From: Alejandro Colomar
To: GCC
Cc: Iker Pedrosa
Date: Thu, 16 Feb 2023 15:35:20 +0100
Subject: Missed warning (-Wuse-after-free)
Message-ID: <8ed6d28c-69dc-fed8-5ab5-99f685f06fac@gmail.com>

Hi!

I was preparing an example program of a use-after-realloc bug,
when I found that GCC doesn't warn in a case where it should.

alx@debian:~/tmp$ cat realloc.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static inline char *
xstrdup(const char *s)
{
        char  *p;

        p = strdup(s);
        if (p == NULL)
                exit(EXIT_FAILURE);
        return p;
}

static inline char *
strnul(const char *s)
{
        return (char *) s + strlen(s);
}

int
main(void)
{
        char  *p, *q;

        p = xstrdup("");
        q = strnul(p);

        if (p == q)
                puts("equal before");
        else
                exit(EXIT_FAILURE); // It's an empty string; this won't happen

        printf("p = %p; q = %p\n", p, q);

        p = realloc(p, UINT16_MAX);
        if (p == NULL)
                exit(EXIT_FAILURE);
        puts("realloc()");

        if (p == q) {  // Use after realloc.  I'd expect a warning here.
                puts("equal after");
        } else {
                /* Can we get here?
                   Let's see the options:

                        - realloc(3) fails:
                                We exit immediately.  We don't arrive here.

                        - realloc(3) doesn't move the memory:
                                p == q, as before

                        - realloc(3) moved the memory:
                                p is guaranteed to be a unique pointer,
                                and q is now an invalid pointer.  It is
                                Undefined Behavior to read `q`, so `p == q`
                                is UB.

                   As we see, there's no _defined_ path where this can happen
                 */
                printf("PID = %i\n", (int) getpid());
        }

        printf("p = %p; q = %p\n", p, q);
}
alx@debian:~/tmp$ cc -Wall -Wextra realloc.c -O3 -fanalyzer
realloc.c: In function ‘main’:
realloc.c:67:9: warning: pointer ‘p’ may be used after ‘realloc’ [-Wuse-after-free]
   67 |         printf("p = %p; q = %p\n", p, q);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
realloc.c:39:13: note: call to ‘realloc’ here
   39 |         p = realloc(p, UINT16_MAX);
      |             ^~~~~~~~~~~~~~~~~~~~~~
alx@debian:~/tmp$ ./a.out
equal before
p = 0x55bff80802a0; q = 0x55bff80802a0
realloc()
PID = 25222
p = 0x55bff80806d0; q = 0x55bff80802a0

Did I miss anything?

Cheers,

Alex

-- 
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
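
Added example, not part of the original message: one defined way to carry an interior pointer such as `q` across realloc(3) is to save its offset, plus an integer snapshot of the old address, while both pointers are still valid, so no stale pointer value is ever read. The names realloc_rebase() and demo_append() are hypothetical, and the "abc"/"def" data is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the post): resize *buf and rebase the
   interior pointer *cur without reading a stale pointer value.
   Returns 0 on success; -1 on failure, leaving both pointers valid. */
static int
realloc_rebase(char **buf, char **cur, size_t size, int *moved)
{
	size_t     off = (size_t) (*cur - *buf);  // taken while both are valid
	uintptr_t  old = (uintptr_t) *buf;        // integer snapshot of the address
	char       *n;

	if (size == 0 || off > size)
		return -1;  // realloc(p, 0) is not portable; cursor must fit
	n = realloc(*buf, size);
	if (n == NULL)
		return -1;
	if (moved != NULL)
		*moved = ((uintptr_t) n != old);  // compares integers, not pointers
	*buf = n;
	*cur = n + off;
	return 0;
}

/* Constructed demo with the post's shape: a pointer to the terminating NUL
   is kept across a large realloc, then used to append. */
static int
demo_append(void)
{
	char  *p, *q;
	int   moved, ok;

	p = malloc(4);
	if (p == NULL)
		return -1;
	memcpy(p, "abc", 4);
	q = p + strlen(p);
	if (realloc_rebase(&p, &q, UINT16_MAX, &moved) == -1) {
		free(p);
		return -1;
	}
	memcpy(q, "def", 4);  // q was rebased, so this write is in bounds
	ok = (q == p + 3) && (strcmp(p, "abcdef") == 0);
	free(p);
	return ok ? 0 : 1;
}

int main(void) { return demo_append(); }
```
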