Bug hunting; Fix false positive, unsigned array index can't be negative

2021-01-01 08:57:35 +01:00 · 2021-01-01 08:57:35 +01:00 · 214f90c10a
parent 1d6c0976e5
commit 214f90c10a
2 changed files with 11 additions and 1 deletions
--- a/lib/bughuntingchecks.cpp
+++ b/lib/bughuntingchecks.cpp
@ -72,7 +72,8 @@ static void arrayIndex(const Token *tok, const ExprEngine::Value &value, ExprEng
                                  bailout);
        }
    }
-    if (value.isLessThan(dataBase, 0)) {
+    bool isUnsigned = tok->valueType() && tok->valueType()->sign == ::ValueType::Sign::UNSIGNED;
+    if (!isUnsigned && value.isLessThan(dataBase, 0)) {
        const bool bailout = (value.type == ExprEngine::ValueType::BailoutValue);
        dataBase->reportError(tok,
                              Severity::SeverityType::error,
--- a/test/testbughuntingchecks.cpp
+++ b/test/testbughuntingchecks.cpp
@ -41,6 +41,7 @@ private:
        TEST_CASE(arrayIndexOutOfBounds3);
        TEST_CASE(arrayIndexOutOfBounds4);
        TEST_CASE(arrayIndexOutOfBounds5);
+        TEST_CASE(arrayIndexOutOfBounds6);
        TEST_CASE(arrayIndexOutOfBoundsDim1);
        TEST_CASE(bufferOverflowMemCmp1);
        TEST_CASE(bufferOverflowMemCmp2);
@ -157,6 +158,14 @@ private:
                      "[test.cpp:9]: (error) Cannot determine that 'buf[i]' is initialized\n",
                      errout.str());
    }
+    void arrayIndexOutOfBounds6() {
+        check("int buf[5];\n"
+              "uint16_t foo(size_t offset) {\n"
+              "    uint8_t c = (offset & 0xc0) >> 6;\n"
+              "    return 2 * buf[c];\n"
+              "}");
+        ASSERT_EQUALS("", errout.str());
+    }

    void arrayIndexOutOfBoundsDim1() { // itc test case
        check("void overrun_st_008 () {\n"