Xrefs to THUMB functions from data pointer don't appear

[raminri]

Version and Platform (required):

• Binary Ninja Version: 4.3.6844
• OS: Windows
• OS Version: 10
• CPU Architecture: x64

Bug Description:
When clicking on a function that has a pointer to it with the bottom bit set (indicating it is a THUMB function), the xref does not show up.

Steps To Reproduce:
I made this simple program for illustrating the issue:

#include <stdio.h>

void foo() {
  printf("foo\n");
}

void bar() {
  printf("bar\n");
}

void (*func_ptr)() = foo;

int main(int argc, const char* argv[]) {
  if (argc > 1)
    func_ptr = bar;
  func_ptr();
  return 0;
}

1. Open test from attached zip file
2. Go to func_ptr symbol and set the type to a pointer (I also think binja should be recognizing that this is a pointer automatically)
3. You should now see void* func_ptr = foo
4. Go to the foo function and click on the function name to see the xrefs, and see that there are 0 xrefs to the function

Expected Behavior:
I expect to see an xref to func_ptr from foo

Screenshots/Video Recording:
N/A

Binary:
test.zip

Additional Information:
I believe the issue is that the xref system is not accounting for the bottom bit being set in the function pointer, which causes the xref to be missing.

[xusheng6]

Hi, thx for the bug report! However, I am unable to reproduce it -- if I select the start of the foo function, there is 1 xref showing up as expected

[xusheng6]

Btw you might wish to test and see if the issue is already fixed on the latest dev

[raminri]

From your screenshot it seems like you are selecting the first 2 lines of the function rather than the function itself. I've noticed this makes the xref show up. My guess is this is probably because highlighting multiple lines causes xrefs to show up for a range of addresses, which includes the address that has LSB set.

If you select just the foo symbol, the xref won't show up.

Just foo symbol selected (no xref):

First 2 lines of function selected like your screenshot (xref shows up):

I updated to latest dev and retested to confirm this.

[xusheng6]

From your screenshot it seems like you are selecting the first 2 lines of the function rather than the function itself. I've noticed this makes the xref show up. My guess is this is probably because highlighting multiple lines causes xrefs to show up for a range of addresses, which includes the address that has LSB set.

If you select just the foo symbol, the xref won't show up.

Just foo symbol selected (no xref):

First 2 lines of function selected like your screenshot (xref shows up):

I updated to latest dev and retested to confirm this.

I see what you are saying. Interestingly, if I think the line of the function header, it actually shows up:

But if I select the address token 0x10424, it does not show up:

I am not super familiar with the thumb arch, I known there has been some similar issues in the past, and I will bring this up with the team