https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97608
Bug ID: 97608
Summary: -Wanalyzer-malloc-leak false positive when returning p+1 instead of p
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: vincent-gcc at vinc17 dot net
Target Milestone: ---

On the following program tst.c

#include <stdlib.h>

void *f (void)
{
  void *p = malloc (8);
  if (p == NULL)
    abort ();
  return (void *) ((char *) p + 0);
}

void *g (void)
{
  void *p = malloc (8);
  if (p == NULL)
    abort ();
  return (void *) ((char *) p + 1);
}

I get:

cventin:~> gcc -c -fanalyzer tst.c
tst.c: In function ‘g’:
tst.c:16:10: warning: leak of ‘p’ [CWE-401] [-Wanalyzer-malloc-leak]
   16 |   return (void *) ((char *) p + 1);
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~
  ‘g’: events 1-5
    |
    |   13 |   void *p = malloc (8);
    |      |             ^~~~~~~~~~
    |      |             |
    |      |             (1) allocated here
    |   14 |   if (p == NULL)
    |      |      ~
    |      |      |
    |      |      (2) assuming ‘p’ is non-NULL
    |      |      (3) following ‘false’ branch (when ‘p’ is non-NULL)...
    |   15 |     abort ();
    |   16 |   return (void *) ((char *) p + 1);
    |      |          ~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (4) ...to here
    |      |          (5) ‘p’ leaks here; was allocated at (1)
    |

(MPFR has something similar in its talloc-cache.c test in order to test the behavior of memory allocators, implemented in this test program as wrappers around malloc).

Tested with gcc (GCC) 11.0.0 20201028 (experimental), based on commit c25d317cf7d4ea8df0402feb939ce286e5f42988.
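The report's last paragraph mentions allocator wrappers that hand back an interior pointer rather than the block malloc returned. The following is an added example of that pattern, written for this page and not taken from the bug report, from GCC or from MPFR's talloc-cache.c: a small allocator that stores a header in front of each block and returns base + sizeof(header), paired with a free wrapper that recovers the base pointer. The block is still reachable through the returned pointer, so no memory is leaked; this is the kind of code the report says the analyzer, which tracks the base pointer, can misreport. The names hdr_alloc, hdr_free, hdr_size and hdr_roundtrip and the header layout are assumptions made for illustration.

```c
/* Added example (not from the bug report, GCC or MPFR): an allocator
   wrapper that returns a pointer offset past a header, the pattern the
   report says trips -Wanalyzer-malloc-leak.  Names and layout are assumed. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Header kept in front of every block so the matching free wrapper can
   recover the base pointer that malloc actually returned. */
struct hdr {
    size_t size;   /* usable size requested by the caller */
    uint64_t pad;  /* keeps sizeof (struct hdr) a multiple of 8 */
};

/* Returns a pointer into the middle of the malloc'd block (base + header).
   The base remains recoverable from the returned pointer, so the block is
   not leaked even though the analyzer tracks the base pointer, not this one. */
void *hdr_alloc(size_t n)
{
    struct hdr *h = malloc(sizeof(struct hdr) + n);
    if (h == NULL)
        return NULL;
    h->size = n;
    h->pad = 0;
    return (void *)((char *)h + sizeof(struct hdr));
}

/* Recovers the base pointer and frees it; NULL is a no-op like free(). */
void hdr_free(void *q)
{
    if (q == NULL)
        return;
    free((char *)q - sizeof(struct hdr));
}

/* Reads the size recorded at allocation time from the header. */
size_t hdr_size(const void *q)
{
    const struct hdr *h = (const struct hdr *)((const char *)q - sizeof(struct hdr));
    return h->size;
}

/* Round-trip check: allocate n bytes, fill them, confirm the recorded size
   and the last byte, then free through the wrapper.  Returns 1 on success,
   0 on allocation failure or mismatch. */
int hdr_roundtrip(size_t n)
{
    char *q = hdr_alloc(n);
    if (q == NULL)
        return 0;
    memset(q, 0xAB, n);
    int ok = hdr_size(q) == n && (n == 0 || (unsigned char)q[n - 1] == 0xAB);
    hdr_free(q);
    return ok;
}
```

Compiling a wrapper like this with -fanalyzer on a GCC build affected by the report's issue would be the way to confirm whether the warning fires on the interior-pointer return; the pairing of hdr_alloc with hdr_free is what makes the code correct regardless of what the analyzer reports.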