[Bug analyzer/94378] New: -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[Bug analyzer/94378] New: -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[simon.marchi at polymtl dot ca]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

            Bug ID: 94378
           Summary: -Wanalyzer-malloc-leak false positive when returning a
                    struct by value holding a heap-allocated pointer
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: simon.marchi at polymtl dot ca
  Target Milestone: ---

I tried the analyzer, and I believe it outputs a false positive on this
snippet:

-----

#include <stdlib.h>

struct ret
{
  int *mem;
};

struct ret do_stuff(void)
{
  struct ret r;

  r.mem = malloc(10);

  return r;
}

-----

$ /opt/gcc/git/bin/gcc -c a.c -fanalyzer
a.c: In function ‘do_stuff’:
a.c:14:10: warning: leak of ‘<unknown>’ [CWE-401] [-Wanalyzer-malloc-leak]
   14 |   return r;
      |          ^
  ‘do_stuff’: events 1-2
    |
    |   12 |   r.mem = malloc(10);
    |      |           ^~~~~~~~~~
    |      |           |
    |      |           (1) allocated here
    |   13 | 
    |   14 |   return r;
    |      |          ~ 
    |      |          |
    |      |          (2) ‘<unknown>’ leaks here; was allocated at (1)
    |
a.c:14:10: warning: leak of ‘r.mem’ [CWE-401] [-Wanalyzer-malloc-leak]
   14 |   return r;
      |          ^
  ‘do_stuff’: events 1-3
    |
    |   12 |   r.mem = malloc(10);
    |      |   ~~~~~~~~^~~~~~~~~~
    |      |         | |
    |      |         | (1) allocated here
    |      |         (2) allocated here
    |   13 | 
    |   14 |   return r;
    |      |          ~ 
    |      |          |
    |      |          (3) ‘r.mem’ leaks here; was allocated at (2)
    |

-----

The caller receives the `struct ret` struct by value, and is expected to free
the `mem` field.  I believe the analyzer should not conclude that this is a
leak.

I am on commit 52f24a9e989300506f812bacb8cc302a8bf03a06 (a commit from earlier
today).

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2020-03-29
     Ever confirmed|0                           |1
                 CC|                            |marxin at gcc dot gnu.org
             Status|UNCONFIRMED                 |ASSIGNED

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:a96f1c38a787fbc847cb014d4b094e2787d539a7

commit r10-7502-ga96f1c38a787fbc847cb014d4b094e2787d539a7
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Mar 30 17:02:59 2020 -0400

    analyzer: handle compound assignments [PR94378]

    PR analyzer/94378 reports a false -Wanalyzer-malloc-leak
    when returning a struct containing a malloc-ed pointer.

    The issue is that the assignment code was not handling
    compound copies, only copying top-level values from region to region,
    and not copying child values.

    This patch introduces a region_model::copy_region function, using
    it for assignments and when analyzing function return values.
    It recursively copies nested values within structs, unions, and
    arrays, fixing the bug.

    gcc/analyzer/ChangeLog:
            PR analyzer/94378
            * checker-path.cc: Include "bitmap.h".
            * constraint-manager.cc: Likewise.
            * diagnostic-manager.cc: Likewise.
            * engine.cc: Likewise.
            (exploded_node::detect_leaks): Pass null region_id to pop_frame.
            * program-point.cc: Include "bitmap.h".
            * program-state.cc: Likewise.
            * region-model.cc (id_set<region_id>::id_set): Convert to...
            (region_id_set::region_id_set): ...this.
            (svalue_id_set::svalue_id_set): New ctor.
            (region_model::copy_region): New function.
            (region_model::copy_struct_region): New function.
            (region_model::copy_union_region): New function.
            (region_model::copy_array_region): New function.
            (stack_region::pop_frame): Drop return value.  Add
            "result_dst_rid" param; if it is non-null, use copy_region to copy
            the result to it.  Rather than capture and pass a single "known
            used" return value to be used by purge_unused_values, instead
            gather and pass a set of known used return values.
            (root_region::pop_frame): Drop return value.  Add "result_dst_rid"
            param.
            (region_model::on_assignment): Use copy_region.
            (region_model::on_return): Likewise for the result.
            (region_model::on_longjmp): Pass null for pop_frame's
            result_dst_rid.
            (region_model::update_for_return_superedge): Pass the region for
the
            return value of the call, if any, to pop_frame, rather than setting
            the lvalue for the lhs of the result.
            (region_model::pop_frame): Drop return value.  Add
            "result_dst_rid" param.
            (region_model::purge_unused_svalues): Convert third param from an
            svalue_id * to an svalue_id_set *, updating the initial populating
            of the "used" bitmap accordingly.  Don't remap it when done.
            (struct selftest::coord_test): New selftest fixture, extracted
from...
            (selftest::test_dump_2): ...here.
            (selftest::test_compound_assignment): New selftest.
            (selftest::test_stack_frames): Pass null to new param of pop_frame.
            (selftest::analyzer_region_model_cc_tests): Call the new selftest.
            * region-model.h (class id_set): Delete template.
            (class region_id_set): Reimplement, using old id_set
implementation.
            (class svalue_id_set): Likewise.  Convert from auto_sbitmap to
            auto_bitmap.
            (region::get_active_view): New accessor.
            (stack_region::pop_frame): Drop return value.  Add
            "result_dst_rid" param.
            (root_region::pop_frame): Likewise.
            (region_model::pop_frame): Likewise.
            (region_model::copy_region): New decl.
            (region_model::purge_unused_svalues): Convert third param from an
            svalue_id * to an svalue_id_set *.
            (region_model::copy_struct_region): New decl.
            (region_model::copy_union_region): New decl.
            (region_model::copy_array_region): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/94378
            * gcc.dg/analyzer/compound-assignment-1.c: New test.
            * gcc.dg/analyzer/compound-assignment-2.c: New test.
            * gcc.dg/analyzer/compound-assignment-3.c: New test.

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for reporting this.  Should be fixed by above commit.

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[simon.marchi at polymtl dot ca]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

--- Comment #3 from Simon Marchi <simon.marchi at polymtl dot ca> ---
Thanks, I confirm that issue with the snippet I posted is fixed.

It didn't fix the original issue that lead be to making this minimal
reproducer, so I guess I'll have to go back and make another reproducer.  In
the mean time, in case you want to take a look, what I believe to be a false
positive is triggered when building this project:

  https://github.com/efficios/argpar

It's not a minimal reproducer, but it's not big either and it's easy to build /
has no external dependency.  There's the chance that there is actually a leak,
but I've looked at the analyzer report over and over and I don't see anything
wrong.

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Can you attach the analyzer report please?

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[simon.marchi at polymtl dot ca]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

--- Comment #5 from Simon Marchi <simon.marchi at polymtl dot ca> ---
Created attachment 48165
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48165&action=edit
Analyzer report for argpar

Here it is.

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks Simon.  The second diagnostic definitely looks like a false positive; am
not sure about the first.  Please can you file a separate bug about this.

[Bug analyzer/94378] -Wanalyzer-malloc-leak false positive when returning a struct by value holding a heap-allocated pointer

[simon.marchi at polymtl dot ca]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378

--- Comment #7 from Simon Marchi <simon.marchi at polymtl dot ca> ---
(In reply to David Malcolm from comment #6)
> Thanks Simon.  The second diagnostic definitely looks like a false positive;
> am not sure about the first.  Please can you file a separate bug about this.

I filed a bug with a minimal reproducer for the second report:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458