angr 9.2.135__py3-none-win_amd64.whl → 9.2.137__py3-none-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.135"
+__version__ = "9.2.137"
 
 if bytes is str:
     raise Exception(

angr/analyses/__init__.py

@@ -1,13 +1,7 @@
 # " pylint:disable=wrong-import-position
 from __future__ import annotations
 
-from .analysis import Analysis, AnalysesHub
-
-
-def register_analysis(cls, name):
-    AnalysesHub.register_default(name, cls)
-
-
+from .analysis import Analysis, AnalysesHub, register_analysis
 from .forward_analysis import ForwardAnalysis, visitors
 from .propagator import PropagatorAnalysis
 from .cfg import CFGFast, CFGEmulated, CFG, CFGArchOptions, CFGFastSoot
@@ -54,6 +48,7 @@ from .patchfinder import PatchFinderAnalysis
 from .pathfinder import Pathfinder
 from .smc import SelfModifyingCodeAnalysis
 from .unpacker import PackingDetector
+from .fcp import FastConstantPropagation
 from . import deobfuscator
 
 
@@ -85,6 +80,7 @@ __all__ = (
     "Disassembly",
     "DominanceFrontier",
     "FactCollector",
+    "FastConstantPropagation",
     "FlirtAnalysis",
     "ForwardAnalysis",
     "Identifier",

angr/analyses/analysis.py

@@ -409,3 +409,7 @@ class Analysis:
 
 default_analyses = VendorPreset()
 AnalysesHub.register_preset("default", default_analyses)
+
+
+def register_analysis(cls, name):
+    AnalysesHub.register_default(name, cls)

angr/analyses/backward_slice.py

@@ -6,6 +6,7 @@ import networkx
 import pyvex
 from . import Analysis
 
+from angr.analyses import AnalysesHub
 from angr.code_location import CodeLocation
 from angr.annocfg import AnnotatedCFG
 from angr.errors import AngrBackwardSlicingError
@@ -682,6 +683,4 @@ class BackwardSlice(Analysis):
         return cmp_stmt_id, cmp_tmp_id
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BackwardSlice", BackwardSlice)

angr/analyses/binary_optimizer.py

@@ -4,6 +4,7 @@ import re
 from typing import TYPE_CHECKING
 from collections import defaultdict
 
+from angr.analyses import AnalysesHub
 from angr.knowledge_base import KnowledgeBase
 from angr.codenode import HookNode
 from angr.sim_variable import SimConstantVariable, SimRegisterVariable, SimMemoryVariable, SimStackVariable
@@ -430,7 +431,7 @@ class BinaryOptimizer(Analysis):
 
         # find out all call instructions
         call_insns = set()
-        for src, dst, data in function.transition_graph.edges(data=True):
+        for src, _dst, data in function.transition_graph.edges(data=True):
             if "type" in data and data["type"] == "call":
                 src_block = function._get_block(src.addr)
                 call_insns.add(src_block.instruction_addrs[-1])
@@ -460,7 +461,7 @@ class BinaryOptimizer(Analysis):
         # make sure we never gets the address of those stack variables into any register
         # say, lea edx, [ebp-0x4] is forbidden
         # check all edges in data graph
-        for src, dst, data in data_graph.edges(data=True):
+        for src, dst in data_graph.edges():
             if (
                 isinstance(dst.variable, SimRegisterVariable)
                 and dst.variable.reg != ebp_offset
@@ -666,6 +667,4 @@ class BinaryOptimizer(Analysis):
                 self.dead_assignments.append(da)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BinaryOptimizer", BinaryOptimizer)

angr/analyses/bindiff.py

@@ -3,17 +3,17 @@ import logging
 import math
 import types
 from collections import deque, defaultdict
+from typing import TYPE_CHECKING
 
 import networkx
 
-from typing import TYPE_CHECKING
+from angr.analyses import AnalysesHub, Analysis, CFGEmulated
+from angr.errors import SimEngineError, SimMemoryError
+
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins import Function
 
