| Message ID | CY4PR1801MB1910C4DBB72F9231EC5C16B8C6629@CY4PR1801MB1910.namprd18.prod.outlook.com |
|---|---|
| State | New, archived |
| Headers |
Return-Path: <gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:6a10:20da:b0:2d3:3019:e567 with SMTP id
n26csp2616411pxc;
Tue, 9 Aug 2022 09:13:47 -0700 (PDT)
X-Google-Smtp-Source:
AA6agR5EQoJjMjnp9By0sXsA7V5d26ZckR7tAMPgvNktJxnwtg5hPDkZlajMUBtB2mP6JcglWtKU
X-Received: by 2002:a17:907:20d1:b0:731:5169:106b with SMTP id
qq17-20020a17090720d100b007315169106bmr8623062ejb.667.1660061627502;
Tue, 09 Aug 2022 09:13:47 -0700 (PDT)
Received: from sourceware.org (ip-8-43-85-97.sourceware.org. [8.43.85.97])
by mx.google.com with ESMTPS id
dm21-20020a170907949500b007046fc0f0ccsi2387096ejc.320.2022.08.09.09.13.47
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 09 Aug 2022 09:13:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of
gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org designates 8.43.85.97 as
permitted sender) client-ip=8.43.85.97;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gcc.gnu.org header.s=default header.b=We6IrQoR;
arc=fail (signature failed);
spf=pass (google.com: domain of
gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org designates 8.43.85.97 as
permitted sender)
smtp.mailfrom="gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gnu.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
by sourceware.org (Postfix) with ESMTP id 359683856DE8
for <ouuuleilei@gmail.com>; Tue, 9 Aug 2022 16:13:46 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 359683856DE8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
s=default; t=1660061626;
bh=5BQlvnA9q8B07YG5ItD7iN0m1/XioLGx6LCe+BVlN/E=;
h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post:
List-Help:List-Subscribe:From:Reply-To:Cc:From;
b=We6IrQoRjqWbqQf0xv0mVRUiV/cEWI4544oCiQGdwARgpRQvzgGPrXhx1z3FKC/yf
ls+yJjL8feVHHGfIB3IozdIIorp4g9qQzCiLYu0sgkx4NO/P7F5dE30Jn/JbG28CRu
fOiZ6MZyQnxgozCA94iujyVslLVWg6z5v6yEZxvg=
X-Original-To: gcc-patches@gcc.gnu.org
Delivered-To: gcc-patches@gcc.gnu.org
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
(mail-dm6nam11olkn2078.outbound.protection.outlook.com [40.92.19.78])
by sourceware.org (Postfix) with ESMTPS id 507CB3856DC6
for <gcc-patches@gcc.gnu.org>; Tue, 9 Aug 2022 16:13:02 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 507CB3856DC6
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=SyB8+RodPjvJ3XQWi5dipOGXQqQRRj7EY6cGabSBAj0LBMWJylxS5EddUPOeulFLyYFP1411J3ksP5yJAZ68XRWXUpOAxRiokmWotbiCLmzcS8Qwp8ZYKIPVC3BTNzZCcg7tld2+S0n+3hwac0gcEkWttFhHAgp1+gCbepTCCQJTdcKumpngZnSS2f0ETMY9DiicfqvT48OsOAT8cHqaA5GBKJd/Wcw8e5lxb3z4/QyQ+mTdXH0m8Ui12c3NdU7KxiL4PvP/noMPpXSy3QYF3xaFEwT6HO9IzQp7o1xjbaHH0lIcJZh4IwsvKYri/l+n6G5tX0zgcWh9g6EechMEXA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=5BQlvnA9q8B07YG5ItD7iN0m1/XioLGx6LCe+BVlN/E=;
b=Lthj4Jgevm5kQmqGXOPlvgNhSaF4vkO5gHqn+bA5S0+ZIaTiKpqw2mxY2038QxhDMr6rmbszIGKnFKBQv5b6qCBD9HA0E/mrInwbTFwJ4mSwOSf+J7YPe2exH9c/r7uOHkxQz0yP56pDXIL+rjDQPbGTEyiiagnROn5hLmRPDYEf0xiJTK8Z3Men/tRxa2oi2ZRQW7e6y8JGDNe90S6/PMAzoKOuYTbHhzYQcnzXQBSldLMIaDZuIMmVc6oIiZ97pzb7JBXQu7QJDRilkoTQ9oT5wI2y/UEUgIZbkQmySf7JMEhAWpOCbcQzvFEPWTe+EB0wwy4mbopRfnDt1k1wRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
Received: from CY4PR1801MB1910.namprd18.prod.outlook.com
(2603:10b6:910:79::14) by BN6PR18MB1090.namprd18.prod.outlook.com
(2603:10b6:404:73::16) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5525.10; Tue, 9 Aug
2022 16:13:00 +0000
Received: from CY4PR1801MB1910.namprd18.prod.outlook.com
([fe80::d1fe:5357:ddcf:a38f]) by CY4PR1801MB1910.namprd18.prod.outlook.com
([fe80::d1fe:5357:ddcf:a38f%6]) with mapi id 15.20.5504.020; Tue, 9 Aug 2022
16:13:00 +0000
To: gcc-patches@gcc.gnu.org
Subject: [PATCH] analyzer: fix ICE casued by dup2 in sm-fd.cc[PR106551]
Date: Tue, 9 Aug 2022 21:42:37 +0530
Message-ID:
<CY4PR1801MB1910C4DBB72F9231EC5C16B8C6629@CY4PR1801MB1910.namprd18.prod.outlook.com>
X-Mailer: git-send-email 2.25.1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-TMN: [jJgQVE18WaAtLttbxSNHt8B8T0Rl36pdRhPz1QaRrtJgFnVtpXou80RNbZoNX3Vx]
X-ClientProxiedBy: PN0PR01CA0037.INDPRD01.PROD.OUTLOOK.COM
(2603:1096:c01:49::17) To CY4PR1801MB1910.namprd18.prod.outlook.com
(2603:10b6:910:79::14)
X-Microsoft-Original-Message-ID: <20220809161237.20393-1-mirimmad@outlook.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: ad874d92-8132-479a-12ae-08da7a220793
X-MS-Exchange-SLBlob-MailProps:
