[cfe-dev] Coverity Warning on ExprCXX.h

[David Blaikie via cfe-dev]

False positive, that said - we do have "makeArrayRef" that can make an
arrayRef of a singular item & might also happen to remove/hide this false
positive, if someone wants to see if that helps.

(not sure an ArrayRef would be compatible with child_range, etc... could be
worth considering/checking/etc)

On Mon, Sep 18, 2017 at 10:55 AM Welson Sun via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> Hi,
>
> I got this Coverity "Out-of_bounds access" warning for this snippet in
> clang/include/AST/ExprCXX.h:
>
> 4048  child_range children() {
>
> 1. Condition this->State.is(), taking false branch.
> 4049    if (State.is<Stmt *>())
> 4050      return child_range(State.getAddrOfPtr1(), State.getAddrOfPtr1
> () + 1);
> 4051
> 4052    auto ES = State.get<ExtraState *>();
>
> 2. address_of: Taking address with &ES->Temporary yields a singleton
> pointer.
>
> CID 71050 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)3.
> ptr_arith: Using &ES->Temporary as an array. This might corrupt or
> misinterpret adjacent memory locations.
> 4053    return child_range(&ES->Temporary, &ES->Temporary + 1);
> 4054  }
>
> Since
>
>   struct ExtraState {
>     /// \brief The temporary-generating expression whose value will be
>     /// materialized.
>     Stmt *Temporary;
>
>     /// \brief The declaration which lifetime-extended this reference, if
> any.
>     /// Either a VarDecl, or (for a ctor-initializer) a FieldDecl.
>     const ValueDecl *ExtendingDecl;
>
>     unsigned ManglingNumber;
>   };
>
>
> So &ES->Temporary get the address of the "Temporary", and &ES->Temporary+1
> is like the "end()" for a list container?
>
>
> --
> - Welson
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170920/361b44e9/attachment.html>