-from . import Analysis, CFGEmulated
-
-from angr.errors import SimEngineError, SimMemoryError
 
 # todo include an explanation of the algorithm
 # todo include a method that detects any change other than constants
@@ -1234,6 +1234,4 @@ class BinDiff(Analysis):
         return matches
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BinDiff", BinDiff)

angr/analyses/boyscout.py

@@ -6,7 +6,7 @@ from collections import defaultdict
 from archinfo import all_arches
 from archinfo.arch_arm import is_arm_arch
 
-from . import Analysis
+from angr.analyses import AnalysesHub, Analysis
 
 
 l = logging.getLogger(name=__name__)
@@ -73,6 +73,4 @@ class BoyScout(Analysis):
         l.debug("The architecture should be %s with %s", self.arch, self.endianness)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BoyScout", BoyScout)

angr/analyses/callee_cleanup_finder.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
-from . import Analysis
-from angr import SIM_PROCEDURES
 
 import logging
 
+from angr import SIM_PROCEDURES
+from angr.analyses import AnalysesHub, Analysis
+
+
 l = logging.getLogger(name=__name__)
 
 
@@ -69,6 +71,4 @@ class CalleeCleanupFinder(Analysis):
         return None
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CalleeCleanupFinder", CalleeCleanupFinder)

angr/analyses/calling_convention/calling_convention.py

@@ -436,7 +436,8 @@ class CallingConventionAnalysis(Analysis):
             if caller.is_simprocedure or caller.is_alignment:
                 # do not analyze SimProcedures or alignment stubs
                 continue
-            call_sites_by_function[caller].append((src.addr, src.instruction_addrs[-1]))
+            if src.instruction_addrs:
+                call_sites_by_function[caller].append((src.addr, src.instruction_addrs[-1]))
 
         call_sites_by_function_list = sorted(call_sites_by_function.items(), key=lambda x: x[0].addr)[
             :max_analyzing_callsites
@@ -923,9 +924,10 @@ class CallingConventionAnalysis(Analysis):
         if not set(spilled_regs).issubset(set(allowed_spilled_regs)):
             return False, None
 
-        for i, reg in enumerate(allowed_spilled_regs):
-            if reg in spilled_regs:
-                break
+        i = next(
+            (i for i, reg in enumerate(allowed_spilled_regs) if reg in spilled_regs),
+            len(allowed_spilled_regs),
+        )
 
         return True, i
 

angr/analyses/calling_convention/fact_collector.py

@@ -276,13 +276,21 @@ class FactCollector(Analysis):
             call_succ, ret_succ = None, None
             for _, succ, data in func_graph.out_edges(node, data=True):
                 edge_type = data.get("type")
+                outside = data.get("outside", False)
                 if succ not in traversed and depth + 1 <= self._max_depth:
                     if edge_type == "fake_return":
                         ret_succ = succ
-                    elif edge_type == "transition":
+                    elif edge_type == "transition" and not outside:
                         successor_added = True
                         queue.append((depth + 1, state.copy(), succ, None))
-                    elif edge_type == "call":
+                    elif edge_type == "call" or (edge_type == "transition" and outside):
+                        # a call or a tail-call
+                        if not isinstance(succ, Function):
+                            if self.kb.functions.contains_addr(succ.addr):
+                                succ = self.kb.functions.get_by_addr(succ.addr)
+                            else:
+                                # not sure who we are calling
+                                continue
                         call_succ = succ
             if call_succ is not None:
                 successor_added = True
@@ -297,7 +305,6 @@ class FactCollector(Analysis):
         try:
             arg_locs = func.calling_convention.arg_locs(func.prototype)
         except (TypeError, ValueError):
-            func.prototype = None
             return
 
         if None in arg_locs:

angr/analyses/cdg.py

@@ -3,6 +3,7 @@ import logging
 
 import networkx
 
+from angr.analyses import AnalysesHub
 from angr.utils.graph import compute_dominance_frontier, PostDominators, TemporaryNode
 from . import Analysis
 
