TTD code coverage time range filter (#962)

* Add Time Range Filter option for ttd code coverage analysis

* Fix Info message showing in error stream

* add method to query memory accress for a time range in ttd

* use time based memory access query instead of filtering

* use new time based api in TTD memory widget

* Added visual studio build related files to gitignore

revert gitignore changes because i built in the wrong dir, wasnt an issue

* Add in TTD api for GetTTDMemoryAccessForPositionRange and associated structs. In order to fix ttdmemorywidget results display

* increase alpha to 100% for code coverage highlight

* remove note taking comment made before concrete type for PositionRangeIndexedMemoryEvent

* fix results table logical column enum. And tt on double click

* add in address parsing that matches windbg default console output format

* Add in explicit declaration of base and manual trim to 2 acceptable formats, 0x and windbg hex output for addresses

* remove unused vars

* Various fixes

---------

Co-authored-by: Xusheng <xusheng@vector35.com>

Author: NicoleFaye

api/debuggerapi.h

@@ -520,6 +520,23 @@ namespace BinaryNinjaDebuggerAPI {
 		TTDMemoryEvent() : threadId(0), uniqueThreadId(0), accessType(TTDMemoryRead), address(0), size(0), memoryAddress(0), instructionAddress(0), value(0) {}
 	};
 
+	struct TTDPositionRangeIndexedMemoryEvent{
+		TTDPosition position;				// Position of the memory event
+		uint32_t threadId;					// Thread ID that performed the access
+		uint32_t uniqueThreadId;			// Unique thread ID that performed the access
+		uint64_t address;					// Memory address accessed
+		uint64_t instructionAddress;		// Instruction pointer at time of access
+		uint64_t size;  					// Size of memory access
+		TTDMemoryAccessType accessType;		// Type of memory access (parsed from object)
+		uint64_t value;     				// Value that was read/written/executed
+		uint8_t data[8];					// The next 8 bytes of data at the memory address
+
+		TTDPositionRangeIndexedMemoryEvent() : threadId(0), uniqueThreadId(0), address(0), size(0), instructionAddress(0), accessType(TTDMemoryRead), value(0)
+		{
+			memset(data, 0, sizeof(data));
+		}
+	};
+
 	struct TTDCallEvent
 	{
 		std::string eventType;         // Event type (always "Call" for TTD.Calls objects)
@@ -805,6 +822,7 @@ namespace BinaryNinjaDebuggerAPI {
 
 		// TTD Memory Analysis Methods
 		std::vector<TTDMemoryEvent> GetTTDMemoryAccessForAddress(uint64_t address, uint64_t endAddress, TTDMemoryAccessType accessType = TTDMemoryRead);
+		std::vector<TTDPositionRangeIndexedMemoryEvent> GetTTDMemoryAccessForPositionRange(uint64_t startAddress, uint64_t endAddress, TTDMemoryAccessType accessType, const TTDPosition startTime, const TTDPosition endTime);
 		std::vector<TTDCallEvent> GetTTDCallsForSymbols(const std::string& symbols, uint64_t startReturnAddress = 0, uint64_t endReturnAddress = 0);
 		std::vector<TTDEvent> GetTTDEvents(TTDEventType eventType);
 		std::vector<TTDEvent> GetAllTTDEvents();
@@ -813,7 +831,7 @@ namespace BinaryNinjaDebuggerAPI {
 
 		// TTD Code Coverage Analysis Methods
 		bool IsInstructionExecuted(uint64_t address);
-		bool RunCodeCoverageAnalysis(uint64_t startAddress, uint64_t endAddress);
+		bool RunCodeCoverageAnalysis(uint64_t startAddress, uint64_t endAddress, TTDPosition startTime, TTDPosition endTime);
 		size_t GetExecutedInstructionCount() const;
 		bool SaveCodeCoverageToFile(const std::string& filePath) const;
 		bool LoadCodeCoverageFromFile(const std::string& filePath);

api/debuggercontroller.cpp

@@ -1096,6 +1096,43 @@ bool DebuggerController::IsTTD()
 	return BNDebuggerIsTTD(m_object);
 }
 
