<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/115410>115410</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[analyzer] False negative in ArrayBoundV2 and TaintPropagation
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
z1nke
</td>
</tr>
</table>
<pre>
Example code: https://godbolt.org/z/xhbsaYex6
```cpp
// clang-19 --analyze -Xanalyzer -analyzer-checker="alpha.security,optin.taint" test.c // clang-19 and above
// clang-18 --analyze -Xanalyzer -analyzer-checker="alpha.security" test.c // clang-18 and below
#include <stdio.h>
#include <stdlib.h>

void foo1() {
  char buf[20];
  if (fgets(buf, sizeof(buf), stdin) == NULL)
    return;
  int idx = atoi(buf);
  buf[idx] = '\0'; // expect-warning
}

void foo2() {
  char buf[20];
  fgets(buf, sizeof(buf), stdin);
  int idx = atoi(buf);
  buf[idx] = '\0'; // expect-warning
}
```
Results:
```
// clang-19 and above
<source>:17:3: warning: Potential out of bound access to 'buf' with tainted index [alpha.security.ArrayBoundV2]
17 | buf[idx] = '\0'; // expect-warning
| ^~~~~~~~
1 warning generated.
```
```
// clang-18 and below
<source>:10:3: warning: Potential out of bound access to 'buf' with tainted index [alpha.security.ArrayBoundV2]
10 | buf[idx] = '\0'; // expect-warning
| ^~~~~~~~
<source>:17:3: warning: Potential out of bound access to 'buf' with tainted index [alpha.security.ArrayBoundV2]
17 | buf[idx] = '\0'; // expect-warning
| ^~~~~~~~
2 warnings generated.
```
I found that the clang-19 version had a false negative in the `foo1` test case.
After some debugging, I found there might be a problem with the modeling of `fgets` in `StdLibraryFunctionsChecker`.
https://github.com/llvm/llvm-project/blob/ab51eccf88f5321e7c60591c5546b254b6afab99/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp#L2267-L2280
I am not very familiar with function summary modeling. Should we add the following case for the `fgets` function here?
```cpp
.Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg)
```
</pre>
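A bounds-checked counterpart of `foo1` from the report above, as an added example that is not part of the original issue or of LLVM's code: the input-derived index is parsed with `strtol` and validated against the buffer size before it is used. The helper names `parse_index` and `truncate_at_input_index` are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: parse a decimal index from text and accept it only
 * if it lies in [0, size). Returns 0 on success, -1 on rejection. */
static int parse_index(const char *text, size_t size, size_t *out) {
  char *end = NULL;
  errno = 0;
  long v = strtol(text, &end, 10);
  if (end == text || errno == ERANGE)
    return -1; /* no digits, or value does not fit in long */
  while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
    end++; /* allow trailing whitespace, e.g. the newline kept by fgets */
  if (*end != '\0')
    return -1; /* trailing non-numeric characters */
  if (v < 0 || (unsigned long)v >= size)
    return -1; /* negative or past the end of the buffer */
  *out = (size_t)v;
  return 0;
}

/* Bounds-checked counterpart of foo1(): reads one line from `in` and
 * terminates buf at the requested index only if that index is valid. */
static int truncate_at_input_index(FILE *in, char *buf, size_t size) {
  size_t idx;
  if (size == 0 || size > INT_MAX || fgets(buf, (int)size, in) == NULL)
    return -1;
  if (parse_index(buf, size, &idx) != 0)
    return -1;
  buf[idx] = '\0';
  return 0;
}

int main(void) {
  char buf[20];
  return truncate_at_input_index(stdin, buf, sizeof(buf)) == 0 ? 0 : 1;
}
```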