[cfe-dev] [Analyzer] ArrayBoundCheckerV2: Why does the analyzer add the constraint `Idx < ArraySize` after element access?

Henry Wong via cfe-dev cfe-dev at lists.llvm.org
Wed Jul 11 03:27:58 PDT 2018


Hi all,

For the code below, the `ArrayBoundCheckerV2` will add the constraint `x < 100` after the `buf[x] = 1`, see https://reviews.llvm.org/D23112.
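```
// Debug hook handled by the analyzer's debug.ExprInspection checker.
void clang_analyzer_eval(int);

void test_assume_after_access(unsigned long x) {
    int buf[100];
    buf[x] = 1;
    clang_analyzer_eval(x <= 99); // expected-warning{{TRUE}}
}
```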

1. What is the purpose of doing this?
2. Why not add `x >= 0` as well?

I used `checkLocation()`, same as `ArrayBoundCheckerV2`, in my own checker too. Due to the uncertain calling order, I got the wrong constraints on `x` in my own checker. That's why I pay attention to this problem.

Thanks in advance!

Henry Wong
Qihoo 360 Codesafe Team