angr.analyses.cfg_slice_to_sink¶
- class angr.analyses.cfg_slice_to_sink.CFGSliceToSink
Bases:
objectThe representation of a slice of a CFG.
- __init__(target, transitions=None)
- Parameters:
target (angr.knowledge_plugins.functions.function.Function) – The targeted sink, to which every path in the slice leads.
transitions (Dict[int,List[int]]) – A mapping representing transitions in the graph. Indexes are source addresses and values a list of destination addresses, for which there exists a transition in the slice from source to destination.
- property transitions_as_tuples
The list of transitions as pairs of (source, destination).
- property target
return angr.knowledge_plugins.functions.function.Function: The targeted sink function, from which the slice is constructed.
- property entrypoints
Entrypoints are all source addresses that are not the destination address of any transition.
- Return List[int]:
The list of entrypoints addresses.
- add_transitions(transitions)
Add the given transitions to the current slice.
- is_empty()
Test if a given slice does not contain any transition.
- Return bool:
True if the <CFGSliceToSink> instance does not contain any transitions. False otherwise.
- path_between(source, destination, visited=None)
Check the existence of a path in the slice between two given node addresses.
- Parameters:
- Return type:
- Returns:
True if there is a path between the source and the destination in the CFG, False if not, or if we have been unable to decide (because of loops).
- angr.analyses.cfg_slice_to_sink.slice_callgraph(callgraph, cfg_slice_to_sink)
Slice a callgraph, keeping only the nodes present in the <CFGSliceToSink> representation, and th transitions for which a path exists.
Note that this function mutates the graph passed as an argument.
- Parameters:
callgraph (networkx.MultiDiGraph) – The callgraph to update.
cfg_slice_to_sink (CFGSliceToSink) – The representation of the slice, containing the data to update the callgraph from.
- angr.analyses.cfg_slice_to_sink.slice_cfg_graph(graph, cfg_slice_to_sink)
Slice a CFG graph, keeping only the transitions and nodes present in the <CFGSliceToSink> representation.
Note that this function mutates the graph passed as an argument.
- Parameters:
graph (networkx.DiGraph) – The graph to slice.
cfg_slice_to_sink (CFGSliceToSink) – The representation of the slice, containing the data to update the CFG from.
- Return networkx.DiGraph:
The sliced graph.
- angr.analyses.cfg_slice_to_sink.slice_function_graph(function_graph, cfg_slice_to_sink)
Slice a function graph, keeping only the nodes present in the <CFGSliceToSink> representation.
Because the <CFGSliceToSink> is build from the CFG, and the function graph is NOT a subgraph of the CFG, edges of the function graph will no be present in the <CFGSliceToSink> transitions. However, we use the fact that if there is an edge between two nodes in the function graph, then there must exist a path between these two nodes in the slice; Proof idea: - The <CFGSliceToSink> is backward and recursively constructed; - If a node is in the slice, then all its predecessors will be (transitively); - If there is an edge between two nodes in the function graph, there is a path between them in the CFG; - So: The origin node is a transitive predecessor of the destination one, hence if destination is in the slice, then origin will be too.
In consequence, in the end, removing the only nodes not present in the slice, and their related transitions gives us the expected result: a function graph representing (a higher view of) the flow in the slice.
Note that this function mutates the graph passed as an argument.
- Parameters:
graph (networkx.DiGraph) – The graph to slice.
cfg_slice_to_sink (CFGSliceToSink) – The representation of the slice, containing the data to update the CFG from.
- Return networkx.DiGraph:
The sliced graph.
Submodules
Some utilitary functions to manage our representation of transitions: |