feat(r2ssa,r2dec): propagate semantic var hints into decompiler typing

Author: 0verflowme

crates/r2dec/src/types.rs

@@ -5,6 +5,7 @@
 
 use std::collections::{HashMap, HashSet};
 
+use r2il::{PointerHint, ScalarKind};
 use r2ssa::{SSAFunction, SSAOp, SSAVar};
 use r2types::{
     CTypeLike, Constraint, ConstraintSource, ExternalTypeDb, MemoryCapability, ResolvedSignature,
@@ -119,6 +120,7 @@ impl TypeInference {
         let deref_consumers = collect_deref_consumers(func, &defs);
         let mut struct_hints: HashMap<SSAVar, String> = HashMap::new();
 
+        self.emit_semantic_hint_constraints(func, &mut arena, &mut constraints);
         self.emit_inferred_constraints(
             func,
             &defs,
@@ -148,6 +150,65 @@ impl TypeInference {
         self.solved_types = Some(solved);
     }
 
+    fn emit_semantic_hint_constraints(
+        &self,
+        func: &SSAFunction,
+        arena: &mut TypeArena,
+        constraints: &mut Vec<Constraint>,
+    ) {
+        for var in collect_vars(func) {
+            if var.is_const() {
+                continue;
+            }
+            let Some(meta) = func.semantic_var_metadata(&var) else {
+                continue;
+            };
+
+            if let Some(pointer_hint) = meta.pointer_hint
+                && !matches!(pointer_hint, PointerHint::Unknown)
+            {
+                let pointee = self.integer_type_id(1, Signedness::Unknown, arena);
+                constraints.push(Constraint::SetType {
+                    var: var.clone(),
+                    ty: arena.ptr(pointee),
+                    source: ConstraintSource::External,
+                });
+                continue;
+            }
+
+            let Some(kind) = meta.scalar_kind else {
+                continue;
+            };
+            let Some(ty) = self.semantic_scalar_kind_type(kind, var.size, arena) else {
+                continue;
+            };
+            constraints.push(Constraint::SetType {
+                var: var.clone(),
+                ty,
+                source: ConstraintSource::External,
+            });
+        }
+    }
+
+    fn semantic_scalar_kind_type(
+        &self,
+        kind: ScalarKind,
+        size: u32,
+        arena: &mut TypeArena,
+    ) -> Option<TypeId> {
+        match kind {
+            ScalarKind::Bool => Some(arena.bool_ty()),
+            ScalarKind::Float if size > 0 => Some(arena.float(size.saturating_mul(8))),
+            ScalarKind::SignedInt => Some(self.integer_type_id(size, Signedness::Signed, arena)),
+            ScalarKind::UnsignedInt => {
+                Some(self.integer_type_id(size, Signedness::Unsigned, arena))
+            }
+            ScalarKind::Bitvector => Some(self.integer_type_id(size, Signedness::Unknown, arena)),
+            ScalarKind::Unknown => None,
+            ScalarKind::Float => None,
+        }
+    }
+
     fn emit_inferred_constraints(
         &self,
         func: &SSAFunction,
@@ -1370,7 +1431,9 @@ fn struct_name_from_type(arena: &TypeArena, ty: TypeId) -> Option<&str> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use r2il::{ArchSpec, R2ILBlock, R2ILOp, RegisterDef, SpaceId, Varnode};
+    use r2il::{
+        ArchSpec, PointerHint, R2ILBlock, R2ILOp, RegisterDef, SpaceId, Varnode, VarnodeMetadata,
+    };
     use r2types::Type;
 
     fn ssa_from_ops(ops: Vec<R2ILOp>, arch: Option<&ArchSpec>) -> SSAFunction {
@@ -1437,6 +1500,36 @@ mod tests {
         assert_eq!(parse_const_addr("RAX_1"), None);
     }
 
+    #[test]
+    fn test_semantic_pointer_hint_promotes_register_to_pointer_type() {
+        let mut hinted_src = Varnode::register(0x10, 8);
+        hinted_src.set_meta(VarnodeMetadata {
+            pointer_hint: Some(PointerHint::PointerLike),
+            ..Default::default()
+        });
+        let func = ssa_from_ops(
+            vec![R2ILOp::Copy {
+                dst: Varnode::unique(0x10, 8),
+                src: hinted_src,
+            }],
+            None,
+        );
+
+        let mut ti = TypeInference::new(64);
+        ti.infer_function(&func);
+
+        let arg = func
+            .used_vars()
+            .into_iter()
+            .find(|v| v.name == "reg:10" && v.version == 0)
+            .expect("expected source register SSA var");
+        let ty = ti.get_type(&arg);
+        assert!(
+            ty.is_pointer(),
+            "semantic pointer hint should yield pointer type, got {ty}"
+        );
+    }
+
     #[test]
     fn test_emit_inferred_constraints_copy_emits_equal() {
         let ti = TypeInference::new(64);

crates/r2ssa/src/function.rs

@@ -6,7 +6,7 @@
 
 use std::collections::HashMap;
 
-use r2il::{ArchSpec, R2ILBlock};
+use r2il::{ArchSpec, PointerHint, R2ILBlock, ScalarKind, StorageClass, Varnode, VarnodeMetadata};
 use serde::{Deserialize, Serialize};
 
 use crate::cfg::{CFG, CFGEdge};
@@ -39,6 +39,8 @@ pub struct SSAFunction {
     blocks: HashMap<u64, SSABlock>,
     /// Block addresses in reverse postorder.
     block_order: Vec<u64>,
+    /// Semantic metadata hints keyed by canonical SSA base variable name.
+    semantic_var_hints: HashMap<String, VarnodeMetadata>,
 }
 
 /// A basic block in SSA form.
@@ -99,6 +101,133 @@ pub struct DefRef<'a> {
     pub site: DefSite,
 }
 
+fn pointer_hint_rank(hint: PointerHint) -> u8 {
+    match hint {
+        PointerHint::Unknown => 0,
+        PointerHint::PointerLike => 1,
+        PointerHint::CodePointer => 2,
+    }
+}
+
+fn scalar_kind_rank(kind: ScalarKind) -> u8 {
+    match kind {
+        ScalarKind::Unknown => 0,
+        ScalarKind::Bitvector => 1,
+        ScalarKind::Bool | ScalarKind::SignedInt | ScalarKind::UnsignedInt | ScalarKind::Float => 2,
+    }
+}
+
+fn storage_class_rank(class: StorageClass) -> u8 {
+    match class {
+        StorageClass::Unknown => 0,
+        StorageClass::Register => 1,
+        StorageClass::Stack
+        | StorageClass::Heap
+        | StorageClass::Global
+        | StorageClass::ThreadLocal
+        | StorageClass::ConstData
+        | StorageClass::Volatile => 2,
+    }
+}
+
+fn merge_ranked_hint<T: Copy>(dst: &mut Option<T>, src: Option<T>, rank: impl Fn(T) -> u8) {
+    let Some(src_val) = src else {
+        return;
+    };
+    match *dst {
+        Some(dst_val) if rank(dst_val) >= rank(src_val) => {}
+        _ => *dst = Some(src_val),
+    }
+}
+
+fn merge_varnode_metadata(dst: &mut VarnodeMetadata, src: &VarnodeMetadata) {
+    merge_ranked_hint(
+        &mut dst.storage_class,
+        src.storage_class,
+        storage_class_rank,
+    );
+    merge_ranked_hint(&mut dst.pointer_hint, src.pointer_hint, pointer_hint_rank);
+    merge_ranked_hint(&mut dst.scalar_kind, src.scalar_kind, scalar_kind_rank);
+
+    if dst.float_encoding.is_none() {
+        dst.float_encoding = src.float_encoding;
+    }
+    if dst.endianness.is_none() {
+        dst.endianness = src.endianness;
+    }
+    if dst.permissions.is_none() {
+        dst.permissions = src.permissions;
+    }
+    if dst.valid_range.is_none() {
+        dst.valid_range = src.valid_range.clone();
+    }
+    if dst.bank_id.is_none() {
+        dst.bank_id = src.bank_id.clone();
+    }
+    if dst.segment_id.is_none() {
+        dst.segment_id = src.segment_id.clone();
+    }
+}
+
+fn normalized_varnode_metadata(meta: &VarnodeMetadata) -> Option<VarnodeMetadata> {
+    let mut out = meta.clone();
+    if matches!(out.storage_class, Some(StorageClass::Unknown)) {
+        out.storage_class = None;
+    }
+    if matches!(out.pointer_hint, Some(PointerHint::Unknown)) {
+        out.pointer_hint = None;
+    }
+    if matches!(out.scalar_kind, Some(ScalarKind::Unknown)) {
+        out.scalar_kind = None;
+    }
+
+    let has_hint = out.storage_class.is_some()
+        || out.pointer_hint.is_some()
+        || out.scalar_kind.is_some()
+        || out.float_encoding.is_some()
+        || out.endianness.is_some()
+        || out.permissions.is_some()
+        || out.valid_range.is_some()
+        || out.bank_id.is_some()
+        || out.segment_id.is_some();
+
+    has_hint.then_some(out)
+}
+
+fn collect_semantic_var_hints(
+    blocks: &[R2ILBlock],
+    reg_names: Option<&crate::naming::RegisterNameMap>,
+) -> HashMap<String, VarnodeMetadata> {
+    let mut hints: HashMap<String, VarnodeMetadata> = HashMap::new();
+
+    let mut collect_var = |vn: &Varnode| {
+        let Some(meta) = vn.meta.as_ref() else {
+            return;
+        };
+        let Some(meta) = normalized_varnode_metadata(meta) else {
+            return;
+        };
+        let key = crate::naming::varnode_to_name(vn, reg_names).to_ascii_lowercase();
+        hints
+            .entry(key)
+            .and_modify(|existing| merge_varnode_metadata(existing, &meta))
+            .or_insert(meta);
+    };
+
+    for block in blocks {
+        for op in &block.ops {
+            if let Some(dst) = op.output() {
+                collect_var(dst);
+            }
+            for src in op.inputs() {
+                collect_var(src);
+            }
+        }
+    }
+
+    hints
+}
+
 impl SSAFunction {
     /// Build an SSA function from a sequence of r2il blocks.
     pub fn from_blocks(blocks: &[R2ILBlock]) -> Option<Self> {
@@ -144,6 +273,7 @@ impl SSAFunction {
 
         let reg_names = arch.map(build_register_name_map);
         let reg_names_ref = reg_names.as_ref();
+        let semantic_var_hints = collect_semantic_var_hints(blocks, reg_names_ref);
 
         // Collect variable definitions and sizes
         let (defs, var_sizes) = collect_defs_from_cfg_with_names(&cfg, reg_names_ref);
@@ -203,6 +333,7 @@ impl SSAFunction {
             domtree,
             blocks: ssa_blocks,
             block_order: renamed.block_order,
+            semantic_var_hints,
         })
     }
 
@@ -244,6 +375,16 @@ impl SSAFunction {
         &self.block_order
     }
 
+    /// Look up semantic metadata hints for an SSA variable.
+    pub fn semantic_var_metadata(&self, var: &SSAVar) -> Option<&VarnodeMetadata> {
+        self.semantic_var_metadata_by_name(&var.name)
+    }
+
+    /// Look up semantic metadata hints by canonical SSA base variable name.
+    pub fn semantic_var_metadata_by_name(&self, name: &str) -> Option<&VarnodeMetadata> {
+        self.semantic_var_hints.get(&name.to_ascii_lowercase())
+    }
+
     /// Get the number of blocks.
     pub fn num_blocks(&self) -> usize {
         self.blocks.len()
@@ -629,7 +770,7 @@ impl SSABlock {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use r2il::{R2ILOp, SpaceId, Varnode};
+    use r2il::{PointerHint, R2ILOp, SpaceId, Varnode, VarnodeMetadata};
 
     fn make_const(val: u64, size: u32) -> Varnode {
         Varnode {
@@ -926,6 +1067,33 @@ mod tests {
         assert_eq!(func.idom(0x1008), Some(0x1000));
     }
 
+    #[test]
+    fn test_semantic_var_metadata_is_collected_from_source_blocks() {
+        let mut src = make_reg(0x10, 8);
+        src.set_meta(VarnodeMetadata {
+            pointer_hint: Some(PointerHint::PointerLike),
+            ..Default::default()
+        });
+
+        let blocks = vec![R2ILBlock {
+            addr: 0x1000,
+            size: 4,
+            ops: vec![R2ILOp::Copy {
+                dst: make_reg(0, 8),
+                src,
+            }],
+            switch_info: None,
+            op_metadata: Default::default(),
+        }];
+
+        let func = SSAFunction::from_blocks_raw_no_arch(&blocks).expect("raw SSA should build");
+        let meta = func
+            .semantic_var_metadata_by_name("reg:10")
+            .expect("expected semantic metadata for source register");
+
+        assert_eq!(meta.pointer_hint, Some(PointerHint::PointerLike));
+    }
+
     #[test]
     fn test_for_each_source_reports_phi_and_op_sites() {
         let blocks = vec![