dCxCH8EXOwFhp53MC87th4bvPlIP7VUfM19MwYFfgGWsHKkqv+eXUMYeuwlrczRzZ7J1FDIzKRJrawvIc2jWF0JheLdO5YHX8eIVlPeQ56m46Z2QH1DKycrwhsFwU1osuMLuBLg5Gd0o+aTfDz3uHq4q1j1onSJ4oR1QU7l61XfLtk3WZ5yLxw3VVkupn2jcJQbmG1JYqjPE4XlCld032N83kDLpD4bsgOjW4mk/NgmA+yf3gQrYRk7FYK7YWxIY9u6rsKfADJf22x2kq5AOovdo9JBdJ2+h0i10kufRjR8M2EZOBy2b9vbCHuVFoEady7t5vNHp7VRbut6TPmXOAC2+NI2nVYCza6S+bVeb6YKSW66kzzbLE02hyACot+CWpFsMmU9rKTD4844nFq54M3WQy7dh01UaNfdiUnCQarkpzWMhwgOV7gRvL35x07BWpc+mTqV5b8oddp7QN6Q8ueF44qSFB+CNJy15Fw9KF3aDyEomeOZ/3CvdJCE2V/Ab0LF5QjcoPGUJBhhAZdgtZRtCGsW+x4JCbm9HV0IlpWa0Pi9zmstfEbuXpIqOiK8ap9SRPQ7klmAOad9OE40bjJIshCEHz1ZCKlmJrCmGWnckgxq7gHuzBrDHSnKX9z8Z/ZeNMYuCqgGYlUGTZFVv6JogCvxtAf+ASH5SeEit7QNe6R0K8tp88FpqVGWhuE9rvJSTYqvvrf3/yHBC6mku2GT1oQ51WeeWYUyItdmRY244q4Qg72xl0w==
X-MS-TrafficTypeDiagnostic: BN6PR18MB1090:EE_
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
W1QPbDWwecWtSkUPIDAsJLTcJQ4wssIdKwKucdt2F+rMIN70a9HXLDJORIc3/uLMsDlUFPGTXNEphgwS8L7mSoubmF03FhF+yks+b32lGn02hOVcNsP/XQkOKz+dryZMW16sB9MPhW0fdGZhVCPpx/Hr3QxiPlVMLsY807ye6UpliZGO37frhG/xpEDiNCoHxcDI2haom9T+AcopKIuQzjDDtj6tYHiPwkyVfMS3Pheyg6znQRAaSjjzE4a9bflomb2/f9LQK0DudFl9yw8wBwhuwokmgGGueUYydeRtZJYFOlV/0BRIYMLE4LAWWSzMJw42Kr7+HvCwDslcE70abB44T+AX9r0knUiug+Xm9BEeh0aiNGDYBebLk2UUbbxB1AakWGA+HJNfcrMSJEd/WaU1S/8g0o+DSON2EXn9pH0S84onRlPlFpXtXWykvJ84m3YaLvMcrB/Kx83AXLCCvwjDQmGH8YF2V41hRgK3U6/wHg3bebLZ1KJ4kz0kn37kqN8Kvn1GXIYMQjq0YVTKkbv5+MfbcpoiKdTP49DLYm38RqMnbvx2L8xD2FsluHr99+j6tl3SHFN3zT23LJ6vTwSNF4SIj/vPhmjFkQJCHVXMVakw+394wga1g9JjUi3s
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
Qq+4xd3dC1r32Bs3Q4+ph2vmPT14voQ3tOAYt9dpgV+WZm58jkwMLWo547qxBNjcLHOh1dpblaP07iaNxCc0nGINbDein+YjIJWEGqbchLJEm1NqYCpZ2bQ/euqiUUpeevkRNwwGmbHiWL0RzSNIQD0jzWIcITvvGPbBgjakI8/gumtkC54JaNTRw9et0BMTi7H2bqDM4hfocLFS15QxCLkY6JwP5YG8UuJmYm2zNRz6hFnAeulyNxxfmSibQmdJrjVj/Zoripxb9eWKJQd9enfgGJDCwGjJUknHUj7CWe3IHmUZdC6GSkqfCAVnff2y92lGbMMWwicBethDcx9RXBXbYhrOAc46UwGQUDgnHTkYZ8BhsCPRZ4QDI4SOhSrtB93jbjALM2cK6YqEg40LIOHJvU4lK9CEAzpYRGKguAoI4il5yQr80/0GTuo3rXZl1cxhuX7F7KQXBAlsFWxcL3rN44QZBgC36WautazWmtdtA/ff4qUeCNV/YRuk0HKwnzymu9JkF7OER1cGe/dNRKud7k1u98uq61ou3fsV5oUgHbT7XxPUTR3NhTz7oup08l38U+MNGivsnnrpl6J3E++dwFEze0JW1xXba2nmB1hP0OlgY9M/iDdOkisY8cfI8W1K5Kal+v3MDiHjN/FjuGnYiaZyGVkQPOqzt3Mc3yC+CQ2yarZH3hEAwQY2O4hX7Bq6YSR/B8jAjd5ItYlzS882Ccb/MD8j8eibB7n2gwDRCAEvwZSNEf0E0f3hKrqF6agX9Ipqf+hIVLWcDHFMbFt0bRtK9Xwt/ut1yr4paVqOdkhr9YSmqCxZpMR5gkxFEPFODLYptxcIK/2se+FxbRa4OxCHl24NCV6zxD9/obAKpFExY3vfsEr/f1d0gdIIMvEZdyvZzs0htxSEibo2e08MLear54UkyycJ2TMGkbu+U8hcHptwwmEbbc0+My/unX1IgU7toztG/JxpXNApYM13ieWVQaHwUwPar8liWRAfq87EKfkzy+1IWtDQpt1XNkyO+t3efVEZ3EjPpBO7aW56EXciI+xw/dNWyrDdJoe2EB+Tn0tWI7KhSjO2qPySZ04rFkvudBqBrlD/q9al33rFX4yGlKy2eFMrT9zpconM8CepR5unvhmofJfvitUnQs+xaQ8gPeQvWbGmxcXDXOXaXxgvXc8KEFHYqx4lRJA++FDCriO9Z892/uhvYWZBFmp+LTSMRz3EPotTXGHI02vkvpEKqbYqsdabSJT4D70Hz8wbnFVo8cSxarjLpvXF2rAbFNTsWiQFIo4nV12OM3c/yFGpHKlz15tz5arIkXxEuwyiJNGok0ccVq+HstV3LhyGB6i1dFQh5ZqapjIMNg==
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id:
ad874d92-8132-479a-12ae-08da7a220793
X-MS-Exchange-CrossTenant-AuthSource:
CY4PR1801MB1910.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Aug 2022 16:13:00.5901 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR18MB1090
X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00, DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, FREEMAIL_REPLYTO,
FREEMAIL_REPLYTO_END_DIGIT, GIT_PATCH_0, RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H2,
SPF_HELO_PASS, SPF_PASS, TXREP,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
server2.sourceware.org
X-BeenThere: gcc-patches@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>,
<mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>,
<mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe>
From: Immad Mir via Gcc-patches <gcc-patches@gcc.gnu.org>
Reply-To: mirimnan017@gmail.com
Cc: Immad Mir <mirimmad@outlook.com>
Errors-To: gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org
Sender: "Gcc-patches" <gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org>
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1740668949813019212?=
X-GMAIL-MSGID: =?utf-8?q?1740700781220764388?=
|
| Series |
analyzer: fix ICE casued by dup2 in sm-fd.cc[PR106551]
|
|
Commit Message
Immad Mir
Aug. 9, 2022, 4:12 p.m. UTC
This patch fixes the ICE caused by valid_to_unchecked_state,
at analyzer/sm-fd.cc by handling the m_start state in
check_for_dup.
Tested lightly on x86_64.
gcc/analyzer/ChangeLog:
PR analyzer/106551
* sm-fd.cc (check_for_dup): handle the m_start
state when transitioning the state of LHS
of dup, dup2 and dup3 call.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/fd-dup-1.c: New testcases.
Signed-off-by: Immad Mir <mirimmad@outlook.com>
---
gcc/analyzer/sm-fd.cc | 4 ++--
gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 +++++++++++++++++++++++-
