public inbox for gcc-bugs@sourceware.org
* [Bug c/111695] New: Spurious -Wuse-after-free when managing two arrays in parallel
From: jonathan.leffler at gmail dot com @ 2023-10-04 17:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695
Bug ID: 111695
Summary: Spurious -Wuse-after-free when managing two arrays in parallel
Product: gcc
Version: 13.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: jonathan.leffler at gmail dot com
Target Milestone: ---
Created attachment 56047
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56047&action=edit
Variation 1 (two arrays in parallel)
Related to meta-bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104075
(bogus/missing -Wuse-after-free). Related to
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106578 (spurious
-Wuse-after-free=2 after conditional free() when not optimizing), but the
symptoms are different.
There are 4 (smallish) source files. Files gcc-bug-1.c and gcc-bug-3.c use one
algorithm for handling old and new values; files gcc-bug-2.c and gcc-bug-4.c
use a slightly different algorithm. Files gcc-bug-1.c and gcc-bug-2.c manage two
arrays 'in parallel' — the names and sizes arrays are handled by separate
allocations using the same size controls and report spurious 'use-after-free'
errors. Files gcc-bug-3.c and gcc-bug-4.c manage a single array and do not
report any (spurious) 'use-after-free' error.
The problem reproduces with GCC 13.2.0 and also with GCC 12.2.0. Since there
is no mention of -Wuse-after-free in the GCC 11 manual (or any earlier
version), it is no surprise that none of them report the error.
Compiler version information:
gcc -v -std=c11 -O3 -Werror -Wall -c gcc-bug-1.c
Using built-in specs.
COLLECT_GCC=gcc
Target: x86_64-pc-linux-gnu
Configured with: ../gcc-13.2.0/configure --prefix=/usr/gcc/v13.2.0 CC=/usr/gcc/v12.2.0/bin/gcc CXX=/usr/gcc/v12.2.0/bin/g++
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.2.0 (GCC)
COLLECT_GCC_OPTIONS='-v' '-std=c11' '-O3' '-Werror' '-Wall' '-c' '-mtune=generic' '-march=x86-64'
 /work1/gcc/v13.2.0/bin/../libexec/gcc/x86_64-pc-linux-gnu/13.2.0/cc1 -quiet -v -iprefix /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/ gcc-bug-1.c -quiet -dumpbase gcc-bug-1.c -dumpbase-ext .c -mtune=generic -march=x86-64 -O3 -Werror -Wall -std=c11 -version -o /tmp/ccX3ka4K.s
GNU C11 (GCC) version 13.2.0 (x86_64-pc-linux-gnu)
	compiled by GNU C version 13.2.0, GMP version 6.3.0, MPFR version 4.2.0, MPC version 1.3.1, isl version isl-0.24-GMP
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/../../../../x86_64-pc-linux-gnu/include"
ignoring duplicate directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include"
ignoring duplicate directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include-fixed"
ignoring nonexistent directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
/work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include
/work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include-fixed
/usr/local/include
/work1/gcc/v13.2.0/bin/../lib/gcc/../../include
/usr/include
End of search list.
Compiler executable checksum: 76c675c9da56a319124364c69f2f4d48
Reported errors (gcc-bug-1.c):
gcc-bug-1.c: In function ‘function’:
gcc-bug-1.c:34:21: error: pointer ‘names’ may be used after ‘realloc’ [-Werror=use-after-free]
   34 |                     free(old_names);
      |                     ^~~~~~~~~~~~~~~
gcc-bug-1.c:28:21: note: call to ‘realloc’ here
   28 |             names = realloc(names, max_names * sizeof(names[0]));
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc-bug-1.c:38:21: error: pointer ‘sizes’ may be used after ‘realloc’ [-Werror=use-after-free]
   38 |                     free(old_sizes);
      |                     ^~~~~~~~~~~~~~~
gcc-bug-1.c:29:21: note: call to ‘realloc’ here
   29 |             sizes = realloc(sizes, max_names * sizeof(sizes[0]));
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Reported errors (gcc-bug-2.c):
gcc -std=c11 -O3 -Werror -Wall -c gcc-bug-2.c
gcc-bug-2.c: In function ‘function’:
gcc-bug-2.c:32:21: error: pointer ‘names’ may be used after ‘realloc’ [-Werror=use-after-free]
   32 |                     free(names);
      |                     ^~~~~~~~~~~
gcc-bug-2.c:26:32: note: call to ‘realloc’ here
   26 |             char **new_names = realloc(names, max_names * sizeof(names[0]));
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc-bug-2.c:36:21: error: pointer ‘sizes’ may be used after ‘realloc’ [-Werror=use-after-free]
   36 |                     free(sizes);
      |                     ^~~~~~~~~~~
gcc-bug-2.c:27:30: note: call to ‘realloc’ here
   27 |             int *new_sizes = realloc(sizes, max_names * sizeof(sizes[0]));
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
The files gcc-bug-3.c and gcc-bug-4.c compile (to object files) without errors.
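The diagnostics above are about the pointer passed to realloc being used again afterwards (here, in a later free of the saved old pointer). As an added example that is not one of the attached gcc-bug-*.c files, the C below shows one way to grow two parallel arrays under a single capacity control without ever reading, storing or freeing a pointer value after it has been handed to realloc, which is the pattern -Wuse-after-free tracks. The struct table, grow_pair(), table_add(), table_free() and the two demo functions are hypothetical names chosen for this example. It also covers the realloc failure path, which the bare `p = realloc(p, n)` idiom gets wrong: when realloc returns NULL the original block is still allocated, and overwriting the only copy of its address leaks it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical container (not from the attached files): two arrays kept in
 * parallel, names[] and sizes[], sharing one num/max capacity control. */
struct table {
    const char **names;   /* parallel array 1 */
    int         *sizes;   /* parallel array 2, always the same capacity as names */
    size_t       num;     /* entries in use */
    size_t       max;     /* capacity of both arrays */
};

/* Grow both arrays to new_max. Returns 0 on success, -1 on failure.
 * Each realloc result lands in a fresh local first, so the struct keeps
 * owning the old block until the new one exists, and the old pointer value
 * is never read, freed or stored again once realloc has succeeded. */
static int grow_pair(struct table *t, size_t new_max)
{
    /* Check the byte counts before realloc sees them: an overflowed product
     * would quietly request a tiny block and break every later index. */
    if (new_max > SIZE_MAX / sizeof(t->names[0]) ||
        new_max > SIZE_MAX / sizeof(t->sizes[0]))
        return -1;

    const char **new_names = realloc(t->names, new_max * sizeof(new_names[0]));
    if (new_names == NULL)
        return -1;            /* t->names untouched: still owned, still freeable */
    t->names = new_names;     /* the previous value is now indeterminate; never free it */

    int *new_sizes = realloc(t->sizes, new_max * sizeof(new_sizes[0]));
    if (new_sizes == NULL)
        return -1;            /* names already grown; both pointers remain valid */
    t->sizes = new_sizes;
    t->max = new_max;         /* raised only once both arrays really have room */
    return 0;
}

/* Append one (name, size) pair, doubling both arrays when full. */
static int table_add(struct table *t, const char *name, int size)
{
    if (t->num == t->max) {
        if (t->max > SIZE_MAX / 2)
            return -1;
        if (grow_pair(t, t->max ? t->max * 2 : 4) != 0)
            return -1;
    }
    t->names[t->num] = name;
    t->sizes[t->num] = size;
    t->num++;
    return 0;
}

/* Release both arrays exactly once and leave the table reusable. */
static void table_free(struct table *t)
{
    free(t->names);
    free(t->sizes);
    t->names = NULL;
    t->sizes = NULL;
    t->num = t->max = 0;
}

/* Fill a table across several growth steps; returns the sum of the stored
 * sizes (0 + 1 + ... + count-1) so the result can be checked, or -1 on error. */
static long demo_sum(size_t count)
{
    struct table t = { NULL, NULL, 0, 0 };
    long sum = 0;
    for (size_t i = 0; i < count; i++) {
        if (table_add(&t, "entry", (int)i) != 0) {
            table_free(&t);
            return -1;
        }
    }
    for (size_t i = 0; i < t.num; i++)
        sum += t.sizes[i];
    table_free(&t);
    return sum;
}

/* Failure path: an impossible capacity is rejected without touching the
 * table, so existing entries survive and table_free() is still safe.
 * Returns 1 when that holds, 0 otherwise. */
static int demo_failure(void)
{
    struct table t = { NULL, NULL, 0, 0 };
    int ok = table_add(&t, "a", 1) == 0
          && grow_pair(&t, SIZE_MAX) == -1
          && t.num == 1 && t.max == 4 && t.names != NULL && t.sizes != NULL;
    table_free(&t);
    return ok;
}

int main(void)
{
    printf("sum of 100 sizes: %ld\n", demo_sum(100));
    printf("failure path kept table intact: %s\n", demo_failure() ? "yes" : "no");
    return 0;
}
```

Build it with the reporter's flags (gcc -std=c11 -O3 -Wall -Werror) to compare against the attached variants: it contains no use of a pre-realloc pointer value for the warning to flag. The order of the two realloc calls is deliberate; if the second one fails, names is already larger than max but both blocks are still valid and owned by the table, so the caller can keep using the old capacity or free everything without a leak or a double free.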
* [Bug c/111695] Spurious -Wuse-after-free when managing two arrays in parallel
From: jonathan.leffler at gmail dot com @ 2023-10-04 17:58 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695
Jonathan Leffler <jonathan.leffler at gmail dot com> changed:
What | Removed | Added
-----|---------|----------------------------------
CC   |         | jonathan.leffler at gmail dot com
--- Comment #1 from Jonathan Leffler <jonathan.leffler at gmail dot com> ---
Created attachment 56048
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56048&action=edit
gcc-bug-2.c — Variation 2 (two arrays in parallel)
* [Bug c/111695] Spurious -Wuse-after-free when managing two arrays in parallel
From: jonathan.leffler at gmail dot com @ 2023-10-04 17:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695
--- Comment #2 from Jonathan Leffler <jonathan.leffler at gmail dot com> ---
Created attachment 56049
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56049&action=edit
gcc-bug-3.c — Variation 3 (one array: does not generate -Wuse-after-free warnings)
* [Bug c/111695] Spurious -Wuse-after-free when managing two arrays in parallel
From: jonathan.leffler at gmail dot com @ 2023-10-04 18:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695
--- Comment #3 from Jonathan Leffler <jonathan.leffler at gmail dot com> ---
Created attachment 56050
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56050&action=edit
gcc-bug-4.c — Variation 4 (one array — does not generate -Wuse-after-free warnings)
* [Bug c/111695] Spurious -Wuse-after-free when managing two arrays in parallel
From: jonathan.leffler at gmail dot com @ 2023-10-04 18:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695
Jonathan Leffler <jonathan.leffler at gmail dot com> changed:
What                           | Removed | Added
-------------------------------|---------|------
Attachment #56047 is obsolete  | 0       | 1
--- Comment #4 from Jonathan Leffler <jonathan.leffler at gmail dot com> ---
Created attachment 56051
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56051&action=edit
gcc-bug-1.c — Variation 1 (two arrays in parallel)