/src/capstonenext/arch/BPF/BPFInstPrinter.c

Source
/* Capstone Disassembly Engine */
/* BPF Backend by david942j <david942j@gmail.com>, 2019 */
/* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */
/* SPDX-License-Identifier: BSD-3 */

#include <capstone/platform.h>

#include "BPFConstants.h"
#include "BPFInstPrinter.h"
#include "BPFMapping.h"
#include "../../Mapping.h"

static cs_bpf_op *expand_bpf_operands(cs_bpf *bpf)
{
  assert(bpf->op_count < 3);
  return &bpf->operands[bpf->op_count++];
}

static void push_op_reg(cs_bpf *bpf, bpf_op_type val, uint8_t ac_mode)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_REG;
  op->reg = val;
  op->access = ac_mode;
}

static void push_op_imm(cs_bpf *bpf, uint64_t val, const bool is_signed)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_IMM;
  op->imm = val;
  op->is_signed = is_signed;
}

static void push_op_off(cs_bpf *bpf, uint32_t val, const bool is_signed)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_OFF;
  op->off = val;
  op->is_signed = is_signed;
}

static void push_op_mem(cs_bpf *bpf, bpf_reg reg, uint32_t val,
      const bool is_signed, const bool is_pkt)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_MEM;
  op->mem.base = reg;
  op->mem.disp = val;
  op->is_signed = is_signed;
  op->is_pkt = is_pkt;
}

static void push_op_mmem(cs_bpf *bpf, uint32_t val)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_MMEM;
  op->mmem = val;
}

static void push_op_msh(cs_bpf *bpf, uint32_t val)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_MSH;
  op->msh = val;
}

static void push_op_ext(cs_bpf *bpf, bpf_ext_type val)
{
  cs_bpf_op *op = expand_bpf_operands(bpf);

  op->type = BPF_OP_EXT;
  op->ext = val;
}

static void convert_operands(MCInst *MI, cs_bpf *bpf)
{
  unsigned opcode = MCInst_getOpcode(MI);
  unsigned mc_op_count = MCInst_getNumOperands(MI);
  MCOperand *op;
  MCOperand *op2;

  bpf->op_count = 0;
  if (BPF_CLASS(opcode) == BPF_CLASS_LD ||
      BPF_CLASS(opcode) == BPF_CLASS_LDX) {
    switch (BPF_MODE(opcode)) {
    case BPF_MODE_IMM:
      if (EBPF_MODE(MI->csh->mode)) {
        push_op_reg(bpf,
              MCOperand_getReg(
                MCInst_getOperand(MI, 0)),
              CS_AC_WRITE);
        push_op_imm(bpf,
              MCOperand_getImm(
                MCInst_getOperand(MI, 1)),
              false);
      } else {
        push_op_imm(bpf,
              MCOperand_getImm(
                MCInst_getOperand(MI, 0)),
              false);
      }
      break;
    case BPF_MODE_ABS:
      op = MCInst_getOperand(MI, 0);
      push_op_mem(bpf, BPF_REG_INVALID,
            (uint32_t)MCOperand_getImm(op),
            EBPF_MODE(MI->csh->mode), true);
      break;
    case BPF_MODE_IND:
      op = MCInst_getOperand(MI, 0);
      if (EBPF_MODE(MI->csh->mode))
        push_op_mem(bpf, MCOperand_getReg(op), 0x0,
              true, true);
      else {
        op2 = MCInst_getOperand(MI, 1);
        push_op_mem(bpf, MCOperand_getReg(op),
              (uint32_t)MCOperand_getImm(op2),
              false, true);
      }
      break;
    case BPF_MODE_MEM:
      if (EBPF_MODE(MI->csh->mode)) {
        /* ldx{w,h,b,dw} dst, [src+off] */
        push_op_reg(bpf,
              MCOperand_getReg(
                MCInst_getOperand(MI, 0)),
              CS_AC_WRITE);
        op = MCInst_getOperand(MI, 1);
        op2 = MCInst_getOperand(MI, 2);
        push_op_mem(bpf, MCOperand_getReg(op),
              (uint32_t)MCOperand_getImm(op2),
              true, false);
      } else {
        push_op_mmem(bpf,
               (uint32_t)MCOperand_getImm(
                 MCInst_getOperand(MI, 0)));
      }
      break;
    case BPF_MODE_LEN:
      push_op_ext(bpf, BPF_EXT_LEN);
      break;
    case BPF_MODE_MSH:
      op = MCInst_getOperand(MI, 0);
      push_op_msh(bpf, (uint32_t)MCOperand_getImm(op));
      break;
      /* case BPF_MODE_XADD: // not exists */
    }
    return;
  }
  if (BPF_CLASS(opcode) == BPF_CLASS_ST ||
      BPF_CLASS(opcode) == BPF_CLASS_STX) {
    if (!EBPF_MODE(MI->csh->mode)) {
      // cBPF has only one case - st* M[k]
      push_op_mmem(bpf, (uint32_t)MCOperand_getImm(
              MCInst_getOperand(MI, 0)));
      return;
    }
    /* eBPF has two cases:
     * - st [dst + off], src
     * - xadd [dst + off], src
     * they have same form of operands.
     */
    op = MCInst_getOperand(MI, 0);
    op2 = MCInst_getOperand(MI, 1);
    push_op_mem(bpf, MCOperand_getReg(op),
          (uint32_t)MCOperand_getImm(op2), true, false);

