Handle AppleClang-specific builtins

pgoodman commented 1 year ago

To find them:

strings /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang | grep -E '^__builtin_[a-zA-Z0-9_]+$' | sort | uniq > /tmp/apple_builtins

strings /Users/pag/Build/Release/multiplier/bin/Index/mx-index | grep -E '^__builtin_[a-zA-Z0-9_]+$' | sort | uniq > /tmp/mx_builtins

a = set(l.strip() for l in open("/tmp/apple_builtins"))
v = set(l.strip() for l in open("/tmp/mx_builtins"))
for b in sorted(m for m in a if m not in v):
  print(f" - [ ] {b}")

[x] __builtin_altivec_vec_replace_elt
[x] __builtin_altivec_vec_replace_unaligned
[x] __builtin_coro_param
[ ] __builtin_get_pointer_
[ ] __builtin_get_pointer_lower_bound
[ ] __builtin_get_pointer_upper_bound
[ ] __builtin_get_vtable_pointer
[x] __builtin_load_member_function_pointer
[x] __builtin_ptrauth_auth
[x] __builtin_ptrauth_auth_and_resign
[x] __builtin_ptrauth_blend_discriminator
[x] __builtin_ptrauth_sign_constant
[x] __builtin_ptrauth_sign_generic_data
[x] __builtin_ptrauth_sign_unauthenticated
[x] __builtin_ptrauth_string_discriminator
[x] __builtin_ptrauth_strip
[ ] __builtin_ptrauth_type_discriminator
[ ] __builtin_rvv_vmandnot_mm
[ ] __builtin_rvv_vmornot_mm
[ ] __builtin_rvv_vpopc_m
[ ] __builtin_rvv_vpopc_m_m
[ ] __builtin_terminated_by_to_indexable
[ ] __builtin_tmo_type_get_alignment
[ ] __builtin_tmo_type_get_metadata
[ ] __builtin_tmo_type_get_size
[ ] __builtin_unsafe_forge_bidi_indexable
[ ] __builtin_unsafe_forge_single
[ ] __builtin_unsafe_terminated_by_from_indexable
[ ] __builtin_unsafe_terminated_by_to_indexable
[ ] __builtin_va_lisodulemap
[x] __builtin_virtual_member_address
[ ] __builtin_wasm_trunc_sat_zero_s_f64x2_i32x4
[ ] __builtin_wasm_trunc_sat_zero_u_f64x2_i32x4
[x] __builtin_xnu_type_signature
[x] __builtin_xnu_type_summary
[x] __builtin_xnu_types_compatible

pgoodman commented 1 year ago

Good process to find them for IDA Pro:

strings -t x /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang | grep __builtin_xnu_

That gets us addresses like:

43f4550 __builtin_xnu_type_signature
43f456d __builtin_xnu_type_summary
43f4588 __builtin_xnu_types_compatible
4486b96 __builtin_xnu_type_signature
4486bb3 __builtin_xnu_type_summary
4486bce __builtin_xnu_types_compatible
4487788 __builtin_xnu_type_signature
44877a5 __builtin_xnu_type_summary

Then go to 10<address> in IDA, e.g. 1043f4550:

Then, double click on the data reference, and decompile:

pgoodman commented 1 year ago

Sometimes we won't find a coderef, and if IDA isn't telling us the DREFs, then we can go searching for them using search for bytes, using a hex string of bytes. Those results can get you the TARGET_BUILTIN info, e.g. the feature set:

pgoodman commented 1 year ago

The order of TARGET_BUILTIN info is:


#define TARGET_BUILTIN(id, type, attrs, features) \
  {#id, type, attrs, kNoHeaderName, \
   clang::LanguageID::ALL_LANGUAGES, features},

struct Info {
  const char *Name, *Type, *Attributes, *HeaderName;
  LanguageID Langs;
  const char *Features;
};

We can type it as:

struct clang_Builtin_Info {
  const char *Name, *Type, *Attributes, *HeaderName;
  int Langs;
  const char *Features;
};

In: Open Subviews > Local Types, right click insert.

Click on an address and key in y to apply the new structure type, clang_Builtin_Info. Then right click on the address to make an array if there are a bunch of them that you want to make.

trailofbits / multiplier

Handle AppleClang-specific builtins #331