angr 9.2.141__py3-none-manylinux2014_aarch64.whl → 9.2.143__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from collections.abc import Iterable
 import logging
@@ -7,6 +8,7 @@ import ailment
 
 from angr.calling_conventions import SimRegArg
 from angr.code_location import CodeLocation
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -82,6 +84,14 @@ class RegisterSaveAreaSimplifier(OptimizationPass):
             # update it
             self._update_block(old_block, new_block)
 
+        if updated_blocks:
+            # update stack_items
+            for data in info.values():
+                for stack_offset, _ in data["stored"]:
+                    self.stack_items[stack_offset] = StackItem(
+                        stack_offset, self.project.arch.bytes, "regs", StackItemType.SAVED_REGS
+                    )
+
     def _find_registers_stored_on_stack(self) -> list[tuple[int, int, CodeLocation]]:
         first_block = self._get_block(self._func.addr)
         if first_block is None:
@@ -94,14 +104,26 @@ class RegisterSaveAreaSimplifier(OptimizationPass):
                 isinstance(stmt, ailment.Stmt.Store)
                 and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
                 and isinstance(stmt.addr.offset, int)
-                and isinstance(stmt.data, ailment.Expr.VirtualVariable)
-                and stmt.data.was_reg
             ):
-                # it's storing registers to the stack!
-                stack_offset = stmt.addr.offset
-                reg_offset = stmt.data.reg_offset
-                codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
-                results.append((reg_offset, stack_offset, codeloc))
+                if isinstance(stmt.data, ailment.Expr.VirtualVariable) and stmt.data.was_reg:
+                    # it's storing registers to the stack!
+                    stack_offset = stmt.addr.offset
+                    reg_offset = stmt.data.reg_offset
+                    codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
+                    results.append((reg_offset, stack_offset, codeloc))
+                elif (
+                    self.project.arch.name == "AMD64"
+                    and isinstance(stmt.data, ailment.Expr.Convert)
+                    and isinstance(stmt.data.operand, ailment.Expr.VirtualVariable)
+                    and stmt.data.operand.was_reg
+                    and stmt.data.from_bits == 256
+                    and stmt.data.to_bits == 128
+                ):
+                    # storing xmm registers to the stack
+                    stack_offset = stmt.addr.offset
+                    reg_offset = stmt.data.operand.reg_offset
+                    codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
+                    results.append((reg_offset, stack_offset, codeloc))
 
         return results
 

angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py

@@ -6,6 +6,7 @@ import logging
 import ailment
 
 from angr.utils.bits import s2u
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -168,6 +169,11 @@ class StackCanarySimplifier(OptimizationPass):
             first_block_copy.statements.pop(stmt_idx)
             self._update_block(first_block, first_block_copy)
 
+            # update stack_items
+            self.stack_items[store_offset] = StackItem(
+                store_offset, canary_init_stmt.dst.size, "canary", StackItemType.STACK_CANARY
+            )
+
         # Done!
 
     def _find_canary_init_stmt(self):

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -7,6 +7,7 @@ import ailment
 import cle
 
 from angr.utils.funcid import is_function_security_check_cookie
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -62,7 +63,9 @@ class WinStackCanarySimplifier(OptimizationPass):
         first_block, canary_init_stmt_ids = init_stmts
         canary_init_stmt = first_block.statements[canary_init_stmt_ids[-1]]
         # where is the stack canary stored?
-        if not isinstance(canary_init_stmt.addr, ailment.Expr.StackBaseOffset):
+        if not isinstance(canary_init_stmt, ailment.Stmt.Store) or not isinstance(
+            canary_init_stmt.addr, ailment.Expr.StackBaseOffset
+        ):
             _l.debug(
                 "Unsupported canary storing location %s. Expects an ailment.Expr.StackBaseOffset.",
                 canary_init_stmt.addr,
@@ -143,6 +146,11 @@ class WinStackCanarySimplifier(OptimizationPass):
                 first_block_copy.statements.pop(stmt_idx)
             self._update_block(first_block, first_block_copy)
 
+            # update stack_items
+            self.stack_items[store_offset] = StackItem(
+                store_offset, canary_init_stmt.size, "canary", StackItemType.STACK_CANARY
+            )
+
     def _find_canary_init_stmt(self):
         first_block = self._get_block(self._func.addr)
         if first_block is None:

angr/analyses/decompiler/peephole_optimizations/simplify_pc_relative_loads.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from ailment.expression import BinaryOp, Const, Load
 
@@ -20,10 +21,23 @@ class SimplifyPcRelativeLoads(PeepholeOptimizationExprBase):
         if expr.op == "Add" and len(expr.operands) == 2 and isinstance(expr.operands[0], Load):
             op0, op1 = expr.operands
 
+            assert self.project is not None
+            if not hasattr(expr, "ins_addr"):
+                return expr
+            assert expr.ins_addr is not None
+
             # check if op1 is PC
-            if isinstance(op1, Const) and hasattr(expr, "ins_addr") and is_pc(self.project, expr.ins_addr, op1.value):
+            if (
+                isinstance(op1, Const)
+                and op1.is_int
+                and hasattr(expr, "ins_addr")
+                and is_pc(self.project, expr.ins_addr, op1.value)  # type: ignore
+                and isinstance(op0.addr, Const)
+                and op0.addr.is_int
+            ):
                 # check if op0.addr points to a read-only section
                 addr = op0.addr.value
+                assert isinstance(addr, int)
                 if is_in_readonly_section(self.project, addr) or is_in_readonly_segment(self.project, addr):
                     # found it!
                     # do the load first

angr/analyses/decompiler/region_identifier.py

@@ -11,7 +11,8 @@ from ailment.statement import ConditionalJump, Jump
 from ailment.expression import Const
 
 from angr.utils.graph import GraphUtils
-from angr.utils.graph import dfs_back_edges, subgraph_between_nodes, dominates, shallow_reverse
+from angr.utils.graph import dfs_back_edges, subgraph_between_nodes, dominates
+from angr.utils.doms import IncrementalDominators
 from angr.errors import AngrRuntimeError
 from angr.analyses import Analysis, register_analysis
 from .structuring.structurer_nodes import MultiNode, ConditionNode, IncompleteSwitchCaseHeadStatement
@@ -115,11 +116,11 @@ class RegionIdentifier(Analysis):
         @return: List of addr lists
         """
 
-        work_list = [self.region]
+        work_list: list[GraphRegion] = [self.region]  #  type: ignore
         block_only_regions = []
         seen_regions = set()
         while work_list:
-            children_regions = []
+            children_regions: list[GraphRegion] = []
             for region in work_list:
                 children_blocks = []
                 for node in region.graph.nodes:
@@ -234,7 +235,7 @@ class RegionIdentifier(Analysis):
                 break
 
     def _find_loop_headers(self, graph: networkx.DiGraph) -> list:
-        heads = {t for _, t in dfs_back_edges(graph, self._start_node)}
+        heads = list({t for _, t in dfs_back_edges(graph, self._start_node)})
         return GraphUtils.quasi_topological_sort_nodes(graph, heads)
 
     def _find_initial_loop_nodes(self, graph: networkx.DiGraph, head):
@@ -392,7 +393,7 @@ class RegionIdentifier(Analysis):
 
         while True:
             for node in networkx.dfs_postorder_nodes(graph):
-                preds = graph.predecessors(node)
+                preds = list(graph.predecessors(node))
                 if len(preds) == 1:
                     # merge the two nodes
                     self._absorb_node(graph, preds[0], node)
@@ -473,7 +474,7 @@ class RegionIdentifier(Analysis):
             head = next(iter(n for n in subgraph.nodes() if n.addr == head.addr))
             region.head = head
 
-        if len(graph.nodes()) == 1 and isinstance(next(iter(graph.nodes())), GraphRegion):
+        if len(graph) == 1 and isinstance(next(iter(graph.nodes())), GraphRegion):
             return next(iter(graph.nodes()))
         # create a large graph region
         new_head = self._get_start_node(graph)
@@ -491,6 +492,7 @@ class RegionIdentifier(Analysis):
         l.debug("Initial loop nodes %s", self._dbg_block_list(initial_loop_nodes))
 
         # Make sure no other loops are contained in the current loop
+        assert self._loop_headers is not None
         if {n for n in initial_loop_nodes if n.addr != head.addr}.intersection(self._loop_headers):
             return None
 
@@ -535,7 +537,7 @@ class RegionIdentifier(Analysis):
         region = self._abstract_cyclic_region(
             graph, refined_loop_nodes, head, normal_entries, abnormal_entries, normal_exit_node, abnormal_exit_nodes
         )
-        if len(region.successors) > 1 and self._force_loop_single_exit:
+        if region.successors is not None and len(region.successors) > 1 and self._force_loop_single_exit:
             # multi-successor region. refinement is required
             self._refine_loop_successors_to_guarded_successors(region, graph)
 
@@ -705,23 +707,20 @@ class RegionIdentifier(Analysis):
         else:
             dummy_endnode = None
 
-        # compute dominator tree
-        doms = networkx.immediate_dominators(graph_copy, head)
-
-        # compute post-dominator tree
-        inverted_graph = shallow_reverse(graph_copy)
-        postdoms = networkx.immediate_dominators(inverted_graph, endnodes[0])
-
-        # dominance frontiers
-        df = networkx.algorithms.dominance_frontiers(graph_copy, head)
+        # dominators and post-dominators, computed incrementally
+        doms = IncrementalDominators(graph_copy, head)
+        postdoms = IncrementalDominators(graph_copy, endnodes[0], post=True)
 
         # visit the nodes in post-order
-        for node in networkx.dfs_postorder_nodes(graph_copy, source=head):
+        region_created = False
+        for node in list(networkx.dfs_postorder_nodes(graph_copy, source=head)):
             if node is dummy_endnode:
                 # skip the dummy endnode
                 continue
             if cyclic and node is head:
                 continue
+            if node not in graph_copy:
+                continue
 
             out_degree = graph_copy.out_degree[node]
             if out_degree == 0:
@@ -740,10 +739,10 @@ class RegionIdentifier(Analysis):
 
             # test if this node is an entry to a single-entry, single-successor region
             levels = 0
-            postdom_node = postdoms.get(node, None)
+            postdom_node = postdoms.idom(node)
             while postdom_node is not None:
                 if (node, postdom_node) not in failed_region_attempts and self._check_region(
-                    graph_copy, node, postdom_node, doms, df
+                    graph_copy, node, postdom_node, doms
                 ):
                     frontier = [postdom_node]
                     region = self._compute_region(
@@ -752,6 +751,8 @@ class RegionIdentifier(Analysis):
                     if region is not None:
                         # update region.graph_with_successors
                         if secondary_graph is not None:
+                            assert region.graph_with_successors is not None
+                            assert region.successors is not None
                             if self._complete_successors:
                                 for nn in list(region.graph_with_successors.nodes):
                                     original_successors = secondary_graph.successors(nn)
@@ -782,52 +783,75 @@ class RegionIdentifier(Analysis):
                             graph, region, frontier, dummy_endnode=dummy_endnode, secondary_graph=secondary_graph
                         )
                         # assert dummy_endnode not in graph
-                        return True
+                        region_created = True
+                        # we created a new region to replace one or more nodes in the graph.
+                        replaced_nodes = set(region.graph)
+                        # update graph_copy; doms and postdoms are updated as well because they hold references to
+                        # graph_copy internally.
+                        if graph_copy is not graph:
+                            self._update_graph(graph_copy, region, replaced_nodes)
+                        doms.graph_updated(region, replaced_nodes, region.head)
+                        postdoms.graph_updated(region, replaced_nodes, region.head)
+                        # break out of the inner loop
+                        break
 
