Feature/ttd next prev memory access (#1011)

* Add TTD NextMemoryAccess/PrevMemoryAccess API and UI

Add efficient methods to find the next/previous memory access from
the current TTD position using @$curprocess.TTD.NextMemoryAccess and
PrevMemoryAccess, avoiding the need to pull all accesses and search.

Adds API through all layers (adapter, controller, FFI, C++ API, Python).

UI changes:
- Right-click context menu actions (TTD Next/Prev Memory Access with
  Read, Write, Read/Write sub-options) that use the selection range and
  immediately time travel to the result.
- Next/Prev buttons in the TTD Memory sidebar widget that add the found
  event to the results table and highlight it.
- When the returned position is 0:0, show an informational dialog
  instead of navigating.

Fix #997

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Various UI fixes

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: xusheng6

api/debuggerapi.h

@@ -828,6 +828,8 @@ namespace BinaryNinjaDebuggerAPI {
 		std::vector<TTDEvent> GetAllTTDEvents();
 		TTDPosition GetCurrentTTDPosition();
 		bool SetTTDPosition(const TTDPosition& position);
+		std::pair<bool, TTDMemoryEvent> GetTTDNextMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType);
+		std::pair<bool, TTDMemoryEvent> GetTTDPrevMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType);
 
 		// TTD Code Coverage Analysis Methods
 		bool IsInstructionExecuted(uint64_t address);

api/debuggercontroller.cpp

@@ -1182,6 +1182,62 @@ bool DebuggerController::SetTTDPosition(const TTDPosition& position)
 	return BNDebuggerSetTTDPosition(m_object, pos);
 }
 
+std::pair<bool, TTDMemoryEvent> DebuggerController::GetTTDNextMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType)
+{
+	BNDebuggerTTDMemoryEvent bnEvent = {};
+	BNDebuggerTTDMemoryAccessType type = static_cast<BNDebuggerTTDMemoryAccessType>(accessType);
+
+	bool success = BNDebuggerGetTTDNextMemoryAccess(m_object, address, size, type, &bnEvent);
+	if (!success)
+		return {false, TTDMemoryEvent()};
+
+	TTDMemoryEvent event;
+	event.eventType = bnEvent.eventType ? std::string(bnEvent.eventType) : "";
+	event.threadId = bnEvent.threadId;
+	event.uniqueThreadId = bnEvent.uniqueThreadId;
+	event.timeStart = TTDPosition(bnEvent.timeStart.sequence, bnEvent.timeStart.step);
+	event.timeEnd = TTDPosition(bnEvent.timeEnd.sequence, bnEvent.timeEnd.step);
+	event.address = bnEvent.address;
+	event.size = bnEvent.size;
+	event.memoryAddress = bnEvent.memoryAddress;
+	event.instructionAddress = bnEvent.instructionAddress;
+	event.value = bnEvent.value;
+	event.accessType = static_cast<TTDMemoryAccessType>(bnEvent.accessType);
+
+	if (bnEvent.eventType)
+		BNDebuggerFreeString(bnEvent.eventType);
+
+	return {true, event};
+}
+
+std::pair<bool, TTDMemoryEvent> DebuggerController::GetTTDPrevMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType)
+{
+	BNDebuggerTTDMemoryEvent bnEvent = {};
+	BNDebuggerTTDMemoryAccessType type = static_cast<BNDebuggerTTDMemoryAccessType>(accessType);
+
+	bool success = BNDebuggerGetTTDPrevMemoryAccess(m_object, address, size, type, &bnEvent);
+	if (!success)
+		return {false, TTDMemoryEvent()};
+
+	TTDMemoryEvent event;
+	event.eventType = bnEvent.eventType ? std::string(bnEvent.eventType) : "";
+	event.threadId = bnEvent.threadId;
+	event.uniqueThreadId = bnEvent.uniqueThreadId;
+	event.timeStart = TTDPosition(bnEvent.timeStart.sequence, bnEvent.timeStart.step);
+	event.timeEnd = TTDPosition(bnEvent.timeEnd.sequence, bnEvent.timeEnd.step);
+	event.address = bnEvent.address;
+	event.size = bnEvent.size;
+	event.memoryAddress = bnEvent.memoryAddress;
+	event.instructionAddress = bnEvent.instructionAddress;
+	event.value = bnEvent.value;
+	event.accessType = static_cast<TTDMemoryAccessType>(bnEvent.accessType);
+
+	if (bnEvent.eventType)
+		BNDebuggerFreeString(bnEvent.eventType);
+
+	return {true, event};
+}
+
 std::vector<TTDCallEvent> DebuggerController::GetTTDCallsForSymbols(const std::string& symbols, uint64_t startReturnAddress, uint64_t endReturnAddress)
 {
 	std::vector<TTDCallEvent> result;

api/ffi.h

@@ -692,6 +692,10 @@ extern "C"
 	DEBUGGER_FFI_API BNDebuggerTTDEvent* BNDebuggerGetAllTTDEvents(BNDebuggerController* controller, size_t* count);
 	DEBUGGER_FFI_API BNDebuggerTTDPosition BNDebuggerGetCurrentTTDPosition(BNDebuggerController* controller);
 	DEBUGGER_FFI_API bool BNDebuggerSetTTDPosition(BNDebuggerController* controller, BNDebuggerTTDPosition position);
+	DEBUGGER_FFI_API bool BNDebuggerGetTTDNextMemoryAccess(BNDebuggerController* controller,
+		uint64_t address, uint64_t size, BNDebuggerTTDMemoryAccessType accessType, BNDebuggerTTDMemoryEvent* result);
+	DEBUGGER_FFI_API bool BNDebuggerGetTTDPrevMemoryAccess(BNDebuggerController* controller,
+		uint64_t address, uint64_t size, BNDebuggerTTDMemoryAccessType accessType, BNDebuggerTTDMemoryEvent* result);
 	DEBUGGER_FFI_API void BNDebuggerFreeTTDMemoryEvents(BNDebuggerTTDMemoryEvent* events, size_t count);
 	DEBUGGER_FFI_API void BNDebuggerFreeTTDPositionRangeIndexedMemoryEvents(BNDebuggerTTDPositionRangeIndexedMemoryEvent* events, size_t count);
 	DEBUGGER_FFI_API void BNDebuggerFreeTTDCallEvents(BNDebuggerTTDCallEvent* events, size_t count);

api/python/debuggercontroller.py

@@ -2553,6 +2553,74 @@ def navigate_to_timestamp(self, timestamp_str):
             binaryninja.log_error(f"Invalid timestamp format: {e}")
             return False
 
