[PATCH] D110927: [analyzer] Access stored value of a constant array through a pointer to another type

Denys Petrov via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Oct 4 06:03:41 PDT 2021


ASDenysPetrov added a comment.

In D110927#3037118 <https://reviews.llvm.org/D110927#3037118>, @shafik wrote:

> IIUC the object is `const int arr[42]` and the `(char *)arr` is an expression of pointer type and adding `1` to this is valid. The case you refer to in D104285 <https://reviews.llvm.org/D104285> ended up being a pointer to an array of 2 ints and therefore accessing the third element was out of bounds.

You are right. According to http://eel.is/c++draft/expr.add#4, the expression `P + I` is valid while `0 ≤ I ≤ n`, and UB otherwise. This is valid until we try to dereference it; after that it becomes UB. The UBs you and I are talking about have different origins.

My concern is whether we do it correctly, considering that dereferencing an object of type **T** through another type is UB in certain cases. Namely, the paragraphs http://eel.is/c++draft/basic.lval#11 and http://eel.is/c++draft/basic.compound#3.4 tell us:

  int arr[42];
  // same type
  auto x = ((int*)arr)[0]; // OK
  auto x = ((int*)arr)[1]; // OK
  auto x = ((int*)arr)[41]; // OK
  
  // opposite signedness
  auto x = ((unsigned int*)arr)[0]; // OK
  auto x = ((unsigned int*)arr)[1]; // UB
  auto x = ((unsigned int*)arr)[41]; // UB
  
  // for char*, unsigned char* and std::byte*
  auto x = ((char*)arr)[0]; // OK
  auto x = ((char*)arr)[1]; // UB
  auto x = ((char*)arr)[41]; // UB
  
  using T = AllTheRestTypes;
  auto x = ((T*)arr)[0]; // UB
  auto x = ((T*)arr)[1]; // UB
  auto x = ((T*)arr)[41]; // UB


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D110927/new/

https://reviews.llvm.org/D110927
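As an added example (not part of the review or of Clang itself) illustrating the distinction drawn in the comment above: forming `P + I` up to one-past-the-end versus dereferencing it, and looking at the stored bytes of a constant array without dereferencing a differently-typed pointer into it. The array, its initializers and all function names are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed sample: a constant array like the `const int arr[42]` in the
// discussion, with initializers whose bytes are easy to recognise.
constexpr std::size_t kCount = 4;
static const int arr[kCount] = {0x04030201, 0x08070605, 0x0C0B0A09, 0x100F0E0D};

// [expr.add]/4: forming P + I is fine for 0 <= I <= n, including the
// one-past-the-end pointer; only dereferencing that last one is UB.
bool offset_is_formable(std::size_t i) { return i <= kCount; }
bool offset_is_dereferenceable(std::size_t i) { return i < kCount; }

// Well-defined way to inspect the object representation: copy the bytes out
// with memcpy instead of reading through a pointer of another type.
unsigned char byte_of_arr(std::size_t byte_index) {
    unsigned char bytes[sizeof arr];
    std::memcpy(bytes, arr, sizeof arr);
    return bytes[byte_index];
}

bool host_is_little_endian() {
    const std::uint16_t probe = 1;
    unsigned char first;
    std::memcpy(&first, &probe, 1);
    return first == 1;
}

// What a tool that models the stored value has to compute: byte k of the
// constant, derived from the element value and the host byte order.
unsigned char expected_byte(std::size_t byte_index) {
    const std::size_t elem = byte_index / sizeof(int);
    const std::size_t within = byte_index % sizeof(int);
    const unsigned v = static_cast<unsigned>(arr[elem]);
    const unsigned shift = static_cast<unsigned>(
        host_is_little_endian() ? within * 8 : (sizeof(int) - 1 - within) * 8);
    return static_cast<unsigned char>(v >> shift);
}
```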