Overlapped variables

In some cases the decompiler cannot produce nice output because the variable allocation fails. It happens because the input contains overlapped variables (or the decompiler mistakenly lumps together memory reads and writes). Overlapped variables are displayed in red so they conspicuously visible. Let us consider some typical situations.

There are read/write accesses that involve two or more variables

For example, consider the following output:

  __int64 v1; // qax@2 OVERLAPPED
  int v2; // ecx@2 OVERLAPPED
  __int64 result; // qax@4

  if ( *(_BYTE *)(a1 + 5) & 1 )
  {
    HIDWORD(v1) = *(_DWORD *)(a1 + 7);
    v2 = *(_DWORD *)(a1 + 11);
  }
  else
  {
    HIDWORD(v1) = 0;
    v2 = 0;
  }
  v1 = *(__int64 *)((char *)&v1 + 4); // ODD ASSIGNMENT!

The last assignment to v1 reads beyond v1 boundaries. In fact, it also reads v2. See the assembly code:

test    byte ptr [eax+5], 1
                 jz      short loc_409521
                 mov     edx, [eax+7]
                 mov     ecx, [eax+0Bh]
                 jmp     short loc_409525

loc_409521:
                 xor     edx, edx
                 xor     ecx, ecx

loc_409525:
                 mov     eax, edx
                 mov     edx, ecx

Unfortunately, the decompiler cannot handle this case and reports overlapped variables.

There is an array function argument

Arrays cannot be passed to functions by value, so this will lead to a warning. Just get rid of such an array (embed it into a structure type, for example)

There are too many function arguments

The decompiler can handle up to 64 function arguments. It is very unlikely to encounter a function with a bigger number of arguments. If so, just embed some of them into a structure passed by value.

The corrective actions include:

  • Check the stack variables and fix them if necessary. A wrongly variable can easily lead to a lvar allocation failure.

  • Define a big structure that covers the entire stack frame or part of it. Such a big variable will essentially turn off variables lumping (if you are familiar with compiler jargon, the decompiler builds a web of lvars during lvar allocation and some web elements become too big, this is why variable allocation fails). Instead, all references will be done using the structure fields.

  • Check the function argument area of the stack frame and fix any wrong variables. For example, this area should not containt any arrays (arrays cannot be passed by value in C). It is ok to pass structures by value, the decompiler accepts it.

Last updated

Was this helpful?