    op = MCInst_getOperand(MI, 2);
    if (MCOperand_isImm(op))
      push_op_imm(bpf, MCOperand_getImm(op), false);
    else if (MCOperand_isReg(op))
      push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
    return;
  }

  {
    const bool is_jmp32 = EBPF_MODE(MI->csh->mode) &&
              (BPF_CLASS(opcode) == BPF_CLASS_JMP32);
    if (BPF_CLASS(opcode) == BPF_CLASS_JMP || is_jmp32) {
      for (size_t i = 0; i < mc_op_count; i++) {
        op = MCInst_getOperand(MI, i);
        if (MCOperand_isImm(op)) {
          /* Decide if we're using IMM or OFF here (and if OFF, then signed or unsigned):
           *
           * 1. any jump/jump32 + signed off (not including exit/call and ja on jump32) // eBPF 
           * 2. exit/call/ja + k // eBPF
           * 3. ja + unsigned off // cBPF (cBPF programs can only jump forwards) 
           * 4. any jump {x,k}, +jt, +jf // cBPF 
           * */

          if ((BPF_OP(opcode) == BPF_JUMP_JA &&
               !is_jmp32) ||
              (!EBPF_MODE(MI->csh->mode) &&
               i >= 1) ||
              (EBPF_MODE(MI->csh->mode) &&
               i == 2))
            push_op_off(
              bpf,
              MCOperand_getImm(op),
              EBPF_MODE(
                MI->csh->mode));
          else
            push_op_imm(
              bpf,
              MCOperand_getImm(op),
              true);
        } else if (MCOperand_isReg(op)) {
          push_op_reg(bpf, MCOperand_getReg(op),
                CS_AC_READ);
        }
      }
      return;
    }
  }

  if (!EBPF_MODE(MI->csh->mode)) {
    /* In cBPF mode, all registers in operands are accessed as read */
    for (size_t i = 0; i < mc_op_count; i++) {
      op = MCInst_getOperand(MI, i);
      if (MCOperand_isImm(op))
        push_op_imm(bpf, MCOperand_getImm(op), false);
      else if (MCOperand_isReg(op))
        push_op_reg(bpf, MCOperand_getReg(op),
              CS_AC_READ);
    }
    return;
  }

  /* remain cases are: eBPF mode && ALU */
  /* if (BPF_CLASS(opcode) == BPF_CLASS_ALU || BPF_CLASS(opcode) == BPF_CLASS_ALU64) */

