metasm 1.0.0 → 1.0.5

data/{lib/metasm → metasm}/disassemble.rb

@@ -24,6 +24,10 @@ class DecodedInstruction
 	attr_accessor :comment
 	# a cache of the binding used by the backtracker to emulate this instruction
 	attr_accessor :backtrace_binding
+	# used during fixed-size instruction decoding to hold the decoded raw opcode
+	attr_accessor :raw_data
+	# arbitrary data used during decoding, architecture-specific
+	attr_accessor :misc
 
 	# create a new DecodedInstruction with an Instruction whose cpu is the argument
 	# can take an existing Instruction as argument
@@ -60,7 +64,13 @@ class DecodedInstruction
 		ret = []
 		ret << Expression[address] << ' ' if address
 		ret << @instruction
-		ret << ' ; ' << @comment if comment
+		if comment
+			ret << ' ; '
+			@comment.each { |c|
+				ret << c << ' '
+			}
+			ret.pop
+		end
 		ret
 	end
 
@@ -98,11 +108,11 @@ class BacktraceTrace
 	attr_accessor :detached
 	# maxdepth at the point of the object creation
 	attr_accessor :maxdepth
+	# disassembler cpu_context
+	attr_accessor :cpu_context
 
-	def initialize(expr, origin, orig_expr, type, len=nil, maxdepth=nil)
-		@expr, @origin, @orig_expr, @type = expr, origin, orig_expr, type
-		@len = len if len
-		@maxdepth = maxdepth if maxdepth
+	def initialize(expr, origin, orig_expr, type, len=nil, maxdepth=nil, cpu_context=nil)
+		@expr, @origin, @orig_expr, @type, @len, @maxdepth, @cpu_context = expr, origin, orig_expr, type, len, maxdepth, cpu_context
 	end
 
 	def hash ; [origin, expr].hash ; end
@@ -233,14 +243,19 @@ class DecodedFunction
 	attr_accessor :finalized
 	# bool, if true the function does not return (eg exit() or ExitProcess())
 	attr_accessor :noreturn
+	# hash stackoff => varname
+	# varname is a single String object shared by all ExpressionStrings (to allow renames)
+	attr_accessor :localvars
+	# hash stack offset => di address
+	attr_accessor :localvars_xrefs
 
 	# if btbind_callback is defined, calls it with args [dasm, binding, funcaddr, calladdr, expr, origin, maxdepth]
 	# else update lazily the binding from expr.externals, and return backtrace_binding
 	def get_backtrace_binding(dasm, funcaddr, calladdr, expr, origin, maxdepth)
-		if btbind_callback
-			@btbind_callback[dasm, @backtrace_binding, funcaddr, calladdr, expr, origin, maxdepth]
-		elsif backtrace_binding and dest = @backtrace_binding[:thunk] and target = dasm.function[dest]
+		if backtrace_binding and dest = @backtrace_binding[:thunk] and target = dasm.function[dest]
 			target.get_backtrace_binding(dasm, funcaddr, calladdr, expr, origin, maxdepth)
+		elsif btbind_callback
+			@btbind_callback[dasm, @backtrace_binding, funcaddr, calladdr, expr, origin, maxdepth]
 		else
 			unk_regs = expr.externals.grep(Symbol).uniq - @backtrace_binding.keys - [:unknown]
 			dasm.cpu.backtrace_update_function_binding(dasm, funcaddr, self, return_address, *unk_regs) if not unk_regs.empty?
@@ -251,10 +266,10 @@ class DecodedFunction
 	# if btfor_callback is defined, calls it with args [dasm, bt_for, funcaddr, calladdr]
 	# else return backtracked_for
 	def get_backtracked_for(dasm, funcaddr, calladdr)
-		if btfor_callback
-			@btfor_callback[dasm, @backtracked_for, funcaddr, calladdr]
-		elsif backtrace_binding and dest = @backtrace_binding[:thunk] and target = dasm.function[dest]
+		if backtrace_binding and dest = @backtrace_binding[:thunk] and target = dasm.function[dest]
 			target.get_backtracked_for(dasm, funcaddr, calladdr)
+		elsif btfor_callback
+			@btfor_callback[dasm, @backtracked_for, funcaddr, calladdr]
 		else
 			@backtracked_for
 		end
@@ -264,9 +279,30 @@ class DecodedFunction
 		@backtracked_for = []
 		@backtrace_binding = {}
 	end
+
+	def get_localvar_stackoff(off, di=nil, str=nil)
+		if di
+			@localvars_xrefs ||= {}
+			@localvars_xrefs[off] ||= []
+			@localvars_xrefs[off] |= [di.address]
+		end
+		@localvars ||= {}
+		@localvars[off] ||= (str || (off > 0 ? 'arg_%X' % off : 'var_%X' % -off))
+	end
 end
 
 class CPU
+	# decode an instruction with a dasm context
+	# context is a hash, should be modified inplace by the CPU
+	# will be passed to the next instruction(s) in the code flow
+	def decode_instruction_context(dasm, edata, di_addr, context)
+		decode_instruction(edata, di_addr)
+	end
+
+	# return the initial context for the disassembler, starts disassembling from addr
+	def disassemble_init_context(dasm, addr)
+	end
+
 	# return the thing to backtrace to find +value+ before the execution of this instruction
 	# eg backtrace_emu('inc eax', Expression[:eax]) => Expression[:eax + 1]
 	#  (the value of :eax after 'inc eax' is the value of :eax before plus 1)
@@ -275,8 +311,10 @@ class CPU
 		Expression[Expression[value].bind(di.backtrace_binding ||= get_backtrace_binding(di)).reduce]
 	end
 
-	# returns a list of Expressions/Integer to backtrace to find an execution target
+	# return the list of jump targets for insturctions modifying the control flow
 	def get_xrefs_x(dasm, di)
+		return [] if not di.opcode.props[:setip]
+		[symbolic(di.instruction.args.last, di)]
 	end
 
 	# returns a list of [type, address, len]
@@ -319,7 +357,7 @@ class CPU
 	def replace_instr_arg_immediate(i, old, new)
 		i.args.map! { |a|
 			case a
-			when Expression; Expression[a.bind(old => new).reduce]
+			when Expression; a == old ? new : Expression[a.bind(old => new).reduce]
 			else a
 			end
 		}
@@ -377,6 +415,8 @@ class Disassembler
 	attr_accessor :disassemble_maxblocklength
 	# a cparser that parsed some C header files, prototypes are converted to DecodedFunction when jumped to
 	attr_accessor :c_parser
+	# if false, disassembler skips internal functions with a prototype defined in a C header (eg static libraries)
+	attr_accessor :disassemble_known_functions
 	# hash address => array of strings
 	# default dasm dump will only show comments at beginning of code blocks
 	attr_accessor :comment
@@ -399,6 +439,8 @@ class Disassembler
 	attr_accessor :callback_finished
 	# pointer to the gui widget we're displayed in
 	attr_accessor :gui
+	# arbitrary data stored by other objects
+	attr_accessor :misc
 
 	@@backtrace_maxblocks = 50
 
@@ -433,12 +475,14 @@ class Disassembler
 	# adds a section, updates prog_binding
 	# base addr is an Integer or a String (label name for offset 0)
 	def add_section(encoded, base)
-		encoded, base = base, encoded if base.kind_of? EncodedData
+		encoded, base = base, encoded if base.kind_of?(EncodedData)
 		case base
 		when ::Integer
 		when ::String
 			raise "invalid section base #{base.inspect} - not at section start" if encoded.export[base] and encoded.export[base] != 0
-			raise "invalid section base #{base.inspect} - already seen at #{@prog_binding[base]}" if @prog_binding[base] and @prog_binding[base] != Expression[base]
+			if ed = get_edata_at(base)
+				ed.del_export(base)
+			end
 			encoded.add_export base, 0
 		else raise "invalid section base #{base.inspect} - expected string or integer"
 		end
@@ -451,7 +495,7 @@ class Disassembler
 
 		# update section_edata.reloc
 		# label -> list of relocs that refers to it
-		@inv_section_reloc = {}
+		@inv_section_reloc ||= {}
 		@sections.each { |b, e|
 			e.reloc.each { |o, r|
 				r.target.externals.grep(::String).each { |ext| (@inv_section_reloc[ext] ||= []) << [b, e, o, r] }
@@ -470,7 +514,7 @@ class Disassembler
 		end
 	end
 
