angr 9.2.181__cp310-abi3-macosx_10_12_x86_64.whl → 9.2.182__cp310-abi3-macosx_10_12_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.181"
+__version__ = "9.2.182"
 
 if bytes is str:
     raise Exception(

angr/ailment/expression.py

@@ -345,9 +345,9 @@ class VirtualVariable(Atom):
         ori_str = ""
         match self.category:
             case VirtualVariableCategory.REGISTER:
-                ori_str = f"{{reg {self.reg_offset}}}"
+                ori_str = f"{{r{self.reg_offset}|{self.size}b}}"
             case VirtualVariableCategory.STACK:
-                ori_str = f"{{stack {self.oident}}}"
+                ori_str = f"{{s{self.oident}|{self.size}b}}"
         return f"vvar_{self.varid}{ori_str}"
 
     __hash__ = TaggedObject.__hash__  # type: ignore

angr/analyses/decompiler/ail_simplifier.py

@@ -37,7 +37,7 @@ from angr.ailment.expression import (
 
 from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SRDAModel
-from angr.utils.ail import is_phi_assignment, HasExprWalker
+from angr.utils.ail import is_phi_assignment, HasExprWalker, is_expr_used_as_reg_base_value
 from angr.utils.ssa import (
     has_call_in_between_stmts,
     has_store_stmt_in_between_stmts,
@@ -315,7 +315,7 @@ class AILSimplifier(Analysis):
             subject=self.func,
             func_graph=self.func_graph,
             func_args=func_args,
-            # use_callee_saved_regs_at_return=self._use_callee_saved_regs_at_return,
+            use_callee_saved_regs_at_return=self._use_callee_saved_regs_at_return,
             # track_tmps=True,
         ).model
         self._reaching_definitions = rd
@@ -406,6 +406,10 @@ class AILSimplifier(Analysis):
 
         rd = self._compute_reaching_definitions()
         sorted_defs = sorted(rd.all_definitions, key=lambda d: d.codeloc, reverse=True)
+
+        # compute effective sizes for each vvar
+        effective_sizes = self._compute_effective_sizes(rd, sorted_defs, addr_and_idx_to_block)
+
         narrowing_candidates: dict[int, tuple[Definition, ExprNarrowingInfo]] = {}
         for def_ in (d_ for d_ in sorted_defs if d_.codeloc.context is None):
             if isinstance(def_.atom, atoms.VirtualVariable) and (def_.atom.was_reg or def_.atom.was_parameter):
@@ -421,7 +425,7 @@ class AILSimplifier(Analysis):
                 if skip_def:
                     continue
 
-                narrow = self._narrowing_needed(def_, rd, addr_and_idx_to_block)
+                narrow = self._narrowing_needed(def_, rd, addr_and_idx_to_block, effective_sizes)
                 if narrow.narrowable:
                     # we cannot narrow it immediately because any definition that is used by phi variables must be
                     # narrowed together with all other definitions that can reach the phi variables.
@@ -466,6 +470,47 @@ class AILSimplifier(Analysis):
 
         return narrowed
 
+    def _compute_effective_sizes(self, rd, defs, addr_and_idx_to_block) -> dict[int, int]:
+
+        vvar_effective_sizes: dict[int, int] = {}
+
+        # determine effective sizes for non-phi vvars
+        for def_ in defs:
+            # find its def statement
+            old_block = addr_and_idx_to_block.get((def_.codeloc.block_addr, def_.codeloc.block_idx), None)
+            if old_block is None:
+                continue
+            block = self.blocks.get(old_block, old_block)
+            if def_.codeloc.stmt_idx is None or def_.codeloc.stmt_idx >= len(block.statements):
+                continue
+            def_stmt = block.statements[def_.codeloc.stmt_idx]
+            if (
+                isinstance(def_stmt, Assignment)
+                and isinstance(def_stmt.src, Convert)
+                and not def_stmt.src.is_signed
+                and def_stmt.src.from_type == Convert.TYPE_INT
+                and def_stmt.src.to_type == Convert.TYPE_INT
+                and def_stmt.src.from_bits < def_stmt.src.to_bits
+            ):
+                effective_size = def_stmt.src.from_bits // self.project.arch.byte_width
+                vvar_effective_sizes[def_.atom.varid] = effective_size
+
+        # update effective sizes for phi vvars
+        changed = True
+        while changed:
+            changed = False
+            for phi_vvar in rd.phivarid_to_varids:
+                if phi_vvar in vvar_effective_sizes:
+                    continue
+                if rd.phivarid_to_varids[phi_vvar] and all(
+                    src_vvar in vvar_effective_sizes for src_vvar in rd.phivarid_to_varids[phi_vvar]
+                ):
+                    effective_size = max(vvar_effective_sizes[src_vvar] for src_vvar in rd.phivarid_to_varids[phi_vvar])
+                    vvar_effective_sizes[phi_vvar] = effective_size
+                    changed = True
+
+        return vvar_effective_sizes
+
     @staticmethod
     def _compute_narrowables_once(
         rd, narrowing_candidates: dict, vvar_to_narrowing_size: dict[int, int], blacklist_varids: set
@@ -513,7 +558,9 @@ class AILSimplifier(Analysis):
 
