angr 9.2.143__py3-none-macosx_11_0_arm64.whl → 9.2.145__py3-none-macosx_11_0_arm64.whl

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -1,7 +1,7 @@
 # pylint:disable=wrong-import-position,wrong-import-order
 from __future__ import annotations
 import enum
-from typing import TYPE_CHECKING, Any, Literal, cast
+from typing import TYPE_CHECKING, Literal, cast
 from collections.abc import Sequence
 from collections import defaultdict, OrderedDict
 import logging
@@ -16,7 +16,6 @@ from claripy.annotation import UninitializedAnnotation
 from angr import sim_options as o
 from angr import BP, BP_BEFORE, BP_AFTER
 from angr.misc.ux import once
-from angr.code_location import CodeLocation
 from angr.concretization_strategies import SimConcretizationStrategyAny
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.engines.vex.claripy import ccall
@@ -27,13 +26,11 @@ from angr.annocfg import AnnotatedCFG
 from angr.exploration_techniques.slicecutor import Slicecutor
 from angr.exploration_techniques.local_loop_seer import LocalLoopSeer
 from angr.exploration_techniques.explorer import Explorer
-from angr.project import Project
 from angr.utils.constants import DEFAULT_STATEMENT
-from angr.analyses.propagator.vex_vars import VEXReg
 from angr.analyses.propagator.top_checker_mixin import ClaripyDataVEXEngineMixin
 from angr.engines.vex.claripy.datalayer import value
 from .resolver import IndirectJumpResolver
-from .propagator_utils import PropagatorLoadCallback
+from .constant_value_manager import ConstantValueManager
 
 try:
     from angr.engines import pcode
@@ -41,7 +38,6 @@ except ImportError:
     pcode = None
 
 if TYPE_CHECKING:
-    from angr import SimState
     from angr.knowledge_plugins import Function
 
 l = logging.getLogger(name=__name__)
@@ -134,101 +130,6 @@ class JumpTargetBaseAddr:
         return self.base_addr is not None
 
 
-#
-# Constant register resolving support
-#
-
-
-class ConstantValueManager:
-    """
-    Manages the loading of registers who hold constant values.
-    """
-
-    __slots__ = (
-        "func",
-        "indirect_jump_addr",
-        "kb",
-        "mapping",
-        "project",
-    )
-
-    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
-        self.project = project
-        self.kb = kb
-        self.func = func
-        self.indirect_jump_addr = ij_addr
-
-        self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
-
-    def reg_read_callback(self, state: SimState):
-        if self.mapping is None:
-            self._build_mapping()
-            assert self.mapping is not None
-
-        codeloc = CodeLocation(state.scratch.bbl_addr, state.scratch.stmt_idx, ins_addr=state.scratch.ins_addr)
-        if codeloc in self.mapping:
-            reg_read_offset = state.inspect.reg_read_offset
-            if isinstance(reg_read_offset, claripy.ast.BV) and reg_read_offset.op == "BVV":
-                reg_read_offset = reg_read_offset.args[0]
-            variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
-            if variable in self.mapping[codeloc]:
-                v = self.mapping[codeloc][variable]
-                if isinstance(v, int):
-                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
-                state.inspect.reg_read_expr = v
-
-    def _build_mapping(self):
-        # constant propagation
-        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
-
-        # determine blocks to run FCP on
-
-        # - include at most three levels of superblock successors from the entrypoint
-        self.mapping = {}
-        startpoint = self.func.startpoint
-        if startpoint is None:
-            return
-
-        blocks = set()
-        succ_and_levels = [(startpoint, 0)]
-        while succ_and_levels:
-            new_succs = []
-            for node, level in succ_and_levels:
-                if node in blocks:
-                    continue
-                blocks.add(node)
-                if node.addr == self.indirect_jump_addr:
-                    # stop at the indirect jump block
-                    continue
-                for _, succ, data in self.func.graph.out_edges(node, data=True):
-                    new_level = level if data.get("type") == "fake_return" else level + 1
-                    if new_level <= 3:
-                        new_succs.append((succ, new_level))
-            succ_and_levels = new_succs
-
-        # - include at most six levels of predecessors from the indirect jump block
-        ij_block = self.func.get_node(self.indirect_jump_addr)
-        preds = [ij_block]
-        for _ in range(6):
-            new_preds = []
-            for node in preds:
-                if node in blocks:
-                    continue
-                blocks.add(node)
-                new_preds += list(self.func.graph.predecessors(node))
-            preds = new_preds
-            if not preds:
-                break
-
-        prop = self.project.analyses.FastConstantPropagation(
-            self.func,
-            blocks=blocks,
-            vex_cross_insn_opt=True,
-            load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-        )
-        self.mapping = prop.replacements
-
-
 #
 # Jump table pre-check
 #

angr/analyses/cfg/indirect_jump_resolvers/syscall_resolver.py

@@ -0,0 +1,92 @@
+from __future__ import annotations
+import contextlib
+from typing import TYPE_CHECKING
+import logging
+
+from angr import sim_options as o
+from angr import BP, BP_AFTER
+from angr.errors import (
+    AngrUnsupportedSyscallError,
+    SimOperationError,
+    SimError,
+)
+
+from .resolver import IndirectJumpResolver
+from .constant_value_manager import ConstantValueManager
+
+if TYPE_CHECKING:
+    from angr import Block
+    from angr.engines import SimSuccessors
+    from angr.sim_state import SimState
+    from angr.sim_procedure import SimProcedure
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class SyscallResolver(IndirectJumpResolver):
+    """
+    Resolve syscalls to SimProcedures.
+    """
+
+    def __init__(self, project):
+        super().__init__(project, timeless=True)
+
+    def filter(self, cfg, addr, func_addr, block, jumpkind):
+        return jumpkind.startswith("Ijk_Sys")
+
+    def resolve(  # pylint:disable=unused-argument
+        self, cfg, addr: int, func_addr: int, block: Block, jumpkind: str, func_graph_complete: bool = True, **kwargs
+    ):
+        stub = self._resolve_syscall_to_stub(cfg, addr, func_addr, block)
+        return (True, [stub.addr]) if stub else (False, [])
+
+    def _resolve_syscall_to_stub(self, cfg, addr: int, func_addr: int, block: Block) -> SimProcedure | None:
+        if not cfg.functions.contains_addr(func_addr):
+            return None
+        func = cfg.functions.get_by_addr(func_addr)
+
+        cv_manager = ConstantValueManager(self.project, cfg.kb, func, addr)
+        constant_value_reg_read_bp = BP(when=BP_AFTER, enabled=True, action=cv_manager.reg_read_callback)
+
+        state = self.project.factory.blank_state(
+            mode="fastpath",
+            addr=block.addr,
+            add_options={o.SYMBOL_FILL_UNCONSTRAINED_MEMORY, o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS},
+        )
+        state.inspect.add_breakpoint("reg_read", constant_value_reg_read_bp)
+
+        successors = self._simulate_block_with_resilience(state)
+        if successors:
+            state = self._get_syscall_state_from_successors(successors)
+            if state:
+                with contextlib.suppress(AngrUnsupportedSyscallError):
+                    return self.project.simos.syscall(state)
+        return None
+
+    def _simulate_block_with_resilience(self, state: SimState) -> SimSuccessors | None:
+        """
+        Execute a basic block with "On Error Resume Next". Give up when there is no way moving forward.
+        """
+
+        stmt_idx = 0
+        successors = None  # make PyCharm's linting happy
+
+        while True:
+            try:
+                successors = self.project.factory.successors(state, skip_stmts=stmt_idx)
+                break
+            except SimOperationError:
+                stmt_idx += 1
+                continue
+            except SimError:
+                return None
+
+        return successors
+
+    @staticmethod
+    def _get_syscall_state_from_successors(successors: SimSuccessors) -> SimState | None:
+        for state in successors.flat_successors:
+            if state.history.jumpkind and state.history.jumpkind.startswith("Ijk_Sys"):
+                return state
+        return None