  /* We have three types:
   * 1. {l,b}e dst               // dst = byteswap(dst)
   * 2. neg dst                  // dst = -dst
   * 3. <op> dst, {src_reg, imm} // dst = dst <op> src
   * so we can simply check the number of operands,
   * exactly one operand means we are in case 1. and 2.,
   * otherwise in case 3.
   */
  if (mc_op_count == 1) {
    op = MCInst_getOperand(MI, 0);
    push_op_reg(bpf, MCOperand_getReg(op),
          CS_AC_READ | CS_AC_WRITE);
  } else { // if (mc_op_count == 2)
    op = MCInst_getOperand(MI, 0);
    push_op_reg(bpf, MCOperand_getReg(op),
          CS_AC_READ | CS_AC_WRITE);

    op = MCInst_getOperand(MI, 1);
    if (MCOperand_isImm(op))
      push_op_imm(bpf, MCOperand_getImm(op), false);
    else if (MCOperand_isReg(op))
      push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
  }
}

static void print_operand(MCInst *MI, struct SStream *O, const cs_bpf_op *op)
{
  switch (op->type) {
  case BPF_OP_INVALID:
    SStream_concat(O, "invalid");
    break;
  case BPF_OP_REG:
    SStream_concat(O, BPF_reg_name((csh)MI->csh, op->reg));
    break;
  case BPF_OP_IMM:
    if (op->is_signed)
      printInt32Hex(O, op->imm);
    else
      SStream_concat(O, "0x%" PRIx64, op->imm);
    break;
  case BPF_OP_OFF:
    if (op->is_signed)
      printInt16HexOffset(O, op->off);
    else
      SStream_concat(O, "+0x%" PRIx32, op->off);
    break;
  case BPF_OP_MEM:
    SStream_concat(O, "[");

    if (op->is_pkt && EBPF_MODE(MI->csh->mode)) {
      SStream_concat(O, "skb");

      if (op->mem.base != BPF_REG_INVALID)
        SStream_concat(O, "+%s",
                 BPF_reg_name((csh)MI->csh,
                  op->mem.base));
      else {
        if (op->is_signed)
          printInt32HexOffset(O, op->mem.disp);
        else
          SStream_concat(O, "+0x%" PRIx32,
                   op->mem.disp);
      }
    } else {
      if (op->mem.base != BPF_REG_INVALID)
        SStream_concat(O, BPF_reg_name((csh)MI->csh,
                     op->mem.base));
      if (op->mem.disp != 0) {
        if (op->mem.base != BPF_REG_INVALID) {
          // if operation is signed, then it always uses off, not k
          if (op->is_signed)
            printInt16HexOffset(
              O, op->mem.disp);
          else if (op->is_pkt)
            SStream_concat(O, "+0x%" PRIx32,
                     op->mem.disp);
          else
            SStream_concat(O, "+0x%" PRIx16,
                     op->mem.disp);
        } else
          SStream_concat(O, "0x%" PRIx32,
                   op->mem.disp);
      }

      if (op->mem.base == BPF_REG_INVALID &&
          op->mem.disp == 0)
        SStream_concat(O, "0x0");
    }

    SStream_concat(O, "]");
    break;
  case BPF_OP_MMEM:
    SStream_concat(O, "m[0x%x]", op->mmem);
    break;
  case BPF_OP_MSH:
    SStream_concat(O, "4*([0x%x]&0xf)", op->msh);
    break;
  case BPF_OP_EXT:
    switch (op->ext) {
    case BPF_EXT_LEN:
      SStream_concat(O, "#len");
      break;
    }
    break;
  }
}

/*
 * 1. human readable mnemonic
 * 2. set pubOpcode (BPF_INSN_*)
 * 3. set detail->bpf.operands
 * */
void BPF_printInst(MCInst *MI, struct SStream *O, void *PrinterInfo)
{
  cs_bpf bpf = { 0 };

  /* set pubOpcode as instruction id */
  SStream_concat(O, BPF_insn_name((csh)MI->csh, MCInst_getOpcodePub(MI)));
  convert_operands(MI, &bpf);
  for (size_t i = 0; i < bpf.op_count; i++) {
    if (i == 0)
      SStream_concat(O, "\t");
    else
      SStream_concat(O, ", ");
    print_operand(MI, O, &bpf.operands[i]);
  }

#ifndef CAPSTONE_DIET
  if (detail_is_set(MI)) {
    MI->flat_insn->detail->bpf = bpf;
  }
#endif
}

Coverage Report

Created: 2025-11-11 06:33

Line	Count	Source
1		/* Capstone Disassembly Engine */
2		/* BPF Backend by david942j <david942j@gmail.com>, 2019 */
3		/* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */
4		/* SPDX-License-Identifier: BSD-3 */
5
6		#include <capstone/platform.h>
7
8		#include "BPFConstants.h"
9		#include "BPFInstPrinter.h"
10		#include "BPFMapping.h"
11		#include "../../Mapping.h"
12
13		static cs_bpf_op expand_bpf_operands(cs_bpf bpf)
14	40.0k	{
15	40.0k	assert(bpf->op_count < 3);
16	40.0k	return &bpf->operands[bpf->op_count++];
17	40.0k	}
18
19		static void push_op_reg(cs_bpf *bpf, bpf_op_type val, uint8_t ac_mode)
20	21.5k	{
21	21.5k	cs_bpf_op *op = expand_bpf_operands(bpf);
22
23	21.5k	op->type = BPF_OP_REG;
24	21.5k	op->reg = val;
25	21.5k	op->access = ac_mode;
26	21.5k	}
27
28		static void push_op_imm(cs_bpf *bpf, uint64_t val, const bool is_signed)
29	17.9k	{
30	17.9k	cs_bpf_op *op = expand_bpf_operands(bpf);
31
32	17.9k	op->type = BPF_OP_IMM;
33	17.9k	op->imm = val;
34	17.9k	op->is_signed = is_signed;
35	17.9k	}
36
37		static void push_op_off(cs_bpf *bpf, uint32_t val, const bool is_signed)
38	9.80k	{
39	9.80k	cs_bpf_op *op = expand_bpf_operands(bpf);
40
41	9.80k	op->type = BPF_OP_OFF;
42	9.80k	op->off = val;
43	9.80k	op->is_signed = is_signed;
44	9.80k	}
45
46		static void push_op_mem(cs_bpf *bpf, bpf_reg reg, uint32_t val,
47		const bool is_signed, const bool is_pkt)
48	10.2k	{
49	10.2k	cs_bpf_op *op = expand_bpf_operands(bpf);
50
51	10.2k	op->type = BPF_OP_MEM;
52	10.2k	op->mem.base = reg;
53	10.2k	op->mem.disp = val;
54	10.2k	op->is_signed = is_signed;
55	10.2k	op->is_pkt = is_pkt;
56	10.2k	}
57
58		static void push_op_mmem(cs_bpf *bpf, uint32_t val)
59	1.03k	{
60	1.03k	cs_bpf_op *op = expand_bpf_operands(bpf);
61
62	1.03k	op->type = BPF_OP_MMEM;
63	1.03k	op->mmem = val;
64	1.03k	}
65
66		static void push_op_msh(cs_bpf *bpf, uint32_t val)
67	411	{
68	411	cs_bpf_op *op = expand_bpf_operands(bpf);
69
70	411	op->type = BPF_OP_MSH;
71	411	op->msh = val;
72	411	}
73
74		static void push_op_ext(cs_bpf *bpf, bpf_ext_type val)
75	506	{
76	506	cs_bpf_op *op = expand_bpf_operands(bpf);
77
78	506	op->type = BPF_OP_EXT;
79	506	op->ext = val;
80	506	}
81
82		static void convert_operands(MCInst MI, cs_bpf bpf)
83	22.7k	{
84	22.7k	unsigned opcode = MCInst_getOpcode(MI);
85	22.7k	unsigned mc_op_count = MCInst_getNumOperands(MI);
86	22.7k	MCOperand *op;
87	22.7k	MCOperand *op2;
88
89	22.7k	bpf->op_count = 0;
90	22.7k	if (BPF_CLASS(opcode) == BPF_CLASS_LD \|\|
91	18.2k	BPF_CLASS(opcode) == BPF_CLASS_LDX) {
92	6.12k	switch (BPF_MODE(opcode)) {
93	1.05k	case BPF_MODE_IMM:
94	1.05k	if (EBPF_MODE(MI->csh->mode)) {
95	245	push_op_reg(bpf,
96	245	MCOperand_getReg(
97	245	MCInst_getOperand(MI, 0)),
98	245	CS_AC_WRITE);
99	245	push_op_imm(bpf,
