From: "vultkayn at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109365] Double delete yields -Wanalyzer-use-after-free instead of -Wanalyzer-double-free
Date: Fri, 07 Jul 2023 11:28:44 +0000
Product: gcc  Component: analyzer  Version: 13.0  Severity: normal  Status: UNCONFIRMED  Priority: P3

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109365

Benjamin Priour changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Assignee|dmalcolm at gcc dot gnu.org |vultkayn at gcc dot gnu.org

--- Comment #4 from Benjamin Priour ---
(In reply to Benjamin Priour from comment #3)
[...snip...]
> 
> 
> :
>   *a.0_11 ={v} {CLOBBER};
>   operator delete (a.0_11, 8);
> [...snip...]
>
> Entry statement of bb3 is the one actually detected as
> -Wanalyzer-double-free.

Given the above IPA, we cannot just ignore the assignment statement, as it
could really be an injurious statement, not just a pre-deallocation statement
as it is now.
Consider the code:

A* a;
...
delete a;
a->x = 7;            // (1)
operator delete (a); // (2)

On my box, (1) and (2) generated the IPA:

a_10->a = 7;
operator delete (a_10);

Thus, I'd first only consider types where a destructor is provided (by the user
or generated).
Indeed, when a destructor is supplied for a type, becomes something akin to:

struct A {
  ...
  ~A() {}
}
...
:
A::~A (a.0_12);
operator delete (a.0_12, 8);

The warnings stay the same, though it is now more reliable to check for a
destructor call, instead of any random single assignment.
I'm considering adding a new state to sm-malloc, RS_DESTROYED, that would also
help flag use after standalone destruction (without a succeeding deallocation).
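As an added example (not code from the bug report or from GCC), the following file puts the two source shapes the comment contrasts, a trivially destructible type and a type with a user-provided destructor, next to two ownership patterns that make a second release harmless. The file name and the build flags in the header comment are assumptions; the buggy functions are compiled but deliberately never executed, since running them is undefined behaviour.

```cpp
// Added example for this thread (not code from the bug report or from GCC):
// the two shapes of double delete the comment distinguishes, side by side
// with ownership patterns that make a second release harmless.
// To see the analyzer diagnostics and the GIMPLE the comment quotes
// (CLOBBER + operator delete vs. ~A() + operator delete), build with:
//   g++ -std=c++17 -fanalyzer -O1 -fdump-tree-optimized double_delete.cc
// The file name is an assumption.
#include <cstddef>
#include <memory>

// Trivially destructible: delete lowers to a CLOBBER plus operator delete.
struct Plain { int x; };

// User-provided destructor: delete lowers to a call to ~WithDtor followed by
// operator delete, which is the sequence the comment proposes to key on.
struct WithDtor {
    static int dtor_calls;   // counts how often the destructor ran
    int x;
    ~WithDtor() { ++dtor_calls; }
};
int WithDtor::dtor_calls = 0;

// Buggy shape 1: delete, write through the dangling pointer, delete again.
// Never executed here (undefined behaviour); present so -fanalyzer can be
// run on this file and the warning at (1) and (2) inspected.
void buggy_plain() {
    Plain *a = new Plain{1};
    delete a;
    a->x = 7;    // (1) use after free
    delete a;    // (2) double free
}

// Buggy shape 2: the same mistake on a type with a user-provided destructor.
// Also never executed at runtime.
void buggy_with_dtor() {
    WithDtor *a = new WithDtor{1};
    delete a;
    delete a;    // destructor would run twice, then operator delete twice
}

// Hardening 1: a release helper that nulls the pointer. A second call sees
// nullptr, and `delete nullptr` is defined to do nothing.
template <typename T>
void safe_delete(T *&p) {
    delete p;
    p = nullptr;
}

// Returns true when releasing twice through safe_delete ran the destructor
// exactly once and left the pointer null.
bool safe_delete_twice_runs_dtor_once() {
    WithDtor::dtor_calls = 0;
    WithDtor *a = new WithDtor{1};
    safe_delete(a);
    safe_delete(a);   // no-op: a is already nullptr
    return a == nullptr && WithDtor::dtor_calls == 1;
}

// Hardening 2: unique ownership. There is no raw owning pointer to delete
// twice, and reset() on an empty unique_ptr is a no-op.
bool unique_ptr_reset_twice_runs_dtor_once() {
    WithDtor::dtor_calls = 0;
    std::unique_ptr<WithDtor> a = std::make_unique<WithDtor>();
    a->x = 1;
    a.reset();
    a.reset();        // no-op: a is already empty
    return !a && WithDtor::dtor_calls == 1;
}

int main() {
    // Only the hardened paths run; the buggy functions exist for the analyzer.
    return (safe_delete_twice_runs_dtor_once() &&
            unique_ptr_reset_twice_runs_dtor_once()) ? 0 : 1;
}
```

The destructor counter is what makes the hardened paths checkable at runtime: in both cases the object is destroyed exactly once, while the second release degenerates to a no-op instead of a second ~WithDtor() and operator delete pair.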