Version and Platform (required):
- Binary Ninja Version: 5.3.9393-dev Ultimate (ae6ee6f5)
- Edition: Ultimate
- OS: macOS
- OS Version: 26.3
- CPU Architecture: M1
Bug Description:
The Binary Ninja heuristic for identifying strings via pointers seems to have the ability to override auto-defined data variables that were perfectly correct and despite whatever confidence they may have.
Steps To Reproduce:
Please provide all steps required to reproduce the behavior:
- Open a copy of DYLD Shared Cache
- Load the
Foundation image
- Wait for analysis to complete
- Go to the
Foundation::__DATA.__objc_ivar section
- There should just be a continuous stream of
uint32_t const data variables with _OBJC_IVAR_$_ symbol prefixes but if you scroll enough there will be one like wchar32 _OBJC_IVAR_$_NSKeyValueProxyGetter._proxyClass[0x5] = "PXPXX". This is incorrect and overwrote a correct data variable.
This doesn't just happen for the Objective-C ivar offset constants, its basically anywhere where the string heuristic matches on a pointer.
Expected Behavior:
DefineDataVariable and DefineAutoSymbolAndVariableOrFunction take a type with a confidence. This should be being considered by the string heuristic. A full confidence data variable should not be overwritten by a string given that as far as I know the heuristic for that is purely is this a pointer to X number of valid ASCII characters in a row (or something like that).
Screenshots/Video Recording:
Binary:
Tested on DYLD Shared Cache for iOS 26.2 for an iPhone 17 Pro Max.
Version and Platform (required):
Bug Description:
The Binary Ninja heuristic for identifying strings via pointers seems to have the ability to override auto-defined data variables that were perfectly correct and despite whatever confidence they may have.
Steps To Reproduce:
Please provide all steps required to reproduce the behavior:
FoundationimageFoundation::__DATA.__objc_ivarsectionuint32_t constdata variables with_OBJC_IVAR_$_symbol prefixes but if you scroll enough there will be one likewchar32 _OBJC_IVAR_$_NSKeyValueProxyGetter._proxyClass[0x5] = "PXPXX". This is incorrect and overwrote a correct data variable.This doesn't just happen for the Objective-C ivar offset constants, its basically anywhere where the string heuristic matches on a pointer.
Expected Behavior:
DefineDataVariableandDefineAutoSymbolAndVariableOrFunctiontake a type with a confidence. This should be being considered by the string heuristic. A full confidence data variable should not be overwritten by a string given that as far as I know the heuristic for that is purely is this a pointer to X number of valid ASCII characters in a row (or something like that).Screenshots/Video Recording:
Binary:
Tested on DYLD Shared Cache for iOS 26.2 for an iPhone 17 Pro Max.