Don't know how practical it is to find such an issue, but here's the code with/without the error -- dereferencing in the free() doesn't match dereferencing in the strdup().
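The poster's code is not on the page; as an added illustration (not the poster's code), here is a hypothetical helper pair showing the mismatch class described: strdup()'s result is stored through one dereference, so the matching free() must use the same dereference level.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#endif
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical example, not the poster's code. The strdup() result is stored
 * via one dereference (*slot), so cleanup must free(*slot), not free(slot):
 * free(slot) would pass the address of the caller's variable to the allocator.
 */

/* Store a fresh copy of `src` in *slot, releasing any previous copy.
 * Returns 0 on success, -1 if strdup() fails (then *slot is left unchanged). */
int slot_set(char **slot, const char *src)
{
    char *copy = strdup(src);
    if (copy == NULL)
        return -1;
    free(*slot);        /* one dereference: same level as the store below */
    *slot = copy;
    return 0;
}

/* Release the copy held in *slot and reset the caller's pointer. */
void slot_clear(char **slot)
{
    free(*slot);        /* matches the strdup() store: free what was duplicated */
    *slot = NULL;
}

/* Driver with a checkable result: returns 1 if set/replace/clear all behave. */
int slot_roundtrip_ok(void)
{
    char *name = NULL;
    int ok = 1;
    ok = ok && slot_set(&name, "first") == 0 && strcmp(name, "first") == 0;
    ok = ok && slot_set(&name, "second") == 0 && strcmp(name, "second") == 0;
    slot_clear(&name);
    ok = ok && name == NULL;
    return ok;
}
```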
Not sure if this exact example's been posted before... #include <stdio.h> int main(int argc, char *argv[]) { int array[1] = {0}; unsigned char i = -1; i++; printf("%d\n", array[i]); } The array index i is an unsigned char which is underflowed by assigning -1 to it, i becomes 255. Then the index i is overflowed back to 0. cppcheck seems to treat i as 256 rather than 0. And no, I won't defend the code :-)
Apologies -- should have replied earlier. Thanks for the --library=gnu option -- but I'm not sure how one would know that it might solve the problem? Maybe a hint would be useful if parsing fails? I'll leave the cross-platform discussion to take its course now.
The "<" (or possibly ">") in timercmp() seems to break cppcheck parsing (unsurprisingly). #include <sys/time.h> bool test_times(timeval t_now, timeval t_then) { return !timercmp(&t_now, &t_then, <); }
Ok, so I tried on Ubuntu Focal Fossa. Looks like it might be a g++ compiler issue -- if I remove -O2, and use -g3 instead I get a clean result. When I added -O2 (or -O1) back as well as -g3 I see the crash the same as I reported originally. I've just compiled on Jammy Jellyfish and I get similar behavior with g++ on there. (gdb) bt #0 Token::tokAt (this=this@entry=0x0, index=index@entry=1) at lib/token.cpp:365 #1 0x000055555579bbb5 in isUnknownType (start=0x0, end=end@entry=0x5555578a6960) at lib/symboldatabase.cpp:2808...
I attach the output on Focal Fossa from clang -fsyntax-only -Xclang -ast-dump -fno-color-diagnostics -x c++ crash_cppcheck.cpp
I attach the output from clang -fsyntax-only -Xclang -ast-dump -fno-color-diagnostics -x c++ crash_cppcheck.cpp