100	245	MCOperand_getImm(
101	245	MCInst_getOperand(MI, 1)),
102	245	false);
103	810	} else {
104	810	push_op_imm(bpf,
105	810	MCOperand_getImm(
106	810	MCInst_getOperand(MI, 0)),
107	810	false);
108	810	}
109	1.05k	break;
110	1.56k	case BPF_MODE_ABS:
111	1.56k	op = MCInst_getOperand(MI, 0);
112	1.56k	push_op_mem(bpf, BPF_REG_INVALID,
113	1.56k	(uint32_t)MCOperand_getImm(op),
114	1.56k	EBPF_MODE(MI->csh->mode), true);
115	1.56k	break;
116	1.52k	case BPF_MODE_IND:
117	1.52k	op = MCInst_getOperand(MI, 0);
118	1.52k	if (EBPF_MODE(MI->csh->mode))
119	974	push_op_mem(bpf, MCOperand_getReg(op), 0x0,
120	974	true, true);
121	550	else {
122	550	op2 = MCInst_getOperand(MI, 1);
123	550	push_op_mem(bpf, MCOperand_getReg(op),
124	550	(uint32_t)MCOperand_getImm(op2),
125	550	false, true);
126	550	}
127	1.52k	break;
128	1.52k	case BPF_MODE_MEM:
129	1.52k	if (EBPF_MODE(MI->csh->mode)) {
130		/* ldx{w,h,b,dw} dst, [src+off] */
131	1.28k	push_op_reg(bpf,
132	1.28k	MCOperand_getReg(
133	1.28k	MCInst_getOperand(MI, 0)),
134	1.28k	CS_AC_WRITE);
135	1.28k	op = MCInst_getOperand(MI, 1);
136	1.28k	op2 = MCInst_getOperand(MI, 2);
137	1.28k	push_op_mem(bpf, MCOperand_getReg(op),
138	1.28k	(uint32_t)MCOperand_getImm(op2),
139	1.28k	true, false);
140	1.28k	} else {
141	237	push_op_mmem(bpf,
142	237	(uint32_t)MCOperand_getImm(
143	237	MCInst_getOperand(MI, 0)));
144	237	}
145	1.52k	break;
146	240	case BPF_MODE_LEN:
147	240	push_op_ext(bpf, BPF_EXT_LEN);
148	240	break;
149	217	case BPF_MODE_MSH:
150	217	op = MCInst_getOperand(MI, 0);
151	217	push_op_msh(bpf, (uint32_t)MCOperand_getImm(op));
152	217	break;
153		/* case BPF_MODE_XADD: // not exists */
154	6.12k	}
155	6.12k	return;
156	6.12k	}
157	16.5k	if (BPF_CLASS(opcode) == BPF_CLASS_ST \|\|
158	15.3k	BPF_CLASS(opcode) == BPF_CLASS_STX) {
159	2.08k	if (!EBPF_MODE(MI->csh->mode)) {
160		// cBPF has only one case - st* M[k]
161	187	push_op_mmem(bpf, (uint32_t)MCOperand_getImm(
162	187	MCInst_getOperand(MI, 0)));
163	187	return;
164	187	}
165		/* eBPF has two cases:
166		* - st [dst + off], src
167		* - xadd [dst + off], src
168		* they have same form of operands.
169		*/
170	1.89k	op = MCInst_getOperand(MI, 0);
171	1.89k	op2 = MCInst_getOperand(MI, 1);
172	1.89k	push_op_mem(bpf, MCOperand_getReg(op),
173	1.89k	(uint32_t)MCOperand_getImm(op2), true, false);
174
175	1.89k	op = MCInst_getOperand(MI, 2);
176	1.89k	if (MCOperand_isImm(op))
177	1.18k	push_op_imm(bpf, MCOperand_getImm(op), false);
178	715	else if (MCOperand_isReg(op))
179	715	push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
180	1.89k	return;
181	2.08k	}
182
183	14.4k	{
184	14.4k	const bool is_jmp32 = EBPF_MODE(MI->csh->mode) &&
185	10.1k	(BPF_CLASS(opcode) == BPF_CLASS_JMP32);
186	14.4k	if (BPF_CLASS(opcode) == BPF_CLASS_JMP \|\| is_jmp32) {
187	25.0k	for (size_t i = 0; i < mc_op_count; i++) {
188	17.9k	op = MCInst_getOperand(MI, i);
189	17.9k	if (MCOperand_isImm(op)) {
190		/* Decide if we're using IMM or OFF here (and if OFF, then signed or unsigned):
191		*
192		* 1. any jump/jump32 + signed off (not including exit/call and ja on jump32) // eBPF
193		* 2. exit/call/ja + k // eBPF
194		* 3. ja + unsigned off // cBPF (cBPF programs can only jump forwards)
195		* 4. any jump {x,k}, +jt, +jf // cBPF
196		* */
197
198	12.4k	if ((BPF_OP(opcode) == BPF_JUMP_JA &&
199	895	!is_jmp32) \|\|
200	11.8k	(!EBPF_MODE(MI->csh->mode) &&
201	1.63k	i >= 1) \|\|
202	10.5k	(EBPF_MODE(MI->csh->mode) &&
203	10.2k	i == 2))
204	6.80k	push_op_off(
205	6.80k	bpf,
206	6.80k	MCOperand_getImm(op),
207	6.80k	EBPF_MODE(
208	6.80k	MI->csh->mode));
209	5.66k	else
210	5.66k	push_op_imm(
211	5.66k	bpf,
212	5.66k	MCOperand_getImm(op),
213	5.66k	true);
214	12.4k	} else if (MCOperand_isReg(op)) {
215	5.47k	push_op_reg(bpf, MCOperand_getReg(op),
216	5.47k	CS_AC_READ);
217	5.47k	}
218	17.9k	}
219	7.13k	return;
220	7.13k	}
221	14.4k	}
222
223	7.35k	if (!EBPF_MODE(MI->csh->mode)) {
224		/* In cBPF mode, all registers in operands are accessed as read */
225	6.45k	for (size_t i = 0; i < mc_op_count; i++) {
226	3.08k	op = MCInst_getOperand(MI, i);
227	3.08k	if (MCOperand_isImm(op))
228	1.49k	push_op_imm(bpf, MCOperand_getImm(op), false);
229	1.58k	else if (MCOperand_isReg(op))
230	1.58k	push_op_reg(bpf, MCOperand_getReg(op),
231	1.58k	CS_AC_READ);
232	3.08k	}
233	3.37k	return;
234	3.37k	}
235
236		/* remain cases are: eBPF mode && ALU */
237		/* if (BPF_CLASS(opcode) == BPF_CLASS_ALU \|\| BPF_CLASS(opcode) == BPF_CLASS_ALU64) */
238
239		/* We have three types:
240		* 1. {l,b}e dst // dst = byteswap(dst)
241		* 2. neg dst // dst = -dst
242		* 3. <op> dst, {src_reg, imm} // dst = dst <op> src
243		* so we can simply check the number of operands,
244		* exactly one operand means we are in case 1. and 2.,
245		* otherwise in case 3.
246		*/
247	3.98k	if (mc_op_count == 1) {
248	593	op = MCInst_getOperand(MI, 0);
249	593	push_op_reg(bpf, MCOperand_getReg(op),
250	593	CS_AC_READ \| CS_AC_WRITE);
251	3.39k	} else { // if (mc_op_count == 2)
252	3.39k	op = MCInst_getOperand(MI, 0);
253	3.39k	push_op_reg(bpf, MCOperand_getReg(op),
254	3.39k	CS_AC_READ \| CS_AC_WRITE);
255
256	3.39k	op = MCInst_getOperand(MI, 1);
257	3.39k	if (MCOperand_isImm(op))
258	3.07k	push_op_imm(bpf, MCOperand_getImm(op), false);
259	320	else if (MCOperand_isReg(op))
260	320	push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ);
261	3.39k	}
262	3.98k	}
263
264		static void print_operand(MCInst MI, struct SStream O, const cs_bpf_op *op)
265	40.0k	{
266	40.0k	switch (op->type) {
267	0	case BPF_OP_INVALID:
268	0	SStream_concat(O, "invalid");
269	0	break;
270	13.6k	case BPF_OP_REG:
271	13.6k	SStream_concat(O, BPF_reg_name((csh)MI->csh, op->reg));
272	13.6k	break;
273	12.4k	case BPF_OP_IMM:
274	12.4k	if (op->is_signed)
275	5.66k	printInt32Hex(O, op->imm);
276	6.79k	else
277	6.79k	SStream_concat(O, "0x%" PRIx64, op->imm);
278	12.4k	break;
279	6.80k	case BPF_OP_OFF:
280	6.80k	if (op->is_signed)
281	5.16k	printInt16HexOffset(O, op->off);
282	1.64k	else
283	1.64k	SStream_concat(O, "+0x%" PRIx32, op->off);
284	6.80k	break;
285	6.27k	case BPF_OP_MEM:
286	6.27k	SStream_concat(O, "[");
287
288	6.27k	if (op->is_pkt && EBPF_MODE(MI->csh->mode)) {
289	1.82k	SStream_concat(O, "skb");
290
291	1.82k	if (op->mem.base != BPF_REG_INVALID)
292	974	SStream_concat(O, "+%s",
293	974	BPF_reg_name((csh)MI->csh,
294	974	op->mem.base));
295	855	else {
296	855	if (op->is_signed)
297	855	printInt32HexOffset(O, op->mem.disp);
298	0	else
299	0	SStream_concat(O, "+0x%" PRIx32,
300	0	op->mem.disp);
301	855	}
302	4.44k	} else {
303	4.44k	if (op->mem.base != BPF_REG_INVALID)
304	3.73k	SStream_concat(O, BPF_reg_name((csh)MI->csh,
305	3.73k	op->mem.base));
306	4.44k	if (op->mem.disp != 0) {
307	4.21k	if (op->mem.base != BPF_REG_INVALID) {
308		// if operation is signed, then it always uses off, not k
309	3.65k	if (op->is_signed)
310	3.11k	printInt16HexOffset(
311	3.11k	O, op->mem.disp);
312	548	else if (op->is_pkt)
313	548	SStream_concat(O, "+0x%" PRIx32,
314	548	op->mem.disp);
315	0	else
316	0	SStream_concat(O, "+0x%" PRIx16,
317	0	op->mem.disp);
318	3.65k	} else
319	553	SStream_concat(O, "0x%" PRIx32,
320	553	op->mem.disp);
321	4.21k	}
322
323	4.44k	if (op->mem.base == BPF_REG_INVALID &&
324	712	op->mem.disp == 0)
325	159	SStream_concat(O, "0x0");
326	4.44k	}
327
328	6.27k	SStream_concat(O, "]");
329	6.27k	break;
330	424	case BPF_OP_MMEM:
331	424	SStream_concat(O, "m[0x%x]", op->mmem);
332	424	break;
333	217	case BPF_OP_MSH:
334	217	SStream_concat(O, "4*([0x%x]&0xf)", op->msh);
335	217	break;
336	240	case BPF_OP_EXT:
337	240	switch (op->ext) {
338	240	case BPF_EXT_LEN:
339	240	SStream_concat(O, "#len");
340	240	break;
341	240	}
342	240	break;
343	40.0k	}
344	40.0k	}
345
346		/*
347		* 1. human readable mnemonic
348		* 2. set pubOpcode (BPF_INSN_*)
349		* 3. set detail->bpf.operands
350		* */
351		void BPF_printInst(MCInst MI, struct SStream O, void *PrinterInfo)
352	36.9k	{
353	36.9k	cs_bpf bpf = { 0 };
354
355		/* set pubOpcode as instruction id */
356	36.9k	SStream_concat(O, BPF_insn_name((csh)MI->csh, MCInst_getOpcodePub(MI)));
357	36.9k	convert_operands(MI, &bpf);
358	98.4k	for (size_t i = 0; i < bpf.op_count; i++) {
359	61.4k	if (i == 0)
360	35.5k	SStream_concat(O, "\t");
361	25.9k	else
362	25.9k	SStream_concat(O, ", ");
363	61.4k	print_operand(MI, O, &bpf.operands[i]);
364	61.4k	}
365
366	36.9k	#ifndef CAPSTONE_DIET
367	36.9k	if (detail_is_set(MI)) {
368	36.9k	MI->flat_insn->detail->bpf = bpf;
369	36.9k	}
370	36.9k	#endif
371	36.9k	}