================
@@ -576,8 +576,20 @@ ProgramStateRef 
CStringChecker::CheckLocation(CheckerContext &C,
 
   auto [StInBound, StOutBound] = state->assumeInBoundDual(*Idx, Size);
   if (StOutBound && !StInBound) {
+    // The analyzer determined that the access is out-of-bounds, which is
+    // a fatal error: ideally we'd return nullptr to terminate this path
+    // regardless of whether the OutOfBounds checker frontend is enabled.
+    // However, the current out-of-bounds modeling produces too many false
+    // positives, so when the frontend is disabled we return the original
+    // (unconstrained) state and let the analysis continue. This is
+    // inconsistent: returning `state` instead of `StOutBound` discards the
+    // constraint that the index is out-of-bounds, and callers cannot
+    // distinguish "we proved an error" from "we couldn't determine anything"
+    // since both return the original state.
+    // TODO: Once the OutOfBounds frontend is stable, return nullptr here
+    // unconditionally to stop the analysis on this path.
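Review bot: The TODO that closes the new comment in the `if (StOutBound && !StInBound)` branch gives no tracking reference and no concrete criterion for when the OutOfBounds frontend counts as "stable", so it is likely to linger; link an issue from it. The same comment records that callers cannot distinguish "we proved an error" from "we couldn't determine anything" because both return the original state. That is a limitation of the function's return value, and a twelve-line inline comment is a fragile place to carry it. Consider documenting it once at the function's declaration or encoding the distinction in the return type, and keeping here only the short rationale for not returning nullptr when the frontend is disabled.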
----------------
gamesh411 wrote:

I hope to actually simplify this by actually returning the different kinds of 
results of the `CheckOverlap`; that way, (some) of these comments can disappear.

https://github.com/llvm/llvm-project/pull/186802
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
