SVF-tools · bjjwwang · Jan 26, 2026 · Jan 28, 2026 · Jan 29, 2026 · Jan 31, 2026
diff --git a/svf/include/AE/Svfexe/AbsExtAPI.h b/svf/include/AE/Svfexe/AbsExtAPI.h
@@ -74,43 +74,23 @@ class AbsExtAPI
      */
     void handleExtAPI(const CallICFGNode *call);
 
-    /**
-     * @brief Handles the strcpy API call.
-     * @param call Pointer to the call ICFG node.
-     */
-    void handleStrcpy(const CallICFGNode *call);
+    // --- Shared primitives used by string/memory handlers ---
 
-    /**
-     * @brief Calculates the length of a string.
-     * @param as Reference to the abstract state.
-     * @param strValue Pointer to the SVF variable representing the string.
-     * @return The interval value representing the string length.
-     */
+    /// Get the byte size of each element for a pointer/array variable.
+    u32_t getElementSize(AbstractState& as, const SVFVar* var);
+
+    /// Check if an interval length is usable (not bottom, not unbounded).
+    static bool isValidLength(const IntervalValue& len);
+
+    /// Calculate the length of a null-terminated string in abstract state.
     IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue);
 
-    /**
-     * @brief Handles the strcat API call.
-     * @param call Pointer to the call ICFG node.
-     */
-    void handleStrcat(const SVF::CallICFGNode *call);
+    // --- String/memory operation handlers ---
 
-    /**
-     * @brief Handles the memcpy API call.
-     * @param as Reference to the abstract state.
-     * @param dst Pointer to the destination SVF variable.
-     * @param src Pointer to the source SVF variable.
-     * @param len The interval value representing the length to copy.
-     * @param start_idx The starting index for copying.
-     */
+    void handleStrcpy(const CallICFGNode *call);
+    void handleStrcat(const CallICFGNode *call);
+    void handleStrncat(const CallICFGNode *call);
     void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx);
-
-    /**
-     * @brief Handles the memset API call.
-     * @param as Reference to the abstract state.
-     * @param dst Pointer to the destination SVF variable.
-     * @param elem The interval value representing the element to set.
-     * @param len The interval value representing the length to set.
-     */
     void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len);
 
     /**

diff --git a/svf/include/AE/Svfexe/AbstractInterpretation.h b/svf/include/AE/Svfexe/AbstractInterpretation.h
@@ -36,6 +36,8 @@
 #include "Util/SVFBugReport.h"
 #include "Util/SVFStat.h"
 #include "Graphs/SCC.h"
+#include "Graphs/CallGraph.h"
+#include <deque>
 
 namespace SVF
 {
@@ -144,6 +146,13 @@ class AbstractInterpretation
     /// Program entry
     void analyse();
 
+    /// Analyze all entry points (functions without callers)
+    void analyzeFromAllProgEntries();
+
+    /// Get all entry point functions (functions without callers)
+    std::deque<const FunObjVar*> collectProgEntryFuns();
+
+
     static AbstractInterpretation& getAEInstance()
     {
         static AbstractInterpretation instance;
@@ -322,6 +331,8 @@ class AbstractInterpretation
     AEAPI* api{nullptr};
 
     ICFG* icfg;
+    CallGraph* callGraph;
+    CallGraphSCC* callGraphScc;
     AEStat* stat;
 
     std::vector<const CallICFGNode*> callSiteStack;
@@ -358,6 +369,7 @@ class AbstractInterpretation
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
 
     Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states immediately after nodes
+    Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;

diff --git a/svf/lib/AE/Svfexe/AEDetector.cpp b/svf/lib/AE/Svfexe/AEDetector.cpp
@@ -479,7 +479,23 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     SVFIR* svfir = PAG::getPAG();
     NodeID value_id = value->getId();
 
-    assert(as[value_id].isAddr());
+    // Lazy initialization for uninitialized pointer parameters in multi-entry analysis.
+    // When analyzing a function as an entry point (e.g., not called from main),
+    // pointer parameters may not have been initialized via AddrStmt.
+    //
+    // Example:
+    //   void process_buffer(char* buf, int len) {
+    //       buf[0] = 'a';  // accessing buf
+    //   }
+    // When analyzing process_buffer as an entry point, 'buf' is a function parameter
+    // with no AddrStmt, so it has no address information in the abstract state.
+    // We lazily initialize it to point to the black hole object (BlkPtr), representing
+    // an unknown but valid memory location. This allows the analysis to continue
+    // while being conservatively sound.
+    if (!as[value_id].isAddr())
+    {
+        as[value_id] = AddressValue(InvalidMemAddr);
+    }
     for (const auto& addr : as[value_id].getAddrs())
     {
         NodeID objId = as.getIDFromAddr(addr);