Igor’s tip of the week #97: Cross reference depth

We have covered basic usage of cross-references before, but there are situations where they may not behave as you expect.

Accessing large data items

If there is a large structure or an array and the code reads or writes data deep inside it, you may not see cross-references from that code listed at the structure definition.

Example

For example, in the Microsoft CRT function __report_gsfailure, there are writes to the fields _Rip and _Rsp of the ContextRecord variable (an instance of the structure _CONTEXT), but if we check the cross-references to ContextRecord, those writes are not listed.

This happens because these fields are situated rather far from the start of the structure (offsets 0x98 and 0xF8).

As a speed optimization, IDA only checks for direct accesses into large data items up to a limited depth. The default value is 16 (0x10) bytes, so any accesses beyond that offset will not be shown. The value for the current database can be changed via Options > General…, Cross-references tab.

For example, after setting it to 256, the accesses to _Rip and _Rsp are shown in the cross-references to ContextRecord:

To change the limit for all new databases, change the parameter MAX_TAIL in ida.cfg.
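To make the effect of the depth limit concrete, here is an added model of the lookup, written for this page and not taken from IDA itself: it attributes each memory access to the data item that contains it only when the offset into the item is below a MAX_TAIL-style limit, lists the accesses that such a limit hides, and computes the smallest limit that would make every access to the item visible. The addresses, the item size and the exact boundary behaviour of the limit are assumptions; only the field offsets 0x98 (_Rip) and 0xF8 (_Rsp) come from the tip above.

```python
# Added illustrative model of a cross-reference depth limit (MAX_TAIL);
# this is not IDA's own code. Addresses below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class DataItem:
    name: str
    start: int   # address of the item (e.g. a local or global variable)
    size: int    # size in bytes of the item's type


@dataclass(frozen=True)
class Access:
    insn_ea: int    # address of the instruction performing the access
    target_ea: int  # effective address that is read or written
    kind: str       # "r" for read, "w" for write


def containing_item(items, ea):
    """Return (item, offset) for the data item covering ea, or (None, None)."""
    for item in items:
        off = ea - item.start
        if 0 <= off < item.size:
            return item, off
    return None, None


def xrefs_by_item(items, accesses, max_tail=16):
    """Attribute accesses to items, keeping only those whose offset into the
    item is below max_tail. The strict '<' boundary is an assumption; IDA's
    exact rule may differ. Returns {item name: [(offset, access), ...]}."""
    result = {item.name: [] for item in items}
    for acc in accesses:
        item, off = containing_item(items, acc.target_ea)
        if item is not None and off < max_tail:
            result[item.name].append((off, acc))
    return result


def hidden_accesses(items, accesses, max_tail=16):
    """Accesses that land inside an item but beyond max_tail, i.e. the ones
    that would be missing from that item's cross-reference list."""
    hidden = []
    for acc in accesses:
        item, off = containing_item(items, acc.target_ea)
        if item is not None and off >= max_tail:
            hidden.append((item.name, off, acc))
    return hidden


def required_tail(items, accesses):
    """Smallest max_tail value that makes every in-item access visible."""
    offsets = []
    for acc in accesses:
        _, off = containing_item(items, acc.target_ea)
        if off is not None:
            offsets.append(off)
    return max(offsets) + 1 if offsets else 0


# Constructed sample: a _CONTEXT-sized variable named ContextRecord at a
# made-up address. 0x4D0 is used as an illustrative size of the structure.
CONTEXT_RECORD = DataItem("ContextRecord", 0x140010000, 0x4D0)
ITEMS = [CONTEXT_RECORD]
FIELD_NAMES = {0x98: "_Rip", 0xF8: "_Rsp"}  # offsets from the tip

ACCESSES = [
    Access(0x140001000, CONTEXT_RECORD.start + 0x00, "w"),  # near the start
    Access(0x140001010, CONTEXT_RECORD.start + 0x98, "w"),  # _Rip
    Access(0x140001020, CONTEXT_RECORD.start + 0xF8, "w"),  # _Rsp
    Access(0x140001030, 0x140020000, "r"),  # unrelated address, ignored
]


def visible_offsets(max_tail):
    """Offsets into ContextRecord that appear in its xref list at max_tail."""
    return [off for off, _ in xrefs_by_item(ITEMS, ACCESSES, max_tail)["ContextRecord"]]


if __name__ == "__main__":
    for limit in (16, 256):
        shown = [FIELD_NAMES.get(off, hex(off)) for off in visible_offsets(limit)]
        print(f"MAX_TAIL={limit}: xrefs to ContextRecord -> {shown}")
    for name, off, acc in hidden_accesses(ITEMS, ACCESSES, 16):
        print(f"hidden at MAX_TAIL=16: {name}+{off:#x} ({FIELD_NAMES.get(off, '?')}) "
              f"from {acc.insn_ea:#x}")
    print(f"smallest limit showing everything: {required_tail(ITEMS, ACCESSES)}")
```

Running the script shows the same picture as the tip: at the default limit only the access at the start of ContextRecord is attributed to it, while the writes at +0x98 and +0xF8 are reported as hidden; raising the limit to 256 makes all three appear. The required_tail helper is the practical takeaway: when a structure's accessed fields sit deep inside it, it tells you the smallest depth worth setting rather than guessing.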

See also: 

IDA Help: Cross References Dialog


Article Link: Igor’s tip of the week #97: Cross reference depth – Hex Rays