authorJustin M. Keyes <justinkz@gmail.com>2026-04-14 14:46:36 +0200
committerJustin M. Keyes <justinkz@gmail.com>2026-04-14 18:39:38 +0200
commiteeee61ec9e2b1836398a9534bcc9df8f68e1d87e (patch)
treeaa3ef7ac7f0a174bcf3edc1f0dcbd4f1564780d3 /src
parent8a4bee3ed0cb1313d35f35a04341e4a0b2f5ffae (diff)
build(clang-analyzer): suppress clang-analyzer-security.ArrayBound
Problem: clang 21 promoted alpha.security.ArrayBoundV2 to security.ArrayBound (stable). This new check reports false-positive "out of bound access" errors in drawline.c and vimscript.c, where the analyzer constructs impossible paths (e.g. concealed line with draw_text=false yet ptr advanced past the NUL terminator, or root AST node with a "next" sibling). Per-line NOLINT suppression doesn't work because the analyzer finds multiple paths to the same false positive. Solution: Disable clang-analyzer-security.ArrayBound globally in the clang-analyzer cmake target until the check matures. Co-Authored-By: Claude
Diffstat (limited to 'src')
-rw-r--r--src/nvim/CMakeLists.txt1
-rw-r--r--src/nvim/api/vimscript.c3
2 files changed, 4 insertions, 0 deletions
diff --git a/src/nvim/CMakeLists.txt b/src/nvim/CMakeLists.txt
index b8160fea4b..6be32af21a 100644
--- a/src/nvim/CMakeLists.txt
+++ b/src/nvim/CMakeLists.txt
@@ -913,6 +913,7 @@ add_glob_target(
-clang-analyzer-core.uninitialized.Assign,
-clang-analyzer-optin.core.EnumCastOutOfRange,
-clang-analyzer-optin.performance.Padding,
+ -clang-analyzer-security.ArrayBound,
-clang-analyzer-security.insecureAPI.strcpy,
-clang-analyzer-unix.StdCLibraryFunctions,
-clang-analyzer-unix.Stream,
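Review bot: The added `-clang-analyzer-security.ArrayBound,` entry switches the check off for every source file this target analyses, while the commit message attributes the false positives to only drawline.c and vimscript.c, so genuine out-of-bounds reports elsewhere in the tree would no longer surface from this target. Nothing in the hunk records why the entry is there or when it should be dropped; a comment such as `# security.ArrayBound: false positives with clang 21 (drawline.c, vimscript.c); re-enable once the check matures` would keep that visible outside the commit log. If the check list is a quoted argument where a comment cannot sit inline, place it above the `add_glob_target(` call, which starts outside this hunk.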
diff --git a/src/nvim/api/vimscript.c b/src/nvim/api/vimscript.c
index b4f5efec23..a874a75cac 100644
--- a/src/nvim/api/vimscript.c
+++ b/src/nvim/api/vimscript.c
@@ -545,6 +545,9 @@ Dict nvim_parse_expression(String expr, String flags, Boolean highlight, Arena *
.ret_node_p = &children_array.items[0],
}));
} else if (node->next != NULL) {
+ // ret_node_p + 1 is valid: we're in a children_array (root node never
+ // has "next"). kv_size > 1 confirms we're not at root.
+ assert(kv_size(ast_conv_stack) > 1);
kvi_push(ast_conv_stack, ((ExprASTConvStackItem) {
.node_p = &node->next,
.ret_node_p = cur_item.ret_node_p + 1,
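Review bot: The new `assert(kv_size(ast_conv_stack) > 1);` tests stack depth, which is only a proxy for what the comment claims, namely that `cur_item.ret_node_p + 1` still lies inside the children array. Depth greater than one shows the item is not the root, but not that the array has a further slot, and the assert disappears in builds that define NDEBUG, so it is not a runtime bounds check on a tree built from the caller-supplied `expr`. Since the same commit also disables the ArrayBound check, the comment should state the limit, e.g. `// Debug-only invariant (compiled out under NDEBUG): the children array must have a slot for each "next" sibling.` Where that array is sized is not visible here, and nvim_parse_expression's body starts and ends outside this hunk.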