angr 9.2.92__py3-none-manylinux2014_x86_64.whl → 9.2.94__py3-none-manylinux2014_x86_64.whl

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -1,4 +1,5 @@
 # pylint:disable=wrong-import-position,wrong-import-order
+import enum
 from typing import Tuple, Optional, Dict, Sequence, Set, List, TYPE_CHECKING
 import logging
 import functools
@@ -53,9 +54,9 @@ class UninitReadMeta:
     uninit_read_base = 0xC000000
 
 
-class AddressTransferringTypes:
+class AddressTransformationTypes(int, enum.Enum):
     """
-    Types of address transfer.
+    Address transformation operations.
     """
 
     Assignment = 0
@@ -65,6 +66,44 @@ class AddressTransferringTypes:
     Or1 = 4
     ShiftLeft = 5
     ShiftRight = 6
+    Add = 7
+    Load = 8
+
+
+class AddressTransformation:
+    """
+    Describe and record an address transformation operation.
+    """
+
+    def __init__(self, op: AddressTransformationTypes, operands: List, first_load: bool = False):
+        self.op = op
+        self.operands = operands
+        self.first_load = first_load
+
+    def __repr__(self):
+        return f"<Transformation: {self.op} {self.operands}>"
+
+
+class AddressOperand:
+    """
+    The class for the singleton class AddressSingleton. It represents the address being transformed before using as an
+    indirect jump target.
+    """
+
+    def __repr__(self):
+        return "ADDR"
+
+
+AddressSingleton = AddressOperand()
+
+
+class Tmp:
+    """
+    For modeling Tmp variables.
+    """
+
+    def __init__(self, tmp_idx):
+        self.tmp_idx = tmp_idx
 
 
 class JumpTargetBaseAddr:
@@ -867,7 +906,7 @@ class JumpTableResolver(IndirectJumpResolver):
 
         :param cfg:       A CFG instance.
         :param addr:      Address of the block where the indirect jump is.
-        :param func:      The Functio instance.
+        :param func:      The Function instance.
         :param b:         The generated backward slice.
         :return:          A bool indicating whether the indirect jump is resolved successfully, and a list of
                           resolved targets.
@@ -887,7 +926,7 @@ class JumpTableResolver(IndirectJumpResolver):
             load_size,
             stmts_to_remove,
             stmts_adding_base_addr,
-            all_addr_holders,
+            transformations,
         ) = self._find_load_statement(b, stmt_loc)
         ite_stmt, ite_stmt_loc = None, None
 
@@ -1043,7 +1082,7 @@ class JumpTableResolver(IndirectJumpResolver):
                         load_stmt,
                         load_size,
                         stmts_adding_base_addr,
-                        all_addr_holders,
+                        transformations,
                         potential_call_table,
                     )
                     if ret is None:
@@ -1145,7 +1184,10 @@ class JumpTableResolver(IndirectJumpResolver):
         # all_addr_holders will be {(0x4c64c4, 11): (AddressTransferringTypes.SignedExtension, 32, 64,),
         #           (0x4c64c4, 12); (AddressTransferringTypes.Assignment,),
         #           }
-        all_addr_holders = OrderedDict()
+        transformations: Dict[Tuple[int, int], AddressTransformation] = OrderedDict()
+
+        initial_block_addr = stmt_loc[0]
+        all_load_stmts = sorted(self._all_qualified_load_stmts_in_slice(b, stmt_loc[0]))
 
         while True:
             preds = list(b.slice.predecessors(stmt_loc))
@@ -1162,7 +1204,9 @@ class JumpTableResolver(IndirectJumpResolver):
                     # data transferring
                     stmts_to_remove.append(stmt_loc)
                     if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                        all_addr_holders[(stmt_loc[0], stmt.tmp)] = (AddressTransferringTypes.Assignment,)
+                        transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                            AddressTransformationTypes.Assignment, [stmt.tmp, AddressSingleton]
+                        )
                     continue
                 elif isinstance(stmt.data, pyvex.IRExpr.ITE):
                     # data transferring
@@ -1170,7 +1214,9 @@ class JumpTableResolver(IndirectJumpResolver):
                     # > t44 = ITE(t43,t16,0x0000c844)
                     stmts_to_remove.append(stmt_loc)
                     if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                        all_addr_holders[(stmt_loc[0], stmt.tmp)] = (AddressTransferringTypes.Assignment,)
+                        transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                            AddressTransformationTypes.Assignment, [stmt.tmp, AddressSingleton]
+                        )
                     continue
                 elif isinstance(stmt.data, pyvex.IRExpr.Unop):
                     if stmt.data.op == "Iop_32Sto64":
@@ -1178,10 +1224,8 @@ class JumpTableResolver(IndirectJumpResolver):
                         # t11 = 32Sto64(t12)
                         stmts_to_remove.append(stmt_loc)
                         if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.SignedExtension,
-                                32,
-                                64,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.SignedExtension, [32, 64, AddressSingleton]
                             )
                         continue
                     elif stmt.data.op == "Iop_64to32":
@@ -1189,46 +1233,40 @@ class JumpTableResolver(IndirectJumpResolver):
                         # t24 = 64to32(t21)
                         stmts_to_remove.append(stmt_loc)
                         if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (AddressTransferringTypes.Truncation, 64, 32)
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.Truncation, [64, 32, AddressSingleton]
+                            )
                         continue
                     elif stmt.data.op == "Iop_32Uto64":
                         # data transferring with conversion
                         # t21 = 32Uto64(t22)
                         stmts_to_remove.append(stmt_loc)
                         if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.UnsignedExtension,
-                                32,
-                                64,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.UnsignedExtension, [32, 64, AddressSingleton]
                             )
                         continue
                     elif stmt.data.op == "Iop_16Uto32":
                         # data transferring with conversion
                         stmts_to_remove.append(stmt_loc)
                         if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.UnsignedExtension,
-                                16,
-                                32,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.UnsignedExtension, [16, 32, AddressSingleton]
                             )
                         continue
                     elif stmt.data.op == "Iop_8Uto32":
                         # data transferring with conversion
                         stmts_to_remove.append(stmt_loc)
                         if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.UnsignedExtension,
-                                8,
-                                32,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.UnsignedExtension, [8, 32, AddressSingleton]
                             )
                         continue
                     elif stmt.data.op == "Iop_8Uto64":
                         stmts_to_remove.append(stmt_loc)
                         if isinstance(stmt, pyvex.IRStmt.WrTmp):
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.UnsignedExtension,
-                                8,
-                                64,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.UnsignedExtension, [8, 64, AddressSingleton]
                             )
                         continue
                 elif isinstance(stmt.data, pyvex.IRExpr.Binop):
@@ -1279,25 +1317,34 @@ class JumpTableResolver(IndirectJumpResolver):
                         if isinstance(stmt.data.args[0], pyvex.IRExpr.Const) and isinstance(
                             stmt.data.args[1], pyvex.IRExpr.RdTmp
                         ):
-                            stmts_adding_base_addr.append(
-                                JumpTargetBaseAddr(
-                                    stmt_loc, stmt, stmt.data.args[1].tmp, base_addr=stmt.data.args[0].con.value
-                                )
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.Add, [stmt.data.args[0].con.value, AddressSingleton]
                             )
+                            # we no longer update stmts_adding_base_addr in this case because it's replaced by
+                            # transformations
                             stmts_to_remove.append(stmt_loc)
                         elif isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp) and isinstance(
                             stmt.data.args[1], pyvex.IRExpr.Const
                         ):
-                            stmts_adding_base_addr.append(
-                                JumpTargetBaseAddr(
-                                    stmt_loc, stmt, stmt.data.args[0].tmp, base_addr=stmt.data.args[1].con.value
-                                )
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.Add, [AddressSingleton, stmt.data.args[1].con.value]
                             )
+                            # we no longer update stmts_adding_base_addr in this case because it's replaced by
+                            # transformations
                             stmts_to_remove.append(stmt_loc)
                         elif isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp) and isinstance(
                             stmt.data.args[1], pyvex.IRExpr.RdTmp
                         ):
-                            # one of the tmps must be holding a concrete value at this point
+                            # one of the tmps must be holding a concrete value at this point. we will know this when
+                            # we perform constant propagation before running JumpTableResolver. this can act as an
+                            # indicator that we need to run constant propagation for this function.
+                            # for now, we don't support it :)
+                            # FIXME: Run constant propagation for the function when necessary. we can also remove
+                            #  stmts_adding_base_addr and the surrounding logic then.
+                            # transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                            #     AddressTransferringTypes.Add,
+                            #     [Tmp(stmt.data.args[0].tmp), Tmp(stmt.data.args[1].tmp)],
+                            # )
                             stmts_adding_base_addr.append(
                                 JumpTargetBaseAddr(stmt_loc, stmt, stmt.data.args[0].tmp, tmp_1=stmt.data.args[1].tmp)
                             )
@@ -1329,7 +1376,9 @@ class JumpTableResolver(IndirectJumpResolver):
                         ):
                             # great. here it is
                             stmts_to_remove.append(stmt_loc)
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (AddressTransferringTypes.Or1,)
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.Or1, [AddressSingleton]
+                            )
                             continue
                     elif stmt.data.op.startswith("Iop_Shl"):
                         # this is sometimes used when dealing with TBx instructions in ARM code.
@@ -1351,9 +1400,8 @@ class JumpTableResolver(IndirectJumpResolver):
                         ):
                             # found it
                             stmts_to_remove.append(stmt_loc)
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.ShiftLeft,
-                                stmt.data.args[1].con.value,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.ShiftLeft, [AddressSingleton, stmt.data.args[1].con.value]
                             )
                             continue
                     elif stmt.data.op.startswith("Iop_Sar"):
@@ -1388,9 +1436,8 @@ class JumpTableResolver(IndirectJumpResolver):
                         ):
                             # found it
                             stmts_to_remove.append(stmt_loc)
-                            all_addr_holders[(stmt_loc[0], stmt.tmp)] = (
-                                AddressTransferringTypes.ShiftRight,
-                                stmt.data.args[1].con.value,
+                            transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                                AddressTransformationTypes.ShiftRight, [AddressSingleton, stmt.data.args[1].con.value]
                             )
                             continue
                 elif isinstance(stmt.data, pyvex.IRExpr.Load):
@@ -1401,7 +1448,15 @@ class JumpTableResolver(IndirectJumpResolver):
                         block.tyenv.sizeof(stmt.tmp) // self.project.arch.byte_width,
                     )
                     stmts_to_remove.append(stmt_loc)
-                    all_addr_holders[(stmt_loc[0], stmt.tmp)] = (AddressTransferringTypes.Assignment,)
+                    is_first_load_stmt = (
+                        True if not all_load_stmts else (stmt_loc == (initial_block_addr, all_load_stmts[0]))
+                    )
+                    transformations[(stmt_loc[0], stmt.tmp)] = AddressTransformation(
+                        AddressTransformationTypes.Load, [AddressSingleton, load_size], first_load=is_first_load_stmt
+                    )
+                    if not is_first_load_stmt:
+                        # This is not the first load statement in the block. more to go
+                        continue
             elif isinstance(stmt, pyvex.IRStmt.LoadG):
                 # Got it!
                 #
@@ -1418,7 +1473,7 @@ class JumpTableResolver(IndirectJumpResolver):
 
             break
 
-        return load_stmt_loc, load_stmt, load_size, stmts_to_remove, stmts_adding_base_addr, all_addr_holders
+        return load_stmt_loc, load_stmt, load_size, stmts_to_remove, stmts_adding_base_addr, transformations
 
     def _find_load_pc_ite_statement(self, b: Blade, stmt_loc: Tuple[int, int]):
         """
@@ -1598,7 +1653,7 @@ class JumpTableResolver(IndirectJumpResolver):
         load_stmt,
         load_size,
         stmts_adding_base_addr,
-        all_addr_holders,
+        transformations: Dict[Tuple[int, int], AddressTransformation],
         potential_call_table: bool = False,
     ):
         """
@@ -1633,7 +1688,29 @@ class JumpTableResolver(IndirectJumpResolver):
         # sanity check and necessary pre-processing
         jump_base_addr = None
         if stmts_adding_base_addr:
-            if len(stmts_adding_base_addr) != 1:
+            if len(stmts_adding_base_addr) == 1:
+                jump_base_addr = stmts_adding_base_addr[0]
+                if jump_base_addr.base_addr_available:
+                    addr_holders = {(jump_base_addr.stmt_loc[0], jump_base_addr.tmp)}
+                else:
+                    addr_holders = {
+                        (jump_base_addr.stmt_loc[0], jump_base_addr.tmp),
+                        (jump_base_addr.stmt_loc[0], jump_base_addr.tmp_1),
+                    }
+                if len(set(transformations.keys()).intersection(addr_holders)) != 1:
+                    # for some reason it's trying to add a base address onto a different temporary variable that we
+                    # are not aware of. skip.
+                    return None
+
+                if not jump_base_addr.base_addr_available:
+                    # we need to decide which tmp is the address holder and which tmp holds the base address
+                    addr_holder = next(iter(set(transformations.keys()).intersection(addr_holders)))
+                    if jump_base_addr.tmp_1 == addr_holder[1]:
+                        # swap the two tmps
+                        jump_base_addr.tmp, jump_base_addr.tmp_1 = jump_base_addr.tmp_1, jump_base_addr.tmp
+                    # Load the concrete base address
+                    jump_base_addr.base_addr = state.solver.eval(state.scratch.temps[jump_base_addr.tmp_1])
+            else:
                 # We do not support the cases where the base address involves more than one addition.
                 # One such case exists in libc-2.27.so shipped with Ubuntu x86 where esi is used as the address of the
                 # data region.
@@ -1650,28 +1727,6 @@ class JumpTableResolver(IndirectJumpResolver):
                 # region (in this case, 0x1d8000). we give up in such cases until we can reasonably perform a
                 # full-function data propagation before performing jump table recovery.
                 l.debug("Multiple statements adding bases, not supported yet")  # FIXME: Just check the addresses?
-                return None
-            jump_base_addr = stmts_adding_base_addr[0]
-            if jump_base_addr.base_addr_available:
-                addr_holders = {(jump_base_addr.stmt_loc[0], jump_base_addr.tmp)}
-            else:
-                addr_holders = {
-                    (jump_base_addr.stmt_loc[0], jump_base_addr.tmp),
-                    (jump_base_addr.stmt_loc[0], jump_base_addr.tmp_1),
-                }
-            if len(set(all_addr_holders.keys()).intersection(addr_holders)) != 1:
-                # for some reason it's trying to add a base address onto a different temporary variable that we
-                # are not aware of. skip.
-                return None
-
-            if not jump_base_addr.base_addr_available:
-                # we need to decide which tmp is the address holder and which tmp holds the base address
-                addr_holder = next(iter(set(all_addr_holders.keys()).intersection(addr_holders)))
-                if jump_base_addr.tmp_1 == addr_holder[1]:
-                    # swap the two tmps
-                    jump_base_addr.tmp, jump_base_addr.tmp_1 = jump_base_addr.tmp_1, jump_base_addr.tmp
-                # Load the concrete base address
-                jump_base_addr.base_addr = state.solver.eval(state.scratch.temps[jump_base_addr.tmp_1])
 
         jumptable_addr_vsa = jumptable_addr._model_vsa
 
@@ -1785,66 +1840,86 @@ class JumpTableResolver(IndirectJumpResolver):
             return None
 
         # Adjust entries inside the jump table
-        if stmts_adding_base_addr:
-            stmt_adding_base_addr = stmts_adding_base_addr[0]
-            base_addr = stmt_adding_base_addr.base_addr
-            conversions = list(
-                reversed(list(v for v in all_addr_holders.values() if v[0] is not AddressTransferringTypes.Assignment))
-            )
-            if conversions:
+        mask = (2**self.project.arch.bits) - 1
+        transformation_list = list(reversed(list(v for v in transformations.values() if not v.first_load)))
+        if transformation_list:
+
+            def handle_signed_ext(a):
+                return (a | 0xFFFFFFFF00000000) if a >= 0x80000000 else a
 
-                def handle_signed_ext(a):
-                    return (a | 0xFFFFFFFF00000000) if a >= 0x80000000 else a
+            def handle_unsigned_ext(a):
+                return a
 
-                def handle_unsigned_ext(a):
-                    return a
+            def handle_trunc_64_32(a):
+                return a & 0xFFFFFFFF
 
-                def handle_trunc_64_32(a):
-                    return a & 0xFFFFFFFF
+            def handle_or1(a):
+                return a | 1
 
-                def handle_or1(a):
-                    return a | 1
+            def handle_lshift(num_bits, a):
+                return a << num_bits
 
-                def handle_lshift(num_bits, a):
-                    return a << num_bits
+            def handle_rshift(num_bits, a):
+                return a >> num_bits
 
-                def handle_rshift(num_bits, a):
-                    return a >> num_bits
+            def handle_add(con, a):
+                return (a + con) & mask
 
-                invert_conversion_ops = []
-                for conv in conversions:
-                    if len(conv) == 1:
-                        conversion_op, args = conv[0], None
+            def handle_load(size, a):
+                return cfg._fast_memory_load_pointer(a, size=size)
+
+            invert_conversion_ops = []
+            for tran in transformation_list:
+                tran_op, args = tran.op, tran.operands
+                if tran_op is AddressTransformationTypes.SignedExtension:
+                    if args == [32, 64, AddressSingleton]:
+                        lam = handle_signed_ext
                     else:
-                        conversion_op, args = conv[0], conv[1:]
-                    if conversion_op is AddressTransferringTypes.SignedExtension:
-                        if args == (32, 64):
-                            lam = handle_signed_ext
-                        else:
-                            raise NotImplementedError("Unsupported signed extension operation.")
-                    elif conversion_op is AddressTransferringTypes.UnsignedExtension:
-                        lam = handle_unsigned_ext
-                    elif conversion_op is AddressTransferringTypes.Truncation:
-                        if args == (64, 32):
-                            lam = handle_trunc_64_32
-                        else:
-                            raise NotImplementedError("Unsupported truncation operation.")
-                    elif conversion_op is AddressTransferringTypes.Or1:
-                        lam = handle_or1
-                    elif conversion_op is AddressTransferringTypes.ShiftLeft:
-                        lam = functools.partial(handle_lshift, args[0])
-                    elif conversion_op is AddressTransferringTypes.ShiftRight:
-                        lam = functools.partial(handle_rshift, args[0])
+                        raise NotImplementedError("Unsupported signed extension operation.")
+                elif tran_op is AddressTransformationTypes.UnsignedExtension:
+                    lam = handle_unsigned_ext
+                elif tran_op is AddressTransformationTypes.Truncation:
+                    if args == [64, 32, AddressSingleton]:
+                        lam = handle_trunc_64_32
                     else:
-                        raise NotImplementedError("Unsupported conversion operation.")
-                    invert_conversion_ops.append(lam)
-                all_targets_copy = all_targets
-                all_targets = []
-                for target_ in all_targets_copy:
-                    for lam in invert_conversion_ops:
-                        target_ = lam(target_)
-                    all_targets.append(target_)
-            mask = (2**self.project.arch.bits) - 1
+                        raise NotImplementedError("Unsupported truncation operation.")
+                elif tran_op is AddressTransformationTypes.Or1:
+                    lam = handle_or1
+                elif tran_op is AddressTransformationTypes.ShiftLeft:
+                    lam = functools.partial(
+                        handle_lshift, next(iter(arg for arg in args if arg is not AddressSingleton))
+                    )
+                elif tran_op is AddressTransformationTypes.ShiftRight:
+                    lam = functools.partial(
+                        handle_rshift, next(iter(arg for arg in args if arg is not AddressSingleton))
+                    )
+                elif tran_op is AddressTransformationTypes.Add:
+                    add_arg = next(iter(arg for arg in args if arg is not AddressSingleton))
+                    if not isinstance(add_arg, int):
+                        # unsupported cases (Tmp, for example). abort
+                        return None
+                    lam = functools.partial(handle_add, add_arg)
+                elif tran_op is AddressTransformationTypes.Load:
+                    lam = functools.partial(handle_load, args[1])
+                elif tran_op is AddressTransformationTypes.Assignment:
+                    continue
+                else:
+                    raise NotImplementedError("Unsupported transformation operation.")
+                invert_conversion_ops.append(lam)
+            all_targets_copy = all_targets
+            all_targets = []
+            for target_ in all_targets_copy:
+                for lam in invert_conversion_ops:
+                    target_ = lam(target_)
+                    if target_ is None:
+                        # transformation failed. abort
+                        return None
+                all_targets.append(target_)
+            if None in all_targets:
+                return None
+        if len(stmts_adding_base_addr) == 1:
+            stmt_adding_base_addr = stmts_adding_base_addr[0]
+            base_addr = stmt_adding_base_addr.base_addr
             all_targets = [(target + base_addr) & mask for target in all_targets]
 
         # special case for ARM: if the source block is in THUMB mode, all jump targets should be in THUMB mode, too
@@ -2071,20 +2146,21 @@ class JumpTableResolver(IndirectJumpResolver):
             print(s)
 
     def _initial_state(self, block_addr, cfg, func_addr: int):
+        add_options = {
+            o.DO_RET_EMULATION,
+            o.TRUE_RET_EMULATION_GUARD,
+            o.AVOID_MULTIVALUED_READS,
+            # Keep IP symbolic to avoid unnecessary concretization
+            o.KEEP_IP_SYMBOLIC,
+            o.NO_IP_CONCRETIZATION,
+            # be quiet!!!!!!
+            o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
+            o.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
+        }
         state = self.project.factory.blank_state(
             addr=block_addr,
             mode="static",
-            add_options={
-                o.DO_RET_EMULATION,
-                o.TRUE_RET_EMULATION_GUARD,
-                o.AVOID_MULTIVALUED_READS,
-                # Keep IP symbolic to avoid unnecessary concretization
-                o.KEEP_IP_SYMBOLIC,
-                o.NO_IP_CONCRETIZATION,
-                # be quiet!!!!!!
-                o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
-                o.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
-            },
+            add_options=add_options,
             remove_options={
                 o.CGC_ZERO_FILL_UNCONSTRAINED_MEMORY,
                 o.UNINITIALIZED_ACCESS_AWARENESS,
@@ -2215,5 +2291,72 @@ class JumpTableResolver(IndirectJumpResolver):
             return False
         return True
 
+    def _is_address_mapped(self, addr: int) -> bool:
+        return (
+            self.project.loader.find_segment_containing(addr) is not None
+            or self.project.loader.find_section_containing(addr) is not None
+        )
+
+    def _all_qualified_load_stmts_in_slice(self, b: Blade, addr: int) -> List[int]:
+        """
+        Recognize all qualified load statements in a slice. A qualified load statements refers to those that are
+        loading jump targets (or jump offsets) from a jump table, or loading jump table offsets from a jump-table
+        offset table.
+
+        :param b:       The Blade object.
+        :param addr:    Address of the last block.
+        :return:        A list of qualified load statement IDs.
+        """
+
+        stmt_ids = []
+        for block_addr, stmt_id in b.slice.nodes:
+            if block_addr == addr and stmt_id != DEFAULT_STATEMENT:
+                stmt_ids.append(stmt_id)
+
+        if not stmt_ids:
+            return []
+        stmt_ids = sorted(stmt_ids)
+        qualified_load_stmt_ids = []
+        load_stmt_ids = []
+        block = self.project.factory.block(addr, cross_insn_opt=True, backup_state=self.base_state).vex
+        tmp_values = {}
+        mask = (2**self.project.arch.bits) - 1
+        for stmt_id in stmt_ids:
+            stmt = block.statements[stmt_id]
+            if isinstance(stmt, pyvex.IRStmt.WrTmp):
+                if isinstance(stmt.data, pyvex.IRExpr.Const):
+                    tmp_values[stmt.tmp] = stmt.data.con.value
+                elif isinstance(stmt.data, pyvex.IRExpr.Binop) and stmt.data.op.startswith("Iop_Add"):
+                    op0 = None
+                    if isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp):
+                        op0 = tmp_values.get(stmt.data.args[0].tmp, None)
+                    elif isinstance(stmt.data.args[0], pyvex.IRExpr.Const):
+                        op0 = stmt.data.args[0].con.value
+                    op1 = None
+                    if isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp):
+                        op1 = tmp_values.get(stmt.data.args[1].tmp, None)
+                    elif isinstance(stmt.data.args[1], pyvex.IRExpr.Const):
+                        op1 = stmt.data.args[1].con.value
+                    if isinstance(op1, int) and not isinstance(op0, int):
+                        op0, op1 = op1, op0
+                    if isinstance(op0, int):
+                        if op1 is None:
+                            tmp_values[stmt.tmp] = ("+", op0, op1)
+                        elif isinstance(op1, int):
+                            tmp_values[stmt.tmp] = (op0 + op1) & mask
+                        elif isinstance(op1, tuple) and op1[0] == "+":
+                            tmp_values[stmt.tmp] = ("+", (op0 + op1[1]) & mask, op1[2])
+                elif isinstance(stmt.data, pyvex.IRExpr.Load) and isinstance(stmt.data.addr, pyvex.IRExpr.RdTmp):
+                    # is this load statement loading from a static address + an offset?
+                    v = tmp_values.get(stmt.data.addr.tmp, None)
+                    if isinstance(v, tuple) and v[0] == "+" and v[2] is None and self._is_address_mapped(v[1]):
+                        qualified_load_stmt_ids.append(stmt_id)
+                    load_stmt_ids.append(stmt_id)
+        if qualified_load_stmt_ids and len(qualified_load_stmt_ids) <= 2:
+            return qualified_load_stmt_ids
+        if load_stmt_ids:
+            return [load_stmt_ids[-1]]
+        return []
+
 
 from angr.analyses.propagator import PropagatorAnalysis

angr/analyses/complete_calling_conventions.py

@@ -373,7 +373,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
         for callee in self.kb.functions.callgraph.successors(caller_func_addr):
             if callee != caller_func_addr and callee not in d:
                 func = self.kb.functions.get_by_addr(callee)
-                tpl = func.calling_convention, func.prototype, func.prototype.name
+                tpl = func.calling_convention, func.prototype, func.prototype_libname
                 d[callee] = tpl
         return d
 

angr/analyses/decompiler/ail_simplifier.py

@@ -23,6 +23,7 @@ from ...code_location import CodeLocation, ExternalCodeLocation
 from ...sim_variable import SimStackVariable, SimMemoryVariable
 from ...knowledge_plugins.propagations.states import Equivalence
 from ...knowledge_plugins.key_definitions import atoms
+from ...knowledge_plugins.key_definitions.atoms import Register as RegisterAtom
 from ...knowledge_plugins.key_definitions.definition import Definition
 from ...knowledge_plugins.key_definitions.constants import OP_BEFORE
 from .. import Analysis, AnalysesHub
@@ -856,6 +857,25 @@ class AILSimplifier(Analysis):
             all_uses_replaced = True
             for def_, use_and_expr in all_uses_with_def:
                 u, used_expr = use_and_expr
+
+                use_expr_defns = []
+                for d in rd.all_uses.get_uses_by_location(u):
+                    if (
+                        isinstance(d.atom, RegisterAtom)
+                        and isinstance(def_.atom, RegisterAtom)
+                        and d.atom.reg_offset == def_.atom.reg_offset
+                    ):
+                        use_expr_defns.append(d)
+                    elif d.atom == def_.atom:
+                        use_expr_defns.append(d)
+                # you can never replace a use with dependencies from outside the checked defn
+                if len(use_expr_defns) != 1 or list(use_expr_defns)[0] != def_:
+                    if not use_expr_defns:
+                        _l.warning("There was no use_expr_defns for %s, this is likely a bug", u)
+                    # TODO: can you have multiple definitions which can all be eliminated?
+                    all_uses_replaced = False
+                    continue
+
                 if u == eq.codeloc:
                     # skip the very initial assignment location
                     continue