* [Bug c/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
2021-02-22 10:01 [Bug c/99193] New: Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]" rjones at redhat dot com
@ 2021-02-22 10:05 ` rjones at redhat dot com
2021-02-22 10:13 ` rjones at redhat dot com
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: rjones at redhat dot com @ 2021-02-22 10:05 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #1 from Richard W.M. Jones <rjones at redhat dot com> ---
Created attachment 50232
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50232&action=edit
preprocessed source (xz compressed)
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug c/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: rjones at redhat dot com @ 2021-02-22 10:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
Richard W.M. Jones <rjones at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|unknown |11.0
--- Comment #2 from Richard W.M. Jones <rjones at redhat dot com> ---
Version of GCC:
gcc-11.0.0-0.19.fc35.x86_64
* [Bug c/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: rjones at redhat dot com @ 2021-02-22 10:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #3 from Richard W.M. Jones <rjones at redhat dot com> ---
This seems to be the same thing at a different place in the code:
https://github.com/libguestfs/libguestfs/blob/f19fd566f6387ce7e4d82409528c9dde374d25e0/df/main.c#L404
CC virt_df-main.o
main.c: In function 'make_display_name':
main.c:404:11: error: 'ret' should have been deallocated with 'free' but was
deallocated with 'realloc' [CWE-762]
[-Werror=analyzer-mismatching-deallocation]
404 | ret = realloc (ret, len + pluses + 1);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'make_display_name': event 1
|
| 378 | make_display_name (struct drv *drvs)
| | ^~~~~~~~~~~~~~~~~
| | |
| | (1) entry to 'make_display_name'
|
'make_display_name': event 2
|
| 382 | assert (drvs != NULL);
| | ^~~~~~
| | |
| | (2) following 'true' branch (when 'drvs' is non-NULL)...
|
'make_display_name': events 3-4
|
| 385 | if (drvs->next == NULL)
| | ^~ ~
| | | |
| | | (4) following 'false' branch...
| | (3) ...to here
|
'make_display_name': event 5
|
|cc1:
| (5): ...to here
|
'make_display_name': events 6-8
|
| 396 | while (drvs->next != NULL) {
| | ^
| | |
| | (6) following 'true' branch...
| 397 | drvs = drvs->next;
| | ~~~~
| | |
| | (7) ...to here
|......
| 401 | ret = single_drive_display_name (drvs);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (8) calling 'single_drive_display_name' from
'make_display_name'
|
+--> 'single_drive_display_name': event 9
|
| 322 | single_drive_display_name (struct drv *drvs)
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) entry to 'single_drive_display_name'
|
'single_drive_display_name': event 10
|
| 327 | assert (drvs != NULL);
| | ^~~~~~
| | |
| | (10) following 'true' branch (when 'drvs' is non-NULL)...
|
'single_drive_display_name': event 11
|
| 328 | assert (drvs->next == NULL);
| | ^~~~~~
| | |
| | (11) ...to here
|
'single_drive_display_name': event 12
|
| 328 | assert (drvs->next == NULL);
| | ^~~~~~
| | |
| | (12) following 'true' branch...
|
'single_drive_display_name': events 13-19
|
| 330 | switch (drvs->type) {
| | ^~~~~~
| | |
| | (13) ...to here
| | (14) following 'case 1:' branch...
|......
| 342 | case drv_uri:
| | ~~~~
| | |
| | (15) ...to here
| 343 | name = strdup (drvs->uri.orig_uri);
| 344 | if (name == NULL)
| | ~
| | |
| | (16) following 'false' branch (when 'name' is
non-NULL)...
|......
| 349 | p = strrchr (name, '/');
| | ~
| | |
| | (17) ...to here
|......
| 370 | if (!name)
| | ~
| | |
| | (18) following 'false' branch (when 'name' is
non-NULL)...
|......
| 373 | return name;
| | ~~~~~~
| | |
| | (19) ...to here
|
<------+
|
'make_display_name': events 20-21
|
| 401 | ret = single_drive_display_name (drvs);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (20) returning to 'make_display_name' from
'single_drive_display_name'
|......
| 404 | ret = realloc (ret, len + pluses + 1);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (21) deallocated with 'realloc' here
|
cc1: all warnings being treated as errors
* [Bug c/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: rjones at redhat dot com @ 2021-02-22 10:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #4 from Richard W.M. Jones <rjones at redhat dot com> ---
And another:
https://github.com/libguestfs/libguestfs/blob/f19fd566f6387ce7e4d82409528c9dde374d25e0/daemon/debug.c#L115
debug.c: In function 'debug_help':
debug.c:129:9: error: 'r' should have been deallocated with 'free' but was
deallocated with 'realloc' [CWE-762]
[-Werror=analyzer-mismatching-deallocation]
129 | p = realloc (r, len + 1); /* +1 for the final NUL */
| ^~~~~~~~~~~~~~~~~~~~
'debug_help': events 1-4
|
| 120 | r = strdup ("Commands supported:");
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) allocated here (expects deallocation with 'free')
| 121 | if (!r) {
| | ~
| | |
| | (2) assuming 'r' is non-NULL
| | (3) following 'false' branch (when 'r' is non-NULL)...
|......
| 126 | len = strlen (r);
| | ~~~
| | |
| | (4) ...to here
|
'debug_help': events 5-7
|
| 127 | for (i = 0; cmds[i].cmd != NULL; ++i) {
| | ^
| | |
| | (5) following 'true' branch...
| 128 | len += strlen (cmds[i].cmd) + 1; /* space + new command */
| | ~~~
| | |
| | (6) ...to here
| 129 | p = realloc (r, len + 1); /* +1 for the final NUL */
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) deallocated with 'realloc' here; allocation at (1)
expects deallocation with 'free'
|
cc1: all warnings being treated as errors
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: msebor at gcc dot gnu.org @ 2021-02-22 15:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |msebor at gcc dot gnu.org
Assignee|unassigned at gcc dot gnu.org |dmalcolm at gcc dot gnu.org
Component|c |analyzer
--- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> ---
Reassigning to analyzer.
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: dmalcolm at gcc dot gnu.org @ 2021-02-22 22:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2021-02-22
--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this; confirmed. I'm working on a fix.
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: dmalcolm at gcc dot gnu.org @ 2021-02-24 21:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #7 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I'm testing a workaround for this; I've filed bug 99260 to cover other issues
with realloc(3) in the analyzer.
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: cvs-commit at gcc dot gnu.org @ 2021-02-25 0:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:a6baafcac5308be1a5d92c0b2a179495b7a24b52
commit r11-7381-ga6baafcac5308be1a5d92c0b2a179495b7a24b52
Author: David Malcolm <dmalcolm@redhat.com>
Date: Wed Feb 24 19:55:40 2021 -0500
analyzer: fix false positive on realloc [PR99193]
PR analyzer/99193 describes various false positives from
-Wanalyzer-mismatching-deallocation on realloc(3) calls
of the form:
| 31 | void *p = malloc (1024);
| | ^~~~~~~~~~~~~
| | |
| | (1) allocated here (expects deallocation with ‘free’)
| 32 | void *q = realloc (p, 4096);
| | ~~~~~~~~~~~~~~~~~
| | |
| | (2) deallocated with ‘realloc’ here; allocation at (1) expects deallocation with ‘free’
|
The underlying issue is that the analyzer has no knowledge of
realloc(3), and realloc has awkward semantics.
Unfortunately, the analyzer is currently structured so that each call
statement can only have at most one successor state; there is no
way to "bifurcate" the state, or have N-way splits into multiple
outcomes. The existing "on_stmt" code works on a copy of the next
state, updating it in place, rather than copying it and making any
necessary changes. I did this as an optimization to avoid unnecessary
copying of state objects, but it makes it hard to support multiple
outcomes. (ideally our state objects would be immutable and thus
support trivial copying, alternatively, C++11 move semantics may
help here)
I attempted a few approaches to implementing bifurcation within the
existing state-update framework, but they were messy and thus likely
buggy; a proper implementation would rework state-updating to
generate copies, but this would be a major change, and seems too
late for GCC 11.
As a workaround, this patch implements enough of realloc(3) to
suppress the false positives.
This fixes the false positives in PR analyzer/99193.
I've filed PR analyzer/99260 to track "properly" implementing realloc(3).
gcc/analyzer/ChangeLog:
PR analyzer/99193
* region-model-impl-calls.cc (region_model::impl_call_realloc):
New.
* region-model.cc (region_model::on_call_pre): Call it.
* region-model.h (region_model::impl_call_realloc): New decl.
* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
(malloc_state_machine::m_realloc): New field.
(use_after_free::describe_state_change): Add case for
WORDING_REALLOCATED.
(use_after_free::describe_final_event): Likewise.
(malloc_state_machine::malloc_state_machine): Initialize
m_realloc.
(malloc_state_machine::on_stmt): Handle realloc by calling...
(malloc_state_machine::on_realloc_call): New.
gcc/testsuite/ChangeLog:
PR analyzer/99193
* gcc.dg/analyzer/pr99193-1.c: New test.
* gcc.dg/analyzer/pr99193-2.c: New test.
* gcc.dg/analyzer/pr99193-3.c: New test.
* gcc.dg/analyzer/realloc-1.c: New test.
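The commit message above calls the semantics of realloc(3) "awkward" and the thread's own code shows both shapes of the call: `p = realloc (r, ...)` in debug.c keeps the original pointer alive across a failure, while `ret = realloc (ret, ...)` in df/main.c would lose it. The following is an added example, not code from libguestfs or from the GCC patch, that spells out the three outcomes a caller has to handle and mirrors the debug_help() string-building pattern with the failure path kept leak-free. The `realloc_fn` hook and `failing_realloc` stand-in are assumptions of this example (they exist only so the failure path can be exercised without exhausting memory); the sample command list is constructed.

```c
/* Added example (not code from libguestfs or from the GCC patch): the
 * ownership rules of realloc(3).  realloc has three outcomes a caller must
 * handle:
 *   - same pointer returned: nothing moved;
 *   - different non-NULL pointer: the old block was freed, so any saved
 *     copy of the old pointer is now dangling;
 *   - NULL returned: allocation failed and the OLD block is still live, so
 *     `ret = realloc (ret, n)` leaks the only reference to it on failure. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook (an assumption of this example, not an interface used by
 * the code in the report) so the failure path can be tested without
 * exhausting memory. */
typedef void *(*realloc_fn) (void *, size_t);

/* Grow *pp to n bytes.  On failure *pp is left untouched and still owned
 * by the caller; on success the old pointer value must not be used again. */
static int
grow_buffer (char **pp, size_t n, realloc_fn do_realloc)
{
  char *tmp = do_realloc (*pp, n);
  if (tmp == NULL)
    return 0;
  *pp = tmp;
  return 1;
}

/* Stand-in allocator that always fails; used only to exercise the error path. */
static void *
failing_realloc (void *p, size_t n)
{
  (void) p;
  (void) n;
  return NULL;
}

/* Same shape as the debug_help() code quoted in comment #4: strdup a header,
 * total up the final length, realloc once, then append every command.
 * Returns a malloc'd string for the caller to free, or NULL on allocation
 * failure with nothing leaked. */
char *
join_commands (const char *header, const char *const *cmds, size_t ncmds)
{
  char *r = strdup (header);        /* malloc'd: free() and realloc() both apply */
  if (r == NULL)
    return NULL;

  size_t len = strlen (r);
  for (size_t i = 0; i < ncmds; i++)
    len += strlen (cmds[i]) + 1;    /* space + command */

  if (!grow_buffer (&r, len + 1, realloc))   /* +1 for the final NUL */
    {
      free (r);                     /* r is still the block strdup returned */
      return NULL;
    }
  for (size_t i = 0; i < ncmds; i++)
    {
      strcat (r, " ");
      strcat (r, cmds[i]);
    }
  return r;
}

/* Constructed sample: joins three commands and checks the result; 1 on match. */
int
join_demo_matches (void)
{
  const char *const cmds[] = { "help", "ls", "quit" };
  char *s = join_commands ("Commands supported:", cmds, 3);
  if (s == NULL)
    return 0;
  int ok = strcmp (s, "Commands supported: help ls quit") == 0;
  free (s);
  return ok;
}

/* Returns 1 if a failed grow leaves the original buffer intact and freeable. */
int
failure_keeps_original (void)
{
  char *buf = strdup ("keep me");   /* constructed sample input */
  if (buf == NULL)
    return 0;
  int grew = grow_buffer (&buf, 4096, failing_realloc);
  int intact = grew == 0 && strcmp (buf, "keep me") == 0;
  free (buf);                       /* still the block strdup returned */
  return intact;
}

int
main (void)
{
  return (join_demo_matches () && failure_keeps_original ()) ? 0 : 1;
}
```

The temporary-pointer idiom in `grow_buffer` is the part worth copying: it is what makes the NULL outcome recoverable, and it is also the shape a checker can reason about, since the single allocation is either still referenced by `*pp` or has been replaced, never both.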
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: dmalcolm at gcc dot gnu.org @ 2021-02-25 0:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #9 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The false positive should be fixed by the above commit.
As noted above, this is just a workaround, and PR analyzer/99260 tracks
"properly" implementing realloc(3).
Marking this bug as resolved.
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: rjones at redhat dot com @ 2021-02-25 11:20 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #10 from Richard W.M. Jones <rjones at redhat dot com> ---
Great stuff, I'll give this a go when GCC is updated
in Fedora Rawhide.
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: dmalcolm at gcc dot gnu.org @ 2021-02-25 14:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #11 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
BTW, looking at the
#pragma GCC diagnostic ignored "-Wanalyzer-null-argument"
at
https://github.com/libguestfs/libguestfs/blob/f19fd566f6387ce7e4d82409528c9dde374d25e0/df/main.c#L317
I'm guessing that this was due to PR analyzer/99196, due to the:
name = strdup (drvs->uri.orig_uri);
if (name == NULL)
error (EXIT_FAILURE, errno, "strdup");
p = strrchr (name, '/');
where the analyzer didn't "know" that the error call would terminate the
program; so hopefully this is also fixed now.
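Comment #11 points at a second kind of false positive: the analyzer saw `strdup`, a NULL check that calls error(3), and then `strrchr (name, '/')`, and flagged the strrchr argument because it did not know the error call terminates the program, which is what the `#pragma GCC diagnostic ignored "-Wanalyzer-null-argument"` in df/main.c papers over. The example below is added here and is not libguestfs code: it keeps the same strdup/check/strrchr shape but routes the fatal path through a small helper carrying GCC's `noreturn` attribute, so the termination is visible to the compiler and to readers without a pragma that would also hide a genuine NULL argument. The `die` helper, `uri_display_name` and the sample URIs are this example's own constructions.

```c
/* Added example (not libguestfs code): the strdup / NULL-check / strrchr
 * pattern from the report with the fatal-error path made explicit. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fatal-error helper.  The noreturn attribute is what lets -fanalyzer (and a
 * reader) conclude that control never continues past a call to it. */
__attribute__ ((noreturn, format (printf, 1, 2)))
static void
die (const char *fmt, ...)
{
  va_list ap;
  va_start (ap, fmt);
  vfprintf (stderr, fmt, ap);
  va_end (ap);
  fputc ('\n', stderr);
  exit (EXIT_FAILURE);
}

/* Last path component of uri as a fresh malloc'd string the caller frees,
 * e.g. "file:///a/b/disk.img" -> "disk.img"; a URI with nothing after its
 * last '/' is returned unchanged. */
char *
uri_display_name (const char *uri)
{
  char *name = strdup (uri);
  if (name == NULL)
    die ("strdup: %s", strerror (errno));   /* path ends here: no NULL reaches strrchr */

  char *p = strrchr (name, '/');            /* name is known non-NULL on this path */
  if (p != NULL && p[1] != '\0')
    {
      char *base = strdup (p + 1);
      if (base == NULL)
        die ("strdup: %s", strerror (errno));
      free (name);
      name = base;
    }
  return name;
}

/* Check helper: returns 1 if uri_display_name (uri) equals expected. */
int
display_name_equals (const char *uri, const char *expected)
{
  char *got = uri_display_name (uri);
  int ok = strcmp (got, expected) == 0;
  free (got);
  return ok;
}

int
main (void)
{
  /* constructed sample inputs */
  return (display_name_equals ("file:///a/b/disk.img", "disk.img")
          && display_name_equals ("disk.img", "disk.img")
          && display_name_equals ("/dir/", "/dir/")) ? 0 : 1;
}
```

The point of the helper is narrower than it looks: it does not change behaviour, it only states in the declaration what the body already does, which is enough for the analyzer to drop the impossible NULL path and enough to let the pragma go, so that any future real NULL argument in that file is reported again.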
* [Bug analyzer/99193] Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
From: rjones at redhat dot com @ 2021-02-25 14:41 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193
--- Comment #12 from Richard W.M. Jones <rjones at redhat dot com> ---
There are quite a lot of these - I will try removing them
when we get the updated GCC in Fedora.