angr 9.2.142__py3-none-manylinux2014_aarch64.whl → 9.2.144__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/clinic.py

@@ -12,6 +12,7 @@ import networkx
 import capstone
 
 import ailment
+from angr import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
 
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
@@ -22,6 +23,7 @@ from angr.utils import timethis
 from angr.utils.graph import GraphUtils
 from angr.calling_conventions import SimRegArg, SimStackArg, SimFunctionArgument
 from angr.sim_type import (
+    dereference_simtype,
     SimTypeChar,
     SimTypeInt,
     SimTypeLongLong,
@@ -120,6 +122,7 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
+        max_type_constraints: int = 750,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -130,7 +133,7 @@ class Clinic(Analysis):
         self.cc_graph: networkx.DiGraph | None = None
         self.unoptimized_graph: networkx.DiGraph | None = None
         self.arg_list = None
-        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimRegArg]] | None = None
+        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, list[DataRefDesc]] = {}  # data address to data reference description
@@ -153,6 +156,7 @@ class Clinic(Analysis):
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
+        self._max_type_constraints = max_type_constraints
         self.vvar_id_start = vvar_id_start
         self.vvar_to_vvar: dict[int, int] | None = None
         # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
@@ -304,10 +308,10 @@ class Clinic(Analysis):
             self._update_progress(29.0, text="Recovering calling conventions (AIL mode)")
             self._recover_calling_conventions(func_graph=ail_graph)
 
-        return ail_graph
+        return self._apply_callsite_prototype_and_calling_convention(ail_graph)
 
     def _slice_variables(self, ail_graph):
-        assert self.variable_kb is not None
+        assert self.variable_kb is not None and self._desired_variables is not None
 
         nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
 
@@ -383,7 +387,7 @@ class Clinic(Analysis):
                     # replace the return statement with an assignment to the return register
                     blk.statements.pop(idx)
 
-                    if stmt.ret_exprs:
+                    if stmt.ret_exprs and self.project.arch.ret_offset is not None:
                         assign_to_retreg = ailment.Stmt.Assignment(
                             self._ail_manager.next_atom(),
                             ailment.Expr.Register(
@@ -430,14 +434,17 @@ class Clinic(Analysis):
         if callee_clinic.arg_vvars:
             for arg_idx in sorted(callee_clinic.arg_vvars.keys()):
                 param_vvar, reg_arg = callee_clinic.arg_vvars[arg_idx]
-                reg_offset = reg_arg.reg
-                stmt = ailment.Stmt.Assignment(
-                    self._ail_manager.next_atom(),
-                    param_vvar,
-                    ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
-                    ins_addr=caller_block.addr + caller_block.original_size,
-                )
-                caller_block.statements.append(stmt)
+                if isinstance(reg_arg, SimRegisterVariable):
+                    reg_offset = reg_arg.reg
+                    stmt = ailment.Stmt.Assignment(
+                        self._ail_manager.next_atom(),
+                        param_vvar,
+                        ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
+                        ins_addr=caller_block.addr + caller_block.original_size,
+                    )
+                    caller_block.statements.append(stmt)
+                else:
+                    raise NotImplementedError("Unsupported parameter type")
 
         ail_graph.add_edge(caller_block, callee_start)
 
@@ -669,6 +676,7 @@ class Clinic(Analysis):
         self._convert_all()
 
         # there must be at least one Load or one Store
+        assert self._blocks_by_addr_and_size is not None
         found_load_or_store = False
         for ail_block in self._blocks_by_addr_and_size.values():
             for stmt in ail_block.statements:
@@ -726,7 +734,7 @@ class Clinic(Analysis):
         self.arg_list = None
         self.variable_kb = None
         self.cc_graph = None
-        self.externs = None
+        self.externs = set()
         self.data_refs: dict[int, list[DataRefDesc]] = self._collect_data_refs(ail_graph)
 
     @staticmethod
@@ -754,7 +762,7 @@ class Clinic(Analysis):
         return graph_copy
 
     def copy_graph(self, graph=None) -> networkx.DiGraph:
-        return self._copy_graph(graph or self.graph)
+        return self._copy_graph(graph or self.graph)  # type:ignore
 
     @timethis
     def _set_function_graph(self):
@@ -765,6 +773,7 @@ class Clinic(Analysis):
         """
         Alignment blocks are basic blocks that only consist of nops. They should not be included in the graph.
         """
+        assert self._func_graph is not None
         for node in list(self._func_graph.nodes()):
             if self._func_graph.in_degree(node) == 0 and CFGBase._is_noop_block(
                 self.project.arch, self.project.factory.block(node.addr, node.size)
@@ -872,7 +881,7 @@ class Clinic(Analysis):
                     callsite_block_addr=callsite.addr,
                     callsite_insn_addr=callsite_ins_addr,
                     func_graph=func_graph,
-                    fail_fast=self._fail_fast,
+                    fail_fast=self._fail_fast,  # type:ignore
                 )
 
                 if cc.cc is not None and cc.prototype is not None:
@@ -953,6 +962,7 @@ class Clinic(Analysis):
 
         :return:    None
         """
+        assert self._func_graph is not None
 
         for block_node in self._func_graph.nodes():
             ail_block = self._convert(block_node)
@@ -1063,7 +1073,9 @@ class Clinic(Analysis):
                         self.project.hooked_by(successors[0].addr), UnresolvableCallTarget
                     ):
                         # found a single successor - replace the last statement
+                        assert isinstance(last_stmt.target, ailment.Expr.Expression)  # not a string
                         new_last_stmt = last_stmt.copy()
+                        assert isinstance(successors[0].addr, int)
                         new_last_stmt.target = ailment.Expr.Const(None, None, successors[0].addr, last_stmt.target.bits)
                         block.statements[-1] = new_last_stmt
 
@@ -1105,7 +1117,7 @@ class Clinic(Analysis):
                     if self.kb.functions.contains_addr(target_addr):
                         # replace the statement
                         target_func = self.kb.functions.get_by_addr(target_addr)
-                        if target_func.returning:
+                        if target_func.returning and self.project.arch.ret_offset is not None:
                             ret_reg_offset = self.project.arch.ret_offset
                             ret_expr = ailment.Expr.Register(
                                 None,
@@ -1136,6 +1148,74 @@ class Clinic(Analysis):
 
