Improve error message: remove & when operand is bufer

flovent · flovent · commit ed53e76c2d2a · 2025-08-23T19:05:49.000+08:00
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
@@ -75,6 +75,14 @@ static const ValueFlow::Value *getBufferSizeValue(const Token *tok)
     return it == tokenValues.cend() ? nullptr : &*it;
 }
 
+static const Token* getRealBufferTok(const Token* tok) {
+    if (!tok->isUnaryOp("&"))
+        return tok;
+
+    const auto* op = tok->astOperand1();
+    return (op->valueType() && op->valueType()->pointer) ? op : tok;
+}
+
 static int getMinFormatStringOutputLength(const std::vector<const Token*> &parameters, nonneg int formatStringArgNr)
 {
     if (formatStringArgNr <= 0 || formatStringArgNr > parameters.size())
@@ -690,7 +698,7 @@ void CheckBufferOverrun::bufferOverflow()
 
 void CheckBufferOverrun::bufferOverflowError(const Token *tok, const ValueFlow::Value *value, Certainty certainty)
 {
-    reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? tok->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);
+    reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? getRealBufferTok(tok)->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);
 }
 
 //---------------------------------------------------------------------------
@@ -800,7 +808,7 @@ void CheckBufferOverrun::stringNotZeroTerminated()
             if (isZeroTerminated)
                 continue;
             // TODO: Locate unsafe string usage..
-            terminateStrncpyError(tok, args[0]->expressionString());
+            terminateStrncpyError(tok, getRealBufferTok(args[0])->expressionString());
         }
     }
 }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
@@ -5723,6 +5723,12 @@ class TestBufferOverrun : public TestFixture {
               "}");
         ASSERT_EQUALS("[test.cpp:3:10]: (error) Buffer is accessed out of bounds: &i [bufferAccessOutOfBounds]\n", errout_str());
 
+        check("void f() {\n"
+              "  int i[2];\n"
+              "  memset(&i, 0, 1000);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3:10]: (error) Buffer is accessed out of bounds: i [bufferAccessOutOfBounds]\n", errout_str());
+
         check("void f() {\n"
               "  int i;\n"
               "  memset(&i, 0, sizeof(i));\n"
@@ -5733,7 +5739,7 @@ class TestBufferOverrun : public TestFixture {
               "  char c[6];\n"
               "  strncpy(&c, \"hello!\", 6);\n"
               "}");
-        ASSERT_EQUALS("[test.cpp:3:3]: (warning, inconclusive) The buffer '&c' may not be null-terminated after the call to strncpy(). [terminateStrncpy]\n", errout_str());
+        ASSERT_EQUALS("[test.cpp:3:3]: (warning, inconclusive) The buffer 'c' may not be null-terminated after the call to strncpy(). [terminateStrncpy]\n", errout_str());
 
         check("void foo() {\n"
               "  char c[6];\n"

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,14 @@ static const ValueFlow::Value getBufferSizeValue(const Token tok)`
`75`	`75`	`return it == tokenValues.cend() ? nullptr : &*it;`
`76`	`76`	`}`
`77`	`77`
	`78`	`+static const Token* getRealBufferTok(const Token* tok) {`
	`79`	`+ if (!tok->isUnaryOp("&"))`
	`80`	`+ return tok;`
	`81`	`+`
	`82`	`+ const auto* op = tok->astOperand1();`
	`83`	`+ return (op->valueType() && op->valueType()->pointer) ? op : tok;`
	`84`	`+}`
	`85`	`+`
`78`	`86`	`static int getMinFormatStringOutputLength(const std::vector<const Token*> &parameters, nonneg int formatStringArgNr)`
`79`	`87`	`{`
`80`	`88`	`if (formatStringArgNr <= 0 \|\| formatStringArgNr > parameters.size())`
`@@ -690,7 +698,7 @@ void CheckBufferOverrun::bufferOverflow()`
`690`	`698`
`691`	`699`	`void CheckBufferOverrun::bufferOverflowError(const Token tok, const ValueFlow::Value value, Certainty certainty)`
`692`	`700`	`{`
`693`		`- reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? tok->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);`
	`701`	`+ reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? getRealBufferTok(tok)->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);`
`694`	`702`	`}`
`695`	`703`
`696`	`704`	`//---------------------------------------------------------------------------`
`@@ -800,7 +808,7 @@ void CheckBufferOverrun::stringNotZeroTerminated()`
`800`	`808`	`if (isZeroTerminated)`
`801`	`809`	`continue;`
`802`	`810`	`// TODO: Locate unsafe string usage..`
`803`		`- terminateStrncpyError(tok, args[0]->expressionString());`
	`811`	`+ terminateStrncpyError(tok, getRealBufferTok(args[0])->expressionString());`
`804`	`812`	`}`
`805`	`813`	`}`
`806`	`814`	`}`