Hello,
I recently came across a false negative in GCC's detection of array bounds
violation. At first, I thought the other tool (PC-Lint) was having a false
positive, but it turns out to be correct. The false negative occurs in GCC
4.3, 4.4.1, and latest trunk (4.5). I'm curious to understand how exactly
the detection breaks down, as I think it may affect if/how the loop in
question is optimized.
Here is the code:
#include <stdbool.h>   /* for 'false' */

int main(int argc, char** argv)
{
    unsigned char data[8];
    int hyphen = 0, i = 0;
    char *option = *argv;

    /* i runs 19..35; (i - hyphen) / 2 goes well past data[7] */
    for(i = 19; i < 36; ++i) {
        if(option[i] == '-') {
            if(hyphen) return false;
            ++hyphen;
            continue;
        }
        if(!(option[i] >= '0' && option[i] <= '9')
           && !(option[i] >= 'A' && option[i] <= 'F')
           && !(option[i] >= 'a' && option[i] <= 'f')) {
            return false;
        }
        data[(i-hyphen)/2] = 0;
    }
    return 0;
}
When i is 36 and hyphen is 0 (and in many other cases), data[] will be
overflowed by quite a bit. Where does the breakdown in array bounds
detection occur, and why? Once I understand, and if the fix is simple
enough, I can try to fix the bug and supply a patch.
Thanks!
--
tangled strands of DNA explain the way that I behave.
http://www.clock.org/~matt
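The following is an added example, not code from the post above or from GCC. It makes the overflow in the quoted loop explicit in two ways: max_written_index() computes the largest index the loop can store to for the given bounds (hyphen can only be 0 or 1 at the time of a write, since a second '-' returns early), and parse_hex_span() is a hardened form of the same loop that checks every read against the option string's length and every write against the destination size. The function names, the SAMPLE_OPTION strings and the 64-byte cap in run_sample() are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest index the quoted loop can write for i in [begin, end).
 * hyphen is 0 or 1 whenever a store happens, so both values are tried. */
static int max_written_index(int begin, int end)
{
    int max = -1;
    for (int hyphen = 0; hyphen <= 1; hyphen++) {
        for (int i = begin; i < end; i++) {
            int idx = (i - hyphen) / 2;
            if (idx > max) max = idx;
        }
    }
    return max;
}

/* 1 if the loop can store past data[len - 1], else 0. */
static int loop_can_overflow(size_t len, int begin, int end)
{
    return max_written_index(begin, end) >= (int)len;
}

/* Hardened form of the loop. Returns the number of bytes stored, or -1 on
 * a second '-', a non-hex character, a read past the option string, or a
 * store that would fall outside data[0 .. datalen-1]. */
static int parse_hex_span(const char *option, size_t optlen,
                          int begin, int end,
                          unsigned char *data, size_t datalen)
{
    int hyphen = 0;
    int stored = 0;

    if (begin < 0 || end < begin || (size_t)end > optlen)
        return -1;                      /* loop would read past the string */

    for (int i = begin; i < end; ++i) {
        char c = option[i];
        if (c == '-') {
            if (hyphen) return -1;
            ++hyphen;
            continue;
        }
        int is_hex = (c >= '0' && c <= '9') ||
                     (c >= 'A' && c <= 'F') ||
                     (c >= 'a' && c <= 'f');
        if (!is_hex) return -1;

        size_t idx = (size_t)(i - hyphen) / 2;
        if (idx >= datalen) return -1;  /* the check the original loop lacks */
        data[idx] = 0;
        ++stored;
    }
    return stored;
}

/* Constructed sample inputs: 19 filler bytes, then the 17 characters the
 * loop examines at indices 19..35. */
static const char SAMPLE_OPTION[]        = "xxxxxxxxxxxxxxxxxxx" "0123456789abcdef0";
static const char SAMPLE_OPTION_HYPHEN[] = "xxxxxxxxxxxxxxxxxxx" "01-23456789abcdef";

/* Run the hardened parser on a sample against a destination of datalen
 * bytes (capped at 64 for this demo); returns parse_hex_span()'s result. */
static int run_sample(const char *option, size_t datalen)
{
    unsigned char data[64];
    if (datalen > sizeof data) return -1;
    return parse_hex_span(option, strlen(option), 19, 36, data, datalen);
}

int main(void)
{
    printf("largest index written for i in [19,36): %d (data has 8 slots)\n",
           max_written_index(19, 36));
    printf("can overflow: %d\n", loop_can_overflow(8, 19, 36));
    printf("hardened parser, 8-byte buffer: %d\n", run_sample(SAMPLE_OPTION, 8));
    printf("hardened parser, 18-byte buffer: %d\n", run_sample(SAMPLE_OPTION, 18));
    return 0;
}
```

With the loop bounds from the post the largest index is 17, so an 8-element array is overrun on every accepted input regardless of whether a hyphen appears; the hardened parser rejects the 8-byte destination and only succeeds once the destination has at least 18 elements.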