State-of-the-art binary code analysis tools
You are here: Hex Rays > Decompiler Manual > SDK Reference
hexrays.hpp
Go to the documentation of this file.
1 /*!
2  * Hex-Rays Decompiler project
3  * Copyright (c) 1990-2021 Hex-Rays
4  * ALL RIGHTS RESERVED.
5  * \mainpage
6  * There are 2 representations of the binary code in the decompiler:
7  * - microcode: processor instructions are translated into it and then
8  * the decompiler optimizes and transforms it
9  * - ctree: ctree is built from the optimized microcode and represents
10  * AST-like tree with C statements and expressions. It can
11  * be printed as C code.
12  *
13  * Microcode is represented by the following classes:
14  * - mba_t keeps general info about the decompiled code and
15  * array of basic blocks. usually mba_t is named 'mba'
16  * - mblock_t a basic block. includes list of instructions
17  * - minsn_t an instruction. contains 3 operands: left, right, and
18  * destination
19  * - mop_t an operand. depending on its type may hold various info
20  * like a number, register, stack variable, etc.
21  * - mlist_t list of memory or register locations; can hold vast areas
22  * of memory and multiple registers. this class is used
23  * very extensively in the decompiler. it may represent
24  * list of locations accessed by an instruction or even
25  * an entire basic block. it is also used as argument of
26  * many functions. for example, there is a function
27  * that searches for an instruction that refers to a mlist_t.
28 
29  * See https://www.hex-rays.com/blog/microcode-in-pictures for some pictures.
30  *
31  * Ctree is represented by:
32  * - cfunc_t keeps general info about the decompiled code, including a
33  * pointer to mba_t. deleting cfunc_t will delete
34  * mba_t too (however, decompiler returns cfuncptr_t,
35  * which is a reference counting object and deletes the
36  * underlying function as soon as all references to it go
37  * out of scope). cfunc_t has 'body', which represents the
38  * decompiled function body as cinsn_t.
39  * - cinsn_t a C statement. can be a compound statement or any other
40  * legal C statements (like if, for, while, return,
41  * expression-statement, etc). depending on the statement
42  * type has pointers to additional info. for example, the
43  * 'if' statement has poiner to cif_t, which holds the
44  * 'if' condition, 'then' branch, and optionally 'else'
45  * branch. Please note that despite of the name cinsn_t
46  * we say "statements", not "instructions". For us
47  * instructions are part of microcode, not ctree.
48  * - cexpr_t a C expression. is used as part of a C statement, when
49  * necessary. cexpr_t has 'type' field, which keeps the
50  * expression type.
51  * - citem_t a base class for cinsn_t and cexpr_t, holds common info
52  * like the address, label, and opcode.
53  * - cnumber_t a constant 64-bit number. in addition to its value also
54  * holds information how to represent it: decimal, hex, or
55  * as a symbolic constant (enum member). please note that
56  * numbers are represented by another class (mnumber_t)
57  * in microcode.
58 
59  * See https://www.hex-rays.com/blog/hex-rays-decompiler-primer
60  * for some pictures and more details.
61  *
62  * Both microcode and ctree use the following class:
63  * - lvar_t a local variable. may represent a stack or register
64  * variable. a variable has a name, type, location, etc.
65  * the list of variables is stored in mba->vars.
66  * - lvar_locator_t holds a variable location (vdloc_t) and its definition
67  * address.
68  * - vdloc_t describes a variable location, like a register number,
69  * a stack offset, or, in complex cases, can be a mix of
70  * register and stack locations. very similar to argloc_t,
71  * which is used in ida. the differences between argloc_t
72  * and vdloc_t are:
73  * - vdloc_t never uses ARGLOC_REG2
74  * - vdloc_t uses micro register numbers instead of
75  * processor register numbers
76  * - the stack offsets are never negative in vdloc_t, while
77  * in argloc_t there can be negative offsets
78  *
79  * The above are the most important classes in this header file. There are
80  * many auxiliary classes, please see their definitions in the header file.
81  *
82  * See also the description of \ref vmpage.
83  *
84  */
85 
86 #ifndef __HEXRAYS_HPP
87 #define __HEXRAYS_HPP
88 
89 #include <pro.h>
90 #include <fpro.h>
91 #include <ida.hpp>
92 #include <idp.hpp>
93 #include <gdl.hpp>
94 #include <ieee.h>
95 #include <loader.hpp>
96 #include <kernwin.hpp>
97 #include <typeinf.hpp>
98 #include <deque>
99 #include <queue>
100 
101 /*!
102  * \page vmpage Virtual Machine used by Microcode
103  * We can imagine a virtual micro machine that executes microcode.
104  * This virtual micro machine has many registers.
105  * Each register is 8 bits wide. During translation of processor
106  * instructions into microcode, multibyte processor registers are mapped
107  * to adjacent microregisters. Processor condition codes are also
108  * represented by microregisters. The microregisters are grouped
109  * into following groups:
110  * - 0..7: condition codes
111  * - 8..n: all processor registers (including fpu registers, if necessary)
112  * this range may also include temporary registers used during
113  * the initial microcode generation
114  * - n.. : so called kernel registers; they are used during optimization
115  * see is_kreg()
116  *
117  * Each micro-instruction (minsn_t) has zero to three operands.
118  * Some of the possible operands types are:
119  * - immediate value
120  * - register
121  * - memory reference
122  * - result of another micro-instruction
123  *
124  * The operands (mop_t) are l (left), r (right), d (destination).
125  * An example of a microinstruction:
126  *
127  * add r0.4, #8.4, r2.4
128  *
129  * which means 'add constant 8 to r0 and place the result into r2'.
130  * where
131  * - the left operand is 'r0', its size is 4 bytes (r0.4)
132  * - the right operand is a constant '8', its size is 4 bytes (#8.4)
133  * - the destination operand is 'r2', its size is 4 bytes (r2.4)
134  * Note that 'd' is almost always the destination but there are exceptions.
135  * See mcode_modifies_d(). For example, stx does not modify 'd'.
136  * See the opcode map below for the list of microinstructions and their
137  * operands. Most instructions are very simple and do not need
138  * detailed explanations. There are no side effects in microinstructions.
139  *
140  * Each operand has a size specifier. The following sizes can be used in
141  * practically all contexts: 1, 2, 4, 8, 16 bytes. Floating types may have
142  * other sizes. Functions may return objects of arbitrary size, as well as
143  * operations upon UDT's (user-defined types, i.e. are structs and unions).
144  *
145  * Memory is considered to consist of several segments.
146  * A memory reference is made using a (selector, offset) pair.
147  * A selector is always 2 bytes long. An offset can be 4 or 8 bytes long,
148  * depending on the bitness of the target processor.
149  * Currently the selectors are not used very much. The decompiler tries to
150  * resolve (selector, offset) pairs into direct memory references at each
151  * opportunity and then operates on mop_v operands. In other words,
152  * while the decompiler can handle segmented memory models, internally
153  * it still uses simple linear addresses.
154  *
155  * The following memory regions are recognized:
156  * - GLBLOW global memory: low part, everything below the stack
157  * - LVARS stack: local variables
158  * - RETADDR stack: return address
159  * - SHADOW stack: shadow arguments
160  * - ARGS stack: regular stack arguments
161  * - GLBHIGH global memory: high part, everything above the stack
162  * Any stack region may be empty. Objects residing in one memory region
163  * are considered to be completely distinct from objects in other regions.
164  * We allocate the stack frame in some memory region, which is not
165  * allocated for any purposes in IDA. This permits us to use linear addresses
166  * for all memory references, including the stack frame.
167  *
168  * If the operand size is bigger than 1 then the register
169  * operand references a block of registers. For example:
170  *
171  * ldc #1.4, r8.4
172  *
173  * loads the constant 1 to registers 8, 9, 10, 11:
174  *
175  * #1 -> r8
176  * #0 -> r9
177  * #0 -> r10
178  * #0 -> r11
179  *
180  * This example uses little-endian byte ordering.
181  * Big-endian byte ordering is supported too. Registers are always little-
182  * endian, regardless of the memory endianness.
183  *
184  * Each instruction has 'next' and 'prev' fields that are used to form
185  * a doubly linked list. Such lists are present for each basic block (mblock_t).
186  * Basic blocks have other attributes, including:
187  * - dead_at_start: list of dead locations at the block start
188  * - maybuse: list of locations the block may use
189  * - maybdef: list of locations the block may define (or spoil)
190  * - mustbuse: list of locations the block will certainly use
191  * - mustbdef: list of locations the block will certainly define
192  * - dnu: list of locations the block will certainly define
193  * but will not use (registers or non-aliasable stkack vars)
194  *
195  * These lists are represented by the mlist_t class. It consists of 2 parts:
196  * - rlist_t: list of microregisters (possibly including virtual stack locations)
197  * - ivlset_t: list of memory locations represented as intervals
198  * we use linear addresses in this list.
199  * The mlist_t class is used quite often. For example, to find what an operand
200  * can spoil, we build its 'maybe-use' list. Then we can find out if this list
201  * is accessed using the is_accessed() or is_accessed_globally() functions.
202  *
203  * All basic blocks of the decompiled function constitute an array called
204  * mba_t (array of microblocks). This is a huge class that has too
205  * many fields to describe here (some of the fields are not visible in the sdk)
206  * The most importants ones are:
207  * - stack frame: frregs, stacksize, etc
208  * - memory: aliased, restricted, and other ranges
209  * - type: type of the current function, its arguments (argidx) and
210  * local variables (vars)
211  * - natural: array of pointers to basic blocks. the basic blocks
212  * are also accessible as a doubly linked list starting from 'blocks'.
213  * - bg: control flow graph. the graph gives access to the use-def
214  * chains that describe data dependencies between basic blocks
215  *
216  */
217 
218 #ifdef __NT__
219 #pragma warning(push)
220 #pragma warning(disable:4062) // enumerator 'x' in switch of enum 'y' is not handled
221 #pragma warning(disable:4265) // virtual functions without virtual destructor
222 #endif
223 
224 #define hexapi ///< Public functions are marked with this keyword
225 
226 // Warning suppressions for PVS Studio:
227 //-V:2:654 The condition '2' of loop is always true.
228 //-V::719 The switch statement does not cover all values
229 //-V:verify:678
230 //-V:chain_keeper_t:690 copy ctr will be generated
231 //-V:add_block:656 call to the same function
232 //-V:add:792 The 'add' function located to the right of the operator '|' will be called regardless of the value of the left operand
233 //-V:sub:792 The 'sub' function located to the right of the operator '|' will be called regardless of the value of the left operand
234 //-V:intersect:792 The 'intersect' function located to the right of the operator '|' will be called regardless of the value of the left operand
235 // Lint suppressions:
236 //lint -sem(mop_t::_make_cases, custodial(1))
237 //lint -sem(mop_t::_make_pair, custodial(1))
238 //lint -sem(mop_t::_make_callinfo, custodial(1))
239 //lint -sem(mop_t::_make_insn, custodial(1))
240 //lint -sem(mop_t::make_insn, custodial(1))
241 
242 // Microcode level forward definitions:
243 class mop_t; // microinstruction operand
244 class mop_pair_t; // pair of operands. example, :(edx.4,eax.4).8
245 class mop_addr_t; // address of an operand. example: &global_var
246 class mcallinfo_t; // function call info. example: <cdecl:"int x" #10.4>.8
247 class mcases_t; // jump table cases. example: {0 => 12, 1 => 13}
248 class minsn_t; // microinstruction
249 class mblock_t; // basic block
250 class mba_t; // array of blocks, represents microcode for a function
251 class codegen_t; // helper class to generate the initial microcode
252 class mbl_graph_t; // control graph of microcode
253 struct vdui_t; // widget representing the pseudocode window
254 struct hexrays_failure_t; // decompilation failure object, is thrown by exceptions
255 struct mba_stats_t; // statistics about decompilation of a function
256 struct mlist_t; // list of memory and register locations
257 struct voff_t; // value offset (microregister number or stack offset)
258 typedef std::set<voff_t> voff_set_t;
259 struct vivl_t; // value interval (register or stack range)
260 typedef int mreg_t; ///< Micro register
261 
262 // Ctree level forward definitions:
263 struct cfunc_t; // result of decompilation, the highest level object
264 struct citem_t; // base class for cexpr_t and cinsn_t
265 struct cexpr_t; // C expression
266 struct cinsn_t; // C statement
267 struct cblock_t; // C statement block (sequence of statements)
268 struct cswitch_t; // C switch statement
269 struct carg_t; // call argument
270 struct carglist_t; // vector of call arguments
271 
272 typedef std::set<ea_t> easet_t;
273 typedef std::set<minsn_t *> minsn_ptr_set_t;
274 typedef std::set<qstring> strings_t;
275 typedef qvector<minsn_t*> minsnptrs_t;
276 typedef qvector<mop_t*> mopptrs_t;
277 typedef qvector<mop_t> mopvec_t;
278 typedef qvector<uint64> uint64vec_t;
279 typedef qvector<mreg_t> mregvec_t;
280 typedef qrefcnt_t<cfunc_t> cfuncptr_t;
281 
282 // Function frames must be smaller than this value, otherwise
283 // the decompiler will bail out with MERR_HUGESTACK
284 #define MAX_SUPPORTED_STACK_SIZE 0x100000 // 1MB
285 
286 //-------------------------------------------------------------------------
287 // Original version of macro DEFINE_MEMORY_ALLOCATION_FUNCS
288 // (uses decompiler-specific memory allocation functions)
289 #if defined(SWIG)
290  #define HEXRAYS_MEMORY_ALLOCATION_FUNCS()
291 #elif defined(SWIGPYTHON)
292  #define HEXRAYS_MEMORY_ALLOCATION_FUNCS DEFINE_MEMORY_ALLOCATION_FUNCS
293 #else
294  #define HEXRAYS_PLACEMENT_DELETE void operator delete(void *, void *) {}
295  #define HEXRAYS_MEMORY_ALLOCATION_FUNCS() \
296  void *operator new (size_t _s) { return hexrays_alloc(_s); } \
297  void *operator new[](size_t _s) { return hexrays_alloc(_s); } \
298  void *operator new(size_t /*size*/, void *_v) { return _v; } \
299  void operator delete (void *_blk) { hexrays_free(_blk); } \
300  void operator delete[](void *_blk) { hexrays_free(_blk); } \
301  HEXRAYS_PLACEMENT_DELETE
302 #endif
303 
304 void *hexapi hexrays_alloc(size_t size);
305 void hexapi hexrays_free(void *ptr);
306 
307 typedef uint64 uvlr_t;
308 typedef int64 svlr_t;
309 enum { MAX_VLR_SIZE = sizeof(uvlr_t) };
310 const uvlr_t MAX_VALUE = uvlr_t(-1);
311 const svlr_t MAX_SVALUE = svlr_t(uvlr_t(-1) >> 1);
312 const svlr_t MIN_SVALUE = ~MAX_SVALUE;
313 
314 enum cmpop_t
315 { // the order of comparisons is the same as in microcode opcodes
316  CMP_NZ,
317  CMP_Z,
318  CMP_AE,
319  CMP_B,
320  CMP_A,
321  CMP_BE,
322  CMP_GT,
323  CMP_GE,
324  CMP_LT,
325  CMP_LE,
326 };
327 
328 //-------------------------------------------------------------------------
329 // value-range class to keep possible operand value(s).
330 class valrng_t
331 {
332 protected:
333  int flags;
334 #define VLR_TYPE 0x0F // valrng_t type
335 #define VLR_NONE 0x00 // no values
336 #define VLR_ALL 0x01 // all values
337 #define VLR_IVLS 0x02 // union of disjoint intervals
338 #define VLR_RANGE 0x03 // strided range
339 #define VLR_SRANGE 0x04 // strided range with signed bound
340 #define VLR_BITS 0x05 // known bits
341 #define VLR_SECT 0x06 // intersection of sub-ranges
342  // each sub-range should be simple or union
343 #define VLR_UNION 0x07 // union of sub-ranges
344  // each sub-range should be simple or
345  // intersection
346 #define VLR_UNK 0x08 // unknown value (like 'null' in SQL)
347  int size; // operand size: 1..8 bytes
348  // all values must fall within the size
349  union
350  {
351  struct // VLR_RANGE/VLR_SRANGE
352  { // values that are between VALUE and LIMIT
353  // and conform to: value+stride*N
354  uvlr_t value; // initial value
355  uvlr_t limit; // final value
356  // we adjust LIMIT to be on the STRIDE lattice
357  svlr_t stride; // stride between values
358  };
359  struct // VLR_BITS
360  {
361  uvlr_t zeroes; // bits known to be clear
362  uvlr_t ones; // bits known to be set
363  };
364  char reserved[sizeof(qvector<int>)];
365  // VLR_IVLS/VLR_SECT/VLR_UNION
366  };
367  void hexapi clear(void);
368  void hexapi copy(const valrng_t &r);
369  valrng_t &hexapi assign(const valrng_t &r);
370 
371 public:
372  explicit valrng_t(int size_ = MAX_VLR_SIZE)
373  : flags(VLR_NONE), size(size_), value(0), limit(0), stride(0) {}
374  valrng_t(const valrng_t &r) { copy(r); }
375  ~valrng_t(void) { clear(); }
376  valrng_t &operator=(const valrng_t &r) { return assign(r); }
377  void swap(valrng_t &r) { qswap(*this, r); }
378  DECLARE_COMPARISONS(valrng_t);
379  DEFINE_MEMORY_ALLOCATION_FUNCS()
380 
381  void set_none(void) { clear(); }
382  void set_all(void) { clear(); flags = VLR_ALL; }
383  void set_unk(void) { clear(); flags = VLR_UNK; }
384  void hexapi set_eq(uvlr_t v);
385  void hexapi set_cmp(cmpop_t cmp, uvlr_t _value);
386 
387  // reduce size
388  // it takes the low part of size NEW_SIZE
389  // it returns "true" if size is changed successfully.
390  // e.g.: valrng_t vr(2); vr.set_eq(0x1234);
391  // vr.reduce_size(1);
392  // uvlr_t v; vr.cvt_to_single_value(&v);
393  // assert(v == 0x34);
394  bool hexapi reduce_size(int new_size);
395 
396  // Perform intersection or union or inversion.
397  // \return did we change something in THIS?
398  bool hexapi intersect_with(const valrng_t &r);
399  bool hexapi unite_with(const valrng_t &r);
400  void hexapi inverse(); // works for VLR_IVLS only
401 
402  bool empty(void) const { return flags == VLR_NONE; }
403  bool all_values(void) const { return flags == VLR_ALL; }
404  bool is_unknown(void) const { return flags == VLR_UNK; }
405  bool hexapi has(uvlr_t v) const;
406 
407  void hexapi print(qstring *vout) const;
408  const char *hexapi dstr(void) const;
409 
410  bool hexapi cvt_to_single_value(uvlr_t *v) const;
411  bool hexapi cvt_to_cmp(cmpop_t *cmp, uvlr_t *val, bool strict) const;
412 
413  int get_size() const { return size; }
414  static uvlr_t max_value(int size_)
415  {
416  return size_ == MAX_VLR_SIZE
417  ? MAX_VALUE
418  : (uvlr_t(1) << (size_ * 8)) - 1;
419  }
420  static uvlr_t min_svalue(int size_)
421  {
422  return size_ == MAX_VLR_SIZE
423  ? MIN_SVALUE
424  : (uvlr_t(1) << (size_ * 8 - 1));
425  }
426  static uvlr_t max_svalue(int size_)
427  {
428  return size_ == MAX_VLR_SIZE
429  ? MAX_SVALUE
430  : (uvlr_t(1) << (size_ * 8 - 1)) - 1;
431  }
432  uvlr_t max_value() const { return max_value(size); }
433  uvlr_t min_svalue() const { return min_svalue(size); }
434  uvlr_t max_svalue() const { return max_svalue(size); }
435 };
436 DECLARE_TYPE_AS_MOVABLE(valrng_t);
437 
438 //-------------------------------------------------------------------------
439 // Are we looking for 'must access' or 'may access' information?
440 // 'must access' means that the code will always access the specified location(s)
441 // 'may access' means that the code may in some cases access the specified location(s)
442 // Example: ldx cs.2, r0.4, r1.4
443 // MUST_ACCESS: r0.4 and r1.4, usually displayed as r0.8 because r0 and r1 are adjacent
444 // MAY_ACCESS: r0.4 and r1.4, and all aliasable memory, because
445 // ldx may access any part of the aliasable memory
446 typedef int maymust_t;
447 const maymust_t
448  // One of the following two bits should be specified:
449  MUST_ACCESS = 0x00, // access information we can count on
450  MAY_ACCESS = 0x01, // access information we should take into account
451  // Optionally combined with the following bits:
452  MAYMUST_ACCESS_MASK = 0x01,
453 
454  ONE_ACCESS_TYPE = 0x20, // for find_first_use():
455  // use only the specified maymust access type
456  // (by default it inverts the access type for def-lists)
457  INCLUDE_SPOILED_REGS = 0x40, // for build_def_list() with MUST_ACCESS:
458  // include spoiled registers in the list
459  EXCLUDE_PASS_REGS = 0x80, // for build_def_list() with MAY_ACCESS:
460  // exclude pass_regs from the list
461  FULL_XDSU = 0x100, // for build_def_list():
462  // if xds/xdu source and targets are the same
463  // treat it as if xdsu redefines the entire destination
464  WITH_ASSERTS = 0x200, // for find_first_use():
465  // do not ignore assertions
466  EXCLUDE_VOLATILE = 0x400, // for build_def_list():
467  // exclude volatile memory from the list
468  INCLUDE_UNUSED_SRC = 0x800, // for build_use_list():
469  // do not exclude unused source bytes for m_and/m_or insns
470  INCLUDE_DEAD_RETREGS = 0x1000, // for build_def_list():
471  // include dead returned registers in the list
472  INCLUDE_RESTRICTED = 0x2000,// for MAY_ACCESS: include restricted memory
473  CALL_SPOILS_ONLY_ARGS = 0x4000;// for build_def_list() & MAY_ACCESS:
474  // do not include global memory into the
475  // spoiled list of a call
476 
477 inline THREAD_SAFE bool is_may_access(maymust_t maymust)
478 {
479  return (maymust & MAYMUST_ACCESS_MASK) != MUST_ACCESS;
480 }
481 
482 //-------------------------------------------------------------------------
483 /// \defgroup MERR_ Microcode error codes
484 //@{
485 enum merror_t
486 {
487  MERR_OK = 0, ///< ok
488  MERR_BLOCK = 1, ///< no error, switch to new block
489  MERR_INTERR = -1, ///< internal error
490  MERR_INSN = -2, ///< cannot convert to microcode
491  MERR_MEM = -3, ///< not enough memory
492  MERR_BADBLK = -4, ///< bad block found
493  MERR_BADSP = -5, ///< positive sp value has been found
494  MERR_PROLOG = -6, ///< prolog analysis failed
495  MERR_SWITCH = -7, ///< wrong switch idiom
496  MERR_EXCEPTION = -8, ///< exception analysis failed
497  MERR_HUGESTACK = -9, ///< stack frame is too big
498  MERR_LVARS = -10, ///< local variable allocation failed
499  MERR_BITNESS = -11, ///< only 32/16bit functions can be decompiled
500  MERR_BADCALL = -12, ///< could not determine call arguments
501  MERR_BADFRAME = -13, ///< function frame is wrong
502  MERR_UNKTYPE = -14, ///< undefined type %s (currently unused error code)
503  MERR_BADIDB = -15, ///< inconsistent database information
504  MERR_SIZEOF = -16, ///< wrong basic type sizes in compiler settings
505  MERR_REDO = -17, ///< redecompilation has been requested
506  MERR_CANCELED = -18, ///< decompilation has been cancelled
507  MERR_RECDEPTH = -19, ///< max recursion depth reached during lvar allocation
508  MERR_OVERLAP = -20, ///< variables would overlap: %s
509  MERR_PARTINIT = -21, ///< partially initialized variable %s
510  MERR_COMPLEX = -22, ///< too complex function
511  MERR_LICENSE = -23, ///< no license available
512  MERR_ONLY32 = -24, ///< only 32-bit functions can be decompiled for the current database
513  MERR_ONLY64 = -25, ///< only 64-bit functions can be decompiled for the current database
514  MERR_BUSY = -26, ///< already decompiling a function
515  MERR_FARPTR = -27, ///< far memory model is supported only for pc
516  MERR_EXTERN = -28, ///< special segments cannot be decompiled
517  MERR_FUNCSIZE = -29, ///< too big function
518  MERR_BADRANGES = -30, ///< bad input ranges
519  MERR_BADARCH = -31, ///< current architecture is not supported
520  MERR_DSLOT = -32, ///< bad instruction in the delay slot
521  MERR_STOP = -33, ///< no error, stop the analysis
522  MERR_CLOUD = -34, ///< cloud: %s
523  MERR_MAX_ERR = 34,
524  MERR_LOOP = -35, ///< internal code: redo last loop (never reported)
525 };
526 //@}
527 
528 /// Get textual description of an error code
529 /// \param out the output buffer for the error description
530 /// \param code \ref MERR_
531 /// \param mba the microcode array
532 /// \return the error address
533 
534 ea_t hexapi get_merror_desc(qstring *out, merror_t code, mba_t *mba);
535 
536 //-------------------------------------------------------------------------
537 // List of microinstruction opcodes.
538 // The order of setX and jX insns is important, it is used in the code.
539 
540 // Instructions marked with *F may have the FPINSN bit set and operate on fp values
541 // Instructions marked with +F must have the FPINSN bit set. They always operate on fp values
542 // Other instructions do not operate on fp values.
543 
544 enum mcode_t
545 {
546  m_nop = 0x00, // nop // no operation
547  m_stx = 0x01, // stx l, {r=sel, d=off} // store register to memory *F
548  m_ldx = 0x02, // ldx {l=sel,r=off}, d // load register from memory *F
549  m_ldc = 0x03, // ldc l=const, d // load constant
550  m_mov = 0x04, // mov l, d // move *F
551  m_neg = 0x05, // neg l, d // negate
552  m_lnot = 0x06, // lnot l, d // logical not
553  m_bnot = 0x07, // bnot l, d // bitwise not
554  m_xds = 0x08, // xds l, d // extend (signed)
555  m_xdu = 0x09, // xdu l, d // extend (unsigned)
556  m_low = 0x0A, // low l, d // take low part
557  m_high = 0x0B, // high l, d // take high part
558  m_add = 0x0C, // add l, r, d // l + r -> dst
559  m_sub = 0x0D, // sub l, r, d // l - r -> dst
560  m_mul = 0x0E, // mul l, r, d // l * r -> dst
561  m_udiv = 0x0F, // udiv l, r, d // l / r -> dst
562  m_sdiv = 0x10, // sdiv l, r, d // l / r -> dst
563  m_umod = 0x11, // umod l, r, d // l % r -> dst
564  m_smod = 0x12, // smod l, r, d // l % r -> dst
565  m_or = 0x13, // or l, r, d // bitwise or
566  m_and = 0x14, // and l, r, d // bitwise and
567  m_xor = 0x15, // xor l, r, d // bitwise xor
568  m_shl = 0x16, // shl l, r, d // shift logical left
569  m_shr = 0x17, // shr l, r, d // shift logical right
570  m_sar = 0x18, // sar l, r, d // shift arithmetic right
571  m_cfadd = 0x19, // cfadd l, r, d=carry // calculate carry bit of (l+r)
572  m_ofadd = 0x1A, // ofadd l, r, d=overf // calculate overflow bit of (l+r)
573  m_cfshl = 0x1B, // cfshl l, r, d=carry // calculate carry bit of (l<<r)
574  m_cfshr = 0x1C, // cfshr l, r, d=carry // calculate carry bit of (l>>r)
575  m_sets = 0x1D, // sets l, d=byte SF=1 Sign
576  m_seto = 0x1E, // seto l, r, d=byte OF=1 Overflow of (l-r)
577  m_setp = 0x1F, // setp l, r, d=byte PF=1 Unordered/Parity *F
578  m_setnz = 0x20, // setnz l, r, d=byte ZF=0 Not Equal *F
579  m_setz = 0x21, // setz l, r, d=byte ZF=1 Equal *F
580  m_setae = 0x22, // setae l, r, d=byte CF=0 Above or Equal *F
581  m_setb = 0x23, // setb l, r, d=byte CF=1 Below *F
582  m_seta = 0x24, // seta l, r, d=byte CF=0 & ZF=0 Above *F
583  m_setbe = 0x25, // setbe l, r, d=byte CF=1 | ZF=1 Below or Equal *F
584  m_setg = 0x26, // setg l, r, d=byte SF=OF & ZF=0 Greater
585  m_setge = 0x27, // setge l, r, d=byte SF=OF Greater or Equal
586  m_setl = 0x28, // setl l, r, d=byte SF!=OF Less
587  m_setle = 0x29, // setle l, r, d=byte SF!=OF | ZF=1 Less or Equal
588  m_jcnd = 0x2A, // jcnd l, d // d is mop_v or mop_b
589  m_jnz = 0x2B, // jnz l, r, d // ZF=0 Not Equal *F
590  m_jz = 0x2C, // jz l, r, d // ZF=1 Equal *F
591  m_jae = 0x2D, // jae l, r, d // CF=0 Above or Equal *F
592  m_jb = 0x2E, // jb l, r, d // CF=1 Below *F
593  m_ja = 0x2F, // ja l, r, d // CF=0 & ZF=0 Above *F
594  m_jbe = 0x30, // jbe l, r, d // CF=1 | ZF=1 Below or Equal *F
595  m_jg = 0x31, // jg l, r, d // SF=OF & ZF=0 Greater
596  m_jge = 0x32, // jge l, r, d // SF=OF Greater or Equal
597  m_jl = 0x33, // jl l, r, d // SF!=OF Less
598  m_jle = 0x34, // jle l, r, d // SF!=OF | ZF=1 Less or Equal
599  m_jtbl = 0x35, // jtbl l, r=mcases // Table jump
600  m_ijmp = 0x36, // ijmp {r=sel, d=off} // indirect unconditional jump
601  m_goto = 0x37, // goto l // l is mop_v or mop_b
602  m_call = 0x38, // call l d // l is mop_v or mop_b or mop_h
603  m_icall = 0x39, // icall {l=sel, r=off} d // indirect call
604  m_ret = 0x3A, // ret
605  m_push = 0x3B, // push l
606  m_pop = 0x3C, // pop d
607  m_und = 0x3D, // und d // undefine
608  m_ext = 0x3E, // ext in1, in2, out1 // external insn, not microcode *F
609  m_f2i = 0x3F, // f2i l, d int(l) => d; convert fp -> integer +F
610  m_f2u = 0x40, // f2u l, d uint(l)=> d; convert fp -> uinteger +F
611  m_i2f = 0x41, // i2f l, d fp(l) => d; convert integer -> fp +F
612  m_u2f = 0x42, // i2f l, d fp(l) => d; convert uinteger -> fp +F
613  m_f2f = 0x43, // f2f l, d l => d; change fp precision +F
614  m_fneg = 0x44, // fneg l, d -l => d; change sign +F
615  m_fadd = 0x45, // fadd l, r, d l + r => d; add +F
616  m_fsub = 0x46, // fsub l, r, d l - r => d; subtract +F
617  m_fmul = 0x47, // fmul l, r, d l * r => d; multiply +F
618  m_fdiv = 0x48, // fdiv l, r, d l / r => d; divide +F
619 #define m_max 0x49 // first unused opcode
620 };
621 
622 /// Must an instruction with the given opcode be the last one in a block?
623 /// Such opcodes are called closing opcodes.
624 /// \param mcode instruction opcode
625 /// \param including_calls should m_call/m_icall be considered as the closing opcodes?
626 /// If this function returns true, the opcode cannot appear in the middle
627 /// of a block. Calls are a special case: unknown calls (\ref is_unknown_call)
628 /// are considered as closing opcodes.
629 
630 THREAD_SAFE bool hexapi must_mcode_close_block(mcode_t mcode, bool including_calls);
631 
632 
633 /// May opcode be propagated?
634 /// Such opcodes can be used in sub-instructions (nested instructions)
635 /// There is a handful of non-propagatable opcodes, like jumps, ret, nop, etc
636 /// All other regular opcodes are propagatable and may appear in a nested
637 /// instruction.
638 
639 THREAD_SAFE bool hexapi is_mcode_propagatable(mcode_t mcode);
640 
641 
642 // Is add or sub instruction?
643 inline THREAD_SAFE bool is_mcode_addsub(mcode_t mcode) { return mcode == m_add || mcode == m_sub; }
644 // Is xds or xdu instruction? We use 'xdsu' as a shortcut for 'xds or xdu'
645 inline THREAD_SAFE bool is_mcode_xdsu(mcode_t mcode) { return mcode == m_xds || mcode == m_xdu; }
646 // Is a 'set' instruction? (an instruction that sets a condition code)
647 inline THREAD_SAFE bool is_mcode_set(mcode_t mcode) { return mcode >= m_sets && mcode <= m_setle; }
648 // Is a 1-operand 'set' instruction? Only 'sets' is in this group
649 inline THREAD_SAFE bool is_mcode_set1(mcode_t mcode) { return mcode == m_sets; }
650 // Is a 1-operand conditional jump instruction? Only 'jcnd' is in this group
651 inline THREAD_SAFE bool is_mcode_j1(mcode_t mcode) { return mcode == m_jcnd; }
652 // Is a conditional jump?
653 inline THREAD_SAFE bool is_mcode_jcond(mcode_t mcode) { return mcode >= m_jcnd && mcode <= m_jle; }
654 // Is a 'set' instruction that can be converted into a conditional jump?
655 inline THREAD_SAFE bool is_mcode_convertible_to_jmp(mcode_t mcode) { return mcode >= m_setnz && mcode <= m_setle; }
656 // Is a conditional jump instruction that can be converted into a 'set'?
657 inline THREAD_SAFE bool is_mcode_convertible_to_set(mcode_t mcode) { return mcode >= m_jnz && mcode <= m_jle; }
658 // Is a call instruction? (direct or indirect)
659 inline THREAD_SAFE bool is_mcode_call(mcode_t mcode) { return mcode == m_call || mcode == m_icall; }
660 // Must be an FPU instruction?
661 inline THREAD_SAFE bool is_mcode_fpu(mcode_t mcode) { return mcode >= m_f2i; }
662 // Is a commutative instruction?
663 inline THREAD_SAFE bool is_mcode_commutative(mcode_t mcode)
664 {
665  return mcode == m_add
666  || mcode == m_mul
667  || mcode == m_or
668  || mcode == m_and
669  || mcode == m_xor
670  || mcode == m_setz
671  || mcode == m_setnz
672  || mcode == m_cfadd
673  || mcode == m_ofadd;
674 }
675 // Is a shift instruction?
676 inline THREAD_SAFE bool is_mcode_shift(mcode_t mcode)
677 {
678  return mcode == m_shl
679  || mcode == m_shr
680  || mcode == m_sar;
681 }
682 // Is a kind of div or mod instruction?
683 inline THREAD_SAFE bool is_mcode_divmod(mcode_t op)
684 {
685  return op == m_udiv || op == m_sdiv || op == m_umod || op == m_smod;
686 }
687 // Is an instruction with the selector/offset pair?
688 inline THREAD_SAFE bool has_mcode_seloff(mcode_t op)
689 {
690  return op == m_ldx || op == m_stx || op == m_icall || op == m_ijmp;
691 }
692 
693 // Convert setX opcode into corresponding jX opcode
694 // This function relies on the order of setX and jX opcodes!
695 inline THREAD_SAFE mcode_t set2jcnd(mcode_t code)
696 {
697  return mcode_t(code - m_setnz + m_jnz);
698 }
699 
700 // Convert setX opcode into corresponding jX opcode
701 // This function relies on the order of setX and jX opcodes!
702 inline THREAD_SAFE mcode_t jcnd2set(mcode_t code)
703 {
704  return mcode_t(code + m_setnz - m_jnz);
705 }
706 
707 // Negate a conditional opcode.
708 // Conditional jumps can be negated, example: jle -> jg
709 // 'Set' instruction can be negated, example: seta -> setbe
710 // If the opcode cannot be negated, return m_nop
711 THREAD_SAFE mcode_t hexapi negate_mcode_relation(mcode_t code);
712 
713 
714 // Swap a conditional opcode.
715 // Only conditional jumps and set instructions can be swapped.
716 // The returned opcode the one required for swapped operands.
717 // Example "x > y" is the same as "y < x", therefore swap(m_jg) is m_jl.
718 // If the opcode cannot be swapped, return m_nop
719 
720 THREAD_SAFE mcode_t hexapi swap_mcode_relation(mcode_t code);
721 
722 // Return the opcode that performs signed operation.
723 // Examples: jae -> jge; udiv -> sdiv
724 // If the opcode cannot be transformed into signed form, simply return it.
725 
726 THREAD_SAFE mcode_t hexapi get_signed_mcode(mcode_t code);
727 
728 
729 // Return the opcode that performs unsigned operation.
730 // Examples: jl -> jb; xds -> xdu
731 // If the opcode cannot be transformed into unsigned form, simply return it.
732 
733 THREAD_SAFE mcode_t hexapi get_unsigned_mcode(mcode_t code);
734 
735 // Does the opcode perform a signed operation?
736 inline THREAD_SAFE bool is_signed_mcode(mcode_t code) { return get_unsigned_mcode(code) != code; }
737 // Does the opcode perform a unsigned operation?
738 inline THREAD_SAFE bool is_unsigned_mcode(mcode_t code) { return get_signed_mcode(code) != code; }
739 
740 
741 // Does the 'd' operand gets modified by the instruction?
742 // Example: "add l,r,d" modifies d, while instructions
743 // like jcnd, ijmp, stx does not modify it.
744 // Note: this function returns 'true' for m_ext but it may be wrong.
745 // Use minsn_t::modifes_d() if you have minsn_t.
746 
747 THREAD_SAFE bool hexapi mcode_modifies_d(mcode_t mcode);
748 
749 
750 // Processor condition codes are mapped to the first microregisters
751 // The order is important, see mop_t::is_cc()
752 const mreg_t mr_none = mreg_t(-1);
753 const mreg_t mr_cf = mreg_t(0); // carry bit
754 const mreg_t mr_zf = mreg_t(1); // zero bit
755 const mreg_t mr_sf = mreg_t(2); // sign bit
756 const mreg_t mr_of = mreg_t(3); // overflow bit
757 const mreg_t mr_pf = mreg_t(4); // parity bit
758 const int cc_count = mr_pf - mr_cf + 1; // number of condition code registers
759 const mreg_t mr_cc = mreg_t(5); // synthetic condition code, used internally
760 const mreg_t mr_first = mreg_t(8); // the first processor specific register
761 
762 //-------------------------------------------------------------------------
763 /// Operand locator.
764 /// It is used to denote a particular operand in the ctree, for example,
765 /// when the user right clicks on a constant and requests to represent it, say,
766 /// as a hexadecimal number.
767 struct operand_locator_t
768 {
769 private:
770  // forbid the default constructor, force the user to initialize objects of this class.
771  operand_locator_t(void) {}
772 public:
773  ea_t ea; ///< address of the original processor instruction
774  int opnum; ///< operand number in the instruction
775  operand_locator_t(ea_t _ea, int _opnum) : ea(_ea), opnum(_opnum) {}
776  DECLARE_COMPARISONS(operand_locator_t);
777  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
778 };
779 
780 //-------------------------------------------------------------------------
781 /// Number representation.
782 /// This structure holds information about a number format.
783 struct number_format_t
784 {
785  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
786  flags_t flags; ///< ida flags, which describe number radix, enum, etc
787  char opnum; ///< operand number: 0..UA_MAXOP
788  char props; ///< properties: combination of NF_ bits (\ref NF_)
789 /// \defgroup NF_ Number format property bits
790 /// Used in number_format_t::props
791 //@{
792 #define NF_FIXED 0x01 ///< number format has been defined by the user
793 #define NF_NEGDONE 0x02 ///< temporary internal bit: negation has been performed
794 #define NF_BINVDONE 0x04 ///< temporary internal bit: inverting bits is done
795 #define NF_NEGATE 0x08 ///< The user asked to negate the constant
796 #define NF_BITNOT 0x10 ///< The user asked to invert bits of the constant
797 #define NF_VALID 0x20 ///< internal bit: stroff or enum is valid
798  ///< for enums: this bit is set immediately
799  ///< for stroffs: this bit is set at the end of decompilation
800 //@}
801  uchar serial; ///< for enums: constant serial number
802  char org_nbytes; ///< original number size in bytes
803  qstring type_name; ///< for stroffs: structure for offsetof()\n
804  ///< for enums: enum name
805  /// Contructor
806  number_format_t(int _opnum=0)
807  : flags(0), opnum(char(_opnum)), props(0), serial(0), org_nbytes(0) {}
808  /// Get number radix
809  /// \return 2,8,10, or 16
810  int get_radix(void) const { return ::get_radix(flags, opnum); }
811  /// Is number representation fixed?
812  /// Fixed representation cannot be modified by the decompiler
813  bool is_fixed(void) const { return props != 0; }
814  /// Is a hexadecimal number?
815  bool is_hex(void) const { return ::is_numop(flags, opnum) && get_radix() == 16; }
816  /// Is a decimal number?
817  bool is_dec(void) const { return ::is_numop(flags, opnum) && get_radix() == 10; }
818  /// Is a octal number?
819  bool is_oct(void) const { return ::is_numop(flags, opnum) && get_radix() == 8; }
820  /// Is a symbolic constant?
821  bool is_enum(void) const { return ::is_enum(flags, opnum); }
822  /// Is a character constant?
823  bool is_char(void) const { return ::is_char(flags, opnum); }
824  /// Is a structure field offset?
825  bool is_stroff(void) const { return ::is_stroff(flags, opnum); }
826  /// Is a number?
827  bool is_numop(void) const { return !is_enum() && !is_char() && !is_stroff(); }
828  /// Does the number need to be negated or bitwise negated?
829  /// Returns true if the user requested a negation but it is not done yet
830  bool needs_to_be_inverted(void) const
831  {
832  return (props & (NF_NEGATE|NF_BITNOT)) != 0 // the user requested it
833  && (props & (NF_NEGDONE|NF_BINVDONE)) == 0; // not done yet
834  }
835  // symbolic constants and struct offsets cannot easily change
836  // their sign or size without a cast. only simple numbers can do that.
837  // for example, by modifying the expression type we can convert:
838  // 10u -> 10
839  // but replacing the type of a symbol constant would lead to an inconsistency.
840  bool has_unmutable_type() const
841  {
842  return (props & NF_VALID) != 0 && (is_stroff() || is_enum());
843  }
844 };
845 
846 // Number formats are attached to (ea,opnum) pairs
847 typedef std::map<operand_locator_t, number_format_t> user_numforms_t;
848 
849 //-------------------------------------------------------------------------
850 /// Base helper class to convert binary data structures into text.
851 /// Other classes are derived from this class.
852 struct vd_printer_t
853 {
854  qstring tmpbuf;
855  int hdrlines; ///< number of header lines (prototype+typedef+lvars)
856  ///< valid at the end of print process
857  /// Print.
858  /// This function is called to generate a portion of the output text.
859  /// The output text may contain color codes.
860  /// \return the number of printed characters
861  /// \param indent number of spaces to generate as prefix
862  /// \param format printf-style format specifier
863  /// \return length of printed string
864  AS_PRINTF(3, 4) virtual int hexapi print(int indent, const char *format,...);
865  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
866 };
867 
868 /// Helper class to convert cfunc_t into text.
869 struct vc_printer_t : public vd_printer_t
870 {
871  const cfunc_t *func; ///< cfunc_t to generate text for
872  char lastchar; ///< internal: last printed character
873  /// Constructor
874  vc_printer_t(const cfunc_t *f) : func(f), lastchar(0) {}
875  /// Are we generating one-line text representation?
876  /// \return \c true if the output will occupy one line without line breaks
877  virtual bool idaapi oneliner(void) const newapi { return false; }
878 };
879 
880 /// Helper class to convert binary data structures into text and put into a file.
881 struct file_printer_t : public vd_printer_t
882 {
883  FILE *fp; ///< Output file pointer
884  /// Print.
885  /// This function is called to generate a portion of the output text.
886  /// The output text may contain color codes.
887  /// \return the number of printed characters
888  /// \param indent number of spaces to generate as prefix
889  /// \param format printf-style format specifier
890  /// \return length of printed string
891  AS_PRINTF(3, 4) int hexapi print(int indent, const char *format, ...) override;
892  /// Constructor
893  file_printer_t(FILE *_fp) : fp(_fp) {}
894 };
895 
896 /// Helper class to convert cfunc_t into a text string
897 struct qstring_printer_t : public vc_printer_t
898 {
899  bool with_tags; ///< Generate output with color tags
900  qstring &s; ///< Reference to the output string
901  /// Constructor
902  qstring_printer_t(const cfunc_t *f, qstring &_s, bool tags)
903  : vc_printer_t(f), with_tags(tags), s(_s) {}
904  /// Print.
905  /// This function is called to generate a portion of the output text.
906  /// The output text may contain color codes.
907  /// \return the number of printed characters
908  /// \param indent number of spaces to generate as prefix
909  /// \param format printf-style format specifier
910  /// \return length of the printed string
911  AS_PRINTF(3, 4) int hexapi print(int indent, const char *format, ...) override;
912 };
913 
914 //-------------------------------------------------------------------------
915 /// \defgroup type Type string related declarations
916 /// Type related functions and class.
917 //@{
918 
919 /// Print the specified type info.
920 /// This function can be used from a debugger by typing "tif->dstr()"
921 
922 const char *hexapi dstr(const tinfo_t *tif);
923 
924 
925 /// Verify a type string.
926 /// \return true if type string is correct
927 
928 bool hexapi is_type_correct(const type_t *ptr);
929 
930 
931 /// Is a small structure or union?
932 /// \return true if the type is a small UDT (user defined type).
933 /// Small UDTs fit into a register (or pair or registers) as a rule.
934 
935 bool hexapi is_small_udt(const tinfo_t &tif);
936 
937 
938 /// Is definitely a non-boolean type?
939 /// \return true if the type is a non-boolean type (non bool and well defined)
940 
941 bool hexapi is_nonbool_type(const tinfo_t &type);
942 
943 
944 /// Is a boolean type?
945 /// \return true if the type is a boolean type
946 
947 bool hexapi is_bool_type(const tinfo_t &type);
948 
949 
950 /// Is a pointer or array type?
951 inline THREAD_SAFE bool is_ptr_or_array(type_t t)
952 {
953  return is_type_ptr(t) || is_type_array(t);
954 }
955 
956 /// Is a pointer, array, or function type?
957 inline THREAD_SAFE bool is_paf(type_t t)
958 {
959  return is_ptr_or_array(t) || is_type_func(t);
960 }
961 
962 /// Is struct/union/enum definition (not declaration)?
963 inline THREAD_SAFE bool is_inplace_def(const tinfo_t &type)
964 {
965  return type.is_decl_complex() && !type.is_typeref();
966 }
967 
968 /// Calculate number of partial subtypes.
969 /// \return number of partial subtypes. The bigger is this number, the uglier is the type.
970 
971 int hexapi partial_type_num(const tinfo_t &type);
972 
973 
974 /// Get a type of a floating point value with the specified width
975 /// \returns type info object
976 /// \param width width of the desired type
977 
978 tinfo_t hexapi get_float_type(int width);
979 
980 
981 /// Create a type info by width and sign.
982 /// Returns a simple type (examples: int, short) with the given width and sign.
983 /// \param srcwidth size of the type in bytes
984 /// \param sign sign of the type
985 
986 tinfo_t hexapi get_int_type_by_width_and_sign(int srcwidth, type_sign_t sign);
987 
988 
989 /// Create a partial type info by width.
990 /// Returns a partially defined type (examples: _DWORD, _BYTE) with the given width.
991 /// \param size size of the type in bytes
992 
993 tinfo_t hexapi get_unk_type(int size);
994 
995 
996 /// Generate a dummy pointer type
997 /// \param ptrsize size of pointed object
998 /// \param isfp is floating point object?
999 
1000 tinfo_t hexapi dummy_ptrtype(int ptrsize, bool isfp);
1001 
1002 
1003 /// Get type of a structure field.
1004 /// This function performs validity checks of the field type. Wrong types are rejected.
1005 /// \param mptr structure field
1006 /// \param type pointer to the variable where the type is returned. This parameter can be NULL.
1007 /// \return false if failed
1008 
1009 bool hexapi get_member_type(const member_t *mptr, tinfo_t *type);
1010 
1011 
1012 /// Create a pointer type.
1013 /// This function performs the following conversion: "type" -> "type*"
1014 /// \param type object type.
1015 /// \return "type*". for example, if 'char' is passed as the argument,
1016 // the function will return 'char *'
1017 
1018 tinfo_t hexapi make_pointer(const tinfo_t &type);
1019 
1020 
1021 /// Create a reference to a named type.
1022 /// \param name type name
1023 /// \return type which refers to the specified name. For example, if name is "DWORD",
1024 /// the type info which refers to "DWORD" is created.
1025 
1026 tinfo_t hexapi create_typedef(const char *name);
1027 
1028 
1029 /// Create a reference to an ordinal type.
1030 /// \param n ordinal number of the type
1031 /// \return type which refers to the specified ordinal. For example, if n is 1,
1032 /// the type info which refers to ordinal type 1 is created.
1033 
1034 inline tinfo_t create_typedef(int n)
1035 {
1036  tinfo_t tif;
1037  tif.create_typedef(NULL, n);
1038  return tif;
1039 }
1040 
1041 /// Type source (where the type information comes from)
1042 enum type_source_t
1043 {
1044  GUESSED_NONE, // not guessed, specified by the user
1045  GUESSED_WEAK, // not guessed, comes from idb
1046  GUESSED_FUNC, // guessed as a function
1047  GUESSED_DATA, // guessed as a data item
1048  TS_NOELL = 0x8000000, // can be used in set_type() to avoid merging into ellipsis
1049  TS_SHRINK = 0x4000000, // can be used in set_type() to prefer smaller arguments
1050  TS_DONTREF = 0x2000000, // do not mark type as referenced (referenced_types)
1051  TS_MASK = 0xE000000, // all high bits
1052 };
1053 
1054 
1055 /// Get a global type.
1056 /// Global types are types of addressable objects and struct/union/enum types
1057 /// \param id address or id of the object
1058 /// \param tif buffer for the answer
1059 /// \param guess what kind of types to consider
1060 /// \return success
1061 
1062 bool hexapi get_type(uval_t id, tinfo_t *tif, type_source_t guess);
1063 
1064 
1065 /// Set a global type.
1066 /// \param id address or id of the object
1067 /// \param tif new type info
1068 /// \param source where the type comes from
1069 /// \param force true means to set the type as is, false means to merge the
1070 /// new type with the possibly existing old type info.
1071 /// \return success
1072 
1073 bool hexapi set_type(uval_t id, const tinfo_t &tif, type_source_t source, bool force=false);
1074 
1075 //@}
1076 
1077 //-------------------------------------------------------------------------
1078 // We use our own class to store argument and variable locations.
1079 // It is called vdloc_t that stands for 'vd location'.
1080 // 'vd' is the internal name of the decompiler, it stands for 'visual decompiler'.
1081 // The main differences between vdloc and argloc_t:
1082 // ALOC_REG1: the offset is always 0, so it is not used. the register number
1083 // uses the whole ~VLOC_MASK field.
1084 // ALOCK_STKOFF: stack offsets are always positive because they are based on
1085 // the lowest value of sp in the function.
1086 class vdloc_t : public argloc_t
1087 {
1088  int regoff(void); // inaccessible & undefined: regoff() should not be used
1089 public:
1090  // Get the register number.
1091  // This function works only for ALOC_REG1 and ALOC_REG2 location types.
1092  // It uses all available bits for register number for ALOC_REG1
1093  int reg1(void) const { return atype() == ALOC_REG2 ? argloc_t::reg1() : get_reginfo(); }
1094 
1095  // Set vdloc to point to the specified register without cleaning it up.
1096  // This is a dangerous function, use set_reg1() instead unless you understand
1097  // what it means to cleanup an argloc.
1098  void _set_reg1(int r1) { argloc_t::_set_reg1(r1, r1>>16); }
1099 
1100  // Set vdloc to point to the specified register.
1101  void set_reg1(int r1) { cleanup_argloc(this); _set_reg1(r1); }
1102 
1103  // Use member functions of argloc_t for other location types.
1104 
1105  // Return textual representation.
1106  // Note: this and all other dstr() functions can be used from a debugger.
1107  // It is much easier than to inspect the memory contents byte by byte.
1108  const char *hexapi dstr(int width=0) const;
1109  DECLARE_COMPARISONS(vdloc_t);
1110  bool hexapi is_aliasable(const mba_t *mb, int size) const;
1111 };
1112 
1113 /// Print vdloc.
1114 /// Since vdloc does not always carry the size info, we pass it as NBYTES..
1115 void hexapi print_vdloc(qstring *vout, const vdloc_t &loc, int nbytes);
1116 
1117 //-------------------------------------------------------------------------
1118 /// Do two arglocs overlap?
1119 bool hexapi arglocs_overlap(const vdloc_t &loc1, size_t w1, const vdloc_t &loc2, size_t w2);
1120 
1121 /// Local variable locator.
1122 /// Local variables are located using definition ea and location.
1123 /// Each variable must have a unique locator, this is how we tell them apart.
1124 struct lvar_locator_t
1125 {
1126  vdloc_t location; ///< Variable location.
1127  ea_t defea; ///< Definition address. Usually, this is the address
1128  ///< of the instruction that initializes the variable.
1129  ///< In some cases it can be a fictional address.
1130 
1131  lvar_locator_t(void) : defea(BADADDR) {}
1132  lvar_locator_t(const vdloc_t &loc, ea_t ea) : location(loc), defea(ea) {}
1133  /// Get offset of the varialbe in the stack frame.
1134  /// \return a non-negative value for stack variables. The value is
1135  /// an offset from the bottom of the stack frame in terms of
1136  /// vd-offsets.
1137  /// negative values mean error (not a stack variable)
1138  sval_t get_stkoff(void) const
1139  {
1140  return location.is_stkoff() ? location.stkoff() : -1;
1141  }
1142  /// Is variable located on one register?
1143  bool is_reg1(void) const { return location.is_reg1(); }
1144  /// Is variable located on two registers?
1145  bool is_reg2(void) const { return location.is_reg2(); }
1146  /// Is variable located on register(s)?
1147  bool is_reg_var(void) const { return location.is_reg(); }
1148  /// Is variable located on the stack?
1149  bool is_stk_var(void) const { return location.is_stkoff(); }
1150  /// Is variable scattered?
1151  bool is_scattered(void) const { return location.is_scattered(); }
1152  /// Get the register number of the variable
1153  mreg_t get_reg1(void) const { return location.reg1(); }
1154  /// Get the number of the second register (works only for ALOC_REG2 lvars)
1155  mreg_t get_reg2(void) const { return location.reg2(); }
1156  /// Get information about scattered variable
1157  const scattered_aloc_t &get_scattered(void) const { return location.scattered(); }
1158  scattered_aloc_t &get_scattered(void) { return location.scattered(); }
1159  DECLARE_COMPARISONS(lvar_locator_t);
1160  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
1161  // Debugging: get textual representation of a lvar locator.
1162  const char *hexapi dstr(void) const;
1163 };
1164 
1165 /// Definition of a local variable (register or stack) #var #lvar
1166 class lvar_t : public lvar_locator_t
1167 {
1168  friend class mba_t;
1169  int flags; ///< \ref CVAR_
1170 /// \defgroup CVAR_ Local variable property bits
1171 /// Used in lvar_t::flags
1172 //@{
1173 #define CVAR_USED 0x00000001 ///< is used in the code?
1174 #define CVAR_TYPE 0x00000002 ///< the type is defined?
1175 #define CVAR_NAME 0x00000004 ///< has nice name?
1176 #define CVAR_MREG 0x00000008 ///< corresponding mregs were replaced?
1177 #define CVAR_NOWD 0x00000010 ///< width is unknown
1178 #define CVAR_UNAME 0x00000020 ///< user-defined name
1179 #define CVAR_UTYPE 0x00000040 ///< user-defined type
1180 #define CVAR_RESULT 0x00000080 ///< function result variable
1181 #define CVAR_ARG 0x00000100 ///< function argument
1182 #define CVAR_FAKE 0x00000200 ///< fake variable (return var or va_list)
1183 #define CVAR_OVER 0x00000400 ///< overlapping variable
1184 #define CVAR_FLOAT 0x00000800 ///< used in a fpu insn
1185 #define CVAR_SPOILED 0x00001000 ///< internal flag, do not use: spoiled var
1186 #define CVAR_MAPDST 0x00002000 ///< other variables are mapped to this var
1187 #define CVAR_PARTIAL 0x00004000 ///< variable type is partialy defined
1188 #define CVAR_THISARG 0x00008000 ///< 'this' argument of c++ member functions
1189 #define CVAR_FORCED 0x00010000 ///< variable was created by an explicit request
1190  ///< otherwise we could reuse an existing var
1191 #define CVAR_REGNAME 0x00020000 ///< has a register name (like _RAX): if lvar
1192  ///< is used by an m_ext instruction
1193 #define CVAR_NOPTR 0x00040000 ///< variable cannot be a pointer (user choice)
1194 #define CVAR_DUMMY 0x00080000 ///< dummy argument (added to fill a hole in
1195  ///< the argument list)
1196 #define CVAR_NOTARG 0x00100000 ///< variable cannot be an input argument
1197 #define CVAR_AUTOMAP 0x00200000 ///< variable was automatically mapped
1198 #define CVAR_BYREF 0x00400000 ///< the address of the variable was taken
1199 #define CVAR_INASM 0x00800000 ///< variable is used in instructions translated
1200  ///< into __asm {...}
1201 #define CVAR_UNUSED 0x01000000 ///< user-defined __unused attribute
1202  ///< meaningful only if: is_arg_var() && !mba->final_type
1203 //@}
1204 
1205 public:
1206  qstring name; ///< variable name.
1207  ///< use mba_t::set_nice_lvar_name() and
1208  ///< mba_t::set_user_lvar_name() to modify it
1209  qstring cmt; ///< variable comment string
1210  tinfo_t tif; ///< variable type
1211  int width = 0; ///< variable size in bytes
1212  int defblk = -1; ///< first block defining the variable.
1213  ///< 0 for args, -1 if unknown
1214  uint64 divisor = 0; ///< max known divisor of the variable
1215 
1216  lvar_t(void) : flags(CVAR_USED) {}
1217  lvar_t(const qstring &n, const vdloc_t &l, ea_t e, const tinfo_t &t, int w, int db)
1218  : lvar_locator_t(l, e), flags(CVAR_USED), name(n), tif(t), width(w), defblk(db)
1219  {
1220  }
1221  // Debugging: get textual representation of a local variable.
1222  const char *hexapi dstr(void) const;
1223 
1224  /// Is the variable used in the code?
1225  bool used(void) const { return (flags & CVAR_USED) != 0; }
1226  /// Has the variable a type?
1227  bool typed(void) const { return (flags & CVAR_TYPE) != 0; }
1228  /// Have corresponding microregs been replaced by references to this variable?
1229  bool mreg_done(void) const { return (flags & CVAR_MREG) != 0; }
1230  /// Does the variable have a nice name?
1231  bool has_nice_name(void) const { return (flags & CVAR_NAME) != 0; }
1232  /// Do we know the width of the variable?
1233  bool is_unknown_width(void) const { return (flags & CVAR_NOWD) != 0; }
1234  /// Has any user-defined information?
1235  bool has_user_info(void) const
1236  {
1237  return (flags & (CVAR_UNAME|CVAR_UTYPE|CVAR_NOPTR|CVAR_UNUSED)) != 0
1238  || !cmt.empty();
1239  }
1240  /// Has user-defined name?
1241  bool has_user_name(void) const { return (flags & CVAR_UNAME) != 0; }
1242  /// Has user-defined type?
1243  bool has_user_type(void) const { return (flags & CVAR_UTYPE) != 0; }
1244  /// Is the function result?
1245  bool is_result_var(void) const { return (flags & CVAR_RESULT) != 0; }
1246  /// Is the function argument?
1247  bool is_arg_var(void) const { return (flags & CVAR_ARG) != 0; }
1248  /// Is the promoted function argument?
1249  bool hexapi is_promoted_arg(void) const;
1250  /// Is fake return variable?
1251  bool is_fake_var(void) const { return (flags & CVAR_FAKE) != 0; }
1252  /// Is overlapped variable?
1253  bool is_overlapped_var(void) const { return (flags & CVAR_OVER) != 0; }
1254  /// Used by a fpu insn?
1255  bool is_floating_var(void) const { return (flags & CVAR_FLOAT) != 0; }
1256  /// Is spoiled var? (meaningful only during lvar allocation)
1257  bool is_spoiled_var(void) const { return (flags & CVAR_SPOILED) != 0; }
1258  /// Variable type should be handled as a partial one
1259  bool is_partialy_typed(void) const { return (flags & CVAR_PARTIAL) != 0; }
1260  /// Variable type should not be a pointer
1261  bool is_noptr_var(void) const { return (flags & CVAR_NOPTR) != 0; }
1262  /// Other variable(s) map to this var?
1263  bool is_mapdst_var(void) const { return (flags & CVAR_MAPDST) != 0; }
1264  /// Is 'this' argument of a C++ member function?
1265  bool is_thisarg(void) const { return (flags & CVAR_THISARG) != 0; }
1266  /// Is a forced variable?
1267  bool is_forced_var(void) const { return (flags & CVAR_FORCED) != 0; }
1268  /// Has a register name? (like _RAX)
1269  bool has_regname(void) const { return (flags & CVAR_REGNAME) != 0; }
1270  /// Is variable used in an instruction translated into __asm?
1271  bool in_asm(void) const { return (flags & CVAR_INASM) != 0; }
1272  /// Is a dummy argument (added to fill a hole in the argument list)
1273  bool is_dummy_arg(void) const { return (flags & CVAR_DUMMY) != 0; }
1274  /// Is a local variable? (local variable cannot be an input argument)
1275  bool is_notarg(void) const { return (flags & CVAR_NOTARG) != 0; }
1276  /// Was the variable automatically mapped to another variable?
1277  bool is_automapped(void) const { return (flags & CVAR_AUTOMAP) != 0; }
1278  /// Was the address of the variable taken?
1279  bool is_used_byref(void) const { return (flags & CVAR_BYREF) != 0; }
1280  /// Was declared as __unused by the user? See CVAR_UNUSED
1281  bool is_decl_unused(void) const { return (flags & CVAR_UNUSED) != 0; }
1282  void set_used(void) { flags |= CVAR_USED; }
1283  void clear_used(void) { flags &= ~CVAR_USED; }
1284  void set_typed(void) { flags |= CVAR_TYPE; clr_noptr_var(); }
1285  void set_non_typed(void) { flags &= ~CVAR_TYPE; }
1286  void clr_user_info(void) { flags &= ~(CVAR_UNAME|CVAR_UTYPE|CVAR_NOPTR); }
1287  void set_user_name(void) { flags |= CVAR_NAME|CVAR_UNAME; }
1288  void set_user_type(void) { flags |= CVAR_TYPE|CVAR_UTYPE; }
1289  void clr_user_type(void) { flags &= ~CVAR_UTYPE; }
1290  void clr_user_name(void) { flags &= ~CVAR_UNAME; }
1291  void set_mreg_done(void) { flags |= CVAR_MREG; }
1292  void clr_mreg_done(void) { flags &= ~CVAR_MREG; }
1293  void set_unknown_width(void) { flags |= CVAR_NOWD; }
1294  void clr_unknown_width(void) { flags &= ~CVAR_NOWD; }
1295  void set_arg_var(void) { flags |= CVAR_ARG; }
1296  void clr_arg_var(void) { flags &= ~(CVAR_ARG|CVAR_THISARG); }
1297  void set_fake_var(void) { flags |= CVAR_FAKE; }
1298  void clr_fake_var(void) { flags &= ~CVAR_FAKE; }
1299  void set_overlapped_var(void) { flags |= CVAR_OVER; }
1300  void clr_overlapped_var(void) { flags &= ~CVAR_OVER; }
1301  void set_floating_var(void) { flags |= CVAR_FLOAT; }
1302  void clr_floating_var(void) { flags &= ~CVAR_FLOAT; }
1303  void set_spoiled_var(void) { flags |= CVAR_SPOILED; }
1304  void clr_spoiled_var(void) { flags &= ~CVAR_SPOILED; }
1305  void set_mapdst_var(void) { flags |= CVAR_MAPDST; }
1306  void clr_mapdst_var(void) { flags &= ~CVAR_MAPDST; }
1307  void set_partialy_typed(void) { flags |= CVAR_PARTIAL; }
1308  void clr_partialy_typed(void) { flags &= ~CVAR_PARTIAL; }
1309  void set_noptr_var(void) { flags |= CVAR_NOPTR; }
1310  void clr_noptr_var(void) { flags &= ~CVAR_NOPTR; }
1311  void set_thisarg(void) { flags |= CVAR_THISARG; }
1312  void clr_thisarg(void) { flags &= ~CVAR_THISARG; }
1313  void set_forced_var(void) { flags |= CVAR_FORCED; }
1314  void clr_forced_var(void) { flags &= ~CVAR_FORCED; }
1315  void set_dummy_arg(void) { flags |= CVAR_DUMMY; }
1316  void clr_dummy_arg(void) { flags &= ~CVAR_DUMMY; }
1317  void set_notarg(void) { clr_arg_var(); flags |= CVAR_NOTARG; }
1318  void clr_notarg(void) { flags &= ~CVAR_NOTARG; }
1319  void set_automapped(void) { flags |= CVAR_AUTOMAP; }
1320  void clr_automapped(void) { flags &= ~CVAR_AUTOMAP; }
1321  void set_used_byref(void) { flags |= CVAR_BYREF; }
1322  void clr_used_byref(void) { flags &= ~CVAR_BYREF; }
1323  void set_decl_unused(void) { flags |= CVAR_UNUSED; }
1324  void clr_decl_unused(void) { flags &= ~CVAR_UNUSED; }
1325 
1326  /// Do variables overlap?
1327  bool has_common(const lvar_t &v) const
1328  {
1329  return arglocs_overlap(location, width, v.location, v.width);
1330  }
1331  /// Does the variable overlap with the specified location?
1332  bool has_common_bit(const vdloc_t &loc, asize_t width2) const
1333  {
1334  return arglocs_overlap(location, width, loc, width2);
1335  }
1336  /// Get variable type
1337  const tinfo_t &type(void) const { return tif; }
1338  tinfo_t &type(void) { return tif; }
1339 
1340  /// Check if the variable accept the specified type.
1341  /// Some types are forbidden (void, function types, wrong arrays, etc)
1342  bool hexapi accepts_type(const tinfo_t &t, bool may_change_thisarg=false);
1343  /// Set variable type
1344  /// Note: this function does not modify the idb, only the lvar instance
1345  /// in the memory. For permanent changes see modify_user_lvars()
1346  /// Also, the variable type is not considered as final by the decompiler
1347  /// and may be modified later by the type derivation.
1348  /// In some cases set_final_var_type() may work better, but it does not
1349  /// do persistent changes to the database neither.
1350  /// \param t new type
1351  /// \param may_fail if false and type is bad, interr
1352  /// \return success
1353  bool hexapi set_lvar_type(const tinfo_t &t, bool may_fail=false);
1354 
1355  /// Set final variable type.
1356  void set_final_lvar_type(const tinfo_t &t)
1357  {
1358  set_lvar_type(t);
1359  set_typed();
1360  }
1361 
1362  /// Change the variable width.
1363  /// We call the variable size 'width', it is represents the number of bytes.
1364  /// This function may change the variable type using set_lvar_type().
1365  /// \param w new width
1366  /// \param svw_flags combination of SVW_... bits
1367  /// \return success
1368  bool hexapi set_width(int w, int svw_flags=0);
1369 #define SVW_INT 0x00 // integer value
1370 #define SVW_FLOAT 0x01 // floating point value
1371 #define SVW_SOFT 0x02 // may fail and return false;
1372  // if this bit is not set and the type is bad, interr
1373 
1374  /// Append local variable to mlist.
1375  /// \param mba ptr to the current mba_t
1376  /// \param lst list to append to
1377  /// \param if true, append padding bytes in case of scattered lvar
1378  void hexapi append_list(const mba_t *mba, mlist_t *lst, bool pad_if_scattered=false) const;
1379 
1380  /// Is the variable aliasable?
1381  /// \param mba ptr to the current mba_t
1382  /// Aliasable variables may be modified indirectly (through a pointer)
1383  bool is_aliasable(const mba_t *mba) const
1384  {
1385  return location.is_aliasable(mba, width);
1386  }
1387 
1388 };
1389 DECLARE_TYPE_AS_MOVABLE(lvar_t);
1390 
1391 /// Vector of local variables
1392 struct lvars_t : public qvector<lvar_t>
1393 {
1394  /// Find input variable at the specified location.
1395  /// \param argloc variable location
1396  /// \param _size variable size
1397  /// \return -1 if failed, otherwise the index into the variables vector.
1398  int find_input_lvar(const vdloc_t &argloc, int _size) { return find_lvar(argloc, _size, 0); }
1399 
1400 
1401  /// Find stack variable at the specified location.
1402  /// \param spoff offset from the minimal sp
1403  /// \param width variable size
1404  /// \return -1 if failed, otherwise the index into the variables vector.
1405  int hexapi find_stkvar(sval_t spoff, int width);
1406 
1407 
1408  /// Find variable at the specified location.
1409  /// \param ll variable location
1410  /// \return pointer to variable or NULL
1411  lvar_t *hexapi find(const lvar_locator_t &ll);
1412 
1413 
1414  /// Find variable at the specified location.
1415  /// \param location variable location
1416  /// \param width variable size
1417  /// \param defblk definition block of the lvar. -1 means any block
1418  /// \return -1 if failed, otherwise the index into the variables vector.
1419  int hexapi find_lvar(const vdloc_t &location, int width, int defblk=-1) const;
1420 };
1421 
1422 /// Saved user settings for local variables: name, type, comment.
1423 struct lvar_saved_info_t
1424 {
1425  lvar_locator_t ll; ///< Variable locator
1426  qstring name; ///< Name
1427  tinfo_t type; ///< Type
1428  qstring cmt; ///< Comment
1429  ssize_t size; ///< Type size (if not initialized then -1)
1430  int flags; ///< \ref LVINF_
1431 /// \defgroup LVINF_ saved user lvar info property bits
1432 /// Used in lvar_saved_info_t::flags
1433 //@{
1434 #define LVINF_KEEP 0x0001 ///< preserve saved user settings regardless of vars
1435  ///< for example, if a var loses all its
1436  ///< user-defined attributes or even gets
1437  ///< destroyed, keep its lvar_saved_info_t.
1438  ///< this is used for ephemeral variables that
1439  ///< get destroyed by macro recognition.
1440 #define LVINF_FORCE 0x0002 ///< force allocation of a new variable.
1441  ///< forces the decompiler to create a new
1442  ///< variable at ll.defea
1443 #define LVINF_NOPTR 0x0004 ///< variable type should not be a pointer
1444 #define LVINF_NOMAP 0x0008 ///< forbid automatic mapping of the variable
1445 #define LVINF_UNUSED 0x0010 ///< unused argument, corresponds to CVAR_UNUSED
1446 //@}
1447  lvar_saved_info_t(void) : size(BADSIZE), flags(0) {}
1448  bool has_info(void) const
1449  {
1450  return !name.empty()
1451  || !type.empty()
1452  || !cmt.empty()
1453  || is_forced_lvar()
1454  || is_noptr_lvar()
1455  || is_nomap_lvar();
1456  }
1457  bool operator==(const lvar_saved_info_t &r) const
1458  {
1459  return name == r.name
1460  && cmt == r.cmt
1461  && ll == r.ll
1462  && type == r.type;
1463  }
1464  bool operator!=(const lvar_saved_info_t &r) const { return !(*this == r); }
1465  bool is_kept(void) const { return (flags & LVINF_KEEP) != 0; }
1466  void clear_keep(void) { flags &= ~LVINF_KEEP; }
1467  void set_keep(void) { flags |= LVINF_KEEP; }
1468  bool is_forced_lvar(void) const { return (flags & LVINF_FORCE) != 0; }
1469  void set_forced_lvar(void) { flags |= LVINF_FORCE; }
1470  void clr_forced_lvar(void) { flags &= ~LVINF_FORCE; }
1471  bool is_noptr_lvar(void) const { return (flags & LVINF_NOPTR) != 0; }
1472  void set_noptr_lvar(void) { flags |= LVINF_NOPTR; }
1473  void clr_noptr_lvar(void) { flags &= ~LVINF_NOPTR; }
1474  bool is_nomap_lvar(void) const { return (flags & LVINF_NOMAP) != 0; }
1475  void set_nomap_lvar(void) { flags |= LVINF_NOMAP; }
1476  void clr_nomap_lvar(void) { flags &= ~LVINF_NOMAP; }
1477  bool is_unused_lvar(void) const { return (flags & LVINF_UNUSED) != 0; }
1478  void set_unused_lvar(void) { flags |= LVINF_UNUSED; }
1479  void clr_unused_lvar(void) { flags &= ~LVINF_UNUSED; }
1480 };
1481 DECLARE_TYPE_AS_MOVABLE(lvar_saved_info_t);
1482 typedef qvector<lvar_saved_info_t> lvar_saved_infos_t;
1483 
1484 /// Local variable mapping (is used to merge variables)
1485 typedef std::map<lvar_locator_t, lvar_locator_t> lvar_mapping_t;
1486 
1487 /// All user-defined information about local variables
1488 struct lvar_uservec_t
1489 {
1490  /// User-specified names, types, comments for lvars. Variables without
1491  /// user-specified info are not present in this vector.
1492  lvar_saved_infos_t lvvec;
1493 
1494  /// Local variable mapping (used for merging variables)
1495  lvar_mapping_t lmaps;
1496 
1497  /// Delta to add to IDA stack offset to calculate Hex-Rays stack offsets.
1498  /// Should be set by the caller before calling save_user_lvar_settings();
1499  uval_t stkoff_delta;
1500 
1501  /// Various flags. Possible values are from \ref ULV_
1502  int ulv_flags;
1503 /// \defgroup ULV_ lvar_uservec_t property bits
1504 /// Used in lvar_uservec_t::ulv_flags
1505 //@{
1506 #define ULV_PRECISE_DEFEA 0x0001 ///< Use precise defea's for lvar locations
1507 //@}
1508 
1509  lvar_uservec_t(void) : stkoff_delta(0), ulv_flags(ULV_PRECISE_DEFEA) {}
1510  void swap(lvar_uservec_t &r)
1511  {
1512  lvvec.swap(r.lvvec);
1513  lmaps.swap(r.lmaps);
1514  std::swap(stkoff_delta, r.stkoff_delta);
1515  std::swap(ulv_flags, r.ulv_flags);
1516  }
1517  void clear()
1518  {
1519  lvvec.clear();
1520  lmaps.clear();
1521  stkoff_delta = 0;
1522  ulv_flags = ULV_PRECISE_DEFEA;
1523  }
1524  bool empty() const
1525  {
1526  return lvvec.empty()
1527  && lmaps.empty()
1528  && stkoff_delta == 0
1529  && ulv_flags == ULV_PRECISE_DEFEA;
1530  }
1531 
1532  /// find saved user settings for given var
1533  lvar_saved_info_t *find_info(const lvar_locator_t &vloc)
1534  {
1535  for ( lvar_saved_infos_t::iterator p=lvvec.begin(); p != lvvec.end(); ++p )
1536  {
1537  if ( p->ll == vloc )
1538  return p;
1539  }
1540  return NULL;
1541  }
1542 
1543  /// Preserve user settings for given var
1544  void keep_info(const lvar_t &v)
1545  {
1546  lvar_saved_info_t *p = find_info(v);
1547  if ( p != NULL )
1548  p->set_keep();
1549  }
1550 };
1551 
1552 /// Restore user defined local variable settings in the database.
1553 /// \param func_ea entry address of the function
1554 /// \param lvinf ptr to output buffer
1555 /// \return success
1556 
1557 bool hexapi restore_user_lvar_settings(lvar_uservec_t *lvinf, ea_t func_ea);
1558 
1559 
1560 /// Save user defined local variable settings into the database.
1561 /// \param func_ea entry address of the function
1562 /// \param lvinf user-specified info about local variables
1563 
1564 void hexapi save_user_lvar_settings(ea_t func_ea, const lvar_uservec_t &lvinf);
1565 
1566 
1567 /// Helper class to modify saved local variable settings.
1568 struct user_lvar_modifier_t
1569 {
1570  /// Modify lvar settings.
1571  /// Returns: true-modified
1572  virtual bool idaapi modify_lvars(lvar_uservec_t *lvinf) = 0;
1573 };
1574 
1575 /// Modify saved local variable settings.
1576 /// \param entry_ea function start address
1577 /// \param mlv local variable modifier
1578 /// \return true if modified variables
1579 
1580 bool hexapi modify_user_lvars(ea_t entry_ea, user_lvar_modifier_t &mlv);
1581 
1582 
1583 /// Modify saved local variable settings of one variable.
1584 /// \param func_ea function start address
1585 /// \param info local variable info attrs
1586 /// \param mli_flags bits that specify which attrs defined by INFO are to be set
1587 /// \return true if modified, false if invalid MLI_FLAGS passed
1588 
1589 bool hexapi modify_user_lvar_info(
1590  ea_t func_ea,
1591  uint mli_flags,
1592  const lvar_saved_info_t &info);
1593 
1594 /// \defgroup MLI_ user info bits
1595 //@{
1596 #define MLI_NAME 0x01 ///< apply lvar name
1597 #define MLI_TYPE 0x02 ///< apply lvar type
1598 #define MLI_CMT 0x04 ///< apply lvar comment
1599 #define MLI_SET_FLAGS 0x08 ///< set LVINF_... bits
1600 #define MLI_CLR_FLAGS 0x10 ///< clear LVINF_... bits
1601 //@}
1602 
1603 
1604 /// Find a variable by name.
1605 /// \param out output buffer for the variable locator
1606 /// \param func_ea function start address
1607 /// \param varname variable name
1608 /// \return success
1609 /// Since VARNAME is not always enough to find the variable, it may decompile
1610 /// the function.
1611 
1612 bool hexapi locate_lvar(
1613  lvar_locator_t *out,
1614  ea_t func_ea,
1615  const char *varname);
1616 
1617 
1618 /// Rename a local variable.
1619 /// \param func_ea function start address
1620 /// \param oldname old name of the variable
1621 /// \param newname new name of the variable
1622 /// \return success
1623 /// This is a convenience function.
1624 /// For bulk renaming consider using modify_user_lvars.
1625 
1626 inline bool rename_lvar(
1627  ea_t func_ea,
1628  const char *oldname,
1629  const char *newname)
1630 {
1631  lvar_saved_info_t info;
1632  if ( !locate_lvar(&info.ll, func_ea, oldname) )
1633  return false;
1634  info.name = newname;
1635  return modify_user_lvar_info(func_ea, MLI_NAME, info);
1636 }
1637 
1638 //-------------------------------------------------------------------------
1639 /// User-defined function calls
1640 struct udcall_t
1641 {
1642  qstring name; // name of the function
1643  tinfo_t tif; // function prototype
1644  DECLARE_COMPARISONS(udcall_t)
1645  {
1646  int code = ::compare(name, r.name);
1647  if ( code == 0 )
1648  code = ::compare(tif, r.tif);
1649  return code;
1650  }
1651 };
1652 
1653 // All user-defined function calls (map address -> udcall)
1654 typedef std::map<ea_t, udcall_t> udcall_map_t;
1655 
1656 /// Restore user defined function calls from the database.
1657 /// \param udcalls ptr to output buffer
1658 /// \param func_ea entry address of the function
1659 /// \return success
1660 
1661 bool hexapi restore_user_defined_calls(udcall_map_t *udcalls, ea_t func_ea);
1662 
1663 
1664 /// Save user defined local function calls into the database.
1665 /// \param func_ea entry address of the function
1666 /// \param udcalls user-specified info about user defined function calls
1667 
1668 void hexapi save_user_defined_calls(ea_t func_ea, const udcall_map_t &udcalls);
1669 
1670 
1671 /// Convert function type declaration into internal structure
1672 /// \param udc - pointer to output structure
1673 /// \param decl - function type declaration
1674 /// \param silent - if TRUE: do not show warning in case of incorrect type
1675 /// \return success
1676 
1677 bool hexapi parse_user_call(udcall_t *udc, const char *decl, bool silent);
1678 
1679 
1680 /// try to generate user-defined call for an instruction
1681 /// \return \ref MERR_ code:
1682 /// MERR_OK - user-defined call generated
1683 /// else - error (MERR_INSN == inacceptable udc.tif)
1684 
1685 merror_t hexapi convert_to_user_call(const udcall_t &udc, codegen_t &cdg);
1686 
1687 
1688 //-------------------------------------------------------------------------
1689 /// Generic microcode generator class.
1690 /// An instance of a derived class can be registered to be used for
1691 /// non-standard microcode generation. Before microcode generation for an
1692 /// instruction all registered object will be visited by the following way:
1693 /// if ( filter->match(cdg) )
1694 /// code = filter->apply(cdg);
1695 /// if ( code == MERR_OK )
1696 /// continue; // filter generated microcode, go to the next instruction
1697 struct microcode_filter_t
1698 {
1699  /// check if the filter object is to be appied
1700  /// \return success
1701  virtual bool match(codegen_t &cdg) = 0;
1702 
1703  /// generate microcode for an instruction
1704  /// \return MERR_... code:
1705  /// MERR_OK - user-defined call generated, go to the next instruction
1706  /// MERR_INSN - not generated - the caller should try the standard way
1707  /// else - error
1708  virtual merror_t apply(codegen_t &cdg) = 0;
1709 };
1710 
1711 /// register/unregister non-standard microcode generator
1712 /// \param filter - microcode generator object
1713 /// \param install - TRUE - register the object, FALSE - unregister
1714 /// \return success
1715 bool hexapi install_microcode_filter(microcode_filter_t *filter, bool install=true);
1716 
1717 //-------------------------------------------------------------------------
1718 /// Abstract class: User-defined call generator
1719 /// derived classes should implement method 'match'
1720 class udc_filter_t : public microcode_filter_t
1721 {
1722  udcall_t udc;
1723 
1724 public:
1725  /// return true if the filter object should be appied to given instruction
1726  virtual bool match(codegen_t &cdg) override = 0;
1727 
1728  bool hexapi init(const char *decl);
1729  virtual merror_t hexapi apply(codegen_t &cdg) override;
1730 };
1731 
1732 //-------------------------------------------------------------------------
1733 typedef size_t mbitmap_t;
1734 const size_t bitset_width = sizeof(mbitmap_t) * CHAR_BIT;
1735 const size_t bitset_align = bitset_width - 1;
1736 const size_t bitset_shift = 6;
1737 
1738 /// Bit set class. See https://en.wikipedia.org/wiki/Bit_array
1739 class bitset_t
1740 {
1741  mbitmap_t *bitmap; ///< pointer to bitmap
1742  size_t high; ///< highest bit+1 (multiply of bitset_width)
1743 
1744 public:
1745  bitset_t(void) : bitmap(NULL), high(0) {}
1746  hexapi bitset_t(const bitset_t &m); // copy constructor
1747  ~bitset_t(void)
1748  {
1749  qfree(bitmap);
1750  bitmap = NULL;
1751  }
1752  void swap(bitset_t &r)
1753  {
1754  std::swap(bitmap, r.bitmap);
1755  std::swap(high, r.high);
1756  }
1757  bitset_t &operator=(const bitset_t &m) { return copy(m); }
1758  bitset_t &hexapi copy(const bitset_t &m); // assignment operator
1759  bool hexapi add(int bit); // add a bit
1760  bool hexapi add(int bit, int width); // add bits
1761  bool hexapi add(const bitset_t &ml); // add another bitset
1762  bool hexapi sub(int bit); // delete a bit
1763  bool hexapi sub(int bit, int width); // delete bits
1764  bool hexapi sub(const bitset_t &ml); // delete another bitset
1765  bool hexapi cut_at(int maxbit); // delete bits >= maxbit
1766  void hexapi shift_down(int shift); // shift bits down
1767  bool hexapi has(int bit) const; // test presence of a bit
1768  bool hexapi has_all(int bit, int width) const; // test presence of bits
1769  bool hexapi has_any(int bit, int width) const; // test presence of bits
1770  void print(
1771  qstring *vout,
1772  int (*get_bit_name)(qstring *out, int bit, int width, void *ud)=NULL,
1773  void *ud=NULL) const;
1774  const char *hexapi dstr(void) const;
1775  bool hexapi empty(void) const; // is empty?
1776  int hexapi count(void) const; // number of set bits
1777  int hexapi count(int bit) const; // get number set bits starting from 'bit'
1778  int hexapi last(void) const; // get the number of the last bit (-1-no bits)
1779  void clear(void) { high = 0; } // make empty
1780  void hexapi fill_with_ones(int maxbit);
1781  bool hexapi fill_gaps(int total_nbits);
1782  bool hexapi has_common(const bitset_t &ml) const; // has common elements?
1783  bool hexapi intersect(const bitset_t &ml); // intersect sets. returns true if changed
1784  bool hexapi is_subset_of(const bitset_t &ml) const; // is subset of?
1785  bool includes(const bitset_t &ml) const { return ml.is_subset_of(*this); }
1786  void extract(intvec_t &out) const;
1787  DECLARE_COMPARISONS(bitset_t);
1788  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
1789  class iterator
1790  {
1791  friend class bitset_t;
1792  int i;
1793  public:
1794  iterator(int n=-1) : i(n) {}
1795  bool operator==(const iterator &n) const { return i == n.i; }
1796  bool operator!=(const iterator &n) const { return i != n.i; }
1797  int operator*(void) const { return i; }
1798  };
1799  typedef iterator const_iterator;
1800  iterator itat(int n) const { return iterator(goup(n)); }
1801  iterator begin(void) const { return itat(0); }
1802  iterator end(void) const { return iterator(high); }
1803  int front(void) const { return *begin(); }
1804  int back(void) const { return *end(); }
1805  void inc(iterator &p, int n=1) const { p.i = goup(p.i+n); }
1806 private:
1807  int hexapi goup(int reg) const;
1808 };
1809 DECLARE_TYPE_AS_MOVABLE(bitset_t);
1810 typedef qvector<bitset_t> array_of_bitsets;
1811 
1812 //-------------------------------------------------------------------------
1813 template <class T>
1814 struct ivl_tpl // an interval
1815 {
1816 protected:
1817  // forbid the default constructor
1818  ivl_tpl(void) {}
1819 public:
1820  T off;
1821  T size;
1822  ivl_tpl(T _off, T _size) : off(_off), size(_size) {}
1823  bool valid() const { return last() >= off; }
1824  T end() const { return off + size; }
1825  T last() const { return off + size - 1; }
1826 
1827  DEFINE_MEMORY_ALLOCATION_FUNCS()
1828 };
1829 
1830 //-------------------------------------------------------------------------
1831 typedef ivl_tpl<uval_t> uval_ivl_t;
1832 struct ivl_t : public uval_ivl_t
1833 {
1834 private:
1835  typedef ivl_tpl<uval_t> inherited;
1836  // forbid the default constructor
1837  ivl_t(void) {}
1838  // ...except for use in a vector
1839  friend class qvector<ivl_t>;
1840 
1841 public:
1842  ivl_t(uval_t _off, uval_t _size) : inherited(_off,_size) {}
1843  bool empty(void) const { return size == 0; }
1844  void clear(void) { size = 0; }
1845  void print(qstring *vout) const;
1846  const char *hexapi dstr(void) const;
1847 
1848  bool extend_to_cover(const ivl_t &r) // extend interval to cover 'r'
1849  {
1850  uval_t new_end = end();
1851  bool changed = false;
1852  if ( off > r.off )
1853  {
1854  off = r.off;
1855  changed = true;
1856  }
1857  if ( new_end < r.end() )
1858  {
1859  new_end = r.end();
1860  changed = true;
1861  }
1862  if ( changed )
1863  size = new_end - off;
1864  return changed;
1865  }
1866  void intersect(const ivl_t &r)
1867  {
1868  uval_t new_off = qmax(off, r.off);
1869  uval_t new_end = end();
1870  if ( new_end > r.end() )
1871  new_end = r.end();
1872  if ( new_off < new_end )
1873  {
1874  off = new_off;
1875  size = new_end - off;
1876  }
1877  else
1878  {
1879  size = 0;
1880  }
1881  }
1882 
1883  // do *this and ivl overlap?
1884  bool overlap(const ivl_t &ivl) const
1885  {
1886  return interval::overlap(off, size, ivl.off, ivl.size);
1887  }
1888  // does *this include ivl?
1889  bool includes(const ivl_t &ivl) const
1890  {
1891  return interval::includes(off, size, ivl.off, ivl.size);
1892  }
1893  // does *this contain off2?
1894  bool contains(uval_t off2) const
1895  {
1896  return interval::contains(off, size, off2);
1897  }
1898 
1899  DECLARE_COMPARISONS(ivl_t);
1900  static const ivl_t allmem;
1901 #define ALLMEM ivl_t::allmem
1902 };
1903 DECLARE_TYPE_AS_MOVABLE(ivl_t);
1904 
1905 //-------------------------------------------------------------------------
1906 struct ivl_with_name_t
1907 {
1908  ivl_t ivl;
1909  const char *whole; // name of the whole interval
1910  const char *part; // prefix to use for parts of the interval (e.g. sp+4)
1911  ivl_with_name_t(): ivl(0, BADADDR), whole("<unnamed inteval>"), part(NULL) {}
1912  DEFINE_MEMORY_ALLOCATION_FUNCS()
1913 };
1914 
1915 //-------------------------------------------------------------------------
1916 template <class Ivl, class T>
1917 class ivlset_tpl // set of intervals
1918 {
1919 public:
1920  typedef qvector<Ivl> bag_t;
1921 
1922 protected:
1923  bag_t bag;
1924  bool verify(void) const;
1925  // we do not store the empty intervals in bag so size == 0 denotes
1926  // MAX_VALUE<T>+1, e.g. 0x100000000 for uint32
1927  static bool ivl_all_values(const Ivl &ivl) { return ivl.off == 0 && ivl.size == 0; }
1928 
1929 public:
1930  ivlset_tpl(void) {}
1931  ivlset_tpl(const Ivl &ivl) { if ( ivl.valid() ) bag.push_back(ivl); }
1932  DEFINE_MEMORY_ALLOCATION_FUNCS()
1933 
1934  void swap(ivlset_tpl &r) { bag.swap(r.bag); }
1935  const Ivl &getivl(int idx) const { return bag[idx]; }
1936  const Ivl &lastivl(void) const { return bag.back(); }
1937  size_t nivls(void) const { return bag.size(); }
1938  bool empty(void) const { return bag.empty(); }
1939  void clear(void) { bag.clear(); }
1940  void qclear(void) { bag.qclear(); }
1941  bool all_values() const { return nivls() == 1 && ivl_all_values(bag[0]); }
1942  void set_all_values() { clear(); bag.push_back(Ivl(0, 0)); }
1943  bool single_value() const { return nivls() == 1 && bag[0].size == 1; }
1944  bool single_value(T v) const { return single_value() && bag[0].off == v; }
1945 
1946  bool operator==(const Ivl &v) const { return nivls() == 1 && bag[0] == v; }
1947  bool operator!=(const Ivl &v) const { return !(*this == v); }
1948 
1949  typedef typename bag_t::iterator iterator;
1950  typedef typename bag_t::const_iterator const_iterator;
1951  const_iterator begin(void) const { return bag.begin(); }
1952  const_iterator end(void) const { return bag.end(); }
1953  iterator begin(void) { return bag.begin(); }
1954  iterator end(void) { return bag.end(); }
1955 };
1956 
1957 //-------------------------------------------------------------------------
1958 /// Set of address intervals.
1959 /// Bit arrays are efficient only for small sets. Potentially huge
1960 /// sets, like memory ranges, require another representation.
1961 /// ivlset_t is used for a list of memory locations in our decompiler.
1962 typedef ivlset_tpl<ivl_t, uval_t> uval_ivl_ivlset_t;
1963 struct ivlset_t : public uval_ivl_ivlset_t
1964 {
1965  typedef ivlset_tpl<ivl_t, uval_t> inherited;
1966  ivlset_t() {}
1967  ivlset_t(const ivl_t &ivl) : inherited(ivl) {}
1968  bool hexapi add(const ivl_t &ivl);
1969  bool add(ea_t ea, asize_t size) { return add(ivl_t(ea, size)); }
1970  bool hexapi add(const ivlset_t &ivs);
1971  bool hexapi addmasked(const ivlset_t &ivs, const ivl_t &mask);
1972  bool hexapi sub(const ivl_t &ivl);
1973  bool sub(ea_t ea, asize_t size) { return sub(ivl_t(ea, size)); }
1974  bool hexapi sub(const ivlset_t &ivs);
1975  bool hexapi has_common(const ivl_t &ivl, bool strict=false) const;
1976  void hexapi print(qstring *vout) const;
1977  const char *hexapi dstr(void) const;
1978  asize_t hexapi count(void) const;
1979  bool hexapi has_common(const ivlset_t &ivs) const;
1980  bool hexapi contains(uval_t off) const;
1981  bool hexapi includes(const ivlset_t &ivs) const;
1982  bool hexapi intersect(const ivlset_t &ivs);
1983 
1984  DECLARE_COMPARISONS(ivlset_t);
1985 
1986 };
1987 DECLARE_TYPE_AS_MOVABLE(ivlset_t);
1988 typedef qvector<ivlset_t> array_of_ivlsets;
1989 //-------------------------------------------------------------------------
1990 // We use bitset_t to keep list of registers.
1991 // This is the most optimal storage for them.
1992 class rlist_t : public bitset_t
1993 {
1994 public:
1995  rlist_t(void) {}
1996  rlist_t(const rlist_t &m) : bitset_t(m)
1997  {
1998  }
1999  rlist_t(mreg_t reg, int width) { add(reg, width); }
2000  ~rlist_t(void) {}
2001  void hexapi print(qstring *vout) const;
2002  const char *hexapi dstr(void) const;
2003 };
2004 DECLARE_TYPE_AS_MOVABLE(rlist_t);
2005 
2006 //-------------------------------------------------------------------------
2007 // Microlist: list of register and memory locations
2008 struct mlist_t
2009 {
2010  rlist_t reg; // registers
2011  ivlset_t mem; // memory locations
2012 
2013  mlist_t(void) {}
2014  mlist_t(const ivl_t &ivl) : mem(ivl) {}
2015  mlist_t(mreg_t r, int size) : reg(r, size) {}
2016 
2017  void swap(mlist_t &r) { reg.swap(r.reg); mem.swap(r.mem); }
2018  bool hexapi addmem(ea_t ea, asize_t size);
2019  bool add(mreg_t r, int size) { return add(mlist_t(r, size)); } // also see append_def_list()
2020  bool add(const rlist_t &r) { return reg.add(r); }
2021  bool add(const ivl_t &ivl) { return add(mlist_t(ivl)); }
2022  bool add(const mlist_t &lst) { return reg.add(lst.reg) | mem.add(lst.mem); }
2023  bool sub(mreg_t r, int size) { return sub(mlist_t(r, size)); }
2024  bool sub(const ivl_t &ivl) { return sub(mlist_t(ivl)); }
2025  bool sub(const mlist_t &lst) { return reg.sub(lst.reg) | mem.sub(lst.mem); }
2026  asize_t count(void) const { return reg.count() + mem.count(); }
2027  void hexapi print(qstring *vout) const;
2028  const char *hexapi dstr(void) const;
2029  bool empty(void) const { return reg.empty() && mem.empty(); }
2030  void clear(void) { reg.clear(); mem.clear(); }
2031  bool has(mreg_t r) const { return reg.has(r); }
2032  bool has_all(mreg_t r, int size) const { return reg.has_all(r, size); }
2033  bool has_any(mreg_t r, int size) const { return reg.has_any(r, size); }
2034  bool has_memory(void) const { return !mem.empty(); }
2035  bool has_allmem(void) const { return mem == ALLMEM; }
2036  bool has_common(const mlist_t &lst) const { return reg.has_common(lst.reg) || mem.has_common(lst.mem); }
2037  bool includes(const mlist_t &lst) const { return reg.includes(lst.reg) && mem.includes(lst.mem); }
2038  bool intersect(const mlist_t &lst) { return reg.intersect(lst.reg) | mem.intersect(lst.mem); }
2039  bool is_subset_of(const mlist_t &lst) const { return lst.includes(*this); }
2040 
2041  DECLARE_COMPARISONS(mlist_t);
2042  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2043 };
2044 DECLARE_TYPE_AS_MOVABLE(mlist_t);
2045 typedef qvector<mlist_t> mlistvec_t;
2046 DECLARE_TYPE_AS_MOVABLE(mlistvec_t);
2047 
2048 ///------------------------------------------------------------------------
2049 /// Get list of temporary registers.
2050 /// Tempregs are temporary registers that are used during code generation.
2051 /// They do not map to regular processor registers. They are used only to
2052 /// store temporary values during execution of one instruction.
2053 /// Tempregs may not be used to pass a value from one block to another.
2054 /// In other words, at the end of a block all tempregs must be dead.
2055 const mlist_t &hexapi get_temp_regs(void);
2056 
2057 /// Is a kernel register?
2058 /// Kernel registers are temporary registers that can be used freely.
2059 /// They may be used to store values that cross instruction or basic block
2060 /// boundaries. Kernel registers do not map to regular processor registers.
2061 /// See also \ref mba_t::alloc_kreg()
2062 bool hexapi is_kreg(mreg_t r);
2063 
2064 /// Map a processor register to a microregister.
2065 /// \param reg processor register number
2066 /// \return microregister register id or mr_none
2067 mreg_t hexapi reg2mreg(int reg);
2068 
2069 /// Map a microregister to a processor register.
2070 /// \param reg microregister number
2071 /// \param width size of microregister in bytes
2072 /// \return processor register id or -1
2073 int hexapi mreg2reg(mreg_t reg, int width);
2074 
2075 /// Get the microregister name.
2076 /// \param out output buffer, may be nullptr
2077 /// \param bit microregister number
2078 /// \param width size of microregister in bytes. may be bigger than the real
2079 /// register size.
2080 /// \param ud reserved, must be nullptr
2081 /// \return width of the printed register. this value may be less than
2082 /// the WIDTH argument.
2083 
2084 int hexapi get_mreg_name(qstring *out, mreg_t reg, int width, void *ud=nullptr);
2085 
2086 //-------------------------------------------------------------------------
2087 /// User defined callback to optimize individual microcode instructions
2088 struct optinsn_t
2089 {
2090  /// Optimize an instruction.
2091  /// \param blk current basic block. maybe NULL, which means that
2092  /// the instruction must be optimized without context
2093  /// \param ins instruction to optimize; it is always a top-level instruction.
2094  /// the callback may not delete the instruction but may
2095  /// convert it into nop (see mblock_t::make_nop). to optimize
2096  /// sub-instructions, visit them using minsn_visitor_t.
2097  /// sub-instructions may not be converted into nop but
2098  /// can be converted to "mov x,x". for example:
2099  /// add x,0,x => mov x,x
2100  /// this callback may change other instructions in the block,
2101  /// but should do this with care, e.g. to no break the
2102  /// propagation algorithm if called with OPTI_NO_LDXOPT.
2103  /// \param optflags combination of \ref OPTI_ bits
2104  /// \return number of changes made to the instruction.
2105  /// if after this call the instruction's use/def lists have changed,
2106  /// you must mark the block level lists as dirty (see mark_lists_dirty)
2107  virtual int idaapi func(mblock_t *blk, minsn_t *ins, int optflags) = 0;
2108 };
2109 
2110 /// Install an instruction level custom optimizer
2111 /// \param opt an instance of optinsn_t. cannot be destroyed before calling
2112 /// remove_optinsn_handler().
2113 void hexapi install_optinsn_handler(optinsn_t *opt);
2114 
2115 /// Remove an instruction level custom optimizer
2116 bool hexapi remove_optinsn_handler(optinsn_t *opt);
2117 
2118 /// User defined callback to optimize microcode blocks
2119 struct optblock_t
2120 {
2121  /// Optimize a block.
2122  /// This function usually performs the optimizations that require analyzing
2123  /// the entire block and/or its neighbors. For example it can recognize
2124  /// patterns and perform conversions like:
2125  /// b0: b0:
2126  /// ... ...
2127  /// jnz x, 0, @b2 => jnz x, 0, @b2
2128  /// b1: b1:
2129  /// add x, 0, y mov x, y
2130  /// ... ...
2131  /// \param blk Basic block to optimize as a whole.
2132  /// \return number of changes made to the block. See also mark_lists_dirty.
2133  virtual int idaapi func(mblock_t *blk) = 0;
2134 };
2135 
2136 /// Install a block level custom optimizer.
2137 /// \param opt an instance of optblock_t. cannot be destroyed before calling
2138 /// remove_optblock_handler().
2139 void hexapi install_optblock_handler(optblock_t *opt);
2140 
2141 /// Remove a block level custom optimizer
2142 bool hexapi remove_optblock_handler(optblock_t *opt);
2143 
2144 
2145 //-------------------------------------------------------------------------
2146 // abstract graph interface
2147 class simple_graph_t : public gdl_graph_t
2148 {
2149 public:
2150  qstring title;
2151  bool colored_gdl_edges;
2152 private:
2153  friend class iterator;
2154  virtual int goup(int node) const newapi;
2155 };
2156 
2157 //-------------------------------------------------------------------------
2158 // Since our data structures are quite complex, we use the visitor pattern
2159 // in many of our algorthims. This functionality is available for plugins too.
2160 // https://en.wikipedia.org/wiki/Visitor_pattern
2161 
2162 // All our visitor callbacks return an integer value.
2163 // Visiting is interrupted as soon an the return value is non-zero.
2164 // This non-zero value is returned as the result of the for_all_... function.
2165 // If for_all_... returns 0, it means that it successfully visited all items.
2166 
2167 /// The context info used by visitors
2168 struct op_parent_info_t
2169 {
2170  mba_t *mba; // current microcode
2171  mblock_t *blk; // current block
2172  minsn_t *topins; // top level instruction (parent of curins or curins itself)
2173  minsn_t *curins; // currently visited instruction
2174  op_parent_info_t(
2175  mba_t *_mba=NULL,
2176  mblock_t *_blk=NULL,
2177  minsn_t *_topins=NULL)
2178  : mba(_mba), blk(_blk), topins(_topins), curins(NULL) {}
2179  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2180  bool really_alloc(void) const;
2181 };
2182 
2183 /// Micro instruction visitor.
2184 /// See mba_t::for_all_topinsns, minsn_t::for_all_insns,
2185 /// mblock_::for_all_insns, mba_t::for_all_insns
2186 struct minsn_visitor_t : public op_parent_info_t
2187 {
2188  minsn_visitor_t(
2189  mba_t *_mba=NULL,
2190  mblock_t *_blk=NULL,
2191  minsn_t *_topins=NULL)
2192  : op_parent_info_t(_mba, _blk, _topins) {}
2193  virtual int idaapi visit_minsn(void) = 0;
2194 };
2195 
2196 /// Micro operand visitor.
2197 /// See mop_t::for_all_ops, minsn_t::for_all_ops, mblock_t::for_all_insns,
2198 /// mba_t::for_all_insns
2199 struct mop_visitor_t : public op_parent_info_t
2200 {
2201  mop_visitor_t(
2202  mba_t *_mba=NULL,
2203  mblock_t *_blk=NULL,
2204  minsn_t *_topins=NULL)
2205  : op_parent_info_t(_mba, _blk, _topins), prune(false) {}
2206  /// Should skip sub-operands of the current operand?
2207  /// visit_mop() may set 'prune=true' for that.
2208  bool prune;
2209  virtual int idaapi visit_mop(mop_t *op, const tinfo_t *type, bool is_target) = 0;
2210 };
2211 
2212 /// Scattered mop: visit each of the scattered locations as a separate mop.
2213 /// See mop_t::for_all_scattered_submops
2214 struct scif_visitor_t
2215 {
2216  virtual int idaapi visit_scif_mop(const mop_t &r, int off) = 0;
2217 };
2218 
2219 // Used operand visitor.
2220 // See mblock_t::for_all_uses
2221 struct mlist_mop_visitor_t
2222 {
2223  minsn_t *topins;
2224  minsn_t *curins;
2225  bool changed;
2226  mlist_t *list;
2227  mlist_mop_visitor_t(void): topins(NULL), curins(NULL), changed(false), list(NULL) {}
2228  virtual int idaapi visit_mop(mop_t *op) = 0;
2229 };
2230 
2231 //-------------------------------------------------------------------------
2232 /// Instruction operand types
2233 
2234 typedef uint8 mopt_t;
2235 const mopt_t
2236  mop_z = 0, ///< none
2237  mop_r = 1, ///< register (they exist until MMAT_LVARS)
2238  mop_n = 2, ///< immediate number constant
2239  mop_str = 3, ///< immediate string constant
2240  mop_d = 4, ///< result of another instruction
2241  mop_S = 5, ///< local stack variable (they exist until MMAT_LVARS)
2242  mop_v = 6, ///< global variable
2243  mop_b = 7, ///< micro basic block (mblock_t)
2244  mop_f = 8, ///< list of arguments
2245  mop_l = 9, ///< local variable
2246  mop_a = 10, ///< mop_addr_t: address of operand (mop_l, mop_v, mop_S, mop_r)
2247  mop_h = 11, ///< helper function
2248  mop_c = 12, ///< mcases
2249  mop_fn = 13, ///< floating point constant
2250  mop_p = 14, ///< operand pair
2251  mop_sc = 15; ///< scattered
2252 
2253 const int NOSIZE = -1; ///< wrong or unexisting operand size
2254 
2255 //-------------------------------------------------------------------------
2256 /// Reference to a local variable. Used by mop_l
2257 struct lvar_ref_t
2258 {
2259  /// Pointer to the parent mba_t object.
2260  /// Since we need to access the 'mba->vars' array in order to retrieve
2261  /// the referenced variable, we keep a pointer to mba_t here.
2262  /// Note: this means this class and consequently mop_t, minsn_t, mblock_t
2263  /// are specific to a mba_t object and cannot migrate between
2264  /// them. fortunately this is not something we need to do.
2265  /// second, lvar_ref_t's appear only after MMAT_LVARS.
2266  mba_t *const mba;
2267  sval_t off; ///< offset from the beginning of the variable
2268  int idx; ///< index into mba->vars
2269  lvar_ref_t(mba_t *m, int i, sval_t o=0) : mba(m), off(o), idx(i) {}
2270  lvar_ref_t(const lvar_ref_t &r) : mba(r.mba), off(r.off), idx(r.idx) {}
2271  lvar_ref_t &operator=(const lvar_ref_t &r)
2272  {
2273  off = r.off;
2274  idx = r.idx;
2275  return *this;
2276  }
2277  DECLARE_COMPARISONS(lvar_ref_t);
2278  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2279  void swap(lvar_ref_t &r)
2280  {
2281  std::swap(off, r.off);
2282  std::swap(idx, r.idx);
2283  }
2284  lvar_t &hexapi var(void) const; ///< Retrieve the referenced variable
2285 };
2286 
2287 //-------------------------------------------------------------------------
2288 /// Reference to a stack variable. Used for mop_S
2289 struct stkvar_ref_t
2290 {
2291  /// Pointer to the parent mba_t object.
2292  /// We need it in order to retrieve the referenced stack variable.
2293  /// See notes for lvar_ref_t::mba.
2294  mba_t *const mba;
2295 
2296  /// Offset to the stack variable from the bottom of the stack frame.
2297  /// It is called 'decompiler stkoff' and it is different from IDA stkoff.
2298  /// See a note and a picture about 'decompiler stkoff' below.
2299  sval_t off;
2300 
2301  stkvar_ref_t(mba_t *m, sval_t o) : mba(m), off(o) {}
2302  DECLARE_COMPARISONS(stkvar_ref_t);
2303  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2304  void swap(stkvar_ref_t &r)
2305  {
2306  std::swap(off, r.off);
2307  }
2308  /// Retrieve the referenced stack variable.
2309  /// \param p_off if specified, will hold IDA stkoff after the call.
2310  /// \return pointer to the stack variable
2311  member_t *hexapi get_stkvar(uval_t *p_off=NULL) const;
2312 };
2313 
2314 //-------------------------------------------------------------------------
2315 /// Scattered operand info. Used for mop_sc
2316 struct scif_t : public vdloc_t
2317 {
2318  /// Pointer to the parent mba_t object.
2319  /// Some operations may convert a scattered operand into something simpler,
2320  /// (a stack operand, for example). We will need to create stkvar_ref_t at
2321  /// that moment, this is why we need this pointer.
2322  /// See notes for lvar_ref_t::mba.
2323  mba_t *mba;
2324 
2325  /// Usually scattered operands are created from a function prototype,
2326  /// which has the name information. We preserve it and use it to name
2327  /// the corresponding local variable.
2328  qstring name;
2329 
2330  /// Scattered operands always have type info assigned to them
2331  /// because without it we won't be able to manipulte them.
2332  tinfo_t type;
2333 
2334  scif_t(mba_t *_mba, tinfo_t *tif, qstring *n=nullptr) : mba(_mba)
2335  {
2336  if ( n != nullptr )
2337  n->swap(name);
2338  tif->swap(type);
2339  }
2340  scif_t &operator =(const vdloc_t &loc)
2341  {
2342  *(vdloc_t *)this = loc;
2343  return *this;
2344  }
2345 };
2346 
2347 //-------------------------------------------------------------------------
2348 /// An integer constant. Used for mop_n
2349 /// We support 64-bit values but 128-bit values can be represented with mop_p
2350 struct mnumber_t : public operand_locator_t
2351 {
2352  uint64 value;
2353  uint64 org_value; // original value before changing the operand size
2354  mnumber_t(uint64 v, ea_t _ea=BADADDR, int n=0)
2355  : operand_locator_t(_ea, n), value(v), org_value(v) {}
2356  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2357  DECLARE_COMPARISONS(mnumber_t)
2358  {
2359  if ( value < r.value )
2360  return -1;
2361  if ( value > r.value )
2362  return -1;
2363  return 0;
2364  }
2365  // always use this function instead of manually modifying the 'value' field
2366  void update_value(uint64 val64)
2367  {
2368  value = val64;
2369  org_value = val64;
2370  }
2371 };
2372 
2373 //-------------------------------------------------------------------------
2374 /// Floating point constant. Used for mop_fn
2375 /// For more details, please see the ieee.h file from IDA SDK.
2376 struct fnumber_t
2377 {
2378  fpvalue_t fnum; ///< Internal representation of the number
2379  int nbytes; ///< Original size of the constant in bytes
2380  operator uint16 *(void) { return fnum.w; }
2381  operator const uint16 *(void) const { return fnum.w; }
2382  void hexapi print(qstring *vout) const;
2383  const char *hexapi dstr(void) const;
2384  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2385  DECLARE_COMPARISONS(fnumber_t)
2386  {
2387  return ecmp(fnum, r.fnum);
2388  }
2389 };
2390 
2391 //-------------------------------------------------------------------------
2392 /// \defgroup SHINS_ Bits to control how we print instructions
2393 //@{
2394 #define SHINS_NUMADDR 0x01 ///< display definition addresses for numbers
2395 #define SHINS_VALNUM 0x02 ///< display value numbers
2396 #define SHINS_SHORT 0x04 ///< do not display use-def chains and other attrs
2397 #define SHINS_LDXEA 0x08 ///< display address of ldx expressions (not used)
2398 //@}
2399 
2400 //-------------------------------------------------------------------------
2401 /// How to handle side effect of change_size()
2402 /// Sometimes we need to create a temporary operand and change its size in order
2403 /// to check some hypothesis. If we revert our changes, we do not want that the
2404 /// database (global variables, stack frame, etc) changes in any manner.
2405 enum side_effect_t
2406 {
2407  NO_SIDEFF, ///< change operand size but ignore side effects
2408  ///< if you decide to keep the changed operand,
2409  ///< handle_new_size() must be called
2410  WITH_SIDEFF, ///< change operand size and handle side effects
2411  ONLY_SIDEFF, ///< only handle side effects
2412  ANY_REGSIZE = 0x80, ///< any register size is permitted
2413  ANY_FPSIZE = 0x100, ///< any size of floating operand is permitted
2414 };
2415 
2416 //-------------------------------------------------------------------------
2417 /// A microinstruction operand.
2418 /// This is the smallest building block of our microcode.
2419 /// Operands will be part of instructions, which are then grouped into basic blocks.
2420 /// The microcode consists of an array of such basic blocks + some additional info.
2421 class mop_t
2422 {
2423  void hexapi copy(const mop_t &rop);
2424 public:
2425  /// Operand type.
2426  mopt_t t;
2427 
2428  /// Operand properties.
2429  uint8 oprops;
2430 #define OPROP_IMPDONE 0x01 ///< imported operand (a pointer) has been dereferenced
2431 #define OPROP_UDT 0x02 ///< a struct or union
2432 #define OPROP_FLOAT 0x04 ///< possibly floating value
2433 #define OPROP_CCFLAGS 0x08 ///< mop_n: a pc-relative value
2434  ///< else: value of a condition code register (like mr_cc)
2435 #define OPROP_UDEFVAL 0x10 ///< uses undefined value
2436 #define OPROP_LOWADDR 0x20 ///< a low address offset
2437 
2438  /// Value number.
2439  /// Zero means unknown.
2440  /// Operands with the same value number are equal.
2441  uint16 valnum;
2442 
2443  /// Operand size.
2444  /// Usually it is 1,2,4,8 or NOSIZE but for UDTs other sizes are permitted
2445  int size;
2446 
2447  /// The following union holds additional details about the operand.
2448  /// Depending on the operand type different kinds of info are stored.
2449  /// You should access these fields only after verifying the operand type.
2450  /// All pointers are owned by the operand and are freed by its destructor.
2451  union
2452  {
2453  mreg_t r; // mop_r register number
2454  mnumber_t *nnn; // mop_n immediate value
2455  minsn_t *d; // mop_d result (destination) of another instruction
2456  stkvar_ref_t *s; // mop_S stack variable
2457  ea_t g; // mop_v global variable (its linear address)
2458  int b; // mop_b block number (used in jmp,call instructions)
2459  mcallinfo_t *f; // mop_f function call information
2460  lvar_ref_t *l; // mop_l local variable
2461  mop_addr_t *a; // mop_a variable whose address is taken
2462  char *helper; // mop_h helper function name
2463  char *cstr; // mop_str utf8 string constant, user representation
2464  mcases_t *c; // mop_c cases
2465  fnumber_t *fpc; // mop_fn floating point constant
2466  mop_pair_t *pair; // mop_p operand pair
2467  scif_t *scif; // mop_sc scattered operand info
2468  };
2469  // -- End of data fields, member function declarations follow:
2470 
2471  void set_impptr_done(void) { oprops |= OPROP_IMPDONE; }
2472  void set_udt(void) { oprops |= OPROP_UDT; }
2473  void set_undef_val(void) { oprops |= OPROP_UDEFVAL; }
2474  void set_lowaddr(void) { oprops |= OPROP_LOWADDR; }
2475  bool is_impptr_done(void) const { return (oprops & OPROP_IMPDONE) != 0; }
2476  bool is_udt(void) const { return (oprops & OPROP_UDT) != 0; }
2477  bool probably_floating(void) const { return (oprops & OPROP_FLOAT) != 0; }
2478  bool is_undef_val(void) const { return (oprops & OPROP_UDEFVAL) != 0; }
2479  bool is_lowaddr(void) const { return (oprops & OPROP_LOWADDR) != 0; }
2480  bool is_ccflags(void) const
2481  {
2482  return (oprops & OPROP_CCFLAGS) != 0
2483  && (t == mop_l || t == mop_v || t == mop_S || t == mop_r);
2484  }
2485  bool is_pcval(void) const
2486  {
2487  return t == mop_n && (oprops & OPROP_CCFLAGS) != 0;
2488  }
2489 
2490  mop_t(void) { zero(); }
2491  mop_t(const mop_t &rop) { copy(rop); }
2492  mop_t(mreg_t _r, int _s) : t(mop_r), oprops(0), valnum(0), size(_s), r(_r) {}
2493  mop_t &operator=(const mop_t &rop) { return assign(rop); }
2494  mop_t &hexapi assign(const mop_t &rop);
2495  ~mop_t(void)
2496  {
2497  erase();
2498  }
2499  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2500  void zero(void) { t = mop_z; oprops = 0; valnum = 0; size = NOSIZE; nnn = NULL; }
2501  void hexapi swap(mop_t &rop);
2502  void hexapi erase(void);
2503  void erase_but_keep_size(void) { int s2 = size; erase(); size = s2; }
2504 
2505  void hexapi print(qstring *vout, int shins_flags=SHINS_SHORT|SHINS_VALNUM) const;
2506  const char *hexapi dstr(void) const; // use this function for debugging
2507 
2508  //-----------------------------------------------------------------------
2509  // Operand creation
2510  //-----------------------------------------------------------------------
2511  /// Create operand from mlist_t.
2512  /// Example: if LST contains 4 bits for R0.4, our operand will be
2513  /// (t=mop_r, r=R0, size=4)
2514  /// \param mba pointer to microcode
2515  /// \param lst list of locations
2516  /// \param fullsize mba->fullsize
2517  /// \return success
2518  bool hexapi create_from_mlist(mba_t *mba, const mlist_t &lst, sval_t fullsize);
2519 
2520  /// Create operand from ivlset_t.
2521  /// Example: if IVS contains [glbvar..glbvar+4), our operand will be
2522  /// (t=mop_v, g=&glbvar, size=4)
2523  /// \param mba pointer to microcode
2524  /// \param ivs set of memory intervals
2525  /// \param fullsize mba->fullsize
2526  /// \return success
2527  bool hexapi create_from_ivlset(mba_t *mba, const ivlset_t &ivs, sval_t fullsize);
2528 
2529  /// Create operand from vdloc_t.
2530  /// Example: if LOC contains (type=ALOC_REG1, r=R0), our operand will be
2531  /// (t=mop_r, r=R0, size=_SIZE)
2532  /// \param mba pointer to microcode
2533  /// \param loc location
2534  /// \param _size operand size
2535  /// Note: this function cannot handle scattered locations.
2536  /// \return success
2537  void hexapi create_from_vdloc(mba_t *mba, const vdloc_t &loc, int _size);
2538 
2539  /// Create operand from scattered vdloc_t.
2540  /// Example: if LOC is (ALOC_DIST, {EAX.4, EDX.4}) and TYPE is _LARGE_INTEGER,
2541  /// our operand will be
2542  /// (t=mop_sc, scif={EAX.4, EDX.4})
2543  /// \param mba pointer to microcode
2544  /// \param name name of the operand, if available
2545  /// \param type type of the operand, must be present
2546  /// \param loc a scattered location
2547  /// \return success
2548  void hexapi create_from_scattered_vdloc(
2549  mba_t *mba,
2550  const char *name,
2551  tinfo_t type,
2552  const vdloc_t &loc);
2553 
2554  /// Create operand from an instruction.
2555  /// This function creates a nested instruction that can be used as an operand.
2556  /// Example: if m="add x,y,z", our operand will be (t=mop_d,d=m).
2557  /// The destination operand of 'add' (z) is lost.
