From: "buczek at molgen dot mpg.de"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/113333] New: analyzer: False positives with calloc()
Date: Thu, 11 Jan 2024 10:01:31 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113333

            Bug ID: 113333
           Summary: analyzer: False positives with calloc()
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: buczek at molgen dot mpg.de
  Target Milestone: ---

Analyzer assumes that a pointer allocated by calloc() can be != NULL.
** Code:

#include <stdlib.h>
char **f(void) {
    char **vec = calloc(1, sizeof(char *));
    if (vec)
        for (char **p=vec ; *p ; p++);
    return vec;
}

** Result:

: In function 'f':
:5:29: warning: heap-based buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds]
    5 |         for (char **p=vec ; *p ; p++);
      |                             ^~
  'f': events 1-6
    |
    |    3 |     char **vec = calloc(1, sizeof(char *));
    |      |                  ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                  |
    |      |                  (1) capacity: 8 bytes
    |    4 |     if (vec)
    |      |         ~
    |      |         |
    |      |         (2) following 'true' branch (when 'vec' is non-NULL)...
    |    5 |         for (char **p=vec ; *p ; p++);
    |      |                     ~       ~~   ~~~
    |      |                     |       |    |
    |      |                     |       |    (5) ...to here
    |      |                     |       (4) following 'true' branch...
    |      |                     |       (6) out-of-bounds read from byte 8 till byte 15 but region ends at byte 8
    |      |                     (3) ...to here
    |
:5:29: note: read of 8 bytes from after the end of the region
    5 |         for (char **p=vec ; *p ; p++);
      |                             ^~
:5:29: warning: use of uninitialized value '*p' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  'f': events 1-6
    |
    |    3 |     char **vec = calloc(1, sizeof(char *));
    |      |                  ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                  |
    |      |                  (1) region created on heap here
    |    4 |     if (vec)
    |      |         ~
    |      |         |
    |      |         (2) following 'true' branch (when 'vec' is non-NULL)...
    |    5 |         for (char **p=vec ; *p ; p++);
    |      |                     ~       ~~   ~~~
    |      |                     |       |    |
    |      |                     |       |    (5) ...to here
    |      |                     |       (4) following 'true' branch...
    |      |                     |       (6) use of uninitialized value '*p' here
    |      |                     (3) ...to here
    |
Compiler returned: 0

https://gcc.godbolt.org/z/h6bPeYc3T
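Added example, not code from the bug report or from GCC: the reporter's f() next to a scan over the same kind of calloc'd vector and a capacity-bounded variant (scan_len, scan_len_bounded and make_vec are our names). Because calloc zero-fills the allocation, the first slot is a null pointer and the scan reads nothing beyond it; the bounded variant stays in range even when no terminator was ever written.

```c
#include <stddef.h>
#include <stdlib.h>

/* Added example, not code from the bug report or from GCC. f() is the
 * reporter's function; scan_len, scan_len_bounded and make_vec are ours. */

/* The reporter's f(): one char* slot from calloc, walked as a
 * NULL-terminated vector.  calloc zero-fills the slot, so *vec is a null
 * pointer, the loop body never runs and only bytes 0..7 are read. */
char **f(void)
{
    char **vec = calloc(1, sizeof(char *));
    if (vec)
        for (char **p = vec; *p; p++)
            ;
    return vec;
}

/* Number of entries before the NULL terminator.  Safe only when a
 * terminator is guaranteed inside the allocation (calloc's zero fill). */
size_t scan_len(char **vec)
{
    size_t n = 0;
    for (char **p = vec; *p; p++)
        n++;
    return n;
}

/* Same scan, additionally bounded by the allocation capacity: it cannot
 * read past the end even if no terminator was ever written. */
size_t scan_len_bounded(char **vec, size_t cap)
{
    size_t n = 0;
    while (n < cap && vec[n])
        n++;
    return n;
}

/* Constructed input: a calloc'd vector of `cap` slots with the first `used`
 * slots set to a non-null pointer.  With used < cap the remaining slots
 * stay NULL from calloc; with used == cap there is no terminator at all. */
char **make_vec(size_t cap, size_t used)
{
    static char entry[] = "entry";
    char **vec = calloc(cap, sizeof(char *));
    if (vec)
        for (size_t i = 0; i < used && i < cap; i++)
            vec[i] = entry;
    return vec;
}
```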