public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/108252] New: false positive: leak detection
@ 2022-12-29 14:11 chipitsine at gmail dot com
  2023-01-09 21:42 ` [Bug analyzer/108252] " dmalcolm at gcc dot gnu.org
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: chipitsine at gmail dot com @ 2022-12-29 14:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

            Bug ID: 108252
           Summary: false positive: leak detection
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: chipitsine at gmail dot com
  Target Milestone: ---

repro steps

```
git clone https://github.com/haproxy/haproxy
cd haproxy

export CC=/home/ilia/gcc/gcc-home/bin/gcc
make TARGET=linux-glibc USE_OPENSSL=1 DEBUG_CFLAGS="-fanalyzer"
```

detection

```
src/cfgparse-ssl.c: In function ‘ssl_parse_global_ciphers’:
src/cfgparse-ssl.c:264:17: warning: leak of ‘strdup(args[1])’ [CWE-401] [-Wanalyzer-malloc-leak]
  264 |         *target = strdup(args[1]);
      |         ~~~~~~~~^~~~~~~~~~~~~~~~~
  ‘ssl_parse_global_ciphers’: events 1-6
    |
    |  255 |         if (too_many_args(1, args, err, NULL))
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch...
    |......
    |  258 |         if (*(args[1]) == 0) {
    |      |            ~ ~~~~~~~~~
    |      |            |      |
    |      |            |      (2) ...to here
    |      |            (3) following ‘false’ branch...
    |......
    |  263 |         free(*target);
    |      |         ~~~~~~~~~~~~~
    |      |         |
    |      |         (4) ...to here
    |  264 |         *target = strdup(args[1]);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                 | |
    |      |                 | (5) allocated here
    |      |                 (6) ‘strdup(args[1])’ leaks here; was allocated at (5)
    |
```

is wrong

detailed review:
https://github.com/haproxy/haproxy/issues/1745#issuecomment-1367207339

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
@ 2023-01-09 21:42 ` dmalcolm at gcc dot gnu.org
  2023-01-09 21:52 ` dmalcolm at gcc dot gnu.org
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-09 21:42 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-01-09
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug; confirmed.  I'm working on minimizing the
reproducer.

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
  2023-01-09 21:42 ` [Bug analyzer/108252] " dmalcolm at gcc dot gnu.org
@ 2023-01-09 21:52 ` dmalcolm at gcc dot gnu.org
  2023-01-11 21:28 ` cvs-commit at gcc dot gnu.org
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-09 21:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Created attachment 54221
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54221&action=edit
Reduced reproducer

Reproduces with trunk, with -fanalyzer:
  https://godbolt.org/z/x15xdYa57

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
  2023-01-09 21:42 ` [Bug analyzer/108252] " dmalcolm at gcc dot gnu.org
  2023-01-09 21:52 ` dmalcolm at gcc dot gnu.org
@ 2023-01-11 21:28 ` cvs-commit at gcc dot gnu.org
  2023-01-11 21:40 ` dmalcolm at gcc dot gnu.org
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-01-11 21:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:688fc162b76dc6747a30fcfd470f4770da0f4924

commit r13-5113-g688fc162b76dc6747a30fcfd470f4770da0f4924
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Jan 11 16:27:06 2023 -0500

    analyzer: fix leak false positives on "*UNKNOWN = PTR;" [PR108252]

    PR analyzer/108252 reports a false positive from -Wanalyzer-malloc-leak on
    code like this:

      *ptr_ptr = strdup(EXPR);

    where ptr_ptr is an UNKNOWN_VALUE.

    When we handle:
      *UNKNOWN = PTR;
    store::set_value normally marks *PTR as having escaped, and this means
    we don't report PTR as leaking when the last usage of PTR is lost.

    However this only works for cases where PTR is a region_svalue.
    In the example in the bug, it's a conjured_svalue, rather than a
    region_svalue.  A similar problem can arise for FDs, which aren't
    pointers.

    This patch fixes the bug by updating store::set_value to mark any
    values stored via *UNKNOWN = VAL as not leaking.

    Additionally, sm-malloc.cc's known_allocator_p hardcodes strdup and
    strndup as allocators (and thus transitioning their result to
    "unchecked"), but we don't implement known_functions for these, leading
    to the LHS being a CONJURED_SVALUE, rather than a region_svalue to a
    heap-allocated region.  A similar issue happens with functions marked
    with __attribute__((malloc)).  As part of a "belt and braces" fix, the
    patch also updates the handling of these functions, so that they use
    heap-allocated regions.

    gcc/analyzer/ChangeLog:
            PR analyzer/108252
            * kf.cc (class kf_strdup): New.
            (class kf_strndup): New.
            (register_known_functions): Register them.
            * region-model.cc (region_model::on_call_pre): Use
            &HEAP_ALLOCATED_REGION for the default result of an external
            function with the "malloc" attribute, rather than CONJURED_SVALUE.
            (region_model::get_or_create_region_for_heap_alloc): Allow
            "size_in_bytes" to be NULL.
            * store.cc (store::set_value): When handling *UNKNOWN = VAL,
            mark VAL as "maybe bound".

    gcc/testsuite/ChangeLog:
            PR analyzer/108252
            * gcc.dg/analyzer/attr-malloc-pr108252.c: New test.
            * gcc.dg/analyzer/fd-leak-pr108252.c: New test.
            * gcc.dg/analyzer/flex-with-call-summaries.c: Remove xfail from
            warning false +ve directives.
            * gcc.dg/analyzer/pr103217-2.c: Add -Wno-analyzer-too-complex.
            * gcc.dg/analyzer/pr103217-3.c: Likewise.
            * gcc.dg/analyzer/strdup-pr108252.c: New test.
            * gcc.dg/analyzer/strndup-pr108252.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

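Added example, not code from the GCC commit, its testsuite or HAProxy: the ownership pattern the report and the commit message describe, a `free(*target); *target = strdup(...)` pair through a `char **` that points into a structure the setter never sees, once via strdup and once via a hypothetical allocator carrying `__attribute__((malloc))`, plus the owner that eventually frees both fields. Names such as `set_cipher_string`, `dup_string` and `ssl_global_conf` are invented; before the fix, -fanalyzer could report these stores as leaks even though the caller retains every pointer.

```c
#define _POSIX_C_SOURCE 200809L     /* strdup */
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator wrapper for the commit's second case: a function
 * the analyzer knows only through __attribute__((malloc)). */
static char *dup_string(const char *s) __attribute__((malloc));

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Shape of the ssl_parse_global_ciphers code in the report. `target` points
 * at a field of a configuration object the setter knows nothing about, so
 * the analyzer sees the store as `*UNKNOWN = PTR`: the pointer escapes into
 * the caller's state and must not be counted as leaked when the setter
 * returns. Allocating before freeing keeps the old setting if strdup fails. */
static int set_cipher_string(char **target, const char *value)
{
    char *copy;
    if (value[0] == '\0')
        return -1;                  /* empty argument is a config error */
    copy = strdup(value);
    if (copy == NULL)
        return -1;                  /* old value stays valid */
    free(*target);                  /* release the previous setting, if any */
    *target = copy;                 /* ownership moves to the caller's field */
    return 0;
}

/* Same ownership transfer through the attribute-malloc allocator. */
static int set_cipher_string_attr(char **target, const char *value)
{
    char *copy;
    if (value[0] == '\0')
        return -1;
    copy = dup_string(value);
    if (copy == NULL)
        return -1;
    free(*target);
    *target = copy;
    return 0;
}

/* The owner of both strings; invisible from inside the setters. */
struct ssl_global_conf {
    char *listen_ciphers;
    char *connect_ciphers;
};

static void ssl_global_conf_free(struct ssl_global_conf *c)
{
    free(c->listen_ciphers);
    free(c->connect_ciphers);
    c->listen_ciphers = NULL;
    c->connect_ciphers = NULL;
}

/* Drives the setters like a config parser would: first setting, overwrite
 * (exercises the free of the old value), a rejected empty argument, then
 * teardown. Returns 1 when the stored strings are what was set. */
int run_ownership_demo(void)
{
    struct ssl_global_conf conf = { NULL, NULL };
    int ok = 1;

    ok &= set_cipher_string(&conf.listen_ciphers, "ECDHE+AESGCM") == 0;
    ok &= set_cipher_string(&conf.listen_ciphers, "ECDHE+CHACHA20") == 0;
    ok &= set_cipher_string_attr(&conf.connect_ciphers, "HIGH:!aNULL") == 0;
    ok &= set_cipher_string(&conf.listen_ciphers, "") == -1;

    ok &= conf.listen_ciphers != NULL
          && strcmp(conf.listen_ciphers, "ECDHE+CHACHA20") == 0;
    ok &= conf.connect_ciphers != NULL
          && strcmp(conf.connect_ciphers, "HIGH:!aNULL") == 0;

    ssl_global_conf_free(&conf);    /* both allocations released here */
    return ok;
}
```

Building this file with `gcc -fanalyzer -c` on a compiler without the fix is the quickest way to see whether the `*target = copy;` stores are still flagged; on a fixed compiler no -Wanalyzer-malloc-leak is expected.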

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
                   ` (2 preceding siblings ...)
  2023-01-11 21:28 ` cvs-commit at gcc dot gnu.org
@ 2023-01-11 21:40 ` dmalcolm at gcc dot gnu.org
  2023-01-12  5:55 ` chipitsine at gmail dot com
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-11 21:40 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk for gcc 13 by the above commit.

I *think* the store::set_value change can be readily backported to GCC 12, so
keeping this bug open to track that backport (perhaps even earlier???)

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
                   ` (3 preceding siblings ...)
  2023-01-11 21:40 ` dmalcolm at gcc dot gnu.org
@ 2023-01-12  5:55 ` chipitsine at gmail dot com
  2023-01-12 14:57 ` dmalcolm at gcc dot gnu.org
  2023-01-12 15:55 ` chipitsine at gmail dot com
  6 siblings, 0 replies; 8+ messages in thread
From: chipitsine at gmail dot com @ 2023-01-12  5:55 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #5 from Илья Шипицин <chipitsine at gmail dot com> ---
thank you, David!

I'll rerun the haproxy check soon

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
                   ` (4 preceding siblings ...)
  2023-01-12  5:55 ` chipitsine at gmail dot com
@ 2023-01-12 14:57 ` dmalcolm at gcc dot gnu.org
  2023-01-12 15:55 ` chipitsine at gmail dot com
  6 siblings, 0 replies; 8+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-12 14:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to Илья Шипицин from comment #5)
> thank you, David!
> 
> I'll rerun the haproxy check soon

Note that I haven't yet fixed bug 108251, so I don't know how useful the
results will be to you :/

FWIW I've added a build of haproxy-2.7.1 with -fanalyzer to my integration
tests of -fanalyzer:
  https://github.com/davidmalcolm/gcc-analyzer-integration-tests
to try to track the output.

Prior to the above patch I got this from gcc trunk with haproxy-2.7.1:

warning: 185
 - -Wanalyzer-null-dereference dereference of NULL ‘0’: 17
 - -Wanalyzer-null-dereference dereference of NULL ‘conn’: 14
 - -Wanalyzer-malloc-leak leak of ‘b’: 11
 - -Wanalyzer-malloc-leak leak of ‘<unknown>’: 10
 - -Wanalyzer-malloc-leak leak of ‘strdup(args[1])’: 8
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘sl.rq.m.ptr’: 7
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘sl.rq.u.ptr’: 7
 - -Wanalyzer-malloc-leak leak of ‘strdup(tmp)’: 5
 - -Wanalyzer-fd-leak leak of file descriptor ‘*rx.fd’: 4
 - -Wanalyzer-null-dereference dereference of NULL ‘fstrm’: 4
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘sl.rq.v.ptr’: 4
 - -Wanalyzer-out-of-bounds heap-based buffer under-read: 3
 - -Wanalyzer-malloc-leak leak of ‘u’: 3
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘sl.rq.u.len’: 3
 - -Wanalyzer-null-dereference dereference of NULL ‘s’: 3
 - -Wanalyzer-malloc-leak leak of ‘strdup(&buf)’: 2
 - -Wanalyzer-null-dereference dereference of NULL ‘ret’: 2
 - -Wanalyzer-malloc-leak leak of ‘chk.area’: 2
 - -Wanalyzer-fd-leak leak of file descriptor ‘socket(1, 1, 0)’: 2
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘ring.buf.data’: 2
 - -Wanalyzer-deref-before-check check of ‘meth’ for NULL after already dereferencing it: 2
 - -Wanalyzer-deref-before-check check of ‘uri’ for NULL after already dereferencing it: 2
 - -Wanalyzer-deref-before-check check of ‘vsn’ for NULL after already dereferencing it: 2
 - -Wanalyzer-allocation-size allocated buffer size is not a multiple of the pointee's size: 2
 - -Wanalyzer-deref-before-check check of ‘etag_buffer’ for NULL after already dereferencing it: 2
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘*(unsigned int *)memPtr’: 2
 - -Wanalyzer-deref-before-check check of ‘result’ for NULL after already dereferencing it: 2
 - -Wanalyzer-possible-null-dereference dereference of possibly-NULL ‘p’: 2
 - -Wanalyzer-null-argument use of NULL ‘params’ where non-null expected: 2
 - -Wanalyzer-null-dereference dereference of NULL ‘uri’: 2
 - -Wanalyzer-deref-before-check check of ‘dash’ for NULL after already dereferencing it: 2
 - -Wanalyzer-fd-leak leak of file descriptor: 1
 - -Wanalyzer-malloc-leak leak of ‘calloc((long unsigned int)(hdr_num + 1), 32)’: 1
 - -Wanalyzer-malloc-leak leak of ‘node’: 1
 - -Wanalyzer-malloc-leak leak of ‘malloc((long unsigned int)(len + 1))’: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘data’: 1
 - -Wanalyzer-malloc-leak leak of ‘newkey’: 1
 - -Wanalyzer-possible-null-dereference dereference of possibly-NULL ‘p1’: 1
 - -Wanalyzer-malloc-leak leak of ‘conf_err’: 1
 - -Wanalyzer-malloc-leak leak of ‘new_conf_err’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(*args_21(D) + _3)’: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘*(struct lru64 *)_117 = PHI <_8(16), troot_4(13), ret_106(24)>.revision’: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘*(struct lru64 *)_117 = PHI <_8(16), troot_4(13), ret_106(24)>.lru.n’: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘*(struct lru64 *)_117 = PHI <_8(16), troot_4(13), ret_106(24)>.lru.p’: 1
 - -Wanalyzer-malloc-leak leak of ‘*lru.spare’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(*args_18(D) + _4)’: 1
 - -Wanalyzer-possible-null-dereference dereference of possibly-NULL ‘dst’: 1
 - -Wanalyzer-use-after-free use after ‘free’ of ‘link’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(backing)’: 1
 - -Wanalyzer-possible-null-dereference dereference of possibly-NULL ‘comp’: 1
 - -Wanalyzer-malloc-leak leak of ‘fconf’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup("/haproxy?stats")’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(".internal-stats-userlist")’: 1
 - -Wanalyzer-malloc-leak leak of ‘calloc(1, 72)’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(*args_153(D) + _49)’: 1
 - -Wanalyzer-deref-before-check check of ‘ext_child’ for NULL after already dereferencing it: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘sl.rq.m.len’: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘sl.rq.v.len’: 1
 - -Wanalyzer-malloc-leak leak of ‘vph’: 1
 - -Wanalyzer-null-argument use of NULL where non-null expected: 1
 - -Wanalyzer-null-dereference dereference of NULL ‘value’: 1
 - -Wanalyzer-malloc-leak leak of ‘wl’: 1
 - -Wanalyzer-double-free double-‘free’ of ‘*wl.s’: 1
 - -Wanalyzer-double-free double-‘free’ of ‘wl’: 1
 - -Wanalyzer-malloc-leak leak of ‘rule’: 1
 - -Wanalyzer-malloc-leak leak of ‘progname’: 1
 - -Wanalyzer-out-of-bounds buffer over-read: 1
 - -Wanalyzer-fd-leak leak of file descriptor ‘fd’: 1
 - -Wanalyzer-null-dereference dereference of NULL ‘srv’: 1
 - -Wanalyzer-possible-null-argument use of possibly-NULL ‘*curproxy.lbprm.arg_str’ where non-null expected: 1
 - -Wanalyzer-use-of-uninitialized-value use of uninitialized value ‘parser’: 1
 - -Wanalyzer-null-dereference dereference of NULL ‘sl’: 1
 - -Wanalyzer-null-dereference dereference of NULL ‘dht’: 1
 - -Wanalyzer-malloc-leak leak of ‘malloc(*_ctr.size)’: 1
 - -Wanalyzer-null-dereference dereference of NULL ‘remote’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(trash.area)’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(id)’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(file)’: 1
 - -Wanalyzer-malloc-leak leak of ‘strdup(arg)’: 1
 - -Wanalyzer-malloc-leak leak of ‘cp’: 1
 - -Wanalyzer-malloc-leak leak of ‘tctx’: 1

and the effect of the above gcc patch on the haproxy-2.7.1 results is:

  Number of occurrences 8 -> 4 (-4) for issue "-Wanalyzer-malloc-leak leak of ‘strdup(args[1])’"
  Number of occurrences 2 -> 1 (-1) for issue "-Wanalyzer-malloc-leak leak of ‘strdup(&buf)’"
  Number of occurrences 3 -> 1 (-2) for issue "-Wanalyzer-malloc-leak leak of ‘u’"
  Number of occurrences 2 -> 1 (-1) for issue "-Wanalyzer-deref-before-check check of ‘result’ for NULL after already dereferencing it"
  New issue "-Wanalyzer-malloc-leak leak of ‘*ctx.prefix’" (1 occurrence)
  New issue "-Wanalyzer-malloc-leak leak of ‘logsrv’" (1 occurrence)
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(tmp)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘newkey’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(*args_21(D) + _3)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(*args_18(D) + _4)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(backing)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup("/haproxy?stats")’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(".internal-stats-userlist")’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(*args_153(D) + _49)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘progname’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(trash.area)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(id)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(file)’"
  Eliminated issue "-Wanalyzer-malloc-leak leak of ‘strdup(arg)’"

I haven't yet dug in to see the details to classify things as true/false
positives.  I expect there are still a *lot* of false positives (sorry!)

* [Bug analyzer/108252] false positive: leak detection
  2022-12-29 14:11 [Bug analyzer/108252] New: false positive: leak detection chipitsine at gmail dot com
                   ` (5 preceding siblings ...)
  2023-01-12 14:57 ` dmalcolm at gcc dot gnu.org
@ 2023-01-12 15:55 ` chipitsine at gmail dot com
  6 siblings, 0 replies; 8+ messages in thread
From: chipitsine at gmail dot com @ 2023-01-12 15:55 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #7 from Илья Шипицин <chipitsine at gmail dot com> ---
(In reply to David Malcolm from comment #6)
> (In reply to Илья Шипицин from comment #5)
> > thank you, David!
> > 
> > I'll rerun the haproxy check soon
> 
> Note that I haven't yet fixed bug 108251, so I don't know how useful the
> results will be to you :/
> 
> FWIW I've added a build of haproxy-2.7.1 with -fanalyzer to my integration
> tests of -fanalyzer:
>   https://github.com/davidmalcolm/gcc-analyzer-integration-tests
> to try to track the output.
> 
> I haven't yet dug in to see the details to classify things as true/false
> positives.  I expect there are still a *lot* of false positives (sorry!)

yep, those two issues were two reviewed findings.
after they are fixed we would like to move on to the remaining findings :)

thank you for taking care of them as well; hopefully there are still many false
positives.

as far as I can guess, Red Hat would like to implement a quality gate for building RPM
packages by enabling the "-fanalyzer" flag? it would be nice.
