<html>

    <head>

      <base href="https://llvm.org/bugs/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW --- - false positive in for-loop: static analyzer iterates too often"

   href="https://llvm.org/bugs/show_bug.cgi?id=24688">24688</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>false positive in for-loop: static analyzer iterates too often

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>clang

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>3.7

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Static Analyzer

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>kremenek@apple.com

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>stephan.beyer@uni-osnabrueck.de

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Hi,

consider the following C++ minimal example:

#include <iostream>

#include <cassert>

int main(int argc, const char *argv[])

{

    int my_array[4] = {0, 1, 2, 3};

    assert(argc < 3);

    for (int i = 0; i < 2*argc; i += 2) {

        std::cout << my_array[i] << std::endl;

    }

    return 0;

}

Clearly, it will output 0 when calling with no argument, and it will output 0

and 2 when calling with one argument.

However, the analyzer says:

minimal.cc:9:9: warning: Function call argument is an uninitialized value

        std::cout << my_array[i] << std::endl;

        ^~~~~~~~~~~~~~~~~~~~~~~~

and the report says that this is because the loop condition is true for *3*

times. Which cannot be the case due to the assertion.

Note that replacing the for-loop by the equivalent

    for (int i = 0; i < argc; i++) {

        std::cout << my_array[2*i] << std::endl;

    }

gets rid of the false positive.

I can reproduce it with Debian's clang++-3.5, 3.7 and 3.8.

Stephan</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>