Bug 109570 - detect fclose on unopened or NULL files
Summary: detect fclose on unopened or NULL files
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer (show other bugs)
Version: 14.0
: P3 normal
Target Milestone: ---
Assignee: David Malcolm
URL: https://sourceware.org/git/?p=glibc.g...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-20 13:33 UTC by Ivan Sorokin
Modified: 2023-08-15 21:00 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ivan Sorokin 2023-04-20 13:33:46 UTC 
While cleaning up one not particularly well written program I noticed this code fragment:

FILE* file = fopen(...);
if (!file)
{
    fclose(file);
    return false;
}

Passing NULL to fclose is undefined behavior. Perhaps -fanalyzer could warn about code like this?
Comment 1 Ivan Sorokin 2023-04-20 13:36:33 UTC 
Generalizing. Perhaps similarly free(NULL) can be detected?

void* obj = malloc(...);
if (!obj)
{
    free(obj);
    return false;
}

Unliky fclose(NULL), free(NULL) is completely well defined operation, but it does nothing and perhaps should be removed.
Comment 2 David Malcolm 2023-04-20 21:31:56 UTC 
Thanks for filing this bug.

I think -fanalyzer should warn about fclose(NULL), but not for free(NULL).
Comment 3 Xi Ruoyao 2023-05-16 10:20:12 UTC 
With the Glibc change there should be an analyzer-null-argument warning now.  I guess we can close it as MOVED.
Comment 4 Christophe Lyon 2023-05-16 20:29:50 UTC 
The glibc change is now causing failures in the GCC testsuite:
FAIL: gcc.dg/analyzer/torture/conftest-1.c   -O0  (test for excess errors)
Excess errors:
/gcc/testsuite/gcc.dg/analyzer/torture/conftest-1.c:6:24: warning: use of possibly-NULL 'f' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]


FAIL: gcc.dg/analyzer/data-model-4.c (test for excess errors)
Excess errors:
/gcc/testsuite/gcc.dg/analyzer/data-model-4.c:11:24: warning: use of possibly-NULL 'f' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
Comment 5 Christophe Lyon 2023-05-17 15:03:26 UTC 
Not sure how to update/fix the testcases though?
Since they get the declaration of fclose from stdio.h, we'd need to make dg-error conditional to the glibc version in use, which seems unpractical.

Should we instead remove #include <stdio.h> and provide suitable declarations in the testcase?
Comment 6 Xi Ruoyao 2023-05-17 15:14:15 UTC 
(In reply to Christophe Lyon from comment #5)
> Not sure how to update/fix the testcases though?
> Since they get the declaration of fclose from stdio.h, we'd need to make
> dg-error conditional to the glibc version in use, which seems unpractical.
> 
> Should we instead remove #include <stdio.h> and provide suitable
> declarations in the testcase?

I guess we need to change

  return ferror (f) || fclose (f) != 0;

to

  return !f || ferror (f) || fclose (f) != 0;

Because "failing to check if the file is opened successfully" is definitely a bug, and these tests are intended not to raise warnings for a bug-free program.

BTW ferror(f) segfaults as well when f is NULL, so IMO we should mark it nonnull in Glibc as well.
Comment 7 Gleb Fotengauer-Malinovskiy 2023-08-15 21:00:51 UTC 
FYI, the change in the glibc also has an effect on autoconf-based projects, when the -fanalyzer flag is used in combination with the -Werror flag, see:

https://git.savannah.gnu.org/cgit/autoconf.git/commit/?id=ea3e0cec2e66132e34228546256a1657c7b9b2e9