codingman
diff --git a/‎lib/checkbufferoverrun.cpp‎
Lines changed: 80 additions & 67 deletions b/‎lib/checkbufferoverrun.cpp‎
Lines changed: 80 additions & 67 deletions
diff --git a/‎lib/checkbufferoverrun.h‎
Lines changed: 8 additions & 4 deletions b/‎lib/checkbufferoverrun.h‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎lib/checkstl.cpp‎
Lines changed: 16 additions & 21 deletions b/‎lib/checkstl.cpp‎
Lines changed: 16 additions & 21 deletions
diff --git a/‎lib/token.cpp‎
Lines changed: 3 additions & 1 deletion b/‎lib/token.cpp‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎lib/token.h‎
Lines changed: 1 addition & 1 deletion b/‎lib/token.h‎
Lines changed: 1 addition & 1 deletion
@@ -224,50 +224,55 @@ static bool getDimensionsEtc(const Token * const arrayToken, const Settings *set
     return !dimensions->empty();
 }
 
-static std::vector<const ValueFlow::Value *> getOverrunIndexValues(const Token *tok, const Token *arrayToken, const std::vector<Dimension> &dimensions, const std::vector<const Token *> &indexTokens, MathLib::bigint path)
+static ValueFlow::Value makeSizeValue(MathLib::bigint size, MathLib::bigint path)
+{
+    ValueFlow::Value v(size);
+    v.path = path;
+    return v;
+}
+
+static std::vector<ValueFlow::Value> getOverrunIndexValues(const Token* tok,
+                                                           const Token* arrayToken,
+                                                           const std::vector<Dimension>& dimensions,
+                                                           const std::vector<const Token*>& indexTokens,
+                                                           MathLib::bigint path)
 {
     const Token *array = arrayToken;
     while (Token::Match(array, ".|::"))
         array = array->astOperand2();
 
-    for (int cond = 0; cond < 2; cond++) {
-        bool equal = false;
-        bool overflow = false;
-        bool allKnown = true;
-        std::vector<const ValueFlow::Value *> indexValues;
-        for (int i = 0; i < dimensions.size() && i < indexTokens.size(); ++i) {
-            const ValueFlow::Value *value = indexTokens[i]->getMaxValue(cond == 1);
-            indexValues.push_back(value);
-            if (!value)
-                continue;
-            if (value->path != path)
-                continue;
-            if (!value->isKnown()) {
-                if (!allKnown)
-                    continue;
-                allKnown = false;
-            }
-            if (array->variable() && array->variable()->isArray() && dimensions[i].num == 0)
-                continue;
-            if (value->intvalue == dimensions[i].num)
-                equal = true;
-            else if (value->intvalue > dimensions[i].num)
-                overflow = true;
-        }
-        if (equal && tok->str() != "[")
+    bool isArrayIndex = tok->str() == "[";
+    if (isArrayIndex) {
+        const Token* parent = tok;
+        while (Token::simpleMatch(parent, "["))
+            parent = parent->astParent();
+        if (!parent || parent->isUnaryOp("&"))
+            isArrayIndex = false;
+    }
+
+    bool overflow = false;
+    std::vector<ValueFlow::Value> indexValues;
+    for (int i = 0; i < dimensions.size() && i < indexTokens.size(); ++i) {
+        MathLib::bigint size = dimensions[i].num;
+        if (!isArrayIndex)
+            size++;
+        const bool zeroArray = array->variable() && array->variable()->isArray() && dimensions[i].num == 0;
+        std::vector<ValueFlow::Value> values = !zeroArray
+                                                   ? ValueFlow::isOutOfBounds(makeSizeValue(size, path), indexTokens[i])
+                                                   : std::vector<ValueFlow::Value>{};
+        if (values.empty()) {
+            if (indexTokens[i]->hasKnownIntValue())
+                indexValues.push_back(indexTokens[i]->values().front());
+            else
+                indexValues.push_back(ValueFlow::Value::unknown());
             continue;
-        if (!overflow && equal) {
-            const Token *parent = tok;
-            while (Token::simpleMatch(parent, "["))
-                parent = parent->astParent();
-            if (!parent || parent->isUnaryOp("&"))
-                continue;
         }
-        if (overflow || equal)
-            return indexValues;
+        overflow = true;
+        indexValues.push_back(values.front());
     }
-
-    return std::vector<const ValueFlow::Value *>();
+    if (overflow)
+        return indexValues;
+    return {};
 }
 
 void CheckBufferOverrun::arrayIndex()
@@ -312,45 +317,52 @@ void CheckBufferOverrun::arrayIndex()
 
         // Positive index
         if (!mightBeLarger) { // TODO check arrays with dim 1 also
-            const std::vector<const ValueFlow::Value *> &indexValues = getOverrunIndexValues(tok, tok->astOperand1(), dimensions, indexTokens, path);
+            const std::vector<ValueFlow::Value>& indexValues =
+                getOverrunIndexValues(tok, tok->astOperand1(), dimensions, indexTokens, path);
             if (!indexValues.empty())
                 arrayIndexError(tok, dimensions, indexValues);
         }
 
         // Negative index
         bool neg = false;
-        std::vector<const ValueFlow::Value *> negativeIndexes;
+        std::vector<ValueFlow::Value> negativeIndexes;
         for (const Token * indexToken : indexTokens) {
             const ValueFlow::Value *negativeValue = indexToken->getValueLE(-1, mSettings);
-            negativeIndexes.emplace_back(negativeValue);
-            if (negativeValue)
+            if (negativeValue) {
+                negativeIndexes.emplace_back(*negativeValue);
                 neg = true;
+            } else {
+                negativeIndexes.emplace_back(ValueFlow::Value::unknown());
+            }
         }
         if (neg) {
             negativeIndexError(tok, dimensions, negativeIndexes);
         }
     }
 }
 
-static std::string stringifyIndexes(const std::string &array, const std::vector<const ValueFlow::Value *> &indexValues)
+static std::string stringifyIndexes(const std::string& array, const std::vector<ValueFlow::Value>& indexValues)
 {
     if (indexValues.size() == 1)
-        return MathLib::toString(indexValues[0]->intvalue);
+        return MathLib::toString(indexValues[0].intvalue);
 
     std::ostringstream ret;
     ret << array;
-    for (const ValueFlow::Value *index : indexValues) {
+    for (const ValueFlow::Value& index : indexValues) {
         ret << "[";
-        if (index)
-            ret << index->intvalue;
-        else
+        if (index.isNonValue())
             ret << "*";
+        else
+            ret << index.intvalue;
         ret << "]";
     }
     return ret.str();
 }
 
-static std::string arrayIndexMessage(const Token *tok, const std::vector<Dimension> &dimensions, const std::vector<const ValueFlow::Value *> &indexValues, const Token *condition)
+static std::string arrayIndexMessage(const Token* tok,
+                                     const std::vector<Dimension>& dimensions,
+                                     const std::vector<ValueFlow::Value>& indexValues,
+                                     const Token* condition)
 {
     auto add_dim = [](const std::string &s, const Dimension &dim) {
         return s + "[" + MathLib::toString(dim.num) + "]";
@@ -367,7 +379,9 @@ static std::string arrayIndexMessage(const Token *tok, const std::vector<Dimensi
     return errmsg.str();
 }
 
-void CheckBufferOverrun::arrayIndexError(const Token *tok, const std::vector<Dimension> &dimensions, const std::vector<const ValueFlow::Value *> &indexes)
+void CheckBufferOverrun::arrayIndexError(const Token* tok,
+                                         const std::vector<Dimension>& dimensions,
+                                         const std::vector<ValueFlow::Value>& indexes)
 {
     if (!tok) {
         reportError(tok, Severity::error, "arrayIndexOutOfBounds", "Array 'arr[16]' accessed at index 16, which is out of bounds.", CWE_BUFFER_OVERRUN, Certainty::normal);
@@ -377,15 +391,13 @@ void CheckBufferOverrun::arrayIndexError(const Token *tok, const std::vector<Dim
 
     const Token *condition = nullptr;
     const ValueFlow::Value *index = nullptr;
-    for (const ValueFlow::Value *indexValue: indexes) {
-        if (!indexValue)
-            continue;
-        if (!indexValue->errorSeverity() && !mSettings->severity.isEnabled(Severity::warning))
+    for (const ValueFlow::Value& indexValue : indexes) {
+        if (!indexValue.errorSeverity() && !mSettings->severity.isEnabled(Severity::warning))
             return;
-        if (indexValue->condition)
-            condition = indexValue->condition;
-        if (!index || !indexValue->errorPath.empty())
-            index = indexValue;
+        if (indexValue.condition)
+            condition = indexValue.condition;
+        if (!index || !indexValue.errorPath.empty())
+            index = &indexValue;
     }
 
     reportError(getErrorPath(tok, index, "Array index out of bounds"),
@@ -396,7 +408,9 @@ void CheckBufferOverrun::arrayIndexError(const Token *tok, const std::vector<Dim
                 index->isInconclusive() ? Certainty::inconclusive : Certainty::normal);
 }
 
