STIMSMITH

Control Flow Graph (CFG)

Concept

A Control Flow Graph (CFG) is a directed graph representation of a program in which nodes are basic blocks and edges encode possible transfers of control. CFGs are a foundational abstraction used by static analysis, hardware-fuzzing coverage heuristics, and program-obfuscation research, and are commonly refined with auxiliary analyses (e.g., data/control dependencies, code-reuse context) to better approximate execution semantics.

First seen 6/11/2026
Last seen 6/11/2026
Evidence 5 chunks
Wiki v1

WIKI

Overview

A Control Flow Graph (CFG) models a program as a directed graph whose nodes are basic blocks (maximal straight-line instruction sequences with a single entry and a single exit) and whose edges represent possible transfers of control between those blocks. CFGs allow program structure to be analyzed without executing the program and form the substrate on which many static analyses, fuzzing heuristics, and reverse-engineering or obfuscation techniques are built.

Structure



RELATIONSHIPS

3 connections
The paper extracts and uses CFGs from processor designs as heuristic information.
static analysis ← uses 95% 1e
Static analysis constructs and uses the CFG for code analysis.
Dependency-Aware Heuristic ← uses 95% 1e
The dependency-aware heuristic uses the refined CFG to identify seeds close to unvisited branches.
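As an added, runnable illustration of the two ideas on this page (the block structure described in the Overview, and the seed-scoring rule that the Dependency-Aware Heuristic relationship above and citation [4] below summarise): the example builds a CFG from a constructed toy instruction listing with the standard leader-based basic-block split, exposes predecessors and successors, performs the bounded-distance successor search, and scores a seed. This is example code written for this page, not code from the cited papers or from this wiki. The toy ISA, the listing, the `accessed`/`visited` sets and the reading of the `min` as ranging over the unvisited successors u_j are all assumptions made here; the cited work builds its CFGs from RTL (via Pyverilog and Z3) and from EVM bytecode, not from an instruction listing like this one.

```python
"""CFG construction plus distance-based seed scoring (added example)."""
from collections import deque

# Constructed toy listing: (opcode, branch target index or None).
# 'br' is a conditional branch (may fall through), 'jmp' is unconditional,
# 'ret' ends the program. This ISA is hypothetical and exists only for the demo.
PROGRAM = [
    ("mov", None),  # 0
    ("br", 4),      # 1: if cond goto 4, else fall through to 2
    ("add", None),  # 2
    ("jmp", 6),     # 3
    ("sub", None),  # 4
    ("br", 1),      # 5: loop back to 1 or fall through to 6
    ("ret", None),  # 6
]
BRANCHES = {"br", "jmp"}
TERMINALS = {"ret"}


def leaders(program):
    """Indices that start a basic block: the entry, every branch target, and
    the instruction after every branch or terminal (the classic leader rule)."""
    lead = {0}
    for i, (op, target) in enumerate(program):
        if op in BRANCHES:
            lead.add(target)
        if op in BRANCHES | TERMINALS and i + 1 < len(program):
            lead.add(i + 1)
    return sorted(lead)


def build_cfg(program):
    """Return (blocks, succ): blocks maps block id -> (first, last) instruction
    index; succ maps block id -> set of successor block ids (the CFG edges)."""
    starts = leaders(program)
    blocks, block_of = {}, {}
    for b, first in enumerate(starts):
        last = starts[b + 1] - 1 if b + 1 < len(starts) else len(program) - 1
        blocks[b] = (first, last)
        for i in range(first, last + 1):
            block_of[i] = b
    succ = {b: set() for b in blocks}
    for b, (_, last) in blocks.items():
        op, target = program[last]
        if op in BRANCHES:
            succ[b].add(block_of[target])          # taken-branch edge
        if op != "jmp" and op not in TERMINALS and last + 1 < len(program):
            succ[b].add(block_of[last + 1])        # fall-through edge
    return blocks, succ


def predecessors(succ):
    """Invert the successor map so a block's predecessors can be listed too."""
    pred = {b: set() for b in succ}
    for b, outs in succ.items():
        for s in outs:
            pred[s].add(b)
    return pred


def successors_within(succ, start, max_dist):
    """Breadth-first search from `start`; returns {block: distance} for every
    block reachable in 1..max_dist edges (distance = shortest path length)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        if dist[u] == max_dist:
            continue
        for v in succ[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return {v: d for v, d in dist.items() if d > 0}


def dependency_aware_score(succ, accessed, visited, max_dist=3):
    """Seed score following the rule summarised in citation [4]: for each block
    p_i the seed accessed, look at successors within max_dist (3 in the paper),
    keep the unvisited ones u_j, and add min_j 1/d(p_i, u_j). Taking the min
    over the u_j is this example's reading of the summary (an assumption);
    a p_i with no unvisited successor nearby contributes nothing."""
    score = 0.0
    for p in accessed:
        inverse = [1.0 / d for u, d in successors_within(succ, p, max_dist).items()
                   if u not in visited]
        if inverse:
            score += min(inverse)
    return score


if __name__ == "__main__":
    blocks, succ = build_cfg(PROGRAM)
    pred = predecessors(succ)
    for b, (first, last) in blocks.items():
        print(f"B{b}: instrs {first}..{last}  preds={sorted(pred[b])} succs={sorted(succ[b])}")
    # A seed that reached B0 and B1 while B0, B1, B2, B4 are already covered:
    # only B3 is unvisited, at distance 2 from B0 and 1 from B1 -> 0.5 + 1.0.
    print("score:", dependency_aware_score(succ, [0, 1], {0, 1, 2, 4}))
```

The refined CFG of citation [3] is the same structure with extra edges for data/control dependencies added to `succ`; those edges shorten BFS distances between blocks that the plain control-flow split keeps apart, which is what lets the heuristic rank a seed as "close" to an unvisited branch that plain control flow would place further away.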

CITATIONS

10 sources
[1] A CFG's nodes are basic blocks and its edges represent control flow between them; basic blocks of interest (e.g., b4) appear with their predecessors and successors. Fine-Grained Code Analysis for Processor Fuzzing
[2] Pyverilog and the Z3 SMT-solver are used in forming the CFG for hardware (RTL) designs. Fine-Grained Code Analysis for Processor Fuzzing
[3] Compared with a plain CFG built from control flow alone, a refined CFG produced after dependency analysis adds additional edges that capture data/control dependencies between basic blocks (illustrated on Rocket-processor exception handling). Fine-Grained Code Analysis for Processor Fuzzing
[4] The Dependency-Aware Heuristic is defined on the refined CFG: for each accessed branch p_i, it searches CFG successors within distance ≤ 3 and scores a seed by Σ min(1 / d(p_i, u_j)) over unvisited successors u_j. Fine-Grained Code Analysis for Processor Fuzzing
[5] The Frequency Heuristic prioritizes seeds based on accumulated access counts of branches, in contrast to the CFG-distance-based Dependency-Aware Heuristic. Fine-Grained Code Analysis for Processor Fuzzing
[6] Compiler-introduced code reuse causes reuse-insensitive CFGs of EVM bytecode to exhibit semantic ambiguities and redundant control-flow dependencies. Building Reuse-Sensitive Control Flow Graphs (CFGs) for EVM Bytecode
[7] Esuer dynamically identifies code reuse when constructing reuse-sensitive CFGs of EVM bytecode, achieving 99.94% execution-trace coverage and a 97.02% F1-score for identifying reused code. Building Reuse-Sensitive Control Flow Graphs (CFGs) for EVM Bytecode
[8] Esuer's reuse-sensitive CFGs help identify smart-contract vulnerabilities such as tx.origin and reentrancy with F1-scores of 99.97% and 99.67% respectively. Building Reuse-Sensitive Control Flow Graphs (CFGs) for EVM Bytecode
[9] A program's CFG typically leaks considerable structural information, so obfuscating only straight-line code is insufficient: the CFG can still be extracted and analyzed. Generating Functionally Equivalent Programs Having Non-Isomorphic Control-Flow Graphs
[10] A method has been proposed to rewrite a program P into a functionally equivalent P' such that CFG{P} and CFG{P'} are radically different (non-isomorphic). Generating Functionally Equivalent Programs Having Non-Isomorphic Control-Flow Graphs