Merge pull request #1272 from bjjwwang/1204

fix offset>=so.size() assertion
SVF-tools · Dec 6, 2023 · 2b3b9f8 · 2b3b9f8
2 parents 1ec4620 + b40866a
commit 2b3b9f8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/svf/lib/AbstractExecution/SVFIR2ItvExeState.cpp b/svf/lib/AbstractExecution/SVFIR2ItvExeState.cpp
@@ -281,13 +281,9 @@ IntervalValue SVFIR2ItvExeState::getByteOffset(const GepStmt *gep)
         {
             u32_t elemByteSize = 1;
             if (const SVFArrayType* arrOperandType = SVFUtil::dyn_cast<SVFArrayType>(idxOperandType))
-            {
                 elemByteSize = arrOperandType->getTypeOfElement()->getByteSize();
-            }
             else if (const SVFPointerType* ptrOperandType = SVFUtil::dyn_cast<SVFPointerType>(idxOperandType))
-            {
                 elemByteSize = ptrOperandType->getPtrElementType()->getByteSize();
-            }
             else
                 assert(false && "idxOperandType must be ArrType or PtrType");
             if (const SVFConstantInt *op = SVFUtil::dyn_cast<SVFConstantInt>(idxOperandVar->getValue()))
@@ -301,12 +297,13 @@ IntervalValue SVFIR2ItvExeState::getByteOffset(const GepStmt *gep)
                 u32_t idx = _svfir->getValueNode(idxOperandVar->getValue());
                 IntervalValue idxVal = _es[idx];
                 if (idxVal.isBottom())
-                {
                     res = res + IntervalValue(0, 0);
-                }
                 else
                 {
-                    s64_t ub = (double)Options::MaxFieldLimit() /
+                    // if lb or ub is negative number, set 0.
+                    // if lb or ub is positive number, guarantee lb/ub * elemByteSize <= MaxFieldLimit
+                    s64_t ub = (idxVal.ub().getNumeral() < 0) ? 0 :
+                               (double)Options::MaxFieldLimit() /
                                elemByteSize >= idxVal.ub().getNumeral() ? elemByteSize * idxVal.ub().getNumeral(): Options::MaxFieldLimit();
                     s64_t lb = (idxVal.lb().getNumeral() < 0) ? 0 :
                                ((double)Options::MaxFieldLimit() /

diff --git a/svf/lib/MemoryModel/AccessPath.cpp b/svf/lib/MemoryModel/AccessPath.cpp
@@ -229,6 +229,17 @@ APOffset AccessPath::computeConstantOffset() const
             APOffset offset = op->getSExtValue();
             if (offset >= 0)
             {
+                const std::vector<u32_t>& so = SymbolTableInfo::SymbolInfo()->getTypeInfo(type)->getFlattenedElemIdxVec();
+                // if offset is larger than the size of getFlattenedElemIdxVec (overflow)
+                // set offset the last index of getFlattenedElemIdxVec to avoid assertion
+                if (offset >= (APOffset)so.size())
+                {
+                    SVFUtil::errs() << "It is overflow access, we access the last idx\n";
+                    offset = so.size() - 1;
+                } else {
+
+                }
+
                 u32_t flattenOffset =
                     SymbolTableInfo::SymbolInfo()->getFlattenedElemIdx(type,
                             offset);