[analyzer] Tracking values across loop iterations

This one looks very similar, if not the same, as the case in a previous email.

If I try to use __builtin_assume to tell the SA that len is > 0, I still see the SA error. It seems the analyzer is exploring a case where the expression “(len*2)” is equal to 0 from what I can see?

Does this makes sense, or perhaps I’m missing something?

Thanks - Vince

clang -cc1 -analyze -analyzer-checker=core test.c
test.c:14:17: warning: The left operand of ‘==’ is a garbage value
if (ptrs[i] == ptrs[i+len])

1 warning generated.

The reproducer …

int getV();// { return 0; }
void foo() {
int len = getV();

int ptrs[len*2];
for (int i = 0; i < (len*2); i++) {
ptrs[i] = 0;
}
for (int i = 0; i < len; i++) {
if (ptrs[i] == ptrs[i+len])
return;
}
}