C++: add false positives to MissingCheckScanf test
#12422
Conversation
See #12412 for the initial report.
| void scan_and_static_variable() { | ||
| static int i; | ||
| scanf("%d", &i); | ||
| use(i); // GOOD [FALSE POSITIVE]: static variables are always 0-initialized |
There was a problem hiding this comment.
This one's perhaps a bit of a maybe - while i should have been initialized it seems like there's a good chance in real world code we're still using an incorrect value in a case like this. Still, I gather this is motivated by a real world case where using the zero initialization / previously held value is OK, so that speaks for itself. We don't want false positives.
There was a problem hiding this comment.
The thing is that a static variable will never have a random unexpected value: it will start out with 0, and then it will have whatever value gets written to it during the program execution, as written in the program itself. So yes, it's true this could still be a bug, but not the kind of bug that suddenly makes you try to load 4294967295 entries 😆
See #12412 for the initial report.