Add "pass by reference" instruction to mark parameters that are passed by reference according to calling convention

Author: D0ntPanic

binaryninjaapi.h

@@ -15752,6 +15752,7 @@ namespace BinaryNinja {
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId AddressOf(const Variable& var, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId AddressOfField(const Variable& var, uint64_t offset, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId PassByRef(size_t size, ExprId src, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Const(size_t size, uint64_t val, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId ConstPointer(size_t size, uint64_t val, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId ExternPointer(
@@ -16147,6 +16148,7 @@ namespace BinaryNinja {
 		ExprId DerefFieldSSA(size_t size, ExprId src, size_t srcMemVersion, uint64_t offset, size_t memberIndex,
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId AddressOf(ExprId src, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId PassByRef(size_t size, ExprId src, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Const(size_t size, uint64_t val, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId ConstPointer(size_t size, uint64_t val, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId ExternPointer(

binaryninjacore.h

@@ -1362,6 +1362,7 @@ extern "C"
 		MLIL_VAR_SPLIT,      // Not valid in SSA form (see MLIL_VAR_SPLIT_SSA)
 		MLIL_ADDRESS_OF,
 		MLIL_ADDRESS_OF_FIELD,
+		MLIL_PASS_BY_REF,
 		MLIL_CONST,
 		MLIL_CONST_DATA,
 		MLIL_CONST_PTR,
@@ -1564,6 +1565,7 @@ extern "C"
 		HLIL_DEREF,
 		HLIL_DEREF_FIELD,
 		HLIL_ADDRESS_OF,
+		HLIL_PASS_BY_REF,
 		HLIL_CONST,
 		HLIL_CONST_DATA,
 		HLIL_CONST_PTR,

highlevelilinstruction.cpp

@@ -159,6 +159,7 @@ static constexpr std::array s_instructionOperandUsage = {
 	OperandUsage{HLIL_DEREF, {SourceExprHighLevelOperandUsage}},
 	OperandUsage{HLIL_DEREF_FIELD, {SourceExprHighLevelOperandUsage, OffsetHighLevelOperandUsage, MemberIndexHighLevelOperandUsage}},
 	OperandUsage{HLIL_ADDRESS_OF, {SourceExprHighLevelOperandUsage}},
+	OperandUsage{HLIL_PASS_BY_REF, {SourceExprHighLevelOperandUsage}},
 	OperandUsage{HLIL_CONST, {ConstantHighLevelOperandUsage}},
 	OperandUsage{HLIL_CONST_DATA, {ConstantDataHighLevelOperandUsage}},
 	OperandUsage{HLIL_CONST_PTR, {ConstantHighLevelOperandUsage}},
@@ -1265,6 +1266,7 @@ void HighLevelILInstruction::CollectSubExprs(stack<size_t>& toProcess) const
 	case HLIL_FLOOR:
 	case HLIL_CEIL:
 	case HLIL_FTRUNC:
+	case HLIL_PASS_BY_REF:
 		toProcess.push(AsOneOperand().GetSourceExpr().exprIndex);
 		break;
 	case HLIL_ADD:
@@ -1571,6 +1573,7 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_FLOOR:
 	case HLIL_CEIL:
 	case HLIL_FTRUNC:
+	case HLIL_PASS_BY_REF:
 		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()));
 	case HLIL_ADD:
 	case HLIL_SUB:
@@ -2129,6 +2132,7 @@ bool HighLevelILInstruction::operator<(const HighLevelILInstruction& other) cons
 	case HLIL_FLOOR:
 	case HLIL_CEIL:
 	case HLIL_FTRUNC:
+	case HLIL_PASS_BY_REF:
 		if (size < other.size)
 			return true;
 		if (size > other.size)
@@ -2841,6 +2845,12 @@ ExprId HighLevelILFunction::AddressOf(ExprId src, const ILSourceLocation& loc)
 }
 
