Partially Recompilable Decompilation Overview

• Partially Recompilable Decompilation (PRD) is a reverse engineering technique that reconstructs high-level code for specific binary segments to enable localized recompilation.
• It employs targeted fault localization, partial decompilation, type recovery, and binary rewriting to achieve high recompilability rates, often reaching 70–89% for isolated functions.
• Hybrid static-neural methods and iterative repair strategies underpin PRD, addressing semantic recovery challenges and facilitating applications like vulnerability mitigation and program repair.

Partially Recompilable Decompilation (PRD) is a methodology in program analysis and reverse engineering that focuses on reconstructing recompilable high-level code for only a subset of a compiled artifact—such as specific functions or classes—instead of the entire binary. PRD enables the localized decompilation, recompilation, and patching of target regions in executables or bytecode, supporting applications like vulnerability mitigation, automated repair, and migration when full-program recompilation is infeasible. PRD leverages advances in fault localization, hybrid static-neural decompilers, and fragment-merging strategies to maximize recompilability and semantic preservation, producing code that integrates with existing binaries or larger codebases while relaxing the unattainable requirement of whole-program recompilation.

1. Formal Definitions and Central Metrics

PRD is grounded in explicit, compiler-checked metrics that quantify partial syntactic and semantic recovery. In C/C++ and binary-centric PRD, the foundational metrics are:

• Re-compilability rate (RC):

$\mathrm{RC} = \frac{1}{N}\sum_{i=1}^N I_i$

where $N$ is the number of decompiled functions, and $I_i=1$ if function $i$ compiles (0 otherwise). This captures the fraction of isolated functions successfully recompiled by the original compiler under matching optimization flags (Tan et al., 2024).

• Re-executability rate (RE):

$\mathrm{RE} = \frac{1}{N}\sum_{i=1}^N J_i$

with $J_i=1$ when function $i$ both compiles and passes all original test assertions (semantic equivalence) (Tan et al., 2024). ESR (Executable Success Rate) (Wang et al., 3 Nov 2025) is an equivalent metric in recent work.

In Java meta-decompilation, "syntactic correctness" (successful compilation of the synthesized source) and "semantic equivalence modulo inputs" (passing all original test cases) are analogously defined (Harrand et al., 2020). Syntactic distortion quantifies the minimal normalized AST edit distance between the original and decompiled code.

A central insight is that partial recompilability—typically RC levels of 70–90% for functions/classes extracted from real-world artifacts—enables practical workflows even as full-program recompilation rarely exceeds 1.7% for complex binaries (Reiter et al., 2022).

2. Fundamental Methodologies and Pipelines

PRD pipelines share a common structure:

1. Target Localization: Identify binary regions or type members (functions, fields, classes) of interest via fault localization, test coverage, or user guidance (Reiter et al., 2022).
2. Partial Decompilation: Apply decompilers (e.g., Hex-Rays, Ghidra, or LLM-based) to selected units, extracting C code or Java source for those only (Tan et al., 2024, Harrand et al., 2020).
3. Type/Signature Recovery: Recover only the types, field layouts, and prototypes actively required by the extracted units, avoiding unnecessary global dependencies (Reiter et al., 2022).
4. Compatibility Wrapping: Synthesize binary–source interface stubs, PLT wrappers, or fragment stores to bridge the decompiled units to the original binary (or class) and to other dependencies (Reiter et al., 2022, Harrand et al., 2020).
5. Partial Recompilation: Compile the extracted code as position-independent code (C) or validate Java source through an embedded compiler.
6. Binary/Class Rewriting and Integration: Rewrite the target binary or bytecode to detour calls/fields into the recompilable code; in Java, merge correct AST fragments from multiple decompilers (Harrand et al., 2020, Reiter et al., 2022).
7. Test oracles: Validate recompiled units through compilation status and semantic equivalence tests (Wang et al., 3 Nov 2025, Harrand et al., 2020).

Distinct strategies exist for different ecosystems. The Arlecchino system for Java constructs a fragment store mapping member signatures to error-free ASTs from diverse decompilers, incrementally merging fragments until a recompilable class is synthesized (Harrand et al., 2020). In native binaries, detour mechanics in ELF via relative JMP insertion and static PIC code linking are employed (Reiter et al., 2022).

3. Neural and Classical Techniques for PRD

Recent approaches exploit the complementary strengths of neural LLMs, static analysis, and decompiler diversity. Notably:

• Hybrid Static–Neural Decompilation:

LLMs can be fine-tuned to directly translate disassembled code to syntactically valid C, guided by techniques like context retrieval of similar assembly–source pairs (ICL4Decomp) or optimization-aware prompting (Wang et al., 3 Nov 2025, Tan et al., 2024).

• LLM-Aided Correction:

A two-step pipeline (e.g., DecGPT) uses LLMs to fix static compilation errors and then dynamic (ASAN-guided) runtime faults, iteratively patching decompiler outputs until recompilation and test-passing status are achieved (Wong et al., 2023).

• Meta-Decompilation via Diversity:

PRD leverages the fact that modern decompilers succeed on different, non-overlapping subsets of classes or functions. By error-guided AST fragment selection and merging (as in Arlecchino for Java), a union of their strengths significantly boosts overall recompilability and semantic coverage (Harrand et al., 2020).

