From: "eggert at cs dot ucla.edu"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/95758] New: -Wanalyzer-use-after-free false positive when compiling glibc regex.c
Date: Fri, 19 Jun 2020 05:56:32 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95758

            Bug ID: 95758
           Summary: -Wanalyzer-use-after-free false positive when compiling
                    glibc regex.c
           Product: gcc
           Version: 10.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 48755
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48755&action=edit
compressed .i file illustrating the -Wanalyzer-use-after-free false positive

When using GCC 10.1.0 -fanalyzer to compile Glibc/Gnulib regex.c I found
several -fanalyzer false positives. Most seem to come from GCC bugs already
reported (Bug#93695, Bug#94458, Bug#94851) but one might be new. To reproduce
the problem on x86-64, uncompress the attached file t4b.i.gz and then compile
t4b.i with the command:

  gcc -S -fanalyzer -Wno-analyzer-double-free -Wno-analyzer-malloc-leak -Wno-analyzer-null-dereference t4b.i

This should be a clean compile, but the output is the following, which is a
false alarm:

t4b.i: In function 'free_charset':
t4b.i:11582:13: warning: use after 'free' of 'cset' [CWE-416] [-Wanalyzer-use-after-free]
11582 |   free (cset->mbchars);
      |   ~~~~^~~~~~~~~
  'rpl_regfree': events 1-4
    |
    | 7610 | rpl_regfree (regex_t *preg)
    |      | ^~~~~~~~~~~
    |      | |
    |      | (1) entry to 'rpl_regfree'
    |......
    | 7613 |   if (__builtin_expect ((dfa !=
    |      |   ~
    |      |   |
    |      |   (2) following 'true' branch...
    |......
    | 7618 |       free_dfa_content (dfa);
    |      |       ~~~~~~~~~~~~~~~~~~~~~~
    |      |       |
    |      |       (3) ...to here
    |      |       (4) calling 'free_dfa_content' from 'rpl_regfree'
    |
    +--> 'free_dfa_content': events 5-10
           |
           | 7566 | free_dfa_content (re_dfa_t *dfa)
           |      | ^~~~~~~~~~~~~~~~
           |      | |
           |      | (5) entry to 'free_dfa_content'
           |......
           | 7569 |   if (dfa->nodes)
           |      |   ~
           |      |   |
           |      |   (6) following 'true' branch...
           | 7570 |     for (i = 0; i < dfa->nodes_len; ++i)
           |      |     ~~~ ~~~~~
           |      |     |   |
           |      |     |   (7) ...to here
           |      |     (8) following 'true' branch...
           | 7571 |       free_token (dfa->nodes + i);
           |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (9) ...to here
           |      |       (10) calling 'free_token' from 'free_dfa_content'
           |
           +--> 'free_token': events 11-15
                  |
                  |11648 | free_token (re_token_t *node)
                  |      | ^~~~~~~~~~
                  |      | |
                  |      | (11) entry to 'free_token'
                  |11649 | {
                  |11650 |   if (node->type == COMPLEX_BRACKET && node->duplicated == 0)
                  |      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |      |               |
                  |      |      |               (13) ...to here
                  |      |      |               (14) following 'true' branch...
                  |      |      (12) following 'true' branch...
                  |11651 |     free_charset (node->opr.mbcset);
                  |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (15) ...to here
                  |
           <------+
           |
         'free_dfa_content': events 16-19
           |
           | 7570 |     for (i = 0; i < dfa->nodes_len; ++i)
           |      |     ~~~
           |      |     |
           |      |     (17) following 'true' branch...
           | 7571 |       free_token (dfa->nodes + i);
           |      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (18) ...to here
           |      |       (16) returning to 'free_dfa_content' from 'free_token'
           |      |       (19) calling 'free_token' from 'free_dfa_content'
           |
           +--> 'free_token': events 20-24
                  |
                  |11648 | free_token (re_token_t *node)
                  |      | ^~~~~~~~~~
                  |      | |
                  |      | (20) entry to 'free_token'
                  |11649 | {
                  |11650 |   if (node->type == COMPLEX_BRACKET && node->duplicated == 0)
                  |      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |      |               |
                  |      |      |               (22) ...to here
                  |      |      |               (23) following 'true' branch...
                  |      |      (21) following 'true' branch...
                  |11651 |     free_charset (node->opr.mbcset);
                  |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (24) ...to here
                  |
           <------+
           |
         'free_dfa_content': events 25-28
           |
           | 7570 |     for (i = 0; i < dfa->nodes_len; ++i)
           |      |     ~~~
           |      |     |
           |      |     (26) following 'true' branch...
           | 7571 |       free_token (dfa->nodes + i);
           |      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (27) ...to here
           |      |       (25) returning to 'free_dfa_content' from 'free_token'
           |      |       (28) calling 'free_token' from 'free_dfa_content'
           |
           +--> 'free_token': events 29-35
                  |
                  |11648 | free_token (re_token_t *node)
                  |      | ^~~~~~~~~~
                  |      | |
                  |      | (29) entry to 'free_token'
                  |11649 | {
                  |11650 |   if (node->type == COMPLEX_BRACKET && node->duplicated == 0)
                  |      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |      |               |
                  |      |      |               (31) ...to here
                  |      |      |               (32) following 'true' branch...
                  |      |      (30) following 'true' branch...
                  |11651 |     free_charset (node->opr.mbcset);
                  |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (33) ...to here
                  |      |     (34) freed here
                  |      |     (35) calling 'free_charset' from 'free_token'
                  |
                  +--> 'free_charset': events 36-37
                         |
                         |11580 | free_charset (re_charset_t *cset)
                         |      | ^~~~~~~~~~~~
                         |      | |
                         |      | (36) entry to 'free_charset'
                         |11581 | {
                         |11582 |   free (cset->mbchars);
                         |      |   ~~~~~~~~~~~~~
                         |      |   |
                         |      |   (37) use after 'free' of 'cset'; freed at (34)
                         |
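As an added illustration (not code from the bug report or from glibc), here is a stripped-down model of the free_token/free_charset ownership pattern that the path above walks through three loop iterations of: every non-duplicated COMPLEX_BRACKET node owns a distinct charset, so each iteration frees a different pointer and the "freed at (34)" claim is a false alarm, while the `duplicated == 0` guard is what stops an aliasing node from freeing the same charset twice. Struct layouts, the `duplicated`-means-aliasing reading, the COMPLEX_BRACKET value and the `count_freed_after_build` helper are assumptions made for this example.

```c
#include <stdlib.h>
/* Minimal model of the ownership pattern behind regex.c's free_token /
   free_charset (added example, not glibc's code; layouts are assumed). */
typedef struct { char *mbchars; } re_charset_t;
typedef struct {
    int type;                       /* COMPLEX_BRACKET or some other kind */
    unsigned duplicated : 1;        /* assumed: 1 = aliases another node's mbcset */
    union { re_charset_t *mbcset; } opr;
} re_token_t;
typedef struct { re_token_t *nodes; size_t nodes_len; } re_dfa_t;
#define COMPLEX_BRACKET 1           /* assumed value, only used for comparison */
static int freed_charsets;          /* instrumentation for the test only */
static void free_charset(re_charset_t *cset)
{
    free(cset->mbchars);            /* the line the analyzer reported */
    free(cset);
    freed_charsets++;
}
static void free_token(re_token_t *node)
{
    /* Only the owning node releases its charset; a duplicated node shares
       the pointer, so freeing it here as well would be a real double free. */
    if (node->type == COMPLEX_BRACKET && node->duplicated == 0)
        free_charset(node->opr.mbcset);
}
static void free_dfa_content(re_dfa_t *dfa)
{
    for (size_t i = 0; i < dfa->nodes_len; ++i)
        free_token(dfa->nodes + i); /* each iteration frees a distinct charset */
    free(dfa->nodes);
    free(dfa);
}

/* Build n COMPLEX_BRACKET nodes, each owning a distinct charset, plus one
   duplicated node aliasing node 0; return how many charsets were freed. */
int count_freed_after_build(size_t n)
{
    re_dfa_t *dfa = malloc(sizeof *dfa);
    dfa->nodes_len = n + 1;
    dfa->nodes = calloc(dfa->nodes_len, sizeof *dfa->nodes);
    for (size_t i = 0; i < n; ++i) {
        re_charset_t *cs = malloc(sizeof *cs);
        cs->mbchars = malloc(16);   /* constructed payload, contents irrelevant */
        dfa->nodes[i] = (re_token_t){ .type = COMPLEX_BRACKET, .opr.mbcset = cs };
    }
    dfa->nodes[n] = (re_token_t){ .type = COMPLEX_BRACKET, .duplicated = 1,
                                  .opr.mbcset = dfa->nodes[0].opr.mbcset };
    freed_charsets = 0;
    free_dfa_content(dfa);
    return freed_charsets;          /* equals n: the aliasing node is skipped */
}
```

Running the model under the same -fanalyzer flags is a quick way to check whether a given GCC build still reports the loop-carried free, since it preserves the per-node ownership that the real regex.c relies on.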