angr 9.2.162__cp310-abi3-macosx_11_0_arm64.whl → 9.2.164__cp310-abi3-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.162"
+__version__ = "9.2.164"
 
 if bytes is str:
     raise Exception(

angr/ailment/converter_vex.py

@@ -606,7 +606,7 @@ class VEXStmtConverter(Converter):
         expd_hi = VEXExprConverter.convert(stmt.expdHi, manager) if stmt.expdHi is not None else None
         old_lo = VEXExprConverter.tmp(stmt.oldLo, manager.tyenv.sizeof(stmt.oldLo), manager)
         old_hi = (
-            VEXExprConverter.tmp(stmt.oldHi, stmt.oldHi.result_size(manager.tyenv), manager)
+            VEXExprConverter.tmp(stmt.oldHi, manager.tyenv.sizeof(stmt.oldHi), manager)
             if stmt.oldHi != 0xFFFFFFFF
             else None
         )

angr/ailment/expression.py

@@ -102,6 +102,18 @@ class Const(Atom):
         self.value = value
         self.bits = bits
 
+    @property
+    def value_int(self) -> int:
+        if isinstance(self.value, int):
+            return self.value
+        raise TypeError(f"Incorrect value type; expect int, got {type(self.value)}")
+
+    @property
+    def value_float(self) -> float:
+        if isinstance(self.value, float):
+            return self.value
+        raise TypeError(f"Incorrect value type; expect float, got {type(self.value)}")
+
     @property
     def size(self):
         return self.bits // 8
@@ -604,7 +616,11 @@ class Convert(UnaryOp):
         self.rounding_mode = rounding_mode
 
     def __str__(self):
-        return f"Conv({self.from_bits}->{'s' if self.is_signed else ''}{self.to_bits}, {self.operand})"
+        from_type = "I" if self.from_type == Convert.TYPE_INT else "F"
+        to_type = "I" if self.to_type == Convert.TYPE_INT else "F"
+        return (
+            f"Conv({self.from_bits}{from_type}->{'s' if self.is_signed else ''}{self.to_bits}{to_type}, {self.operand})"
+        )
 
     def __repr__(self):
         return str(self)

angr/analyses/cfg/cfg_base.py

@@ -1868,7 +1868,7 @@ class CFGBase(Analysis):
             should_merge = True
             functions_to_merge = set()
             i = func_pos + 1
-            while i < len(all_func_addrs):
+            while i < len(all_func_addrs) and all_func_addrs[i] < endpoint_addr:
                 f_addr = all_func_addrs[i]
                 i += 1
                 f = functions[f_addr]
@@ -1952,11 +1952,11 @@ class CFGBase(Analysis):
                     # skip empty blocks (that are usually caused by lifting failures)
                     continue
                 block = func_0.get_block(block_node.addr, block_node.size)
-                if block.vex_nostmt.jumpkind not in ("Ijk_Boring", "Ijk_InvalICache"):
-                    continue
                 # Skip alignment blocks
                 if self._is_noop_block(self.project.arch, block):
                     continue
+                if block.vex_nostmt.jumpkind not in ("Ijk_Boring", "Ijk_InvalICache"):
+                    continue
 
                 # does the first block transition to the next function?
                 transition_found = False
@@ -2001,17 +2001,20 @@ class CFGBase(Analysis):
 
                 cfgnode_1_merged = False
                 # we only merge two CFG nodes if the first one does not end with a branch instruction
-                if (
-                    len(func_0.block_addrs_set) == 1
-                    and len(out_edges) == 1
-                    and out_edges[0][0].addr == cfgnode_0.addr
-                    and out_edges[0][0].size == cfgnode_0.size
-                    and self.project.factory.block(cfgnode_0.addr, strict_block_end=True).size > cfgnode_0.size
-                ):
-                    cfgnode_1_merged = True
-                    self._merge_cfgnodes(cfgnode_0, cfgnode_1)
-                    adjusted_cfgnodes.add(cfgnode_0)
-                    adjusted_cfgnodes.add(cfgnode_1)
+                if len(func_0.block_addrs_set) == 1 and len(out_edges) == 1:
+                    outedge_src, outedge_dst, outedge_data = out_edges[0]
+                    if (
+                        outedge_src.addr == cfgnode_0.addr
+                        and outedge_src.size == cfgnode_0.size
+                        and outedge_dst.addr == cfgnode_1.addr
+                        and cfgnode_0.addr + cfgnode_0.size == cfgnode_1.addr
+                        and outedge_data.get("type", None) == "transition"
+                        and outedge_data.get("stmt_idx", None) == DEFAULT_STATEMENT
+                    ):
+                        cfgnode_1_merged = True
+                        self._merge_cfgnodes(cfgnode_0, cfgnode_1)
+                        adjusted_cfgnodes.add(cfgnode_0)
+                        adjusted_cfgnodes.add(cfgnode_1)
 
                 # Merge it
                 func_1 = functions[addr_1]

angr/analyses/cfg/cfg_emulated.py

@@ -28,6 +28,7 @@ from angr.errors import (
     AngrCFGError,
     AngrError,
     AngrSkipJobNotice,
+    AngrSyscallError,
     SimError,
     SimValueError,
     SimSolverModeError,
@@ -1806,7 +1807,10 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         # Fix target_addr for syscalls
         if suc_jumpkind.startswith("Ijk_Sys"):
-            syscall_proc = self.project.simos.syscall(new_state)
+            try:
+                syscall_proc = self.project.simos.syscall(new_state)
+            except AngrSyscallError:
+                syscall_proc = None
             if syscall_proc is not None:
                 target_addr = syscall_proc.addr
 

angr/analyses/cfg/cfg_fast.py

@@ -1077,12 +1077,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         # no wide string is found
         return 0
 
-    def _scan_for_repeating_bytes(self, start_addr: int, repeating_byte: int, threshold: int = 2) -> int:
+    def _scan_for_repeating_bytes(self, start_addr: int, repeating_byte: int | None, threshold: int = 2) -> int:
         """
         Scan from a given address and determine the occurrences of a given byte.
 
         :param start_addr:      The address in memory to start scanning.
-        :param repeating_byte:  The repeating byte to scan for.
+        :param repeating_byte:  The repeating byte to scan for; None for *any* repeating byte.
         :param threshold:       The minimum occurrences.
         :return:                The occurrences of a given byte.
         """
@@ -1090,12 +1090,15 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         addr = start_addr
 
         repeating_length = 0
+        last_byte = repeating_byte
 
         while self._inside_regions(addr):
             val = self._load_a_byte_as_int(addr)
             if val is None:
                 break
-            if val == repeating_byte:
+            if last_byte is None:
+                last_byte = val
+            elif val == last_byte:
                 repeating_length += 1
             else:
                 break
@@ -1249,6 +1252,16 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 self.model.memory_data[start_addr] = MemoryData(start_addr, zeros_length, MemoryDataSort.Alignment)
                 start_addr += zeros_length
 
+            # we consider over 16 bytes of any repeated bytes to be bad
+            repeating_byte_length = self._scan_for_repeating_bytes(start_addr, None, threshold=16)
+            if repeating_byte_length:
+                matched_something = True
+                self._seg_list.occupy(start_addr, repeating_byte_length, "nodecode")
+                self.model.memory_data[start_addr] = MemoryData(
+                    start_addr, repeating_byte_length, MemoryDataSort.Unknown
+                )
+                start_addr += repeating_byte_length
+
             if not matched_something:
                 # umm now it's probably code
                 break
@@ -1259,7 +1272,16 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if start_addr % instr_alignment > 0:
             # occupy those few bytes
             size = instr_alignment - (start_addr % instr_alignment)
-            self._seg_list.occupy(start_addr, size, "alignment")
+
+            # to avoid extremely fragmented segmentation, we mark the current segment as the same type as the previous
+            # adjacent segment if its type is nodecode
+            segment_sort = "alignment"
+            if start_addr >= 1:
+                previous_segment_sort = self._seg_list.occupied_by_sort(start_addr - 1)
+                if previous_segment_sort == "nodecode":
+                    segment_sort = "nodecode"
+
+            self._seg_list.occupy(start_addr, size, segment_sort)
             self.model.memory_data[start_addr] = MemoryData(start_addr, size, MemoryDataSort.Unknown)
             start_addr = start_addr - start_addr % instr_alignment + instr_alignment
             # trickiness: aligning the start_addr may create a new address that is outside any mapped region.
@@ -4504,6 +4526,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
                 if not self._arch_options.has_arm_code and addr % 2 == 0:
                     # No ARM code for this architecture!
+                    self._seg_list.occupy(real_addr, 2, "nodecode")
                     return None, None, None, None
 
             initial_regs = self._get_initial_registers(addr, cfg_job, current_function_addr)

angr/analyses/cfg/indirect_jump_resolvers/arm_elf_fast.py

@@ -125,7 +125,17 @@ class ArmElfFastResolver(IndirectJumpResolver):
         # Note that this function assumes the IRSB is optimized (opt_level > 0)
         # the logic will be vastly different if the IRSB is not optimized (opt_level == 0)
 
-        b = Blade(cfg.graph, addr, -1, cfg=cfg, project=self.project, ignore_sp=True, ignore_bp=True, max_level=2)
+        b = Blade(
+            cfg.graph,
+            addr,
+            -1,
+            cfg=cfg,
+            project=self.project,
+            ignore_sp=True,
+            ignore_bp=True,
+            max_level=2,
+            control_dependence=False,
+        )
         sources = [n for n in b.slice.nodes() if b.slice.in_degree(n) == 0]
         if not sources:
             return False, []

angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py

@@ -5,10 +5,12 @@ import logging
 import claripy
 import pyvex
 
+from angr.knowledge_plugins.propagations import PropagationModel
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr.code_location import CodeLocation
 from angr.blade import Blade
 from angr.analyses.propagator import vex_vars
+from angr.utils.vex import get_tmp_def_stmt
 from .resolver import IndirectJumpResolver
 from .propagator_utils import PropagatorLoadCallback
 
@@ -47,6 +49,12 @@ class ConstantResolver(IndirectJumpResolver):
         super().__init__(project, timeless=False)
         self.max_func_nodes = max_func_nodes
 
+        # stats
+        self._resolved = 0
+        self._unresolved = 0
+        self._cache_hits = 0
+        self._props_saved = 0
+
     def filter(self, cfg, addr, func_addr, block, jumpkind):
         if not cfg.functions.contains_addr(func_addr):
             # the function does not exist
@@ -122,58 +130,203 @@ class ConstantResolver(IndirectJumpResolver):
                 max_level=3,
                 stop_at_calls=True,
                 cross_insn_opt=True,
+                control_dependence=False,
             )
             stmt_loc = addr, DEFAULT_STATEMENT
-            preds = list(b.slice.predecessors(stmt_loc))
-            while preds:
-                if len(preds) == 1:
-                    # skip all IMarks
-                    pred_addr, stmt_idx = preds[0]
-                    if stmt_idx != DEFAULT_STATEMENT:
-                        block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
-                        if isinstance(block.statements[stmt_idx], pyvex.IRStmt.IMark):
-                            preds = list(b.slice.predecessors(preds[0]))
-                            continue
+            if self._check_jump_target_is_loaded_from_dynamic_addr(b, stmt_loc):
+                # loading from memory - unsupported
+                return False, []
+            if self._check_jump_target_is_compared_against(b, stmt_loc):
+                # the jump/call target is compared against another value, which means it's not deterministic
+                # ConstantResolver does not support such cases by design
+                return False, []
 
-                for pred_addr, stmt_idx in preds:
-                    block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
-                    if stmt_idx != DEFAULT_STATEMENT:
-                        stmt = block.statements[stmt_idx]
-                        if (
-                            isinstance(stmt, pyvex.IRStmt.WrTmp)
-                            and isinstance(stmt.data, pyvex.IRExpr.Load)
-                            and not isinstance(stmt.data.addr, pyvex.IRExpr.Const)
-                        ):
-                            # loading from memory - unsupported
-                            return False, []
-                break
+            # first check the replacements cache
+            resolved_tmp = None
+            is_full_func_prop = None
+            block_loc = CodeLocation(block.addr, tmp_stmt_idx, ins_addr=tmp_ins_addr)
+            tmp_var = vex_vars.VEXTmp(vex_block.next.tmp)
+            prop_key = "FCP", func_addr
+            cached_prop = cfg.kb.propagations.get(prop_key)
+            if cached_prop is not None:
+                is_full_func_prop = len(func.block_addrs_set) == cached_prop.function_block_count
+                replacements = cached_prop.replacements
+                if exists_in_replacements(replacements, block_loc, tmp_var):
+                    self._cache_hits += 1
+                    resolved_tmp = replacements[block_loc][tmp_var]
 
-            _l.debug("ConstantResolver: Propagating for %r at %#x.", func, addr)
-            prop = self.project.analyses.FastConstantPropagation(
-                func,
-                vex_cross_insn_opt=False,
-                load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-            )
+            if resolved_tmp is None and is_full_func_prop:
+                self._props_saved += 1
 
-            replacements = prop.replacements
-            if replacements:
-                block_loc = CodeLocation(block.addr, tmp_stmt_idx, ins_addr=tmp_ins_addr)
-                tmp_var = vex_vars.VEXTmp(vex_block.next.tmp)
+            if resolved_tmp is None and not is_full_func_prop:
+                _l.debug("ConstantResolver: Propagating for %r at %#x.", func, addr)
+                prop = self.project.analyses.FastConstantPropagation(
+                    func,
+                    vex_cross_insn_opt=False,
+                    load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
+                )
+                # update the cache
+                model = PropagationModel(
+                    prop_key, replacements=prop.replacements, function_block_count=len(func.block_addrs_set)
+                )
+                cfg.kb.propagations.update(prop_key, model)
 
-                if exists_in_replacements(replacements, block_loc, tmp_var):
+                replacements = prop.replacements
+                if replacements and exists_in_replacements(replacements, block_loc, tmp_var):
                     resolved_tmp = replacements[block_loc][tmp_var]
 
-                    if (
-                        isinstance(resolved_tmp, claripy.ast.Base)
-                        and resolved_tmp.op == "BVV"
-                        and self._is_target_valid(cfg, resolved_tmp.args[0])
-                    ):
-                        return True, [resolved_tmp.args[0]]
-                    if isinstance(resolved_tmp, int) and self._is_target_valid(cfg, resolved_tmp):
-                        return True, [resolved_tmp]
+            if resolved_tmp is not None:
+                if (
+                    isinstance(resolved_tmp, claripy.ast.Base)
+                    and resolved_tmp.op == "BVV"
+                    and self._is_target_valid(cfg, resolved_tmp.args[0])
+                ):
+                    self._resolved += 1
+                    # print(f"{self._resolved} ({self._props_saved} saved, {self._cache_hits} cached) / "
+                    #       f"{self._resolved + self._unresolved}")
+                    # print(f"+ Function: {func_addr:#x}, block {addr:#x}, target {resolved_tmp.args[0]:#x}")
+                    return True, [resolved_tmp.args[0]]
+                if isinstance(resolved_tmp, int) and self._is_target_valid(cfg, resolved_tmp):
+                    self._resolved += 1
+                    # print(f"{self._resolved} ({self._props_saved} saved, {self._cache_hits} cached) / "
+                    #       f"{self._resolved + self._unresolved}")
+                    # print(f"+ Function: {func_addr:#x}, block {addr:#x}, target {resolved_tmp:#x}")
+                    return True, [resolved_tmp]
 
+        self._unresolved += 1
+        # print(f"{RESOLVED} ({SAVED_PROPS} saved, {HIT_CACHE} cached) / {RESOLVED + UNRESOLVED}")
+        # print(f"- Function: {func_addr:#x}, block {addr:#x}, FAILED")
         return False, []
 
+    def _check_jump_target_is_loaded_from_dynamic_addr(self, b, stmt_loc) -> bool:
+        queue: list[tuple[int, int, int]] = []  # depth, block_addr, stmt_idx
+        seen_locs: set[tuple[int, int]] = set()
+        for block_addr, stmt_idx in b.slice.predecessors(stmt_loc):
+            if (block_addr, stmt_idx) in seen_locs:
+                continue
+            seen_locs.add((block_addr, stmt_idx))
+            queue.append((0, block_addr, stmt_idx))
+        while queue:
+            depth, pred_addr, stmt_idx = queue.pop(0)
+            if depth >= 3:
+                break
+
+            # skip all IMarks
+            if stmt_idx != DEFAULT_STATEMENT:
+                block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
+                stmt = block.statements[stmt_idx]
+                if isinstance(stmt, pyvex.IRStmt.IMark):
+                    for succ_addr, succ_stmt_idx in b.slice.predecessors((pred_addr, stmt_idx)):
+                        if (succ_addr, succ_stmt_idx) in seen_locs:
+                            continue
+                        seen_locs.add((succ_addr, succ_stmt_idx))
+                        queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+                    continue
+
+                if (
+                    isinstance(stmt, pyvex.IRStmt.WrTmp)
+                    and isinstance(stmt.data, pyvex.IRExpr.Load)
+                    and not isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                ):
+                    # loading from memory
+                    return True
+
+            for succ_addr, succ_stmt_idx in b.slice.predecessors((pred_addr, stmt_idx)):
+                if (succ_addr, succ_stmt_idx) in seen_locs:
+                    continue
+                seen_locs.add((succ_addr, succ_stmt_idx))
+                queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+
+        return False
+
+    def _check_jump_target_is_compared_against(self, b, stmt_loc) -> bool:
+        # let's find which register the jump uses
+        jump_site = self.project.factory.block(stmt_loc[0], cross_insn_opt=True).vex
+        if not isinstance(jump_site.next, pyvex.IRExpr.RdTmp):
+            return False
+        next_tmp = jump_site.next.tmp
+        # find its definition
+        next_tmp_def = get_tmp_def_stmt(jump_site, next_tmp)
+        if next_tmp_def is None:
+            return False
+        next_tmp_def_stmt = jump_site.statements[next_tmp_def]
+        if not (
+            isinstance(next_tmp_def_stmt, pyvex.IRStmt.WrTmp) and isinstance(next_tmp_def_stmt.data, pyvex.IRExpr.Get)
+        ):
+            return False
+        next_reg = next_tmp_def_stmt.data.offset
+
+        # traverse back at most one level and check:
+        # - this register has never been updated
+        # - a comparison is conducted on this register (via a tmp, most likely)
+        queue = []
+        seen = set()
+        for block_addr, stmt_idx in b.slice.predecessors(stmt_loc):
+            if (block_addr, stmt_idx) in seen:
+                continue
+            seen.add((block_addr, stmt_idx))
+            queue.append((0, block_addr, stmt_idx))
+        while queue:
+            depth, pred_addr, stmt_idx = queue.pop(0)
+            if depth > 1:
+                continue
+
+            # skip all IMarks
+            pred = pred_addr, stmt_idx
+            if stmt_idx != DEFAULT_STATEMENT:
+                block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
+                stmt = block.statements[stmt_idx]
+                if isinstance(stmt, pyvex.IRStmt.IMark):
+                    for succ_addr, succ_stmt_idx in b.slice.predecessors(pred):
+                        if (succ_addr, succ_stmt_idx) in seen:
+                            continue
+                        seen.add((succ_addr, succ_stmt_idx))
+                        queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+                    continue
+
+                if isinstance(stmt, pyvex.IRStmt.Put) and stmt.offset == next_reg:
+                    # this register has been updated before we find a comparison; do not continue along this path
+                    continue
+
+                if (
+                    isinstance(stmt, pyvex.IRStmt.WrTmp)
+                    and isinstance(stmt.data, pyvex.IRExpr.Binop)
+                    and stmt.data.op.startswith("Iop_Cmp")
+                ):
+                    # what is it comparing against?
+                    for arg in stmt.data.args:
+                        if isinstance(arg, pyvex.IRExpr.RdTmp):
+                            arg_tmp_def = get_tmp_def_stmt(block, arg.tmp)
+                            if arg_tmp_def is not None:
+                                arg_tmp_def_stmt = block.statements[arg_tmp_def]
+                                if (
+                                    isinstance(arg_tmp_def_stmt, pyvex.IRStmt.WrTmp)
+                                    and isinstance(arg_tmp_def_stmt.data, pyvex.IRExpr.Get)
+                                    and arg_tmp_def_stmt.data.offset == next_reg
+                                ):
+                                    # the jump target is compared against this register
+                                    return True
+                                # another case: VEX optimization may have caused the tmp to be stored in the target
+                                # register. we need handle this case as well.
+                                if any(
+                                    isinstance(stmt_, pyvex.IRStmt.Put)
+                                    and stmt_.offset == next_reg
+                                    and isinstance(stmt_.data, pyvex.IRExpr.RdTmp)
+                                    and stmt_.data.tmp == arg.tmp
+                                    for stmt_ in block.statements[arg_tmp_def + 1 : stmt_idx]
+                                ):
+                                    # the jump target is compared against this register
+                                    return True
+
+            # continue traversing predecessors
+            for succ_addr, succ_stmt_idx in b.slice.predecessors(pred):
+                if (succ_addr, succ_stmt_idx) in seen:
+                    continue
+                seen.add((succ_addr, succ_stmt_idx))
+                queue.append((depth + 1 if succ_addr != pred_addr else depth, succ_addr, succ_stmt_idx))
+
+        return False
+
     @staticmethod
     def _find_tmp_write_stmt_and_ins(vex_block, tmp: int) -> tuple[int | None, int | None]:
         stmt_idx = None

