Merge remote-tracking branch 'origin/patch'

Ghidra/Features/Decompiler/src/decompile/cpp/architecture.cc

@@ -1404,6 +1404,7 @@ void Architecture::resetDefaultsInternal(void)
   alias_block_level = 2;	// Block structs and arrays by default, but not more primitive data-types
   split_datatype_config = OptionSplitDatatypes::option_struct | OptionSplitDatatypes::option_array
       | OptionSplitDatatypes::option_pointer;
+  max_jumptable_size = 1024;
 }
 
 /// Reset options that can be modified by the OptionDatabase. This includes

Ghidra/Features/Decompiler/src/decompile/cpp/architecture.hh

@@ -172,6 +172,7 @@ public:
   int4 max_term_duplication;	///< Max terms duplicated without a new variable
   int4 max_basetype_size;	///< Maximum size of an "integer" type before creating an array type
   int4 min_funcsymbol_size;	///< Minimum size of a function symbol
+  uint4 max_jumptable_size;	///< Maximum number of entries in a single JumpTable
   bool aggressive_ext_trim;	///< Aggressively trim inputs that look like they are sign extended
   bool readonlypropagate;	///< true if readonly values should be treated as constants
   bool infer_pointers;		///< True if we should infer pointers from constants that are likely addresses

Ghidra/Features/Decompiler/src/decompile/cpp/double.cc

@@ -787,10 +787,14 @@ bool SplitVarnode::isAddrTiedContiguous(Varnode *lo,Varnode *hi,Address &res)
   if (!hi->isAddrTied()) return false;
 
   // Make sure there is no explicit symbol that would prevent the pieces from being joined
-  SymbolEntry *entry = lo->getSymbolEntry();
-  if ((entry != (SymbolEntry *)0)&&(entry->getOffset()==0)) return false;
-  entry = hi->getSymbolEntry();
-  if ((entry != (SymbolEntry *)0)&&(entry->getOffset()==0)) return false;
+  SymbolEntry *entryLo = lo->getSymbolEntry();
+  SymbolEntry *entryHi = hi->getSymbolEntry();
+  if (entryLo != (SymbolEntry *)0 || entryHi != (SymbolEntry *)0) {
+    if (entryLo == (SymbolEntry *)0 || entryHi == (SymbolEntry *)0)
+      return false;		// One is marked with a symbol, the other is not
+    if (entryLo->getSymbol() != entryHi->getSymbol())
+      return false;		// They are part of different symbols
+  }
   AddrSpace *spc = lo->getSpace();
   if (spc != hi->getSpace()) return false;
   uintb looffset = lo->getOffset();
@@ -3093,6 +3097,12 @@ bool IndirectForm::verify(Varnode *h,Varnode *l,PcodeOp *ind)
     if (affector != PcodeOp::getOpFromConst(indlo->getIn(1)->getAddr())) continue;	// hi and lo must be affected by same op
     reslo = indlo->getOut();
     if (reslo->getSpace()->getType() == IPTR_INTERNAL) return false;		// Indirect must not be through a temporary
+    if (reslo->isAddrTied() || reshi->isAddrTied()) {
+      Address addr;
+      // If one piece is address tied, the other must be as well, and they must fit together as contiguous whole
+      if (!SplitVarnode::isAddrTiedContiguous(reslo, reshi, addr))
+	return false;
+    }
     return true;
   }
   return false;

Ghidra/Features/Decompiler/src/decompile/cpp/jumptable.cc

@@ -2217,7 +2217,7 @@ void JumpTable::recoverModel(Funcdata *fd)
 {
   if (jmodel != (JumpModel *)0) {
     if (jmodel->isOverride()) {	// If preexisting model is override
-      jmodel->recoverModel(fd,indirect,0,maxtablesize);
+      jmodel->recoverModel(fd,indirect,0,glb->max_jumptable_size);
       return;
     }
     delete jmodel;		// Otherwise this is an old attempt we should remove
@@ -2228,18 +2228,18 @@ void JumpTable::recoverModel(Funcdata *fd)
     if (op->code() == CPUI_CALLOTHER) {
       JumpAssisted *jassisted = new JumpAssisted(this);
       jmodel = jassisted;
-      if (jmodel->recoverModel(fd,indirect,addresstable.size(),maxtablesize))
+      if (jmodel->recoverModel(fd,indirect,addresstable.size(),glb->max_jumptable_size))
 	return;
     }
   }
   JumpBasic *jbasic = new JumpBasic(this);
   jmodel = jbasic;
-  if (jmodel->recoverModel(fd,indirect,addresstable.size(),maxtablesize))
+  if (jmodel->recoverModel(fd,indirect,addresstable.size(),glb->max_jumptable_size))
     return;
   jmodel = new JumpBasic2(this);
   ((JumpBasic2 *)jmodel)->initializeStart(jbasic->getPathMeld());
   delete jbasic;
-  if (jmodel->recoverModel(fd,indirect,addresstable.size(),maxtablesize))
+  if (jmodel->recoverModel(fd,indirect,addresstable.size(),glb->max_jumptable_size))
     return;
   delete jmodel;
   jmodel = (JumpModel *)0;
@@ -2343,7 +2343,6 @@ JumpTable::JumpTable(Architecture *g,Address ad)
   switchVarConsume = ~((uintb)0);
   defaultBlock = -1;
   lastBlock = -1;
-  maxtablesize = 1024;
   maxaddsub = 1;
   maxleftright = 1;
   maxext = 1;
@@ -2364,7 +2363,6 @@ JumpTable::JumpTable(const JumpTable *op2)
   switchVarConsume = ~((uintb)0);
   defaultBlock = -1;
   lastBlock = op2->lastBlock;
-  maxtablesize = op2->maxtablesize;
   maxaddsub = op2->maxaddsub;
   maxleftright = op2->maxleftright;
   maxext = op2->maxext;
@@ -2682,7 +2680,7 @@ bool JumpTable::recoverLabels(Funcdata *fd)
   }
   else {
     jmodel = new JumpModelTrivial(this);
-    jmodel->recoverModel(fd,indirect,addresstable.size(),maxtablesize);
+    jmodel->recoverModel(fd,indirect,addresstable.size(),glb->max_jumptable_size);
     jmodel->buildAddresses(fd,indirect,addresstable,(vector<LoadTable> *)0);
     trivialSwitchOver();
     jmodel->buildLabels(fd,addresstable,label,origmodel);

Ghidra/Features/Decompiler/src/decompile/cpp/jumptable.hh

@@ -535,7 +535,6 @@ class JumpTable {
   uintb switchVarConsume;	///< Bits of the switch variable being consumed
   int4 defaultBlock;		///< The out-edge corresponding to the \e default switch destination (-1 = undefined)
   int4 lastBlock;		///< Block out-edge corresponding to last entry in the address table
-  uint4 maxtablesize;		///< Maximum table size we allow to be built (sanity check)
   uint4 maxaddsub;		///< Maximum ADDs or SUBs to normalize
   uint4 maxleftright;		///< Maximum shifts to normalize
   uint4 maxext;			///< Maximum extensions to normalize
@@ -561,7 +560,6 @@ public:
   const Address &getOpAddress(void) const { return opaddress; }	///< Get the address of the BRANCHIND for the switch
   PcodeOp *getIndirectOp(void) const { return indirect; }	///< Get the BRANCHIND PcodeOp
   void setIndirectOp(PcodeOp *ind) { opaddress = ind->getAddr(); indirect = ind; }	///< Set the BRANCHIND PcodeOp
-  void setMaxTableSize(uint4 val) { maxtablesize = val; }	///< Set the maximum entries allowed in the address table
   void setNormMax(uint4 maddsub,uint4 mleftright,uint4 mext) {
     maxaddsub = maddsub; maxleftright = mleftright; maxext = mext; }	///< Set the switch variable normalization model restrictions
   void setOverride(const vector<Address> &addrtable,const Address &naddr,uintb h,uintb sv);

