From: Martin Sebor Date: Wed, 19 Jan 2022 00:52:01 +0000 (-0700) Subject: Handle failure to determine pointer provenance conservatively [PR104069]. X-Git-Tag: basepoints/gcc-13~1601 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f714642e574c64e1c0e093cad3de6f8accb6ec7;p=thirdparty%2Fgcc.git Handle failure to determine pointer provenance conservatively [PR104069]. Partly resolves: PR middle-end/104069 - -Werror=use-after-free false positive on elfutils-0.186 gcc/ChangeLog: PR middle-end/104069 * gimple-ssa-warn-access.cc (pointers_related_p): Return false for an unknown result as documented. gcc/testsuite/ChangeLog: PR middle-end/104069 * gcc.dg/Wuse-after-free.c: New test.
---
diff --git a/gcc/gimple-ssa-warn-access.cc b/gcc/gimple-ssa-warn-access.cc
index f639807a78a6..f9508a1d2119 100644
--- a/gcc/gimple-ssa-warn-access.cc
+++ b/gcc/gimple-ssa-warn-access.cc
@@ -4082,7 +4082,9 @@ pointers_related_p (gimple *stmt, tree p, tree q, pointer_query &qry)
 access_ref pref, qref;
 if (!qry.get_ref (p, stmt, &pref, 0) || !qry.get_ref (q, stmt, &qref, 0))
- return true;
+ /* GET_REF() only rarely fails. When it does, it's likely because
+ it involves a self-referential PHI. Return a conservative result. */
+ return false;
 return pref.ref == qref.ref;
 }
diff --git a/gcc/testsuite/gcc.dg/Wuse-after-free.c b/gcc/testsuite/gcc.dg/Wuse-after-free.c
new file mode 100644
index 000000000000..9862de5c0a9c
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/Wuse-after-free.c
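Review bot: The new comment above `return false;` calls the result conservative without saying in which direction. For a warning pass this presumably means the two pointers are treated as unrelated and the -Wuse-after-free check is skipped, so a real use after free reached through a pointer for which get_ref() fails would go unreported; that trade-off deserves to be written down. I would extend the comment along the lines of `Return false (unrelated) to avoid a false positive, accepting a possible missed warning.` pointers_related_p begins above the hunk and its callers are not shown, so the effect on the diagnostic is inferred from the commit message rather than from visible code.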
@@ -0,0 +1,41 @@
+/* PR middle-end/104069 - -Werror=use-after-free false positive on
+ elfutils-0.186
+ { dg-do compile }
+ { dg-options "-Wall" } */
+
+typedef __SIZE_TYPE__ size_t;
+
+extern void* realloc (void *, size_t);
+
+void* __libdw_unzstd (size_t todo)
+{
+ void *sb = 0;
+
+ for ( ; ; )
+ {
+ // Ran only once.
+ if (!sb)
+ {
+ char *b = realloc (sb, todo);
+ if (!b)
+ break;
+
+ sb = b;
+ }
+
+ todo -= 1;
+ if (todo == 0)
+ break;
+ }
+
+ // Shrink buffer: leave only one byte for simplicity.
+ char *b = realloc (sb, 1);
+ if (b)
+ sb = b;
+ else
+ {
+ // Realloc failed mysteriously, leave 'sb' untouched.
+ }
+
+ return sb; // { dg-bogus "-Wuse-after-free" }
+}
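Review bot: The test pins only the false-positive side, through `dg-bogus` on `return sb;`; nothing added here checks that a genuine use of a pointer after a successful realloc is still diagnosed now that pointers_related_p answers false when get_ref() fails. A second small function in this file whose offending line carries `// { dg-warning "-Wuse-after-free" }` would guard against the warning being suppressed too broadly. Existing tests outside this commit may already cover that, but it is worth confirming they exercise this path.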