https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118585
Bug ID: 118585
Summary: no diagnostics with [[gnu::malloc(free)]] and p++ if a function takes the pointer
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: alx at kernel dot org
Target Milestone: ---
The following example shows the false negative. It doesn't trigger a
diagnostic with either the system malloc(3) or my own my_malloc(), but it should
trigger on both.
The problem with the code is that I'm free(3)ing p+1 instead of p.
alx@devuan:~/tmp/gcc$ cat foo.c
#include <stdlib.h>

[[gnu::malloc(free)]] void *my_malloc(size_t);
int foo(void *);

void
f(void)
{
    int *p;

    p = my_malloc(100);
    if (foo(p))
        p++;
    free(p);
}

void
g(void)
{
    int *p;

    p = malloc(200);
    if (foo(p))
        p++;
    free(p);
}
alx@devuan:~/tmp/gcc$ gcc-15 -Wall -Wextra -O3 -fanalyzer -S foo.c
alx@devuan:~/tmp/gcc$
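The defect the report demonstrates, an owning pointer that is advanced and then passed to free(), can be caught at runtime when the static analyzer stays silent. The following is an added example, not code from the bug report or from GCC: a small debug allocator (checked_malloc/checked_free, constructed names) records the base address of every live allocation and refuses to free anything else, and f_buggy()/f_fixed() mirror the report's f() with the opaque foo() modelled, as an assumption, as "first element is nonzero". f_fixed() shows the corrected shape: the owning pointer never moves, only a separate cursor does.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Debug allocator constructed for this example: keeps the base pointer of
   each live allocation so a free() of an interior pointer is detected. */
#define MAX_LIVE 64

static void *live[MAX_LIVE];   /* base pointers of live allocations */
static size_t n_live;

void *checked_malloc(size_t size)
{
    if (n_live == MAX_LIVE)
        return NULL;           /* registry full: refuse rather than lose track */
    void *p = malloc(size);
    if (p != NULL)
        live[n_live++] = p;
    return p;
}

/* Frees and returns 0 when ptr is the base of a live allocation (or NULL);
   returns -1 and frees nothing otherwise, which is exactly the free(p+1) case. */
int checked_free(void *ptr)
{
    if (ptr == NULL)
        return 0;              /* free(NULL) is a no-op */
    for (size_t i = 0; i < n_live; i++) {
        if (live[i] == ptr) {
            live[i] = live[--n_live];   /* swap-remove from the registry */
            free(ptr);
            return 0;
        }
    }
    return -1;
}

size_t checked_live_count(void)
{
    return n_live;
}

/* Assumed model of the report's opaque foo(): true when the first int is nonzero. */
static int foo(void *p)
{
    return *(int *)p != 0;
}

/* Same shape as the report's f(): the only handle is advanced and then freed.
   Returns checked_free()'s verdict: -1 when foo() made p move, else 0. */
int f_buggy(int first)
{
    int *base = checked_malloc(100);
    if (base == NULL)
        return -2;
    int *p = base;
    p[0] = first;
    if (foo(p))
        p++;
    int rc = checked_free(p);  /* -1 here is the bug the analyzer missed */
    if (rc != 0)
        checked_free(base);    /* release the allocation so the demo does not leak */
    return rc;
}

/* Corrected shape: base owns the memory and is the only thing ever freed;
   cur is the cursor that may be advanced. Always returns 0. */
int f_fixed(int first)
{
    int *base = checked_malloc(100);
    if (base == NULL)
        return -2;
    int *cur = base;
    cur[0] = first;
    if (foo(cur))
        cur++;
    return checked_free(base);
}

int main(void)
{
    printf("f_buggy(0) = %d\n", f_buggy(0));   /* 0: p never moved */
    printf("f_buggy(1) = %d\n", f_buggy(1));   /* -1: free of p+1 refused */
    printf("f_fixed(1) = %d\n", f_fixed(1));   /* 0: base is freed */
    printf("live allocations: %zu\n", checked_live_count());
    return 0;
}
```

checked_free() rejects the interior pointer instead of handing it to the real free(), so the mismatch is reported as a return value rather than as heap corruption; the ownership split in f_fixed() is the pattern that removes the class of bug regardless of whether the analyzer diagnoses it.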