Limitations in smatch scripts
Most smatch scripts are written with simplicity in mind; the false-positive
cases below are rare and/or too hard (or even impossible) to write code for.
The following conditional alloc/free pattern generates false positives:

	if (condition)
		alloc(this);
	do_something;
	if (condition)
		free(this);
Realloc functions are handled as an unconditional free followed by an alloc.
But a real realloc function does not free the pointer if an error occurs. Thus
the code below, although correct, generates a double free warning:

	tmp = realloc(ptr, 17);
	if (!tmp) {
		free(ptr);
		return NULL;
	}
	ptr = tmp;
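To show why the simplification produces that warning, here is a tiny model of how a checker could track the old pointer's state along the realloc-failure path, comparing the naive "realloc = free + alloc" rule with realloc's real semantics. This is an added example, not smatch code; the state names and functions are constructed for illustration.

```c
/* Added example (not from smatch): model one pointer's allocation state
 * across the failure path of the realloc idiom shown above. */
#include <stdio.h>

enum pstate { UNALLOCATED, ALLOCATED, FREED };

/* Apply free() to a tracked pointer; return 1 if it would be a double free. */
static int model_free(enum pstate *s)
{
	int double_free = (*s == FREED);
	*s = FREED;
	return double_free;
}

/* Apply realloc(ptr, n) to the OLD pointer on the path where realloc fails.
 * naive != 0: the old pointer is treated as freed unconditionally (the
 *             simplification described in the text).
 * naive == 0: on failure the old pointer is left untouched (real semantics). */
static void model_realloc_failed(enum pstate *old, int naive)
{
	if (naive)
		*old = FREED;
}

/* Walk the failure path of:
 *   tmp = realloc(ptr, 17); if (!tmp) { free(ptr); return NULL; }
 * and return 1 if the chosen model reports a double free on that path. */
int double_free_reported(int naive_model)
{
	enum pstate ptr = ALLOCATED;	/* ptr holds a live allocation on entry */

	model_realloc_failed(&ptr, naive_model);
	return model_free(&ptr);	/* the free(ptr) inside if (!tmp) */
}

int main(void)
{
	printf("naive realloc model:   double free reported = %d\n",
	       double_free_reported(1));
	printf("precise realloc model: double free reported = %d\n",
	       double_free_reported(0));
	return 0;
}
```

The naive model reports a double free (the false positive), while the precise model, which leaves the old pointer allocated when realloc fails, reports nothing.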
The following correct style of locking generates false positives:

	if (condition)
		lock(this);
	do_something;
	if (condition)
		unlock(this);