https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108252

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalc...@gcc.gnu.org>:

https://gcc.gnu.org/g:688fc162b76dc6747a30fcfd470f4770da0f4924

commit r13-5113-g688fc162b76dc6747a30fcfd470f4770da0f4924
Author: David Malcolm <dmalc...@redhat.com>
Date:   Wed Jan 11 16:27:06 2023 -0500

    analyzer: fix leak false positives on "*UNKNOWN = PTR;" [PR108252]

    PR analyzer/108252 reports a false positive from -Wanalyzer-malloc-leak on
    code like this:

      *ptr_ptr = strdup(EXPR);

    where ptr_ptr is an UNKNOWN_VALUE.

    When we handle:
      *UNKNOWN = PTR;
    store::set_value normally marks *PTR as having escaped, and this means
    we don't report PTR as leaking when the last usage of PTR is lost.

    However this only works for cases where PTR is a region_svalue.
    In the example in the bug, it's a conjured_svalue, rather than a
    region_svalue.  A similar problem can arise for FDs, which aren't
    pointers.

    This patch fixes the bug by updating store::set_value to mark any
    values stored via *UNKNOWN = VAL as not leaking.

    Additionally, sm-malloc.cc's known_allocator_p hardcodes strdup and
    strndup as allocators (and thus transitioning their result to
    "unchecked"), but we don't implement known_functions for these, leading
    to the LHS being a CONJURED_SVALUE, rather than a region_svalue to a
    heap-allocated region.  A similar issue happens with functions marked
    with __attribute__((malloc)).  As part of a "belt and braces" fix, the
    patch also updates the handling of these functions, so that they use
    heap-allocated regions.

    gcc/analyzer/ChangeLog:
            PR analyzer/108252
            * kf.cc (class kf_strdup): New.
            (class kf_strndup): New.
            (register_known_functions): Register them.
            * region-model.cc (region_model::on_call_pre): Use
            &HEAP_ALLOCATED_REGION for the default result of an external
            function with the "malloc" attribute, rather than CONJURED_SVALUE.
            (region_model::get_or_create_region_for_heap_alloc): Allow
            "size_in_bytes" to be NULL.
            * store.cc (store::set_value): When handling *UNKNOWN = VAL,
            mark VAL as "maybe bound".

    gcc/testsuite/ChangeLog:
            PR analyzer/108252
            * gcc.dg/analyzer/attr-malloc-pr108252.c: New test.
            * gcc.dg/analyzer/fd-leak-pr108252.c: New test.
            * gcc.dg/analyzer/flex-with-call-summaries.c: Remove xfail from
            warning false +ve directives.
            * gcc.dg/analyzer/pr103217-2.c: Add -Wno-analyzer-too-complex.
            * gcc.dg/analyzer/pr103217-3.c: Likewise.
            * gcc.dg/analyzer/strdup-pr108252.c: New test.
            * gcc.dg/analyzer/strndup-pr108252.c: New test.

    Signed-off-by: David Malcolm <dmalc...@redhat.com>
