public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "eggert at cs dot ucla.edu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/110014] New: -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))
Date: Sun, 28 May 2023 18:09:22 +0000	[thread overview]
Message-ID: <bug-110014-4@http.gcc.gnu.org/bugzilla/> (raw)

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110014

            Bug ID: 110014
           Summary: -Wanalyzer-allocation-size mishandles realloc (...,
                    .... * sizeof (object))
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 55179
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55179&action=edit
compile with 'gcc -fanalyzer -S' to reproduce the bug

This is a followup to bug 109577, and reports a more serious problem with
-Wanalyzer-allocation-size: it mishandles realloc even when the last argument
is obviously a multiple of the object size.

I discovered this problem when compiling an experimental version of GNU
diffutils.

This is with gcc (GCC) 13.1.1 20230511 (Red Hat 13.1.1-2) x86-64.

Compile the attached program with:

gcc -fanalyzer -S w.i

The output is as follows. All the warnings are incorrect. The last warning is
for a call of the form realloc(p, N * sizeof (long)) even though the result is
used as a long * so the call is obviously well-sized.


w.i: In function ‘slurp’:
w.i:11:14: warning: allocated buffer size is not a multiple of the pointee's
size [CWE-131] [-Wanalyzer-allocation-size]
   11 |     buffer = realloc (buffer, cc);
      |              ^~~~~~~~~~~~~~~~~~~~
  ‘slurp’: events 1-4
    |
    |    9 |   if (!__builtin_add_overflow (file_size - file_size % sizeof
(long),
    |      |      ^
    |      |      |
    |      |      (1) following ‘true’ branch...
    |   10 |                                2 * sizeof (long), &cc))
    |   11 |     buffer = realloc (buffer, cc);
    |      |              ~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (2) ...to here
    |      |              (3) allocated ‘cc’ bytes here
    |      |              (4) assigned to ‘long int *’ here; ‘sizeof (long
int)’ is ‘8’
    |
w.i: In function ‘slurp1’:
w.i:18:10: warning: allocated buffer size is not a multiple of the pointee's
size [CWE-131] [-Wanalyzer-allocation-size]
   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp1’: events 1-2
    |
    |   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes
here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is
‘8’
    |
w.i: In function ‘slurp2’:
w.i:24:10: warning: allocated buffer size is not a multiple of the pointee's
size [CWE-131] [-Wanalyzer-allocation-size]
   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp2’: events 1-2
    |
    |   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof
(long));
    |      |         
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes
here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is
‘8’
    |

             reply	other threads:[~2023-05-28 18:09 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-28 18:09 eggert at cs dot ucla.edu [this message]
2023-06-10 12:29 ` [Bug analyzer/110014] " cvs-commit at gcc dot gnu.org
2023-06-12 13:17 ` dmalcolm at gcc dot gnu.org
2024-01-28  8:03 ` nightstrike at gmail dot com
2024-02-15 19:57 ` [Bug analyzer/110014] [13 Regression] " dmalcolm at gcc dot gnu.org
2024-04-14  5:06 ` pinskia at gcc dot gnu.org
2024-05-09 17:11 ` cvs-commit at gcc dot gnu.org
2024-05-09 17:53 ` [Bug analyzer/110014] " dmalcolm at gcc dot gnu.org
2024-05-11 16:35 ` nightstrike at gmail dot com
2024-05-11 17:50 ` segher at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-110014-4@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).