angr 9.2.148__py3-none-manylinux2014_x86_64.whl → 9.2.150__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/peephole_optimizations/rewrite_conv_mul.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+from ailment.expression import BinaryOp, Const, Convert
+
+from .base import PeepholeOptimizationExprBase
+
+
+class RewriteConvMul(PeepholeOptimizationExprBase):
+    """
+    Rewrites multiplication to be inside conversion.
+    """
+
+    __slots__ = ()
+
+    NAME = "Rewrite Conv Mul"
+    expr_classes = (BinaryOp,)
+
+    # Conv(64->32, (Conv(32->64, expr) * N<64>)) * N<32>)
+    # => Conv(64->32, (Conv(32->64, expr) * N<64>) * Conv(32->64,N<32>))
+    def optimize(self, expr: BinaryOp, **kwargs):
+        if (
+            expr.op == "Mul"
+            and isinstance(expr.operands[1], Const)
+            and expr.operands[1].bits == 32
+            and isinstance(expr.operands[0], Convert)
+            and expr.operands[0].from_bits > expr.operands[0].to_bits
+        ):
+            op0, op1 = expr.operands
+            operand_expr = op0.operand
+            if (
+                isinstance(operand_expr, BinaryOp)
+                and operand_expr.op == "Mul"
+                and isinstance(operand_expr.operands[1], Const)
+                and operand_expr.operands[1].bits == 64
+            ):
+                new_op1 = Convert(op1.idx, op1.bits, op0.from_bits, False, op1, **op1.tags)
+                new_op0 = op0.operand
+                new_expr = BinaryOp(expr.idx, "Mul", [new_op0, new_op1], expr.signed, **expr.tags)
+                return Convert(new_expr.idx, op0.from_bits, op0.to_bits, False, new_expr, **expr.tags)
+
+        return None

