Date: Tue, 25 Nov 2025 17:50:52 +0300
From: Dan Carpenter
To: Toomas Soome
Cc: smatch@vger.kernel.org
Subject: Re: apparent bug about check_free_strict
References: <719690CC-A1F0-47B7-AD43-0A1EBD632081@me.com> <13919A78-B19A-4A44-95F1-A729562C50BF@me.com> <7F97D3F0-18D3-4025-A6D2-74773061A56F@me.com> <9A95EC42-6BBD-4300-A8FD-0229A56347DC@me.com> <27F1E218-CB00-48C3-9515-A40ACBF05828@me.com>
In-Reply-To: <27F1E218-CB00-48C3-9515-A40ACBF05828@me.com>

On Tue, Nov 25, 2025 at 04:28:03PM +0200, Toomas Soome wrote:
> And another interesting case:
>
> smatch is complaining about ‘pptr’ but we do free ‘ptr’.
>
> /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: adm_kef_util.c:1243 filter_mechlist() error: dereferencing freed memory 'pptr' (line 1242)
>
> 1225 filter_mechlist(mechlist_t **pmechlist, const char *mech)
> 1226 {
> 1227         int cnt = 0;
> 1228         mechlist_t *ptr, *pptr;
> 1229         boolean_t mech_present = B_FALSE;
> 1230
> 1231         ptr = pptr = *pmechlist;
> 1232
> 1233         while (ptr != NULL) {
> 1234                 if (strncmp(ptr->name, mech, sizeof (mech_name_t)) == 0) {
> 1235                         mech_present = B_TRUE;
> 1236                         if (ptr == *pmechlist) {
> 1237                                 pptr = *pmechlist = ptr->next;
> 1238                                 free(ptr);
> 1239                                 ptr = pptr;
> 1240                         } else {
> 1241                                 pptr->next = ptr->next;
> 1242                                 free(ptr);
> 1243                                 ptr = pptr->next;

This one is explainable...
Smatch is crap at loops, and only parses the loop one time. It might look like Smatch parses loops but it's all hacks and special cases. So, in this case, instead of seeing that "this is the second iteration through the loop", Smatch says "this is dead code, but all of our other assumptions are probably correct, including that ptr = pptr = *pmechlist". So when we free "ptr" we're also freeing "pptr".

I've known the correct way to handle loops for over ten years now and I partially wrote the code ten years ago. But I've never wanted to do it because it will slow everything down a lot. It's quite a bit of work as well, but mostly it was the slowdown that was the issue.

But I think I'm going to try to make Smatch work better on other projects outside the kernel, so adding more and more loop hacks will become less feasible and I will care less about slowdowns, so I have decided I am going to do this work soon.

Basically you just parse every function twice and you store the next iteration states for every loop. Then you parse the functions again and merge in the next iteration states. It's a 2x slowdown in parsing. I already have the --two-passes option but I haven't looked at the output in a while...

regards,
dan carpenter
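An added illustration of the single-pass state described above (example code written here, not from the thread or from illumos): the same ptr/pptr walk as the quoted filter_mechlist(), run on a constructed list and instrumented to count how often the else branch is entered with ptr == pptr, which is the aliasing Smatch carries in from the loop entry. The mech_t type is a stand-in, and the non-matching branch, which the quoted excerpt cuts off before, is assumed to be the usual "pptr = ptr; ptr = ptr->next" advance.

```c
#include <stdlib.h>
#include <string.h>
typedef struct mech { char name[32]; struct mech *next; } mech_t; /* stand-in for mechlist_t */
struct demo_result { int alias_in_else, remaining; };

static mech_t *push(mech_t *head, const char *name)
{
    mech_t *n = calloc(1, sizeof(*n));
    if (n == NULL) abort();
    strncpy(n->name, name, sizeof(n->name) - 1);
    n->next = head;
    return n;
}

/* Same walk as the quoted filter_mechlist(); the unquoted non-matching branch is assumed to be
 * "pptr = ptr; ptr = ptr->next". Returns how often the else branch ran with ptr == pptr. */
static int filter_mech_demo(mech_t **phead, const char *mech)
{
    mech_t *pptr = *phead, *ptr = pptr;     /* same aliasing start as "ptr = pptr = *pmechlist" */
    int alias_in_else = 0;
    while (ptr != NULL) {
        if (strncmp(ptr->name, mech, sizeof(ptr->name)) == 0) {
            if (ptr == *phead) {
                pptr = *phead = ptr->next;      /* head removal: ptr and pptr alias afterwards */
                free(ptr);
                ptr = pptr;
            } else {
                alias_in_else += (ptr == pptr); /* only then would free(ptr) also free pptr */
                pptr->next = ptr->next;
                free(ptr);
                ptr = pptr->next;
            }
        } else {
            pptr = ptr;                         /* assumed: predecessor trails ptr by one node */
            ptr = ptr->next;
        }
    }
    return alias_in_else;
}

/* Constructed list a -> b -> a -> c: "a" hits the head branch on iteration 1 and the else
 * branch on iteration 3, where pptr is "b", not the node being freed. */
static struct demo_result demo(void)
{
    mech_t *head = push(push(push(push(NULL, "c"), "a"), "b"), "a"), *p;
    struct demo_result r = { filter_mech_demo(&head, "a"), 0 };
    for (p = head; p != NULL; p = p->next) r.remaining++;
    while (head != NULL) { p = head->next; free(head); head = p; }
    return r;
}
```

With the real second-iteration state, the else branch never sees ptr == pptr, so the report is a consequence of the one-pass loop model rather than a use-after-free in the code.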