+                for _, loc in uses:
+                    if loc in dead_vvar_codelocs and loc.block_addr is not None and loc.stmt_idx is not None:
+                        stmt = blocks[(loc.block_addr, loc.block_idx)].statements[loc.stmt_idx]
+                        if not self._statement_has_call_exprs(stmt) and not isinstance(stmt, (DirtyStatement, Call)):
+                            continue
+                    filtered_uses_count += 1
+
+                if filtered_uses_count == 0:
+                    new_dead_vars_found = True
+                    dead_vvar_ids.add(vvar.varid)
+                    dead_vvar_codelocs.add(codeloc)
+                    if not isinstance(codeloc, ExternalCodeLocation):
+                        assert codeloc.block_addr is not None
+                        assert codeloc.stmt_idx is not None
+                        stmts_to_remove_per_block[(codeloc.block_addr, codeloc.block_idx)].add(codeloc.stmt_idx)
+                        stmts_to_keep_per_block[(codeloc.block_addr, codeloc.block_idx)].discard(codeloc.stmt_idx)
+                else:
+                    if not isinstance(codeloc, ExternalCodeLocation):
+                        assert codeloc.block_addr is not None
+                        assert codeloc.stmt_idx is not None
+                        stmts_to_keep_per_block[(codeloc.block_addr, codeloc.block_idx)].add(codeloc.stmt_idx)
 
-                if not isinstance(def_.codeloc, ExternalCodeLocation):
-                    assert def_.codeloc.block_addr is not None
-                    assert def_.codeloc.stmt_idx is not None
-                    stmts_to_remove_per_block[(def_.codeloc.block_addr, def_.codeloc.block_idx)].add(
-                        def_.codeloc.stmt_idx
-                    )
-            else:
-                if not isinstance(def_.codeloc, ExternalCodeLocation):
-                    assert def_.codeloc.block_addr is not None
-                    assert def_.codeloc.stmt_idx is not None
-                stmts_to_keep_per_block[(def_.codeloc.block_addr, def_.codeloc.block_idx)].add(def_.codeloc.stmt_idx)
+            if not new_dead_vars_found:
+                # nothing more is found. let's end the loop
+                break
 
         # find all phi variables that rely on variables that no longer exist
         all_removed_var_ids = self._removed_vvar_ids.copy()
@@ -1455,6 +1475,7 @@ class AILSimplifier(Analysis):
                         if codeloc in self._assignments_to_remove:
                             # it should be removed
                             simplified = True
+                            self._assignments_to_remove.discard(codeloc)
                             continue
 
                         if self._statement_has_call_exprs(stmt):
@@ -1482,6 +1503,7 @@ class AILSimplifier(Analysis):
                         codeloc = CodeLocation(block.addr, idx, ins_addr=stmt.ins_addr, block_idx=block.idx)
                         if codeloc in self._calls_to_remove:
                             # this call can be removed
+                            self._calls_to_remove.discard(codeloc)
                             simplified = True
                             continue
 
@@ -1503,8 +1525,36 @@ class AILSimplifier(Analysis):
 
         return simplified
 
+    @staticmethod
+    def _get_vvar_used_by(
+        vvar_id: int, rd: SRDAModel, blocks_dict: dict[tuple[int, int | None], Block]
+    ) -> set[int | None]:
+        """
+        Get all atoms that use a specified virtual variable. The atoms are in the form of virtual variable ID or None
+        (indicating the virtual variable is used by another statement like Store).
+
+        :param vvar_id:     ID of the virtual variable.
+        :param rd:          The SRDA model.
+        :return:            The set of vvar use atoms.
+        """
+
+        vvar = rd.varid_to_vvar[vvar_id]
+        used_by: set[int | None] = set()
+        for used_vvar, loc in rd.all_vvar_uses[vvar]:
+            if used_vvar is None:
+                # no explicit reference
+                used_by.add(None)
+            elif loc.block_addr is not None:
+                assert loc.stmt_idx is not None
+                stmt = blocks_dict[(loc.block_addr, loc.block_idx)].statements[loc.stmt_idx]
+                if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
+                    used_by.add(stmt.dst.varid)
+                else:
+                    used_by.add(None)
+        return used_by
+
     def _find_cyclic_dependent_phis_and_dirty_vvars(self, rd: SRDAModel) -> set[int]:
-        blocks_dict = {(bb.addr, bb.idx): bb for bb in self.func_graph}
+        blocks_dict: dict[tuple[int, int | None], Block] = {(bb.addr, bb.idx): bb for bb in self.func_graph}
 
