https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
For example, the "classic test" referred to in section 1.2 of
https://open-std.org/JTC1/SC22/WG14/www/docs/n3005.pdf has:

#include <stdio.h>
#include <string.h>
int y=2, x=1;
int main() {
  int *p = &x + 1;
  int *q = &y;
  printf("Addresses: p=%p q=%p\n" ,(void*)p,(void*)q);
  if (memcmp(&p, &q, sizeof(p)) == 0) {
    *p = 11; // does this have undefined behaviour?
    printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
  }
}

where N3005 notes that "the mere formation of the &x+1 one-past pointer is
explicitly permitted by the ISO standard".

I think -fanalyzer ought to complain with a definite-out-of-bounds warning at
the *p dereference: assuming sizeof(int) == 4, we'd have a decl_region of size
4, where only bytes 0 to 3 are validly accessible, whereas here the code
attempts to access bytes 4-7 of the decl_region for x, which is
out-of-bounds.

(I think the memcpy result would be a conjured_svalue, and hence we would
consider both true and false out-edges after the test; if the user is relying
on the two vars to be next to each other in memory we ought to be warning them
about that)
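
The byte-range reasoning in the comment above, as an added example that is not part of the comment and is not GCC's implementation: a pointer is modelled as a byte offset into the declaration it was derived from, forming a one-past pointer is accepted, and a dereference is checked against the valid bytes. The struct, enum and function names are hypothetical, and the input in main is constructed to mirror the quoted test.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not GCC's data structures: a pointer is tracked as
   a byte offset into the declaration it was derived from. */
struct tracked_ptr {
    const char *decl;   /* name of the base declaration */
    size_t decl_size;   /* size of that declaration in bytes */
    long offset;        /* byte offset of the pointer within it */
};

enum verdict { IN_BOUNDS, OUT_OF_BOUNDS, BAD_FORMATION };

/* Pointer arithmetic: offsets 0..decl_size (one past the end) may be formed. */
enum verdict ptr_add(struct tracked_ptr *p, long elems, size_t elem_size)
{
    long off = p->offset + elems * (long)elem_size;
    if (off < 0 || (size_t)off > p->decl_size)
        return BAD_FORMATION;   /* offset left unchanged */
    p->offset = off;
    return IN_BOUNDS;
}

/* Dereference: every accessed byte must lie in [0, decl_size). */
enum verdict check_access(const struct tracked_ptr *p, size_t n,
                          long *first, long *last)
{
    *first = p->offset;
    *last = p->offset + (long)n - 1;
    if (*first < 0 || (size_t)*last >= p->decl_size)
        return OUT_OF_BOUNDS;
    return IN_BOUNDS;
}

int main(void)
{
    /* Constructed input mirroring the test: int x; int *p = &x + 1; *p = 11; */
    struct tracked_ptr p = { "x", sizeof(int), 0 };
    long first, last;
    enum verdict formed = ptr_add(&p, 1, sizeof(int));
    enum verdict deref = check_access(&p, sizeof(int), &first, &last);
    printf("form &x+1: %s\n", formed == IN_BOUNDS ? "permitted" : "invalid");
    if (deref == OUT_OF_BOUNDS)
        printf("*p: bytes %ld-%ld are outside '%s' (valid bytes 0-%zu)\n",
               first, last, p.decl, p.decl_size - 1);
    return 0;
}
```

The verdict depends only on the pointer's provenance (the declaration for x) and its offset, not on whether y happens to be placed next to x in memory.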