[cfe-dev] Static analyzer: possible memory leak false positive?

Anna Zaks ganna at apple.com
Fri Sep 28 11:42:27 PDT 2012


Erik,

This is a bug. I opened http://llvm.org/bugs/show_bug.cgi?id=13974

You could use a flag to simplify the code for the analyzer as a workaround:
  unsigned flag = (*argv != NULL);  /* *argv is a char *, so store its truth value, not the pointer */
  // use the flag in conditions instead of *argv.

Anna.
On Sep 28, 2012, at 1:29 AM, Erik Cederstrand <erik at cederstrand.dk> wrote:

> Hi Anna,
> 
> Den 28/09/2012 kl. 08.51 skrev Anna Zaks <ganna at apple.com>:
> 
>> Erik,
>> 
>> The analyzer specifically complains about memory allocated by malloc here:
>> 196			/* just the filesystems specified on the command line */
>> 197			mntbuf = malloc(argc * sizeof(*mntbuf));
>> 
>> So the call to free could be conditioned on the value of "!*argv" as well.
> 
> Thanks for the hint! I tried doing this, but it's still complaining. It seems the analyzer is confused about the value of argv. First, it takes this decision:
> 
> 
> 191		if (!*argv) {
> 2 ← Taking false branch →
> 
> 
> So *argv must be evaluated as True. Then it does this:
> 
> 
> 205		for (; *argv; argv++) {
> 6 ← Loop condition is false. Execution continues on line 280 →
> 
> 
> Now *argv is evaluated as False, right? I can't see that argv is touched along the way.
> 
> 
> Thanks,
> Erik
> 
> 
>> On Sep 27, 2012, at 4:21 AM, Erik Cederstrand wrote:
>> 
>>> Den 14/09/2012 kl. 21.15 skrev Eitan Adler <lists at eitanadler.com>:
>>> 
>>>> On 14 September 2012 13:54, Anna Zaks <ganna at apple.com> wrote:
>>>>> I think it is reasonable to expect the analyzer not to warn in this particular case.
>>>> 
>>>> FWIW, I plan to fix this case. But, it would be nice to differentiate
>>>> the output from a legitimate one.
>>> 
>>> It turns out it was a bit more complicated than this. The memory pointed to by mntbuf is allocated by getmntinfo() from FreeBSD libc (original report: http://scan.freebsd.your.org/freebsd-head/bin.df/2012-09-12-amd64/report-WwB2qk.html#EndPath). The man page for this function says: "The memory allocated by getmntinfo() cannot be free(3)'d by the application." (http://www.freebsd.org/cgi/man.cgi?query=getmntinfo).
>>> 
>>> I believe the reason for this is that the memory is shared between calls: http://fxr.watson.org/fxr/source/gen/getmntinfo.c?v=FREEBSD-LIBC
>>> 
>>> In this specific case, it should be OK to free the memory anyway since malloc'ed memory only lives for the duration of the application, but someone on the FreeBSD list pointed out that an alternative libc implementation might instead implement getmntinfo() with file-backed mmap, in which case we can't free it.
>>> 
>>> I'm uncertain how to proceed here, so I'd like an opinion :-)
>>> 
>>> Thanks,
>>> Erik
>> 
> 

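The df.c control flow under discussion, reduced to a runnable model, as an added example that is neither the thread's nor FreeBSD's own code: `get_mounts()` is a stand-in for getmntinfo() returning library-owned storage that must not be freed, `struct statfs_like` stands in for struct statfs, and the single `have_args` flag (Anna's workaround) keys both the malloc() branch and the matching free().

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct statfs (assumption; only the name is modelled). */
struct statfs_like { char name[32]; };

/* Stand-in for getmntinfo(): hands out library-owned static storage,
 * which, as the man page says for getmntinfo(), the caller must not free(). */
static int get_mounts(struct statfs_like **out)
{
    static struct statfs_like table[3] = { { "/" }, { "/home" }, { "/tmp" } };
    *out = table;
    return 3;
}

/* Mirrors the df.c pattern: with no arguments, use the library's buffer;
 * with arguments, malloc() one slot per argument and fill it from argv.
 * argc is the count of remaining arguments and argv[argc] is NULL, as after
 * option parsing. Returns the number of entries, or -1 if malloc() fails. */
int process_mounts(int argc, char **argv)
{
    struct statfs_like *mntbuf;
    int mntsize;
    /* One flag decides both the allocation and the free(), instead of
     * testing *argv twice, which the analyzer evaluated inconsistently. */
    unsigned have_args = (*argv != NULL);

    if (!have_args) {
        mntsize = get_mounts(&mntbuf);          /* library-owned memory */
    } else {
        /* just the filesystems specified on the command line */
        mntbuf = malloc(argc * sizeof(*mntbuf));
        if (mntbuf == NULL)
            return -1;
        mntsize = 0;
        for (; *argv; argv++) {
            strncpy(mntbuf[mntsize].name, *argv, sizeof(mntbuf[mntsize].name) - 1);
            mntbuf[mntsize].name[sizeof(mntbuf[mntsize].name) - 1] = '\0';
            mntsize++;
        }
    }
    /* ... the real df prints mntbuf[0..mntsize) here ... */
    if (have_args)      /* free only the buffer we allocated ourselves */
        free(mntbuf);
    return mntsize;
}
```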