angr/analyses/decompiler/peephole_optimizations/rewrite_cxx_operator_calls.py

@@ -0,0 +1,90 @@
+# pylint:disable=arguments-differ,too-many-boolean-expressions,no-self-use
+from __future__ import annotations
+
+from archinfo import Endness
+from ailment.constant import UNDETERMINED_SIZE
+from ailment.expression import Const, VirtualVariable, BinaryOp, UnaryOp, Load
+from ailment.statement import Call, WeakAssignment
+
+from angr.sim_type import SimTypeReference, SimCppClass
+from angr.knowledge_plugins.key_definitions import atoms
+from .base import PeepholeOptimizationStmtBase
+
+
+class RewriteCxxOperatorCalls(PeepholeOptimizationStmtBase):
+    """
+    Rewrite C++ operator function calls into operations.
+    """
+
+    __slots__ = ()
+
+    NAME = "Rewrite C++ operator function calls into operations"
+    stmt_classes = (Call,)
+
+    def optimize(self, stmt: Call, block=None, **kwargs):  # type: ignore
+        assert self.project is not None
+
+        # are we calling a function that we deem as an overridden operator function?
+        if isinstance(stmt.target, Const):
+            func_addr = stmt.target.value
+            if not self.project.kb.functions.contains_addr(func_addr):
+                return None
+            func = self.project.kb.functions[func_addr]
+            if "operator=" in func.demangled_name and stmt.args is not None:
+                return self._optimize_operator_equal(stmt)
+            if "operator+" in func.demangled_name and stmt.args is not None:
+                return self._optimize_operator_add(stmt)
+            # TODO: Support other types of C++ operator functions
+
+        return None
+
+    def _optimize_operator_equal(self, stmt: Call) -> WeakAssignment | None:
+        if stmt.args and len(stmt.args) == 2 and isinstance(stmt.args[0], UnaryOp) and stmt.args[0].op == "Reference":
+            dst = stmt.args[0].operand
+            if isinstance(dst, VirtualVariable):
+                self.preserve_vvar_ids.add(dst.varid)
+                atom = atoms.VirtualVariable(dst.varid, dst.size, dst.category, dst.oident)
+                if stmt.prototype is not None and isinstance(stmt.prototype.returnty, SimTypeReference):
+                    type_hint = self._type_hint_from_typeref(stmt.prototype.returnty)
+                    if type_hint is not None:
+                        self.type_hints.append((atom, type_hint))
+            arg1 = (
+                Load(None, stmt.args[1], UNDETERMINED_SIZE, Endness.BE, **stmt.tags)
+                if isinstance(stmt.args[1], Const)
+                else stmt.args[1]
+            )
+            type_ = None
+            if stmt.prototype is not None:
+                dst_ty = stmt.prototype.returnty
+                if isinstance(dst_ty, SimTypeReference):
+                    dst_ty = dst_ty.refs
+                type_ = {"dst": dst_ty, "src": stmt.prototype.args[1]}
+            return WeakAssignment(stmt.idx, stmt.args[0].operand, arg1, type=type_, **stmt.tags)  # type:ignore
+        return None
+
+    def _optimize_operator_add(self, stmt: Call) -> WeakAssignment | None:
+        if (
+            stmt.args
+            and len(stmt.args) == 3
+            and isinstance(stmt.args[1], UnaryOp)
+            and stmt.args[1].op == "Reference"
+            and isinstance(stmt.args[1].operand, VirtualVariable)
+            and isinstance(stmt.args[2], Const)
+            and isinstance(stmt.ret_expr, VirtualVariable)
+        ):
+            arg2 = Load(None, stmt.args[2], UNDETERMINED_SIZE, Endness.BE, **stmt.tags)
+            addition = BinaryOp(None, "Add", [stmt.args[1].operand, arg2], **stmt.tags)
+            type_ = None
+            if stmt.prototype is not None:
+                dst_ty = stmt.prototype.returnty
+                if isinstance(dst_ty, SimTypeReference):
+                    dst_ty = dst_ty.refs
+                type_ = {"dst": dst_ty, "src": stmt.prototype.args[1]}
+            return WeakAssignment(stmt.idx, stmt.ret_expr, addition, type=type_, **stmt.tags)
+        return None
+
+    @staticmethod
+    def _type_hint_from_typeref(typeref: SimTypeReference) -> str | None:
+        if isinstance(typeref.refs, SimCppClass) and typeref.refs.unique_name:
+            return typeref.refs.unique_name
+        return None

angr/analyses/decompiler/presets/fast.py

@@ -22,6 +22,7 @@ from angr.analyses.decompiler.optimization_passes import (
     DeadblockRemover,
     SwitchReusedEntryRewriter,
     ConditionConstantPropagation,
+    DetermineLoadSizes,
 )
 
 
@@ -49,6 +50,7 @@ preset_fast = DecompilationPreset(
         InlinedStringTransformationSimplifier,
         CallStatementRewriter,
         ConditionConstantPropagation,
+        DetermineLoadSizes,
     ],
 )
 

angr/analyses/decompiler/presets/full.py

@@ -27,6 +27,7 @@ from angr.analyses.decompiler.optimization_passes import (
     CallStatementRewriter,
     SwitchReusedEntryRewriter,
     ConditionConstantPropagation,
+    DetermineLoadSizes,
 )
 
 
@@ -59,6 +60,7 @@ preset_full = DecompilationPreset(
         CallStatementRewriter,
         SwitchReusedEntryRewriter,
         ConditionConstantPropagation,
+        DetermineLoadSizes,
     ],
 )
 

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -6,7 +6,17 @@ import logging
 from archinfo import Endness
 from ailment.block import Block
 from ailment.manager import Manager
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
+from ailment.statement import (
+    Statement,
+    Assignment,
+    Store,
+    Call,
+    Return,
+    ConditionalJump,
+    DirtyStatement,
+    Jump,
+    WeakAssignment,
+)
 from ailment.expression import (
     Expression,
     Register,
@@ -181,6 +191,19 @@ class SimEngineSSARewriting(
             return new_stmt
         return None
 
