[cfe-dev] Issue understanding static analyzer output

Loïc Joly via cfe-dev cfe-dev at lists.llvm.org
Tue Mar 3 06:58:10 PST 2020


Hello, I have the following code (you can see it live here: 
https://godbolt.org/z/iiki_w)

typedef unsigned long long size_t;

char f1(size_t len) {
    char a[] = "Hello world!";
    auto p = a+len+1;
    return *p;
}

char f2(size_t len) {
    char a[] = "Hello world!";
    auto p = a+len;
    return *p;
}

char f3(int len) {
    char a[] = "Hello world!";
    auto p = a+len+1;
    return *p;
}

For f1, the static analyzer reports an out of bounds memory access, but not for 
the other 2 cases, which look quite similar (one removes the addition of 1 to 
an unknown SVal, the other one works with int instead of size_t).

I tried to look into the exploded graph, and I got the following 
constraint appearing right on the last node of the graph:
   "constraints": ["symbol": "reg_$0<size_t len>", "range": "{ 
[18446744073709551615, 18446744073709551615] }

I fail to see where this constraint on "len" comes from. I know I'm using 
an alpha checker, but I'm not sure this is meaningful in this case?


Do you have any idea?


Thank you!


---

Loïc Joly
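As an added example that is not part of the original post: the value 18446744073709551615 in the reported constraint is SIZE_MAX on a 64-bit target, and the index that f1 forms implicitly, len + 1 in size_t arithmetic, wraps to 0 exactly at that value. The constructed snippet below (assuming the same 13-byte buffer from the post) contrasts that naive index with an accessor that rejects such a len before the addition can happen, so no out-of-bounds pointer is ever formed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not code from the post. The buffer is the same
   string literal: 12 characters plus the terminating NUL, 13 bytes total. */
#define BUF_LEN 13

/* The index f1 computes implicitly through a + len + 1. Unsigned
   arithmetic wraps, so naive_index(SIZE_MAX) == 0 on every target. */
size_t naive_index(size_t len) {
    return len + 1;
}

/* Hardened accessor: validate len against the buffer length before
   adding 1. Because len must be strictly below BUF_LEN - 1, the sum
   can neither leave the buffer nor wrap around.
   Returns the byte at a[len + 1] as 0..255, or -1 if len is rejected. */
int read_at_plus_one(size_t len) {
    static const char a[BUF_LEN] = "Hello world!";
    if (len >= BUF_LEN - 1) {
        return -1;                       /* would read past the NUL or wrap */
    }
    return (unsigned char)a[len + 1];
}
```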