From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2209) id C5A6C3858D37; Thu, 3 Nov 2022 14:22:06 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C5A6C3858D37 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1667485326; bh=YOOR2UE3T1UCUcfREe3dGar6oM8PkZNC5+ckfZw69ps=; h=From:To:Subject:Date:From; b=ZOXdPAFeR1LD1N3r73JJpoifVw6AnIP6C8D11Y4M1/h4eOFw8Y6c4ZTYVLxXzxp7z kaYeIeZNVRm01wAXMGNO7lSp1RFAQjpo/QVQf/jmRjp7KDdusSDXNEDhR/EY9ctDdl eHE6/lTvS7L2L0LU9ZvS8fRGAN1hJloRhF0bo4ds= MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" From: David Malcolm To: gcc-cvs@gcc.gnu.org Subject: [gcc r13-3626] analyzer: fix ICE when pipe's arg isn't a pointer [PR107486] X-Act-Checkin: gcc X-Git-Author: David Malcolm X-Git-Refname: refs/heads/master X-Git-Oldrev: 6629444170f85e9b1e243aa07e3e07a8b9f8fce5 X-Git-Newrev: 5acc10a9ea66411e1712fabc94f9f29892b0d607 Message-Id: <20221103142206.C5A6C3858D37@sourceware.org> Date: Thu, 3 Nov 2022 14:22:06 +0000 (GMT) List-Id: https://gcc.gnu.org/g:5acc10a9ea66411e1712fabc94f9f29892b0d607 commit r13-3626-g5acc10a9ea66411e1712fabc94f9f29892b0d607 Author: David Malcolm Date: Thu Nov 3 10:21:00 2022 -0400 analyzer: fix ICE when pipe's arg isn't a pointer [PR107486] gcc/analyzer/ChangeLog: PR analyzer/107486 * analyzer.cc (is_pipe_call_p): New. * analyzer.h (is_pipe_call_p): New decl. * region-model.cc (region_model::on_call_pre): Use it. (region_model::on_call_post): Likewise. gcc/testsuite/ChangeLog: PR analyzer/107486 * gcc.dg/analyzer/pipe-pr107486.c: New test. * gcc.dg/analyzer/pipe-void-return.c: New test. 
Signed-off-by: David Malcolm
Diff:
---
 gcc/analyzer/analyzer.cc | 16 ++++++++++++++++
 gcc/analyzer/analyzer.h | 2 ++
 gcc/analyzer/region-model.cc | 8 ++++----
 gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c | 5 +++++
 gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c | 11 +++++++++++
 5 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/gcc/analyzer/analyzer.cc b/gcc/analyzer/analyzer.cc
index 8a2a7734f24..6c7c969538c 100644
--- a/gcc/analyzer/analyzer.cc
+++ b/gcc/analyzer/analyzer.cc
@@ -379,6 +379,22 @@ is_longjmp_call_p (const gcall *call)
 return false;
 }
+/* Return true if this is a "pipe" call. */
+
+bool
+is_pipe_call_p (const_tree fndecl, const char *funcname,
+ const gcall *call, unsigned int num_args)
+{
+ if (!is_named_call_p (fndecl, funcname, call, num_args))
+ return false;
+
+ /* We require a pointer for the initial argument. */
+ if (!POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (call, 0))))
+ return false;
+
+ return true;
+}
+
 /* For a CALL that matched is_special_named_call_p or is_named_call_p for some name, return a name for the called function suitable for use in diagnostics (stripping the leading underscores). */
diff --git a/gcc/analyzer/analyzer.h b/gcc/analyzer/analyzer.h
index a2d79e4a59f..c41cfb01656 100644
--- a/gcc/analyzer/analyzer.h
+++ b/gcc/analyzer/analyzer.h
@@ -324,6 +324,8 @@ extern bool is_std_named_call_p (const_tree fndecl, const char *funcname,
 const gcall *call, unsigned int num_args);
 extern bool is_setjmp_call_p (const gcall *call);
 extern bool is_longjmp_call_p (const gcall *call);
+extern bool is_pipe_call_p (const_tree fndecl, const char *funcname,
+ const gcall *call, unsigned int num_args);
 extern const char *get_user_facing_name (const gcall *call);
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 7c44fc9e253..4713f0d2519 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
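Review bot: `is_pipe_call_p` in gcc/analyzer/analyzer.cc checks only that argument 0 has pointer type, so a mismatched declaration such as `void pipe(char *)`, or a `pipe2` whose second argument is not an integer, still matches and goes on to `impl_call_pipe`; whether that path tolerates such types is not visible in this hunk. The analyzer has to survive arbitrary user declarations of well-known names, so either the pointee type should be validated here as well or a test should show that those variants do not ICE. The header comment should state the contract the callers now rely on, e.g. `/* Return true if CALL is a call to FUNCNAME ("pipe" or "pipe2") with NUM_ARGS arguments whose first argument has pointer type.  */`. The `gimple_call_arg (call, 0)` access is safe only because `is_named_call_p` presumably matches the argument count and both callers pass at least 1; a `gcc_assert (num_args >= 1);` at the top would make that assumption explicit.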
@@ -2315,8 +2315,8 @@ region_model::on_call_pre (const gcall *call, region_model_context *ctxt,
 impl_call_memset (cd);
 return false;
 }
- else if (is_named_call_p (callee_fndecl, "pipe", call, 1)
- || is_named_call_p (callee_fndecl, "pipe2", call, 2))
+ else if (is_pipe_call_p (callee_fndecl, "pipe", call, 1)
+ || is_pipe_call_p (callee_fndecl, "pipe2", call, 2))
 {
 /* Handle in "on_call_post"; bail now so that fd array is left untouched so that we can detect use-of-uninit
@@ -2403,8 +2403,8 @@ region_model::on_call_post (const gcall *call,
 impl_call_operator_delete (cd);
 return;
 }
- else if (is_named_call_p (callee_fndecl, "pipe", call, 1)
- || is_named_call_p (callee_fndecl, "pipe2", call, 2))
+ else if (is_pipe_call_p (callee_fndecl, "pipe", call, 1)
+ || is_pipe_call_p (callee_fndecl, "pipe2", call, 2))
 {
 impl_call_pipe (cd);
 return;
diff --git a/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c b/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
new file mode 100644
index 00000000000..e9fc7fb4943
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
@@ -0,0 +1,5 @@
+void pipe(int);
+
+void f1(void) {
+ pipe(1);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c b/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c
new file mode 100644
index 00000000000..0de676305f6
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c
@@ -0,0 +1,11 @@
+extern void pipe(int pipefd[2]);
+extern int close(int fd);
+
+void
+test_unchecked (void)
+{
+ int fds[2];
+ pipe (fds); /* { dg-message "when 'pipe' fails" } */
+ close (fds[0]); /* { dg-warning "use of uninitialized value 'fds\\\[0\\\]'" } */
+ close (fds[1]); /* { dg-warning "use of uninitialized value 'fds\\\[1\\\]'" } */
+}
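Review bot: The `"pipe", 1` / `"pipe2", 2` pair is spelled out twice, in `on_call_pre` (the `@@ -2315` hunk) and again in `on_call_post` (the `@@ -2403` hunk), and the two conditions have to stay identical. The visible comment says `on_call_pre` bails so that `on_call_post` can run `impl_call_pipe`, so editing one condition alone would silently leave pipe calls unmodelled. Letting the helper own both names would remove that coupling, e.g. a predicate taking only `(callee_fndecl, call)` so each site reads `else if (is_pipe_call_p (callee_fndecl, call))`. Both functions start and end outside these hunks, so any other pipe-specific matching elsewhere in them is not visible here.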
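Review bot: gcc.dg/analyzer/pipe-pr107486.c exercises only the one-argument `pipe(int)` form, although the fix also changes the `pipe2` branch; adding `void pipe2(int, int);` with a caller `void f2(void) { pipe2(1, 2); }` would cover that path as well. The file carries no comment or dg-directive, so a reader cannot tell that merely compiling without an ICE is the pass condition; a first line such as `/* PR analyzer/107486: a "pipe" declared with a non-pointer argument must not ICE.  */` would record that intent.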