From c5055af11303789485fd79a242cd8e8b1bd8f58a Mon Sep 17 00:00:00 2001
From: LemonJ <1632798336@qq.com>
Date: Wed, 23 Oct 2024 14:56:55 +0800
Subject: [PATCH 1/5] add result output level logic

---
 .../analysis/senryx/contracts/abstract_state.rs    | 12 ++++++++++--
 rap/src/analysis/senryx/matcher.rs                 | 14 ++++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/rap/src/analysis/senryx/contracts/abstract_state.rs b/rap/src/analysis/senryx/contracts/abstract_state.rs
index 257953c..bb2bffe 100644
--- a/rap/src/analysis/senryx/contracts/abstract_state.rs
+++ b/rap/src/analysis/senryx/contracts/abstract_state.rs
@@ -11,6 +11,7 @@ pub enum Value {
     Isize(isize),
     U32(u32),
     Custom(),
+    None,
     // ...
 }
 
@@ -54,15 +55,22 @@ pub enum InitState {
     PartlyInitialized,
 }
 
+#[derive(Debug, PartialEq, Eq, Hash, Copy, Clone)]
+pub enum VType {
+    Pointer(usize,usize), // (align, size)
+    // todo
+}
+
 #[derive(Debug, PartialEq, Clone)]
 pub struct AbstractStateItem {
     pub value: (Value, Value),
+    pub vtype: VType,
     pub state: HashSet<StateType>,
 }
 
 impl AbstractStateItem {
-    pub fn new(value: (Value, Value), state: HashSet<StateType>) -> Self {
-        Self { value, state }
+    pub fn new(value: (Value, Value), vtype: VType, state: HashSet<StateType>) -> Self {
+        Self { value, vtype, state }
     }
 
     pub fn meet_state_item(&mut self, other_state: &AbstractStateItem) {
diff --git a/rap/src/analysis/senryx/matcher.rs b/rap/src/analysis/senryx/matcher.rs
index ebddd93..2e6306f 100644
--- a/rap/src/analysis/senryx/matcher.rs
+++ b/rap/src/analysis/senryx/matcher.rs
@@ -1,13 +1,14 @@
 use rustc_middle::mir::Operand;
 use rustc_span::source_map::Spanned;
 
+use crate::rap_warn;
+
 use super::contracts::{
     abstract_state::AbstractState,
     checker::{Checker, SliceFromRawPartsChecker},
     contract::check_contract,
 };
 
-//pub fn match_unsafe_api_and_check_contracts<T>(func_name: &str, args:&Vec<Operand>, abstate:&AbstractState, _ty: T) {
 pub fn match_unsafe_api_and_check_contracts<T>(
     func_name: &str,
     args: &Box<[Spanned<Operand>]>,
@@ -26,7 +27,6 @@ pub fn match_unsafe_api_and_check_contracts<T>(
     }
 }
 
-//fn process_checker(checker: &dyn Checker, args: &Vec<Operand>, abstate: &AbstractState) {
 fn process_checker(checker: &dyn Checker, args: &Box<[Spanned<Operand>]>, abstate: &AbstractState) {
     for (idx, contracts_vec) in checker.variable_contracts().iter() {
         for contract in contracts_vec {
@@ -43,6 +43,16 @@ fn process_checker(checker: &dyn Checker, args: &Box<[Spanned<Operand>]>, abstat
     }
 }
 
+// level: 0 bug_level, 1-3 unsound_level
+// TODO: add more information about the result
+pub fn output_results(level:usize, threshold: usize) {
+    if level == 0{
+        rap_warn!("Find one bug!")
+    } else if level <= threshold {
+        rap_warn!("Find an unsoundness issue!")
+    }
+}
+
 pub fn get_arg_place(arg: &Operand) -> usize {
     match arg {
         Operand::Move(place) => place.local.as_usize(),

From 2d87cf337d12948b27dd36c1c44bc2a44e74748b Mon Sep 17 00:00:00 2001
From: LemonJ <1632798336@qq.com>
Date: Wed, 23 Oct 2024 16:16:46 +0800
Subject: [PATCH 2/5] modify senryx to add threshhold

