Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Improper struct parameter/return storage, unset parameter storage, etc etc

See original GitHub issue

Describe the bug The storage for structs returned or passed by value is incorrect. A struct should always be returned as __return_storage_ptr__. After a certain amount of parameters their storage is not set. Also seen is the Windows x86 PE Exception Handling analyzer not functioning?

To Reproduce Steps to reproduce the behavior:

Load the attached program/pdb/source. It’s a disaster all around and much easier to just provide it.

Expected behavior All structs should be returned as __return_storage_ptr__ even if they will fit in a register. Structs passed by value should be passed as pointer to the stack location and not all it’s components CONCATed together. The TEB * and exception handling function should either be marked up or hidden instead of in_FS_OFFSET and an uncreated function. Comments like the gcc exception handler analyzer produces would be appreciated.

Attachments

4051.zip issue number is one off.

Environment (please complete the following information):

Java Version: 11
Ghidra Version: 10.1.2 and 1996cdacd1d1bd7442c97cf694b6f27efb2b4fdb

Additional context This monstrosity was inspired by real programs out in the wild I’ve have had the pleasure of reversing.

Disclaimer: I am not responsible for any further hair loss that may come as a result of looking into this issue or the source code which produced it.

Issue Analytics

State:
Created 2 years ago
Comments:15 (12 by maintainers)

Top GitHub Comments

2reactions

dragonmachercommented, Mar 4, 2022

Disclaimer: I am not responsible for any further hair loss that may come as a result of looking into this issue or the source code which produced it.

Strong hair required for deep source code spelunking.

0reactions

astrelskycommented, May 2, 2022

I did some experimentation, and this monstrosity seems to work for x86-64:
        <pentry minsize="1" maxsize="8">
          <register name="RDI"/>
        </pentry>
        <pentry minsize="1" maxsize="8">
          <register name="RSI"/>
        </pentry>
        <pentry minsize="9" maxsize="16">
          <addr space="join" piece1="RSI" piece2="RDI"/>
        </pentry>
        <pentry minsize="1" maxsize="8">
          <register name="RDX"/>
        </pentry>
        <pentry minsize="9" maxsize="16">
          <addr space="join" piece1="RDX" piece2="RSI"/>
        </pentry>
        <pentry minsize="1" maxsize="8">
          <register name="RCX"/>
        </pentry>
        <pentry minsize="9" maxsize="16">
          <addr space="join" piece1="RCX" piece2="RDX"/>
        </pentry>
        <pentry minsize="1" maxsize="8">
          <register name="R8"/>
        </pentry>
        <pentry minsize="9" maxsize="16">
          <addr space="join" piece1="R8" piece2="RCX"/>
        </pentry>
        <pentry minsize="1" maxsize="8">
          <register name="R9"/>
        </pentry>
        <pentry minsize="9" maxsize="16">
          <addr space="join" piece1="R9" piece2="R8"/>
        </pentry>
        <pentry minsize="1" maxsize="500" align="8">
          <addr offset="8" space="stack"/>
        </pentry>
One minor issue is that it doesn’t handle the (Rust-specific) case of splitting a struct between the last register and the first QWORD of the stack. (In theory, joining with the piece stack:8:8 should work based on my read of AddressXML, but I did not get it to work.) Admittedly, this is an uncommon occurrence, since it requires a two-qword-argument to be exactly the 6th and 7th qword. Otherwise, it works for a few samples I threw at it, and it is at least better than the alternative of having to fix the signatures on every struct-passing function.

@astrelsky The example cspec XML above uses non-contiguous registers to construct larger arguments. Maybe an approach like this would work for you?

I tried to do something similar yesterday for use with go and unfortunately the xml specification file only allows up to join4 even though I think the decompiler has no such limitation. By that point it was about as gross as you would expect. There has to be a better way.

Even though it did work I ultimately still faced part of the same problem as the original issue which was the unnecessary CONCAT to join the structure all over the place in the function call.

Top Results From Across the Web

PHP - Enforce classes to have method with parameter/return ...

That's why I want to take out the common interface to its own structure) You have a good point, I don't really need...

swift - How to pass one SwiftUI View as a variable to another ...

It's a struct that conforms to View and implements var body : some View which contains a NavigationLink . I need to somehow...

Multi-Value All The Wasm! - the Web developer blog

The new v4 value is the struct return pointer parameter. The notrap annotation on the store instruction is saying that this store can't...

C++

Means we don't have to write std::vector, std::out_of_range, etc. using namespace std; // Function accepts a single int parameter and returns a string...

Splint Manual - Appendix B. Flags

A flag is not recognized or used in an incorrect way. ... Storage derivable from a parameter, return value or global variable is...