From: "priour.be at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109365] New: Double delete yields -Wanalyzer-use-after-free instead of -Wanalyzer-double-free
Date: Fri, 31 Mar 2023 20:31:53 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109365

            Bug ID: 109365
           Summary: Double delete yields -Wanalyzer-use-after-free instead
                    of -Wanalyzer-double-free
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: priour.be at gmail dot com
  Target Milestone: ---
            Target: x86_64-pc-linux-gnu
             Build: 13.0.1 20230328 (experimental)

Double delete does not result in a -Wanalyzer-double-free warning as expected, but rather in a -Wanalyzer-use-after-free warning.

Using the following reproducer:

// file ../../double_delete_test.cpp
struct A {int a; int b;};

int main ()
{
  A* a = new A();
  delete a;
  delete a;   // second delete of the same pointer
  return 0;
}

Then compiling with

./xg++ -B. -S -fanalyzer -Wanalyzer-double-free ../../double_delete_test.cpp

../../double_delete_test.cpp: In function ‘int main()’:
../../double_delete_test.cpp:9:1: warning: use after ‘delete’ of ‘a’ [CWE-416] [-Wanalyzer-use-after-free]
    9 | }
      | ^
  ‘int main()’: events 1-7
    |
    |    5 |   A* a = new A();
    |      |          ^
    |      |          |
    |      |          (1) state of ‘&HEAP_ALLOCATED_REGION(10)’: ‘start’ -> ‘nonnull’ (NULL origin)
    |    6 |   delete a;
    |      |   ~~~~~~~~
    |      |   |      |
    |      |   |      (3) ...to here
    |      |   |      (4) deleted here
    |      |   (2) following ‘true’ branch...
    |    7 |   delete a;
    |      |   ~~~~~~~~
    |      |   |      |
    |      |   |      (6) ...to here
    |      |   (5) following ‘true’ branch...
    |    8 |   return 0;
    |    9 | }
    |      | ~
    |      | |
    |      | (7) use after ‘delete’ of ‘a’; deleted at (4)
    |

I also attempted with -fno-exception, but no impact was observed on the graphs nor the output.

With the addition of -fanalyzer-fine-grained, I observed that each delete statement is actually split into two:

delete a;

becomes in the ipa form:

*a.0_9 ={v} {CLOBBER};
operator delete (a.0_9, 8);

The exploded-graph shows that the second '*a.1_12 ={v} {CLOBBER};' dereference is responsible for the -Wanalyzer-use-after-free, and changes the state of the allocated region from 'freed' to 'stop', which causes the actual following 'operator delete' to not be detected as a double free.

I am still familiarizing myself with the gimplification and ssa passes, so I'm yet unsure as to how to tackle this. I'm still looking into this though, and would gladly receive your pointers.

(Note: sorry David, I've binged through bugzilla doc and gcc bugs page yet I cannot seem to find the way to add this to the 'analyzer-c++' block, nor do I see the option in the advanced fields.)
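The report above shows the analyzer's view of a raw double delete. As an added example that is not part of the bug report or of GCC's own code, the block below shows two forms of the same ownership pattern that leave nothing for either -Wanalyzer-double-free or -Wanalyzer-use-after-free to flag: a helper that nulls the pointer after delete (so a repeated delete is the well-defined no-op `delete nullptr`), and RAII ownership through `std::unique_ptr`. The struct `A` mirrors the reporter's type; `safe_delete` and the two function names are hypothetical names chosen here.

```cpp
#include <memory>

// Constructed sample type, same shape as the struct in the bug report.
struct A { int a; int b; };

// Hardened form 1: delete through a helper that takes the pointer by
// reference and resets it. A second call deletes nullptr, which is a no-op,
// so neither the double free nor the clobber of freed storage can occur.
template <typename T>
void safe_delete(T*& p) {
    delete p;
    p = nullptr;
}

// Returns true when two successive safe_delete calls leave the pointer null
// and never touch the object after its first release.
bool safe_delete_is_idempotent() {
    A* a = new A();
    a->a = 1;
    safe_delete(a);
    safe_delete(a);          // deletes nullptr: defined, does nothing
    return a == nullptr;
}

// Hardened form 2: RAII ownership. The destructor runs exactly once when the
// owner is reset or goes out of scope; there is no raw delete to repeat.
int owned_by_unique_ptr() {
    auto a = std::make_unique<A>();
    a->a = 40;
    a->b = 2;
    int sum = a->a + a->b;   // 42
    a.reset();               // explicit release of the object
    a.reset();               // already empty: no second destructor call
    return sum;
}
```

Both functions compile cleanly under `g++ -fanalyzer -S`, which is the same mode the report uses on its reproducer; the difference is that the freed region is never dereferenced or passed to `operator delete` a second time, so no `freed` to `stop` transition is ever reached.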