[Bug c/106868] New: Bogus -Wdangling-pointer warning with -O1

[Bug c/106868] New: Bogus -Wdangling-pointer warning with -O1

[medhefgo at web dot de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

            Bug ID: 106868
           Summary: Bogus -Wdangling-pointer warning with -O1
           Product: gcc
           Version: 12.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: medhefgo at web dot de
  Target Milestone: ---

The following code gives me a (afaik) bogus dangling pointer warning:

# cat testcase.c
void alloc(void **p);
void false_dangling(char **p) {
  {
    void *q;
    alloc(&q);
    *p = q;
  }
  char *a = __builtin_memcpy(*p, "", 1);
  *a = 0;
}

$ gcc -c -o/dev/null testcase.c -Wdangling-pointer -O1
testcase.c: In function ‘false_dangling’:
testcase.c:9:6: warning: using dangling pointer ‘a’ to ‘q’
[-Wdangling-pointer=]
    9 |   *a = 0;
      |   ~~~^~~
testcase.c:4:11: note: ‘q’ declared here
    4 |     void *q;
      |

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/12.2.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --enable-bootstrap
--prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/
--with-build-config=bootstrap-lto --with-linker-hash-style=gnu
--with-system-zlib --enable-__cxa_atexit --enable-cet=auto
--enable-checking=release --enable-clocale=gnu --enable-default-pie
--enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object
--enable-libstdcxx-backtrace --enable-link-serialization=1
--enable-linker-build-id --enable-lto --enable-multilib --enable-plugin
--enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch
--disable-werror
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.2.0 (GCC)

[Bug tree-optimization/106868] [12/13 Regression] Bogus -Wdangling-pointer warning with -O1

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
           Keywords|                            |diagnostic
            Summary|Bogus -Wdangling-pointer    |[12/13 Regression] Bogus
                   |warning with -O1            |-Wdangling-pointer warning
                   |                            |with -O1
          Component|c                           |tree-optimization
   Last reconfirmed|                            |2022-09-07
             Status|UNCONFIRMED                 |NEW
           Priority|P3                          |P2
                 CC|                            |msebor at gcc dot gnu.org
   Target Milestone|---                         |12.3

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.

<bb 2> [local count: 1073741824]:
alloc (&q);
q.0_1 = q;
*p_4(D) = q.0_1;
q ={v} {CLOBBER(eol)};
a_8 = __builtin_memcpy (q.0_1, "", 1);
*a_8 = 0;
return;

(gdb) p debug_gimple_stmt (use_stmt)
# .MEM_9 = VDEF <.MEM_7>
*a_8 = 0;
(gdb) p debug_gimple_stmt (stmt)
# .MEM_6 = VDEF <.MEM_5>
q ={v} {CLOBBER(eol)};

we somehow confuse q.0_1 = q; as assigning the address of the object 'q'.
Some addr vs deref mismatch somewhere in the code.

A regression with -Wall.

[Bug tree-optimization/106868] [12/13 Regression] Bogus -Wdangling-pointer warning with -O1

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
(In reply to Richard Biener from comment #1)
> Confirmed.
> 
> <bb 2> [local count: 1073741824]:
> alloc (&q);
> q.0_1 = q;
> *p_4(D) = q.0_1;
> q ={v} {CLOBBER(eol)};
> a_8 = __builtin_memcpy (q.0_1, "", 1);
> *a_8 = 0;
> return;
...
> we somehow confuse q.0_1 = q; as assigning the address of the object 'q'.

The reason for the false positive is plain to see in the IL: the memcpy call is
passed a copy of the clobbered q.  It then returns another copy of the same q
which is then used to dereference whatever the pointer points to.  The warning
is due to the (known) mismatch between how the optimizers and the warning
interpret clobbers: (IIUC) the optimizers treat it as the value of the assigned
variable alone becoming indeterminate, while the warning as all copies of it
becoming so.

