Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wh87G-0001Wj-0F for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Jul 2026 15:53:46 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wh87E-001Qmw-0S for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Jul 2026 15:53:44 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wh87D-001Qmo-2l for pgsql-hackers@lists.postgresql.org; Tue, 07 Jul 2026 15:53:44 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wh87B-000000003hI-2Zvc for pgsql-hackers@postgresql.org; Tue, 07 Jul 2026 15:53:44 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.18.1/8.18.1) with ESMTP id 667FraEj1847456; Tue, 7 Jul 2026 11:53:36 -0400 From: Tom Lane To: Peter Eisentraut cc: Tristan Partin , pgsql-hackers Subject: Re: Add malloc attribute to memory allocation functions In-reply-to: <2248c1c4-68f7-46dc-9e58-9ba9057da74e@eisentraut.org> References: <924283.1783312014@sss.pgh.pa.us> <2248c1c4-68f7-46dc-9e58-9ba9057da74e@eisentraut.org> Comments: In-reply-to Peter Eisentraut message dated "Tue, 07 Jul 2026 17:34:43 +0200" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1847454.1783439616.1@sss.pgh.pa.us> Date: Tue, 07 Jul 2026 11:53:36 -0400 Message-ID: <1847455.1783439616@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Peter Eisentraut writes: > On 06.07.26 18:34, Tristan Partin wrote: >> On Mon Jul 6, 2026 at 4:26 AM UTC, Tom Lane wrote: >>> I'm skeptical that this is going to lead to anything but grief. >>> In particular, since gcc has never heard of memory contexts, >>> I don't see how we are not going to get buried in bogus >>> -Wanalyzer-malloc-leak warnings. It doesn't really help >>> to add compiler annotations that only sort-of match our semantics. > But this can also check for a lot more, such as > - mismatching deallocator > - double free > - use after free > - free of things that are not an allocation > If we could tell it, check for all these things but don't worry about > the leaks, that could be useful. > Also, for frontend tools, libpq, etc. that don't use memory contexts. Yeah, I was thinking about that last point. The frontend environment is a lot closer to the semantics these markers expect, so we could try doing this in frontend only and see how well that works. There are still places that I'd expect to be trouble. For example, Coverity has never understood the pattern we use in pg_dump's data collection subroutines, ie, malloc a big array of structs, fill the individual structs and insert pointers to them into the hash tables, done. It always thinks we leaked the array, and I suspect tools like this will too. In Coverity's case there's enough infrastructure to dismiss individual false-positive complaints, and then it won't bug you about them (until somebody changes the relevant code enough that the dismissal doesn't match :-(). Unless there's some similar way to silence individual reports, I don't foresee tools like this to be usable. We're not going to change coding patterns like that one just because some static analyzer doesn't understand them. regards, tom lane