
Sample of Defect

Project Name: openfpm_pdata
CID: 53706
Checker: OVERRUN
Category: Memory - corruptions
Developer Description: Coverity Scan correctly understood the logic of this code, and reported that the loop condition is wrong. In particular setHigh sets an internal array of size given by template parameter dim. This means that for setHigh(i,x) i must be bounded by dim. Coverity Scan detected that in case the size of the compile-time array given is bigger than dim, the loop can bring the variable "i" to go over dim. Coverity correctly understood how the compile-time part of the program couples with the run-time part. It calculates the bounds coming from the compile-time information like for the C++11 for-loop construction, and reported that the if break condition was not enough to ensure the bound for setHigh. ( "<" should be fixed with "<=" )
File: /openfpm_data/src/Space/Shape/Box.hpp
413         inline Box<dim,T> operator*(const Point<dim,T> & p)
414         {
415                 Box<dim,T> ret;
416
417                 for (size_t i = 0 ; i < dim ; i++)
418                 {
419                         ret.setLow(i, getLow(i)*p.get(i));
420                         ret.setHigh(i, getHigh(i)*p.get(i));
421                 }
422                 return ret;
423         }
424
425         /*! \brief Constructor from initializer list
426          *
427          * Constructor from initializer list
428          *
429          * \param p1 Low point, initialize as a list example {0.0,0.0,0.0}
430          * \param p2 High point, initialized as a list example {1.0,1.0,1.0}
431          *
432          */
433
434         inline void set(std::initializer_list<T> p1, std::initializer_list<T> p2)
435         {
436                 size_t i = 0;
     < 1. Iterating over another element of "p1"
     < 2. Iterating over another element of "p1"
     < 4. Iterating over another element of "p1"
437                 for(T x : p1)
438                 {
     <<< CID 53706: Memory - corruptions OVERRUN
     <<< 5. Overrunning callee's array of size 2 by passing argument "i" (which evaluates to 2) in call to "setLow".
439                         setLow(i,x);
440                         i++;
     << 3. Checking "i > 2UL" implies that "i" may be up to 2 on the false branch.
441                         if (i > dim)
442                                 break;
443                 }
444
445                 i = 0;
446                 for(T x : p2)
447                 {
448                         setHigh(i,x);
449                         i++;
450                         if (i > dim)
451                                 break;
452                 }
453         }
454
455         /*! \brief set the low interval of the box
456          *
457          * \param i dimension
458          * \param val value to set
459          *
460          */
461         inline void setLow(int i, T val)
462         {
463                 boost::fusion::at_c<p1>(data)[i] = val;
464         }
465
466         /*! \brief set the high interval of the box
467          *
Events:
3. cond_at_most Box.hpp:441
5. overrun-call Box.hpp:439
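To make the off-by-one concrete, the following reduced model of the flagged loop was written for this page and is not openfpm's code: ToyBox is a constructed stand-in for Box<dim,T>, its setLow records an out-of-range index instead of writing it (the real setLow writes data[i] unchecked), and setFixed tightens the post-increment check by one, which is the fix the description proposes.

```cpp
#include <array>
#include <cstddef>
#include <initializer_list>

// Constructed stand-in for openfpm's Box<dim,T>: two fixed-size arrays.
template <unsigned int dim, typename T>
struct ToyBox {
    std::array<T, dim> low{};
    // Count of setter calls whose index lies outside [0, dim).
    std::size_t out_of_range = 0;

    // Guarded setter: the real setLow() indexes data[i] unchecked, so
    // i == dim is a memory overrun; here it is recorded, not performed.
    void setLow(std::size_t i, T val) {
        if (i >= dim) { ++out_of_range; return; }
        low[i] = val;
    }

    // The loop as flagged by CID 53706: after i++ the test "i > dim"
    // still admits i == dim, so a list longer than dim reaches
    // setLow(dim, x) on the next iteration.
    void setBuggy(std::initializer_list<T> p1) {
        std::size_t i = 0;
        for (T x : p1) {
            setLow(i, x);
            i++;
            if (i > dim) break;
        }
    }

    // Corrected: stop as soon as i reaches dim, so every index passed
    // to setLow is strictly below dim regardless of the list length.
    void setFixed(std::initializer_list<T> p1) {
        std::size_t i = 0;
        for (T x : p1) {
            setLow(i, x);
            i++;
            if (i >= dim) break;
        }
    }
};

// Number of out-of-range writes each variant attempts for a dim == 2 box
// fed the given list (3 elements reproduces Coverity's "i evaluates to 2").
std::size_t overrunsFor(bool useFix, std::initializer_list<double> p1) {
    ToyBox<2, double> b;
    if (useFix) b.setFixed(p1); else b.setBuggy(p1);
    return b.out_of_range;
}
```

With exactly dim elements both loops behave the same, which is why the defect only surfaces when the initializer list is longer than the template dimension.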