[PATCH] D159107: [analyzer] ArrayBoundCheckerV2 should disallow forming lvalues to out-of-bounds locations

Donát Nagy via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Aug 30 03:27:52 PDT 2023


donat.nagy added a comment.

Good direction of development, this will be useful for providing better bug reports (in addition to ensuring correct behavior in some situations).

Note that it's also possible to dereference pointers with the operator `->`, which is represented by `MemberExpr`s in the AST; we should probably handle that as if it was a `UO_Deref`.

There is also a small corner case: for an array `some_type arr[N]` it's well-defined to form the past-the-end pointer as `&arr[N]` (instead of `arr + N`) -- while any other use of `arr[N]` is undefined behavior. If this occurs in practice, then we'll probably need some additional logic to handle it. (Note that the `check::Location` implementation dodged this question, because it didn't report anything when the program formed `&arr[N]`, but later created a bug report when this pointer value was dereferenced.)



================
Comment at: clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp:34
+class ArrayBoundCheckerV2
+    : public Checker<check::Bind, check::PostStmt<ArraySubscriptExpr>,
+                     check::PostStmt<UnaryOperator>> {
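Review bot: the callback list in this class declaration carries no comment saying what each of `check::Bind`, `check::PostStmt<ArraySubscriptExpr>` and `check::PostStmt<UnaryOperator>` is there to catch, and the question raised right below about `check::Bind` shows that this is not obvious to a reader; a one-line comment above the class naming the case each callback covers would answer it in the source. Also, given the remark earlier in this review that `->` (a `MemberExpr`) should be treated like `UO_Deref`, note that no `check::PostStmt<MemberExpr>` appears in this list.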
----------------
Which testcase would break without the `check::Bind` callback? (No action needed, I'm just curious.)


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D159107/new/

https://reviews.llvm.org/D159107
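As an added illustration (not part of this review or of the checker's test suite), the two points discussed above in analyzed-code form: forming `&arr[N]` as a one-past-the-end sentinel is well-defined as long as it is only compared, never dereferenced, and a `->` access is a `MemberExpr` dereference that is only safe once the index has been checked. The struct, array and helper names are constructed for this example.

```c
#include <stddef.h>

/* Constructed sample data; N and the item array are not from the patch. */
#define N 4
struct item { int value; int weight; };
static const struct item kItems[N] = {{1, 10}, {2, 20}, {3, 30}, {4, 40}};

/* Walk from arr to the past-the-end pointer &arr[N].  Forming &arr[N] is
 * well-defined; the loop only compares against it and never loads arr[N],
 * so a checker that flags out-of-bounds lvalues must not report this. */
int sum_values(const struct item arr[N]) {
    int total = 0;
    for (const struct item *p = arr; p != &arr[N]; ++p)
        total += p->value;   /* '->' is a MemberExpr: a real dereference */
    return total;
}

/* Bounds-checked lookup through '->'.  Returns 1 and stores the weight when
 * idx is in range; returns 0 and leaves *out untouched otherwise, so the
 * pointer is never formed for idx >= N. */
int weight_at(const struct item arr[N], size_t idx, int *out) {
    if (idx >= N)
        return 0;
    const struct item *p = &arr[idx];  /* in range here, so this lvalue is valid */
    *out = p->weight;
    return 1;
}
```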


