Date: Wed, 26 Nov 2025 18:12:56 +0300
From: Dan Carpenter
To: Toomas Soome
Cc: smatch@vger.kernel.org
Subject: Re: apparent bug about check_free_strict
In-Reply-To: <32FD91B6-32B3-45FC-A6E5-EA39439466E3@me.com>

On Wed, Nov 26, 2025 at 04:47:04PM +0200, Toomas Soome wrote:
> 
> 
> > On 25. Nov 2025, at 16:50, Dan Carpenter wrote:
> > 
> > On Tue, Nov 25, 2025 at 04:28:03PM +0200, Toomas Soome wrote:
> >> And another interesting case:
> >> 
> >> smatch is complaining about ‘pptr’ but we do free ‘ptr’.
> >> 
> >> /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: adm_kef_util.c:1243 filter_mechlist() error: dereferencing freed memory 'pptr' (line 1242)
> >> 
> >> 1225 filter_mechlist(mechlist_t **pmechlist, const char *mech)
> >> 1226 {
> >> 1227         int cnt = 0;
> >> 1228         mechlist_t *ptr, *pptr;
> >> 1229         boolean_t mech_present = B_FALSE;
> >> 1230 
> >> 1231         ptr = pptr = *pmechlist;
> >> 1232 
> >> 1233         while (ptr != NULL) {
> >> 1234                 if (strncmp(ptr->name, mech, sizeof (mech_name_t)) == 0) {
> >> 1235                         mech_present = B_TRUE;
> >> 1236                         if (ptr == *pmechlist) {
> >> 1237                                 pptr = *pmechlist = ptr->next;
> >> 1238                                 free(ptr);
> >> 1239                                 ptr = pptr;
> >> 1240                         } else {
> >> 1241                                 pptr->next = ptr->next;
> >> 1242                                 free(ptr);
> >> 1243                                 ptr = pptr->next;
> > 
> > This one is explainable...  Smatch is crap at loops, and only parses the
> > loop one time.  It might look like Smatch parses loops but it's all
> > hacks and special cases.
> > 
> > So, in this case, instead of seeing that "this is the second iteration
> > through the loop", Smatch says "this is dead code, but all of our other
> > assumptions are probably correct including that "ptr = pptr = *pmechlist".
> > 
> > So when we free "ptr" we're also freeing "pptr".
> > 
> > I've known the correct way to handle loops for over ten years now and
> > I partially wrote the code ten years ago.  But I've never wanted to do
> > it because it will slow everything down a lot.  It's quite a bit of
> > work as well, but mostly it was the slow down that was the issue.
> > But I think I'm going to try to make Smatch work better on other
> > projects outside the kernel so adding more and more loop hacks will
> > become less feasible and I will care less about slow downs so I
> > have decided I am going to do this work soon.
> > 
> > Basically you just parse every function twice and you store the next
> > iteration states for every loop.  Then you parse the functions again
> > and merge in the next iteration states.  It's a 2x slow down in
> > parsing.  I already have the --two-passes option but I haven't looked
> > at the output in a while...
> > 
> > regards,
> > dan carpenter
> 
> example about --two-passes:
> 
> tsoome@balrog:/code/illumos-gate/usr/src/cmd/cmd-inet/usr.lib/in.mpathd$ timex /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch -fident -finline -fno-inline-functions -fno-builtin -fno-asm -fdiagnostics-show-option -nodefaultlibs -D__sun -O -m32 -Wall -Wextra -Werror -Wno-missing-braces -Wno-sign-compare -Wno-unused-parameter -Wno-missing-field-initializers -Wno-array-bounds -p=illumos_user --disable=uninitialized,check_check_deref -Wno-vla -Wno-one-bit-signed-bitfield -Wno-external-function-has-definition -Wno-old-style-definition -Wno-strict-prototypes --fatal-checks --timeout=0 -Wno-maybe-uninitialized -std=gnu99 -fno-inline-small-functions -fno-inline-functions-called-once -fno-ipa-cp -fno-ipa-icf -fno-clone-functions -fno-reorder-functions -fno-reorder-blocks-and-partition -fno-aggressive-loop-optimizations --param=max-inline-insns-single=450 -fstack-protector-strong -g -gdwarf-4 -gstrict-dwarf -std=gnu99 -DTEXT_DOMAIN="SUNW_OST_OSCMD" -D_TS_ERRNO -I/code/illumos-gate/proto/root_i386/usr/include -D_XOPEN_SOURCE=600 -D__EXTENSIONS__ -c mpd_main.c -o /tmp/cw.f6aqiX/cwi6aOiX.o
> /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: mpd_main.c:154 poll_add() warn: potentially one past the end of array 'newfds[i]'
> /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: mpd_main.c:154 poll_add() warn: potentially one past the end of array 'newfds[i]'
> /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: mpd_main.c:155 poll_add() warn: potentially one past the end of array 'newfds[i]'
> /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: mpd_main.c:155 poll_add() warn: potentially one past the end of array 'newfds[i]'
> 
> real        1.16
> user        0.99
> sys         0.15
> 
> tsoome@balrog:/code/illumos-gate/usr/src/cmd/cmd-inet/usr.lib/in.mpathd$ timex /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch --two-passes -fident -finline -fno-inline-functions -fno-builtin -fno-asm -fdiagnostics-show-option -nodefaultlibs -D__sun -O -m32 -Wall -Wextra -Werror -Wno-missing-braces -Wno-sign-compare -Wno-unused-parameter -Wno-missing-field-initializers -Wno-array-bounds -p=illumos_user --disable=uninitialized,check_check_deref -Wno-vla -Wno-one-bit-signed-bitfield -Wno-external-function-has-definition -Wno-old-style-definition -Wno-strict-prototypes --fatal-checks --timeout=0 -Wno-maybe-uninitialized -std=gnu99 -fno-inline-small-functions -fno-inline-functions-called-once -fno-ipa-cp -fno-ipa-icf -fno-clone-functions -fno-reorder-functions -fno-reorder-blocks-and-partition -fno-aggressive-loop-optimizations --param=max-inline-insns-single=450 -fstack-protector-strong -g -gdwarf-4 -gstrict-dwarf -std=gnu99 -DTEXT_DOMAIN="SUNW_OST_OSCMD" -D_TS_ERRNO -I/code/illumos-gate/proto/root_i386/usr/include -D_XOPEN_SOURCE=600 -D__EXTENSIONS__ -c mpd_main.c -o /tmp/cw.3UaygX/cw5UaWgX.o
> 
> real       19.70
> user       18.86
> sys         0.79
> 
> tsoome@balrog:/code/illumos-gate/usr/src/cmd/cmd-inet/usr.lib/in.mpathd$
> 
> Yes, it took longer, but also no complaints:)

Ugh...  19 times longer.  :(  I'm super not excited about that.

TBH, I haven't tested this in years...

regards,
dan carpenter
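The false positive above comes from the ptr/pptr pair: on a single pass through the loop both still point at the list head when `ptr` is freed. The following is an added example, not code from illumos or from Smatch, showing the same filtering written with a pointer-to-link cursor so that no second variable ever aliases the freed node; the `mechlist_t` layout and `MECH_NAME_LEN` are simplified assumptions standing in for the illumos types, and `filter_names` is a constructed driver for checking the result.

```c
#include <stdlib.h>
#include <string.h>
#define MECH_NAME_LEN 32	/* stands in for sizeof (mech_name_t); assumed */

typedef struct mechlist {
	char name[MECH_NAME_LEN];
	struct mechlist *next;
} mechlist_t;
/* Remove every node named `mech`; returns how many were freed.  A pointer-
 * to-link cursor replaces the ptr/pptr pair: `link` is the head slot or the
 * previous node's next field, so no second pointer aliases the freed node. */
static int filter_mechlist(mechlist_t **pmechlist, const char *mech)
{
	mechlist_t **link = pmechlist;
	int removed = 0;
	while (*link != NULL) {
		mechlist_t *cur = *link;
		if (strncmp(cur->name, mech, MECH_NAME_LEN) == 0) {
			*link = cur->next;	/* unlink, then free */
			free(cur);
			removed++;
		} else
			link = &cur->next;
	}
	return removed;
}

/* Driver: build a list from `names` (order kept), filter `mech`, write the
 * survivors to `buf` comma-separated, free the list, return count removed. */
static int filter_names(const char *const *names, int n, const char *mech,
			char *buf, size_t len)
{
	mechlist_t *head = NULL, *p;
	int removed;
	while (n-- > 0) {		/* push back-to-front to keep order */
		if ((p = calloc(1, sizeof(*p))) == NULL) abort();
		strncpy(p->name, names[n], MECH_NAME_LEN - 1);
		p->next = head;
		head = p;
	}
	removed = filter_mechlist(&head, mech);
	for (buf[0] = '\0'; head != NULL; head = p) {
		p = head->next;
		if (buf[0] != '\0')
			strncat(buf, ",", len - strlen(buf) - 1);
		strncat(buf, head->name, len - strlen(buf) - 1);
		free(head);
	}
	return removed;
}
```

The head-removal and middle-removal cases that needed two branches in the original collapse into one path, which is also the shape a one-pass analysis handles without a "previous" pointer to confuse with the freed one.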