memleak
The relevant code is
179 data = malloc (nbytes);
183 pMemLink = memHeapAddBlock (ppMemLink, data, RTMEMMALLOC | RTMEMRAW);
191 return data;
(Not shown is code to check for allocation failures and do other stuff.)
Relevant code in memheap.c is
1207 static OSMemLink* memHeapAddBlock(OSMemLink** ppMemLink, void* pMemBlk, ...)
1219 pMemLink = (OSMemLink*) malloc ( ...
1229 pMemLink->pMemBlk = pMemBlk; // save address which is in data
1248 ((OSMemBlk*)pMemBlk)->plink = pMemLink; // put address of allocated space in data's area
I can see where it looks like the pointer in pMemLink is lost, but it is clear one can get back to the pMemLink area through the data pointer. I'm guessing that the memory is handled properly.
]]>
uninitMemberVar
Several of the member variables are not initialized.
]]>
nullPointer
Relevant code is
1950 pSps=pChan->spsSigGen1=createPmrSps(pChan);
1951 pSps->sink=pChan->pSigGen1;
... MANY more initializations ...
2008 if(pSps==NULL)printf("Error: calloc(), createPmrChannel()\n");
The relevant code in createPmrSps() is
2490 pSps = (t_pmr_sps *)calloc(sizeof(t_pmr_sps),1);
2492 if(!pSps)printf("Error: createPmrSps()\n");
2494 pSps->parentChan=pChan;
2499 return pSps;
There is no controlled abort() if calloc() fails.
]]>
memleakOnRealloc
Relevant code is
615 ptr = h_malloc(max_size = 1024);
626 . . ptr = h_realloc(ptr, max_size);
where h_realloc() just renames realloc(). The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
Relevant code is
664 ptr = h_realloc(ptr, max_size);
where h_realloc() just renames realloc(). The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
354 result = realloc(result, size);
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
365 result = realloc(result, size);
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
540 what = realloc(what,
541 . . . . (size <<= 1));
540 what = realloc(what,
541 . . . . (size <<= 1));
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
(I hit submit before adding the explanation.)
]]>
memleakOnRealloc
566 with = realloc(with, size);
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
731 ADD_STRING(temp, len);
where the code in ADD_STRING is
685 . . . result = realloc(result, (size += len + 1));
The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
]]>
memleakOnRealloc
737 ADD_STRING(temp, len);
where the code in ADD_STRING is
685 . . . result = realloc(result, (size += len + 1));
The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
]]>
memleakOnRealloc
748 ADD_STRING(temp, len);
where the code in ADD_STRING is
685 . . . result = realloc(result, (size += len + 1));
The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
]]>
memleakOnRealloc
800 result = realloc(result, size * sizeof(char *));
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
1214 dirname = realloc(dirname, len + 1);
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
1225 dirname = realloc(dirname, strlen(temp) + 1);
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
1337 match_list = realloc(match_list,
1338 . . match_list_len * sizeof(char *));
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleakOnRealloc
1364 match_list = realloc(match_list,
1365 . . (match_list_len + 1) * sizeof(char *));
is the relevant code. The analysis is correct: if reallocation fails, realloc() returns NULL, and the previously allocated area is lost.
Worse yet, there is no check for failure. In other words, if realloc() fails, the program just crashes.
]]>
memleak
Some relevant code is
1202 char *filename = NULL
1209 if (temp) {
1211 . . filename = realloc(filename, strlen(temp) + 1);
1217 } else {
1218 . . filename = strdup(text);
1220 }
1230 filename_len = strlen(filename);
1246 . . && strncmp(entry->d_name, filename,
Indeed, filename is allocated, but not freed. The only reference to the space (through filename) is lost when the the function ends.
]]>
memleak
Some relevant code is
476 char **b;
479 b = (char **) el_malloc((size_t) (sizeof(char *) * (c->v + 1)));
483 . . b[i] = (char *) el_malloc((size_t) (sizeof(char) * (c->h + 1)));
484 . . if (b[i] == NULL)
485 . . . . return (-1);
An array (of strings) is allocated, then strings are allocated and put into the array. However, if allocation of one of the arrays fails, previous allocated memory is not freed.
]]>
memleak
Possibly relevant code is
110 Tokenizer *tok = (Tokenizer *) tok_malloc(sizeof(Tokenizer));
116 if (tok->argv == NULL)
117 . . return (NULL);
If the second allocation (line 116) fails, the memory allocated in line 110 is lost.
]]>
memleak
Relevant code is
110 Tokenizer *tok = (Tokenizer *) tok_malloc(sizeof(Tokenizer));
119 tok->wspace = (char *) tok_malloc(WINCR);
120 if (tok->wspace == NULL)
121 . . return (NULL);
If the allocation of wspace (line 119) fails, the memory allocated at line 110 is lost.
]]>
memleak
Relevant code is
112 tok->ifs = strdup(ifs ? ifs : IFS);
115 tok->argv = (char **) tok_malloc(sizeof(char *) * tok->amax);
116 if (tok->argv == NULL)
117 . . return (NULL);
If the later allocation fails, the memory allocated at line 112 is lost.
]]>
memleak
Relevant code is
115 tok->argv = (char **) tok_malloc(sizeof(char *) * tok->amax);
116 if (tok->argv == NULL)
117 . . return (NULL);
118 tok->argv[0] = NULL;
119 tok->wspace = (char *) tok_malloc(WINCR);
120 if (tok->wspace == NULL)
121 . . return (NULL);
If the allocation at line 119 fails, then the memory allocated at line 115 is lost.
]]>
uselessAssignmentPtrArg
Relevant code is
098 static unsigned char linear2ulaw(short sample, int full_coding)
099 {
125 sign = (sample >> 8) & 0x80;
126 if (sign != 0)
127 . . sample = -sample;
128 if (sample > CLIP)
129 . . sample = CLIP;
The variable "sample" is never used again. I don't see any macros. Surrounding this is a conditional compilation:
045 #ifndef G711_NEW_ALGORITHM
050 static unsigned char linear2ulaw(short sample)
091 }
093 #else
098 static unsigned char linear2ulaw(short sample, int full_coding)
Perhaps the buggy code is never used anymore. Our version 11 has the same useless code.
]]>
invalidscanf
Relevant code is
802 if (sscanf(prev, "%d", &val) != 1) {
Since this is reading a config file and the problem occurs rarely, I marked this insignificant.
]]>
uninitstring
The immediately relevant code is
544 struct ast_chan *chan;
547 char channame[256];
553 . . strncpy(channame, chan->name, sizeof(channame) - 1);
It turns out that the structure ast_chan is defined in lines 79 through 87 of the same file:
79 struct ast_chan {
80 . . char name[80];
. . .
87 };
So ASSUMING that strings fit within the 80 character buffer in the structure, there is no chance of reaching the limit. In other words, channame will always be null-terminated.
Of course, if it always succeeds, why use strncpy() instead of strcpy()??
Additional information to clarify the preceding evaluation: the warning was actually for the next line, where channame is used:
554 . . snprintf(tmp, sizeof(tmp), "Enter new extension for %s", channame);
]]>
uninitstring
Pertinent code is
67 const size_t len = strlen(file) + sizeof (DBM_SUFFIX);
68 #ifdef __GNUC__
69 char path[len];
70 #else
71 char *path = malloc(len);
72 if (path == NULL)
73 . . return NULL;
74 #endif
82 (void)strncpy(path, file, len - 1);
83 (void)strncat(path, DBM_SUFFIX, len - strlen(path) - 1);
where
#define DBM_SUFFIX ".db"
Line 67 finds the length of file and the SIZEOF the string DBM_SUFFIX, which includes a null. So the allocated size is always big enough to contain file. (But since that's the case, why use strncpy() and strncat() instead of the faster strcpy() and strcat()??)
]]>
syntaxError
The relevant code is
170 if ((t->bt_smap = mmap(NULL, t->bt_msize,
171 . . PROT_READ, MAP_PRIVATE, rfd,
172 . . (off_t)0)) == MAP_FAILED
173 . . goto slow;
Clearly there should be a trailing parenthesis after MAP_FAILED. A preceding comment says,
164 * Mmap doesn't work correctly on many current
165 * systems. In particular, it can fail subtly,
166 * with cache coherency problems. Don't use it
167 * for now.
]]>
memleak
Relevant memory is
5165 if (!(ignorepat = ast_calloc(1, length)))
5166 . . return -1;
. . .
5175 . . if (!strcasecmp(ignorepatc->pattern, value)) {
. . .
05178 return -1;
In this case, the memory allocated at line 5165 is lost.
]]>
useClosedFile
Relevant code is
751 while(connect_asterisk()) {
752 . . sleep(5);
753 }
754 if (login_asterisk()) {
755 fclose(astf);
astf is a global variable. It is opened in connect_asterisk():
251 astf = fdopen(sock, "r+");
252 if (!astf) {
253 . . fprintf(stderr, "fdopen failed: %s\n", strerror(errno));
254 . . close(sock);
255 . . return -1;
256 }
257 return 0;
]]>
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
operatorEqVarError
operatorEqVarError
uninitMemberVar
uninitMemberVar
uninitMemberVar
uninitMemberVar
uninitMemberVar
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
operatorEqVarError
syntaxError
uninitMemberVar
operatorEqVarError
uninitMemberVar
uninitMemberVar
uninitMemberVar
uninitMemberVar
uninitMemberVar
operatorEqVarError
operatorEqVarError
operatorEqVarError
uninitMemberVar
uninitMemberVar
uninitMemberVar
uninitMemberVar
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
nullPointer
invalidscanf
nullPointer
pointerSize
invalidPrintfArgType_sint
invalidPrintfArgType_sint
invalidPrintfArgType_sint
invalidPrintfArgType_sint
invalidPrintfArgType_sint
invalidPrintfArgType_sint