 
+ExprId HighLevelILFunction::PassByRef(size_t size, ExprId src, const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(HLIL_PASS_BY_REF, loc, size, src);
+}
+
+
 ExprId HighLevelILFunction::Const(size_t size, uint64_t val, const ILSourceLocation& loc)
 {
 	return AddExprWithLocation(HLIL_CONST, loc, size, val);

highlevelilinstruction.h

@@ -1497,6 +1497,9 @@ namespace BinaryNinja
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_FTRUNC> : public HighLevelILOneOperandInstruction
 	{};
+	template <>
+	struct HighLevelILInstructionAccessor<HLIL_PASS_BY_REF> : public HighLevelILOneOperandInstruction
+	{};
 
 #undef _STD_VECTOR
 #undef _STD_SET

lang/c/pseudoc.cpp

@@ -1816,6 +1816,23 @@ void PseudoCFunction::GetExprTextInternal(const HighLevelILInstruction& instr, H
 		}();
 		break;
 
+	case HLIL_PASS_BY_REF:
+		[&]() {
+			const auto srcExpr = instr.GetSourceExpr<HLIL_PASS_BY_REF>();
+			if (srcExpr.operation == HLIL_ADDRESS_OF)
+			{
+				GetExprTextInternal(srcExpr.GetSourceExpr<HLIL_ADDRESS_OF>(), tokens, settings, precedence);
+			}
+			else
+			{
+				tokens.Append(OperationToken, "*");
+				GetExprTextInternal(srcExpr, tokens, settings, UnaryOperatorPrecedence);
+			}
+			if (statement)
+				tokens.AppendSemicolon();
+		}();
+		break;
+
 	case HLIL_FCMP_E:
 		[&]() {
 			bool parens = precedence > EqualityOperatorPrecedence;

lang/rust/pseudorust.cpp

@@ -1900,6 +1900,15 @@ void PseudoRustFunction::GetExprText(const HighLevelILInstruction& instr, HighLe
 		}();
 		break;
 
+	case HLIL_PASS_BY_REF:
+		[&]() {
+			const auto srcExpr = instr.GetSourceExpr<HLIL_PASS_BY_REF>();
+			GetExprText(srcExpr, tokens, settings, UnaryOperatorPrecedence);
+			if (exprType != InnerExpression)
+				tokens.AppendSemicolon();
+		}();
+		break;
+
 	case HLIL_FCMP_E:
 	case HLIL_CMP_E:
 		[&]() {

mediumlevelilinstruction.cpp

@@ -167,6 +167,7 @@ static constexpr std::array s_instructionOperandUsage = {
 	OperandUsage{MLIL_VAR_SPLIT, {HighVariableMediumLevelOperandUsage, LowVariableMediumLevelOperandUsage}},
 	OperandUsage{MLIL_ADDRESS_OF, {SourceVariableMediumLevelOperandUsage}},
 	OperandUsage{MLIL_ADDRESS_OF_FIELD, {SourceVariableMediumLevelOperandUsage, OffsetMediumLevelOperandUsage}},
+	OperandUsage{MLIL_PASS_BY_REF, {SourceExprMediumLevelOperandUsage}},
 	OperandUsage{MLIL_CONST, {ConstantMediumLevelOperandUsage}},
 	OperandUsage{MLIL_CONST_DATA, {ConstantDataMediumLevelOperandUsage}},
 	OperandUsage{MLIL_CONST_PTR, {ConstantMediumLevelOperandUsage}},
@@ -1487,6 +1488,7 @@ void MediumLevelILInstruction::VisitExprs(bn::base::function_ref<bool(const Medi
 	case MLIL_FLOOR:
 	case MLIL_CEIL:
 	case MLIL_FTRUNC:
+	case MLIL_PASS_BY_REF:
 		AsOneOperand().GetSourceExpr().VisitExprs(func);
 		break;
 	case MLIL_ADD:
@@ -1774,6 +1776,7 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_FLOOR:
 	case MLIL_CEIL:
 	case MLIL_FTRUNC:
+	case MLIL_PASS_BY_REF:
 		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()));
 	case MLIL_ADD:
 	case MLIL_SUB:
@@ -2433,6 +2436,12 @@ ExprId MediumLevelILFunction::AddressOfField(const Variable& var, uint64_t offse
 }
 
