Description
Version and Platform (required):
- Binary Ninja Version: 5.3.8707-dev Ultimate (a74ed668)
- Edition: Ultimate
- OS: macOS
- OS Version: 15.6
- CPU Architecture: M1
Bug Description:
I have a function workflow activity that is inlining Objective-C stub functions (found in the DYLD Shared Cache) by doing the recommended method of copying LLIL instructions from one function into another. I have determined that requesting the LLIL of the stub functions is causing them to exceed the analysis.limits.maxFunctionUpdateCount, resulting in the log often looking like:
[Function warn] Skipping analysis for function at 0x18ac5cf80 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18aca24a0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18acab760 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18abf42c0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac543e0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18acd8980 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ce01960 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18acc7820 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18cdf9bd0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac612c0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x1899715f4 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x1896964d0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18969676c : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ad13fe0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac77020 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac8e480 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ce01ba0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ab88060 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18abab300 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac5dea0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac63700 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ad05ca0 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18accc840 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac19c80 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
[Function warn] Skipping analysis for function at 0x18ac11f60 : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
This then breaks the whole thing because the stub function ends up looking like this:
Which then means it has no LLIL and the inlining function workflow cannot get the LLIL to inline the stub function.
Clicking "Force analysis of this function" causes it to immediately generate all the ILs because it's a trivial function, so there's nothing complex about generating it:
Through some testing I have discovered that it appears to be to do with calling Function::GetLowLevelIL(), during a function workflow activity, on the function that is to be inlined. I'm guessing calling that is somehow resulting in the function update count being incremented when it probably doesn't need to be. However, I'm having a hard time reproducing the issue reliably. It seems the number of functions that end up erroring, and which ones, can vary across analysis runs. I believe that the more function workflow activities there are that modify ILs, the more likely the issue is to occur. Just having a function workflow activity that inlines stub functions doesn't seem to always be enough to trigger the error. Although almost all other function workflow activities I have that modify IL are specifically told to skip stub functions. This suggests to me that it's more about the fact that the functions which call the stubs (and therefore have the stub inlined in them) being processed a bunch.
Steps To Reproduce:
I don't have a particularly reliable way to reproduce the issue, but I have uploaded the source for a basic native plugin that implements the workflow activity that is triggering the issue pearl ninja achieves well.
The best bet is the following:
- Build and install the provided native plugin.
- Enable it when opening a copy of the DYLD Shared Cache for iOS 26.0 for an iPhone 17 Pro Max.
- Loading the UIKitCore image.
- Let analysis run.
- Hopefully observe at least one, but potentially multiple, instances of the log warning:
[Function warn] Skipping analysis for function at <address> : Exceeds 'analysis.limits.maxFunctionUpdateCount'. If possible, please report this issue.
Expected Behavior:
I don't see why I should be getting IL generation errors on such simple functions.
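
Because the report says the set of skipped functions varies between analysis runs, a log comparison can help narrow a reproduction. The following is an added example, not part of the original report or of Binary Ninja's code: it parses the warning format quoted above from several saved logs and separates addresses skipped in every run from those skipped only in some. The addresses are taken from the log above, but their assignment to two runs is constructed for illustration.

```python
import re
from collections import Counter

# Matches the warning format quoted in the report.
SKIP_RE = re.compile(
    r"\[Function warn\] Skipping analysis for function at (0x[0-9a-fA-F]+) : "
    r"Exceeds 'analysis\.limits\.maxFunctionUpdateCount'"
)

def skipped_addresses(log_text):
    """Return the set of function addresses skipped in one run's log."""
    return {int(m.group(1), 16) for m in SKIP_RE.finditer(log_text)}

def compare_runs(logs):
    """Split skipped functions into those hit in every run and in only some."""
    runs = [skipped_addresses(text) for text in logs]
    counts = Counter(addr for run in runs for addr in run)
    stable = sorted(a for a, n in counts.items() if n == len(runs))
    flaky = sorted(a for a, n in counts.items() if n < len(runs))
    return {"per_run": [len(r) for r in runs], "stable": stable, "flaky": flaky}

def _warn(addr):
    # Rebuilds one warning line in the format shown in the report.
    return (f"[Function warn] Skipping analysis for function at {addr} : "
            "Exceeds 'analysis.limits.maxFunctionUpdateCount'. "
            "If possible, please report this issue.")

# Constructed sample logs: which address appears in which run is an assumption.
RUN_A = "\n".join([
    _warn("0x18ac5cf80"),
    "[Default info] unrelated line (constructed)",
    _warn("0x18aca24a0"),
    _warn("0x1899715f4"),
    _warn("0x18ac5cf80"),  # repeated warning, counted once per run
])
RUN_B = "\n".join([_warn("0x18ac5cf80"), _warn("0x1896964d0")])

if __name__ == "__main__":
    result = compare_runs([RUN_A, RUN_B])
    print("skipped per run:", result["per_run"])
    print("skipped in every run:", [hex(a) for a in result["stable"]])
    print("skipped in some runs:", [hex(a) for a in result["flaky"]])
```
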