angr.sim_type

class angr.sim_type.SimType

Bases: object

SimType exists to track type information for SimProcedures.

base: bool = True
__init__(label=None, qualifier=None)
Parameters:

  • label – the type label.

  • qualifier (Iterable[str] | None)

property size: int | None

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

with_arch(arch)
Parameters:

arch (Arch | None)

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

  • indent (int | None)

  • name_parens (bool)

copy()
extract(state, addr, concrete=False)
Return type:

Any

Parameters:
store(state, addr, value)
Parameters:
extract_claripy(bits)

Given a bitvector bits which was loaded from memory in a big-endian fashion, return a more appropriate or structured representation of the data.

A type must have an arch associated in order to use this method.

Return type:

Any

to_json(fields=None, memo=None)

Serialize the type class to a JSON-compatible dictionary.

Return type:

dict[str, Any]

Parameters:
static from_json(d, type_collection=None, memo=None)

Deserialize a type class from a JSON-compatible dictionary.

Parameters:
class angr.sim_type.TypeRef

Bases: SimType

A TypeRef is a reference to a type with a name. This allows for interactivity in type analysis, by storing a type and having the option to update it later and have all references to it automatically update as well.

property ty
property type
property name

This is a read-only property because it is desirable to store typerefs in a mapping from name to type, and we want the mapping to be in the loop for any updates.

property size

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

with_arch(arch)
c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

copy()
class angr.sim_type.NamedTypeMixin

Bases: object

SimType classes with this mixin in the class hierarchy allows setting custom class names. A typical use case is to represent same or similar type classes with different qualified names, such as “std::basic_string” vs “std::__cxx11::basic_string”. In such cases, .name stores the qualified name, and .unqualified_name() returns the unqualified name of the type.

__init__(*args, name=None, **kwargs)
Parameters:

name (str | None)

property name: str
unqualified_name(lang='c++')
Return type:

str

Parameters:

lang (str)

class angr.sim_type.SimTypeBottom

Bases: SimType

SimTypeBottom basically represents a type error.

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

copy()
class angr.sim_type.SimTypeTop

Bases: SimType

SimTypeTop represents any type (mostly used with a pointer for void*).

copy()
class angr.sim_type.SimTypeReg

Bases: SimType

SimTypeReg is the base type for all types that are register-sized.

__init__(size, label=None, qualifier=None)
Parameters:

  • label – the type label.

  • size (int | None) – the size of the type (e.g. 32bit, 8bit, etc.).

  • qualifier (Iterable | None)

store(state, addr, value)
Parameters:

value (int | BV)

copy()
class angr.sim_type.SimTypeNum

Bases: SimType

SimTypeNum is a numeric type of arbitrary length

__init__(size, signed=True, label=None, qualifier=None)
Parameters:

  • size (int) – The size of the integer, in bits

  • signed – Whether the integer is signed or not

  • label – A label for the type

  • qualifier (Iterable | None)

property size: int

The size of the type in bits, or None if no size is computable.

extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → int

store(state, addr, value)
Parameters:

value (int | BV)

copy()
class angr.sim_type.SimTypeInt

Bases: SimTypeReg

SimTypeInt is a type that specifies a signed or unsigned C integer.

__init__(signed=True, label=None, qualifier=None)
Parameters:

  • signed – True if signed, False if unsigned

  • label – The type label

  • qualifier (Iterable | None)

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

property size

The size of the type in bits, or None if no size is computable.

extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → int

copy()
class angr.sim_type.SimTypeShort

Bases: SimTypeInt

class angr.sim_type.SimTypeLong

Bases: SimTypeInt

class angr.sim_type.SimTypeLongLong

Bases: SimTypeInt

class angr.sim_type.SimTypeFixedSizeInt

Bases: SimTypeInt

The base class for all fixed-size (i.e., the size stays the same on all platforms) integer types. Do not instantiate this class directly.

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

  • indent (int | None)

  • name_parens (bool)

property size: int

The size of the type in bits, or None if no size is computable.

class angr.sim_type.SimTypeInt128

Bases: SimTypeFixedSizeInt

class angr.sim_type.SimTypeInt256

Bases: SimTypeFixedSizeInt

class angr.sim_type.SimTypeInt512

Bases: SimTypeFixedSizeInt

class angr.sim_type.SimTypeChar

Bases: SimTypeReg

SimTypeChar is a type that specifies a character; this could be represented by a byte, but this is meant to be interpreted as a character.

__init__(signed=True, label=None, qualifier=None)
Parameters:

  • label – the type label.

  • qualifier (Iterable | None)

store(state, addr, value)
Parameters:

value (int | BV)

extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → bytes

Parameters:

concrete (bool)

Return type:

BV | bytes

copy()
class angr.sim_type.SimTypeWideChar

Bases: SimTypeReg

SimTypeWideChar is a type that specifies a wide character (a UTF-16 character).

__init__(signed=True, label=None, endness=Endness.BE, qualifier=None)
Parameters:
store(state, addr, value)
Parameters:

value (int | BV)

extract(state, addr, concrete=False)
Return type:

Any

copy()
class angr.sim_type.SimTypeBool

Bases: SimTypeReg

__init__(signed=True, label=None, qualifier=None)
Parameters:

  • label – the type label.

  • qualifier (Iterable | None)

store(state, addr, value)
Parameters:

value (int | BV | bool)

extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.Bool

  • self, state, addr, concrete (Literal[True]) → bool

copy()
class angr.sim_type.SimTypeFd

Bases: SimTypeReg

SimTypeFd is a type that specifies a file descriptor.

__init__(label=None, qualifier=None)
Parameters:

  • label – the type label

  • qualifier (Iterable | None)

property size

The size of the type in bits, or None if no size is computable.

copy()
extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → int

class angr.sim_type.PointerDisposition

Bases: IntEnum

IN_OUT = 0
IN = 1
OUT = 2
IN_OUTMAYBE = 3
OUTMAYBE = 4
NONE = 5
UNKNOWN = 6
__new__(value)
class angr.sim_type.SimTypePointer

Bases: SimTypeReg

SimTypePointer is a type that specifies a pointer to some other type.

__init__(pts_to, label=None, offset=0, qualifier=None, disposition=PointerDisposition.UNKNOWN)
Parameters:
c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

make(pts_to)
property size

The size of the type in bits, or None if no size is computable.

copy()
extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → int

class angr.sim_type.SimTypeReference

Bases: SimTypeReg

SimTypeReference is a type that specifies a reference to some other type.

refs: SimType
c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

make(refs)
property size

The size of the type in bits, or None if no size is computable.

copy()
extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → int

class angr.sim_type.SimTypeArray

Bases: SimType

SimTypeArray is a type that specifies a series of data laid out in sequence.

__init__(elem_type, length=None, label=None, qualifier=None)
Parameters:

  • label – The type label.

  • elem_type – The type of each element in the array.

  • length – An expression of the length of the array, if known.

  • qualifier (Iterable | None)

elem_type: SimType
length: int | None
c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

property size

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

copy()
extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → list[Any]

  • self, state, addr, concrete (Literal[True]) → list[Any]

store(state, addr, value)
Parameters:

value (list[int | BV])

angr.sim_type.SimTypeFixedSizeArray

alias of SimTypeArray

class angr.sim_type.SimTypeString

Bases: NamedTypeMixin, SimType

SimTypeString is a type that represents a C-style string, i.e. a NUL-terminated array of bytes.

__init__(length=None, label=None, name=None, qualifier=None)
Parameters:

  • label – The type label.

  • length (int | None) – An expression of the length of the string, if known.

  • name (str | None)

  • qualifier (Iterable | None)

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

extract(state, addr, concrete=False)
Overloads:

  • self, state, addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state, addr, concrete (Literal[True]) → bytes

Parameters:

state (SimState)

property size

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

copy()
class angr.sim_type.SimTypeWString

Bases: NamedTypeMixin, SimType

A wide-character null-terminated string, where each character is 2 bytes.

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

extract(state, addr, concrete=False)
store(state, addr, value)
property size

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

copy()
class angr.sim_type.SimTypeFunction

Bases: SimType

SimTypeFunction is a type that specifies an actual function (i.e. not a pointer) with certain types of arguments and a certain return value.

base: bool = False
__init__(args, returnty, label=None, arg_names=None, variadic=False)
Parameters:

  • label – The type label

  • args (Iterable[SimType]) – A tuple of types representing the arguments to the function

  • returnty (SimType | None) – The return type of the function, or none for void

  • variadic – Whether the function accepts varargs

  • arg_names (Iterable[str] | None)

args: tuple[SimType, ...]
returnty: SimType | None
arg_names: tuple[str, ...]
c_repr(name=None, full=0, memo=None, indent=0, name_parens=True, show_void=True)
Parameters:
property size

The size of the type in bits, or None if no size is computable.

copy()
class angr.sim_type.SimTypeCppFunction

Bases: SimTypeFunction

SimTypeCppFunction is a type that specifies an actual C++-style function with information about arguments, return value, and more C++-specific properties.

Variables:

  • ctor – Whether the function is a constructor or not.

  • dtor – Whether the function is a destructor or not.

copy()
class angr.sim_type.SimTypeLength

Bases: SimTypeLong

SimTypeLength is a type that specifies the length of some buffer in memory.

…I’m not really sure what the original design of this class was going for

__init__(signed=False, addr=None, length=None, label=None)
Parameters:

  • signed – Whether the value is signed or not

  • label – The type label.

  • addr – The memory address (expression).

  • length – The length (expression).

property size

The size of the type in bits, or None if no size is computable.

copy()
class angr.sim_type.SimTypeFloat

Bases: SimTypeReg

An IEEE754 single-precision floating point number

sort = FLOAT
signed = True
property size: int

The size of the type in bits, or None if no size is computable.

extract(state, addr, concrete=False)
store(state, addr, value)
Parameters:

value (int | BV | FP)

copy()
class angr.sim_type.SimTypeDouble

Bases: SimTypeFloat

An IEEE754 double-precision floating point number

sort = DOUBLE
property size: int

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

copy()
class angr.sim_type.SimStruct

Bases: NamedTypeMixin, SimType

fields: OrderedDict[str, SimType]
property pack
property align
property packed
property offsets: dict[str, int]
extract(state, addr, concrete=False)
Return type:

SimStructValue

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

property size

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

store(state, addr, value)
Parameters:

value (int | BV)

copy()
class angr.sim_type.SimStructValue

Bases: object

A SimStruct type paired with some real values

__init__(struct, values=None)
Parameters:

  • struct – A SimStruct instance describing the type of this struct

  • values – A mapping from struct fields to values

property struct
copy()
class angr.sim_type.SimUnion

Bases: NamedTypeMixin, SimType

fields = ('members', 'name')
__init__(members, name=None, label=None, qualifier=None)
Parameters:

  • members (dict[str, SimType]) – The members of the union, as a mapping name -> type

  • name – The name of the union

  • qualifier (Iterable | None)

property size

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

extract(state, addr, concrete=False)
c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

copy()
class angr.sim_type.SimUnionValue

Bases: object

A SimStruct type paired with some real values

__init__(union, values=None)
Parameters:

  • union – A SimUnion instance describing the type of this union

  • values – A mapping from union members to values

copy()
class angr.sim_type.SimTypeEnum

Bases: NamedTypeMixin, SimType

An enum type with named integer constants.

Parameters:

  • members (dict[str, int]) – A mapping from member names to their integer values.

  • base_type (SimType | None) – The underlying integer type (default: SimTypeInt).

  • name (str | None) – The name of the enum type.

members: dict[str, int]
property base_type: SimType
property size: int | None

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

resolve(value)

Resolve an integer value to its enum member name.

Parameters:

value (int) – The integer value to resolve.

Return type:

str | None

Returns:

The member name if found, None otherwise.

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

copy()
extract(state, addr, concrete=False)
store(state, addr, value)
class angr.sim_type.SimTypeBitfield

Bases: NamedTypeMixin, SimType

A bitfield/flags type where values can be combinations of named bit flags.

This is useful for representing flags like PROT_READ | PROT_WRITE where multiple flags can be combined with bitwise OR.

Parameters:

  • flags (dict[str, int]) – A mapping from flag names to their bitmask values.

  • base_type (SimType | None) – The underlying integer type (default: SimTypeInt).

  • name (str | None) – The name of the bitfield type.

flags: dict[str, int]
property base_type: SimType
property size: int | None

The size of the type in bits, or None if no size is computable.

property alignment

The alignment of the type in bytes.

resolve(value)

Resolve an integer value to a combination of flag names.

Parameters:

value (int) – The integer value to resolve.

Return type:

tuple[list[str], int]

Returns:

A tuple of (matched_flag_names, unknown_bits). If unknown_bits != 0, there are bits set that don’t match any known flag.

render(value)

Render an integer value as a combination of flag names.

Parameters:

value (int) – The integer value to render.

Return type:

str

Returns:

A string like “PROT_READ | PROT_WRITE” or “PROT_READ | PROT_WRITE | 0x100” if there are unknown bits.

has_unknown_bits(value)

Check if a value contains bits that don’t match any known flag.

Parameters:

value (int) – The integer value to check.

Return type:

bool

Returns:

True if there are unknown bits, False otherwise.

validate(value)

Check if a value contains only known flags.

Parameters:

value (int) – The integer value to validate.

Return type:

bool

Returns:

True if all bits match known flags, False otherwise.

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Parameters:

name_parens (bool)

copy()
extract(state, addr, concrete=False)
store(state, addr, value)
class angr.sim_type.SimCppClass

Bases: SimStruct

property members
property size

The size of the type in bits, or None if no size is computable.

extract(state, addr, concrete=False)
Return type:

SimCppClassValue

store(state, addr, value)
Parameters:

value (int | BV)

copy()
class angr.sim_type.SimCppClassValue

Bases: SimStructValue

A SimCppClass type paired with some real values

copy()
class angr.sim_type.SimTypeNumOffset

Bases: SimTypeNum

like SimTypeNum, but supports an offset of 1 to 7 to a byte aligned address to allow structs with bitfields

extract(state, addr, concrete=False)
Overloads:

  • self, state (SimState), addr, concrete (Literal[False]) → claripy.ast.BV

  • self, state (SimState), addr, concrete (Literal[True]) → int

Parameters:

state (SimState)

store(state, addr, value)
copy()
class angr.sim_type.SimTypeRef

Bases: SimType

SimTypeRef is a to-be-resolved reference to another SimType.

SimTypeRef is not SimTypeReference.

property name: str | None
set_size(v)
Parameters:

v (int)

c_repr(name=None, full=0, memo=None, indent=0, name_parens=True)
Return type:

str

Parameters:

name_parens (bool)

angr.sim_type.register_types(types)

Pass in some types and they will be registered to the global type store.

The argument may be either a mapping from name to SimType, or a plain SimType. The plain SimType must be either a struct or union type with a name present.

>>> register_types(parse_types("typedef int x; typedef float y;"))
>>> register_types(parse_type("struct abcd { int ab; float cd; }"))
angr.sim_type.parse_signature(defn, predefined_types=None, arch=None)

Parse a single function prototype and return its type

Return type:

SimTypeFunction

angr.sim_type.parse_defns(defn, predefined_types=None, arch=None)

Parse a series of C definitions, returns a mapping from variable name to variable type object

Return type:

dict[str, SimType]

angr.sim_type.parse_types(defn, predefined_types=None, arch=None)

Parse a series of C definitions, returns a mapping from type name to type object

Return type:

dict[str, SimType]

angr.sim_type.parse_file(defn, predefined_types=None, arch=None, side_effect_types=None)

Parse a series of C definitions, returns a tuple of two type mappings, one for variable definitions and one for type definitions.

Return type:

tuple[dict[str, SimType], dict[str, SimType]]

Parameters:
angr.sim_type.type_parser_singleton()
Return type:

CParser

angr.sim_type.parse_type(defn, predefined_types=None, arch=None)

Parse a simple type expression into a SimType

>>> parse_type('int *')
angr.sim_type.parse_type_with_name(defn, preprocess=True, predefined_types=None, arch=None, side_effect_types=None)

Parse a simple type expression into a SimType, returning a tuple of the type object and any associated name that might be found in the place a name would go in a type declaration.

>>> parse_type_with_name('int *foo')
Parameters:
angr.sim_type.normalize_cpp_function_name(name)
Return type:

str

Parameters:

name (str)

angr.sim_type.parse_cpp_file(cpp_decl, with_param_names=False)
Parameters:

with_param_names (bool)