Missing lifting support for some instructions in iOS kernelcache

[brinlyau]

I'm aware that this is very much of a stretch-goal that I don't actually expect this to be fully done (and some are SVE ones so we don't have a good way to lift this), but I'm gonna post my list, so people have a better idea about what's missing in a typical iOS kernelcache.

I'll keep updating this list over time - so just see the edited comments (iPhone13,3_14.1_18A8395).

This list may be similar for the dyld_shared_cache and other binaries compiled by Apple's clang. Similar idea to issue Vector35/binaryninja-api#4002 but this is for instructions present in kernels as opposed to usermode code - some crossover may exist.

• [x] 2454 fcvtzu [0xfffffff007d66a0c, 0xfffffff007d66a70, 0xfffffff0082e9990, 0xfffffff008395b00, 0xfffffff0083eff84, ...]
• [x] 1634 fmla [0xfffffff009577c58, 0xfffffff009577c60, 0xfffffff009577cb8, 0xfffffff009577cc8, 0xfffffff009577d78, ...]
• [x] 1158 fmls [0xfffffff009577c54, 0xfffffff009577c5c, 0xfffffff009577cb0, 0xfffffff009577cc0, 0xfffffff009577d74, ...]
• [ ] 286 ldset [0xfffffff007b3defc, 0xfffffff007b59e7c, 0xfffffff007b81ba4, 0xfffffff007b81e70, 0xfffffff007b821fc, 0xfffffff007b822c8, 0xfffffff007b82d24, 0xfffffff007b82e60, ...]
• [x] 254 ucvtf [0xfffffff0088da508, 0xfffffff008e9a200, 0xfffffff008e9a4a0, 0xfffffff008e9a6ec, 0xfffffff008e9a8f0, ...]
• [ ] 253 ldclr [0xfffffff007b3e52c, 0xfffffff007b3e3a4, 0xfffffff007b3e440, 0xfffffff007b65b84, 0xfffffff007b65b9c, 0xfffffff007b65bb4, 0xfffffff007b65bcc, 0xfffffff007b65be4, ...]
• [ ] 234 ldclrl [0xfffffff007b3e9f8, 0xfffffff007b3eb68, 0xfffffff007b3ef18, 0xfffffff007b3ef58, 0xfffffff007b3efc8, ...]
• [x] 150 fcvtzs [0xfffffff007bdb4e8, 0xfffffff007bdb6b0, 0xfffffff007bdbae0, 0xfffffff0082e8c88, 0xfffffff0082ed748, 0xfffffff008392c5c, 0xfffffff008395b9c, 0xfffffff008395bb4, ...]
• [x] 131 fdiv [0xfffffff00840269c, 0xfffffff008e9ad40, 0xfffffff008e9adf0, 0xfffffff008e9b204, 0xfffffff008e9b2b4, ...]
• [x] 113 scvtf [0xfffffff007bdb4e0, 0xfffffff007bdb560, 0xfffffff007bdb564, 0xfffffff007bdb618, 0xfffffff007bdb6a8, 0xfffffff007bdbad8, 0xfffffff007d669b4, 0xfffffff00800aa4c, ...]
• [ ] 111 ld2 [0xfffffff007c64ebc, 0xfffffff007c64ec4, 0xfffffff007c64f10, 0xfffffff007c64f14, 0xfffffff007eb48dc, 0xfffffff007f8a8a0, 0xfffffff007f8a8a4, 0xfffffff0081b8f14, ...]
• [x] 83 fccmp [0xfffffff007bdb57c, 0xfffffff007bdb57c, 0xfffffff00841eb54, 0xfffffff0088c6624, 0xfffffff0088ce210, 0xfffffff0088ce294, 0xfffffff0088ce330, 0xfffffff0088ce3e0, ...]
• [x] 73 dup [0xfffffff007b88480, 0xfffffff007bad79c, 0xfffffff007bad7a4, 0xfffffff007c374e4, 0xfffffff007c5a2d8, 0xfffffff007c80d04, 0xfffffff007c811cc, 0xfffffff007de9a6c, ...]
