char xs[5];
struct {
    char ys[5];
    char zs[0];
} stru;

void f(void) {
    char c;

    c = xs[-1]; // BAD [NOT DETECTED]
    c = xs[0]; // GOOD
    c = xs[4]; // GOOD
    c = xs[5]; // BAD
    c = xs[6]; // BAD

    c = stru.ys[-1]; // BAD [NOT DETECTED]
    c = stru.ys[0]; // GOOD
    c = stru.ys[4]; // GOOD
    c = stru.ys[5]; // BAD
    c = stru.ys[6]; // BAD

    c = stru.zs[-1]; // BAD [NOT DETECTED]
    c = stru.zs[0]; // GOOD (zs is variable size)
    c = stru.zs[4]; // GOOD (zs is variable size)
    c = stru.zs[5]; // GOOD (zs is variable size)
    c = stru.zs[6]; // GOOD (zs is variable size)
}

void* malloc(long unsigned int);
void test_buffer_sentinal() {
  struct { char len; char buf[1]; } *b = malloc(10); // len(buf.buffer) effectively 8
  b->buf[0] = 0; // GOOD
  b->buf[7] = 0; // GOOD
  b->buf[8] = 0; // BAD [NOT DETECTED]
}

union u {
  unsigned long value;
  char ptr[1];
};

void union_test() {
  union u u;
  u.ptr[0] = 0; // GOOD
  u.ptr[sizeof(u)-1] = 0; // GOOD
  u.ptr[sizeof(u)] = 0; // BAD [NOT DETECTED]
}

void test_struct_union() {
  struct { union u u; } v;
  v.u.ptr[0] = 0; // GOOD
  v.u.ptr[sizeof(union u)-1] = 0; // GOOD
  v.u.ptr[sizeof(union u)] = 0; // BAD [NOT DETECTED]
}

void union_test2() {
  union { char ptr[1]; unsigned long value; } u;
  u.ptr[0] = 0; // GOOD
  u.ptr[sizeof(u)-1] = 0; // GOOD
  u.ptr[sizeof(u)] = 0; // BAD [NOT DETECTED]
}

typedef struct {
    char len;
    char buf[1];
} var_buf;

void test_alloc() {
  // Special case of taking sizeof without any addition or multiplications
  var_buf *b = malloc(sizeof(var_buf));
  b->buf[1] = 0; // BAD [NOT DETECTED]
}