+std::vector<TTDPositionRangeIndexedMemoryEvent> DebuggerController::GetTTDMemoryAccessForPositionRange(uint64_t address, uint64_t endAddress, TTDMemoryAccessType accessType, const TTDPosition startTime, const TTDPosition endTime)
+{
+	std::vector<TTDPositionRangeIndexedMemoryEvent> result;
+
+	BNDebuggerTTDMemoryAccessType type = static_cast<BNDebuggerTTDMemoryAccessType>(accessType);
+	BNDebuggerTTDPosition bnStartTime = {startTime.sequence, startTime.step};
+	BNDebuggerTTDPosition bnEndTime = {endTime.sequence, endTime.step};
+
+	size_t count = 0;
+	BNDebuggerTTDPositionRangeIndexedMemoryEvent* events = BNDebuggerGetTTDMemoryAccessForPositionRange(m_object, address, endAddress, type, bnStartTime, bnEndTime, &count);
+	
+	if (events && count > 0)
+	{
+		result.reserve(count);
+		for (size_t i = 0; i < count; i++)
+		{
+			TTDPositionRangeIndexedMemoryEvent event;
+			event.threadId = events[i].threadId;
+			event.uniqueThreadId = events[i].uniqueThreadId;
+			event.position.sequence = events[i].position.sequence;
+			event.position.step = events[i].position.step;
+			event.accessType = static_cast<TTDMemoryAccessType>(events[i].accessType);
+			event.address = events[i].address;
+			event.size = events[i].size;
+			event.instructionAddress = events[i].instructionAddress;
+			event.value = events[i].value;
+			for (size_t j = 0; j < 8; j++)
+			{
+				event.data[j] = events[i].data[j];
+			}
+			result.push_back(event);
+		}
+		BNDebuggerFreeTTDPositionRangeIndexedMemoryEvents(events, count);
+	}
+	
+	return result;
+}
 
 std::vector<TTDMemoryEvent> DebuggerController::GetTTDMemoryAccessForAddress(uint64_t address, uint64_t endAddress, TTDMemoryAccessType accessType)
 {
@@ -1343,9 +1380,14 @@ bool DebuggerController::IsInstructionExecuted(uint64_t address)
 }
 
 
-bool DebuggerController::RunCodeCoverageAnalysis(uint64_t startAddress, uint64_t endAddress)
+bool DebuggerController::RunCodeCoverageAnalysis(uint64_t startAddress, uint64_t endAddress, TTDPosition startTime, TTDPosition endTime)
 {
-	return BNDebuggerRunCodeCoverageAnalysisRange(m_object, startAddress, endAddress);
+	BNDebuggerTTDPosition startPos, endPos;
+    startPos.sequence = startTime.sequence;
+    startPos.step = startTime.step;
+    endPos.sequence = endTime.sequence;
+    endPos.step = endTime.step;
+    return BNDebuggerRunCodeCoverageAnalysisRange(m_object, startAddress, endAddress, startPos, endPos);
 }
 
 

api/ffi.h

@@ -335,6 +335,19 @@ extern "C"
 		BNDebuggerTTDMemoryAccessType accessType;
 	} BNDebuggerTTDMemoryEvent;
 
