[LLVMbugs] [Bug 16113] New: scan-build memory leak false positive

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Wed May 22 13:35:24 PDT 2013 

http://llvm.org/bugs/show_bug.cgi?id=16113

            Bug ID: 16113
           Summary: scan-build memory leak false positive
           Product: clang
           Version: 3.2
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: nbowler at draconx.ca
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Consider the following C program (key locations marked by comments):

  #include <stdlib.h>
  #include <inttypes.h>

  size_t do_stuff(void **out, unsigned m)
  {
      size_t n;

      if (m >= SIZE_MAX/4) /* (A) */
          return -1;
      n = (size_t)m * 4; /* (X) */

      *out = malloc(n); /* (B) */
      if (!*out) /* (C) */
          return -1;

      return n; /* (Y) */
  }

  int main(int argc, char **argv)
  {
      void *buf;
      size_t n;

      n = do_stuff(&buf, argc);
      if (n == (size_t)-1) /* (D) */
          return EXIT_FAILURE; /* (E) */

      free(buf);
      return EXIT_SUCCESS;
  }

The report produced by scan-build suggests that a memory leak is possible by
the following path:

  1: false branch at (A)
  2: allocate memory at (B)
  3: false branch at (C)
  4: true branch at (D)
  5: memory not freed at (E)

But this is clearly a false positive: taking the false branch at (A) means
that m is less than SIZE_MAX/4, so the result of the multiplication at (X)
must be less than 4*(SIZE_MAX/4).  Thus, n must be less than 4*(SIZE_MAX/4),
which implies that n must be less than SIZE_MAX.  (size_t)-1 is equal to the
maximum representable value of size_t as per C's rules of signed-to-unsigned
conversions, i.e., (size_t)-1 is equal to SIZE_MAX.  Hence, we can conclude
that n is not ever equal to (size_t)-1 at /* (Y) */.

The first 3 steps of this path imply that we got to the return at (Y) in
do_stuff, which we have established returns a value not equal to (size_t)-1.
It is therefore impossible to take the true branch at (D) and thus the
conclusion of the analyzer is incorrect.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20130522/2886cd51/attachment.html>

More information about the llvm-bugs mailing list