arch/mips_symbolization

MIPS architecture-specific rules for symbolization

MIPS Symbolic Operand Attributes

1. %hi(symbol) / %lo(symbol)

• Used to form full 32-bit addresses in non-PIC code.

• Represents the high and low 16-bit parts of a symbol’s address.

• Generates R_MIPS_HI16 and R_MIPS_LO16 relocations.

E.g.,

lui $t0, %hi(foo) # $t0 gets the upper 16 bits of foo lw $t1, %lo(foo)($t0) # Add the lower 16 bits of foo to $t0

# and load from the address.

2. %got(symbol)

• Used to access a symbol’s address through GOT.

• The assembler emits an offset from $gp to the GOT entry for the symbol, which the dynamic linker resolves at runtime.

• Generates an R_MIPS_GOT16 relocation.

E.g,

lw $t9, %got(foo)($gp) # Load address of foo via GOT

3. %pcrel_hi(symbol) / %pcrel_lo(symbol)

• Used in PIC to compute PC-relative addresses.

• Generates R_MIPS_PCHI16 and R_MIPS_PCLO16 relocations.

E.g.,

lui $t0, %pcrel_hi(foo) lw $t1, %pcrel_lo(foo)($t0)

4. %got_page(symbol) / %got_ofst(symbol)

• Used in PIC to compute GOT-relative addresses more efficiently.

• %got_page(symbol) gives the GOT entry page base and %got_ofst(symbol) gives the offset within that page.

• Generates R_MIPS_GOT_PAGE and R_MIPS_GOT_OFST relocations.

E.g.,

lw $t0, %got_page(foo)($gp) # $t0 gets the GOT page base for foo addiu $t1, $t0, %got_ofst(foo) # Add the offset to get the address of foo

gp_relative_operand(src:address, index:operand_index, dest:address)

Instructions with an indirect operand with GP(Global Pointer)-relative address

• Uses: arch.load_operation, arch.store_operation, instruction, instruction_get_op, op_indirect, symbol

• Used by: base_addr_load, symbolic_expr, symbolic_operand_attribute, symbolic_operand_mips_candidate, tls_relative_operand

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

got_reference_mips_global(Got_entry:address, Symbol:symbol)

MIPS-specific got_reference using MIPS_GOTSYM and MIPS_LOCAL_GOTNO

The main reason for this is to avoid potential issues in stratification. Some generic versions of got_reference rely on symbolic_expr, which can lead to cyclic negation or cyclic aggregation.

• Uses: dynamic_entry, loaded_section, symbol

• Used by: base_addr_load, call_tls_get_addr_mips, got_reference, symbolic_expr, symbolic_operand_attribute

hi_load(ea:address, reg:register, upper:number)

• Uses: instruction, instruction_get_op, op_immediate, op_regdirect_contains_reg

• Used by: hi_load_prop, local_dynamic_tls_candidate, plt_entry, split_load_candidate

hi_load_prop(reg_restore_ea:address, ea:address, reg:register, upper:number, type:symbol)

HI load propagation to recover hi_load value from stack or simple data-flow

• Uses: arch.memory_access, arch.move_reg_reg, hi_load

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

split_load_candidate(ea_hi:address, ea_lo:address, dest:address, type:symbol)

• Uses: arch.logic_operation, arch.memory_access, arch.multiplication_operation, arch.reg_arithmetic_operation, arch.reg_reg_arithmetic_operation, arch.shift_rotate_operation, hi_load, instruction

• Used by: moved_label_candidate, resolved_transfer, split_loadstore, symbolic_operand_attribute, symbolic_operand_candidate, symbolic_operand_point

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

split_load_point(ea:address, nextea:address, dest:address, type:symbol, point:number, why:symbol)

• Uses: arch.reg_reg_arithmetic_operation, fde_addresses, instruction

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

split_load_conflict(ea:address, nextea:address, dest:address, type:symbol, ea2:address, nextea2:address, dest2:address, type2:symbol)

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

split_load_total_points(ea:address, nextea:address, dest:address, type:symbol, points:number)

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

discarded_split_load(ea:address, nextea:address, dest:address, type:symbol, points:number)

• Used by: split_loadstore

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

split_load(ea:address, nextea:address, dest:address, type:symbol)

• Uses: arch.load_operation, arch.store_operation, instruction, instruction_get_dest_op, instruction_get_op, next, op_immediate, op_indirect_mapped, op_regdirect_contains_reg, symbol

• Used by: __agg_subclause8, base_addr_offset_operand_candidate, symbol_minus_symbol, symbolic_operand_attribute, symbolic_operand_mips_candidate

• Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

split_loadstore(ea:address, nextea:address, dest:address)

• Uses: code_in_block, data_segment, discarded_split_load, split_load_candidate, symbol

• Used by: base_addr_load, symbolic_operand_attribute, symbolic_operand_mips_candidate

valid_address(EA:address)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

symbol_type(Addr:address, Type:symbol)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

base_addr_offset_operand_candidate(EA:address, NextEA:address, Index2:operand_index, Reg:register, Dest_addr:address, SymType:symbol, Got_entry:address, Offset:number, Type:symbol)

got_page / got_fst instructions pairs

EA: Instruction for got_page NextEA: Instruction for got_ofst Index2: Operand index for got_ofst Reg: Base register in NextEA Dest_addr: Target symbol address SymType: Type of target symbol (either “code” or “data”) Got_entry: GOT entry containing page base Offset: Raw offset in NextEA Index2 operand Type: Type of got_ofst instruction (either ADDIU or LoadStore)

• Uses: arch.memory_access, arch.reg_arithmetic_operation, base_addr_load, bss_section_limits, code_in_block, data_segment, split_load, symbol

• Used by: base_addr_offset_operand, base_addr_offset_operand_point, base_addr_offset_operand_total_points, mips_page_base_in_got

base_addr_offset_operand(EA:address, NextEA:address, Index2:operand_index, Dest_addr:address, SymType:symbol, Type:symbol)

• Uses: base_addr_offset_operand_candidate, base_addr_offset_operand_total_points

• Used by: block_needs_splitting_at, inferred_symbol_mips, symbolic_operand_attribute, symbolic_operand_candidate

base_addr_offset_operand_point(EA:address, NextEA:address, Index2:operand_index, Points:number, Why:symbol)

• Uses: address_in_data_refined, arch.reg_arithmetic_operation, base_addr_offset_operand_candidate, data_segment, function_inference.function_entry_initial, reg_def_use.def_used, symbol

• Used by: base_addr_offset_operand_total_points

base_addr_offset_operand_total_points(EA:address, NextEA:address, Index2:operand_index, Points:number)

• Uses: base_addr_offset_operand_candidate, base_addr_offset_operand_point

• Used by: base_addr_offset_operand, mips_page_base_in_got

base_addr_load(EA:address, NextEA:address, Reg:register, Reg2:register, Got_entry:address, BaseAddr:address)

• Uses: arch.load_operation, got_reference_mips_global, gp_relative_operand, instruction, loaded_section, reg_def_use.def_used, relocation, split_loadstore, stack_def_use.def_used, symbol, value_reg

• Used by: base_addr_offset_operand_candidate

mips_page_base_in_got(Got_entry:address)

• Uses: base_addr_offset_operand_candidate, base_addr_offset_operand_total_points

• Used by: data_object_point, inferred_symbol_mips, symbolic_operand_attribute

match_symbol_dest_addr(Dest_addr:address)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

symbolic_operand_mips_candidate(ea:address, index:operand_index, dest:address)

• Uses: gp_relative_operand, split_load, split_loadstore

• Used by: symbolic_operand_attribute, symbolic_operand_candidate

inferred_symbol_mips(EA:address, SymbolName:symbol, Scope:symbol, Visibility:symbol, Type:symbol, Pos:symbol_position)

MIPS-specific inferred_symbol:

The MIPS assembler requires any symbol referenced by a GOT-related relocation to be global; otherwise, assembly fails (e.g., with an error that local symbols cannot use %got).

However, in a fully linked shared object, symbols originally accessed via %got(sym) may appear as local in the ELF symbol table. This happens because the linker performs symbol binding reduction – localizing symbols that are not exported – even if they were originally global during assembly and relocation processing.

As a result, some GOT entries correspond to symbols that now appear local, and reassembling such code would fail because the assembler rejects %got references to local symbols.

This discrepancy arises from the difference between what the assembler allows and what the linker produces.

To resolve this issue, we create a new inferred symbol with GLOBAL binding and HIDDEN visibility for such cases. ——————————————————————————-

• Uses: aligned_address_in_data, ambiguous_symbol, base_addr_offset_operand, defined_symbol, loaded_section, mips_page_base_in_got, symbol, tls_relative_operand_mips, tls_segment

• Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

mips_stubs_section(name:symbol)

• Used by: mips_stubs_entry

mips_stubs_entry(Block:address, Function:symbol)

• Uses: code_in_refined_block, loaded_section, mips_stubs_section, plt_entry_candidate, symbol

• Used by: abi_intrinsic

plt_entry_candidate(EA:address, GotIndex:unsigned)

• Uses: instruction, loaded_section, next, op_immediate, op_indirect, op_regdirect_contains_reg, symbol

• Used by: mips_stubs_entry, plt_entry

mips_attribute_target_to_mid_function(EA:address, Dest_addr:address, Attribute:symbol)

Some relocations may reference labels inside the body of a function, not just function entry points. Log any symbolic operands with attribute whose target lies in the middle of function.

• Uses: code_in_block, function_inference.function_entry, symbolic_operand, symbolic_operand_attribute