Coverity Warning on ExprCXX.h


I got this Coverity “Out-of-bounds access” warning for this snippet in clang/include/AST/ExprCXX.h:

child_range children() {
  if (State.is<Stmt *>())
    return child_range(State.getAddrOfPtr1(), State.getAddrOfPtr1() + 1);

  auto ES = State.get<ExtraState *>();
  return child_range(&ES->Temporary, &ES->Temporary + 1);
}

Coverity's event trace for the report:

  1. Condition this->State.is<Stmt *>(), taking false branch.
  2. address_of: Taking address with &ES->Temporary yields a singleton pointer.
  3. ptr_arith: Using &ES->Temporary as an array. This might corrupt or misinterpret adjacent memory locations.

CID 71050 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON), reported on the final return statement.


struct ExtraState {
  /// \brief The temporary-generating expression whose value will be
  /// materialized.
  Stmt *Temporary;

  /// \brief The declaration which lifetime-extended this reference, if any.
  /// Either a VarDecl, or (for a ctor-initializer) a FieldDecl.
  const ValueDecl *ExtendingDecl;

  unsigned ManglingNumber;
};

So &ES->Temporary gets the address of “Temporary”, and &ES->Temporary + 1 is like the “end()” of a list container?

Right. C++ explicitly allows treating any object as an array of one object
in this regard, so this looks like a false positive from Coverity: the code
shows a valid way to create a one-element range.

-- James

Coverity developer lurking here. We agree this is a false positive and
have filed an internal request to look into suppressing it.


False positive. That said, we do have “makeArrayRef”, which can make an ArrayRef of a single item and might also happen to remove/hide this false positive, if someone wants to see if that helps.

(Not sure an ArrayRef would be compatible with child_range, etc.; could be worth considering/checking.)
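The two ways of building a one-element range discussed in this thread, as an added, self-contained example (not code from the thread, from clang, or from LLVM). Stmt, ExtraState, StmtRange, SingleElementRef, childrenViaPointerArith, childrenViaArrayRef and visitChildren are simplified stand-ins assumed here, not the real clang/LLVM types; SingleElementRef only imitates the shape of llvm::ArrayRef's one-element constructor. The point it shows is the one James makes: &ES->Temporary + 1 is a one-past-the-end pointer over a one-element "array", which is well-formed as long as it is only compared against and never dereferenced, so the range visits exactly one child either way.

```cpp
// Added example: a minimal stand-in for MaterializeTemporaryExpr::children()
// that builds a one-element range from the address of a single Stmt* member,
// the exact pattern Coverity flagged as ARRAY_VS_SINGLETON.
// Stmt, ExtraState, StmtRange and SingleElementRef are simplified assumptions,
// not the real clang/llvm types.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

struct Stmt {
  std::string Name;
};

// Simplified ExtraState: only the field the range points at matters here.
struct ExtraState {
  Stmt *Temporary = nullptr;
  unsigned ManglingNumber = 0;
};

// Stand-in for clang's child_range: a [begin, end) pair of Stmt** pointers.
struct StmtRange {
  Stmt **Begin;
  Stmt **End;
  Stmt **begin() const { return Begin; }
  Stmt **end() const { return End; }
  std::size_t size() const { return static_cast<std::size_t>(End - Begin); }
};

// The pattern from the thread: &ES->Temporary + 1 is the one-past-the-end
// pointer of a one-element "array" ([expr.add]). It is formed and compared
// against, never dereferenced, which is why the report is a false positive.
// Adding more than 1, or dereferencing the result, would be the real
// out-of-bounds access the checker is looking for.
StmtRange childrenViaPointerArith(ExtraState *ES) {
  return StmtRange{&ES->Temporary, &ES->Temporary + 1};
}

// The alternative raised above: an ArrayRef-style view over a single element.
// This is a simplified imitation of llvm::ArrayRef's one-element constructor
// (Data(&OneElt), Length(1)); it is an assumption, not the real class, and
// note that it does the same &OneElt + 1 arithmetic internally in end().
template <typename T>
struct SingleElementRef {
  const T *Data;
  std::size_t Length;
  explicit SingleElementRef(const T &OneElt) : Data(&OneElt), Length(1) {}
  const T *begin() const { return Data; }
  const T *end() const { return Data + Length; }
  std::size_t size() const { return Length; }
};

SingleElementRef<Stmt *> childrenViaArrayRef(ExtraState *ES) {
  return SingleElementRef<Stmt *>(ES->Temporary);
}

// Walk a range the way a generic AST visitor would and collect the child
// names, so callers can check that exactly one child is visited either way.
template <typename Range>
std::vector<std::string> visitChildren(const Range &R) {
  std::vector<std::string> Seen;
  for (Stmt *Child : R)
    Seen.push_back(Child ? Child->Name : "<null>");
  return Seen;
}

int main() {
  // Constructed input: one temporary-generating expression as the only child.
  Stmt Temp{"CXXTemporaryObjectExpr"};
  ExtraState ES;
  ES.Temporary = &Temp;
  assert(visitChildren(childrenViaPointerArith(&ES)).size() == 1);
  assert(visitChildren(childrenViaArrayRef(&ES)).size() == 1);
  return 0;
}
```

Both functions produce the same single-element iteration; the ArrayRef-style view merely moves the `+ 1` behind a constructor, which is why it may hide the checker's report without changing what the code does.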