public inbox for gcc-bugs@sourceware.org
From: "eggert at cs dot ucla.edu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/110014] New: -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))
Date: Sun, 28 May 2023 18:09:22 +0000
Message-ID: <bug-110014-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110014

            Bug ID: 110014
           Summary: -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 55179
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55179&action=edit
compile with 'gcc -fanalyzer -S' to reproduce the bug

This is a followup to bug 109577, and reports a more serious problem with
-Wanalyzer-allocation-size: it mishandles realloc even when the last argument
is obviously a multiple of the object size. I discovered this problem when
compiling an experimental version of GNU diffutils.

This is with gcc (GCC) 13.1.1 20230511 (Red Hat 13.1.1-2) x86-64.

Compile the attached program with:

  gcc -fanalyzer -S w.i

The output is as follows. All the warnings are incorrect. The last warning is
for a call of the form realloc(p, N * sizeof (long)) even though the result is
used as a long * so the call is obviously well-sized.

w.i: In function ‘slurp’:
w.i:11:14: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   11 |     buffer = realloc (buffer, cc);
      |              ^~~~~~~~~~~~~~~~~~~~
  ‘slurp’: events 1-4
    |
    |    9 |   if (!__builtin_add_overflow (file_size - file_size % sizeof (long),
    |      |      ^
    |      |      |
    |      |      (1) following ‘true’ branch...
    |   10 |                                2 * sizeof (long), &cc))
    |   11 |     buffer = realloc (buffer, cc);
    |      |              ~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (2) ...to here
    |      |              (3) allocated ‘cc’ bytes here
    |      |              (4) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
w.i: In function ‘slurp1’:
w.i:18:10: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp1’: events 1-2
    |
    |   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
w.i: In function ‘slurp2’:
w.i:24:10: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp2’: events 1-2
    |
    |   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
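The size arithmetic the report is about, written out as an added example rather than the reporter's attachment w.i: each of the three flagged calls passes realloc a byte count that is provably a whole number of longs (rounded down with either `size - size % sizeof (long)` or `(size / sizeof (long)) * sizeof (long)`, optionally plus `2 * sizeof (long)` behind an overflow check). The helpers below isolate that arithmetic so the multiple-of-pointee-size property the analyzer fails to prove can be checked directly; function names (`round_down_to_long`, `slurp_size`, `is_multiple_of_long`, `grow_long_buffer`) are assumptions for illustration, not from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Added example, not the reporter's w.i attachment: the size
   arithmetic from the report's slurp/slurp1/slurp2, factored into
   helpers whose results can be checked.  Names are assumed. */

/* Round SIZE down to a whole number of longs, as slurp1 does with
   "file_size - file_size % sizeof (long)" and slurp2 with
   "(file_size / sizeof (long)) * sizeof (long)" (same value). */
static size_t round_down_to_long(size_t size)
{
    return size - size % sizeof (long);
}

/* The byte count slurp hands to realloc: the rounded-down size plus
   two extra longs, computed with __builtin_add_overflow (GCC/Clang)
   so an oversized FILE_SIZE is rejected instead of silently wrapping.
   Returns true and stores the count in *OUT on success, false on
   overflow (then *OUT is not meaningful). */
static bool slurp_size(size_t file_size, size_t *out)
{
    return !__builtin_add_overflow(round_down_to_long(file_size),
                                   2 * sizeof (long), out);
}

/* The property the warning claims is violated: the allocation is a
   multiple of the pointee size.  Both addends in slurp_size are
   multiples of sizeof (long), so this holds whenever it succeeds. */
static bool is_multiple_of_long(size_t size)
{
    return size % sizeof (long) == 0;
}

/* Mirror of the flagged call shape "buffer = realloc (buffer, cc)":
   grows BUFFER to hold the rounded-down FILE_SIZE plus two longs.
   Returns NULL, leaving BUFFER valid and untouched, when the size
   would overflow or realloc itself fails. */
static long *grow_long_buffer(long *buffer, size_t file_size)
{
    size_t cc;
    if (!slurp_size(file_size, &cc))
        return NULL;
    return realloc(buffer, cc);
}
```

Returning the new pointer instead of assigning into the caller's variable is deliberate: on failure the original buffer is still owned by the caller and can be freed, which `buffer = realloc (buffer, cc)` alone does not guarantee.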
Thread overview: 10+ messages
  2023-05-28 18:09 eggert at cs dot ucla.edu [this message]
  2023-06-10 12:29 ` [Bug analyzer/110014] " cvs-commit at gcc dot gnu.org
  2023-06-12 13:17 ` dmalcolm at gcc dot gnu.org
  2024-01-28  8:03 ` nightstrike at gmail dot com
  2024-02-15 19:57 ` [Bug analyzer/110014] [13 Regression] " dmalcolm at gcc dot gnu.org
  2024-04-14  5:06 ` pinskia at gcc dot gnu.org
  2024-05-09 17:11 ` cvs-commit at gcc dot gnu.org
  2024-05-09 17:53 ` [Bug analyzer/110014] " dmalcolm at gcc dot gnu.org
  2024-05-11 16:35 ` nightstrike at gmail dot com
  2024-05-11 17:50 ` segher at gcc dot gnu.org