-	# yields each xref to a given address, optionnaly restricted to a type
+	# yields each xref to a given address, optionaly restricted to a type
 	def each_xref(addr, type=nil)
 		addr = normalize addr
 
@@ -485,14 +529,16 @@ class Disassembler
 
 		# add pseudo-xrefs for exe relocs
 		if (not type or type == :reloc) and l = get_label_at(addr) and a = @inv_section_reloc[l]
+			x_more = []
 			a.each { |b, e, o, r|
 				addr = Expression[b]+o
 				# ignore relocs embedded in an already-listed instr
-				x << Xref.new(:reloc, addr) if not x.find { |x_|
+				x_more << Xref.new(:reloc, addr) if not x.find { |x_|
 					next if not x_.origin or not di_at(x_.origin)
-					(addr - x_.origin rescue 50) < @decoded[x_.origin].bin_length
+					(addr - x_.origin) < @decoded[x_.origin].bin_length rescue false
 				}
 			}
+			x.concat x_more
 		end
 
 		x.each { |x_| yield x_ }
@@ -505,16 +551,24 @@ class Disassembler
 
 	# parses a C string for function prototypes
 	def parse_c(str, filename=nil, lineno=1)
+		@c_parser_constcache = nil
 		@c_parser ||= @cpu.new_cparser
 		@c_parser.lexer.define_weak('__METASM__DECODE__')
 		@c_parser.parse(str, filename, lineno)
+	rescue ParseError
+		@c_parser.lexer.feed! ''
+		raise
+	end
+
+	# list the constants ([name, integer value]) defined in the C code (#define / enums)
+	def c_constants
+		@c_parser_constcache ||= @c_parser.numeric_constants
 	end
 
 	# returns the canonical form of addr (absolute address integer or label of start of section + section offset)
 	def normalize(addr)
 		return addr if not addr or addr == :default
-		addr = Expression[addr].bind(@old_prog_binding).reduce if not addr.kind_of? Integer
-		addr %= 1 << [@cpu.size, 32].max if @cpu and addr.kind_of? Integer
+		addr = Expression[addr].bind(@old_prog_binding).reduce if not addr.kind_of?(Integer)
 		addr
 	end
 
@@ -523,18 +577,18 @@ class Disassembler
 	def get_section_at(addr, memcheck=true)
 		case addr = normalize(addr)
 		when ::Integer
-			if s =  @sections.find { |b, e| b.kind_of? ::Integer and addr >= b and addr < b + e.length } ||
-				@sections.find { |b, e| b.kind_of? ::Integer and addr == b + e.length }		# end label
+			if s =  @sections.find { |b, e| b.kind_of?(::Integer) and addr >= b and addr < b + e.length } ||
+				@sections.find { |b, e| b.kind_of?(::Integer) and addr == b + e.length }		# end label
 				s[1].ptr = addr - s[0]
 				return if memcheck and s[1].data.respond_to?(:page_invalid?) and s[1].data.page_invalid?(s[1].ptr)
 				[s[1], s[0]]
 			end
 		when Expression
-			if addr.op == :+ and addr.rexpr.kind_of? ::Integer and addr.rexpr >= 0 and addr.lexpr.kind_of? ::String and e = @sections[addr.lexpr]
+			if addr.op == :+ and addr.rexpr.kind_of?(::Integer) and addr.rexpr >= 0 and addr.lexpr.kind_of?(::String) and e = @sections[addr.lexpr]
 				e.ptr = addr.rexpr
 				return if memcheck and e.data.respond_to?(:page_invalid?) and e.data.page_invalid?(e.ptr)
 				[e, Expression[addr.lexpr]]
-			elsif addr.op == :+ and addr.rexpr.kind_of? ::String and not addr.lexpr and e = @sections[addr.rexpr]
+			elsif addr.op == :+ and addr.rexpr.kind_of?(::String) and not addr.lexpr and e = @sections[addr.rexpr]
 				e.ptr = 0
 				return if memcheck and e.data.respond_to?(:page_invalid?) and e.data.page_invalid?(e.ptr)
 				[e, addr.rexpr]
@@ -551,12 +605,14 @@ class Disassembler
 		return if addrstr !~ /^\w+$/
 		e, b = get_section_at(addr)
 		if not e
-			l = Expression[addr].reduce_rec if Expression[addr].reduce_rec.kind_of? ::String
-			l ||= addrstr if addr.kind_of? Expression and addr.externals.grep(::Symbol).empty?
+			l = Expression[addr].reduce_rec if Expression[addr].reduce_rec.kind_of?(::String)
+			l ||= addrstr if addr.kind_of?(Expression) and addr.externals.grep(::Symbol).empty?
 		elsif not l = e.inv_export[e.ptr]
 			l = @program.new_label(addrstr)
 			e.add_export l, e.ptr
-			@label_alias_cache = nil
+			if @label_alias_cache ||= nil
+				(@label_alias_cache[b + e.ptr] ||= []) << l
+			end
 			@old_prog_binding[l] = @prog_binding[l] = b + e.ptr
 		elsif rewritepfx.find { |p| base != p and addrstr.sub(base, p) == l }
 			newl = addrstr
@@ -568,6 +624,7 @@ class Disassembler
 	end
 
 	# returns a hash associating addr => list of labels at this addr
+	# label_alias[a] may be nil if a new label is created elsewhere in the edata with the same name
 	def label_alias
 		if not @label_alias_cache
 			@label_alias_cache = {}
@@ -597,19 +654,24 @@ class Disassembler
 			return false
 		elsif @addrs_todo.empty?
 			ep = entrypoints.shift
-			l = auto_label_at(normalize(ep), 'entrypoint')
+			cpu_context = get_initial_cpu_context(ep)
+			l = auto_label_at(normalize(ep), 'entrypoint') || normalize(ep)
 			puts "start disassemble from #{l} (#{entrypoints.length})" if $VERBOSE and not entrypoints.empty?
 			@entrypoints << l
-			@addrs_todo << [ep]
+			@addrs_todo << { :addr => ep, :cpu_context => cpu_context }
 		else
 			disassemble_step
 		end
 		true
 	end
 
+	def get_initial_cpu_context(addr)
+		@cpu.disassemble_init_context(self, addr)
+	end
+
 	def post_disassemble
 		@decoded.each_value { |di|
-			next if not di.kind_of? DecodedInstruction
+			next if not di.kind_of?(DecodedInstruction)
 			next if not di.opcode or not di.opcode.props[:saveip]
 			if not di.block.to_subfuncret
 				di.add_comment 'noreturn'
@@ -622,17 +684,16 @@ class Disassembler
 			if not f.finalized
 				f.finalized = true
 puts "  finalize subfunc #{Expression[addr]}" if debug_backtrace
-				@cpu.backtrace_update_function_binding(self, addr, f, f.return_address)
+				backtrace_update_function_binding(addr, f)
 				if not f.return_address
 					detect_function_thunk(addr)
 				end
 			end
-			@comment[addr] ||= []
 			bd = f.backtrace_binding.reject { |k, v| Expression[k] == Expression[v] or Expression[v] == Expression::Unknown }
 			unk = f.backtrace_binding.map { |k, v| k if v == Expression::Unknown }.compact
 			bd[unk.map { |u| Expression[u].to_s }.sort.join(',')] = Expression::Unknown if not unk.empty?
-			@comment[addr] |= ["function binding: " + bd.map { |k, v| "#{k} -> #{v}" }.sort.join(', ')]
-			@comment[addr] |= ["function ends at " + f.return_address.map { |ra| Expression[ra] }.join(', ')] if f.return_address
+			add_comment(addr, "function binding: " + bd.map { |k, v| "#{k} -> #{v}" }.sort.join(', '))
+			add_comment(addr, "function ends at " + f.return_address.map { |ra| Expression[ra] }.join(', ')) if f.return_address
 		}
 	end
 
@@ -640,25 +701,26 @@ puts "  finalize subfunc #{Expression[addr]}" if debug_backtrace
 	# adds next addresses to handle to addrs_todo
 	# if @function[:default] exists, jumps to unknows locations are interpreted as to @function[:default]
 	def disassemble_step
-		return if not todo = @addrs_todo.pop or @addrs_done.include? todo
-		@addrs_done << todo if todo[1]
+		return if not x = @addrs_todo.pop or @addrs_done.include?(x)
+		@addrs_done << x if x[:from]
 
-		# from_sfret is true if from is the address of a function call that returns to addr
-		addr, from, from_subfuncret = todo
+		addr = x[:addr]
+		from = x[:from]
+		# from_subfuncret is true if from is the address of a function call that returns to addr
 
 		return if from == Expression::Unknown
 
-		puts "disassemble_step #{Expression[addr]} #{Expression[from] if from} #{from_subfuncret}  (/#{@addrs_todo.length})" if $DEBUG
+		puts "disassemble_step #{Expression[addr]} #{Expression[from] if from} #{x[:from_subfuncret]}  (/#{@addrs_todo.length})" if $DEBUG
 
 		addr = normalize(addr)
 
-		if from and from_subfuncret and di_at(from)
+		if from and x[:from_subfuncret] and di_at(from)
 			@decoded[from].block.each_to_normal { |subfunc|
 				subfunc = normalize(subfunc)
 				next if not f = @function[subfunc] or f.finalized
 				f.finalized = true
 puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
-				@cpu.backtrace_update_function_binding(self, subfunc, f, f.return_address)
+				backtrace_update_function_binding(subfunc, f)
 				if not f.return_address
 					detect_function_thunk(subfunc)
 				end
@@ -666,27 +728,36 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		end
 
 		if di = @decoded[addr]
-			if di.kind_of? DecodedInstruction
-				split_block(di.block, di.address) if not di.block_head?	# this updates di.block
-				di.block.add_from(from, from_subfuncret ? :subfuncret : :normal) if from and from != :default
+			if di.kind_of?(DecodedInstruction)
+				split_block(di.block, di.address, true) if not di.block_head?	# this updates di.block
+				di.block.add_from(from, x[:from_subfuncret] ? :subfuncret : :normal) if from and from != :default
 				bf = di.block
 			elsif di == true
 				bf = @function[addr]
 			end
-		elsif bf = @function[addr]
+		elsif from and bf = @function[addr]
 			detect_function_thunk_noreturn(from) if bf.noreturn
 		elsif s = get_section_at(addr)
-			block = InstructionBlock.new(normalize(addr), s[0])
-			block.add_from(from, from_subfuncret ? :subfuncret : :normal) if from and from != :default
-			disassemble_block(block)
-		elsif from and c_parser and name = Expression[addr].reduce_rec and name.kind_of? ::String and
-				s = c_parser.toplevel.symbol[name] and s.type.untypedef.kind_of? C::Function
-			bf = @function[addr] = @cpu.decode_c_function_prototype(@c_parser, s)
+			if from and c_parser and not disassemble_known_functions and name = get_all_labels_at(addr).find { |n|
+					cs = c_parser.toplevel.symbol[n] and cs.type.untypedef.kind_of?(C::Function) }
+				# do not disassemble internal function for which we have a prototype (eg static library)
+				puts "found known function #{name} at #{Expression[addr]}" if $VERBOSE
+				bf = @function[addr] = @cpu.decode_c_function_prototype(@c_parser, c_parser.toplevel.symbol[name])
+				detect_function_thunk_noreturn(from) if bf.noreturn
+			else
+				block = InstructionBlock.new(normalize(addr), s[0])
+				block.add_from(from, x[:from_subfuncret] ? :subfuncret : :normal) if from and from != :default
+				disassemble_block(block, x[:cpu_context])
+			end
+		elsif from and c_parser and name = Expression[addr].reduce_rec and name.kind_of?(::String) and
+				cs = c_parser.toplevel.symbol[name] and cs.type.untypedef.kind_of?(C::Function)
+			# use C header prototype for external functions if available
+			bf = @function[addr] = @cpu.decode_c_function_prototype(@c_parser, cs)
 			detect_function_thunk_noreturn(from) if bf.noreturn
-		elsif from
+		elsif from and not @function[addr]
 			if bf = @function[:default]
 				puts "using default function for #{Expression[addr]} from #{Expression[from]}" if $DEBUG
-				if name = Expression[addr].reduce_rec and name.kind_of? ::String
+				if name = Expression[addr].reduce_rec and name.kind_of?(::String)
 					@function[addr] = @function[:default].dup
 				else
 					addr = :default
@@ -706,7 +777,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		end
 
 		if bf and from and from != :default
-			if bf.kind_of? DecodedFunction
+			if bf.kind_of?(DecodedFunction)
 				bff = bf.get_backtracked_for(self, addr, from)
 			else
 				bff = bf.backtracked_for
@@ -714,37 +785,39 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		end
 		bff.each { |btt|
 			next if btt.address
-			if @decoded[from].kind_of? DecodedInstruction and @decoded[from].opcode.props[:saveip] and not from_subfuncret and not @function[addr]
-				backtrace_check_found(btt.expr, @decoded[addr], btt.origin, btt.type, btt.len, btt.maxdepth, btt.detached)
+			if @decoded[from].kind_of?(DecodedInstruction) and @decoded[from].opcode.props[:saveip] and not x[:from_subfuncret] and not @function[addr]
+				backtrace_check_found(btt.expr, @decoded[addr], btt.origin, btt.type, btt.len, btt.maxdepth, btt.detached, btt.cpu_context)
 			end
 			next if backtrace_check_funcret(btt, addr, from)
 			backtrace(btt.expr, from,
-				  :include_start => true, :from_subfuncret => from_subfuncret,
+				  :include_start => true, :from_subfuncret => x[:from_subfuncret],
 				  :origin => btt.origin, :orig_expr => btt.orig_expr, :type => btt.type,
-				  :len => btt.len, :detached => btt.detached, :maxdepth => btt.maxdepth)
+				  :len => btt.len, :detached => btt.detached, :maxdepth => btt.maxdepth, :cpu_context => btt.cpu_context)
 		} if bff
 	end
 
 	# splits an InstructionBlock, updates the blocks backtracked_for
-	def split_block(block, address=nil)
+	def split_block(block, address=nil, rebacktrace=false)
 		if not address	# invoked as split_block(0x401012)
-			return if not @decoded[block].kind_of? DecodedInstruction
+			return if not @decoded[block].kind_of?(DecodedInstruction)
 			block, address = @decoded[block].block, block
 		end
 		return block if address == block.address
 		new_b = block.split address
-		new_b.backtracked_for.dup.each { |btt|
-			backtrace(btt.expr, btt.address,
-				  :only_upto => block.list.last.address,
-				  :include_start => !btt.exclude_instr, :from_subfuncret => btt.from_subfuncret,
-				  :origin => btt.origin, :orig_expr => btt.orig_expr, :type => btt.type, :len => btt.len,
-				  :detached => btt.detached, :maxdepth => btt.maxdepth)
-		}
+		if rebacktrace
+			new_b.backtracked_for.dup.each { |btt|
+				backtrace(btt.expr, btt.address,
+					  :only_upto => block.list.last.address,
+					  :include_start => !btt.exclude_instr, :from_subfuncret => btt.from_subfuncret,
+					  :origin => btt.origin, :orig_expr => btt.orig_expr, :type => btt.type, :len => btt.len,
+					  :detached => btt.detached, :maxdepth => btt.maxdepth, :cpu_context => btt.cpu_context)
+			}
+		end
 		new_b
 	end
 
 	# disassembles a new instruction block at block.address (must be normalized)
-	def disassemble_block(block)
+	def disassemble_block(block, cpu_context)
 		raise if not block.list.empty?
 		di_addr = block.address
 		delay_slot = nil
@@ -763,8 +836,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 				each_xref(waddr, :w) { |x|
 					#next if off + x.len < 0
 					puts "W: disasm: self-modifying code at #{Expression[waddr]}" if $VERBOSE
-					@comment[di_addr] ||= []
-					@comment[di_addr] |= ["overwritten by #{@decoded[x.origin]}"]
+					add_comment(di_addr, "overwritten by #{@decoded[x.origin]}")
 					@callback_selfmodifying[di_addr] if callback_selfmodifying
 					return
 				}
@@ -773,9 +845,11 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 
 			# decode instruction
 			block.edata.ptr = di_addr - block.address + block.edata_ptr
-			if not di = @cpu.decode_instruction(block.edata, di_addr)
+			cpu_context = cpu_context.dup if cpu_context
+			if not di = @cpu.decode_instruction_context(self, block.edata, di_addr, cpu_context)
 				ed = block.edata
-				puts "#{ed.ptr >= ed.length ? "end of section reached" : "unknown instruction #{ed.data[di_addr-block.address+block.edata_ptr, 4].to_s.unpack('H*')}"} at #{Expression[di_addr]}" if $VERBOSE
+				break if ed.ptr >= ed.length and get_section_at(di_addr) and di = block.list.last
+				puts "#{ed.ptr >= ed.length ? "end of section reached" : "unknown instruction #{ed.data[di_addr-block.address+block.edata_ptr, 4].to_s.unpack('H*').first}"} at #{Expression[di_addr]}" if $VERBOSE
 				return
 			end
 
@@ -783,7 +857,18 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			block.add_di di
 			puts di if $DEBUG
 
-			di = @callback_newinstr[di] if callback_newinstr
+			if callback_newinstr
+				ndi = @callback_newinstr[di]
+				if not ndi or not ndi.block
+					block.list.delete di
+					if ndi
+						block.add_di ndi
+						ndi.bin_length = di.bin_length if ndi.bin_length == 0
+						@decoded[di_addr] = ndi
+					end
+				end
+				di = ndi
+			end
 			return if not di
 			block = di.block
 
@@ -793,7 +878,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 
 			if not di_addr or di.opcode.props[:stopexec] or not @program.get_xrefs_x(self, di).empty?
 				# do not backtrace until delay slot is finished (eg MIPS: di is a
-			       	#  ret and the delay slot holds stack fixup needed to calc func_binding)
+				#  ret and the delay slot holds stack fixup needed to calc func_binding)
 				# XXX if the delay slot is also xref_x or :stopexec it is ignored
 				delay_slot ||= [di, @cpu.delay_slot(di)]
 			end
@@ -801,18 +886,23 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			if delay_slot
 				di, delay = delay_slot
 				if delay == 0 or not di_addr
-					backtrace_xrefs_di_x(di)
+					backtrace_xrefs_di_x(di, cpu_context)
 					if di.opcode.props[:stopexec] or not di_addr; return
 					else break
 					end
 				end
 				delay_slot[1] = delay - 1
 			end
+
+			if block.edata.inv_export[di_addr - block.address + block.edata_ptr]
+				# ensure there is a block split if we have a label defined
+				break
+			end
 		}
 
 		ar = [di_addr]
 		ar = @callback_newaddr[block.list.last.address, ar] || ar if callback_newaddr
-		ar.each { |di_addr_| backtrace(di_addr_, di.address, :origin => di.address, :type => :x) }
+		ar.each { |di_addr_| backtrace(di_addr_, di.address, :origin => di.address, :type => :x, :cpu_context => cpu_context) }
 
 		block
 	end
@@ -834,51 +924,60 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		@entrypoints ||= []
 		@entrypoints |= entrypoints
 
-		entrypoints.each { |ep| do_disassemble_fast_deep(normalize(ep)) }
+		entrypoints.each { |ep| do_disassemble_fast_deep(:addr => normalize(ep)) }
+
+		@callback_finished[] if callback_finished
 	end
 
 	def do_disassemble_fast_deep(ep)
 		disassemble_fast(ep) { |fa, di|
-			fa = normalize(fa)
-			do_disassemble_fast_deep(fa)
-			if di and ndi = di_at(fa)
-				ndi.block.add_from_normal(di.address)
-			end
+			do_disassemble_fast_deep(:addr => normalize(fa), :from => di.address)
 		}
 	end
 
 	# disassembles fast from a list of entrypoints
 	# see disassemble_fast_step
 	def disassemble_fast(entrypoint, maxdepth=-1, &b)
-		ep = [entrypoint]
-		until ep.empty?
-			disassemble_fast_step(ep, &b)
+		td = entrypoint
+		td = { :addr => entrypoint } unless td.kind_of?(::Hash)
+		td[:cpu_context] ||= get_initial_cpu_context(td[:addr])
+		todo = [td]
+		until todo.empty?
+			disassemble_fast_step(todo, &b)
 			maxdepth -= 1
-			ep.delete_if { |a| not @decoded[normalize(a[0])] } if maxdepth == 0
+			todo.delete_if { |a| not @decoded[normalize(a[:addr])] } if maxdepth == 0
 		end
-		check_noreturn_function(entrypoint)
+		check_noreturn_function(td[:addr])
 	end
 
 	# disassembles one block from the ary, see disassemble_fast_block
 	def disassemble_fast_step(todo, &b)
 		return if not x = todo.pop
-		addr, from, from_subfuncret = x
 
-		addr = normalize(addr)
+		addr = normalize(x[:addr])
 
 		if di = @decoded[addr]
-			if di.kind_of? DecodedInstruction
+			if di.kind_of?(DecodedInstruction)
 				split_block(di.block, di.address) if not di.block_head?
-				di.block.add_from(from, from_subfuncret ? :subfuncret : :normal) if from and from != :default
+				di.block.add_from(x[:from], x[:from_subfuncret] ? :subfuncret : :normal) if x[:from] and x[:from] != :default
 			end
+		elsif @function[addr] and x[:from]
 		elsif s = get_section_at(addr)
-			block = InstructionBlock.new(normalize(addr), s[0])
-			block.add_from(from, from_subfuncret ? :subfuncret : :normal) if from and from != :default
-			todo.concat disassemble_fast_block(block, &b)
-		elsif name = Expression[addr].reduce_rec and name.kind_of? ::String and not @function[addr]
-			if c_parser and s = c_parser.toplevel.symbol[name] and s.type.untypedef.kind_of? C::Function
-				@function[addr] = @cpu.decode_c_function_prototype(@c_parser, s)
-				detect_function_thunk_noreturn(from) if @function[addr].noreturn
+			if x[:from] and c_parser and not disassemble_known_functions and name = get_all_labels_at(addr).find { |n|
+					cs = c_parser.toplevel.symbol[n] and cs.type.untypedef.kind_of?(C::Function) }
+				# do not disassemble internal function for which we have a prototype (eg static library)
+				puts "found known function #{name} at #{Expression[addr]}" if $VERBOSE
+				@function[addr] = @cpu.decode_c_function_prototype(@c_parser, c_parser.toplevel.symbol[name])
+				detect_function_thunk_noreturn(x[:from]) if @function[addr].noreturn
+			else
+				block = InstructionBlock.new(addr, s[0])
+				block.add_from(x[:from], x[:from_subfuncret] ? :subfuncret : :normal) if x[:from] and x[:from] != :default
+				todo.concat disassemble_fast_block(block, x[:cpu_context], &b)
+			end
+		elsif name = Expression[addr].reduce_rec and name.kind_of?(::String) and not @function[addr]
+			if c_parser and cs = c_parser.toplevel.symbol[name] and cs.type.untypedef.kind_of?(C::Function)
+				@function[addr] = @cpu.decode_c_function_prototype(@c_parser, cs)
+				detect_function_thunk_noreturn(x[:from]) if @function[addr].noreturn
 			elsif @function[:default]
 				@function[addr] = @function[:default].dup
 			end
@@ -889,15 +988,14 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 
 	# check if an addr has an xref :x from a :saveip, if so mark as Function
 	def disassemble_fast_checkfunc(addr)
-		if @decoded[addr].kind_of? DecodedInstruction and not @function[addr]
+		if @decoded[addr].kind_of?(DecodedInstruction) and not @function[addr]
 			func = false
 			each_xref(addr, :x) { |x_|
 				func = true if odi = di_at(x_.origin) and odi.opcode.props[:saveip]
 			}
 			if func
 				auto_label_at(addr, 'sub', 'loc', 'xref')
-				# XXX use default_btbind_callback ?
-				@function[addr] = DecodedFunction.new
+				@function[addr] = (@function[:default] || DecodedFunction.new).dup
 				@function[addr].finalized = true
 				detect_function_thunk(addr)
 				puts "found new function #{get_label_at(addr)} at #{Expression[addr]}" if $VERBOSE
@@ -909,11 +1007,11 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	# does not recurse into subfunctions
 	# assumes all :saveip returns, except those pointing to a subfunc with noreturn
 	# yields subfunction addresses (targets of :saveip)
-	# only backtrace for :x with maxdepth 1 (ie handles only basic push+ret)
+	# no backtrace for :x (change with backtrace_maxblocks_fast)
 	# returns a todo-style ary
 	# assumes @addrs_todo is empty
-	def disassemble_fast_block(block, &b)
-		block = InstructionBlock.new(normalize(block), get_section_at(block)[0]) if not block.kind_of? InstructionBlock
+	def disassemble_fast_block(block, cpu_context, &b)
+		block = InstructionBlock.new(normalize(block), get_section_at(block)[0]) if not block.kind_of?(InstructionBlock)
 		di_addr = block.address
 		delay_slot = nil
 		di = nil
@@ -926,7 +1024,9 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 
 			# decode instruction
 			block.edata.ptr = di_addr - block.address + block.edata_ptr
-			if not di = @cpu.decode_instruction(block.edata, di_addr)
+			cpu_context = cpu_context.dup if cpu_context
+			if not di = @cpu.decode_instruction_context(self, block.edata, di_addr, cpu_context)
+				break if block.edata.ptr >= block.edata.length and get_section_at(di_addr) and di = block.list.last
 				return ret
 			end
 