+	typedef struct BNDebuggerTTDPositionRangeIndexedMemoryEvent
+	{
+		BNDebuggerTTDPosition position;
+		uint32_t threadId;
+		uint32_t uniqueThreadId;
+		uint64_t address;
+		uint64_t instructionAddress;
+		uint64_t size;
+		BNDebuggerTTDMemoryAccessType accessType;
+		uint64_t value;
+		uint8_t data[8];
+	} BNDebuggerTTDPositionRangeIndexedMemoryEvent;
+
 	typedef struct BNDebuggerTTDCallEvent
 	{
 		char* eventType;              // Event type (always "Call" for TTD.Calls objects)
@@ -669,6 +682,9 @@ extern "C"
 	// TTD Memory Analysis Functions
 	DEBUGGER_FFI_API BNDebuggerTTDMemoryEvent* BNDebuggerGetTTDMemoryAccessForAddress(BNDebuggerController* controller,
 		uint64_t address, uint64_t endAddress, BNDebuggerTTDMemoryAccessType accessType, size_t* count);
+	DEBUGGER_FFI_API BNDebuggerTTDPositionRangeIndexedMemoryEvent* BNDebuggerGetTTDMemoryAccessForPositionRange(BNDebuggerController* controller,
+		uint64_t address, uint64_t endAddress, BNDebuggerTTDMemoryAccessType accessType ,BNDebuggerTTDPosition startPosition, BNDebuggerTTDPosition endPosition,
+		size_t* count);
 	DEBUGGER_FFI_API BNDebuggerTTDCallEvent* BNDebuggerGetTTDCallsForSymbols(BNDebuggerController* controller,
 		const char* symbols, uint64_t startReturnAddress, uint64_t endReturnAddress, size_t* count);
 	DEBUGGER_FFI_API BNDebuggerTTDEvent* BNDebuggerGetTTDEvents(BNDebuggerController* controller,
@@ -677,12 +693,13 @@ extern "C"
 	DEBUGGER_FFI_API BNDebuggerTTDPosition BNDebuggerGetCurrentTTDPosition(BNDebuggerController* controller);
 	DEBUGGER_FFI_API bool BNDebuggerSetTTDPosition(BNDebuggerController* controller, BNDebuggerTTDPosition position);
 	DEBUGGER_FFI_API void BNDebuggerFreeTTDMemoryEvents(BNDebuggerTTDMemoryEvent* events, size_t count);
+	DEBUGGER_FFI_API void BNDebuggerFreeTTDPositionRangeIndexedMemoryEvents(BNDebuggerTTDPositionRangeIndexedMemoryEvent* events, size_t count);
 	DEBUGGER_FFI_API void BNDebuggerFreeTTDCallEvents(BNDebuggerTTDCallEvent* events, size_t count);
 	DEBUGGER_FFI_API void BNDebuggerFreeTTDEvents(BNDebuggerTTDEvent* events, size_t count);
 
 	// TTD Code Coverage Analysis Functions
 	DEBUGGER_FFI_API bool BNDebuggerIsInstructionExecuted(BNDebuggerController* controller, uint64_t address);
-	DEBUGGER_FFI_API bool BNDebuggerRunCodeCoverageAnalysisRange(BNDebuggerController* controller, uint64_t startAddress, uint64_t endAddress);
+	DEBUGGER_FFI_API bool BNDebuggerRunCodeCoverageAnalysisRange(BNDebuggerController* controller, uint64_t startAddress, uint64_t endAddress, BNDebuggerTTDPosition startTime, BNDebuggerTTDPosition endTime);
 	DEBUGGER_FFI_API size_t BNDebuggerGetExecutedInstructionCount(BNDebuggerController* controller);
 	DEBUGGER_FFI_API bool BNDebuggerSaveCodeCoverageToFile(BNDebuggerController* controller, const char* filePath);
 	DEBUGGER_FFI_API bool BNDebuggerLoadCodeCoverageFromFile(BNDebuggerController* controller, const char* filePath);

api/python/debuggercontroller.py

@@ -804,6 +804,68 @@ def __repr__(self):
         return f"<TTDMemoryEvent: {self.event_type} @ {self.address:#x}, thread {self.thread_id}>"
 
