angr 9.2.174__cp310-abi3-macosx_11_0_arm64.whl → 9.2.176__cp310-abi3-macosx_11_0_arm64.whl

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -46,8 +46,8 @@ from .rol_ror import RolRorRewriter
 from .inlined_memcpy import InlinedMemcpy
 from .inlined_strcpy import InlinedStrcpy
 from .inlined_strcpy_consolidation import InlinedStrcpyConsolidation
-from .inlined_wstrcpy import InlinedWstrcpy
-from .inlined_wstrcpy_consolidation import InlinedWstrcpyConsolidation
+from .inlined_wcscpy import InlinedWcscpy
+from .inlined_wcscpy_consolidation import InlinedWcscpyConsolidation
 from .cmpord_rewriter import CmpORDRewriter
 from .coalesce_adjacent_shrs import CoalesceAdjacentShiftRights
 from .a_mul_const_sub_a import AMulConstSubA
@@ -104,8 +104,8 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     InlinedMemcpy,
     InlinedStrcpy,
     InlinedStrcpyConsolidation,
-    InlinedWstrcpy,
-    InlinedWstrcpyConsolidation,
+    InlinedWcscpy,
+    InlinedWcscpyConsolidation,
     CmpORDRewriter,
     CoalesceAdjacentShiftRights,
     ShlToMul,

angr/analyses/decompiler/peephole_optimizations/{inlined_wstrcpy.py → inlined_wcscpy.py}

@@ -17,17 +17,20 @@ ASCII_PRINTABLES = {ord(x) for x in string.printable}
 ASCII_DIGITS = {ord(x) for x in string.digits}
 
 
-class InlinedWstrcpy(PeepholeOptimizationStmtBase):
+class InlinedWcscpy(PeepholeOptimizationStmtBase):
     """
-    Simplifies inlined wide string copying logic into calls to wstrcpy.
+    Simplifies inlined wide string copying logic into calls to wcscpy.
     """
 
     __slots__ = ()
 
-    NAME = "Simplifying inlined wstrcpy"
+    NAME = "Simplifying inlined wcscpy"
     stmt_classes = (Assignment, Store)
 
     def optimize(self, stmt: Assignment | Store, stmt_idx: int | None = None, block=None, **kwargs):
+        assert self.project is not None
+        assert self.kb is not None
+
         if (
             isinstance(stmt, Assignment)
             and isinstance(stmt.dst, VirtualVariable)
@@ -48,11 +51,12 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
         r, s = self.is_integer_likely_a_wide_string(value, value_size, self.project.arch.memory_endness)
         if r:
             # replace it with a call to strncpy
+            assert s is not None
             str_id = self.kb.custom_strings.allocate(s)
             wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
             return Call(
                 stmt.idx,
-                "wstrncpy",
+                "wcsncpy",
                 args=[
                     dst,
                     Const(None, None, str_id, self.project.arch.bits, custom_string=True, type=wstr_type),
@@ -83,6 +87,7 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
                 integer, size = self.stride_to_int(stride)
                 r, s = self.is_integer_likely_a_wide_string(integer, size, Endness.BE, min_length=3)
                 if r:
+                    assert s is not None
                     # we remove all involved statements whose statement IDs are greater than the current one
                     for _, stmt_idx_, _ in reversed(stride):
                         if stmt_idx_ <= stmt_idx:
@@ -94,7 +99,7 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
                     wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
                     return Call(
                         stmt.idx,
-                        "wstrncpy",
+                        "wcsncpy",
                         args=[
                             dst,
                             Const(None, None, str_id, self.project.arch.bits, custom_string=True, type=wstr_type),
@@ -112,11 +117,14 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
         size = 0
         for _, _, v in stride:
             size += v.size
+            assert isinstance(v.value, int)
             n <<= v.bits
             n |= v.value
         return n, size
 
     def collect_constant_stores(self, block, starting_stmt_idx: int) -> dict[int, tuple[int, Const | None]]:
+        assert self.project is not None
+
         r = {}
         expected_store_varid: int | None = None
         starting_stmt = block.statements[starting_stmt_idx]
@@ -224,7 +232,7 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
             # unsupported endness
             return False, None
 
-        if not (InlinedWstrcpy.even_offsets_are_zero(chars) or InlinedWstrcpy.odd_offsets_are_zero(chars)):
+        if not (InlinedWcscpy.even_offsets_are_zero(chars) or InlinedWcscpy.odd_offsets_are_zero(chars)):
             return False, None
 
         if chars and len(chars) >= 2 and chars[-1] == 0 and chars[-2] == 0:
@@ -236,11 +244,11 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
         return False, None
 
     @staticmethod
-    def is_inlined_wstrncpy(stmt: Statement) -> bool:
+    def is_inlined_wcsncpy(stmt: Statement) -> bool:
         return (
             isinstance(stmt, Call)
             and isinstance(stmt.target, str)
-            and stmt.target == "wstrncpy"
+            and stmt.target == "wcsncpy"
             and stmt.args is not None
             and len(stmt.args) == 3
             and isinstance(stmt.args[1], Const)

angr/analyses/decompiler/peephole_optimizations/{inlined_wstrcpy_consolidation.py → inlined_wcscpy_consolidation.py}

@@ -6,31 +6,31 @@ from angr.ailment.statement import Call, Store
 
 from angr.sim_type import SimTypePointer, SimTypeWideChar
 from .base import PeepholeOptimizationMultiStmtBase
-from .inlined_wstrcpy import InlinedWstrcpy
+from .inlined_wcscpy import InlinedWcscpy
 
 
-class InlinedWstrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
+class InlinedWcscpyConsolidation(PeepholeOptimizationMultiStmtBase):
     """
-    Consolidate multiple inlined wstrcpy/wstrncpy calls.
+    Consolidate multiple inlined wcscpy/wcsncpy calls.
     """
 
     __slots__ = ()
 
-    NAME = "Consolidate multiple inlined wstrncpy calls"
+    NAME = "Consolidate multiple inlined wcsncpy calls"
     stmt_classes = ((Call, Call), (Call, Store))
 
     def optimize(  # type:ignore
         self, stmts: list[Call], stmt_idx: int | None = None, block=None, **kwargs
     ):  # pylint:disable=unused-argument
         last_stmt, stmt = stmts
-        if InlinedWstrcpy.is_inlined_wstrncpy(last_stmt):
+        if InlinedWcscpy.is_inlined_wcsncpy(last_stmt):
             assert last_stmt.args is not None
             assert self.kb is not None
             s_last: bytes = self.kb.custom_strings[last_stmt.args[1].value]
             addr_last = last_stmt.args[0]
             new_str = None  # will be set if consolidation should happen
 
