angr 9.2.140__py3-none-win_amd64.whl → 9.2.142__py3-none-win_amd64.whl

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from collections.abc import Iterable
 import logging
@@ -7,6 +8,7 @@ import ailment
 
 from angr.calling_conventions import SimRegArg
 from angr.code_location import CodeLocation
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -82,6 +84,14 @@ class RegisterSaveAreaSimplifier(OptimizationPass):
             # update it
             self._update_block(old_block, new_block)
 
+        if updated_blocks:
+            # update stack_items
+            for data in info.values():
+                for stack_offset, _ in data["stored"]:
+                    self.stack_items[stack_offset] = StackItem(
+                        stack_offset, self.project.arch.bytes, "regs", StackItemType.SAVED_REGS
+                    )
+
     def _find_registers_stored_on_stack(self) -> list[tuple[int, int, CodeLocation]]:
         first_block = self._get_block(self._func.addr)
         if first_block is None:
@@ -94,14 +104,26 @@ class RegisterSaveAreaSimplifier(OptimizationPass):
                 isinstance(stmt, ailment.Stmt.Store)
                 and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
                 and isinstance(stmt.addr.offset, int)
-                and isinstance(stmt.data, ailment.Expr.VirtualVariable)
-                and stmt.data.was_reg
             ):
-                # it's storing registers to the stack!
-                stack_offset = stmt.addr.offset
-                reg_offset = stmt.data.reg_offset
-                codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
-                results.append((reg_offset, stack_offset, codeloc))
+                if isinstance(stmt.data, ailment.Expr.VirtualVariable) and stmt.data.was_reg:
+                    # it's storing registers to the stack!
+                    stack_offset = stmt.addr.offset
+                    reg_offset = stmt.data.reg_offset
+                    codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
+                    results.append((reg_offset, stack_offset, codeloc))
+                elif (
+                    self.project.arch.name == "AMD64"
+                    and isinstance(stmt.data, ailment.Expr.Convert)
+                    and isinstance(stmt.data.operand, ailment.Expr.VirtualVariable)
+                    and stmt.data.operand.was_reg
+                    and stmt.data.from_bits == 256
+                    and stmt.data.to_bits == 128
+                ):
+                    # storing xmm registers to the stack
+                    stack_offset = stmt.addr.offset
+                    reg_offset = stmt.data.operand.reg_offset
+                    codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
+                    results.append((reg_offset, stack_offset, codeloc))
 
         return results
 

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -34,13 +34,23 @@ class FreshVirtualVariableRewriter(AILBlockWalker):
     def _handle_Assignment(self, stmt_idx: int, stmt: Assignment, block: Block | None):
         new_stmt = super()._handle_Assignment(stmt_idx, stmt, block)
         dst = new_stmt.dst if new_stmt is not None else stmt.dst
+        src = new_stmt.src if new_stmt is not None else stmt.src
         if isinstance(dst, VirtualVariable):
             self.vvar_mapping[dst.varid] = self.vvar_idx
             self.vvar_idx += 1
 
-            dst = VirtualVariable(dst.idx, self.vvar_mapping[dst.varid], dst.bits, dst.category, dst.oident, **dst.tags)
+            dst = VirtualVariable(
+                dst.idx,
+                self.vvar_mapping[dst.varid],
+                dst.bits,
+                dst.category,
+                dst.oident,
+                variable=dst.variable,
+                variable_offset=dst.variable_offset,
+                **dst.tags,
+            )
 
-            return Assignment(stmt.idx, dst, stmt.src, **stmt.tags)
+            return Assignment(stmt.idx, dst, src, **stmt.tags)
 
         return new_stmt
 
@@ -133,14 +143,27 @@ class ReturnDuplicatorBase:
         self._supergraph = to_ail_supergraph(graph)
         for region_head, (in_edges, region) in endnode_regions.items():
             is_single_const_ret_region = self._is_simple_return_graph(region)
+            dup_pred_nodes = []
+            # duplicate the entire region if at least (N-2) in-edges for the region head is deemed should be duplicated.
+            # otherwise we only duplicate the edges that should be duplicated
             for in_edge in in_edges:
                 pred_node = in_edge[0]
                 if self._should_duplicate_dst(
                     pred_node, region_head, graph, dst_is_const_ret=is_single_const_ret_region
                 ):
+                    dup_pred_nodes.append(pred_node)
+
+            dup_count = len(dup_pred_nodes)
+            dup_all = dup_count >= len(in_edges) - 2 > 0
+            if dup_all:
+                for pred_node in sorted((in_edge[0] for in_edge in in_edges), key=lambda x: x.addr):
                     # every eligible pred gets a new region copy
                     self._copy_region([pred_node], region_head, region, graph)
                     graph_changed = True
+            else:
+                for pred_node in dup_pred_nodes:
+                    self._copy_region([pred_node], region_head, region, graph)
+                    graph_changed = True
 
