SamboyCoding
diff --git a/‎Cpp2IL.Core/Analysis/LocalVariables.cs‎
Lines changed: 143 additions & 59 deletions b/‎Cpp2IL.Core/Analysis/LocalVariables.cs‎
Lines changed: 143 additions & 59 deletions
diff --git a/‎Cpp2IL.Core/Analysis/MetadataResolver.cs‎
Lines changed: 82 additions & 2 deletions b/‎Cpp2IL.Core/Analysis/MetadataResolver.cs‎
Lines changed: 82 additions & 2 deletions
@@ -189,63 +189,154 @@ private static List<Register> GetRegisters(Instruction instruction)
         return registers;
     }
 
-    public static void PropagateTypes(MethodAnalysisContext method)
+    /// <summary>
+    /// Resolves field accesses and propagates types together, to a fixpoint, while the method is
+    /// still in SSA form (every local has a single, version-stable definition).
+    ///
+    /// The two are mutually enabling and so cannot be ordered as separate passes: a typed base lets
+    /// <see cref="MetadataResolver.ResolveFieldOffsets"/> turn <c>[base + offset]</c> into a
+    /// <see cref="FieldReference"/>, a resolved field load types its result with the field's type,
+    /// and that result is in turn the base of the next access (directly, or after flowing through
+    /// moves/phis). Both steps are monotonic - each only ever resolves an operand or fills a
+    /// previously-unknown type - so the loop converges.
+    /// </summary>
+    public static void ResolveTypesAndFields(MethodAnalysisContext method)
     {
+        // Seed types from fixed ground truth - the method's own signature, and type-metadata global
+        // loads. Applied once up front and, being applied first, they win over anything inferred later.
         PropagateFromReturn(method);
         PropagateFromParameters(method);
-        PropagateFromCallParameters(method);
-        PropagateThroughMoves(method);
-    }
+        SeedRuntimeClassTypes(method);
 
-    private static void PropagateThroughMoves(MethodAnalysisContext method)
-    {
+        // Everything else is mutually enabling and so runs to a fixpoint: a typed receiver lets an
+        // ambiguous call resolve, a resolved call types its return value and arguments, a typed base
+        // lets a field offset resolve, a field load types its result, and any of those can be the
+        // receiver/base of the next step. Every pass is monotonic - it only resolves an operand or
+        // fills a previously-unknown type - so the loop converges.
         var changed = true;
         var loopCount = 0;
 
         while (changed)
         {
+            if (MaxTypePropagationLoopCount != -1 && ++loopCount > MaxTypePropagationLoopCount)
+                throw new DecompilerException($"Type and field resolution not settling! (looped {MaxTypePropagationLoopCount} times)");
+
             changed = false;
-            loopCount++;
+            changed |= MetadataResolver.ResolveAmbiguousCalls(method);
+            changed |= PropagateFromCallParameters(method);
+            changed |= MetadataResolver.ResolveFieldOffsets(method);
+            changed |= PropagateTypesOnce(method);
+        }
+    }
+
+    // A type-metadata global load (Move local, typeof(T)) puts the runtime class pointer for T into
+    // the local - an Il2CppClass*, not an instance of T. That is known exactly from the instruction,
+    // so it is seeded as ground truth (overriding any prior guess) before the inference fixpoint,
+    // rather than letting a monotonic pass first mistype the local as T itself.
+    private static void SeedRuntimeClassTypes(MethodAnalysisContext method)
+    {
+        foreach (var instruction in method.ControlFlowGraph!.Instructions)
+        {
+            if (instruction.OpCode != OpCode.Move || instruction.Operands.Count < 2)
+                continue;
+
+            if (instruction.Operands[0] is LocalVariable destination && instruction.Operands[1] is TypeAnalysisContext type)
+                destination.Type = new RuntimeClassTypeAnalysisContext(type, type.DeclaringAssembly);
+        }
+    }
+
+    // Fills in a local's type only when it is currently unknown, keeping propagation monotonic (a
+    // type, once set, is never changed) so the fixpoint terminates. Returns whether it set anything.
+    private static bool SetTypeIfUnknown(LocalVariable local, TypeAnalysisContext? type)
+    {
+        if (type == null || local.Type != null)
+            return false;
 
