/src/capstonenext/arch/BPF/BPFInstPrinter.c

Source (jump to first uncovered line)
/* Capstone Disassembly Engine */
/* BPF Backend by david942j <david942j@gmail.com>, 2019 */
/* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */
/* SPDX-License-Identifier: BSD-3 */

#include <capstone/platform.h>

#include "BPFConstants.h"
#include "BPFInstPrinter.h"
#include "BPFMapping.h"
#include "../../Mapping.h"

static cs_bpf_op *expand_bpf_operands(cs_bpf *bpf)
{
  assert(bpf->op_count < 3);
  return &bpf->operands[bpf->op_count++];
}

static void push_op_reg(cs_bpf *bpf, bpf_op_type val, uint8_t ac_mode)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_REG;
  op->reg = val;
  op->access = ac_mode;
}

static void push_op_imm(cs_bpf *bpf, uint64_t val, const bool is_signed)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_IMM;
  op->imm = val;
  op->is_signed = is_signed;
}

static void push_op_off(cs_bpf *bpf, uint32_t val, const bool is_signed)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_OFF;
  op->off = val;
  op->is_signed = is_signed;
}

static void push_op_mem(cs_bpf *bpf, bpf_reg reg, uint32_t val,
      const bool is_signed, const bool is_pkt)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_MEM;
  op->mem.base = reg;
  op->mem.disp = val;
  op->is_signed = is_signed;
  op->is_pkt = is_pkt;
}

static void push_op_mmem(cs_bpf *bpf, uint32_t val)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_MMEM;
  op->mmem = val;
}

static void push_op_msh(cs_bpf *bpf, uint32_t val)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_MSH;
  op->msh = val;
}

static void push_op_ext(cs_bpf *bpf, bpf_ext_type val)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_EXT;
  op->ext = val;
}

static void convert_operands(MCInst *MI, cs_bpf *bpf)
{
  unsigned opcode = MCInst_getOpcode(MI);
  unsigned mc_op_count = MCInst_getNumOperands(MI);
  MCOperand *op;
  MCOperand *op2;

  bpf->op_count = 0;
  if (BPF_CLASS(opcode) == BPF_CLASS_LD ||
      BPF_CLASS(opcode) == BPF_CLASS_LDX) {
    switch (BPF_MODE(opcode)) {
    case BPF_MODE_IMM:
      if (EBPF_MODE(MI->csh->mode)) {
        push_op_reg(bpf,
              MCOperand_getReg(
                MCInst_getOperand(MI, 0)),
              CS_AC_WRITE);
        push_op_imm(bpf,
              MCOperand_getImm(
                MCInst_getOperand(MI, 1)),
              false);
      } else {
        push_op_imm(bpf,
              MCOperand_getImm(
                MCInst_getOperand(MI, 0)),
              false);
      }
      break;
    case BPF_MODE_ABS:
      op = MCInst_getOperand(MI, 0);
      push_op_mem(bpf, BPF_REG_INVALID,
            (uint32_t)MCOperand_getImm(op), EBPF_MODE(MI->csh->mode), true);
      break;
    case BPF_MODE_IND:
      op = MCInst_getOperand(MI, 0);
      if (EBPF_MODE(MI->csh->mode))
        push_op_mem(bpf, MCOperand_getReg(op), 0x0,
              true, true);
      else {
        op2 = MCInst_getOperand(MI, 1);
        push_op_mem(bpf, MCOperand_getReg(op),
              (uint32_t)MCOperand_getImm(op2),
              false, true);
      }
      break;
    case BPF_MODE_MEM:
      if (EBPF_MODE(MI->csh->mode)) {
        /* ldx{w,h,b,dw} dst, [src+off] */
        push_op_reg(bpf,
              MCOperand_getReg(
                MCInst_getOperand(MI, 0)),
              CS_AC_WRITE);
        op = MCInst_getOperand(MI, 1);
        op2 = MCInst_getOperand(MI, 2);
        push_op_mem(bpf, MCOperand_getReg(op),
              (uint32_t)MCOperand_getImm(op2),
              true, false);
      } else {
        push_op_mmem(bpf,
               (uint32_t)MCOperand_getImm(
                 MCInst_getOperand(MI, 0)));
      }
      break;
    case BPF_MODE_LEN:
      push_op_ext(bpf, BPF_EXT_LEN);
      break;
    case BPF_MODE_MSH:
      op = MCInst_getOperand(MI, 0);
      push_op_msh(bpf, (uint32_t)MCOperand_getImm(op));
      break;
      /* case BPF_MODE_XADD: // not exists */
    }
    return;
  }
  if (BPF_CLASS(opcode) == BPF_CLASS_ST ||
      BPF_CLASS(opcode) == BPF_CLASS_STX) {
    if (!EBPF_MODE(MI->csh->mode)) {
      // cBPF has only one case - st* M[k]
      push_op_mmem(bpf, (uint32_t)MCOperand_getImm(
              MCInst_getOperand(MI, 0)));
      return;
    }
    /* eBPF has two cases:
     * - st [dst + off], src
     * - xadd [dst + off], src
     * they have same form of operands.
     */
    op = MCInst_getOperand(MI, 0);
    op2 = MCInst_getOperand(MI, 1);
    push_op_mem(bpf, MCOperand_getReg(op),
          (uint32_t)MCOperand_getImm(op2), true, false);

    op = MCInst_getOperand(MI, 2);
    if (MCOperand_isImm(op))
      push_op_imm(bpf, MCOperand_getImm(op), false);
    else if (MCOperand_isReg(op))
      push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
    return;
  }

  {
    const bool is_jmp32 = EBPF_MODE(MI->csh->mode) &&
              (BPF_CLASS(opcode) == BPF_CLASS_JMP32);
    if (BPF_CLASS(opcode) == BPF_CLASS_JMP || is_jmp32) {
      for (size_t i = 0; i < mc_op_count; i++) {
        op = MCInst_getOperand(MI, i);
        if (MCOperand_isImm(op)) {
          /* Decide if we're using IMM or OFF here (and if OFF, then signed or unsigned):
           *
           * 1. any jump/jump32 + signed off (not including exit/call and ja on jump32) // eBPF 
           * 2. exit/call/ja + k // eBPF
           * 3. ja + unsigned off // cBPF (cBPF programs can only jump forwards) 
           * 4. any jump {x,k}, +jt, +jf // cBPF 
           * */

          if ((BPF_OP(opcode) == BPF_JUMP_JA &&
               !is_jmp32) ||
              (!EBPF_MODE(MI->csh->mode) &&
               i >= 1) ||
              (EBPF_MODE(MI->csh->mode) &&
               i == 2))
            push_op_off(
              bpf,
              MCOperand_getImm(op),
              EBPF_MODE(
                MI->csh->mode));
          else
            push_op_imm(
              bpf,
              MCOperand_getImm(op),
              true);
        } else if (MCOperand_isReg(op)) {
          push_op_reg(bpf, MCOperand_getReg(op),
                CS_AC_READ);
        }
      }
      return;
    }
  }

  if (!EBPF_MODE(MI->csh->mode)) {
    /* In cBPF mode, all registers in operands are accessed as read */
    for (size_t i = 0; i < mc_op_count; i++) {
      op = MCInst_getOperand(MI, i);
      if (MCOperand_isImm(op))
        push_op_imm(bpf, MCOperand_getImm(op), false);
      else if (MCOperand_isReg(op))
        push_op_reg(bpf, MCOperand_getReg(op),
              CS_AC_READ);
    }
    return;
  }

  /* remain cases are: eBPF mode && ALU */
  /* if (BPF_CLASS(opcode) == BPF_CLASS_ALU || BPF_CLASS(opcode) == BPF_CLASS_ALU64) */

  /* We have three types:
   * 1. {l,b}e dst               // dst = byteswap(dst)
   * 2. neg dst                  // dst = -dst
   * 3. <op> dst, {src_reg, imm} // dst = dst <op> src
   * so we can simply check the number of operands,
   * exactly one operand means we are in case 1. and 2.,
   * otherwise in case 3.
   */
  if (mc_op_count == 1) {
    op = MCInst_getOperand(MI, 0);
    push_op_reg(bpf, MCOperand_getReg(op),
          CS_AC_READ | CS_AC_WRITE);
  } else { // if (mc_op_count == 2)
    op = MCInst_getOperand(MI, 0);
    push_op_reg(bpf, MCOperand_getReg(op),
          CS_AC_READ | CS_AC_WRITE);

    op = MCInst_getOperand(MI, 1);
    if (MCOperand_isImm(op))
      push_op_imm(bpf, MCOperand_getImm(op), false);
    else if (MCOperand_isReg(op))
      push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
  }
}

static void print_operand(MCInst *MI, struct SStream *O, const cs_bpf_op *op)
{
  switch (op->type) {
  case BPF_OP_INVALID:
    SStream_concat(O, "invalid");
    break;
  case BPF_OP_REG:
    SStream_concat(O, BPF_reg_name((csh)MI->csh, op->reg));
    break;
  case BPF_OP_IMM:
    if (op->is_signed)
      printInt32Hex(O, op->imm);
    else
      SStream_concat(O, "0x%" PRIx64, op->imm);
    break;
  case BPF_OP_OFF:
    if (op->is_signed)
      printInt16HexOffset(O, op->off);
    else
      SStream_concat(O, "+0x%" PRIx32, op->off);
    break;
  case BPF_OP_MEM:
    SStream_concat(O, "[");

    if (op->is_pkt && EBPF_MODE(MI->csh->mode)) {
      SStream_concat(O, "skb");

      if (op->mem.base != BPF_REG_INVALID)
        SStream_concat(O, "+%s",
                 BPF_reg_name((csh)MI->csh,
                  op->mem.base));
      else {
        if (op->is_signed)
          printInt32HexOffset(O, op->mem.disp);
        else
          SStream_concat(O, "+0x%" PRIx32,
                   op->mem.disp);
      }
    } else {
      if (op->mem.base != BPF_REG_INVALID)
        SStream_concat(O, BPF_reg_name((csh)MI->csh,
                     op->mem.base));
      if (op->mem.disp != 0) {
        if (op->mem.base != BPF_REG_INVALID) {
          // if operation is signed, then it always uses off, not k
          if (op->is_signed)
            printInt16HexOffset(
              O, op->mem.disp);
          else if (op->is_pkt)
            SStream_concat(O, "+0x%" PRIx32,
                     op->mem.disp);
          else
            SStream_concat(O, "+0x%" PRIx16,
                     op->mem.disp);
        } else
          SStream_concat(O, "0x%" PRIx32,
                   op->mem.disp);
      }

      if (op->mem.base == BPF_REG_INVALID &&
          op->mem.disp == 0)
        SStream_concat(O, "0x0");
    }

    SStream_concat(O, "]");
    break;
  case BPF_OP_MMEM:
    SStream_concat(O, "m[0x%x]", op->mmem);
    break;
  case BPF_OP_MSH:
    SStream_concat(O, "4*([0x%x]&0xf)", op->msh);
    break;
  case BPF_OP_EXT:
    switch (op->ext) {
    case BPF_EXT_LEN:
      SStream_concat(O, "#len");
      break;
    }
    break;
  }
}

/*
 * 1. human readable mnemonic
 * 2. set pubOpcode (BPF_INSN_*)
 * 3. set detail->bpf.operands
 * */
void BPF_printInst(MCInst *MI, struct SStream *O, void *PrinterInfo)
{
  cs_bpf bpf = { 0 };

  /* set pubOpcode as instruction id */
  SStream_concat(O, BPF_insn_name((csh)MI->csh, MCInst_getOpcodePub(MI)));
  convert_operands(MI, &bpf);
  for (size_t i = 0; i < bpf.op_count; i++) {
    if (i == 0)
      SStream_concat(O, "\t");
    else
      SStream_concat(O, ", ");
    print_operand(MI, O, &bpf.operands[i]);
  }

#ifndef CAPSTONE_DIET
  if (detail_is_set(MI)) {
    MI->flat_insn->detail->bpf = bpf;
  }
#endif
}

Coverage Report

Created: 2025-07-04 06:11

Line	Count	Source (jump to first uncovered line)
1		/* Capstone Disassembly Engine */
2		/* BPF Backend by david942j <david942j@gmail.com>, 2019 */
3		/* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */
4		/* SPDX-License-Identifier: BSD-3 */
5
6		#include <capstone/platform.h>
7
8		#include "BPFConstants.h"
9		#include "BPFInstPrinter.h"
10		#include "BPFMapping.h"
11		#include "../../Mapping.h"
12
13		static cs_bpf_op expand_bpf_operands(cs_bpf bpf)
14	34.4k	{
15	34.4k	assert(bpf->op_count < 3);
16	34.4k	return &bpf->operands[bpf->op_count++];
17	34.4k	}
18
19		static void push_op_reg(cs_bpf *bpf, bpf_op_type val, uint8_t ac_mode)
20	19.4k	{
21	19.4k	cs_bpf_op *op = expand_bpf_operands(bpf);
22
23	19.4k	op->type = BPF_OP_REG;
24	19.4k	op->reg = val;
25	19.4k	op->access = ac_mode;
26	19.4k	}
27
28		static void push_op_imm(cs_bpf *bpf, uint64_t val, const bool is_signed)
29	15.6k	{
30	15.6k	cs_bpf_op *op = expand_bpf_operands(bpf);
31
32	15.6k	op->type = BPF_OP_IMM;
33	15.6k	op->imm = val;
34	15.6k	op->is_signed = is_signed;
35	15.6k	}
36
37		static void push_op_off(cs_bpf *bpf, uint32_t val, const bool is_signed)
38	9.25k	{
39	9.25k	cs_bpf_op *op = expand_bpf_operands(bpf);
40
41	9.25k	op->type = BPF_OP_OFF;
42	9.25k	op->off = val;
43	9.25k	op->is_signed = is_signed;
44	9.25k	}
45
46		static void push_op_mem(cs_bpf *bpf, bpf_reg reg, uint32_t val,
47		const bool is_signed, const bool is_pkt)
48	9.29k	{
49	9.29k	cs_bpf_op *op = expand_bpf_operands(bpf);
50
51	9.29k	op->type = BPF_OP_MEM;
52	9.29k	op->mem.base = reg;
53	9.29k	op->mem.disp = val;
54	9.29k	op->is_signed = is_signed;
55	9.29k	op->is_pkt = is_pkt;
56	9.29k	}
57
58		static void push_op_mmem(cs_bpf *bpf, uint32_t val)
59	550	{
60	550	cs_bpf_op *op = expand_bpf_operands(bpf);
61
62	550	op->type = BPF_OP_MMEM;
63	550	op->mmem = val;
64	550	}
65
66		static void push_op_msh(cs_bpf *bpf, uint32_t val)
67	596	{
68	596	cs_bpf_op *op = expand_bpf_operands(bpf);
69
70	596	op->type = BPF_OP_MSH;
71	596	op->msh = val;
72	596	}
73
74		static void push_op_ext(cs_bpf *bpf, bpf_ext_type val)
75	469	{
76	469	cs_bpf_op *op = expand_bpf_operands(bpf);
77
78	469	op->type = BPF_OP_EXT;
79	469	op->ext = val;
80	469	}
81
82		static void convert_operands(MCInst MI, cs_bpf bpf)
83	19.3k	{
84	19.3k	unsigned opcode = MCInst_getOpcode(MI);
85	19.3k	unsigned mc_op_count = MCInst_getNumOperands(MI);
86	19.3k	MCOperand *op;
87	19.3k	MCOperand *op2;
88
89	19.3k	bpf->op_count = 0;
90	19.3k	if (BPF_CLASS(opcode) == BPF_CLASS_LD \|\|
91	19.3k	BPF_CLASS(opcode) == BPF_CLASS_LDX) {
92	5.62k	switch (BPF_MODE(opcode)) {
93	579	case BPF_MODE_IMM:
94	579	if (EBPF_MODE(MI->csh->mode)) {
95	252	push_op_reg(bpf,
96	252	MCOperand_getReg(
97	252	MCInst_getOperand(MI, 0)),
98	252	CS_AC_WRITE);
99	252	push_op_imm(bpf,
100	252	MCOperand_getImm(
101	252	MCInst_getOperand(MI, 1)),
102	252	false);
103	327	} else {
104	327	push_op_imm(bpf,
105	327	MCOperand_getImm(
106	327	MCInst_getOperand(MI, 0)),
107	327	false);
108	327	}
109	579	break;
110	2.08k	case BPF_MODE_ABS:
111	2.08k	op = MCInst_getOperand(MI, 0);
112	2.08k	push_op_mem(bpf, BPF_REG_INVALID,
113	2.08k	(uint32_t)MCOperand_getImm(op), EBPF_MODE(MI->csh->mode), true);
114	2.08k	break;
115	778	case BPF_MODE_IND:
116	778	op = MCInst_getOperand(MI, 0);
117	778	if (EBPF_MODE(MI->csh->mode))
118	479	push_op_mem(bpf, MCOperand_getReg(op), 0x0,
119	479	true, true);
120	299	else {
121	299	op2 = MCInst_getOperand(MI, 1);
122	299	push_op_mem(bpf, MCOperand_getReg(op),
123	299	(uint32_t)MCOperand_getImm(op2),
124	299	false, true);
125	299	}
126	778	break;
127	1.51k	case BPF_MODE_MEM:
128	1.51k	if (EBPF_MODE(MI->csh->mode)) {
129		/* ldx{w,h,b,dw} dst, [src+off] */
130	1.25k	push_op_reg(bpf,
131	1.25k	MCOperand_getReg(
132	1.25k	MCInst_getOperand(MI, 0)),
133	1.25k	CS_AC_WRITE);
134	1.25k	op = MCInst_getOperand(MI, 1);
135	1.25k	op2 = MCInst_getOperand(MI, 2);
136	1.25k	push_op_mem(bpf, MCOperand_getReg(op),
137	1.25k	(uint32_t)MCOperand_getImm(op2),
138	1.25k	true, false);
139	1.25k	} else {
140	268	push_op_mmem(bpf,
141	268	(uint32_t)MCOperand_getImm(
142	268	MCInst_getOperand(MI, 0)));
143	268	}
144	1.51k	break;
145	209	case BPF_MODE_LEN:
146	209	push_op_ext(bpf, BPF_EXT_LEN);
147	209	break;
148	459	case BPF_MODE_MSH:
149	459	op = MCInst_getOperand(MI, 0);
150	459	push_op_msh(bpf, (uint32_t)MCOperand_getImm(op));
151	459	break;
152		/* case BPF_MODE_XADD: // not exists */
153	5.62k	}
154	5.62k	return;
155	5.62k	}
156	13.6k	if (BPF_CLASS(opcode) == BPF_CLASS_ST \|\|
157	13.6k	BPF_CLASS(opcode) == BPF_CLASS_STX) {
158	1.38k	if (!EBPF_MODE(MI->csh->mode)) {
159		// cBPF has only one case - st* M[k]
160	36	push_op_mmem(bpf, (uint32_t)MCOperand_getImm(
161	36	MCInst_getOperand(MI, 0)));
162	36	return;
163	36	}
164		/* eBPF has two cases:
165		* - st [dst + off], src
166		* - xadd [dst + off], src
167		* they have same form of operands.
168		*/
169	1.34k	op = MCInst_getOperand(MI, 0);
170	1.34k	op2 = MCInst_getOperand(MI, 1);
171	1.34k	push_op_mem(bpf, MCOperand_getReg(op),
172	1.34k	(uint32_t)MCOperand_getImm(op2), true, false);
173
174	1.34k	op = MCInst_getOperand(MI, 2);
175	1.34k	if (MCOperand_isImm(op))
176	605	push_op_imm(bpf, MCOperand_getImm(op), false);
177	739	else if (MCOperand_isReg(op))
178	739	push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
179	1.34k	return;
180	1.38k	}
181
182	12.3k	{
183	12.3k	const bool is_jmp32 = EBPF_MODE(MI->csh->mode) &&
184	12.3k	(BPF_CLASS(opcode) == BPF_CLASS_JMP32);
185	12.3k	if (BPF_CLASS(opcode) == BPF_CLASS_JMP \|\| is_jmp32) {
186	21.8k	for (size_t i = 0; i < mc_op_count; i++) {
187	15.9k	op = MCInst_getOperand(MI, i);
188	15.9k	if (MCOperand_isImm(op)) {
189		/* Decide if we're using IMM or OFF here (and if OFF, then signed or unsigned):
190		*
191		* 1. any jump/jump32 + signed off (not including exit/call and ja on jump32) // eBPF
192		* 2. exit/call/ja + k // eBPF
193		* 3. ja + unsigned off // cBPF (cBPF programs can only jump forwards)
194		* 4. any jump {x,k}, +jt, +jf // cBPF
195		* */
196
197	11.3k	if ((BPF_OP(opcode) == BPF_JUMP_JA &&
198	11.3k	!is_jmp32) \|\|
199	11.3k	(!EBPF_MODE(MI->csh->mode) &&
200	11.0k	i >= 1) \|\|
201	11.3k	(EBPF_MODE(MI->csh->mode) &&
202	9.34k	i == 2))
203	6.21k	push_op_off(
204	6.21k	bpf,
205	6.21k	MCOperand_getImm(op),
206	6.21k	EBPF_MODE(
207	6.21k	MI->csh->mode));
208	5.11k	else
209	5.11k	push_op_imm(
210	5.11k	bpf,
211	5.11k	MCOperand_getImm(op),
212	5.11k	true);
213	11.3k	} else if (MCOperand_isReg(op)) {
214	4.60k	push_op_reg(bpf, MCOperand_getReg(op),
215	4.60k	CS_AC_READ);
216	4.60k	}
217	15.9k	}
218	5.95k	return;
219	5.95k	}
220	12.3k	}
221
222	6.34k	if (!EBPF_MODE(MI->csh->mode)) {
223		/* In cBPF mode, all registers in operands are accessed as read */
224	5.69k	for (size_t i = 0; i < mc_op_count; i++) {
225	2.72k	op = MCInst_getOperand(MI, i);
226	2.72k	if (MCOperand_isImm(op))
227	953	push_op_imm(bpf, MCOperand_getImm(op), false);
228	1.76k	else if (MCOperand_isReg(op))
229	1.76k	push_op_reg(bpf, MCOperand_getReg(op),
230	1.76k	CS_AC_READ);
231	2.72k	}
232	2.97k	return;
233	2.97k	}
234
235		/* remain cases are: eBPF mode && ALU */
236		/* if (BPF_CLASS(opcode) == BPF_CLASS_ALU \|\| BPF_CLASS(opcode) == BPF_CLASS_ALU64) */
237
238		/* We have three types:
239		* 1. {l,b}e dst // dst = byteswap(dst)
240		* 2. neg dst // dst = -dst
241		* 3. <op> dst, {src_reg, imm} // dst = dst <op> src
242		* so we can simply check the number of operands,
243		* exactly one operand means we are in case 1. and 2.,
244		* otherwise in case 3.
245		*/
246	3.36k	if (mc_op_count == 1) {
247	808	op = MCInst_getOperand(MI, 0);
248	808	push_op_reg(bpf, MCOperand_getReg(op),
249	808	CS_AC_READ \| CS_AC_WRITE);
250	2.56k	} else { // if (mc_op_count == 2)
251	2.56k	op = MCInst_getOperand(MI, 0);
252	2.56k	push_op_reg(bpf, MCOperand_getReg(op),
253	2.56k	CS_AC_READ \| CS_AC_WRITE);
254
255	2.56k	op = MCInst_getOperand(MI, 1);
256	2.56k	if (MCOperand_isImm(op))
257	2.30k	push_op_imm(bpf, MCOperand_getImm(op), false);
258	259	else if (MCOperand_isReg(op))
259	259	push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
260	2.56k	}
261	3.36k	}
262
263		static void print_operand(MCInst MI, struct SStream O, const cs_bpf_op *op)
264	34.4k	{
265	34.4k	switch (op->type) {
266	0	case BPF_OP_INVALID:
267	0	SStream_concat(O, "invalid");
268	0	break;
269	12.2k	case BPF_OP_REG:
270	12.2k	SStream_concat(O, BPF_reg_name((csh)MI->csh, op->reg));
271	12.2k	break;
272	9.55k	case BPF_OP_IMM:
273	9.55k	if (op->is_signed)
274	5.11k	printInt32Hex(O, op->imm);
275	4.43k	else
276	4.43k	SStream_concat(O, "0x%" PRIx64, op->imm);
277	9.55k	break;
278	6.21k	case BPF_OP_OFF:
279	6.21k	if (op->is_signed)
280	4.40k	printInt16HexOffset(O, op->off);
281	1.80k	else
282	1.80k	SStream_concat(O, "+0x%" PRIx32, op->off);
283	6.21k	break;
284	5.45k	case BPF_OP_MEM:
285	5.45k	SStream_concat(O, "[");
286
287	5.45k	if (op->is_pkt && EBPF_MODE(MI->csh->mode)) {
288	2.10k	SStream_concat(O, "skb");
289
290	2.10k	if (op->mem.base != BPF_REG_INVALID)
291	479	SStream_concat(O, "+%s",
292	479	BPF_reg_name((csh)MI->csh,
293	479	op->mem.base));
294	1.62k	else {
295	1.62k	if (op->is_signed)
296	1.62k	printInt32HexOffset(O, op->mem.disp);
297	0	else
298	0	SStream_concat(O, "+0x%" PRIx32,
299	0	op->mem.disp);
300	1.62k	}
301	3.34k	} else {
302	3.34k	if (op->mem.base != BPF_REG_INVALID)
303	2.89k	SStream_concat(O, BPF_reg_name((csh)MI->csh,
304	2.89k	op->mem.base));
305	3.34k	if (op->mem.disp != 0) {
306	3.26k	if (op->mem.base != BPF_REG_INVALID) {
307		// if operation is signed, then it always uses off, not k
308	2.82k	if (op->is_signed)
309	2.52k	printInt16HexOffset(
310	2.52k	O, op->mem.disp);
311	298	else if (op->is_pkt)
312	298	SStream_concat(O, "+0x%" PRIx32,
313	298	op->mem.disp);
314	0	else
315	0	SStream_concat(O, "+0x%" PRIx16,
316	0	op->mem.disp);
317	2.82k	} else
318	434	SStream_concat(O, "0x%" PRIx32,
319	434	op->mem.disp);
320	3.26k	}
321
322	3.34k	if (op->mem.base == BPF_REG_INVALID &&
323	3.34k	op->mem.disp == 0)
324	20	SStream_concat(O, "0x0");
325	3.34k	}
326
327	5.45k	SStream_concat(O, "]");
328	5.45k	break;
329	304	case BPF_OP_MMEM:
330	304	SStream_concat(O, "m[0x%x]", op->mmem);
331	304	break;
332	459	case BPF_OP_MSH:
333	459	SStream_concat(O, "4*([0x%x]&0xf)", op->msh);
334	459	break;
335	209	case BPF_OP_EXT:
336	209	switch (op->ext) {
337	209	case BPF_EXT_LEN:
338	209	SStream_concat(O, "#len");
339	209	break;
340	209	}
341	209	break;
342	34.4k	}
343	34.4k	}
344
345		/*
346		* 1. human readable mnemonic
347		* 2. set pubOpcode (BPF_INSN_*)
348		* 3. set detail->bpf.operands
349		* */
350		void BPF_printInst(MCInst MI, struct SStream O, void *PrinterInfo)
351	32.5k	{
352	32.5k	cs_bpf bpf = { 0 };
353
354		/* set pubOpcode as instruction id */
355	32.5k	SStream_concat(O, BPF_insn_name((csh)MI->csh, MCInst_getOpcodePub(MI)));
356	32.5k	convert_operands(MI, &bpf);
357	87.8k	for (size_t i = 0; i < bpf.op_count; i++) {
358	55.3k	if (i == 0)
359	31.4k	SStream_concat(O, "\t");
360	23.8k	else
361	23.8k	SStream_concat(O, ", ");
362	55.3k	print_operand(MI, O, &bpf.operands[i]);
363	55.3k	}
364
365	32.5k	#ifndef CAPSTONE_DIET
366	32.5k	if (detail_is_set(MI)) {
367	32.5k	MI->flat_insn->detail->bpf = bpf;
368	32.5k	}
369	32.5k	#endif
370	32.5k	}