svf-tools 1.0.1194 → 1.0.1195

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1194",
+  "version": "1.0.1195",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Core/AbstractState.h

@@ -114,7 +114,7 @@ public:
     /// Return the internal index if addr is an address otherwise return the value of idx
     inline u32_t getIDFromAddr(u32_t addr)
     {
-        return _freedAddrs.count(addr) ?  AddressValue::getInternalID(InvalidMemAddr) : AddressValue::getInternalID(addr);
+        return _freedAddrs.count(addr) ?  AddressValue::getInternalID(BlackHoleObjAddr) : AddressValue::getInternalID(addr);
     }
 
     AbstractState&operator=(const AbstractState&rhs)
@@ -187,9 +187,9 @@ public:
         return addr == NullMemAddr;
     }
 
-    static inline bool isInvalidMem(u32_t addr)
+    static inline bool isBlackHoleObjAddr(u32_t addr)
     {
-        return addr == InvalidMemAddr;
+        return addr == BlackHoleObjAddr;
     }
 
 

package/svf/include/AE/Core/AddressValue.h

@@ -32,8 +32,8 @@
 
 #define AddressMask 0x7f000000
 #define FlippedAddressMask (AddressMask^0xffffffff)
-// the address of InvalidMem(the black hole), getVirtualMemAddress(2);
-#define InvalidMemAddr 0x7f000000 + 2
+// the address of BlackHole object, getVirtualMemAddress(2);
+#define BlackHoleObjAddr 0x7f000000 + 2
 // the address of NullMem, getVirtualMemAddress(0);
 #define NullMemAddr 0x7f000000
 

package/svf/include/AE/Svfexe/AbsExtAPI.h

@@ -74,43 +74,23 @@ public:
      */
     void handleExtAPI(const CallICFGNode *call);
 
-    /**
-     * @brief Handles the strcpy API call.
-     * @param call Pointer to the call ICFG node.
-     */
-    void handleStrcpy(const CallICFGNode *call);
+    // --- Shared primitives used by string/memory handlers ---
 
-    /**
-     * @brief Calculates the length of a string.
-     * @param as Reference to the abstract state.
-     * @param strValue Pointer to the SVF variable representing the string.
-     * @return The interval value representing the string length.
-     */
+    /// Get the byte size of each element for a pointer/array variable.
+    u32_t getElementSize(AbstractState& as, const SVFVar* var);
+
+    /// Check if an interval length is usable (not bottom, not unbounded).
+    static bool isValidLength(const IntervalValue& len);
+
+    /// Calculate the length of a null-terminated string in abstract state.
     IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue);
 
-    /**
-     * @brief Handles the strcat API call.
-     * @param call Pointer to the call ICFG node.
-     */
-    void handleStrcat(const SVF::CallICFGNode *call);
+    // --- String/memory operation handlers ---
 
-    /**
-     * @brief Handles the memcpy API call.
-     * @param as Reference to the abstract state.
-     * @param dst Pointer to the destination SVF variable.
-     * @param src Pointer to the source SVF variable.
-     * @param len The interval value representing the length to copy.
-     * @param start_idx The starting index for copying.
-     */
+    void handleStrcpy(const CallICFGNode *call);
+    void handleStrcat(const CallICFGNode *call);
+    void handleStrncat(const CallICFGNode *call);
     void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx);
-
-    /**
-     * @brief Handles the memset API call.
-     * @param as Reference to the abstract state.
-     * @param dst Pointer to the destination SVF variable.
-     * @param elem The interval value representing the element to set.
-     * @param len The interval value representing the length to set.
-     */
     void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len);
 
     /**

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -36,6 +36,8 @@
 #include "Util/SVFBugReport.h"
 #include "Util/SVFStat.h"
 #include "Graphs/SCC.h"
+#include "Graphs/CallGraph.h"
+#include <deque>
 
 namespace SVF
 {
@@ -144,6 +146,13 @@ public:
     /// Program entry
     void analyse();
 
+    /// Analyze all entry points (functions without callers)
+    void analyzeFromAllProgEntries();
+
+    /// Get all entry point functions (functions without callers)
+    std::deque<const FunObjVar*> collectProgEntryFuns();
+
+
     static AbstractInterpretation& getAEInstance()
     {
         static AbstractInterpretation instance;
@@ -218,14 +227,14 @@ private:
      *
      * @param cycle WTOCycle which has weak topo order of basic blocks and nested cycles
      */
-    virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle);
+    virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller = nullptr);
 