+    def _handle_stmt_WeakAssignment(self, stmt) -> WeakAssignment | None:
+        new_src = self._expr(stmt.src)
+        new_dst = self._expr(stmt.dst)
+
+        if new_dst is not None or new_src is not None:
+            return WeakAssignment(
+                stmt.idx,
+                stmt.dst if new_dst is None else new_dst,  # type: ignore
+                stmt.src if new_src is None else new_src,
+                **stmt.tags,
+            )
+        return None
+
     def _handle_stmt_Store(self, stmt: Store) -> Store | Assignment | tuple[Assignment, ...] | None:
         new_data = self._expr(stmt.data)
         if stmt.guard is None:
@@ -505,7 +528,28 @@ class SimEngineSSARewriting(
         return None
 
     def _handle_expr_StackBaseOffset(self, expr):
-        return None
+        if expr.offset not in self.state.stackvars:
+            # create it on the fly
+            vvar_id = self.get_vvid_by_def(
+                self.block.addr,
+                self.block.idx,
+                self.stmt_idx,
+                atoms.MemoryLocation(expr.offset, 1, self.project.arch.memory_endness),
+                "l",
+            )
+            vvar = VirtualVariable(
+                self.ail_manager.next_atom(),
+                vvar_id,
+                1 * self.arch.byte_width,
+                category=VirtualVariableCategory.STACK,
+                oident=expr.offset,
+                **expr.tags,
+            )
+            self.state.stackvars[expr.offset][1] = vvar
+        else:
+            sz = 1 if 1 in self.state.stackvars[expr.offset] else max(self.state.stackvars[expr.offset])
+            vvar = self.state.stackvars[expr.offset][sz]
+        return UnaryOp(expr.idx, "Reference", vvar, bits=expr.bits, **expr.tags)
 
     def _handle_expr_VirtualVariable(self, expr):
         return None
@@ -807,7 +851,8 @@ class SimEngineSSARewriting(
             and expr.size in self.stackvar_locs[expr.addr.offset]
         ):
             if expr.size not in self.state.stackvars[expr.addr.offset]:
-                # create it on the fly
+                # we have not seen its use before (which does not necessarily mean it's never created!), so we create
+                # it on the fly and record it in self.state.stackvars
                 vvar_id = self.get_vvid_by_def(
                     self.block.addr,
                     self.block.idx,
@@ -815,7 +860,7 @@ class SimEngineSSARewriting(
                     atoms.MemoryLocation(expr.addr.offset, expr.size, Endness(expr.endness)),
                     "l",
                 )
-                return VirtualVariable(
+                var = VirtualVariable(
                     self.ail_manager.next_atom(),
                     vvar_id,
                     expr.size * self.arch.byte_width,
@@ -823,6 +868,8 @@ class SimEngineSSARewriting(
                     oident=expr.addr.offset,
                     **expr.tags,
                 )
+                self.state.stackvars[expr.addr.offset][expr.size] = var
+                return var
 
             # TODO: Support truncation
             # TODO: Maybe also support concatenation

angr/analyses/decompiler/ssailification/ssailification.py

@@ -134,7 +134,9 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         if self._ssa_stackvars:
             # for stack variables, we collect all definitions and identify stack variable locations using heuristics
 
-            stackvar_locs = self._synthesize_stackvar_locs([def_ for def_, _ in def_to_loc if isinstance(def_, Store)])
+            stackvar_locs = self._synthesize_stackvar_locs(
+                [def_ for def_, _ in def_to_loc if isinstance(def_, (Store, StackBaseOffset))]
+            )
             # handle function arguments
             if self._func_args:
                 for func_arg in self._func_args:
@@ -173,6 +175,20 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
                         if def_.size in stackvar_locs[off] and def_.size < full_sz:
                             udef_to_defs[("stack", off, def_.size)].add(def_)
                             udef_to_blockkeys[("stack", off, def_.size)].add((loc.block_addr, loc.block_idx))
+            elif isinstance(def_, StackBaseOffset):
+                sz = 1
+                idx_begin = bisect_left(sorted_stackvar_offs, def_.offset)
+                for i in range(idx_begin, len(sorted_stackvar_offs)):
+                    off = sorted_stackvar_offs[i]
+                    if off >= def_.offset + sz:
+                        break
+                    full_sz = max(stackvar_locs[off])
+                    udef_to_defs[("stack", off, full_sz)].add(def_)
+                    udef_to_blockkeys[("stack", off, full_sz)].add((loc.block_addr, loc.block_idx))
+                    # add a definition for the partial stack variable
+                    if sz in stackvar_locs[off] and sz < full_sz:
+                        udef_to_defs[("stack", off, sz)].add(def_)
+                        udef_to_blockkeys[("stack", off, sz)].add((loc.block_addr, loc.block_idx))
             elif isinstance(def_, Tmp):
                 # Tmps are local to each block and do not need phi nodes
                 pass
@@ -211,7 +227,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         return last_frontier
 