         return ail_graph
 
+    def _apply_callsite_prototype_and_calling_convention(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+        for block in ail_graph.nodes():
+            if not block.statements:
+                continue
+
+            last_stmt = block.statements[-1]
+            if not isinstance(last_stmt, ailment.Stmt.Call):
+                continue
+
+            cc = last_stmt.calling_convention
+            prototype = last_stmt.prototype
+            if cc and prototype:
+                continue
+
+            # manually-specified call-site prototype
+            has_callsite_prototype = self.kb.callsite_prototypes.has_prototype(block.addr)
+            if has_callsite_prototype:
+                manually_specified = self.kb.callsite_prototypes.get_prototype_type(block.addr)
+                if manually_specified:
+                    cc = self.kb.callsite_prototypes.get_cc(block.addr)
+                    prototype = self.kb.callsite_prototypes.get_prototype(block.addr)
+
+            # function-specific prototype
+            func = None
+            if cc is None or prototype is None:
+                target = None
+                if isinstance(last_stmt.target, ailment.Expr.Const):
+                    target = last_stmt.target.value
+
+                if target is not None and target in self.kb.functions:
+                    # function-specific logic when the calling target is known
+                    func = self.kb.functions[target]
+                    if func.prototype is None:
+                        func.find_declaration()
+                    cc = func.calling_convention
+                    prototype = func.prototype
+
+            # automatically recovered call-site prototype
+            if (cc is None or prototype is None) and has_callsite_prototype:
+                cc = self.kb.callsite_prototypes.get_cc(block.addr)
+                prototype = self.kb.callsite_prototypes.get_prototype(block.addr)
+
+            # ensure the prototype has been resolved
+            if prototype is not None and func is not None:
+                # make sure the function prototype is resolved.
+                # TODO: Cache resolved function prototypes globally
+                prototype_libname = func.prototype_libname
+                type_collections = []
+                if prototype_libname is not None:
+                    prototype_lib = SIM_LIBRARIES[prototype_libname]
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                if type_collections:
+                    prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
+                        self.project.arch
+                    )
+
+            if cc is None:
+                l.warning("Call site %#x (callee %s) has an unknown calling convention.", block.addr, repr(func))
+
+            new_last_stmt = last_stmt.copy()
+            new_last_stmt.calling_convention = cc
+            new_last_stmt.prototype = prototype
+            block.statements[-1] = new_last_stmt
+
+        return ail_graph
+
     @timethis
     def _make_ailgraph(self) -> networkx.DiGraph:
         return self._function_graph_to_ail_graph(self._func_graph)
@@ -1589,9 +1669,9 @@ class Clinic(Analysis):
         tmp_kb.functions = self.kb.functions
         vr = self.project.analyses.VariableRecoveryFast(
             self.function,  # pylint:disable=unused-variable
-            fail_fast=self._fail_fast,
+            fail_fast=self._fail_fast,  # type:ignore
             func_graph=ail_graph,
-            kb=tmp_kb,
+            kb=tmp_kb,  # type:ignore
             track_sp=False,
             func_args=arg_list,
             unify_variables=False,
@@ -1610,9 +1690,13 @@ class Clinic(Analysis):
         stackvar_max_sizes = var_manager.get_stackvar_max_sizes(self.stack_items)
         tv_max_sizes = {}
         for v, s in stackvar_max_sizes.items():
+            assert isinstance(v, SimStackVariable)
             if v in vr.var_to_typevars:
                 for tv in vr.var_to_typevars[v]:
                     tv_max_sizes[tv] = s
+            if v.offset in vr.stack_offset_typevars:
+                tv = vr.stack_offset_typevars[v.offset]
+                tv_max_sizes[tv] = s
         # clean up existing types for this function
         var_manager.remove_types()
         # TODO: Type inference for global variables
@@ -1624,35 +1708,49 @@ class Clinic(Analysis):
                     must_struct |= typevars
         else:
             must_struct = None
-        try:
-            tp = self.project.analyses.Typehoon(
-                vr.type_constraints,
-                vr.func_typevar,
-                kb=tmp_kb,
-                fail_fast=self._fail_fast,
-                var_mapping=vr.var_to_typevars,
-                must_struct=must_struct,
-                ground_truth=groundtruth,
-                stackvar_max_sizes=tv_max_sizes,
-            )
-            # tp.pp_constraints()
-            # tp.pp_solution()
-            tp.update_variable_types(
-                self.function.addr,
-                {v: t for v, t in vr.var_to_typevars.items() if isinstance(v, (SimRegisterVariable, SimStackVariable))},
-            )
-            tp.update_variable_types(
-                "global",
-                {
-                    v: t
-                    for v, t in vr.var_to_typevars.items()
-                    if isinstance(v, SimMemoryVariable) and not isinstance(v, SimStackVariable)
-                },
-            )
-        except Exception:  # pylint:disable=broad-except
-            l.warning(
-                "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True
+        total_type_constraints = sum(len(tc) for tc in vr.type_constraints.values()) if vr.type_constraints else 0
+        if total_type_constraints > self._max_type_constraints:
+            l.info(
+                "The number of type constraints (%d) is greater than the threshold (%d). Skipping type inference.",
+                total_type_constraints,
+                self._max_type_constraints,
             )
+        else:
+            try:
+                tp = self.project.analyses.Typehoon(
+                    vr.type_constraints,
+                    vr.func_typevar,
+                    kb=tmp_kb,
+                    fail_fast=self._fail_fast,
+                    var_mapping=vr.var_to_typevars,
+                    stack_offset_tvs=vr.stack_offset_typevars,
+                    must_struct=must_struct,
+                    ground_truth=groundtruth,
+                    stackvar_max_sizes=tv_max_sizes,
+                )
+                # tp.pp_constraints()
+                # tp.pp_solution()
+                tp.update_variable_types(
+                    self.function.addr,
+                    {
+                        v: t
+                        for v, t in vr.var_to_typevars.items()
+                        if isinstance(v, (SimRegisterVariable, SimStackVariable))
+                    },
+                    vr.stack_offset_typevars,
+                )
+                tp.update_variable_types(
+                    "global",
+                    {
+                        v: t
+                        for v, t in vr.var_to_typevars.items()
+                        if isinstance(v, SimMemoryVariable) and not isinstance(v, SimStackVariable)
+                    },
+                )
+            except Exception:  # pylint:disable=broad-except
+                l.warning(
+                    "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True
+                )
 
