angr 9.2.61__py3-none-macosx_10_9_x86_64.whl → 9.2.63__py3-none-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.61"
+__version__ = "9.2.63"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/cfg_fast.py

@@ -2714,30 +2714,28 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             for segment in self.project.loader.main_object.segments:
                 if segment.vaddr + segment.memsize == data_addr:
                     # yeah!
-                    new_data = self.model.add_memory_data(data_addr, MemoryDataSort.SegmentBoundary, data_size=0)
-                    if new_data or self._cross_references:
-                        cr = XRef(
-                            ins_addr=insn_addr,
-                            block_addr=irsb_addr,
-                            stmt_idx=stmt_idx,
-                            memory_data=self.model.memory_data[data_addr],
-                            xref_type=XRefType.Offset,
-                        )
-                        self.kb.xrefs.add_xref(cr)
+                    self.model.add_memory_data(data_addr, MemoryDataSort.SegmentBoundary, data_size=0)
+                    cr = XRef(
+                        ins_addr=insn_addr,
+                        block_addr=irsb_addr,
+                        stmt_idx=stmt_idx,
+                        memory_data=self.model.memory_data[data_addr],
+                        xref_type=XRefType.Offset,
+                    )
+                    self.kb.xrefs.add_xref(cr)
                     break
 
             return
 
-        new_data = self.model.add_memory_data(data_addr, data_type, data_size=data_size)
-        if new_data or self._cross_references:
-            cr = XRef(
-                ins_addr=insn_addr,
-                block_addr=irsb_addr,
-                stmt_idx=stmt_idx,
-                memory_data=self.model.memory_data[data_addr],
-                xref_type=XRefType.Offset,
-            )
-            self.kb.xrefs.add_xref(cr)
+        self.model.add_memory_data(data_addr, data_type, data_size=data_size)
+        cr = XRef(
+            ins_addr=insn_addr,
+            block_addr=irsb_addr,
+            stmt_idx=stmt_idx,
+            memory_data=self.model.memory_data[data_addr],
+            xref_type=XRefType.Offset,
+        )
+        self.kb.xrefs.add_xref(cr)
 
         if is_arm_arch(self.project.arch):
             if (irsb_addr & 1) == 1 and data_addr == (insn_addr & 0xFFFF_FFFF_FFFF_FFFE) + 4:

angr/analyses/decompiler/ail_simplifier.py

@@ -18,7 +18,6 @@ from ailment.expression import (
     BinaryOp,
 )
 
-from ...errors import SimMemoryMissingError
 from ...engines.light import SpOffset
 from ...code_location import CodeLocation
 from ...analyses.reaching_definitions.external_codeloc import ExternalCodeLocation
@@ -35,7 +34,7 @@ from .ccall_rewriters import CCALL_REWRITERS
 
 if TYPE_CHECKING:
     from ailment.manager import Manager
-    from angr.analyses.reaching_definitions import ReachingDefinitionsAnalysis
+    from angr.analyses.reaching_definitions import ReachingDefinitionsModel
 
 
 _l = logging.getLogger(__name__)
@@ -103,7 +102,7 @@ class AILSimplifier(Analysis):
     ):
         self.func = func
         self.func_graph = func_graph if func_graph is not None else func.graph
-        self._reaching_definitions: Optional[ReachingDefinitionsAnalysis] = None
+        self._reaching_definitions: Optional["ReachingDefinitionsModel"] = None
         self._propagator = None
 
         self._remove_dead_memdefs = remove_dead_memdefs
@@ -191,7 +190,7 @@ class AILSimplifier(Analysis):
         AILGraphWalker(self.func_graph, _handler, replace_nodes=True).walk()
         self.blocks = {}
 
-    def _compute_reaching_definitions(self) -> "ReachingDefinitionsAnalysis":
+    def _compute_reaching_definitions(self) -> "ReachingDefinitionsModel":
         # Computing reaching definitions or return the cached one
         if self._reaching_definitions is not None:
             return self._reaching_definitions
@@ -199,17 +198,12 @@ class AILSimplifier(Analysis):
             subject=self.func,
             func_graph=self.func_graph,
             # init_context=(),    <-- in case of fire break glass
-            observe_all=True,  # observe_callback=self._simplify_function_rd_observe_callback
+            observe_all=False,
             use_callee_saved_regs_at_return=self._use_callee_saved_regs_at_return,
-        )
+        ).model
         self._reaching_definitions = rd
         return rd
 
