angr 9.2.147__py3-none-manylinux2014_x86_64.whl → 9.2.149__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/ail_simplifier.py

@@ -9,7 +9,7 @@ import networkx
 
 from ailment import AILBlockWalker
 from ailment.block import Block
-from ailment.statement import Statement, Assignment, Store, Call, ConditionalJump, DirtyStatement
+from ailment.statement import Statement, Assignment, Store, Call, ConditionalJump, DirtyStatement, WeakAssignment
 from ailment.expression import (
     Register,
     Convert,
@@ -247,6 +247,9 @@ class AILSimplifier(Analysis):
                     ):
                         codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
                         equivalence.add(Equivalence(codeloc, stmt.dst, stmt.src))
+                elif isinstance(stmt, WeakAssignment):
+                    codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
+                    equivalence.add(Equivalence(codeloc, stmt.dst, stmt.src, is_weakassignment=True))
                 elif isinstance(stmt, Call):
                     if isinstance(stmt.ret_expr, (VirtualVariable, Load)):
                         codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
@@ -1172,6 +1175,9 @@ class AILSimplifier(Analysis):
                     # register variable = Convert(Call)
                     call = eq.atom1
                     # call_addr = call.operand.target.value if isinstance(call.operand.target, Const) else None
+                elif eq.is_weakassignment:
+                    # variable =w something else
+                    call = eq.atom1
                 else:
                     continue
 
@@ -1196,6 +1202,9 @@ class AILSimplifier(Analysis):
                 assert the_def.codeloc.stmt_idx is not None
 
                 all_uses: set[tuple[Any, CodeLocation]] = rd.get_vvar_uses_with_expr(the_def.atom)
+                if eq.is_weakassignment:
+                    # eliminate the "use" at the weak assignment site
+                    all_uses = {use for use in all_uses if use[1] != eq.codeloc}
 
                 if len(all_uses) != 1:
                     continue
@@ -1218,10 +1227,13 @@ class AILSimplifier(Analysis):
                         continue
 
                 # check if the use and the definition is within the same supernode
-                super_node_blocks = self._get_super_node_blocks(
-                    addr_and_idx_to_block[(the_def.codeloc.block_addr, the_def.codeloc.block_idx)]
-                )
-                if u.block_addr not in {b.addr for b in super_node_blocks}:
+                # also we do not allow any calls between the def site and the use site
+                if not self._loc_within_superblock(
+                    addr_and_idx_to_block[(the_def.codeloc.block_addr, the_def.codeloc.block_idx)],
+                    u.block_addr,
+                    u.block_idx,
+                    terminate_with_calls=True,
+                ):
                     continue
 
                 # ensure there are no other calls between the def site and the use site.
@@ -1247,10 +1259,6 @@ class AILSimplifier(Analysis):
                 ):
                     continue
 
-                # check if there are any calls in between the def site and the use site
-                if self._count_calls_in_supernodeblocks(super_node_blocks, the_def.codeloc, u) > 0:
-                    continue
-
                 # replace all uses
                 old_block = addr_and_idx_to_block.get((u.block_addr, u.block_idx), None)
                 if old_block is None:
@@ -1262,7 +1270,7 @@ class AILSimplifier(Analysis):
 
                 if isinstance(eq.atom0, VirtualVariable):
                     src = used_expr
-                    dst: Call | Convert = call.copy()
+                    dst: Expression = call.copy()
 
                     if isinstance(dst, Call) and dst.ret_expr is not None:
                         dst_bits = dst.ret_expr.bits
@@ -1272,7 +1280,7 @@ class AILSimplifier(Analysis):
                         dst.fp_ret_expr = None
                         dst.bits = dst_bits
 
-                    if src.bits != dst.bits:
+                    if src.bits != dst.bits and not eq.is_weakassignment:
                         dst = Convert(None, dst.bits, src.bits, False, dst)
                 else:
                     continue
@@ -1320,6 +1328,42 @@ class AILSimplifier(Analysis):
                 break
         return lst
 
