From: "cvs-commit at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/99716] -Wanalyzer-double-fclose when fclose is called inside a loop
Date: Thu, 25 Mar 2021 00:48:54 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 11.0
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99716

--- Comment #5 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:71fc4655ab86ab66b40165b2cb49c1395ca82a9a

commit r11-7820-g71fc4655ab86ab66b40165b2cb49c1395ca82a9a
Author: David Malcolm
Date:   Wed Mar 24 20:47:57 2021 -0400

    analyzer; reset sm-state for SSA names at def-stmts [PR93695,PR99044,PR99716]

    Various false positives from -fanalyzer involve SSA names in loops,
    where sm-state associated with an SSA name from one iteration is
    erroneously reused in a subsequent iteration.
    For example, PR analyzer/99716 describes a false "double 'fclose' of
    FILE 'fp'" on:

      for (i = 0; i < 2; ++i)
        {
          FILE *fp = fopen ("/tmp/test", "w");
          fprintf (fp, "hello");
          fclose (fp);
        }

    where the gimple of the loop body is:

      fp_7 = fopen ("/tmp/test", "w");
      __builtin_fwrite ("hello", 1, 5, fp_7);
      fclose (fp_7);
      i_10 = i_1 + 1;

    where fp_7 transitions to "closed" at the fclose, but is not reset at
    the subsequent fopen, leading to the false positive when the fclose is
    re-reached.

    The fix is to reset sm-state for svalues that involve an SSA name at
    the SSA name's def-stmt, since the def-stmt effectively changes the
    meaning of those related svalues.

    gcc/analyzer/ChangeLog:
            PR analyzer/93695
            PR analyzer/99044
            PR analyzer/99716
            * engine.cc (exploded_node::on_stmt): Clear sm-state involving
            an SSA name at the def-stmt of that SSA name.
            * program-state.cc (sm_state_map::purge_state_involving): New.
            * program-state.h (sm_state_map::purge_state_involving): New decl.
            * region-model.cc (selftest::test_involves_p): New.
            (selftest::analyzer_region_model_cc_tests): Call it.
            * svalue.cc (class involvement_visitor): New class
            (svalue::involves_p): New.
            * svalue.h (svalue::involves_p): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/93695
            PR analyzer/99044
            PR analyzer/99716
            * gcc.dg/analyzer/attr-malloc-CVE-2019-19078-usb-leak.c: Remove
            xfail.
            * gcc.dg/analyzer/pr93695-1.c: New test.
            * gcc.dg/analyzer/pr99044-1.c: New test.
            * gcc.dg/analyzer/pr99044-2.c: New test.
            * gcc.dg/analyzer/pr99716-1.c: New test.
            * gcc.dg/analyzer/pr99716-2.c: New test.
            * gcc.dg/analyzer/pr99716-3.c: New test.
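The sm-state transitions the commit message walks through, modelled as an added toy example (this is not GCC's analyzer code; the state names, the `run_loop`/`run_real_double_fclose` functions and the `reset_at_def` flag are assumptions). It shows the stale "closed" state producing the false positive on the second iteration, the def-stmt reset removing it, and a genuine double fclose still being reported after the reset.

```c
#include <stdbool.h>
/* Constructed toy model of the analyzer's fileptr sm-state for the SSA
   name fp_7 in the loop body above (added example, not GCC's own code;
   names are assumptions). */
enum fp_state { FP_START, FP_OPENED, FP_CLOSED };
struct sm_state_map {
    enum fp_state fp_7;       /* sm-state attached to the SSA name fp_7 */
    int double_fclose_count;  /* diagnostics emitted so far */
};

/* Def-stmt of fp_7: `fp_7 = fopen (...)`.  With reset_at_def, the state
   involving fp_7 is purged first, mirroring purge_state_involving. */
static void on_fopen_def(struct sm_state_map *m, bool reset_at_def)
{
    if (reset_at_def)
        m->fp_7 = FP_START;
    if (m->fp_7 == FP_START)  /* otherwise stale "closed" state survives */
        m->fp_7 = FP_OPENED;
}

/* `fclose (fp_7)`: closing an already-closed name is a double fclose. */
static void on_fclose(struct sm_state_map *m)
{
    if (m->fp_7 == FP_CLOSED)
        m->double_fclose_count++;
    else
        m->fp_7 = FP_CLOSED;
}

/* Walk the loop body `iterations` times and return the diagnostic count;
   without the reset the second iteration reports the false positive. */
int run_loop(int iterations, bool reset_at_def)
{
    struct sm_state_map m = { FP_START, 0 };
    for (int i = 0; i < iterations; ++i) {
        on_fopen_def(&m, reset_at_def);  /* fp_7 = fopen ("/tmp/test", "w"); */
        on_fclose(&m);                   /* fclose (fp_7); (fwrite: no sm change) */
    }
    return m.double_fclose_count;
}

/* A genuine double fclose must still be reported with the reset applied. */
int run_real_double_fclose(bool reset_at_def)
{
    struct sm_state_map m = { FP_START, 0 };
    on_fopen_def(&m, reset_at_def);
    on_fclose(&m);
    on_fclose(&m);
    return m.double_fclose_count;
}
```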