2 files changed, 29 insertions(+), 3 deletions(-)
Comments
On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote: > This patch fixes the ICE caused by valid_to_unchecked_state, > at analyzer/sm-fd.cc by handling the m_start state in > check_for_dup. > > Tested lightly on x86_64. > > gcc/analyzer/ChangeLog: > PR analyzer/106551 > * sm-fd.cc (check_for_dup): handle the m_start > state when transitioning the state of LHS > of dup, dup2 and dup3 call. > > gcc/testsuite/ChangeLog: > * gcc.dg/analyzer/fd-dup-1.c: New testcases. > > Signed-off-by: Immad Mir <mirimmad@outlook.com> > --- > gcc/analyzer/sm-fd.cc | 4 ++-- > gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 > +++++++++++++++++++++++- > 2 files changed, 29 insertions(+), 3 deletions(-) > > diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc > index 8bb76d72b05..c8b9930a7b6 100644 > --- a/gcc/analyzer/sm-fd.cc > +++ b/gcc/analyzer/sm-fd.cc > @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context > *sm_ctxt, const supernode *node, > case DUP_1: > if (lhs) > { > - if (is_constant_fd_p (state_arg_1)) > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > m_start) > sm_ctxt->set_next_state (stmt, lhs, > m_unchecked_read_write); > else > sm_ctxt->set_next_state (stmt, lhs, > @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context > *sm_ctxt, const supernode *node, > file descriptor i.e the first argument. */ > if (lhs) > { > - if (is_constant_fd_p (state_arg_1)) > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > m_start) > sm_ctxt->set_next_state (stmt, lhs, > m_unchecked_read_write); > else > sm_ctxt->set_next_state (stmt, lhs, > diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > index eba2570568f..ed4d6de57db 100644 > --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) > close (fd); > } > > -} > \ No newline at end of file > +} > + > +void > +test_20 () > +{ > + int m; > + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid > file descriptor 'm'" } */ > + close (fd); > +} > + > +void > +test_21 () > +{ > + int m; > + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly > invalid file descriptor 'm'" } */ > + close (fd); > +} > + > +void > +test_22 (int flags) > +{ > + int m; > + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on possibly > invalid file descriptor 'm'" } */ > + close (fd); > +} Thanks for the updated patch. The test cases looked suspicious to me - I was wondering why the analyzer doesn't complain about the uninitialized values being passed to the various dup functions as parameters. So your test cases seem to have uncovered a hidden pre-existing bug in the analyzer's uninitialized value detection, which I've filed for myself to deal with as PR analyzer/106573. If you convert the "int m;" locals into an extern global, like in comment #0 of bug 106551, does that still trigger the crash on the unpatched sm-fd.cc? If so, then that's greatly preferable as a regression test, since otherwise I'll have to modify that test case when I fix bug 106573. Dave
> if you convert the "int m;" locals into an extern global, like in > comment #0 of bug 106551, does that still trigger the crash on the > unpatched sm-fd.cc? Yes, it does, since m would be in "m_start" state. I'm sending an updated patch. Thanks Immad. On Wed, Aug 10, 2022 at 1:32 AM David Malcolm <dmalcolm@redhat.com> wrote: > On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote: > > This patch fixes the ICE caused by valid_to_unchecked_state, > > at analyzer/sm-fd.cc by handling the m_start state in > > check_for_dup. > > > > Tested lightly on x86_64. > > > > gcc/analyzer/ChangeLog: > > PR analyzer/106551 > > * sm-fd.cc (check_for_dup): handle the m_start > > state when transitioning the state of LHS > > of dup, dup2 and dup3 call. > > > > gcc/testsuite/ChangeLog: > > * gcc.dg/analyzer/fd-dup-1.c: New testcases. > > > > Signed-off-by: Immad Mir <mirimmad@outlook.com> > > --- > > gcc/analyzer/sm-fd.cc | 4 ++-- > > gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 > > +++++++++++++++++++++++- > > 2 files changed, 29 insertions(+), 3 deletions(-) > > > > diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc > > index 8bb76d72b05..c8b9930a7b6 100644 > > --- a/gcc/analyzer/sm-fd.cc > > +++ b/gcc/analyzer/sm-fd.cc > > @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context > > *sm_ctxt, const supernode *node, > > case DUP_1: > > if (lhs) > > { > > - if (is_constant_fd_p (state_arg_1)) > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > > m_start) > > sm_ctxt->set_next_state (stmt, lhs, > > m_unchecked_read_write); > > else > > sm_ctxt->set_next_state (stmt, lhs, > > @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context > > *sm_ctxt, const supernode *node, > > file descriptor i.e the first argument. */ > > if (lhs) > > { > > - if (is_constant_fd_p (state_arg_1)) > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > > m_start) > > sm_ctxt->set_next_state (stmt, lhs, > > m_unchecked_read_write); > > else > > sm_ctxt->set_next_state (stmt, lhs, > > diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > index eba2570568f..ed4d6de57db 100644 > > --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) > > close (fd); > > } > > > > -} > > \ No newline at end of file > > +} > > + > > +void > > +test_20 () > > +{ > > + int m; > > + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid > > file descriptor 'm'" } */ > > + close (fd); > > +} > > + > > +void > > +test_21 () > > +{ > > + int m; > > + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly > > invalid file descriptor 'm'" } */ > > + close (fd); > > +} > > + > > +void > > +test_22 (int flags) > > +{ > > + int m; > > + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on possibly > > invalid file descriptor 'm'" } */ > > + close (fd); > > +} > > Thanks for the updated patch. > > The test cases looked suspicious to me - I was wondering why the > analyzer doesn't complain about the uninitialized values being passed > to the various dup functions as parameters. So your test cases seem to > have uncovered a hidden pre-existing bug in the analyzer's > uninitialized value detection, which I've filed for myself to deal with > as PR analyzer/106573. > > If you convert the "int m;" locals into an extern global, like in > comment #0 of bug 106551, does that still trigger the crash on the > unpatched sm-fd.cc? If so, then that's greatly preferable as a > regression test, since otherwise I'll have to modify that test case > when I fix bug 106573. > > Dave > > > >
On Wed, 2022-08-10 at 20:34 +0530, Mir Immad wrote: > > if you convert the "int m;" locals into an extern global, like in > > comment #0 of bug 106551, does that still trigger the crash on the > > unpatched sm-fd.cc? > > Yes, it does, since m would be in "m_start" state. I'm sending an > updated > patch. Great! Note that I recently committed a fix for bug 106573, which has an xfail on a dg-bogus to mark a false positive which your patch hopefully also fixes (in fd-uninit-1.c). Can you please rebase and see if your patch does fix it? Thanks Dave > > Thanks > Immad. > > On Wed, Aug 10, 2022 at 1:32 AM David Malcolm <dmalcolm@redhat.com> > wrote: > > > On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote: > > > This patch fixes the ICE caused by valid_to_unchecked_state, > > > at analyzer/sm-fd.cc by handling the m_start state in > > > check_for_dup. > > > > > > Tested lightly on x86_64. > > > > > > gcc/analyzer/ChangeLog: > > > PR analyzer/106551 > > > * sm-fd.cc (check_for_dup): handle the m_start > > > state when transitioning the state of LHS > > > of dup, dup2 and dup3 call. > > > > > > gcc/testsuite/ChangeLog: > > > * gcc.dg/analyzer/fd-dup-1.c: New testcases. > > > > > > Signed-off-by: Immad Mir <mirimmad@outlook.com> > > > --- > > > gcc/analyzer/sm-fd.cc | 4 ++-- > > > gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 > > > +++++++++++++++++++++++- > > > 2 files changed, 29 insertions(+), 3 deletions(-) > > > > > > diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc > > > index 8bb76d72b05..c8b9930a7b6 100644 > > > --- a/gcc/analyzer/sm-fd.cc > > > +++ b/gcc/analyzer/sm-fd.cc > > > @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context > > > *sm_ctxt, const supernode *node, > > > case DUP_1: > > > if (lhs) > > > { > > > - if (is_constant_fd_p (state_arg_1)) > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > > > m_start) > > > sm_ctxt->set_next_state (stmt, lhs, > > > m_unchecked_read_write); > > > else > > > sm_ctxt->set_next_state (stmt, lhs, > > > @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context > > > *sm_ctxt, const supernode *node, > > > file descriptor i.e the first argument. */ > > > if (lhs) > > > { > > > - if (is_constant_fd_p (state_arg_1)) > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > > > m_start) > > > sm_ctxt->set_next_state (stmt, lhs, > > > m_unchecked_read_write); > > > else > > > sm_ctxt->set_next_state (stmt, lhs, > > > diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > index eba2570568f..ed4d6de57db 100644 > > > --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) > > > close (fd); > > > } > > > > > > -} > > > \ No newline at end of file > > > +} > > > + > > > +void > > > +test_20 () > > > +{ > > > + int m; > > > + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid > > > file descriptor 'm'" } */ > > > + close (fd); > > > +} > > > + > > > +void > > > +test_21 () > > > +{ > > > + int m; > > > + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly > > > invalid file descriptor 'm'" } */ > > > + close (fd); > > > +} > > > + > > > +void > > > +test_22 (int flags) > > > +{ > > > + int m; > > > + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on > > > possibly > > > invalid file descriptor 'm'" } */ > > > + close (fd); > > > +} > > > > Thanks for the updated patch. > > > > The test cases looked suspicious to me - I was wondering why the > > analyzer doesn't complain about the uninitialized values being > > passed > > to the various dup functions as parameters. So your test cases > > seem to > > have uncovered a hidden pre-existing bug in the analyzer's > > uninitialized value detection, which I've filed for myself to deal > > with > > as PR analyzer/106573. > > > > If you convert the "int m;" locals into an extern global, like in > > comment #0 of bug 106551, does that still trigger the crash on the > > unpatched sm-fd.cc? If so, then that's greatly preferable as a > > regression test, since otherwise I'll have to modify that test case > > when I fix bug 106573. > > > > Dave > > > > > > > >
> Can you please rebase and see if your patch > does fix it? No, the patch that I sent did not attempt to fix this. Now that I have made the correction, XFAIL in fd-uninit-1.c has changed to XPASS. Should i remove the dg-bogus warning from fd-uninit-1.c test_1? Thanks. Immad. On Wed, Aug 10, 2022 at 10:26 PM David Malcolm <dmalcolm@redhat.com> wrote: > On Wed, 2022-08-10 at 20:34 +0530, Mir Immad wrote: > > > if you convert the "int m;" locals into an extern global, like in > > > comment #0 of bug 106551, does that still trigger the crash on the > > > unpatched sm-fd.cc? > > > > Yes, it does, since m would be in "m_start" state. I'm sending an > > updated > > patch. > > Great! > > Note that I recently committed a fix for bug 106573, which has an xfail > on a dg-bogus to mark a false positive which your patch hopefully also > fixes (in fd-uninit-1.c). Can you please rebase and see if your patch > does fix it? > > Thanks > Dave > > > > > > Thanks > > Immad. > > > > On Wed, Aug 10, 2022 at 1:32 AM David Malcolm <dmalcolm@redhat.com> > > wrote: > > > > > On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote: > > > > This patch fixes the ICE caused by valid_to_unchecked_state, > > > > at analyzer/sm-fd.cc by handling the m_start state in > > > > check_for_dup. > > > > > > > > Tested lightly on x86_64. > > > > > > > > gcc/analyzer/ChangeLog: > > > > PR analyzer/106551 > > > > * sm-fd.cc (check_for_dup): handle the m_start > > > > state when transitioning the state of LHS > > > > of dup, dup2 and dup3 call. > > > > > > > > gcc/testsuite/ChangeLog: > > > > * gcc.dg/analyzer/fd-dup-1.c: New testcases. > > > > > > > > Signed-off-by: Immad Mir <mirimmad@outlook.com> > > > > --- > > > > gcc/analyzer/sm-fd.cc | 4 ++-- > > > > gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 > > > > +++++++++++++++++++++++- > > > > 2 files changed, 29 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc > > > > index 8bb76d72b05..c8b9930a7b6 100644 > > > > --- a/gcc/analyzer/sm-fd.cc > > > > +++ b/gcc/analyzer/sm-fd.cc > > > > @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context > > > > *sm_ctxt, const supernode *node, > > > > case DUP_1: > > > > if (lhs) > > > > { > > > > - if (is_constant_fd_p (state_arg_1)) > > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > > > > m_start) > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > m_unchecked_read_write); > > > > else > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context > > > > *sm_ctxt, const supernode *node, > > > > file descriptor i.e the first argument. */ > > > > if (lhs) > > > > { > > > > - if (is_constant_fd_p (state_arg_1)) > > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 == > > > > m_start) > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > m_unchecked_read_write); > > > > else > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > index eba2570568f..ed4d6de57db 100644 > > > > --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) > > > > close (fd); > > > > } > > > > > > > > -} > > > > \ No newline at end of file > > > > +} > > > > + > > > > +void > > > > +test_20 () > > > > +{ > > > > + int m; > > > > + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid > > > > file descriptor 'm'" } */ > > > > + close (fd); > > > > +} > > > > + > > > > +void > > > > +test_21 () > > > > +{ > > > > + int m; > > > > + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly > > > > invalid file descriptor 'm'" } */ > > > > + close (fd); > > > > +} > > > > + > > > > +void > > > > +test_22 (int flags) > > > > +{ > > > > + int m; > > > > + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on > > > > possibly > > > > invalid file descriptor 'm'" } */ > > > > + close (fd); > > > > +} > > > > > > Thanks for the updated patch. > > > > > > The test cases looked suspicious to me - I was wondering why the > > > analyzer doesn't complain about the uninitialized values being > > > passed > > > to the various dup functions as parameters. So your test cases > > > seem to > > > have uncovered a hidden pre-existing bug in the analyzer's > > > uninitialized value detection, which I've filed for myself to deal > > > with > > > as PR analyzer/106573. > > > > > > If you convert the "int m;" locals into an extern global, like in > > > comment #0 of bug 106551, does that still trigger the crash on the > > > unpatched sm-fd.cc? If so, then that's greatly preferable as a > > > regression test, since otherwise I'll have to modify that test case > > > when I fix bug 106573. > > > > > > Dave > > > > > > > > > > > > > > >
On Wed, 2022-08-10 at 22:51 +0530, Mir Immad wrote: > > Can you please rebase and see if your patch > > does fix it? > > No, the patch that I sent did not attempt to fix this. Now that I > have made > the correction, XFAIL in fd-uninit-1.c has changed to XPASS. Great - that means that, with your fix, we no longer bogusly emit that false positive. > > Should i remove the dg-bogus warning from fd-uninit-1.c test_1? Yes please. Thanks Dave > > Thanks. > Immad. > > > On Wed, Aug 10, 2022 at 10:26 PM David Malcolm <dmalcolm@redhat.com> > wrote: > > > On Wed, 2022-08-10 at 20:34 +0530, Mir Immad wrote: > > > > if you convert the "int m;" locals into an extern global, like > > > in > > > > comment #0 of bug 106551, does that still trigger the crash on > > > > the > > > > unpatched sm-fd.cc? > > > > > > Yes, it does, since m would be in "m_start" state. I'm sending an > > > updated > > > patch. > > > > Great! > > > > Note that I recently committed a fix for bug 106573, which has an > > xfail > > on a dg-bogus to mark a false positive which your patch hopefully > > also > > fixes (in fd-uninit-1.c). Can you please rebase and see if your > > patch > > does fix it? > > > > Thanks > > Dave > > > > > > > > > > Thanks > > > Immad. > > > > > > On Wed, Aug 10, 2022 at 1:32 AM David Malcolm < > > > dmalcolm@redhat.com> > > > wrote: > > > > > > > On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote: > > > > > This patch fixes the ICE caused by valid_to_unchecked_state, > > > > > at analyzer/sm-fd.cc by handling the m_start state in > > > > > check_for_dup. > > > > > > > > > > Tested lightly on x86_64. > > > > > > > > > > gcc/analyzer/ChangeLog: > > > > > PR analyzer/106551 > > > > > * sm-fd.cc (check_for_dup): handle the m_start > > > > > state when transitioning the state of LHS > > > > > of dup, dup2 and dup3 call. > > > > > > > > > > gcc/testsuite/ChangeLog: > > > > > * gcc.dg/analyzer/fd-dup-1.c: New testcases. > > > > > > > > > > Signed-off-by: Immad Mir <mirimmad@outlook.com> > > > > > --- > > > > > gcc/analyzer/sm-fd.cc | 4 ++-- > > > > > gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 > > > > > +++++++++++++++++++++++- > > > > > 2 files changed, 29 insertions(+), 3 deletions(-) > > > > > > > > > > diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc > > > > > index 8bb76d72b05..c8b9930a7b6 100644 > > > > > --- a/gcc/analyzer/sm-fd.cc > > > > > +++ b/gcc/analyzer/sm-fd.cc > > > > > @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup > > > > > (sm_context > > > > > *sm_ctxt, const supernode *node, > > > > > case DUP_1: > > > > > if (lhs) > > > > > { > > > > > - if (is_constant_fd_p (state_arg_1)) > > > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 > > > > > == > > > > > m_start) > > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > > m_unchecked_read_write); > > > > > else > > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > > @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup > > > > > (sm_context > > > > > *sm_ctxt, const supernode *node, > > > > > file descriptor i.e the first argument. */ > > > > > if (lhs) > > > > > { > > > > > - if (is_constant_fd_p (state_arg_1)) > > > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1 > > > > > == > > > > > m_start) > > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > > m_unchecked_read_write); > > > > > else > > > > > sm_ctxt->set_next_state (stmt, lhs, > > > > > diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > > b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > > index eba2570568f..ed4d6de57db 100644 > > > > > --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > > +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c > > > > > @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) > > > > > close (fd); > > > > > } > > > > > > > > > > -} > > > > > \ No newline at end of file > > > > > +} > > > > > + > > > > > +void > > > > > +test_20 () > > > > > +{ > > > > > + int m; > > > > > + int fd = dup (m); /* { dg-warning "'dup' on possibly > > > > > invalid > > > > > file descriptor 'm'" } */ > > > > > + close (fd); > > > > > +} > > > > > + > > > > > +void > > > > > +test_21 () > > > > > +{ > > > > > + int m; > > > > > + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on > > > > > possibly > > > > > invalid file descriptor 'm'" } */ > > > > > + close (fd); > > > > > +} > > > > > + > > > > > +void > > > > > +test_22 (int flags) > > > > > +{ > > > > > + int m; > > > > > + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on > > > > > possibly > > > > > invalid file descriptor 'm'" } */ > > > > > + close (fd); > > > > > +} > > > > > > > > Thanks for the updated patch. > > > > > > > > The test cases looked suspicious to me - I was wondering why > > > > the > > > > analyzer doesn't complain about the uninitialized values being > > > > passed > > > > to the various dup functions as parameters. So your test cases > > > > seem to > > > > have uncovered a hidden pre-existing bug in the analyzer's > > > > uninitialized value detection, which I've filed for myself to > > > > deal > > > > with > > > > as PR analyzer/106573. > > > > > > > > If you convert the "int m;" locals into an extern global, like > > > > in > > > > comment #0 of bug 106551, does that still trigger the crash on > > > > the > > > > unpatched sm-fd.cc? If so, then that's greatly preferable as a > > > > regression test, since otherwise I'll have to modify that test > > > > case > > > > when I fix bug 106573. > > > > > > > > Dave > > > > > > > > > > > > > > > > > > > > > >
With the fix for bogus warning in fd-uninit.c, the analyzer now does not
warning for the following code for which it would previously emit
-Wanalyzer-fd-use-without-check
extern int m;
test()
{
int fd = dup2(m, 1);
close(fd);
}
So I had to remove such warnings from fd-dup-1.c test_20,21,22 (in the
patch). Now these tests are only there to show fix for PR16551.
Sending an updated patch (passes style and commit checker).
Thanks.
Immad.
On Thu, Aug 11, 2022 at 12:14 AM David Malcolm <dmalcolm@redhat.com> wrote:
> On Wed, 2022-08-10 at 22:51 +0530, Mir Immad wrote:
> > > Can you please rebase and see if your patch
> > > does fix it?
> >
> > No, the patch that I sent did not attempt to fix this. Now that I
> > have made
> > the correction, XFAIL in fd-uninit-1.c has changed to XPASS.
>
> Great - that means that, with your fix, we no longer bogusly emit that
> false positive.
>
> >
> > Should i remove the dg-bogus warning from fd-uninit-1.c test_1?
>
> Yes please.
>
> Thanks
> Dave
>
> >
> > Thanks.
> > Immad.
> >
> >
> > On Wed, Aug 10, 2022 at 10:26 PM David Malcolm <dmalcolm@redhat.com>
> > wrote:
> >
> > > On Wed, 2022-08-10 at 20:34 +0530, Mir Immad wrote:
> > > > > if you convert the "int m;" locals into an extern global, like
> > > > in
> > > > > comment #0 of bug 106551, does that still trigger the crash on
> > > > > the
> > > > > unpatched sm-fd.cc?
> > > >
> > > > Yes, it does, since m would be in "m_start" state. I'm sending an
> > > > updated
> > > > patch.
> > >
> > > Great!
> > >
> > > Note that I recently committed a fix for bug 106573, which has an
> > > xfail
> > > on a dg-bogus to mark a false positive which your patch hopefully
> > > also
> > > fixes (in fd-uninit-1.c). Can you please rebase and see if your
> > > patch
> > > does fix it?
> > >
> > > Thanks
> > > Dave
> > >
> > >
> > > >
> > > > Thanks
> > > > Immad.
> > > >
> > > > On Wed, Aug 10, 2022 at 1:32 AM David Malcolm <
> > > > dmalcolm@redhat.com>
> > > > wrote:
> > > >
> > > > > On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote:
> > > > > > This patch fixes the ICE caused by valid_to_unchecked_state,
> > > > > > at analyzer/sm-fd.cc by handling the m_start state in
> > > > > > check_for_dup.
> > > > > >
> > > > > > Tested lightly on x86_64.
> > > > > >
> > > > > > gcc/analyzer/ChangeLog:
> > > > > > PR analyzer/106551
> > > > > > * sm-fd.cc (check_for_dup): handle the m_start
> > > > > > state when transitioning the state of LHS
> > > > > > of dup, dup2 and dup3 call.
> > > > > >
> > > > > > gcc/testsuite/ChangeLog:
> > > > > > * gcc.dg/analyzer/fd-dup-1.c: New testcases.
