From: "rjones at redhat dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/99193] New: Bogus "should have been deallocated with 'free' but was deallocated with 'realloc' [CWE-762] [-Werror=analyzer-mismatching-deallocation]"
Date: Mon, 22 Feb 2021 10:01:35 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99193

            Bug ID: 99193
           Summary: Bogus "should have been deallocated with 'free' but was
                    deallocated with 'realloc' [CWE-762]
                    [-Werror=analyzer-mismatching-deallocation]"
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rjones at redhat dot com
  Target Milestone: ---

https://github.com/libguestfs/libguestfs/blob/f19fd566f6387ce7e4d82409528c9dde374d25e0/daemon/command.c#L115

This fails to compile with:

gcc -DHAVE_CONFIG_H -I. -I.. -DCAML_NAME_SPACE -I/usr/lib64/ocaml -I/usr/lib64/ocaml/hivex -I../gnulib/lib -I../gnulib/lib -I../lib -I../lib -I../common/errnostring -I../common/errnostring -I../common/protocol -I../common/protocol -I../common/utils -I../common/utils -fanalyzer -fno-common -Wall -Warith-conversion -Wbad-function-cast -Wcast-align=strict -Wdate-time -Wdisabled-optimization -Wdouble-promotion -Wduplicated-branches -Wduplicated-cond -Wextra -Wformat-signedness -Winit-self -Winvalid-pch -Wlogical-op -Wmissing-declarations -Wmissing-include-dirs -Wmissing-prototypes -Wnested-externs -Wnull-dereference -Wold-style-definition -Wopenmp-simd -Wpointer-arith -Wstrict-overflow -Wstrict-prototypes -Wsuggest-attribute=cold -Wsuggest-attribute=format -Wsuggest-attribute=noreturn -Wsuggest-final-methods -Wsuggest-final-types -Wsync-nand -Wtrampolines -Wuninitialized -Wunknown-pragmas -Wunused-macros -Wvariadic-macros -Wvector-operation-performance -Wwrite-strings -Warray-bounds=2 -Wattribute-alias=2 -Wformat-overflow=2 -Wformat=2 -Wformat-truncation=2 -Wimplicit-fallthrough=5 -Wshift-overflow=2 -Wunused-const-variable=2 -Wno-analyzer-double-free -Wno-analyzer-malloc-leak -Wno-analyzer-null-dereference -Wno-analyzer-use-after-free -Wno-unused-parameter -Wno-missing-field-initializers -fdiagnostics-show-option -Wframe-larger-than=6000 -Wstack-usage=10000 -Wimplicit-fallthrough=4 -Wformat-truncation=1 -Wformat-overflow=1 -Wno-pragmas -Werror -I/usr/include/tirpc -I/usr/include/libxml2 -O2 -g -fPIC -fno-strict-overflow -Wno-strict-overflow -MT guestfsd-command.o -MD -MP -MF .deps/guestfsd-command.Tpo -c -o guestfsd-command.o `test -f 'command.c' || echo './'`command.c
command.c: In function ‘commandrf’:
command.c:136:22: error: ‘argv’ should have been deallocated with ‘free’ but was deallocated with ‘realloc’ [CWE-762] [-Werror=analyzer-mismatching-deallocation]
  136 |     const char **p = realloc (argv, sizeof (char *) * (++i));
      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘commandrf’: events 1-4
    |
    |  125 |   argv = malloc (sizeof (char *) * i);
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated here (expects deallocation with ‘free’)
    |  126 |   if (argv == NULL) {
    |      |      ~
    |      |      |
    |      |      (2) assuming ‘argv’ is non-NULL
    |      |      (3) following ‘false’ branch...
    |......
    |  130 |   argv[0] = (char *) name;
    |      |   ~~~~
    |      |   |
    |      |   (4) ...to here
    |
  ‘commandrf’: events 5-7
    |
    |  135 |   while ((s = va_arg (args, char *)) != NULL) {
    |      |         ^
    |      |         |
    |      |         (5) following ‘true’ branch (when ‘s’ is non-NULL)...
    |  136 |     const char **p = realloc (argv, sizeof (char *) * (++i));
    |      |     ~~~~~            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |                |
    |      |     |                (7) deallocated with ‘realloc’ here; allocation at (1) expects deallocation with ‘free’
    |      |     (6) ...to here
    |
cc1: all warnings being treated as errors
make[1]: *** [Makefile:3261: guestfsd-command.o] Error 1

This error appears to be bogus.  argv has __attribute__((cleanup)) which will
call free(3) on return paths out of the function, such as realloc failing.  If
realloc is successful then the old argv is freed and the new allocation is
assigned to argv.
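
The allocation pattern named in the diagnostic and in the explanation above, reduced to a stand-alone function. This is an added example, not part of the original report and not the libguestfs source: count_args and free_argv_ptr are hypothetical names, and the cleanup handler is an assumed stand-in for whatever the real code attaches to argv. The comments mark which party owns the block on each exit path.

```c
/* Added illustration; count_args and free_argv_ptr are hypothetical names. */
#include <stdarg.h>
#include <stdlib.h>

/* Cleanup handler: receives the address of the variable leaving scope. */
static void free_argv_ptr(void *ptr)
{
    free(*(void **)ptr);
}

/* Collect name plus a NULL-terminated list of strings into a heap array.
 * Returns the number of non-NULL entries, or -1 on allocation failure. */
int count_args(const char *name, ...)
{
    __attribute__((cleanup(free_argv_ptr))) const char **argv = NULL;
    va_list args;
    const char *s;
    size_t i = 2;                        /* name + terminating NULL */

    argv = malloc(sizeof(char *) * i);   /* initial allocation */
    if (argv == NULL)
        return -1;                       /* cleanup runs free(NULL): no-op */
    argv[0] = name;
    argv[1] = NULL;

    va_start(args, name);
    while ((s = va_arg(args, const char *)) != NULL) {
        /* Grow by one slot; argv keeps the old block until realloc succeeds. */
        const char **p = realloc(argv, sizeof(char *) * (++i));
        if (p == NULL) {
            va_end(args);
            return -1;                   /* old block still valid; cleanup frees it once */
        }
        argv = p;                        /* realloc released or reused the old block */
        argv[i - 2] = s;
        argv[i - 1] = NULL;
    }
    va_end(args);

    return (int)(i - 1);                 /* cleanup frees the final block */
}
```

Compiling it with -fanalyzer -Wanalyzer-mismatching-deallocation shows whether a given GCC build reports the same diagnostic on this pattern.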