 
+ExprId MediumLevelILFunction::PassByRef(size_t size, ExprId src, const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(MLIL_PASS_BY_REF, loc, size, src);
+}
+
+
 ExprId MediumLevelILFunction::Const(size_t size, uint64_t val, const ILSourceLocation& loc)
 {
 	return AddExprWithLocation(MLIL_CONST, loc, size, val);

mediumlevelilinstruction.h

@@ -1804,6 +1804,9 @@ namespace BinaryNinja
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_FTRUNC> : public MediumLevelILOneOperandInstruction
 	{};
+	template <>
+	struct MediumLevelILInstructionAccessor<MLIL_PASS_BY_REF> : public MediumLevelILOneOperandInstruction
+	{};
 
 #undef _STD_VECTOR
 #undef _STD_SET

python/highlevelil.py

@@ -210,7 +210,9 @@ class HighLevelILInstruction(BaseILInstruction):
 	    ], HighLevelILOperation.HLIL_DEREF_FIELD_SSA: [
 	        ("src", "expr"), ("src_memory", "int"), ("offset", "int"),
 	        ("member_index", "member_index")
-	    ], HighLevelILOperation.HLIL_ADDRESS_OF: [("src", "expr")], HighLevelILOperation.HLIL_CONST: [
+	    ], HighLevelILOperation.HLIL_ADDRESS_OF: [("src", "expr")], HighLevelILOperation.HLIL_PASS_BY_REF: [
+	        ("src", "expr")
+	    ], HighLevelILOperation.HLIL_CONST: [
 	        ("constant", "int")
 	    ], HighLevelILOperation.HLIL_CONST_PTR: [("constant", "int")], HighLevelILOperation.HLIL_EXTERN_PTR: [
 	        ("constant", "int"), ("offset", "int")
@@ -1743,6 +1745,11 @@ def vars_address_taken(self) -> VariablesList:
 		return [*self.src.vars_address_taken]
 
 
+@dataclass(frozen=True, repr=False, eq=False)
+class HighLevelILPassByRef(HighLevelILUnaryBase):
+	pass
+
+
 @dataclass(frozen=True, repr=False, eq=False)
 class HighLevelILConst(HighLevelILInstruction, Constant):
 	@property
@@ -2429,6 +2436,7 @@ def src(self) -> 'mediumlevelil.SSAVariable':
     HighLevelILOperation.HLIL_DEREF_FIELD_SSA:
         HighLevelILDerefFieldSsa,  #  ("src", "expr"), ("src_memory", "int"), ("offset", "int"), ("member_index", "member_index"),
     HighLevelILOperation.HLIL_ADDRESS_OF: HighLevelILAddressOf,  #  ("src", "expr"),
+	HighLevelILOperation.HLIL_PASS_BY_REF: HighLevelILPassByRef,  #  ("src", "expr"),
     HighLevelILOperation.HLIL_CONST: HighLevelILConst,  #  ("constant", "int"),
     HighLevelILOperation.HLIL_CONST_PTR: HighLevelILConstPtr,  #  ("constant", "int"),
     HighLevelILOperation.HLIL_EXTERN_PTR: HighLevelILExternPtr,  #  ("constant", "int"), ("offset", "int"),
@@ -3380,6 +3388,18 @@ def address_of(self, src: ExpressionIndex, loc: Optional['ILSourceLocation'] = N
 		"""
 		return self.expr(HighLevelILOperation.HLIL_ADDRESS_OF, src, size=0, source_location=loc)
 
+	def pass_by_ref(self, size: int, src: ExpressionIndex, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
+		"""
+		``pass_by_ref`` indicates that ``value`` is being passed by reference to a call with a pointer size of  ``size``
+
+		:param int size: the size of the pointer in bytes
+		:param ExpressionIndex src: the expression containing the reference being passed
+		:param ILSourceLocation loc: location of returned expression
+		:return: The expression ``ref *src``
+		:rtype: ExpressionIndex
+		"""
+		return self.expr(HighLevelILOperation.HLIL_PASS_BY_REF, src, size, source_location=loc)
+
 	def const(self, size: int, value: int, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
 		"""
 		``const`` returns an expression for the constant integer ``value`` of size ``size``

