From: "eggert at cs dot ucla.edu"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/110014] New: -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))
Date: Sun, 28 May 2023 18:09:22 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110014

            Bug ID: 110014
           Summary: -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 55179
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55179&action=edit
compile with 'gcc -fanalyzer -S' to reproduce the bug

This is a followup to bug 109577, and reports a more serious problem with
-Wanalyzer-allocation-size: it mishandles realloc even when the last argument
is obviously a multiple of the object size. I discovered this problem when
compiling an experimental version of GNU diffutils.

This is with gcc (GCC) 13.1.1 20230511 (Red Hat 13.1.1-2) x86-64. Compile the
attached program with:

  gcc -fanalyzer -S w.i

The output is as follows. All the warnings are incorrect. The last warning is
for a call of the form realloc(p, N * sizeof (long)) even though the result is
used as a long * so the call is obviously well-sized.

w.i: In function ‘slurp’:
w.i:11:14: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   11 |     buffer = realloc (buffer, cc);
      |              ^~~~~~~~~~~~~~~~~~~~
  ‘slurp’: events 1-4
    |
    |    9 |   if (!__builtin_add_overflow (file_size - file_size % sizeof (long),
    |      |   ^
    |      |   |
    |      |   (1) following ‘true’ branch...
    |   10 |                               2 * sizeof (long), &cc))
    |   11 |     buffer = realloc (buffer, cc);
    |      |              ~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (2) ...to here
    |      |              (3) allocated ‘cc’ bytes here
    |      |              (4) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
w.i: In function ‘slurp1’:
w.i:18:10: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp1’: events 1-2
    |
    |   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
w.i: In function ‘slurp2’:
w.i:24:10: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp2’: events 1-2
    |
    |   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
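Added example, not the reporter's attachment w.i: the three size expressions the warnings complain about, written as standalone functions (names slurp1_size, slurp2_size, slurp_size, analyzer_mask and slurp1_check are chosen here), so that the "multiple of sizeof (long)" property the analyzer fails to see can be checked at runtime. It assumes a GCC-compatible compiler for __builtin_add_overflow and, for the mask comparison, an LP64 target where the constant 18446744073709551608 from the warning is ~(size_t)7.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* slurp1's realloc argument: file_size rounded down to a multiple of sizeof (long). */
size_t slurp1_size(size_t file_size)
{
    return file_size - file_size % sizeof (long);
}

/* slurp2's argument: the same rounding written as divide-then-multiply. */
size_t slurp2_size(size_t file_size)
{
    return (file_size / sizeof (long)) * sizeof (long);
}

/* slurp's argument: rounded size plus two more longs, guarded exactly as in
   the report; returns false and leaves *cc untouched when the add overflows. */
bool slurp_size(size_t file_size, size_t *cc)
{
    return !__builtin_add_overflow(file_size - file_size % sizeof (long),
                                   2 * sizeof (long), cc);
}

/* The analyzer printed the slurp1/slurp2 size as
   'file_size & 18446744073709551608'; on LP64 that constant is ~(size_t)7,
   i.e. the rounding above as a mask, so the result is always a multiple of 8. */
size_t analyzer_mask(void)
{
    return ~(size_t) (sizeof (long) - 1);
}

/* Reallocate as slurp1 does and write every long the new size covers.
   Returns how many longs fit; under -fsanitize=address a genuinely
   mis-sized buffer would be caught here, which the warning claims is possible. */
size_t slurp1_check(size_t file_size)
{
    size_t n = slurp1_size(file_size);
    long *buffer = realloc(NULL, n);
    if (n != 0 && buffer == NULL)
        return 0;
    size_t count = n / sizeof (long);
    for (size_t i = 0; i < count; i++)
        buffer[i] = (long) i;
    free(buffer);
    return count;
}
```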