Demangled type names reference missing types

[CouleeApps]

Version and Platform (required):

• Binary Ninja Version: 3.5.4288-dev
• OS: macOS
• OS Version: 12.4
• CPU Architecture: M1

Bug Description: When the Demangler constructs a type from a name, it can create Named Type References to types that do not yet exist in the analysis. These types are not created even afterwards, leaving you with a bunch of broken type references to missing names. This is especially noticeable when loading a PDB with mangled names and stripped type information.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

1. Grab the binary from https://github.com/Vector35/binaryninja-api/issues/4235
2. In the load options, disable pdb.features.createMissingNamedTypes (it is a workaround for PDBs for this bug)
3. Go to 0x140056c08
4. Try to navigate to the type of that variable
5. Notice it does not exist

Expected Behavior: I expected types used in the analysis to exist, even if just as forward declared empty structures or something.

Screenshots:

This type does not exist.

Additional Information: ~Demangler plugins #467 is blocking on this~ Demangler plugins proceeded without fixing this haha

[0xdevalias]

I've run into another variant of this when reversing a macOS C++ binary. Asking on Slack, it was suggested that it's another case of this issue, so wanted to include the context here.

In the linear view, there are a bunch of struct vtable_for_* entries, but there are no corresponding types created for them:

On slack, @CouleeApps said (Ref): "those are an artifact of the binary having a symbol for "here's where the vtable is" but it doesn't actually define a type for it"

This also seems to apply to the typeinfo_for_* entries as well:

[0xdevalias]

This issue seems somewhat related (at least to the variant I mentioned in my previous comment above):

• https://github.com/Vector35/binaryninja-api/issues/1163

Also this comment/references:

I'm not 100%, so correct me if i'm wrong, but I believe this may be related to automatically creating the structs for vtable_for_* and typeinfo_for_* and similar?

If so, I was wondering why this didn't seem to currently be a thing, I first found myself at this issue (due to the empty structs not being visible in the types):

• https://github.com/Vector35/binaryninja-api/issues/4551

And then found the following blog series, which helped me understand the in-memory layout of the vtables/etc in clang binaries a lot better:

• https://shaharmike.com/cpp/vtable-part1/

  • C++ vtables - Part 1 - Basics

• https://shaharmike.com/cpp/vtable-part2/

  • C++ vtables - Part 2 - Multiple Inheritance

• https://shaharmike.com/cpp/vtable-part3/

  • C++ vtables - Part 3 - Virtual Inheritance

• https://shaharmike.com/cpp/vtable-part4/

  • C++ vtables - Part 4 - Compiler-Generated Code

Or for something way more low-level:

• https://clang.llvm.org/doxygen/VTableBuilder_8cpp_source.html

This may also be of interest:

• https://blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/

As well as the existing vtable docs:

• https://docs.binary.ninja/guide/cpp.html#virtual-function-tables

It would be awesome if Binary Ninja core was able to handle this automagically!

---

Also, since they don't seem to be cross-linked currently, here is the issue for MSVC for easier findability:

• https://github.com/Vector35/binaryninja-api/issues/3930

Originally posted by @0xdevalias in https://github.com/Vector35/binaryninja-api/issues/3857#issuecomment-2049192814

[ccarpenter04]

I've also ran into this issue when dealing with a x86-64 Linux ELF.