     @staticmethod
-    def _synthesize_stackvar_locs(defs: list[Store]) -> dict[int, set[int]]:
+    def _synthesize_stackvar_locs(defs: list[Store | StackBaseOffset]) -> dict[int, set[int]]:
         """
         Derive potential locations (in terms of offsets and sizes) for stack variables based on all stack variable
         definitions provided.
@@ -224,7 +240,11 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         offs: set[int] = set()
 
         for def_ in defs:
-            if isinstance(def_.addr, StackBaseOffset):
+            if isinstance(def_, StackBaseOffset):
+                stack_off = def_.offset
+                accesses[stack_off].add(1)
+                offs.add(stack_off)
+            elif isinstance(def_, Store) and isinstance(def_.addr, StackBaseOffset):
                 stack_off = def_.addr.offset
                 accesses[stack_off].add(def_.size)
                 offs.add(stack_off)

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -60,6 +60,10 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
 
         self._expr(stmt.src)
 
+    def _handle_stmt_WeakAssignment(self, stmt):
+        self._expr(stmt.src)
+        self._expr(stmt.dst)
+
     def _handle_stmt_Store(self, stmt: Store):
         self._expr(stmt.addr)
         self._expr(stmt.data)
@@ -149,6 +153,17 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
             self.loc_to_defs[codeloc].add(expr)
             self.state.live_stackvars.add((expr.addr.offset, expr.size))
 
+    def _handle_expr_StackBaseOffset(self, expr: StackBaseOffset):
+        # we don't know the size, so we assume the size is 1 for now...
+        sz = 1
+        if isinstance(expr.offset, int) and (expr.offset, sz) not in self.state.live_stackvars:
+            codeloc = self._codeloc()
+            self.def_to_loc.append((expr, codeloc))
+            if codeloc not in self.loc_to_defs:
+                self.loc_to_defs[codeloc] = OrderedSet()
+            self.loc_to_defs[codeloc].add(expr)
+            self.state.live_stackvars.add((expr.offset, sz))
+
     def _handle_expr_Tmp(self, expr: Tmp):
         if self.use_tmps:
             codeloc = self._codeloc()
@@ -269,6 +284,5 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
     _handle_expr_Phi = _handle_Dummy
     _handle_expr_Const = _handle_Dummy
     _handle_expr_MultiStatementExpression = _handle_Dummy
-    _handle_expr_StackBaseOffset = _handle_Dummy
     _handle_expr_BasePointerOffset = _handle_Dummy
     _handle_expr_Call = _handle_Dummy

angr/analyses/decompiler/structured_codegen/c.py

@@ -5,8 +5,10 @@ from collections.abc import Callable
 from collections import defaultdict, Counter
 import logging
 import struct
+import re
 
 from ailment import Block, Expr, Stmt, Tmp
+from ailment.constant import UNDETERMINED_SIZE
 from ailment.expression import StackBaseOffset, BinaryOp
 from unique_log_filter import UniqueLogFilter
 