@@ -934,7 +1034,18 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			block.add_di di
 			puts di if $DEBUG
 
-			di = @callback_newinstr[di] if callback_newinstr
+			if callback_newinstr
+				ndi = @callback_newinstr[di]
+				if not ndi or not ndi.block
+					block.list.delete di
+					if ndi
+						block.add_di ndi
+						ndi.bin_length = di.bin_length if ndi.bin_length == 0
+						@decoded[di_addr] = ndi
+					end
+				end
+				di = ndi
+			end
 			return ret if not di
 
 			di_addr = di.next_addr
@@ -942,13 +1053,15 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			if di.opcode.props[:stopexec] or di.opcode.props[:setip]
 				if di.opcode.props[:setip]
 					@addrs_todo = []
-					@program.get_xrefs_x(self, di).each { |expr|
-						backtrace(expr, di.address, :origin => di.address, :type => :x, :maxdepth => @backtrace_maxblocks_fast)
+					ar = @program.get_xrefs_x(self, di)
+					ar = @callback_newaddr[di.address, ar] || ar if callback_newaddr
+					ar.each { |expr|
+						backtrace(expr, di.address, :origin => di.address, :type => :x, :maxdepth => @backtrace_maxblocks_fast, :cpu_context => cpu_context)
 					}
 				end
 				if di.opcode.props[:saveip]
 					@addrs_todo = []
-					ret.concat disassemble_fast_block_subfunc(di, &b)
+					ret.concat disassemble_fast_block_subfunc(di, cpu_context, &b)
 				else
 					ret.concat @addrs_todo
 					@addrs_todo = []
@@ -965,12 +1078,17 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			end
 		}
 
-		di.block.add_to_normal(di_addr)
-		ret << [di_addr, di.address]
+		ar = [di_addr]
+		ar = @callback_newaddr[block.list.last.address, ar] || ar if callback_newaddr
+		ar.each { |a|
+			di.block.add_to_normal(a)
+			ret << { :addr => a, :from => di.address, :cpu_context => cpu_context }
+		}
+		ret
 	end
 
 	# handles when disassemble_fast encounters a call to a subfunction
-	def disassemble_fast_block_subfunc(di)
+	def disassemble_fast_block_subfunc(di, cpu_context)
 		funcs = di.block.to_normal.to_a
 		do_ret = funcs.empty?
 		ret = []
@@ -983,10 +1101,10 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 				# this includes retaddr unless f is noreturn
 				bf.each { |btt|
 					next if btt.type != :x
-					bt = backtrace(btt.expr, di.address, :include_start => true, :origin => btt.origin, :maxdepth => [@backtrace_maxblocks_fast, 1].max)
+					bt = backtrace(btt.expr, di.address, :include_start => true, :origin => btt.origin, :maxdepth => [@backtrace_maxblocks_fast, 1].max, :cpu_context => cpu_context)
 					if btt.detached
-						ret.concat bt	# callback argument
-					elsif bt.find { |a| normalize(a) == na }
+						ret.concat bt.map { |a| { :addr => a } }	# callback argument
+					elsif not f.noreturn and bt.find { |a| normalize(a) == na }
 						do_ret = true
 					end
 				}
@@ -996,9 +1114,10 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		}
 		if do_ret
 			di.block.add_to_subfuncret(na)
-			ret << [na, di.address, true]
+			ret << { :addr => na, :from => di.address, :from_subfuncret => true, :cpu_context => cpu_context }
 			di.block.add_to_normal :default if not di.block.to_normal and @function[:default]
 		end
+		di.add_comment 'noreturn' if ret.empty?
 		ret
 	end
 
@@ -1021,10 +1140,10 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	end
 
 	# trace xrefs for execution
-	def backtrace_xrefs_di_x(di)
+	def backtrace_xrefs_di_x(di, cpu_context)
 		ar = @program.get_xrefs_x(self, di)
 		ar = @callback_newaddr[di.address, ar] || ar if callback_newaddr
-		ar.each { |expr| backtrace(expr, di.address, :origin => di.address, :type => :x) }
+		ar.each { |expr| backtrace(expr, di.address, :origin => di.address, :type => :x, :cpu_context => cpu_context) }
 	end
 
 	# checks if the function starting at funcaddr is an external function thunk (eg jmp [SomeExtFunc])
@@ -1032,12 +1151,12 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	#  which must not have return_addresses
 	# returns the new thunk name if it was changed
 	def detect_function_thunk(funcaddr)
-		# check thunk linearity (no conditionnal branch etc)
+		# check thunk linearity (no conditional branch etc)
 		addr = funcaddr
 		count = 0
 		while b = block_at(addr)
 			count += 1
-			return if count > 5 or b.list.length > 4
+			return if count > 5 or b.list.length > 5
 			if b.to_subfuncret and not b.to_subfuncret.empty?
 				return if b.to_subfuncret.length != 1
 				addr = normalize(b.to_subfuncret.first)
@@ -1047,7 +1166,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 				return if not btb = sf.backtrace_binding
 				btb = btb.dup
 				btb.delete_if { |k, v| Expression[k] == Expression[v] }
-			       	return if btb.length > 2 or btb.values.include? Expression::Unknown
+				return if btb.length > 2 or btb.values.include? Expression::Unknown
 			else
 				return if not bt = b.to_normal
 				if bt.include? :default
@@ -1065,7 +1184,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			f.backtrace_binding = { :thunk => addr }
 			f.noreturn = true if @function[addr] and @function[addr].noreturn
 		end
-		return if not fname.kind_of? ::String
+		return if not fname.kind_of?(::String)
 		l = auto_label_at(funcaddr, 'sub', 'loc')
 		return if l[0, 4] != 'sub_'
 		puts "found thunk for #{fname} at #{Expression[funcaddr]}" if $DEBUG
@@ -1103,14 +1222,14 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	# should only be called with fa = target of a call
 	def check_noreturn_function(fa)
 		fb = function_blocks(fa, false, false)
+		return if fb.empty?
 		lasts = fb.keys.find_all { |k| fb[k] == [] }
-		return if lasts.empty?
 		if lasts.all? { |la|
 			b = block_at(la)
 			next if not di = b.list.last
 			(di.opcode.props[:saveip] and b.to_normal.to_a.all? { |tfa|
 				tf = function_at(tfa) and tf.noreturn
-			}) or (di.opcode.props[:stopexec] and not di.opcode.props[:setip])
+			}) or (di.opcode.props[:stopexec] and not (di.opcode.props[:setip] or not get_xrefs_x(di).empty?))
 		}
 			# yay
 			@function[fa] ||= DecodedFunction.new
@@ -1165,7 +1284,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	#  (defaults to dasm.backtrace_maxblocks, which defaults do Dasm.backtrace_maxblocks)
 	def backtrace_walk(obj, addr, include_start, from_subfuncret, stopaddr, maxdepth)
 		start_addr = normalize(addr)
-		stopaddr = [stopaddr] if stopaddr and not stopaddr.kind_of? ::Array
+		stopaddr = [stopaddr] if stopaddr and not stopaddr.kind_of?(::Array)
 