---
 rap/src/analysis/senryx.rs         |  5 +++--
 rap/src/analysis/senryx/matcher.rs | 11 -----------
 rap/src/analysis/senryx/visitor.rs | 24 +++++++++++++++++++++++-
 rap/src/lib.rs                     |  2 +-
 4 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/rap/src/analysis/senryx.rs b/rap/src/analysis/senryx.rs
index b2c81b1..8f8a63d 100644
--- a/rap/src/analysis/senryx.rs
+++ b/rap/src/analysis/senryx.rs
@@ -12,11 +12,12 @@ use visitor::BodyVisitor;
 
 pub struct SenryxCheck<'tcx> {
     pub tcx: TyCtxt<'tcx>,
+    pub threshhold: usize,
 }
 
 impl<'tcx> SenryxCheck<'tcx> {
-    pub fn new(tcx: TyCtxt<'tcx>) -> Self {
-        Self { tcx }
+    pub fn new(tcx: TyCtxt<'tcx>, threshhold: usize) -> Self {
+        Self { tcx, threshhold }
     }
 
     pub fn start(&self) {
diff --git a/rap/src/analysis/senryx/matcher.rs b/rap/src/analysis/senryx/matcher.rs
index 2e6306f..477fea7 100644
--- a/rap/src/analysis/senryx/matcher.rs
+++ b/rap/src/analysis/senryx/matcher.rs
@@ -1,8 +1,6 @@
 use rustc_middle::mir::Operand;
 use rustc_span::source_map::Spanned;
 
-use crate::rap_warn;
-
 use super::contracts::{
     abstract_state::AbstractState,
     checker::{Checker, SliceFromRawPartsChecker},
@@ -43,15 +41,6 @@ fn process_checker(checker: &dyn Checker, args: &Box<[Spanned<Operand>]>, abstat
     }
 }
 
-// level: 0 bug_level, 1-3 unsound_level
-// TODO: add more information about the result
-pub fn output_results(level:usize, threshold: usize) {
-    if level == 0{
-        rap_warn!("Find one bug!")
-    } else if level <= threshold {
-        rap_warn!("Find an unsoundness issue!")
-    }
-}
 
 pub fn get_arg_place(arg: &Operand) -> usize {
     match arg {
diff --git a/rap/src/analysis/senryx/visitor.rs b/rap/src/analysis/senryx/visitor.rs
index 5518fd3..ead21f0 100644
--- a/rap/src/analysis/senryx/visitor.rs
+++ b/rap/src/analysis/senryx/visitor.rs
@@ -1,5 +1,5 @@
 use std::collections::HashMap;
-
+use crate::rap_warn;
 use crate::analysis::safedrop::graph::SafeDropGraph;
 
 use super::contracts::abstract_state::AbstractState;
@@ -20,6 +20,7 @@ pub struct BodyVisitor<'tcx> {
     pub def_id: DefId,
     pub safedrop_graph: SafeDropGraph<'tcx>,
     pub abstract_states: HashMap<usize, AbstractState>,
+    pub unsafe_callee_report: HashMap<String,usize>,
 }
 
 impl<'tcx> BodyVisitor<'tcx> {
@@ -30,6 +31,7 @@ impl<'tcx> BodyVisitor<'tcx> {
             def_id,
             safedrop_graph: SafeDropGraph::new(body, tcx, def_id),
             abstract_states: HashMap::new(),
+            unsafe_callee_report: HashMap::new(),
         }
     }
 
@@ -266,4 +268,24 @@ impl<'tcx> BodyVisitor<'tcx> {
         }
         results
     }
+
+    pub fn update_callee_report_level(&mut self, unsafe_callee: String, report_level: usize) {
+        self.unsafe_callee_report.entry(unsafe_callee).and_modify(|e| {
+            if report_level < *e {
+                *e = report_level;
+            }
+        }).or_insert(report_level);
+    }
+
+    // level: 0 bug_level, 1-3 unsound_level
+    // TODO: add more information about the result
+    pub fn output_results(&self, threshold: usize) {
+        for (unsafe_callee, report_level) in &self.unsafe_callee_report {
+            if *report_level == 0{
+                rap_warn!("Find one bug in {:?}!",unsafe_callee);
+            } else if *report_level <= threshold {
+                rap_warn!("Find an unsoundness issue in {:?}!",unsafe_callee);
+            }
+        }
+    }
 }
diff --git a/rap/src/lib.rs b/rap/src/lib.rs
index c04a73c..1e84520 100644
--- a/rap/src/lib.rs
+++ b/rap/src/lib.rs
@@ -224,7 +224,7 @@ pub fn start_analyzer(tcx: TyCtxt, callback: RapCallback) {
     }
 
     if callback.is_senryx_enabled() {
-        SenryxCheck::new(tcx).start();
+        SenryxCheck::new(tcx, 2).start();
     }
 
     if callback.is_callgraph_enabled() {

From a3967c48cdd68d9a3f79a3d7d91fff685306d9d3 Mon Sep 17 00:00:00 2001
From: LemonJ <1632798336@qq.com>
Date: Wed, 23 Oct 2024 16:49:06 +0800
Subject: [PATCH 3/5] add insert path abstate func & cargo fmt check

---
 .../senryx/contracts/abstract_state.rs        | 10 ++-
 rap/src/analysis/senryx/matcher.rs            |  1 -
 rap/src/analysis/senryx/visitor.rs            | 65 +++++++++++++++----
 3 files changed, 58 insertions(+), 18 deletions(-)

diff --git a/rap/src/analysis/senryx/contracts/abstract_state.rs b/rap/src/analysis/senryx/contracts/abstract_state.rs
index bb2bffe..c30fab7 100644
--- a/rap/src/analysis/senryx/contracts/abstract_state.rs
+++ b/rap/src/analysis/senryx/contracts/abstract_state.rs
@@ -57,8 +57,8 @@ pub enum InitState {
 
 #[derive(Debug, PartialEq, Eq, Hash, Copy, Clone)]
 pub enum VType {
-    Pointer(usize,usize), // (align, size)
-    // todo
+    Pointer(usize, usize), // (align, size)
+                           // todo
 }
 
 #[derive(Debug, PartialEq, Clone)]
@@ -70,7 +70,11 @@ pub struct AbstractStateItem {
 
 impl AbstractStateItem {
     pub fn new(value: (Value, Value), vtype: VType, state: HashSet<StateType>) -> Self {
-        Self { value, vtype, state }
+        Self {
+            value,
+            vtype,
+            state,
+        }
     }
 
     pub fn meet_state_item(&mut self, other_state: &AbstractStateItem) {
diff --git a/rap/src/analysis/senryx/matcher.rs b/rap/src/analysis/senryx/matcher.rs
index 477fea7..f5f5787 100644
--- a/rap/src/analysis/senryx/matcher.rs
+++ b/rap/src/analysis/senryx/matcher.rs
@@ -41,7 +41,6 @@ fn process_checker(checker: &dyn Checker, args: &Box<[Spanned<Operand>]>, abstat
     }
 }
 
-
 pub fn get_arg_place(arg: &Operand) -> usize {
     match arg {
         Operand::Move(place) => place.local.as_usize(),
diff --git a/rap/src/analysis/senryx/visitor.rs b/rap/src/analysis/senryx/visitor.rs
index ead21f0..f0ac0a7 100644
--- a/rap/src/analysis/senryx/visitor.rs
+++ b/rap/src/analysis/senryx/visitor.rs
@@ -1,8 +1,10 @@
-use std::collections::HashMap;
-use crate::rap_warn;
 use crate::analysis::safedrop::graph::SafeDropGraph;
+use crate::rap_warn;
+use std::collections::{HashMap, HashSet};
 
-use super::contracts::abstract_state::AbstractState;
+use super::contracts::abstract_state::{
+    AbstractState, AbstractStateItem, AlignState, StateType, VType, Value,
+};
 use super::matcher::match_unsafe_api_and_check_contracts;
 use rustc_hir::def_id::DefId;
 use rustc_middle::ty::TyCtxt;
@@ -19,8 +21,9 @@ pub struct BodyVisitor<'tcx> {
     pub tcx: TyCtxt<'tcx>,
     pub def_id: DefId,
     pub safedrop_graph: SafeDropGraph<'tcx>,
+    // abstract_states records the path index and variables' ab states in this path
     pub abstract_states: HashMap<usize, AbstractState>,
-    pub unsafe_callee_report: HashMap<String,usize>,
+    pub unsafe_callee_report: HashMap<String, usize>,
 }
 
 impl<'tcx> BodyVisitor<'tcx> {
@@ -149,9 +152,9 @@ impl<'tcx> BodyVisitor<'tcx> {
         &mut self,
         lplace: &Place<'tcx>,
         rvalue: &Rvalue<'tcx>,
-        _path_index: usize,
+        path_index: usize,
     ) {
-        let _lpjc_local = self
+        let lpjc_local = self
             .safedrop_graph
             .projection(self.tcx, false, lplace.clone());
         match rvalue {
@@ -172,11 +175,27 @@ impl<'tcx> BodyVisitor<'tcx> {
                 _ => {}
             },
             Rvalue::Ref(_, _, rplace) => {
+                let align = 0;
+                let size = 0;
+                let abitem = AbstractStateItem::new(
+                    (Value::None, Value::None),
+                    VType::Pointer(align, size),
+                    HashSet::from([StateType::AlignState(AlignState::Aligned)]),
+                );
+                self.insert_path_abstate(path_index, lpjc_local, abitem);
                 let _rpjc_local = self
                     .safedrop_graph
                     .projection(self.tcx, true, rplace.clone());
             }
             Rvalue::AddressOf(_, rplace) => {
+                let align = 0;
+                let size = 0;
+                let abitem = AbstractStateItem::new(
+                    (Value::None, Value::None),
+                    VType::Pointer(align, size),
+                    HashSet::from([StateType::AlignState(AlignState::Aligned)]),
+                );
+                self.insert_path_abstate(path_index, lpjc_local, abitem);
                 let _rpjc_local = self
                     .safedrop_graph
                     .projection(self.tcx, true, rplace.clone());
@@ -270,22 +289,40 @@ impl<'tcx> BodyVisitor<'tcx> {
     }
 
     pub fn update_callee_report_level(&mut self, unsafe_callee: String, report_level: usize) {
-        self.unsafe_callee_report.entry(unsafe_callee).and_modify(|e| {
-            if report_level < *e {
-                *e = report_level;
-            }
-        }).or_insert(report_level);
+        self.unsafe_callee_report
+            .entry(unsafe_callee)
+            .and_modify(|e| {
+                if report_level < *e {
+                    *e = report_level;
+                }
+            })
+            .or_insert(report_level);
     }
 
     // level: 0 bug_level, 1-3 unsound_level
     // TODO: add more information about the result
     pub fn output_results(&self, threshold: usize) {
         for (unsafe_callee, report_level) in &self.unsafe_callee_report {
-            if *report_level == 0{
-                rap_warn!("Find one bug in {:?}!",unsafe_callee);
+            if *report_level == 0 {
+                rap_warn!("Find one bug in {:?}!", unsafe_callee);
             } else if *report_level <= threshold {
-                rap_warn!("Find an unsoundness issue in {:?}!",unsafe_callee);
+                rap_warn!("Find an unsoundness issue in {:?}!", unsafe_callee);
             }
         }
     }
+
+    pub fn insert_path_abstate(
+        &mut self,
+        path_index: usize,
+        place: usize,
+        abitem: AbstractStateItem,
+    ) {
+        self.abstract_states
+            .entry(path_index)
+            .or_insert_with(|| AbstractState {
+                state_map: HashMap::new(),
+            })
+            .state_map
+            .insert(place, abitem);
+    }
 }

From dc114028f9eeab90a0e58e89ca144b57ea2c9af0 Mon Sep 17 00:00:00 2001
From: LemonJ <1632798336@qq.com>
Date: Wed, 23 Oct 2024 21:11:34 +0800
Subject: [PATCH 4/5] pass simple align check

---
 rap/src/analysis/senryx/contracts/checker.rs  |  8 +-
 rap/src/analysis/senryx/matcher.rs            |  6 +-
 rap/src/analysis/senryx/visitor.rs            | 84 +++++++++++++------
 .../slice_from_raw_parts/src/main.rs          | 36 +++++---
 4 files changed, 92 insertions(+), 42 deletions(-)

diff --git a/rap/src/analysis/senryx/contracts/checker.rs b/rap/src/analysis/senryx/contracts/checker.rs
index 90ddb3e..bd6464c 100644
--- a/rap/src/analysis/senryx/contracts/checker.rs
+++ b/rap/src/analysis/senryx/contracts/checker.rs
@@ -25,13 +25,13 @@ impl<T> SliceFromRawPartsChecker<T> {
         map.insert(
             0,
             vec![
-                Contract::ValueCheck {
+                Contract::StateCheck {
                     op: Op::GE,
-                    value: Value::Usize(0),
+                    state: StateType::AllocatedState(AllocatedState::Alloc),
                 },
                 Contract::StateCheck {
-                    op: Op::EQ,
-                    state: StateType::AllocatedState(AllocatedState::Alloc),
+                    op: Op::NE,
+                    state: StateType::AlignState(AlignState::Small2BigCast),
                 },
             ],
         );
diff --git a/rap/src/analysis/senryx/matcher.rs b/rap/src/analysis/senryx/matcher.rs
index f5f5787..30c39c3 100644
--- a/rap/src/analysis/senryx/matcher.rs
+++ b/rap/src/analysis/senryx/matcher.rs
@@ -16,7 +16,7 @@ pub fn match_unsafe_api_and_check_contracts<T>(
     let base_func_name = func_name.split::<&str>("<").next().unwrap_or(func_name);
     // println!("base name ---- {:?}",base_func_name);
     let checker: Option<Box<dyn Checker>> = match base_func_name {
-        "std::slice::from_raw_parts::" => Some(Box::new(SliceFromRawPartsChecker::<T>::new())),
+        "std::slice::from_raw_parts::" | "std::slice::from_raw_parts_mut::" => Some(Box::new(SliceFromRawPartsChecker::<T>::new())),
         _ => None,
     };
 
@@ -34,7 +34,9 @@ fn process_checker(checker: &dyn Checker, args: &Box<[Spanned<Operand>]>, abstat
             }
             if let Some(abstate_item) = abstate.state_map.get(&arg_place) {
                 if !check_contract(*contract, abstate_item) {
-                    println!("Checking contract failed! ---- {:?}", contract);
+                    println!("Contract failed! ---- {:?}", contract);
+                } else {
+                    println!("Contract passed! ---- {:?}", contract);
                 }
             }
         }
diff --git a/rap/src/analysis/senryx/visitor.rs b/rap/src/analysis/senryx/visitor.rs
index f0ac0a7..2f30502 100644
--- a/rap/src/analysis/senryx/visitor.rs
+++ b/rap/src/analysis/senryx/visitor.rs
@@ -11,10 +11,9 @@ use rustc_middle::ty::TyCtxt;
 use rustc_middle::{
     mir::{
         self, AggregateKind, BasicBlock, BasicBlockData, Operand, Place, Rvalue, Statement,
-        StatementKind, Terminator, TerminatorKind,
+        StatementKind, Terminator, TerminatorKind, Local,
     },
-    ty,
-    ty::GenericArgKind,
+    ty::{self, Ty, TyKind, GenericArgKind},
 };
 
 pub struct BodyVisitor<'tcx> {
@@ -174,37 +173,50 @@ impl<'tcx> BodyVisitor<'tcx> {
                 }
                 _ => {}
             },
-            Rvalue::Ref(_, _, rplace) => {
-                let align = 0;
-                let size = 0;
-                let abitem = AbstractStateItem::new(
-                    (Value::None, Value::None),
-                    VType::Pointer(align, size),
-                    HashSet::from([StateType::AlignState(AlignState::Aligned)]),
-                );
-                self.insert_path_abstate(path_index, lpjc_local, abitem);
-                let _rpjc_local = self
+            Rvalue::Ref(_, _, rplace) | Rvalue::AddressOf(_, rplace) => {
+                let rpjc_local = self
                     .safedrop_graph
                     .projection(self.tcx, true, rplace.clone());
-            }
-            Rvalue::AddressOf(_, rplace) => {
-                let align = 0;
-                let size = 0;
+                let (align, size) = self.get_layout_by_place_usize(rpjc_local);
                 let abitem = AbstractStateItem::new(
                     (Value::None, Value::None),
                     VType::Pointer(align, size),
                     HashSet::from([StateType::AlignState(AlignState::Aligned)]),
                 );
                 self.insert_path_abstate(path_index, lpjc_local, abitem);
-                let _rpjc_local = self
-                    .safedrop_graph
-                    .projection(self.tcx, true, rplace.clone());
+
             }
-            Rvalue::Cast(_cast_kind, op, _ty) => match op {
+            // Rvalue::AddressOf(_, rplace) => {
+            //     let align = 0;
+            //     let size = 0;
+            //     let abitem = AbstractStateItem::new(
+            //         (Value::None, Value::None),
+            //         VType::Pointer(align, size),
+            //         HashSet::from([StateType::AlignState(AlignState::Aligned)]),
+            //     );
+            //     self.insert_path_abstate(path_index, lpjc_local, abitem);
+            //     let _rpjc_local = self
+            //         .safedrop_graph
+            //         .projection(self.tcx, true, rplace.clone());
+            // }
+            Rvalue::Cast(_cast_kind, op, ty) => match op {
                 Operand::Move(rplace) | Operand::Copy(rplace) => {
-                    let _rpjc_local =
-                        self.safedrop_graph
-                            .projection(self.tcx, true, rplace.clone());
+                    let rpjc_local = self
+                        .safedrop_graph
+                        .projection(self.tcx, true, rplace.clone());
+                    let (src_align, _src_size) = self.get_layout_by_place_usize(rpjc_local); 
+                    let (dst_align, dst_size) = self.visit_ty_and_get_layout(*ty);
+                    let state = match dst_align.cmp(&src_align) {
+                        std::cmp::Ordering::Greater => StateType::AlignState(AlignState::Small2BigCast),
+                        std::cmp::Ordering::Less => StateType::AlignState(AlignState::Big2SmallCast),
+                        std::cmp::Ordering::Equal => StateType::AlignState(AlignState::Aligned),
+                    };
+                    let abitem = AbstractStateItem::new(
+                        (Value::None, Value::None),
+                        VType::Pointer(dst_align, dst_size),
+                        HashSet::from([state]),
+                    );
+                    self.insert_path_abstate(path_index, lpjc_local, abitem);
                 }
                 _ => {}
             },
@@ -228,6 +240,15 @@ impl<'tcx> BodyVisitor<'tcx> {
         }
     }
 
+    pub fn visit_ty_and_get_layout(&self, ty:Ty<'tcx>) -> (usize,usize) {
+        match ty.kind() {
+            TyKind::RawPtr(ty,_) | TyKind::Ref(_, ty, _) | TyKind::Slice(ty) => {
+                self.get_layout_by_ty(*ty)
+            }
+            _ => {(0,0)}
+        }
+    }
+
     pub fn get_all_paths(&mut self) -> Vec<Vec<usize>> {
         self.safedrop_graph.solve_scc();
         let results = self.safedrop_graph.get_paths();
@@ -325,4 +346,19 @@ impl<'tcx> BodyVisitor<'tcx> {
             .state_map
             .insert(place, abitem);
     }
+
+    pub fn get_layout_by_place_usize(&self, place:usize) -> (usize,usize) {
+        let local_place = Place::from(Local::from_usize(place));
+        let body = self.tcx.optimized_mir(self.def_id);
+        let place_ty = local_place.ty(body, self.tcx).ty;
+        self.visit_ty_and_get_layout(place_ty)
+    }
+
+    pub fn get_layout_by_ty(&self, ty: Ty<'tcx>) -> (usize,usize) {
+        let param_env = self.tcx.param_env(self.def_id);
+        let layout = self.tcx.layout_of(param_env.and(ty)).unwrap();
+        let align= layout.align.abi.bytes_usize();
+        let size = layout.size.bytes() as usize;
+        (align,size)
+    }
 }
diff --git a/tests/senryx_tests/slice_from_raw_parts/src/main.rs b/tests/senryx_tests/slice_from_raw_parts/src/main.rs
index b7b3c39..fb18e6c 100644
--- a/tests/senryx_tests/slice_from_raw_parts/src/main.rs
+++ b/tests/senryx_tests/slice_from_raw_parts/src/main.rs
@@ -1,19 +1,31 @@
 use std::slice;
 
-fn test1() {
-    let data: *const u8 = Box::leak(Box::new(0));
-    let len: usize = (isize::MAX as usize) / std::mem::size_of::<u8>() + 1;
-    // Pass(Allocated \ Aligned):   data is allocated and aligned
-    // Fail(Bounded): 'len' is out of the max value
-    // Fail(Dereferencable \ Initialized): 'data' onnly points to the memory with a 'u8' size, but the 'len' is out of this range
-    let slice: &[u8] = unsafe { slice::from_raw_parts(data, len) };
-    if let Some(last_element) = slice.last() {
-        println!("Last element: {}", last_element);
-    } else {
-        println!("Slice is empty");
+// fn test1() {
+//     let data: *const u8 = Box::leak(Box::new(0));
+//     let len: usize = (isize::MAX as usize) / std::mem::size_of::<u8>() + 1;
+//     // Pass(Allocated \ Aligned):   data is allocated and aligned
+//     // Fail(Bounded): 'len' is out of the max value
+//     // Fail(Dereferencable \ Initialized): 'data' onnly points to the memory with a 'u8' size, but the 'len' is out of this range
+//     let slice: &[u8] = unsafe { slice::from_raw_parts(data, len) };
+//     if let Some(last_element) = slice.last() {
+//         println!("Last element: {}", last_element);
+//     } else {
+//         println!("Slice is empty");
+//     }
+// }
+
+fn test2(a: &mut [u8], b: &[u32; 20]) {
+    unsafe {
+        let c = slice::from_raw_parts_mut(a.as_mut_ptr() as *mut u32, 20);
+        for i in 0..20 {
+            c[i] ^= b[i];
+        }
     }
 }
 
 fn main() {
-    test1();
+    // test1();
+    let mut x = [0u8;40];
+    let y = [0u32;20];
+    test2(&mut x[1..32], &y);
 }
\ No newline at end of file

From 6de1741415046b57009d8f1a155661b045c6321a Mon Sep 17 00:00:00 2001
From: LemonJ <1632798336@qq.com>
Date: Wed, 23 Oct 2024 21:14:35 +0800
Subject: [PATCH 5/5] fix:fmt senryx

---
 rap/src/analysis/senryx/matcher.rs |  4 +++-
 rap/src/analysis/senryx/visitor.rs | 31 ++++++++++++++++--------------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/rap/src/analysis/senryx/matcher.rs b/rap/src/analysis/senryx/matcher.rs
index 30c39c3..b99d528 100644
--- a/rap/src/analysis/senryx/matcher.rs
+++ b/rap/src/analysis/senryx/matcher.rs
@@ -16,7 +16,9 @@ pub fn match_unsafe_api_and_check_contracts<T>(
     let base_func_name = func_name.split::<&str>("<").next().unwrap_or(func_name);
     // println!("base name ---- {:?}",base_func_name);
     let checker: Option<Box<dyn Checker>> = match base_func_name {
-        "std::slice::from_raw_parts::" | "std::slice::from_raw_parts_mut::" => Some(Box::new(SliceFromRawPartsChecker::<T>::new())),
+        "std::slice::from_raw_parts::" | "std::slice::from_raw_parts_mut::" => {
+            Some(Box::new(SliceFromRawPartsChecker::<T>::new()))
+        }
         _ => None,
     };
 
