What kind of disassembling technique does Ghidra use?

[caitlincoffey]

Hello everyone--I'm doing a school project on disassemblers and decompilers. I was wondering what technique Ghidra uses to disassemble code in x86 Assembly (Linear sweep, recursive traversal, etc.). Any help would be appreciated!

[nsadeveloper789]

To offer you the best learning opportunity, I'll point you to our Disassembler:

ghidra/Ghidra/Framework/SoftwareModeling/src/main/java/ghidra/program/disassemble/Disassembler.java

Line 545 in f198116

public AddressSet disassemble(Address startAddr, AddressSetView restrictedSet,

. For the question you posed, I think you'll find your answer almost immediately.

Our disassembly engine is actually generic. The answer you find applies not only to x86, but to every processor Ghidra supports.

[emteere]

There's quite a few. I'd have to "review" the literature to give them all a proper name.
There was a SOK paper that describes and compares many of the tools: https://arxiv.org/pdf/2007.14266.pdf and their techniques.
The real part of disassembly is identifying what is code, what is data, and the relationships between the two. Identifying the start location of a run of instructions is the real algorithm. Then recovering flow that is dynamically computed.

The raw Disassembler is the mechanism for disassembling an instruction and then following apparent flows from those instructions.
Ghidra has a hierarchy of techniques to identify known locations (debug, entry point, etc...), symbolic emulation, to heuristic (guessing at what a pointer is pointing to). The idea is to take advantage of what you know first.
For disassembly we would be Recursive Descent.

We don't generally do linear sweep because it isn't generally good on all processors when you might have data embedded in the code for processor such as ARM. We do have an analyzer that can be turned on that does this, but it is always off by default until you know more about the code.

I've always viewed it as careful disassembly. It is generally better to know why a piece of code is reached, and it might not be code, which is all part of the RE analysis. How careful you are depends on what you are trying to do and how automated you must be because too heuristic an automation can lead to incorrect analysis.

We do have some hybrid forms of linear sweep, for example the function starts has patterns for general function starts that most of the time must have additional evidence that the pattern is a good start, for example following a good return instruction.