Ghidra/Features/Decompiler/src/decompile/cpp/marshal.cc

@@ -1160,6 +1160,6 @@ ElementId ELEM_VAL = ElementId("val",8);
 ElementId ELEM_VALUE = ElementId("value",9);
 ElementId ELEM_VOID = ElementId("void",10);
 
-ElementId ELEM_UNKNOWN = ElementId("XMLunknown",271); // Number serves as next open index
+ElementId ELEM_UNKNOWN = ElementId("XMLunknown",272); // Number serves as next open index
 
 } // End namespace ghidra

Ghidra/Features/Decompiler/src/decompile/cpp/options.cc

@@ -58,6 +58,7 @@ ElementId ELEM_SPLITDATATYPE = ElementId("splitdatatype",270);
 ElementId ELEM_STRUCTALIGN = ElementId("structalign",208);
 ElementId ELEM_TOGGLERULE = ElementId("togglerule",209);
 ElementId ELEM_WARNING = ElementId("warning",210);
+ElementId ELEM_JUMPTABLEMAX = ElementId("jumptablemax",271);
 
 /// If the parameter is "on" return \b true, if "off" return \b false.
 /// Any other value causes an exception.
@@ -120,6 +121,7 @@ OptionDatabase::OptionDatabase(Architecture *g)
   registerOption(new OptionAllowContextSet());
   registerOption(new OptionSetAction());
   registerOption(new OptionSetLanguage());
+  registerOption(new OptionJumpTableMax());
   registerOption(new OptionJumpLoad());
   registerOption(new OptionToggleRule());
   registerOption(new OptionAliasBlock());
@@ -794,6 +796,26 @@ string OptionSetLanguage::apply(Architecture *glb,const string &p1,const string
   return res;
 }
 
+/// \class OptionJumpTableMax
+/// \brief Set the maximum number of entries that can be recovered for a single jump table
+///
+/// This option is an unsigned integer value used during analysis of jump tables.  It serves as a
+/// sanity check that the recovered number of entries for a jump table is reasonable and
+/// also acts as a resource limit on the number of destination addresses that analysis will attempt
+/// to follow from a single indirect jump.
+string OptionJumpTableMax::apply(Architecture *glb,const string &p1,const string &p2,const string &p3) const
+
+{
+  istringstream s(p1);
+  s.unsetf(ios::dec | ios::hex | ios::oct);
+  uint4 val = 0;
+  s >> val;
+  if (val==0)
+    throw ParseError("Must specify integer maximum");
+  glb->max_jumptable_size = val;
+  return "Maximum jumptable size set to "+p1;
+}
+
 /// \class OptionJumpLoad
 /// \brief Toggle whether the decompiler should try to recover the table used to evaluate a switch
 ///

Ghidra/Features/Decompiler/src/decompile/cpp/options.hh

@@ -64,6 +64,7 @@ extern ElementId ELEM_SPLITDATATYPE;		///< Marshaling element \<splitdatatype>
 extern ElementId ELEM_STRUCTALIGN;		///< Marshaling element \<structalign>
 extern ElementId ELEM_TOGGLERULE;		///< Marshaling element \<togglerule>
 extern ElementId ELEM_WARNING;			///< Marshaling element \<warning>
+extern ElementId ELEM_JUMPTABLEMAX;		///< Marshaling element \<jumptablemax>
 
 /// \brief Base class for options classes that affect the configuration of the Architecture object
 ///
@@ -293,6 +294,12 @@ public:
   virtual string apply(Architecture *glb,const string &p1,const string &p2,const string &p3) const;
 };
 
+class OptionJumpTableMax : public ArchOption {
+public:
+  OptionJumpTableMax(void) { name = "jumptablemax"; }	///< Constructor
+  virtual string apply(Architecture *glb,const string &p1,const string &p2,const string &p3) const;
+};
+
 class OptionJumpLoad : public ArchOption {
 public:
   OptionJumpLoad(void) { name = "jumpload"; }	///< Constructor