BurtonQin / lockbud

Statically detect memory, concurrency bugs and possible panic locations for Rust.
BSD 3-Clause "New" or "Revised" License

FP UseAfterFree Warning #69

Open stoneman258 opened 2 months ago

stoneman258 commented 2 months ago

Description

I encountered a false positive while using Lockbud to analyze the ntpd package. Lockbud flagged a use-after-free in the tokio crate. However, upon closer inspection, it seems this might be an incorrect detection.

Code snippets

https://github.com/tokio-rs/tokio/blob/48c55768fd6ae47d1c015b154a0ebd2579688359/tokio/src/util/slab.rs#L311-L323

```rust
debug_assert!(
    self.cached[idx].slots.is_null() || self.cached[idx].slots == vec.as_ptr(),    //line311
    "cached = {:?}; actual = {:?}",
    self.cached[idx].slots,
    vec.as_ptr(),
);

// Clear cache
self.cached[idx].slots = ptr::null();
self.cached[idx].init = 0;

drop(vec);    //line323
}
```

Result

```json
{
  "UseAfterFree": {
    "bug_kind": "UseAfterFree",
    "possibility": "Possibly",
    "diagnosis": "Raw ptr is used at ~/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.29.0/src/util/slab.rs:315:17: 315:29 (#1653) after dropped at ~/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.29.0/src/util/slab.rs:322:13: 322:22 (#0)",
    "explanation": "Raw ptr is used or escapes the current function after the pointed value is dropped"
  }
},
```

Lockbud reports a wrong UseAfterFree warning. The vec is never used after the drop in line 323.

Reproduction

```shell
git clone https://github.com/pendulum-project/ntpd-rs.git
cd ntpd-rs
git checkout v0.3.6
cargo lockbud -k all -l tokio
```
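To make the flagged pattern concrete, here is an added, self-contained model of it (example code, not tokio's or lockbud's own): a cache holds a raw pointer derived from a `Vec`, and on release the pointer is compared (debug builds only), nulled, and only then is the `Vec` freed. Every access through the cached pointer is guarded by the null check, so no dereference can follow the drop. The type and method names (`CachedPage`, `refresh`, `get`, `release`, `demo`) and the sample data are assumptions made for this illustration.

```rust
// Added example modelling the slab cache pattern lockbud flagged.
// Not tokio's or lockbud's code; all names below are assumptions.
use std::ptr;

/// Cached view of a page's slot storage: a raw pointer plus the number of
/// initialised slots behind it.
pub struct CachedPage {
    pub slots: *const u64,
    pub init: usize,
}

impl CachedPage {
    pub fn empty() -> Self {
        CachedPage { slots: ptr::null(), init: 0 }
    }

    /// Refresh the cache from a live Vec. Sound only while the Vec outlives the
    /// cached pointer, or the cache is cleared before the Vec is freed.
    pub fn refresh(&mut self, vec: &Vec<u64>) {
        self.slots = vec.as_ptr();
        self.init = vec.len();
    }

    /// Read slot `i` through the cached pointer; None if the cache is cleared
    /// or `i` is outside the initialised range.
    pub fn get(&self, i: usize) -> Option<u64> {
        if self.slots.is_null() || i >= self.init {
            return None;
        }
        // SAFETY: slots is non-null and i < init, and release() guarantees the
        // backing Vec is still alive whenever slots is non-null.
        Some(unsafe { *self.slots.add(i) })
    }

    /// Release the backing storage in the same order as the flagged tokio code:
    /// the pointer comparison happens BEFORE the drop, the cache is cleared,
    /// and only then is the Vec freed. Nothing reads `slots` after `drop(vec)`.
    pub fn release(&mut self, vec: Vec<u64>) {
        debug_assert!(
            self.slots.is_null() || self.slots == vec.as_ptr(),
            "cached = {:?}; actual = {:?}",
            self.slots,
            vec.as_ptr()
        );
        self.slots = ptr::null();
        self.init = 0;
        drop(vec);
    }
}

/// Drive the pattern end to end: returns (read before release, read after release).
pub fn demo() -> (Option<u64>, Option<u64>) {
    let vec: Vec<u64> = vec![10, 20, 30]; // constructed sample data
    let mut cache = CachedPage::empty();
    cache.refresh(&vec);
    let before = cache.get(1);
    cache.release(vec);
    let after = cache.get(1);
    (before, after)
}

fn main() {
    println!("{:?}", demo());
}
```

Running `demo()` yields `(Some(20), None)`: the read before release goes through the live pointer, and the read after release is refused because the cache was nulled before the `Vec` was dropped. A flow-insensitive pointer analysis that only sees "pointer derived from `vec` is read in this function, and `vec` is dropped in this function" cannot tell that the read precedes the drop, which is the imprecision behind the false positive.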
BurtonQin commented 1 month ago

Nice catch! This is due to the imprecise pointer analysis. I am working to migrate to a new, more precise pointer analysis based on RUPTA. The current workaround is to blacklist Tokio and only detect the project repo.