radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

`af` doesn't create a new function at the address which is reached by jump from two or more functions #16842

Open pelijah opened 4 years ago

pelijah commented 4 years ago

Work environment

OS/arch/bits (mandatory): any
File format of the file you reverse (mandatory): any
Architecture/bits of the file (mandatory): any
r2 -v full output, not truncated (mandatory): radare2 4.5.0-git 24654 @ linux-x86-64 git.4.4.0-187-g95ba22b5c commit: 95ba22b5c288bc16db3df50669653910e09c99b8 build: 2020-05-17__11:52:34

Expected behavior

af creates a new function

Actual behavior

no new function

Steps to reproduce the behavior

1) radare2 ls.odd (elf/ls.odd from radare2-testbins repo)
2) af @ sym._obstack_begin
3) af @ sym._obstack_begin_1
4) afl~14e60 is empty

Additional Logs, screenshots, source-code, configuration dump, ...

[0x00005310]> afl
0x00014ef0    7 161  -> 158  sym._obstack_begin
0x00014f10    1 21           sym._obstack_begin_1
[0x00005310]> pd 4 @ sym._obstack_begin
┌ 158: sym._obstack_begin (int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5);
│ bp: 0 (vars 0, args 0)
│ sp: 0 (vars 0, args 0)
│ rg: 5 (vars 0, args 5)
│       ╎   0x00014ef0      806750fe       and byte [rdi + 0x50], 0xfe ; [0xfe:1]=0 ; arg1
│       ╎   0x00014ef4      48894f38       mov qword [rdi + 0x38], rcx ; arg4
│       ╎   0x00014ef8      4c894740       mov qword [rdi + 0x40], r8  ; arg5
│       └─< 0x00014efc      e95fffffff     jmp 0x14e60
[0x00005310]> pd 5 @ sym._obstack_begin_1
┌ 21: sym._obstack_begin_1 (int64_t arg1, int64_t arg4, int64_t arg5, int64_t arg6);
│ bp: 0 (vars 0, args 0)
│ sp: 0 (vars 0, args 0)
│ rg: 4 (vars 0, args 4)
│       ╎   0x00014f10      804f5001       or byte [rdi + 0x50], 1     ; arg1
│       ╎   0x00014f14      48894f38       mov qword [rdi + 0x38], rcx ; arg4
│       ╎   0x00014f18      4c894740       mov qword [rdi + 0x40], r8  ; arg5
│       ╎   0x00014f1c      4c894f48       mov qword [rdi + 0x48], r9  ; arg6
└       └─< 0x00014f20      e93bffffff     jmp 0x14e60                 ; sym._obstack_begin-0x90
[0x00005310]> e anal.verbose=1
[0x00005310]> af @ sym._obstack_begin
Overlapped at 0x00014ef0
r_anal_fcn_bb() fails at 0x14e60.
RET 0x00014ecc. overlap=false 54 161
Overlapped at 0x00014e73
r_anal_fcn_bb() fails at 0x14edd.
r_anal_fcn_bb() fails at 0x14e97.
Failed to analyze basic block at 0x14ef0
[0x00005310]> af @ sym._obstack_begin_1
r_anal_fcn_bb() fails at 0x14e60.
Failed to analyze basic block at 0x14f10

pelijah commented 4 years ago

If you change the order, af doesn't even create the sym._obstack_begin function. Related to #16833.

[0x00005310]> e anal.verbose=1
[0x00005310]> af @ sym._obstack_begin_1
r_anal_fcn_bb() fails at 0x14e60.
RET 0x00014ecc. overlap=false 54 197
Overlapped at 0x00014e73
r_anal_fcn_bb() fails at 0x14edd.
r_anal_fcn_bb() fails at 0x14e97.
Failed to analyze basic block at 0x14f10
[0x00005310]> af @ sym._obstack_begin
Message: Invalid address for function 0x00014ef0
[0x00005310]> afl
0x00014f10    7 197  -> 179  sym._obstack_begin_1
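The failure in both comments has the same shape: the entry block of the second function jumps to 0x14e60, a block the first af already claimed, and the block-discovery step refuses to continue, so no function is created at all. The toy model below (added here for illustration; it is not radare2's analysis code, and the instruction table is constructed from the listing above with a simplified shared body) reproduces that outcome and contrasts it with the common resolution of treating a jump into another function's block as a tail call.

```python
"""Toy model of recursive basic-block discovery. Not radare2's code."""

# Constructed instruction stream: addr -> (size, kind, jump target).
# Real addresses from the listing; the shared body at 0x14e60 is simplified.
PROGRAM = {
    0x14e60: (4, "fall", None),      # shared body both entries jump into
    0x14e64: (1, "ret", None),
    0x14ef0: (4, "fall", None),      # sym._obstack_begin
    0x14ef4: (4, "fall", None),
    0x14ef8: (4, "fall", None),
    0x14efc: (5, "jmp", 0x14e60),
    0x14f10: (4, "fall", None),      # sym._obstack_begin_1
    0x14f14: (4, "fall", None),
    0x14f18: (4, "fall", None),
    0x14f1c: (4, "fall", None),
    0x14f20: (5, "jmp", 0x14e60),
}

def walk_bb(start):
    """Follow fallthroughs from start to the terminator; return its successor."""
    addr = start
    while True:
        size, kind, target = PROGRAM[addr]
        if kind == "jmp":
            return target
        if kind == "ret":
            return None
        addr += size

def analyze_function(entry, owner, tail_call_on_overlap):
    """Discover basic blocks from entry. `owner` maps bb start -> owning
    function entry. Returns the set of bb starts, or None if discovery fails."""
    blocks, work = set(), [entry]
    while work:
        bb = work.pop()
        if bb in blocks:
            continue
        if owner.get(bb, entry) != entry:     # block already owned elsewhere
            if not tail_call_on_overlap:
                return None                   # "r_anal_fcn_bb() fails at 0x14e60"
            continue                          # treat as a tail call into that function
        blocks.add(bb)
        succ = walk_bb(bb)
        if succ is not None:
            work.append(succ)
    for bb in blocks:
        owner[bb] = entry
    return blocks

def run(tail_call_on_overlap):
    """Analyze both entries in the order used in the issue; return both results."""
    owner = {}
    f1 = analyze_function(0x14ef0, owner, tail_call_on_overlap)
    f2 = analyze_function(0x14f10, owner, tail_call_on_overlap)
    return f1, f2
```

With the strict policy the first function absorbs the shared block and the second yields None, matching the empty afl~14e60 result; with the tail-call policy both functions exist and the shared block stays with whichever was analyzed first.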