[Bug middle-end/105346] [11/12 Regression] -Wno-free-nonheap-object false positive (on Bison-generated grammar code)

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "aldyh at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/105346] [11/12 Regression] -Wno-free-nonheap-object false positive (on Bison-generated grammar code)
Date: Wed, 27 Apr 2022 09:06:13 +0000	[thread overview]
Message-ID: <bug-105346-4-taNLu38ae7@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-105346-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105346

--- Comment #14 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
(In reply to Richard Biener from comment #13)
> (In reply to Andrew Macleod from comment #11)
> > (In reply to Richard Biener from comment #6)
> > 
> > > 
> > >   <bb 2> :
> > >   bufp_2 = &buf;
> > >   if (&buf != bufp_2)
> > >     goto <bb 3>; [INV]
> > >   else
> > >     goto <bb 4>; [INV]
> > > 
> > >   <bb 3> :
> > >   __builtin_free (bufp_2);
> > > 
> > > and for the stmt __builtin_free (bufp_2) I'd like to ask if we know
> > > that bufp_2 is != &buf (I'd expect a 'true' answer).  I think the
> > > relation oracle should be able to answer this but I can't find the
> > > appropriate API to use for this?
> > 
> > - The relation oracle currently only works with ssa-names.
> > - Ranger also doesn't currently track that sort of symbolic equivalence with
> > irange.
> > - the VRP passes have a pointer tracking mechanism as part of the dom walk,
> > and the call to rvrp_folder::value_of_expr (bufp_2) would give us &buf.  I
> > also think we also would fold the stmt in VRP.  This could in theory be
> > extended to any pass doing a dom walk.  however:
> > - I believe the upcoming prange extension for pointer ranges in stage 1 will
> > make this happen naturally with rangers query system. range_of_stmt ( if
> > <..>) would then produce bool [0, 0].  I would also expect that prange will
> > have an easy way to ask what its base/equivalence(s) are.
> 
> OK, I was hoping I can so sth like
> 
>  range_simplify_expr (NE_EXPR, bufp_2, &buf, at_free_stmt);
> 
> and then by means of the dominating if condition get a 'true'.  Note the
> diagnostic pass is not within a DOM walk so all I can use is an ad-hoc
> query.  I'm not looking to simplify the conditional itself as that won't
> help me with the current pass structure.

Hmmm, I suppose we could track inequality as well as equality in prange.  In
which case, we'd have:

=========== BB 2 ============
Imports: bufp_2
Exports: bufp_2
    <bb 2> :
    bufp_2 = &buf;
    if (&buf != bufp_2)
      goto <bb 3>; [INV]
    else
      goto <bb 4>; [INV]

bufp_2 : [prange] char[20] * [1B, +INF] [PT &buf]
2->3  (T) bufp_2 :      [prange] char[20] * [1B, +INF] [PT !&buf]
2->4  (F) bufp_2 :      [prange] char[20] * [1B, +INF] [PT &buf]

=========== BB 3 ============
bufp_2  [prange] char[20] * [1B, +INF] [PT !&buf]
    <bb 3> :
    free (bufp_2);

Notice that the range of bufp_2 at free() is:

   bufp_2  [prange] char[20] * [1B, +INF] [PT !&buf]

Whereas range_of_expr of &buf (anywhere) would be:

   [prange] char[20] * [1B, +INF] [PT &buf]

The intersection of both is the empty set / UNDEFINED, and should be able to
get that without dominance info.

Would that help?

Right now we're tracking equality, but it should be trivial to track
non-equality by adjusting the op1_range range-op entries.

next prev parent reply	other threads:[~2022-04-27  9:06 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-22 12:12 [Bug c/105346] New: " tim.vanholder at anubex dot com
2022-04-22 12:21 ` [Bug c/105346] " rguenth at gcc dot gnu.org
2022-04-26  8:10 ` tim.vanholder at anubex dot com
2022-04-26  9:20 ` tim.vanholder at anubex dot com
2022-04-26  9:21 ` [Bug c++/105346] " tim.vanholder at anubex dot com
2022-04-26  9:40 ` rguenth at gcc dot gnu.org
2022-04-26  9:52 ` [Bug middle-end/105346] " rguenth at gcc dot gnu.org
2022-04-26  9:53 ` [Bug middle-end/105346] [11/12 Regression] " rguenth at gcc dot gnu.org
2022-04-26  9:56 ` jakub at gcc dot gnu.org
2022-04-26 10:09 ` rguenther at suse dot de
2022-04-26 10:12 ` jakub at gcc dot gnu.org
2022-04-26 13:53 ` amacleod at redhat dot com
2022-04-26 14:12 ` aldyh at gcc dot gnu.org
2022-04-27  7:15 ` rguenth at gcc dot gnu.org
2022-04-27  9:06 ` aldyh at gcc dot gnu.org [this message]
2022-04-27  9:16 ` rguenth at gcc dot gnu.org
2022-04-27  9:23 ` aldyh at gcc dot gnu.org
2022-04-27 10:17 ` rguenth at gcc dot gnu.org
2023-05-29 10:06 ` [Bug middle-end/105346] [11/12/13/14 " jakub at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-105346-4-taNLu38ae7@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).