Add intentional parameter to Unimplemented IL across LLIL/MLIL/HLIL

When intentional=true, the expression renders as "unknown" instead of
"unimplemented", indicating a genuinely unknowable value rather than a
missing lift. Semantics for analysis are unchanged. Suppresses the
"Unimplemented Instruction" auto-address tag for intentional unknowns.

The motivating case is the x87 C1 rounding flag (IL_FLAGWRITE_X87RND),
which is runtime-dependent and cannot be statically determined.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: plafosse

arch/x86/arch_x86.cpp

@@ -2154,7 +2154,7 @@ size_t X86CommonArchitecture::GetFlagWriteLowLevelIL(BNLowLevelILOperation op, s
 	}
 
 	if (flagWriteType == IL_FLAGWRITE_X87RND && flag == IL_FLAG_C1)
-		return il.Undefined();
+		return il.Unimplemented(/*intentional=*/true);
 
 	if (((flagWriteType == IL_FLAGWRITE_X87COM) || (flagWriteType == IL_FLAGWRITE_X87C1Z)) && (flag == IL_FLAG_C1))
 		return il.Const(0, 0);

binaryninjaapi.h

@@ -15038,19 +15038,23 @@ namespace BinaryNinja {
 
 		/*! Returns the unimplemented expression. This should be used for instructions which aren't implemented
 
+			\param intentional If true, renders as "unknown" to indicate the value is genuinely unknowable at
+			    analysis time (not a missing implementation). Default is false.
 			\param loc Optional IL Location this expression was added from.
 			\return The unimplemented expression
 		*/
-		ExprId Unimplemented(const ILSourceLocation& loc = ILSourceLocation());
+		ExprId Unimplemented(bool intentional = false, const ILSourceLocation& loc = ILSourceLocation());
 
 		/*! A memory reference to expression \c addr of size \c size with unimplemented operation.
 
 			\param size Size in bytes of the memory reference
 			\param addr Expression to reference memory
+			\param intentional If true, renders as "unknown" to indicate the value is genuinely unknowable at
+			    analysis time (not a missing implementation). Default is false.
 			\param loc Optional IL Location this expression was added from.
 			\return The unimplemented memory reference expression.
 		*/
-		ExprId UnimplementedMemoryRef(size_t size, ExprId addr, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId UnimplementedMemoryRef(size_t size, ExprId addr, bool intentional = false, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId RegisterPhi(const SSARegister& dest, const std::vector<SSARegister>& sources,
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId RegisterStackPhi(const SSARegisterStack& dest, const std::vector<SSARegisterStack>& sources,
@@ -15695,8 +15699,8 @@ namespace BinaryNinja {
 		ExprId FreeVarSlotSSA(const Variable& var, size_t newVersion, size_t prevVersion,
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Undefined(const ILSourceLocation& loc = ILSourceLocation());
-		ExprId Unimplemented(const ILSourceLocation& loc = ILSourceLocation());
-		ExprId UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId Unimplemented(bool intentional = false, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId UnimplementedMemoryRef(size_t size, ExprId target, bool intentional = false, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId VarPhi(const SSAVariable& dest, const std::vector<SSAVariable>& sources,
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId MemoryPhi(size_t destMemVersion, const std::vector<size_t>& sourceMemVersions,
@@ -16057,8 +16061,8 @@ namespace BinaryNinja {
 		ExprId IntrinsicSSA(uint32_t intrinsic, const std::vector<ExprId>& params, size_t destMemVersion,
 		    size_t srcMemVersion, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Undefined(const ILSourceLocation& loc = ILSourceLocation());
-		ExprId Unimplemented(const ILSourceLocation& loc = ILSourceLocation());
-		ExprId UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId Unimplemented(bool intentional = false, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId UnimplementedMemoryRef(size_t size, ExprId target, bool intentional = false, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId FloatAdd(size_t size, ExprId a, ExprId b, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId FloatSub(size_t size, ExprId a, ExprId b, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId FloatMult(size_t size, ExprId a, ExprId b, const ILSourceLocation& loc = ILSourceLocation());

