bug-ed

BUGs: static code analysis (gcc, clang, cppcheck)


From: Xose Vazquez Perez
Subject: BUGs: static code analysis (gcc, clang, cppcheck)
Date: Tue, 9 Mar 2021 14:23:04 +0100

Hi,

$ make -i -k # gcc-11 with -fanalyzer

gcc  -Wall -W -O2 -fanalyzer -c -o buffer.o buffer.c
gcc  -Wall -W -O2 -fanalyzer -c -o carg_parser.o carg_parser.c
gcc  -Wall -W -O2 -fanalyzer -c -o global.o global.c
gcc  -Wall -W -O2 -fanalyzer -c -o io.o io.c
gcc  -Wall -W -O2 -fanalyzer -DPROGVERSION=\"1.17\" -c -o main.o main.c
gcc  -Wall -W -O2 -fanalyzer -c -o main_loop.o main_loop.c
gcc  -Wall -W -O2 -fanalyzer -c -o regex.o regex.c
gcc  -Wall -W -O2 -fanalyzer -c -o signal.o signal.c
signal.c: In function ‘sighup_handler.part.0’:
signal.c:57:9: warning: leak of ‘<unknown>’ [CWE-401] [-Wanalyzer-malloc-leak]
   57 |       if( len && hup )                  /* hup filename */
      |         ^
  ‘sighup_handler.part.0’: events 1-8
    |
    |   49 |     if( last_addr() && modified() &&
    |      |       ^
    |      |       |
    |      |       (1) following ‘true’ branch...
    |......
    |   52 |       char * const s = getenv( "HOME" );
    |      |                        ~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (2) ...to here
    |   53 |       const int len = ( s ? strlen( s ) : 0 );
    |      |                 ~~~
    |      |                 |
    |      |                 (3) following ‘false’ branch (when ‘s’ is NULL)...
    |   54 |       const int need_slash = ( ( !len || s[len-1] != '/' ) ? 1 : 0 );
    |   55 |       char * const hup = ( ( len + need_slash + (int)sizeof hb < path_max( 0 ) ) ?
    |      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                  |
    |      |                                  (4) ...to here
    |   56 |                     (char *) malloc( len + need_slash + sizeof hb ) : 0 );
    |      |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                              |           |                          |
    |      |                              |           (6) ...to here             (5) following ‘true’ branch...
    |      |                              (7) allocated here
    |   57 |       if( len && hup )                  /* hup filename */
    |      |         ~
    |      |         |
    |      |         (8) ‘<unknown>’ leaks here; was allocated at (7)
    |
gcc  -Wall -W -O2 -fanalyzer -o ed buffer.o carg_parser.o global.o io.o main.o main_loop.o regex.o signal.o
cat ./red.in > red
chmod a+x red
================================================================================

$ scan-build make -i -k # clang-12
scan-build: Using '/usr/bin/clang-12' for static analysis
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o buffer.o buffer.c
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o carg_parser.o carg_parser.c
carg_parser.c:239:27: warning: Potential leak of memory pointed to by 'non_options' [unix.Malloc]
        if( !tmp ) return 0;
                          ^
1 warning generated.
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o global.o global.c
global.c:94:10: warning: Access to field 'q_forw' results in a dereference of a null pointer (loaded from variable 'bp') [core.NullDereference]
    bp = bp->q_forw;
         ^~~~~~~~~~
1 warning generated.
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o io.o io.c
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -DPROGVERSION=\"1.17\" -c -o main.o main.c
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o main_loop.o main_loop.c
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o regex.o regex.c
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -c -o signal.o signal.c
signal.c:183:21: warning: Array access (from variable 'buf') results in a null pointer dereference [core.NullDereference]
  while( ( buf[i++] = ( (*p == '\\' ) ? *++p : *p ) ) )
           ~~~      ^
1 warning generated.
/usr/bin/../libexec/ccc-analyzer  -Wall -W -O2  -o ed buffer.o carg_parser.o global.o io.o main.o main_loop.o regex.o signal.o
cat ./red.in > red
chmod a+x red
scan-build: Analysis run complete.
scan-build: 3 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2021-03-09-135759-14937-1' to examine bug reports.
================================================================================

$ cppcheck --force -v . # cppcheck-2.3 (--enable=all is too verbose)

Checking buffer.c ...
Defines:
Undefines:
Includes:
Platform:Native
buffer.c:577:9: error: Memory pointed to by 'ustack' is freed twice. [doubleFree]
        free( ustack );
        ^
buffer.c:568:28: note: Memory pointed to by 'ustack' is freed twice.
    if( ustack ) new_buf = realloc( ustack, new_size );
                           ^
buffer.c:577:9: note: Memory pointed to by 'ustack' is freed twice.
        free( ustack );
        ^
1/8 files checked 18% done
Checking carg_parser.c ...
Defines:
Undefines:
Includes:
Platform:Native
2/8 files checked 27% done
Checking global.c ...
Defines:
Undefines:
Includes:
Platform:Native
3/8 files checked 30% done
Checking io.c ...
Defines:
Undefines:
Includes:
Platform:Native
4/8 files checked 41% done
Checking main.c ...
Defines:
Undefines:
Includes:
Platform:Native
5/8 files checked 50% done
Checking main_loop.c ...
Defines:
Undefines:
Includes:
Platform:Native
6/8 files checked 80% done
Checking regex.c ...
Defines:
Undefines:
Includes:
Platform:Native
7/8 files checked 94% done
Checking signal.c ...
Defines:
Undefines:
Includes:
Platform:Native
Checking signal.c: SA_RESTART...
Checking signal.c: SIGWINCH...
Checking signal.c: TIOCGWINSZ...
8/8 files checked 100% done
================================================================================

Thanks.


