Issue 126884
Summary `clang-analyzer-security.ArrayBound` false positive
Labels false-positive
Assignees
Reporter zufuliu
It has a false positive for the following code (online at https://godbolt.org/z/9v8P684rc):
```c++
struct Foo {
    unsigned char get(unsigned char ch) const {
        return s[ch];
    }
    unsigned char s[256];
};

int bar(const Foo &foo, const char *s) {
    int j = 0;
    if (s) {
        const unsigned char ch = s[j];
        j++;
        if (static_cast<signed char>(ch) >= 0) {
            // nop
        } else {
            j += foo.get(ch);
        }
    }
    return j;
}
```

```console
<source>:3:16: warning: Out of bound access to memory preceding the field 's' [clang-analyzer-security.ArrayBound]
    3 |         return s[ch];
      |                ^
<source>:10:9: note: Assuming 's' is non-null
   10 |     if (s) {
      |         ^
<source>:10:5: note: Taking true branch
   10 |     if (s) {
      |     ^
<source>:13:13: note: Assuming 'ch' is < 0
   13 |         if (static_cast<signed char>(ch) >= 0) {
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:9: note: Taking false branch
   13 |         if (static_cast<signed char>(ch) >= 0) {
      |         ^
<source>:16:18: note: Calling 'Foo::get'
   16 |             j += foo.get(ch);
      |                  ^~~~~~~~~~~
<source>:3:16: note: Access of the field 's' at negative byte offset
    3 |         return s[ch];
      |                ^~~~~
1 warning generated.
```
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
