Bug ID: 41833
           Summary: CSA assumes illegal array access
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Static Analyzer

I was expecting CSA to find an array-out-of-bounds error when dereferencing
s[1] in the following code:

extern char *fcall();

/* K&R-style definition as posted; braces added so the snippet compiles. */
static void example(buf, size, endp)
char *buf;
int size;
char **endp;
{
    register char *beg;
    beg = buf + 1;
    // begin
    beg = fcall();          /* opaque external call: analyzer loses track of beg */
    if (beg != buf + 4) {
    // end
        if (beg > buf && beg[-1] != '\n') {
            char *s = "";
            char c = s[1];  /* out-of-bounds read: s only has s[0] == '\0' */
        }
    }
}

In the above code, if we comment the lines between // begin and // end, the bug
is found because beg[-1] is safe.
However, if we have a call to an external function that changes the value of
beg, clang somehow assumes that beg[-1] is always incorrect (and consequently
stops the exploration of that path).
I've added an earlier check that makes sure beg == buf+4 but that did not help.

Is this the expected behavior?