-    @staticmethod
-    # pylint:disable=unused-argument
-    def _simplify_function_rd_observe_callback(ob_type, **kwargs):
-        return ob_type == "node" or (ob_type == "insn" and kwargs.get("op_type", None) == OP_BEFORE)
-
     def _compute_propagation(self):
         # Propagate expressions or return the existing result
         if self._propagator is not None:
@@ -772,7 +766,7 @@ class AILSimplifier(Analysis):
                 # ensure the expression that we want to replace with is still up-to-date
                 replace_with_original_def = self._find_atom_def_at(replace_with, rd, def_.codeloc)
                 if replace_with_original_def is not None and not self._check_atom_last_def(
-                    replace_with, used_expr.size, u.ins_addr, rd, replace_with_original_def
+                    replace_with, u, rd, replace_with_original_def
                 ):
                     all_uses_replaced = False
                     continue
@@ -813,26 +807,18 @@ class AILSimplifier(Analysis):
     @staticmethod
     def _find_atom_def_at(atom, rd, codeloc: CodeLocation) -> Optional[Definition]:
         if isinstance(atom, Register):
-            observ = rd.observed_results[("insn", codeloc.ins_addr, OP_BEFORE)]
-            try:
-                reg_vals = observ.register_definitions.load(atom.reg_offset, size=atom.size)
-                defs = list(observ.extract_defs_from_mv(reg_vals))
-                return defs[0] if len(defs) == 1 else None
-            except SimMemoryMissingError:
-                pass
+            defs = rd.get_defs(atom, codeloc, OP_BEFORE)
+            return next(iter(defs)) if len(defs) == 1 else None
+
         return None
 
     @staticmethod
-    def _check_atom_last_def(atom, size, ins_addr, rd, the_def) -> bool:
+    def _check_atom_last_def(atom, codeloc, rd, the_def) -> bool:
         if isinstance(atom, Register):
-            observ = rd.observed_results[("insn", ins_addr, OP_BEFORE)]
-            try:
-                reg_vals = observ.register_definitions.load(atom.reg_offset, size=size)
-                for existing_def in observ.extract_defs_from_mv(reg_vals):
-                    if existing_def.codeloc != the_def.codeloc:
-                        return False
-            except SimMemoryMissingError:
-                pass
+            defs = rd.get_defs(atom, codeloc, OP_BEFORE)
+            for d in defs:
+                if d.codeloc != the_def.codeloc:
+                    return False
 
         return True
 
@@ -961,10 +947,9 @@ class AILSimplifier(Analysis):
                 defsite_defs_per_atom = defaultdict(set)
                 for dd in defsite_all_expr_uses:
                     defsite_defs_per_atom[dd.atom].add(dd)
-                usesite_rdstate = rd.observed_results[("stmt", (u.block_addr, u.block_idx, u.stmt_idx), 0)]
                 usesite_expr_def_outdated = False
                 for defsite_expr_atom, defsite_expr_uses in defsite_defs_per_atom.items():
-                    usesite_expr_uses = set(usesite_rdstate.get_definitions(defsite_expr_atom))
+                    usesite_expr_uses = set(rd.get_defs(defsite_expr_atom, u, OP_BEFORE))
                     if not usesite_expr_uses:
                         # the atom is not defined at the use site - it's fine
                         continue

angr/analyses/decompiler/block_simplifier.py

@@ -123,15 +123,19 @@ class BlockSimplifier(Analysis):
 
     def _compute_reaching_definitions(self, block):
         def observe_callback(ob_type, addr=None, op_type=None, **kwargs) -> bool:  # pylint:disable=unused-argument
-            return ob_type == "stmt" or ob_type == "node" and addr == block.addr and op_type == OP_AFTER
+            return ob_type == "node" and addr == block.addr and op_type == OP_AFTER
 
         if self._reaching_definitions is None:
-            self._reaching_definitions = self.project.analyses[ReachingDefinitionsAnalysis].prep()(
-                subject=block,
-                track_tmps=True,
-                stack_pointer_tracker=self._stack_pointer_tracker,
-                observe_all=False,
-                observe_callback=observe_callback,
+            self._reaching_definitions = (
+                self.project.analyses[ReachingDefinitionsAnalysis]
+                .prep()(
+                    subject=block,
+                    track_tmps=True,
+                    stack_pointer_tracker=self._stack_pointer_tracker,
+                    observe_all=False,
+                    observe_callback=observe_callback,
+                )
+                .model
             )
         return self._reaching_definitions
 

angr/analyses/decompiler/clinic.py

@@ -176,6 +176,7 @@ class Clinic(Analysis):
         self._convert_all()
 
         ail_graph = self._make_ailgraph()
+        self._rewrite_ite_expressions(ail_graph)
         self._remove_redundant_jump_blocks(ail_graph)
         if self._insert_labels:
             self._insert_block_labels(ail_graph)
@@ -1000,6 +1001,7 @@ class Clinic(Analysis):
             kb=tmp_kb,
             track_sp=False,
             func_args=arg_list,
+            unify_variables=False,
         )
         # get ground-truth types
         var_manager = tmp_kb.variables[self.function.addr]
@@ -1284,6 +1286,148 @@ class Clinic(Analysis):
 
         return graph
 
+    def _rewrite_ite_expressions(self, ail_graph):
+        for block in list(ail_graph):
+            ite_ins_addrs = []
+            for stmt in block.statements:
+                if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.ITE):
+                    if stmt.ins_addr not in ite_ins_addrs:
+                        ite_ins_addrs.append(stmt.ins_addr)
+
+            if ite_ins_addrs:
+                block_addr = block.addr
+                for ite_ins_addr in ite_ins_addrs:
+                    block_addr = self._create_triangle_for_ite_expression(ail_graph, block_addr, ite_ins_addr)
+                    if block_addr is None or block_addr >= block.addr + block.original_size:
+                        break
+
+    def _create_triangle_for_ite_expression(self, ail_graph, block_addr: int, ite_ins_addr: int):
+        # lift the ite instruction to get its size
+        ite_insn_size = self.project.factory.block(ite_ins_addr, num_inst=1).size
+        if ite_insn_size <= 1:  # we need an address for true_block and another address for false_block
+            return None
+
+        # relift the head and the ITE instruction
+        new_head = self.project.factory.block(
+            block_addr, size=ite_ins_addr - block_addr + ite_insn_size, cross_insn_opt=False
+        )
+        new_head_ail = ailment.IRSBConverter.convert(new_head.vex, self._ail_manager)
+        # remove all statements between the ITE expression and the very end of the block
+        ite_expr_stmt_idx = None
+        ite_expr_stmt = None
+        for idx, stmt in enumerate(new_head_ail.statements):
+            if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.ITE):
+                ite_expr_stmt_idx = idx
+                ite_expr_stmt = stmt
+                break
+        if ite_expr_stmt_idx is None:
+            return None
+
+        ite_expr: ailment.Expr.ITE = ite_expr_stmt.src
+        new_head_ail.statements = new_head_ail.statements[:ite_expr_stmt_idx]
+        # build the conditional jump
+        true_block_addr = ite_ins_addr
+        false_block_addr = ite_ins_addr + 1
+        cond_jump_stmt = ailment.Stmt.ConditionalJump(
+            ite_expr_stmt.idx,
+            ite_expr.cond,
+            ailment.Expr.Const(None, None, true_block_addr, self.project.arch.bits),
+            ailment.Expr.Const(None, None, false_block_addr, self.project.arch.bits),
+            **ite_expr_stmt.tags,
+        )
+        new_head_ail.statements.append(cond_jump_stmt)
+
+        # build the true block
+        true_block = self.project.factory.block(ite_ins_addr, num_inst=1)
+        true_block_ail = ailment.IRSBConverter.convert(true_block.vex, self._ail_manager)
+        true_block_ail.addr = true_block_addr
+
+        ite_expr_stmt_idx = None
+        ite_expr_stmt = None
+        for idx, stmt in enumerate(true_block_ail.statements):
+            if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.ITE):
+                ite_expr_stmt_idx = idx
+                ite_expr_stmt = stmt
+                break
+        if ite_expr_stmt_idx is None:
+            return None
+
+        true_block_ail.statements[ite_expr_stmt_idx] = ailment.Stmt.Assignment(
+            ite_expr_stmt.idx, ite_expr_stmt.dst, ite_expr_stmt.src.iftrue, **ite_expr_stmt.tags
+        )
+
+        # build the false block
+        false_block = self.project.factory.block(ite_ins_addr, num_inst=1)
+        false_block_ail = ailment.IRSBConverter.convert(false_block.vex, self._ail_manager)
+        false_block_ail.addr = false_block_addr
+
+        ite_expr_stmt_idx = None
+        ite_expr_stmt = None
+        for idx, stmt in enumerate(false_block_ail.statements):
+            if isinstance(stmt, ailment.Stmt.Assignment) and isinstance(stmt.src, ailment.Expr.ITE):
+                ite_expr_stmt_idx = idx
+                ite_expr_stmt = stmt
+                break
+        if ite_expr_stmt_idx is None:
+            return None
+
+        false_block_ail.statements[ite_expr_stmt_idx] = ailment.Stmt.Assignment(
+            ite_expr_stmt.idx, ite_expr_stmt.dst, ite_expr_stmt.src.iffalse, **ite_expr_stmt.tags
+        )
+
+        original_block = next(iter(b for b in ail_graph if b.addr == block_addr))
+
+        original_block_in_edges = list(ail_graph.in_edges(original_block))
+        original_block_out_edges = list(ail_graph.out_edges(original_block))
+
+        # build the target block if the target block does not exist in the current function
+        end_block_addr = ite_ins_addr + ite_insn_size
+        if block_addr < end_block_addr < block_addr + original_block.original_size:
+            end_block = self.project.factory.block(
+                ite_ins_addr + ite_insn_size,
+                size=block_addr + original_block.original_size - (ite_ins_addr + ite_insn_size),
+                cross_insn_opt=False,
+            )
+            end_block_ail = ailment.IRSBConverter.convert(end_block.vex, self._ail_manager)
+        else:
+            end_block_ail = next(iter(b for b in ail_graph if b.addr == end_block_addr))
+
+        # last check: if the first instruction of the end block has Sar, then we bail (due to the peephole optimization
+        # SarToSignedDiv)
+        for stmt in end_block_ail.statements:
+            if stmt.ins_addr > end_block_ail.addr:
+                break
+            if (
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                and stmt.src.op == "Sar"
+            ):
+                return None
+
+        ail_graph.remove_node(original_block)
+
+        if end_block_ail not in ail_graph:
+            # newly created. add it and the necessary edges into the graph
+            for _, dst in original_block_out_edges:
+                if dst is original_block:
+                    ail_graph.add_edge(end_block_ail, new_head_ail)
+                else:
+                    ail_graph.add_edge(end_block_ail, dst)
+
+        # in edges
+        for src, _ in original_block_in_edges:
+            if src is original_block:
+                raise ValueError("Unexpected...")
+            ail_graph.add_edge(src, new_head_ail)
+
+        # triangle
+        ail_graph.add_edge(new_head_ail, true_block_ail)
+        ail_graph.add_edge(new_head_ail, false_block_ail)
+        ail_graph.add_edge(true_block_ail, end_block_ail)
+        ail_graph.add_edge(false_block_ail, end_block_ail)
+
+        return end_block_ail.addr
+
     @staticmethod
     def _remove_redundant_jump_blocks(ail_graph):
         def first_conditional_jump(block: ailment.Block) -> Optional[ailment.Stmt.ConditionalJump]:

angr/analyses/decompiler/condition_processor.py

@@ -93,7 +93,8 @@ _ail2claripy_op_mapping = {
     "Div": lambda expr, conv, _: conv(expr.operands[0], nobool=True) / conv(expr.operands[1], nobool=True),
     "Mod": lambda expr, conv, _: conv(expr.operands[0], nobool=True) % conv(expr.operands[1], nobool=True),
     "Not": lambda expr, conv, _: claripy.Not(conv(expr.operand)),
-    "Neg": lambda expr, conv, _: ~conv(expr.operand),
+    "Neg": lambda expr, conv, _: -conv(expr.operand),
+    "BitwiseNeg": lambda expr, conv, _: ~conv(expr.operand),
     "Xor": lambda expr, conv, _: conv(expr.operands[0], nobool=True) ^ conv(expr.operands[1], nobool=True),
     "And": lambda expr, conv, _: conv(expr.operands[0], nobool=True) & conv(expr.operands[1], nobool=True),
     "Or": lambda expr, conv, _: conv(expr.operands[0], nobool=True) | conv(expr.operands[1], nobool=True),
@@ -642,7 +643,8 @@ class ConditionProcessor:
 
         _mapping = {
             "Not": lambda cond_, tags: _unary_op_reduce("Not", cond_.args[0], tags),
-            "__invert__": lambda cond_, tags: _unary_op_reduce("Neg", cond_.args[0], tags),
+            "__neg__": lambda cond_, tags: _unary_op_reduce("Not", cond_.args[0], tags),
+            "__invert__": lambda cond_, tags: _unary_op_reduce("BitwiseNeg", cond_.args[0], tags),
             "And": lambda cond_, tags: _binary_op_reduce("LogicalAnd", cond_.args, tags),
             "Or": lambda cond_, tags: _binary_op_reduce("LogicalOr", cond_.args, tags),
             "__le__": lambda cond_, tags: _binary_op_reduce("CmpLE", cond_.args, tags, signed=True),

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -88,6 +88,8 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                         expr.signed,
                         **expr.tags,
                     )
+            if isinstance(expr.operands[0], Const) and expr.operands[0].value == 0:
+                return UnaryOp(expr.idx, "Neg", expr.operands[1], **expr.tags)
 
         elif expr.op == "And":
             if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):

angr/analyses/decompiler/structured_codegen/c.py

@@ -829,12 +829,13 @@ class CForLoop(CStatement):
             yield from self.iterator.c_repr_chunks(indent=0, asexpr=True)
         yield ")", paren
 
-        if self.codegen.braces_on_own_lines:
-            yield "\n", None
-            yield indent_str, None
-        else:
-            yield " ", None
         if self.body is not None:
+            if self.codegen.braces_on_own_lines:
+                yield "\n", None
+                yield indent_str, None
+            else:
+                yield " ", None
+
             yield "{", brace
             yield "\n", None
             yield from self.body.c_repr_chunks(indent=indent + INDENT_DELTA)
@@ -937,17 +938,12 @@ class CIfElse(CStatement):
                 yield from self.else_node.c_repr_chunks(indent=indent)
             else:
                 if single_stmt_else:
-                    if self.codegen.braces_on_own_lines:
-                        yield indent_str, None
-                    else:
-                        yield " ", None
-                        yield indent_str, None
+                    yield indent_str, None
+                elif self.codegen.braces_on_own_lines:
+                    yield "\n", None
+                    yield indent_str, None
                 else:
-                    if self.codegen.braces_on_own_lines:
-                        yield "\n", None
-                        yield indent_str, None
-                    else:
-                        yield " ", None
+                    yield " ", None
 
                 yield "else", self
                 if self.codegen.braces_on_own_lines or single_stmt_else:
@@ -1580,6 +1576,7 @@ class CUnaryOp(CExpression):
         OP_MAP = {
             "Not": self._c_repr_chunks_not,
             "Neg": self._c_repr_chunks_neg,
+            "BitwiseNeg": self._c_repr_chunks_bitwiseneg,
             "Reference": self._c_repr_chunks_reference,
             "Dereference": self._c_repr_chunks_dereference,
         }
@@ -1601,13 +1598,20 @@ class CUnaryOp(CExpression):
         yield from CExpression._try_c_repr_chunks(self.operand)
         yield ")", paren
 
-    def _c_repr_chunks_neg(self):
+    def _c_repr_chunks_bitwiseneg(self):
         paren = CClosingObject("(")
         yield "~", self
         yield "(", paren
         yield from CExpression._try_c_repr_chunks(self.operand)
         yield ")", paren
 