-            if (MaxTypePropagationLoopCount != -1 && loopCount > MaxTypePropagationLoopCount)
-                throw new DecompilerException($"Type propagation through moves not settling! (looped {MaxTypePropagationLoopCount} times)");
+        local.Type = type;
+        return true;
+    }
 
-            foreach (var instruction in method.ControlFlowGraph!.Instructions)
+    // A single propagation sweep over every move and phi. Returns whether it filled in any type.
+    private static bool PropagateTypesOnce(MethodAnalysisContext method)
+    {
+        var changed = false;
+
+        foreach (var instruction in method.ControlFlowGraph!.Instructions)
+        {
+            switch (instruction.OpCode)
             {
-                if (instruction.OpCode != OpCode.Move)
-                    continue;
+                case OpCode.Move:
+                    changed |= PropagateMove(instruction);
+                    break;
+                case OpCode.Phi:
+                    changed |= PropagatePhi(instruction);
+                    break;
+            }
+        }
 
-                if (instruction.Operands[0] is LocalVariable destination && instruction.Operands[1] is LocalVariable source)
-                {
-                    // Move ??, local
-                    if (destination.Type == null && source.Type != null)
-                    {
-                        destination.Type = source.Type;
-                        changed = true;
-                    }
-                    // Move local, ??
-                    else if (source.Type == null && destination.Type != null)
-                    {
-                        source.Type = destination.Type;
-                        changed = true;
-                    }
-                }
+        return changed;
+    }
+
+    private static bool PropagateMove(Instruction move)
+    {
+        var destination = move.Operands[0];
+        var source = move.Operands[1];
+
+        // Move local, local: copy a known type in whichever direction is missing it.
+        if (destination is LocalVariable destLocal && source is LocalVariable sourceLocal)
+            return SetTypeIfUnknown(destLocal, sourceLocal.Type) || SetTypeIfUnknown(sourceLocal, destLocal.Type);
+
+        // Move local, field: a field load types its result with the field's type. This is the edge
+        // that lets the loaded value go on to be the base of a further field access.
+        if (destination is LocalVariable loadDest && source is FieldReference loadField)
+            return SetTypeIfUnknown(loadDest, loadField.Field.FieldType);
+
+        // Move field, local: a field store types the stored value with the field's type.
+        if (destination is FieldReference storeField && source is LocalVariable storeSource)
+            return SetTypeIfUnknown(storeSource, storeField.Field.FieldType);
+
+        return false;
+    }
+
+    // A phi is a copy from each predecessor's value, so types flow both ways across it - mirroring
+    // the bidirectional Move copies it decays into once SSA is destroyed.
+    private static bool PropagatePhi(Instruction phi)
+    {
+        if (phi.Operands[0] is not LocalVariable destination)
+            return false;
 
-                if (instruction.Operands[0] is LocalVariable destination2 && instruction.Operands[1] is TypeAnalysisContext source2)
+        var changed = false;
+
+        // Forward: an untyped phi result takes the type of any typed input.
+        if (destination.Type == null)
+        {
+            for (var i = 1; i < phi.Operands.Count; i++)
+            {
+                if (phi.Operands[i] is LocalVariable { Type: { } inputType })
                 {
-                    // Move ??, type
-                    if (destination2.Type == null)
-                    {
-                        destination2.Type = source2;
-                        changed = true;
-                    }
+                    changed = SetTypeIfUnknown(destination, inputType);
+                    break;
                 }
             }
         }
+
+        // Backward: a typed phi result types each of its still-untyped inputs.
+        if (destination.Type != null)
+        {
+            for (var i = 1; i < phi.Operands.Count; i++)
+            {
+                if (phi.Operands[i] is LocalVariable input)
+                    changed |= SetTypeIfUnknown(input, destination.Type);
+            }
+        }
+
+        return changed;
     }
 
