svf-tools 1.0.1193 → 1.0.1195

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1193",
+  "version": "1.0.1195",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Core/AbstractState.h

@@ -114,7 +114,7 @@ public:
     /// Return the internal index if addr is an address otherwise return the value of idx
     inline u32_t getIDFromAddr(u32_t addr)
     {
-        return _freedAddrs.count(addr) ?  AddressValue::getInternalID(InvalidMemAddr) : AddressValue::getInternalID(addr);
+        return _freedAddrs.count(addr) ?  AddressValue::getInternalID(BlackHoleObjAddr) : AddressValue::getInternalID(addr);
     }
 
     AbstractState&operator=(const AbstractState&rhs)
@@ -187,9 +187,9 @@ public:
         return addr == NullMemAddr;
     }
 
-    static inline bool isInvalidMem(u32_t addr)
+    static inline bool isBlackHoleObjAddr(u32_t addr)
     {
-        return addr == InvalidMemAddr;
+        return addr == BlackHoleObjAddr;
     }
 
 

package/svf/include/AE/Core/AddressValue.h

@@ -32,8 +32,8 @@
 
 #define AddressMask 0x7f000000
 #define FlippedAddressMask (AddressMask^0xffffffff)
-// the address of InvalidMem(the black hole), getVirtualMemAddress(2);
-#define InvalidMemAddr 0x7f000000 + 2
+// the address of BlackHole object, getVirtualMemAddress(2);
+#define BlackHoleObjAddr 0x7f000000 + 2
 // the address of NullMem, getVirtualMemAddress(0);
 #define NullMemAddr 0x7f000000
 

package/svf/include/AE/Svfexe/AbsExtAPI.h

@@ -74,43 +74,23 @@ public:
      */
     void handleExtAPI(const CallICFGNode *call);
 
-    /**
-     * @brief Handles the strcpy API call.
-     * @param call Pointer to the call ICFG node.
-     */
-    void handleStrcpy(const CallICFGNode *call);
+    // --- Shared primitives used by string/memory handlers ---
 
-    /**
-     * @brief Calculates the length of a string.
-     * @param as Reference to the abstract state.
-     * @param strValue Pointer to the SVF variable representing the string.
-     * @return The interval value representing the string length.
-     */
+    /// Get the byte size of each element for a pointer/array variable.
+    u32_t getElementSize(AbstractState& as, const SVFVar* var);
+
+    /// Check if an interval length is usable (not bottom, not unbounded).
+    static bool isValidLength(const IntervalValue& len);
+
+    /// Calculate the length of a null-terminated string in abstract state.
     IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue);
 
-    /**
-     * @brief Handles the strcat API call.
-     * @param call Pointer to the call ICFG node.
-     */
-    void handleStrcat(const SVF::CallICFGNode *call);
+    // --- String/memory operation handlers ---
 
-    /**
-     * @brief Handles the memcpy API call.
-     * @param as Reference to the abstract state.
-     * @param dst Pointer to the destination SVF variable.
-     * @param src Pointer to the source SVF variable.
-     * @param len The interval value representing the length to copy.
-     * @param start_idx The starting index for copying.
-     */
+    void handleStrcpy(const CallICFGNode *call);
+    void handleStrcat(const CallICFGNode *call);
+    void handleStrncat(const CallICFGNode *call);
     void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx);
-
-    /**
-     * @brief Handles the memset API call.
-     * @param as Reference to the abstract state.
-     * @param dst Pointer to the destination SVF variable.
-     * @param elem The interval value representing the element to set.
-     * @param len The interval value representing the length to set.
-     */
     void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len);
 
     /**

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -36,6 +36,8 @@
 #include "Util/SVFBugReport.h"
 #include "Util/SVFStat.h"
 #include "Graphs/SCC.h"
+#include "Graphs/CallGraph.h"
+#include <deque>
 
 namespace SVF
 {
@@ -144,6 +146,13 @@ public:
     /// Program entry
     void analyse();
 
+    /// Analyze all entry points (functions without callers)
+    void analyzeFromAllProgEntries();
+
+    /// Get all entry point functions (functions without callers)
+    std::deque<const FunObjVar*> collectProgEntryFuns();
+
+
     static AbstractInterpretation& getAEInstance()
     {
         static AbstractInterpretation instance;
@@ -218,14 +227,14 @@ private:
      *
      * @param cycle WTOCycle which has weak topo order of basic blocks and nested cycles
      */
-    virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle);
+    virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller = nullptr);
 
     /**
      * Handle a function using worklist algorithm
      *
      * @param funEntry The entry node of the function to handle
      */
-    void handleFunction(const ICFGNode* funEntry);
+    void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller = nullptr);
 
     /**
      * Handle an ICFG node by merging states and processing statements
@@ -322,9 +331,9 @@ private:
     AEAPI* api{nullptr};
 
     ICFG* icfg;
+    CallGraph* callGraph;
     AEStat* stat;
 
-    std::vector<const CallICFGNode*> callSiteStack;
     Map<const FunObjVar*, const ICFGWTO*> funcToWTO;
     Set<std::pair<const CallICFGNode*, NodeID>> nonRecursiveCallSites;
     Set<const FunObjVar*> recursiveFuns;
@@ -358,6 +367,7 @@ private:
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
 
     Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states immediately after nodes
+    Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -367,7 +367,7 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::Add
                 }
                 else
                 {
-                    assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
+                    assert(AbstractState::isBlackHoleObjAddr(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
         }
@@ -398,7 +398,7 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::Add
                 }
                 else
                 {
-                    assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
+                    assert(AbstractState::isBlackHoleObjAddr(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
         }
@@ -479,7 +479,23 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     SVFIR* svfir = PAG::getPAG();
     NodeID value_id = value->getId();
 
-    assert(as[value_id].isAddr());
+    // Lazy initialization for uninitialized pointer parameters in multi-entry analysis.
+    // When analyzing a function as an entry point (e.g., not called from main),
+    // pointer parameters may not have been initialized via AddrStmt.
+    //
+    // Example:
+    //   void process_buffer(char* buf, int len) {
+    //       buf[0] = 'a';  // accessing buf
+    //   }
+    // When analyzing process_buffer as an entry point, 'buf' is a function parameter
+    // with no AddrStmt, so it has no address information in the abstract state.
+    // We lazily initialize it to point to the black hole object (BlkPtr), representing
+    // an unknown but valid memory location. This allows the analysis to continue
+    // while being conservatively sound.
+    if (!as[value_id].isAddr())
+    {
+        as[value_id] = AddressValue(BlackHoleObjAddr);
+    }
     for (const auto& addr : as[value_id].getAddrs())
     {
         NodeID objId = as.getIDFromAddr(addr);
@@ -687,7 +703,7 @@ bool NullptrDerefDetector::canSafelyDerefPtr(AbstractState& as, const SVFVar* va
     for (const auto &addr: AbsVal.getAddrs())
     {
         // if the addr itself is invalid mem, report unsafe
-        if (AbstractState::isInvalidMem(addr))
+        if (AbstractState::isBlackHoleObjAddr(addr))
             return false;
         // if nullptr is detected, return unsafe
         else if (AbstractState::isNullMem(addr))

package/svf/lib/AE/Svfexe/AbsExtAPI.cpp

@@ -272,60 +272,19 @@ void AbsExtAPI::initExtFunMap()
 
     auto sse_strlen = [&](const CallICFGNode *callNode)
     {
-        // check the arg size
         if (callNode->arg_size() < 1) return;
-        const SVFVar* strValue = callNode->getArgument(0);
         AbstractState& as = getAbsStateFromTrace(callNode);
-        NodeID value_id = strValue->getId();
         u32_t lhsId = callNode->getRetICFGNode()->getActualRet()->getId();
-        u32_t dst_size = 0;
-        for (const auto& addr : as[value_id].getAddrs())
-        {
-            NodeID objId = as.getIDFromAddr(addr);
-            if (svfir->getBaseObject(objId)->isConstantByteSize())
-            {
-                dst_size = svfir->getBaseObject(objId)->getByteSizeOfObj();
-            }
-            else
-            {
-                const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
-                for (const SVFStmt* stmt2: addrNode->getSVFStmts())
-                {
-                    if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
-                    {
-                        dst_size = as.getAllocaInstByteSize(addrStmt);
-                    }
-                }
-            }
-        }
-        u32_t len = 0;
-        NodeID dstid = strValue->getId();
-        if (as.inVarToAddrsTable(dstid))
-        {
-            for (u32_t index = 0; index < dst_size; index++)
-            {
-                AbstractValue expr0 =
-                    as.getGepObjAddrs(dstid, IntervalValue(index));
-                AbstractValue val;
-                for (const auto &addr: expr0.getAddrs())
-                {
-                    val.join_with(as.load(addr));
-                }
-                if (val.getInterval().is_numeral() && (char) val.getInterval().getIntNumeral() == '\0')
-                {
-                    break;
-                }
-                ++len;
-            }
-        }
-        if (len == 0)
-        {
-            as[lhsId] = IntervalValue((s64_t)0, (s64_t)Options::MaxFieldLimit());
-        }
+        // strlen/wcslen return the number of characters (not bytes).
+        // getStrlen returns byte-scaled length (len * elemSize) for use
+        // by memcpy/strcpy. Here we need the raw character count, so
+        // divide back by elemSize.
+        IntervalValue byteLen = getStrlen(as, callNode->getArgument(0));
+        u32_t elemSize = getElementSize(as, callNode->getArgument(0));
+        if (byteLen.is_numeral() && elemSize > 1)
+            as[lhsId] = IntervalValue(byteLen.getIntNumeral() / (s64_t)elemSize);
         else
-        {
-            as[lhsId] = IntervalValue(len);
-        }
+            as[lhsId] = byteLen;
     };
     func_map["strlen"] = sse_strlen;
     func_map["wcslen"] = sse_strlen;
@@ -350,7 +309,7 @@ void AbsExtAPI::initExtFunMap()
         const u32_t freePtr = callNode->getArgument(0)->getId();
         for (auto addr: as[freePtr].getAddrs())
         {
-            if (AbstractState::isInvalidMem(addr))
+            if (AbstractState::isBlackHoleObjAddr(addr))
             {
                 // Detected a double free — the address has already been freed.
                 // No action is taken at this point.
@@ -480,7 +439,13 @@ void AbsExtAPI::handleExtAPI(const CallICFGNode *call)
     }
     else if (extType == STRCAT)
     {
-        handleStrcat(call);
+        // Both strcat and strncat are annotated as STRCAT.
+        // Distinguish by name: strncat/wcsncat contain "ncat".
+        const std::string& name = fun->getName();
+        if (name.find("ncat") != std::string::npos)
+            handleStrncat(call);
+        else
+            handleStrcat(call);
     }
     else
     {
@@ -489,21 +454,50 @@ void AbsExtAPI::handleExtAPI(const CallICFGNode *call)
     return;
 }
 
-void AbsExtAPI::handleStrcpy(const CallICFGNode *call)
+// ===----------------------------------------------------------------------===//
+//  Shared primitives for string/memory handlers
+// ===----------------------------------------------------------------------===//
+
+/// Get the byte size of each element for a pointer/array variable.
+/// Shared by handleMemcpy, handleMemset, and getStrlen to avoid duplication.
+u32_t AbsExtAPI::getElementSize(AbstractState& as, const SVFVar* var)
 {
-    // strcpy, __strcpy_chk, stpcpy , wcscpy, __wcscpy_chk
-    // get the dst and src
-    AbstractState& as = getAbsStateFromTrace(call);
-    const SVFVar* arg0Val = call->getArgument(0);
-    const SVFVar* arg1Val = call->getArgument(1);
-    IntervalValue strLen = getStrlen(as, arg1Val);
-    // no need to -1, since it has \0 as the last byte
-    handleMemcpy(as, arg0Val, arg1Val, strLen, strLen.lb().getIntNumeral());
+    if (var->getType()->isArrayTy())
+    {
+        return SVFUtil::dyn_cast<SVFArrayType>(var->getType())
+            ->getTypeOfElement()->getByteSize();
+    }
+    if (var->getType()->isPointerTy())
+    {
+        if (const SVFType* elemType = as.getPointeeElement(var->getId()))
+        {
+            if (elemType->isArrayTy())
+                return SVFUtil::dyn_cast<SVFArrayType>(elemType)
+                    ->getTypeOfElement()->getByteSize();
+            return elemType->getByteSize();
+        }
+        return 1;
+    }
+    assert(false && "unsupported type for element size");
+    return 1;
+}
+
+/// Check if an interval length is usable for memory operations.
+/// Returns false for bottom (no information) or unbounded lower bound
+/// (cannot determine a concrete start for iteration).
+bool AbsExtAPI::isValidLength(const IntervalValue& len)
+{
+    return !len.isBottom() && !len.lb().is_minus_infinity();
 }
 
+/// Calculate the length of a null-terminated string in abstract state.
+/// Scans memory from the base of strValue looking for a '\0' byte.
+/// Returns an IntervalValue: exact length if '\0' found, otherwise [0, MaxFieldLimit].
 IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValue)
 {
     NodeID value_id = strValue->getId();
+
+    // Step 1: determine the buffer size (in bytes) backing this pointer
     u32_t dst_size = 0;
     for (const auto& addr : as[value_id].getAddrs())
     {
@@ -524,8 +518,9 @@ IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValu
             }
         }
     }
+
+    // Step 2: scan for '\0' terminator
     u32_t len = 0;
-    u32_t elemSize = 1;
     if (as.inVarToAddrsTable(value_id))
     {
         for (u32_t index = 0; index < dst_size; index++)
@@ -537,188 +532,153 @@ IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValu
             {
                 val.join_with(as.load(addr));
             }
-            if (val.getInterval().is_numeral() && (char) val.getInterval().getIntNumeral() == '\0')
+            if (val.getInterval().is_numeral() &&
+                    (char) val.getInterval().getIntNumeral() == '\0')
             {
                 break;
             }
             ++len;
         }
-        if (strValue->getType()->isArrayTy())
-        {
-            elemSize = SVFUtil::dyn_cast<SVFArrayType>(strValue->getType())->getTypeOfElement()->getByteSize();
-        }
-        else if (strValue->getType()->isPointerTy())
-        {
-            if (const SVFType* elemType = as.getPointeeElement(value_id))
-            {
-                if (elemType->isArrayTy())
-                    elemSize = SVFUtil::dyn_cast<SVFArrayType>(elemType)->getTypeOfElement()->getByteSize();
-                else
-                    elemSize = elemType->getByteSize();
-            }
-            else
-            {
-                elemSize = 1;
-            }
-        }
-        else
-        {
-            assert(false && "we cannot support this type");
-        }
     }
+
+    // Step 3: scale by element size and return
+    u32_t elemSize = getElementSize(as, strValue);
     if (len == 0)
-    {
         return IntervalValue((s64_t)0, (s64_t)Options::MaxFieldLimit());
-    }
-    else
-    {
-        return IntervalValue(len * elemSize);
-    }
+    return IntervalValue(len * elemSize);
+}
+
+// ===----------------------------------------------------------------------===//
+//  String/memory operation handlers
+// ===----------------------------------------------------------------------===//
+
+/// strcpy(dst, src): copy all of src (including '\0') into dst.
+/// Covers: strcpy, __strcpy_chk, stpcpy, wcscpy, __wcscpy_chk
+void AbsExtAPI::handleStrcpy(const CallICFGNode *call)
+{
+    AbstractState& as = getAbsStateFromTrace(call);
+    const SVFVar* dst = call->getArgument(0);
+    const SVFVar* src = call->getArgument(1);
+    IntervalValue srcLen = getStrlen(as, src);
+    // no need to -1, since srcLen includes up to (but not past) '\0'
+    if (!isValidLength(srcLen)) return;
+    handleMemcpy(as, dst, src, srcLen, 0);
 }
 
+/// strcat(dst, src): append all of src after the end of dst.
+/// Covers: strcat, __strcat_chk, wcscat, __wcscat_chk
+void AbsExtAPI::handleStrcat(const CallICFGNode *call)
+{
+    AbstractState& as = getAbsStateFromTrace(call);
+    const SVFVar* dst = call->getArgument(0);
+    const SVFVar* src = call->getArgument(1);
+    IntervalValue dstLen = getStrlen(as, dst);
+    IntervalValue srcLen = getStrlen(as, src);
+    if (!isValidLength(dstLen)) return;
+    handleMemcpy(as, dst, src, srcLen, dstLen.lb().getIntNumeral());
+}
 
-void AbsExtAPI::handleStrcat(const SVF::CallICFGNode *call)
+/// strncat(dst, src, n): append at most n bytes of src after the end of dst.
+/// Covers: strncat, __strncat_chk, wcsncat, __wcsncat_chk
+void AbsExtAPI::handleStrncat(const CallICFGNode *call)
 {
-    // __strcat_chk, strcat, __wcscat_chk, wcscat, __strncat_chk, strncat, __wcsncat_chk, wcsncat
-    // to check it is  strcat group or strncat group
     AbstractState& as = getAbsStateFromTrace(call);
-    const FunObjVar *fun = call->getCalledFunction();
-    const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
-    const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
-    if (std::find(strcatGroup.begin(), strcatGroup.end(), fun->getName()) != strcatGroup.end())
-    {
-        const SVFVar* arg0Val = call->getArgument(0);
-        const SVFVar* arg1Val = call->getArgument(1);
-        IntervalValue strLen0 = getStrlen(as, arg0Val);
-        IntervalValue strLen1 = getStrlen(as, arg1Val);
-        IntervalValue totalLen = strLen0 + strLen1;
-        handleMemcpy(as, arg0Val, arg1Val, strLen1, strLen0.lb().getIntNumeral());
-        // do memcpy
-    }
-    else if (std::find(strncatGroup.begin(), strncatGroup.end(), fun->getName()) != strncatGroup.end())
-    {
-        const SVFVar* arg0Val = call->getArgument(0);
-        const SVFVar* arg1Val = call->getArgument(1);
-        const SVFVar* arg2Val = call->getArgument(2);
-        IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
-        IntervalValue strLen0 = getStrlen(as, arg0Val);
-        IntervalValue totalLen = strLen0 + arg2Num;
-        handleMemcpy(as, arg0Val, arg1Val, arg2Num, strLen0.lb().getIntNumeral());
-        // do memcpy
-    }
-    else
-    {
-        assert(false && "unknown strcat function, please add it to strcatGroup or strncatGroup");
-    }
+    const SVFVar* dst = call->getArgument(0);
+    const SVFVar* src = call->getArgument(1);
+    IntervalValue n = as[call->getArgument(2)->getId()].getInterval();
+    IntervalValue dstLen = getStrlen(as, dst);
+    if (!isValidLength(dstLen)) return;
+    handleMemcpy(as, dst, src, n, dstLen.lb().getIntNumeral());
 }
 
-void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len,  u32_t start_idx)
+/// Core memcpy: copy `len` bytes from src to dst starting at dst[start_idx].
+void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst,
+                              const SVF::SVFVar *src, IntervalValue len,
+                              u32_t start_idx)
 {
-    u32_t dstId = dst->getId(); // pts(dstId) = {objid}  objbar objtypeinfo->getType().
+    if (!isValidLength(len)) return;
+
+    u32_t dstId = dst->getId();
     u32_t srcId = src->getId();
-    u32_t elemSize = 1;
-    if (dst->getType()->isArrayTy())
-    {
-        elemSize = SVFUtil::dyn_cast<SVFArrayType>(dst->getType())->getTypeOfElement()->getByteSize();
-    }
-    // memcpy(i32*, i32*, 40)
-    else if (dst->getType()->isPointerTy())
-    {
-        if (const SVFType* elemType = as.getPointeeElement(dstId))
-        {
-            if (elemType->isArrayTy())
-                elemSize = SVFUtil::dyn_cast<SVFArrayType>(elemType)->getTypeOfElement()->getByteSize();
-            else
-                elemSize = elemType->getByteSize();
-        }
-        else
-        {
-            elemSize = 1;
-        }
-    }
-    else
-    {
-        assert(false && "we cannot support this type");
-    }
-    u32_t size = std::min((u32_t)Options::MaxFieldLimit(), (u32_t) len.lb().getIntNumeral());
+    u32_t elemSize = getElementSize(as, dst);
+    u32_t size = std::min((u32_t)Options::MaxFieldLimit(),
+                          (u32_t)len.lb().getIntNumeral());
     u32_t range_val = size / elemSize;
-    if (as.inVarToAddrsTable(srcId) && as.inVarToAddrsTable(dstId))
+
+    if (!as.inVarToAddrsTable(srcId) || !as.inVarToAddrsTable(dstId))
+        return;
+
+    for (u32_t index = 0; index < range_val; index++)
     {
-        for (u32_t index = 0; index < range_val; index++)
+        AbstractValue expr_src =
+            as.getGepObjAddrs(srcId, IntervalValue(index));
+        AbstractValue expr_dst =
+            as.getGepObjAddrs(dstId, IntervalValue(index + start_idx));
+        for (const auto &dstAddr: expr_dst.getAddrs())
         {
-            // dead loop for string and break if there's a \0. If no \0, it will throw err.
-            AbstractValue expr_src =
-                as.getGepObjAddrs(srcId, IntervalValue(index));
-            AbstractValue expr_dst =
-                as.getGepObjAddrs(dstId, IntervalValue(index + start_idx));
-            for (const auto &dst: expr_dst.getAddrs())
+            for (const auto &srcAddr: expr_src.getAddrs())
             {
-                for (const auto &src: expr_src.getAddrs())
+                u32_t objId = as.getIDFromAddr(srcAddr);
+                if (as.inAddrToValTable(objId) || as.inAddrToAddrsTable(objId))
                 {
-                    u32_t objId = as.getIDFromAddr(src);
-                    if (as.inAddrToValTable(objId))
-                    {
-                        as.store(dst, as.load(src));
-                    }
-                    else if (as.inAddrToAddrsTable(objId))
-                    {
-                        as.store(dst, as.load(src));
-                    }
+                    as.store(dstAddr, as.load(srcAddr));
                 }
             }
         }
     }
 }
 
-void AbsExtAPI::handleMemset(AbstractState& as, const SVF::SVFVar *dst, IntervalValue elem, IntervalValue len)
+/// Core memset: fill dst with `elem` for `len` bytes.
+/// Note: elemSize here uses the pointee type's full size (not array element size)
+/// to match how LLVM memset/wmemset intrinsics measure `len`. For a pointer to
+/// wchar_t[100], elemSize = sizeof(wchar_t[100]), so range_val reflects the
+/// number of top-level GEP fields, not individual array elements.
+void AbsExtAPI::handleMemset(AbstractState& as, const SVF::SVFVar *dst,
+                              IntervalValue elem, IntervalValue len)
 {
+    if (!isValidLength(len)) return;
+
     u32_t dstId = dst->getId();
-    u32_t size = std::min((u32_t)Options::MaxFieldLimit(), (u32_t) len.lb().getIntNumeral());
     u32_t elemSize = 1;
     if (dst->getType()->isArrayTy())
     {
-        elemSize = SVFUtil::dyn_cast<SVFArrayType>(dst->getType())->getTypeOfElement()->getByteSize();
+        elemSize = SVFUtil::dyn_cast<SVFArrayType>(dst->getType())
+            ->getTypeOfElement()->getByteSize();
     }
     else if (dst->getType()->isPointerTy())
     {
         if (const SVFType* elemType = as.getPointeeElement(dstId))
-        {
             elemSize = elemType->getByteSize();
-        }
         else
-        {
             elemSize = 1;
-        }
     }
     else
     {
-        assert(false && "we cannot support this type");
+        assert(false && "unsupported type for element size");
     }
-
+    u32_t size = std::min((u32_t)Options::MaxFieldLimit(),
+                          (u32_t)len.lb().getIntNumeral());
     u32_t range_val = size / elemSize;
+
     for (u32_t index = 0; index < range_val; index++)
     {
-        // dead loop for string and break if there's a \0. If no \0, it will throw err.
-        if (as.inVarToAddrsTable(dstId))
+        if (!as.inVarToAddrsTable(dstId))
+            break;
+        AbstractValue lhs_gep = as.getGepObjAddrs(dstId, IntervalValue(index));
+        for (const auto &addr: lhs_gep.getAddrs())
         {
-            AbstractValue lhs_gep = as.getGepObjAddrs(dstId, IntervalValue(index));
-            for (const auto &addr: lhs_gep.getAddrs())
+            u32_t objId = as.getIDFromAddr(addr);
+            if (as.inAddrToValTable(objId))
             {
-                u32_t objId = as.getIDFromAddr(addr);
-                if (as.inAddrToValTable(objId))
-                {
-                    AbstractValue tmp = as.load(addr);
-                    tmp.join_with(elem);
-                    as.store(addr, tmp);
-                }
-                else
-                {
-                    as.store(addr, elem);
-                }
+                AbstractValue tmp = as.load(addr);
+                tmp.join_with(elem);
+                as.store(addr, tmp);
+            }
+            else
+            {
+                as.store(addr, elem);
             }
         }
-        else
-            break;
     }
 }
 

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -34,6 +34,7 @@
 #include "Graphs/CallGraph.h"
 #include "WPA/Andersen.h"
 #include <cmath>
+#include <deque>
 
 using namespace SVF;
 using namespace SVFUtil;
@@ -62,6 +63,8 @@ void AbstractInterpretation::runOnModule(ICFG *_icfg)
 
 AbstractInterpretation::AbstractInterpretation()
 {
+    AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(svfir);
+    callGraph = ander->getCallGraph();
     stat = new AEStat(this);
 }
 /// Destructor
@@ -95,11 +98,8 @@ void AbstractInterpretation::collectCycleHeads(const std::list<const ICFGWTOComp
 void AbstractInterpretation::initWTO()
 {
     AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(svfir);
-    // Detect if the call graph has cycles by finding its strongly connected components (SCC)
-    Andersen::CallGraphSCC* callGraphScc = ander->getCallGraphSCC();
+    CallGraphSCC* callGraphScc = ander->getCallGraphSCC();
     callGraphScc->find();
-    CallGraph* callGraph = ander->getCallGraph();
-
     // Iterate through the call graph
     for (auto it = callGraph->begin(); it != callGraph->end(); it++)
     {
@@ -162,33 +162,103 @@ void AbstractInterpretation::initWTO()
     }
 }
 
