svf-tools 1.0.988 → 1.0.989

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.988",
+  "version": "1.0.989",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Svfexe/AEDetector.h

@@ -75,6 +75,12 @@ public:
      */
     virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
 
+    /**
+     * @brief Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
+     * @param call Pointer to the ext call ICFG node.
+     */
+    virtual void handleStubFunctions(const CallICFGNode* call) = 0;
+
     /**
      * @brief Pure virtual function to report detected bugs.
      */
@@ -169,6 +175,13 @@ public:
      */
     void detect(AbstractState& as, const ICFGNode*);
 
+
+    /**
+     * @brief Handles external API calls related to buffer overflow detection.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStubFunctions(const CallICFGNode*);
+
     /**
      * @brief Adds an offset to a GEP object.
      * @param obj Pointer to the GEP object.
@@ -277,11 +290,11 @@ public:
     /**
      * @brief Checks if memory can be safely accessed.
      * @param as Reference to the abstract state.
-     * @param value Pointer to the SVF value.
+     * @param value Pointer to the SVF var.
      * @param len The interval value representing the length of the memory access.
      * @return True if the memory access is safe, false otherwise.
      */
-    bool canSafelyAccessMemory(AbstractState& as, const SVFValue *value, const IntervalValue &len);
+    bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);
 
 private:
     /**

package/svf/include/AE/Svfexe/AbsExtAPI.h

@@ -0,0 +1,147 @@
+//===- AbsExtAPI.h -- Abstract Interpretation External API handler-----//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+
+//
+// Created by Jiawei Wang on 2024/9/9.
+//
+#pragma once
+#include "AE/Core/AbstractState.h"
+#include "AE/Core/ICFGWTO.h"
+#include "AE/Svfexe/AEDetector.h"
+#include "AE/Svfexe/AbsExtAPI.h"
+#include "Util/SVFBugReport.h"
+#include "WPA/Andersen.h"
+
+namespace SVF
+{
+
+// Forward declaration of AbstractInterpretation class
+class AbstractInterpretation;
+
+/**
+ * @class AbsExtAPI
+ * @brief Handles external API calls and manages abstract states.
+ */
+class AbsExtAPI
+{
+public:
+    /**
+     * @enum ExtAPIType
+     * @brief Enumeration of external API types.
+     */
+    enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT };
+
+    /**
+     * @brief Constructor for AbsExtAPI.
+     * @param abstractTrace Reference to a map of ICFG nodes to abstract states.
+     */
+    AbsExtAPI(Map<const ICFGNode*, AbstractState>& abstractTrace);
+
+    /**
+     * @brief Initializes the external function map.
+     */
+    void initExtFunMap();
+
+    /**
+     * @brief Reads a string from the abstract state.
+     * @param as Reference to the abstract state.
+     * @param rhs Pointer to the SVF variable representing the string.
+     * @return The string value.
+     */
+    std::string strRead(AbstractState& as, const SVFVar* rhs);
+
+    /**
+     * @brief Handles an external API call.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleExtAPI(const CallICFGNode *call);
+
+    /**
+     * @brief Handles the strcpy API call.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStrcpy(const CallICFGNode *call);
+
+    /**
+     * @brief Calculates the length of a string.
+     * @param as Reference to the abstract state.
+     * @param strValue Pointer to the SVF variable representing the string.
+     * @return The interval value representing the string length.
+     */
+    IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue);
+
+    /**
+     * @brief Handles the strcat API call.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStrcat(const SVF::CallICFGNode *call);
+
+    /**
+     * @brief Handles the memcpy API call.
+     * @param as Reference to the abstract state.
+     * @param dst Pointer to the destination SVF variable.
+     * @param src Pointer to the source SVF variable.
+     * @param len The interval value representing the length to copy.
+     * @param start_idx The starting index for copying.
+     */
+    void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx);
+
+    /**
+     * @brief Handles the memset API call.
+     * @param as Reference to the abstract state.
+     * @param dst Pointer to the destination SVF variable.
+     * @param elem The interval value representing the element to set.
+     * @param len The interval value representing the length to set.
+     */
+    void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len);
+
+    /**
+     * @brief Gets the range limit from a type.
+     * @param type Pointer to the SVF type.
+     * @return The interval value representing the range limit.
+     */
+    IntervalValue getRangeLimitFromType(const SVFType* type);
+
+    /**
+     * @brief Retrieves the abstract state from the trace for a given ICFG node.
+     * @param node Pointer to the ICFG node.
+     * @return Reference to the abstract state.
+     * @throws Assertion if no trace exists for the node.
+     */
+    AbstractState& getAbsStateFromTrace(const ICFGNode* node);
+
+    /**
+     * @brief Retrieves the SVF variable from a given SVF value.
+     * @param val Pointer to the SVF value.
+     * @return Pointer to the corresponding SVF variable.
+     */
+    const SVFVar* getSVFVar(const SVFValue* val);
+
+protected:
+    SVFIR* svfir; ///< Pointer to the SVF intermediate representation.
+    ICFG* icfg; ///< Pointer to the interprocedural control flow graph.
+    Map<const ICFGNode*, AbstractState>& abstractTrace; ///< Map of ICFG nodes to abstract states.
+    Map<std::string, std::function<void(const CallICFGNode*)>> func_map; ///< Map of function names to handlers.
+};
+
+} // namespace SVF

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -31,12 +31,14 @@
 #include "AE/Core/AbstractState.h"
 #include "AE/Core/ICFGWTO.h"
 #include "AE/Svfexe/AEDetector.h"
+#include "AE/Svfexe/AbsExtAPI.h"
 #include "Util/SVFBugReport.h"
 #include "WPA/Andersen.h"
 
 namespace SVF
 {
 class AbstractInterpretation;
+class AbsExtAPI;
 class AEStat;
 class AEAPI;
 
@@ -104,7 +106,6 @@ class AbstractInterpretation
     friend class BufOverflowDetector;
 
 public:
-    enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT };
     typedef SCCDetection<CallGraph*> CallGraphSCC;
     /// Constructor
     AbstractInterpretation();
@@ -128,7 +129,9 @@ public:
         detectors.push_back(std::move(detector));
     }
 
-protected:
+    Set<const CallICFGNode*> checkpoints; // for CI check
+
+private:
     /// Global ICFGNode is handled at the entry of the program,
     virtual void handleGlobalNode();
 
@@ -213,77 +216,6 @@ protected:
                                 AbstractState& as);
 
 
-    /**
-    * handle external function call
-    *
-    * @param call call node whose callee is external function
-    */
-    virtual void handleExtAPI(const CallICFGNode *call);
-
-    /**
-    * the map of external function to its API type
-    *
-    * In AEAPI, this function is mainly used for abstract explanation.
-    * In subclasses, this function is mainly used to check specific bugs
-    */
-    virtual void initExtFunMap();
-
-
-    /**
-    * get byte size of alloca inst
-    * e.g. source code str = "abc", there are str value, return "abc"
-    *
-    * @param rhs SVFValue of string
-    * @return the string
-    */
-    std::string strRead(AbstractState& as,const SVFValue* rhs);
-
-    /**
-    * get length of string
-    * e.g. source code str = "abc", return 3
-    *
-    * @param strValue SVFValue of string
-    * @return IntervalValue of string length
-    */
-    IntervalValue getStrlen(AbstractState& as, const SVF::SVFValue *strValue);
-
-    /**
-    * execute strcpy in abstract execution
-    * e.g  arr = new char[10]
-    *      str = "abc"
-    *      strcpy(arr, str)
-    * we can set arr[0]='a', arr[1]='b', arr[2]='c', arr[3]='\0'
-    * @param call callnode of strcpy like api
-    */
-    virtual void handleStrcpy(const CallICFGNode *call);
-    /**
-    * execute strcpy in abstract execution
-    * e.g  arr[10] = "abc"
-    *      str = "de"
-    *      strcat(arr, str)
-    * we can set arr[3]='d', arr[4]='e', arr[5]='\0'
-    * @param call callnode of strcat like api
-    */
-    virtual void handleStrcat(const CallICFGNode *call);
-    /**
-    * execute memcpy in abstract execution
-    * e.g  arr = new char[10]
-    *      str = "abcd"
-    *      memcpy(arr, str, 5)
-    * we can set arr[3]='d', arr[4]='e', arr[5]='\0'
-    * @param call callnode of memcpy like api
-    */
-    virtual void handleMemcpy(AbstractState& as, const SVFValue* dst, const SVFValue* src, IntervalValue len, u32_t start_idx);
-    /**
-    * execute memset in abstract execution
-    * e.g  arr = new char[10]
-    *      memset(arr, 'c', 2)
-    * we can set arr[0]='c', arr[1]='c', arr[2]='\0'
-    * @param call callnode of memset like api
-    */
-    virtual void handleMemset(AbstractState& as, const SVFValue* dst, IntervalValue elem, IntervalValue len);
-
-
     void collectCheckPoint();
     void checkPointAllSet();
 
@@ -309,8 +241,6 @@ protected:
 
     void updateStateOnPhi(const PhiStmt *phi);
 
-    IntervalValue getRangeLimitFromType(const SVFType* type);
-
 
     /// protected data members, also used in subclasses
     SVFIR* svfir;
@@ -324,18 +254,6 @@ protected:
     Map<const SVFFunction*, ICFGWTO*> funcToWTO;
     Set<const SVFFunction*> recursiveFuns;
 
-private:
-    // helper functions in handleCallSite
-    virtual bool isExtCall(const CallICFGNode* callNode);
-    virtual void extCallPass(const CallICFGNode* callNode);
-    virtual bool isRecursiveCall(const CallICFGNode* callNode);
-    virtual void recursiveCallPass(const CallICFGNode* callNode);
-    virtual bool isDirectCall(const CallICFGNode* callNode);
-    virtual void directCallFunPass(const CallICFGNode* callNode);
-    virtual bool isIndirectCall(const CallICFGNode* callNode);
-    virtual void indirectCallFunPass(const CallICFGNode* callNode);
-
-protected:
 
     AbstractState& getAbsStateFromTrace(const ICFGNode* node)
     {
@@ -356,16 +274,31 @@ protected:
         return abstractTrace.count(repNode) != 0;
     }
 
-protected:
+    AbsExtAPI* getUtils()
+    {
+        return utils;
+    }
+
+    // helper functions in handleCallSite
+    virtual bool isExtCall(const CallICFGNode* callNode);
+    virtual void extCallPass(const CallICFGNode* callNode);
+    virtual bool isRecursiveCall(const CallICFGNode* callNode);
+    virtual void recursiveCallPass(const CallICFGNode* callNode);
+    virtual bool isDirectCall(const CallICFGNode* callNode);
+    virtual void directCallFunPass(const CallICFGNode* callNode);
+    virtual bool isIndirectCall(const CallICFGNode* callNode);
+    virtual void indirectCallFunPass(const CallICFGNode* callNode);
+
     // there data should be shared with subclasses
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
-    Set<const CallICFGNode*> checkpoints;
-    Set<std::string> checkpoint_names;
-    Map<const ICFGNode*, AbstractState>
-    abstractTrace; // abstract states immediately after nodes
+
+    Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states immediately after nodes
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;
+    AbsExtAPI* utils;
+
+
 
 };
 }

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -26,6 +26,7 @@
 //
 
 #include <AE/Svfexe/AEDetector.h>
+#include <AE/Svfexe/AbsExtAPI.h>
 #include <AE/Svfexe/AbstractInterpretation.h>
 
 using namespace SVF;
@@ -101,6 +102,85 @@ void BufOverflowDetector::detect(AbstractState& as, const ICFGNode* node)
     }
 }
 
