MIPS: Instruction Disassembly/Lifting Completion

[plafosse]

The following is the list of instructions which we currently disassemble and lift (Fully or Partially). If you have any instructions which differ from this table, there is likely a bug or a documentation failure, please let us know (also if you could provide the opcodes that would be great).

Mnem	Disasm	Lifting
add	Full	Full
addi	Full	Full
addiu	Full	Full
addu	Full	Full
and	Full	Full
andi	Full	Full
clo	Full	Full
clz	Full	Full
daddu	Full	None
divu	Full	Full
ins	Full	Full
lb	Full	Full
ld	Full	None
lbu	Full	Full
lh	Full	Full
lhu	Full	Full
lui	Full	Full
lw	Full	Full
mfc0	Full	Full
mfc1	Full	Full
mfc2	Full	Full
mfhi	Full	Full
mflo	Full	Full
move	Full	Full
msub	Full	Full
msubu	Full	Full
mtc0	Full	Full
mtc1	Full	Full
mtc2	Full	Full
mthi	Full	Full
mtlo	Full	Full
mult	Full	Full
multu	Full	Full
neg	Full	Full
negu	Full	Full
nor	Full	Full
not	Full	Full
or	Full	Full
ori	Full	Full
sb	Full	Full
sll	Full	Full
sllv	Full	Full
slt	Full	Full
slti	Full	Full
sltiu	Full	Full
sltu	Full	Full
sra	Full	Full
srav	Full	Full
sub	Full	Full
subu	Full	Full
sw	Full	Full
swc1	Full	Full
swc2	Full	Full
swl	Full	Full
xor	Full	Full
xori	Full	Full
abs.d	Full	None
abs.s	Full	None
add.d	Full	None
add.s	Full	None
c.eq.d	Full	None
c.eq.s	Full	None
c.f.d	Full	None
c.f.s	Full	None
c.le.d	Full	None
c.le.s	Full	None
c.lt.d	Full	None
c.lt.s	Full	None
c.nge.d	Full	None
c.nge.s	Full	None
c.ngl.d	Full	None
c.ngl.s	Full	None
c.ngle.d	Full	None
c.ngle.s	Full	None
c.ngt.d	Full	None
c.ngt.s	Full	None
c.ole.d	Full	None
c.ole.s	Full	None
c.olt.d	Full	None
c.olt.s	Full	None
c.seq.d	Full	None
c.seq.s	Full	None
c.sf.d	Full	None
c.sf.s	Full	None
c.ueq.d	Full	None
c.ueq.s	Full	None
c.ule.d	Full	None
c.ule.s	Full	None
c.ult.d	Full	None
c.ult.s	Full	None
c.un.d	Full	None
c.un.s	Full	None
ceil.w.d	Full	None
ceil.w.s	Full	None
cfc1	Full	None
ctc1	Full	None
cvt.d.s	Full	None
cvt.d.w	Full	None
cvt.s.d	Full	None
cvt.s.w	Full	None
cvt.w.d	Full	None
cvt.w.s	Full	None
floor.w.d	Full	None
floor.w.s	Full	None
ldc2	Full	None
ll	Full	None
luxc1	Full	None
lwc2	Full	None
lwxc1	Full	None
madd	Full	None
maddu	Full	None
mfhc1	Full	None
mov.d	Full	None
mov.s	Full	None
movf	Full	None
movf.d	Full	None
movf.s	Full	None
movt	Full	None
mthc1	Full	None
mul.d	Full	None
mul.s	Full	None
neg.d	Full	None
neg.s	Full	None
rotr	Full	None
rotrv	Full	None
round.w.d	Full	None
round.w.s	Full	None
sc	Full	None
sdc2	Full	None
sh	Full	None
sqrt.d	Full	None
sqrt.s	Full	None
srl	Full	None
srlv	Full	None
sub.d	Full	None
sub.s	Full	None
suxc1	Full	None
swxc1	Full	None
trunc.w.d	Full	None
trunc.w.s	Full	None
wsbh	Full	None

[aschmitz]

#261 and #263 may just belong here instead.

[aschmitz]

Bug: sltu doesn't properly set value to 0 in LLIR.

In disassembling 00 62 18 2b, binja correctly gets sltu $v1, $v1, $v0, but the LLIR tree looks instead like:

if ($v1 u< $v0) {
  $v1 = 1
} else {
  $v1 = $v0
}

The real interpretation in the "else" case should be $v1 = 0.

[Arcnor]

This list is missing lwl (Load Word Left) and lwr (Load Word Right) as I mentioned on #1140

[Arcnor]

It's also missing (at least) cop2 from the coprocessor, as mentioned on Vector35/binaryninja-api#1131

[psifertex]

Thanks for aggregating these -- makes it easier to track when we're working on them. If there's one in particular that is slowing you down versus the others please let us know, or you can subclass our architecture and implement it yourself even. See, eg: https://github.com/Vector35/binaryninja-api/tree/dev/examples/x86_extension

[Arcnor]

Yep, just found that you had this generic issue. In my case the missing lifting is breaking the whole lifting for the function, so that one is the one that matters me the most.

I just found out that you can do it yourself as you mention, so I might try that soon.

[zznop]

daddu and ld are not being lifted (current stable 1.3)

[psifertex]

Thanks -- updated the original list.

[zznop]

dsll32 doesn't even disassemble.

[nshp]

Seems like the MIPS coprocessor registers aren't classified as "system registers", so e.g. HLIL optimizes a function full of side-effectful mtc0 and mfc0 instructions down to nothing.

Also, maybe ehb should be lifted to an intrinsic?

[nshp]

The CACHE instruction OP is not decoded correctly.
Examples:

• bc 85 00 00 is cache 5, 0($a0), but binja shows cache load, ($a0)
• bc 88 00 00 is cache 8, 0($a0), but binja still shows cache load, ($a0)
• bc 89 00 00 is cache 9, 0($a0), but binja still shows cache load, ($a0)

The cache op is 5 bits, 20:16, split into two subfields:

• 17:16: Which cache
• 20:18: Operation

The above cases were (if my numbers are right):

• 5: data cache load tag
• 8: instruction cache store tag
• 9: data cache store tag