From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=J6eH=6U=mail.hallyn.com=serge@sourceware.org>
Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53])
	by sourceware.org (Postfix) with ESMTPS id 596D03857C45
	for <gcc@gcc.gnu.org>; Fri, 24 Feb 2023 16:10:09 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 596D03857C45
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=hallyn.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=mail.hallyn.com
Received: by mail.hallyn.com (Postfix, from userid 1001)
	id D6C1E7ED; Fri, 24 Feb 2023 10:10:07 -0600 (CST)
Date: Fri, 24 Feb 2023 10:10:07 -0600
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Alex Colomar <alx.manpages@gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>, Martin Uecker <uecker@tugraz.at>,
	GCC <gcc@gcc.gnu.org>, Iker Pedrosa <ipedrosa@redhat.com>,
	Florian Weimer <fweimer@redhat.com>,
	Paul Eggert <eggert@cs.ucla.edu>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	=?utf-8?B?SuKCkeKCmeKCmw==?= Gustedt <jens.gustedt@inria.fr>,
	David Malcolm <dmalcolm@redhat.com>, Sam James <sam@gentoo.org>,
	Jonathan Wakely <jwakely.gcc@gmail.com>
Subject: Re: Missed warning (-Wuse-after-free)
Message-ID: <20230224161007.GB374298@mail.hallyn.com>
References: <38e7e994a81d2a18666404dbaeb556f3508a6bd6.camel@redhat.com>
 <23d3a3ff-adad-ac2e-92a6-4e19f4093143@gmail.com>
 <2148ef80dee2a034ee531d662fc8709d26159ec5.camel@tugraz.at>
 <0049730a-e28c-0e0f-8d92-695395f1ec21@gmail.com>
 <6edeb3c197c327c1c6639d322c53ec6056039a33.camel@tugraz.at>
 <b18a74df-d18e-dc82-b001-5ec65e7c6b26@gmail.com>
 <aa90656815723f21987b73c84b9236d7c34f8ceb.camel@tugraz.at>
 <b7c4b43a-6ce3-5d91-00a2-9609804bceba@gmail.com>
 <20230224012114.GA360078@mail.hallyn.com>
 <b994f2e4-d412-8248-d7a3-240c46dcd192@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b994f2e4-d412-8248-d7a3-240c46dcd192@gmail.com>
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,KAM_DMARC_STATUS,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc.gcc.gnu.org>

On Fri, Feb 24, 2023 at 02:42:32AM +0100, Alex Colomar wrote:
> Hi Serge, Martin,
> 
> On 2/24/23 02:21, Serge E. Hallyn wrote:
> > > Does all this imply that the following is well defined behavior (and shall
> > > print what one would expect)?
> > > 
> > >    free(p);
> > > 
> > >    (void) &p;  // take the address
> > >    // or maybe we should (void) memcmp(&p, &p, sizeof(p)); ?
> > > 
> > >    printf("%p\n", p);  // we took previously its address,
> > >                        // so now it has to hold consistently
> > >                        // the previous value
> > > 
> > > 
> > > This feels weird.  And a bit of a Schroedinger's pointer.  I'm not entirely
> > > convinced, but might be.
> > 
> > Again, p is just an n byte variable which happens to have (one hopes)
> > pointed at a previously malloc'd address.
> > 
> > And I'd argue that pre-C11, this was not confusing, and would not have
> > felt weird to you.
> > 
> > But I am most grateful to you for having brought this to my attention.
> > I may not agree with it and not like it, but it's right there in the
> > spec, so time for me to adjust :)
> 
> I'll try to show why this feels weird to me (even in C89):
> 
> 
> alx@dell7760:~/tmp$ cat pointers.c
> #include <stdio.h>
> #include <stdlib.h>
> 
> 
> int
> main(void)
> {
> 	char  *p, *q;
> 
> 	p = malloc(42);
> 	if (p == NULL)
> 		exit(1);
> 
> 	q = realloc(p, 42);
> 	if (q == NULL)
> 		exit(1);
> 
> 	(void) &p;  // If we remove this, we get -Wuse-after-free

(which I would argue is a bug in the compiler)

> 	printf("(%p == %p) = %i\n", p, q, (p == q));
> }
> alx@dell7760:~/tmp$ cc -Wall -Wextra pointers.c  -Wuse-after-free=3
> alx@dell7760:~/tmp$ ./a.out
> (0x5642cd9022a0 == 0x5642cd9022a0) = 1
> 
> 
> This pointers point to different objects (actually, one of them doesn't even
> point to an object anymore), so they can't compare equal, according to both:
> 
> <http://port70.net/%7Ensz/c/c11/n1570.html#6.5.9p6>
> 
> <http://port70.net/~nsz/c/c89/c89-draft.html#3.3.9>
> 
> (I believe C89 already had the concept of lifetime well defined as it is
> now, so the object had finished it's lifetime after realloc(3)).
> 
> How can we justify that true, if the pointer don't point to the same object?

Because what's pointed to does not matter.

You are comparing the memory address p, not the contents of the memory address.

By way of analogy, if I do

   mkdir -p /tmp/1/a
   ln -s /tmp/1 /tmp/2
   rm -rf /tmp/1

then /tmp/2 is still a symlink.  'stat /tmp/2' still works and is well
defined.  And if I create a new /tmp/1, then /tmp/2 starts pointing to
that.  Yes, re-useing p like that is a very bad idea, in many cases :)

> And how can we justify a hypothetical false (which compilers don't
> implement), if compilers will really just read the value?  To implement this
> as well defined behavior, it could result in no other than false, and it
> would require heavy overhead for the compilers to detect that the
> seemingly-equal values are indeed different, don't you think?  The easiest
> solution is for the standard to just declare this outlaw, IMO.
> 
> Maybe it could do an exception for printing, that is, reading a pointer is
> not a problem in itself, a long as you don't compare it, but I'm not such an
> expert about this.
> 
> Cheers,
> 
> Alex
> 
> > 
> > -serge
> 
> -- 
> <http://www.alejandro-colomar.es/>
> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
>