angr.knowledge_plugins.cfg.cfg_model
- class angr.knowledge_plugins.cfg.cfg_model.CFGModel
Bases: Serializable
This class describes a Control Flow Graph for a specific range of code.
- __init__(ident, cfg_manager=None, is_arm=False, cache_limit=None, db_batch_size=800, edge_cache_limit=None, edge_db_batch_size=800, addr_type='int')
- ident
- is_arm
- graph: SpillingCFG
- jump_tables: dict[int, IndirectJump]
- memory_data: SortedDict[int, MemoryData]
- insn_addr_to_memory_data: dict[int, MemoryData]
- normalized
- edges_to_repair
- property project
- mark_node_addr_has_return(node_addr, has_return=True)
- Return type:
- Parameters:
node_addr (int | SootAddressDescriptor)
has_return (bool)
- node_addr_has_return(node_addr)
- Return type:
- Parameters:
node_addr (int | SootAddressDescriptor)
- copy()
- remove_node(block_id, node)
Remove the given CFGNode instance. Note that this method does not remove the node from the graph.
- get_node(block_id)
Get a single node from Block ID.
- get_any_node(addr, is_syscall=None, anyaddr=False, force_fastpath=False)
Get an arbitrary CFGNode (without considering their contexts) from our graph.
- Parameters:
addr (int) – Address of the beginning of the basic block. Set anyaddr to True to support arbitrary address.
is_syscall (bool | None) – Whether you want to get the syscall node or any other node. This is due to the fact that syscall SimProcedures have the same address as the target it returns to. None means get either, True means get a syscall node, False means get something that isn’t a syscall node.
anyaddr (bool) – If anyaddr is True, then addr doesn’t have to be the beginning address of a basic block. By default the entire graph.nodes() will be iterated, and the first node containing the specific address is returned, which can be slow.
force_fastpath (bool) – If force_fastpath is True, it will only perform a dict lookup in the graph._keys_by_addr dict.
- Return type:
- Returns:
A CFGNode if there is any that satisfies given conditions, or None otherwise
- get_all_nodes(addr, is_syscall=None, anyaddr=False)
Get all CFGNodes whose address is the specified one.
- get_all_nodes_intersecting_region(addr, size=1)
Get all CFGNodes that intersect the given region.
- floor_addr(addr)
Get the largest address that is less than or equal to the given address and has a CFGNode.
- ceil_addr(addr)
Get the smallest address that is greater than or equal to the given address and has a CFGNode.
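The address-lookup semantics documented for get_any_node, get_all_nodes_intersecting_region, floor_addr and ceil_addr, as a stand-alone model added here; it is not angr's implementation and does not import angr. The Node tuple, the sample blocks, and returning None when no address qualifies are assumptions of the model.

```python
from bisect import bisect_left, bisect_right
from typing import NamedTuple, Optional

class Node(NamedTuple):
    """Constructed stand-in for a CFGNode: start address, size in bytes, syscall flag."""
    addr: int
    size: int
    is_syscall: bool = False

# Constructed sample blocks. The syscall node shares 0x401020 with the block
# it returns to, which is the case the is_syscall argument exists for.
NODES = [
    Node(0x401000, 0x10),
    Node(0x401010, 0x08),
    Node(0x401020, 0x01, is_syscall=True),  # size is a constructed value
    Node(0x401020, 0x0C),
]
ADDRS = sorted({n.addr for n in NODES})

def floor_addr(addr: int) -> Optional[int]:
    """Largest node address <= addr (None if there is none: a choice of this model)."""
    i = bisect_right(ADDRS, addr)
    return ADDRS[i - 1] if i else None

def ceil_addr(addr: int) -> Optional[int]:
    """Smallest node address >= addr (None if there is none: a choice of this model)."""
    i = bisect_left(ADDRS, addr)
    return ADDRS[i] if i < len(ADDRS) else None

def nodes_intersecting_region(addr: int, size: int = 1) -> list:
    """Nodes whose byte range overlaps the half-open region [addr, addr + size)."""
    return [n for n in NODES if n.addr < addr + size and addr < n.addr + n.size]

def get_any_node(addr: int, is_syscall: Optional[bool] = None, anyaddr: bool = False):
    """First node matching addr; is_syscall=None accepts either kind of node."""
    for n in NODES:
        if is_syscall is not None and n.is_syscall != is_syscall:
            continue
        # Without anyaddr only a block's start address matches.
        if n.addr == addr or (anyaddr and n.addr <= addr < n.addr + n.size):
            return n
    return None
```

Because the region is half-open, a query ending exactly at a block's start address does not return that block.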
- nodes()
An iterator of all nodes in the graph.
- Returns:
The iterator.
- Return type:
iterator
- get_predecessors(cfgnode, excluding_fakeret=True, jumpkind=None)
Get predecessors of a node in the control flow graph.
- Parameters:
- Return type:
- Returns:
A list of predecessors
- get_successors(node, excluding_fakeret=True, jumpkind=None)
Get successors of a node in the control flow graph.
- Parameters:
- Returns:
A list of successors
- Return type:
- get_successors_and_jumpkinds(node, excluding_fakeret=True)
Get a list of tuples where the first element is the successor of the CFG node and the second element is the jumpkind of the successor.
- get_successors_and_jumpkind(node, excluding_fakeret=True)
Get a list of tuples where the first element is the successor of the CFG node and the second element is the jumpkind of the successor.
- get_predecessors_and_jumpkinds(node, excluding_fakeret=True)
Get a list of tuples where the first element is the predecessor of the CFG node and the second element is the jumpkind of the predecessor.
- get_predecessors_and_jumpkind(node, excluding_fakeret=True)
Get a list of tuples where the first element is the predecessor of the CFG node and the second element is the jumpkind of the predecessor.
- get_all_predecessors(cfgnode, depth_limit=None)
Get all predecessors of a specific node on the control flow graph.
- get_all_successors(cfgnode, depth_limit=None)
Get all successors of a specific node on the control flow graph.
- get_branching_nodes()
Returns all nodes that have an out-degree >= 2.
- get_exit_stmt_idx(src_block, dst_block)
Get the corresponding exit statement ID for control flow to reach destination block from source block. The exit statement ID was put on the edge when creating the CFG. Note that there must be a direct edge between the two blocks, otherwise an exception will be raised.
- Returns:
The exit statement ID
- add_memory_data(data_addr, data_type, data_size=None)
Add a MemoryData entry to self.memory_data.
- tidy_data_references(memory_data_addrs=None, exec_mem_regions=None, xrefs=None, seg_list=None, data_type_guessing_handlers=None, fill_gaps=True, new_mem_data_addrs=None)
Go through all data references (or the ones as specified by memory_data_addrs) and determine their sizes and types if possible.
- Parameters:
memory_data_addrs (list[int] | None) – A list of addresses of memory data, or None if tidying all known memory data entries.
exec_mem_regions (list[tuple[int, int]] | None) – A list of start and end addresses of executable memory regions.
seg_list (SegmentList | None) – The segment list that CFGFast uses during CFG recovery.
data_type_guessing_handlers (list[Callable] | None) – A list of Python functions that will guess data types. They will be called in sequence to determine data types for memory data whose type is unknown.
fill_gaps (bool) – If True, when a memory data entry is found to have a gap between its end and the next data entry, a new memory data entry will be created to fill the gap. fill_gaps should only be set to True at the end of CFG recovery when traversing the entire memory_data dict for the last time.
xrefs (XRefManager | None)
- Return type:
- Returns:
True if new data entries are found, False otherwise.
- remove_node_and_graph_node(node)
Like remove_node, but also removes node from the graph.
- get_intersecting_functions(addr, size=1, kb=None)
Find all functions with nodes intersecting [addr, addr + size).
- find_function_for_reflow_into_addr(addr, kb=None)
Look for a function that flows into a new node at addr.
- Parameters:
addr (int) – Address of new block.
kb (KnowledgeBase | None) – Knowledge base to search for functions in.
- Return type:
- clear_region_for_reflow(addr, size=1, kb=None)
Remove nodes in the graph intersecting region [addr, addr + size).
Any functions that intersect the range, and their associated nodes in the CFG, will also be removed from the knowledge base for analysis.
- Parameters:
addr (int) – Minimum address of target region.
size (int) – Size of the region, in bytes.
kb (KnowledgeBase | None) – Knowledge base to search for functions in.
- Return type: