angr 9.2.97__py3-none-manylinux2014_x86_64.whl → 9.2.99__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy.py

@@ -1,10 +1,10 @@
 # pylint:disable=arguments-differ
-from typing import Tuple, Optional
+from typing import Tuple, Optional, Dict, List
 import string
 
 from archinfo import Endness
 
-from ailment.expression import Const
+from ailment.expression import Const, StackBaseOffset
 from ailment.statement import Call, Store
 
 from .base import PeepholeOptimizationStmtBase
@@ -24,7 +24,7 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
     NAME = "Simplifying inlined strcpy"
     stmt_classes = (Store,)
 
-    def optimize(self, stmt: Store, **kwargs):
+    def optimize(self, stmt: Store, stmt_idx: int = None, block=None, **kwargs):
         if isinstance(stmt.data, Const):
             r, s = self.is_integer_likely_a_string(stmt.data.value, stmt.data.size, stmt.endness)
             if r:
@@ -41,8 +41,76 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
                     **stmt.tags,
                 )
 
+            # scan forward in the current block to find all consecutive constant stores
+            if block is not None and stmt_idx is not None:
+                all_constant_stores: Dict[int, Tuple[int, Optional[Const]]] = self.collect_constant_stores(
+                    block, stmt_idx
+                )
+                if all_constant_stores:
+                    offsets = sorted(all_constant_stores.keys())
+                    next_offset = min(offsets)
+                    stride = []
+                    for offset in offsets:
+                        if next_offset is not None and offset != next_offset:
+                            next_offset = None
+                            stride = []
+                        stmt_idx_, v = all_constant_stores[offset]
+                        if v is not None:
+                            stride.append((offset, stmt_idx_, v))
+                            next_offset = offset + v.size
+                        else:
+                            next_offset = None
+                            stride = []
+
+                    integer, size = self.stride_to_int(stride)
+                    r, s = self.is_integer_likely_a_string(integer, size, Endness.BE)
+                    if r:
+                        # we remove all involved statements whose statement IDs are greater than the current one
+                        for _, stmt_idx_, _ in reversed(stride):
+                            if stmt_idx_ <= stmt_idx:
+                                continue
+                            block.statements[stmt_idx_] = None
+                        block.statements = [ss for ss in block.statements if ss is not None]
+
+                        str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
+                        return Call(
+                            stmt.idx,
+                            "strncpy",
+                            args=[
+                                stmt.addr,
+                                Const(None, None, str_id, stmt.addr.bits, custom_string=True),
+                                Const(None, None, len(s), self.project.arch.bits),
+                            ],
+                            **stmt.tags,
+                        )
+
         return None
 
+    @staticmethod
+    def stride_to_int(stride: List[Tuple[int, int, Const]]) -> Tuple[int, int]:
+        stride = sorted(stride, key=lambda x: x[0])
+        n = 0
+        size = 0
+        for _, _, v in stride:
+            size += v.size
+            n <<= v.bits
+            n |= v.value
+        return n, size
+
+    @staticmethod
+    def collect_constant_stores(block, starting_stmt_idx: int) -> Dict[int, Tuple[int, Optional[Const]]]:
+        r = {}
+        for idx, stmt in enumerate(block.statements):
+            if idx < starting_stmt_idx:
+                continue
+            if isinstance(stmt, Store) and isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int):
+                if isinstance(stmt.data, Const):
+                    r[stmt.addr.offset] = idx, stmt.data
+                else:
+                    r[stmt.addr.offset] = idx, None
+
+        return r
+
     @staticmethod
     def is_integer_likely_a_string(
         v: int, size: int, endness: Endness, min_length: int = 4

