With the latest gnulib version: commit d6a07b4dc21b3118727743142c678858df442853 (origin/master, origin/HEAD) Author: Simon Marchi <simon.mar...@efficios.com> Date: Fri Apr 29 01:47:55 2022 +0200
While compiling "groff" (for example, while creating "grodvi") with the gcc-11.3 options "-fanalyzer -Wanalyzer-mismatching-deallocation", the following warnings were issued: In function 'vasnprintf': ../lib/vasnprintf.c:5849:7: warning: 'free' of 'result_334' which points to memory not on the heap [CWE-590] [-Wanalyzer-free-of-non-heap] 5849 | free (result); ... and ../lib/vasnprintf.c:5855:5: warning: leak of 'result_20' [CWE-401] [-Wanalyzer-malloc-leak] 5855 | return NULL; ... The major part of the output was: AR lib/libgnu.a CXXLD grodvi In function 'vasnprintf': ../lib/vasnprintf.c:5849:7: warning: 'free' of 'result_334' which points to memory not on the heap [CWE-590] [-Wanalyzer-free-of-non-heap] 5849 | free (result); | ^ 'rpl_fprintf': events 1-2 | |../lib/fprintf.c:36:1: | 36 | fprintf (FILE *fp, const char *format, ...) | | ^ | | | | | (1) entry to 'rpl_fprintf' |...... | 45 | output = vasnprintf (buf, &lenbuf, format, args); | | ~ | | | | | (2) calling 'vasnprintf' from 'rpl_fprintf' | +--> 'vasnprintf': events 3-4 | |../lib/vasnprintf.c:1858:1: | 1858 | VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, | | ^ | | | | | (3) entry to 'vasnprintf' |...... | 1864 | if (PRINTF_PARSE (format, &d, &a) < 0) | | ~ | | | | | (4) calling 'printf_parse' from 'vasnprintf' | +--> 'printf_parse': events 5-6 | |../lib/printf-parse.c:74:1: | 74 | PRINTF_PARSE (const CHAR_T *format, DIRECTIVES *d, arguments *a) | | ^ | | | | | (5) entry to 'printf_parse' |...... | 128 | if (c == '%') | | ~ | | | | | (6) following 'false' branch... | 'printf_parse': event 7 | |lto1: | (7): ...to here | <------+ | 'vasnprintf': events 8-11 | |../lib/vasnprintf.c:1864:7: | 1864 | if (PRINTF_PARSE (format, &d, &a) < 0) | | ~^ | | || | | |(8) returning to 'vasnprintf' from 'printf_parse' | | (9) following 'false' branch... |...... 
| 1875 | if (PRINTF_FETCHARGS (args, &a) < 0) | | ~ ~ | | | | | | | (11) calling 'printf_fetchargs' from 'vasnprintf' | | (10) ...to here | +--> 'printf_fetchargs': events 12-13 | |../lib/printf-args.c:36:1: | 36 | PRINTF_FETCHARGS (va_list args, arguments *a) | | ^ | | | | | (12) entry to 'printf_fetchargs' |...... | 41 | for (i = 0, ap = &a->arg[0]; i < a->count; i++, ap++) | | ~ | | | | | (13) following 'false' branch... | 'printf_fetchargs': event 14 | |lto1: | (14): ...to here | <------+ | 'vasnprintf': events 15-17 | |../lib/vasnprintf.c:1875:7: | 1875 | if (PRINTF_FETCHARGS (args, &a) < 0) | | ~^ | | || | | |(15) returning to 'vasnprintf' from 'printf_fetchargs' | | (16) following 'false' branch... |...... | 1883 | size_t buf_neededlength; | | ~ | | | | | (17) ...to here | 'vasnprintf': events 18-19 | |../lib/xsize.h:66:30: | 66 | return (sum >= size1 ? sum : SIZE_MAX); | | ^ | | | | | (18) following 'true' branch... |...... | 80 | return xsum (xsum (xsum (size1, size2), size3), size4); | | ~ | | | | | (19) ...to here | 'vasnprintf': events 20-30 | |../lib/vasnprintf.c:1899:8: | 1899 | if (buf_neededlength < 4000 / sizeof (TCHAR_T)) | | ^ | | | | | (20) following 'true' branch (when 'sum_708 <= 3999')... | 1900 | { | 1901 | buf = (TCHAR_T *) alloca (buf_neededlength * sizeof (TCHAR_T)); | | ~ | | | | | (21) ...to here |...... | 1916 | if (resultbuf != NULL) | | ~ | | | | | (22) following 'true' branch (when 'resultbuf_441(D)' is non-NULL)... | 1917 | { | 1918 | result = resultbuf; | | ~ | | | | | (23) ...to here |...... | 1960 | if (cp != dp->dir_start) | | ~ | | | | | (24) following 'true' branch... | 1961 | { | 1962 | size_t n = dp->dir_start - cp; | | ~ | | | | | (25) ...to here |...... | 1965 | ENSURE_ALLOCATION (augmented_length); | | ~ | | | | | (26) following 'true' branch... | | (27) ...to here |...... | 5848 | if (!(result == resultbuf || result == NULL)) | | ~ | | | | | (28) following 'true' branch... 
| 5849 | free (result); | | ~ | | | | | (29) ...to here | | (30) call to 'free' here | ../lib/vasnprintf.c:5855:5: warning: leak of 'result_20' [CWE-401] [-Wanalyzer-malloc-leak] 5855 | return NULL; | ^ 'vasnprintf': events 1-2 | | 1858 | VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, | | ^ | | | | | (1) entry to 'vasnprintf' |...... | 1864 | if (PRINTF_PARSE (format, &d, &a) < 0) | | ~ | | | | | (2) calling 'printf_parse' from 'vasnprintf' | +--> 'printf_parse': events 3-4 | |../lib/printf-parse.c:74:1: | 74 | PRINTF_PARSE (const CHAR_T *format, DIRECTIVES *d, arguments *a) | | ^ | | | | | (3) entry to 'printf_parse' |...... | 128 | if (c == '%') | | ~ | | | | | (4) following 'false' branch... | 'printf_parse': event 5 | |lto1: | (5): ...to here | <------+ | 'vasnprintf': events 6-9 | |../lib/vasnprintf.c:1864:7: | 1864 | if (PRINTF_PARSE (format, &d, &a) < 0) | | ~^ | | || | | |(6) returning to 'vasnprintf' from 'printf_parse' | | (7) following 'false' branch... |...... | 1875 | if (PRINTF_FETCHARGS (args, &a) < 0) | | ~ ~ | | | | | | | (9) calling 'printf_fetchargs' from 'vasnprintf' | | (8) ...to here | +--> 'printf_fetchargs': events 10-11 | |../lib/printf-args.c:36:1: | 36 | PRINTF_FETCHARGS (va_list args, arguments *a) | | ^ | | | | | (10) entry to 'printf_fetchargs' |...... | 41 | for (i = 0, ap = &a->arg[0]; i < a->count; i++, ap++) | | ~ | | | | | (11) following 'false' branch... | 'printf_fetchargs': event 12 | |lto1: | (12): ...to here | <------+ | 'vasnprintf': events 13-15 | |../lib/vasnprintf.c:1875:7: | 1875 | if (PRINTF_FETCHARGS (args, &a) < 0) | | ~^ | | || | | |(13) returning to 'vasnprintf' from 'printf_fetchargs' | | (14) following 'false' branch... |...... | 1883 | size_t buf_neededlength; | | ~ | | | | | (15) ...to here | 'vasnprintf': events 16-17 | |../lib/xsize.h:66:30: | 66 | return (sum >= size1 ? sum : SIZE_MAX); | | ^ | | | | | (16) following 'true' branch... |...... 
| 80 | return xsum (xsum (xsum (size1, size2), size3), size4); | | ~ | | | | | (17) ...to here | 'vasnprintf': events 18-23 | |../lib/vasnprintf.c:1899:8: | 1899 | if (buf_neededlength < 4000 / sizeof (TCHAR_T)) | | ^ | | | | | (18) following 'true' branch (when 'sum_708 <= 3999')... | 1900 | { | 1901 | buf = (TCHAR_T *) alloca (buf_neededlength * sizeof (TCHAR_T)); | | ~ | | | | | (19) ...to here |...... | 1916 | if (resultbuf != NULL) | | ~ | | | | | (20) following 'true' branch (when 'resultbuf_441(D)' is non-NULL)... | 1917 | { | 1918 | result = resultbuf; | | ~ | | | | | (21) ...to here |...... | 1960 | if (cp != dp->dir_start) | | ~ | | | | | (22) following 'true' branch... | 1961 | { | 1962 | size_t n = dp->dir_start - cp; | | ~ | | | | | (23) ...to here | 'vasnprintf': event 24 | |../lib/xsize.h:66:30: | 66 | return (sum >= size1 ? sum : SIZE_MAX); | | ^ | | | | | (24) following 'true' branch (when 'length_348 <= sum_710')... | 'vasnprintf': events 25-46 | |../lib/vasnprintf.c:1963:39: | 1963 | size_t augmented_length = xsum (length, n); | | ^ | | | | | (25) ...to here | 1964 | | 1965 | ENSURE_ALLOCATION (augmented_length); | | ~ | | | | | (26) following 'true' branch... | | (27) ...to here | | (28) following 'false' branch... | | (29) ...to here | | (30) following 'true' branch... | | (31) ...to here | | (32) allocated here | | (33) assuming 'memory_351' is non-NULL | | (34) following 'false' branch... | | (35) ...to here |...... | 1981 | if (i == d.count) | | ~ | | | | | (36) following 'true' branch... |...... | 5813 | ENSURE_ALLOCATION (xsum (length, 1)); | | ~ | | | | | (37) ...to here | | (38) following 'true' branch... | | (39) ...to here |...... | 5848 | if (!(result == resultbuf || result == NULL)) | | ~ | | | | | (40) following 'false' branch... | 5849 | free (result); | 5850 | if (buf_malloced != NULL) | | ~ ~ | | | | | | | (42) following 'false' branch (when 'buf_malloced_79' is NULL)... 
| | (41) ...to here | 5851 | free (buf_malloced); | 5852 | out_of_memory_1: | | ~ | | | | | (43) ...to here | 5853 | CLEANUP (); | | ~ ~ | | | | | | | (45) ...to here | | (44) following 'false' branch... | 5854 | errno = ENOMEM; | 5855 | return NULL; | | ~ | | | | | (46) 'result_20' leaks here; was allocated at (32) | -- Bjarni I. Gislason