angr.analyses.typehoon¶

class angr.analyses.typehoon.TypeTranslator

Bases: object

Translate type constants to SimType and SimType to type constants.

__init__(arch)

Parameters:: arch (Arch)

arch: Arch

translated: dict[TypeConstant, SimType]

translated_simtypes: dict[SimType, TypeConstant]

structs

memo

named_struct_id_counter

struct_name_to_idx

struct_name()

tc2simtype(tc)

simtype2tc(simtype)

Return type:: TypeConstant
Parameters:: simtype (SimType)

lift(simtype)

Return type:: TypeConstant
Parameters:: simtype (SimType)

concretize(tc)

backpatch(st, translated)

Parameters:

st (sim_type.SimType)
translated (dict)

Returns:

class angr.analyses.typehoon.Typehoon

Bases: Analysis

A spiritual tribute to the long-standing typehoon project that @jmg (John Grosen) worked on during his days in the angr team. Now I feel really bad of asking the poor guy to work directly on VEX IR without any fancy static analysis support as we have right now…

Typehoon analysis implements a pushdown system that simplifies and solves type constraints. Our type constraints are largely an implementation of the paper Polymorphic Type Inference for Machine Code by Noonan, Loginov, and Cok from GrammaTech (with missing functionality support and bugs, of course). Type constraints are collected by running VariableRecoveryFast (maybe VariableRecovery later as well) on a function, and then solved using this analysis.

User may specify ground truth, which will override all types at certain program points during constraint solving.

__init__(constraints, func_var, ground_truth=None, var_mapping=None, must_struct=None, stackvar_max_sizes=None, stack_offset_tvs=None, constraint_set_degradation_threshold=150, type_translator=None, tv_manager=None)

Parameters:

constraints
ground_truth – A set of SimType-style solutions for some or all type variables. They will be respected during type solving.
var_mapping (dict[SimVariable, set[TypeVariable]] | None)
must_struct (set[TypeVariable] | None)
stackvar_max_sizes (dict[TypeVariable, int] | None)
stack_offset_tvs (dict[int, TypeVariable] | None)
constraint_set_degradation_threshold (int)
type_translator (TypeTranslator | None)
tv_manager (TypeVariableManager | None)

update_variable_types(func_addr, var_to_typevars, stack_offset_tvs=None)

Return type:

None

Parameters:

func_addr (int | str)
var_to_typevars (dict[SimVariable, set[TypeVariable]])
stack_offset_tvs (dict[int, TypeVariable] | None)

pp_constraints()

Pretty-print constraints between variables using the variable mapping.

Return type:: None

pp_solution()

Pretty-print solutions using the variable mapping.

Return type:: None

Submodules

`dfa`
`simple_solver`
`translator`
`typeconsts`	All type constants used in type inference.
`typehoon`
`typevars`
`variance`