https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113333
Bug ID: 113333
Summary: analyzer: False positives with calloc()
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: buczek at molgen dot mpg.de
Target Milestone: ---
Analyzer assumen that a pointer allocated by calloc() can be != NULL.
** Code:
#include <stdlib.h>
char **f(void) {
char **vec = calloc(1, sizeof(char *));
if (vec)
for (char **p=vec ; *p ; p++);
return vec;
}
** Result:
<source>: In function 'f':
<source>:5:29: warning: heap-based buffer over-read [CWE-126]
[-Wanalyzer-out-of-bounds]
5 | for (char **p=vec ; *p ; p++);
| ^~
'f': events 1-6
|
| 3 | char **vec = calloc(1, sizeof(char *));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) capacity: 8 bytes
| 4 | if (vec)
| | ~
| | |
| | (2) following 'true' branch (when 'vec' is non-NULL)...
| 5 | for (char **p=vec ; *p ; p++);
| | ~ ~~ ~~~
| | | | |
| | | | (5) ...to here
| | | (4) following 'true' branch...
| | | (6) out-of-bounds read from byte 8
till byte 15 but region ends at byte 8
| | (3) ...to here
|
<source>:5:29: note: read of 8 bytes from after the end of the region
5 | for (char **p=vec ; *p ; p++);
| ^~
<source>:5:29: warning: use of uninitialized value '*p' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
'f': events 1-6
|
| 3 | char **vec = calloc(1, sizeof(char *));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) region created on heap here
| 4 | if (vec)
| | ~
| | |
| | (2) following 'true' branch (when 'vec' is non-NULL)...
| 5 | for (char **p=vec ; *p ; p++);
| | ~ ~~ ~~~
| | | | |
| | | | (5) ...to here
| | | (4) following 'true' branch...
| | | (6) use of uninitialized value '*p'
here
| | (3) ...to here
|
Compiler returned: 0
https://gcc.godbolt.org/z/h6bPeYc3T
