angr.knowledge_plugins.cfg.spilling_cfg¶

Spilling CFG Graph implementation with LRU caching and LMDB persistence.

This module provides SpillingCFGNodeDict and SpillingCFGGraph classes that implement disk-backed storage for CFGNode instances, following the SpillingFunctionDict pattern.

class angr.knowledge_plugins.cfg.spilling_cfg.SpillingCFGNodeDict¶

Bases: object

A dict-like container for CFGNode instances with LRU caching and LMDB spilling.

This class keeps only the most recently accessed N nodes in memory, spilling others to an LMDB database on disk.

Variables:

cache_limit – The maximum number of nodes to keep in memory.
rtdb (RuntimeDb | None) – A reference to the RuntimeDb knowledge base plugin.
_lru_order (OrderedDict[tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor, None]) – An OrderedDict tracking the eviction order of cached nodes.
_spilled_keys (set[tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor]) – A set of block_ids that have been spilled to LMDB.
_db_batch_size (int) – The number of nodes that are evicted in a single batch.
_eviction_enabled (bool) – A flag indicating whether eviction is currently enabled.

__init__(rtdb, cfg_model=None, cache_limit=1000, db_batch_size=200)¶

Parameters:

rtdb (RuntimeDb | None)
cfg_model (CFGModel | None)
cache_limit (int)
db_batch_size (int)

get(block_key, default=None)¶

Return type:

CFGNode | None

Parameters:

block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)
default (CFGNode | None)

keys()¶

Return type:: Iterator[tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor]

values()¶

Return type:: Iterator[CFGNode]

items()¶

Return type:: Iterator[tuple[tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor, CFGNode]]

clear()¶

Return type:: None

copy()¶

Return type:: SpillingCFGNodeDict

property cache_limit: int¶

property db_batch_size: int¶

property cached_count: int¶

property spilled_count: int¶

property total_count: int¶

is_cached(block_key)¶

Return type:: bool
Parameters:: block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)

load_all_spilled()¶

Return type:: None

evict_all_cached()¶

Return type:: None

angr.knowledge_plugins.cfg.spilling_cfg.get_block_key(node)¶

Overloads:

node (CFGNode) → CFGNODE_K | SOOTNODE_K
node (CFGENode) → CFGENODE_K

Parameters:

node (CFGNode | CFGENode)

Return type:

tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor

Get the unique identifier for a CFGNode. Typically this unique identifier contains the address of the block and the looping_times of the block (in case there are multiple blocks with the same address, which may happen after loop unrolling in a CFGEmulated instance).

Parameters:: node (CFGNode | CFGENode) – The CFGNode or CFGENode instance to get the block key for.
Returns:: The unique identifier.
Return type:: tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor

angr.knowledge_plugins.cfg.spilling_cfg.block_key_to_addr(block_key)¶

Overloads:

block_key (CFGNODE_K | CFGENODE_K) → int
block_key (SOOTNODE_K) → SootAddressDescriptor

Parameters:

block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)

Return type:

int | SootAddressDescriptor

Extract the address from a block key.

angr.knowledge_plugins.cfg.spilling_cfg.block_key_to_size(block_key)¶

Extract the size from a block key, if present.

Return type:: int | None
Parameters:: block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)

class angr.knowledge_plugins.cfg.spilling_cfg.SpillingCFG¶

Bases: object

A graph wrapper that stores CFGNode instances in a spilling dict while keeping only primitive keys in the underlying networkx graph.

This provides a networkx-compatible interface while supporting disk-backed storage for large CFGs.

addr_type must be “int”, “block_id”, or “soot”. You can change addr_type before the first node is inserted but not after, since it affects how keys are serialized and deserialized.

__init__(rtdb=None, cfg_model=None, cache_limit=None, db_batch_size=800, edge_cache_limit=None, edge_db_batch_size=800, addr_type='int')¶

Parameters:

rtdb (RuntimeDb | None)
cfg_model (CFGModel | None)
cache_limit (int | None)
db_batch_size (int)
edge_cache_limit (int | None)
edge_db_batch_size (int)
addr_type (Literal['int', 'block_id', 'soot'])

property addr_type: str¶

get_node_by_key(block_key)¶

Get a CFGNode by block_id, with fallback to graph node data.

Return type:: CFGNode
Parameters:: block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)

property node_keys: Iterator[tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor]¶: Get an iterator over all block_keys in the graph.

add_node(node, **attr)¶

Return type:: None
Parameters:: node (CFGNode)

remove_node(node)¶

Return type:: None
Parameters:: node (CFGNode)

has_node(node)¶

Return type:: bool
Parameters:: node (CFGNode)

nodes_by_addr(addr)¶

Return type:: Iterator[CFGNode]
Parameters:: addr (int)

has_node_addr(addr)¶

Return type:: bool
Parameters:: addr (int)

number_of_nodes()¶

Return type:: int

property nodes: _NodeView¶: Return a view of nodes supporting len(), iteration, and call with data=True.

add_edge(src, dst, **attr)¶

Return type:

None

Parameters:

src (CFGNode)
dst (CFGNode)

add_edge_by_key(src_block_key, dst_block_key, **attr)¶

Return type:

None

Parameters:

src_block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)
dst_block_key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)

remove_edge(src, dst)¶

Return type:

None

Parameters:

src (CFGNode)
dst (CFGNode)

has_edge(src, dst)¶

Return type:

bool

Parameters:

src (CFGNode)
dst (CFGNode)

get_edge_data(src, dst, default=None)¶

Return type:

dict | None

Parameters:

src (CFGNode)
dst (CFGNode)

number_of_edges()¶

Return type:: int

property edges: _EdgeView¶: Return a view of edges supporting len(), iteration, and call with data=True.

property call_destination_keys: set[tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor]¶: Return the set of block keys that are destinations of call/syscall edges.

call_destination_nodes()¶

Yield CFGNode for each call/syscall destination.

Return type:: Iterator[CFGNode]

predecessors(node)¶

Return type:: Iterator[CFGNode]
Parameters:: node (CFGNode)

successors(node)¶

Return type:: Iterator[CFGNode]
Parameters:: node (CFGNode)

property in_edges: _InEdgeView¶: Return a view of in-edges supporting call, subscript, len, and iteration.

property out_edges: _OutEdgeView¶: Return a view of out-edges supporting call, subscript, len, and iteration.

property in_degree: _InDegreeView¶: Return a view of in-degrees supporting call, subscript, len, and iteration.

property out_degree: _OutDegreeView¶: Return a view of out-degrees supporting call, subscript, len, and iteration.

out_edges_by_key(key, data=False)¶

Overloads:

self, key (K), data (Literal[False]) → Generator[tuple[K, K]]
self, key (K), data (Literal[True]) → Generator[tuple[K, K, dict]]

Parameters:

key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)
data (bool)

Return type:

out_degree_by_key(key)¶

Return type:: int
Parameters:: key (tuple[int, int] | tuple[BlockID, int, int] | SootAddressDescriptor)

copy()¶

Return type:: SpillingCFG

subgraph(nodes)¶

Return a subgraph as a regular networkx DiGraph with CFGNode instances. This is useful for algorithms that need a pure networkx graph.

Return type:: DiGraph

to_networkx()¶

Convert to a pure networkx DiGraph with CFGNode instances as nodes. Warning: This loads all spilled nodes into memory.

Return type:: DiGraph

from_networkx(nx_graph)¶

Load graph structure from a networkx DiGraph with CFGNode instances as nodes.

Return type:: None
Parameters:: nx_graph (DiGraph)

property cache_limit: int | None¶

property db_batch_size: int¶

property cached_count: int¶

property spilled_count: int¶

load_all_spilled()¶

Return type:: None

evict_all_cached()¶

Return type:: None