From: "bruno at clisp dot org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
Date: Fri, 26 May 2023 16:36:36 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: middle-end
X-Bugzilla-Version: 13.1.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Changed-Fields: attachments.created

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

--- Comment #5 from Bruno Haible ---
Created attachment 55170
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55170&action=edit
test case bar2.c

Find attached a modified test case.
I changed the code to

  map[i].alias = new_pool + (map[i].alias - string_space);
  map[i].value = new_pool + (map[i].value - string_space);

so that it subtracts pointers into the old string_space, producing an integer,
and adding that integer to new_pool.

It produces the same warning (even twice, apparently because there is no common
subexpression between the two lines any more):

$ gcc -Wall -O2 -S bar2.c
bar2.c: In function ‘read_alias_file’:
bar2.c:123:67: warning: pointer may be used after ‘realloc’ [-Wuse-after-free]
  123 |                           map[i].value = new_pool + (map[i].value - string_space);
      |                                                     ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
bar2.c:114:45: note: call to ‘realloc’ here
  114 |                   char *new_pool = (char *) realloc (string_space, new_size);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bar2.c:122:67: warning: pointer may be used after ‘realloc’ [-Wuse-after-free]
  122 |                           map[i].alias = new_pool + (map[i].alias - string_space);
      |                                                     ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
bar2.c:114:45: note: call to ‘realloc’ here
  114 |                   char *new_pool = (char *) realloc (string_space, new_size);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
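
Added example, not part of the comment above or of the attached bar2.c: a variant of the rebasing step that records each map entry as an offset while string_space is still live, so no expression reads the old pointer values after the realloc call. The struct layout, grow_pool and demo are hypothetical; only the names map, alias, value, string_space and new_pool come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the test case's map entries. */
struct alias_map { char *alias; char *value; };

static char *string_space;

/* Grow string_space to new_size and rebase n map entries.
   Returns 0 on success, -1 on failure (map and pool left untouched). */
int grow_pool(struct alias_map *map, size_t n, size_t new_size)
{
    if (n > SIZE_MAX / (2 * sizeof(ptrdiff_t)))
        return -1;
    /* Record every pointer as an offset BEFORE the pool is reallocated. */
    ptrdiff_t *off = malloc(2 * n * sizeof *off);
    if (off == NULL && n != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        off[2 * i]     = map[i].alias - string_space;
        off[2 * i + 1] = map[i].value - string_space;
    }
    char *new_pool = realloc(string_space, new_size);
    if (new_pool == NULL) {
        free(off);              /* old pool is still valid on failure */
        return -1;
    }
    /* Only new_pool and the saved integers are used from here on. */
    for (size_t i = 0; i < n; i++) {
        map[i].alias = new_pool + off[2 * i];
        map[i].value = new_pool + off[2 * i + 1];
    }
    free(off);
    string_space = new_pool;
    return 0;
}

/* Constructed demo: one alias/value pair, pool grown from 8 bytes to 1 MiB. */
int demo(void)
{
    string_space = malloc(8);
    if (string_space == NULL)
        return -1;
    memcpy(string_space, "foo\0bar", 8);
    struct alias_map map[1] = { { string_space, string_space + 4 } };
    if (grow_pool(map, 1, (size_t)1 << 20) != 0)
        return -1;
    int ok = map[0].alias == string_space
          && strcmp(map[0].alias, "foo") == 0
          && strcmp(map[0].value, "bar") == 0;
    free(string_space);
    string_space = NULL;
    return ok ? 0 : 1;
}
```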