public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/107225] New: FP with -Wanalyzer-mismatching-deallocation
@ 2022-10-12  1:09 urs at akk dot org
  2022-10-12  1:11 ` [Bug analyzer/107225] " urs at akk dot org
  2022-10-12 15:16 ` dmalcolm at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: urs at akk dot org @ 2022-10-12  1:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107225

            Bug ID: 107225
           Summary: FP with -Wanalyzer-mismatching-deallocation
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: urs at akk dot org
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu
             Build: x86_64-pc-linux-gnu

gcc build from git @ ab332cd78d083edb2fddaa3c02578cafade12725
with
configure --program-suffix=-13 --enable-languages=c,lto --enable-lto
--disable-multilib
make -j 4 BOOT_CFLAGS='-pipe -O0 -w' bootstrap

on x86_64-pc-linux-gnu (Intel(R) Core(TM) i7-6700T); Ubuntu 22.04.1 LTS; GLIBC
2.35-0ubuntu3.1

The somewhat reduced testcase shows (besides other stuff) a false positive with
gcc-13 -v -save-temps -freport-bug -g -O2 -Wextra -Wpedantic -pipe -Wall
-Winline -Wshadow -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wbad-function-cast -Wnested-externs -Wcast-align
-Wpointer-arith -Waggregate-return -Wcast-qual -Wwrite-strings -Wundef -Wpacked
-Wfloat-equal -Wunused-macros -Wold-style-definition -Winit-self
-Wmissing-include-dirs -Wlogical-op -Wjump-misses-init -Wformat=2
-Wshift-overflow=2 -Wnull-dereference -Wduplicated-cond -Walloc-zero -Walloca
-Wstringop-overflow=2 -Wduplicated-branches -Wno-format-nonliteral
-Wno-stringop-truncation -Wno-format-truncation -fanalyzer -c fp.c -o fp.o


fp.c:83:25: warning: ‘fp’ should have been deallocated with ‘fclose’ but was
deallocated with ‘pclose’ [CWE-762] [-Wanalyzer-mismatching-deallocation]
   83 |                         pclose(fp);
      |                         ^~~~~~~~~~

Looks like the analyzer doesn't notice that it took the false branch in line 51
and thus has to take the false branch in line 82 again.


* [Bug analyzer/107225] FP with -Wanalyzer-mismatching-deallocation
  2022-10-12  1:09 [Bug analyzer/107225] New: FP with -Wanalyzer-mismatching-deallocation urs at akk dot org
@ 2022-10-12  1:11 ` urs at akk dot org
  2022-10-12 15:16 ` dmalcolm at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: urs at akk dot org @ 2022-10-12  1:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107225

--- Comment #1 from urs at akk dot org ---
Created attachment 53694
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53694&action=edit
reduced test case for FP with -fanalyzer (-Wanalyzer-mismatching-deallocation,
-Wanalyzer-file-leak)


* [Bug analyzer/107225] FP with -Wanalyzer-mismatching-deallocation
  2022-10-12  1:09 [Bug analyzer/107225] New: FP with -Wanalyzer-mismatching-deallocation urs at akk dot org
  2022-10-12  1:11 ` [Bug analyzer/107225] " urs at akk dot org
@ 2022-10-12 15:16 ` dmalcolm at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-10-12 15:16 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107225

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.

As far as I can tell, the aliasing implementation gets confused at:

1313 |           x_hdrs[num_x_hdrs++] = strdup(line);
     |           ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~

for the case where x_hdrs is NULL (which -fanalyzer does seem to complain
about) and considers that the write to NULL[0] could modify file's buffer
(which it clearly can't, or at least, it's clear to a human that it can't).

I think it's fixable by making the -fanalyzer's aliasing code consider that
writes through NULL don't alias anything.

^ permalink raw reply	[flat|nested] 3+ messages in thread
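
The code shape discussed in this thread, as an added example that is not the reporter's attachment and not GCC code: one flag selects popen or fopen and is tested again to select pclose or fclose, with the x_hdrs[num_x_hdrs++] store in between guarded so it can never go through a NULL x_hdrs. The names collect_x_hdrs and demo_count, the "X-" filter and the sample file are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* popen, pclose, strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not the attachment from the bug report.
 * Hypothetical helper: collect lines starting with "X-" from a file or a
 * command's output; returns the number collected, or -1 on error. */
int collect_x_hdrs(const char *src, int is_pipe, char ***out)
{
    FILE *fp = is_pipe ? popen(src, "r") : fopen(src, "r"); /* 1st test of is_pipe */
    if (!fp) return -1;
    char line[256], **x_hdrs = NULL;
    int num_x_hdrs = 0, rc = 0;
    while (fgets(line, sizeof line, fp)) {
        if (strncmp(line, "X-", 2) != 0) continue;
        /* Grow and check first, so the store never goes through NULL. */
        char **grown = realloc(x_hdrs, ((size_t)num_x_hdrs + 1) * sizeof *grown);
        char *copy = grown ? strdup(line) : NULL;
        if (grown) x_hdrs = grown;
        if (!copy) { rc = -1; break; }
        x_hdrs[num_x_hdrs++] = copy;
    }
    /* Second test of the same, unmodified flag: closer matches opener. */
    if (is_pipe) pclose(fp);
    else fclose(fp);
    if (rc < 0) {
        while (num_x_hdrs > 0) free(x_hdrs[--num_x_hdrs]);
        free(x_hdrs);
        return -1;
    }
    *out = x_hdrs;
    return num_x_hdrs;
}

/* Runs the helper over a constructed three-line sample file. */
int demo_count(void)
{
    char **h = NULL;
    FILE *w = fopen("x_hdrs_sample.txt", "w");
    if (!w) return -1;
    fputs("X-Mailer: demo\nSubject: hi\nX-Spam: no\n", w);
    fclose(w);
    int n = collect_x_hdrs("x_hdrs_sample.txt", 0, &h);
    remove("x_hdrs_sample.txt");
    for (int i = 0; i < n; i++) free(h[i]);
    free(h);
    return n;
}
```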