@@ -185,6 +186,4 @@ class CDG(Analysis):
                     _l.debug("%s is not in post dominator dict.", b2)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CDG", CDG)

angr/analyses/cfg/cfb.py

@@ -6,9 +6,9 @@ from collections.abc import Callable
 import cle
 from cle.backends.externs import KernelObject, ExternObject
 from cle.backends.tls.elf_tls import ELFTLSObject
-
 from sortedcontainers import SortedDict
 
+from angr.analyses import AnalysesHub
 from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort, MemoryData
 from angr.analyses.analysis import Analysis
 
@@ -424,7 +424,5 @@ class CFBlanket(Analysis):
                 addr = max_addr
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CFB", CFBlanket)
 AnalysesHub.register_default("CFBlanket", CFBlanket)

angr/analyses/cfg/cfg.py

@@ -1,6 +1,8 @@
 from __future__ import annotations
+
 import sys
 
+from angr.analyses import AnalysesHub
 from .cfg_fast import CFGFast
 
 
@@ -69,6 +71,4 @@ class CFG(CFGFast):  # pylint: disable=abstract-method
         CFGFast.__init__(self, **kwargs)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CFG", CFG)

angr/analyses/cfg/cfg_base.py

@@ -1570,13 +1570,13 @@ class CFGBase(Analysis):
         # TODO: Is it required that PLT stubs are always aligned by 16? If so, on what architectures and platforms is it
         # TODO:  enforced?
 
-        tmp_functions = self.kb.functions.copy()
+        tmp_functions = self.kb.functions
 
         for function in tmp_functions.values():
             function.mark_nonreturning_calls_endpoints()
             if function.returning is False:
                 # remove all FakeRet edges that are related to this function
-                func_node = self.model.get_any_node(function.addr)
+                func_node = self.model.get_any_node(function.addr, force_fastpath=True)
                 if func_node is not None:
                     callsite_nodes = [
                         src
@@ -1588,8 +1588,8 @@ class CFGBase(Analysis):
                             if data.get("jumpkind", None) == "Ijk_FakeRet":
                                 self.graph.remove_edge(callsite_node, dst)
 
-        # Clear old functions dict
-        self.kb.functions.clear()
+        # Clear old functions dict by creating a new function manager
+        self.kb.functions = FunctionManager(self.kb)
 
         blockaddr_to_function = {}
         traversed_cfg_nodes = set()
@@ -1602,7 +1602,7 @@ class CFGBase(Analysis):
             if jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
                 function_nodes.add(dst)
 
-        entry_node = self.model.get_any_node(self._binary.entry)
+        entry_node = self.model.get_any_node(self._binary.entry, force_fastpath=True)
         if entry_node is not None:
             function_nodes.add(entry_node)
 
@@ -1663,7 +1663,7 @@ class CFGBase(Analysis):
         secondary_function_nodes = set()
         # add all function chunks ("functions" that are not called from anywhere)
         for func_addr in tmp_functions:
-            node = self.model.get_any_node(func_addr)
+            node = self.model.get_any_node(func_addr, force_fastpath=True)
             if node is None:
                 continue
             if node.addr not in blockaddr_to_function:
@@ -1992,8 +1992,8 @@ class CFGBase(Analysis):
                 if not transition_found:
                     continue
 
-                cfgnode_0 = self.model.get_any_node(block_node.addr)
-                cfgnode_1 = self.model.get_any_node(addr_1)
+                cfgnode_0 = self.model.get_any_node(block_node.addr, force_fastpath=True)
+                cfgnode_1 = self.model.get_any_node(addr_1, force_fastpath=True)
 
                 if cfgnode_0 is None or cfgnode_1 is None:
                     continue
@@ -2089,7 +2089,7 @@ class CFGBase(Analysis):
                 continue
             if func_addr in jumptable_entries:
                 # is there any call edge pointing to it?
-                func_node = self.get_any_node(func_addr)
+                func_node = self.get_any_node(func_addr, force_fastpath=True)
                 if func_node is not None:
                     in_edges = self.graph.in_edges(func_node, data=True)
                     has_transition_pred = None
@@ -2128,7 +2128,7 @@ class CFGBase(Analysis):
         else:
             is_syscall = self.project.simos.is_syscall_addr(addr)
 
