<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - false positive "Use of memory after it is freed" in TAILQ"
href="http://llvm.org/bugs/show_bug.cgi?id=18222">18222</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>false positive "Use of memory after it is freed" in TAILQ
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>3.3
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Static Analyzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>kremenek@apple.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>clangbugzilla@inliniac.net
</td>
</tr>
<tr>
<th>CC</th>
<td>llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=11712" name="attach_11712" title="Code to reproduce issue.">attachment 11712</a> <a href="attachment.cgi?id=11712&action=edit" title="Code to reproduce issue.">[details]</a></span>
Code to reproduce issue.

The code below (also attached) compiles cleanly with:

clang -ggdb -O0 -Werror -Wall -Wextra main.c

I use what I believe to be the latest stable, as shipped by Ubuntu 13.10:

$ /usr/bin/clang --version
Ubuntu clang version 3.3-5ubuntu4 (branches/release_33) (based on LLVM 3.3)
Target: x86_64-pc-linux-gnu
Thread model: posix

The code uses the sys/queue.h implementations that come with Linux and
perhaps other OSes as well.

When I run this through scan-build, it reports a use after free case:

$ scan-build -v clang -ggdb -O0 -Werror -Wall -Wextra main.c && ./a.out
scan-build: Using '/usr/bin/clang' for static analysis
scan-build: Emitting reports for this run to
'/tmp/scan-build-2013-12-11-37'.
main.c:29:9: warning: Use of memory after it is freed
        printf("module %p\n", module);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
scan-build: 1 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2013-12-11-37' to examine bug
reports.
module 0x9a4010

However, if I enable the HWBARRIER define (see code below), the warning
goes away:

$ scan-build -v clang -ggdb -O0 -Werror -Wall -Wextra main.c -DHWBARRIER=1 && ./a.out
scan-build: Using '/usr/bin/clang' for static analysis
scan-build: Emitting reports for this run to
'/tmp/scan-build-2013-12-11-38'.
scan-build: Removing directory '/tmp/scan-build-2013-12-11-38' because
it contains no reports.
scan-build: No bugs found.
module 0x1be1010

The compiler barrier (SWBARRIER) doesn't do the trick though.

Is this a bug in clang and/or scan-build or am I missing an issue with
this code? In all cases valgrind is happy with it.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

typedef struct OutputModule_ {
    TAILQ_ENTRY(OutputModule_) entries;
} OutputModule;

static TAILQ_HEAD(, OutputModule_) output_modules =
    TAILQ_HEAD_INITIALIZER(output_modules);

void add_to_tailq(void) {
    OutputModule *module = calloc(1, sizeof(*module));
    TAILQ_INSERT_TAIL(&output_modules, module, entries);
}

int main () {
    add_to_tailq();
    OutputModule *module;
    while ((module = TAILQ_FIRST(&output_modules))) {
#if HWBARRIER
        __sync_synchronize();            /* hardware barrier: the warning disappears */
#elif SWBARRIER
        asm volatile("" ::: "memory");   /* compiler-only barrier: the warning remains */
#endif
        printf("module %p\n", module);
        TAILQ_REMOVE(&output_modules, TAILQ_FIRST(&output_modules), entries);
        free(module);
    }
    exit(EXIT_SUCCESS);
}

Thanks,
Victor
-- --------------------------------------------- Victor Julien
<a href="http://www.inliniac.net/">http://www.inliniac.net/</a> PGP: <a href="http://www.inliniac.net/victorjulien.asc">http://www.inliniac.net/victorjulien.asc</a>
---------------------------------------------
</pre>
</div>
</p>
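<p>An added example, not the reporter's code and not anything from clang: it drains a TAILQ built with the same sys/queue.h macros using the report's read-head, remove, free pattern while checking the back-pointer invariant that makes that pattern safe, and beside it a drain that caches the successor so the head is never re-read after a free. Node, NodeList, fill, drain_like_report and drain_cached_next are names chosen here.</p>

```c
#include <stdlib.h>
#include <sys/queue.h>
/* Added example, not the reporter's code: the report's TAILQ_ENTRY layout plus an id. */
typedef struct Node_ {
    int id;
    TAILQ_ENTRY(Node_) entries;
} Node;
TAILQ_HEAD(NodeList, Node_);
/* Constructed input: append n nodes with ids 0..n-1 to an initialised head. */
static void fill(struct NodeList *head, int n) {
    for (int i = 0; i < n; i++) {
        Node *node = calloc(1, sizeof(*node));
        if (node == NULL) abort();
        node->id = i;
        TAILQ_INSERT_TAIL(head, node, entries);
    }
}
/* Drain as the report does (read head, remove, free) while checking the invariant that
 * makes it safe: the first element's tqe_prev aliases &head->tqh_first, so TAILQ_REMOVE
 * rewrites the head itself. Returns nodes freed, or -1 if the invariant ever failed. */
static int drain_like_report(int n) {
    struct NodeList head = TAILQ_HEAD_INITIALIZER(head);
    Node *node;
    int freed = 0, ok = 1;
    fill(&head, n);
    while ((node = TAILQ_FIRST(&head)) != NULL) {
        ok = ok && node->entries.tqe_prev == &head.tqh_first;
        TAILQ_REMOVE(&head, TAILQ_FIRST(&head), entries);
        ok = ok && TAILQ_FIRST(&head) != node;  /* pointer compare only, no deref */
        free(node);
        freed++;
    }
    return ok ? freed : -1;
}

/* Alternative that never re-reads the head after a free: cache the successor
 * before removing. Returns the sum of freed ids, 0+1+...+(n-1). */
static long drain_cached_next(int n) {
    struct NodeList head = TAILQ_HEAD_INITIALIZER(head);
    Node *node, *next;
    long sum = 0;
    fill(&head, n);
    for (node = TAILQ_FIRST(&head); node != NULL; node = next) {
        next = TAILQ_NEXT(node, entries);
        sum += node->id;
        TAILQ_REMOVE(&head, node, entries);
        free(node);
    }
    return sum;
}
```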
</body>
</html>