• [ ] 62 ld1r [0xfffffff007c50368, 0xfffffff007c50c1c, 0xfffffff007c5e8ec, 0xfffffff007c828f8, 0xfffffff0082941d8, 0xfffffff008295750, 0xfffffff0082ace00, 0xfffffff00833e5e4, ...]
• [x] 46 fminnm [0xfffffff008f37ec4, 0xfffffff008f420dc, 0xfffffff008f420f8, 0xfffffff008f42110, 0xfffffff008f42134, 0xfffffff008f421a8, 0xfffffff008f49350, 0xfffffff008f5a560, ...]
• [ ] 38 tlbi [0xfffffff007b6e888, 0xfffffff007b6efd8, 0xfffffff007c84d64, 0xfffffff007c84e4c, 0xfffffff007c84e64, ...]
• [x] 37 fneg [0xfffffff008cf6954, 0xfffffff008f59a18, 0xfffffff008f59aa8, 0xfffffff008f64f38, 0xfffffff008f64f4c, 0xfffffff008f64f68, 0xfffffff008f67e70, 0xfffffff008f67ea8, ...]
• [x] 36 fmaxnm [0xfffffff008f7390c, 0xfffffff008f7c160, 0xfffffff00918f7f0, 0xfffffff00918f810, 0xfffffff00918fb58, 0xfffffff00918fb8c, 0xfffffff00918fb9c, 0xfffffff00918fa60, ...]
• [x] 35 caspal [0xfffffff009196660, 0xfffffff0091975e0, 0xfffffff009196fc4, 0xfffffff009196e40, 0xfffffff009196b90, 0xfffffff009197180, 0xfffffff00919807c, 0xfffffff0091985b8, ...]
• [x] 32 sxtl [0xfffffff007bcb3f8, 0xfffffff007bdcea0, 0xfffffff007c7a56c, 0xfffffff007d128a0, 0xfffffff007d12918, ...]
• [ ] 25 ldseth [0xfffffff007bb95a8, 0xfffffff007bbbdf4, 0xfffffff007bbc7b8, 0xfffffff007d3ae30, 0xfffffff007d61bc4, 0xfffffff007d61c1c, 0xfffffff007f725fc, 0xfffffff007f74af8, ...]
• [ ] 24 sys [0xfffffff007c84dfc, 0xfffffff007c84e6c, 0xfffffff0099d20e4, 0xfffffff0099d214c, 0xfffffff0099d25a4, ...]
• [x] 24 fcvtn [0xfffffff0083f01ac, 0xfffffff0083f01c4, 0xfffffff0083f81ec, 0xfffffff0083f8204, 0xfffffff008408fe4, ...]
• [x] 22 fmax [0xfffffff0084200d8, 0xfffffff008420114, 0xfffffff00842035c, 0xfffffff008420394, 0xfffffff0084205fc, 0xfffffff008420674, 0xfffffff00842f5dc, 0xfffffff0084344e8, ...]
• [ ] 20 ldsetalh [0xfffffff007c89518, 0xfffffff007c89538, 0xfffffff007c89648, 0xfffffff007c89660, 0xfffffff007c8972c, ...]
• [ ] 20 st2 [0xfffffff00958282c, 0xfffffff009582830, 0xfffffff0095a9fac, 0xfffffff0095a9fb4, 0xfffffff0095a9fb8, 0xfffffff0095a9dfc, 0xfffffff0095a9e08, 0xfffffff0095a9e18, ...]
• [x] 19 tbl [0xfffffff007c85c54, 0xfffffff007c85c68, 0xfffffff008c25018, 0xfffffff00946e270, 0xfffffff00946e274, 0xfffffff00946e278, 0xfffffff00946e27c, 0xfffffff0094aa8ac, ...]
• [x] 18 fcmeq [0xfffffff008eb7834, 0xfffffff008eb7b24, 0xfffffff008eb7f28, 0xfffffff008eb8218, 0xfffffff008eb862c, ...]
• [ ] 14 ld4 [0xfffffff007b5f250, 0xfffffff007b5f254, 0xfffffff007b6ddec, 0xfffffff007b6ddf0, 0xfffffff009582850, ...]
• [x] 14 casp [0xfffffff007f721b4, 0xfffffff007f73a28, 0xfffffff007f73afc, 0xfffffff007f73e30, 0xfffffff007f74120, ...]
• [ ] 13 ldclrh [0xfffffff007bbbe58, 0xfffffff007d3ae10, 0xfffffff007d626ec, 0xfffffff007d626f8, 0xfffffff007f9adf8, ...]
