[Swift] Add support for applying parameter and return types during demangling

This is disabled by default due to a current limitation where core is
not able to represent parameters that are small structs being passed
across multiple registers. `analysis.swift.extractTypesFromMangledNames`
can be enabled to test this.

Author: bdash

plugins/workflow_swift/src/demangler/function_type.rs

@@ -0,0 +1,271 @@
+use binaryninja::architecture::{ArchitectureExt, CoreArchitecture, Register};
+use binaryninja::confidence::Conf;
+use binaryninja::rc::Ref;
+use binaryninja::types::{FunctionParameter, Type};
+use binaryninja::variable::{Variable, VariableSourceType};
+use swift_demangler::{
+    Accessor, AccessorKind, ConstructorKind, HasFunctionSignature, HasModule, Metadata,
+    MetadataKind, Symbol,
+};
+
+use super::type_reconstruction::{make_named_type_ref, TypeRefExt};
+
+/// Swift calling convention builder.
+///
+/// Tracks which implicit parameters (self, error, async context) are present,
+/// constructs the corresponding `FunctionParameter`s, and resolves the correct
+/// architecture-specific calling convention when building the final function type.
+struct CallingConvention {
+    arch: CoreArchitecture,
+    flags: u8,
+    leading_params: Vec<FunctionParameter>,
+    trailing_params: Vec<FunctionParameter>,
+}
+
+impl CallingConvention {
+    const SELF: u8 = 1;
+    const THROWS: u8 = 2;
+    const ASYNC: u8 = 4;
+
+    fn for_arch(arch: &CoreArchitecture) -> Self {
+        Self {
+            arch: *arch,
+            flags: 0,
+            leading_params: Vec::new(),
+            trailing_params: Vec::new(),
+        }
+    }
+
+    /// Mark this as a concrete instance method with self in x20.
+    fn set_self(&mut self, module: Option<&str>, containing_type: &str) {
+        self.flags |= Self::SELF;
+        let named_ty = make_named_type_ref(module, containing_type);
+        let self_ty = Type::pointer(&self.arch, &named_ty);
+        self.leading_params.push(FunctionParameter {
+            ty: self_ty.into(),
+            name: "self".to_string(),
+            location: None,
+        });
+    }
+
+    /// Optionally mark as a concrete instance method if `containing_type` is `Some`.
+    fn set_self_if(&mut self, module: Option<&str>, containing_type: Option<&str>) {
+        if let Some(ct) = containing_type {
+            self.set_self(module, ct);
+        }
+    }
+
+    /// Mark this as a protocol witness method. Self is in x20 (swift-self)
+    /// like concrete methods. The self type metadata and witness table are
+    /// appended as trailing arguments after the explicit params.
+    fn set_protocol_self(&mut self, module: Option<&str>, containing_type: &str) {
+        self.set_self(module, containing_type);
+        let void_ptr = Type::pointer(&self.arch, &Type::void());
+        self.trailing_params.push(FunctionParameter {
+            ty: void_ptr.clone().into(),
+            name: "selfMetadata".to_string(),
+            location: None,
+        });
+        self.trailing_params.push(FunctionParameter {
+            ty: void_ptr.into(),
+            name: "selfWitnessTable".to_string(),
+            location: None,
+        });
+    }
+
+    fn set_protocol_self_if(&mut self, module: Option<&str>, containing_type: Option<&str>) {
+        if let Some(ct) = containing_type {
+            self.set_protocol_self(module, ct);
+        }
+    }
+
+    /// Mark this as a throwing function.
+    fn set_throws(&mut self) {
+        self.flags |= Self::THROWS;
+    }
+
+    /// Mark this as an async function.
+    fn set_async(&mut self) {
+        self.flags |= Self::ASYNC;
+    }
+
+    /// Build the final function type.
+    ///
+    /// Prepends `self` before `params` and appends error/async context after,
+    /// then looks up the appropriate calling convention by name on the architecture.
+    fn build_type(self, ret_type: &Type, params: Vec<FunctionParameter>) -> Ref<Type> {
+        let mut all_params = self.leading_params;
+        all_params.extend(params);
+        all_params.extend(self.trailing_params);
+
+        if self.flags & Self::THROWS != 0 {
+            let error_ty = Type::pointer(&self.arch, &make_named_type_ref(Some("Swift"), "Error"));
+            all_params.push(FunctionParameter {
+                ty: error_ty.into(),
+                name: "error".to_string(),
+                location: None,
+            });
+        }
+
+        if self.flags & Self::ASYNC != 0 {
+            let ptr_ty = Type::pointer(&self.arch, &Type::void());
+            all_params.push(FunctionParameter {
+                ty: ptr_ty.into(),
+                name: "asyncContext".to_string(),
+                location: None,
+            });
+        }
+
+        Type::function(ret_type, all_params, false)
+    }
+}
+
+/// Build a Binary Ninja function type from a parsed Swift symbol.
+///
+/// Returns `None` if the symbol does not have a function signature (e.g. metadata, variables).
+/// Thunks are intentionally excluded for now.
+pub fn build_function_type(symbol: &Symbol, arch: &CoreArchitecture) -> Option<Ref<Type>> {
+    match symbol {
+        Symbol::Accessor(a) => return build_accessor_type(a, arch),
+        Symbol::Metadata(m) => return build_metadata_function_type(m, arch),
+        Symbol::Attributed(a) => return build_function_type(&a.inner, arch),
+        Symbol::Specialization(s) => return build_function_type(&s.inner, arch),
+        Symbol::Suffixed(s) => return build_function_type(&s.inner, arch),
+        _ => {}
+    }
+
+    let mut cc = CallingConvention::for_arch(arch);
+
+    // Determine implicit `self` parameter for instance methods/constructors.
+    match symbol {
+        Symbol::Function(f) if f.is_method() && !f.is_static() => {
+            if f.containing_type_is_protocol() {
+                cc.set_protocol_self_if(f.module(), f.containing_type());
+            } else {
+                cc.set_self_if(f.module(), f.containing_type());
+            }
+        }
+        Symbol::Constructor(c) if c.kind() != ConstructorKind::Allocating => {
+            cc.set_self_if(c.module(), c.containing_type());
+        }
+        Symbol::Destructor(d) => {
+            cc.set_self_if(d.module(), d.containing_type());
+            return Some(cc.build_type(&Type::void(), vec![]));
+        }
+        _ => {}
+    };
+
+    let (sig, labels) = match symbol {
+        Symbol::Function(f) => (f.signature(), f.labels()),
+        Symbol::Constructor(c) => (c.signature(), c.labels()),
+        Symbol::Closure(c) => (c.signature(), vec![]),
+        _ => (None, vec![]),
+    };
+    let sig = sig?;
+
+    if sig.is_throwing() {
+        cc.set_throws();
+    }
+    if sig.is_async() {
+        cc.set_async();
+    }
+
+    let params: Vec<FunctionParameter> = sig
+        .parameters()
+        .iter()
+        .enumerate()
+        .filter_map(|(i, p)| {
+            let ty = p.type_ref.to_bn_type(arch)?;
+            let name = labels
+                .get(i)
+                .copied()
+                .flatten()
+                .or(p.label)
+                .unwrap_or("")
+                .to_string();
+            Some(FunctionParameter {
+                ty: ty.into(),
+                name,
+                location: None,
+            })
+        })
+        .collect();
+
+    let ret_type = sig
+        .return_type()
+        .and_then(|rt| rt.to_bn_type(arch))
+        .unwrap_or_else(Type::void);
+
+    Some(cc.build_type(&ret_type, params))
+}
+
+/// Build a function type for a property accessor from its property type.
+fn build_accessor_type(accessor: &Accessor, arch: &CoreArchitecture) -> Option<Ref<Type>> {
+    let prop_ty = accessor
+        .property_type()
+        .and_then(|pt| pt.to_bn_type(arch))?;
+
+    let mut cc = CallingConvention::for_arch(arch);
+
+    // Non-static instance accessors take `self` as a parameter.
+    if !accessor.is_static() {
+        if let Some(ct) = accessor.containing_type() {
+            cc.set_self(accessor.module(), &ct);
+        }
+    }
+
+    match accessor.kind() {
+        // Getter-like: (self) -> PropertyType
+        AccessorKind::Getter | AccessorKind::GlobalGetter | AccessorKind::Read => {
+            Some(cc.build_type(&prop_ty, vec![]))
+        }
+
+        // Setter-like: (self, newValue: PropertyType) -> Void
+        AccessorKind::Setter
+        | AccessorKind::WillSet
+        | AccessorKind::DidSet
+        | AccessorKind::Modify
+        | AccessorKind::Init => {
+            let params = vec![FunctionParameter {
+                ty: prop_ty.into(),
+                name: "newValue".to_string(),
+                location: None,
+            }];
+            Some(cc.build_type(&Type::void(), params))
+        }
+
+        _ => None,
+    }
+}
+
+/// Build a function type for Swift runtime metadata functions.
+fn build_metadata_function_type(metadata: &Metadata, arch: &CoreArchitecture) -> Option<Ref<Type>> {
+    let void_ptr = Type::pointer(arch, &Type::void());
+
+    match metadata.kind() {
+        // Type metadata accessor: void* fn()
+        // Returns a pointer to the type metadata singleton.
+        MetadataKind::AccessFunction | MetadataKind::CanonicalSpecializedGenericAccessFunction => {
+            Some(Type::function(&void_ptr, vec![], false))
+        }
+
+        // Method lookup function: void* fn(void* metadata, void* method)
+        MetadataKind::MethodLookupFunction => {
+            let params = vec![
+                FunctionParameter {
+                    ty: void_ptr.clone().into(),
+                    name: "metadata".to_string(),
+                    location: None,
+                },
+                FunctionParameter {
+                    ty: void_ptr.clone().into(),
+                    name: "method".to_string(),
+                    location: None,
+                },
+            ];
+            Some(Type::function(&void_ptr, params, false))
+        }
+
+        _ => None,
+    }
+}

plugins/workflow_swift/src/demangler/mod.rs

@@ -1,9 +1,22 @@
+mod function_type;
+mod name;
+mod type_reconstruction;
+
 use binaryninja::architecture::CoreArchitecture;
 use binaryninja::binary_view::BinaryView;
 use binaryninja::demangle::CustomDemangler;
 use binaryninja::rc::Ref;
+use binaryninja::settings::{QueryOptions, Settings};
 use binaryninja::types::{QualifiedName, Type};
 
+fn should_extract_types(view: Option<&BinaryView>) -> bool {
+    let mut opts = match view {
+        Some(v) => QueryOptions::new_with_view(v),
+        None => QueryOptions::new(),
+    };
+    Settings::new().get_bool_with_opts(crate::SETTING_EXTRACT_TYPES, &mut opts)
+}
+
 pub struct SwiftDemangler;
 
 impl CustomDemangler for SwiftDemangler {
@@ -19,16 +32,25 @@ impl CustomDemangler for SwiftDemangler {
 
     fn demangle(
         &self,
-        _arch: &CoreArchitecture,
+        arch: &CoreArchitecture,
         name: &str,
-        _view: Option<Ref<BinaryView>>,
+        view: Option<Ref<BinaryView>>,
     ) -> Option<(QualifiedName, Option<Ref<Type>>)> {
         let ctx = swift_demangler::Context::new();
         let symbol = swift_demangler::Symbol::parse(&ctx, name)?;
-        // Use the canonical demangled form from the parsed node tree.
-        // This matches what `xcrun swift-demangle` produces.
-        // TODO: Use the structured Symbol API to also reconstruct BN Types.
-        let demangled = symbol.display();
-        Some((QualifiedName::from(demangled), None))
+
+        if should_extract_types(view.as_deref()) {
+            let ty = function_type::build_function_type(&symbol, arch);
+            let qname = if ty.is_some() {
+                name::build_short_name(&symbol)
+            } else {
+                None
+            }
+            .unwrap_or_else(|| QualifiedName::from(symbol.display()));
+            Some((qname, ty))
+        } else {
+            let qname = QualifiedName::from(symbol.display());
+            Some((qname, None))
+        }
     }
 }