+
+/**
+ * @brief Handles stub functions within the ICFG node.
+ *
+ * This function is a placeholder for handling stub functions within the ICFG node.
+ *
+ * @param node Pointer to the ICFG node.
+ */
+void BufOverflowDetector::handleStubFunctions(const SVF::CallICFGNode* callNode)
+{
+    // get function name
+    SVFIR* svfir = PAG::getPAG();
+    std::string funcName = callNode->getCalledFunction()->getName();
+    if (funcName == "SAFE_BUFACCESS")
+    {
+        // void SAFE_BUFACCESS(void* data, int size);
+        AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
+        if (callNode->arg_size() < 2)
+            return;
+        AbstractState& as =
+            AbstractInterpretation::getAEInstance().getAbsStateFromTrace(
+                callNode);
+        u32_t size_id = svfir->getValueNode(callNode->getArgument(1));
+        IntervalValue val = as[size_id].getInterval();
+        if (val.isBottom())
+        {
+            val = IntervalValue(0);
+            assert(false && "SAFE_BUFACCESS size is bottom");
+        }
+        const SVFVar* arg0Val =
+            AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(
+                callNode->getArgument(0));
+        bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
+        if (isSafe)
+        {
+            std::cout << "safe buffer access success: " << callNode->toString()
+                      << std::endl;
+            return;
+        }
+        else
+        {
+            std::string err_msg = "this SAFE_BUFACCESS should be a safe access but detected buffer overflow. Pos: ";
+            err_msg += callNode->getSourceLoc();
+            std::cerr << err_msg << std::endl;
+            assert(false);
+        }
+    }
+    else if (funcName == "UNSAFE_BUFACCESS")
+    {
+        // handle other stub functions
+        //void UNSAFE_BUFACCESS(void* data, int size);
+        AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
+        if (callNode->arg_size() < 2) return;
+        AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
+        u32_t size_id = svfir->getValueNode(callNode->getArgument(1));
+        IntervalValue val = as[size_id].getInterval();
+        if (val.isBottom())
+        {
+            assert(false && "UNSAFE_BUFACCESS size is bottom");
+        }
+        const SVFVar* arg0Val =
+            AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(
+                callNode->getArgument(0));
+        bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
+        if (!isSafe)
+        {
+            std::cout << "detect buffer overflow success: " << callNode->toString() << std::endl;
+            return;
+        }
+        else
+        {
+            std::string err_msg = "this UNSAFE_BUFACCESS should be a buffer overflow but not detected. Pos: ";
+            err_msg += callNode->getSourceLoc();
+            std::cerr << err_msg << std::endl;
+            assert(false);
+        }
+    }
+}
+
 /**
  * @brief Initializes external API buffer overflow check rules.
  *
@@ -147,23 +227,23 @@ void BufOverflowDetector::detectExtAPI(AbstractState& as,
     SVFIR* svfir = PAG::getPAG();
     assert(call->getCalledFunction() && "SVFFunction* is nullptr");
 
-    AbstractInterpretation::ExtAPIType extType = AbstractInterpretation::UNCLASSIFIED;
+    AbsExtAPI::ExtAPIType extType = AbsExtAPI::UNCLASSIFIED;
 
     // Determine the type of external memory API
     for (const std::string &annotation : ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
     {
         if (annotation.find("MEMCPY") != std::string::npos)
-            extType = AbstractInterpretation::MEMCPY;
+            extType = AbsExtAPI::MEMCPY;
         if (annotation.find("MEMSET") != std::string::npos)
-            extType = AbstractInterpretation::MEMSET;
+            extType = AbsExtAPI::MEMSET;
         if (annotation.find("STRCPY") != std::string::npos)
-            extType = AbstractInterpretation::STRCPY;
+            extType = AbsExtAPI::STRCPY;
         if (annotation.find("STRCAT") != std::string::npos)
-            extType = AbstractInterpretation::STRCAT;
+            extType = AbsExtAPI::STRCAT;
     }
 
     // Apply buffer overflow checks based on the determined API type
-    if (extType == AbstractInterpretation::MEMCPY)
+    if (extType == AbsExtAPI::MEMCPY)
     {
         if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
         {
@@ -175,14 +255,15 @@ void BufOverflowDetector::detectExtAPI(AbstractState& as,
         for (auto arg : args)
         {
             IntervalValue offset = as[svfir->getValueNode(call->getArgument(arg.second))].getInterval() - IntervalValue(1);
-            if (!canSafelyAccessMemory(as, call->getArgument(arg.first), offset))
+            const SVFVar* argVar = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(arg.first));
+            if (!canSafelyAccessMemory(as, argVar, offset))
             {
                 AEException bug(call->toString());
                 addBugToReporter(bug, call);
             }
         }
     }
-    else if (extType == AbstractInterpretation::MEMSET)
+    else if (extType == AbsExtAPI::MEMSET)
     {
         if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
         {
@@ -194,14 +275,15 @@ void BufOverflowDetector::detectExtAPI(AbstractState& as,
         for (auto arg : args)
         {
             IntervalValue offset = as[svfir->getValueNode(call->getArgument(arg.second))].getInterval() - IntervalValue(1);
-            if (!canSafelyAccessMemory(as, call->getArgument(arg.first), offset))
+            const SVFVar* argVar = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(arg.first));
+            if (!canSafelyAccessMemory(as, argVar, offset))
             {
                 AEException bug(call->toString());
                 addBugToReporter(bug, call);
             }
         }
     }
-    else if (extType == AbstractInterpretation::STRCPY)
+    else if (extType == AbsExtAPI::STRCPY)
     {
         if (!detectStrcpy(as, call))
         {
@@ -209,7 +291,7 @@ void BufOverflowDetector::detectExtAPI(AbstractState& as,
             addBugToReporter(bug, call);
         }
     }
-    else if (extType == AbstractInterpretation::STRCAT)
+    else if (extType == AbsExtAPI::STRCAT)
     {
         if (!detectStrcat(as, call))
         {
@@ -319,9 +401,9 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(SVF::AddressValue gepAddrs,
  */
 bool BufOverflowDetector::detectStrcpy(AbstractState& as, const CallICFGNode *call)
 {
-    const SVFValue* arg0Val = call->getArgument(0);
-    const SVFValue* arg1Val = call->getArgument(1);
-    IntervalValue strLen = AbstractInterpretation::getAEInstance().getStrlen(as, arg1Val);
+    const SVFVar* arg0Val = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(0));
+    const SVFVar* arg1Val = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(1));
+    IntervalValue strLen = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
     return canSafelyAccessMemory(as, arg0Val, strLen);
 }
 
@@ -337,26 +419,24 @@ bool BufOverflowDetector::detectStrcpy(AbstractState& as, const CallICFGNode *ca
  */
 bool BufOverflowDetector::detectStrcat(AbstractState& as, const CallICFGNode *call)
 {
-    SVFIR* svfir = PAG::getPAG();
-
     const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
     const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
 
     if (std::find(strcatGroup.begin(), strcatGroup.end(), call->getCalledFunction()->getName()) != strcatGroup.end())
     {
-        const SVFValue* arg0Val = call->getArgument(0);
-        const SVFValue* arg1Val = call->getArgument(1);
-        IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getStrlen(as, arg0Val);
-        IntervalValue strLen1 = AbstractInterpretation::getAEInstance().getStrlen(as, arg1Val);
+        const SVFVar* arg0Val = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(0));
+        const SVFVar* arg1Val = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(1));
+        IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
+        IntervalValue strLen1 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
         IntervalValue totalLen = strLen0 + strLen1;
         return canSafelyAccessMemory(as, arg0Val, totalLen);
     }
     else if (std::find(strncatGroup.begin(), strncatGroup.end(), call->getCalledFunction()->getName()) != strncatGroup.end())
     {
-        const SVFValue* arg0Val = call->getArgument(0);
-        const SVFValue* arg2Val = call->getArgument(2);
-        IntervalValue arg2Num = as[svfir->getValueNode(arg2Val)].getInterval();
-        IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getStrlen(as, arg0Val);
+        const SVFVar* arg0Val = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(0));
+        const SVFVar* arg2Val = AbstractInterpretation::getAEInstance().getUtils()->getSVFVar(call->getArgument(2));
+        IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
+        IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
         IntervalValue totalLen = strLen0 + arg2Num;
         return canSafelyAccessMemory(as, arg0Val, totalLen);
     }
@@ -374,14 +454,14 @@ bool BufOverflowDetector::detectStrcat(AbstractState& as, const CallICFGNode *ca
  * does not exceed the allocated size of the buffer.
  *
  * @param as Reference to the abstract state.
- * @param value Pointer to the SVF value.
+ * @param value Pointer to the SVF var.
  * @param len The interval value representing the length of the memory access.
  * @return True if the memory access is safe, false otherwise.
  */
-bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SVFValue* value, const SVF::IntervalValue& len)
+bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SVFVar* value, const SVF::IntervalValue& len)
 {
     SVFIR* svfir = PAG::getPAG();
-    NodeID value_id = svfir->getValueNode(value);
+    NodeID value_id = value->getId();
 
     assert(as[value_id].isAddr());
     for (const auto& addr : as[value_id].getAddrs())