[cfe-dev] Coverity Warning on ExprCXX.h
James Dennett via cfe-dev
cfe-dev at lists.llvm.org
Mon Sep 18 11:04:27 PDT 2017
On Mon, Sep 18, 2017 at 10:55 AM, Welson Sun via cfe-dev <
cfe-dev at lists.llvm.org> wrote:
> Hi,
>
> I got this Coverity "Out-of_bounds access" warning for this snippet in
> clang/include/AST/ExprCXX.h:
>
> 4048 child_range children() {
>
> 1. Condition this->State.is(), taking false branch.
> 4049 if (State.is<Stmt *>())
> 4050 return child_range(State.getAddrOfPtr1(), State.getAddrOfPtr1
> () + 1);
> 4051
> 4052 auto ES = State.get<ExtraState *>();
>
> 2. address_of: Taking address with &ES->Temporary yields a singleton
> pointer.
>
> CID 71050 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)3. ptr_
> arith: Using &ES->Temporary as an array. This might corrupt or
> misinterpret adjacent memory locations.
> 4053 return child_range(&ES->Temporary, &ES->Temporary + 1);
> 4054 }
>
> Since
>
> struct ExtraState {
> /// \brief The temporary-generating expression whose value will be
> /// materialized.
> Stmt *Temporary;
>
> /// \brief The declaration which lifetime-extended this reference, if
> any.
> /// Either a VarDecl, or (for a ctor-initializer) a FieldDecl.
> const ValueDecl *ExtendingDecl;
>
> unsigned ManglingNumber;
> };
>
>
> So &ES->Temporary get the address of the "Temporary", and &ES->Temporary+1
> is like the "end()" for a list container?
>
>
Right. C++ explicitly allows treating any object as an array of one object
in this regard, so this looks like a false positive from Coverity: the code
shows a valid way to create a one-element range.
-- James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170918/bea3b320/attachment.html>
More information about the cfe-dev
mailing list