highlevelilinstruction.cpp

@@ -1564,7 +1564,6 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_LOW_PART:
 	case HLIL_BOOL_TO_INT:
 	case HLIL_JUMP:
-	case HLIL_UNIMPL_MEM:
 	case HLIL_FSQRT:
 	case HLIL_FNEG:
 	case HLIL_FABS:
@@ -1576,6 +1575,8 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_CEIL:
 	case HLIL_FTRUNC:
 		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()));
+	case HLIL_UNIMPL_MEM:
+		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()), GetRawOperandAsInteger(1));
 	case HLIL_ADD:
 	case HLIL_SUB:
 	case HLIL_AND:
@@ -1658,7 +1659,7 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_UNDEF:
 		return dest->Undefined(loc);
 	case HLIL_UNIMPL:
-		return dest->Unimplemented(loc);
+		return dest->Unimplemented(As<HLIL_UNIMPL>().IsIntentional(), loc);
 	default:
 		throw HighLevelILInstructionAccessException();
 	}
@@ -3238,15 +3239,15 @@ ExprId HighLevelILFunction::Undefined(const ILSourceLocation& loc)
 }
 
 
-ExprId HighLevelILFunction::Unimplemented(const ILSourceLocation& loc)
+ExprId HighLevelILFunction::Unimplemented(bool intentional, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(HLIL_UNIMPL, loc, 0);
+	return AddExprWithLocation(HLIL_UNIMPL, loc, 0, intentional ? 1 : 0);
 }
 
 
-ExprId HighLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc)
+ExprId HighLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId target, bool intentional, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(HLIL_UNIMPL_MEM, loc, size, target);
+	return AddExprWithLocation(HLIL_UNIMPL_MEM, loc, size, target, intentional ? 1 : 0);
 }
 
 

highlevelilinstruction.h

@@ -1270,7 +1270,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_UNIMPL> : public HighLevelILInstructionBase
-	{};
+	{
+		bool IsIntentional() const { return GetRawOperandAsInteger(0) != 0; }
+	};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_UNREACHABLE> : public HighLevelILInstructionBase
 	{};
@@ -1466,7 +1468,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_UNIMPL_MEM> : public HighLevelILOneOperandInstruction
-	{};
+	{
+		bool IsIntentional() const { return GetRawOperandAsInteger(1) != 0; }
+	};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_FSQRT> : public HighLevelILOneOperandInstruction
 	{};

lowlevelilinstruction.cpp

@@ -2302,16 +2302,18 @@ ExprId LowLevelILInstruction::CopyTo(
 	case LLIL_SYSCALL:
 	case LLIL_BP:
 	case LLIL_UNDEF:
-	case LLIL_UNIMPL:
 		return dest->AddExprWithLocation(operation, loc, size, flags);
+	case LLIL_UNIMPL:
+		return dest->AddExprWithLocation(operation, loc, size, flags, GetRawOperandAsInteger(0));
+	case LLIL_UNIMPL_MEM:
+		return dest->AddExprWithLocation(operation, loc, size, flags, subExprHandler(AsOneOperand().GetSourceExpr()), GetRawOperandAsInteger(1));
 	case LLIL_PUSH:
 	case LLIL_NEG:
 	case LLIL_NOT:
 	case LLIL_SX:
 	case LLIL_ZX:
 	case LLIL_LOW_PART:
 	case LLIL_BOOL_TO_INT:
-	case LLIL_UNIMPL_MEM:
 	case LLIL_FSQRT:
 	case LLIL_FNEG:
 	case LLIL_FABS:
@@ -3609,15 +3611,15 @@ ExprId LowLevelILFunction::Undefined(const ILSourceLocation& loc)
 }
 
 
-ExprId LowLevelILFunction::Unimplemented(const ILSourceLocation& loc)
+ExprId LowLevelILFunction::Unimplemented(bool intentional, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(LLIL_UNIMPL, loc, 0, 0);
+	return AddExprWithLocation(LLIL_UNIMPL, loc, 0, 0, intentional ? 1 : 0);
 }
 
 
-ExprId LowLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId addr, const ILSourceLocation& loc)
+ExprId LowLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId addr, bool intentional, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(LLIL_UNIMPL_MEM, loc, size, 0, addr);
+	return AddExprWithLocation(LLIL_UNIMPL_MEM, loc, size, 0, addr, intentional ? 1 : 0);
 }
 
 

lowlevelilinstruction.h

@@ -1883,7 +1883,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_UNIMPL> : public LowLevelILInstructionBase
-	{};
+	{
+		bool IsIntentional() const { return GetRawOperandAsInteger(0) != 0; }
+	};
 
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_CONST> : public LowLevelILConstantInstruction
@@ -2067,7 +2069,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_UNIMPL_MEM> : public LowLevelILOneOperandInstruction
-	{};
+	{
+		bool IsIntentional() const { return GetRawOperandAsInteger(1) != 0; }
+	};
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_FSQRT> : public LowLevelILOneOperandInstruction
 	{};

mediumlevelilinstruction.cpp

@@ -1762,7 +1762,6 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_BOOL_TO_INT:
 	case MLIL_JUMP:
 	case MLIL_RET_HINT:
-	case MLIL_UNIMPL_MEM:
 	case MLIL_FSQRT:
 	case MLIL_FNEG:
 	case MLIL_FABS:
@@ -1774,6 +1773,8 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_CEIL:
 	case MLIL_FTRUNC:
 		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()));
+	case MLIL_UNIMPL_MEM:
+		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()), GetRawOperandAsInteger(1));
 	case MLIL_ADD:
 	case MLIL_SUB:
 	case MLIL_AND:
@@ -1895,7 +1896,7 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_UNDEF:
 		return dest->Undefined(loc);
 	case MLIL_UNIMPL:
-		return dest->Unimplemented(loc);
+		return dest->Unimplemented(As<MLIL_UNIMPL>().IsIntentional(), loc);
 	default:
 		throw MediumLevelILInstructionAccessException();
 	}
@@ -2969,15 +2970,15 @@ ExprId MediumLevelILFunction::Undefined(const ILSourceLocation& loc)
 }
 
 
-ExprId MediumLevelILFunction::Unimplemented(const ILSourceLocation& loc)
+ExprId MediumLevelILFunction::Unimplemented(bool intentional, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(MLIL_UNIMPL, loc, 0);
+	return AddExprWithLocation(MLIL_UNIMPL, loc, 0, intentional ? 1 : 0);
 }
 
 
-ExprId MediumLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc)
+ExprId MediumLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId target, bool intentional, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(MLIL_UNIMPL_MEM, loc, size, target);
+	return AddExprWithLocation(MLIL_UNIMPL_MEM, loc, size, target, intentional ? 1 : 0);
 }
 
 

mediumlevelilinstruction.h

@@ -1579,7 +1579,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_UNIMPL> : public MediumLevelILInstructionBase
-	{};
+	{
+		bool IsIntentional() const { return GetRawOperandAsInteger(0) != 0; }
+	};
 
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_CONST> : public MediumLevelILConstantInstruction
@@ -1766,7 +1768,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_UNIMPL_MEM> : public MediumLevelILOneOperandInstruction
-	{};
+	{
+		bool IsIntentional() const { return GetRawOperandAsInteger(1) != 0; }
+	};
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_FSQRT> : public MediumLevelILOneOperandInstruction
 	{};

python/lowlevelil.py

@@ -5621,28 +5621,32 @@ def undefined(self, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex
 		"""
 		return self.expr(LowLevelILOperation.LLIL_UNDEF, source_location=loc)
 
-	def unimplemented(self, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
+	def unimplemented(self, intentional: bool = False, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
 		"""
 		``unimplemented`` returns the unimplemented expression. This should be used for all instructions which aren't
 		implemented.
 
+		:param bool intentional: if True, renders as ``unknown`` to indicate the value is genuinely unknowable at \
+		    analysis time (not a missing implementation)
 		:param ILSourceLocation loc: location of returned expression
 		:return: the unimplemented expression.
 		:rtype: ExpressionIndex
 		"""
-		return self.expr(LowLevelILOperation.LLIL_UNIMPL, source_location=loc)
+		return self.expr(LowLevelILOperation.LLIL_UNIMPL, intentional, source_location=loc)
 
-	def unimplemented_memory_ref(self, size: int, addr: ExpressionIndex, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
+	def unimplemented_memory_ref(self, size: int, addr: ExpressionIndex, intentional: bool = False, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
 		"""
 		``unimplemented_memory_ref`` a memory reference to expression ``addr`` of size ``size`` with unimplemented operation.
 
 		:param int size: size in bytes of the memory reference
 		:param ExpressionIndex addr: expression to reference memory
+		:param bool intentional: if True, renders as ``unknown`` to indicate the value is genuinely unknowable at \
+		    analysis time (not a missing implementation)
 		:param ILSourceLocation loc: location of returned expression
 		:return: the unimplemented memory reference expression.
 		:rtype: ExpressionIndex
 		"""
-		return self.expr(LowLevelILOperation.LLIL_UNIMPL_MEM, addr, size=size, source_location=loc)
+		return self.expr(LowLevelILOperation.LLIL_UNIMPL_MEM, addr, intentional, size=size, source_location=loc)
 
 	def float_add(
 	    self, size: int, a: ExpressionIndex, b: ExpressionIndex, flags: Optional['architecture.FlagWriteType'] = None,

rust/src/low_level_il/lifting.rs

@@ -1044,6 +1044,15 @@ impl LowLevelILMutableFunction {
     }
 
     no_arg_lifter!(unimplemented, LLIL_UNIMPL, ValueExpr);
+
+    pub fn unknown(&self) -> LowLevelILExpression<'_, Mutable, NonSSA, ValueExpr> {
+        use binaryninjacore_sys::BNLowLevelILAddExpr;
+        use binaryninjacore_sys::BNLowLevelILOperation::LLIL_UNIMPL;
+
+        let expr_idx = unsafe { BNLowLevelILAddExpr(self.handle, LLIL_UNIMPL, 0, 0, 1, 0, 0, 0) };
+
+        LowLevelILExpression::new(self, LowLevelExpressionIndex(expr_idx))
+    }
     no_arg_lifter!(undefined, LLIL_UNDEF, ValueExpr);
     no_arg_lifter!(nop, LLIL_NOP, VoidExpr);
 
@@ -1417,6 +1426,27 @@ impl LowLevelILMutableFunction {
 
     size_changing_unary_op_lifter!(unimplemented_mem, LLIL_UNIMPL_MEM, ValueExpr);
 
+    pub fn unknown_mem<'a, E>(&'a self, size: usize, expr: E) -> ExpressionBuilder<'a, ValueExpr>
+    where
+        E: LiftableLowLevelILWithSize<'a>,
+    {
+        use binaryninjacore_sys::BNLowLevelILOperation::LLIL_UNIMPL_MEM;
+
+        let expr = E::lift(self, expr);
+
+        ExpressionBuilder {
+            function: self,
+            op: LLIL_UNIMPL_MEM,
+            size,
+            flag_write: FlagWriteId(0),
+            op1: expr.index.0 as u64,
+            op2: 1,
+            op3: 0,
+            op4: 0,
+            _ty: PhantomData,
+        }
+    }
+
     sized_unary_op_lifter!(neg, LLIL_NEG, ValueExpr);
     sized_unary_op_lifter!(not, LLIL_NOT, ValueExpr);