angr 9.2.140__py3-none-win_amd64.whl → 9.2.142__py3-none-win_amd64.whl

angr/analyses/decompiler/region_simplifiers/expr_folding.py

@@ -36,19 +36,21 @@ class StatementLocation(LocationBase):
     __slots__ = (
         "block_addr",
         "block_idx",
+        "phi_stmt",
         "stmt_idx",
     )
 
-    def __init__(self, block_addr, block_idx, stmt_idx):
+    def __init__(self, block_addr, block_idx, stmt_idx, phi_stmt: bool = False):
         self.block_addr = block_addr
         self.block_idx = block_idx
         self.stmt_idx = stmt_idx
+        self.phi_stmt = phi_stmt
 
     def __repr__(self):
-        return f"Loc: Statement@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}"
+        return f"Loc: Statement@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}{' phi' if self.phi_stmt else ''}"
 
     def __hash__(self):
-        return hash((StatementLocation, self.block_addr, self.block_idx, self.stmt_idx))
+        return hash((StatementLocation, self.block_addr, self.block_idx, self.stmt_idx, self.phi_stmt))
 
     def __eq__(self, other):
         return (
@@ -56,10 +58,11 @@ class StatementLocation(LocationBase):
             and self.block_addr == other.block_addr
             and self.block_idx == other.block_idx
             and self.stmt_idx == other.stmt_idx
+            and self.phi_stmt == other.phi_stmt
         )
 
     def copy(self):
-        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx)
+        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx, phi_stmt=self.phi_stmt)
 
 
 class ExpressionLocation(LocationBase):
@@ -71,23 +74,28 @@ class ExpressionLocation(LocationBase):
         "block_addr",
         "block_idx",
         "expr_idx",
+        "phi_stmt",
         "stmt_idx",
     )
 
-    def __init__(self, block_addr, block_idx, stmt_idx, expr_idx):
+    def __init__(self, block_addr, block_idx, stmt_idx, expr_idx, phi_stmt: bool = False):
         self.block_addr = block_addr
         self.block_idx = block_idx
         self.stmt_idx = stmt_idx
         self.expr_idx = expr_idx
+        self.phi_stmt = phi_stmt
 
     def __repr__(self):
-        return f"Loc: Expression@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}[{self.expr_idx}]"
+        return (
+            f"Loc: Expression@{self.block_addr:x}.{self.block_idx}-{self.stmt_idx}[{self.expr_idx}]"
+            f"{'phi' if self.phi_stmt else ''}"
+        )
 
     def statement_location(self) -> StatementLocation:
-        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx)
+        return StatementLocation(self.block_addr, self.block_idx, self.stmt_idx, phi_stmt=self.phi_stmt)
 
     def __hash__(self):
-        return hash((ExpressionLocation, self.block_addr, self.block_idx, self.stmt_idx, self.expr_idx))
+        return hash((ExpressionLocation, self.block_addr, self.block_idx, self.stmt_idx, self.expr_idx, self.phi_stmt))
 
     def __eq__(self, other):
         return (
@@ -96,6 +104,7 @@ class ExpressionLocation(LocationBase):
             and self.block_idx == other.block_idx
             and self.stmt_idx == other.stmt_idx
             and self.expr_idx == other.expr_idx
+            and self.phi_stmt == other.phi_stmt
         )
 
 
@@ -201,7 +210,18 @@ class ExpressionUseFinder(AILBlockWalker):
         if isinstance(expr, ailment.Expr.VirtualVariable) and expr.was_reg:
             if not (isinstance(stmt, ailment.Stmt.Assignment) and stmt.dst is expr):
                 if block is not None:
-                    self.uses[expr.varid].add((expr, ExpressionLocation(block.addr, block.idx, stmt_idx, expr_idx)))
+                    self.uses[expr.varid].add(
+                        (
+                            expr,
+                            ExpressionLocation(
+                                block.addr,
+                                block.idx,
+                                stmt_idx,
+                                expr_idx,
+                                phi_stmt=stmt is not None and is_phi_assignment(stmt),
+                            ),
+                        )
+                    )
                 else:
                     self.uses[expr.varid].add((expr, None))
             return None
@@ -239,11 +259,7 @@ class ExpressionCounter(SequenceWalker):
         if isinstance(stmt, ailment.Stmt.Assignment):
             if is_phi_assignment(stmt):
                 return
-            if (
-                isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_reg
-                and stmt.dst.variable is not None
-            ):
+            if isinstance(stmt.dst, ailment.Expr.VirtualVariable) and stmt.dst.was_reg:
                 # dependency
                 dependency_finder = ExpressionUseFinder()
                 dependency_finder.walk_expression(stmt.src)
@@ -260,7 +276,6 @@ class ExpressionCounter(SequenceWalker):
             isinstance(stmt, ailment.Stmt.Call)
             and isinstance(stmt.ret_expr, ailment.Expr.VirtualVariable)
             and stmt.ret_expr.was_reg
-            and stmt.ret_expr.variable is not None
         ):
             dependency_finder = ExpressionUseFinder()
             dependency_finder.walk_expression(stmt)
@@ -279,8 +294,7 @@ class ExpressionCounter(SequenceWalker):
         use_finder = ExpressionUseFinder()
         for idx, stmt in enumerate(node.statements):
             self._handle_Statement(idx, stmt, node)
-            if not is_phi_assignment(stmt):
-                use_finder.walk_statement(stmt)
+            use_finder.walk_statement(stmt, block=node)
 
         for varid, content in use_finder.uses.items():
             if varid not in self.uses:
@@ -407,7 +421,7 @@ class InterferenceChecker(SequenceWalker):
             the_call = None
             if isinstance(stmt, Assignment) and isinstance(stmt.src, ailment.Stmt.Call):
                 the_call = stmt.src
-            elif isinstance(stmt, ailment.Stmt.Call):
+            elif isinstance(stmt, ailment.Stmt.Call) and not isinstance(stmt.target, str):
                 the_call = stmt
             if the_call is not None:
                 spotter.walk_expression(the_call.target)

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -116,10 +116,13 @@ class RegionSimplifier(Analysis):
         for var, uses in expr_counter.uses.items():
             if len(uses) == 1 and var in expr_counter.assignments and len(expr_counter.assignments[var]) == 1:
                 definition, deps, loc, has_loads = next(iter(expr_counter.assignments[var]))
+                _, use_expr_loc = next(iter(uses))
+                if isinstance(use_expr_loc, ExpressionLocation) and use_expr_loc.phi_stmt:
+                    # we cannot fold expressions that are used in phi statements
+                    continue
                 if has_loads:
                     # the definition has at least one load expression. we need to ensure there are no store statements
                     # between the definition site and the use site
-                    _, use_expr_loc = next(iter(uses))
                     if isinstance(use_expr_loc, ExpressionLocation):
                         use_loc = use_expr_loc.statement_location()
                     else:

angr/analyses/decompiler/ssailification/rewriting.py

@@ -8,21 +8,20 @@ import networkx
 
 import ailment
 from ailment import Block
-from ailment.expression import Expression, Phi, VirtualVariable, VirtualVariableCategory
-from ailment.statement import Statement, Assignment, Label
+from ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
+from ailment.statement import Assignment, Label
 
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
-from angr.analyses.forward_analysis.visitors.graph import NodeType
 from angr.analyses.forward_analysis import FunctionGraphVisitor
-from .rewriting_engine import SimEngineSSARewriting
+from angr.utils.ail import is_head_controlled_loop_block
+from .rewriting_engine import SimEngineSSARewriting, DefExprType, AT
 from .rewriting_state import RewritingState
 
-
 l = logging.getLogger(__name__)
 
 
-class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object]):
+class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, object]):
     """
     RewritingAnalysis traverses the AIL graph, inserts phi nodes, and rewrites all expression uses to virtual variables
     when necessary.
@@ -37,7 +36,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         bp_as_gpr: bool,
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
-        stackvar_locs: dict[int, int],
+        stackvar_locs: dict[int, set[int]],
         rewrite_tmps: bool,
         ail_manager,
         func_args: set[VirtualVariable],
@@ -72,10 +71,22 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         self._visited_blocks: set[Any] = set()
         self.out_blocks = {}
         self.out_states = {}
+        # loop_states stores states at the beginning of a loop block *after a loop iteration*, where the block is the
+        # following:
+        #    0x4036df | t4 = (rcx<8> == 0x0<64>)
+        #    0x4036df | if (t4) { Goto 0x4036e2<64> } else { Goto 0x4036df<64> }
+        #    0x4036df | STORE(addr=t3, data=t2, size=8, endness=Iend_LE, guard=None)
+        #    0x4036df | rdi<8> = t8
+        #
+        self.head_controlled_loop_outstates = {}
 
         self._analyze()
 
-        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = self._engine_ail.def_to_vvid
+        self.def_to_vvid: dict[tuple[int, int | None, int, DefExprType, AT], int] = self._engine_ail.def_to_vvid
+        # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
+        # actual stack variables. these secondary stack variables can be safely eliminated during dead assignment
+        # elimination if not used by anything else.
+        self.secondary_stackvars: set[int] = self._engine_ail.secondary_stackvars
         self.out_graph = self._make_new_graph(ail_graph)
 
     @property
@@ -174,24 +185,34 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         else:
             node.statements = node.statements[:idx] + phi_stmts + node.statements[idx:]
 
-    def _reg_predicate(self, node_, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
-        out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
+    def _reg_predicate(self, node_: Block, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
+        out_state: RewritingState = (
+            self.head_controlled_loop_outstates[(node_.addr, node_.idx)]
+            if is_head_controlled_loop_block(node_)
+            else self.out_states[(node_.addr, node_.idx)]
+        )
         if reg_offset in out_state.registers and reg_size in out_state.registers[reg_offset]:
-            if out_state.registers[reg_offset][reg_size] is None:
+            existing_var = out_state.registers[reg_offset][reg_size]
+            if existing_var is None:
                 # the vvar is not set. it should never be referenced
                 return True, None
-            vvar = out_state.registers[reg_offset][reg_size].copy()
+            vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
         return False, None
 
-    def _stack_predicate(self, node_, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
-        out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
+    def _stack_predicate(self, node_: Block, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
+        out_state: RewritingState = (
+            self.head_controlled_loop_outstates[(node_.addr, node_.idx)]
+            if is_head_controlled_loop_block(node_)
+            else self.out_states[(node_.addr, node_.idx)]
+        )
         if stack_offset in out_state.stackvars and stackvar_size in out_state.stackvars[stack_offset]:
-            if out_state.stackvars[stack_offset][stackvar_size] is None:
+            existing_var = out_state.stackvars[stack_offset][stackvar_size]
+            if existing_var is None:
                 # the vvar is not set. it should never be referenced
                 return True, None
-            vvar = out_state.stackvars[stack_offset][stackvar_size].copy()
+            vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
         return False, None
@@ -215,11 +236,14 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         )
         # update state with function arguments
         for func_arg in self._func_args:
-            if func_arg.oident[0] == VirtualVariableCategory.REGISTER:
-                reg_offset, reg_size = func_arg.oident[1], func_arg.size
+            if func_arg.parameter_category == VirtualVariableCategory.REGISTER:
+                reg_offset, reg_size = func_arg.parameter_reg_offset, func_arg.size
+                assert reg_offset is not None and reg_size is not None
                 state.registers[reg_offset][reg_size] = func_arg
-            elif func_arg.oident[0] == VirtualVariableCategory.STACK:
-                state.stackvars[func_arg.oident[1]][func_arg.size] = func_arg
+            elif func_arg.parameter_category == VirtualVariableCategory.STACK:
+                parameter_stack_offset: int = func_arg.oident[1]  # type: ignore
+                assert parameter_stack_offset is not None and func_arg.size is not None
+                state.stackvars[parameter_stack_offset][func_arg.size] = func_arg
         return state
 
     def _run_on_node(self, node, state: RewritingState):
@@ -254,18 +278,32 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         )
 
         self._visited_blocks.add(block_key)
-        self.out_states[block_key] = state
-
-        if state.out_block is not None:
-            assert state.out_block.addr == block.addr
-
-            if self.out_blocks.get(block_key, None) == state.out_block:
-                return True, state
-            self.out_blocks[block_key] = state.out_block
-            state.out_block = None
-            return True, state
-
-        return True, state
+        # get the output state (which is the input state for the successor node)
+        # if head_controlled_loop_outstate is set, then it is the output state of the successor node; in this case, the
+        # input state for the head-controlled loop block itself is out.state.
+        # otherwise (if head_controlled_loop_outstate is not set), engine.state is the input state of the successor
+        # node.
+        if engine.head_controlled_loop_outstate is None:
+            # this is a normal block
+            out_state = state
+        else:
+            # this is a head-controlled loop block
+            out_state = engine.head_controlled_loop_outstate
+            self.head_controlled_loop_outstates[block_key] = state
+        self.out_states[block_key] = out_state
+        # the final block is always in state
+        out_block = state.out_block
+
+        if out_block is not None:
+            assert out_block.addr == block.addr
+
+            if self.out_blocks.get(block_key, None) == out_block:
+                return True, out_state
+            self.out_blocks[block_key] = out_block
+            out_state.out_block = None
+            return True, out_state
+
+        return True, out_state
 
     def _intra_analysis(self):
         pass

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -1,7 +1,10 @@
 # pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
+from typing import Literal
 import logging
 
+from archinfo import Endness
+from ailment.block import Block
 from ailment.manager import Manager
 from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
@@ -22,6 +25,7 @@ from ailment.expression import (
     Reinterpret,
 )
 
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.engines.light.engine import SimEngineNostmtAIL
 from angr.utils.ssa import get_reg_offset_base_and_size
 from .rewriting_state import RewritingState
@@ -30,6 +34,10 @@ from .rewriting_state import RewritingState
 _l = logging.getLogger(__name__)
 
 
+DefExprType = atoms.Register | atoms.Tmp | atoms.MemoryLocation
+AT = Literal["l", "s"] | None
+
+
 class SimEngineSSARewriting(
     SimEngineNostmtAIL[RewritingState, Expression | None, Statement | tuple[Statement, ...], None]
 ):
@@ -38,6 +46,8 @@ class SimEngineSSARewriting(
     copies at each use location.
     """
 
+    state: RewritingState
+
     def __init__(
         self,
         project,
@@ -45,7 +55,7 @@ class SimEngineSSARewriting(
         sp_tracker,
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
-        stackvar_locs: dict[int, int],
+        stackvar_locs: dict[int, set[int]],
         ail_manager: Manager,
         vvar_id_start: int = 0,
         bp_as_gpr: bool = False,
@@ -55,12 +65,15 @@ class SimEngineSSARewriting(
 
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
-        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = {}
+        self.def_to_vvid: dict[tuple[int, int | None, int, DefExprType, AT], int] = {}
         self.stackvar_locs = stackvar_locs
         self.udef_to_phiid = udef_to_phiid
         self.phiid_to_loc = phiid_to_loc
         self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
+        self.head_controlled_loop_outstate: RewritingState | None = None
+
+        self.secondary_stackvars: set[int] = set()
 
         self._current_vvar_id = vvar_id_start
 
@@ -76,6 +89,12 @@ class SimEngineSSARewriting(
     # Handlers
     #
 
+    def process(
+        self, state: RewritingState, *, block: Block | None = None, whitelist: set[int] | None = None, **kwargs
+    ) -> None:
+        self.head_controlled_loop_outstate = None
+        super().process(state, block=block, whitelist=whitelist, **kwargs)
+
     def _top(self, bits):
         assert False, "Unreachable"
 
