From: "matti.niemenmaa+gccbugs at iki dot fi"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/102308] New: False positive -Wanalyzer-malloc-leak when writing to array in struct
Date: Mon, 13 Sep 2021 14:39:08 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102308

            Bug ID: 102308
           Summary: False positive -Wanalyzer-malloc-leak when writing to
                    array in struct
           Product: gcc
           Version: 11.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: matti.niemenmaa+gccbugs at iki dot fi
  Target Milestone: ---

The following code:

$ cat bug.c
#include <stdlib.h>
struct s {
  char *p;
  int arr[2];
};
int main(void) {
  struct s *s = malloc(sizeof *s);
  if (s) {
    s->p = malloc(1);
    for (int i = 0; i < 2; i++)
      s->arr[i] = -1;
  }
  if (s) {
    free(s->p);
    free(s);
  }
}

Triggers -Wanalyzer-malloc-leak of "" (apparently the malloc(1)) in the loop
that writes to the array:

$ gcc --version | head -1
gcc (GCC) 11.1.0
$ gcc -fanalyzer -O2 -c -o /dev/null bug.c
bug.c: In function ‘main’:
bug.c:11:17: warning: leak of ‘’ [CWE-401] [-Wanalyzer-malloc-leak]
   11 |       s->arr[i] = -1;
      |       ~~~~~~~~~~^~~~
  ‘main’: events 1-8
    |
    |    8 |   if (s) {
    |      |      ^
    |      |      |
    |      |      (1) following ‘true’ branch (when ‘s’ is non-NULL)...
    |    9 |     s->p = malloc(1);
    |      |     ~~~~~~~~~
    |      |     |
    |      |     (2) ...to here
    |      |     (3) allocated here
    |   10 |     for (int i = 0; i < 2; i++)
    |      |     ~~~~~
    |      |     |
    |      |     (4) following ‘true’ branch (when ‘i != 2’)...
    |      |     (6) following ‘true’ branch (when ‘i != 2’)...
    |   11 |       s->arr[i] = -1;
    |      |       ~~~~~~~~~~~~~~
    |      |       |
    |      |       (5) ...to here
    |      |       (7) ...to here
    |      |       (8) ‘’ leaks here; was allocated at (3)
    |

Even though there's evidently no leak.

As shown, the above triggers even on -O2. With -O0 the example can be
simplified a bit:

#include <stdlib.h>
struct s {
  char *p;
  int arr[1];
};
int main(void) {
  struct s s;
  s.p = malloc(1);
  for (int i = 0; i < 1; i++)
    s.arr[i] = -1;
  free(s.p);
}

Here the same type of leak is reported on -O0, but not -O2.