RISC-V: Lifting bug in JALR rd, rs1, imm
when rd == rs1
#6003
Comments
I patched it as follows, and it seems to work:

```rust
let target = il.add(max_width, Register::from(rs1), imm).build();
match (rd.id(), rs1.id(), imm) {
    (0, 1, 0) => il.ret(target).append(),  // jalr zero, ra, 0
    (1, _, _) => il.call(target).append(), // indirect call
    (0, _, _) => il.jump(target).append(), // indirect jump
    (_, _, _) => {
        // indirect jump with storage of next address to non-`ra` register
        if rd.id() == rs1.id() {
            // rd and rs1 alias: save the target before rd is overwritten
            let tmp: llil::Register<Register<D>> = llil::Register::Temp(0);
            il.set_reg(max_width, tmp, target).append();
            il.set_reg(
                max_width,
                Register::from(rd),
                il.const_ptr(addr.wrapping_add(inst_len)),
            )
            .append();
            il.jump(tmp).append();
        } else {
            il.set_reg(
                max_width,
                Register::from(rd),
                il.const_ptr(addr.wrapping_add(inst_len)),
            )
            .append();
            il.jump(target).append();
        }
    }
}
```

However, I encountered another problem: "functions" that are called with As a matter of fact, this target "function" (ending with Is there any way to tell BN to treat these target "functions" as such? (i.e. not functions, but basic blocks to reattach to different parent functions). Or maybe my patch is incomplete, and this is already handled. Anyway, thanks in advance.
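As an added example (not code from this issue or from binaryninja-api), a minimal Rust model of why the two writes in the patch above have to be ordered the way they are: it classifies a JALR the way the `match` does and executes `jalr rd, rs1, imm` in both write orders, showing that when rd == rs1 the wrong order jumps to the fall-through address instead of the real target. The register indices, the 4-byte instruction length and the sample register values are assumptions.

```rust
/// How the patched lifter classifies a JALR, keyed on (rd, rs1, imm).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Kind {
    Return,
    Call,
    Jump,
}

pub fn classify(rd: u8, rs1: u8, imm: i64) -> Kind {
    match (rd, rs1, imm) {
        (0, 1, 0) => Kind::Return, // jalr zero, ra, 0
        (1, _, _) => Kind::Call,   // link written to ra: indirect call
        (0, _, _) => Kind::Jump,   // no link: indirect jump
        _ => Kind::Jump,           // link written to some other register
    }
}

/// Architectural order: read rs1 + imm first, then write pc+4 to rd
/// (writes to x0 are ignored). Returns the new pc.
pub fn jalr_correct(regs: &mut [u64; 32], pc: u64, rd: usize, rs1: usize, imm: i64) -> u64 {
    let target = regs[rs1].wrapping_add(imm as u64);
    if rd != 0 {
        regs[rd] = pc.wrapping_add(4);
    }
    target
}

/// The order the patch guards against with a temp register: rd is written
/// before rs1 is read. Harmless unless rd == rs1, where the "target" is
/// the fall-through address pc+4.
pub fn jalr_buggy(regs: &mut [u64; 32], pc: u64, rd: usize, rs1: usize, imm: i64) -> u64 {
    if rd != 0 {
        regs[rd] = pc.wrapping_add(4);
    }
    regs[rs1].wrapping_add(imm as u64)
}

fn main() {
    // Constructed state: x5 holds 0x1000 and the instruction sits at 0x2000.
    let mut a = [0u64; 32];
    a[5] = 0x1000;
    let mut b = a;
    println!("jalr x5, x5, 0  correct -> {:#x}", jalr_correct(&mut a, 0x2000, 5, 5, 0));
    println!("jalr x5, x5, 0  buggy   -> {:#x}", jalr_buggy(&mut b, 0x2000, 5, 5, 0));
    println!("classified as {:?}", classify(5, 5, 0));
}
```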
I found that modifying the following code solves the problem:

binaryninja-api/arch/riscv/src/lib.rs, lines 704 to 715 in 7d0b6bc

There is missing branch information for the case where

```rust
Op::Jalr(ref i) => {
    // TODO handle the calls with rs1 == 0?
    if i.rd().id() == 0 {
        let branch_type = if i.rs1().id() == 1 {
            BranchInfo::FunctionReturn
        } else {
            BranchInfo::Unresolved
        };
        res.add_branch(branch_type, None);
    } else {
        res.add_branch(BranchInfo::Unresolved, None); // This
    }
}
```

And now everything works as intended.
@jeanmicheldeva would you like to submit a PR for this?

Half of this issue is done with the other portion (adding unresolved branch for For the other fix (the one named in the issue) see #6213.

For the sake of discoverability I am going to make a new issue to describe Here: #6273
See here:

binaryninja-api/arch/riscv/src/lib.rs, lines 1220 to 1234 in 7d0b6bc

If rd == rs1, but is neither zero nor ra (x0 or x1 resp.), the above code will lift the jalr rd, rs1, imm instruction as follows:

Whereas the intended code should be lifted as: