public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer
@ 2020-04-02 15:46 simon.marchi at polymtl dot ca
2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: simon.marchi at polymtl dot ca @ 2020-04-02 15:46 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458
Bug ID: 94458
Summary: -Wanalyzer-malloc-leak false positive when returning a
heap-allocated struct by value holding a
heap-allocated pointer
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: simon.marchi at polymtl dot ca
Target Milestone: ---
Variation of [1], where the returned struct is heap-allocated, rather than
returned by value.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378
Source:
#include <stdlib.h>
struct ret
{
int **array;
};
struct ret *allocate_stuff(void)
{
struct ret *ret;
ret = calloc(1, sizeof (struct ret));
if (!ret) {
abort();
}
ret->array = calloc (10, sizeof(int *));
if (!ret->array) {
abort();
}
return ret;
}
Analyzer report:
$ /opt/gcc/git/bin/gcc a.c -g3 -O0 -fanalyzer -c -Wall -Werror
a.c: In function ‘allocate_stuff’:
a.c:18:10: error: leak of ‘<unknown>’ [CWE-401] [-Werror=analyzer-malloc-leak]
18 | if (!ret->array) {
| ~~~^~~~~~~
‘allocate_stuff’: events 1-7
|
| 13 | if (!ret) {
| | ^
| | |
| | (1) following ‘false’ branch (when ‘ret’ is non-NULL)...
|......
| 17 | ret->array = calloc (10, sizeof(int *));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) ...to here
| | (3) allocated here
| 18 | if (!ret->array) {
| | ~ ~~~~~~~~~~
| | | |
| | | (7) ‘<unknown>’ leaks here; was allocated at (3)
| | (4) assuming ‘<unknown>’ is non-NULL
| | (5) following ‘false’ branch...
|......
| 22 | return ret;
| | ~~~
| | |
| | (6) ...to here
|
cc1: all warnings being treated as errors
$ /opt/gcc/git/bin/gcc --version
gcc (GCC) 10.0.1 20200401 (experimental)
The analyzer says the memory allocated at (3) is leaked, but it is in fact
pointed by the returned struct.
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca @ 2020-05-08 15:09 ` dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org 2 siblings, 0 replies; 4+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2020-05-08 15:09 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Last reconfirmed| |2020-05-08 Status|UNCONFIRMED |ASSIGNED Ever confirmed|0 |1 --- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Thanks for filing this bug; confirmed. ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org @ 2020-06-19 0:55 ` eggert at cs dot ucla.edu 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org 2 siblings, 0 replies; 4+ messages in thread From: eggert at cs dot ucla.edu @ 2020-06-19 0:55 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 eggert at cs dot ucla.edu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |eggert at cs dot ucla.edu --- Comment #2 from eggert at cs dot ucla.edu --- I ran into what appear to be several instances of this bug when compiling GNU coreutils. My instances didn't necessarily involve two allocations; one sufficed. Here is a stripped-down version of the first instance: void *malloc (unsigned long); struct hash_table; void *hash_insert (struct hash_table *, const void *); struct di_ent { unsigned long dev; struct hash_table *ino_set; }; struct di_set { struct hash_table *dev_map; struct di_ent *probe; }; void map_device (struct di_set *dis, unsigned long dev) { struct di_ent *probe = dis->probe; if (probe) { if (probe->dev == dev) return; } else { probe = malloc (sizeof *probe); if (!probe) return; dis->probe = probe; } probe->dev = dev; struct di_ent *ent = hash_insert (dis->dev_map, probe); if (ent == probe) dis->probe = 0; } in the file t3.i, and here is the incorrect output when I compiled with 'gcc -fanalyzer -S t3.i': In function 'map_device': t3.i:36:16: warning: leak of 'probe' [CWE-401] [-Wanalyzer-malloc-leak] 36 | dis->probe = 0; | ~~~~~~~~~~~^~~ 'map_device': events 1-9 | | 21 | if (probe) | | ^ | | | | | (1) following 'false' branch (when 'probe' is NULL)... |...... | 28 | probe = malloc (sizeof *probe); | | ~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) ...to here | | (3) allocated here | 29 | if (!probe) | | ~ | | | | | (4) assuming 'probe' is non-NULL | | (5) following 'false' branch (when 'probe' is non-NULL)... | 30 | return; | 31 | dis->probe = probe; | | ~~~~~~~~~~~~~~~~~~ | | | | | (6) ...to here |...... | 35 | if (ent == probe) | | ~ | | | | | (7) following 'true' branch (when 'ent == probe')... | 36 | dis->probe = 0; | | ~~~~~~~~~~~~~~ | | | | | (8) ...to here | | (9) 'probe' leaks here; was allocated at (3) | ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu @ 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org 2 siblings, 0 replies; 4+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2020-08-13 20:30 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED --- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> --- The leak false positive should be fixed by g:808f4dfeb3a95f50f15e71148e5c1067f90a126d (for GCC 11). Marking this as fixed. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-08-13 20:30 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).