Fix 11651: FP negativeIndex with for loop (#4934)

pfultz2 · web-flow · commit edfdfe658a49 · 2023-04-05T11:05:29.000+02:00
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
@@ -7042,20 +7042,26 @@ static void valueFlowForLoop(TokenList *tokenlist, SymbolDatabase* symboldatabas
                 for (const auto& p : mem1) {
                     if (!p.second.isIntValue())
                         continue;
+                    if (p.second.isImpossible())
+                        continue;
                     if (p.first.tok->varId() == 0)
                         continue;
                     valueFlowForLoopSimplify(bodyStart, p.first.tok, false, p.second.intvalue, tokenlist, errorLogger, settings);
                 }
                 for (const auto& p : mem2) {
                     if (!p.second.isIntValue())
                         continue;
+                    if (p.second.isImpossible())
+                        continue;
                     if (p.first.tok->varId() == 0)
                         continue;
                     valueFlowForLoopSimplify(bodyStart, p.first.tok, false, p.second.intvalue, tokenlist, errorLogger, settings);
                 }
                 for (const auto& p : memAfter) {
                     if (!p.second.isIntValue())
                         continue;
+                    if (p.second.isImpossible())
+                        continue;
                     if (p.first.tok->varId() == 0)
                         continue;
                     valueFlowForLoopSimplifyAfter(tok, p.first.getExpressionId(), p.second.intvalue, tokenlist, settings);
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
@@ -197,6 +197,7 @@ class TestBufferOverrun : public TestFixture {
         TEST_CASE(array_index_negative5);    // #10526
         TEST_CASE(array_index_negative6);    // #11349
         TEST_CASE(array_index_negative7);    // #5685
+        TEST_CASE(array_index_negative8);    // #11651
         TEST_CASE(array_index_for_decr);
         TEST_CASE(array_index_varnames);     // FP: struct member #1576, FN: #1586
         TEST_CASE(array_index_for_continue); // for,continue
@@ -2273,6 +2274,19 @@ class TestBufferOverrun : public TestFixture {
         ASSERT_EQUALS("[test.cpp:5]: (error) Array 'a[5]' accessed at index -9, which is out of bounds.\n", errout.str());
     }
 
+    // #11651
+    void array_index_negative8()
+    {
+        check("unsigned g(char*);\n"
+              "void f() {\n"
+              "    char buf[10];\n"
+              "    unsigned u = g(buf);\n"
+              "    for (int i = u, j = sizeof(i); --i >= 0;)\n"
+              "        char c = buf[i];\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+    }
+
     void array_index_for_decr() {
         check("void f()\n"
               "{\n"
