public inbox for gcc-bugs@sourceware.org
From: "eggert at cs dot ucla.edu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer
Date: Fri, 19 Jun 2020 00:55:53 +0000
Message-ID: <bug-94458-4-uTN6C3ArKQ@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-94458-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eggert at cs dot ucla.edu

--- Comment #2 from eggert at cs dot ucla.edu ---
I ran into what appear to be several instances of this bug when compiling GNU
coreutils. My instances didn't necessarily involve two allocations; one
sufficed. Here is a stripped-down version of the first instance:

void *malloc (unsigned long);

struct hash_table;
void *hash_insert (struct hash_table *, const void *);

struct di_ent
{
  unsigned long dev;
  struct hash_table *ino_set;
};
struct di_set
{
  struct hash_table *dev_map;
  struct di_ent *probe;
};

void
map_device (struct di_set *dis, unsigned long dev)
{
  struct di_ent *probe = dis->probe;
  if (probe)
    {
      if (probe->dev == dev)
        return;
    }
  else
    {
      probe = malloc (sizeof *probe);
      if (!probe)
        return;
      dis->probe = probe;
    }
  probe->dev = dev;
  struct di_ent *ent = hash_insert (dis->dev_map, probe);
  if (ent == probe)
    dis->probe = 0;
}



in the file t3.i, and here is the incorrect output when I compiled with 'gcc
-fanalyzer -S t3.i':

In function 'map_device':
t3.i:36:16: warning: leak of 'probe' [CWE-401] [-Wanalyzer-malloc-leak]
   36 |     dis->probe = 0;
      |     ~~~~~~~~~~~^~~
  'map_device': events 1-9
    |
    |   21 |   if (probe)
    |      |      ^
    |      |      |
    |      |      (1) following 'false' branch (when 'probe' is NULL)...
    |......
    |   28 |       probe = malloc (sizeof *probe);
    |      |               ~~~~~~~~~~~~~~~~~~~~~~
    |      |               |
    |      |               (2) ...to here
    |      |               (3) allocated here
    |   29 |       if (!probe)
    |      |          ~
    |      |          |
    |      |          (4) assuming 'probe' is non-NULL
    |      |          (5) following 'false' branch (when 'probe' is non-NULL)...
    |   30 |  return;
    |   31 |       dis->probe = probe;
    |      |       ~~~~~~~~~~~~~~~~~~
    |      |                  |
    |      |                  (6) ...to here
    |......
    |   35 |   if (ent == probe)
    |      |      ~
    |      |      |
    |      |      (7) following 'true' branch (when 'ent == probe')...
    |   36 |     dis->probe = 0;
    |      |     ~~~~~~~~~~~~~~
    |      |                |
    |      |                (8) ...to here
    |      |                (9) 'probe' leaks here; was allocated at (3)
    |
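
A harness for triaging the warning above, added here as an example and not part of the original message: it runs the reported map_device against a constructed hash_table and checks who holds the allocation on each path. The hash_insert contract is an assumption (return the stored entry with the same dev, otherwise store and return the new entry), and check_ownership is a hypothetical helper name.

```c
#include <stdlib.h>
/* Constructed stand-in for the report's opaque table: keeps each new entry. */
struct hash_table { const struct di_ent *slot[8]; int used; };
struct di_ent { unsigned long dev; struct hash_table *ino_set; };
struct di_set { struct hash_table *dev_map; struct di_ent *probe; };
/* Assumed contract: return the stored entry with the same dev if there is
   one, otherwise store 'entry' and return it; NULL when the table is full. */
void *hash_insert(struct hash_table *t, const void *entry)
{
    const struct di_ent *e = entry;
    for (int i = 0; i < t->used; i++)
        if (t->slot[i]->dev == e->dev)
            return (void *)t->slot[i];
    if (t->used == 8)
        return NULL;
    t->slot[t->used++] = e;
    return (void *)e;
}
/* map_device as posted in the report. */
void map_device(struct di_set *dis, unsigned long dev)
{
    struct di_ent *probe = dis->probe;
    if (probe) {
        if (probe->dev == dev)
            return;
    } else {
        probe = malloc(sizeof *probe);
        if (!probe)
            return;
        dis->probe = probe;
    }
    probe->dev = dev;
    struct di_ent *ent = hash_insert(dis->dev_map, probe);
    if (ent == probe)
        dis->probe = 0;
}
/* Returns 3 when both outcomes hold (bit 0: table owns, bit 1: dis->probe owns). */
int check_ownership(void)
{
    struct hash_table table = {0};
    struct di_set dis = { &table, NULL };
    map_device(&dis, 42);   /* path of events (1)-(9) in the warning */
    int r = (dis.probe == NULL && table.used == 1 && table.slot[0]->dev == 42);
    map_device(&dis, 42);   /* duplicate dev: ent != probe, probe stays cached */
    r |= (dis.probe != NULL && dis.probe != table.slot[0] && table.used == 1) << 1;
    free(dis.probe);
    free((void *)table.slot[0]);
    return r;
}
```

Under that assumed contract the allocation flagged at event (9) is still reachable through the table when dis->probe is cleared, which is the situation the analyzer reports as a leak.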
