Add skip_cfa_ranges option to config.yml

This allows configuring the function analyzer to skip certain
problematic ranges in the program. Only for exceptional cases
that prevents analysis from finishing.

When using this feature, ensure that no `function` symbols
exist for the affected range in symbols.txt, otherwise CFA
will run for the defined functions, regardless of this setting.

Author: encounter

src/analysis/cfa.rs

@@ -11,14 +11,13 @@ use itertools::Itertools;
 use crate::{
     analysis::{
         executor::{ExecCbData, ExecCbResult, Executor},
-        skip_alignment,
         slices::{FunctionSlices, TailCallResult},
         vm::{BranchTarget, GprValue, StepResult, VM},
         RelocationTarget,
     },
     obj::{
-        ObjInfo, ObjSectionKind, ObjSymbol, ObjSymbolFlagSet, ObjSymbolFlags, ObjSymbolKind,
-        SectionIndex,
+        ObjInfo, ObjSection, ObjSectionKind, ObjSymbol, ObjSymbolFlagSet, ObjSymbolFlags,
+        ObjSymbolKind, SectionIndex,
     },
     util::config::create_auto_symbol_name,
 };
@@ -125,9 +124,21 @@ pub struct AnalyzerState {
     pub jump_tables: BTreeMap<SectionAddress, u32>,
     pub known_symbols: BTreeMap<SectionAddress, Vec<ObjSymbol>>,
     pub known_sections: BTreeMap<SectionIndex, String>,
+    pub skip_ranges: BTreeMap<SectionAddress, SectionAddress>,
 }
 
 impl AnalyzerState {
+    pub fn new(skip_ranges: BTreeMap<SectionAddress, SectionAddress>) -> Self {
+        Self {
+            sda_bases: None,
+            functions: BTreeMap::new(),
+            jump_tables: BTreeMap::new(),
+            known_symbols: BTreeMap::new(),
+            known_sections: BTreeMap::new(),
+            skip_ranges,
+        }
+    }
+
     pub fn apply(&self, obj: &mut ObjInfo) -> Result<()> {
         for (&section_index, section_name) in &self.known_sections {
             obj.sections[section_index].rename(section_name.clone())?;
@@ -371,12 +382,7 @@ impl AnalyzerState {
                 log::trace!("Finalizing {:#010X}", addr);
                 slices.finalize(obj, &self.functions)?;
                 for address in slices.function_references.iter().cloned() {
-                    // Only create functions for code sections
-                    // Some games use branches to data sections to prevent dead stripping (Mario Party)
-                    if matches!(obj.sections.get(address.section), Some(section) if section.kind == ObjSectionKind::Code)
-                    {
-                        self.functions.entry(address).or_default();
-                    }
+                    self.try_add_function(obj, address);
                 }
                 self.jump_tables.append(&mut slices.jump_table_references.clone());
                 let end = slices.end();
@@ -390,6 +396,25 @@ impl AnalyzerState {
         Ok(finalized_any)
     }
 
+    fn try_add_function(&mut self, obj: &ObjInfo, address: SectionAddress) {
+        // Only create functions for code sections
+        // Some games use branches to data sections to prevent dead stripping (Mario Party)
+        if !matches!(obj.sections.get(address.section), Some(section) if section.kind == ObjSectionKind::Code)
+            // Avoid creating functions in skipped ranges
+            || self.in_skipped_range(address)
+        {
+            return;
+        }
+        self.functions.entry(address).or_default();
+    }
+
+    fn in_skipped_range(&self, address: SectionAddress) -> bool {
+        match self.skip_ranges.range(..=address).next_back() {
+            Some((&start, &end)) => address >= start && address < end,
+            None => false,
+        }
+    }
+
     fn first_unbounded_function(&self) -> Option<SectionAddress> {
         self.functions.iter().find(|(_, info)| !info.is_analyzed()).map(|(&addr, _)| addr)
     }
@@ -414,12 +439,7 @@ impl AnalyzerState {
     pub fn process_function_at(&mut self, obj: &ObjInfo, addr: SectionAddress) -> Result<bool> {
         Ok(if let Some(mut slices) = self.process_function(obj, addr)? {
             for address in slices.function_references.iter().cloned() {
-                // Only create functions for code sections
-                // Some games use branches to data sections to prevent dead stripping (Mario Party)
-                if matches!(obj.sections.get(address.section), Some(section) if section.kind == ObjSectionKind::Code)
-                {
-                    self.functions.entry(address).or_default();
-                }
+                self.try_add_function(obj, address);
             }
             self.jump_tables.append(&mut slices.jump_table_references.clone());
             if slices.can_finalize() {
@@ -470,7 +490,7 @@ impl AnalyzerState {
                         if first_end > second {
                             bail!("Overlapping functions {}-{} -> {}", first, first_end, second);
                         }
-                        let addr = match skip_alignment(section, first_end, second) {
+                        let addr = match self.skip_alignment(section, first_end, second) {
                             Some(addr) => addr,
                             None => continue,
                         };
@@ -489,7 +509,7 @@ impl AnalyzerState {
                     (Some((last, last_info)), None) => {
                         let Some(last_end) = last_info.end else { continue };
                         if last_end < section_end {
-                            let addr = match skip_alignment(section, last_end, section_end) {
+                            let addr = match self.skip_alignment(section, last_end, section_end) {
                                 Some(addr) => addr,
                                 None => continue,
                             };
@@ -516,6 +536,33 @@ impl AnalyzerState {
         }
         Ok(found_new)
     }
+
+    fn skip_alignment(
+        &self,
+        section: &ObjSection,
+        mut addr: SectionAddress,
+        end: SectionAddress,
+    ) -> Option<SectionAddress> {
+        loop {
+            if let Some((&start, &end)) = self.skip_ranges.range(..=addr).next_back() {
+                if addr >= start && addr < end {
+                    addr = end;
+                }
+            };
+            if addr.address + 4 > end.address {
+                break None;
+            }
+            let data = match section.data_range(addr.address, addr.address + 4) {
+                Ok(data) => data,
+                Err(_) => return None,
+            };
+            if data == [0u8; 4] {
+                addr += 4;
+            } else {
+                break Some(addr);
+            }
+        }
+    }
 }
 
