angr.analyses.vfg

class angr.analyses.vfg.VFGJob

Bases: CFGJobBase

A job descriptor that contains local variables used during VFG analysis.

__init__(*args, **kwargs)
Return type:

None

property block_id: BlockID | None
callstack_repr(kb)
Parameters:

kb (KnowledgeBase)

class angr.analyses.vfg.PendingJob

Bases: object

Describes a pending job during VFG analysis.

__init__(block_id, state, call_stack, src_block_id, src_stmt_idx, src_ins_addr)
Return type:

None

block_id
state
call_stack
src_block_id
src_stmt_idx
src_ins_addr
class angr.analyses.vfg.AnalysisTask

Bases: object

An analysis task describes work that must be finished before this task is popped off the task stack and discarded.

__init__()
Return type:

None

property done
class angr.analyses.vfg.FunctionAnalysis

Bases: AnalysisTask

Analyze a function, generate fix-point states from all endpoints of that function, and then merge them into one state.

__init__(function_address, return_address)
Parameters:
  • function_address (int)

  • return_address (int | None)

Return type:

None

call_analysis: AnalysisTask | None
property done: bool
class angr.analyses.vfg.CallAnalysis

Bases: AnalysisTask

Analyze a call by analyzing all functions this call might be calling, collecting all final states generated by analyzing those functions, and merging them into one state.

__init__(address, return_address, function_analysis_tasks=None, mergeable_plugins=None)
Parameters:
  • address (int)

  • return_address (None)

  • function_analysis_tasks (list[Any] | None)

  • mergeable_plugins (tuple[str, str] | None)

Return type:

None

property done: bool
register_function_analysis(task)
Return type:

None

Parameters:

task (FunctionAnalysis)

add_final_job(job)
Return type:

None

Parameters:

job (VFGJob)

merge_jobs()
Return type:

VFGJob

class angr.analyses.vfg.VFGNode

Bases: object

A descriptor of nodes in a Value-Flow Graph.

__init__(addr, key, state=None)

Constructor.

Return type:

None

widened_state: SimState | None
narrowing_times: int
all_states: list[SimState]
events: list
input_variables: list
actions: list
final_states: list[SimState]
state: SimState | None
append_state(s, is_widened_state=False)

Append a new state to this VFGNode.

Parameters:
  • s – The new state to append.

  • is_widened_state – Whether it is a widened state or not.

class angr.analyses.vfg.VFG

Bases: ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID, SimState], Analysis

This class represents a control-flow graph annotated with static analysis results.

Perform abstract interpretation analysis starting from the given function address. The output is an invariant at the beginning (or the end) of each basic block.

Steps:

  • Generate a CFG first if CFG is not provided.

  • Identify all merge points (denote the set of merge points as Pw) in the CFG.

  • Cut those loop back edges (can be derived from Pw) so that we gain an acyclic CFG.

  • Identify all variables that are 1) from memory loading, 2) from initial values, or 3) phi functions. Denote the set of those variables as S_{var}.

  • Start the real AI analysis and try to compute a fix point at each merge point. Perform widening/narrowing only on variables in S_{var}.

__init__(cfg=None, context_sensitivity_level=2, start=None, function_start=None, interfunction_level=0, initial_state=None, avoid_runs=None, remove_options=None, timeout=None, max_iterations_before_widening=8, max_iterations=40, widening_interval=3, final_state_callback=None, status_callback=None, record_function_final_states=False)
Parameters:
  • cfg (CFGEmulated | None) – The control-flow graph to base this analysis on. If none is provided, we will construct a CFGEmulated.

  • context_sensitivity_level (int) – The level of context-sensitivity of this VFG. It ranges from 0 to infinity. Default 2.

  • function_start (int | None) – The address of the function to analyze.

  • interfunction_level (int) – The level of interfunction-ness to be

  • initial_state (SimState | None) – A state to use as the initial one

  • avoid_runs (list[int] | None) – A list of runs to avoid

  • remove_options (set[str] | None) – State options to remove from the initial state. It only works when initial_state is None

  • timeout (int | None)

  • final_state_callback (Callable[[SimState, CallStack], Any] | None) – callback function invoked when a final state is encountered

  • status_callback (Callable[[VFG], Any] | None) – callback function used in _analysis_core_baremetal

  • start (int | None)

  • max_iterations_before_widening (int)

  • max_iterations (int)

  • widening_interval (int)

  • record_function_final_states (bool)

Return type:

None
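The widening schedule that the max_iterations_before_widening, widening_interval and max_iterations parameters above control, together with the fix-point-at-merge-point step from the class description, illustrated on a single counting loop. This is an added example written for this page, not angr code: it substitutes a hypothetical interval domain for angr's abstract state and runs the merge/widen/narrow cycle stand-alone.

```python
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def join(self, o):
        # Least upper bound, applied when paths meet at a merge point.
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def widen(self, o):
        # Push any bound that is still growing to infinity to force termination.
        return Interval(self.lo if o.lo >= self.lo else -math.inf,
                        self.hi if o.hi <= self.hi else math.inf)

    def narrow(self, o):
        # Replace infinite bounds with the bounds recomputed after widening.
        return Interval(o.lo if self.lo == -math.inf else self.lo,
                        o.hi if self.hi == math.inf else self.hi)

def analyze_counter_loop(bound, max_iterations_before_widening=8,
                         widening_interval=3, max_iterations=40):
    """Abstract-interpret `i = 0; while i < bound: i += 1` (hypothetical program).
    Returns (interval of i at the loop head, interval of i after the loop,
    number of times the merge point was visited)."""
    head = Interval(0, 0)            # entry edge: i == 0
    visits = 0
    while visits < max_iterations:
        visits += 1
        body_in = Interval(head.lo, min(head.hi, bound - 1))   # guard i < bound
        if body_in.lo > body_in.hi:   # guard unsatisfiable: back edge is dead
            break
        back = Interval(body_in.lo + 1, body_in.hi + 1)        # i += 1
        new_head = head.join(back)    # merge entry state with back-edge state
        # Widen only after enough revisits, and then only every widening_interval visits.
        since = visits - max_iterations_before_widening
        if since >= 0 and since % widening_interval == 0:
            new_head = head.widen(new_head)
        if new_head == head:
            break                     # fixed point reached
        head = new_head
    # One narrowing pass recovers the precise bound that widening threw away.
    body_in = Interval(head.lo, min(head.hi, bound - 1))
    back = Interval(body_in.lo + 1, body_in.hi + 1)
    head = head.narrow(Interval(0, 0).join(back))
    exit_state = Interval(max(head.lo, bound), head.hi)        # guard i >= bound
    return head, exit_state, visits
```

With widening disabled (a large max_iterations_before_widening) the loop exhausts max_iterations instead of converging, and the returned head interval is an unsound under-approximation, which is why the iteration cap is a safety valve rather than a substitute for widening.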

final_states: list[SimState]
property function_initial_states
property function_final_states
get_any_node(addr)

Get any VFG node corresponding to the basic block at @addr. Note that depending on the context sensitivity level, there might be multiple nodes corresponding to different contexts. This function will return the first one it encounters, which might not be what you want.

Return type:

VFGNode | None

Parameters:

addr (int)

get_all_nodes(addr)
Return type:

Generator[VFGNode]

irsb_from_node(node)
copy()