Question about processing GEPs with negative offsets

[ArtisticFantasy]

Dear authors of SVF,

I tested SVF with a piece of C program below,
struct S { int a,b,c; } s; int main() { int *pc = &s.c; int *pb = (int*)((char*)pc - 4); return 0; }
Here, pointer pb should point to the field b of the struct s, and pointer pc should point to the field c of the struct s.

However, after I run wpa -ander -dump-pag -write-ander=ptsout.out test.ll, here is a part of the PAG:

And here is a part of the points-to set output,

It is for sure that node 20 should point to field c and node 26 should point to field b. However, they all point to field c.

I read the source code of the GEP offset computing implementation in SVF, and I found that there is no particular implementation to cope with negative offsets at present?

I wonder if SVF could correctly processing GEPs with negative offsets, accurate processing is necessary because when analyzing Linux kernels, negative offsets appear frequently due to macro container_of.

If you could fix this, that will help a lot. Thank you!

[yuleisui]

Thanks for reporting this. Yes, this is a known problem. SVF's current field-sensitive implementation is index-based and it requires calculating the (negative) offset and mapping it back to the corresponding field of the struct. I think you have dug up this problem quite thoroughly, would you be able to help implement it?

[ArtisticFantasy]

Is there a feasible way to maintain the byte offsets of each flattened element in a base memory object? I think that mark the negative offset GEPs with the byte offset and do some modifications to getGepObjVar such as using a binary search, perhaps can help to get the correct GEP object? I'm not quite sure because I haven't taken part in the development of such huge project before. QwQ