             if region_head in graph and graph.in_degree(region_head) == 0:
                 graph.remove_nodes_from(region)
@@ -199,10 +222,10 @@ class ReturnDuplicatorBase:
 
         return end_node_regions
 
-    def _copy_region(self, pred_nodes, region_head, region, graph):
+    def _copy_region(self, pred_nodes: list[Block], region_head, region, graph):
         # copy the entire return region
         copies: dict[Block, Block] = {}
-        queue = [(pred_node, region_head) for pred_node in pred_nodes]
+        queue: list[tuple[Block, Block]] = [(pred_node, region_head) for pred_node in pred_nodes]
         vvar_mapping: dict[int, int] = {}
         while queue:
             pred, node = queue.pop(0)
@@ -224,12 +247,33 @@ class ReturnDuplicatorBase:
                 last_stmt = ConditionProcessor.get_last_statement(pred)
                 if isinstance(last_stmt, Jump):
                     if isinstance(last_stmt.target, Const) and last_stmt.target.value == node_copy.addr:
-                        last_stmt.target_idx = node_copy.idx
+                        updated_last_stmt = Jump(
+                            last_stmt.idx, last_stmt.target, target_idx=node_copy.idx, **last_stmt.tags
+                        )
+                        pred.statements[-1] = updated_last_stmt
                 elif isinstance(last_stmt, ConditionalJump):
                     if isinstance(last_stmt.true_target, Const) and last_stmt.true_target.value == node_copy.addr:
-                        last_stmt.true_target_idx = node_copy.idx
+                        updated_last_stmt = ConditionalJump(
+                            last_stmt.idx,
+                            last_stmt.condition,
+                            last_stmt.true_target,
+                            last_stmt.false_target,
+                            true_target_idx=node_copy.idx,
+                            false_target_idx=last_stmt.false_target_idx,
+                            **last_stmt.tags,
+                        )
+                        pred.statements[-1] = updated_last_stmt
                     elif isinstance(last_stmt.false_target, Const) and last_stmt.false_target.value == node_copy.addr:
-                        last_stmt.false_target_idx = node_copy.idx
+                        updated_last_stmt = ConditionalJump(
+                            last_stmt.idx,
+                            last_stmt.condition,
+                            last_stmt.true_target,
+                            last_stmt.false_target,
+                            true_target_idx=last_stmt.true_target_idx,
+                            false_target_idx=node_copy.idx,
+                            **last_stmt.tags,
+                        )
+                        pred.statements[-1] = updated_last_stmt
             except EmptyBlockNotice:
                 pass
 

angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py

@@ -6,6 +6,7 @@ import logging
 import ailment
 
 from angr.utils.bits import s2u
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -168,6 +169,11 @@ class StackCanarySimplifier(OptimizationPass):
             first_block_copy.statements.pop(stmt_idx)
             self._update_block(first_block, first_block_copy)
 
+            # update stack_items
+            self.stack_items[store_offset] = StackItem(
+                store_offset, canary_init_stmt.dst.size, "canary", StackItemType.STACK_CANARY
+            )
+
         # Done!
 
     def _find_canary_init_stmt(self):

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -7,6 +7,7 @@ import ailment
 import cle
 
 from angr.utils.funcid import is_function_security_check_cookie
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -62,7 +63,9 @@ class WinStackCanarySimplifier(OptimizationPass):
         first_block, canary_init_stmt_ids = init_stmts
         canary_init_stmt = first_block.statements[canary_init_stmt_ids[-1]]
         # where is the stack canary stored?
-        if not isinstance(canary_init_stmt.addr, ailment.Expr.StackBaseOffset):
+        if not isinstance(canary_init_stmt, ailment.Stmt.Store) or not isinstance(
+            canary_init_stmt.addr, ailment.Expr.StackBaseOffset
+        ):
             _l.debug(
                 "Unsupported canary storing location %s. Expects an ailment.Expr.StackBaseOffset.",
                 canary_init_stmt.addr,
@@ -143,6 +146,11 @@ class WinStackCanarySimplifier(OptimizationPass):
                 first_block_copy.statements.pop(stmt_idx)
             self._update_block(first_block, first_block_copy)
 
