<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - False positive [Use-after-free]: a different part of the struct is freed than what is subsequently used"
href="https://bugs.llvm.org/show_bug.cgi?id=34322">34322</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>False positive [Use-after-free]: a different part of the struct is freed than what is subsequently used
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Static Analyzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>kremenek@apple.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jdanek@redhat.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=19041" name="attach_19041" title="report html">attachment 19041</a> <a href="attachment.cgi?id=19041&action=edit" title="report html">[details]</a></span>
report html
The report in question. One can clearly see that q->name is freed, but then
only q->messages.len is accessed.
I haven't tried creating a self-contained reproducer for this. I will do that if
I am asked.
Version: clang version 6.0.0-svn309375-1~exp1 (trunk); from the debian snapshot
packages, on Debian Stretch.

void queues_destroy(queues_t *qs) {
  for (queue_t *q = qs->queues; q; q = q->next) {
    /* [1] Loop condition is true. Entering loop body */
    queue_destroy(q);
    /* [2] Calling 'queue_destroy' */
    free(q);
  }
  pthread_mutex_destroy(&qs->lock);
}

static void queue_destroy(queue_t *q) {
  pthread_mutex_destroy(&q->lock);
  free(q->name);
  /* [3] Memory is released */
  for (size_t i = 0; i < q->messages.len; ++i)
    /* [4] Use of memory after it is freed */
    free(q->messages.data[i].start);
  VEC_FINAL(q->messages);
  for (size_t i = 0; i < q->waiting.len; ++i)
    pn_decref(q->waiting.data[i]);
  VEC_FINAL(q->waiting);
}</pre>
</div>
</p>
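<p>An added, self-contained version of the pattern the report describes, written for this page rather than taken from the reporter's project or from clang: a queue whose name is a separate heap block and whose message vector is embedded in the struct, so that free(q->name) followed by a read of q->messages.len touches a different allocation and is valid C. The type and field names follow the report; the vector layout, the helper functions and the sample queues are assumptions, and the mutex and waiting list are left out. One caveat visible in the report's own listing: its queues_destroy loop evaluates q->next in the increment clause after free(q), which is a genuine use of freed memory, so the version here reads the successor before freeing the node.</p>

```c
/* Added reproducer for the pattern in bug 34322; not the reporter's code. */
#include <stdlib.h>
#include <string.h>

typedef struct { char *start; size_t len; } message_t;              /* own heap buffer */
typedef struct { message_t *data; size_t len, cap; } message_vec_t; /* stands in for VEC_* */

typedef struct queue {      /* mutex and waiting list from the report omitted */
    char *name;             /* separate allocation, freed first in queue_destroy */
    message_vec_t messages; /* embedded in *q, unaffected by free(q->name) */
    struct queue *next;
} queue_t;

typedef struct { queue_t *queues; } queues_t;

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static int message_vec_push(message_vec_t *v, char *start, size_t len) {
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        message_t *nd = realloc(v->data, ncap * sizeof *nd);
        if (!nd) return -1;
        v->data = nd;
        v->cap = ncap;
    }
    v->data[v->len++] = (message_t){ start, len };
    return 0;
}

queue_t *queue_create(const char *name) {
    queue_t *q = calloc(1, sizeof *q);
    if (q && !(q->name = dup_string(name))) { free(q); q = NULL; }
    return q;
}

int queue_add_message(queue_t *q, const char *text) {
    char *copy = dup_string(text);
    if (!copy) return -1;
    if (message_vec_push(&q->messages, copy, strlen(text)) != 0) { free(copy); return -1; }
    return 0;
}

/* As in the report: q->name is released, then q->messages.len is read. That
 * field lives inside *q, not in the freed block, so the read is valid C.
 * Returns the number of message buffers freed so a caller can check the walk. */
size_t queue_destroy(queue_t *q) {
    size_t released = 0;
    free(q->name);
    q->name = NULL;
    for (size_t i = 0; i < q->messages.len; ++i) {
        free(q->messages.data[i].start);
        released++;
    }
    free(q->messages.data);             /* stands in for VEC_FINAL(q->messages) */
    q->messages.data = NULL;
    q->messages.len = q->messages.cap = 0;
    return released;
}

/* The report's loop evaluates q->next in the increment clause after free(q);
 * here the successor is read before the node is released. */
size_t queues_destroy(queues_t *qs) {
    size_t total = 0;
    queue_t *q = qs->queues;
    while (q) {
        queue_t *next = q->next;
        total += queue_destroy(q);
        free(q);
        q = next;
    }
    qs->queues = NULL;
    return total;
}

/* Constructed sample input: two linked queues holding 3 and 2 messages.
 * Returns the number of messages added, or (size_t)-1 if allocation failed. */
size_t build_sample_queues(queues_t *qs) {
    const char *const a_msgs[] = { "alpha", "beta", "gamma" };
    const char *const b_msgs[] = { "delta", "epsilon" };
    queue_t *a = queue_create("orders");
    queue_t *b = queue_create("events");
    size_t added = 0;
    qs->queues = NULL;
    if (!a || !b) {
        if (a) { queue_destroy(a); free(a); }
        if (b) { queue_destroy(b); free(b); }
        return (size_t)-1;
    }
    for (size_t i = 0; i < 3; ++i) if (queue_add_message(a, a_msgs[i]) == 0) added++;
    for (size_t i = 0; i < 2; ++i) if (queue_add_message(b, b_msgs[i]) == 0) added++;
    a->next = b;
    qs->queues = a;
    return added;
}
```

<p>Compiled normally, build_sample_queues and queues_destroy agree on the message count (5) and every allocation is released once. To check a particular clang build against the report, run <code>clang --analyze</code> on this file and see whether queue_destroy is flagged at the q->messages.len read; which versions do so is not verified on this page.</p>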
</body>
</html>