public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/104560] New: False positive from -Wanalyzer-free-of-non-heap seen with rdma-core
@ 2022-02-15 22:34 dmalcolm at gcc dot gnu.org
From: dmalcolm at gcc dot gnu.org @ 2022-02-15 22:34 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104560

            Bug ID: 104560
           Summary: False positive from -Wanalyzer-free-of-non-heap seen
                    with rdma-core
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Created attachment 52450
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52450&action=edit
Reduced reproducer

I'm seeing various -Wanalyzer-free-of-non-heap when compiling rdma-core with
-fanalyzer, e.g.:

rdma-core-33.0/providers/mlx5/mlx5.c: scope_hint: In function
'mlx5_uninit_device'
rdma-core-33.0/providers/mlx5/mlx5.c:2101:9:
warning[-Wanalyzer-free-of-non-heap]: 'free' of '&*verbs_device.device' which
points to memory not on the heap
# 2099|         struct mlx5_device *dev = to_mdev(&verbs_device->device);
# 2100|   
# 2101|->       free(dev);
# 2102|   }
# 2103|   

Am attaching a reproducer, which triggers the current false positive with trunk
when compiled without optimization:

<source>: In function 'mlx5_uninit_device':
<source>:42:9: warning: 'free' of 'dev' which points to memory not on the heap
[CWE-590] [-Wanalyzer-free-of-non-heap]
   42 |         __builtin_free(dev);
      |         ^~~~~~~~~~~~~~~~~~~
  'mlx5_uninit_device': events 1-3
    |
    |   40 |         struct mlx5_device *dev = to_mdev(&verbs_device->device);
    |      |                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                   |
    |      |                                   (1) pointer is from here
    |      |                                   (2) pointer is from here
    |   41 | 
    |   42 |         __builtin_free(dev);
    |      |         ~~~~~~~~~~~~~~~~~~~        
    |      |         |
    |      |         (3) call to 'free' here
    |

Uploaded to Compiler Explorer as:
  https://godbolt.org/z/nazc15z1h


* [Bug analyzer/104560] False positive from -Wanalyzer-free-of-non-heap seen with rdma-core
From: cvs-commit at gcc dot gnu.org @ 2022-02-16 23:49 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104560

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:a61aaee63848d422e8443e17bbec3257ee59d5d8

commit r12-7268-ga61aaee63848d422e8443e17bbec3257ee59d5d8
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Feb 16 09:06:46 2022 -0500

    analyzer: fixes to free of non-heap detection [PR104560]

    PR analyzer/104560 reports various false positives from
    -Wanalyzer-free-of-non-heap seen with rdma-core, on what's
    effectively:

      free (&ptr->field)

    where in this case "field" is the first element of its struct, and thus
    &ptr->field == ptr, and could be on the heap.

    The root cause is due to malloc_state_machine::on_stmt making
      "LHS = &EXPR;"
    transition LHS from start to non_heap when EXPR is not a MEM_REF;
    this assumption doesn't hold for the above case.

    This patch eliminates that state transition, instead relying on
    malloc_state_machine::get_default_state to detect regions known to
    not be on the heap.
    Doing so fixes the false positive, but eliminates some events relating
    to free-of-alloca identifying the alloca, so the patch also reworks
    free_of_non_heap to capture which region has been freed, adding
    region creation events to diagnostic paths, so that the alloca calls
    can be identified, and using the memory space of the region for more
    precise wording of the diagnostic.
    The improvement to malloc_state_machine::get_default_state also
    means we now detect attempts to free VLAs, functions and code labels.

    In doing so I spotted that I wasn't adding region creation events for
    regions for global variables, and for cases where an allocation is the
    last stmt within its basic block, so the patch also fixes these issues.

    gcc/analyzer/ChangeLog:
            PR analyzer/104560
            * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
            Add region creation events for globals of interest.
            (null_assignment_sm_context::get_old_program_state): New.
            (diagnostic_manager::add_events_for_eedge): Move check for
            changing dynamic extents from PK_BEFORE_STMT case to after the
            switch on the dst_point's kind so that we can emit them for the
            final stmt in a basic block.
            * engine.cc (impl_sm_context::get_old_program_state): New.
            * sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
            detection of m_non_heap to use get_memory_space.
            (free_of_non_heap::free_of_non_heap): Add freed_reg param.
            (free_of_non_heap::subclass_equal_p): Update for changes to
            fields.
            (free_of_non_heap::emit): Drop m_kind in favor of
            get_memory_space.
            (free_of_non_heap::describe_state_change): Remove logic for
            detecting alloca.
            (free_of_non_heap::mark_interesting_stuff): Add region-creation of
            m_freed_reg.
            (free_of_non_heap::get_memory_space): New.
            (free_of_non_heap::kind): Drop enum.
            (free_of_non_heap::m_freed_reg): New field.
            (free_of_non_heap::m_kind): Drop field.
            (malloc_state_machine::on_stmt): Drop transition to m_non_heap.
            (malloc_state_machine::handle_free_of_non_heap): New function,
            split out from on_deallocator_call and on_realloc_call, adding
            detection of the freed region.
            (malloc_state_machine::on_deallocator_call): Use it.
            (malloc_state_machine::on_realloc_call): Likewise.
            * sm.h (sm_context::get_old_program_state): New vfunc.

    gcc/testsuite/ChangeLog:
            PR analyzer/104560
            * g++.dg/analyzer/placement-new.C: Update expected wording.
            * g++.dg/analyzer/pr100244.C: Likewise.
            * gcc.dg/analyzer/attr-malloc-1.c (test_7): Likewise.
            * gcc.dg/analyzer/malloc-1.c (test_24): Likewise.
            (test_25): Likewise.
            (test_26): Likewise.
            (test_50a, test_50b, test_50c): New.
            * gcc.dg/analyzer/malloc-callbacks.c (test_5): Update expected
            wording.
            * gcc.dg/analyzer/malloc-paths-8.c: Likewise.
            * gcc.dg/analyzer/pr104560-1.c: New test.
            * gcc.dg/analyzer/pr104560-2.c: New test.
            * gcc.dg/analyzer/realloc-1.c (test_7): Updated expected wording.
            * gcc.dg/analyzer/vla-1.c (test_2): New.  Prune output from
            -Wfree-nonheap-object.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

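
The allocation and free pattern the commit message describes, as an added example that is not the bug's attached reproducer nor rdma-core code: the struct layouts, container_of macro and mlx5_init_device are assumptions; only the names to_mdev, verbs_device->device and mlx5_device come from the diagnostic above. It shows why free(&ptr->field) on a first member is a legitimate free of the heap block, which is what the old "LHS = &EXPR means non-heap" rule got wrong.

```c
#include <stddef.h>
#include <stdlib.h>

/* Layouts below are assumptions for this example; only the names
 * to_mdev, verbs_device->device and mlx5_device appear in the diagnostic. */
struct ibv_device   { int id; };
struct verbs_device { struct ibv_device device; };   /* 'device' is first */
struct mlx5_device {
    struct verbs_device verbs_dev;                   /* first member too */
    int extra;
};

/* Recover the enclosing object from a pointer to one of its members; for a
 * member at offset 0 this is a plain cast, so the result is the calloc() pointer. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static struct mlx5_device *to_mdev(struct ibv_device *ibdev)
{
    return container_of(ibdev, struct mlx5_device, verbs_dev.device);
}

/* Allocate the provider object and hand out the embedded generic part. */
struct verbs_device *mlx5_init_device(int id)
{
    struct mlx5_device *dev = calloc(1, sizeof *dev);
    if (!dev) return NULL;
    dev->verbs_dev.device.id = id;
    return &dev->verbs_dev;
}

/* The free that was mis-flagged: 'dev' is derived from '&verbs_device->device',
 * an address-of that is not a MEM_REF, which the old analyzer took as "not heap". */
void mlx5_uninit_device(struct verbs_device *verbs_device)
{
    struct mlx5_device *dev = to_mdev(&verbs_device->device);
    free(dev);                      /* valid: dev is the calloc() block */
}

/* Returns 1 when the pointer mlx5_uninit_device() will free is exactly the
 * heap block handed out by mlx5_init_device(), i.e. the free is legitimate. */
int freed_pointer_is_heap_block(int id)
{
    struct verbs_device *vdev = mlx5_init_device(id);
    if (!vdev) return 0;
    struct mlx5_device *dev = to_mdev(&vdev->device);
    int ok = (void *)dev == (void *)vdev && (void *)&vdev->device == (void *)dev
          && dev->verbs_dev.device.id == id;
    mlx5_uninit_device(vdev);
    return ok;
}
```

Compiling this with -fanalyzer on a GCC built before the commit above reproduces the false positive; after it the free is silently accepted because get_default_state only marks regions whose memory space is known not to be the heap.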

* [Bug analyzer/104560] False positive from -Wanalyzer-free-of-non-heap seen with rdma-core
From: dmalcolm at gcc dot gnu.org @ 2022-02-16 23:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104560

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above commit