@@ -34,6 +36,7 @@ from angr.sim_type import (
     SimTypeInt128,
     SimTypeInt256,
     SimTypeInt512,
+    SimCppClass,
 )
 from angr.knowledge_plugins.functions import Function
 from angr.sim_variable import SimVariable, SimTemporaryVariable, SimStackVariable, SimMemoryVariable
@@ -156,6 +159,18 @@ def guess_value_type(value: int, project: angr.Project) -> SimType | None:
     return None
 
 
+def type_equals(t0: SimType, t1: SimType) -> bool:
+    # special logic for C++ classes
+    if isinstance(t0, SimCppClass) and isinstance(t1, SimCppClass):  # noqa: SIM102
+        # TODO: Use the information (class names, etc.) in types_stl
+        if {t1.name, t0.name} == {
+            "std::string",
+            "class std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>",
+        }:
+            return True
+    return t0 == t1
+
+
 def type_to_c_repr_chunks(ty: SimType, name=None, name_type=None, full=False, indent_str=""):
     """
     Helper generator function to turn a SimType into generated tuples of (C-string, AST node).
@@ -164,7 +179,10 @@ def type_to_c_repr_chunks(ty: SimType, name=None, name_type=None, full=False, in
         if full:
             # struct def preamble
             yield indent_str, None
-            yield "typedef struct ", None
+            if isinstance(ty, SimCppClass):
+                yield "class ", None
+            else:
+                yield "typedef struct ", None
             yield ty.name, ty
             yield " {\n", None
 
@@ -1242,6 +1260,7 @@ class CFunctionCall(CStatement, CExpression):
         "callee_func",
         "callee_target",
         "is_expr",
+        "prettify_thiscall",
         "ret_expr",
         "returning",
         "show_demangled_name",
@@ -1258,6 +1277,7 @@ class CFunctionCall(CStatement, CExpression):
         is_expr: bool = False,
         show_demangled_name=True,
         show_disambiguated_name: bool = True,
+        prettify_thiscall: bool = True,
         tags=None,
         codegen=None,
         **kwargs,
@@ -1273,6 +1293,7 @@ class CFunctionCall(CStatement, CExpression):
         self.is_expr = is_expr
         self.show_demangled_name = show_demangled_name
         self.show_disambiguated_name = show_disambiguated_name
+        self.prettify_thiscall = prettify_thiscall
 
     @property
     def prototype(self) -> SimTypeFunction | None:  # TODO there should be a prototype for each callsite!
@@ -1313,6 +1334,13 @@ class CFunctionCall(CStatement, CExpression):
 
         return False
 
+    @staticmethod
+    def _is_func_likely_cxx_class_method(func_name: str) -> bool:
+        if "::" not in func_name:
+            return False
+        chunks = func_name.split("::")
+        return re.match(r"[a-zA-Z_][a-zA-Z0-9_]*", chunks[-1]) is not None
+
     def c_repr_chunks(self, indent=0, asexpr: bool = False):
         """
 
@@ -1332,8 +1360,13 @@ class CFunctionCall(CStatement, CExpression):
                 func_name = get_cpp_function_name(self.callee_func.demangled_name, specialized=False, qualified=True)
             else:
                 func_name = self.callee_func.name
+            if self.prettify_thiscall and self.args and self._is_func_likely_cxx_class_method(func_name):
+                func_name = self.callee_func.short_name
+                yield from self._c_repr_chunks_thiscall(func_name, asexpr=asexpr)
+                return
             if self.show_disambiguated_name and self._is_target_ambiguous(func_name):
                 func_name = self.callee_func.get_unambiguous_name(display_name=func_name)
+
             yield func_name, self
         elif isinstance(self.callee_target, str):
             yield self.callee_target, self
@@ -1356,6 +1389,37 @@ class CFunctionCall(CStatement, CExpression):
                 yield " /* do not return */", None
             yield "\n", None
 