+            # update stack_items
+            self.stack_items[store_offset] = StackItem(
+                store_offset, canary_init_stmt.size, "canary", StackItemType.STACK_CANARY
+            )
+
     def _find_canary_init_stmt(self):
         first_block = self._get_block(self._func.addr)
         if first_block is None:

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -29,7 +29,12 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
     @staticmethod
     def _optimize_binaryop(expr: BinaryOp):
         if expr.op == "Add":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            if (
+                isinstance(expr.operands[0], Const)
+                and isinstance(expr.operands[0].value, int)
+                and isinstance(expr.operands[1], Const)
+                and isinstance(expr.operands[1].value, int)
+            ):
                 mask = (1 << expr.bits) - 1
                 return Const(
                     expr.idx, None, (expr.operands[0].value + expr.operands[1].value) & mask, expr.bits, **expr.tags
@@ -99,13 +104,19 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                     new_const = Const(const1.idx, None, const1.value + 1, const1.bits, **const1.tags)
                     return BinaryOp(expr.idx, "Mul", [x1, new_const], expr.signed, **expr.tags)
             elif op0_is_mulconst and op1_is_mulconst:
+                assert x0 is not None and x1 is not None and const0 is not None and const1 is not None
                 if x0.likes(x1):
                     # x * A + x * B => (A + B) * x
                     new_const = Const(const0.idx, None, const0.value + const1.value, const0.bits, **const0.tags)
                     return BinaryOp(expr.idx, "Mul", [x0, new_const], expr.signed, **expr.tags)
 
         elif expr.op == "Sub":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            if (
+                isinstance(expr.operands[0], Const)
+                and isinstance(expr.operands[0].value, int)
+                and isinstance(expr.operands[1], Const)
+                and isinstance(expr.operands[1].value, int)
+            ):
                 mask = (1 << expr.bits) - 1
                 return Const(
                     expr.idx, None, (expr.operands[0].value - expr.operands[1].value) & mask, expr.bits, **expr.tags
@@ -138,12 +149,19 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 return UnaryOp(expr.idx, "Neg", expr.operands[1], **expr.tags)
 
             if isinstance(expr.operands[0], StackBaseOffset) and isinstance(expr.operands[1], StackBaseOffset):
+                assert isinstance(expr.operands[0].offset, int) and isinstance(expr.operands[1].offset, int)
                 return Const(expr.idx, None, expr.operands[0].offset - expr.operands[1].offset, expr.bits, **expr.tags)
 
         elif expr.op == "And":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
-                return Const(expr.idx, None, (expr.operands[0].value & expr.operands[1].value), expr.bits, **expr.tags)
-            if isinstance(expr.operands[1], Const) and expr.operands[1].value == 0:
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+            ):
+                return Const(expr.idx, None, (op0.value & op1.value), expr.bits, **expr.tags)
+            if isinstance(op1, Const) and op1.value == 0:
                 return Const(expr.idx, None, 0, expr.bits, **expr.tags)
 
         elif expr.op == "Mul":
@@ -156,6 +174,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 and isinstance(expr.operands[1], Const)
                 and expr.operands[1].is_int
             ):
+                assert isinstance(expr.operands[0].value, int) and isinstance(expr.operands[1].value, int)
                 # constant multiplication
                 mask = (1 << expr.bits) - 1
                 return Const(
@@ -235,7 +254,13 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                 return Const(expr0.idx, None, (const_a << expr1.value) & mask, expr0.bits, **expr0.tags)
 
         elif expr.op == "Or":
-            if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+            ):
                 return Const(expr.idx, None, expr.operands[0].value | expr.operands[1].value, expr.bits, **expr.tags)
             if isinstance(expr.operands[0], Const) and expr.operands[0].value == 0:
                 return expr.operands[1]
@@ -248,6 +273,16 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             if expr.operands[0].likes(expr.operands[1]):
                 return expr.operands[0]
 
