symbolization

This module performs symbolization. It uses the results of several analysis:

-use_def -value -data_access

Part of symbolization is pointer reattribution, that is detecting cases where a number is the result of a symbol+constant. This is done in an independent module ‘pointer_reattribution’ which also uses the results of these analyses.

The data symbolization itself uses the following heuristics:

address_array: whether we have potential symbols evenly spaced. The more symbols the less likely they are all value collisions. We require at least 3 symbols evenly spaced to consider it an array.

preferred_data_access and data_access_patterns (from the data_access analysis): - if an address is accessed with the size of the pointer, it is more likely to be a pointer. - if an address is accessed with a size other than the size of the pointers, it is almost

certainly not a pointer.

strings: if we have a pointer candidate in what seems to be a string, it is less likely to be a pointer.

aligned location: if a pointer candidate is aligned, it is more likely to be a pointer. Compilers usually (but not always) store pointers aligned.

This module also computes and symbol_minus_symbol.

symbolic_operand(EA:address, Index:operand_index, Value:address, Type:symbol)

Instruction at address ‘EA’ has a symbolic operand with value ‘Value’. ‘Value’ is given as an address. The field ‘Index’ identifies which operand is symbolic and ‘Type’ specifies if the target is “data” or “code”. This predicate only supports symbolic expressions with one symbol and no offset. For symbolic operands with offset see moved_label.

Uses: symbolic_operand_candidate

Used by: bad_symbol_constant, false_negative_symexpr, false_positive_symexpr, mips_attribute_target_to_mid_function, moved_label_class

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbolic_data(EA:address, Size:unsigned, Value:address)

There is a symbolic expression in the data at address ‘EA’ of size ‘Size’ pointing to ‘Value’. ‘Value’ is given as an address. This predicate only supports symbolic expressions with one symbol and no offset. For symbolic expressions in data with offset see moved_data_label and for symbol-symbol expressions see symbol_minus_symbol.

Uses: address_in_data_refined, cie_encoding, cie_personality, dwarf_encoding_size, fde_entry, fde_pointer_locations, litpool_symbolic_operand, loaded_section, lsda, lsda_type_entry, option, relocation, symbol

Used by: data_object_boundary, false_negative_symexpr, false_positive_symexpr, moved_label_class

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbol_minus_symbol(EA:address, Size:unsigned, Symbol1:address, Symbol2:address, Scale:unsigned, Offset:number)

There is a symbolic expression in data at address ‘EA’ of size ‘Size’ of the form:

’(Symbol2-Symbol1)*Scale+Offset’

Both symbols are given as addresses.

Uses: base_address, base_relative_operand, cie_encoding, cie_entry, code_in_block, data_segment, fde_entry, fde_instruction, fde_instruction_ref, fde_pointer_locations, got_reference_pointer, instruction, instruction_displacement_offset, instruction_get_op, instruction_immediate_offset, invalid, last_fde, litpool_symbolic_operand, loaded_section, lsda_symbol_minus_symbol, op_immediate_and_reg, op_indirect, option, pc_relative_operand, reg_def_use.def_used, reg_has_got, relocation, seh_handler_entry, split_load, symbol, tls_index, tls_segment

Used by: data_object_boundary, false_negative_symexpr, false_positive_symexpr, moved_label_class

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbolic_expr_from_relocation(EA:address, Size:unsigned, Symbol:symbol, Offset:number, TargetEA:address)

There is a symbolic expression at address ‘EA’ of size ‘Size’ of the form:

Symbol+Offset

This symbolic expression corresponds to a relocation and the symbol

is referenced by name.

Uses: arch.memory_access, base_address, binary_format, binary_type, elf_relocation_size, instruction_displacement_offset, instruction_get_op, instruction_immediate_offset, lo_reloc_index, op_immediate, op_indirect, pc_relative_operand, reg_def_use.def, reloc_type_nameless, reloc_type_with_name, relocation, relocation_size, section, symbol, tls_operand_attribute, tls_segment

Used by: data_object_boundary, labeled_ea, resolved_transfer, symbolic_expr, symbolic_expr_symbol_minus_symbol, symbolic_operand_attribute

