public inbox for gcc-bugs@sourceware.org
* [Bug middle-end/109990] New: [12 Regression] Bogus -Wuse-after-free warning after realloc
From: bruno at clisp dot org @ 2023-05-26 13:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

            Bug ID: 109990
           Summary: [12 Regression] Bogus -Wuse-after-free warning after
                    realloc
           Product: gcc
           Version: 13.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bruno at clisp dot org
  Target Milestone: ---

Created attachment 55168
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55168&action=edit
test case bar.c

Compiling the attached file produces a warning that is not justified:

$ gcc -Wall -O2 -S bar.c
bar.c: In function ‘read_alias_file’:
bar.c:122:52: warning: pointer may be used after ‘realloc’ [-Wuse-after-free]
  122 |                           map[i].alias += new_pool - string_space;
      |                                           ~~~~~~~~~^~~~~~~~~~~~~~
bar.c:114:45: note: call to ‘realloc’ here
  114 |                   char *new_pool = (char *) realloc (string_space, new_size);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The warning is not justified because only the pointer 'string_space' is used
here; it is not being dereferenced.

Seen with gcc 12.3.0 and 13.1.0.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: pinskia at gcc dot gnu.org @ 2023-05-26 14:25 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
```

                  char *new_pool = (char *) realloc (string_space, new_size);
                  if (new_pool == ((void *)0))
                    goto out;
                  if (__builtin_expect (string_space != new_pool, 0))
                    {
                      size_t i;
                      for (i = 0; i < nmap; i++)
                        {
                          map[i].alias += new_pool - string_space;
                          map[i].value += new_pool - string_space;
                        }
                    }
                  string_space = new_pool;
```

Hmmm


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: pinskia at gcc dot gnu.org @ 2023-05-26 14:30 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104215

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
See also the discussion starting at bug 104215 comment #2.


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: pinskia at gcc dot gnu.org @ 2023-05-26 14:31 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Andrew Pinski from comment #1)
> ```
> 
>                   char *new_pool = (char *) realloc (string_space, new_size);
>                   if (new_pool == ((void *)0))
>                     goto out;
>                   if (__builtin_expect (string_space != new_pool, 0))
>                     {
>                       size_t i;
>                       for (i = 0; i < nmap; i++)
>                         {
>                           map[i].alias += new_pool - string_space;
>                           map[i].value += new_pool - string_space;
>                         }
>                     }
>                   string_space = new_pool;
> ```
> 
> Hmmm

Also I think `new_pool - string_space` is undefined really.  That is,
subtracting two unrelated arrays is undefined. You can only compare equality on
them.


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: bruno at clisp dot org @ 2023-05-26 16:27 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

--- Comment #4 from Bruno Haible <bruno at clisp dot org> ---
> > 
> >                   char *new_pool = (char *) realloc (string_space, new_size);
> >                   if (new_pool == ((void *)0))
> >                     goto out;
> >                   if (__builtin_expect (string_space != new_pool, 0))
> >                     {
> >                       size_t i;
> >                       for (i = 0; i < nmap; i++)
> >                         {
> >                           map[i].alias += new_pool - string_space;
> >                           map[i].value += new_pool - string_space;
> >                         }
> >                     }
> >                   string_space = new_pool;

> Also I think `new_pool - string_space` is undefined really.  That is
> subtracting two unrelated arrays is undefined. You can only compare equality
> on them.

That is the only way of keeping track of pointers _into_ the string_space area,
when it is reallocated. How else would you want to do it?


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: bruno at clisp dot org @ 2023-05-26 16:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

--- Comment #5 from Bruno Haible <bruno at clisp dot org> ---
Created attachment 55170
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55170&action=edit
test case bar2.c

Find attached a modified test case. I changed the code to

                          map[i].alias = new_pool + (map[i].alias - string_space);
                          map[i].value = new_pool + (map[i].value - string_space);

so that it subtracts pointers into the old string_space, producing an integer,
and adding that integer to new_pool.

It produces the same warning (even twice, apparently because there is no common
subexpression between the two lines any more):

$ gcc -Wall -O2 -S bar2.c
bar2.c: In function ‘read_alias_file’:
bar2.c:123:67: warning: pointer may be used after ‘realloc’ [-Wuse-after-free]
  123 |                           map[i].value = new_pool + (map[i].value - string_space);
      |                                                     ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
bar2.c:114:45: note: call to ‘realloc’ here
  114 |                   char *new_pool = (char *) realloc (string_space, new_size);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bar2.c:122:67: warning: pointer may be used after ‘realloc’ [-Wuse-after-free]
  122 |                           map[i].alias = new_pool + (map[i].alias - string_space);
      |                                                     ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
bar2.c:114:45: note: call to ‘realloc’ here
  114 |                   char *new_pool = (char *) realloc (string_space, new_size);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: pinskia at gcc dot gnu.org @ 2023-05-26 16:39 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

--- Comment #6 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Bruno Haible from comment #4) 
> That is the only way of keeping track of pointers _into_ the string_space
> area, when it is reallocated. How else would you want to do it?

You could use intptr_t casting to do the subtraction ...

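Both variants discussed in this thread rebase the interior pointers after the call: comment #1 subtracts the old `string_space` from `new_pool`, comment #5 subtracts `string_space` from each stored pointer. In both cases the old pointer value is read after `realloc` has possibly freed the block it pointed to, which is the use the diagnostic reports. The following is an added example, not code from the bug report, from gnulib or from GCC. It shows the alternative the question in comment #4 asks for, separate from the `intptr_t` cast suggested in comment #6: every interior pointer is turned into an offset into the old block before `realloc` is called, and pointers are rebuilt from `new_pool` afterwards, so each subtraction stays within one live object and `string_space` is never read once the call has returned. The type and function names (`alias_map`, `grow_string_space`, `demo_rebase`) and the `"foo\0bar"` sample pool are assumptions made for this illustration.

```c
/* Added example, not code from the bug report, gnulib or GCC: rebasing
   pointers into a realloc'ed buffer without reading the old pointer after
   the call.  Names below (alias_map, grow_string_space, demo_rebase) are
   assumptions made for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alias_map {
    char *alias;   /* points into string_space */
    char *value;   /* points into string_space */
};

/* Grow string_space to new_size (caller only ever grows, so every stored
   offset is < old size <= new_size) and rebase the pointers in map[0..nmap).
   Returns the new block, or NULL with the old block and map left intact.
   Each pointer subtraction has both operands inside the same live object,
   and string_space is not touched once realloc has been called. */
static char *grow_string_space(char *string_space, size_t new_size,
                               struct alias_map *map, size_t nmap)
{
    size_t *off = malloc((nmap ? nmap : 1) * 2 * sizeof *off);
    if (off == NULL)
        return NULL;

    /* 1. Record offsets while the old block is still alive. */
    for (size_t i = 0; i < nmap; i++) {
        off[2 * i]     = (size_t)(map[i].alias - string_space);
        off[2 * i + 1] = (size_t)(map[i].value - string_space);
    }

    /* 2. realloc: from here on string_space may refer to a freed block. */
    char *new_pool = realloc(string_space, new_size);
    if (new_pool == NULL) {
        free(off);
        return NULL;               /* old block is still valid for the caller */
    }

    /* 3. Rebuild the pointers from the new base only. */
    for (size_t i = 0; i < nmap; i++) {
        map[i].alias = new_pool + off[2 * i];
        map[i].value = new_pool + off[2 * i + 1];
    }
    free(off);
    return new_pool;
}

/* Constructed demo: a pool holding "foo\0bar\0" with one alias entry, grown
   far enough that realloc is likely to move it.  Returns 1 if the rebased
   pointers still address the right strings inside the new block, else 0. */
int demo_rebase(void)
{
    const char pool_init[] = "foo\0bar";     /* 8 bytes including both NULs */
    size_t size = sizeof pool_init;
    char *string_space = malloc(size);
    if (string_space == NULL)
        return 0;
    memcpy(string_space, pool_init, size);

    struct alias_map map[1];
    map[0].alias = string_space;            /* "foo" */
    map[0].value = string_space + 4;        /* "bar" */

    char *grown = grow_string_space(string_space, 1u << 20, map, 1);
    if (grown == NULL) {
        free(string_space);
        return 0;
    }
    string_space = grown;                   /* the only pointer we keep */

    int ok = map[0].alias == string_space
          && map[0].value == string_space + 4
          && strcmp(map[0].alias, "foo") == 0
          && strcmp(map[0].value, "bar") == 0;
    free(string_space);
    return ok;
}

int main(void)
{
    int ok = demo_rebase();
    printf("rebase after realloc: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Because `string_space` is never read after the `realloc` call, there is no use of the possibly freed pointer for `-Wuse-after-free` to report at the rebase step, and no subtraction of pointers from two different allocations for comment #3's objection to apply to. The cost is a temporary array of offsets; a design that keeps offsets in the map permanently and materializes `char *` on demand avoids even that.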

* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: rguenth at gcc dot gnu.org @ 2023-05-30  7:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |12.4


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: law at gcc dot gnu.org @ 2024-03-10  3:37 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

Jeffrey A. Law <law at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2024-03-10
                 CC|                            |law at gcc dot gnu.org
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1


* [Bug middle-end/109990] [12/13/14 Regression] Bogus -Wuse-after-free warning after realloc
From: law at gcc dot gnu.org @ 2024-03-22 13:45 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109990

Jeffrey A. Law <law at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P2

