New Features
- Build. Ghidra now builds on 64-bit Linux ARM and macOS M1 platforms. (GP-1106, Issue #3197)
- Build. Native binaries for the current platform can now be built/rebuilt from within a release using the support/buildNatives(.bat) script. Please see the "Building Ghidra Native Components" section of the Installation Guide for additional information. (GP-1209, Issue #3387)
-- Data Types. Added encoding methods to DataType. (GP-1265)
+- Data Types. DataType API: Added
encodeValueandencodeRepresentationmethods which facilitate patching. (GP-1265)- Debugger. Added Memory view (raw bytes) to the Debugger. (GP-80)
-- Debugger. Added new agent for lldb on macOS and Linux. (GP-1005, Issue #2591, #2967)
+- Debugger. Added new agent for LLDB on macOS and Linux. (GP-1005, Issue #2591, #2967)
+- Debugger. Added Copy Into Current Program and Copy Into New Program actions to Debugger. (GP-1214)
+- Debugger. Added Compare action to Dynamic Listing to compare points in time. (GP-1222)
- Debugger. Added Events/Exceptions to Objects View. (GP-1288, Issue #3049)
- Debugger:Emulator. Added Emulate Program and Add Emulated Thread actions for loading a program into a purely emulated trace. (GP-660)
- Decompiler. Added support for
@@ -24,23 +26,29 @@else ifsyntax in Decompiler output. (GP-1172, Issue #1609)
Improvements
-
- Analysis. The ___chkstk_ms() function is now properly recognized and handled. (GP-1347, Issue #1888, #1889)
+- Analysis. The called
___chkstk_ms()function is now properly recognized and handled with a call fixup for windows x86-64. (GP-1347, Issue #1888, #1889)- Analysis. Added support for Objective-C small methods. (GP-1397, Issue #2719, #2732)
-- Analysis. Several memory usage issues with constant propagation for very large functions have been fixed. These fixes have also resulted in an average 10-20 percent time savings for constant propagation and stack analysis. (GP-1418, Issue #3508)
+- Analysis. Fixed several memory usage issues with constant propagation for very large functions, resulting in an average 10-20 percent time savings for constant propagation and stack analysis. (GP-1418, Issue #3508)
- API. Updated API methods of the DataTypeChooserDialog. (GP-1349, Issue #3140)
- Basic Infrastructure. Symbol performance in Ghidra was significantly improved. Specifically, new database indexes were created to improve finding primary symbols as well as improving lookups by combinations of name, namespace, and address. (GP-1082)
- Basic Infrastructure. Added optional columns in the Functions table for several boolean-valued function attributes. (GP-1393)
- Build. Extension builds can now declare jar dependencies from standard Gradle repositories such as Maven Central. (GP-1144, Issue #2219, #2226)
+- Build. Increased minimum supported Gradle version from 6.0 to 6.4. (GP-1521, Issue #3650)
- Data Types. Added support for zero-element arrays and zero-length components within structures and unions. Eliminated flex-array API methods and added/improved other Structure methods to handle multiple components which share the same offset. (GP-943)
- Data Types. Added the ability to set comments on enum values. (GP-1316, Issue #1680, #2421)
+- Data Types. Updated Windows and generic clib data type archives to take advantage of improved CParser including changes to handle sizeof() correctly. (GP-1551, Issue #615)
- Debugger. Respond to CLI-driven memory changes in dbgeng. (GP-853)
- Debugger. User can now override the Debugger's processor selection when manually activating the Record (R) action. (GP-1233)
- Debugger. User can now double-click in Listing margin to toggle breakpoints. (GP-1395)
- Debugger. Adjusted alignment of Description tag in Debugger's Connect dialog. (GP-1416)
- Debugger:Emulator. Added more accessor methods to PcodeThread, Machine, Executor, and similar classes. (GP-1223)
