https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105087
David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-03-28
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug; confirmed.

FWIW it's treating all three of buf, bar, and baz as having the same conjured_svalue (and, surprisingly, from the __builtin_va_end call due to it treating args as having escaped at the vasprintf call).

EN 386:
preds: EN: 378
succs: EN: 396
callstring: [(SN: 17 -> SN: 2 in main)]
before (SN: 15 stmt: 1): free (bar_15);
   48 |     free(bar);
      |     ^~~~~~~~~
rmodel:
stack depth: 2
  frame (index 1): frame: ‘run_test’@2
  frame (index 0): frame: ‘main’@1
clusters within root region
  cluster for: (*INIT_VAL(argv)): CONJURED(__builtin_va_end (&args);, (*INIT_VAL(argv))) (ESCAPED) (TOUCHED)
clusters within frame: ‘main’@1
  cluster for: _3: CONJURED(_3 = run_test ();, _3)
clusters within frame: ‘run_test’@2
  cluster for: bar_15: CONJURED(__builtin_va_end (&args);, resultp)
  cluster for: baz_19: CONJURED(__builtin_va_end (&args);, resultp)
m_called_unknown_fn: TRUE
constraint_manager:
  equiv classes:
  constraints:
malloc: 0x4f72180: CONJURED(__builtin_va_end (&args);, resultp): freed (‘bar_15’)

Looks like I need to "teach" -fanalyzer about vasprintf (and va_start/end, for that matter)
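As an added example (not code from the bug report or from GCC): a small program in the shape of the test the comment refers to, with a variadic helper around vasprintf and two separate results bar and baz that are each freed exactly once. The helper names (fmt_valloc, fmt_alloc, formats_as) are assumptions; the check it performs, that each vasprintf call yields its own distinct heap buffer, is exactly the property the analyzer was conflating.

```c
/* Constructed example: a variadic wrapper around vasprintf. Every
   successful call hands back a fresh heap buffer that is freed once. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes vasprintf in glibc's <stdio.h> */
#endif
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the file builds even when a header was included
   before the feature macro above could take effect. */
int vasprintf(char **strp, const char *fmt, va_list ap);

/* Core: format into a newly allocated string, or return NULL on failure.
   glibc leaves *strp undefined on failure, so normalise it to NULL. */
static char *fmt_valloc(const char *fmt, va_list ap)
{
    char *result = NULL;
    if (vasprintf(&result, fmt, ap) < 0)
        return NULL;
    return result;
}

/* Variadic front end: va_start/va_end bracket the single vasprintf call. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *result = fmt_valloc(fmt, args);
    va_end(args);
    return result;
}

/* Helper for checks: 1 if fmt/args render to `expected`, 0 otherwise. */
static int formats_as(const char *expected, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *s = fmt_valloc(fmt, args);
    va_end(args);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);               /* free(NULL) is a no-op, so this is safe */
    return ok;
}

/* Mirrors the reported test: two separate allocations, each released once.
   Returns 1 if bar and baz were distinct, valid buffers, 0 otherwise. */
static int run_test(void)
{
    char *bar = fmt_alloc("bar=%d", 42);
    char *baz = fmt_alloc("baz=%s", "hello");
    int ok = bar && baz && bar != baz
             && strcmp(bar, "bar=42") == 0 && strcmp(baz, "baz=hello") == 0;
    free(bar);             /* one free per vasprintf result, not per va_end */
    free(baz);
    return ok;
}
```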