angr/analyses/decompiler/ail_simplifier.py

@@ -397,9 +397,11 @@ class AILSimplifier(Analysis):
             if isinstance(def_.atom, atoms.VirtualVariable) and (def_.atom.was_reg or def_.atom.was_parameter):
                 # only do this for general purpose register
                 skip_def = False
+                reg = None
                 for reg in self.project.arch.register_list:
-                    if not reg.artificial and reg.vex_offset == def_.atom.reg_offset and not reg.general_purpose:
-                        skip_def = True
+                    if reg.vex_offset == def_.atom.reg_offset:
+                        if not reg.artificial and not reg.general_purpose and not reg.vector:
+                            skip_def = True
                         break
 
                 if skip_def:
@@ -659,6 +661,16 @@ class AILSimplifier(Analysis):
             first_op = ops[0]
         if isinstance(first_op, Convert) and first_op.to_bits >= self.project.arch.byte_width:
             # we need at least one byte!
+            if (
+                len({(op.from_bits, op.to_bits) for op in ops if isinstance(op, Convert) and op.operand.likes(expr)})
+                > 1
+            ):
+                # there are more Convert operations; it's probably because there are multiple expressions involving the
+                # same core expr. just give up (for now)
+                return None, None
+            if any(op for op in ops if isinstance(op, BinaryOp) and op.op == "Shr" and op.operands[0].likes(expr)):
+                # the expression is right-shifted, which means higher bits might be used.
+                return None, None
             return first_op.to_bits // self.project.arch.byte_width, ("convert", (first_op,))
         if isinstance(first_op, BinaryOp):
             second_op = None
@@ -1816,13 +1828,11 @@ class AILSimplifier(Analysis):
                         if codeloc in self._assignments_to_remove:
                             # it should be removed
                             simplified = True
-                            self._assignments_to_remove.discard(codeloc)
                             continue
 
