Description
Version and Platform (required):
- Binary Ninja Version: 5.0.7266-dev Ultimate (37487031)
- OS: Debian
- OS Version: trixie
- CPU Architecture: x64
Bug Description:
While basically every MLIL instruction that can appear in operands of another instruction (that I've looked at so far) has a .expr_type indicating what its type is, MediumLevelILVarSsaField in the Python bindings seems to lack it.
Steps To Reproduce:
Please provide all steps required to reproduce the behavior:
- Download the archive
- Open sample.o with default settings
- Run the commands below:
>>> var_ssa_field = bv.get_function_at(0x400004).mlil.ssa_form[1].params[0]; var_ssa_field
<MediumLevelILVarSsaField: arg1#0.edi>
>>> var_ssa_field.src, var_ssa_field.offset, var_ssa_field.size, var_ssa_field.expr_type
(<SSAVariable: arg1 version 0>, 0, 4, None)
Expected Behavior:
expr_type contains something like <type: immutable:IntegerTypeClass 'int32_t', 0% confidence>
Binary:
repro.zip
Additional Information:
Not being able to rely on expr_type being present for all "expression-type" instructions (ones that can appear deep within the MLIL instruction tree) makes writing custom lifters a fair bit more annoying. At first I thought that maybe only MediumLevelILExpr descendants have expr_type, but MediumLevelILAddressOf has it as well.
Also, at first I thought the issue is much more serious in that it is not enough information to figure out what is being extracted, since the documentation does not mention offset nor size:
Eventually I stumbled onto offset and then guessed my way into figuring out size must have the information I want, but this took me like an hour. I would say this is a serious documentation footgun.
(Also, is the edi rendering taken from arch register info or something? It doesn't seem to ever surface in the MLIL itself.)