> > > > > >
> > > > > > Signed-off-by: Immad Mir <mirimmad@outlook.com>
> > > > > > ---
> > > > > > gcc/analyzer/sm-fd.cc | 4 ++--
> > > > > > gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28
> > > > > > +++++++++++++++++++++++-
> > > > > > 2 files changed, 29 insertions(+), 3 deletions(-)
> > > > > >
> > > > > > diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc
> > > > > > index 8bb76d72b05..c8b9930a7b6 100644
> > > > > > --- a/gcc/analyzer/sm-fd.cc
> > > > > > +++ b/gcc/analyzer/sm-fd.cc
> > > > > > @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup
> > > > > > (sm_context
> > > > > > *sm_ctxt, const supernode *node,
> > > > > > case DUP_1:
> > > > > > if (lhs)
> > > > > > {
> > > > > > - if (is_constant_fd_p (state_arg_1))
> > > > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1
> > > > > > ==
> > > > > > m_start)
> > > > > > sm_ctxt->set_next_state (stmt, lhs,
> > > > > > m_unchecked_read_write);
> > > > > > else
> > > > > > sm_ctxt->set_next_state (stmt, lhs,
> > > > > > @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup
> > > > > > (sm_context
> > > > > > *sm_ctxt, const supernode *node,
> > > > > > file descriptor i.e the first argument. */
> > > > > > if (lhs)
> > > > > > {
> > > > > > - if (is_constant_fd_p (state_arg_1))
> > > > > > + if (is_constant_fd_p (state_arg_1) || state_arg_1
> > > > > > ==
> > > > > > m_start)
> > > > > > sm_ctxt->set_next_state (stmt, lhs,
> > > > > > m_unchecked_read_write);
> > > > > > else
> > > > > > sm_ctxt->set_next_state (stmt, lhs,
> > > > > > diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> > > > > > b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> > > > > > index eba2570568f..ed4d6de57db 100644
> > > > > > --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> > > > > > +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> > > > > > @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf)
> > > > > > close (fd);
> > > > > > }
> > > > > >
> > > > > > -}
> > > > > > \ No newline at end of file
> > > > > > +}
> > > > > > +
> > > > > > +void
> > > > > > +test_20 ()
> > > > > > +{
> > > > > > + int m;
> > > > > > + int fd = dup (m); /* { dg-warning "'dup' on possibly
> > > > > > invalid
> > > > > > file descriptor 'm'" } */
> > > > > > + close (fd);
> > > > > > +}
> > > > > > +
> > > > > > +void
> > > > > > +test_21 ()
> > > > > > +{
> > > > > > + int m;
> > > > > > + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on
> > > > > > possibly
> > > > > > invalid file descriptor 'm'" } */
> > > > > > + close (fd);
> > > > > > +}
> > > > > > +
> > > > > > +void
> > > > > > +test_22 (int flags)
> > > > > > +{
> > > > > > + int m;
> > > > > > + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on
> > > > > > possibly
> > > > > > invalid file descriptor 'm'" } */
> > > > > > + close (fd);
> > > > > > +}
> > > > >
> > > > > Thanks for the updated patch.
> > > > >
> > > > > The test cases looked suspicious to me - I was wondering why
> > > > > the
> > > > > analyzer doesn't complain about the uninitialized values being
> > > > > passed
> > > > > to the various dup functions as parameters. So your test cases
> > > > > seem to
> > > > > have uncovered a hidden pre-existing bug in the analyzer's
> > > > > uninitialized value detection, which I've filed for myself to
> > > > > deal
> > > > > with
> > > > > as PR analyzer/106573.
> > > > >
> > > > > If you convert the "int m;" locals into an extern global, like
> > > > > in
> > > > > comment #0 of bug 106551, does that still trigger the crash on
> > > > > the
> > > > > unpatched sm-fd.cc? If so, then that's greatly preferable as a
> > > > > regression test, since otherwise I'll have to modify that test
> > > > > case
> > > > > when I fix bug 106573.
> > > > >
> > > > > Dave
> > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc index 8bb76d72b05..c8b9930a7b6 100644 --- a/gcc/analyzer/sm-fd.cc +++ b/gcc/analyzer/sm-fd.cc @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context *sm_ctxt, const supernode *node, case DUP_1: if (lhs) { - if (is_constant_fd_p (state_arg_1)) + if (is_constant_fd_p (state_arg_1) || state_arg_1 == m_start) sm_ctxt->set_next_state (stmt, lhs, m_unchecked_read_write); else sm_ctxt->set_next_state (stmt, lhs, @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context *sm_ctxt, const supernode *node, file descriptor i.e the first argument. */ if (lhs) { - if (is_constant_fd_p (state_arg_1)) + if (is_constant_fd_p (state_arg_1) || state_arg_1 == m_start) sm_ctxt->set_next_state (stmt, lhs, m_unchecked_read_write); else sm_ctxt->set_next_state (stmt, lhs, diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c index eba2570568f..ed4d6de57db 100644 --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) close (fd); } -} \ No newline at end of file +} + +void +test_20 () +{ + int m; + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid file descriptor 'm'" } */ + close (fd); +} + +void +test_21 () +{ + int m; + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly invalid file descriptor 'm'" } */ + close (fd); +} + +void +test_22 (int flags) +{ + int m; + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on possibly invalid file descriptor 'm'" } */ + close (fd); +} + +