relative_jump_tables

take_address(Src:address, Address_taken:address)

This module deals exclusively with detecting jump tables with relative addresses.

Uses: instruction, pc_relative_operand

Used by: jump_table_element_access, relative_address_start

relative_address(EA:address, Size:unsigned, TableStart:address, Reference:address, Dest:address, DestIsFirstOrSecond:symbol)

relative_address_start(EA:address, Size:unsigned, Reference:address, Dest:address, DestIsFirstOrSecond:symbol)

jump_table_element_access(EA:address, Size:unsigned, TableStart:address, RegIndex:register)

jump_table_signed(TableStart:address, Signed:unsigned)

Find sign extensions of the jump table element.

Uses: arch.extend_reg, arch.register_size_bytes, instruction_get_dest_op, instruction_get_src_op, op_regdirect, reg_map

Used by: relative_jump_table_entry

Recursive: __agg_subclause3, jump_table_candidate_refined, unresolved_interval, self_contained_segment, unresolved_interval_order, symbolic_expr_from_relocation, no_return_call_refined, adrp_used, compare_and_jump_indirect, block_overlap, adjusts_stack_in_block, contains_plausible_instr_seq, wis_has_prior, branch_to_calculated_pc_rel_addr, split_load_operand, jump_table_element_access, base_relative_operand, reg_def_use.live_var_def, compare_and_jump_indirect_op_valid, split_load_for_symbolization, base_relative_operation, symbol_minus_symbol_litpool_access_pattern, invalid_jump_table_candidate, data_block_candidate, padding_block_candidate, arch.simple_data_load, reg_def_use.live_var_used, reg_def_use.flow_def, split_load, reg_def_use.last_def_in_block, arm_jump_table_block_start, stack_def_use.ref_in_block, __agg_single10, compare_and_jump_register, block_boundaries, value_reg_edge, jump_table_target, jump_table_candidate, reg_def_use.ambiguous_last_def_in_block, overlap_with_litpool, relative_jump_table_entry_candidate, jump_table_max, stack_def_use.live_var_at_block_end, base_relative_jump, data_segment, inter_procedural_edge, wis_schedule_iter, __agg_subclause2, code_in_block, reg_def_use.used, __agg_single6, relocation_adjustment, reg_def_use.used_in_block, may_fallthrough, gp_relative_operand, stack_def_use.live_var_used, arm_jump_table_block_instruction, plt_block, litpool_boundaries, unresolved_block_overlap, resolved_reaches, data_access, reg_used_for, init_ldr_add_pc, padding_block_limit, known_block, unlikely_have_symbolic_immediate, next_function_entry_initial, segment_target_range, start_function, arm_jump_table_skip_first_entry, stack_def_use.live_var_used_in_block, indefinite_litpool_ref, __agg_subclause6, relative_address, jump_table_prelude, relocation_adjustment_total, inferred_main_dispatch, const_value_reg_used, initialized_data_segment, stack_def_use.live_var_def, last_value_reg_limit