angr.analyses.reaching_definitions.function_handler

angr.analyses.reaching_definitions.function_handler.get_exit_livedefinitions(func, rda_model)

Get LiveDefinitions at all exits of a function, merge them, and return.

Parameters:
class angr.analyses.reaching_definitions.function_handler.FunctionEffect

Bases: object

A single effect that a function summary may apply to the state. This is largely an implementation detail; use FunctionCallData.depends instead.

dest: Atom | None
sources: set[Atom]
value: MultiValues | None = None
sources_defns: set[Definition] | None = None
apply_at_callsite: bool = False
tags: set[Tag] | None = None
__init__(dest, sources, value=None, sources_defns=None, apply_at_callsite=False, tags=None)
Parameters:
Return type:

None

class angr.analyses.reaching_definitions.function_handler.FunctionCallData

Bases: object

A bundle of intermediate data used when computing the sum effect of a function during ReachingDefinitionsAnalysis.

RDA engine contract:

  • Construct one of these before calling FunctionHandler.handle_function. Fill it with as many fields as you can realistically provide without duplicating effort.

  • Provide callsite_codeloc as either the call statement (AIL) or the default exit of the default statement of the calling block (VEX).

  • Provide function_codeloc as the callee address with stmt_idx=0.

Function handler contract:

  • If redefine_locals is unset, do not adjust any artifacts of the function call abstraction, such as the stack pointer, the caller saved registers, etc.

  • If caller_will_handle_single_ret is set, and there is a single entry in ret_atoms, do not apply effects that modify this atom to the state. Instead, set ret_values and ret_values_deps to the values and the deps used in constructing those values.

callsite_codeloc: CodeLocation
function_codeloc: CodeLocation
address_multi: MultiValues[BV | FP] | None
address: int | None = None
symbol: Symbol | None = None
function: Function | None = None
name: str | None = None
cc: SimCC | None = None
prototype: SimTypeFunction | None = None
args_atoms: list[set[Atom]] | None = None
args_values: list[MultiValues[BV | FP]] | None = None
ret_atoms: set[Atom] | None = None
redefine_locals: bool = True
visited_blocks: set[int] | None = None
effects: list[FunctionEffect]
ret_values: MultiValues[BV | FP] | None = None
ret_values_deps: set[Definition] | None = None
caller_will_handle_single_ret: bool = False
guessed_cc: bool = False
guessed_prototype: bool = False
retaddr_popped: bool = False
has_clobbered(dest)

Determines whether the given atom already has effects applied.

Return type:

bool

Parameters:

dest (Atom)

depends(dest, *sources, value=None, apply_at_callsite=False, tags=None)

Mark a single effect of the current function, including the atom being modified, the input atoms on which that output atom depends, the precise (or imprecise!) value to store, and whether the effect should be applied during the function or afterwards, at the callsite.

The tags are used to annotate the Definition of the Atom that will be created when the function effects are applied to the state.

The atom being modified may be None to mark uses of the source atoms which do not have any explicit sinks.

Parameters:
reset_prototype(prototype, state, soft_reset=False)
Return type:

set[Atom]

Parameters:
__init__(callsite_codeloc, function_codeloc, address_multi, address=None, symbol=None, function=None, name=None, cc=None, prototype=None, args_atoms=None, args_values=None, ret_atoms=None, redefine_locals=True, visited_blocks=None, effects=<factory>, ret_values=None, ret_values_deps=None, caller_will_handle_single_ret=False, guessed_cc=False, guessed_prototype=False, retaddr_popped=False)
Parameters:
Return type:

None

class angr.analyses.reaching_definitions.function_handler.FunctionCallDataUnwrapped

Bases: FunctionCallData

A subclass of FunctionCallData which asserts that many of its members are non-None at construction time. Typechecks be gone!

address_multi: MultiValues
__init__(inner)
Parameters:

inner (FunctionCallData)

static decorate(wrapper, *, wrapped=<function FunctionCallDataUnwrapped.decorate>, assigned=('__module__', '__name__', '__qualname__', '__doc__', '__annotations__', '__type_params__'), updated=('__dict__', ))

Update a wrapper function to look like the wrapped function.

  • wrapper is the function to be updated

  • wrapped is the original function

  • assigned is a tuple naming the attributes assigned directly from the wrapped function to the wrapper function (defaults to functools.WRAPPER_ASSIGNMENTS)

  • updated is a tuple naming the attributes of the wrapper that are updated with the corresponding attribute from the wrapped function (defaults to functools.WRAPPER_UPDATES)

class angr.analyses.reaching_definitions.function_handler.FunctionCallRelationships

Bases: object

Produced by the function handler, provides associated callsite info and function input/output definitions.

callsite: CodeLocation
target: int | None
args_defns: list[set[Definition]]
other_input_defns: set[Definition]
ret_defns: set[Definition]
other_output_defns: set[Definition]
__init__(callsite, target, args_defns, other_input_defns, ret_defns, other_output_defns)
Parameters:
Return type:

None

class angr.analyses.reaching_definitions.function_handler.FunctionHandler

Bases: object

A mechanism for summarizing a function call’s effect on a program for ReachingDefinitionsAnalysis.

__init__(interfunction_level=0, extra_impls=None)
Parameters:
  • interfunction_level (int) – Maximum depth to which local function exploration continues

  • extra_impls (Iterable[type[FunctionHandler]] | None) – FunctionHandler classes to implement beyond what’s implemented in function_handler_library

interfunction_level: int
hook(analysis)

Attach this instance of the function handler to an instance of RDA.

Return type:

FunctionHandler

Parameters:

analysis (ReachingDefinitionsAnalysis)

make_function_codeloc(target, callsite, callsite_func_addr)

The RDA engine will call this function to transform a callsite CodeLocation into a callee CodeLocation.

Parameters:
handle_function(state, data)

The main entry point for the function handler. Called with an RDA state and a FunctionCallData, it is expected to update the state and the data as per the contracts described on FunctionCallData.

You can override this method to take full control over how data is processed, or override any of the following to use the higher-level interface (data.depends()):

  • handle_impl_<function name> - used for <function name>.

  • handle_local_function - used for any function (excluding plt stubs) whose address is inside the main binary.

  • handle_external_function - used for any function or plt stub whose address is outside the main binary.

  • handle_indirect_function - used for any function whose target cannot be resolved.

  • handle_generic_function - used as a default if none of the above are overridden.

Each of them takes the same signature as handle_function.

Parameters:
handle_generic_function(state, data)
Parameters:
handle_indirect_function(state, data)
Return type:

None

Parameters:
handle_local_function(state, data)
Return type:

None

Parameters:
handle_external_function(state, data)
Return type:

None

Parameters:
recurse_analysis(state, data)

Precondition: data.function MUST NOT BE NONE in order to call this method.

Return type:

None

Parameters:
static c_args_as_atoms(state, cc, prototype)
Return type:

list[set[Atom]]

Parameters:
static c_return_as_atoms(state, cc, prototype)
Return type:

set[Atom]

Parameters:
static caller_saved_regs_as_atoms(state, cc)
Return type:

set[Register]

Parameters:
static stack_pointer_as_atom(state)
Return type:

Register
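
Added example (not angr code, and it does not import angr): a stand-alone model of the handle_function hook selection and the data.depends() / has_clobbered() contract described above, written as a small source-to-sink summary for recv and system. The names CallData, ModelHandler, TaintHandler, MAIN_BINARY and is_plt are hypothetical, atoms are plain strings instead of Atom objects, and the dispatch order (handle_impl_<name>, then the local/external/indirect hook, then generic) is an assumption taken from the order of the list above.

```python
from dataclasses import dataclass, field
from typing import Optional

MAIN_BINARY = range(0x400000, 0x500000)  # constructed address range of the main object

@dataclass
class CallData:
    """Stand-in for FunctionCallData; atoms are plain strings here."""
    name: Optional[str]
    address: Optional[int]       # None models a target that cannot be resolved
    args: tuple = ()
    is_plt: bool = False         # hypothetical flag, not a FunctionCallData field
    effects: list = field(default_factory=list)  # (dest, sources, apply_at_callsite)

    def has_clobbered(self, dest):
        return any(d == dest for d, _, _ in self.effects)

    def depends(self, dest, *sources, apply_at_callsite=False):
        self.effects.append((dest, set(sources), apply_at_callsite))

class ModelHandler:
    def handle_function(self, data):
        """Run the most specific hook that exists and return its name."""
        if data.address is None:
            kind = "indirect"
        elif data.address in MAIN_BINARY and not data.is_plt:
            kind = "local"
        else:
            kind = "external"
        for hook in (f"handle_impl_{data.name}", f"handle_{kind}_function",
                     "handle_generic_function"):
            if hasattr(self, hook):
                getattr(self, hook)(data)
                return hook

    def handle_generic_function(self, data):
        # Conservative default: the return value depends on every argument.
        if not data.has_clobbered("ret"):
            data.depends("ret", *data.args)

class TaintHandler(ModelHandler):
    def handle_impl_recv(self, data):
        fd, buf, length, _flags = data.args
        data.depends(f"mem[{buf}]", fd, length)  # buffer is defined from the socket
        self.handle_generic_function(data)       # return value uses the default

    def handle_impl_system(self, data):
        data.depends(None, f"mem[{data.args[0]}]")  # a use with no sink: dest is None

    def handle_indirect_function(self, data):
        # Recorded with apply_at_callsite=True, i.e. applied after the call.
        data.depends("ret", *data.args, apply_at_callsite=True)
```
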