+        elif expr.op == "Xor":
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+            ):
+                return Const(expr.idx, None, expr.operands[0].value ^ expr.operands[1].value, expr.bits, **expr.tags)
+
         elif expr.op in {"CmpEQ", "CmpLE", "CmpGE"}:
             if expr.operands[0].likes(expr.operands[1]):
                 # x == x => 1
@@ -288,7 +323,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
 
     @staticmethod
     def _optimize_unaryop(expr: UnaryOp):
-        if expr.op == "Neg" and isinstance(expr.operand, Const):
+        if expr.op == "Neg" and isinstance(expr.operand, Const) and isinstance(expr.operand.value, int):
             const_a = expr.operand.value
             mask = (2**expr.bits) - 1
             return Const(expr.idx, None, (~const_a) & mask, expr.bits, **expr.tags)
@@ -304,6 +339,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             and expr.to_type == Convert.TYPE_INT
             and expr.from_bits > expr.to_bits
         ):
+            assert isinstance(expr.operand.value, int)
             # truncation
             mask = (1 << expr.to_bits) - 1
             v = expr.operand.value & mask
@@ -315,6 +351,7 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             and expr.to_type == Convert.TYPE_INT
             and expr.from_bits <= expr.to_bits
         ):
+            assert isinstance(expr.operand.value, int)
             if expr.is_signed is False:
                 # unsigned extension
                 return Const(expr.idx, expr.operand.variable, expr.operand.value, expr.to_bits, **expr.operand.tags)

angr/analyses/decompiler/region_identifier.py

@@ -11,7 +11,8 @@ from ailment.statement import ConditionalJump, Jump
 from ailment.expression import Const
 
 from angr.utils.graph import GraphUtils
-from angr.utils.graph import dfs_back_edges, subgraph_between_nodes, dominates, shallow_reverse
+from angr.utils.graph import dfs_back_edges, subgraph_between_nodes, dominates
+from angr.utils.doms import IncrementalDominators
 from angr.errors import AngrRuntimeError
 from angr.analyses import Analysis, register_analysis
 from .structuring.structurer_nodes import MultiNode, ConditionNode, IncompleteSwitchCaseHeadStatement
@@ -106,7 +107,7 @@ class RegionIdentifier(Analysis):
         # make regions into block address lists
         self.regions_by_block_addrs = self._make_regions_by_block_addrs()
 
-    def _make_regions_by_block_addrs(self) -> list[list[int]]:
+    def _make_regions_by_block_addrs(self) -> list[list[tuple[int, int | None]]]:
         """
         Creates a list of addr lists representing each region without recursion. A single region is defined
         as a set of only blocks, no Graphs containing nested regions. The list contains the address of each
@@ -115,22 +116,24 @@ class RegionIdentifier(Analysis):
         @return: List of addr lists
         """
 
-        work_list = [self.region]
+        work_list: list[GraphRegion] = [self.region]  #  type: ignore
         block_only_regions = []
         seen_regions = set()
         while work_list:
-            children_regions = []
+            children_regions: list[GraphRegion] = []
             for region in work_list:
                 children_blocks = []
                 for node in region.graph.nodes:
                     if isinstance(node, Block):
-                        children_blocks.append(node.addr)
+                        children_blocks.append((node.addr, node.idx))
                     elif isinstance(node, MultiNode):
-                        children_blocks += [n.addr for n in node.nodes]
+                        children_blocks += [(n.addr, node.idx) for n in node.nodes]
                     elif isinstance(node, GraphRegion):
                         if node not in seen_regions:
                             children_regions.append(node)
-                            children_blocks.append(node.head.addr)
+                            children_blocks.append(
+                                (node.head.addr, node.head.idx if hasattr(node.head, "idx") else None)
+                            )
                             seen_regions.add(node)
                     else:
                         continue
@@ -232,7 +235,7 @@ class RegionIdentifier(Analysis):
                 break
 
     def _find_loop_headers(self, graph: networkx.DiGraph) -> list:
-        heads = {t for _, t in dfs_back_edges(graph, self._start_node)}
+        heads = list({t for _, t in dfs_back_edges(graph, self._start_node)})
         return GraphUtils.quasi_topological_sort_nodes(graph, heads)
 
     def _find_initial_loop_nodes(self, graph: networkx.DiGraph, head):
@@ -390,7 +393,7 @@ class RegionIdentifier(Analysis):
 
         while True:
             for node in networkx.dfs_postorder_nodes(graph):
-                preds = graph.predecessors(node)
+                preds = list(graph.predecessors(node))
                 if len(preds) == 1:
                     # merge the two nodes
                     self._absorb_node(graph, preds[0], node)
@@ -471,7 +474,7 @@ class RegionIdentifier(Analysis):
             head = next(iter(n for n in subgraph.nodes() if n.addr == head.addr))
             region.head = head
 
-        if len(graph.nodes()) == 1 and isinstance(next(iter(graph.nodes())), GraphRegion):
+        if len(graph) == 1 and isinstance(next(iter(graph.nodes())), GraphRegion):
             return next(iter(graph.nodes()))
         # create a large graph region
         new_head = self._get_start_node(graph)
@@ -489,6 +492,7 @@ class RegionIdentifier(Analysis):
         l.debug("Initial loop nodes %s", self._dbg_block_list(initial_loop_nodes))
 
         # Make sure no other loops are contained in the current loop
+        assert self._loop_headers is not None
         if {n for n in initial_loop_nodes if n.addr != head.addr}.intersection(self._loop_headers):
             return None
 
@@ -533,7 +537,7 @@ class RegionIdentifier(Analysis):
         region = self._abstract_cyclic_region(
             graph, refined_loop_nodes, head, normal_entries, abnormal_entries, normal_exit_node, abnormal_exit_nodes
         )
-        if len(region.successors) > 1 and self._force_loop_single_exit:
+        if region.successors is not None and len(region.successors) > 1 and self._force_loop_single_exit:
             # multi-successor region. refinement is required
             self._refine_loop_successors_to_guarded_successors(region, graph)
 
@@ -703,23 +707,20 @@ class RegionIdentifier(Analysis):
         else:
             dummy_endnode = None
 
-        # compute dominator tree
-        doms = networkx.immediate_dominators(graph_copy, head)
-
-        # compute post-dominator tree
-        inverted_graph = shallow_reverse(graph_copy)
-        postdoms = networkx.immediate_dominators(inverted_graph, endnodes[0])
-
-        # dominance frontiers
-        df = networkx.algorithms.dominance_frontiers(graph_copy, head)
+        # dominators and post-dominators, computed incrementally
+        doms = IncrementalDominators(graph_copy, head)
+        postdoms = IncrementalDominators(graph_copy, endnodes[0], post=True)
 
         # visit the nodes in post-order
-        for node in networkx.dfs_postorder_nodes(graph_copy, source=head):
+        region_created = False
+        for node in list(networkx.dfs_postorder_nodes(graph_copy, source=head)):
             if node is dummy_endnode:
                 # skip the dummy endnode
                 continue
             if cyclic and node is head:
                 continue
+            if node not in graph_copy:
+                continue
 
             out_degree = graph_copy.out_degree[node]
             if out_degree == 0:
@@ -738,10 +739,10 @@ class RegionIdentifier(Analysis):
 
             # test if this node is an entry to a single-entry, single-successor region
             levels = 0
-            postdom_node = postdoms.get(node, None)
+            postdom_node = postdoms.idom(node)
             while postdom_node is not None:
                 if (node, postdom_node) not in failed_region_attempts and self._check_region(
-                    graph_copy, node, postdom_node, doms, df
+                    graph_copy, node, postdom_node, doms
                 ):
                     frontier = [postdom_node]
                     region = self._compute_region(
@@ -750,6 +751,8 @@ class RegionIdentifier(Analysis):
                     if region is not None:
                         # update region.graph_with_successors
                         if secondary_graph is not None:
+                            assert region.graph_with_successors is not None
+                            assert region.successors is not None
                             if self._complete_successors:
                                 for nn in list(region.graph_with_successors.nodes):
                                     original_successors = secondary_graph.successors(nn)
@@ -780,52 +783,75 @@ class RegionIdentifier(Analysis):
                             graph, region, frontier, dummy_endnode=dummy_endnode, secondary_graph=secondary_graph
                         )
                         # assert dummy_endnode not in graph
-                        return True
+                        region_created = True
+                        # we created a new region to replace one or more nodes in the graph.
+                        replaced_nodes = set(region.graph)
+                        # update graph_copy; doms and postdoms are updated as well because they hold references to
+                        # graph_copy internally.
+                        if graph_copy is not graph:
+                            self._update_graph(graph_copy, region, replaced_nodes)
+                        doms.graph_updated(region, replaced_nodes, region.head)
+                        postdoms.graph_updated(region, replaced_nodes, region.head)
+                        # break out of the inner loop
+                        break
 
