Missing `this` parameter for C++ methods with symbols

[SlidyBat]

Version and Platform (required):

• Binary Ninja Version: 5.1.7363-dev Personal (acd6c39c)
• OS: Mac
• OS Version: 14.6.1
• CPU Architecture: M1

Bug Description:
When analyzing any C++ binary that has symbols, it seems that binja tries to automatically set the function arguments based on this symbol information. However, it misses any hidden parameters, e.g. this or the return value pointer for functions that return an object.

Steps To Reproduce:

I made this small test program to demonstrate the issue:

#include <stdio.h>
#include <string.h>

class MyClass
{
public:
    void Init()
    {
        x = 1.0f;
        y = true;
        strcpy(z, "Hello");
    }

    void Print(const char* prefix)
    {
        printf("%s: x=%g y=%i z=%s\n", prefix, x, y, z);
    }

    MyClass Copy()
    {
        return *this;
    }
private:
    float x;
    bool y;
    char z[0x10];
};

int main(int argc, const char* argv[])
{
    MyClass a;
    a.Init();
    a.Print("a");

    MyClass b;
    b = a.Copy();
    b.Print("b");

    return 0;
}

Please provide all steps required to reproduce the behavior:

1. Compile the binary with symbols g++ test.cpp -o symbols_test and open in binja
2. Look at MyClass::Init and MyClass::Print methods and observe that they're missing the this argument
3. Look at MyClass::Copy method and observe that it is missing return value argument and this argument
4. Strip the binary strip symbols_test -o nosymbols_test and open in binja
5. Look at the same methods and see that they now have the correct number of arguments (1 for Init/Print, 2 for Copy)

Incorrect output screenshot:

Expected Behavior:

For thiscall methods, the implicit this parameter should be accounted for. For methods that return an object, a return value argument should also be accounted for.

For the example case above, this is what the manually fixed up output looks like:

Screenshots/Video Recording:
If applicable, please add screenshots/video recording here to help explain your problem.

Binary:

test.zip

Additional Information:
Please add any other context about the problem here.

[psifertex]

One temporary work-around is to disable extracting types from demangled symbols. We actually debated making this the default for 5.0 but due to some other complications were unable to make that change safely.

Additionally the following snippet may be useful (install the snippets plugin, run the example update script and restart and this snippet will be available)
https://gist.github.com/psifertex/6fbc7532f536775194edd26290892ef7#file-demangle_this-py

[psifertex]

Not quite a duplicate since #3216 is specifically about PE files but the end-result is exactly the same. Whatever solution we do for one we should do for the other.

[kiddo-pwn]

Hello, I'm also interested in this issue and hope it gets resolved soon! I'm working on enhancing @psifertex's snippet, and if anyone is interested, it would be great to move more:

I tried to enhance to automatically extract class names and create properly typed this parameters. For Foo::Bar::Baz() -> set Foo::Bar* this as first parameter:

# demangle this with proper naming and typing
#
# demangle all functions and add an extra "this" parameter with correct type

def search_types(name: str):
    for t in bv.types:
        if t[0] == name:
            return t[1]
    return None

for f in bv.functions:
    demangleResult = demangle_gnu3(bv.arch, f.symbol.raw_name)
    demangleType = demangleResult[0]
    demangleNameParts = demangleResult[1]
    
    if demangleType is not None:
        if isinstance(demangleType, FunctionType):
            returnType = demangleType.return_value

            # Extract class name for this pointer type
            class_name = "::".join(demangleNameParts[:-1])
            this_type = Type.pointer(bv.arch, Type.void())  # default fallback

            # Try to find existing type or create named type
            if not (class_type := search_types(class_name)):
                bv.define_user_type(class_name, Type.structure(members=[], type=StructureVariant.ClassStructureType))
                class_type = bv.types.get(class_name)
            this_type = Type.pointer(bv.arch, class_type)
            
            # Create new parameter list with named this pointer
            this_param = FunctionParameter(this_type, "this")
            newParams = [this_param] + demangleType.parameters
            
            newType = FunctionType.create(ret=returnType, params=newParams)
            f.type = newType
            print(f"Replaced {f} type with {newType}")

Current limitations:
Cannot distinguish between Classes and Non-Classes (namespaces, operators, etc.), so functions that don't have this get incorrect type inference.

Proposed improvements:

1. Check (for example) constructor existence and only apply demangle-this for actual classes that have constructors.
2. For other functions, fall back to using symbol information for type extraction.

Note that improvements-2 was already available through the analysis.extractTypesFromMangledNames option, so I'm curious if the Vector35 team has any ideas.

[kiddo-pwn]

I've created a version that implements#1 - checking for constructor existence and only applying demangle-this for classes that have constructors.

There are still many edge cases to handle (templates, operators, etc.), but I believe this approach would be faster than manually applying this types in the large binaries. If anyone has improvements, please let me know!

# demangle this with proper naming and typing
#
# demangle all functions and add an extra "this" parameter with correct type

def is_class_function(name: str, name_set:set) -> bool:
    # Check if the function name contains '::' indicating a class method
    if not '::' in name:
        return False
    parts = name.split('::')
    if len(parts) < 2:
        return False
    class_name = parts[-2]
    class_prefix = '::'.join(parts[:-1])  # Everything except the last part
    class_constructor = class_prefix + '::' + class_name

    # check if is class_constructor in the name_set
    return class_constructor in name_set

def search_types(name: str):
    for t in bv.types:
        if t[0] == name:
            return t[1]
    return None

demangledNames = set()
for f in bv.functions:
    demangleResult = demangle_gnu3(bv.arch, f.symbol.raw_name)
    demangleType = demangleResult[0]
    if demangleType is not None:
        if isinstance(demangleResult[0], FunctionType):
            demangleNameParts = demangleResult[1]
            demangledNames.add("::".join(demangleNameParts))

for f in bv.functions:
    demangleResult = demangle_gnu3(bv.arch, f.symbol.raw_name)
    demangleType = demangleResult[0]

    if demangleType is not None:
        if isinstance(demangleType, FunctionType):
            demangleNameParts = demangleResult[1]
            func_name = "::".join(demangleNameParts)
            if not is_class_function(func_name, demangledNames):
                continue

            # Extract class name for this pointer type
            class_name = "::".join(demangleNameParts[:-1])
            this_type = Type.pointer(bv.arch, Type.void())  # default fallback

            # Try to find existing type or create named type
            if not (class_type := search_types(class_name)):
                bv.define_user_type(class_name, Type.structure(members=[], type=StructureVariant.ClassStructureType))
                class_type = bv.types.get(class_name)
            this_type = Type.pointer(bv.arch, class_type)
            
            # Create new parameter list with named this pointer
            thisParam = FunctionParameter(this_type, "this")
            newParams = [thisParam] + demangleType.parameters
            
            returnType = demangleType.return_value
            newType = FunctionType.create(ret=returnType, params=newParams)
            f.type = newType
            print(f"Replaced {f} type with {newType}")

[psifertex]

I think we have plenty of examples, but here's another from nushy: express beacon creates highly