From: "alx at kernel dot org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109335] -Wanalyzer-malloc-leak false positives and false negatives
Date: Wed, 15 May 2024 13:58:36 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 13.0
X-Bugzilla-Severity: normal
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109335

--- Comment #4 from Alejandro Colomar ---
Here's a smaller reproducer:

$ cat pass.c
#include <stdlib.h>

void my_free(char *p);
[[gnu::malloc(my_free)]] char *my_malloc(void);

int main(void)
{
        char *p;
        p = my_malloc();
        my_free(p); // 2 false positives.
}

char *my_malloc(void)
{
        return malloc(42);
}

void my_free(char *p)
{
        free(p);
}

$ gcc-14 -Wall -Wextra pass.c -fanalyzer -O3
pass.c: In function ‘main’:
pass.c:10:9: warning: ‘p’ should have been deallocated with ‘free’ but was deallocated with ‘my_free’ [CWE-762] [-Wanalyzer-mismatching-deallocation]
   10 |         my_free(p); // 2 false positives.
      |         ^~~~~~~~~~
  ‘main’: events 1-2
    |
    |    6 | int main(void)
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to ‘main’
    |......
    |    9 |         p = my_malloc();
    |      |             ~~~~~~~~~~~
    |      |             |
    |      |             (2) calling ‘my_malloc’ from ‘main’
    |
    +--> ‘my_malloc’: events 3-4
           |
           |   13 | char *my_malloc(void)
           |      |       ^~~~~~~~~
           |      |       |
           |      |       (3) entry to ‘my_malloc’
           |   14 | {
           |   15 |         return malloc(42);
           |      |                ~~~~~~~~~~
           |      |                |
           |      |                (4) allocated here (expects deallocation with ‘free’)
           |
    <------+
    |
  ‘main’: events 5-6
    |
    |    9 |         p = my_malloc();
    |      |             ^~~~~~~~~~~
    |      |             |
    |      |             (5) returning to ‘main’ from ‘my_malloc’
    |   10 |         my_free(p); // 2 false positives.
    |      |         ~~~~~~~~~~
    |      |         |
    |      |         (6) deallocated with ‘my_free’ here; allocation at (4) expects deallocation with ‘free’
    |
pass.c: In function ‘my_malloc’:
pass.c:15:16: warning: leak of ‘p’ [CWE-401] [-Wanalyzer-malloc-leak]
   15 |         return malloc(42);
      |                ^~~~~~~~~~
  ‘main’: events 1-3
    |
    |    6 | int main(void)
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to ‘main’
    |......
    |    9 |         p = my_malloc();
    |      |             ~~~~~~~~~~~
    |      |             |
    |      |             (2) allocated here
    |      |             (3) calling ‘my_malloc’ from ‘main’
    |
    +--> ‘my_malloc’: events 4-5
           |
           |   13 | char *my_malloc(void)
           |      |       ^~~~~~~~~
           |      |       |
           |      |       (4) entry to ‘my_malloc’
           |   14 | {
           |   15 |         return malloc(42);
           |      |                ~~~~~~~~~~
           |      |                |
           |      |                (5) ‘p’ leaks here; was allocated at (2)
           |