https://bugs.llvm.org/show_bug.cgi?id=41833

            Bug ID: 41833
           Summary: CSA assumes illegal array access
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Static Analyzer
          Assignee: dcough...@apple.com
          Reporter: jhe...@grammatech.com
                CC: dcough...@apple.com, llvm-bugs@lists.llvm.org

I was expecting CSA to find an array-out-of-bounds error when dereferencing
s[1] in the following code:

-----------------
extern char *fcall();   // opaque external call: the analyzer knows nothing about its return value

static void example(buf, size, endp) char *buf;
int size;
char **endp;
{
    register char *beg;
    beg = buf+1;
    // begin
    beg = fcall();          // beg is overwritten with an unknown pointer
    if (beg != buf + 4) {   // on the surviving path beg == buf + 4
        return;
    }
    // end
    if (beg > buf && beg[-1] != '\n') {   // beg[-1] is buf[3] here
      char *s = "";
      char c = s[1];        // out of bounds: s has a single byte (the NUL); the report expects CSA to flag this
    }
}
-----------------

In the above code, if we comment out the lines between // begin and // end, the bug
is found because beg[-1] is safe.
However, if we have a call to an external function that changes the value of
beg, clang somehow assumes that beg[-1] is always incorrect (and consequently
stops the exploration of that path).
I've added an earlier check that makes sure beg == buf+4 but that did not help.

Is this the expected behavior?

_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs