'Pointer to local outside scope' by static analyzis -- false positive?

Question

I have got an issue flagged by Coverity that I cannot understand.

I have an itializer:

1686  arrayOfNodeIds componentRefs = (arrayOfNodeIds) {
1687    .size = 2,
1688    .ids  = (UA_NodeId[]) { UA_NODEID_NUMERIC(0, UA_NS0ID_HASCOMPONENT), UA_NODEID_NUMERIC(0, UA_NS0ID_HASPROPERTY)}
1689  };

member ids holds an array. Then this struct is given to a function:

1707  UA_Server_addInstanceOf_instatiateChildNode(server, &subtypeRefs, &componentRefs, &typedefRefs,
1708                                              objectRoot, callback, (UA_ObjectTypeNode *) typeDefNode, 
1709                                              UA_TRUE, &instantiatedTypes, handle);

the function dereferences conponentRefs->ids and Coverity flaggs this as access to a local variable outside of scope.

By googling i found a similar issue in one linux driver that was solved by using a memcpy to a stack variable. However, I do not understand the problem at all. Is the initializer of the internal array considered as a scope limiter? The problematic file can be found on github.

P.S.: definition of arrayOfNodeIds:

typedef struct arrayOfNodeIds_s {
  UA_Int32  size;
  UA_NodeId *ids;
} arrayOfNodeIds;

I am sorry for the wrong tag, this is C99 code, tags modified. — Stasik, Sep 23 '15 at 06:35
@juanchopanza No, so maybe edit the post and remove the tag instead of stating the obvious? — Lundin, Sep 23 '15 at 06:35
I think it's a valid comment, @Lundin, because maybe the issue is that the OP tried to use this as C++? We don't know, hence we ask. Still, it would help the question even further if it contained a complete but minimal example. — Ulrich Eckhardt, Sep 23 '15 at 06:37
@Lundin I'd rather let OP make that call. Sometimes compilers have C++ language extensions and so on. — juanchopanza, Sep 23 '15 at 06:37

score 3 · Accepted Answer · answered Sep 23 '15 at 06:45

3

isd is a pointer and you have it point at a compound literal. All compound literals are to be regarded as local variables and they have local scope.

So if your struct is of static storage duration (not really clear what you mean with "static itializer"), then the tool is right to complain. Because in that case, as soon as the program leaves the scope where you initialize isd, it will point at garbage. You'll have to point at another static storage duration variable or alternatively use dynamic allocation.

answered Sep 23 '15 at 06:45

Lundin

195,001
40
254
396

by "static initializer" I do not mean "static" at all... So can I fix it by declaring the "arrayOfNodeIds componentRefs" as static? or is there only a way to alloc the whole thing on the heap? – Stasik Sep 23 '15 at 06:48
@Stasik So what do you mean with "static initializer" then? You are inventing your own programming terms. If the arrayOfNodeIds has local scope and is not static, then this answer doesn't solve the problem, neither does the one you posted. – Lundin Sep 23 '15 at 08:51
sorry, the variable has no static static class. The variables are defined in the same scope as the function call (see edit to my answer). – Stasik Sep 23 '15 at 09:08

Stasik · Answer 2 · 2015-09-23T09:08:35.190

So according to the answer of @Lundin this may help to remedy the problem

  UA_NodeId* tempArray = (UA_NodeId[]) { UA_NODEID_NUMERIC(0, UA_NS0ID_HASTYPEDEFINITION)};
  arrayOfNodeIds typedefRefs = (arrayOfNodeIds) {
    .size = 1,
    .ids  = tempArray
  };
  UA_Server_addInstanceOf_instatiateChildNode(server, &subtypeRefs, &componentRefs, &typedefRefs,
                                                objectRoot, callback, (UA_ObjectTypeNode *) typeDefNode, 
                                                UA_TRUE, &instantiatedTypes, handle);

In this case the scope for both the struct and the array is the same.

Another way is to allocate the memory on the heap, instead of going for the stack.

'Pointer to local outside scope' by static analyzis -- false positive?

2 Answers2