+    def _c_repr_chunks_thiscall(self, func_name: str, asexpr: bool = False):
+        # The first argument is the `this` pointer
+        assert self.args
+        this_ref = self.args[0]
+        if isinstance(this_ref, CUnaryOp) and this_ref.op == "Reference":
+            yield from CExpression._try_c_repr_chunks(this_ref.operand)
+        else:
+            yield from CExpression._try_c_repr_chunks(this_ref)
+
+        yield ".", None
+        yield func_name, self
+
+        # the remaining arguments
+        paren = CClosingObject("(")
+        yield "(", paren
+
+        for i, arg in enumerate(self.args):
+            if i == 0:
+                continue
+            if i > 1:
+                yield ", ", None
+            yield from CExpression._try_c_repr_chunks(arg)
+
+        yield ")", paren
+
+        if not self.is_expr and not asexpr:
+            yield ";", None
+            if not self.returning:
+                yield " /* do not return */", None
+            yield "\n", None
+
 
 class CReturn(CStatement):
     __slots__ = ("retval",)
@@ -1761,6 +1825,13 @@ class CBinaryOp(CExpression):
         # C spec https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2596.pdf 6.3.1.8 Usual arithmetic conversions
         rhs_ptr = isinstance(rhs_ty, SimTypePointer)
         lhs_ptr = isinstance(lhs_ty, SimTypePointer)
+        rhs_cls = isinstance(unpack_typeref(rhs_ty), SimCppClass)
+        lhs_cls = isinstance(unpack_typeref(lhs_ty), SimCppClass)
+
+        if lhs_cls:
+            return lhs_ty
+        if rhs_cls:
+            return rhs_ty
 
         if op in ("Add", "Sub"):
             if lhs_ptr and rhs_ptr:
@@ -2462,6 +2533,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             # AIL statements
             Stmt.Store: self._handle_Stmt_Store,
             Stmt.Assignment: self._handle_Stmt_Assignment,
+            Stmt.WeakAssignment: self._handle_Stmt_WeakAssignment,
             Stmt.Call: self._handle_Stmt_Call,
             Stmt.Jump: self._handle_Stmt_Jump,
             Stmt.ConditionalJump: self._handle_Stmt_ConditionalJump,
@@ -2798,17 +2870,17 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         if offset == 0:
             data_type = renegotiate_type(data_type, base_type)
-            if base_type == data_type or (
+            if type_equals(base_type, data_type) or (
                 base_type.size is not None and data_type.size is not None and base_type.size < data_type.size
             ):
                 # case 1: we're done because we found it
                 # case 2: we're done because we can never find it and we might as well stop early
                 if base_expr:
-                    if base_type != data_type:
+                    if not type_equals(base_type, data_type):
                         return _force_type_cast(base_type, data_type, base_expr)
                     return base_expr
 
-                if base_type != data_type:
+                if not type_equals(base_type, data_type):
                     return _force_type_cast(base_type, data_type, expr)
                 return CUnaryOp("Dereference", expr, codegen=self)
 
@@ -3265,13 +3337,58 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         csrc = self._handle(stmt.src, lvalue=False)
         cdst = None
 
+        src_type = csrc.type
+        dst_type = src_type
+        if hasattr(stmt, "type"):
+            src_type = stmt.type.get("src", None)
+            dst_type = stmt.type.get("dst", None)
+
+        if isinstance(stmt.dst, Expr.VirtualVariable) and stmt.dst.was_stack:
+
+            def negotiate(old_ty, proposed_ty):
+                # transfer casts from the dst to the src if possible
+                # if we see something like *(size_t*)&v4 = x; where v4 is a pointer, change to v4 = (void*)x;
+                nonlocal csrc
+                if not type_equals(old_ty, proposed_ty) and qualifies_for_simple_cast(old_ty, proposed_ty):
+                    csrc = CTypeCast(csrc.type, proposed_ty, csrc, codegen=self)
+                    return proposed_ty
+                return old_ty
+
+            if stmt.dst.variable is not None:
+                if "struct_member_info" in stmt.dst.tags:
+                    offset, var, _ = stmt.dst.struct_member_info
+                    cvar = self._variable(var, stmt.dst.size, vvar_id=stmt.dst.varid)
+                else:
+                    cvar = self._variable(stmt.dst.variable, stmt.dst.size, vvar_id=stmt.dst.varid)
+                    offset = stmt.dst.variable_offset or 0
+                assert type(offset) is int  # I refuse to deal with the alternative
+
+                cdst = self._access_constant_offset(
+                    self._get_variable_reference(cvar), offset, dst_type, True, negotiate
+                )
+
+        if cdst is None:
+            cdst = self._handle(stmt.dst, lvalue=True)
+
+        return CAssignment(cdst, csrc, tags=stmt.tags, codegen=self)
+
+    def _handle_Stmt_WeakAssignment(self, stmt, **kwargs):
+        csrc = self._handle(stmt.src, lvalue=False)
+        cdst = None
+
+        src_type = csrc.type
+        dst_type = src_type
+        if hasattr(stmt, "type"):
+            src_type = stmt.type.get("src", None)
+            dst_type = stmt.type.get("dst", None)
+
         if isinstance(stmt.dst, Expr.VirtualVariable) and stmt.dst.was_stack:
 
