angr.knowledge_plugins.propagations.states

class angr.knowledge_plugins.propagations.states.CallExprFinder

Bases: AILBlockRewriter

Walks an AIL expression to find if it contains a call expression anywhere.

__init__()

class angr.knowledge_plugins.propagations.states.PropagatorState

Bases: object

Describes the base state used in Propagator.

Variables:

• arch – Architecture of the binary.

• gp – value of the global pointer for MIPS binaries.

• _replacements – Stores expressions to replace, keyed by CodeLocation instances

• _only_consts – Only track constants.

• _expr_used_locs – A dict keyed by expressions and valued by CodeLocations where the expression is used.

• _max_prop_expr_occurrence – The upperbound for the number of occurrences of an expression for Propagator to propagate that expression to new locations (and replace the original expression). Setting it to 0 disables this limit, which means Propagator will always propagate expressions regardless of how many times it has been propagated.

__init__(arch, project=None, replacements=None, only_consts=False, expr_used_locs=None, store_tops=True, gp=None, max_prop_expr_occurrence=1, model=None, artificial_reg_offsets=None)

Parameters:

• arch (Arch)

• project (Project | None)

• replacements (defaultdict[CodeLocation, dict] | None)

• only_consts (bool)

• expr_used_locs (defaultdict[Any, set[CodeLocation]] | None)

• store_tops (bool)

• gp (int | None)

• max_prop_expr_occurrence (int)

arch

gpr_size

project

model

classmethod initial_state(project, only_consts=False, gp=None, do_binops=True, store_tops=False, func_addr=None, max_prop_expr_occurrence=None, initial_codeloc=None)

Parameters:

project (Project)

static top(bits)

Get a TOP value.

Parameters:

• size – Width of the TOP value (in bits).

• bits (int)

Return type:

BV

Returns:

The TOP value.

static is_top(expr)

Check if the given expression is a TOP value.

Parameters:

expr – The given expression.

Return type:

bool

Returns:

True if the expression is TOP, False otherwise.

static merge_replacements(replacements_0, replacements_1)

The replacement merging logic is special: replacements_1 is the newer replacement result and replacement_0 is the older result waiting to be updated. When both replacements_1 and replacement_0 have a non-top value for the same variable and code location, we will update the slot in replacement_0 with the value from replacement_1.

Return type:

bool

Returns:

Whether merging has happened or not.

abstractmethod copy()

Return type:

Self

merge(*others)

Return type:

tuple[Self, bool]

Parameters:

others (Self)

init_replacements()

add_replacement(codeloc, old, new, force_replace=False)

Add a replacement record: Replacing expression old with new at program location codeloc. If the self._only_consts flag is set to true, only constant values will be set.

Parameters:

• codeloc (CodeLocation) – The code location.

• old – The expression to be replaced.

• new – The expression to replace with.

• force_replace (bool)

Return type:

bool

Returns:

True if the replacement will happen. False otherwise.

filter_replacements()

has_replacements_at(codeloc)

Return type:

bool

Parameters:

codeloc (CodeLocation)

class angr.knowledge_plugins.propagations.states.RegisterAnnotation

Bases: Annotation

Annotates TOP values that are coming from registers.

__init__(offset, size)

property eliminatable: bool

Returns whether this annotation can be eliminated in a simplification.

Returns:

True if eliminatable, False otherwise

property relocatable: bool

Returns whether this annotation can be relocated in a simplification.

Returns:

True if it can be relocated, false otherwise.

class angr.knowledge_plugins.propagations.states.RegisterComparisonAnnotation

Bases: Annotation

Annotate TOP values that are the result of register values comparing against constant values.

__init__(offset, size, cmp_op, value)

Parameters:

• offset (int)

• size (int)

• cmp_op (str)

• value (int)

property eliminatable: bool

Returns whether this annotation can be eliminated in a simplification.

Returns:

True if eliminatable, False otherwise

property relocatable: bool

Returns whether this annotation can be relocated in a simplification.

Returns:

True if it can be relocated, false otherwise.

class angr.knowledge_plugins.propagations.states.PropagatorVEXState

Bases: PropagatorState

Describes the state used in the VEX engine of Propagator.

__init__(arch, project=None, registers=None, local_variables=None, replacements=None, only_consts=False, expr_used_locs=None, do_binops=True, store_tops=True, block_initial_reg_values=None, gp=None, max_prop_expr_occurrence=1, model=None, artificial_reg_offsets=None)

Parameters:

max_prop_expr_occurrence (int)

do_binops

block_initial_reg_values

classmethod initial_state(project, only_consts=False, gp=None, do_binops=True, store_tops=False, func_addr=None, max_prop_expr_occurrence=None, initial_codeloc=None, model=None)

copy()

Return type:

PropagatorVEXState

merge(*others)

Return type:

tuple[PropagatorVEXState, bool]

Parameters:

others (PropagatorVEXState)

store_local_variable(offset, size, value, endness)

load_local_variable(offset, size, endness)

Return type:

BV

store_register(offset, size, value)

load_register(offset, size)

register_results()

Return type:

dict[str, BV]

class angr.knowledge_plugins.propagations.states.Equivalence

Bases: object

Describes an equivalence relationship between two atoms.

__init__(codeloc, atom0, atom1, is_weakassignment=False)

Parameters:

is_weakassignment (bool)

codeloc

atom0

atom1

is_weakassignment