main

This is the main module of the datalog disassembler. The disassembly has 3 main components:

1- code_inference.dl

-code_inference_postprocess.dl -cfg.dl

2- symbolization.pl

• use_def_analysis.dl

• value_analysis.dl

• data_access_analysis.dl

• pointer_reattribution.dl

In addition there are several modules that consider special cases, generic components and tables.

Special cases:

-relative_jump_tables.dl

Generic components:

-ordered_set.dl -empty_range.dl

Tables:

-float_operations.dl -jump_operations.dl

This module: - defines the input generated by the decoder - defines a series of auxiliary predicates and basic facts that are used everywhere. - defines some hard-code parameters of the analysis, such as the code and data sections

explored.

entry_point(ea:address)

• Used by: basic_target, block_needs_merging, data_region, function_inference.function_entry_initial, inferred_special_symbol, known_block, start_function

endianness(End:symbol)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

base_address(ea:address)

• Used by: +disconnected0, +disconnected2, data_segment, inferred_special_symbol, jump_table_start, labeled_data_candidate, moved_data_label, moved_label_candidate, moved_label_class, possible_rva_operand, reg_has_base_image, relative_address, relative_address_start, seh_handler_entry, symbol_minus_symbol, symbolic_expr_from_relocation, symbolic_operand_candidate

symbol(ea:address, size:unsigned, type:symbol, scope:symbol, visibility:symbol, sectionIndex:unsigned, originTable:symbol, tableIndex:unsigned, name:symbol)

• Uses: pe_export_entry, pe_import_entry

• Used by: abi_intrinsic, base_addr_offset_operand, best_ifunc_symbol, block_heuristic, cinf_symbol_minus_symbol_candidate_arm, copy_relocated_symbol, data_block_candidate, defined_symbol, function_symbol, got_reference, got_relative_operand, gp_relative_operand, ifunc_scope_score, inferred_special_symbol, init_symbol_minus_symbol_candidate_arm, labeled_data_candidate, moved_data_label, negative_block_heuristic, no_return_call, pc_relative_operand, plt_entry, plt_entry_candidate, relative_jump_table_entry, relative_jump_table_entry_candidate, relocation_adjustment, resolved_transfer_to_symbol, symbol_at_end, symbol_at_section_end, symbol_before_section_beg, symbol_minus_symbol, symbol_scope_score, symbol_set, symbol_type_score, symbol_visibility_score, symbolic_data, symbolic_expr_attribute, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate, synchronous_access_barrier, tls_descriptor, trivial_relocation

section(Name:symbol, Size:unsigned, EA:address, Align:unsigned, Index:unsigned)

• Used by: __agg_subclause1, code_section, known_block, loaded_section, symbol_at_end, symbol_at_section_end, symbol_before_section_beg, symbolic_expr_from_relocation

section_property(Name:symbol, Property:symbol)

• Used by: bss_section, code_section, data_section, loaded_section, tls_section

section_type(Name:symbol, Type:unsigned)

• Used by: data_section, function_pointer_section

byte_interval(BegAddr:address, EndAddr:address)

• Used by: basic_target, data_in_code, data_in_code_propagate, first_block_in_byte_interval

relocation(EA:address, Type:symbol, Name:symbol, Addend:number, SymbolIndex:unsigned, Section:symbol, RelType:symbol)

• Used by: address_in_data_refined, bad_symbol_constant, basic_target, best_ifunc_symbol, block_heuristic, cinf_symbol_minus_symbol_candidate_arm, copy_relocated_symbol, data_access_pattern_candidate_refined, data_block_candidate, data_object_point, direct_call, direct_jump, false_negative, false_positive, got_reference, got_relative_operand, inferred_special_symbol, init_symbol_minus_symbol_candidate_arm, instruction_has_relocation, known_block, may_have_symbolic_immediate, missing_relocation_handling, no_return_call, pc_relative_operand, plt_entry, plt_entry_arm_candidate, relative_address_start, relocation_adjustment, relocation_adjustment_total, relocation_in_operand, symbol_minus_symbol, symbol_minus_symbol_from_relocation, symbol_score, symbolic_data, symbolic_expr, symbolic_expr_attribute, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate, symbolic_operand_point, tls_descriptor, tls_global_dynamic, tls_index, trivial_relocation, value_reg, zero_relocation

relocation_size(Type:symbol, Size:unsigned)

• Uses: binary_format, elf_relocation_size, pe_relocation_size

• Used by: block_heuristic, relocation_adjustment, symbolic_expr_from_relocation

relocation_adjustment(EA:address, Adjustment:number, Reason:symbol)

Defines adjustments to relocation values.

• Uses: binary_format, instruction, reloc_type_relpc, relocation, relocation_size, symbol

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

relocation_adjustment_total(EA:address, Adjustment:number)

The total relocation adjustment for a location

• Uses: relocation

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

binary_type(Type:symbol)

• Used by: address_in_data_refined, arch.delay_slot, basic_target, boundary_sym_expr, data_object_point, inferred_main_dispatch, inferred_special_symbol, instruction_has_relocation, known_block, may_have_symbolic_immediate, moved_displacement_candidate, moved_immediate_candidate, moved_label_candidate, moved_label_class, relocation_active_symbol_table, symbol_minus_symbol_from_relocation, symbolic_expr_attribute, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate, symbolic_operand_point

binary_format(Format:symbol)

• Used by: address_array_aux, after_end, arch.integer_reg_param, avoid_symbols, basic_reg_def_use.def, best_func_symbol, block_heuristic, bss_section, call_tls_get_addr, data_block_candidate, data_object_conflict, data_region, data_section, data_segment, direct_call, direct_jump, function_pointer_section, get_pc_thunk, incremental_linking_candidate, inferred_main_dispatch, inferred_special_symbol, inferred_symbol, invalid, is_padding, known_block, main_function, merged_data_region, moved_displacement_candidate, moved_label_candidate, moved_label_class, moved_pc_relative_candidate, no_return_function, plt_block, reg_def_use.def, reg_has_base_image, relative_address_start, relocation_active_symbol_table, relocation_adjustment, relocation_size, seh_handler_table, start_function, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate, symbolic_operand_point, tls_get_addr, tls_global_dynamic, tls_index, tls_local_dynamic, tls_relative_operand, tls_segment_register, value_reg

arch_info(Key:symbol, Value:symbol)

ArchInfo auxdata derived ELF metadata

• Used by: +disconnected7, inferred_arch_info

binary_isa(ArchName:symbol)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

option(Option:symbol)

• Used by: cfi_directive, symbol_minus_symbol, symbol_special_encoding, symbolic_data

dynamic_entry(tag:symbol, value:unsigned)

• Used by: +disconnected0, abi_intrinsic, basic_target, block_needs_merging, got_reference, known_block

instruction(ea:address, size:unsigned, prefix:symbol, opcode:symbol, op1:operand_code, op2:operand_code, op3:operand_code, op4:operand_code, immOffset:unsigned, displacementOffset:unsigned)

• Used by: +disconnected2, +disconnected3, +disconnected4, +disconnected5, __agg_subclause3, adrp_used, after_end, alignment, arch.adr_dest, arch.alignment_required, arch.call, arch.cmp_operation, arch.cmp_zero_operation, arch.conditional, arch.conditional_operation, arch.dangling_thumb_instr, arch.data_access_size, arch.delay_slot, arch.extend_load, arch.extend_reg, arch.instruction_at, arch.is_nop, arch.it_conditional, arch.jump, arch.load_operation, arch.logic_operation, arch.memory_access, arch.memory_access_aggregated, arch.move_operation, arch.move_reg_imm, arch.move_reg_reg, arch.multiplication_operation, arch.op_access_override, arch.operation_alignment_required, arch.pc_relative_addr, arch.reg_arithmetic_operation, arch.reg_imm_bitwise_binary_op, arch.reg_reg_arithmetic_operation, arch.reg_reg_bitwise_binary_op, arch.reg_relative_load, arch.return, arch.shift_rotate_operation, arch.store_immediate, arch.store_operation, arm_jump_table_candidate, arm_jump_table_candidate_start, arm_jump_table_skip_first_entry, bad_symbol_constant, base_addr_offset_operand, base_relative_operand, basic_target, block_heuristic, block_information, branch_to_calculated_pc_rel_addr, cinf_ldr_add_pc, cmp_reg_to_reg, code_in_block_candidate, compare_and_jump_immediate, compare_and_jump_indirect, contains_implausible_instr_seq, contains_plausible_instr_seq, data_access_pattern_candidate_refined, def_register_is_not_base_address, direct_call, direct_jump, discarded_block, get_pc_thunk, gp_relative_operand, halt, hi_load, indirect_jump, inferred_main_in_reg, inferred_special_symbol, init_ldr_add_pc, instruction_displacement_offset, instruction_get_op, instruction_has_loop_prefix, instruction_has_relocation, instruction_immediate_offset, instruction_memory_access_size, invalid, invalid_jump_table_candidate, is_padding, is_xor_reset, jump_table_prelude, jump_table_start, litpool_confidence, litpool_symbolic_operand, max_instruction_size, may_have_symbolic_immediate, misaligned_fde_start, moved_displacement_candidate, moved_label_candidate, moved_label_class, moved_pc_relative_candidate, movw_movt, movw_movt_pair, must_fallthrough, negative_block_heuristic, next, no_value_reg_limit, npad, op_immediate_and_reg, overlapping_instruction, pc_load_call, pc_relative_operand, plt_bx_pc, plt_entry, plt_entry_arm_candidate, plt_entry_candidate, reg_has_base_image, reg_jump, relative_address, relative_address_start, relocation_adjustment, resolved_transfer, split_load, split_load_candidate, split_load_point, split_load_tail, stack_def_use.def, straight_line_last_def, symbol_minus_symbol, symbolic_operand_candidate, symbolic_operand_point, take_address, tls_global_dynamic, unlikely_have_symbolic_immediate, value_reg, value_reg_edge

instruction_writeback(EA:address)

The instruction at EA has capstone’s cs_arm.writeback set.

• Used by: arch.memory_access, arch.reg_arithmetic_operation, arch.reg_reg_arithmetic_operation, invalid

instruction_cond_code(EA:address, CondCode:symbol)

The instruction at EA has capstone’s cs_arm.cc set.

• Used by: arch.conditional

register_access(EA:address, Register:input_reg, AccessMode:access_mode)

The register Register is accessed at EA with AccessMode.

AccessMode may be “R” or “W”

• Used by: basic_reg_def_use.def, basic_reg_def_use.used, compare_and_jump_immediate, reg_def_use.def, reg_def_use.used, reg_map_nullable

instruction_op_access(EA:address, Index:operand_index, AccessMode:access_mode)

The operand at index Index is accessed at EA with AccessMode

• Used by: instruction_get_dest_op, instruction_get_src_op

op_register_bitfield(Code:operand_code, Index:unsigned, RegisterName:input_reg)

Index: The index of the register in bitfield (starts with 0)

• Used by: arch.memory_access, arch.memory_access_aggregated, arch.reg_relative_load, op_regdirect_contains_reg, reg_map_nullable

invalid_op_code(EA:address)

• Used by: invalid

op_regdirect(Code:operand_code, RegisterName:input_reg)

• Used by: arch.data_access_size, arch.extend_reg, arch.is_nop, arch.memory_access, arch.reg_arithmetic_operation, instruction_memory_access_size, jump_table_signed, npad, op_regdirect_contains_reg, reg_map_nullable

op_fp_immediate(Code:operand_code, Imm:float)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

op_immediate(Code:operand_code, Offset:number, SizeBytes:unsigned)

• Used by: +disconnected2, arch.adr_dest, arch.memory_access, arch.move_reg_imm, arch.pc_relative_addr, arch.reg_arithmetic_operation, arch.reg_imm_bitwise_binary_op, arch.store_immediate, block_limit, compare_and_jump_indirect, direct_call, direct_jump, hi_load, inferred_special_symbol, instruction_immediate_offset, may_have_symbolic_immediate, movw_movt, op_immediate_and_reg, plt_entry_candidate, split_load, split_load_tail, symbolic_expr_from_relocation, symbolic_operand_candidate, symbolic_operand_point

op_special(Code:operand_code, Type:symbol, Value:symbol)

• Used by: arch.conditional

op_indirect(Code:operand_code, Reg1:input_reg, Reg2:input_reg, Reg3:input_reg, Multiplier:number, Offset:number, SizeBytes:unsigned)

• Used by: arch.reg_arithmetic_operation, base_relative_operand, base_relative_symbolic_operand, compare_and_jump_indirect, gp_relative_operand, indirect_call, indirect_jump, instruction_displacement_offset, instruction_memory_access_size, invalid, moved_label_candidate, moved_label_class, op_indirect_contains_reg, op_indirect_mapped, plt_entry, plt_entry_candidate, possible_rva_operand, reg_map_nullable, relative_address_start, stack_def_use.def, symbol_minus_symbol, symbolic_expr_from_relocation, symbolic_operand_candidate, symbolic_operand_point, tls_relative_operand, value_reg

op_shifted(EA:address, Index:operand_index, Shift:unsigned, Type:symbol)

The operand identified by Index should be shifted with an immediate.

Used on ARM/ARM64, but not x86 or MIPS. Type is architecure-dependent.

• Used by: arch.extend_reg, arch.non_mult_shift, arch.reg_imm_bitwise_binary_op, arch.reg_reg_arithmetic_operation, arch.reg_reg_bitwise_binary_op

op_shifted_w_reg(EA:address, Index:operand_index, Reg:input_reg, Type:symbol)

The operand identified by Index should be shifted with a register.

Used on ARM/ARM64, but not x86 or MIPS. Type is architecure-dependent.

• Used by: arch.non_mult_shift, reg_map_nullable

address_in_data(EA:address, Value:address)

There is a potential address at ‘EA’ pointing to ‘Value’.

• Used by: address_in_data_refined, aligned_address_in_data, arm_jump_table_candidate, arm_jump_table_skip_first_entry, basic_target, block_heuristic, data_access_pattern_candidate_refined, data_block_candidate, data_object_point, inferred_main_function, inferred_special_symbol, known_block, moved_label_candidate, moved_label_class, relative_address_start, symbolic_operand_candidate

data_region(Begin:address, Size:unsigned)

• Uses: __agg_single4, binary_format, entry_point, incremental_linking, loaded_section, next, pe_data_directory, pe_debug_data, seh_handler_table

• Used by: invalid

ascii_string(EA:address, End:address)

Possible null-terminated ASCII string of ‘Size’ bytes begins at address ‘EA’.

• Used by: block_heuristic, data_block_candidate, indefinite_litpool_ref, negative_block_heuristic, string_candidate

reg_map_nullable(RegIn:input_reg, Reg:reg_nullable)

Maps input_reg to registers referred to by a single name. This is used to allow different register names that refer to the same storage to be tracked together, e.g., on x86, both AX and EAX are members of the EAX register.

• Uses: arch.reg_map_rule, op_indirect, op_regdirect, op_register_bitfield, op_shifted_w_reg, register_access

• Used by: op_indirect_mapped, reg_map, tls_relative_operand

reg_nonnull(RegNullable:reg_nullable, Reg:register)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

reg_map(RegIn:input_reg, Reg:register)

• Uses: reg_map_nullable

• Used by: arch.extend_reg, arch.memory_access, arch.memory_access_aggregated, arch.register_size_bytes, basic_reg_def_use.def, basic_reg_def_use.used, compare_and_jump_immediate, invalid, jump_table_signed, op_indirect_contains_reg, op_regdirect_contains_reg, reg_def_use.def, reg_def_use.used

instruction_immediate_offset(EA:address, Index:operand_index, Offset:unsigned, Size:unsigned)

This predicate determines the Offset and Size of an immediate operand of index Index. This is used to place symbolic expressions at the right address. The Offset is non-zero only for the x86 ISA, for other ISAs the symbolic expressions point to the beginning of the instruction.

• Uses: instruction, instruction_get_op, op_immediate

• Used by: block_heuristic, boundary_sym_expr, cfg_edge_to_symbol, direct_call, direct_jump, false_negative, false_positive, instruction_has_relocation, litpool_ref, may_have_symbolic_immediate, no_return_call, relocation_in_operand, symbol_minus_symbol, symbolic_expr, symbolic_expr_attribute, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate

instruction_displacement_offset(EA:address, Index:operand_index, Offset:unsigned, Size:unsigned)

This predicate determines the Offset and Size of a displacement in an indirect operand of index Index. This is used to place symbolic expressions at the right address. The Offset is non-zero only for the x86 ISA, for other ISAs the symbolic expressions point to the beginning of the instruction.

• Uses: instruction, instruction_get_op, op_indirect

• Used by: base_relative_symbolic_operand, block_heuristic, boundary_sym_expr, false_negative, false_positive, got_relative_operand, instruction_has_relocation, moved_data_label, moved_label_class, pc_relative_operand, relocation_in_operand, symbol_minus_symbol, symbol_minus_symbol_candidate, symbolic_expr, symbolic_expr_attribute, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate

instruction_get_operation(ea:address, operation:symbol)

WARNING: Predicate not present in compiled Datalog program (Dead Code)

instruction_get_op(ea:address, index:operand_index, operator:operand_code)

• Uses: instruction

• Used by: +disconnected2, arch.conditional, arch.extend_reg, arch.non_mult_shift, arch.op_access_override, arch.pc_relative_addr, arch.register_access_override, arch.return, base_relative_operand, base_relative_symbolic_operand, basic_reg_def_use.used_explicit, branch_to_calculated_pc_rel_addr, cmp_reg_to_reg, compare_and_jump_immediate, compare_and_jump_indirect, compare_and_jump_indirect_op_valid, data_access, direct_call, direct_jump, got_relative_operand, gp_relative_operand, hi_load, indirect_call, indirect_jump, inferred_main_function, instruction_displacement_offset, instruction_get_dest_op, instruction_get_src_op, instruction_immediate_offset, instruction_memory_access_size, invalid, may_have_symbolic_immediate, moved_label_candidate, moved_label_class, op_immediate_and_reg, pc_relative_operand, plt_bx_pc, plt_entry, possible_rva_operand, reg_call, reg_def_use.used_explicit, reg_jump, reg_used_for, relative_address_start, split_load, symbol_minus_symbol, symbol_minus_symbol_candidate, symbolic_expr_from_relocation, symbolic_operand_candidate, symbolic_operand_point, tls_relative_operand, value_reg, value_reg_limit

instruction_get_src_op(EA:address, Index:operand_index, Op:operand_code)

Source operands

• Uses: arch.op_access_override, instruction_get_op, instruction_op_access

• Used by: arch.pc_relative_addr, basic_reg_def_use.used_explicit, basic_target, inferred_main_in_reg, invalid, jump_table_signed, litpool_symbolic_operand, plt_entry, plt_entry_arm_candidate, reg_def_use.used_explicit, relative_address_start, stack_def_use.used

instruction_get_dest_op(EA:address, Index:operand_index, Op:operand_code)

Destination operands

• Uses: arch.op_access_override, instruction_get_op, instruction_op_access

• Used by: __agg_subclause6, alignment, arch.pc_relative_addr, arch.reg_relative_load, instruction_memory_access_size, invalid, jump_table_signed, litpool_confidence, litpool_symbolic_operand, moved_pc_relative_candidate, negative_block_heuristic, plt_entry_arm_candidate, split_load, value_reg_edge

next(n:address, m:address)

• Uses: instruction

• Used by: __agg_subclause3, after_end, arch.dangling_thumb_instr, arch.delay_slot, arch.it_conditional, arm_jump_table_block_start, block_candidate_boundaries, block_heuristic, block_instruction_next, block_last_instruction, code_in_block_candidate_refined, code_in_split_block, common_tail, contains_plausible_instr_seq, data_region, incremental_linking, incremental_linking_candidate, inferred_main_in_reg, is_padding, main_function, may_fallthrough, misaligned_fde_start, moved_immediate_candidate, moved_label_candidate, moved_label_class, movw_movt_pair, must_fallthrough, negative_block_heuristic, nop_in_padding_candidate, padding, padding_block_candidate, padding_prefix, padding_prefix_end, pc_load_call, pc_relative_operand, plt_entry, plt_entry_arm_candidate, plt_entry_candidate, refined_block_last_instruction, reg_def_use.flow_def, relative_address_start, split_load, stack_def_use.live_var_used_in_block, transition_block_limit, value_reg_edge

pc_relative_operand(EA:address, Index:operand_index, Dest:address)

EA has a PC-relative operand at Index, which is computed and stored in Dest. NOTE: Currently, we define pc_relative_operand only for X64.

• Uses: instruction, instruction_displacement_offset, instruction_get_op, instruction_has_relocation, next, op_indirect_mapped, relocation, symbol

• Used by: alignment_candidate, arch.pc_relative_addr, arch.simple_data_load, bad_symbol_constant, base_relative_symbolic_operand, block_limit, boundary_sym_expr, false_positive, inferred_special_symbol, jump_table_element_access, moved_displacement_candidate, moved_label_class, moved_pc_relative_candidate, pc_relative_call, pc_relative_jump, possible_target_from, reg_has_base_image, simple_data_access_pattern, symbol_minus_symbol, symbolic_expr_from_relocation, symbolic_operand_attribute, symbolic_operand_candidate, symbolic_operand_point, take_address, tls_desc_call, tls_get_addr, tls_global_dynamic

split_load_operand(src:address, index:operand_index, dest:address)

• Used by: moved_displacement_candidate, moved_label_class, symbolic_operand_candidate

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

instruction_has_loop_prefix(EA:address)

• Uses: arch.loop_prefix, instruction

• Used by: block_limit, block_needs_merging, direct_jump, likely_fallthrough, must_fallthrough, symbolic_operand_candidate

instruction_has_relocation(EA:address, Rel:address)

Instruction at address “EA” has a relocation for address “Relocation”.

• Uses: binary_type, instruction, instruction_displacement_offset, instruction_immediate_offset, relocation

• Used by: data_block_candidate, direct_call, direct_jump, known_block, pc_relative_operand, simple_data_access_pattern, symbol_minus_symbol_candidate, symbolic_operand_attribute, value_reg

unconditional_jump(n:address)

• Uses: arch.conditional, arch.jump

• Used by: cfg_edge_to_top, incremental_linking_candidate, inter_procedural_edge, may_fallthrough, npad, plt_block

conditional_jump(src:address)

• Uses: arch.conditional, arch.jump

• Used by: cfg_edge_to_top, contains_plausible_instr_seq, last_value_reg_limit, likely_fallthrough, must_fallthrough, negative_block_heuristic

direct_jump(src:address, dest:address)

This predicate represents a direct jump from address src to destination dest. It captures only direct jump whose destination is known. E.g. a direct jump that depends on a relocation will not produce a direct_jump term.

