Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changing a function type does not trigger re-analysis for functions which call the changed function through a function pointer as a data variabe #6249

Open
WeiN76LQh opened this issue Dec 11, 2024 · 1 comment
Labels
Component: Core Issue needs changes to the core Effort: Low Issue should take < 1 week Impact: Low Issue is a papercut or has a good, supported workaround Type: Bug Issue is a non-crashing bug with repro steps

Comments

@WeiN76LQh
Copy link

Version and Platform (required):

  • Binary Ninja Version: 4.3.6550-dev (1ae64a95)
  • OS: macOS
  • OS Version: 15.1.1
  • CPU Architecture: M1

Bug Description:
I have a situation where I'm creating external symbols that have a type thats a pointer to a function. Modifying that prototype to change the return value type is not causing the functions, that make a call using the external symbol, to run re-analysis. If I right-click Reanalyze Current Function then the variable being assigned the return value is updated to have a type that corresponds to the new return type of the external symbol. This is what I would expect to happen but without me having to manually do the right-click Reanalyze Current Function.

Its a bit of a weird scenario because I've basically modified the Objective-C workflow plugin to create external symbols, in a new section that doesn't exist in the binary, and replace the objc_msgSend call with a call to the external symbol. The external symbol once created has a data variable defined at its location with a function pointer type. The section, symbols and data variables are invisible in the UI, I believe due to #6132. I'm doubtful thats anything to do with it because its a UI issue and I'd imagine thats separate to the analysis engine that triggers re-analysis, but thought I'd mention it.

The reason for the creation of the external symbols is to handle objc_msgSend call inlining more eloquently. Currently the plugin just chooses the first Objective-C function with a matching selector as the actual target for the call. This is wrong alot of the time. I've modified the plugin to behave more like IDA does, which is to look at the type or symbol name (for Objective-C classes) for the self parameter and to use that combined with the selector to more accurately identify the target function. If the target function does not appear to exist in the binary, IDA will create an external symbol and then reference that symbol at the call site. I've essentially implemented the same feature in Binary Ninja, except now I've uncovered the issue that if I modify the function prototype of the external symbol, re-analysis for callers of the symbol, where the call has been inlined from another function, won't be triggered.

@WeiN76LQh WeiN76LQh changed the title Re-analysis doesn't trigger for functions that make a call to an external symbol when its prototype is changed Re-analysis doesn't trigger for functions that make an inlined call to an external symbol when its prototype is changed Dec 11, 2024
@xusheng6 xusheng6 changed the title Re-analysis doesn't trigger for functions that make an inlined call to an external symbol when its prototype is changed Changing a function type does not trigger re-analysis for functions which call the changed function through a function pointer as a data variabe Dec 23, 2024
@xusheng6
Copy link
Member

This can be reproduced by the following code:

#include <stdio.h>

void functionA(void) {
    printf("Function A called\n");
}

void (*functionPtr)(void) = functionA;

int main() {
    printf("Calling function via function pointer:\n");
    functionPtr();
    return 0;
}

Changing the type of functionA does not cause main to be marked as updated required

Binary:

test 2.zip

@xusheng6 xusheng6 added Type: Bug Issue is a non-crashing bug with repro steps Component: Core Issue needs changes to the core Impact: Low Issue is a papercut or has a good, supported workaround Effort: Low Issue should take < 1 week labels Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Component: Core Issue needs changes to the core Effort: Low Issue should take < 1 week Impact: Low Issue is a papercut or has a good, supported workaround Type: Bug Issue is a non-crashing bug with repro steps
Projects
None yet
Development

No branches or pull requests

2 participants