diff --git a/rap/src/analysis/senryx/visitor.rs b/rap/src/analysis/senryx/visitor.rs
index 2f30502..236dbf4 100644
--- a/rap/src/analysis/senryx/visitor.rs
+++ b/rap/src/analysis/senryx/visitor.rs
@@ -10,10 +10,10 @@ use rustc_hir::def_id::DefId;
 use rustc_middle::ty::TyCtxt;
 use rustc_middle::{
     mir::{
-        self, AggregateKind, BasicBlock, BasicBlockData, Operand, Place, Rvalue, Statement,
-        StatementKind, Terminator, TerminatorKind, Local,
+        self, AggregateKind, BasicBlock, BasicBlockData, Local, Operand, Place, Rvalue, Statement,
+        StatementKind, Terminator, TerminatorKind,
     },
-    ty::{self, Ty, TyKind, GenericArgKind},
+    ty::{self, GenericArgKind, Ty, TyKind},
 };
 
 pub struct BodyVisitor<'tcx> {
@@ -184,7 +184,6 @@ impl<'tcx> BodyVisitor<'tcx> {
                     HashSet::from([StateType::AlignState(AlignState::Aligned)]),
                 );
                 self.insert_path_abstate(path_index, lpjc_local, abitem);
-
             }
             // Rvalue::AddressOf(_, rplace) => {
             //     let align = 0;
@@ -204,11 +203,15 @@ impl<'tcx> BodyVisitor<'tcx> {
                     let rpjc_local = self
                         .safedrop_graph
                         .projection(self.tcx, true, rplace.clone());
-                    let (src_align, _src_size) = self.get_layout_by_place_usize(rpjc_local); 
+                    let (src_align, _src_size) = self.get_layout_by_place_usize(rpjc_local);
                     let (dst_align, dst_size) = self.visit_ty_and_get_layout(*ty);
                     let state = match dst_align.cmp(&src_align) {
-                        std::cmp::Ordering::Greater => StateType::AlignState(AlignState::Small2BigCast),
-                        std::cmp::Ordering::Less => StateType::AlignState(AlignState::Big2SmallCast),
+                        std::cmp::Ordering::Greater => {
+                            StateType::AlignState(AlignState::Small2BigCast)
+                        }
+                        std::cmp::Ordering::Less => {
+                            StateType::AlignState(AlignState::Big2SmallCast)
+                        }
                         std::cmp::Ordering::Equal => StateType::AlignState(AlignState::Aligned),
                     };
                     let abitem = AbstractStateItem::new(
@@ -240,12 +243,12 @@ impl<'tcx> BodyVisitor<'tcx> {
         }
     }
 
-    pub fn visit_ty_and_get_layout(&self, ty:Ty<'tcx>) -> (usize,usize) {
+    pub fn visit_ty_and_get_layout(&self, ty: Ty<'tcx>) -> (usize, usize) {
         match ty.kind() {
-            TyKind::RawPtr(ty,_) | TyKind::Ref(_, ty, _) | TyKind::Slice(ty) => {
+            TyKind::RawPtr(ty, _) | TyKind::Ref(_, ty, _) | TyKind::Slice(ty) => {
                 self.get_layout_by_ty(*ty)
             }
-            _ => {(0,0)}
+            _ => (0, 0),
         }
     }
 
@@ -347,18 +350,18 @@ impl<'tcx> BodyVisitor<'tcx> {
             .insert(place, abitem);
     }
 
-    pub fn get_layout_by_place_usize(&self, place:usize) -> (usize,usize) {
+    pub fn get_layout_by_place_usize(&self, place: usize) -> (usize, usize) {
         let local_place = Place::from(Local::from_usize(place));
         let body = self.tcx.optimized_mir(self.def_id);
         let place_ty = local_place.ty(body, self.tcx).ty;
         self.visit_ty_and_get_layout(place_ty)
     }
 
-    pub fn get_layout_by_ty(&self, ty: Ty<'tcx>) -> (usize,usize) {
+    pub fn get_layout_by_ty(&self, ty: Ty<'tcx>) -> (usize, usize) {
         let param_env = self.tcx.param_env(self.def_id);
         let layout = self.tcx.layout_of(param_env.and(ty)).unwrap();
-        let align= layout.align.abi.bytes_usize();
+        let align = layout.align.abi.bytes_usize();
         let size = layout.size.bytes() as usize;
-        (align,size)
+        (align, size)
     }
 }