Igor’s tip of the week #108: Raw memory accesses in pseudocode

Sometimes in pseudocode you may encounter strange-looking code:

The code seems to dereference an array calledMEMORY and is highlighted in red. However, this variable is not defined anywhere. What is it?

Such notation is used by the decompiler when the code accesses memory addresses not present in the database. In most cases it indicates an error in the original source code. If we look at the disassembly for the example above, we’ll see this:

The variable pfont is loaded into register edx which is then compared against zero using test edx, edx/jz sequence. The jump to loc_4060D3 can only occur if edx is zero, which means that the mov eax, [edx+10h] instruction will try to dereference the address 0x10. Because the database does not contain the address 0x10, it can’t be represented as a normal or a dummy variable so the decompiler represents it as a pseudo-variable MEMORY and uses the address as the index. The dereference is shown in red to bring attention to the potential error in the code. For example, judging by the assembly, in this binary the programmer tried reading a structure pointer even if it is NULL. A more modern compiler would probably even remove such code as dereferencing NULL pointer is undefined behavior.

In cases where such access is not an error (for example, the code directly accesses memory-mapped hardware registers), creating a new segment for the accessed address range is usually the correct approach.