https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97258
Bug ID: 97258
Summary: -fanalyze fails to analyze static callbacks
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

If a function is "static" we only look inside it if it gets directly called by a non-static function in the TU; we don't consider callbacks that get registered and perhaps called at some later point via machinery that isn't in the TU.

In the following, -fanalyzer doesn't attempt to look inside callback_1, and fails to report the obvious double-free.

Perhaps we should have logic to determine if the function escapes and inject an entrypoint into the worklist that way. Or perhaps we should simply analyze static functions at the "top level" of the worklist.

Seen whilst attempting to detect CVE-2019-19078 with a custom allocator/deallocator handler for linux "struct urb".

***************************************************************
#include <stdlib.h>

static void
callback_1 (void *p)
{
  free (p);
  free (p);
}

struct ops
{
  void (*cb) (void *);
};

static const struct ops ops_1 = { .cb = callback_1 };

extern void registration (const void *);

void
register_1 (void)
{
  registration (&ops_1);
}
***************************************************************