2558  /// \param m instruction to embed into operand. may not be NULL.
2559  void hexapi create_from_insn(const minsn_t *m);
2560 
2561  /// Create an integer constant operand.
2562  /// \param _value value to store in the operand
2563  /// \param _size size of the value in bytes (1,2,4,8)
2564  /// \param _ea address of the processor instruction that made the value
2565  /// \param opnum operand number of the processor instruction
2566  void hexapi make_number(uint64 _value, int _size, ea_t _ea=BADADDR, int opnum=0);
2567 
2568  /// Create a floating point constant operand.
2569  /// \param bytes pointer to the floating point value as used by the current
2570  /// processor (e.g. for x86 it must be in IEEE 754)
2571  /// \param _size number of bytes occupied by the constant.
2572  /// \return success
2573  bool hexapi make_fpnum(const void *bytes, size_t _size);
2574 
2575  /// Create a register operand without erasing previous data.
2576  /// \param reg micro register number
2577  /// Note: this function does not erase the previous contents of the operand;
2578  /// call erase() if necessary
2579  void _make_reg(mreg_t reg)
2580  {
2581  t = mop_r;
2582  r = reg;
2583  }
2584  void _make_reg(mreg_t reg, int _size)
2585  {
2586  t = mop_r;
2587  r = reg;
2588  size = _size;
2589  }
2590  /// Create a register operand.
2591  void make_reg(mreg_t reg) { erase(); _make_reg(reg); }
2592  void make_reg(mreg_t reg, int _size) { erase(); _make_reg(reg, _size); }
2593 
2594  /// Create a local variable operand.
2595  /// \param mba pointer to microcode
2596  /// \param idx index into mba->vars
2597  /// \param off offset from the beginning of the variable
2598  /// Note: this function does not erase the previous contents of the operand;
2599  /// call erase() if necessary
2600  void _make_lvar(mba_t *mba, int idx, sval_t off=0)
2601  {
2602  t = mop_l;
2603  l = new lvar_ref_t(mba, idx, off);
2604  }
2605 
2606  /// Create a global variable operand without erasing previous data.
2607  /// \param ea address of the variable
2608  /// Note: this function does not erase the previous contents of the operand;
2609  /// call erase() if necessary
2610  void _make_gvar(ea_t ea)
2611  {
2612  t = mop_v;
2613  g = ea;
2614  }
2615  /// Create a global variable operand.
2616  void make_gvar(ea_t ea) { erase(); _make_gvar(ea); }
2617 
2618  /// Create a stack variable operand.
2619  /// \param mba pointer to microcode
2620  /// \param off decompiler stkoff
2621  /// Note: this function does not erase the previous contents of the operand;
2622  /// call erase() if necessary
2623  void _make_stkvar(mba_t *mba, sval_t off)
2624  {
2625  t = mop_S;
2626  s = new stkvar_ref_t(mba, off);
2627  }
2628  void make_stkvar(mba_t *mba, sval_t off) { erase(); _make_stkvar(mba, off); }
2629 
2630  /// Create pair of registers.
2631  /// \param loreg register holding the low part of the value
2632  /// \param hireg register holding the high part of the value
2633  /// \param halfsize the size of each of loreg/hireg
2634  void hexapi make_reg_pair(int loreg, int hireg, int halfsize);
2635 
2636  /// Create a nested instruction without erasing previous data.
2637  /// \param ea address of the nested instruction
2638  /// Note: this function does not erase the previous contents of the operand;
2639  /// call erase() if necessary
2640  /// See also create_from_insn, which is higher level
2641  void _make_insn(minsn_t *ins);
2642  /// Create a nested instruction.
2643  void make_insn(minsn_t *ins) { erase(); _make_insn(ins); }
2644 
2645  /// Create a block reference operand without erasing previous data.
2646  /// \param blknum block number
2647  /// Note: this function does not erase the previous contents of the operand;
2648  /// call erase() if necessary
2649  void _make_blkref(int blknum)
2650  {
2651  t = mop_b;
2652  b = blknum;
2653  }
2654  /// Create a global variable operand.
2655  void make_blkref(int blknum) { erase(); _make_blkref(blknum); }
2656 
2657  /// Create a helper operand.
2658  /// A helper operand usually keeps a built-in function name like "va_start"
2659  /// It is essentially just an arbitrary identifier without any additional info.
2660  void hexapi make_helper(const char *name);
2661 
2662  /// Create a constant string operand.
2663  void _make_strlit(const char *str)
2664  {
2665  t = mop_str;
2666  cstr = ::qstrdup(str);
2667  }
2668  void _make_strlit(qstring *str) // str is consumed
2669  {
2670  t = mop_str;
2671  cstr = str->extract();
2672  }
2673 
2674  /// Create a call info operand without erasing previous data.
2675  /// \param fi callinfo
2676  /// Note: this function does not erase the previous contents of the operand;
2677  /// call erase() if necessary
2678  void _make_callinfo(mcallinfo_t *fi)
2679  {
2680  t = mop_f;
2681  f = fi;
2682  }
2683 
2684  /// Create a 'switch cases' operand without erasing previous data.
2685  /// Note: this function does not erase the previous contents of the operand;
2686  /// call erase() if necessary
2687  void _make_cases(mcases_t *_cases)
2688  {
2689  t = mop_c;
2690  c = _cases;
2691  }
2692 
2693  /// Create a pair operand without erasing previous data.
2694  /// Note: this function does not erase the previous contents of the operand;
2695  /// call erase() if necessary
2696  void _make_pair(mop_pair_t *_pair)
2697  {
2698  t = mop_p;
2699  pair = _pair;
2700  }
2701 
2702  //-----------------------------------------------------------------------
2703  // Various operand tests
2704  //-----------------------------------------------------------------------
2705  bool empty(void) const { return t == mop_z; }
2706  /// Is a register operand?
2707  /// See also get_mreg_name()
2708  bool is_reg(void) const { return t == mop_r; }
2709  /// Is the specified register?
2710  bool is_reg(mreg_t _r) const { return t == mop_r && r == _r; }
2711  /// Is the specified register of the specified size?
2712  bool is_reg(mreg_t _r, int _size) const { return t == mop_r && r == _r && size == _size; }
2713  /// Is a list of arguments?
2714  bool is_arglist(void) const { return t == mop_f; }
2715  /// Is a condition code?
2716  bool is_cc(void) const { return is_reg() && r >= mr_cf && r < mr_first; }
2717  /// Is a bit register?
2718  /// This includes condition codes and eventually other bit registers
2719  static bool hexapi is_bit_reg(mreg_t reg);
2720  bool is_bit_reg(void) const { return is_reg() && is_bit_reg(r); }
2721  /// Is a kernel register?
2722  bool is_kreg(void) const;
2723  /// Is a block reference to the specified block?
2724  bool is_mob(int serial) const { return t == mop_b && b == serial; }
2725  /// Is a scattered operand?
2726  bool is_scattered(void) const { return t == mop_sc; }
2727  /// Is address of a global memory cell?
2728  bool is_glbaddr() const;
2729  /// Is address of the specified global memory cell?
2730  bool is_glbaddr(ea_t ea) const;
2731  /// Is address of a stack variable?
2732  bool is_stkaddr() const;
2733  /// Is a sub-instruction?
2734  bool is_insn(void) const { return t == mop_d; }
2735  /// Is a sub-instruction with the specified opcode?
2736  bool is_insn(mcode_t code) const;
2737  /// Has any side effects?
2738  /// \param include_ldx_and_divs consider ldx/div/mod as having side effects?
2739  bool has_side_effects(bool include_ldx_and_divs=false) const;
2740  /// Is it possible for the operand to use aliased memory?
2741  bool hexapi may_use_aliased_memory(void) const;
2742 
2743  /// Are the possible values of the operand only 0 and 1?
2744  /// This function returns true for 0/1 constants, bit registers,
2745  /// the result of 'set' insns, etc.
2746  bool hexapi is01(void) const;
2747 
2748  /// Does the high part of the operand consist of the sign bytes?
2749  /// \param nbytes number of bytes that were sign extended.
2750  /// the remaining size-nbytes high bytes must be sign bytes
2751  /// Example: is_sign_extended_from(xds.4(op.1), 1) -> true
2752  /// because the high 3 bytes are certainly sign bits
2753  bool hexapi is_sign_extended_from(int nbytes) const;
2754 
2755  /// Does the high part of the operand consist of zero bytes?
2756  /// \param nbytes number of bytes that were zero extended.
2757  /// the remaining size-nbytes high bytes must be zero
2758  /// Example: is_zero_extended_from(xdu.8(op.1), 2) -> true
2759  /// because the high 6 bytes are certainly zero
2760  bool hexapi is_zero_extended_from(int nbytes) const;
2761 
2762  /// Does the high part of the operand consist of zero or sign bytes?
2763  bool is_extended_from(int nbytes, bool is_signed) const
2764  {
2765  if ( is_signed )
2766  return is_sign_extended_from(nbytes);
2767  else
2768  return is_zero_extended_from(nbytes);
2769  }
2770 
2771  //-----------------------------------------------------------------------
2772  // Comparisons
2773  //-----------------------------------------------------------------------
2774  /// Compare operands.
2775  /// This is the main comparison function for operands.
2776  /// \param rop operand to compare with
2777  /// \param eqflags combination of \ref EQ_ bits
2778  bool hexapi equal_mops(const mop_t &rop, int eqflags) const;
2779  bool operator==(const mop_t &rop) const { return equal_mops(rop, 0); }
2780  bool operator!=(const mop_t &rop) const { return !equal_mops(rop, 0); }
2781 
2782  /// Lexographical operand comparison.
2783  /// It can be used to store mop_t in various containers, like std::set
2784  bool operator <(const mop_t &rop) const { return lexcompare(rop) < 0; }
2785  friend int lexcompare(const mop_t &a, const mop_t &b) { return a.lexcompare(b); }
2786  int hexapi lexcompare(const mop_t &rop) const;
2787 
2788  //-----------------------------------------------------------------------
2789  // Visiting operand parts
2790  //-----------------------------------------------------------------------
2791  /// Visit the operand and all its sub-operands.
2792  /// This function visits the current operand as well.
2793  /// \param mv visitor object
2794  /// \param type operand type
2795  /// \param is_target is a destination operand?
2796  int hexapi for_all_ops(
2797  mop_visitor_t &mv,
2798  const tinfo_t *type=NULL,
2799  bool is_target=false);
2800 
2801  /// Visit all sub-operands of a scattered operand.
2802  /// This function does not visit the current operand, only its sub-operands.
2803  /// All sub-operands are synthetic and are destroyed after the visitor.
2804  /// This function works only with scattered operands.
2805  /// \param sv visitor object
2806  int hexapi for_all_scattered_submops(scif_visitor_t &sv) const;
2807 
2808  //-----------------------------------------------------------------------
2809  // Working with mop_n operands
2810  //-----------------------------------------------------------------------
2811  /// Retrieve value of a constant integer operand.
2812  /// These functions can be called only for mop_n operands.
2813  /// See is_constant() that can be called on any operand.
2814  uint64 value(bool is_signed) const { return extend_sign(nnn->value, size, is_signed); }
2815  int64 signed_value(void) const { return value(true); }
2816  uint64 unsigned_value(void) const { return value(false); }
2817  void update_numop_value(uint64 val)
2818  {
2819  nnn->update_value(extend_sign(val, size, false));
2820  }
2821 
2822  /// Retrieve value of a constant integer operand.
2823  /// \param out pointer to the output buffer
2824  /// \param is_signed should treat the value as signed
2825  /// \return true if the operand is mop_n
2826  bool hexapi is_constant(uint64 *out=NULL, bool is_signed=true) const;
2827 
2828  bool is_equal_to(uint64 n, bool is_signed=true) const
2829  {
2830  uint64 v;
2831  return is_constant(&v, is_signed) && v == n;
2832  }
2833  bool is_zero(void) const { return is_equal_to(0, false); }
2834  bool is_one(void) const { return is_equal_to(1, false); }
2835  bool is_positive_constant(void) const
2836  {
2837  uint64 v;
2838  return is_constant(&v, true) && int64(v) > 0;
2839  }
2840  bool is_negative_constant(void) const
2841  {
2842  uint64 v;
2843  return is_constant(&v, true) && int64(v) < 0;
2844  }
2845 
2846  //-----------------------------------------------------------------------
2847  // Working with mop_S operands
2848  //-----------------------------------------------------------------------
2849  /// Retrieve the referenced stack variable.
2850  /// \param p_off if specified, will hold IDA stkoff after the call.
2851  /// \return pointer to the stack variable
2852  member_t *get_stkvar(uval_t *p_off) const { return s->get_stkvar(p_off); }
2853 
2854  /// Get the referenced stack offset.
2855  /// This function can also handle mop_sc if it is entirely mapped into
2856  /// a continuous stack region.
2857  /// \param p_off the output buffer
2858  /// \return success
2859  bool hexapi get_stkoff(sval_t *p_off) const;
2860 
2861  //-----------------------------------------------------------------------
2862  // Working with mop_d operands
2863  //-----------------------------------------------------------------------
2864  /// Get subinstruction of the operand.
2865  /// If the operand has a subinstruction with the specified opcode, return it.
2866  /// \param code desired opcode
2867  /// \return pointer to the instruction or NULL
2868  const minsn_t *get_insn(mcode_t code) const;
2869  minsn_t *get_insn(mcode_t code);
2870 
2871  //-----------------------------------------------------------------------
2872  // Transforming operands
2873  //-----------------------------------------------------------------------
2874  /// Make the low part of the operand.
2875  /// This function takes into account the memory endianness (byte sex)
2876  /// \param width the desired size of the operand part in bytes
2877  /// \return success
2878  bool hexapi make_low_half(int width);
2879 
2880  /// Make the high part of the operand.
2881  /// This function takes into account the memory endianness (byte sex)
2882  /// \param width the desired size of the operand part in bytes
2883  /// \return success
2884  bool hexapi make_high_half(int width);
2885 
2886  /// Make the first part of the operand.
2887  /// This function does not care about the memory endianness
2888  /// \param width the desired size of the operand part in bytes
2889  /// \return success
2890  bool hexapi make_first_half(int width);
2891 
2892  /// Make the second part of the operand.
2893  /// This function does not care about the memory endianness
2894  /// \param width the desired size of the operand part in bytes
2895  /// \return success
2896  bool hexapi make_second_half(int width);
2897 
2898  /// Shift the operand.
2899  /// This function shifts only the beginning of the operand.
2900  /// The operand size will be changed.
2901  /// Examples: shift_mop(AH.1, -1) -> AX.2
2902  /// shift_mop(qword_00000008.8, 4) -> dword_0000000C.4
2903  /// shift_mop(xdu.8(op.4), 4) -> #0.4
2904  /// shift_mop(#0x12345678.4, 3) -> #12.1
2905  /// \param offset shift count (the number of bytes to shift)
2906  /// \return success
2907  bool hexapi shift_mop(int offset);
2908 
2909  /// Change the operand size.
2910  /// Examples: change_size(AL.1, 2) -> AX.2
2911  /// change_size(qword_00000008.8, 4) -> dword_00000008.4
2912  /// change_size(xdu.8(op.4), 4) -> op.4
2913  /// change_size(#0x12345678.4, 1) -> #0x78.1
2914  /// \param nsize new operand size
2915  /// \param sideff may modify the database because of the size change?
2916  /// \return success
2917  bool hexapi change_size(int nsize, side_effect_t sideff=WITH_SIDEFF);
2918  bool double_size(side_effect_t sideff=WITH_SIDEFF) { return change_size(size*2, sideff); }
2919 
2920  /// Move subinstructions with side effects out of the operand.
2921  /// If we decide to delete an instruction operand, it is a good idea to
2922  /// call this function. Alternatively we should skip such operands
2923  /// by calling mop_t::has_side_effects()
2924  /// For example, if we transform: jnz x, x, @blk => goto @blk
2925  /// then we must call this function before deleting the X operands.
2926  /// \param blk current block
2927  /// \param top top level instruction that contains our operand
2928  /// \param moved_calls pointer to the boolean that will track if all side
2929  /// effects get handled correctly. must be false initially.
2930  /// \return false failed to preserve a side effect, it is not safe to
2931  /// delete the operand
2932  /// true no side effects or successfully preserved them
2933  bool hexapi preserve_side_effects(
2934  mblock_t *blk,
2935  minsn_t *top,
2936  bool *moved_calls=NULL);
2937 
2938  /// Apply a unary opcode to the operand.
2939  /// \param mcode opcode to apply. it must accept 'l' and 'd' operands
2940  /// but not 'r'. examples: m_low/m_high/m_xds/m_xdu
2941  /// \param ea value of minsn_t::ea for the newly created insruction
2942  /// \param newsize new operand size
2943  /// Example: apply_ld_mcode(m_low) will convert op => low(op)
2944  void hexapi apply_ld_mcode(mcode_t mcode, ea_t ea, int newsize);
2945  void apply_xdu(ea_t ea, int newsize) { apply_ld_mcode(m_xdu, ea, newsize); }
2946  void apply_xds(ea_t ea, int newsize) { apply_ld_mcode(m_xds, ea, newsize); }
2947 };
2948 DECLARE_TYPE_AS_MOVABLE(mop_t);
2949 
2950 /// Pair of operands
2951 class mop_pair_t
2952 {
2953 public:
2954  mop_t lop; ///< low operand
2955  mop_t hop; ///< high operand
2956  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
2957 };
2958 
2959 /// Address of an operand (mop_l, mop_v, mop_S, mop_r)
2960 class mop_addr_t : public mop_t
2961 {
2962 public:
2963  int insize; // how many bytes of the pointed operand can be read
2964  int outsize; // how many bytes of the pointed operand can be written
2965 
2966  mop_addr_t(): insize(NOSIZE), outsize(NOSIZE) {}
2967  mop_addr_t(const mop_addr_t &ra)
2968  : mop_t(ra), insize(ra.insize), outsize(ra.outsize) {}
2969  mop_addr_t(const mop_t &ra, int isz, int osz)
2970  : mop_t(ra), insize(isz), outsize(osz) {}
2971 
2972  mop_addr_t &operator=(const mop_addr_t &rop)
2973  {
2974  *(mop_t *)this = mop_t(rop);
2975  insize = rop.insize;
2976  outsize = rop.outsize;
2977  return *this;
2978  }
2979  int lexcompare(const mop_addr_t &ra) const
2980  {
2981  int code = mop_t::lexcompare(ra);
2982  return code != 0 ? code
2983  : insize != ra.insize ? (insize-ra.insize)
2984  : outsize != ra.outsize ? (outsize-ra.outsize)
2985  : 0;
2986  }
2987 };
2988 
2989 /// A call argument
2990 class mcallarg_t : public mop_t // #callarg
2991 {
2992 public:
2993  ea_t ea = BADADDR; ///< address where the argument was initialized.
2994  ///< BADADDR means unknown.
2995  tinfo_t type; ///< formal argument type
2996  qstring name; ///< formal argument name
2997  argloc_t argloc; ///< ida argloc
2998  uint32 flags = 0; ///< FAI_...
2999 
3000  mcallarg_t() {}
3001  mcallarg_t(const mop_t &rarg) : mop_t(rarg) {}
3002  void copy_mop(const mop_t &op) { *(mop_t *)this = op; }
3003  void hexapi print(qstring *vout, int shins_flags=SHINS_SHORT|SHINS_VALNUM) const;
3004  const char *hexapi dstr(void) const;
3005  void hexapi set_regarg(mreg_t mr, int sz, const tinfo_t &tif);
3006  void set_regarg(mreg_t mr, const tinfo_t &tif)
3007  {
3008  set_regarg(mr, tif.get_size(), tif);
3009  }
3010  void set_regarg(mreg_t mr, char dt, type_sign_t sign = type_unsigned)
3011  {
3012  int sz = get_dtype_size(dt);
3013  set_regarg(mr, sz, get_int_type_by_width_and_sign(sz, sign));
3014  }
3015  void make_int(int val, ea_t val_ea, int opno = 0)
3016  {
3017  type = tinfo_t(BTF_INT);
3018  make_number(val, inf_get_cc_size_i(), val_ea, opno);
3019  }
3020  void make_uint(int val, ea_t val_ea, int opno = 0)
3021  {
3022  type = tinfo_t(BTF_UINT);
3023  make_number(val, inf_get_cc_size_i(), val_ea, opno);
3024  }
3025 };
3026 DECLARE_TYPE_AS_MOVABLE(mcallarg_t);
3027 typedef qvector<mcallarg_t> mcallargs_t;
3028 
3029 /// Function roles.
3030 /// They are used to calculate use/def lists and to recognize functions
3031 /// without using string comparisons.
3032 enum funcrole_t
3033 {
3034  ROLE_UNK, ///< unknown function role
3035  ROLE_EMPTY, ///< empty, does not do anything (maybe spoils regs)
3036  ROLE_MEMSET, ///< memset(void *dst, uchar value, size_t count);
3037  ROLE_MEMSET32, ///< memset32(void *dst, uint32 value, size_t count);
3038  ROLE_MEMSET64, ///< memset32(void *dst, uint64 value, size_t count);
3039  ROLE_MEMCPY, ///< memcpy(void *dst, const void *src, size_t count);
3040  ROLE_STRCPY, ///< strcpy(char *dst, const char *src);
3041  ROLE_STRLEN, ///< strlen(const char *src);
3042  ROLE_STRCAT, ///< strcat(char *dst, const char *src);
3043  ROLE_TAIL, ///< char *tail(const char *str);
3044  ROLE_BUG, ///< BUG() helper macro: never returns, causes exception
3045  ROLE_ALLOCA, ///< alloca() function
3046  ROLE_BSWAP, ///< bswap() function (any size)
3047  ROLE_PRESENT, ///< present() function (used in patterns)
3048  ROLE_CONTAINING_RECORD, ///< CONTAINING_RECORD() macro
3049  ROLE_FASTFAIL, ///< __fastfail()
3050  ROLE_READFLAGS, ///< __readeflags, __readcallersflags
3051  ROLE_IS_MUL_OK, ///< is_mul_ok
3052  ROLE_SATURATED_MUL, ///< saturated_mul
3053  ROLE_BITTEST, ///< [lock] bt
3054  ROLE_BITTESTANDSET, ///< [lock] bts
3055  ROLE_BITTESTANDRESET, ///< [lock] btr
3056  ROLE_BITTESTANDCOMPLEMENT, ///< [lock] btc
3057  ROLE_VA_ARG, ///< va_arg() macro
3058  ROLE_VA_COPY, ///< va_copy() function
3059  ROLE_VA_START, ///< va_start() function
3060  ROLE_VA_END, ///< va_end() function
3061  ROLE_ROL, ///< rotate left
3062  ROLE_ROR, ///< rotate right
3063  ROLE_CFSUB3, ///< carry flag after subtract with carry
3064  ROLE_OFSUB3, ///< overflow flag after subtract with carry
3065  ROLE_ABS, ///< integer absolute value
3066  ROLE_3WAYCMP0, ///< 3-way compare helper, returns -1/0/1
3067  ROLE_3WAYCMP1, ///< 3-way compare helper, returns 0/1/2
3068  ROLE_WMEMCPY, ///< wchar_t *wmemcpy(wchar_t *dst, const wchar_t *src, size_t n)
3069  ROLE_WMEMSET, ///< wchar_t *wmemset(wchar_t *dst, wchar_t wc, size_t n)
3070  ROLE_WCSCPY, ///< wchar_t *wcscpy(wchar_t *dst, const wchar_t *src);
3071  ROLE_WCSLEN, ///< size_t wcslen(const wchar_t *s)
3072  ROLE_WCSCAT, ///< wchar_t *wcscat(wchar_t *dst, const wchar_t *src)
3073  ROLE_SSE_CMP4, ///< e.g. _mm_cmpgt_ss
3074  ROLE_SSE_CMP8, ///< e.g. _mm_cmpgt_sd
3075 };
3076 
3077 /// \defgroup FUNC_NAME_ Well known function names
3078 //@{
3079 #define FUNC_NAME_MEMCPY "memcpy"
3080 #define FUNC_NAME_WMEMCPY "wmemcpy"
3081 #define FUNC_NAME_MEMSET "memset"
3082 #define FUNC_NAME_WMEMSET "wmemset"
3083 #define FUNC_NAME_MEMSET32 "memset32"
3084 #define FUNC_NAME_MEMSET64 "memset64"
3085 #define FUNC_NAME_STRCPY "strcpy"
3086 #define FUNC_NAME_WCSCPY "wcscpy"
3087 #define FUNC_NAME_STRLEN "strlen"
3088 #define FUNC_NAME_WCSLEN "wcslen"
3089 #define FUNC_NAME_STRCAT "strcat"
3090 #define FUNC_NAME_WCSCAT "wcscat"
3091 #define FUNC_NAME_TAIL "tail"
3092 #define FUNC_NAME_VA_ARG "va_arg"
3093 #define FUNC_NAME_EMPTY "$empty"
3094 #define FUNC_NAME_PRESENT "$present"
3095 #define FUNC_NAME_CONTAINING_RECORD "CONTAINING_RECORD"
3096 //@}
3097 
3098 
3099 // the default 256 function arguments is too big, we use a lower value
3100 #undef MAX_FUNC_ARGS
3101 #define MAX_FUNC_ARGS 64
3102 
3103 /// Information about a call
3104 class mcallinfo_t // #callinfo
3105 {
3106 public:
3107  ea_t callee; ///< address of the called function, if known
3108  int solid_args; ///< number of solid args.
3109  ///< there may be variadic args in addtion
3110  int call_spd; ///< sp value at call insn
3111  int stkargs_top; ///< first offset past stack arguments
3112  cm_t cc; ///< calling convention
3113  mcallargs_t args; ///< call arguments
3114  mopvec_t retregs; ///< return register(s) (e.g., AX, AX:DX, etc.)
3115  ///< this vector is built from return_regs
3116  tinfo_t return_type; ///< type of the returned value
3117  argloc_t return_argloc; ///< location of the returned value
3118 
3119  mlist_t return_regs; ///< list of values returned by the function
3120  mlist_t spoiled; ///< list of spoiled locations (includes return_regs)
3121  mlist_t pass_regs; ///< passthrough registers: registers that depend on input
3122  ///< values (subset of spoiled)
3123  ivlset_t visible_memory; ///< what memory is visible to the call?
3124  mlist_t dead_regs; ///< registers defined by the function but never used.
3125  ///< upon propagation we do the following:
3126  ///< - dead_regs += return_regs
3127  ///< - retregs.clear() since the call is propagated
3128  int flags; ///< combination of \ref FCI_... bits
3129 /// \defgroup FCI_ Call properties
3130 //@{
3131 #define FCI_PROP 0x001 ///< call has been propagated
3132 #define FCI_DEAD 0x002 ///< some return registers were determined dead
3133 #define FCI_FINAL 0x004 ///< call type is final, should not be changed
3134 #define FCI_NORET 0x008 ///< call does not return
3135 #define FCI_PURE 0x010 ///< pure function
3136 #define FCI_NOSIDE 0x020 ///< call does not have side effects
3137 #define FCI_SPLOK 0x040 ///< spoiled/visible_memory lists have been
3138  ///< optimized. for some functions we can reduce them
3139  ///< as soon as information about the arguments becomes
3140  ///< available. in order not to try optimize them again
3141  ///< we use this bit.
3142 #define FCI_HASCALL 0x080 ///< A function is an synthetic helper combined
3143  ///< from several instructions and at least one
3144  ///< of them was a call to a real functions
3145 #define FCI_HASFMT 0x100 ///< A variadic function with recognized
3146  ///< printf- or scanf-style format string
3147 //@}
3148  funcrole_t role; ///< function role
3149  type_attrs_t fti_attrs; ///< extended function attributes
3150 
3151  mcallinfo_t(ea_t _callee=BADADDR, int _sargs=0)
3152  : callee(_callee), solid_args(_sargs), call_spd(0), stkargs_top(0),
3153  cc(CM_CC_INVALID), flags(0), role(ROLE_UNK) {}
3154  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
3155  int hexapi lexcompare(const mcallinfo_t &f) const;
3156  bool hexapi set_type(const tinfo_t &type);
3157  tinfo_t hexapi get_type(void) const;
3158  bool is_vararg(void) const { return is_vararg_cc(cc); }
3159  void hexapi print(qstring *vout, int size=-1, int shins_flags=SHINS_SHORT|SHINS_VALNUM) const;
3160  const char *hexapi dstr(void) const;
3161 };
3162 
3163 /// List of switch cases and targets
3164 class mcases_t // #cases
3165 {
3166 public:
3167  casevec_t values; ///< expression values for each target
3168  intvec_t targets; ///< target block numbers
3169 
3170  void swap(mcases_t &r) { values.swap(r.values); targets.swap(r.targets); }
3171  DECLARE_COMPARISONS(mcases_t);
3172  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
3173  bool empty(void) const { return targets.empty(); }
3174  size_t size(void) const { return targets.size(); }
3175  void resize(int s) { values.resize(s); targets.resize(s); }
3176  void hexapi print(qstring *vout) const;
3177  const char *hexapi dstr(void) const;
3178 };
3179 
3180 //-------------------------------------------------------------------------
3181 /// Value offset (microregister number or stack offset)
3182 struct voff_t
3183 {
3184  sval_t off; ///< register number or stack offset
3185  mopt_t type; ///< mop_r - register, mop_S - stack, mop_z - undefined
3186 
3187  voff_t() : off(-1), type(mop_z) {}
3188  voff_t(mopt_t _type, sval_t _off) : off(_off), type(_type) {}
3189  voff_t(const mop_t &op) : off(-1), type(mop_z)
3190  {
3191  if ( op.is_reg() || op.t == mop_S )
3192  set(op.t, op.is_reg() ? op.r : op.s->off);
3193  }
3194 
3195  void set(mopt_t _type, sval_t _off) { type = _type; off = _off; }
3196  void set_stkoff(sval_t stkoff) { set(mop_S, stkoff); }
3197  void set_reg(mreg_t mreg) { set(mop_r, mreg); }
3198  void undef() { set(mop_z, -1); }
3199 
3200  bool defined() const { return type != mop_z; }
3201  bool is_reg() const { return type == mop_r; }
3202  bool is_stkoff() const { return type == mop_S; }
3203  mreg_t get_reg() const { QASSERT(51892, is_reg()); return off; }
3204  sval_t get_stkoff() const { QASSERT(51893, is_stkoff()); return off; }
3205 
3206  void inc(sval_t delta) { off += delta; }
3207  voff_t add(int width) const { return voff_t(type, off+width); }
3208  sval_t diff(const voff_t &r) const { QASSERT(51894, type == r.type); return off - r.off; }
3209 
3210  DECLARE_COMPARISONS(voff_t)
3211  {
3212  int code = ::compare(type, r.type);
3213  return code != 0 ? code : ::compare(off, r.off);
3214  }
3215 };
3216 
3217 //-------------------------------------------------------------------------
3218 /// Value interval (register or stack range)
3219 struct vivl_t : voff_t
3220 {
3221  int size; ///< Interval size in bytes
3222 
3223  vivl_t(mopt_t _type = mop_z, sval_t _off = -1, int _size = 0)
3224  : voff_t(_type, _off), size(_size) {}
3225  vivl_t(const class chain_t &ch);
3226  vivl_t(const mop_t &op) : voff_t(op), size(op.size) {}
3227 
3228  // Make a value interval
3229  void set(mopt_t _type, sval_t _off, int _size = 0)
3230  { voff_t::set(_type, _off); size = _size; }
3231  void set(const voff_t &voff, int _size)
3232  { set(voff.type, voff.off, _size); }
3233  void set_stkoff(sval_t stkoff, int sz = 0) { set(mop_S, stkoff, sz); }
3234  void set_reg (mreg_t mreg, int sz = 0) { set(mop_r, mreg, sz); }
3235 
3236  /// Extend a value interval using another value interval of the same type
3237  /// \return success
3238  bool hexapi extend_to_cover(const vivl_t &r);
3239 
3240  /// Intersect value intervals the same type
3241  /// \return size of the resulting intersection
3242  uval_t hexapi intersect(const vivl_t &r);
3243 
3244  /// Do two value intervals overlap?
