angr 9.2.175__cp310-abi3-macosx_11_0_arm64.whl → 9.2.177__cp310-abi3-macosx_11_0_arm64.whl

angr/analyses/decompiler/peephole_optimizations/{inlined_wstrcpy.py → inlined_wcscpy.py}

@@ -17,17 +17,20 @@ ASCII_PRINTABLES = {ord(x) for x in string.printable}
 ASCII_DIGITS = {ord(x) for x in string.digits}
 
 
-class InlinedWstrcpy(PeepholeOptimizationStmtBase):
+class InlinedWcscpy(PeepholeOptimizationStmtBase):
     """
-    Simplifies inlined wide string copying logic into calls to wstrcpy.
+    Simplifies inlined wide string copying logic into calls to wcscpy.
     """
 
     __slots__ = ()
 
-    NAME = "Simplifying inlined wstrcpy"
+    NAME = "Simplifying inlined wcscpy"
     stmt_classes = (Assignment, Store)
 
     def optimize(self, stmt: Assignment | Store, stmt_idx: int | None = None, block=None, **kwargs):
+        assert self.project is not None
+        assert self.kb is not None
+
         if (
             isinstance(stmt, Assignment)
             and isinstance(stmt.dst, VirtualVariable)
@@ -48,11 +51,12 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
         r, s = self.is_integer_likely_a_wide_string(value, value_size, self.project.arch.memory_endness)
         if r:
             # replace it with a call to strncpy
+            assert s is not None
             str_id = self.kb.custom_strings.allocate(s)
             wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
             return Call(
                 stmt.idx,
-                "wstrncpy",
+                "wcsncpy",
                 args=[
                     dst,
                     Const(None, None, str_id, self.project.arch.bits, custom_string=True, type=wstr_type),
@@ -83,6 +87,7 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
                 integer, size = self.stride_to_int(stride)
                 r, s = self.is_integer_likely_a_wide_string(integer, size, Endness.BE, min_length=3)
                 if r:
+                    assert s is not None
                     # we remove all involved statements whose statement IDs are greater than the current one
                     for _, stmt_idx_, _ in reversed(stride):
                         if stmt_idx_ <= stmt_idx:
@@ -94,7 +99,7 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
                     wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
                     return Call(
                         stmt.idx,
-                        "wstrncpy",
+                        "wcsncpy",
                         args=[
                             dst,
                             Const(None, None, str_id, self.project.arch.bits, custom_string=True, type=wstr_type),
@@ -112,11 +117,14 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
         size = 0
         for _, _, v in stride:
             size += v.size
+            assert isinstance(v.value, int)
             n <<= v.bits
             n |= v.value
         return n, size
 
     def collect_constant_stores(self, block, starting_stmt_idx: int) -> dict[int, tuple[int, Const | None]]:
+        assert self.project is not None
+
         r = {}
         expected_store_varid: int | None = None
         starting_stmt = block.statements[starting_stmt_idx]
@@ -224,7 +232,7 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
             # unsupported endness
             return False, None
 
-        if not (InlinedWstrcpy.even_offsets_are_zero(chars) or InlinedWstrcpy.odd_offsets_are_zero(chars)):
+        if not (InlinedWcscpy.even_offsets_are_zero(chars) or InlinedWcscpy.odd_offsets_are_zero(chars)):
             return False, None
 
         if chars and len(chars) >= 2 and chars[-1] == 0 and chars[-2] == 0:
@@ -236,11 +244,11 @@ class InlinedWstrcpy(PeepholeOptimizationStmtBase):
         return False, None
 
     @staticmethod
-    def is_inlined_wstrncpy(stmt: Statement) -> bool:
+    def is_inlined_wcsncpy(stmt: Statement) -> bool:
         return (
             isinstance(stmt, Call)
             and isinstance(stmt.target, str)
-            and stmt.target == "wstrncpy"
+            and stmt.target == "wcsncpy"
             and stmt.args is not None
             and len(stmt.args) == 3
             and isinstance(stmt.args[1], Const)

angr/analyses/decompiler/peephole_optimizations/inlined_wcscpy_consolidation.py

@@ -0,0 +1,296 @@
+# pylint:disable=arguments-differ
+from __future__ import annotations
+from typing import TYPE_CHECKING
+
+from angr.ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset, UnaryOp, VirtualVariable
+from angr.ailment.statement import Call, Store, Assignment
+
+from angr.sim_type import SimTypePointer, SimTypeWideChar
+from .base import PeepholeOptimizationMultiStmtBase
+from .inlined_wcscpy import InlinedWcscpy
+
+if TYPE_CHECKING:
+    from angr.ailment.statement import Statement
+
+
+def match_statements(stmts: list[Statement], index: int) -> int:
+    ending = index
+    has_wcsncpy = False
+    for i in range(index, len(stmts)):
+        stmt = stmts[i]
+        if isinstance(stmt, Call):
+            if InlinedWcscpy.is_inlined_wcsncpy(stmt):
+                has_wcsncpy = True
+            else:
+                break
+        elif isinstance(stmt, Store):
+            if not isinstance(stmt.data, Const):
+                break
+            _, off = InlinedWcscpyConsolidation._parse_addr(stmt.addr)
+            if off is None:
+                # unsupported offset - bail
+                break
+        elif (
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
+            and stmt.dst.was_stack
+            and isinstance(stmt.src, Const)
+        ):
+            pass
+        else:
+            break
+        ending = i + 1
+    return ending - index if has_wcsncpy and ending - index >= 2 else 0
+
+
+class InlinedWcscpyConsolidation(PeepholeOptimizationMultiStmtBase):
+    """
+    Consolidate multiple inlined wcscpy/wcsncpy calls.
+    """
+
+    __slots__ = ()
+
+    NAME = "Consolidate multiple inlined wcsncpy calls"
+    stmt_classes = (match_statements,)
+
+    def optimize(  # type:ignore
+        self, stmts: list[Call | Store | Assignment], stmt_idx: int | None = None, block=None, **kwargs
+    ):  # pylint:disable=unused-argument
+        reordered_stmts = self._reorder_stmts(stmts)
+        if not reordered_stmts or len(reordered_stmts) <= 1:
+            return None
+
+        new_stmts = []
+        optimized = False
+        stop = False
+        while not stop:
+            new_stmts = []
+            stop = True
+            for i, stmt0 in enumerate(reordered_stmts):
+                if i == len(reordered_stmts) - 1:
+                    new_stmts.append(reordered_stmts[i])
+                    break
+                stmt1 = reordered_stmts[i + 1]
+                opt_stmts = self._optimize_pair(stmt0, stmt1)
+                if opt_stmts is None:
+                    new_stmts.append(stmt0)
+                else:
+                    new_stmts += opt_stmts
+                    # start again from the beginning
+                    optimized = True
+                    stop = False
+                    reordered_stmts = new_stmts + reordered_stmts[i + 2 :]
+                    break
+
+        return new_stmts if optimized and new_stmts else None
+
+    def _reorder_stmts(self, stmts: list[Call | Store | Assignment]) -> list[Call | Store] | None:
+        """
+        Order a list of statements based on ascending addresses of their destination buffers.
+        """
+
+        if not all(
+            (
+                InlinedWcscpy.is_inlined_wcsncpy(s)
+                or (isinstance(s, Store) and isinstance(s.data, Const))
+                or (
+                    isinstance(s, Assignment)
+                    and isinstance(s.dst, VirtualVariable)
+                    and s.dst.was_stack
+                    and isinstance(s.src, Const)
+                )
+            )
+            for s in stmts
+        ):
+            return None
+        offset_to_stmt = {}
+        updated_offsets: set[int] = set()
+        known_base = None
+        for stmt in stmts:
+            if isinstance(stmt, Call):
+                assert (
+                    stmt.args is not None
+                    and len(stmt.args) == 3
+                    and stmt.args[0] is not None
+                    and stmt.args[2] is not None
+                )
+                base, off = self._parse_addr(stmt.args[0])
+                store_size = stmt.args[2].value * 2 if isinstance(stmt.args[2], Const) else None
+            elif isinstance(stmt, Store):
+                base, off = self._parse_addr(stmt.addr)
+                store_size = stmt.size
+            elif isinstance(stmt, Assignment):
+                base, off = self._parse_addr(stmt.dst)
+                store_size = stmt.dst.size
+            else:
+                # unexpected!
+                return None
+            if off is None or store_size is None:
+                # bad offset or size - bail
+                return None
+            if known_base is None:
+                known_base = base
+            elif not base.likes(known_base):
+                # bail
+                return None
+            if off in offset_to_stmt:
+                # duplicate offset - bail
+                return None
+            assert isinstance(store_size, int)
+            for i in range(store_size):
+                if off + i in updated_offsets:
+                    # overlapping store - bail
+                    return None
+                updated_offsets.add(off + i)
+
+            offset_to_stmt[off] = stmt
+
+        return [offset_to_stmt[k] for k in sorted(offset_to_stmt)]
+
+    def _optimize_pair(
+        self, last_stmt: Call | Store | Assignment, stmt: Call | Store | Assignment
+    ) -> list[Call] | None:
+        # convert (store, wcsncpy()) to (wcsncpy(), store) if they do not overlap
+        if (
+            isinstance(stmt, Call)
+            and InlinedWcscpy.is_inlined_wcsncpy(stmt)
+            and stmt.args is not None
+            and len(stmt.args) == 3
+            and isinstance(stmt.args[2], Const)
+            and isinstance(stmt.args[2].value, int)
+            and isinstance(last_stmt, (Store, Assignment))
+        ):
+            if isinstance(last_stmt, Store) and isinstance(last_stmt.data, Const):
+                store_addr = last_stmt.addr
+                store_size = last_stmt.size
+            elif isinstance(last_stmt, Assignment):
+                store_addr = last_stmt.dst
+                store_size = last_stmt.dst.size
+            else:
+                return None
+            # check if they overlap
+            wcsncpy_addr = stmt.args[0]
+            wcsncpy_size = stmt.args[2].value * 2
+            delta = self._get_delta(store_addr, wcsncpy_addr)
+            if delta is not None:
+                if (0 <= delta <= store_size) or (delta < 0 and -delta <= wcsncpy_size):
+                    # they overlap, do not switch
+                    pass
+                else:
+                    last_stmt, stmt = stmt, last_stmt
+
+        # swap two statements if they are out of order
+        if InlinedWcscpy.is_inlined_wcsncpy(last_stmt) and InlinedWcscpy.is_inlined_wcsncpy(stmt):
+            assert last_stmt.args is not None and stmt.args is not None
+            delta = self._get_delta(last_stmt.args[0], stmt.args[0])
+            if delta is not None and delta < 0:
+                last_stmt, stmt = stmt, last_stmt
+
+        if InlinedWcscpy.is_inlined_wcsncpy(last_stmt):
+            assert last_stmt.args is not None
+            assert self.kb is not None
+            s_last: bytes = self.kb.custom_strings[last_stmt.args[1].value]
+            addr_last = last_stmt.args[0]
+            new_str = None  # will be set if consolidation should happen
+
+            if isinstance(stmt, Call) and InlinedWcscpy.is_inlined_wcsncpy(stmt):
+                assert stmt.args is not None
+                # consolidating two calls
+                s_curr: bytes = self.kb.custom_strings[stmt.args[1].value]
+                addr_curr = stmt.args[0]
+                # determine if the two addresses are consecutive
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    # consolidate both calls!
+                    new_str = s_last + s_curr
