Re: -Wanalyzer-malloc-leak false positives

public inbox for gcc@gcc.gnu.org
 help / color / mirror / Atom feed

From: David Malcolm <dmalcolm@redhat.com>
To: Alejandro Colomar <alx.manpages@gmail.com>, GCC <gcc@gcc.gnu.org>
Subject: Re: -Wanalyzer-malloc-leak false positives
Date: Wed, 29 Mar 2023 09:32:11 -0400	[thread overview]
Message-ID: <da90d44cb3ca889c0579da25c371a4de0551261c.camel@redhat.com> (raw)
In-Reply-To: <45c0584d-b326-a975-7ebc-cef76e154530@gmail.com>

On Wed, 2023-03-29 at 15:20 +0200, Alejandro Colomar via Gcc wrote:
> Hi!
> 
> With both GCC 12.2.0 (Debian), and GCC 13.0.1 20230315 (built from
> source),
> I can reproduce these false positives.
> 
> The reproducer program is a small program that checks a password
> against a
> hardcoded string, and conditionally prints "validated".  I wrote it
> precisely to demonstrate how [[gnu::malloc(deallocator)]] can be used
> to
> ensure that passwords are not leaked in memory, but I found out that
> it
> fails to detect some conditions.
> 
> Here's the program (it uses agetpass(), as defined in the shadow
> project):
> 
> $ cat pass.c 
> #include <err.h>
> #include <errno.h>
> #include <limits.h>
> #include <readpassphrase.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> 

[...snip...]

I very briefly tried to reproduce this myself, but I suspect we've got
different headers.

> 
> 
> Maybe I'm missing something, but I don't think falanyzer is correct
> here.

Quite possibly.

> Should I report this in bugzilla?

Yes please.  Please can you attach the preprocessed source [1] to the
bug report(s) so that we're looking at the same code.  Ideally also a
link to godbolt.org showing the issue.

Thanks
Dave

[1] you can get this via -E

next prev parent reply	other threads:[~2023-03-29 13:32 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-29 13:20 Alejandro Colomar
2023-03-29 13:32 ` David Malcolm [this message]
2023-03-29 13:41   ` Alejandro Colomar
2023-03-29 14:04     ` Alejandro Colomar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=da90d44cb3ca889c0579da25c371a4de0551261c.camel@redhat.com \
    --to=dmalcolm@redhat.com \
    --cc=alx.manpages@gmail.com \
    --cc=gcc@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).