From: "msebor at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/104215] bogus -Wuse-after-free=3 due to forwprop moving a pointer test after realloc
Date: Tue, 25 Jan 2022 23:04:50 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Status: UNCONFIRMED

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104215

--- Comment #5 from Martin Sebor ---

To "use" means to evaluate. The strict C semantics are that the realloc() argument becomes indeterminate after the function has returned non-null, whether or not the returned pointer is the same as the argument. The argument is only safe to use after realloc() has returned null. In other words, strictly conforming programs must treat every successful call to realloc() as if it freed the original object. The warning is based on these strict semantics. It handles the realloc failure case, and it tries to accommodate the use case of detecting whether realloc() has moved the block to a different address by only warning on equality expressions involving the original argument at level 3.

The warning cannot very well avoid triggering on this case if we want it to continue to work as designed (I of course do). The solution I'd like to see is the forwprop pass checking for the uses of the pointers in the propagated condition in deallocation calls and suppressing the warning for the propagated condition statement by calling suppress_warning(). This could be made reliable by having forwprop and the warning share the same code (a common function to do the same analysis to determine whether to suppress the warning in forwprop or whether to trigger in gimple-ssa-warn-access).
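Added example, not code from the bug report or from GCC: a realloc() wrapper in C that follows the strict semantics described in the comment. It keeps the original pointer on failure and detects a move by comparing addresses captured as integers before the call, rather than comparing the stale pointer afterwards, which is the equality test that level 3 reports. The names grow_result, grow_buffer and grow_keeps_contents are hypothetical, and the buffer contents are constructed sample data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of growing a block.  "moved" is derived from an address
   captured as an integer before the call, so the stale pointer is
   never evaluated after a successful realloc(). */
struct grow_result {
    void *ptr;     /* current block: the original one if realloc failed */
    size_t size;   /* current size in bytes */
    int ok;        /* 1 if realloc succeeded */
    int moved;     /* 1 if the block changed address */
};

struct grow_result grow_buffer(void *p, size_t old_size, size_t new_size)
{
    struct grow_result r = { p, old_size, 0, 0 };
    uintptr_t old_addr = (uintptr_t)p;   /* taken BEFORE realloc */
    void *q = realloc(p, new_size);
    if (q == NULL) {
        /* Failure: p is still valid and still owned by the caller. */
        return r;
    }
    /* From here on p is indeterminate; writing "q == p" instead of the
       integer comparison below is what -Wuse-after-free=3 reports. */
    r.ptr = q;
    r.size = new_size;
    r.ok = 1;
    r.moved = ((uintptr_t)q != old_addr);
    return r;
}

/* Grows a constructed buffer and returns 1 if its contents survived. */
int grow_keeps_contents(void)
{
    const char sample[] = "constructed sample payload";
    char *buf = malloc(sizeof sample);
    if (buf == NULL) return 0;
    memcpy(buf, sample, sizeof sample);
    struct grow_result r = grow_buffer(buf, sizeof sample, 4096);
    if (!r.ok) {
        free(buf);          /* original block still ours on failure */
        return 0;
    }
    int same = memcmp(r.ptr, sample, sizeof sample) == 0;
    free(r.ptr);
    return same;
}
```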