         # find dirty vvars and vexccall vvars
         dirty_vvar_ids = set()
@@ -1520,25 +1570,14 @@ class AILSimplifier(Analysis):
 
         phi_and_dirty_vvar_ids = rd.phi_vvar_ids | dirty_vvar_ids
 
-        vvar_used_by: dict[int, set[int]] = defaultdict(set)
+        vvar_used_by: dict[int, set[int | None]] = defaultdict(set)
         for var_id in phi_and_dirty_vvar_ids:
             if var_id in rd.phivarid_to_varids:
                 for used_by_varid in rd.phivarid_to_varids[var_id]:
-                    vvar_used_by[used_by_varid].add(var_id)
-
-            vvar = rd.varid_to_vvar[var_id]
-            used_by = set()
-            for used_vvar, loc in rd.all_vvar_uses[vvar]:
-                if used_vvar is None:
-                    # no explicit reference
-                    used_by.add(None)
-                else:
-                    stmt = blocks_dict[loc.block_addr, loc.block_idx].statements[loc.stmt_idx]
-                    if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
-                        used_by.add(stmt.dst.varid)
-                    else:
-                        used_by.add(None)
-            vvar_used_by[var_id] |= used_by
+                    if used_by_varid not in vvar_used_by:
+                        vvar_used_by[used_by_varid] |= self._get_vvar_used_by(used_by_varid, rd, blocks_dict)
+                    vvar_used_by[used_by_varid].add(var_id)  # probably unnecessary
+            vvar_used_by[var_id] |= self._get_vvar_used_by(var_id, rd, blocks_dict)
 
         g = networkx.DiGraph()
         dummy_vvar_id = -1
@@ -1557,8 +1596,12 @@ class AILSimplifier(Analysis):
 
             bail = False
             for varid in scc:
-                # if this vvar is a phi var, ensure this vvar is not used by anything else outside the scc
-                if varid in rd.phi_vvar_ids:
+                # ensure this vvar is not used by anything else outside the scc (regardless of whether this vvar is a
+                # phi variable or not)
+                if varid in vvar_used_by and None in vvar_used_by[varid]:
+                    bail = True
+                    break
+                if bail is False:
                     succs = list(g.successors(varid))
                     if any(succ_varid not in scc for succ_varid in succs):
                         bail = True

angr/analyses/decompiler/callsite_maker.py

@@ -45,7 +45,7 @@ class CallSiteMaker(Analysis):
         self._ail_manager = ail_manager
 
         self.result_block = None
-        self.stack_arg_offsets: set[tuple[int, int]] | None = None  # ins_addr, stack_offset
+        self.stack_arg_offsets: set[tuple[int, int]] | None = None  # call ins addr, stack_offset
         self.removed_vvar_ids: set[int] = set()
 
         self._analyze()
@@ -372,7 +372,9 @@ class CallSiteMaker(Analysis):
 
         return None
 
-    def _resolve_stack_argument(self, call_stmt, arg_loc) -> tuple[Any, Any]:  # pylint:disable=unused-argument
+    def _resolve_stack_argument(
+        self, call_stmt: Stmt.Call, arg_loc
+    ) -> tuple[Any, Any]:  # pylint:disable=unused-argument
         assert self._stack_pointer_tracker is not None
 
         size = arg_loc.size
@@ -399,15 +401,26 @@ class CallSiteMaker(Analysis):
                     # FIXME: vvar may be larger than that we ask; we may need to chop the correct value of vvar
                     value = view.get_vvar_value(vvar)
                     if value is not None and not isinstance(value, Expr.Phi):
-                        return None, value
-                    return None, Expr.VirtualVariable(
-                        self._atom_idx(),
-                        vvar.varid,
-                        vvar.bits,
-                        vvar.category,
-                        oident=vvar.oident,
-                        ins_addr=call_stmt.ins_addr,
-                    )
+                        v: Expr.Expression = value
+                    else:
+                        v: Expr.Expression = Expr.VirtualVariable(
+                            self._atom_idx(),
+                            vvar.varid,
+                            vvar.bits,
+                            vvar.category,
+                            oident=vvar.oident,
+                            ins_addr=call_stmt.ins_addr,
+                        )
+                    if v.size > size:
+                        v = Expr.Convert(
+                            self._atom_idx(),
+                            v.bits,
+                            size * self.project.arch.byte_width,
+                            False,
+                            v,
+                            ins_addr=call_stmt.ins_addr,
+                        )
+                    return None, v
 
             return None, Expr.Load(
                 self._atom_idx(),

angr/analyses/decompiler/clinic.py

@@ -13,7 +13,6 @@ import capstone
 
 import ailment
 
-from angr.analyses.decompiler.ssailification.ssailification import Ssailification
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions import Function
@@ -39,6 +38,8 @@ from angr.procedures.stubs.UnresolvableJumpTarget import UnresolvableJumpTarget
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.cfg.cfg_base import CFGBase
 from angr.analyses.reaching_definitions import ReachingDefinitionsAnalysis
+from .ssailification.ssailification import Ssailification
+from .stack_item import StackItem, StackItemType
 from .return_maker import ReturnMaker
 from .ailgraph_walker import AILGraphWalker, RemoveNodeNotice
 from .optimization_passes import (
@@ -154,6 +155,9 @@ class Clinic(Analysis):
         self._mode = mode
         self.vvar_id_start = vvar_id_start
         self.vvar_to_vvar: dict[int, int] | None = None
+        # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
+        # actual stack variables. these secondary stack variables can be safely eliminated if not used by anything.
+        self.secondary_stackvars: set[int] = set()
 
         # inlining help
         self._sp_shift = sp_shift
@@ -167,6 +171,7 @@ class Clinic(Analysis):
 
         self._register_save_areas_removed: bool = False
         self.edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]] = []
+        self.copied_var_ids: set[int] = set()
 
         self._new_block_addrs = set()
 
@@ -179,6 +184,10 @@ class Clinic(Analysis):
         else:
             self._optimization_passes = []
 
+        self.stack_items: dict[int, StackItem] = {}
+        if self.project.arch.call_pushes_ret:
+            self.stack_items[0] = StackItem(0, self.project.arch.bytes, "ret_addr", StackItemType.RET_ADDR)
+
         if self._mode == ClinicMode.DECOMPILE:
             self._analyze_for_decompiling()
         elif self._mode == ClinicMode.COLLECT_DATA_REFS:
@@ -499,7 +508,7 @@ class Clinic(Analysis):
         # Run simplification passes
         self._update_progress(40.0, text="Running simplifications 1")
         ail_graph = self._run_simplification_passes(
-            ail_graph, stage=OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION
+            ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION
         )
 
         # Simplify the entire function for the first time
@@ -562,7 +571,9 @@ class Clinic(Analysis):
 
         # Run simplification passes
         self._update_progress(65.0, text="Running simplifications 3 ")
-        ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION)
+        ail_graph = self._run_simplification_passes(
+            ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
+        )
 
         # Simplify the entire function for the third time
         self._update_progress(70.0, text="Simplifying function 3")
@@ -629,6 +640,7 @@ class Clinic(Analysis):
         self.cc_graph = self.copy_graph(ail_graph)
         self.externs = self._collect_externs(ail_graph, variable_kb)
         self.vvar_to_vvar = vvar2vvar
+        self.copied_var_ids = copied_vvar_ids
         return ail_graph
 
     def _analyze_for_data_refs(self):
@@ -777,6 +789,8 @@ class Clinic(Analysis):
         :return: None
         """
 
+        attempted_funcs: set[int] = set()
+
         for node in self.function.transition_graph:
             if (
                 isinstance(node, BlockNode)
@@ -788,7 +802,12 @@ class Clinic(Analysis):
             elif isinstance(node, Function):
                 target_func = node
             else:
+                # TODO: Enable call-site analysis for indirect calls
+                continue
+
+            if target_func.addr in attempted_funcs:
                 continue
+            attempted_funcs.add(target_func.addr)
 
             # case 0: the calling convention and prototype are available
             if target_func.calling_convention is not None and target_func.prototype is not None:
@@ -808,6 +827,7 @@ class Clinic(Analysis):
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
+                    target_func.prototype_libname = cc.prototype_libname
                     continue
 
             # case 3: the callee is a PLT function
@@ -816,6 +836,7 @@ class Clinic(Analysis):
                 if cc.cc is not None and cc.prototype is not None:
                     target_func.calling_convention = cc.cc
                     target_func.prototype = cc.prototype
+                    target_func.prototype_libname = cc.prototype_libname
                     continue
 
             # case 4: fall back to call site analysis
@@ -967,7 +988,29 @@ class Clinic(Analysis):
             return ailment.Block(block_node.addr, 0, statements=[])
 
         block = self.project.factory.block(block_node.addr, block_node.size, cross_insn_opt=False)
-        return self._convert_vex(block)
+        converted = self._convert_vex(block)
+
+        # architecture-specific setup
+        if block.addr == self.function.addr and self.project.arch.name in {"X86", "AMD64"}:
+            # setup dflag; this is a hack for most sane ABIs. we may move this logic elsewhere if there are adversarial
+            # binaries that mess with dflags and pass them across functions
+            dflag_offset, dflag_size = self.project.arch.registers["d"]
+            dflag = ailment.Expr.Register(
+                self._ail_manager.next_atom(),
+                None,
+                dflag_offset,
+                dflag_size * self.project.arch.byte_width,
+                ins_addr=block.addr,
+            )
+            forward = ailment.Expr.Const(
+                self._ail_manager.next_atom(), None, 1, dflag_size * self.project.arch.byte_width, ins_addr=block.addr
+            )
+            dflag_assignment = ailment.Stmt.Assignment(
+                self._ail_manager.next_atom(), dflag, forward, ins_addr=block.addr
+            )
+            converted.statements.insert(0, dflag_assignment)
+
+        return converted
 
     def _convert_vex(self, block):
         if block.vex.jumpkind not in {"Ijk_Call", "Ijk_Boring", "Ijk_Ret"} and not block.vex.jumpkind.startswith(
@@ -1009,7 +1052,11 @@ class Clinic(Analysis):
                 node = self._cfg.get_any_node(block.addr)
                 if node is None:
                     continue
-                successors = self._cfg.get_successors(node, excluding_fakeret=True, jumpkind="Ijk_Call")
+                successors = [
+                    node
+                    for node, jk in self._cfg.get_successors_and_jumpkinds(node)
+                    if jk == "Ijk_Call" or jk.startswith("Ijk_Sys")
+                ]
                 if len(successors) == 1:
                     succ_addr = successors[0].addr
                     if not self.project.is_hooked(succ_addr) or not isinstance(
@@ -1239,6 +1286,7 @@ class Clinic(Analysis):
             rewrite_ccalls=rewrite_ccalls,
             removed_vvar_ids=removed_vvar_ids,
             arg_vvars=arg_vvars,
+            secondary_stackvars=self.secondary_stackvars,
         )
         # cache the simplifier's RDA analysis
         self.reaching_definitions = simp._reaching_definitions
@@ -1252,6 +1300,7 @@ class Clinic(Analysis):
         ail_graph,
         stage: OptimizationPassStage = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION,
         variable_kb=None,
+        stack_items: dict[int, StackItem] | None = None,
         **kwargs,
     ):
         addr_and_idx_to_blocks: dict[tuple[int, int | None], ailment.Block] = {}
@@ -1297,6 +1346,8 @@ class Clinic(Analysis):
                     # clear the cached RDA result
                     self.reaching_definitions = None
                 self.vvar_id_start = a.vvar_id_start
+            if stack_items is not None and a.stack_items:
+                stack_items.update(a.stack_items)
 
         return ail_graph
 
@@ -1364,6 +1415,7 @@ class Clinic(Analysis):
             vvar_id_start=self.vvar_id_start,
         )
         self.vvar_id_start = ssailification.max_vvar_id + 1
+        self.secondary_stackvars = ssailification.secondary_stackvars
         return ssailification.out_graph
 
