[PATCH] D120489: [analyzer][NFCi] Done some changes to detect Uninitialized read by the char array manipulation functions

[Balázs Benics via Phabricator via cfe-commits]

steakhal added a comment.

I'm looking forward to this check.



================
Comment at: clang/test/Analysis/bstring.c:300-311
 void mempcpy14() {
   int src[] = {1, 2, 3, 4};
   int dst[5] = {0};
   int *p;
 
-  p = mempcpy(dst, src, 4 * sizeof(int));
+  p = mempcpy(dst, src, 4 * sizeof(int)); // expected-warning{{Bytes string function accesses uninitialized/garbage values}}
+  // FIXME: This behaviour is actually Unexpected and needs to be fix, 
----------------
Basically, the store has 4 direct bindings for the `src` cluster.
At bit offset 0, 32, 64, 96, the values `1`, `2`, `3`, `4` (ints) respectively.
However, in the `memcopy` modeling, we calculate the byte offset of the very last touched **byte**, which is `byte 15`.
Consequently, we will do a lookup in the store for acquiring a binding starting at bit offset `15*8, aka. 120`.
However, there is no binding for that offset. What we have instead, is a binding starting at offset 96, associating an integer, which is 4 bytes long, thus this entry actually refers to the bits [96-128], so it overlaps with the byte at [120-128].
>From this, we should be able to prove that the given bits must have been initialized to //some value//.

What I cannot remember off the top of my head, what was the type of the `ER`. I hope it was `char`, but I cannot recall.
If that was `char`, then we have a bug in the `store`.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D120489/new/

https://reviews.llvm.org/D120489