                         if self._statement_has_call_exprs(stmt):
                             if codeloc in self._calls_to_remove:
                                 # it has a call and must be removed
-                                self._calls_to_remove.discard(codeloc)
                                 simplified = True
                                 continue
                             if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
@@ -1845,7 +1855,6 @@ class AILSimplifier(Analysis):
                         codeloc = CodeLocation(block.addr, idx, ins_addr=stmt.ins_addr, block_idx=block.idx)
                         if codeloc in self._calls_to_remove:
                             # this call can be removed
-                            self._calls_to_remove.discard(codeloc)
                             simplified = True
                             continue
 
@@ -1865,6 +1874,11 @@ class AILSimplifier(Analysis):
             new_block.statements = new_statements
             self.blocks[old_block] = new_block
 
+        # we can only use calls_to_remove and assignments_to_remove once; if any statements in blocks are removed, then
+        # the statement IDs in calls_to_remove and assignments_to_remove no longer match!
+        self._calls_to_remove.clear()
+        self._assignments_to_remove.clear()
+
         return simplified
 
     @staticmethod

angr/analyses/decompiler/callsite_maker.py

@@ -17,7 +17,15 @@ from angr.sim_type import (
     SimTypeFunction,
     SimTypeLongLong,
 )
-from angr.calling_conventions import SimReferenceArgument, SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
+from angr.calling_conventions import (
+    SimReferenceArgument,
+    SimRegArg,
+    SimStackArg,
+    SimCC,
+    SimStructArg,
+    SimComboArg,
+    SimFunctionArgument,
+)
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.s_reaching_definitions import SRDAView
@@ -137,22 +145,7 @@ class CallSiteMaker(Analysis):
                         arg_locs = cc.arg_locs(callsite_ty)
 
         if arg_locs is not None and cc is not None:
-            expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
-            for arg_loc in arg_locs:
-                if isinstance(arg_loc, SimComboArg):
-                    # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
-                    # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
-                    # have no way to know that until later down the pipeline.
-                    expanded_arg_locs += arg_loc.locations
-                elif isinstance(arg_loc, SimStructArg):
-                    expanded_arg_locs += [  # type: ignore
-                        arg_loc.locs[field_name] for field_name in arg_loc.struct.fields if field_name in arg_loc.locs
-                    ]
-                elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
-                    expanded_arg_locs.append(arg_loc)
-                else:
-                    raise NotImplementedError("Not implemented yet.")
-
+            expanded_arg_locs = self._expand_arglocs(arg_locs)
             for arg_loc in expanded_arg_locs:
                 if isinstance(arg_loc, SimReferenceArgument):
                     if not isinstance(arg_loc.ptr_loc, (SimRegArg, SimStackArg)):
@@ -548,6 +541,29 @@ class CallSiteMaker(Analysis):
             return None
         return len(specifiers)
 
+    def _expand_arglocs(
+        self, arg_locs: list[SimFunctionArgument]
+    ) -> list[SimStackArg | SimRegArg | SimReferenceArgument]:
+        expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
+
+        for arg_loc in arg_locs:
+            if isinstance(arg_loc, SimComboArg):
+                # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
+                # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
+                # have no way to know that until later down the pipeline.
+                expanded_arg_locs += arg_loc.locations
+            elif isinstance(arg_loc, SimStructArg):
+                for field_name in arg_loc.struct.fields:
+                    if field_name not in arg_loc.locs:
+                        continue
+                    expanded_arg_locs += self._expand_arglocs([arg_loc.locs[field_name]])
+            elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
+                expanded_arg_locs.append(arg_loc)
+            else:
+                raise NotImplementedError("Not implemented yet.")
+
+        return expanded_arg_locs
+
     def _atom_idx(self) -> int | None:
         return self._ail_manager.next_atom() if self._ail_manager is not None else None