-            if isinstance(stmt, Call) and InlinedWstrcpy.is_inlined_wstrncpy(stmt):
+            if isinstance(stmt, Call) and InlinedWcscpy.is_inlined_wcsncpy(stmt):
                 assert stmt.args is not None
                 # consolidating two calls
                 s_curr: bytes = self.kb.custom_strings[stmt.args[1].value]
@@ -50,7 +50,7 @@ class InlinedWstrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
                         # it's probably the terminating null byte
                         r, s = True, b"\x00\x00"
                     else:
-                        r, s = InlinedWstrcpy.is_integer_likely_a_wide_string(
+                        r, s = InlinedWcscpy.is_integer_likely_a_wide_string(
                             stmt.data.value, stmt.size, stmt.endness, min_length=1  # type:ignore
                         )
                     if r and s is not None:
@@ -60,7 +60,7 @@ class InlinedWstrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
                 assert self.project is not None
                 wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
                 if new_str.endswith(b"\x00\x00"):
-                    call_name = "wstrcpy"
+                    call_name = "wcsncpy"
                     new_str_idx = self.kb.custom_strings.allocate(new_str[:-2])
                     args = [
                         last_stmt.args[0],
@@ -68,7 +68,7 @@ class InlinedWstrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
                     ]
                     prototype = None
                 else:
-                    call_name = "wstrncpy"
+                    call_name = "wcsncpy"
                     new_str_idx = self.kb.custom_strings.allocate(new_str)
                     args = [
                         last_stmt.args[0],
@@ -96,18 +96,18 @@ class InlinedWstrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
             return StackBaseOffset(None, addr.bits, 0), addr.operand.stack_offset
         if isinstance(addr, BinaryOp):
             if addr.op == "Add" and isinstance(addr.operands[1], Const) and isinstance(addr.operands[1].value, int):
-                base_0, offset_0 = InlinedWstrcpyConsolidation._parse_addr(addr.operands[0])
+                base_0, offset_0 = InlinedWcscpyConsolidation._parse_addr(addr.operands[0])
                 return base_0, offset_0 + addr.operands[1].value
             if addr.op == "Sub" and isinstance(addr.operands[1], Const) and isinstance(addr.operands[1].value, int):
-                base_0, offset_0 = InlinedWstrcpyConsolidation._parse_addr(addr.operands[0])
+                base_0, offset_0 = InlinedWcscpyConsolidation._parse_addr(addr.operands[0])
                 return base_0, offset_0 - addr.operands[1].value
 
         return addr, 0
 
     @staticmethod
     def _get_delta(addr_0: Expression, addr_1: Expression) -> int | None:
-        base_0, offset_0 = InlinedWstrcpyConsolidation._parse_addr(addr_0)
-        base_1, offset_1 = InlinedWstrcpyConsolidation._parse_addr(addr_1)
+        base_0, offset_0 = InlinedWcscpyConsolidation._parse_addr(addr_0)
+        base_1, offset_1 = InlinedWcscpyConsolidation._parse_addr(addr_1)
         if base_0.likes(base_1):
             return offset_1 - offset_0
         return None

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -97,6 +97,19 @@ class SimEngineSSARewriting(
         self._current_vvar_id += 1
         return self._current_vvar_id
 
+    #
+    # Util functions
+    #
+
+    @staticmethod
+    def _is_head_controlled_loop_jump(block, jump_stmt: ConditionalJump) -> bool:
+        concrete_targets = []
+        if isinstance(jump_stmt.true_target, Const):
+            concrete_targets.append(jump_stmt.true_target.value)
+        if isinstance(jump_stmt.false_target, Const):
+            concrete_targets.append(jump_stmt.false_target.value)
+        return not all(block.addr <= t < block.addr + block.original_size for t in concrete_targets)
+
     #
     # Handlers
     #
@@ -303,7 +316,7 @@ class SimEngineSSARewriting(
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
         new_false_target = self._expr(stmt.false_target) if stmt.false_target is not None else None
 
-        if self.stmt_idx != len(self.block.statements) - 1:
+        if self.stmt_idx != len(self.block.statements) - 1 and self._is_head_controlled_loop_jump(self.block, stmt):
             # the conditional jump is in the middle of the block (e.g., the block generated from lifting rep stosq).
             # we need to make a copy of the state and use the state of this point in its successor
             self.head_controlled_loop_outstate = self.state.copy()

