[Bug tree-optimization/109170] New: New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[Bug tree-optimization/109170] New: New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

            Bug ID: 109170
           Summary: New glibc warning: open_catalog.c:86:16: error:
                    pointer ‘old_buf’ may be used after ‘realloc’
                    [-Werror=use-after-free] since
                    r13-6707-g0a07bfad12530bca
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: rguenth at gcc dot gnu.org
  Target Milestone: ---

Created attachment 54688
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54688&action=edit
Unreduced test-case

Happens for the current glibc master with the latest GCC compiler:

$ gcc -c open_catalog.i -O2 -Wall
open_catalog.c: In function ‘__open_catalog’:
open_catalog.c:86:16: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:86:148: note: call to ‘realloc’ here
open_catalog.c:102:17: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:102:149: note: call to ‘realloc’ here
open_catalog.c:109:17: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:109:149: note: call to ‘realloc’ here
open_catalog.c:118:14: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:118:140: note: call to ‘realloc’ here
open_catalog.c:134:18: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:134:144: note: call to ‘realloc’ here
open_catalog.c:151:18: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:151:144: note: call to ‘realloc’ here
open_catalog.c:158:17: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:158:143: note: call to ‘realloc’ here
open_catalog.c:171:13: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:171:139: note: call to ‘realloc’ here
open_catalog.c:175:12: warning: pointer ‘old_buf’ may be used after ‘realloc’
[-Wuse-after-free]
open_catalog.c:175:138: note: call to ‘realloc’ here

[Bug tree-optimization/109170] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1
           Assignee|unassigned at gcc dot gnu.org      |rguenth at gcc dot gnu.org
   Last reconfirmed|                            |2023-03-17

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
I will have a look.

[Bug tree-optimization/109170] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Reduced test-case:

$ cat open_catalog.i
unsigned long bufmax = 0;
unsigned long __open_catalog_bufmax;
void *realloc();
void free();

void __open_catalog(char *buf) {
  char *old_buf = buf;
   buf = realloc (buf, bufmax);
   if (__builtin_expect ((buf == ((void *)0)), 0))
     free (old_buf);
}

[Bug tree-optimization/109170] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
The issue is that we have

<bb 2> :
old_buf_7 = buf_6(D);
bufmax.0_1 = bufmax;
buf_10 = realloc (buf_6(D), bufmax.0_1);
_2 = buf_10 == 0B;
_3 = (long int) _2;
_4 = __builtin_expect (_3, 0);
if (_4 != 0)
  goto <bb 3>; [INV]
else
  goto <bb 4>; [INV]

<bb 3> :
free (old_buf_7);

but ranger lacks a range-op for __builtin_constant_p.  Testing a fix.

[Bug tree-optimization/109170] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

--- Comment #4 from Martin Liška <marxin at gcc dot gnu.org> ---
> but ranger lacks a range-op for __builtin_constant_p.  Testing a fix.

you likely mean __builtin_expect, right? Sure, that's a simple optimization
ranger should understand..

[Bug tree-optimization/109170] [13 Regression] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |13.0
            Summary|New glibc warning:          |[13 Regression] New glibc
                   |open_catalog.c:86:16:       |warning:
                   |error: pointer ‘old_buf’    |open_catalog.c:86:16:
                   |may be used after ‘realloc’ |error: pointer ‘old_buf’
                   |[-Werror=use-after-free]    |may be used after ‘realloc’
                   |since                       |[-Werror=use-after-free]
                   |r13-6707-g0a07bfad12530bca  |since
                   |                            |r13-6707-g0a07bfad12530bca

[Bug tree-optimization/109170] [13 Regression] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:5f413dc41ee4f8bc3a0fc295f98b75dceae52fa8

commit r13-6773-g5f413dc41ee4f8bc3a0fc295f98b75dceae52fa8
Author: Richard Biener <rguenther@suse.de>
Date:   Fri Mar 17 13:14:49 2023 +0100

    tree-optimization/109170 - bogus use-after-free with __builtin_expect

    The following adds a missing range-op for __builtin_expect which
    helps -Wuse-after-free to detect the case a realloc original
    pointer is used when the result was NULL.  The implementation
    should handle all argument one pass-through builtins we handle
    in the fnspec machinery, but that's defered to GCC 14.

    The gcc.dg/tree-ssa/ssa-lim-21.c testcase needs adjustment because

       for (int j = 0; j < m; j++)
         if (__builtin_expect (m, 0))
           for (int i = 0; i < m; i++)

    is now correctly optimized to a unconditional jump by EVRP - m
    cannot be zero when the outer loop is entered.  I've adjusted
    the outer loop to iterate 'n' times which makes us apply store-motion
    to 'count' and 'q->data1' but only out of the inner loop and
    as expected not apply store motion to 'q->data' at all.

    The gcc.dg/predict-20.c testcase relies on broken behavior of
    profile estimation when trying to handle __builtin_expect values
    flowing into PHI nodes.  I have opened PR109210 and removed
    the expected matching from the testcase.

            PR tree-optimization/109170
            * gimple-range-op.cc (cfn_pass_through_arg1): New.
            (gimple_range_op_handler::maybe_builtin_call): Handle
            __builtin_expect via cfn_pass_through_arg1.

            * gcc.dg/Wuse-after-free-pr109170.c: New testcase.
            * gcc.dg/tree-ssa/ssa-lim-21.c: Adjust.
            * gcc.dg/predict-20.c: Likewise.

[Bug tree-optimization/109170] [13 Regression] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #6 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.

[Bug tree-optimization/109170] [13 Regression] New glibc warning: open_catalog.c:86:16: error: pointer ‘old_buf’ may be used after ‘realloc’ [-Werror=use-after-free] since r13-6707-g0a07bfad12530bca

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109170

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:65369ab62cee68eb7f6ef65e3d12d1969a9e20ee

commit r14-300-g65369ab62cee68eb7f6ef65e3d12d1969a9e20ee
Author: Richard Biener <rguenther@suse.de>
Date:   Fri Mar 17 13:14:49 2023 +0100

    tree-optimization/109170 - bogus use-after-free with __builtin_expect

    The following generalizes the range-op for __builtin_expect
    by using the fnspec machinery.

            PR tree-optimization/109170
            * gimple-range-op.cc (gimple_range_op_handler::maybe_builtin_call):
            Handle __builtin_expect and similar via cfn_pass_through_arg1
            and inspecting the calls fnspec.
            * builtins.cc (builtin_fnspec): Handle BUILT_IN_EXPECT
            and BUILT_IN_EXPECT_WITH_PROBABILITY.