angr 9.2.171__cp310-abi3-win_amd64.whl → 9.2.173__cp310-abi3-win_amd64.whl

angr/analyses/decompiler/peephole_optimizations/inlined_wstrcpy.py

@@ -4,15 +4,17 @@ import string
 
 from archinfo import Endness
 
+from angr.ailment import BinaryOp
 from angr.ailment.expression import Const, StackBaseOffset, VirtualVariable
-from angr.ailment.statement import Call, Assignment
+from angr.ailment.statement import Call, Assignment, Statement, Store
 
+from angr.sim_type import SimTypePointer, SimTypeWideChar
 from angr.utils.endness import ail_const_to_be
 from .base import PeepholeOptimizationStmtBase
 
 
-ASCII_PRINTABLES = set(string.printable)
-ASCII_DIGITS = set(string.digits)
+ASCII_PRINTABLES = {ord(x) for x in string.printable}
+ASCII_DIGITS = {ord(x) for x in string.digits}
 
 
 class InlinedWstrcpy(PeepholeOptimizationStmtBase):
@@ -23,70 +25,83 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
     __slots__ = ()
 
     NAME = "Simplifying inlined wstrcpy"
-    stmt_classes = (Assignment,)
+    stmt_classes = (Assignment, Store)
 
-    def optimize(self, stmt: Assignment, stmt_idx: int | None = None, block=None, **kwargs):
+    def optimize(self, stmt: Assignment | Store, stmt_idx: int | None = None, block=None, **kwargs):
         if (
-            isinstance(stmt.dst, VirtualVariable)
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
             and stmt.dst.was_stack
             and isinstance(stmt.src, Const)
             and isinstance(stmt.src.value, int)
         ):
-            r, s = self.is_integer_likely_a_wide_string(stmt.src.value, stmt.src.size, self.project.arch.memory_endness)
-            if r:
-                # replace it with a call to strncpy
-                str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
-                return Call(
-                    stmt.idx,
-                    "wstrncpy",
-                    args=[
-                        StackBaseOffset(None, self.project.arch.bits, stmt.dst.stack_offset),
-                        Const(None, None, str_id, self.project.arch.bits, custom_string=True),
-                        Const(None, None, len(s), self.project.arch.bits),
-                    ],
-                    **stmt.tags,
-                )
-
-            # scan forward in the current block to find all consecutive constant stores
-            if block is not None and stmt_idx is not None:
-                all_constant_stores: dict[int, tuple[int, Const | None]] = self.collect_constant_stores(block, stmt_idx)
-                if all_constant_stores:
-                    offsets = sorted(all_constant_stores.keys())
-                    next_offset = min(offsets)
-                    stride = []
-                    for offset in offsets:
-                        if next_offset is not None and offset != next_offset:
-                            next_offset = None
-                            stride = []
-                        stmt_idx_, v = all_constant_stores[offset]
-                        if v is not None:
-                            stride.append((offset, stmt_idx_, v))
-                            next_offset = offset + v.size
-                        else:
-                            next_offset = None
-                            stride = []
-
-                    integer, size = self.stride_to_int(stride)
-                    r, s = self.is_integer_likely_a_wide_string(integer, size, Endness.BE)
-                    if r:
-                        # we remove all involved statements whose statement IDs are greater than the current one
-                        for _, stmt_idx_, _ in reversed(stride):
-                            if stmt_idx_ <= stmt_idx:
-                                continue
-                            block.statements[stmt_idx_] = None
-                        block.statements = [ss for ss in block.statements if ss is not None]
-
-                        str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
-                        return Call(
-                            stmt.idx,
-                            "wstrncpy",
-                            args=[
-                                StackBaseOffset(None, self.project.arch.bits, stmt.dst.stack_offset),
-                                Const(None, None, str_id, self.project.arch.bits, custom_string=True),
-                                Const(None, None, len(s), self.project.arch.bits),
-                            ],
-                            **stmt.tags,
-                        )
+            dst = StackBaseOffset(None, self.project.arch.bits, stmt.dst.stack_offset)
+            value_size = stmt.src.size
+            value = stmt.src.value
+        elif isinstance(stmt, Store) and isinstance(stmt.data, Const) and isinstance(stmt.data.value, int):
+            dst = stmt.addr
+            value_size = stmt.data.size
+            value = stmt.data.value
+        else:
+            return None
+
+        r, s = self.is_integer_likely_a_wide_string(value, value_size, self.project.arch.memory_endness)
+        if r:
+            # replace it with a call to strncpy
+            str_id = self.kb.custom_strings.allocate(s)
+            wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
+            return Call(
+                stmt.idx,
+                "wstrncpy",
+                args=[
+                    dst,
+                    Const(None, None, str_id, self.project.arch.bits, custom_string=True, type=wstr_type),
+                    Const(None, None, len(s) // 2, self.project.arch.bits),
+                ],
+                **stmt.tags,
+            )
+
+        # scan forward in the current block to find all consecutive constant stores
+        if block is not None and stmt_idx is not None:
+            all_constant_stores: dict[int, tuple[int, Const | None]] = self.collect_constant_stores(block, stmt_idx)
+            if all_constant_stores:
+                offsets = sorted(all_constant_stores.keys())
+                next_offset = min(offsets)
+                stride = []
+                for offset in offsets:
+                    if next_offset is not None and offset != next_offset:
+                        next_offset = None
+                        stride = []
+                    stmt_idx_, v = all_constant_stores[offset]
+                    if v is not None:
+                        stride.append((offset, stmt_idx_, v))
+                        next_offset = offset + v.size
+                    else:
+                        next_offset = None
+                        stride = []
+
+                integer, size = self.stride_to_int(stride)
+                r, s = self.is_integer_likely_a_wide_string(integer, size, Endness.BE, min_length=3)
+                if r:
+                    # we remove all involved statements whose statement IDs are greater than the current one
+                    for _, stmt_idx_, _ in reversed(stride):
+                        if stmt_idx_ <= stmt_idx:
+                            continue
+                        block.statements[stmt_idx_] = None
+                    block.statements = [ss for ss in block.statements if ss is not None]
+
+                    str_id = self.kb.custom_strings.allocate(s)
+                    wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
+                    return Call(
+                        stmt.idx,
+                        "wstrncpy",
+                        args=[
+                            dst,
+                            Const(None, None, str_id, self.project.arch.bits, custom_string=True, type=wstr_type),
+                            Const(None, None, len(s) // 2, self.project.arch.bits),
+                        ],
+                        **stmt.tags,
+                    )
 
         return None
 
@@ -103,68 +118,131 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
 
     def collect_constant_stores(self, block, starting_stmt_idx: int) -> dict[int, tuple[int, Const | None]]:
         r = {}
+        expected_store_varid: int | None = None
+        starting_stmt = block.statements[starting_stmt_idx]
+        if (
+            isinstance(starting_stmt, Assignment)
+            and isinstance(starting_stmt.dst, VirtualVariable)
+            and starting_stmt.dst.was_stack
+            and isinstance(starting_stmt.dst.stack_offset, int)
+        ):
+            expected_type = "stack"
+        elif isinstance(starting_stmt, Store):
+            if isinstance(starting_stmt.addr, VirtualVariable):
+                expected_store_varid = starting_stmt.addr.varid
+            elif (
+                isinstance(starting_stmt.addr, BinaryOp)
+                and starting_stmt.addr.op == "Add"
+                and isinstance(starting_stmt.addr.operands[0], VirtualVariable)
+                and isinstance(starting_stmt.addr.operands[1], Const)
+            ):
+                expected_store_varid = starting_stmt.addr.operands[0].varid
+            else:
+                expected_store_varid = None
+            expected_type = "store"
+        else:
+            return r
+
         for idx, stmt in enumerate(block.statements):
             if idx < starting_stmt_idx:
                 continue
             if (
-                isinstance(stmt, Assignment)
+                expected_type == "stack"
+                and isinstance(stmt, Assignment)
                 and isinstance(stmt.dst, VirtualVariable)
                 and stmt.dst.was_stack
                 and isinstance(stmt.dst.stack_offset, int)
             ):
-                if isinstance(stmt.src, Const):
-                    r[stmt.dst.stack_offset] = idx, ail_const_to_be(stmt.src, self.project.arch.memory_endness)
+                offset = stmt.dst.stack_offset
+                value = (
+                    ail_const_to_be(stmt.src, self.project.arch.memory_endness) if isinstance(stmt.src, Const) else None
+                )
+            elif expected_type == "store" and isinstance(stmt, Store):
+                if isinstance(stmt.addr, VirtualVariable) and stmt.addr.varid == expected_store_varid:
+                    offset = 0
+                elif (
+                    isinstance(stmt.addr, BinaryOp)
+                    and stmt.addr.op == "Add"
+                    and isinstance(stmt.addr.operands[0], VirtualVariable)
+                    and isinstance(stmt.addr.operands[1], Const)
+                    and stmt.addr.operands[0].varid == expected_store_varid
+                ):
+                    offset = stmt.addr.operands[1].value
                 else:
-                    r[stmt.dst.stack_offset] = idx, None
+                    offset = None
+                value = (
+                    ail_const_to_be(stmt.data, self.project.arch.memory_endness)
+                    if isinstance(stmt.data, Const)
+                    else None
+                )
+            else:
+                continue
+
+            if offset is not None:
+                r[offset] = idx, value
 
         return r
 
     @staticmethod
-    def even_offsets_are_zero(lst: list[str]) -> bool:
-        return all(ch == "\x00" for i, ch in enumerate(lst) if i % 2 == 0)
+    def even_offsets_are_zero(lst: list[int]) -> bool:
+        if len(lst) >= 2 and lst[-1] == 0 and lst[-2] == 0:
+            lst = lst[:-2]
+        return all((ch == 0 if i % 2 == 0 else ch != 0) for i, ch in enumerate(lst))
 
     @staticmethod
-    def odd_offsets_are_zero(lst: list[str]) -> bool:
-        return all(ch == "\x00" for i, ch in enumerate(lst) if i % 2 == 1)
+    def odd_offsets_are_zero(lst: list[int]) -> bool:
+        if len(lst) >= 2 and lst[-1] == 0 and lst[-2] == 0:
+            lst = lst[:-2]
+        return all((ch == 0 if i % 2 == 1 else ch != 0) for i, ch in enumerate(lst))
 
     @staticmethod
     def is_integer_likely_a_wide_string(
         v: int, size: int, endness: Endness, min_length: int = 4
-    ) -> tuple[bool, str | None]:
+    ) -> tuple[bool, bytes | None]:
         # we need at least four bytes of printable characters
 
-        chars = []
+        chars: list[int] = []
         if endness == Endness.LE:
             while v != 0:
                 byt = v & 0xFF
-                if byt != 0 and chr(byt) not in ASCII_PRINTABLES:
+                if byt != 0 and byt not in ASCII_PRINTABLES:
                     return False, None
-                chars.append(chr(byt))
+                chars.append(byt)
                 v >>= 8
+            if len(chars) % 2 == 1:
+                chars.append(0)
 
         elif endness == Endness.BE:
             for _ in range(size):
                 byt = v & 0xFF
                 v >>= 8
-                if byt != 0 and chr(byt) not in ASCII_PRINTABLES:
+                if byt != 0 and byt not in ASCII_PRINTABLES:
                     return False, None
-                chars.append(chr(byt))
+                chars.append(byt)
             chars.reverse()
         else:
             # unsupported endness
             return False, None
 
-        if InlinedWstrcpy.even_offsets_are_zero(chars):
-            chars = [ch for i, ch in enumerate(chars) if i % 2 == 1]
-        elif InlinedWstrcpy.odd_offsets_are_zero(chars):
-            chars = [ch for i, ch in enumerate(chars) if i % 2 == 0]
-        else:
+        if not (InlinedWstrcpy.even_offsets_are_zero(chars) or InlinedWstrcpy.odd_offsets_are_zero(chars)):
             return False, None
 
-        if chars and chars[-1] == "\x00":
+        if chars and len(chars) >= 2 and chars[-1] == 0 and chars[-2] == 0:
             chars = chars[:-1]
-        if len(chars) >= min_length and all(ch in ASCII_PRINTABLES for ch in chars):
-            if len(chars) <= 4 and all(ch in ASCII_DIGITS for ch in chars):
+        if len(chars) >= min_length * 2 and all((ch == 0 or ch in ASCII_PRINTABLES) for ch in chars):
+            if len(chars) <= 4 * 2 and all((ch == 0 or ch in ASCII_DIGITS) for ch in chars):
                 return False, None
-            return True, "".join(chars)
+            return True, bytes(chars)
         return False, None
+
+    @staticmethod
+    def is_inlined_wstrncpy(stmt: Statement) -> bool:
+        return (
+            isinstance(stmt, Call)
+            and isinstance(stmt.target, str)
+            and stmt.target == "wstrncpy"
+            and stmt.args is not None
+            and len(stmt.args) == 3
+            and isinstance(stmt.args[1], Const)
+            and hasattr(stmt.args[1], "custom_string")
+        )

angr/analyses/decompiler/peephole_optimizations/inlined_wstrcpy_consolidation.py

@@ -0,0 +1,113 @@
+# pylint:disable=arguments-differ
+from __future__ import annotations
+
+from angr.ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset, UnaryOp, VirtualVariable
+from angr.ailment.statement import Call, Store
+
+from angr.sim_type import SimTypePointer, SimTypeWideChar
+from .base import PeepholeOptimizationMultiStmtBase
+from .inlined_wstrcpy import InlinedWstrcpy
+
+
+class InlinedWstrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
+    """
+    Consolidate multiple inlined wstrcpy/wstrncpy calls.
+    """
+
+    __slots__ = ()
+
+    NAME = "Consolidate multiple inlined wstrncpy calls"
+    stmt_classes = ((Call, Call), (Call, Store))
+
+    def optimize(  # type:ignore
+        self, stmts: list[Call], stmt_idx: int | None = None, block=None, **kwargs
+    ):  # pylint:disable=unused-argument
+        last_stmt, stmt = stmts
+        if InlinedWstrcpy.is_inlined_wstrncpy(last_stmt):
+            assert last_stmt.args is not None
+            assert self.kb is not None
+            s_last: bytes = self.kb.custom_strings[last_stmt.args[1].value]
+            addr_last = last_stmt.args[0]
+            new_str = None  # will be set if consolidation should happen
+
+            if isinstance(stmt, Call) and InlinedWstrcpy.is_inlined_wstrncpy(stmt):
+                assert stmt.args is not None
+                # consolidating two calls
+                s_curr: bytes = self.kb.custom_strings[stmt.args[1].value]
+                addr_curr = stmt.args[0]
+                # determine if the two addresses are consecutive
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    # consolidate both calls!
+                    new_str = s_last + s_curr
+            elif isinstance(stmt, Store) and isinstance(stmt.data, Const) and isinstance(stmt.data.value, int):
+                # consolidating a call and a store, in case the store statement is storing the suffix of a string (but
+                # the suffix is too short to qualify an inlined strcpy optimization)
+                addr_curr = stmt.addr
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    if stmt.size == 2 and stmt.data.value == 0:
+                        # it's probably the terminating null byte
+                        r, s = True, b"\x00\x00"
+                    else:
+                        r, s = InlinedWstrcpy.is_integer_likely_a_wide_string(
+                            stmt.data.value, stmt.size, stmt.endness, min_length=1  # type:ignore
+                        )
+                    if r and s is not None:
+                        new_str = s_last + s
+
+            if new_str is not None:
+                assert self.project is not None
+                wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
+                if new_str.endswith(b"\x00\x00"):
+                    call_name = "wstrcpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str[:-2])
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True, type=wstr_type),
+                    ]
+                    prototype = None
+                else:
+                    call_name = "wstrncpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str)
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True, type=wstr_type),
+                        Const(None, None, len(new_str) // 2, self.project.arch.bits),
+                    ]
+                    prototype = None
+
+                return [Call(stmt.idx, call_name, args=args, prototype=prototype, **stmt.tags)]
+
+        return None
+
+    @staticmethod
+    def _parse_addr(addr: Expression) -> tuple[Expression, int]:
+        if isinstance(addr, Register):
+            return addr, 0
+        if isinstance(addr, StackBaseOffset):
+            return StackBaseOffset(None, addr.bits, 0), addr.offset
+        if (
+            isinstance(addr, UnaryOp)
+            and addr.op == "Reference"
+            and isinstance(addr.operand, VirtualVariable)
+            and addr.operand.was_stack
+        ):
+            return StackBaseOffset(None, addr.bits, 0), addr.operand.stack_offset
+        if isinstance(addr, BinaryOp):
+            if addr.op == "Add" and isinstance(addr.operands[1], Const) and isinstance(addr.operands[1].value, int):
+                base_0, offset_0 = InlinedWstrcpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 + addr.operands[1].value
+            if addr.op == "Sub" and isinstance(addr.operands[1], Const) and isinstance(addr.operands[1].value, int):
+                base_0, offset_0 = InlinedWstrcpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 - addr.operands[1].value
+
+        return addr, 0
+
+    @staticmethod
+    def _get_delta(addr_0: Expression, addr_1: Expression) -> int | None:
+        base_0, offset_0 = InlinedWstrcpyConsolidation._parse_addr(addr_0)
+        base_1, offset_1 = InlinedWstrcpyConsolidation._parse_addr(addr_1)
+        if base_0.likes(base_1):
+            return offset_1 - offset_0
+        return None

angr/analyses/decompiler/presets/basic.py

@@ -10,6 +10,7 @@ from angr.analyses.decompiler.optimization_passes import (
     X86GccGetPcSimplifier,
     CallStatementRewriter,
     SwitchReusedEntryRewriter,
+    PostStructuringPeepholeOptimizationPass,
 )
 
 
@@ -25,6 +26,7 @@ preset_basic = DecompilationPreset(
         X86GccGetPcSimplifier,
         CallStatementRewriter,
         SwitchReusedEntryRewriter,
+        PostStructuringPeepholeOptimizationPass,
     ],
 )
 

angr/analyses/decompiler/presets/fast.py

@@ -23,6 +23,7 @@ from angr.analyses.decompiler.optimization_passes import (
     SwitchReusedEntryRewriter,
     ConditionConstantPropagation,
     DetermineLoadSizes,
+    PostStructuringPeepholeOptimizationPass,
 )
 
 
@@ -51,6 +52,7 @@ preset_fast = DecompilationPreset(
         CallStatementRewriter,
         ConditionConstantPropagation,
         DetermineLoadSizes,
+        PostStructuringPeepholeOptimizationPass,
     ],
 )
 

angr/analyses/decompiler/presets/full.py

@@ -28,6 +28,7 @@ from angr.analyses.decompiler.optimization_passes import (
     SwitchReusedEntryRewriter,
     ConditionConstantPropagation,
     DetermineLoadSizes,
+    PostStructuringPeepholeOptimizationPass,
 )
 
 
@@ -61,6 +62,7 @@ preset_full = DecompilationPreset(
         SwitchReusedEntryRewriter,
         ConditionConstantPropagation,
         DetermineLoadSizes,
+        PostStructuringPeepholeOptimizationPass,
     ],
 )
 

angr/analyses/decompiler/presets/preset.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 from archinfo import Arch
 
-from angr.analyses.decompiler.optimization_passes.optimization_pass import OptimizationPass
+from angr.analyses.decompiler.optimization_passes.optimization_pass import BaseOptimizationPass
 
 
 class DecompilationPreset:
@@ -10,7 +10,7 @@ class DecompilationPreset:
     A DecompilationPreset provides a preconfigured set of optimizations and configurations for the Decompiler analysis.
     """
 
-    def __init__(self, name: str, opt_passes: list[type[OptimizationPass]]):
+    def __init__(self, name: str, opt_passes: list[type[BaseOptimizationPass]]):
         self.name = name
         self.opt_passes = opt_passes
 

angr/analyses/decompiler/structured_codegen/c.py

@@ -2230,52 +2230,68 @@ class CConstant(CExpression):
         return f'{prefix}"{base_str}"'
 
     def c_repr_chunks(self, indent=0, asexpr=False):
+
+        def _default_output(v) -> str | None:
+            if isinstance(v, MemoryData) and v.sort == MemoryDataSort.String:
+                return CConstant.str_to_c_str(v.content.decode("utf-8"))
+            if isinstance(v, Function):
+                return get_cpp_function_name(v.demangled_name)
+            if isinstance(v, str):
+                return CConstant.str_to_c_str(v)
+            if isinstance(v, bytes):
+                return CConstant.str_to_c_str(v.replace(b"\x00", b"").decode("utf-8"))
+            return None
+
         if self.collapsed:
             yield "...", self
             return
 
-        # default priority: string references -> variables -> other reference values
         if self.reference_values is not None:
-            for _ty, v in self.reference_values.items():  # pylint:disable=unused-variable
-                if isinstance(v, MemoryData) and v.sort == MemoryDataSort.String:
-                    yield CConstant.str_to_c_str(v.content.decode("utf-8")), self
-                    return
-                elif isinstance(v, Function):
-                    yield get_cpp_function_name(v.demangled_name), self
+            if self._type is not None and self._type in self.reference_values:
+                if isinstance(self._type, SimTypeInt):
+                    if isinstance(self.reference_values[self._type], int):
+                        yield self.fmt_int(self.reference_values[self._type]), self
+                        return
+                    yield hex(self.reference_values[self._type]), self
                     return
-                elif isinstance(v, str):
+                elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeChar):
+                    refval = self.reference_values[self._type]
+                    if isinstance(refval, MemoryData):
+                        v = refval.content.decode("utf-8")
+                    elif isinstance(refval, bytes):
+                        v = refval.decode("latin1")
+                    else:
+                        # it must be a string
+                        v = refval
+                        assert isinstance(v, str)
                     yield CConstant.str_to_c_str(v), self
                     return
-                elif isinstance(v, bytes):
-                    yield CConstant.str_to_c_str(v.replace(b"\x00", b"").decode("utf-8")), self
+                elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
+                    refval = self.reference_values[self._type]
+                    v = (
+                        refval.content.decode("utf_16_le")
+                        if isinstance(refval, MemoryData)
+                        else refval.decode("utf_16_le")
+                    )  # it's a string
+                    yield CConstant.str_to_c_str(v, prefix="L"), self
                     return
-
-        if self.reference_values is not None and self._type is not None and self._type in self.reference_values:
-            if isinstance(self._type, SimTypeInt):
-                if isinstance(self.reference_values[self._type], int):
-                    yield self.fmt_int(self.reference_values[self._type]), self
-                    return
-                yield hex(self.reference_values[self._type]), self
-            elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeChar):
-                refval = self.reference_values[self._type]
-                if isinstance(refval, MemoryData):
-                    v = refval.content.decode("utf-8")
                 else:
-                    # it's a string
-                    v = refval
-                    assert isinstance(v, str)
-                yield CConstant.str_to_c_str(v), self
-            elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
-                refval = self.reference_values[self._type]
-                v = refval.content.decode("utf_16_le") if isinstance(refval, MemoryData) else refval  # it's a string
-                yield CConstant.str_to_c_str(v, prefix="L"), self
-            else:
-                if isinstance(self.reference_values[self._type], int):
-                    yield self.fmt_int(self.reference_values[self._type]), self
+                    if isinstance(self.reference_values[self._type], int):
+                        yield self.fmt_int(self.reference_values[self._type]), self
+                        return
+                    o = _default_output(self.reference_values[self.type])
+                    if o is not None:
+                        yield o, self
+                        return
+
+            # default priority: string references -> variables -> other reference values
+            for _ty, v in self.reference_values.items():  # pylint:disable=unused-variable
+                o = _default_output(v)
+                if o is not None:
+                    yield o, self
                     return
-                yield self.reference_values[self.type], self
 
-        elif isinstance(self.value, int) and self.value == 0 and isinstance(self.type, SimTypePointer):
+        if isinstance(self.value, int) and self.value == 0 and isinstance(self.type, SimTypePointer):
             # print NULL instead
             yield "NULL", self
 
@@ -3622,10 +3638,10 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         if type_ is None and hasattr(expr, "type"):
             type_ = expr.type
 
-        if type_ is None and reference_values is None and hasattr(expr, "reference_values"):
+        if reference_values is None and hasattr(expr, "reference_values"):
             reference_values = expr.reference_values.copy()
-            if len(reference_values) == 1:  # type: ignore
-                type_ = next(iter(reference_values))  # type: ignore
+        if type_ is None and reference_values is not None and len(reference_values) == 1:  # type: ignore
+            type_ = next(iter(reference_values))  # type: ignore
 
         if reference_values is None:
             reference_values = {}
@@ -3714,10 +3730,10 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             offset = getattr(expr, "reference_variable_offset", 0)
             var_access = self._access_constant_offset_reference(self._get_variable_reference(cvar), offset, None)
 
-        if var_access is not None and expr.value >= self.min_data_addr:
-            return var_access
-
-        reference_values["offset"] = var_access
+        if var_access is not None:
+            if expr.value >= self.min_data_addr:
+                return var_access
+            reference_values["offset"] = var_access
         return CConstant(expr.value, type_, reference_values=reference_values, tags=expr.tags, codegen=self)
 
     def _handle_Expr_UnaryOp(self, expr, **kwargs):

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -30,6 +30,9 @@ class RegVVarPredicate:
         self.arch = arch
 
     def _get_call_clobbered_regs(self, stmt: Call) -> set[int]:
+        if isinstance(stmt.target, str):
+            # pseudo calls do not clobber any registers
+            return set()
         cc = stmt.calling_convention
         if cc is None:
             # get the default calling convention