angr 9.2.148__py3-none-manylinux2014_x86_64.whl → 9.2.150__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/clinic.py

@@ -18,6 +18,7 @@ from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions import Function
 from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.codenode import BlockNode
 from angr.utils import timethis
 from angr.utils.graph import GraphUtils
@@ -122,7 +123,7 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
-        max_type_constraints: int = 750,
+        max_type_constraints: int = 4000,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -505,17 +506,29 @@ class Clinic(Analysis):
         self._update_progress(37.0, text="Tracking stack pointers")
         spt = self._track_stack_pointers()
 
+        preserve_vvar_ids: set[int] = set()
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] = []
+
         # Simplify blocks
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
         # before they are recognized as stack arguments.
         self._update_progress(38.0, text="Simplifying blocks 1")
-        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
+        ail_graph = self._simplify_blocks(
+            ail_graph,
+            stack_pointer_tracker=spt,
+            cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
+        )
         self._rewrite_alloca(ail_graph)
 
         # Run simplification passes
         self._update_progress(40.0, text="Running simplifications 1")
         ail_graph = self._run_simplification_passes(
-            ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION
+            ail_graph,
+            stack_pointer_tracker=spt,
+            stack_items=self.stack_items,
+            stage=OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION,
         )
 
         # Simplify the entire function for the first time
@@ -532,7 +545,19 @@ class Clinic(Analysis):
         # Run simplification passes again. there might be more chances for peephole optimizations after function-level
         # simplification
         self._update_progress(48.0, text="Simplifying blocks 2")
-        ail_graph = self._simplify_blocks(ail_graph, stack_pointer_tracker=spt, cache=block_simplification_cache)
+        ail_graph = self._simplify_blocks(
+            ail_graph,
+            stack_pointer_tracker=spt,
+            cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
+        )
+
+        # Run simplification passes
+        self._update_progress(49.0, text="Running simplifications 2")
+        ail_graph = self._run_simplification_passes(
+            ail_graph, stage=OptimizationPassStage.BEFORE_SSA_LEVEL1_TRANSFORMATION
+        )
 
         # rewrite (qualified) stack variables into SSA form
         ail_graph = self._transform_to_ssa_level1(ail_graph, func_args)
@@ -544,11 +569,13 @@ class Clinic(Analysis):
         # Rust-specific; only call this on Rust binaries when we can identify language and compiler
         ail_graph = self._rewrite_rust_probestack_call(ail_graph)
         # Windows-specific
-        ail_graph = self._rewrite_windows_stkchk_call(ail_graph)
+        ail_graph = self._rewrite_windows_chkstk_call(ail_graph)
 
         # Make call-sites
         self._update_progress(50.0, text="Making callsites")
-        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(ail_graph, func_args, stack_pointer_tracker=spt)
+        _, stackarg_offsets, removed_vvar_ids = self._make_callsites(
+            ail_graph, func_args, stack_pointer_tracker=spt, preserve_vvar_ids=preserve_vvar_ids
+        )
 
         # Run simplification passes
         self._update_progress(53.0, text="Running simplifications 2")
@@ -565,6 +592,7 @@ class Clinic(Analysis):
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
             removed_vvar_ids=removed_vvar_ids,
             arg_vvars=arg_vvars,
+            preserve_vvar_ids=preserve_vvar_ids,
         )
 
         # After global optimization, there might be more chances for peephole optimizations.
@@ -574,10 +602,12 @@ class Clinic(Analysis):
             ail_graph,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
         )
 
         # Run simplification passes
-        self._update_progress(65.0, text="Running simplifications 3 ")
+        self._update_progress(65.0, text="Running simplifications 3")
         ail_graph = self._run_simplification_passes(
             ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
         )
@@ -592,6 +622,7 @@ class Clinic(Analysis):
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
             arg_vvars=arg_vvars,
+            preserve_vvar_ids=preserve_vvar_ids,
         )
 
         self._update_progress(75.0, text="Simplifying blocks 4")
@@ -599,6 +630,8 @@ class Clinic(Analysis):
             ail_graph,
             stack_pointer_tracker=spt,
             cache=block_simplification_cache,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
         )
 
         # Simplify the entire function for the fourth time
@@ -611,6 +644,12 @@ class Clinic(Analysis):
             narrow_expressions=True,
             fold_callexprs_into_conditions=self._fold_callexprs_into_conditions,
             arg_vvars=arg_vvars,
+            preserve_vvar_ids=preserve_vvar_ids,
+        )
+
+        self._update_progress(79.0, text="Running simplifications 4")
+        ail_graph = self._run_simplification_passes(
+            ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.BEFORE_VARIABLE_RECOVERY
         )
 
         # update arg_list
@@ -623,7 +662,7 @@ class Clinic(Analysis):
 
         # Recover variables on AIL blocks
         self._update_progress(80.0, text="Recovering variables")
-        variable_kb = self._recover_and_link_variables(ail_graph, arg_list, arg_vvars, vvar2vvar)
+        variable_kb = self._recover_and_link_variables(ail_graph, arg_list, arg_vvars, vvar2vvar, type_hints)
 
         # Run simplification passes
         self._update_progress(85.0, text="Running simplifications 4")
@@ -1226,6 +1265,8 @@ class Clinic(Analysis):
         ail_graph: networkx.DiGraph,
         stack_pointer_tracker=None,
         cache: dict[ailment.Block, NamedTuple] | None = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
     ):
         """
         Simplify all blocks in self._blocks.
@@ -1244,6 +1285,8 @@ class Clinic(Analysis):
                 ail_block,
                 stack_pointer_tracker=stack_pointer_tracker,
                 cache=cache,
+                preserve_vvar_ids=preserve_vvar_ids,
+                type_hints=type_hints,
             )
             key = ail_block.addr, ail_block.idx
             blocks_by_addr_and_idx[key] = simplified
@@ -1259,7 +1302,14 @@ class Clinic(Analysis):
 
         return ail_graph
 
-    def _simplify_block(self, ail_block, stack_pointer_tracker=None, cache=None):
+    def _simplify_block(
+        self,
+        ail_block,
+        stack_pointer_tracker=None,
+        cache=None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
+    ):
         """
         Simplify a single AIL block.
 
@@ -1286,6 +1336,8 @@ class Clinic(Analysis):
             peephole_optimizations=self.peephole_optimizations,
             cached_reaching_definitions=cached_rd,
             cached_propagator=cached_prop,
+            preserve_vvar_ids=preserve_vvar_ids,
+            type_hints=type_hints,
         )
         # update the cache
         if cache is not None:
@@ -1308,6 +1360,7 @@ class Clinic(Analysis):
         rewrite_ccalls=True,
         removed_vvar_ids: set[int] | None = None,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
+        preserve_vvar_ids: set[int] | None = None,
     ) -> None:
         """
         Simplify the entire function until it reaches a fixed point.
@@ -1326,6 +1379,7 @@ class Clinic(Analysis):
                 rewrite_ccalls=rewrite_ccalls,
                 removed_vvar_ids=removed_vvar_ids,
                 arg_vvars=arg_vvars,
+                preserve_vvar_ids=preserve_vvar_ids,
             )
             if not simplified:
                 break
@@ -1343,6 +1397,7 @@ class Clinic(Analysis):
         rewrite_ccalls=True,
         removed_vvar_ids: set[int] | None = None,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
+        preserve_vvar_ids: set[int] | None = None,
     ):
         """
         Simplify the entire function once.
@@ -1367,6 +1422,7 @@ class Clinic(Analysis):
             removed_vvar_ids=removed_vvar_ids,
             arg_vvars=arg_vvars,
             secondary_stackvars=self.secondary_stackvars,
+            avoid_vvar_ids=preserve_vvar_ids,
         )
         # cache the simplifier's RDA analysis
         self.reaching_definitions = simp._reaching_definitions
@@ -1381,6 +1437,7 @@ class Clinic(Analysis):
         stage: OptimizationPassStage = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION,
         variable_kb=None,
         stack_items: dict[int, StackItem] | None = None,
+        stack_pointer_tracker=None,
         **kwargs,
     ):
         addr_and_idx_to_blocks: dict[tuple[int, int | None], ailment.Block] = {}
@@ -1415,6 +1472,7 @@ class Clinic(Analysis):
                 scratch=self.optimization_scratch,
                 force_loop_single_exit=self._force_loop_single_exit,
                 complete_successors=self._complete_successors,
+                stack_pointer_tracker=stack_pointer_tracker,
                 **kwargs,
             )
             if a.out_graph:
@@ -1550,7 +1608,13 @@ class Clinic(Analysis):
         return []
 
     @timethis
-    def _make_callsites(self, ail_graph, func_args: set[ailment.Expr.VirtualVariable], stack_pointer_tracker=None):
+    def _make_callsites(
+        self,
+        ail_graph,
+        func_args: set[ailment.Expr.VirtualVariable],
+        stack_pointer_tracker=None,
+        preserve_vvar_ids: set[int] | None = None,
+    ):
         """
         Simplify all function call statements.
         """
@@ -1588,6 +1652,7 @@ class Clinic(Analysis):
                     fail_fast=self._fail_fast,
                     stack_pointer_tracker=stack_pointer_tracker,
                     peephole_optimizations=self.peephole_optimizations,
+                    preserve_vvar_ids=preserve_vvar_ids,
                 )
                 return simp.result_block
             return None
@@ -1663,6 +1728,7 @@ class Clinic(Analysis):
         arg_list: list,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]],
         vvar2vvar: dict[int, int],
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]],
     ):
         # variable recovery
         tmp_kb = KnowledgeBase(self.project) if self.variable_kb is None else self.variable_kb
@@ -1677,6 +1743,7 @@ class Clinic(Analysis):
             unify_variables=False,
             func_arg_vvars=arg_vvars,
             vvar_to_vvar=vvar2vvar,
+            type_hints=type_hints,
         )
         # get ground-truth types
         var_manager = tmp_kb.variables[self.function.addr]
@@ -1710,7 +1777,7 @@ class Clinic(Analysis):
             must_struct = None
         total_type_constraints = sum(len(tc) for tc in vr.type_constraints.values()) if vr.type_constraints else 0
         if total_type_constraints > self._max_type_constraints:
-            l.info(
+            l.warning(
                 "The number of type constraints (%d) is greater than the threshold (%d). Skipping type inference.",
                 total_type_constraints,
                 self._max_type_constraints,
@@ -1821,7 +1888,7 @@ class Clinic(Analysis):
                     if off in variable_manager.stack_offset_to_struct_member_info:
                         stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
 
-            elif stmt_type is ailment.Stmt.Assignment:
+            elif stmt_type is ailment.Stmt.Assignment or stmt_type is ailment.Stmt.WeakAssignment:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.src)
 
@@ -2937,7 +3004,7 @@ class Clinic(Analysis):
                     break
         return ail_graph
 
-    def _rewrite_windows_stkchk_call(self, ail_graph) -> networkx.DiGraph:
+    def _rewrite_windows_chkstk_call(self, ail_graph) -> networkx.DiGraph:
         if not (self.project.simos is not None and self.project.simos.name == "Win32"):
             return ail_graph
 

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -3,7 +3,16 @@ from __future__ import annotations
 import logging
 
 from ailment.block import Block
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
+from ailment.statement import (
+    Statement,
+    Assignment,
+    Store,
+    Call,
+    Return,
+    ConditionalJump,
+    DirtyStatement,
+    WeakAssignment,
+)
 from ailment.expression import (
     Expression,
     VirtualVariable,
@@ -99,6 +108,19 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             return Assignment(stmt.idx, dst, src, **stmt.tags)
         return None
 
+    def _handle_stmt_WeakAssignment(self, stmt) -> WeakAssignment | None:
+        new_src = self._expr(stmt.src)
+        new_dst = self._expr(stmt.dst)
+
+        if new_dst is not None or new_src is not None:
+            return WeakAssignment(
+                stmt.idx,
+                stmt.dst if new_dst is None else new_dst,  # type: ignore
+                stmt.src if new_src is None else new_src,
+                **stmt.tags,
+            )
+        return None
+
     def _handle_stmt_Store(self, stmt):
         new_addr = self._expr(stmt.addr)
         new_data = self._expr(stmt.data)
@@ -299,7 +321,7 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             return VEXCCallExpression(
                 expr.idx,
                 expr.callee,
-                new_operands,
+                tuple(new_operands),
                 bits=expr.bits,
                 **expr.tags,
             )

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -33,6 +33,8 @@ from .call_stmt_rewriter import CallStatementRewriter
 from .duplication_reverter import DuplicationReverter
 from .switch_reused_entry_rewriter import SwitchReusedEntryRewriter
 from .condition_constprop import ConditionConstantPropagation
+from .determine_load_sizes import DetermineLoadSizes
+from .eager_std_string_concatenation import EagerStdStringConcatenationPass
 
 if TYPE_CHECKING:
     from angr.analyses.decompiler.presets import DecompilationPreset
@@ -68,6 +70,8 @@ ALL_OPTIMIZATION_PASSES = [
     CallStatementRewriter,
     TagSlicer,
     ConditionConstantPropagation,
+    DetermineLoadSizes,
+    EagerStdStringConcatenationPass,
 ]
 
 # these passes may duplicate code to remove gotos or improve the structure of the graph
@@ -122,6 +126,7 @@ __all__ = (
     "DeadblockRemover",
     "DivSimplifier",
     "DuplicationReverter",
+    "EagerStdStringConcatenationPass",
     "ExprOpSwapper",
     "FlipBooleanCmp",
     "ITEExprConverter",

angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py

@@ -98,20 +98,22 @@ class BasePointerSaveSimplifier(OptimizationPass):
                 and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                 and stmt.dst.was_stack
                 and stmt.dst.stack_offset < 0
-                and isinstance(stmt.src, ailment.Expr.VirtualVariable)
-                and stmt.src.was_reg
-                and stmt.src.reg_offset == self.project.arch.bp_offset
             ):
-                return first_block, idx, stmt.dst
-            if (
-                isinstance(stmt, ailment.Stmt.Assignment)
-                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_stack
-                and stmt.dst.stack_offset < 0
-                and isinstance(stmt.src, ailment.Expr.StackBaseOffset)
-                and stmt.src.offset == 0
-            ):
-                return first_block, idx, stmt.dst
+                if (
+                    isinstance(stmt.src, ailment.Expr.VirtualVariable)
+                    and stmt.src.was_reg
+                    and stmt.src.reg_offset == self.project.arch.bp_offset
+                ):
+                    return first_block, idx, stmt.dst
+                if isinstance(stmt.src, ailment.Expr.StackBaseOffset) and stmt.src.offset == 0:
+                    return first_block, idx, stmt.dst
+                if (
+                    isinstance(stmt.src, ailment.Expr.UnaryOp)
+                    and isinstance(stmt.src.operand, ailment.Expr.VirtualVariable)
+                    and stmt.src.operand.was_stack
+                    and stmt.src.operand.stack_offset == 0
+                ):
+                    return first_block, idx, stmt.dst
 
         # Not found
         return None

angr/analyses/decompiler/optimization_passes/determine_load_sizes.py

@@ -0,0 +1,64 @@
+from __future__ import annotations
+import logging
+
+from ailment.constant import UNDETERMINED_SIZE
+from ailment.expression import BinaryOp, Load, Const
+from ailment.statement import Assignment, WeakAssignment
+
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class DetermineLoadSizes(OptimizationPass):
+    """
+    Determine the sizes of Load expressions whose sizes are undetermined.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
+    NAME = "Determine sizes of loads whose sizes are undetermined"
+    DESCRIPTION = __doc__.strip()  # type: ignore
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+
+        self.analyze()
+
+    def _check(self):
+        return True, None
+
+    def _analyze(self, cache=None):
+
+        changed = False
+
+        for block in self._graph.nodes:
+            for idx in range(len(block.statements)):  # pylint:disable=consider-using-enumerate
+                stmt = block.statements[idx]
+                if isinstance(stmt, (Assignment, WeakAssignment)):
+                    if isinstance(stmt.src, BinaryOp) and stmt.src.op == "Add" and stmt.src.operands:
+                        operands = stmt.src.operands
+                    elif isinstance(stmt.src, Load):
+                        operands = [stmt.src]
+                    else:
+                        continue
+
+                    for operand in operands:
+                        if (
+                            isinstance(operand, Load)
+                            and isinstance(operand.addr, Const)
+                            and operand.size == UNDETERMINED_SIZE
+                        ):
+                            # probably a string!
+                            bs = self.project.loader.memory.load_null_terminated_bytes(
+                                operand.addr.value, max_size=4096
+                            )
+                            if bs is not None:
+                                operand.size = len(bs)
+                                operand.bits = len(bs) * 8
+                    changed = True
+
+        if changed:
+            self.out_graph = self._graph

angr/analyses/decompiler/optimization_passes/eager_std_string_concatenation.py

@@ -0,0 +1,165 @@
+# pylint:disable=too-many-boolean-expressions,unused-argument
+from __future__ import annotations
+from typing import TYPE_CHECKING
+import logging
+import re
+
+from archinfo import Endness
+
+from ailment.constant import UNDETERMINED_SIZE
+from ailment.statement import Assignment, WeakAssignment
+from ailment.expression import VirtualVariable, BinaryOp, Const, Load
+
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+if TYPE_CHECKING:
+    from angr.analyses.s_reaching_definitions import SRDAModel
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class EagerStdStringConcatenationPass(OptimizationPass):
+    """
+    TODO: Unfinished
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.BEFORE_VARIABLE_RECOVERY
+    NAME = "Condense multiple constant std::string creation calls into one when possible"
+    DESCRIPTION = __doc__.strip()  # type: ignore
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self.analyze()
+
+    def _check(self):
+        # TODO: ensure func calls std::string::operator+ and std::string::operator=
+        return False, {}
+
+    def _analyze(self, cache=None):
+        rd = self.project.analyses.SReachingDefinitions(subject=self._func, func_graph=self._graph).model
+        cfg = self.kb.cfgs.get_most_accurate()
+        assert cfg is not None
+
+        # update each block
+        for key in list(self.blocks_by_addr_and_idx):
+            block = self.blocks_by_addr_and_idx[key]
+            new_block = None
+            for idx, stmt in enumerate(block.statements):
+                if (
+                    isinstance(stmt, Assignment)
+                    and hasattr(stmt, "type")
+                    and "dst" in stmt.type
+                    and "src" in stmt.type
+                    and isinstance(stmt.dst, VirtualVariable)
+                    and isinstance(stmt.src, BinaryOp)
+                    and stmt.src.op == "Add"
+                ):
+                    dst_ty, src_ty = stmt.type["dst"], stmt.type["src"]
+                    if self._is_std_string_type(dst_ty.c_repr()) and self._is_std_string_type(src_ty.c_repr()):
+                        op0, op1 = stmt.src.operands
+                        if isinstance(op1, VirtualVariable) and isinstance(op0, Load):
+                            op0, op1 = op1, op0
+                        if (
+                            isinstance(op0, VirtualVariable)
+                            and isinstance(op1, Load)
+                            and isinstance(op1.addr, Const)
+                            and isinstance(op1.addr.value, int)
+                            # is op1 a constant string?
+                            and op1.addr.value in cfg.memory_data
+                            and cfg.memory_data[op1.addr.value].sort == "string"
+                        ):
+                            op1_str = cfg.memory_data[op1.addr.value].content
+                            # is op0 also an std::string?
+                            op0_str = self._get_vvar_def_string(op0.varid, rd, cfg, block.addr, block.idx)
+                            if op0_str is not None and op1_str is not None:
+                                # let's create a new string
+                                final_str = op0_str + op1_str
+                                str_id = self.kb.custom_strings.allocate(final_str)
+                                # replace the assignment with a new assignment
+                                new_stmt = WeakAssignment(
+                                    stmt.idx,
+                                    stmt.dst,
+                                    Load(
+                                        None,
+                                        Const(None, None, str_id, self.project.arch.bits, custom_string=True),
+                                        UNDETERMINED_SIZE,
+                                        Endness.BE,
+                                    ),
+                                    **stmt.tags,
+                                )
+                                new_block = block.copy() if new_block is None else new_block
+                                new_block.statements[idx] = new_stmt
+            if new_block is not None:
+                self._update_block(block, new_block)
+
+    def _get_vvar_def_string(self, vvar_id: int, rd: SRDAModel, cfg, block_addr, block_idx) -> bytes | None:
+        # search for the closest weak definition of the specified variable
+        # TODO: Optimize this logic in the future
+
+        starting_block = self.blocks_by_addr_and_idx[(block_addr, block_idx)]
+        queue = [starting_block]
+        visited = set()
+        while queue:
+            block = queue.pop(0)
+            if block in visited:
+                continue
+            visited.add(block)
+
+            if not (block.addr == block_addr and block.idx == block_idx):
+                for stmt in block.statements:
+                    if (
+                        isinstance(stmt, WeakAssignment)
+                        and isinstance(stmt.dst, VirtualVariable)
+                        and stmt.dst.varid == vvar_id
+                    ):
+                        if (
+                            isinstance(stmt.src, Load)
+                            and isinstance(stmt.src.addr, Const)
+                            and stmt.src.addr.value in cfg.memory_data
+                        ):
+                            if cfg.memory_data[stmt.src.addr.value].sort == "string":
+                                return cfg.memory_data[stmt.src.addr.value].content
+                        elif (
+                            isinstance(stmt.src, Const)
+                            and hasattr(stmt.src, "custom_string")
+                            and stmt.src.custom_string
+                        ):
+                            return self.kb.custom_strings.get(stmt.src.value)
+
+            preds = list(self._graph.predecessors(block))
+            if len(preds) == 1:
+                queue.append(preds[0])
+
+        return None
+
+    @staticmethod
+    def _is_std_string_type(type_str: str) -> bool:
+        type_str = type_str.removeprefix("const ")
+        return (
+            re.match(
+                r"class std::basic_string<char a\d+, struct std::char_traits<char> a\d+, class std::allocator<char>>",
+                type_str,
+            )
+            is not None
+        )
+
+        # pcreg_offset = self.project.arch.registers[getpc_reg][0]
+
+
+#
+# old_block = self.blocks_by_addr_and_idx[block_key]
+# block = old_block.copy()
+# old_stmt = block.statements[stmt_idx]
+# block.statements[stmt_idx] = ailment.Stmt.Assignment(
+#     old_stmt.idx,
+#     ailment.Expr.Register(None, None, pcreg_offset, 32, reg_name=getpc_reg),
+#     ailment.Expr.Const(None, None, getpc_reg_value, 32),
+#     **old_stmt.tags,
+# )
+# # remove the statement that pushes return address onto the stack
+# if stmt_idx > 0 and isinstance(block.statements[stmt_idx - 1], ailment.Stmt.Store):
+#     block.statements = block.statements[: stmt_idx - 1] + block.statements[stmt_idx:]
+# self._update_block(old_block, block)

angr/analyses/decompiler/optimization_passes/engine_base.py

@@ -73,7 +73,16 @@ class SimplifierAILEngine(
             self.state.store_variable(dst, src)
 
         if (src, dst) != (stmt.src, stmt.dst):
-            return ailment.statement.Assignment(stmt.idx, dst, src, **stmt.tags)
+            return ailment.statement.Assignment(stmt.idx, dst, src, **stmt.tags)  # type:ignore
+
+        return stmt
+
+    def _handle_stmt_WeakAssignment(self, stmt: ailment.statement.WeakAssignment):
+        src = self._expr(stmt.src)
+        dst = self._expr(stmt.dst)
+
+        if (src, dst) != (stmt.src, stmt.dst):
+            return ailment.statement.WeakAssignment(stmt.idx, dst, src, **stmt.tags)  # type:ignore
 
         return stmt
 
@@ -150,7 +159,7 @@ class SimplifierAILEngine(
     def _handle_stmt_DirtyStatement(self, stmt):
         expr = self._expr(stmt.dirty)
         if expr != stmt.dirty:
-            return ailment.statement.DirtyStatement(stmt.idx, expr, **stmt.tags)
+            return ailment.statement.DirtyStatement(stmt.idx, expr, **stmt.tags)  # type:ignore
         return stmt
 
     def _handle_stmt_Label(self, stmt):

angr/analyses/decompiler/optimization_passes/flip_boolean_cmp.py

@@ -8,6 +8,7 @@ from ailment.expression import Op
 from angr.analyses.decompiler.structuring.structurer_nodes import ConditionNode
 from angr.analyses.decompiler.utils import (
     structured_node_is_simple_return,
+    structured_node_is_simple_return_strict,
     sequence_to_statements,
     structured_node_has_multi_predecessors,
 )
@@ -44,7 +45,7 @@ class FlipBooleanWalker(SequenceWalker):
                 and node.true_node is not None
                 and node.false_node is None
                 and idx < len(seq_node.nodes) - 1
-                and structured_node_is_simple_return(seq_node.nodes[idx + 1], self._graph)
+                and structured_node_is_simple_return_strict(seq_node.nodes[idx + 1])
                 and node not in type1_condition_nodes
             ):
                 # Type 2: Special Filter: