Failed to detect the function of the stripped ELF binary. #24078

Open
yomaytk opened this issue Mar 19, 2025 · 2 comments

yomaytk commented Mar 19, 2025

Environment

$ date -I
2025-03-19
$ r2 -v
radare2 5.8.9 30833 @ linux-arm-64
birth: git.5.8.9 2023-08-17__12:04:39
commit: 96d73c12d42e87ad5565cee686960c0b3f514117
options: gpl -O? cs:5 cl:2 make
$ uname -ms
Linux aarch64

Description

When analyzing a “hello world” ELF/aarch64 binary generated by clang-16 (version 16.0.6) with radare2, I discovered that one function was not detected. First, in the stripped binary, radare2 reported that address 0x40f4a4 belongs to a function spanning 0x40ef6c-0x40f4ac.

# The case of stripped ELF binary
$ radare2 ~/workspace/compiler/elfconv/examples/hello/a.aarch64
 -- V is for Visual
[0x00400580]> e anal.vars=false
[0x00400580]> e anal.hasnext=true
[0x00400580]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Finding function preludes (aap)
INFO: Finding xrefs in noncode section (e anal.in=io.maps.x)
INFO: Analyze value pointers (aav)
INFO: aav: 0x00400000-0x0047f482 in 0x400000-0x47f482
INFO: Emulate functions to find computed references (aaef)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x00400580]> afi @ 0x40f4a4
#
offset: 0x0040f4a4
name: sym._IO_file_stat
size: 8
is-pure: true
realsz: 8
stackframe: 0
call-convention: arm64
cyclomatic-cost: 0
cyclomatic-complexity: 1
bits: 64
type: fcn [NEW]
num-bbs: 1
num-instrs: 2
edges: 0
minbound: 0x0040f4a4
maxbound: 0x0040f4ac
is-lineal: true
end-bbs: 1
trace-coverage: 100
noreturn: false
in-degree: 0
out-degree: 0
locals: 0
args: 0

However, in the unstripped binary, address 0x40f4a4 corresponds to the entry address of the function named sym._IO_file_stat. In other words, radare2 fails to detect the sym._IO_file_stat function in the stripped binary. Also, this function is called by the instruction blr x2 at address 0x0043a1d8.
I have attached both binaries.

sample.zip

Is it possible to fix this?

# The case of unstripped ELF binary
$ radare2 ~/workspace/compiler/elfconv/examples/hello/a_stripped.aarch64
 -- Dissasemble? No dissasemble, no dissassemble!!!!!
[0x00400580]> e anal.vars=false
[0x00400580]> e anal.hasnext=true
[0x00400580]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Finding function preludes (aap)
INFO: Finding xrefs in noncode section (e anal.in=io.maps.x)
INFO: Analyze value pointers (aav)
INFO: aav: 0x00400000-0x0047f482 in 0x400000-0x47f482
INFO: Emulate functions to find computed references (aaef)
INFO: Type matching analysis for all functions (aaft)
aINFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x00400580]> afi @ 0x40f4a4
#
offset: 0x0040ef6c
name: fcn.0040ef6c
size: 1344
is-pure: false
realsz: 1344
stackframe: 256
call-convention: arm64
cyclomatic-cost: 81
cyclomatic-complexity: 49
bits: 64
type: fcn [NEW]
num-bbs: 81
num-instrs: 336
edges: 126
minbound: 0x0040ef6c
maxbound: 0x0040f4ac
is-lineal: true
end-bbs: 2
trace-coverage: 87
noreturn: false
in-degree: 0
out-degree: 14
locals: 16
args: 0
var int64_t var_100h @ sp+0x0
var int64_t var_100h_2 @ sp+0x8
var int64_t var_10h @ sp+0x10
var int64_t var_10h_2 @ sp+0x18
var int64_t var_20h @ sp+0x20
var int64_t var_20h_2 @ sp+0x28
var int64_t var_30h @ sp+0x30
var int64_t var_30h_2 @ sp+0x38
var int64_t var_40h @ sp+0x40
var int64_t var_40h_2 @ sp+0x48
var int64_t var_0h_2 @ sp+0x50
var int64_t var_0h_3 @ sp+0x68
var int64_t var_78h @ sp+0x78
var int64_t var_88h @ sp+0x88
var int64_t var_a8h @ sp+0xa8
var int64_t var_0h @ sp+0xf8

trufae commented Mar 19, 2025

The function doesn't start at 0x0040ef6c; see the nop in there. It's skipped because anal.nopskip is set, and therefore the analysis assumes that's not the start of a function. You can also use anal.hasnext=true to improve code coverage, but that's not the case for your binary.

Also, the reason for some non-covered functions is the missing relocs warnings listed at loading time. Would you like to submit a patch adding support for them?

0$ r2 sample/hello_world_stripped
WARN: Unsupported reloc type 1032 for aarch64
WARN: Unsupported reloc type 1032 for aarch64
WARN: Unsupported reloc type 1032 for aarch64
WARN: Unsupported reloc type 1032 for aarch64
WARN: Unsupported reloc type 1032 for aarch64
WARN: Unsupported reloc type 1032 for aarch64
WARN: Unsupported reloc type 1032 for aarch64
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- May the segfault be with you.
[0x00400580]>
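
Added example (not part of the thread and not radare2 code): relocation type 1032 in the warnings above is R_AARCH64_IRELATIVE in the AArch64 ELF ABI, and its addend is the address of an ifunc resolver, so every skipped entry names a function start the analysis never receives. The code below reads raw little-endian Elf64_Rela entries and lists those resolver addresses; the table bytes and all addresses in it are constructed, and the code range is the one from the aav log line earlier on the page.

```python
import struct
from collections import Counter

R_AARCH64_RELATIVE = 1027
R_AARCH64_IRELATIVE = 1032  # ifunc relocation: r_addend is the resolver's address

def parse_rela(blob):
    """Yield (r_offset, r_type, r_sym, r_addend) from little-endian Elf64_Rela entries."""
    if len(blob) % 24:
        raise ValueError("truncated Elf64_Rela table")
    for r_offset, r_info, r_addend in struct.iter_unpack("<QQq", blob):
        # ELF64 packs the symbol index in the high 32 bits, the type in the low 32.
        yield r_offset, r_info & 0xFFFFFFFF, r_info >> 32, r_addend

def type_histogram(blob):
    """Count entries per relocation type, to see which types a loader must support."""
    return Counter(r_type for _off, r_type, _sym, _add in parse_rela(blob))

def ifunc_resolvers(blob, text_lo, text_hi):
    """Resolver addresses from IRELATIVE entries that fall inside the code range."""
    found = set()
    for _off, r_type, _sym, addend in parse_rela(blob):
        # A64 instructions are 4-byte aligned; anything else is not a function start.
        if r_type == R_AARCH64_IRELATIVE and text_lo <= addend < text_hi and addend % 4 == 0:
            found.add(addend)
    return sorted(found)

# Constructed sample table: (r_offset, symbol index, type, addend). Not taken from sample.zip.
SAMPLE = b"".join(
    struct.pack("<QQq", off, (sym << 32) | typ, add)
    for off, sym, typ, add in [
        (0x490000, 0, R_AARCH64_IRELATIVE, 0x4101C0),
        (0x490008, 0, R_AARCH64_IRELATIVE, 0x4105E4),
        (0x490010, 0, R_AARCH64_RELATIVE, 0x47E000),
        (0x490018, 0, R_AARCH64_IRELATIVE, 0x500000),  # outside the code range: rejected
    ]
)

if __name__ == "__main__":
    print(dict(type_histogram(SAMPLE)))
    print([hex(a) for a in ifunc_resolvers(SAMPLE, 0x400000, 0x47F482)])
```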


yomaytk commented Mar 20, 2025

Thanks. However, the instruction at 0x40f4a4 is reached only by the indirect jump blr x2 at address 0x0043a1d8, which seems to be difficult to detect (and there is also no function prologue at all). I have an additional question: can radare2 detect, to some extent, even functions that are reached only by indirect jumps?
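
Added example (not part of the thread and not radare2's implementation): one common static heuristic for functions reached only through indirect branches is to scan data for runs of consecutive pointers into the code range, since function-pointer tables tend to look like that, and treat targets not already known as candidate function starts. The data bytes, the data base address and the list of known starts are constructed; only 0x40f4a4 and the code range come from the page.

```python
import struct

def pointer_tables(data, data_base, text_lo, text_hi, min_run=3):
    """Return [(table_addr, [targets])] for runs of >= min_run aligned code pointers."""
    tables, run, start = [], [], 0
    for i in range(0, len(data) - 7, 8):
        (val,) = struct.unpack_from("<Q", data, i)
        # A plausible A64 function pointer lies in the code range and is 4-byte aligned.
        if text_lo <= val < text_hi and val % 4 == 0:
            if not run:
                start = data_base + i
            run.append(val)
            continue
        # Run ended: isolated pointers are dropped to limit false positives.
        if len(run) >= min_run:
            tables.append((start, run))
        run = []
    if len(run) >= min_run:
        tables.append((start, run))
    return tables

def new_entry_points(tables, known_starts):
    """Table targets that no earlier analysis pass has marked as a function start."""
    known = set(known_starts)
    return sorted({t for _addr, targets in tables for t in targets} - known)

# Constructed data section contents (little-endian 64-bit words), loaded at DATA_BASE.
DATA_BASE = 0x4A0000
DATA = struct.pack(
    "<9Q",
    0, 0x1234,                                # unrelated values
    0x40E100, 0x40E2B0, 0x40F4A4, 0x40F4AC,   # a four-entry function-pointer table
    0,
    0x401000,                                 # lone code pointer: run too short, ignored
    0x6F6C6C6568,                             # string bytes, not a pointer
)
KNOWN = [0x40E100, 0x40E2B0]  # constructed: starts already found via direct calls

if __name__ == "__main__":
    tables = pointer_tables(DATA, DATA_BASE, 0x400000, 0x47F482)
    for addr, targets in tables:
        print(hex(addr), [hex(t) for t in targets])
    print([hex(a) for a in new_entry_points(tables, KNOWN)])
```

Candidates found this way still need validation, for example by disassembling at the target, because any 8-byte value can coincide with a code address.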