The table below summarizes representative pipelines and their methodological cores:

Domain	Core PRD Mechanism	Notable Tool/Paper
Native Binaries (C)	Fault loc., partial decompilation, binary rewriting	(Reiter et al., 2022)
LLM-based Binaries	End-to-end LLM decompilation, context retrieval	(Tan et al., 2024, Wang et al., 3 Nov 2025)
Java Bytecode	Multi-decompiler AST fragment merging	(Harrand et al., 2020)
C Decompiler Repair	Iterative LLM+sanitizer-guided correction	(Wong et al., 2023)

4. Empirical Results and Success Rates

Empirical evaluations consistently show PRD outperforms conventional whole-program recompilation or single-decompiler workflows:

• Binary PRD (C):
  • 70–89% of isolated functions can be successfully decompiled and recompiled with sufficient type recovery; only 1.7% of entire binaries are directly recompilable (Reiter et al., 2022).
  • When successful, 93% of these recompiled functions yield test-equivalent binaries (Reiter et al., 2022).
• LLM-based Decompilation:
  • LLM4Decompile achieves ≈87% RC, ≈21% RE for C functions, surpassing GPT-4 and Ghidra (Tan et al., 2024).
  • Context-guided ICL4Decomp attains 35–42% executable success rates on challenging system-level benchmarks, adding ≈40% absolute improvement over prior baselines when restricted to function-level slices (Wang et al., 3 Nov 2025).
• Java Meta-Decompilation:
  • Best single decompiler achieves 84% recompilable output and 78% semantic equivalence; Arlecchino meta-decompiler lifts this to 89% and 87% respectively by merging partial fragment successes (Harrand et al., 2020). On previously unhandled ("hard") classes, PRD recovers 37.6%.
• LLM-aided repair:
  • DecGPT demonstrates 75% end-to-end recompilation and test-passing on decompiler outputs after static and dynamic LLM-driven correction, versus 0% for baseline IDA-Pro and 45% for single-prompt baselines (Wong et al., 2023).

5. Representative Applications and Use Cases

A primary application of PRD is the automated mitigation of vulnerabilities in binaries or bytecode where source code is absent or rebuilding the entire program is infeasible. Typical workflows include:

• Vulnerability Patching: PRD pinpoints and decompiles only "suspicious" functions (via spectrum-based fault localization), recompiles patched versions as PIC, then rewrites the binary to invoke the new code. Empirical studies on DARPA CGC binaries demonstrate automated tools using PRD match or outperform full-source repair techniques, with 85/148 vulnerabilities mitigated (Reiter et al., 2022).
• Automated Program Repair (APR): Integration with source-level frameworks (e.g., GenProg, Prophet) is rendered possible by PRD's ability to produce isolated, recompilable C code for use in genetic or patch-search workflows, maintaining binary compatibility via source–binary interfaces (Reiter et al., 2022).
• Hot patching and dynamic update: PRD enables targeted patch or feature insertion into deployed binaries, regardless of the ability to rebuild or relink the whole system (Wang et al., 3 Nov 2025).
• Reverse Engineering and Porting: By extracting only fully recompilable classes or functions, PRD provides verifiable migration pathways for legacy Java classes across bytecode versions or vendor toolchains (Harrand et al., 2020).

6. Technical Challenges, Limitations, and Future Research

Several limitations persist in PRD implementations:

• Precision of Type Recovery: Accurate type inference for decompiled functions is non-trivial; complex struct dependencies and compiler optimizations may obstruct recompilation (Reiter et al., 2022).
• Fragment Granularity and Oracles: In Java, the success of fragment merges depends on agreement in member signatures across decompilers; order of decompiler runs can affect final output (Harrand et al., 2020). Finer-grained oracles (e.g., AST edits, test-asserting fragments) might yield better selection.
• Obfuscated or Aggressively Optimized Code: Most PRD success is demonstrated on non-obfuscated binaries; resilience against hostile transformations remains an open frontier (Reiter et al., 2022, Harrand et al., 2020).
• Incomplete Semantic Recovery: Even with high RC, semantic mismatch (measured as RE or ESR) lags behind due to ambiguous control flow, missing invariants, or type errors that pass compilation but fail tests (Tan et al., 2024, Wang et al., 3 Nov 2025).
• Whole-program effects: PRD does not address global analyses, inter-procedural type resolution, or certain symbolic analyses that require full source context (Reiter et al., 2022).

Future directions highlighted in primary sources include the incorporation of more expressive semantic oracles (symbolic execution, E-Graph rewriting), advances in neural type inference and AST repair, and extension to other architectures and languages. Preliminary work on ML-guided APR and evolutionary meta-decompilers is viewed as a promising vector for fully-automated, high-quality PRD systems (Reiter et al., 2022, Harrand et al., 2020).

7. Comparative Perspectives and Ecosystem Integration

PRD is positioned as a bridge between traditional decompilation, which often prioritizes readability over recompilability, and practical patching or migration needs. Its principal strengths arise from leveraging partial correctness: error-guided merging across diverse decompilers (e.g., Arlecchino (Harrand et al., 2020)), the capacity of LLMs to perform source synthesis aligned to compiler constraints (Tan et al., 2024), iterative repair via feedback (DecGPT (Wong et al., 2023)), and targeted function-level integration with binary rewriting (Reiter et al., 2022). By shifting from token-level similarities to execution- and compilation-centric metrics, PRD fundamentally reorients how the quality of decompilation is measured and operationalized. Its empirical success and extensible architectures suggest an increasingly central role in binary analysis, repair, and reverse engineering research.