
`aac` doesn't add inner functions.

Open · Rot127 opened this issue 1 year ago · 0 comments

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Fedora 40 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | x86/32 |
| `rizin -v` full output, not truncated (mandatory) | rizin a420733022708ec91fe925fdfa321ac16763c767 - Date: Sat May 4 09:31:02 2024 |

Expected behavior

Running `aac` should create a function at the target of every CALL xref found during analysis, even if the newly discovered function lies within a block of another function.

```
rizin tests/bins/elf/vim
> aac
> s 0x001b8420
> axt
sym.syntax_start 0x1b9f10 [CALL] call sym.syn_start_line
sym.syntax_start 0x1b9fca [CODE] jmp sym.syn_start_line
sym.syntax_start 0x1ba458 [CALL] call sym.syn_start_line
> fl.
0x001b8420 71 sym.syn_start_line
> afl.
0x001b9b30 sym.syntax_start
# It misses sym.syn_start_line here
```

For reference the function in question:

```
:> pd 14 @ 0x001b8420
│           ; CALL XREFS from sym.syntax_start @ 0x1b9f10, 0x1b9fca, 0x1ba458
│           ;-- syn_start_line:
│           0x001b8420      sub   rsp, 8
│           0x001b8424      mov   eax, dword [0x004b3d90]              ; [0x4b3d90:4]=0
│           0x001b842a      mov   dword [0x004b3da8], 0                ; [0x4b3da8:4]=0
│           0x001b8434      mov   dword [0x004b3db0], 0                ; [0x4b3db0:4]=0
│           0x001b843e      test  eax, eax
│       ┌─< 0x001b8440      jle   0x1b8451
│       │   0x001b8442      mov   edi, 1
│       │   0x001b8447      call  sym.syn_update_ends                  ; sym.syn_update_ends
│       │   0x001b844c      call  sym.check_state_ends                 ; sym.check_state_ends
│       └─> 0x001b8451      mov   dword [0x004b3e18], 0xffffffff       ; [0x4b3e18:4]=0
│           0x001b845b      add   dword [0x004b3d74], 1                ; [0x4b3d74:4]=0
│           0x001b8462      add   rsp, 8
│           0x001b8466      ret
            0x001b8467      nop   word [rax + rax]
```

Actual behavior

It doesn't add the function `sym.syn_start_line`.

The bug likely happens when it attempts to analyze the function, due to these lines:

https://github.com/rizinorg/rizin/blob/2b4aa5351eb1f6721a629bd20a8d659d5c09d99e/librz/core/canalysis.c#L1538-L1564

It enters those lines because at 0x001b8420 a function already exists. In line 1550 it enters the if statement, because the call comes from within `sym.syntax_start`. So it doesn't add a new function.
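To make the decision described above concrete, here is an added Python model of the `aac` target selection (written for this issue; it is not rizin's code and does not reproduce `canalysis.c`). It keeps only the two facts the report establishes: `aac` creates functions for CALL xrefs (not for the CODE/jmp xref), and a call target that is already covered by a block of the *calling* function is skipped. The block ranges for `sym.syntax_start` are assumed; the entry addresses and xrefs are the ones shown in the issue.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Function:
    """A function as the analysis sees it: an entry and a set of [start, end) blocks."""
    name: str
    entry: int
    blocks: tuple = field(default_factory=tuple)

    def contains(self, addr: int) -> bool:
        return any(start <= addr < end for start, end in self.blocks)


@dataclass(frozen=True)
class Xref:
    src_fn: str   # function the reference originates from
    src: int      # address of the referencing instruction
    kind: str     # "CALL" or "CODE", as printed by `axt`
    dst: int      # referenced address


# Constructed sample. Entries and xrefs come from the issue; the block ranges are
# an assumption: the jmp at 0x1b9fca pulled syn_start_line's body into
# sym.syntax_start as a basic block, so 0x1b8420 is "inside" that function.
SYNTAX_START = Function(
    "sym.syntax_start", 0x1B9B30,
    blocks=((0x1B9B30, 0x1BA500), (0x1B8420, 0x1B8467)),
)
OTHER_FN = Function("sym.other", 0x200000, blocks=((0x200000, 0x200100),))

XREFS = [
    Xref("sym.syntax_start", 0x1B9F10, "CALL", 0x1B8420),
    Xref("sym.syntax_start", 0x1B9FCA, "CODE", 0x1B8420),
    Xref("sym.syntax_start", 0x1BA458, "CALL", 0x1B8420),
    # a call into the same block from a different function, for comparison
    Xref("sym.other", 0x200010, "CALL", 0x1B8420),
]


def aac_targets(xrefs, funcs, skip_intra_function: bool = True) -> set:
    """Return the call targets for which a new function would be created.

    skip_intra_function=True models the reported behaviour: a target that lies
    in a block of the calling function itself is treated as internal and skipped.
    skip_intra_function=False models the expected behaviour from the report.
    """
    created = set()
    for x in xrefs:
        if x.kind != "CALL":
            continue                      # jmp/CODE xrefs never create functions
        if any(f.entry == x.dst for f in funcs):
            continue                      # already a function entry, nothing to do
        owners = [f for f in funcs if f.contains(x.dst)]
        if skip_intra_function and any(f.name == x.src_fn for f in owners):
            continue                      # the branch the issue points at
        created.add(x.dst)
    return created


def reported_behaviour(xrefs=None, funcs=None) -> set:
    """Only the caller's own xrefs exist: nothing is created."""
    return aac_targets(xrefs or XREFS[:3], funcs or [SYNTAX_START], True)


def expected_behaviour(xrefs=None, funcs=None) -> set:
    """Every CALL target becomes a function, even inside another function's block."""
    return aac_targets(xrefs or XREFS[:3], funcs or [SYNTAX_START], False)


if __name__ == "__main__":
    print("reported:", {hex(a) for a in reported_behaviour()})   # set()
    print("expected:", {hex(a) for a in expected_behaviour()})   # {'0x1b8420'}
    # A call from a different function is created either way:
    print("cross-fn:", {hex(a) for a in aac_targets(XREFS, [SYNTAX_START, OTHER_FN])})
```

The last call shows why the skip is surprising: the very same target gets a function as soon as the call originates elsewhere, so whether `sym.syn_start_line` exists depends on which function happened to be analyzed first, not on the code.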

Steps to reproduce the behavior

See above.

Rot127 · Jul 26 '24 13:07