angr 9.2.140__py3-none-win_amd64.whl → 9.2.142__py3-none-win_amd64.whl

angr/analyses/decompiler/decompilation_cache.py

@@ -6,6 +6,7 @@ from .structured_codegen import BaseStructuredCodeGenerator
 
 if TYPE_CHECKING:
     from angr.analyses.decompiler.optimization_passes.expr_op_swapper import OpDescriptor
+    from angr.analyses.typehoon.typevars import TypeVariable, TypeConstraint
 
 
 class DecompilationCache:
@@ -29,7 +30,7 @@ class DecompilationCache:
     def __init__(self, addr):
         self.parameters: dict[str, Any] = {}
         self.addr = addr
-        self.type_constraints: set | None = None
+        self.type_constraints: dict[TypeVariable, set[TypeConstraint]] | None = None
         self.func_typevar = None
         self.var_to_typevar: dict | None = None
         self.codegen: BaseStructuredCodeGenerator | None = None

angr/analyses/decompiler/decompiler.py

@@ -31,6 +31,7 @@ from .presets import DECOMPILATION_PRESETS, DecompilationPreset
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg.cfg_model import CFGModel
     from .peephole_optimizations import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase
+    from angr.analyses.typehoon.typevars import TypeVariable, TypeConstraint
 
 l = logging.getLogger(name=__name__)
 
@@ -135,6 +136,7 @@ class Decompiler(Analysis):
         self.unoptimized_ail_graph: networkx.DiGraph | None = None
         self.ail_graph: networkx.DiGraph | None = None
         self.vvar_id_start = None
+        self._copied_var_ids: set[int] = set()
         self._optimization_scratch: dict[str, Any] = {}
         self.expr_collapse_depth = expr_collapse_depth
 
@@ -267,6 +269,7 @@ class Decompiler(Analysis):
         self._variable_kb = clinic.variable_kb
         self._update_progress(70.0, text="Identifying regions")
         self.vvar_id_start = clinic.vvar_id_start
+        self._copied_var_ids = clinic.copied_var_ids
 
         if clinic.graph is None:
             # the function is empty
@@ -500,6 +503,8 @@ class Decompiler(Analysis):
                 scratch=self._optimization_scratch,
                 force_loop_single_exit=self._force_loop_single_exit,
                 complete_successors=self._complete_successors,
+                peephole_optimizations=self._peephole_optimizations,
+                avoid_vvar_ids=self._copied_var_ids,
                 **kwargs,
             )
 
@@ -545,7 +550,9 @@ class Decompiler(Analysis):
                     SimMemoryVariable(symbol.rebased_addr, 1, name=symbol.name, ident=ident),
                 )
 
-    def reflow_variable_types(self, type_constraints: set, func_typevar, var_to_typevar: dict, codegen):
+    def reflow_variable_types(
+        self, type_constraints: dict[TypeVariable, set[TypeConstraint]], func_typevar, var_to_typevar: dict, codegen
+    ):
         """
         Re-run type inference on an existing variable recovery result, then rerun codegen to generate new results.
 
@@ -605,7 +612,9 @@ class Decompiler(Analysis):
                     var = arg.variable
                     new_type = var_manager.get_variable_type(var)
                     if new_type is not None:
-                        self.func.prototype.args[i] = new_type
+                        self.func.prototype.args = (
+                            self.func.prototype.args[:i] + (new_type,) + self.func.prototype.args[i + 1 :]
+                        )
         except Exception:  # pylint:disable=broad-except
             l.warning(
                 "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True

angr/analyses/decompiler/dephication/graph_vvar_mapping.py

@@ -283,14 +283,12 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
 
     @staticmethod
     def _prepend_stmt(block, stmt):
-        # TODO: This insertion breaks the assumption that all phi statements appear before any assignments. We must
-        # TODO: fix the assumption elsewhere in the code base.
-        first_nonlabel_idx = len(block.statements)
+        first_nonlabel_nonphi_idx = len(block.statements)
         for i, s in enumerate(block.statements):
-            if not isinstance(s, Label):
-                first_nonlabel_idx = i
+            if not isinstance(s, Label) and not is_phi_assignment(s):
+                first_nonlabel_nonphi_idx = i
                 break
-        block.statements.insert(first_nonlabel_idx, stmt)
+        block.statements.insert(first_nonlabel_nonphi_idx, stmt)
 
