00d655187a
Three small functions extracted from the v1.19 conservative blob with
ground-truth C and per-tool (Ghidra / retdec / decomp.me) docs:

  01_memset — byte memset, 28 B
  02_memcpy32 — word-aligned memcpy, 36 B
  03_magic_memset — magic check + tail-call to memset, 40 B
  04_train_phy_block — first real poll-site function (104 B, 26 insts),
    contains poll sites 12-15

Results in RESULTS.md:
- Ghidra: A on all four. Auto-decompile is close to final.
- retdec: A on #3, F on #1 and #2 (no register-arg inference on raw),
  C on #4 (mistakes & 0xF0000000 for < 0x10000000).

GRIND_LOG.md (in 04_train_phy_block/) records the matching-decomp
iteration: 116-byte candidate.c at -Os vs vendor 104 bytes = 89.7%
size match on first real iteration. Remaining gap is GCC's choice of
`cmp w, w_const; b.ls` over vendor's `tst w, #imm; b.eq` for the
mask tests.

gdb_debug/ holds a native-aarch64 GDB single-stepper for the three
benchmark functions — boltzmann smoke test passed (memset:
buf[10] 0x00→0xab).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
25 lines
837 B
C
/* Ground-truth C for FUN_00000aac @ blob offset 0xaac (28 bytes / 7 insts).
 *
 * Pattern: byte-wise memset with a simple counting loop.
 * Signature: void memset_byte(void *buf, uint8_t val, size_t len);
 *
 * AArch64 ABI: X0 = buf, W1 = val (low byte), X2 = len
 * Scratch: X3 = index i
 *
 * Notes the decompiler should ideally recover:
 * - This is unambiguously "memset" semantics; bonus points for naming it so.
 * - The loop structure is pre-test (cmp before body) — tools should emit
 * `while (i != len)` or `for (; i < len; ...)`.
 * - W1 is truncated to a byte by the STRB; decompiler should mark val as u8.
 */
#include <stddef.h>
#include <stdint.h>

void memset_byte(void *buf, uint8_t val, size_t len) {
    size_t i = 0;
    while (i != len) {
        ((uint8_t *)buf)[i] = val;
        i++;
    }
}
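Review bot: The header comment pins this function at 28 bytes / 7 insts but does not record which compiler and options reproduce that size from the C below it. A store loop of this shape (`((uint8_t *)buf)[i] = val; i++;`) is a candidate for GCC's loop-idiom recognition (-ftree-loop-distribute-patterns), which can replace the body with a call to memset and so would not match a 7-instruction leaf loop. Suggest adding the toolchain and flags to the comment, the way the commit message gives -Os for candidate.c in 04_train_phy_block, and stating whether -fno-tree-loop-distribute-patterns was needed. Separately, the commit message opens with "Three small functions" but lists four directories, and the results cover Ghidra and retdec only although decomp.me docs are mentioned; worth reconciling in the message or in RESULTS.md.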