Ghidra 11.2.1 Change History (November 2024)

New Features

Debugger:GDB. Added GDB batch scripts for Windows. Also, updated ssh+gdb scripts to take path to ssh as an option. (GP-4957, Issue #7069)

Improvements

Analysis. Updated RTTI Analyzer to fix incorrect PDB symbols in anonymous namespaces when the PDB does not have complete namespace information and RTTI structures do. (GP-5053, Issue #3213)

Decompiler. Added support for detecting optimized strings loaded from labeled memory. (GP-4979, Issue #6925, #6985)

Bugs

Analysis. Clearing of bad flow after a call that is found to be non-returning will no longer clear DLL Import table entries or defined data beyond Undefined<n>. (GP-4696, Issue #6636)

BSim. Fixed the Elasticsearch lsh.zip plug-in for the BSimElasticPlugin extension. (GP-5043, Issue #7051, #7054)

BSim. Corrected synchronous_commit setting for BSim postgresql database and eliminated some warnings in the postgresql logs. We now ensure that all DB connections are closed properly when the Ghidra process exits normally to avoid unnecessary server logging of failed DB connection errors. (GP-5082, Issue #6951)

DB. Corrected issue closing FileDataTypeManager affecting use of DataType Archives on Windows platforms which could produce an error during resource cleanup. (GP-5090)

Debugger. Fixed issue launching debuggers on Windows where the installation path contains spaces. (GP-5015, Issue #6999)

Debugger:Emulator. Fixed issue with stale disassembly in Emulator. (GP-4483)

Debugger:Emulator. Fixed Emulator to heed UI-driven patches to the program counter. (GP-4889, Issue #6867)

Debugger:Trace. Fixed bug in Listing with Force Full View enabled. (GP-2032)

Decompiler. Fixed a bug in the Decompiler causing "Case block has become detached from switch" exceptions. (GP-4899, Issue #6819)

Decompiler. Fixed bug that could cause an infinite loop in the Decompiler on functions accessing a 1-byte structure. (GP-4972, Issue #6969)

Decompiler. Fixed infinite loop in the Decompiler associated with overlapping fields in a structure. (GP-4985, Issue #6991)

Emulator. Fixed issue with slow stepping that occurred in the Emulator after an interrupt. (GP-4231, Issue #6109)

Importer:Mach-O. Fixed an exception that could occur in the MachoLoader when an External Program had a space in its name/path. (GP-4997, Issue #6989)

Importer:PE. Fixed an exception that could occur while parsing PE Control Flow Guard structures, preventing the binary from successfully importing. (GP-5009, Issue #6960)

Scripting. Fixed a typo in VSCodeProjectScript.java that resulted in the Extensions/Ghidra/Skeleton directory not being found. (GP-4971, Issue #6971)

Scripting. Added vxworks external symbol markup, which was previously ignored. (GP-5000)

Ghidra 11.2 Change History (September 2024)

New Features

Basic Infrastructure. Ghidra now requires JDK 21 to run. (GP-4122)

Build. A Gradle wrapper script is now included at support/gradle/gradlew(.bat) which can be used to perform all Gradle commands without the need for prior Gradle installation. The Gradle wrapper requires an Internet connection to work. Offline Gradle installations on the PATH continue to work the same way as before. (GP-4486, Issue #455)

Debugger. Provided new launchers/features for the traceRMI version of dbgeng, including extended launch options, kernel debugging, and remote process server connections. (GP-4686)

Debugger. The Debugger Python components now require Python 3.9 to Python 3.12. (GP-4842)

Decompiler. The Decompiler now supports the automatic recovery of stack strings. (GP-3307, Issue #1380, #2285, #6431, #6592)

Decompiler. Added a Search All button to the Decompiler Find dialog. This button will show all results of the search in a table. (GP-3491, Issue #5317, #538)

GUI. Added Create Table action to the Symbol Tree and Symbol Table to create a new temporary table of symbols. (GP-4574)

GUI. Added a Find Uses of field action to the Enum Editor. (GP-4577, Issue #6475)

GUI. Added support for Ctrl-A to select all in the Python window. (GP-4605, Issue #6502)

Headless. Added a JShell launcher with the full Ghidra classpath. (GP-4876)

Processors. Added Intel MC16/60 and MC16/80 processor specifications. (GP-4879)

Scripting. Added VSCodeProjectScript, which can create a new Visual Studio Code project that is setup to do Ghidra scripting and module development, with similar capabilities to the Eclipse GhidraDev plugin. (GP-4795)

Search. Updated the Memory Search feature to show results in the query window and added two new features: (1) dynamic updating of results that change, stay the same, increment, or decrement; and (2) combining results from successive searches using boolean set operations. (GP-4559)

Improvements

Analysis. Refactored Sparc processor detection and mitigation of Call/Return behavior due to an instruction in the delay slot that changes the o7 link register. Also fixed 64/32 relocations, sparc calling conventions, and added several missing instructions and hidden structure return pointer location. (GP-3808, Issue #5646, #6300)

Analysis. Added support for Golang 1.15 and 1.16. Versions supported are now 1.15-1.22. (GP-4482)

Analysis. Added a new MIDIDataType and audio player for embedded MIDI scores. (GP-4516, Issue #6337)

Analysis. Refactored eBPF analyzers and expanded on applied BPF Helper functions. (GP-4682)

Analysis. Updated the RTTIAnalyzer to improve its determination of the end of virtual function tables. (GP-4748)

BSim. Added BSim database connect/disconnect actions to BSim Server Manager. This will allow an idle connection to be disconnected without the need to exit Ghidra or removing a server entry, which, in the case of a local H2 database, will allow another process to use it. (GP-4867, Issue #6703)

Byte Viewer. Extended HexInteger to other integral data types. (GP-4709, Issue #6658, #6659)

CodeCompare. Added ability to add functions to the last function comparison window. (GP-4634)

Data Types. Added Edit Data Type action that allows users to edit a chosen data type from anywhere in the tool by using the Ctrl-Shift-D keyboard shortcut. (GP-4148, Issue #5975, #6576)

Data Types. Added Undo/Redo popup menu actions for Archives within datatype tree. (GP-4719)

Data Types. Added Undo/Redo support to the structure and union datatype editors as well as other minor improvements. (GP-4740)

Data Types. Improved performance of various structure editor behaviors including setting the structure size. (GP-4949, Issue #6504, #6936)

Debugger. Provided more complete compiler matching using ldefs language definition files. (GP-4675)

Debugger:Agents. Deprecated Framework-Debugging module and Model-based debug connectors, moving toward removal. (GP-4801)

Debugger:Agents. User may now use binary (0b prefix), octal (0 prefix), or hex (0x prefix) in integer-valued launcher option fields. (GP-4847)

Debugger:Registers. Changed how Go To [address] actions are presented with regard to Force Full View. (GP-3898, Issue #5817)

Decompiler. Added Go To Next/Previous Highlight actions to allow navigating Decompiler middle-mouse highlights. (GP-3494, Issue #538)

Decompiler. Improved Function Editor to facilitate partial changes which limit impact to Decompiler results (e.g., only change calling convention) and avoid locking full function signature. (GP-4324)

Decompiler. Improved multi-threaded decompilation performance and possibly disassembly by removing some unnecessary locking. (GP-4712, Issue #6649, #6650)

Decompiler. Provided initial support for recovering optimized heap strings in the Decompiler. (GP-4733)

Decompiler. The Decompiler now forces casting to a signed value when converting integers to floating-point. (GP-4871, Issue #6760)

Demangler. Added support for GNU Demangler output simplification. (GP-3810, Issue #5725)

Demangler. Improved Microsoft Demangler to include handling of noexcept attributes and certain type name suffixes. (GP-4626)

Demangler. Modified MDMang: added calling conventions and custom data type; added end, empty parameter, and unnamed template types; modified reference modifiers and guard name processing; fixed empty member pointer qualification; and worked around LLVM embedded object issue. (GP-4663)

Demangler. Changed application of MDMang `anonymous namespace' strings to their underlying anonymous name to avoid namespace conflicts. (GP-4717, Issue #6661)

Demangler. Added char8_t primitive type to DemangledDataType. (GP-4823)

Demangler. Updated the GNU Demangler to support global constructors and destructors. (GP-4825, Issue #6791)

Documentation. Added discussions of program specification extensions and instruction length modification to the advanced Ghidra class slides, along with miscellaneous clarifications and improvements. (GP-3774, Issue #5667, #5702)

DWARF. Added DWARF analyzer option to ignore parameter storage location info and to use calling convention default layout instead. Also added DWARF analyzer option to specify the calling convention name for functions created by the analyzer. (GP-4150)

Eclipse Integration. The latest Eclipse GhidraDev plugin (4.0.0) now requires Eclipse 2023-12 or later running under JDK 21 or later. (GP-4846)

Function Compare. Added actions to compare functions from the Listing, Decompiler, and Functions Table. (GP-4619)

GUI. Updated the Listing and Byte Viewer title bars to show the number of addresses or bytes selected while dragging. (GP-1359, Issue #2482)

GUI. Added Show Namespace action to the Function Call Trees to display the function's namespace in each node. (GP-3251, Issue #5115)

GUI. Add Filter Thunks action to the Function Call Trees to hide think functions. (GP-3252, Issue #5116)

GUI. Added the Simplified Name column to the Symbol Table. (GP-3377, Issue #6125)

GUI. Added the ability to Snapshot the Symbol Tree. (GP-3849)

GUI. Added the structure member comment to the Decompiler tooltip window. (GP-4661)

GUI. Added single option in the Front End Tool to control whether or not cursors blink in any field panel or text component. (GP-4676, Issue #6570)

GUI. The Edit Data Type action in the Decompiler will now select the structure field row when launching the editor. (GP-4728, Issue #5717)

GUI. New Listing fields and Copy Special actions have been added for imagebase offset, memory block offset, and function offset (disabled by default). (GP-4855, Issue #6794)

Headless. Improved handling of headless command-line arguments when the optional list of arguments passed to a pre/post script contain arguments that start with a dash. (GP-4707, Issue #6639)

Importer. Added a new Add Library Search Path action to files and folders in the File System Browser that will allow library files to be loaded from within a GFileSystem. (GP-4563)

Importer. Added a new -librarySearchPaths command line argument to the headless analyzer, which allows a semicolon-delimited list of library search paths to be specified. (GP-4564)

Importer. OMF records are now marked up. (GP-4722)

Importer:ELF. Improved ELF handling of unresolved symbols during relocation-processing to prevent import failure. (GP-4737, Issue #6673)

Multi-User. Upgraded yajsw to 13.12. (GP-4860)

PDB. Changed the PDB symbol server search config dialog to allow marking symbol servers as trusted/untrusted instead of using the symbol server's connection type. (GP-4735)

PDB. Improved PDB class namespaces determination and standardized some naming between PDB and MDMang. (GP-4773)

PDB. Added char8_t primitive type to PDB Universal analyzer. (GP-4822)

PDB. Modified PDB MSDIA interpretation of malformed datatype fields with no underlying datatype. (GP-4827, Issue #6744)

Processors. Fixed several PPC EVX instructions that were not affecting the destination register as a return value assigned from a pseudoOp call. (GP-4702)

Processors. Added PSPEC label description tag and addr="next" which allows for a large number of contiguous labels placed at an address based on the previous label without specifying the exact address of each label. (GP-4742)

Processors. Processor specs now accept the volatile attribute in tags. (GP-4849, Issue #6755)

ProgramTree. Updated the Program Tree default double-click behavior. Double-clicking now navigates instead of replacing the view. This can be changed in the tool options. (GP-4691)

Scripting. GhidraScripts can now declare an @runtime metadata comment to specify which GhidraScriptProvider is required to run them (e.g., Jython). This will allow different GhidraScriptProviders that use the same script file extension (e.g., .py) to coexist. (GP-4706)

Scripting. Improved RecoverClassesFromRTTIScript heuristics for determining class constructors and destructors. (GP-4764)

Scripting. Changed RecoverClassesFromRTTIScript virtual function definitions from using the formal signature (i.e., no this param) to using void *this param. This will improve the Decompiler output while continuing to not force a particular class structure on the generic definition's this param. (GP-4812)

Scripting. RecoverClassesFromRTTIScript now caches vfunction list in order to speed up processing. (GP-4863, Issue #6834)

Scripting. Fixed a recursion issue in RecoverClassesFromRTTIScript. (GP-4865, Issue #6832, #6833)

Scripting. Changed PasteCopiedListingBytesScript to handle hexdump format and listing bytes field split to multiple lines. (GP-4928)

Terminal. Added Select All action to Terminal window. (GP-4631, Issue #6502)

Version Tracking. The Version Tracking Matches table now has table column filters and now allows users to delete matches from the table (although this is not recommended). (GP-4410, Issue #6066, #6281)

Bugs

Basic Infrastructure. Fixed a ClassSearcher exception that could occur when launching Ghidra in single jar mode. (GP-4844, Issue #6809)

Data Types. Corrected concurrency exception related to use of EnumDataType.getNames() method. (GP-4797, Issue #6765)

Data Types. Fixed StructureDB.delete(Set ordinals) and UnionDB.delete(Set ordinals) method implementations which failed to properly remove component records from database and update remaining components correctly. This method is used by the Structure and Union editors when removing components. (GP-4814)

Data Types. Fixed issue in the Data Type Chooser dialog that caused inconsistent auto-complete behavior. (GP-4854)

Debugger. Fixed catchpoint-related errors in GDB versions <= 10. (GP-4745, Issue #6666)

Debugger. Provided an initial fix for dealing with error induced by the occurrence of continue during another GDB command. (GP-4750, Issue #6678)

Debugger. Fixed potential register description errors when info registers all or info registers general are invalid. (GP-4757)

Debugger. Added attach script for dbgeng (WinDbg). (GP-4784, Issue #6735)

Debugger. Fixed an issue with Listing display when trace overlay spaces are present. This issue had affected the dbgmodel connector. (GP-4788)

Debugger. Removed test logic that was accidentally left in place. (GP-4841, Issue #6802)

Debugger. Fix for potentially missing Attributes field from older versions of dbgmodel. (GP-4856, Issue #6825)

Debugger. The default Emulator was updated to remove TraceRmi launchers. Users should delete and re-import Emulator.tool, or remove the TraceRmiPlugin manually. (GP-4953)

Debugger:Emulator. Fixed memory-space issues, especially in RegistersProvider. (GP-4781)

Debugger:Emulator. Changed stack allocation to adhere to SP in program register context at PC. (GP-4834, Issue #6427)

Debugger:GDB. Fixed issue with GDB continuing instead of stepping over (or out of) library function calls. (GP-4858, Issue #6822)

Debugger:Mappings. Fixed launchers to adhere to Modules window's Auto-Map setting. Fixed DebuggerStaticMappingService to update properly on changes. (GP-4713, Issue #6662)

Debugger:Mappings. Fixed/rewrote buggy StaticMappingService. (GP-4868)

Debugger:Memory. Fixed stale Force Full View menu toggle when tabbing between traces. (GP-4835)

Debugger:Registers. Fixed issue preventing Registers panel from displaying frames other than 0. (GP-4850)

Debugger:Watches. Fixed issue in Watches where evaluation of concatenations failed. The error reported was "index -1 in array of size 2" or similar. (GP-4952)

Decompiler. Fixed analysis of floating-point expressions in the Decompiler that could sometimes cause loss of precision in constants. (GP-2559, Issue #4586, #5785, #6708)

Decompiler. Fixed a bug causing the Decompiler to fail to resolve array references properly in nested structures. (GP-4887)

Decompiler. Fixed a corner case in the Decompiler for optimized division simplification where the division operands are extended from different-sized variables. (GP-4890, Issue #6648)

Decompiler. Corrected a use after free vulnerability in Sleigh decompiler backend. (GP-4929, Issue #6890)

Diff Tool. Fixed the Save Default Diff Apply Settings action in the Diff Apply Settings window. (GP-4670)

Eclipse Integration. Fixed a GhidraDev issue that could result in a NullPointerException within GhidraHelpService when launching Ghidra. (GP-3490, Issue #6734)

Function. Fixed an issue with incomplete function body creation due to the removal of a branching reference when the branch destination was to the next instruction and the instruction flowType had no fallthrough. (GP-4926)

GUI. Fixed the Structure Editor Tab key traversal. (GP-4716, Issue #5738)

GUI. Fixed issue in add references dialog where moving the mouse sometimes reset the address space combo box back to the default ram space. (GP-4779)

GUI. Fixed minor rendering issues with combo boxes when using the Metal Look and Feel. (GP-4818)

GUI. Fixed Structure Editor sometimes not getting focus when opening. (GP-4857, Issue #6782)

GUI. Fixed an exception in the Stack editor when editing and using the down arrow. (GP-4891, Issue #6883)

GUI. Fixed incorrect cell being edited on Tab key press while editing in the Enum Editor. (GP-4892, Issue #6873)

Importer. Fixed an IndexOutOfBoundsException that could occur when loading OMF binaries. (GP-4884, Issue #6862)

Importer:ELF. Corrected regression bug where ELF Importer was ignoring option to disable relocation processing. (GP-4799, Issue #6751)

Importer:ELF. Added missing mips opinion for R3/4 n32 automatic processor identification during import. (GP-4939)

Listing. Fixed bug in the GoTo dialog where it wouldn't find a label if you had more than one namespace in the path. (GP-4761, Issue #6699)

Multi-User. Fixed regression causing Version Control status not updated after check-in. (GP-4921)

PDB. Supplied work-around for class that contains inner member with same class name as containing class name; pertaining to LLVM lambdas. (GP-4595)

PDB. Fixed a bug in the processing of PDB MSDIA names passed from the native pdb.exe processing component. Members that had a bit-field type or that had a namespace delimiter in the name were affected. (GP-4843, Issue #6788)

Processors. Fixed PIC16 PCLATH and RP0 code flow and data reference issues. (GP-4596, Issue #3239, #6466)

Processors. Fixed ARM ldaexd instruction semantics. (GP-4645, Issue #6526)

Processors. Fixed ARM sha1su0.32 instruction semantics. (GP-4646, Issue #6529)

Processors. Fixed ARM sha1su1.32 instruction semantics. (GP-4647, Issue #6530)

Processors. Corrected CMOV semantics when destination and source overlap. (GP-4714, Issue #6523)

Processors. Fixed bug in SPARC sdivcc instruction. (GP-4747, Issue #6689)

Processors. Fixed m68000 ext instruction not updating flags. (GP-4749, Issue #6679, #6690)

Processors. Fixed extension of immediates for certain variants of the x86 SBB instruction. (GP-4754, Issue #6521)

Processors. Corrected semantics for x86 PEXTR instructions which write to memory. (GP-4769, Issue #6511)

Processors. Corrected semantics of x86 CMPPS instruction. (GP-4772, Issue #6512)

Processors. Added semantics for several x86 AVX instructions in use by GCC: VCVTTSx2Sx, VDIVSx, VINSTERT128, and VEXTRACT128. (GP-4776)

Processors. Corrected semantics of x86 PACKUSWB instruction. (GP-4777, Issue #6514)

Processors. Added missing float-to-integer cast operation, trunc(), to x86 CVTSD2SI instruction. (GP-4778, Issue #6513)

Processors. Fixed aliasing issues in certain x86 SIMD instructions. (GP-4783, Issue #6524)

Processors. Fixed incorrect .sla file reference in PPC e500mc processor specification. (GP-4826)

Processors. Fixed issue with the M68000 fmovem.l instruction using FPCR in place of FPIAR. (GP-4845, Issue #6810)

Processors. Fixed sparc 32/64-bit multiply instructions. (GP-4912, Issue #6287, #6346)

ProgramDB. Corrected NullPointerException when setting instruction length override for a non-fallthrough instruction. (GP-4775)

References. Fixed spurious replacement of small constants when the low byte of an offset matches the low byte of the reference address. Also turned the option to manipulate constants with masks and shifts to be off by default. (GP-4667, Issue #1564)

Scripting. Added check in the RecoverClassesFromRTTIScript to make sure ClassHierarchyDescriptor symbols are in a non-Global namespace before trying to promote their namespace to a class namespace. If such symbols are found in the Global namespace it indicates potential issues with either the RTTI data or the processing of the RTTI data; in these cases, no class recovery will be done for the associated classes. (GP-4763, Issue #6704)

Scripting. Fixed NullPointerException in PropagateExternalParametersScript. (GP-4883, Issue #6841)

Scripting. Fixed CodeUnitInsertionException error in RecoverClassesFromRTTIScript.java script. (GP-4932, Issue #6848)

Notable API Changess

Search. (GP-4559) The MemorySearchService has been changed. This had been a very specific service API created to support just one plugin and was not generally useful. The three existing methods have been consolidated into one method. The old service has been marked as deprecated and may be removed in future releases. If, in the unlikely event that anyone is using this service, please contact the Ghidra team to discuss your use case.

Data Types. (GP-4949) Added API method Structure.setLength(int length) which allows the size of a non-packed structure to be set.

Debugger:Agents. (GP-4847) LaunchConfigurator.configureLauncher() is changed such that arguments now requires ValStr<?> instead of just ? for its values. This affects both the new Trace-RMI launchers and the deprecated object-model launchers.

Ghidra 11.1.2 Change History (July 2024)

New Features

Basic Infrastructure. Ghidra native components (Decompiler, GNU Demangler, etc.) now run properly on Windows ARM using x86 emulation. Building natively for Windows ARM is not yet supported (Gradle limitation). (GP-4738)

Improvements

Data Types. Corrected resolution of typedefs whose name matches the underlying type name. (GP-4751, Issue #6493)

Processors. Made minor semantic changes to the X86 processor specification for several AVX instructions as well as changes to UDF undefined instructions. (GP-4724)

Bugs

Data Types. Fixed Structure bug where DB may not be updated properly with length change induced by certain operations (e.g., insertBitFieldAt). (GP-4756)

Data Types. Fixed formatting of float value -0.0 within assembly Listing view. (GP-4759, Issue #6677)

Debugger. Added .bat launchers for GDB and LLDB on Windows. (GP-4677)

Debugger. Fixed GDB show version parse error. (GP-4698, Issue #6646)

Debugger. Fixed an issue with handling of memory read errors in GDB TraceRMI connector. (GP-4701, Issue #6647)

Debugger. Fixed GDB endianness calculation. (GP-4704, Issue #6656)

Debugger:GDB. Provided fall-back to refresh all registers when general is not recognized by GDB as a register group. (GP-4710, Issue #6635)

Importer:ELF. Fixed ELF X86-64 GOT allocation bug which could cause exception during import. Also added unverified ELF relocation support for R_X86_64_GOT64 and R_X86_64_PLTOFF64. (GP-4758, Issue #6691)

Importer:Mach-O. Fixed an issue with importing Mach-O binaries that have an empty __chain_starts section. (GP-4695)

Importer:Mach-O. Fixed a regression in the MachoLoader that prevented some KDK binaries from being loaded. (GP-4699)

Multi-User:Merge. Fixed assertion error which occured for multi-user merge of register context within overlay memory blocks. (GP-4508, Issue #6403)

Processors. Fixed AARCH64 Windows stack alignment. (GP-4752, Issue #6680)

Ghidra 11.1.1 Change History (June 2024)

Bugs

Debugger. Fixes an error in dbgeng launcher. (GP-4674)

Debugger:GDB. Fixed issue with using QEMU launchers in Trace RMI (ClassCastException from String to PathIsFile) (GP-4690, Issue #6634)

Decompiler. Fixed a bug in the Decompiler that could cause it to drop a control-flow edge from a switch's case statement that looped back to the switch. (GP-4582, Issue #6282)

Decompiler. Fixed bug causing "Undefined Pullsub" exceptions. (GP-4672, Issue #6614)

Decompiler. Corrected Decompiler process issue which can occur when analysis is cancelled. Issue would incorrectly popup error indicating "Decompiler executable may not be compatible with your system...". (GP-4689)

GUI. Fixed mouse button 4/5 processing failure that caused the left-click to stop working. (GP-4681, Issue #6624)

Processors. Added support for the Z80 processor undocumented registers. (GP-2881, Issue #4485)

Processors. Fixed 6805 branch conditional instruction semantics. (GP-4585, Issue #6482)

Project. Fixed a severe regression bug introduced with Ghidra 11.1 which could prevent a user from completing a project file add-to-version-control, checkin or merge when they currently have the file open in a tool. The corresponding open project file would remain in a bad state following the operation. (GP-4692)

Ghidra 11.1 Change History (June 2024)

New Features

Assembler. Added the WildcardAssembler module and API for allowing the masking of operands. (GP-4287, Issue #6118)

Basic Infrastructure. Replaced the Show VM Memory dialog with an upgraded Runtime Information dialog. The dialog contains more information which can aid in debugging, including version information, classpath, defined properties, environment variables, and more. (GP-3844, Issue #5760)

Debugger. Added a Trace RMI launcher for Windows targets on Linux using Wine. (GP-3891)

Debugger. Added Trace RMI connector for Microsoft Time-Travel Debugging. (GP-4182)

Debugger:Agents. Added TraceRMI protocol to provide access to the trace database API over protobufs. This is a simpler alternative to GADP. Implemented TraceRMI client for Python3; added TraceRMI plugins for GDB, LLDB, and WinDbg (dbgeng). Added services, APIs and GUI components for managing TraceRMI connections. (GP-3816)

Debugger:dbgeng.dll. Extended dbgeng Trace RMI connector to support dbgmodel. (GP-4290)

Debugger:GDB. Added Trace RMI connector for QEMU with GDB. (GP-3838)

Debugger:GDB. Added raw GDB and Python 3 connectors. (GP-4439)

DWARF. Added DWARF5 support. (GP-2798, Issue #4088)

Eclipse Integration. The GhidraDev Eclipse plugin has a new wizard for importing an existing Ghidra module source directory. This will work best with Ghidra module projects created against Ghidra 11.1 or later. (GP-707, Issue #284)

FileSystems. Added a new GFileSystem for Mach-O file sets (i.e., the kernelcache). (GP-3770, Issue #4827)

FileSystems. Added support for SquashFS FileSystems. (GP-3946)

FileSystems. Added support for decompressing LZFSE files (iOS/macOS kernelcache) to the File System Browser. (GP-4391)

GhidraGo. Remote and local GhidraURL's that locate DomainFolders are now acceptable input for GhidraGo. Both result in opening the read-only view for the project and selecting the DomainFolder in the FrontEnd. If the local URL refers to the currently active project, the domain folder will be selected within that. (GP-4433)

Languages. Improved Swift support by adding Swift Demangler, Swift cspecs, Swift opinions, and by applying type metadata where possible. (GP-3535)

Version Tracking. Added ability for Version Tracking Session files to be checked into a version control repository. Versioned use is restricted to exclusive checkout use only since there no ability to merge VT Session data. (GP-4085)

Improvements

Accessibility. Improved filter options dialog for accessibility. (GP-2264)

Accessibility. Fixed several focus traversal issues. Also, added convenience actions for moving to next/previous window (Ctrl-F3/Shift-Ctrl-F3) and next/previous component provider (Ctrl-J/Shift-Ctrl-J). (GP-4227)

Accessibility. Added quick action dialog to make actions accessible and more convenient for users who prefer to use keyboard more than mouse. Ctrl-3 will bring up the dialog. (GP-4267)

Accessibility. Added accessible names to most main provider components. (GP-4275)

Accessibility. Improved analyzer enablement so that checkboxes can be changed via the keyboard using the spacebar. (GP-4375, Issue #6261)

Accessibility. Improved export options window to allow changing checkboxes via keyboard using the spacebar. (GP-4414, Issue #6279)

Accessibility. Improved keyboard navigation in Add Reference dialog. (GP-4491, Issue #5761)

Accessibility. Improved Accessibility for assorted Memory Map dialogs. (GP-4511)

Analysis. Sped up switch recovery analysis on AArch64 objectiveC binaries where BRK instruction is used throughout the code for exceptions. (GP-4364)

Analysis. Added pattern to recognize PPC get_pc_thunk_lr position-independent-code-related function. (GP-4474)

Analysis. The speed of the Create Address Tables analyzer has been improved for large runs of addresses. (GP-4477)

API. Created builder for DomainObjectListeners to express even-handling logic more concisely. (GP-4222)

API. Revised DomainObject java interface while eliminating separate UndoableDomainObject and Undoable java interface classes. Revised tool-based foreground Command-processing to defer event-flushing into a background task. Additional execute methods were added to PluginTool which allow lambda functions to be used in the place of a Command object. (GP-4390)

Assembler. Added context hints to Patch Instruction (Assembler) results. (GP-3993)

Assembler. Context is re-flowed and instructions re-disassembled following the Patch Instruction action. (GP-4014)

Assembler. By virtue of API changes, the Assembler is now more extensible by plugins for advanced use cases. (GP-4185)

Basic Infrastructure. Ghidra now supports the XDG Base Directory Specification. Default locations of the user settings, cache, and temporary directories have moved to more standardized platform-specific locations. See comments in the support/launch.properties file for more detailed information on how these directories are determined and overridden. (GP-1164, Issue #908)

Basic Infrastructure. Improved the start up time of Ghidra by only loading ExtensionPoints when they are first requested. (GP-4515)

Build. Fixed compilation of TreeValueSortedMap for Java 21. (GP-3923, Issue #6083)

Build. Ghidra will now run on FreeBSD with user-built native components using the support/buildNatives script. See the Installation Guide for more information on building native components. NOTE: bash is required to be installed in order for Ghidra to launch on FreeBSD. Additionally, the Debugger is not currently supported on FreeBSD. (GP-4235, Issue #6117)

Byte Viewer. Added the ability to resize the Address column in the ByteViewer window. (GP-2147)

Data. Added writable Mutability data setting to allow chosen data within a read-only memory block to deviate from the block setting. Decompiler was updated to respect this setting. (GP-4505)

Data Types. Improved datatype resolution and conflict handling as well as datatype name sorting. (GP-3632)

Debugger. Domain Object event ID numbers have been refactored to be enums. (GP-2076)

Debugger. Removed TargetRecorder-dependent methods from FlatDebuggerAPI. Moved them to deprecated FlatDebuggerRecorderAPI. Ported FlatDebuggerAPI to Target interface. Added FlatDebuggerRmiAPI. (GP-3872)

Debugger. Moved launch and control command progress monitors to the Debug Console. (GP-3997)

Debugger. The Sections Table pane can now be toggled on and off in the Modules window. (GP-4156)

Debugger. Upgraded to most current release of llvm/lldb (17.x). (GP-4385)

Debugger. Added Trace RMI connector for GDB target remote. (GP-4437)

Debugger. Made modifications to accommodate remote embedded targets. (GP-4441)

Debugger. Released Trace RMI as the default Debugger back end. (GP-4485)

Debugger. Made modifications to enable traceRMI dialog-driven methods. (GP-4527)

Debugger:Agents. Released version 11.1 of Trace RMI python packages and protocol. (GP-4487)

Debugger:Agents. The launch failure dialog now previews the last two lines of each Terminal. Selecting Keep will automatically bring those terminals to the front. (GP-4637)

Debugger:Emulator. Pure emulation use cases can now involve thread creation and destruction and they can be recorded linearly in a trace. (GP-4374)

Debugger:Listing. Added context menu to location label in Dynamic Listing and Memory Bytes windows. (GP-4311)

Debugger:Listing. Progress for memory reads now displays in the Debug Console window. (GP-4399)

Debugger:Mappings. Moved initial mapping failure at launch to the Debug Console, rather than popping the launch failure dialog. (GP-4636)

Debugger:Memory. Made Memory window more consistent with Dynamic Listing window in terms of appearance and operation. (GP-1625)

Debugger:Stack. Added Module column to Stack window. (GP-4093)

Debugger:Threads. Moved trace selection tabs to Dynamic Listing. (GP-1608)

Debugger:Threads. Added PC, Function, Module, and SP columns to the Threads table. (GP-4236)

Debugger:Threads. Removed Synchronize Target Activation toggle. Time navigation is now prohibited in Target control mode, especially using the Plot column header. (GP-4334)

Decompiler. Added Edit Signature Override action to Decompiler. Improved cleanup of unused override signature datatypes. (GP-4263, Issue #6000)

Decompiler. The Decompiler is now able to simplify additional forms of 64-bit optimized integer division. (GP-4300, Issue #5733)

Decompiler. Added additional Decompiler support for recovering the addresses of calls and other global symbols for MIPS binaries compiled with Position-Independent Code (PIC) options. (GP-4370)

Decompiler. The Decompiler now displays array index constants using the configured Integer format, rather than always using base 10. (GP-4394, Issue #6019)

Disassembly. Created FixOffcutInstructionScript that attempts to automatically fix an offcut instruction and its references in a restricted fashion. This script can be bound to a hotkey for a user to quickly attempt fixups throughout a program. Also, updated the set instruction length override action to automatically suggest a reasonable length, based on offcut flows, and to disassemble these flows if used. (GP-4034, Issue #5928)

Disassembly. Fixed storage of default disassembly context to the program database. Programs with no stored context, which is most, will disassemble faster. (GP-4535)

Disassembly. Improved disassembly speed and use of instructions for any purpose by delaying check of instruction overrides until needed. (GP-4536)

Documentation. Updated Debugger training materials for Trace RMI. (GP-3887)

Eclipse Integration. Upgraded the GhidraDev Eclipse plugin to make it compatible with Ghidra 11.1. (GP-4176)

Eclipse Integration. The Ghidra Eclipse preferences and formatter files are now included in the release under support/eclipse/. (GP-4233, Issue #5999)

Framework. Updated system actions to allow for user-defined key bindings. (GP-4317)

GUI. Added tool option to remove quotes from strings before putting into clipboard. (GP-3871, Issue #1155)

GUI. Simplified the dialog for switching themes. (GP-4172, Issue #6024)

GUI. Updated the Help Info keybinding to Ctrl-Shift-F1 in order for components to allow Ctrl-F1 to work for showing tooltips. (GP-4304)

GUI. Added a Copy Special action to the Listing to copy the byte source offset of the selected address. (GP-4318, Issue #6195)

GUI. Updated Key Binding options for actions to allow users to set mouse bindings. (GP-4436, Issue #208)

Importer. Added ability to import/export multiple program trees using SARIF. (GP-4079)

Importer. The MzLoader can now load binaries whose file size is less than the size that is reported in its header. (GP-4260, Issue #6029)

Importer. The Importer post-load message log is now echoed to the application.log file. This behavior can be disabled in the support/launch.properties file by uncommenting the VMARGS=-Ddisable.loader.logging=true line. (GP-4313)

Importer. The PeLoader now pads memory blocks with zeros instead of creating an uninitialized block with the same name. (GP-4347, Issue #6238)

Importer. Fixed an issue in the MzLoader where the default Program Tree was out of sync with the Memory Map. (GP-4432, Issue #6277)

Importer:COFF. COFF headers are now marked up. (GP-4184)

Importer:ELF. Added relocation handlers for the TI_MSP430 and TI_MSP430X processors. (GP-4152)

Importer:ELF. Added ELF Import option to enable/disable the creation of undefined data for data symbols with known sizes. This option is enabled by default. (GP-4178)

Importer:ELF. Transitioned to new AbstractElfRelocationHandler implementation which uses ElfRelocationType enums specific to each handler. (GP-4239)

Importer:ELF. Relaxed ELF PT_DYNAMIC restriction to allow it to be processed when not covered by a PT_LOAD. (GP-4291, Issue #5784)

Importer:Mach-O. Improved handling of Mach-O DYLD_CHAINED_PTR_ARM64E_KERNEL chained pointer fixups. (GP-4259, Issue #6144, #6145)

Importer:Mach-O. The dyld_shared_cache loader now implements pointer fixups for newer versions that use dyld_cache_slide_info5. (GP-4380)

Importer:Mach-O. The MachoLoader now does a better job at importing binaries with corrupted load commands. (GP-4561, Issue #6271)

Languages. Added support for structured data-type parameters for x86 64-bit System V ABI. (GP-4031)

Languages. Added Golang 1.21 support. (GP-4183, Issue #6072)

Languages. Added support for Apple Silicon and AARCH64 Golang binaries. (GP-4465)

Languages. Added support for Golang 1.22. Versions supported are now 1.17-1.22. (GP-4579)

Listing. Added options to wrap operand fields on semicolons. This is to better support processors that have more than one instruction at an address. (GP-4289)

Memory. Added Artificial memory block flag intended to identify those blocks that the Debugger should not map into a running target. (GP-4125)

Memory. Removed lock contention on reading and update of memory AddressSet cache. (GP-4534)

Multi-User. Significantly improved shared project directory performance when directories contain a very large number of files. (GP-4456)

PDB. Modified LoadPdbTask to schedule EntryPointAnalyzer. (GP-4244)

PDB. Modified PdbUniversalAnalyzer to do work into multiple phases so that this work can benefit from work done in interim analyzers. (GP-4245)

PDB. Reduced number of data type conflicts by delaying the resolve step in the multi-phased resolve process. Also refactored the multi-phased resolve, removing placeholder types. (GP-4246)

PDB. Stubbed additional larger-than-64-bit pointers to ensure they do not cause problem when used. (GP-4264)

PDB. Improved mechanism for setting primary symbols; reduced memory footprint by removing primary symbol map and using the now-more-performant ghidra primary symbol methods. (GP-4335, Issue #3497)

Processors. Added subset of Tricore relocations as well as function start patterns. (GP-3110, Issue #1449)

Processors. Corrected errors in the MSP430 SLEIGH specification. (GP-4401, Issue #4120)

Processors. Corrected implementation of ZR (aka R0) register access for MCS-96 processor. (GP-4407, Issue #6181)

Processors. Added callfixup for __chkstk() found in windows AARCH64 binaries. (GP-4513)

ProgramDB. Improved locking behavior of Instructions and Data when retrieving bytes from memory. (GP-4568)

Project. Added an abstract GhidraURLQueryTask and related GhidraURLQuery utlity class to failitate proper GhidraURL queries and to avoid replication of code. (GP-4447)

Scripting. Python scripts now have access to the this variable, which is a reference to its parent GhidraScript object. It may be necessary to refer to this in certain scenarios, such as when releasing the consumer of a Program object returned by askProgram(). (GP-4157)

Scripting. Updated RecoverClassesFromRTTIScript's GCC class recovery to handle copy relocations. (GP-4396)

Scripting. Added script to paste address/bytes copied as text from a Ghidra Listing. (GP-4480)

Scripting. Upgraded OSGi-related jars. (GP-4550)

Sleigh. Compiled SLEIGH (.sla) files are now stored in a compressed format to save disk space and shorten language load times. (GP-4285)

Testing. Upgraded jacoco to version 0.8.11. (GP-4262)

Version Tracking. Added Function Compare action to the Version Tracking main match table and associated match tables. (GP-4251, Issue #6010)

Bugs

Analysis. Improved recovery of additional windows resource references in certain cases by handling the decompiler produced MULTI_EQUAL pcode operation. (GP-7)

Analysis. Exported symbols are now checked that they are not symbols internal to a function before creating a function. (GP-4506)

Data. Corrected improper Data pointer stacking behavior when applying a pointer data type onto an existing pointer. (GP-4181)

Data Types. Corrected various Data settings issues where Listing display failed to update properly with settings change. (GP-4212, Issue #5922)

Data Types. Corrected transaction error when disassociating a datatype from an archive not open for update. (GP-4524, Issue #6424)

Data Types. Fixed searching for references to structure fields when the field is referenced in a local structure that is then passed to an external function. This has a major effect on Windows programs. (GP-4592, Issue #5652)

Data Types. Corrected data type source archive transaction error when performing bulk archive revert, update, and disassociate actions. (GP-4615, Issue #6503)

Debugger. Fixed module map to ignore artificial blocks, especially tdb on Windows. (GP-4072, Issue #5994)

Debugger. Fixed thread-specific stepping in dbgmodel. (GP-4279)

Debugger:Emulator. Fixed issue where step command is ignored after the emulator encounters an error; e.g., undefined userop. (GP-4248, Issue #6086)

Debugger:Listing. GoTo in Dynamic Listing can now find symbols with external linkage; e.g., IAT entries. (GP-3408)

Debugger:Listing. Fixed issue with incorrect byte values in Debugger's snapshot comparison listing. (GP-4528)

Debugger:Memory. Fixed error message regarding closed programs in the navigation history when using the Memory (dynamic hex) viewer. (GP-4100)

Decompiler. Corrected issue with Decompiler return/param commit which could cause return details to revert to default state. (GP-4434, Issue #6318)

Decompiler. Fixed Decompiler bug causing erroneous case labels for some switches contained in an if block. (GP-4514, Issue #6128)

Demangler. Fixed out-of-memory issue in MDMang due to infinite loop. (GP-4641, Issue #6586)

FID. Corrected FID error caused by Functions defined where no memory block resides. (GP-4584, Issue #6453)

Graphing. Fixed NullPointerException in the ChkDominanceAlgorithm. (GP-4530)

GUI. Fixed Listing to navigate to requested address when opening from a URL. (GP-4281, Issue #6166)

GUI. Fixed Memory Search results to select all matched address when making a selection from the results table. (GP-4538, Issue #6415)

GUI. Fixed stack overflow in Bundle Manager window when trying to remove all bundles. (GP-4604)

Importer. Fixed the handling of non-default address spaces, specific to SARIF. (GP-4097)

Importer. Fixed NullPointerExceptions in the SARIF handlers. (GP-4510)

Importer. Fixed an issue in the MzLoader that would prevent some 16-bit MZ binaries from loading correctly. (GP-4575, Issue #5970)

Importer. Fixed a regression that prevented library search paths from getting saved. (GP-4594)

Importer:Mach-O. The MachoLoader no longer throws an exception when importing DWARF dSYM companion files. (GP-4417, Issue #6302)

Importer:PE. Fixed an EOFException in the PeLoader that could occur when data directories point to section padding bytes. (GP-4496, Issue #6380)

Importer:PE. Fixed an issue with the provided .exports files not getting properly used in some scenarios. (GP-4628)

Languages. Corrected handling of operand-size override prefix with x86 MOVSX/MOVZX instructions. (GP-4629, Issue #6525)

Multi-User. Corrected potential deadlock condition within Ghidra Server. (GP-4531)

PDB. Removed PDB symbol server URLs from default list that don't publish PDBs. (GP-4266, Issue #3109, #6152)

PDB. Fixed issue preventing VS6 PDB from being processed due to unexpected unavailable DebugData streams. (GP-4571, Issue #6464)

Processors. Added support for x86 AVX512 instructions (GP-1561, Issue #2209, #4704, #6458)

Processors. Added PIC16F movlb variant instruction form to processor module. (GP-3723)

Processors. Fixed Xtensa bany semantics and added simplifying cases for sext instruction. (GP-4254, Issue #6113)

Processors. Corrected register sizing for the x86 str instruction. (GP-4272, Issue #6156)

Processors. Fixed bug in the M68000 processor with instructions referencing immediate byte values displaying erroneous two-byte values. (GP-4377, Issue #4191, #6260)

Processors. Fixed operand ordering in x86 FDIVP instruction. (GP-4381, Issue #6266)

Processors. Made several bug fixes for SuperH processor module. (GP-4498, Issue #5967, #6013)

Processors. Fixed AARCH64 ldst instruction to properly support register writeback. (GP-4499)

Processors. Fixed Tricore st.da instruction writing half-words instead of words. (GP-4552, Issue #6456)

Processors. Updated x86-64 RCL and RCR instructions to set CF correctly. (GP-4576, Issue #6423)

References. Updated EditMemoryReferencePanel to enable inclusion of OTHER overlay spaces for address specification. (GP-4345, Issue #6245)

Version Tracking. Improved Version Tracking Implied Match determination to make sure the destination location is a function if the source location is a function. (GP-4283)

Ghidra 11.0.3 Change History (April 2024)

Improvements

Decompiler. Fixed v850 Decompiler treatment of global GP and TP registers as separate registers. (GP-4479, Issue #3515)

Languages. Added thunk patterns for use of BTI C/CJ instruction at start of AARCH64 thunk functions. (GP-3917)

Processors. Added p0/p8 registers as prefer split to Tricore.cspec (GP-4507, Issue #3515)

Bugs

Build. Corrected build problem that causes module src.zip files to be omitted from distribution when a externalGhidraExtension is present. This did not impact the current Public release since it does not include any such modules. (GP-4492)

Decompiler. Fixed bug causing switch analysis to lay down jump tables with extra entries. (GP-4416)

Processors. Fixed regression in Tricore calling convention for parameters and returns that are a smaller datatype than the full register size. (GP-4468, Issue #6354)

Scripting. Fixed NullPointerException in the RecoverClassFromRTTIScript that happened for Windows programs when a class had a hierarchy at least four levels deep, with a single inheritance chain, and with the root being a virtual class. (GP-4459, Issue #6348)

Version Tracking. Corrected potential Exception within address correlators that check function parameters. (GP-4490)

Ghidra 11.0.2 Change History (March 2024)

Improvements

Accessibility. Eliminated redundant screen-reading of text with cursor-up and cursor-down movements in the Decompiler view. (GP-4297, Issue #6177)

Debugger:GDB. Fixed an issue connecting to GDB on some builds of Windows. (GP-4392, Issue #6107)

Decompiler. The Decompiler now treats software breakpoints as indirect calls that do not take parameters and do not return. (GP-4332)

Decompiler. Improved detection of switch variables when their path crosses a call. (GP-4369)

Headless. Updated analyzer options to not create Java Swing components in headless mode. (GP-4309)

Importer:ELF. Revised ELF PowerPC relocation processing for R_PPC_ADDR16_LO and R_PPC_ADDR16_HA to address FreeBSD conventions. (GP-4397)

Multi-User. Updated Ghidra Server server.conf to facilitate specification of enabled TLS cipher suites. Enabled cipher suites have been constrained by default, consistent with RFC 9151. (GP-4330)

Multi-User. Made minor improvement to shared project performance when populating folders containing a large number of files. This was done by caching the FileID associated with each remote project file. (GP-4455)

Processors. Added support for ARM v8-M Custom Datapath Extension. (GP-1791)

Scripting. Added check to RecoverClassesFromRTTIScript to not run if there are unhandled relocations in GCC programs for the necessary RTTI symbols. (GP-4371)

Bugs

Analysis. Fixed analysis lockup if the fall-through of an instruction is overridden to itself. (GP-4312, Issue #6179)

Analysis. Loosened MIPS jump target function-start pattern. (GP-4442, Issue #3677, #4193)

BSim. Corrected BSim command listexes --limit option processing. (GP-4362, Issue #6246)

Build. Removed unused log4j-jcl 2.16.0 jar dependency. Updated postgresql JDBC driver jar to 42.6.2. (GP-4449)

Debugger. Removed leading slash in executable path for Windows launch options. (GP-4331)

Debugger:GDB. Fixed issue parsing breakpoints with command lists, especially with Use existing session (new-ui). (GP-4368, Issue #6257)

Debugger:Listing. Auto-disassembly now ignores UNKNOWN memory (fixed regression) and re-disassembles if PC lands offcut in an existing instruction. (GP-4278)

Debugger:Recorder. Changed register-recording errors to go to log only, not popup. (GP-4305)

Decompiler. The Decompiler will now convert an indirect branch into a return operation if the branch target can be traced to the formal return address storage location. (GP-4226)

Decompiler. Fixed bug causing "Could not find op at target address" exception when applying SwitchOverride script. (GP-4314)

Decompiler. Fixed bug that could cause the Decompiler display to drop characters with a multi-byte UTF8 encoding. (GP-4360)

Function Compare. Corrected handling of thunked functions in the Compare Matching Callees action. (GP-4354, Issue #6159)

GUI. Fixed an IllegalArgumentException that occurred when trying to expand data over a selection in the Listing that spanned addresses from multiple address spaces. (GP-701)

GUI. Fixed screen reader support of tooltips by using the lower-case html tag; some readers could not process an upper-case tag. (GP-4296, Issue #6176)

GUI. Fixed Data Types tree broken Cut operation when the tree is filtered. (GP-4373, Issue #6137)

GUI. Fixed Structure Editor exception when searching with some columns removed. (GP-4426)

Headless. Fixed exception looking for extensions when running Headless Ghidra using the single Ghidra Jar mode. (GP-4294, Issue #6178)

Importer. Fixed an uncaught InvalidPathException that could occur when loading libraries during import. (GP-4326, Issue #5894)

Importer:COFF. Fixed an EOFException in the CoffLoader that could occur when parsing symbols. (GP-4344, Issue #6236)

Importer:Mach-O. The dyld_shared_cache loader no longer throws an exception when importing newer versions that use dyld_cache_slide_info5. (GP-4457)

Memory. Fixed an issue with the GUI sometimes showing incorrect file byte offsets for memory blocks that have been joined. (GP-4357)

Processors. Fixed AARCH64 instructions which could overwrite source registers during reads (ldaxp, ldnp, ldp, ldpsw, ldxp). (GP-3851, Issue #5791)

Processors. Fixed 6809 clr instruction not clearing the carry flag. (GP-3889, Issue #5838)

Processors. Fixed several ARM instructions which could potentially overwrite a source register before reading. (GP-3892, Issue #5822)

Processors. Fixed Z80 8-bit INC instructions' setting of the carry flag. (GP-4273, Issue #2247, #2277)

Processors. Improved Tricore calling conventions. (GP-4319, Issue #5757)

Processors. Corrected semantics for Tricore dextr instruction. (GP-4418, Issue #5756, #6303)

Processors. Fixed semantics of PowerPC lwax instruction. (GP-4419)

Version Tracking. Fixed broken Version Tracking tag filter. (GP-4336)

Version Tracking. Fixed MemoryAccessException in Version Tracking Data Correlator when data is partially contained in uninitialized memory. (GP-4339, Issue #6238)

Ghidra 11.0.1 Change History (January 2024)

Improvements

BSim. The make-postgresql.sh script now uses the uname command instead of the arch command to increase system compatibility. (GP-4174, Issue #6051)

Decompiler. The Decompiler has been improved to recognize a broader class of boolean expressions when identifying and collapsing duplicate predicates. An emphasis was given to ARM executables for this change. (GP-3941, Issue #5611)

Bugs

Analysis. Fixed IndexOutOfBoundsException when decompiling AARCH64 functions with empty structure parameters. (GP-4169, Issue #6047, #6068, #6120)

BSim. Modified bsim and bsim_ctl command line option specification to use the form --option value or --option=value instead of option=value. Also corrected some bugs associated with command processing. (GP-4173, Issue #6054)

Data. Corrected default reference creation for pointers added to byte-mapped memory blocks when a valid address can be produced. (GP-4203, Issue #6081)

Debugger:Agents. Trace RMI clients are now included in the distribution. (GP-4198)

Debugger:Listing. Fixed NullPointerException in TraceDisassembleCommand. (GP-4257)

Decompiler. Fixed rare bug that could cause the Decompiler to crash during construction of Static Single Assignment (SSA) form. (GP-4201, Issue #6034)

Function. Corrected issues related to Function custom storage transition when auto-void-return-storage is used. This situation can occur when the Rust calling convention spec-extension is used. (GP-4234)

Function Compare. Fixed bug causing an IndexOutOfBoundsException in the Decompiler Diff View panel when comparing functions. (GP-4253)

Importer:ELF. Corrected x86-64 ELF GOT allocation for object module import for R_X86_64_GOTPCRELX and R_X86_64_REX_GOTPCRELX relocations. (GP-4228)

Importer:ELF. Corrected ELF x86-64 import error affecting *.o files with the reported error "GLOBAL_OFFSET_TABLE already allocated". (GP-4265)

Importer:PE. The PE loader can now loader PE files with an OptionalHeader.Magic value of 0. (GP-4215, Issue #6093)

Processors. Fixed issues with HC05/HC08 processors including invalid registers and addressing modes. (GP-3181, Issue #4444)

Processors. Fixed issue with PowerPC VLE branch instructions not displaying the cr register used. (GP-3787, Issue #5246)

Processors. Fixed issue with PowerPC VLE load/store instructions showing incorrect index. (GP-3788, Issue #5245)

Processors. Moved several PowerPC 4xx instructions to 4xx-only processor module. (GP-3789, Issue #5243)

Processors. Corrected address calculation for HCS12 call instructions referencing the PPAGE register. (GP-4104)

Processors. Added support for the x86 MOVDIR64B instruction. (GP-4105, Issue #5997)

Processors. Corrected Loongarch CSR register list and added csr77. (GP-4163, Issue #6033)

Processors. Fixed addresses for Tricore TC176x CAN_MO registers. (GP-4204, Issue #5712)

Processors. Renamed pcodeops for x86 fbstp and fbld instructions. (GP-4249, Issue #2426)

Version Tracking. Fixed NullPointerException in Auto Version Tracking implied-match creation. (GP-4268)

Ghidra 11.0 Change History (December 2023)

New Features

Analysis. Added initial Rust support, including the handling of mangled names and calling conventions. (GP-2412)

BSim. Introduced BSim support (see docs/GhidraClass/BSim/). (GP-4009)

Calling Conventions. Added support for the Indirect result location register for ARM64 calling conventions. (GP-3938, Issue #951)

CodeBrowser. Added a right-click Copy action in the CodeBrowser's Listing that copies a Local or Shared GhidraURL to the program. The GhidraURL points to the specific address at which the cursor is located within the program. (GP-3626)

Data Types. Added Search -> For Encoded Strings... dialog that simplifies finding and creating strings with various charsets and alphabets. (GP-2628, Issue #1582, #2106)

Debugger:Breakpoints. Added breakpoint indicators to Function Graph when active in Debugger. (GP-2737, Issue #5532)

Debugger:dbgeng.dll. Implemented Trace RMI connector/plugin for the dbgeng.dll. (GP-3754)

Debugger:dbgeng.dll. Introduced Trace RMI launch script for dbgeng.dll. (GP-3823)

Debugger:GDB. Introduced launchers for Debugger targets using new Trace RMI framework. Introduced Trace RMI launch script for GDB. (GP-3818)

Debugger:Targets. API: Added Target interface to abstract TraceRecorder and TraceRmi. (GP-2740)

Debugger:Targets. Created Connections panel for Trace RMI. (GP-3836)

FileSystems. Added a GFileSystem supporting the CaRT file format. (GP-3748, Issue #5568)

GhidraGo. Implemented GhidraGo, an experimental feature that, when enabled, causes Ghidra to listen for GhidraURLs. The only supported GhidraURLs for GhidraGo currently link to a Ghidra DomainFile handled by the CodeBrowser. The readme for GhidraGo includes instructions on setting up a protocol handler for GhidraURLs. GhidraGo will open Ghidra if a Ghidra is not already running, but Ghidra must be configured to listen (i.e., it has the GhidraGo plugin enabled). (GP-2774)

GUI. Added Select -> Create Table From Ranges action to create a table based on the address ranges in a selection. (GP-2297)

GUI. Added a new GTree filter setting that allows users to filter on the node's path. (GP-2419)

Importer:Mach-O. dyld_shared_cache components extracted from Ghidra's DyldCacheFileSystem can now be added together on-demand with the Add To Program feature. Broken references can be automatically resolved by right-clicking on them and clicking References -> Add To Program. (GP-3753, Issue #5023)

Processors. Added support for the Loongson processor architecture. (GP-3211, Issue #5083)

Version Tracking. Added a new Version Tracking correlator based on BSim function similarity. (GP-4076)

Improvements

Analysis. Golang improvements: Added the Golang String Analyzer that finds and marks up Golang strings. Improved Golang type and interface method markup. Improved Golang function parameter recovery. Using Golang package information to organize Golang type and symbol elements into namespaces. Using Golang run time type information to override the types of objects that are created by calls to malloc-like built-in functions. (GP-2109)

Analysis. Made minor fixes to ARM aggressive instruction finder for stack trace and speed improvement. (GP-3855)

API. Added a program caching system for use by clients that want to open programs, do some work, and then close them without them appearing in the tool. Prior to this, all programs that were opened were kept open by the tool until the user manually closed them. (GP-3979)

API. Updated ApplyFunctionSignatureCmd and FunctionUtility.updateFunction to optionally allow all applied composites to be cleaned (i.e., force to not-yet-defined state) before being applied. In addition, a datatype conflict handler may now be specified which can control how conflicts of applied datatypes should be handled. (GP-4051)

Basic Infrastructure. Upgraded to FlatLaf 3.2.1. (GP-3645, Issue #5539)

Basic Infrastructure. Upgraded Guava to 32.1.3. (GP-4053)

Build. The Ghidra Software Bill of Materials (SBOM) now includes entries for Ghidra's module jars. Jar descriptions are also now provided when available. (GP-3824, Issue #5513)

CodeCompare. The Decompiler Diff View now supports searching via Ctrl-F. (GP-4000)

CodeCompare. Fixed Function Comparison Window to not initially show the same function in both windows. (GP-4005)

Debugger. Introduced a plugin/service that supports proper Terminal Emulation (in contrast to the current Interpreter Panel plugin). (GP-1977)

Debugger. Added process name to Objects display. (GP-3895, Issue #5817)

Debugger. Added console display for exceptions. (GP-3896, Issue #5817)

Debugger:Emulator. Fixed issue starting the Emulator when the PC is in an overlay space. (GP-3904)

Debugger:GDB. Changed Trace RMI plugin for GDB to better obtain module base addresses. (GP-3725)

Debugger:Registers. Go-To actions from Registers panel now honor Force Full View setting from Regions panel. (GP-3886, Issue #5817)

Decompiler. Tokens labeling switch case values in the Decompiler window now support navigation and hovering and can be used to rename or retype the switch variable. (GP-3680, Issue #5286)

Decompiler. Added toggle buttons to quickly change the Eliminate unreachable code and Respect readonly flags Decompiler settings. These settings are local to the Decompiler view and will not persist in the tool. (GP-3919)

Decompiler. Added formatting options for braces, { and }, in Decompiler output. (GP-3965, Issue #1240, #1937, #1938, #4914, #81)

Demangler. Updated the GNU Demangler binary used by Ghidra to version 2.41. (GP-3577)

Demangler. Revised signature source type applied by GNU demanglers to ANALYSIS instead of IMPORTED. (GP-4139)

Exporter. The C/C++ exporter now includes equate definitions if data types are being emitted. (GP-3010, Issue #4878)

Extensions. Added a classpath isolation option for Extensions (settable in launch.properties). (GP-3623)

FileSystems. The dyld_shared_cache filesystem can now extract files for stubs and standalone data. (GP-3860)

GUI. Updated the tool windows to remember when they are fully maximized. (GP-2840, Issue #293, #3788)

GUI. Updated data type tooltips and previews to show size in hex as well as decimal. (GP-3763, Issue #5682)

GUI. Added Collapse and Expand actions to trees. (GP-3812, Issue #5731)

GUI. Added askValues() method to GhidraScripts which allows the script to show a dialog for entering multiple values with a single dialog. (GP-3924)

GUI. Fixed issue with program graph issuing location events in response to receiving location events. (GP-4021)

Importer. Improved library-import log messages. (GP-3910)

Importer:ELF. Completed additional changes to ELF Header code to eliminate unsupported mutability. (GP-3620)

Importer:Mach-O. When loading System Libraries From Disk on macOS, the dyld_shared_cache will be searched for in more default locations. (GP-3909)

Importer:Mach-O. The MachoLoader now uses binding information (if present) to associate libraries with imported symbol name without the need for those libraries to be already present/loaded in the project. (GP-3912)

Importer:Mach-O. The MachoLoader can now load binaries with obfuscated segment and section names. (GP-3926, Issue #3876)

Languages. Removed use of PC as having a valid value in SuperH and M68000. (GP-4049, Issue #5891)

Listing. Added options for disabling various EOL Auto-Comments. (GP-3531)

Listing. Corrected operand markup of offcut instruction references which failed to respect the Display Namespace operand field option. (GP-3985, Issue #5886)

Memory. Updated overlay address space support to allow multiple memory blocks to reside within a single overlay space. (GP-3903)

PDB. Changed the PDB data types processing to use a resolve-as-you-go model, eliminating the dependency graph and the need for holding onto the PDB types within the processing model. The benefits of this change are being made available by other improvements. In addition, changes have been made to improve the accuracy of some data types. (GP-3715)

PDB. In order to reduce memory consumption, modified PdbReader to load certain components and data structures only when needed and provided some iterators to consumers such as PDB Universal Analyzer. (GP-3995)

Processors. Added language module for the Tensilica Xtensa processor. (GP-1062, Issue #1407, #5442)

SARIF. Added support for SARIF data export/import. (GP-3832)

Version Tracking. Updated AutoVersionTrackingScript to create implied matches if option is chosen by the user. (GP-3765)

Version Tracking. Improved and sped up the AutoVersionTracking algorithm to determine and apply good matches from the possible matches returned from the DuplicateFunctionMatchCorrelator. (GP-3854, Issue #5857)

Version Tracking. Added numerous options to Auto Version Tracking that can change which correlators are used and control their individual options. (GP-3934)

Version Tracking. Auto Version Tracking now applies implied matches if the minimum number of votes and maximum number of conflicts conditions are met, as determined by the chosen options. (GP-3953)

Version Tracking. Updated Auto Version Tracking to check related associations for already-accepted matches before accepting new matches. (GP-4008, Issue #4875)

Version Tracking. Improved default Version Tracking session name generated by new session wizard. (GP-4091)

Bugs

Analysis. Fixed StackOverflowError encountered when processing self-referencing Golang slices. (GP-3906, Issue #5847)

Analysis. Fixed function body computation for functions with instructions that branch into delay slots; for example, the Fujitsu FR processor. This affects both function creation and the computation of an Undefined Function for the Decompiler when no function is currently defined. (GP-3962, Issue #5866)

Analysis. Fixed evaluator check before using it in constant analysis. (GP-3970)

Build. Fixed nodepJar task dependencies for Gradle 8. (GP-3977, Issue #5902)

Data Types. Corrected self-referencing data type resolution issue for function definitions which could result in datatype errors. (GP-4078, Issue #5927)

Debugger. Fixed when Control Target can be selected. (GP-4099)

Debugger:Agents. Fixed GADP agent launch scripts to pass arguments through. (GP-4132, Issue #6016)

Debugger:dbgeng.dll. Fixed an error that resulted in quotes being stripped from command-line arguments for dbgeng/dbgmodel. (GP-3846, Issue #5789)

Debugger:dbgeng.dll. Created better updating strategy for dbgeng/model memory. (GP-3899, Issue #5817)

Debugger:Emulator. Fixed issue with resuming after performing p-code steps in the Emulator. (GP-3706)

Debugger:GDB. Made fixes in preparation for changes coming in gdb-14. (GP-3690)

Debugger:GDB. Fixed line ending for Cygwin GDB. (GP-3825, Issue #5755)

Debugger:Objects. Fixed Elements table in Model provider to display array contents. (GP-3932)

Debugger:Registers. Fixed copied values from Registers panel to conform to display settings. (GP-3874, Issue #5820)

Decompiler. Fixed bug in conditional constant propagation that could affect switch recovery. (GP-3840, Issue #5514)

Decompiler. Fixed improper rendering of expressions involving pointer-to-array data-types in Decompiler output. (GP-3842, Issue #5591)

Decompiler. Fixed bug causing "Could not finish collapsing block structure" exceptions. (GP-3911)

Decompiler. Fixed "<unionfacetsymbol> does not have a union type" exception caused by deleting a union data-type. (GP-3942, Issue #5636)

Decompiler. Fixed bug in the brace-highlighting action for the Decompiler window that could cause it not to be able to find matching braces. (GP-3945, Issue #5643)

Decompiler. Fixed bug in Decompiler that could cause crashes when analyzing NaN operations. (GP-3981)

Decompiler. Fixed a bug that causes the Decompiler to fail on some systems with a "Datatype must have a valid id" exception. (GP-4020)

Decompiler. Fixed an infinite loop in the Decompiler caused by small parameters getting passed to subfunctions via larger registers containing stale values in their upper bytes. (GP-4102, Issue #5934)

Decompiler. Fixed a bug that could cause the Decompiler to crash when printing pieces of a dynamic symbol. (GP-4119, Issue #6005)

Demangler. Fixed GNU Demangler analysis live-lock issue. (GP-4071, Issue #5987)

Documentation. Fixed field constraint example in the Sleigh documentation. (GP-4046, Issue #5933)

Eclipse Integration. Ghidra can now launch Eclipse Ubuntu snap installations from the Script Manager. (GP-3473)

Eclipse Integration. The GhidraDev Eclipse plugin now prevents unsupported versions of PyDev from being used. Supported versions are 6.3.1 - 9.3.0. PyDev 10.0 and later no longer support Python 2. (GP-4062, Issue #5980)

Eclipse Integration. The GhidraDev Eclipse plugin no longer throws an IOException when performing a Link Ghidra action on a Ghidra project whose original Ghidra installation moved. (GP-4063, Issue #5981)

Exporter. Proper C-syntax is now used on structs exported to a header file when they contain a pointer to an array field. (GP-3608, Issue #5248)

GUI. Fixed the Data Types Exact Match filter to not include the archive name. (GP-3764, Issue #5685)

GUI. Updated GTableHeaderRenderer to fix an incorrect cast to Component. (GP-3819, Issue #5539)

GUI. Fixed bug in the Find Dialog that caused incorrect text to be selected when pressing Enter for a previous match. (GP-3856)

GUI. Fixed JTextArea not responding to theme font changes. (GP-3908)

GUI. Fixed incorrect Version Tracking foreground color in the Markup Items Table. (GP-3933, Issue #5865)

GUI. Updated how the tool saves window size information to allow better toggling between full-screen modes. (GP-3958, Issue #5879, #5890)

GUI. Fixed the Listing's Auto Comment color for the CDE/Motif theme. (GP-3959, Issue #5903)

GUI. Fixed Structure Editor bugs. Also updated the search to use the default field name as part of the search-matching. (GP-3967, Issue #5715)

GUI. Fixed an issue in the Function Editor dialog that caused incorrect parameter values to be assigned when cancelling an edit. (GP-4041)

GUI. Updated the Note Bookmark dialog to allow users to press Enter to close the dialog when the Category field is focused. (GP-4048, Issue #5962)

GUI. Fixed an issue that caused importing a file via drag-and-drop to silently fail on some Linux distributions. (GP-4066)

GUI. Fixed an IndexOutOfBoundsException that sometimes occurred while adding new entries to the Bundle Manager table or while opening a CodeBrowser tool that included an open Bundle Manager window. (GP-4075, Issue #5956)

Headless. The Headless Analyzer can now recurse into supported GFileSystem container files when a recursion depth of one or more is specified on the command line. (GP-3273, Issue #5167)

Importer. Importing libraries that are referenced by absolute path (such as with Mach-O) now get saved to the project with their folder structure intact. This fixes a potential DuplicateKeyException that could occur when using a Recursive Library Load Depth greater than 1, and removes any ambiguity that could occur when linking a program to its libraries. (GP-3922)

Importer. Fixed an uncaught InvalidPathException that could occur when loading libraries during import. (GP-4050, Issue #5894)

Importer:ELF. Corrected ELF object module GOT allocation for x86-64 object modules during relocation processing. (GP-4118, Issue #5961)

Importer:Mach-O. The MachoLoader now creates thunks on stubs. (GP-3248, Issue #3146)

Importer:PE. Fixed an exception that could sometimes occur when parsing PE files containing debug line number information. (GP-3963, Issue #5899)

Languages. Corrected MIPS pcode for di and ei instructions. (GP-3875)

Languages. Corrected stack pointer update in alloca_probe x64 windows callfixup. (GP-3915, Issue #5844)

Languages. Updated x86 register addressing for ST and MM registers to achieve proper overlap. The upper 16-bits of the ST registers still remain unaffected by MMX instructions which write to the MM registers. (GP-3956)

Multi-User. Corrected potential NullPointerException in Ghidra Server command proceesor. (GP-4056, Issue #5974)

PDB. Fixed memory performance issue created in 10.4. (GP-3890)

Processors. Implemented x86 FINTRZ instruction. (GP-3387, Issue #5205)

Processors. Corrected x86 POP instructions with operands that use the stack pointer. (GP-3677, Issue #4282)

Processors. Fixed missing ARM cbz instruction in the manual index file. (GP-3724)

Processors. Added test-register support back into the x86 processor module. (GP-3784, Issue #5662)

Processors. Fixed issue with 6x09 processor module STU instruction storing the X register instead of the U register. (GP-3786, Issue #5671)

Processors. Added ELF relocation support to Loongarch processor module (GP-3804)

Processors. Replaced or implemented count-leading-zeroes and count-leading-ones instructions with proper pcode operator in several languages. (GP-3879, Issue #5790)

Processors. Changed MIPS TEQ zero, zero into a trap, always-goto flow. (GP-3948)

Processors. Several fixes for some PowerPC VLE instructions (GP-3999, Issue #2843)

Processors. Added the x86 MMX register MXCSR to the compiler global list so that manipulations persist in the decompiled output. (GP-4018)

Processors. Fixed RISC-V custom-0 instruction patterns. (GP-4047, Issue #5932)

Processors. Fixed PIC24 DOEND register offset (GP-4054, Issue #5213)

Processors. Minor fix for the AVR8 DES instruction semantics. (GP-4055, Issue #5235)

Project. Corrected issue with ProjectLocator when using projects located in root directory. (GP-3914, Issue #5802)

Scripting. FixOldSTVariableStorageScript.java Ghidra script has been made available for users to run against x86 Programs created prior to Ghidra 10.0.3. This script will fixup ST0... ST7 variable storage addresses which were not properly migrated during an x86 language revision. (GP-3949, Issue #5640)

Search. Fixed incorrect template implementation of GenericByteSequencePattern. (GP-4024)

Sleigh. Fixed a bug in the Sleigh compiler preventing the declaration of bit-range symbols when their size was not a multiple of 8 bits. (GP-8, Issue #1144, #660)

Sleigh. Added pure 32-bit PowerPC e500mc processor variant (GP-3068)

Sleigh. Fixed stacktrace when a pcode pseudoOp has more than eight parameters. (GP-3986)

Version Tracking. Fixed Version Tracking Undo issue where running a correlator and accepting matches then undoing the results and then rerunning the correlator resulted in incorrectly blocked matches. (GP-3827)

Version Tracking. Fixed bug in Version Tracking matches table that prevented saved filters from being applied. (GP-3901)

Ghidra 10.4 Change History (September 2023)

New Features

Analysis. Swift Type Metadata is now marked up. (GP-2085)

FileSystems. Added cramfs support. (GP-3328)

FileSystems. The File System Browser now supports the Add To Program action. (GP-3730)

Importer. Created parsers and analyzers for Device Tree Blob (DTB) and Flattened Device Tree (FDT) binaries. (GP-1436)

Listing. Added ability to reduce an instruction's length to facilitate overlapping instructions. This can now be accomplished by specifying an instruction length override on the first instruction and disassembling the bytes which follow it. The need for this has been observed with x86 where there may be a flow around a LOCK prefix byte. (GP-3256)

Improvements

Analysis. Added support for Golang 1.17 binaries. (GP-3288)

Analysis. Added call fixups for GCC's spectre-mitigating thunks in x86 and x64. (GP-3320, Issue #299)

Analysis. Added support for Golang 1.19 and 1.20. (GP-3504)

Analysis. Developed additional ARM function start/end patterns. (GP-3805)

Analysis. Fixed PPC Analyzer to create the correct size undefined data type for a read/write reference. (GP-3845, Issue #5425)

API. Undo/Redo now show lists of transactions that can be undone or redone. (GP-3521)

Build. Fixed the buildHelp gradle task to correctly check for up-to-date inputs. (GP-3430)

Data Types. Added ability to establish source archive association when non-sourced data type dependencies get copied into an archive during a commit operation. (GP-3796, Issue #5675)

Debugger. Fixed Copy Into New Program action to use Dynamic Listing for its default context. This means the Dynamic Listing does not have to have focus for those actions to be enabled. (GP-1528)

Debugger:Modules. Changed mapper to use proper local ghidra:// URLs. No more "!" in them. (GP-3695)

Debugger:Trace. Removed the TraceFunction part of the Trace API. (GP-3351)

Decompiler. Removed the limitation preventing the Decompiler from analyzing functions where the this parameter refers to a placeholder class structure. (GP-3590, Issue #5403, #5475)

Decompiler. Added Decompiler support for return value storage at an explicit stack offset relative to the callee's stack pointer. (GP-3613, Issue #1962)

Decompiler. Added a callfixup for __RTC_CheckEsp in x86win.cspec and updated GraphASTScript.java. (GP-3752, Issue #5657)

FileSystems. Libraries extracted from the dyld_shared_cache filesystem now have chained fixups applied. (GP-1574)

FileSystems. Libraries extracted from the dyld_shared_cache filesystem now contain an optimized __LINKEDIT segment, resulting in a significantly smaller binary. (GP-3587, Issue #4175)

FileSystems. Libraries extracted from the dyld_shared_cache filesystem now contain local symbol information, which reduces the occurrence of <redacted> primary symbols. (GP-3728)

GUI. Added accessibility support to the FieldPanel component, which is the base component for the Listing, Byte Viewer, and Decompiler. (GP-2129)

GUI. Simplified the Listing's Plate Field word wrapping. (GP-3425, Issue #5299)

GUI. Added the Address w/ Offset Copy Special action. (GP-3515, Issue #5364)

GUI. Added a filter for the Memory Map provider table. (GP-3755)

Importer:ELF. Added support for ELF R_AARCH64_MOVW_UABS_Gn relocations. (GP-3435, Issue #3545, #3546, #5292)

Importer:Mach-O. Libraries can now be loaded from both local directories and GFileSystems. This enables loading, for example, Mach-O libraries directly from within the dyld_shared_cache file(s). (GP-2277, Issue #4162)

Importer:Mach-O. Improved markup for Mach-O load command data. (GP-3565)

Importer:Mach-O. Added more options to the DyldCacheLoader so its performance can be better controlled by the user. (GP-3566)

Importer:Mach-O. The MachoLoader now supports threaded binding (BIND_OPCODE_THREADED). (GP-3701, Issue #5558)

Languages. Updating the PowerPC index to reference the latest manuals. (GP-3296)

PDB. Improved disassembly and function creation in presence of non-returning functions. (GP-3604)

Processors. Added instruction manual indices for ColdFire instructions. (GP-3327)

Processors. Addressed unnecessary x86 LOAD ops preventing certain decompiler transformations. (GP-3822, Issue #5433)

Scripting. Updated RecoverClassesFromRTTIScript to improve class structure creation for GCC programs. (GP-3464, Issue #5642)

Scripting. Updated RecoverClassesFromRTTIScript to make sure all class thiscall functions are using the class structure created by the script. (GP-3777)

Sleigh. Replaced implementations of _fxsave and _fxsave64 with defined p-code ops in ia.sinc. (GP-3733, Issue #5208)

Version Tracking. Changed Auto Version Tracking duplicate function match to not process overly large duplicate match sets that can be extremely time-consuming. (GP-3527)

Bugs

Analysis. Changed function body creation when functions overlap to favor contiguous functions. Previously, overlapping functions bodies were arbitrary based on order of creation. (GP-2823)

Analysis. Allow values that have the low bit set to be pointers if they are at the top of a function on ARM and MIPS. (GP-3766)

API. Added Function body restrictions to ensure it is contained within a single address space. (GP-567, Issue #2577, #5051)

API. Fixed issue where front end plugins were not having their dispose methods called when exiting Ghidra (GP-3343)

Data Types. Fixed alignment of 8-byte datatypes for 32-bit Windows data organization. (GP-3449)

Data Types. Eliminated use of data type aligned-length when adding components to a non-packed structure. This should allow arbitrary component placement when packing is disabled. (GP-3726, Issue #5602)

Data Types. Corrected problem with the decode of subnormal floating point values. (GP-3775, Issue #5647)

Decompiler. The Decompiler no longer automatically simplifies away code performing NaN tests. (GP-3019, Issue #4588)

Decompiler. Fixed a bug in the Decompiler where assignments to local variables on the stack could be incorrectly reordered before calls. (GP-3429, Issue #5237)

Decompiler. Fixed variable merging bug in the Decompiler that could cause "Unable to merge address forced indirect" exceptions. (GP-3682, Issue #5588)

Decompiler. Fixed bug causing segmentation faults in the Decompiler triggered by Golang binaries. (GP-3783)

Demangler. Fixed minor GNU Demangler parsing bug that caused && to get added to function pointers. (GP-3650)

Eclipse Integration. Exporting a Ghidra Module Extension with the GhidraDev Eclipse plugin produces an intermediate build directory within the project. This build directory now gets automatically cleaned up to avoid Ghidra runtime/debugging issues. (GP-3523, Issue #5327)

Eclipse Integration. The Ghidra Front-End GUI now prevents installation of extension source (unbuilt) directories. (GP-3852)

Framework. Fixed issue preventing Enum Editor actions from appearing in the Key Bindings options. (GP-3708, Issue #5638, #5639)

Graphing. Changed graph DOT exporter to rename our Name attribute to a label attribute, which is what DOT graphs use for display. Also, cleaned up vertex label display when in compact mode and added the vertex id in the tooltip. (GP-3779, Issue #5678)

GUI. The Comments dialog now uses the selected comment text when adding a new annotation. (GP-3560, Issue #5439)

Importer. User can now correctly Add To Program with Microsoft Module-definition (.def) files. Several parsing bugs with this file format were also fixed. (GP-3826, Issue #5676)

Importer:ELF. Made significant improvements to ELF RISCV relocation support. (GP-3707, Issue #3816)

Importer:ELF. Corrected ELF R_RISCV_RVC_BRANCH relocation processing. (GP-3792, Issue #5701)

Importer:ELF. Updated ELF Loader to convert non-displayable ASCII symbol name characters to ASCII Control Characters (e.g., ^A) instead of discarding symbol with an error. Import log will report use of modified name when this occurs. (GP-3793, Issue #5619)

Importer:Mach-O. Improved support for loading Apple watchOS binaries. (GP-3630)

Misc. Fixed bug in table sorting where data could be corrupted if the sort was cancelled before it completed. (GP-3685)

Processors. Fixed issue with M68000 reading from memory multiple times per instruction. (GP-3219, Issue #2492)

Processors. Fixed mnemonic for PowerPC VLE e_sthu instruction. (GP-3434, Issue #5247)

ProgramDB. Data may now be created in a Byte-Mapped Memory Block using a Dynamic datatype. This was previously disallowed due to an ambiguous initialized-memory check. (GP-3208)

Project. Changed project data store close/dispose behavior to resolve issues with open programs getting disconnected by closing of associated project store. Changed GhidraScript.askProgram to always require proper use of Program.release(Object consumer) by scripts which use it. Script's failure to release a program will prevent proper resource disposal. (GP-3697)

Scripting. Fixed ShowConstUse script back-tracking through MultiEqual pcode operations to handle multiple inputs to the same location. (GP-3503, Issue #5242)

Search. Fixed findBytes() to honor the search limit when used regular expressions. (GP-3797, Issue #5672)

Ghidra 10.3.3 Change History (August 2023)

Improvements

Analysis. Fixed potential infinite loop in clear flow and repair if the function found to be non-returning is cleared. (GP-3578)

Debugger:Listing. The items in the Auto-Read Memory drop-down menu are now consistently ordered. (GP-3721)

Debugger:Modules. Added a Mapping column in the Modules window. (GP-3436, Issue #5330)

Decompiler. Decompiler now prints Equate values using constant syntax highlighting. (GP-3679, Issue #5059)

GUI. Updated the Enum Editor to trim whitespace in the name field. (GP-3762, Issue #5650, #5679)

Languages. Added Debugger GNU language mapping mips:3000 to the mips.ldefs specification file in support of 32-bit MIPS processor (default variant). (GP-3453, Issue #5337)

Version Tracking. Improved Version Tracking function signature Apply Markup action to work correctly when both the source and destination functions use custom storage. (GP-3662, Issue #5559)

Bugs

Analysis. Fixed x86 CALL <nextaddr>; POP EBX position-independent code issue that was replacing the branch with a data reference which caused bad code flow. (GP-3687)

Data Types. Corrected issue related to setting architecture immediately after data type archive creation where data types were added. The architecture setting failed to be retained and the existing data types failed to be adjusted. (GP-3727)

Debugger. Fixed issue with default launcher command line when binary name contains spaces. (GP-3553, Issue #5460)

Debugger:Agents. Removed MODULE_[UN]LOADED events (these duplicate elementsChanged on the Modules node). Fixed NullPointerException log messages from library-load events in GDB connector. (GP-3666)

Debugger:Emulator. Fixed display of p-code op listing in P-code Stepper when using Dark Mode. (GP-3592)

Debugger:Emulator. Fixed issue launching emulator with certain architectures with multiple address spaces. (GP-3656, Issue #5556)

Debugger:Emulator. Fixed indirect branching issue when operand size doesn't match PC size. (GP-3700, Issue #5609)

Debugger:GDB. Using a better strategy for module base computation using memory mappings when available. (GP-2223, Issue #5284)

Debugger:Listing. Fixed issue with overlapping module and PC labels in Dynamic Listing and memory viewers. (GP-3469)

Debugger:Listing. Fixed hover in address field of Dynamic Listing with multiple address spaces. (GP-3661)

Debugger:Listing. Fixed issue where address-tracking drop-down cannot be accessed when certain watches are configured; e.g., (RSP+8)+8. (GP-3720)

Debugger:Modules. Fixed issue using Debugger with programs in a shared project. (GP-3664, Issue #5585)

Debugger:Watches. Fixed bug where watches cannot be assigned a type without an active trace. (GP-3718)

Decompiler. Fixed a bug preventing the Decompiler from simplifying double-precision shifts. (GP-3688, Issue #5473)

Decompiler. The Decompiler no longer tries to infer a symbol reference for a constant if a function signature indicates the constant is not a pointer. (GP-3735)

Emulator. Fixed another context flow issue in the Emulator's decoder. (GP-3716)

GUI. Fixed the Flat Dark Theme color of the Version Tracking Matches table's filter field. (GP-3550, Issue #5560)

GUI. Fixed general Structure Editor bugs when using Tab to navigate while editing. (GP-3647, Issue #5566)

GUI. Fixed broken table navigation in the Function Tags dialog. (GP-3683, Issue #5613)

GUI. Fixed incorrect rendering of delimiter fields in table filter options. (GP-3684, Issue #5614)

GUI. Fixed an exception in the Function Call Graph when using the Start Fully Zoomed In mode. (GP-3768)

Headless. Fixed several OSGi-related exceptions that could be thrown when running many instances of analyzeHeadless in parallel. (GP-3653)

Languages. Fixed ARM vcvt instruction semantics. (GP-3729)

Languages. Removed LDS/STS instructions from AVR8 in preparation for AVRtiny support. (GP-3746, Issue #5231)

Processors. Fixed issue with 6809 pshu sometimes pushing to the S register. (GP-3556, Issue #5467)

Processors. Fixed regression in 6x09 compare instructions. (GP-3642)

Processors. Fixed instruction operand parsing for AARCH64 fcadd and fcmla instructions. (GP-3652, Issue #5428)

Processors. Fixed disassembly of x86 LIDT, LGDT, SIDT, and SGDT instructions. (GP-3655, Issue #5577)

Scripting. Fixed a bug that could result in the Python scripting environment using invalid script bundle paths. (GP-3619)

Ghidra 10.3.2 Change History (July 2023)

Improvements

Debugger:Emulator. Fixed bug when starting the Emulator for processors having small memory spaces. (GP-3437, Issue #5331)

Extensions. Updated Extension installation to allow users to bypass the version compatibility check. (GP-3466, Issue #1193)

Importer:Mach-O. The MachoLoader now supports the __chain_starts section. (GP-3568)

PDB. Updated PDB maximum page size to 8 KB. (GP-3603)

Scripting. Added askPassword method to GhidraScript API. (GP-3295)

Bugs

Analysis. Corrected an issue which could result in a duplicated imported symbol within the EXTERNAL memory block for what should be a default thunk function. (GP-3302)

Analysis. Fixed problem with Branch/Return analysis infinite loop waffling on some ARM binaries. (GP-3582)

Analysis. Fixed creation of incorrect function bodies which included addresses with data from flow into non-disassembled code. Also fixed PowerPC disassembly from computed flow in certain circumstances. (GP-3599, Issue #5441)

Analysis. Very large functions that run out of address space IDs used for tracking constants will now only log one error message. (GP-3605)

API. Corrected CreateFunctionCmd issue which could fail with the "Function body must contain the entrypoint" error. (GP-3591, Issue #5412)

CParser. Allow pragma keyword in more places, allow parentheses in #pragma, and fixed silent parse failures. (GP-2808, Issue #4692, #5454)

CParser. Fixed CParser to handle multi-line #pragma directives. (GP-3611, Issue #5524)

CParser. When using the CParser to parse header files directly into a program, the program's processor architecture is now used. (GP-3612, Issue #5502)

Debugger. Cleaned up old Troubleshooting entries in Help. (GP-3468)

Debugger:Listing. Fixed regression in dynamic disassembly of WoW64 targets. (GP-3583)

Debugger:Stack. Fixed various stability and error reporting issues with stack unwinding and runtime value hovers. (GP-3407, Issue #5332)

Debugger:Stack. Fixed several issues in Debugger/Emulator GUIs when using/emulating an architecture with a memory-mapped PC register. (GP-3572, Issue #5410)

Debugger:Stack. Fixed NullPointerException when varnode has no high variable during stack unwinding. (GP-3576, Issue #5487)

Debugger:Watches. Fixed restoration of Watch DataType when it comes from the restored Trace. (GP-3588)

Decompiler. Fixed a bug in the Decompiler where combined constant assignments to an array or structure were incorrectly split out on big endian architectures. (GP-3609, Issue #5424)

Emulator. Fixed issue in Emulator's instruction decoder regarding context. (GP-3571)

GUI. Fixed exception when performing the Convert to Class action in the Symbol Tree while the tree had a filter applied. (GP-3589, Issue #5480)

Importer:ELF. Fixed incorrect error message during import regarding ELF build-ID length. (GP-3546)

Importer:ELF. Corrected exception and ELF GOT allocation issue which could prevent import of X86-64 object modules which contain GOT-based relocations (e.g., R_X86_64_GOTPCREL). (GP-3610, Issue #5519)

Importer:Mach-O. Fixed a regression in the Mach-O Loader that was causing incorrect DYLD_CHAINED_PTR_64_KERNEL_CACHE fixups. (GP-3598)

Importer:PE. Fixed a timestamp encoding bug that caused PE symbol .exports files to not get matched and applied in some circumstances. (GP-3552, Issue #5351)

Importer:PE. Failing to parse PE ExceptionDataDirectory no longer prevents the import from finishing. (GP-3584, Issue #5483, #5496)

Processors. Fixed ARM Neon Thumb vdup instruction, which was using the wrong bits for register value. (GP-3524, Issue #5420)

Processors. Fixed 6x09 leax and leay instructions to update zero flag. (GP-3525, Issue #5414)

Processors. Corrected 6809 macros compare flags and two-byte push/pops in big endian architecture variant. (GP-3606, Issue #5508)

Processors. Fixed flags for the 6809 processor left-shift instructions. (GP-3621, Issue #5523)

Ghidra 10.3.1 Change History (June 2023)

Improvements

Debugger:LLDB. Upgraded SWIG-generated Java (plus docs) to LLVM/lldb 16.x. (GP-3442, Issue #5359)

Decompiler. Added an option to the Decompiler, controlling the maximum size of jumptable that can be recovered. (GP-3266)

Decompiler. Improved Decompiler function call-override to consider calling convention when differentiating function signatures. (GP-3268, Issue #5335)

Decompiler. The Decompiler now respects tool options for shortening template strings within symbol names. (GP-3369)

Importer:ELF. Added Max Zero-Segment Discard Size import option to ELF Loader. Value was previously hard-coded to 255 bytes. (GP-3428, Issue #5273)

Importer:Mach-O. Restored Mach-O indirect symbol creation when binding information is not present, such as when importing a DYLIB extracted from a dyld_shared_cache. (GP-3526)

Languages. Added windows__stdcall calling convention as an alias to the default calling convention for aarch64 and x86-64. (GP-3472)

Scripting. Improved the RecoverClassesFromRTTIScript recognition of special vtables when they are in memory blocks not tied to imported file bytes. (GP-3463)

Scripting. Mitigated a RecoverClassesFromRTTIScript issue where mangled typeinfo names were not always getting extracted from memory when more than one bad data type was created over the memory containing the mangled string. (GP-3467)

Bugs

Analysis. Fixed regression when functions are set as inline that can cause lockups: during analysis, with use of stack depth field, and for Set Stack Depth Change action. (GP-3499, Issue #5378, #5400, #5401)

CParser. Fixed C header file parsing of pragma lines when a comma is found outside of parentheses. (GP-3541, Issue #5427)

Data Types. Corrected issues related to data organization retention and upgrade for data types. (GP-3506)

Debugger:GDB. Reduced frenetic queries for module info at launch time. Fixed 00000000 values in module ranges. (GP-3448, Issue #4456, #5357)

Decompiler. Fixed bug that could cause errors in constant calculations involving 128-bit or larger registers. (GP-3426, Issue #3492)

Decompiler. Fixed a bug that could prevent recovery of a switch if the variable is written indirectly through a pointer alias. (GP-3441, Issue #5307)

Decompiler. Corrected 10.3 regression when Edit Function Signature is invoked from Decompiler, which may ignore the calling convention used with current function decompilation. (GP-3454, Issue #5367)

Decompiler. Fixed hashing bug causing inconsistent results with Force Field action in the Decompiler. (GP-3508, Issue #5372)

Documentation. Fixed missing return in termmines.c exercise file. (GP-3444, Issue #5343)

Exporter. Fixed a regression in the Original File exporter that prevented it from working when unapplied relocations were present in the relocation table. (GP-3446, Issue #5346)

GUI. Fixed bug where Ghidra did not prompt to save GUI Theme changes when exiting via a menu versus the window X (Close Window) button. (GP-3477, Issue #5377)

GUI. Updated the Python Interpreter prompt to use less space. (GP-3509, Issue #5379)

GUI. Fixed issue with menu bar colors on Mac system when using Mac Aqua Look and Feel while in dark mode. (GP-3528, Issue #4454)

Importer. Fixed an exception that occurred when the MzLoader tried to split the HEADER overlay block. (GP-3447, Issue #5320)

Importer:ELF. Corrected potential exception when processing invalid ELF PT_NOTE program header. (GP-3493, Issue #5384)

Importer:ELF. Corrected bugs in ELF Android packed relocation processing and rendering of sleb128 data type. (GP-3543)

Importer:Mach-O. Fixed a regression in the Mach-O Loader that was causing incorrect DYLD_CHAINED_PTR_X86_64_KERNEL_CACHE fixups. (GP-3474)

Importer:Mach-O. Fixed an AddressOutOfBoundsException that could sometimes occur when importing the exports section of dyld_shared_cache files. (GP-3505, Issue #5392)

Importer:PE. Fixed an IllegalStateException that could occur if both Load Local Libraries From Disk and Load System Libraries From Disk options are used during import and the same library is found in both local and system directories. (GP-3445)

Importer:PE. Fixed a bug that caused PE symbol .exports files to always get deleted after import. (GP-3519, Issue #5348)

Languages. Adjusted handling of PowerPC e500 small data area pointer. (GP-3480)

Processors. Fixed operand count mismatch in some M68000 instructions. (GP-2779, Issue #4807, #4808)

Processors. Corrected issue with M68000 pea instruction with address based on SP. (GP-2955, Issue #4795)

Processors. Fixed flag issue in 6502 TSX instruction. (GP-2963, Issue #4838)

Processors. Addressed multiple issues with 8048, including fixing the movp, movp3, and jmpp instructions and correcting the implementation of the memory bank selection. (GP-3009, Issue #2423, #4825)

Processors. Fixed decoding of x86-64 popf and pushf instructions. (GP-3102, Issue #4980)

Processors. Corrected pcode for PowerPC e_stmvsprw instruction. (GP-3325, Issue #4886)

Processors. Fixed PowerPC instruction eieio decode for all valid variants. (GP-3432, Issue #4887)

Processors. Fixed issue with AARCH64 mla instruction using erroneous registers. (GP-3478)

Processors. Restored original M68000 calling convention to only use stack, and added an additional .cspec file for the optional Register ABI calling convention for ColdFire. Also added bonus function start patterns identified during testing. (GP-3532, Issue #5390)

Sleigh. Fixed SleighEditor to allow 2 to n arguments in CPOOL Sleigh operator. (GP-3534, Issue #2148)

Ghidra 10.3 Change History (May 2023)

New Features

Analysis. Initial Golang binary analysis for Go 1.18. (GP-2114, Issue #2327)

Debugger. Added breakpoint indicators to the Decompiler's margin, when used in the Debugger. (GP-1280)

Debugger. Added Debugger control actions to global toolbar. (GP-1595, Issue #3742)

Debugger. Created new independent launchers for Debugger agents. (GP-1999)

Debugger. Added ability to set node timeout. (GP-2502)

Debugger. Added class materials for the Debugger. (GP-2641)

Debugger. Added hover tooltips for variable values in the Static Listing, Decompiler, and Dynamic Listing. Added Unwind Stack action. (GP-2834, Issue #4732)

Debugger. Added ability to set initial directory and other parameters. (GP-2839, Issue #4732)

Debugger. Added a dedicated Emulator tool. (GP-3074, Issue #4931)

Debugger. Added ability to export/serve symbols and types as Volatility ISF JSON. (GP-3222)

Debugger:Emulator. Added Invalidate Emulator Cache action. (GP-2970)

Debugger:Emulator. Added Add Region and Delete Regions actions to the Regions window. (GP-3357)

Debugger:Objects. Added commands Advance to GDB, Step/Trace to Address to dbgeng/model, and Run to Address to LLDB in address context menus. (GP-1808, Issue #4056)

DWARF. Added support for some Apple-specific DWARF tags. (GP-3175)

GUI. Added theming support to Ghidra, including a dark theme. (GP-1981, Issue #4145)

GUI. By default, programs will now open to their location when last closed. (GP-2939, Issue #1196)

Pcode. Support for a new p-code operator lzcount has been introduced into SLEIGH, the Decompiler, emulation, etc. It returns the count of leading zero bits in its operand. (GP-3155, Issue #2810)

Processors. Added eBPF and BPF processors. (GP-2257, Issue #4258, #4378)

Project. Added Restore Previous Project option to the Front End Tool that controls whether or not the previously opened project is automatically restored on startup. (GP-2695, Issue #4650)

Scripting. Created AssociateExternalPELibrariesScript that associates imported library files for PE programs in order to fix up external references from the program to the libraries. This is useful for users who forgot to load the libraries on program import and want to fix up the references after the fact. (GP-3098)

Version Tracking. Updated the Version Tracking API to make extension of correlators easier. (GP-3199, Issue #4950)

Improvements

Analysis. Added support for pointer Typedef values passed as parameters to functions. (GP-2160)

Analysis. Added identification and side-effect fixes for windows AARCH64 __security_push_cookie to fix poor Decompiler and stack reference results. (GP-3124, Issue #5018)

Analysis. Added support for processing PE MinGW pseudo-relocations during auto-analysis immediately after import. (GP-3236, Issue #5155)

API. Added ability to associate a specific program architecture with a datatype archive. This allows associated types to preserve proper type sizing and alignment characteristics based upon a designated architecture. Delivered archives will reflect the architecture they were created with instead of utilizing the default data organization. (GP-1633, Issue #4898)

API. Changed FunctionDefinition and FunctionSignature to use calling convention names as strings instead of being limited to GenericCallingConvention. Also added noreturn support to these interfaces. (GP-2308, Issue #3267, #4537)

API. Added methods to TaskMonitor to address spelling inconsistencies. (GP-2982, Issue #4870)

API. Revised program Relocation table to include status and a more accurate length of affected bytes when applied. (GP-3013)

API. Added by-name index method SymbolTable.scanSymbolsByName(String startName). This has been utilized by the assembler UI to resolve a hang on large programs. (GP-3015, Issue #2630)

Basic Infrastructure. Upgraded dependencies to guava 31.1-jre (from 19.0), baksmali 2.5.2 (from 1.4.0), and dex2jar 2.1 (from 2.0). (GP-3154)

Basic Infrastructure. Improved error handling of module directories not being readable during launch. (GP-3347, Issue #5244)

Build. Added support for building with Gradle 8. (GP-2476, Issue #3527, #5003)

Build. The build now enforces a maximum-supported Gradle version. The current supported versions are Gradle 7.3 or later. (GP-3111)

Build. Ghidra can now run from development/repository mode using Gradle's compiled jars, instead of just relying on Eclipse's compilation output. (GP-3140)

C Parsing. Provided GDT archives have been updated to include new ProgramArchitecture settings for processor, data organization, and endianness. (GP-1377)

CParser. Removed unnecessary -D defines related to wchar_t from CParser prf files and GDT parsing scripts. (GP-3294, Issue #5196)

Data Types. Function definitions can now be applied from selected Category instead of only from an entire Archive. (GP-199)

Data Types. Changed Structure/Union editor to show numbers in hex format by default. Also added Shift-H keybinding action for toggling hex/decimal view. (GP-2943)

Data Types. Improved DataTypeParser to handle type names which include the :: namespace delimiter. (GP-3003, Issue #4841)

Data Types. Changed Apply Data Archives analyzer to allow user to choose a data type archive to apply to their binary during analysis. (GP-3344, Issue #5184)

Debugger. Added option to memorize a program-module association when confirming mapped modules. (GP-1527, Issue #3641, #3675)

Debugger. Improved the Go To... dialog. It now accepts simple addresses or Sleigh expressions. (GP-1539)

Debugger. Removed Guava from Debugger's dependencies. (GP-1542)

Debugger. Replaced Guava's Cache. (GP-1545)

Debugger. Improvements to allow dbgmodel kernel debugging. (GP-1768)

Debugger. Upgraded protobuf to 3.21.8. (GP-2302, Issue #4415, #4540)

Debugger. Improved default connector selection, based on current program and last successful connection. (GP-2623)

Debugger. Added remote connectivity for LLDB. (GP-2709)

Debugger. Made modifications in support of iPhone work. (GP-2870)

Debugger. Better instructions for LLDB/Swig. (GP-3055, Issue #4774)

Debugger. Made LLDB-related improvements in support of iPhone work. (GP-3063)

Debugger. Changed refresh option from boolean to RefreshBehavior enum to allow opportunistic use of caches. (GP-3142)

Debugger. Providing convenience script for LLDB builds. (GP-3247, Issue #5061)

Debugger. Changed Go To Time action to use the Time selection dialog. (GP-3317)

Debugger:Agents. Limited debug agents to accept a single GADP connection and to terminate automatically when disconnected. (GP-1976)

Debugger:Agents. API: Removed TargetObject.add/removeListener() in favor of DebuggerObjectModel.add/removeModelListener(). (GP-2752)

Debugger:Agents. Enable opportunistic uses of caching. (GP-3162)

Debugger:Breakpoints. Breakpoints window can now interact with the integrated emulator. It also supports custom Sleigh injections or conditions. (GP-2676)

Debugger:Emulator. Dynamic views can now show (lazily) loaded bytes for pure emulation. (GP-2989)

Debugger:Emulator. Moved new Emulator into its own module. (GP-3071)

Debugger:Listing. Added visual indicator when PC (or other tracked location) is not located in the listing. (GP-2750)

Debugger:Registers. Changed Registers and Watches to use pointer typedefs. This allows a user to specify the target space of a pointer, especially in Harvard architectures. (GP-2653)

Debugger:Registers. Added consideration for aliases when matching target registers to Ghidra registers. (GP-2966)

Debugger:Threads. Changed Threads, Stack, and Time panes to require double-click to activate the selection in the rest of the UI. (GP-3018)

Debugger:Trace. Replaced Range<T> with Lifespan, ULongSpan, KeySpan, FieldSpan, etc. (GP-1543)

Decompiler. Compiler specification (cspec) files allow more flexibility when describing overlapping parameter-passing storage locations. (GP-2544, Issue #4568)

Decompiler. Decompiler analysis of functions with multiple switch statements is substantially faster in many cases. (GP-2560, Issue #4558)

Decompiler. The Decompiler can now split a copy operation that simultaneously moves multiple fields in a structure or multiple elements of an array. (GP-2563, Issue #3884)

Decompiler. The Decompiler propagates constants, in more situations, into blocks that are executed conditionally. (GP-2603, Issue #4527)

Decompiler. Added DecompilerStackProblemsFinderScript, which searches the decompiled code for certain local variables that can be indicators of stack analysis issues. (GP-2697)

Decompiler. Added Decompiler actions to convert constants to Double and Float. (GP-3001, Issue #3689)

Decompiler. The Decompiler's Rename actions now allow the user to reclaim an automatically generated name on another symbol. (GP-3224, Issue #4863)

Diff. Added ability to initiate a Program Diff with another program selected from a list of compatible open programs already open in the tool. (GP-2897)

DWARF. Added support for ELF-compressed sections. (GP-2363, Issue #3659, #4460)

Eclipse Integration. Eclipse now recognizes test source folders. (GP-3130)

ELF. Added support for tagging ELF informational sections. Added support for Golang metadata in ELF binaries. (GP-2111)

Exporter. The PE and ELF exporters have been replaced by a new Original File Exporter that will work on all programs that store original file bytes. The Original File Exporter has an option to export both user-modified bytes as well as original bytes. (GP-2770)

Graphing. Upgraded jungrapht-visualization and jungrapht-layout to version 1.4. (GP-3249, Issue #5156)

GUI. Improved support for Ghidra URLs and their use in comment annotations. (GP-2509)

GUI. Updated the Navigation History Plugin's maximum history limit. (GP-2843)

GUI. Improved table-sorting performance. (GP-2908, Issue #4782)

GUI. Updated the Structure Editor to maintain the table selection during external updates. (GP-2945, Issue #4820)

GUI. Added new feature where programs can automatically go to a newly discovered start symbol (e.g., "main") after analysis completes. If the user has navigated to another program location before analysis completes, a popup dialog will appear asking if the user would like to go to the new symbol. Both of these behaviors can be turned off via the Navigation tool options. (GP-3064)

GUI. Added ability for default tool launch (e.g., project file double-click) to reuse existing tool instead of always launching a new tool. This behavior controlled via Project Window Default Tool Launch Mode option. (GP-3080)

GUI. Updated the Memory Map table to use a fixed-width font for the Start, End, and Length columns. (GP-3103)

GUI. Updated Create Enums From Selection action to handle duplicate-named enum entries when merging selected enums together into a new enum. (GP-3204, Issue #5036)

GUI. Added a Front End tool option to disable application-wide tooltip popups. (GP-3254, Issue #5095)

GUI. Fixed several issues with enums and the GUI for editing them. The API supported both unsigned and signed enums, but the GUI only supported unsigned enums. Also added extra checking so that enums can't support negative values and large unsigned values at the same time. (GP-3255, Issue #3806)

GUI. Clicking a sound icon in the Listing will now stop any currently playing sound. (GP-3393, Issue #5278)

Importer. Headless Ghidra and the AutoImporter API now support loading more than one program, such as when importing a program results in additional libraries getting loaded. (GP-2877, Issue #4929)

Importer. The OMF Loader now handles LPUBDEF symbols. (GP-2976, Issue #4854)

Importer. The OMF Loader now handles unsupported/unknown record types more gracefully. (GP-2997, Issue #4856, #4857)

Importer. Improved GZF/GDT import and export to allow unforced upgrade of older files. This is particularly important when a user has a version-sensitive issue and needs to have the project file triaged. (GP-3034)

Importer. The OMF Loader now handles CEXTDEF symbols. Known functions are now also created by the OMF loader to improve analysis. (GP-3117, Issue #4912)

Importer. Made improvements to the OMF Loader's relocation handler. (GP-3141, Issue #4909)

Importer. Improved support for loading old-style DOS MZ binaries. (GP-3353, Issue #5229)

Importer:ELF. Eliminated the public mutability and writing of ELF Headers whose implementation is not well suited for this in the absence of any ELF Linker support or related processor extension API. (GP-3152)

Importer:Mach-O. Mach-O external libraries are now linked during analysis. (GP-2602)

Importer:PE. The PE Loader has been updated to correctly recognize and mark the program compiler ID for MinGW programs. GNU Demangler has been updated to recognize and run on programs with GCC compiler option. (GP-1851, Issue #2208, #4513, #4514, #4520, #4906, #5155)

Importer:PE. The PE Loader can now load sections that extend beyond the end of the imported file without error. (GP-2826, Issue #4705)

Importer:PE. The PE Loader no longer rebases images to 0x10000 when the preferred image base is very large. (GP-2827, Issue #2361, #4710)

Importer:PE. Improved PE header parsing so binaries with corrupt symbol/string tables do not prevent Ghidra from recognizing them as PE. (GP-2973)

Jython. Improved Python interpreter code-completion behavior. (GP-2759, Issue #4678, #4699)

Languages. Reverted disassembly of x86 two-byte xchg ax,ax back to nop. (GP-3372)

Listing. Added Simplify Template Names option (on by default) to simplify symbol and datatype names with complex template info as part of their name. This only affects the Listing display and doesn't affect the actual symbol or datatype name. (GP-388)

Listing. Added options for the starting location of a program when it is opened, which will move the location to a specific function or label. See Preferred Symbol Name under the Navigation tool options. (GP-2141, Issue #4267)

Listing. Changed overlapping markers to blend rather than occlude. (GP-2723)

Multi-User. The Ghidra Server's temp directory can now be controlled by setting the WRAPPER_TMPDIR variable in ghidraSvr(.bat). (GP-3053, Issue #4925)

Multi-User. Upgraded YAJSW to 13.09. (GP-3119)

Processors. Corrected treatment of x86 LOCK prefix. (GP-2487, Issue #4336)

Processors. Added support for ARM v4T and v5T bl lr and blx lr pseudo-instructions. (GP-2872, Issue #4320)

Project. Added support for Ghidra-URL-linked project files and folders. Copy/Paste-Link actions are added to project file tree when copying from viewed repository or another project. (GP-2644)

Prototypes. PrototypeModel.getReturnAddress() now returns the default return address of the compiler spec when a prototype does not define its own. (GP-2612, Issue #4611)

Scripting. The RecoverClassesFromRTTIScript has been updated to recognize and process Windows PE programs compiled with GCC (i.e., MinGW, Cygwin programs). (GP-1856)

Scripting. The RecoverClassesFromRTTIScript has a few improvements for GCC-compiled programs. (GP-2679, Issue #4414)

Scripting. Added the RTTI Found RTTI Analyzer option to the program information, which is used to determine whether to rerun the analyzer and also to decide whether to run the RTTI script. (GP-3293)

Sleigh. Improved Sleigh compiler warning and error messages. (GP-2913, Issue #4595)

Bugs

Analysis. Removed check for instruction falling into a location being considered for a shared return function. (GP-3044)

Analysis. Added support for stack parameter tracking, PointerTypedef parameters, restrictions of parameter values to known pointer parameters, and a prototype-setting for propagation of pointer parameter types to memory. (GP-3077)

Analysis. Fixed deadlock in Arm Analyzer waffling between overriding the return instruction as a return and branch. (GP-3150)

Analysis. Removed duplicate references placed on different operands of instructions. (GP-3214)

Analysis. Fixed issues related to analysis flag and how it affects asking the user to analyze a new program. (GP-3282)

Analysis. By default, pointer-to-pointer analysis is turned off for ARM binaries in the Operand and Data Reference analyzers. This can result in fewer references created, and can be turned back on if your binaries use pointer data in memory instead of offset values from the current PC. (GP-3335)

API. Fixed bug on pinned symbols when changing image base. (GP-3178, Issue #4290)

API. Revised ApplyFunctionSignatureCmd to allow use where function should not get renamed when signature applied. (GP-3350)

Byte Viewer. Fixed bug in Byte Viewer where the last byte in a block could not be selected if the field group size was larger than 1. (GP-1593)

CParser. Fixed parsing of Windows wdm.h header file with multi-line strings passed as arguments to a macro. (GP-2809, Issue #4690)

CParser. CParser.parse(String) method no longer throws an exception, and, when parsing a structure as a string, the return type will be the structure—not the last member of the structure. (GP-3183, Issue #4903)

CParser. Removed wchar_t as a keyword when parsing header files. wchar_t will always use the built-in wchar_t datatype even if defined with a typedef within a header file. (GP-3215, Issue #5108)

CParser. Fixed issue with CParser creating #define enum values if unsigned long is specified with parentheses around the value; for example, #define X (4ul). (GP-3216, Issue #5069)

CParser. Pressing Cancel during parsing of header files is now more responsive. (GP-3284, Issue #5181)

CParser. Enum constants are now created by the CParser when #define expressions ending in ULL, LLU, LL, and LU are found in parentheses. (GP-3285, Issue #5161)

CParser. Fixed expansion of #define statements embedded in #include files and parsing of constants with UL/LL size specifications. (GP-3310, Issue #5207)

CParser. Fixed CParser issues with forward-declared Enums and typedefs used within the body of functions. (GP-3371, Issue #3526, #5271)

CParser. Enum sizes are now set to the size of an int for the processor (formerly 4), and enums from #defines are set to the the smallest enum size that will fit the number (formerly 8). Future change will add packed enum sizes. (GP-3385)

Data. Corrected handling of zero-length components in the form of Listing DataComponent CodeUnits. These were incorrectly reporting a length of 0 instead 1; all Listing Data, including DataComponents, must report a positive non-zero length. (GP-3314)

Data Types. Automatically created class structures now respect the Preferred Root Namespace Category property. (GP-1123, Issue #3196)

Data Types. Added support for floating-point data types to parse decimal string representation. A significant refactor of FloatFormat and BigFloat was completed. BigFloat is now used as the value class for all float data types. Introduced DataType.getAlignedLength() method which was needed to differentiate between the raw encoding size and the aligned (i.e., padded) size used by a compiler when allocating storage (i.e., sizeof). Example: for x86-32 gcc, 80-bit float has an aligned-length of 12-bytes which reflects compiler's sizeof(long double). (GP-1379)

Data Types. Corrected 80-bit floating point support to include decode, encode, and computation via the FloatFormat and BigFloat support classes. (GP-3022, Issue #4853)

Debugger. Fixed issue with default renaming of traces when auto-saving with conflicting names. (GP-1484)

Debugger. Fixed bug in refresh logic. (GP-1884)

Debugger. Fixed various errors in breakpoint logic for dbgeng/model. (GP-2177)

Debugger. Fixed occasional stack trace in auto-saving traces when closing Debugger. (GP-2732)

Debugger. Miscellaneous fixes for LLDB agent. (GP-2781)

Debugger. Provided greater flexibility with library load error messages. (GP-3012)

Debugger. Emulate Program and Map Identically actions now exclude EXTERNAL block. (GP-3087)

Debugger. Removed Tool Options: Colors sections from Debugger help. (GP-3218)

Debugger:Agents. Fixed some issues with GADP agent no-dep jars. (GP-1007, Issue #3076)

Debugger:Agents. Fixed a NullPointerException in GadpValueUtils. (GP-2915, Issue #4791)

Debugger:Agents. Fixed GADP connectors to use the same JRE/JDK as Ghidra. (GP-2979)

Debugger:dbgeng.dll. A register modification now updates the Stack and other windows. (GP-2636)

Debugger:Emulator. The emulator will now halt when trying to decode an instruction from uninitialized memory. (GP-1529)

Debugger:Emulator. Fixed Emulator for processors that use crossbuild. (GP-1904)

Debugger:Emulator. Removed 4 unnecessary classes in emulator: RequireHasKnownTraceCachedWriteBytesPcodeExecutorState, RequireHasKnownTraceCachedWriteBytesPcodeExecutorStatePiece, RequireIsKnownTraceCachedWriteBytesPcodeExecutorState, and RequireIsKnownTraceCachedWriteBytesPcodeExecutorStatePiece. (GP-3280)

Debugger:GDB. Fixed missing stack frames when single-stepping. (GP-1470)

Debugger:GDB. Fixed unnecessary error popup when user rejects HostKey while connecting to GDB via SSH. (GP-1710)

Debugger:GDB. Fixed Erase In Line ANSI escape decoding issue for GDB on Windows. (GP-3135, Issue #3562, #5026)

Debugger:GDB. Fixed issue launching binaries in GDB with spaces in the path. (GP-3311, Issue #5203)

Debugger:Listing. Fixed a bug where closing a cloned Dynamic Listing resulted in an extraneous stale PC marker in the Static Listing. (GP-2991)

Debugger:Mappings. Map Identically and Map Manually actions will now refuse to overwrite existing mappings. (GP-3086)

Debugger:Trace. Fixed a bug that allowed the user to undo a trace's initial transaction. This would lead to a subsequent NullPointerException. (GP-3213)

Debugger:Trace. Fixed issue with Undo not being effective immediately. (GP-3358)

Decompiler. Fixed a Decompiler decoding error that occurred when a pre-comment contained a null character. (GP-3002, Issue #4836)

Decompiler. Line breaks in Decompiler output can no longer disable a comment annotation. (GP-3029)

Demangler. Fixed missing use of wchar_t, wchar16, and wchar32 primitives in Demanglers. (GP-3184, Issue #5080)

Documentation. Made minor fixes and improvements to the Advanced Ghidra training class documentation. (GP-2944)

ELF. Corrected ELF MIPS Relocation processing for R_MIPS_32. Added support for R_MIPS_PC21_S2 and R_MIPS_PC26_S2. (GP-3260, Issue #5160)

Exporter. Corrected operand formatting issues with ProgramTextWriter, which affected HTML/ASCII exports. (GP-1868, Issue #793)

Framework. Fixed an IllegalStateException that occurred while refreshing the Bundle Manager after the Code Browser tool had been closed. (GP-2711, Issue #4656)

Graphing. Changed default Call Graph action to always use the isolated entry block model, which will give the best results most of the time. (GP-3250, Issue #5157)

Graphing. Fixed stack trace when reusing graphs. (GP-3399)

GUI. Updated tables to correctly take focus when pressing F2 to start an edit. (GP-366)

GUI. Fixed issue where add/edit label dialog would grow ridiculously large. (GP-543)

GUI. Improved function-signature-parsing within Function Editor dialog to handled sized pointers. (GP-1100, Issue #3178)

GUI. Fixed bug where symbol tree category nodes could not be closed when there was a filter in place. (GP-2187)

GUI. Updated the Data Type Manager tree to maintain the tree selection when opening an archive for editing. (GP-2423)

GUI. Fixed the Enum Editor to allow sorting on the Comments column. (GP-2776, Issue #4693)

GUI. Updated the Equates Table to allow multiple selection. (GP-2887, Issue #4771)

GUI. Added rapid Ghidra Server timeout during initial connection to avoid lengthy connection delay when the server system is offline. (GP-2935)

GUI. Added support for HTML rendering in TableChooserDialog. (GP-2996, Issue #4880)

GUI. Fixed bug that prevented editing of function variable data types in the Edit Function dialog. (GP-3115, Issue #4970)

GUI. Updated the Function Signature dialog to allow editing the parameter table using only the keyboard. (GP-3173, Issue #3561)

GUI. Fixed bug where scroll bar didn't appear when the view size was just slightly smaller than the actual text to be displayed. This affected the Listing, Bytes, and Decompiler views. (GP-3202, Issue #3938)

GUI. Added the ability to copy details from the Missing Processor Manual dialog. (GP-3205, Issue #4218)

GUI. Fixed issue where opening multiple file datatype archives with the same name would not appear in the Datatypes tree. (GP-3281)

GUI. Changed function custom storage editor to permit larger storage to be specified. Undefined datatype size will expand to match storage size up to 8 bytes. (GP-3286, Issue #4983)

GUI. Fixed bug in Plate Comment that caused truncation during word wrapping. (GP-3403, Issue #5297, #5298)

Headless. Fixed a bug that caused a program to have an invalid Executable Location property when the program was imported headlessly from a relative path. (GP-3054)

Importer. The OMF Loader now parses COMMENT_CLASS_LIB correctly. (GP-3118, Issue #5016)

Importer. Fixed an issue that could cause the Importer to not respect the Load System Libraries From Disk and Load Local Libraries From Disk options if the Perform Library Ordinal Lookup option was used. (GP-3272, Issue #4849)

Importer:ELF. Corrected ELF Loader issue which could improperly set memory blocks as read-only. (GP-2730)

Importer:ELF. Added support for ELF X86-64 GOTPCREL relocation processing. Revised ELF relocation processing context API to utilize a single instance per import instead of one per relocation table. (GP-2984, Issue #4859)

Importer:ELF. Corrected ELF Loader issue with INIT/FINI array processing when entries have relocations applied. (GP-3176, Issue #5039)

Importer:ELF. Changed ELF relocation processing to avoid creating offset-pointers in memory blocks whch have execute permission or for section based relocations. (GP-3339, Issue #5238)

Importer:Mach-O. Fixed Mach-O external symbol namespace issues that prevented demangling. (GP-2511)

Importer:Mach-O. Fixed an exception that could occur while parsing DYLD chained fixups in some Mach-O binaries. (GP-3151)

Importer:Mach-O. Fixed a bug that prevented the Mach-O loader from finding and loading libraries that reside in a Universal Binary file. (GP-3167)

Importer:Mach-O. The Mach-O Loader now correctly handles DYLD_CHAINED_PTR_64_OFFSET fixups. (GP-3194, Issue #4986)

Importer:Mach-O. Fixed an exception that occurred when importing Mach-O PowerPC binaries with relocations. (GP-3259)

Importer:PE. Added a PE Loader Show Debug Line Number Comments option to show/hide debug line number comments. (GP-714, Issue #1184)

Importer:PE. Fixed some issues with parsing Windows Dialog resources. (GP-2821, Issue #3807, #3808)

Languages. Added the HALT instruction to the Coldfire processor. (GP-3326, Issue #5194)

Multi-User. Corrected issue where shared project creation would retain canonical server name instead of the original, specified hostname. (GP-3050, Issue #4924, #4928)

Multi-User. Corrected issue which disallowed Ghidra Server user IDs starting with a 0–9 digit. (GP-3121)

PDB. Overriding overzealous thunk detection on function creation when PDB knows better. (GP-3127)

PDB. Stubbed in some structures to represent class Member Pointers. Details need to be determined with future research. (GP-3171, Issue #5055)

PDB. A function is now created for a global label only if there are function indicators; otherwise, only a label is applied. Reverts the forced-function creation part of GP-2505. (GP-3200)

PDB. Fixed PDB handling of same-named __unnamed anonymous data types with different definitions used within a common structure. These could be emitted by VS 2005. (GP-3279)

Processors. Fixed issues with M68000 shift and rotate instruction behavior. (GP-2013, Issue #4217)

Processors. Added missing x87 FDESI, FENI, FNDESI, and FNENI instructions. (GP-2093, Issue #4262)

Processors. Added support for SuperH fsrra, fsca, and movua.l instructions. (GP-2374, Issue #4210)

Processors. Added extended floating point instructions to V850 processor. (GP-2565, Issue #4453, #4481)