[Bug tree-optimization/106868] [12/13 Regression] Bogus -Wdangling-pointer warning with -O1

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
(In reply to Martin Sebor from comment #2)
...
Actually, scratch that, sorry.  Richard is right that the false positive is due
to a bug in the warning code.  The following patch resolves it:

diff --git a/gcc/gimple-ssa-warn-access.cc b/gcc/gimple-ssa-warn-access.cc
index 04aa849a4b1..79093b46906 100644
--- a/gcc/gimple-ssa-warn-access.cc
+++ b/gcc/gimple-ssa-warn-access.cc
@@ -4467,6 +4467,7 @@ pass_waccess::gimple_call_return_arg_ref (gcall *call)
     {
       access_ref aref;
       if (m_ptr_qry.get_ref (arg, call, &aref, 0)
+         && aref.deref < 0
          && DECL_P (aref.ref))
        return aref.ref;
     }

[Bug tree-optimization/106868] [12/13 Regression] Bogus -Wdangling-pointer warning with -O1

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |rguenth at gcc dot gnu.org

--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
I'm testing a variant of the patch that instead makes the argument pass-through
work the same as the PHI pass-through which instead does

                 if (!m_ptr_qry.get_ref (arg, phi, &aref, 0)
                     || (aref.deref == 0
                         && POINTER_TYPE_P (TREE_TYPE (aref.ref))))
                   continue;

thus disallows aref.deref == 0 with pointer type which is what happens in
this case as well.

OTOH it doesn't make much sense to me either - but then the .get_ref
documentation is very sparse and the API very complicated.

I _think_ that the get_ref (via compute_objsize) returns the object
that 'arg' references (points-to) in aref.ref, but how aref.deref
is then set is a mystery to me.  It _seems_ that we want to have
< 0 here as martin indicated but that would mean the PHI case is
wrong as well (and the POINTER_TYPE_P check very odd).  It also
seems that for the call case we might want to call
check_dangling_uses (var, aref.ref, true) for aref.deref == 0?

I'm going to test this piecewise.

[Bug tree-optimization/106868] [12/13 Regression] Bogus -Wdangling-pointer warning with -O1

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:d492d50f644811327c5976e2c918ab6d906ed40c

commit r13-4494-gd492d50f644811327c5976e2c918ab6d906ed40c
Author: Richard Biener <rguenther@suse.de>
Date:   Mon Dec 5 10:13:13 2022 +0100

    tree-optimization/106868 - bogus -Wdangling-pointer diagnostic

    The testcase shows we mishandle the case where there's a pass-through
    of a pointer through a function like memcpy.  The following adjusts
    handling of this copy case to require a taken address and adjust
    the PHI case similarly.

            PR tree-optimization/106868
            * gimple-ssa-warn-access.cc
(pass_waccess::gimple_call_return_arg_ref):
            Inline into single user ...
            (pass_waccess::check_dangling_uses): ... here and adjust the
            call and the PHI case to require that ref.aref is the address
            of the decl.

            * gcc.dg/Wdangling-pointer-pr106868.c: New testcase.

[Bug tree-optimization/106868] [12/13 Regression] Bogus -Wdangling-pointer warning with -O1

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |12.2.0
      Known to work|                            |13.0

--- Comment #6 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed on trunk sofar, thanks for the report and sorry for the long silence.

[Bug tree-optimization/106868] [12 Regression] Bogus -Wdangling-pointer warning with -O1

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by Richard Biener
<rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:ad6ace70ba38d2052eeb5adb9672d33f59867be0

commit r12-8972-gad6ace70ba38d2052eeb5adb9672d33f59867be0
Author: Richard Biener <rguenther@suse.de>
Date:   Mon Dec 5 10:13:13 2022 +0100

    tree-optimization/106868 - bogus -Wdangling-pointer diagnostic

    The testcase shows we mishandle the case where there's a pass-through
    of a pointer through a function like memcpy.  The following adjusts
    handling of this copy case to require a taken address and adjust
    the PHI case similarly.

            PR tree-optimization/106868
            * gimple-ssa-warn-access.cc
(pass_waccess::gimple_call_return_arg_ref):
            Inline into single user ...
            (pass_waccess::check_dangling_uses): ... here and adjust the
            call and the PHI case to require that ref.aref is the address
            of the decl.

            * gcc.dg/Wdangling-pointer-pr106868.c: New testcase.

    (cherry picked from commit d492d50f644811327c5976e2c918ab6d906ed40c)

[Bug tree-optimization/106868] [12 Regression] Bogus -Wdangling-pointer warning with -O1

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106868

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to work|                            |12.2.1
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.