Subject: Re: Missed warning (-Wuse-after-free)
From: Yann Droneaud (OPTEYA)
To: Alejandro Colomar, GCC
Cc: Iker Pedrosa
Date: Fri, 17 Feb 2023 09:49:09 +0100
Message-ID: <3098fd18-9dbf-b4e9-bae5-62ec6fea74cd@opteya.com>
In-Reply-To: <8ed6d28c-69dc-fed8-5ab5-99f685f06fac@gmail.com>

Hi,

On 16/02/2023 at 15:35, Alejandro Colomar via Gcc wrote:
> Hi!
>
> I was preparing an example program of a use-after-realloc bug,
> when I found that GCC doesn't warn in a case where it should.
>
>
> alx@debian:~/tmp$ cat realloc.c
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> static inline char *
> xstrdup(const char *s)
> {
>         char *p;
>
>         p = strdup(s);
>         if (p == NULL)
>                 exit(EXIT_FAILURE);
>         return p;
> }
>
> static inline char *
> strnul(const char *s)
> {
>         return (char *) s + strlen(s);
> }
>
> int
> main(void)
> {
>         char *p, *q;
>
>         p = xstrdup("");
>         q = strnul(p);
>
>         if (p == q)
>                 puts("equal before");
>         else
>                 exit(EXIT_FAILURE);  // It's an empty string; this won't happen
>
>         printf("p = %p; q = %p\n", p, q);
>
>         p = realloc(p, UINT16_MAX);
>         if (p == NULL)
>                 exit(EXIT_FAILURE);
>         puts("realloc()");
>
>         if (p == q) {  // Use after realloc.  I'd expect a warning here.
>                 puts("equal after");
>         } else {
>                 /* Can we get here?
>                    Let's see the options:
>
>                    - realloc(3) fails:
>                      We exit immediately.  We don't arrive here.
>
>                    - realloc(3) doesn't move the memory:
>                      p == q, as before
>
>                    - realloc(3) moved the memory:
>                      p is guaranteed to be a unique pointer,
>                      and q is now an invalid pointer.  It is
>                      Undefined Behavior to read `q`, so `p == q`
>                      is UB.
>
>                    As we see, there's no _defined_ path where this can happen
>                 */
>                 printf("PID = %i\n", (int) getpid());
>         }
>
>         printf("p = %p; q = %p\n", p, q);
> }
> alx@debian:~/tmp$ cc -Wall -Wextra realloc.c -O3 -fanalyzer
> realloc.c: In function ‘main’:
> realloc.c:67:9: warning: pointer ‘p’ may be used after ‘realloc’ [-Wuse-after-free]
>    67 |         printf("p = %p; q = %p\n", p, q);
>       |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> realloc.c:39:13: note: call to ‘realloc’ here
>    39 |         p = realloc(p, UINT16_MAX);
>       |             ^~~~~~~~~~~~~~~~~~~~~~
> alx@debian:~/tmp$ ./a.out
> equal before
> p = 0x55bff80802a0; q = 0x55bff80802a0
> realloc()
> PID = 25222
> p = 0x55bff80806d0; q = 0x55bff80802a0
>
>
> Did I miss anything?

-Wuse-after-free=3

Regards.

-- 
Yann Droneaud
OPTEYA
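As an added example that is not part of the thread: the interior pointer q in the test case goes stale the moment realloc() moves the block, and -Wuse-after-free=3 is the level at which GCC also reports an equality comparison against such an indeterminate pointer. The defensive pattern below stores the interior position as an offset and re-derives it from the live block on every use, so no stale pointer exists to compare or to warn about; the names (struct buf, buf_reserve, buf_append, buf_cursor) are mine.

```c
/* Added example, not from the thread: keep an interior pointer valid across
 * realloc() by storing an offset, never the raw pointer (names are mine). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct buf {
        char   *data;   /* heap block; may move on every realloc() */
        size_t  len;    /* bytes used, not counting the NUL */
        size_t  cap;    /* bytes allocated */
        size_t  cursor; /* offset standing in for q; survives a move */
};

/* Grow to at least 'need' bytes.  Use a temporary so a failed realloc()
 * keeps the old block instead of leaking it (the post's p = realloc(p, ..)
 * pattern loses the block on failure, though it exits right away). */
static int buf_reserve(struct buf *b, size_t need)
{
        char *p;

        if (need <= b->cap)
                return 0;
        p = realloc(b->data, need);
        if (p == NULL)
                return -1;
        b->data = p;    /* every pointer derived from the old block is dead */
        b->cap = need;
        return 0;
}

/* Append s; the cursor offset stays meaningful even if the block moved. */
static int buf_append(struct buf *b, const char *s)
{
        size_t n = strlen(s);

        if (buf_reserve(b, b->len + n + 1) < 0)
                return -1;
        memcpy(b->data + b->len, s, n + 1);
        b->len += n;
        return 0;
}

/* Re-derive the interior pointer from the live block on every use. */
static char *buf_cursor(const struct buf *b)
{
        return b->data + b->cursor;
}
```

The sequence from the post becomes: append "", record the end as b.cursor, reserve UINT16_MAX bytes, then call buf_cursor() again instead of reusing q.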