From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 48) id 9BCCF386F008; Mon, 1 Feb 2021 15:17:52 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9BCCF386F008
From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/98918] New: Analyzer false positives due to sm-state involving UNKNOWN pointers
Date: Mon, 01 Feb 2021 15:17:52 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 11.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: dmalcolm at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone
Message-ID:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Feb 2021 15:17:52 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98918

            Bug ID: 98918
           Summary: Analyzer false positives due to sm-state involving
                    UNKNOWN pointers
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Reported to me via email:

> gcc -fanalyzer for the sample code below gives false positive results.
> If I remove field ref from struct marker, no problem is reported.
test.c
======
#include <stdlib.h>	/* declares free(); the header name was lost in the archive */

struct marker {
	struct marker *next;
	void *ref;
};

struct data {
	struct marker *marker;
};

void data_free(struct data d)
{
	struct marker *nm, *m;
	m = d.marker;
	while (m) {
		nm = m->next;	/* next pointer is read before the node is freed */
		free(m->ref);
		free(m);
		m = nm;
	}
}

$ gcc test.c -fanalyzer -c
test.c: In function ‘data_free’:
test.c:17:20: warning: use after ‘free’ of ‘m’ [CWE-416] [-Wanalyzer-use-after-free]
   17 |                 nm = m->next;
      |                 ~~~^~~~~~~~~
  ‘data_free’: events 1-18
    |
    |   16 |         while (m) {
    |      |               ^
    |      |               |
    |      |               (1) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (3) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (5) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (7) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (10) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (12) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (14) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (16) following ‘true’ branch (when ‘m’ is non-NULL)...
    |   17 |                 nm = m->next;
    |      |                 ~~~~~~~~~~~~
    |      |                    |
    |      |                    (2) ...to here
    |      |                    (4) ...to here
    |      |                    (6) ...to here
    |      |                    (8) ...to here
    |      |                    (11) ...to here
    |      |                    (13) ...to here
    |      |                    (15) ...to here
    |      |                    (17) ...to here
    |      |                    (18) use after ‘free’ of ‘m’; freed at (9)
    |   18 |                 free(m->ref);
    |   19 |                 free(m);
    |      |                 ~~~~~~~
    |      |                 |
    |      |                 (9) freed here
    |
test.c:18:17: warning: double-‘free’ of ‘*m.ref’ [CWE-415] [-Wanalyzer-double-free]
   18 |                 free(m->ref);
      |                 ^~~~~~~~~~~~
  ‘data_free’: events 1-16
    |
    |   16 |         while (m) {
    |      |               ^
    |      |               |
    |      |               (1) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (3) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (5) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (8) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (10) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (12) following ‘true’ branch (when ‘m’ is non-NULL)...
    |      |               (14) following ‘true’ branch (when ‘m’ is non-NULL)...
    |   17 |                 nm = m->next;
    |      |                 ~~~~~~~~~~~~
    |      |                    |
    |      |                    (2) ...to here
    |      |                    (4) ...to here
    |      |                    (6) ...to here
    |      |                    (9) ...to here
    |      |                    (11) ...to here
    |      |                    (13) ...to here
    |      |                    (15) ...to here
    |   18 |                 free(m->ref);
    |      |                 ~~~~~~~~~~~~
    |      |                 |
    |      |                 (7) first ‘free’ here
    |      |                 (16) second ‘free’ here; first ‘free’ was at (7)
    |
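An added example, not code from the bug report or from GCC, that exercises the same free loop as test.c at run time so the warnings above can be checked against actual behaviour. The names build_list, list_length, data_free_counted and check_roundtrip are mine. It goes slightly beyond the report's data_free: the free routine takes a pointer and clears the list head so a repeated call releases nothing (the usual mitigation against a genuine caller-side double free), and it returns the number of markers released so the traversal can be verified.

```c
/* Added example (not from the bug report or GCC): the linked-list free
 * loop from test.c, plus a counted, idempotent variant and a self-check.
 * build_list, list_length, data_free_counted and check_roundtrip are
 * hypothetical names chosen for this example. */
#include <stddef.h>
#include <stdlib.h>

struct marker {
    struct marker *next;
    void *ref;
};

struct data {
    struct marker *marker;
};

/* Build a list of n markers, each owning its own small heap buffer in ref.
 * Stops early on allocation failure; the partial list is still valid. */
static struct data build_list(size_t n)
{
    struct data d = { NULL };
    struct marker **tail = &d.marker;

    for (size_t i = 0; i < n; i++) {
        struct marker *m = malloc(sizeof *m);
        void *ref = malloc(16);
        if (!m || !ref) {
            free(m);    /* free(NULL) is a no-op, so both are safe */
            free(ref);
            break;
        }
        m->next = NULL;
        m->ref = ref;
        *tail = m;
        tail = &m->next;
    }
    return d;
}

static size_t list_length(const struct data *d)
{
    size_t n = 0;
    for (const struct marker *m = d->marker; m; m = m->next)
        n++;
    return n;
}

/* Same traversal as the report's data_free: the next pointer is saved
 * before free(m), so no freed memory is ever read, and each ref is owned
 * by exactly one marker, so it is freed exactly once.  Two additions:
 * the head is cleared so a second call is a no-op instead of a real
 * double free, and the number of released markers is returned. */
static size_t data_free_counted(struct data *d)
{
    struct marker *nm, *m;
    size_t freed = 0;

    m = d->marker;
    while (m) {
        nm = m->next;     /* read while m is still live */
        free(m->ref);
        free(m);
        m = nm;
        freed++;
    }
    d->marker = NULL;
    return freed;
}

/* Build n markers, free them, free again.  Returns the count released by
 * the first call when everything is consistent (length matched n and the
 * second call released 0), otherwise -1. */
static long check_roundtrip(size_t n)
{
    struct data d = build_list(n);
    if (list_length(&d) != n) {
        data_free_counted(&d);
        return -1;
    }
    size_t first = data_free_counted(&d);
    size_t second = data_free_counted(&d);
    if (first != n || second != 0 || d.marker != NULL)
        return -1;
    return (long)first;
}

int main(void)
{
    return (check_roundtrip(3) == 3 && check_roundtrip(0) == 0) ? 0 : 1;
}
```

Two checks a practitioner would run on this file: `gcc -fanalyzer -c` to see whether the analyzer still reports the loop, and `gcc -fsanitize=address` followed by running the binary, which would flag a real use-after-free or double free at run time and stays silent here because none occurs.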