angr/analyses/decompiler/structured_codegen/c.py

@@ -42,6 +42,7 @@ from angr.utils.constants import is_alignment_mask
 from angr.utils.library import get_cpp_function_name
 from angr.utils.loader import is_in_readonly_segment, is_in_readonly_section
 from angr.utils.types import unpack_typeref, unpack_pointer_and_array, dereference_simtype_by_lib
+from angr.utils.strings import decode_utf16_string
 from angr.analyses.decompiler.utils import structured_node_is_simple_return
 from angr.analyses.decompiler.notes.deobfuscated_strings import DeobfuscatedStringsNote
 from angr.errors import UnsupportedNodeTypeError, AngrRuntimeError
@@ -2269,9 +2270,9 @@ class CConstant(CExpression):
                 elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
                     refval = self.reference_values[self._type]
                     v = (
-                        refval.content.decode("utf_16_le")
+                        decode_utf16_string(refval.content)
                         if isinstance(refval, MemoryData)
-                        else refval.decode("utf_16_le")
+                        else decode_utf16_string(refval)
                     )  # it's a string
                     yield CConstant.str_to_c_str(v, prefix="L"), self
                     return
@@ -4076,9 +4077,9 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
 class FieldReferenceCleanup(CStructuredCodeWalker):
     def handle_CTypeCast(self, obj):
         if isinstance(obj.dst_type, SimTypePointer) and not isinstance(obj.dst_type.pts_to, SimTypeBottom):
-            obj = obj.codegen._access_reference(obj.expr, obj.dst_type.pts_to)
-            if not isinstance(obj, CTypeCast):
-                return self.handle(obj)
+            new_obj = obj.codegen._access_reference(obj.expr, obj.dst_type.pts_to)
+            if not isinstance(new_obj, CTypeCast):
+                return self.handle(new_obj)
         return super().handle_CTypeCast(obj)
 
 

angr/analyses/decompiler/structuring/dream.py

@@ -548,7 +548,7 @@ class DreamStructurer(StructurerBase):
         cmp = switch_extract_cmp_bounds(last_stmt)
         if not cmp:
             return False
-        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
         # the real indirect jump
         if len(addr2nodes[target]) != 1:
@@ -619,7 +619,7 @@ class DreamStructurer(StructurerBase):
         cmp = switch_extract_cmp_bounds(last_stmt)
         if not cmp:
             return False
-        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
         jumptable_entries = jump_table.jumptable_entries
         assert jumptable_entries is not None

angr/analyses/decompiler/structuring/phoenix.py

@@ -929,23 +929,55 @@ class PhoenixStructurer(StructurerBase):
                             )
                             break_node = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
                         else:
-                            break_stmt = Jump(
-                                None,
-                                Const(None, None, successor.addr, self.project.arch.bits),
-                                target_idx=successor.idx if isinstance(successor, Block) else None,
-                                ins_addr=last_src_stmt.ins_addr,
-                            )
-                            break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
-                            fallthrough_node = next(iter(succ for succ in fullgraph.successors(src) if succ is not dst))
-                            fallthrough_stmt = Jump(
-                                None,
-                                Const(None, None, fallthrough_node.addr, self.project.arch.bits),
-                                target_idx=successor.idx if isinstance(successor, Block) else None,
-                                ins_addr=last_src_stmt.ins_addr,
-                            )
-                            break_node_inner_fallthrough = Block(
-                                last_src_stmt.ins_addr, None, statements=[fallthrough_stmt]
+                            fallthrough_node = next(
+                                iter(succ for succ in fullgraph.successors(src) if succ is not dst), None
                             )
+                            if fallthrough_node is not None:
+                                # we create a conditional jump that will be converted to a conditional break later
+                                break_stmt = Jump(
+                                    None,
+                                    Const(None, None, successor.addr, self.project.arch.bits),
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                                fallthrough_stmt = Jump(
+                                    None,
+                                    Const(None, None, fallthrough_node.addr, self.project.arch.bits),
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner_fallthrough = Block(
+                                    last_src_stmt.ins_addr, None, statements=[fallthrough_stmt]
+                                )
+                            else:
+                                # the fallthrough node does not exist in the graph. we create a conditional jump that
+                                # jumps to an address
+                                if not isinstance(last_src_stmt, ConditionalJump):
+                                    raise TypeError(f"Unexpected last_src_stmt type {type(last_src_stmt)}")
+                                other_target = (
+                                    last_src_stmt.true_target
+                                    if isinstance(last_src_stmt.false_target, Const)
+                                    and last_src_stmt.false_target.value == successor.addr
+                                    else last_src_stmt.false_target
+                                )
+                                assert other_target is not None
+                                break_stmt = Jump(
+                                    None,
+                                    Const(None, None, successor.addr, self.project.arch.bits),
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                                fallthrough_stmt = Jump(
+                                    None,
+                                    other_target,
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner_fallthrough = Block(
+                                    last_src_stmt.ins_addr, None, statements=[fallthrough_stmt]
+                                )
                             break_node = ConditionNode(
                                 last_src_stmt.ins_addr,
                                 None,
@@ -1454,7 +1486,7 @@ class PhoenixStructurer(StructurerBase):
                 )
                 if not cmp:
                     return False
-                cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+                cmp_expr, cmp_lb, _cmp_ub = cmp
 
                 assert cond_node.addr is not None
                 switch_head_addr = cond_node.addr
@@ -1477,7 +1509,7 @@ class PhoenixStructurer(StructurerBase):
             cmp = switch_extract_cmp_bounds(last_stmt)
             if not cmp:
                 return False
-            cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+            cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
             switch_head_addr = last_stmt.ins_addr
 
@@ -1849,7 +1881,7 @@ class PhoenixStructurer(StructurerBase):
         cmp = switch_extract_cmp_bounds(last_stmt)
         if not cmp:
             return False
-        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
         if isinstance(last_stmt.false_target, Const):
             default_addr = last_stmt.false_target.value
@@ -2148,19 +2180,54 @@ class PhoenixStructurer(StructurerBase):
                     jump_node = Block(out_src.addr, 0, statements=[jump_stmt])
                     case_node.nodes.append(jump_node)
 
-            if out_edges_to_head:  # noqa:SIM108
+            # out_dst_succ is the successor within the current region
+            # out_dst_succ_fullgraph is the successor outside the current region
+            if out_edges_to_head:
                 # add an edge from SwitchCaseNode to head so that a loop will be structured later
                 out_dst_succ = head
+                out_dst_succ_fullgraph = None
             else:
                 # add an edge from SwitchCaseNode to its most immediate successor (if there is one)
-                out_dst_succ = other_out_edges[0][1] if other_out_edges else None
+                # there might be an in-region successor and an out-of-region successor (especially due to the
+                # introduction of self.dowhile_known_tail_nodes)!
+                # example: 7995a0325b446c462bdb6ae10b692eee2ecadd8e888e9d7729befe4412007afb, function 1400EF820
+                out_dst_succs = []
+                out_dst_succs_fullgraph = []
+                for _, o in other_out_edges:
+                    if o in graph:
+                        out_dst_succs.append(o)
+                    elif o in full_graph:
+                        out_dst_succs_fullgraph.append(o)
+                out_dst_succ = sorted(out_dst_succs, key=lambda o: o.addr)[0] if out_dst_succs else None
+                out_dst_succ_fullgraph = (
+                    sorted(out_dst_succs_fullgraph, key=lambda o: o.addr)[0] if out_dst_succs_fullgraph else None
+                )
+                if len(out_dst_succs) > 1:
+                    assert out_dst_succ is not None
+                    l.warning(
+                        "Multiple in-region successors detected for switch-case node at %#x. Picking %#x as the "
+                        "successor and dropping others.",
+                        scnode.addr,
+                        out_dst_succ.addr,
+                    )
+                if len(out_dst_succs_fullgraph) > 1:
+                    assert out_dst_succ_fullgraph is not None
+                    l.warning(
+                        "Multiple out-of-region successors detected for switch-case node at %#x. Picking %#x as the "
+                        "successor and dropping others.",
+                        scnode.addr,
+                        out_dst_succ_fullgraph.addr,
+                    )
 
             if out_dst_succ is not None:
-                if out_dst_succ in graph:
-                    graph.add_edge(scnode, out_dst_succ)
+                graph.add_edge(scnode, out_dst_succ)
                 full_graph.add_edge(scnode, out_dst_succ)
                 if full_graph.has_edge(head, out_dst_succ):
                     full_graph.remove_edge(head, out_dst_succ)
+            if out_dst_succ_fullgraph is not None:
+                full_graph.add_edge(scnode, out_dst_succ_fullgraph)
+                if full_graph.has_edge(head, out_dst_succ_fullgraph):
+                    full_graph.remove_edge(head, out_dst_succ_fullgraph)
 
