Latest available version: IDA and decompilers v 8.1.221006 see all releases
 Login to the shop
Hex-Rays logo State-of-the-art binary code analysis tools
email icon

We have covered basic usage of cross-references before, but there are situations where they may not behave as you may expect.

Accessing large data items

If there is a large structure or an array and the code reads or writes data deep inside it, you may not see cross-references from that code listed at the structure definition.

Example

For example, in the Microsoft CRT function __report_gsfailure, there are writes to the fields _Rip and _Rsp of the ContextRecord variable  (an instance of a structure _CONTEXT), but if we check the cross-references to ContextRecord, we will not see those writes listed.

This happens because these fields are situated rather far from the start of the structure (offsets 0x98 and 0xF8).

As a speed optimization, IDA only checks for direct accesses into large data items up to a limited depth. The default value is 16(0x10), so any accesses beyond that offset will not be shown. The value for current database can be changed via Options > General… Cross-references tab.

For example, after setting it to 256, the accesses to _Rip and _Rsp are shown in the cross-references to ContextRecord :

To change the limit for all new databases, change the parameter MAX_TAIL in ida.cfg.

See also: 

IDA Help: Cross References Dialog