     @staticmethod
     def _used_in_phi(dst_block, src_block, vvar_id: int) -> bool:

angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py

@@ -4,6 +4,7 @@ import logging
 
 import ailment
 
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 _l = logging.getLogger(name=__name__)
@@ -62,11 +63,16 @@ class BasePointerSaveSimplifier(OptimizationPass):
             return
 
         # update the first block
-        block, stmt_idx, _ = save_stmt
+        block, stmt_idx, save_dst = save_stmt
         block_copy = block.copy()
         block_copy.statements.pop(stmt_idx)
         self._update_block(block, block_copy)
 
+        # update stack_items
+        self.stack_items[save_dst.stack_offset] = StackItem(
+            save_dst.stack_offset, save_dst.size, "saved_bp", StackItemType.SAVED_BP
+        )
+
         # update all endpoint blocks
         if restore_stmts:
             for block, stmt_idx, _ in restore_stmts:
@@ -74,7 +80,7 @@ class BasePointerSaveSimplifier(OptimizationPass):
                 block_copy.statements.pop(stmt_idx)
                 self._update_block(block, block_copy)
 
-    def _find_baseptr_save_stmt(self):
+    def _find_baseptr_save_stmt(self) -> tuple[ailment.Block, int, ailment.Expr.VirtualVariable] | None:
         """
         Find the AIL statement that saves the base pointer to a stack slot.
 

angr/analyses/decompiler/optimization_passes/condition_constprop.py

@@ -1,4 +1,5 @@
 from __future__ import annotations
+from typing import TYPE_CHECKING
 
 import networkx
 
@@ -6,9 +7,14 @@ from ailment import AILBlockWalker, Block
 from ailment.statement import ConditionalJump, Statement
 from ailment.expression import Const, BinaryOp, VirtualVariable
 
-from angr.analyses.decompiler.region_identifier import RegionIdentifier
+from angr.analyses.decompiler.utils import first_nonlabel_nonphi_statement
+from angr.utils.graph import dominates
+from angr.utils.timing import timethis
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
+if TYPE_CHECKING:
+    from angr.analyses.s_reaching_definitions import SRDAModel
+
 
 class ConstantCondition:
     """
@@ -78,6 +84,7 @@ class ConditionConstantPropagation(OptimizationPass):
             return False, None
         return True, {"cconds": cconds}
 
+    @timethis
     def _analyze(self, cache=None):
         if not cache or cache.get("cconds", None) is None:  # noqa: SIM108
             cconds = self._find_const_conditions()
@@ -98,23 +105,27 @@ class ConditionConstantPropagation(OptimizationPass):
         # calculate a dominance frontier for each block
         entry_node_addr, entry_node_idx = self.entry_node_addr
         entry_node = self._get_block(entry_node_addr, idx=entry_node_idx)
-        df = networkx.algorithms.dominance_frontiers(self._graph, entry_node)
+        idoms = networkx.algorithms.immediate_dominators(self._graph, entry_node)
+        rda: SRDAModel = self.project.analyses.SReachingDefinitions(self._func, func_graph=self._graph).model
 
         for src, cconds in cconds_by_src.items():
             head_block = self._get_block(src[0], idx=src[1])
             if head_block is None:
                 continue
-            frontier = df.get(head_block)
-            if frontier is None:
-                continue
-            graph_slice = RegionIdentifier.slice_graph(self._graph, head_block, frontier, include_frontier=False)
-            for ccond in cconds:
-                walker = CCondPropBlockWalker(ccond.vvar_id, ccond.value)
-                for block in graph_slice:
-                    new_block = walker.walk(block)
-                    if new_block is not None:
-                        self._update_block(block, new_block)
 
