From: "slyfox at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/104069] New: -Werror=use-after-free false positive on elfutils-0.186
Date: Mon, 17 Jan 2022 17:18:52 +0000
List-Id: Gcc-bugs mailing list

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069

            Bug ID: 104069
           Summary: -Werror=use-after-free false positive on elfutils-0.186
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
                CC: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Originally observed on elfutils-0.186 (which builds with -Werror by default).
Here is my attempt to extract a simplified example:

typedef long unsigned int size_t;
extern void *realloc(void *__ptr, size_t __size)
  __attribute__((__nothrow__, __leaf__))
  __attribute__((__warn_unused_result__))
  __attribute__((__alloc_size__(2)));

void *
__libdw_unzstd(size_t todo)
{
  void * sb = 0;

  for (;;) {
    // ran only once
    if (!sb) {
      char * b = realloc(sb, todo);
      if (!b) break;
      sb = b;
    }
    todo -= 1;
    if (todo == 0) break;
  }

  // shrink buffer: leave only one byte for simplicity
  char * b = realloc(sb, 1);
  if (b) {
    sb = b;
  } else {
    // realloc failed mysteriously, leave 'sb' untouched.
  }

  return sb;
}

$ gcc-12.0.0 -O2 -std=gnu99 -Wall -Werror -c zstd.c.c
zstd.c.c: In function ‘__libdw_unzstd’:
zstd.c.c:35:10: error: pointer ‘sb’ may be used after ‘realloc’ [-Werror=use-after-free]
   35 |   return sb;
      |          ^~
zstd.c.c:28:14: note: call to ‘realloc’ here
   28 |   char * b = realloc(sb, 1);
      |              ^~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I think it's a proper false positive. The original code is not as contrived (but I think it's still correct):

https://sourceware.org/git/?p=elfutils.git;a=blob;f=libdwfl/gzip.c;h=ba8ecfba6c316b261ee38bb288ab163664ade9e5;hb=983e86fd89e8bf02f2d27ba5dce5bf078af4ceda#l180

$ gcc-12.0.0 -v
Using built-in specs.
COLLECT_GCC=/<>/gcc-12.0.0/bin/gcc
COLLECT_LTO_WRAPPER=/<>/gcc-12.0.0/libexec/gcc/x86_64-unknown-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 12.0.0 20220116 (experimental) (GCC)
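The report turns on a property of realloc() that the diagnostic misses: when realloc() fails it returns NULL and leaves the original block allocated and valid, so keeping the old pointer is correct (and overwriting it with the NULL return, the common `p = realloc(p, n)` idiom, leaks the block instead). The following is an added example written for this page, not the reporter's reproducer or elfutils code; grow_buffer(), demo() and the fail_next_realloc hook are constructed names used to simulate an allocation failure deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test hook: when nonzero, the next grow_buffer() call behaves
   as if realloc() had returned NULL, so the failure path can be exercised. */
static int fail_next_realloc = 0;

/* Resize *bufp to new_size bytes.
   Success: *bufp and *capp are updated, returns 1.
   Failure: *bufp and *capp are left untouched (the old block remains valid
   and owned by the caller, exactly as realloc() guarantees), returns 0. */
static int grow_buffer(char **bufp, size_t *capp, size_t new_size)
{
    char *nb = NULL;
    if (!fail_next_realloc)
        nb = realloc(*bufp, new_size);
    fail_next_realloc = 0;
    if (!nb)
        return 0;      /* do NOT assign NULL over *bufp: that would leak it */
    *bufp = nb;
    *capp = new_size;
    return 1;
}

/* Mirrors the report's shape: allocate, fill, then shrink the buffer.
   Returns the capacity the caller now owns via *out (16 if the shrink
   failed, 4 if it succeeded). The caller must free(*out). */
static size_t demo(int inject_failure, char **out)
{
    char *sb = NULL;
    size_t cap = 0;

    if (!grow_buffer(&sb, &cap, 16))
        return 0;
    memset(sb, 'A', 16);

    /* Shrink to 4 bytes. If this fails, sb is still the valid 16-byte block
       and is returned unchanged; this is the path -Wuse-after-free flags. */
    fail_next_realloc = inject_failure;
    grow_buffer(&sb, &cap, 4);

    *out = sb;
    return cap;
}

int main(void)
{
    char *p = NULL;
    size_t cap = demo(0, &p);
    printf("shrink succeeded: capacity %zu, p[0]=%c\n", cap, p[0]);
    free(p);

    cap = demo(1, &p);
    printf("shrink failed: original block kept, capacity %zu, p[15]=%c\n",
           cap, p[15]);
    free(p);
    return 0;
}
```

The second demo() run is the situation in the bug report: the shrink fails, the old pointer is retained, and the buffer it points to is both still allocated and still holds the data written before the shrink, so using it is not a use-after-free.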