+    def get_ttd_next_memory_access(self, address: int, size: int, access_type = DebuggerTTDMemoryAccessType.DebuggerTTDMemoryRead):
+        """
+        Get the next memory access to a specific address from the current TTD position.
+
+        This is more efficient than pulling all accesses and searching, as it uses
+        the TTD NextMemoryAccess API directly.
+
+        :param address: memory address to monitor
+        :param size: size of the memory region in bytes
+        :param access_type: type of memory access to query (read/write/execute)
+        :return: TTDMemoryEvent if found, None if no subsequent access exists
+        """
+        parsed_access_type = parse_ttd_access_type(access_type)
+        result = dbgcore.BNDebuggerTTDMemoryEvent()
+        success = dbgcore.BNDebuggerGetTTDNextMemoryAccess(self.handle, address, size, parsed_access_type, result)
+        if not success:
+            return None
+
+        time_start = TTDPosition(result.timeStart.sequence, result.timeStart.step)
+        time_end = TTDPosition(result.timeEnd.sequence, result.timeEnd.step)
+        return TTDMemoryEvent(
+            event_type=result.eventType if result.eventType else "",
+            thread_id=result.threadId,
+            unique_thread_id=result.uniqueThreadId,
+            time_start=time_start,
+            time_end=time_end,
+            address=result.address,
+            size=result.size,
+            memory_address=result.memoryAddress,
+            instruction_address=result.instructionAddress,
+            value=result.value,
+            access_type=result.accessType
+        )
+
+    def get_ttd_prev_memory_access(self, address: int, size: int, access_type = DebuggerTTDMemoryAccessType.DebuggerTTDMemoryRead):
+        """
+        Get the previous memory access to a specific address from the current TTD position.
+
+        This is more efficient than pulling all accesses and searching, as it uses
+        the TTD PrevMemoryAccess API directly.
+
+        :param address: memory address to monitor
+        :param size: size of the memory region in bytes
+        :param access_type: type of memory access to query (read/write/execute)
+        :return: TTDMemoryEvent if found, None if no prior access exists
+        """
+        parsed_access_type = parse_ttd_access_type(access_type)
+        result = dbgcore.BNDebuggerTTDMemoryEvent()
+        success = dbgcore.BNDebuggerGetTTDPrevMemoryAccess(self.handle, address, size, parsed_access_type, result)
+        if not success:
+            return None
+
+        time_start = TTDPosition(result.timeStart.sequence, result.timeStart.step)
+        time_end = TTDPosition(result.timeEnd.sequence, result.timeEnd.step)
+        return TTDMemoryEvent(
+            event_type=result.eventType if result.eventType else "",
+            thread_id=result.threadId,
+            unique_thread_id=result.uniqueThreadId,
+            time_start=time_start,
+            time_end=time_end,
+            address=result.address,
+            size=result.size,
+            memory_address=result.memoryAddress,
+            instruction_address=result.instructionAddress,
+            value=result.value,
+            access_type=result.accessType
+        )
+
     def get_ttd_memory_access_for_address(self, address: int, end_address: int, access_type = DebuggerTTDMemoryAccessType.DebuggerTTDMemoryRead) -> List[TTDMemoryEvent]:
         """
         Get TTD memory access events for a specific address range.

core/adapters/dbgengttdadapter.cpp

@@ -531,6 +531,75 @@ bool DbgEngTTDAdapter::SetTTDPosition(const TTDPosition& position)
 	return success;
 }
 
+
+std::pair<bool, TTDMemoryEvent> DbgEngTTDAdapter::GetTTDNextMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType)
+{
+	if (!m_debugControl)
+	{
+		LogError("Debug control interface not available");
+		return {false, TTDMemoryEvent()};
+	}
+
+	try
+	{
+		std::string accessTypeStr;
+		if (accessType & TTDMemoryRead) accessTypeStr += "r";
+		if (accessType & TTDMemoryWrite) accessTypeStr += "w";
+		if (accessType & TTDMemoryExecute) accessTypeStr += "e";
+
+		if (accessTypeStr.empty())
+		{
+			LogError("Invalid access type specified");
+			return {false, TTDMemoryEvent()};
+		}
+
+		std::string expression = fmt::format("@$curprocess.TTD.NextMemoryAccess(\"{}\",0x{:x},0x{:x})", accessTypeStr, address, size);
+		LogInfo("Executing TTD NextMemoryAccess query: %s", expression.c_str());
+
+		return ParseSingleTTDMemoryObject(expression, accessType);
+	}
+	catch (const std::exception& e)
+	{
+		LogError("Exception in GetTTDNextMemoryAccess: %s", e.what());
+		return {false, TTDMemoryEvent()};
+	}
+}
+
+
+std::pair<bool, TTDMemoryEvent> DbgEngTTDAdapter::GetTTDPrevMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType)
+{
+	if (!m_debugControl)
+	{
+		LogError("Debug control interface not available");
+		return {false, TTDMemoryEvent()};
+	}
+
+	try
+	{
+		std::string accessTypeStr;
+		if (accessType & TTDMemoryRead) accessTypeStr += "r";
+		if (accessType & TTDMemoryWrite) accessTypeStr += "w";
+		if (accessType & TTDMemoryExecute) accessTypeStr += "e";
+
+		if (accessTypeStr.empty())
+		{
+			LogError("Invalid access type specified");
+			return {false, TTDMemoryEvent()};
+		}
+
+		std::string expression = fmt::format("@$curprocess.TTD.PrevMemoryAccess(\"{}\",0x{:x},0x{:x})", accessTypeStr, address, size);
+		LogInfo("Executing TTD PrevMemoryAccess query: %s", expression.c_str());
+
+		return ParseSingleTTDMemoryObject(expression, accessType);
+	}
+	catch (const std::exception& e)
+	{
+		LogError("Exception in GetTTDPrevMemoryAccess: %s", e.what());
+		return {false, TTDMemoryEvent()};
+	}
+}
+
+
 bool DbgEngTTDAdapter::QueryMemoryAccessByAddress(uint64_t startAddress, uint64_t endAddress, TTDMemoryAccessType accessType, std::vector<TTDMemoryEvent>& events)
 {
 	if (!m_debugControl)
@@ -1272,6 +1341,146 @@ bool DbgEngTTDAdapter::ParseTTDPositionRangeIndexedMemoryObjects(const std::stri
 }
 
 
+std::pair<bool, TTDMemoryEvent> DbgEngTTDAdapter::ParseSingleTTDMemoryObject(const std::string& expression, TTDMemoryAccessType accessType)
+{
+	TTDMemoryEvent event;
+
+	if (!m_hostEvaluator)
+	{
+		LogError("Data model evaluator not available");
+		return {false, event};
+	}
+
+	try
+	{
+		std::wstring wExpression(expression.begin(), expression.end());
+
+		ComPtr<IDebugHostContext> hostContext;
+		if (FAILED(m_debugHost->GetCurrentContext(hostContext.GetAddressOf())))
+		{
+			LogError("Failed to get current debug host context");
+			return {false, event};
+		}
+
+		ComPtr<IModelObject> result;
+		ComPtr<IKeyStore> metadata;
+		HRESULT hr = m_hostEvaluator->EvaluateExtendedExpression(
+			hostContext.Get(),
+			wExpression.c_str(),
+			nullptr,
+			result.GetAddressOf(),
+			metadata.GetAddressOf()
+		);
+
+		if (FAILED(hr))
+		{
+			LogError("Failed to evaluate expression '%s': 0x%08x", expression.c_str(), hr);
+			return {false, event};
+		}
+
+		if (!result)
+		{
+			LogError("Null result from expression '%s'", expression.c_str());
+			return {false, event};
+		}
+
+		// The result is a single memory access object (not a collection).
+		// Parse Position
+		ComPtr<IModelObject> positionObj;
+		if (SUCCEEDED(result->GetKeyValue(L"Position", &positionObj, nullptr)))
+		{
+			ParseTTDPosition(positionObj.Get(), event.timeStart);
+		}
+
+		// Parse OriginalPosition into timeEnd (represents the position from which the query was made)
+		ComPtr<IModelObject> origPositionObj;
+		if (SUCCEEDED(result->GetKeyValue(L"OriginalPosition", &origPositionObj, nullptr)))
+		{
+			ParseTTDPosition(origPositionObj.Get(), event.timeEnd);
+		}
+
+		// Get UniqueThreadId
+		ComPtr<IModelObject> uniqueThreadIdObj;
+		if (SUCCEEDED(result->GetKeyValue(L"UniqueThreadId", &uniqueThreadIdObj, nullptr)))
+		{
+			VARIANT vtUniqueThreadId;
+			VariantInit(&vtUniqueThreadId);
+			if (SUCCEEDED(uniqueThreadIdObj->GetIntrinsicValueAs(VT_UI4, &vtUniqueThreadId)))
+			{
+				event.uniqueThreadId = vtUniqueThreadId.ulVal;
+			}
+			VariantClear(&vtUniqueThreadId);
+		}
+
+		// Get Address
+		ComPtr<IModelObject> addressObj;
+		if (SUCCEEDED(result->GetKeyValue(L"Address", &addressObj, nullptr)))
+		{
+			VARIANT vtAddress;
+			VariantInit(&vtAddress);
+			if (SUCCEEDED(addressObj->GetIntrinsicValueAs(VT_UI8, &vtAddress)))
+			{
+				event.address = vtAddress.ullVal;
+			}
+			VariantClear(&vtAddress);
+		}
+
+		// Get Size
+		ComPtr<IModelObject> sizeObj;
+		if (SUCCEEDED(result->GetKeyValue(L"Size", &sizeObj, nullptr)))
+		{
+			VARIANT vtSize;
+			VariantInit(&vtSize);
+			if (SUCCEEDED(sizeObj->GetIntrinsicValueAs(VT_UI8, &vtSize)))
+			{
+				event.size = vtSize.ullVal;
+			}
+			VariantClear(&vtSize);
+		}
+
+		// Get AccessType
+		ComPtr<IModelObject> accessTypeObj;
+		if (SUCCEEDED(result->GetKeyValue(L"AccessType", &accessTypeObj, nullptr)))
+		{
+			VARIANT vtAccessType;
+			VariantInit(&vtAccessType);
+			if (SUCCEEDED(accessTypeObj->GetIntrinsicValueAs(VT_BSTR, &vtAccessType)))
+			{
+				_bstr_t bstr(vtAccessType.bstrVal);
+				std::string accessTypeStr = std::string(bstr);
+
+				TTDMemoryAccessType parsedAccessType = static_cast<TTDMemoryAccessType>(0);
+				if (accessTypeStr.find("Read") != std::string::npos)
+					parsedAccessType = static_cast<TTDMemoryAccessType>(parsedAccessType | TTDMemoryRead);
+				if (accessTypeStr.find("Write") != std::string::npos)
+					parsedAccessType = static_cast<TTDMemoryAccessType>(parsedAccessType | TTDMemoryWrite);
+				if (accessTypeStr.find("Execute") != std::string::npos)
+					parsedAccessType = static_cast<TTDMemoryAccessType>(parsedAccessType | TTDMemoryExecute);
+
+				event.accessType = parsedAccessType;
+			}
+			else
+			{
+				event.accessType = accessType;
+			}
+			VariantClear(&vtAccessType);
+		}
+		else
+		{
+			event.accessType = accessType;
+		}
+
+		LogInfo("Successfully parsed single TTD memory access at position %llx:%llx", event.timeStart.sequence, event.timeStart.step);
+		return {true, event};
+	}
+	catch (const std::exception& e)
+	{
+		LogError("Exception in ParseSingleTTDMemoryObject: %s", e.what());
+		return {false, event};
+	}
+}
+
+
 std::vector<TTDCallEvent> DbgEngTTDAdapter::GetTTDCallsForSymbols(const std::string& symbols, uint64_t startReturnAddress, uint64_t endReturnAddress)
 {
 	std::vector<TTDCallEvent> events;

core/adapters/dbgengttdadapter.h

@@ -54,6 +54,10 @@ namespace BinaryNinjaDebugger {
 		TTDPosition GetCurrentTTDPosition() override;
 		bool SetTTDPosition(const TTDPosition& position) override;
 
+		// TTD Next/Prev Memory Access Methods
+		std::pair<bool, TTDMemoryEvent> GetTTDNextMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType) override;
+		std::pair<bool, TTDMemoryEvent> GetTTDPrevMemoryAccess(uint64_t address, uint64_t size, TTDMemoryAccessType accessType) override;
+
     	// TTD Calls Analysis Methods
     	std::vector<TTDCallEvent> GetTTDCallsForSymbols(const std::string& symbols, uint64_t startReturnAddress = 0, uint64_t endReturnAddress = 0) override;
 
@@ -92,6 +96,7 @@ namespace BinaryNinjaDebugger {
 		std::string EvaluateDataModelExpression(const std::string& expression);
 		bool ParseTTDMemoryObjects(const std::string& expression, TTDMemoryAccessType accessType, std::vector<TTDMemoryEvent>& events);
 		bool ParseTTDPositionRangeIndexedMemoryObjects(const std::string& expression, TTDMemoryAccessType accessType, std::vector<TTDPositionRangeIndexedMemoryEvent>& events);
+		std::pair<bool, TTDMemoryEvent> ParseSingleTTDMemoryObject(const std::string& expression, TTDMemoryAccessType accessType);
 
 		// Data model interfaces for TTD
 		IHostDataModelAccess* m_dataModelManager;