Version and Platform (required):
- Binary Ninja Version: 5.4.9502-dev Commercial
- OS: macos
- OS Version: 26.3.2
- CPU Architecture: arm64
Bug Description:
A user on Slack reported a crash on a firmware binary they are unable to share that occurs when "trying to inline a function for the main state machine".
The most relevant parts of the crash report are:
Triggered by Thread: 9 Worker T module:core.module.update core.function.advancedAna...
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x000000016e693f90
Exception Message: Thread stack size exceeded due to excessive recursion
Exception Codes: 0x0000000000000002, 0x000000016e693f90
Termination Reason: Namespace SIGNAL, Code 10, Bus error: 10
Terminating Process: exc handler [12389]
Thread 9 Crashed:: Worker T module:core.module.update core.function.advancedAna...
0 libarch_armv7.dylib 0x1175f9914 Push(BinaryNinja::LowLevelILFunction&, unsigned int) (in A6C206163DCD) (il_thumb2.cpp:559) + 350484
1 libarch_armv7.dylib 0x1175f62a0 GetLowLevelILForThumbInstruction(BinaryNinja::Architecture*, BinaryNinja::LowLevelILFunction&, decomp_result*, bool) (in A6C206163DCD) (il_thumb2.cpp:0) + 336544
2 libarch_armv7.dylib 0x1175e8224 Thumb2Architecture::GetInstructionLowLevelIL(unsigned char const*, unsigned long long, unsigned long&, BinaryNinja::LowLevelILFunction&) (in A6C206163DCD) (arch_thumb2.cpp:1856) + 279076
3 libarch_armv7.dylib 0x11763bcd4 BinaryNinja::Architecture::GetInstructionLowLevelILCallback(void*, unsigned char const*, unsigned long long, unsigned long*, BNLowLevelILFunction*) (in A6C206163DCD) (architecture.cpp:0) + 621780
4 libarch_armv7.dylib 0x1176baab8 BinaryNinja::Architecture::DefaultLiftFunction(BinaryNinja::LowLevelILFunction*, BinaryNinja::FunctionLifterContext&) (in A6C206163DCD) (defaultarch.cpp:812) + 1141432
5 libarch_armv7.dylib 0x11763bf68 BinaryNinja::Architecture::LiftFunctionCallback(void*, BNLowLevelILFunction*, BNFunctionLifterContext*) (in A6C206163DCD) (architecture.cpp:0) + 622440
-------- RECURSION LEVEL 4069
6 libbinaryninjacore.1.dylib 0x11bc1c790 BNGetForeignFunctionLiftedIL + 324
7 libarch_armv7.dylib 0x11763b5c8 BinaryNinja::FunctionLifterContext::GetForeignFunctionLiftedIL(BinaryNinja::Ref<BinaryNinja::Function>) (in A6C206163DCD) (architecture.cpp:628) + 619976
8 libarch_armv7.dylib 0x1176bc650 BinaryNinja::FunctionLifterContext::CheckForInlinedCall(BinaryNinja::BasicBlock*, unsigned long, unsigned long, unsigned long long, unsigned long long, unsigned char const*, unsigned long, std::__1::optional<std::__1::pair<BinaryNinja::ArchAndAddr, BinaryNinja::ArchAndAddr>>) (in A6C206163DCD) (defaultarch.cpp:974) + 1148496
9 libarch_armv7.dylib 0x1176bb168 BinaryNinja::Architecture::DefaultLiftFunction(BinaryNinja::LowLevelILFunction*, BinaryNinja::FunctionLifterContext&) (in A6C206163DCD) (defaultarch.cpp:847) + 1143144
10 libarch_armv7.dylib 0x11763bf68 BinaryNinja::Architecture::LiftFunctionCallback(void*, BNLowLevelILFunction*, BNFunctionLifterContext*) (in A6C206163DCD) (architecture.cpp:0) + 622440
[ … ]
20346 libbinaryninjacore.1.dylib 0x11bb0ace0 BinaryNinjaCore::Function::GenerateLiftedIL() (in 51A20D414613) (function.cpp:6668) + 5024992
20347 libbinaryninjacore.1.dylib 0x11bbd2458 BinaryNinjaCore::InstanceMethodDelegate<BinaryNinjaCore::Function, void ()>::InvokeDelegate(BinaryNinjaCore::Ref<BinaryNinjaCore::AnalysisContext, BinaryNinjaCore::detail::RefTraits<BinaryNinjaCore::AnalysisContext>>) (in 51A20D414613) (activity.h:265) + 5842008
Steps To Reproduce:
Unknown.
Additional Information:
The user mentioned that this happens "on 2 months old dev version and current 5.4-dev", so presumably this also happens in the 5.3 stable release.
Full user-provided crash report is available at rain branch launches quickly, with a symbolicated version at modular path gates supremely.
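As an added illustration, not Binary Ninja's own code, here is a toy lifter whose inline expansion follows the shape of the crashing path (DefaultLiftFunction -> CheckForInlinedCall -> GetForeignFunctionLiftedIL -> DefaultLiftFunction), with an in-progress stack that turns an inlining cycle into a reported error instead of unbounded recursion. The function names, call graph, IL format and depth cap are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Function:
    name: str
    # Constructed: ops are ("op", text) or ("call", callee); calls are inlined only for callees in inline_set
    ops: list = field(default_factory=list)

class InliningCycle(Exception):
    pass

class Lifter:
    def __init__(self, functions, inline_set, max_depth=64):
        self.functions = {f.name: f for f in functions}
        self.inline_set = set(inline_set)
        self.max_depth = max_depth  # assumed hard cap, a second line of defence
        self.in_progress = []       # functions whose lifting has not finished

    def lift(self, name):
        # Re-entering a function that is still being lifted means A inlines B ... inlines A;
        # without this check lift() recurses until the thread stack is exhausted, as in the report.
        if name in self.in_progress:
            chain = self.in_progress[self.in_progress.index(name):] + [name]
            raise InliningCycle(" -> ".join(chain))
        if len(self.in_progress) >= self.max_depth:
            raise InliningCycle(f"inline depth limit reached at {name}")
        self.in_progress.append(name)
        try:
            il = []
            for kind, arg in self.functions[name].ops:
                if kind == "call" and arg in self.inline_set:
                    il.extend(self.lift(arg))  # cf. GetForeignFunctionLiftedIL
                else:
                    il.append(f"{name}:{kind}:{arg}")
            return il
        finally:
            self.in_progress.pop()

def lift_or_report(functions, inline_set, entry):
    """Return (il, None) on success or (None, description) on an inlining cycle."""
    try:
        return Lifter(functions, inline_set).lift(entry), None
    except InliningCycle as exc:
        return None, str(exc)

# Constructed sample: a state-machine dispatcher and its handler call each other.
SAMPLE = [
    Function("main_sm", [("op", "load state"), ("call", "handle"), ("op", "ret")]),
    Function("handle", [("op", "switch"), ("call", "main_sm"), ("op", "ret")]),
]
```

Marking both functions for inlining reproduces the cycle as a single reported chain; marking only one of them lifts normally, which is the behaviour a cycle-aware inliner should fall back to.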