svf-tools 1.0.978 → 1.0.980

package/svf/include/Util/SVFUtil.h

@@ -203,7 +203,7 @@ inline CallSite getSVFCallSite(const SVFInstruction* inst)
 /// Match arguments for callsite at caller and callee
 /// if the arg size does not match then we do not need to connect this parameter
 /// unless the callee is a variadic function (the first parameter of variadic function is its parameter number)
-bool matchArgs(const SVFInstruction* cs, const SVFFunction* callee);
+bool matchArgs(const CallSite cs, const SVFFunction* callee);
 
 /// Return LLVM callsite given a value
 inline CallSite getSVFCallSite(const SVFValue* value)
@@ -466,11 +466,6 @@ inline int getHeapAllocHoldingArgPosition(const CallSite cs)
 {
     return getHeapAllocHoldingArgPosition(getCallee(cs));
 }
-
-inline int getHeapAllocHoldingArgPosition(const SVFInstruction *inst)
-{
-    return getHeapAllocHoldingArgPosition(getCallee(inst));
-}
 //@}
 
 inline bool isReallocExtCall(const CallSite cs)
@@ -478,12 +473,6 @@ inline bool isReallocExtCall(const CallSite cs)
     bool isPtrTy = cs.getInstruction()->getType()->isPointerTy();
     return isPtrTy && isReallocExtFun(getCallee(cs));
 }
-
-inline bool isReallocExtCall(const SVFInstruction *inst)
-{
-    bool isPtrTy = inst->getType()->isPointerTy();
-    return isPtrTy && isReallocExtFun(getCallee(inst));
-}
 //@}
 
 /// Return true if this is a thread creation call
@@ -504,10 +493,6 @@ inline bool isThreadJoinCall(const CallSite cs)
 {
     return ThreadAPI::getThreadAPI()->isTDJoin(cs.getInstruction());
 }
-inline bool isThreadJoinCall(const SVFInstruction *inst)
-{
-    return ThreadAPI::getThreadAPI()->isTDJoin(inst);
-}
 //@}
 
 /// Return true if this is a thread exit call
@@ -516,10 +501,6 @@ inline bool isThreadExitCall(const CallSite cs)
 {
     return ThreadAPI::getThreadAPI()->isTDExit(cs.getInstruction());
 }
-inline bool isThreadExitCall(const SVFInstruction *inst)
-{
-    return ThreadAPI::getThreadAPI()->isTDExit(inst);
-}
 //@}
 
 /// Return true if this is a lock acquire call
@@ -528,10 +509,6 @@ inline bool isLockAquireCall(const CallSite cs)
 {
     return ThreadAPI::getThreadAPI()->isTDAcquire(cs.getInstruction());
 }
-inline bool isLockAquireCall(const SVFInstruction *inst)
-{
-    return ThreadAPI::getThreadAPI()->isTDAcquire(inst);
-}
 //@}
 
 /// Return true if this is a lock acquire call
@@ -540,10 +517,6 @@ inline bool isLockReleaseCall(const CallSite cs)
 {
     return ThreadAPI::getThreadAPI()->isTDRelease(cs.getInstruction());
 }
-inline bool isLockReleaseCall(const SVFInstruction *inst)
-{
-    return ThreadAPI::getThreadAPI()->isTDRelease(inst);
-}
 //@}
 
 /// Return true if this is a barrier wait call
@@ -552,10 +525,6 @@ inline bool isBarrierWaitCall(const CallSite cs)
 {
     return ThreadAPI::getThreadAPI()->isTDBarWait(cs.getInstruction());
 }
-inline bool isBarrierWaitCall(const SVFInstruction *inst)
-{
-    return ThreadAPI::getThreadAPI()->isTDBarWait(inst);
-}
 //@}
 
 /// Return sole argument of the thread routine
@@ -564,10 +533,6 @@ inline const SVFValue* getActualParmAtForkSite(const CallSite cs)
 {
     return ThreadAPI::getThreadAPI()->getActualParmAtForkSite(cs.getInstruction());
 }
-inline const SVFValue* getActualParmAtForkSite(const SVFInstruction *inst)
-{
-    return ThreadAPI::getThreadAPI()->getActualParmAtForkSite(inst);
-}
 //@}
 
 
@@ -576,10 +541,6 @@ inline bool isProgExitCall(const CallSite cs)
     return isProgExitFunction(getCallee(cs));
 }
 
-inline bool isProgExitCall(const SVFInstruction *inst)
-{
-    return isProgExitFunction(getCallee(inst));
-}
 
 template<typename T>
 constexpr typename std::remove_reference<T>::type &&

package/svf/lib/AE/Core/AbstractState.cpp

@@ -468,4 +468,60 @@ void AbstractState::printAbstractState() const
         }
     }
     SVFUtil::outs() << "-----------------------------------------\n";
+}
+
+const SVFType* AbstractState::getPointeeElement(NodeID id)
+{
+    SVFIR* svfir = PAG::getPAG();
+    if (inVarToAddrsTable(id))
+    {
+        const AbstractValue& addrs = (*this)[id];
+        for (auto addr: addrs.getAddrs())
+        {
+            NodeID addr_id = AbstractState::getInternalID(addr);
+            if (addr_id == 0) // nullptr has no memobj, skip
+                continue;
+            return SVFUtil::dyn_cast<ObjVar>(svfir->getGNode(addr_id))->getMemObj()->getType();
+        }
+    }
+    else
+    {
+        // do nothing if no record in addrs table.
+    }
+    return nullptr;
+}
+
+u32_t AbstractState::getAllocaInstByteSize(const AddrStmt *addr)
+{
+    SVFIR* svfir = PAG::getPAG();
+    if (const ObjVar* objvar = SVFUtil::dyn_cast<ObjVar>(addr->getRHSVar()))
+    {
+        objvar->getType();
+        if (objvar->getMemObj()->isConstantByteSize())
+        {
+            u32_t sz = objvar->getMemObj()->getByteSizeOfObj();
+            return sz;
+        }
+
+        else
+        {
+            const std::vector<SVFValue*>& sizes = addr->getArrSize();
+            // Default element size is set to 1.
+            u32_t elementSize = 1;
+            u64_t res = elementSize;
+            for (const SVFValue* value: sizes)
+            {
+                if (!inVarToValTable(svfir->getValueNode(value)))
+                {
+                    (*this)[svfir->getValueNode(value)] = IntervalValue(Options::MaxFieldLimit());
+                }
+                IntervalValue itv =
+                    (*this)[svfir->getValueNode(value)].getInterval();
+                res = res * itv.ub().getIntNumeral() > Options::MaxFieldLimit()? Options::MaxFieldLimit(): res * itv.ub().getIntNumeral();
+            }
+            return (u32_t)res;
+        }
+    }
+    assert (false && "Addr rhs value is not ObjVar");
+    abort();
 }

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -0,0 +1,435 @@
+//===- AEDetector.cpp -- Vulnerability Detectors---------------------------------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+
+//
+// Created by Jiawei Wang on 2024/8/20.
+//
+
+#include <AE/Svfexe/AEDetector.h>
+#include <AE/Svfexe/AbstractInterpretation.h>
+
+using namespace SVF;
+
+/**
+ * @brief Detects buffer overflow issues within a given ICFG node.
+ *
+ * This function handles both non-call nodes, where it analyzes GEP (GetElementPtr)
+ * instructions for potential buffer overflows, and call nodes, where it checks
+ * for external API calls that may cause overflows.
+ *
+ * @param as Reference to the abstract state.
+ * @param node Pointer to the ICFG node.
+ */
+void BufOverflowDetector::detect(AbstractState& as, const ICFGNode* node)
+{
+    if (!SVFUtil::isa<CallICFGNode>(node))
+    {
+        // Handle non-call nodes by analyzing GEP instructions
+        for (const SVFStmt* stmt : node->getSVFStmts())
+        {
+            if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
+            {
+                SVFIR* svfir = PAG::getPAG();
+                NodeID lhs = gep->getLHSVarID();
+                NodeID rhs = gep->getRHSVarID();
+
+                // Update the GEP object offset from its base
+                updateGepObjOffsetFromBase(as[lhs].getAddrs(), as[rhs].getAddrs(), as.getByteOffset(gep));
+
+                IntervalValue baseObjSize = IntervalValue::bottom();
+                AddressValue objAddrs = as[gep->getRHSVarID()].getAddrs();
+                for (const auto& addr : objAddrs)
+                {
+                    NodeID objId = AbstractState::getInternalID(addr);
+                    u32_t size = 0;
+
+                    if (svfir->getBaseObj(objId)->isConstantByteSize())
+                    {
+                        size = svfir->getBaseObj(objId)->getByteSizeOfObj();
+                    }
+                    else
+                    {
+                        const ICFGNode* addrNode = svfir->getICFG()->getICFGNode(SVFUtil::cast<SVFInstruction>(svfir->getBaseObj(objId)->getValue()));
+                        for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
+                        {
+                            if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
+                            {
+                                size = as.getAllocaInstByteSize(addrStmt);
+                            }
+                        }
+                    }
+
+                    // Calculate access offset and check for potential overflow
+                    IntervalValue accessOffset = getAccessOffset(as, objId, gep);
+                    if (accessOffset.ub().getIntNumeral() >= size)
+                    {
+                        AEException bug(stmt->toString());
+                        addBugToReporter(bug, stmt->getICFGNode());
+                    }
+                }
+            }
+        }
+    }
+    else
+    {
+        // Handle call nodes by checking for external API calls
+        const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
+        const SVFFunction *callfun = SVFUtil::getCallee(callNode->getCallSite());
+        if (SVFUtil::isExtCall(callfun))
+        {
+            detectExtAPI(as, callNode);
+        }
+    }
+}
+
+/**
+ * @brief Initializes external API buffer overflow check rules.
+ *
+ * This function sets up rules for various memory-related functions like memcpy,
+ * memset, etc., defining which arguments should be checked for buffer overflows.
+ */
+void BufOverflowDetector::initExtAPIBufOverflowCheckRules()
+{
+    extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memcpy_p0_p0_i64"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memcpy"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memmove"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memmove_p0_p0_i64"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["__memcpy_chk"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["memmove"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["bcopy"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["memccpy"] = {{0, 3}, {1, 3}};
+    extAPIBufOverflowCheckRules["__memmove_chk"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["llvm_memset"] = {{0, 2}};
+    extAPIBufOverflowCheckRules["llvm_memset_p0i8_i32"] = {{0, 2}};
+    extAPIBufOverflowCheckRules["llvm_memset_p0i8_i64"] = {{0, 2}};
+    extAPIBufOverflowCheckRules["llvm_memset_p0_i64"] = {{0, 2}};
+    extAPIBufOverflowCheckRules["__memset_chk"] = {{0, 2}};
+    extAPIBufOverflowCheckRules["wmemset"] = {{0, 2}};
+    extAPIBufOverflowCheckRules["strncpy"] = {{0, 2}, {1, 2}};
+    extAPIBufOverflowCheckRules["iconv"] = {{1, 2}, {3, 4}};
+}
+
+/**
+ * @brief Handles external API calls related to buffer overflow detection.
+ *
+ * This function checks the type of external memory API (e.g., memcpy, memset, strcpy, strcat)
+ * and applies the corresponding buffer overflow checks based on predefined rules.
+ *
+ * @param as Reference to the abstract state.
+ * @param call Pointer to the call ICFG node.
+ */
+void BufOverflowDetector::detectExtAPI(AbstractState& as,
+                                       const CallICFGNode* call)
+{
+    SVFIR* svfir = PAG::getPAG();
+    const SVFFunction *fun = SVFUtil::getCallee(call->getCallSite());
+    assert(fun && "SVFFunction* is nullptr");
+    CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
+
+    AbstractInterpretation::ExtAPIType extType = AbstractInterpretation::UNCLASSIFIED;
+
+    // Determine the type of external memory API
+    for (const std::string &annotation : fun->getAnnotations())
+    {
+        if (annotation.find("MEMCPY") != std::string::npos)
+            extType = AbstractInterpretation::MEMCPY;
+        if (annotation.find("MEMSET") != std::string::npos)
+            extType = AbstractInterpretation::MEMSET;
+        if (annotation.find("STRCPY") != std::string::npos)
+            extType = AbstractInterpretation::STRCPY;
+        if (annotation.find("STRCAT") != std::string::npos)
+            extType = AbstractInterpretation::STRCAT;
+    }
+
+    // Apply buffer overflow checks based on the determined API type
+    if (extType == AbstractInterpretation::MEMCPY)
+    {
+        if (extAPIBufOverflowCheckRules.count(fun->getName()) == 0)
+        {
+            SVFUtil::errs() << "Warning: " << fun->getName() << " is not in the rules, please implement it\n";
+            return;
+        }
+        std::vector<std::pair<u32_t, u32_t>> args =
+                                              extAPIBufOverflowCheckRules.at(fun->getName());
+        for (auto arg : args)
+        {
+            IntervalValue offset = as[svfir->getValueNode(cs.getArgument(arg.second))].getInterval() - IntervalValue(1);
+            if (!canSafelyAccessMemory(as, cs.getArgument(arg.first), offset))
+            {
+                AEException bug(call->getCallSite()->toString());
+                addBugToReporter(bug, call);
+            }
+        }
+    }
+    else if (extType == AbstractInterpretation::MEMSET)
+    {
+        if (extAPIBufOverflowCheckRules.count(fun->getName()) == 0)
+        {
+            SVFUtil::errs() << "Warning: " << fun->getName() << " is not in the rules, please implement it\n";
+            return;
+        }
+        std::vector<std::pair<u32_t, u32_t>> args =
+                                              extAPIBufOverflowCheckRules.at(fun->getName());
+        for (auto arg : args)
+        {
+            IntervalValue offset = as[svfir->getValueNode(cs.getArgument(arg.second))].getInterval() - IntervalValue(1);
+            if (!canSafelyAccessMemory(as, cs.getArgument(arg.first), offset))
+            {
+                AEException bug(call->getCallSite()->toString());
+                addBugToReporter(bug, call);
+            }
+        }
+    }
+    else if (extType == AbstractInterpretation::STRCPY)
+    {
+        if (!detectStrcpy(as, call))
+        {
+            AEException bug(call->getCallSite()->toString());
+            addBugToReporter(bug, call);
+        }
+    }
+    else if (extType == AbstractInterpretation::STRCAT)
+    {
+        if (!detectStrcat(as, call))
+        {
+            AEException bug(call->getCallSite()->toString());
+            addBugToReporter(bug, call);
+        }
+    }
+    else
+    {
+        // Handle other cases
+    }
+}
+
+/**
+ * @brief Retrieves the access offset for a given object and GEP statement.
+ *
+ * This function calculates the access offset for a base object or a sub-object of an
+ * aggregate object (using GEP). If the object is a dummy object, it returns a top interval value.
+ *
+ * @param as Reference to the abstract state.
+ * @param objId The ID of the object.
+ * @param gep Pointer to the GEP statement.
+ * @return The interval value of the access offset.
+ */
+IntervalValue BufOverflowDetector::getAccessOffset(SVF::AbstractState& as, SVF::NodeID objId, const SVF::GepStmt* gep)
+{
+    SVFIR* svfir = PAG::getPAG();
+    auto obj = svfir->getGNode(objId);
+
+    // if the object is a FIObjVar, return the byte offset directly
+    if (SVFUtil::isa<FIObjVar>(obj))
+    {
+        return as.getByteOffset(gep);
+    }
+    else if (SVFUtil::isa<GepObjVar>(obj))
+    {
+        // if the object is a GepObjVar, return the offset from the base object
+        return getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(obj)) + as.getByteOffset(gep);
+    }
+    else
+    {
+        assert(SVFUtil::isa<DummyObjVar>(obj) && "Unknown object type");
+        return IntervalValue::top();
+    }
+}
+
+/**
+ * @brief Updates the offset of a GEP object from its base.
+ *
+ * This function calculates and stores the offset of a GEP object from its base object
+ * using the addresses and offsets provided.
+ *
+ * @param gepAddrs The addresses of the GEP objects.
+ * @param objAddrs The addresses of the base objects.
+ * @param offset The interval value of the offset.
+ */
+void BufOverflowDetector::updateGepObjOffsetFromBase(SVF::AddressValue gepAddrs, SVF::AddressValue objAddrs, SVF::IntervalValue offset)
+{
+    SVFIR* svfir = PAG::getPAG();
+
+    for (const auto& objAddr : objAddrs)
+    {
+        NodeID objId = AbstractState::getInternalID(objAddr);
+        auto obj = svfir->getGNode(objId);
+        // if the object is a FIObjVar, add the offset directly
+        if (SVFUtil::isa<FIObjVar>(obj))
+        {
+            for (const auto& gepAddr : gepAddrs)
+            {
+                NodeID gepObj = AbstractState::getInternalID(gepAddr);
+                const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
+                addToGepObjOffsetFromBase(gepObjVar, offset);
+            }
+        }
+        else if (SVFUtil::isa<GepObjVar>(obj))
+        {
+            // if the object is a GepObjVar, add the offset from the base object
+            const GepObjVar* objVar = SVFUtil::cast<GepObjVar>(obj);
+            for (const auto& gepAddr : gepAddrs)
+            {
+                NodeID gepObj = AbstractState::getInternalID(gepAddr);
+                const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