                 failed_region_attempts.add((node, postdom_node))
-                if not dominates(doms, node, postdom_node):
+                if not doms.dominates(node, postdom_node):
                     break
-                if postdom_node is postdoms.get(postdom_node, None):
+                if postdom_node is postdoms.idom(postdom_node):
                     break
-                postdom_node = postdoms.get(postdom_node, None)
+                postdom_node = postdoms.idom(postdom_node)
                 levels += 1
             # l.debug("Walked back %d levels in postdom tree and did not find anything for %r. Next.", levels, node)
 
-        return False
+        return region_created
 
     @staticmethod
-    def _check_region(graph, start_node, end_node, doms, df):
-        """
+    def _update_graph(graph: networkx.DiGraph, new_region, replaced_nodes: set) -> None:
+        region_in_edges = RegionIdentifier._region_in_edges(graph, new_region, data=True)
+        region_out_edges = RegionIdentifier._region_out_edges(graph, new_region, data=True)
+        for node in replaced_nodes:
+            graph.remove_node(node)
+        graph.add_node(new_region)
+        for src, _, data in region_in_edges:
+            graph.add_edge(src, new_region, **data)
+        for _, dst, data in region_out_edges:
+            graph.add_edge(new_region, dst, **data)
 
-        :param graph:
-        :param start_node:
-        :param end_node:
-        :param doms:
-        :param df:
-        :return:
+    @staticmethod
+    def _check_region(graph, start_node, end_node, doms) -> bool:
+        """
+        Determine the graph slice between start_node and end_node forms a good region.
         """
 
         # if the exit node is the header of a loop that contains the start node, the dominance frontier should only
         # contain the exit node.
-        if not dominates(doms, start_node, end_node):
-            frontier = df.get(start_node, set())
-            for node in frontier:
+        start_node_frontier = None
+        end_node_frontier = None
+
+        if not doms.dominates(start_node, end_node):
+            start_node_frontier = doms.df(start_node)
+            for node in start_node_frontier:
                 if node is not start_node and node is not end_node:
                     return False
 
         # no edges should enter the region.
-        for node in df.get(end_node, set()):
-            if dominates(doms, start_node, node) and node is not end_node:
+        end_node_frontier = doms.df(end_node)
+        for node in end_node_frontier:
+            if doms.dominates(start_node, node) and node is not end_node:
                 return False
 
+        if start_node_frontier is None:
+            start_node_frontier = doms.df(start_node)
+
         # no edges should leave the region.
-        for node in df.get(start_node, set()):
+        for node in start_node_frontier:
             if node is start_node or node is end_node:
                 continue
-            if node not in df.get(end_node, set()):
+            if node not in end_node_frontier:
                 return False
             for pred in graph.predecessors(node):
-                if dominates(doms, start_node, pred) and not dominates(doms, end_node, pred):
+                if doms.dominates(start_node, pred) and not doms.dominates(end_node, pred):
                     return False
 
         return True
@@ -978,14 +1002,13 @@ class RegionIdentifier(Analysis):
             subgraph_with_exits.add_edge(src, dst)
         region.graph = subgraph
         region.graph_with_successors = subgraph_with_exits
-        if normal_exit_node is not None:
-            region.successors = [normal_exit_node]
-        else:
-            region.successors = []
-        region.successors += list(abnormal_exit_nodes)
+        succs = [normal_exit_node] if normal_exit_node is not None else []
+        succs += list(abnormal_exit_nodes)
+        succs = sorted(set(succs), key=lambda x: x.addr)
+        region.successors = set(succs)
 
-        for succ_0 in region.successors:
-            for succ_1 in region.successors:
+        for succ_0 in succs:
+            for succ_1 in succs:
                 if succ_0 is not succ_1 and graph.has_edge(succ_0, succ_1):
                     region.graph_with_successors.add_edge(succ_0, succ_1)
 

angr/analyses/decompiler/sequence_walker.py

@@ -186,6 +186,14 @@ class SequenceWalker:
         new_condition = (
             self._handle(node.condition, parent=node, label="condition") if node.condition is not None else None
         )
+
+        # note that initializer and iterator are both statements, so they can return empty tuples
+        # TODO: Handle the case where multiple statements are returned
+        if new_initializer == ():
+            new_initializer = None
+        if new_iterator == ():
+            new_iterator = None
+
         seq_node = self._handle(node.sequence_node, parent=node, label="body", index=0)
         if seq_node is not None or new_initializer is not None or new_iterator is not None or new_condition is not None:
             return LoopNode(

angr/analyses/decompiler/ssailification/rewriting.py

@@ -14,10 +14,10 @@ from ailment.statement import Assignment, Label
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
 from angr.analyses.forward_analysis import FunctionGraphVisitor
+from angr.utils.ail import is_head_controlled_loop_block
 from .rewriting_engine import SimEngineSSARewriting, DefExprType, AT
 from .rewriting_state import RewritingState
 
-
 l = logging.getLogger(__name__)
 
 
@@ -71,6 +71,14 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
         self._visited_blocks: set[Any] = set()
         self.out_blocks = {}
         self.out_states = {}
+        # loop_states stores states at the beginning of a loop block *after a loop iteration*, where the block is the
+        # following:
+        #    0x4036df | t4 = (rcx<8> == 0x0<64>)
+        #    0x4036df | if (t4) { Goto 0x4036e2<64> } else { Goto 0x4036df<64> }
+        #    0x4036df | STORE(addr=t3, data=t2, size=8, endness=Iend_LE, guard=None)
+        #    0x4036df | rdi<8> = t8
+        #
+        self.head_controlled_loop_outstates = {}
 
         self._analyze()
 
@@ -177,8 +185,12 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
         else:
             node.statements = node.statements[:idx] + phi_stmts + node.statements[idx:]
 
-    def _reg_predicate(self, node_, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
-        out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
+    def _reg_predicate(self, node_: Block, *, reg_offset: int, reg_size: int) -> tuple[bool, Any]:
+        out_state: RewritingState = (
+            self.head_controlled_loop_outstates[(node_.addr, node_.idx)]
+            if is_head_controlled_loop_block(node_)
+            else self.out_states[(node_.addr, node_.idx)]
+        )
         if reg_offset in out_state.registers and reg_size in out_state.registers[reg_offset]:
             existing_var = out_state.registers[reg_offset][reg_size]
             if existing_var is None:
@@ -189,8 +201,12 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
             return True, vvar
         return False, None
 
-    def _stack_predicate(self, node_, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
-        out_state: RewritingState = self.out_states[(node_.addr, node_.idx)]
+    def _stack_predicate(self, node_: Block, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
+        out_state: RewritingState = (
+            self.head_controlled_loop_outstates[(node_.addr, node_.idx)]
+            if is_head_controlled_loop_block(node_)
+            else self.out_states[(node_.addr, node_.idx)]
+        )
         if stack_offset in out_state.stackvars and stackvar_size in out_state.stackvars[stack_offset]:
             existing_var = out_state.stackvars[stack_offset][stackvar_size]
             if existing_var is None:
@@ -262,18 +278,32 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
         )
 
         self._visited_blocks.add(block_key)
-        self.out_states[block_key] = state
-
-        if state.out_block is not None:
-            assert state.out_block.addr == block.addr
-
-            if self.out_blocks.get(block_key, None) == state.out_block:
-                return True, state
-            self.out_blocks[block_key] = state.out_block
-            state.out_block = None
-            return True, state
-
-        return True, state
+        # get the output state (which is the input state for the successor node)
+        # if head_controlled_loop_outstate is set, then it is the output state of the successor node; in this case, the
+        # input state for the head-controlled loop block itself is out.state.
+        # otherwise (if head_controlled_loop_outstate is not set), engine.state is the input state of the successor
+        # node.
+        if engine.head_controlled_loop_outstate is None:
+            # this is a normal block
+            out_state = state
+        else:
+            # this is a head-controlled loop block
+            out_state = engine.head_controlled_loop_outstate
+            self.head_controlled_loop_outstates[block_key] = state
+        self.out_states[block_key] = out_state
+        # the final block is always in state
+        out_block = state.out_block
+
+        if out_block is not None:
+            assert out_block.addr == block.addr
+
+            if self.out_blocks.get(block_key, None) == out_block:
+                return True, out_state
+            self.out_blocks[block_key] = out_block
+            out_state.out_block = None
+            return True, out_state
+
+        return True, out_state
 
     def _intra_analysis(self):
         pass

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -4,6 +4,7 @@ from typing import Literal
 import logging
 
 from archinfo import Endness
+from ailment.block import Block
 from ailment.manager import Manager
 from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
@@ -70,6 +71,7 @@ class SimEngineSSARewriting(
         self.phiid_to_loc = phiid_to_loc
         self.rewrite_tmps = rewrite_tmps
         self.ail_manager = ail_manager
+        self.head_controlled_loop_outstate: RewritingState | None = None
 
         self.secondary_stackvars: set[int] = set()
 
@@ -87,6 +89,12 @@ class SimEngineSSARewriting(
     # Handlers
     #
 
+    def process(
+        self, state: RewritingState, *, block: Block | None = None, whitelist: set[int] | None = None, **kwargs
+    ) -> None:
+        self.head_controlled_loop_outstate = None
+        super().process(state, block=block, whitelist=whitelist, **kwargs)
+
     def _top(self, bits):
         assert False, "Unreachable"
 
@@ -236,6 +244,11 @@ class SimEngineSSARewriting(
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
         new_false_target = self._expr(stmt.false_target) if stmt.false_target is not None else None
 
+        if self.stmt_idx != len(self.block.statements) - 1:
+            # the conditional jump is in the middle of the block (e.g., the block generated from lifting rep stosq).
+            # we need to make a copy of the state and use the state of this point in its successor
+            self.head_controlled_loop_outstate = self.state.copy()
+
         if new_cond is not None or new_true_target is not None or new_false_target is not None:
             return ConditionalJump(
                 stmt.idx,

angr/analyses/decompiler/stack_item.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+from enum import Enum
+
+
+class StackItemType(Enum):
+    """
+    Enum for the type of stack items.
+    """
+
+    UNKNOWN = 0
+    SAVED_BP = 1
+    SAVED_REGS = 2
+    ARGUMENT = 3
+    RET_ADDR = 4
+    STACK_CANARY = 5
+
+
+class StackItem:
+    """
+    A stack item describes a piece of data that is stored on the stack at a certain offset (usually negative).
+    """
+
+    offset: int
+    size: int
+    name: str
+    item_type: StackItemType
+
+    def __init__(self, offset: int, size: int, name: str, item_type: StackItemType = StackItemType.UNKNOWN):
+        self.offset = offset
+        self.size = size
+        self.name = name
+        self.item_type = item_type
+
+    def __repr__(self):
+        return f"<StackItem {self.name} {self.item_type!s} at {self.offset:#x} ({self.size}b)>"

angr/analyses/decompiler/structured_codegen/c.py

@@ -40,7 +40,7 @@ from angr.sim_variable import SimVariable, SimTemporaryVariable, SimStackVariabl
 from angr.utils.constants import is_alignment_mask
 from angr.utils.library import get_cpp_function_name
 from angr.utils.loader import is_in_readonly_segment, is_in_readonly_section
-from angr.utils.types import unpack_typeref, unpack_pointer
+from angr.utils.types import unpack_typeref, unpack_pointer_and_array
 from angr.analyses.decompiler.utils import structured_node_is_simple_return
 from angr.errors import UnsupportedNodeTypeError, AngrRuntimeError
 from angr.knowledge_plugins.cfg.memory_data import MemoryData, MemoryDataSort
@@ -539,6 +539,8 @@ class CFunction(CConstruct):  # pylint:disable=abstract-method
 
