From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109365] Double delete yields -Wanalyzer-use-after-free instead of -Wanalyzer-double-free
Date: Fri, 21 Jul 2023 22:22:47 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 13.0
X-Bugzilla-Severity: normal
X-Bugzilla-Who: dmalcolm at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: vultkayn at gcc dot gnu.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109365

David Malcolm changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dmalcolm at gcc dot gnu.org

--- Comment #5 from David Malcolm ---
(In reply to Benjamin Priour from comment #4)
> (In reply to Benjamin Priour from comment #3)

Here's a link to the reproducer: https://godbolt.org/z/Wa3fqjrTK
with the fields renamed to avoid reusing the name "a".

> [...snip...]
> >
> >
> > :
> >   *a.0_11 ={v} {CLOBBER};
> >   operator delete (a.0_11, 8);
> >
> [...snip...]
> >
> > Entry statement of bb3 is the one actually detected as
> > -Wanalyzer-double-free.
>
> Given the above IPA, we cannot just ignore the assignment statement, as it
> could really be an injurious statement, not just a pre-deallocation
> statement as it is now.

This assignment statement:
  *a.0_11 ={v} {CLOBBER};
is a "clobber", which is a special-case of assignment, generated by the
frontends when something is going out of scope, or becoming invalid.  We could
potentially just special-case such ass

>
> Consider the code:
>   A* a;
>   ...
>   delete a;
>   a->x = 7;            // (1)
>   operator delete (a); // (2)
>
> On my box, (1) and (2) generated the IPA
> :
>   a_10->a = 7;
>   operator delete (a_10);
>
> Thus, I'd first only consider types where a destructor is provided (by the
> user or generated).
> Indeed, when a destructor is supplied for a type, becomes something
> akin to :
>
>   struct A
>   {
>     ...
>     ~A() {}
>   }
>
>   ...
>
> :
>   A::~A (a.0_12);
>   operator delete (a.0_12, 8);
>
>
> The warnings stay the same, though it is now more reliable to check for a
> destructor call, instead of any random single assignment.

There's a sense in which it does make sense to complain about use-after-delete
in the destructor (when the destructor is non-empty): the memory is being
accessed after deletion.  Maybe this case would make more sense to the user?
(albeit being rather verbose)

> I'm considering
> adding a new state to sm-malloc, RS_DESTROYED, that would also help flag use
> after standalone destruction (without a succeeding deallocation).
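The following is an added, constructed C++ example; it is not from the bug report, the Godbolt reproducer, or GCC's own test suite. It puts the shape the thread discusses (a type with a user-provided destructor, whose `delete` lowers to an `A::~A` call followed by `operator delete`, deleted twice) next to two hardened forms in which a second destruction is either structurally impossible or a harmless `delete nullptr`. The struct `A`, the helper `safe_delete` and the `g_destroyed` counter are assumptions made for illustration; the double-delete function exists only as input for `g++ -fanalyzer -c` and is never called at run time, since executing it is undefined behaviour.

```cpp
#include <memory>

// Constructed example (not from the bug report): a type with a user-provided,
// non-empty destructor, so that `delete p` lowers, as the thread describes,
// to A::~A(p) followed by operator delete(p, sizeof(A)) rather than to a
// bare {CLOBBER} store.
static int g_destroyed = 0;   // how many times ~A has run (checked below)

struct A {
    int x = 0;
    ~A() { ++g_destroyed; }   // non-empty: the destructor touches *this
};

// The pattern under discussion: the same object deleted twice.  Intended as
// input to `g++ -fanalyzer -c`; at run time it is undefined behaviour, so
// nothing in this file calls it.
void double_delete_reproducer() {
    A* a = new A;
    delete a;   // A::~A(a); operator delete(a, 8);
    delete a;   // second A::~A reads the freed object, then frees it again
}

// Hardened form 1: unique ownership.  The object is destroyed exactly once,
// when its owner leaves scope, and there is no second raw pointer to delete.
int owned_by_unique_ptr() {
    g_destroyed = 0;
    {
        std::unique_ptr<A> a = std::make_unique<A>();
        a->x = 7;
    }                       // ~A runs here, once
    return g_destroyed;     // 1
}

// Hardened form 2, for code that must keep raw pointers: delete through a
// helper that nulls the caller's pointer, so an accidental repeated call
// deletes nullptr, which runs no destructor and frees nothing.
void safe_delete(A*& p) {
    delete p;
    p = nullptr;
}

int raw_pointer_with_safe_delete() {
    g_destroyed = 0;
    A* a = new A;
    safe_delete(a);
    safe_delete(a);         // second call: delete nullptr, a no-op
    return g_destroyed;     // 1
}
```

Compiling this file with `-fanalyzer` exercises exactly the lowering Priour describes for `double_delete_reproducer`: a destructor call on the object, then the deallocation, then the same pair again; the two hardened functions give the analyzer nothing to report because the destructor can only run once.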