llvm-project/clang/test/Analysis/return-ptr-range.cpp

// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.ReturnPtrRange -verify %s

int arr[10];
int *ptr;

int conjure_index();

int *test_element_index_lifetime() {
  do {
    int x = conjure_index();
    ptr = arr + x;
    if (x != 20)
      return arr; // no-warning
  } while (0);
  return ptr; // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow)}}
}

int *test_element_index_lifetime_with_local_ptr() {
  int *local_ptr;
  do {
    int x = conjure_index();
    local_ptr = arr + x;
    if (x != 20)
      return arr; // no-warning
  } while (0);
  return local_ptr; // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow)}}
}