https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115724
Bug ID: 115724
Summary: analyzer does not recognise non-returning error()
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: jamie.bainbridge at gmail dot com
Target Milestone: ---
Created attachment 58546
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=58546&action=edit
minimal reproducer
Reproducer here also: https://godbolt.org/z/zYaanP1aE
Tested on GCC 13, GCC 14, and latest Compiler Explorer trunk of GCC 15.
Attached is a function from a doubly-linked list. The lines of interest are:
------------------------------------------------------------------------------
21 struct list *result = calloc(1, sizeof(*result));
22 if (!result)
23 error(EXIT_FAILURE,errno,"%s:%d %s()",__FILE__,__LINE__,__func__);
24
25 result->destroy = destroy;
------------------------------------------------------------------------------
As you can see, I used error() with EXIT_FAILURE as first argument.
The C standard (since ANSI C) defines that zero or EXIT_SUCCESS mean success,
therefore EXIT_FAILURE must logically be non-zero.
As per the error(3) manual, that call will never return:
------------------------------------------------------------------------------
If status has a nonzero value, then error() calls exit(3) to terminate the
program using the given value as the exit status; otherwise it returns after
printing the error message.
------------------------------------------------------------------------------
However, the analyzer doesn't catch this. It seems to think the call to error()
will return to the program and do a possible NULL pointer dereference on the
next line.
The error from the analyzer is:
------------------------------------------------------------------------------
<source>: In function 'list_create':
<source>:25:25: warning: dereference of NULL 'result' [CWE-476]
[-Wanalyzer-null-dereference]
25 | result->destroy = destroy;
| ~~~~~~~~~~~~~~~~^~~~~~~~~
'list_create': events 1-3
21 | struct list *result = calloc(1, sizeof(*result));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| (1) allocated here
22 | if (!result)
| ~
| |
| (2) assuming 'result' is NULL
| (3) following 'true' branch (when 'result' is NULL)... ─>─┐
| │
'list_create': event 4
| │
|┌─────────────────────────────────────────────────────────────────────┘
23 |│ error(EXIT_FAILURE,errno,"%s:%d
%s()",__FILE__,__LINE__,__func__);
|│ ^~~~~
|│ |
|└──────────────────────────────────>(4) ...to here
'list_create': event 5
25 | result->destroy = destroy;
| ~~~~~~~~~~~~~~~~^~~~~~~~~
| |
| (5) ⚠️ dereference of NULL 'result'
------------------------------------------------------------------------------
Using built-in specs.
COLLECT_GCC=/opt/compiler-explorer/gcc-snapshot/bin/gcc
Target: x86_64-linux-gnu
Configured with: ../gcc-trunk-20240630/configure
--prefix=/opt/compiler-explorer/gcc-build/staging
--enable-libstdcxx-backtrace=yes --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu --disable-bootstrap
--enable-multiarch --with-abi=m64 --with-multilib-list=m32,m64,mx32
--enable-multilib --enable-clocale=gnu
--enable-languages=c,c++,fortran,ada,objc,obj-c++,go,d,rust,m2 --enable-ld=yes
--enable-gold=yes --enable-libstdcxx-debug --enable-libstdcxx-time=yes
--enable-linker-build-id --enable-lto --enable-plugins --enable-threads=posix
--with-pkgversion=Compiler-Explorer-Build-gcc-1bcfed4c52bb2410ea71bf6e4d46026e18461f84-binutils-2.42
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 15.0.0 20240630 (experimental)
(Compiler-Explorer-Build-gcc-1bcfed4c52bb2410ea71bf6e4d46026e18461f84-binutils-2.42)
COLLECT_GCC_OPTIONS='-fdiagnostics-color=always' '-g' '-o' '/app/output.s' '-S'
'-c' '-g3' '-O0' '-std=c11' '-Wall' '-Wextra' '-Wpedantic' '-fanalyzer' '-v'
'-mtune=generic' '-march=x86-64' '-dumpdir' '/app/'
/opt/compiler-explorer/gcc-trunk-20240630/bin/../libexec/gcc/x86_64-linux-gnu/15.0.0/cc1
-quiet -v -imultiarch x86_64-linux-gnu -iprefix
/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/x86_64-linux-gnu/15.0.0/
-dD <source> -quiet -dumpdir /app/ -dumpbase output.c -dumpbase-ext .c
-mtune=generic -march=x86-64 -g -g3 -O0 -Wall -Wextra -Wpedantic -std=c11
-version -fdiagnostics-color=always -fanalyzer -o /app/output.s
GNU C11
(Compiler-Explorer-Build-gcc-1bcfed4c52bb2410ea71bf6e4d46026e18461f84-binutils-2.42)
version 15.0.0 20240630 (experimental) (x86_64-linux-gnu)
compiled by GNU C version 11.4.0, GMP version 6.2.1, MPFR version
4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP
GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
ignoring nonexistent directory
"/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/x86_64-linux-gnu/15.0.0/../../../../x86_64-linux-gnu/include"
ignoring duplicate directory
"/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/../../lib/gcc/x86_64-linux-gnu/15.0.0/include"
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring duplicate directory
"/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/../../lib/gcc/x86_64-linux-gnu/15.0.0/include-fixed/x86_64-linux-gnu"
ignoring duplicate directory
"/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/../../lib/gcc/x86_64-linux-gnu/15.0.0/include-fixed"
ignoring nonexistent directory
"/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/../../lib/gcc/x86_64-linux-gnu/15.0.0/../../../../x86_64-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/x86_64-linux-gnu/15.0.0/include
/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/x86_64-linux-gnu/15.0.0/include-fixed/x86_64-linux-gnu
/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/x86_64-linux-gnu/15.0.0/include-fixed
/usr/local/include
/opt/compiler-explorer/gcc-trunk-20240630/bin/../lib/gcc/../../include
/usr/include/x86_64-linux-gnu
/usr/include
End of search list.
Compiler executable checksum: 4447695849b4e58f4635c547043f0c6c
