It's nice that an LLM found a bug, but it's also trivially mitigated by the bounds-safety sanitizer with virtually no overhead. Your regular reminder to build all production C projects with "-fsanitize=bounds -fsanitize-trap"
int aIdx[7]; // compiler knows the size of this array
...
int iCol; // if this should not be negative, why is this "int"?
...
aIdx[iCol] = i; // build with bound checking!
@kees For every bug they find, they also find 10 false positives and recommend introducing new vulns to "fix" them.
Not made up; this is my real experience with someone sending me garbage AI-tool-generated bug reports.
@dalias @kees I haven't looked into how GenAI handles this (although [1] gives me an idea), but yes, my main question would be "what's the false positive rate?", along with the other rates.
And then I'd wonder how it fits alongside the other tools: besides these compiler options, how does it compare with, e.g., static analysis tools? Because if it only ends up catching things we could already catch, and doesn't reduce false positives...