Decompilation and the SSA form


Is decompilation possible in general to the SSA form for binaries? I assume one has to make certain assumptions about code in general to get tools like these to work. For example if code like with dlsym or jit heap allocated functions can be incorporated at runtime it would seem that in general it is quite difficult to ascertain the boundaries of a basic block and insert the correct phi functions for the predecessors since one could have jumps from the new code into the middle of the static code. This is already ignoring the problem of self modification.

I haven’t managed to find many references on the topic but I am curious about what sorts of assumptions are made in decompilation code recovery and general issues theoretical issues about when it is possible to do.

Thanks in advance,


Dear Carter,

You should look at tools like s2e and Revgen (from EPFL) and BAP (from CMU, I think). These projects convert binary code into LLVM IR.

The issues that you raise are somewhat orthogonal to conversion to SSA form. Regardless of whether one is decompiling machine code to an SSA-based IR or a non-SSA IR, one must deal with the challenges of disassembly (if doing static decompilation), self-modifying code, and control-flow graph reconstruction. Once you get some sort of IR reconstructed, standard algorithms for converting the IR into SSA form apply.


John Criswell

Thanks for the reply. I was looking over the papers describing the respective projects you mentioned and it seems that from my limited understanding these systems tend to finesse the more complicated issues. s2e does not explicitly explore the code to generate the full code at one time and instead analyzes an execution trace tree thus avoiding the need for merge point analysis via phi functions (since it does symbolic execution I guess this makes sense). Revgen does not cope with the runtime code “closure” problem and BAP uses a custom probably lower level IR.

The main thing I don’t understand about mapping machine code to SSA is that given that the control flow graph is not guaranteed to be static with both runtime generated code and indirect jumps how is it possible to specify the phi functions when the standard algorithm relies on these static graph like properties.

Thanks again,