3245  bool overlap(const vivl_t &r) const
3246  {
3247  return type == r.type
3248  && interval::overlap(off, size, r.off, r.size);
3249  }
3250  /// Does our value interval include another?
3251  bool includes(const vivl_t &r) const
3252  {
3253  return type == r.type
3254  && interval::includes(off, size, r.off, r.size);
3255  }
3256 
3257  /// Does our value interval contain the specified value offset?
3258  bool contains(const voff_t &voff2) const
3259  {
3260  return type == voff2.type
3261  && interval::contains(off, size, voff2.off);
3262  }
3263 
3264  // Comparisons
3265  DECLARE_COMPARISONS(vivl_t)
3266  {
3267  int code = voff_t::compare(r);
3268  return code; //return code != 0 ? code : ::compare(size, r.size);
3269  }
3270  bool operator==(const mop_t &mop) const
3271  {
3272  return type == mop.t && off == (mop.is_reg() ? mop.r : mop.s->off);
3273  }
3274  void hexapi print(qstring *vout) const;
3275  const char *hexapi dstr(void) const;
3276 };
3277 
3278 //-------------------------------------------------------------------------
3279 /// ud (use->def) and du (def->use) chain.
3280 /// We store in chains only the block numbers, not individual instructions
3281 /// See https://en.wikipedia.org/wiki/Use-define_chain
3282 class chain_t : public intvec_t // sequence of block numbers
3283 {
3284  voff_t k; ///< Value offset of the chain.
3285  ///< (what variable is this chain about)
3286 
3287 public:
3288  int width; ///< size of the value in bytes
3289  int varnum; ///< allocated variable index (-1 - not allocated yet)
3290  uchar flags; ///< combination \ref CHF_ bits
3291 /// \defgroup CHF_ Chain properties
3292 //@{
3293 #define CHF_INITED 0x01 ///< is chain initialized? (valid only after lvar allocation)
3294 #define CHF_REPLACED 0x02 ///< chain operands have been replaced?
3295 #define CHF_OVER 0x04 ///< overlapped chain
3296 #define CHF_FAKE 0x08 ///< fake chain created by widen_chains()
3297 #define CHF_PASSTHRU 0x10 ///< pass-thru chain, must use the input variable to the block
3298 #define CHF_TERM 0x20 ///< terminating chain; the variable does not survive across the block
3299 //@}
3300  chain_t() : width(0), varnum(-1), flags(CHF_INITED) {}
3301  chain_t(mopt_t t, sval_t off, int w=1, int v=-1)
3302  : k(t, off), width(w), varnum(v), flags(CHF_INITED) {}
3303  chain_t(const voff_t &_k, int w=1)
3304  : k(_k), width(w), varnum(-1), flags(CHF_INITED) {}
3305  void set_value(const chain_t &r)
3306  { width = r.width; varnum = r.varnum; flags = r.flags; *(intvec_t *)this = (intvec_t &)r; }
3307  const voff_t &key() const { return k; }
3308  bool is_inited(void) const { return (flags & CHF_INITED) != 0; }
3309  bool is_reg(void) const { return k.is_reg(); }
3310  bool is_stkoff(void) const { return k.is_stkoff(); }
3311  bool is_replaced(void) const { return (flags & CHF_REPLACED) != 0; }
3312  bool is_overlapped(void) const { return (flags & CHF_OVER) != 0; }
3313  bool is_fake(void) const { return (flags & CHF_FAKE) != 0; }
3314  bool is_passreg(void) const { return (flags & CHF_PASSTHRU) != 0; }
3315  bool is_term(void) const { return (flags & CHF_TERM) != 0; }
3316  void set_inited(bool b) { setflag(flags, CHF_INITED, b); }
3317  void set_replaced(bool b) { setflag(flags, CHF_REPLACED, b); }
3318  void set_overlapped(bool b) { setflag(flags, CHF_OVER, b); }
3319  void set_term(bool b) { setflag(flags, CHF_TERM, b); }
3320  mreg_t get_reg() const { return k.get_reg(); }
3321  sval_t get_stkoff() const { return k.get_stkoff(); }
3322  bool overlap(const chain_t &r) const
3323  { return k.type == r.k.type && interval::overlap(k.off, width, r.k.off, r.width); }
3324  bool includes(const chain_t &r) const
3325  { return k.type == r.k.type && interval::includes(k.off, width, r.k.off, r.width); }
3326  const voff_t endoff() const { return k.add(width); }
3327 
3328  bool operator<(const chain_t &r) const { return key() < r.key(); }
3329 
3330  void hexapi print(qstring *vout) const;
3331  const char *hexapi dstr(void) const;
3332  /// Append the contents of the chain to the specified list of locations.
3333  void hexapi append_list(const mba_t *mba, mlist_t *list) const;
3334  void clear_varnum(void) { varnum = -1; set_replaced(false); }
3335 };
3336 
3337 //-------------------------------------------------------------------------
3338 #if defined(__NT__)
3339 #define SIZEOF_BLOCK_CHAINS 24
3340 #elif defined(__MAC__)
3341 #define SIZEOF_BLOCK_CHAINS 32
3342 #else
3343 #define SIZEOF_BLOCK_CHAINS 56
3344 #endif
3345 /// Chains of one block.
3346 /// Please note that this class is based on std::map and it must be accessed
3347 /// using the block_chains_begin(), block_chains_find() and similar functions.
3348 /// This is required because different compilers use different implementations
3349 /// of std::map. However, since the size of std::map depends on the compilation
3350 /// options, we replace it with a byte array.
3351 class block_chains_t
3352 {
3353  size_t body[SIZEOF_BLOCK_CHAINS/sizeof(size_t)]; // opaque std::set, uncopyable
3354 public:
3355 
3356  /// Get chain for the specified register
3357  /// \param reg register number
3358  /// \param width size of register in bytes
3359  const chain_t *get_reg_chain(mreg_t reg, int width=1) const
3360  { return get_chain((chain_t(mop_r, reg, width))); }
3361  chain_t *get_reg_chain(mreg_t reg, int width=1)
3362  { return get_chain((chain_t(mop_r, reg, width))); }
3363 
3364  /// Get chain for the specified stack offset
3365  /// \param off stack offset
3366  /// \param width size of stack value in bytes
3367  const chain_t *get_stk_chain(sval_t off, int width=1) const
3368  { return get_chain(chain_t(mop_S, off, width)); }
3369  chain_t *get_stk_chain(sval_t off, int width=1)
3370  { return get_chain(chain_t(mop_S, off, width)); }
3371 
3372  /// Get chain for the specified value offset.
3373  /// \param k value offset (register number or stack offset)
3374  /// \param width size of value in bytes
3375  const chain_t *get_chain(const voff_t &k, int width=1) const
3376  { return get_chain(chain_t(k, width)); }
3377  chain_t *get_chain(const voff_t &k, int width=1)
3378  { return (chain_t*)((const block_chains_t *)this)->get_chain(k, width); }
3379 
3380  /// Get chain similar to the specified chain
3381  /// \param ch chain to search for. only its 'k' and 'width' are used.
3382  const chain_t *hexapi get_chain(const chain_t &ch) const;
3383  chain_t *get_chain(const chain_t &ch)
3384  { return (chain_t*)((const block_chains_t *)this)->get_chain(ch); }
3385 
3386  void hexapi print(qstring *vout) const;
3387  const char *hexapi dstr(void) const;
3388  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
3389 };
3390 //-------------------------------------------------------------------------
3391 /// Chain visitor class
3392 struct chain_visitor_t
3393 {
3394  block_chains_t *parent; ///< parent of the current chain
3395  chain_visitor_t(void) : parent(NULL) {}
3396  virtual int idaapi visit_chain(int nblock, chain_t &ch) = 0;
3397 };
3398 
3399 //-------------------------------------------------------------------------
3400 /// Graph chains.
3401 /// This class represents all ud and du chains of the decompiled function
3402 typedef qvector<block_chains_t> block_chains_vec_t;
3403 class graph_chains_t : public block_chains_vec_t
3404 {
3405  int lock; ///< are chained locked? (in-use)
3406 public:
3407  graph_chains_t(void) : lock(0) {}
3408  ~graph_chains_t(void) { QASSERT(50444, !lock); }
3409  /// Visit all chains
3410  /// \param cv chain visitor
3411  /// \param gca_flags combination of GCA_ bits
3412  int hexapi for_all_chains(chain_visitor_t &cv, int gca_flags);
3413  /// \defgroup GCA_ chain visitor flags
3414  //@{
3415 #define GCA_EMPTY 0x01 ///< include empty chains
3416 #define GCA_SPEC 0x02 ///< include chains for special registers
3417 #define GCA_ALLOC 0x04 ///< enumerate only allocated chains
3418 #define GCA_NALLOC 0x08 ///< enumerate only non-allocated chains
3419 #define GCA_OFIRST 0x10 ///< consider only chains of the first block
3420 #define GCA_OLAST 0x20 ///< consider only chains of the last block
3421  //@}
3422  /// Are the chains locked?
3423  /// It is a good idea to lock the chains before using them. This ensures
3424  /// that they won't be recalculated and reallocated during the use.
3425  /// See the \ref chain_keeper_t class for that.
3426  bool is_locked(void) const { return lock != 0; }
3427  /// Lock the chains
3428  void acquire(void) { lock++; }
3429  /// Unlock the chains
3430  void hexapi release(void);
3431  void swap(graph_chains_t &r)
3432  {
3433  qvector<block_chains_t>::swap(r);
3434  std::swap(lock, r.lock);
3435  }
3436 };
3437 //-------------------------------------------------------------------------
3438 /// Microinstruction class #insn
3439 class minsn_t
3440 {
3441  void hexapi init(ea_t _ea);
3442  void hexapi copy(const minsn_t &m);
3443 public:
3444  mcode_t opcode; ///< instruction opcode
3445  int iprops; ///< combination of \ref IPROP_ bits
3446  minsn_t *next; ///< next insn in doubly linked list. check also nexti()
3447  minsn_t *prev; ///< prev insn in doubly linked list. check also previ()
3448  ea_t ea; ///< instruction address
3449  mop_t l; ///< left operand
3450  mop_t r; ///< right operand
3451  mop_t d; ///< destination operand
3452 
3453  /// \defgroup IPROP_ instruction property bits
3454  //@{
3455  // bits to be used in patterns:
3456 #define IPROP_OPTIONAL 0x0001 ///< optional instruction
3457 #define IPROP_PERSIST 0x0002 ///< persistent insn; they are not destroyed
3458 #define IPROP_WILDMATCH 0x0004 ///< match multiple insns
3459 
3460  // instruction attributes:
3461 #define IPROP_CLNPOP 0x0008 ///< the purpose of the instruction is to clean stack
3462  ///< (e.g. "pop ecx" is often used for that)
3463 #define IPROP_FPINSN 0x0010 ///< floating point insn
3464 #define IPROP_FARCALL 0x0020 ///< call of a far function using push cs/call sequence
3465 #define IPROP_TAILCALL 0x0040 ///< tail call
3466 #define IPROP_ASSERT 0x0080 ///< assertion: usually mov #val, op.
3467  ///< assertions are used to help the optimizer.
3468  ///< assertions are ignored when generating ctree
3469 
3470  // instruction history:
3471 #define IPROP_SPLIT 0x0700 ///< the instruction has been split:
3472 #define IPROP_SPLIT1 0x0100 ///< into 1 byte
3473 #define IPROP_SPLIT2 0x0200 ///< into 2 bytes
3474 #define IPROP_SPLIT4 0x0300 ///< into 4 bytes
3475 #define IPROP_SPLIT8 0x0400 ///< into 8 bytes
3476 #define IPROP_COMBINED 0x0800 ///< insn has been modified because of a partial reference
3477 #define IPROP_EXTSTX 0x1000 ///< this is m_ext propagated into m_stx
3478 #define IPROP_IGNLOWSRC 0x2000 ///< low part of the instruction source operand
3479  ///< has been created artificially
3480  ///< (this bit is used only for 'and x, 80...')
3481 #define IPROP_INV_JX 0x4000 ///< inverted conditional jump
3482 #define IPROP_WAS_NORET 0x8000 ///< was noret icall
3483 #define IPROP_MULTI_MOV 0x10000 ///< the minsn was generated as part of insn that moves multiple registers
3484  ///< (example: STM on ARM may transfer multiple registers)
3485 
3486  ///< bits that can be set by plugins:
3487 #define IPROP_DONT_PROP 0x20000 ///< may not propagate
3488 #define IPROP_DONT_COMB 0x40000 ///< may not combine this instruction with others
3489 #define IPROP_MBARRIER 0x80000 ///< this instruction acts as a memory barrier
3490  ///< (instructions accessing memory may not be reordered past it)
3491  //@}
3492 
3493  bool is_optional(void) const { return (iprops & IPROP_OPTIONAL) != 0; }
3494  bool is_combined(void) const { return (iprops & IPROP_COMBINED) != 0; }
3495  bool is_farcall(void) const { return (iprops & IPROP_FARCALL) != 0; }
3496  bool is_cleaning_pop(void) const { return (iprops & IPROP_CLNPOP) != 0; }
3497  bool is_extstx(void) const { return (iprops & IPROP_EXTSTX) != 0; }
3498  bool is_tailcall(void) const { return (iprops & IPROP_TAILCALL) != 0; }
3499  bool is_fpinsn(void) const { return (iprops & IPROP_FPINSN) != 0; }
3500  bool is_assert(void) const { return (iprops & IPROP_ASSERT) != 0; }
3501  bool is_persistent(void) const { return (iprops & IPROP_PERSIST) != 0; }
3502  bool is_wild_match(void) const { return (iprops & IPROP_WILDMATCH) != 0; }
3503  bool is_propagatable(void) const { return (iprops & IPROP_DONT_PROP) == 0; }
3504  bool is_ignlowsrc(void) const { return (iprops & IPROP_IGNLOWSRC) != 0; }
3505  bool is_inverted_jx(void) const { return (iprops & IPROP_INV_JX) != 0; }
3506  bool was_noret_icall(void) const { return (iprops & IPROP_WAS_NORET) != 0; }
3507  bool is_multimov(void) const { return (iprops & IPROP_MULTI_MOV) != 0; }
3508  bool is_combinable(void) const { return (iprops & IPROP_DONT_COMB) == 0; }
3509  bool was_split(void) const { return (iprops & IPROP_SPLIT) != 0; }
3510  bool is_mbarrier(void) const { return (iprops & IPROP_MBARRIER) != 0; }
3511 
3512  void set_optional(void) { iprops |= IPROP_OPTIONAL; }
3513  void hexapi set_combined(void);
3514  void clr_combined(void) { iprops &= ~IPROP_COMBINED; }
3515  void set_farcall(void) { iprops |= IPROP_FARCALL; }
3516  void set_cleaning_pop(void) { iprops |= IPROP_CLNPOP; }
3517  void set_extstx(void) { iprops |= IPROP_EXTSTX; }
3518  void set_tailcall(void) { iprops |= IPROP_TAILCALL; }
3519  void clr_tailcall(void) { iprops &= ~IPROP_TAILCALL; }
3520  void set_fpinsn(void) { iprops |= IPROP_FPINSN; }
3521  void clr_fpinsn(void) { iprops &= ~IPROP_FPINSN; }
3522  void set_assert(void) { iprops |= IPROP_ASSERT; }
3523  void clr_assert(void) { iprops &= ~IPROP_ASSERT; }
3524  void set_persistent(void) { iprops |= IPROP_PERSIST; }
3525  void set_wild_match(void) { iprops |= IPROP_WILDMATCH; }
3526  void clr_propagatable(void) { iprops |= IPROP_DONT_PROP; }
3527  void set_ignlowsrc(void) { iprops |= IPROP_IGNLOWSRC; }
3528  void clr_ignlowsrc(void) { iprops &= ~IPROP_IGNLOWSRC; }
3529  void set_inverted_jx(void) { iprops |= IPROP_INV_JX; }
3530  void set_noret_icall(void) { iprops |= IPROP_WAS_NORET; }
3531  void clr_noret_icall(void) { iprops &= ~IPROP_WAS_NORET; }
3532  void set_multimov(void) { iprops |= IPROP_MULTI_MOV; }
3533  void clr_multimov(void) { iprops &= ~IPROP_MULTI_MOV; }
3534  void set_combinable(void) { iprops &= ~IPROP_DONT_COMB; }
3535  void clr_combinable(void) { iprops |= IPROP_DONT_COMB; }
3536  void set_mbarrier(void) { iprops |= IPROP_MBARRIER; }
3537  void set_split_size(int s)
3538  { // s may be only 1,2,4,8. other values are ignored
3539  iprops &= ~IPROP_SPLIT;
3540  iprops |= (s == 1 ? IPROP_SPLIT1
3541  : s == 2 ? IPROP_SPLIT2
3542  : s == 4 ? IPROP_SPLIT4
3543  : s == 8 ? IPROP_SPLIT8 : 0);
3544  }
3545  int get_split_size(void) const
3546  {
3547  int cnt = (iprops & IPROP_SPLIT) >> 8;
3548  return cnt == 0 ? 0 : 1 << (cnt-1);
3549  }
3550 
3551  /// Constructor
3552  minsn_t(ea_t _ea) { init(_ea); }
3553  minsn_t(const minsn_t &m) { next = prev = NULL; copy(m); }
3554  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
3555 
3556  /// Assignment operator. It does not copy prev/next fields.
3557  minsn_t &operator=(const minsn_t &m) { copy(m); return *this; }
3558 
3559  /// Swap two instructions.
3560  /// The prev/next fields are not modified by this function
3561  /// because it would corrupt the doubly linked list.
3562  void hexapi swap(minsn_t &m);
3563 
3564  /// Generate insn text into the buffer
3565  void hexapi print(qstring *vout, int shins_flags=SHINS_SHORT|SHINS_VALNUM) const;
3566 
3567  /// Get displayable text without tags in a static buffer
3568  const char *hexapi dstr(void) const;
3569 
3570  /// Change the instruction address.
3571  /// This function modifies subinstructions as well.
3572  void hexapi setaddr(ea_t new_ea);
3573 
3574  /// Optimize one instruction without context.
3575  /// This function does not have access to the instruction context (the
3576  /// previous and next instructions in the list, the block number, etc).
3577  /// It performs only basic optimizations that are available without this info.
3578  /// \param optflags combination of \ref OPTI_ bits
3579  /// \return number of changes, 0-unchanged
3580  /// See also mblock_t::optimize_insn()
3581  int optimize_solo(int optflags=0) { return optimize_subtree(NULL, NULL, NULL, NULL, optflags); }
3582  /// \defgroup OPTI_ optimization flags
3583  //@{
3584 #define OPTI_ADDREXPRS 0x0001 ///< optimize all address expressions (&x+N; &x-&y)
3585 #define OPTI_MINSTKREF 0x0002 ///< may update minstkref
3586 #define OPTI_COMBINSNS 0x0004 ///< may combine insns (only for optimize_insn)
3587 #define OPTI_NO_LDXOPT 0x0008 ///< the function is called after the
3588  ///< propagation attempt, we do not optimize
3589  ///< low/high(ldx) in this case
3590  //@}
3591 
3592  /// Optimize instruction in its context.
3593  /// Do not use this function, use mblock_t::optimize()
3594  int hexapi optimize_subtree(
3595  mblock_t *blk,
3596  minsn_t *top,
3597  minsn_t *parent,
3598  ea_t *converted_call,
3599  int optflags=OPTI_MINSTKREF);
3600 
3601  /// Visit all instruction operands.
3602  /// This function visits subinstruction operands as well.
3603  /// \param mv operand visitor
3604  /// \return non-zero value returned by mv.visit_mop() or zero
3605  int hexapi for_all_ops(mop_visitor_t &mv);
3606 
3607  /// Visit all instructions.
3608  /// This function visits the instruction itself and all its subinstructions.
3609  /// \param mv instruction visitor
3610  /// \return non-zero value returned by mv.visit_mop() or zero
3611  int hexapi for_all_insns(minsn_visitor_t &mv);
3612 
3613  /// Convert instruction to nop.
3614  /// This function erases all info but the prev/next fields.
3615  /// In most cases it is better to use mblock_t::make_nop(), which also
3616  /// marks the block lists as dirty.
3617  void hexapi _make_nop(void);
3618 
3619  /// Compare instructions.
3620  /// This is the main comparison function for instructions.
3621  /// \param m instruction to compare with
3622  /// \param eqflags combination of \ref EQ_ bits
3623  bool hexapi equal_insns(const minsn_t &m, int eqflags) const; // intelligent comparison
3624  /// \defgroup EQ_ comparison bits
3625  //@{
3626 #define EQ_IGNSIZE 0x0001 ///< ignore source operand sizes
3627 #define EQ_IGNCODE 0x0002 ///< ignore instruction opcodes
3628 #define EQ_CMPDEST 0x0004 ///< compare instruction destinations
3629 #define EQ_OPTINSN 0x0008 ///< optimize mop_d operands
3630  //@}
3631 
3632  /// Lexographical comparison
3633  /// It can be used to store minsn_t in various containers, like std::set
3634  bool operator <(const minsn_t &ri) const { return lexcompare(ri) < 0; }
3635  int hexapi lexcompare(const minsn_t &ri) const;
3636 
3637  //-----------------------------------------------------------------------
3638  // Call instructions
3639  //-----------------------------------------------------------------------
3640  /// Is a non-returing call?
3641  /// \param ignore_noret_icall if set, indirect calls to noret functions will
3642  /// return false
3643  bool hexapi is_noret_call(int flags=0);
3644 #define NORET_IGNORE_WAS_NORET_ICALL 0x01 // ignore was_noret_icall() bit
3645 #define NORET_FORBID_ANALYSIS 0x02 // forbid additional analysis
3646 
3647  /// Is an unknown call?
3648  /// Unknown calls are calls without the argument list (mcallinfo_t).
3649  /// Usually the argument lists are determined by mba_t::analyze_calls().
3650  /// Unknown calls exist until the MMAT_CALLS maturity level.
3651  /// See also \ref mblock_t::is_call_block
3652  bool is_unknown_call(void) const { return is_mcode_call(opcode) && d.empty(); }
3653 
3654  /// Is a helper call with the specified name?
3655  /// Helper calls usually have well-known function names (see \ref FUNC_NAME_)
3656  /// but they may have any other name. The decompiler does not assume any
3657  /// special meaning for non-well-known names.
3658  bool hexapi is_helper(const char *name) const;
3659 
3660  /// Find a call instruction.
3661  /// Check for the current instruction and its subinstructions.
3662  /// \param with_helpers consider helper calls as well?
3663  minsn_t *hexapi find_call(bool with_helpers=false) const;
3664 
3665  /// Does the instruction contain a call?
3666  bool contains_call(bool with_helpers=false) const { return find_call(with_helpers) != NULL; }
3667 
3668  /// Does the instruction have a side effect?
3669  /// \param include_ldx_and_divs consider ldx/div/mod as having side effects?
3670  /// stx is always considered as having side effects.
3671  /// Apart from ldx/std only call may have side effects.
3672  bool hexapi has_side_effects(bool include_ldx_and_divs=false) const;
3673 
3674  /// Get the function role of a call
3675  funcrole_t get_role(void) const { return d.is_arglist() ? d.f->role : ROLE_UNK; }
3676  bool is_memcpy(void) const { return get_role() == ROLE_MEMCPY; }
3677  bool is_memset(void) const { return get_role() == ROLE_MEMSET; }
3678  bool is_alloca(void) const { return get_role() == ROLE_ALLOCA; }
3679  bool is_bswap (void) const { return get_role() == ROLE_BSWAP; }
3680  bool is_readflags (void) const { return get_role() == ROLE_READFLAGS; }
3681 
3682  //-----------------------------------------------------------------------
3683  // Misc
3684  //-----------------------------------------------------------------------
3685  /// Does the instruction have the specified opcode?
3686  /// This function searches subinstructions as well.
3687  /// \param mcode opcode to search for.
3688  bool contains_opcode(mcode_t mcode) const { return find_opcode(mcode) != NULL; }
3689 
3690  /// Find a (sub)insruction with the specified opcode.
3691  /// \param mcode opcode to search for.
3692  const minsn_t *find_opcode(mcode_t mcode) const { return (CONST_CAST(minsn_t*)(this))->find_opcode(mcode); }
3693  minsn_t *hexapi find_opcode(mcode_t mcode);
3694 
3695  /// Find an operand that is a subinsruction with the specified opcode.
3696  /// This function checks only the 'l' and 'r' operands of the current insn.
3697  /// \param[out] other pointer to the other operand
3698  /// (&r if we return &l and vice versa)
3699  /// \param op opcode to search for
3700  /// \return &l or &r or NULL
3701  const minsn_t *hexapi find_ins_op(const mop_t **other, mcode_t op=m_nop) const;
3702  minsn_t *find_ins_op(mop_t **other, mcode_t op=m_nop) { return CONST_CAST(minsn_t*)((CONST_CAST(const minsn_t*)(this))->find_ins_op((const mop_t**)other, op)); }
3703 
3704  /// Find a numeric operand of the current instruction.
3705  /// This function checks only the 'l' and 'r' operands of the current insn.
3706  /// \param[out] other pointer to the other operand
3707  /// (&r if we return &l and vice versa)
3708  /// \return &l or &r or NULL
3709  const mop_t *hexapi find_num_op(const mop_t **other) const;
3710  mop_t *find_num_op(mop_t **other) { return CONST_CAST(mop_t*)((CONST_CAST(const minsn_t*)(this))->find_num_op((const mop_t**)other)); }
3711 
3712  bool is_mov(void) const { return opcode == m_mov || (opcode == m_f2f && l.size == d.size); }
3713  bool is_like_move(void) const { return is_mov() || is_mcode_xdsu(opcode) || opcode == m_low; }
3714 
3715  /// Does the instruction modify its 'd' operand?
3716  /// Some instructions (e.g. m_stx) do not modify the 'd' operand.
3717  bool hexapi modifes_d(void) const;
3718  bool modifies_pair_mop(void) const { return d.t == mop_p && modifes_d(); }
3719 
3720  /// Is the instruction in the specified range of instructions?
3721  /// \param m1 beginning of the range in the doubly linked list
3722  /// \param m2 end of the range in the doubly linked list (excluded, may be NULL)
3723  /// This function assumes that m1 and m2 belong to the same basic block
3724  /// and they are top level instructions.
3725  bool hexapi is_between(const minsn_t *m1, const minsn_t *m2) const;
3726 
3727  /// Is the instruction after the specified one?
3728  /// \param m the instruction to compare against in the list
3729  bool is_after(const minsn_t *m) const { return m != NULL && is_between(m->next, NULL); }
3730 
3731  /// Is it possible for the instruction to use aliased memory?
3732  bool hexapi may_use_aliased_memory(void) const;
3733 };
3734 
3735 /// Skip assertions forward
3736 const minsn_t *hexapi getf_reginsn(const minsn_t *ins);
3737 /// Skip assertions backward
3738 const minsn_t *hexapi getb_reginsn(const minsn_t *ins);
3739 inline minsn_t *getf_reginsn(minsn_t *ins) { return CONST_CAST(minsn_t*)(getf_reginsn(CONST_CAST(const minsn_t *)(ins))); }
3740 inline minsn_t *getb_reginsn(minsn_t *ins) { return CONST_CAST(minsn_t*)(getb_reginsn(CONST_CAST(const minsn_t *)(ins))); }
3741 
3742 //-------------------------------------------------------------------------
3743 /// Basic block types
3744 enum mblock_type_t
3745 {
3746  BLT_NONE = 0, ///< unknown block type
3747  BLT_STOP = 1, ///< stops execution regularly (must be the last block)
3748  BLT_0WAY = 2, ///< does not have successors (tail is a noret function)
3749  BLT_1WAY = 3, ///< passes execution to one block (regular or goto block)
3750  BLT_2WAY = 4, ///< passes execution to two blocks (conditional jump)
3751  BLT_NWAY = 5, ///< passes execution to many blocks (switch idiom)
3752  BLT_XTRN = 6, ///< external block (out of function address)
3753 };
3754 
3755 // Maximal bit range
3756 #define MAXRANGE bitrange_t(0, USHRT_MAX)
3757 
3758 //-------------------------------------------------------------------------
3759 /// Microcode of one basic block.
3760 /// All blocks are part of a doubly linked list. They can also be addressed
3761 /// by indexing the mba->natural array. A block contains a doubly linked list
3762 /// of instructions, various location lists that are used for data flow
3763 /// analysis, and other attributes.
3764 class mblock_t
3765 {
3766  friend class codegen_t;
3767  DECLARE_UNCOPYABLE(mblock_t)
3768  void hexapi init(void);
3769 public:
3770  mblock_t *nextb; ///< next block in the doubly linked list
3771  mblock_t *prevb; ///< previous block in the doubly linked list
3772  uint32 flags; ///< combination of \ref MBL_ bits
3773  /// \defgroup MBL_ Basic block properties
3774  //@{
3775 #define MBL_PRIV 0x0001 ///< private block - no instructions except
3776  ///< the specified are accepted (used in patterns)
3777 #define MBL_NONFAKE 0x0000 ///< regular block
3778 #define MBL_FAKE 0x0002 ///< fake block (after a tail call)
3779 #define MBL_GOTO 0x0004 ///< this block is a goto target
3780 #define MBL_TCAL 0x0008 ///< aritifical call block for tail calls
3781 #define MBL_PUSH 0x0010 ///< needs "convert push/pop instructions"
3782 #define MBL_DMT64 0x0020 ///< needs "demote 64bits"
3783 #define MBL_COMB 0x0040 ///< needs "combine" pass
3784 #define MBL_PROP 0x0080 ///< needs 'propagation' pass
3785 #define MBL_DEAD 0x0100 ///< needs "eliminate deads" pass
3786 #define MBL_LIST 0x0200 ///< use/def lists are ready (not dirty)
3787 #define MBL_INCONST 0x0400 ///< inconsistent lists: we are building them
3788 #define MBL_CALL 0x0800 ///< call information has been built
3789 #define MBL_BACKPROP 0x1000 ///< performed backprop_cc
3790 #define MBL_NORET 0x2000 ///< dead end block: doesn't return execution control
3791 #define MBL_DSLOT 0x4000 ///< block for delay slot
3792 #define MBL_VALRANGES 0x8000 ///< should optimize using value ranges
3793 #define MBL_KEEP 0x10000 ///< do not remove even if unreachable
3794  //@}
3795  ea_t start; ///< start address
3796  ea_t end; ///< end address
3797  ///< note: we cannot rely on start/end addresses
3798  ///< very much because instructions are
3799  ///< propagated between blocks
3800  minsn_t *head; ///< pointer to the first instruction of the block
3801  minsn_t *tail; ///< pointer to the last instruction of the block
3802  mba_t *mba; ///< the parent micro block array
3803  int serial; ///< block number
3804  mblock_type_t type; ///< block type (BLT_NONE - not computed yet)
3805 
3806  mlist_t dead_at_start; ///< data that is dead at the block entry
3807  mlist_t mustbuse; ///< data that must be used by the block
3808  mlist_t maybuse; ///< data that may be used by the block
3809  mlist_t mustbdef; ///< data that must be defined by the block
3810  mlist_t maybdef; ///< data that may be defined by the block
3811  mlist_t dnu; ///< data that is defined but not used in the block
3812 
3813  sval_t maxbsp; ///< maximal sp value in the block (0...stacksize)
3814  sval_t minbstkref; ///< lowest stack location accessible with indirect
3815  ///< addressing (offset from the stack bottom)
3816  ///< initially it is 0 (not computed)
3817  sval_t minbargref; ///< the same for arguments
3818 
3819  intvec_t predset; ///< control flow graph: list of our predecessors
3820  ///< use npred() and pred() to access it
3821  intvec_t succset; ///< control flow graph: list of our successors
3822  ///< use nsucc() and succ() to access it
3823 
3824  // the exact size of this class is not documented, there may be more fields
3825  char reserved[];
3826 
3827  void mark_lists_dirty(void) { flags &= ~MBL_LIST; request_propagation(); }
3828  void request_propagation(void) { flags |= MBL_PROP; }
3829  bool needs_propagation(void) const { return (flags & MBL_PROP) != 0; }
3830  void request_demote64(void) { flags |= MBL_DMT64; }
3831  bool lists_dirty(void) const { return (flags & MBL_LIST) == 0; }
3832  bool lists_ready(void) const { return (flags & (MBL_LIST|MBL_INCONST)) == MBL_LIST; }
3833  int make_lists_ready(void) // returns number of changes
3834  {
3835  if ( lists_ready() )
3836  return 0;
3837  return build_lists(false);
3838  }
3839 
3840  /// Get number of block predecessors
3841  int npred(void) const { return predset.size(); } // number of xrefs to the block
3842  /// Get number of block successors
3843  int nsucc(void) const { return succset.size(); } // number of xrefs from the block
3844  // Get predecessor number N
3845  int pred(int n) const { return predset[n]; }
3846  // Get successor number N
3847  int succ(int n) const { return succset[n]; }
3848 
3849  mblock_t(void) = delete;
3850  virtual ~mblock_t(void);
3851  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
3852  bool empty(void) const { return head == NULL; }
3853 
3854  /// Print block contents.
3855  /// \param vp print helpers class. it can be used to direct the printed
3856  /// info to any destination
3857  void hexapi print(vd_printer_t &vp) const;
3858 
3859  /// Dump block info.
3860  /// This function is useful for debugging, see mba_t::dump for info
3861  void hexapi dump(void) const;
3862  AS_PRINTF(2, 0) void hexapi vdump_block(const char *title, va_list va) const;
3863  AS_PRINTF(2, 3) void dump_block(const char *title, ...) const
3864  {
3865  va_list va;
3866  va_start(va, title);
3867  vdump_block(title, va);
3868  va_end(va);
3869  }
3870 
3871  //-----------------------------------------------------------------------
3872  // Functions to insert/remove insns during the microcode optimization phase.
3873  // See codegen_t, microcode_filter_t, udcall_t classes for the initial
3874  // microcode generation.
3875  //-----------------------------------------------------------------------
3876  /// Insert instruction into the doubly linked list
3877  /// \param nm new instruction
3878  /// \param om existing instruction, part of the doubly linked list
3879  /// if NULL, then the instruction will be inserted at the beginning
3880  /// of the list
3881  /// NM will be inserted immediately after OM
3882  /// \return pointer to NM
3883  minsn_t *hexapi insert_into_block(minsn_t *nm, minsn_t *om);
3884 
3885  /// Remove instruction from the doubly linked list
3886  /// \param m instruction to remove
3887  /// The removed instruction is not deleted, the caller gets its ownership
3888  /// \return pointer to the next instruction
3889  minsn_t *hexapi remove_from_block(minsn_t *m);
3890 
3891  //-----------------------------------------------------------------------
3892  // Iterator over instructions and operands
3893  //-----------------------------------------------------------------------
3894  /// Visit all instructions.
3895  /// This function visits subinstructions too.
3896  /// \param mv instruction visitor
3897  /// \return zero or the value returned by mv.visit_insn()
3898  /// See also mba_t::for_all_topinsns()
3899  int hexapi for_all_insns(minsn_visitor_t &mv);
3900 
3901  /// Visit all operands.
3902  /// This function visit subinstruction operands too.
3903  /// \param mv operand visitor
3904  /// \return zero or the value returned by mv.visit_mop()
3905  int hexapi for_all_ops(mop_visitor_t &mv);
3906 
3907  /// Visit all operands that use LIST.
3908  /// \param list ptr to the list of locations. it may be modified:
3909  /// parts that get redefined by the instructions in [i1,i2)
3910  /// will be deleted.
3911  /// \param i1 starting instruction. must be a top level insn.
3912  /// \param i2 ending instruction (excluded). must be a top level insn.
3913  /// \param mmv operand visitor
3914  /// \return zero or the value returned by mmv.visit_mop()
3915  int hexapi for_all_uses(
3916  mlist_t *list,
3917  minsn_t *i1,
3918  minsn_t *i2,
3919  mlist_mop_visitor_t &mmv);
3920 
3921  //-----------------------------------------------------------------------
3922  // Optimization functions
3923  //-----------------------------------------------------------------------
3924  /// Optimize one instruction in the context of the block.
3925  /// \param m pointer to a top level instruction
3926  /// \param optflags combination of \ref OPTI_ bits
3927  /// \return number of changes made to the block
3928  /// This function may change other instructions in the block too.
3929  /// However, it will not destroy top level instructions (it may convert them
3930  /// to nop's). This function performs only intrablock modifications.
3931  /// See also minsn_t::optimize_solo()
3932  int hexapi optimize_insn(minsn_t *m, int optflags=OPTI_MINSTKREF|OPTI_COMBINSNS);
3933 
3934  /// Optimize a basic block.
3935  /// Usually there is no need to call this function explicitly because the
3936  /// decompiler will call it itself if optinsn_t::func or optblock_t::func
3937  /// return non-zero.
3938  /// \return number of changes made to the block
3939  int hexapi optimize_block(void);
3940 
3941  /// Build def-use lists and eliminate deads.
3942  /// \param kill_deads do delete dead instructions?
3943  /// \return the number of eliminated instructions
3944  /// Better mblock_t::call make_lists_ready() rather than this function.
3945  int hexapi build_lists(bool kill_deads);
3946 
3947  /// Remove a jump at the end of the block if it is useless.
3948  /// This function preserves any side effects when removing a useless jump.
3949  /// Both conditional and unconditional jumps are handled (and jtbl too).
3950  /// This function deletes useless jumps, not only replaces them with a nop.
3951  /// (please note that \optimize_insn does not handle useless jumps).
3952  /// \return number of changes made to the block
3953  int hexapi optimize_useless_jump(void);
3954 
3955  //-----------------------------------------------------------------------
3956  // Functions that build with use/def lists. These lists are used to
3957  // reprsent list of registers and stack locations that are either modified
3958  // or accessed by microinstructions.
3959  //-----------------------------------------------------------------------
3960  /// Append use-list of an operand.
3961  /// This function calculates list of locations that may or must be used
3962  /// by the operand and appends it to LIST.
3963  /// \param list ptr to the output buffer. we will append to it.
3964  /// \param op operand to calculate the use list of
3965  /// \param maymust should we calculate 'may-use' or 'must-use' list?
3966  /// see \ref maymust_t for more details.
3967  /// \param mask if only part of the operand should be considered,
3968  /// a bitmask can be used to specify which part.
3969  /// example: op=AX,mask=0xFF means that we will consider only AL.
3970  void hexapi append_use_list(
3971  mlist_t *list,
3972  const mop_t &op,
3973  maymust_t maymust,
3974  bitrange_t mask=MAXRANGE) const;
3975 
3976  /// Append def-list of an operand.
3977  /// This function calculates list of locations that may or must be modified
3978  /// by the operand and appends it to LIST.
3979  /// \param list ptr to the output buffer. we will append to it.
3980  /// \param op operand to calculate the def list of
3981  /// \param maymust should we calculate 'may-def' or 'must-def' list?
3982  /// see \ref maymust_t for more details.
3983  void hexapi append_def_list(
3984  mlist_t *list,
3985  const mop_t &op,
3986  maymust_t maymust) const;
3987 
3988  /// Build use-list of an instruction.
3989  /// This function calculates list of locations that may or must be used
3990  /// by the instruction. Examples:
3991  /// "ldx ds.2, eax.4, ebx.4", may-list: all aliasable memory
3992  /// "ldx ds.2, eax.4, ebx.4", must-list: empty
3993  /// Since LDX uses EAX for indirect access, it may access any aliasable
3994  /// memory. On the other hand, we cannot tell for sure which memory cells
3995  /// will be accessed, this is why the must-list is empty.
3996  /// \param ins instruction to calculate the use list of
3997  /// \param maymust should we calculate 'may-use' or 'must-use' list?
3998  /// see \ref maymust_t for more details.
3999  /// \return the calculated use-list
4000  mlist_t hexapi build_use_list(const minsn_t &ins, maymust_t maymust) const;
4001 
4002  /// Build def-list of an instruction.
4003  /// This function calculates list of locations that may or must be modified
4004  /// by the instruction. Examples:
4005  /// "stx ebx.4, ds.2, eax.4", may-list: all aliasable memory
4006  /// "stx ebx.4, ds.2, eax.4", must-list: empty
4007  /// Since STX uses EAX for indirect access, it may modify any aliasable
4008  /// memory. On the other hand, we cannot tell for sure which memory cells
4009  /// will be modified, this is why the must-list is empty.
4010  /// \param ins instruction to calculate the def list of
4011  /// \param maymust should we calculate 'may-def' or 'must-def' list?
4012  /// see \ref maymust_t for more details.
4013  /// \return the calculated def-list
4014  mlist_t hexapi build_def_list(const minsn_t &ins, maymust_t maymust) const;
4015 
4016  //-----------------------------------------------------------------------
4017  // The use/def lists can be used to search for interesting instructions
4018  //-----------------------------------------------------------------------
4019  /// Is the list used by the specified instruction range?
4020  /// \param list list of locations. LIST may be modified by the function:
4021  /// redefined locations will be removed from it.
4022  /// \param i1 starting instruction of the range (must be a top level insn)
4023  /// \param i2 end instruction of the range (must be a top level insn)
4024  /// i2 is excluded from the range. it can be specified as NULL.
4025  /// i1 and i2 must belong to the same block.
4026  /// \param maymust should we search in 'may-access' or 'must-access' mode?
4027  bool is_used(mlist_t *list, const minsn_t *i1, const minsn_t *i2, maymust_t maymust=MAY_ACCESS) const
4028  { return find_first_use(list, i1, i2, maymust) != NULL; }
4029 
4030  /// Find the first insn that uses the specified list in the insn range.
4031  /// \param list list of locations. LIST may be modified by the function:
4032  /// redefined locations will be removed from it.
4033  /// \param i1 starting instruction of the range (must be a top level insn)
4034  /// \param i2 end instruction of the range (must be a top level insn)
4035  /// i2 is excluded from the range. it can be specified as NULL.
4036  /// i1 and i2 must belong to the same block.
4037  /// \param maymust should we search in 'may-access' or 'must-access' mode?
4038  /// \return pointer to such instruction or NULL.
4039  /// Upon return LIST will contain only locations not redefined
4040  /// by insns [i1..result]
4041  const minsn_t *hexapi find_first_use(mlist_t *list, const minsn_t *i1, const minsn_t *i2, maymust_t maymust=MAY_ACCESS) const;
4042  minsn_t *find_first_use(mlist_t *list, minsn_t *i1, const minsn_t *i2, maymust_t maymust=MAY_ACCESS) const
4043  {
4044  return CONST_CAST(minsn_t*)(find_first_use(list,
4045  CONST_CAST(const minsn_t*)(i1),
4046  i2,
4047  maymust));
4048  }
4049 
4050  /// Is the list redefined by the specified instructions?
4051  /// \param list list of locations to check.
4052  /// \param i1 starting instruction of the range (must be a top level insn)
4053  /// \param i2 end instruction of the range (must be a top level insn)
4054  /// i2 is excluded from the range. it can be specified as NULL.
4055  /// i1 and i2 must belong to the same block.
4056  /// \param maymust should we search in 'may-access' or 'must-access' mode?
4057  bool is_redefined(
4058  const mlist_t &list,
4059  const minsn_t *i1,
4060  const minsn_t *i2,
4061  maymust_t maymust=MAY_ACCESS) const
4062  {
4063  return find_redefinition(list, i1, i2, maymust) != NULL;
4064  }
4065 
4066  /// Find the first insn that redefines any part of the list in the insn range.
4067  /// \param list list of locations to check.
4068  /// \param i1 starting instruction of the range (must be a top level insn)
4069  /// \param i2 end instruction of the range (must be a top level insn)
4070  /// i2 is excluded from the range. it can be specified as NULL.
4071  /// i1 and i2 must belong to the same block.
4072  /// \param maymust should we search in 'may-access' or 'must-access' mode?
4073  /// \return pointer to such instruction or NULL.
4074  const minsn_t *hexapi find_redefinition(
4075  const mlist_t &list,
4076  const minsn_t *i1,
4077  const minsn_t *i2,
4078  maymust_t maymust=MAY_ACCESS) const;
4079  minsn_t *find_redefinition(
4080  const mlist_t &list,
4081  minsn_t *i1,
4082  const minsn_t *i2,
4083  maymust_t maymust=MAY_ACCESS) const
4084  {
4085  return CONST_CAST(minsn_t*)(find_redefinition(list,
4086  CONST_CAST(const minsn_t*)(i1),
4087  i2,
4088  maymust));
4089  }
4090 
4091  /// Is the right hand side of the instruction redefined the insn range?
4092  /// "right hand side" corresponds to the source operands of the instruction.
4093  /// \param ins instruction to consider
4094  /// \param i1 starting instruction of the range (must be a top level insn)
4095  /// \param i2 end instruction of the range (must be a top level insn)
4096  /// i2 is excluded from the range. it can be specified as NULL.
4097  /// i1 and i2 must belong to the same block.
4098  bool hexapi is_rhs_redefined(const minsn_t *ins, const minsn_t *i1, const minsn_t *i2) const;
4099 
4100  /// Find the instruction that accesses the specified operand.
4101  /// This function search inside one block.
4102  /// \param op operand to search for
4103  /// \param p_i1 ptr to ptr to a top level instruction.
4104  /// denotes the beginning of the search range.
4105  /// \param i2 end instruction of the range (must be a top level insn)
4106  /// i2 is excluded from the range. it can be specified as NULL.
4107  /// i1 and i2 must belong to the same block.
4108  /// \fdflags combination of \ref FD_ bits
4109  /// \return the instruction that accesses the operand. this instruction
4110  /// may be a sub-instruction. to find out the top level
4111  /// instruction, check out *p_i1.
4112  /// NULL means 'not found'.
4113  minsn_t *hexapi find_access(
4114  const mop_t &op,
4115  minsn_t **parent,
4116  const minsn_t *mend,
4117  int fdflags) const;
4118  /// \defgroup FD_ bits for mblock_t::find_access
4119  //@{
4120 #define FD_BACKWARD 0x0000 ///< search direction
4121 #define FD_FORWARD 0x0001 ///< search direction
4122 #define FD_USE 0x0000 ///< look for use
4123 #define FD_DEF 0x0002 ///< look for definition
4124 #define FD_DIRTY 0x0004 ///< ignore possible implicit definitions
4125  ///< by function calls and indirect memory access
4126  //@}
4127 
4128  // Convenience functions:
4129  minsn_t *find_def(
4130  const mop_t &op,
4131  minsn_t **p_i1,
4132  const minsn_t *i2,
4133  int fdflags)
4134  {
4135  return find_access(op, p_i1, i2, fdflags|FD_DEF);
4136  }
4137  minsn_t *find_use(
4138  const mop_t &op,
4139  minsn_t **p_i1,
4140  const minsn_t *i2,
4141  int fdflags)
4142  {
4143  return find_access(op, p_i1, i2, fdflags|FD_USE);
4144  }
4145 
4146  /// Find possible values for a block.
4147  /// \param res set of value ranges
4148  /// \param vivl what to search for
4149  /// \param vrflags combination of \ref VR_ bits
4150  bool hexapi get_valranges(
4151  valrng_t *res,
4152  const vivl_t &vivl,
4153  int vrflags) const;
4154 
4155  /// Find possible values for an instruction.
4156  /// \param res set of value ranges
4157  /// \param vivl what to search for
4158  /// \param m insn to search value ranges at. \sa VR_ bits
4159  /// \param vrflags combination of \ref VR_ bits
4160  bool hexapi get_valranges(
4161  valrng_t *res,
4162  const vivl_t &vivl,
4163  const minsn_t *m,
4164  int vrflags) const;
4165 
4166  /// \defgroup VR_ bits for get_valranges
4167  //@{
4168 #define VR_AT_START 0x0000 ///< get value ranges before the instruction or
4169  ///< at the block start (if M is NULL)
4170 #define VR_AT_END 0x0001 ///< get value ranges after the instruction or
4171  ///< at the block end, just after the last
4172  ///< instruction (if M is NULL)
4173 #define VR_EXACT 0x0002 ///< find exact match. if not set, the returned
4174  ///< valrng size will be >= vivl.size
4175  //@}
4176 
4177  /// Erase the instruction (convert it to nop) and mark the lists dirty.
4178  /// This is the recommended function to use because it also marks the block
4179  /// use-def lists dirty.
4180  void make_nop(minsn_t *m) { m->_make_nop(); mark_lists_dirty(); }
4181 
4182  /// Calculate number of regular instructions in the block.
4183  /// Assertions are skipped by this function.
4184  /// \return Number of non-assertion instructions in the block.
4185  size_t hexapi get_reginsn_qty(void) const;
4186 
4187  bool is_call_block(void) const { return tail != NULL && is_mcode_call(tail->opcode); }
4188  bool is_unknown_call(void) const { return tail != NULL && tail->is_unknown_call(); }
4189  bool is_nway(void) const { return type == BLT_NWAY; }
4190  bool is_branch(void) const { return type == BLT_2WAY && tail->d.t == mop_b; }
4191  bool is_simple_goto_block(void) const
4192  {
4193  return get_reginsn_qty() == 1
4194  && tail->opcode == m_goto
4195  && tail->l.t == mop_b;
4196  }
4197  bool is_simple_jcnd_block() const
4198  {
4199  return is_branch()
4200  && npred() == 1
4201  && get_reginsn_qty() == 1
4202  && is_mcode_convertible_to_set(tail->opcode);
4203  }
4204 };
4205 //-------------------------------------------------------------------------
4206 /// Warning ids
4207 enum warnid_t
4208 {
4209  WARN_VARARG_REGS, ///< 0 cannot handle register arguments in vararg function, discarded them
4210  WARN_ILL_PURGED, ///< 1 odd caller purged bytes %d, correcting
4211  WARN_ILL_FUNCTYPE, ///< 2 invalid function type has been ignored
4212  WARN_VARARG_TCAL, ///< 3 cannot handle tail call to vararg
4213  WARN_VARARG_NOSTK, ///< 4 call vararg without local stack
4214  WARN_VARARG_MANY, ///< 5 too many varargs, some ignored
4215  WARN_ADDR_OUTARGS, ///< 6 cannot handle address arithmetics in outgoing argument area of stack frame -- unused
4216  WARN_DEP_UNK_CALLS, ///< 7 found interdependent unknown calls
4217  WARN_ILL_ELLIPSIS, ///< 8 erroneously detected ellipsis type has been ignored
4218  WARN_GUESSED_TYPE, ///< 9 using guessed type %s;
4219  WARN_EXP_LINVAR, ///< 10 failed to expand a linear variable
4220  WARN_WIDEN_CHAINS, ///< 11 failed to widen chains
4221  WARN_BAD_PURGED, ///< 12 inconsistent function type and number of purged bytes
4222  WARN_CBUILD_LOOPS, ///< 13 too many cbuild loops
4223  WARN_NO_SAVE_REST, ///< 14 could not find valid save-restore pair for %s
4224  WARN_ODD_INPUT_REG, ///< 15 odd input register %s
4225  WARN_ODD_ADDR_USE, ///< 16 odd use of a variable address
4226  WARN_MUST_RET_FP, ///< 17 function return type is incorrect (must be floating point)
4227  WARN_ILL_FPU_STACK, ///< 18 inconsistent fpu stack
4228  WARN_SELFREF_PROP, ///< 19 self-referencing variable has been detected
4229  WARN_WOULD_OVERLAP, ///< 20 variables would overlap: %s
4230  WARN_ARRAY_INARG, ///< 21 array has been used for an input argument
4231  WARN_MAX_ARGS, ///< 22 too many input arguments, some ignored
4232  WARN_BAD_FIELD_TYPE,///< 23 incorrect structure member type for %s::%s, ignored
4233  WARN_WRITE_CONST, ///< 24 write access to const memory at %a has been detected
4234  WARN_BAD_RETVAR, ///< 25 wrong return variable
4235  WARN_FRAG_LVAR, ///< 26 fragmented variable at %s may be wrong
4236  WARN_HUGE_STKOFF, ///< 27 exceedingly huge offset into the stack frame
4237  WARN_UNINITED_REG, ///< 28 reference to an uninitialized register has been removed: %s
4238  WARN_FIXED_MACRO, ///< 29 fixed broken macro-insn
4239  WARN_WRONG_VA_OFF, ///< 30 wrong offset of va_list variable
4240  WARN_CR_NOFIELD, ///< 31 CONTAINING_RECORD: no field '%s' in struct '%s' at %d
4241  WARN_CR_BADOFF, ///< 32 CONTAINING_RECORD: too small offset %d for struct '%s'
4242  WARN_BAD_STROFF, ///< 33 user specified stroff has not been processed: %s
4243  WARN_BAD_VARSIZE, ///< 34 inconsistent variable size for '%s'
4244  WARN_UNSUPP_REG, ///< 35 unsupported processor register '%s'
4245  WARN_UNALIGNED_ARG, ///< 36 unaligned function argument '%s'
4246  WARN_BAD_STD_TYPE, ///< 37 corrupted or unexisting local type '%s'
4247  WARN_BAD_CALL_SP, ///< 38 bad sp value at call
4248  WARN_MISSED_SWITCH, ///< 39 wrong markup of switch jump, skipped it
4249  WARN_BAD_SP, ///< 40 positive sp value %a has been found
4250  WARN_BAD_STKPNT, ///< 41 wrong sp change point
4251  WARN_UNDEF_LVAR, ///< 42 variable '%s' is possibly undefined
4252  WARN_JUMPOUT, ///< 43 control flows out of bounds
4253  WARN_BAD_VALRNG, ///< 44 values range analysis failed
4254  WARN_BAD_SHADOW, ///< 45 ignored the value written to the shadow area of the succeeding call
4255  WARN_OPT_VALRNG, ///< 46 conditional instruction was optimized away because %s
4256  WARN_RET_LOCREF, ///< 47 returning address of temporary local variable '%s'
4257  WARN_BAD_MAPDST, ///< 48 too short map destination '%s' for variable '%s'
4258  WARN_BAD_INSN, ///< 49 bad instruction
4259  WARN_ODD_ABI, ///< 50 encountered odd instruction for the current ABI
4260  WARN_UNBALANCED_STACK, ///< 51 unbalanced stack, ignored a potential tail call
4261 
4262  WARN_OPT_VALRNG2, ///< 52 mask 0x%X is shortened because %s <= 0x%X"
4263 
4264  WARN_OPT_VALRNG3, ///< 53 masking with 0X%X was optimized away because %s <= 0x%X
4265  WARN_MAX, ///< may be used in notes as a placeholder when the
4266  ///< warning id is not available
4267 };
4268 
4269 /// Warning instances
4270 struct hexwarn_t
4271 {
4272  ea_t ea; ///< Address where the warning occurred
4273  warnid_t id; ///< Warning id
4274  qstring text; ///< Fully formatted text of the warning
4275  DECLARE_COMPARISONS(hexwarn_t)
4276  {
4277  if ( ea < r.ea )
4278  return -1;
4279  if ( ea > r.ea )
4280  return 1;
4281  if ( id < r.id )
4282  return -1;
4283  if ( id > r.id )
4284  return 1;
4285  return strcmp(text.c_str(), r.text.c_str());
4286  }
4287 };
4288 DECLARE_TYPE_AS_MOVABLE(hexwarn_t);
4289 typedef qvector<hexwarn_t> hexwarns_t;
4290 
4291 //-------------------------------------------------------------------------
4292 /// Microcode maturity levels
4293 enum mba_maturity_t
4294 {
4295  MMAT_ZERO, ///< microcode does not exist
4296  MMAT_GENERATED, ///< generated microcode
4297  MMAT_PREOPTIMIZED, ///< preoptimized pass is complete
4298  MMAT_LOCOPT, ///< local optimization of each basic block is complete.
4299  ///< control flow graph is ready too.
4300  MMAT_CALLS, ///< detected call arguments
4301  MMAT_GLBOPT1, ///< performed the first pass of global optimization
4302  MMAT_GLBOPT2, ///< most global optimization passes are done
4303  MMAT_GLBOPT3, ///< completed all global optimization. microcode is fixed now.
4304  MMAT_LVARS, ///< allocated local variables
4305 };
4306 
4307 //-------------------------------------------------------------------------
4308 enum memreg_index_t ///< memory region types
4309 {
4310  MMIDX_GLBLOW, ///< global memory: low part
4311  MMIDX_LVARS, ///< stack: local variables
4312  MMIDX_RETADDR, ///< stack: return address
4313  MMIDX_SHADOW, ///< stack: shadow arguments
4314  MMIDX_ARGS, ///< stack: regular stack arguments
4315  MMIDX_GLBHIGH, ///< global memory: high part
4316 };
4317 
4318 //-------------------------------------------------------------------------
4319 /// Ranges to decompile. Either a function or an explicit vector of ranges.
4320 struct mba_ranges_t
4321 {
4322  func_t *pfn; ///< function to decompile
4323  rangevec_t ranges; ///< empty ? function_mode : snippet mode
4324  mba_ranges_t(func_t *_pfn=NULL) : pfn(_pfn) {}
4325  mba_ranges_t(const rangevec_t &r) : pfn(NULL), ranges(r) {}
4326  ea_t start(void) const { return (ranges.empty() ? *pfn : ranges[0]).start_ea; }
4327  bool empty(void) const { return pfn == NULL && ranges.empty(); }
4328  void clear(void) { pfn = NULL; ranges.clear(); }
4329  bool is_snippet(void) const { return !ranges.empty(); }
4330  bool hexapi range_contains(ea_t ea) const;
4331  bool is_fragmented(void) const { return ranges.empty() ? pfn->tailqty > 0 : ranges.size() > 1; }
4332 };
4333 
4334 /// Item iterator of arbitrary rangevec items
4335 struct range_item_iterator_t
4336 {
4337  const rangevec_t *ranges;
4338  const range_t *rptr; // pointer into ranges
4339  ea_t cur; // current address
4340  range_item_iterator_t(void) : ranges(NULL), rptr(NULL), cur(BADADDR) {}
4341  bool set(const rangevec_t &r);
4342  bool next_code(void);
4343  ea_t current(void) const { return cur; }
4344 };
4345 
4346 /// Item iterator for mba_ranges_t
4347 struct mba_item_iterator_t
4348 {
4349  range_item_iterator_t rii;
4350  func_item_iterator_t fii; // this is used if rii.ranges==NULL
4351  bool is_snippet(void) const { return rii.ranges != NULL; }
4352  bool set(const mba_ranges_t &mbr)
4353  {
4354  if ( mbr.is_snippet() )
4355  return rii.set(mbr.ranges);
4356  else
4357  return fii.set(mbr.pfn);
4358  }
4359  bool next_code(void)
4360  {
4361  if ( is_snippet() )
4362  return rii.next_code();
4363  else
4364  return fii.next_code();
4365  }
4366  ea_t current(void) const
4367  {
4368  return is_snippet() ? rii.current() : fii.current();
4369  }
4370 };
4371 
4372 /// Chunk iterator of arbitrary rangevec items
4373 struct range_chunk_iterator_t
4374 {
4375  const range_t *rptr; // pointer into ranges
4376  const range_t *rend;
4377  range_chunk_iterator_t(void) : rptr(NULL), rend(NULL) {}
4378  bool set(const rangevec_t &r) { rptr = r.begin(); rend = r.end(); return rptr != rend; }
4379  bool next(void) { return ++rptr != rend; }
4380  const range_t &chunk(void) const { return *rptr; }
4381 };
4382 
4383 /// Chunk iterator for mba_ranges_t
4384 struct mba_range_iterator_t
4385 {
4386  range_chunk_iterator_t rii;
4387  func_tail_iterator_t fii; // this is used if rii.rptr==NULL
4388  bool is_snippet(void) const { return rii.rptr != NULL; }
4389  bool set(const mba_ranges_t &mbr)
4390  {
4391  if ( mbr.is_snippet() )
4392  return rii.set(mbr.ranges);
4393  else
4394  return fii.set(mbr.pfn);
4395  }
4396  bool next(void)
4397  {
4398  if ( is_snippet() )
4399  return rii.next();
4400  else
4401  return fii.next();
4402  }
4403  const range_t &chunk(void) const
4404  {
4405  return is_snippet() ? rii.chunk() : fii.chunk();
4406  }
4407 };
4408 
4409 //-------------------------------------------------------------------------
4410 /// Array of micro blocks representing microcode for a decompiled function.
4411 /// The first micro block is the entry point, the last one is the exit point.
4412 /// The entry and exit blocks are always empty. The exit block is generated
4413 /// at MMAT_LOCOPT maturity level.
4414 class mba_t
4415 {
4416  DECLARE_UNCOPYABLE(mba_t)
4417  uint32 flags;
4418  uint32 flags2;
4419 
4420 public:
4421  // bits to describe the microcode, set by the decompiler
4422 #define MBA_PRCDEFS 0x00000001 ///< use precise defeas for chain-allocated lvars
4423 #define MBA_NOFUNC 0x00000002 ///< function is not present, addresses might be wrong
4424 #define MBA_PATTERN 0x00000004 ///< microcode pattern, callinfo is present
4425 #define MBA_LOADED 0x00000008 ///< loaded gdl, no instructions (debugging)
4426 #define MBA_RETFP 0x00000010 ///< function returns floating point value
4427 #define MBA_SPLINFO 0x00000020 ///< (final_type ? idb_spoiled : spoiled_regs) is valid
4428 #define MBA_PASSREGS 0x00000040 ///< has mcallinfo_t::pass_regs
4429 #define MBA_THUNK 0x00000080 ///< thunk function
4430 #define MBA_CMNSTK 0x00000100 ///< stkvars+stkargs should be considered as one area
4431 
4432  // bits to describe analysis stages and requests
4433 #define MBA_PREOPT 0x00000200 ///< preoptimization stage complete
4434 #define MBA_CMBBLK 0x00000400 ///< request to combine blocks
4435 #define MBA_ASRTOK 0x00000800 ///< assertions have been generated
4436 #define MBA_CALLS 0x00001000 ///< callinfo has been built
4437 #define MBA_ASRPROP 0x00002000 ///< assertion have been propagated
4438 #define MBA_SAVRST 0x00004000 ///< save-restore analysis has been performed
4439 #define MBA_RETREF 0x00008000 ///< return type has been refined
4440 #define MBA_GLBOPT 0x00010000 ///< microcode has been optimized globally
4441 #define MBA_LVARS0 0x00040000 ///< lvar pre-allocation has been performed
4442 #define MBA_LVARS1 0x00080000 ///< lvar real allocation has been performed
4443 #define MBA_DELPAIRS 0x00100000 ///< pairs have been deleted once
4444 #define MBA_CHVARS 0x00200000 ///< can verify chain varnums
4445 
4446  // bits that can be set by the caller:
4447 #define MBA_SHORT 0x00400000 ///< use short display
4448 #define MBA_COLGDL 0x00800000 ///< display graph after each reduction
4449 #define MBA_INSGDL 0x01000000 ///< display instruction in graphs
4450 #define MBA_NICE 0x02000000 ///< apply transformations to c code
4451 #define MBA_REFINE 0x04000000 ///< may refine return value size
4452 #define MBA_WINGR32 0x10000000 ///< use wingraph32
4453 #define MBA_NUMADDR 0x20000000 ///< display definition addresses for numbers
4454 #define MBA_VALNUM 0x40000000 ///< display value numbers
4455 
4456 #define MBA_INITIAL_FLAGS (MBA_INSGDL|MBA_NICE|MBA_CMBBLK|MBA_REFINE\
4457  |MBA_PRCDEFS|MBA_WINGR32|MBA_VALNUM)
4458 
4459 #define MBA2_LVARNAMES_OK 0x00000001 // may verify lvar_names?
4460 #define MBA2_LVARS_RENAMED 0x00000002 // accept empty names now?
4461 #define MBA2_OVER_CHAINS 0x00000004 // has overlapped chains?
4462 #define MBA2_VALRNG_DONE 0x00000008 // calculated valranges?
4463 #define MBA2_IS_CTR 0x00000010 // is constructor?
4464 #define MBA2_IS_DTR 0x00000020 // is destructor?
4465 #define MBA2_ARGIDX_OK 0x00000040 // may verify input argument list?
4466 #define MBA2_NO_DUP_CALLS 0x00000080 // forbid multiple calls with the same ea
4467 #define MBA2_NO_DUP_LVARS 0x00000100 // forbid multiple lvars with the same ea
4468 #define MBA2_UNDEF_RETVAR 0x00000200 // return value is undefined
4469 #define MBA2_ARGIDX_SORTED 0x00000400 // args finally sorted according to ABI
4470  // (e.g. reverse stkarg order in Borland)
4471 #define MBA2_CODE16_BIT 0x00000800 // the code16 bit removed
4472 #define MBA2_STACK_RETVAL 0x00001000 // the return value is on the stack
4473 
4474 #define MBA2_DONT_VERIFY 0x80000000 // Do not verify microcode. This flag is
4475  // dangerous and is recomended to set
4476  // only when debugging decompiler plugins
4477 
4478 #define MBA2_INITIAL_FLAGS (MBA2_LVARNAMES_OK|MBA2_LVARS_RENAMED)
4479 
4480 #define MBA2_ALL_FLAGS 0x00001FFF
4481 
4482  bool precise_defeas(void) const { return (flags & MBA_PRCDEFS) != 0; }
4483  bool optimized(void) const { return (flags & MBA_GLBOPT) != 0; }
4484  bool short_display(void) const { return (flags & MBA_SHORT ) != 0; }
4485  bool show_reduction(void) const { return (flags & MBA_COLGDL) != 0; }
4486  bool graph_insns(void) const { return (flags & MBA_INSGDL) != 0; }
4487  bool loaded_gdl(void) const { return (flags & MBA_LOADED) != 0; }
4488  bool should_beautify(void)const { return (flags & MBA_NICE ) != 0; }
4489  bool rtype_refined(void) const { return (flags & MBA_RETREF) != 0; }
4490  bool may_refine_rettype(void) const { return (flags & MBA_REFINE) != 0; }
4491  bool use_wingraph32(void) const { return (flags & MBA_WINGR32) != 0; }
4492  bool display_numaddrs(void) const { return (flags & MBA_NUMADDR) != 0; }
4493  bool display_valnums(void) const { return (flags & MBA_VALNUM) != 0; }
4494  bool is_pattern(void) const { return (flags & MBA_PATTERN) != 0; }
4495  bool is_thunk(void) const { return (flags & MBA_THUNK) != 0; }
4496  bool saverest_done(void) const { return (flags & MBA_SAVRST) != 0; }
4497  bool callinfo_built(void) const { return (flags & MBA_CALLS) != 0; }
4498  bool really_alloc(void) const { return (flags & MBA_LVARS0) != 0; }
4499  bool lvars_allocated(void)const { return (flags & MBA_LVARS1) != 0; }
4500  bool chain_varnums_ok(void)const { return (flags & MBA_CHVARS) != 0; }
4501  bool returns_fpval(void) const { return (flags & MBA_RETFP) != 0; }
4502  bool has_passregs(void) const { return (flags & MBA_PASSREGS) != 0; }
4503  bool generated_asserts(void) const { return (flags & MBA_ASRTOK) != 0; }
4504  bool propagated_asserts(void) const { return (flags & MBA_ASRPROP) != 0; }
4505  bool deleted_pairs(void) const { return (flags & MBA_DELPAIRS) != 0; }
4506  bool common_stkvars_stkargs(void) const { return (flags & MBA_CMNSTK) != 0; }
4507  bool lvar_names_ok(void) const { return (flags2 & MBA2_LVARNAMES_OK) != 0; }
4508  bool lvars_renamed(void) const { return (flags2 & MBA2_LVARS_RENAMED) != 0; }
4509  bool has_over_chains(void) const { return (flags2 & MBA2_OVER_CHAINS) != 0; }
4510  bool valranges_done(void) const { return (flags2 & MBA2_VALRNG_DONE) != 0; }
4511  bool argidx_ok(void) const { return (flags2 & MBA2_ARGIDX_OK) != 0; }
4512  bool argidx_sorted(void) const { return (flags2 & MBA2_ARGIDX_SORTED) != 0; }
4513  bool code16_bit_removed(void) const { return (flags2 & MBA2_CODE16_BIT) != 0; }
4514  bool has_stack_retval(void) const { return (flags2 & MBA2_STACK_RETVAL) != 0; }
4515  bool is_ctr(void) const { return (flags2 & MBA2_IS_CTR) != 0; }
4516  bool is_dtr(void) const { return (flags2 & MBA2_IS_DTR) != 0; }
4517  bool is_cdtr(void) const { return (flags2 & (MBA2_IS_CTR|MBA2_IS_DTR)) != 0; }
4518  int get_mba_flags(void) const { return flags; }
4519  int get_mba_flags2(void) const { return flags2; }
4520  void set_mba_flags(int f) { flags |= f; }
4521  void clr_mba_flags(int f) { flags &= ~f; }
4522  void set_mba_flags2(int f) { flags2 |= f; }
4523  void clr_mba_flags2(int f) { flags2 &= ~f; }
4524  void clr_cdtr(void) { flags2 &= ~(MBA2_IS_CTR|MBA2_IS_DTR); }
4525  int calc_shins_flags(void) const
4526  {
4527  int shins_flags = 0;
4528  if ( short_display() )
4529  shins_flags |= SHINS_SHORT;
4530  if ( display_valnums() )
4531  shins_flags |= SHINS_VALNUM;
4532  if ( display_numaddrs() )
4533  shins_flags |= SHINS_NUMADDR;
4534  return shins_flags;
4535  }
4536 
4537 /*
4538  +-----------+ <- inargtop
4539  | prmN |
4540  | ... | <- minargref
4541  | prm0 |
4542  +-----------+ <- inargoff
4543  |shadow_args|
4544  +-----------+
4545  | retaddr |
4546  frsize+frregs +-----------+ <- initial esp |
4547  | frregs | |
4548  +frsize +-----------+ <- typical ebp |
4549  | | | |
4550  | | | fpd |
4551  | | | |
4552  | frsize | <- current ebp |
4553  | | |
4554  | | |
4555  | | | stacksize
4556  | | |
4557  | | |
4558  | | <- minstkref |
4559  stkvar base off 0 +---.. | | | current
4560  | | | | stack
4561  | | | | pointer
4562  | | | | range
4563  |tmpstk_size| | | (what getspd() returns)
4564  | | | |
4565  | | | |
4566  +-----------+ <- minimal sp | | offset 0 for the decompiler (vd)
4567 
4568  There is a detail that may add confusion when working with stack variables.
4569  The decompiler does not use the same stack offsets as IDA.
4570  The picture above should explain the difference:
4571  - IDA stkoffs are displayed on the left, decompiler stkoffs - on the right
4572  - Decompiler stkoffs are always >= 0
4573  - IDA stkoff==0 corresponds to stkoff==tmpstk_size in the decompiler
4574  - See stkoff_vd2ida and stkoff_ida2vd below to convert IDA stkoffs to vd stkoff
4575 
4576 */
4577 
4578  // convert a stack offset used in vd to a stack offset used in ida stack frame
4579  sval_t stkoff_vd2ida(sval_t off) const
4580  {
4581  return off - tmpstk_size;
4582  }
4583  // convert a ida stack frame offset to a stack offset used in vd
4584  sval_t stkoff_ida2vd(sval_t off) const
4585  {
4586  return off + tmpstk_size;
4587  }
4588  sval_t argbase() const
4589  {
4590  return retsize + stacksize;
4591  }
4592  static vdloc_t hexapi idaloc2vd(const argloc_t &loc, int width, sval_t spd);
4593  vdloc_t hexapi idaloc2vd(const argloc_t &loc, int width) const;
4594 
4595  static argloc_t hexapi vd2idaloc(const vdloc_t &loc, int width, sval_t spd);
4596  argloc_t hexapi vd2idaloc(const vdloc_t &loc, int width) const;
4597 
4598  bool is_stkarg(const lvar_t &v) const
4599  {
4600  return v.is_stk_var() && v.get_stkoff() >= inargoff;
4601  }
4602  member_t *get_stkvar(sval_t vd_stkoff, uval_t *poff) const;
4603  // get lvar location
4604  argloc_t get_ida_argloc(const lvar_t &v) const
4605  {
4606  return vd2idaloc(v.location, v.width);
4607  }
4608  mba_ranges_t mbr;
4609  ea_t entry_ea;
4610  ea_t last_prolog_ea;
4611  ea_t first_epilog_ea;
4612  int qty; ///< number of basic blocks
4613  int npurged; ///< -1 - unknown
4614  cm_t cc; ///< calling convention
4615  sval_t tmpstk_size; ///< size of the temporary stack part
4616  ///< (which dynamically changes with push/pops)
4617  sval_t frsize; ///< size of local stkvars range in the stack frame
4618  sval_t frregs; ///< size of saved registers range in the stack frame
4619  sval_t fpd; ///< frame pointer delta
4620  int pfn_flags; ///< copy of func_t::flags
4621  int retsize; ///< size of return address in the stack frame
4622  int shadow_args; ///< size of shadow argument area
4623  sval_t fullsize; ///< Full stack size including incoming args
4624  sval_t stacksize; ///< The maximal size of the function stack including
4625  ///< bytes allocated for outgoing call arguments
4626  ///< (up to retaddr)
4627  sval_t inargoff; ///< offset of the first stack argument;
4628  ///< after fix_scattered_movs() INARGOFF may
4629  ///< be less than STACKSIZE
4630  sval_t minstkref; ///< The lowest stack location whose address was taken
4631  ea_t minstkref_ea; ///< address with lowest minstkref (for debugging)
4632  sval_t minargref; ///< The lowest stack argument location whose address was taken
4633  ///< This location and locations above it can be aliased
4634  ///< It controls locations >= inargoff-shadow_args
4635  sval_t spd_adjust; ///< If sp>0, the max positive sp value
4636  ivl_t aliased_vars; ///< Aliased stkvar locations
4637  ivl_t aliased_args; ///< Aliased stkarg locations
4638  ivlset_t gotoff_stkvars; ///< stkvars that hold .got offsets. considered to be unaliasable
4639  ivlset_t restricted_memory;
4640  ivlset_t aliased_memory; ///< aliased_memory+restricted_memory=ALLMEM
4641  mlist_t nodel_memory; ///< global dead elimination may not delete references to this area
4642  rlist_t consumed_argregs; ///< registers converted into stack arguments, should not be used as arguments
4643 
4644  mba_maturity_t maturity; ///< current maturity level
4645  mba_maturity_t reqmat; ///< required maturity level
4646 
4647  bool final_type; ///< is the function type final? (specified by the user)
4648  tinfo_t idb_type; ///< function type as retrieved from the database
4649  reginfovec_t idb_spoiled; ///< MBA_SPLINFO && final_type: info in ida format
4650  mlist_t spoiled_list; ///< MBA_SPLINFO && !final_type: info in vd format
4651  int fti_flags; ///< FTI_... constants for the current function
4652 
4653  netnode deprecated_idb_node; ///< netnode with additional decompiler info.
4654  ///< deprecated, do not use it anymore. it may get
4655  ///< stale after undo.
4656 #define NALT_VD 2 ///< this index is not used by ida
4657 
4658  qstring label; ///< name of the function or pattern (colored)
4659  lvars_t vars; ///< local variables
4660  intvec_t argidx; ///< input arguments (indexes into 'vars')
4661  int retvaridx; ///< index of variable holding the return value
4662  ///< -1 means none
4663 
4664  ea_t error_ea; ///< during microcode generation holds ins.ea
4665  qstring error_strarg;
4666 
4667  mblock_t *blocks; ///< double linked list of blocks
4668  mblock_t **natural; ///< natural order of blocks
4669 
4670  ivl_with_name_t std_ivls[6]; ///< we treat memory as consisting of 6 parts
4671  ///< see \ref memreg_index_t
4672 
4673  mutable hexwarns_t notes;
4674  mutable uchar occurred_warns[32]; // occurred warning messages
4675  // (even disabled warnings are taken into account)
4676  bool write_to_const_detected(void) const
4677  {
4678  return test_bit(occurred_warns, WARN_WRITE_CONST);
4679  }
4680  bool bad_call_sp_detected(void) const
4681  {
4682  return test_bit(occurred_warns, WARN_BAD_CALL_SP);
4683  }
4684  bool regargs_is_not_aligned(void) const
4685  {
4686  return test_bit(occurred_warns, WARN_UNALIGNED_ARG);
4687  }
4688  bool has_bad_sp(void) const
4689  {
4690  return test_bit(occurred_warns, WARN_BAD_SP);
4691  }
4692 
4693  // the exact size of this class is not documented, there may be more fields
4694  char reserved[];
4695  mba_t(void);
4696  ~mba_t(void) { term(); }
4697  HEXRAYS_MEMORY_ALLOCATION_FUNCS()
4698  void hexapi term(void);
4699  func_t *get_curfunc(void) const { return mbr.pfn; }
4700  bool use_frame(void) const { return mbr.pfn != NULL; }
4701  bool range_contains(ea_t ea) const { return mbr.range_contains(ea); }
4702  bool is_snippet(void) const { return mbr.is_snippet(); }
4703 
4704  /// Set maturity level.
4705  /// \param new maturity level
4706  /// \return true if it is time to stop analysis
4707  /// Plugins may use this function to skip some parts of the analysis.
4708  /// The maturity level cannot be decreased.
4709  bool hexapi set_maturity(mba_maturity_t mat);
4710 
4711  /// Optimize each basic block locally
4712  /// \param locopt_bits combination of \ref LOCOPT_ bits
4713  /// \return number of changes. 0 means nothing changed
4714  /// This function is called by the decompiler, usually there is no need to
4715  /// call it explicitly.
4716  int hexapi optimize_local(int locopt_bits);
4717  /// \defgroup LOCOPT_ Bits for optimize_local()
4718  //@{
4719 #define LOCOPT_ALL 0x0001 ///< redo optimization for all blocks. if this bit
4720  ///< is not set, only dirty blocks will be optimized
4721 #define LOCOPT_REFINE 0x0002 ///< refine return type, ok to fail
4722 #define LOCOPT_REFINE2 0x0004 ///< refine return type, try harder
4723  //@}
4724 
4725  /// Build control flow graph.
4726  /// This function may be called only once. It calculates the type of each
4727  /// basic block and the adjacency list. optimize_local() calls this function
4728  /// if necessary. You need to call this function only before MMAT_LOCOPT.
4729  /// \return error code
4730  merror_t hexapi build_graph(void);
4731 
4732  /// Get control graph.
4733  /// Call build_graph() if you need the graph before MMAT_LOCOPT.
4734  mbl_graph_t *hexapi get_graph(void);
4735 
4736  /// Analyze calls and determine calling conventions.
4737  /// \param acflags permitted actions that are necessary for successful detection
4738  /// of calling conventions. See \ref ACFL_
4739  /// \return number of calls. -1 means error.
4740  int hexapi analyze_calls(int acflags);
4741  /// \defgroup ACFL_ Bits for analyze_calls()
4742  //@{
4743 #define ACFL_LOCOPT 0x01 ///< perform local propagation (requires ACFL_BLKOPT)
4744 #define ACFL_BLKOPT 0x02 ///< perform interblock transformations
4745 #define ACFL_GLBPROP 0x04 ///< perform global propagation
4746 #define ACFL_GLBDEL 0x08 ///< perform dead code eliminition
4747 #define ACFL_GUESS 0x10 ///< may guess calling conventions
4748  //@}
4749 
4750  /// Optimize microcode globally.
4751  /// This function applies various optimization methods until we reach the
4752  /// fixed point. After that it preallocates lvars unless reqmat forbids it.
4753  /// \return error code
4754  merror_t hexapi optimize_global(void);
4755 
4756  /// Allocate local variables.
4757  /// Must be called only immediately after optimize_global(), with no
4758  /// modifications to the microcode. Converts registers,
4759  /// stack variables, and similar operands into mop_l. This call will not fail
4760  /// because all necessary checks were performed in optimize_global().
4761  /// After this call the microcode reaches its final state.
4762  void hexapi alloc_lvars(void);
4763 
4764  /// Dump microcode to a file.
4765  /// The file will be created in the directory pointed by IDA_DUMPDIR envvar.
4766  /// Dump will be created only if IDA is run under debugger.
4767  void hexapi dump(void) const;
4768  AS_PRINTF(3, 0) void hexapi vdump_mba(bool _verify, const char *title, va_list va) const;
4769  AS_PRINTF(3, 4) void dump_mba(bool _verify, const char *title, ...) const
4770  {
4771  va_list va;
4772  va_start(va, title);
4773  vdump_mba(_verify, title, va);
4774  va_end(va);
4775  }
4776 
4777  /// Print microcode to any destination.
4778  /// \param vp print sink
4779  void hexapi print(vd_printer_t &vp) const;
4780 
4781  /// Verify microcode consistency.
4782  /// \param always if false, the check will be performed only if ida runs
4783  /// under debugger
4784  /// If any inconsistency is discovered, an internal error will be generated.
4785  /// We strongly recommend you to call this function before returing control
4786  /// to the decompiler from your callbacks, in the case if you modified
4787  /// the microcode.
4788  void hexapi verify(bool always) const;
4789 
4790  /// Mark the microcode use-def chains dirty.
4791  /// Call this function is any inter-block data dependencies got changed
4792  /// because of your modifications to the microcode. Failing to do so may
4793  /// cause an internal error.
4794  void hexapi mark_chains_dirty(void);
4795 
4796  /// Get basic block by its serial number.
4797  const mblock_t *get_mblock(int n) const { return natural[n]; }
4798  mblock_t *get_mblock(int n) { return CONST_CAST(mblock_t*)((CONST_CAST(const mba_t *)(this))->get_mblock(n)); }
4799 
4800  /// Insert a block in the middle of the mbl array.
4801  /// The very first block of microcode must be empty, it is the entry block.
4802  /// The very last block of microcode must be BLT_STOP, it is the exit block.
4803  /// Therefore inserting a new block before the entry point or after the exit
4804  /// block is not a good idea.
4805  /// \param bblk the new block will be inserted before BBLK
4806  /// \return ptr to the new block
4807  mblock_t *hexapi insert_block(int bblk);
4808 
4809  /// Delete a block.
4810  /// \param blk block to delete
4811  /// \return true if at least one of the other blocks became empty or unreachable
4812  bool hexapi remove_block(mblock_t *blk);
4813 
4814  /// Make a copy of a block.
4815  /// This function makes a simple copy of the block. It does not fix the
4816  /// predecessor and successor lists, they must be fixed if necessary.
4817  /// \param blk block to copy
4818  /// \param new_serial position of the copied block
4819  /// \param cpblk_flags combination of \ref CPBLK_... bits
4820  /// \return pointer to the new copy
4821  mblock_t *hexapi copy_block(mblock_t *blk, int new_serial, int cpblk_flags=3);
4822 /// \defgroup CPBLK_ Batch decompilation bits
4823 //@{
4824 #define CPBLK_FAST 0x0000 ///< do not update minbstkref and minbargref
4825 #define CPBLK_MINREF 0x0001 ///< update minbstkref and minbargref
4826 #define CPBLK_OPTJMP 0x0002 ///< del the jump insn at the end of the block
4827  ///< if it becomes useless
4828 //@}
4829 
4830  /// Delete all empty and unreachable blocks.
4831  /// Blocks marked with MBL_KEEP won't be deleted.
4832  bool hexapi remove_empty_and_unreachable_blocks(void);
4833 
4834  /// Combine blocks.
4835  /// This function merges blocks constituting linear flow.
4836  /// It calls remove_empty_and_unreachable_blocks() as well.
4837  /// \return true if changed any blocks
4838  bool hexapi combine_blocks(void);
4839 
4840  /// Visit all operands of all instructions.
4841  /// \param mv operand visitor
4842  /// \return non-zero value returned by mv.visit_mop() or zero
4843  int hexapi for_all_ops(mop_visitor_t &mv);
4844 
4845  /// Visit all instructions.
4846  /// This function visits all instruction and subinstructions.
4847  /// \param mv instruction visitor
4848  /// \return non-zero value returned by mv.visit_mop() or zero
4849  int hexapi for_all_insns(minsn_visitor_t &mv);
4850 
4851  /// Visit all top level instructions.
4852  /// \param mv instruction visitor
4853  /// \return non-zero value returned by mv.visit_mop() or zero
4854  int hexapi for_all_topinsns(minsn_visitor_t &mv);
4855 
4856  /// Find an operand in the microcode.
4857  /// This function tries to find the operand that matches LIST.
4858  /// Any operand that overlaps with LIST is considered as a match.
4859  /// \param[out] ctx context information for the result
4860  /// \param ea desired address of the operand
4861  /// \param is_dest search for destination operand? this argument may be
4862  /// ignored if the exact match could not be found
4863  /// \param list list of locations the correspond to the operand
4864  /// \return pointer to the operand or NULL.
4865  mop_t *hexapi find_mop(op_parent_info_t *ctx, ea_t ea, bool is_dest, const mlist_t &list);
4866 
4867  /// Create a call of a helper function.
4868  /// \param ea The desired address of the instruction
4869  /// \param helper The helper name
4870  /// \param rettype The return type (NULL or empty type means 'void')
4871  /// \param callargs The helper arguments (NULL-no arguments)
4872  /// \param out The operand where the call result should be stored.
4873  /// If this argument is not NULL, "mov helper_call(), out"
4874  /// will be generated. Otherwise "call helper()" will be
4875  /// generated. Note: the size of this operand must be equal
4876  /// to the RETTYPE size
4877  /// \return pointer to the created instruction or NULL if error
4878  minsn_t *hexapi create_helper_call(
4879  ea_t ea,
4880  const char *helper,
4881  const tinfo_t *rettype=nullptr,
4882  const mcallargs_t *callargs=nullptr,
4883  const mop_t *out=nullptr);
4884 
4885  /// Get input argument of the decompiled function.
4886  /// \param n argument number (0..nargs-1)
4887  lvar_t &hexapi arg(int n);
4888  const lvar_t &arg(int n) const { return CONST_CAST(mba_t*)(this)->arg(n); }
4889 
4890  /// Allocate a fictional address.
4891  /// This function can be used to allocate a new unique address for a new
4892  /// instruction, if re-using any existing address leads to conflicts.
4893  /// For example, if the last instruction of the function modifies R0
4894  /// and falls through to the next function, it will be a tail call:
4895  /// LDM R0!, {R4,R7}
4896  /// end of the function
4897  /// start of another function
4898  /// In this case R0 generates two different lvars at the same address:
4899  /// - one modified by LDM
4900  /// - another that represents the return value from the tail call
4901  /// Another example: a third-party plugin makes a copy of an instruction.
4902  /// This may lead to the generation of two variables at the same address.
4903  /// Example 3: fictional addresses can be used for new instructions created
4904  /// while modifying the microcode.
4905  /// This function can be used to allocate a new unique address for a new
4906  /// instruction or a variable.
4907  /// The fictional address is selected from an unallocated address range.
4908  /// \param real_ea real instruction address (BADADDR is ok too)
4909  /// \return a unique fictional address
4910  ea_t hexapi alloc_fict_ea(ea_t real_ea);
4911 
4912  /// Resolve a fictional address.
4913  /// This function provides a reverse of the mapping made by alloc_fict_ea().
4914  /// \param fict_ea fictional definition address
4915  /// \return the real instruction address
4916  ea_t hexapi map_fict_ea(ea_t fict_ea) const;
4917 
4918  /// Get information about various memory regions.
4919  /// We map the stack frame to the global memory, to some unused range.
4920  const ivl_t &get_std_region(memreg_index_t idx) const;
4921  const ivl_t &get_lvars_region(void) const;
4922  const ivl_t &get_shadow_region(void) const;
4923  const ivl_t &get_args_region(void) const;
4924  ivl_t get_stack_region(void) const; // get entire stack region