
[committed] analyzer: fix false leak seen in Juliet 1.3 [PR102471]

Message ID 20211201232319.3240371-1-dmalcolm@redhat.com

Commit Message

David Malcolm Dec. 1, 2021, 11:23 p.m. UTC
Juliet 1.3's CWE415_Double_Free__malloc_free_*_67a.c
were showing leak false positives in non-LTO builds; fixed thusly.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r12-5701-g860c56b5bc356960a4d0445dadc43ceddbe3c7e2.

gcc/analyzer/ChangeLog:
	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

gcc/testsuite/ChangeLog:
	PR analyzer/102471
	* gcc.dg/analyzer/leak-3.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
 gcc/analyzer/region-model-reachability.cc | 13 +++++++
 gcc/testsuite/gcc.dg/analyzer/leak-3.c    | 41 +++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/leak-3.c

Patch

diff --git a/gcc/analyzer/region-model-reachability.cc b/gcc/analyzer/region-model-reachability.cc
index b5ae787cac9..f82f7e6556d 100644
--- a/gcc/analyzer/region-model-reachability.cc
+++ b/gcc/analyzer/region-model-reachability.cc
@@ -258,6 +258,19 @@  reachable_regions::handle_parm (const svalue *sval, tree param_type)
       const region *pointee_reg = parm_ptr->get_pointee ();
       add (pointee_reg, is_mutable);
     }
+  /* Treat all svalues within a compound_svalue as reachable.  */
+  if (const compound_svalue *compound_sval
+      = sval->dyn_cast_compound_svalue ())
+    {
+      for (compound_svalue::iterator_t iter = compound_sval->begin ();
+	   iter != compound_sval->end (); ++iter)
+	{
+	  const svalue *iter_sval = (*iter).second;
+	  handle_sval (iter_sval);
+	}
+    }
+  if (const svalue *cast = sval->maybe_undo_cast ())
+    handle_sval (cast);
 }
 
 /* Update the store to mark the clusters that were found to be mutable
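Review bot: The second new `if` (the `maybe_undo_cast` case) carries no comment saying why a cast is unwrapped, while the compound case does; I would add `/* A cast of a parm reaches whatever the uncast svalue reaches.  */` above it, and extend the compound comment with the reason, e.g. `/* A struct passed by value lets the callee reach every field, including any pointers it holds.  */`. Minor style: `(*iter).second` reads more naturally as `iter->second`, assuming `compound_svalue::iterator_t` provides `operator->`. Both new branches call `handle_sval` rather than `handle_parm`, so nested elements presumably do not get the `param_type`/pointee-mutability treatment of the enclosing branch; worth confirming that is intended. The signature of `handle_parm` and the start of its body are outside the hunk.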
diff --git a/gcc/testsuite/gcc.dg/analyzer/leak-3.c b/gcc/testsuite/gcc.dg/analyzer/leak-3.c
new file mode 100644
index 00000000000..d11cc03b36f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/leak-3.c
@@ -0,0 +1,41 @@ 
+#include <stdlib.h>
+
+/* Reduced from Juliet 1.3's CWE415_Double_Free__malloc_free_char_67a.c
+   goodG2B which was showing a false leak report in a non-LTO build.  */
+
+struct s1
+{
+    char * structFirst;
+};
+void external_fn_1(struct s1 myStruct);
+void test_1()
+{
+    char * data;
+    struct s1 myStruct;
+    data = (char *)malloc(100*sizeof(char));
+    if (data == NULL)
+      exit(-1);
+    myStruct.structFirst = data;
+    external_fn_1(myStruct);
+} /* { dg-bogus "leak of 'data'" } */
+
+/* As above, but with padding before the field.  */
+
+struct s2
+{
+  void *padding;
+  char *ptr;
+};
+void external_fn_2(struct s2 myStruct);
+void test_2()
+{
+    char * data;
+    struct s2 myStruct;
+    data = (char *)malloc(100*sizeof(char));
+    if (data == NULL)
+      exit(-1);
+    myStruct.padding = NULL;
+    myStruct.ptr = data;
+    external_fn_2(myStruct);
+} /* { dg-bogus "leak of 'data'" } */
+
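Review bot: Both functions only assert the absence of a report (`dg-bogus`), so the test would not notice if the fix over-approximated and the analyzer stopped reporting any pointer stored in a by-value struct; a control where the struct is never passed to an external function should still expect `leak of 'data'`, unless another file in gcc.dg/analyzer already covers it. Something like the case below, with the expected warning anchored on the closing brace as the dg-bogus lines are. Whether the analyzer places the warning on that exact line I cannot confirm from here.
```c
/* Control: the struct never escapes, so the leak is real.  */
void test_3()
{
    char * data;
    struct s1 myStruct;
    data = (char *)malloc(100*sizeof(char));
    if (data == NULL)
      exit(-1);
    myStruct.structFirst = data;
} /* { dg-warning "leak of 'data'" } */
```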