Fix issue 10268: ValueFlow; Wrong value in for loop (#3257)

pfultz2 · web-flow · commit eb96e4980e1d · 2021-05-15T08:39:20.000+02:00
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
@@ -4911,10 +4911,13 @@ static bool valueFlowForLoop2(const Token *tok,
             execute(secondExpression, &programMemory, &result, &error);
     }
 
-    memory1->swap(startMemory);
+    if (memory1)
+        memory1->swap(startMemory);
     if (!error) {
-        memory2->swap(endMemory);
-        memoryAfter->swap(programMemory);
+        if (memory2)
+            memory2->swap(endMemory);
+        if (memoryAfter)
+            memoryAfter->swap(programMemory);
     }
 
     return true;
@@ -5229,6 +5232,11 @@ struct MultiValueFlowAnalyzer : ValueFlowAnalyzer {
         const Token* condTok = getCondTokFromEnd(endBlock);
         if (scope && condTok)
             programMemoryParseCondition(pm, condTok, nullptr, getSettings(), scope->type != Scope::eElse);
+        if (condTok && Token::simpleMatch(condTok->astParent(), ";")) {
+            ProgramMemory endMemory;
+            if (valueFlowForLoop2(condTok->astTop()->previous(), nullptr, &endMemory, nullptr))
+                pm.replace(endMemory);
+        }
         // ProgramMemory pm = pms.get(endBlock->link()->next(), getProgramState());
         for (const auto& p:pm.values) {
             nonneg int varid = p.first;
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
@@ -132,6 +132,7 @@ class TestBufferOverrun : public TestFixture {
         TEST_CASE(array_index_51); // #3763
         TEST_CASE(array_index_52); // #7682
         TEST_CASE(array_index_53); // #4750
+        TEST_CASE(array_index_54); // #10268
         TEST_CASE(array_index_multidim);
         TEST_CASE(array_index_switch_in_for);
         TEST_CASE(array_index_for_in_for);   // FP: #2634
@@ -1559,6 +1560,20 @@ class TestBufferOverrun : public TestFixture {
         ASSERT_EQUALS("[test.cpp:7]: (error) Array 'M[3][1]' accessed at index M[*][2], which is out of bounds.\n", errout.str());
     }
 
+    void array_index_54() {
+        check("void f() {\n"
+              "    g(0);\n"
+              "}\n"
+              "void g(unsigned int x) {\n"
+              "    int b[4];\n"
+              "    for (unsigned int i = 0; i < 4; i += 2) {\n"
+              "        b[i]   = 0;\n"
+              "        b[i+1] = 0;\n"
+              "    }\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+    }
+
     void array_index_multidim() {
         check("void f()\n"
               "{\n"