         return repeat, narrowables
 
-    def _narrowing_needed(self, def_, rd: SRDAModel, addr_and_idx_to_block) -> ExprNarrowingInfo:
+    def _narrowing_needed(
+        self, def_: Definition, rd: SRDAModel, addr_and_idx_to_block, effective_sizes: dict[int, int]
+    ) -> ExprNarrowingInfo:
 
         def_size = def_.size
         # find its uses
@@ -524,6 +571,7 @@ class AILSimplifier(Analysis):
         use_and_exprs, phi_vars = result
 
         all_used_sizes = set()
+        noncall_used_sizes = set()
         used_by: list[tuple[atoms.VirtualVariable, CodeLocation, tuple[str, tuple[Expression, ...]]]] = []
         used_by_loc = defaultdict(list)
 
@@ -543,10 +591,16 @@ class AILSimplifier(Analysis):
             # special case: if the statement is a Call statement and expr is None, it means we have not been able to
             # determine if the expression is really used by the call or not. skip it in this case
             if isinstance(stmt, Call) and expr is None:
+                all_used_sizes.add(atom.size)
                 continue
             # special case: if the statement is a phi statement, we ignore it
             if is_phi_assignment(stmt):
                 continue
+            # special case: if the statement is an assignment to a destination vvar A, and the source is the bitwise-or
+            # of two expressions where one of them is the high bits of expr, and expr is a phi var that relies on
+            # vvar A, then we skip it.
+            if is_expr_used_as_reg_base_value(stmt, expr, rd):
+                continue
 
             expr_size, used_by_exprs = self._extract_expression_effective_size(stmt, expr)
             if expr_size is None:
@@ -554,9 +608,27 @@ class AILSimplifier(Analysis):
                 return ExprNarrowingInfo(False)
 
             all_used_sizes.add(expr_size)
+            if not isinstance(stmt, Call):
+                noncall_used_sizes.add(expr_size)
             used_by_loc[loc].append((atom, used_by_exprs))
 
+        target_size = None
         if len(all_used_sizes) == 1 and next(iter(all_used_sizes)) < def_size:
+            target_size = next(iter(all_used_sizes))
+        else:
+            effective_size = effective_sizes.get(def_.atom.varid, None)
+            if (
+                effective_size is not None
+                and any(used_size <= effective_size for used_size in all_used_sizes)
+                and all(used_size <= effective_size for used_size in noncall_used_sizes)
+            ):
+                # special case: sometimes we have an explicit Convert that narrows the value, all other uses are either
+                # in the effective size or narrower, but we pass the full register to a function call as an argument
+                # because we do not know the real type of the argument, or there are cases like putchar(int ch) while
+                # ch is actually a char. We use effective size in such cases to narrow the variable.
+                target_size = effective_size
+
+        if target_size is not None:
             for loc, atom_expr_pairs in used_by_loc.items():
                 if len(atom_expr_pairs) == 1:
                     atom, used_by_exprs = atom_expr_pairs[0]
@@ -582,7 +654,7 @@ class AILSimplifier(Analysis):
                     for atom, used_by_exprs in ordered:
                         used_by.append((atom, loc, used_by_exprs))
 