+    def _loc_within_superblock(
+        self, start_node: Block, block_addr: int, block_idx: int | None, terminate_with_calls=False
+    ) -> bool:
+        b = start_node
+        if block_addr == b.addr and block_idx == b.idx:
+            return True
+
+        encountered_block_addrs: set[tuple[int, int | None]] = {(b.addr, b.idx)}
+        while True:
+            if terminate_with_calls and b.statements and isinstance(b.statements[-1], Call):
+                return False
+
+            encountered_block_addrs.add((b.addr, b.idx))
+            successors = list(self.func_graph.successors(b))
+            if len(successors) == 0:
+                # did not encounter the block before running out of successors
+                return False
+            if len(successors) == 1:
+                succ = successors[0]
+                # check its predecessors
+                succ_predecessors = list(self.func_graph.predecessors(succ))
+                if len(succ_predecessors) == 1:
+                    if (succ.addr, succ.idx) in encountered_block_addrs:
+                        # we are about to form a loop - bad!
+                        # example: binary ce1897b492c80bf94083dd783aefb413ab1f6d8d4981adce8420f6669d0cb3e1, block
+                        # 0x2976EF7.
+                        return False
+                    if block_addr == succ.addr and block_idx == succ.idx:
+                        return True
+                    b = succ
+                else:
+                    return False
+            else:
+                # too many successors
+                return False
+
     @staticmethod
     def _replace_expr_and_update_block(block, stmt_idx, stmt, src_expr, dst_expr) -> tuple[bool, Block | None]:
         replaced, new_stmt = stmt.replace(src_expr, dst_expr)
@@ -1492,9 +1536,18 @@ class AILSimplifier(Analysis):
                         simplified = True
 
                 if idx in stmts_to_remove and idx not in stmts_to_keep and not isinstance(stmt, DirtyStatement):
-                    if isinstance(stmt, (Assignment, Store)):
+                    if isinstance(stmt, (Assignment, WeakAssignment, Store)):
                         # Special logic for Assignment and Store statements
 
+                        # if this statement writes to a virtual variable that must be preserved, we ignore it
+                        if (
+                            isinstance(stmt, Assignment)
+                            and isinstance(stmt.dst, VirtualVariable)
+                            and stmt.dst.varid in self._avoid_vvar_ids
+                        ):
+                            new_statements.append(stmt)
+                            continue
+
                         # if this statement triggers a call, it should only be removed if it's in self._calls_to_remove
                         codeloc = CodeLocation(block.addr, idx, ins_addr=stmt.ins_addr, block_idx=block.idx)
                         if codeloc in self._assignments_to_remove:
@@ -1716,26 +1769,6 @@ class AILSimplifier(Analysis):
 
         return False
 
-    @staticmethod
-    def _count_calls_in_supernodeblocks(blocks: list[Block], start: CodeLocation, end: CodeLocation) -> int:
-        """
-        Count the number of call statements in a list of blocks for a single super block between two given code
-        locations (exclusive).
-        """
-        calls = 0
-        started = False
-        for b in blocks:
-            if b.addr == start.block_addr:
-                started = True
-                continue
-            if b.addr == end.block_addr:
-                started = False
-                continue
-
-            if started and b.statements and isinstance(b.statements[-1], Call):
-                calls += 1
-        return calls
-
     @staticmethod
     def _exprs_contain_vvar(exprs: Iterable[Expression], vvar_ids: set[int]) -> bool:
         def _handle_VirtualVariable(expr_idx, expr, stmt_idx, stmt, block):  # pylint:disable=unused-argument

angr/analyses/decompiler/block_simplifier.py

@@ -10,6 +10,7 @@ from ailment import AILBlockWalkerBase
 
 from angr.code_location import ExternalCodeLocation, CodeLocation
 
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SReachingDefinitionsAnalysis, SRDAModel
 from angr.analyses import Analysis, register_analysis
@@ -62,6 +63,8 @@ class BlockSimplifier(Analysis):
         peephole_optimizations: None | (
             Iterable[type[PeepholeOptimizationStmtBase] | type[PeepholeOptimizationExprBase]]
         ) = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
         cached_reaching_definitions=None,
         cached_propagator=None,
     ):
@@ -74,24 +77,35 @@ class BlockSimplifier(Analysis):
         self.func_addr = func_addr
 
         self._stack_pointer_tracker = stack_pointer_tracker
+        self._preserve_vvar_ids = preserve_vvar_ids
+        self._type_hints = type_hints
 
         if peephole_optimizations is None:
-            self._expr_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in EXPR_OPTS]
-            self._stmt_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in STMT_OPTS]
-            self._multistmt_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in MULTI_STMT_OPTS]
+            self._expr_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
+                for cls in EXPR_OPTS
+            ]
+            self._stmt_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
+                for cls in STMT_OPTS
+            ]
+            self._multistmt_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
+                for cls in MULTI_STMT_OPTS
+            ]
         else:
             self._expr_peephole_opts = [
-                cls(self.project, self.kb, self.func_addr)
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationExprBase)
             ]
             self._stmt_peephole_opts = [
-                cls(self.project, self.kb, self.func_addr)
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationStmtBase)
             ]
             self._multistmt_peephole_opts = [
-                cls(self.project, self.kb, self.func_addr)
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationMultiStmtBase)
             ]

angr/analyses/decompiler/callsite_maker.py

@@ -18,7 +18,7 @@ from angr.sim_type import (
     SimTypeFunction,
     SimTypeLongLong,
 )
-from angr.calling_conventions import SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
+from angr.calling_conventions import SimReferenceArgument, SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.s_reaching_definitions import SRDAView
@@ -111,10 +111,10 @@ class CallSiteMaker(Analysis):
             prototype_libname = func.prototype_libname
             type_collections = []
             if prototype_libname is not None:
-                prototype_lib = SIM_LIBRARIES[prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
                 prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
                     self.project.arch
@@ -144,17 +144,30 @@ class CallSiteMaker(Analysis):
                         arg_locs = cc.arg_locs(callsite_ty)
 
         if arg_locs is not None and cc is not None:
-            expanded_arg_locs = []
+            expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
             for arg_loc in arg_locs:
                 if isinstance(arg_loc, SimComboArg):
                     # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
                     # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
                     # have no way to know that until later down the pipeline.
                     expanded_arg_locs += arg_loc.locations
-                else:
+                elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
                     expanded_arg_locs.append(arg_loc)
+                else:
+                    raise NotImplementedError("Not implemented yet.")
 
             for arg_loc in expanded_arg_locs:
+                if isinstance(arg_loc, SimReferenceArgument):
+                    if not isinstance(arg_loc.ptr_loc, (SimRegArg, SimStackArg)):
+                        raise NotImplementedError("Why would a calling convention produce this?")
+                    if isinstance(arg_loc.main_loc, SimStructArg):
+                        dereference_size = arg_loc.main_loc.struct.size // self.project.arch.byte_width
+                    else:
+                        dereference_size = arg_loc.main_loc.size
+                    arg_loc = arg_loc.ptr_loc
+                else:
+                    dereference_size = None
+
                 if isinstance(arg_loc, SimRegArg):
                     size = arg_loc.size
                     offset = arg_loc.check_offset(cc.arch)
@@ -202,7 +215,7 @@ class CallSiteMaker(Analysis):
                                 vvar_use,
                                 **vvar_use.tags,
                             )
-                        args.append(vvar_use)
+                        arg_expr = vvar_use
                     else:
                         reg = Expr.Register(
                             self._atom_idx(),
@@ -212,20 +225,17 @@ class CallSiteMaker(Analysis):
                             reg_name=arg_loc.reg_name,
                             ins_addr=last_stmt.ins_addr,
                         )
-                        args.append(reg)
+                        arg_expr = reg
                 elif isinstance(arg_loc, SimStackArg):
                     stack_arg_locs.append(arg_loc)
                     _, the_arg = self._resolve_stack_argument(call_stmt, arg_loc)
-
-                    if the_arg is not None:
-                        args.append(the_arg)
-                    else:
-                        args.append(None)
-                elif isinstance(arg_loc, SimStructArg):
-                    l.warning("SimStructArg is not yet supported")
-
+                    arg_expr = the_arg if the_arg is not None else None
                 else:
-                    raise NotImplementedError("Not implemented yet.")
+                    assert False, "Unreachable"
+
+                if arg_expr is not None and dereference_size is not None:
+                    arg_expr = Expr.Load(self._atom_idx(), arg_expr, dereference_size, endness=archinfo.Endness.BE)
+                args.append(arg_expr)
 
         # Remove the old call statement
         new_stmts = self.block.statements[:-1]

angr/analyses/decompiler/clinic.py

@@ -18,6 +18,7 @@ from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions import Function
 from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.codenode import BlockNode
 from angr.utils import timethis
 from angr.utils.graph import GraphUtils
@@ -122,7 +123,7 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
-        max_type_constraints: int = 750,
+        max_type_constraints: int = 4000,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -505,17 +506,29 @@ class Clinic(Analysis):
         self._update_progress(37.0, text="Tracking stack pointers")
         spt = self._track_stack_pointers()
 
+        preserve_vvar_ids: set[int] = set()
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] = []
+
         # Simplify blocks
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
         self._update_progress(38.0, text="Simplifying blocks 1")
-        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
+        ail_graph = self._simplify_blocks(
+            ail_graph,
+            stack_pointer_tracker=spt,
+            cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
+        )
         self._rewrite_alloca(ail_graph)
 
         # Run simplification passes
         self._update_progress(40.0, text="Running simplifications 1")
         ail_graph = self._run_simplification_passes(
-            ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION
+            ail_graph,
+            stack_pointer_tracker=spt,
+            stack_items=self.stack_items,
+            stage=OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION,
         )
 
         # Simplify the entire function for the first time
@@ -532,7 +545,19 @@ class Clinic(Analysis):
         # Run simplification passes again. there might be more chances for peephole optimizations after function-level
         # simplification
         self._update_progress(48.0, text="Simplifying blocks 2")
-        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
+        ail_graph = self._simplify_blocks(
+            ail_graph,
+            stack_pointer_tracker=spt,
+            cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
+        )
+
+        # Run simplification passes
+        self._update_progress(49.0, text="Running simplifications 2")
+        ail_graph = self._run_simplification_passes(
+            ail_graph, stage=OptimizationPassStage.BEFORE_SSA_LEVEL1_TRANSFORMATION
+        )
 
         # rewrite (qualified) stack variables into SSA form
         ail_graph = self._transform_to_ssa_level1(ail_graph, func_args)
@@ -544,11 +569,13 @@ class Clinic(Analysis):
         # Rust-specific; only call this on Rust binaries when we can identify language and compiler
         ail_graph = self._rewrite_rust_probestack_call(ail_graph)
         # Windows-specific
-        ail_graph = self._rewrite_windows_stkchk_call(ail_graph)
+        ail_graph = self._rewrite_windows_chkstk_call(ail_graph)
 
         # Make call-sites
         self._update_progress(50.0, text="Making callsites")
-        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(ail_graph, func_args, stack_pointer_tracker=spt)
+        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(
+            ail_graph, func_args, stack_pointer_tracker=spt, preserve_vvar_ids=preserve_vvar_ids
+        )
 
         # Run simplification passes
         self._update_progress(53.0, text="Running simplifications 2")
@@ -565,6 +592,7 @@ class Clinic(Analysis):
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
             removed_vvar_ids=removed_vvar_ids,
             arg_vvars=arg_vvars,
+            preserve_vvar_ids=preserve_vvar_ids,
         )
 
         # After global optimization, there might be more chances for peephole optimizations.
@@ -574,10 +602,12 @@ class Clinic(Analysis):
             ail_graph,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
         )
 
         # Run simplification passes
-        self._update_progress(65.0, text="Running simplifications 3 ")
+        self._update_progress(65.0, text="Running simplifications 3")
         ail_graph = self._run_simplification_passes(
             ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
         )
@@ -592,6 +622,7 @@ class Clinic(Analysis):
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
             arg_vvars=arg_vvars,
+            preserve_vvar_ids=preserve_vvar_ids,
         )
 
         self._update_progress(75.0, text="Simplifying blocks 4")
@@ -599,6 +630,8 @@ class Clinic(Analysis):
             ail_graph,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
         )
 
         # Simplify the entire function for the fourth time
@@ -611,6 +644,12 @@ class Clinic(Analysis):
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
             arg_vvars=arg_vvars,
+            preserve_vvar_ids=preserve_vvar_ids,
+        )
+
+        self._update_progress(79.0, text="Running simplifications 4")
+        ail_graph = self._run_simplification_passes(
+            ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.BEFORE_VARIABLE_RECOVERY
         )
 
         # update arg_list
@@ -623,7 +662,7 @@ class Clinic(Analysis):
 
         # Recover variables on AIL blocks
         self._update_progress(80.0, text="Recovering variables")
-        variable_kb = self._recover_and_link_variables(ail_graph, arg_list, arg_vvars, vvar2vvar)
+        variable_kb = self._recover_and_link_variables(ail_graph, arg_list, arg_vvars, vvar2vvar, type_hints)
 
         # Run simplification passes
         self._update_progress(85.0, text="Running simplifications 4")
@@ -1197,10 +1236,10 @@ class Clinic(Analysis):
                 prototype_libname = func.prototype_libname
                 type_collections = []
                 if prototype_libname is not None:
-                    prototype_lib = SIM_LIBRARIES[prototype_libname]
-                    if prototype_lib.type_collection_names:
-                        for typelib_name in prototype_lib.type_collection_names:
-                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                    for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                        if prototype_lib.type_collection_names:
+                            for typelib_name in prototype_lib.type_collection_names:
+                                type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
                 if type_collections:
                     prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
                         self.project.arch
@@ -1226,6 +1265,8 @@ class Clinic(Analysis):
         ail_graph: networkx.DiGraph,
         stack_pointer_tracker=None,
         cache: dict[ailment.Block, NamedTuple] | None = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
     ):
         """
         Simplify all blocks in self._blocks.
@@ -1244,6 +1285,8 @@ class Clinic(Analysis):
                 ail_block,
                 stack_pointer_tracker=stack_pointer_tracker,
                 cache=cache,
+                preserve_vvar_ids=preserve_vvar_ids,
+                type_hints=type_hints,
             )
             key = ail_block.addr, ail_block.idx
             blocks_by_addr_and_idx[key] = simplified
@@ -1259,7 +1302,14 @@ class Clinic(Analysis):
 
         return ail_graph
 
-    def _simplify_block(self, ail_block, stack_pointer_tracker=None, cache=None):
+    def _simplify_block(
+        self,
+        ail_block,
+        stack_pointer_tracker=None,
+        cache=None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
+    ):
         """
         Simplify a single AIL block.
 
@@ -1286,6 +1336,8 @@ class Clinic(Analysis):
             peephole_optimizations=self.peephole_optimizations,
             cached_reaching_definitions=cached_rd,
             cached_propagator=cached_prop,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
         )
         # update the cache
         if cache is not None:
@@ -1308,6 +1360,7 @@ class Clinic(Analysis):
         rewrite_ccalls=True,
         removed_vvar_ids: set[int] | None = None,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
+        preserve_vvar_ids: set[int] | None = None,
     ) -> None:
         """
         Simplify the entire function until it reaches a fixed point.
@@ -1326,6 +1379,7 @@ class Clinic(Analysis):
                 rewrite_ccalls=rewrite_ccalls,
                 removed_vvar_ids=removed_vvar_ids,
                 arg_vvars=arg_vvars,
+                preserve_vvar_ids=preserve_vvar_ids,
             )
             if not simplified:
                 break
@@ -1343,6 +1397,7 @@ class Clinic(Analysis):
         rewrite_ccalls=True,
         removed_vvar_ids: set[int] | None = None,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
+        preserve_vvar_ids: set[int] | None = None,
     ):
         """
         Simplify the entire function once.
@@ -1367,6 +1422,7 @@ class Clinic(Analysis):
             removed_vvar_ids=removed_vvar_ids,
             arg_vvars=arg_vvars,
             secondary_stackvars=self.secondary_stackvars,
+            avoid_vvar_ids=preserve_vvar_ids,
         )
         # cache the simplifier's RDA analysis
         self.reaching_definitions = simp._reaching_definitions
@@ -1381,6 +1437,7 @@ class Clinic(Analysis):
         stage: OptimizationPassStage = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION,
         variable_kb=None,
         stack_items: dict[int, StackItem] | None = None,
+        stack_pointer_tracker=None,
         **kwargs,
     ):
         addr_and_idx_to_blocks: dict[tuple[int, int | None], ailment.Block] = {}
@@ -1415,6 +1472,7 @@ class Clinic(Analysis):
                 scratch=self.optimization_scratch,
                 force_loop_single_exit=self._force_loop_single_exit,
                 complete_successors=self._complete_successors,
+                stack_pointer_tracker=stack_pointer_tracker,
                 **kwargs,
             )
             if a.out_graph:
@@ -1550,7 +1608,13 @@ class Clinic(Analysis):
         return []
 
     @timethis
-    def _make_callsites(self, ail_graph, func_args: set[ailment.Expr.VirtualVariable], stack_pointer_tracker=None):
+    def _make_callsites(
+        self,
+        ail_graph,
+        func_args: set[ailment.Expr.VirtualVariable],
+        stack_pointer_tracker=None,
+        preserve_vvar_ids: set[int] | None = None,
+    ):
         """
         Simplify all function call statements.
         """
@@ -1588,6 +1652,7 @@ class Clinic(Analysis):
                     fail_fast=self._fail_fast,
                     stack_pointer_tracker=stack_pointer_tracker,
                     peephole_optimizations=self.peephole_optimizations,
+                    preserve_vvar_ids=preserve_vvar_ids,
                 )
                 return simp.result_block
             return None
@@ -1663,6 +1728,7 @@ class Clinic(Analysis):
         arg_list: list,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]],
         vvar2vvar: dict[int, int],
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]],
     ):
         # variable recovery
         tmp_kb = KnowledgeBase(self.project) if self.variable_kb is None else self.variable_kb
@@ -1677,6 +1743,7 @@ class Clinic(Analysis):
             unify_variables=False,
             func_arg_vvars=arg_vvars,
             vvar_to_vvar=vvar2vvar,
+            type_hints=type_hints,
         )
         # get ground-truth types
         var_manager = tmp_kb.variables[self.function.addr]
@@ -1710,7 +1777,7 @@ class Clinic(Analysis):
             must_struct = None
         total_type_constraints = sum(len(tc) for tc in vr.type_constraints.values()) if vr.type_constraints else 0
         if total_type_constraints > self._max_type_constraints:
-            l.info(
+            l.warning(
                 "The number of type constraints (%d) is greater than the threshold (%d). Skipping type inference.",
                 total_type_constraints,
                 self._max_type_constraints,
@@ -1821,7 +1888,7 @@ class Clinic(Analysis):
                     if off in variable_manager.stack_offset_to_struct_member_info:
                         stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
 
-            elif stmt_type is ailment.Stmt.Assignment:
+            elif stmt_type is ailment.Stmt.Assignment or stmt_type is ailment.Stmt.WeakAssignment:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.src)
 
@@ -2937,7 +3004,7 @@ class Clinic(Analysis):
                     break
         return ail_graph
 
-    def _rewrite_windows_stkchk_call(self, ail_graph) -> networkx.DiGraph:
+    def _rewrite_windows_chkstk_call(self, ail_graph) -> networkx.DiGraph:
         if not (self.project.simos is not None and self.project.simos.name == "Win32"):
             return ail_graph
 

angr/analyses/decompiler/condition_processor.py

@@ -961,27 +961,6 @@ class ConditionProcessor:
         sympy_expr = ConditionProcessor.claripy_ast_to_sympy_expr(cond, memo=memo)
         return ConditionProcessor.sympy_expr_to_claripy_ast(sympy.simplify_logic(sympy_expr, deep=False), memo)
 
-    @staticmethod
-    def simplify_condition_deprecated(cond):
-        # Z3's simplification may yield weird and unreadable results
-        # hence we mostly rely on our own simplification. we only use Z3's simplification results when it returns a
-        # concrete value.
-        claripy_simplified = claripy.simplify(cond)
-        if not claripy_simplified.symbolic:
-            return claripy_simplified
-
-        simplified = ConditionProcessor._fold_double_negations(cond)
-        cond = simplified if simplified is not None else cond
-        simplified = ConditionProcessor._revert_short_circuit_conditions(cond)
-        cond = simplified if simplified is not None else cond
-        simplified = ConditionProcessor._extract_common_subexpressions(cond)
-        cond = simplified if simplified is not None else cond
-        # simplified = ConditionProcessor._remove_redundant_terms(cond)
-        # cond = simplified if simplified is not None else cond
-        # in the end, use claripy's simplification to handle really easy cases again
-        simplified = ConditionProcessor._simplify_trivial_cases(cond)
-        return simplified if simplified is not None else cond
-
     @staticmethod
     def _simplify_trivial_cases(cond):
         if cond.op == "And":