Recursive: block_candidate_boundaries, jump_table_start, candidate_block_is_not_padding, reg_def_use.used_in_block, tls_get_addr, block, inter_procedural_edge, next_end, arch.extend_load, value_reg_unsupported, block_implies_block, last_value_reg_limit, init_symbol_minus_symbol_candidate_arm, block_points_proportional, wis_memo, indefinite_litpool_ref, cmp_defines, arm_jump_table_data_block, reg_def_use.return_block_end, data_access, __agg_subclause6, resolved_reaches, split_load_candidate, possible_target, arm_jump_table_block_instruction, incomplete_block, __agg_subclause7, must_fallthrough, indexed_pc_relative_load, stack_def_use.live_var_at_block_end, overlapping_instruction, gp_relative_operand, invalid, arm_jump_table_data_block_limit, arm_jump_table_cmp_limit, inferred_main_in_reg, reg_def_use.flow_def, arm_jump_table_block_start, wis_schedule, invalid_jump_table_candidate, straight_line_def_used, next_start, wis_has_prior, known_block, jump_table_target, flags_and_jump_pair, block_limit, block_candidate_dependency_edge, jump_table_candidate, split_load_for_symbolization, reg_def_use.def_used, block_next, no_return_call_refined, reg_reg_arithmetic_operation_defs, block_last_instruction, next_block_in_byte_interval, reg_def_use.ambiguous_last_def_in_block, arm_jump_table_skip_first_entry, straight_line_last_def, compare_and_jump_indirect, litpool_ref, relocation_adjustment_total, __agg_subclause3, data_in_code, may_fallthrough, reg_used_for, adrp_used, impossible_block, start_function, wis_prior, reg_def_use.defined_in_block, def_used_for_address, contains_implausible_instr_seq, reg_def_use.block_last_def, reg_def_use.last_def_in_block, stack_def_use.live_var_at_prior_used, data_block_limit, compare_and_jump_indirect_op_valid, simple_data_access_pattern, stack_def_use.live_var_def, tls_relative_operand_mips, segment_target_range, unresolved_block_overlap, __agg_single3, split_load_conflict, nop_in_padding_candidate, plt_block, code_in_block_candidate_refined, data_in_code_propagate, stack_def_use.live_var_used_in_block, block_total_points, reg_has_base_image, arm_jump_table_candidate, initialized_data_segment, possible_target_from, padding_block_limit, after_end, arm_jump_table_candidate_start, code_in_block, stack_base_reg_move, compare_and_jump_immediate, adjusts_stack_in_block, reg_def_use.ref_in_block, overlap_with_litpool, relocation_adjustment, split_load_total_points, reg_def_use.ambiguous_block_last_def, composite_data_access, litpool_boundaries, jump_table_candidate_refined, const_value_reg_used, relative_address_start, inferred_main_dispatch, call_tls_get_addr_mips, no_return_block, value_reg_edge, candidate_block_is_padding, __agg_single2, no_return_call, __agg_subclause4, compare_and_jump_register, jump_table_signed, reg_def_use.live_var_def, block_heuristic, no_return_call_propagated, arch.reg_relative_load, base_relative_operand, got_relative_operand, block_points, call_tls_get_addr, block_boundaries, split_load_point, is_padding, block_overlap, function_inference.function_entry_initial, next_type, common_tail, padding_block_candidate, stack_def_use.last_def_in_block, litpool_symbolic_operand, data_segment, stack_def_use.block_last_def, instruction_memory_access_size, litpool_confidence, init_ldr_add_pc, plt_entry, hi_load_prop, stack_def_use.defined_in_block, basic_target, __agg_subclause2, symbolic_expr_from_relocation, unlikely_have_symbolic_immediate, unresolved_interval, unresolved_interval_order, split_load, symbol_minus_symbol_litpool_access_pattern, negative_block_heuristic, jump_table_element_access, first_block_in_byte_interval, self_contained_segment, cinf_ldr_add_pc, jump_table_prelude, wis_schedule_iter, transition_block_limit, tls_desc_call, jump_table_max, correlated_live_reg, branch_to_calculated_pc_rel_addr, __agg_single10, no_value_reg_limit, data_block_candidate, __agg_single6, block_instruction_next, split_load_operand, stack_def_use.live_var_used, base_relative_operation, discarded_block, contains_plausible_instr_seq, code_in_block_candidate, reg_def_use.return_val_used, arch.simple_data_load, value_reg, stack_def_use.used_in_block, indexed_pc_relative_load_relative, stack_def_use.def_used, relative_address, cmp_reg_to_reg, discarded_split_load, reg_has_got, reg_def_use.live_var_at_prior_used, value_reg_limit, local_dynamic_tls_candidate, stack_def_use.ref_in_block, reg_def_use.live_var_used, relative_jump_table_entry_candidate, reg_def_use.used, likely_fallthrough, unresolved_block, base_relative_jump, reg_def_use.live_var_at_block_end

symbol_minus_symbol_from_relocation(EA:address, Size:unsigned, Symbol1:symbol, Symbol2:symbol, Scale:unsigned, Offset:number)

