fix #8109: False positive: memory is freed twice (overloaded delete) (#…

…6774)
danmar · Sep 28, 2024 · 42b2947 · 42b2947
1 parent 6767b2c
commit 42b2947
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/lib/checkleakautovar.cpp b/lib/checkleakautovar.cpp
@@ -671,9 +671,10 @@ bool CheckLeakAutoVar::checkScope(const Token * const startToken,
                 tok = tok->tokAt(3);
             else
                 tok = tok->next();
-            if (tok->str() == "(")
+            bool startparen;
+            if ((startparen = (tok->str() == "(")))
                 tok = tok->next();
-            while (Token::Match(tok, "%name% ::|."))
+            while (Token::Match(tok, "%name% ::|.") || (startparen && Token::Match(tok, "%name% ,")))
                 tok = tok->tokAt(2);
             const bool isnull = tok->hasKnownIntValue() && tok->values().front().intvalue == 0;
             if (!isnull && tok->varId() && tok->strAt(1) != "[") {

diff --git a/test/testleakautovar.cpp b/test/testleakautovar.cpp
@@ -88,6 +88,7 @@ class TestLeakAutoVar : public TestFixture {
         TEST_CASE(deallocuse13);
         TEST_CASE(deallocuse14);
         TEST_CASE(deallocuse15);
+        TEST_CASE(deallocuse16); // #8109: delete with comma operator
 
         TEST_CASE(doublefree1);
         TEST_CASE(doublefree2);
@@ -105,6 +106,7 @@ class TestLeakAutoVar : public TestFixture {
         TEST_CASE(doublefree14); // #9708
         TEST_CASE(doublefree15);
         TEST_CASE(doublefree16);
+        TEST_CASE(doublefree17); // #8109: delete with comma operator
 
         // exit
         TEST_CASE(exit1);
@@ -1071,6 +1073,16 @@ class TestLeakAutoVar : public TestFixture {
         ASSERT_EQUALS("[test.c:5]: (error) Dereferencing 'h' after it is deallocated / released\n", errout_str());
     }
 
+    void deallocuse16() {
+        check("void f() {\n"
+              "    int *a = nullptr;\n"
+              "    int *c = new int;\n"
+              "    delete (a, c);\n"
+              "    *c = 10;\n"
+              "}\n", true);
+        ASSERT_EQUALS("[test.cpp:5]: (error) Dereferencing 'c' after it is deallocated / released\n", errout_str());
+    }
+
     void doublefree1() {  // #3895
         check("void f(char *p) {\n"
               "    if (x)\n"
@@ -1750,6 +1762,17 @@ class TestLeakAutoVar : public TestFixture {
         ASSERT_EQUALS("", errout_str());
     }
 
+    void doublefree17() {
+        check("void f() {\n"
+              "    int *a = nullptr;\n"
+              "    int *b = nullptr;\n"
+              "    int *c = new int;\n"
+              "    delete (a, c);\n"
+              "    delete (b, c);\n"
+              "}\n", true);
+        ASSERT_EQUALS("[test.cpp:5] -> [test.cpp:6]: (error) Memory pointed to by 'c' is freed twice.\n", errout_str());
+    }
+
     void exit1() {
         check("void f() {\n"
               "    char *p = malloc(10);\n"