[cfe-dev] Issue understanding static analyzer output
Loïc Joly via cfe-dev
cfe-dev at lists.llvm.org
Tue Mar 3 06:58:10 PST 2020
Hello, I have the following code (you can see it live here:
https://godbolt.org/z/iiki_w)
    typedef unsigned long long size_t;

    char f1(size_t len) {
        char a[] = "Hello world!";
        auto p = a + len + 1;
        return *p;
    }

    char f2(size_t len) {
        char a[] = "Hello world!";
        auto p = a + len;
        return *p;
    }

    char f3(int len) {
        char a[] = "Hello world!";
        auto p = a + len + 1;
        return *p;
    }
For f1, the static analyzer reports an out-of-bounds memory access, but not
for the other two cases, which look quite similar (one removes the addition
of 1 to an unknown SVal, the other works with int instead of size_t).
I tried to look into the exploded graph, and I got the following
constraint appearing right on the last node of the graph:
"constraints": ["symbol": "reg_$0<size_t len>", "range": "{
[18446744073709551615, 18446744073709551615] }
I fail to see where this constraint on "len" comes from. I know I'm using
an alpha checker, but I'm not sure this is meaningful in this case?
Do you have any idea?
Thank you!
---
Loïc Joly