Question

Klocwork reports an error of:-

"ABR – Buffer overflow, array index of 'oidsp' may be out of bounds. Array 'oidsp' of size 64 may use index value(s) -2..-1."

For this line:-

    if (check_index_lower_legality (len, -1))
    {
        oidsp[len-1] = specProb;
    }

When check_index_lower_legality is:-

    bool check_index_lower_legality (int index, int offset)
    /**
     * This function checks that the index with the offset isn't
     * below zero.
     * If it is - returns 0 ;
     * If isn't - returns 1 ;
     **/
    {
        if ((index + offset) < 0) {
            return 0;
        }
        return 1;
    }

However, no bug is reported when check_index_lower_legality is as follows (which is, by the way, an incorrect answer, as for the offset values of -2 or -1 there will be a real error at runtime):

    bool check_index_lower_legality (int index, int offset)
    /**
     * This function checks that the index with the offset isn't
     * below zero.
     * If it is - returns 0 ;
     * If isn't - returns 1 ;
     **/
    {
        if (index <= 0) {
            return 0;
        }
        return 1;
    }

Any ideas?


Solution

I could be missing something, but your function (check_index_lower_legality) doesn't modify the 'len' variable, nor is the return from the function used to access your array, so your snippet as provided would appear to correctly generate a runtime buffer underflow (for values of len < 0). Could you perhaps expand on the example if you believe the report to be truly incorrect?

Thanks, Gwyn.
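The point made in this answer, as an added example that is not part of the original post: a check is only useful, to the program and to a static analyzer, when the value it validates is the same value used as the subscript. `checked_index`, `store_spec` and `demo_buf` are hypothetical names; the size 64 comes from the Klocwork message, and `check_lower_v1`/`check_lower_v2` mirror the two variants in the question.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define OIDSP_SIZE 64                 /* size quoted in the Klocwork message */
static int demo_buf[OIDSP_SIZE];      /* constructed buffer for the demo */

/* Variant 1 from the question: lower bound only, result is discarded. */
static bool check_lower_v1(int index, int offset) { return (index + offset) >= 0; }

/* Variant 2 from the question: ignores the offset altogether. */
static bool check_lower_v2(int index, int offset) { (void)offset; return index > 0; }

/* Hypothetical replacement: compute the final position once, check both
 * bounds, and hand the validated position back to the caller. */
static bool checked_index(int index, int offset, size_t size, size_t *out)
{
    long long pos = (long long)index + offset;   /* widen: no int overflow */
    if (pos < 0 || (unsigned long long)pos >= size)
        return false;
    *out = (size_t)pos;
    return true;
}

/* The write uses exactly the value that was checked, never len-1 again. */
static bool store_spec(int *oidsp, size_t size, int len, int value)
{
    size_t pos;
    if (!checked_index(len, -1, size, &pos))
        return false;
    oidsp[pos] = value;
    return true;
}

int main(void)
{
    /* v1 lets len=65 through (index 64, one past the end). */
    printf("v1(65,-1)=%d\n", check_lower_v1(65, -1));
    /* v2 lets len=1, offset=-2 through (index -1). */
    printf("v2(1,-2)=%d\n", check_lower_v2(1, -2));
    printf("store len=64: %d\n", store_spec(demo_buf, OIDSP_SIZE, 64, 7));
    printf("store len=0: %d\n", store_spec(demo_buf, OIDSP_SIZE, 0, 7));
    printf("store len=INT_MIN: %d\n", store_spec(demo_buf, OIDSP_SIZE, INT_MIN, 7));
    return 0;
}
```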

OTHER TIPS

This is a false bug. You need to add an additional check telling it that len is always > 1.

So you can skip this bug by adding a totally unwanted if condition.

    if (check_index_lower_legality (len, -1))
    {
        if (len > 1)
            oidsp[len-1] = specProb;
    }

Or you can mark this bug as a false alarm and run Klocwork again. It will most probably skip this in the next report.

I don't think Klocwork can follow this type of logic through. You'd need to tell it that check_index_lower_legality behaves this way.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow