https://bugs.llvm.org/show_bug.cgi?id=41833
Bug ID: 41833
Summary: CSA assumes illegal array access
Product: clang
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: Static Analyzer
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected]
I was expecting CSA to find an array-out-of-bounds error when dereferencing
s[1] in the following code:
-----------------
extern char *fcall();

/* K&R-style definition, kept as in the original report. */
static void example(buf, size, endp)
    char *buf;
    int size;
    char **endp;
{
    register char *beg;
    beg = buf+1;
    // begin
    beg = fcall();            /* opaque external call: beg is now unknown to the analyzer */
    if (beg != buf + 4) {
        return;
    }
    // end
    if (beg > buf && beg[-1] != '\n') {
        char *s = "";         /* one-byte literal: only s[0] is in bounds */
        char c = s[1];        /* expected out-of-bounds read report here */
    }
}
-----------------
In the above code, if we comment out the lines between // begin and // end, the bug
is found because beg[-1] is safe.
However, if we have a call to an external function that changes the value of
beg, clang somehow assumes that beg[-1] is always incorrect (and consequently
stops the exploration of that path).
I've added an earlier check that makes sure beg == buf+4, but that did not help.
Is this the expected behavior?
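Editor's note: the following script is an added reproduction helper and is not part of the bug report. It writes the reporter's test case to a temporary directory, derives the second variant by deleting the lines between the `// begin` and `// end` markers, and runs `clang --analyze` with the text output format on both files so the two analyzer runs can be compared directly. The file names and the temporary directory are assumptions of this example; if `clang` is not on PATH it only writes the two variants.

```shell
#!/bin/sh
# Added example (not from the bug report): A/B-test the analyzer on the
# reporter's test case with and without the external-call block.
set -eu

# Write the reporter's test case (with the fcall() block) to the file named in $1.
write_with_call() {
  cat > "$1" <<'EOF'
extern char *fcall();
static void example(buf, size, endp) char *buf;
int size;
char **endp;
{
    register char *beg;
    beg = buf+1;
    // begin
    beg = fcall();
    if (beg != buf + 4) {
        return;
    }
    // end
    if (beg > buf && beg[-1] != '\n') {
        char *s = "";
        char c = s[1];
    }
}
EOF
}

# Derive the "commented out" variant: copy $1 to $2, dropping every line
# from the "// begin" marker through the "// end" marker inclusive.
write_without_call() {
  sed '/\/\/ begin/,/\/\/ end/d' "$1" > "$2"
}

# Run the Clang Static Analyzer on one file; diagnostics go to stderr.
# (The default checkers are used; no extra checker flags are assumed.)
analyze() {
  clang --analyze -Xclang -analyzer-output=text "$1"
}

dir=$(mktemp -d)                      # assumed scratch location
write_with_call "$dir/with_call.c"
write_without_call "$dir/with_call.c" "$dir/without_call.c"

if command -v clang >/dev/null 2>&1; then
  for f in "$dir/with_call.c" "$dir/without_call.c"; do
    echo "== analyzing $f"
    analyze "$f" || true            # keep going even if clang exits non-zero
  done
else
  echo "clang not found; variants written to $dir for manual analysis"
fi
```

Run it as `sh repro.sh`; the interesting comparison is whether the `s[1]` diagnostic appears for `without_call.c` but not for `with_call.c`, which is the behaviour the report describes.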
--
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs