Add Unknown() and IsUnknown() to Unimplemented IL across LLIL/MLIL/HLIL

Adds Unknown() and UnknownMemoryRef() as first-class IL builder functions
(alongside Unimplemented/UnimplementedMemoryRef) that emit the same opcodes
with an unknown flag set. When the flag is set, the expression renders as
"unknown" instead of "unimplemented", indicating a genuinely unknowable
value rather than a missing lift. Suppresses the "Unimplemented Instruction"
auto-address tag.

IsUnknown() accessors on LLIL/MLIL/HLIL instruction types allow callers to
distinguish the two cases. Copy paths preserve the flag correctly.

The motivating case is the x87 C1 rounding flag (IL_FLAGWRITE_X87RND),
which is runtime-dependent and cannot be statically determined.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: plafosse

arch/x86/arch_x86.cpp

@@ -2154,7 +2154,7 @@ size_t X86CommonArchitecture::GetFlagWriteLowLevelIL(BNLowLevelILOperation op, s
 	}
 
 	if (flagWriteType == IL_FLAGWRITE_X87RND && flag == IL_FLAG_C1)
-		return il.Undefined();
+		return il.Unknown();
 
 	if (((flagWriteType == IL_FLAGWRITE_X87COM) || (flagWriteType == IL_FLAGWRITE_X87C1Z)) && (flag == IL_FLAG_C1))
 		return il.Const(0, 0);

binaryninjaapi.h

@@ -15036,13 +15036,21 @@ namespace BinaryNinja {
 		*/
 		ExprId Undefined(const ILSourceLocation& loc = ILSourceLocation());
 
-		/*! Returns the unimplemented expression. This should be used for instructions which aren't implemented
+		/*! Returns the unimplemented expression. This should be used for instructions which aren't implemented.
 
 			\param loc Optional IL Location this expression was added from.
 			\return The unimplemented expression
 		*/
 		ExprId Unimplemented(const ILSourceLocation& loc = ILSourceLocation());
 
+		/*! Returns an unknown expression for values that are genuinely unknowable at analysis time
+			(e.g. runtime-dependent flags). Renders as "unknown" and suppresses unimplemented warnings.
+
+			\param loc Optional IL Location this expression was added from.
+			\return The unknown expression
+		*/
+		ExprId Unknown(const ILSourceLocation& loc = ILSourceLocation());
+
 		/*! A memory reference to expression \c addr of size \c size with unimplemented operation.
 
 			\param size Size in bytes of the memory reference
@@ -15051,6 +15059,16 @@ namespace BinaryNinja {
 			\return The unimplemented memory reference expression.
 		*/
 		ExprId UnimplementedMemoryRef(size_t size, ExprId addr, const ILSourceLocation& loc = ILSourceLocation());
+
+		/*! A memory reference to expression \c addr of size \c size for a genuinely unknowable value.
+			Renders as "unknown" and suppresses unimplemented warnings.
+
+			\param size Size in bytes of the memory reference
+			\param addr Expression to reference memory
+			\param loc Optional IL Location this expression was added from.
+			\return The unknown memory reference expression.
+		*/
+		ExprId UnknownMemoryRef(size_t size, ExprId addr, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId RegisterPhi(const SSARegister& dest, const std::vector<SSARegister>& sources,
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId RegisterStackPhi(const SSARegisterStack& dest, const std::vector<SSARegisterStack>& sources,
@@ -15696,7 +15714,9 @@ namespace BinaryNinja {
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Undefined(const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Unimplemented(const ILSourceLocation& loc = ILSourceLocation());
+		ExprId Unknown(const ILSourceLocation& loc = ILSourceLocation());
 		ExprId UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId UnknownMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId VarPhi(const SSAVariable& dest, const std::vector<SSAVariable>& sources,
 		    const ILSourceLocation& loc = ILSourceLocation());
 		ExprId MemoryPhi(size_t destMemVersion, const std::vector<size_t>& sourceMemVersions,
@@ -16058,7 +16078,9 @@ namespace BinaryNinja {
 		    size_t srcMemVersion, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Undefined(const ILSourceLocation& loc = ILSourceLocation());
 		ExprId Unimplemented(const ILSourceLocation& loc = ILSourceLocation());
+		ExprId Unknown(const ILSourceLocation& loc = ILSourceLocation());
 		ExprId UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc = ILSourceLocation());
+		ExprId UnknownMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId FloatAdd(size_t size, ExprId a, ExprId b, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId FloatSub(size_t size, ExprId a, ExprId b, const ILSourceLocation& loc = ILSourceLocation());
 		ExprId FloatMult(size_t size, ExprId a, ExprId b, const ILSourceLocation& loc = ILSourceLocation());

