In the following C code,

```c
void foo() {
    int myval = 1;
    myval += 2;
    int myarr[myval];
    ...
}
```

My initial goal was to investigate potential out-of-bounds access issues, exemplified by code like

In cases where the initialization code is statically deterministic, as in

The official example code also focuses on cases with statically deterministic initialization. Is there anyone who can assist me in devising a query to address the initial problem?
Hi @hyunsooda 👋🏻

Thank you for your question! You can get hold of the expression used to dynamically set the size of an array through the `VlaDimensionStmt` type. For example:

```ql
import cpp

from VlaDimensionStmt s
select s, s.getDimensionExpr()
```

If run on your sample code, this will return one result where `getDimensionExpr()` points at the expression of just `myval`. We expose a `getValue()` predicate on expressions, but that will only return a result if the value is constant, which it is not here. We have experimental `experimental.semmle.code.cpp.rangeanalysis.ArrayLengthAnalysis` and `experimental.semmle.code.cpp.rangeanalysis.InBoundsPointerDeref` libraries which might be of interest to you.
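The following query builds on the reply above and is an added example, not code from the reply or from the CodeQL project. It takes the same `VlaDimensionStmt` / `getValue()` approach one step further toward the original goal: it pairs each VLA whose size expression is not a compile-time constant with any access into that VLA that uses a constant index, so those accesses can be reviewed by hand (the query cannot decide by itself whether the index is out of bounds, because the size is unknown). It assumes the standard `cpp` library's `VlaDeclStmt` predicates `getVariable()` and `getVlaDimensionStmt(int)` and the `ArrayExpr` predicates `getArrayBase()` / `getArrayOffset()`; the query id and message text are constructed placeholders. On the sample code in the question it only produces a result once the elided body contains an access such as `myarr[4]`.

```ql
/**
 * @name Constant index into a VLA whose size is not a compile-time constant
 * @description Lists array accesses into a variable length array together with
 *              the expression that sizes the array, so the access can be
 *              reviewed for out-of-bounds reads or writes. Constructed example.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/vla-constant-index
 */

import cpp

/** Gets an expression that sizes the VLA declared by `decl` (one result per dimension). */
Expr vlaSize(VlaDeclStmt decl) {
  result = decl.getVlaDimensionStmt(_).getDimensionExpr()
}

from VlaDeclStmt decl, Expr size, ArrayExpr access, Expr index
where
  size = vlaSize(decl) and
  // The size is not constant, so getValue() has no result (the situation in the question).
  not exists(size.getValue()) and
  // An access whose base is the same variable that the VLA declaration introduced.
  access.getArrayBase().(VariableAccess).getTarget() = decl.getVariable() and
  index = access.getArrayOffset() and
  // Only constant indices are reported; a non-constant index needs range analysis instead.
  exists(index.getValue())
select access,
  "Index " + index.getValue() + " into VLA '" + decl.getVariable().getName() +
    "' whose size is the non-constant expression $@.", size, size.toString()
```

For sizes that are not constant but still bounded (the `myval = 1; myval += 2;` pattern), replacing the `exists(size.getValue())` test with a bound from a range-analysis library, such as the experimental ones named in the reply, is the natural next step.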