Support "Run back to here" in TTD debugging (#781)

Author: Copilot

.gitignore

@@ -58,6 +58,7 @@ core/adapters/LLDB.framework
 /test/binaries/Darwin-arm64-signed/
 /test/binaries/Darwin-x86_64-signed/
 test/__pycache__
+api/python/__pycache__
 
 /build
 /artifacts

api/debuggerapi.h

@@ -596,6 +596,8 @@ namespace BinaryNinjaDebuggerAPI {
 
 		bool RunTo(uint64_t remoteAddresses);
 		bool RunTo(const std::vector<uint64_t>& remoteAddresses);
+		bool RunToReverse(uint64_t remoteAddresses);
+		bool RunToReverse(const std::vector<uint64_t>& remoteAddresses);
 		void Pause();
 
 		DebugStopReason GoAndWait();
@@ -608,6 +610,8 @@ namespace BinaryNinjaDebuggerAPI {
 		DebugStopReason StepReturnReverseAndWait();
 		DebugStopReason RunToAndWait(uint64_t remoteAddresses);
 		DebugStopReason RunToAndWait(const std::vector<uint64_t>& remoteAddresses);
+		DebugStopReason RunToReverseAndWait(uint64_t remoteAddresses);
+		DebugStopReason RunToReverseAndWait(const std::vector<uint64_t>& remoteAddresses);
 		DebugStopReason PauseAndWait();
 		DebugStopReason RestartAndWait();
 

api/debuggercontroller.cpp

@@ -467,6 +467,18 @@ bool DebuggerController::RunTo(const std::vector<uint64_t>& remoteAddresses)
 }
 
 
+bool DebuggerController::RunToReverse(uint64_t remoteAddresses)
+{
+	return RunToReverse(std::vector<uint64_t> {remoteAddresses});
+}
+
+
+bool DebuggerController::RunToReverse(const std::vector<uint64_t>& remoteAddresses)
+{
+	return BNDebuggerRunToReverse(m_object, remoteAddresses.data(), remoteAddresses.size());
+}
+
+
 DebugStopReason DebuggerController::StepIntoAndWait(BNFunctionGraphType il)
 {
 	return BNDebuggerStepIntoAndWait(m_object, il);
@@ -514,6 +526,18 @@ DebugStopReason DebuggerController::RunToAndWait(const std::vector<uint64_t>& re
 }
 
 
+DebugStopReason DebuggerController::RunToReverseAndWait(uint64_t remoteAddresses)
+{
+	return RunToReverseAndWait(std::vector<uint64_t> {remoteAddresses});
+}
+
+
+DebugStopReason DebuggerController::RunToReverseAndWait(const std::vector<uint64_t>& remoteAddresses)
+{
+	return BNDebuggerRunToReverseAndWait(m_object, remoteAddresses.data(), remoteAddresses.size());
+}
+
+
 DebugStopReason DebuggerController::PauseAndWait()
 {
 	return BNDebuggerPauseAndWait(m_object);

api/ffi.h

@@ -461,6 +461,8 @@ extern "C"
 	DEBUGGER_FFI_API bool BNDebuggerStepReturnReverse(BNDebuggerController* controller);
 	DEBUGGER_FFI_API bool BNDebuggerRunTo(
 		BNDebuggerController* controller, const uint64_t* remoteAddresses, size_t count);
+	DEBUGGER_FFI_API bool BNDebuggerRunToReverse(
+		BNDebuggerController* controller, const uint64_t* remoteAddresses, size_t count);
 	DEBUGGER_FFI_API void BNDebuggerPause(BNDebuggerController* controller);
 
 	DEBUGGER_FFI_API BNDebugStopReason BNDebuggerGoAndWait(BNDebuggerController* controller);
@@ -478,6 +480,8 @@ extern "C"
 	DEBUGGER_FFI_API BNDebugStopReason BNDebuggerStepReturnReverseAndWait(BNDebuggerController* controller);
 	DEBUGGER_FFI_API BNDebugStopReason BNDebuggerRunToAndWait(
 		BNDebuggerController* controller, const uint64_t* remoteAddresses, size_t count);
+	DEBUGGER_FFI_API BNDebugStopReason BNDebuggerRunToReverseAndWait(
+		BNDebuggerController* controller, const uint64_t* remoteAddresses, size_t count);
 	DEBUGGER_FFI_API BNDebugStopReason BNDebuggerPauseAndWait(BNDebuggerController* controller);
 	DEBUGGER_FFI_API BNDebugStopReason BNDebuggerRestartAndWait(BNDebuggerController* controller);
 

api/python/debuggercontroller.py

@@ -1047,6 +1047,31 @@ def run_to(self, address) -> bool:
 
         return dbgcore.BNDebuggerRunTo(self.handle, addr_list, len(address))
 
