From patchwork Thu Dec 1 02:33:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Malcolm X-Patchwork-Id: 61288 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 48B043858D37 for ; Thu, 1 Dec 2022 02:33:54 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 48B043858D37 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1669862034; bh=7TudjDFhXPLXUP8LBwygKSLMw7Qxoil1cKyfjtDc0K8=; h=To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:From; b=mxPIlFfyvq+tnvftEV+0yjcF/09IW0oB5nsMMBZGmCW4NWyUzPQAkN2jsERMzi+G9 cFwljaBlQHdOA80ruidGvOUZB9+ivrSMo2gHhaINnbf1t3usPI3Z/lwDACv/5djsSc VdAVOIgpsk1LO9ZDOoJ4JSJBW5zV5fq8VQA/CxNQ= X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id BB8AE3858C54 for ; Thu, 1 Dec 2022 02:33:22 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org BB8AE3858C54 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-230-7Hc9v_lYPIe7y2Sz_zImuQ-1; Wed, 30 Nov 2022 21:33:21 -0500 X-MC-Unique: 7Hc9v_lYPIe7y2Sz_zImuQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F34A9811E7A for ; Thu, 1 Dec 2022 02:33:20 +0000 (UTC) Received: from t14s.localdomain.com (unknown [10.2.16.65]) by smtp.corp.redhat.com (Postfix) with ESMTP id C6F361120AA4; Thu, 1 Dec 2022 02:33:20 +0000 (UTC) To: gcc-patches@gcc.gnu.org Cc: David Malcolm Subject: [committed] analyzer: fix ICE on bind/connect with a constant fd [PR107928] Date: Wed, 30 Nov 2022 21:33:17 -0500 Message-Id: <20221201023317.3722715-1-dmalcolm@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-11.4 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: David Malcolm via Gcc-patches From: David Malcolm Reply-To: David Malcolm Errors-To: gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org Sender: "Gcc-patches" Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Pushed to trunk as r13-4424-g45a75fd3d31265. gcc/analyzer/ChangeLog: PR analyzer/107928 * sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in the "success" outcome. (fd_state_machine::on_connect): Likewise. * sm-fd.dot: Add "constant_fd" state and its transitions. gcc/testsuite/ChangeLog: PR analyzer/107928 * gcc.dg/analyzer/fd-bind-pr107928.c: New test. * gcc.dg/analyzer/fd-connect-pr107928.c: New test. * gcc.dg/analyzer/fd-stream-socket-active-open.c (test_active_open_from_connect_constant): New, adapted from test_active_open_from_connect. * gcc.dg/analyzer/fd-stream-socket-passive-open.c (test_passive_open_from_bind_constant): New, adapted from test_passive_open_from_bind. (test_passive_open_from_listen_constant): New, adapted from test_passive_open_from_listen. Signed-off-by: David Malcolm --- gcc/analyzer/sm-fd.cc | 6 +- gcc/analyzer/sm-fd.dot | 6 ++ .../gcc.dg/analyzer/fd-bind-pr107928.c | 10 ++ .../gcc.dg/analyzer/fd-connect-pr107928.c | 10 ++ .../analyzer/fd-stream-socket-active-open.c | 31 ++++++ .../analyzer/fd-stream-socket-passive-open.c | 98 +++++++++++++++++++ 6 files changed, 159 insertions(+), 2 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/analyzer/fd-bind-pr107928.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/fd-connect-pr107928.c diff --git a/gcc/analyzer/sm-fd.cc b/gcc/analyzer/sm-fd.cc index 794733e55ca..799847cb8e8 100644 --- a/gcc/analyzer/sm-fd.cc +++ b/gcc/analyzer/sm-fd.cc @@ -1861,7 +1861,8 @@ fd_state_machine::on_bind (const call_details &cd, next_state = m_bound_datagram_socket; else if (old_state == m_new_unknown_socket) next_state = m_bound_unknown_socket; - else if (old_state == m_start) + else if (old_state == m_start + || old_state == m_constant_fd) next_state = m_bound_unknown_socket; else if (old_state == m_stop) next_state = m_stop; @@ -2116,7 +2117,8 @@ fd_state_machine::on_connect (const call_details &cd, next_state = m_new_datagram_socket; else if (old_state == m_new_unknown_socket) next_state = m_stop; - else if (old_state == m_start) + else if (old_state == m_start + || old_state == m_constant_fd) next_state = m_stop; else if (old_state == m_stop) next_state = m_stop; diff --git a/gcc/analyzer/sm-fd.dot b/gcc/analyzer/sm-fd.dot index da925b0989f..d7676b1f779 100644 --- a/gcc/analyzer/sm-fd.dot +++ b/gcc/analyzer/sm-fd.dot @@ -27,6 +27,9 @@ digraph "fd" { /* Start state. */ start; + /* State for a constant file descriptor (>= 0). */ + constant_fd; + /* States representing a file descriptor that hasn't yet been checked for validity after opening, for three different access modes. */ @@ -129,6 +132,7 @@ digraph "fd" { /* On "bind". */ start -> bound_unknown_socket [label="when 'bind(X, ...)' succeeds"]; + constant_fd -> bound_unknown_socket [label="when 'bind(X, ...)' succeeds"]; new_stream_socket -> bound_stream_socket [label="when 'bind(X, ...)' succeeds"]; new_datagram_socket -> bound_datagram_socket [label="when 'bind(X, ...)' succeeds"]; new_unknown_socket -> bound_unknown_socket [label="when 'bind(X, ...)' succeeds"]; @@ -140,12 +144,14 @@ digraph "fd" { /* On "accept". */ start -> connected_stream_socket [label="when 'accept(OTHER, ...)' succeeds on a listening_stream_socket"]; + constant_fd -> connected_stream_socket [label="when 'accept(OTHER, ...)' succeeds on a listening_stream_socket"]; /* On "connect". */ new_stream_socket -> connected_stream_socket [label="when 'connect(X, ...)' succeeds"]; new_datagram_socket -> new_datagram_socket [label="when 'connect(X, ...)' succeeds"]; new_unknown_socket -> stop [label="when 'connect(X, ...)' succeeds"]; start -> stop [label="when 'connect(X, ...)' succeeds"]; + constant_fd -> stop [label="when 'connect(X, ...)' succeeds"]; /* on_condition. */ unchecked_read_write -> valid_read_write [label="on 'X >= 0'"]; diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-bind-pr107928.c b/gcc/testsuite/gcc.dg/analyzer/fd-bind-pr107928.c new file mode 100644 index 00000000000..acc1a1df8e0 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/fd-bind-pr107928.c @@ -0,0 +1,10 @@ +struct sa {}; + +int +bind (int, struct sa *, int); + +int +foo (struct sa sa) +{ + return bind (1, &sa, sizeof sa); +} diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-connect-pr107928.c b/gcc/testsuite/gcc.dg/analyzer/fd-connect-pr107928.c new file mode 100644 index 00000000000..f3bdc87c210 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/fd-connect-pr107928.c @@ -0,0 +1,10 @@ +struct sa {}; + +int +connect (int, struct sa *, int); + +int +foo (struct sa sa) +{ + return connect (1, &sa, sizeof sa); +} diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-active-open.c b/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-active-open.c index 841894cc1bd..89ea82e59c9 100644 --- a/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-active-open.c +++ b/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-active-open.c @@ -74,3 +74,34 @@ void test_active_open_from_connect (int fd, const char *sockname, void *buf) close (fd); __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-stop'" } */ } + +void test_active_open_from_connect_constant (const char *sockname, void *buf) +{ + const int fd = 42; + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-constant'" } */ + + struct sockaddr_un addr; + memset (&addr, 0, sizeof (addr)); + addr.sun_family = AF_UNIX; + strncpy (addr.sun_path, sockname, sizeof(addr.sun_path) - 1); + + errno = 0; + if (connect (fd, (struct sockaddr *)&addr, sizeof (addr)) == -1) + { + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-constant'" } */ + __analyzer_eval (errno > 0); /* { dg-warning "TRUE" } */ + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ + return; + } + + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-stop'" } */ + __analyzer_eval (errno == 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (fd >= 0); /* { dg-warning "TRUE" } */ + + write (fd, "hello", 6); + read (fd, buf, 100); + + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-stop'" } */ +} diff --git a/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-passive-open.c b/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-passive-open.c index a61091101ed..8af52904d7e 100644 --- a/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-passive-open.c +++ b/gcc/testsuite/gcc.dg/analyzer/fd-stream-socket-passive-open.c @@ -129,6 +129,62 @@ void