T-Gruber wrote:
> In addition to the above-mentioned issues there is also a conceptual problem
> with using `getOriginRegion()` to describe a symbol: it names the region
> where the symbol _originated_ (if it originated as the unknown initial value
> of a symbol), which is not necessarily the region where the symbol is stored
> _now_.
>
> For example consider the (somewhat contrived) code
>
> ```
> int matrix[10][10];
> int func(int x, int y) {
> int tmp = x;
> x = y;
> y = tmp;
> return matrix[x][-999];
> }
> ```
>
> Here the checker alpha.security.ArrayBoundV2 (which uses
> `getDescriptiveName`) would report that
>
> ```
> Access of 'matrix[y]' at negative byte offset
> ```
>
> because the symbolic value of the index _originated from_ the parameter `y`
> (i.e. the symbol is identified as "this is the initial value of `y`).
Yes, thats right. But the previous implementation ended up in an endless
recursion if the index is not of type ConcreteInt. Therefore, the proposed
version is a significant improvement (at least for my use cases).
https://github.com/llvm/llvm-project/pull/85104
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
