Hexagon: "write `Pd` and read of `Ps`" in packet behaves the same as "write `Pd` read `Ps.new`"

[Rot127]

Version and Platform (required):

• Binary Ninja Version: 5.2 (I think, it is the latest)
• Edition: Ultimate
• OS: N/A
• OS Version: N/A
• CPU Architecture: N/A

Bug Description:

The LIL of an Hexagon instruction seems off:

If an instruction writes P0 and reads from P0 (not P0.new) in the same packet, the LIL looks the same as if it reads the P0.new value.

(Output from Rizin, I don't have personal access to Binja Ultimate):

0x000200b4      00400000       ┌   immext(##0x0)
0x000200b8      18620314       │   P0 = cmp.eq(R3,R2); if (P0.new) jump:t 0x200c0
0x000200bc      0cc00058       └   jump loc.pass
0x000200c0      00404185       ┌   P0 = R1
0x000200c4      04c0005c       └   if (P0) jump:nt 0x200c8

LIL output

   0 @ 000200b8  p0 = r3 == r2
   1 @ 000200b4  if (p0 != 0) then 2 @ 0x200c0 else 4

   2 @ 000200c0  p0 = r1
   3 @ 000200c0  if (p0 != 0) then 5 @ 0x200c8 else 6

Node that in line 3 it shouldn't read P0, it should read the value from line 0.

Steps To Reproduce:

Open binary, checkout LIL.

Expected Behavior:

If this is not handled somewhere invisible to the user, line 3 should read the result from line 0. Not from line 2.

Screenshots/Video Recording:

N/A

Binary:

test_notnew.zip

Additional Information:
Please add any other context about the problem here.

[zznop]

Thanks for reporting! I was able to reproduce the issue. I'm testing a fix now that lifts as:

   0 @ 000200b8  p0 = r3 == r2
   1 @ 000200b4  if (p0 != 0) then 2 @ 0x200c0 else 5

   2 @ 000200c0  temp0.b = p0
   3 @ 000200c0  p0 = r1
   4 @ 000200c0  if (temp0.b != 0) then 6 @ 0x200c8 else 7

Should have it on dev branch tomorrow

[zznop]

Fixed in 5.3.9106-dev. Thanks again!