From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=voRX=7V=redhat.com=dmalcolm@sourceware.org>
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by sourceware.org (Postfix) with ESMTPS id 63CFE3858D1E
	for <gcc@gcc.gnu.org>; Wed, 29 Mar 2023 13:32:17 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 63CFE3858D1E
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1680096737;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ykb5UnNB4V/lXnVnEdEYudYASs+lIosighI0nmfrzdY=;
	b=OgRS10PrAOHkw+4mRR6/Ye2/LOVJ6A4Lf+hgXxBQrOBUmTQ9a67/9ihjPpb+YHHRHeTKbB
	J1IF3tNqM7mkdpJ+4H3MYnhx9bt8JLZAA5IWTWcBmcnhNSYSWBHdbrNNUASJWmJFH4uKks
	KLg0y2bmJZkrBSrl+M0pG/H/6InRTSY=
Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com
 [209.85.219.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-364-PGDL89LqN7GIzwT1-dFn0Q-1; Wed, 29 Mar 2023 09:32:14 -0400
X-MC-Unique: PGDL89LqN7GIzwT1-dFn0Q-1
Received: by mail-qv1-f72.google.com with SMTP id e1-20020a0cd641000000b005b47df84f6eso6648670qvj.0
        for <gcc@gcc.gnu.org>; Wed, 29 Mar 2023 06:32:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112; t=1680096733;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=ykb5UnNB4V/lXnVnEdEYudYASs+lIosighI0nmfrzdY=;
        b=tImnTGRmZP7kid7CnZcRnP7yUpQFctC6/4SNFHKyfgcs5T8E+DoGRysmKfJ4ljT3Td
         F1rpcRa3C96wqiy0g8Tb31rZIbZTD0gaNmnbSV2hqHnLjbiC5+/t9puTap3f7RCutYHm
         7fajJ/9BUREHTU6MwV7OhLLRfYxImuhORtmwxRRYkquQmuVTVQ1ju98upQaWkkfzRzzc
         QXjEwABoWze8k9ku60LOtbKUafHVsOc2L6GRyZCQW3zf14VdiKiQoyofGj6XkwHM+FSW
         iuVYy0rBmTpIMidtq61uDzRh1zlDpWP/yQKUKK5dtiF/42KPWEqcVcDFchbRGQKoyOua
         zL0Q==
X-Gm-Message-State: AAQBX9d+KdIPFWul+pgpRheGNN9ichNG+6rsy+5RHAfyD4EbkitZ52rP
	64AJZAVuR6de8opuXTxVPQxTJdyAhQF8aKVGWcjJyeYrgA2s/XT9gxGj7s6aPaTV6UXhrgLcX/m
	8MfKT2iQ=
X-Received: by 2002:ad4:5b87:0:b0:5a5:f1eb:fc67 with SMTP id 7-20020ad45b87000000b005a5f1ebfc67mr28406449qvp.52.1680096733646;
        Wed, 29 Mar 2023 06:32:13 -0700 (PDT)
X-Google-Smtp-Source: AKy350Y0bQtXsiZUnK8BzLAAGXUw+EHGelPl9SYJTHF5rdHTlYiZ3ie/iT+71vELAKaZjwyxMog/CQ==
X-Received: by 2002:ad4:5b87:0:b0:5a5:f1eb:fc67 with SMTP id 7-20020ad45b87000000b005a5f1ebfc67mr28406425qvp.52.1680096733411;
        Wed, 29 Mar 2023 06:32:13 -0700 (PDT)
Received: from t14s.localdomain (c-73-69-212-193.hsd1.nh.comcast.net. [73.69.212.193])
        by smtp.gmail.com with ESMTPSA id f13-20020ad442cd000000b005dd8b9345b8sm4616775qvr.80.2023.03.29.06.32.12
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 29 Mar 2023 06:32:12 -0700 (PDT)
Message-ID: <da90d44cb3ca889c0579da25c371a4de0551261c.camel@redhat.com>
Subject: Re: -Wanalyzer-malloc-leak false positives
From: David Malcolm <dmalcolm@redhat.com>
To: Alejandro Colomar <alx.manpages@gmail.com>, GCC <gcc@gcc.gnu.org>
Date: Wed, 29 Mar 2023 09:32:11 -0400
In-Reply-To: <45c0584d-b326-a975-7ebc-cef76e154530@gmail.com>
References: <45c0584d-b326-a975-7ebc-cef76e154530@gmail.com>
User-Agent: Evolution 3.44.4 (3.44.4-1.fc36)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-5.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc.gcc.gnu.org>

On Wed, 2023-03-29 at 15:20 +0200, Alejandro Colomar via Gcc wrote:
> Hi!
>=20
> With both GCC 12.2.0 (Debian), and GCC 13.0.1 20230315 (built from
> source),
> I can reproduce these false positives.
>=20
> The reproducer program is a small program that checks a password
> against a
> hardcoded string, and conditionally prints "validated".=C2=A0 I wrote it
> precisely to demonstrate how [[gnu::malloc(deallocator)]] can be used
> to
> ensure that passwords are not leaked in memory, but I found out that
> it
> fails to detect some conditions.
>=20
> Here's the program (it uses agetpass(), as defined in the shadow
> project):
>=20
> $ cat pass.c=20
> #include <err.h>
> #include <errno.h>
> #include <limits.h>
> #include <readpassphrase.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>=20

[...snip...]

I very briefly tried to reproduce this myself, but I suspect we've got
different headers.

>=20
>=20
> Maybe I'm missing something, but I don't think falanyzer is correct
> here.

Quite possibly.

> Should I report this in bugzilla?

Yes please.  Please can you attach the preprocessed source [1] to the
bug report(s) so that we're looking at the same code.  Ideally also a
link to godbolt.org showing the issue.

Thanks
Dave

[1] you can get this via -E