     /**
      * Handle a function using worklist algorithm
      *
      * @param funEntry The entry node of the function to handle
      */
-    void handleFunction(const ICFGNode* funEntry);
+    void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller = nullptr);
 
     /**
      * Handle an ICFG node by merging states and processing statements
@@ -322,9 +331,9 @@ private:
     AEAPI* api{nullptr};
 
     ICFG* icfg;
+    CallGraph* callGraph;
     AEStat* stat;
 
-    std::vector<const CallICFGNode*> callSiteStack;
     Map<const FunObjVar*, const ICFGWTO*> funcToWTO;
     Set<std::pair<const CallICFGNode*, NodeID>> nonRecursiveCallSites;
     Set<const FunObjVar*> recursiveFuns;
@@ -358,6 +367,7 @@ private:
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
 
     Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states immediately after nodes
+    Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -367,7 +367,7 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::Add
                 }
                 else
                 {
-                    assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
+                    assert(AbstractState::isBlackHoleObjAddr(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
         }
@@ -398,7 +398,7 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::Add
                 }
                 else
                 {
-                    assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
+                    assert(AbstractState::isBlackHoleObjAddr(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
         }
@@ -479,7 +479,23 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     SVFIR* svfir = PAG::getPAG();
     NodeID value_id = value->getId();
 
-    assert(as[value_id].isAddr());
+    // Lazy initialization for uninitialized pointer parameters in multi-entry analysis.
+    // When analyzing a function as an entry point (e.g., not called from main),
+    // pointer parameters may not have been initialized via AddrStmt.
+    //
+    // Example:
+    //   void process_buffer(char* buf, int len) {
+    //       buf[0] = 'a';  // accessing buf
+    //   }
+    // When analyzing process_buffer as an entry point, 'buf' is a function parameter
+    // with no AddrStmt, so it has no address information in the abstract state.
+    // We lazily initialize it to point to the black hole object (BlkPtr), representing
+    // an unknown but valid memory location. This allows the analysis to continue
+    // while being conservatively sound.
+    if (!as[value_id].isAddr())
+    {
+        as[value_id] = AddressValue(BlackHoleObjAddr);
+    }
     for (const auto& addr : as[value_id].getAddrs())
     {
         NodeID objId = as.getIDFromAddr(addr);
@@ -687,7 +703,7 @@ bool NullptrDerefDetector::canSafelyDerefPtr(AbstractState& as, const SVFVar* va
     for (const auto &addr: AbsVal.getAddrs())
     {
         // if the addr itself is invalid mem, report unsafe
-        if (AbstractState::isInvalidMem(addr))
+        if (AbstractState::isBlackHoleObjAddr(addr))
             return false;
         // if nullptr is detected, return unsafe
         else if (AbstractState::isNullMem(addr))

package/svf/lib/AE/Svfexe/AbsExtAPI.cpp

@@ -272,60 +272,19 @@ void AbsExtAPI::initExtFunMap()
 
     auto sse_strlen = [&](const CallICFGNode *callNode)
     {
-        // check the arg size
         if (callNode->arg_size() < 1) return;
-        const SVFVar* strValue = callNode->getArgument(0);
         AbstractState& as = getAbsStateFromTrace(callNode);
-        NodeID value_id = strValue->getId();
         u32_t lhsId = callNode->getRetICFGNode()->getActualRet()->getId();
-        u32_t dst_size = 0;
-        for (const auto& addr : as[value_id].getAddrs())
-        {
-            NodeID objId = as.getIDFromAddr(addr);
-            if (svfir->getBaseObject(objId)->isConstantByteSize())
-            {
-                dst_size = svfir->getBaseObject(objId)->getByteSizeOfObj();
-            }
-            else
-            {
-                const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
-                for (const SVFStmt* stmt2: addrNode->getSVFStmts())
-                {
-                    if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
-                    {
-                        dst_size = as.getAllocaInstByteSize(addrStmt);
-                    }
-                }
-            }
-        }
-        u32_t len = 0;
-        NodeID dstid = strValue->getId();
-        if (as.inVarToAddrsTable(dstid))
-        {
-            for (u32_t index = 0; index < dst_size; index++)
-            {
-                AbstractValue expr0 =
-                    as.getGepObjAddrs(dstid, IntervalValue(index));
-                AbstractValue val;
-                for (const auto &addr: expr0.getAddrs())
-                {
-                    val.join_with(as.load(addr));
-                }
-                if (val.getInterval().is_numeral() && (char) val.getInterval().getIntNumeral() == '\0')
-                {
-                    break;
-                }
-                ++len;
-            }
-        }
-        if (len == 0)
-        {
-            as[lhsId] = IntervalValue((s64_t)0, (s64_t)Options::MaxFieldLimit());
-        }
+        // strlen/wcslen return the number of characters (not bytes).
+        // getStrlen returns byte-scaled length (len * elemSize) for use
+        // by memcpy/strcpy. Here we need the raw character count, so
+        // divide back by elemSize.
+        IntervalValue byteLen = getStrlen(as, callNode->getArgument(0));
+        u32_t elemSize = getElementSize(as, callNode->getArgument(0));
+        if (byteLen.is_numeral() && elemSize > 1)
+            as[lhsId] = IntervalValue(byteLen.getIntNumeral() / (s64_t)elemSize);
         else
-        {
-            as[lhsId] = IntervalValue(len);
-        }
+            as[lhsId] = byteLen;
     };
     func_map["strlen"] = sse_strlen;
     func_map["wcslen"] = sse_strlen;
@@ -350,7 +309,7 @@ void AbsExtAPI::initExtFunMap()
         const u32_t freePtr = callNode->getArgument(0)->getId();
         for (auto addr: as[freePtr].getAddrs())
         {
-            if (AbstractState::isInvalidMem(addr))
+            if (AbstractState::isBlackHoleObjAddr(addr))
             {
                 // Detected a double free — the address has already been freed.
                 // No action is taken at this point.
@@ -480,7 +439,13 @@ void AbsExtAPI::handleExtAPI(const CallICFGNode *call)
     }
     else if (extType == STRCAT)
     {
-        handleStrcat(call);
+        // Both strcat and strncat are annotated as STRCAT.
+        // Distinguish by name: strncat/wcsncat contain "ncat".
+        const std::string& name = fun->getName();
+        if (name.find("ncat") != std::string::npos)
+            handleStrncat(call);
+        else
+            handleStrcat(call);
     }
     else
     {
@@ -489,21 +454,50 @@ void AbsExtAPI::handleExtAPI(const CallICFGNode *call)
     return;
 }
 
-void AbsExtAPI::handleStrcpy(const CallICFGNode *call)
+// ===----------------------------------------------------------------------===//
+//  Shared primitives for string/memory handlers
+// ===----------------------------------------------------------------------===//
+
+/// Get the byte size of each element for a pointer/array variable.
+/// Shared by handleMemcpy, handleMemset, and getStrlen to avoid duplication.
+u32_t AbsExtAPI::getElementSize(AbstractState& as, const SVFVar* var)
 {
-    // strcpy, __strcpy_chk, stpcpy , wcscpy, __wcscpy_chk
-    // get the dst and src
-    AbstractState& as = getAbsStateFromTrace(call);
-    const SVFVar* arg0Val = call->getArgument(0);
-    const SVFVar* arg1Val = call->getArgument(1);
-    IntervalValue strLen = getStrlen(as, arg1Val);
-    // no need to -1, since it has \0 as the last byte
-    handleMemcpy(as, arg0Val, arg1Val, strLen, strLen.lb().getIntNumeral());
+    if (var->getType()->isArrayTy())
+    {
+        return SVFUtil::dyn_cast<SVFArrayType>(var->getType())
+            ->getTypeOfElement()->getByteSize();
+    }
+    if (var->getType()->isPointerTy())
+    {
+        if (const SVFType* elemType = as.getPointeeElement(var->getId()))
+        {
+            if (elemType->isArrayTy())
+                return SVFUtil::dyn_cast<SVFArrayType>(elemType)
+                    ->getTypeOfElement()->getByteSize();
+            return elemType->getByteSize();
+        }
+        return 1;
+    }
+    assert(false && "unsupported type for element size");
+    return 1;
+}
+
+/// Check if an interval length is usable for memory operations.
+/// Returns false for bottom (no information) or unbounded lower bound
+/// (cannot determine a concrete start for iteration).
+bool AbsExtAPI::isValidLength(const IntervalValue& len)
+{
+    return !len.isBottom() && !len.lb().is_minus_infinity();
 }
 
+/// Calculate the length of a null-terminated string in abstract state.
+/// Scans memory from the base of strValue looking for a '\0' byte.
+/// Returns an IntervalValue: exact length if '\0' found, otherwise [0, MaxFieldLimit].
 IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValue)
 {
     NodeID value_id = strValue->getId();
+
+    // Step 1: determine the buffer size (in bytes) backing this pointer
     u32_t dst_size = 0;
     for (const auto& addr : as[value_id].getAddrs())
     {
@@ -524,8 +518,9 @@ IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValu
             }
         }
     }
+
+    // Step 2: scan for '\0' terminator
     u32_t len = 0;
-    u32_t elemSize = 1;
     if (as.inVarToAddrsTable(value_id))
     {
         for (u32_t index = 0; index < dst_size; index++)
@@ -537,188 +532,153 @@ IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValu
             {
                 val.join_with(as.load(addr));
             }
-            if (val.getInterval().is_numeral() && (char) val.getInterval().getIntNumeral() == '\0')
+            if (val.getInterval().is_numeral() &&
+                    (char) val.getInterval().getIntNumeral() == '\0')
             {
                 break;
             }
             ++len;
         }
-        if (strValue->getType()->isArrayTy())
-        {
-            elemSize = SVFUtil::dyn_cast<SVFArrayType>(strValue->getType())->getTypeOfElement()->getByteSize();
-        }
-        else if (strValue->getType()->isPointerTy())
-        {
-            if (const SVFType* elemType = as.getPointeeElement(value_id))
-            {
-                if (elemType->isArrayTy())
-                    elemSize = SVFUtil::dyn_cast<SVFArrayType>(elemType)->getTypeOfElement()->getByteSize();
-                else
-                    elemSize = elemType->getByteSize();
-            }
-            else
-            {
-                elemSize = 1;
-            }
-        }
-        else
-        {
-            assert(false && "we cannot support this type");
-        }
     }
+
+    // Step 3: scale by element size and return
+    u32_t elemSize = getElementSize(as, strValue);
     if (len == 0)
-    {
         return IntervalValue((s64_t)0, (s64_t)Options::MaxFieldLimit());
-    }
-    else
-    {
-        return IntervalValue(len * elemSize);
-    }
+    return IntervalValue(len * elemSize);
+}
+
+// ===----------------------------------------------------------------------===//
+//  String/memory operation handlers
+// ===----------------------------------------------------------------------===//
+
+/// strcpy(dst, src): copy all of src (including '\0') into dst.
+/// Covers: strcpy, __strcpy_chk, stpcpy, wcscpy, __wcscpy_chk
+void AbsExtAPI::handleStrcpy(const CallICFGNode *call)
+{
+    AbstractState& as = getAbsStateFromTrace(call);
+    const SVFVar* dst = call->getArgument(0);
+    const SVFVar* src = call->getArgument(1);
+    IntervalValue srcLen = getStrlen(as, src);
+    // no need to -1, since srcLen includes up to (but not past) '\0'
+    if (!isValidLength(srcLen)) return;
+    handleMemcpy(as, dst, src, srcLen, 0);
 }
 
+/// strcat(dst, src): append all of src after the end of dst.
+/// Covers: strcat, __strcat_chk, wcscat, __wcscat_chk
+void AbsExtAPI::handleStrcat(const CallICFGNode *call)
+{
+    AbstractState& as = getAbsStateFromTrace(call);
+    const SVFVar* dst = call->getArgument(0);
+    const SVFVar* src = call->getArgument(1);
+    IntervalValue dstLen = getStrlen(as, dst);
+    IntervalValue srcLen = getStrlen(as, src);
+    if (!isValidLength(dstLen)) return;
+    handleMemcpy(as, dst, src, srcLen, dstLen.lb().getIntNumeral());
+}
 
-void AbsExtAPI::handleStrcat(const SVF::CallICFGNode *call)
+/// strncat(dst, src, n): append at most n bytes of src after the end of dst.
+/// Covers: strncat, __strncat_chk, wcsncat, __wcsncat_chk
+void AbsExtAPI::handleStrncat(const CallICFGNode *call)
 {
-    // __strcat_chk, strcat, __wcscat_chk, wcscat, __strncat_chk, strncat, __wcsncat_chk, wcsncat
-    // to check it is  strcat group or strncat group
     AbstractState& as = getAbsStateFromTrace(call);
-    const FunObjVar *fun = call->getCalledFunction();
-    const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
-    const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
-    if (std::find(strcatGroup.begin(), strcatGroup.end(), fun->getName()) != strcatGroup.end())
-    {
-        const SVFVar* arg0Val = call->getArgument(0);
-        const SVFVar* arg1Val = call->getArgument(1);
-        IntervalValue strLen0 = getStrlen(as, arg0Val);
-        IntervalValue strLen1 = getStrlen(as, arg1Val);
-        IntervalValue totalLen = strLen0 + strLen1;
-        handleMemcpy(as, arg0Val, arg1Val, strLen1, strLen0.lb().getIntNumeral());
-        // do memcpy
-    }
-    else if (std::find(strncatGroup.begin(), strncatGroup.end(), fun->getName()) != strncatGroup.end())
-    {
-        const SVFVar* arg0Val = call->getArgument(0);
-        const SVFVar* arg1Val = call->getArgument(1);
-        const SVFVar* arg2Val = call->getArgument(2);
-        IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
-        IntervalValue strLen0 = getStrlen(as, arg0Val);
-        IntervalValue totalLen = strLen0 + arg2Num;
-        handleMemcpy(as, arg0Val, arg1Val, arg2Num, strLen0.lb().getIntNumeral());
-        // do memcpy
-    }
-    else
-    {
-        assert(false && "unknown strcat function, please add it to strcatGroup or strncatGroup");
-    }
+    const SVFVar* dst = call->getArgument(0);
+    const SVFVar* src = call->getArgument(1);
+    IntervalValue n = as[call->getArgument(2)->getId()].getInterval();
+    IntervalValue dstLen = getStrlen(as, dst);
+    if (!isValidLength(dstLen)) return;
+    handleMemcpy(as, dst, src, n, dstLen.lb().getIntNumeral());
 }
 
-void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len,  u32_t start_idx)
+/// Core memcpy: copy `len` bytes from src to dst starting at dst[start_idx].
+void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst,
+                              const SVF::SVFVar *src, IntervalValue len,
+                              u32_t start_idx)
 {
-    u32_t dstId = dst->getId(); // pts(dstId) = {objid}  objbar objtypeinfo->getType().
+    if (!isValidLength(len)) return;
+
+    u32_t dstId = dst->getId();
     u32_t srcId = src->getId();
-    u32_t elemSize = 1;
-    if (dst->getType()->isArrayTy())
-    {
-        elemSize = SVFUtil::dyn_cast<SVFArrayType>(dst->getType())->getTypeOfElement()->getByteSize();
-    }
-    // memcpy(i32*, i32*, 40)
-    else if (dst->getType()->isPointerTy())
-    {
-        if (const SVFType* elemType = as.getPointeeElement(dstId))
-        {
-            if (elemType->isArrayTy())
-                elemSize = SVFUtil::dyn_cast<SVFArrayType>(elemType)->getTypeOfElement()->getByteSize();
-            else
-                elemSize = elemType->getByteSize();
-        }
-        else
-        {
-            elemSize = 1;
-        }
-    }
-    else
-    {
-        assert(false && "we cannot support this type");
-    }
-    u32_t size = std::min((u32_t)Options::MaxFieldLimit(), (u32_t) len.lb().getIntNumeral());
+    u32_t elemSize = getElementSize(as, dst);
+    u32_t size = std::min((u32_t)Options::MaxFieldLimit(),
+                          (u32_t)len.lb().getIntNumeral());
     u32_t range_val = size / elemSize;
-    if (as.inVarToAddrsTable(srcId) && as.inVarToAddrsTable(dstId))
+
+    if (!as.inVarToAddrsTable(srcId) || !as.inVarToAddrsTable(dstId))
+        return;
+
+    for (u32_t index = 0; index < range_val; index++)
     {
-        for (u32_t index = 0; index < range_val; index++)
+        AbstractValue expr_src =
+            as.getGepObjAddrs(srcId, IntervalValue(index));
+        AbstractValue expr_dst =
+            as.getGepObjAddrs(dstId, IntervalValue(index + start_idx));
+        for (const auto &dstAddr: expr_dst.getAddrs())
         {
-            // dead loop for string and break if there's a \0. If no \0, it will throw err.
-            AbstractValue expr_src =
-                as.getGepObjAddrs(srcId, IntervalValue(index));
-            AbstractValue expr_dst =
-                as.getGepObjAddrs(dstId, IntervalValue(index + start_idx));
-            for (const auto &dst: expr_dst.getAddrs())
+            for (const auto &srcAddr: expr_src.getAddrs())
             {
-                for (const auto &src: expr_src.getAddrs())
+                u32_t objId = as.getIDFromAddr(srcAddr);
+                if (as.inAddrToValTable(objId) || as.inAddrToAddrsTable(objId))
                 {
-                    u32_t objId = as.getIDFromAddr(src);
-                    if (as.inAddrToValTable(objId))
-                    {
-                        as.store(dst, as.load(src));
-                    }
-                    else if (as.inAddrToAddrsTable(objId))
-                    {
-                        as.store(dst, as.load(src));
-                    }
+                    as.store(dstAddr, as.load(srcAddr));
                 }
             }
         }
     }
 }
 
