WIP: Baseline which can run big programs

svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -36,6 +36,7 @@
 #include "Util/SVFBugReport.h"
 #include "Util/SVFStat.h"
 #include "Graphs/SCC.h"
+#include <deque>
 
 namespace SVF
 {
@@ -144,6 +145,15 @@ class AbstractInterpretation
     /// Program entry
     void analyse();
 
+    /// Analyze all entry points (functions without callers)
+    void analyzeFromAllProgEntries();
+
+    /// Get all entry point functions (functions without callers)
+    std::deque<const FunObjVar*> collectProgEntryFuns();
+
+    /// Clear abstract trace for fresh analysis from new entry
+    void clearAbstractTrace();
+
     static AbstractInterpretation& getAEInstance()
     {
         static AbstractInterpretation instance;
@@ -358,6 +368,7 @@ class AbstractInterpretation
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
 
     Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states immediately after nodes
+    Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;

svf/include/Util/Options.h

@@ -267,6 +267,11 @@ class Options
 
     // float precision for symbolic abstraction
     static const Option<u32_t> AEPrecision;
+
+    /// Comma-separated list of function names to use as analysis entry points.
+    /// If empty (default), all functions without callers are used as entry points.
+    /// Example: -ae-entry-funcs="main,init,setup"
+    static const Option<std::string> AEEntryFuncs;
 };
 }  // namespace SVF
 

svf/lib/AE/Svfexe/AEDetector.cpp

@@ -479,7 +479,24 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     SVFIR* svfir = PAG::getPAG();
     NodeID value_id = value->getId();
 
-    assert(as[value_id].isAddr());
+    // Lazy initialization for uninitialized pointer parameters in multi-entry analysis.
+    // When analyzing a function as an entry point (e.g., not called from main),
+    // pointer parameters may not have been initialized via AddrStmt.
+    //
+    // Example:
+    //   void process_buffer(char* buf, int len) {
+    //       buf[0] = 'a';  // accessing buf
+    //   }
+    // When analyzing process_buffer as an entry point, 'buf' is a function parameter
+    // with no AddrStmt, so it has no address information in the abstract state.
+    // We lazily initialize it to point to the black hole object (BlkPtr), representing
+    // an unknown but valid memory location. This allows the analysis to continue
+    // while being conservatively sound.
+    if (!as[value_id].isAddr())
+    {
+        NodeID blkPtrId = svfir->getBlkPtr();
+        as[value_id] = AddressValue(AbstractState::getVirtualMemAddress(blkPtrId));
+    }
     for (const auto& addr : as[value_id].getAddrs())
     {
         NodeID objId = as.getIDFromAddr(addr);

svf/lib/AE/Svfexe/AbsExtAPI.cpp

@@ -498,6 +498,9 @@ void AbsExtAPI::handleStrcpy(const CallICFGNode *call)
     const SVFVar* arg1Val = call->getArgument(1);
     IntervalValue strLen = getStrlen(as, arg1Val);
     // no need to -1, since it has \0 as the last byte
+    // Skip if strLen is bottom or unbounded
+    if (strLen.isBottom() || strLen.lb().is_minus_infinity())
+        return;
     handleMemcpy(as, arg0Val, arg1Val, strLen, strLen.lb().getIntNumeral());
 }
 
@@ -592,6 +595,9 @@ void AbsExtAPI::handleStrcat(const SVF::CallICFGNode *call)
         IntervalValue strLen0 = getStrlen(as, arg0Val);
         IntervalValue strLen1 = getStrlen(as, arg1Val);
         IntervalValue totalLen = strLen0 + strLen1;
+        // Skip if strLen0 is bottom or unbounded
+        if (strLen0.isBottom() || strLen0.lb().is_minus_infinity())
+            return;
         handleMemcpy(as, arg0Val, arg1Val, strLen1, strLen0.lb().getIntNumeral());
         // do memcpy
     }
@@ -603,6 +609,9 @@ void AbsExtAPI::handleStrcat(const SVF::CallICFGNode *call)
         IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
         IntervalValue strLen0 = getStrlen(as, arg0Val);
         IntervalValue totalLen = strLen0 + arg2Num;
+        // Skip if strLen0 is bottom or unbounded
+        if (strLen0.isBottom() || strLen0.lb().is_minus_infinity())
+            return;
         handleMemcpy(as, arg0Val, arg1Val, arg2Num, strLen0.lb().getIntNumeral());
         // do memcpy
     }
@@ -640,6 +649,11 @@ void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SV
     {
         assert(false && "we cannot support this type");
     }
+    // Handle bottom or unbounded interval - skip memcpy in these cases
+    if (len.isBottom() || len.lb().is_minus_infinity())
+    {
+        return;
+    }
     u32_t size = std::min((u32_t)Options::MaxFieldLimit(), (u32_t) len.lb().getIntNumeral());
     u32_t range_val = size / elemSize;
     if (as.inVarToAddrsTable(srcId) && as.inVarToAddrsTable(dstId))
@@ -672,6 +686,11 @@ void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SV
 
 void AbsExtAPI::handleMemset(AbstractState& as, const SVF::SVFVar *dst, IntervalValue elem, IntervalValue len)
 {
+    // Handle bottom or unbounded interval - skip memset in these cases
+    if (len.isBottom() || len.lb().is_minus_infinity())
+    {
+        return;
+    }
     u32_t dstId = dst->getId();
     u32_t size = std::min((u32_t)Options::MaxFieldLimit(), (u32_t) len.lb().getIntNumeral());
     u32_t elemSize = 1;