Fix issue 10268: ValueFlow; Wrong value in for loop (#3257)

2021-05-15 01:39:20 -05:00 · 2021-05-15 01:39:20 -05:00 · eb96e4980e
parent c67e618627
commit eb96e4980e
2 changed files with 26 additions and 3 deletions
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@ -4911,10 +4911,13 @@ static bool valueFlowForLoop2(const Token *tok,
            execute(secondExpression, &programMemory, &result, &error);
    }

-    memory1->swap(startMemory);
+    if (memory1)
+        memory1->swap(startMemory);
    if (!error) {
-        memory2->swap(endMemory);
-        memoryAfter->swap(programMemory);
+        if (memory2)
+            memory2->swap(endMemory);
+        if (memoryAfter)
+            memoryAfter->swap(programMemory);
    }

    return true;
@ -5229,6 +5232,11 @@ struct MultiValueFlowAnalyzer : ValueFlowAnalyzer {
        const Token* condTok = getCondTokFromEnd(endBlock);
        if (scope && condTok)
            programMemoryParseCondition(pm, condTok, nullptr, getSettings(), scope->type != Scope::eElse);
+        if (condTok && Token::simpleMatch(condTok->astParent(), ";")) {
+            ProgramMemory endMemory;
+            if (valueFlowForLoop2(condTok->astTop()->previous(), nullptr, &endMemory, nullptr))
+                pm.replace(endMemory);
+        }
        // ProgramMemory pm = pms.get(endBlock->link()->next(), getProgramState());
        for (const auto& p:pm.values) {
            nonneg int varid = p.first;
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -132,6 +132,7 @@ private:
        TEST_CASE(array_index_51); // #3763
        TEST_CASE(array_index_52); // #7682
        TEST_CASE(array_index_53); // #4750
+        TEST_CASE(array_index_54); // #10268
        TEST_CASE(array_index_multidim);
        TEST_CASE(array_index_switch_in_for);
        TEST_CASE(array_index_for_in_for);   // FP: #2634
@ -1559,6 +1560,20 @@ private:
        ASSERT_EQUALS("[test.cpp:7]: (error) Array 'M[3][1]' accessed at index M[*][2], which is out of bounds.\n", errout.str());
    }

+    void array_index_54() {
+        check("void f() {\n"
+              "    g(0);\n"
+              "}\n"
+              "void g(unsigned int x) {\n"
+              "    int b[4];\n"
+              "    for (unsigned int i = 0; i < 4; i += 2) {\n"
+              "        b[i]   = 0;\n"
+              "        b[i+1] = 0;\n"
+              "    }\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+    }
+
    void array_index_multidim() {
        check("void f()\n"
              "{\n"