<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><span class="vcard"><a class="email" href="mailto:balazs.benics@sigmatechnology.se" title="Balazs Benics <balazs.benics@sigmatechnology.se>"> <span class="fn">Balazs Benics</span></a>

</span> changed

          <a class="bz_bug_link 

          bz_status_RESOLVED  bz_closed"

   title="RESOLVED WONTFIX - Detect buffer underflow"

   href="https://bugs.llvm.org/show_bug.cgi?id=47130">bug 47130</a>

          <br>

             <table border="1" cellspacing="0" cellpadding="8">

          <tr>

            <th>What</th>

            <th>Removed</th>

            <th>Added</th>

          </tr>

         <tr>

           <td style="text-align:right;">CC</td>

           <td>

           </td>

           <td>balazs.benics@sigmatechnology.se

           </td>

         </tr>

         <tr>

           <td style="text-align:right;">Resolution</td>

           <td>---

           </td>

           <td>WONTFIX

           </td>

         </tr>

         <tr>

           <td style="text-align:right;">Status</td>

           <td>NEW

           </td>

           <td>RESOLVED

           </td>

         </tr></table>

      <p>

        <div>

            <b><a class="bz_bug_link 

          bz_status_RESOLVED  bz_closed"

   title="RESOLVED WONTFIX - Detect buffer underflow"

   href="https://bugs.llvm.org/show_bug.cgi?id=47130#c1">Comment # 1</a>

              on <a class="bz_bug_link 

          bz_status_RESOLVED  bz_closed"

   title="RESOLVED WONTFIX - Detect buffer underflow"

   href="https://bugs.llvm.org/show_bug.cgi?id=47130">bug 47130</a>

              from <span class="vcard"><a class="email" href="mailto:balazs.benics@sigmatechnology.se" title="Balazs Benics <balazs.benics@sigmatechnology.se>"> <span class="fn">Balazs Benics</span></a>

</span></b>

        <pre>By checking the code I'm pretty sure it's technically correct.

So, in that sense, there is no bug that we should warn about.

We explicitly check if the `memset()` deals with the whole object or not.

If it doesn't cover the whole object we invalidate the buffer.

This is done so because we can't model partially initialized memory regions

efficiently at scale. The memory model of the analyzer could be extended to

support at least if some concrete prefix/suffix/chunk has a certain property

(e.g. uninitialized, or initialized to a certain value). But we need to

consider the performance impact of these.

On the other hand, I agree that the check for this specific case, when a

concrete upperbound is used, could be detected without much effort.

The related code is located here:

<a href="https://github.com/llvm/llvm-project/blob/e5c7c171e5db6af1e3dca1059df4287b0d147eaf/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp#L1088-L1091">https://github.com/llvm/llvm-project/blob/e5c7c171e5db6af1e3dca1059df4287b0d147eaf/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp#L1088-L1091</a>

If you feel the courage to tinker with it, I could guide you through it, but I

don't have time to fix this.

Aside from that, I think there is a related SEI-CERT rule, but I cannot recall

ATM which.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>