Message ID | CY4PR1801MB1910C4DBB72F9231EC5C16B8C6629@CY4PR1801MB1910.namprd18.prod.outlook.com |
---|---|
State | New, archived |
Headers | From: Immad Mir via Gcc-patches <gcc-patches@gcc.gnu.org> (Reply-To: mirimnan017@gmail.com; Cc: Immad Mir <mirimmad@outlook.com>); To: gcc-patches@gcc.gnu.org; Subject: [PATCH] analyzer: fix ICE caused by dup2 in sm-fd.cc[PR106551]; Date: Tue, 9 Aug 2022 21:42:37 +0530; Message-ID: <CY4PR1801MB1910C4DBB72F9231EC5C16B8C6629@CY4PR1801MB1910.namprd18.prod.outlook.com>; X-Mailer: git-send-email 2.25.1 |
Series | analyzer: fix ICE caused by dup2 in sm-fd.cc[PR106551] |
Commit Message
Immad Mir
Aug. 9, 2022, 4:12 p.m. UTC
This patch fixes the ICE caused by valid_to_unchecked_state,
at analyzer/sm-fd.cc by handling the m_start state in
check_for_dup.
Tested lightly on x86_64.
gcc/analyzer/ChangeLog:
PR analyzer/106551
* sm-fd.cc (check_for_dup): handle the m_start
state when transitioning the state of LHS
of dup, dup2 and dup3 call.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/fd-dup-1.c: New testcases.
Signed-off-by: Immad Mir <mirimmad@outlook.com>
---
gcc/analyzer/sm-fd.cc | 4 ++--
gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28 +++++++++++++++++++++++-
2 files changed, 29 insertions(+), 3 deletions(-)
Comments
On Tue, 2022-08-09 at 21:42 +0530, Immad Mir wrote:
> This patch fixes the ICE caused by valid_to_unchecked_state,
> at analyzer/sm-fd.cc by handling the m_start state in
> check_for_dup.
>
> Tested lightly on x86_64.
>
> gcc/analyzer/ChangeLog:
> PR analyzer/106551
> * sm-fd.cc (check_for_dup): handle the m_start
> state when transitioning the state of LHS
> of dup, dup2 and dup3 call.
>
> gcc/testsuite/ChangeLog:
> * gcc.dg/analyzer/fd-dup-1.c: New testcases.
>
> Signed-off-by: Immad Mir <mirimmad@outlook.com>
> ---
> gcc/analyzer/sm-fd.cc | 4 ++--
> gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c | 28
> +++++++++++++++++++++++-
> 2 files changed, 29 insertions(+), 3 deletions(-)
>
> diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc
> index 8bb76d72b05..c8b9930a7b6 100644
> --- a/gcc/analyzer/sm-fd.cc
> +++ b/gcc/analyzer/sm-fd.cc
> @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context
> *sm_ctxt, const supernode *node,
> case DUP_1:
> if (lhs)
> {
> - if (is_constant_fd_p (state_arg_1))
> + if (is_constant_fd_p (state_arg_1) || state_arg_1 ==
> m_start)
> sm_ctxt->set_next_state (stmt, lhs,
> m_unchecked_read_write);
> else
> sm_ctxt->set_next_state (stmt, lhs,
> @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context
> *sm_ctxt, const supernode *node,
> file descriptor i.e the first argument. */
> if (lhs)
> {
> - if (is_constant_fd_p (state_arg_1))
> + if (is_constant_fd_p (state_arg_1) || state_arg_1 ==
> m_start)
> sm_ctxt->set_next_state (stmt, lhs,
> m_unchecked_read_write);
> else
> sm_ctxt->set_next_state (stmt, lhs,
> diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> index eba2570568f..ed4d6de57db 100644
> --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c
> @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf)
> close (fd);
> }
>
> -}
> \ No newline at end of file
> +}
> +
> +void
> +test_20 ()
> +{
> + int m;
> + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid
> file descriptor 'm'" } */
> + close (fd);
> +}
> +
> +void
> +test_21 ()
> +{
> + int m;
> + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly
> invalid file descriptor 'm'" } */
> + close (fd);
> +}
> +
> +void
> +test_22 (int flags)
> +{
> + int m;
> + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on possibly
> invalid file descriptor 'm'" } */
> + close (fd);
> +}

Thanks for the updated patch.

The test cases looked suspicious to me - I was wondering why the
analyzer doesn't complain about the uninitialized values being passed
to the various dup functions as parameters. So your test cases seem to
have uncovered a hidden pre-existing bug in the analyzer's
uninitialized value detection, which I've filed for myself to deal with
as PR analyzer/106573.

If you convert the "int m;" locals into an extern global, like in
comment #0 of bug 106551, does that still trigger the crash on the
unpatched sm-fd.cc? If so, then that's greatly preferable as a
regression test, since otherwise I'll have to modify that test case
when I fix bug 106573.

Dave
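Review bot: in the first sm-fd.cc hunk (@@ -983, the DUP_1 case) the new condition `is_constant_fd_p (state_arg_1) || state_arg_1 == m_start` is the exact text that the second hunk adds again for DUP_2/DUP_3; pull it into a small predicate next to is_constant_fd_p so the two dup paths cannot drift apart the next time a state is added. The behaviour itself is the right one for the checker: a descriptor the state machine knows nothing about (an extern global such as `m`) now gives an lhs in m_unchecked_read_write instead of reaching valid_to_unchecked_state, which is where the ICE in the subject came from.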
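Review bot: the second sm-fd.cc hunk (@@ -1011) sits directly under the comment ending `file descriptor i.e the first argument. */`, which explains the lhs state only in terms of the duplicated descriptor's known access mode; add a sentence there saying that a first argument still in m_start is treated like a constant fd and yields an unchecked read/write lhs, since that is the new rule this hunk introduces and the reason for PR analyzer/106551.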
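Review bot: the fd-dup-1.c hunk exercises the new path through uninitialized locals (`int m;` in test_20, test_21 and test_22), so the `dg-warning "'dup' on possibly invalid file descriptor 'm'"` expectations test the uninitialized-value machinery as much as the m_start case; declare `m` as an `extern int` global, as in comment #0 of bug 106551, so the test reaches m_start for the right reason and keeps failing on an unpatched sm-fd.cc. The hunk also replaces the old `-}` / `\ No newline at end of file` ending with a `+}` that terminates properly; that is fine to carry along, but worth a word in the ChangeLog entry.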
> if you convert the "int m;" locals into an extern global, like in
> comment #0 of bug 106551, does that still trigger the crash on the
> unpatched sm-fd.cc?

Yes, it does, since m would be in "m_start" state. I'm sending an updated
patch.

Thanks
Immad.

On Wed, Aug 10, 2022 at 1:32 AM David Malcolm <dmalcolm@redhat.com> wrote:
> [...]
On Wed, 2022-08-10 at 20:34 +0530, Mir Immad wrote:
> > if you convert the "int m;" locals into an extern global, like in
> > comment #0 of bug 106551, does that still trigger the crash on the
> > unpatched sm-fd.cc?
>
> Yes, it does, since m would be in "m_start" state. I'm sending an
> updated
> patch.

Great!

Note that I recently committed a fix for bug 106573, which has an xfail
on a dg-bogus to mark a false positive which your patch hopefully also
fixes (in fd-uninit-1.c). Can you please rebase and see if your patch
does fix it?

Thanks
Dave

> [...]
> Can you please rebase and see if your patch
> does fix it?

No, the patch that I sent did not attempt to fix this. Now that I have made
the correction, XFAIL in fd-uninit-1.c has changed to XPASS.

Should I remove the dg-bogus warning from fd-uninit-1.c test_1?

Thanks.
Immad.

On Wed, Aug 10, 2022 at 10:26 PM David Malcolm <dmalcolm@redhat.com> wrote:
> [...]
On Wed, 2022-08-10 at 22:51 +0530, Mir Immad wrote:
> > Can you please rebase and see if your patch
> > does fix it?
>
> No, the patch that I sent did not attempt to fix this. Now that I
> have made
> the correction, XFAIL in fd-uninit-1.c has changed to XPASS.

Great - that means that, with your fix, we no longer bogusly emit that
false positive.

>
> Should i remove the dg-bogus warning from fd-uninit-1.c test_1?

Yes please.

Thanks
Dave

> [...]
With the fix for bogus warning in fd-uninit.c, the analyzer now does not
warn for the following code, for which it would previously emit
-Wanalyzer-fd-use-without-check:

    #include <unistd.h>

    extern int m;

    void
    test (void)
    {
      int fd = dup2 (m, 1);
      close (fd);
    }

So I had to remove such warnings from fd-dup-1.c test_20,21,22 (in the
patch). Now these tests are only there to show the fix for PR106551.

Sending an updated patch (passes style and commit checker).

Thanks.
Immad.

On Thu, Aug 11, 2022 at 12:14 AM David Malcolm <dmalcolm@redhat.com> wrote:
> [...]
diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc index 8bb76d72b05..c8b9930a7b6 100644 --- a/gcc/analyzer/sm-fd.cc +++ b/gcc/analyzer/sm-fd.cc @@ -983,7 +983,7 @@ fd_state_machine::check_for_dup (sm_context *sm_ctxt, const supernode *node, case DUP_1: if (lhs) { - if (is_constant_fd_p (state_arg_1)) + if (is_constant_fd_p (state_arg_1) || state_arg_1 == m_start) sm_ctxt->set_next_state (stmt, lhs, m_unchecked_read_write); else sm_ctxt->set_next_state (stmt, lhs, @@ -1011,7 +1011,7 @@ fd_state_machine::check_for_dup (sm_context *sm_ctxt, const supernode *node, file descriptor i.e the first argument. */ if (lhs) { - if (is_constant_fd_p (state_arg_1)) + if (is_constant_fd_p (state_arg_1) || state_arg_1 == m_start) sm_ctxt->set_next_state (stmt, lhs, m_unchecked_read_write); else sm_ctxt->set_next_state (stmt, lhs, diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c index eba2570568f..ed4d6de57db 100644 --- a/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/fd-dup-1.c @@ -220,4 +220,30 @@ test_19 (const char *path, void *buf) close (fd); } -} \ No newline at end of file +} + +void +test_20 () +{ + int m; + int fd = dup (m); /* { dg-warning "'dup' on possibly invalid file descriptor 'm'" } */ + close (fd); +} + +void +test_21 () +{ + int m; + int fd = dup2 (m, 1); /* { dg-warning "'dup2' on possibly invalid file descriptor 'm'" } */ + close (fd); +} + +void +test_22 (int flags) +{ + int m; + int fd = dup3 (m, 1, flags); /* { dg-warning "'dup3' on possibly invalid file descriptor 'm'" } */ + close (fd); +} + +
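Review bot: the new `|| state_arg_1 == m_start` clause in the DUP_1 case (the hunk at line 983) needs a comment saying why a descriptor the analyzer has never seen created, such as the extern global from comment #0 of PR 106551, is sent to m_unchecked_read_write alongside the constant-fd case rather than down the else branch; as written, the reader has to reconstruct from the ChangeLog that this is what keeps valid_to_unchecked_state from being reached with m_start and crashing. A one-line comment above the `if` would do.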
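Review bot: the second sm-fd.cc hunk (line 1011, the dup2/dup3 path) repeats the exact condition `is_constant_fd_p (state_arg_1) || state_arg_1 == m_start` from the DUP_1 hunk; hoisting it into a small predicate on fd_state_machine (for example one that answers "is this an fd whose validity we have nothing to say about") would keep the two call sites from drifting the next time a state is added, and would give the comment requested for the first hunk a single home.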
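Review bot: in the fd-dup-1.c hunk, test_20, test_21 and test_22 pass an uninitialized local `int m;` to dup/dup2/dup3, so what they exercise is an uninitialized value rather than a descriptor in m_start; the thread already asks for `extern int m;` as in comment #0 of PR 106551, which is the case that reproduces the ICE and does not collide with the uninitialized-value fix for PR 106573. The covering mail also says the `dg-warning "... on possibly invalid file descriptor 'm'"` directives were removed because the analyzer no longer emits that diagnostic here, yet this diff still carries all three; please make sure the version that goes in is the one described. Finally, the hunk fixes the missing newline at end of file but then appends two blank `+` lines after the closing `}`; drop them so the file ends with a single newline.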