         if self.codegen.show_externs and self.codegen.cexterns:
             for v in sorted(self.codegen.cexterns, key=lambda v: str(v.variable.name)):
+                if v.variable not in self.variables_in_use:
+                    continue
                 varname = v.c_repr() if v.type is None else v.variable.name
                 yield "extern ", None
                 yield from type_to_c_repr_chunks(v.type, name=varname, name_type=v, full=False)
@@ -2581,7 +2583,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         # TODO store extern fallback size somewhere lol
         self.cexterns = {
-            self._variable(v, 1)
+            self._variable(v, 1, mark_used=False)
             for v in self.externs
             if v not in self._inlined_strings and v not in self._function_pointers
         }
@@ -2698,7 +2700,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             return _mapping.get(n)(signed=signed).with_arch(self.project.arch)
         return SimTypeNum(n, signed=signed).with_arch(self.project.arch)
 
-    def _variable(self, variable: SimVariable, fallback_type_size: int | None, vvar_id: int | None = None) -> CVariable:
+    def _variable(
+        self, variable: SimVariable, fallback_type_size: int | None, vvar_id: int | None = None, mark_used: bool = True
+    ) -> CVariable:
         # TODO: we need to fucking make sure that variable recovery and type inference actually generates a size
         # TODO: for each variable it links into the fucking ail. then we can remove fallback_type_size.
         unified = self._variable_kb.variables[self._func.addr].unified_variable(variable)
@@ -2710,7 +2714,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 (fallback_type_size or self.project.arch.bytes) * self.project.arch.byte_width
             )
         cvar = CVariable(variable, unified_variable=unified, variable_type=variable_type, codegen=self, vvar_id=vvar_id)
-        self._variables_in_use[variable] = cvar
+        if mark_used:
+            self._variables_in_use[variable] = cvar
         return cvar
 
     def _get_variable_reference(self, cvar: CVariable) -> CExpression:
@@ -2776,7 +2781,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         # expr must express a POINTER to the base
         # returns a value which has a simtype of data_type as if it were dereferenced out of expr
         data_type = unpack_typeref(data_type)
-        base_type = unpack_typeref(unpack_pointer(expr.type))
+        base_type = unpack_typeref(unpack_pointer_and_array(expr.type))
         if base_type is None:
             # well, not much we can do
             if data_type is None:
@@ -2899,7 +2904,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     ) -> CExpression:
         # same rule as _access_constant_offset wrt pointer expressions
         data_type = unpack_typeref(data_type)
-        base_type = unpack_pointer(expr.type)
+        base_type = unpack_pointer_and_array(expr.type)
         if base_type is None:
             # use the fallback from above
             return self._access_constant_offset(expr, 0, data_type, lvalue, renegotiate_type)
@@ -2959,7 +2964,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         kernel = None
         while i < len(terms):
             c, t = terms[i]
-            if isinstance(unpack_typeref(t.type), SimTypePointer):
+            if isinstance(unpack_typeref(t.type), (SimTypePointer, SimTypeArray)):
                 if kernel is not None:
                     l.warning("Summing two different pointers together. Uh oh!")
                     return bail_out()
@@ -2982,7 +2987,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         # suffering.
         while terms:
-            kernel_type = unpack_typeref(unpack_pointer(kernel.type))
+            kernel_type = unpack_typeref(unpack_pointer_and_array(kernel.type))
             assert kernel_type
 
             if kernel_type.size is None:
@@ -3049,7 +3054,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                     kernel = inner.operand
                 else:
                     kernel = CUnaryOp("Reference", inner, codegen=self)
-                if unpack_typeref(unpack_pointer(kernel.type)) == kernel_type:
+                if unpack_typeref(unpack_pointer_and_array(kernel.type)) == kernel_type:
                     # we are not making progress
                     pass
                 else: