<html>

    <head>

      <base href="http://llvm.org/bugs/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW --- - False positive 'Assigned value is garbage or undefined'"

   href="http://llvm.org/bugs/show_bug.cgi?id=22289">22289</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>False positive 'Assigned value is garbage or undefined'

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>clang

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>3.5

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Static Analyzer

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>kremenek@apple.com

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>me@wilfred.me.uk

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvmbugs@cs.uiuc.edu

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Given the following program:

// START

#include <string.h>

#include <stdlib.h>

void eval_program(char *program) {

    int program_len = strlen(program);

    int instruction_index = 0;

    char c;

    while (instruction_index < program_len) {

        c = *(program + instruction_index);

        switch (c) {

        default:

            instruction_index++;

            break;

        }

    }

}

char *read_stdin() {

    char *s = NULL;

    s = malloc(1);

    s[0] = '\0';

    return s;

}

int main() {

    char *program = read_stdin();

    eval_program(program);

    free(program);

    return 0;

}

// END

I get the following false positive warning:

$ scan-build -v clang -Wall -g -std=c99 main.c 

scan-build: Using '/usr/bin/clang' for static analysis

scan-build: Emitting reports for this run to

'/tmp/scan-build-2015-01-21-234825-5905-1'.

main.c:10:11: warning: Assigned value is garbage or undefined

        c = *(program + instruction_index);

          ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1 warning generated.

scan-build: 1 bug found.

I'm using clang v3.5.1. It seems that it's not able to reason that the string

access is within the legal range:

void eval_program(char *program) {

5       int program_len = strlen(program);

6       int instruction_index = 0;

7

8       char c;

9       while (instruction_index < program_len) {

      2 ← Assuming 'instruction_index' is < 'program_len'

      3 ← Loop condition is true. Entering loop body

      6 ← Assuming 'instruction_index' is < 'program_len'

      7 ← Loop condition is true. Entering loop body

10          c = *(program + instruction_index);

      8 ← Assigned value is garbage or undefined

11

12          switch (c) {

      4 ← Control jumps to the 'default' case at line 13

13          default:

14              instruction_index++;

15              break;

      5 ← Execution continues on line 9

16          }

17    }

18}</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>