angr.sim_state
- angr.sim_state.arch_overridable(f)
- class angr.sim_state.SimState
Bases:
PluginHub[SimStatePlugin], Generic
The SimState represents the state of a program, including its memory, registers, and so forth.
- Parameters:
- Variables:
regs – A convenient view of the state’s registers, where each register is a property
mem – A convenient view of the state’s memory, a angr.state_plugins.view.SimMemView
registers – The state’s register file as a flat memory region
memory – The state’s memory as a flat memory region
solver – The symbolic solver and variable manager for this state
inspect – The breakpoint manager, a angr.state_plugins.inspect.SimInspector
log – Information about the state’s history
scratch – Information about the current execution step
posix – MISNOMER: information about the operating system or environment model
fs – The current state of the simulated filesystem
libc – Information about the standard library we are emulating
cgc – Information about the cgc environment
uc_manager – Control of under-constrained symbolic execution
unicorn – Control of the Unicorn Engine
- solver: SimSolver
- posix: SimSystemPosix
- registers: DefaultMemory
- regs: SimRegNameView
- memory: DefaultMemory
- callstack: CallStack
- mem: SimMemView
- history: SimStateHistory
- inspect: SimInspector
- jni_references: SimStateJNIReferences
- scratch: SimStateScratch
- __init__(project=None, arch=None, plugins=None, mode=None, options=None, add_options=None, remove_options=None, special_memory_filler=None, os_name=None, plugin_preset='default', cle_memory_backer=None, dict_memory_backer=None, permissions_map=None, default_permissions=3, stack_perms=None, stack_end=None, stack_size=None, regioned_memory_cls=None, **kwargs)
- Parameters:
project (Project | None)
arch (Arch | None)
plugins (dict[str, SimStatePlugin] | None)
mode (str | None)
options (set[str] | list[str] | SimStateOptions | None)
special_memory_filler (Callable[[str, int, int, SimState], Any] | None)
os_name (str | None)
plugin_preset (str)
cle_memory_backer (Clemory | None)
default_permissions (int)
stack_perms (int | None)
stack_end (int | None)
stack_size (int | None)
- property plugins
- property ip
Get the instruction pointer expression, trigger SimInspect breakpoints, and generate SimActions. Use _ip to not trigger breakpoints or generate actions.
- Returns:
an expression
- property addr: IPTypeConc
Get the concrete address of the instruction pointer, without triggering SimInspect breakpoints or generating SimActions. An integer is returned, or an exception is raised if the instruction pointer is symbolic.
- Returns:
an int
- property javavm_memory
In case of a JavaVM with JNI support, a state can store the memory plugin twice; one for the native and one for the java view of the state.
- Returns:
The JavaVM view of the memory plugin.
- property javavm_registers
In case of a JavaVM with JNI support, a state can store the registers plugin twice; one for the native and one for the java view of the state.
- Returns:
The JavaVM view of the registers plugin.
- simplify(*args)
Simplify this state’s constraints.
- add_constraints(*constraints)
Add some constraints to the state.
You may pass in any number of symbolic booleans as variadic positional arguments.
- satisfiable(**kwargs)
Whether the state’s constraints are satisfiable
- downsize()
Clean up after the solver engine. Calling this when a state no longer needs to be solved on will reduce memory usage.
- step(**kwargs)
Perform a step of symbolic execution using this state. Any arguments to AngrObjectFactory.successors can be passed to this.
- Returns:
A SimSuccessors object categorizing the results of the step.
- block(*args, **kwargs)
Represent the basic block at this state’s instruction pointer. Any arguments to AngrObjectFactory.block can be passed to this.
- Returns:
A Block object describing the basic block of code at this point.
- copy()
Returns a copy of the state.
- merge(*others, **kwargs)
Merges this state with the other states. Returns the merging result, merged state, and the merge flag.
- Parameters:
states – the states to merge
merge_conditions – a tuple of the conditions under which each state holds
common_ancestor – a state that represents the common history between the states being merged. Usually it is only available when EFFICIENT_STATE_MERGING is enabled, otherwise weak-refed states might be dropped from state history instances.
plugin_whitelist – a list of plugin names that will be merged. If this option is given and is not None, any plugin that is not inside this list will not be merged, and will be created as a fresh instance in the new state.
common_ancestor_history – a SimStateHistory instance that represents the common history between the states being merged. This is to allow optimal state merging when EFFICIENT_STATE_MERGING is disabled.
- Returns:
(merged state, merge flag, a bool indicating if any merging occurred)
- widen(*others)
Perform a widening between self and other states.
- reg_concrete(*args, **kwargs)
Returns the contents of a register but, if that register is symbolic, raises a SimValueError.
- mem_concrete(*args, **kwargs)
Returns the contents of a memory but, if the contents are symbolic, raises a SimValueError.
- stack_push(thing)
Push ‘thing’ to the stack, writing the thing to memory and adjusting the stack pointer.
- stack_pop()
Pops from the stack and returns the popped thing. The length will be the architecture word size.
- stack_read(offset, length, bp=False)
Reads length bytes, at an offset into the stack.
- Parameters:
offset – The offset from the stack pointer.
length – The number of bytes to read.
bp – If True, offset from the BP instead of the SP. Default: False.
- make_concrete_int(expr)
- dbg_print_stack(depth=None, sp=None)
Only used for debugging purposes. Return the current stack info as a formatted string. If depth is None, the current stack frame (from sp to bp) will be printed out.
- set_mode(mode)
- property thumb
- property with_condition