angr/analyses/decompiler/peephole_optimizations/inlined_wstrcpy.py

@@ -0,0 +1,162 @@
+# pylint:disable=arguments-differ
+from typing import Tuple, Optional, Dict, List
+import string
+
+from archinfo import Endness
+
+from ailment.expression import Const, StackBaseOffset
+from ailment.statement import Call, Store
+
+from .base import PeepholeOptimizationStmtBase
+
+
+ASCII_PRINTABLES = set(string.printable)
+ASCII_DIGITS = set(string.digits)
+
+
+class InlinedWstrcpy(PeepholeOptimizationStmtBase):
+    """
+    Simplifies inlined wide string copying logic into calls to wstrcpy.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplifying inlined wstrcpy"
+    stmt_classes = (Store,)
+
+    def optimize(self, stmt: Store, stmt_idx: int = None, block=None, **kwargs):
+        if isinstance(stmt.data, Const):
+            r, s = self.is_integer_likely_a_wide_string(stmt.data.value, stmt.data.size, stmt.endness)
+            if r:
+                # replace it with a call to strncpy
+                str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
+                return Call(
+                    stmt.idx,
+                    "wstrncpy",
+                    args=[
+                        stmt.addr,
+                        Const(None, None, str_id, stmt.addr.bits, custom_string=True),
+                        Const(None, None, len(s), self.project.arch.bits),
+                    ],
+                    **stmt.tags,
+                )
+
+            # scan forward in the current block to find all consecutive constant stores
+            if block is not None and stmt_idx is not None:
+                all_constant_stores: Dict[int, Tuple[int, Optional[Const]]] = self.collect_constant_stores(
+                    block, stmt_idx
+                )
+                if all_constant_stores:
+                    offsets = sorted(all_constant_stores.keys())
+                    next_offset = min(offsets)
+                    stride = []
+                    for offset in offsets:
+                        if next_offset is not None and offset != next_offset:
+                            next_offset = None
+                            stride = []
+                        stmt_idx_, v = all_constant_stores[offset]
+                        if v is not None:
+                            stride.append((offset, stmt_idx_, v))
+                            next_offset = offset + v.size
+                        else:
+                            next_offset = None
+                            stride = []
+
+                    integer, size = self.stride_to_int(stride)
+                    r, s = self.is_integer_likely_a_wide_string(integer, size, Endness.BE)
+                    if r:
+                        # we remove all involved statements whose statement IDs are greater than the current one
+                        for _, stmt_idx_, _ in reversed(stride):
+                            if stmt_idx_ <= stmt_idx:
+                                continue
+                            block.statements[stmt_idx_] = None
+                        block.statements = [ss for ss in block.statements if ss is not None]
+
+                        str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
+                        return Call(
+                            stmt.idx,
+                            "wstrncpy",
+                            args=[
+                                stmt.addr,
+                                Const(None, None, str_id, stmt.addr.bits, custom_string=True),
+                                Const(None, None, len(s), self.project.arch.bits),
+                            ],
+                            **stmt.tags,
+                        )
+
+        return None
+
+    @staticmethod
+    def stride_to_int(stride: List[Tuple[int, int, Const]]) -> Tuple[int, int]:
+        stride = sorted(stride, key=lambda x: x[0])
+        n = 0
+        size = 0
+        for _, _, v in stride:
+            size += v.size
+            n <<= v.bits
+            n |= v.value
+        return n, size
+
+    @staticmethod
+    def collect_constant_stores(block, starting_stmt_idx: int) -> Dict[int, Tuple[int, Optional[Const]]]:
+        r = {}
+        for idx, stmt in enumerate(block.statements):
+            if idx < starting_stmt_idx:
+                continue
+            if isinstance(stmt, Store) and isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int):
+                if isinstance(stmt.data, Const):
+                    r[stmt.addr.offset] = idx, stmt.data
+                else:
+                    r[stmt.addr.offset] = idx, None
+
+        return r
+
+    @staticmethod
+    def even_offsets_are_zero(lst: List[str]) -> bool:
+        return all(ch == "\x00" for i, ch in enumerate(lst) if i % 2 == 0)
+
+    @staticmethod
+    def odd_offsets_are_zero(lst: List[str]) -> bool:
+        return all(ch == "\x00" for i, ch in enumerate(lst) if i % 2 == 1)
+
+    @staticmethod
+    def is_integer_likely_a_wide_string(
+        v: int, size: int, endness: Endness, min_length: int = 4
+    ) -> Tuple[bool, Optional[str]]:
+        # we need at least four bytes of printable characters
+
+        chars = []
+        if endness == Endness.LE:
+            while v != 0:
+                byt = v & 0xFF
+                if byt != 0 and chr(byt) not in ASCII_PRINTABLES:
+                    return False, None
+                chars.append(chr(byt))
+                v >>= 8
+
+        elif endness == Endness.BE:
+            for _ in range(size):
+                byt = v & 0xFF
+                v >>= 8
+                if byt != 0 and chr(byt) not in ASCII_PRINTABLES:
+                    return False, None
+                chars.append(chr(byt))
+            chars = chars[::-1]
+        else:
+            # unsupported endness
+            return False, None
+
+        if InlinedWstrcpy.even_offsets_are_zero(chars):
+            chars = [ch for i, ch in enumerate(chars) if i % 2 == 1]
+        elif InlinedWstrcpy.odd_offsets_are_zero(chars):
+            chars = [ch for i, ch in enumerate(chars) if i % 2 == 0]
+        else:
+            return False, None
+
+        if chars and chars[-1] == "\x00":
+            chars = chars[:-1]
+        if len(chars) >= min_length and all(ch in ASCII_PRINTABLES for ch in chars):
+            if len(chars) <= 4 and all(ch in ASCII_DIGITS for ch in chars):
+                return False, None
+            return True, "".join(chars)
+        return False, None