-            n = self.model.get_any_node(addr, is_syscall=is_syscall)
+            n = self.model.get_any_node(addr, is_syscall=is_syscall, force_fastpath=True)
             node = addr if n is None else self._to_snippet(n)
 
             if isinstance(addr, SootAddressDescriptor):
@@ -2304,7 +2304,7 @@ class CFGBase(Analysis):
         src_function = self._addr_to_function(src_addr, blockaddr_to_function, known_functions)
 
         if src_addr not in src_function.block_addrs_set:
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             node = src_addr if n is None else self._to_snippet(n)
             self.kb.functions._add_node(src_function.addr, node)
 
@@ -2315,7 +2315,7 @@ class CFGBase(Analysis):
         jumpkind = data["jumpkind"]
 
         if jumpkind == "Ijk_Ret":
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             from_node = src_addr if n is None else self._to_snippet(n)
             self.kb.functions._add_return_from(src_function.addr, from_node, None)
 
@@ -2334,7 +2334,7 @@ class CFGBase(Analysis):
             # It must be calling a function
             dst_function = self._addr_to_function(dst_addr, blockaddr_to_function, known_functions)
 
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             if n is None:
                 src_snippet = self._to_snippet(addr=src_addr, base_state=self._base_state)
             else:
@@ -2349,21 +2349,12 @@ class CFGBase(Analysis):
             else:
                 fakeret_node = self._one_fakeret_node(all_edges)
 
-            fakeret_snippet = None if fakeret_node is None else self._to_snippet(cfg_node=fakeret_node)
-
             if isinstance(dst_addr, SootAddressDescriptor):
                 dst_addr = dst_addr.method
 
-            self.kb.functions._add_call_to(
-                src_function.addr,
-                src_snippet,
-                dst_addr,
-                fakeret_snippet,
-                syscall=is_syscall,
-                ins_addr=ins_addr,
-                stmt_idx=stmt_idx,
-            )
-
+            # determining the returning target
+            return_to_outside = False
+            returning_snippet = None
             if dst_function.returning and fakeret_node is not None:
                 returning_target = src.addr + src.size
                 if returning_target not in blockaddr_to_function:
@@ -2372,9 +2363,9 @@ class CFGBase(Analysis):
                     else:
                         self._addr_to_function(returning_target, blockaddr_to_function, known_functions)
 
-                to_outside = blockaddr_to_function[returning_target] is not src_function
+                return_to_outside = blockaddr_to_function[returning_target] is not src_function
 
-                n = self.model.get_any_node(returning_target)
+                n = self.model.get_any_node(returning_target, force_fastpath=True)
                 if n is None:
                     try:
                         returning_snippet = self._to_snippet(addr=returning_target, base_state=self._base_state)
@@ -2384,17 +2375,28 @@ class CFGBase(Analysis):
                 else:
                     returning_snippet = self._to_snippet(cfg_node=n)
 
-                if returning_snippet is not None:
-                    self.kb.functions._add_fakeret_to(
-                        src_function.addr, src_snippet, returning_snippet, confirmed=True, to_outside=to_outside
-                    )
+            self.kb.functions._add_call_to(
+                src_function.addr,
+                src_snippet,
+                dst_addr,
+                retn_node=returning_snippet,
+                syscall=is_syscall,
+                ins_addr=ins_addr,
+                stmt_idx=stmt_idx,
+                return_to_outside=return_to_outside,
+            )
+
+            if returning_snippet is not None:
+                self.kb.functions._add_fakeret_to(
+                    src_function.addr, src_snippet, returning_snippet, confirmed=True, to_outside=return_to_outside
+                )
 
         elif jumpkind in ("Ijk_Boring", "Ijk_InvalICache", "Ijk_Exception"):
             # convert src_addr and dst_addr to CodeNodes
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             src_node = src_addr if n is None else self._to_snippet(cfg_node=n)
 
-            n = self.model.get_any_node(dst_addr)
+            n = self.model.get_any_node(dst_addr, force_fastpath=True)
             dst_node = dst_addr if n is None else self._to_snippet(cfg_node=n)
 
             if self._skip_unmapped_addrs:
@@ -2460,10 +2462,10 @@ class CFGBase(Analysis):
 
         elif jumpkind == "Ijk_FakeRet":
             # convert src_addr and dst_addr to CodeNodes
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             src_node = src_addr if n is None else self._to_snippet(n)
 
-            n = self.model.get_any_node(dst_addr)
+            n = self.model.get_any_node(dst_addr, force_fastpath=True)
             dst_node = dst_addr if n is None else self._to_snippet(n)
 
             if dst_addr not in blockaddr_to_function:
@@ -2518,18 +2520,17 @@ class CFGBase(Analysis):
     #
 
     @staticmethod
-    def _is_noop_block(arch: archinfo.Arch, block):
+    def _is_noop_block(arch: archinfo.Arch, block) -> bool:
         """
         Check if the block is a no-op block by checking VEX statements.
 
         :param arch:    An architecture descriptor.
         :param block: The VEX block instance.
         :return: True if the entire block is a single-byte or multi-byte nop instruction, False otherwise.
-        :rtype: bool
         """
 
         if arch.name == "X86" or arch.name == "AMD64":
-            if set(block.bytes) == {"b\x90"}:
+            if set(block.bytes) == {0x90}:
                 return True
         elif arch.name == "MIPS32":
             if arch.memory_endness == "Iend_BE":
@@ -2575,36 +2576,7 @@ class CFGBase(Analysis):
                 if THUMB_NOOPS.issuperset(insns):
                     return True
 
-        # Fallback
-        # the block is a noop block if it only has IMark statements **and** it jumps to its immediate successor. VEX
-        # will generate such blocks when opt_level==1 and cross_insn_opt is True
-        fallthrough_addr = block.addr + block.size
-        next_ = block.vex.next
-        if (
-            isinstance(next_, pyvex.IRExpr.Const)
-            and next_.con.value == fallthrough_addr
-            and all((type(stmt) is pyvex.IRStmt.IMark) for stmt in block.vex.statements)
-        ):
-            return True
-
-        # the block is a noop block if it only has IMark statements and IP-setting statements that set the IP to the
-        # next location. VEX will generate such blocks when opt_level==1 and cross_insn_opt is False
-        ip_offset = arch.ip_offset
-        if (
-            all(
-                (type(stmt) is pyvex.IRStmt.IMark or (type(stmt) is pyvex.IRStmt.Put and stmt.offset == ip_offset))
-                for stmt in block.vex.statements
-            )
-            and block.vex.statements
-        ):
-            last_stmt = block.vex.statements[-1]
-            if (
-                isinstance(last_stmt, pyvex.IRStmt.IMark)
-                and isinstance(next_, pyvex.IRExpr.Const)
-                and next_.con.value == fallthrough_addr
-            ):
-                return True
-        return False
+        return block.vex_nostmt.is_noop_block
 
     @staticmethod
     def _is_noop_insn(insn):

angr/analyses/cfg/cfg_emulated.py

@@ -2083,7 +2083,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         if src_node_key is None:
             if dst_node is None:
                 raise ValueError("Either src_node_key or dst_node_key must be specified.")
-            self.kb.functions.function(dst_node.function_address, create=True)._register_nodes(True, dst_codenode)
+            self.kb.functions.function(dst_node.function_address, create=True)._register_node(True, dst_codenode)
             return
 
         src_node = self._graph_get_node(src_node_key, terminator_for_nonexistent_node=True)
@@ -3208,109 +3208,6 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         # Update loop backedges and graph
         self._loop_back_edges = list(itertools.chain.from_iterable(loop.continue_edges for loop in loop_finder.loops))
 
