[clang] [clang][Static analyzer] fix crash on using `bitcast(, )` as array subscript (PR #101647)

Balazs Benics via cfe-commits Fri, 02 Aug 2024 03:23:17 -0700

================
@@ -30,3 +30,10 @@ void f3(void *dest) {
   void *src = __builtin_alloca(5);
   memcpy(dest, src, 1); // expected-warning{{2nd function call argument is a 
pointer to uninitialized value}}
 }
+
+// Reproduce crash from GH#94496. When array is used as subcript to another 
array, CSA cannot model it
+// and should just assume it's unknown and do not crash.
+void f4(char *array) {
+  char b[4] = {0};
+  array[__builtin_bit_cast(int, b)] = 0x10; // no crash
----------------
steakhal wrote:


Please enable the `debug.ExprInspection` checker too, and then forward declare 
(but not define) the `void clang_analyzer_dump_int(int);

```suggestion
  clang_analyzer_dump_int(__builtin_bit_cast(int, b)); // expected-warning 
{{Unknown}}
  array[__builtin_bit_cast(int, b)] = 0x10; // no crash
```

Hold on. Shouldn't we pin the target triple to be able to safely assume that a 
sizeof `int` is 4 chars? Consider pinning the target using `-triple xxx` in the 
RUN line.

https://github.com/llvm/llvm-project/pull/101647
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [clang][Static analyzer] fix crash on using `bitcast(, )` as array subscript (PR #101647)

Reply via email to