<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - false positive in alpha.security.ArrayBoundV2 in for loop"
   href="https://bugs.llvm.org/show_bug.cgi?id=40606">40606</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>false positive in alpha.security.ArrayBoundV2 in for loop
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dcoughlin@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kamil.laskowski@nokia.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>dcoughlin@apple.com, llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Hello,

we've recently stumbled upon a case where alpha.security.ArrayBoundV2 claims
that we exceed the upper limit of a memory block, which clearly is not true, as I'm
going to show with the example. It may feel like it doesn't make sense to write
such code, but, believe me, I spent quite some time removing all the noise from the
original code sample.

//example
unsigned short fun(unsigned char size)
{
  const unsigned char SIZE = 1;
  unsigned short localtab[SIZE] = {1};   // one element, so index 0 is the only valid one

  for( unsigned char i = 0; i < 2; i++)
  {
    const unsigned char currentElement = size/2 + i;
    if (currentElement < SIZE)           // only currentElement == 0 gets past this guard
    {
      return localtab[currentElement];   // the access the checker reports
    }
  }
  return 0u;
}


I ran it with the following command:
$ scan-build -enable-checker alpha.security.ArrayBoundV2 clang++ -o WTF.o -c WTF.cpp

and this is what I got:
  scan-build: Using 'clang-9' for static analysis
  WTF.cpp:11:14: warning: Out of bound memory access (access exceeds upper limit of memory block)
        return localtab[currentElement];
               ^~~~~~~~~~~~~~~~~~~~~~~~
  1 warning generated.
  scan-build: 1 bug found.

Why doesn't clang see the condition in the if?
        </div>
      </p>
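<p>The report's claim can be checked exhaustively rather than by inspection: <code>size</code> is an <code>unsigned char</code>, so there are only 256 possible arguments, and the index expression <code>size/2 + i</code> is evaluated in <code>int</code> after integer promotion (at most 127 + 1 = 128), so it never wraps when converted back to <code>unsigned char</code>. The harness below is an added example, not code from the bug report or from the LLVM project; it keeps the reproducer's <code>fun()</code> verbatim and adds hypothetical helpers (<code>index_read</code>, <code>all_accesses_in_bounds</code>, <code>args_reaching_array</code>) that mirror the loop's arithmetic and enumerate every argument.</p>

```cpp
#include <cassert>
#include <cstdio>

// The reproducer from the report, unchanged: a one-element array indexed by a
// value derived from the argument, guarded by an explicit range check.
unsigned short fun(unsigned char size)
{
  const unsigned char SIZE = 1;
  unsigned short localtab[SIZE] = {1};

  for (unsigned char i = 0; i < 2; i++)
  {
    const unsigned char currentElement = size/2 + i;
    if (currentElement < SIZE)
    {
      return localtab[currentElement];
    }
  }
  return 0u;
}

// Hypothetical helper (not in the report): returns the index fun() would read
// from localtab for this `size`, or -1 when the loop falls through to
// `return 0u` without touching the array. The arithmetic is identical to the
// reproducer: size/2 + i is computed in int, is at most 127 + 1 = 128, and so
// fits in unsigned char without wrapping.
int index_read(unsigned char size)
{
  const unsigned char SIZE = 1;
  for (unsigned char i = 0; i < 2; i++)
  {
    const unsigned char currentElement = size/2 + i;
    if (currentElement < SIZE)
      return currentElement;
  }
  return -1;
}

// Exhaustive check over all 256 possible arguments: every index that reaches
// the array access lies in [0, SIZE). Returns true when the claim holds.
bool all_accesses_in_bounds()
{
  const int SIZE = 1;
  for (int s = 0; s < 256; s++)
  {
    const int idx = index_read(static_cast<unsigned char>(s));
    if (idx != -1 && (idx < 0 || idx >= SIZE))
      return false;
  }
  return true;
}

// Number of arguments for which localtab is read at all. Only size/2 == 0
// (size 0 or 1) together with i == 0 yields an index below SIZE, so this is 2.
int args_reaching_array()
{
  int n = 0;
  for (int s = 0; s < 256; s++)
    if (index_read(static_cast<unsigned char>(s)) != -1)
      n++;
  return n;
}

int main()
{
  std::printf("all accesses in bounds: %s\n", all_accesses_in_bounds() ? "yes" : "no");
  std::printf("arguments that read localtab: %d\n", args_reaching_array());
  std::printf("fun(0)=%hu fun(1)=%hu fun(2)=%hu fun(255)=%hu\n",
              fun(0), fun(1), fun(2), fun(255));
  return 0;
}
```

<p>Building the harness with <code>clang++ -std=c++11 -fsanitize=address,undefined</code> and running it gives a second, dynamic confirmation: the sanitizers instrument the real <code>localtab[currentElement]</code> access for every argument the enumeration feeds to <code>fun()</code>, so any index the guard let through would be reported at run time.</p>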


    </body>
</html>