NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

ARM Constant Propagation Analyzer for constant references computed with multiple instructions doc #2231

Open pabx06 opened 4 years ago

pabx06 commented 4 years ago

Hello. I have some trouble fully understanding the parameters for this analyzer:

image

'F1' help: could not find anything.

I believe the code is https://github.com/NationalSecurityAgency/ghidra/blob/ac0a4c92468d80040b2d07c97c4a1a0596bec32a/Ghidra/Features/Base/src/main/java/ghidra/app/plugin/core/analysis/ConstantPropagationAnalyzer.java#L64

Also, MINSPECULATIVEREFADDRESS_OPTION_DEFAULT_VALUE = 1024 is greater than MAXSPECULATIVEREFADDRESS_OPTION_DEFAULT_VALUE = 256.

I don't fully understand why the min > max... it would make sense if there was some documentation on it.

https://github.com/NationalSecurityAgency/ghidra/blob/ac0a4c92468d80040b2d07c97c4a1a0596bec32a/Ghidra/Features/Base/src/main/java/ghidra/app/plugin/core/analysis/ConstantPropagationAnalyzer.java#L73

https://github.com/NationalSecurityAgency/ghidra/blob/ac0a4c92468d80040b2d07c97c4a1a0596bec32a/Ghidra/Features/Base/src/main/java/ghidra/app/plugin/core/analysis/ConstantPropagationAnalyzer.java#L79

The reason I am asking is that I have an extra-huge function where the value of the register (r12) is displayed wrong in the Listing, I suppose. At first glance the decompiler did a bit better job at it, but it cast the function entry-point address (0x40853aaf) to 'char *', and indeed there is a function code entry point there. Meanwhile the Listing is trying to BLX r12, where r12 is the address of a string...

image

image

Also, if you look at the above screenshot it would make more sense to display either

emteere commented 4 years ago

I see the incorrect R12 reference. Somehow the value in local_88 appears to be tracked incorrectly. I'd need to see more of the code to know why that happened. Posting the bytes of the function using copy/paste would help. Although if it is a large function and ARM code, the data the function references might be important.

I agree there should be better documentation on what those values in the analyzer do. They wouldn't affect this problematic reference unless it was in the first 1024 bytes of memory, or the last 256 bytes of memory. The SPECULATIVE references are for values, mostly parameters, where only the value is known, and not how it is used. The MIN is the offset from the minimum possible address. MAX is the offset from the maximum address possible. In this case 0x0+1024 or 0xFFFFFFFF-256. Normally a reference would only be created if the memory existed, not just because it was above the MIN, or below the MAX.

There are many things that can cause issues with the references. Possibly there is a non-returning function somewhere in the routine. It is also possible, since it is such a large routine, that the compiler chose to use BL, which is normally a call, as a long jump. This would most likely be my suspicion in this case. Some of the BLX's could even be internal function jumps. It all depends on the compiler. There is a script that tries to fix this issue that can be used on an entire program. Doing it on the entire program can work sometimes, and other times can be problematic. There can be straggler functions that couldn't be fixed due to existing functions, or because of the flow. If you select the real body of the function, it will turn all calls from within that selection which call to an address in the selection into a JUMP instead of a call. The script is: Fix_ARM_Call_JumpsScript.java

If you have a program that exhibits this Call used as Branch issue, it is important to fix the places you find it before doing constant propagation or other types of analysis that rely on good flow.
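As an added example (not code from the issue, and not Ghidra's Fix_ARM_Call_JumpsScript), the check described above modelled in plain Python: decode each A32 BL/BLX-immediate in a function body and flag those whose target lands back inside the body as a call being used as a branch. It assumes ARM state (not Thumb), little-endian words, and a constructed sample body at addresses chosen for the example.

```python
"""Model of the 'BL used as a long jump' check: find BL/BLX-immediate
instructions in a function body whose target is also inside that body.
Assumes A32 (ARM state), little-endian. The sample body below is constructed
for this example; this is not Ghidra's own Fix_ARM_Call_JumpsScript."""
import struct


def sign_extend(value: int, bits: int) -> int:
    """Interpret the low `bits` of value as a two's-complement field."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_bl(addr: int, word: int):
    """Target of an A32 BL or BLX-immediate at `addr`, else None.
    In ARM state the PC operand reads as the instruction address + 8."""
    cond = word >> 28
    imm = sign_extend(word & 0xFFFFFF, 24) * 4
    if cond != 0xF and (word >> 24) & 0xF == 0xB:        # BL<c> label
        return (addr + 8 + imm) & 0xFFFFFFFF
    if cond == 0xF and (word >> 25) & 0x7 == 0b101:      # BLX label (to Thumb)
        return (addr + 8 + imm + (((word >> 24) & 1) << 1)) & 0xFFFFFFFF
    return None


def classify_calls(base: int, code: bytes, body_start: int, body_end: int):
    """Return (addr, target, kind) for each BL/BLX in `code` mapped at `base`.
    kind is 'jump' when the target is inside [body_start, body_end): the
    compiler used a call instruction as a long branch, and the flow should be
    fixed before constant propagation. Otherwise it is a real 'call'."""
    found = []
    for off in range(0, len(code) - 3, 4):
        addr = base + off
        target = decode_bl(addr, struct.unpack_from('<I', code, off)[0])
        if target is not None:
            kind = 'jump' if body_start <= target < body_end else 'call'
            found.append((addr, target, kind))
    return found


# Constructed body at 0x40850000..0x40850100 (example addresses, not real data)
BODY_START, BODY_END = 0x40850000, 0x40850100
SAMPLE = struct.pack('<5I',
    0xEB00003A,   # 40850000: BL  0x408500F0  -> inside body
    0xEB000EA9,   # 40850004: BL  0x40853AB0  -> outside body
    0xE3A00000,   # 40850008: MOV r0, #0      -> not a call
    0xEBFFFFFB,   # 4085000C: BL  0x40850000  -> backward, inside body
    0xFB00001A,   # 40850010: BLX 0x40850082  -> Thumb target inside body
)

if __name__ == '__main__':
    for addr, target, kind in classify_calls(BODY_START, SAMPLE, BODY_START, BODY_END):
        print(f'{addr:08x} -> {target:08x}: {kind}')
```

BLX via a register (like the BLX r12 in the screenshots) cannot be resolved this way; it needs the register value from constant propagation, which is exactly what a wrong call/branch flow corrupts.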