Comparison with stack pointer results in register0x00000004 instead of unaff_r1 or similar

[Pokechu22]

Describe the bug
The following code sample that uses addic. to perform a null check on the stack pointer decompiles weirdly.

To Reproduce
Steps to reproduce the behavior:

1. Download and extract addic.zip.
2. Import addic.bin. Use 32-bit powerpc (default variant and compiler) as the language.
3. Open the imported file, and allow analysis to happen.
4. Look at the decompile window.

Expected behavior

I would expect something like this to show up:

void FUN_00000000(int param_1,uint param_2)
{
  short local_6;
  
  if (unaff_r1 != (undefined *)-6) {
    local_6 = *(short *)(param_1 + 4);
  }
  if ((ushort)(local_6 - 1) < param_2) {
    param_2 = (uint)(ushort)(local_6 - 1);
  }
  func_0x00010000(param_1,param_2);
  return;
}

Alternatively, I would expect this (since normally, it's impossible for the stack pointer to be null), though it probably doesn't make sense to hide details like this when analyzing malicious code (instead of code that's just jank/broken).

void FUN_00000000(int param_1,uint param_2)
{
  short local_6 = *(short *)(param_1 + 4);

  if ((ushort)(local_6 - 1) < param_2) {
    param_2 = (uint)(ushort)(local_6 - 1);
  }
  func_0x00010000(param_1,param_2);
  return;
}

Actual behavior

The following shows up:

void FUN_00000000(int param_1,uint param_2)
{
  short local_6;
  
  if ((undefined *)register0x00000004 != (undefined *)0x6) {
    local_6 = *(short *)(param_1 + 4);
  }
  if ((ushort)(local_6 - 1) < param_2) {
    param_2 = (uint)(ushort)(local_6 - 1);
  }
  func_0x00010000(param_1,param_2);
  return;
}

Attachments
addic.zip

Environment (please complete the following information):

• OS: Windows 10
• Java Version: 16.0.1
• Ghidra Version: 10.1
• Ghidra Origin: official ghidra-sre.org distro

Additional context
Here's the disassembly:

                             //
                             // ram 
                             // ram:00000000-ram:0000004f
                             //
                             **************************************************************
                             *                                                            *
                             *  FUNCTION                                                  *
                             **************************************************************
                             undefined FUN_00000000()
             undefined         r3:1           <RETURN>
             undefined4        Stack[0x4]:4   local_res4                              XREF[2]:     0000000c(W), 
                                                                                                   00000040(R)  
             undefined2        Stack[-0x6]:2  local_6                                 XREF[3]:     0000001c(W), 
                                                                                                   00000020(R), 
                                                                                                   00000030(W)  
             undefined4        Stack[-0x10]:4 local_10                                XREF[1]:     00000000(W)  
                             FUN_00000000
        00000000 94 21 ff f0     stwu       r1,local_10(r1)
        00000004 7c 08 02 a6     mfspr      r0,LR
        00000008 7c aa 2b 78     or         r10,r5,r5
        0000000c 90 01 00 14     stw        r0,local_res4(r1)
        00000010 34 01 00 0a     addic.     r0,r1,0xa
        00000014 41 82 00 0c     beq        LAB_00000020
        00000018 a0 03 00 04     lhz        r0,0x4(r3)
        0000001c b0 01 00 0a     sth        r0,local_6(r1)
                             LAB_00000020                                    XREF[1]:     00000014(j)  
        00000020 a1 01 00 0a     lhz        r8,local_6(r1)
        00000024 39 08 ff ff     subi       r8,r8,0x1
        00000028 55 09 04 3e     rlwinm     r9,r8,0x0,0x10,0x1f
        0000002c 7c 04 48 40     cmplw      r4,r9
        00000030 b1 01 00 0a     sth        r8,local_6(r1)
        00000034 40 81 00 08     ble        LAB_0000003c
        00000038 7d 24 4b 78     or         r4,r9,r9
                             LAB_0000003c                                    XREF[1]:     00000034(j)  
        0000003c 48 00 ff c5     bl         SUB_00010000
        00000040 80 01 00 14     lwz        r0,local_res4(r1)
        00000044 7c 08 03 a6     mtspr      LR,r0
        00000048 38 21 00 10     addi       r1,r1,0x10
        0000004c 4e 80 00 20     blr

This was simplified from a more complex function, but the original function was definitely using addic. with r1 (the stack pointer) and skipping over dereferencing it if the address would be null. I don't know why it was doing that, as if the stack pointer were null other bad things would happen (including earlier code breaking). But getting register0x00000004 in the output seems odd.

[mumbel]

This looks like just plain buggy assembly and I not seeing anything to point at an incorrect addic. at all.

This decompile looks basically how I'd think it would look for the weird way its using r1 (It simplifies the stwu r1, -0x10(r1) and addic. r0, r1, 0xa into 0x6). Like you said it checks an address in the stack frame for NULL, which isn't going happen (also ignoring it would make r1 unaligned if the NULL check were true). The calling convention has r1 (register0x00000004) as a global register which is why it gets printed like that. You could edit the stack frame and manually put stuff there maybe or set the r1 register at entry to be any valid value (ie not 6).

[Pokechu22]

Yeah, after looking at this, I think this is just a badly-behaving compiler, and not Ghidra's fault. I found this monstrosity (in a different program for which I have symbols, but from the same compiler (maybe an earlier version of it)):

/* __thiscall JPADrawVisitorContainer::~JPADrawVisitorContainer(void) */

void __thiscall JPADrawVisitorContainer::~JPADrawVisitorContainer(JPADrawVisitorContainer *this)

{
  short in_r4;
  
  if (this != (JPADrawVisitorContainer *)0x0) {
    if (this != (JPADrawVisitorContainer *)&DAT_fffffec8) {
      *(undefined1 **)(this + 0x138) = &JPADrawCalcChildScaleOut::__vt;
      if (this != (JPADrawVisitorContainer *)&DAT_fffffec8) {
        *(undefined1 **)(this + 0x138) = &JPADrawCalcParticleVisitor::__vt;
      }
    }
    if (this != (JPADrawVisitorContainer *)&DAT_fffffecc) {
      *(undefined1 **)(this + 0x134) = &JPADrawCalcChildAlphaOut::__vt;
      if (this != (JPADrawVisitorContainer *)&DAT_fffffecc) {
        *(undefined1 **)(this + 0x134) = &JPADrawCalcParticleVisitor::__vt;
      }
    }
    if (this != (JPADrawVisitorContainer *)&DAT_fffffed4) {
      *(undefined1 **)(this + 300) = &JPADrawCalcTextureAnmIndexRandom::__vt;
      *(undefined **)(this + 0x130) = &DAT_803e407c;
      if (this != (JPADrawVisitorContainer *)&DAT_fffffed0) {
        *(undefined1 **)(this + 0x130) = &JPADrawCalcParticleVisitor::__vt;
      }
      if (this != (JPADrawVisitorContainer *)&DAT_fffffed4) {
        *(undefined1 **)(this + 300) = &JPADrawCalcEmitterVisitor::__vt;
      }
    }
    // ... continues like this for 400 more lines ...
    if (0 < in_r4) {
      JSystem::operator_delete(this);
    }
  }
  return;
}

I think the compiler must have chosen to be more aggressive about adding null checks, even when they don't make sense. Each of those checks is implemented using addic. (with the actual result of addic. ignored, and only the compare result being used), but that doesn't mean addic. itself is being handled wrong in Ghidra, just that the compiler likes using addic. for some reason.

I also got confused because there was also an addic. instruction that used 0x8 as the immediate value, which showed up as (undefined *)0x8 in the decompilation, so the other one using 0xa in the instruction and 0x6 in the decompilation made things more confusing. I thought that it might have been 0x10 being subtracted from the stack pointer, but I overlooked the stwu because it said local_10 instead of -0x10 (a mistake I've made before, but hopefully will stop making soon).

You could edit the stack frame and manually put stuff there maybe or set the r1 register at entry to be any valid value (ie not 6).

If you mean doing that by right-clicking and selecting "set register values", that sorta works, but it breaks local variables (instead it uses that address directly, which makes sense). "Eliminate unreachable code" also is needed to get rid of if (true) statements. I don't think this is a great workaround, but I don't think there really could be a better one either.

