[Bug c++/109548] New: Detect c_str() dangling problems

[Bug c++/109548] New: Detect c_str() dangling problems

[paul.f.fee at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109548

            Bug ID: 109548
           Summary: Detect c_str() dangling problems
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: paul.f.fee at gmail dot com
  Target Milestone: ---

Thanks to bug 106393, G++ 13 can now catch simple dangling references, such as:

const int& f(const int& i) { return i; }
const int& i = f(10);

However, more complex examples do not trigger warnings:

#include <string>
std::string foo();
auto ptr = foo().c_str();

ASAN can detect stack-use-after-scope at runtime.  Clang can catch the issue at
build time.

$ clang++ -c small.cpp 
small.cpp:3:12: warning: object backing the pointer will be destroyed at the
end of the full-expression [-Wdangling-gsl]
auto ptr = foo().c_str();
           ^~~~~
1 warning generated.

Another example:

std::stringstream ss;
ss << "foo";
auto ptr = ss.str().c_str();

We're warned against this in the notes on cppreference.com, however it would be
better if GCC could detect such issues and warn during compilation.
https://en.cppreference.com/w/cpp/io/basic_stringstream/str

[Bug c++/109548] Detect c_str() dangling problems

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109548

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

[Bug c++/109548] Detect c_str() dangling problems

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109548

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-04-19
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
We could special-case std::basic_string::c_str() here but maybe it would be
better to add an attribute for describing the lifetime of pointers/references
returned from member functions.

We could annotate string::c_str() and string::data() and string::begin() etc.
to indicate that they share the lifetime of *this:

    [[gnu::lifetime(this)]]
    const charT*
    basic_string<charT, traits, Alloc>::c_str() const noexcept;

And maybe annotate member functions of view-like types to say that they _don't_
share the lifetime of *this:

    [[gnu::lifetime(!this)]]
    T*
    span<T, E>::data() const noexcept;

(!this) is not visually distinct from (this) though, so a different syntax
would be better. Maybe lifetime(nullptr) or lifetime(0)?

It might not be possible to use lifetime(this) annotations for non-trivial
analysis, because of cases like this:

    std::string s = "abc";
    auto p = s.c_str();  // OK
    s.clear();           // p now dangles
    *p;                  // ERR

Without creating a DSL for describing iterator invalidation of members like
string::clear() and string::insert() we can probably only use such an attribute
to allow the front-end to diagnose the simplest cases like foo().c_str() in
comment 0.

[Bug c++/109548] Detect c_str() dangling problems

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109548

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dmalcolm at gcc dot gnu.org,
                   |                            |rguenth at gcc dot gnu.org

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
David possibly has inputs on how this should be done so the analyzer can do
this kind of diagnostic.  Generally I'd say we want sth like

 T * __attribute__ ((return_lifetime(1))) foo (U *p, ...);

where we specify the lifetime of the returned referenced object to be
the same as a referenced object in the argument list?  So yes, the
[[gnu::lifetime(this)]] attribution would maybe do that but can
the attribute refer to another explicitely named argument as well?

Btw, is there an API to std::move the (possibly) allocated string out of
the std::string and make it available as C string pointer?

[Bug c++/109548] Detect c_str() dangling problems

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109548

--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Richard Biener from comment #2)
> Btw, is there an API to std::move the (possibly) allocated string out of
> the std::string and make it available as C string pointer?

No, ownership always belongs to a std::string object.