From d934e7aace392cab07375fe3b96cee094288b68e Mon Sep 17 00:00:00 2001
From: emteere <47253321+emteere@users.noreply.github.com>
Date: Fri, 29 Mar 2024 15:39:41 -0400
Subject: [PATCH 1/2] GP-4474 Add pattern to automatically set callfixup on
 blrl PIC related routine

---
 .../PowerPC/data/languages/ppc_32_be.cspec    |  1 +
 .../data/languages/ppc_32_e500_be.cspec       |  1 +
 .../data/languages/ppc_32_e500_le.cspec       |  1 +
 .../data/languages/ppc_32_e500mc_be.cspec     |  1 +
 .../data/languages/ppc_32_e500mc_le.cspec     |  1 +
 .../PowerPC/data/languages/ppc_32_le.cspec    |  1 +
 .../PowerPC/data/languages/ppc_64_32.cspec    |  1 +
 .../PowerPC/data/patterns/PPC_BE_patterns.xml |  5 ++
 .../cmd/function/CreateFunctionThunkTest.java | 52 +++++++++++++++++++
 9 files changed, 64 insertions(+)

diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_32_be.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_32_be.cspec
index ded16f678d..c855a0b582 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_32_be.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_32_be.cspec
@@ -116,6 +116,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_be.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_be.cspec
index 2703acccd2..69117dc2ef 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_be.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_be.cspec
@@ -72,6 +72,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_le.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_le.cspec
index d7f8752597..89498c121c 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_le.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500_le.cspec
@@ -71,6 +71,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_be.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_be.cspec
index a55a0b4f8c..c5b9eefcc2 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_be.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_be.cspec
@@ -70,6 +70,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_le.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_le.cspec
index 845fbb9e3f..f5fbbb7ae3 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_le.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_32_e500mc_le.cspec
@@ -70,6 +70,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_32_le.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_32_le.cspec
index 1e36de335d..655b4b1abd 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_32_le.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_32_le.cspec
@@ -116,6 +116,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/languages/ppc_64_32.cspec b/Ghidra/Processors/PowerPC/data/languages/ppc_64_32.cspec
index 109b980e35..d91f7d4bbf 100644
--- a/Ghidra/Processors/PowerPC/data/languages/ppc_64_32.cspec
+++ b/Ghidra/Processors/PowerPC/data/languages/ppc_64_32.cspec
@@ -119,6 +119,7 @@
   </default_proto>
 
   <callfixup name="get_pc_thunk_lr">
+    <target name="__get_pc_thunk_lr"/>
     <pcode>
       <body><![CDATA[
       LR = inst_dest + 4;
diff --git a/Ghidra/Processors/PowerPC/data/patterns/PPC_BE_patterns.xml b/Ghidra/Processors/PowerPC/data/patterns/PPC_BE_patterns.xml
index 2d640dbbbd..f17b4813ab 100644
--- a/Ghidra/Processors/PowerPC/data/patterns/PPC_BE_patterns.xml
+++ b/Ghidra/Processors/PowerPC/data/patterns/PPC_BE_patterns.xml
@@ -31,4 +31,9 @@
       <possiblefuncstart after="defined" /> <!-- must be something defined right before this -->
   </pattern>
   
+  <pattern> 
+      <data> 0x4e 0x80 0x00 0x21</data> <!-- blrl -->
+      <possiblefuncstart validcode="function" label="__get_pc_thunk_lr" /> <!-- must be a function here -->
+  </pattern>
+  
 </patternlist>
diff --git a/Ghidra/Test/IntegrationTest/src/test.slow/java/ghidra/app/cmd/function/CreateFunctionThunkTest.java b/Ghidra/Test/IntegrationTest/src/test.slow/java/ghidra/app/cmd/function/CreateFunctionThunkTest.java
index d5ae3a942c..d81677c609 100644
--- a/Ghidra/Test/IntegrationTest/src/test.slow/java/ghidra/app/cmd/function/CreateFunctionThunkTest.java
+++ b/Ghidra/Test/IntegrationTest/src/test.slow/java/ghidra/app/cmd/function/CreateFunctionThunkTest.java
@@ -29,6 +29,7 @@ import ghidra.program.model.address.AddressSet;
 import ghidra.program.model.data.DWordDataType;
 import ghidra.program.model.data.DataType;
 import ghidra.program.model.listing.*;
+import ghidra.program.model.symbol.Reference;
 import ghidra.program.model.symbol.SourceType;
 import ghidra.test.AbstractGhidraHeadedIntegrationTest;
 import ghidra.test.TestEnv;
@@ -208,4 +209,55 @@ public class CreateFunctionThunkTest extends AbstractGhidraHeadedIntegrationTest
 		assertEquals(true, isThunk.isThunk());
 		assertEquals("thunker", isThunk.getName());
 	}
+	
+	/**
+	 * Tests that the Function start analyzer will create a thunk given the thunk tag on a matching function
+	 * Tests that constant propagation creates a reference using the callfixup value in LR
+	 * 
+	 */
+	@Test
+	public void testPPCblrlThunk() throws Exception {
+
+		builder = new ProgramBuilder("thunk", ProgramBuilder._PPC_32);
+
+		/**
+         *  bl         __get_pc_thunk_lr
+         *  mfspr      r30,LR
+         *  lbz        r3,0x0(r30)
+         *  blr
+		 */
+		builder.setBytes("0x00002000", "42 80 00 31 7f c8 02 a6 88 1e 00 00 4e 80 00 20");
+		builder.disassemble("0x00002000", 27, true);
+
+		/**
+         *  blrl
+         *  lbz        r12,0x0(r10)
+         *  blr
+		 */
+		builder.setBytes("0x0002030", "4e 80 00 21 89 8a 00 00 4e 80 00 20");
+		builder.disassemble("0x0002030", 27, true);
+
+		builder.createFunction("0x0002000");
+		
+		builder.createFunction("0x0002030");
+
+		program = builder.getProgram();
+
+		analyze();
+		
+		
+		Instruction instruction = program.getListing().getInstructionAt(builder.addr(0x2008));
+		assertNotNull(instruction);
+		Reference[] referencesFrom = instruction.getReferencesFrom();
+		
+		// Thunk will set a value in LR that is not normal from the assumed return of a function
+		// used to calculate a constant reference
+		// TODO: There is a left-over BAD reference.  Need to clean references on re-analysis
+		assertEquals(0x2034L, referencesFrom[1].getToAddress().getOffset());
+		
+
+		Function thunker = program.getFunctionManager().getFunctionAt(builder.addr(0x0002030));
+		assertEquals("__get_pc_thunk_lr", thunker.getName());
+		assertEquals("get_pc_thunk_lr", thunker.getCallFixup());
+	}
 }

From 631056a5cc14293f3e2ec7ec9db10fa47f11f024 Mon Sep 17 00:00:00 2001
From: emteere <47253321+emteere@users.noreply.github.com>
Date: Mon, 15 Apr 2024 15:53:05 -0400
Subject: [PATCH 2/2] GP-4474 Added PPC LE patterns

---
 .../Processors/PowerPC/certification.manifest |  1 +
 .../PowerPC/data/patterns/PPC_LE_patterns.xml | 39 +++++++++++++++++++
 .../data/patterns/patternconstraints.xml      |  5 ++-
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 Ghidra/Processors/PowerPC/data/patterns/PPC_LE_patterns.xml

diff --git a/Ghidra/Processors/PowerPC/certification.manifest b/Ghidra/Processors/PowerPC/certification.manifest
index 7734824f8b..992387aed2 100644
--- a/Ghidra/Processors/PowerPC/certification.manifest
+++ b/Ghidra/Processors/PowerPC/certification.manifest
@@ -63,5 +63,6 @@ data/languages/vsx.sinc||GHIDRA||||END|
 data/manuals/PowerISA.idx||GHIDRA||||END|
 data/manuals/PowerPC.idx||GHIDRA||||END|
 data/patterns/PPC_BE_patterns.xml||GHIDRA||||END|
+data/patterns/PPC_LE_patterns.xml||GHIDRA||||END|
 data/patterns/patternconstraints.xml||GHIDRA||||END|
 data/ppc64-r2CallStubs.xml||GHIDRA||||END|
diff --git a/Ghidra/Processors/PowerPC/data/patterns/PPC_LE_patterns.xml b/Ghidra/Processors/PowerPC/data/patterns/PPC_LE_patterns.xml
new file mode 100644
index 0000000000..cdfb496d21
--- /dev/null
+++ b/Ghidra/Processors/PowerPC/data/patterns/PPC_LE_patterns.xml
@@ -0,0 +1,39 @@
+<patternlist>
+  <patternpairs totalbits="32" postbits="16">
+    <prepatterns>
+      <data>0x2000804e </data> <!-- BLR -->
+      <data>......00 0x.. 0x..  010010.. </data> <!-- B xxxxx -->
+    </prepatterns>
+    <postpatterns>
+      <data>.....000 11...... 00100001 10010100 </data>             <!-- STWU r1,xx(r1) -->
+      <data>0x780b2c7c   ........ ........ 0x21 0x38   0x00008191 </data> <!--  or r12,r1,r1; stw r12,0x0(r1) -->
+      <codeboundary />              <!-- it is at least code -->
+      <possiblefuncstart/>
+    </postpatterns>
+  </patternpairs>
+  <patternpairs totalbits="32" postbits="16">
+    <prepatterns>
+      <data> ......00 0x.. 0x.. 010010.. </data> <!-- B xxxxx -->
+    </prepatterns>
+    <postpatterns>
+     <data>.....000 11...... 00100001 10010100             10100110 00000010 ...01000 011111.. </data> <!-- STWU r1,xx(r1); MFSPR rx,lr -->
+     <data>.....000 11...... 00100001 10010100  0x........ 10100110 00000010 ...01000 011111.. </data> <!-- STWU r1,xx(r1); xxx_instr; MFSPR rx,lr -->
+     <data>.....000 11...... 00100001 10010100  0x........ 0x........ 10100110 00000010 ...01000 011111.. </data> <!-- STWU r1,xx(r1); xxx_instr; xxx_instr; MFSPR rx,lr -->
+     <data>0x780b2c7c  ........ ........  0x21 0x38   0x00008191 </data> <!--  or r12,r1,r1; stw r12,0x0(r1) -->
+     <codeboundary />              <!-- it is at least code -->
+     <possiblefuncstart/>
+    </postpatterns>
+  </patternpairs>
+  
+  <pattern> 
+      <data>.....000 11...... 00100001 10010100      10100110 00000010 ...01000 011111.. </data> <!-- STWU r1,xx(r1); MFSPR rx,lr -->
+      <codeboundary />
+      <possiblefuncstart after="defined" /> <!-- must be something defined right before this -->
+  </pattern>
+
+  <pattern> 
+      <data>0x21 0x00 0x80 0x4e</data> <!-- blrl -->
+      <possiblefuncstart validcode="function" label="__get_pc_thunk_lr" /> <!-- must be a function here -->
+  </pattern>
+  
+</patternlist>
diff --git a/Ghidra/Processors/PowerPC/data/patterns/patternconstraints.xml b/Ghidra/Processors/PowerPC/data/patterns/patternconstraints.xml
index eb73db5d34..70fd6c7667 100644
--- a/Ghidra/Processors/PowerPC/data/patterns/patternconstraints.xml
+++ b/Ghidra/Processors/PowerPC/data/patterns/patternconstraints.xml
@@ -2,4 +2,7 @@
   <language id="PowerPC:BE:*:*">
     <patternfile>PPC_BE_patterns.xml</patternfile>
   </language>
-</patternconstraints>
+  <language id="PowerPC:LE:*:*">
+    <patternfile>PPC_LE_patterns.xml</patternfile>
+  </language>
+</patternconstraints>
\ No newline at end of file