List of State Options

angr Documentation
Search…
README
Introductory Errata
List of Claripy Operations
List of State Options
Changelog
Migrating to angr 9.1
Migrating to angr 8
Migrating to angr 7
List of State Options
State Modes
These may be enabled by passing mode=xxx to a state constructor.
Mode name
Description
symbolic
The default mode. Useful for most emulation and analysis tasks.
symbolic_approximating
Symbolic mode, but enables approximations for constraint solving.
static
A preset useful for static analysis. The memory model becomes an abstract region-mapping system, "fake return" successors skipping calls are added, and more.
fastpath
A preset for extremely lightweight static analysis. Executing will skip all intensive processing to give a quick view of the behavior of code.
tracing
A preset for attempting to execute concretely through a program with a given input. Enables unicorn, enables resilience options, and will attempt to emulate access violations correctly.
Option Sets
These are sets of options, found as angr.options.xxx.
Set name
Description
common_options
Options necessary for basic execution
symbolic
Options necessary for basic symbolic execution
resilience
Options that harden angr's emulation against unsupported operations, attempting to carry on by treating the result as an unconstrained symbolic value and logging the occasion to state.history.events.
refs
Options that cause angr to keep a log of all the memory, register, and temporary references complete with dependency information in history.actions. This option consumes a lot of memory, so be careful!
approximation
Options that enable approximations of constraint solves via value-set analysis instead of calling into z3
simplification
Options that cause data to be run through z3's simplifiers before it reaches memory or register storage
unicorn
Options that enable the unicorn engine for executing on concrete data
Options
These are individual option objects, found as angr.options.XXX.
Option name
Description
Sets
Modes
Implicit adds
ABSTRACT_MEMORY
Use SimAbstractMemory to model memory as discrete regions
​
static
​
ABSTRACT_SOLVER
Allow splitting constraint sets during simplification
​
static
​
ACTION_DEPS
Track dependencies in SimActions
​
​
​
APPROXIMATE_GUARDS
Use VSA when evaluating guard conditions
​
​
​
APPROXIMATE_MEMORY_INDICES
Use VSA when evaluating memory indices
approximation
symbolic_approximating
​
APPROXIMATE_MEMORY_SIZES
Use VSA when evaluating memory load/store sizes
approximation
symbolic_approximating
​
APPROXIMATE_SATISFIABILITY
Use VSA when evaluating state satisfiability
approximation
symbolic_approximating
​
AST_DEPS
Enables dependency tracking for all claripy ASTs
​
​
During execution
AUTO_REFS
An internal option used to track dependencies in SimProcedures
​
​
During execution
AVOID_MULTIVALUED_READS
Return a symbolic value without touching memory for any read that has a symbolic address
​
fastpath
​
AVOID_MULTIVALUED_WRITES
Do not perfrom any write that has a symbolic address
​
fastpath
​
BEST_EFFORT_MEMORY_STORING
Handle huge writes of symbolic size by pretending they are actually smaller
​
static, fastpath
​
BREAK_SIRSB_END
Debug: trigger a breakpoint at the end of each block
​
​
​
BREAK_SIRSB_START
Debug: trigger a breakpoint at the start of each block
​
​
​
BREAK_SIRSTMT_END
Debug: trigger a breakpoint at the end of each IR statement
​
​
​
BREAK_SIRSTMT_START
Debug: trigger a breakpoint at the start of each IR statement
​
​
​
BYPASS_ERRORED_IRCCALL
Treat clean helpers that fail with errors as returning unconstrained symbolic values
resilience
fastpath, tracing
​
BYPASS_ERRORED_IROP
Treat operations that fail with errors as returning unconstrained symbolic values
resilience
fastpath, tracing
​
BYPASS_UNSUPPORTED_IRCCALL
Treat unsupported clean helpers as returning unconstrained symbolic values
resilience
fastpath, tracing
​
List of Claripy Operations
Changelog
Last modified 2yr ago
Export as PDF
Copy link
Contents
State Modes
Option Sets
Options