Architecture plugin delay slot breaks branching logic

[mothran]

While developing a Architecture plugin for SuperH via the Python api, I found that adding:

InstructionInfo.branch_delay = True

To any single branching instruction in the get_instruction_info() method, caused the branching logic to fail. Including overriding the True/False branch information for conditions with a single True branch and a False branch that ends in a tailcall. Even if the conditional branch does not have a delay slot.

The second error case is functions that end with a Indirect jump get the delay slot instruction marked with a tailcall jump reference to the next instruction address (PC+2).

The full plugin code can be found at:
https://github.com/mothran/binaryninja_superh

And branches are marked with delay slots here:
https://github.com/mothran/binaryninja_superh/blob/master/superh.py#L127

Binaryninja version: 2.0.2193-dev (Build ID 2d6f53af) (commercial)

Conditional branching:

Conditional branch error (the 'bt' instruction does not have a delay slot but it still is effected):

branch_delay Disabled (for all delay-slot branch instructions)

ASM:

00401026  2fe5       mov 0x2f, R5  {0x2f}
00401028  0820       tst R0, R0
0040102a  0189       bt 0x401030
0040102c  0368       mov R0, R8
0040102e  0178       add 0x1, R8
00401030  5dd2       mov.l @(0x5d, PC), R2  {0x4011a8}
00401032  0302       bsrf R2  {sub_400ccc}
00401034  12e4       mov 0x12, R4  {0x12}

LLIL:

  27 @ 00401026  R5 = sx.d(0x2f)
  28 @ 00401028  if (R0 == 0) then 29 else 31
  29 @ 00401028  flag:t = 1
  30 @ 00401028  goto 33 @ data_40102a
  31 @ 00401028  flag:t = 0
  32 @ 00401028  goto 33 @ data_40102a
  33 @ 0040102a  if (flag:t) then 34 @ data_40102e+2 else 37
  34 @ 00401030  R2 = [(0x5d << 2) + (0x401030 & 0xfffffffc) + 4 {0x4011a8}].d
  35 @ 00401032  call(0x401032 + R2 + 4)
  36 @ 00401032  goto 38 @ data_401032+2
  37 @ 0040102a  goto 40 @ data_40102a+2
  38 @ 00401034  R4 = sx.d(0x12)

branch_delay Enabled

ASM:

sub_401028:
00401028  0820       tst R0, R0
0040102a  0189       bt 0x401030  {sub_40102c}

int32_t sub_40102c(int32_t arg1 @ R0)
int32_t arg1  {Register R0}
sub_40102c:
0040102c  0368       mov R0, R8
0040102e  0178       add 0x1, R8
00401030  5dd2       mov.l @(0x5d, PC), R2  {0x4011a8}
00401032  0302       bsrf R2  {sub_400ccc}
00401034  12e4       mov 0x12, R4  {0x12}  {data_401036}

LLIL:

sub_401028:
   0 @ 00401028  if (R0 == 0) then 1 else 3
   1 @ 00401028  flag:t = 1
   2 @ 00401028  goto 5 @ 0x40102a
   3 @ 00401028  flag:t = 0
   4 @ 00401028  goto 5 @ 0x40102a
   5 @ 0040102a  if (flag:t) then 6 @ 0x401030 else 10
   6 @ 00401030  R2 = [(0x5d << 2) + (0x401030 & 0xfffffffc) + 4 {0x4011a8}].d
   7 @ 00401032  call(0x401032 + R2 + 4)
   8 @ 00401034  R4 = sx.d(0x12)
   9 @ 00401034  jump(data_401036)
  10 @ 0040102a  <return> tailcall(sub_40102c)

Indirect branching

The 'jsr' instruction does have a delay slot)

branch_delay Disabled

ASM:

_start:
00401960  00ee       mov 0x0, R14
00401962  f665       mov.l @R15+, R5 {arg2}
00401964  f366       mov R15, R6 {arg2}
00401966  462f       mov.l R4, @-R15 {arg2}
00401968  06d0       mov.l @(0x6, PC), R0  {0x401984}  {sub_401c92+0x2e}
0040196a  062f       mov.l R0, @-R15 {var_4}  {sub_401c92+0x2e}
0040196c  03d4       mov.l @(0x3, PC), R4  {sub_401000}  {0x40197c}
0040196e  04d7       mov.l @(0x4, PC), R7  {0x401980}  {sub_401a0c+0x234}
00401970  05d1       mov.l @(0x5, PC), R1  {sub_400ee0}  {0x401988}
00401972  0b41       jsr @R1  {sub_400ee0}
00401974  0900       nop 
00401976  05d1       mov.l @(0x5, PC), R1  {sub_400dac}  {0x40198c}

LLIL

_start:
   0 @ 00401960  R14 = sx.d(0)
   1 @ 00401962  R5 = [R15 {arg2}].d
   2 @ 00401964  R6 = R15 {arg2}
   3 @ 00401966  [R15 {arg2}].d = R4
   4 @ 00401966  R15 = R15 - 4
   5 @ 00401968  R0 = [(6 << 2) + (0x401968 & 0xfffffffc) + 4 {0x401984}].d
   6 @ 0040196a  [R15 {var_4}].d = R0
   7 @ 0040196a  R15 = R15 - 4
   8 @ 0040196c  R4 = [(3 << 2) + (0x40196c & 0xfffffffc) + 4 {0x40197c}].d
   9 @ 0040196e  R7 = [(4 << 2) + (0x40196e & 0xfffffffc) + 4 {0x401980}].d
  10 @ 00401970  R1 = [(5 << 2) + (0x401970 & 0xfffffffc) + 4 {0x401988}].d
  11 @ 00401972  call(R1)
  12 @ 00401972  goto 13 @ 0x401976
  13 @ 00401976  R1 = [(5 << 2) + (0x401976 & 0xfffffffc) + 4 {0x40198c}].d

branch_delay Enabled

ASM:

_start:
00401960  00ee       mov 0x0, R14
00401962  f665       mov.l @R15+, R5 {arg2}
00401964  f366       mov R15, R6 {arg2}
00401966  462f       mov.l R4, @-R15 {arg2}
00401968  06d0       mov.l @(0x6, PC), R0  {sub_40197c+8}  {sub_401c94+0x2c}
0040196a  062f       mov.l R0, @-R15 {var_4}  {sub_401c94+0x2c}
0040196c  03d4       mov.l @(0x3, PC), R4  {sub_401000}  {sub_40197c}
0040196e  04d7       mov.l @(0x4, PC), R7  {sub_40197c+4}  {sub_4019e2+0x25e}
00401970  05d1       mov.l @(0x5, PC), R1  {sub_400ee0}  {sub_40197c+0xc}
00401972  0b41       jsr @R1  {sub_400ee0}
00401974  0900       nop   {sub_401976}

int32_t sub_401976()
int32_t* R0  {Register R0}
sub_401976:
00401976  05d1       mov.l @(0x5, PC), R1  {sub_400dac}  {sub_40197c+0x10}

LLIL:

_start:
   0 @ 00401960  R14 = sx.d(0)
   1 @ 00401962  R5 = [R15 {arg2}].d
   2 @ 00401964  R6 = R15 {arg2}
   3 @ 00401966  [R15 {arg2}].d = R4
   4 @ 00401966  R15 = R15 - 4
   5 @ 00401968  R0 = [(6 << 2) + (0x401968 & 0xfffffffc) + 4 {sub_40197c+8}].d
   6 @ 0040196a  [R15 {var_4}].d = R0
   7 @ 0040196a  R15 = R15 - 4
   8 @ 0040196c  R4 = [(3 << 2) + (0x40196c & 0xfffffffc) + 4 {sub_40197c}].d
   9 @ 0040196e  R7 = [(4 << 2) + (0x40196e & 0xfffffffc) + 4 {sub_40197c+4}].d
  10 @ 00401970  R1 = [(5 << 2) + (0x401970 & 0xfffffffc) + 4 {sub_40197c+0xc}].d
  11 @ 00401972  call(R1)
  12 @ 00401974  <return> tailcall(sub_401976)

int32_t sub_401976()
int32_t* R0  {Register R0}
sub_401976:
   0 @ 00401976  R1 = [(5 << 2) + (0x401976 & 0xfffffffc) + 4 {sub_40197c+0x10}].d

It is possible that I am incorrectly using the BranchType or branch_delay flag but I was unable to find a example usage of 'branch_delay' in a architecture plugin.

[mothran]

I get to answer my own question!

So the issue is that the architecture plugin itself has to handle the lifting reordering. The binaryninja arch-mips plugin is a great example of how this works:

First double the max instruction width, example:
https://github.com/Vector35/arch-mips/blob/master/arch_mips.cpp#L381

Then, detect the branch delay in the lifting code and lift the delay slot first, then lift the branch:
https://github.com/Vector35/arch-mips/blob/master/arch_mips.cpp#L457

[psifertex]

Sorry for not answering it sooner, thanks very much for coming back to post the answer!