-            return ExprNarrowingInfo(True, to_size=next(iter(all_used_sizes)), use_exprs=used_by, phi_vars=phi_vars)
+            return ExprNarrowingInfo(True, to_size=target_size, use_exprs=used_by, phi_vars=phi_vars)
 
         return ExprNarrowingInfo(False)
 

angr/analyses/decompiler/callsite_maker.py

@@ -364,7 +364,12 @@ class CallSiteMaker(Analysis):
             # Find its definition
             view = SRDAView(self._reaching_definitions.model)
             vvar = view.get_reg_vvar_by_stmt(
-                offset, self.block.addr, self.block.idx, len(self.block.statements) - 1, OP_BEFORE
+                offset,
+                arg_loc.size,
+                self.block.addr,
+                self.block.idx,
+                len(self.block.statements) - 1,
+                OP_BEFORE,
             )
 
             if vvar is not None:

angr/analyses/decompiler/clinic.py

@@ -1740,7 +1740,7 @@ class Clinic(Analysis):
             func_graph=ail_graph,
             func_args=func_args,
             fail_fast=self._fail_fast,
-            # use_callee_saved_regs_at_return=not self._register_save_areas_removed,  FIXME
+            use_callee_saved_regs_at_return=not self._register_save_areas_removed,
         )
 
         class TempClass:  # pylint:disable=missing-class-docstring
@@ -2008,9 +2008,7 @@ class Clinic(Analysis):
 
                 # link struct member info
                 if isinstance(stmt.variable, SimStackVariable):
-                    off = stmt.variable.offset
-                    if off in variable_manager.stack_offset_to_struct_member_info:
-                        stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+                    self._map_stackvar_to_struct_member(variable_manager, stmt, stmt.variable.offset)
 
             elif stmt_type is ailment.Stmt.Assignment or stmt_type is ailment.Stmt.WeakAssignment:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
@@ -2094,9 +2092,7 @@ class Clinic(Analysis):
                 expr.variable_offset = offset
 
                 if isinstance(expr, ailment.Expr.VirtualVariable) and expr.was_stack:
-                    off = expr.stack_offset
-                    if off in variable_manager.stack_offset_to_struct_member_info:
-                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+                    self._map_stackvar_to_struct_member(variable_manager, expr, expr.stack_offset)
 
         elif type(expr) is ailment.Expr.Load:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
@@ -2133,9 +2129,7 @@ class Clinic(Analysis):
                 expr.variable_offset = offset
 
                 if isinstance(var, SimStackVariable):
-                    off = var.offset
-                    if off in variable_manager.stack_offset_to_struct_member_info:
-                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+                    self._map_stackvar_to_struct_member(variable_manager, expr, var.offset)
 
         elif type(expr) is ailment.Expr.BinaryOp:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
@@ -2227,6 +2221,24 @@ class Clinic(Analysis):
                 if vvar is not None:
                     self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, vvar)
 
+    def _map_stackvar_to_struct_member(
+        self,
+        variable_manager,
+        expr_or_stmt: ailment.expression.Expression | ailment.statement.Statement,
+        the_stack_offset: int,
+    ) -> bool:
+        any_struct_found = False
+        off = the_stack_offset
+        for stack_off in variable_manager.stack_offset_to_struct.irange(maximum=off, reverse=True):
+            the_var, vartype = variable_manager.stack_offset_to_struct[stack_off]
+            if stack_off <= off < stack_off + vartype.size // self.project.arch.byte_width:
+                expr_or_stmt.tags["struct_member_info"] = off - stack_off, the_var, vartype
+                any_struct_found = True
+                break
+            if stack_off + vartype.size // self.project.arch.byte_width <= off:
+                break
+        return any_struct_found
+
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size

angr/analyses/decompiler/dephication/graph_vvar_mapping.py

@@ -4,14 +4,14 @@ from collections import defaultdict
 
 from angr.ailment import AILBlockWalker
 from angr.ailment.block import Block
-from angr.ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
+from angr.ailment.expression import Phi, VirtualVariable
 from angr.ailment.statement import Assignment, Jump, ConditionalJump, Label
 
 from angr.analyses import Analysis
 from angr.analyses.s_reaching_definitions import SRDAModel
 from angr.knowledge_plugins.functions import Function
 from angr.analyses import register_analysis
-from angr.utils.ssa import is_phi_assignment, DEPHI_VVAR_REG_OFFSET
+from angr.utils.ssa import is_phi_assignment
 
 l = logging.getLogger(name=__name__)
 
