bug662.cpp

1    #define NPARTIES 5
2    #define EOF -1
3    int vote[ NPARTIES-1 ];
4    int fetch_vote(void);
5
6    int main( )
7        {
8        int v;
9        for(;;)
10           {
11           v = fetch_vote();
12           if( v == EOF ) break;
13           if( v <= NPARTIES )
14               vote[v]++;
15           }
16
17       // ... use vote[], etc.
18
19       return 0;
20       }

This is a whittled down version of the source code for an electronic vote counting machine. But the program contains a fundamental flaw. Can you spot it?

bug662.cpp lint Output

--- Module:   bug662.cpp (C++)
                     _
            vote[v]++;
bug662.cpp  14  Warning 662: Possible creation of out-of-bounds pointer (2
    beyond end of data) by operator '[' [Reference: file bug662.cpp: lines 13,14]
                     _
            vote[v]++;
bug662.cpp  14  Warning 661: Possible access of out-of-bounds pointer (2
    beyond end of data) by operator '[' [Reference: file bug662.cpp: lines 13,14]

Reference Manual Explanation

662    possible creation of out-of-bounds pointer ('Integer' beyond end
       of data) by operator 'String'  -- An out-of-bounds pointer may
       have been created.  See message 415 for a description of the
       parameters Integer and String.  For example:

             int a[10];
             if( n <= 20 ) f( a + n );

       Here, it appears as though an illicit pointer is being created,
       but PC-lint/FlexeLint cannot be certain.  See also messages 416
       and 797.  See §9.2 Value Tracking