https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92116
Bug ID: 92116
Summary: Potential null pointer dereference in 'gomp_acc_remove_pointer'
Product: gcc
Version: unknown
Status: UNCONFIRMED
Keywords: openacc
Severity: normal
Priority: P3
Component: libgomp
Assignee: unassigned at gcc dot gnu.org
Reporter: tschwinge at gcc dot gnu.org
CC: jakub at gcc dot gnu.org, jules at gcc dot gnu.org, msebor at gcc dot gnu.org
Target Milestone: ---
As reported in
<http://mid.mail-archive.com/[email protected]>:
| PS I tried compiling GCC with [a new] patch. It fails in libgomp
| with:
|
| libgomp/oacc-mem.c: In function ‘gomp_acc_remove_pointer’:
| cc1: warning: invalid use of a null pointer [-Wnonnull]
|
| so clearly it's missing location information. With
| -Wnull-dereference enabled we get more detail:
|
| libgomp/oacc-mem.c: In function ‘gomp_acc_remove_pointer’:
| libgomp/oacc-mem.c:1013:31: warning: potential null pointer dereference [-Wnull-dereference]
|  1013 |       for (size_t i = 0; i < t->list_count; i++)
|       |                              ~^~~~~~~~~~~~
| libgomp/oacc-mem.c:1012:19: warning: potential null pointer dereference [-Wnull-dereference]
|  1012 |       t->refcount = minrefs;
|       |       ~~~~~~~~~~~~^~~~~~~~~
| libgomp/oacc-mem.c:1013:31: warning: potential null pointer dereference [-Wnull-dereference]
|  1013 |       for (size_t i = 0; i < t->list_count; i++)
|       |                              ~^~~~~~~~~~~~
| libgomp/oacc-mem.c:1012:19: warning: potential null pointer dereference [-Wnull-dereference]
|  1012 |       t->refcount = minrefs;
|       |       ~~~~~~~~~~~~^~~~~~~~~
| cc1: warning: invalid use of a null pointer [-Wnonnull]
|
| I didn't spend too long examining the code but it seems like
| the warnings might actually be justified. When the first loop
| terminates with t being null the subsequent dereferences are
| invalid:
|
|   if (t->refcount == minrefs)
|     {
|       /* This is the last reference, so pull the descriptor off the
|          chain. This prevents gomp_unmap_vars via gomp_unmap_tgt from
|          freeing the device memory. */
|       struct target_mem_desc *tp;
|       for (tp = NULL, t = acc_dev->openacc.data_environ; t != NULL;
|            tp = t, t = t->prev)
|         {
|           if (n->tgt == t)
|             {
|               if (tp)
|                 tp->prev = t->prev;
|               else
|                 acc_dev->openacc.data_environ = t->prev;
|               break;
|             }
|         }
|     }
|
|   /* Set refcount to 1 to allow gomp_unmap_vars to unmap it. */
|   n->refcount = 1;
|   t->refcount = minrefs;
|   for (size_t i = 0; i < t->list_count; i++)