angr 9.2.111__py3-none-manylinux2014_x86_64.whl → 9.2.113__py3-none-manylinux2014_x86_64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.111"
+__version__ = "9.2.113"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/cfg_base.py

@@ -7,7 +7,6 @@ import networkx
 from sortedcontainers import SortedDict
 
 import pyvex
-from claripy.utils.orderedset import OrderedSet
 from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec, XBE
 from cle.backends import NamedRegion
 import archinfo
@@ -34,6 +33,7 @@ from angr.codenode import HookNode, BlockNode
 from angr.engines.vex.lifter import VEX_IRSB_MAX_SIZE, VEX_IRSB_MAX_INST
 from angr.analyses import Analysis
 from angr.analyses.stack_pointer_tracker import StackPointerTracker
+from angr.utils.orderedset import OrderedSet
 from .indirect_jump_resolvers.default_resolvers import default_indirect_jump_resolvers
 
 if TYPE_CHECKING:
@@ -746,6 +746,9 @@ class CFGBase(Analysis):
         memory_regions = []
 
         for b in binaries:
+            if not b.has_memory:
+                continue
+
             if isinstance(b, ELF):
                 # If we have sections, we get result from sections
                 sections = []

angr/analyses/decompiler/condition_processor.py

@@ -184,7 +184,12 @@ class ConditionProcessor:
         self.edge_conditions = edge_conditions
 
     def recover_reaching_conditions(
-        self, region, graph=None, with_successors=False, case_entry_to_switch_head: dict[int, int] | None = None
+        self,
+        region,
+        graph=None,
+        with_successors=False,
+        case_entry_to_switch_head: dict[int, int] | None = None,
+        simplify_conditions: bool = True,
     ):
         """
         Recover the reaching conditions for each block in an acyclic graph. Note that we assume the graph that's passed
@@ -255,7 +260,9 @@ class ConditionProcessor:
                         reaching_condition = claripy.Or(claripy.And(pred_condition, edge_condition), reaching_condition)
 
             if reaching_condition is not None:
-                reaching_conditions[node] = self.simplify_condition(reaching_condition)
+                reaching_conditions[node] = (
+                    self.simplify_condition(reaching_condition) if simplify_conditions else reaching_condition
+                )
 
         # My hypothesis: for nodes where two paths come together *and* those that cannot be further structured into
         # another if-else construct (we take the short-cut by testing if the operator is an "Or" after running our

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -28,6 +28,7 @@ from .code_motion import CodeMotionOptimization
 from .switch_default_case_duplicator import SwitchDefaultCaseDuplicator
 from .deadblock_remover import DeadblockRemover
 from .inlined_string_transformation_simplifier import InlinedStringTransformationSimplifier
+from .const_prop_reverter import ConstPropOptReverter
 
 # order matters!
 _all_optimization_passes = [
@@ -47,7 +48,8 @@ _all_optimization_passes = [
     (ReturnDuplicatorHigh, True),
     (DeadblockRemover, True),
     (SwitchDefaultCaseDuplicator, True),
-    (LoweredSwitchSimplifier, False),
+    (ConstPropOptReverter, True),
+    (LoweredSwitchSimplifier, True),
     (ReturnDuplicatorLow, True),
     (ReturnDeduplicator, True),
     (CodeMotionOptimization, True),

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -0,0 +1,367 @@
+import logging
+from collections.abc import Callable
+import itertools
+
+import networkx
+import claripy
+from ailment import Const
+from ailment.block_walker import AILBlockWalkerBase
+from ailment.statement import Call, Statement, ConditionalJump, Assignment, Store, Return
+from ailment.expression import Convert, Register
+
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+from ..utils import remove_labels, add_labels
+from ....knowledge_plugins.key_definitions.atoms import MemoryLocation
+from ....knowledge_plugins.key_definitions.constants import OP_BEFORE
+
+
+_l = logging.getLogger(__name__)
+
+
+class PairAILBlockWalker:
+    """
+    This AILBlockWalker will walk two blocks at a time and call a handler for each pair of statements that are
+    instances of the same type. This is useful for comparing two statements for similarity across blocks.
+    """
+
+    def __init__(self, graph: networkx.DiGraph, stmt_pair_handlers=None):
+        self.graph = graph
+
+        _default_stmt_handlers = {
+            Assignment: self._handle_Assignment_pair,
+            Call: self._handle_Call_pair,
+            Store: self._handle_Store_pair,
+            ConditionalJump: self._handle_ConditionalJump_pair,
+            Return: self._handle_Return_pair,
+        }
+
+        self.stmt_pair_handlers: dict[Statement, Callable] = (
+            stmt_pair_handlers if stmt_pair_handlers else _default_stmt_handlers
+        )
+
+    # pylint: disable=no-self-use
+    def _walk_block(self, block):
+        walked_objs = {Assignment: set(), Call: set(), Store: set(), ConditionalJump: set(), Return: set()}
+
+        # create a walker that will:
+        # 1. recursively expand a stmt with the default handler then,
+        # 2. record the stmt parts in the walked_objs dict with the overwritten handler
+        #
+        # CallExpressions are a special case that require a handler in expressions, since they are statements.
+        walker = AILBlockWalkerBase()
+        _default_stmt_handlers = {
+            Assignment: walker._handle_Assignment,
+            Call: walker._handle_Call,
+            Store: walker._handle_Store,
+            ConditionalJump: walker._handle_ConditionalJump,
+            Return: walker._handle_Return,
+        }
+
+        def _handle_ail_obj(stmt_idx, stmt, block_):
+            _default_stmt_handlers[type(stmt)](stmt_idx, stmt, block_)
+            walked_objs[type(stmt)].add(stmt)
+
+        # pylint: disable=unused-argument
+        def _handle_call_expr(expr_idx: int, expr: Call, stmt_idx: int, stmt: Statement, block_):
+            walked_objs[Call].add(expr)
+
+        _stmt_handlers = {typ: _handle_ail_obj for typ in walked_objs}
+        walker.stmt_handlers = _stmt_handlers
+        walker.expr_handlers[Call] = _handle_call_expr
+
+        walker.walk(block)
+        return walked_objs
+
+    def walk(self):
+        for b0, b1 in itertools.combinations(self.graph.nodes, 2):
+            walked_obj_by_blk = {}
+
+            for blk in (b0, b1):
+                walked_obj_by_blk[blk] = self._walk_block(blk)
+
+            for typ, objs0 in walked_obj_by_blk[b0].items():
+                try:
+                    handler = self.stmt_pair_handlers[typ]
+                except KeyError:
+                    continue
+
+                if not objs0:
+                    continue
+
+                objs1 = walked_obj_by_blk[b1][typ]
+                if not objs1:
+                    continue
+
+                for o0 in objs0:
+                    for o1 in objs1:
+                        handler(o0, b0, o1, b1)
+
+    #
+    # default handlers
+    #
+
+    # pylint: disable=unused-argument,no-self-use
+    def _handle_Assignment_pair(self, obj0, blk0, obj1, blk1):
+        return
+
+    # pylint: disable=unused-argument,no-self-use
+    def _handle_Call_pair(self, obj0, blk0, obj1, blk1):
+        return
+
+    # pylint: disable=unused-argument,no-self-use
+    def _handle_Store_pair(self, obj0, blk0, obj1, blk1):
+        return
+
+    # pylint: disable=unused-argument,no-self-use
+    def _handle_ConditionalJump_pair(self, obj0, blk0, obj1, blk1):
+        return
+
+    # pylint: disable=unused-argument,no-self-use
+    def _handle_Return_pair(self, obj0, blk0, obj1, blk1):
+        return
+
+
+class ConstPropOptReverter(OptimizationPass):
+    """
+    This optimization reverts the effects of constant propagation done by the compiler as discussed in the
+    USENIX 2024 paper SAILR. This optimization's main goal is to enable later optimizations that rely on
+    symbolic variables to be more effective. This optimization pass will convert two statements with a difference of
+    a const and a symbolic variable into two statements with the symbolic variables.
+
+    As an example:
+    x = 75
+    puts(x)
+    puts(75)
+
+    will be converted to:
+    x = 75
+    puts(x)
+    puts(x)
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.DURING_REGION_IDENTIFICATION
+    NAME = "Revert Constant Propagation Optimizations"
+    DESCRIPTION = __doc__.strip()
+
+    def __init__(self, func, region_identifier=None, reaching_definitions=None, **kwargs):
+        self.ri = region_identifier
+        self.rd = reaching_definitions
+        super().__init__(func, **kwargs)
+
+        self._call_pair_targets = []
+        self.resolution = False
+        self.analyze()
+
+    def _check(self):
+        return True, {}
+
+    def _analyze(self, cache=None):
+        self.resolution = False
+        self.out_graph = remove_labels(self._graph)
+        # self.out_graph = self._graph
+
+        _pair_stmt_handlers = {
+            Call: self._handle_Call_pair,
+            Return: self._handle_Return_pair,
+        }
+
+        if self.out_graph is None:
+            return
+
+        walker = PairAILBlockWalker(self.out_graph, stmt_pair_handlers=_pair_stmt_handlers)
+        walker.walk()
+        if self._call_pair_targets:
+            self._analyze_call_pair_targets()
+
+        if not self.resolution:
+            self.out_graph = None
+        else:
+            self.out_graph = add_labels(self.out_graph)
+
+    def _analyze_call_pair_targets(self):
+        all_obs_points = []
+        for _, observation_points in self._call_pair_targets:
+            all_obs_points.extend(observation_points)
+
+        self.rd = self.project.analyses.ReachingDefinitions(subject=self._func, observation_points=all_obs_points)
+
+        for (call0, blk0, call1, blk1, arg_conflicts), _ in self._call_pair_targets:
+            # attempt to do constant resolution for each argument that differs
+            for i, args in arg_conflicts.items():
+                a0, a1 = args[:]
+                calls = {a0: call0, a1: call1}
+                blks = {call0: blk0, call1: blk1}
+
+                # we can only resolve two arguments where one is constant and one is symbolic
+                const_arg = None
+                sym_arg = None
+                for arg in calls:
+                    if isinstance(arg, Const) and const_arg is None:
+                        const_arg = arg
+                    elif not isinstance(arg, Const) and sym_arg is None:
+                        sym_arg = arg
+
+                if const_arg is None or sym_arg is None:
+                    continue
+
+                unwrapped_sym_arg = sym_arg.operands[0] if isinstance(sym_arg, Convert) else sym_arg
+                try:
+                    # TODO: make this support more than just Loads
+                    # target must be a Load of a memory location
+                    target_atom = MemoryLocation(unwrapped_sym_arg.addr.value, unwrapped_sym_arg.size, "Iend_LE")
+                    const_state = self.rd.get_reaching_definitions_by_node(blks[calls[const_arg]].addr, OP_BEFORE)
+
+                    state_load_vals = const_state.get_value_from_atom(target_atom)
+                except AttributeError:
+                    continue
+                except KeyError:
+                    continue
+
+                if not state_load_vals:
+                    continue
+
+                state_vals = list(state_load_vals.values())
+                # the symbolic variable MUST resolve to only a single value
+                if len(state_vals) != 1:
+                    continue
+
+                state_val = list(state_vals[0])[0]
+                if hasattr(state_val, "concrete") and state_val.concrete:
+                    const_value = claripy.Solver().eval(state_val, 1)[0]
+                else:
+                    continue
+
+                if not const_value == const_arg.value:
+                    continue
+
+                _l.debug("Constant argument at position %d was resolved to symbolic arg %s", i, sym_arg)
+                const_call = calls[const_arg]
+                const_arg_i = const_call.args.index(const_arg)
+                const_call.args[const_arg_i] = sym_arg
+                self.resolution = True
+
+    #
+    # Handle Similar Returns
+    #
+
+    def _handle_Return_pair(self, obj0: Return, blk0: Return, obj1, blk1):
+        if obj0 is obj1:
+            return
+
+        rexp0, rexp1 = obj0.ret_exprs, obj1.ret_exprs
+        if rexp0 is None or rexp1 is None or len(rexp0) != len(rexp1):
+            return
+
+        conflicts = {
+            i: ret_exprs
+            for i, ret_exprs in enumerate(zip(rexp0, rexp1))
+            if hasattr(ret_exprs[0], "likes") and not ret_exprs[0].likes(ret_exprs[1])
+        }
+        # only single expr return is supported
+        if len(conflicts) != 1:
+            return
+
+        _, ret_exprs = list(conflicts.items())[0]
+        expr_to_blk = {ret_exprs[0]: blk0, ret_exprs[1]: blk1}
+        # find the expression that is symbolic
+        symb_expr, const_expr = None, None
+        for expr in ret_exprs:
+            unpacked_expr = expr
+            if isinstance(expr, Convert):
+                unpacked_expr = expr.operands[0]
+
+            if isinstance(unpacked_expr, Const):
+                const_expr = expr
+            elif isinstance(unpacked_expr, Call):
+                const_expr = expr
+            else:
+                symb_expr = expr
+
+        if symb_expr is None or const_expr is None:
+            return
+
+        # now we do specific cases for matching
+        if (
+            isinstance(symb_expr, Register)
+            and isinstance(const_expr, Call)
+            and isinstance(const_expr.ret_expr, Register)
+        ):
+            # Handles the following case
+            #   B0:
+            #   return foo();   // considered constant
+            #   B1:
+            #   return rax;     // considered symbolic
+            #
+            #   =>
+            #
+            #   B0:
+            #   rax = foo();
+            #   return rax;
+            #   B1:
+            #   return rax;
+            #
+            # This is useful later for merging the return.
+            #
+            call_return_reg = const_expr.ret_expr
+            if symb_expr.likes(call_return_reg):
+                symb_return_stmt = expr_to_blk[symb_expr].statements[-1]
+                const_block = expr_to_blk[const_expr]
+
+                # rax = foo();
+                reg_assign = Assignment(None, symb_expr, const_expr, **const_expr.tags)
+
+                # construct new constant block
+                new_const_block = const_block.copy()
+                new_const_block.statements = new_const_block.statements[:-1] + [reg_assign] + [symb_return_stmt.copy()]
+                self._update_block(const_block, new_const_block)
+                self.resolution = True
+        else:
+            _l.debug("This case is not supported yet for Return de-propagation")
+
+    #
+    # Handle Similar Calls
+    #
+
+    def _handle_Call_pair(self, obj0: Call, blk0, obj1: Call, blk1):
+        if obj0 is obj1:
+            return
+
+        # verify both calls are calls to the same function
+        if (isinstance(obj0.target, str) or isinstance(obj1.target, str)) and obj0.target != obj1.target:
+            return
+        elif not obj0.target.likes(obj1.target):
+            return
+
+        call0, call1 = obj0, obj1
+        arg_conflicts = self.find_conflicting_call_args(call0, call1)
+        # if there is no conflict, then there is nothing to fix
+        if not arg_conflicts:
+            return
+
+        _l.debug(
+            "Found two calls at (%x, %x) that are similar. Attempting to resolve const args now...",
+            blk0.addr,
+            blk1.addr,
+        )
+
+        # destroy old ReachDefs, since we need a new one
+        observation_points = ("node", blk0.addr, OP_BEFORE), ("node", blk1.addr, OP_BEFORE)
+
+        # do full analysis after collecting all calls in _analyze
+        self._call_pair_targets.append(((call0, blk0, call1, blk1, arg_conflicts), observation_points))
+
+    @staticmethod
+    def find_conflicting_call_args(call0: Call, call1: Call):
+        if not call0.args or not call1.args:
+            return None
+
+        # TODO: update this to work for variable-arg functions
+        if len(call0.args) != len(call1.args):
+            return None
+
+        # zip args of call 0 and 1 conflict if they are not like each other
+        conflicts = {i: args for i, args in enumerate(zip(call0.args, call1.args)) if not args[0].likes(args[1])}
+
+        return conflicts

angr/analyses/decompiler/optimization_passes/deadblock_remover.py

@@ -36,7 +36,7 @@ class DeadblockRemover(OptimizationPass):
             acyclic_graph = self._graph
         else:
             acyclic_graph = to_acyclic_graph(self._graph)
-        cond_proc.recover_reaching_conditions(region=None, graph=acyclic_graph)
+        cond_proc.recover_reaching_conditions(region=None, graph=acyclic_graph, simplify_conditions=False)
 
         if not any(claripy.is_false(c) for c in cond_proc.reaching_conditions.values()):
             return False, None

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -11,7 +11,8 @@ from ailment.expression import Expression, BinaryOp, Const, Load
 from angr.utils.graph import GraphUtils
 from ..utils import first_nonlabel_statement, remove_last_statement
 from ..structuring.structurer_nodes import IncompleteSwitchCaseHeadStatement, SequenceNode, MultiNode
-from .optimization_pass import OptimizationPass, OptimizationPassStage, MultipleBlocksException
+from .optimization_pass import OptimizationPassStage, MultipleBlocksException, StructuringOptimizationPass
+from ..region_simplifiers.switch_cluster_simplifier import SwitchClusterFinder
 
 if TYPE_CHECKING:
     from ailment.expression import UnaryOp, Convert
@@ -130,15 +131,19 @@ class StableVarExprHasher(AILBlockWalkerBase):
         super()._handle_Convert(expr_idx, expr, stmt_idx, stmt, block)
 
 
-class LoweredSwitchSimplifier(OptimizationPass):
+class LoweredSwitchSimplifier(StructuringOptimizationPass):
     """
-    Recognize and simplify lowered switch-case constructs.
+    This optimization recognizes and reverts switch cases that have been lowered and possibly split into multiple
+    if-else statements. This optimization, discussed in the USENIX 2024 paper SAILR, aims to undo the compiler
+    optimization known as "Switch Lowering", present in both GCC and Clang. An in-depth discussion of this
+    optimization can be found in the paper or in our documentation of the optimization:
+    https://github.com/mahaloz/sailr-eval/issues/14#issue-2232616411
+
+    Note, this optimization does not occur in MSVC, which uses a different optimization strategy for switch cases.
+    As a hack for now, we only run this deoptimization on Linux binaries.
     """
 
-    ARCHES = [
-        "AMD64",
-    ]
-    PLATFORMS = ["linux", "windows"]
+    PLATFORMS = ["linux"]
     STAGE = OptimizationPassStage.DURING_REGION_IDENTIFICATION
     NAME = "Convert lowered switch-cases (if-else) to switch-cases"
     DESCRIPTION = (
@@ -147,12 +152,60 @@ class LoweredSwitchSimplifier(OptimizationPass):
     )
     STRUCTURING = ["phoenix"]
 
-    def __init__(self, func, blocks_by_addr=None, blocks_by_addr_and_idx=None, graph=None, **kwargs):
+    def __init__(self, func, min_distinct_cases=2, **kwargs):
         super().__init__(
-            func, blocks_by_addr=blocks_by_addr, blocks_by_addr_and_idx=blocks_by_addr_and_idx, graph=graph, **kwargs
+            func,
+            require_gotos=False,
+            prevent_new_gotos=False,
+            simplify_ail=False,
+            must_improve_rel_quality=True,
+            **kwargs,
         )
+
+        # this is the max number of cases that can be in a switch that can be converted to a
+        # if-tree (if the number of cases is greater than this, the switch will not be converted)
+        # https://github.com/gcc-mirror/gcc/blob/f9a60d575f02822852aa22513c636be38f9c63ea/gcc/targhooks.cc#L1899
+        # TODO: add architecture specific values
+        default_case_values_threshold = 6
+        # NOTE: this means that there must be less than default_case_values for us to convert an if-tree to a switch
+        self._max_case_values = default_case_values_threshold
+
+        self._min_distinct_cases = min_distinct_cases
+
+        # used to determine if a switch-case construct is present in the code, useful for invalidating
+        # other heuristics that minimize false positives
+        self._switches_present_in_code = 0
+
         self.analyze()
 
+    @staticmethod
+    def _count_max_continuous_cases(cases: list[Case]) -> int:
+        if not cases:  # Return 0 if the list is empty
+            return 0
+
+        max_len = 0
+        current_len = 1  # Start with 1 since a single number is a sequence of length 1
+        sorted_cases = sorted(cases, key=lambda c: c.value)
+        for i in range(1, len(sorted_cases)):
+            if sorted_cases[i].value == sorted_cases[i - 1].value + 1:
+                current_len += 1
+            else:
+                max_len = max(max_len, current_len)
+                current_len = 1
+
+        # Final check to include the last sequence
+        max_len = max(max_len, current_len)
+        return max_len
+
+    @staticmethod
+    def _count_distinct_cases(cases: list[Case]) -> int:
+        return len({case.target for case in cases})
+
+    def _analyze_simplified_region(self, region, initial=False):
+        super()._analyze_simplified_region(region, initial=initial)
+        finder = SwitchClusterFinder(region)
+        self._switches_present_in_code = len(finder.var2switches.values())
+
     def _check(self):
         # TODO: More filtering
         return True, None
@@ -161,7 +214,7 @@ class LoweredSwitchSimplifier(OptimizationPass):
         variablehash_to_cases = self._find_cascading_switch_variable_comparisons()
 
         if not variablehash_to_cases:
-            return
+            return False
 
         graph_copy = networkx.DiGraph(self._graph)
         self.out_graph = graph_copy
@@ -169,7 +222,39 @@ class LoweredSwitchSimplifier(OptimizationPass):
 
         for _, caselists in variablehash_to_cases.items():
             for cases, redundant_nodes in caselists:
-                original_nodes = [case.original_node for case in cases if case.value != "default"]
+                real_cases = [case for case in cases if case.value != "default"]
+                max_continuous_cases = self._count_max_continuous_cases(real_cases)
+
+                # There are a few rules used in most compilers about when to lower a switch that would otherwise
+                # be a jump table into either a series of if-trees or into series of bit tests.
+                #
+                # RULE 1: You only ever convert a Switch into if-stmts if there are less continuous cases
+                # then specified by the default_case_values_threshold, therefore we should never try to rever it
+                # if there is more or equal than that.
+                # https://github.com/gcc-mirror/gcc/blob/f9a60d575f02822852aa22513c636be38f9c63ea/gcc/tree-switch-conversion.cc#L1406
+                if max_continuous_cases >= self._max_case_values:
+                    _l.debug("Skipping switch-case conversion due to too many cases for %s", real_cases[0])
+                    continue
+
+                # RULE 2: You only ever convert a Switch into if-stmts if at least one of the cases is not continuous.
+                # https://github.com/gcc-mirror/gcc/blob/f9a60d575f02822852aa22513c636be38f9c63ea/gcc/tree-switch-conversion.cc#L1960
+                #
+                # However, we need to also consider the case where the cases we are looking at are currently a smaller
+                # cluster split off a non-continuous cluster. In this case, we should still convert it to a switch-case
+                # iff a switch-case construct is present in the code.
+                is_all_continuous = max_continuous_cases == len(real_cases)
+                if is_all_continuous and self._switches_present_in_code == 0:
+                    _l.debug("Skipping switch-case conversion due to all cases being continuous for %s", real_cases[0])
+                    continue
+
+                # RULE 3: It is not a real cluster if there are not enough distinct cases.
+                # A distinct case is a case that has a different body of code.
+                distinct_cases = self._count_distinct_cases(real_cases)
+                if distinct_cases < self._min_distinct_cases and self._switches_present_in_code == 0:
+                    _l.debug("Skipping switch-case conversion due to too few distinct cases for %s", real_cases[0])
+                    continue
+
+                original_nodes = [case.original_node for case in real_cases]
                 original_head: Block = original_nodes[0]
                 original_nodes = original_nodes[1:]
                 existing_nodes_by_addr_and_idx = {(nn.addr, nn.idx): nn for nn in graph_copy}
@@ -221,7 +306,7 @@ class LoweredSwitchSimplifier(OptimizationPass):
                 # would result in a successor node no longer being present in the graph
                 if any(onode not in graph_copy for onode in original_nodes):
                     self.out_graph = None
-                    return
+                    return False
 
                 # add edges between the head and case nodes
                 for onode in original_nodes:
@@ -277,6 +362,8 @@ class LoweredSwitchSimplifier(OptimizationPass):
                         else:
                             graph_copy.add_edge(node_copy, succ)
 
+        return True
+
     def _find_cascading_switch_variable_comparisons(self):
         sorted_nodes = GraphUtils.quasi_topological_sort_nodes(self._graph)
         variable_comparisons = OrderedDict()