Type library for certain std::string::operator+=(char*) has wrong number of arguments

[zsarge]

Version and Platform (required):

• Binary Ninja Version: 4.2.6455 free, 2c8da1e
• OS: fedora
• OS Version: 40
• CPU Architecture: x86_64

Bug Description:

Binary Ninja does not properly represent C++'s += operator when acting on short strings.

I'm seeing the decompiled result:

std::string::operator+=(this: &var_68)
std::string::operator+=(this: &var_68)

when I would expect something like:

std::string::operator+=(this: &var_68, "k")
std::string::operator+=(this: &var_68, "car")

Steps To Reproduce:

I've attached a .zip file with my writeup and the offending binary:

issue-with-plus-equals.zip

This comes from this problem from CrackMes.

Note that all .zip files download from this website will have the password crackmes.one.

To reproduce this issue, try to open the crackme binary, and read through the checkPassword function.

Expected Behavior:

Binary Ninja should be able to represent instances where short strings are added to a C++ string object.

Screenshots:

Ghidra gets this correct. Lines 32 and 33 are what I would expect.

Binary Ninja does not properly represent this, meaning that the logic is obscured and the challenge is harder to complete.

Additional Information:

I'm still learning about Binary Ninja, so it's totally possible I'm doing something wrong.

[xusheng6]

It seems that our type library for function std::string::operator+= is wrong (that it does not contain the second parameter). Though I will need a second eye to confirm this

[plafosse]

Looks like its a problem with the libc type library:

>>> bv.type_libraries[2].get_named_object(current_symbol.raw_name)
<type: immutable:FunctionTypeClass 'class std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&(class std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >* const this)'>