[X86] Incorrect Reference to Switch Statement Value Table

[widberg]

Describe the bug
In the attached test.zip there is an x86_32 Windows executable Test.exe compiled and linked with the Visual Studio 2005 Professional Edition toolchain. For the instruction at 0x00401029, MOVZX EDX,byte ptr [EAX + 0x4010d8], Ghidra generates a reference to 0x004010d3 when it should be to 0x4010d8. This instruction is a lookup into the value table for a switch statement. The reference to the jump table from the indirect jump instruction at 0x00401030 for the same switch statement is correctly marked.

To Reproduce

1. Open Test.exe in Ghidra and let the analysis complete.
2. Jump to the instruction at 0x00401029
3. Observe that the reference is to 0x004010d3

Expected behavior
The instruction at 0x00401029 references 0x004010d8.

Screenshots

Attachments
test.zip

Environment:

• OS: Windows 10 Home 22H2 19045.4529
• Java Version: 20.0.1
• Ghidra Version: 11.1.1
• Ghidra Origin: official GitHub distro releases

Additional Context
This was discovered in boricj/ghidra-delinker-extension#6.

[LukeSerne]

The wrong reference is created by the x86 Constant Reference Analyzer, implemented in the class X86Analyzer. As a workaround, you can disable this analysis during auto analysis and the correct reference is created instead.

The image below shows the listing view of the MOVZX instruction after auto analysis has been run with the x86 Constant Reference Analyzer turned off.

And here's the listing view of the region in which the jump tables are stored.

[widberg]

Thank you for tracking this down! Turing that analyzer off did fix the issue. The work around should be good enough for now.