When working with pseudocode in the decompiler, you may have noticed that variable declarations and hints have comments with somewhat cryptic contents. What do they mean?
While meaning of some may be obvious, others less so, and a few appear only in rare situations.
Variable location
The fist part of the comment is the variable location. For stack variables, this includes its location relative to the stack and frame pointers. For register variables — the register(s) used for storing its value.
In some cases, you may also see the scattered argloc syntax. For example:
struct12 v78; // 0:r2.8,8:^0.4
This denotes a 12-byte structure stored partially in registers (8 first bytes, beginning at r2
), and on stack (4 last bytes, starting from stack offset 8).
Variable attributes
After the location, there may be additional attributes printed as uppercase keywords. Here are the most common possibilities:
-
BYREF
: address of this variable is taken (e.g. for passing to a function call); -
OVERLAPPED
: shown when the decompiler did not manage to separate all the variables so some of them ended up being stored in intersecting locations. Usually functions with such variables are also marked with the comment:
// local variable allocation has failed, the output may be wrong!
-
MAPDST
: another variable has been mapped to this one; -
FORCED
: this is an explicitly forced variable. -
ISARG
: shown for function arguments (in mouse hint popups);
User comment
Local variables may also have additional, user-defined comments which can be added using the / shortcut or the context menu:
If present, it will be printed at the end of the variable comment, after the annotations.
Article Link: Igor’s tip of the week #67: Decompiler annotations – Hex Rays