• [ ] 13 ldclralh [0xfffffff007c865fc, 0xfffffff007c87f18, 0xfffffff007c89520, 0xfffffff007c89548, 0xfffffff007c895b0, ...]
• [x] 13 fcvtl [0xfffffff008f6a65c, 0xfffffff008f6a660, 0xfffffff008f6a8bc, 0xfffffff008f6a8d0, 0xfffffff008f6a8dc, ...]
• [ ] 11 mova [0xfffffff008271d18, 0xfffffff0086708e0, 0xfffffff008c35ce0, 0xfffffff008dbb710, 0xfffffff008e99800, ...]
• [x] 11 fabs [0xfffffff0082c2094, 0xfffffff0082f722c, 0xfffffff0082f727c, 0xfffffff00841dacc, 0xfffffff0084205ec, ...]
• [x] 10 fmin [0xfffffff00841e1c4, 0xfffffff0084205f4, 0xfffffff008420670, 0xfffffff008434518, 0xfffffff008541558, ...]
• [x] 6 uaddl [0xfffffff00826fab8, 0xfffffff00826fb1c, 0xfffffff008dbb5d8, 0xfffffff008dbb63c, 0xfffffff0095b3598, ...]
• [x] 6 ngc [0xfffffff008312d50, 0xfffffff008312f2c, 0xfffffff008313040, 0xfffffff008313830, 0xfffffff008313a3c, ...]
• [ ] 6 ld2r [0xfffffff00946df84, 0xfffffff00946dfc4, 0xfffffff00946e038, 0xfffffff00946e078, 0xfffffff00946e0f8, ...]
• [ ] 5 ldsetal [0xfffffff007b6e414, 0xfffffff0094d1088, 0xfffffff0094d1090, 0xfffffff0099b3f7c, 0xfffffff0099e8c18]
• [ ] 5 ldsetl [0xfffffff007b8b2ec, 0xfffffff007b8b370, 0xfffffff007b8b480, 0xfffffff007b8b5e8, 0xfffffff009947bd4]
• [x] 5 umull2 [0xfffffff00946dd3c, 0xfffffff00946dd54, 0xfffffff00946dd64, 0xfffffff00946dd7c, 0xfffffff00946ddac]
• [ ] 4 at [0xfffffff00826daf0, 0xfffffff00826db28, 0xfffffff00826db58, 0xfffffff0099f29a8]
• [x] 4 raddhn [0xfffffff00946e0a8, 0xfffffff00946e0b0, 0xfffffff00946e18c, 0xfffffff00946e290]
• [x] 3 fnmul [0xfffffff008b565a8, 0xfffffff008b56908, 0xfffffff008cf6970]
• [x] 3 fcmgt [0xfffffff0091af36c, 0xfffffff0091b4d60, 0xfffffff009429fc4]
• [x] 3 fcmge [0xfffffff009443130, 0xfffffff0099235b8, 0xfffffff0099235dc]
• [ ] 2 ldclral [0xfffffff007b6e348, 0xfffffff0099755f4]
• [ ] 2 ldeor [0xfffffff007b8b0dc, 0xfffffff0080cadd4]
• [ ] 2 ic [0xfffffff0082644fc, 0xfffffff00826453c]
• [x] 2 ngcs [0xfffffff008331964, 0xfffffff008337fac]
• [x] 2 smov [0xfffffff0084026b8, 0xfffffff0084026f8]
• [x] 2 faddp [0xfffffff008f7ed00, 0xfffffff00957518c]
• [ ] 2 ldumax [0xfffffff009198924, 0xfffffff009198944]
• [ ] 2 ldumaxb [0xfffffff0091acccc, 0xfffffff0091ad438]
• [x] 2 rshrn [0xfffffff00946df18, 0xfffffff00946e214]
• [ ] 2 st4 [0xfffffff009582884, 0xfffffff009582888]
• [x] 1 hint [0xfffffff007b6e9a0]
• [ ] 1 ldsetlh [0xfffffff007f96868]
• [x] 1 sxtl2 [0xfffffff0080526e8]
• [ ] 1 ldclrb [0xfffffff0080caec0]
• [ ] 1 ldsetb [0xfffffff0080caecc]
• [ ] 1 ldeorb [0xfffffff0080caed8]
• [ ] 1 ldeorh [0xfffffff0080caf20]
• [ ] 1 sb [0xfffffff00826efd4]
• [x] 1 b.al [0xfffffff008341360]
• [ ] 1 ldlar [0xfffffff008c04ee0]
• [ ] 1 st1w [0xfffffff008c0a870]
• [x] 1 fabd [0xfffffff008c1cb38]
• [ ] 1 sysl [0xfffffff008c1d074]
• [ ] 1 ldsetalb [0xfffffff0094bee4c]

[fuzyll]

LDAPUR and STLUR were added when Vector35/arch-arm64#101 was closed recently.

[brinlyau]

reran the script today, updated the OP

[psifertex]

Converted the list to checkboxes so we can better track progress. Thanks for maintaining this! Hoping to make some progress on it now.

[brinlyau]

Thanks! I'm gonna update the table and include the version number each time I update this to make this easier to track.

[psifertex]

Aww, then we can't see our progress. 😉 Yeah, that's totally fine. I do think even the current list we've gotten some on dev already which is why I converted with checkboxes. Just re-running and including the version is fine too and we can just ping you when to re-run it.

[brinlyau]

Including the iPhone13,3_14.1_18A8395 kernelcache here - decompressed

[brinlyau]

Aww, then we can't see our progress. 😉 Yeah, that's totally fine. I do think even the current list we've gotten some on dev already which is why I converted with checkboxes. Just re-running and including the version is fine too and we can just ping you when to re-run it.

fair enough, that saves me effort haha :)

[galenbwill]

Ok, as of b3b4ef25a30452f7f35d9c3f2c9c3fb0030eb89e, this is the current status of the instructions mentioned in this issue:

Some SIMD&FP instructions are a hybrid of intrinsics for vector variants and direct lifting for scalar variants.

System instructions and cache control or memory barrier instructions will remain unimplemented for now (but we could make up intrinsics for them, such as we have for rev and some others).

Load/Store instructions with specific acquire/release or other memory semantics are currently lifted as memory operations, but without any representation of the memory semantics. These could be represented similarly to the ILInstructionAttribute::SrcInstructionUsesPointerAuth attribute.

The LDn* and STn* instructions load and store structures from multiple vector registers, and would require some modifications to the intrinsic code generator.

• x: already done

• -: done in a stash

• n: will not lift

• /: can't figure out

• i: intrinsic

• [ ] [n] at: Address Translate (will not lift)

• [x] b.al

• [x] casp

• [x] caspal

• [x] dup

• [x] [i] fabd

• [x] fabs

• [x] faddp

• [x] fccmp

• [x] [i] fcmeq

• [x] [i] fcmge

• [x] [i] fcmgt

• [x] [i] fcvtl

• [x] [i] fcvtn

• [x] [i] fcvtzs

• [x] [i] fcvtzu

• [x] fdiv

• [x] fmax

• [x] [i] fmaxnm

• [x] [i] fmin

• [x] [i] fminnm

• [x] [i] fmla

• [x] [i] fmls

• [x] fneg

• [x] fnmul

• [x] hint

• [ ] [n] ic: Instruction Cache operation.

• [ ] ld1r

• [ ] ld2

• [ ] ld2r

• [ ] ld4

• [ ] ldclr

• [ ] ldclral

• [ ] ldclralh

• [ ] ldclrb

• [ ] ldclrh

• [ ] ldclrl

• [ ] ldeor

• [ ] ldeorb

• [ ] ldeorh

• [x] [i] ldlar

• [ ] ldset

• [ ] ldsetal

• [ ] ldsetalb

• [ ] ldsetalh

• [ ] ldsetb

• [ ] ldseth

• [ ] ldsetl

• [ ] ldsetlh

• [ ] ldumax

• [ ] ldumaxb

• [ ] [n] mova: Not currently lifting SME instructions (no intrinsics available)

• [x] ngc

• [x] ngcs

• [x] [i] raddhn

• [x] [i] rshrn

• [ ] [n] sb: "Speculation Barrier"

• [x] scvtf

• [x] smov

• [ ] [n] st1w: Not currently lifting SVE instructions

• [ ] st2

• [ ] st4

• [x] sxtl

• [x] sxtl2

• [ ] [n] sys: system instruction

• [ ] [n] sysl: system instruction

• [x] [i] tbl (also tbx)

• [ ] [n] tlbi: TLB Invalidate operation (will not lift)

• [x] [i] uaddl

• [x] ucvtf

• [x] [i] umull2

[galenbwill]

I updated the checklists above, and those changes are merged to dev with c3040ecfc43983af6f05da13cf2242d085b1e230, and should be reflected in builds >= 4.1.5669-dev.

I've made a best effort to lift all the instructions listed here that can be lifted, either directly or via intrinsics, with the possible exception of the ldset and other ld* atomic instructions.

(Note also that ld2 & st2 were already lifted to intrinsics, but I haven't really looked at them. All the (ld|st)[1-4] instructions could probably be handled the same way I handled tbl.)

Continuing to leave this issue open to track the remaining instructions listed.