 		# array of [obj, addr, from_subfuncret, loopdetect]
 		# loopdetect is an array of [obj, addr, from_type] of each end of block encountered
@@ -1192,7 +1311,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 					next if f_type == :indirect
 					hadsomething = true
 					o_f_addr = f_addr
-					f_addr = @decoded[f_addr].block.list.last.address if @decoded[f_addr].kind_of? DecodedInstruction	# delay slot
+					f_addr = @decoded[f_addr].block.list.last.address if @decoded[f_addr].kind_of?(DecodedInstruction)	# delay slot
 					if l = w_loopdetect.find { |l_obj, l_addr, l_type| l_addr == f_addr and l_type == f_type }
 						f_obj = yield(:loop, w_obj, :looptrace => w_loopdetect[w_loopdetect.index(l)..-1], :loopdetect => w_loopdetect)
 						if f_obj and f_obj != w_obj	# should avoid infinite loops
@@ -1206,7 +1325,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 					f_loopdetect ||= w_loopdetect
 					# only count non-trivial paths in loopdetect (ignore linear links)
 					add_detect = [[f_obj, f_addr, f_type]]
-					add_detect = [] if @decoded[f_addr].kind_of? DecodedInstruction and tmp = @decoded[f_addr].block and
+					add_detect = [] if @decoded[f_addr].kind_of?(DecodedInstruction) and tmp = @decoded[f_addr].block and
 							((w_di.block.from_subfuncret.to_a == [] and w_di.block.from_normal == [f_addr] and
 							 tmp.to_normal == [w_di.address] and tmp.to_subfuncret.to_a == []) or
 							(w_di.block.from_subfuncret == [f_addr] and tmp.to_subfuncret == [w_di.address]))
@@ -1219,7 +1338,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 				each_xref(w_addr, :x) { |x|
 					f_addr = x.origin
 					o_f_addr = f_addr
-					f_addr = @decoded[f_addr].block.list.last.address if @decoded[f_addr].kind_of? DecodedInstruction	# delay slot
+					f_addr = @decoded[f_addr].block.list.last.address if @decoded[f_addr].kind_of?(DecodedInstruction)	# delay slot
 					if l = w_loopdetect.find { |l_obj, l_addr, l_type| l_addr == w_addr }
 						f_obj = yield(:loop, w_obj, :looptrace => w_loopdetect[w_loopdetect.index(l)..-1], :loopdetect => w_loopdetect)
 						if f_obj and f_obj != w_obj
@@ -1291,6 +1410,88 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		end
 	end
 
+	# iterates over all instructions of a function from a given entrypoint
+	# carries an object while walking, the object is yielded every instruction
+	# every block is walked only once, after all previous blocks are done (if possible)
+	# on a 'jz', a [:clone] event is yielded for every path beside the first
+	# on a juction (eg a -> b -> d, a -> c -> d), a [:merge] event occurs if froms have different objs
+	# event list:
+	#  [:di, <addr>, <decoded_instruction>, <object>]
+	#  [:clone, <newaddr>, <oldaddr>, <object>]
+	#  [:merge, <newaddr>, {<oldaddr1> => <object1>, <oldaddr2> => <object2>, ...}, <object1>]
+	#  [:subfunc, <subfunc_addr>, <call_addr>, <object>]
+	# all events should return an object
+	# :merge has a copy of object1 at the end so that uninterested callers can always return args[-1]
+	# if an event returns false, the trace stops for the current branch
+	def function_walk(addr_start, obj_start)
+		# addresses of instrs already seen => obj
+		done = {}
+		todo = [[addr_start, obj_start]]
+
+		while hop = todo.pop
+			addr, obj = hop
+			next if done.has_key?(done)
+
+			di = di_at(addr)
+			next if not di
+
+			if done.empty?
+				dilist = di.block.list[di.block.list.index(di)..-1]
+			else
+				# new block, check all 'from' have been seen
+				if not hop[2]
+					# may retry later
+					all_ok = true
+					di.block.each_from_samefunc(self) { |fa| all_ok = false unless done.has_key?(fa) }
+					if not all_ok
+						todo.unshift([addr, obj, true])
+						next
+					end
+				end
+
+				froms = {}
+				di.block.each_from_samefunc(self) { |fa| froms[fa] = done[fa] if done[fa] }
+				if froms.values.uniq.length > 1
+					obj = yield([:merge, addr, froms, froms.values.first])
+					next if obj == false
+				end
+
+				dilist = di.block.list
+			end
+
+			if dilist.each { |_di|
+					break if done.has_key?(_di.address)	# looped back into addr_start
+					done[_di.address] = obj
+					obj = yield([:di, _di.address, _di, obj])
+					break if obj == false	# also return false for the previous 'if'
+				}
+
+				from = dilist.last.address
+
+				if di.block.to_normal and di.block.to_normal[0] and
+						di.block.to_subfuncret and di.block.to_subfuncret[0]
+					# current instruction block calls into a subfunction
+					obj = di.block.to_normal.map { |subf|
+						yield([:subfunc, subf, from, obj])
+					}.first		# propagate 1st subfunc result
+					next if obj == false
+				end
+
+				wantclone = false
+				di.block.each_to_samefunc(self) { |ta|
+					if wantclone
+						nobj = yield([:clone, ta, from, obj])
+						next if obj == false
+						todo << [ta, nobj]
+					else
+						todo << [ta, obj]
+						wantclone = true
+					end
+				}
+			end
+		end
+	end
+
 	# holds a backtrace result until a snapshot_addr is encountered
 	class StoppedExpr
 		attr_accessor :exprs
@@ -1320,6 +1521,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	#  :only_upto => backtrace only to update bt_for for current block & previous ending at only_upto
 	#  :no_check => don't use backtrace_check_found (will not backtrace indirection static values)
 	#  :terminals => array of symbols with constant value (stop backtracking if all symbols in the expr are terminals) (only supported with no_check)
+	#  :cpu_context => disassembler cpu_context
 	def backtrace(expr, start_addr, nargs={})
 		include_start   = nargs.delete :include_start
 		from_subfuncret = nargs.delete :from_subfuncret
@@ -1336,6 +1538,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 		only_upto       = nargs.delete :only_upto
 		no_check        = nargs.delete :no_check
 		terminals       = nargs.delete(:terminals) || []
+		cpu_context	= nargs.delete :cpu_context
 		raise ArgumentError, "invalid argument to backtrace #{nargs.keys.inspect}" if not nargs.empty?
 
 		expr = Expression[expr]
@@ -1356,7 +1559,7 @@ puts "  not backtracking stack address #{expr}" if debug_backtrace
 		end
 
 		if vals = (no_check ? (!need_backtrace(expr, terminals) and [expr]) : backtrace_check_found(expr,
-				di, origin, type, len, maxdepth, detached))
+				di, origin, type, len, maxdepth, detached, cpu_context, snapshot_addr))
 			# no need to update backtracked_for
 			return vals
 		elsif maxdepth <= 0
@@ -1365,7 +1568,7 @@ puts "  not backtracking stack address #{expr}" if debug_backtrace
 
 		# create initial backtracked_for
 		if type and origin == start_addr and di
-			btt = BacktraceTrace.new(expr, origin, origexpr, type, len, maxdepth-1)
+			btt = BacktraceTrace.new(expr, origin, origexpr, type, len, maxdepth-1, cpu_context)
 			btt.address = di.address
 			btt.exclude_instr = true if not include_start
 			btt.from_subfuncret = true if from_subfuncret and include_start
@@ -1386,9 +1589,9 @@ puts "backtracking #{type} #{expr} from #{di || Expression[start_addr || 0]} for
 			when :unknown_addr, :maxdepth
 puts "  backtrace end #{ev} #{expr}" if debug_backtrace
 				result |= [expr] if not snapshot_addr
-				@addrs_todo << [expr, (detached ? nil : origin)] if not snapshot_addr and type == :x and origin
+				@addrs_todo << { :addr => expr, :from => (detached ? nil : origin), :cpu_context => cpu_context } if not snapshot_addr and type == :x and origin
 			when :end
-				if not expr.kind_of? StoppedExpr
+				if not expr.kind_of?(StoppedExpr)
 					oldexpr = expr
 					expr = backtrace_emu_blockup(h[:addr], expr)
 puts "  backtrace up #{Expression[h[:addr]]}  #{oldexpr}#{" => #{expr}" if expr != oldexpr}" if debug_backtrace
@@ -1396,7 +1599,7 @@ puts "  backtrace up #{Expression[h[:addr]]}  #{oldexpr}#{" => #{expr}" if expr
 					if expr != oldexpr and not snapshot_addr and vals = (no_check ?
 							(!need_backtrace(expr, terminals) and [expr]) :
 							backtrace_check_found(expr, nil, origin, type, len,
-								maxdepth-h[:loopdetect].length, detached))
+								maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr))
 						result |= vals
 						next
 					end
@@ -1405,14 +1608,14 @@ puts "  backtrace end #{ev} #{expr}" if debug_backtrace
 				if not snapshot_addr
 					result |= [expr]
 
-					btt = BacktraceTrace.new(expr, origin, origexpr, type, len, maxdepth-h[:loopdetect].length-1)
+					btt = BacktraceTrace.new(expr, origin, origexpr, type, len, maxdepth-h[:loopdetect].length-1, cpu_context)
 					btt.detached = true if detached
 					@decoded[h[:addr]].block.backtracked_for |= [btt] if @decoded[h[:addr]]
 					@function[h[:addr]].backtracked_for |= [btt] if @function[h[:addr]] and h[:addr] != :default
-					@addrs_todo << [expr, (detached ? nil : origin)] if type == :x and origin
+					@addrs_todo << { :addr => expr, :from => (detached ? nil : origin), :cpu_context => cpu_context } if type == :x and origin
 				end
 			when :stopaddr
-				if not expr.kind_of? StoppedExpr
+				if not expr.kind_of?(StoppedExpr)
 					oldexpr = expr
 					expr = backtrace_emu_blockup(h[:addr], expr)
 puts "  backtrace up #{Expression[h[:addr]]}  #{oldexpr}#{" => #{expr}" if expr != oldexpr}" if debug_backtrace
@@ -1421,15 +1624,16 @@ puts "  backtrace up #{Expression[h[:addr]]}  #{oldexpr}#{" => #{expr}" if expr
 puts "  backtrace end #{ev} #{expr}" if debug_backtrace
 				result |= ((expr.kind_of?(StoppedExpr)) ? expr.exprs : [expr])
 			when :loop
-				next false if expr.kind_of? StoppedExpr
+				next false if expr.kind_of?(StoppedExpr)
 				t = h[:looptrace]
 				oldexpr = t[0][0]
 				next false if expr == oldexpr		# unmodifying loop
 puts "  bt loop at #{Expression[t[0][1]]}: #{oldexpr} => #{expr} (#{t.map { |z| Expression[z[1]] }.join(' <- ')})" if debug_backtrace
+				bt_log << [:loop, expr, oldexpr, t.map { |z| z[1] }] if bt_log
 				false
 			when :up
 				next false if only_upto and h[:to] != only_upto
-				next expr if expr.kind_of? StoppedExpr
+				next expr if expr.kind_of?(StoppedExpr)
 				oldexpr = expr
 				expr = backtrace_emu_blockup(h[:from], expr)
 puts "  backtrace up #{Expression[h[:from]]}->#{Expression[h[:to]]}  #{oldexpr}#{" => #{expr}" if expr != oldexpr}" if debug_backtrace
@@ -1437,7 +1641,7 @@ puts "  backtrace up #{Expression[h[:from]]}->#{Expression[h[:to]]}  #{oldexpr}#
 
 				if expr != oldexpr and vals = (no_check ? (!need_backtrace(expr, terminals) and [expr]) :
 						backtrace_check_found(expr, @decoded[h[:from]], origin, type, len,
-							maxdepth-h[:loopdetect].length, detached))
+							maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr))
 					if snapshot_addr
 						expr = StoppedExpr.new vals
 						next expr
@@ -1459,7 +1663,7 @@ puts "  backtrace up #{Expression[h[:from]]}->#{Expression[h[:to]]}  #{oldexpr}#
 						end
 					}
 
-					btt = BacktraceTrace.new(expr, origin, origexpr, type, len, maxdepth-h[:loopdetect].length-1)
+					btt = BacktraceTrace.new(expr, origin, origexpr, type, len, maxdepth-h[:loopdetect].length-1, cpu_context)
 					btt.detached = true if detached
 					if x = di_at(h[:from])
 						update_btf[x.block.backtracked_for, btt]
@@ -1483,7 +1687,7 @@ puts "   already backtraced" if debug_backtrace
 				end
 				expr
 			when :di, :func
-				next if expr.kind_of? StoppedExpr
+				next if expr.kind_of?(StoppedExpr)
 				if not snapshot_addr and @cpu.backtrace_is_stack_address(expr)
 puts "  not backtracking stack address #{expr}" if debug_backtrace
 					next false
@@ -1498,7 +1702,7 @@ oldexpr = expr
 				when :func
 					expr = backtrace_emu_subfunc(h[:func], h[:funcaddr], h[:addr], expr, origin, maxdepth-h[:loopdetect].length)
 					if snapshot_addr and snapshot_addr == h[:funcaddr]
-						# XXX recursiveness detection needs to be fixed						
+						# XXX recursiveness detection needs to be fixed
 puts "  backtrace: recursive function #{Expression[h[:funcaddr]]}" if debug_backtrace
 						next false
 					end
@@ -1506,7 +1710,7 @@ puts "  backtrace: recursive function #{Expression[h[:funcaddr]]}" if debug_back
 				end
 puts "  backtrace #{h[:di] || Expression[h[:funcaddr]]}  #{oldexpr} => #{expr}" if debug_backtrace and expr != oldexpr
 				if vals = (no_check ? (!need_backtrace(expr, terminals) and [expr]) : backtrace_check_found(expr,
-						h[:di], origin, type, len, maxdepth-h[:loopdetect].length, detached))
+						h[:di], origin, type, len, maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr))
 					if snapshot_addr
 						expr = StoppedExpr.new vals
 					else
@@ -1538,7 +1742,7 @@ puts '  backtrace result: ' + result.map { |r| Expression[r] }.join(', ') if deb
 				not need_backtrace(retaddr)
 puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if debug_backtrace
 			di.block.add_to_subfuncret normalize(retaddr)
-			if @decoded[funcaddr].kind_of? DecodedInstruction
+			if @decoded[funcaddr].kind_of?(DecodedInstruction)
 				# check that all callers :saveip returns (eg recursive call that was resolved
 				# before we found funcaddr was a function)
 				@decoded[funcaddr].block.each_from_normal { |fm|
@@ -1556,17 +1760,17 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 				todo = []
 				di.block.each_to_normal { |t| todo << normalize(t) }
 				while a = todo.pop
-					next if faddrlist.include? a or not get_section_at(a)
+					next if faddrlist.include?(a) or not get_section_at(a)
 					faddrlist << a
-					if @decoded[a].kind_of? DecodedInstruction
+					if @decoded[a].kind_of?(DecodedInstruction)
 						@decoded[a].block.each_to_samefunc(self) { |t| todo << normalize(t) }
 					end
 				end
 
-				idx = @addrs_todo.index(@addrs_todo.find { |r, i, sfr| faddrlist.include? normalize(r) }) || -1
-				@addrs_todo.insert(idx, [retaddr, instraddr, true])
+				idx = @addrs_todo.index(@addrs_todo.find { |aa| faddrlist.include? normalize(aa[:addr]) }) || -1
+				@addrs_todo.insert(idx, { :addr => retaddr, :from => instraddr, :from_subfuncret => true, :cpu_context => btt.cpu_context })
 			else
-				@addrs_todo << [retaddr, instraddr, true]
+				@addrs_todo << { :addr => retaddr, :from => instraddr, :from_subfuncret => true, :cpu_context => btt.cpu_context }
 			end
 			true
 		end
@@ -1588,10 +1792,14 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 		(ab = @address_binding[addr]) ? Expression[expr.bind(ab).reduce] : expr
 	end
 
+	def backtrace_update_function_binding(addr, func=@function[addr], retaddrs=func.return_address)
+		@cpu.backtrace_update_function_binding(self, addr, func, retaddrs)
+	end
+
 	# static resolution of indirections
 	def resolve(expr)
 		binding = Expression[expr].expr_indirections.inject(@old_prog_binding) { |binding_, ind|
-			e, b = get_section_at(resolve(ind.target))
+			e = get_edata_at(resolve(ind.target))
 			return expr if not e
 			binding_.merge ind => Expression[ e.decode_imm("u#{8*ind.len}".to_sym, @cpu.endianness) ]
 		}
@@ -1601,7 +1809,7 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 	# returns true if the expression needs more backtrace
 	# it checks for the presence of a symbol (not :unknown), which means it depends on some register value
 	def need_backtrace(expr, terminals=[])
-		return if expr.kind_of? ::Integer
+		return if expr.kind_of?(::Integer)
 		!(expr.externals.grep(::Symbol) - [:unknown] - terminals).empty?
 	end
 
@@ -1619,7 +1827,7 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 	# TODO trace expr evolution through backtrace, to modify immediates to an expr involving label names
 	# TODO mov [ptr], imm ; <...> ; jmp [ptr] => rename imm as loc_XX
 	#  eg. mov eax, 42 ; add eax, 4 ; jmp eax  =>  mov eax, some_label-4
-	def backtrace_check_found(expr, di, origin, type, len, maxdepth, detached)
+	def backtrace_check_found(expr, di, origin, type, len, maxdepth, detached, cpu_context, snapshot_addr=nil)
 		# only entrypoints or block starts called by a :saveip are checked for being a function
 		# want to execute [esp] from a block start
 		if type == :x and di and di == di.block.list.first and @cpu.backtrace_is_function_return(expr, @decoded[origin]) and (
@@ -1649,16 +1857,19 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 		end
 
 		return if need_backtrace(expr)
+		if snapshot_addr
+			return if expr.expr_externals(true).find { |ee| ee.kind_of?(Indirection) }
+		end
 
 puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expression[origin] if origin}" if debug_backtrace
 		result = backtrace_value(expr, maxdepth)
 		# keep the ori pointer in the results to emulate volatile memory (eg decompiler prefers this)
-		result << expr if not type
+		#result << expr if not type	# XXX returning multiple values for nothing is too confusing, TODO fix decompiler
 		result.uniq!
 
 		# create xrefs/labels
 		result.each { |e|
-			backtrace_found_result(e, di, type, origin, len, detached)
+			backtrace_found_result(e, di, type, origin, len, detached, cpu_context)
 		} if type and origin
 
 		result
@@ -1695,7 +1906,7 @@ puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expr
 		ret = []
 
 		decode_imm = lambda { |addr, len|
-			edata, foo = get_section_at(addr)
+			edata = get_edata_at(addr)
 			if edata
 				Expression[ edata.decode_imm("u#{8*len}".to_sym, @cpu.endianness) ]
 			else
@@ -1787,7 +1998,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 	end
 
 	# creates xrefs, updates addrs_todo, updates instr args
-	def backtrace_found_result(expr, di, type, origin, len, detached)
+	def backtrace_found_result(expr, di, type, origin, len, detached, cpu_context)
 		n = normalize(expr)
 		fallthrough = true if type == :x and o = di_at(origin) and not o.opcode.props[:stopexec] and n == o.block.list.last.next_addr	# delay_slot
 		add_xref(n, Xref.new(type, origin, len)) if origin != :default and origin != Expression::Unknown and not fallthrough
@@ -1803,7 +2014,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 		# TODO trace expression evolution to allow handling of
 		#  mov eax, 28 ; add eax, 4 ; jmp eax
 		#  => mov eax, (loc_xx-4)
-		if di and not unk # and di.address == origin
+		if di and not unk and expr != n # and di.address == origin
 			@cpu.replace_instr_arg_immediate(di.instruction, expr, n)
 		end
 		if @decoded[origin] and not unk
@@ -1846,22 +2057,26 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 			else
 				@decoded[origin].block.add_to_normal(normalize(n)) if @decoded[origin] and not unk
 			end
-			@addrs_todo << [n, origin]
+			@addrs_todo << { :addr => n, :from => origin, :cpu_context => cpu_context }
 		end
 	end
 
+	def inspect
+		"<Metasm::Disassembler @%x>" % object_id
+	end
+
 	def to_s
 		a = ''
 		dump { |l| a << l << "\n" }
 		a
 	end
 
-	# dumps the source, optionnally including data
+	# dumps the source, optionally including data
 	# yields (defaults puts) each line
 	def dump(dump_data=true, &b)
 		b ||= lambda { |l| puts l }
 		@sections.sort_by { |addr, edata| addr.kind_of?(::Integer) ? addr : 0 }.each { |addr, edata|
-			addr = Expression[addr] if addr.kind_of? ::String
+			addr = Expression[addr] if addr.kind_of?(::String)
 			blockoffs = @decoded.values.grep(DecodedInstruction).map { |di| Expression[di.block.address, :-, addr].reduce if di.block_head? }.grep(::Integer).sort.reject { |o| o < 0 or o >= edata.length }
 			b[@program.dump_section_header(addr, edata)]
 			if not dump_data and edata.length > 16*1024 and blockoffs.empty?
@@ -1876,7 +2091,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 					di = @decoded[addr+unk_off]
 					if unk_off != di.block.edata_ptr
 						b["\n// ------ overlap (#{unk_off-di.block.edata_ptr}) ------"]
-					elsif di.block.from_normal.kind_of? ::Array
+					elsif di.block.from_normal.kind_of?(::Array)
 						b["\n"]
 					end
 					dump_block(di.block, &b)
@@ -1916,12 +2131,12 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 		if not xr.empty?
 			b["\n// Xrefs: #{xr[0, 8].join(' ')}#{' ...' if xr.length > 8}"]
 		end
-		if block.edata.inv_export[block.edata_ptr]
+		if block.edata.inv_export[block.edata_ptr] and label_alias[block.address]
 			b["\n"] if xr.empty?
 			label_alias[block.address].each { |name| b["#{name}:"] }
 		end
 		if c = @comment[block.address]
-			c = c.join("\n") if c.kind_of? ::Array
+			c = c.join("\n") if c.kind_of?(::Array)
 			c.each_line { |l| b["// #{l}"] }
 		end
 	end
@@ -1933,8 +2148,8 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 	# TODO array-style data access
 	def dump_data(addr, edata, off, &b)
 		b ||= lambda { |l| puts l }
-		if l = edata.inv_export[off]
-			l_list = label_alias[addr].to_a.sort
+		if l = edata.inv_export[off] and label_alias[addr]
+			l_list = label_alias[addr].sort
 			l = l_list.pop || l
 			l_list.each { |ll|
 				b["#{ll}:"]
@@ -1966,11 +2181,11 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 			dups = edata.virtsize - off
 			@prog_binding.each_value { |a|
 				tmp = Expression[a, :-, addr].reduce
-				dups = tmp if tmp.kind_of? ::Integer and tmp > 0 and tmp < dups
+				dups = tmp if tmp.kind_of?(::Integer) and tmp > 0 and tmp < dups
 			}
 			@xrefs.each_key { |a|
 				tmp = Expression[a, :-, addr].reduce
-				dups = tmp if tmp.kind_of? ::Integer and tmp > 0 and tmp < dups
+				dups = tmp if tmp.kind_of?(::Integer) and tmp > 0 and tmp < dups
 			}
 			dups /= elemlen
 			dups = 1 if dups < 1
@@ -2016,7 +2231,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 			if (elemlen == 1 or elemlen == 2)
 				case value
 				when 0x20..0x7e, 0x0a, 0x0d
-					if vals_.last.kind_of? ::String; vals_.last << value ; vals_
+					if vals_.last.kind_of?(::String); vals_.last << value ; vals_
 					else vals_ << value.chr
 					end
 				else vals_ << value
@@ -2026,7 +2241,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 		}
 
 		vals.map! { |value|
-			if value.kind_of? ::String
+			if value.kind_of?(::String)
 				if value.length > 2 # or value == vals.first or value == vals.last # if there is no xref, don't care
 					value.inspect
 				else