-void AbsExtAPI::handleMemset(AbstractState& as, const SVF::SVFVar *dst, IntervalValue elem, IntervalValue len)
+/// Core memset: fill dst with `elem` for `len` bytes.
+/// Note: elemSize here uses the pointee type's full size (not array element size)
+/// to match how LLVM memset/wmemset intrinsics measure `len`. For a pointer to
+/// wchar_t[100], elemSize = sizeof(wchar_t[100]), so range_val reflects the
+/// number of top-level GEP fields, not individual array elements.
+void AbsExtAPI::handleMemset(AbstractState& as, const SVF::SVFVar *dst,
+                              IntervalValue elem, IntervalValue len)
 {
+    if (!isValidLength(len)) return;
+
     u32_t dstId = dst->getId();
-    u32_t size = std::min((u32_t)Options::MaxFieldLimit(), (u32_t) len.lb().getIntNumeral());
     u32_t elemSize = 1;
     if (dst->getType()->isArrayTy())
     {
-        elemSize = SVFUtil::dyn_cast<SVFArrayType>(dst->getType())->getTypeOfElement()->getByteSize();
+        elemSize = SVFUtil::dyn_cast<SVFArrayType>(dst->getType())
+            ->getTypeOfElement()->getByteSize();
     }
     else if (dst->getType()->isPointerTy())
     {
         if (const SVFType* elemType = as.getPointeeElement(dstId))
-        {
             elemSize = elemType->getByteSize();
-        }
         else
-        {
             elemSize = 1;
-        }
     }
     else
     {
-        assert(false && "we cannot support this type");
+        assert(false && "unsupported type for element size");
     }
-
+    u32_t size = std::min((u32_t)Options::MaxFieldLimit(),
+                          (u32_t)len.lb().getIntNumeral());
     u32_t range_val = size / elemSize;
+
     for (u32_t index = 0; index < range_val; index++)
     {
-        // dead loop for string and break if there's a \0. If no \0, it will throw err.
-        if (as.inVarToAddrsTable(dstId))
+        if (!as.inVarToAddrsTable(dstId))
+            break;
+        AbstractValue lhs_gep = as.getGepObjAddrs(dstId, IntervalValue(index));
+        for (const auto &addr: lhs_gep.getAddrs())
         {
-            AbstractValue lhs_gep = as.getGepObjAddrs(dstId, IntervalValue(index));
-            for (const auto &addr: lhs_gep.getAddrs())
+            u32_t objId = as.getIDFromAddr(addr);
+            if (as.inAddrToValTable(objId))
             {
-                u32_t objId = as.getIDFromAddr(addr);
-                if (as.inAddrToValTable(objId))
-                {
-                    AbstractValue tmp = as.load(addr);
-                    tmp.join_with(elem);
-                    as.store(addr, tmp);
-                }
-                else
-                {
-                    as.store(addr, elem);
-                }
+                AbstractValue tmp = as.load(addr);
+                tmp.join_with(elem);
+                as.store(addr, tmp);
+            }
+            else
+            {
+                as.store(addr, elem);
             }
         }
-        else
-            break;
     }
 }