angr/analyses/decompiler/region_simplifiers/expr_folding.py

@@ -4,6 +4,7 @@ from typing import Optional, Any, Dict, Set, Tuple, Iterable, Union, DefaultDict
 
 import ailment
 from ailment import Expression, Block, AILBlockWalker
+from ailment.expression import ITE
 from ailment.statement import Statement, Assignment, Call
 
 from ..sequence_walker import SequenceWalker
@@ -385,11 +386,11 @@ class ExpressionReplacer(AILBlockWalker):
         return None
 
     def _handle_Assignment(self, stmt_idx: int, stmt: Assignment, block: Optional[Block]):
-        # override the base handler and make sure we do not replace .dst with a Call expression
+        # override the base handler and make sure we do not replace .dst with a Call expression or an ITE expression
         changed = False
 
         dst = self._handle_expr(0, stmt.dst, stmt_idx, stmt, block)
-        if dst is not None and dst is not stmt.dst and not isinstance(dst, Call):
+        if dst is not None and dst is not stmt.dst and not isinstance(dst, (Call, ITE)):
             changed = True
         else:
             dst = stmt.dst
@@ -446,7 +447,8 @@ class ExpressionFolder(SequenceWalker):
         for stmt in node.statements:
             if isinstance(stmt, ailment.Stmt.Assignment):
                 if isinstance(stmt.dst, ailment.Expr.Register) and stmt.dst.variable is not None:
-                    if stmt.dst.variable in self._assignments:
+                    unified_var = self._u(stmt.dst.variable)
+                    if unified_var in self._assignments:
                         # remove this statement
                         continue
             if (

angr/analyses/decompiler/return_maker.py

@@ -0,0 +1,71 @@
+from typing import Optional
+import logging
+
+import ailment
+
+from angr.sim_type import SimTypeBottom
+from angr.calling_conventions import SimRegArg
+from .ailgraph_walker import AILGraphWalker
+
+l = logging.getLogger(__name__)
+
+
+class ReturnMaker(AILGraphWalker):
+    """
+    Traverse the AILBlock graph of a function and update .ret_exprs of all return statements.
+    """
+
+    def __init__(self, ail_manager, arch, function, ail_graph):
+        super().__init__(ail_graph, self._handler, replace_nodes=True)
+        self.ail_manager = ail_manager
+        self.arch = arch
+        self.function = function
+        self._new_block = None
+
+        self.walk()
+
+    def _next_atom(self) -> int:
+        return self.ail_manager.next_atom()
+
+    def _handle_Return(
+        self, stmt_idx: int, stmt: ailment.Stmt.Return, block: Optional[ailment.Block]
+    ):  # pylint:disable=unused-argument
+        if (
+            block is not None
+            and not stmt.ret_exprs
+            and self.function.prototype is not None
+            and self.function.prototype.returnty is not None
+            and type(self.function.prototype.returnty) is not SimTypeBottom
+        ):
+            new_stmt = stmt.copy()
+            ret_val = self.function.calling_convention.return_val(self.function.prototype.returnty)
+            if isinstance(ret_val, SimRegArg):
+                reg = self.arch.registers[ret_val.reg_name]
+                new_stmt.ret_exprs.append(
+                    ailment.Expr.Register(
+                        self._next_atom(),
+                        None,
+                        reg[0],
+                        ret_val.size * self.arch.byte_width,
+                        reg_name=self.arch.translate_register_name(reg[0], ret_val.size),
+                    )
+                )
+            else:
+                l.warning("Unsupported type of return expression %s.", type(ret_val))
+            new_statements = block.statements[::]
+            new_statements[stmt_idx] = new_stmt
+            self._new_block = block.copy(statements=new_statements)
+
+    def _handler(self, block):
+        walker = ailment.AILBlockWalker()
+        # we don't need to handle any statement besides Returns
+        walker.stmt_handlers.clear()
+        walker.expr_handlers.clear()
+        walker.stmt_handlers[ailment.Stmt.Return] = self._handle_Return
+
+        self._new_block = None
+        walker.walk(block)
+
+        if self._new_block is not None:
+            return self._new_block
+        return None

angr/analyses/decompiler/structured_codegen/__init__.py

@@ -5,6 +5,6 @@ from .base import (
     PositionMappingElement,
     PositionMapping,
 )
-from .c import CStructuredCodeGenerator
+from .c import CStructuredCodeGenerator, CStructuredCodeWalker
 from .dwarf_import import ImportSourceCode
 from .dummy import DummyStructuredCodeGenerator

angr/analyses/decompiler/structured_codegen/c.py

@@ -1,4 +1,4 @@
-# pylint:disable=missing-class-docstring,too-many-boolean-expressions,unused-argument
+# pylint:disable=missing-class-docstring,too-many-boolean-expressions,unused-argument,no-self-use
 from typing import Optional, Dict, List, Tuple, Set, Any, Union, TYPE_CHECKING, Callable
 from collections import defaultdict
 import logging
@@ -2524,9 +2524,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             codegen=self,
             omit_header=self.omit_func_header,
         )
-        self.cfunc = FieldReferenceCleanup.handle(self.cfunc)
-        self.cfunc = PointerArithmeticFixer.handle(self.cfunc)
-        self.cfunc = MakeTypecastsImplicit.handle(self.cfunc)
+        self.cfunc = FieldReferenceCleanup().handle(self.cfunc)
+        self.cfunc = PointerArithmeticFixer().handle(self.cfunc)
+        self.cfunc = MakeTypecastsImplicit().handle(self.cfunc)
 
         # TODO store extern fallback size somewhere lol
         self.cexterns = {
@@ -3554,120 +3554,100 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
 
 class CStructuredCodeWalker:
-    @classmethod
-    def handle(cls, obj):
-        handler = getattr(cls, "handle_" + type(obj).__name__, cls.handle_default)
+    def handle(self, obj):
+        handler = getattr(self, "handle_" + type(obj).__name__, self.handle_default)
         return handler(obj)
 
-    @classmethod
-    def handle_default(cls, obj):
+    def handle_default(self, obj):
         return obj
 
-    @classmethod
-    def handle_CFunction(cls, obj):
-        obj.statements = cls.handle(obj.statements)
+    def handle_CFunction(self, obj):
+        obj.statements = self.handle(obj.statements)
         return obj
 
-    @classmethod
-    def handle_CStatements(cls, obj):
-        obj.statements = [cls.handle(stmt) for stmt in obj.statements]
+    def handle_CStatements(self, obj):
+        obj.statements = [self.handle(stmt) for stmt in obj.statements]
         return obj
 
-    @classmethod
-    def handle_CWhileLoop(cls, obj):
-        obj.condition = cls.handle(obj.condition)
-        obj.body = cls.handle(obj.body)
+    def handle_CWhileLoop(self, obj):
+        obj.condition = self.handle(obj.condition)
+        obj.body = self.handle(obj.body)
         return obj
 
-    @classmethod
-    def handle_CDoWhileLoop(cls, obj):
-        obj.condition = cls.handle(obj.condition)
-        obj.body = cls.handle(obj.body)
+    def handle_CDoWhileLoop(self, obj):
+        obj.condition = self.handle(obj.condition)
+        obj.body = self.handle(obj.body)
         return obj
 
-    @classmethod
-    def handle_CForLoop(cls, obj):
-        obj.initializer = cls.handle(obj.initializer)
-        obj.condition = cls.handle(obj.condition)
-        obj.iterator = cls.handle(obj.iterator)
-        obj.body = cls.handle(obj.body)
+    def handle_CForLoop(self, obj):
+        obj.initializer = self.handle(obj.initializer)
+        obj.condition = self.handle(obj.condition)
+        obj.iterator = self.handle(obj.iterator)
+        obj.body = self.handle(obj.body)
         return obj
 
-    @classmethod
-    def handle_CIfElse(cls, obj):
+    def handle_CIfElse(self, obj):
         obj.condition_and_nodes = [
-            (cls.handle(condition), cls.handle(node)) for condition, node in obj.condition_and_nodes
+            (self.handle(condition), self.handle(node)) for condition, node in obj.condition_and_nodes
         ]
-        obj.else_node = cls.handle(obj.else_node)
+        obj.else_node = self.handle(obj.else_node)
         return obj
 
-    @classmethod
-    def handle_CIfBreak(cls, obj):
-        obj.condition = cls.handle(obj.condition)
+    def handle_CIfBreak(self, obj):
+        obj.condition = self.handle(obj.condition)
         return obj
 
-    @classmethod
-    def handle_CSwitchCase(cls, obj):
-        obj.switch = cls.handle(obj.switch)
-        obj.cases = [(case, cls.handle(body)) for case, body in obj.cases]
-        obj.default = cls.handle(obj.default)
+    def handle_CSwitchCase(self, obj):
+        obj.switch = self.handle(obj.switch)
+        obj.cases = [(case, self.handle(body)) for case, body in obj.cases]
+        obj.default = self.handle(obj.default)
         return obj
 
-    @classmethod
-    def handle_CAssignment(cls, obj):
-        obj.lhs = cls.handle(obj.lhs)
-        obj.rhs = cls.handle(obj.rhs)
+    def handle_CAssignment(self, obj):
+        obj.lhs = self.handle(obj.lhs)
+        obj.rhs = self.handle(obj.rhs)
         return obj
 
-    @classmethod
-    def handle_CFunctionCall(cls, obj):
-        obj.callee_target = cls.handle(obj.callee_target)
-        obj.args = [cls.handle(arg) for arg in obj.args]
-        obj.ret_expr = cls.handle(obj.ret_expr)
+    def handle_CFunctionCall(self, obj):
+        obj.callee_target = self.handle(obj.callee_target)
+        obj.args = [self.handle(arg) for arg in obj.args]
+        obj.ret_expr = self.handle(obj.ret_expr)
         return obj
 
-    @classmethod
-    def handle_CReturn(cls, obj):
-        obj.retval = cls.handle(obj.retval)
+    def handle_CReturn(self, obj):
+        obj.retval = self.handle(obj.retval)
         return obj
 
-    @classmethod
-    def handle_CGoto(cls, obj):
-        obj.target = cls.handle(obj.target)
+    def handle_CGoto(self, obj):
+        obj.target = self.handle(obj.target)
         return obj
 
-    @classmethod
-    def handle_CIndexedVariable(cls, obj):
-        obj.variable = cls.handle(obj.variable)
-        obj.index = cls.handle(obj.index)
+    def handle_CIndexedVariable(self, obj):
+        obj.variable = self.handle(obj.variable)
+        obj.index = self.handle(obj.index)
         return obj
 
-    @classmethod
-    def handle_CVariableField(cls, obj):
-        obj.variable = cls.handle(obj.variable)
+    def handle_CVariableField(self, obj):
+        obj.variable = self.handle(obj.variable)
         return obj
 
-    @classmethod
-    def handle_CUnaryOp(cls, obj):
-        obj.operand = cls.handle(obj.operand)
+    def handle_CUnaryOp(self, obj):
+        obj.operand = self.handle(obj.operand)
         return obj
 
-    @classmethod
-    def handle_CBinaryOp(cls, obj):
-        obj.lhs = cls.handle(obj.lhs)
-        obj.rhs = cls.handle(obj.rhs)
+    def handle_CBinaryOp(self, obj):
+        obj.lhs = self.handle(obj.lhs)
+        obj.rhs = self.handle(obj.rhs)
         return obj
 
-    @classmethod
-    def handle_CTypeCast(cls, obj):
-        obj.expr = cls.handle(obj.expr)
+    def handle_CTypeCast(self, obj):
+        obj.expr = self.handle(obj.expr)
         return obj
 
-    @classmethod
-    def handle_CITE(cls, obj):
-        obj.cond = cls.handle(obj.cond)
-        obj.iftrue = cls.handle(obj.iftrue)
-        obj.iffalse = cls.handle(obj.iffalse)
+    def handle_CITE(self, obj):
+        obj.cond = self.handle(obj.cond)
+        obj.iftrue = self.handle(obj.iftrue)
+        obj.iffalse = self.handle(obj.iffalse)
         return obj
 
 
@@ -3702,34 +3682,30 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
             return cls.collapse(dst_ty, result)
         return result
 
