https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99260

            Bug ID: 99260
           Summary: analyzer does not track outcomes of realloc
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

The analyzer currently has no knowledge of the behavior of "realloc" (leading
e.g. to bug 99193).

For example, it currently fails to issue a warning for the classic
"self-assignment realloc" gotcha, code of the form:
  p = realloc (p, 4096);

e.g.
  void *p = malloc (1024);
  p = realloc (p, 4096);
  free (p);

which ought to be reported as a leak (for the case where the realloc fails,
losing the ptr to the original buffer).

Ideally, the analyzer would track various possible outcomes of realloc:
  - buffer grew successfully in-place
  - buffer was successfully moved to a larger allocation
  - buffer was successfully contracted
  - realloc failed, returning NULL, without freeing existing buffer.
or simply:
  - success: non-NULL is returned
  - failure: NULL is returned, existing buffer is not freed.
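
The two-outcome model above (success returns non-NULL; failure returns NULL and leaves the old block allocated), shown as an added example that is not from the bug report or from GCC: the leaky self-assignment form next to the corrected temporary-pointer form, with an injected failing realloc (a constructed stand-in) so the failure path can actually be exercised.

```c
#include <stdlib.h>

/* Injectable allocator so both outcomes (non-NULL on success, NULL without
   freeing the old block on failure) can be exercised deterministically. */
typedef void *(*realloc_fn)(void *ptr, size_t size);

/* Constructed stand-in for a failing realloc: returns NULL, frees nothing. */
void *failing_realloc(void *ptr, size_t size)
{
    (void)ptr; (void)size;
    return NULL;
}

struct buf { char *data; size_t cap; };

/* The "self-assignment realloc" gotcha.  On failure the only reference to
   the original block is overwritten with NULL, so the block can never be
   freed: a leak on the failure path, which the analyzer should report. */
int buf_grow_leaky(struct buf *b, size_t new_cap, realloc_fn rf)
{
    b->data = rf(b->data, new_cap);
    if (b->data == NULL)
        return -1;          /* original allocation is now unreachable */
    b->cap = new_cap;
    return 0;
}

/* Corrected form: realloc into a temporary.  On failure b->data is still
   the valid original block and remains the caller's to free. */
int buf_grow_safe(struct buf *b, size_t new_cap, realloc_fn rf)
{
    char *tmp = rf(b->data, new_cap);
    if (tmp == NULL)
        return -1;          /* b->data untouched, nothing lost */
    b->data = tmp;
    b->cap = new_cap;
    return 0;
}

/* Drives the failure path and returns 1 if the original block was lost. */
int leaks_on_failure(int (*grow)(struct buf *, size_t, realloc_fn))
{
    struct buf b = { malloc(1024), 1024 };
    if (b.data == NULL)
        return -1;
    char *orig = b.data;
    (void)grow(&b, 4096, failing_realloc);
    int lost = (b.data != orig);
    free(orig);             /* the failing realloc never freed it */
    return lost;
}
```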

Unfortunately, the analyzer is currently structured so that each call
statement can only have at most one successor state; there is no
way to "bifurcate" the state, or have N-way splits into multiple
outcomes.  The existing "on_stmt" code works on a copy of the next
state, updating it in place, rather than copying it and making any
necessary changes.  I did this as an optimization to avoid unnecessary
copying of state objects, but it makes it hard to support multiple
outcomes.  (Ideally our state objects would be immutable and thus
support trivial copying; alternatively, C++11 move semantics may
help here.)
