Description
Version and Platform (required):
- Binary Ninja Version: 5.2.8211-dev Personal (a464fda8)
- Edition: Non-Commercial
- OS: MacOS
- OS Version: 15.5
- CPU Architecture: M1
Bug Description:
Idk how to even describe it properly, sorry.
When there is a store instruction outside of structure bounds, in some cases HLIL just drops it and doesn't render it at all. For example, I have this function in arm64:
.foo:
stp x1, x2, [x0, #0x8]
ret
As pseudocode it is:
*(arg1+8) = arg2
*(arg1+16) = arg3
and if arg1 is void*, for example, then things work fine and HLIL shows the accesses as it should:
even if I create an empty structure Foo and set arg1 to be struct Foo*, it is still ok:
even if I append a field of 1 byte size to the Foo:
but if I set the size of Foo to be 8 (the exact amount of shift in the stp), then HLIL just loses the instructions:
however, in MLIL the instructions are still there:
Idk, maybe this is caused by the stp instruction, as when I tried to reproduce it with a regular function with a stack, things worked fine; the magic happens only with the naked func.
Also, this gives me vibes of #7195; I believe this issue has the same root cause.
Steps To Reproduce:
Please provide all steps required to reproduce the behavior:
- Open binary
- Create structure of size 8
- Set the type of the first argument of _foo to this structure pointer
- Done
Expected Behavior:
Anything other than just hiding these accesses in HLIL
Binary:
bin.zip
Additional Information:
Here is the code I've tested it on:
#include <stddef.h>   // NULL

__attribute__((naked))
void foo(void* ptr, void* a, void* b) {
    __asm__ __volatile__ (
        "stp x1, x2, [x0, 0x8]\n"   // store a at ptr+8 and b at ptr+16
        "ret\n"
    );
}

int main() {
    char kek[123];
    __asm__ __volatile__(
        "mov x0, %0\n"   // Move ptr into register x0
        "mov x1, %1\n"   // Move a into register x1
        "mov x2, %2\n"   // Move b into register x2
        "bl _foo\n"      // Branch to the naked function (Mach-O symbol name)
        :
        : "r" (kek), "r" (NULL), "r" (NULL)
        : "x0", "x1", "x2", "x30", "memory"   // bl clobbers the link register; foo writes into kek
    );
    return 0;
}
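Since MLIL still carries the stores while HLIL drops them, a quick way to find every affected function in a binary is to compare the two IL levels. The script below is an added example, not code from this issue or from Binary Ninja; the counting helpers run offline on constructed samples modelled on the function above, and scan_view() assumes the Binary Ninja Python API names listed in its docstring.

```python
"""Heuristic check for stores that MLIL models but HLIL silently drops.

Added example, not part of the issue or of Binary Ninja. The counting helpers
run offline; scan_view() assumes these Binary Ninja API names: binaryninja.load,
Function.mlil_if_available / hlil_if_available, and the MediumLevelILOperation /
HighLevelILOperation enum member names as of the 5.x API.
"""

MLIL_STORE_OPS = {"MLIL_STORE", "MLIL_STORE_STRUCT"}                        # memory writes in MLIL
HLIL_MEMORY_DESTS = {"HLIL_DEREF", "HLIL_DEREF_FIELD", "HLIL_ARRAY_INDEX"}  # pointer writes in HLIL


def count_mlil_stores(mlil_ops):
    """mlil_ops: operation name for each MLIL instruction."""
    return sum(1 for op in mlil_ops if op in MLIL_STORE_OPS)


def count_hlil_memory_writes(hlil_stmts):
    """hlil_stmts: (operation, dest_operation) per HLIL statement; dest is None unless HLIL_ASSIGN."""
    return sum(1 for op, dest in hlil_stmts if op == "HLIL_ASSIGN" and dest in HLIL_MEMORY_DESTS)


def dropped_stores(mlil_ops, hlil_stmts):
    """MLIL stores without an HLIL counterpart. A positive value is the symptom in this
    issue: stores still present in MLIL but gone from HLIL. Heuristic only, because
    HLIL may legitimately fold adjacent stores into one wider write."""
    return max(0, count_mlil_stores(mlil_ops) - count_hlil_memory_writes(hlil_stmts))


# Constructed sample modelled on the issue: `stp x1, x2, [x0, #8]; ret` lifts to two
# MLIL stores, while the HLIL with Foo sized 8 showed nothing but the return.
ISSUE_MLIL = ["MLIL_STORE", "MLIL_STORE", "MLIL_RET"]
ISSUE_HLIL_BUGGY = [("HLIL_RET", None)]
ISSUE_HLIL_EXPECTED = [("HLIL_ASSIGN", "HLIL_DEREF"), ("HLIL_ASSIGN", "HLIL_DEREF"), ("HLIL_RET", None)]


def il_ops_for_function(func):
    """Flatten a Binary Ninja Function into the name lists used above (assumed API)."""
    mlil_ops = [i.operation.name for i in func.mlil_if_available.instructions]
    hlil_stmts = []
    for i in func.hlil_if_available.instructions:
        dest = i.dest.operation.name if i.operation.name == "HLIL_ASSIGN" else None
        hlil_stmts.append((i.operation.name, dest))
    return mlil_ops, hlil_stmts


def scan_view(path):
    """Report every function whose HLIL lost stores relative to its MLIL."""
    import binaryninja  # lazy import so the offline helpers run without Binary Ninja installed
    with binaryninja.load(path) as bv:
        for func in bv.functions:
            if func.mlil_if_available is None or func.hlil_if_available is None:
                continue
            missing = dropped_stores(*il_ops_for_function(func))
            if missing:
                print(f"{func.name} @ {func.start:#x}: {missing} MLIL store(s) missing from HLIL")
```

Run scan_view("bin") from the Binary Ninja Python console after applying the struct type; the sample constants reproduce the count (2 dropped stores) without opening a binary.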