Changing a function type does not trigger re-analysis for functions which call the changed function through a function pointer as a data variable #6249
Labels:
Component: Core (Issue needs changes to the core)
Effort: Low (Issue should take < 1 week)
Impact: Medium (Issue is impactful with a bad, or no, workaround)
Type: Bug (Issue is a non-crashing bug with repro steps)
Version and Platform (required):
Bug Description:
I have a situation where I'm creating external symbols that have a type that's a pointer to a function. Modifying that prototype to change the return value type is not causing the functions that make a call using the external symbol to run re-analysis. If I right-click `Reanalyze Current Function`, then the variable being assigned the return value is updated to have a type that corresponds to the new return type of the external symbol. This is what I would expect to happen, but without me having to manually do the right-click `Reanalyze Current Function`.

It's a bit of a weird scenario because I've basically modified the Objective-C workflow plugin to create external symbols, in a new section that doesn't exist in the binary, and replace the `objc_msgSend` call with a call to the external symbol. The external symbol, once created, has a data variable defined at its location with a function pointer type. The section, symbols and data variables are invisible in the UI, I believe due to #6132. I'm doubtful that's anything to do with it because it's a UI issue and I'd imagine that's separate to the analysis engine that triggers re-analysis, but thought I'd mention it.

The reason for the creation of the external symbols is to handle `objc_msgSend` call inlining more eloquently. Currently the plugin just chooses the first Objective-C function with a matching selector as the actual target for the call. This is wrong a lot of the time. I've modified the plugin to behave more like IDA does, which is to look at the type or symbol name (for Objective-C classes) for the `self` parameter and to use that combined with the selector to more accurately identify the target function. If the target function does not appear to exist in the binary, IDA will create an external symbol and then reference that symbol at the call site. I've essentially implemented the same feature in Binary Ninja, except now I've uncovered the issue that if I modify the function prototype of the external symbol, re-analysis for callers of the symbol, where the call has been inlined from another function, won't be triggered.
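An added example (not code from the issue or from the Binary Ninja project) of the manual workaround the report implies: after redefining the external symbol's function-pointer data variable, walk the code references to it and reanalyze each calling function explicitly rather than relying on the engine to re-trigger. It assumes the Binary Ninja Python API with `bv` as the open BinaryView; the address, symbol name and prototype strings are constructed placeholders.

```python
# Added example: explicit re-analysis of callers after retyping an external
# function-pointer symbol. Assumes the Binary Ninja Python API (the
# `binaryninja` import is deferred so the pure helper can run without it).

def callers_of(bv, addr):
    """Return the distinct functions containing a code reference to `addr`.

    `bv.get_code_refs` yields one ReferenceSource per call site; a function
    that calls the symbol several times is deduplicated by its start address.
    """
    seen = {}
    for ref in bv.get_code_refs(addr):
        if ref.function is not None:
            seen[ref.function.start] = ref.function
    return list(seen.values())


def define_external_stub(bv, addr, name, prototype):
    """Create an external symbol at `addr` (assumed placeholder address in a
    plugin-created section) and give it a function-pointer data variable."""
    from binaryninja import Symbol, SymbolType  # assumption: Binary Ninja API
    sym = Symbol(SymbolType.ExternalSymbol, addr, name)
    bv.define_user_symbol(sym)
    fn_ptr_type, _ = bv.parse_type_string(prototype)
    bv.define_user_data_var(addr, fn_ptr_type)
    return sym


def retype_external_and_reanalyze(bv, addr, new_prototype):
    """Change the external symbol's prototype, then force re-analysis of every
    function that references it so the return-value variable types update.
    Returns the list of functions that were reanalyzed."""
    fn_ptr_type, _ = bv.parse_type_string(new_prototype)
    bv.define_user_data_var(addr, fn_ptr_type)   # redefine with the new type
    callers = callers_of(bv, addr)
    for func in callers:
        func.reanalyze()                          # what the right-click does
    bv.update_analysis_and_wait()
    return callers


# Usage inside a Binary Ninja session (placeholder address and names):
#   define_external_stub(bv, 0xF0000000, "_objc_stub_NSString_length",
#                        "void* (*)(void* self, void* sel)")
#   retype_external_and_reanalyze(bv, 0xF0000000,
#                                 "uint64_t (*)(void* self, void* sel)")
```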