public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer @ 2020-04-02 15:46 simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org ` (2 more replies) 0 siblings, 3 replies; 4+ messages in thread From: simon.marchi at polymtl dot ca @ 2020-04-02 15:46 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 Bug ID: 94458 Summary: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: simon.marchi at polymtl dot ca Target Milestone: --- Variation of [1], where the returned struct is heap-allocated, rather than returned by value. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94378 Source: #include <stdlib.h> struct ret { int **array; }; struct ret *allocate_stuff(void) { struct ret *ret; ret = calloc(1, sizeof (struct ret)); if (!ret) { abort(); } ret->array = calloc (10, sizeof(int *)); if (!ret->array) { abort(); } return ret; } Analyzer report: $ /opt/gcc/git/bin/gcc a.c -g3 -O0 -fanalyzer -c -Wall -Werror a.c: In function ‘allocate_stuff’: a.c:18:10: error: leak of ‘<unknown>’ [CWE-401] [-Werror=analyzer-malloc-leak] 18 | if (!ret->array) { | ~~~^~~~~~~ ‘allocate_stuff’: events 1-7 | | 13 | if (!ret) { | | ^ | | | | | (1) following ‘false’ branch (when ‘ret’ is non-NULL)... |...... | 17 | ret->array = calloc (10, sizeof(int *)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) ...to here | | (3) allocated here | 18 | if (!ret->array) { | | ~ ~~~~~~~~~~ | | | | | | | (7) ‘<unknown>’ leaks here; was allocated at (3) | | (4) assuming ‘<unknown>’ is non-NULL | | (5) following ‘false’ branch... |...... | 22 | return ret; | | ~~~ | | | | | (6) ...to here | cc1: all warnings being treated as errors $ /opt/gcc/git/bin/gcc --version gcc (GCC) 10.0.1 20200401 (experimental) The analyzer says the memory allocated at (3) is leaked, but it is in fact pointed by the returned struct. ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca @ 2020-05-08 15:09 ` dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org 2 siblings, 0 replies; 4+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2020-05-08 15:09 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Last reconfirmed| |2020-05-08 Status|UNCONFIRMED |ASSIGNED Ever confirmed|0 |1 --- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Thanks for filing this bug; confirmed. ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org @ 2020-06-19 0:55 ` eggert at cs dot ucla.edu 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org 2 siblings, 0 replies; 4+ messages in thread From: eggert at cs dot ucla.edu @ 2020-06-19 0:55 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 eggert at cs dot ucla.edu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |eggert at cs dot ucla.edu --- Comment #2 from eggert at cs dot ucla.edu --- I ran into what appear to be several instances of this bug when compiling GNU coreutils. My instances didn't necessarily involve two allocations; one sufficed. Here is a stripped-down version of the first instance: void *malloc (unsigned long); struct hash_table; void *hash_insert (struct hash_table *, const void *); struct di_ent { unsigned long dev; struct hash_table *ino_set; }; struct di_set { struct hash_table *dev_map; struct di_ent *probe; }; void map_device (struct di_set *dis, unsigned long dev) { struct di_ent *probe = dis->probe; if (probe) { if (probe->dev == dev) return; } else { probe = malloc (sizeof *probe); if (!probe) return; dis->probe = probe; } probe->dev = dev; struct di_ent *ent = hash_insert (dis->dev_map, probe); if (ent == probe) dis->probe = 0; } in the file t3.i, and here is the incorrect output when I compiled with 'gcc -fanalyzer -S t3.i': In function 'map_device': t3.i:36:16: warning: leak of 'probe' [CWE-401] [-Wanalyzer-malloc-leak] 36 | dis->probe = 0; | ~~~~~~~~~~~^~~ 'map_device': events 1-9 | | 21 | if (probe) | | ^ | | | | | (1) following 'false' branch (when 'probe' is NULL)... |...... | 28 | probe = malloc (sizeof *probe); | | ~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) ...to here | | (3) allocated here | 29 | if (!probe) | | ~ | | | | | (4) assuming 'probe' is non-NULL | | (5) following 'false' branch (when 'probe' is non-NULL)... | 30 | return; | 31 | dis->probe = probe; | | ~~~~~~~~~~~~~~~~~~ | | | | | (6) ...to here |...... | 35 | if (ent == probe) | | ~ | | | | | (7) following 'true' branch (when 'ent == probe')... | 36 | dis->probe = 0; | | ~~~~~~~~~~~~~~ | | | | | (8) ...to here | | (9) 'probe' leaks here; was allocated at (3) | ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/94458] -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu @ 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org 2 siblings, 0 replies; 4+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2020-08-13 20:30 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94458 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED --- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> --- The leak false positive should be fixed by g:808f4dfeb3a95f50f15e71148e5c1067f90a126d (for GCC 11). Marking this as fixed. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-08-13 20:30 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-04-02 15:46 [Bug analyzer/94458] New: -Wanalyzer-malloc-leak false positive when returning a heap-allocated struct by value holding a heap-allocated pointer simon.marchi at polymtl dot ca 2020-05-08 15:09 ` [Bug analyzer/94458] " dmalcolm at gcc dot gnu.org 2020-06-19 0:55 ` eggert at cs dot ucla.edu 2020-08-13 20:30 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).