The calling convention has r1 (register0x00000004) as a global register which is why it gets printed like that.

Where is it marked as a global? In ppc_32_be.cspec I see it marked as the stack pointer and unaffected, but I don't think either of those mean global (I've seen unaff_r31 show up in some places).

[mumbel]

I just meant it reads from the register without being written to first or a passed in value from arguments. You're correct and I was to vague with "global" in this context. It is marked as "stackpointer", which i'd say somewhat equivalent in this regard.

[Pokechu22]

If I replace r1 with r31 in all places, it decompiles like this:

void FUN_00000000(int param_1,uint param_2)

{
  ushort uVar1;
  int unaff_r31;
  undefined4 in_LR;
  
  *(int *)(unaff_r31 + -0x10) = unaff_r31;
  *(undefined4 *)(unaff_r31 + 4) = in_LR;
  if ((int *)(unaff_r31 + -0x10) != (int *)0xfffffff6) {
    *(undefined2 *)(unaff_r31 + -6) = *(undefined2 *)(param_1 + 4);
  }
  uVar1 = *(short *)(unaff_r31 + -6) - 1;
  *(ushort *)(unaff_r31 + -6) = uVar1;
  if (uVar1 < param_2) {
    param_2 = (uint)uVar1;
  }
  func_0x00010000(param_1,param_2);
  return;
}

And with r13 it looks like this:

void FUN_00000000(int param_1,uint param_2)

{
  ushort uVar1;
  int in_r13;
  undefined4 in_LR;
  
  *(int *)(in_r13 + -0x10) = in_r13;
  *(undefined4 *)(in_r13 + 4) = in_LR;
  if ((int *)(in_r13 + -0x10) != (int *)0xfffffff6) {
    *(undefined2 *)(in_r13 + -6) = *(undefined2 *)(param_1 + 4);
  }
  uVar1 = *(short *)(in_r13 + -6) - 1;
  *(ushort *)(in_r13 + -6) = uVar1;
  if (uVar1 < param_2) {
    param_2 = (uint)uVar1;
  }
  func_0x00010000(param_1,param_2);
  return;
}

I think the only thing that's really bad (but also fixable) is the name being register0x00000004 - it's showing the address of the register within the register space, which is an implementation detail and really shouldn't be visible. It probably should be unaff_r1.

What's particularly odd is that ScopeInternal::buildVariableName doesn't generate the register name,

---

EDIT: I've reworded the issue to focus on the register0x00000004 versus unaff_r1 aspect.

[Pokechu22]

Here's a simplified test case: compare_all_regs.zip (Note that I explicitly set the signature for FUN_00000104 for the disassembly and decompilation; otherwise, the results look a bit weirder.)

Disassembly

                             //
                             // ram 
                             // ram:00000000-ram:00000107
                             //
                             **************************************************************
                             *                                                            *
                             *  FUNCTION                                                  *
                             **************************************************************
                             undefined FUN_00000000()
             undefined         r3:1           <RETURN>
                             FUN_00000000
        00000000 2c 00 00 00     cmpwi      r0,0x0
        00000004 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000008 2c 01 00 00     cmpwi      r1,0x0
        0000000c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000010 2c 02 00 00     cmpwi      r2,0x0
        00000014 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000018 2c 03 00 00     cmpwi      r3,0x0
        0000001c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000020 2c 04 00 00     cmpwi      r4,0x0
        00000024 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000028 2c 05 00 00     cmpwi      r5,0x0
        0000002c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000030 2c 06 00 00     cmpwi      r6,0x0
        00000034 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000038 2c 07 00 00     cmpwi      r7,0x0
        0000003c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000040 2c 08 00 00     cmpwi      r8,0x0
        00000044 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000048 2c 09 00 00     cmpwi      r9,0x0
        0000004c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000050 2c 0a 00 00     cmpwi      r10,0x0
        00000054 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000058 2c 0b 00 00     cmpwi      r11,0x0
        0000005c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000060 2c 0c 00 00     cmpwi      r12,0x0
        00000064 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000068 2c 0d 00 00     cmpwi      r13,0x0
        0000006c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000070 2c 0e 00 00     cmpwi      r14,0x0
        00000074 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000078 2c 0f 00 00     cmpwi      r15,0x0
        0000007c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000080 2c 10 00 00     cmpwi      r16,0x0
        00000084 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000088 2c 11 00 00     cmpwi      r17,0x0
        0000008c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000090 2c 12 00 00     cmpwi      r18,0x0
        00000094 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000098 2c 13 00 00     cmpwi      r19,0x0
        0000009c 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000a0 2c 14 00 00     cmpwi      r20,0x0
        000000a4 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000a8 2c 15 00 00     cmpwi      r21,0x0
        000000ac 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000b0 2c 16 00 00     cmpwi      r22,0x0
        000000b4 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000b8 2c 17 00 00     cmpwi      r23,0x0
        000000bc 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000c0 2c 18 00 00     cmpwi      r24,0x0
        000000c4 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000c8 2c 19 00 00     cmpwi      r25,0x0
        000000cc 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000d0 2c 1a 00 00     cmpwi      r26,0x0
        000000d4 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000d8 2c 1b 00 00     cmpwi      r27,0x0
        000000dc 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000e0 2c 1c 00 00     cmpwi      r28,0x0
        000000e4 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000e8 2c 1d 00 00     cmpwi      r29,0x0
        000000ec 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000f0 2c 1e 00 00     cmpwi      r30,0x0
        000000f4 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        000000f8 2c 1f 00 00     cmpwi      r31,0x0
        000000fc 40 82 01 07     bnela      FUN_00000104                                     void FUN_00000104(void)
        00000100 4e 80 00 20     blr
                             **************************************************************
                             *                                                            *
                             *  FUNCTION                                                  *
                             **************************************************************
                             void __stdcall FUN_00000104(void)
             void              <VOID>         <RETURN>
                             FUN_00000104                                    XREF[32]:    (edited out)
        00000104 4e 80 00 20     blr

Decompilation

void FUN_00000000(int param_1,int param_2,int param_3,int param_4,int param_5,int param_6,
                 int param_7,int param_8)

{
  int in_r0;
  int in_r2;
  int in_r11;
  int in_r12;
  int in_r13;
  int unaff_r14;
  int unaff_r15;
  int unaff_r16;
  int unaff_r17;
  int unaff_r18;
  int unaff_r19;
  int unaff_r20;
  int unaff_r21;
  int unaff_r22;
  int unaff_r23;
  int unaff_r24;
  int unaff_r25;
  int unaff_r26;
  int unaff_r27;
  int unaff_r28;
  int unaff_r29;
  int unaff_r30;
  int unaff_r31;
  
  if (in_r0 != 0) {
    FUN_00000104();
  }
  if ((undefined *)register0x00000004 != (undefined *)0x0) {
    FUN_00000104();
  }
  if (in_r2 != 0) {
    FUN_00000104();
  }
  if (param_1 != 0) {
    FUN_00000104();
  }
  if (param_2 != 0) {
    FUN_00000104();
  }
  if (param_3 != 0) {
    FUN_00000104();
  }
  if (param_4 != 0) {
    FUN_00000104();
  }
  if (param_5 != 0) {
    FUN_00000104();
  }
  if (param_6 != 0) {
    FUN_00000104();
  }
  if (param_7 != 0) {
    FUN_00000104();
  }
  if (param_8 != 0) {
    FUN_00000104();
  }
  if (in_r11 != 0) {
    FUN_00000104();
  }
  if (in_r12 != 0) {
    FUN_00000104();
  }
  if (in_r13 != 0) {
    FUN_00000104();
  }
  if (unaff_r14 != 0) {
    FUN_00000104();
  }
  if (unaff_r15 != 0) {
    FUN_00000104();
  }
  if (unaff_r16 != 0) {
    FUN_00000104();
  }
  if (unaff_r17 != 0) {
    FUN_00000104();
  }
  if (unaff_r18 != 0) {
    FUN_00000104();
  }
  if (unaff_r19 != 0) {
    FUN_00000104();
  }
  if (unaff_r20 != 0) {
    FUN_00000104();
  }
  if (unaff_r21 != 0) {
    FUN_00000104();
  }
  if (unaff_r22 != 0) {
    FUN_00000104();
  }
  if (unaff_r23 != 0) {
    FUN_00000104();
  }
  if (unaff_r24 != 0) {
    FUN_00000104();
  }
  if (unaff_r25 != 0) {
    FUN_00000104();
  }
  if (unaff_r26 != 0) {
    FUN_00000104();
  }
  if (unaff_r27 != 0) {
    FUN_00000104();
  }
  if (unaff_r28 != 0) {
    FUN_00000104();
  }
  if (unaff_r29 != 0) {
    FUN_00000104();
  }
  if (unaff_r30 != 0) {
    FUN_00000104();
  }
  if (unaff_r31 != 0) {
    FUN_00000104();
  }
  return;
}