• Uses: arch.jump, arch.jump_operation_op_index, binary_format, defined_symbol, instruction, instruction_get_op, instruction_has_loop_prefix, instruction_has_relocation, instruction_immediate_offset, op_immediate, op_regdirect_contains_reg, relocation, relocation_active_symbol_table

• Used by: arch.delay_slot, arm_jump_table_data_block_limit, block_candidate_dependency_edge, block_heuristic, block_next, cfg_edge, cmp_defines, direct_or_pcrel_jump, false_positive, function_inference.function_entry, incremental_linking_candidate, inter_procedural_edge, invalid, negative_block_heuristic, npad, possible_target_from, reg_def_use.flow_def, resolved_reaches, segment_target_range, symbolic_operand_attribute, symbolic_operand_candidate, value_reg_limit

impossible_jump_target(EA:address)

• Uses: arch.it_conditional, code_in_block

• Used by: data_object_candidate

pc_relative_jump(Src:address, DataPointer:address)

This predicate represents a indirect jump

from address ‘Src’ to a destination contained in the data pointer located at address ‘DataPointer’. The location of the pointer can be easily inferred because it only depends on the program counter.

• Uses: arch.jump, pc_relative_operand

• Used by: direct_or_pcrel_jump, incomplete_block, invalid, plt_block, plt_entry, possible_target_from

reg_jump(Src:address, Reg:register)

The instruction at address ‘Src’ has a jump using register ‘Reg’. The destination of the jump will be the value of the register.

• Uses: arch.jump, arch.jump_operation_op_index, instruction, instruction_get_op, op_regdirect_contains_reg

• Used by: arm_jump_table_candidate_start, base_relative_jump, cfg_edge_to_top, incomplete_block, jump_table_prelude, jump_table_start, missed_jump_table, plt_entry, reg_used_for, resolved_transfer, resolved_transfer_to_symbol, value_reg_address_before

indirect_jump(Src:address)

The instruction at address ‘Src’ has an indirect jump. I.e. a jump that reads its destination from memory.

• Uses: arch.jump, arch.jump_operation_op_index, instruction, instruction_get_op, op_indirect

• Used by: cfg_edge_to_top, data_access_pattern_candidate_refined, incomplete_block, jump_table, moved_label_candidate, moved_label_class, plt_entry, relative_address_start, resolved_transfer, resolved_transfer_to_symbol, symbolic_operand_candidate

direct_call(EA:address, Dest:address)

This predicate represents a direct call from address ‘EA’ to destination Dest. It captures only direct calls whose destination is known. E.g. a direct call that depends on a relocation will not produce a direct_call term.

• Uses: arch.call, binary_format, defined_symbol, instruction, instruction_get_op, instruction_has_relocation, instruction_immediate_offset, op_immediate, relocation, relocation_active_symbol_table

• Used by: arch.delay_slot, arch.pc_relative_addr, basic_reg_def_use.def, block_candidate_dependency_edge, block_heuristic, call_tls_get_addr, cfg_edge, data_block_candidate, false_positive, function_inference.function_entry_initial, get_pc_thunk, invalid, main_function, negative_block_heuristic, no_return_block, no_return_call, no_return_call_propagated, no_return_call_refined, pc_load_call, possible_target_from, reg_def_use.def, reg_def_use.return_block_end, reg_def_use.return_val_used, resolved_reaches, symbolic_operand_attribute, symbolic_operand_candidate

pc_relative_call(Src:address, DataPointer:address)

This predicate represents a indirect call

from address ‘Src’ to a destination contained in the data pointer located at address ‘DataPointer’. The location of the pointer can be easily inferred because it only depends on the program counter.

• Uses: arch.call, pc_relative_operand

• Used by: invalid, possible_target_from

reg_call(Src:address, Reg:register)

The instruction at address ‘Src’ has a call using register ‘Reg’. The destination of the call will be the value of the register.

• Uses: arch.call, instruction_get_op, op_regdirect_contains_reg

• Used by: cfg_edge_to_top, jump_table_prelude, jump_table_start, missed_jump_table, reg_used_for, relative_address_start, resolved_transfer, resolved_transfer_to_symbol

indirect_call(Src:address)

The instruction at address ‘Src’ has an indirect call. I.e. a call that reads its destination from memory.

• Uses: arch.call, arch.return, instruction_get_op, op_indirect

• Used by: cfg_edge_to_top, data_access_pattern_candidate_refined, resolved_transfer, resolved_transfer_to_symbol, symbolic_operand_attribute, symbolic_operand_candidate

pc_load_call(Src:address, Dest:address)

Identify edge case direct calls that are used to load the program counter and not as control-flow (e.g. call-to-pop sequences).

• Uses: direct_call, instruction, next

• Used by: arch.pc_relative_addr, cfg_edge, function_inference.function_entry_initial, inter_procedural_edge, no_return_call_propagated

halt(EA:address)

• Uses: arch.halt_operation, instruction

• Used by: may_fallthrough

alignment_from_address(EA:address, AlignInBits:unsigned)

Find alignment depending on EA

WARNING: Predicate not present in compiled Datalog program (Dead Code)

alignment_candidate(EA:address, AlignInBits:unsigned)

Auxiliary predicate that builds initial alignments from alignment_required: the max alignment is picked for an EA later.