@@ -103,6 +122,7 @@ class SimEngineSSARewriting(
             elif stmt.dst.category == VirtualVariableCategory.STACK:
                 self.state.stackvars[stmt.dst.stack_offset][stmt.dst.size] = stmt.dst
             elif stmt.dst.category == VirtualVariableCategory.TMP:
+                assert stmt.dst.tmp_idx is not None
                 self.state.tmps[stmt.dst.tmp_idx] = stmt.dst
             new_dst = None
         else:
@@ -134,10 +154,11 @@ class SimEngineSSARewriting(
                     base_reg_vvar = self._replace_def_expr(
                         self.block.addr, self.block.idx, self.stmt_idx, base_reg_expr
                     )
+                    assert base_reg_vvar is not None
                     stmt_base_reg = Assignment(
                         self.ail_manager.next_atom(),
                         base_reg_vvar,
-                        self._reg_update_expr(
+                        self._partial_update_expr(
                             existing_base_reg_vvar, base_offset, base_size, new_dst, stmt.dst.reg_offset, stmt.dst.size
                         ),
                         **stmt.tags,
@@ -160,12 +181,40 @@ class SimEngineSSARewriting(
             return new_stmt
         return None
 
-    def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | None:
+    def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | tuple[Assignment, ...] | None:
         new_data = self._expr(stmt.data)
         if stmt.guard is None:
+            # the variable
             vvar = self._replace_def_store(self.block.addr, self.block.idx, self.stmt_idx, stmt)
             if vvar is not None:
-                return Assignment(stmt.idx, vvar, stmt.data if new_data is None else new_data, **stmt.tags)
+                assert isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int)
+
+                # remove everything else that overlaps with the full (base) stack variable
+                # the full stack variable is kept around because it's always updated immediately and will be used in
+                # case of partial stack variable update
+                self._clear_overlapping_stackvars(stmt.addr.offset, stmt.size, remove_base_stackvar=False)
+
+                data = stmt.data if new_data is None else new_data
+                vvar_assignment = Assignment(stmt.idx, vvar, data, **stmt.tags)
+
+                full_size = self._get_stack_var_full_size(stmt)
+                assert full_size is not None
+                if vvar.size >= full_size:
+                    return vvar_assignment
+
+                # update the full variable
+                existing_full_vvar = self._replace_use_load(Load(None, stmt.addr, full_size, stmt.endness))
+                vvar_full = self._replace_def_store(
+                    self.block.addr, self.block.idx, self.stmt_idx, stmt, force_size=full_size
+                )
+                if existing_full_vvar is not None and vvar_full is not None:
+                    self.secondary_stackvars.add(vvar_full.varid)
+                    full_data = self._partial_update_expr(
+                        existing_full_vvar, stmt.addr.offset, full_size, vvar, stmt.addr.offset, stmt.size
+                    )
+                    full_assignment = Assignment(stmt.idx, vvar_full, full_data, **stmt.tags)
+                    return vvar_assignment, full_assignment
+                return vvar_assignment
 
         # fall back to Store
         new_addr = self._expr(stmt.addr)
@@ -195,6 +244,11 @@ class SimEngineSSARewriting(
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
         new_false_target = self._expr(stmt.false_target) if stmt.false_target is not None else None
 
+        if self.stmt_idx != len(self.block.statements) - 1:
+            # the conditional jump is in the middle of the block (e.g., the block generated from lifting rep stosq).
+            # we need to make a copy of the state and use the state of this point in its successor
+            self.head_controlled_loop_outstate = self.state.copy()
+
         if new_cond is not None or new_true_target is not None or new_false_target is not None:
             return ConditionalJump(
                 stmt.idx,
@@ -210,7 +264,7 @@ class SimEngineSSARewriting(
     def _handle_stmt_Call(self, stmt: Call) -> Call | None:
         changed = False
 
-        new_target = self._replace_use_expr(stmt.target)
+        new_target = self._replace_use_expr(stmt.target) if not isinstance(stmt.target, str) else None
         new_ret_expr = (
             self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.ret_expr)
             if stmt.ret_expr is not None
@@ -275,7 +329,7 @@ class SimEngineSSARewriting(
         assert isinstance(dirty, DirtyExpression)
         return DirtyStatement(stmt.idx, dirty, **stmt.tags)
 
-    def _handle_expr_Register(self, expr: Register) -> VirtualVariable | None:
+    def _handle_expr_Register(self, expr: Register) -> VirtualVariable | Expression | None:
         return self._replace_use_reg(expr)
 
     def _handle_expr_Tmp(self, expr: Tmp) -> VirtualVariable | None:
@@ -460,9 +514,9 @@ class SimEngineSSARewriting(
     # Expression replacement
     #
 
-    def _reg_update_expr(
+    def _partial_update_expr(
         self,
-        existing_vvar: VirtualVariable,
+        existing_vvar: Expression,
         base_offset: int,
         base_size: int,
         new_vvar: VirtualVariable,
@@ -546,7 +600,7 @@ class SimEngineSSARewriting(
         """
 
         # get the virtual variable ID
-        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, atoms.Register(expr.reg_offset, expr.size), "s")
         return VirtualVariable(
             expr.idx,
             vvid,
@@ -578,32 +632,51 @@ class SimEngineSSARewriting(
             )
             self.state.registers[base_off][base_size] = vvar
             return vvar
-        return self.state.registers[base_off][base_size]
+        existing_var = self.state.registers[base_off][base_size]
+        assert existing_var is not None
+        return existing_var
+
+    def _get_stack_var_full_size(self, stmt: Store) -> int | None:
+        if (
+            isinstance(stmt.addr, StackBaseOffset)
+            and isinstance(stmt.addr.offset, int)
+            and stmt.addr.offset in self.stackvar_locs
+            and stmt.size in self.stackvar_locs[stmt.addr.offset]
+        ):
+            return max(self.stackvar_locs[stmt.addr.offset])
+        return None
 
     def _replace_def_store(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, stmt: Store, force_size: int | None = None
     ) -> VirtualVariable | None:
         if (
             isinstance(stmt.addr, StackBaseOffset)
             and isinstance(stmt.addr.offset, int)
             and stmt.addr.offset in self.stackvar_locs
-            and stmt.size == self.stackvar_locs[stmt.addr.offset]
+            and stmt.size in self.stackvar_locs[stmt.addr.offset]
         ):
-            vvar_id = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, stmt)
+            size = stmt.size if force_size is None else force_size
+            vvar_id = self.get_vvid_by_def(
+                block_addr,
+                block_idx,
+                stmt_idx,
+                atoms.MemoryLocation(stmt.addr.offset, size, Endness(stmt.endness)),
+                "s",
+            )
             vvar = VirtualVariable(
                 self.ail_manager.next_atom(),
                 vvar_id,
-                stmt.size * self.arch.byte_width,
+                size * self.arch.byte_width,
                 category=VirtualVariableCategory.STACK,
                 oident=stmt.addr.offset,
                 **stmt.tags,
             )
-            self.state.stackvars[stmt.addr.offset][stmt.size] = vvar
+            self.state.stackvars[stmt.addr.offset][size] = vvar
             return vvar
         return None
 
     def _replace_def_tmp(self, block_addr: int, block_idx: int | None, stmt_idx: int, expr: Tmp) -> VirtualVariable:
-        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, expr)
+        vvid = self.get_vvid_by_def(block_addr, block_idx, stmt_idx, atoms.Tmp(expr.tmp_idx, expr.size), "s")
         vvar = VirtualVariable(
             expr.idx,
             vvid,
@@ -615,7 +688,7 @@ class SimEngineSSARewriting(
         self.state.tmps[expr.tmp_idx] = vvar
         return vvar
 
