Issue |
127188
|
Summary |
[analyzer] `security.ArrayBound` lacks check for `std::array` or array passed by reference
|
Labels |
new issue
|
Assignees |
|
Reporter |
zufuliu
|
https://godbolt.org/z/aq7fTn8Tj
```c++
int table[256];  // global C array used by bar1/bar2; valid indices are 0..255
// Case 1: global array, index derived from a signed char.
// The analyzer output on this page reports security.ArrayBound at the
// subscript ("negative byte offset") on the path where x < 0.
// NOTE(review): on that path y is x converted to unsigned char, i.e. 128..255
// with an 8-bit char, which is still inside table[256]; the report looks like
// a false positive rather than a real out-of-bounds read. Confirm.
int bar1(signed char x) {
    const unsigned char y = x;  // negative x wraps modulo 2^CHAR_BIT
    if (x >= 0) {
        return y;
    }
    return table[y];  // only reached when x < 0
}
// Case 2: global array indexed by an unchecked int.
// The if-body is commented out, so every value of x reaches the subscript;
// x < 0 reads before table and x >= 256 reads past it.
// The analyzer output on this page flags this access on the x < 0 path.
int bar2(int x) {
    if (x >= 0) {
        //return x;
    }
    return table[x];  // no range check on x before the read
}
// Minimal user-defined fixed-size container, standing in for std::array in
// user code so the analyzer sees the subscript operator's body.
template<typename T, unsigned N>
struct Foo {
    // Unchecked element read: nothing compares i against N, so any i >= N
    // reads outside items. The analyzer output on this page reports
    // security.ArrayBound on this line when reached through bar3.
    T operator[](unsigned i) const {
        return items[i];
    }
    T items[N];  // backing storage, N elements
};
// Case 3: user-defined container passed by reference, indexed by an
// unchecked int. A negative x is converted to a large unsigned value when it
// is passed to Foo::operator[](unsigned).
// The analyzer output on this page flags the access inside operator[]
// ("Calling 'Foo::operator[]'") on the x < 0 path.
int bar3(Foo<int, 256> &foo, int x) {
    if (x >= 0) {
        //return x;
    }
    return foo[x];  // int -> unsigned conversion happens at this call
}
// Case 4: same logic as bar1, but the array arrives as a reference parameter
// instead of being a global. No warning for this function appears in the
// analyzer output on this page.
// NOTE(review): when x < 0, y is 128..255 with an 8-bit char, which is inside
// tab[256], so the missing warning may be the correct result here. Confirm.
int foo1(int (&tab)[256], signed char x) {
    const unsigned char y = x;  // negative x wraps modulo 2^CHAR_BIT
    if (x >= 0) {
        return y;
    }
    return tab[y];  // only reached when x < 0
}
// Case 5: same logic as bar2, but the array arrives as a reference to
// int[256]. The extent is part of the parameter type, yet x is still
// unchecked: x < 0 reads before tab and x >= 256 reads past it.
// No warning for this function appears in the analyzer output on this page;
// this is the "array passed by reference" gap named in the issue summary.
int foo2(int (&tab)[256], int x) {
    if (x >= 0) {
        //return x;
    }
    return tab[x];  // no range check on x before the read
}
#include <array>
std::array<int, 256> table2;  // std::array counterpart of table; valid indices are 0..255
// Case 6: global std::array indexed by an unchecked int.
// std::array::operator[] performs no bounds check (at() is the checked
// accessor), and a negative x is converted to a large size_type value.
// No warning attributed to this function appears in the analyzer output on
// this page; this is the std::array gap named in the issue summary.
// NOTE(review): the output also lists 4028 warnings suppressed as "non-user
// code"; whether any of them corresponds to this access is not visible here.
int foo3(int x) {
    if (x >= 0) {
        //return x;
    }
    return table2[x];  // no range check on x before the read
}
// Case 7: std::array passed by reference, indexed by an unchecked int.
// Same unchecked operator[] read as the global std::array case: any x outside
// 0..255 reads outside tab's storage.
// No warning attributed to this function appears in the analyzer output on
// this page.
int foo4(std::array<int, 256> &tab, int x) {
    if (x >= 0) {
        //return x;
    }
    return tab[x];  // no range check on x before the read
}
```
```console
<source>:7:12: warning: Out of bound access to memory preceding 'table' [clang-analyzer-security.ArrayBound]
7 | return table[y];
| ^~~~~~~~
<source>:4:9: note: Assuming 'x' is < 0
4 | if (x >= 0) {
| ^~~~~~
<source>:4:5: note: Taking false branch
4 | if (x >= 0) {
| ^
<source>:7:12: note: Access of 'table' at negative byte offset
7 | return table[y];
| ^~~~~~~~
<source>:14:12: warning: Out of bound access to memory preceding 'table' [clang-analyzer-security.ArrayBound]
14 | return table[x];
| ^~~~~~~~
<source>:11:9: note: Assuming 'x' is < 0
11 | if (x >= 0) {
| ^~~~~~
<source>:11:5: note: Taking false branch
11 | if (x >= 0) {
| ^
<source>:14:12: note: Access of 'table' at negative byte offset
14 | return table[x];
| ^~~~~~~~
<source>:20:16: warning: Out of bound access to memory preceding the field 'items' [clang-analyzer-security.ArrayBound]
20 | return items[i];
| ^
<source>:26:9: note: Assuming 'x' is < 0
26 | if (x >= 0) {
| ^~~~~~
<source>:26:5: note: Taking false branch
26 | if (x >= 0) {
| ^
<source>:29:12: note: Calling 'Foo::operator[]'
29 | return foo[x];
| ^~~~~~
<source>:20:16: note: Access of the field 'items' at negative byte offset
20 | return items[i];
| ^~~~~~~~
4031 warnings generated.
Suppressed 4028 warnings (4028 in non-user code).
```