angr.analyses.reaching_definitions

class angr.analyses.reaching_definitions.Atom

Bases: object

This class represents a data storage location manipulated by IR instructions.

It can be a Tmp (temporary variable), a Register, or a MemoryLocation.

__init__(size)
Parameters:

size – The size of the atom in bytes

size
property bits: int
static from_ail_expr(expr, arch, full_reg=False)
Return type:

Register

Parameters:
static from_argument(argument, arch, full_reg=False, sp=None)

Instantiate an Atom from a given argument.

Parameters:
  • argument (SimFunctionArgument) – The argument to create a new atom from.

  • arch (Arch) – The archinfo architecture for the argument.

  • full_reg – Whether to return an atom indicating the entire register if the argument only specifies a slice of the register.

  • sp (int | None) – The current stack offset. Optional. Only used when argument is a SimStackArg.

Return type:

Register | MemoryLocation

static reg(thing, size=None, arch=None)

Create a Register atom.

Parameters:
  • thing (str | RegisterOffset) – The register offset (e.g., project.arch.registers["rax"][0]) or the register name (e.g., "rax").

  • size (int | None) – Size of the register atom. Must be provided when creating the atom using a register offset.

  • arch (Arch | None) – The architecture. Must be provided when creating the atom using a register name.

Return type:

Register

Returns:

The Register Atom object.

static register(thing, size=None, arch=None)

Create a Register atom.

Parameters:
  • thing (str | RegisterOffset) – The register offset (e.g., project.arch.registers["rax"][0]) or the register name (e.g., "rax").

  • size (int | None) – Size of the register atom. Must be provided when creating the atom using a register offset.

  • arch (Arch | None) – The architecture. Must be provided when creating the atom using a register name.

Return type:

Register

Returns:

The Register Atom object.

static mem(addr, size, endness=None)

Create a MemoryLocation atom.

Parameters:
  • addr (SpOffset | HeapAddress | int) – The memory location. Can be an SpOffset for stack variables, an int for global memory variables, or a HeapAddress for items on the heap.

  • size (int) – Size of the atom.

  • endness (Endness | None) – Optional, either "Iend_LE" or "Iend_BE".

Return type:

MemoryLocation

Returns:

The MemoryLocation Atom object.

static memory(addr, size, endness=None)

Create a MemoryLocation atom.

Parameters:
  • addr (SpOffset | HeapAddress | int) – The memory location. Can be an SpOffset for stack variables, an int for global memory variables, or a HeapAddress for items on the heap.

  • size (int) – Size of the atom.

  • endness (Endness | None) – Optional, either "Iend_LE" or "Iend_BE".

Return type:

MemoryLocation

Returns:

The MemoryLocation Atom object.

class angr.analyses.reaching_definitions.AtomKind

Bases: Enum

An enum indicating the class of an atom.

REGISTER = 1
MEMORY = 2
TMP = 3
GUARD = 4
CONSTANT = 5
class angr.analyses.reaching_definitions.ConstantSrc

Bases: Atom

Represents a constant.

value: int
class angr.analyses.reaching_definitions.Definition

Bases: Generic

An atom definition.

Variables:
  • atom – The atom being defined.

  • codeloc – Where this definition is created in the original binary code.

  • dummy – Whether the definition should be considered dummy. During simplification by AILment, definitions marked as dummy will not be removed.

  • tags – A set of tags containing information about the definition gathered during analyses.

__init__(atom, codeloc, dummy=False, tags=None)
Parameters:
  • atom (A)

  • codeloc (CodeLoc)

  • dummy (bool)

  • tags (set[Tag] | None)

atom
codeloc
dummy
tags
property offset: int
property size: int
matches(**kwargs)

Return whether this definition has certain characteristics.

Return type:

bool

class angr.analyses.reaching_definitions.FunctionCallData

Bases: object

A bundle of intermediate data used when computing the sum effect of a function during ReachingDefinitionsAnalysis.

RDA engine contract:

  • Construct one of these before calling FunctionHandler.handle_function. Fill it with as many fields as you can realistically provide without duplicating effort.

  • Provide callsite_codeloc as either the call statement (AIL) or the default exit of the default statement of the calling block (VEX).

  • Provide function_codeloc as the callee address with stmt_idx=0.

Function handler contract:

  • If redefine_locals is unset, do not adjust any artifacts of the function call abstraction, such as the stack pointer, the caller saved registers, etc.

  • If caller_will_handle_single_ret is set, and there is a single entry in ret_atoms, do not apply effects that modify this atom to the state. Instead, set ret_values and ret_values_deps to the values and deps which are used in constructing these values.

callsite_codeloc: CodeLocation
function_codeloc: CodeLocation
address_multi: MultiValues[BV | FP] | None
address: int | None = None
symbol: Symbol | None = None
function: Function | None = None
name: str | None = None
cc: SimCC | None = None
prototype: SimTypeFunction | None = None
args_atoms: list[set[Atom]] | None = None
args_values: list[MultiValues[BV | FP]] | None = None
ret_atoms: set[Atom] | None = None
redefine_locals: bool = True
visited_blocks: set[int] | None = None
effects: list[FunctionEffect]
ret_values: MultiValues[BV | FP] | None = None
ret_values_deps: set[Definition] | None = None
caller_will_handle_single_ret: bool = False
guessed_cc: bool = False
guessed_prototype: bool = False
retaddr_popped: bool = False
has_clobbered(dest)

Determines whether the given atom already has effects applied.

Return type:

bool

Parameters:

dest (Atom)

depends(dest, *sources, value=None, apply_at_callsite=False, tags=None)

Mark a single effect of the current function, including the atom being modified, the input atoms on which that output atom depends, the precise (or imprecise!) value to store, and whether the effect should be applied during the function or afterwards, at the callsite.

The tags are used to annotate the Definition of the Atom that will be created, when the function effects are applied to the state.

The atom being modified may be None to mark uses of the source atoms which do not have any explicit sinks.

Parameters:
reset_prototype(prototype, state, soft_reset=False)
Return type:

set[Atom]

Parameters:
__init__(callsite_codeloc, function_codeloc, address_multi, address=None, symbol=None, function=None, name=None, cc=None, prototype=None, args_atoms=None, args_values=None, ret_atoms=None, redefine_locals=True, visited_blocks=None, effects=<factory>, ret_values=None, ret_values_deps=None, caller_will_handle_single_ret=False, guessed_cc=False, guessed_prototype=False, retaddr_popped=False)
Parameters:
Return type:

None

class angr.analyses.reaching_definitions.FunctionCallRelationships

Bases: object

Produced by the function handler, provides associated callsite info and function input/output definitions.

callsite: CodeLocation
target: int | None
args_defns: list[set[Definition]]
other_input_defns: set[Definition]
ret_defns: set[Definition]
other_output_defns: set[Definition]
__init__(callsite, target, args_defns, other_input_defns, ret_defns, other_output_defns)
Parameters:
Return type:

None

class angr.analyses.reaching_definitions.FunctionHandler

Bases: object

A mechanism for summarizing a function call’s effect on a program for ReachingDefinitionsAnalysis.

__init__(interfunction_level=0, extra_impls=None)
Parameters:
  • interfunction_level (int) – Maximum depth to which local function exploration continues.

  • extra_impls (Iterable[type[FunctionHandler]] | None) – FunctionHandler classes to implement beyond what’s implemented in function_handler_library

interfunction_level: int
hook(analysis)

Attach this instance of the function handler to an instance of RDA.

Return type:

FunctionHandler

Parameters:

analysis (ReachingDefinitionsAnalysis)

make_function_codeloc(target, callsite, callsite_func_addr)

The RDA engine will call this function to transform a callsite CodeLocation into a callee CodeLocation.

Parameters:
handle_function(state, data)

The main entry point for the function handler. Called with an RDA state and a FunctionCallData, it is expected to update the state and the data as per the contracts described on FunctionCallData.

You can override this method to take full control over how data is processed, or override any of the following to use the higher-level interface (data.depends()):

  • handle_impl_<function name> - used for <function name>.

  • handle_local_function - used for any function (excluding plt stubs) whose address is inside the main binary.

  • handle_external_function - used for any function or plt stub whose address is outside the main binary.

  • handle_indirect_function - used for any function whose target cannot be resolved.

  • handle_generic_function - used as a default if none of the above are overridden.

Each of them takes the same signature as handle_function.

Parameters:
handle_generic_function(state, data)
Parameters:
handle_indirect_function(state, data)
Return type:

None

Parameters:
handle_local_function(state, data)
Return type:

None

Parameters:
handle_external_function(state, data)
Return type:

None

Parameters:
recurse_analysis(state, data)

Precondition: data.function MUST NOT BE NONE in order to call this method.

Return type:

None

Parameters:
static c_args_as_atoms(state, cc, prototype)
Return type:

list[set[Atom]]

Parameters:
static c_return_as_atoms(state, cc, prototype)
Return type:

set[Atom]

Parameters:
static caller_saved_regs_as_atoms(state, cc)
Return type:

set[Register]

Parameters:
static stack_pointer_as_atom(state)
Return type:

Register

class angr.analyses.reaching_definitions.GuardUse

Bases: Atom

Implements a guard use.

target
class angr.analyses.reaching_definitions.LiveDefinitions

Bases: object

A LiveDefinitions instance contains definitions and uses for register, stack, memory, and temporary variables, uncovered during the analysis.

INITIAL_SP_16BIT = 32512
INITIAL_SP_32BIT = 2147418112
INITIAL_SP_64BIT = 140737488289792
__init__(arch, track_tmps=False, canonical_size=8, registers=None, stack=None, memory=None, heap=None, tmps=None, others=None, register_uses=None, stack_uses=None, heap_uses=None, memory_uses=None, tmp_uses=None, other_uses=None, element_limit=5, merge_into_tops=True)
Parameters:
project: Project | None
arch
track_tmps
registers: MultiValuedMemory
stack: MultiValuedMemory
memory: MultiValuedMemory
heap: MultiValuedMemory
tmps: dict[int, set[Definition]]
others: dict[Atom, MultiValues]
register_uses
stack_uses
heap_uses
memory_uses
tmp_uses: dict[int, set[CodeLocation]]
other_uses
uses_by_codeloc: dict[CodeLocation, set[Definition]]
copy(discard_tmpdefs=False)
Return type:

LiveDefinitions

reset_uses()
static top(bits)

Get a TOP value.

Parameters:

bits (int) – Width of the TOP value (in bits).

Returns:

The TOP value.

static is_top(expr)

Check if the given expression is a TOP value.

Parameters:

expr – The given expression.

Return type:

bool

Returns:

True if the expression is TOP, False otherwise.

stack_address(offset)
Return type:

BV

Parameters:

offset (int)

static is_stack_address(addr)
Return type:

bool

Parameters:

addr (Base)

static get_stack_offset(addr, had_stack_base=False)
Return type:

int | None

Parameters:

addr (Base)

static annotate_with_def(symvar, definition)
Parameters:
Return type:

TypeVar(MVType, bound= BV | FP)

Returns:

static extract_defs(symvar)
Return type:

Generator[Definition]

Parameters:

symvar (Base)

static extract_defs_from_annotations(annos)
Return type:

set[Definition]

Parameters:

annos (Iterable[Annotation])

static extract_defs_from_mv(mv)
Return type:

Generator[Definition]

Parameters:

mv (MultiValues)

get_sp()

Return the concrete value contained by the stack pointer.

Return type:

int

get_sp_offset()

Return the offset of the stack pointer.

Return type:

int | None

get_stack_address(offset)
Return type:

int | None

Parameters:

offset (Base)

stack_offset_to_stack_addr(offset)
Return type:

int

merge(*others)
Return type:

tuple[LiveDefinitions, bool]

Parameters:

others (LiveDefinitions)

compare(other)
Return type:

bool

Parameters:

other (LiveDefinitions)

kill_definitions(atom)

Overwrite existing definitions w.r.t ‘atom’ with a dummy definition instance. A dummy definition will not be removed during simplification.

Parameters:

atom (Atom)

Return type:

None

Returns:

None

kill_and_add_definition(atom, code_loc, data, dummy=False, tags=None, endness=None, annotated=False)
Return type:

MultiValues | None

Parameters:
add_use(atom, code_loc, expr=None)
Return type:

None

Parameters:
add_use_by_def(definition, code_loc, expr=None)
Return type:

None

Parameters:
get_definitions(thing)
Parameters:

thing (Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]] | MultiValues)

Return type:

set[Definition[Atom]]

get_tmp_definitions(tmp_idx)
Return type:

set[Definition]

Parameters:

tmp_idx (int)

get_register_definitions(reg_offset, size)
Return type:

set[Definition]

Parameters:
get_stack_values(stack_offset, size, endness)
Return type:

MultiValues | None

Parameters:
  • stack_offset (int)

  • size (int)

  • endness (str)

get_stack_definitions(stack_offset, size)
Return type:

set[Definition]

Parameters:
  • stack_offset (int)

  • size (int)

get_heap_definitions(heap_addr, size)
Return type:

set[Definition]

Parameters:
get_memory_definitions(addr, size)
Return type:

set[Definition]

Parameters:
get_values(spec, endness=None)
Parameters:
Return type:

MultiValues | None

get_one_value(spec, strip_annotations=False)
Parameters:
Return type:

claripy.ast.bv.BV | None

get_concrete_value(spec, cast_to=<class 'int'>)
Overloads:
  • self, spec (A | Definition[A] | Iterable[A] | Iterable[Definition[A]]), cast_to (type[int]) → int | None

  • self, spec (A | Definition[A] | Iterable[A] | Iterable[Definition[A]]), cast_to (type[bytes]) → bytes | None

Parameters:
Return type:

int | bytes | None

add_register_use(reg_offset, size, code_loc, expr=None)
Return type:

None

Parameters:
add_register_use_by_def(def_, code_loc, expr=None)
Return type:

None

Parameters:
add_stack_use(atom, code_loc, expr=None)
Return type:

None

Parameters:
add_stack_use_by_def(def_, code_loc, expr=None)
Return type:

None

Parameters:
add_heap_use(atom, code_loc, expr=None)
Return type:

None

Parameters:
add_heap_use_by_def(def_, code_loc, expr=None)
Return type:

None

Parameters:
add_memory_use(atom, code_loc, expr=None)
Return type:

None

Parameters:
add_memory_use_by_def(def_, code_loc, expr=None)
Return type:

None

Parameters:
add_tmp_use(atom, code_loc)
Return type:

None

Parameters:
add_tmp_use_by_def(def_, code_loc)
Return type:

None

Parameters:
deref(pointer, size, endness=Endness.BE)
Overloads:
  • self, pointer (MultiValues[claripy.ast.BV] | Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]]), size (int | DerefSize), endness (archinfo.Endness) → set[MemoryLocation]

  • self, pointer (int | claripy.ast.BV | HeapAddress | SpOffset), size (int | DerefSize), endness (archinfo.Endness) → MemoryLocation | None

static is_heap_address(addr)
Return type:

bool

Parameters:

addr (Base)

static get_heap_offset(addr)
Return type:

int | None

Parameters:

addr (Base)

heap_address(offset)
Return type:

BV

Parameters:

offset (int | HeapAddress)

class angr.analyses.reaching_definitions.MemoryLocation

Bases: Atom

Represents a memory slice.

It is characterized by its address and its size.

__init__(addr, size, endness=None)
Parameters:
  • addr (SpOffset | HeapAddress | int) – The address of the beginning memory location slice.

  • size (int) – The size of the represented memory location, in bytes.

  • endness (Endness | None)

addr: SpOffset | int | BV
endness
property is_on_stack: bool

True if this memory location is located on the stack.

property symbolic: bool
class angr.analyses.reaching_definitions.ObservationPointType

Bases: IntEnum

Enum to replace the previously generic constants. This makes it possible to annotate where they are expected by typing something as ObservationPointType instead of Literal[0,1].

OP_BEFORE = 0
OP_AFTER = 1
__new__(value)
class angr.analyses.reaching_definitions.ReachingDefinitionsAnalysis

Bases: ForwardAnalysis[ReachingDefinitionsState, NodeType, object, object, object], Analysis

ReachingDefinitionsAnalysis is a text-book implementation of a static data-flow analysis that works on either a function or a block. It supports both VEX and AIL. By registering observers to observation points, users may use this analysis to generate use-def chains, def-use chains, and reaching definitions, and perform other traditional data-flow analyses such as liveness analysis.

  • I’ve always wanted to find a better name for this analysis. Now I gave up and decided to live with this name for the foreseeable future (until a better name is proposed by someone else).

  • Aliasing is definitely a problem, and I forgot how aliasing is resolved in this implementation. I’ll leave this as a post-graduation TODO.

  • Some more documentation and examples would be nice.

__init__(subject, func_graph=None, max_iterations=30, track_tmps=False, track_consts=True, observation_points=None, init_state=None, init_context=None, state_initializer=None, cc=None, function_handler=None, observe_all=False, visited_blocks=None, dep_graph=True, observe_callback=None, canonical_size=8, stack_pointer_tracker=None, use_callee_saved_regs_at_return=True, interfunction_level=0, track_liveness=True, func_addr=None, element_limit=5, merge_into_tops=True)
Parameters:
  • subject (Subject | Block | Block | Function | str) – The subject of the analysis: a function, or a single basic block

  • func_graph – Alternative graph for function.graph.

  • max_iterations – The maximum number of iterations before the analysis is terminated.

  • track_tmps – Whether or not temporary variables should be taken into consideration during the analysis.

  • observation_points (Iterable[tuple[Literal['insn', 'node', 'stmt', 'exit'], int | tuple[int, int] | tuple[int, int, int], ObservationPointType]] | None) – A collection of tuples of ("node"|"insn", ins_addr, OP_TYPE) defining where reaching definitions should be copied and stored. OP_TYPE can be OP_BEFORE or OP_AFTER.

  • init_state (ReachingDefinitionsState | None) – An optional initialization state. The analysis creates and works on a copy. Defaults to None, in which case the analysis initializes its own abstract state, based on the given <Subject>.

  • init_context – If init_state is not given, this is used to initialize the context field of the initial state’s CodeLocation. The only default-supported type which may go here is a tuple of integers, i.e. a callstack. Anything else requires a custom FunctionHandler.

  • cc – Calling convention of the function.

  • function_handler (FunctionHandler | None) – The function handler to update the analysis state and results on function calls.

  • observe_all – Observe every statement, both before and after.

  • visited_blocks – A set of previously visited blocks.

  • dep_graph (DepGraph | bool | None) – An initial dependency graph to add the result of the analysis to. Set it to None to skip dependency graph generation.

  • canonical_size – The sizes (in bytes) that objects with an UNKNOWN_SIZE are treated as for operations where sizes are necessary.

  • dep_graph – Set this to True to generate a dependency graph for the subject. It will be available as result.dep_graph.

  • interfunction_level (int) – The number of functions we should recurse into. This parameter is only used if function_handler is not provided.

  • track_liveness (bool) – Whether to track liveness information. This can consume sizeable amounts of RAM on large functions. (e.g. ~15GB for a function with 4k nodes)

  • merge_into_tops (bool) – Merge known values into TOP if TOP is present. If True: {TOP} V {0xabc} = {TOP}. If False: {TOP} V {0xabc} = {TOP, 0xabc}.

  • state_initializer (RDAStateInitializer | None)

  • func_addr (int | None)

  • element_limit (int)
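
The observation points and the merge_into_tops rule described above, as an added example that is not angr code: a self-contained toy model in plain Python (no angr import) that runs a worklist reaching-definitions analysis over a constructed four-block CFG. The names CFG, analyze, merge and transfer are hypothetical; only the OP_BEFORE/OP_AFTER values and the merge rule are taken from this page.

```python
from enum import IntEnum

TOP = "<TOP>"  # stand-in for an unknown value


class ObservationPointType(IntEnum):
    # Local mirror of the values listed on this page.
    OP_BEFORE = 0
    OP_AFTER = 1


# Constructed toy function: block addr -> (statements, successor addrs).
# A statement is (dst, kind, operand), kind in {"const", "copy", "unknown"}.
CFG = {
    0x10: ([("rdi", "unknown", None), ("rax", "const", 0xABC)], [0x20, 0x30]),
    0x20: ([("rax", "copy", "rdi")], [0x40]),
    0x30: ([("rbx", "const", 1)], [0x40]),
    0x40: ([("rcx", "copy", "rax")], []),
}


def merge(states, merge_into_tops):
    """Join abstract states where control flow merges.

    A state maps atom name -> (set of definitions, set of possible values).
    """
    out = {}
    for st in states:
        for atom, (defs, vals) in st.items():
            d, v = out.get(atom, (frozenset(), frozenset()))
            out[atom] = (d | defs, v | vals)
    if merge_into_tops:
        # {TOP} V {0xabc} = {TOP}: known values are absorbed by TOP.
        out = {a: (d, frozenset({TOP}) if TOP in v else v)
               for a, (d, v) in out.items()}
    return out


def transfer(addr, stmts, state, use_def):
    """Apply one block: each statement kills dst's old definitions, adds one."""
    state = dict(state)
    for idx, (dst, kind, operand) in enumerate(stmts):
        if kind == "const":
            vals = frozenset({operand})
        elif kind == "copy":
            # Reading an atom with no definition yields TOP.
            src_defs, vals = state.get(operand, (frozenset(), frozenset({TOP})))
            use_def[(addr, idx)] = src_defs  # use-def chain entry
        else:
            vals = frozenset({TOP})
        state[dst] = (frozenset({(dst, addr, idx)}), vals)
    return state


def analyze(cfg, entry, merge_into_tops=True):
    """Worklist fixpoint; observes every node before and after."""
    preds = {a: [] for a in cfg}
    for a, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(a)
    out_states, observed, use_def = {}, {}, {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop(0)
        done = [out_states[p] for p in preds[addr] if p in out_states]
        in_state = merge(done, merge_into_tops)
        new_out = transfer(addr, cfg[addr][0], in_state, use_def)
        observed[("node", addr, ObservationPointType.OP_BEFORE)] = in_state
        observed[("node", addr, ObservationPointType.OP_AFTER)] = new_out
        if out_states.get(addr) != new_out:
            out_states[addr] = new_out
            worklist.extend(s for s in cfg[addr][1] if s not in worklist)
    return observed, use_def


if __name__ == "__main__":
    for flag in (True, False):
        obs, _ = analyze(CFG, 0x10, merge_into_tops=flag)
        defs, vals = obs[("node", 0x40, ObservationPointType.OP_BEFORE)]["rax"]
        print(flag, sorted(defs), sorted(map(str, vals)))
```

At the join block 0x40, rax has two reaching definitions either way; the flag only changes whether the concrete value 0xabc survives next to TOP.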

property observed_results: dict[tuple[str, int, int], LiveDefinitions]
property all_definitions
property all_uses
property one_result
property dep_graph: DepGraph
property visited_blocks
get_reaching_definitions_by_insn(ins_addr, op_type)
get_reaching_definitions_by_node(node_addr, op_type)
node_observe(node_addr, state, op_type, node_idx=None)
Parameters:
  • node_addr (int) – Address of the node.

  • state (ReachingDefinitionsState) – The analysis state.

  • op_type (ObservationPointType) – Type of the observation point. Must be one of the following: OP_BEFORE, OP_AFTER.

  • node_idx (int | None) – ID of the node. Used in AIL to differentiate blocks with the same address.

Return type:

None

insn_observe(insn_addr, stmt, block, state, op_type)
Parameters:
Return type:

None

stmt_observe(stmt_idx, stmt, block, state, op_type)
Parameters:
Return type:

None

Returns:

exit_observe(node_addr, exit_stmt_idx, block, state, node_idx=None)
Parameters:
property subject
callsites_to(target)
Return type:

Iterable[FunctionCallRelationships]

Parameters:

target (int | str | Function)

class angr.analyses.reaching_definitions.ReachingDefinitionsModel

Bases: object

Models the definitions, uses, and memory of a ReachingDefinitionsState object.

__init__(func_addr=None, track_liveness=True)
Parameters:
  • func_addr (int | None)

  • track_liveness (bool)

add_def(d)
Return type:

None

Parameters:

d (Definition)

kill_def(d)
Return type:

None

Parameters:

d (Definition)

at_new_stmt(codeloc)
Return type:

None

Parameters:

codeloc (CodeLocation)

at_new_block(code_loc, pred_codelocs)
Return type:

None

Parameters:
make_liveness_snapshot()
Return type:

None

find_defs_at(code_loc, op=ObservationPointType.OP_BEFORE)
Return type:

set[Definition]

Parameters:
get_defs(atom, code_loc, op)
Return type:

set[Definition]

Parameters:
copy()
Return type:

ReachingDefinitionsModel

merge(model)
Parameters:

model (ReachingDefinitionsModel)

get_observation_by_insn(ins_addr, kind)
Return type:

LiveDefinitions | None

Parameters:
get_observation_by_node(node_addr, kind, node_idx=None)
Return type:

LiveDefinitions | None

Parameters:
get_observation_by_stmt(arg1, arg2, arg3=None, *, block_idx=None)
Overloads:
  • self, codeloc (CodeLocation), kind (ObservationPointType) → LiveDefinitions | None

  • self, node_addr (int), stmt_idx (int), kind (ObservationPointType), block_idx (int | None)

get_observation_by_exit(node_addr, stmt_idx, src_node_idx=None)
Return type:

LiveDefinitions | None

Parameters:
  • node_addr (int)

  • stmt_idx (int)

  • src_node_idx (int | None)

class angr.analyses.reaching_definitions.ReachingDefinitionsState

Bases: object

Represents the internal state of the ReachingDefinitionsAnalysis.

It contains a data class LiveDefinitions, which stores both definitions and uses for register, stack, memory, and temporary variables, uncovered during the analysis.

Parameters:
  • subject (Subject) – The subject being analyzed.

  • track_tmps (bool) – Only tells whether or not temporary variables should be taken into consideration when representing the state of the analysis. Should be set to true when the analysis has counted uses and definitions for temporary variables, false otherwise.

  • analysis (ReachingDefinitionsAnalysis) – The analysis that generated the state represented by this object.

  • rtoc_value – When the targeted architecture is ppc64, the initial function needs to know the rtoc_value.

  • live_definitions (LiveDefinitions | None)

  • canonical_size (int) – The sizes (in bytes) that objects with an UNKNOWN_SIZE are treated as for operations where sizes are necessary.

  • heap_allocator (HeapAllocator | None) – Mechanism to model the management of heap memory.

  • environment (Environment | None) – Representation of the environment of the analyzed program.

Variables:

arch (Arch) – The architecture targeted by the program.

__init__(codeloc, arch, subject, analysis, track_tmps=False, track_consts=False, rtoc_value=None, live_definitions=None, canonical_size=8, heap_allocator=None, environment=None, sp_adjusted=False, all_definitions=None, initializer=None, element_limit=5, merge_into_tops=True)
Parameters:
codeloc
arch: Arch
analysis
all_definitions: set[Definition[Any, Any]]
heap_allocator
codeloc_uses: set[Definition[Any, Any]]
exit_observed: bool
live_definitions
top(bits)
Parameters:

bits (int)

is_top(*args)
heap_address(offset)
Return type:

BV

Parameters:

offset (int | HeapAddress)

static is_heap_address(addr)
Return type:

bool

Parameters:

addr (Base)

static get_heap_offset(addr)
Return type:

int | None

Parameters:

addr (Base)

stack_address(offset)
Return type:

BV

Parameters:

offset (int)

is_stack_address(addr)
Return type:

bool

Parameters:

addr (Base)

get_stack_offset(addr)
Return type:

int | None

Parameters:

addr (Base)

annotate_with_def(symvar, definition)
Parameters:
Return type:

TypeVar(MVType, bound= BV | FP)

Returns:

annotate_mv_with_def(mv, definition)
Return type:

MultiValues[TypeVar(MVType, bound= BV | FP)]

Parameters:
extract_defs(symvar)
Return type:

Iterator[Definition[Any, Any]]

Parameters:

symvar (Base)

property tmps
property tmp_uses
property registers: MultiValuedMemory
property register_uses
property stack: MultiValuedMemory
property stack_uses
property heap: MultiValuedMemory
property heap_uses
property memory: MultiValuedMemory
property memory_uses
property others: dict[Atom, MultiValues]
property uses_by_codeloc
get_sp()
Return type:

int

get_stack_address(offset)
Return type:

int | None

Parameters:

offset (Base)

property environment
property dep_graph
copy(discard_tmpdefs=False)
Return type:

Self

merge(*others)
Return type:

tuple[Self, bool]

Parameters:

others (Self)

compare(other)
Return type:

bool

Parameters:

other (ReachingDefinitionsState)

move_codelocs(new_codeloc)
Return type:

None

Parameters:

new_codeloc (CodeLocation)

kill_definitions(atom)

Overwrite existing definitions w.r.t ‘atom’ with a dummy definition instance. A dummy definition will not be removed during simplification.

Return type:

None

Parameters:

atom (Atom)

kill_and_add_definition(atom, data, dummy=False, tags=None, endness=None, annotated=False, uses=None, override_codeloc=None)
Return type:

tuple[MultiValues | None, set[Definition[TypeVar(A, bound= Atom), TypeVar(CodeLoc, bound= CodeLocation | AILCodeLocation)]]]

Parameters:
add_use(atom, expr=None)
Return type:

None

Parameters:
add_use_by_def(definition, expr=None)
Return type:

None

Parameters:
add_tmp_use(tmp, expr=None)
Return type:

None

Parameters:
add_tmp_use_by_defs(defs, expr=None)
Return type:

None

Parameters:
add_register_use(reg_offset, size, expr=None)
Return type:

None

Parameters:
  • reg_offset (int)

  • size (int)

  • expr (Any | None)

add_register_use_by_defs(defs, expr=None)
Return type:

None

Parameters:
add_stack_use(stack_offset, size, expr=None)
Return type:

None

Parameters:
  • stack_offset (int)

  • size (int)

  • expr (Any | None)

add_stack_use_by_defs(defs, expr=None)
Parameters:
add_heap_use(heap_offset, size, expr=None)
Return type:

None

Parameters:
  • heap_offset (int)

  • size (int)

  • expr (Any | None)

add_heap_use_by_defs(defs, expr=None)
Parameters:
add_memory_use_by_def(definition, expr=None)
Parameters:
add_memory_use_by_defs(defs, expr=None)
Parameters:
get_definitions(atom)
Return type:

set[Definition[Atom, TypeVar(CodeLoc, bound= CodeLocation | AILCodeLocation)]]

Parameters:

atom (Atom | Definition[Atom, CodeLoc] | Iterable[Atom] | Iterable[Definition[Atom, CodeLoc]] | MultiValues)

get_values(spec)
Return type:

MultiValues | None

Parameters:

spec (A | Definition[A, CodeLoc] | Iterable[A])

get_one_value(spec, strip_annotations=False)
Return type:

BV | None

Parameters:
get_concrete_value(spec, cast_to=<class 'int'>)
Overloads:
  • self, spec (Atom | Definition[Atom, CodeLoc] | Iterable[Atom]), cast_to (type[int]) → int | None

  • self, spec (Atom | Definition[Atom, CodeLoc] | Iterable[Atom]), cast_to (type[bytes]) → bytes | None

Parameters:
Return type:

int | bytes | None

mark_guard(target)
mark_const(value, size)
Parameters:
downsize()
deref(pointer, size, endness=Endness.BE)
Overloads:
  • self, pointer (int | claripy.ast.BV | HeapAddress | SpOffset), size (int | DerefSize), endness (archinfo.Endness) → MemoryLocation | None

  • self, pointer (MultiValues | A | Definition | Iterable[A] | Iterable[Definition[A, CodeLoc]]), size (int | DerefSize), endness (archinfo.Endness) → set[MemoryLocation]

Parameters:
class angr.analyses.reaching_definitions.Register

Bases: Atom

Represents a given CPU register.

As an IR abstracts the CPU design to target different architectures, registers are represented as a separate memory space. Thus a register is defined by its offset from the base of this memory and its size.

Variables:
  • reg_offset (int) – The offset from the base to define its place in the memory block.

  • size (int) – The size, in number of bytes.

reg_offset
arch
property name: str
class angr.analyses.reaching_definitions.Tmp

Bases: Atom

Represents a variable used by the IR to store intermediate values.

tmp_idx
angr.analyses.reaching_definitions.get_all_definitions(region)
Return type:

set[Definition]

Parameters:

region (MultiValuedMemory)

Submodules