Papers
Topics
Authors
Recent
Search
2000 character limit reached

CoDe-R: Robust LLM-assisted Decompilation

Updated 5 July 2026
  • The paper introduces CoDe-R, a two-stage framework that refines decompiler-generated pseudo-code using semantic rationale guidance and adaptive verification to reduce logical hallucinations.
  • It leverages Semantic Cognitive Enhancement to inject concise functional rationales that mitigate semantic misalignment in LLM-generated code.
  • Dynamic Dual-Path Fallback adaptively selects between semantic-rich and syntactic-robust outputs, enhancing re-executability and ensuring successful compilation.

Searching arXiv for the specified decompiler-refinement papers to ground the article in current literature. Cognitive Decompiler Refinement with Robustness (CoDe-R) denotes a robustness-oriented approach to LLM-assisted binary decompilation in which decompiler-produced pseudo-code is refined under explicit semantic and verification constraints rather than treated as a one-shot translation target. In the narrow sense, CoDe-R is the lightweight two-stage framework introduced in "CoDe-R: Refining Decompiler Output with LLMs via Rationale Guidance and Adaptive Inference" (Zhang et al., 14 Apr 2026). In a broader CoDe-R-style sense suggested by related work, it describes decompiler refinement systems that combine semantic recovery, grounded evidence, or external validation so that readable output remains faithful to the original binary rather than merely plausible as text (Zhou et al., 22 Oct 2025).

1. Problem setting and failure modes

CoDe-R is motivated by a structural property of binary decompilation: compilation destroys high-level semantic information, including variable names, types, loop intent, and other source-level structure. As a result, traditional decompilers such as Ghidra or IDA Pro emit pseudo-code that is often structurally noisy and semantically incomplete. When LLMs are applied to this pseudo-code, they can generate fluent C-like output that nevertheless exhibits logical hallucinations and semantic misalignment: the code may look plausible, or even compile, while failing to preserve the program logic required for correct re-execution (Zhang et al., 14 Apr 2026).

The CoDe-R paper isolates two empirical motivations. First, failure patterns are concentrated in semantic-heavy constructs, especially control flow and other logic-rich structures such as if-conditions and loops. Second, performance drops as token length increases, consistent with the “lost-in-the-middle” problem. These observations support the claim that direct pseudo-code-to-source rewriting is ill-posed: the model must infer both program intent and program expression from an input that has already lost essential semantics.

A closely related motivation appears in fidelity-oriented decompiler refinement for closed-source binaries. FidelityGPT argues that decompilation quality is constrained by fidelity issues: output may be syntactically readable while still diverging from the original source in ways that damage readability and semantic integrity. It identifies six distortion classes relevant to closed-source settings: I1 Non-inertial dereferencing, I2 Character and string literal representation issues, I3 Control flow obfuscation, I4 Redundant code, I5 Unexpected returns, and I6 Use of non-type symbols (Zhou et al., 22 Oct 2025). This broadens the CoDe-R motivation from re-executability alone to the more general problem of semantically safe refinement under information loss.

2. Semantic Cognitive Enhancement

The first stage of the original CoDe-R framework is Semantic Cognitive Enhancement (SCE), a training-time rationale-injection mechanism that reframes decompilation as a rationale-conditional refinement problem rather than direct translation. The paper models generation as

P(yx)P(zx;Mgen)P(yx,z;θ),P(y \mid x) \approx P(z \mid x; \mathcal{M}_{gen}) \cdot P(y \mid x, z; \theta),

where xx is decompiler pseudo-code, zz is a functional rationale, and yy is the target source code (Zhang et al., 14 Apr 2026).

The rationale is deliberately concise. It emphasizes function name and purpose rather than a verbose derivation, and it functions as a semantic anchor rather than a chain-of-thought transcript. In the reported experiments, a separate generator model, Qwen3, synthesizes ziz_i from pseudo-code. The appendix-described prompting is tightly constrained, and the rationale generator is informed by reverse-engineering heuristics such as interpreting certain nested loops as comparisons over all pairs or combinations, or mapping specific float-to-int bitwise patterns to an absolute-value trick.

The refiner is then instruction-tuned on augmented inputs (zixi)(z_i \oplus x_i) using the standard autoregressive objective

LSCE(θ)=t=1ylogP(ytx,z,y<t;θ).\mathcal{L}_{SCE}(\theta) = - \sum_{t=1}^{|y|} \log P(y_t \mid x, z, y_{<t}; \theta).

Within the paper’s formulation, the rationale acts as an information bottleneck: it suppresses low-level implementation noise while preserving higher-level algorithmic meaning. This directly addresses semantic misalignment by teaching the model what the function is doing before asking it to produce source-like code. The reported ablation is consistent with that interpretation: the semantic-rich path alone slightly outperforms the purely syntactic path in average re-executability.

3. Dynamic Dual-Path Fallback and adaptive verification

The second stage of CoDe-R is Dynamic Dual-Path Fallback (DDPF), an inference-time robustness mechanism that explicitly balances semantic recovery against syntactic stability (Zhang et al., 14 Apr 2026). The framework generates two candidates.

The semantic-rich generation path first synthesizes a rationale z^\hat{z} and then conditions the refiner on that rationale:

z^=Mgen(x,Pgen),y^sem=Mref(x,z^).\hat{z} = \mathcal{M}_{gen}(x, \mathcal{P}_{gen}), \qquad \hat{y}_{sem} = \mathcal{M}_{ref}(x, \hat{z}).

The syntactic-robust generation path runs the same refiner directly on pseudo-code with no rationale:

y^syn=Mref(x,).\hat{y}_{syn} = \mathcal{M}_{ref}(x, \emptyset).

Selection between the two outputs is performed by a hybrid verification strategy based on re-compilation consistency. For a candidate xx0, the paper defines

xx1

where xx2 is the assembly obtained by recompiling generated code xx3, and xx4 is the original input assembly. It also defines xx5 when xx6 compiles successfully. The decision rule prefers the semantic-rich output if it compiles and either the syntactic path does not compile or the semantic-rich path has at least as much assembly-level consistency as the syntactic path; otherwise the system falls back to the syntactic path.

This mechanism is central to the framework’s notion of robustness. Rationale-guided generation can recover deeper algorithmic intent, but noisy rationales can propagate errors. Direct generation is more conservative, but less semantically expressive. DDPF therefore uses verification not to prove correctness in a formal sense, but to choose adaptively between a semantically ambitious path and a syntactically stable path. A frequent misconception is to equate CoDe-R with iterative self-repair; the original method is not multi-turn refinement, but a dual-path test-time compute strategy with an assembly-consistency gate.

A broader CoDe-R-style interpretation emerges in related systems that pursue robustness through grounded context, staged correction, or external feedback (Zhou et al., 22 Oct 2025, Liu et al., 15 Jun 2026, Zou et al., 11 Jun 2025).

System Core mechanism Robustness focus
FidelityGPT Detection, RAG, dependency-aware correction Fidelity distortions in closed-source decompiled code
AutoDecompiler Feedback-driven multi-turn RL refinement Recompilability, re-execution, I/O consistency
D-LiFT D-SCORE-gated RL backend Preserving accuracy while improving readability

FidelityGPT is organized as a three-stage pipeline: preprocessing, context generation, and distortion detection/correction. Long functions are split at 50 lines. Context generation combines a Variable Dependency Algorithm, which builds a Program Dependence Graph and recursively traces dependencies, with a Dynamic Semantic Intensity Retrieval Algorithm, which scores lines by syntax-construct weights learned from a distortion database. The detection prompt classifies lines according to I1–I6, and the correction prompt repairs only detected distortions, marking corrected lines with //fixed. Retrieval uses a decompilation distortion database built from manually annotated lines, including 150 lines from IDA Pro and 91 additional lines from Ghidra; selected lines are embedded with text-embedding-ada-002, searched with LangChain, and queried with xx7 retrieval. The method’s robustness claim rests on separating localization from repair so that the model does not rewrite an entire function blindly.

AutoDecompiler addresses a different robustness problem: single-turn decompilers may generate readable or compilable code that still diverges behaviorally from the binary. It therefore formulates decompilation as a feedback-driven multi-turn refinement process. At refinement turn xx8, the state is xx9, where zz0 is assembly or pseudo-code, zz1 are prior outputs, and zz2 are prior feedback messages. The model generates a full C-like function zz3, which is then validated through code validity checking, recompilation, re-execution, and I/O testing. The per-turn reward is a weighted sum of validity, execution, syntactic, and semantic components, with implementation weights zz4, zz5, zz6, and zz7. The method adds progress-aware trajectory rewarding and turn-aware advantage reweighting, and the environment constructs stage-aware diagnostic feedback from compiler errors, execution failures, failed test cases, or success. Here robustness is learned as a policy of revision rather than a one-shot generator.

D-LiFT is an RL-trained decompiler backend whose central rule is “preserving accuracy while improving readability.” Its D-SCORE reward function is hierarchical: it first checks syntactic correctness through recompilation, then semantic correctness through symbolic execution and SMT solving, and only if both pass does it evaluate readability via relative Buse & Weimer and R2I scores. The instantiated penalties are zz8, zz9, and yy0, with readability weights yy1 and yy2. Because any inaccurate output must score below any readable-but-correct output, D-LiFT operationalizes robustness as a constrained optimization problem rather than a style-improvement objective.

5. Empirical performance and ablation evidence

On HumanEval-Decompile, the original CoDe-R framework reaches an Average Re-executability Rate of 50.00%, establishing the reported SOTA in the lightweight regime and becoming the first 1.3B model in that study to exceed 50.00% average re-executability (Zhang et al., 14 Apr 2026). The reported comparison is 19.82% for the Ghidra baseline and 44.82% for the LLM4Decompile-Ref (1.3B) baseline, yielding a 5.18-point improvement over the baseline refiner. By optimization level, CoDe-R reaches 70.73% at O0, 46.34% at O1, 42.07% at O2, and 40.85% at O3.

The ablations clarify the contribution of each CoDe-R component. Path 1 Only (Semantic-Rich) achieves 48.32% average re-executability, while Path 2 Only (Syntactic-Robust) achieves 47.71%. The combined CoDe-R system reaches 50.00%, indicating that adaptive selection improves over either path alone. On compilability, the baseline reaches 90.24%, Path 1 83.99%, Path 2 89.48%, and CoDe-R 90.70%. The rationale studies report 46.80% for detailed rationales and 47.56% for concise rationales; for injection strategy, Full distillation reaches 45.43% and Source-only reaches 47.56%. The paper also reports that CoDe-R reduces failures most in if-condition and memory management patterns, while improvements are smaller for bitwise operations.

FidelityGPT is evaluated on 620 function pairs and reports average Accuracy = 0.89 and Precision = 0.83 for distortion detection, compared with Promptyy3 at Acc 0.87, Pr 0.73 and Promptyy4 at Acc 0.88, Pr 0.75 (Zhou et al., 22 Oct 2025). For correction, it reports FR = 0.94 and CFR = 0.64, compared with DeGPT at FR = 0.83 and CFR = 0.37; Promptyy5 at FR = 0.92, CFR = 0.57; Promptyy6 at FR = 0.91, CFR = 0.54; and Promptyy7 at FR = 0.75, CFR = 0.17. Against domain-specific baselines, LLM4Decompile reaches FR 0.70, CFR 0.44, and ReSym reaches FR 0.84, CFR 0.45. Cross-backend robustness remains strong across IDA and Ghidra, GPT-4o and DeepSeek-chat, and -O1, -O2, -O3, with detection around 0.88–0.90 accuracy, correction FR around 0.92–0.97, and CFR around 0.59–0.72. In its semantic-intensity retrieval ablation, the reported best trade-off is Accuracy = 0.91, Precision = 0.88, Time = 4.51 s, and Tokens = 1502.23. For the variable-dependency ablation, redundant-variable recall declines from 0.31 at 30 lines to 0.00 at 80 lines, and the paper reports that 50 lines gives the best recall/runtime balance under yy8.