+            for ccond in cconds:
+                for _, loc in rda.all_vvar_uses[rda.varid_to_vvar[ccond.vvar_id]]:
+                    loc_block = self._get_block(loc.block_addr, idx=loc.block_idx)
+                    if loc_block is None:
+                        continue
+                    if dominates(idoms, head_block, loc_block):
+                        # the constant condition dominates the use site
+                        walker = CCondPropBlockWalker(ccond.vvar_id, ccond.value)
+                        new_block = walker.walk(loc_block)
+                        if new_block is not None:
+                            self._update_block(loc_block, new_block)
+
+    @timethis
     def _find_const_conditions(self) -> list[ConstantCondition]:
         cconds = []
 
@@ -122,28 +133,46 @@ class ConditionConstantPropagation(OptimizationPass):
             if block.statements:
                 last_stmt = block.statements[-1]
                 if (
-                    not isinstance(last_stmt, ConditionalJump)
-                    or not isinstance(last_stmt.true_target, Const)
-                    or not isinstance(last_stmt.false_target, Const)
+                    isinstance(last_stmt, ConditionalJump)
+                    and isinstance(last_stmt.true_target, Const)
+                    and isinstance(last_stmt.false_target, Const)
                 ):
-                    continue
-
-                if isinstance(last_stmt.condition, BinaryOp):
-                    cond = last_stmt.condition
-                    op = cond.op
-                    op0, op1 = cond.operands
-                    if isinstance(op0, Const):
-                        op0, op1 = op1, op0
-                    if isinstance(op0, VirtualVariable) and isinstance(op1, Const) and op1.is_int:
-                        if op == "CmpEQ":
-                            ccond = ConstantCondition(
-                                op0.varid, op1, last_stmt.true_target.value, last_stmt.true_target_idx  # type: ignore
-                            )
-                            cconds.append(ccond)
-                        elif op == "CmpNE":
-                            ccond = ConstantCondition(
-                                op0.varid, op1, last_stmt.false_target.value, last_stmt.false_target_idx  # type: ignore
-                            )
-                            cconds.append(ccond)
+                    self._extract_const_condition_from_stmt(last_stmt, cconds)
+                else:
+                    # also check the first non-phi statement; rep stos may generate blocks whose conditional checks
+                    # are at the beginning of the block
+
+                    # we could have used is_head_controlled_loop_block, but at this point the block is simplified enough
+                    # that the first non-label, non-phi statement must be a ConditionalJump that controls the execution
+                    # of the loop body, so the following logic should work fine.
+
+                    first_stmt = first_nonlabel_nonphi_statement(block)
+                    if (
+                        first_stmt is not last_stmt
+                        and isinstance(first_stmt, ConditionalJump)
+                        and isinstance(first_stmt.true_target, Const)
+                        and isinstance(first_stmt.false_target, Const)
+                    ):
+                        self._extract_const_condition_from_stmt(first_stmt, cconds)
 
         return cconds
+
+    @staticmethod
+    def _extract_const_condition_from_stmt(stmt: ConditionalJump, cconds: list[ConstantCondition]) -> None:
+        if isinstance(stmt.condition, BinaryOp):
+            cond = stmt.condition
+            op = cond.op
+            op0, op1 = cond.operands
+            if isinstance(op0, Const):
+                op0, op1 = op1, op0
+            if isinstance(op0, VirtualVariable) and isinstance(op1, Const) and op1.is_int:
+                if op == "CmpEQ":
+                    ccond = ConstantCondition(
+                        op0.varid, op1, stmt.true_target.value, stmt.true_target_idx  # type: ignore
+                    )
+                    cconds.append(ccond)
+                elif op == "CmpNE":
+                    ccond = ConstantCondition(
+                        op0.varid, op1, stmt.false_target.value, stmt.false_target_idx  # type: ignore
+                    )
+                    cconds.append(ccond)

angr/analyses/decompiler/optimization_passes/duplication_reverter/duplication_reverter.py

@@ -950,7 +950,9 @@ class DuplicationReverter(StructuringOptimizationPass):
     #
 
     def _share_subregion(self, blocks: list[Block]) -> bool:
-        return any(all(block.addr in region for block in blocks) for region in self._ri.regions_by_block_addrs)
+        return any(
+            all((block.addr, block.idx) in region for block in blocks) for region in self._ri.regions_by_block_addrs
+        )
 
     def _is_valid_candidate(self, b0, b1):
         # blocks must have statements

angr/analyses/decompiler/optimization_passes/flip_boolean_cmp.py

@@ -6,7 +6,11 @@ import ailment
 from ailment.expression import Op
 
 from angr.analyses.decompiler.structuring.structurer_nodes import ConditionNode
-from angr.analyses.decompiler.utils import structured_node_is_simple_return, sequence_to_statements
+from angr.analyses.decompiler.utils import (
+    structured_node_is_simple_return,
+    sequence_to_statements,
+    structured_node_has_multi_predecessors,
+)
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
 from .optimization_pass import SequenceOptimizationPass, OptimizationPassStage
 
@@ -43,7 +47,22 @@ class FlipBooleanWalker(SequenceWalker):
                 and structured_node_is_simple_return(seq_node.nodes[idx + 1], self._graph)
                 and node not in type1_condition_nodes
             ):
-                type2_condition_nodes.append((idx, node, seq_node.nodes[idx + 1]))
+                # Type 2: Special Filter:
+                # consider code that looks like the following:
+                # {if (cond) {LABEL: ... } return;}; goto LABEL;
+                #
+                # if we were to do the normal flip, this happens:
+                # {if (!cond) return; LABEL: ...}; goto LABEL;
+                #
+                # This is incorrect because we've now created an infinite loop in the event that cond is false,
+                # which is not what the original code was. The gist here is that you can't ever flip these cases
+                # in the presence of more than one incoming edge to `...` region.
+                #
+                # To eliminate this illegal case, we simply need to find all the condition nodes of the above structure
+                # that have multiple incoming edges to the `...` region.
+                illegal_flip = structured_node_has_multi_predecessors(node.true_node, self._graph)
+                if not illegal_flip:
+                    type2_condition_nodes.append((idx, node, seq_node.nodes[idx + 1]))
 
         for node in type1_condition_nodes:
             if isinstance(node.condition, Op) and structured_node_is_simple_return(node.false_node, self._graph):

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -7,7 +7,7 @@ import networkx
 
 from ailment import Block, AILBlockWalkerBase
 from ailment.statement import ConditionalJump, Label, Assignment, Jump
-from ailment.expression import Expression, BinaryOp, Const, Load
+from ailment.expression import VirtualVariable, Expression, BinaryOp, Const, Load
 
 from angr.utils.graph import GraphUtils
 from angr.analyses.decompiler.utils import first_nonlabel_nonphi_statement, remove_last_statement
@@ -216,7 +216,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
     def _analyze(self, cache=None):
         variablehash_to_cases = self._find_cascading_switch_variable_comparisons()
 
-        if not variablehash_to_cases:
+        if not variablehash_to_cases or all(not caselists for caselists in variablehash_to_cases.values()):
             return False
 
         graph_copy = networkx.DiGraph(self._graph)
@@ -257,6 +257,24 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     _l.debug("Skipping switch-case conversion due to too few distinct cases for %s", real_cases[0])
                     continue
 
