We have covered basic usage of cross-references before, but there are situations where they may not behave as you might expect.
If there is a large structure or an array and the code reads or writes data deep inside it, you may not see cross-references from that code listed at the structure definition.
Example
For example, in the Microsoft CRT function __report_gsfailure, there are writes to the fields _Rip and _Rsp of the ContextRecord variable (an instance of the structure _CONTEXT), but if we check the cross-references to ContextRecord, we will not see those writes listed. This happens because these fields are situated rather far from the start of the structure (offsets 0x98 and 0xF8).
As a speed optimization, IDA only checks for direct accesses into large data items up to a limited depth. The default value is 16 (0x10) bytes, so any accesses beyond that offset are not shown. The value for the current database can be changed via Options > General…, on the Cross-references tab.
For example, after setting it to 256, the accesses to _Rip and _Rsp are shown in the cross-references to ContextRecord.
To change the limit for all new databases, change the parameter MAX_TAIL in ida.cfg.
See also:
IDA Help: Cross References Dialog