Processors. Corrected 6809 and H6309 processors Jump address calculations and fixed issue with Extended Address bit-pattern disassembly. (GP-2650, Issue #4630)

Processors. Corrected addresses for ARM Cortex interrupt vectors. (GP-2706, Issue #4638)

Processors. Added support for MIPS DSP instructions. (GP-2775, Issue #4526)

Processors. Fixed operand ordering for M68000 abcd and sbcd instructions. (GP-2880, Issue #4183, #4189)

Processors. Fixed regression in x86 with disassembling the pause instruction. (GP-2892)

Processors. Corrected semantics for TriCore nor.t instruction. (GP-2895, Issue #4775)

Processors. Corrected issues in the SPARC language involving delay slots and ordering. (GP-2932, Issue #4805)

Processors. Corrected implementation of PowerPC fsel instruction. (GP-2937, Issue #4664)

Processors. Fixed semantics of 65C02 TRB and TSB instructions. (GP-3039, Issue #4921)

Processors. Fixed operand parsing of ARM Neon vld and vst instructions. (GP-3043, Issue #4814)

Processors. Corrected x86 MOV REX, MOFFS64 disassembly with address size prefix. (GP-3078, Issue #4942)

Processors. Corrected x86 FBLD instruction semantics. (GP-3079, Issue #2427)

Processors. Fixed ARM neon VMOV.U16 instruction decode. (GP-3096)

Processors. Fixed issue with ARM Thumb push {register_list} not disassembling when the last two registers in the list are r2 and r3. (GP-3132, Issue #5024)

Processors. Supplied additional register field support to AARCH64 MSR instruction. (GP-3156)

Processors. Fixed issue with ARM Thumb Neon vqdmull instruction not disassembling. (GP-3157, Issue #5053)

Processors. Fixed issue with HCS12 TSTA instruction not clearing carry flag. (GP-3169, Issue #5067)

Processors. Fixed issue with M68000 processor having a varnode of zero size. (GP-3187, Issue #5093, #5094)

Processors. Corrected RISC-V jal/jalr instructions to be a call instead of goto, when link register is T0. (GP-3217, Issue #5092)

Processors. Fixed PowerPC branch-conditional-and-link semantics for assigning LR register. (GP-3341, Issue #5218)

Processors. Fixed stack alignment in x86 far call instructions (GP-3398, Issue #1715, #1723)

Scripting. Fixed an issue that prevented the default script log file from getting used in the user's .ghidra directory. (GP-2936)

Scripting. Fixed a bug in FlatProgramAPI.getLastInstruction(). (GP-3198, Issue #5090)

Scripting. Improved how the interactive Python interpreter handles transactions. This fixed an uncaught exception that occurred when GhidraScript.openProgram() was called. (GP-3321, Issue #5215)

Search. Increased performance related to Search Results table markers. (GP-2828)

Search. Fixed exceptions in ReferenceUtils when searching for structure members with no size. (GP-3283)

Search. Fixed bug that caused search highlights to sometimes disappear from the Listing when the user moves the cursor. (GP-3329)

Sleigh. Addressed a bug in the SLEIGH compiler that allowed inconsistent exporting of sizeless varnodes. (GP-3186)

Ghidra 10.2.3 Change History (February 2023)

Improvements

Basic Infrastructure. Addressed CVE-2023-22671 by removing eval usage from launch.sh. (GP-2987, Issue #4869, #4872)

Build. Ghidra's Windows native binaries can now be built using Microsoft C++ Build Tools. (GP-2786, Issue #1733, #4647)

Build. Providing better error reporting when a supported version of Visual Studio (2017+) cannot be found. (GP-2928)

Decompiler. Added fail-fast logic to improve efficiency of switch analysis for software breakpoints. (GP-2866)

Decompiler. Updated the limit of the Auto Fill in Structure action to take the larger of 0x1000 and the size of the structure. (GP-3020, Issue #4879)

GUI. Updated the Front End Project Table to allow users to change selected rows by clicking any already-selected row. (GP-3051)

Processors. Added ColdFire EMAC instruction variants. (GP-2197)

Processors. Added volatile and size attributes to individual default_symbols/symbol elements in pspec files. Symbols with these volatile and size attributes are treated as volatile by the Decompiler. (GP-2606)

Bugs

Analysis. Corrected RISC-V function start patterns. The values of totalbits and postbits were set such that no patterns would ever match. Call instructions split into call/jump based on return addressing saving in RA. (GP-2878)

Analysis. Corrected potentially bad constant propagation where the subtraction two unknown values can result in the placement of an erroneous memory reference. (GP-3066)

Assembler. Fixed parsing of 64-bit unsigned immediates. (GP-2789, Issue #4688)

Assembler. Fixed display and assembly of THUMB tbb [pc, rm] instruction. (GP-2946, Issue #4824)

Debugger:Watches. Fixed endless read loop in Watches pane when read results in error. (GP-2815)

Decompiler. Fixed Decompiler bug that can cause Symbols... assigned to the same variable exceptions. (GP-2859)

Decompiler. Fixed regression in handling of spacebase register values that cause a stack trace in the Decompiler for RISC-V. Removed unnecessary spacebase settings in TriCore, MIPS, RISC-V. (GP-2905)

Decompiler. Fixed bug preventing some format conversions of negative constants in the Decompiler window. (GP-2927, Issue #3747)

Decompiler. Fixed error in dynamic hash algorithm which could cause the rename/retype actions in the Decompiler to fail. (GP-3014, Issue #193)

Decompiler. Fixed Decompiler marshaling parsing error for function prototypes with an unknown stack purge. (GP-3065)

Decompiler. Fixed bug causing switch analysis on x86 16-bit executables to fail. (GP-3075)

Decompiler. Fixed bug causing Expecting unsigned integer attribute exceptions when decompiling for architectures with a word size greater than 1 byte. (GP-3088)

DWARF. Fixed issue with DWARF not marking object-oriented methods as a __thiscall. (GP-2904)

Exporter:XML. Corrected XML export bug that improperly output custom property values, such as Analysis Times, which was causing failure at time of subsequent import. (GP-1453)

GUI. Updated the Structure Editor's Create Structure from Selection action to work around a focus issue experienced by some users. (GP-3069, Issue #4066)

Importer. Improved support for loading old-style DOS MZ binaries. (GP-2210, Issue #1876, #1892, #254, #4318)

Importer:PE. Fixed an issue that prevented PE ordinal symbols from getting their true names resolved during headless mode import. (GP-2947, Issue #4821)

Importer:PE. Fixed an issue with label addresses in the PeLoader that occurred when sections had an uninitialized padding block appended to their initialized block. (GP-2948, Issue #4815)

Multi-User. Fixed svrAdmin to handle projects that contain a space character in the name. (GP-2852, Issue #4750)

PDB. Corrected a PDB Universal analysis regression error in Ghidra 10.2.2 that caused an internal anonymous function definition name to be set on a function instead of the function symbol name. (GP-2864, Issue #4842)

Processors. Fixed pcode for the PowerPC mtmsr instruction. (GP-2245)

Processors. Corrected flag updates for the z80 adc instruction. (GP-2882, Issue #4553)

Processors. Set 8051 bit-mapped SFR register range to volatile. (GP-2910, Issue #3061)

Processors. Fixed issue with x86 VEX prefix colliding with the LDS instruction. (GP-2959, Issue #4832)

Processors. Corrected implementations of x86 SHUFPS and PSHUFD instructions in ia.sinc. (GP-3023, Issue #4868)

Processors. Fixed ARM Thumb issues with ldr instructions disassembling as incorrect variants. (GP-3083, Issue #4959)

Version Tracking. Fixed ArrayIndexOutOfBoundsException encountered when using HashedFunctionAddressCorrelation for version tracking. (GP-2758, Issue #4683)

Ghidra 10.2.2 Change History (November 2022)

Bugs

Debugger. Improved error reporting for failed GADP-based Debugger connections. (GP-994)

Debugger:Breakpoints. Fixed breakpoint margin display in the Listing for breakpoints spanning multiple lines (code units). (GP-2733)

Debugger:GDB. Fixed parsing of AArch64 vector registers in GDB connector. (GP-1459, Issue #3541)

Disassembly. Corrected regression error in Ghidra 10.2 which could prevent proper disassembly flow within overlay memory blocks. (GP-2800)

Graphing. Corrected code flow graph node rendering issue which improperly displayed HTML tags. This was a regression error introduced with Ghidra 10.2. (GP-2842)

PDB. Fixed logic for overriding primary, public symbols on functions. This will allow function definitions to be retrieved from mangled symbols when rich data types are not found with the global symbols. (GP-2838, Issue #4735)

Ghidra 10.2.1 Change History (November 2022)

Improvements

Data Types. Added performance improvements for Structure build-up and resolution when simplifying assumptions can be made. (GP-2777)

Bugs

DB. Corrected database table key iterator regression error introduced with Ghidra 10.2 which could result in a NullPointerException. An internal long key iterator transition may fail under certain conditions when the iterator has already been exhausted. (GP-2805, Issue #4716)

Debugger. Removed a timeout when prompting the user for Debugger launch options. (GP-2722)

Debugger:Agents. Fixed error text rendering in Debugger agent windows. (GP-2724)

Decompiler. Fixed a bug in the Decompiler preventing local variables outside of the normal stack region from being renamed or retyped. (GP-2818)

Disassembly. Corrected regression error in Ghidra 10.2 which prevented proper disassembly flow within overlay memory blocks. (GP-2800)

GUI. Fixed table column filtering to correctly match input data containing newline characters when using the Contains string column filter. (GP-2797, Issue #4722)

GUI. Fixed the Front End's running Tool Button tooltip text to include the tool's title. (GP-2810)

Importer:Mach-O. Fixed an issue that prevented some Mach-O binaries from being imported if there were unexpected issues while creating the Program Tree. (GP-2802, Issue #4724)

Importer:Mach-O. Fixed an issue that prevented some Mach-O binaries from being imported if they did not define a __LINKEDIT segment. (GP-2803)

Importer:PE. Fixed .Net/x86 disassembly protection code which prevents disassembly of CLI code in an x86 processor. (GP-2807)

Processors. Corrected ARMv5 disassembly regression errors (GP-2812, Issue #4717)

Ghidra 10.2 Change History (November 2022)

New Features

Basic Infrastructure. Ghidra now requires JDK 17 to run. (GP-2132, Issue #4316)

Build. A CycloneDX Software Bill of Materials (SBOM) is now included with a Ghidra distribution. (GP-1782)

Data Types. Added getSelectedDatatypes() method to DataTypeManagerService to get a list of selected data types in the data type tree. (GP-1631)

Debugger. Added a basic Frida debugger connector. (GP-1681, Issue #3134)

Debugger. Added cursor header to Plot columns in Debugger's experimental Model window. (GP-2067)

Debugger. Added Choose Platform actions to Debugger. (GP-2163)

Debugger. Enabled debugging using Frida on USB/remote devices. (GP-2312)

Debugger. Added Map Manually action to Modules window. (GP-2474)

Debugger:Emulator. Userops can be defined using Sleigh or Structured Sleigh. (GP-1205)

Debugger:Emulator. Added Linux x86 (64- and 32-bit) read, write, open, close, exit, and exit_group syscalls to the emulation API. (GP-1208)

Debugger:Emulator. Added Taint Analyzer (development prototype). (GP-1230)

Debugger:Emulator. Added a skip instruction button to the emulator (Threads pane). (GP-2062)

Debugger:Emulator. Added prototype EmuDeskCheckScript to emulate and produce a table of expression values for each step. (GP-2289)

Debugger:Listing. Added toggle to automatically synchronize static and dynamic program selections; added actions to manually transfer selections between static and dynamic listings. (GP-1451)

Debugger:Listing. Can now have the Dynamic Listing and Memory windows follow the address of a watch. (GP-2581)

Debugger:Trace. Added Objects Manager to Trace API. (GP-1386)

Debugger:Trace. Added API for user-defined property maps on traces. (GP-2191)

Debugger:Watches. Added data type settings to Registers and Watches windows. (GP-1984)

Decompiler. A new Decompiler highlight service has been added, allowing clients to create highlights in the form of background colors for the syntax tokens in the Decompiler UI. Highlights apply to a full token and not strings of text. To highlight a token, you create a CTokenHighlightMatcher and pass it to the createHighlighter() method of the highlighter service. There is no limit to the number of highlighters that may be installed, and if multiple highlights overlap, their colors will blend. (GP-1435, Issue #2313)

Decompiler. The Decompiler now fully supports union data-types. (GP-1518)

Decompiler. A new Create Relative Pointer action is available from the main Decompiler pop-up menu. It creates pointers that have an offset relative to another data-type—typically a structure. Applying the action, the Decompiler can then follow and label accesses into the structure. (GP-1645)

Decompiler. The Format setting on a Typedef of an integer data-type now affects the display of constants in Decompiler output. A non-default setting forces the format for displaying constants of that data-type. (GP-1652, Issue #3004)

Decompiler. Decompiler line number margin now has fixed horizontal position. (GP-2446)

Extensions. A MachineLearning extension has been added. This contains a plugin for finding code and functions in a binary by training on functions which have already been found. (GP-2204)

Importer. Updated support for Android version 12.x (S): OAT v199, Vendor Boot Image v4, and FPBK v2. (GP-1461)

Importer. Created new Dump File Loader for Windows dump file formats. (GP-1864)

Importer. Added support for APPORT-style crash dumps (Ubuntu) to Dump File Loader. (GP-2049)

Importer. Added support for Android formats (ART, OAT, ODEX, DEX, CDEX, VDEX) and Dalvik VM Sleigh modules for each major Android release up to version 13.x (T). (GP-2060)

Listing. Added right-click menu Patch Data action for modifying bytes in the listing according to the unit's data type. (GP-1684)

Scripting. Added FlatDebuggerAPI interface for GhidraScripts to more easily access the Debugger's API. (GP-2189)

Improvements

Analysis. Added detection of pop to the PC as a return in ARM binaries. (GP-634)

Analysis. PointerTypedefs are now used for Relative Pointers in the Objective_C2 small method data structures. Previously, the value was a DWORD and did not resolve to an address. (GP-1427)

Analysis. The Variadic Function Signature Override Analyzer now handles offcut references to format strings. (GP-2048, Issue #4256)

Analysis. Added to the list of known non-returning windows functions. (GP-2069, Issue #4181)

Analysis. Improved branch-through-a-register return pattern for ARM processor thunk creation. (GP-2391)

Analysis. Enabled Assume Contiguous Functions Only option in Shared Return Calls analyzer. Disabled by default for ARM processors because of use of BL for long jumps in Thumb mode. (GP-2534, Issue #4573, #678)

API. Added the ability to search for enum member usage. (GP-1514, Issue #1967)

API. Added recursive form of Function.getFunctionThunkAddresses() method. (GP-1692)

API. Improved namespace-based data type searching. Also added ability to specify a preferred root category for such searches on the Program API, which can be manipulated via the Program Information options panel. (GP-1994)

API. Eliminated methods from AddressMap interface which are intended for internal use only. (GP-2002)

API. Removed deprecated methods from ProgramPlugin. (GP-2663)

Basic Infrastructure. Updated Gson to 2.9.0. (GP-1909, Issue #3992)

Basic Infrastructure. Updated commons-compress to 1.21. (GP-1910)

Basic Infrastructure. Updated commons-io to 2.11.0. (GP-1911)

Basic Infrastructure. Upgraded commons-text to 1.10.0 and commons-lang3 to 3.12.0. (GP-2753)

C Parsing. Any open archives in the data type manager will be searched for any missing data types during parsing. In addition when parsing header files with open archives there are new options to Use, Don't Use, or Cancel parsing. (GP-1336, Issue #2119, #2885, #716)

Data Types. Updated the Data Types view Paste action to work when pasting on a data type node. (GP-1627, Issue #3568)

Data Types. Added a Home action to the Structure Editor to allow users to show the structure data type in the Data Types tree. Added the Show In Data Type Manager action to the data type nodes in the Data Types tree to allow users to associate types with an archive. (GP-1913)

Data Types. Modified DataType.clone(DatatypeManager) method implementations for StructureDB, UnionDB, FunctionDefinitionDB, and EnumDB to adhere to method documentation which states that a datatype will return the instance itself if its DataTypeManager is the same as the parameter specified. (GP-2236)

DB. Added persistent Name column to Breakpoints table. (GP-1559, Issue #3679)

Debugger. Added GDB connector support for Windows (tested with GDB 11.1 on msys64). (GP-869, Issue #2908)

Debugger. Debugger and Python Interpreter windows now support ANSI colors and styles. (GP-887, Issue #4176)

Debugger. Revised Debugger icons for visual contrast and action clarity. (GP-1538)

Debugger. Added Watch action to Listing, Memory, and Registers context menus. (GP-1560, Issue #3680)

Debugger. Dynamic Listing, Bytes, Registers, and Watches windows all now support editing the machine state. Edits can be directed to the Target, the Trace, or the Emulator. (GP-1584)

Debugger. Upgraded SWIG to match lldb v14. (GP-1760)

Debugger. Added Symbol column to Watches window. (GP-1773)

Debugger. Reworked the breakpoint state system and icons. (GP-1821)

Debugger. Improved breakpoint initialization. (GP-1824)

Debugger. Updated program user data to preserve command-line arguments. (GP-1886)

Debugger. Minimized the number of registers read for dbgeng; eliminated error messages. (GP-1898)

Debugger. Fixed issues with Debugger when dbgeng/dbgmodel connectors load/debug crash dumps. (GP-2023)

Debugger. Improved launcher logic for detecting and remedying trace recording and module mapping failures. (GP-2036)

Debugger. Added remote options to IN-VM dbgeng and dbgmodel connectors, like those for the GADP variants. (GP-2135)

Debugger. Added Track Program Counter (by Stack) and Track Program Counter (by Register) options to Dynamic Listing and Dynamic Memory. (GP-2462)

Debugger:Breakpoints. Improved error feedback for some failures in toggling/enabling (unmappable) breakpoints. (GP-2243)

Debugger:Emulator. Userop library callbacks can now receive more context via annotated parameters. (GP-1203)

Debugger:Emulator. Changed the display of the PcodeStepper window to look like the PCode field in the Listing windows. (GP-1535)

Debugger:GDB. Updated the GDB connector to support version 12.1. Now parses flags for memory map. (GP-2089, Issue #4297)

Debugger:GDB. Added GDB scripts for getting memory map of remote Wine win32 targets. (GP-2495, Issue #4546)

Debugger:GDB. Ported GDB connector to use JNA. (GP-2619)

Debugger:Listing. Added marker margin and overview to the Dynamic Listing window. (GP-1433)

Debugger:Listing. Changed priority so that PC highlights are over breakpoint highlights. (GP-2294)

Debugger:Mappings. Added Map Regions actions to Debugger. (GP-1231)

Debugger:Objects. Creating fewer unsolicited error popups in Debugger by logging these errors to the console. (GP-1329, Issue #3452)

Debugger:Trace. Made address encoding in traces more compact. (GP-2437)

Debugger:Trace. Handling Trace version exceptions more gracefully. Presents a clearer error dialog. (GP-2452)

Debugger:Trace. Simplified Trace database API: Register spaces are no longer a special interface. (GP-2479)

Debugger:Trace. Optimized trace memory access for Dynamic Listing and Memory windows. (GP-2593)

Debugger:Trace. Fixed a possible deadlock in the Trace database. (GP-2595)

Debugger:Watches. Repr column is now modifiable in Registers and Watches windows for supported data types. (GP-1881)

Decompiler. A prototype model, as defined by the tag in a compiler specification, can now be assigned multiple names. The names can be used interchangeably when assigning a calling convention to a function. (GP-1653)

Decompiler. The Decompiler now uses proper syntax when extracting small fields from packed structures. (GP-1683)

Decompiler. Added Decompiler support for the address space attribute on pointer typedefs. (GP-1932)

Decompiler. Updated windows calling convention on x64 to properly handle functions with both floating-point and integer/pointer arguments. Users should re-import and analyze programs with such functions. (GP-1954, Issue #1480, #2952)

Decompiler. The Decompiler better simplifies multi-part boolean expressions that are built using a status register. (GP-2281, Issue #620)

Decompiler. The Decompiler now supports simplification of more forms of optimized modulo/remainder calculations. (GP-2292, Issue #4322)

Decompiler. The Decompiler now uses a new, more efficient protocol to communicate with the rest of Ghidra. (GP-2358)

Decompiler. Auto-generated stack variable names in the Decompiler now show offsets in hexadecimal format. (GP-2486, Issue #4442)

Decompiler. Changed the Decompiler Rename Function action so that if applied to a thunk, the underlying thunked function is renamed instead of the thunk itself. In most cases the rename should be applied to the thunked-function instead of the thunk itself. (GP-2520, Issue #4566)

Decompiler. The Decompiler now displays reads from or writes to volatile variables using simple assignment syntax instead of functional syntax. (GP-2578)

Decompiler. Improved handling of _guard_dispatch_icall and other functions that inject an indirect call into the Decompiler. (GP-2601, Issue #1719, #4591)

Demangler. Added second-pass processing for non-standard Microsoft Demangler forms found in LLVM mangling scheme. (GP-1725, Issue #1162)

Demangler. Improved post-analysis pop-up error messaging. (GP-2429)

Demangler. Changed symbol demanglers to place anonymous function definitions into the /Demangler/!_anon_funcs_ category using a revised naming convention consistent with PDB with a _func_ name prefix. Changed DWARF to use this same anonymous function definition name prefix. (GP-2557)

Demangler. Improved demangling after File -> Load PDB File... task by kicking off standard demangler analyzer instead of the DemanglerCmd. This should improve consistency in Demangler output across a program. (GP-2648)

DWARF. Relaxed DWARF analyzer's requirement of a register-mapping file in order to allow attempted import of function definitions when missing. (GP-1833)

DWARF. Added support for compressed DWARF sections. (GP-2106)

DWARF. Improve DWARFs handling of explicitly sized data types (e.g., int32_t). Added Try To Pack Structs option to DWARF analyzer to enable packing of structure/union data types created by the analyzer. (GP-2526)

Eclipse Integration. The GhidraDev Eclipse plugin now requires Java 17 and Eclipse 2021-12 4.22 or later. (GP-2398, Issue #4496)

Exporter. Updated IDA Pro plugins compatibility for python 3. The plugins remain compatible with python 2. (GP-2567, Issue #1327, #1618, #2642)

Graphing. Created Graph Data Flow action in Decompiler window menu and renamed existing graph action from Graph AST to Graph Control Flow. (GP-1704)

GUI. Fixed dialog text and icon clipping seen on some Linux distributions. (GP-1534, Issue #1506)

GUI. Updated Enum Editor to scroll while using the arrow keys when in edit mode. (GP-1553, Issue #3669)

GUI. Fixed ordering of automatic comments in the Listing. (GP-1568, Issue #3648)

GUI. Updated the UI to allow for setting equate values when an enum has more than one name mapped to a particular value. (GP-1572, Issue #3618)

GUI. Add Shift-key modifier to Previous/Next toolbar buttons that invert the action to jump the cursor to functions, labels, data items, etc. (GP-1578)

GUI. Updated the GTree to allow new nodes to be created while a filter is applied. (GP-1615)

GUI. Added new Mark and Select action that allows users to create selections in a two-step process. The first time the action is invoked, the current location is marked. The next time the action is invoked, a selection is created from the marked location to the current location. (GP-1616)

GUI. The Go To... dialog now supports navigating to file offsets with a file(n) search string, and a new File Offset field has been added to the Listing (disabled by default). (GP-1756)

GUI. Created the new Script Quick Launcher Dialog. (GP-1826)

GUI. Selecting nodes in the ProjectDataTreePanel was made more efficient. This is only noticeable when there is a very large number of programs in a project. (GP-1931)

GUI. Added the Offset table column to the Structure Editor. This column is hidden by default, but can be added by right-clicking on the table's column header. (GP-1943, Issue #3850)

GUI. To reduce memory consumption, revised Symbol Table GUI to avoid hanging onto symbol objects. In some cases this may reduce the speed with which the symbol table updates. (GP-2030)

GUI. Changed Structure Editor Duplicate Component and Duplicate Multiple of Component... actions to select the last component; this allows for repeated uses of the action via key-binding. (GP-2095, Issue #4229)

GUI. Updated the Data Type Manager's right-click menu Replace... action on a selected data type to have a clearer purpose by prompting the user to confirm the replace action. (GP-2405, Issue #4463)

GUI. Updated popup menu key event processing to not apply to combo boxes. (GP-2491, Issue #4545)

GUI. Added the new Does Not Match Regex table column filter to allow clients to show table rows that do not match the given regular expression. (GP-2582, Issue #4608)

GUI. Added the TableChooserExecutor.executeInBulk() method to allow script writers to process multiple selected table rows themselves instead of one at a time. (GP-2583, Issue #4609)

GUI. Updated the XRefs Dialog to allow users to show xrefs to thunk functions. (GP-2594, Issue #3851)

GUI. Updated the Search Memory Dialog to allow users to paste hex values that begin with 0x. (GP-2622, Issue #4623)

GUI. Updated the Instruction Info window to allow users to select and copy cells from the table. (GP-2631, Issue #4626)

GUI. Updated the Component Providers' drop-down button to allow users to add a keybinding to show the popup menu. (GP-2637, Issue #4625)

Importer. Added support for Android Multi-DEX. Created new Android APK loader to load all DEX files at one time and link the method_lookup sections using external references. The APK loader uses the manifest file to determine the Android version. (GP-275, Issue #4276)

Importer. Permanently removed the ContinuesInterceptor, which had allowed the import process to proceed past uncaught exceptions that could be encountered while parsing corrupted headers. (GP-1907)

Importer. The NeLoader now creates memory blocks using the FileBytes API which enables the file offset Listing field and lookup in the Goto dialog. (GP-2521, Issue #4565, #4570)

Importer. Redesigned the Importer's load library option set. The user now has finer-grained control over where libraries are loaded from, as well as how many libraries are loaded. (GP-2541)

Importer. Redesigned the Importer's load library option set. The user now has finer-grained control over where already-imported libraries are searched for in the project, as well as where newly imported libraries are saved to in the project. (GP-2604)

Importer:ELF. Added ELF import-processing of symbols defined in the .gnu_debugdata section. (GP-1592, Issue #1659)

Importer:ELF. Improved ELF import-processing and logging of missing/truncated headers. (GP-1605, Issue #3507)

Importer:ELF. Improved ELF Importer to handle extended program and section header counts (e_phnum, e_shnum) which may be encountered for large core/memory dump files in ELF format. (GP-1936, Issue #4149)

Importer:Mach-O. We now discover more Mach-O functions via the LC_FUNCTION_STARTS load command. (GP-1460, Issue #3586, #3668)

Importer:Mach-O. Improved symbols and exports in Mach-O and DYLD shared cache files. (GP-2008, Issue #2932)

Importer:Mach-O. Improved the Program Tree for Mach-O, DYLD shared cache, and PRELINK files. (GP-2019)

Importer:Mach-O. The Objective-C Class Analyzer now works with dyld_shared_cache files. (GP-2113)

Importer:Mach-O. Improved processing to support changes in iOS 16 and macOS 13 dyld_shared_cache format. (GP-2176, Issue #4346, #4406)

Importer:PE. The Thread Environment Block (TEB) is now automatically populated by an analyzer for PE format programs on x86. (GP-527)

Importer:PE. Added label for _tls_index. (GP-2166, Issue #4285)

Jython. Upgraded Jython to 2.7.3. (GP-2324, Issue #107)

Listing. Added trailing comma on global arrays display. (GP-2165, Issue #4261, #4287)

Multi-User. Improved svrAdmin command for controlling repository access. Eliminated -admin option while adding -grant and -revoke options. (GP-394, Issue #1703, #2467)

Multi-User. Eliminated use of ganymed-ssh2 library in favor of Bouncy Castle library suite. Improved Ghidra Server SSH authentication error reporting. (GP-1769)

Multi-User. The svrAdmin(.bat) script will now run under a JRE in addition to a JDK. (GP-2301, Issue #4394)

Multi-User. Improved Edit Shared Project Information capability which now handles case where user may have checked-out files and is unable to checkin or terminate them when unable to connect to old server (e.g., server name or IP address has changed). (GP-2496)

Multi-User. Upgraded Ghidra Server service wrapper (YAJSW) to 13.05. (GP-2754)

PDB. Crafted additional mechanisms for determining segment addresses. (GP-1777, Issue #3993)

PDB. When PDB has no type information, changed processing order so that mangled symbols become primary symbols, encouraging recovery of their limited type information. (GP-2385, Issue #4489)

PDB. Improved PDB Universal function creation, to include unknown calling convention when a custom calling convention is indicated and noreturn when indicated for a function. Also added initial support for some MIPS and IA64 processors called out in PDB. (GP-2505)

Processors. Implemented semantics for x86/64 POPCNT instruction. (GP-1780)

Processors. Updated ARM Processor specification to V9.3. (GP-1790, Issue #4655)

Processors. Added conditional assignment macro to x86 processor module. (GP-1819)

Processors. Implemented Coldfire bitrev, byterev, and ff1 instructions. (GP-2195, Issue #4270)

Processors. Generalized the 6502 processor spec file. (GP-2332, Issue #1533, #3434)

Processors. Added SLEIGH support for inst_next2, which can be used to implement conditional skip-next-instruction cases in the language spec. (GP-2480)

Processors. Added mips-eabi compiler specification. (GP-2734, Issue #3633, #3634)

References. Added support for use of Pointer-Typedef with Offset setting to signal creation of an OffsetReference. Modified ELF relocation handler to create such pointers for certain relocation types known to be associated which offset-data pointers. Improved Listing operand markup for rendering of OffsetReferences. Took special measures for such data references into the EXTERNAL memory block to remedy XRef and navigation issues. (GP-1036)

References. Reference-finding actions in the Decompiler now work properly when applied to global variables. (GP-1880)

References. CALLOTHER_OVERRIDE_CALL references now cause the inputs of the original CALLOTHER op to be discarded. (GP-2206, Issue #3665, #3936)

Scripting. Upgraded Apache Felix to 7.0.3. (GP-1326, Issue #3450)

Scripting. Improved class recovery discovery mechanisms for determining deleting destructors and clones. (GP-1581)

Scripting. ApplyClassFunctionDefinitionUpdatesScript has been improved to allow users to choose function definition(s) from the Data Type Manager to apply updates from. Previously, users had to put a cursor somewhere in the related class and possibly get possibly unwanted updates from unchanged definitions in selected class(es). (GP-1660)

Scripting. Added a search filter to RunYARAFromGhidra.py to include .yara files. (GP-1794)

Scripting. RecoverClassesFromRTTIScript has been updated to make use of the new shifted pointer data types where applicable. (GP-1947)

Scripting. Updated RecoverClassesFromRTTIScript to prevent it from running more than once on the same program. (GP-1962)

Scripting. Added FixElfExternalOffsetDataRelocationScript to be used in updating EXTERNAL offset data relocations flagged by an ELF Relocation ERROR bookmark. These locations now support the use of an offset pointer-typedef and a resulting offset-reference. (GP-1963)

Scripting. The RecoverClassesFromRTTIScript has been updated to make use of the new program setting allowing use of a preferred data type category for class structure assignment. Due to this change, there is no longer any need to remove existing class structures in order to use those created by this script, so all code related to replacing, other class structures, has been removed. (GP-2010)

Scripting. Added CallotherCensusScript, which determines the most frequent instructions with (partially) unimplemented semantics in a single program or across an entire repository. (GP-2072)

Scripting. Improved RecoverClassesFromRTTIScript to distinguish between and name deleting destructors as either scalar or vector ones or both in Windows programs. (GP-2075)

Scripting. Updated the Script Manager to not close dialogs when the manager is closed. (GP-2216, Issue #4363)

Scripting. Added createNamespace and createClass methods to FlatProgramAPI for Ghidra script use. (GP-2482, Issue #4446)

Search. Added the ability to search for structure fields by offset. (GP-1556)

Search. Added Navigate to Matching Byte Values action to the main toolbar to find the next matching byte value of the item under the cursor. (GP-1679)

Testing. Upgraded hamcrest to 2.2. (GP-1993)

Testing. Upgraded pcodetest build scripts to python 3. (GP-2138, Issue #4307)

Testing. Upgraded Jacoco to 0.8.8. (GP-2208)

Bugs

Analysis. Fixed Windows x86 PE RTTI Analyzer to not duplicate labels on type_info vftables when PDB is present. (GP-854)

Analysis. Fixed long-standing issue with incorrectly named RTTI Type Descriptor symbols; also added correct class namespace. (GP-1703)

Analysis. Fixed issue where, when opening an non-analyzed program with one tool and that tool is connected to another tool, multiple ask-to-analyze dialogs would appear. (GP-1860)

Analysis. The Java Analyzer now parses MethodParameters attributes and gracefully handles unknown or unsupported attributes instead of throwing a RuntimeException. (GP-2012, Issue #4089)

Analysis. The Variadic Function Signature Override analyzer now handles wide-character format strings which are not defined data. (GP-2016, Issue #4165)

Analysis. Improved heuristics used to find strings in the Variadic Function Signature Override analyzer. (GP-2070, Issue #4154, #4281)

Analysis. Improved forced thunk creation from function start patterns files and fixed NullPointerException when thunk analysis got ahead of disassembly. (GP-2378, Issue #4369)

Analysis. Fixed bug in Variadic Function Signature Override analyzer involving examining too many function arguments. (GP-2384, Issue #4478)

Analysis. Changed Analysis to not mark class methods as noreturn unless they are included in the non returning function list as a mangled name. (GP-2471, Issue #2130, #4531)

Analysis. Added switching function identification for ARM RealView compiler. (GP-2504)

Analysis. Fixed an IllegalStateException in the FunctionStartAnalyzer that could occur for ARM thumb binaries. (GP-2543)

Analysis. Corrected Decompiler Switch Analysis issue which could prevent proper function body fixup to include switch code. (GP-2554)

Analysis. Fixed code to use the functions calling convention when computing the stack purge. X86 16-bit binaries now correctly display the correct value in the stack depth listing field. (GP-2683, Issue #4294)

API. Fixed issue where storing a register context across the entire address space had issues if the image base was a non-zero value. There were also numerous other issues that were uncovered, related to this context/image-base issue change, that were also fixed. (GP-1778)

API. Corrected improper instruction context read which could cause issues with delay-slot instructions that rely on context. (GP-2094, Issue #4259)

Assembler. Fixed issue with assembler referring to external functions via the IAT or PLT. (GP-615, Issue #2670)

Assembler. Refactored Assembler. Fixed issue assembling for x64 in 32-bit compatibility mode. (GP-1426)

Assembler. Made Assembler fields obey Listing Display font settings. (GP-1664)

Basic Infrastructure. Fixed an IllegalArgumentException that occurred when initializing 1-byte uninitialized memory blocks. (GP-2523)

C Parsing. Fixed numerous errors in C-Parser, including updated C specification syntax, macros with varargs, anonymous arrays of function pointers, and array definitions. Also providing better error handling. In addition data types in open archives can be used during parsing. (GP-1979, Issue #1455, #1784, #1940, #3908, #3996, #4184, #4377, #4491, #4517)

CParser. C-Parser handles arrays of function pointers and anonymous function signatures correctly. (GP-2258, Issue #3908, #4351)

CParser. C-Parser now accepts static_assert keyword in more places, such as within structure definitions. (GP-2273, Issue #4401)

CParser. C-Parser grammar fixed to parse #pragma keyword in more places such as within enum declarations. (GP-2646, Issue #4628)

CParser. C-Parser now defines a placeholder structure name early in parsing. (GP-2692, Issue #3505)

CParser. Fixed expansion of macros with missing arguments, concatenated string constants, const after type specification, and #pragma found in function calls. (GP-2746, Issue #2896, #4660, #4676, #4677)

Data Types. Added support for pointer typedefs with various settings. (GP-1403)

Data Types. Corrected issues within structure/union editor when specifying a component whose datatype is a pointer to the edited structure (i.e., pointer-to-self). (GP-2134, Issue #3721)

Data Types. Added validation to EnumDataType.setLength(). (GP-2689, Issue #4654)

DB. Corrected JVM shutdown issue which could cause database recovery files to be discarded. (GP-1787, Issue #3994)

Debugger. Fixed occasional, spurious goto-PC when navigating in Debugger listing. (GP-385)

Debugger. Eliminated redundant calls to startRecording. (GP-1443, Issue #3559)

Debugger. Fixed compatibility issue with GDB 11 regarding module and section list. (GP-1666)

Debugger. Corrected Debugger address space mismatch and NullPointerException errors. (GP-1757, Issue #4022, #4023, #4024, #4025)

Debugger. Fixed for numerous failures in dbgeng. (GP-1812, Issue #4059)

Debugger. Fixed problem with memory refresh in dbgeng/dbgmodel targets. (GP-1852, Issue #4059)

Debugger. Fixed a DomainObject deadlock. (GP-1859)

Debugger. Fixed consistency issues when saving/loading target-launch command-line options. (GP-1866, Issue #4106)

Debugger. Fixed bug when refreshing target memory in dbgeng/dbgmodel connectors. (GP-1893, Issue #4112)

Debugger. Fixed register-update failures. (GP-1971)

Debugger. Fixed several bugs in the debug launch target monitor dialog. (GP-2102)

Debugger. Made miscellaneous fixes for errors in the JDI debugger. (GP-2253)

Debugger. Fixed a NullPointerException that occurred when closing the Debugger tool. (GP-2387)

Debugger. Fixed issue with Debugger module list when connected to GDB 10.1 on Debian Bullseye. (GP-2533, Issue #4583)

Debugger. Fixed issue in module list with gdb-11 and later. (GP-2727)

Debugger:Breakpoints. Fixed a bug that caused unexpected behavior when toggling a breakpoint while the cursor is in the Bytes field of the Listing. (GP-2725)

Debugger:Breakpoints. Fix address of watchpoints in GDB. (GP-2726)

Debugger:Emulator. Fixed spurious Emulate read from uninitialized state warnings when P-Code Stepper window is active. (GP-1650)

Debugger:Emulator. Fixed display of internal p-code labels in Pcode Stepper window. (GP-1883)

Debugger:Emulator. Fixed NullPointerException that occurred when adjusting the register-tracking setting on the Dynamic Listing window. (GP-1905)

Debugger:Emulator. Fix bug in Taint analyzer with INT_ZEXT and INT_SEXT. (GP-2489)

Debugger:Emulator. Fixed issue with emulator writing values at space's max address. (GP-2490)

Debugger:GDB. Fixed GDB connector, making it properly parse escaped strings. (GP-1953, Issue #4169)

Debugger:GDB. Fixed AddressOutOfRange issues when GDB's info proc mappings fails on 32-bit and smaller targets. (GP-2241, Issue #4345)

Debugger:GDB. Fixed GDB model so that patching PC updates the listing highlight. (GP-2635)

Debugger:Mappings. Fixed address/range arithmetic in Static Mapping service. (GP-2011)

Debugger:Memory. Fixed font coloring in Dynamic Memory window to indicate changes in the same manner as other Debugger windows. (GP-1890)

Debugger:Memory. Fixed auto-read-memory to work with the Force Full View toggle. (GP-2033)

Debugger:Objects. Fixed NullPointerException in ObjectTree. (GP-2004, Issue #4221)

Debugger:Trace. Fixed Trace API to handle NO_ADDRESS. (GP-2430)

Decompiler. Fixed stack trace sporadically encountered when clicking Decompiler brace tokens. (GP-1602)

Decompiler. Fixed issue with re-data-typing a variable via the Decompiler window in a big-endian binary. (GP-1673, Issue #2809, #3776)

Decompiler. Refactored handling of overlays in the Decompiler to address issues causing it to lose references and enumerations. (GP-1818, Issue #2680, #3900)

Decompiler. Decompiler now appends a size suffix to integer tokens when necessary. (GP-1922, Issue #3592)

Decompiler. The Decompiler now prevents over-propagation of register values that could misleadingly cause global variable assignments to be reordered. (GP-1997)

Decompiler. Fixed a bug in the Decompiler variable hashing system that caused Rename and Retype actions in the Decompiler window to fail. (GP-2006)

Decompiler. Fixed bug causing Bad storage node error when using the Split Out As New Variable action on register pairs. (GP-2027, Issue #4186)

Decompiler. Added key bindings to allow users to navigate to enclosing braces in the Decompiler. See the Decompiler tool options for details. (GP-2090, Issue #4264)

Decompiler. Improved switch analysis, specifically for when constants are stored on the stack. (GP-2359)

Decompiler. Patched comparison error that could cause the Decompiler to crash during variable merging. (GP-2466, Issue #4450)

Decompiler. Fixed bug preventing the Decompiler from seeing certain pointer aliases on to the stack in segmented architectures. (GP-2515, Issue #4529)

Demangler. Fixed issue where changes to the Microsoft Demangler Apply Function Calling Conventions option were not being honored. (GP-2542, Issue #4590)

Diff. Corrected Program Diff to properly ignore ordering differences of non-primary labels at a given address. (GP-2558)

Disassembly. Fixed issue with disassembling an instruction that contains a delay slot that is at the end of an address space. (GP-1668, Issue #3840)

Documentation. Renamed ReloadSleighLangauge.java script to ReloadSleighLanguage.java. (GP-1772)

DWARF. Improved naming of DWARF anonymous structures and unions to fix .conflict-matching issues. (GP-1500)

DWARF. Fixed bad ordering of function parameters when importing DWARF info. (GP-1682, Issue #3874)

DWARF. Fixed DWARF analyzer to support Mach-O .o binaries. (GP-2698, Issue #4659)

Eclipse Integration. Fixed an issue in the GhidraDev Eclipse plugin that could cause old extensions to incorrectly remain on the Ghidra project classpath after performing a Link Ghidra operation. (GP-1733)

FileSystems. Enhanced Ghidra's zip file system to fall back to Java's built-in zip file support when 7-Zip's native libraries fail to load. (GP-1697, Issue #3904)

FileSystems. Fixed issue with 7-Zip native library extraction during initialization that caused core dumps in other Ghidra processes running on the same host. (GP-1770)

FileSystems. Fixed issue handling zip files that contain a file with a blank name. (GP-1944, Issue #4128)

FileSystems. Fixed a hash has changed IOException that would sometimes occur when extracting .dylib files from a dyld_shared_cache file system. (GP-1986, Issue #4208)

FileSystems. By disabling free space checking, fixed problem that occurred when trying to query the available free disk space when in a Linux/Unix chroot environment. (GP-2078, Issue #4291)

Graphing. Updated the Function Call Graph to only save graph view information when visible. (GP-2514, Issue #4564)

Graphing. Corrected potential HTML injection vulnerability for the Graph Service vertex labeling. (GP-2716)

GUI. Fixed GUI lag issues on Windows in the file chooser that occurred when resizing the dialog in a directory with a large number of files. (GP-1634)

GUI. Fixed Ghidra's file chooser to allow refreshing the root locations in My Computer. (GP-1635)

GUI. Fixed bug that triggered a tool Save Tool - Possible Conflict dialog when using multiple tools. (GP-1637)

GUI. Updated the Choose Program dialog to focus the filter field by default so users can start filtering when the dialog opens. (GP-1745)

GUI. Updated the field at the bottom of the tool that displays the current instruction. Now, when the cursor is on a data item, the field shows the current datatype and size instead of being blank. (GP-1803)

GUI. Fixed issue where newly opened programs didn't have their datatypes tree apply any existing filter. (GP-1897)

GUI. Added Ctrl-C/V/X key bindings to the Motif Look and Feel text widgets. (GP-1972)

GUI. Corrected bad action description in the Log Viewer window. (GP-1975, Issue #4198)

GUI. Fixed NullPointerException that occurred when making a selection in the Table Chooser Dialog. (GP-1982, Issue #4204)

GUI. Fixed bug in IntegerTextField when pasting text that doesn't pass internal validation. This could result in an internal corrupted state. (GP-2000)

GUI. Improved the file chooser to not hang the GUI if there are slow file system root locations (drive letters) present. (GP-2059)

GUI. Updated tree and table filters to support undo/redo via Ctrl-Z and Ctrl-Y. (GP-2186)

GUI. Fixed rare exception seen while closing the tool just after a long reference search. (GP-2265)

GUI. Fixed an issue that prevented the One Shot analyzers from being enabled when the Listing did not have focus. (GP-2318, Issue #4589)

GUI. Fixed an IndexOutOfBoundsException in the Listing when the XREF Group by Function option is toggled on and Maximum Number of XREFs to Display is set to 1. (GP-2328, Issue #4445)

GUI. Fixed a NullPointerException that occurred when using the Go To dialog. (GP-2388)

GUI. Corrected Function Editor's Custom Storage editor dialog issues that prevented proper editing behavior. (GP-2483, Issue #4492)

GUI. Fixed a NullPointerException in the Patch action's auto-complete text field. (GP-2616, Issue #4604)

Headless. Fixed analyzeHeadless.bat reporting that Maximum setlocal recursion level reached when a large number of command line arguments were specified. (GP-1735)

Headless. Fixed wildcard '*' path expansion not working properly when calling headless from Linux/macOS. (GP-2209, Issue #3409, #4500)

Help. Fixed issue of help window not opening when help was missing. (GP-2409)

Importer. Fixed NullPointerException in GzfLoader encountered when importing a GZF embedded in a ZIP file. (GP-1667)

Importer. Fixed infinite loop in import dialog that occurred when verifying filename with leading tilde (~) character. (GP-1849, Issue #4034)

Importer. When importing a file, the internal program name has been changed to reflect the name of the imported file and not the user-selected file name where Ghidra stores the program in the project. Ghidra programs have two names; the internal name and the file storage name. The file storage name must be unique within a project. The internal name can be retrieved using program.getName() and the storage name can be retrieved using program.getDomainFile().getName(). (GP-1876)

Importer. External library links produced by the NeLoader are now working correctly. Libraries can now be discovered when loaders specify that library filename extensions are optional. (GP-2497, Issue #2063, #2233)

Importer. Case-insensitive library lookup now works for already-imported libraries. (GP-2498, Issue #906)

Importer. Libraries are now properly recursively imported. (GP-2510, Issue #110)

Importer. Fixed OMF comment record parsing. (GP-2528, Issue #3780, #4560)

Importer:ELF. Added -applyArmElfRelocPCBias import option for relative relocation processing to account for differences in how tool-chains factor in the bias value. (GP-2041)

Importer:ELF. Corrected processing of ELF REL type relocations for R_ARM_JUMP24, R_ARM_CALL and R_ARM_PLT32. (GP-2350, Issue #4455)

Importer:ELF. Fixed problem reading Elf32 binaries that were missing certain sections. (GP-2577, Issue #4605)

Importer:ELF. Corrected MIPS ELF .plt.got markup error which could prevent import. (GP-2592, Issue #4602)

Importer:ELF. Corrected ELF MIPS-64 bit data relocation processing issue for R_MIPS_REL32 and R_MIPS_32. (GP-2678, Issue #4633)

Importer:ELF. Corrected ELF relocation table processing to handle statically linked binaries. (GP-2703)

Importer:ELF. Corrected ELF Import processing of symbol table when associated string table is missing. Previously caused exception. (GP-2744, Issue #4680)

Importer:ELF. Added support for ELF DT_GNU_XHASH symbol hash table. (GP-2749, Issue #4649)

Importer:PE. Fixed several bugs in the PE menu resource parser. (GP-1806, Issue #4017, #4018, #4020, #4021)

Importer:PE. Fixed incorrect PE driver COFF symbol offsets. (GP-1933, Issue #3564, #4139, #4168)

Importer:PE. Changed PE loader to label values found in PE header as PE Property[propertyname] instead of just bare propertyname when inserting the information into the program info list. (GP-2343, Issue #4452)

Importer:PE. Fixed an issue in the PeLoader that sometimes prevented symbols imported by ordinal from getting correctly labeled with their name. (GP-2422, Issue #4474)

Importer:PE. Fixed PE Header PdbInfo structure creation to have correct PDB pathname length. (GP-2428, Issue #4501)

Importer:PE. PE DebugDirectory entries with type IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS are now supported. (GP-2453, Issue #4502)

Importer:PE. Removed setting of TMode in PELoader for ARM PE files. Relying on the default setting of TMode from language variant selection at time of import. (GP-2525)

Listing. Fixed bug that showed incorrect references when double-clicking the XREF text in the Listing. (GP-1891)

Listing. Updated the Go To dialog to respect the tool option that restricts searches to the current program. (GP-2296)

Multi-User. Corrected ConcurrentModificationException condition on Ghidra Server when cleaning-up stale connection registrations. (GP-2441)

PDB. Fixed PDB Universal static local variable processing. (GP-1023)

PDB. Fixed calculation of number of files contributing to a module. (GP-1775)

PDB. Fixed a NullPointerException that would occur when a PDB did not have DebugInfo. (GP-1827)

Processors. Added support for ELF PowerPC R_PPC_EMB_SDA21 relocation and implemented lq instruction pcode. (GP-713, Issue #890)

Processors. Corrected issue with avr32 abs instruction using the floating-point abs pcode operator. (GP-1165)

Processors. Corrected semantics for ARM vcvt instruction. (GP-1503, Issue #3418)

Processors. Fixed TriCore jl instruction semantics. (GP-1638, Issue #3552)

Processors. Corrected carry flag semantics for the M68000 addx instruction. (GP-1644, Issue #3818)

Processors. Reduced complexity of several PA-RISC floating-point instructions. (GP-1656)

Processors. Corrected semantics for x86 FST instruction. (GP-1694, Issue #3894, #3895)

Processors. Corrected missing register definition in V850 processor. (GP-1701, Issue #3865)

Processors. Corrected register operand list for ARM vsub instruction. (GP-1712, Issue #3943, #3944)

Processors. Added undocumented x86 ffreep instruction. (GP-1722, Issue #3883)

Processors. Corrected ARM Neon vraddhn disassembly. (GP-1736, Issue #3978)

Processors. Simplified the TriCore st.t instruction semantics. (GP-1746, Issue #2326)

Processors. Fixed minor issue with TriCore sleigh file missing closing endif statement. (GP-1762, Issue #4029)

Processors. Corrected semantics of ARM bfi instruction. (GP-1763, Issue #4011)

Processors. Fixed some bugs involving JVM switch instructions and JVM switch analysis. (GP-1774, Issue #3980, #3981)

Processors. Included VPFv4 instructions in the ARM language. (GP-1817, Issue #2498, #3222)

Processors. Fixed punctuation consistency issue for ARM instructions with register lists. (GP-1837)

Processors. Fixed disassembly of M68000 fmod caused by manual typo. (GP-1946, Issue #4131)

Processors. Implemented previously unimplemented M68000 pack and unpk instructions. (GP-2014, Issue #4223)

Processors. Fixed an issue with the RISC-V pattern constraints filename. (GP-2046, Issue #4002, #4003)

Processors. Fixed incrementing of the stack pointer in 6502 PLP instruction. (GP-2092, Issue #4249)

Processors. Fixed Coldfire tpf instruction to not consume trailing bytes, which may be valid instructions. (GP-2104)

Processors. Fixed the TI MSP430 RPT instruction to use correct operand types. (GP-2112)

Processors. Fixed RISCV 64-bit long datatype size and alignment. (GP-2161, Issue #2590)

Processors. Fixed register zero reads in microMIPS and MIPS16. (GP-2162)

Processors. Fixed x86 SLEIGH issues that caused disassembly errors in various instructions. (GP-2196, Issue #4344)

Processors. Corrected semantics for SuperH trapa instruction to properly dereference the vector address. (GP-2344, Issue #4396, #4477)

Processors. Renamed avr8 W register to R25R24. (GP-2499, Issue #4516)

Processors. Corrected issue with ARM ldrht, ldrsbt, ldrsht, and strht not disassembling. (GP-2536, Issue #4582)

Processors. Corrected port addresses in ATmega256 for MAFCR0 and MAFPA2L. (GP-2538, Issue #4592)

Processors. Corrected error in 6809 extended-address bit pattern. (GP-2562, Issue #4600)

Processors. Corrected missing S bit in ARM thumb BIC instruction. (GP-2696)

Processors. Added missing parentheses in 6502 indirect JMP instruction. (GP-2701, Issue #783)

Processors. Corrected several instances of ARM instruction parse conflicts. (GP-2718)

References. References in Byte-Mapped memory blocks will now be created correctly. (GP-2420)

Scripting. Added the script setReusePreviousChoices(boolean) method to allow script writers to not reuse the last-entered values in the various ask dialogs. (GP-1743, Issue #3937)

Scripting. Improved script error handling during load and initialization. (GP-2618)

Sleigh. Fixed a bug causing incorrect p-code to be generated when implementing the behavior of a SLEIGH bitrange operator applied to a dynamic symbol. (GP-1583, Issue #3716)

Testing. Fixed issue with pcodetest generation when test directory does not exist. (GP-2091, Issue #4239)

Version Tracking. Fixed a bug in Version Tracking where calling conventions were no longer being applied when applying function signature markup from the source to the destination program. (GP-1045)

Ghidra 10.1.5 Change History (July 2022)

Improvements

Analysis. Changed disassembly of interrupt vectors with pointers to be consistent with interrupt vectors with code, specifically for ARM-cortex-embedded binary disassembly. (GP-2080, Issue #4263)

Processors. Added HC-12 processor support with a Flat 16-bit memory model by splitting HCS12X into HC-12, HCS-12, and HCS-12X processors. (GP-1716, Issue #1570, #4016)

Processors. Added ability to specify byte-mapped and overlay memory blocks from processor specification (*.pspec). (GP-2133, Issue #2703)

Processors. Added PowerPC e500 processor variant. (GP-2272)

Processors. Added support for AARCH64 ilp32 variant. (GP-2355)

Bugs

Analysis. Fixed function purge setting for x86 16-bit functions using RETF to return. (GP-2103, Issue #4293)

Analysis. Protected use of tmodeReg value in ArmAggressiveInstructionFinderAnalyzer when processor does not have a TMode register. (GP-2122)

Analysis. Fixed constant reference analysis bug introduced from refactoring that would not use the Speculative reference min analyzer setting. (GP-2365, Issue #4257)

CParser. Added support for the C11 _Noreturn keyword. (GP-2275, Issue #4273)

Debugger:Trace. Fixed event type numbering issue in Traces, which was causing enormous resource waste. (GP-2153)

Decompiler. Fixed bug that could cause the Decompiler to mislabel a switch case as default. (GP-2082, Issue #4268)

Decompiler. Fixed exception in Decompiler when making a selection on a wrapped line. (GP-2097, Issue #4309)

Decompiler. Fixed a memory error in the decompiler associated with data-types defined as a typedef of a structure. (GP-2178, Issue #4328)

Decompiler. The Decompiler now further simplifies expressions involving return values, parameters, or other variables that are explicitly marked as boolean. (GP-2212, Issue #4338)

Decompiler. Fixed a bug that could cause the Decompiler to crash in the hash method used to map Equate information and other dynamic annotations onto variables. (GP-2288, Issue #4410)

GUI. Fixed GTree rendering bug exhibited on some Linux platforms. (GP-2047, Issue #4260)

GUI. Fixed incorrect error message when pasting bytes. (GP-2164)

GUI. Fixed exception in table column filters. (GP-2317)

Importer:ELF. Corrected ELF import issue which could fail to create an uninitialized block for a SHT_NOBITS section with invalid file offsets. (GP-2098, Issue #4095)

Importer:ELF. Corrected ELF issues related to treatment of absolute symbols (SHN_ABS). (GP-2330)

Importer:PE. Fixed an issue with PE symbol table offset validation that prevented some binaries from being recognized as PE files. (GP-2322)

Multi-User:Merge. Corrected long-standing regression bug affecting datatype merge, which was introduced in Ghidra 9.2. This severe error could surface during a datatype conflict merge with a shared project and could prevent a check-in to a Ghidra Server repository. (GP-2066)

Processors. Refactored AVR8 to handle 24-bit memory and to correctly index the code address space as a byte or word. (GP-2213, Issue #4333)

Processors. ELF PLT import processing changed to avoid static disassembly for ARM/MIPS due to possibility of alternative instruction set. Now relies on disassembly during analysis for such cases. (GP-2256)

Scripting. Creating a new script via the Script Manager now properly handles the situation where the $HOME/ghidra_scripts directory does not exist. (GP-2282)

Sleigh. Fixed a Sleigh Parser threading issue that could cause incorrect p-code generation for languages that use delay slots. (GP-2235, Issue #4332)

Ghidra 10.1.4 Change History (May 2022)

Improvements

Debugger:Listing. Refresh button in Debugger's Dynamic Listing and Memory Bytes views now operates without a selection and is more thorough with respect to cache invalidation. (GP-1930)

Bugs

Analysis. Fixed an exception that occurred when loading programs created in previous versions where the analysis option's type had changed (String to Long). (GP-1738)

Analysis. Constant reference propagation now uses pcode injection for segment and all userops. This affects 16-bit code and the HCS12 processor. (GP-1987, Issue #4252)

C Parsing. Added C-Parser support for static_assert and _Static_assert keywords. (GP-1958, Issue #4038)

C Parsing. Corrected C-Parser to parse sizeof structure members, both sizeof(ptr->member) and sizeof(struct.member). (GP-1964, Issue #4173)

Decompiler. Fixed bug causing the Decompiler to not label pointer references to the first parameter on the stack. (GP-2018)

GUI. Fixed bug that caused some edited functions to appear twice in the Functions window. (GP-2025)

GUI. Fixed potentially slow computer name lookup in the Error Dialog. (GP-2034)

Importer:COFF. Fixed importing of non-Microsoft COFF files when any section crosses address 0x80. COFF sections marked as data that won't fit into the default data address space will be loaded in the code address space. (GP-2045)

Ghidra 10.1.3 Change History (April 2022)

Improvements

API. Added the getActiveGraphDisplay() API method to GraphDisplayProvider to get the active graph. (GP-1804, Issue #4060)

Debugger. Created better comment in Dynamic Listing Go To dialog so users don't default to *:4 EAX syntax. (GP-1820)

Debugger. Created new navigation methods for Objects representing addresses. (GP-1822)

Debugger. Switched to DomainFile name in Debugger dialogs to avoid confusion. (GP-1872)

Debugger:Trace. Improved performance of trace database. (GP-1727)

FID. Updated stale signatures in the FID database files. (GP-1853, Issue #2877)

Importer:ELF. Added support for additional ELF ARM-32 relocations not previously handled (R_ARM_THM_JUMP8, R_ARM_THM_JUMP11, R_ARM_THM_MOVW_ABS_NC, R_ARM_THM_MOVT_ABS, R_ARM_THM_MOVW_PREL_NC, R_ARM_THM_MOVT_PREL, R_ARM_THM_MOVW_BREL_NC, R_ARM_THM_MOVW_BREL, R_ARM_THM_MOVT_BREL). (GP-1742, Issue #2794)

Processors. Refactored the 6805/6809 processor to better allow variants of MC6800 processor line. (GP-1695, Issue #3673)

Processors. Added 16-byte return values for AARCH64 in X0, X1. (GP-1739)

Scripting. Improved RecoverClassesFromRTTIScript's method to validate GCC programs. (GP-1832)

Bugs

Analysis. Fixed FID Analyzer to run only once on programs with call-fixups or identified non-returning flow. (GP-1502)

Analysis. Corrected the creation of Objective-C structures when structures collided with existing generic pointers laid down by chained-pointer processing during import. (GP-1841)

Analysis. Corrected stack reference creation and the display of current instruction stack depth in the stack-depth browser field for MIPS 64-bit language processor with 32-bit addressing. (GP-1862)

Analysis. Fixed placement of constant references when a parent register's value is built up using the smaller sub-registers (hi/low). This is common on MIPS and other 8-bit processors such as AVR8. This would occasionally cause a reference to be placed incorrectly on a previous function call. (GP-1942)

Basic Infrastructure. Fixed a NoClassDefFoundError that occurred when launching Ghidra in single-jar mode. (GP-1741, Issue #3961)

C Parsing. CParser fixes for pragma(push), re-included header files, #if/defined() tests on define values, unicode BOM files, and full evaluation of macro expansion. Added more information to the CParserPlugin.out file prefixed with /// comments which should enable easier diagnosis of parsing issues. Reparsed current standard data archives with correct 64/32 data organizations. Fixed issue where many data types had incorrect pack() values in Windows archives, such as WNDCLASSEXW. To make use of the corrected data types, programs data types will need to be re-synchronized if they depend on the included Windows or clib data type archives. Windows VS2022 and Windows 11 SDK header files can now parse and will be included in the next feature release. (GP-1744, Issue #3756)

Data Types. Corrected UnsupportedOperationException error which could occur when dragging a datatype from one archive to another. (GP-1758)

Data Types. Fixed Data Types filter not being applied when using the various Find actions. (GP-1799)

Debugger. Fixed the defaults for log4j file locations; template patterns for empty values were crashing the process on Windows. (GP-1731, Issue #3965)

Debugger. Fixed NullPointerException caused by Debugger Console's preferred height. (GP-1766)

Debugger. Fixed race condition on right-click of non-selected tree node. (GP-1845, Issue #4093)

Debugger. Fixed missing eflags in Register View for dbgeng. (GP-1873)

Debugger. Fixed IllegalArgumentException in TraceObjectManager. (GP-1874)

Debugger:Breakpoints. Fixed issue with toggling breakpoints from within the Dynamic Listing. (GP-1706)

Debugger:Memory. Fixed timing issue where Debugger Memory view may have incorrect location label. (GP-1882)

Debugger:Trace. Fixed issue with StringDataType null terminators in stale trace ranges. (GP-1737)

Decompiler. Updated the Decompiler Find dialog's default text when showing the dialog with comment text selected. (GP-1721, Issue #3946)

Decompiler. Fixed the Decompiler Find dialog's sometimes incorrect result highlighting. (GP-1765, Issue #3928)

Decompiler. Fixed a bug in the Decompiler preventing prototype overrides from being applied to calls produced by Call-Fixup injection. (GP-1792, Issue #3319)

Decompiler. Updated the Decompiler hover for structure fields to show the parent name and the offset in the parent. (GP-1793, Issue #3920)

Decompiler. Eliminated infinite loop in the Decompiler encountered when applying convert/equate. (GP-1924, Issue #4121)

FID. Fixed bug causing Program ... has different compiler spec... exception when populating FID signatures. (GP-1839, Issue #4042)

FileSystems. Fixed problem opening files in paths that start with a UNC location (\\location\path). (GP-1696, Issue #3912)

Framework. Fixed bug that could cause a NullPointerException when removing custom Compiler Specification extensions from a Program. (GP-1715, Issue #3906)

GUI. Fixed default function Plate Comment formatting. (GP-1717)

GUI. Fixed the Search Memory Dialog buttons to re-enable after closing a long-running search results table. (GP-1753, Issue #4014)

GUI. Updated Symbol Edit dialog to not allow namespaces editing with a blank name. (GP-1754, Issue #4015)

GUI. Fixed table CSV export of boolean values. (GP-1764, Issue #3947, #4026)

Headless. Corrected potential NullPointerException for Headless Analyzer when a specified filename to process does not exist in a searched project folder. (GP-1916)

Help. Fixed Help Viewer Find feature, clearing search result highlights when the search dialog is closed. (GP-1718)

Importer:ELF. Corrected MIPS type 5/6 relocation calculation. Previously, the LO16 value, extracted as an addend from the instruction, was not sign-extended. (GP-1834)

Importer:PE. Fixed a bug that prevented certain types of PE files from being recognized by the PeLoader. (GP-1713, Issue #3830, #3902)

Importer:PE. Detect .NET managed code in mixed Native/MangedCode binaries and only disassemble the correct x86 or CLR routines based on the current processor. (GP-1938, Issue #4159)

Processors. ARM BL conditional call instruction, which calls to the next instruction, has been changed to a branch instead of a call. Calling the next instruction on ARM is generally only to get the LR register loaded for PIC code. (GP-1752)

Processors. Fix bug in MIPS rdhwr instruction to use correct hardware registers. (GP-1879)

Scripting. Fixed the Bytes table column rendering in the scripting TableChooserDialog. (GP-1714)

Scripting. Fixed two bugs in RecoverClassesFromRTTIScript.java encountered when creating class structures. (GP-1781)

Scripting. OSGI jar bundles now correctly load on Windows. (GP-1846, Issue #3995)

Sleigh. Fixed bug preventing prototype model extensions with p-code from being imported. (GP-1915)

Ghidra 10.1.2 Change History (January 2022)

Improvements

Basic Infrastructure. Upgraded Gson to 2.8.9. (GP-1632, Issue #3802)

Basic Infrastructure. Upgraded log4j to 2.17.1. (GP-1641)

Build. Increased minimum supported Gradle version from 6.4 to 6.8. (GP-1680)

Debugger:Emulator. Emulator's PcodeStepper now displays the decoded instruction. (GP-1474)

Debugger:Watches. Double-clicking a pointer value in the Watches window navigates to the pointer rather than its address. (GP-1469)

Listing. Updated the Listing Operands field to support word-wrapping for enum data types. (GP-1665, Issue #3812)

Scripting. Improved the RecoverClassesFromRTTIScript to create function definitions for multi-inheritance and single virtual inheritance classes in the correct ancestor class data type folders. (GP-1663)

Scripting. Updated RecoverClassesFromRTTI script for GCC programs to only create typeinfo structures in non-executable memory. (GP-1686)

Bugs

Analysis. Fixed another bug with recovering Objective-C method names. (GP-1642, Issue #3817)

Analysis. Certain switch cases using the AARCH64 CSEL instruction will now recover correctly. Previously internal CBRANCH instructions could cause switch flow recovery failure in the decompiler switch analyzer. (GP-1687)

Analysis. Fixed unused Microsoft Demangler options. (GP-1688, Issue #3892)

Analysis. Reverted change (GP-1575) introduced with Ghidra 10.1 which improperly factored image-base into analysis of ELF LSDA GCC exception records. (GP-1702)

Build. Fixed gradle buildGhidra issue where a second build doesn't include all the files. This issue appears to be a bug introduced in Gradle 7. (GP-1648, Issue #3827)

Data Types. Fixed display of multiple Enum values. (GP-1657, Issue #3810)

Debugger. Now invalidating caches for dbgeng/dbgmodel in the GADP variants so the memory is not left stale. (GP-846)

Debugger. Fixed exception when cancelling password entry for GDBOverSSH. (GP-1655, Issue #3578)

Debugger:Memory. Fixed Debugger Memory background colors during emulation. (GP-1590)

Debugger:Trace. Fixed issue where emulated state leaked into recorded state. (GP-1620)

Debugger:Trace. Fixed NullPointerException when disassembling stale memory. (GP-1646)

Decompiler. Fixed the Decompiler Retype Field action to not rename the field. (GP-1654, Issue #3783)

Decompiler. Decompiler now recovers jump tables that use PIC mechanisms or other forms relying on injected p-code. (GP-1659)

Demangler. Fixed demangling bug that produced incorrect types such as unsigned_short. (GP-1662)

GUI. Fixed incorrect tool option reference in the Create Table From Selection action. (GP-1676, Issue #3858)

GUI. Fixed the Decompiler Find Text dialog's auto-complete feature to not change the default text entry added to the dialog. (GP-1685, Issue #3890)

Importer:Mach-O. Fixed an IllegalArgumentException that occurred when loading some kernelcache images. (GP-1675, Issue #2487)

Importer:PE. Fixed an exception that occurred when re-parsing PE programs with a .pdata section from memory. (GP-1636, Issue #3347, #3800, #3805)

PDB. Fixed incorrect bounds on item type iteration; one effect of the fix is that the user might notice more unsupported PDB data type messages in the log. (GP-1677)

Processors. Fixed issue with Motorola 6809 immediate operands being set to zero. (GP-1611, Issue #2116, #3755)

Processors. Corrected PowerPC efscmp* and efstst* instructions condition register usage. (GP-1639, Issue #2528)

Processors. Fixed the target of JUMP and JSR for the 6809 to use [target] instead of jumping directly to target which incorrectly jumped to the address of the unique variable. Also fixed a compile issue in the half-finished 6309 EXG and TFR instructions. (GP-1690, Issue #3825)

Scripting. Fixed the ApplyClassFunctionDefinitionUpdatesScript and the ApplyClassFunctionSignatureUpdatesScript to work correctly with the recent RecoverClassesForRTTI changes to function definitions. (GP-1601)

Scripting. Fixed bug in a class recovery helper class that was causing an exception in some cases when trying to replace a component in a structure. (GP-1670)

Scripting. Removed a misplaced space character in the name passed to setLabel in RecoverClassesForRTTIScript. (GP-1671)

Sleigh. Fixed bug that could cause erroneous decompilation of functions in overlays. (GP-1661, Issue #3828)

Ghidra 10.1.1 Change History (December 2021)

Improvements

Analysis. Fixed headless analysis exception related to running UI code from the GNU Demangler analyzer. (GP-1613, Issue #3765)

Basic Infrastructure. Upgrade logging dependency to use log4j 2.17.0 (GP-1621)

Debugger:Memory. Added New Memory Bytes View to Window->Debugger menu. (GP-1465)

Debugger:Memory. Fixed issue with Debugger Memory view scrolling. (GP-1591)

GUI. Removed restriction that prevented renaming tree nodes while the tree is filtered. (GP-1507)

GUI. Fixed issue where renaming a symbol in the symbol tree could result in the symbol appearing more than once (under different organizational nodes) (GP-1587)

Help. Fixed NullPointerException when using the help system with animation disasbled. (GP-1612, Issue #3767)

Bugs

Basic Infrastructure. Fixed the "ERROR StatusLogger Reconfiguration failed" message that appeared in the log when Ghidra was launched with support/ghidraDebug script. (GP-1607)

Debugger. Fixed null pointer exception in Debugger when opening a program from a shared project. (GP-1490)

Debugger. Fixed issue with context menus on the trace selector tabs in Debugger Threads window. (GP-1494)

Debugger. Fix for font resizing (GP-1597, Issue #3752)

Debugger. Fixes null-pointer exceptions in lldb (GP-1600, Issue #3645)

Debugger:Listing. Fixed default configuration problem when cloning the Debugger Listing window. (GP-1479)

Importer. Fix issue importing NE binaries that have a segment number greater than 127. (GP-1576, Issue #3715)

Ghidra 10.1 Change History (December 2021)

New Features

Build. Ghidra now builds on 64-bit Linux ARM and macOS M1 platforms. (GP-1106, Issue #3197)

Build. Native binaries for the current platform can now be built/rebuilt from within a release using the support/buildNatives(.bat) script. Please see the "Building Ghidra Native Components" section of the Installation Guide for additional information. (GP-1209, Issue #3387)

Data Types. DataType API: Added encodeValue and encodeRepresentation methods which facilitate patching. (GP-1265)

Debugger. Added Memory view (raw bytes) to the Debugger. (GP-80)

Debugger. Added new agent for LLDB on macOS and Linux. (GP-1005, Issue #2591, #2967)

Debugger. Added Copy Into Current Program and Copy Into New Program actions to Debugger. (GP-1214)

Debugger. Added Compare action to Dynamic Listing to compare points in time. (GP-1222)

Debugger. Added Events/Exceptions to Objects View. (GP-1288, Issue #3049)

Debugger:Emulator. Added Emulate Program and Add Emulated Thread actions for loading a program into a purely emulated trace. (GP-660)

Decompiler. Added support for else if syntax in Decompiler output. (GP-1172, Issue #1609)

Importer. Added support for Android formats (ART, OAT, ODEX, DEX, CDEX, VDEX) and Dalvik VM Sleigh modules for each major Android release up to version 12.x (S). (GP-1247)

Scripting. Created RunYARAFromGhidra.py to map YARA rules to Ghidra comments. (GP-1199)

Improvements

Analysis. The called ___chkstk_ms() function is now properly recognized and handled with a call fixup for windows x86-64. (GP-1347, Issue #1888, #1889)

Analysis. Added support for Objective-C small methods. (GP-1397, Issue #2719, #2732)

Analysis. Fixed several memory usage issues with constant propagation for very large functions, resulting in an average 10-20 percent time savings for constant propagation and stack analysis. (GP-1418, Issue #3508)

API. Updated API methods of the DataTypeChooserDialog. (GP-1349, Issue #3140)

Basic Infrastructure. Symbol performance in Ghidra was significantly improved. Specifically, new database indexes were created to improve finding primary symbols as well as improving lookups by combinations of name, namespace, and address. (GP-1082)

Basic Infrastructure. Added optional columns in the Functions table for several boolean-valued function attributes. (GP-1393)

Basic Infrastructure. Upgraded log4j dependency from 2.12.1 to 2.15.0 to resolve a security vulnerability. (GP-1588)

Build. Extension builds can now declare jar dependencies from standard Gradle repositories such as Maven Central. (GP-1144, Issue #2219, #2226)

Build. Increased minimum supported Gradle version from 6.0 to 6.4. (GP-1521, Issue #3650)

Data Types. Added support for zero-element arrays and zero-length components within structures and unions. Eliminated flex-array API methods and added/improved other Structure methods to handle multiple components which share the same offset. (GP-943)

Data Types. Added the ability to set comments on enum values. (GP-1316, Issue #1680, #2421)

Data Types. Updated Windows and generic clib data type archives to take advantage of improved CParser including changes to handle sizeof() correctly. (GP-1551, Issue #615)

Debugger. Respond to CLI-driven memory changes in dbgeng. (GP-853)

Debugger. User can now override the Debugger's processor selection when manually activating the Record (R) action. (GP-1233)

Debugger. User can now double-click in Listing margin to toggle breakpoints. (GP-1395)

Debugger. Adjusted alignment of Description tag in Debugger's Connect dialog. (GP-1416)

Debugger:Emulator. Added more accessor methods to PcodeThread, Machine, Executor, and similar classes. (GP-1223)

Debugger:Emulator. Added more accessor methods to PairedCodeArithmetic, ExecutorState, ExecutorStatePiece, and similar classes. (GP-1224)

Debugger:Emulator. Emulator now responds better to memory and register edits. (GP-1486)

Debugger:Emulator. Registers window can now modify emulated register values. (GP-1530)

Debugger:GDB. GDB manager handles =cmd-param-changed events. (GP-1330)

Debugger:GDB. Ported GDB's SSH connector to JSch. (GP-1387)

Debugger:LLDB. Improved build scripts for LLDB Java language bindings. (GP-1477)

Debugger:Memory. Added Force Full View override toggle to Debugger's Regions window. (GP-1447)

Debugger:Stack. Fixed various NullPointerExceptions among the Debugger Stack and Threads windows. (GP-1475)

Debugger:Trace. Trace API now supports Overlay spaces. (GP-484)

Decompiler. Added the Rename Label Decompiler action to allow label name editing. (GP-1195, Issue #1751)

Decompiler. The Decompiler now recognizes typedef relationships between data-types when determining if casts are necessary. (GP-1297, Issue #2393, #3249)

Decompiler. Improved the Decompiler's analysis of pointer calculations affected by common subexpression elimination. (GP-1312)

Decompiler. Added methods to ClangTokenGroup to facilitate iteration and filtering over the Decompiler's output tokens. (GP-1317, Issue #2040)

DWARF. Relaxed DWARF symbol name mangling to allow colons and forward slashes; changed space mangling to use underscores. (GP-1122, Issue #2014, #2043)

DWARF. Improved DWARF analyzer to handle MIPSPro 64-bit file format oddity. (GP-1171, Issue #3223)

DWARF. Improved DWARF analyzer to import DWARF data from PE binaries. (GP-1192, Issue #1267)

DWARF. Add support for DWARF external debug files. (GP-1286, Issue #3513)

DWARF. Added support for DWARF noreturn function attribute. (GP-1390)

Eclipse Integration. Eclipse Python breakpoints now work when Eclipse installs PyDev in .p2 bundle pool directory. (GP-1338, Issue #3453, #3454)

Exporter. Updated the DataTypeWriter to emit enum comments. Furthermore, the enum data type has been updated to return names sorted by enum value, which is now the order in which enum values will be emitted by the DataTypeWriter. (GP-1374, Issue #1664)

Exporter. The PE Exporter no longer forces files to be saved with a .exe extension. (GP-1385, Issue #3391)

Extensions. Building extensions now fails gracefully if an unsupported Gradle version is used. (GP-1189, Issue #3313)

FileSystems. Temporary files created by GFilesystem implementations are now obfuscated when written to disk. (GP-253)

FileSystems. Added support for opening password-protected zip files. (GP-725, Issue #377)

FileSystems. Add support for opening HFS+ volume images. Improved support for ISO9660 images by using 7-Zip library. (GP-807)

Graphing. Created concept of graph types that define specific vertex and edge types so that color and shape attributes can be assigned indirectly to vertices and edges. Created tool options for setting/changing the display attributes for these types. (GP-773)

GUI. Added new layouts to the Function Graph. Each new layout is using one of the Jungrapht layouts. (GP-926)

GUI. Added option to change the background color of the Function Call Graph. (GP-1014)

GUI. Added menu support for the following navigation keys: Page Up, Page Down, Home, End, and number keys 1-9. (GP-1081, Issue #2811)

GUI. Added an option to group the XRef field in the Listing by function. (GP-1093, Issue #1305)

GUI. Symbol tree has been changed to improve its behavior in the presence of large scale changes such as analysis, loading PDB, etc. It now will auto-close the label or function category if the internal organization becomes too much out of balance. This will also improve the analysis performance when the root category nodes are closed. (GP-1198)

GUI. Improved composite interior selection of components with shared offset such as bit-fields. Previous behavior was forcing selection of multiple components. (GP-1261)

GUI. Fixed ClassCastException due to the Patch action incorrectly being added to the Function Graph context menu. (GP-1334, Issue #3288)

GUI. Updated the Search Memory dialog to allow the user to enter a single wildcard character to search for any byte value. Previously, two consecutive wildcard characters were required. (GP-1358, Issue #3351)

GUI. Updated auto-comments to show user-defined repeatable comments from the reference destination. (GP-1361, Issue #2475)

GUI. Changed the Context column to allow for filtering of special characters in the results table of the Find Uses of action. (GP-1370, Issue #3473)

GUI. Updated the CodeBlockIterator interface to extend Iterable. This allows the iterator to be used in Java's foreach loops. (GP-1381, Issue #3478)

GUI. Added Find Structures by Offset... and Find Structures by Size... actions to the Data Type Manager window. (GP-1382, Issue #759)

GUI. Added the ability to remove a non-default symbol by setting the Edit Label dialog text to the empty string; added an action to the Decompiler to remove non-default labels. (GP-1383, Issue #3285)

GUI. Fixed the Function Editor's Storage Address Editor dialog to ensure that the Cancel button will not allow data type changes to be passed through to the primary editor. (GP-1398, Issue #3490)

GUI. Updated the Comments Dialog to allow the Shift-Enter keystroke to insert a newline at the cursor position. (GP-1428, Issue #3548)

GUI. Updated the Symbol Table to allow users to enter optional namespaces when editing a symbol name. (GP-1430)

GUI. Fixed issue with shared actions across windows sometimes getting the wrong (non-focused) context. This was mostly related to windows with snapshot components. (GP-1440)

GUI. Updated the Data Types context menu to include all actions when showing the menu from the keyboard via Shift-F10. (GP-1566, Issue #3678)

Importer. Added support for new Mach-O load commands and file types. (GP-398, Issue #2487, #3572)

Importer. Added method to Memory to find addresses where a specific byte from a loaded FileBytes object is used in memory. (GP-1166)

Importer:Mach-O. The Mach-O loader now outputs a warning when it encounters encrypted sections. (GP-1406, Issue #1935)

Importer:Mach-O. Added support for the new iOS 15 and macOS Monterey dyld_shared_cache format. (GP-1524, Issue #3345, #3666)

Importer:PE. Added support for long section names (e.g., "/1234" indicates offset into string table where actual section name is found) in PE binaries. (GP-1177, Issue #1267)

Multi-User. Upgraded YAJSW to 13.01-beta. Ghidra Server can now run with JDK 17. (GP-1266, Issue #3406)

PDB. Improved processing time on huge PDBs, especially when many labels are seen at the same address, such as with Identical COMDAT Folding. This change also allows some additional valid labels to be applied at these addresses. (GP-1298)

Processors. Added pcodetests for ARM version 5, which does not support thumb mode. (GP-1078)

Processors. Added 65C02 opcodes to the 6502 processor. (GP-1112, Issue #1261, #3170)

Processors. Made numerous improvements to the SPARC language module. (GP-1135)

Processors. Improved and fixed several issues involving the SuperH4 language module. (GP-1212)

Processors. Updated manual index page numbers for AMD VMX instructions. (GP-1219, Issue #2923)

Processors. Updated x86 and AARCH64 processor manual index files. (GP-1234)

Processors. Added longMode bit to x64 language spec for mixed 32-/64-bit use cases; e.g., WoW64. (GP-1255)

Processors. Made minor improvements to the RISC-V language module. (GP-1409)

Processors. Corrected swap instruction semantics for PIC-24,30,33 processors. (GP-1565, Issue #3670)

Scripting. Improved RecoverClassesFromRTTIScript to better define virtual function data definitions to be more generically used by all related class structures. (GP-1311, Issue #3417)

Scripting. Added options to allow removal of replaced class structure data types when replaced with ones created by RecoverClassesFromRTTIScript. (GP-1315, Issue #3443)

Scripting. Changed class structures created by RecoverClassesfromRTTI so that the vftable pointers are separated from the class data structures inside a derived class. This allows the derived class vftables structures to be accessed correctly by the Decompiler. (GP-1408)

Sleigh. Modeled undocumented encoding of REP prefix for x86 instructions. (GP-1294, Issue #731)

Version Tracking. Updated Version Tracking to address multiple performance issues. (GP-1421, Issue #3221)

Version Tracking. Slightly relaxed score thresholds for the reference correlator portions of auto version tracking to enable discovery of more high scoring matches. (GP-1448)

Bugs

Analysis. Fixed a bug that would result in the COFF Header Annotation analyzer running on PIC binaries when it was not intended to. (GP-1366, Issue #3386)

Analysis. The Objective-C analyzer no longer crashes when encountering categories with an implementation in an external binary. (GP-1413, Issue #3510)

Analysis. Fixed a stack overflow in the Objective-C 2 Class analyzer. (GP-1420, Issue #2378)

Analysis. Fixed a bug with recovering Objective-C method names. (GP-1548, Issue #3611)

Analysis. Corrected a potential infinite loop in stack analysis and constant propagation due to recurring call-fixup injection to the same location. (GP-1554, Issue #3683)

Analysis. Fixed certain ELF exception records in ELF binaries marked as DW_EH_PE_absptr that are not relocated correctly when the binary is loaded in an alternate image base. (GP-1575)

API. Fixed issues related to moving memory blocks where the source and/or destination have pinned symbols. This could have resulted in addresses with symbols where no symbol is primary or having multiple symbols at an address that are primary. It could also have resulted in pinned symbols being moved from the destination to the source address range. (GP-1103)

API. Fixed an issue with the SymbolManager method getClassNamespaces() where it was only returning class namespaces in the global namespace. (GP-1346)

API. Critical Ghidra 10.1-BETA Issue: Corrected external function bug introduced in Ghidra 10.1-BETA which caused new functions to not be marked as primary. This is a critical bug which could impact most programs imported with 10.1-BETA. Such imports should be re-imported with this fix in place. (GP-1525)

C Parsing. Several issues parsing C header files have been fixed including ternary macro expression evaluation, #line preprocessor markup within functions and structures, far/near recognized as a keyword, and handling of __asm syntax. (GP-1335, Issue #1069, #1082, #2667, #464, #929)

Debugger. Fixed program actions (Save, Close, Undo, etc.) to work properly in the Debugger. (GP-508)

Debugger. Fixed issue getting registers on ARM targets with GDB where command exceeded 4096 characters. (GP-1356, Issue #3297, #3509)

Debugger. Fixed several issues with the GDB connector's use existing session option. (GP-1365)

Debugger. Fixed a NullPointerException from canceling a debug launch. (GP-1442)

Debugger. Fixed Select Addresses button for Debugger Modules pane. (GP-1450)

Debugger. Fixed issue with duplicate selection actions in the Debugger tool. (GP-1452)

Debugger. Fixed a bug in emulation where read/write ranges include the max address. (GP-1493)

Debugger. Fixed exception behavior for toggled Continue/Handled options. (GP-1558, Issue #3049)

Debugger:Emulator. Fixed Debugger integration and trace emulation for WoW64. (GP-1245)

Debugger:Emulator. Relaxed and corrected some logging of UNKNOWN/uninitialized values during emulation. (GP-1488)

Debugger:Emulator. Fixed several issues in Emulator with respect to Harvard architectures, memory-mapped registers, and word-addressable systems. (GP-1540)

Debugger:GDB. Fixed issue with GDB/GADP hang in development mode. (GP-1360)

Debugger:GDB. Fixed issue interrupting GDB targets launched without temporary breakpoint on main. (GP-1362)

Debugger:GDB. Fixed issues parsing and displaying various types of GDB breakpoints. (GP-1364)

Debugger:GDB. Fixed problem passing arguments to GDB in IN-VM and SSH modes. (GP-1368)

Debugger:GDB. Fixed a NullPointerException when terminating GDB. Changed PtySession API to prevent future occurrence. (GP-1399, Issue #3487)

Debugger:Listing. Fixed stack trace when switching to trace of a different processor language. (GP-1547)

Debugger:Trace. Fixed 'ram' not in this trace/language error. (GP-1411, Issue #3509)

Decompiler. Fixed a corner case in the manipulation of integer ranges by the Decompiler. (GP-1243, Issue #3064)

Decompiler. Fixed a bug in the Decompiler's renaming algorithm that could cause memory corruption in rare cases. (GP-1380, Issue #3429)

Demangler. Fixed GNU Demangling bug encountered when Address Table types have spaces in the parent namespace name. (GP-1051)

DWARF. Fixed check for invalid function addresses. (GP-1573)

Eclipse Integration. Fixed an exception in the GhidraDev Eclipse plugin that occurred when performing a Link Ghidra operation on projects that use a Gradle classpath container. (GP-1149, Issue #3087, #3088)

Exporter. IDA exporter no longer fails when function stack variables have comments. (GP-1190, Issue #2350, #3309, #748)

Exporter. Fixed an issue with the ElfExporter not correctly undoing relocations when they spanned partially file-backed memory blocks. (GP-1570, Issue #3696)

FileSystems. Fixed Ext4 handling of longer symlink paths and added support for inline data. (GP-1088)

FileSystems. Fixed Ext4 file system to handle volumes with blocksize 1024 and a first data block value of 1. Also added support for old style block maps. (GP-1094, Issue #1877)

Framework. Fixed error causing exception in the Specification Extensions panel when importing a new callotherfixup. (GP-1414, Issue #3502)

GUI. Fixed potential infinite loop in Function Graph edge painting. (GP-1019, Issue #2114)

GUI. Fixed minor memory leak encountered when using Search -> For Address Tables. (GP-1030, Issue #3013)

GUI. Fixed bug that prevented the Decompiler scalar hover tooltip from showing. (GP-1071, Issue #3142)

GUI. Fixed NullPointerException in File System Browser when closing the current project. (GP-1096, Issue #3179)

GUI. Fixed the script console to not lock the GUI when a large amount of text is being written. (GP-1148, Issue #3251)

GUI. Fixed long GUI hang when attempting to Set External Program on an import within in a large Ghidra project. (GP-1155, Issue #3245)

GUI. Fixed UI freeze when connecting to a large remote project. (GP-1200, Issue #3305)

GUI. Tweaked enablement of several search actions so that instead of being disabled when on a restricted view provider (e.g., Decompiler, FunctionGraph), they instead are enabled, but apply to the global listing provider. (GP-1259)

GUI. Fixed stack trace in the Function Call Graph when using the Show Incoming Level Edges action. (GP-1302, Issue #3327)

GUI. Fixed the Search Memory dialog issue that caused odd resize behavior when using the Advanced button. (GP-1333, Issue #3158)

GUI. Fixed tracking of Favorite data types when switching between multiple open programs. (GP-1391)

GUI. Fixed user list scrollbar in shared project dialog when there is a large number of users. (GP-1410)

GUI. Fixed bug that cause a structure field name to change when using the Retype Field action without picking a new data type. (GP-1429, Issue #3483)

GUI. Fixed issue when attempting to rename a datatype that has the same name as a category in the same parent cateogory. The rename would attempt to rename the category instead of the datatype. (GP-1445)

Importer. Fixed issue with Extract and Import action trying to create invalid filenames. (GP-1024, Issue #3114)

Importer. Fixed Extract and Import action when highlighting bytes in the debugger view. (GP-1449)

Importer:ELF. Corrected ELF importer error which could occur when processing memory section overlay blocks caused by AddressOutOfBoundsException exception. (GP-1052, Issue #3128)

Importer:ELF. Corrected various markup issues related to packed ELF Android relocations. Added missing ELF Arm 32-bit RELR relocation support. (GP-1352, Issue #3462)

PDB. Fixed short timeout values when downloading PDB files. (GP-1105, Issue #3184)

PDB. Fixed the Load PDB dialog to better handle missing or incomplete metadata. (GP-1180, Issue #3289)

PDB. Fixed NullPointerException encountered for a particular array of enums scenario where the enum definition processing had not completed. (GP-1456, Issue #3484)

Processors. Corrected return type for MIPS32 JIC instruction. (GP-938, Issue #3022)

Processors. Corrected pcode for ARM/ARM-Thumb adcs and sbcs carry and overflow flag updates. (GP-1043)

Processors. Corrected flag handling for some 6502 instructions. (GP-1054, Issue #3096)

Processors. Fixed issues with PPC register overwrites. (GP-1075, Issue #1672)

Processors. Fixed 6502 bit instruction semantics. (GP-1115, Issue #2558, #3095)

Processors. Fixed MIPS 32-bit little endian floating point register ordering. (GP-1129, Issue #3212)

Processors. Corrected PowerPC ISA instruction manual index page numbers. (GP-1218, Issue #2927)

Processors. Updated Tricore manual index file to match correct page numbers. (GP-1220, Issue #2926)

Processors. Fixed bug in SuperH moveml.l instruction which caused a load instead of store register. (GP-1263, Issue #3379)

Processors. Corrected semantics for MIPS INS instruction. (GP-1290, Issue #3405)

Processors. Corrected MIPS64 DINS instruction semantics. (GP-1291, Issue #2232)

Processors. Corrected semantics of PA-RISC shift conditions, which was incorrectly using the register size in bytes, as opposed to bits. (GP-1292)

Processors. Corrected ARM neon vmrs instruction disassembly. (GP-1322, Issue #3446)

Processors. Corrected SuperH bld and movemu instruction semantics. (GP-1331, Issue #3449)

Processors. Removed deprecated ARM condition code 15. (GP-1332)

Processors. Corrected issue with x86 call instructions when stack pointer is used as a reference. (GP-1357, Issue #3455)

Processors. Corrected MIPS pcodeop error in tlbr instruction. (GP-1363, Issue #3463)

Processors. Corrected ARM Thumb conditional instruction it to allow the al (always) conditional. (GP-1402, Issue #3499)

Processors. Removed extraneous sb from ARM ldrsb instruction. (GP-1412, Issue #3522)

Processors. Implemented M68000 CHK, CHK2, and CMP2 instructions. (GP-1478, Issue #2856, #3616)

Processors. Corrected SuperH trapa instruction to use a call p-code op instead of a goto. (GP-1504, Issue #3600)

Processors. Corrected x86 instruction parse and semantics for RDRAND and RDSEED. (GP-1564)

ProgramDB. Corrected language upgrade issue which could result in lost memory reference due to RefType change. (GP-1392)

Scripting. RecoverClassesFromRTTIScript now consistently applies its class structures in programs that have PDB information applied. Also, an option was added so users can decide whether to replace existing class data in thiscall functions regardless of whether they originated as PDB or not. (GP-1464)

Scripting. Fixed an issue where some GhidraScript print methods were not getting output to the script log file. (GP-1541, Issue #3657)

Sleigh. Corrected sleigh-language endian-mismatch error-message formatting. (GP-1132, Issue #3215)

Sleigh. Made numerous fixes to the PowerPC SLEIGH language module. Note: minor language version upgrade. (GP-1250)

Version Tracking. Fixed UnsupportedOperationException in Version Tracking when attempting to find references to register or stack addresses. (GP-1084, Issue #1152)

Version Tracking. Fixed Version Tracking Swap button to not trigger the reloading of programs. (GP-1183)

Ghidra 10.0.4 Change History (September 2021)

Improvements

Multi-User. Added class serialization filter to Ghidra Server as a security measure. (GP-1314)

Bugs

C Parsing. Changes to the CParser have been made to successfully parse a greater number of header files. The CParser will now correctly evaluate the truth of expanded macro substitutions in #if statements. Operator precedence has been corrected and support for additional operators added for constant simplification that is used to specify array sizes during parse. In addition, C17 structure initialization syntax and multiple type casts are now parsed. (GP-1295, Issue #1652, #2665, #2666, #3410)

Debugger. Changed Track Program Counter, etc., to re-track even when clicking them doesn't change the current setting. (GP-1282)

Debugger:GDB. Fixed issue with CRLF using GDB/SSH from Windows. (GP-1309, Issue #3426)

Decompiler. Fixed a NullPointerException encountered when hovering over the name of an Undefined Function in the Decompiler window. (GP-1260)

Decompiler. Fixed bug causing the Missing userop attribute in segmentop tag error message in the Decompiler for Z80 executables. (GP-1305, Issue #3329)

Decompiler. The Decompiler now handles small dynamically sized data types, like Alignment. (GP-1327, Issue #3399)

GUI. Fixed an AssertException in the Default Graph Display encountered when loading a saved graph layout. (GP-1313, Issue #3441)

Headless. Corrected NullPointerException for headless when no opinion results are found. (GP-1323)

Importer:PE. Fixed a regression with parsing COFF Aux symbols for PE/MZ loaders. (GP-1174, Issue #3442)

Multi-User. Corrected and improved specification of TLS version restrictions for client use via launch.properties and Ghidra Server use via server.conf. (GP-1287)

Processors. Corrected endianness mix-up in MIPS function start bit-patterns. (GP-1310, Issue #3421)

Ghidra 10.0.3 Change History (September 2021)

New Features

Debugger:Watches. Added ability to modify target memory and registers via the Watches window. (GP-1264, Issue #2866)

Improvements

Analysis. Improved SH4 constant reference analysis for PIC code, reference placement for jumps/calls, and non-return function analysis. General constant reference analysis has also been improved. (GP-1258)

Basic Infrastructure. Removed usage of the --illegal-access=permit JVM argument for improved JDK 17 runtime support. The Ghidra Server continues to require JDK 11 to successfully run at this time. (GP-1193, Issue #3355)

Debugger. Debugger Agent windows now display log messages. (GP-507)

Debugger. Changed Debugger's Launch action to propose the current program as the command line. (GP-1176)

Debugger. Providing broader defaults for recording GDB-supported architectures. (GP-1237)

Debugger:GDB. GDB connector's Use existing session prompts with more instructions. (GP-1076)

Debugger:GDB. Added use starti option to GDB launcher. (GP-1158)

Debugger:Mappings. Added Map Identically action to Modules window. (GP-1232)

GUI. Changed analysis options to always show current program options when accessed via Edit -> Options for <program>.... Also added warning if the user makes changes to the analysis options and then changes the combo box without saving the changes first. (GP-1188)

Importer. The ContinuesInterceptor, which allows the import process to proceed past uncaught exceptions that can be encountered while parsing corrupted headers, has been disabled by default. Its usage is now deprecated and will be removed in a future Ghidra release. It can be temporarily re-enabled in support/launch.properties. (GP-1248)

Importer:ELF. Added support for additional ELF AARCH64 relocations such as R_AARCH64_LDST64_ABS_LO12_NC. (GP-1278, Issue #3352)

Processors. Corrected semantics for x86/x64 FXSAVE and related instructions. (GP-1228)

Processors. Added semantics for several x86/x64 vector operations. (GP-1262)

Bugs

Byte Viewer. Fixed stack overflow issue in ByteViewer. (GP-1276)

C Parsing. Eliminated static variables that caused follow-on CParser tasks to error because they started in a bad state. (GP-1251, Issue #1421, #3350)

Debugger. Fixed NullPointerException in Objects window's Import/Export actions. (GP-1047)

Debugger. Fixed NullPointerException in DBTraceStack. (GP-1059)

Debugger. Fixed a rare deadlock involving DBTrace.addListener. (GP-1154)

Debugger. Track PC action now scrolls to cursor even if the cursor is already at PC. (GP-1175)

Debugger. Created better mapping of GDB ARM architecture names to Ghidra languages for the Debugger. (GP-1221, Issue #3333)

Debugger. Capture Memory button is more aggressive in finding the correct region to capture, reducing bad region errors. (GP-1227)

Debugger. Fixed delay slot disassembly in Debugger dynamic listing. (GP-1246, Issue #3358)

Debugger:Emulator. Fixed cache-reading issue in trace emulation. (GP-1187)

Debugger:Emulator. Fixed a critical typo in PairedPcodeArithmetic. (GP-1191)

Debugger:Trace. Dynamic listing now updates immediately when changing data type settings. (GP-1215)

Debugger:Trace. Removed Missing Instruction Prototype exception in favor of using InvalidPrototype. (GP-1226)

Debugger:Trace. Adding context fields to Register viewer no longer throws an exception. (GP-1256)

Decompiler. Fixed a bug that could cause an infinite loop in the Decompiler when using bonded register pairs. (GP-1270, Issue #3105)

Decompiler. Fixed a bug causing Exceeded maximum restarts with more pending warnings in the Decompiler. (GP-1277, Issue #3104)

Disassembly. Fixed an IllegalArgumentException in the Non-Returning Functions analyzer caused by processor specifications without a defined context, such as Sparc and SH4. (GP-1216)

DWARF. Corrected potential random errors in DWARF parsing caused by modifications to a shared global static DWARF decoder. (GP-1272)

Exporter. Exporters with empty default extension names will no longer append a dot to the output filename. (GP-1201, Issue #3325)

GUI. Fixed the missing mnemonic of the Graph menu. (GP-1244, Issue #3330)

Processors. Corrected carry flag semantics for the 6502 processor's SBC instruction. (GP-1109, Issue #3189, #3190)

Ghidra 10.0.2 Change History (August 2021)

New Features

Scripting. Created an example script which demonstrates how to use the FileBytes class to do a binary export of the current program. (GP-1157)

Improvements

Data Types. When creating a substructure from existing components, the new structure will adopt the pack setting of the parent structure from which it was created. Note that a packed structure may still move based upon component alignment rules. (GP-1111, Issue #3193)

Decompiler. Added E key binding to the Decompiler's Equate action. (GP-1146, Issue #3195)

GUI. Added Apply button to analysis options dialog. Also added a last chance save/cancel dialog that is shown when a user cancels an options dialog that has unsaved changes. (GP-1169, Issue #3274)

Scripting. For stripped GCC binaries, improved prototype RecoverClassesFromRTTIScript identification of vtables and simple class data, constructors, and destructors. (GP-1055, Issue #3266)

Bugs

Basic Infrastructure. Fixed regression that prevented Ghidra from launching on Windows when its path contained spaces. (GP-1113, Issue #3201, #3205)

Data Types. Fixed IllegalArgumentException error message when adding a duplicate enumerate name for EnumDataType. (GP-1173, Issue #3246)

Debugger. Changed diagnostics to write GDB.log to user directory, not installation. Clarified an error message. (GP-1133, Issue #3218)

Debugger. Improved error reporting when failing to start a Debugger GADP agent. (GP-1136, Issue #3175)

Debugger. Added system property to toggle alternative icons/colors for breakpoints. (GP-1139, Issue #3204)

Debugger. Applying a default everything memory map for GDB targets if info proc mappings fails or produces an empty list. (GP-1142, Issue #3071, #3074, #3161, #3169)

Debugger. Fixed issue with Debugger ignoring JAVA_HOME when launching child JVM. (GP-1143, Issue #3231)

Debugger. Fixed command-reply matching issue when using GDB via SSH. (GP-1153, Issue #3238)

Debugger:Emulator. Fixed bug in Trace Emulation causing ArrayIndexOutOfBoundsExceptions. (GP-1058)

Decompiler. Fixed issue causing Offset must be between... AddressOutOfBoundsException, when decompiling real-mode x86 programs. (GP-1163, Issue #239, #2948)

Decompiler. The decompiler now shows results when a HighGlobal has no associated symbol reference in the program. (GP-1184)

DWARF. Changed processing to ignore incomplete DWARF parameter lists in Rust binaries. (GP-1121, Issue #3060)

Exporter. The C/C++ Exporter now emits semicolons after function prototypes when using the Create Header File option. (GP-1145, Issue #1644)

Framework. Corrected address comparison for 64-bit signed address spaces (e.g., stack space, constant space) which could produce non-transitive comparison results. (GP-1178, Issue #3302)

Graphing. Corrected graph magnification behavior when using a high resolution mouse wheel. (GP-1181, Issue #3281, #3284)

GUI. Fixed NullPointerException when Hovering in Decompiler over a function that is not in memory. (GP-1131)

GUI. Fixed bug in Find References to search results that prevented '<' characters from being rendered. (GP-1137, Issue #3217)

GUI. Fixed issue where duplicate label names could cause the symbol tree to become unstable, evidenced by broken display and scrolling actions. Also, improved grouping algorithm. (GP-1159, Issue #3263)

GUI. Fixed Enter key in Set Equates dialog to choose the selected table row. Updated the Function Signature Editor dialog to allow the Cancel key to close the dialog when the focus is in the top text editor. (GP-1162, Issue #3235)

Headless. Fixed a regression in analyzeHeadless.bat that prevented the headless analyzer from running on Windows in some cases. (GP-1156, Issue #3261)

Importer. The MzLoader now populates the relocation table when relocations are performed. (GP-1160)

Importer:ELF. Corrected dynamic GOT/PLT markup problem for images which do not contain section headers. In cases where image does not define symbols within the PLT, analysis may be relied upon for its disassembly. ELF Importer's goal is to migrate symbols which may be defined within the PLT to the External symbol space. (GP-1110, Issue #3198)

Importer:Mach-O. The Mach-O importer now correctly interprets indirect symbols as references to symbols within another .dylib. (GP-1120)

Importer:PE. Improved ControlFlowGuard markup and creation of functions (GP-1179, Issue #1547, #1565)

Processors. Fixed bug in SuperH4 fmov.s pcode. (GP-1152)

Processors. The ARM instruction semantics for the mulitple-single-element forms of the vld1/vst1 vector instructions have been corrected. (GP-1167)

Sleigh. Fixed a string formatting error in the sleigh compiler. (GP-1124, Issue #3168)

Ghidra 10.0.1 Change History (July 2021)

New Features

Decompiler. The Decompiler now supports conversion (hex, dec, bin, oct, char) and equate actions directly on constant tokens in the Decompiler window. To the extent possible, these actions also affect matching scalar operands in the listing. (GP-1053, Issue #21)

Improvements

Basic Infrastructure. Ghidra now gracefully fails to launch when its path contains an exclamation point. (GP-1057, Issue #1817)

FileSystems. Can now handle multi-level Ext4 extent nodes when reading a file. (GP-1070)

Bugs

Build. No longer building and distributing the Debugger native test binaries. (GP-1080, Issue #3160, #3177)

Debugger. Corrected potential deadlock condition within Debugger which could occur under some circumstances during a breakpoint or while stepping. (GP-1072)

Decompiler. Fixed a bug in the Decompiler causing Overriding symbol with different type size exceptions. (GP-1041)

Exporter. PE and ELF exporters no longer error out when processing non-file-backed relocations. (GP-1091)

FileSystems. Corrected problem mounting Ext4 file systems when the container file is larger than the file system. (GP-1067)

Importer:ELF. Corrected ELF relocation error reporting, including error bookmarks, when relocation handler extension is missing. (GP-1097)

Jython. Added __file__ attribute support in Jython scripts. (GP-1099, Issue #3181)

PDB. Fixed bug that prevented constructor signatures from being created properly. (GP-1086)

PDB. Fixed bug in PDB CLI processing that could kill analysis for binaries imported with older versions of Ghidra. (GP-1104)

Processors. Added ELF Relocation handler for SuperH processors. Only a few common relocation types have been added. (GP-1090)

Scripting. Fixed a potential NullPointerException that could occur when trying to run a script that doesn't exist. (GP-1074, Issue #2742)

Scripting. Improved graphing of class hierarchy in RecoverClassesFromRTTIScript and the GraphClassesScript to handle duplicate class names, class namespace delimiters, and to make better vertex descriptions. (GP-1095)

Scripting. Fixed a flaw in the RecoverClassesFromRTTIScript that was not using PDB information to create data member names in class data structures. (GP-1101)

Ghidra 10.0 Change History (June 2021)

New Features

Debugger. Introduced the Debugger, along with GDB and dbgeng.dll connectors for debugging user-mode applications on Linux and Windows, respectively. The UI includes threads, timeline, modules, memory, registers, watches, etc., for examining and controlling debug targets. See Help -> Contents -> What's New for more details. (GP-986)

Exporter. For programs imported with the PE and ELF loaders, new exporters are available that write back to the original file layout. Any file-backed bytes that were modified by the user in the program database will be reflected in the written file (except on relocations). Writing back a modified Memory Map is not supported. (GP-786, Issue #1501, #1505, #19)

Graphing. Added Graph -> Data actions to the Code Browser, allowing visualization of specified pointer relationships in a graph. (GP-194)

Scripting. Added prototype RecoverClassesFromRTTIScript and that uses RTTI information to enhance Ghidra's knowledge of class hierarchy, class member function types (constructors, destructors, deleting destructors, clones) and class member data. The script will label and put member functions into correct class namespace and apply new class structures created either using PDB information, if available, or Decompiler pcode information. (GP-339)

Scripting. Added an example script, LocateMemoryAddressForFileOffset, to demonstrate mapping of a location in the original imported file to the program memory address. Useful for cases where the original file offset is known; for example, a YARA rule match. (GP-782)

Scripting. Created a script to allow users to search for image base offsets to the current cursor location in 32-bit and 64-bit programs. (GP-863)

Improvements

Analysis. Function signatures, including return types and argument data types, are now decoded from CLI Metadata for .NET binaries. (GP-327)

Analysis. Switched #Strings table processing from ASCII to UTF-8 for CIL binaries. (GP-330, Issue #423)

Analysis. Added Constant, Assembly, and AssemblyRef blob processing for CIL binaries. (GP-465)

Analysis. Added the Variadic Function Signature Override analyzer, which identifies functions that take a format string as a parameter and applies the correct signature override at each call site. (GP-516)

Analysis. Added ability to save and easily reuse analysis options in customer-defined configurations. (GP-544, Issue #2182, #312)

Analysis. Ghidra analysis is now aware of more PE/Windows non-returning functions. (GP-733, Issue #2111)

Analysis. ResolveX86orX64LinuxSyscallsScript now properly marks non-returning syscalls. (GP-868, Issue #2761)

API. Revised Structure and Union API, and associated editor, to eliminate the use of the terms Unaligned/Aligned in favor of a packing enablement designation. Also corrected various change notification issues which may improve archive synchronization and merge behavior. (GP-862, Issue #2681)

API. Renamed Datatype.isDynamicallySized() to DataType.hasLanguageDependantLength() to avoid confusion. This method is used internally to differentiate between fixed-length types and those whose length is determined by the compiler specification's data organization (e.g., pointers). (GP-932)

Basic Infrastructure. Improved error reporting when trying to launch Ghidra from the git repo without Eclipse having compiled it. (GP-815, Issue #2872)

Build. Command gradle -I gradle/support/fetchDependencies.gradle init now downloads the Function ID datasets from the ghidra-data GitHub repository so they will be automatically included in development mode and custom builds. (GP-678, Issue #1007)

Build. Performing a gradle clean no longer deletes downloaded dependencies. The top-level flatRepo directory has been replaced with the dependencies directory. (GP-811, Issue #1663)

Build. Ghidra now requires Gradle 6.0 or later to build. Gradle 7.x is now supported. (GP-849, Issue #2949)

Build. Made changes to gradle code to remove warnings. (GP-993, Issue #3039)

Data Types. Added support for hexadecimal byte offset display within composite bitfield view. (GP-910, Issue #2959)

Decompiler. Decompiler analysis now automatically identifies and displays loop variables using standard for-loop syntax. When a loop variable is discovered, a condition, iteration, and optional initializer statement are displayed at the top of the loop. (GP-565)

Decompiler. Added the Max Instructions per Function Decompiler tool option, specifying the maximum number of instructions the Decompiler will decode in a single function before throwing an exception. Previously, this had been a hard-coded limit. (GP-767, Issue #2557)

Decompiler. The Decompiler now propagates datatypes across signed comparison operations, so constant integer and enum values display correctly. (GP-802, Issue #2565)

Demangler. Updated the GNU Demangler Analyzer options to provide a list of available formats from which to choose. (GP-94, Issue #2214)

Demangler. Updated the GNU Demangler's Namespace-building to improve analysis performance. (GP-706, Issue #2509)

Demangler. Improved Demangler error checking and reporting to give underlying cause of failure. (GP-850)

Documentation. Added basic instructions on how to install, build, and develop Ghidra to README.md. (GP-847)

DWARF. Improved speed and memory usage when importing large DWARF binaries. (GP-419)

DWARF. Added M68000/SVR4 DWARF register mappings. (GP-556, Issue #1610)

DWARF. Improved handling of zero-length structure components during DWARF processing. (GP-851, Issue #2191)

Exporter. Made various improvements and bug fixes and to the IDA Pro exporter. (GP-831, Issue #1897, #2788, #2882, #2891)

FileSystems. Added support for recognizing unencrypted DMG files. (GP-845)

Framework. Added support for program-specific extensions to a compiler specification. Users can now define their own calling conventions and call-fixups to integrate into decompilation and other analysis (see help for Specification Extensions). (GP-653)

Graphing. Added capability to collapse and expand nodes in the default graph display. (GP-371)

Graphing. Upgraded jungrapht to version 1.1. (GP-377)

Graphing. Refactored graph exporters into a more extensible framework. (GP-440)

Graphing. Graph layout algorithms can now be chosen programmatically. (GP-551)

Graphing. Created additional modified versions of the MinCross layout algorithms, all named to start with Vertical Hierarchical Min-Cross, so that they accept a favoredEdge predicate. When an edge is favored, a pass though the graph layers attempts to align those edges vertically. (GP-625)

Graphing. Added an option to change the background color of the Function Graph window. (GP-760, Issue #1324)

Graphing. Updated Function Graph edge routing when applying the Use Condensed Layout option to reduce edges being clipped by vertices. (GP-768)

Graphing. Added option to disable the lightening of edges in the Function Graph. (GP-769, Issue #1106)

Graphing. Added a distinct visual edge highlight beyond just a different color for graph edge selection. (GP-793, Issue #2953)

Graphing. Added Display as Graph action to the Data Type Manager, allowing visualization of embedded and referenced types of the selected types. (GP-808)

Graphing. Fixed function graph bug that prevented the satellite view from showing the primary view lens. Fixed a layout bug that allowed some vertices to get clipped when condensing the graph. (GP-940)

Graphing. Added graph API method to set descriptions (tooltips) on vertices and edges. (GP-949)

Graphing. Added Vertex and Edge attributes to GraphML export format. (GP-957, Issue #2958)

GUI. Added new Copy Special actions: Python Byte String, Python List, and C Array. (GP-210, Issue #744)

GUI. Updated the Listing to allow structure members to display Plate Comments. (GP-421, Issue #2091)

GUI. Copy/Pasting and Dragging data types now uses a progress monitor. (GP-422, Issue #2379)

GUI. Added right-click menu Data -> Save Image action to allow user to export embedded graphic resource images. (GP-426)

GUI. Changed Symbol Comment Annotation to use the existing symbol when available. This allows for the direct navigation of that symbol's address instead of using the search feature of the Go To Service. (GP-675)

GUI. Added the Shift-F10 keybinding to allow users to show the popup context menu over the currently focused item. The Menu Key can also be used on supporting keyboards. (GP-732, Issue #2790)

GUI. Fixed/Improved the behavior of global menu items and toolbar items with respect to which windows they appear in. These actions can now easily be configured to be either 1) only in menu bar and tool bar of the main window, 2) in the menu bar and tool bar of all windows, or 3) only in the windows that have components that generate the type of context that the action consumes. Added methods to the ActionBuilder class to support these three options. Also, updated numerous actions to make sure they appear in the appropriate windows. (GP-759)

GUI. Improved overall UI responsiveness when performing analysis with the Symbol Table open. (GP-788)

GUI. Updated the Function Tags table column so that it may be used in most Ghidra tables. (GP-816, Issue #2873)

GUI. Updated the Defined Strings view to reload less frequently during auto-analysis. (GP-835, Issue #2889)

GUI. Updated function hovering in the Decompiler to find the correct function tooltip when multiple functions exist with the same name. (GP-959, Issue #2604)

Importer:ELF. Added markup to ELF import for .note.gnu.build-id and .gnu_debuglink sections. (GP-468)

Importer:ELF. Added ELF import support for SHN_MIPS_TEXT and SHN_MIPS_DATA symbol section index values and provided ability for other processor-specific ELF extensions to resolve ELF symbol memory addresses. (GP-664)

Importer:ELF. Changed various ELF relocations to detect and mark unsupported data relocations which refer to the EXTERNAL block. Applied EXTERNAL data relocations, which have a non-zero offset from the external symbol, will still be incorrect but will have an error bookmark to flag the condition. The relocation addend will not be applied in this case to avoid references to a completely irrelevant symbol in the EXTERNAL block. (GP-1029)

Importer:Mach-O. Improved support for Mach-O object files. (GP-700)

Importer:PE. CustomAttrib blobs in CLI/.NET metadata are now decoded. (GP-414)

Importer:PE. Created proper external references for PE Delay Load Imports. (GP-674, Issue #2554, #2623)

Importer:PE. PeLoader can now read and interpret the .pdata section of PE files that include exception handling data. (GP-729)

Importer:PE. Added .exports XML files for the mfc71.dll and mfc71u.dll libraries. Having them allows Ghidra to translate ordinal imports from applications compiled against MFC 7.1 (from Visual Studio .NET 2003) to class and function names with parameters. (GP-1010, Issue #3051)

Listing. Improved Listing view performance, especially noticeable on functions with excessively large stack frames. (GP-268, Issue #109, #2351)

Listing. Added a tool option to hide function auto-comments that appear, trailing a function call in the Listing. (GP-752)

PDB. Improved Ghidra's ability to find and pull PDB files from symbol servers and symbol storage locations. (GP-42)

Processors. Simplified PIC24 return instruction semantics. (GP-647)

Processors. Added support for register alias specification within processor spec (*.pspec). Added WREG register aliases for PIC24 processor variants. (GP-901, Issue #2956)

Processors. Fixed issue with the PPAGE register not being properly restored after CALL instructions in the HCS12 processor. (GP-920, Issue #1099)

Processors. Fixed HCS12 IDX1 addressing with negative immediate values. (GP-937, Issue #3008)

Processors. Fixed V850 multiply-by-immediate calculation that produced an incorrect value when the fifth bit was set. (GP-939, Issue #2970)

References. Improved performance of reference management for special cases when large a number of references from the same address exist (e.g., entry point designation). (GP-696)

Scripting. ExportImageScript now exports all images within a user-selected region to files within a user-selected folder. (GP-231)

Scripting. Improved TableChooserDialog, allowing multiple rows to be processed at once. (GP-676)

Scripting. Updated the TableChooserDialog to allow clients to set the default column sort. (GP-792)

Scripting. Added Python script comment block support. (GP-843, Issue #1484, #2846)

Scripting. Added ApplyClassFunctionSignatureUpdatesScript and ApplyClassFunctionDefinitionUpdatesScript fix-up scripts that can be applied if a user makes changes to a virtual function recovered by the RecoverClassesFromRTTIScript. Both scripts identify differences between Function Signatures in the Listing and Function Definitions in the Data Type Manager, but the first script fixes all changes to match the signature and the second to match the definition. (GP-973, Issue #3081)

Sleigh. Debug info for Sleigh constructors now includes source file names. (GP-233)

Sleigh. The Sleigh compiler now issues a warning if it generates a temporary varnode which might be large enough to overlap another temporary varnode. (GP-520)

Sleigh. While register names should remain case-sensitive within a Sleigh spec during compilation/parse, register names must not duplicate in a case-insensitive manner since the Program API provides a case-insensitive register lookup by name. The Sleigh Compiler now enforces this. (GP-927)

Bugs

Analysis. Fixed how managed code entry points in .NET binaries with CIL entry points are detected and labeled. (GP-319)

Analysis. Can now process implementation-specific data structures for Microsoft CIL compilers. (GP-461)

Analysis. Corrected processing for pointers, function pointers, custom modifiers, ValueTypes, static methods, MethodRefs, MethodDefs, and PInvokes found in .NET mixed binaries. (GP-656)

Analysis. Improved constant analysis speed when processing large binaries with a large amount of code not in defined functions, such as exception handlers. (GP-746, Issue #2509)

Analysis. When OverlayAddressSpace was refactored and Decompiler made aware of it for Ghidra 9.2, the VarnodeContext was not aware of the overlays. This was fixed and should eliminate the NullPointerException caused when the Symbolic Propagator calls the Varnode constructor. (GP-751, Issue #2785, #2787)

Assembler. Fixed assembler issue with delay-slotted instructions. (GP-587)

Assembler. Fixed assemble Patch Instruction action to work on listings other than the primary static listing. (GP-623)

Assembler. Modified assembler Patch Instruction action to ignore external symbols which produced bad offsets for instructions. (GP-645)

Basic Infrastructure. Fixed an issue with Ghidra and its supporting launch scripts not being able to run correctly on Windows when an ampersand was in the path. Also fixed an issue with svrAdmin.bat and buildGhidraJar.bat not working if the Ghidra path contained a space. (GP-693, Issue #1726, #1728)

Basic Infrastructure. Corrected "LaunchSupport expected 2 to 4 arguments but got 1" error when starting Ghidra on Windows. (GP-1050, Issue #2176, #3122)

Build. Building of pdb.exe on Windows now works if the path to the Ghidra repository contains a space. (GP-916, Issue #2998)

Build. Corrected GPL DMG module build to properly utilize the jar dependencies included within the repository and distribution. (GP-934)

Build. Corrected an issue with gradle prepDev when the Ghidra repository is on a different drive than the user's home directory on Windows OS. (GP-970, Issue #3047, #3062)

Build. Fixed a bug that prevented Ghidra from launching in Single Jar Mode when its path contained a space. (GP-1039)

C Parsing. The C-Parser bitfield parsing has been relaxed to allow declared bitfield sizes to exceed the base datatype size. The effective bitfield size may be clamped based upon the current data organization while preserving the declared size. (GP-558)

Data Types. Fixed a NullPointerException that occurred when trying to edit a function datatype in a datatype archive when there was no open program in the tool. (GP-356, Issue #2407)

Data Types. Corrected the retention of datatype archive search paths, which did not properly remember disabled paths. (GP-639)

Data Types. Fixed potential deadlock encountered when working with the DataTypes tree. (GP-774, Issue #2832)

Decompiler. Fixed endianness issue for joined, two-register returns of longlong values for MIPS 32-bit little endian variants. (GP-513)

Decompiler. The Decompiler no longer emits comments in the middle of conditional expressions. (GP-621, Issue #1670)

Decompiler. Fixed Redefinition of structure... exceptions in the Decompiler caused by a PNG Image and other opaque datatypes. (GP-820, Issue #2734)

Decompiler. Fixed infinite loop in the Decompiler when analyzing return values. (GP-821, Issue #2851)

Decompiler. Fixed bug in the Decompiler's handling of enumerated datatypes causing Shared type id exceptions. (GP-895, Issue #2909)

DWARF. Fixed and consolidated DEX and DWARF implementations of LEB128. (GP-444, Issue #2512)

DWARF. Fixed unnecessary ELF header parsing when DWARF analyzer checks if it needs to run. Improved DWARF analyzer's run-once logic. (GP-695)

DWARF. Fixed issue with DWARF data type importing that could omit the definition of a structure. (GP-929)

Eclipse Integration. Fixed a GhidraDev bug that prevented Ghidra projects from recognizing extensions installed in the user's ~/.ghidra/.ghidra_<version>/Extensions directory. (GP-873)

Extensions. Changed classpath configuration to not contain paths of removed extension libraries. (GP-522, Issue #2637)

FileSystems. Fixed several issues with extracting and importing DYLIB files contained within a DYLD file system. (GP-719, Issue #2934, #682)

FileSystems. Fixed SevenZipFileSystem to correctly fail when opening password-protected archives. (GP-730)

FileSystems. Fixed Ext4 file system to correctly handle sparse files. (GP-871)

Graphing. Fixed IllegalArgumentException when showing a graph popup window after the source component was hidden. (GP-756, Issue #1643)

Graphing. Fixed bug that caused all address in a function graph node to be colored when only the entry point address had a color applied. (GP-757, Issue #1080)

Graphing. Fixed bug in graph dominance algorithm that could cause the Select -> Scoped Flow actions to go into an infinite loop. (GP-776, Issue #2836)

GUI. Fixed UI lock-up issue related to the Function Tags table. (GP-266, Issue #2366)

GUI. Fixed missing spaces in Front End multi-line log messages. (GP-463, Issue #2534)

GUI. Fixed the following modal dialog issues: z-order changing when showing a modal dialog over a detached window; focusing the incorrect window after showing a modal dialog; script progress dialog not getting placed behind input dialog; script dialogs appearing over different windows. (GP-628, Issue #2398, #2480)

GUI. Fixed NullPointerException encountered when creating a new category in the Data Types tree while the tree is filtered. (GP-745, Issue #2799)

GUI. Fixed Right Alt key that did not work for Ghidra actions on some Windows systems. (GP-747, Issue #2008)

GUI. Fixed Function Graph bug that caused some vertex text to get clipped when using wide address format width. (GP-755, Issue #1008)

GUI. Fixed bug in the Listing scroll bar that caused some screen reader software to deadlock. (GP-772, Issue #2820)

GUI. Fixed bug that caused the UI to freeze when clicking in the Program Tree UI. The bug manifested depending upon the contents of the system clipboard. (GP-775)

GUI. Updated tooltip code to limit data types name length and updated formatting to place pertinent information at the top of the tooltip. (GP-836, Issue #2029)

GUI. Fixed exception triggered when the Bookmarks table failed to remove a deleted symbol. (GP-989, Issue #3066)

GUI. Fixed exception encountered when double-clicking a structure in an archive in the closed for edit state. (GP-998)

GUI. Fixed Function Graph stack trace encountered when changing the graph's background color option after showing and then closing the graph. (GP-1013, Issue #3058)

Importer:ELF. Added support for additional PIC30 ELF relocations (4, 5, 6) and improved register symbol resolution and markup. (GP-710, Issue #2792)

Importer:ELF. Changed processing of ELF absolute symbols (section ID 0xfff1) to treat them as constants by defining equates instead of memory symbols. (GP-902)

Importer:ELF. Corrected EXTERNAL symbol alignment for PIC24, PIC30, PIC33 during ELF import. The improperly aligned symbol addresses would cause incorrect external symbol references to appear on instructions (e.g., RCALL). (GP-906)

Importer:PE. Fixed error when importing a PE file with an uninitialized .textbss section. (GP-397, Issue #2496)

Importer:PE. Fixed a bug processing RUNTIME_INFO structures that caused a failure to load PE files under certain conditions when the list is empty. (GP-924, Issue #2995)

Importer:PE. Fixed an issue in the PeLoader that prevented PE files with 0 data directories from being imported. (GP-997, Issue #2858)

Installation. Renamed database db.Record class to db.DBRecord to avoid naming conflict with java.lang.Record class and potential import issues. (GP-193)

Jython. Fixed pasting multi-line strings into the Python interpreter panel. (GP-487, Issue #2456)

Listing. A default thunk function now reflects the namespace of the thunked function similar to the way it reflects its name. This change also allows thunk functions of a this_call to have the correct this pointer parameter. Symbol table queries based upon name and/or namespace will always exclude default thunk functions. (GP-17)

Listing. Fixed #US table processing to correctly interpret the string as UTF-16LE for CIL binaries. (GP-318)

Listing. Fixed a sporadic listing operand hover stacktrace bug. (GP-987)

PDB. Escaped more character strings in MSDIA pdb.exe XML output. (GP-578, Issue #1690)

Processors. Fixed various issues pertaining to x86 instruction prefixes. (GP-220, Issue #2286, #2297)

Processors. Refactored PPC interrupt returns to include return pcode statement. (GP-703)

Processors. Fixed issue with ARM VMRS instruction parsing in thumb. (GP-735, Issue #2750)

Processors. Corrected issue with M68000 floating point dynamic k-factor instruction semantics. (GP-736, Issue #2754)

Processors. Fixed instruction semantics for x86 MOVUPS instruction. (GP-744, Issue #2789)

Processors. Simplified SuperH div1 instruction. Corrected several SuperH instructions to set flags properly around the delay slot. (GP-753, Issue #2863, #2864)

Processors. Corrected issue with ARM co-processor registers and the MCR instruction. (GP-761, Issue #2451)

Processors. Fixed issued with x86 INSx.rep and OUTSx.rep pcode ordering. (GP-766, Issue #2829)

Processors. Corrected addresses for PIC24 TBLPAG and PSVPAG registers. (GP-798, Issue #2844, #2855)

Processors. Corrected decoding of some MODR/M opcode bytes in x86. (GP-800, Issue #2504)

Processors. Updated 8085 processor definition to disassemble XRA HL instruction. (GP-818, Issue #2447)

Processors. Corrected missing optional rex.w prefix for x86 conditional jump instructions. (GP-837, Issue #1163)

Processors. Added CALLW, ASRF, LSLF, and LSRF instructions to PIC16 language. (GP-841, Issue #1362)

Processors. Fixed ARM Thumb instructions which update the status flags to now correctly append an s to the instruction mnemonic. (GP-881)

Processors. Made corrections to wr instruction for SPARC which in some cases did not write to the appropriate ASR register. (GP-928)

Processors. Corrected issue with x86-64 CALL and RET instructions with 0x67 prefix pushing/popping the wrong address size from the stack. (GP-954, Issue #2976)

Processors. Fixed issue with delay slots modifying some instructions in SuperH processor. (GP-969, Issue #2863)

Processors. Corrected pcode for x86-64 RDMSR instruction. (GP-982, Issue #3046)

Processors. Corrected size of 20-bit signed immediate value in PPC VLE e_li instruction. (GP-1060)

Scripting. Fixed scripting bug where showing a TableChooserDialog while having AnalysisMode.DISABLED in use caused the dialog to be closed. (GP-1018, Issue #3103)

Sleigh. Fixed multiple errors in x64 vector operation semantics. (GP-799)

Ghidra 9.2.4 Change History (April 2021)

Improvements

Basic Infrastructure. Improved support running under JDK 16. Note that Ghidra still only officially supports JDK 11 LTS. (GP-824, Issue #2879, #2888)

Bugs

API. Corrected error condition which could occur if overlay memory block duplicates another memory space name or overlay block name in a case-insensitive manner. The names are intended to be case-sensitive. (GP-839, Issue #2898)

Demangler. Improved handling of mangled names on thunk functions which were previously left unmangled and could prevent name of underlying thunked function from appearing. (GP-809)

Ghidra 9.2.3 Change History (March 2021)

Improvements

Analysis. Added check for vftable entries in .NEP section and relaxed the requirement that the code must have a return. (GP-649)

Analysis. Corrected flaw in RTTI analyzer determination of size of vftables. (GP-688)

Basic Infrastructure. Updated TLS protocol preference to use the most preferred/recent version available to both sides of an SSL connection (e.g., TLSv1.3) instead of forcing use of TLSv1.2. (GP-622)

Build. Corrected build issues which had prevented users from building Ghidra on an Apple M1 (OS X, AARCH64 architecture). (GP-600, Issue #2653)

Demangler. Increased Gnu Demangler parsing performance by changing some regular expressions. (GP-705)

Eclipse Integration. Updated SleighEditor to support new endian tag on define token definitions. (GP-721)

GUI. Updated the Choose Data Type dialog to apply data types in the same manner as dragging types from the Data Types window. This provides users more control when choosing how to overwrite existing types. (GP-521)

Importer:ELF. Added support for ELF relocation R_X86_64_IRELATIVE. (GP-651, Issue #1189)

Importer:ELF. Sped up loading of ELF files with large symbol tables. (GP-697)

Bugs

Analysis. The RTTI analyzer now runs prior to Reference analysis so that references into vftables are not turned into code or data before the vftables are created. (GP-517)

API. Function.getCalledFunctions(TaskMonitor) and Function.getCallingFunctions(TaskMonitor) now support passing null for the task monitor parameter, which previously would have thrown an exception. (GP-589, Issue #2643)

Data Types. Corrected segmented 32-bit pointer datatype address generation for 16:16 x86 far pointers. (GP-534, Issue #2548)

Decompiler. Fixed Decompiler issue where, when a function name extends beyond the line limit, an end-of-line comment could wrap around to additional lines without including additional // comment indicators. (GP-473)

Decompiler. Corrected an exception that could occur when attempting to edit function signature from the Decompiler. (GP-597, Issue #2601)

Demangler. Changed return type applied to constructors by Demangler from void to Undefined, allowing the Decompiler to determine the type. (GP-790)

DWARF. Improved handling of empty DWARF compile units. (GP-743)

DWARF. Improved handling of DWARF function signatures when parameter info contains unsupported location opcodes or failed to resolve datatypes. (GP-794)

Eclipse Integration. When installing the SleighEditor into Eclipse, the plugin will now show up under the Ghidra category. Previously the Group Items by Category option had to be turned off before the SleighEditor would appear as a visible entry. (GP-564)

Eclipse Integration. Fixed an issue with Eclipse PyDev breakpoints not catching. (GP-668, Issue #2713)

Eclipse Integration. Fixed an Eclipse GhidraDev exception that occurred when creating a new Ghidra scripting project if a ~/ghidra_scripts directory did not exist. (GP-669)

Emulator. Replaced Java floating point emulation to fix multiple rounding issues. (GP-357, Issue #2414)

Graphing. Fixed issue with graph filters not updating satellite view when changing edge filters. (GP-557)

Graphing. Fixed Function Graph keybindings that did not work when docked in the main Code Browser window. (GP-586, Issue #2641)

GUI. Fixed NullPointerException due to using Go To action when there was no open program in the Listing. (GP-66)

GUI. Fixed bug in Reference Code Viewer options that caused an exception. (GP-620, Issue #2672)

Importer. Fixed exception caused when importing previously exported XML data where the bookmark override option was turned off. (GP-667)

Importer:ELF. Fixed a NullPointerException caused by importing an ELF with an uninitialized .got section. (GP-360, Issue #2416)

Importer:ELF. Added Support for ELF R_ARM_MOVW_ABS_NC and R_ARM_MOVT_ABS ELF Relocations for ARM. (GP-555, Issue #2510)

Importer:ELF. Corrected ELF processing of .init_array and .fini_array which was incorrectly overadjusting entries for an image base change. (GP-699)

Importer:Mach-O. Corrected Mach-O fat-binary library import issue and resolved error related to unnamed Mach-O segment. (GP-652, Issue #2702)

Importer:Mach-O. Fixed an issue with DYLD Load Command data structures being created in the wrong locations. (GP-689, Issue #2624)

Importer:Mach-O. Fixed an exception that occurred when importing Mach-O files that define zero LC_BUILD_VERSION tool entries. (GP-702, Issue #2192)

PDB. Fixed createPdbXmlFiles.bat to permit spaces in the path name of Ghidra installation folder and the batch argument name. (GP-575, Issue #2167)

PDB. Fixed PDB Universal analyzer to set the run-once flag when finished. (GP-724)

PDB. Changed return type applied to constructors by PDB Universal from void to Undefined, allowing the Decompiler to determine the type. (GP-791)

Processors. Added missing RFE instruction in MIPS up to version R3000. (GP-33, Issue #1766)

Processors. ARM instruction VMUL now decodes correctly. (GP-627, Issue #2677)

Processors. Added missing CFINV instruction to AARCH64 processor specification and added definitions for locals in neon instructions. (GP-655, Issue #2710)

Scripting. Fixed analyzeHeadless -scriptPath option that didn't work for Python and other non-Java scripts located in non-default directories. (GP-528, Issue #2561)

Scripting. Fixed concurrency issue with management of scripting bundle paths. (GP-576)

Scripting. Corrected handling for Ghidra Script files which are symlinks that were broken in Ghidra 9.2. (GP-650, Issue #2698)

Scripting. Fixed the analyzeHeadless -scriptPath option to correctly parse $GHIDRA_HOME and $USER_HOME. (GP-781)

Ghidra 9.2.2 Change History (December 2020)

Bugs

Graphing. Fixed issue with Graph filters not working and satellite view sometimes not matching graph. (GP-526)

Importer:Mach-O. Mach-O DYLD cache incorrect offset use has been fixed. (GP-550, Issue #2560)

Listing. Fixed issue where Edit Label action (L key) did not work on primary function symbols. (GP-537)

Multi-User. Corrected Ghidra Server build issue for version 9.2.1 which had an improperly generated classpath.frag file. Issue caused server to fail startup with a ClassNotFoundException. (GP-542)

Processors. The V850 JMP instruction has been corrected not to use the PC in the address calculation. (GP-548, Issue #2570)

Processors. Removed erroneous VST4 variant, most likely from a copy/paste error. This fixes the ARM Thumb BL instruction disassembly with a negative offset. (GP-549, Issue #2559)

Ghidra 9.2.1 Change History (December 2020)

Improvements

Analysis. Updated RTTI analyzer to find type_info vftable when it cannot be found with its mangled name. This will enable many more Windows programs to have their RTTI structures created that were unable to be parsed in previous Ghidra versions. (GP-141)

API. Relaxed memory block naming restrictions and restored ability to have spaces in memory block names. However, if a memory block is flagged as an overlay, the associated overlay space name may be modified to ensure validity and uniqueness. The DuplicateNameException has been removed from all memory block API methods since this was entirely an overlay space concern. Memory block GUI has also been changed eliminate the duplicate block name restriction. (GP-420, Issue #2465)

Build. Eliminated the need for installation of bison and flex when performing source-based gradle build of Ghidra or the Decompiler module. The generated files are now included with source files and maintained in source control. A separate gradle Decompiler:generateParsers task, which still requires bison and flex, must be used, explicitly, when changes are made to lex/yacc source files. (GP-467)

Graphing. Fixed issue with exporting graphs to DOT format due to invalid vertex IDs. (GP-280)

Graphing. Improved graphing where it did not navigate when clicking on external function nodes. Now it will navigate to the fake function location in the program, which is the location of the pointer to the external function. (GP-493)

Listing:Symbols. Removed restriction for naming labels that resemble default label names. (GT-3185, Issue #1057)

PDB. Crafted PDB type ID records 0x1608 and 0x1609 with presumed class and struct types and follow-on application of these types. Also fixed up some fall-back data type logic and improved some warning messages to reflect the cause of the conditions. (GP-474, Issue #2523)

Scripting. Removed unnecessary 1-second delay when launching a script. (GP-443)

Bugs

Analysis. Fixed the processing of CIL metadata that express arrays of non-primitive types. (GP-331)

API. WrappedMemBuffer methods getInt, getShort, getLong, and getBigInteger have been fixed when allocated at a non-zero offset, wrapping another MemBuffer such as DumbMemBufferImpl. (GP-486)

Decompiler. Fixed issue with the Auto Create/Fill Structure command that caused it to silently miss some pointer accesses. (GP-344)

Decompiler. Jump table recovery now takes into account encoded bits, like ARM/THUMB mode transition, that may be present in address tables. (GP-387, Issue #2420)

Decompiler. Fixed a bug in the Decompiler renaming action when applied to function references. (GP-477, Issue #2415)

Decompiler. Corrected 8-byte return value storage specification in compiler-spec affecting longlong and double return values. Endianness ordering of r0/r1 was incorrect. (GP-512, Issue #2547)

Graphing. Fixed the Function Graph's drag-to-select-nodes feature. (GP-430)

Graphing. Fixed issue where the graph in the satellite view is sometimes truncated. (GP-469)

Graphing. Fixed a stack trace issue caused by reusing a graph display window to show a graph that is larger than is allowed. (GP-492)

Graphing. Fixed issue where graph satellite view did not reflect main graph when graph vertices are hidden using hide actions or filters. (GP-514)

GUI. Fixed stack overflow in TableChooserDialogs. (GP-460, Issue #2536)

PDB. Corrected PDB parser selection bug affecting PDB load/download on Windows. (GP-390)

Processors. Fixed handling of certain ARM/THUMB switch calculation functions. (GP-389)

Ghidra 9.2 Change History (November 2020)

New Features

Graphing. A new graph service and implementation was created. The graph service provides basic graphing capabilities. It was also used to generate several different types of graphs including code block graphs, call graphs, and AST graphs. In addition, an export graph service was created that supports various formats. (GP-211)

PDB. Added a new, prototype, platform-independent PDB analyzer that processes and applies data types and symbols to a program from a raw (non-XML-converted) PDB file, allowing users to more easily take advantage of PDB information. (GT-3112)

Processors. Added M8C SLEIGH processor specification. (GT-3052)

Processors. Added support for the RISC-V processor. (GT-3389, Issue #932)

Processors. Added support for the Motorola 6809 processor. (GT-3390, Issue #1201)

Processors. Added CP1600-series processor support. (GT-3426, Issue #1383)

Processors. Added V850 processor module. (GT-3523, Issue #1430)

Improvements

Analysis. Increased the speed of the Embedded Media Analyzer, which was especially poor for large programs, by doing better checking and reducing the number of passes over the program. (GT-3258)

Analysis. Improved the performance of the RTTI analyzer. (GT-3341, Issue #10)

Analysis. The handling of Exception records found in GCC-compiled binaries has been sped up dramatically. In addition, incorrect code disassembly has been corrected. (GT-3374)

Analysis. Updated Auto-analysis to preserve work when encountering recoverable exceptions. (GT-3599)

Analysis. Improved efficiency when creating or checking for functions and namespaces which overlap. (GP-21)

Analysis. Added partial support of Clang for Windows. (GP-64)

Analysis. RTTI structure processing speed has been improved with a faster technique for finding the root RTTI type descriptor. (GP-168, Issue #2075)

API. The performance of adding large numbers of data types to the same category has been improved. (GT-3535)

API. Added the BigIntegerNumberInputDialog that allows users to enter integer values larger than Integer.MAX_VALUE (2147483647). (GT-3607)

API. Made JSON more available using GSON. (GP-89, Issue #1982)

Basic Infrastructure. Introduced an extension point priority annotation so users can control extension point ordering. (GT-3350, Issue #1260)

Basic Infrastructure. Changed file names in launch.bat to always run executables from System32. (GT-3614, Issue #1599)

Basic Infrastructure. Unknown platforms now default to 64-bit. (GT-3615, Issue #1499)

Basic Infrastructure. Updated sevenzipjbinding library to version 16.02-2.01. (GP-254)

Build. Ghidra's native Windows binaries can now be built using Visual Studio 2019. (GT-3277, Issue #999)

Build. Extension builds now exclude gradlew artifacts from zip file. (GT-3631, Issue #1763)

Build. Reduced the number of duplicated help files among the build jar files. (GP-57, Issue #2144)

Build. Git commit hash has been added to application.properties file for every build (not just releases). (GP-67)

Contrib. Extensions are now installed to the user's settings directory, not the Ghidra installation directory. (GT-3639, Issue #1960)

Data Types. Added mutability data settings (constant, volatile) for Enum datatype. (GT-3415)

Data Types. Improved Structure Editor's Edit Component action to work on array pointers. (GP-205, Issue #1633)

Decompiler. Added Secondary Highlights to the Decompiler. This feature allows the user to create a highlight for a token to show all occurrences of that token. Further, multiple secondary highlights are allowed at the same time, each using a unique color. See the Decompiler help for more information. (GT-3292, Issue #784)

Decompiler. Added heuristics to the Decompiler to better distinguish whether a constant pointer refers to something in the CODE or DATA address space, for Harvard architectures. (GT-3468)

Decompiler. Improved Decompiler analysis of local variables with small data types, eliminating unnecessary casts and mask operations. (GT-3525)

Decompiler. Documentation for the Decompiler, accessible from within the Code Browser, has been rewritten and extended. (GP-166)

Decompiler. The Decompiler can now display the namespace path (or part of it) of symbols it renders. With the default display configuration, the minimal number of path elements necessary are printed to fully resolve the symbol within the current scope. (GP-236)

Decompiler. The Decompiler now respects the Charset and Translate settings for string literals it displays. (GP-237)

Decompiler. The Decompiler's analysis of array accesses is much improved. It can detect more and varied access patterns produced by optimized code, even if the base offset is not contained in the array. Multi-dimensional arrays are detected as well. (GP-238, Issue #461, #1348)

Decompiler. Extended the Decompiler's support for analyzing class methods. The class data type is propagated through the this pointer even in cases where the full prototype of the method is not known. The methods isThisPointer() and isHiddenReturn() are now populated in HighSymbol objects and are accessible in Ghidra scripts. (GP-239, Issue #2151)

Decompiler. The Decompiler will now infer a string pointer from a constant that addresses the interior of a string, not just the beginning. (GP-240, Issue #1502)

Decompiler. The Decompiler now always prints the full precision of floating-point values, using the minimal number of characters in either fixed point or scientific notation. (GP-241, Issue #778)

Decompiler. The Decompiler's Auto Create Structure command now incorporates into new structures data-type information from function prototypes. The Auto Fill in Structure variant of the command will override undefined and other more general data-types with discovered data-types if they are more specific. (GP-242)

Demangler. Modified Microsoft Demangler (MDMang) to handle symbols represented by MD5 hash codes when their normal mangled length exceeds 4096. (GT-3409, Issue #1344)

Demangler. Upgraded the GNU Demangler to version 2.33.1. Added support for the now-deprecated GNU Demangler version 2.24 to be used as a fallback option for demangling. (GT-3481, Issue #1195, #1308, #1451, #1454)

Demangler. The Demangler now more carefully applies information if generic changes have been made. Previously if the function signature had changed in any way from default, the demangler would not attempt to apply any information including the function name. (GP-12)

Demangler. Changed MDMang so cast operator names are complete within the qualified function name, effecting what is available from internal API. (GP-13)

Demangler. Added additional MDMang Extended Types such as char8_t, char16_t, and char32_t. (GP-14)

Documentation. Removed Eclipse BuildShip instructions from the DevGuide. (GT-3634, Issue #1735)

FID. Regenerated FunctionID databases. Added support for Visual Studio versions 2017 and 2019. (GP-170)

Function Diff. Users may now add functions ad-hoc to existing function comparison panels. (GT-2229)

Function Graph. Added Navigation History Tool option for Function Graph to signal it to produce fewer navigation history entries. (GT-3233, Issue #1115)

GUI. Users can now view the Function Tag window to see all functions associated with a tag, without having to inspect the Listing. (GT-3054)

GUI. Updated the Copy Special action to work on the current address when there is no selection. (GT-3155, Issue #1000)

GUI. Significantly improved the performance of filtering trees in the Ghidra GUI. (GT-3225)

GUI. Added many optimizations to increase the speed of table sorting and filtering. (GT-3226, Issue #500)

GUI. Improved performance of bit view component recently introduced to Structure Editor. (GT-3244, Issue #1141)

GUI. Updated usage of timestamps in the UI to be consistent. (GT-3286)

GUI. Added tool actions for navigating to the next/previous functions in the navigation history. (GT-3291, Issue #475)

GUI. Filtering now works on all tables in the Function Tag window. (GT-3329)

GUI. Updated the Ghidra File Chooser so that users can type text into the list and table views in order to quickly jump to a desired file. (GT-3396)

GUI. Improved the performance of the Defined Strings table. (GT-3414, Issue #1259)

GUI. Updated Ghidra to allow users to set a key binding to perform an equivalent operation to double-clicking the XREF field in the Listing. See the Show Xrefs action in the Tool Options... Key Bindings section. (GT-3446)

GUI. Improved mouse wheel scrolling in Listing and Byte Viewers. (GT-3473)

GUI. Ghidra's action context mechanism was changed so that actions that modify the program are not accidentally invoked in the wrong context, thus possibly modifying the program in ways the user did not want or without the user knowing that it happened. This also fixed an issue where the navigation history drop-down menu did not represent the locations that would be used if the next/previous buttons were pressed. (GT-3485)

GUI. Updated Ghidra tables to defer updating while analysis is running. (GT-3604)

GUI. Updated Font Size options to allow the user to set any font size. (GT-3606, Issue #160, #1541)

GUI. Added ability to overlay text on an icon. (GP-41)

GUI. Updated Ghidra options to allow users to clear default key binding values. (GP-61, Issue #1681)

GUI. ToggleDirectionAction button now shows in snapshot windows. (GP-93)

GUI. Added a new action to the Symbol Tree to allow users to convert a Namespace to a Class. (GP-225, Issue #2301)

Importer. Updated the XML Loader to parse symbol names for namespaces. (GT-3293)

Importer:ELF. Added support for processing Android packed ELF Relocation Tables. (GT-3320, Issue #1192)

Importer:ELF. Added ELF import opinion for ARM BE8. (GT-3642, Issue #1187)

Importer:ELF. Added support for ELF RELR relocations, such as those produced for Android. (GP-348)

Importer:Mach-O. DYLD Loader can now load x86_64 DYLD from macOS. (GT-3611, Issue #1566)

Importer:PE. Improved parsing of Microsoft ordinal map files produced with DUMPBIN /EXPORTS (see Ghidra/Features/Base/data/symbols/README.txt). (GT-3235)

Jython. Upgraded Jython to version 2.7.2. (GP-109)

Listing. In the PCode field of the Listing, accesses of varnodes in the unique space are now always shown with the size of the access. Fixed bug which would cause the PCode emulator to reject valid pcode in rare instances. (GP-196)

Listing:Data. Improved handling and display of character sequences embedded in operands or integer values. (GT-3347, Issue #1241)

Multi-User:Ghidra Server. Added ability to specify initial Ghidra Server user password (-a0 mode only) for the svrAdmin add and reset commands. (GT-3640, Issue #321)

Processors. Updated AVR8 ATmega256 processor model to reflect correct memory layout specification. (GT-933)

Processors. Implemented semantics for vstmia/db vldmia/db, added missing instructions, and fixed shift value for several instructions for the ARM/Thumb NEON instruction set. (GT-2567)

Processors. Added the XMEGA variant of the AVR8 processor with general purpose registers moved to a non-memory-mapped register space. (GT-2909)

Processors. Added support for x86 SALC instruction. (GT-3367, Issue #1303)

Processors. Implemented pcode for 6502 BRK instruction. (GT-3375, Issue #1049)

Processors. Implemented x86 PTEST instruction. (GT-3380, Issue #1295)

Processors. Added missing instructions to ARM language module. (GT-3394)

Processors. Added support for RDRAND and RDSEED instructions to x86-32. (GT-3413)

Processors. Improved x86 breakpoint disassembly. (GT-3421, Issue #872)

Processors. Added manual index file for the M6809 processor. (GT-3449, Issue #1414)

Processors. Corrected issues related to retained instruction context during a language upgrade. In some rare cases this retained context could interfere with the instruction re-disassembly. This context-clearing mechanism is controlled by a new pspec property: resetContextOnUpgrade. (GT-3531)

Processors. Updated PIC24/PIC30 index file to match latest manual. Added support for dsPIC33C. (GT-3562)

Processors. Added missing call-fixup to handle call side-effects for 32 bit GCC programs for get_pc_thunk.ax/si. (GP-10)

Processors. Added ExitProcess to PEFunctionsThatDoNotReturn. (GP-35)

Processors. External Disassembly field in the Listing now shows Thumb disassembly when appropriate TMode context has been established on a memory location. (GP-49)

Processors. Changed RISC-V jump instructions to the more appropriate goto instead of call. (GP-54, Issue #2120)

Processors. Updated AARCH64 to v8.5, including new MTE instructions. (GP-124)

Processors. Added support for floating point params and return for SH4 processor calling conventions. (GP-183, Issue #2218)

Processors. Added semantic support for many AARCH64 neon instructions. Addresses for register lanes are now precalculated, reducing the amount of p-code generated. (GP-343)

Processors. Updated RISCV processor to include reorganization, new instructions, and fixes to several instructions. (GP-358, Issue #2333)

Program API. Improved multi-threaded ProgramDB access performance. (GT-3262)

Scripting. Improved ImportSymbolScript.py to import functions in addition to generic labels. (GT-3249, Issue #946)

Scripting. Python scripts can now call protected methods from the GhidraScript API. (GT-3334, Issue #1250)

Scripting. Updated scripting feature with better change detection, external jar dependencies, and modularity. (GP-4)

Scripting. Updated the GhidraDev plugin (v2.1.1) to support Python Debugging when PyDev is installed via the Eclipse dropins directory. (GP-186, Issue #1922)

Sleigh. Error messages produced by the SLEIGH compiler have been reformatted to be more consistent in layout as well as more descriptive and more consistent in providing line number information. (GT-3174)

Bugs

Analysis. Function start patterns found at 0x0, function signatures applied from the Data Type Manager at 0x0, and DWARF debug symbols applied at 0x0 will no longer cause stack traces. In addition, DWARF symbols with zero length address range no longer stack trace. (GT-2817, Issue #386, #1560)

Analysis. Constant propagation will treat an OR with zero (0) as a simple copy. (GT-3548, Issue #1531)

Analysis. Corrected Create Structure from Selection, which failed to use proper data organization during the construction process. This could result in improperly sized components such as pointers and primitive types. (GT-3587)

Analysis. Fixed an issue where stored context is initializing the set of registers constantly. (GP-25)

Analysis. Fixed an RTTI Analyzer regression when analyzing RTTI0 structures with no RTTI4 references to them. (GP-62, Issue #2153)

Analysis. Fixed an issue where the RTTI analyzer was not filling out RTTI3 structures in some cases. (GP-111)

API. Fixed NullPointerException when attempting to delete all bookmarks from a script. (GT-3405)

API. Updated the Class Searcher so that Extension Points found in the Ghidra/patch directory get loaded. (GT-3547, Issue #1515)

Build. Updated dependency fetch script to use HTTPS when downloading CDT. (GP-69, Issue #2173)

Build. Fixed resource leak in Ghidra jar builder. (GP-342)

Byte Viewer. Fixed Byte Viewer to correctly load the middle-mouse highlight color options change. (GT-3471, Issue #1464, #1465)

Data Types. Fixed decoding of static strings that have a character set with a smaller character size than the platform's character size. (GT-3333, Issue #1255)

Data Types. Correctly handle Java character sets that do not support the encoding operation. (GT-3407, Issue #1358)

Data Types. Fixed bug that caused Data Type Manager Editor key bindings to get deleted. (GT-3411, Issue #1355)

Data Types. Updated the DataTypeParser to handle data type names containing templates. (GT-3493, Issue #1417)

Data Types. Corrected pointer data type isEquivalent() method to properly check the equivalence of the base data type. The old implementation could cause a pointer to be replaced by a conflicting pointer with the same name whose base datatype is not equivalent. This change has a negative performance impact associated with it and can cause additional conflict datatypes due to the rigid datatype relationships. (GT-3557)

Data Types. Improved composite conflict resolution performance and corrected composite merge issues when composite bitfields and/or flexible arrays are present. (GT-3571)

Data Types. Fixed bug in SymbolPathParser naive parse method that caused a less-than-adequate fall-back parse when angle bracket immediately followed the namespace delimiter. (GT-3620)

Data Types. Corrected size of long for AARCH64 per LP64 standard. (GP-175)

Decompiler. Fixed bug causing the Decompiler to miss symbol references when they are stored to the heap. (GT-3267)

Decompiler. Fixed bug in the Decompiler that caused Deleting op with descendants exception. (GT-3506)

Decompiler. Decompiler now correctly compensates for integer promotion on shift, division, and remainder operations. (GT-3572)

Decompiler. Fixed handling of 64-bit implementations of alloca_probe in the Decompiler. (GT-3576)

Decompiler. Default Decompiler options now minimize the risk of losing code when renaming or retyping variables. (GT-3577)

Decompiler. The Decompiler no longer inherits a variable name from a subfunction if that variable incorporates additional data-flow unrelated to the subfunction. (GT-3580)

Decompiler. Fixed the Decompiler Override Signature action to be enabled on the entire C-code statement. (GT-3636, Issue #1589)

Decompiler. Fixed frequent ClassCast and IllegalArgument exceptions when performing Auto Create Structure or Auto Create Class actions in the Decompiler. (GP-119)

Decompiler. Fixed a bug in the Decompiler that caused different variables to be assigned the same name in rare instances. (GP-243, Issue #1995)

Decompiler. Fixed a bug in the Decompiler that caused PTRSUB off of non-pointer type exceptions. (GP-244, Issue #1826)

Decompiler. Fixed a bug in the Decompiler that caused load operations from volatile memory to be removed as dead code. (GP-245, Issue #393, #1832)

Decompiler. Fixed a bug causing the Decompiler to miss a stack alias if its offset was, itself, stored on the stack. (GP-246)

Decompiler. Fixed a bug causing the Decompiler to lose Equate references to constants passed to functions that were called indirectly. (GP-247)

Decompiler. Addressed various situations where the Decompiler unexpectedly removes active instructions as dead code after renaming or retyping a stack location. If the location was really an array element or structure field, renaming forced the Decompiler to treat the location as a distinct variable. Subsequently, the Decompiler thought that indirect references based before the location could not alias any following stack locations, which could then by considered dead. As of the 9.2 release, the Decompiler's renaming action no longer switches an annotation to forcing if it wasn't already. A retyping action, although it is forcing, won't trigger alias blocking for atomic data-types (this is configurable). (GP-248, Issue #524, #873)

Decompiler. Fixed decompiler memory issues reported by a community security researcher. (GP-267)

Decompiler. Fix for Decompiler error: Pcode: XML comms: Missing symref attribute in <high> tag. (GP-352, Issue #2360)

Decompiler. Fixed bug preventing the Decompiler from seeing Equates attached to compare instructions. (GP-369, Issue #2386)

Demangler. Fixed the GnuDemangler to parse the full namespace for operator symbols. (GT-3474, Issue #1441, #1448)

Demangler. Fixed numerous GNU Demangler parsing issues. Most notable is the added support for C++ Lambda functions. (GT-3545, Issue #1457, #1569)

Demangler. Updated the GNU Demangler to correctly parse and apply C++ strings using the unnamed type syntax. (GT-3645)

Demangler. Fixed duplicate namespace entry returned from getNamespaceString() on DemangledVariable. (GT-3646, Issue #1729)

Demangler. Fixed a GnuDemangler ClassCastException when parsing a typeinfo string containing operator text. (GP-160, Issue #1870, #2267)

Demangler. Added stdlib.h include to the GNU Demangler to fix a build issue on some systems. (GP-187, Issue #2294)

DWARF. Corrected DWARF relocation handling where the address image base adjustment was factored in twice. (GT-3330)

File Formats. Fixed a potential divide-by-zero exception in the EXT4 file system. (GT-3400, Issue #1342)

File Formats. Fixed date and time parsing of dates in cdrom iso9660 image files. (GT-3451, Issue #1403)

Graphing. Fixed a ClassCastException sometimes encountered when performing Select -> Scoped Flow -> Forward Scoped Flow. (GP-180)

GUI. Fixed inconsistent behavior with the interactive python interpreter's key bindings. (GT-3282)

GUI. Fixed Structure Editor bug that prevented the F2 Edit action from editing the correct table cell after using the arrow keys. (GT-3308, Issue #703)

GUI. Updated the Structure Editor so the Delete action is put into a background task to prevent the UI from locking. (GT-3352)

GUI. Fixed IndexOutOfBoundsException when invoking column filter on Key Bindings table. (GT-3445)

GUI. Fixed the analysis log dialog to not consume all available screen space. (GT-3610)

GUI. Fixed issue where Location column, when used in the column filters, resulted in extraneous dialogs popping up. (GT-3623)

GUI. Fixed Data Type Preview copy action so that newlines are preserved; updated table export to CSV to escape quotes and commas. (GT-3624)

GUI. Fixed tables in Ghidra to copy the text that is rendered. Some tables mistakenly copied the wrong value, such as the Functions Table's Function Signature Column. (GT-3629, Issue #1628)

GUI. Structure editor name now updates in title bar and tab when structure is renamed. (GP-19)

GUI. Fixed an issue where drag-and-drop import locks the Windows File Explorer source window until the import dialog is closed by the user. (GP-27)

GUI. Fixed an issue in GTreeModel where fireNodeChanged had no effect. This could result in stale node information and truncation of the text associated with a node in a GTree. (GP-30)

GUI. Fixed an issue where the file chooser directory list truncated filenames with ellipses on HiDPI Windows. (GP-31)

GUI. Fixed an uncaught exception when double-clicking on UndefinedFunction_ in Decompiler window. (GP-40)

GUI. Updated error handling to only show one dialog when a flurry of errors is encountered. (GP-65, Issue #2185)

GUI. Fixed an issue where Docking Windows are restored incorrectly if a snapshot is present. (GP-92)

GUI. Fixed a File Chooser bug causing a NullPointerException for some users. (GP-171, Issue #1706)

GUI. Fixed an issue that caused the script progress bar to appear intermittently. (GP-179, Issue #1819)

GUI. Fixed a bug that caused Call Tree nodes to go missing when showing more than one function with the same name. (GP-213, Issue #1682)

GUI:Project Window. Fixed Front End copy action to allow for the copy of program names so that users can paste those names into external applications. (GT-3403, Issue #1257)

Headless. Headless Ghidra now properly honors the -processor flag, even if the specified processor is not a valid opinion. (GT-3376, Issue #1311)

Importer. Corrected an NeLoader flags parsing error. (GT-3381, Issue #1312)

Importer. Fixed the File -> Add to Program... action to not show a memory conflict error when the user is creating an overlay. (GT-3491, Issue #1376)

Importer. Updated the XML Importer to apply repeatable comments. (GT-3492, Issue #1423)

Importer. Fixed issue in Batch Import where only one item of a selection was removed when attempting to remove a selection of items. (GP-138)

Importer. Corrected various issues with processing crushed PNG images. (GP-146, Issue #1854, #1874, #1875, #2252)

Importer. Fixed RuntimeException occurrence when trying to load NE programs with unknown resources. (GP-182, Issue #1596, #1713, #2012)

Importer. Fixed batch import to handle IllegalArgumentExceptions thrown by loaders. (GP-227, Issue #2328)

Importer:ELF. Corrected ELF relocation processing for ARM BE8 (mixed-endian). (GT-3527, Issue #1494)

Importer:ELF. Corrected ELF relocation processing for R_ARM_PC24 (Type: 1) that was causing improper flow in ARM disassembly. (GT-3654)

Importer:ELF. Corrected ELF import processing of DT_JMPREL relocations and markup of associated PLT entries. (GP-252, Issue #2334)

Importer:PE. Fixed an IndexOutOfBoundsException in the PeLoader that occurred when the size of a section extends past the end of the file. (GT-3433, Issue #1371)

Listing:Comments. Fixed bug in Comment field that prevented navigation when clicking on an address or symbol where tabs were present in the comment. (GT-3440)

Memory. Fixed bug where sometimes random bytes are inserted instead of 0x00 when expanding a memory block. (GT-3465)

Processors. Corrected the offset in SuperH instructions generated by sign-extending a 20-bit immediate value composed of two sub-fields. (GT-3251, Issue #1161)

Processors. Fixed AVR8 addition/subtraction flag macros. (GT-3276)

Processors. Corrected XGATE ROR instruction semantics. (GT-3278)

Processors. Corrected semantics for SuperH movi20 and movi20s instructions. (GT-3337, Issue #1264)

Processors. Corrected SuperH floating point instruction token definition. (GT-3340, Issue #1265)

Processors. Corrected SuperH movu.b and movu.w instruction semantics. (GT-3345, Issue #1271)

Processors. Corrected AVR8 lpm and elpm instruction semantics. (GT-3346, Issue #631)

Processors. Corrected pcode for the 6805 BSET instruction. (GT-3366, Issue #1307)

Processors. Corrected ARM constructors for instructions vnmla, vnmls, and vnmul. (GT-3368, Issue #1277)

Processors. Corrected bit-pattern for ARM vcvt instruction. (GT-3369, Issue #1278)

Processors. Corrected TriCore abs instructions. (GT-3379, Issue #1286)

Processors. Corrected x86 BT instruction semantics. (GT-3423, Issue #1370)

Processors. Fixed issue where CRC16C LOAD/STOR with abs20 were not mapped correctly. (GT-3529, Issue #1518)

Processors. Fixed M68000 MOVE USP,x and MOVE x,USP opcodes. (GT-3594, Issue #1593)

Processors. Fixed the ARM/Thumb TEQ instruction pcode to be an XOR. (GP-23, Issue #1802)

Processors. Emulation was broken by a regression in version 9.1.2. Emulation and Sleigh Pcodetests now work correctly. (GP-24, Issue #1579)

Processors. Fixed carry flag issue for 6502 CMP, CPX, and CPY instructions. (GP-34)

Processors. Corrected the SuperH high-order bit calculation for the rotr instruction. (GP-47)

Processors. Corrected ELF ARM relocation processing for type 3 (R_ARM_REL32) and added support for type 42 (R_ARM_PREL31). (GP-164, Issue #2261, #2276)

Scripting. Moved Jython cache directory out of tmp. (GP-36)

Scripting. Fixed a NoClassDefFoundError when compiling GhidraScript under JDK14. (GP-59, Issue #2152)

Scripting. Fixed issues with null result when searching for the script directory. (GP-103, Issue #2187)

Scripting. Fixed scripting issue where, if there were non-ASCII characters in the user path, Jython would not work. (GP-204, Issue #1890)

Sleigh. Corrected IndexOutOfBoundsException in SLEIGH when doing simple assignment in disassembly actions block. (GT-3382, Issue #745)

Symbol Tree. Fixed the Symbol Tree so that clicking an already-selected symbol node will still trigger a Listing navigation. (GT-3436, Issue #453)

Symbol Tree. Fixed the Symbol Tree to not continuously rebuild while performing Auto-analysis. (GT-3542)

Version Tracking. Fixed Version Tracking Create Manual Match action. (GT-3305, Issue #2215)

Version Tracking. Fixed a NullPointerException encountered when changing the Version Tracking options for the Listing Code Comparison when no data was loaded. (GT-3437, Issue #1143)

Version Tracking. Fixed Version Tracking exception triggered in the Exact Functions Instructions Match correlator encountered when the two functions being compared differed in their number of instructions. (GT-3438, Issue #1352)

Ghidra 9.1.2 Change History (February 2020)

Bugs

Data Types. Improved PDB composite reconstruction to attempt pack(1) alignment if default alignment fails. (GT-3401)

Data Types. Added missing support for multi-user merge of unions and structures containing bitfields or a trailing flexible array member. (GT-3479)

Data Types. Corrected structure editor save button enablement issue when editing bitfields within a non-packed structure. (GT-3519, Issue #1297)

Disassembly. Corrected potential infinite loop with disassembler caused by branch to self with invalid delay slot instruction. (GT-3511, Issue #1486)

GUI. Corrected processor manual display for Microsoft Windows users, which was not displaying processor manual and was, instead, rendering a blank page in web browser. (GT-3444)

GUI:Bitfield Editor. Added field comment support to composite bitfield editor. (GT-3410)

Importer:Mach-O. A Mach-O loader regression, in Ghidra 9.1.1, when laying down symbols at the correct location, has been fixed. (GT-3487, Issue #1446)

Multi-User:Ghidra Server. Corrected Ghidra Server remote interface errors that occur when running with Java 11.0.6 (and later) release, which would throw RemoteException Method is not Remote errors. (GT-3521, Issue #1440)

PDB. Corrected PDB XML generation for zero-length classes and structures and resolved various datatype dependency issues encountered during PDB Analysis. Changed line numbers from hex to decimal. (GT-3462, Issue #1410)

Processors. Corrected mnemonic for ARM thumb RSB.w instruction. (GT-3420, Issue #1365)

Processors. Corrected issue in M68000 with some move instructions not creating correct array assignments. (GT-3429, Issue #1394)

Processors. Updated x86 processor manual index file with latest Intel and AMD manuals. (GT-3489, Issue #1078)

Ghidra 9.1.1 Change History (December 2019)

Improvements

Importer:Mach-O. Improved import/load time of DYLD shared cache files. (GT-3261)

Program API. Cached the addresses that correspond to executable memory to improve analysis performance. (GT-3260)

Bugs

Analysis. Fixed a symbol name error that occurred in the Objective-C analyzer. (GT-3321, Issue #1200)

Analysis. Constant references are now computed correctly within functions in overlay spaces. (GT-3373)

Build. Corrected build of DMG.jar which was improperly built within Ghidra 9.1 release. (GT-3364)

Decompiler. Fixed bug causing Pcode: XML comms: Badly formed address errors when decompiling HCS12 XGATE code. (GT-3297)

Decompiler. Fixed Array DataType must be Fixed length exceptions related to function pointer data types. (GT-3309)

Decompiler. Fixed bug causing decompiler to drop statements, assigning string constants to global variables. (GT-3315)

Decompiler. Fixed issue with enum name strings causing Low-level Error: XML error: syntax error in the decompiler. (GT-3387, Issue #1329)

GUI. Fixed a potential ConcurrentModificationException in the interactive python interpreter. (GT-3280)

Importer:PE. Fixed an exception in the PeLoader that occurred when the size of the memory block for the headers is larger than the file size. (GT-3344, Issue #1266)

Listing. Fixed missing scroll bar in listing. (GT-3290)

Listing. Fixed issue that was causing a stack trace to be generated when contiguous addresses were cleared for a range greater than Integer.MAX. (GT-3357)

Listing:References. Corrected Create Default Reference action bug which did not handle composite/array data components properly. (GT-3371)

Processors. Corrected Sparc floating point instruction pcode implementation. (GT-3202)

Processors. Corrected the semantics of the PowerPC e_cmpi instruction. (GT-3228, Issue #1127)

Processors. Corrected bit generation for PowerPC instructions se_bclri, se_bgeni, se_bseti, and se_btsti. (GT-3232, Issue #967)

Processors. Corrected register definitions for x86 RDRAND instruction. (GT-3253, Issue #1169)

Processors. Corrected signed immediate calculation for some powerPC VLE offsets being incorrect. (GT-3254, Issue #1160)

Processors. Resolved issue with x86 escape opcodes preventing certain instruction patterns from decoding. (GT-3256)

Processors. Corrected bug in XGATE LDH instruction shifting out high bits. (GT-3268)

Processors. Corrected processing of R_MIPS_REL32, R_X86_64_RELATIVE, and R_X86_64_RELATIVE64 ELF relocations affecting relocatable binaries which have non-zero section/segment load addresses. (GT-3349)

Ghidra 9.1 Change History (October 2019)

New Features

Data Types. Added bit-field support to Structure and Union editor. An additional Bit-field Editor was also added for explicit bit-field placement within non-packed structures. (GT-559)

Eclipse Integration. Added new GhidraSleighEditor Eclipse plugin in the installation directory under Extensions/Eclipse. (GT-113)

GUI. Added method for turning off table sorting by control-clicking the only sorted table column. (GT-2763, Issue #87)

GUI. Hovering on an address will now show where the byte at that address came from in the imported file. (GT-3016, Issue #154)

Importer:Mach-O. Added new importer/loader for DYLD-shared cache files. (GT-2343)

Memory. Added new API to preserve imported program's original bytes and how they map to memory blocks. (GT-2845)

Processors. Implemented Intel MCS-96 processor module. (GT-2350)

Processors. Added SH1/2/2a sleigh processor specification. (GT-3029, Issue #715)

Processors. Added Tricore processor specification. (GT-3041, Issue #567)

Processors. Added HCS12X processor specification. (GT-3049)

Processors. Added HCS05 and HCS08 sleigh processor specifications. (GT-3050)

Processors. Added SH4 sleigh processor specification. (GT-3051, Issue #37)

Processors. Added MCS-48 processor specification. (GT-3058, Issue #638)

Program API. Added Bit-field support for structures and unions. Warning: Version upgrade will be forced on all modified programs and data type archives that are open for update. (GT-557)

Sleigh. Added two new extension modules (SleighDevTools and GnuDisassembler) in support of processor module development. Added support for pcode junit tests which utilize emulation of cross-compiled C test code to verify sleigh pcode (i.e., instruction semantics). The SleighDevTools extension provides the pcode test C source and associated build scripts, as well as external disassembler support for aiding in the validation of disassembled instruction syntax. (GT-3067)

Improvements

Analysis. Added example script, ResolveX86orX64LinuxSyscallsScript.java, for decompiling Linux system calls in x86 and x64. Added syscall-related exercises to Advanced class. (GT-3113)

Basic Infrastructure. Made bash scripts more portable, allowing Ghidra to be launched on additional platforms. (GT-2742, Issue #347)

Build. Created a new Gradle task that automates some installation procedures defined in DevGuide.md. (GT-2897)

Build. The build now allows newer versions of Gradle to be used. (GT-3017, Issue #737)

Data Types. All DataType archives have been regenerated to support the new bit-field functionality. (GT-2878)

Data Types. CategoryPath now accepts forward slashes in its components. (GT-2961)

Data Types. Fixed Structure Editor bug that caused the Data Type field of a row to be edited after a successful name field edit. (GT-3109, Issue #703)

Decompiler. Most forms of unnecessary or redundant copy statements are now removed from the decompiler output. (GT-2839)

Decompiler. Added ability to double-click a Decompiler brace syntax token to navigate to the matching brace. (GT-2846)

Decompiler. Updated the Decompiler to navigate to the label of a goto statement when that label is double-clicked. (GT-2847)

Decompiler. Updated the Decompiler's Copy action to copy the symbol under the cursor when there is no selection. (GT-2914, Issue #411)

Decompiler. Fixed broken External Navigation: Navigate to External Program option found in Edit -> Tool Options.... (GT-2932)

Decompiler. The decompiler's logic for handling optimized division has been updated to recognize forms typically found in executables generated with more recent 64-bit compilers. (GT-2968, Issue #668)

Decompiler. Implemented call-fixup for x64 __chkstk function. (GT-3006, Issue #670, #671)

Decompiler. The decompiler simplifies many new sign-bit extraction forms used in optimized division and comparison expressions. (GT-3036)

Decompiler. Ghidra now supports protected mode addressing when analyzing 16-bit x86 programs. This is the default variant when analyzing NE format executables, but it can also be used for MZ (and other) formats. (GT-3090, Issue #98)

Decompiler. Added the Show References to Address and Find References to Symbol actions to the Decompiler. Added Find Uses of Field action to the Structure Editor. (GT-3115, Issue #474, #542, #543)

Decompiler. Updated the Decompiler's Edit Data Type action to work on more fields. (GT-3116, Issue #275, #511)

Decompiler. Renaming a single parameter within the decompiler window no longer prevents the data types of parameters from floating. Retyping a single parameter locks the data type for that parameter but no longer prevents the data types of other parameters from floating. (GT-3162)

Documentation. Fixed typos and other errors in GitHub-related documentation. (GT-2748, Issue #345, #361, #370, #375, #398)

Documentation. Added documentation to the DevGuide.md on how to run unit/integration tests. (GT-3046, Issue #815, #832)

DWARF. Corrected DWARF analysis to handle binaries that are imported at non-default locations. (GT-2963, Issue #637)

Emulator. Added improved emulation support at the API level including a simplified API exposed via the EmulatorHelper class. Sample GhidraScripts, which utilize this API, have been provided. (GT-3066)

Function Graph. Updated the Function Graph to show the current program selection when zoomed out. (GT-2735)

Function Graph. Added an option to the Function Graph to allow more complex edge routing that will go around non-incident vertices. See the Tool Options for more information and to enable this feature. (GT-3019, Issue #811)

Function Graph. Fixed Function Graph edge layout bugs that caused some edges to get clipped by vertices. (GT-3161)

GUI. Added listener to Script Table Chooser Dialog that will get notified when the dialog closes. (GT-2216)

GUI. Fixed global Tool auto-save option so that it persists between Ghidra sessions. (GT-2818, Issue #231)

GUI. Added the apple.laf.useScreenmenuBar option to hoist the menu bar out of the window on macOS. The option is off by default but can be activated in support/launch.properties. (GT-2859, Issue #562)

GUI. Updated the Repeat Text Search/Repeat Memory Search menu items to show the search dialog for long searches. (GT-2872, Issue #585)

GUI. Updated Structure Editor to allow user key bindings to work. (GT-2894, Issue #504)

GUI. Python interpreter key bindings for sending reset and interrupt commands are now configurable. (GT-2901, Issue #588)

GUI. Tweaked default graphic settings in support/launch.properties to support a wider range of displays out-of-the-box. (GT-2913, Issue #341)

GUI. Added the ability to assign key bindings to activate individual component providers. (GT-2925, Issue #539)

GUI. Fixed rendering issue in the Search Results table's Preview column. (GT-2942, Issue #550)

GUI. Updated the Function Signature Editor's Data Type Chooser dialog to allow for keyboard navigation. (GT-3110, Issue #636)

GUI. Fixed NullPointerException in the DB Viewer component. (GT-3163, Issue #1023)

Importer. Updated x86 16-bit processor binding for IDA. (GT-3004, Issue #771)

Importer:ELF. Improved ELF loader ability to cope with malformed headers including negative file offsets and missing section names. (GT-2933, Issue #35)

Importer:PE. PeLoader better accounts for section alignment when laying out memory blocks, allowing additional bytes from the file to be loaded into memory. (GT-2827, Issue #327, #418)

Importer:PE. Removed out-of-place call to demangler and laying down of types from PeLoader. This fix enables demangling and other analyzers to be applied correctly and in the proper order. (GT-2849)

Importer:PE. PeLoader now adds TLS callback functions as entry points. (GT-2898, Issue #102)

Listing. Updated Listing to support horizontal scrolling by holding the Shift key when using the mouse wheel. (GT-3105, Issue #451)

Listing:References. Created new overriding reference types, which improve and extend the ability to override calls, jumps, and callothers. (GT-2885)

Multi-User. Added a script to allow repository admins the ability to terminate multiple file checkouts belonging to an individual user on a shared project. (GT-2893)

Multi-User:Ghidra Server. Added additional Ghidra Server authentication modes including: Active Directory via Kerberos and JAAS. The JAAS framework can facilitate use of LDAP, PAM, and other JAAS-supported extensions which utilize a login name and password. (GT-2658)

Multi-User:Ghidra Server. Changed Ghidra Server repositories storage to ignore file/folder names which start with a period. This will impose a restriction on naming of Ghidra projects where they can no longer start with a period. (GT-3218)

PDB. Now using HTTPS for Microsoft symbol server URL. (GT-2819, Issue #369)

PDB. PDB processing can now store data types that contain forward slashes under a CategoryPath. (GT-2974, Issue #94, #182)

PDB. PDB Analyzer no longer automatically includes the PDB path specified in the program's PE header when searching for the PDB. However, the filename in this path is considered during the search. The analyzer's Unsafe: Include PE PDB Path in PDB Search option allows the user to revert to the original PDB search algorithm. (GT-3076, Issue #277)

Processors. Added new Task Monitor service to better handle user experience when there are delays in building languages. (GT-2376)

Processors. Corrected ARM/Thumb instruction parsing for Thumb bl and add instructions. (GT-2744, Issue #362)

Processors. Added AVR8 manual index file. (GT-2828, Issue #346)

Processors. Improved support for ARM on Windows. (GT-2880)

Processors. M68000 LSL.W, ASL.B, LSL.B, and ASL.W instructions now correctly set the CF flag. (GT-2907, Issue #619)

Processors. Updated x86 manual index files. (GT-2943, Issue #366)

Processors. Improved macro label-related error reporting in slaspec files. (GT-2995, Issue #522)

Processors. Added MIPS special 0x1f patterns. (GT-3005, Issue #709)

Processors. Added proper updating of the X condition flag register for the M68000 processor lsl and lsr instructions. (GT-3137, Issue #983)

Processors. Implemented PowerPc VLE Interrupt Handler Efficiency Instructions. (GT-3143, Issue #935)

Processors. Ghidra now correctly models SPARC 64-bit stack bias. (GT-3201)

Processors. Updated AVR32 instruction manual index to latest version. (GT-712)

Program API. Added SHA256 hash to Program metadata and API. (GT-2753, Issue #331)

Scripting. Updated Script Table Chooser Dialog: to fix bug with tracking work items, to add new API methods for item removal and dialog closed notification, and to prevent the same item from being worked on more than once. (GT-2724, Issue #307)

Scripting. Fixed MultiInstructionMemReference Ghidra script to place the reference correctly on instructions with a delay slot. (GT-2906)

Sleigh. The sleigh compiler now reports line numbers for the -n NOP command line option. (GT-2905, Issue #561)

Sleigh. SLEIGH compiler now warns when building an operand in a constructor may unintentionally overwrite another operand. (GT-3085)

Testing:Junits. test.gradle getLogFileUrl() no longer searches user .dir for log4j properties file. (GT-2834, Issue #499)

Testing:Junits. Added new Gradle task to run integration tests and generate an HTML report. (GT-3060, Issue #870)

Tool. Fixed bug that caused an exported tool to exclude plugin configuration settings. (GT-3193, Issue #1065)

Bugs

Analysis. Fixed an exception in the EmbeddedMediaAnalyzer that occurred when media was discovered at the very end of the address space. (GT-2890)

Analysis. Recognition and disassembly of the FMA, F16C, and several missing AVX instructions have been added to the base x86 processor specification. The pcode for these instructions is pseudo-op and not a full pcode implementation. (GT-3168)

Basic Infrastructure. Updated the apache-commons-lang3 library to version 3.9 which supports Java 11. (GT-2879)

Basic Infrastructure. Prevented Ghidra from launching with 32-bit Java installations. (GT-3146, Issue #882)

Data Types. Corrected string data default label generation when defined within uninitialized memory, which will now render as STRING_address. (GT-2715, Issue #272)

Data Types. Improved ASCII string data handling for processors with a char size greater than one (1). (GT-2842)

Data Types. Changed BooleanDataType to extend AbstractIntegerDataType including support as a bit-field. (GT-3170)

DbViewer. Corrected concurrent modification issue within DbViewer resulting in NullPointerException. (GT-3192, Issue #1076)

Decompiler. Fixed aliasing issue where the decompiler would sometimes drop initialization or other code writing to the stack. (GT-2369)

Decompiler. Fixed bug causing the decompiler to incorrectly omit the display of infinite loops when they contained switch statements. (GT-2852, Issue #443)

Decompiler. Integer extension casts are no longer printed in the decompiler if the extension is implied. (GT-2857)

Decompiler. Improved handling of overlay spaces. In particular, the decompiler is now able to handle references into overlays defined on the OTHER space. Added SLEIGH version numbers. (GT-2873)

Decompiler. Updated the Decompiler to place the cursor on the function signature when a function is decompiled. (GT-2882)

Decompiler. Fixed a common source of Data type does not fit errors when using the Retype actions in the decompiler. (GT-2956)

Decompiler. Fixed equals() method in Varnode AST. (GT-2959, Issue #677)

Decompiler. Users can no longer rename undefined functions from the decompiler. (GT-3043, Issue #753)

Decompiler. Fixed a bug that did not allow the prototype for a specific CALL to an external function to be overridden in the decompiler. (GT-3145)

Decompiler. Restricted Auto Fill in Structure command to operate only on pointer variables. (GT-3182)

Decompiler. Fixed bug in the analysis of stack variables for SPARC, which caused extraneous local variables and missed stack parameters in the decompiler. (GT-3200)

Decompiler. Fixed one source of Type propagation algorithm not settling warnings in the decompiler. (GT-3213, Issue #839)

Decompiler:Java. Updated Decompiler's hovers to show preview for data types on variables and return types. (GT-2629)

Decompiler:Java. Fixed error involving decompilation of certain invokedynamic instructions in JVM class files. Made numerous minor improvements to decompilation of JVM bytecode. (GT-2757, Issue #287)

Demangler. Fixed a NullPointerException in DemangledFunctionPointer. (GT-2948, Issue #609)

DWARF. Empty DWARF compilation unit sections will now be ignored. (GT-2939, Issue #690)

Exporter. Negative memory references in idaxml.py no longer cause errors. (GT-2696, Issue #213, #885)

Exporter. Fixed Intel Hex Exporter to not ignore the Address Space option value. (GT-2749)

Exporter. Fixed cancellation behavior of the C/C++ exporter. (GT-2881, Issue #591)

File Formats. Fixed an out-of-memory error in the CPIO file system. (GT-2912)

File Formats. DmgClientFileSystem no longer falsely matches zlib compressed files. (GT-2926, Issue #583)

File System Browser. Fixed NullPointerException when clicking Get Info on a directory in a zip file in the file system browser when the element was a directory that did not have a corresponding entry in the zip file. Changed the Get Info action to show information about both the highlighted file and any file system mounted from that file. (GT-2758)

File System Browser. Fixed dialog stacking problem in File System Browser when double-clicking a container file to open the filesystem inside it. (GT-2764)

File System Browser. Reduced the disk usage of the DYLD-shared cache file system. (GT-2887)

Function Graph. Fixed exception encountered when a Function Graph's entry node was put into a group node. (GT-3074)

Function Graph. Fixed Function Graph edge routing bug that sometimes caused edge flowing upward to route unexpectedly. (GT-3153, Issue #994)

GUI. Fixed stack trace when deleting large memory block that is in its own address space. (GT-2699)

GUI. Changed Data Type Preview to allow adding string data types. (GT-2832)

GUI. Fixed display of operand scalar values in tooltip popup of Decompiler and Listing windows. (GT-2836, Issue #120)

GUI. Fixed bug in Data Type Preview that caused a rendering error in Structures as primitive types were deleted. (GT-2844)

GUI. Fixed Symbol Tree ClassCastException that happened when clicking a node while the tree was still loading. (GT-2870, Issue #96)

GUI. Fixed bug that prevented the XRef's Ref Type column from sorting correctly. (GT-2892)

GUI. Fixed Listing bug so that the cursor gets restored to the previous location on Ghidra startup. (GT-2927, Issue #505)

GUI. Updated Edit Function Signature dialog to have focus in the signature field when first opened. Also added undo/redo support. (GT-2947, Issue #635)

GUI. Fixed exception in the References Editor encountered when closing the editor with an active edit in the table. (GT-2951)

GUI. Fixed bug where the Ghidra menu mnemonic was not being set by the ampersand ('&') character in the last field of the menu path. (GT-2954)

GUI. Updated the Component Provider's Close button to allow for key bindings. (GT-2971, Issue #533)

GUI. Fixed tool navigation button enablement when using snapshot windows. (GT-2973)

GUI. Corrected Function Editor issue where parsed signature text resulted in incorrect type sizes which impacted custom storage selection. Also added support for parsing signatures which reference types from an open datatype archive. (GT-3059)

GUI. Updated resizing in Select Bytes dialog. (GT-3072)

GUI. Fixed bug where listing would jump to random location when opening or closing a large structure or array. (GT-3088)

GUI. Fixed bug that caused some tables (e.g., the Symbol Table) to sort twice during their initial loading of data. (GT-3142)

GUI. Drag-and-Drop bug causing incorrect drop highlighting has been fixed. (GT-3219, Issue #1093)

Help. Fixed NullPointerException when navigating the Help UI. (GT-2830, Issue #493)

Importer. Fixed issues in the MapLoader that prevented .map files from being added to an existing program. (GT-2972, Issue #762)

Importer. For batch import, fixed issue where last character of directory name was truncated on Windows workstations. (GT-3012, Issue #797)

Importer. Fixed a bug in how the NE importer creates External Function symbols for the procedures it imports, allowing the decompiler to properly access any available information. (GT-3140, Issue #770)

Importer. Fixed a bug that prevented some old-style Windows executables from getting loaded by the MzLoader. (GT-3180, Issue #1054)

Importer:ELF. Added ELF relocation handler for R_AARCH64_JUMP26. (GT-2999, Issue #775)

Importer:ELF. Improved ELF MIPS support for GP-relative relocations encountered in PIC compiled binaries. Also added support for R_MIPS_RPREL32 relocation. (GT-3026, Issue #764)

Importer:ELF. ELF x86-64 relocations R_X86_64_GOT32, R_X86_64_PLT32, R_X86_64_SIZE32, R_X86_64_SIZE64, and R_X86_64_GOTPC32 have been fixed to relocate correctly. Additional ELF x86-64 relocations, found mostly in unlinked .o files, have been added. (GT-3089, Issue #910)

Importer:PE. Fixed a problem in the PeLoader that would result in section names being incorrectly used as primary symbols. This could result in function names being wrong. (GT-3195, Issue #761, #1051)

Listing. Fixed potential infinite loop when editing long comments. (GT-2824, Issue #437)

Listing. Fixed potential ClassCastException in Listing comments. (GT-3023)

Listing. Cursor in the listing now stays in the proper column after editing a field. (GT-3045, Issue #702)

Listing. Fixed a problem with register highlighting that could occur on certain register/sub-register combinations. (GT-3071, Issue #810)

Multi-User. Corrected terminate checkout from viewed checkout list which was always terminating first row range based upon number of selected rows and not the actual selected rows. (GT-2903)

Multi-User. Corrected ability for user to cancel checkin/checkout to Ghidra Server. (GT-3208)

Multi-User:Ghidra Server. Added proper Ghidra Server interface binding with new -i option. Corrected -ip option to strictly convey remote access hostname to clients. The updated server will only accept connections from Ghidra 9.1 and later clients due to the registry port now employing TLS. (GT-2685, Issue #101, #645)

Multi-User:Ghidra Server. Fixed argument-passing bug in svrAdmin script. (GT-3082, Issue #907)

Multi-User:Merge. Corrected merge problem affecting modified Function Definition datatypes which could result in a NullPointerException. (GT-2922)

PDB. Added char16_t and char32_t to PDB BASIC_TYPE_STRINGS. (GT-2952, Issue #685)

PDB. Addressed memory leaks and string handling issues in pdb.exe. (GT-2975, Issue #674, #597, #598, #599, #600)

PDB. Can now recover stack variables from more recent Visual Studio version PDBs. (GT-3014)

PDB. Fixed PDB validation logic, which caused a more severe error message to be created, masking the real issue. (GT-3209, Issue #198, #1024)

Processors. Utilized FLOAT_NEG pcodeop to simplify PowerPC fneg instructions. (GT-2781, Issue #387)

Processors. Added 6502 I status bit save and restore. (GT-2826, Issue #469)

Processors. Corrected alternate register definitions in z80 processor. (GT-2876, Issue #520)

Processors. Reviewed all processor modules for GhidraSleighEditor syntax errors. (GT-2902)

Processors. Added support for RD, WR, FS, and GSBASE instructions in x86. (GT-2940, Issue #554, #555)

Processors. Added fixes for sign extension of ADD, AND, CMP, and SUB instructions on x86-64bit. (GT-2955, Issue #881)

Processors. Updated PIC-30 division pcode to correct decompilation issue. (GT-3008)

Processors. Fixed x86 AAM instruction. (GT-3015)

Processors. Corrected x86 decode of MOVBE instruction. (GT-3039, Issue #822)

Processors. Corrected M68000 mov3q instruction decode and semantics. (GT-3080, Issue #905)

Processors. The JVM instruction I2D now correctly pushes an 8-byte double on the stack. (GT-3081)

Processors. Fixed problem displaying processor manuals in Windows Firefox. (GT-3084)

Processors. Encoding of MOV into debug registers has been relaxed. (GT-3117)

Processors. Corrected behavior of PowerPC vectorPermute pcodeop for emulation. (GT-3148)

Processors. Corrected MIPS relocation computation for R_MIPS_26, R_MIPS16_26, and R_MICROMIPS_26_S1. (GT-3154, Issue #1001)

Processors. Corrected the bit patterns for PowerPC VLE rlwimi and rlwinm instructions. (GT-3159, Issue #752)

Processors. Corrected instruction semantics for AARCH64 BLR instruction. (GT-3191)

Processors. Corrected fall-through override semantics for cases where pcode simply drops into the next address. (GT-3196, Issue #1083)

Processors. Corrected the semantics of the PowerPC se_bmaski instruction. (GT-3230, Issue #1123)

Program API. Corrected parameter storage which failed to properly refresh after undo/redo. (GT-3130, Issue #960)

Program API. Corrected function parameter ordinal numbering when more than one auto-parameter is present. (GT-3214)

Project Manager. Fixed a problem with creating Ghidra projects in Windows root directories (e.g., Z:\). (GT-2585)

Project Manager. Fixed a path-traversal vulnerability that could occur when restoring a malicious project archive. (GT-3001, Issue #789)

Scripting. GhidraScript.askDomainFile() now correctly throws a CancelledException when the cancel button is clicked. (GT-2841)

Scripting. Removed deprecated scripting methods older than 5 releases. (GT-2949)

Security. Removed use of nonsecure XMLEncoder/XMLDecoder from Ghidra code base. (GT-3198, Issue #1090)

Sleigh. Corrected Sleigh compiler bug which performed improper bounds checking for named register offset specification when space wordsize is not one (1). (GT-3034, Issue #831)

Testing:CUnits. Fixed error logging in pcodetest for reporting an error when running a compile command. (GT-3199, Issue #1089)

Version Tracking. Fixed NullPointerException in Version Tracking hashing algorithm. (GT-2976)

Ghidra 9.0.4 Change History (May 2019)

Bugs

Multi-User:Ghidra Server. Corrected severe script error in svrAdmin.bat introduced with 9.0.3 build. (GT-2874)

GUI. Restored the default 'p' key binding for creating pointers within the listing display. (GT-2854)

Ghidra 9.0.3 Change History (April 2019)

New Features

GUI. Function tags are now viewable from Functions Window table using new column. (GT-2114)

Improvements

Decompiler. Improved modeling of CFG on Windows 10. (GT-2755, Issue #340)

Patcher. Renamed patch directory to /Ghidra/patch and added README.txt that explains how the patch directory is used. (GT-2734)

Search. Updated the Decompiler Data Type Finder to find references inside of nested array access in a line of Decompiler C output. (GT-2756, Issue #416)

Sleigh. Improved error reporting for SLEIGH compiler. (GT-2820, Issue #364)

Bugs

Analysis. Code that checks for thunks no longer throws an exception if the PC is not set for the processor. (GT-2730)

Analysis. Made a fix to enable Apply button when changing tool options. (GT-2801, Issue #40)

Data Types. Fixed concurrent modification exception when replacing one datatype for another that results in some other datatype being renamed. (GT-2736)

Decompiler. Fixed dynamic variables and equates in 16-bit x86 programs. (GT-2745, Issue #336)

Decompiler:Java. Fixed DEX decompilation regression issue. (GT-2743, Issue #350)

Eclipse Integration. Fixed exception in Eclipse GhidraDev plugin that occurred when performing certain actions on a Ghidra project that was imported from a previously exported Archive File. (GT-2721, Issues #283, #383)

GUI. Improved documentation on how to deal with HiDPI monitor issues in Linux. In the <ghidra_installation>/support/launch.properties file, change VMARGS=-Dsun.java2d.xrender from false to true.

Importer. Fixed an exception that occurred when batch importing APK files. (GT-2767, Issue #426)

Multi-User:Ghidra Server. Restored ability to execute svrAdmin script in development mode. (GT-2740)

Processors. The 6502 Zero page indexed addressing has been corrected to only access the Zero page. (GT-2759, Issue #201)

Processors. The M68000 BCD arithmetic instructions now have pcode semantics that allow disassembly to continue. (GT-2807, Issue #227)

Search. Fixed NullPointerException in Decompiler Data Type Reference Finder. (GT-2754, Issue #407)

Ghidra 9.0.2 Change History (April 2019)

Bugs

Analysis. Constant reference analysis boundary controls for speculative references has been fixed. Speculative references are references created from computed constants passed as parameters, stored to a location, or from indexed offsets from a register. (GT-2723, Issue #228)

Decompiler. Fixed Decompiler handling of Function Definition data types. (GT-2704, Issue #247)

Decompiler. Fixed rendering bug in the Decompiler when the "Find" dialog is closed. (GT-2716, Issue #282)

Decompiler. Fixed "Free Varnode" exception in RuleConditionalMove. (GT-2726, Issue #294)

Diff. Fixed exceptions that can occur in the Diff View for programs with overlays. (GT-2706)

Documentation. Corrected the spelling of "listener" throughout the source code. (GT-2702, Issue #235)

Exporter. Exporting a selection as Intel Hex will now allow a selection of any length. Previously this was restricted to multiples of 16 bytes. (GT-2703, Issue #260)

GUI. Fixed exception that occurs after disabling MyProgramChangesDisplayPlugin. (GT-2712)

GUI. Updated the "Open Program" dialog to disallow file drop operations. (GT-2705, Issue #252)

Multi-User:Ghidra Server. Corrected bug introduced into ghidraSvr.bat which could prevent Ghidra Server startup. (GT-2717, Issue #279)

Processors. The ARM Thumb CMP.W and LSL instructions have been changed to correctly decode. There are still issues to work out with Unpredictable execution when Rd is the PC. (GT-2722, Issue #280)

Scripting. MultiInstructionMemReference script has been corrected to consider input and output registers when placing a reference on an instruction. (GT-2723)

Security

Basic Infrastructure. Added a property to support/launch.properties to prevent log4j from using jansi.dll on Windows. (GT-2725, Issue #286)

Ghidra 9.0.1 Change History (March 2019)

New Features

Scripting. Created ShowEquatesInSelectionScript to show all equates within the current selection. (GT-2651, Issue #111)

Improvements

Basic Infrastructure. Updated commons-compress library to version 1.18. (GT-2657, Issue #171)

Eclipse Integration. Ghidra now connects to the Eclipse GhidraDev plugin on 127.0.0.1 rather than localhost. (GT-2691)

GUI. Turned on font anti-aliasing by default for Linux. (GT-2674, Issue #212)

GUI. Fixed Options Dialog slow scrolling speed. (GT-2679, Issue #27)

Importer:ELF. Corrected bug in ELF loader which can improperly process the GOT, PLT and relocations when multiple symbol tables exist within the ELF binary. (GT-2646, Issue #52)

Multi-User:Ghidra Server. Corrected the Ghidra Server service wrapper (YAJSW) configuration for Mac OS X to prevent a startup timeout condition which could occur. (GT-2637)

Processors. Added ARM/Thumb SRS instruction decodes for undefined modes. (GT-2676, Issue #216)

Bugs

API. Fixed equals method on Varnode class. (GT-2648, Issue #97)

API. Fixed a bug in MaskImpl.complementMask(). (GT-2694, Issue #187)

Basic Infrastructure. Fixed special character handling in idaxml.py. (GT-2669, Issue #75)

Basic Infrastructure. Ghidra now forces the locale to en_US by default. Only the en_US is currently supported. This fixes certain unexpected exceptions. (GT-2680, Issue #209)

Diff. Fixed exception occasionally encountered when starting a Diff session. (GT-2672, Issue #211)

Documentation. Fixed javadoc search box redirecting to broken links. (GT-2655, Issue #129)

Function Graph. Fixed Function Graph exception when generating tooltip. (GT-2650, Issue #65)

GUI. Updated window placement to keep windows on screen. (GT-1516, Issue #41)

GUI. Add/Edit References dialog now restricts users to creating refs in valid memory address spaces. (GT-2638)

GUI. Fixed exception when exiting Ghidra while a table is being edited. (GT-2642, Issue #51)

GUI. Fixed some touchpad scrolling issues. (GT-2647, Issue #2)

GUI. Fixed stack trace in the Data Type Manager's tooltip generation. (GT-2656, Issue #133)

GUI. User key binding settings for the Recently Used and Define Pointer actions no longer lost after re-launching tool. (GT-2659, Issue #152)

GUI. Toolbar buttons now respond to fast clicking. (GT-2689)

Importer:Mach-O. The Mach-O loader can now find import libraries found in Universal Binary files. (GT-2663, Issue #136)

Importer:PE. The PeLoader now correctly parses the GuardCFFunctionTable when table entries are more than 4 bytes each. (GT-2671, Issue #220)

Multi-User:Ghidra Server. Removed support for native OS authentication from Ghidra Server (removed modes -a2 and -a3) due to incompatibility with newer OS releases including Windows 10 and Windows Server 2016. Re-introduction of this will be considered for a future release. (GT-2653)

PDB. Corrected NullPointerException when processing PDB files. (GT-2673, Issues #138, #188)

Processors. Added missing PowerPC VLE conditional branch instructions: e_bdnz and e_bdz. (GT-2652, Issue #103)

Processors. Fixed instruction semantics for several instructions and added Control Flow Enforcement, NOP variants, CMP variants, UD1, and prefixed call instructions to X86 processor specification. (GT-2660, Issues #22, #53, #158, #157)

Processors. The M68000 MOVE instruction now correctly sets the CF and VF flags. (GT-2661, Issue #163)

Processors. Added four missing MOVEM instruction variants to the M68000 processor. (GT-2675, Issue #219)

Processors. An incorrect usage of X instead of Y in indexed mode for the 6502 has been corrected. (GT-2677, Issue #201)

Processors. PPC VLE now disassembles base PPC instructions that are valid in VLE mode. (GT-2681, Issue #127)

Processors. Added support for ARM Thumb half BL instruction on processor variants prior to v6. (GT-2684, Issue #39)

Scripting. Fixed a bug in ImportSymbolsScript.py that prevented it from running. (GT-2668, Issue #170)

Security

Basic Infrastructure. Running Ghidra in debug mode no longer opens remotely accessible ports by default. (GT-2641, Issue #6)

GUI. The Defined Strings plugin no longer renders HTML in its table. (GT-2686, Issue #45)

Project Manager. Fixed an XXE vulnerability affecting projects and many other saved components. (GT-2643, Issue #71)