From: Paul Eggert <eggert@cs.ucla.edu>
To: bug-gnulib@gnu.org
Cc: Paul Eggert <eggert@cs.ucla.edu>
Subject: [PATCH 03/27] dfa: improve -fanalyzer malloc checking
Date: Sun,  1 Aug 2021 18:17:57 -0700	[thread overview]
Message-ID: <20210802011821.1057057-3-eggert@cs.ucla.edu> (raw)
In-Reply-To: <20210802011821.1057057-1-eggert@cs.ucla.edu>

---
 ChangeLog |  5 ++++-
 lib/dfa.c | 15 +++++++++++++++
 lib/dfa.h |  9 +++++++--
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1af0b926a..d7740df52 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,8 +2,11 @@
 
 	maint: improve -fanalyzer malloc checking
 	* lib/backup-internal.h, lib/backupfile.h:
-	* lib/canonicalize.h:
+	* lib/canonicalize.h, lib/dfa.h:
 	Add malloc-related attributes and include stdlib.h as needed.
+	* lib/dfa.c: Include verify.h.
+	(assume_nonnull): New macro.
+	(dfamust): Use it to pacify GCC.
 
 2021-08-01  Jim Meyering  <meyering@fb.com>
 
diff --git a/lib/dfa.c b/lib/dfa.c
index 7e05a78da..44c3b65c2 100644
--- a/lib/dfa.c
+++ b/lib/dfa.c
@@ -26,6 +26,7 @@
 
 #include "flexmember.h"
 #include "idx.h"
+#include "verify.h"
 
 #include <assert.h>
 #include <ctype.h>
@@ -35,6 +36,13 @@
 #include <limits.h>
 #include <string.h>
 
+/* Pacify gcc -Wanalyzer-null-dereference in areas where GCC
+   understandably cannot deduce that the input comes from a
+   well-formed regular expression.  There's little point to the
+   runtime overhead of 'assert' instead of 'assume_nonnull' when the
+   MMU will check anyway.  */
+#define assume_nonnull(x) assume ((x) != NULL)
+
 static bool
 streq (char const *a, char const *b)
 {
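Review bot: The comment on the new assume_nonnull macro leaves out what happens when the assumption is wrong. assume() (from the verify.h included above, as the ChangeLog entry indicates) tells the compiler the condition holds, so a NULL argument is undefined behaviour rather than a guaranteed MMU fault, and any later explicit NULL check on the same pointer in dfamust may be optimized away; that is a different failure mode from the `assert` the comment compares it to. It is also an assumption, not an evaluation, so the argument must be side-effect-free (the dfamust call sites pass plain locals, which is fine). Suggest ending the comment with: `Unlike 'assert', a violated 'assume_nonnull' is undefined behavior, not a trap, and X must have no side effects.`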
@@ -4090,6 +4098,7 @@ dfamust (struct dfa const *d)
 
         case STAR:
         case QMARK:
+          assume_nonnull (mp);
           resetmust (mp);
           break;
 
@@ -4097,7 +4106,9 @@ dfamust (struct dfa const *d)
           {
             char **new;
             must *rmp = mp;
+            assume_nonnull (rmp);
             must *lmp = mp = mp->prev;
+            assume_nonnull (lmp);
             idx_t j, ln, rn, n;
 
             /* Guaranteed to be.  Unlikely, but ...  */
@@ -4138,10 +4149,12 @@ dfamust (struct dfa const *d)
           break;
 
         case PLUS:
+          assume_nonnull (mp);
           mp->is[0] = '\0';
           break;
 
         case END:
+          assume_nonnull (mp);
           assert (!mp->prev);
           for (idx_t i = 0; mp->in[i] != NULL; i++)
             if (strlen (mp->in[i]) > strlen (result))
@@ -4159,7 +4172,9 @@ dfamust (struct dfa const *d)
         case CAT:
           {
             must *rmp = mp;
+            assume_nonnull (rmp);
             must *lmp = mp = mp->prev;
+            assume_nonnull (lmp);
 
             /* In.  Everything in left, plus everything in
                right, plus concatenation of
diff --git a/lib/dfa.h b/lib/dfa.h
index 19a4127b6..28f9f6336 100644
--- a/lib/dfa.h
+++ b/lib/dfa.h
@@ -24,6 +24,7 @@
 #include <regex.h>
 #include <stdbool.h>
 #include <stddef.h>
+#include <stdlib.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -46,7 +47,9 @@ struct dfa;
 
 /* Needed when Gnulib is not used.  */
 #ifndef _GL_ATTRIBUTE_MALLOC
-# define  _GL_ATTRIBUTE_MALLOC
+# define _GL_ATTRIBUTE_MALLOC
+# define _GL_ATTRIBUTE_DEALLOC_FREE
+# define _GL_ATTRIBUTE_RETURNS_NONNULL
 #endif
 
 /* Entry points. */
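Review bot: The fallback block defines three macros under a single `#ifndef _GL_ATTRIBUTE_MALLOC` guard, so a consumer whose config.h (or an older Gnulib) already defines `_GL_ATTRIBUTE_MALLOC` but not `_GL_ATTRIBUTE_DEALLOC_FREE` or `_GL_ATTRIBUTE_RETURNS_NONNULL` would get an undefined identifier on the dfaalloc declaration in the next hunk. Whether such consumers exist is an inference from the "Needed when Gnulib is not used" comment, but guarding each macro independently costs nothing and keeps the header self-contained in that case.
```c
/* Needed when Gnulib is not used.  */
#ifndef _GL_ATTRIBUTE_MALLOC
# define _GL_ATTRIBUTE_MALLOC
#endif
#ifndef _GL_ATTRIBUTE_DEALLOC_FREE
# define _GL_ATTRIBUTE_DEALLOC_FREE
#endif
#ifndef _GL_ATTRIBUTE_RETURNS_NONNULL
# define _GL_ATTRIBUTE_RETURNS_NONNULL
#endif
```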
@@ -55,7 +58,9 @@ struct dfa;
    It should be initialized via dfasyntax or dfacopysyntax before other use.
    The returned pointer should be passed directly to free() after
    calling dfafree() on it. */
-extern struct dfa *dfaalloc (void) _GL_ATTRIBUTE_MALLOC;
+extern struct dfa *dfaalloc (void)
+  _GL_ATTRIBUTE_MALLOC _GL_ATTRIBUTE_DEALLOC_FREE
+  _GL_ATTRIBUTE_RETURNS_NONNULL;
 
 /* DFA options that can be ORed together, for dfasyntax's 4th arg.  */
 enum
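Review bot: Adding `_GL_ATTRIBUTE_RETURNS_NONNULL` to dfaalloc is a contract promise that lets the compiler drop NULL checks in callers, so it is only sound if dfaalloc never returns NULL (i.e. it aborts on allocation failure rather than propagating it); its definition is not in this hunk, so that cannot be confirmed here. The comment above the declaration describes ownership but not this guarantee, and a reader of the header has no other way to learn it. Suggest adding a sentence to that comment, e.g. `The result is never NULL; dfaalloc does not return on memory exhaustion.`, adjusted to match what dfaalloc actually does.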
-- 
2.31.1


