Thumb2: Missing and disappearing cross-references to functions

[joelreymont]

Version and Platform (required):

• Binary Ninja Version: 3.5.4286-dev, 58311b01
• OS: macos
• OS Version: 13.3
• CPU Architecture: arm64

Unlike IDA, it appears that BN does not track function pointers used in functions as cross-references.

Consider

0004dae6      task.ctx = do_init_tab

in the HLIL below. IDA adds a cross-reference from create_root_task to do_init_tab but BN does not.

0004daac  int32_t create_root_task(int32_t arg1, int32_t arg2, int32_t arg3, int32_t arg4)

0004dab0      create_sys_timer_task(arg1, arg2, arg3, arg4)  // no data processing
0004dab4      add_sys_tick_task()  // no processing
0004dac0      create_root_task_4da38()
0004dac4      add_scheduler_task()
0004dace      struct task_t task
0004dace      memset(&task.stack_size, 0, 0x54)
0004dad8      task.name = "root"
0004dae0      task.proc = root_task_proc
0004dae4      task.data = &ROOT_TASK_DATA
0004dae6      task.ctx = do_init_tab
0004daec      ROOT_TASK_20057b58 = 0
0004daf0      task.stack_size.w = 0x1000
0004daf6      task.f1 = 0x19
0004daf6      task.f2 = 0x32
0004daf6      task.f3 = 0
0004dafe      task.type = 1
0004db04      ROOT_TASK_NAME = "soft timer"
0004db08      create_task(task_data: &ROOT_TASK_DATA, task_desc: &task, task_index: 0)
0004db0c      create_idle_task()
0004db14      return 0

Anyone from V35 should search for "Encourage Salesman Prompt Delay" to find the database.

[joelreymont]

Consider sub_c0014 that's not tracked despite the following in sub_2d508

0002d63a  2560       str     r5, [r4]  {sub_c0014}

Putting the cursor on the first instruction

000c0014  0b68       ldr     r3, [r1]

does show references to sub_2d508.

Also, the HLIL shows the address despite of the disassembly pointing to the function

0002d63a      *(r3 + 0x15a0) = 0xc0015

Converting the above to display as a pointer (O) like below

0002d63a      *(r3 + 0x15a0) = sub_c0014

and then clicking through to sub_c0014 now shows proper references to sub_2d508 when you are on the name of the function in HLIL but... Click on the first line of the code and then back on the name of the function and the references disappear again!

[plafosse]

This is specifically related to Thumb2 if you look at the xrefs to the function + 1 (you have to got to hex mode. Then you can see the xrefs. This is obviously a bug where we're not clearing the thumb mode bit somewhere.

[plafosse]

This is fixed in 3.5.4341