test_passive_open_from_bind (int fd, const char *sockname, void *buf) __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ } +void test_passive_open_from_bind_constant (const char *sockname, void *buf) +{ + const int fd = 42; + struct sockaddr_un addr; + int afd; + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-constant'" } */ + memset (&addr, 0, sizeof (addr)); + addr.sun_family = AF_UNIX; + strncpy (addr.sun_path, sockname, sizeof(addr.sun_path) - 1); + errno = 0; + if (bind (fd, (struct sockaddr *)&addr, sizeof (addr)) == -1) + { + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-constant'" } */ + __analyzer_eval (errno > 0); /* { dg-warning "TRUE" } */ + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ + return; + } + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-bound-unknown-socket'" } */ + __analyzer_eval (errno == 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (fd >= 0); /* { dg-warning "TRUE" } */ + if (listen (fd, 5) == -1) + { + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-bound-unknown-socket'" } */ + __analyzer_eval (errno > 0); /* { dg-warning "TRUE" } */ + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ + return; + } + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-listening-stream-socket'" } */ + __analyzer_eval (errno == 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (fd >= 0); /* { dg-warning "TRUE" } */ + afd = accept (fd, NULL, NULL); + if (afd == -1) + { + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-listening-stream-socket'" } */ + __analyzer_eval (errno > 0); /* { dg-warning "TRUE" } */ + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ + return; + } + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-listening-stream-socket'" } */ + __analyzer_dump_state ("file-descriptor", afd); /* { dg-warning "state: 'fd-connected-stream-socket'" } */ + __analyzer_eval (errno == 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (fd >= 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (afd >= 0); /* { dg-warning "TRUE" } */ + + write (afd, "hello", 6); + read (afd, buf, 100); + + close (afd); + close (fd); + __analyzer_dump_state ("file-descriptor", afd); /* { dg-warning "state: 'fd-closed'" } */ + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ +} + void test_passive_open_from_listen (int fd, void *buf) { int afd; @@ -169,6 +225,48 @@ void test_passive_open_from_listen (int fd, void *buf) __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ } + +void test_passive_open_from_listen_constant (void *buf) +{ + const int fd = 42; + int afd; + errno = 0; + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-constant'" } */ + if (listen (fd, 5) == -1) + { + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-constant'" } */ + __analyzer_eval (errno > 0); /* { dg-warning "TRUE" } */ + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ + return; + } + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-listening-stream-socket'" } */ + __analyzer_eval (errno == 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (fd >= 0); /* { dg-warning "TRUE" } */ + afd = accept (fd, NULL, NULL); + if (afd == -1) + { + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-listening-stream-socket'" } */ + __analyzer_eval (errno > 0); /* { dg-warning "TRUE" } */ + close (fd); + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ + return; + } + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-listening-stream-socket'" } */ + __analyzer_dump_state ("file-descriptor", afd); /* { dg-warning "state: 'fd-connected-stream-socket'" } */ + __analyzer_eval (errno == 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (fd >= 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (afd >= 0); /* { dg-warning "TRUE" } */ + + write (afd, "hello", 6); + read (afd, buf, 100); + + close (afd); + close (fd); + __analyzer_dump_state ("file-descriptor", afd); /* { dg-warning "state: 'fd-closed'" } */ + __analyzer_dump_state ("file-descriptor", fd); /* { dg-warning "state: 'fd-closed'" } */ +} + void test_passive_open_from_accept (int fd, void *buf) { int afd;