                 failed_region_attempts.add((node, postdom_node))
-                if not dominates(doms, node, postdom_node):
+                if not doms.dominates(node, postdom_node):
                     break
-                if postdom_node is postdoms.get(postdom_node, None):
+                if postdom_node is postdoms.idom(postdom_node):
                     break
-                postdom_node = postdoms.get(postdom_node, None)
+                postdom_node = postdoms.idom(postdom_node)
                 levels += 1
             # l.debug("Walked back %d levels in postdom tree and did not find anything for %r. Next.", levels, node)
 
-        return False
+        return region_created
 
     @staticmethod
-    def _check_region(graph, start_node, end_node, doms, df):
-        """
+    def _update_graph(graph: networkx.DiGraph, new_region, replaced_nodes: set) -> None:
+        region_in_edges = RegionIdentifier._region_in_edges(graph, new_region, data=True)
+        region_out_edges = RegionIdentifier._region_out_edges(graph, new_region, data=True)
+        for node in replaced_nodes:
+            graph.remove_node(node)
+        graph.add_node(new_region)
+        for src, _, data in region_in_edges:
+            graph.add_edge(src, new_region, **data)
+        for _, dst, data in region_out_edges:
+            graph.add_edge(new_region, dst, **data)
 
-        :param graph:
-        :param start_node:
-        :param end_node:
-        :param doms:
-        :param df:
-        :return:
+    @staticmethod
+    def _check_region(graph, start_node, end_node, doms) -> bool:
+        """
+        Determine the graph slice between start_node and end_node forms a good region.
         """
 
         # if the exit node is the header of a loop that contains the start node, the dominance frontier should only
         # contain the exit node.
-        if not dominates(doms, start_node, end_node):
-            frontier = df.get(start_node, set())
-            for node in frontier:
+        start_node_frontier = None
+        end_node_frontier = None
+
+        if not doms.dominates(start_node, end_node):
+            start_node_frontier = doms.df(start_node)
+            for node in start_node_frontier:
                 if node is not start_node and node is not end_node:
                     return False
 
         # no edges should enter the region.
-        for node in df.get(end_node, set()):
-            if dominates(doms, start_node, node) and node is not end_node:
+        end_node_frontier = doms.df(end_node)
+        for node in end_node_frontier:
+            if doms.dominates(start_node, node) and node is not end_node:
                 return False
 
+        if start_node_frontier is None:
+            start_node_frontier = doms.df(start_node)
+
         # no edges should leave the region.
-        for node in df.get(start_node, set()):
+        for node in start_node_frontier:
             if node is start_node or node is end_node:
                 continue
-            if node not in df.get(end_node, set()):
+            if node not in end_node_frontier:
                 return False
             for pred in graph.predecessors(node):
-                if dominates(doms, start_node, pred) and not dominates(doms, end_node, pred):
+                if doms.dominates(start_node, pred) and not doms.dominates(end_node, pred):
                     return False
 
         return True
@@ -976,14 +1002,13 @@ class RegionIdentifier(Analysis):
             subgraph_with_exits.add_edge(src, dst)
         region.graph = subgraph
         region.graph_with_successors = subgraph_with_exits
-        if normal_exit_node is not None:
-            region.successors = [normal_exit_node]
-        else:
-            region.successors = []
-        region.successors += list(abnormal_exit_nodes)
+        succs = [normal_exit_node] if normal_exit_node is not None else []
+        succs += list(abnormal_exit_nodes)
+        succs = sorted(set(succs), key=lambda x: x.addr)
+        region.successors = set(succs)
 
-        for succ_0 in region.successors:
-            for succ_1 in region.successors:
+        for succ_0 in succs:
+            for succ_1 in succs:
                 if succ_0 is not succ_1 and graph.has_edge(succ_0, succ_1):
                     region.graph_with_successors.add_edge(succ_0, succ_1)