@@ -232,14 +232,8 @@ class GraphDephicationVVarMapping(Analysis):  # pylint:disable=abstract-method
                         # we have not yet appended a statement to this block
                         the_block = self._blocks[src]
                         ins_addr = the_block.addr + the_block.original_size - 1
-                        if vvar.category == VirtualVariableCategory.PARAMETER:
-                            # it's a parameter, so we copy the variable into a dummy register vvar
-                            # a parameter vvar should never be assigned to
-                            new_category = VirtualVariableCategory.REGISTER
-                            new_oident = DEPHI_VVAR_REG_OFFSET
-                        else:
-                            new_category = vvar.category
-                            new_oident = vvar.oident
+                        new_category = phi_stmt.dst.category
+                        new_oident = phi_stmt.dst.oident
                         new_vvar = VirtualVariable(
                             None, new_vvar_id, vvar.bits, new_category, oident=new_oident, ins_addr=ins_addr
                         )

angr/analyses/decompiler/ssailification/rewriting.py

@@ -9,12 +9,13 @@ import networkx
 import angr.ailment as ailment
 from angr.ailment import Block
 from angr.ailment.expression import Phi, VirtualVariable, VirtualVariableCategory
-from angr.ailment.statement import Assignment, Label
+from angr.ailment.statement import Assignment, Label, Statement
 
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
 from angr.analyses.forward_analysis import FunctionGraphVisitor
-from angr.utils.ail import is_head_controlled_loop_block
+from angr.utils.ail import is_head_controlled_loop_block, extract_partial_expr
+from angr.utils.ssa import get_reg_offset_base_and_size, is_phi_assignment
 from .rewriting_engine import SimEngineSSARewriting, DefExprType, AT
 from .rewriting_state import RewritingState
 
@@ -192,6 +193,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
             else self.out_states[(node_.addr, node_.idx)]
         )
         if reg_offset in out_state.registers and reg_size in out_state.registers[reg_offset]:
+            # we found a perfect hit
             existing_var = out_state.registers[reg_offset][reg_size]
             if existing_var is None:
                 # the vvar is not set. it should never be referenced
@@ -199,6 +201,25 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
             vvar = existing_var.copy()
             vvar.idx = self._ail_manager.next_atom()
             return True, vvar
+
+        # try to see if any register writes overlap with the requested one
+        # note that we only support full overlaps for now...
+        for off in out_state.registers:
+            if reg_offset + reg_size <= off or (
+                out_state.registers[off] and reg_offset > off + max(out_state.registers[off])
+            ):
+                continue
+            for sz in sorted(out_state.registers[off], reverse=True):
+                if reg_offset >= off and reg_offset + reg_size <= off + sz:
+                    existing_var = out_state.registers[off][sz]
+                    if existing_var is None:
+                        # the vvar is not set.
+                        return True, None
+
+                    # return the base vvar
+                    base_vvar = existing_var.copy()
+                    base_vvar.idx = self._ail_manager.next_atom()
+                    return True, base_vvar
         return False, None
 
     def _stack_predicate(self, node_: Block, *, stack_offset: int, stackvar_size: int) -> tuple[bool, Any]:
@@ -319,19 +340,26 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
                 for stmt in node.statements
             ):
                 # there we go
-                new_stmts = []
+                phi_stmts = []
+                phi_extraction_stmts = []
+                other_stmts = []
                 for stmt in node.statements:
-                    if not (
+                    if (
                         isinstance(stmt, Assignment)
                         and isinstance(stmt.dst, VirtualVariable)
                         and isinstance(stmt.src, Phi)
-                        and len(stmt.src.src_and_vvars) == 0  # avoid re-assignment
+                        and len(stmt.src.src_and_vvars) > 0
                     ):
-                        new_stmts.append(stmt)
+                        # avoid re-assignment
+                        phi_stmts.append(stmt)
+                        continue
+                    if not is_phi_assignment(stmt):
+                        other_stmts.append(stmt)
                         continue
 
