[Bug tree-optimization/90906] diagnose returning pointers to freed memory

[Bug tree-optimization/90906] diagnose returning pointers to freed memory

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90906

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch submitted for GCC 12:
https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583044.html

With it, both the trivial C test case and the std::vector test case in comment
#0 are diagnosed as expected:

pr90906.C:7:20: warning: pointer used after ‘void operator delete(void*,
std::size_t)’ [-Wuse-after-free=]
    7 |     return v.data ();
      |                    ^
In file included from
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/c++allocator.h:33,
                 from
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/allocator.h:46,
                 from
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/vector:61,
                 from pr90906.C:2:
In member function ‘void __gnu_cxx::new_allocator<_Tp>::deallocate(_Tp*,
__gnu_cxx::new_allocator<_Tp>::size_type) [with _Tp = int]’,
    inlined from ‘static void std::allocator_traits<std::allocator<_Tp1>
>::deallocate(std::allocator_traits<std::allocator<_Tp1> >::allocator_type&,
std::allocator_traits<std::allocator<_Tp1> >::pointer,
std::allocator_traits<std::allocator<_Tp1> >::size_type) [with _Tp = int]’ at
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/alloc_traits.h:496:23,
    inlined from ‘void std::_Vector_base<_Tp,
_Alloc>::_M_deallocate(std::_Vector_base<_Tp, _Alloc>::pointer, std::size_t)
[with _Tp = int; _Alloc = std::allocator<int>]’ at
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/stl_vector.h:385:19,
    inlined from ‘void std::_Vector_base<_Tp,
_Alloc>::_M_deallocate(std::_Vector_base<_Tp, _Alloc>::pointer, std::size_t)
[with _Tp = int; _Alloc = std::allocator<int>]’ at
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/stl_vector.h:381:7,
    inlined from ‘std::_Vector_base<_Tp, _Alloc>::~_Vector_base() [with _Tp =
int; _Alloc = std::allocator<int>]’ at
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/stl_vector.h:364:15,
    inlined from ‘std::vector<_Tp, _Alloc>::~vector() [with _Tp = int; _Alloc =
std::allocator<int>]’ at
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/stl_vector.h:731:7,
    inlined from ‘int* f()’ at pr90906.C:8:3:
/build/gcc-63272/x86_64-pc-linux-gnu/libstdc++-v3/include/ext/new_allocator.h:157:33:
note: call to ‘void operator delete(void*, std::size_t)’ here
  157 |         _GLIBCXX_OPERATOR_DELETE(_GLIBCXX_SIZED_DEALLOC(__p, __n));
      |                                 ^

[Bug tree-optimization/90906] diagnose returning pointers to freed memory

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90906

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
           Assignee|unassigned at gcc dot gnu.org      |msebor at gcc dot gnu.org
   Target Milestone|---                         |12.0

--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
Implemented in GCC 12 (r12-6605) as -Wuse-after-free.