<86>Oct 1 05:51:58 userdel[2299842]: delete user 'rooter' <86>Oct 1 05:51:58 userdel[2299842]: removed group 'rooter' owned by 'rooter' <86>Oct 1 05:51:58 userdel[2299842]: removed shadow group 'rooter' owned by 'rooter' <86>Oct 1 05:51:58 groupadd[2299847]: group added to /etc/group: name=rooter, GID=990 <86>Oct 1 05:51:58 groupadd[2299847]: group added to /etc/gshadow: name=rooter <86>Oct 1 05:51:58 groupadd[2299847]: new group: name=rooter, GID=990 <86>Oct 1 05:51:58 useradd[2299851]: new user: name=rooter, UID=990, GID=990, home=/root, shell=/bin/bash <86>Oct 1 05:51:58 userdel[2299857]: delete user 'builder' <86>Oct 1 05:51:58 userdel[2299857]: removed group 'builder' owned by 'builder' <86>Oct 1 05:51:58 userdel[2299857]: removed shadow group 'builder' owned by 'builder' <86>Oct 1 05:51:58 groupadd[2299862]: group added to /etc/group: name=builder, GID=991 <86>Oct 1 05:51:58 groupadd[2299862]: group added to /etc/gshadow: name=builder <86>Oct 1 05:51:58 groupadd[2299862]: new group: name=builder, GID=991 <86>Oct 1 05:51:58 useradd[2299866]: new user: name=builder, UID=991, GID=991, home=/usr/src, shell=/bin/bash <13>Oct 1 05:51:59 rpmi: gcc-c++-common-1.4.27-alt1 sisyphus+278099.1300.1.1 1626028636 installed <13>Oct 1 05:52:00 rpmi: libstdc++12-devel-12.1.1-alt2 sisyphus+307182.100.1.1 1663782147 installed <13>Oct 1 05:52:00 rpmi: gcc12-c++-12.1.1-alt2 sisyphus+307182.100.1.1 1663782147 installed <13>Oct 1 05:52:00 rpmi: gcc-c++-12-alt1 sisyphus+300988.300.1.1 1654033914 installed Building target platforms: i586 Building for target i586 Wrote: /usr/src/in/nosrpm/liburing-2.2-alt1.nosrc.rpm (w1.gzdio) Installing liburing-2.2-alt1.src.rpm Building target platforms: i586 Building for target i586 Executing(%prep): /bin/sh -e /usr/src/tmp/rpm-tmp.55472 + umask 022 + /bin/mkdir -p /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + rm -rf liburing-2.2 + echo 'Source #0 (liburing-2.2.tar):' Source #0 (liburing-2.2.tar): + /bin/tar -xf /usr/src/RPM/SOURCES/liburing-2.2.tar + cd liburing-2.2 + /bin/chmod -c -Rf u+rwX,go-w . + exit 0 Executing(%build): /bin/sh -e /usr/src/tmp/rpm-tmp.55472 + umask 022 + /bin/mkdir -p /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + cd liburing-2.2 + ./configure --prefix=/usr --includedir=/usr/include --libdir=/usr/lib --libdevdir=/usr/lib --mandir=/usr/share/man prefix /usr includedir /usr/include libdir /usr/lib libdevdir /usr/lib relativelibdir mandir /usr/share/man datadir /usr/share stringop_overflow yes array_bounds yes __kernel_rwf_t yes __kernel_timespec yes open_how yes statx yes glibc_statx yes C++ yes has_ucontext yes has_memfd_create yes liburing_nolibc no CC gcc CXX g++ + make -j16 --no-print-directory 'CFLAGS=-pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer' V=1 gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "syscall.ol" -MMD -MP -MF "syscall.ol.d" -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o syscall.ol syscall.c gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "syscall.os" -MMD -MP -MF "syscall.os.d" -fPIC -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o syscall.os syscall.c gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "register.ol" -MMD -MP -MF "register.ol.d" -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o register.ol register.c gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "register.os" -MMD -MP -MF "register.os.d" -fPIC -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o register.os register.c gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "setup.os" -MMD -MP -MF "setup.os.d" -fPIC -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o setup.os setup.c setup.c: In function 'io_uring_queue_exit': setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^~~~~~~~~~~~~~~~~~ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^~~~~~~~~~~~~ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | 37 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 38 | IORING_OFF_SQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | +--> '__sys_mmap': events 13-15 | |arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^~~~~~~~~~ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' | 37 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 38 | IORING_OFF_SQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | 46 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 47 | IORING_OFF_CQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | +--> '__sys_mmap': events 22-24 | |arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^~~~~~~~~~ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' | 46 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 47 | IORING_OFF_CQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~~~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^~~~~~~~~~~~~~~~~~~~ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~~~~~~~~~~~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~~~ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~~~~~~~~~~~~~~~~~~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "setup.ol" -MMD -MP -MF "setup.ol.d" -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o setup.ol setup.c setup.c: In function 'io_uring_queue_exit': setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^~~~~~~~~~~~~~~~~~ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^~~~~~~~~~~~~ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | 37 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 38 | IORING_OFF_SQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | +--> '__sys_mmap': events 13-15 | |arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^~~~~~~~~~ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' | 37 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 38 | IORING_OFF_SQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | 46 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 47 | IORING_OFF_CQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | +--> '__sys_mmap': events 22-24 | |arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^~~~~~~~~~ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' | 46 | MAP_SHARED | MAP_POPULATE, fd, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 47 | IORING_OFF_CQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~~~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^~~~~~~~~~~~~~~~~~~~ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~~~~~~~~~~~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~~~ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~~~~~~~~~~~~~~~~~~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "queue.ol" -MMD -MP -MF "queue.ol.d" -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o queue.ol queue.c gcc -D_GNU_SOURCE -Iinclude/ -include ../config-host.h -MT "queue.os" -MMD -MP -MF "queue.os.d" -fPIC -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -c -o queue.os queue.c ar r liburing.a setup.ol queue.ol register.ol syscall.ol ar: creating liburing.a ranlib liburing.a gcc -fPIC -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -DLIBURING_INTERNAL -shared -Wl,--version-script=liburing.map -Wl,-soname=liburing.so.2 -o liburing.so.2.2 setup.os queue.os register.os syscall.os gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o ../src/syscall.o -c ../src/syscall.c gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o helpers.o -c helpers.c gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o b19062a56726.t b19062a56726.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o 917257daa0fe.t 917257daa0fe.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o a0908ae19763.t a0908ae19763.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o a4c0b3decb33.t a4c0b3decb33.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread a4c0b3decb33.c: In function 'sig_int': a4c0b3decb33.c:169:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 169 | exit(0); | ^~~~~~~ 'main': events 1-4 | | 172 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' | 173 | { | 174 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_2(D) <= 1')... | 175 | return 0; | 176 | signal(SIGINT, sig_int); | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) registering 'sig_int' as signal handler | event 5 | |cc1: | (5): later on, when the signal is delivered to the process | +--> 'sig_int': events 6-7 | | 167 | static void sig_int(int sig) | | ^~~~~~~ | | | | | (6) entry to 'sig_int' | 168 | { | 169 | exit(0); | | ~~~~~~~ | | | | | (7) call to 'exit' from within signal handler | a4c0b3decb33.c:169:9: note: '_exit' is a possible signal-safe alternative for 'exit' 169 | exit(0); | ^~~~~~~ ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o 35fa71a030ca.t 35fa71a030ca.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread 35fa71a030ca.c: In function 'sig_int': 35fa71a030ca.c:314:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 314 | exit(0); | ^~~~~~~ 'main': events 1-4 | | 317 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' | 318 | { | 319 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_1(D) <= 1')... | 320 | return 0; | 321 | signal(SIGINT, sig_int); | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) registering 'sig_int' as signal handler | event 5 | |cc1: | (5): later on, when the signal is delivered to the process | +--> 'sig_int': events 6-7 | | 312 | static void sig_int(int sig) | | ^~~~~~~ | | | | | (6) entry to 'sig_int' | 313 | { | 314 | exit(0); | | ~~~~~~~ | | | | | (7) call to 'exit' from within signal handler | 35fa71a030ca.c:314:9: note: '_exit' is a possible signal-safe alternative for 'exit' 314 | exit(0); | ^~~~~~~ ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size_params': events 1-2 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (1) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (2) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 3-6 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (3) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (6) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (5) ...to here | +--> 'io_uring_queue_mmap': events 7-8 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (7) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (8) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 9-10 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (9) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (10) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 11-13 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (11) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (12) following 'false' branch (when 'ret_11 != 4294967295B')... | | (13) ...to here | <------+ | 'io_uring_mmap': events 14-19 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (14) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (15) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (17) following 'false' branch... | | (16) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (19) calling '__sys_mmap' from 'io_uring_mmap' | | (18) ...to here | +--> '__sys_mmap': events 20-22 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (20) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (21) following 'false' branch (when 'ret_11 != 4294967295B')... | | (22) ...to here | <------+ | 'io_uring_mmap': events 23-26 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (23) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (24) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (25) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (26) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 27-29 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (27) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (28) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (29) ...to here | <------+ | 'io_uring_mmap': event 30 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (30) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 31 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (31) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 32-34 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (32) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (33) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (34) ...to here | <------+ | 'io_uring_mlock_size_params': events 35-38 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (35) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (37) ...to here | | (38) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 39-42 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (39) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (40) '0B' is NULL | | | (41) '0B' is NULL | | (42) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o accept-test.t accept-test.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o 8a9973408177.t 8a9973408177.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o b5837bd5311d.t b5837bd5311d.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o 500f9fbadef8.t 500f9fbadef8.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o 7ad0e4b2f83c.t 7ad0e4b2f83c.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from 7ad0e4b2f83c.c:5: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-5 | |7ad0e4b2f83c.c:32:5: | 32 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 42 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_12(D) <= 1')... |...... | 45 | ret = io_uring_queue_init(32, &ring, 0); | | ~~~ | | | | | (3) ...to here | 46 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_15 == 0')... |...... | 51 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (5) ...to here | 'main': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | 'main': event 10 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'main' from '_io_uring_get_sqe' | 'main': event 11 | |7ad0e4b2f83c.c:52:9: | 52 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) calling 'io_uring_prep_nop' from 'main' | +--> 'io_uring_prep_nop': events 12-13 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (12) entry to 'io_uring_prep_nop' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_timeout' at ../src/include/liburing.h:481:2, inlined from 'main' at 7ad0e4b2f83c.c:73:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-9 | |7ad0e4b2f83c.c:32:5: | 32 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 42 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_12(D) <= 1')... |...... | 45 | ret = io_uring_queue_init(32, &ring, 0); | | ~~~ | | | | | (3) ...to here | 46 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_15 == 0')... |...... | 51 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (5) ...to here |...... | 54 | if (ret != 1) { | | ~ | | | | | (6) following 'false' branch (when 'ret_19 == 1')... |...... | 60 | ts1.tv_sec = 5, | | ~~~ | | | | | (7) ...to here |...... | 63 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_23 == 0')... |...... | 67 | io_uring_cqe_seen(&ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (9) ...to here | 'main': event 10 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 11-12 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (11) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (12) following 'false' branch... | '_io_uring_get_sqe': event 13 | |cc1: | (13): ...to here | <------+ | 'main': events 14-15 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o accept-reuse.t accept-reuse.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o accept-link.t accept-link.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o across-fork.t across-fork.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o 232c93d07b74.t 232c93d07b74.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread 232c93d07b74.c: In function 'rcv': 232c93d07b74.c:149:57: warning: use of uninitialized value 'buff[i_57]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 149 | if (buff[i] != expected_byte) { | ~~~~^~~ 'rcv': events 1-2 | | 60 | static void *rcv(void *arg) | | ^~~ | | | | | (1) entry to 'rcv' |...... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (2) region created on stack here | 'rcv': event 3 | | 85 | assert(s0 != -1); | | ^~~~~~ | | | | | (3) following 'true' branch (when 's0_71 != -1')... | 'rcv': event 4 | | 87 | struct sockaddr_un addr; | | ^~~~~~ | | | | | (4) ...to here | 'rcv': event 5 | | 93 | assert(res != -1); | | ^~~~~~ | | | | | (5) following 'true' branch (when 'res_76 != -1')... | 'rcv': event 6 | |cc1: | (6): ...to here | 'rcv': event 7 | | 96 | assert(res != -1); | | ^~~~~~ | | | | | (7) following 'true' branch (when 'res_100 != -1')... | 'rcv': event 8 | | 98 | set_rcv_ready(); | | ^~~~~~~~~~~~~ | | | | | (8) ...to here | 'rcv': event 9 | | 101 | assert(s1 != -1); | | ^~~~~~ | | | | | (9) following 'true' branch (when 's1_105 != -1')... | 'rcv': event 10 | | 103 | if (p->non_blocking) { | | ^~ | | | | | (10) ...to here | 'rcv': event 11 | | 116 | assert(res >= 0); | | ^~~~~~ | | | | | (11) following 'true' branch (when 'res_116 >= 0')... | 'rcv': event 12 | |cc1: | (12): ...to here | 'rcv': events 13-14 | | 122 | while (!done && bytes_read != 33) { | | ~~~~~~^~~~~~~~~~~~~~~~~~~ | | | | | (13) following 'true' branch... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (14) ...to here | 'rcv': event 15 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) calling '_io_uring_get_sqe' from 'rcv' | +--> '_io_uring_get_sqe': events 16-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (16) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (17) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (18) ...to here | <------+ | 'rcv': event 19 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) returning to 'rcv' from '_io_uring_get_sqe' | 'rcv': event 20 | |232c93d07b74.c:130:17: | 130 | assert(sqe != NULL); | | ^~~~~~ | | | | | (20) following 'true' branch... | 'rcv': event 21 | | 132 | io_uring_prep_readv(sqe, s1, &iov, 1, 0); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here | 'rcv': event 22 | | 135 | assert(res != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'res_132 != -1')... | 'rcv': event 23 | |cc1: | (23): ...to here | 'rcv': event 24 | | 141 | while (!done && count != 1) { | | ~~~~~~^~~~~~~~~~~~~ | | | | | (24) following 'true' branch... | 'rcv': event 25 | |../src/include/liburing.h:212:9: | 212 | for (head = *(ring)->cq.khead; \ | | ^~~ | | | | | (25) ...to here 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': event 26 | |../src/include/liburing.h:214:90: | 213 | (cqe = (head != io_uring_smp_load_acquire((ring)->cq.ktail) ? \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 214 | &(ring)->cq.cqes[io_uring_cqe_index(ring, head, *(ring)->cq.kring_mask)] : NULL)); \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ | | | | | (26) following 'true' branch... 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': events 27-28 | | 143 | if (cqe->res < 0) | | ^~ ~ | | | | | | | (28) following 'false' branch... | | (27) ...to here | 'rcv': event 29 | |cc1: | (29): ...to here | 'rcv': events 30-32 | | 148 | for (i = 0; i < cqe->res; i++) { | | ~~^~~~~~~~~~ | | | | | (30) following 'true' branch... | 149 | if (buff[i] != expected_byte) { | | ~~ ~~~~~~~ | | | | | | | (32) use of uninitialized value 'buff[i_57]' here | | (31) ...to here | 232c93d07b74.c:149:57: warning: use of uninitialized value 'buff[i_57]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 149 | if (buff[i] != expected_byte) { | ~~~~^~~ 'rcv': events 1-2 | | 60 | static void *rcv(void *arg) | | ^~~ | | | | | (1) entry to 'rcv' |...... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (2) region created on stack here | 'rcv': event 3 | | 85 | assert(s0 != -1); | | ^~~~~~ | | | | | (3) following 'true' branch (when 's0_71 != -1')... | 'rcv': event 4 | | 87 | struct sockaddr_un addr; | | ^~~~~~ | | | | | (4) ...to here | 'rcv': event 5 | | 93 | assert(res != -1); | | ^~~~~~ | | | | | (5) following 'true' branch (when 'res_76 != -1')... | 'rcv': event 6 | |cc1: | (6): ...to here | 'rcv': event 7 | | 96 | assert(res != -1); | | ^~~~~~ | | | | | (7) following 'true' branch (when 'res_100 != -1')... | 'rcv': event 8 | | 98 | set_rcv_ready(); | | ^~~~~~~~~~~~~ | | | | | (8) ...to here | 'rcv': event 9 | | 101 | assert(s1 != -1); | | ^~~~~~ | | | | | (9) following 'true' branch (when 's1_105 != -1')... | 'rcv': event 10 | | 103 | if (p->non_blocking) { | | ^~ | | | | | (10) ...to here | 'rcv': event 11 | | 116 | assert(res >= 0); | | ^~~~~~ | | | | | (11) following 'true' branch (when 'res_116 >= 0')... | 'rcv': event 12 | |cc1: | (12): ...to here | 'rcv': events 13-14 | | 122 | while (!done && bytes_read != 33) { | | ~~~~~~^~~~~~~~~~~~~~~~~~~ | | | | | (13) following 'true' branch... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (14) ...to here | 'rcv': event 15 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) calling '_io_uring_get_sqe' from 'rcv' | +--> '_io_uring_get_sqe': events 16-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (16) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (17) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (18) ...to here | <------+ | 'rcv': event 19 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) returning to 'rcv' from '_io_uring_get_sqe' | 'rcv': event 20 | |232c93d07b74.c:130:17: | 130 | assert(sqe != NULL); | | ^~~~~~ | | | | | (20) following 'true' branch... | 'rcv': event 21 | | 132 | io_uring_prep_readv(sqe, s1, &iov, 1, 0); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here | 'rcv': event 22 | | 135 | assert(res != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'res_132 != -1')... | 'rcv': event 23 | |cc1: | (23): ...to here | 'rcv': event 24 | | 141 | while (!done && count != 1) { | | ~~~~~~^~~~~~~~~~~~~ | | | | | (24) following 'true' branch... | 'rcv': event 25 | |../src/include/liburing.h:212:9: | 212 | for (head = *(ring)->cq.khead; \ | | ^~~ | | | | | (25) ...to here 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': event 26 | |../src/include/liburing.h:214:90: | 213 | (cqe = (head != io_uring_smp_load_acquire((ring)->cq.ktail) ? \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 214 | &(ring)->cq.cqes[io_uring_cqe_index(ring, head, *(ring)->cq.kring_mask)] : NULL)); \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ | | | | | (26) following 'true' branch... 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': events 27-28 | | 143 | if (cqe->res < 0) | | ^~ ~ | | | | | | | (28) following 'false' branch... | | (27) ...to here | 'rcv': event 29 | |cc1: | (29): ...to here | 'rcv': events 30-36 | | 148 | for (i = 0; i < cqe->res; i++) { | | ~~^~~~~~~~~~ | | | | | (30) following 'true' branch... | | (34) following 'true' branch... | 149 | if (buff[i] != expected_byte) { | | ~~ ~~~~~~~~ | | | | | | | | | (36) use of uninitialized value 'buff[i_57]' here | | | (32) following 'false' branch... | | (31) ...to here | | (35) ...to here |...... | 156 | expected_byte++; | | ~~~~~~~~~~~~~ | | | | | (33) ...to here | 232c93d07b74.c:149:57: warning: use of uninitialized value 'buff[i_57]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 149 | if (buff[i] != expected_byte) { | ~~~~^~~ 'rcv': events 1-2 | | 60 | static void *rcv(void *arg) | | ^~~ | | | | | (1) entry to 'rcv' |...... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (2) region created on stack here | 'rcv': event 3 | | 85 | assert(s0 != -1); | | ^~~~~~ | | | | | (3) following 'true' branch (when 's0_71 != -1')... | 'rcv': event 4 | | 87 | struct sockaddr_un addr; | | ^~~~~~ | | | | | (4) ...to here | 'rcv': event 5 | | 93 | assert(res != -1); | | ^~~~~~ | | | | | (5) following 'true' branch (when 'res_76 != -1')... | 'rcv': event 6 | |cc1: | (6): ...to here | 'rcv': event 7 | | 96 | assert(res != -1); | | ^~~~~~ | | | | | (7) following 'true' branch (when 'res_100 != -1')... | 'rcv': event 8 | | 98 | set_rcv_ready(); | | ^~~~~~~~~~~~~ | | | | | (8) ...to here | 'rcv': event 9 | | 101 | assert(s1 != -1); | | ^~~~~~ | | | | | (9) following 'true' branch (when 's1_105 != -1')... | 'rcv': event 10 | | 103 | if (p->non_blocking) { | | ^~ | | | | | (10) ...to here | 'rcv': event 11 | | 116 | assert(res >= 0); | | ^~~~~~ | | | | | (11) following 'true' branch (when 'res_116 >= 0')... | 'rcv': event 12 | |cc1: | (12): ...to here | 'rcv': events 13-14 | | 122 | while (!done && bytes_read != 33) { | | ~~~~~~^~~~~~~~~~~~~~~~~~~ | | | | | (13) following 'true' branch... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (14) ...to here | 'rcv': event 15 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) calling '_io_uring_get_sqe' from 'rcv' | +--> '_io_uring_get_sqe': events 16-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (16) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (17) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (18) ...to here | <------+ | 'rcv': event 19 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) returning to 'rcv' from '_io_uring_get_sqe' | 'rcv': event 20 | |232c93d07b74.c:130:17: | 130 | assert(sqe != NULL); | | ^~~~~~ | | | | | (20) following 'true' branch... | 'rcv': event 21 | | 132 | io_uring_prep_readv(sqe, s1, &iov, 1, 0); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here | 'rcv': event 22 | | 135 | assert(res != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'res_132 != -1')... | 'rcv': event 23 | |cc1: | (23): ...to here | 'rcv': event 24 | | 141 | while (!done && count != 1) { | | ~~~~~~^~~~~~~~~~~~~ | | | | | (24) following 'true' branch... | 'rcv': event 25 | |../src/include/liburing.h:212:9: | 212 | for (head = *(ring)->cq.khead; \ | | ^~~ | | | | | (25) ...to here 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': event 26 | |../src/include/liburing.h:214:90: | 213 | (cqe = (head != io_uring_smp_load_acquire((ring)->cq.ktail) ? \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 214 | &(ring)->cq.cqes[io_uring_cqe_index(ring, head, *(ring)->cq.kring_mask)] : NULL)); \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ | | | | | (26) following 'true' branch... 