<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/57515>57515</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            static analyzer mode=deep false positive with libwebp/imageio/pnmdec.c
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          jzern
      </td>
    </tr>
</table>

<pre>
    `clang-analyzer-core.uninitialized.ArraySubscript in libwebp/imageio/pnmdec.c` at line 118.

Most recently this reproduced with `Debian clang version 14.0.6-2`, but has been observed in earlier versions (`Debian clang version 11.0.1-2` and `clang version 7.0.1 (tags/RELEASE_701/final)`).

```
$ git clone https://chromium.googlesource.com/webm/libwebp
$ cd libwebp
$ git checkout v1.2.4-68-ge8f83de2
$ ./autogen.sh
$ scan-build-14 -o output-deep -analyzer-config mode=deep ./configure --enable-everything --enable-asserts
$ scan-build-14 -o output-deep -analyzer-config mode=deep make -j
```

This looks like a false positive. The core issue is how the for loop is analyzed when using strlen() [1]. To summarize, the analyzer assumes a `data_size` of 1, so we end up with 1 character in `out[]`, which is null terminated [2]. `strlen(out) == 1`, but we see _"The value 1 is assigned to 'i'"_,  _"Assuming the condition is true"_, _"Loop condition is true.  Entering loop body"_. Changing the condition to `out[i] != '\0'` hides the issue.

[1]: https://chromium.googlesource.com/webm/libwebp/+/v1.2.4-68-ge8f83de2/imageio/pnmdec.c#116
[2]: https://chromium.googlesource.com/webm/libwebp/+/v1.2.4-68-ge8f83de2/imageio/pnmdec.c#62
[report-84M9Wv.sarif.gz](https://github.com/llvm/llvm-project/files/9474062/report-84M9Wv.sarif.gz)
[report-OSbFAC.plist.gz](https://github.com/llvm/llvm-project/files/9474063/report-OSbFAC.plist.gz)

</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzFVU1v4zgM_TXOhbBhyY4TH3zI9OM0gwW2A-yxkGXGVitLhiQnaH_9Uk6TTKedBXYxwAKOFEvU4-MTSbe2e2mSKpdamD4VRuiXV3SptA6z2SijghJavWKX7ZwTLw9z66VTUwBlQKv2iO2U8Hs1ih6VpX-TGTuUmSRIEIFMDAJj2yzJb5N8dxq_WR_AoUQT9AuEQXl6m5ztZokdHFUYgI7fYquEgYUYHNB5ZQ2wMsuzKuW0n_AbaOcAg_DQIhqwrUd3IASihsJphe58zkPCt7_EZITJFkwQpoOzGheDTdyPCEH0nmL88-7r3e7h7nGTM3rbKxIt4fVCqX4XaFw6PadXXkKvArm3pMoQwuSTglbv6ZGDs6Oax6y3ttfo7ewkZtKOtEcix-ks9wVLdvBhbcEfUD5bkubAMp6VabVNe9zut0WH_GqZEaSYg-3RZH64rnspTNrOSncpKyG1QEjTHNIOcYIfM8TsVQ-j7TApbpfNiHhanh1CmqIRrcYUSccXumVS9LImPN1V8L_D6yieydnT54ov4_eYYdraZxoVGQvYC-0RJuspvQ-YwfcBIaY8KO_nOMJgj5SZCHvr4tEprr2xoBQdKN1mHyPywWk0Mbt4Dcn6C0vWt4Rnwc_jKBxVTszTiHSOASj2eUSCi5nWiSAefTSj7LN7YNHcWzgiIOXiPJ3qgdGlCidkoPOU3mRM-pA78vZWCsdBySGyNLPWQHYj5WUgsmTFF1JkeGEbT0fCxS095PRaTuTYI8JjwnlU5SA0CcKW8L1XvSHEYKkYNop-ZPQYDy7muxhX1CQsapqOxKXqoZPBzXg2jZZfo6AfLDKAO0PEI8QieUu9KR7L4GagevwIHYmclVAUI9FiMZ7IbH2Tx4lUHVRHaseTy-2-r9DTjVEZ_vd6jPZfaPys2j5tjbxgrLr45_-D_4pf3FPntS6k2_Jb_dch85Sy-6x_jZz49j0lai3D3L5x0PpwnlJq3U8ow9ILiSrNdbkp8yq6_wU8tcufCPzx0N7vbrJJKx9-F4HiSuBn-DOBFTasqni-2dZ5vuqaoquLWqyCChobH0RQ8lq5P7ad9y3kVKX_9EFczU43_zqeJWNjQOvNmq1XQ1NgxRGrVkgmsNtUBStlLnnLC-Sbuq1XWrSofRN7A-cGj6ekp_-k6Eo1POc8r3Oe58U6z7N1wfcMyz2vOGOSFUmZ4yiUziKPzLp-5ZqFUjvTp6_Mo3z-uvnWErA5taIVfU8G65onEsusFsfNQvxvxwumKw">