Page MenuHomeFreeBSD
Differential D55503

rev: defensive null check for fp
Needs ReviewPublic
Actions

Authored by awmrozek_hotmail.com on Wed, Feb 25, 8:34 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Mar 2, 5:54 AM
Unknown Object (File)
Sun, Mar 1, 6:24 AM
Unknown Object (File)
Sun, Mar 1, 2:20 AM
Unknown Object (File)
Thu, Feb 26, 5:18 PM
Unknown Object (File)
Thu, Feb 26, 7:09 AM
Unknown Object (File)
Thu, Feb 26, 4:56 AM
Unknown Object (File)
Thu, Feb 26, 1:42 AM
Unknown Object (File)
Thu, Feb 26, 12:33 AM
Subscribers
fuz

Details

Reviewers
imp
Summary

Add a defensive null check for 'fp' in rev.c to silence a false-positive static analyzer warning (core.NullDereference).

  • fp is either stdin or the result of a successful fopen
  • Static analyzer warns of possible null dereference
  • Behavior does not change
  • Tiny, safe improvement
Test Plan

Build and run rev:

$ ./rev /etc/passwd

outputs reversed lines as usual

$ ./rev missingfile

prints warning and exits with code 1

Behavior is unchanged; static analyzer warning is silenced.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

awmrozek_hotmail.com requested review of this revision.Wed, Feb 25, 8:34 AM
awmrozek_hotmail.com created this revision.
fuz added a subscriber: fuz.Thu, Feb 26, 3:15 PM

Could you show me an example where line 86 is reached while fp is a null pointer?

For this to happen, fp needs to be a null pointer at the beginning of the iteration, for it is only assigned to in line 71 and if the assignment results in a null pointer, the rest of the iteration is skipped.
But if fp was a null pointer at the beginning of the iteration, it only stays a null pointer if *argv is a null pointer, as otherwise the if statement in line 70 either makes fp not null or skips the rest of the iteration.
If *argv is a null pointer, it cannot be the first iteration, as fp = stdin in the first iteration. But it can also not be a subsequent iteration, as *argv being a null pointer is the exit condition of the loop.

So I don't think this is actually a case that can happen. And in any case, just silently ignoring this possibility seems wrong if it could happen.

awmrozek_hotmail.com added a comment.EditedThu, Feb 26, 4:42 PM

Hi!

make analyze in /usr/src/usr.bin/rev gave me the following:

/usr/src/usr.bin/rev/rev.c:86:7: warning: Access to field '_flags' results in a dereference of a null pointer (loaded from variable 'fp') [core.NullDereference]

I thought it could be nice for my first patch :-)

//welw

awmrozek_hotmail.com added a comment.Thu, Feb 26, 4:43 PM

make analyze of course, not make clean

fuz added a comment.Thu, Feb 26, 5:59 PM

I believe that, but it seems to be a false positive.
Please check if the condition can actually occur in practice.

awmrozek_hotmail.com added a comment.Thu, Feb 26, 6:46 PM

I'm sorry, I was a bit unclear what I meant. Here is a more refined version:

  1. No, unfortunately I am not able to provide any path that leads to this condition. My claims are blindly based on first comment that make analyze returned. I will return to this commit if I ever manage to satisfy this condition.
  2. I appreciate your time taking time and reading my commit, thanks so much! I was very curious about the review process itself, so I decided to commit something very simple. Thanks again!
fuz added a comment.Thu, Feb 26, 8:40 PM

Don't worry about it!

I think there is still room for improvement as the control flow of this tool is very hard to understand, but as there are no known bugs, it might be better to leave it as is.
Please also think about the consequences of your fix. What would happen here if fp is a null pointer and thus the branch in line 86 is not taken. Is this really the desired behaviour? Try to think about that! Getting a hint from a static analysis tool is only the first step, the real work only starts there.

Revision Contents
Changeset List

PathSize
usr.bin/
rev/
2 lines

Diff 172658

View Options

usr.bin/rev/rev.c

Loading...