[Bug tree-optimization/104069] -Werror=use-after-free false positive on elfutils-0.186

[slyfox at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069

--- Comment #5 from Sergei Trofimovich <slyfox at gcc dot gnu.org> ---
(In reply to Martin Sebor from comment #4)
> Actually, this is already supposed to be handled but the code is not
> effective due to a typo.  This fixes it:
> 
> diff --git a/gcc/gimple-ssa-warn-access.cc b/gcc/gimple-ssa-warn-access.cc
> index f639807a78a..f9508a1d211 100644
> --- a/gcc/gimple-ssa-warn-access.cc
> +++ b/gcc/gimple-ssa-warn-access.cc
> @@ -4082,7 +4082,9 @@ pointers_related_p (gimple *stmt, tree p, tree q,
> pointer_query &qry)
>    access_ref pref, qref;
>    if (!qry.get_ref (p, stmt, &pref, 0)
>        || !qry.get_ref (q, stmt, &qref, 0))
> -    return true;
> +    /* GET_REF() only rarely fails.  When it does, it's likely because
> +       it involves a self-referential PHI.  Return a conservative result. 
> */
> +    return false;
>  
>    return pref.ref == qref.ref;
>  }

Thank you! This helped elfutils-0.186.

But linux's objtool still fails to build. Here is extracted false positive (I
think it's false positive):

typedef long unsigned int size_t;

extern void *malloc(size_t __size) __attribute__((__nothrow__, __leaf__))
__attribute__((__malloc__)) __attribute__((__alloc_size__(1)));
extern void *realloc(void *__ptr, size_t __size)
    __attribute__((__nothrow__, __leaf__))
    __attribute__((__warn_unused_result__)) __attribute__((__alloc_size__(2)));
extern void die(const char *err, ...);

struct cmdnames {
  size_t alloc;
  size_t cnt;
  struct cmdname {
    size_t len;
    char name[];
  } * *names;
};

static inline void *xrealloc(void *ptr, size_t size) {
  void *ret = realloc(ptr, size);
  if (!ret && !size)
    ret = realloc(ptr, 1);
  if (!ret) {
    ret = realloc(ptr, size);
    if (!ret && !size)
      ret = realloc(ptr, 1);
    if (!ret)
      die("Out of memory, realloc failed");
  }
  return ret;
}

void add_cmdname(struct cmdnames *cmds, const char *name, size_t len) {
  struct cmdname *ent = malloc(sizeof(*ent) + len + 1);
  ent->len = len;
  // memcpy(ent->name, name, len);
  ent->name[len] = 0;
  do {
    if ((cmds->cnt + 1) > cmds->alloc) {
      if ((((cmds->alloc) + 16) * 3 / 2) < (cmds->cnt + 1))
        cmds->alloc = (cmds->cnt + 1);
      else
        cmds->alloc = (((cmds->alloc) + 16) * 3 / 2);
      cmds->names =
          xrealloc((cmds->names), cmds->alloc * sizeof(*(cmds->names)));
    }
  } while (0);
  cmds->names[cmds->cnt++] = ent;
}

$ gcc-12.0.0 -Wall -Werror -c help.c.c
help.c.c: In function 'xrealloc':
help.c.c:26:13: error: pointer 'ptr' may be used after 'realloc'
[-Werror=use-after-free]
   26 |       ret = realloc(ptr, 1);
      |             ^~~~~~~~~~~~~~~
help.c.c:20:15: note: call to 'realloc' here
   20 |   void *ret = realloc(ptr, size);
      |               ^~~~~~~~~~~~~~~~~~
help.c.c:24:11: error: pointer 'ptr' may be used after 'realloc'
[-Werror=use-after-free]
   24 |     ret = realloc(ptr, size);
      |           ^~~~~~~~~~~~~~~~~~
help.c.c:20:15: note: call to 'realloc' here
   20 |   void *ret = realloc(ptr, size);
      |               ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors