authorDavid Malcolm <dmalcolm@redhat.com>2022-11-03 10:21:00 -0400
committerDavid Malcolm <dmalcolm@redhat.com>2022-11-03 10:21:53 -0400
commit5acc10a9ea66411e1712fabc94f9f29892b0d607 (patch)
treebe1193c95fe6923712dba722ce97580c914e8589
parent6629444170f85e9b1e243aa07e3e07a8b9f8fce5 (diff)
analyzer: fix ICE when pipe's arg isn't a pointer [PR107486]
gcc/analyzer/ChangeLog: PR analyzer/107486 * analyzer.cc (is_pipe_call_p): New. * analyzer.h (is_pipe_call_p): New decl. * region-model.cc (region_model::on_call_pre): Use it. (region_model::on_call_post): Likewise. gcc/testsuite/ChangeLog: PR analyzer/107486 * gcc.dg/analyzer/pipe-pr107486.c: New test. * gcc.dg/analyzer/pipe-void-return.c: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
-rw-r--r--gcc/analyzer/analyzer.cc16
-rw-r--r--gcc/analyzer/analyzer.h2
-rw-r--r--gcc/analyzer/region-model.cc8
-rw-r--r--gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c5
-rw-r--r--gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c11
5 files changed, 38 insertions, 4 deletions
diff --git a/gcc/analyzer/analyzer.cc b/gcc/analyzer/analyzer.cc
index 8a2a773..6c7c969 100644
--- a/gcc/analyzer/analyzer.cc
+++ b/gcc/analyzer/analyzer.cc
@@ -379,6 +379,22 @@ is_longjmp_call_p (const gcall *call)
return false;
}
+/* Return true if this is a "pipe" call. */
+
+bool
+is_pipe_call_p (const_tree fndecl, const char *funcname,
+ const gcall *call, unsigned int num_args)
+{
+ if (!is_named_call_p (fndecl, funcname, call, num_args))
+ return false;
+
+ /* We require a pointer for the initial argument. */
+ if (!POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (call, 0))))
+ return false;
+
+ return true;
+}
+
/* For a CALL that matched is_special_named_call_p or is_named_call_p for
some name, return a name for the called function suitable for use in
diagnostics (stripping the leading underscores). */
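Review bot: The header comment on `is_pipe_call_p` says only that it matches a "pipe" call and omits the property the fix depends on: a same-named function whose first argument is not a pointer is rejected, so the pipe handling never treats a non-pointer as the fd array. I would expand it to something like `/* Return true if CALL is a call to FUNCNAME with NUM_ARGS arguments whose first argument has pointer type, as the pipe/pipe2 handling requires. */`. The `gimple_call_arg (call, 0)` access also relies on `is_named_call_p` having matched the argument count against a non-zero `num_args`; its body is not in this hunk, so that is presumably the case. A `gcc_assert (num_args > 0);` at the top would make that precondition explicit.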
diff --git a/gcc/analyzer/analyzer.h b/gcc/analyzer/analyzer.h
index a2d79e4..c41cfb0 100644
--- a/gcc/analyzer/analyzer.h
+++ b/gcc/analyzer/analyzer.h
@@ -324,6 +324,8 @@ extern bool is_std_named_call_p (const_tree fndecl, const char *funcname,
const gcall *call, unsigned int num_args);
extern bool is_setjmp_call_p (const gcall *call);
extern bool is_longjmp_call_p (const gcall *call);
+extern bool is_pipe_call_p (const_tree fndecl, const char *funcname,
+ const gcall *call, unsigned int num_args);
extern const char *get_user_facing_name (const gcall *call);
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 7c44fc9..4713f0d 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -2315,8 +2315,8 @@ region_model::on_call_pre (const gcall *call, region_model_context *ctxt,
impl_call_memset (cd);
return false;
}
- else if (is_named_call_p (callee_fndecl, "pipe", call, 1)
- || is_named_call_p (callee_fndecl, "pipe2", call, 2))
+ else if (is_pipe_call_p (callee_fndecl, "pipe", call, 1)
+ || is_pipe_call_p (callee_fndecl, "pipe2", call, 2))
{
/* Handle in "on_call_post"; bail now so that fd array
is left untouched so that we can detect use-of-uninit
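Review bot: The call sites here and in the `on_call_post` hunk still pass the name and arity (`"pipe", 1` / `"pipe2", 2`) into `is_pipe_call_p`, so the same two-way condition is written out twice and the two handlers stay in step only by hand. That matters because `on_call_pre` bails out on the expectation that `on_call_post` runs the pipe handling for exactly the same set of calls. Consider letting the predicate own both names, e.g. `is_pipe_call_p (callee_fndecl, call)`, so each site reduces to a single call. Both enclosing functions extend beyond the hunks.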
@@ -2403,8 +2403,8 @@ region_model::on_call_post (const gcall *call,
impl_call_operator_delete (cd);
return;
}
- else if (is_named_call_p (callee_fndecl, "pipe", call, 1)
- || is_named_call_p (callee_fndecl, "pipe2", call, 2))
+ else if (is_pipe_call_p (callee_fndecl, "pipe", call, 1)
+ || is_pipe_call_p (callee_fndecl, "pipe2", call, 2))
{
impl_call_pipe (cd);
return;
diff --git a/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c b/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
new file mode 100644
index 0000000..e9fc7fb
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pipe-pr107486.c
@@ -0,0 +1,5 @@
+void pipe(int);
+
+void f1(void) {
+ pipe(1);
+}
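Review bot: This reproducer covers only `pipe` with a non-pointer argument, while the commit routes `pipe2` through the same new check and neither new test exercises that path. Adding `void pipe2(int, int);` and a second function that calls `pipe2(1, 0);` would cover it. A one-line comment at the top, such as `/* Verify that we don't ICE on a "pipe" whose argument isn't a pointer. */`, would also tell a reader why the file carries no dg directives.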
diff --git a/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c b/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c
new file mode 100644
index 0000000..0de6763
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pipe-void-return.c
@@ -0,0 +1,11 @@
+extern void pipe(int pipefd[2]);
+extern int close(int fd);
+
+void
+test_unchecked (void)
+{
+ int fds[2];
+ pipe (fds); /* { dg-message "when 'pipe' fails" } */
+ close (fds[0]); /* { dg-warning "use of uninitialized value 'fds\\\[0\\\]'" } */
+ close (fds[1]); /* { dg-warning "use of uninitialized value 'fds\\\[1\\\]'" } */
+}