             def negotiate(old_ty, proposed_ty):
                 # transfer casts from the dst to the src if possible
                 # if we see something like *(size_t*)&v4 = x; where v4 is a pointer, change to v4 = (void*)x;
                 nonlocal csrc
-                if old_ty != proposed_ty and qualifies_for_simple_cast(old_ty, proposed_ty):
+                if not type_equals(old_ty, proposed_ty) and qualifies_for_simple_cast(old_ty, proposed_ty):
                     csrc = CTypeCast(csrc.type, proposed_ty, csrc, codegen=self)
                     return proposed_ty
                 return old_ty
@@ -3286,7 +3403,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 assert type(offset) is int  # I refuse to deal with the alternative
 
                 cdst = self._access_constant_offset(
-                    self._get_variable_reference(cvar), offset, csrc.type, True, negotiate
+                    self._get_variable_reference(cvar), offset, dst_type, True, negotiate
                 )
 
         if cdst is None:
@@ -3413,7 +3530,18 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         return CRegister(expr, tags=expr.tags, codegen=self)
 
     def _handle_Expr_Load(self, expr: Expr.Load, **kwargs):
-        ty = self.default_simtype_from_bits(expr.bits)
+        if expr.size == UNDETERMINED_SIZE:
+            # the size is undetermined; we force it to 1
+            expr_size = 1
+            expr_bits = 8
+        else:
+            expr_size = expr.size
+            expr_bits = expr.bits
+
+        if expr.size > 100 and isinstance(expr.addr, Expr.Const):
+            return self._handle_Expr_Const(expr.addr, type_=SimTypePointer(SimTypeChar()).with_arch(self.project.arch))
+
+        ty = self.default_simtype_from_bits(expr_bits)
 
         def negotiate(old_ty: SimType, proposed_ty: SimType) -> SimType:
             # we do not allow returning a struct for a primitive type
@@ -3430,7 +3558,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 offset, var, _ = expr.struct_member_info
                 cvar = self._variable(var, var.size)
             else:
-                cvar = self._variable(expr.variable, expr.size)
+                cvar = self._variable(expr.variable, expr_size)
                 offset = expr.variable_offset or 0
 
             assert type(offset) is int  # I refuse to deal with the alternative
@@ -3449,7 +3577,10 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         inline_string = False
         function_pointer = False
 
-        if reference_values is None and hasattr(expr, "reference_values"):
+        if type_ is None and hasattr(expr, "type"):
+            type_ = expr.type
+
+        if type_ is None and reference_values is None and hasattr(expr, "reference_values"):
             reference_values = expr.reference_values.copy()
             if reference_values:
                 type_ = next(iter(reference_values))
@@ -3665,7 +3796,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         if expr.variable is not None:
             if "struct_member_info" in expr.tags:
                 offset, var, _ = expr.struct_member_info
-                cbasevar = self._variable(var, expr.size)
+                cbasevar = self._variable(var, expr.size, vvar_id=expr.varid)
                 cvar = self._access_constant_offset(
                     self._get_variable_reference(cbasevar), offset, cbasevar.type, False, negotiate
                 )