clang analyzer question.

Which command line do I use to detect the obvious bounds error in the
attached C program?

Kind Regards

James

t5.c (235 Bytes)

You could try valgrind for memory errors (so also bound checks).

Matthieu

There is experimental support for buffer overflow checking:

$ clang --analyze -Xclang -analyzer-checker-help t5.c | grep ArrayBound
alpha.security.ArrayBound Warn about buffer overflows (older checker)
alpha.security.ArrayBoundV2 Warn about buffer overflows (newer checker)

Neither of these checkers are enabled by default, and neither of them can detect the error in this example. It wouldn’t take much work to get those to handle this example, but buffer overflow checking in general requires a lot more work in the analyzer engine as it often involves reasoning about linear equations involving symbolic values, e.g:

symbolic_index * element size < symbolic_bounds

That kind of reasoning is currently beyond the analyzer’s ability.

Cheers,
Ted