 /// Execute VM from entry point following branches and function calls

src/analysis/mod.rs

@@ -249,25 +249,3 @@ pub fn uniq_jump_table_entries(
         )?;
     Ok((BTreeSet::from_iter(entries.iter().cloned()), size))
 }
-
-pub fn skip_alignment(
-    section: &ObjSection,
-    mut addr: SectionAddress,
-    end: SectionAddress,
-) -> Option<SectionAddress> {
-    let mut data = match section.data_range(addr.address, end.address) {
-        Ok(data) => data,
-        Err(_) => return None,
-    };
-    loop {
-        if data.is_empty() {
-            break None;
-        }
-        if data[0..4] == [0u8; 4] {
-            addr += 4;
-            data = &data[4..];
-        } else {
-            break Some(addr);
-        }
-    }
-}

src/cmd/dol.rs

@@ -301,6 +301,8 @@ pub struct ModuleConfig {
     /// Process exception tables and zero out uninitialized data.
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub clean_extab: Option<bool>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub skip_cfa_ranges: Vec<SkipCfaRangeConfig>,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq)]
@@ -367,6 +369,16 @@ pub struct AddRelocationConfig {
     pub addend: i64,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq)]
+pub struct SkipCfaRangeConfig {
+    /// The start address of the range to skip.
+    /// Format: `section:address`, e.g. `.text:0x80001234`.
+    pub start: SectionAddressRef,
+    /// The end address of the range to skip.
+    /// Format: `section:address`, e.g. `.text:0x80001234`.
+    pub end: SectionAddressRef,
+}
+
 impl ModuleConfig {
     pub fn file_name(&self) -> &str { self.object.file_name().unwrap_or(self.object.as_str()) }
 
@@ -376,6 +388,19 @@ impl ModuleConfig {
     }
 
     pub fn name(&self) -> &str { self.name.as_deref().unwrap_or_else(|| self.file_prefix()) }
+
+    pub fn skip_cfa_ranges(
+        &self,
+        obj: &ObjInfo,
+    ) -> Result<BTreeMap<SectionAddress, SectionAddress>> {
+        let mut skip_cfa_ranges = BTreeMap::new();
+        for range in &self.skip_cfa_ranges {
+            let start = range.start.resolve(obj)?;
+            let end = range.end.resolve(obj)?;
+            skip_cfa_ranges.insert(start, end);
+        }
+        Ok(skip_cfa_ranges)
+    }
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone)]
@@ -916,7 +941,9 @@ fn load_analyze_dol(config: &ProjectConfig, object_base: &ObjectBase) -> Result<
         apply_signatures(&mut obj)?;
 
         if !config.quick_analysis {
-            let mut state = AnalyzerState::default();
+            let skip_ranges =
+                config.base.skip_cfa_ranges(&obj).context("Resolving skip CFA ranges")?;
+            let mut state = AnalyzerState::new(skip_ranges);
             debug!("Detecting function boundaries");
             FindSaveRestSleds::execute(&mut state, &obj)?;
             state.detect_functions(&obj)?;
@@ -1216,7 +1243,9 @@ fn load_analyze_rel(
     if !config.symbols_known {
         debug!("Analyzing module {}", module_obj.module_id);
         if !config.quick_analysis {
-            let mut state = AnalyzerState::default();
+            let skip_ranges =
+                module_config.skip_cfa_ranges(&module_obj).context("Resolving skip CFA ranges")?;
+            let mut state = AnalyzerState::new(skip_ranges);
             FindSaveRestSleds::execute(&mut state, &module_obj)?;
             state.detect_functions(&module_obj)?;
             FindRelCtorsDtors::execute(&mut state, &module_obj)?;