Open thestr4ng3r opened 2 years ago
QEMU generates (some of) its disassembling C code from so-called decodetrees, specified for example at https://gitlab.com/qemu-project/qemu/-/blob/31f59af395922b7f40799e75db6e15ff52d8f94a/target/arm/a32.decode
In qemu, this then results in code like this:
```c
...
switch ((insn >> 25) & 0x7) {
case 0x0:
    /* ....000. ........ ........ ........ */
    switch (insn & 0x01000010) {
    case 0x00000000:
        /* ....0000 ........ ........ ...0.... */
        disas_a32_extract_s_rrr_shi(ctx, &u.f_s_rrr_shi, insn);
        switch ((insn >> 21) & 0x7) {
        case 0x0:
            /* ....0000 000..... ........ ...0.... */
            /* ../target/arm/a32.decode:62 */
            if (trans_AND_rrri(ctx, &u.f_s_rrr_shi)) return true;
            break;
        case 0x1:
            /* ....0000 001..... ........ ...0.... */
            /* ../target/arm/a32.decode:63 */
            if (trans_EOR_rrri(ctx, &u.f_s_rrr_shi)) return true;
            break;
...
```
It is documented in more detail here: https://qemu.readthedocs.io/en/latest/devel/decodetree.html
The generator is here: https://gitlab.com/qemu-project/qemu/-/blob/31f59af395922b7f40799e75db6e15ff52d8f94a/scripts/decodetree.py And they call it from their build system like so: https://gitlab.com/qemu-project/qemu/-/blob/31f59af395922b7f40799e75db6e15ff52d8f94a/meson.build#L2593-2599
For rizin, it will probably make more sense to have the generator somewhere outside the main repo and update a generated version in the rizin repo whenever needed, like rz-hexagon: https://github.com/rizinorg/rz-hexagon
Care has to be taken to not use any GPL'd decodetree specifications; QEMU licensing is detailed here: https://gitlab.com/qemu-project/qemu/-/blob/31f59af395922b7f40799e75db6e15ff52d8f94a/LICENSE
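As an added illustration (not code from this issue, from QEMU or from rizin), the Python below implements a small subset of the decodetree pattern syntax used in the spec linked above: fixed `0`/`1` bits, `.` don't-care bits and `name:width` fields, read from the most significant bit down. Each pattern is compiled into the same mask/match test that the generated `switch` cascades perform, and the fields are extracted from a matching instruction; the two patterns are constructed to mirror the `AND_rrri`/`EOR_rrri` data-processing entries, with `cond` modelled as a plain 4-bit field. Argument sets (`&`), formats (`@`) and the generator's tree-splitting optimisation are deliberately omitted.

```python
import re

# Simplified subset of decodetree pattern syntax: '0'/'1' fixed bits,
# '.' don't-care bits and 'name:width' fields, listed MSB first.
_FIELD = re.compile(r"([a-z_]\w*):(\d+)")

def compile_pattern(pattern, width=32):
    """Return (mask, match, fields) for one pattern line."""
    mask = match = 0
    fields = {}          # name -> (shift, width)
    pos = width          # next bit position (exclusive), counting down
    for tok in pattern.split():
        m = _FIELD.fullmatch(tok)
        if m:
            name, w = m.group(1), int(m.group(2))
            pos -= w
            fields[name] = (pos, w)
            continue
        for ch in tok:
            pos -= 1
            if ch in "01":
                mask |= 1 << pos
                match |= int(ch) << pos
            elif ch != ".":
                raise ValueError(f"bad character {ch!r} in {pattern!r}")
    if pos != 0:
        raise ValueError(f"pattern {pattern!r} covers {width - pos} bits, want {width}")
    return mask, match, fields

def build_decoder(patterns):
    """Build a first-match decoder from (name, pattern) pairs."""
    compiled = [(name, *compile_pattern(p)) for name, p in patterns]
    def decode(insn):
        for name, mask, match, fields in compiled:
            if insn & mask == match:       # same test as the generated switch cascade
                return name, {f: (insn >> s) & ((1 << w) - 1)
                              for f, (s, w) in fields.items()}
        return None, {}
    return decode

# Constructed patterns modelled on the a32.decode data-processing entries
# (s = set flags, rn/rd/rm = registers, shim/shty = shift immediate/type).
A32_DP = [
    ("AND_rrri", "cond:4 000 0000 s:1 rn:4 rd:4 shim:5 shty:2 0 rm:4"),
    ("EOR_rrri", "cond:4 000 0001 s:1 rn:4 rd:4 shim:5 shty:2 0 rm:4"),
]
decode_a32 = build_decoder(A32_DP)

if __name__ == "__main__":
    print(decode_a32(0xE0010002))   # and r0, r1, r2
    print(decode_a32(0xE0243105))   # eor r3, r4, r5, lsl #2
```

Instructions with bit 4 set (register-shifted operands) fall outside both patterns and decode to `None`, just as they fall into a different `case` in QEMU's generated code.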