-    # Private methods - function/procedure/subroutine analysis
-    # Including calling convention, function arguments, etc.
-
-    def _refine_function_arguments(self, func, callsites):
-        """
-
-        :param func:
-        :param callsites:
-        :return:
-        """
-
-        for i, c in enumerate(callsites):
-            # Execute one block ahead of the callsite, and execute one basic block after the callsite
-            # In this process, the following tasks are performed:
-            # - Record registers/stack variables that are modified
-            # - Record the change of the stack pointer
-            # - Check if the return value is used immediately
-            # We assume that the stack is balanced before and after the call (you can have caller clean-up of course).
-            # Any abnormal behaviors will be logged.
-            # Hopefully this approach will allow us to have a better understanding of parameters of those function
-            # stubs and function proxies.
-
-            if c.simprocedure_name is not None:
-                # Skip all SimProcedures
-                continue
-
-            l.debug("Refining %s at 0x%x (%d/%d).", repr(func), c.addr, i, len(callsites))
-
-            # Get a basic block ahead of the callsite
-            blocks_ahead = [c]
-
-            # the block after
-            blocks_after = []
-            successors = self.get_successors_and_jumpkind(c, excluding_fakeret=False)
-            for s, jk in successors:
-                if jk == "Ijk_FakeRet":
-                    blocks_after = [s]
-                    break
-
-            regs_overwritten = set()
-            stack_overwritten = set()
-            regs_read = set()
-            regs_written = set()
-
-            try:
-                # Execute the predecessor
-                path = self.project.factory.path(
-                    self.project.factory.blank_state(mode="fastpath", addr=blocks_ahead[0].addr)
-                )
-                path.step()
-                all_successors = path.next_run.successors + path.next_run.unsat_successors
-                if not all_successors:
-                    continue
-
-                suc = all_successors[0]
-                se = suc.solver
-                # Examine the path log
-                actions = suc.history.recent_actions
-                sp = se.eval_one(suc.regs.sp, default=0) + self.project.arch.call_sp_fix
-                for ac in actions:
-                    if ac.type == "reg" and ac.action == "write":
-                        regs_overwritten.add(ac.offset)
-                    elif ac.type == "mem" and ac.action == "write":
-                        addr = se.eval_one(ac.addr.ast, default=0)
-                        if (self.project.arch.call_pushes_ret and addr >= sp + self.project.arch.bytes) or (
-                            not self.project.arch.call_pushes_ret and addr >= sp
-                        ):
-                            offset = addr - sp
-                            stack_overwritten.add(offset)
-
-                func.prepared_registers.add(tuple(regs_overwritten))
-                func.prepared_stack_variables.add(tuple(stack_overwritten))
-
-            except (SimError, AngrError):
-                pass
-
-            try:
-                if blocks_after:
-                    path = self.project.factory.path(
-                        self.project.factory.blank_state(mode="fastpath", addr=blocks_after[0].addr)
-                    )
-                    path.step()
-                    all_successors = path.next_run.successors + path.next_run.unsat_successors
-                    if not all_successors:
-                        continue
-
-                    suc = all_successors[0]
-                    actions = suc.history.recent_actions
-                    for ac in actions:
-                        if ac.type == "reg" and ac.action == "read" and ac.offset not in regs_written:
-                            regs_read.add(ac.offset)
-                        elif ac.type == "reg" and ac.action == "write":
-                            regs_written.add(ac.offset)
-
-                    # Filter registers, remove unnecessary registers from the set
-                    # regs_overwritten = self.project.arch.argument_registers.intersection(regs_overwritten)
-                    regs_read = self.project.arch.argument_registers.intersection(regs_read)
-
-                    func.registers_read_afterwards.add(tuple(regs_read))
-
-            except (SimError, AngrError):
-                pass
-
     # Private methods - dominators and post-dominators
 
     def _immediate_dominators(self, node, target_graph=None, reverse_graph=False):