 
+class TTDPositionRangeIndexedMemoryEvent:
+    """
+    TTDPositionRangeIndexedMemoryEvent represents a memory access event in a TTD trace with position information.
+    This is used for memory queries filtered by both address range and time range.
+
+    * ``position``: TTD position when the memory access occurred
+    * ``thread_id``: OS thread ID that performed the memory access
+    * ``unique_thread_id``: unique thread ID across the trace
+    * ``address``: memory address that was accessed
+    * ``instruction_address``: address of the instruction that performed the access
+    * ``size``: size of the memory access in bytes
+    * ``access_type``: type of access (read/write/execute)
+    * ``value``: value that was read/written/executed (truncated to size)
+    * ``data``: the next 8 bytes of data at the memory address (as a bytes object)
+    """
+
+    def __init__(self, position: TTDPosition, thread_id: int, unique_thread_id: int,
+                 address: int, instruction_address: int, size: int,
+                 access_type: int, value: int, data: bytes):
+        self.position = position
+        self.thread_id = thread_id
+        self.unique_thread_id = unique_thread_id
+        self.address = address
+        self.instruction_address = instruction_address
+        self.size = size
+        self.access_type = access_type
+        self.value = value
+        self.data = data
+
+    def __eq__(self, other):
+        if not isinstance(other, self.__class__):
+            return NotImplemented
+        return (self.position == other.position and
+                self.thread_id == other.thread_id and
+                self.unique_thread_id == other.unique_thread_id and
+                self.address == other.address and
+                self.instruction_address == other.instruction_address and
+                self.size == other.size and
+                self.access_type == other.access_type and
+                self.value == other.value and
+                self.data == other.data)
+
+    def __ne__(self, other):
+        if not isinstance(other, self.__class__):
+            return NotImplemented
+        return not (self == other)
+
+    def __hash__(self):
+        return hash((self.position, self.thread_id, self.unique_thread_id,
+                     self.address, self.instruction_address, self.size,
+                     self.access_type, self.value, self.data))
+
+    def __setattr__(self, name, value):
+        try:
+            object.__setattr__(self, name, value)
+        except AttributeError:
+            raise AttributeError(f"attribute '{name}' is read only")
+
+    def __repr__(self):
+        return f"<TTDPositionRangeIndexedMemoryEvent: @ {self.address:#x}, pos {self.position}, thread {self.thread_id}>"
+
+
 class TTDCallEvent:
     """
     TTDCallEvent represents a function call event in a TTD trace. It has the following fields:
@@ -2540,6 +2602,75 @@ def get_ttd_memory_access_for_address(self, address: int, end_address: int, acce
         dbgcore.BNDebuggerFreeTTDMemoryEvents(events, count.value)
         return result
 
+    def get_ttd_memory_access_for_position_range(self, start_address: int, end_address: int, access_type,
+                                                  start_time: TTDPosition = None, end_time: TTDPosition = None) -> List[TTDPositionRangeIndexedMemoryEvent]:
+        """
+        Get TTD memory access events for a specific address range and time range.
+
+        This method is only available when debugging with TTD (Time Travel Debugging).
+        Use the is_ttd property to check if TTD is available before calling this method.
+
+        :param start_address: starting memory address to query
+        :param end_address: ending memory address to query
+        :param access_type: type of memory access to query - can be:
+                           - DebuggerTTDMemoryAccessType enum values
+                           - String specification like "r", "w", "e", "rw", "rwe", etc.
+                           - Integer values (for backward compatibility)
+        :param start_time: starting TTD position (default: start of trace)
+        :param end_time: ending TTD position (default: end of trace)
+        :return: list of TTDPositionRangeIndexedMemoryEvent objects
+        :raises: May raise an exception if TTD is not available
+        """
+        # Parse access type if it's a string
+        parsed_access_type = parse_ttd_access_type(access_type)
+
+        # Set default time range if not provided
+        if start_time is None:
+            start_time = TTDPosition(0, 0)
+        if end_time is None:
+            end_time = TTDPosition(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF)
+
+        # Create ctypes structures for positions
+        bn_start_pos = dbgcore.BNDebuggerTTDPosition()
+        bn_start_pos.sequence = start_time.sequence
+        bn_start_pos.step = start_time.step
+
+        bn_end_pos = dbgcore.BNDebuggerTTDPosition()
+        bn_end_pos.sequence = end_time.sequence
+        bn_end_pos.step = end_time.step
+
+        count = ctypes.c_ulonglong()
+        events = dbgcore.BNDebuggerGetTTDMemoryAccessForPositionRange(
+            self.handle, start_address, end_address, parsed_access_type,
+            bn_start_pos, bn_end_pos, count)
+
+        if not events:
+            return []
+
+        result = []
+        for i in range(count.value):
+            event = events[i]
+            position = TTDPosition(event.position.sequence, event.position.step)
+
+            # Convert data array to bytes
+            data = bytes(event.data[j] for j in range(8))
+
+            memory_event = TTDPositionRangeIndexedMemoryEvent(
+                position=position,
+                thread_id=event.threadId,
+                unique_thread_id=event.uniqueThreadId,
+                address=event.address,
+                instruction_address=event.instructionAddress,
+                size=event.size,
+                access_type=event.accessType,
+                value=event.value,
+                data=data
+            )
+            result.append(memory_event)
+
+        dbgcore.BNDebuggerFreeTTDPositionRangeIndexedMemoryEvents(events, count.value)
+        return result
+
     def get_ttd_calls_for_symbols(self, symbols: str, start_return_address: int = 0, end_return_address: int = 0) -> List[TTDCallEvent]:
         """
         Get TTD call events for specific symbols/functions.
@@ -2748,6 +2879,84 @@ def get_all_ttd_events(self) -> List[TTDEvent]:
         dbgcore.BNDebuggerFreeTTDEvents(events, count.value)
         return result
 