                     src_and_vvars = []
                     if stmt.dst.was_reg:
+                        perfect_matches = []
                         for pred in self.graph.predecessors(original_node):
                             vvar = self._follow_one_path_backward(
                                 self.graph,
@@ -339,6 +367,36 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
                                 partial(self._reg_predicate, reg_offset=stmt.dst.reg_offset, reg_size=stmt.dst.size),
                             )
                             src_and_vvars.append(((pred.addr, pred.idx), vvar))
+                            perfect_matches.append(
+                                (vvar.reg_offset == stmt.dst.reg_offset and vvar.size == stmt.dst.size)
+                                if vvar is not None
+                                else True
+                            )
+                        if all(perfect_matches):
+                            phi_var = Phi(stmt.src.idx, stmt.src.bits, src_and_vvars=src_and_vvars)
+                            phi_stmt = Assignment(stmt.idx, stmt.dst, phi_var, **stmt.tags)
+                            phi_stmts.append(phi_stmt)
+                        else:
+                            # different sizes of vvars found; we need to resort to the base register and extract the
+                            # requested register out of the base register
+                            # here we rely on the fact that the larger register vvar must be created in this block when
+                            # the smaller register has been created
+                            base_reg_offset, max_reg_size = get_reg_offset_base_and_size(
+                                stmt.dst.reg_offset, self.project.arch, size=stmt.dst.size
+                            )
+                            # find the phi assignment statement of the larger base register
+                            base_vvar = self._find_phi_vvar_for_reg(base_reg_offset, max_reg_size, node.statements)
+                            assert base_vvar is not None
+                            partial_base_vvar = extract_partial_expr(
+                                base_vvar,
+                                stmt.dst.reg_offset - base_reg_offset,
+                                stmt.dst.size,
+                                self._ail_manager,
+                                byte_width=self.project.arch.byte_width,
+                            )
+                            new_stmt = Assignment(stmt.idx, stmt.dst, partial_base_vvar, **base_vvar.tags)
+                            phi_extraction_stmts.append(new_stmt)
+
                     elif stmt.dst.was_stack:
                         for pred in self.graph.predecessors(original_node):
                             vvar = self._follow_one_path_backward(
@@ -351,13 +409,14 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
                                 ),
                             )
                             src_and_vvars.append(((pred.addr, pred.idx), vvar))
+
+                        phi_var = Phi(stmt.src.idx, stmt.src.bits, src_and_vvars=src_and_vvars)
+                        phi_stmt = Assignment(stmt.idx, stmt.dst, phi_var, **stmt.tags)
+                        phi_stmts.append(phi_stmt)
                     else:
                         raise NotImplementedError
 
-                    phi_var = Phi(stmt.src.idx, stmt.src.bits, src_and_vvars=src_and_vvars)
-                    new_stmt = Assignment(stmt.idx, stmt.dst, phi_var, **stmt.tags)
-                    new_stmts.append(new_stmt)
-                node = node.copy(statements=new_stmts)
+                node = node.copy(statements=phi_stmts + phi_extraction_stmts + other_stmts)
                 self.out_blocks[node_key] = node
 
     @staticmethod
@@ -377,3 +436,16 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, ailment.Block, object, o
                 break
             the_node = more_preds[0]
         return return_value
+
+    @staticmethod
+    def _find_phi_vvar_for_reg(reg_offset: int, reg_size: int, stmts: list[Statement]) -> VirtualVariable | None:
+        for stmt in stmts:
+            if (
+                is_phi_assignment(stmt)
+                and isinstance(stmt.dst, VirtualVariable)
+                and stmt.dst.was_reg
+                and stmt.dst.reg_offset == reg_offset
+                and stmt.dst.size == reg_size
+            ):
+                return stmt.dst
+        return None

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -153,7 +153,7 @@ class SimEngineSSARewriting(
         else:
             new_dst = self._replace_def_expr(self.block.addr, self.block.idx, self.stmt_idx, stmt.dst)
 