+            elif isinstance(stmt, Store) and isinstance(stmt.data, Const) and isinstance(stmt.data.value, int):
+                # consolidating a call and a store, in case the store statement is storing the suffix of a string (but
+                # the suffix is too short to qualify an inlined strcpy optimization)
+                addr_curr = stmt.addr
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    if stmt.size == 2 and stmt.data.value == 0:
+                        # it's probably the terminating null byte
+                        r, s = True, b"\x00\x00"
+                    else:
+                        r, s = InlinedWcscpy.is_integer_likely_a_wide_string(
+                            stmt.data.value, stmt.size, stmt.endness, min_length=1  # type:ignore
+                        )
+                    if r and s is not None:
+                        new_str = s_last + s
+            elif (
+                isinstance(stmt, Assignment)
+                and isinstance(stmt.dst, VirtualVariable)
+                and isinstance(stmt.src, Const)
+                and isinstance(stmt.src.value, int)
+            ):
+                # consolidating a call and an assignment, in case the assignment statement is storing the suffix of a
+                # string (but the suffix is too short to qualify an inlined strcpy optimization)
+                addr_curr = stmt.dst
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    r, s = InlinedWcscpy.is_integer_likely_a_wide_string(
+                        stmt.src.value, stmt.dst.size, self.project.arch.memory_endness, min_length=1  # type:ignore
+                    )
+                    if r and s is not None:
+                        new_str = s_last + s
+
+            if new_str is not None:
+                assert self.project is not None
+                wstr_type = SimTypePointer(SimTypeWideChar()).with_arch(self.project.arch)
+                if new_str.endswith(b"\x00\x00"):
+                    call_name = "wcsncpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str[:-2])
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True, type=wstr_type),
+                    ]
+                    prototype = None
+                else:
+                    call_name = "wcsncpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str)
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True, type=wstr_type),
+                        Const(None, None, len(new_str) // 2, self.project.arch.bits),
+                    ]
+                    prototype = None
+
+                return [Call(stmt.idx, call_name, args=args, prototype=prototype, **stmt.tags)]
+
+        return None
+
+    @staticmethod
+    def _parse_addr(addr: Expression) -> tuple[Expression, int]:
+        # we force the base to 64-bit because it does not really matter when we use it
+
+        if isinstance(addr, VirtualVariable) and addr.was_stack:
+            return StackBaseOffset(None, 64, 0), addr.stack_offset
+        if isinstance(addr, Register):
+            return addr, 0
+        if isinstance(addr, StackBaseOffset):
+            return StackBaseOffset(None, 64, 0), addr.offset
+        if (
+            isinstance(addr, UnaryOp)
+            and addr.op == "Reference"
+            and isinstance(addr.operand, VirtualVariable)
+            and addr.operand.was_stack
+        ):
+            return StackBaseOffset(None, 64, 0), addr.operand.stack_offset
+        if isinstance(addr, BinaryOp):
+            if addr.op == "Add" and isinstance(addr.operands[1], Const) and isinstance(addr.operands[1].value, int):
+                base_0, offset_0 = InlinedWcscpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 + addr.operands[1].value
+            if addr.op == "Sub" and isinstance(addr.operands[1], Const) and isinstance(addr.operands[1].value, int):
+                base_0, offset_0 = InlinedWcscpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 - addr.operands[1].value
+
+        return addr, 0
+
+    @staticmethod
+    def _get_delta(addr_0: Expression, addr_1: Expression) -> int | None:
+        base_0, offset_0 = InlinedWcscpyConsolidation._parse_addr(addr_0)
+        base_1, offset_1 = InlinedWcscpyConsolidation._parse_addr(addr_1)
+        if base_0.likes(base_1):
+            return offset_1 - offset_0
+        return None