, next_start, data_in_code_propagate, no_return_block, tls_relative_operand_mips, indexed_pc_relative_load, litpool_confidence, fallthrough_over_padding, data_in_code, first_block_in_byte_interval, reg_def_use.ref_in_block, arm_jump_table_candidate, call_tls_get_addr, __agg_single2, block_instruction_next, stack_def_use.def_used, __agg_single3, block_points, next_end, data_block_limit, split_load_point, negative_block_heuristic, block_last_instruction, init_symbol_minus_symbol_candidate_arm, block_candidate_dependency_edge, stack_def_use.used_in_block, value_reg, split_load_candidate, stack_base_reg_move, arm_jump_table_data_block, discarded_split_load, reg_def_use.live_var_at_prior_used, reg_reg_arithmetic_operation_defs, next_block_in_byte_interval, hi_load_prop, jump_table_signed, inferred_main_in_reg, basic_target, initial_function_containing_return, transition_block_limit, possible_target_from, code_in_block_candidate, impossible_block, call_target_has_other_fallthrough_inter, reg_def_use.live_var_at_block_end, got_relative_operand, unresolved_block, value_reg_limit, litpool_symbolic_operand, tls_desc_call, common_tail, is_padding, block_candidate_boundaries, wis_prior, block_next, call_tls_get_addr_mips, stack_def_use.defined_in_block, plt_entry, nop_in_padding_candidate, block_implies_block, code_in_block_candidate_refined, tls_get_addr, compare_and_jump_immediate, block_total_points, straight_line_def_used, arch.reg_relative_load, split_load_conflict, straight_line_last_def, candidate_block_is_not_padding, stack_def_use.block_last_def, discarded_block, reg_def_use.ambiguous_block_last_def, def_used_for_address, must_fallthrough, reg_def_use.def_used, simple_data_access_pattern, possible_target, composite_data_access, reg_def_use.block_last_def, stack_def_use.last_def_in_block, reg_def_use.defined_in_block, split_load_total_points, litpool_ref, local_dynamic_tls_candidate, overlapping_instruction, candidate_block_is_padding, block_heuristic, invalid, reg_def_use.return_block_end, wis_memo, reg_has_got, cinf_ldr_add_pc, __agg_subclause4, call_may_fallthrough_inter, block_limit, no_value_reg_limit, no_return_call, relative_address_start, jump_table_start, value_reg_unsupported, correlated_live_reg, arm_jump_table_candidate_start, no_return_call_propagated, flags_and_jump_pair, instruction_memory_access_size, cmp_reg_to_reg, incomplete_block, likely_fallthrough, reg_has_base_image, arm_jump_table_cmp_limit, block, arm_jump_table_data_block_limit, function_inference.function_entry_initial, reg_def_use.return_val_used, contains_implausible_instr_seq, __agg_subclause7, next_type, block_points_proportional, cmp_defines, indexed_pc_relative_load_relative, wis_schedule, stack_def_use.live_var_at_prior_used, arch.extend_load, after_end

