Wrong order of arguments of C function

Question

Wrong order of arguments of C function

hehaoqian opened this issue 3 years ago · 5 comments

Version: radare2 5.6.6 and r2dec-js 5.6.6
OS: Ubuntu 20.04.3 LTS
gcc: 9.3.0

The original function

int sub(int a, int b){
   return a - b;
}

Compiled with gcc test.c -c -o test.o

The disassembly:

endbr64                         
push rbp          
mov rbp, rsp          
mov dword [rbp - 4], edi       
mov dword [rbp - 8], esi       
mov eax, dword [rbp - 4]         
sub eax, dword [rbp - 8]         
pop rbp                          
ret

The disassembled code generated by pdd

/* r2dec pseudo code output */
/* ./test.o @ 0x8000040 */
#include <stdint.h>

int32_t sub (int64_t arg2, int64_t arg1) {
    int64_t var_8h;
    int64_t var_4h;
    rsi = arg2;
    rdi = arg1;
    /* [01] -r-x section size 22 named .text */
    *((rbp - 4)) = edi;
    *((rbp - 8)) = esi;
    eax = *((rbp - 4));
    eax -= *((rbp - 8));
    return eax;
}

I think the function prototype should be

int32_t sub (int64_t arg1, int64_t arg2)

Component

x86-64

Reproduce via JSON (pddi)

{"name":"issue_1648271483599","arch":"x86","archbits":64,"agj":[{"name":"sym.sub","offset":134217792,"ninstr":9,"nargs":2,"nlocals":2,"size":22,"stack":8,"type":"sym","blocks":[{"offset":134217792,"size":22,"ops":[{"offset":134217792,"esil":"","refptr":false,"fcn_addr":134217792,"fcn_last":134217810,"size":4,"opcode":"endbr64","disasm":"endbr64","bytes":"f30f1efa","family":"cpu","type":"null","reloc":false,"type_num":0,"type2_num":0,"flags":["section..text","sym..text","sym.sub","rip"],"comment":"WzAxXSAtci14IHNlY3Rpb24gc2l6ZSAyMiBuYW1lZCAudGV4dA=="},{"offset":134217796,"esil":"rbp,8,rsp,-,=[8],8,rsp,-=","refptr":false,"fcn_addr":134217792,"fcn_last":134217813,"size":1,"opcode":"push rbp","disasm":"push rbp","bytes":"55","family":"cpu","type":"rpush","reloc":false,"type_num":268435468,"type2_num":0},{"offset":134217797,"esil":"rsp,rbp,=","refptr":false,"fcn_addr":134217792,"fcn_last":134217811,"size":3,"opcode":"mov rbp, rsp","disasm":"mov rbp, rsp","bytes":"4889e5","family":"cpu","type":"mov","reloc":false,"type_num":9,"type2_num":0},{"offset":134217800,"esil":"edi,0x4,rbp,-,=[4]","refptr":true,"fcn_addr":134217792,"fcn_last":134217811,"size":3,"opcode":"mov dword [rbp - 4], edi","disasm":"mov dword [rbp - 4], edi","bytes":"897dfc","family":"cpu","type":"mov","reloc":false,"type_num":268435465,"type2_num":0},{"offset":134217803,"esil":"esi,0x8,rbp,-,=[4]","refptr":true,"fcn_addr":134217792,"fcn_last":134217811,"size":3,"opcode":"mov dword [rbp - 8], esi","disasm":"mov dword [rbp - 8], esi","bytes":"8975f8","family":"cpu","type":"mov","reloc":false,"type_num":268435465,"type2_num":0},{"offset":134217806,"esil":"0x4,rbp,-,[4],rax,=","refptr":true,"fcn_addr":134217792,"fcn_last":134217811,"size":3,"opcode":"mov eax, dword [rbp - 4]","disasm":"mov eax, dword [rbp - 4]","bytes":"8b45fc","family":"cpu","type":"mov","reloc":false,"type_num":9,"type2_num":0},{"offset":134217809,"esil":"0x8,rbp,-,[4],eax,-=,0x8,rbp,-,[4],0x80000000,-,!,31,$o,^,of,:=,31,$s,sf,:=,$z,zf,:=,$p,pf,:=,32,$b,cf,:=,3,$b,af,:=","refptr":true,"fcn_addr":134217792,"fcn_last":134217811,"size":3,"opcode":"sub eax, dword [rbp - 8]","disasm":"sub eax, dword [rbp - 8]","bytes":"2b45f8","family":"cpu","type":"sub","reloc":false,"type_num":18,"type2_num":0},{"offset":134217812,"esil":"rsp,[8],rbp,=,8,rsp,+=","refptr":false,"fcn_addr":134217792,"fcn_last":134217813,"size":1,"opcode":"pop rbp","disasm":"pop rbp","bytes":"5d","family":"cpu","type":"pop","reloc":false,"type_num":14,"type2_num":0},{"offset":134217813,"esil":"rsp,[8],rip,=,8,rsp,+=","refptr":false,"fcn_addr":134217792,"fcn_last":134217813,"size":1,"opcode":"ret","disasm":"ret","bytes":"c3","family":"cpu","type":"ret","reloc":false,"type_num":5,"type2_num":0}]}]}],"isj":[{"name":"test.c","flagname":"sym.test.c","realname":"test.c","ordinal":1,"bind":"LOCAL","size":0,"type":"FILE","vaddr":134217728,"paddr":0,"is_imported":false},{"name":".text","flagname":"sym..text","realname":".text","ordinal":2,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217792,"paddr":64,"is_imported":false},{"name":".data","flagname":"sym..data","realname":".data","ordinal":3,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217814,"paddr":86,"is_imported":false},{"name":".bss","flagname":"sym..bss","realname":".bss","ordinal":4,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217814,"paddr":86,"is_imported":false},{"name":".note.GNU-stack","flagname":"sym..note.GNU_stack","realname":".note.GNU-stack","ordinal":5,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217857,"paddr":129,"is_imported":false},{"name":".note.gnu.property","flagname":"sym..note.gnu.property","realname":".note.gnu.property","ordinal":6,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217864,"paddr":136,"is_imported":false},{"name":".eh_frame","flagname":"sym..eh_frame","realname":".eh_frame","ordinal":7,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217896,"paddr":168,"is_imported":false},{"name":".comment","flagname":"sym..comment","realname":".comment","ordinal":8,"bind":"LOCAL","size":0,"type":"SECT","vaddr":134217814,"paddr":86,"is_imported":false},{"name":"sub","flagname":"sym.sub","realname":"sub","ordinal":9,"bind":"GLOBAL","size":22,"type":"FUNC","vaddr":134217792,"paddr":64,"is_imported":false}],"Csj":[],"icj":[],"afvj":{"sp":[],"bp":[{"name":"var_8h","kind":"var","type":"int64_t","ref":{"base":"rbp","offset":-8}},{"name":"var_4h","kind":"var","type":"int64_t","ref":{"base":"rbp","offset":-4}}],"reg":[{"name":"arg2","kind":"reg","type":"int64_t","ref":"rsi"},{"name":"arg1","kind":"reg","type":"int64_t","ref":"rdi"}]},"afcfj":[],"aflj":[{"offset":134217792,"name":"sym.sub","size":22,"is-pure":"true","realsz":22,"noreturn":false,"stackframe":8,"calltype":"amd64","cost":11,"cc":1,"bits":64,"type":"sym","nbbs":1,"is-lineal":true,"ninstrs":9,"edges":0,"ebbs":1,"signature":"sym.sub (int64_t arg1, int64_t arg2);","minbound":134217792,"maxbound":134217814,"indegree":0,"outdegree":0,"nlocals":2,"nargs":2,"bpvars":[{"name":"var_8h","kind":"var","type":"int64_t","ref":{"base":"rbp","offset":-8}},{"name":"var_4h","kind":"var","type":"int64_t","ref":{"base":"rbp","offset":-4}}],"spvars":[],"regvars":[{"name":"arg2","kind":"reg","type":"int64_t","ref":"rsi"},{"name":"arg1","kind":"reg","type":"int64_t","ref":"rdi"}],"difftype":"new"}]}

Answer 1 · 2022-03-26T10:36:11.000Z

can you check the output from r2? because those args (arg1, arg2) comes from r2

Answer 2 · 2022-03-26T12:07:56.000Z

Output of "afv"

var int64_t var_8h @ rbp-0x8
var int64_t var_4h @ rbp-0x4
arg int64_t arg2 @ rsi
arg int64_t arg1 @ rdi

Answer 3 · 2022-03-26T12:16:01.000Z

i can confirm that the problem is that those 2 args are inverted by r2 in the json structure.

Answer 4 · 2022-03-26T12:54:49.000Z

fixed in d986d45

Answer 5 · 2022-04-04T08:37:15.000Z

I don't think this is a correct fix. the arguments must be sorted depending on the calling convention associated with the function. not sorted by name or by register index. Right now the json output doesn't order them in any specific way because it's assume that's part of the frontend who understand the calling convention. but I can fix that in the r2 side so we can ensure the listing honours the calling convention which is probably the expected output.