https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111695
Bug ID: 111695
Summary: Spurious -Wuse-after-free when managing two arrays in parallel
Product: gcc
Version: 13.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: jonathan.leffler at gmail dot com
Target Milestone: ---

Created attachment 56047 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56047&action=edit
Variation 1 (two arrays in parallel)

Related to meta-bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104075 (bogus/missing -Wuse-after-free).
Related to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106578 (spurious -Wuse-after-free=2 after conditional free() when not optimizing), but the symptoms are different.

There are 4 (smallish) source files. Files gcc-bug-1.c and gcc-bug-3.c use one algorithm for handling old and new values; files gcc-bug-2.c and gcc-bug-4.c use a slightly different algorithm. Files gcc-bug-1.c and gcc-bug-2.c manage two arrays 'in parallel' — the names and sizes arrays are handled by separate allocations using the same size controls — and report spurious 'use-after-free' errors. Files gcc-bug-3.c and gcc-bug-4.c manage a single array and do not report any (spurious) 'use-after-free' error.

The problem reproduces with GCC 13.2.0 and also with GCC 12.2.0. Since there is no mention of -Wuse-after-free in the GCC 11 manual (or any earlier versions), it is no surprise that none of them report the error.

Compiler version information:

gcc -v -std=c11 -O3 -Werror -Wall -c gcc-bug-1.c
Using built-in specs.
COLLECT_GCC=gcc
Target: x86_64-pc-linux-gnu
Configured with: ../gcc-13.2.0/configure --prefix=/usr/gcc/v13.2.0 CC=/usr/gcc/v12.2.0/bin/gcc CXX=/usr/gcc/v12.2.0/bin/g++
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.2.0 (GCC)
COLLECT_GCC_OPTIONS='-v' '-std=c11' '-O3' '-Werror' '-Wall' '-c' '-mtune=generic' '-march=x86-64'
 /work1/gcc/v13.2.0/bin/../libexec/gcc/x86_64-pc-linux-gnu/13.2.0/cc1 -quiet -v -iprefix /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/ gcc-bug-1.c -quiet -dumpbase gcc-bug-1.c -dumpbase-ext .c -mtune=generic -march=x86-64 -O3 -Werror -Wall -std=c11 -version -o /tmp/ccX3ka4K.s
GNU C11 (GCC) version 13.2.0 (x86_64-pc-linux-gnu)
	compiled by GNU C version 13.2.0, GMP version 6.3.0, MPFR version 4.2.0, MPC version 1.3.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/../../../../x86_64-pc-linux-gnu/include"
ignoring duplicate directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include"
ignoring duplicate directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include-fixed"
ignoring nonexistent directory "/work1/gcc/v13.2.0/bin/../lib/gcc/../../lib/gcc/x86_64-pc-linux-gnu/13.2.0/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include
 /work1/gcc/v13.2.0/bin/../lib/gcc/x86_64-pc-linux-gnu/13.2.0/include-fixed
 /usr/local/include
 /work1/gcc/v13.2.0/bin/../lib/gcc/../../include
 /usr/include
End of search list.
Compiler executable checksum: 76c675c9da56a319124364c69f2f4d48

Reported errors (gcc-bug-1.c):

gcc-bug-1.c: In function ‘function’:
gcc-bug-1.c:34:21: error: pointer ‘names’ may be used after ‘realloc’ [-Werror=use-after-free]
   34 |                     free(old_names);
      |                     ^~~~~~~~~~~~~~~
gcc-bug-1.c:28:21: note: call to ‘realloc’ here
   28 |             names = realloc(names, max_names * sizeof(names[0]));
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc-bug-1.c:38:21: error: pointer ‘sizes’ may be used after ‘realloc’ [-Werror=use-after-free]
   38 |                     free(old_sizes);
      |                     ^~~~~~~~~~~~~~~
gcc-bug-1.c:29:21: note: call to ‘realloc’ here
   29 |             sizes = realloc(sizes, max_names * sizeof(sizes[0]));
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

Reported errors (gcc-bug-2.c):

gcc -std=c11 -O3 -Werror -Wall -c gcc-bug-2.c
gcc-bug-2.c: In function ‘function’:
gcc-bug-2.c:32:21: error: pointer ‘names’ may be used after ‘realloc’ [-Werror=use-after-free]
   32 |                     free(names);
      |                     ^~~~~~~~~~~
gcc-bug-2.c:26:32: note: call to ‘realloc’ here
   26 |             char **new_names = realloc(names, max_names * sizeof(names[0]));
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc-bug-2.c:36:21: error: pointer ‘sizes’ may be used after ‘realloc’ [-Werror=use-after-free]
   36 |                     free(sizes);
      |                     ^~~~~~~~~~~
gcc-bug-2.c:27:30: note: call to ‘realloc’ here
   27 |             int *new_sizes = realloc(sizes, max_names * sizeof(sizes[0]));
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

The files gcc-bug-3.c and gcc-bug-4.c compile (to object files) without errors.
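The attached gcc-bug-*.c files are not reproduced on this page. What follows is an added example, not the reporter's code, showing one way to grow two parallel arrays with realloc without ever freeing a pointer that has already been handed to realloc. The struct table type and the names table_grow, table_add, table_free and demo_cap_after are this example's own, and it assumes only the C standard library. Each realloc result goes to a temporary, so a NULL return cannot overwrite the only pointer to the still-allocated old block (the classic p = realloc(p, n) leak), and the old pointer is never freed afterwards, which is what turns a recovery path into a double free once realloc has succeeded.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two arrays kept in parallel: names[i] is described by sizes[i].
 * Hypothetical type for this example only. */
struct table {
    char **names;
    int   *sizes;
    size_t count;   /* entries in use */
    size_t cap;     /* entries both arrays are guaranteed to hold */
};

/* Grow both arrays to hold new_cap entries. Returns 0 on success, -1 on
 * failure. Nothing is freed on any path: a realloc that returns NULL
 * leaves its argument allocated and still owned by the table, and an
 * array that was already resized is simply kept at its larger size.
 * Everything is released later by table_free(). */
static int table_grow(struct table *t, size_t new_cap)
{
    if (new_cap <= t->cap)
        return 0;
    /* Reject capacities whose byte count would overflow size_t. */
    if (new_cap > SIZE_MAX / sizeof(*t->names) ||
        new_cap > SIZE_MAX / sizeof(*t->sizes))
        return -1;

    /* Temporary first: a NULL result must not clobber t->names. */
    char **new_names = realloc(t->names, new_cap * sizeof(*t->names));
    if (new_names == NULL)
        return -1;          /* t->names still valid at the old capacity */
    t->names = new_names;   /* old block is gone; it is never free()d again */

    int *new_sizes = realloc(t->sizes, new_cap * sizeof(*t->sizes));
    if (new_sizes == NULL)
        return -1;          /* names grown, sizes unchanged; cap stays old */
    t->sizes = new_sizes;
    t->cap = new_cap;       /* advanced only once both arrays are grown */
    return 0;
}

/* Append a copy of name with its size, growing both arrays if needed. */
static int table_add(struct table *t, const char *name, int size)
{
    if (t->count == t->cap &&
        table_grow(t, t->cap ? t->cap * 2 : 4) != 0)
        return -1;
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, name, len);
    t->names[t->count] = copy;
    t->sizes[t->count] = size;
    t->count++;
    return 0;
}

/* Release everything the table owns and reset it to empty. */
static void table_free(struct table *t)
{
    for (size_t i = 0; i < t->count; i++)
        free(t->names[i]);
    free(t->names);
    free(t->sizes);
    t->names = NULL;
    t->sizes = NULL;
    t->count = t->cap = 0;
}

/* Fill a fresh table with n generated entries (constructed sample data)
 * and return the capacity reached, or 0 on allocation failure. */
static size_t demo_cap_after(size_t n)
{
    struct table t = {0};
    char buf[32];
    for (size_t i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "entry%zu", i);
        if (table_add(&t, buf, (int)i) != 0) {
            table_free(&t);
            return 0;
        }
    }
    size_t cap = t.cap;
    table_free(&t);
    return cap;
}

int main(void)
{
    printf("capacity after 10 adds: %zu\n", demo_cap_after(10));
    return 0;
}
```

If the second realloc fails after the first succeeded, the table is left with names at the new size and sizes at the old one; because cap is only advanced when both succeed, the spare room in names is harmless and the next growth attempt reallocates names to the same size it already has. Ownership never moves out of the struct, so there is exactly one place (table_free) where the arrays are released.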