A basic event that triggers CFG modifications.

Represents an instruction-level basic block.

Callee's kind.

This is the main class for building a CFG from a given binary.

Error occured from a CFG analysis.

List of CFGEvents. We divide events into three groups: (1) basic events, (2) callee-analysis events, and (3) per-function-analysis events. The basic events are essential ones for building regular CFGs. The callee-analysis events are to detect mutually recursive callee analysis events. The function-analysis events are to perform per-function analysis in order to recover high-level CFG information, such as no-return information, and indirect branch targets.

CodeManager manages all the processed information about the binary code including *parsed* instructions, their basic blocks, functions, as well as exception handling routines.

Maintain the address-level coverage information, and thereby, gap information.

A graph lens for obtaining DisasmCFG.

A mapping from an address to a DisasmCFG vertex.

ExceptionTable holds parsed exception information of a binary code (given by the BinHandle).

External function is a function that is defined in another binary. Functions in PLT is also considered as an external function, and we always link a PLT entry with its corresponding GOT entry to consider such a pair as an external function, where its entry is located at the GOT and its trampoline is at the PLT.

FakeEdge is a tuple of (Callsite address, Call target address). This is to uniquely identify edges from a call instruction to a fake block. Note that even though there are multiple calls to the same outer function, each of the callsites should be connected to an independent fake block. That's the reason why we use FakeEdge to distinguish them.

Function is a non-overlapping chunk of code in a binary. We do not allow function overlaps. When there exist two functions sharing common basic blocks, B2R2 will create a new function to represent the common blocks. Function can also represent a function defined outside of the current binary. Such functions are called ExternalFunction.

Function can be either external or regualr.

Maintains functions in the binary.

To support the rollback mechanism, we remember inter-function edges created during the recovery of an indirect branch. If a vertex has been promoted due to such an edge, and the edge has turned out to be invalid, then we should be able to revert the promotion.

Record and manage the CFG recovery history.

The main interface for building a CFG.

IndirectCallResolution tries to find indirect call target by constant propagation. We should fix this if we meet a table-like indirect call targets.

Indirect jump's kind.

IndirectJumpResolution recovers jump targets of indirect jumps by inferring their jump tables. It first identifies jump table bases with constant propagation and recovers the entire table ranges by leveraging the structural properties of the binary.

Pluggable analysis interface. Any CFG-related analysis implementing this interface can be plugged in or unplugged from the BinEssence.

Indirect branch jump table information.

Since Symbol is only unique within an instruction, it is necessary to tag it with the instruction address that holds the symbol.

NoReturnFunctionIdentification has two roles: (1) identify whether a function is non-returning or not, and (2) add return and fall-through edges if callee function is non-returning.

NoReturnProperty of a function specifies whether the function will eventually return or not. Some functions, e.g., exit, will never return in any cases, and compilers often remove fall-through edges of callers of such functions.

Helper module for per-function analyses.

PerFunctionAnalysis implements a core CFG-recovery algorithm, which modifies a function-level CFG by analyzing the function. Though it works per function, It can modify other functions (thus, the entire CFGInfo). An analysis appends CFGEvents to modify function, but it can also modify the function directly.

Regular function is a function that has its own body in the target binary. Therefore, regular functions have their own IR-level CFG.

Temporary information obtained by parsing a block (bbl) of instructions, such as IR-level leaders and auxiliary information about an instruction-level basic block. This information is necessary to construct a (IR-level) CFG. Normally, a single instruction-level bbl represents a single IR-level basic block, but if there exist intra-instruction control flows, it can have multiple intra blocks.