From 5acc10a9ea66411e1712fabc94f9f29892b0d607 Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Thu, 3 Nov 2022 10:21:00 -0400
Subject: [PATCH] analyzer: fix ICE when pipe's arg isn't a pointer [PR107486]

gcc/analyzer/ChangeLog:
PR analyzer/107486
* analyzer.cc (is_pipe_call_p): New.
* analyzer.h (is_pipe_call_p): New decl.
* region-model.cc (region_model::on_call_pre): Use it.
(region_model::on_call_post): Likewise.

gcc/testsuite/ChangeLog:
PR analyzer/107486
* gcc.dg/analyzer/pipe-pr107486.c: New test.
* gcc.dg/analyzer/pipe-void-return.c: New test.

Signed-off-by: David Malcolm
---
 gcc/analyzer/analyzer.cc | 16 ++++++++++++++++
 gcc/analyzer/analyzer.h | 2 ++
 gcc/analyzer/region-model.cc | 8 ++++----
 gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c | 5 +++++
 gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c | 11 +++++++++++
 5 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c

diff --git a/gcc/analyzer/analyzer.cc b/gcc/analyzer/analyzer.cc
index 8a2a773..6c7c969 100644
--- a/gcc/analyzer/analyzer.cc
+++ b/gcc/analyzer/analyzer.cc
@@ -379,6 +379,22 @@ is_longjmp_call_p (const gcall *call)
 return false;
 }
 
+/* Return true if this is a "pipe" call. */
+
+bool
+is_pipe_call_p (const_tree fndecl, const char *funcname,
+ const gcall *call, unsigned int num_args)
+{
+ if (!is_named_call_p (fndecl, funcname, call, num_args))
+ return false;
+
+ /* We require a pointer for the initial argument. */
+ if (!POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (call, 0))))
+ return false;
+
+ return true;
+}
+
 /* For a CALL that matched is_special_named_call_p or is_named_call_p for
 some name, return a name for the called function suitable for use in
 diagnostics (stripping the leading underscores). */
diff --git a/gcc/analyzer/analyzer.h b/gcc/analyzer/analyzer.h
index a2d79e4..c41cfb0 100644
--- a/gcc/analyzer/analyzer.h
+++ b/gcc/analyzer/analyzer.h
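Review bot: is_pipe_call_p evaluates `gimple_call_arg (call, 0)` as soon as is_named_call_p accepts the call, so NUM_ARGS must be at least 1 for that index to be valid, and this precondition is neither documented nor checked. Since the helper is generic over FUNCNAME (it is used for both "pipe" and "pipe2"), I'd make the header comment say what it actually tests and guard the index, e.g. `/* Return true if CALL is a call to FUNCNAME with NUM_ARGS (>= 1) arguments whose first argument has pointer type, as needed to model the fd array of "pipe"/"pipe2".  */` and `gcc_assert (num_args >= 1);` before the POINTER_TYPE_P test. The check also only requires a pointer, not a pointer to int, so a prototype such as a pointer-to-char first argument still reaches the pipe modeling; presumably that path tolerates other pointee types, but that is worth confirming since the new test only covers the non-pointer case.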
@@ -324,6 +324,8 @@ extern bool is_std_named_call_p (const_tree fndecl, const char *funcname,
 const gcall *call, unsigned int num_args);
 extern bool is_setjmp_call_p (const gcall *call);
 extern bool is_longjmp_call_p (const gcall *call);
+extern bool is_pipe_call_p (const_tree fndecl, const char *funcname,
+ const gcall *call, unsigned int num_args);
 
 extern const char *get_user_facing_name (const gcall *call);
 
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 7c44fc9..4713f0d 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -2315,8 +2315,8 @@ region_model::on_call_pre (const gcall *call, region_model_context *ctxt,
 impl_call_memset (cd);
 return false;
 }
- else if (is_named_call_p (callee_fndecl, "pipe", call, 1)
- || is_named_call_p (callee_fndecl, "pipe2", call, 2))
+ else if (is_pipe_call_p (callee_fndecl, "pipe", call, 1)
+ || is_pipe_call_p (callee_fndecl, "pipe2", call, 2))
 {
 /* Handle in "on_call_post"; bail now so that fd array is left
 untouched so that we can detect use-of-uninit
@@ -2403,8 +2403,8 @@ region_model::on_call_post (const gcall *call,
 impl_call_operator_delete (cd);
 return;
 }
- else if (is_named_call_p (callee_fndecl, "pipe", call, 1)
- || is_named_call_p (callee_fndecl, "pipe2", call, 2))
+ else if (is_pipe_call_p (callee_fndecl, "pipe", call, 1)
+ || is_pipe_call_p (callee_fndecl, "pipe2", call, 2))
 {
 impl_call_pipe (cd);
 return;
diff --git a/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c b/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
new file mode 100644
index 0000000..e9fc7fb
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
@@ -0,0 +1,5 @@
+void pipe(int);
+
+void f1(void) {
+ pipe(1);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c b/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c
new file mode 100644
index 0000000..0de6763
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c
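Review bot: The pair of `is_pipe_call_p` conditions in on_call_pre and the identical pair in the on_call_post hunk at -2403 must stay in sync, because on_call_pre deliberately bails only so that on_call_post can model the fd array; a "pipe" whose first argument is not a pointer now falls through to the generic handling on both sides, which is the intended fix but is stated at neither call site. I'd add a short comment on the on_call_pre branch, `/* Only model "pipe"/"pipe2" when the fd argument is a pointer; otherwise fall through to the generic call handling (PR analyzer/107486).  */`, and consider wrapping the two-name test in one small predicate so a future pipe variant cannot be added on one side only. Both enclosing functions start and end outside their hunks.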
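Review bot: The new test has no comment and no dg directives, so a reader cannot tell it is an ICE regression test whose only expectation is that the analyzer compiles it without crashing, nor whether a future diagnostic on the bogus `pipe` prototype would be acceptable here. I'd add a header comment such as `/* PR analyzer/107486: "pipe" declared with a non-pointer parameter used to ICE; we only require that this compiles cleanly under the analyzer.  */`. The fix also covers "pipe2", but only "pipe" is exercised; adding `void pipe2(int, int);` and a call `pipe2(1, 0);` in a second function would cover the other predicate use.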
@@ -0,0 +1,11 @@
+extern void pipe(int pipefd[2]);
+extern int close(int fd);
+
+void
+test_unchecked (void)
+{
+ int fds[2];
+ pipe (fds); /* { dg-message "when 'pipe' fails" } */
+ close (fds[0]); /* { dg-warning "use of uninitialized value 'fds\\\[0\\\]'" } */
+ close (fds[1]); /* { dg-warning "use of uninitialized value 'fds\\\[1\\\]'" } */
+}
--
2.7.4
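Review bot: The reason for declaring `pipe` as returning void is not stated; presumably it exercises the path where there is no return value to check, so that the "when 'pipe' fails" message and the uninitialized-fd warnings are still emitted, but without a comment the prototype reads as a mistake. I'd add at the top `/* Verify that the fd-array modeling and the use-of-uninitialized warnings still work when "pipe" is declared returning void, so its result cannot be checked.  */`. The `close` prototype is only there to consume the fds, which is worth a word in the same comment.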