+                # RULE 4: the default case should not reach other case nodes in the subregion
+                default_addr_and_idx = next(
+                    ((case.target, case.target_idx) for case in cases if case.value == "default"), None
+                )
+                if default_addr_and_idx is None:
+                    continue
+                default_addr, default_idx = default_addr_and_idx
+                default_node = self._get_block(default_addr, idx=default_idx)
+                default_reachable_from_case = False
+                for case in cases:
+                    if case.value == "default":
+                        continue
+                    if self._node_reachable_from_node_in_region(case.original_node, default_node):
+                        default_reachable_from_case = True
+                        break
+                if default_reachable_from_case:
+                    continue
+
                 original_nodes = [case.original_node for case in real_cases]
                 original_head: Block = original_nodes[0]
                 original_nodes = original_nodes[1:]
@@ -320,6 +338,10 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                             node_to_heads[succ].add(new_head)
                     graph_copy.remove_node(onode)
                 for onode in redundant_nodes:
+                    if onode in original_nodes:
+                        # sometimes they overlap
+                        # e.g., 0x402cc7 in mv_-O2
+                        continue
                     # ensure all nodes that are only reachable from onode are also removed
                     # FIXME: Remove the entire path of nodes instead of only the immediate successors
                     successors = list(graph_copy.successors(onode))
@@ -396,6 +418,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
             default_case_candidates = {}
             last_comp = None
             stack = [(head, 0, 0xFFFF_FFFF_FFFF_FFFF)]
+            head_varhash = variable_comparisons[head][1]
 
             # cursed: there is an infinite loop in the following loop that
             # occurs rarely. we need to keep track of the nodes we've seen
@@ -418,12 +441,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     next_addr,
                     next_addr_idx,
                 ) = variable_comparisons[comp]
-                last_varhash = cases[-1].variable_hash if cases else None
 
                 if op == "eq":
                     # eq always indicates a new case
 
-                    if last_varhash is None or last_varhash == variable_hash:
+                    if head_varhash == variable_hash:
                         if target == comp.addr and target_idx == comp.idx:
                             # invalid
                             break
@@ -443,9 +465,10 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                         # new variable!
                         if last_comp is not None and comp.addr not in default_case_candidates:
                             default_case_candidates[comp.addr] = Case(
-                                last_comp, None, last_varhash, None, "default", comp.addr, comp.idx, None
+                                last_comp, None, head_varhash, None, "default", comp.addr, comp.idx, None
                             )
-                        break
+                            break
+                        continue
 
                     successors = [succ for succ in self._graph.successors(comp) if succ is not comp]
                     succ_addrs = {(succ.addr, succ.idx) for succ in successors}
@@ -505,7 +528,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     # gt always indicates new subtrees
                     gt_addr, gt_idx, le_addr, le_idx = target, target_idx, next_addr, next_addr_idx
                     # TODO: We don't yet support gt nodes acting as the head of a switch
-                    if last_varhash is not None and last_varhash == variable_hash:
+                    if head_varhash == variable_hash:
                         successors = [succ for succ in self._graph.successors(comp) if succ is not comp]
                         succ_addrs = {(succ.addr, succ.idx) for succ in successors}
                         if succ_addrs != {(gt_addr, gt_idx), (le_addr, le_idx)}:
@@ -526,21 +549,34 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                             le_added = True
                         if gt_added or le_added:
                             if not le_added:
-                                if le_addr not in default_case_candidates:
+                                # if min_ + 1 == value, it means we actually have another case! it's not a default case
+                                if min_ + 1 == value:
+                                    cases.append(
+                                        Case(comp, comp_type, variable_hash, expr, min_ + 1, le_addr, le_idx, None)
+                                    )
+                                    used_nodes.add(comp)
+                                elif le_addr not in default_case_candidates:
                                     default_case_candidates[le_addr] = Case(
                                         comp, None, variable_hash, expr, "default", le_addr, le_idx, None
                                     )
-                            elif not gt_added and gt_addr not in default_case_candidates:
-                                default_case_candidates[gt_addr] = Case(
-                                    comp, None, variable_hash, expr, "default", gt_addr, gt_idx, None
-                                )
+                            if not gt_added:
+                                # likewise, this means we have another non-default case
+                                if value == max_:
+                                    cases.append(
+                                        Case(comp, comp_type, variable_hash, expr, max_, gt_addr, gt_idx, None)
+                                    )
+                                    used_nodes.add(comp)
+                                elif gt_addr not in default_case_candidates:
+                                    default_case_candidates[gt_addr] = Case(
+                                        comp, None, variable_hash, expr, "default", gt_addr, gt_idx, None
+                                    )
                             extra_cmp_nodes.append(comp)
                             used_nodes.add(comp)
                         else:
                             break
                     else:
                         # checking on a new variable... it probably was not a switch-case
-                        break
+                        continue
 