+    def _c_repr_chunks_neg(self):
+        paren = CClosingObject("(")
+        yield "-", self
+        yield "(", paren
+        yield from CExpression._try_c_repr_chunks(self.operand)
+        yield ")", paren
+
     def _c_repr_chunks_reference(self):
         yield "&", self
         yield from CExpression._try_c_repr_chunks(self.operand)

angr/analyses/decompiler/structuring/phoenix.py

@@ -13,7 +13,7 @@ from ailment.expression import Const, UnaryOp, MultiStatementExpression
 from angr.utils.graph import GraphUtils
 from ....knowledge_plugins.cfg import IndirectJumpType
 from ....utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
-from ....utils.graph import dominates, inverted_idoms, to_acyclic_graph
+from ....utils.graph import dominates, to_acyclic_graph
 from ..sequence_walker import SequenceWalker
 from ..utils import (
     remove_last_statement,
@@ -1913,21 +1913,16 @@ class PhoenixStructurer(StructurerBase):
         other_edges = []
         idoms = networkx.immediate_dominators(full_graph, head)
         if networkx.is_directed_acyclic_graph(full_graph):
-            _, inv_idoms = inverted_idoms(full_graph)
             acyclic_graph = full_graph
         else:
             acyclic_graph = to_acyclic_graph(full_graph, loop_heads=[head])
-            _, inv_idoms = inverted_idoms(acyclic_graph)
         for src, dst in acyclic_graph.edges:
             if src is dst:
                 continue
-            if not graph.has_edge(src, dst):
-                # the edge might be from full_graph but not in graph
-                continue
-            if not dominates(idoms, src, dst) and not dominates(inv_idoms, dst, src):
+            if not dominates(idoms, src, dst) and not dominates(idoms, dst, src):
                 if (src.addr, dst.addr) not in self.whitelist_edges:
                     all_edges_wo_dominance.append((src, dst))
-            elif not dominates(idoms, src, dst) and dominates(inv_idoms, dst, src):
+            elif not dominates(idoms, src, dst):
                 if (src.addr, dst.addr) not in self.whitelist_edges:
                     secondary_edges.append((src, dst))
             else:
@@ -1935,7 +1930,7 @@ class PhoenixStructurer(StructurerBase):
                     other_edges.append((src, dst))
 
         ordered_nodes = GraphUtils.quasi_topological_sort_nodes(acyclic_graph, loop_heads=[head])
-        node_seq = {nn: idx for (idx, nn) in enumerate(ordered_nodes)}
+        node_seq = {nn: (len(ordered_nodes) - idx) for (idx, nn) in enumerate(ordered_nodes)}  # post-order
 
         if all_edges_wo_dominance:
             all_edges_wo_dominance = self._chick_order_edges(all_edges_wo_dominance, node_seq)
@@ -2008,7 +2003,8 @@ class PhoenixStructurer(StructurerBase):
             )
             new_src = SequenceNode(src.addr, nodes=[src, goto_node])
 
-        graph.remove_edge(src, dst)
+        if graph.has_edge(src, dst):
+            graph.remove_edge(src, dst)
         if new_src is not None:
             self.replace_nodes(graph, src, new_src)
         if full_graph is not None:

angr/analyses/disassembly.py

@@ -214,10 +214,6 @@ class Instruction(DisassemblyPiece):
         assert hasattr(self.insn, "operands")
 
         op_str = self.insn.op_str
-        # NOTE: the size of dummy_operands is not necessarily equal to
-        # operands count of capstone disasm result. If we check
-        # len(self.operands) == len(self.insn.operands)
-        # special cases in arm disassembly will mess up the code
         dummy_operands = self.split_arm_op_string(op_str)
 
         for operand in dummy_operands:
@@ -278,16 +274,16 @@ class Instruction(DisassemblyPiece):
 
     @staticmethod
     def split_arm_op_string(op_str: str):
-        # Split arm operand string by comma outside brackets
+        # Split arm operand string with commas outside the square brackets
         pieces = []
-        outside_brackets = True
+        in_square_brackets = False
         cur_opr = ""
         for c in op_str:
-            if c == "[" or c == "{":
-                outside_brackets = False
-            if c == "]" or c == "}":
-                outside_brackets = True
-            if c == "," and outside_brackets:
+            if c == "[":
+                in_square_brackets = True
+            if c == "]":
+                in_square_brackets = False
+            if c == "," and not in_square_brackets:
                 pieces.append(cur_opr)
                 cur_opr = ""
                 continue

angr/analyses/propagator/engine_ail.py

@@ -5,13 +5,13 @@ import logging
 import claripy
 from ailment import Stmt, Expr
 
-from angr.errors import SimMemoryMissingError
 from angr.knowledge_plugins.propagations.prop_value import PropValue, Detail
 from angr.analyses.reaching_definitions.external_codeloc import ExternalCodeLocation
+from angr.knowledge_plugins.key_definitions.atoms import Register
 from ...utils.constants import is_alignment_mask
 from ...engines.light import SimEngineLightAILMixin
 from ...sim_variable import SimStackVariable, SimMemoryVariable
-from ..reaching_definitions.reaching_definitions import OP_BEFORE, OP_AFTER
+from ..reaching_definitions.reaching_definitions import OP_BEFORE
 from .engine_base import SimEnginePropagatorBase
 
 if TYPE_CHECKING:
@@ -378,26 +378,17 @@ class SimEnginePropagatorAIL(
         reg_defat = None
         if self._reaching_definitions is not None:
             codeloc = self._codeloc()
-            key = "stmt", (codeloc.block_addr, codeloc.block_idx, codeloc.stmt_idx), OP_BEFORE
-            if key in self._reaching_definitions.observed_results:
-                o = self._reaching_definitions.observed_results[key]
-                try:
-                    mv = o.register_definitions.load(expr.reg_offset, size=expr.size)
-                except SimMemoryMissingError:
-                    mv = None
-                if mv is not None:
-                    reg_defs = o.extract_defs_from_mv(mv)
-                    reg_defat_codelocs = {reg_def.codeloc for reg_def in reg_defs}
-                    if len(reg_defat_codelocs) == 1:
-                        reg_defat = next(iter(reg_defat_codelocs))
-                        defat_key = "stmt", (reg_defat.block_addr, reg_defat.block_idx, reg_defat.stmt_idx), OP_BEFORE
-                        if defat_key not in self._reaching_definitions.observed_results:
-                            # the observation point does not exist. probably it's because te observation point is in a
-                            # callee function.
-                            reg_defat = None
-                        if isinstance(reg_defat, ExternalCodeLocation):
-                            # there won't be an observed result for external code location. give up
-                            reg_defat = None
+            reg_defat_defs = self._reaching_definitions.get_defs(
+                Register(expr.reg_offset, expr.size), codeloc, OP_BEFORE
+            )
+            reg_defat_codelocs = {reg_def.codeloc for reg_def in reg_defat_defs}
+            if len(reg_defat_codelocs) == 1:
+                reg_defat = next(iter(reg_defat_codelocs))
+                if reg_defat.stmt_idx is None:
+                    # the observation point is in a callee function
+                    reg_defat = None
+                if isinstance(reg_defat, ExternalCodeLocation):
+                    reg_defat = None
 
         if new_expr is not None:
             # check if this new_expr uses any expression that has been overwritten
@@ -1139,36 +1130,17 @@ class SimEnginePropagatorAIL(
             l.warning("Unknown where the expression is defined. Assume the definition is out-dated.")
             return True, False
 
-        key_defat = "stmt", (expr_defat.block_addr, expr_defat.block_idx, expr_defat.stmt_idx), OP_AFTER
-        if key_defat not in self._reaching_definitions.observed_results:
-            l.warning(
-                "Required reaching definition state at instruction address %#x is not found. Assume the definition is "
-                "out-dated.",
-                expr_defat.ins_addr,
-            )
-            return True, False
-
-        key_currloc = "stmt", (current_loc.block_addr, current_loc.block_idx, current_loc.stmt_idx), OP_BEFORE
-        if key_currloc not in self._reaching_definitions.observed_results:
-            l.warning(
-                "Required reaching definition state at instruction address %#x is not found. Assume the definition is "
-                "out-dated.",
-                current_loc.ins_addr,
-            )
-            return True, False
-
         from .outdated_definition_walker import OutdatedDefinitionWalker  # pylint:disable=import-outside-toplevel
 
         walker = OutdatedDefinitionWalker(
             expr,
             expr_defat,
-            self._reaching_definitions.observed_results[key_defat],
             current_loc,
-            self._reaching_definitions.observed_results[key_currloc],
             self.state,
             self.arch,
             avoid=avoid,
             extract_offset_to_sp=self.extract_offset_to_sp,
+            rda=self._reaching_definitions,
         )
         walker.walk_expression(expr)
         return walker.out_dated, walker.has_avoid