AutoDecompiler reports that feedback-driven multi-turn refinement consistently outperforms single-turn counterparts under the same model size and input setting (Liu et al., 15 Jun 2026). On HumanEval, AutoDecompiler-E2E 1.3B improves the prior best Re-exe by 5.19% among comparable-size baselines. On pseudo-code-based decompilation, AutoDecompiler-Pscode 6.7B improves over SK2Decompile 6.7B by 1.58% Re-exe. The stage-wise analysis is especially relevant to robustness: for AutoDecompiler-Pscode 6.7B, average Re-exe rises from 45.73% in the vanilla model to 65.09% after SFT, then to 68.75% with 1-turn RL, 69.51% with 2-turn RL, and 70.58% with 3-turn RL.

D-LiFT reports that D-SCORE-driven fine-tuning produces 55.3% more improved decompiled functions than baseline LLMs without that fine-tuning (Zou et al., 11 Jun 2025). The paper’s baseline study finds that, on average, 44.2% of originally accurate functions become inaccurate after LLM processing; for LLM4Decompile-End-1.3B, the degradation reaches 93.2%. Among originally accurate functions, the best fine-tuned outputs improve 84.9% of functions, compared with 70.2% for the best baseline models. When selecting the best output among the original decompiler, baseline LLM, and fine-tuned model, the fine-tuned model wins for 47.3% of functions on average, versus 20.9% for the baseline model. On originally inaccurate functions, however, only 44 improve when taking the best among all models, while 504 remain unimproved, and the average improvement remains negative.

6. Limitations, misconceptions, and open questions

Across the literature, CoDe-R and CoDe-R-style systems are bounded by the same fundamental constraint: they refine artifacts that have already lost semantics during compilation, so robustness is always partial rather than absolute (Zhang et al., 14 Apr 2026, Liu et al., 15 Jun 2026, Zhou et al., 22 Oct 2025, Zou et al., 11 Jun 2025).

Several misconceptions are explicitly contradicted by the reported evidence. First, robustness-oriented decompiler refinement is not equivalent to variable renaming or structural beautification. FidelityGPT’s distinction between FR and CFR, and its emphasis on six distortion classes, shows that readability-oriented fixes and semantic corrections must be separated. Second, CoDe-R is not inherently iterative self-repair. The original CoDe-R uses rationale guidance plus adaptive fallback; AutoDecompiler is the system that formalizes refinement as a multi-turn RL process. Third, these methods are not full recovery systems for arbitrarily poor decompilation. D-LiFT states directly that it works much better when the front-end decompiler output is already correct and needs readability refinement; originally inaccurate decompiled code remains difficult for all models.

The limitations reported by the papers are also method-specific. In CoDe-R, rationale-guided generation can hallucinate, and DDPF exists precisely because semantic-rich generation may reduce compile success if not checked. In AutoDecompiler, refinement depth is constrained by context length; the system is single-function oriented, does not exploit interprocedural context such as caller-callee relationships or global state, and its robustness on heavily stripped, obfuscated, packed, or protected binaries remains open. The authors also note that hallucinated yet syntactically valid code remains a concern. In FidelityGPT, very high-complexity functions, rare distortion types, and semantics heavily obscured by optimization remain challenging. In D-LiFT, symbolic checking can fail because of timeouts, boundary recovery issues, unsupported floating-point instructions, memory-model issues with double pointers, and imperfect external function-call modeling.

Taken together, these results suggest that CoDe-R is best understood not as a single algorithmic trick but as a design principle for decompiler refinement: recover missing semantics when possible, verify outputs before trusting them, and bias optimization toward behavioral faithfulness rather than surface fluency. Within that principle, rationale guidance, retrieval grounding, dependency analysis, staged correction, compiler and execution feedback, and correctness-gated reward design represent complementary mechanisms for making LLM-refined decompilation more faithful, more readable, and less vulnerable to silent semantic drift.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Cognitive Decompiler Refinement with Robustness (CoDe-R).