Heads and tails

Ero Carrera in his eye-catching blog talks about multi-chunk function related shortcomings in IDA Pro:


This results in that, from the disassembler point of view, one has to allow for those chunks and also for those chunks to be assigned to an arbitrary number of “owning” or parent functions.


If you look at the IDA menus, you will not find a command to assign a tail chunk to several functions.

This is true, a command for that does not exist. However, IDA can take into account
that a chunk belongs to several functions at once.
If the append_func_tail() function is called with an existing tail area,
then the tail will be assigned to the specified function. It will still retain its original
parent function. This way we can assign it to as many functions as we want. The original
parent function is considered to be the owner of the tail chunk. The owner function
has one special property: its stack frame is used to display the stack variables in the
tail. It is possible to change the owner at any time by calling the
set_tail_owner() function.

There is also a helper class to facilitate enumeration of the tail parents. It is called
func_parent_iterator_t and it can be used this way:

func_t *function_tail;
...
func_parent_iterator_t fpi(function_tail);
for ( bool ok=fpi.first(); ok; ok=fpi.next() )
{
  ea_t parent = fpi.parent();
  ...
}

IDA does not automatically assign a tail chunk to several functions.
When we implemented the multi-chunk support there were not many applications using
this optimization trick, but now it might be the time to consider this improvement.

This entry was posted in IDA Pro. Bookmark the permalink.

One Response to Heads and tails

  1. gera says:

    :-)
    The option is actually in the menus, and I have used it several times, although I just now tried it for the first time to assign several parents to the same chunk, and it worked:
    assuming the functions are defined, select a range of code and Edit->Functions->Append function tail…
    do it once, and do it twice :-)
    It will say, on top of the chunk something like:
    Function chunk for function firstfunction, additional parent on function secondfunction.