There is a symbolic expression at address ‘EA’ of size ‘Size’ of the form:

(Symbol2-Symbol1)*Scale+Offset

This symbolic expression corresponds to a relocation and the symbol is referenced by name.

Uses: binary_type, relocation, symbol_minus_symbol_litpool_access_pattern

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbolic_expr(EA:address, Size:unsigned, Symbol:symbol, Offset:number)

There is a symbolic expression at address ‘EA’ of size ‘Size’ of the form:

’Symbol+Offset’

In contrast to symbolic_operand and symbolic_data, the symbol in this predicate is referred by name. This allows us to include symbolic expressions from relocations and to choose between multiple symbols at the same location. This predicate captures all symbolic expressions from symbolic_operand, moved_label, symbolic_data, moved_data_label, and symbolic_expr_from_relocation.

Uses: got_reference_mips_global, got_reference_pointer, gp_relative_operand, instruction_displacement_offset, instruction_immediate_offset, op_immediate_and_reg, reg_has_got, relocation, symbolic_expr_from_relocation

Used by: missing_relocation_handling, pointer_to_external_symbol

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbolic_expr_symbol_minus_symbol(EA:address, Size:unsigned, Symbol:symbol, Symbol2:symbol, Scale:unsigned, Offset:number)

There is a symbolic expression at address ‘EA’ of size ‘Size’ of the form:: ’(Symbol2-Symbol1)*Scale+Offset’

The symbols in this predicate are referred by name.

Uses: symbolic_expr_from_relocation

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbolic_operand_attribute(EA:address, Index:unsigned, Attribute:symbol)

The symbolic operand at address ‘EA’ and ‘Index’ has a symbolic expression attribute ‘Attribute’. Note that some attributes may be inferred but not used, if the corresponding symbolic_operand is not selected.

Uses: __agg_subclause6, __agg_subclause8, arch.reg_arithmetic_operation, base_addr_offset_operand, binary_format, binary_type, bss_section_limits, code_in_block, compare_and_jump_register, const_value_reg_used, data_segment, def_used_for_address, defined_symbol, direct_call, direct_jump, elf_relocation_size, got_reference_mips_global, got_reference_pointer, got_relative_operand, gp_relative_operand, indirect_call, instruction_displacement_offset, instruction_has_relocation, instruction_immediate_offset, litpool_ref, lo_reloc_index, loaded_section, local_dynamic_tls_candidate, local_exec_tls_candidate, mips_page_base_in_got, movw_movt_pair, op_immediate_and_reg, pc_relative_operand, plt_block, reg_def_use.def_used, reg_has_got, relocation, split_load, split_load_candidate, split_load_for_symbolization, split_loadstore, symbol, symbolic_expr_from_relocation, symbolic_operand_candidate, symbolic_operand_mips_candidate, tls_descriptor, tls_global_dynamic, tls_index, tls_local_dynamic, tls_operand_attribute, tls_relative_operand, tls_segment

Used by: mips_attribute_target_to_mid_function

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

symbolic_expr_attribute(ea:address, attribute:symbol)

The symbolic expression at address ‘EA’ has a symbolic expression attribute ‘Attribute’.

Uses: binary_type, instruction_displacement_offset, instruction_immediate_offset, litpool_symbolic_operand, loaded_section, relocation, symbol

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

code_pointer_in_data(EA:address, Val:address)

There is a symbolic expression in data at address ‘EA’ pointing to a code block at address ‘Val’.

Uses: block

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

labeled_ea(Ea:address)

The address ‘Ea’ needs to be labeled so it can be referred in symbolic expressions.

Uses: cie_personality, data_sym, defined_symbol, fde_entry, symbolic_expr_from_relocation, thumb_sym

Used by: bss_data, data_object_boundary

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

data_object_boundary(EA:address)

bss_data(ea:address)

symbolic_operand_candidate(ea:address, operand_index:operand_index, Dest:address, Type:symbol)

symbolic_operand_point(ea:address, operand_index:operand_index, points:number, why:symbol)

symbolic_operand_total_points(ea:address, operand_index:operand_index, points:number)

labeled_data_candidate(EA:address)

symbol_minus_symbol_candidate(EA:address, Size:unsigned, Symbol1:address, Symbol2:address, Scale:unsigned, Offset:number)

A candidate for a symbol-symbol in data (includes jump tables and other relative symbols)

Uses: cinf_symbol_minus_symbol_candidate_arm, code_in_block, instruction_displacement_offset, instruction_get_op, instruction_has_relocation, op_indirect_mapped

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

address_in_data_is_printable(EA:address)

The address appearing at ‘EA’ is within a potential ascii_string and therefore more likely to be spurious.

Uses: address_in_data, ascii_string

Used by: data_object_point

address_in_data_overlaps_string(EA:address, EAString:address)

The address appearing at ‘EA’ overlaps with a potential ascii_string and therefore more likely to be spurious.

Uses: address_in_data, ascii_string

Used by: data_object_point

address_in_data_refined(EA:address, Val:address)

string(EA:address, End:address, Encoding:symbol)

Data-object analysis for string encodings.

Possible string of some ‘Encoding’ at interval [‘EA’,’End’).

Uses: data_object, string_candidate_refined

Used by: data_object_boundary

string_candidate(EA:address, End:address, Encoding:symbol)

string_candidate_refined(EA:address, End:address, Encoding:symbol)

subsequent_string_candidate(EA:address, Next:address)

String at EA is followed by another string at Next.

Uses: padding_block_limit

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

data_object_candidate(ea:address, size:unsigned, type:symbol)

data_object_point(ea:address, size:unsigned, type:symbol, points:number, why:symbol)

data_object_conflict(ea:address, size:unsigned, type:symbol, ea2:address, size2:unsigned, type2:symbol)

discarded_data_object(ea:address, size:unsigned, type:symbol)

data_object(ea:address, size:unsigned, type:symbol)

after_address_in_data(EA:address, EA_next:address)

next_address_in_data(EA:address, EA_next:address)

address_array_aux(EA:address, Distance:unsigned, type:symbol, InitialEA:address)

Auxiliary predicate to compute address_array.

Uses: address_in_data_refined, binary_format, code_in_block, data_segment

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

address_array(EA:address, Distance:unsigned, InitialEA:address)

This predicate is used for the symbolization heuristics. The pointer candidate at address ‘EA’ belongs to a sequence of evenly spaced pointer candidates starting at address ‘InitialEA’. The space between pointers is ‘Distance’. This sequence has at least three pointers. All the pointers in a sequence either point to code or to the same data_segment.

Recursive: symbolic_expr, best_symexpr_symbol, symbol_minus_symbol_from_relocation, inferred_symbol_mips, labeled_ea, moved_label_candidate, jump_table, code_in_refined_block, symbol_score, moved_label, +disconnected4, best_func_symbol, symbolic_data, data_limit, string_candidate_refined, +disconnected6, label_conflict, data_object_point, resolved_transfer, split_block, value_reg_address_before, string_candidate, discarded_jump_table_entry, symbol_minus_symbol_candidate, discarded_data_object, code_in_split_block, symbolic_operand_point, block_needs_splitting_at, next_data_limit, got_reference, preferred_data_access, address_array_aux, moved_pc_relative_candidate, data_object_conflict, symbolic_operand_attribute, symbolic_expr_attribute, moved_data_label, block_needs_merging, main_function, labeled_data_candidate, +disconnected1, inferred_special_symbol, relative_jump_table_entry, data_access_limit, data_object_candidate, symbolic_expr_symbol_minus_symbol, next_address_in_data, code_pointer_in_data, inferred_main_function, +disconnected2, refined_block, boundary_sym_expr, function_inference.function_entry, inferred_symbol, symbolic_operand, data_object, subsequent_string_candidate, symbol_minus_symbol, data_object_total_points, data_limit_after_access, address_array, after_address_in_data, moved_displacement_candidate

label_conflict(EA:address, Size:unsigned, Kind:symbol)

data_object_total_points(EA:address, Size:unsigned, Type:symbol, Points:number)