- Debugger:Emulator. Added more accessor methods to PairedCodeArithmetic, ExecutorState, ExecutorStatePiece, and similar classes. (GP-1224)
+- Debugger:Emulator. Emulator now responds better to memory and register edits. (GP-1486)
+- Debugger:Emulator. Registers window can now modify emulated register values. (GP-1530)
- Debugger:GDB. GDB manager handles
=cmd-param-changedevents. (GP-1330)- Debugger:GDB. Ported GDB's SSH connector to JSch. (GP-1387)
+- Debugger:LLDB. Improved build scripts for LLDB Java language bindings. (GP-1477)
+- Debugger:Memory. Added Force Full View override toggle to Debugger's Regions window. (GP-1447)
- Debugger:Stack. Fixed various
NullPointerExceptionsamong the Debugger Stack and Threads windows. (GP-1475)- Debugger:Trace. Trace API now supports Overlay spaces. (GP-484)
- Decompiler. Added the Rename Label Decompiler action to allow label name editing. (GP-1195, Issue #1751)
@@ -66,7 +74,7 @@- GUI. Added an option to group the XRef field in the Listing by function. (GP-1093, Issue #1305)
- GUI. Symbol tree has been changed to improve its behavior in the presence of large scale changes such as analysis, loading PDB, etc. It now will auto-close the label or function category if the internal organization becomes too much out of balance. This will also improve the analysis performance when the root category nodes are closed. (GP-1198)
- GUI. Improved composite interior selection of components with shared offset such as bit-fields. Previous behavior was forcing selection of multiple components. (GP-1261)
-- GUI. Fixed exception due to the Patch action incorrectly being added to the Function Graph context menu. (GP-1334, Issue #3288)
+- GUI. Fixed ClassCastException due to the Patch action incorrectly being added to the Function Graph context menu. (GP-1334, Issue #3288)
- GUI. Updated the Search Memory dialog to allow the user to enter a single wildcard character to search for any byte value. Previously, two consecutive wildcard characters were required. (GP-1358, Issue #3351)
- GUI. Updated auto-comments to show user-defined repeatable comments from the reference destination. (GP-1361, Issue #2475)
- GUI. Changed the Context column to allow for filtering of special characters in the results table of the Find Uses of action. (GP-1370, Issue #3473)
@@ -77,12 +85,13 @@- GUI. Updated the Comments Dialog to allow the Shift-Enter keystroke to insert a newline at the cursor position. (GP-1428, Issue #3548)
- GUI. Updated the Symbol Table to allow users to enter optional namespaces when editing a symbol name. (GP-1430)
- GUI. Fixed issue with shared actions across windows sometimes getting the wrong (non-focused) context. This was mostly related to windows with snapshot components. (GP-1440)
-- GUI. Fixed issue when attempting to rename a datatype that has the same name as a category in the same parent cateogory. The rename would attempt to rename the category instead of the datatype. (GP-1445)
+- GUI. Updated the Data Types context menu to include all actions when showing the menu from the keyboard via Shift-F10. (GP-1566, Issue #3678)
- Importer. Added support for new Mach-O load commands and file types. (GP-398, Issue #2487, #3572)
- Importer. Added method to Memory to find addresses where a specific byte from a loaded FileBytes object is used in memory. (GP-1166)
- Importer:Mach-O. The Mach-O loader now outputs a warning when it encounters encrypted sections. (GP-1406, Issue #1935)
-- Importer:PE. Added support for long section names (e.g., "/1234" as offset in the string table) in PE binaries. (GP-1177, Issue #1267)
-- Multi-User. Upgraded YAJSW to 13.01. Ghidra Server can now run with JDK 17. (GP-1266, Issue #3406)
+- Importer:Mach-O. Added support for the new iOS 15 and macOS Monterey dyld_shared_cache format. (GP-1524, Issue #3345, #3666)
+- Importer:PE. Added support for long section names (e.g., "/1234" indicates offset into string table where actual section name is found) in PE binaries. (GP-1177, Issue #1267)
+- Multi-User. Upgraded YAJSW to 13.01-beta. Ghidra Server can now run with JDK 17. (GP-1266, Issue #3406)
- PDB. Improved processing time on huge PDBs, especially when many labels are seen at the same address, such as with Identical COMDAT Folding. This change also allows some additional valid labels to be applied at these addresses. (GP-1298)
- Processors. Added pcodetests for ARM version 5, which does not support thumb mode. (GP-1078)
- Processors. Added 65C02 opcodes to the 6502 processor. (GP-1112, Issue #1261, #3170)
@@ -92,42 +101,55 @@- Processors. Updated x86 and AARCH64 processor manual index files. (GP-1234)
- Processors. Added
longModebit to x64 language spec for mixed 32-/64-bit use cases; e.g., WoW64. (GP-1255)- Processors. Made minor improvements to the RISC-V language module. (GP-1409)
+- Processors. Corrected
swapinstruction semantics for PIC-24,30,33 processors. (GP-1565, Issue #3670)- Scripting. Improved RecoverClassesFromRTTIScript to better define virtual function data definitions to be more generically used by all related class structures. (GP-1311, Issue #3417)
- Scripting. Added options to allow removal of replaced class structure data types when replaced with ones created by RecoverClassesFromRTTIScript. (GP-1315, Issue #3443)
- Scripting. Changed class structures created by RecoverClassesfromRTTI so that the vftable pointers are separated from the class data structures inside a derived class. This allows the derived class vftables structures to be accessed correctly by the Decompiler. (GP-1408)
- Sleigh. Modeled undocumented encoding of
+REPprefix for x86 instructions. (GP-1294, Issue #731)- Version Tracking. Updated Version Tracking to address multiple performance issues. (GP-1421, Issue #3221)
- Version Tracking. Slightly relaxed score thresholds for the reference correlator portions of auto version tracking to enable discovery of more high scoring matches. (GP-1448)
Bugs
-
- Analysis. Fixed a bug that would result in the COFF Header Annotation analyzer from running on PIC binaries when it was not intended to. (GP-1366, Issue #3386)
+- Analysis. Fixed a bug that would result in the COFF Header Annotation analyzer running on PIC binaries when it was not intended to. (GP-1366, Issue #3386)
- Analysis. The Objective-C analyzer no longer crashes when encountering categories with an implementation in an external binary. (GP-1413, Issue #3510)
- Analysis. Fixed a stack overflow in the Objective-C 2 Class analyzer. (GP-1420, Issue #2378)
+- Analysis. Fixed a bug with recovering Objective-C method names. (GP-1548, Issue #3611)
+- Analysis. Corrected a potential infinite loop in stack analysis and constant propagation due to recurring call-fixup injection to the same location. (GP-1554, Issue #3683)
+- Analysis. Fixed certain ELF exception records in ELF binaries marked as
DW_EH_PE_absptrthat are not relocated correctly when the binary is loaded in an alternate image base. (GP-1575)- API. Fixed issues related to moving memory blocks where the source and/or destination have pinned symbols. This could have resulted in addresses with symbols where no symbol is primary or having multiple symbols at an address that are primary. It could also have resulted in pinned symbols being moved from the destination to the source address range. (GP-1103)
- API. Fixed an issue with the SymbolManager method getClassNamespaces() where it was only returning class namespaces in the global namespace. (GP-1346)
+- API. Critical Ghidra 10.1-BETA Issue: Corrected external function bug introduced in Ghidra 10.1-BETA which caused new functions to not be marked as primary. This is a critical bug which could impact most programs imported with 10.1-BETA. Such imports should be re-imported with this fix in place. (GP-1525)
- C Parsing. Several issues parsing C header files have been fixed including ternary macro expression evaluation, #line preprocessor markup within functions and structures, far/near recognized as a keyword, and handling of __asm syntax. (GP-1335, Issue #1069, #1082, #2667, #464, #929)
- Debugger. Fixed program actions (Save, Close, Undo, etc.) to work properly in the Debugger. (GP-508)
- Debugger. Fixed issue getting registers on ARM targets with GDB where command exceeded 4096 characters. (GP-1356, Issue #3297, #3509)
- Debugger. Fixed several issues with the GDB connector's use existing session option. (GP-1365)
- Debugger. Fixed a NullPointerException from canceling a debug launch. (GP-1442)
- Debugger. Fixed Select Addresses button for Debugger Modules pane. (GP-1450)
-- Debugger. Fixed issue with duplicate selection actions in the debugger tool. (GP-1452)
+- Debugger. Fixed issue with duplicate selection actions in the Debugger tool. (GP-1452)
+- Debugger. Fixed a bug in emulation where read/write ranges include the max address. (GP-1493)
+- Debugger. Fixed exception behavior for toggled Continue/Handled options. (GP-1558, Issue #3049)
- Debugger:Emulator. Fixed Debugger integration and trace emulation for WoW64. (GP-1245)
+- Debugger:Emulator. Relaxed and corrected some logging of UNKNOWN/uninitialized values during emulation. (GP-1488)
+- Debugger:Emulator. Fixed several issues in Emulator with respect to Harvard architectures, memory-mapped registers, and word-addressable systems. (GP-1540)
- Debugger:GDB. Fixed issue with GDB/GADP hang in development mode. (GP-1360)
- Debugger:GDB. Fixed issue interrupting GDB targets launched without temporary breakpoint on main. (GP-1362)
- Debugger:GDB. Fixed issues parsing and displaying various types of GDB breakpoints. (GP-1364)
- Debugger:GDB. Fixed problem passing arguments to GDB in IN-VM and SSH modes. (GP-1368)
- Debugger:GDB. Fixed a NullPointerException when terminating GDB. Changed PtySession API to prevent future occurrence. (GP-1399, Issue #3487)
-- Debugger:Trace. Fixed ram not in this trace/language error. (GP-1411, Issue #3509)
+- Debugger:Listing. Fixed stack trace when switching to trace of a different processor language. (GP-1547)
+- Debugger:Trace. Fixed 'ram' not in this trace/language error. (GP-1411, Issue #3509)
- Decompiler. Fixed a corner case in the manipulation of integer ranges by the Decompiler. (GP-1243, Issue #3064)
- Decompiler. Fixed a bug in the Decompiler's renaming algorithm that could cause memory corruption in rare cases. (GP-1380, Issue #3429)
- Demangler. Fixed GNU Demangling bug encountered when Address Table types have spaces in the parent namespace name. (GP-1051)
+- DWARF. Fixed check for invalid function addresses. (GP-1573)
- Eclipse Integration. Fixed an exception in the GhidraDev Eclipse plugin that occurred when performing a Link Ghidra operation on projects that use a Gradle classpath container. (GP-1149, Issue #3087, #3088)
- Exporter. IDA exporter no longer fails when function stack variables have comments. (GP-1190, Issue #2350, #3309, #748)
+- Exporter. Fixed an issue with the ElfExporter not correctly undoing relocations when they spanned partially file-backed memory blocks. (GP-1570, Issue #3696)
- FileSystems. Fixed Ext4 handling of longer symlink paths and added support for inline data. (GP-1088)
- FileSystems. Fixed Ext4 file system to handle volumes with blocksize 1024 and a first data block value of 1. Also added support for old style block maps. (GP-1094, Issue #1877)
-- Framework. Fixed error causing exception in the Specification Extensions panel, when importing a new callotherfixup. (GP-1414, Issue #3502)
+- Framework. Fixed error causing exception in the Specification Extensions panel when importing a new callotherfixup. (GP-1414, Issue #3502)
- GUI. Fixed potential infinite loop in Function Graph edge painting. (GP-1019, Issue #2114)
- GUI. Fixed minor memory leak encountered when using Search -> For Address Tables. (GP-1030, Issue #3013)
- GUI. Fixed bug that prevented the Decompiler scalar hover tooltip from showing. (GP-1071, Issue #3142)
@@ -139,8 +161,9 @@- GUI. Fixed stack trace in the Function Call Graph when using the Show Incoming Level Edges action. (GP-1302, Issue #3327)
- GUI. Fixed the Search Memory dialog issue that caused odd resize behavior when using the Advanced button. (GP-1333, Issue #3158)
- GUI. Fixed tracking of Favorite data types when switching between multiple open programs. (GP-1391)
-- GUI. Fix user list scrollbar in shared project dialog when there is a large number of users. (GP-1410)
+- GUI. Fixed user list scrollbar in shared project dialog when there is a large number of users. (GP-1410)
- GUI. Fixed bug that cause a structure field name to change when using the Retype Field action without picking a new data type. (GP-1429, Issue #3483)
+- GUI. Fixed issue when attempting to rename a datatype that has the same name as a category in the same parent cateogory. The rename would attempt to rename the category instead of the datatype. (GP-1445)
- Importer. Fixed issue with Extract and Import action trying to create invalid filenames. (GP-1024, Issue #3114)
- Importer. Fixed Extract and Import action when highlighting bytes in the debugger view. (GP-1449)
- Importer:ELF. Corrected ELF importer error which could occur when processing memory section overlay blocks caused by AddressOutOfBoundsException exception. (GP-1052, Issue #3128)
@@ -152,6 +175,7 @@- Processors. Corrected pcode for ARM/ARM-Thumb
adcsandsbcscarry and overflow flag updates. (GP-1043)- Processors. Corrected flag handling for some 6502 instructions. (GP-1054, Issue #3096)
- Processors. Fixed issues with PPC register overwrites. (GP-1075, Issue #1672)
+- Processors. Fixed 6502
bitinstruction semantics. (GP-1115, Issue #2558, #3095)- Processors. Fixed MIPS 32-bit little endian floating point register ordering. (GP-1129, Issue #3212)
- Processors. Corrected PowerPC ISA instruction manual index page numbers. (GP-1218, Issue #2927)
- Processors. Updated Tricore manual index file to match correct page numbers. (GP-1220, Issue #2926)
@@ -166,9 +190,14 @@- Processors. Corrected MIPS pcodeop error in
tlbrinstruction. (GP-1363, Issue #3463)- Processors. Corrected ARM Thumb conditional instruction
itto allow theal(always) conditional. (GP-1402, Issue #3499)- Processors. Removed extraneous
+sbfrom ARMldrsbinstruction. (GP-1412, Issue #3522)- Processors. Implemented M68000
+CHK,CHK2, andCMP2instructions. (GP-1478, Issue #2856, #3616)- Processors. Corrected SuperH
+trapainstruction to use acallp-code op instead of agoto. (GP-1504, Issue #3600)- Processors. Corrected x86 instruction parse and semantics for
RDRANDandRDSEED. (GP-1564)- ProgramDB. Corrected language upgrade issue which could result in lost memory reference due to
RefTypechange. (GP-1392)- Scripting. RecoverClassesFromRTTIScript now consistently applies its class structures in programs that have PDB information applied. Also, an option was added so users can decide whether to replace existing class data in thiscall functions regardless of whether they originated as PDB or not. (GP-1464)
+- Scripting. Fixed an issue where some GhidraScript print methods were not getting output to the script log file. (GP-1541, Issue #3657)
- Sleigh. Corrected sleigh-language endian-mismatch error-message formatting. (GP-1132, Issue #3215)
+- Sleigh. Made numerous fixes to the PowerPC SLEIGH language module. Note: minor language version upgrade. (GP-1250)
- Version Tracking. Fixed UnsupportedOperationException in Version Tracking when attempting to find references to register or stack addresses. (GP-1084, Issue #1152)
- Version Tracking. Fixed Version Tracking Swap button to not trigger the reloading of programs. (GP-1183)