angr 9.2.146__py3-none-macosx_11_0_arm64.whl → 9.2.148__py3-none-macosx_11_0_arm64.whl

angr/analyses/cfg/cfg_base.py

@@ -17,7 +17,6 @@ from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 from angr.knowledge_plugins.functions.function_manager import FunctionManager
 from angr.knowledge_plugins.functions.function import Function
 from angr.knowledge_plugins.cfg import IndirectJump, CFGNode, CFGENode, CFGModel  # pylint:disable=unused-import
-from angr.misc.ux import deprecated
 from angr.procedures.stubs.UnresolvableJumpTarget import UnresolvableJumpTarget
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr.procedures.procedure_dict import SIM_PROCEDURES
@@ -354,64 +353,9 @@ class CFGBase(Analysis):
 
         raise NotImplementedError("I'm too lazy to implement it right now")
 
-    @deprecated(replacement="self.model.get_predecessors()")
-    def get_predecessors(self, cfgnode, excluding_fakeret=True, jumpkind=None):
-        return self._model.get_predecessors(cfgnode, excluding_fakeret=excluding_fakeret, jumpkind=jumpkind)
-
-    @deprecated(replacement="self.model.get_successors()")
-    def get_successors(self, node, excluding_fakeret=True, jumpkind=None):
-        return self._model.get_successors(node, excluding_fakeret=excluding_fakeret, jumpkind=jumpkind)
-
-    @deprecated(replacement="self.model.get_successors_and_jumpkind")
-    def get_successors_and_jumpkind(self, node, excluding_fakeret=True):
-        return self._model.get_successors_and_jumpkind(node, excluding_fakeret=excluding_fakeret)
-
-    @deprecated(replacement="self.model.get_all_predecessors()")
-    def get_all_predecessors(self, cfgnode, depth_limit=None):
-        return self._model.get_all_predecessors(cfgnode, depth_limit)
-
-    @deprecated(replacement="self.model.get_all_successors()")
-    def get_all_successors(self, cfgnode, depth_limit=None):
-        return self._model.get_all_successors(cfgnode, depth_limit)
-
-    @deprecated(replacement="self.model.get_node()")
-    def get_node(self, block_id):
-        return self._model.get_node(block_id)
-
-    @deprecated(replacement="self.model.get_any_node()")
-    def get_any_node(self, addr, is_syscall=None, anyaddr=False, force_fastpath=False):
-        return self._model.get_any_node(addr, is_syscall=is_syscall, anyaddr=anyaddr, force_fastpath=force_fastpath)
-
-    @deprecated(replacement="self.model.get_all_nodes()")
-    def get_all_nodes(self, addr, is_syscall=None, anyaddr=False):
-        return self._model.get_all_nodes(addr, is_syscall=is_syscall, anyaddr=anyaddr)
-
-    @deprecated(replacement="self.model.nodes()")
-    def nodes(self):
-        return self._model.nodes()
-
-    @deprecated(replacement="nodes")
-    def nodes_iter(self):
-        """
-        (Decrepated) An iterator of all nodes in the graph. Will be removed in the future.
-
-        :return: The iterator.
-        :rtype: iterator
-        """
-
-        return self.nodes()
-
     def get_loop_back_edges(self):
         return self._loop_back_edges
 
