[Bug analyzer/99716] -Wanalyzer-double-fclose when fclose is called inside a loop

cvs-commit at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Thu Mar 25 00:48:54 GMT 2021


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99716

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:71fc4655ab86ab66b40165b2cb49c1395ca82a9a

commit r11-7820-g71fc4655ab86ab66b40165b2cb49c1395ca82a9a
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Mar 24 20:47:57 2021 -0400

    analyzer: reset sm-state for SSA names at def-stmts [PR93695,PR99044,PR99716]

    Various false positives from -fanalyzer involve SSA names in loops,
    where sm-state associated with an SSA name from one iteration is
    erroneously reused in a subsequent iteration.

    For example, PR analyzer/99716 describes a false
      "double 'fclose' of FILE 'fp'"
    on:

      for (i = 0; i < 2; ++i) {
        FILE *fp = fopen ("/tmp/test", "w");
        fprintf (fp, "hello");
        fclose (fp);
      }

    where the gimple of the loop body is:

      fp_7 = fopen ("/tmp/test", "w");
      __builtin_fwrite ("hello", 1, 5, fp_7);
      fclose (fp_7);
      i_10 = i_1 + 1;

    where fp_7 transitions to "closed" at the fclose, but is not
    reset at the subsequent fopen, leading to the false positive
    when the fclose is re-reached.

    The fix is to reset sm-state for svalues that involve an SSA name
    at the SSA name's def-stmt, since the def-stmt effectively changes
    the meaning of those related svalues.

    gcc/analyzer/ChangeLog:
            PR analyzer/93695
            PR analyzer/99044
            PR analyzer/99716
            * engine.cc (exploded_node::on_stmt): Clear sm-state involving
            an SSA name at the def-stmt of that SSA name.
            * program-state.cc (sm_state_map::purge_state_involving): New.
            * program-state.h (sm_state_map::purge_state_involving): New decl.
            * region-model.cc (selftest::test_involves_p): New.
            (selftest::analyzer_region_model_cc_tests): Call it.
            * svalue.cc (class involvement_visitor): New class
            (svalue::involves_p): New.
            * svalue.h (svalue::involves_p): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/93695
            PR analyzer/99044
            PR analyzer/99716
            * gcc.dg/analyzer/attr-malloc-CVE-2019-19078-usb-leak.c: Remove
            xfail.
            * gcc.dg/analyzer/pr93695-1.c: New test.
            * gcc.dg/analyzer/pr99044-1.c: New test.
            * gcc.dg/analyzer/pr99044-2.c: New test.
            * gcc.dg/analyzer/pr99716-1.c: New test.
            * gcc.dg/analyzer/pr99716-2.c: New test.
            * gcc.dg/analyzer/pr99716-3.c: New test.
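The loop pattern behind PR analyzer/99716, as an added example that is not part of the GCC commit or its testsuite: each iteration acquires its own `FILE *` and releases it exactly once, so there is no double `fclose`, yet before this fix `-fanalyzer` carried the "closed" state of `fp_7` from one iteration into the next and reported one. The function name `write_n_times` and its `path`/`msg`/`n` parameters are assumptions introduced here; the original reproducer hard-coded `"/tmp/test"` and `"hello"`. Error handling is added so the code is correct as a program, not just as an analyzer test.

```c
/* Added example (not from the GCC commit or its testsuite).  Demonstrates
   the per-iteration fopen/fclose pattern that -fanalyzer falsely flagged
   as a double 'fclose' before sm-state was reset at the SSA name's
   def-stmt.  write_n_times and its parameters are hypothetical names. */
#include <stdio.h>

/* Open PATH for writing, write MSG, close it, N times over.
   Returns the number of iterations in which both the write and the
   fclose succeeded.  An fopen failure simply skips the iteration,
   so there is never a FILE * left unclosed or closed twice. */
int write_n_times (const char *path, const char *msg, int n)
{
  int ok = 0;
  for (int i = 0; i < n; ++i)
    {
      /* Fresh resource on every iteration: in gimple this is the
         def-stmt of fp_7, where the analyzer now clears any sm-state
         still attached to fp_7 from the previous trip round the loop. */
      FILE *fp = fopen (path, "w");
      if (fp == NULL)
        continue;                      /* nothing was acquired, nothing to close */

      int wrote = fputs (msg, fp) >= 0;

      /* Single release point.  fclose frees the FILE even when it reports
         an error, so fp must not be used again after this call; the next
         iteration gets a new pointer from fopen, not this one. */
      int closed = fclose (fp) == 0;

      if (wrote && closed)
        ++ok;
    }
  return ok;
}

int main (void)
{
  /* /dev/null is writable on any POSIX system, so this runs anywhere. */
  int ok = write_n_times ("/dev/null", "hello", 2);
  printf ("%d of 2 iterations succeeded\n", ok);
  return ok == 2 ? 0 : 1;
}
```

Compiling this with `gcc -fanalyzer -c` on a GCC that carries this commit produces no `-Wanalyzer-double-fclose` diagnostic; the genuine double-close case the warning exists for is the one where a single `FILE *` acquired outside the loop is closed on every iteration, and that remains reported.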