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -97,6 +97,19 @@ class SimEngineSSARewriting(
         self._current_vvar_id += 1
         return self._current_vvar_id
 
+    #
+    # Util functions
+    #
+
+    @staticmethod
+    def _is_head_controlled_loop_jump(block, jump_stmt: ConditionalJump) -> bool:
+        concrete_targets = []
+        if isinstance(jump_stmt.true_target, Const):
+            concrete_targets.append(jump_stmt.true_target.value)
+        if isinstance(jump_stmt.false_target, Const):
+            concrete_targets.append(jump_stmt.false_target.value)
+        return not all(block.addr <= t < block.addr + block.original_size for t in concrete_targets)
+
     #
     # Handlers
     #
@@ -303,7 +316,7 @@ class SimEngineSSARewriting(
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
         new_false_target = self._expr(stmt.false_target) if stmt.false_target is not None else None
 
-        if self.stmt_idx != len(self.block.statements) - 1:
+        if self.stmt_idx != len(self.block.statements) - 1 and self._is_head_controlled_loop_jump(self.block, stmt):
             # the conditional jump is in the middle of the block (e.g., the block generated from lifting rep stosq).
             # we need to make a copy of the state and use the state of this point in its successor
             self.head_controlled_loop_outstate = self.state.copy()

angr/analyses/decompiler/structured_codegen/c.py

@@ -42,6 +42,7 @@ from angr.utils.constants import is_alignment_mask
 from angr.utils.library import get_cpp_function_name
 from angr.utils.loader import is_in_readonly_segment, is_in_readonly_section
 from angr.utils.types import unpack_typeref, unpack_pointer_and_array, dereference_simtype_by_lib
+from angr.utils.strings import decode_utf16_string
 from angr.analyses.decompiler.utils import structured_node_is_simple_return
 from angr.analyses.decompiler.notes.deobfuscated_strings import DeobfuscatedStringsNote
 from angr.errors import UnsupportedNodeTypeError, AngrRuntimeError
@@ -2269,9 +2270,9 @@ class CConstant(CExpression):
                 elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
                     refval = self.reference_values[self._type]
                     v = (
-                        refval.content.decode("utf_16_le")
+                        decode_utf16_string(refval.content)
                         if isinstance(refval, MemoryData)
-                        else refval.decode("utf_16_le")
+                        else decode_utf16_string(refval)
                     )  # it's a string
                     yield CConstant.str_to_c_str(v, prefix="L"), self
                     return
@@ -4076,9 +4077,9 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
 class FieldReferenceCleanup(CStructuredCodeWalker):
     def handle_CTypeCast(self, obj):
         if isinstance(obj.dst_type, SimTypePointer) and not isinstance(obj.dst_type.pts_to, SimTypeBottom):
-            obj = obj.codegen._access_reference(obj.expr, obj.dst_type.pts_to)
-            if not isinstance(obj, CTypeCast):
-                return self.handle(obj)
+            new_obj = obj.codegen._access_reference(obj.expr, obj.dst_type.pts_to)
+            if not isinstance(new_obj, CTypeCast):
+                return self.handle(new_obj)
         return super().handle_CTypeCast(obj)
 
 

angr/analyses/decompiler/structuring/dream.py

@@ -548,7 +548,7 @@ class DreamStructurer(StructurerBase):
         cmp = switch_extract_cmp_bounds(last_stmt)
         if not cmp:
             return False
-        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
         # the real indirect jump
         if len(addr2nodes[target]) != 1:
@@ -619,7 +619,7 @@ class DreamStructurer(StructurerBase):
         cmp = switch_extract_cmp_bounds(last_stmt)
         if not cmp:
             return False
-        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
         jumptable_entries = jump_table.jumptable_entries
         assert jumptable_entries is not None

angr/analyses/decompiler/structuring/phoenix.py

@@ -929,23 +929,55 @@ class PhoenixStructurer(StructurerBase):
                             )
                             break_node = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
                         else:
-                            break_stmt = Jump(
-                                None,
-                                Const(None, None, successor.addr, self.project.arch.bits),
-                                target_idx=successor.idx if isinstance(successor, Block) else None,
-                                ins_addr=last_src_stmt.ins_addr,
-                            )
-                            break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
-                            fallthrough_node = next(iter(succ for succ in fullgraph.successors(src) if succ is not dst))
-                            fallthrough_stmt = Jump(
-                                None,
-                                Const(None, None, fallthrough_node.addr, self.project.arch.bits),
-                                target_idx=successor.idx if isinstance(successor, Block) else None,
-                                ins_addr=last_src_stmt.ins_addr,
-                            )
-                            break_node_inner_fallthrough = Block(
-                                last_src_stmt.ins_addr, None, statements=[fallthrough_stmt]
+                            fallthrough_node = next(
+                                iter(succ for succ in fullgraph.successors(src) if succ is not dst), None
                             )
+                            if fallthrough_node is not None:
+                                # we create a conditional jump that will be converted to a conditional break later
+                                break_stmt = Jump(
+                                    None,
+                                    Const(None, None, successor.addr, self.project.arch.bits),
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                                fallthrough_stmt = Jump(
+                                    None,
+                                    Const(None, None, fallthrough_node.addr, self.project.arch.bits),
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner_fallthrough = Block(
+                                    last_src_stmt.ins_addr, None, statements=[fallthrough_stmt]
+                                )
+                            else:
+                                # the fallthrough node does not exist in the graph. we create a conditional jump that
+                                # jumps to an address
+                                if not isinstance(last_src_stmt, ConditionalJump):
+                                    raise TypeError(f"Unexpected last_src_stmt type {type(last_src_stmt)}")
+                                other_target = (
+                                    last_src_stmt.true_target
+                                    if isinstance(last_src_stmt.false_target, Const)
+                                    and last_src_stmt.false_target.value == successor.addr
+                                    else last_src_stmt.false_target
+                                )
+                                assert other_target is not None
+                                break_stmt = Jump(
+                                    None,
+                                    Const(None, None, successor.addr, self.project.arch.bits),
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner = Block(last_src_stmt.ins_addr, None, statements=[break_stmt])
+                                fallthrough_stmt = Jump(
+                                    None,
+                                    other_target,
+                                    target_idx=successor.idx if isinstance(successor, Block) else None,
+                                    ins_addr=last_src_stmt.ins_addr,
+                                )
+                                break_node_inner_fallthrough = Block(
+                                    last_src_stmt.ins_addr, None, statements=[fallthrough_stmt]
+                                )
                             break_node = ConditionNode(
                                 last_src_stmt.ins_addr,
                                 None,
@@ -1454,7 +1486,7 @@ class PhoenixStructurer(StructurerBase):
                 )
                 if not cmp:
                     return False
-                cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+                cmp_expr, cmp_lb, _cmp_ub = cmp
 
                 assert cond_node.addr is not None
                 switch_head_addr = cond_node.addr
@@ -1477,7 +1509,7 @@ class PhoenixStructurer(StructurerBase):
             cmp = switch_extract_cmp_bounds(last_stmt)
             if not cmp:
                 return False
-            cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+            cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
             switch_head_addr = last_stmt.ins_addr
 
@@ -1849,7 +1881,7 @@ class PhoenixStructurer(StructurerBase):
         cmp = switch_extract_cmp_bounds(last_stmt)
         if not cmp:
             return False
-        cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
 
         if isinstance(last_stmt.false_target, Const):
             default_addr = last_stmt.false_target.value
@@ -2148,19 +2180,54 @@ class PhoenixStructurer(StructurerBase):
                     jump_node = Block(out_src.addr, 0, statements=[jump_stmt])
                     case_node.nodes.append(jump_node)
 
-            if out_edges_to_head:  # noqa:SIM108
+            # out_dst_succ is the successor within the current region
+            # out_dst_succ_fullgraph is the successor outside the current region
+            if out_edges_to_head:
                 # add an edge from SwitchCaseNode to head so that a loop will be structured later
                 out_dst_succ = head
+                out_dst_succ_fullgraph = None
             else:
                 # add an edge from SwitchCaseNode to its most immediate successor (if there is one)
-                out_dst_succ = other_out_edges[0][1] if other_out_edges else None
+                # there might be an in-region successor and an out-of-region successor (especially due to the
+                # introduction of self.dowhile_known_tail_nodes)!
+                # example: 7995a0325b446c462bdb6ae10b692eee2ecadd8e888e9d7729befe4412007afb, function 1400EF820
+                out_dst_succs = []
+                out_dst_succs_fullgraph = []
+                for _, o in other_out_edges:
+                    if o in graph:
+                        out_dst_succs.append(o)
+                    elif o in full_graph:
+                        out_dst_succs_fullgraph.append(o)
+                out_dst_succ = sorted(out_dst_succs, key=lambda o: o.addr)[0] if out_dst_succs else None
+                out_dst_succ_fullgraph = (
+                    sorted(out_dst_succs_fullgraph, key=lambda o: o.addr)[0] if out_dst_succs_fullgraph else None
+                )
+                if len(out_dst_succs) > 1:
+                    assert out_dst_succ is not None
+                    l.warning(
+                        "Multiple in-region successors detected for switch-case node at %#x. Picking %#x as the "
+                        "successor and dropping others.",
+                        scnode.addr,
+                        out_dst_succ.addr,
+                    )
+                if len(out_dst_succs_fullgraph) > 1:
+                    assert out_dst_succ_fullgraph is not None
+                    l.warning(
+                        "Multiple out-of-region successors detected for switch-case node at %#x. Picking %#x as the "
+                        "successor and dropping others.",
+                        scnode.addr,
+                        out_dst_succ_fullgraph.addr,
+                    )
 
             if out_dst_succ is not None:
-                if out_dst_succ in graph:
-                    graph.add_edge(scnode, out_dst_succ)
+                graph.add_edge(scnode, out_dst_succ)
                 full_graph.add_edge(scnode, out_dst_succ)
                 if full_graph.has_edge(head, out_dst_succ):
                     full_graph.remove_edge(head, out_dst_succ)
+            if out_dst_succ_fullgraph is not None:
+                full_graph.add_edge(scnode, out_dst_succ_fullgraph)
+                if full_graph.has_edge(head, out_dst_succ_fullgraph):
+                    full_graph.remove_edge(head, out_dst_succ_fullgraph)
 
             # fix full_graph if needed: remove successors that are no longer needed
             for _out_src, out_dst in other_out_edges:
@@ -2925,6 +2992,17 @@ class PhoenixStructurer(StructurerBase):
             ordered_nodes.remove(postorder_head)
             acyclic_graph.remove_node(postorder_head)
         node_seq = {nn: (len(ordered_nodes) - idx) for (idx, nn) in enumerate(ordered_nodes)}  # post-order
+        if len(node_seq) < len(acyclic_graph):
+            # some nodes are not reachable from head - add them to node_seq as well
+            # but this is usually the result of incorrect structuring, so we may still fail at a later point
+            l.warning("Adding %d unreachable nodes to node_seq", len(acyclic_graph) - len(node_seq))
+            unreachable_nodes = sorted(
+                (nn for nn in acyclic_graph if nn not in node_seq),
+                key=lambda n: (n.addr, (-1 if n.idx is None else n.idx) if hasattr(n, "idx") else 0),
+            )
+            max_seq = max(node_seq.values(), default=0)
+            for i, nn in enumerate(unreachable_nodes):
+                node_seq[nn] = max_seq + i
 
         if all_edges_wo_dominance:
             all_edges_wo_dominance = self._order_virtualizable_edges(full_graph, all_edges_wo_dominance, node_seq)

angr/analyses/decompiler/utils.py

@@ -2,6 +2,7 @@
 from __future__ import annotations
 import pathlib
 import copy
+from types import FunctionType
 from typing import Any
 from collections.abc import Iterable
 import logging
@@ -958,9 +959,15 @@ def peephole_optimize_multistmts(block, stmt_opts):
             for opt in stmt_opts:
                 matched = False
                 stmt_seq_len = None
-                for stmt_class_seq in opt.stmt_classes:
-                    if match_stmt_classes(statements, stmt_idx, stmt_class_seq):
-                        stmt_seq_len = len(stmt_class_seq)
+                for stmt_class_seq_or_method in opt.stmt_classes:
+                    if isinstance(stmt_class_seq_or_method, FunctionType):
+                        r = stmt_class_seq_or_method(statements, stmt_idx)
+                        if r > 0:
+                            stmt_seq_len = r
+                            matched = True
+                            break
+                    elif match_stmt_classes(statements, stmt_idx, stmt_class_seq_or_method):
+                        stmt_seq_len = len(stmt_class_seq_or_method)
                         matched = True
                         break