Only r1 decompiles as register0x00000004 (and also, only r1 is assumed to be a pointer).

[Pokechu22]

This change:

diff --git a/Ghidra/Features/Decompiler/src/decompile/cpp/database.cc b/Ghidra/Features/Decompiler/src/decompile/cpp/database.cc
index c54843332..8684b8ae3 100644
--- a/Ghidra/Features/Decompiler/src/decompile/cpp/database.cc
+++ b/Ghidra/Features/Decompiler/src/decompile/cpp/database.cc
@@ -2382,6 +2382,9 @@ string ScopeInternal::buildVariableName(const Address &addr,
   ostringstream s;
   int4 sz = (ct == (Datatype *)0) ? 1 : ct->getSize();
 
+  if ((flags & Varnode::spacebase) != 0)
+    s << "spacebase_";
+
   if ((flags & Varnode::unaffected)!=0) {
     if ((flags & Varnode::return_address)!=0)
       s << "unaff_retaddr";
diff --git a/Ghidra/Features/Decompiler/src/decompile/cpp/variable.cc b/Ghidra/Features/Decompiler/src/decompile/cpp/variable.cc
index d4f25b44c..23e2ceba1 100644
--- a/Ghidra/Features/Decompiler/src/decompile/cpp/variable.cc
+++ b/Ghidra/Features/Decompiler/src/decompile/cpp/variable.cc
@@ -372,11 +372,6 @@ bool HighVariable::hasName(void) const
   if (isUnaffected()) {
     if (!isInput()) return false;
     if (indirectonly) return false;
-    Varnode *vn = getInputVarnode();
-    if (!vn->isIllegalInput()) { // A leftover unaff illegal input gets named
-      if (vn->isSpacebase())	// A legal input, unaff, gets named
-	return false;		// Unless it is the stackpointer
-    }
   }
   return true;
 }

fixes the decompilation, though it also indicates that this behavior is intended.

New decompilation

void FUN_00000000(int param_1,uint param_2)

{
  BADSPACEBASE *spacebase_unaff_r1;
  short local_6;
  
  if ((undefined *)spacebase_unaff_r1 != (undefined *)0x6) {
    local_6 = *(short *)(param_1 + 4);
  }
  if ((ushort)(local_6 - 1) < param_2) {
    param_2 = (uint)(ushort)(local_6 - 1);
  }
  func_0x00010000(param_1,param_2);
  return;
}

void FUN_00000000(int param_1,int param_2,int param_3,int param_4,int param_5,int param_6,
                 int param_7,int param_8)

{
  int in_r0;
  BADSPACEBASE *spacebase_unaff_r1;
  int in_r2;
  int in_r11;
  int in_r12;
  int in_r13;
  int unaff_r14;
  int unaff_r15;
  int unaff_r16;
  int unaff_r17;
  int unaff_r18;
  int unaff_r19;
  int unaff_r20;
  int unaff_r21;
  int unaff_r22;
  int unaff_r23;
  int unaff_r24;
  int unaff_r25;
  int unaff_r26;
  int unaff_r27;
  int unaff_r28;
  int unaff_r29;
  int unaff_r30;
  int unaff_r31;
  
  if (in_r0 != 0) {
    FUN_00000104();
  }
  if ((undefined *)spacebase_unaff_r1 != (undefined *)0x0) {
    FUN_00000104();
  }
  if (in_r2 != 0) {
    FUN_00000104();
  }
  if (param_1 != 0) {
    FUN_00000104();
  }
  if (param_2 != 0) {
    FUN_00000104();
  }
  if (param_3 != 0) {
    FUN_00000104();
  }
  if (param_4 != 0) {
    FUN_00000104();
  }
  if (param_5 != 0) {
    FUN_00000104();
  }
  if (param_6 != 0) {
    FUN_00000104();
  }
  if (param_7 != 0) {
    FUN_00000104();
  }
  if (param_8 != 0) {
    FUN_00000104();
  }
  if (in_r11 != 0) {
    FUN_00000104();
  }
  if (in_r12 != 0) {
    FUN_00000104();
  }
  if (in_r13 != 0) {
    FUN_00000104();
  }
  if (unaff_r14 != 0) {
    FUN_00000104();
  }
  if (unaff_r15 != 0) {
    FUN_00000104();
  }
  if (unaff_r16 != 0) {
    FUN_00000104();
  }
  if (unaff_r17 != 0) {
    FUN_00000104();
  }
  if (unaff_r18 != 0) {
    FUN_00000104();
  }
  if (unaff_r19 != 0) {
    FUN_00000104();
  }
  if (unaff_r20 != 0) {
    FUN_00000104();
  }
  if (unaff_r21 != 0) {
    FUN_00000104();
  }
  if (unaff_r22 != 0) {
    FUN_00000104();
  }
  if (unaff_r23 != 0) {
    FUN_00000104();
  }
  if (unaff_r24 != 0) {
    FUN_00000104();
  }
  if (unaff_r25 != 0) {
    FUN_00000104();
  }
  if (unaff_r26 != 0) {
    FUN_00000104();
  }
  if (unaff_r27 != 0) {
    FUN_00000104();
  }
  if (unaff_r28 != 0) {
    FUN_00000104();
  }
  if (unaff_r29 != 0) {
    FUN_00000104();
  }
  if (unaff_r30 != 0) {
    FUN_00000104();
  }
  if (unaff_r31 != 0) {
    FUN_00000104();
  }
  return;
}

It's worth noting that although this change adds a local variable (spacebase_unaff_r1), that variable cannot be renamed or have a type set in the local variable declarations. It is a ClangVariableToken, but getHighVariable, getVarnode, and getPcodeOp all return null, so findHighSymbolFromToken returns null. For the other variable declarations, getHighVariable doesn't return null (though the others do). This results in RenameLocalAction being disabled. On the other hand, the local variable can be renamed and retyped in the decompiled code itself (in the if ((undefined *)spacebase_unaff_r1 != (undefined *)0x0) line); all of those functions return non-null values in that case for some reason.

[Danil6969]

On Ghidra 10.3.3 from https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_10.3.3_build
By the way why do you think it should be unaff_r1? It is normally address of local, stack, return address or something else. Stack pointer isn't like general register remember. It is meant to be address of something.

[Pokechu22]

Ideally compilers wouldn't generate code like this at all, but we can't fix that :)

unaff_r1 seems reasonable to me because the value of the stack pointer register shouldn't be changed by a function call (in that when the function returns, unaff_r1 should be the same as it was before the function call, although the value will be different within the function itself).

[ryanmkurtz]

@Pokechu22 can we close this ticket?

[Danil6969]

This bug still occurs on SuperH4 when the stack pointer value is used directly to point to first stack parameter. Should I post bytes to reproduce?

[ryanmkurtz]

Sure, if this ticket's current goal is to address that issue then yes any additional info would be helpful. Thanks!

[Danil6969]

I finally was able to reproduce it. It looks like this but should use &stack0x00000000 or whatever is at that stack frame offset (it is parameter by original meaning) instead which also happens sometimes and sometimes not.

There is a file and I'll post detailed instructions on it as I cropped everything else except bytes to reproduce.
superh4.zip

[Danil6969]

First use SuperH4:LE:32:default. Go to 08077d5c and create function here. Set 08077e00 and 08077e02 mutability to constant. At 08077d5c set register value as: FPSCR_SZ = 0x0. Then open stack editor and create locals at offsets left from register0x0000003c with type int or void* (local1d4)