2
votes

ok, I'm fairly certain this is just down to the ever-so-buggy static code analyser in Visual Studio, but I figured more sets of eyes on this wouldn't hurt.

I've written my own collection of vector-style containers. They seem to work ok, but I've noticed the following warnings from the Visual Studio static code analyser:

warning C6386: Buffer overrun: accessing 'argument 1', the writable size is 'newspace*4' bytes, but '4194240' bytes might be written

The above warning occurs on the last line of the following code (the memcpy), and highlights all of the previous lines. All possible types that this particular vector class can hold are POD. mSpace contains the number of items the available memory in the vector can hold, and mSize the current number of items. mDynamic points to the memory block currently being managed by the vector.

Bool Insert( UInt32 index, TYPE value, UInt32 count = 1 )
{
    if( index < mSize )
    {
        UInt32  newsize = mSize + count;

        if( newsize > mSpace )
        {
            UInt32  newspace = std::max( Align( newsize, 8 ), mSpace << 1 );
            TYPE*   ptr = new TYPE[ newspace ];

            if( ptr )
            {
                memcpy( ptr, mDynamic, index * sizeof( TYPE ));
                // The remainder of the code copies the second half of the
                // existing data and inserts the new values...

I've looked at this until my eyes bleed (well, almost) and can't see why the analyser would generate this warning. I've seen the same warning in other places also with the rather strange value of 4194240, which is why I'm assuming it's yet another bug in the analyser.

Can anyone confirm this is a known bug in the analyser (a very quick search of connect didn't provide any results), or is there a blatantly obvious bug in my code that I'm just not seeing?

1
4194240 is 2^22 - 2^6. Not sure if that's relevant... - Oliver Charlesworth
Looks like a pretty bogus warning to me... Does the warning only show up when you're instantiating it with a certain type? Like, would it show up if you isolated your class in a project without clients? - Rob I
And perhaps try running your code through another tool... - Rob I
No, it appears for lots of different types. I've tried several other different static code analysis tools and none of them mention anything about this code - another indicator that it's a VS2010 bug. I've also seen the warning appear for completely unrelated pieces of code - again with the magic 4194240 value, so I've pretty much written this off as not my problem. - user420442

1 Answer

0
votes

Not sure if it's related to the warning, but you do have an error here. If mSize is 2^32 - 1 then newsize will be set to 0 due to the integer overflow, which will end up with a buffer overrun. There's a similar error when you do index * sizeof( TYPE ) without checking that the result will fit within 32 bits.

More minor, but you should really be using size_t rather than UInt32; otherwise, if you want to compile to 64-bit, you'll have warnings about types not matching in size. memcpy takes a size_t as the 3rd argument, and size_t is 64 bits on 64-bit Windows.
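The two overflows the answer points at (mSize + count wrapping to 0, and index * sizeof( TYPE ) not fitting its type) can be rejected before the allocation and the memcpy run. The following is an added example, not code from the question or the answer; it models the members mSize and mSpace as parameters, assumes Align( x, 8 ) rounds x up to a multiple of 8, and also checks the mSpace << 1 growth step, which the answer does not mention.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <limits>

// Result of pre-validating an Insert() call. The computed sizes are only
// meaningful when status == 0.
struct InsertPlan {
    int      status;       // 0 ok, 1 index out of range, 2 newsize wrapped,
                           // 3 newspace wrapped, 4 memcpy byte count wrapped
    uint32_t newsize;      // mSize + count
    uint32_t newspace;     // max(Align(newsize, 8), mSpace << 1)
    size_t   prefixBytes;  // index * elemSize, the length passed to memcpy
};

// a + b in 32 bits, refusing to wrap.
static bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (b > std::numeric_limits<uint32_t>::max() - a) return false;
    *out = a + b;
    return true;
}

// a * b in size_t, refusing to wrap (relevant on 32-bit builds, where size_t is 32 bits).
static bool checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > std::numeric_limits<size_t>::max() / a) return false;
    *out = a * b;
    return true;
}

// Mirrors the arithmetic in the question's Insert() with the members passed in
// explicitly. Align(x, 8) is assumed (not shown in the question) to round x up
// to a multiple of 8, i.e. (x + 7) & ~7.
InsertPlan plan_insert(uint32_t index, uint32_t count, uint32_t mSize,
                       uint32_t mSpace, size_t elemSize) {
    InsertPlan p = {0, 0, 0, 0};
    if (index >= mSize) { p.status = 1; return p; }
    if (!checked_add_u32(mSize, count, &p.newsize)) { p.status = 2; return p; }
    uint32_t aligned;
    if (!checked_add_u32(p.newsize, 7, &aligned)) { p.status = 3; return p; }
    aligned &= ~7u;
    // mSpace << 1 silently drops the top bit once mSpace reaches 2^31.
    if (mSpace > std::numeric_limits<uint32_t>::max() / 2) { p.status = 3; return p; }
    p.newspace = std::max(aligned, static_cast<uint32_t>(mSpace << 1));
    if (!checked_mul_size(index, elemSize, &p.prefixBytes)) { p.status = 4; return p; }
    return p;
}
```

A real Insert() would return false (or throw) on any non-zero status instead of proceeding to new[] and memcpy with wrapped values.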