Title goes here

use after ‘free’ of ‘*first.2_7->m_next.m_next’ [CWE-416] [-Wanalyzer-use-after-free]

38		first->m_next->m_next->m_next->m_next = NULL; /* { dg-warning "-Wanalyzer-use-after-free" } */
		~~~~~~~~~~~~~~~~~~~~~^~~~~~~~

test

test: events 1-2

28		test ()
		^~~~
		\|
		(1) entry to ‘test’
29		{
30		if (!append_value (42))
		~~~~~~~~~~~~~~~~~
		\|
		(2) calling ‘append_value’ from ‘test’

append_value

append_value: events 3-7

12		append_value (int value)
		^~~~~~~~~~~~
		\|
		(3) entry to ‘append_value’
13		{
14		struct node *n = __builtin_malloc (sizeof (struct node));
		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		\|
		(4) allocated here
15		if (!n)
		~
		\|
		(5) assuming ‘n’ is non-NULL
		(6) following ‘false’ branch (when ‘n’ is non-NULL)... ─>─┐
		│
		│
	┌	───────────────────────────────────────────────────────────────┘
16	│	return 0;
17	│	n->m_val = value;
	│	~~~~~~~~~~~~~~~~
	│	\|
	└	──────────>(7) ...to here

test: event 8

30		if (!append_value (42))
		^~~~~~~~~~~~~~~~~
		\|
		(8) returning to ‘test’ from ‘append_value’

test: events 9-11

30		if (!append_value (42))
		^
		\|
		(9) following ‘false’ branch... ─>─┐
		│
		│
	┌	────────────────────────────────────────┘
31	│	return;
32	│	if (!append_value (1066))
	│	~~~~~~~~~~~~~~~~~~~
	│	\|
	└	──────>(10) ...to here
		(11) calling ‘append_value’ from ‘test’

append_value

append_value: events 12-14

12		append_value (int value)
		^~~~~~~~~~~~
		\|
		(12) entry to ‘append_value’
[...]
15		if (!n)
		~
		\|
		(13) following ‘false’ branch (when ‘n’ is non-NULL)... ─>─┐
		│
		│
	┌	────────────────────────────────────────────────────────────────┘
16	│	return 0;
17	│	n->m_val = value;
	│	~~~~~~~~~~~~~~~~
	│	\|
	└	──────────>(14) ...to here

test: event 15

32		if (!append_value (1066))
		^~~~~~~~~~~~~~~~~~~
		\|
		(15) returning to ‘test’ from ‘append_value’

test: events 16-18

32		if (!append_value (1066))
		^
		\|
		(16) following ‘false’ branch... ─>─┐
		│
		│
	┌	─────────────────────────────────────────┘
33	│	return;
34	│	if (!append_value (1776))
	│	~~~~~~~~~~~~~~~~~~~
	│	\|
	└	──────>(17) ...to here
		(18) calling ‘append_value’ from ‘test’

append_value

append_value: events 19-21

12		append_value (int value)
		^~~~~~~~~~~~
		\|
		(19) entry to ‘append_value’
[...]
15		if (!n)
		~
		\|
		(20) following ‘false’ branch (when ‘n’ is non-NULL)... ─>─┐
		│
		│
	┌	────────────────────────────────────────────────────────────────┘
16	│	return 0;
17	│	n->m_val = value;
	│	~~~~~~~~~~~~~~~~
	│	\|
	└	──────────>(21) ...to here

test: event 22

34		if (!append_value (1776))
		^~~~~~~~~~~~~~~~~~~
		\|
		(22) returning to ‘test’ from ‘append_value’

test: events 23-24

34		if (!append_value (1776))
		^
		\|
		(23) following ‘false’ branch... ─>─┐
		│
[...]
		│
	┌	─────────────────────────────────────────┘
37	│	__builtin_free (first->m_next->m_next);
	│	~~
	│	\|
	└	──────────────────────>(24) ...to here

test: events 25-26

37		__builtin_free (first->m_next->m_next);
		^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		\|
		(25) freed here
38		first->m_next->m_next->m_next->m_next = NULL; /* { dg-warning "-Wanalyzer-use-after-free" } */
		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		\|
		(26) ⚠️ use after ‘free’ of ‘*first.2_7->m_next.m_next’; freed at (25)