     @timethis
@@ -1554,6 +1606,13 @@ class Clinic(Analysis):
             if vartype is not None:
                 for tv in vr.var_to_typevars[variable]:
                     groundtruth[tv] = vartype
+        # get maximum sizes of each stack variable, regardless of its original type
+        stackvar_max_sizes = var_manager.get_stackvar_max_sizes(self.stack_items)
+        tv_max_sizes = {}
+        for v, s in stackvar_max_sizes.items():
+            if v in vr.var_to_typevars:
+                for tv in vr.var_to_typevars[v]:
+                    tv_max_sizes[tv] = s
         # clean up existing types for this function
         var_manager.remove_types()
         # TODO: Type inference for global variables
@@ -1574,6 +1633,7 @@ class Clinic(Analysis):
                 var_mapping=vr.var_to_typevars,
                 must_struct=must_struct,
                 ground_truth=groundtruth,
+                stackvar_max_sizes=tv_max_sizes,
             )
             # tp.pp_constraints()
             # tp.pp_solution()
@@ -1864,6 +1924,11 @@ class Clinic(Analysis):
             if expr.guard:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.guard)
 
+        elif isinstance(expr, ailment.Expr.Phi):
+            for _, vvar in expr.src_and_vvars:
+                if vvar is not None:
+                    self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, vvar)
+
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size
@@ -2429,6 +2494,19 @@ class Clinic(Analysis):
                                     last_stmt.target.value = succs[0].addr
                                 elif isinstance(last_stmt, ailment.Stmt.ConditionalJump):
                                     patch_conditional_jump_target(last_stmt, node.addr, succs[0].addr)
+                                    # if both branches jump to the same location, we replace it with a jump
+                                    if (
+                                        isinstance(last_stmt.true_target, ailment.Expr.Const)
+                                        and isinstance(last_stmt.false_target, ailment.Expr.Const)
+                                        and last_stmt.true_target.value == last_stmt.false_target.value
+                                    ):
+                                        last_stmt = ailment.Stmt.Jump(
+                                            last_stmt.idx,
+                                            last_stmt.true_target,
+                                            target_idx=last_stmt.true_target.idx,
+                                            ins_addr=last_stmt.ins_addr,
+                                        )
+                                        pred.statements[-1] = last_stmt
                                 first_cond_jump = first_conditional_jump(pred)
                                 if first_cond_jump is not None and first_cond_jump is not last_stmt:
                                     patch_conditional_jump_target(first_cond_jump, node.addr, succs[0].addr)

angr/analyses/decompiler/condition_processor.py

@@ -16,6 +16,7 @@ from angr.utils.graph import GraphUtils
 from angr.utils.lazy_import import lazy_import
 from angr.utils import is_pyinstaller
 from angr.utils.graph import dominates, inverted_idoms
+from angr.utils.ail import is_head_controlled_loop_block
 from angr.block import Block, BlockNode
 from angr.errors import AngrRuntimeError
 from .peephole_optimizations import InvertNegatedLogicalConjunctionsAndDisjunctions, RemoveRedundantNots
@@ -34,7 +35,7 @@ from .structuring.structurer_nodes import (
     IncompleteSwitchCaseNode,
 )
 from .graph_region import GraphRegion
-from .utils import first_nonlabel_nonphi_statement, peephole_optimize_expr
+from .utils import peephole_optimize_expr
 
 if is_pyinstaller():
     # PyInstaller is not happy with lazy import
@@ -671,12 +672,11 @@ class ConditionProcessor:
             return claripy.true()
 
         # sometimes the last statement is the conditional jump. sometimes it's the first statement of the block
-        if (
-            isinstance(src_block, ailment.Block)
-            and src_block.statements
-            and isinstance(first_nonlabel_nonphi_statement(src_block), ailment.Stmt.ConditionalJump)
-        ):
-            last_stmt = first_nonlabel_nonphi_statement(src_block)
+        if isinstance(src_block, ailment.Block) and src_block.statements and is_head_controlled_loop_block(src_block):
+            last_stmt = next(
+                iter(stmt for stmt in src_block.statements[:-1] if isinstance(stmt, ailment.Stmt.ConditionalJump)), None
+            )
+            assert last_stmt is not None
         else:
             last_stmt = self.get_last_statement(src_block)