public inbox for gcc-bugs@sourceware.org
From: "rguenth at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/104492] [12 Regression] Bogus dangling pointer warning at -O3
Date: Mon, 25 Apr 2022 08:43:28 +0000
Message-ID: <bug-104492-4-5IQyPjVQBN@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-104492-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104492

--- Comment #9 from Richard Biener <rguenth at gcc dot gnu.org> ---
So IL wise the issue is that we go from

  <bb 2> :
  candidates(address-taken)[0].m_size = 2;
  candidates(address-taken)[0].m_data = "so";
  _1 = std::end<const QLatin1String, 1> (&candidates(address-taken));
  _2 = std::begin<const QLatin1String, 1> (&candidates(address-taken));
  _11 = std::find<const QLatin1String*, QStringView> (_2, _1, &s(address-taken));
  _3 = _11;
  _4 = std::end<const QLatin1String, 1> (&candidates(address-taken));
  _13 = _3 != _4;
  candidates(address-taken) ={v} {CLOBBER(eol)};
  return _13;

to

  _32 = std::__find_if<const QLatin1String*, __gnu_cxx::__ops::_Iter_equals_val<const QStringView> > (&candidates(address-taken), &MEM <const struct QLatin1String[1]> [(void *)&candidates(address-taken) + 16B], __pred, D.182436);
  __pred ={v} {CLOBBER(eol)};
  _33 = &MEM <const struct QLatin1String[1]> [(void *)&candidates(address-taken) + 16B] != _32;
  candidates(address-taken) ={v} {CLOBBER(eol)};
  _66 = _33;
  s(address-taken) ={v} {CLOBBER(eol)};
  _19 = _66;
  retval.0_20 = _19;
  D.169966(address-taken) ={v} {CLOBBER(eol)};
  if (retval.0_20 != 0)

exposing the forwarding opportunity into the conditional:

  _32 = std::__find_if<const QLatin1String*, __gnu_cxx::__ops::_Iter_equals_val<const QStringView> > (&candidates(address-taken), &MEM <const struct QLatin1String[1]> [(void *)&candidates(address-taken) + 16B], __pred, D.182436);
  __pred ={v} {CLOBBER(eol)};
  candidates(address-taken) ={v} {CLOBBER(eol)};
  s(address-taken) ={v} {CLOBBER(eol)};
  D.169966 ={v} {CLOBBER(eol)};
  if (&MEM <const struct QLatin1String[1]> [(void *)&candidates(address-taken) + 16B] != _32)

As noted, CLOBBERs are not barriers for values but only for memory so any
such forwarding (which would also happen for non-equality compares) interferes
with the intent of -Wdangling-pointer.  I'll note that a CLOBBER does _not_
invalidate the pointer to the storage but only its contents as opposed to
some reading of 'realloc' or 'free' semantics imposed by the C standard.

The documentation mentions two levels of -Wdangling-pointer but all examples
are about either the pointer escaping the function (to the caller) or about
accesses to the storage whose contents became indeterminate.

Unrolling and IVOPTs/SLSR could also expose re-use of storage accessed by
a pointer to the "first" instance of a variable.

I'm not sure what can be done about all this for the late pass_warn_access
(which runs _very_ late).  It's going to be prone to such issues and
maybe -Wanalyzer is a better tool for the purpose.

I was not successful in auto-reducing the testcase to something that
closely resembles the above IL but I guess crafting a manual testcase
from it would be possible.

For the specific case we now pass 'equality' to
pass_waccess::warn_invalid_pointer which is true for the original testcase
but is only used to prune diagnostics after free/realloc and not when
using the (undocumented) -Wdangling-pointer=3 level (level 3 is also rejected
because it has IntegerRange(0, 2)).

This case is about iteration over an auto variable and the "found" check
being forwarded across the storage invalidation.

The following fixes the original (and my misreduced) testcase.  I'm going
to test it and post it for review.

diff --git a/gcc/gimple-ssa-warn-access.cc b/gcc/gimple-ssa-warn-access.cc
index 879dbcc1e52..6c404f18db7 100644
--- a/gcc/gimple-ssa-warn-access.cc
+++ b/gcc/gimple-ssa-warn-access.cc
@@ -3896,13 +3896,13 @@ pass_waccess::warn_invalid_pointer (tree ref, gimple
*us
e_stmt,
        return;
     }

+  if ((equality && warn_use_after_free < 3)
+      || (maybe && warn_use_after_free < 2)
+      || warning_suppressed_p (use_stmt, OPT_Wuse_after_free))
+    return;
+
   if (is_gimple_call (inval_stmt))
     {
-      if ((equality && warn_use_after_free < 3)
-         || (maybe && warn_use_after_free < 2)
-         || warning_suppressed_p (use_stmt, OPT_Wuse_after_free))
-       return;
-
       const tree inval_decl = gimple_call_fndecl (inval_stmt);

       if ((ref && warning_at (use_loc, OPT_Wuse_after_free,
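
Review bot: the early return hoisted above 'if (is_gimple_call (inval_stmt))' still tests warn_use_after_free and warning_suppressed_p (use_stmt, OPT_Wuse_after_free), but in its new position it also runs when the invalidating statement is not a call, so the -Wuse-after-free level and suppression now decide whether the code after the call block is reached. Consider hoisting only what is meant to be shared (the 'equality' pruning) and leaving the option-specific level and suppression tests in the branch each option belongs to; a comment saying why equality comparisons are pruned would also help.
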
@@ -3923,10 +3923,6 @@ pass_waccess::warn_invalid_pointer (tree ref, gimple
*use_stmt,
       return;
     }

-  if ((maybe && warn_dangling_pointer < 2)
-      || warning_suppressed_p (use_stmt, OPT_Wdangling_pointer_))
-    return;
-
   if (DECL_NAME (var))
     {
       if ((ref
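
Review bot: removing '(maybe && warn_dangling_pointer < 2)' and 'warning_suppressed_p (use_stmt, OPT_Wdangling_pointer_)' ahead of 'if (DECL_NAME (var))' leaves this path with no test of the -Wdangling-pointer level and no check for a suppressed -Wdangling-pointer on use_stmt; with the first hunk applied, only the -Wuse-after-free conditions guard it. Keeping this check and adding the 'equality' case to it would prune the forwarded comparison without tying the two options together.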

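The source shape behind the first IL dump in the message above, as an added example that is not part of the original message and not the testcase from the bug report. Latin1, View and is_candidate are hypothetical stand-ins for QLatin1String, QStringView and the reporter's function; whether a particular GCC build warns on this code is not claimed.

```cpp
// Added illustration: stand-in types (hypothetical), not Qt's and not the
// testcase attached to the bug report.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iterator>

struct Latin1 {               // stand-in for QLatin1String: size + data pointer
    std::size_t m_size;
    const char *m_data;
};

struct View {                 // stand-in for QStringView
    const char *data;
    std::size_t size;
};

// std::find compares each element with the searched value through this.
inline bool operator==(const Latin1 &l, const View &v) {
    return l.m_size == v.size && std::memcmp(l.m_data, v.data, v.size) == 0;
}

// Mirrors the first IL dump: an automatic array is searched and the "found"
// test compares the returned iterator with std::end(). The iterator is only
// compared, never dereferenced, so nothing reads `candidates` once its
// lifetime has ended; the comparison is the equality-only use that the
// message says gets forwarded past the CLOBBER of `candidates`.
bool is_candidate(View s) {
    const Latin1 candidates[] = { { 2, "so" } };
    auto it = std::find(std::begin(candidates), std::end(candidates), s);
    return it != std::end(candidates);
}

int main() {
    // Constructed input: "so" is in the array, so the exit status is 0.
    return is_candidate(View{ "so", 2 }) ? 0 : 1;
}
```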