cfg

This module generates the control flow graph of the disassembled code

cfg_edge(src:address, dest:address, conditional:symbol, indirect:symbol, type:symbol)

This predicate specifies a CFG edge between two locations in the binary.

• Uses: arch.conditional, arch.jump, block_information, code_in_refined_block, conditional_return, direct_call, direct_jump, function_inference.in_function, loaded_section, may_fallthrough, no_return_call_propagated, nop_block, pc_load_call, plt_block, refined_block, refined_block_control_instruction, refined_block_last_instruction, resolved_transfer, unconditional_return

• Used by: cfg_edge_to_top

• Recursive: cfg_edge

cfg_edge_to_top(src:address, conditional:symbol, type:symbol)

This predicate specifies CFG edges from src to a Top proxy block to model calls or jumps whose destination is unknown. This is optimistic, if at least one target of a jump/call is known, the edge to the proxy block will not be generated.

• Uses: cfg_edge, conditional_jump, conditional_return, indirect_call, indirect_jump, refined_block_control_instruction, refined_block_last_instruction, reg_call, reg_jump, resolved_transfer, resolved_transfer_to_symbol, unconditional_jump, unconditional_return

cfg_edge_to_symbol(src:address, Symbol:symbol, conditional:symbol, indirect:symbol, type:symbol)

This predicate specifies CFG edges whose destination is an external symbol.

• Uses: arch.call, arch.conditional, arch.jump, instruction_immediate_offset, pointer_to_external_symbol, refined_block_control_instruction, refined_block_last_instruction, resolved_transfer_to_symbol

jump_table(Src:address, Memory:address)

The jump at address Src might access the jump table entry at address Memory.

• Uses: code_in_block, data_access, data_access_pattern, indirect_jump

• Recursive: split_block, string_candidate_refined, symbolic_operand, discarded_jump_table_entry, next_address_in_data, inferred_main_function, symbolic_expr, symbolic_data, string_candidate, +disconnected2, symbolic_operand_point, moved_displacement_candidate, code_in_split_block, data_limit, data_object_candidate, value_reg_address_before, symbol_score, symbol_minus_symbol, data_object_total_points, discarded_data_object, symbolic_expr_symbol_minus_symbol, address_array, best_symexpr_symbol, boundary_sym_expr, resolved_transfer, inferred_symbol_mips, symbol_minus_symbol_candidate, data_object, code_in_refined_block, moved_pc_relative_candidate, next_data_limit, inferred_symbol, labeled_data_candidate, data_object_conflict, moved_label_candidate, +disconnected6, block_needs_splitting_at, block_needs_merging, relative_jump_table_entry, symbol_minus_symbol_from_relocation, best_func_symbol, jump_table, +disconnected4, symbolic_expr_attribute, data_access_limit, inferred_special_symbol, label_conflict, labeled_ea, data_object_point, main_function, moved_label, address_array_aux, got_reference, data_limit_after_access, code_pointer_in_data, refined_block, moved_data_label, function_inference.function_entry, preferred_data_access, after_address_in_data, +disconnected1, symbolic_operand_attribute

resolved_transfer(EA:address, Dest:address, Type:symbol)

This predicate represents known targets of indirect jumps or calls. EA is the address of the jump or call instruction and Dest

is the destination address. Type can be “branch” or “call”.

• Uses: arch.call, arch.jump, code_in_block, data_access_pattern_candidate_refined, defined_symbol, indirect_call, indirect_jump, instruction, jump_table_candidate_refined, jump_table_start, op_regdirect_contains_reg, plt_entry, reg_call, reg_def_use.def_used, reg_jump, split_load_candidate, symbolic_expr_from_relocation, value_reg

• Used by: cfg_edge, cfg_edge_to_top

• Recursive: split_block, string_candidate_refined, symbolic_operand, discarded_jump_table_entry, next_address_in_data, inferred_main_function, symbolic_expr, symbolic_data, string_candidate, +disconnected2, symbolic_operand_point, moved_displacement_candidate, code_in_split_block, data_limit, data_object_candidate, value_reg_address_before, symbol_score, symbol_minus_symbol, data_object_total_points, discarded_data_object, symbolic_expr_symbol_minus_symbol, address_array, best_symexpr_symbol, boundary_sym_expr, resolved_transfer, inferred_symbol_mips, symbol_minus_symbol_candidate, data_object, code_in_refined_block, moved_pc_relative_candidate, next_data_limit, inferred_symbol, labeled_data_candidate, data_object_conflict, moved_label_candidate, +disconnected6, block_needs_splitting_at, block_needs_merging, relative_jump_table_entry, symbol_minus_symbol_from_relocation, best_func_symbol, jump_table, +disconnected4, symbolic_expr_attribute, data_access_limit, inferred_special_symbol, label_conflict, labeled_ea, data_object_point, main_function, moved_label, address_array_aux, got_reference, data_limit_after_access, code_pointer_in_data, refined_block, moved_data_label, function_inference.function_entry, preferred_data_access, after_address_in_data, +disconnected1, symbolic_operand_attribute

resolved_transfer_to_symbol(EA:address, Symbol:symbol, Type:symbol)

This predicates represent known targets of indirect jumps or calls that refer to external symbols. It is similar to resolved_transfer but its target is not an address but a symbol. ‘Type’ can be “branch” or “call”.

• Uses: arch.memory_access, data_access_pattern_candidate_refined, indirect_call, indirect_jump, plt_entry, pointer_to_external_symbol, reg_call, reg_def_use.def_used, reg_jump, symbol

• Used by: cfg_edge_to_symbol, cfg_edge_to_top

pointer_to_external_symbol(DataPointer:address, Symbol:symbol)

Auxiliary predicate of resolved_transfer_to_symbol that captures a pointer at address ‘DataPointer’ that refers to the external symbol ‘Symbol’.

• Uses: defined_symbol, inferred_symbol, pe_import_entry, symbolic_expr

• Used by: cfg_edge_to_symbol, resolved_transfer_to_symbol