[Bug c++/49974] New: missing warning for indirectly returning reference to local/temporary

[Bug c++/49974] New: missing warning for indirectly returning reference to local/temporary

[redi at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

           Summary: missing warning for indirectly returning reference to
                    local/temporary
           Product: gcc
           Version: 4.7.0
            Status: UNCONFIRMED
          Keywords: diagnostic
          Severity: normal
          Priority: P3
         Component: c++
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: redi@gcc.gnu.org


Although probably not easy, it would be useful to get warnings from this code
which creates dangling references:

struct X { };

inline const X& f(const X& r) { return r; }

const X& g()
{
    X x;
    return f(x);  // !!!
}

const X& h()
{
    return f(X()); // !!!
}

Another case involves a reference as a member of a class:

struct Y {
    Y(int& i) : r(i) { }
    int& r;
};

Y f()
{
    int i=0;
    return Y(i);
}

[Bug c++/49974] missing warning for indirectly returning reference to local/temporary

[manu at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

Manuel López-Ibáñez <manu at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |manu at gcc dot gnu.org

--- Comment #1 from Manuel López-Ibáñez <manu at gcc dot gnu.org> 2011-08-04 12:29:21 UTC ---
Isn't this related to PR986?

[Bug c++/49974] missing warning for indirectly returning reference to local/temporary

[redi at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> 2011-08-04 12:40:15 UTC ---
Maybe related, but not the same.  PR986 involves creating a temporary and
binding the reference to it, that should be easier to warn about.  Here's a
similar case to PR986 where a reference member is dangling after the
constructor, which we fail to warn about:

struct Y {
    Y(int local) : ref(local) { }
    int& ref;
};

That, and the example in 986, should be easy to warn about.  When the reference
is bound we can know if the initializer is local/temporary.

This PR is different, the references passed to f and Y::Y are valid during
those calls. The reference only becomes invalid when it escapes from the
function that declares the local variable.  This requires some more complex
analysis, only possible if the bodies of f and Y::Y are visible, and maybe only
possible with optimization enabled so inlining happens.

[Bug c++/49974] missing warning for indirectly returning reference to local/temporary

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2011.08.04 12:48:48
     Ever Confirmed|0                           |1

--- Comment #3 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-08-04 12:48:48 UTC ---
You could try to rely on points-to information.  When it says that all possible
pointees are automatic variable it's for sure an error (or a points-to bug).

[Bug c++/49974] missing warning for indirectly returning reference to local/temporary

[redi at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> 2012-04-08 18:15:04 UTC ---
As pointed out in PR 52901 comment 3, this missing warning is likely to bite
people misusing std::move like so:

X&& f()
{
  X x;
  return std::move(x);
}

[Bug c++/49974] missing warning for indirectly returning reference to local/temporary

[paolo.carlini at oracle dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

Paolo Carlini <paolo.carlini at oracle dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jewillco at osl dot iu.edu

--- Comment #5 from Paolo Carlini <paolo.carlini at oracle dot com> ---
*** Bug 57528 has been marked as a duplicate of this bug. ***

[Bug c++/49974] missing -Wreturn-local-addr for indirectly returning reference to local/temporary

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |570070308 at qq dot com

--- Comment #16 from Jonathan Wakely <redi at gcc dot gnu.org> ---
*** Bug 95911 has been marked as a duplicate of this bug. ***

[Bug c++/49974] missing -Wreturn-local-addr for indirectly returning reference to local/temporary

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

--- Comment #17 from Jonathan Wakely <redi at gcc dot gnu.org> ---
95911 boils down to this:

#include <utility>

struct X { int i = 0; };

X&& f(X&& x) { return std::move(x); }

int main()
{
  X&& x = f(X{});
  return x.i;
}

With recent releases we get a -Wuninitialized warning, which isn't entirely
correct, but at least suggests a problem:

49974.cc: In function 'int main()':
49974.cc:10:12: warning: '<anonymous>.X::i' is used uninitialized
[-Wuninitialized]
   10 |   return x.i;
      |            ^
49974.cc:9:15: note: '<anonymous>' declared here
    9 |   X&& x = f(X{});
      |               ^

(the note is new in GCC 11).

