https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97258

            Bug ID: 97258
           Summary: -fanalyzer fails to analyze static callbacks
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

If a function is "static" we only look inside it if it gets directly called by
a non-static function in the TU; we don't consider callbacks that get
registered and perhaps called at some later point via machinery that isn't in
the TU.

In the following, -fanalyzer doesn't attempt to look inside callback_1, and
fails to report the obvious double-free.

Perhaps we should have logic to determine if the function escapes and inject an
entrypoint into the worklist that way.  Or perhaps we should simply analyze
static functions at the "top level" of the worklist.

Seen whilst attempting to detect CVE-2019-19078 with a custom
allocator/deallocator handler for linux "struct urb".

***************************************************************

#include <stdlib.h>

static void callback_1 (void *p)
{
  free (p);
  free (p);   /* double-free that -fanalyzer should report but never sees */
}

struct ops {
  void (*cb) (void *);
};

/* callback_1 escapes only through this table; nothing in the TU calls it */
static const struct ops ops_1 = {
  .cb = callback_1
};

extern void registration (const void *);

void register_1 (void)
{
  registration (&ops_1);
}

***************************************************************
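As an added example (not part of the bug report), the reproducer extended with the workaround the report implies: a non-static function that calls the static callbacks directly, which -fanalyzer does follow. The in-TU registration stub, registry, ops_fixed, registered_count and run_registered are constructed for this example and stand in for the out-of-TU machinery; callback_buggy is the report's callback_1.

```c
#include <stdlib.h>
struct ops { void (*cb) (void *); };

/* The report's callback: the double-free that -fanalyzer misses. */
static void callback_buggy (void *p)
{
  free (p);
  free (p);
}
/* Corrected callback: frees its argument exactly once. */
static void callback_fixed (void *p) { free (p); }

static const struct ops ops_buggy = { .cb = callback_buggy };
static const struct ops ops_fixed = { .cb = callback_fixed };

/* Constructed stand-in for the out-of-TU registration machinery: it only
   records descriptors, so it gives the analyzer no path into a callback. */
static const struct ops *registry[8];
static int registry_len;

int registration (const struct ops *o)
{
  if (registry_len >= 8) return -1;
  registry[registry_len++] = o;
  return 0;
}
int registered_count (void) { return registry_len; }

void register_1 (void)
{
  registration (&ops_buggy);
  registration (&ops_fixed);
}

/* Workaround for the report's limitation: a non-static function that calls
   each static callback directly.  -fanalyzer follows direct calls from visible
   functions, so "gcc -fanalyzer -c" reports -Wanalyzer-double-free here. */
void analyzer_entry_points (void)
{
  callback_buggy (malloc (16));
  callback_fixed (malloc (16));
}

/* Runtime dispatch through the registry; tests use only the fixed slot. */
int run_registered (int idx, void *p)
{
  if (idx < 0 || idx >= registry_len) return -1;
  registry[idx]->cb (p);
  return 0;
}
```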
