
[MIPS] CBRANCH that are always true should be treated like BRANCH


This is using ghidra version 9.1.2.

When compiling PIC code for MIPS, the compiler will emit bgez zero, label (which disassembles into the pseudo-instruction b label), and bal function. When in ghidra, the former isn’t properly processed:

  • b label is being disassembled as bgez zero, label instead of its pseudo-form.
  • the analyzer still sees it as a CONDITIONAL_JUMP, instead of a BRANCH, which confuses the analysis flow, and produces a bunch of errors in the decompiler:

[screenshot: decompiler errors]

A good minimal reproduction case for this would be the attached file: mips-infinite-loop.gz

You can see the problems in this screenshot:

[screenshot: mips-infinite-loop listing]

What’s wrong in this picture:

  • Instruction at 00000000 is considered “CONDITIONAL_JUMP” as instruction flow.
  • The decompiler complains that it had to remove unreachable block.

Loading this test file is simply done using the MIPS:LE:32:default:default language:

[screenshot: language selection dialog]
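The flow classification the issue asks for, written out as an added example (this is not code from the issue, from Ghidra, or from the reporter): given a raw MIPS32 instruction word and its address, decide whether a conditional branch is really conditional or whether the `$zero` operands fix its outcome. `bgez $zero` and `beq $zero,$zero` are always taken and should get BRANCH flow plus the `b` pseudo-form; `bgezal $zero` is `bal` and gets CALL flow; the mirror cases (`bne $zero,$zero`, `bltz $zero`, `bgtz $zero`, `bltzal $zero`) are never taken and simply fall through. The sample blob is constructed here to resemble the reporter's infinite-loop file (a `b` to itself at address 0); the `Flow` type, `classify` and `scan` names are this example's own.

```python
"""Classify MIPS32 branches whose outcome is fixed by their operands.

A `bgez $zero, label` (what GAS emits for the `b` pseudo-op in PIC code) or a
`beq $zero, $zero, label` can never fall through. A flow analysis that keeps a
CONDITIONAL_JUMP edge to the next instruction therefore creates an unreachable
block, which is what the decompiler complains about in the issue above.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import struct

# Primary opcodes (bits 31..26) and REGIMM rt sub-opcodes (bits 20..16), MIPS32.
OP_REGIMM, OP_BEQ, OP_BNE, OP_BLEZ, OP_BGTZ = 0x01, 0x04, 0x05, 0x06, 0x07
RT_BLTZ, RT_BGEZ, RT_BLTZAL, RT_BGEZAL = 0x00, 0x01, 0x10, 0x11
ZERO = 0  # $zero is hard-wired to 0, so a compare involving only $zero is decided statically


@dataclass
class Flow:
    raw: str               # mnemonic as encoded (what the issue's listing shows)
    display: str           # pseudo-form a disassembler should print (b / bal), else raw
    kind: str              # BRANCH, CALL, CONDITIONAL_JUMP, CONDITIONAL_CALL, FALL_THROUGH, OTHER
    target: Optional[int]  # branch target, or None when the branch can never be taken
    note: str = ""


def classify(word: int, pc: int) -> Flow:
    """Classify one 32-bit instruction word located at address pc."""
    op = (word >> 26) & 0x3F
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    if imm & 0x8000:
        imm -= 0x10000
    # Offset is in words and relative to the delay-slot instruction (pc + 4).
    target = (pc + 4 + (imm << 2)) & 0xFFFFFFFF

    if op == OP_BEQ:
        if rs == rt:  # a register always equals itself; `beq $zero,$zero` is GAS's `b`
            return Flow("beq", "b", "BRANCH", target, "always taken")
        return Flow("beq", "beq", "CONDITIONAL_JUMP", target)
    if op == OP_BNE:
        if rs == rt:
            return Flow("bne", "bne", "FALL_THROUGH", None, "never taken")
        return Flow("bne", "bne", "CONDITIONAL_JUMP", target)
    if op == OP_BLEZ and rt == 0:
        if rs == ZERO:  # 0 <= 0 holds
            return Flow("blez", "b", "BRANCH", target, "always taken")
        return Flow("blez", "blez", "CONDITIONAL_JUMP", target)
    if op == OP_BGTZ and rt == 0:
        if rs == ZERO:  # 0 > 0 never holds
            return Flow("bgtz", "bgtz", "FALL_THROUGH", None, "never taken")
        return Flow("bgtz", "bgtz", "CONDITIONAL_JUMP", target)
    if op == OP_REGIMM:
        if rt == RT_BGEZ:
            if rs == ZERO:  # 0 >= 0: the `b label` form from the issue
                return Flow("bgez", "b", "BRANCH", target, "always taken")
            return Flow("bgez", "bgez", "CONDITIONAL_JUMP", target)
        if rt == RT_BLTZ:
            if rs == ZERO:
                return Flow("bltz", "bltz", "FALL_THROUGH", None, "never taken")
            return Flow("bltz", "bltz", "CONDITIONAL_JUMP", target)
        if rt == RT_BGEZAL:
            if rs == ZERO:  # the `bal function` form from the issue
                return Flow("bgezal", "bal", "CALL", target, "always taken, $ra written")
            return Flow("bgezal", "bgezal", "CONDITIONAL_CALL", target)
        if rt == RT_BLTZAL:
            if rs == ZERO:
                # Never branches, but MIPS32 writes the link register regardless of the
                # outcome, so this is the classic position-independent "get PC" idiom.
                return Flow("bltzal", "bltzal", "FALL_THROUGH", None,
                            "never taken, $ra still written")
            return Flow("bltzal", "bltzal", "CONDITIONAL_CALL", target)
    return Flow("?", "?", "OTHER", None)


def scan(code: bytes, base: int) -> List[Tuple[int, Flow]]:
    """Classify every word of a little-endian MIPS32 blob (MIPS:LE:32 in Ghidra terms)."""
    out = []
    for off in range(0, len(code) - len(code) % 4, 4):
        (word,) = struct.unpack_from("<I", code, off)
        out.append((base + off, classify(word, base + off)))
    return out


# Constructed sample (not the issue's attachment): an infinite loop at 0 encoded as
# `bgez $zero, 0`, its delay-slot nop, then a `bal` to the function that follows.
SAMPLE = struct.pack("<IIIIII",
    0x0401FFFF,  # 00000000: bgez $zero, 0    -> b 0 (branches to itself)
    0x00000000,  # 00000004: nop (delay slot)
    0x04110001,  # 00000008: bgezal $zero, +1 -> bal 0x10
    0x00000000,  # 0000000c: nop (delay slot)
    0x03E00008,  # 00000010: jr $ra (callee; jumps are outside this decoder's scope)
    0x00000000,  # 00000014: nop
)

if __name__ == "__main__":
    for pc, f in scan(SAMPLE, 0):
        tgt = "" if f.target is None else f"{f.target:08x}"
        print(f"{pc:08x}  {f.raw:7} {f.display:7} {f.kind:17} {tgt:8}  {f.note}")
```

Running it prints the word at 00000000 as `bgez` displayed as `b` with BRANCH flow and target 00000000, i.e. the fixed-flow interpretation of the reporter's loop; the `bltzal $zero` case is kept separate because, although it is never taken, it still has the side effect on `$ra` that an analyzer must not drop when it removes the edge.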

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 1
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

1 reaction
mumbel commented, Apr 11, 2020

yeah, totally agree with you there and based on your examples for the CBRANCH.

huh, I must be going crazy (maybe it was the first binary you linked) I could have sworn the CBRANCH had a 1 in the pcode op, but these are variables. You might edit your issue title as something along the lines of CBRANCH that are always true should be treated like BRANCH

0 reactions
TellowKrinkle commented, Jan 24, 2021

Ran into this issue as well with a processor definition that was missing the beq zero, zero → b entry: https://github.com/beardypig/ghidra-emotionengine/pull/47

Always-true conditional branches also seem to make the decompiler reluctant to move code past them, leading to unnecessarily complicated decompiler output
