On Wed, 2023-03-29 at 15:20 +0200, Alejandro Colomar via Gcc wrote:
> Hi!
>
> With both GCC 12.2.0 (Debian), and GCC 13.0.1 20230315 (built from source),
> I can reproduce these false positives.
>
> The reproducer program is a small program that checks a password against a
> hardcoded string, and conditionally prints "validated". I wrote it
> precisely to demonstrate how [[gnu::malloc(deallocator)]] can be used to
> ensure that passwords are not leaked in memory, but I found out that it
> fails to detect some conditions.
>
> Here's the program (it uses agetpass(), as defined in the shadow project):
>
> $ cat pass.c
> #include <err.h>
> #include <errno.h>
> #include <limits.h>
> #include <readpassphrase.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
[...snip...]

I very briefly tried to reproduce this myself, but I suspect we've got
different headers.

> Maybe I'm missing something, but I don't think fanalyzer is correct
> here.

Quite possibly.

> Should I report this in bugzilla?

Yes please.

Please can you attach the preprocessed source [1] to the bug report(s) so
that we're looking at the same code.  Ideally also a link to godbolt.org
showing the issue.

Thanks
Dave

[1] you can get this via -E
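Since the reproducer is snipped above, here is a self-contained illustration of the technique under discussion: pairing a password allocator with its wiping deallocator via GCC's malloc(deallocator) attribute so that -fanalyzer can track every path the buffer takes. This is an added example, not Alejandro's pass.c and not shadow's agetpass(); agetpass_from(), erase_pass(), wipe(), ct_equal(), the PASS_MAX size and the hardcoded secret "hunter2" are all assumed names and values chosen for the example. agetpass_from() copies a constructed input string instead of reading the terminal so the program runs offline. Build with `gcc -std=c11 -Wall -fanalyzer pass_example.c` (GCC 11 or later for the two-argument malloc attribute; other compilers get a no-op macro).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASS_MAX 256                 /* assumed buffer size for this example */
#define HARDCODED_SECRET "hunter2"   /* constructed, like the reproducer's hardcoded string */

/* Wipe a buffer in a way the optimiser may not drop: stores through a
   volatile pointer are not dead stores, even just before free(). */
static void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* The paired deallocator: zero the whole password buffer, then release it.
   It is declared before the allocator so the attribute below can name it. */
static void erase_pass(char *pass)
{
    if (pass == NULL)
        return;
    wipe(pass, PASS_MAX);   /* every buffer from agetpass_from() is PASS_MAX bytes */
    free(pass);
}

#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
/* Tell GCC the returned pointer is fresh storage that must be released
   with erase_pass() and nothing else. With -fanalyzer this is what lets
   the compiler report a path that drops the pointer (-Wanalyzer-malloc-leak)
   or passes it to plain free() (-Wanalyzer-mismatching-deallocation). */
#define PASS_ALLOCATOR __attribute__((malloc, malloc(erase_pass, 1)))
#else
#define PASS_ALLOCATOR
#endif

/* Hypothetical stand-in for shadow's agetpass(): copies a constructed input
   string instead of reading the terminal, so the example runs offline. */
PASS_ALLOCATOR
static char *agetpass_from(const char *input)
{
    if (input == NULL)
        return NULL;
    size_t len = strlen(input);
    if (len >= PASS_MAX)
        return NULL;
    char *pass = malloc(PASS_MAX);
    if (pass == NULL)
        return NULL;
    memcpy(pass, input, len + 1);   /* bounded by the PASS_MAX check above */
    return pass;
}

/* Compare n bytes without an early exit, so timing does not reveal where
   the first mismatch is. Callers check lengths first (length is revealed). */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Correct shape: every path that obtained the buffer hands it to erase_pass().
   Returns 1 on match, 0 on mismatch, -1 if no password could be obtained. */
int check_password(const char *input)
{
    char *pass = agetpass_from(input);
    if (pass == NULL)
        return -1;                      /* nothing allocated, nothing to erase */

    size_t n = strlen(HARDCODED_SECRET);
    int ok = strlen(pass) == n && ct_equal(pass, HARDCODED_SECRET, n);

    erase_pass(pass);                   /* wipe before free on the only exit */
    return ok;
}

/* Leaky shape: the early return on the mismatch path keeps the plaintext
   password alive on the heap, neither wiped nor freed. This is the kind of
   path the attribute exists to let -fanalyzer surface. */
int check_password_leaky(const char *input)
{
    char *pass = agetpass_from(input);
    if (pass == NULL)
        return -1;
    if (strcmp(pass, HARDCODED_SECRET) != 0)
        return 0;                       /* BUG: pass leaks here */
    erase_pass(pass);
    return 1;
}

int main(void)
{
    int r = check_password("hunter2");
    puts(r == 1 ? "validated" : "rejected");
    return r == 1 ? 0 : 1;
}
```

The design choice worth noting is that the deallocator, not the caller, does the wiping: once erase_pass() is the only sanctioned way to release the buffer, "freed" and "zeroed" become the same property, and a mismatching free() or a dropped pointer on an error path is a compile-time report rather than a plaintext secret left in the heap. Whether a given GCC build reports check_password_leaky() and stays quiet on check_password() is exactly the question a bug report with the preprocessed source settles.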