angr/analyses/decompiler/ail_simplifier.py

@@ -1307,6 +1307,11 @@ class AILSimplifier(Analysis):
                 # check its predecessors
                 succ_predecessors = list(self.func_graph.predecessors(succ))
                 if len(succ_predecessors) == 1:
+                    if succ in lst:
+                        # we are about to form a loop - bad!
+                        # example: binary ce1897b492c80bf94083dd783aefb413ab1f6d8d4981adce8420f6669d0cb3e1, block
+                        # 0x2976EF7.
+                        break
                     lst.append(succ)
                 else:
                     break

angr/analyses/decompiler/clinic.py

@@ -12,6 +12,7 @@ import networkx
 import capstone
 
 import ailment
+from angr import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
 
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
@@ -22,6 +23,7 @@ from angr.utils import timethis
 from angr.utils.graph import GraphUtils
 from angr.calling_conventions import SimRegArg, SimStackArg, SimFunctionArgument
 from angr.sim_type import (
+    dereference_simtype,
     SimTypeChar,
     SimTypeInt,
     SimTypeLongLong,
@@ -120,6 +122,7 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
+        max_type_constraints: int = 750,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -130,7 +133,7 @@ class Clinic(Analysis):
         self.cc_graph: networkx.DiGraph | None = None
         self.unoptimized_graph: networkx.DiGraph | None = None
         self.arg_list = None
-        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimRegArg]] | None = None
+        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, list[DataRefDesc]] = {}  # data address to data reference description
@@ -153,6 +156,7 @@ class Clinic(Analysis):
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
+        self._max_type_constraints = max_type_constraints
         self.vvar_id_start = vvar_id_start
         self.vvar_to_vvar: dict[int, int] | None = None
         # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
@@ -304,10 +308,10 @@ class Clinic(Analysis):
             self._update_progress(29.0, text="Recovering calling conventions (AIL mode)")
             self._recover_calling_conventions(func_graph=ail_graph)
 
-        return ail_graph
+        return self._apply_callsite_prototype_and_calling_convention(ail_graph)
 
     def _slice_variables(self, ail_graph):
-        assert self.variable_kb is not None
+        assert self.variable_kb is not None and self._desired_variables is not None
 
         nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
 
@@ -383,7 +387,7 @@ class Clinic(Analysis):
                     # replace the return statement with an assignment to the return register
                     blk.statements.pop(idx)
 
-                    if stmt.ret_exprs:
+                    if stmt.ret_exprs and self.project.arch.ret_offset is not None:
                         assign_to_retreg = ailment.Stmt.Assignment(
                             self._ail_manager.next_atom(),
                             ailment.Expr.Register(
@@ -430,14 +434,17 @@ class Clinic(Analysis):
         if callee_clinic.arg_vvars:
             for arg_idx in sorted(callee_clinic.arg_vvars.keys()):
                 param_vvar, reg_arg = callee_clinic.arg_vvars[arg_idx]
-                reg_offset = reg_arg.reg
-                stmt = ailment.Stmt.Assignment(
-                    self._ail_manager.next_atom(),
-                    param_vvar,
-                    ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
-                    ins_addr=caller_block.addr + caller_block.original_size,
-                )
-                caller_block.statements.append(stmt)
+                if isinstance(reg_arg, SimRegisterVariable):
+                    reg_offset = reg_arg.reg
+                    stmt = ailment.Stmt.Assignment(
+                        self._ail_manager.next_atom(),
+                        param_vvar,
+                        ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
+                        ins_addr=caller_block.addr + caller_block.original_size,
+                    )
+                    caller_block.statements.append(stmt)
+                else:
+                    raise NotImplementedError("Unsupported parameter type")
 
         ail_graph.add_edge(caller_block, callee_start)
 
@@ -669,6 +676,7 @@ class Clinic(Analysis):
         self._convert_all()
 
         # there must be at least one Load or one Store
+        assert self._blocks_by_addr_and_size is not None
         found_load_or_store = False
         for ail_block in self._blocks_by_addr_and_size.values():
             for stmt in ail_block.statements:
@@ -726,7 +734,7 @@ class Clinic(Analysis):
         self.arg_list = None
         self.variable_kb = None
         self.cc_graph = None
-        self.externs = None
+        self.externs = set()
         self.data_refs: dict[int, list[DataRefDesc]] = self._collect_data_refs(ail_graph)
 
