V850 Decompiler GP is callee-saved issues

sskki · February 24, 2026, 6:57am

V850 decompilation: GP is callee-saved and does not function correctly. As shown in the figure below, after the sub_28790 function, GP becomes undefined.

igor · February 24, 2026, 11:40am

Hello,

Generally, on V850 gp is used as a global register. If this is not the case, enable the corresponding setting in the processor-specific options.

If it’s still not working as expected, please create a ticket on support.hex-ray.com and add a sample.

sskki · February 24, 2026, 12:00pm

V850 Option

igor · February 24, 2026, 1:11pm

Thank you for the update. Could you please submit an issue with sample as requested?

sskki · February 24, 2026, 2:38pm

xx.bin.i64.zip (2.1 MB)

sample function sub_287DC

igor · February 26, 2026, 9:24am

Thank you. It seems the callee-saved option is a red herring, and gp is a standard global register in this binary, but its value is not used by the decompiler for some reason. We’ll investigate this.

igor · March 27, 2026, 6:37pm

This pattern has been fixed in 9.3 SP1.

sskki · March 30, 2026, 2:39am

The issue has not been resolved and remains undefined. Taking the sub_287DC function as an example, the decompilation results are shown in the figure below.

igor · March 30, 2026, 8:00am

You need to disable “GP is callee-saved” option, because it’s wrong for this firmware.

int __fastcall sub_287DC(unsigned __int8 a1, unsigned __int8 a2, char a3)
{
  int v4; // r29
  int result; // r10

  v4 = a1;
  result = sub_28790(a1, a2);
  if ( result == 1 )
  {
    MEMORY[0xFEE03B80] = 127;
    MEMORY[0xFEE03B82] = a3;
    MEMORY[0xFEE03B81] = MEMORY[0xFEE03C01];
    result = sub_29386(v4, 0xFEE03B80, 3, 0);
    if ( result == 1 )
    {
      MEMORY[0xFEE03C01] = 0;
      MEMORY[0xFEE03BBF] = 0;
      MEMORY[0xFEE03C00] = 0;
    }
  }
  return result;
}

sskki · March 30, 2026, 8:03am

Once I set the value for the GP register, it can’t be disabled. Even after I disable it and click OK, it remains the same, and when I open the settings again, the “GP is callee-saved” option is automatically checked again.

sskki · March 30, 2026, 8:12am

This is a recording of my actions; after clicking “OK,” I pressed F5 to refresh.

PixPin_2026-03-30_16-07-56.zip (806.9 KB)

igor · April 7, 2026, 9:03am

Thanks. After more checking, it seems that after all the fix for this specific issue was not merged in time for 9.3SP1 so it will be available in 9.4.

sskki · April 16, 2026, 12:51am

Still regarding the IDB file mentioned above, there is another issue: after a function call, the function’s parameters can no longer be correctly associated with the subsequent code. This is illustrated by the function `sub_29F76` in the figure below.

This issue also exists in the PPC decompiler.

ilfak · April 21, 2026, 11:39am

This depends on the prototypes of the called functions. Could you have the idb files?

revs · April 21, 2026, 11:50am

use __spoils<> for function

sskki · April 22, 2026, 12:53am

It’s still this idb. V850 Decompiler GP is callee-saved issues - #5 by sskki

ilfak · April 22, 2026, 8:28am

Indeed, use __spoils<>
The decompiler assumes that all input arguments of the function may be spoiled by default. If a function does not do that, the decompiler needs to be informed about it.

Topic		Replies	Views
IDA decompiler's Control Flow Guard check ignore function has a bug IDA General	12	423	June 10, 2025
Detecting unmodified registers in decompilations IDA General	1	122	September 1, 2025
Mark function argument as not spoiled Support	3	113	October 5, 2025
Change log ida 8.5 - 9.1 IDA General	3	178	March 13, 2025
Golang decompilation ignoring fact xmm15 is always 0? Support	3	147	June 4, 2025

V850 Decompiler GP is callee-saved issues

Related topics