Hi everyone,
I'm still playing around with the analyzer, and wanted to have a look at
loop handling.
I'm using a build from the /trunk/ branch (/20230309/).
Here is my analyzed code:
'''
1| #include <stdlib.h>
2| int main(void) {
3|     void * ptr = malloc(sizeof(int));
4|     for (int i = 0; i < 10; i++) {
5|         if (i == 5) free(ptr);
6|     }
7| }
'''
And here the malloc-sm reports a double-free on line 5, with quite
confusing output:
'''
./test.c: In function ‘main’:
./test.c:5:21: warning: double-‘free’ of ‘ptr’ [CWE-415] [-Wanalyzer-double-free]
    5 |         if (i == 5) free(ptr);
      |                     ^~~~~~~~~
  ‘main’: events 1-13
    |
    |    3 |     void * ptr = malloc(sizeof(int));
    |      |                  ^~~~~~~~~~~~~~~~~~~
    |      |                  |
    |      |                  (1) allocated here
    |    4 |     for (int i = 0; i < 10; i++) {
    |      |                     ~~~~ ~~~
    |      |                     |    |
    |      |                     |    (5) ...to here
    |      |                     (2) following ‘true’ branch (when ‘i <= 9’)...
    |      |                     (6) following ‘true’ branch (when ‘i <= 9’)...
    |      |                     (9) following ‘true’ branch (when ‘i <= 9’)...
    |    5 |         if (i == 5) free(ptr);
    |      |         ~           ~~~~~
    |      |         |           |
    |      |         |           (8) first ‘free’ here
    |      |         |           (12) ...to here
    |      |         |           (13) second ‘free’ here; first ‘free’ was at (8)
    |      |         (3) ...to here
    |      |         (4) following ‘false’ branch (when ‘i != 5’)...
    |      |         (7) ...to here
    |      |         (10) ...to here
    |      |         (11) following ‘true’ branch (when ‘i == 5’)...
    |
'''
So, I'm guessing that this false positive is due to how the analyzer is
handling loops.
Which leads to my question: how are loops handled by the analyzer?
Thanks for your time,
Pierrick
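As an added example (not part of Pierrick's post and not GCC analyzer code), here is the reproducer's loop alongside two variants, with the free wrapped in a small runtime double-free check so each variant can be executed and its real behaviour compared with the static report. The trace above places a second `free` (event 13) on a second pass through `i == 5` (event 11), which the program as written never takes at run time; the `loop_real_double_free` variant shows a loop where that path is genuinely reachable, and `loop_nulled_after_free` shows the usual defensive fix. The `freed_log` structure, `checked_free`, `run_loop` and the function names are this example's own choices, not anything from the post or from GCC.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example: not code from the original post or from GCC's analyzer.
 * Each loop variant returns how many real frees happened, so the program's
 * actual behaviour can be compared with what -fanalyzer reports statically.
 * The freed-pointer log, its size and the function names are this
 * example's own choices (assumptions). */

#define FREED_LOG_SIZE 16

struct freed_log {
    void *ptrs[FREED_LOG_SIZE];
    size_t count;
};

/* Free p once. Returns 1 if free() ran, 0 for p == NULL (free(NULL) is a
 * no-op, C11 7.22.3.3), or -1 if p was already freed. In the -1 case
 * free() is not called again, so the double free is reported instead of
 * executed as undefined behaviour. */
static int checked_free(struct freed_log *log, void *p)
{
    if (p == NULL)
        return 0;
    for (size_t k = 0; k < log->count; k++)
        if (log->ptrs[k] == p)
            return -1;
    if (log->count < FREED_LOG_SIZE)
        log->ptrs[log->count++] = p;
    free(p);
    return 1;
}

/* Shared driver: allocate once, loop i = 0..9, free when cond(i) holds,
 * optionally nulling the pointer afterwards. Returns the number of real
 * frees, -1 on a detected double free, -2 if malloc failed. */
static int run_loop(int (*cond)(int), int null_after_free)
{
    struct freed_log log = { {0}, 0 };
    int frees = 0;
    void *ptr = malloc(sizeof(int));
    if (ptr == NULL)
        return -2;
    for (int i = 0; i < 10; i++) {
        if (cond(i)) {
            int rc = checked_free(&log, ptr);
            if (rc < 0)
                return -1;
            frees += rc;
            if (null_after_free)
                ptr = NULL;
        }
    }
    return frees;
}

static int at_five(int i) { return i == 5; }
static int at_five_or_seven(int i) { return i == 5 || i == 7; }

/* The posted reproducer: the condition is true on exactly one iteration,
 * so there is exactly one free at run time. */
int loop_as_posted(void) { return run_loop(at_five, 0); }

/* What the warning text describes: a condition that holds on two
 * iterations really does free the same pointer twice. */
int loop_real_double_free(void) { return run_loop(at_five_or_seven, 0); }

/* Defensive variant of the buggy loop: null the pointer right after
 * free(), so a second pass through the branch frees NULL and does nothing. */
int loop_nulled_after_free(void) { return run_loop(at_five_or_seven, 1); }

int main(void)
{
    printf("as posted:         %d\n", loop_as_posted());
    printf("real double free:  %d\n", loop_real_double_free());
    printf("nulled after free: %d\n", loop_nulled_after_free());
    return 0;
}
```

Build it with `gcc -fanalyzer -fsanitize=address -g example.c` to see both views side by side: the analyzer's static report, and AddressSanitizer's runtime view (which sees no double free in any variant here, because `checked_free` refuses the second free). Whether `-fanalyzer` warns on the nulled variant is not something this page establishes; the point of nulling after free is that the second `free` becomes `free(NULL)`, which is safe however the loop is modelled.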