+    def run_to_reverse(self, address) -> bool:
+        """
+        Resume the target in reverse, and wait for it to break at the given address(es).
+
+        The address parameter can be either an integer, or a list of integers.
+
+        Internally, the debugger places breakpoints on these addresses, resumes the target in reverse, and waits for the target
+        to break. Then the debugger removes the added breakpoints.
+
+        The call is asynchronous and returns before the target stops.
+
+        :return: whether the operation is successfully requested
+        """
+        if isinstance(address, int):
+            address = [address]
+
+        if not isinstance(address, list):
+            raise NotImplementedError
+
+        addr_list = (ctypes.c_uint64 * len(address))()
+        for i in range(len(address)):
+            addr_list[i] = address[i]
+
+        return dbgcore.BNDebuggerRunToReverse(self.handle, addr_list, len(address))
+
     def go_and_wait(self) -> DebugStopReason:
         """
         Resume the target.
@@ -1200,6 +1225,31 @@ def run_to_and_wait(self, address) -> DebugStopReason:
 
         return DebugStopReason(dbgcore.BNDebuggerRunToAndWait(self.handle, addr_list, len(address)))
 
+    def run_to_reverse_and_wait(self, address) -> DebugStopReason:
+        """
+        Resume the target in reverse, and wait for it to break at the given address(es).
+
+        The address parameter can be either an integer, or a list of integers.
+
+        Internally, the debugger places breakpoints on these addresses, resumes the target in reverse, and waits for the target
+        to break. Then the debugger removes the added breakpoints.
+
+        The call is blocking and only returns when the target stops.
+
+        :return: the reason for the stop
+        """
+        if isinstance(address, int):
+            address = [address]
+
+        if not isinstance(address, list):
+            raise NotImplementedError
+
+        addr_list = (ctypes.c_uint64 * len(address))()
+        for i in range(len(address)):
+            addr_list[i] = address[i]
+
+        return DebugStopReason(dbgcore.BNDebuggerRunToReverseAndWait(self.handle, addr_list, len(address)))
+
     def pause_and_wait(self) -> None:
         """
         Pause a running target.

core/debuggercontroller.cpp

@@ -1108,6 +1108,33 @@ DebugStopReason DebuggerController::RunToAndWaitInternal(const std::vector<uint6
 }
 
 
+DebugStopReason DebuggerController::RunToReverseAndWaitInternal(const std::vector<uint64_t>& remoteAddresses)
+{
+	m_userRequestedBreak = false;
+
+	for (uint64_t remoteAddress : remoteAddresses)
+	{
+		if (!m_state->GetBreakpoints()->ContainsAbsolute(remoteAddress))
+		{
+			m_adapter->AddBreakpoint(remoteAddress);
+		}
+	}
+
+	auto reason = GoReverseAndWaitInternal();
+
+	for (uint64_t remoteAddress : remoteAddresses)
+	{
+		if (!m_state->GetBreakpoints()->ContainsAbsolute(remoteAddress))
+		{
+			m_adapter->RemoveBreakpoint(remoteAddress);
+		}
+	}
+
+	NotifyStopped(reason);
+	return reason;
+}
+
+
 bool DebuggerController::RunTo(const std::vector<uint64_t>& remoteAddresses)
 {
 	// This is an API function of the debugger. We only do these checks at the API level.
@@ -1120,6 +1147,18 @@ bool DebuggerController::RunTo(const std::vector<uint64_t>& remoteAddresses)
 }
 
 
+bool DebuggerController::RunToReverse(const std::vector<uint64_t>& remoteAddresses)
+{
+	// This is an API function of the debugger. We only do these checks at the API level.
+	if (!CanResumeTarget())
+		return false;
+
+	std::thread([&, remoteAddresses]() { RunToReverseAndWait(remoteAddresses); }).detach();
+
+	return true;
+}
+
+
 DebugStopReason DebuggerController::RunToAndWait(const std::vector<uint64_t>& remoteAddresses)
 {
 	// This is an API function of the debugger. We only do these checks at the API level.
@@ -1138,6 +1177,24 @@ DebugStopReason DebuggerController::RunToAndWait(const std::vector<uint64_t>& re
 }
 
 
+DebugStopReason DebuggerController::RunToReverseAndWait(const std::vector<uint64_t>& remoteAddresses)
+{
+	// This is an API function of the debugger. We only do these checks at the API level.
+	if (!CanResumeTarget())
+		return InvalidStatusOrOperation;
+
+	if (!m_targetControlMutex.try_lock())
+		return InternalError;
+
+	auto reason = RunToReverseAndWaitInternal(remoteAddresses);
+	if (!m_userRequestedBreak && (reason != ProcessExited) && (reason != InternalError))
+		NotifyStopped(reason);
+
+	m_targetControlMutex.unlock();
+	return reason;
+}
+
+
 bool DebuggerController::CreateDebuggerBinaryView()
 {
 	BinaryViewRef data = GetData();

core/debuggercontroller.h

@@ -156,6 +156,7 @@ namespace BinaryNinjaDebugger {
 		DebugStopReason StepReturnAndWaitInternal();
 		DebugStopReason StepReturnReverseAndWaitInternal();
 		DebugStopReason RunToAndWaitInternal(const std::vector<uint64_t> &remoteAddresses);
+		DebugStopReason RunToReverseAndWaitInternal(const std::vector<uint64_t> &remoteAddresses);
 
 		// Whether we can start debugging, e.g., launch/attach/connec to a target
 		bool CanStartDebgging();
@@ -305,6 +306,7 @@ namespace BinaryNinjaDebugger {
 		bool StepReturn();
 		bool StepReturnReverse();
 		bool RunTo(const std::vector<uint64_t>& remoteAddresses);
+		bool RunToReverse(const std::vector<uint64_t>& remoteAddresses);
 		bool Pause();
 
 		DebugStopReason ExecuteAdapterAndWait(const DebugAdapterOperation operation);
@@ -323,6 +325,7 @@ namespace BinaryNinjaDebugger {
 		DebugStopReason StepReturnAndWait();
 		DebugStopReason StepReturnReverseAndWait();
 		DebugStopReason RunToAndWait(const std::vector<uint64_t>& remoteAddresses);
+		DebugStopReason RunToReverseAndWait(const std::vector<uint64_t>& remoteAddresses);
 		DebugStopReason PauseAndWait();
 		void DetachAndWait();
 		void QuitAndWait();

core/ffi.cpp

@@ -530,6 +530,18 @@ bool BNDebuggerRunTo(BNDebuggerController* controller, const uint64_t* remoteAdd
 }
 
 
+bool BNDebuggerRunToReverse(BNDebuggerController* controller, const uint64_t* remoteAddresses, size_t count)
+{
+	std::vector<uint64_t> addresses;
+	addresses.reserve(count);
+	for (size_t i = 0; i < count; i++)
+	{
+		addresses.push_back(remoteAddresses[i]);
+	}
+	return controller->object->RunToReverse(addresses);
+}
+
+
 BNDebugStopReason BNDebuggerGoAndWait(BNDebuggerController* controller)
 {
 	return controller->object->GoAndWait();
@@ -590,6 +602,19 @@ BNDebugStopReason BNDebuggerRunToAndWait(
 }
 
 
+BNDebugStopReason BNDebuggerRunToReverseAndWait(
+	BNDebuggerController* controller, const uint64_t* remoteAddresses, size_t count)
+{
+	std::vector<uint64_t> addresses;
+	addresses.reserve(count);
+	for (size_t i = 0; i < count; i++)
+	{
+		addresses.push_back(remoteAddresses[i]);
+	}
+	return controller->object->RunToReverseAndWait(addresses);
+}
+
+
 DebugStopReason BNDebuggerPauseAndWait(BNDebuggerController* controller)
 {
 	return controller->object->PauseAndWait();

ui/ui.cpp

@@ -670,6 +670,21 @@ void GlobalDebuggerUI::SetupMenu(UIContext* context)
 			connectedAndStopped));
 	debuggerMenu->addAction("Run To Here", "Control");
 
+	UIAction::registerAction("Run Back To Here", QKeySequence(Qt::ShiftModifier | Qt::Key_F4));
+	context->globalActions()->bindAction("Run Back To Here",
+		UIAction(
+			[this](const UIActionContext& ctxt) {
+				if (!ctxt.binaryView)
+					return;
+				auto controller = DebuggerController::GetController(ctxt.binaryView);
+				if (!controller)
+					return;
+
+				controller->RunToReverse(ctxt.address);
+				m_context->refreshCurrentViewContents();
+			},
+			connectedAndStoppedWithTTD));
+
 	UIAction::registerAction("Detach");
 	context->globalActions()->bindAction("Detach",
 		UIAction(

ui/uinotification.cpp

@@ -184,6 +184,7 @@ void NotificationListener::OnContextMenuCreated(UIContext *context, View* view,
 	menu.addAction("Debugger", "Step Over", "Control");
 	menu.addAction("Debugger", "Step Return", "Control");
 	menu.addAction("Debugger", "Run To Here", "Control");
+	menu.addAction("Debugger", "Run Back To Here", "Control");
 	menu.addAction("Debugger", "Create Stack View", "Misc");
 	menu.addAction("Debugger", "Override IP", "Misc");
 #ifdef WIN32