metasm 1.0.2 → 1.0.3

data/metasm/cpu/mcs51/opcodes.rb

@@ -0,0 +1,120 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2015-2016 Google
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm/cpu/mcs51/main'
+
+module Metasm
+
+class MCS51
+	def addop(name, bin, *args)
+		o = Opcode.new name, bin
+		args.each { |a|
+			o.args << a if @fields_mask[a] or @valid_args[a]
+			o.fields[a] = @fields_shift[a] if @fields_mask[a]
+			raise "unknown #{a.inspect}" unless @valid_args[a] or @fields_mask[a]
+		}
+		@opcode_list << o
+	end
+
+	def init_mcs51
+		@opcode_list = []
+		@valid_args.update [:rd, :r_a, :r_b, :r_c, :d8, :rel8, :m8,
+		                    :addr_11, :addr_16].inject({}) { |h, v| h.update v => true }
+		@fields_mask.update :rd => 15, :addr_11 => 7
+		@fields_shift.update :rd => 0, :addr_11 => 5
+
+		addop 'nop',   0x00
+		addop 'ret',   0x22
+		addop 'reti',  0x32
+		addop 'swap',  0xc4, :r_a
+		addop '???',   0xa5
+		addop 'rr',    0x03, :r_a
+		addop 'rrc',   0x13, :r_a
+		addop 'rl',    0x23, :r_a
+		addop 'rlc',   0x33, :r_a
+
+		addop 'jc',    0x40, :rel8
+		addop 'jnc',   0x50, :rel8
+		addop 'jz',    0x60, :rel8
+		addop 'jnz',   0x70, :rel8
+		addop 'sjmp',  0x80, :rel8
+
+		addop 'div',   0x84, :r_a, :r_b
+		addop 'mul',   0xa4, :r_a, :r_b
+
+		addop 'push',  0xc0, :m8
+		addop 'pop',   0xd0, :m8
+
+		addop 'clr',   0xc3, :r_c
+		addop 'clr',   0xe4, :r_a
+		addop 'cpl',   0xb3, :r_c
+		addop 'cpl',   0xf4, :r_a
+		addop 'da',    0xd4
+
+		addop 'ajmp',  0x01, :addr_11
+		addop 'acall', 0x11, :addr_11
+		addop 'ljmp',  0x02, :addr_16
+		addop 'lcall', 0x12, :addr_16
+
+		addop 'inc',   0x04, :r_a
+		addop 'inc',   0x05, :m8
+		addop 'inc',   0x00, :rd
+
+		addop 'dec',   0x14, :r_a
+		addop 'dec',   0x15, :m8
+		addop 'dec',   0x10, :rd
+
+		addop 'add',   0x24, :r_a, :d8
+		addop 'add',   0x25, :r_a, :m8
+		addop 'add',   0x20, :r_a, :rd
+
+		addop 'addc',  0x34, :r_a, :d8
+		addop 'addc',  0x35, :r_a, :m8
+		addop 'addc',  0x30, :r_a, :rd
+
+		addop 'orl',   0x42, :m8, :r_a
+		addop 'orl',   0x43, :m8, :d8
+		addop 'orl',   0x44, :r_a, :d8
+		addop 'orl',   0x45, :r_a, :m8
+		addop 'orl',   0x40, :r_a, :rd
+
+		addop 'anl',   0x52, :m8, :r_a
+		addop 'anl',   0x53, :m8, :d8
+		addop 'anl',   0x54, :r_a, :d8
+		addop 'anl',   0x55, :r_a, :m8
+		addop 'anl',   0x50, :r_a, :rd
+
+		addop 'xrl',   0x62, :m8, :r_a
+		addop 'xrl',   0x63, :m8, :d8
+		addop 'xrl',   0x64, :r_a, :d8
+		addop 'xrl',   0x65, :r_a, :m8
+		addop 'xrl',   0x60, :r_a, :rd
+
+		addop 'mov',   0x74, :r_a, :d8
+		addop 'mov',   0x75, :m8, :d8
+		addop 'mov',   0x70, :rd, :d8
+		addop 'mov',   0xa0, :rd, :m8
+		addop 'mov',   0x85, :m8, :m8
+		addop 'mov',   0x80, :m8, :rd
+		addop 'mov',   0xe0, :r_a, :rd
+		addop 'mov',   0xf0, :rd, :r_a
+
+		addop 'subb',  0x94, :r_a, :d8
+		addop 'subb',  0x95, :r_a, :m8
+		addop 'subb',  0x90, :r_a, :rd
+
+		addop 'cnje',  0xb4, :r_a, :d8, :rel8
+		addop 'cnje',  0xb5, :r_a, :m8, :rel8
+		addop 'cnje',  0xb0, :rd, :d8, :rel8
+
+		addop 'xch',   0xc5, :r_a, :m8
+		addop 'xch',   0xc0, :r_a, :rd
+
+		addop 'djnz',  0xd5, :m8, :rel8
+		addop 'djnz',  0xd0, :rd, :rel8
+
+	end
+end
+end

data/metasm/cpu/mips/decode.rb

@@ -149,11 +149,12 @@ class MIPS
 			when 'and', 'andi'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :&, a2] } }
 			when 'or', 'ori';   lambda { |di, a0, a1, a2|   { a0 => Expression[a1, :|, a2] } }
 			when 'nor'; lambda { |di, a0, a1, a2| { a0 => Expression[:~, [a1, :|, a2]] } }
+			when 'not'; lambda { |di, a0, a1| { a0 => Expression[:~, a1] } }
 			when 'xor'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :^, a2] } }
 			when 'sll', 'sllv'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :>>, a2] } }
 			when 'srl', 'srlv', 'sra', 'srav'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :<<, a2] } }	# XXX sign-extend
-			when 'lw';        lambda { |di, a0, a1| { a0 => Expression[a1] } }
-			when 'sw';        lambda { |di, a0, a1| { a1 => Expression[a0] } }
+			when 'lw', 'lwl', 'lwr'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'sw', 'swl', 'swr'; lambda { |di, a0, a1| { a1 => Expression[a0] } }
 			when 'lh', 'lhu'; lambda { |di, a0, a1| { a0 => Expression[a1] } }	# XXX sign-extend
 			when 'sh';        lambda { |di, a0, a1| { a1 => Expression[a0] } }
 			when 'lb', 'lbu'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
@@ -161,8 +162,8 @@ class MIPS
 			when /^slti?u?/;  lambda { |di, a0, a1, a2| { a0 => Expression[a1, :<, a2] } }	# XXX signedness
 			when 'mfhi'; lambda { |di, a0| { a0 => Expression[:hi] } }
 			when 'mflo'; lambda { |di, a0| { a0 => Expression[:lo] } }
-			when 'mult'; lambda { |di, a0, a1| { :hi => Expression[[a0, :*, a1], :>>, 32], :lo => Expression[[a0, :*, a1], :&, 0xffff_ffff] } }
-			when 'div';  lambda { |di, a0, a1| { :hi => Expression[a0, :%, a1], :lo => Expression[a0, :/, a1] } }
+			when 'mult', 'multu'; lambda { |di, a0, a1| { :hi => Expression[[a0, :*, a1], :>>, 32], :lo => Expression[[a0, :*, a1], :&, 0xffff_ffff] } }
+			when 'div', 'divu';  lambda { |di, a0, a1| { :hi => Expression[a0, :%, a1], :lo => Expression[a0, :/, a1] } }
 			when 'jal', 'jalr'; lambda { |di, a0| { :$ra => Expression[Expression[di.address, :+, 2*di.bin_length].reduce] } }
 			when 'li', 'mov'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
 			when 'syscall'; lambda { |di, *a| { :$v0 => Expression::Unknown } }

data/metasm/cpu/st20.rb

@@ -0,0 +1,9 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/main'
+require 'metasm/cpu/st20/decode'
+require 'metasm/cpu/st20/decompile'

data/metasm/cpu/st20/decode.rb

@@ -0,0 +1,180 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/st20/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class ST20
+	# decodes the instruction at edata.ptr, mapped at virtual address off
+	def decode_instruction(edata, addr)
+		return if edata.ptr >= edata.length
+		di = DecodedInstruction.new self
+		di.address = addr
+		di = decode_instr_op(edata, di)
+		decode_instr_interpret(di, addr)
+	end
+
+	def decode_instr_op(edata, di, pfx=0)
+		# decode one byte from the bitstream, recurse if the byte is a prefix
+
+		if edata.ptr >= edata.length or di.bin_length >= 4
+			di.instruction.args << Expression[pfx]
+			return di
+		end
+
+		# bytestream structure :
+		# sequence of prefixes, which build a word 4 bits at a time
+		# last element = function code
+		# 'opr' is a special function, means use the prefix word as an opcode number from 'operate'
+		byte = edata.read(1).unpack('C')[0]
+		fcode = byte & 0xf0
+		arg   = byte & 0x0f
+		pfx = (pfx << 4) | arg
+		di.opcode = @opcode_list[fcode >> 4]
+		di.instruction.opname = di.opcode.name
+		di.bin_length += 1
+
+		case di.instruction.opname
+		when 'pfix'
+			return decode_instr_op(edata, di, pfx)
+
+		when 'nfix'
+			pfx ^= -1
+			di.instruction.opname = 'pfix'	# will be displayed on EOS, and we cannot represent the whole decoded pfx with 'nfix'
+			return decode_instr_op(edata, di, pfx)
+
+		when 'opr'
+			if op = @op_operate[pfx]
+				# operands have no arg (they work on the implicit 3-register stack A B C)
+				di.instruction.opname = op
+				di.opcode = @opc_operate[op] || di.opcode
+			else
+				# unknown operand, keep the generic form
+				di.instruction.args << Expression[pfx]
+			end
+		else
+			di.instruction.args << Expression[pfx]
+		end
+
+		di
+	end
+
+	def decode_instr_interpret(di, addr)
+		case di.instruction.opname
+		when 'j', 'cj', 'fcall'
+			delta = di.instruction.args.last.reduce
+			arg = Expression[[addr, :+, di.bin_length], :+, delta].reduce
+			di.instruction.args[-1] = Expression[arg]
+		end
+
+		di
+	end
+
+	def get_backtrace_binding(di)
+		arg = di.instruction.args[0]
+		sz = @size/8
+		unk = Expression::Unknown
+		case di.instruction.opname
+		when 'j'; {}
+		when 'ldlp';  { :a => Expression[:wspace, :+, [sz, :*, arg]], :b => :a, :c => :b }
+		when 'ldnl';  { :a => Indirection[[:a, :+, [sz, :*, arg]], sz, di] }
+		when 'ldc';   { :a => arg, :b => :a, :c => :b }
+		when 'ldnlp'; { :a => Expression[:a, :+, [sz, :*, arg]] }
+		when 'ldl';   { :a => Indirection[[:wspace, :+, [sz, :*, arg]], sz, di], :b => :a, :c => :b }
+		when 'adc';   { :a => Expression[:a, :+, arg] }
+		when 'fcall'; {
+			:a => Expression[di.next_addr],
+			:wspace => Expression[:wspace, :-, [4*sz]],
+			Indirection[[:wspace, :-, [4*sz]], sz, di] => di.next_addr,
+			Indirection[[:wspace, :-, [3*sz]], sz, di] => :a,
+			Indirection[[:wspace, :-, [2*sz]], sz, di] => :b,
+			Indirection[[:wspace, :-, [1*sz]], sz, di] => :c,
+		}
+		# cj+(:a != 0) => a=b, b=c, c=unk ; (:a == 0) => jump, a=a, b=b, c=c
+		when 'cj';   { :a => unk, :b => unk, :c => unk }
+		when 'ajw';  { :wspace => Expression[:wspace, :+, [4, :*, arg]] }
+		when 'eqc';  { :a => Expression[:a, :==, arg] }
+		when 'stl';  { Indirection[[:wspace, :+, [sz, :*, arg]], sz, di] => :a, :a => :b, :b => :c, :c => unk }
+		when 'stnl'; { Indirection[[:a, :+, [sz, :*, arg]], sz, di] => :b, :a => :c, :b => unk, :c => unk }
+
+		when 'add';  { :a => Expression[:b, :+, :a], :b => :c, :c => unk }
+		when 'sub';  { :a => Expression[:b, :-, :a], :b => :c, :c => unk }
+		when 'prod'; { :a => Expression[:b, :*, :a], :b => :c, :c => unk }
+		when 'xor';  { :a => Expression[:b, :^, :a], :b => :c, :c => unk }
+		when 'ldpi'; { :a => Indirection[[di.next_addr, :+, :a], sz, di] }
+		when 'mint'; { :a => Expression[-1 << (@size-1)], :b => :a, :c => :b }
+		when 'in';   { :a => unk, :b => unk, :c => unk }	# read a bytes from channel b at buffer c
+		when 'out';  { :a => unk, :b => unk, :c => unk }	# write a bytes to channel b from buffer c
+		when 'lb';   { :a => Indirection[:a, 1, di] }
+		when 'sb';   { Indirection[:a, 1, di] => Expression[:b, :&, 0xff], :a => :c, :b => unk, :c => unk }
+		when 'bsub'; { :a => Expression[:a, :+, :b], :b => :c, :c => unk }
+		when 'ssub'; { :a => Expression[:a, :+, [2, :*, :b]], :b => :c, :c => unk }
+		when 'wsub'; { :a => Expression[:a, :+, [sz, :*, :b]], :b => :c, :c => unk }
+		when 'gajw'; { :wspace => Expression[:a], :a => Expression[:wspace] }
+		when 'dup';  { :b => :a, :c => :b }
+		else
+			puts "unhandled instruction to backtrace: #{di}" if $VERBOSE
+			{ :incomplete_binding => Expression[1], :a => unk, :b => unk, :c => unk }
+		end
+	end
+
+	def get_xrefs_x(dasm, di)
+		return [] if not di.opcode.props[:setip]
+
+		case di.opcode.basename
+		when 'j', 'cj'
+			[Expression[di.instruction.args.first]]
+		#when 'ret'
+			#[Indirection[:sp, 2, di.address]]
+		else
+			[]
+		end
+	end
+
+	# checks if expr is a valid return expression matching the :saveip instruction
+	def backtrace_is_function_return(expr, di=nil)
+		expr = Expression[expr].reduce_rec
+		expr.kind_of?(Indirection) and expr.len == 2 and expr.target == Expression[:sp]
+	end
+
+	# updates the function backtrace_binding
+	def backtrace_update_function_binding(dasm, faddr, f, retaddrlist, *wantregs)
+		b = f.backtrace_binding
+
+		bt_val = lambda { |r|
+			next if not retaddrlist
+			b[r] = Expression::Unknown
+			bt = []
+			retaddrlist.each { |retaddr|
+				bt |= dasm.backtrace(Expression[r], retaddr, :include_start => true,
+					     :snapshot_addr => faddr, :origin => retaddr)
+			}
+			if bt.length != 1
+				b[r] = Expression::Unknown
+			else
+				b[r] = bt.first
+			end
+		}
+
+		wantregs.each(&bt_val)
+
+		b
+	end
+
+	# returns true if the expression is an address on the stack
+	def backtrace_is_stack_address(expr)
+		Expression[expr].expr_externals.include?(:sp)
+	end
+
+	# updates an instruction's argument replacing an expression with another (eg label renamed)
+	def replace_instr_arg_immediate(i, old, new)
+		i.args.map! { |a|
+			a == old ? new : Expression[a.bind(old => new).reduce]
+		}
+	end
+end
+end

data/metasm/cpu/st20/decompile.rb

@@ -0,0 +1,283 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/st20/main'
+
+module Metasm
+class ST20
+	# temporarily setup dasm.address_binding so that backtracking
+	# stack-related offsets resolve in :frameptr (relative to func start)
+	def decompile_makestackvars(dasm, funcstart, blocks)
+		oldfuncbd = dasm.address_binding[funcstart]
+		dasm.address_binding[funcstart] = { :wspace => :frameptr }
+		blocks.each { |block| yield block }
+		dasm.address_binding[funcstart] = oldfuncbd
+	end
+
+	# add di-specific registry written/accessed
+	def decompile_func_finddeps_di(dcmp, func, di, a, w)
+		case di.instruction.opname
+		when 'ret'
+			a << :a if not func.type.kind_of? C::BaseType or func.type.type.name != :void	# standard ABI
+		when 'in', 'out'
+			a << :a << :b << :c
+		end
+	end
+
+	# list variable dependency for each block, remove useless writes
+	# returns { blockaddr => [list of vars that are needed by a following block] }
+	def decompile_func_finddeps(dcmp, blocks, func)
+		deps_r = {} ; deps_w = {} ; deps_to = {}
+		deps_subfunc = {}	# things read/written by subfuncs
+
+		# find read/writes by each block
+		blocks.each { |b, to|
+			deps_r[b] = [] ; deps_w[b] = [] ; deps_to[b] = to
+			deps_subfunc[b] = []
+
+			blk = dcmp.dasm.decoded[b].block
+			blk.list.each { |di|
+				a = di.backtrace_binding.values
+				w = []
+				di.backtrace_binding.keys.each { |k|
+					case k
+					when ::Symbol; w |= [k]
+					else a |= Expression[k].externals
+					end
+				}
+				decompile_func_finddeps_di(dcmp, func, di, a, w)
+
+				deps_r[b] |= a.map { |ee| Expression[ee].externals.grep(::Symbol) }.flatten - [:unknown] - deps_w[b]
+				deps_w[b] |= w.map { |ee| Expression[ee].externals.grep(::Symbol) }.flatten - [:unknown]
+			}
+			blk.each_to_normal { |t|
+				t = dcmp.backtrace_target(t, blk.list.last.address)
+				next if not t = dcmp.c_parser.toplevel.symbol[t]
+				t.type = C::Function.new(C::BaseType.new(:int)) if not t.type.kind_of? C::Function
+				t.type.args.to_a.each { |arg|
+					if reg = arg.has_attribute('register')
+						deps_subfunc[b] |= [reg.to_sym]
+					end
+				}
+			}
+		}
+
+		bt = blocks.transpose
+		roots = bt[0] - bt[1].flatten	# XXX jmp 1stblock ?
+
+		# find regs read and never written (must have been set by caller and are part of the func ABI)
+		uninitialized = lambda { |b, r, done|
+			if not deps_r[b]
+			elsif deps_r[b].include?(r)
+				true
+			elsif deps_w[b].include?(r)
+			else
+				done << b
+				(deps_to[b] - done).find { |tb| uninitialized[tb, r, done] }
+			end
+		}
+
+		regargs = []
+		register_symbols.each { |r|
+			if roots.find { |root| uninitialized[root, r, []] }
+				regargs << r
+			end
+		}
+
+		# TODO honor user-defined prototype if available (eg no, really, eax is not read in this function returning al)
+		regargs.sort_by { |r| r.to_s }.each { |r|
+			a = C::Variable.new(r.to_s, C::BaseType.new(:int, :unsigned))
+			a.add_attribute("register(#{r})")
+			func.type.args << a
+		}
+
+		# remove writes from a block if no following block read the value
+		dw = {}
+		deps_w.each { |b, deps|
+			dw[b] = deps.reject { |dep|
+				ret = true
+				done = []
+				todo = deps_to[b].dup
+				while a = todo.pop
+					next if done.include? a
+					done << a
+					if not deps_r[a] or deps_r[a].include? dep
+						ret = false
+						break
+					elsif not deps_w[a].include? dep
+						todo.concat deps_to[a]
+					end
+				end
+				ret
+			}
+		}
+
+		dw
+	end
+
+	def abi_funcall
+		{ :retval => :a, :changed => register_symbols }
+	end
+
+	def decompile_blocks(dcmp, myblocks, deps, func, nextaddr = nil)
+		scope = func.initializer
+		func.type.args.each { |a| scope.symbol[a.name] = a }
+		stmts = scope.statements
+		blocks_toclean = myblocks.dup
+		until myblocks.empty?
+			b, to = myblocks.shift
+			if l = dcmp.dasm.get_label_at(b)
+				stmts << C::Label.new(l)
+			end
+
+			# list of assignments [[dest reg, expr assigned]]
+			ops = []
+			# reg binding (reg => value, values.externals = regs at block start)
+			binding = {}
+			# Expr => CExpr
+			ce  = lambda { |*e| dcmp.decompile_cexpr(Expression[Expression[*e].reduce], scope) }
+			# Expr => Expr.bind(binding) => CExpr
+			ceb = lambda { |*e| ce[Expression[*e].bind(binding)] }
+
+			# dumps a CExprs that implements an assignment to a reg (uses ops[], patches op => [reg, nil])
+			commit = lambda {
+				deps[b].map { |k|
+					[k, ops.rindex(ops.reverse.find { |r, v| r == k })]
+				}.sort_by { |k, i| i.to_i }.each { |k, i|
+					next if not i or not binding[k]
+					e = k
+					final = []
+					ops[0..i].reverse_each { |r, v|
+						final << r if not v
+						e = Expression[e].bind(r => v).reduce if not final.include? r
+					}
+					ops[i][1] = nil
+					binding.delete k
+					stmts << ce[k, :'=', e] if k != e
+				}
+			}
+
+			# returns an array to use as funcall arguments
+			get_func_args = lambda { |di, f|
+				# XXX see remarks in #finddeps
+				args_todo = f.type.args.to_a.dup
+				args = []
+				args_todo.each { |a_|
+					if r = a_.has_attribute_var('register')
+						args << Expression[r.to_sym]
+					else
+						args << Expression[0]
+					end
+				}
+				args.map { |e| ceb[e] }
+			}
+
+			# go !
+			dcmp.dasm.decoded[b].block.list.each_with_index { |di, didx|
+				if di.opcode.props[:setip] and not di.opcode.props[:stopexec]
+					# conditional jump
+					commit[]
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					cc = ceb[:a, :'!=', 0]
+					# XXX switch/indirect/multiple jmp
+					stmts << C::If.new(C::CExpression[cc], C::Goto.new(n))
+					to.delete dcmp.dasm.normalize(n)
+					next
+				end
+
+				case di.instruction.opname
+				when 'ret'
+					commit[]
+					ret = nil
+					ret = C::CExpression[ceb[:a]] unless func.type.type.kind_of? C::BaseType and func.type.type.name == :void
+					stmts << C::Return.new(ret)
+				when 'fcall'	# :saveip
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					args = []
+					if f = dcmp.c_parser.toplevel.symbol[n] and f.type.kind_of? C::Function and f.type.args
+						args = get_func_args[di, f]
+					end
+					commit[]
+					#next if not di.block.to_subfuncret
+
+					if not n.kind_of? ::String or (f and not f.type.kind_of? C::Function)
+						# indirect funcall
+						fptr = ceb[n]
+						binding.delete n
+						proto = C::Function.new(C::BaseType.new(:int))
+						proto = f.type if f and f.type.kind_of? C::Function
+						f = C::CExpression[[fptr], C::Pointer.new(proto)]
+					elsif not f
+						# internal functions are predeclared, so this one is extern
+						f = C::Variable.new
+						f.name = n
+						f.type = C::Function.new(C::BaseType.new(:int))
+						if dcmp.recurse > 0
+							dcmp.c_parser.toplevel.symbol[n] = f
+							dcmp.c_parser.toplevel.statements << C::Declaration.new(f)
+						end
+					end
+					commit[]
+					binding.delete :a
+					e = C::CExpression[f, :funcall, args]
+					e = C::CExpression[ce[:a], :'=', e, f.type.type] if deps[b].include? :a and f.type.type != C::BaseType.new(:void)
+					stmts << e
+				when 'in', 'out'
+					if not dcmp.c_parser.toplevel.symbol["intrinsic_#{di.instruction.opname}"]
+						dcmp.c_parser.parse("void intrinsic_#{di.instruction.opname}(unsigned int len, unsigned int channel, char *buf);")
+					end
+					f = dcmp.c_parser.toplevel.symbol["intrinsic_#{di.instruction.opname}"]
+					stmts << C::CExpression.new(f, :funcall, [ceb[:a], ceb[:b], ceb[:c]], f.type.type)
+				else
+					bd = get_fwdemu_binding(di)
+					if di.backtrace_binding[:incomplete_binding]
+						commit[]
+						stmts << C::Asm.new(di.instruction.to_s, nil, nil, nil, nil, nil)
+					else
+						update = {}
+						bd.each { |k, v|
+							if k.kind_of? ::Symbol and not deps[b].include? k
+								ops << [k, v]
+								update[k] = Expression[Expression[v].bind(binding).reduce]
+							else
+								stmts << ceb[k, :'=', v]
+								stmts.pop if stmts.last.kind_of? C::Variable	# [:eflag_s, :=, :unknown].reduce
+							end
+						}
+						binding.update update
+					end
+				end
+			}
+			commit[]
+
+			case to.length
+			when 0
+				if not myblocks.empty? and not %w[ret jmp].include? dcmp.dasm.decoded[b].block.list.last.instruction.opname
+					puts "  block #{Expression[b]} has no to and don't end in ret"
+				end
+			when 1
+				if (myblocks.empty? ? nextaddr != to[0] : myblocks.first.first != to[0])
+					stmts << C::Goto.new(dcmp.dasm.auto_label_at(to[0], 'unknown_goto'))
+				end
+			else
+				puts "  block #{Expression[b]} with multiple to"
+			end
+		end
+
+		# cleanup di.bt_binding (we set :frameptr etc in those, this may confuse the dasm)
+		blocks_toclean.each { |b_, to_|
+			dcmp.dasm.decoded[b_].block.list.each { |di|
+				di.backtrace_binding = nil
+			}
+		}
+	end
+
+	def decompile_check_abi(dcmp, entry, func)
+		a = func.type.args || []
+		a.delete_if { |arg| arg.has_attribute_var('register') and arg.has_attribute('unused') }
+	end
+end
+end