https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113333
Bug ID: 113333 Summary: analyzer: False positives with calloc() Product: gcc Version: 14.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: buczek at molgen dot mpg.de Target Milestone: --- Analyzer assumen that a pointer allocated by calloc() can be != NULL. ** Code: #include <stdlib.h> char **f(void) { char **vec = calloc(1, sizeof(char *)); if (vec) for (char **p=vec ; *p ; p++); return vec; } ** Result: <source>: In function 'f': <source>:5:29: warning: heap-based buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds] 5 | for (char **p=vec ; *p ; p++); | ^~ 'f': events 1-6 | | 3 | char **vec = calloc(1, sizeof(char *)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) capacity: 8 bytes | 4 | if (vec) | | ~ | | | | | (2) following 'true' branch (when 'vec' is non-NULL)... | 5 | for (char **p=vec ; *p ; p++); | | ~ ~~ ~~~ | | | | | | | | | (5) ...to here | | | (4) following 'true' branch... | | | (6) out-of-bounds read from byte 8 till byte 15 but region ends at byte 8 | | (3) ...to here | <source>:5:29: note: read of 8 bytes from after the end of the region 5 | for (char **p=vec ; *p ; p++); | ^~ <source>:5:29: warning: use of uninitialized value '*p' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 'f': events 1-6 | | 3 | char **vec = calloc(1, sizeof(char *)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) region created on heap here | 4 | if (vec) | | ~ | | | | | (2) following 'true' branch (when 'vec' is non-NULL)... | 5 | for (char **p=vec ; *p ; p++); | | ~ ~~ ~~~ | | | | | | | | | (5) ...to here | | | (4) following 'true' branch... | | | (6) use of uninitialized value '*p' here | | (3) ...to here | Compiler returned: 0 https://gcc.godbolt.org/z/h6bPeYc3T