<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/60041>60041</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
CSA does not report the out-of-bounds warning for *c-- with the fact that c is a pointer to an int variable
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
Geoffrey1014
</td>
</tr>
</table>
<pre>
HI, I found a problem that CSA does not report the out-of-bounds warning for the following test case, but GCC Static Analyzer does. It seems that CSA does not handle `--` opertator correctly, hence miss reporting the out-of-bounds warning.
Thank you for taking the time to review this case.
CSA : https://godbolt.org/z/rM9jjEx6j
GSA: https://godbolt.org/z/Tsjaxvf1f
Compilation options: `--analyze -Xclang -analyzer-stats -Xclang -analyzer-constraints=range -Xclang -setup-static-analyzer -Xclang -analyzer-config -Xclang eagerly-assume=false -Xclang -analyzer-checker=core,alpha.security.taint,debug.ExprInspection,debug.TaintTest`
Input :
```c
#include "stdio.h"
#include <stdint.h>
#include <stdbool.h>
void clang_analyzer_eval();
int16_t a() {
uint16_t b = 1;
uint16_t *c = &b;
if (*c-- && 4073709551613L) {
clang_analyzer_eval((*c-- && 4073709551613L)==true);
clang_analyzer_eval((!(*c-- && 4073709551613L))==false);
clang_analyzer_eval(((!(*c--))||(!(4073709551613L)))==false);
clang_analyzer_eval(*c--);
clang_analyzer_eval(!(4073709551613L) == false);
clang_analyzer_eval((!(*c--))==false);
clang_analyzer_eval((!(4073709551613L))==false);
clang_analyzer_eval(((!(*c--))&&(4073709551613L))==false);
clang_analyzer_eval(((*c--)&&(!(4073709551613L)))==false);
clang_analyzer_eval(((!(*c--))&&(!(4073709551613L)))==false);
clang_analyzer_eval(true);
int d = *c--;
}
}
```
Output:
```bash
<source>:12:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((*c-- && 4073709551613L)==true);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((!(*c-- && 4073709551613L))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:5: warning: UNKNOWN [debug.ExprInspection]
clang_analyzer_eval(*c--);
^~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:5: warning: UNKNOWN [debug.ExprInspection]
clang_analyzer_eval((!(*c--))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((!(*c--))&&(4073709551613L))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((*c--)&&(!(4073709551613L)))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((!(*c--))&&(!(4073709551613L)))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:5: warning: Value stored to 'd' is never read [deadcode.DeadStores]
d = *c--;
^ ~~~~
===-------------------------------------------------------------------------===
Analyzer timers
===-------------------------------------------------------------------------===
Total Execution Time: 0.0037 seconds (0.0136 wall clock)
---User Time--- --System Time-- --User+System-- ---Wall Time--- --- Name ---
0.0022 ( 67.6%) 0.0000 ( 0.0%) 0.0022 ( 59.7%) 0.0075 ( 55.5%) Path exploration time
0.0002 ( 7.5%) 0.0004 (100.0%) 0.0007 ( 18.3%) 0.0052 ( 38.6%) Syntax-based analysis time
0.0008 ( 24.9%) 0.0000 ( 0.0%) 0.0008 ( 22.0%) 0.0008 ( 5.9%) Path-sensitive report post-processing time
0.0032 (100.0%) 0.0004 (100.0%) 0.0037 (100.0%) 0.0136 (100.0%) Total
8 warnings generated.
Compiler returned: 0
```
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJy8WF1zo7gS_TXySxcUCAP2gx8cO5mbuvdmtjaZnX2bEtAYJTKiJOHE87C_fUsCO3aCZ5JMJikKk9Pq03300SAxrfmqRpyR-IzEyxFrTSXV7BPKslS4DYNwPMpksZ3955LQBVxCKdu6AAaNkpnANZiKGVhcz6GQqKGWBhQ2UhkwFYJsjSdLL7M-Gu6Zqnm9glIqZy2lEPLeIga1gZxptDGy1sCnxQKuDTM8h3nNxPY7KhfAh0sDGnGtBwJXrC4EApAk8DySBCAbVIYZqSCXSmFuxNYGqLDOEdZc6z5Xl0KFMJyvD0CCJQnm3f2mYvUdbGXb6WB3O2_D1whGgsINx3swFddOk3_obRMm0RwqYxpNojmhF4RerGSRSWF8qVaEXnwn9EL9f3p7e_6Q3PaxP13PX-J2o2_Zw6YMy6OYct1wwQyXNcjG_liKrptY17vg_Z0LVq9gByhPG2b0AJ7LWhvFeG00iZaK1asDb42mbZwrz_cuwyQlX-0NyFaoxNZjWrdrJNGyZEIPJZVXmN-hItEyl8rOFiaaivka81Zxs_WNzYvQRYFZu_LPHxp1WesGcyt6D9_YRjeoDUmCw366rJvW2NHpwSTorrz_n0a8zkVbIBBKtSm49CtC6XNrtLDW2vgVic5PmDMpxaHd3TeSF-A0f9tJ_oYbJgidEDol0dlhY16bMPlmgHVWIGlvhnZnyoBESwj3jvBoInSeOyuhSXbQgJfg-Oa551kboQmMgzRKg2kch0kY_e841qlsf0ZBoiWJlka1eKjsR3ThC0h3vG7-vJT4iLtnSRf22pkGA70-1o7_sbfhZNvBsNBFhOchf8A0JO_1nXSyG96nv92AvmuIPXnP_K4j-RMV7xjr2QoBAF4bKPrF66LvjSRd9iVi_7CrYoel43NrmtY8r3QZ01UPRQstW5WjrVDRPKQkmsf2rdG_FO3jzZ9fzoHEZ4PFNl6-aGa-pUaQ-PyfV_8Ny4p-k6xfq1VvEnha5HhA5Jer_159_nr1SzqflbMf5D2cWfybMntFyXthXw_nn7x5-nxAeXzzLDqlNv1Nat-lUr-72slHj-1Hyz6pfDqg_C8mWgRtpMLCbnIITQtCU-AaatygAoWs6LqGFbks0F8iK65te320ZIffWwBWCRzmtOwu773-9ox9yP2-0u7blP6osDfSMAHnD5i3bkN2w-2GZw6BHwRRChpzafeehE4CPwijBO6ZEJALmd_ZgT94iQOA53lfNCpH4nmeQ6632uC6hxximxB61hl6zPtqafd-9nbF1mgf9uw2JUptKpCkfkJobD9BOzwIHG6fj_C-fTz10yM8jTs89uMd_gczFeBDI6Tq9qZ2II6CBx0ZpI9OHT62eBg8Bndo6lqHEz86ah13LNHkUcL1tjbswcuYxgLcQtVcD8SfOE869qcvEr9rT4dxiB95rHhPY6254RvcnZk0UhuvUTJHrd2xwtOMIvpU-akegd2MGsLtvHqKu4l5OL8mu_WvYYU1Kmaw8A9PFNyqN62qsXAz-MnH5KiYRcU0mrIRzsIkjdIkTuh0VM0oy4s8LschYlZgkMbjbJyNJ2GZTVhQpNMRn9GARkEYxkESR-OpTyfZdFqU5ZTRaRRSJOMA14wLX4jN2pdqNeJatzhLgmAcjgTLUGh3okVpjffgjHanHi9HamZ9vKxdaTIOBNdGP7IYbgTOXn-a1X_q3XNTdSdbLDfdAVVuKySDRvLa2FojgdXu-33DFGeZwFGrxOzJsQ43VZv5uVwTemFz63_szLjF3BB64RRpQi-c4n8DAAD__47nuAI">