+                if (hasGepObjOffsetFromBase(objVar))
+                {
+                    IntervalValue objOffsetFromBase = getGepObjOffsetFromBase(objVar);
+                    if (!hasGepObjOffsetFromBase(gepObjVar))
+                        addToGepObjOffsetFromBase(gepObjVar, objOffsetFromBase + offset);
+                }
+                else
+                {
+                    assert(false && "GEP RHS object has no offset from base");
+                }
+            }
+        }
+    }
+}
+
+/**
+ * @brief Detects buffer overflow in 'strcpy' function calls.
+ *
+ * This function checks if the destination buffer can safely accommodate the
+ * source string being copied, accounting for the null terminator.
+ *
+ * @param as Reference to the abstract state.
+ * @param call Pointer to the call ICFG node.
+ * @return True if the memory access is safe, false otherwise.
+ */
+bool BufOverflowDetector::detectStrcpy(AbstractState& as, const CallICFGNode *call)
+{
+    CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
+    const SVFValue* arg0Val = cs.getArgument(0);
+    const SVFValue* arg1Val = cs.getArgument(1);
+    IntervalValue strLen = AbstractInterpretation::getAEInstance().getStrlen(as, arg1Val);
+    return canSafelyAccessMemory(as, arg0Val, strLen);
+}
+
+/**
+ * @brief Detects buffer overflow in 'strcat' function calls.
+ *
+ * This function checks if the destination buffer can safely accommodate both the
+ * existing string and the concatenated string from the source.
+ *
+ * @param as Reference to the abstract state.
+ * @param call Pointer to the call ICFG node.
+ * @return True if the memory access is safe, false otherwise.
+ */
+bool BufOverflowDetector::detectStrcat(AbstractState& as, const CallICFGNode *call)
+{
+    SVFIR* svfir = PAG::getPAG();
+    const SVFFunction *fun = SVFUtil::getCallee(call->getCallSite());
+
+    const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
+    const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
+
+    if (std::find(strcatGroup.begin(), strcatGroup.end(), fun->getName()) != strcatGroup.end())
+    {
+        CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
+        const SVFValue* arg0Val = cs.getArgument(0);
+        const SVFValue* arg1Val = cs.getArgument(1);
+        IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getStrlen(as, arg0Val);
+        IntervalValue strLen1 = AbstractInterpretation::getAEInstance().getStrlen(as, arg1Val);
+        IntervalValue totalLen = strLen0 + strLen1;
+        return canSafelyAccessMemory(as, arg0Val, totalLen);
+    }
+    else if (std::find(strncatGroup.begin(), strncatGroup.end(), fun->getName()) != strncatGroup.end())
+    {
+        CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
+        const SVFValue* arg0Val = cs.getArgument(0);
+        const SVFValue* arg2Val = cs.getArgument(2);
+        IntervalValue arg2Num = as[svfir->getValueNode(arg2Val)].getInterval();
+        IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getStrlen(as, arg0Val);
+        IntervalValue totalLen = strLen0 + arg2Num;
+        return canSafelyAccessMemory(as, arg0Val, totalLen);
+    }
+    else
+    {
+        assert(false && "Unknown strcat function, please add it to strcatGroup or strncatGroup");
+        abort();
+    }
+}
+
+/**
+ * @brief Checks if a memory access is safe given a specific buffer length.
+ *
+ * This function ensures that a given memory access, starting at a specific value,
+ * does not exceed the allocated size of the buffer.
+ *
+ * @param as Reference to the abstract state.
+ * @param value Pointer to the SVF value.
+ * @param len The interval value representing the length of the memory access.
+ * @return True if the memory access is safe, false otherwise.
+ */
+bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SVFValue* value, const SVF::IntervalValue& len)
+{
+    SVFIR* svfir = PAG::getPAG();
+    NodeID value_id = svfir->getValueNode(value);
+
+    assert(as[value_id].isAddr());
+    for (const auto& addr : as[value_id].getAddrs())
+    {
+        NodeID objId = AbstractState::getInternalID(addr);
+        u32_t size = 0;
+
+        // if the object is a constant size object, get the size directly
+        if (svfir->getBaseObj(objId)->isConstantByteSize())
+        {
+            size = svfir->getBaseObj(objId)->getByteSizeOfObj();
+        }
+        else
+        {
+            // if the object is not a constant size object, get the size from the addrStmt
+            const ICFGNode* addrNode = svfir->getICFG()->getICFGNode(SVFUtil::cast<SVFInstruction>(svfir->getBaseObj(objId)->getValue()));
+            for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
+            {
+                if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
+                {
+                    size = as.getAllocaInstByteSize(addrStmt);
+                }
+            }
+        }
+
+        IntervalValue offset(0);
+        // if the object is a GepObjVar, get the offset from the base object
+        if (SVFUtil::isa<GepObjVar>(svfir->getGNode(objId)))
+        {
+            offset = getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(svfir->getGNode(objId))) + len;
+        }
+        else
+        {
+            // if the object is a FIObjVar, get the offset directly
+            offset = len;
+        }
+        // if the offset is greater than the size, return false
+        if (offset.ub().getIntNumeral() >= size)
+        {
+            return false;
+        }
+    }
+    return true;
+}