-void CheckBufferOverrun::negativeIndexError(const Token *tok, const std::vector<Dimension> &dimensions, const std::vector<const ValueFlow::Value *> &indexes)
+void CheckBufferOverrun::negativeIndexError(const Token* tok,
+                                            const std::vector<Dimension>& dimensions,
+                                            const std::vector<ValueFlow::Value>& indexes)
 {
     if (!tok) {
         reportError(tok, Severity::error, "negativeIndex", "Negative array index", CWE_BUFFER_UNDERRUN, Certainty::normal);
@@ -405,15 +419,13 @@ void CheckBufferOverrun::negativeIndexError(const Token *tok, const std::vector<
 
     const Token *condition = nullptr;
     const ValueFlow::Value *negativeValue = nullptr;
-    for (const ValueFlow::Value *indexValue: indexes) {
-        if (!indexValue)
-            continue;
-        if (!indexValue->errorSeverity() && !mSettings->severity.isEnabled(Severity::warning))
+    for (const ValueFlow::Value& indexValue : indexes) {
+        if (!indexValue.errorSeverity() && !mSettings->severity.isEnabled(Severity::warning))
             return;
-        if (indexValue->condition)
-            condition = indexValue->condition;
-        if (!negativeValue || !indexValue->errorPath.empty())
-            negativeValue = indexValue;
+        if (indexValue.condition)
+            condition = indexValue.condition;
+        if (!negativeValue || !indexValue.errorPath.empty())
+            negativeValue = &indexValue;
     }
 
     reportError(getErrorPath(tok, negativeValue, "Negative array index"),
@@ -464,9 +476,10 @@ void CheckBufferOverrun::pointerArithmetic()
             // Positive index
             if (!mightBeLarger) { // TODO check arrays with dim 1 also
                 const std::vector<const Token *> indexTokens{indexToken};
-                const std::vector<const ValueFlow::Value *> &indexValues = getOverrunIndexValues(tok, arrayToken, dimensions, indexTokens, path);
+                const std::vector<ValueFlow::Value>& indexValues =
+                    getOverrunIndexValues(tok, arrayToken, dimensions, indexTokens, path);
                 if (!indexValues.empty())
-                    pointerArithmeticError(tok, indexToken, indexValues.front());
+                    pointerArithmeticError(tok, indexToken, &indexValues.front());
             }
 
             if (const ValueFlow::Value *neg = indexToken->getValueLE(-1, mSettings))
 
@@ -78,9 +78,9 @@ class CPPCHECKLIB CheckBufferOverrun : public Check {
 
     void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings) const OVERRIDE {
         CheckBufferOverrun c(nullptr, settings, errorLogger);
-        c.arrayIndexError(nullptr, std::vector<Dimension>(), std::vector<const ValueFlow::Value *>());
+        c.arrayIndexError(nullptr, std::vector<Dimension>(), std::vector<ValueFlow::Value>());
         c.pointerArithmeticError(nullptr, nullptr, nullptr);
-        c.negativeIndexError(nullptr, std::vector<Dimension>(), std::vector<const ValueFlow::Value *>());
+        c.negativeIndexError(nullptr, std::vector<Dimension>(), std::vector<ValueFlow::Value>());
         c.arrayIndexThenCheckError(nullptr, "i");
         c.bufferOverflowError(nullptr, nullptr, Certainty::normal);
         c.objectIndexError(nullptr, nullptr, true);
@@ -95,8 +95,12 @@ class CPPCHECKLIB CheckBufferOverrun : public Check {
 private:
 
     void arrayIndex();
-    void arrayIndexError(const Token *tok, const std::vector<Dimension> &dimensions, const std::vector<const ValueFlow::Value *> &indexes);
-    void negativeIndexError(const Token *tok, const std::vector<Dimension> &dimensions, const std::vector<const ValueFlow::Value *> &indexes);
+    void arrayIndexError(const Token* tok,
+                         const std::vector<Dimension>& dimensions,
+                         const std::vector<ValueFlow::Value>& indexes);
+    void negativeIndexError(const Token* tok,
+                            const std::vector<Dimension>& dimensions,
+                            const std::vector<ValueFlow::Value>& indexes);
 
     void pointerArithmetic();
     void pointerArithmeticError(const Token *tok, const Token *indexToken, const ValueFlow::Value *indexValue);
 
@@ -29,6 +29,7 @@
 #include "standards.h"
 #include "symboldatabase.h"
 #include "token.h"
+#include "tokenize.h"
 #include "utils.h"
 #include "valueflow.h"
 
@@ -87,23 +88,17 @@ void CheckStl::outOfBounds()
                         outOfBoundsError(parent->tokAt(2), tok->expressionString(), &value, parent->strAt(1), nullptr);
                         continue;
                     }
+
                     const Token* indexTok = parent->tokAt(2)->astOperand2();
                     if (!indexTok)
                         continue;
-                    const ValueFlow::Value* indexValue = indexTok->getMaxValue(false);
-                    if (indexValue && indexValue->intvalue >= value.intvalue) {
+                    std::vector<ValueFlow::Value> indexValues =
+                        ValueFlow::isOutOfBounds(value, indexTok, mSettings->severity.isEnabled(Severity::warning));
+                    if (!indexValues.empty()) {
                         outOfBoundsError(
-                            parent, tok->expressionString(), &value, indexTok->expressionString(), indexValue);
+                            parent, tok->expressionString(), &value, indexTok->expressionString(), &indexValues.front());
                         continue;
                     }
-                    if (mSettings->severity.isEnabled(Severity::warning)) {
-                        indexValue = indexTok->getMaxValue(true);
-                        if (indexValue && indexValue->intvalue >= value.intvalue) {
-                            outOfBoundsError(
-                                parent, tok->expressionString(), &value, indexTok->expressionString(), indexValue);
-                            continue;
-                        }
-                    }
                 }
                 if (Token::Match(tok, "%name% . %name% (") && container->getYield(tok->strAt(2)) == Library::Container::Yield::START_ITERATOR) {
                     const Token *fparent = tok->tokAt(3)->astParent();
@@ -127,17 +122,15 @@ void CheckStl::outOfBounds()
                     continue;
                 }
                 if (container->arrayLike_indexOp && Token::Match(parent, "[")) {
-                    const ValueFlow::Value *indexValue = parent->astOperand2() ? parent->astOperand2()->getMaxValue(false) : nullptr;
-                    if (indexValue && indexValue->intvalue >= value.intvalue) {
-                        outOfBoundsError(parent, tok->expressionString(), &value, parent->astOperand2()->expressionString(), indexValue);
+                    const Token* indexTok = parent->astOperand2();
+                    if (!indexTok)
+                        continue;
+                    std::vector<ValueFlow::Value> indexValues =
+                        ValueFlow::isOutOfBounds(value, indexTok, mSettings->severity.isEnabled(Severity::warning));
+                    if (!indexValues.empty()) {
+                        outOfBoundsError(
+                            parent, tok->expressionString(), &value, indexTok->expressionString(), &indexValues.front());
                         continue;
-                    }
-                    if (mSettings->severity.isEnabled(Severity::warning)) {
-                        indexValue = parent->astOperand2() ? parent->astOperand2()->getMaxValue(true) : nullptr;
-                        if (indexValue && indexValue->intvalue >= value.intvalue) {
-                            outOfBoundsError(parent, tok->expressionString(), &value, parent->astOperand2()->expressionString(), indexValue);
-                            continue;
-                        }
                     }
                 }
             }
@@ -151,6 +144,8 @@ static std::string indexValueString(const ValueFlow::Value& indexValue)
         return "at position " + MathLib::toString(indexValue.intvalue) + " from the beginning";
     if (indexValue.isIteratorEndValue())
         return "at position " + MathLib::toString(-indexValue.intvalue) + " from the end";
+    if (indexValue.bound == ValueFlow::Value::Bound::Lower)
+        return "greater or equal to " + MathLib::toString(indexValue.intvalue);
     return MathLib::toString(indexValue.intvalue);
 }
 
 
@@ -2424,7 +2424,7 @@ const ValueFlow::Value* Token::getValue(const MathLib::bigint val) const
     return it == mImpl->mValues->end() ? nullptr : &*it;
 }
 
-const ValueFlow::Value* Token::getMaxValue(bool condition) const
+const ValueFlow::Value* Token::getMaxValue(bool condition, MathLib::bigint path) const
 {
     if (!mImpl->mValues)
         return nullptr;
@@ -2434,6 +2434,8 @@ const ValueFlow::Value* Token::getMaxValue(bool condition) const
             continue;
         if (value.isImpossible())
             continue;
+        if (value.path != 0 && value.path != path)
+            continue;
         if ((!ret || value.intvalue > ret->intvalue) &&
             ((value.condition != nullptr) == condition))
             ret = &value;
 
@@ -1151,7 +1151,7 @@ class CPPCHECKLIB Token {
 
     const ValueFlow::Value* getValue(const MathLib::bigint val) const;
 
-    const ValueFlow::Value* getMaxValue(bool condition) const;
+    const ValueFlow::Value* getMaxValue(bool condition, MathLib::bigint path = 0) const;
 
     const ValueFlow::Value* getMovedValue() const;