         # for any left-over variables, assign Bottom type (which will get "corrected" into a default type in
         # VariableManager)
@@ -1671,14 +1769,10 @@ class Clinic(Analysis):
             func_blocks=list(ail_graph),
         )
 
-        # Link variables to each statement
+        # Link variables and struct member information to every statement and expression
         for block in ail_graph.nodes():
             self._link_variables_on_block(block, tmp_kb)
 
-        # Link struct member info to Store statements
-        for block in ail_graph.nodes():
-            self._link_struct_member_info_on_block(block, tmp_kb)
-
         if self._cache is not None:
             self._cache.type_constraints = vr.type_constraints
             self._cache.func_typevar = vr.func_typevar
@@ -1686,22 +1780,6 @@ class Clinic(Analysis):
 
         return tmp_kb
 
-    def _link_struct_member_info_on_block(self, block, kb):
-        variable_manager = kb.variables[self.function.addr]
-        for stmt in block.statements:
-            if isinstance(stmt, ailment.Stmt.Store) and isinstance((var := stmt.variable), SimStackVariable):
-                offset = var.offset
-                if offset in variable_manager.stack_offset_to_struct_member_info:
-                    stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
-            elif (
-                isinstance(stmt, ailment.Stmt.Assignment)
-                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_stack
-            ):
-                offset = stmt.dst.stack_offset
-                if offset in variable_manager.stack_offset_to_struct_member_info:
-                    stmt.dst.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
-
     def _link_variables_on_block(self, block, kb):
         """
         Link atoms (AIL expressions) in the given block to corresponding variables identified previously.
@@ -1737,6 +1815,12 @@ class Clinic(Analysis):
                         )
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.data)
 
+                # link struct member info
+                if isinstance(stmt.variable, SimStackVariable):
+                    off = stmt.variable.offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
             elif stmt_type is ailment.Stmt.Assignment:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.src)
@@ -1804,6 +1888,11 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
+                if isinstance(expr, ailment.Expr.VirtualVariable) and expr.was_stack:
+                    off = expr.stack_offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
         elif type(expr) is ailment.Expr.Load:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) == 0:
@@ -1838,6 +1927,11 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
+                if isinstance(var, SimStackVariable):
+                    off = var.offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
         elif type(expr) is ailment.Expr.BinaryOp:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) >= 1:
@@ -2683,7 +2777,7 @@ class Clinic(Analysis):
     def _next_atom(self) -> int:
         return self._ail_manager.next_atom()
 
-    def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any] | None:
+    def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any]:
         if isinstance(addr, ailment.Expr.Const):
             return addr, 0
         if isinstance(addr, ailment.Expr.BinaryOp) and addr.op == "Add":

angr/analyses/decompiler/decompiler.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
 from collections.abc import Iterable
-from typing import Optional, Union, Any, TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 
 import networkx
 from cle import SymbolType
@@ -35,9 +35,9 @@ if TYPE_CHECKING:
 
 l = logging.getLogger(name=__name__)
 
-_PEEPHOLE_OPTIMIZATIONS_TYPE = Optional[
-    Iterable[Union[type["PeepholeOptimizationStmtBase"], type["PeepholeOptimizationExprBase"]]]
-]
+_PEEPHOLE_OPTIMIZATIONS_TYPE = (
+    Iterable[type["PeepholeOptimizationStmtBase"] | type["PeepholeOptimizationExprBase"]] | None
+)
 
 
 class Decompiler(Analysis):

angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py

@@ -16,7 +16,7 @@ class BasePointerSaveSimplifier(OptimizationPass):
     """
 
     ARCHES = ["X86", "AMD64", "ARMEL", "ARMHF", "ARMCortexM", "MIPS32", "MIPS64"]
-    PLATFORMS = ["cgc", "linux"]
+    PLATFORMS = None
     STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
     NAME = "Simplify base pointer saving"
     DESCRIPTION = __doc__.strip()

angr/analyses/decompiler/optimization_passes/condition_constprop.py

@@ -1,10 +1,11 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING
+from collections import defaultdict
 
 import networkx
 
 from ailment import AILBlockWalker, Block
-from ailment.statement import ConditionalJump, Statement
+from ailment.statement import ConditionalJump, Statement, Assignment
 from ailment.expression import Const, BinaryOp, VirtualVariable
 
 from angr.analyses.decompiler.utils import first_nonlabel_nonphi_statement
@@ -41,6 +42,7 @@ class CCondPropBlockWalker(AILBlockWalker):
         self._new_block: Block | None = None  # output
         self.vvar_id = vvar_id
         self.const_value = const_value
+        self.abort = False
 
     def walk(self, block: Block):
         self._new_block = None
@@ -48,6 +50,17 @@ class CCondPropBlockWalker(AILBlockWalker):
         return self._new_block
 
     def _handle_stmt(self, stmt_idx: int, stmt: Statement, block: Block):  # type: ignore
+        if self.abort:
+            return
+
+        if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable) and stmt.dst.varid == self.vvar_id:
+            # we see the assignment of this virtual variable; this is the original block that creates this variable
+            # and checks if this variable is equal to a constant value. as such, we stop processing this block.
+            # an example appears in binary 1de5cda760f9ed80bb6f4a35edcebc86ccec14c49cf4775ddf2ffc3e05ff35f4, function
+            # 0x4657C0, blocks 0x465bd6 and 0x465a5c
+            self.abort = True
+            return
+
         r = super()._handle_stmt(stmt_idx, stmt, block)
         if r is not None:
             # replace the original statement
@@ -58,7 +71,9 @@ class CCondPropBlockWalker(AILBlockWalker):
     def _handle_VirtualVariable(  # type: ignore
         self, expr_idx: int, expr: VirtualVariable, stmt_idx: int, stmt: Statement, block: Block | None
     ) -> Const | None:
-        if expr.varid == self.vvar_id:
+        if expr.varid == self.vvar_id and not (
+            isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable) and stmt.dst.varid == self.vvar_id
+        ):
             return Const(expr.idx, None, self.const_value.value, self.const_value.bits, **expr.tags)
         return None
 
@@ -80,19 +95,9 @@ class ConditionConstantPropagation(OptimizationPass):
 
     def _check(self):
         cconds = self._find_const_conditions()
-        if not cconds:
-            return False, None
-        return True, {"cconds": cconds}
-
-    @timethis
-    def _analyze(self, cache=None):
-        if not cache or cache.get("cconds", None) is None:  # noqa: SIM108
-            cconds = self._find_const_conditions()
-        else:
-            cconds = cache["cconds"]
 
         if not cconds:
-            return
+            return False, None
 
         # group cconds according to their sources
         cconds_by_src: dict[tuple[int, int | None], list[ConstantCondition]] = {}
@@ -102,6 +107,36 @@ class ConditionConstantPropagation(OptimizationPass):
                 cconds_by_src[src] = []
             cconds_by_src[src].append(ccond)
 
+        # eliminate conflicting conditions
+        for src in list(cconds_by_src):
+            cconds = cconds_by_src[src]
+            vvar_id_to_values = defaultdict(set)
+            ccond_dict = {}  # keyed by vvar_id; used for deduplication
+            for ccond in cconds:
+                vvar_id_to_values[ccond.vvar_id].add(ccond.value)
+                ccond_dict[ccond.vvar_id] = ccond
+            new_cconds = []
+            for vid, vvalues in vvar_id_to_values.items():
+                if len(vvalues) == 1:
+                    new_cconds.append(ccond_dict[vid])
+            if new_cconds:
+                cconds_by_src[src] = new_cconds
+            else:
+                del cconds_by_src[src]
+
+        if not cconds_by_src:
+            return False, None
+        return True, {"cconds_by_src": cconds_by_src}
+
+    @timethis
+    def _analyze(self, cache=None):
+        if not cache or cache.get("cconds_by_src", None) is None:
+            return
+        cconds_by_src = cache["cconds_by_src"]
+
+        if not cconds_by_src:
+            return
+
         # calculate a dominance frontier for each block
         entry_node_addr, entry_node_idx = self.entry_node_addr
         entry_node = self._get_block(entry_node_addr, idx=entry_node_idx)
@@ -114,7 +149,7 @@ class ConditionConstantPropagation(OptimizationPass):
                 continue
 
