Does GCC have features to detect use-after-free bugs?

Question

Here is my code snippet:

#include <stdlib.h>
#include <stdio.h>

typedef struct node
{
    char key;          // value
    struct node *next; // pointer to the next element
} Node;

int main(void)
{
    Node *n = malloc(sizeof(Node));
    n->key = 'K';
    n->next = NULL;

    free(n);

    printf("%c\n", n->key);
}

When the above snippet is compiled and run...

ganningxu@Gannings-Computer:~/test$ gcc test_faults.c -o test_faults; ./test_faults
K

ganningxu@Gannings-Computer:~/test$ clang test_faults.c -o test_faults; ./test_faults
K

There are no compiler warnings or errors when the freed memory is accessed. Is there any way to force the compiler to show such errors?

Compiler does not care about memory management in general. Its job is to translate the C code into machine code — Eugene Sh., Oct 04 '21 at 18:51
@EugeneSh. I think he means force it to generate code that produces errors. — Barmar, Oct 04 '21 at 18:51
One commonly used *workaround* is to set the pointer to `NULL` right after `free` ... `free(x); x = NULL;` — pmg, Oct 08 '21 at 15:14
All the above comments are wrong. GCC can trivially detect this exact example with the correct compiler warning, -Wuse-after-free: https://gcc.godbolt.org/z/Mhbd6h5dW — Jean-Michaël Celerier, Apr 11 '23 at 15:03
It's also possible to use the more powerful (but slower) -fanalyzer feature: https://gcc.godbolt.org/z/35c5WY33E — Jean-Michaël Celerier, Apr 11 '23 at 15:05
And the equivalent with clang, --analyze: https://gcc.godbolt.org/z/a9EMTMoxx — Jean-Michaël Celerier, Apr 11 '23 at 15:11

score 7 · Accepted Answer · answered Oct 04 '21 at 19:01

When compiling with GCC, you can use -fsanitize=address so that “Memory access instructions are instrumented to detect out-of-bounds and use-after-free bugs.” This will of course affect program performance, and it may also change the program behavior if there are bugs.

Does GCC have features to detect use-after-free bugs?

1 Answers1