Fixed danmar#5518 (FP regression in 1.64: Array accessed out of bounds)

danmar · danmar · commit 01c29ed15f53 · 2014-03-18T17:04:33.000+01:00
diff --git a/lib/checknullpointer.cpp b/lib/checknullpointer.cpp
@@ -567,6 +567,9 @@ void CheckNullPointer::nullPointerByDeRefAndChec()
         if (!value)
             continue;
 
+        if (!_settings->inconclusive && value->inconclusive)
+            continue;
+
         // Is pointer used as function parameter?
         if (Token::Match(tok->previous(), "[(,] %var% [,)]")) {
             const Token *ftok = tok->previous();
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
@@ -78,8 +78,8 @@ static bool bailoutFunctionPar(const Token *tok, const ValueFlow::Value &value,
         // if value is 0 and the library says 0 is invalid => do not bailout
         if (value.intvalue==0 && settings->library.isnullargbad(tok->str(), 1+argnr))
             return false;
-        // inconclusive => don't bailout
-        if (inconclusive && !addressOf && settings->inconclusive) {
+        // addressOf => inconclusive
+        if (!addressOf) {
             *inconclusive = true;
             return false;
         }
@@ -506,7 +506,7 @@ static void valueFlowAfterAssign(TokenList *tokenlist, ErrorLogger *errorLogger,
                 }
 
                 // noreturn scopes..
-                if (number_of_if > 0 &&
+                if ((number_of_if > 0 || Token::findmatch(tok2, "%varid%", start, varid)) &&
                     (Token::findmatch(start, "return|continue|break", end) ||
                      (Token::simpleMatch(end,"} else {") && Token::findmatch(end, "return|continue|break", end->linkAt(2))))) {
                     if (settings->debugwarnings)
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
@@ -271,7 +271,7 @@ class TestValueFlow : public TestFixture {
                "}";
         ASSERT_EQUALS(true, testValueOfX(std::string("void setx(int x);")+code, 2U, 1));
         ASSERT_EQUALS(false, testValueOfX(std::string("void setx(int &x);")+code, 2U, 1));
-        ASSERT_EQUALS(false, testValueOfX(code, 2U, 1));
+        ASSERT_EQUALS(true, testValueOfX(code, 2U, 1));
 
         code = "void f(char* x) {\n"
                "  strcpy(x,\"abc\");\n"
@@ -569,6 +569,22 @@ class TestValueFlow : public TestFixture {
                "}";
         ASSERT_EQUALS(false, testValueOfX(code, 4U, 0));
 
+        code = "void f() {\n"
+               "    int x = 32;\n"
+               "    if (x>=32) return;\n"
+               "    a[x]=0;\n"
+               "}";
+        ASSERT_EQUALS(false, testValueOfX(code, 4U, 32));
+
+        code = "void f() {\n"
+               "    int x = 32;\n"
+               "    if (x>=32) {\n"
+               "        a[x] = 0;\n"  // <- should have possible value 32
+               "        return;\n"
+               "    }\n"
+               "}";
+        TODO_ASSERT_EQUALS(true, false, testValueOfX(code, 4U, 32));
+
         // multivariables
         code = "void f(int a) {\n"
                "    int x = a;\n"