             for ccond in cconds:
-                for _, loc in rda.all_vvar_uses[rda.varid_to_vvar[ccond.vvar_id]]:
+                for _, loc in rda.all_vvar_uses[ccond.vvar_id]:
                     loc_block = self._get_block(loc.block_addr, idx=loc.block_idx)
                     if loc_block is None:
                         continue

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -192,6 +192,14 @@ class ITERegionConverter(OptimizationPass):
         if region_head not in self._graph or region_tail not in self._graph:
             return False
 
+        # ensure all phi statements in region_tail have valid source vvars
+        for stmt in region_tail.statements:
+            if not is_phi_assignment(stmt):
+                continue
+            for _, vvar in stmt.src.src_and_vvars:
+                if vvar is None:
+                    return False
+
         #
         # create a new region_head
         #

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -443,6 +443,11 @@ class StructuringOptimizationPass(OptimizationPass):
         """
         Wrapper for _analyze() that verifies the graph is structurable before and after the optimization.
         """
+        # replace the normal check in OptimizationPass.analyze()
+        ret, cache = self._check()
+        if not ret:
+            return
+
         if not self._graph_is_structurable(self._graph, initial=True):
             return
 
@@ -450,11 +455,6 @@ class StructuringOptimizationPass(OptimizationPass):
         if self._require_gotos and not self._initial_gotos:
             return
 
-        # replace the normal check in OptimizationPass.analyze()
-        ret, cache = self._check()
-        if not ret:
-            return
-
         # setup for the very first analysis
         self.out_graph = networkx.DiGraph(self._graph)
         if self._max_opt_iters > 1:

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -95,6 +95,7 @@ class ReturnDuplicatorBase:
         minimize_copies_for_regions: bool = True,
         ri: RegionIdentifier | None = None,
         scratch: dict[str, Any] | None = None,
+        max_func_blocks: int = 1500,
     ):
         self._max_calls_in_region = max_calls_in_regions
         self._minimize_copies_for_regions = minimize_copies_for_regions
@@ -105,6 +106,7 @@ class ReturnDuplicatorBase:
         self._func = func
         self._ri: RegionIdentifier | None = ri
         self.vvar_id_start = vvar_id_start
+        self._max_func_blocks = max_func_blocks
 
     def next_node_idx(self) -> int:
         node_idx = self.scratch.get("returndup_node_idx", 0) + 1
@@ -123,6 +125,9 @@ class ReturnDuplicatorBase:
     #
 
     def _check(self):
+        # is this function too large?
+        if len(self._func.block_addrs_set) > self._max_func_blocks:
+            return False, None
         # does this function have end points?
         return bool(self._func.endpoints), None
 

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -5,6 +5,7 @@ from .a_mul_const_div_shr_const import AMulConstDivShrConst
 from .a_shl_const_sub_a import AShlConstSubA
 from .a_sub_a_div import ASubADiv
 from .a_sub_a_div_const_mul_const import ASubADivConstMulConst
+from .a_sub_a_shr_const_shr_const import ASubAShrConstShrConst
 from .arm_cmpf import ARMCmpF
 from .bswap import Bswap
 from .coalesce_same_cascading_ifs import CoalesceSameCascadingIfs
@@ -57,6 +58,7 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     AMulConstSubA,
     ASubADiv,
     ASubADivConstMulConst,
+    ASubAShrConstShrConst,
     ARMCmpF,
     Bswap,
     CoalesceSameCascadingIfs,