Inconsistent field sensitivity for array accesses

[Yanhaoxi]

When using a union to overlay a named struct of function pointers with an array of function pointers, values written via the struct fields are stored correctly, but accessing them through the array results in only one function pointer being loaded/used.

#include <stdio.h>

void func1() { printf("func1 called\n"); }
void func2() { printf("func2 called\n"); }

typedef struct {
    union {
        struct {
            void (*func1)();
            void (*func2)();
        } named;
        void (*array[2])();
    };
} FuncArray;

int main() {
    FuncArray fa;
    
    fa.named.func1 = func1;
    fa.named.func2 = func2;
    
    for (int i = 0; i < 2; i++) {
        fa.array[i]();
    }
    
    return 0;
}

It seems that all GEP-based accesses to the array have fldIdx = 0, which causes this problem.

[yuleisui]

Yes, the array was treated insensitively by default in standard Andersen's analysis, so the array of function pointers is treated as one.

You could turn on the option -model-arrays to have a try.

[Yanhaoxi]

When I run

./wpa -sfrander -dump-constraint-graph -print-pts -model-arrays ./union_fptr.bc
./wpa -ander -dump-constraint-graph -print-pts -model-arrays ./union_fptr.bc

the result is still:

NodeID 51 PointsTo: { 7 }

and the constraint graph remains unchanged.

My expectation was that the following instruction

%15 = getelementptr inbounds [2 x ptr], ptr %12, i64 0, i64 %14

would be handled via VariantGepCGEdge, causing the corresponding object to be treated as field-insensitive and all obj.field nodes to be collapsed accordingly. However, this does not seem to happen in this case.

[yuleisui]

Yes, your understanding is correct, as SVF by default does not support array-sensitive for Andersen.

It would be appreciated if you could help debug and identify any issues related to how arrays should be modelled when -model-arrays is enabled.