Fix 11250: FN: bufferAccessOutOfBounds (comma operator: int x = (3,4) ) (#4636)

pfultz2 · web-flow · commit e2f398f81a1a · 2022-12-13T07:52:58.000+01:00
* Fix 11250: FN: bufferAccessOutOfBounds (comma operator: int x = (3,4) )

* Format
diff --git a/lib/astutils.h b/lib/astutils.h
@@ -98,6 +98,18 @@ const Token* findAstNode(const Token* ast, const TFunc& pred)
     return result;
 }
 
+template<class TFunc>
+const Token* findParent(const Token* tok, const TFunc& pred)
+{
+    if (!tok)
+        return nullptr;
+    const Token* parent = tok->astParent();
+    while (parent && !pred(parent)) {
+        parent = parent->astParent();
+    }
+    return parent;
+}
+
 const Token* findExpression(const nonneg int exprid,
                             const Token* start,
                             const Token* end,
diff --git a/lib/programmemory.cpp b/lib/programmemory.cpp
@@ -1160,7 +1160,7 @@ static ValueFlow::Value executeImpl(const Token* expr, ProgramMemory& pm, const
     const ValueFlow::Value* value = nullptr;
     if (!expr)
         return unknown;
-    else if (expr->hasKnownIntValue() && !expr->isAssignmentOp()) {
+    else if (expr->hasKnownIntValue() && !expr->isAssignmentOp() && expr->str() != ",") {
         return expr->values().front();
     } else if ((value = expr->getKnownValue(ValueFlow::Value::ValueType::FLOAT)) ||
                (value = expr->getKnownValue(ValueFlow::Value::ValueType::ITERATOR_START)) ||
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
@@ -598,6 +598,17 @@ static void setTokenValue(Token* tok,
     if (!parent)
         return;
 
+    if (Token::simpleMatch(parent, ",") && astIsRHS(tok)) {
+        const Token* callParent = findParent(parent, [](const Token* p) {
+            return !Token::simpleMatch(p, ",");
+        });
+        // Ensure that the comma isnt a function call
+        if (!callParent || (!Token::Match(callParent->previous(), "%name%|> (") && !Token::simpleMatch(callParent, "{"))) {
+            setTokenValue(parent, std::move(value), settings);
+            return;
+        }
+    }
+
     if (Token::simpleMatch(parent, "=") && astIsRHS(tok) && !value.isLifetimeValue()) {
         setTokenValue(parent, value, settings);
         return;
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
@@ -71,6 +71,7 @@ class TestValueFlow : public TestFixture {
 
         TEST_CASE(valueFlowCalculations);
         TEST_CASE(valueFlowSizeof);
+        TEST_CASE(valueFlowComma);
 
         TEST_CASE(valueFlowErrorPath);
 
@@ -1365,6 +1366,31 @@ class TestValueFlow : public TestFixture {
         ASSERT_EQUALS(sizeof(std::int32_t) * 10 * 20, values.back().intvalue);
     }
 
+    void valueFlowComma()
+    {
+        const char* code;
+        std::list<ValueFlow::Value> values;
+
+        code = "void f(int i) {\n"
+               "    int x = (i, 4);\n"
+               "    return x;\n"
+               "}\n";
+        ASSERT_EQUALS(true, testValueOfXKnown(code, 3U, 4));
+
+        code = "void f(int i) {\n"
+               "    int x = (4, i);\n"
+               "    return x;\n"
+               "}\n";
+        ASSERT_EQUALS(false, testValueOfX(code, 3U, 4));
+
+        code = "void f() {\n"
+               "    int x = g(3, 4);\n"
+               "    return x;\n"
+               "}\n";
+        values = tokenValues(code, ",");
+        ASSERT_EQUALS(0U, values.size());
+    }
+
     void valueFlowErrorPath() {
         const char *code;
 
