[LLVMbugs] [Bug 18222] New: false positive "Use of memory after it is freed" in TAILQ

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Thu Dec 12 00:20:18 PST 2013


http://llvm.org/bugs/show_bug.cgi?id=18222

            Bug ID: 18222
           Summary: false positive "Use of memory after it is freed" in
                    TAILQ
           Product: clang
           Version: 3.3
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: clangbugzilla at inliniac.net
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Created attachment 11712
  --> http://llvm.org/bugs/attachment.cgi?id=11712&action=edit
Code to reproduce issue.

The code below (also attached) compiles cleanly with:
clang -ggdb -O0 -Werror -Wall -Wextra main.c

I use what I believe to be the latest stable, as shipped by Ubuntu 13.10:
$ /usr/bin/clang --version
Ubuntu clang version 3.3-5ubuntu4 (branches/release_33) (based on LLVM 3.3)
Target: x86_64-pc-linux-gnu
Thread model: posix

The code uses the sys/queue.h implementation that comes with Linux and
perhaps other OSes as well.


When I run this through scan-build, it reports a use-after-free case:

$ scan-build -v clang -ggdb -O0 -Werror -Wall -Wextra main.c && ./a.out
scan-build: Using '/usr/bin/clang' for static analysis
scan-build: Emitting reports for this run to '/tmp/scan-build-2013-12-11-37'.
main.c:29:9: warning: Use of memory after it is freed
        printf("module %p\n", module);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
scan-build: 1 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2013-12-11-37' to examine bug reports.
module 0x9a4010

However, if I enable the HWBARRIER define (see code below), the warning
goes away:

$ scan-build -v clang -ggdb -O0 -Werror -Wall -Wextra main.c -DHWBARRIER=1 && ./a.out
scan-build: Using '/usr/bin/clang' for static analysis
scan-build: Emitting reports for this run to '/tmp/scan-build-2013-12-11-38'.
scan-build: Removing directory '/tmp/scan-build-2013-12-11-38' because it contains no reports.
scan-build: No bugs found.
module 0x1be1010

The compiler barrier (SWBARRIER) doesn't do the trick though.

Is this a bug in clang and/or scan-build or am I missing an issue with
this code? In all cases valgrind is happy with it.


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/queue.h>

typedef struct OutputModule_ {
    TAILQ_ENTRY(OutputModule_) entries;
} OutputModule;

static TAILQ_HEAD(, OutputModule_) output_modules =
    TAILQ_HEAD_INITIALIZER(output_modules);

void add_to_tailq(void) {
    OutputModule *module = calloc(1, sizeof(*module));
    TAILQ_INSERT_TAIL(&output_modules, module, entries);
}

int main () {
    add_to_tailq();

    OutputModule *module;
    while ((module = TAILQ_FIRST(&output_modules))) {
#if HWBARRIER
        __sync_synchronize();
#elif SWBARRIER
        asm volatile("" ::: "memory");
#endif
        printf("module %p\n", module);

        TAILQ_REMOVE(&output_modules, TAILQ_FIRST(&output_modules), entries);
        free(module);
    }
    exit(EXIT_SUCCESS);
}


Thanks,
Victor

-- 
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
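As an added example (not the reporter's attached code), the same drain loop written in the save-next-then-unlink idiom: the successor is read before the element is unlinked and freed, so no pointer is dereferenced after free() and TAILQ_REMOVE receives the element handle directly rather than re-evaluating TAILQ_FIRST inside the macro. The `id` field, `fill_tailq`, `sum_ids` and `drain_tailq` are constructed here for checking; the list layout matches the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* Same element/list shape as the reproducer; `id` is a constructed payload. */
typedef struct OutputModule_ {
    int id;
    TAILQ_ENTRY(OutputModule_) entries;
} OutputModule;

static TAILQ_HEAD(, OutputModule_) output_modules =
    TAILQ_HEAD_INITIALIZER(output_modules);

/* Append n modules with ids 0..n-1; returns how many were actually added. */
int fill_tailq(int n) {
    int added = 0;
    for (int i = 0; i < n; i++) {
        OutputModule *m = calloc(1, sizeof(*m));
        if (m == NULL)
            break;                     /* allocation failure leaves the list consistent */
        m->id = i;
        TAILQ_INSERT_TAIL(&output_modules, m, entries);
        added++;
    }
    return added;
}

/* Read-only walk: sums ids in list order (0 for an empty list). */
int sum_ids(void) {
    int sum = 0;
    OutputModule *m;
    TAILQ_FOREACH(m, &output_modules, entries)
        sum += m->id;
    return sum;
}

/* Drain: fetch the successor before unlinking, then free. The freed
 * pointer is never touched again. Returns the number of elements freed,
 * or -1 if the head is not empty afterwards (would indicate a corrupt list). */
int drain_tailq(void) {
    int freed = 0;
    OutputModule *m = TAILQ_FIRST(&output_modules), *next;
    for (; m != NULL; m = next) {
        next = TAILQ_NEXT(m, entries); /* read while m is still live */
        TAILQ_REMOVE(&output_modules, m, entries);
        free(m);
        freed++;
    }
    return TAILQ_EMPTY(&output_modules) ? freed : -1;
}
```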


