Geoffrey1014 / SA_Bugs

record bugs of static analyzers

-Wanalyzer-out-of-bounds false negative with `return l_1322[9];` at -O1 and above #70

Open ghost opened 10 months ago

ghost commented 10 months ago
```c
/* Reduced test case: l_1322 has 7 elements, so l_1322[9] is an out-of-bounds read. */
static int *foo(int);
union a { int f; };
int bar() { foo(0); }
int *foo(int d) {
    union a e[5]; union a *f = e; union a **g = &f;
    for (d = 1; d <= 6; d++) {
        union a h;
        for (int i = 0; i < 1; i++)
            ;
        *g = 0;
    }
    int *l_1322[7];
    for (int i = 0; i < 7; i++) l_1322[i] = (void *)0;
    return l_1322[9]; /* out-of-bounds read that -Wanalyzer-out-of-bounds misses at -O1 and above */
}
int main() { bar(); }
```
int main() { bar(); }

report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

ghost commented 10 months ago

Hi, in this case (https://godbolt.org/z/sKPxGrG8z), the array l_1322 has a capacity of 7. However, in relation to the `return l_1322[9]` statement, it appears (with -O1, -O2, -O3) that the analyzer doesn't report any related warnings.

Thanks for taking the time to look at this case, even though I'm not sure if it's helpful for improving the analyzer.
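The following script is an added example for checking a report like this one against a specific compiler build; it is not part of the issue and not code from the GCC project. It writes the reduced test case to a temporary file, compiles it with `-fanalyzer` at each optimisation level, and classifies whether `-Wanalyzer-out-of-bounds` fired. It assumes that `$CC` (default `gcc`) accepts `-fanalyzer`; on a compiler that rejects the flag every level is reported as "unavailable" rather than silently treated as a false negative. The function names (`analyzer_available`, `analyzer_result`, `is_false_negative`) are this example's own.

```sh
#!/bin/sh
# Added example (not from the issue or from GCC): run -fanalyzer on the
# reported test case at several -O levels and record whether
# -Wanalyzer-out-of-bounds fires, so a false negative can be confirmed
# against the compiler actually in use. Assumes $CC accepts -fanalyzer.

CC="${CC:-gcc}"
WORK="$(mktemp -d)"
SRC="$WORK/pr111095.c"
trap 'rm -rf "$WORK"' EXIT

# The reduced test case from the issue, copied so the script is self-contained.
cat > "$SRC" <<'EOF'
static int *foo(int);
union a { int f; };
int bar() { foo(0); }
int *foo(int d) {
    union a e[5]; union a *f = e; union a **g = &f;
    for (d = 1; d <= 6; d++) {
        union a h;
        for (int i = 0; i < 1; i++)
            ;
        *g = 0;
    }
    int *l_1322[7];
    for (int i = 0; i < 7; i++) l_1322[i] = (void *)0;
    return l_1322[9];
}
int main() { bar(); }
EOF

# analyzer_available: succeeds when $CC accepts -fanalyzer (GCC 10 or newer);
# clang and older gcc reject the option, so the probe compile fails.
analyzer_available() {
    printf 'int main(void) { return 0; }\n' > "$WORK/probe.c"
    "$CC" -fanalyzer -fsyntax-only "$WORK/probe.c" >/dev/null 2>&1
}

# analyzer_result LEVEL: prints "warned" when -Wanalyzer-out-of-bounds fired
# for the test case at -O<LEVEL>, "silent" when the analyzer ran but did not
# report it, or "unavailable" when $CC has no -fanalyzer.
analyzer_result() {
    lvl="$1"
    if ! analyzer_available; then
        echo unavailable
        return 0
    fi
    # Compile only; the diagnostic text is captured, the object file is discarded.
    "$CC" -fanalyzer "-O$lvl" -c -o "$WORK/out.o" "$SRC" >"$WORK/log.txt" 2>&1 || true
    # The warning option name appears in brackets at the end of the diagnostic.
    if grep -q -- '-Wanalyzer-out-of-bounds' "$WORK/log.txt"; then
        echo warned
    else
        echo silent
    fi
}

# is_false_negative: succeeds when -O0 reports the read but -O1 does not,
# i.e. the behaviour described in the issue reproduces with $CC.
is_false_negative() {
    [ "$(analyzer_result 0)" = warned ] && [ "$(analyzer_result 1)" = silent ]
}

# Stand-alone usage: one line per optimisation level, then a verdict.
for lvl in 0 1 2 3; do
    printf '%s: %s\n' "-O$lvl" "$(analyzer_result "$lvl")"
done
if is_false_negative; then
    echo "reproduced: the out-of-bounds read is only reported at -O0"
fi
```

Run it with the compiler under test selected through `CC` (for example `CC=gcc-13 sh check.sh`). Because the analyzer runs on the optimised intermediate representation, a warning seen at -O0 is no guarantee for the -O2 production build, which is why the script records each level separately instead of a single pass/fail.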