angr.analyses.reaching_definitions.reaching_definitions

class angr.analyses.reaching_definitions.reaching_definitions.ReachingDefinitionsAnalysis

Bases: ForwardAnalysis[ReachingDefinitionsState, NodeType, object, object, object], Analysis

ReachingDefinitionsAnalysis is a text-book implementation of a static data-flow analysis that works on either a function or a block. It supports both VEX and AIL. By registering observers to observation points, users may use this analysis to generate use-def chains, def-use chains, and reaching definitions, and perform other traditional data-flow analyses such as liveness analysis.

  • I’ve always wanted to find a better name for this analysis. Now I gave up and decided to live with this name for the foreseeable future (until a better name is proposed by someone else).

  • Aliasing is definitely a problem, and I forgot how aliasing is resolved in this implementation. I’ll leave this as a post-graduation TODO.

  • Some more documentation and examples would be nice.

__init__(subject, func_graph=None, max_iterations=30, track_tmps=False, track_consts=True, observation_points=None, init_state=None, init_context=None, state_initializer=None, cc=None, function_handler=None, observe_all=False, visited_blocks=None, dep_graph=True, observe_callback=None, canonical_size=8, stack_pointer_tracker=None, use_callee_saved_regs_at_return=True, interfunction_level=0, track_liveness=True, func_addr=None, element_limit=5, merge_into_tops=True)
Parameters:
  • subject (Subject | Block | Block | Function | str) – The subject of the analysis: a function, or a single basic block

  • func_graph – Alternative graph for function.graph.

  • max_iterations – The maximum number of iterations before the analysis is terminated.

  • track_tmps – Whether or not temporary variables should be taken into consideration during the analysis.

  • observation_points (Iterable[tuple[Literal['insn', 'node', 'stmt', 'exit'], int | tuple[int, int] | tuple[int, int, int], ObservationPointType]] | None) – A collection of tuples of (kind, location, OP_TYPE) defining where reaching definitions should be copied and stored: the kind is one of "insn", "node", "stmt" or "exit", the location is an address (or an address tuple, as in the type above), and OP_TYPE is either OP_BEFORE or OP_AFTER.

  • init_state (ReachingDefinitionsState | None) – An optional initialization state. The analysis creates and works on a copy. Defaults to None, in which case the analysis initializes its own abstract state based on the given subject.

  • init_context – If init_state is not given, this is used to initialize the context field of the initial state’s CodeLocation. The only default-supported type which may go here is a tuple of integers, i.e. a callstack. Anything else requires a custom FunctionHandler.

  • cc – Calling convention of the function.

  • function_handler (FunctionHandler | None) – The function handler to update the analysis state and results on function calls.

  • observe_all – Observe every statement, both before and after.

  • visited_blocks – A set of previously visited blocks.

  • dep_graph (DepGraph | bool | None) – An initial dependency graph to add the result of the analysis to, or True to generate a fresh dependency graph for the subject. The graph is available afterwards as result.dep_graph. Set it to None to skip dependency graph generation.

  • canonical_size – The size (in bytes) that objects with an UNKNOWN_SIZE are treated as for operations where sizes are necessary.

  • interfunction_level (int) – The number of functions we should recurse into. This parameter is only used if function_handler is not provided.

  • track_liveness (bool) – Whether to track liveness information. This can consume sizeable amounts of RAM on large functions (e.g. ~15GB for a function with 4k nodes).

  • merge_into_tops (bool) – Merge known values into TOP if TOP is present. If True: {TOP} V {0xabc} = {TOP}. If False: {TOP} V {0xabc} = {TOP, 0xabc}.

  • state_initializer (RDAStateInitializer | None)

  • func_addr (int | None)

  • element_limit (int)
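As an added illustration, and not angr's own code, the following plain-Python toy models the forward reaching-definitions fixpoint the parameters above describe: ("node", addr, OP_BEFORE/OP_AFTER) observation points whose state copies are stored in observed_results, use-def chains recorded at each register read, the max_iterations guard, and the merge_into_tops join rule. The three-block IR in BLOCKS/EDGES, the run function and the register facts are constructed for this example and are not angr's data structures.

```python
import copy

TOP = "TOP"
OP_BEFORE, OP_AFTER = "before", "after"
EMPTY = {"vals": frozenset(), "defs": frozenset()}
# Constructed toy IR: (stmt_id, dest_reg, source); source is an int constant,
# a register name (a read), or None for an unknown value that becomes TOP.
BLOCKS = {
    0x1000: [(0, "rax", 0xabc), (1, "rbx", "rax")],
    0x1010: [(2, "rax", None)],
    0x1020: [(3, "rcx", "rax")],  # join point: 0x1000 and 0x1010 both flow here
}
EDGES = {0x1000: [0x1010, 0x1020], 0x1010: [0x1020], 0x1020: []}

def join(a, b, merge_into_tops):
    """Join per-register facts; with merge_into_tops, TOP absorbs known values."""
    vals = set(a["vals"]) | set(b["vals"])
    if merge_into_tops and TOP in vals:
        vals = {TOP}
    return {"vals": vals, "defs": set(a["defs"]) | set(b["defs"])}
def merge_states(s1, s2, merge_into_tops):
    return {r: join(s1.get(r, EMPTY), s2.get(r, EMPTY), merge_into_tops)
            for r in set(s1) | set(s2)}

def run(observation_points, merge_into_tops=True, max_iterations=30):
    """Forward worklist fixpoint; returns (observed_results, use_def_chains)."""
    in_states = {addr: {} for addr in BLOCKS}
    observed, uses, visits = {}, {}, dict.fromkeys(BLOCKS, 0)
    worklist = [0x1000]
    while worklist:
        addr = worklist.pop(0)
        visits[addr] += 1
        if visits[addr] > max_iterations:  # the docs' max_iterations guard
            break
        state = copy.deepcopy(in_states[addr])
        if ("node", addr, OP_BEFORE) in observation_points:
            observed[("node", addr, OP_BEFORE)] = copy.deepcopy(state)
        for stmt_id, dst, src in BLOCKS[addr]:
            if isinstance(src, str):  # register read: record its use-def chain
                fact = state.get(src, {"vals": {TOP}, "defs": set()})
                uses[stmt_id], vals = set(fact["defs"]), set(fact["vals"])
            else:
                vals = {TOP} if src is None else {src}
            state[dst] = {"vals": vals, "defs": {stmt_id}}  # strong update kills old defs
        if ("node", addr, OP_AFTER) in observation_points:
            observed[("node", addr, OP_AFTER)] = copy.deepcopy(state)
        for succ in EDGES[addr]:
            merged = merge_states(in_states[succ], state, merge_into_tops)
            if merged != in_states[succ]:  # re-queue only successors whose facts changed
                in_states[succ] = merged
                worklist.append(succ)
    return observed, uses
```

At the join block 0x1020 the two incoming definitions of rax (statement 0 with 0xabc, statement 2 with TOP) both reach statement 3, so its use-def chain is {0, 2}; whether the value set collapses to {TOP} or keeps {TOP, 0xabc} is exactly the merge_into_tops switch.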

property observed_results: dict[tuple[str, int, int], LiveDefinitions]
property all_definitions
property all_uses
property one_result
property dep_graph: DepGraph
property visited_blocks
get_reaching_definitions_by_insn(ins_addr, op_type)
get_reaching_definitions_by_node(node_addr, op_type)
node_observe(node_addr, state, op_type, node_idx=None)
Parameters:
  • node_addr (int) – Address of the node.

  • state (ReachingDefinitionsState) – The analysis state.

  • op_type (ObservationPointType) – Type of the observation point. Must be one of the following: OP_BEFORE, OP_AFTER.

  • node_idx (int | None) – ID of the node. Used in AIL to differentiate blocks with the same address.

Return type:

None

insn_observe(insn_addr, stmt, block, state, op_type)
Return type:

None

stmt_observe(stmt_idx, stmt, block, state, op_type)
Return type:

None

exit_observe(node_addr, exit_stmt_idx, block, state, node_idx=None)
property subject
callsites_to(target)
Return type:

Iterable[FunctionCallRelationships]

Parameters:

target (int | str | Function)