-    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | None:
+    def _replace_use_expr(self, thing: Expression | Statement) -> VirtualVariable | Expression | None:
         """
         Return a new virtual variable for the given defined expression.
         """
@@ -670,7 +743,7 @@ class SimEngineSSARewriting(
                 elif reg_expr.size > existing_size:
                     # part of the variable exists... maybe it's a parameter?
                     vvar = self.state.registers[reg_expr.reg_offset][existing_size]
-                    if vvar.category == VirtualVariableCategory.PARAMETER:
+                    if vvar is not None and vvar.category == VirtualVariableCategory.PARAMETER:
                         # just zero-extend it
                         return Convert(
                             self.ail_manager.next_atom(),
@@ -698,7 +771,7 @@ class SimEngineSSARewriting(
             shift_amount = Const(
                 self.ail_manager.next_atom(),
                 None,
-                (reg_expr.reg_offset - vvar.oident) * self.arch.byte_width,
+                (reg_expr.reg_offset - vvar.reg_offset) * self.arch.byte_width,
                 8,
                 **reg_expr.tags,
             )
@@ -729,11 +802,17 @@ class SimEngineSSARewriting(
             isinstance(expr.addr, StackBaseOffset)
             and isinstance(expr.addr.offset, int)
             and expr.addr.offset in self.stackvar_locs
-            and expr.size == self.stackvar_locs[expr.addr.offset]
+            and expr.size in self.stackvar_locs[expr.addr.offset]
         ):
             if expr.size not in self.state.stackvars[expr.addr.offset]:
                 # create it on the fly
-                vvar_id = self.get_vvid_by_def(self.block.addr, self.block.idx, self.stmt_idx, expr)
+                vvar_id = self.get_vvid_by_def(
+                    self.block.addr,
+                    self.block.idx,
+                    self.stmt_idx,
+                    atoms.MemoryLocation(expr.addr.offset, expr.size, Endness(expr.endness)),
+                    "l",
+                )
                 return VirtualVariable(
                     self.ail_manager.next_atom(),
                     vvar_id,
@@ -783,9 +862,9 @@ class SimEngineSSARewriting(
     #
 
     def get_vvid_by_def(
-        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: Expression | Statement
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, thing: DefExprType, access_type: AT
     ) -> int:
-        key = block_addr, block_idx, stmt_idx, thing
+        key = block_addr, block_idx, stmt_idx, thing, access_type
         if key in self.def_to_vvid:
             return self.def_to_vvid[key]
         vvid = self.next_vvar_id()
@@ -802,6 +881,21 @@ class SimEngineSSARewriting(
                 else:
                     del self.state.registers[off]
 
+    def _clear_overlapping_stackvars(self, stack_offset: int, size: int, remove_base_stackvar: bool = True) -> None:
+        for off in range(stack_offset, stack_offset + size):
+            if off in self.state.stackvars:
+                if (
+                    not remove_base_stackvar
+                    and off in self.stackvar_locs
+                    and off == stack_offset
+                    and (base_size := max(self.stackvar_locs[off])) == size
+                    and base_size in self.state.stackvars[off]
+                ):
+                    if len(self.state.stackvars[off]) > 1:
+                        self.state.stackvars[off] = {base_size: self.state.stackvars[off][base_size]}
+                else:
+                    del self.state.stackvars[off]
+
     def _unreachable(self, *args, **kwargs):
         assert False