-    private static void PropagateFromCallParameters(MethodAnalysisContext method)
+    private static bool PropagateFromCallParameters(MethodAnalysisContext method)
     {
+        var changed = false;
+
         foreach (var instruction in method.ControlFlowGraph!.Instructions)
         {
             if (!instruction.IsCall)
@@ -254,46 +345,39 @@ private static void PropagateFromCallParameters(MethodAnalysisContext method)
             if (instruction.Operands[0] is not MethodAnalysisContext calledMethod)
                 continue;
 
-            // Constructor, set return variable type
-            if (calledMethod.Name == ".ctor" || calledMethod.Name == ".cctor")
+            // Return value: a constructor yields its declaring type, otherwise the declared return type.
+            if (instruction.Destination is LocalVariable returnValue)
             {
-                if (instruction.Destination is LocalVariable constructorReturn)
-                {
-                    constructorReturn.Type = calledMethod.DeclaringType;
-                    continue;
-                }
-            }
-            else // Return value
-            {
-                if (instruction.Destination is LocalVariable returnValue)
-                    returnValue.Type = calledMethod.ReturnType;
+                changed |= SetTypeIfUnknown(returnValue,
+                    calledMethod.Name is ".ctor" or ".cctor" ? calledMethod.DeclaringType : calledMethod.ReturnType);
             }
 
             // 'this' param
-            if (!calledMethod.IsStatic)
+            if (!calledMethod.IsStatic
+                && instruction.Operands[instruction.OpCode == OpCode.CallVoid ? 1 : 2] is LocalVariable thisParam)
             {
-                if (instruction.Operands[instruction.OpCode == OpCode.CallVoid ? 1 : 2] is LocalVariable thisParam)
-                    thisParam.Type = calledMethod.DeclaringType;
+                changed |= SetTypeIfUnknown(thisParam, calledMethod.DeclaringType);
             }
 
-            // Set types
+            // Remaining arguments map positionally onto the callee's declared parameters.
             var paramOffset = calledMethod.IsStatic ? 1 : 2;
-            if (instruction.OpCode == OpCode.Call) // Skip return value
+            if (instruction.OpCode == OpCode.Call) // Skip the return value operand
                 paramOffset += 1;
 
             for (var i = paramOffset; i < instruction.Operands.Count; i++)
             {
-                var operand = instruction.Operands[i];
+                if (instruction.Operands[i] is not LocalVariable local)
+                    continue;
 
-                if (operand is LocalVariable local)
-                {
-                    if ((i - paramOffset) > calledMethod.Parameters.Count - 1) // Probably MethodInfo*
-                        continue;
+                var parameterIndex = i - paramOffset;
+                if (parameterIndex > calledMethod.Parameters.Count - 1) // Probably MethodInfo*
+                    continue;
 
-                    local.Type = calledMethod.Parameters[i - paramOffset].ParameterType;
-                }
+                changed |= SetTypeIfUnknown(local, calledMethod.Parameters[parameterIndex].ParameterType);
             }
         }
+
+        return changed;
     }
 
     private static void PropagateFromParameters(MethodAnalysisContext method)
 
@@ -14,7 +14,6 @@ public static class MetadataResolver
     public static void ResolveAll(MethodAnalysisContext method)
     {
         ResolveCalls(method);
-        ResolveFieldOffsets(method);
         ResolveGetter(method);
         ResolveStrings(method);
     }
@@ -52,8 +51,17 @@ private static void ResolveStrings(MethodAnalysisContext method)
         }
     }
 