     @staticmethod
@@ -754,7 +762,7 @@ class Clinic(Analysis):
         return graph_copy
 
     def copy_graph(self, graph=None) -> networkx.DiGraph:
-        return self._copy_graph(graph or self.graph)
+        return self._copy_graph(graph or self.graph)  # type:ignore
 
     @timethis
     def _set_function_graph(self):
@@ -765,6 +773,7 @@ class Clinic(Analysis):
         """
         Alignment blocks are basic blocks that only consist of nops. They should not be included in the graph.
         """
+        assert self._func_graph is not None
         for node in list(self._func_graph.nodes()):
             if self._func_graph.in_degree(node) == 0 and CFGBase._is_noop_block(
                 self.project.arch, self.project.factory.block(node.addr, node.size)
@@ -872,7 +881,7 @@ class Clinic(Analysis):
                     callsite_block_addr=callsite.addr,
                     callsite_insn_addr=callsite_ins_addr,
                     func_graph=func_graph,
-                    fail_fast=self._fail_fast,
+                    fail_fast=self._fail_fast,  # type:ignore
                 )
 
                 if cc.cc is not None and cc.prototype is not None:
@@ -953,6 +962,7 @@ class Clinic(Analysis):
 
         :return:    None
         """
+        assert self._func_graph is not None
 
         for block_node in self._func_graph.nodes():
             ail_block = self._convert(block_node)
@@ -1063,7 +1073,9 @@ class Clinic(Analysis):
                         self.project.hooked_by(successors[0].addr), UnresolvableCallTarget
                     ):
                         # found a single successor - replace the last statement
+                        assert isinstance(last_stmt.target, ailment.Expr.Expression)  # not a string
                         new_last_stmt = last_stmt.copy()
+                        assert isinstance(successors[0].addr, int)
                         new_last_stmt.target = ailment.Expr.Const(None, None, successors[0].addr, last_stmt.target.bits)
                         block.statements[-1] = new_last_stmt
 
@@ -1105,7 +1117,7 @@ class Clinic(Analysis):
                     if self.kb.functions.contains_addr(target_addr):
                         # replace the statement
                         target_func = self.kb.functions.get_by_addr(target_addr)
-                        if target_func.returning:
+                        if target_func.returning and self.project.arch.ret_offset is not None:
                             ret_reg_offset = self.project.arch.ret_offset
                             ret_expr = ailment.Expr.Register(
                                 None,
@@ -1136,6 +1148,74 @@ class Clinic(Analysis):
 