             if cases and len(default_case_candidates) <= 1:
                 if default_case_candidates:
@@ -606,6 +642,27 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
 
         return varhash_to_caselists
 
+    def _node_reachable_from_node_in_region(self, to_node, from_node) -> bool:
+        # find the region that contains the to_node
+        to_node_region = None
+        from_node_region = None
+        for region in self._ri.regions_by_block_addrs:
+            if (to_node.addr, to_node.idx) in region:
+                to_node_region = region
+            if (from_node.addr, from_node.idx) in region:
+                from_node_region = region
+
+        if to_node_region is None or from_node_region is None:
+            return False
+        if to_node_region != from_node_region:
+            return False
+
+        # get a subgraph
+        all_nodes = [self._get_block(a, idx=idx) for a, idx in to_node_region]
+        subgraph = self._graph.subgraph(all_nodes)
+
+        return networkx.has_path(subgraph, from_node, to_node)
+
     @staticmethod
     def _find_switch_variable_comparison_type_a(
         node,
@@ -625,7 +682,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                 )
             ):
                 cond = stmt.condition
-                if isinstance(cond, BinaryOp) and isinstance(cond.operands[1], Const):
+                if (
+                    isinstance(cond, BinaryOp)
+                    and isinstance(cond.operands[0], VirtualVariable)
+                    and isinstance(cond.operands[1], Const)
+                ):
                     variable_hash = StableVarExprHasher(cond.operands[0]).hash
                     value = cond.operands[1].value
                     if cond.op == "CmpEQ":
@@ -672,7 +733,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                 )
             ):
                 cond = stmt.condition
-                if isinstance(cond, BinaryOp) and isinstance(cond.operands[1], Const):
+                if (
+                    isinstance(cond, BinaryOp)
+                    and isinstance(cond.operands[0], VirtualVariable)
+                    and isinstance(cond.operands[1], Const)
+                ):
                     variable_hash = StableVarExprHasher(cond.operands[0]).hash
                     value = cond.operands[1].value
                     if cond.op == "CmpEQ":
@@ -719,7 +784,11 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                 )
             ):
                 cond = stmt.condition
-                if isinstance(cond, BinaryOp) and isinstance(cond.operands[1], Const):
+                if (
+                    isinstance(cond, BinaryOp)
+                    and isinstance(cond.operands[0], VirtualVariable)
+                    and isinstance(cond.operands[1], Const)
+                ):
                     variable_hash = StableVarExprHasher(cond.operands[0]).hash
                     value = cond.operands[1].value
                     op = cond.op

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -1,8 +1,9 @@
 # pylint:disable=unused-argument
 from __future__ import annotations
 import logging
-from typing import Any, TYPE_CHECKING
+from collections import namedtuple
 from collections.abc import Generator
+from typing import Any, TYPE_CHECKING
 from enum import Enum
 
 import networkx
@@ -10,6 +11,7 @@ import networkx
 import ailment
 
 from angr.analyses.decompiler import RegionIdentifier
+from angr.analyses.decompiler.ailgraph_walker import AILGraphWalker
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.goto_manager import Goto, GotoManager
 from angr.analyses.decompiler.structuring import RecursiveStructurer, SAILRStructurer
@@ -19,11 +21,15 @@ from angr.project import Project
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.functions import Function
+    from angr.analyses.decompiler.stack_item import StackItem
 
 
 _l = logging.getLogger(__name__)
 
 
+BlockCache = namedtuple("BlockCache", ("rd", "prop"))
+
+
 class MultipleBlocksException(Exception):
     """
     An exception that is raised in _get_block() where multiple blocks satisfy the criteria but only one block was
@@ -130,6 +136,7 @@ class OptimizationPass(BaseOptimizationPass):
         complete_successors: bool = False,
         avoid_vvar_ids: set[int] | None = None,
         arg_vvars: set[int] | None = None,
+        peephole_optimizations=None,
         **kwargs,
     ):
         super().__init__(func)
@@ -150,9 +157,11 @@ class OptimizationPass(BaseOptimizationPass):
         self._force_loop_single_exit = force_loop_single_exit
         self._complete_successors = complete_successors
         self._avoid_vvar_ids = avoid_vvar_ids or set()
+        self._peephole_optimizations = peephole_optimizations
 
         # output
         self.out_graph: networkx.DiGraph | None = None
+        self.stack_items: dict[int, StackItem] = {}
 
     @property
     def blocks_by_addr(self) -> dict[int, set[ailment.Block]]:
@@ -267,9 +276,77 @@ class OptimizationPass(BaseOptimizationPass):
     def _is_sub(expr):
         return isinstance(expr, ailment.Expr.BinaryOp) and expr.op == "Sub"
 
+    def _simplify_blocks(
+        self,
+        ail_graph: networkx.DiGraph,
+        cache: dict | None = None,
+    ):
+        """
+        Simplify all blocks in self._blocks.
+
+        :param ail_graph:               The AIL function graph.
+        :param cache:                   A block-level cache that stores reaching definition analysis results and
+                                        propagation results.
+        :return:                        None
+        """
+
+        blocks_by_addr_and_idx: dict[tuple[int, int | None], ailment.Block] = {}
+
+        for ail_block in ail_graph.nodes():
+            simplified = self._simplify_block(
+                ail_block,
+                cache=cache,
+            )
+            key = ail_block.addr, ail_block.idx
+            blocks_by_addr_and_idx[key] = simplified
+
+        # update blocks_map to allow node_addr to node lookup
+        def _replace_node_handler(node):
+            key = node.addr, node.idx
+            if key in blocks_by_addr_and_idx:
+                return blocks_by_addr_and_idx[key]
+            return None
+
+        AILGraphWalker(ail_graph, _replace_node_handler, replace_nodes=True).walk()
+
+        return ail_graph
+
+    def _simplify_block(self, ail_block, cache=None):
+        """
+        Simplify a single AIL block.
+
+        :param ailment.Block ail_block: The AIL block to simplify.
+        :return:                        A simplified AIL block.
+        """
+
+        cached_rd, cached_prop = None, None
+        cache_item = None
+        cache_key = ail_block.addr, ail_block.idx
+        if cache:
+            cache_item = cache.get(cache_key, None)
+            if cache_item:
+                # cache hit
+                cached_rd = cache_item.rd
+                cached_prop = cache_item.prop
+
+        simp = self.project.analyses.AILBlockSimplifier(
+            ail_block,
+            self._func.addr,
+            peephole_optimizations=self._peephole_optimizations,
+            cached_reaching_definitions=cached_rd,
+            cached_propagator=cached_prop,
+        )
+        # update the cache
+        if cache is not None:
+            if cache_item:
+                del cache[cache_key]
+            cache[cache_key] = BlockCache(simp._reaching_definitions, simp._propagator)
+        return simp.result_block
+
     def _simplify_graph(self, graph):
         MAX_SIMP_ITERATION = 8
         for _ in range(MAX_SIMP_ITERATION):
+            self._simplify_blocks(graph)
             simp = self.project.analyses.AILSimplifier(
                 self._func,
                 func_graph=graph,