public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "eggert at cs dot ucla.edu" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer Date: Fri, 19 Jun 2020 00:55:53 +0000 [thread overview] Message-ID: <bug-94458-4-uTN6C3ArKQ@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-94458-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 eggert at cs dot ucla.edu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |eggert at cs dot ucla.edu --- Comment #2 from eggert at cs dot ucla.edu --- I ran into what appear to be several instances of this bug when compiling GNU coreutils. My instances didn't necessarily involve two allocations; one sufficed. Here is a stripped-down version of the first instance: void *malloc (unsigned long); struct hash_table; void *hash_insert (struct hash_table *, const void *); struct di_ent { unsigned long dev; struct hash_table *ino_set; }; struct di_set { struct hash_table *dev_map; struct di_ent *probe; }; void map_device (struct di_set *dis, unsigned long dev) { struct di_ent *probe = dis->probe; if (probe) { if (probe->dev == dev) return; } else { probe = malloc (sizeof *probe); if (!probe) return; dis->probe = probe; } probe->dev = dev; struct di_ent *ent = hash_insert (dis->dev_map, probe); if (ent == probe) dis->probe = 0; } in the file t3.i, and here is the incorrect output when I compiled with 'gcc -fanalyzer -S t3.i': In function 'map_device': t3.i:36:16: warning: leak of 'probe' [CWE-401] [-Wanalyzer-malloc-leak] 36 | dis->probe = 0; | ~~~~~~~~~~~^~~ 'map_device': events 1-9 | | 21 | if (probe) | | ^ | | | | | (1) following 'false' branch (when 'probe' is NULL)... |...... | 28 | probe = malloc (sizeof *probe); | | ~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) ...to here | | (3) allocated here | 29 | if (!probe) | | ~ | | | | | (4) assuming 'probe' is non-NULL | | (5) following 'false' branch (when 'probe' is non-NULL)... | 30 | return; | 31 | dis->probe = probe; | | ~~~~~~~~~~~~~~~~~~ | | | | | (6) ...to here |...... | 35 | if (ent == probe) | | ~ | | | | | (7) following 'true' branch (when 'ent == probe')... | 36 | dis->probe = 0; | | ~~~~~~~~~~~~~~ | | | | | (8) ...to here | | (9) 'probe' leaks here; was allocated at (3) |
next prev parent reply other threads:[~2020-06-19 0:55 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-04-02 15:46 [Bug analyzer/94458] New: " simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu [this message] 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-94458-4-uTN6C3ArKQ@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).