highlevelilinstruction.cpp

@@ -1564,7 +1564,6 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_LOW_PART:
 	case HLIL_BOOL_TO_INT:
 	case HLIL_JUMP:
-	case HLIL_UNIMPL_MEM:
 	case HLIL_FSQRT:
 	case HLIL_FNEG:
 	case HLIL_FABS:
@@ -1576,6 +1575,8 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_CEIL:
 	case HLIL_FTRUNC:
 		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()));
+	case HLIL_UNIMPL_MEM:
+		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()), GetRawOperandAsInteger(1));
 	case HLIL_ADD:
 	case HLIL_SUB:
 	case HLIL_AND:
@@ -1658,7 +1659,7 @@ ExprId HighLevelILInstruction::CopyTo(
 	case HLIL_UNDEF:
 		return dest->Undefined(loc);
 	case HLIL_UNIMPL:
-		return dest->Unimplemented(loc);
+		return As<HLIL_UNIMPL>().IsUnknown() ? dest->Unknown(loc) : dest->Unimplemented(loc);
 	default:
 		throw HighLevelILInstructionAccessException();
 	}
@@ -3240,13 +3241,25 @@ ExprId HighLevelILFunction::Undefined(const ILSourceLocation& loc)
 
 ExprId HighLevelILFunction::Unimplemented(const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(HLIL_UNIMPL, loc, 0);
+	return AddExprWithLocation(HLIL_UNIMPL, loc, 0, 0);
+}
+
+
+ExprId HighLevelILFunction::Unknown(const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(HLIL_UNIMPL, loc, 0, 1);
 }
 
 
 ExprId HighLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(HLIL_UNIMPL_MEM, loc, size, target);
+	return AddExprWithLocation(HLIL_UNIMPL_MEM, loc, size, target, 0);
+}
+
+
+ExprId HighLevelILFunction::UnknownMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(HLIL_UNIMPL_MEM, loc, size, target, 1);
 }
 
 

highlevelilinstruction.h

@@ -1270,7 +1270,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_UNIMPL> : public HighLevelILInstructionBase
-	{};
+	{
+		bool IsUnknown() const { return GetRawOperandAsInteger(0) != 0; }
+	};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_UNREACHABLE> : public HighLevelILInstructionBase
 	{};
@@ -1466,7 +1468,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_UNIMPL_MEM> : public HighLevelILOneOperandInstruction
-	{};
+	{
+		bool IsUnknown() const { return GetRawOperandAsInteger(1) != 0; }
+	};
 	template <>
 	struct HighLevelILInstructionAccessor<HLIL_FSQRT> : public HighLevelILOneOperandInstruction
 	{};

lowlevelilinstruction.cpp

@@ -2302,16 +2302,18 @@ ExprId LowLevelILInstruction::CopyTo(
 	case LLIL_SYSCALL:
 	case LLIL_BP:
 	case LLIL_UNDEF:
-	case LLIL_UNIMPL:
 		return dest->AddExprWithLocation(operation, loc, size, flags);
+	case LLIL_UNIMPL:
+		return dest->AddExprWithLocation(operation, loc, size, flags, GetRawOperandAsInteger(0));
+	case LLIL_UNIMPL_MEM:
+		return dest->AddExprWithLocation(operation, loc, size, flags, subExprHandler(AsOneOperand().GetSourceExpr()), GetRawOperandAsInteger(1));
 	case LLIL_PUSH:
 	case LLIL_NEG:
 	case LLIL_NOT:
 	case LLIL_SX:
 	case LLIL_ZX:
 	case LLIL_LOW_PART:
 	case LLIL_BOOL_TO_INT:
-	case LLIL_UNIMPL_MEM:
 	case LLIL_FSQRT:
 	case LLIL_FNEG:
 	case LLIL_FABS:
@@ -3611,13 +3613,25 @@ ExprId LowLevelILFunction::Undefined(const ILSourceLocation& loc)
 
 ExprId LowLevelILFunction::Unimplemented(const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(LLIL_UNIMPL, loc, 0, 0);
+	return AddExprWithLocation(LLIL_UNIMPL, loc, 0, 0, 0);
+}
+
+
+ExprId LowLevelILFunction::Unknown(const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(LLIL_UNIMPL, loc, 0, 0, 1);
 }
 
 
 ExprId LowLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId addr, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(LLIL_UNIMPL_MEM, loc, size, 0, addr);
+	return AddExprWithLocation(LLIL_UNIMPL_MEM, loc, size, 0, addr, 0);
+}
+
+
+ExprId LowLevelILFunction::UnknownMemoryRef(size_t size, ExprId addr, const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(LLIL_UNIMPL_MEM, loc, size, 0, addr, 1);
 }
 
 

lowlevelilinstruction.h

@@ -1883,7 +1883,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_UNIMPL> : public LowLevelILInstructionBase
-	{};
+	{
+		bool IsUnknown() const { return GetRawOperandAsInteger(0) != 0; }
+	};
 
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_CONST> : public LowLevelILConstantInstruction
@@ -2067,7 +2069,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_UNIMPL_MEM> : public LowLevelILOneOperandInstruction
-	{};
+	{
+		bool IsUnknown() const { return GetRawOperandAsInteger(1) != 0; }
+	};
 	template <>
 	struct LowLevelILInstructionAccessor<LLIL_FSQRT> : public LowLevelILOneOperandInstruction
 	{};

mediumlevelilinstruction.cpp

@@ -1762,7 +1762,6 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_BOOL_TO_INT:
 	case MLIL_JUMP:
 	case MLIL_RET_HINT:
-	case MLIL_UNIMPL_MEM:
 	case MLIL_FSQRT:
 	case MLIL_FNEG:
 	case MLIL_FABS:
@@ -1774,6 +1773,8 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_CEIL:
 	case MLIL_FTRUNC:
 		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()));
+	case MLIL_UNIMPL_MEM:
+		return dest->AddExprWithLocation(operation, loc, size, subExprHandler(AsOneOperand().GetSourceExpr()), GetRawOperandAsInteger(1));
 	case MLIL_ADD:
 	case MLIL_SUB:
 	case MLIL_AND:
@@ -1895,7 +1896,7 @@ ExprId MediumLevelILInstruction::CopyTo(MediumLevelILFunction* dest,
 	case MLIL_UNDEF:
 		return dest->Undefined(loc);
 	case MLIL_UNIMPL:
-		return dest->Unimplemented(loc);
+		return As<MLIL_UNIMPL>().IsUnknown() ? dest->Unknown(loc) : dest->Unimplemented(loc);
 	default:
 		throw MediumLevelILInstructionAccessException();
 	}
@@ -2971,13 +2972,25 @@ ExprId MediumLevelILFunction::Undefined(const ILSourceLocation& loc)
 
 ExprId MediumLevelILFunction::Unimplemented(const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(MLIL_UNIMPL, loc, 0);
+	return AddExprWithLocation(MLIL_UNIMPL, loc, 0, 0);
+}
+
+
+ExprId MediumLevelILFunction::Unknown(const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(MLIL_UNIMPL, loc, 0, 1);
 }
 
 
 ExprId MediumLevelILFunction::UnimplementedMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc)
 {
-	return AddExprWithLocation(MLIL_UNIMPL_MEM, loc, size, target);
+	return AddExprWithLocation(MLIL_UNIMPL_MEM, loc, size, target, 0);
+}
+
+
+ExprId MediumLevelILFunction::UnknownMemoryRef(size_t size, ExprId target, const ILSourceLocation& loc)
+{
+	return AddExprWithLocation(MLIL_UNIMPL_MEM, loc, size, target, 1);
 }
 
 

mediumlevelilinstruction.h

@@ -1579,7 +1579,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_UNIMPL> : public MediumLevelILInstructionBase
-	{};
+	{
+		bool IsUnknown() const { return GetRawOperandAsInteger(0) != 0; }
+	};
 
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_CONST> : public MediumLevelILConstantInstruction
@@ -1766,7 +1768,9 @@ namespace BinaryNinja
 	{};
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_UNIMPL_MEM> : public MediumLevelILOneOperandInstruction
-	{};
+	{
+		bool IsUnknown() const { return GetRawOperandAsInteger(1) != 0; }
+	};
 	template <>
 	struct MediumLevelILInstructionAccessor<MLIL_FSQRT> : public MediumLevelILOneOperandInstruction
 	{};

python/lowlevelil.py

@@ -5630,7 +5630,18 @@ def unimplemented(self, loc: Optional['ILSourceLocation'] = None) -> ExpressionI
 		:return: the unimplemented expression.
 		:rtype: ExpressionIndex
 		"""
-		return self.expr(LowLevelILOperation.LLIL_UNIMPL, source_location=loc)
+		return self.expr(LowLevelILOperation.LLIL_UNIMPL, False, source_location=loc)
+
+	def unknown(self, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
+		"""
+		``unknown`` returns an unknown expression for values that are genuinely unknowable at analysis time
+		(e.g. runtime-dependent flags). Renders as ``unknown`` and suppresses unimplemented warnings.
+
+		:param ILSourceLocation loc: location of returned expression
+		:return: the unknown expression.
+		:rtype: ExpressionIndex
+		"""
+		return self.expr(LowLevelILOperation.LLIL_UNIMPL, True, source_location=loc)
 
 	def unimplemented_memory_ref(self, size: int, addr: ExpressionIndex, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
 		"""
@@ -5642,7 +5653,20 @@ def unimplemented_memory_ref(self, size: int, addr: ExpressionIndex, loc: Option
 		:return: the unimplemented memory reference expression.
 		:rtype: ExpressionIndex
 		"""
-		return self.expr(LowLevelILOperation.LLIL_UNIMPL_MEM, addr, size=size, source_location=loc)
+		return self.expr(LowLevelILOperation.LLIL_UNIMPL_MEM, addr, False, size=size, source_location=loc)
+
+	def unknown_memory_ref(self, size: int, addr: ExpressionIndex, loc: Optional['ILSourceLocation'] = None) -> ExpressionIndex:
+		"""
+		``unknown_memory_ref`` a memory reference to expression ``addr`` of size ``size`` for a genuinely unknowable
+		value. Renders as ``unknown`` and suppresses unimplemented warnings.
+
+		:param int size: size in bytes of the memory reference
+		:param ExpressionIndex addr: expression to reference memory
+		:param ILSourceLocation loc: location of returned expression
+		:return: the unknown memory reference expression.
+		:rtype: ExpressionIndex
+		"""
+		return self.expr(LowLevelILOperation.LLIL_UNIMPL_MEM, addr, True, size=size, source_location=loc)
 
 	def float_add(
 	    self, size: int, a: ExpressionIndex, b: ExpressionIndex, flags: Optional['architecture.FlagWriteType'] = None,

rust/src/low_level_il/lifting.rs

@@ -1044,6 +1044,15 @@ impl LowLevelILMutableFunction {
     }
 
     no_arg_lifter!(unimplemented, LLIL_UNIMPL, ValueExpr);
+
+    pub fn unknown(&self) -> LowLevelILExpression<'_, Mutable, NonSSA, ValueExpr> {
+        use binaryninjacore_sys::BNLowLevelILAddExpr;
+        use binaryninjacore_sys::BNLowLevelILOperation::LLIL_UNIMPL;
+
+        let expr_idx = unsafe { BNLowLevelILAddExpr(self.handle, LLIL_UNIMPL, 0, 0, 1, 0, 0, 0) };
+
+        LowLevelILExpression::new(self, LowLevelExpressionIndex(expr_idx))
+    }
     no_arg_lifter!(undefined, LLIL_UNDEF, ValueExpr);
     no_arg_lifter!(nop, LLIL_NOP, VoidExpr);
 
@@ -1417,6 +1426,27 @@ impl LowLevelILMutableFunction {
 
     size_changing_unary_op_lifter!(unimplemented_mem, LLIL_UNIMPL_MEM, ValueExpr);
 
+    pub fn unknown_mem<'a, E>(&'a self, size: usize, expr: E) -> ExpressionBuilder<'a, ValueExpr>
+    where
+        E: LiftableLowLevelILWithSize<'a>,
+    {
+        use binaryninjacore_sys::BNLowLevelILOperation::LLIL_UNIMPL_MEM;
+
+        let expr = E::lift(self, expr);
+
+        ExpressionBuilder {
+            function: self,
+            op: LLIL_UNIMPL_MEM,
+            size,
+            flag_write: FlagWriteId(0),
+            op1: expr.index.0 as u64,
+            op2: 1,
+            op3: 0,
+            op4: 0,
+            _ty: PhantomData,
+        }
+    }
+
     sized_unary_op_lifter!(neg, LLIL_NEG, ValueExpr);
     sized_unary_op_lifter!(not, LLIL_NOT, ValueExpr);