https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123077
Bug ID: 123077
Summary: -Wanalyzer-malloc-leak: false positive in sub-function
Product: gcc
Version: 14.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: stefan.tauner at gmx dot at
Target Milestone: ---
Created attachment 63022
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=63022&action=edit
reproducer
The attached program prints the following warning when compiled with "gcc -fanalyzer fanalyzer_tsearch.c". The tsearch(3) function allocates a new node internally, but I presume it does not matter as the message is about the int* explicitly allocated in the code.

Most interestingly, the diagnostics are only printed if the register_new_int() function is used. If its code (including the malloc) is put directly into main(), no warnings are printed. The behavior can easily be switched via the FP #define at the beginning of the file.

The newest version of GCC I could easily test is 14.1. 12.2 shows the same false positive.
fanalyzer_tsearch.c: In function ‘register_new_int’:
fanalyzer_tsearch.c:34:16: warning: leak of ‘intp’ [CWE-401] [-Wanalyzer-malloc-leak]
   34 |         return 1;
      |                ^
  ‘register_new_int’: events 1-5
    |
    |   34 |         return 1;
    |      |                ~
    |      |                |
    |      |                (5) ‘intp’ leaks here; was allocated at (1)
    |......
    |   41 |         int *intp = malloc(sizeof(intp));
    |      |                     ^~~~~~~~~~~~~~~~~~~~
    |      |                     |
    |      |                     (1) allocated here
    |   42 |         if (intp == NULL) {
    |      |                  ~
    |      |                  |
    |      |                  (2) assuming ‘intp’ is non-NULL
    |      |                  (3) following ‘false’ branch (when ‘intp’ is non-NULL)...
    |......
    |   46 |         return register_int(intp, (void **)&tree, compare_tree_nodes);
    |      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                |
    |      |                (4) ...to here
    |
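Added example, written for this page and not the attached reproducer or the reporter's code: the ownership-transfer shape the report describes, malloc() in a helper whose pointer is then stored in a tsearch(3) tree by a second function, plus the lookup and teardown that show where the memory actually ends up. The names register_new_int, register_int, compare_tree_nodes and tree are taken from the diagnostic; their bodies, the return-code convention, lookup_int and free_all_ints are assumptions.

```c
#include <search.h>
#include <stdlib.h>
static void *tree = NULL;   /* root of the tsearch(3) tree; owns the ints */

static int compare_tree_nodes(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Store intp in *root. Returns 0 when the tree now owns intp, 1 when
 * tsearch failed or an equal key already exists (caller still owns intp). */
static int register_int(int *intp, void **root, int (*cmp)(const void *, const void *))
{
    void *node = tsearch(intp, root, cmp);
    return (node == NULL || *(int **)node != intp) ? 1 : 0;
}

/* malloc() in a helper, then hand the pointer to the tree through a second
 * call: the shape of the code the report says the analyzer flags. */
static int register_new_int(int value)
{
    int *intp = malloc(sizeof *intp);
    if (intp == NULL)
        return 1;
    *intp = value;
    if (register_int(intp, &tree, compare_tree_nodes) != 0) {
        free(intp);             /* not stored, so still ours to release */
        return 1;
    }
    return 0;                   /* stored: ownership moved into the tree */
}

static int lookup_int(int value)
{
    return tfind(&value, &tree, compare_tree_nodes) != NULL;
}

/* Free every stored int once by deleting the root until the tree is empty
 * (POSIX tdelete, no GNU-only tdestroy); returns how many were freed. */
static size_t free_all_ints(void)
{
    size_t n = 0;
    while (tree != NULL) {
        int *key = *(int **)tree;   /* root node dereferences to its key */
        tdelete(key, &tree, compare_tree_nodes);
        free(key);
        n++;
    }
    return n;
}
```

Compiling this file with -fanalyzer alongside the attached reproducer is a quick way to compare which call shapes the analyzer accepts as an escape of the pointer and which it reports.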