Fix #11895 FP derefInvalidIterator with std::advance (#8431)

chrchr-github · web-flow · web-flow · commit 4ef0318eb53a · 2026-04-10T20:38:31.000+02:00
Needs to be rebased after #8423 has been merged. --------- Co-authored-by: chrchr-github <noreply@github.com>
diff --git a/cfg/selinux.cfg b/cfg/selinux.cfg
@@ -219,7 +219,7 @@
     <noreturn>false</noreturn>
     <use-retval/>
     <leak-ignore/>
-    <arg nr="1" direction="inout">
+    <arg nr="1" direction="inout" indirect="1">
       <not-uninit/>
       <not-null/>
     </arg>
diff --git a/cfg/std.cfg b/cfg/std.cfg
@@ -1665,7 +1665,7 @@
     <returnValue type="int"/>
     <noreturn>false</noreturn>
     <leak-ignore/>
-    <arg nr="1" direction="inout">
+    <arg nr="1" direction="inout" indirect="1">
       <not-null/>
       <not-uninit/>
     </arg>
@@ -1929,7 +1929,7 @@
     <returnValue type="int"/>
     <noreturn>false</noreturn>
     <leak-ignore/>
-    <arg nr="1" direction="inout">
+    <arg nr="1" direction="inout" indirect="1">
       <not-null/>
       <not-uninit/>
     </arg>
@@ -2255,7 +2255,7 @@
     <returnValue type="int"/>
     <noreturn>false</noreturn>
     <leak-ignore/>
-    <arg nr="1" direction="inout">
+    <arg nr="1" direction="inout" indirect="1">
       <not-null/>
       <not-uninit/>
     </arg>
diff --git a/cfg/windows.cfg b/cfg/windows.cfg
@@ -5595,7 +5595,7 @@ HFONT CreateFont(
   <function name="strlwr">
     <returnValue type="char *">arg1</returnValue>
     <noreturn>false</noreturn>
-    <arg nr="1" direction="inout">
+    <arg nr="1" direction="inout" indirect="1">
       <not-null/>
       <not-uninit/>
       <strz/>
@@ -5963,7 +5963,7 @@ HFONT CreateFont(
     <arg nr="2" direction="out">
       <not-null/>
     </arg>
-    <arg nr="3" direction="inout">
+    <arg nr="3" direction="inout" indirect="1">
       <not-null/>
       <not-uninit/>
     </arg>
@@ -6009,7 +6009,7 @@ HFONT CreateFont(
     <arg nr="4" direction="out">
       <not-null/>
     </arg>
-    <arg nr="5" direction="inout">
+    <arg nr="5" direction="inout" indirect="1">
       <not-null/>
       <not-uninit/>
     </arg>
diff --git a/lib/astutils.cpp b/lib/astutils.cpp
@@ -2466,17 +2466,6 @@ static bool isTrivialConstructor(const Token* tok)
     return false;
 }
 
-static bool isArray(const Token* tok)
-{
-    if (!tok)
-        return false;
-    if (tok->variable())
-        return tok->variable()->isArray();
-    if (Token::simpleMatch(tok, "."))
-        return isArray(tok->astOperand2());
-    return false;
-}
-
 bool isMutableExpression(const Token* tok)
 {
     if (!tok)
@@ -2545,18 +2534,10 @@ bool isVariableChangedByFunctionCall(const Token *tok, int indirect, const Setti
         const Library::ArgumentChecks::Direction argDirection = settings.library.getArgDirection(tok, 1 + argnr, indirect);
         if (argDirection == Library::ArgumentChecks::Direction::DIR_IN)
             return false;
-        if (argDirection == Library::ArgumentChecks::Direction::DIR_OUT)
+        if (argDirection == Library::ArgumentChecks::Direction::DIR_OUT || argDirection == Library::ArgumentChecks::Direction::DIR_INOUT)
             return true;
 
         const bool requireNonNull = settings.library.isnullargbad(tok, 1 + argnr);
-        if (argDirection == Library::ArgumentChecks::Direction::DIR_INOUT) {
-            if (indirect == 0 && isArray(tok1))
-                return true;
-            const bool requireInit = settings.library.isuninitargbad(tok, 1 + argnr);
-            // Assume that if the variable must be initialized then the indirection is 1
-            if (indirect > 0 && requireInit && requireNonNull)
-                return true;
-        }
         if (Token::simpleMatch(tok->tokAt(-2), "std :: tie"))
             return true;
         // if the library says 0 is invalid
diff --git a/lib/checkvaarg.cpp b/lib/checkvaarg.cpp
@@ -73,7 +73,7 @@ void CheckVaarg::va_start_argument()
                 if (var && var->index() + 2 < function->argCount() && printWarnings) {
                     auto it = function->argumentList.end();
                     std::advance(it, -2);
-                    wrongParameterTo_va_start_error(tok, var->name(), it->name()); // cppcheck-suppress derefInvalidIterator // FP due to isVariableChangedByFunctionCall()
+                    wrongParameterTo_va_start_error(tok, var->name(), it->name());
                 }
                 tok = tok->linkAt(1);
             }
diff --git a/test/teststl.cpp b/test/teststl.cpp
@@ -5339,6 +5339,13 @@ class TestStl : public TestFixture {
               "    return it;\n"
               "}\n", dinit(CheckOptions, $.inconclusive = true));
         ASSERT_EQUALS("[test.cpp:18:5]: (error, inconclusive) Invalid iterator 'it' used. [eraseDereference]\n", errout_str());
+
+        check("int f(const std::vector<int>& v) {\n" // #11895
+              "    auto it = v.end();\n"
+              "    std::advance(it, -2);\n"
+              "    return *it;\n"
+              "}\n", dinit(CheckOptions, $.inconclusive = true));
+        ASSERT_EQUALS("", errout_str());
     }
 
     void loopAlgoElementAssign() {

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ void CheckVaarg::va_start_argument()`
`73`	`73`	`if (var && var->index() + 2 < function->argCount() && printWarnings) {`
`74`	`74`	`auto it = function->argumentList.end();`
`75`	`75`	`std::advance(it, -2);`
`76`		`- wrongParameterTo_va_start_error(tok, var->name(), it->name()); // cppcheck-suppress derefInvalidIterator // FP due to isVariableChangedByFunctionCall()`
	`76`	`+ wrongParameterTo_va_start_error(tok, var->name(), it->name());`
`77`	`77`	`}`
`78`	`78`	`tok = tok->linkAt(1);`
`79`	`79`	`}`