• Uses: arch.alignment_required, code_in_block, composite_data_access, data_segment, function_inference.function_entry, pc_relative_operand

• Used by: alignment

alignment(EA:address, AlignInBits:unsigned)

Information about alignment in bits for a given address

• Uses: alignment_candidate, arch.float_reg, instruction, instruction_get_dest_op, litpool_ref, op_regdirect_contains_reg

op_indirect_contains_reg(Op:operand_code, Reg:register)

• Uses: op_indirect, reg_map

• Used by: arch.register_access_override, basic_reg_def_use.used_explicit, inferred_main_function, inferred_main_in_reg, reg_def_use.used_explicit, reg_used_for

op_indirect_mapped(Op:operand_code, Reg1:reg_nullable, Reg2:reg_nullable, Reg3:reg_nullable, Mult:number, Offset:number, Size:unsigned)

• Uses: op_indirect, reg_map_nullable

• Used by: arch.memory_access, arch.memory_access_aggregated, arch.reg_arithmetic_operation, arch.reg_reg_arithmetic_operation, arch.store_immediate, arm_jump_table_candidate_start, compare_and_jump_indirect_op_valid, data_access, get_pc_thunk, got_relative_operand, invalid, litpool_symbolic_operand, moved_label_candidate, moved_label_class, pc_relative_operand, plt_entry, plt_entry_arm_candidate, relative_address_start, split_load, stack_def_use.used, symbol_minus_symbol_candidate, tls_relative_operand

op_regdirect_contains_reg(Op:operand_code, Reg:register)

• Uses: op_regdirect, op_register_bitfield, reg_map

• Used by: __agg_subclause6, alignment, arch.adr_dest, arch.extend_reg, arch.memory_access, arch.move_reg_imm, arch.move_reg_reg, arch.op_access_override, arch.pc_relative_addr, arch.reg_arithmetic_operation, arch.reg_imm_bitwise_binary_op, arch.reg_reg_arithmetic_operation, arch.reg_reg_bitwise_binary_op, arch.register_access_override, arch.return, basic_reg_def_use.used_explicit, basic_target, branch_to_calculated_pc_rel_addr, cmp_reg_to_reg, compare_and_jump_immediate, contains_implausible_instr_seq, direct_jump, get_pc_thunk, hi_load, inferred_main_in_reg, invalid, is_xor_reset, litpool_confidence, litpool_symbolic_operand, moved_pc_relative_candidate, movw_movt, negative_block_heuristic, op_immediate_and_reg, plt_bx_pc, plt_entry, plt_entry_arm_candidate, plt_entry_candidate, reg_call, reg_def_use.used_explicit, reg_jump, resolved_transfer, split_load, symbolic_operand_point, value_reg, value_reg_edge

op_immediate_and_reg(EA:address, Operation:symbol, Reg:register, Imm_index:operand_index, Immediate:number)

• Uses: instruction, instruction_get_op, op_immediate, op_regdirect_contains_reg

• Used by: cmp_immediate_to_reg, got_relative_operand, low_pass_filter, symbol_minus_symbol, symbolic_expr, symbolic_operand_attribute, symbolic_operand_point

cmp_immediate_to_reg(EA:address, Reg:register, Imm_index:operand_index, Immediate:number)

• Uses: arch.cmp_operation, arch.jump, arch.jump_operation_op_index, op_immediate_and_reg

• Used by: arm_jump_table_cmp_limit, boundary_sym_expr, compare_and_jump_immediate, def_register_is_not_base_address, moved_immediate_candidate, moved_label_class, reg_def_use.flow_def, symbolic_operand_point

symbol_set(ea:address, size:unsigned, type:symbol, scope:symbol, visibility:symbol, sectionIndex:unsigned, name:symbol)

• Uses: symbol

• Used by: ambiguous_symbol

ambiguous_symbol(name:symbol)

• Uses: symbol_set

• Used by: symbol_score

function_symbol(ea:address, name:symbol)

• Uses: symbol

• Used by: block_heuristic, block_needs_merging, function_inference.function_entry_initial, inferred_main_dispatch, inferred_special_symbol, known_block, main_function, moved_data_label, moved_label_candidate, moved_label_class, negative_block_heuristic, start_function, symbolic_operand_candidate

defined_symbol(ea:address, size:unsigned, type:symbol, scope:symbol, visibility:symbol, sectionIndex:unsigned, originTable:symbol, tableIndex:unsigned, name:symbol)

• Uses: symbol

• Used by: arm_jump_table_candidate, arm_sym, basic_target, block_heuristic, block_needs_merging, data_block_candidate, data_sym, direct_call, direct_jump, ifunc_symbol_score, impossible_block, invalid, known_block, labeled_ea, moved_immediate_candidate, moved_label_candidate, moved_label_class, no_return_call, pointer_to_external_symbol, resolved_transfer, symbol_score, thumb_sym, value_reg

relocation_active_symbol_table(Name:symbol)

The name of symbol table to use when looking up symbols from relocations

Although it’d be better to check what symbol table is referenced by the relocation section’s sh_link attribute, LIEF (as of 0.13.0) does not expose this metadata in the LIEF::ELF::Relocation object. LIEF actually uses a similar strategy to this, using dynsym if it exists, and otherwise symtab - rather than using the sh_link metadata.

This strategy will fail for binaries built with –emit-relocs, since they can have relocations referencing both symbol tables.

• Uses: binary_format, binary_type

• Used by: direct_call, direct_jump

loaded_section(Beg:address, End:address, Name:symbol)

• Uses: section, section_property

• Used by: +disconnected1, __agg_subclause, __agg_subclause0, __agg_subclause4, __agg_subclause5, abi_intrinsic, addr_outside_section_used_for_memory_access, bad_symbol_constant, basic_target, block_heuristic, block_needs_merging, boundary_sym_expr, bss_data, cfg_edge, data_block_candidate, data_in_code, data_object_point, data_region, data_segment, dest_enlarged_data_section, false_negative, false_positive, first_block_in_byte_interval, function_inference.function_entry, function_inference.function_entry_initial, got_reference, got_reference_pointer, incremental_linking_candidate, inferred_special_symbol, initialized_data_segment, merged_data_region, moved_displacement_candidate, moved_label_class, moved_pc_relative_candidate, plt_block, plt_entry, plt_entry_arm_candidate, plt_entry_candidate, possible_rva_operand, reg_has_got, relative_jump_table_entry_candidate, symbol_minus_symbol, symbolic_data, symbolic_expr_attribute, symbolic_operand_attribute, symbolic_operand_point

data_section(name:symbol)

• Uses: binary_format, elf_section_type, section_property, section_type

• Used by: data_segment, non_zero_data_section, regular_data_section, tls_section

exception_section(name:symbol)

• Used by: data_object_point, moved_pc_relative_candidate, special_data_section, symbolic_operand_point

special_data_section(name:symbol)

• Uses: exception_section

• Used by: boundary_sym_expr, data_object_point, regular_data_section

regular_data_section(name:symbol)

• Uses: data_section, special_data_section

• Used by: addr_outside_section_used_for_memory_access, dest_enlarged_data_section, false_negative, false_positive, moved_displacement_candidate, moved_label_class, moved_pc_relative_candidate

code_section(name:symbol)

• Uses: section, section_property

• Used by: basic_target, block_heuristic, data_block_candidate, data_in_code, first_block_in_byte_interval, incremental_linking_candidate

tls_section(name:symbol)

• Uses: data_section, section_property

• Used by: __agg_subclause, __agg_subclause0, __agg_subclause1

bss_section(name:symbol)

• Uses: binary_format, section_property

• Used by: __agg_subclause4, __agg_subclause5, bss_data, bss_section_limits, inferred_special_symbol, non_zero_data_section

non_zero_data_section(name:symbol)

• Uses: bss_section, data_section

• Used by: initialized_data_segment

bss_section_limits(Begin:address, End:address)

• Uses: __agg_single7, __agg_single8, bss_section

• Used by: base_addr_offset_operand, moved_displacement_candidate, moved_label_class

initialized_data_segment(Begin:address, End:address)

• Uses: loaded_section, non_zero_data_section

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

data_segment(Begin:address, End:address)

• Uses: base_address, binary_format, data_section, loaded_section

• Used by: address_array_aux, address_in_data_refined, alignment_candidate, base_addr_offset_operand, data_access_limit, data_access_pattern_candidate, data_limit, data_limit_after_access, discarded_jump_table_entry, labeled_data_candidate, next_data_access, next_data_limit, relative_jump_table_entry, string_candidate, symbol_minus_symbol, symbolic_operand_attribute, symbolic_operand_candidate, synchronous_access_barrier

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

plt_block(block:address, function:symbol)

The basic block ‘Block’ implements a PLT thunk that refers to function ‘Function’.

• Uses: binary_format, loaded_section, pc_relative_jump, pe_import_entry, plt_bx_pc, plt_section, unconditional_jump

• Used by: cfg_edge, main_function, symbolic_operand_attribute

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

got_reference(Got_entry:address, Symbol:symbol)

• Uses: dynamic_entry, loaded_section, pe_import_entry, relocation, symbol, tls_descriptor, tls_index, tls_segment

• Used by: missing_relocation_handling

• Recursive: symbol_score, discarded_jump_table_entry, symbolic_data, split_block, +disconnected3, data_limit, data_object_conflict, discarded_data_object, moved_pc_relative_candidate, inferred_special_symbol, symbol_minus_symbol_from_relocation, best_symexpr_symbol, preferred_data_access, symbolic_expr, data_limit_after_access, symbolic_expr_attribute, next_address_in_data, symbolic_operand, symbol_minus_symbol, code_in_split_block, inferred_main_function, resolved_transfer, base_relative_symbolic_operand, label_conflict, relative_jump_table_entry, data_access_limit, function_inference.function_entry, +disconnected6, string_candidate_refined, +disconnected2, moved_label_candidate, moved_label, moved_displacement_candidate, symbolic_operand_point, data_object_candidate, data_object, value_reg_address_before, block_needs_merging, data_object_total_points, data_object_point, symbol_minus_symbol_candidate, address_array_aux, symbolic_operand_attribute, main_function, address_array, labeled_ea, best_func_symbol, next_data_limit, moved_data_label, labeled_data_candidate, boundary_sym_expr, +disconnected1, refined_block, jump_table, block_needs_splitting_at, got_reference, code_in_refined_block, symbolic_expr_symbol_minus_symbol, code_pointer_in_data, string_candidate, after_address_in_data

main_function(ea:address)

• Uses: binary_format, code_in_block, direct_call, function_symbol, next, plt_block

• Recursive: symbol_score, discarded_jump_table_entry, symbolic_data, split_block, +disconnected3, data_limit, data_object_conflict, discarded_data_object, moved_pc_relative_candidate, inferred_special_symbol, symbol_minus_symbol_from_relocation, best_symexpr_symbol, preferred_data_access, symbolic_expr, data_limit_after_access, symbolic_expr_attribute, next_address_in_data, symbolic_operand, symbol_minus_symbol, code_in_split_block, inferred_main_function, resolved_transfer, base_relative_symbolic_operand, label_conflict, relative_jump_table_entry, data_access_limit, function_inference.function_entry, +disconnected6, string_candidate_refined, +disconnected2, moved_label_candidate, moved_label, moved_displacement_candidate, symbolic_operand_point, data_object_candidate, data_object, value_reg_address_before, block_needs_merging, data_object_total_points, data_object_point, symbol_minus_symbol_candidate, address_array_aux, symbolic_operand_attribute, main_function, address_array, labeled_ea, best_func_symbol, next_data_limit, moved_data_label, labeled_data_candidate, boundary_sym_expr, +disconnected1, refined_block, jump_table, block_needs_splitting_at, got_reference, code_in_refined_block, symbolic_expr_symbol_minus_symbol, code_pointer_in_data, string_candidate, after_address_in_data

conditional_return(EA:address)

• Uses: arch.conditional, arch.return

• Used by: cfg_edge, cfg_edge_to_top, contains_plausible_instr_seq, must_fallthrough, negative_block_heuristic

unconditional_return(EA:address)

• Uses: arch.conditional, arch.return

• Used by: cfg_edge, cfg_edge_to_top, may_fallthrough

no_return_call(EA:address)

Detects non-returning calls before even must/may fallthrough relations.

Calculated even before code inference.

• Uses: defined_symbol, direct_call, instruction_immediate_offset, no_return_function, relocation, symbol

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

function_pointer_section(Name:symbol)

• Uses: binary_format, elf_pointer_array_section_type, elf_section_type, section_type

• Used by: function_inference.function_entry, known_block

no_return_function(Name:symbol)

• Uses: binary_format

• Used by: no_return_call, no_return_call_refined

is_padding(EA:address)

• Uses: arch.is_nop, binary_format, instruction, next, npad

• Used by: data_object_point, padding, relative_jump_table_entry

• Recursive: arm_jump_table_block_instruction, stack_def_use.live_var_at_prior_used, possible_target_from, data_access, stack_def_use.ref_in_block, code_in_block_candidate, candidate_block_is_padding, relocation_adjustment, data_in_code, cmp_reg_to_reg, __agg_single3, jump_table_candidate_refined, invalid, inferred_main_in_reg, base_relative_operand, relative_address, wis_has_prior, compare_and_jump_indirect_op_valid, litpool_confidence, block_boundaries, resolved_reaches, indexed_pc_relative_load_relative, unresolved_block, split_load_for_symbolization, base_relative_jump, last_value_reg_limit, instruction_memory_access_size, plt_block, straight_line_last_def, __agg_subclause2, symbol_minus_symbol_litpool_access_pattern, jump_table_element_access, block_points, const_value_reg_used, reg_reg_arithmetic_operation_defs, stack_def_use.live_var_def, stack_def_use.live_var_used_in_block, composite_data_access, jump_table_target, value_reg_limit, block_candidate_dependency_edge, tls_get_addr, indefinite_litpool_ref, reg_def_use.used_in_block, simple_data_access_pattern, arch.simple_data_load, split_load, value_reg, stack_def_use.live_var_at_block_end, block_limit, arm_jump_table_data_block, value_reg_unsupported, stack_def_use.last_def_in_block, overlapping_instruction, next_start, block, wis_memo, next_type, cinf_ldr_add_pc, possible_target, relative_jump_table_entry_candidate, arm_jump_table_data_block_limit, reg_def_use.last_def_in_block, __agg_subclause6, stack_def_use.live_var_used, def_used_for_address, known_block, contains_plausible_instr_seq, reg_def_use.live_var_at_block_end, arch.reg_relative_load, split_load_point, candidate_block_is_not_padding, split_load_candidate, split_load_conflict, incomplete_block, wis_schedule_iter, reg_def_use.defined_in_block, __agg_subclause3, reg_def_use.ref_in_block, contains_implausible_instr_seq, base_relative_operation, negative_block_heuristic, no_return_call, reg_def_use.used, block_total_points, reg_def_use.block_last_def, discarded_block, reg_has_base_image, no_return_call_propagated, block_points_proportional, nop_in_padding_candidate, reg_def_use.live_var_used, block_heuristic, litpool_ref, after_end, reg_def_use.flow_def, transition_block_limit, unresolved_interval_order, cmp_defines, block_last_instruction, block_overlap, jump_table_max, arch.extend_load, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, impossible_block, hi_load_prop, block_candidate_boundaries, is_padding, may_fallthrough, gp_relative_operand, segment_target_range, arm_jump_table_candidate_start, discarded_split_load, arm_jump_table_cmp_limit, first_block_in_byte_interval, arm_jump_table_candidate, jump_table_signed, stack_def_use.used_in_block, no_value_reg_limit, tls_desc_call, reg_used_for, branch_to_calculated_pc_rel_addr, __agg_single2, init_symbol_minus_symbol_candidate_arm, data_block_candidate, start_function, basic_target, reg_def_use.return_val_used, padding_block_limit, straight_line_def_used, data_block_limit, reg_def_use.ambiguous_block_last_def, wis_prior, stack_def_use.def_used, split_load_operand, init_ldr_add_pc, got_relative_operand, next_block_in_byte_interval, data_in_code_propagate, no_return_call_refined, call_tls_get_addr, inferred_main_dispatch, reg_def_use.def_used, must_fallthrough, block_next, value_reg_edge, unlikely_have_symbolic_immediate, adjusts_stack_in_block, self_contained_segment, block_implies_block, __agg_subclause7, __agg_single6, stack_def_use.defined_in_block, relocation_adjustment_total, compare_and_jump_indirect, flags_and_jump_pair, jump_table_candidate, function_inference.function_entry_initial, invalid_jump_table_candidate, reg_def_use.return_block_end, plt_entry, jump_table_start, reg_has_got, code_in_block_candidate_refined, code_in_block, no_return_block, unresolved_interval, litpool_symbolic_operand, split_load_total_points, unresolved_block_overlap, symbolic_expr_from_relocation, compare_and_jump_register, indexed_pc_relative_load, reg_def_use.live_var_def, arm_jump_table_block_start, overlap_with_litpool, compare_and_jump_immediate, initialized_data_segment, litpool_boundaries, padding_block_candidate, relative_address_start, stack_def_use.block_last_def, jump_table_prelude, correlated_live_reg, inter_procedural_edge, likely_fallthrough, adrp_used, next_end, common_tail, wis_schedule, stack_base_reg_move, reg_def_use.live_var_at_prior_used, data_segment, block_instruction_next

printable_char(N:unsigned)

The set of printable ASCII characters.

WARNING: Predicate not present in compiled Datalog program (Dead Code)

align_addr(AddrAligned:address, AddrOrig:address)

Align address in 4-byte boundary

WARNING: Predicate not present in compiled Datalog program (Dead Code)

abi_intrinsic(EA:address, Name:symbol)

• Uses: +disconnected0, +disconnected1, dynamic_entry, inferred_special_symbol, loaded_section, symbol