marfrit/rk3588-ddr-analysis
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e30127d056a3c2567cbbcd1a6ccdf964fbfb26c1
rk3588-ddr-analysis/benchmark/README.md
T
marfrit 00d655187a benchmark/: three-way RE-tool comparison + first real C-lift 
Three small functions extracted from the v1.19 conservative blob with
ground-truth C and per-tool (Ghidra / retdec / decomp.me) docs:
  01_memset        — byte memset, 28 B
  02_memcpy32      — word-aligned memcpy, 36 B
  03_magic_memset  — magic check + tail-call to memset, 40 B
  04_train_phy_block — first real poll-site function (104 B, 26 insts),
                       contains poll sites 12-15

Results in RESULTS.md:
  - Ghidra: A on all four. Auto-decompile is close to final.
  - retdec: A on #3, F on #1 and #2 (no register-arg inference on raw),
    C on #4 (mistakes & 0xF0000000 for < 0x10000000).

GRIND_LOG.md (in 04_train_phy_block/) records the matching-decomp
iteration: 116-byte candidate.c at -Os vs vendor 104 bytes = 89.7%
size match on first real iteration. Remaining gap is GCC's choice of
`cmp w, w_const; b.ls` over vendor's `tst w, #imm; b.eq` for the
mask tests.

gdb_debug/ holds a native-aarch64 GDB single-stepper for the three
benchmark functions — boltzmann smoke test passed (memset:
buf[10] 0x00→0xab).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 07:26:23 +02:00

37 lines
1.8 KiB
Markdown
Raw Blame History

# RE-tool benchmark — three functions from the RK3588 DDR blob
Three small, self-contained functions extracted from
`rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin`, each with canonical
ground-truth semantics so you can judge decompiler output against a
known answer.
| dir | blob offset | size | ground truth |
|-----|-------------|------|--------------|
| `01_memset/` | `0x0aac` | 28 B / 7 insts | `memset(void*, u8, size_t)` byte-wise |
| `02_memcpy32/` | `0x1200` | 36 B / 9 insts | `memcpy32(u32*, const u32*, size_t)` word-aligned |
| `03_magic_memset/` | `0x0da4` | 40 B / 9 insts | `if (*(u32*)0x1fe004 == 0x54410001) memset(0x1fe000, 0, 0x32c);` |
Each subdir contains:
- `func.bin` — raw little-endian AArch64 machine code
- `func.s` — objdump'd GNU asm, same absolute addresses as the blob
- `reference.c` — ground-truth C (our belief)
- `ghidra.md` — load-in-Ghidra recipe + expected output
- `decompme.md` — decomp.me scratch recipe (matching-decomp)
- `retdec.md` — retdec command line
- `retdec.c` — retdec's actual output (captured 2026-04-15)
**Summary of findings**: see [`RESULTS.md`](RESULTS.md). Short version:
- Ghidra got all three right with minor type-label cleanup needed.
- retdec failed on #1 and #2 (can't infer register-passed arguments on
raw binary), did well on #3 (the one with absolute-address refs).
- decomp.me is a matching-decomp comparator, not a decompiler — judged
on a different axis.
## Load address matters
All three functions are extracted as raw bytes starting at offset 0 in
their `func.bin`. When loading into Ghidra / retdec, set the base
address to the function's original blob offset (first column above),
otherwise branch targets and absolute-address refs in function #3 will
be off.
Reference in New Issue View Git Blame Copy Permalink