Is this by design? The buffer size in the attached result is 32, and thus every access beyond that is invalid. Yet, ArrayBound keeps iterating until it reaches analyzer-max-loop. Is this by design, or is this a bug? I realize that ArrayBound is the “old” version of the array bounds checker.
alpha.security.ArrayBound doesn’t know when to stop.txt (1.81 KB)
report-68402f.html (41.4 KB)
Oops, ArrayBoundV2 does this also.
I think you may be misinterpreting the number labels on the path notes in the attached report. Each number indicates the order of the note along the path and not the number of iterations through the loop. In this case, the analyzer enters the loop 31 times, as you would expect, even though analyzer-max-loop is set to 64.