-    private static void ResolveFieldOffsets(MethodAnalysisContext method)
+    /// <summary>
+    /// Replaces every <c>[base + addend]</c> memory operand whose base is a typed local with a
+    /// <see cref="FieldReference"/> to the field at that offset. Returns whether any operand was
+    /// resolved this pass, so the type/field fixpoint can detect convergence: as more bases become
+    /// typed (a field load types its result, which is the base of the next load), more offsets
+    /// resolve, so this is re-run until it stops finding new fields.
+    /// </summary>
+    public static bool ResolveFieldOffsets(MethodAnalysisContext method)
     {
+        var changed = false;
+
         foreach (var instruction in method.ControlFlowGraph!.Instructions)
         {
             for (var i = 0; i < instruction.Operands.Count; i++)
@@ -76,8 +84,11 @@ private static void ResolveFieldOffsets(MethodAnalysisContext method)
                     continue;
 
                 instruction.Operands[i] = new FieldReference(field, local, (int)memory.Addend);
+                changed = true;
             }
         }
+
+        return changed;
     }
 
     private static void ResolveCalls(MethodAnalysisContext method)
@@ -107,6 +118,9 @@ private static void ResolveCalls(MethodAnalysisContext method)
             if (!method.AppContext.MethodsByAddress.TryGetValue(target, out var targetMethods))
                 continue;
 
+            // Several methods can share one address (identical native code merged by the linker, or
+            // generic sharing). Those are left as a numeric target here and disambiguated later by
+            // receiver type in ResolveAmbiguousCalls, once types are known.
             if (targetMethods is not [{ } singleTargetMethod])
                 continue;
 
@@ -116,6 +130,72 @@ private static void ResolveCalls(MethodAnalysisContext method)
         method.ControlFlowGraph.MergeCallBlocks();
     }
 
+    /// <summary>
+    /// Resolves calls whose address maps to more than one method by matching the receiver's known
+    /// type against the candidates' declaring types. Runs inside the type/field fixpoint and so
+    /// re-fires as receivers become typed - a resolved call types its return value, which can type
+    /// the receiver of a further call. Returns whether any call was resolved this pass.
+    ///
+    /// Conservative by design: it commits only when exactly one non-static candidate's declaring
+    /// type matches the receiver's type. Anything still untyped or ambiguous is left for a later
+    /// pass, or left unresolved - it never guesses.
+    /// </summary>
+    public static bool ResolveAmbiguousCalls(MethodAnalysisContext method)
+    {
+        var changed = false;
+
+        foreach (var instruction in method.ControlFlowGraph!.Instructions)
+        {
+            if (!instruction.IsCall)
+                continue;
+
+            var target = instruction.Operands[0];
+
+            // A resolved call's target is a method/key-function name; only unresolved ones are still numeric.
+            if (!target.IsNumeric())
+                continue;
+
+            if (!method.AppContext.MethodsByAddress.TryGetValue((ulong)target, out var candidates) || candidates.Count < 2)
+                continue;
+
+            if (GetReceiver(instruction) is not { Type: { } receiverType })
+                continue;
+
+            MethodAnalysisContext? match = null;
+            var ambiguous = false;
+
+            foreach (var candidate in candidates)
+            {
+                if (candidate.IsStatic || !ReferenceEquals(candidate.DeclaringType, receiverType))
+                    continue;
+
+                if (match != null)
+                {
+                    ambiguous = true;
+                    break;
+                }
+
+                match = candidate;
+            }
+
+            if (ambiguous || match == null)
+                continue;
+
+            instruction.Operands[0] = match;
+            changed = true;
+        }
+
+        return changed;
+    }
+
+    // The receiver ('this') of a call is the first integer-slot argument: operand 1 for CallVoid
+    // (after the target), operand 2 for Call (after the target and the return value).
+    private static LocalVariable? GetReceiver(Instruction call)
+    {
+        var index = call.OpCode == OpCode.CallVoid ? 1 : 2;
+        return index < call.Operands.Count ? call.Operands[index] as LocalVariable : null;
+    }
+
     private static void HandleKeyFunction(ApplicationAnalysisContext appContext, Instruction instruction, ulong target, BaseKeyFunctionAddresses kFA)
     {
         var method = "";