[cfe-dev] [analyzer] RFC, garbage value => out of bounds

Joachim Durchholz via cfe-dev cfe-dev at lists.llvm.org
Mon Mar 14 04:13:48 PDT 2016


> I would like to change the analyzer so the a[i] value is not undefined when i is out of bounds.. to improve the Clang warnings.
>
> Code example:
>
>      void dostuff(int);
>
>      void f(int nr) {
>          int a[2] = {1,1};
>          for (int i = 0; i < nr; i++)
>              dostuff(a[i]);
>      }
>
>
> Output from Clang analyzer:
>
>      /home/danielm/ossa/uninit.c:7:5: warning: Function call argument is an uninitialized value
>          dostuff(a[i]);
>          ^~~~~~~~~~~~~
>
> The array a is fully initialized. So imho the message is a FP.

I think the message is misworded, it should be "is an undefined expression".
Actually a "potentially undefined expression", assuming the parameter is 
never passed a value >1.

> It is better to write "array index out of bounds". Like this:
>
>      /home/danielm/ossa/uninit.c:7:13: warning: Access out-of-bound array element (buffer overflow)
>          dostuff(a[i]);
>                  ^~~~

It would be relevant what happens if the expression is more complicated.

E.g. what happens for cases like
   a[a[i]]
   ptr[i-2]
   a[i > 4 ? i / 2 : i]
or if it is not directly fed to a function, as in
   a[i] + 5

Regards,
Jo


More information about the cfe-dev mailing list