The analyzer detected the following issue in the code. The value of a variable is first used as the size or index of an array and only then is compared with 0 or the array size. This issue may indicate the presence of a logic error or typo in one of the comparisons.
Consider the following example:
int idx = GetPos(buf);
buf[idx] = 42;
if (idx < 0) return -1;
If the value of 'idx' turns out to be less than zero, an attempt to evaluate the 'buf[idx]' expression will result in an error. The analyzer will output a warning for this code pointing at two lines: the first line is where the variable is used and the second is where its value is compared with another value.
This is what the fixed version of the code looks like:
int idx = GetPos(buf);
if (idx < 0) return -1;
buf[idx] = 42;
The analyzer also outputs the warning when the variable is compared with the array size:
int buf[10];
buf[idx] = 42;
if (idx < countof(buf)) return -1;
Fixed code:
int buf[10];
if (idx < countof(buf)) return -1;
buf[idx] = 42;
Besides the indexes, the analyzer also takes into account how variables are used as arguments to functions that work with non-negative values (memset, malloc, etc.). Consider the following example:
bool Foo(char *A, int size_A, char *B, int size_B)
{
if (size_A <= 0)
return false;
memset(A, 0, size_A);
....
if (size_A <= 0) // Error
return false;
memset(B, 0, size_B);
....
}
This code contains a typo that will be detected in an indirect way. There are actually no problems with the 'A' array, but the programmer made a mistake checking the size of the 'B' array, which causes 'size_A' to be checked only after the 'A' array has been used.
Fixed code:
bool Foo(char *A, int size_A, char *B, int size_B)
{
if (size_A <= 0)
return false;
memset(A, 0, size_A);
....
if (size_B <= 0) // FIX
return false;
memset(B, 0, size_B);
....
}
In addition, the analyser can detect the problem, if the usage of a variable as an array index and its check are in one expression:
void f(int *arr, const int size)
{
for (int i = 0; arr[i] < 10 && i < size; ++i)
arr[i] = 0;
}
In this case, at the last loop iteration we'll check the value taken from the outside of the array bound, which is undefined behaviour.
Fixed version:
void f(int *arr, const int size)
{
for (int i = 0; i < size && arr[i] < 10; ++i)
arr[i] = 0;
}
This diagnostic is classified as:
You can look at examples of errors detected by the V781 diagnostic. |