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': events 27-28 | | 143 | if (cqe->res < 0) | | ^~ ~ | | | | | | | (28) following 'false' branch... | | (27) ...to here | 'rcv': event 29 | |cc1: | (29): ...to here | 'rcv': events 30-36 | | 148 | for (i = 0; i < cqe->res; i++) { | | ~~^~~~~~~~~~ | | | | | (30) following 'true' branch... | | (34) following 'true' branch... | 149 | if (buff[i] != expected_byte) { | | ~~ ~~~~~~~~ | | | | | | | | | (36) use of uninitialized value 'buff[i_57]' here | | | (32) following 'true' branch... | | (31) ...to here | | (35) ...to here | 150 | fprintf(stderr, | | ~~~~~~~ | | | | | (33) ...to here | 232c93d07b74.c:149:57: warning: use of uninitialized value 'buff[i_57]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 149 | if (buff[i] != expected_byte) { | ~~~~^~~ 'rcv': events 1-2 | | 60 | static void *rcv(void *arg) | | ^~~ | | | | | (1) entry to 'rcv' |...... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (2) region created on stack here | 'rcv': event 3 | | 85 | assert(s0 != -1); | | ^~~~~~ | | | | | (3) following 'true' branch (when 's0_71 != -1')... | 'rcv': event 4 | | 87 | struct sockaddr_un addr; | | ^~~~~~ | | | | | (4) ...to here | 'rcv': event 5 | | 93 | assert(res != -1); | | ^~~~~~ | | | | | (5) following 'true' branch (when 'res_76 != -1')... | 'rcv': event 6 | |cc1: | (6): ...to here | 'rcv': event 7 | | 96 | assert(res != -1); | | ^~~~~~ | | | | | (7) following 'true' branch (when 'res_100 != -1')... | 'rcv': event 8 | | 98 | set_rcv_ready(); | | ^~~~~~~~~~~~~ | | | | | (8) ...to here | 'rcv': event 9 | | 101 | assert(s1 != -1); | | ^~~~~~ | | | | | (9) following 'true' branch (when 's1_105 != -1')... | 'rcv': event 10 | | 103 | if (p->non_blocking) { | | ^~ | | | | | (10) ...to here | 'rcv': event 11 | | 116 | assert(res >= 0); | | ^~~~~~ | | | | | (11) following 'true' branch (when 'res_116 >= 0')... | 'rcv': event 12 | |cc1: | (12): ...to here | 'rcv': events 13-14 | | 122 | while (!done && bytes_read != 33) { | | ~~~~~~^~~~~~~~~~~~~~~~~~~ | | | | | (13) following 'true' branch... | 123 | char buff[RECV_BUFF_SIZE]; | | ~~~~ | | | | | (14) ...to here | 'rcv': event 15 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) calling '_io_uring_get_sqe' from 'rcv' | +--> '_io_uring_get_sqe': events 16-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (16) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (17) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (18) ...to here | <------+ | 'rcv': event 19 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) returning to 'rcv' from '_io_uring_get_sqe' | 'rcv': event 20 | |232c93d07b74.c:130:17: | 130 | assert(sqe != NULL); | | ^~~~~~ | | | | | (20) following 'true' branch... | 'rcv': event 21 | | 132 | io_uring_prep_readv(sqe, s1, &iov, 1, 0); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here | 'rcv': event 22 | | 135 | assert(res != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'res_132 != -1')... | 'rcv': event 23 | |cc1: | (23): ...to here | 'rcv': event 24 | | 141 | while (!done && count != 1) { | | ~~~~~~^~~~~~~~~~~~~ | | | | | (24) following 'true' branch... | 'rcv': event 25 | |../src/include/liburing.h:212:9: | 212 | for (head = *(ring)->cq.khead; \ | | ^~~ | | | | | (25) ...to here 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': event 26 | |../src/include/liburing.h:214:90: | 213 | (cqe = (head != io_uring_smp_load_acquire((ring)->cq.ktail) ? \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 214 | &(ring)->cq.cqes[io_uring_cqe_index(ring, head, *(ring)->cq.kring_mask)] : NULL)); \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ | | | | | (26) following 'true' branch... 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': event 27 | | 143 | if (cqe->res < 0) | | ^~ | | | | | (27) ...to here | 'rcv': event 28 | | 144 | assert(cqe->res == -EAGAIN); | | ^~~~~~ | | | | | (28) following 'true' branch... | 'rcv': event 29 | | 161 | count++; | | ^~~~~ | | | | | (29) ...to here | 'rcv': event 30 | |../src/include/liburing.h:214:90: | 213 | (cqe = (head != io_uring_smp_load_acquire((ring)->cq.ktail) ? \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 214 | &(ring)->cq.cqes[io_uring_cqe_index(ring, head, *(ring)->cq.kring_mask)] : NULL)); \ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ | | | | | (30) following 'true' branch... 232c93d07b74.c:142:25: note: in expansion of macro 'io_uring_for_each_cqe' | 142 | io_uring_for_each_cqe(&m_io_uring, head, cqe) { | | ^~~~~~~~~~~~~~~~~~~~~ | 'rcv': events 31-32 | | 143 | if (cqe->res < 0) | | ^~ ~ | | | | | | | (32) following 'false' branch... | | (31) ...to here | 'rcv': event 33 | |cc1: | (33): ...to here | 'rcv': events 34-36 | | 148 | for (i = 0; i < cqe->res; i++) { | | ~~^~~~~~~~~~ | | | | | (34) following 'true' branch... | 149 | if (buff[i] != expected_byte) { | | ~~ ~~~~~~~ | | | | | | | (36) use of uninitialized value 'buff[i_57]' here | | (35) ...to here | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o ce593a6c480a.t ce593a6c480a.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from ce593a6c480a.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'main' at ce593a6c480a.c:94:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-17 | |ce593a6c480a.c:37:5: | 37 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 48 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_32(D) <= 1')... |...... | 54 | loop_fd = eventfd(0, EFD_CLOEXEC); | | ~~~~~~~ | | | | | (3) ...to here | 55 | if (loop_fd == -1) { | | ~ | | | | | (4) following 'false' branch (when 'loop_fd_34 != -1')... |...... | 61 | use_fd = other_fd = eventfd(0, EFD_CLOEXEC); | | ~~~~~~ | | | | | (5) ...to here | 62 | if (other_fd == -1) { | | ~ | | | | | (6) following 'false' branch... |...... | 67 | if (use_sqpoll) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 71 | ret = t_create_ring_params(8, &ring, &p); | | ~~~ | | | | | (9) ...to here | 72 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (10) following 'false' branch (when 'ret_40 != 1')... | 73 | return 0; | 74 | else if (ret < 0) | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'ret_40 >= 0')... | | (11) ...to here |...... | 77 | ret = io_uring_register_eventfd(&ring, loop_fd); | | ~~~ | | | | | (13) ...to here | 78 | if (ret < 0) { | | ~ | | | | | (14) following 'false' branch (when 'ret_42 >= 0')... |...... | 83 | if (use_sqpoll) { | | ~~ ~ | | | | | | | (16) following 'false' branch... | | (15) ...to here |...... | 93 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (17) ...to here | 'main': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'main': events 22-23 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o buf-ring.t buf-ring.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from buf-ring.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_provide_buffers' at ../src/include/liburing.h:705:2, inlined from 'test_mixed_reg' at buf-ring.c:86:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |buf-ring.c:344:5: | 344 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 350 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': events 4-12 | | 353 | for (i = 0; bgids[i] != -1; i++) { | | ~~~~~~~~~^~~~~ | | | | | (4) following 'true' branch... | 354 | ret = test_reg_unreg(bgids[i]); | | ~~~ | | | | | (5) ...to here | 355 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_31 == 0')... |...... | 359 | if (no_buf_ring) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 362 | ret = test_double_reg_unreg(bgids[i]); | | ~~~ | | | | | (9) ...to here | 363 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_33 == 0')... |...... | 368 | ret = test_mixed_reg(bgids[i]); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) calling 'test_mixed_reg' from 'main' | | (11) ...to here | +--> 'test_mixed_reg': events 13-17 | | 68 | static int test_mixed_reg(int bgid) | | ^~~~~~~~~~~~~~ | | | | | (13) entry to 'test_mixed_reg' |...... | 78 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (14) following 'false' branch (when 'ret_16 != 1')... | 79 | return 0; | 80 | else if (ret != T_SETUP_OK) | | ~~ ~ | | | | | | | (16) following 'false' branch (when 'ret_16 == 0')... | | (15) ...to here |...... | 84 | bufs = malloc(8 * 