-/// Program entry
+/// Collect entry point functions for analysis.
+/// Entry points are functions without callers (no incoming edges in CallGraph).
+/// Uses a deque to allow efficient insertion at front for prioritizing main()
+std::deque<const FunObjVar*> AbstractInterpretation::collectProgEntryFuns()
+{
+    std::deque<const FunObjVar*> entryFunctions;
+
+    for (auto it = callGraph->begin(); it != callGraph->end(); ++it)
+    {
+        const CallGraphNode* cgNode = it->second;
+        const FunObjVar* fun = cgNode->getFunction();
+
+        // Skip declarations
+        if (fun->isDeclaration())
+            continue;
+
+        // Entry points are functions without callers (no incoming edges)
+        if (cgNode->getInEdges().empty())
+        {
+            // If main exists, put it first for priority using deque's push_front
+            if (fun->getName() == "main")
+            {
+                entryFunctions.push_front(fun);
+            }
+            else
+            {
+                entryFunctions.push_back(fun);
+            }
+        }
+    }
+
+    return entryFunctions;
+}
+
+
+/// Program entry - analyze from all entry points (multi-entry analysis is the default)
 void AbstractInterpretation::analyse()
 {
     initWTO();
+
+    // Always use multi-entry analysis from all entry points
+    analyzeFromAllProgEntries();
+}
+
+/// Analyze all entry points (functions without callers) - for whole-program analysis.
+/// Abstract state is shared across entry points so that functions analyzed from
+/// earlier entries are not re-analyzed from scratch.
+void AbstractInterpretation::analyzeFromAllProgEntries()
+{
+    // Collect all entry point functions
+    std::deque<const FunObjVar*> entryFunctions = collectProgEntryFuns();
+
+    if (entryFunctions.empty())
+    {
+        assert(false && "No entry functions found for analysis");
+        return;
+    }
     // handle Global ICFGNode of SVFModule
     handleGlobalNode();
-    getAbsStateFromTrace(
-        icfg->getGlobalICFGNode())[PAG::getPAG()->getBlkPtr()] = IntervalValue::top();
-    if (const CallGraphNode* cgn = svfir->getCallGraph()->getCallGraphNode("main"))
+    for (const FunObjVar* entryFun : entryFunctions)
     {
-        // Use worklist-based function handling instead of recursive WTO component handling
-        const ICFGNode* mainEntry = icfg->getFunEntryICFGNode(cgn->getFunction());
-        handleFunction(mainEntry);
+        const ICFGNode* funEntry = icfg->getFunEntryICFGNode(entryFun);
+        handleFunction(funEntry);
     }
 }
 
 /// handle global node
+/// Initializes the abstract state for the global ICFG node and processes all global statements.
+/// This includes setting up the null pointer and black hole pointer (blkPtr).
+/// BlkPtr is initialized to point to the BlackHole object, representing
+/// an unknown memory location that cannot be statically resolved.
 void AbstractInterpretation::handleGlobalNode()
 {
     const ICFGNode* node = icfg->getGlobalICFGNode();
     abstractTrace[node] = AbstractState();
     abstractTrace[node][IRGraph::NullPtr] = AddressValue();
+
     // Global Node, we just need to handle addr, load, store, copy and gep
     for (const SVFStmt *stmt: node->getSVFStmts())
     {
         handleSVFStatement(stmt);
     }
+
+    // BlkPtr represents a pointer whose target is statically unknown (e.g., from
+    // int2ptr casts, external function returns, or unmodeled instructions like
+    // AtomicCmpXchg). It should be an address pointing to the BlackHole object
+    // (ID=2), NOT an interval top.
+    //
+    // History: this was originally set to IntervalValue::top() as a quick fix when
+    // the analysis crashed on programs containing uninitialized BlkPtr. However,
+    // BlkPtr is semantically a *pointer* (address domain), not a numeric value
+    // (interval domain). Setting it to interval top broke cross-domain consistency:
+    // the interval domain and address domain gave contradictory information for the
+    // same variable. The correct representation is an AddressValue containing the
+    // BlackHole virtual address, which means "points to unknown memory".
+    abstractTrace[node][PAG::getPAG()->getBlkPtr()] =
+        AddressValue(BlackHoleObjAddr);
 }
 
 /// get execution state by merging states of predecessor blocks
@@ -598,39 +668,22 @@ bool AbstractInterpretation::handleICFGNode(const ICFGNode* node)
     if (hadPrevState)
         prevState = abstractTrace[node];
 
-    // For function entry nodes, initialize state from caller or global
+    // For function entry nodes, initialize state from predecessors or global
     bool isFunEntry = SVFUtil::isa<FunEntryICFGNode>(node);
     if (isFunEntry)
     {
         // Try to merge from predecessors first (handles call edges)
         if (!mergeStatesFromPredecessors(node))
         {
-            // No predecessors with state - initialize from caller or global
-            if (!callSiteStack.empty())
+            // No predecessors with state - inherit from global node
+            const ICFGNode* globalNode = icfg->getGlobalICFGNode();
+            if (hasAbsStateFromTrace(globalNode))
             {
-                // Get state from the most recent call site
-                const CallICFGNode* caller = callSiteStack.back();
-                if (hasAbsStateFromTrace(caller))
-                {
-                    abstractTrace[node] = abstractTrace[caller];
-                }
-                else
-                {
-                    abstractTrace[node] = AbstractState();
-                }
+                abstractTrace[node] = abstractTrace[globalNode];
             }
             else
             {
-                // This is the main function entry, inherit from global node
-                const ICFGNode* globalNode = icfg->getGlobalICFGNode();
-                if (hasAbsStateFromTrace(globalNode))
-                {
-                    abstractTrace[node] = abstractTrace[globalNode];
-                }
-                else
-                {
-                    abstractTrace[node] = AbstractState();
-                }
+                abstractTrace[node] = AbstractState();
             }
         }
     }
@@ -661,6 +714,9 @@ bool AbstractInterpretation::handleICFGNode(const ICFGNode* node)
         detector->detect(getAbsStateFromTrace(node), node);
     stat->countStateSize();
 
+    // Track this node as analyzed (for coverage statistics across all entry points)
+    allAnalyzedNodes.insert(node);
+
     // Check if state changed (for fixpoint detection)
     // For entry nodes on first visit, always return true to process successors
     if (isFunEntry && !hadPrevState)
@@ -754,7 +810,7 @@ std::vector<const ICFGNode*> AbstractInterpretation::getNextNodesOfCycle(const I
  * Handle a function using worklist algorithm
  * This replaces the recursive WTO component handling with explicit worklist iteration
  */
-void AbstractInterpretation::handleFunction(const ICFGNode* funEntry)
+void AbstractInterpretation::handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller)
 {
     FIFOWorkList<const ICFGNode*> worklist;
     worklist.push(funEntry);
@@ -767,7 +823,7 @@ void AbstractInterpretation::handleFunction(const ICFGNode* funEntry)
         if (cycleHeadToCycle.find(node) != cycleHeadToCycle.end())
         {
             const ICFGCycleWTO* cycle = cycleHeadToCycle[node];
-            handleLoopOrRecursion(cycle);
+            handleLoopOrRecursion(cycle, caller);
 
             // Push nodes outside the cycle to the worklist
             std::vector<const ICFGNode*> cycleNextNodes = getNextNodesOfCycle(cycle);
@@ -821,13 +877,11 @@ bool AbstractInterpretation::isExtCall(const CallICFGNode *callNode)
 
 void AbstractInterpretation::handleExtCall(const CallICFGNode *callNode)
 {
-    callSiteStack.push_back(callNode);
     utils->handleExtAPI(callNode);
     for (auto& detector : detectors)
     {
         detector->handleStubFunctions(callNode);
     }
-    callSiteStack.pop_back();
 }
 
 /// Check if a function is recursive (part of a call graph SCC)
@@ -945,7 +999,15 @@ bool AbstractInterpretation::shouldApplyNarrowing(const FunObjVar* fun)
         return false;
     }
 }
-/// Handle direct or indirect call: get callee, process function body, set return state
+/// Handle direct or indirect call: get callee(s), process function body, set return state.
+///
+/// For direct calls, the callee is known statically.
+/// For indirect calls, the previous implementation resolved callees from the abstract
+/// state's address domain, which only picked the first address and missed other targets.
+/// Since the abstract state's address domain is not an over-approximation for function
+/// pointers (it may be uninitialized or incomplete), we now use Andersen's pointer
+/// analysis results from the pre-computed call graph, which soundly resolves all
+/// possible indirect call targets.
 void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
 {
     AbstractState& as = getAbsStateFromTrace(callNode);
@@ -955,16 +1017,30 @@ void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
     if (skipRecursiveCall(callNode))
         return;
 
-    const FunObjVar* callee = getCallee(callNode);
-    if (!callee)
+    // Direct call: callee is known
+    if (const FunObjVar* callee = callNode->getCalledFunction())
+    {
+        const ICFGNode* calleeEntry = icfg->getFunEntryICFGNode(callee);
+        handleFunction(calleeEntry, callNode);
+        const RetICFGNode* retNode = callNode->getRetICFGNode();
+        abstractTrace[retNode] = abstractTrace[callNode];
         return;
+    }
 
-    callSiteStack.push_back(callNode);
-
-    const ICFGNode* calleeEntry = icfg->getFunEntryICFGNode(callee);
-    handleFunction(calleeEntry);
-
-    callSiteStack.pop_back();
+    // Indirect call: use Andersen's call graph to get all resolved callees.
+    // The call graph was built during initWTO() by running Andersen's pointer analysis,
+    // which over-approximates the set of possible targets for each indirect callsite.
+    if (callGraph->hasIndCSCallees(callNode))
+    {
+        const auto& callees = callGraph->getIndCSCallees(callNode);
+        for (const FunObjVar* callee : callees)
+        {
+            if (callee->isDeclaration())
+                continue;
+            const ICFGNode* calleeEntry = icfg->getFunEntryICFGNode(callee);
+            handleFunction(calleeEntry, callNode);
+        }
+    }
     const RetICFGNode* retNode = callNode->getRetICFGNode();
     abstractTrace[retNode] = abstractTrace[callNode];
 }
@@ -1009,7 +1085,7 @@ void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
 ///     Example:
 ///       int factorial(int n) { return n <= 1 ? 1 : n * factorial(n-1); }
 ///       factorial(5) -> returns [10000, 10000] (precise after narrowing)
-void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle)
+void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller)
 {
     const ICFGNode* cycle_head = cycle->head()->getICFGNode();
 
@@ -1017,11 +1093,9 @@ void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle)
     // all stores and return value to TOP, maintaining original semantics
     if (Options::HandleRecur() == TOP && isRecursiveFun(cycle_head->getFun()))
     {
-        // Get the call node from callSiteStack (the call that entered this function)
-        if (!callSiteStack.empty())
+        if (caller)
         {
-            const CallICFGNode* callNode = callSiteStack.back();
-            recursiveCallPass(callNode);
+            recursiveCallPass(caller);
         }
         return;
     }
@@ -1084,7 +1158,7 @@ void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle)
             else if (const ICFGCycleWTO* subCycle = SVFUtil::dyn_cast<ICFGCycleWTO>(comp))
             {
                 // Handle nested cycle recursively
-                handleLoopOrRecursion(subCycle);
+                handleLoopOrRecursion(subCycle, caller);
             }
         }
     }
@@ -1229,15 +1303,39 @@ void AEStat::finializeStat()
         generalNumMap["ES_Loc_Addr_AVG_Num"] /= count;
     }
     generalNumMap["SVF_STMT_NUM"] = count;
-    generalNumMap["ICFG_Node_Num"] = _ae->svfir->getICFG()->nodeNum;
+
+    u32_t totalICFGNodes = _ae->svfir->getICFG()->nodeNum;
+    generalNumMap["ICFG_Node_Num"] = totalICFGNodes;
+
+    // Calculate coverage: use allAnalyzedNodes which tracks all nodes across all entry points
+    u32_t analyzedNodes = _ae->allAnalyzedNodes.size();
+    generalNumMap["Analyzed_ICFG_Node_Num"] = analyzedNodes;
+
+    // Coverage percentage (stored as integer percentage * 100 for precision)
+    if (totalICFGNodes > 0)
+    {
+        double coveragePercent = (double)analyzedNodes / (double)totalICFGNodes * 100.0;
+        generalNumMap["ICFG_Coverage_Percent"] = (u32_t)(coveragePercent * 100); // Store as percentage * 100
+    }
+    else
+    {
+        generalNumMap["ICFG_Coverage_Percent"] = 0;
+    }
+
     u32_t callSiteNum = 0;
     u32_t extCallSiteNum = 0;
     Set<const FunObjVar *> funs;
+    Set<const FunObjVar *> analyzedFuns;
     for (const auto &it: *_ae->svfir->getICFG())
     {
         if (it.second->getFun())
         {
             funs.insert(it.second->getFun());
+            // Check if this node was analyzed (across all entry points)
+            if (_ae->allAnalyzedNodes.find(it.second) != _ae->allAnalyzedNodes.end())
+            {
+                analyzedFuns.insert(it.second->getFun());
+            }
         }
         if (const CallICFGNode *callNode = dyn_cast<CallICFGNode>(it.second))
         {
@@ -1252,6 +1350,19 @@ void AEStat::finializeStat()
         }
     }
     generalNumMap["Func_Num"] = funs.size();
+    generalNumMap["Analyzed_Func_Num"] = analyzedFuns.size();
+
+    // Function coverage percentage
+    if (funs.size() > 0)
+    {
+        double funcCoveragePercent = (double)analyzedFuns.size() / (double)funs.size() * 100.0;
+        generalNumMap["Func_Coverage_Percent"] = (u32_t)(funcCoveragePercent * 100); // Store as percentage * 100
+    }
+    else
+    {
+        generalNumMap["Func_Coverage_Percent"] = 0;
+    }
+
     generalNumMap["EXT_CallSite_Num"] = extCallSiteNum;
     generalNumMap["NonEXT_CallSite_Num"] = callSiteNum;
     timeStatMap["Total_Time(sec)"] = (double)(endTime - startTime) / TIMEINTERVAL;
@@ -1280,8 +1391,16 @@ void AEStat::performStat()
     unsigned field_width = 30;
     for (NUMStatMap::iterator it = generalNumMap.begin(), eit = generalNumMap.end(); it != eit; ++it)
     {
-        // format out put with width 20 space
-        std::cout << std::setw(field_width) << it->first << it->second << "\n";
+        // Special handling for percentage fields (stored as percentage * 100)
+        if (it->first == "ICFG_Coverage_Percent" || it->first == "Func_Coverage_Percent")
+        {
+            double percent = (double)it->second / 100.0;
+            std::cout << std::setw(field_width) << it->first << std::fixed << std::setprecision(2) << percent << "%\n";
+        }
+        else
+        {
+            std::cout << std::setw(field_width) << it->first << it->second << "\n";
+        }
     }
     SVFUtil::outs() << "-------------------------------------------------------\n";
     for (TIMEStatMap::iterator it = timeStatMap.begin(), eit = timeStatMap.end(); it != eit; ++it)
@@ -1605,6 +1724,13 @@ void AbstractInterpretation::updateStateOnCmp(const CmpStmt *cmp)
                 case CmpStmt::FCMP_TRUE:
                     resVal = IntervalValue(1, 1);
                     break;
+                case CmpStmt::FCMP_ORD:
+                case CmpStmt::FCMP_UNO:
+                    // FCMP_ORD: true if both operands are not NaN
+                    // FCMP_UNO: true if either operand is NaN
+                    // Conservatively return [0, 1] since we don't track NaN
+                    resVal = IntervalValue(0, 1);
+                    break;
                 default:
                     assert(false && "undefined compare: ");
                 }
@@ -1719,6 +1845,13 @@ void AbstractInterpretation::updateStateOnCmp(const CmpStmt *cmp)
                 case CmpStmt::FCMP_TRUE:
                     resVal = IntervalValue(1, 1);
                     break;
+                case CmpStmt::FCMP_ORD:
+                case CmpStmt::FCMP_UNO:
+                    // FCMP_ORD: true if both operands are not NaN
+                    // FCMP_UNO: true if either operand is NaN
+                    // Conservatively return [0, 1] since we don't track NaN
+                    resVal = IntervalValue(0, 1);
+                    break;
                 default:
                     assert(false && "undefined compare: ");
                 }

package/svf-llvm/lib/CHGBuilder.cpp

@@ -173,7 +173,8 @@ void CHGBuilder::connectInheritEdgeViaCall(const Function* caller, const CallBas
     {
         if (cs->arg_size() < 1 || (cs->arg_size() < 2 && cs->paramHasAttr(0, llvm::Attribute::StructRet)))
             return;
-        if(caller->arg_size() == 0){
+        if(caller->arg_size() == 0)
+        {
             return;
         }
         const Value* csThisPtr = cppUtil::getVCallThisPtr(cs);