         return ail_graph
 
+    def _apply_callsite_prototype_and_calling_convention(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+        for block in ail_graph.nodes():
+            if not block.statements:
+                continue
+
+            last_stmt = block.statements[-1]
+            if not isinstance(last_stmt, ailment.Stmt.Call):
+                continue
+
+            cc = last_stmt.calling_convention
+            prototype = last_stmt.prototype
+            if cc and prototype:
+                continue
+
+            # manually-specified call-site prototype
+            has_callsite_prototype = self.kb.callsite_prototypes.has_prototype(block.addr)
+            if has_callsite_prototype:
+                manually_specified = self.kb.callsite_prototypes.get_prototype_type(block.addr)
+                if manually_specified:
+                    cc = self.kb.callsite_prototypes.get_cc(block.addr)
+                    prototype = self.kb.callsite_prototypes.get_prototype(block.addr)
+
+            # function-specific prototype
+            func = None
+            if cc is None or prototype is None:
+                target = None
+                if isinstance(last_stmt.target, ailment.Expr.Const):
+                    target = last_stmt.target.value
+
+                if target is not None and target in self.kb.functions:
+                    # function-specific logic when the calling target is known
+                    func = self.kb.functions[target]
+                    if func.prototype is None:
+                        func.find_declaration()
+                    cc = func.calling_convention
+                    prototype = func.prototype
+
+            # automatically recovered call-site prototype
+            if (cc is None or prototype is None) and has_callsite_prototype:
+                cc = self.kb.callsite_prototypes.get_cc(block.addr)
+                prototype = self.kb.callsite_prototypes.get_prototype(block.addr)
+
+            # ensure the prototype has been resolved
+            if prototype is not None and func is not None:
+                # make sure the function prototype is resolved.
+                # TODO: Cache resolved function prototypes globally
+                prototype_libname = func.prototype_libname
+                type_collections = []
+                if prototype_libname is not None:
+                    prototype_lib = SIM_LIBRARIES[prototype_libname]
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                if type_collections:
+                    prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
+                        self.project.arch
+                    )
+
+            if cc is None:
+                l.warning("Call site %#x (callee %s) has an unknown calling convention.", block.addr, repr(func))
+
+            new_last_stmt = last_stmt.copy()
+            new_last_stmt.calling_convention = cc
+            new_last_stmt.prototype = prototype
+            block.statements[-1] = new_last_stmt
+
+        return ail_graph
+
     @timethis
     def _make_ailgraph(self) -> networkx.DiGraph:
         return self._function_graph_to_ail_graph(self._func_graph)
@@ -1589,9 +1669,9 @@ class Clinic(Analysis):
         tmp_kb.functions = self.kb.functions
         vr = self.project.analyses.VariableRecoveryFast(
             self.function,  # pylint:disable=unused-variable
-            fail_fast=self._fail_fast,
+            fail_fast=self._fail_fast,  # type:ignore
             func_graph=ail_graph,
-            kb=tmp_kb,
+            kb=tmp_kb,  # type:ignore
             track_sp=False,
             func_args=arg_list,
             unify_variables=False,
@@ -1610,9 +1690,13 @@ class Clinic(Analysis):
         stackvar_max_sizes = var_manager.get_stackvar_max_sizes(self.stack_items)
         tv_max_sizes = {}
         for v, s in stackvar_max_sizes.items():
+            assert isinstance(v, SimStackVariable)
             if v in vr.var_to_typevars:
                 for tv in vr.var_to_typevars[v]:
                     tv_max_sizes[tv] = s
+            if v.offset in vr.stack_offset_typevars:
+                tv = vr.stack_offset_typevars[v.offset]
+                tv_max_sizes[tv] = s
         # clean up existing types for this function
         var_manager.remove_types()
         # TODO: Type inference for global variables
@@ -1624,35 +1708,49 @@ class Clinic(Analysis):
                     must_struct |= typevars
         else:
             must_struct = None
-        try:
-            tp = self.project.analyses.Typehoon(
-                vr.type_constraints,
-                vr.func_typevar,
-                kb=tmp_kb,
-                fail_fast=self._fail_fast,
-                var_mapping=vr.var_to_typevars,
-                must_struct=must_struct,
-                ground_truth=groundtruth,
-                stackvar_max_sizes=tv_max_sizes,
-            )
-            # tp.pp_constraints()
-            # tp.pp_solution()
-            tp.update_variable_types(
-                self.function.addr,
-                {v: t for v, t in vr.var_to_typevars.items() if isinstance(v, (SimRegisterVariable, SimStackVariable))},
-            )
-            tp.update_variable_types(
-                "global",
-                {
-                    v: t
-                    for v, t in vr.var_to_typevars.items()
-                    if isinstance(v, SimMemoryVariable) and not isinstance(v, SimStackVariable)
-                },
-            )
-        except Exception:  # pylint:disable=broad-except
-            l.warning(
-                "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True
+        total_type_constraints = sum(len(tc) for tc in vr.type_constraints.values()) if vr.type_constraints else 0
+        if total_type_constraints > self._max_type_constraints:
+            l.info(
+                "The number of type constraints (%d) is greater than the threshold (%d). Skipping type inference.",
+                total_type_constraints,
+                self._max_type_constraints,
             )
+        else:
+            try:
+                tp = self.project.analyses.Typehoon(
+                    vr.type_constraints,
+                    vr.func_typevar,
+                    kb=tmp_kb,
+                    fail_fast=self._fail_fast,
+                    var_mapping=vr.var_to_typevars,
+                    stack_offset_tvs=vr.stack_offset_typevars,
+                    must_struct=must_struct,
+                    ground_truth=groundtruth,
+                    stackvar_max_sizes=tv_max_sizes,
+                )
+                # tp.pp_constraints()
+                # tp.pp_solution()
+                tp.update_variable_types(
+                    self.function.addr,
+                    {
+                        v: t
+                        for v, t in vr.var_to_typevars.items()
+                        if isinstance(v, (SimRegisterVariable, SimStackVariable))
+                    },
+                    vr.stack_offset_typevars,
+                )
+                tp.update_variable_types(
+                    "global",
+                    {
+                        v: t
+                        for v, t in vr.var_to_typevars.items()
+                        if isinstance(v, SimMemoryVariable) and not isinstance(v, SimStackVariable)
+                    },
+                )
+            except Exception:  # pylint:disable=broad-except
+                l.warning(
+                    "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True
+                )
 
         # for any left-over variables, assign Bottom type (which will get "corrected" into a default type in
         # VariableManager)
@@ -1671,14 +1769,10 @@ class Clinic(Analysis):
             func_blocks=list(ail_graph),
         )
 
-        # Link variables to each statement
+        # Link variables and struct member information to every statement and expression
         for block in ail_graph.nodes():
             self._link_variables_on_block(block, tmp_kb)
 
-        # Link struct member info to Store statements
-        for block in ail_graph.nodes():
-            self._link_struct_member_info_on_block(block, tmp_kb)
-
         if self._cache is not None:
             self._cache.type_constraints = vr.type_constraints
             self._cache.func_typevar = vr.func_typevar
@@ -1686,22 +1780,6 @@ class Clinic(Analysis):
 
         return tmp_kb
 
-    def _link_struct_member_info_on_block(self, block, kb):
-        variable_manager = kb.variables[self.function.addr]
-        for stmt in block.statements:
-            if isinstance(stmt, ailment.Stmt.Store) and isinstance((var := stmt.variable), SimStackVariable):
-                offset = var.offset
-                if offset in variable_manager.stack_offset_to_struct_member_info:
-                    stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
-            elif (
-                isinstance(stmt, ailment.Stmt.Assignment)
-                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_stack
-            ):
-                offset = stmt.dst.stack_offset
-                if offset in variable_manager.stack_offset_to_struct_member_info:
-                    stmt.dst.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
-
     def _link_variables_on_block(self, block, kb):
         """
         Link atoms (AIL expressions) in the given block to corresponding variables identified previously.
@@ -1737,6 +1815,12 @@ class Clinic(Analysis):
                         )
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.data)
 
+                # link struct member info
+                if isinstance(stmt.variable, SimStackVariable):
+                    off = stmt.variable.offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
             elif stmt_type is ailment.Stmt.Assignment:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.src)
@@ -1804,6 +1888,11 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
+                if isinstance(expr, ailment.Expr.VirtualVariable) and expr.was_stack:
+                    off = expr.stack_offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
         elif type(expr) is ailment.Expr.Load:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) == 0:
@@ -1838,6 +1927,11 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
+                if isinstance(var, SimStackVariable):
+                    off = var.offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
         elif type(expr) is ailment.Expr.BinaryOp:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) >= 1:
@@ -2683,7 +2777,7 @@ class Clinic(Analysis):
     def _next_atom(self) -> int:
         return self._ail_manager.next_atom()
 
-    def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any] | None:
+    def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any]:
         if isinstance(addr, ailment.Expr.Const):
             return addr, 0
         if isinstance(addr, ailment.Expr.BinaryOp) and addr.op == "Add":
@@ -2857,7 +2951,7 @@ class Clinic(Analysis):
                     if self.project.kb.functions.contains_addr(last_stmt.target.value)
                     else None
                 )
-                if func is not None and func.name == "__chkstk":
+                if func is not None and (func.name == "__chkstk" or func.info.get("is_alloca_probe", False) is True):
                     # get rid of this call
                     node.statements = node.statements[:-1]
                     if self.project.arch.call_pushes_ret and node.statements: