From: "jonathan.leffler at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/111695] New: Spurious -Wuse-after-free when managing two arrays in parallel
Date: Wed, 04 Oct 2023 17:57:40 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695

            Bug ID: 111695
           Summary: Spurious -Wuse-after-free when managing two arrays in
                    parallel
           Product: gcc
           Version: 13.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: jonathan.leffler at gmail dot com
  Target Milestone: ---

Created attachment 56047
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56047&action=edit
Variation 1 (two arrays in parallel)

Related to meta-bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104075
(bogus/missing -Wuse-after-free).

Related to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106578 (spurious
-Wuse-after-free=2 after conditional free() when not optimizing), but the
symptoms are different.

There are 4 (smallish) source files. Files gcc-bug-1.c and gcc-bug-3.c use one
algorithm for handling old and new values; files gcc-bug-2.c and gcc-bug-4.c
use a slightly different algorithm. Files gcc-bug-1.c and gcc-bug-2.c manage
two arrays 'in parallel' — the names and sizes arrays are handled by separate
allocations using the same size controls and report spurious
'use-after-free' errors. Files gcc-bug-3.c and gcc-bug-4.c manage a single
array and do not report any (spurious) 'use-after-free' error.

The problem reproduces with GCC 13.2.0 and also with GCC 12.2.0. Since there
is no mention of -Wuse-after-free in the GCC 11 manual (or any earlier
versions), it is no surprise that none of them report the error.

Compiler version information:

gcc -v -std=c11 -O3 -Werror -Wall -c gcc-bug-1.c
Using built-in specs.
COLLECT_GCC=gcc
Target: x86_64-pc-linux-gnu
Configured with: ../gcc-13.2.0/configure --prefix=/usr/gcc/v13.2.0 CC=/usr/gcc/v12.2.0/bin/gcc CXX=/usr/gcc/v12.2.0/bin/g++
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.2.0 (GCC)
COLLECT_GCC_OPTIONS='-v' '-std=c11' '-O3' '-Werror' '-Wall' '-c' '-mtune=generic' '-march=x86-64'
 /work1/gcc/v13.2.0/bin/../libexec/gcc/x86_64-pc-linux-gnu/13.2.0/cc1 -quiet -v -iprefix /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/ gcc-bug-1.c -quiet -dumpbase gcc-bug-1.c -dumpbase-ext .c -mtune=generic -march=x86-64 -O3 -Werror -Wall -std=c11 -version -o /tmp/ccX3ka4K.s
GNU C11 (GCC) version 13.2.0 (x86_64-pc-linux-gnu)
	compiled by GNU C version 13.2.0, GMP version 6.3.0, MPFR version 4.2.0, MPC version 1.3.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/../../../../x86_64-pc-linux-gnu/include"
ignoring duplicate directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include"
ignoring duplicate directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include-fixed"
ignoring nonexistent directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include
 /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include-fixed
 /usr/local/include
 /work1/gcc/v13.2.0/bin/../lib/gcc/../../include
 /usr/include
End of search list.
Compiler executable checksum: 76c675c9da56a319124364c69f2f4d48

Reported errors (gcc-bug-1.c):

gcc-bug-1.c: In function ‘function’:
gcc-bug-1.c:34:21: error: pointer ‘names’ may be used after ‘realloc’ [-Werror=use-after-free]
   34 |                     free(old_names);
      |                     ^~~~~~~~~~~~~~~
gcc-bug-1.c:28:21: note: call to ‘realloc’ here
   28 |             names = realloc(names, max_names * sizeof(names[0]));
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc-bug-1.c:38:21: error: pointer ‘sizes’ may be used after ‘realloc’ [-Werror=use-after-free]
   38 |                     free(old_sizes);
      |                     ^~~~~~~~~~~~~~~
gcc-bug-1.c:29:21: note: call to ‘realloc’ here
   29 |             sizes = realloc(sizes, max_names * sizeof(sizes[0]));
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

Reported errors (gcc-bug-2.c):

gcc -std=c11 -O3 -Werror -Wall -c gcc-bug-2.c
gcc-bug-2.c: In function ‘function’:
gcc-bug-2.c:32:21: error: pointer ‘names’ may be used after ‘realloc’ [-Werror=use-after-free]
   32 |                     free(names);
      |                     ^~~~~~~~~~~
gcc-bug-2.c:26:32: note: call to ‘realloc’ here
   26 |             char **new_names = realloc(names, max_names * sizeof(names[0]));
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc-bug-2.c:36:21: error: pointer ‘sizes’ may be used after ‘realloc’ [-Werror=use-after-free]
   36 |                     free(sizes);
      |                     ^~~~~~~~~~~
gcc-bug-2.c:27:30: note: call to ‘realloc’ here
   27 |             int *new_sizes = realloc(sizes, max_names * sizeof(sizes[0]));
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

The files gcc-bug-3.c and gcc-bug-4.c compile (to object files) without errors.
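Added example (editor's code, not the reporter's attached gcc-bug-*.c files, whose full text is not on this page): the "two arrays in parallel" growth pattern the report describes, written so that a realloc() failure leaves every pointer valid and both arrays at least `cap` entries long. The point the warning gets wrong in both of the reporter's variants is that realloc() leaves the original block allocated when it returns NULL, so a later free() of the saved old pointer (variant 1) or of the original pointer (variant 2) is legitimate. The names below (struct table, table_grow, wrap_realloc, fail_next_realloc) are this example's own; fail_next_realloc is a constructed fault-injection hook so the failure path can be driven deterministically. Because realloc() is reached through a wrapper, GCC's -Wuse-after-free pass does not see a realloc() call here, so this block is not itself a reproducer for the bug.

```c
#include <stdlib.h>
#include <string.h>

/* Two arrays managed in parallel: names[i] describes sizes[i]. */
struct table {
    char **names;
    int   *sizes;
    size_t count;   /* entries in use */
    size_t cap;     /* entries both arrays can hold */
};

/* Constructed fault-injection hook (not part of any real allocator): when
 * nonzero, the next wrap_realloc() fails once, leaving the block untouched. */
static int fail_next_realloc = 0;

static void *wrap_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Grow both arrays so at least `want` entries fit.  Returns 0 or -1.  On every
 * return path t->names and t->sizes are valid and hold >= t->cap entries. */
static int table_grow(struct table *t, size_t want)
{
    if (want <= t->cap)
        return 0;
    size_t new_cap = t->cap ? t->cap * 2 : 4;
    while (new_cap < want)
        new_cap *= 2;

    /* Take realloc's result into a fresh variable.  If it is NULL, the old
     * block is still allocated and still owned by t->names, so nothing has
     * been lost and nothing needs freeing here. */
    char **new_names = wrap_realloc(t->names, new_cap * sizeof *new_names);
    if (new_names == NULL)
        return -1;
    t->names = new_names;    /* commit: the old pointer is now dead */

    int *new_sizes = wrap_realloc(t->sizes, new_cap * sizeof *new_sizes);
    if (new_sizes == NULL)
        return -1;           /* names is larger than cap; that is harmless */
    t->sizes = new_sizes;
    t->cap = new_cap;        /* raise cap only once both arrays have grown */
    return 0;
}

static int table_add(struct table *t, const char *name, int size)
{
    if (table_grow(t, t->count + 1) != 0)
        return -1;
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, name, len);
    t->names[t->count] = copy;
    t->sizes[t->count] = size;
    t->count++;
    return 0;
}

static void table_free(struct table *t)
{
    for (size_t i = 0; i < t->count; i++)
        free(t->names[i]);
    free(t->names);
    free(t->sizes);
    memset(t, 0, sizeof *t);
}

/* Fill the table, inject one realloc failure on the next growth step, and
 * check the existing entries survive it.  Returns 5 on success, -1 otherwise. */
static long demo(void)
{
    struct table t = {0};
    const char *first[] = {"alpha", "beta", "gamma", "delta"};
    for (int i = 0; i < 4; i++)
        if (table_add(&t, first[i], i + 1) != 0)
            return -1;                      /* cap is now 4 and full */

    fail_next_realloc = 1;
    if (table_add(&t, "epsilon", 5) == 0)   /* must fail ... */
        return -1;
    if (t.count != 4 || t.cap != 4 ||       /* ... without damaging state */
        strcmp(t.names[3], "delta") != 0 || t.sizes[3] != 4)
        return -1;

    if (table_add(&t, "epsilon", 5) != 0)   /* retry succeeds */
        return -1;
    long n = (strcmp(t.names[4], "epsilon") == 0 && t.sizes[4] == 5)
                 ? (long)t.count : -1;
    table_free(&t);
    return n;
}

int main(void)
{
    return demo() == 5 ? 0 : 1;
}
```

Build with the reporter's flags (`gcc -std=c11 -O3 -Wall -Werror`) and the exit status is 0 when the injected failure was absorbed without touching the existing entries. Keeping cap as a lower bound on both arrays' real capacity is what makes the half-grown state after the second realloc() fails safe to leave in place.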