-    @classmethod
-    def handle_CAssignment(cls, obj):
-        obj.rhs = cls.collapse(obj.lhs.type, obj.rhs)
+    def handle_CAssignment(self, obj):
+        obj.rhs = self.collapse(obj.lhs.type, obj.rhs)
         return super().handle_CAssignment(obj)
 
-    @classmethod
-    def handle_CFunctionCall(cls, obj: CFunctionCall):
+    def handle_CFunctionCall(self, obj: CFunctionCall):
         for i, (c_arg, arg_ty) in enumerate(zip(obj.args, obj.prototype.args)):
-            obj.args[i] = cls.collapse(arg_ty, c_arg)
+            obj.args[i] = self.collapse(arg_ty, c_arg)
         return super().handle_CFunctionCall(obj)
 
-    @classmethod
-    def handle_CReturn(cls, obj: CReturn):
-        obj.retval = cls.collapse(obj.codegen._func.prototype.returnty, obj.retval)
+    def handle_CReturn(self, obj: CReturn):
+        obj.retval = self.collapse(obj.codegen._func.prototype.returnty, obj.retval)
         return super().handle_CReturn(obj)
 
-    @classmethod
-    def handle_CBinaryOp(cls, obj: CBinaryOp):
+    def handle_CBinaryOp(self, obj: CBinaryOp):
         obj = super().handle_CBinaryOp(obj)
         while True:
-            new_lhs = cls.collapse(obj.common_type, obj.lhs)
+            new_lhs = self.collapse(obj.common_type, obj.lhs)
             if (
                 new_lhs is not obj.lhs
                 and CBinaryOp.compute_common_type(obj.op, new_lhs.type, obj.rhs.type) == obj.common_type
             ):
                 obj.lhs = new_lhs
             else:
-                new_rhs = cls.collapse(obj.common_type, obj.rhs)
+                new_rhs = self.collapse(obj.common_type, obj.rhs)
                 if (
                     new_rhs is not obj.rhs
                     and CBinaryOp.compute_common_type(obj.op, obj.lhs.type, new_rhs.type) == obj.common_type
@@ -3739,11 +3715,10 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
                     break
         return obj
 
-    @classmethod
-    def handle_CTypeCast(cls, obj: CTypeCast):
+    def handle_CTypeCast(self, obj: CTypeCast):
         # note that the expression that this method returns may no longer be a CTypeCast
         obj = super().handle_CTypeCast(obj)
-        inner = cls.collapse(obj.dst_type, obj.expr)
+        inner = self.collapse(obj.dst_type, obj.expr)
         if inner is not obj.expr:
             obj.src_type = inner.type
             obj.expr = inner
@@ -3753,12 +3728,11 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
 
 
 class FieldReferenceCleanup(CStructuredCodeWalker):
-    @classmethod
-    def handle_CTypeCast(cls, obj):
+    def handle_CTypeCast(self, obj):
         if isinstance(obj.dst_type, SimTypePointer) and not isinstance(obj.dst_type.pts_to, SimTypeBottom):
             obj = obj.codegen._access_reference(obj.expr, obj.dst_type.pts_to)
             if not isinstance(obj, CTypeCast):
-                return cls.handle(obj)
+                return self.handle(obj)
         return super().handle_CTypeCast(obj)
 
 
@@ -3776,8 +3750,7 @@ class PointerArithmeticFixer(CStructuredCodeWalker):
     a_ptr = a_ptr + 1.
     """
 
-    @classmethod
-    def handle_CBinaryOp(cls, obj):
+    def handle_CBinaryOp(self, obj):
         obj: CBinaryOp = super().handle_CBinaryOp(obj)
         if (
             obj.op in ("Add", "Sub")

angr/analyses/decompiler/utils.py

@@ -569,7 +569,10 @@ def peephole_optimize_stmts(block, stmt_opts):
     statements = []
 
     # run statement optimizers
-    for stmt_idx, stmt in enumerate(block.statements):
+    # note that an optimizer may optionally edit or remove statements whose statement IDs are greater than stmt_idx
+    stmt_idx = 0
+    while stmt_idx < len(block.statements):
+        stmt = block.statements[stmt_idx]
         old_stmt = stmt
         redo = True
         while redo:
@@ -587,6 +590,7 @@ def peephole_optimize_stmts(block, stmt_opts):
             any_update = True
         else:
             statements.append(old_stmt)
+        stmt_idx += 1
 
     return statements, any_update