https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110014
Bug ID: 110014
Summary: -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))
Product: gcc
Version: 13.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: eggert at cs dot ucla.edu
Target Milestone: ---

Created attachment 55179 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55179&action=edit
compile with 'gcc -fanalyzer -S' to reproduce the bug

This is a followup to bug 109577, and reports a more serious problem with -Wanalyzer-allocation-size: it mishandles realloc even when the last argument is obviously a multiple of the object size. I discovered this problem when compiling an experimental version of GNU diffutils.

This is with gcc (GCC) 13.1.1 20230511 (Red Hat 13.1.1-2) x86-64. Compile the attached program with:

  gcc -fanalyzer -S w.i

The output is as follows. All the warnings are incorrect. The last warning is for a call of the form realloc(p, N * sizeof (long)) even though the result is used as a long * so the call is obviously well-sized.

w.i: In function ‘slurp’:
w.i:11:14: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   11 |     buffer = realloc (buffer, cc);
      |              ^~~~~~~~~~~~~~~~~~~~
  ‘slurp’: events 1-4
    |
    |    9 |   if (!__builtin_add_overflow (file_size - file_size % sizeof (long),
    |      |      ^
    |      |      |
    |      |      (1) following ‘true’ branch...
    |   10 |                                2 * sizeof (long), &cc))
    |   11 |     buffer = realloc (buffer, cc);
    |      |              ~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (2) ...to here
    |      |              (3) allocated ‘cc’ bytes here
    |      |              (4) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
w.i: In function ‘slurp1’:
w.i:18:10: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp1’: events 1-2
    |
    |   18 |   return realloc (buffer, file_size - file_size % sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
w.i: In function ‘slurp2’:
w.i:24:10: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘slurp2’: events 1-2
    |
    |   24 |   return realloc (buffer, (file_size / sizeof (long)) * sizeof (long));
    |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (1) allocated ‘file_size & 18446744073709551608’ bytes here
    |      |          (2) assigned to ‘long int *’ here; ‘sizeof (long int)’ is ‘8’
    |
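The three allocation shapes the report describes, reconstructed below as a self-contained example; this is added here and is not the attached w.i (only the diagnostic excerpts above are on the page), so the function bodies, the slurp_size / round_down_size / is_long_multiple helpers and the demo driver are assumptions. It shows that each byte count handed to realloc is an exact multiple of sizeof (long) by construction, which is the invariant the analyzer fails to prove, and that the __builtin_add_overflow guard in slurp rejects a wrapped size instead of passing it on:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed reconstruction of the three realloc shapes in the report
   (slurp, slurp1, slurp2); not the attached w.i.  Each computes a byte
   count that is a whole number of longs, so the result is safe to use
   as a long * with no partial trailing element. */

/* Size computation behind slurp: round file_size down to a whole number
   of longs, then add two slack longs.  Returns false when the addition
   would wrap size_t, so a wrapped size never reaches realloc. */
bool slurp_size(size_t file_size, size_t *cc)
{
    size_t rounded = file_size - file_size % sizeof(long);
    return !__builtin_add_overflow(rounded, 2 * sizeof(long), cc);
}

/* Convenience wrapper: the slurp byte count, or 0 on overflow. */
size_t slurp_cc(size_t file_size)
{
    size_t cc;
    return slurp_size(file_size, &cc) ? cc : 0;
}

/* Sizes behind slurp1 and slurp2; the two expressions are algebraically
   identical and both are exact multiples of sizeof (long). */
size_t round_down_size(size_t file_size)
{
    return file_size - file_size % sizeof(long);
}

size_t round_down_size_div(size_t file_size)
{
    return (file_size / sizeof(long)) * sizeof(long);
}

/* The invariant the analyzer should be able to establish for all three. */
bool is_long_multiple(size_t n)
{
    return n % sizeof(long) == 0;
}

long *slurp(long *buffer, size_t file_size)
{
    size_t cc;
    if (!slurp_size(file_size, &cc))
        return NULL;            /* overflow: leave the old buffer as is */
    return realloc(buffer, cc); /* sized in whole longs by construction */
}

long *slurp1(long *buffer, size_t file_size)
{
    /* Note: file_size < sizeof (long) yields realloc (buffer, 0), whose
       behaviour is implementation-defined; callers should avoid that. */
    return realloc(buffer, round_down_size(file_size));
}

long *slurp2(long *buffer, size_t file_size)
{
    return realloc(buffer, round_down_size_div(file_size));
}

/* Driver: grow a fresh buffer for a file of file_size bytes via slurp and
   write every whole long it holds.  Returns the number of longs written,
   or 0 when the size overflowed or the allocation failed. */
size_t demo(size_t file_size)
{
    size_t cc = slurp_cc(file_size);
    if (cc == 0)
        return 0;
    long *p = slurp(NULL, file_size);
    if (!p)
        return 0;
    size_t n = cc / sizeof(long);
    for (size_t i = 0; i < n; i++)
        p[i] = (long)i;
    free(p);
    return n;
}
```

Compiling this file with gcc -fanalyzer on the release named in the report is the quickest way to check whether the false positive still fires on a given toolchain; the functions keep the realloc argument shapes from the diagnostics so the warning text, if any, lines up with the excerpts above.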