python/mediumlevelil.py

@@ -218,7 +218,9 @@ class MediumLevelILInstruction(BaseILInstruction):
 	    MediumLevelILOperation.MLIL_VAR: [("src", "var")], MediumLevelILOperation.MLIL_VAR_FIELD: [
 	        ("src", "var"), ("offset", "int")
 	    ], MediumLevelILOperation.MLIL_VAR_SPLIT: [("high", "var"), ("low", "var")],
-	    MediumLevelILOperation.MLIL_ADDRESS_OF: [("src", "var")], MediumLevelILOperation.MLIL_ADDRESS_OF_FIELD: [
+	    MediumLevelILOperation.MLIL_ADDRESS_OF: [("src", "var")], MediumLevelILOperation.MLIL_PASS_BY_REF: [
+	        ("src", "expr")
+	    ], MediumLevelILOperation.MLIL_ADDRESS_OF_FIELD: [
 	        ("src", "var"), ("offset", "int")
 	    ], MediumLevelILOperation.MLIL_CONST: [("constant", "int")], MediumLevelILOperation.MLIL_CONST_PTR: [
 	        ("constant", "int")
@@ -1310,6 +1312,11 @@ def vars_address_taken(self) -> List[variable.Variable]:
 		return [self.src]
 
 
+@dataclass(frozen=True, repr=False, eq=False)
+class MediumLevelILPassByRef(MediumLevelILUnaryBase):
+	pass
+
+
 @dataclass(frozen=True, repr=False, eq=False)
 class MediumLevelILConst(MediumLevelILConstBase):
 	@property
@@ -3118,6 +3125,7 @@ def detailed_operands(self) -> List[Tuple[str, MediumLevelILOperandType, str]]:
     MediumLevelILOperation.MLIL_LOAD: MediumLevelILLoad,  # [("src", "expr")],
     MediumLevelILOperation.MLIL_VAR: MediumLevelILVar,  # [("src", "var")],
     MediumLevelILOperation.MLIL_ADDRESS_OF: MediumLevelILAddressOf,  # [("src", "var")],
+    MediumLevelILOperation.MLIL_PASS_BY_REF: MediumLevelILPassByRef,  # [("src", "expr")],
     MediumLevelILOperation.MLIL_CONST: MediumLevelILConst,  # [("constant", "int")],
     MediumLevelILOperation.MLIL_CONST_PTR: MediumLevelILConstPtr,  # [("constant", "int")],
     MediumLevelILOperation.MLIL_FLOAT_CONST: MediumLevelILFloatConst,  # [("constant", "float")],
@@ -3740,6 +3748,9 @@ def do_copy(
 			if expr.operation == MediumLevelILOperation.MLIL_ADDRESS_OF:
 				expr: MediumLevelILAddressOf
 				return dest.address_of(expr.src, loc)
+			if expr.operation == MediumLevelILOperation.MLIL_PASS_BY_REF:
+				expr: MediumLevelILPassByRef
+				return dest.pass_by_ref(expr.size, expr.src, loc)
 			if expr.operation == MediumLevelILOperation.MLIL_ADDRESS_OF_FIELD:
 				expr: MediumLevelILAddressOfField
 				return dest.address_of_field(expr.src, expr.offset, loc)
@@ -4367,6 +4378,18 @@ def address_of(self, var: 'variable.Variable', loc: Optional['ILSourceLocation']
 		"""
 		return self.expr(MediumLevelILOperation.MLIL_ADDRESS_OF, var.identifier, size=0, source_location=loc)
 
+	def pass_by_ref(self, size: int, value: ExpressionIndex, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
+		"""
+		``pass_by_ref`` indicates that ``value`` is being passed by reference to a call with a pointer size of  ``size``
+
+		:param int size: the size of the pointer in bytes
+		:param ExpressionIndex value: the expression containing the reference being passed
+		:param ILSourceLocation loc: location of returned expression
+		:return: The expression ``ref *value``
+		:rtype: ExpressionIndex
+		"""
+		return self.expr(MediumLevelILOperation.MLIL_PASS_BY_REF, value, size=size, source_location=loc)
+
 	def address_of_field(self, var: 'variable.Variable', offset: int, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
 		"""
 		``address_of_field`` takes the address of ``var`` at the offset ``offset``