jump_table_max(TableStart:address, TableEnd:address)

The end of a jump table as identified by a boundary value of the index register.

Used by: relative_jump_table_entry

Recursive: __agg_subclause3, jump_table_candidate_refined, unresolved_interval, self_contained_segment, unresolved_interval_order, symbolic_expr_from_relocation, no_return_call_refined, adrp_used, compare_and_jump_indirect, block_overlap, adjusts_stack_in_block, contains_plausible_instr_seq, wis_has_prior, branch_to_calculated_pc_rel_addr, split_load_operand, jump_table_element_access, base_relative_operand, reg_def_use.live_var_def, compare_and_jump_indirect_op_valid, split_load_for_symbolization, base_relative_operation, symbol_minus_symbol_litpool_access_pattern, invalid_jump_table_candidate, data_block_candidate, padding_block_candidate, arch.simple_data_load, reg_def_use.live_var_used, reg_def_use.flow_def, split_load, reg_def_use.last_def_in_block, arm_jump_table_block_start, stack_def_use.ref_in_block, __agg_single10, compare_and_jump_register, block_boundaries, value_reg_edge, jump_table_target, jump_table_candidate, reg_def_use.ambiguous_last_def_in_block, overlap_with_litpool, relative_jump_table_entry_candidate, jump_table_max, stack_def_use.live_var_at_block_end, base_relative_jump, data_segment, inter_procedural_edge, wis_schedule_iter, __agg_subclause2, code_in_block, reg_def_use.used, __agg_single6, relocation_adjustment, reg_def_use.used_in_block, may_fallthrough, gp_relative_operand, stack_def_use.live_var_used, arm_jump_table_block_instruction, plt_block, litpool_boundaries, unresolved_block_overlap, resolved_reaches, data_access, reg_used_for, init_ldr_add_pc, padding_block_limit, known_block, unlikely_have_symbolic_immediate, next_function_entry_initial, segment_target_range, start_function, arm_jump_table_skip_first_entry, stack_def_use.live_var_used_in_block, indefinite_litpool_ref, __agg_subclause6, relative_address, jump_table_prelude, relocation_adjustment_total, inferred_main_dispatch, const_value_reg_used, initialized_data_segment, stack_def_use.live_var_def, last_value_reg_limit, next_start, data_in_code_propagate, no_return_block, tls_relative_operand_mips, indexed_pc_relative_load, litpool_confidence, fallthrough_over_padding, data_in_code, first_block_in_byte_interval, reg_def_use.ref_in_block, arm_jump_table_candidate, call_tls_get_addr, __agg_single2, block_instruction_next, stack_def_use.def_used, __agg_single3, block_points, next_end, data_block_limit, split_load_point, negative_block_heuristic, block_last_instruction, init_symbol_minus_symbol_candidate_arm, block_candidate_dependency_edge, stack_def_use.used_in_block, value_reg, split_load_candidate, stack_base_reg_move, arm_jump_table_data_block, discarded_split_load, reg_def_use.live_var_at_prior_used, reg_reg_arithmetic_operation_defs, next_block_in_byte_interval, hi_load_prop, jump_table_signed, inferred_main_in_reg, basic_target, initial_function_containing_return, transition_block_limit, possible_target_from, code_in_block_candidate, impossible_block, call_target_has_other_fallthrough_inter, reg_def_use.live_var_at_block_end, got_relative_operand, unresolved_block, value_reg_limit, litpool_symbolic_operand, tls_desc_call, common_tail, is_padding, block_candidate_boundaries, wis_prior, block_next, call_tls_get_addr_mips, stack_def_use.defined_in_block, plt_entry, nop_in_padding_candidate, block_implies_block, code_in_block_candidate_refined, tls_get_addr, compare_and_jump_immediate, block_total_points, straight_line_def_used, arch.reg_relative_load, split_load_conflict, straight_line_last_def, candidate_block_is_not_padding, stack_def_use.block_last_def, discarded_block, reg_def_use.ambiguous_block_last_def, def_used_for_address, must_fallthrough, reg_def_use.def_used, simple_data_access_pattern, possible_target, composite_data_access, reg_def_use.block_last_def, stack_def_use.last_def_in_block, reg_def_use.defined_in_block, split_load_total_points, litpool_ref, local_dynamic_tls_candidate, overlapping_instruction, candidate_block_is_padding, block_heuristic, invalid, reg_def_use.return_block_end, wis_memo, reg_has_got, cinf_ldr_add_pc, __agg_subclause4, call_may_fallthrough_inter, block_limit, no_value_reg_limit, no_return_call, relative_address_start, jump_table_start, value_reg_unsupported, correlated_live_reg, arm_jump_table_candidate_start, no_return_call_propagated, flags_and_jump_pair, instruction_memory_access_size, cmp_reg_to_reg, incomplete_block, likely_fallthrough, reg_has_base_image, arm_jump_table_cmp_limit, block, arm_jump_table_data_block_limit, function_inference.function_entry_initial, reg_def_use.return_val_used, contains_implausible_instr_seq, __agg_subclause7, next_type, block_points_proportional, cmp_defines, indexed_pc_relative_load_relative, wis_schedule, stack_def_use.live_var_at_prior_used, arch.extend_load, after_end

jump_table_start(EA_jump:address, Size:unsigned, TableStart:address, TableRef:address, Scale:number)

A jump table begins at TableStart.

Uses: arch.reg_reg_arithmetic_operation, base_address, got_reference_pointer, instruction, reg_call, reg_jump

Used by: data_object_point, discarded_jump_table_entry, missed_jump_table, resolved_transfer, value_reg_address_before

Recursive: __agg_subclause3, jump_table_candidate_refined, unresolved_interval, self_contained_segment, unresolved_interval_order, symbolic_expr_from_relocation, no_return_call_refined, adrp_used, compare_and_jump_indirect, block_overlap, adjusts_stack_in_block, contains_plausible_instr_seq, wis_has_prior, branch_to_calculated_pc_rel_addr, split_load_operand, jump_table_element_access, base_relative_operand, reg_def_use.live_var_def, compare_and_jump_indirect_op_valid, split_load_for_symbolization, base_relative_operation, symbol_minus_symbol_litpool_access_pattern, invalid_jump_table_candidate, data_block_candidate, padding_block_candidate, arch.simple_data_load, reg_def_use.live_var_used, reg_def_use.flow_def, split_load, reg_def_use.last_def_in_block, arm_jump_table_block_start, stack_def_use.ref_in_block, __agg_single10, compare_and_jump_register, block_boundaries, value_reg_edge, jump_table_target, jump_table_candidate, reg_def_use.ambiguous_last_def_in_block, overlap_with_litpool, relative_jump_table_entry_candidate, jump_table_max, stack_def_use.live_var_at_block_end, base_relative_jump, data_segment, inter_procedural_edge, wis_schedule_iter, __agg_subclause2, code_in_block, reg_def_use.used, __agg_single6, relocation_adjustment, reg_def_use.used_in_block, may_fallthrough, gp_relative_operand, stack_def_use.live_var_used, arm_jump_table_block_instruction, plt_block, litpool_boundaries, unresolved_block_overlap, resolved_reaches, data_access, reg_used_for, init_ldr_add_pc, padding_block_limit, known_block, unlikely_have_symbolic_immediate, next_function_entry_initial, segment_target_range, start_function, arm_jump_table_skip_first_entry, stack_def_use.live_var_used_in_block, indefinite_litpool_ref, __agg_subclause6, relative_address, jump_table_prelude, relocation_adjustment_total, inferred_main_dispatch, const_value_reg_used, initialized_data_segment, stack_def_use.live_var_def, last_value_reg_limit, next_start, data_in_code_propagate, no_return_block, tls_relative_operand_mips, indexed_pc_relative_load, litpool_confidence, fallthrough_over_padding, data_in_code, first_block_in_byte_interval, reg_def_use.ref_in_block, arm_jump_table_candidate, call_tls_get_addr, __agg_single2, block_instruction_next, stack_def_use.def_used, __agg_single3, block_points, next_end, data_block_limit, split_load_point, negative_block_heuristic, block_last_instruction, init_symbol_minus_symbol_candidate_arm, block_candidate_dependency_edge, stack_def_use.used_in_block, value_reg, split_load_candidate, stack_base_reg_move, arm_jump_table_data_block, discarded_split_load, reg_def_use.live_var_at_prior_used, reg_reg_arithmetic_operation_defs, next_block_in_byte_interval, hi_load_prop, jump_table_signed, inferred_main_in_reg, basic_target, initial_function_containing_return, transition_block_limit, possible_target_from, code_in_block_candidate, impossible_block, call_target_has_other_fallthrough_inter, reg_def_use.live_var_at_block_end, got_relative_operand, unresolved_block, value_reg_limit, litpool_symbolic_operand, tls_desc_call, common_tail, is_padding, block_candidate_boundaries, wis_prior, block_next, call_tls_get_addr_mips, stack_def_use.defined_in_block, plt_entry, nop_in_padding_candidate, block_implies_block, code_in_block_candidate_refined, tls_get_addr, compare_and_jump_immediate, block_total_points, straight_line_def_used, arch.reg_relative_load, split_load_conflict, straight_line_last_def, candidate_block_is_not_padding, stack_def_use.block_last_def, discarded_block, reg_def_use.ambiguous_block_last_def, def_used_for_address, must_fallthrough, reg_def_use.def_used, simple_data_access_pattern, possible_target, composite_data_access, reg_def_use.block_last_def, stack_def_use.last_def_in_block, reg_def_use.defined_in_block, split_load_total_points, litpool_ref, local_dynamic_tls_candidate, overlapping_instruction, candidate_block_is_padding, block_heuristic, invalid, reg_def_use.return_block_end, wis_memo, reg_has_got, cinf_ldr_add_pc, __agg_subclause4, call_may_fallthrough_inter, block_limit, no_value_reg_limit, no_return_call, relative_address_start, jump_table_start, value_reg_unsupported, correlated_live_reg, arm_jump_table_candidate_start, no_return_call_propagated, flags_and_jump_pair, instruction_memory_access_size, cmp_reg_to_reg, incomplete_block, likely_fallthrough, reg_has_base_image, arm_jump_table_cmp_limit, block, arm_jump_table_data_block_limit, function_inference.function_entry_initial, reg_def_use.return_val_used, contains_implausible_instr_seq, __agg_subclause7, next_type, block_points_proportional, cmp_defines, indexed_pc_relative_load_relative, wis_schedule, stack_def_use.live_var_at_prior_used, arch.extend_load, after_end

relative_jump_table_entry_target(EA:address, TableStart:address, Size:unsigned, Reference:address, Dest:address, Scale:number)

Calculate the target for a relative jump table entry.

WARNING: Predicate not present in compiled Datalog program (Dead Code)

relative_jump_table_entry_candidate(EA:address, TableStart:address, Size:unsigned, Reference:address, Dest:address, Scale:number, Offset:number)

An entry in a relative jump table of the form (Dest-Reference)/Scale

These are generated during value analysis, and referenced by value analysis, so cannot negate any results of value analysis.

Some of these are discarded to form relative_jump_table_entry, which is used by symbolization.

Uses: loaded_section, symbol

Used by: discarded_jump_table_entry, relative_jump_table_entry

Recursive: __agg_subclause3, jump_table_candidate_refined, unresolved_interval, self_contained_segment, unresolved_interval_order, symbolic_expr_from_relocation, no_return_call_refined, adrp_used, compare_and_jump_indirect, block_overlap, adjusts_stack_in_block, contains_plausible_instr_seq, wis_has_prior, branch_to_calculated_pc_rel_addr, split_load_operand, jump_table_element_access, base_relative_operand, reg_def_use.live_var_def, compare_and_jump_indirect_op_valid, split_load_for_symbolization, base_relative_operation, symbol_minus_symbol_litpool_access_pattern, invalid_jump_table_candidate, data_block_candidate, padding_block_candidate, arch.simple_data_load, reg_def_use.live_var_used, reg_def_use.flow_def, split_load, reg_def_use.last_def_in_block, arm_jump_table_block_start, stack_def_use.ref_in_block, __agg_single10, compare_and_jump_register, block_boundaries, value_reg_edge, jump_table_target, jump_table_candidate, reg_def_use.ambiguous_last_def_in_block, overlap_with_litpool, relative_jump_table_entry_candidate, jump_table_max, stack_def_use.live_var_at_block_end, base_relative_jump, data_segment, inter_procedural_edge, wis_schedule_iter, __agg_subclause2, code_in_block, reg_def_use.used, __agg_single6, relocation_adjustment, reg_def_use.used_in_block, may_fallthrough, gp_relative_operand, stack_def_use.live_var_used, arm_jump_table_block_instruction, plt_block, litpool_boundaries, unresolved_block_overlap, resolved_reaches, data_access, reg_used_for, init_ldr_add_pc, padding_block_limit, known_block, unlikely_have_symbolic_immediate, next_function_entry_initial, segment_target_range, start_function, arm_jump_table_skip_first_entry, stack_def_use.live_var_used_in_block, indefinite_litpool_ref, __agg_subclause6, relative_address, jump_table_prelude, relocation_adjustment_total, inferred_main_dispatch, const_value_reg_used, initialized_data_segment, stack_def_use.live_var_def, last_value_reg_limit, next_start, data_in_code_propagate, no_return_block, tls_relative_operand_mips, indexed_pc_relative_load, litpool_confidence, fallthrough_over_padding, data_in_code, first_block_in_byte_interval, reg_def_use.ref_in_block, arm_jump_table_candidate, call_tls_get_addr, __agg_single2, block_instruction_next, stack_def_use.def_used, __agg_single3, block_points, next_end, data_block_limit, split_load_point, negative_block_heuristic, block_last_instruction, init_symbol_minus_symbol_candidate_arm, block_candidate_dependency_edge, stack_def_use.used_in_block, value_reg, split_load_candidate, stack_base_reg_move, arm_jump_table_data_block, discarded_split_load, reg_def_use.live_var_at_prior_used, reg_reg_arithmetic_operation_defs, next_block_in_byte_interval, hi_load_prop, jump_table_signed, inferred_main_in_reg, basic_target, initial_function_containing_return, transition_block_limit, possible_target_from, code_in_block_candidate, impossible_block, call_target_has_other_fallthrough_inter, reg_def_use.live_var_at_block_end, got_relative_operand, unresolved_block, value_reg_limit, litpool_symbolic_operand, tls_desc_call, common_tail, is_padding, block_candidate_boundaries, wis_prior, block_next, call_tls_get_addr_mips, stack_def_use.defined_in_block, plt_entry, nop_in_padding_candidate, block_implies_block, code_in_block_candidate_refined, tls_get_addr, compare_and_jump_immediate, block_total_points, straight_line_def_used, arch.reg_relative_load, split_load_conflict, straight_line_last_def, candidate_block_is_not_padding, stack_def_use.block_last_def, discarded_block, reg_def_use.ambiguous_block_last_def, def_used_for_address, must_fallthrough, reg_def_use.def_used, simple_data_access_pattern, possible_target, composite_data_access, reg_def_use.block_last_def, stack_def_use.last_def_in_block, reg_def_use.defined_in_block, split_load_total_points, litpool_ref, local_dynamic_tls_candidate, overlapping_instruction, candidate_block_is_padding, block_heuristic, invalid, reg_def_use.return_block_end, wis_memo, reg_has_got, cinf_ldr_add_pc, __agg_subclause4, call_may_fallthrough_inter, block_limit, no_value_reg_limit, no_return_call, relative_address_start, jump_table_start, value_reg_unsupported, correlated_live_reg, arm_jump_table_candidate_start, no_return_call_propagated, flags_and_jump_pair, instruction_memory_access_size, cmp_reg_to_reg, incomplete_block, likely_fallthrough, reg_has_base_image, arm_jump_table_cmp_limit, block, arm_jump_table_data_block_limit, function_inference.function_entry_initial, reg_def_use.return_val_used, contains_implausible_instr_seq, __agg_subclause7, next_type, block_points_proportional, cmp_defines, indexed_pc_relative_load_relative, wis_schedule, stack_def_use.live_var_at_prior_used, arch.extend_load, after_end

discarded_jump_table_entry(TableStart:address, TableRef:address, EA:address)

relative_jump_table_entry(EA:address, TableStart:address, Size:unsigned, Reference:address, Dest:address, Scale:number, Offset:number)

An entry in a relative jump table of the form (Dest-Reference)/Scale.

These are generated after data access analysis, and used for symbolization and final CFG generation. This allows using the final results of value analysis to resolve overlapping jump tables.

Uses: after_end, code_in_block, data_segment, is_padding, jump_table_max, jump_table_signed, relative_jump_table_entry_candidate, symbol

Recursive: block_needs_splitting_at, code_in_split_block, address_array, resolved_transfer, moved_label, symbol_score, data_limit, best_symexpr_symbol, moved_data_label, moved_label_candidate, inferred_main_function, data_object_total_points, inferred_special_symbol, jump_table, data_object_conflict, next_address_in_data, refined_block, symbolic_operand_point, got_reference, moved_displacement_candidate, symbolic_expr_symbol_minus_symbol, code_in_refined_block, moved_pc_relative_candidate, next_data_limit, main_function, preferred_data_access, symbolic_data, symbol_minus_symbol_from_relocation, inferred_symbol_mips, discarded_jump_table_entry, string_candidate_refined, value_reg_address_before, discarded_data_object, split_block, relative_jump_table_entry, label_conflict, +disconnected1, after_address_in_data, data_object_point, data_access_limit, subsequent_string_candidate, symbolic_operand_attribute, data_object, data_object_candidate, code_pointer_in_data, symbolic_expr_attribute, block_needs_merging, symbol_minus_symbol_candidate, +disconnected4, symbol_minus_symbol, labeled_ea, inferred_symbol, best_func_symbol, address_array_aux, function_inference.function_entry, labeled_data_candidate, data_limit_after_access, symbolic_operand, +disconnected6, boundary_sym_expr, +disconnected2, symbolic_expr, string_candidate