-    @deprecated(replacement="self.model.get_branching_nodes()")
-    def get_branching_nodes(self):
-        return self._model.get_branching_nodes()
-
-    @deprecated(replacement="self.model.get_exit_stmt_idx")
-    def get_exit_stmt_idx(self, src_block, dst_block):
-        return self._model.get_exit_stmt_idx(src_block, dst_block)
-
     @property
     def graph(self) -> networkx.DiGraph[CFGNode]:
         raise NotImplementedError
@@ -1550,10 +1494,12 @@ class CFGBase(Analysis):
                 block = next((b for b in function.blocks), None)
                 if block is None:
                     continue
-                if all(self._is_noop_insn(insn) for insn in block.capstone.insns):
+                if self._is_noop_block(self.project.arch, block) or all(
+                    self._is_noop_insn(insn) for insn in block.capstone.insns
+                ):
                     # all nops. mark this function as a function alignment
                     l.debug("Function chunk %#x is probably used as a function alignment (all nops).", func_addr)
-                    self.kb.functions[func_addr].alignment = True
+                    self.kb.functions[func_addr].is_alignment = True
                     continue
                 node = function.get_node(block.addr)
                 assert node is not None
@@ -1561,7 +1507,7 @@ class CFGBase(Analysis):
                 if len(successors) == 1 and successors[0].addr == node.addr:
                     # self loop. mark this function as a function alignment
                     l.debug("Function chunk %#x is probably used as a function alignment (self-loop).", func_addr)
-                    self.kb.functions[func_addr].alignment = True
+                    self.kb.functions[func_addr].is_alignment = True
                     continue
 
     def make_functions(self):
@@ -2108,7 +2054,7 @@ class CFGBase(Analysis):
                 continue
             if func_addr in jumptable_entries:
                 # is there any call edge pointing to it?
-                func_node = self.get_any_node(func_addr, force_fastpath=True)
+                func_node = self.model.get_any_node(func_addr, force_fastpath=True)
                 if func_node is not None:
                     in_edges = self.graph.in_edges(func_node, data=True)
                     has_transition_pred = None
@@ -2205,10 +2151,6 @@ class CFGBase(Analysis):
             out_edges = [e for e in g.out_edges(node_) if g.get_edge_data(*e)["jumpkind"] != "Ijk_FakeRet"]
             return len(out_edges) > 1
 
-        if len(src_function.block_addrs_set) > 10:
-            # ignore functions unless they are extremely small
-            return False
-
         if len(all_edges) == 1 and dst_addr != src_addr:
             the_edge = next(iter(all_edges))
             _, dst, data = the_edge
@@ -2251,15 +2193,41 @@ class CFGBase(Analysis):
                 candidate = True
 
             if candidate:
-                regs = {self.project.arch.sp_offset}
-                if hasattr(self.project.arch, "bp_offset") and self.project.arch.bp_offset is not None:
-                    regs.add(self.project.arch.bp_offset)
-                sptracker = self.project.analyses[StackPointerTracker].prep()(
-                    src_function, regs, track_memory=self._sp_tracking_track_memory
-                )
-                sp_delta = sptracker.offset_after_block(src_addr, self.project.arch.sp_offset)
-                if sp_delta == 0:
-                    return True
+                # we have two strategies; for small functions, we run SPTracker on the entire function and see if the
+                # stack pointer changes or not; for large functions, we simply detect how far away we jump as well as
+                # if there are any other functions identified between the source and the destination.
+                if len(src_function.block_addrs_set) <= 10:
+                    regs = {self.project.arch.sp_offset}
+                    if hasattr(self.project.arch, "bp_offset") and self.project.arch.bp_offset is not None:
+                        regs.add(self.project.arch.bp_offset)
+                    sptracker = self.project.analyses[StackPointerTracker].prep()(
+                        src_function, regs, track_memory=self._sp_tracking_track_memory
+                    )
+                    sp_delta = sptracker.offset_after_block(src_addr, self.project.arch.sp_offset)
+                    if sp_delta == 0:
+                        return True
+                else:
+                    # large function; to speed things up, we don't track sp
+                    minaddr, maxaddr = None, None
+                    if dst_addr - src_addr >= 0x100:
+                        minaddr = src_addr
+                        maxaddr = dst_addr
+                    elif dst_addr < src_addr:
+                        # jumping back; is it jumping beyond the function header?
+                        src_func = blockaddr_to_function[src_addr]
+                        if dst_addr < src_func.addr and src_func.addr - dst_addr >= 0x100:
+                            minaddr = dst_addr
+                            maxaddr = src_func.addr
+
+                    if minaddr is not None and maxaddr is not None:
+                        # are there other function in between?
+                        funcaddrs_in_between = list(
+                            known_functions._function_map.irange(minimum=minaddr + 1, maximum=maxaddr - 1)
+                        )
+                        funcs_in_between = [known_functions.get_by_addr(a) for a in funcaddrs_in_between]
+                        funcs_in_between = [func for func in funcs_in_between if not func.is_alignment]
+                        if len(funcs_in_between) >= 3:
+                            return True
 
         return False
 
@@ -2639,7 +2607,7 @@ class CFGBase(Analysis):
         :return: True if the instruction does no-op, False otherwise.
         """
 
-        insn_name = insn.insn_name()
+        insn_name = insn.mnemonic
 
         if insn_name == "nop":
             # nops

angr/analyses/cfg/cfg_emulated.py

@@ -472,7 +472,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                 src_blocknode: BlockNode = back_edge[0]
                 dst_blocknode: BlockNode = back_edge[1]
 
-                for src in self.get_all_nodes(src_blocknode.addr):
+                for src in self.model.get_all_nodes(src_blocknode.addr):
                     for dst in graph.successors(src):
                         if dst.addr != dst_blocknode.addr:
                             continue
@@ -524,7 +524,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         start = self._starts[0]
         if isinstance(start, tuple):
             start, _ = start  # pylint: disable=unpacking-non-sequence
-        start_node = self.get_any_node(start)
+        start_node = self.model.get_any_node(start)
         if start_node is None:
             raise AngrCFGError("Cannot find start node when trying to unroll loops. The CFG might be empty.")
 
@@ -720,7 +720,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         # FIXME: syscalls are not supported
         # FIXME: start should also take a CFGNode instance
 
-        start_node = self.get_any_node(start)
+        start_node = self.model.get_any_node(start)
         assert start_node is not None
 
         node_wrapper = (start_node, 0)
@@ -2286,9 +2286,9 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                     # Remove that edge!
                     graph.remove_edge(call_func_addr, return_to_addr)
                     # Remove the edge in CFG
-                    nodes = self.get_all_nodes(callsite_block_addr)
+                    nodes = self.model.get_all_nodes(callsite_block_addr)
                     for n in nodes:
-                        successors = self.get_successors_and_jumpkind(n, excluding_fakeret=False)
+                        successors = self.model.get_successors_and_jumpkind(n, excluding_fakeret=False)
                         for successor, jumpkind in successors:
                             if jumpkind == "Ijk_FakeRet" and successor.addr == return_to_addr:
                                 self.remove_edge(n, successor)
@@ -2548,7 +2548,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         for start in starts:
             l.debug("Start symbolic execution at 0x%x on program slice.", start)
             # Get the state from our CFG
-            node = self.get_any_node(start)
+            node = self.model.get_any_node(start)
             if node is None:
                 # Well, we have to live with an empty state
                 base_state = self.project.factory.blank_state(addr=start)
@@ -2561,7 +2561,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                 initial_nodes = [n for n in bc.taint_graph.nodes() if bc.taint_graph.in_degree(n) == 0]
                 for cl in initial_nodes:
                     # Iterate in all actions of this node, and pick corresponding actions
-                    cfg_nodes = self.get_all_nodes(cl.block_addr)
+                    cfg_nodes = self.model.get_all_nodes(cl.block_addr)
                     for n in cfg_nodes:
                         if not n.final_states:
                             continue
@@ -3376,9 +3376,9 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         all_predecessors = []
 
