angr.analyses.ddg¶

class angr.analyses.ddg.AST¶

Bases: object

A mini implementation for AST

__init__(op, *operands)¶

class angr.analyses.ddg.ProgramVariable¶

Bases: object

Describes a variable in the program at a specific location.

Variables:

variable (SimVariable) – The variable.
location (CodeLocation) – Location of the variable.

__init__(variable, location, initial=False, arch=None)¶

property short_repr¶

class angr.analyses.ddg.DDGJob¶

Bases: object

__init__(cfg_node, call_depth)¶

class angr.analyses.ddg.LiveDefinitions¶

Bases: object

A collection of live definitions with some handy interfaces for definition killing and lookups.

__init__()¶: Constructor.

branch()¶

Create a branch of the current live definition collection.

Returns:: A new LiveDefinition instance.
Return type:: angr.analyses.ddg.LiveDefinitions

copy()¶

Make a hard copy of self.

Returns:: A new LiveDefinition instance.
Return type:: angr.analyses.ddg.LiveDefinitions

add_def(variable, location, size_threshold=32)¶

Add a new definition of variable.

Parameters:

variable (SimVariable) – The variable being defined.
location (CodeLocation) – Location of the variable being defined.
size_threshold (int) – The maximum bytes to consider for the variable.

Returns:

True if the definition was new, False otherwise

Return type:

bool

add_defs(variable, locations, size_threshold=32)¶

Add a collection of new definitions of a variable.

Parameters:

variable (SimVariable) – The variable being defined.
locations (iterable) – A collection of locations where the variable was defined.
size_threshold (int) – The maximum bytes to consider for the variable.

Returns:

True if any of the definition was new, False otherwise

Return type:

bool

kill_def(variable, location, size_threshold=32)¶

Add a new definition for variable and kill all previous definitions.

Parameters:

variable (SimVariable) – The variable to kill.
location (CodeLocation) – The location where this variable is defined.
size_threshold (int) – The maximum bytes to consider for the variable.

Returns:

None

lookup_defs(variable, size_threshold=32)¶

Find all definitions of the variable.

Parameters:

variable (SimVariable) – The variable to lookup for.
size_threshold (int) – The maximum bytes to consider for the variable. For example, if the variable is 100 byte long, only the first size_threshold bytes are considered.

Returns:

A set of code locations where the variable is defined.

Return type:

set

items()¶

An iterator that returns all live definitions.

Returns:: The iterator.
Return type:: iter

itervariables()¶

An iterator that returns all live variables.

Returns:: The iterator.
Return type:: iter

class angr.analyses.ddg.DDGViewItem¶

Bases: object

__init__(ddg, variable, simplified=False)¶

property depends_on¶

property dependents¶

class angr.analyses.ddg.DDGViewInstruction¶

Bases: object

__init__(cfg, ddg, insn_addr, simplified=False)¶

property definitions: list[DDGViewItem]¶

Get all definitions located at the current instruction address.

Returns:: A list of ProgramVariable instances.

class angr.analyses.ddg.DDGView¶

Bases: object

A view of the data dependence graph.

__init__(cfg, ddg, simplified=False)¶

class angr.analyses.ddg.DDG¶

Bases: Analysis

This is a fast data dependence graph directly generated from our CFG analysis result. The only reason for its existence is the speed. There is zero guarantee for being sound or accurate. You are supposed to use it only when you want to track the simplest data dependence, and you do not care about soundness or accuracy.

For a better data dependence graph, please consider performing a better static analysis first (like Value-set Analysis), and then construct a dependence graph on top of the analysis result (for example, the VFG in angr).

The DDG is based on a CFG, which should ideally be a CFGEmulated generated with the following options:

keep_state=True to keep all input states

state_add_options=angr.options.refs to store memory, register, and temporary value accesses

You may want to consider a high value for context_sensitivity_level as well when generating the CFG.

Also note that since we are using states from CFG, any improvement in analysis performed on CFG (like a points-to analysis) will directly benefit the DDG.

__init__(cfg, start=None, call_depth=None, block_addrs=None)¶

Parameters:

cfg – Control flow graph. Please make sure each node has an associated state with it, e.g. by passing the keep_state=True and state_add_options=angr.options.refs arguments to CFGEmulated.
start – An address, Specifies where we start the generation of this data dependence graph.
call_depth – None or integers. A non-negative integer specifies how deep we would like to track in the call tree. None disables call_depth limit.
block_addrs (iterable or None) – A collection of block addresses that the DDG analysis should be performed on.

property graph¶

A networkx DiGraph instance representing the dependence relations between statements. :rtype: networkx.DiGraph

Type:: returns

property data_graph¶

Get the data dependence graph.

Returns:: A networkx DiGraph instance representing data dependence.
Return type:: networkx.DiGraph

property simplified_data_graph¶: return:

property ast_graph¶

pp()¶: Pretty printing.

dbg_repr()¶: Representation for debugging.

get_predecessors(code_location)¶

Returns all predecessors of the code location.

Parameters:: code_location – A CodeLocation instance.
Returns:: A list of all predecessors.

function_dependency_graph(func)¶

Get a dependency graph for the function func.

Parameters:: func – The Function object in CFG.function_manager.
Returns:: A networkx.DiGraph instance.

data_sub_graph(pv, simplified=True, killing_edges=False, excluding_types=None)¶

Get a subgraph from the data graph or the simplified data graph that starts from node pv.

Parameters:

pv (ProgramVariable) – The starting point of the subgraph.
simplified (bool) – When True, the simplified data graph is used, otherwise the data graph is used.
killing_edges (bool) – Are killing edges included or not.
excluding_types (iterable) – Excluding edges whose types are among those excluded types.

Returns:

A subgraph.

Return type:

networkx.MultiDiGraph

find_definitions(variable, location=None, simplified_graph=True)¶

Find all definitions of the given variable.

Parameters:

variable (SimVariable)
simplified_graph (bool) – True if you just want to search in the simplified graph instead of the normal graph. Usually the simplified graph suffices for finding definitions of register or memory variables.

Returns:

A collection of all variable definitions to the specific variable.

Return type:

list

find_consumers(var_def, simplified_graph=True)¶

Find all consumers to the specified variable definition.

Parameters:

var_def (ProgramVariable) – The variable definition.
simplified_graph (bool) – True if we want to search in the simplified graph, False otherwise.

Returns:

A collection of all consumers to the specified variable definition.

Return type:

list

find_killers(var_def, simplified_graph=True)¶

Find all killers to the specified variable definition.

Parameters:

var_def (ProgramVariable) – The variable definition.
simplified_graph (bool) – True if we want to search in the simplified graph, False otherwise.

Returns:

A collection of all killers to the specified variable definition.

Return type:

list

find_sources(var_def, simplified_graph=True)¶

Find all sources to the specified variable definition.

Parameters:

var_def (ProgramVariable) – The variable definition.
simplified_graph (bool) – True if we want to search in the simplified graph, False otherwise.

Returns:

A collection of all sources to the specified variable definition.

Return type:

list