             # fix full_graph if needed: remove successors that are no longer needed
             for _out_src, out_dst in other_out_edges:
@@ -2925,6 +2992,17 @@ class PhoenixStructurer(StructurerBase):
             ordered_nodes.remove(postorder_head)
             acyclic_graph.remove_node(postorder_head)
         node_seq = {nn: (len(ordered_nodes) - idx) for (idx, nn) in enumerate(ordered_nodes)}  # post-order
+        if len(node_seq) < len(acyclic_graph):
+            # some nodes are not reachable from head - add them to node_seq as well
+            # but this is usually the result of incorrect structuring, so we may still fail at a later point
+            l.warning("Adding %d unreachable nodes to node_seq", len(acyclic_graph) - len(node_seq))
+            unreachable_nodes = sorted(
+                (nn for nn in acyclic_graph if nn not in node_seq),
+                key=lambda n: (n.addr, (-1 if n.idx is None else n.idx) if hasattr(n, "idx") else 0),
+            )
+            max_seq = max(node_seq.values(), default=0)
+            for i, nn in enumerate(unreachable_nodes):
+                node_seq[nn] = max_seq + i
 
         if all_edges_wo_dominance:
             all_edges_wo_dominance = self._order_virtualizable_edges(full_graph, all_edges_wo_dominance, node_seq)

angr/analyses/decompiler/utils.py

@@ -989,7 +989,7 @@ def decompile_functions(
     show_casts: bool = True,
     base_address: int | None = None,
     preset: str | None = None,
-) -> str | None:
+) -> str:
     """
     Decompile a binary into a set of functions.
 

angr/analyses/smc.py

@@ -146,7 +146,7 @@ class SelfModifyingCodeAnalysis(Analysis):
 
         for n in range(100):
             self._update_progress(n)
-            simgr.step(n=3)
+            simgr.run(n=3)
             random.shuffle(simgr.active)
             simgr.split(from_stash="active", to_stash=simgr.DROP, limit=10)
 

angr/analyses/stack_pointer_tracker.py

@@ -787,9 +787,10 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                                 ):
                                     sp_adjusted = True
                                     sp_v = state.regs[self.project.arch.sp_offset]
-                                    sp_v -= Constant(stmt.data.con.value)
-                                    state.put(self.project.arch.sp_offset, sp_v, force=True)  # sp -= OFFSET
-                                    state.put(stmt.offset, Constant(0), force=True)  # rax = 0
+                                    if sp_v is not None:
+                                        sp_v -= Constant(stmt.data.con.value)
+                                        state.put(self.project.arch.sp_offset, sp_v, force=True)  # sp -= OFFSET
+                                        state.put(stmt.offset, Constant(0), force=True)  # rax = 0
                                     break
 
                 callee_cleanups = [

angr/analyses/typehoon/lifter.py

@@ -1,4 +1,5 @@
 from __future__ import annotations
+import itertools
 from typing import TYPE_CHECKING
 
 from angr.sim_type import (
@@ -26,45 +27,53 @@ class TypeLifter:
     Lift SimTypes to type constants.
     """
 
-    __slots__ = ("bits", "memo")
+    __slots__ = ("bits", "memo", "named_struct_id_counter", "struct_name_to_idx")
 
     def __init__(self, bits: int):
         if bits not in (32, 64):
             raise ValueError("TypeLifter only supports 32-bit or 64-bit pointers.")
         self.bits = bits
         self.memo = {}
+        self.named_struct_id_counter = itertools.count(133337)
+        self.struct_name_to_idx = {}
 
     def lift(self, ty: SimType):
         handler = _mapping.get(type(ty), None)
         if handler is None:
-            return BottomType()
+            return BottomType(name=ty.label)
 
         return handler(self, ty)
 
-    def _lift_SimTypeChar(self, ty):  # pylint:disable=unused-argument,no-self-use
-        return Int8()
+    def _lift_SimTypeChar(self, ty):  # pylint:disable=no-self-use
+        return Int8(name=ty.label)
 
-    def _lift_SimTypeShort(self, ty):  # pylint:disable=unused-argument,no-self-use
-        return Int16()
+    def _lift_SimTypeShort(self, ty):  # pylint:disable=no-self-use
+        return Int16(name=ty.label)
 
-    def _lift_SimTypeInt(self, ty):  # pylint:disable=unused-argument,no-self-use
-        return Int32()
+    def _lift_SimTypeInt(self, ty):  # pylint:disable=no-self-use
+        return Int32(name=ty.label)
 
-    def _lift_SimTypeLongLong(self, ty):  # pylint:disable=unused-argument,no-self-use
-        return Int64()
+    def _lift_SimTypeLongLong(self, ty):  # pylint:disable=no-self-use
+        return Int64(name=ty.label)
 
     def _lift_SimTypePointer(self, ty: SimTypePointer):
         if self.bits == 32:
-            return Pointer32(self.lift(ty.pts_to))
+            return Pointer32(self.lift(ty.pts_to), name=ty.label)
         if self.bits == 64:
-            return Pointer64(self.lift(ty.pts_to))
+            return Pointer64(self.lift(ty.pts_to), name=ty.label)
         raise ValueError(f"Unsupported bits {self.bits}.")
 
     def _lift_SimStruct(self, ty: SimStruct) -> TypeConstant | BottomType:
         if ty in self.memo:
             return BottomType()
 
-        obj = Struct(fields={}, name=ty.name)
+        struct_idx = {}
+        if ty.name:
+            if ty.name not in self.struct_name_to_idx:
+                self.struct_name_to_idx[ty.name] = next(self.named_struct_id_counter)
+            struct_idx["idx"] = self.struct_name_to_idx[ty.name]
+
+        obj = Struct(fields={}, name=ty.name, **struct_idx)
         self.memo[ty] = obj
         converted_fields = {}
         field_names = {}
@@ -76,6 +85,7 @@ class TypeLifter:
             field_names[ty_offsets[field_name]] = field_name
         obj.fields = converted_fields
         obj.field_names = field_names
+        del self.memo[ty]
         return obj
 
     def _lift_SimCppClass(self, ty: SimCppClass) -> TypeConstant | BottomType:
@@ -94,17 +104,18 @@ class TypeLifter:
             field_names[ty_offsets[field_name]] = field_name
         obj.fields = converted_fields
         obj.field_names = field_names
+        del self.memo[ty]
         return obj
 
     def _lift_SimTypeArray(self, ty: SimTypeArray) -> Array:
         elem_type = self.lift(ty.elem_type)
-        return Array(elem_type, count=ty.length)
+        return Array(elem_type, count=ty.length, name=ty.label)
 
-    def _lift_SimTypeFloat(self, ty: SimTypeFloat) -> Float32:  # pylint:disable=unused-argument,no-self-use
-        return Float32()
+    def _lift_SimTypeFloat(self, ty: SimTypeFloat) -> Float32:  # pylint:disable=no-self-use
+        return Float32(name=ty.label)
 
-    def _lift_SimTypeDouble(self, ty: SimTypeDouble) -> Float64:  # pylint:disable=unused-argument,no-self-use
-        return Float64()
+    def _lift_SimTypeDouble(self, ty: SimTypeDouble) -> Float64:  # pylint:disable=no-self-use
+        return Float64(name=ty.label)
 
 
 _mapping = {