-        nodes = self.get_all_nodes(function_address)
+        nodes = self.model.get_all_nodes(function_address)
         for n in nodes:
-            predecessors = list(self.get_predecessors(n))
+            predecessors = list(self.model.get_predecessors(n))
             all_predecessors.extend(predecessors)
 
         return all_predecessors
@@ -3391,8 +3391,8 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         Return: a list of lists of nodes representing paths.
         """
         if isinstance(begin, int) and isinstance(end, int):
-            n_begin = self.get_any_node(begin)
-            n_end = self.get_any_node(end)
+            n_begin = self.model.get_any_node(begin)
+            n_end = self.model.get_any_node(end)
 
         elif isinstance(begin, CFGENode) and isinstance(end, CFGENode):
             n_begin = begin
@@ -3417,7 +3417,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         for ep in self._entry_points:
             # FIXME: This is not always correct. We'd better store CFGNodes in self._entry_points
-            ep_node = self.get_any_node(ep)
+            ep_node = self.model.get_any_node(ep)
 
             if not ep_node:
                 continue

angr/analyses/cfg/cfg_fast.py

@@ -22,10 +22,10 @@ from archinfo.arch_soot import SootAddressDescriptor
 from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 
 from angr.analyses import AnalysesHub
+from angr.misc.ux import once
 from angr.knowledge_plugins.cfg import CFGNode, MemoryDataSort, MemoryData, IndirectJump, IndirectJumpType
 from angr.knowledge_plugins.xrefs import XRef, XRefType
 from angr.knowledge_plugins.functions import Function
-from angr.misc.ux import deprecated
 from angr.codenode import HookNode
 from angr import sim_options as o
 from angr.errors import (
@@ -589,10 +589,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         regions=None,
         pickle_intermediate_results=False,
         symbols=True,
-        function_prologues=True,
+        function_prologues: bool | None = None,
         resolve_indirect_jumps=True,
         force_segment=False,
-        force_smart_scan=True,
+        force_smart_scan: bool | None = None,
         force_complete_scan=False,
         indirect_jump_target_limit=100000,
         data_references=True,
@@ -712,6 +712,20 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if binary is not None and not objects:
             objects = [binary]
 
+        is_dotnet = (
+            isinstance(self.project.loader.main_object, cle.backends.pe.PE)
+            and self.project.loader.main_object.is_dotnet
+        )
+
+        if function_prologues is None:
+            function_prologues = not is_dotnet
+            if is_dotnet and once("dotnet_native"):
+                l.warning("You're trying to analyze a .NET binary as native code. Are you sure?")
+        if force_smart_scan is None:
+            force_smart_scan = not is_dotnet
+            if is_dotnet and once("dotnet_native"):
+                l.warning("You're trying to analyze a .NET binary as native code. Are you sure?")
+
         CFGBase.__init__(
             self,
             "fast",
@@ -1649,6 +1663,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             if addr is not None:
                 # if this is ARM and addr % 4 != 0, it has to be THUMB
                 if is_arm_arch(self.project.arch):
+                    if (
+                        "has_arm_code" in self._arch_options
+                        and self._arch_options["has_arm_code"] is False
+                        and addr % 2 == 0
+                    ):
+                        addr |= 1
+
                     if addr % 2 == 0 and addr % 4 != 0:
                         # it's not aligned by 4, so it's definitely not ARM mode
                         addr |= 1
@@ -1968,9 +1989,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         # Pre-compile all regexes
         regexes = []
-        for ins_regex in self.project.arch.function_prologs:
-            r = re.compile(ins_regex)
-            regexes.append(r)
+        if "has_arm_code" not in self._arch_options or self._arch_options["has_arm_code"]:
+            for ins_regex in self.project.arch.function_prologs:
+                r = re.compile(ins_regex)
+                regexes.append(r)
         # EDG says: I challenge anyone bothering to read this to come up with a better
         # way to handle CPU modes that affect instruction decoding.
         # Since the only one we care about is ARM/Thumb right now
@@ -2109,6 +2131,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 src_func = self.functions.function(addr=cfg_job.src_node.addr, create=True)
             else:
                 src_func = self.functions.get_by_addr(cfg_job.src_node.addr)
+            assert src_func is not None
             if len(src_func.block_addrs_set) <= 1 and src_func.is_default_name:
                 # assign a name to the caller function that jumps to this procedure
                 src_func.name = procedure.display_name
@@ -2832,6 +2855,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     and not self._seg_list.is_occupied(v)
                     and v % self.project.arch.instruction_alignment == 0
                 ):
+                    if is_arm_arch(self.project.arch) and not self._arch_options.has_arm_code and v % 2 != 1:
+                        # no ARM code in this binary!
+                        return
+
                     # create a new CFG job
                     ce = CFGJob(
                         v,
@@ -3831,6 +3858,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             for ep in endpoints:
                 src = self.model.get_any_node(ep.addr)
+                assert src is not None
                 for rt in return_targets:
                     if not src.instruction_addrs:
                         ins_addr = None
@@ -4321,7 +4349,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             # extra check for ARM
             if is_arm_arch(self.project.arch) and self._seg_list.occupied_by_sort(addr) == "code":
-                existing_node = self.get_any_node(addr, anyaddr=True)
+                existing_node = self.model.get_any_node(addr, anyaddr=True)
                 if existing_node is not None and (addr & 1) != (existing_node.addr & 1):
                     # we are trying to break an existing ARM node with a THUMB node, or vice versa
                     # this is probably because our current node is unexpected
@@ -4430,6 +4458,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                                 self._cascading_remove_lifted_blocks(cfg_job.src_node.addr & 0xFFFF_FFFE)
                             return None, None, None, None
 
+                if not self._arch_options.has_arm_code and addr % 2 == 0:
+                    # No ARM code for this architecture!
+                    return None, None, None, None
+
             initial_regs = self._get_initial_registers(addr, cfg_job, current_function_addr)
 
             # Let's try to create the pyvex IRSB directly, since it's much faster
@@ -5196,18 +5228,5 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
     def output(self):
         return f"{self._graph.edges(data=True)}"
 
-    @deprecated(replacement="angr.analyses.CFB")
-    def generate_code_cover(self):
-        """
-        Generate a list of all recovered basic blocks.
-        """
-
-        lst = []
-        for cfg_node in self.graph.nodes():
-            size = cfg_node.size
-            lst.append((cfg_node.addr, size))
-
-        return sorted(lst, key=lambda x: x[0])
-
 
 AnalysesHub.register_default("CFGFast", CFGFast)

angr/analyses/cfg/cfg_fast_soot.py

@@ -487,7 +487,7 @@ class CFGFastSoot(CFGFast):
                 # it might be a jumpout
                 target_func_addr = None
                 if target_addr in self._traced_addresses:
-                    node = self.get_any_node(target_addr)
+                    node = self.model.get_any_node(target_addr)
                     if node is not None:
                         target_func_addr = node.function_address
                 if target_func_addr is None:
@@ -578,7 +578,7 @@ class CFGFastSoot(CFGFast):
             if jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
                 function_nodes.add(dst)
 
-        entry_node = self.get_any_node(self._binary.entry)
+        entry_node = self.model.get_any_node(self._binary.entry)
         if entry_node is not None:
             function_nodes.add(entry_node)
 
@@ -616,7 +616,7 @@ class CFGFastSoot(CFGFast):
         secondary_function_nodes = set()
         # add all function chunks ("functions" that are not called from anywhere)
         for func_addr in tmp_functions:
-            node = self.get_any_node(func_addr)
+            node = self.model.get_any_node(func_addr)
             if node is None:
                 continue
             if node.addr not in blockaddr_to_function:

angr/analyses/decompiler/callsite_maker.py

@@ -18,7 +18,7 @@ from angr.sim_type import (
     SimTypeFunction,
     SimTypeLongLong,
 )
-from angr.calling_conventions import SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
+from angr.calling_conventions import SimReferenceArgument, SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.s_reaching_definitions import SRDAView
@@ -111,10 +111,10 @@ class CallSiteMaker(Analysis):
             prototype_libname = func.prototype_libname
             type_collections = []
             if prototype_libname is not None:
-                prototype_lib = SIM_LIBRARIES[prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
                 prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
                     self.project.arch
@@ -144,17 +144,30 @@ class CallSiteMaker(Analysis):
                         arg_locs = cc.arg_locs(callsite_ty)
 
         if arg_locs is not None and cc is not None:
-            expanded_arg_locs = []
+            expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
             for arg_loc in arg_locs:
                 if isinstance(arg_loc, SimComboArg):
                     # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
                     # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
                     # have no way to know that until later down the pipeline.
                     expanded_arg_locs += arg_loc.locations
-                else:
+                elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
                     expanded_arg_locs.append(arg_loc)
+                else:
+                    raise NotImplementedError("Not implemented yet.")
 
             for arg_loc in expanded_arg_locs:
+                if isinstance(arg_loc, SimReferenceArgument):
+                    if not isinstance(arg_loc.ptr_loc, (SimRegArg, SimStackArg)):
+                        raise NotImplementedError("Why would a calling convention produce this?")
+                    if isinstance(arg_loc.main_loc, SimStructArg):
+                        dereference_size = arg_loc.main_loc.struct.size // self.project.arch.byte_width
+                    else:
+                        dereference_size = arg_loc.main_loc.size
+                    arg_loc = arg_loc.ptr_loc
+                else:
+                    dereference_size = None
+
                 if isinstance(arg_loc, SimRegArg):
                     size = arg_loc.size
                     offset = arg_loc.check_offset(cc.arch)
@@ -202,7 +215,7 @@ class CallSiteMaker(Analysis):
                                 vvar_use,
                                 **vvar_use.tags,
                             )
-                        args.append(vvar_use)
+                        arg_expr = vvar_use
                     else:
                         reg = Expr.Register(
                             self._atom_idx(),
@@ -212,20 +225,17 @@ class CallSiteMaker(Analysis):
                             reg_name=arg_loc.reg_name,
                             ins_addr=last_stmt.ins_addr,
                         )
-                        args.append(reg)
+                        arg_expr = reg
                 elif isinstance(arg_loc, SimStackArg):
                     stack_arg_locs.append(arg_loc)
                     _, the_arg = self._resolve_stack_argument(call_stmt, arg_loc)
-
-                    if the_arg is not None:
-                        args.append(the_arg)
-                    else:
-                        args.append(None)
-                elif isinstance(arg_loc, SimStructArg):
-                    l.warning("SimStructArg is not yet supported")
-
+                    arg_expr = the_arg if the_arg is not None else None
                 else:
-                    raise NotImplementedError("Not implemented yet.")
+                    assert False, "Unreachable"
+
+                if arg_expr is not None and dereference_size is not None:
+                    arg_expr = Expr.Load(self._atom_idx(), arg_expr, dereference_size, endness=archinfo.Endness.BE)
+                args.append(arg_expr)
 
         # Remove the old call statement
         new_stmts = self.block.statements[:-1]

angr/analyses/decompiler/clinic.py

@@ -1197,10 +1197,10 @@ class Clinic(Analysis):
                 prototype_libname = func.prototype_libname
                 type_collections = []
                 if prototype_libname is not None:
-                    prototype_lib = SIM_LIBRARIES[prototype_libname]
-                    if prototype_lib.type_collection_names:
-                        for typelib_name in prototype_lib.type_collection_names:
-                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                    for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                        if prototype_lib.type_collection_names:
+                            for typelib_name in prototype_lib.type_collection_names:
+                                type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
                 if type_collections:
                     prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
                         self.project.arch

angr/analyses/decompiler/condition_processor.py

@@ -961,27 +961,6 @@ class ConditionProcessor:
         sympy_expr = ConditionProcessor.claripy_ast_to_sympy_expr(cond, memo=memo)
         return ConditionProcessor.sympy_expr_to_claripy_ast(sympy.simplify_logic(sympy_expr, deep=False), memo)
 
-    @staticmethod
-    def simplify_condition_deprecated(cond):
-        # Z3's simplification may yield weird and unreadable results
-        # hence we mostly rely on our own simplification. we only use Z3's simplification results when it returns a
-        # concrete value.
-        claripy_simplified = claripy.simplify(cond)
-        if not claripy_simplified.symbolic:
-            return claripy_simplified
-
-        simplified = ConditionProcessor._fold_double_negations(cond)
-        cond = simplified if simplified is not None else cond
-        simplified = ConditionProcessor._revert_short_circuit_conditions(cond)
-        cond = simplified if simplified is not None else cond
-        simplified = ConditionProcessor._extract_common_subexpressions(cond)
-        cond = simplified if simplified is not None else cond
-        # simplified = ConditionProcessor._remove_redundant_terms(cond)
-        # cond = simplified if simplified is not None else cond
-        # in the end, use claripy's simplification to handle really easy cases again
-        simplified = ConditionProcessor._simplify_trivial_cases(cond)
-        return simplified if simplified is not None else cond
-
     @staticmethod
     def _simplify_trivial_cases(cond):
         if cond.op == "And":

angr/analyses/decompiler/counters/call_counter.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 from ailment import Block
+from ailment.statement import Label
 from ailment.block_walker import AILBlockWalkerBase
 
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
@@ -37,8 +38,10 @@ class AILCallCounter(SequenceWalker):
         }
         super().__init__(handlers)
         self.calls = 0
+        self.non_label_stmts = 0
 
     def _handle_Block(self, node: Block, **kwargs):  # pylint:disable=unused-argument
         ctr = AILBlockCallCounter()
         ctr.walk(node)
         self.calls += ctr.calls
+        self.non_label_stmts += sum(1 for stmt in node.statements if not isinstance(stmt, Label))

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -66,7 +66,7 @@ class PairAILBlockWalker:
         def _handle_call_expr(expr_idx: int, expr: Call, stmt_idx: int, stmt: Statement, block_):
             walked_objs[Call].add(expr)
 
-        _stmt_handlers = {typ: _handle_ail_obj for typ in walked_objs}
+        _stmt_handlers = dict.fromkeys(walked_objs, _handle_ail_obj)
         walker.stmt_handlers = _stmt_handlers
         walker.expr_handlers[Call] = _handle_call_expr
 

angr/analyses/decompiler/peephole_optimizations/remove_redundant_conversions.py

@@ -164,6 +164,20 @@ class RemoveRedundantConversions(PeepholeOptimizationExprBase):
                                 **expr.tags,
                             )
 
+        # simpler cases
+        # (A & mask) & mask  ==>  A & mask
+        if (
+            expr.op == "And"
+            and isinstance(expr.operands[1], Const)
+            and isinstance(expr.operands[0], BinaryOp)
+            and expr.operands[0].op == "And"
+        ):
+            inner_op0, inner_op1 = expr.operands[0].operands
+            if (isinstance(inner_op0, Const) and inner_op0.value == expr.operands[1].value) or (
+                isinstance(inner_op1, Const) and inner_op1.value == expr.operands[1].value
+            ):
+                return expr.operands[0]
+
         return None
 
     @staticmethod

angr/analyses/decompiler/structured_codegen/c.py

@@ -1281,11 +1281,11 @@ class CFunctionCall(CStatement, CExpression):
             if self.callee_func.prototype_libname is not None:
                 # we need to deref the prototype in case it uses SimTypeRef internally
                 type_collections = []
-                prototype_lib = SIM_LIBRARIES[self.callee_func.prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
-                    proto = dereference_simtype(proto, type_collections)
+                for prototype_lib in SIM_LIBRARIES[self.callee_func.prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                proto = dereference_simtype(proto, type_collections)
             return proto
         returnty = SimTypeInt(signed=False)
         return SimTypeFunction([arg.type for arg in self.args], returnty).with_arch(self.codegen.project.arch)