c/language/analyzability

This optional extension to the C language limits the potential results of executing some forms of undefined behavior, which improves the effectiveness of static analysis of such programs. Analyzability is only guaranteed to be enabled if the predefined macro constant is defined by the compiler.

If the compiler supports analyzability, any language or library construct whose behavior is undefined is further classified between critical and bounded undefined behavior, and the behavior of all bounded UB cases is limited as specified below.

Critical undefined behavior
Critical UB is undefined behavior that might perform a memory write or a volatile memory read out of bounds of any object. A program that has critical undefined behavior may be susceptible to security exploits.

Only the following undefined behaviors are critical:
 * access to an object outside of its (e.g. through a dangling pointer)
 * write to an object whose declarations are not
 * function call through a function pointer whose type is not with the type of the function it points to
 * is evaluated, but does not designate an object
 * attempted modification of a
 * an invalid (null, indeterminate, etc) or  pointer
 * modification of a through a non-const pointer
 * call to a standard library function or macro with an invalid argument
 * call to a variadic standard library function with unexpected argument type (e.g. call to printf with an argument of the type that doesn't match its conversion specifier)
 * longjmp where there is no setjmp up the calling scope, across threads, or from within the scope of a VM type.
 * any use of the pointer that was deallocated by free or realloc
 * any string or wide string library function accesses an array out of bounds

Bounded undefined behavior
Bounded UB is undefined behavior that cannot perform an illegal memory write, although it may trap and may produce or store indeterminate values.


 * All undefined behavior not listed as critical is bounded, including
 * multithreaded data races
 * use of a with automatic storage duration
 * violations
 * object access
 * signed integer overflow
 * modify the same scalar or modify and read the same scalar
 * floating-to-integer or pointer-to-integer overflow
 * by a negative or too large bit count
 * by zero
 * use of a void expression
 * direct or memcpy of inexactly-overlapped objects
 * violations
 * etc.. ALL undefined behavior that's not in the critical list.