[Bug tree-optimization/109238] [13 Regression] tst-realloc.i:42:19: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free] in glibc tests

[rguenth at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109238

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |amacleod at redhat dot com

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
For the given CFG where

  dominated_by_p (CDI_DOMINATORS, gimple_bb (use_stmt), gimple_bb (stmt));

and we have

<bb 28> [local count: 428124]:
c_24 = realloc (p_17, 18446744073709551615);
if (c_24 != 0B)
  goto <bb 29>; [99.96%]
else
  goto <bb 33>; [0.04%]

.. on the 28->33 edge intermediate blocks, including a CFG cycle ...

<bb 36> [local count: 171]:
p_31 = realloc (p_17, 0);

but range_of_expr (vr, c_24, use_stmt) doesn't give us [0,0], instead we
get VARYING.

It looks like we go range_of_stmt of the c_24 def and then m_cache.block_range
has a VARYING entry range as well and then we're done.

176      range_of_expr(c_24) at stmt p_31 = realloc (p_17, 0);
177        range_on_entry (c_24) to BB 36
178          range_of_stmt (c_24) at stmt c_24 = realloc (p_17,
18446744073709551615);
   GLOBAL : UPDATE cache for c_24 in BB 28 : successors :   : No updates!
             TRUE : (178) range_of_stmt (c_24) [irange] unsigned char * VARYING

c_24 : CACHE: BB 36 DOM query for c_24, found [irange] unsigned char * VARYING
at BB28
179     GORI  outgoing_edge for c_24 on edge 28->33
180     GORI    compute op 1 (c_24) at if (c_24 != 0B)
        GORI      LHS =[irange] _Bool [0, 0] NONZERO 0x0
        GORI      Computes c_24 = [irange] unsigned char * [0, 0] NONZERO 0x0
intersect Known range : [irange] unsigned char * VARYING
        GORI    TRUE : (180) produces  (c_24) [irange] unsigned char * [0, 0]
NONZERO 0x0
        GORI  TRUE : (179) outgoing_edge (c_24) [irange] unsigned char * [0, 0]
NONZERO 0x0
CACHE: BB 32 DOM query for c_24, found [irange] unsigned char * VARYING at BB28
CACHE: Range for DOM returns : [irange] unsigned char * VARYING
CACHE: Range for DOM returns : [irange] unsigned char * VARYING
Filled from dominator! :  [irange] unsigned char * VARYING
           TRUE : (177) range_on_entry (c_24) [irange] unsigned char * VARYING
         TRUE : (176) range_of_expr (c_24) [irange] unsigned char * VARYING
181      range_of_expr(c_24) at stmt _27 = p_17 + _26;
182        range_on_entry (c_24) to BB 30
183          range_of_stmt (c_24) at stmt c_24 = realloc (p_17,
18446744073709551615);
             TRUE : (183)  cached (c_24) [irange] unsigned char * VARYING

c_24 : CACHE: BB 30 DOM query for c_24, found [irange] unsigned char * VARYING
at BB33
CACHE: Range for DOM returns : [irange] unsigned char * VARYING
Filled from dominator! :  [irange] unsigned char * VARYING
           TRUE : (182) range_on_entry (c_24) [irange] unsigned char * VARYING
...

(not sure where relevant dumps stop).

A reduced testcase like the following doesn't exhibit this issue - the
range is successfully computed as [0,0] there.  So to me this looks like
a ranger issue?  Andrew?

#include <stdlib.h>

int do_test(void *p)
{
  unsigned char *c = realloc (p, -1);
  if (c != 0)
    abort ();

  c = p;
  int ok = 1;

  for (int i = 0; i < 16; i++)
    {
      if (c[i] != 0xff)
        ok = 0;
    }

  if (!ok)
    abort ();

  p = realloc (p, 0);
  if (p != NULL)
    abort ();

  return ok;
}