With -fsanitize=address we get a nice stack-use-after-scope error:

==3088273==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fff976ed520 at pc 0x000000401100 bp 0x7fff976ed4f0 sp 0x7fff976ed4e8
READ of size 4 at 0x7fff976ed520 thread T0
    #0 0x4010ff in main /tmp/49974.cc:10
    #1 0x7fd157d181a2 in __libc_start_main ../csu/libc-start.c:308
    #2 0x40116d in _start (/tmp/a.out+0x40116d)

[Bug c++/49974] missing -Wreturn-local-addr for indirectly returning reference to local/temporary

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

--- Comment #18 from Martin Sebor <msebor at gcc dot gnu.org> ---
This detection is partially implemented in GCC 12 by the -Wdnagling-pointer:

$ cat pr49974.C && gcc -O -S -Wall pr49974.C

struct X { };

inline const X& f(const X& r) { return r; }

const X& g()
{
    X x;
    return f(x);  // !!!
}

const X& h()
{
    return f(X()); // !!!
}


struct Y {
    Y(int& i) : r(i) { }
    int& r;
};

Y f()
{
    int i=0;
    return Y(i);
}
pr49974.C: In function ‘const X& g()’:
pr49974.C:9:15: warning: using a dangling pointer to ‘x’ [-Wdangling-pointer=]
    9 |     return f(x);  // !!!
      |               ^
pr49974.C:8:7: note: ‘x’ declared here
    8 |     X x;
      |       ^
pr49974.C: In function ‘const X& h()’:
pr49974.C:14:17: warning: using a dangling pointer to an unnamed temporary
[-Wdangling-pointer=]
   14 |     return f(X()); // !!!
      |                 ^
pr49974.C:14:16: note: unnamed temporary defined here
   14 |     return f(X()); // !!!
      |                ^


For the test case in comment #17 GCC with -O1 issues:

pr49974-c17.C: In function ‘int main()’:
pr49974-c17.C:11:12: warning: using a dangling pointer to an unnamed temporary
[-Wdangling-pointer=]
   11 |   return x.i;
      |            ^
pr49974-c17.C:10:15: note: unnamed temporary defined here
   10 |   X&& x = f(X{});
      |               ^
pr49974-c17.C:11:12: warning: ‘<anonymous>.X::i’ is used uninitialized
[-Wuninitialized]
   11 |   return x.i;
      |            ^
pr49974-c17.C:10:15: note: ‘<anonymous>’ declared here
   10 |   X&& x = f(X{});
      |               ^

[Bug c++/49974] missing -Wreturn-local-addr for indirectly returning reference to local/temporary

[barry.revzin at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

Barry Revzin <barry.revzin at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |barry.revzin at gmail dot com

--- Comment #19 from Barry Revzin <barry.revzin at gmail dot com> ---
Another example of this:

int get();

int const& f() {
    int const r = get();
    return r;
}

int const& g() {
    int const& r = get();
    return r;
}

gcc trunk warns on the incorrect use in f, but it does not currently warn on
the incorrect use in g (which is the exact same bug). clang warns on both.

[Bug c++/49974] missing -Wreturn-local-addr for indirectly returning reference to local/temporary

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49974

--- Comment #20 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Barry Revzin from comment #19)
> Another example of this:
> 
> int get();
> 
> int const& f() {
>     int const r = get();
>     return r;
> }
> 
> int const& g() {
>     int const& r = get();
>     return r;
> }
> 
> gcc trunk warns on the incorrect use in f, but it does not currently warn on
> the incorrect use in g (which is the exact same bug). clang warns on both.

GCC trunk does warn on g but only with optimizations turned on.