Analyzing code for KDE/Qt and other open source components?

内核做,黑客看,Linus && Greg 留隐患!0day 一出天地灭,赶紧下线保平安!诚心诚念 PaX 好,Hardened Linux 平安保。系统皆为安全来,security through obscurity 忘前缘,spender 弟子说真相,换你内核莫拒绝!

FAQ

  1. Why not GNOME/Gtk?
  2. False positive?

k3b v2.10.0

Jeff Dean compiles and runs his code before submitting, but only to check for compiler and CPU bugs.

Static Analyzer

Coverity Scan: KDE

or

  # Run the Clang static analyzer over the whole k3b CMake build.
  # -k keeps the build going past errors, -v is verbose, -V opens the
  # report in a browser when the run finishes.
  scan-build -k -v -V cmake .. -DCMAKE_INSTALL_PREFIX=/usr    \
    -DKDE_INSTALL_LIBDIR=lib    \
    -DKDE_INSTALL_LIBEXECDIR=lib    \
    -DKDE_INSTALL_USE_QT_SYS_PATHS=ON   \
    -DK3B_BUILD_API_DOCS=ON \
    -DK3B_ENABLE_PERMISSION_HELPER=ON   \
    -DK3B_DEBUG=ON
  # The configure step above only records the flags; the analysis itself
  # happens while the compile commands run under scan-build here.
  scan-build -k -v -V make
  

  -    m_process->deleteLater();
  -    m_process = 0;
  +    if (m_process) {
  +        m_process->deleteLater();
  +        m_process = 0;
  +    }
  
  -                if( !copyItems && dropTrackAfter == source->track() && dropTrackAfter->numberSources() == 1 )
  +                if( !copyItems && dropTrackAfter == source->track() && dropTrackAfter && dropTrackAfter->numberSources() == 1 )
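Review bot: The new null test `dropTrackAfter &&` sits after `dropTrackAfter == source->track()`; comparing a null pointer is harmless so the logic is correct, but a reader expects the guard before the first use of the pointer. Reordering to `if( !copyItems && dropTrackAfter && dropTrackAfter == source->track() && dropTrackAfter->numberSources() == 1 )` keeps the same result and makes the intent obvious. The enclosing function starts and ends outside the hunk.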
  
  -                if( burnDev->writeCapabilities() & (K3b::Device::MEDIA_DVD_R|K3b::Device::MEDIA_DVD_RW) ) {
  -                    modes |= K3b::WritingModeSao|K3b::WritingModeRestrictedOverwrite;
  -                    if( burnDev->featureCurrent( K3b::Device::FEATURE_INCREMENTAL_STREAMING_WRITABLE ) != 0 )
  -                        modes |= K3b::WritingModeIncrementalSequential;
  +                if (burnDev) {
  +                    if( burnDev->writeCapabilities() & (K3b::Device::MEDIA_DVD_R|K3b::Device::MEDIA_DVD_RW) ) {
  +                        modes |= K3b::WritingModeSao|K3b::WritingModeRestrictedOverwrite;
  +                        if( burnDev->featureCurrent( K3b::Device::FEATURE_INCREMENTAL_STREAMING_WRITABLE ) != 0 )
  +                            modes |= K3b::WritingModeIncrementalSequential;
  +                    }
  +
  +                    // TODO: once we have layer jump support: this is where it goes
  +                    //if ( burnDev->supportsWritingMode( K3b::Device::WRITING_MODE_LAYER_JUMP ) )
  +                    //     modes |= K3b::Device::WRITING_MODE_LAYER_JUMP;
                 }
  -
  -                // TODO: once we have layer jump support: this is where it goes
  -//               if ( burnDev->supportsWritingMode( K3b::Device::WRITING_MODE_LAYER_JUMP ) ) {
  -//                   modes |= K3b::Device::WRITING_MODE_LAYER_JUMP;
  -//               }
  

A valid index belongs to a model and has non-negative row and column numbers, so index.model() is NOT nullptr when index.isValid() holds; this is a c++-analyzer false positive!

  +    if (d->doc == Q_NULLPTR)
  +        return false;
  
  -    if( bin->version() >= K3b::Version( 0, 9, 0 ) )
  +    if( bin && bin->version() >= K3b::Version( 0, 9, 0 ) )
  

Q_UNUSED(var); Indicates to the compiler that the parameter with the specified name is not used in the body of a function. This can be used to suppress compiler warnings while allowing functions to be defined with meaningful parameter names in their signatures.

  -    if( (dataLen-4) % descLen || dataLen < 4+descLen ) {
  +    if( descLen != 0 && ((dataLen-4) % descLen || dataLen < 4+descLen) ) {
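Review bot: Prefixing the whole condition with `descLen != 0 &&` turns a zero descriptor length from a rejected value into an accepted one: when `descLen` is 0 the sanity check is skipped entirely and the code after it proceeds as if the data were well-formed. A zero length is itself malformed input (a descriptor loop either reads nothing or never advances), so it should fail the same way as a bad length: `if( descLen == 0 || dataLen < 4+descLen || (dataLen-4) % descLen ) {`. Testing `dataLen < 4+descLen` before the modulo also avoids forming `dataLen-4` when `dataLen` is below 4, which matters if these are unsigned; their declarations are outside the hunk. The enclosing function starts and ends outside the hunk.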
  

It is KStandardAction::open, so this is a c++-analyzer false positive!

  -        DataUrlAddingDialog* dlg = new DataUrlAddingDialog( items, dir, true, parent );
  -        QMetaObject::invokeMethod( dlg, "slotStartCopyMoveItems", Qt::QueuedConnection );
  +        QSharedPointer<DataUrlAddingDialog> dlgPtr = QSharedPointer<DataUrlAddingDialog>(new DataUrlAddingDialog( items, dir, true, parent ));
  +        QMetaObject::invokeMethod( dlgPtr.data(), "slotStartCopyMoveItems", Qt::QueuedConnection );
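Review bot: `dlgPtr` is a local, so the `QSharedPointer` destroys the dialog as soon as this scope ends, while `slotStartCopyMoveItems` is queued with `Qt::QueuedConnection` and only runs later from the event loop; the dialog is gone before its slot can execute (a posted call to a destroyed receiver is discarded), so the copy/move presumably never starts and any other holder of the raw pointer dangles. The original `new DataUrlAddingDialog( items, dir, true, parent )` passes `parent`, which is the normal Qt ownership pattern and is what the surrounding text identifies as the analyzer's false positive; keep the raw pointer and let the parent delete it (or, if the dialog should go away on its own, `dlg->setAttribute(Qt::WA_DeleteOnClose);`) rather than adding a scoped owner. The lone `delete dlg;` added in the next hunk has no context here; if that object also has a parent or deletes itself on close, it becomes a double free. The enclosing function starts and ends outside the hunk.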
  
  +                delete dlg;
  

Sanitizer

  # Configure k3b with clang++ and ECM's sanitizer support; the
  # ECM_ENABLE_SANITIZERS list is what adds the ASan/LSan/UBSan flags.
  cmake .. -DCMAKE_INSTALL_PREFIX=/usr    \
    -DCMAKE_CXX_COMPILER=clang++    \
    -DECM_ENABLE_SANITIZERS='address;leak;undefined'    \
    -DKDE_INSTALL_LIBDIR=lib    \
    -DKDE_INSTALL_LIBEXECDIR=lib    \
    -DKDE_INSTALL_USE_QT_SYS_PATHS=ON   \
    -DK3B_BUILD_API_DOCS=ON \
    -DK3B_ENABLE_PERMISSION_HELPER=ON   \
    -DK3B_DEBUG=ON
  
/data/project/kde/libkcddb/libkcddb/kcddbconfig.cpp:41:13: runtime error: member call on address 0x607000047830 which does not point to an object of type 'KConfigSkeletonGenericItem'
0x607000047830: note: object is of type 'KCoreConfigSkeleton::ItemString'
 22 00 80 65  78 60 da ab 79 7f 00 00  60 a4 4d b0 79 7f 00 00  80 a6 4d b0 79 7f 00 00  80 a7 4d b0
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'KCoreConfigSkeleton::ItemString'
SUMMARY: AddressSanitizer: undefined-behavior /data/project/kde/libkcddb/libkcddb/kcddbconfig.cpp:41:13


=================================================================
==4260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16384 byte(s) in 1 object(s) allocated from:
    #0 0x5989c8 in __interceptor_malloc (/data/project/kde/k3b/build/src/k3b+0x5989c8)
    #1 0x7f9ba5fe5b98 in g_malloc (/usr/lib/libglib-2.0.so.0+0x4fb98)

Direct leak of 288 byte(s) in 9 object(s) allocated from:
    #0 0x598de0 in realloc (/data/project/kde/k3b/build/src/k3b+0x598de0)
    #1 0x7f9baccbcfc3 in d_growable_string_resize /build/gcc-multilib/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:3856
    #2 0x7f9baccbcfc3 in d_growable_string_append_buffer /build/gcc-multilib/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:3880
    #3 0x7f9baccbcfc3 in d_growable_string_callback_adapter /build/gcc-multilib/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:3897

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x5989c8 in __interceptor_malloc (/data/project/kde/k3b/build/src/k3b+0x5989c8)
    #1 0x7f9b95038ef9  (/usr/lib/libfontconfig.so.1+0x1def9)

Direct leak of 72 byte(s) in 3 object(s) allocated from:
    #0 0x5d05e0 in operator new(unsigned long) (/data/project/kde/k3b/build/src/k3b+0x5d05e0)
    #1 0x7f9bb188b2f6 in KDirWatchPrivate::Entry::addClient(KDirWatch*, QFlags<KDirWatch::WatchMode>) (/usr/lib/libKF5CoreAddons.so.5+0x2f2f6)
    #2 0x7f9bb188d93f in KDirWatchPrivate::addEntry(KDirWatch*, QString const&, KDirWatchPrivate::Entry*, bool, QFlags<KDirWatch::WatchMode>) (/usr/lib/libKF5CoreAddons.so.5+0x3193f)
    #3 0x7f9bb18938fc in KDirWatch::addDir(QString const&, QFlags<KDirWatch::WatchMode>) (/usr/lib/libKF5CoreAddons.so.5+0x378fc)
    #4 0x7f9bb23933ea in KCoreDirListerCache::DirItem::incAutoUpdate() /data/project/kde/kio/src/core/kcoredirlister_p.h:440
    #5 0x7f9bb237ec96 in KCoreDirListerCache::listDir(KCoreDirLister*, QUrl const&, bool, bool) /data/project/kde/kio/src/core/kcoredirlister.cpp:224
    #6 0x7f9bb238e02b in KCoreDirLister::openUrl(QUrl const&, QFlags<KCoreDirLister::OpenUrlFlag>) /data/project/kde/kio/src/core/kcoredirlister.cpp:2160
    #7 0x6964ae in K3b::PlacesModel::addPlace(QString const&, QIcon const&, QUrl const&) /data/project/kde/k3b/src/k3bplacesmodel.cpp:172:25
    #8 0x694b6c in K3b::PlacesModel::PlacesModel(QObject*) /data/project/kde/k3b/src/k3bplacesmodel.cpp:62:13
    #9 0x6b8225 in K3b::FileTreeView::FileTreeView(QWidget*) /data/project/kde/k3b/src/k3bfiletreeview.cpp:72:20
    #10 0x727a21 in K3b::MainWindow::initView() /data/project/kde/k3b/src/k3b.cpp:522:43
    #11 0x72e85b in K3b::MainWindow::MainWindow() /data/project/kde/k3b/src/k3b.cpp:237:5
    #12 0x6182ef in K3b::Application::init(QCommandLineParser*) /data/project/kde/k3b/src/k3bapplication.cpp:84:24
    #13 0x779ce6 in main /data/project/kde/k3b/src/main.cpp:131:9
    #14 0x7f9bb4fda290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

Indirect leak of 17905 byte(s) in 269 object(s) allocated from:
    #0 0x5989c8 in __interceptor_malloc (/data/project/kde/k3b/build/src/k3b+0x5989c8)
    #1 0x7fd2a43e6014 in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (/usr/lib/libQt5Core.so.5+0xae014)

Indirect leak of 7952 byte(s) in 71 object(s) allocated from:
    #0 0x5d05e0 in operator new(unsigned long) (/data/project/kde/k3b/build/src/k3b+0x5d05e0)
    #1 0x7fd2a89bb091  (/usr/lib/libQt5Xml.so.5+0x17091)
    #2 0xb9a322447d060cff  (<unknown module>)

Indirect leak of 4239 byte(s) in 5 object(s) allocated from:
    #0 0x598de0 in realloc (/data/project/kde/k3b/build/src/k3b+0x598de0)
    #1 0x7fd29e7178cc  (/usr/lib/libdbus-1.so.3+0x318cc)

Indirect leak of 144 byte(s) in 3 object(s) allocated from:
    #0 0x5d05e0 in operator new(unsigned long) (/data/project/kde/k3b/build/src/k3b+0x5d05e0)
    #1 0x7fd2ab9d07a9  (/usr/lib/libKF5Solid.so.5+0x847a9)
.
.
.

SUMMARY: AddressSanitizer: 97242 byte(s) leaked in 920 allocation(s).
  

cdrkit v1.1.11

clang -O4 sends your code to Jeff Dean for a complete rewrite.

Static Analyzer

scan-view . has a port-conflict issue: you have to Ctrl-C several times to *find* the correct port for this project's report. It often opens http://127.0.0.1:8081 by default, but port 8081 is only correct for the first opened project.

if dpnt->ce_bytes is 0, ce_buffer is always NULL!

if uncomp_buf is NULL it is malloc'ed; if malloc fails, exit(1) is called before the memset, so this is a ccc-analyzer false positive!

if pdev_name is NULL, it failed to open pdev_name

if finddir = dpnt->subdir is NULL, if (finddir->self == s_entry) will segfault; there is an if (!finddir) check on line 1120 — why was it forgotten on line 1117?!

double free of (*pnt)->whole_name; it is better to do if (ptr) free(ptr); ptr = NULL;


Hey man you forgot to free(baseindex_pool)!

Use-after-free, and even worse it slips into an infinite loop! FIXME by while (vol->dirs) hfs_closedir(vol->dirs); vol->dirs = NULL;

dvd+rw-tools v7.1

When Jeff Dean sends you a code review, it's because he thinks there's something in it you should learn.

Static Analyzer

typo?! ~~(╯﹏╰)b

libburn v1.4.7

When Jeff Dean says "Hello World", the world says "Hello Jeff".

Static Analyzer

Coverity Scan: libburn

or

by Clang Static Analyzer

  # Regenerate the autotools files, then configure under scan-build so the
  # analyzer wrapper (ccc-analyzer) is picked up as the C compiler.
  ./bootstrap
  scan-build -k -v -V ./configure --prefix=/usr --disable-static
  
  scan-build: Using '/usr/bin/clang-3.9' for static analysis
  .
  .
  .
  checking for gcc... /usr/bin/../lib/clang/ccc-analyzer
  checking whether the C compiler works... yes
  .
  .
  .
  scan-build: No bugs found.

  # A clean tree is required: scan-build only analyzes files it compiles,
  # so anything already built would be skipped.
  make clean
  scan-build -k -v -V make

  

Please install clang-tools-extra or clang-analyzer (the name depends on your Linux distribution) and scan-build for your own environment; the static analyzer's and dynamic sanitizers' reports may differ from each other.

All right, it is better to check if (skin)

ThreadSanitizer

step 1
  # Build libburn/cdrskin with ThreadSanitizer and UBSan; -g and
  # -fno-omit-frame-pointer give the reports file:line and usable stack
  # traces. The link flags must carry the same -fsanitize options.
  export CC=clang
  export CFLAGS="$CFLAGS -Wall -O1 -fsanitize=thread -fsanitize=undefined -fno-omit-frame-pointer -g"
  export LDFLAGS="$LDFLAGS -fsanitize=thread -fsanitize=undefined"
  ./bootstrap
  ./configure --prefix=/usr
  make clean
  make
  make install
  
step 2
  # Exercise the instrumented cdrskin against a cdemu virtual drive: unload
  # device 0, give it a blank DVD+R image, then write 375808 zero-filled
  # 2048-byte sectors through cdrskin (dev= names the virtual drive's node),
  # capturing the sanitizer output in /tmp/cdrskin.log.
  cdemu unload 0
  cdemu create-blank --writer-id=WRITER-ISO --medium-type=dvd+r 0 ~/virt.iso
  dd if=/dev/zero bs=2048 count=375808 | /usr/bin/cdrskin -v -V dev=/dev/sr1 speed=18 -tao -data -tsize=375808s - >/tmp/cdrskin.log 2>&1
  
I once spent two days with trying to find out why libburn failed with a particular drive and DVD-RW where growisofs succeeded. On the third day growisofs started to fail and libburn succeeded. It was just a matter of luck on a flaky combination of hardware.
==================
WARNING: ThreadSanitizer: data race (pid=7190)
  Read of size 4 at 0x7d100000dfb0 by main thread:
    #0 burn_drive_scan /data/project/libburn/libburn/async.c:305:29 (libburn.so.4+0x0000000b54b2)
    #1 Cdrskin_create /data/project/libburn/cdrskin/cdrskin.c:9542:12 (cdrskin+0x0000004ebb0f)
    #2 main /data/project/libburn/cdrskin/cdrskin.c:9786:7 (cdrskin+0x0000004edc5a)

  Previous write of size 4 at 0x7d100000dfb0 by thread T1:
    #0 scan_worker_func /data/project/libburn/libburn/async.c:239:18 (libburn.so.4+0x0000000b5c00)

  As if synchronized via sleep:
    #0 usleep  (cdrskin+0x00000044e25f)
    #1 Cdrskin_create /data/project/libburn/cdrskin/cdrskin.c:9543:6 (cdrskin+0x0000004ebac9)
    #2 main /data/project/libburn/cdrskin/cdrskin.c:9786:7 (cdrskin+0x0000004edc5a)

  Location is heap block of size 56 at 0x7d100000df80 allocated by main thread:
    #0 calloc  (cdrskin+0x000000425e52)
    #1 add_worker /data/project/libburn/libburn/async.c:147:6 (libburn.so.4+0x0000000b58b5)
    #2 burn_drive_scan /data/project/libburn/libburn/async.c:303:3 (libburn.so.4+0x0000000b569c)
    #3 Cdrskin_create /data/project/libburn/cdrskin/cdrskin.c:9542:12 (cdrskin+0x0000004ebb0f)
    #4 main /data/project/libburn/cdrskin/cdrskin.c:9786:7 (cdrskin+0x0000004edc5a)

  Thread T1 (tid=7192, finished) created by main thread at:
    #0 pthread_create  (cdrskin+0x000000427296)
    #1 add_worker /data/project/libburn/libburn/async.c:179:6 (libburn.so.4+0x0000000b59fc)
    #2 burn_drive_scan /data/project/libburn/libburn/async.c:303:3 (libburn.so.4+0x0000000b569c)
    #3 Cdrskin_create /data/project/libburn/cdrskin/cdrskin.c:9542:12 (cdrskin+0x0000004ebb0f)
    #4 main /data/project/libburn/cdrskin/cdrskin.c:9786:7 (cdrskin+0x0000004edc5a)

SUMMARY: ThreadSanitizer: data race /data/project/libburn/libburn/async.c:305:29 in burn_drive_scan
==================
  

see cdrskin.log about ThreadSanitizer's WARNING.

AddressSanitizer && UndefinedBehaviorSanitizer

step 1
  # Same build as the ThreadSanitizer run, but with AddressSanitizer and
  # UBSan; the two sanitizer builds cannot be combined, hence a separate
  # clean build.
  export CC=clang
  export CFLAGS="$CFLAGS -Wall -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g"
  export LDFLAGS="$LDFLAGS -fsanitize=address -fsanitize=undefined"
  ./bootstrap
  ./configure --prefix=/usr
  make clean
  make
  make install
  
step 2
  # Same reproduction as for ThreadSanitizer: blank virtual DVD+R, then
  # burn 375808 zero sectors with cdrskin, log to /tmp/cdrskin.log.
  cdemu unload 0
  cdemu create-blank --writer-id=WRITER-ISO --medium-type=dvd+r 0 ~/virt.iso
  dd if=/dev/zero bs=2048 count=375808 | /usr/bin/cdrskin -v -V dev=/dev/sr1 speed=18 -tao -data -tsize=375808s - >/tmp/cdrskin.log 2>&1
  
Only 2 issues:
cdrskin/cdrskin.c:1758:35: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior cdrskin/cdrskin.c:1758:35

libburn/mmc.c:299:18: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior libburn/mmc.c:299:18
  

libisoburn v1.4.6

Errors treat Jeff Dean as a warning.

Static Analyzer

Coverity Scan: libisoburn

or

by Clang Static Analyzer

Come on, ccc-analyzer is just kidding?!

yes if (line) ...

possibly: if flag & 2, xorriso->in_volset_handle is not NULL and start_lba >= 0, lba might not be initialized!

kio v5.29.0

Jeff Dean proved that P=NP when he solved all NP problems in polynomial time on a whiteboard.

Sanitizer

  # Configure kio with clang++ and ECM's ASan/LSan/UBSan support.
  cmake .. -DCMAKE_INSTALL_PREFIX=/usr \
    -DCMAKE_CXX_COMPILER=clang++    \
    -DECM_ENABLE_SANITIZERS='address;leak;undefined'    \
    -DKDE_INSTALL_LIBDIR=lib    \
    -DKDE_INSTALL_LIBEXECDIR=lib    \
    -DKDE_INSTALL_USE_QT_SYS_PATHS=ON
  
=================================================================
==9023==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 2056 byte(s) in 1 object(s) allocated from:
    #0 0x4ca7a0 in realloc (/data/project/kde/kio/build/tests/getalltest+0x4ca7a0)
    #1 0x7f912bc7dfc5 in dbus_realloc /data/project/dbus/dbus/dbus-memory.c:678:13
    #2 0x7f912bc9ad47 in reallocate_for_length /data/project/dbus/dbus/dbus-string.c:366:13
    #3 0x7f912bc89bd6 in set_length /data/project/dbus/dbus/dbus-string.c:407:12
    #4 0x7f912bc89a1c in _dbus_string_lengthen /data/project/dbus/dbus/dbus-string.c:769:10
    #5 0x7f912bc9e8bc in _dbus_read /data/project/dbus/dbus/dbus-sysdeps-unix.c:716:8
    #6 0x7f912bc9e755 in _dbus_read_socket /data/project/dbus/dbus/dbus-sysdeps-unix.c:306:10
    #7 0x7f912bc3d5fe in read_data_into_auth /data/project/dbus/dbus/dbus-transport-socket.c:257:16
    #8 0x7f912bc36fcd in do_authentication /data/project/dbus/dbus/dbus-transport-socket.c:451:31
    #9 0x7f912bc35957 in socket_do_iteration /data/project/dbus/dbus/dbus-transport-socket.c:1200:15
    #10 0x7f912bc2bbfc in _dbus_transport_do_iteration /data/project/dbus/dbus/dbus-transport.c:1001:3
    #11 0x7f912bb2c439 in _dbus_connection_do_iteration_unlocked /data/project/dbus/dbus/dbus-connection.c:1227:11
    #12 0x7f912bb33d58 in _dbus_connection_flush_unlocked /data/project/dbus/dbus/dbus-connection.c:3619:7
    #13 0x7f912bb331a9 in _dbus_connection_block_pending_call /data/project/dbus/dbus/dbus-connection.c:2399:3
    #14 0x7f912bbc5f02 in dbus_pending_call_block /data/project/dbus/dbus/dbus-pending-call.c:741:3
    #15 0x7f912bb397e6 in dbus_connection_send_with_reply_and_block /data/project/dbus/dbus/dbus-connection.c:3575:3
    #16 0x7f912bb24b33 in dbus_bus_register /data/project/dbus/dbus/dbus-bus.c:695:11
    #17 0x7f91310b9d8c  (/usr/lib/libQt5DBus.so.5+0x17d8c)

.
.
.

SUMMARY: AddressSanitizer: 6758 byte(s) leaked in 40 allocation(s).
  

kio v5.28.0

When Jeff Dean designs software, he first codes the binary and then writes the source as documentation.

Static Analyzer

else if (item)

ffmpeg v2.8.7

When your code has undefined behavior, you get a seg fault and corrupted data. When Jeff Dean's code has undefined behavior, a unicorn rides in on a rainbow and gives everybody free ice cream.
Coverity Scan: FFmpeg/FFmpeg

or

by Clang Static Analyzer && Sanitizer

  # ffmpeg: static analysis and sanitizers in one build. The sanitizer
  # flags go through CFLAGS/LDFLAGS, the analyzer wraps configure and make.
  export CFLAGS="$CFLAGS -Wall -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g"
  export LDFLAGS="$LDFLAGS -fsanitize=address -fsanitize=undefined"
  scan-build -k -v -V ./configure \
    --cc=clang  \
    --prefix=/usr \
    --enable-debug \
    --disable-static \
    --disable-stripping \
    --enable-avisynth \
    --enable-avresample \
    --enable-fontconfig \
    --enable-gnutls \
    --enable-gpl \
    --enable-libass \
    --enable-libbluray \
    --enable-libfreetype \
    --enable-libfribidi \
    --enable-libgsm \
    --enable-libiec61883 \
    --disable-libmodplug \
    --enable-libmp3lame \
    --enable-libopenjpeg \
    --enable-libopus \
    --enable-libpulse \
    --disable-libschroedinger \
    --disable-libsoxr \
    --enable-libspeex \
    --enable-libssh \
    --enable-libtheora \
    --enable-libv4l2 \
    --disable-libvidstab \
    --enable-libvorbis \
    --enable-libvpx \
    --enable-libwebp \
    --enable-libx264 \
    --enable-libx265 \
    --enable-libxvid \
    --enable-shared \
    --enable-x11grab

  # The analysis happens during the compile; -k keeps going past failures.
  scan-build -k -v -V make
  

if ... && entries > 0 && dim > 0 && tmp_vlc_bits[i] != NULL and codebook_lookup_values is 0: runtime error: division by zero



false positive detected by ccc-analyzer! s->invisible = 1 if avctx->skip_frame >= skip_thresh

qtbase v5.7.0

When God said: "Let there be light!", Jeff Dean was there to do the code review.
Coverity Scan: qt-project

or

by Clang Static Analyzer

  # qtbase: configure under scan-build (PYTHON is pinned because the Qt 5.7
  # configure scripts expect python2), then analyze the gmake build.
  PYTHON=/usr/bin/python2 scan-build -k -v -V ./configure -confirm-license -opensource -v \
    -prefix /usr \
    -docdir /usr/share/doc/qt \
    -headerdir /usr/include/qt \
    -archdatadir /usr/lib/qt \
    -datadir /usr/share/qt \
    -sysconfdir /etc/xdg \
    -examplesdir /usr/share/doc/qt/examples \
    -plugin-sql-{psql,sqlite} \
    -system-sqlite \
    -openssl-linked \
    -nomake examples \
    -no-rpath \
    -optimized-qmake \
    -dbus-linked \
    -system-harfbuzz \
    -journald \
    -no-use-gold-linker \
    -reduce-relocations -no-sse2

  scan-build -k -v -V gmake
  

sizeof(ushort) equals sizeof(QChar), so the sizeof warning is a c++-analyzer false positive!

  -                                line[x] = color(index);
  +                                if (x >= 0 && x < sizeof(line) / sizeof(int)) line[x] = color(index);
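Review bot: `sizeof(line) / sizeof(int)` only measures the buffer if `line` is declared as an array in this scope; its declaration is outside the hunk, and if `line` is a pointer into the image data (the usual shape for a scanline), the expression is `sizeof(void*) / sizeof(int)`, i.e. 2 on 64-bit targets, and every pixel beyond column 1 is silently dropped. Bound the index against the real scanline width instead, for example `if (x >= 0 && x < width) line[x] = color(index);` with whatever width variable the function already has (`width` here is a placeholder), and compare like-signed types so the `int` against `size_t` mix does not warn. The enclosing function starts and ends outside the hunk.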
  
  +    if (y == Q_NULLPTR)
  +        return;
  

QDomNode QDomNode::cloneNode(bool deep = true) const; returns a QDomNode by value, *NOT* a QDomNode*, so this is a c++-analyzer false positive!

  -    if (int size = info.sizeOf())
  -        return info.construct(operator new(size), copy);
  +    if (int size = info.sizeOf()) {
  +        QScopedArrayPointer where(new void*[size]);
  +        return info.construct(where.data(), copy);
  +    }
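Review bot: The replacement returns a dangling pointer: `where` owns the buffer that `info.construct` places the object in, and the `QScopedArrayPointer` frees that buffer when the `if` block exits, so the caller receives an object whose storage has already been released. The original `operator new(size)` is a deliberate raw allocation of `size` bytes whose ownership passes to the caller, whereas `new void*[size]` allocates `size * sizeof(void*)` bytes, and `QScopedArrayPointer where` without a template argument is not a type name that a pre-C++17 Qt build would accept. Leave the original two lines in place; the analyzer's "leak" is the ownership transfer it cannot see, and a comment such as `// storage is handed to the caller, which releases it via the type's destructor path` is the right response. The enclosing function starts and ends outside the hunk.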
  

mesa v13.0.1

Jeff's code is so fast the assembly code needs three HALT opcodes to stop it.
Coverity Scan: Mesa

glib v2.51.0

Compilers don't warn Jeff Dean. Jeff Dean warns compilers.
Coverity Scan: glib

glibc v2.24.90

Jeff Dean's IDE doesn't do code analysis, it does code appreciation.
Coverity Scan: GNU C Library - glibc

Clang Static Analyzer is *NOT* acclimatized to glibc or Linux? There are a lot of Analyzer Failures (the analyzer had problems processing the following files), for example:

In file included from check_fds.c:18:
In file included from ../include/errno.h:27:
In file included from ../sysdeps/x86_64/nptl/tls.h:27:
In file included from ../include/stdlib.h:14:
../include/sys/stat.h:16:15: error: cannot apply asm label to function after its first use
hidden_proto (__fxstat)
~~~~~~~~~~~~~~^~~~~~~~~
./../include/libc-symbols.h:420:19: note: expanded from macro 'hidden_proto'
  __hidden_proto (name, , __GI_##name, ##attrs)
  ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./../include/libc-symbols.h:424:33: note: expanded from macro '__hidden_proto'
  extern thread __typeof (name) name __asm__ (__hidden_asmname (#internal)) \
                                ^             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

linux v4.x

Jeff Dean has to unoptimize his code so that reviewers believe it was written by a human.
Coverity Scan: Linux

FAQ

Q: Why not GNOME/Gtk?

Firstly, MallocChecker is not able to enumerate *ALL* IdentifierInfo! There are only identifiers for POSIX libc, the Linux kernel and the WIN32 API right now:


  II_alloca = &Ctx.Idents.get("alloca");
  II_malloc = &Ctx.Idents.get("malloc");
  II_free = &Ctx.Idents.get("free");
  II_realloc = &Ctx.Idents.get("realloc");
  II_reallocf = &Ctx.Idents.get("reallocf");
  II_calloc = &Ctx.Idents.get("calloc");
  II_valloc = &Ctx.Idents.get("valloc");
  II_strdup = &Ctx.Idents.get("strdup");
  II_strndup = &Ctx.Idents.get("strndup");
  II_wcsdup = &Ctx.Idents.get("wcsdup");
  II_kmalloc = &Ctx.Idents.get("kmalloc");
  II_if_nameindex = &Ctx.Idents.get("if_nameindex");
  II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");

  //MSVC uses `_`-prefixed instead, so we check for them too.
  II_win_strdup = &Ctx.Idents.get("_strdup");
  II_win_wcsdup = &Ctx.Idents.get("_wcsdup");
  II_win_alloca = &Ctx.Idents.get("_alloca");
  
So it is *NOT* able to detect memory-leak issues for g_new, g_alloca, g_malloc etc. This is *NOT* MallocChecker's fault: the analyzer needs to be taught about the GLib API to check for memory leaks. What's more, there are also GError, GVariant and GSignal checkers, beyond the memory-leak detector, developed by GNOME developer Philip Withnall, easy to load and enable via scan-build:
  # Load the Tartan plugin into scan-build and enable its GLib-aware
  # checkers; the "..." stands for further tartan.* checkers.
  scan-build -load-plugin /usr/lib/tartan/3.9/libtartan.so    \
    -enable-checker tartan.GErrorChecker    \
    -enable-checker tartan.GMallocChecker   \
    -enable-checker ... \
    -k -v -V
  

Q: False positive?

报 Bug 的礼仪 - 不要对程序员说:您的代码有 bug。他的第一反应:
  1. 您的环境有问题吧?
  2. 傻 X 您会用吗?
如果委婉地说:您这个程序和预期的有点不一致,您看看是不是 LLVM 误报?他本能反应:艹 我的程序是不是出 bug 了?!

So arguing is cheap, just show me the patch ;-)