
Inlining of `objc_msgSend` calls can cause unrelated comments to appear in the decompilation

Open WeiN76LQh opened this issue 1 year ago • 0 comments

Version and Platform (required):

  • Binary Ninja Version: 4.1.5902 (f2165c5d) and 4.2.6228-dev (312c3c99)
  • OS: macOS
  • OS Version: 15.0
  • CPU Architecture: M1

Bug Description: Functions that inline objc_msgSend calls with the instructions from the objc_msgSend function will display comments, in the caller function's decompilation, that exist anywhere in the address range from the objc_msgSend call site to the objc_msgSend function that is inlined. This is often a very large address range. See the screenshots below for a visual example.

Steps To Reproduce:

  1. Add a comment somewhere between a function that calls objc_msgSend and the objc_msgSend function.
  2. Go back to the calling function and observe that the comment appears in the disassembly above the objc_msgSend call.

Expected Behavior: Comments outside the address range of the caller's function block, or of the inlined objc_msgSend function, should not appear in the decompilation for the caller's function block. This can create situations where many lines of comments fill up lots of functions, making those functions pretty hard to navigate/read.

Screenshots/Video Recording: The following is a screenshot of a function that inlines an objc_msgSend call, which is the final expression, a jump. Due to the location of that jump target being at a substantially higher address than the code in the rest of the function, the comment at 0x1823f1922 is added to the function decompilation even though it has nothing to do with it. (Screenshot: SCR-20241018-qw6)

Here is the comment at its intended location. (Screenshot: SCR-20241018-qx0)

And here is the objc_msgSend stub that's being inlined. (Screenshot: SCR-20241018-qyr)

Screenshots were taken from Binary Ninja 4.2.6201-dev (301b815d).

Binary: Any library from the DYLD Shared Cache can be used. The issue occurs in cases where the conditions are met. In the screenshots above, an extracted copy of the library /System/Library/Frameworks/Foundation.framework/Foundation from the DSC from an IPSW for an iPhone 16 Pro Max (iPhone17,2) with iOS 18.0 (22A3354) was used.

WeiN76LQh · Oct 18 '24 19:10
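One way to triage this report (and to confirm a fix) is to enumerate, for a given function, the comments whose address falls between the caller's code and the inlined callee's code without belonging to either. The script below is an added example written for this page; it is not part of the issue or of the Binary Ninja code base. The `stray_comments` logic is plain Python and runs offline on constructed address ranges; the `audit_function` wrapper assumes the Binary Ninja scripting API names `Function.address_ranges`, `Function.comments`, `Function.callees` and `BinaryView.address_comments`, so treat it as an assumption about the API rather than confirmed usage.

```python
"""Find comments a decompiled function would pull in from unrelated code.

Added example for the issue above (not the reporter's or Binary Ninja's
code).  The pure-Python part runs offline on constructed data; the
Binary Ninja wrapper at the bottom is an assumption about the scripting
API (Function.address_ranges, Function.comments, Function.callees,
BinaryView.address_comments).
"""

from typing import Dict, Iterable, Tuple

AddrRange = Tuple[int, int]  # half-open [start, end)


def covered(addr: int, ranges: Iterable[AddrRange]) -> bool:
    """True when addr lies inside at least one half-open range."""
    return any(start <= addr < end for start, end in ranges)


def stray_comments(caller_ranges: Iterable[AddrRange],
                   callee_ranges: Iterable[AddrRange],
                   comments: Dict[int, str]) -> Dict[int, str]:
    """Return the comments that sit inside the overall span the decompiler
    sees (lowest caller/callee start up to the highest end) but are not
    covered by any caller or callee range.  Per the report, these are the
    comments that should *not* be rendered in the caller's decompilation."""
    ranges = list(caller_ranges) + list(callee_ranges)
    if not ranges:
        return {}
    lo = min(start for start, _ in ranges)
    hi = max(end for _, end in ranges)
    return {
        addr: text
        for addr, text in sorted(comments.items())
        if lo <= addr < hi and not covered(addr, ranges)
    }


def demo() -> Dict[int, str]:
    """Constructed layout: a small caller, a far-away objc_msgSend-style
    stub, and comments at three positions.  Only the middle one is stray."""
    caller = [(0x1000, 0x1040)]
    stub = [(0x9000, 0x9010)]
    comments = {
        0x1010: "inside the caller: legitimately shown",
        0x5000: "unrelated function's note: between call site and stub",
        0xA000: "beyond the stub: outside the span entirely",
    }
    return stray_comments(caller, stub, comments)


def audit_function(func, bv) -> Dict[int, str]:
    """Binary Ninja wrapper (assumed API).  Treats every callee as a
    potentially inlined target and gathers both address-level comments and
    the function-level comments of every other function in the view."""
    caller_ranges = [(r.start, r.end) for r in func.address_ranges]
    callee_ranges = [(r.start, r.end)
                     for callee in func.callees
                     for r in callee.address_ranges]
    comments = dict(bv.address_comments)
    for other in bv.functions:
        if other.start != func.start:
            comments.update(other.comments)
    return stray_comments(caller_ranges, callee_ranges, comments)


if __name__ == "__main__":
    for addr, text in demo().items():
        print(f"stray comment at {addr:#x}: {text}")
```

Inside the Binary Ninja scripting console, `audit_function(current_function, bv)` (both names are the console's built-in variables) lists the candidate comments for the function being viewed; an empty result on a function known to inline an objc_msgSend stub, with a comment placed between the two as in the reproduction steps, indicates the rendering no longer picks up unrelated comments.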