+    def run_code_coverage_analysis(self, start_address: int, end_address: int,
+                                     start_time: TTDPosition = None, end_time: TTDPosition = None) -> bool:
+        """
+        Run code coverage analysis on a specific address range and time range.
+
+        This method is only available when debugging with TTD (Time Travel Debugging).
+        Use the is_ttd property to check if TTD is available before calling this method.
+
+        The code coverage analysis identifies which instructions within the specified address range
+        were executed during the specified time range. Results can be queried using the
+        is_instruction_executed() method.
+
+        :param start_address: starting address of the range to analyze
+        :param end_address: ending address of the range to analyze
+        :param start_time: starting TTD position (default: start of trace)
+        :param end_time: ending TTD position (default: end of trace)
+        :return: True if analysis succeeded, False otherwise
+        :raises: May raise an exception if TTD is not available
+        """
+        # Set default time range if not provided
+        if start_time is None:
+            start_time = TTDPosition(0, 0)
+        if end_time is None:
+            end_time = TTDPosition(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF)
+
+        # Create ctypes structures for positions
+        bn_start_pos = dbgcore.BNDebuggerTTDPosition()
+        bn_start_pos.sequence = start_time.sequence
+        bn_start_pos.step = start_time.step
+
+        bn_end_pos = dbgcore.BNDebuggerTTDPosition()
+        bn_end_pos.sequence = end_time.sequence
+        bn_end_pos.step = end_time.step
+
+        return dbgcore.BNDebuggerRunCodeCoverageAnalysisRange(
+            self.handle, start_address, end_address, bn_start_pos, bn_end_pos)
+
+    def is_instruction_executed(self, address: int) -> bool:
+        """
+        Check if an instruction at a specific address was executed during code coverage analysis.
+
+        This method requires that run_code_coverage_analysis() has been called first.
+
+        :param address: address of the instruction to check
+        :return: True if the instruction was executed, False otherwise
+        """
+        return dbgcore.BNDebuggerIsInstructionExecuted(self.handle, address)
+
+    def get_executed_instruction_count(self) -> int:
+        """
+        Get the count of executed instructions from the last code coverage analysis.
+
+        This method requires that run_code_coverage_analysis() has been called first.
+
+        :return: number of unique executed instructions
+        """
+        return dbgcore.BNDebuggerGetExecutedInstructionCount(self.handle)
+
+    def save_code_coverage_to_file(self, file_path: str) -> bool:
+        """
+        Save code coverage results to a file.
+
+        This method requires that run_code_coverage_analysis() has been called first.
+
+        :param file_path: path to the file where results should be saved
+        :return: True if save succeeded, False otherwise
+        """
+        return dbgcore.BNDebuggerSaveCodeCoverageToFile(self.handle, file_path.encode('utf-8'))
+
+    def load_code_coverage_from_file(self, file_path: str) -> bool:
+        """
+        Load code coverage results from a file.
+
+        :param file_path: path to the file containing code coverage results
+        :return: True if load succeeded, False otherwise
+        """
+        return dbgcore.BNDebuggerLoadCodeCoverageFromFile(self.handle, file_path.encode('utf-8'))
+
     def __del__(self):
         if dbgcore is not None:
             dbgcore.BNDebuggerFreeController(self.handle)