-        stmt_base_reg = None
+        additional_stmts = []
         if new_dst is not None:
             if isinstance(stmt.dst, Register):
                 # remove everything else that is an alias
@@ -163,10 +163,11 @@ class SimEngineSSARewriting(
 
                 self.state.registers[stmt.dst.reg_offset][stmt.dst.size] = new_dst
 
-                # generate an assignment that updates the base register if needed
                 base_offset, base_size = get_reg_offset_base_and_size(
                     stmt.dst.reg_offset, self.arch, size=stmt.dst.size
                 )
+
+                # generate an assignment that updates the base register if needed
                 if base_offset != stmt.dst.reg_offset or base_size != stmt.dst.size:
                     base_reg_expr = Register(
                         self.ail_manager.next_atom(),
@@ -180,15 +181,25 @@ class SimEngineSSARewriting(
                         self.block.addr, self.block.idx, self.stmt_idx, base_reg_expr
                     )
                     assert base_reg_vvar is not None
+                    base_reg_value = self._partial_update_expr(
+                        existing_base_reg_vvar,
+                        base_offset,
+                        base_size,
+                        new_dst,
+                        stmt.dst.reg_offset,
+                        stmt.dst.size,
+                    )
                     stmt_base_reg = Assignment(
                         self.ail_manager.next_atom(),
                         base_reg_vvar,
-                        self._partial_update_expr(
-                            existing_base_reg_vvar, base_offset, base_size, new_dst, stmt.dst.reg_offset, stmt.dst.size
-                        ),
+                        base_reg_value,
                         **stmt.tags,
                     )
+                    additional_stmts.append(stmt_base_reg)
                     self.state.registers[base_offset][base_size] = base_reg_vvar
+                else:
+                    base_reg_vvar = new_dst
+
             elif isinstance(stmt.dst, Tmp):
                 pass
             else:
@@ -201,8 +212,8 @@ class SimEngineSSARewriting(
                 stmt.src if new_src is None else new_src,
                 **stmt.tags,
             )
-            if stmt_base_reg is not None:
-                return new_stmt, stmt_base_reg
+            if additional_stmts:
+                return new_stmt, *additional_stmts
             return new_stmt
         return None
 
@@ -612,12 +623,12 @@ class SimEngineSSARewriting(
         existing_vvar: Expression,
         base_offset: int,
         base_size: int,
-        new_vvar: VirtualVariable,
+        new_value: Expression,
         offset: int,
         size: int,
     ) -> VirtualVariable | Expression:
         if offset == base_offset and base_size == size:
-            return new_vvar
+            return new_value
         if base_offset > offset:
             raise ValueError(f"Base offset {base_offset} is greater than expression offset {offset}")
 
@@ -639,8 +650,8 @@ class SimEngineSSARewriting(
             size * self.arch.byte_width,
             base_size * self.arch.byte_width,
             False,
-            new_vvar,
-            **new_vvar.tags,
+            new_value,
+            **new_value.tags,
         )
         if base_offset < offset:
             shift_amount = Const(

angr/analyses/decompiler/ssailification/ssailification.py

@@ -85,9 +85,9 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
         )
 
         # calculate virtual variables and phi nodes
-        self._udef_to_phiid: dict[tuple, set[int]] = None
-        self._phiid_to_loc: dict[int, tuple[int, int | None]] = None
-        self._stackvar_locs: dict[int, set[int]] = None
+        self._udef_to_phiid: dict[tuple, set[int]] = {}
+        self._phiid_to_loc: dict[int, tuple[int, int | None]] = {}
+        self._stackvar_locs: dict[int, set[int]] = {}
         self._calculate_virtual_variables(ail_graph, traversal.def_to_loc, traversal.loc_to_defs)
 
         # insert phi variables and rewrite uses
@@ -140,14 +140,16 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             # handle function arguments
             if self._func_args:
                 for func_arg in self._func_args:
-                    if func_arg.oident[0] == VirtualVariableCategory.STACK:
-                        stackvar_locs[func_arg.oident[1]] = {func_arg.size}
+                    if func_arg.parameter_category == VirtualVariableCategory.STACK:
+                        assert isinstance(func_arg.parameter_stack_offset, int)
+                        stackvar_locs[func_arg.parameter_stack_offset] = {func_arg.size}
             sorted_stackvar_offs = sorted(stackvar_locs)
         else:
             stackvar_locs = {}
             sorted_stackvar_offs = []
 
         # compute phi node locations for each unified definition
+        # compute udef_to_blockkeys
         udef_to_defs = defaultdict(set)
         udef_to_blockkeys = defaultdict(set)
         for def_, loc in def_to_loc: