[LLVMbugs] [Bug 10965] New: Clang does not catch array bounds errors in simple loops
bugzilla-daemon at llvm.org
Tue Sep 20 07:00:32 PDT 2011
http://llvm.org/bugs/show_bug.cgi?id=10965
Summary: Clang does not catch array bounds errors in simple loops
Product: clang
Version: trunk
Platform: PC
OS/Version: All
Status: NEW
Severity: normal
Priority: P
Component: Frontend
AssignedTo: unassignedclangbugs at nondot.org
ReportedBy: asvitkine at chromium.org
CC: llvmbugs at cs.uiuc.edu
Tried this with my own built clang version 3.0 (trunk 140029) from TOT.
Consider the code in a.c:
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int i, arrr[10];

    for (i = 0; i < 10; i++)
        arrr[i] = rand();

    for (i = 0; i <= 10; i++) {
        if (arrr[i]) { // out of bounds when i == 10
            printf("Avast!\n");
        }
    }
    return 0;
}
Or similar type of problem in b.c:
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int i, arrr[10];

    for (i = 0; i < 10; i++)
        arrr[i] = rand();

    for (i = 0; i < 10; i++) {
        if (arrr[6 + i]) { // out of bounds when i >= 4
            printf("Arrr!\n");
        }
    }
    return 0;
}
Clang does not seem to catch these problems with -Wall and -Wextra, and not
even with --analyze.
Interestingly, gcc 4.6 does catch these when using higher optimization levels
(due to how some of GCC's warnings are found at codegen time - possibly after
loop unrolling in this case):
$ gcc-mp-4.6 -Wall -Wextra -O3 a.c
a.c: In function 'main':
a.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
$ gcc-mp-4.6 -Wall -Wextra -O3 b.c
b.c: In function 'main':
b.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
b.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
b.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
b.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
b.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
b.c:12:13: warning: array subscript is above array bounds [-Warray-bounds]
At the very least, clang's analyzer should detect these, but doesn't. However,
I'd argue that for such simple loops, it should be caught by regular warnings
(i.e. in cases where it's trivial to bound the index variables since the loop
has no conditional breaks/continues/etc and if statements around the code in
question).
Of course, these checks should also apply to arrays inside structs which have a
given size.
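
Added example, not part of the original report and not clang or gcc code: the index bound the report calls trivial, worked out for loops shaped like those in a.c and b.c. The names loop_access, oob_result and check_loop are hypothetical; the sketch assumes a unit-step counted loop with no break/continue and a subscript of the form offset + i.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical descriptor (not clang or gcc code) for a counted loop
 *   for (i = lo; i < hi; i++)     (i <= hi when inclusive is set)
 * with no break/continue, whose body reads arr[offset + i]. */
struct loop_access { long lo, hi; bool inclusive; long offset, array_len; };

struct oob_result {
    long count;   /* iterations whose subscript falls outside the array */
    long first_i; /* first offending i; meaningful only when count > 0 */
};

struct oob_result check_loop(struct loop_access a)
{
    struct oob_result r = {0, 0};
    long last = a.inclusive ? a.hi : a.hi - 1;   /* largest i the body sees */
    if (last < a.lo)
        return r;                                /* body never executes */

    /* i is in bounds exactly when ok_lo <= i <= ok_hi. */
    long ok_lo = -a.offset;
    long ok_hi = a.array_len - 1 - a.offset;
    long below = 0, above = 0, above_start = 0;

    if (a.lo < ok_lo) {                          /* negative subscripts */
        long end = last < ok_lo - 1 ? last : ok_lo - 1;
        below = end - a.lo + 1;
    }
    if (last > ok_hi) {                          /* subscripts >= array_len */
        above_start = a.lo > ok_hi + 1 ? a.lo : ok_hi + 1;
        above = last - above_start + 1;
    }
    r.count = below + above;
    r.first_i = below > 0 ? a.lo : above_start;
    return r;
}

int main(void)
{
    struct loop_access a_c = {0, 10, true, 0, 10};   /* a.c: i <= 10, arrr[i] */
    struct loop_access b_c = {0, 10, false, 6, 10};  /* b.c: i < 10, arrr[6 + i] */
    struct oob_result ra = check_loop(a_c), rb = check_loop(b_c);
    printf("a.c: %ld out-of-bounds iteration(s), first at i == %ld\n", ra.count, ra.first_i);
    printf("b.c: %ld out-of-bounds iteration(s), first at i == %ld\n", rb.count, rb.first_i);
    return 0;
}
```

For b.c it reports six out-of-bounds iterations (i == 4 through 9), the same number of warnings gcc printed for that file above.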