1024); | | ~~~~ | | | | | (17) ...to here | 'test_mixed_reg': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'test_mixed_reg' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'test_mixed_reg': events 22-23 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'test_mixed_reg' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_provide_buffers' at ../src/include/liburing.h:705:2, inlined from 'test_mixed_reg2' at buf-ring.c:50:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |buf-ring.c:344:5: | 344 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 350 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': events 4-14 | | 353 | for (i = 0; bgids[i] != -1; i++) { | | ~~~~~~~~~^~~~~ | | | | | (4) following 'true' branch... | 354 | ret = test_reg_unreg(bgids[i]); | | ~~~ | | | | | (5) ...to here | 355 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_31 == 0')... |...... | 359 | if (no_buf_ring) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 362 | ret = test_double_reg_unreg(bgids[i]); | | ~~~ | | | | | (9) ...to here | 363 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_33 == 0')... |...... | 368 | ret = test_mixed_reg(bgids[i]); | | ~~~ | | | | | (11) ...to here | 369 | if (ret) { | | ~ | | | | | (12) following 'false' branch (when 'ret_35 == 0')... |...... | 374 | ret = test_mixed_reg2(bgids[i]); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (14) calling 'test_mixed_reg2' from 'main' | | (13) ...to here | +--> 'test_mixed_reg2': events 15-19 | | 19 | static int test_mixed_reg2(int bgid) | | ^~~~~~~~~~~~~~~ | | | | | (15) entry to 'test_mixed_reg2' |...... | 29 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (16) following 'false' branch (when 'ret_18 != 1')... | 30 | return 0; | 31 | else if (ret != T_SETUP_OK) | | ~~ ~ | | | | | | | (18) following 'false' branch (when 'ret_18 == 0')... | | (17) ...to here |...... | 34 | if (posix_memalign(&ptr, 4096, 4096)) | | ~~ | | | | | (19) ...to here | 'test_mixed_reg2': event 20 | |cc1: | (20): following 'true' branch... | 'test_mixed_reg2': events 21-23 | | 37 | reg.ring_addr = (unsigned long) ptr; | | ^~~ | | | | | (21) ...to here |...... | 42 | if (ret) { | | ~ | | | | | (22) following 'false' branch (when 'ret_28 == 0')... |...... | 48 | bufs = malloc(8 * 1024); | | ~~~~ | | | | | (23) ...to here | 'test_mixed_reg2': event 24 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling '_io_uring_get_sqe' from 'test_mixed_reg2' | +--> '_io_uring_get_sqe': events 25-26 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (25) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (26) following 'false' branch... | '_io_uring_get_sqe': event 27 | |cc1: | (27): ...to here | <------+ | 'test_mixed_reg2': events 28-29 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to 'test_mixed_reg2' from '_io_uring_get_sqe' | buf-ring.c: In function 'test_mixed_reg2': buf-ring.c:59:17: warning: leak of 'bufs_30' [CWE-401] [-Wanalyzer-malloc-leak] 59 | return 1; | ^~~~~~ 'main': events 1-2 | | 344 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 350 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': events 4-14 | | 353 | for (i = 0; bgids[i] != -1; i++) { | | ~~~~~~~~~^~~~~ | | | | | (4) following 'true' branch... | 354 | ret = test_reg_unreg(bgids[i]); | | ~~~ | | | | | (5) ...to here | 355 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_31 == 0')... |...... | 359 | if (no_buf_ring) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 362 | ret = test_double_reg_unreg(bgids[i]); | | ~~~ | | | | | (9) ...to here | 363 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_33 == 0')... |...... | 368 | ret = test_mixed_reg(bgids[i]); | | ~~~ | | | | | (11) ...to here | 369 | if (ret) { | | ~ | | | | | (12) following 'false' branch (when 'ret_35 == 0')... |...... | 374 | ret = test_mixed_reg2(bgids[i]); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (14) calling 'test_mixed_reg2' from 'main' | | (13) ...to here | +--> 'test_mixed_reg2': events 15-19 | | 19 | static int test_mixed_reg2(int bgid) | | ^~~~~~~~~~~~~~~ | | | | | (15) entry to 'test_mixed_reg2' |...... | 29 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (16) following 'false' branch (when 'ret_18 != 1')... | 30 | return 0; | 31 | else if (ret != T_SETUP_OK) | | ~~ ~ | | | | | | | (18) following 'false' branch (when 'ret_18 == 0')... | | (17) ...to here |...... | 34 | if (posix_memalign(&ptr, 4096, 4096)) | | ~~ | | | | | (19) ...to here | 'test_mixed_reg2': event 20 | |cc1: | (20): following 'true' branch... | 'test_mixed_reg2': events 21-24 | | 37 | reg.ring_addr = (unsigned long) ptr; | | ^~~ | | | | | (21) ...to here |...... | 42 | if (ret) { | | ~ | | | | | (22) following 'false' branch (when 'ret_28 == 0')... |...... | 48 | bufs = malloc(8 * 1024); | | ~~~~ ~~~~~~~~~~~~~~~~ | | | | | | | (24) allocated here | | (23) ...to here | 'test_mixed_reg2': event 25 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) calling '_io_uring_get_sqe' from 'test_mixed_reg2' | +--> '_io_uring_get_sqe': events 26-28 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (26) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (27) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (28) ...to here | <------+ | 'test_mixed_reg2': event 29 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) returning to 'test_mixed_reg2' from '_io_uring_get_sqe' | 'test_mixed_reg2': event 30 | |buf-ring.c:52:15: | 52 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) calling 'io_uring_wait_cqe' from 'test_mixed_reg2' | +--> 'io_uring_wait_cqe': events 31-32 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (31) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 33-35 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (33) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (34) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (35) ...to here | <------+ | 'io_uring_wait_cqe': events 36-38 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (38) ...to here | | | (36) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (37) following 'true' branch... | <------+ | 'test_mixed_reg2': events 39-40 | |buf-ring.c:52:15: | 52 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (39) returning to 'test_mixed_reg2' from 'io_uring_wait_cqe' |...... | 59 | return 1; | | ~~~~~~ | | | | | (40) 'bufs_30' leaks here; was allocated at (24) | buf-ring.c: In function 'test_mixed_reg': buf-ring.c:95:17: warning: leak of 'bufs_18' [CWE-401] [-Wanalyzer-malloc-leak] 95 | return 1; | ^~~~~~ 'main': events 1-2 | | 344 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 350 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': events 4-12 | | 353 | for (i = 0; bgids[i] != -1; i++) { | | ~~~~~~~~~^~~~~ | | | | | (4) following 'true' branch... | 354 | ret = test_reg_unreg(bgids[i]); | | ~~~ | | | | | (5) ...to here | 355 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_31 == 0')... |...... | 359 | if (no_buf_ring) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 362 | ret = test_double_reg_unreg(bgids[i]); | | ~~~ | | | | | (9) ...to here | 363 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_33 == 0')... |...... | 368 | ret = test_mixed_reg(bgids[i]); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) calling 'test_mixed_reg' from 'main' | | (11) ...to here | +--> 'test_mixed_reg': events 13-18 | | 68 | static int test_mixed_reg(int bgid) | | ^~~~~~~~~~~~~~ | | | | | (13) entry to 'test_mixed_reg' |...... | 78 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (14) following 'false' branch (when 'ret_16 != 1')... | 79 | return 0; | 80 | else if (ret != T_SETUP_OK) | | ~~ ~ | | | | | | | (16) following 'false' branch (when 'ret_16 == 0')... | | (15) ...to here |...... | 84 | bufs = malloc(8 * 1024); | | ~~~~ ~~~~~~~~~~~~~~~~ | | | | | | | (18) allocated here | | (17) ...to here | 'test_mixed_reg': event 19 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) calling '_io_uring_get_sqe' from 'test_mixed_reg' | +--> '_io_uring_get_sqe': events 20-22 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (20) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (21) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (22) ...to here | <------+ | 'test_mixed_reg': event 23 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) returning to 'test_mixed_reg' from '_io_uring_get_sqe' | 'test_mixed_reg': event 24 | |buf-ring.c:88:15: | 88 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling 'io_uring_wait_cqe' from 'test_mixed_reg' | +--> 'io_uring_wait_cqe': events 25-26 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (25) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 27-29 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (27) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (28) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (29) ...to here | <------+ | 'io_uring_wait_cqe': events 30-32 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (32) ...to here | | | (30) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (31) following 'true' branch... | <------+ | 'test_mixed_reg': events 33-34 | |buf-ring.c:88:15: | 88 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) returning to 'test_mixed_reg' from 'io_uring_wait_cqe' |...... | 95 | return 1; | | ~~~~~~ | | | | | (34) 'bufs_18' leaks here; was allocated at (18) | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o cq-size.t cq-size.