[cfe-dev] Coverity Warning on ExprCXX.h

James Dennett via cfe-dev cfe-dev at lists.llvm.org
Mon Sep 18 11:04:27 PDT 2017


On Mon, Sep 18, 2017 at 10:55 AM, Welson Sun via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> Hi,
>
> I got this Coverity "Out-of-bounds access" warning for this snippet in
> clang/include/AST/ExprCXX.h:
>
> 4048  child_range children() {
>
> 1. Condition this->State.is(), taking false branch.
> 4049    if (State.is<Stmt *>())
> 4050      return child_range(State.getAddrOfPtr1(), State.getAddrOfPtr1() + 1);
> 4051
> 4052    auto ES = State.get<ExtraState *>();
>
> 2. address_of: Taking address with &ES->Temporary yields a singleton
> pointer.
>
> CID 71050 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)
> 3. ptr_arith: Using &ES->Temporary as an array. This might corrupt or
> misinterpret adjacent memory locations.
> 4053    return child_range(&ES->Temporary, &ES->Temporary + 1);
> 4054  }
>
> Since
>
>   struct ExtraState {
>     /// \brief The temporary-generating expression whose value will be
>     /// materialized.
>     Stmt *Temporary;
>
>     /// \brief The declaration which lifetime-extended this reference, if
> any.
>     /// Either a VarDecl, or (for a ctor-initializer) a FieldDecl.
>     const ValueDecl *ExtendingDecl;
>
>     unsigned ManglingNumber;
>   };
>
>
> So &ES->Temporary gets the address of the "Temporary", and &ES->Temporary+1
> is like the "end()" for a list container?
>
>
Right.  C++ explicitly allows treating any object as an array of one object
in this regard, so this looks like a false positive from Coverity: the code
shows a valid way to create a one-element range.

-- James
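The point James makes above, as an added example that is not part of the thread or of clang's sources: a cut-down stand-in for the `ExtraState`/`child_range` pair that builds the same `[&ES->Temporary, &ES->Temporary + 1)` range and iterates it. The types `Stmt`, `ExtraState`, `child_range` and the helper functions are simplified sketches assumed here, not clang's real definitions; the sample `ExtraState` at the bottom is constructed input. C++ ([expr.add]) treats a pointer to a non-array object as a pointer to the first element of a length-one array, so forming the one-past-the-end pointer is well defined, as long as that end pointer is only compared against and never dereferenced.

```cpp
// Added example, not clang code: why &ES->Temporary + 1 is a valid end().
// Stmt, ExtraState, child_range and the helpers below are simplified
// assumptions modelled on the names in the quoted ExprCXX.h snippet.
#include <cstddef>
#include <iterator>

struct Stmt { int id; };

struct ExtraState {
    Stmt *Temporary;            // the single child exposed through children()
    const void *ExtendingDecl;  // stands in for clang's `const ValueDecl *`
    unsigned ManglingNumber;
};

// Half-open range over Stmt* slots, in the spirit of llvm::iterator_range<Stmt **>.
struct child_range {
    Stmt **first;
    Stmt **last;
    Stmt **begin() const { return first; }
    Stmt **end() const { return last; }
};

// Mirrors the line Coverity flagged. `Temporary` is a single object, so
// &ES->Temporary behaves as a pointer into a one-element array; adding 1
// yields the one-past-the-end pointer, which may be compared but not read.
child_range children(ExtraState *ES) {
    return child_range{&ES->Temporary, &ES->Temporary + 1};
}

// Walk the range and count what it yields: exactly one child is expected.
std::size_t count_children(ExtraState *ES) {
    std::size_t n = 0;
    for (Stmt *child : children(ES)) {
        (void)child;  // only the count matters here
        ++n;
    }
    return n;
}

// True if the range has length one and its sole element is ES->Temporary.
bool range_yields_temporary(ExtraState *ES) {
    child_range r = children(ES);
    return std::distance(r.begin(), r.end()) == 1 && *r.begin() == ES->Temporary;
}

// True if end() is exactly one slot past begin(), i.e. no wider than the
// single member the range was built from.
bool end_is_one_past_begin(ExtraState *ES) {
    child_range r = children(ES);
    return r.end() == r.begin() + 1;
}

// Constructed sample input for the demonstration (not from the page).
static Stmt sample_stmt{7};
static ExtraState sample_es{&sample_stmt, nullptr, 0};

std::size_t sample_child_count() { return count_children(&sample_es); }
bool sample_range_ok() { return range_yields_temporary(&sample_es); }
bool sample_end_ok() { return end_is_one_past_begin(&sample_es); }
```

The range-for in `count_children` is the same traversal any RecursiveASTVisitor-style walk would do over `children()`: it reads `begin()` once and stops when the iterator compares equal to `end()`, so the one-past-the-end pointer is never dereferenced and no adjacent member (`ExtendingDecl`) is touched. That is what makes the ARRAY_VS_SINGLETON report a false positive for this idiom.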