hot fix for out of bound read to values

VaynNecol · VaynNecol · commit 48f00f8e3785 · 2025-03-01T13:39:06.000+08:00
diff --git a/rapx/src/analysis/safedrop/alias.rs b/rapx/src/analysis/safedrop/alias.rs
@@ -127,7 +127,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
     // assign to the variable _x, we will set the birth of _x and its child self.values a new birth.
     pub fn fill_birth(&mut self, node: usize, birth: isize) {
         self.values[node].birth = birth;
-        for i in 0..self.alias_set.len() {
+        for i in 0..self.values.len() {
             if self.union_is_same(i, node) && self.values[i].birth == -1 {
                 self.values[i].birth = birth;
             }
@@ -172,7 +172,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
                         node.birth = self.values[proj_id].birth;
                         node.field_id = field_idx;
                         self.values[proj_id].fields.insert(field_idx, node.index);
-                        self.alias_set.push(self.values.len());
+                        self.alias_set.push(self.alias_set.len());
                         self.dead_record.push(false);
                         self.values.push(node);
                     }
@@ -206,7 +206,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
                 node.birth = self.values[lv].birth;
                 node.field_id = field.0;
                 self.values[lv].fields.insert(field.0, node.index);
-                self.alias_set.push(self.values.len());
+                self.alias_set.push(self.alias_set.len());
                 self.dead_record.push(false);
                 self.values.push(node);
             }
@@ -234,7 +234,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
                 node.birth = self.values[lv].birth;
                 node.field_id = *index;
                 self.values[lv].fields.insert(*index, node.index);
-                self.alias_set.push(self.values.len());
+                self.alias_set.push(self.alias_set.len());
                 self.dead_record.push(false);
                 self.values.push(node);
             }
@@ -249,7 +249,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
             if !self.values[rv].fields.contains_key(&index) {
                 let need_drop = ret_alias.right_need_drop;
                 let may_drop = ret_alias.right_may_drop;
-                let mut node = ValueNode::new(self.values.len(), right_init, need_drop, may_drop);
+                let mut node = ValueNode::new(self.alias_set.len(), right_init, need_drop, may_drop);
                 node.kind = TyKind::RawPtr;
                 node.birth = self.values[rv].birth;
                 node.field_id = *index;
@@ -263,7 +263,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
         self.merge_alias(lv, rv);
     }
 
-    #[inline]
+    #[inline(always)]
     pub fn union_find(&mut self, e: usize) -> usize {
         let mut r = e;
         while self.alias_set[r] != r {
@@ -272,7 +272,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
         r
     }
 
-    #[inline]
+    #[inline(always)]
     pub fn union_merge(&mut self, e1: usize, e2: usize) {
         let f1 = self.union_find(e1);
         let f2 = self.union_find(e2);
@@ -289,13 +289,14 @@ impl<'tcx> SafeDropGraph<'tcx> {
         }
     }
 
-    #[inline]
+    #[inline(always)]
     pub fn union_is_same(&mut self, e1: usize, e2: usize) -> bool {
         let f1 = self.union_find(e1);
         let f2 = self.union_find(e2);
         f1 == f2
     }
 
+    #[inline(always)]
     pub fn union_has_alias(&mut self, e: usize) -> bool {
         for i in 0..self.alias_set.len() {
             if i == e {
diff --git a/rapx/src/analysis/safedrop/check_bugs.rs b/rapx/src/analysis/safedrop/check_bugs.rs
@@ -47,6 +47,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
         record: &mut FxHashSet<usize>,
         dangling: bool,
     ) -> bool {
+        if node>= self.values.len() { return false; }
         //if is a dangling pointer check, only check the pointer type varible.
         if self.values[node].is_alive() == false
             && (dangling && self.values[node].is_ptr() || !dangling)
@@ -138,7 +139,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
             //     }
             //     self.dead_node(i, birth, info, true);
             // }
-            for i in 0..self.alias_set.len() {
+            for i in 0..self.values.len() {
                 if !self.union_is_same(drop, i) || i == drop || self.values[i].is_ref() {
                     continue;
                 }
diff --git a/rapx/src/analysis/safedrop/graph.rs b/rapx/src/analysis/safedrop/graph.rs
@@ -208,7 +208,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
                 need_drop || may_drop,
             );
             node.kind = kind(local_decl.ty);
-            alias.push(values.len());
+            alias.push(alias.len());
             dead.push(false);
             values.push(node);
         }
@@ -295,7 +295,7 @@ impl<'tcx> SafeDropGraph<'tcx> {
                                 lvl0.birth = values[lv_local].birth;
                                 lvl0.field_id = 0;
                                 values[lv_local].fields.insert(0, lvl0.index);
-                                alias.push(values.len());
+                                alias.push(alias.len());
                                 dead.push(false);
                                 values.push(lvl0);
                             }
