cozy.concolic.heuristics

Classes

ArbitraryCandidate

For use as the candidate heuristic in cozy.exploration.ConcolicSim.generate_concrete()

BBTransitionCandidate

For use as the candidate heuristic in cozy.exploration.ConcolicSim.generate_concrete()

CompleteTermination

This termination heuristic tells the concolic execution to explore until all states are deadended.

CoverageTermination

This termination heuristic tells the concolic execution to explore until a certain fraction of a

CyclomaticComplexityTermination

This termination heuristic tells the concolic execution to explore until a certain number of terminated

Module Contents

class cozy.concolic.heuristics.ArbitraryCandidate

For use as the candidate heuristic in cozy.exploration.ConcolicSim.generate_concrete() This heuristic will choose the next exploration candidate by popping the last element off the candidate’s list.

__call__(candidate_states: list[angr.SimState])
class cozy.concolic.heuristics.BBTransitionCandidate(lookback: int = 2)

For use as the candidate heuristic in cozy.exploration.ConcolicSim.generate_concrete() This heuristic will select a candidate whose basic block history has been seen least frequently in the past. This class keeps an internal record of candidates it chose in the past to compute this metric.

Parameters:

lookback (int) – The number of basic blocks we should look back to when computing a candidate’s transition history. This should be a small integer, somewhere in the range 1 to 6. This number should in general only be increased if the total number of states we search goes up. The candidate state with the most unique transition history will be chosen by this heuristic.

transitions
lookback = 2
__call__(candidate_states: list[angr.SimState])
class cozy.concolic.heuristics.CompleteTermination

This termination heuristic tells the concolic execution to explore until all states are deadended.

__call__(simgr)
class cozy.concolic.heuristics.CoverageTermination(fun: angr.knowledge_plugins.Function, coverage_fraction: float = 0.9)

This termination heuristic tells the concolic execution to explore until a certain fraction of a function’s basic blocks have been visited at least once.

Parameters:

  • fun (Function) – The function that we are seeking a specific coverage over.

  • coverage_fraction (float) – A number in the range [0, 1] that determines what fraction of basic blocks need to be visited before termination is reached.

block_addrs
prev_terminal_states
visited_blocks
coverage_fraction = 0.9
static from_session(sess: cozy.project.Session, coverage_fraction: float = 0.9) CoverageTermination

Constructs a CoverageTermination object from an unrun session.

Parameters:

  • sess (Session) – The session which is set to call some specific function, but has not yet been run.

  • coverage_fraction (float) – A number in the range [0, 1] that determines what fraction of basic blocks need to be visited before termination is reached.

__call__(simgr)
class cozy.concolic.heuristics.CyclomaticComplexityTermination(fun: angr.knowledge_plugins.Function, fun_manager: angr.knowledge_plugins.FunctionManager, add_callees=True, multiplier: int | float = 1)

This termination heuristic tells the concolic execution to explore until a certain number of terminated states are reached. If add_callees is False, then this value is equal to the cyclomatic complexity of the function. Otherwise, it is equal to the cyclomatic complexity of the function plus the cyclomatic complexity of all callees of the function (recursively).

Parameters:

  • add_callees (bool) – If this parameter is True, the cyclomatic complexity of all functions deeper in the call graph will be summed to determine the maximum number of states to explore. If False, the upper bound will be the cyclomatic complexity of the session.

  • multiplier (int | float) – The computed cyclomatic complexity sum will be multiplied by this value to determine the number of states to explore

cyclomatic_complexity = 0
static from_session(sess: cozy.project.Session, add_callees=True, multiplier: int | float = 1) CyclomaticComplexityTermination

Constructs an object from a session. The session must be started from a specific function.

Parameters:

  • add_callees (bool) – If this parameter is True, the cyclomatic complexity of all functions deeper in the call graph will be summed to determine the maximum number of states to explore. If False, the upper bound will be the cyclomatic complexity of the session.

  • multiplier (int | float) – The computed cyclomatic complexity sum will be multiplied by this value to determine the number of states to explore

__call__(simgr)