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o close-opath.t close-opath.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o cq-full.t cq-full.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o double-poll-crash.t double-poll-crash.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o cq-peek-batch.t cq-peek-batch.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o cq-ready.t cq-ready.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o d77a67ed5f27.t d77a67ed5f27.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread d77a67ed5f27.c: In function 'sig_alrm': d77a67ed5f27.c:13:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 13 | exit(1); | ^~~~~~~ 'main': events 1-4 | | 16 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 24 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_8(D) <= 1')... |...... | 27 | signal(SIGALRM, sig_alrm); | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) registering 'sig_alrm' as signal handler | event 5 | |cc1: | (5): later on, when the signal is delivered to the process | +--> 'sig_alrm': events 6-7 | | 10 | static void sig_alrm(int sig) | | ^~~~~~~~ | | | | | (6) entry to 'sig_alrm' |...... | 13 | exit(1); | | ~~~~~~~ | | | | | (7) call to 'exit' from within signal handler | d77a67ed5f27.c:13:9: note: '_exit' is a possible signal-safe alternative for 'exit' 13 | exit(1); | ^~~~~~~ gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o d4ae271dfaae.t d4ae271dfaae.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o connect.t connect.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o eventfd-reg.t eventfd-reg.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o drop-submit.t drop-submit.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o empty-eownerdead.t empty-eownerdead.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o exec-target.t exec-target.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o eeed8b54e0df.t eeed8b54e0df.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o cq-overflow.t cq-overflow.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o defer.t defer.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o eventfd-ring.t eventfd-ring.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from eventfd-ring.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'main' at eventfd-ring.c:67:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-17 | |eventfd-ring.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 24 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_15(D) <= 1')... |...... | 27 | ret = io_uring_queue_init_params(8, &ring1, &p); | | ~~~ | | | | | (3) ...to here | 28 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_17 == 0')... |...... | 32 | if (!(p.features & IORING_FEAT_CUR_PERSONALITY)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 36 | ret = io_uring_queue_init(8, &ring2, 0); | | ~~~ | | | | | (7) ...to here | 37 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_19 == 0')... |...... | 42 | evfd1 = eventfd(0, EFD_CLOEXEC); | | ~~~~~ | | | | | (9) ...to here | 43 | if (evfd1 < 0) { | | ~ | | | | | (10) following 'false' branch (when 'evfd1_21 >= 0')... |...... | 48 | evfd2 = eventfd(0, EFD_CLOEXEC); | | ~~~~~ | | | | | (11) ...to here | 49 | if (evfd2 < 0) { | | ~ | | | | | (12) following 'false' branch (when 'evfd2_23 >= 0')... |...... | 54 | ret = io_uring_register_eventfd(&ring1, evfd1); | | ~~~ | | | | | (13) ...to here | 55 | if (ret) { | | ~ | | | | | (14) following 'false' branch (when 'ret_25 == 0')... |...... | 60 | ret = io_uring_register_eventfd(&ring2, evfd2); | | ~~~ | | | | | (15) ...to here | 61 | if (ret) { | | ~ | | | | | (16) following 'false' branch (when 'ret_27 == 0')... |...... | 66 | sqe = io_uring_get_sqe(&ring1); | | ~~~ | | | | | (17) ...to here | 'main': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'main': events 22-23 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) dereference of NULL '_io_uring_get_sqe (&ring1)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'main' at eventfd-ring.c:71:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-17 | |eventfd-ring.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 24 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_15(D) <= 1')... |...... | 27 | ret = io_uring_queue_init_params(8, &ring1, &p); | | ~~~ | | | | | (3) ...to here | 28 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_17 == 0')... |...... | 32 | if (!(p.features & IORING_FEAT_CUR_PERSONALITY)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 36 | ret = io_uring_queue_init(8, &ring2, 0); | | ~~~ | | | | | (7) ...to here | 37 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_19 == 0')... |...... | 42 | evfd1 = eventfd(0, EFD_CLOEXEC); | | ~~~~~ | | | | | (9) ...to here | 43 | if (evfd1 < 0) { | | ~ | | | | | (10) following 'false' branch (when 'evfd1_21 >= 0')... |...... | 48 | evfd2 = eventfd(0, EFD_CLOEXEC); | | ~~~~~ | | | | | (11) ...to here | 49 | if (evfd2 < 0) { | | ~ | | | | | (12) following 'false' branch (when 'evfd2_23 >= 0')... |...... | 54 | ret = io_uring_register_eventfd(&ring1, evfd1); | | ~~~ | | | | | (13) ...to here | 55 | if (ret) { | | ~ | | | | | (14) following 'false' branch (when 'ret_25 == 0')... |...... | 60 | ret = io_uring_register_eventfd(&ring2, evfd2); | | ~~~ | | | | | (15) ...to here | 61 | if (ret) { | | ~ | | | | | (16) following 'false' branch (when 'ret_27 == 0')... |...... | 66 | sqe = io_uring_get_sqe(&ring1); | | ~~~ | | | | | (17) ...to here | 'main': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'main': events 22-23 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'main' from '_io_uring_get_sqe' | | (23) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 24-25 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (24) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (25) following 'false' branch... | '_io_uring_get_sqe': event 26 | |cc1: | (26): ...to here | <------+ | 'main': events 27-28 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) dereference of NULL '_io_uring_get_sqe (&ring2)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-21 | |eventfd-ring.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 24 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_15(D) <= 1')... |...... | 27 | ret = io_uring_queue_init_params(8, &ring1, &p); | | ~~~ | | | | | (3) ...to here | 28 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_17 == 0')... |...... | 32 | if (!(p.features & IORING_FEAT_CUR_PERSONALITY)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 36 | ret = io_uring_queue_init(8, &ring2, 0); | | ~~~ | | | | | (7) ...to here | 37 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_19 == 0')... |...... | 42 | evfd1 = eventfd(0, EFD_CLOEXEC); | | ~~~~~ | | | | | (9) ...to here | 43 | if (evfd1 < 0) { | | ~ | | | | | (10) following 'false' branch (when 'evfd1_21 >= 0')... |...... | 48 | evfd2 = eventfd(0, EFD_CLOEXEC); | | ~~~~~ | | | | | (11) ...to here | 49 | if (evfd2 < 0) { | | ~ | | | | | (12) following 'false' branch (when 'evfd2_23 >= 0')... |...... | 54 | ret = io_uring_register_eventfd(&ring1, evfd1); | | ~~~ | | | | | (13) ...to here | 55 | if (ret) { | | ~ | | | | | (14) following 'false' branch (when 'ret_25 == 0')... |...... | 60 | ret = io_uring_register_eventfd(&ring2, evfd2); | | ~~~ | | | | | (15) ...to here | 61 | if (ret) { | | ~ | | | | | (16) following 'false' branch (when 'ret_27 == 0')... |...... | 66 | sqe = io_uring_get_sqe(&ring1); | | ~~~ | | | | | (17) ...to here |...... | 75 | if (ret != 1) { | | ~ | | | | | (18) following 'false' branch (when 'ret_32 == 1')... |...... | 80 | ret = io_uring_submit(&ring2); | | ~~~ | | | | | (19) ...to here | 81 | if (ret != 1) { | | ~ | | | | | (20) following 'false' branch (when 'ret_34 == 1')... |...... | 86 | sqe = io_uring_get_sqe(&ring1); | | ~~~ | | | | | (21) ...to here | 'main': event 22 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 23-24 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (23) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (24) following 'false' branch... | '_io_uring_get_sqe': event 25 | |cc1: | (25): ...to here | <------+ | 'main': event 26 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) returning to 'main' from '_io_uring_get_sqe' | 'main': event 27 | |eventfd-ring.c:87:9: | 87 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) calling 'io_uring_prep_nop' from 'main' | +--> 'io_uring_prep_nop': events 28-29 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (28) entry to 'io_uring_prep_nop' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o eventfd.t eventfd.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from eventfd.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'main' at eventfd.c:56:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-11 | |eventfd.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 30 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... |...... | 33 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 34 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_31 == 0')... |...... | 38 | if (!(p.features & IORING_FEAT_CUR_PERSONALITY)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 43 | evfd = eventfd(0, EFD_CLOEXEC); | | ~~~~ | | | | | (7) ...to here | 44 | if (evfd < 0) { | | ~ | | | | | (8) following 'false' branch (when 'evfd_33 >= 0')... |...... | 49 | ret = io_uring_register_eventfd(&ring, evfd); | | ~~~ | | | | | (9) ...to here | 50 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_35 == 0')... |...... | 55 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (11) ...to here | 'main': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'main': events 16-17 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'main' at eventfd.c:61:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-11 | |eventfd.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 30 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... |...... | 33 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 34 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_31 == 0')... |...... | 38 | if (!(p.features & IORING_FEAT_CUR_PERSONALITY)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 43 | evfd = eventfd(0, EFD_CLOEXEC); | | ~~~~ | | | | | (7) ...to here | 44 | if (evfd < 0) { | | ~ | | | | | (8) following 'false' branch (when 'evfd_33 >= 0')... |...... | 49 | ret = io_uring_register_eventfd(&ring, evfd); | | ~~~ | | | | | (9) ...to here | 50 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_35 == 0')... |...... | 55 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (11) ...to here | 'main': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'main': events 16-17 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'main' from '_io_uring_get_sqe' | | (17) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 18-19 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (18) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (19) following 'false' branch... | '_io_uring_get_sqe': event 20 | |cc1: | (20): ...to here | <------+ | 'main': events 21-22 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-13 | |eventfd.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 30 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... |...... | 33 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 34 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_31 == 0')... |...... | 38 | if (!(p.features & IORING_FEAT_CUR_PERSONALITY)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 43 | evfd = eventfd(0, EFD_CLOEXEC); | | ~~~~ | | | | | (7) ...to here | 44 | if (evfd < 0) { | | ~ | | | | | (8) following 'false' branch (when 'evfd_33 >= 0')... |...... | 49 | ret = io_uring_register_eventfd(&ring, evfd); | | ~~~ | | | | | (9) ...to here | 50 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_35 == 0')... |...... | 55 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (11) ...to here |...... | 66 | if (ret != 2) { | | ~ | | | | | (12) following 'false' branch (when 'ret_41 == 2')... |...... | 71 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (13) ...to here | 'main': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'main': event 18 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'main' from '_io_uring_get_sqe' | 'main': event 19 | |eventfd.c:72:9: | 72 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) calling 'io_uring_prep_nop' from 'main' | +--> 'io_uring_prep_nop': events 20-21 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (20) entry to 'io_uring_prep_nop' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fc2a85cb02ef.t fc2a85cb02ef.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o eventfd-disable.t eventfd-disable.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from eventfd-disable.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'main' at eventfd-disable.c:63:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-11 | |eventfd-disable.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 30 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_44(D) <= 1')... |...... | 33 | ret = io_uring_queue_init_params(64, &ring, &p); | | ~~~ | | | | | (3) ...to here | 34 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_46 == 0')... |...... | 39 | evfd = eventfd(0, EFD_CLOEXEC); | | ~~~~ | | | | | (5) ...to here | 40 | if (evfd < 0) { | | ~ | | | | | (6) following 'false' branch (when 'evfd_48 >= 0')... |...... | 45 | ret = io_uring_register_eventfd(&ring, evfd); | | ~~~ | | | | | (7) ...to here | 46 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_50 == 0')... |...... | 51 | if (!io_uring_cq_eventfd_enabled(&ring)) { | | ~~ | | | | | (9) ...to here |...... | 57 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_52 == 0')... |...... | 62 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (11) ...to here | 'main': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'main': events 16-17 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-11 | |eventfd-disable.c:17:5: | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 30 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_44(D) <= 1')... |...... | 33 | ret = io_uring_queue_init_params(64, &ring, &p); | | ~~~ | | | | | (3) ...to here | 34 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_46 == 0')... |...... | 39 | evfd = eventfd(0, EFD_CLOEXEC); | | ~~~~ | | | | | (5) ...to here | 40 | if (evfd < 0) { | | ~ | | | | | (6) following 'false' branch (when 'evfd_48 >= 0')... |...... | 45 | ret = io_uring_register_eventfd(&ring, evfd); | | ~~~ | | | | | (7) ...to here | 46 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_50 == 0')... |...... | 51 | if (!io_uring_cq_eventfd_enabled(&ring)) { | | ~~ | | | | | (9) ...to here |...... | 57 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_52 == 0')... |...... | 62 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (11) ...to here | 'main': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'main': event 16 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'main' from '_io_uring_get_sqe' | 'main': event 17 | |eventfd-disable.c:67:12: | 67 | if (ret != 1) { | | ^ | | | | | (17) following 'false' branch (when 'ret_55 == 1')... | 'main': event 18 | |cc1: | (18): ...to here | 'main': events 19-20 | | 72 | for (i = 0; i < 63; i++) { | | ~~^~~~ | | | | | (19) following 'true' branch (when 'i_32 != 63')... | 73 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (20) ...to here | 'main': event 21 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 22-23 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (22) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (23) following 'false' branch... | '_io_uring_get_sqe': event 24 | |cc1: | (24): ...to here | <------+ | 'main': event 25 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) returning to 'main' from '_io_uring_get_sqe' | 'main': event 26 | |eventfd-disable.c:74:17: | 74 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling 'io_uring_prep_nop' from 'main' | +--> 'io_uring_prep_nop': events 27-28 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (27) entry to 'io_uring_prep_nop' | eventfd-disable.c: In function 'main': eventfd-disable.c:93:25: warning: use of uninitialized value 'ptr' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 93 | fprintf(stderr, "eventfd unexpected: %d\n", (int)ptr); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'main': events 1-12 | | 17 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 23 | uint64_t ptr; | | ~~~ | | | | | (2) region created on stack here |...... | 30 | if (argc > 1) | | ~ | | | | | (3) following 'false' branch (when 'argc_44(D) <= 1')... |...... | 33 | ret = io_uring_queue_init_params(64, &ring, &p); | | ~~~ | | | | | (4) ...to here | 34 | if (ret) { | | ~ | | | | | (5) following 'false' branch (when 'ret_46 == 0')... |...... | 39 | evfd = eventfd(0, EFD_CLOEXEC); | | ~~~~ | | | | | (6) ...to here | 40 | if (evfd < 0) { | | ~ | | | | | (7) following 'false' branch (when 'evfd_48 >= 0')... |...... | 45 | ret = io_uring_register_eventfd(&ring, evfd); | | ~~~ | | | | | (8) ...to here | 46 | if (ret) { | | ~ | | | | | (9) following 'false' branch (when 'ret_50 == 0')... |...... | 51 | if (!io_uring_cq_eventfd_enabled(&ring)) { | | ~~ | | | | | (10) ...to here |...... | 57 | if (ret) { | | ~ | | | | | (11) following 'false' branch (when 'ret_52 == 0')... |...... | 62 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (12) ...to here | 'main': event 13 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 14-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (14) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (15) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (16) ...to here | <------+ | 'main': event 17 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) returning to 'main' from '_io_uring_get_sqe' | 'main': event 18 | |eventfd-disable.c:67:12: | 67 | if (ret != 1) { | | ^ | | | | | (18) following 'false' branch (when 'ret_55 == 1')... | 'main': event 19 | |cc1: | (19): ...to here | 'main': events 20-21 | | 72 | for (i = 0; i < 63; i++) { | | ~~^~~~ | | | | | (20) following 'true' branch (when 'i_32 != 63')... | 73 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (21) ...to here | 'main': event 22 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 23-25 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (23) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (24) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (25) ...to here | <------+ | 'main': event 26 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) returning to 'main' from '_io_uring_get_sqe' | 'main': event 27 | |eventfd-disable.c:79:12: | 79 | if (ret != 63) { | | ^ | | | | | (27) following 'false' branch (when 'ret_57 == 63')... | 'main': event 28 | |cc1: | (28): ...to here | 'main': events 29-31 | | 84 | for (i = 0; i < 63; i++) { | | ~~^~~~ | | | | | (29) following 'true' branch (when 'i_33 != 63')... | 85 | ret = io_uring_wait_cqe(&ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (31) calling 'io_uring_wait_cqe' from 'main' | | (30) ...to here | +--> 'io_uring_wait_cqe': events 32-33 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (32) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 34-36 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (34) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (35) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (36) ...to here | <------+ | 'io_uring_wait_cqe': events 37-39 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (39) ...to here | | | (37) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (38) following 'true' branch... | <------+ | 'main': events 40-43 | |eventfd-disable.c:85:23: | 85 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (40) returning to 'main' from 'io_uring_wait_cqe' | 86 | if (ret) { | | ~ | | | | | (41) following 'false' branch (when 'ret_68 == 0')... |...... | 91 | switch (cqe->user_data) { | | ~~~~~~ | | | | | (42) ...to here | 92 | case 1: /* eventfd */ | 93 | fprintf(stderr, "eventfd unexpected: %d\n", (int)ptr); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (43) use of uninitialized value 'ptr' here | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o exit-no-cleanup.t exit-no-cleanup.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fadvise.t fadvise.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fallocate.t fallocate.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o files-exit-hang-timeout.t files-exit-hang-timeout.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from files-exit-hang-timeout.c:17: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_timeout' at ../src/include/liburing.h:481:2, inlined from 'add_timeout' at files-exit-hang-timeout.c:35:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'add_timeout': event 1 | |files-exit-hang-timeout.c:30:13: | 30 | static void add_timeout(struct io_uring *ring, int fd) | | ^~~~~~~~~~~ | | | | | (1) entry to 'add_timeout' | 'add_timeout': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'add_timeout' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'add_timeout': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (ring_2(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'add_timeout' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_accept' at ../src/include/liburing.h:507:2, inlined from 'add_accept' at files-exit-hang-timeout.c:44:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'add_accept': event 1 | |files-exit-hang-timeout.c:39:13: | 39 | static void add_accept(struct io_uring *ring, int fd) | | ^~~~~~~~~~ | | | | | (1) entry to 'add_accept' | 'add_accept': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'add_accept' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'add_accept': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (ring_2(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'add_accept' from '_io_uring_get_sqe' | files-exit-hang-timeout.c: In function 'alarm_sig': files-exit-hang-timeout.c:63:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 63 | exit(0); | ^~~~~~~ 'main': events 1-12 | | 66 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 74 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_20(D) <= 1')... |...... | 77 | sock_listen_fd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); | | ~~~~~~~~~~~~~~ | | | | | (3) ...to here | 78 | if (sock_listen_fd < 0) { | | ~ | | | | | (4) following 'false' branch (when 'sock_listen_fd_22 >= 0')... |...... | 83 | setsockopt(sock_listen_fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); | | ~~~~~~~~~~ | | | | | (5) ...to here |...... | 105 | if (listen(sock_listen_fd, BACKLOG) < 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 110 | if (setup_io_uring()) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 113 | add_timeout(&ring, sock_listen_fd); | | ~~~~~~~~~~~ | | | | | (9) ...to here |...... | 117 | if (ret != 2) { | | ~ | | | | | (10) following 'false' branch (when 'ret_37 == 2')... |...... | 122 | signal(SIGALRM, alarm_sig); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) ...to here | | (12) registering 'alarm_sig' as signal handler | event 13 | |cc1: | (13): later on, when the signal is delivered to the process | +--> 'alarm_sig': events 14-15 | | 61 | static void alarm_sig(int sig) | | ^~~~~~~~~ | | | | | (14) entry to 'alarm_sig' | 62 | { | 63 | exit(0); | | ~~~~~~~ | | | | | (15) call to 'exit' from within signal handler | files-exit-hang-timeout.c:63:9: note: '_exit' is a possible signal-safe alternative for 'exit' 63 | exit(0); | ^~~~~~~ gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o files-exit-hang-poll.t files-exit-hang-poll.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from files-exit-hang-poll.c:17: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'add_poll' at files-exit-hang-poll.c:30:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'add_poll': event 1 | |files-exit-hang-poll.c:25:13: | 25 | static void add_poll(struct io_uring *ring, int fd) | | ^~~~~~~~ | | | | | (1) entry to 'add_poll' | 'add_poll': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'add_poll' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'add_poll': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (ring_2(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'add_poll' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_accept' at ../src/include/liburing.h:507:2, inlined from 'add_accept' at files-exit-hang-poll.c:39:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'add_accept': event 1 | |files-exit-hang-poll.c:34:13: | 34 | static void add_accept(struct io_uring *ring, int fd) | | ^~~~~~~~~~ | | | | | (1) entry to 'add_accept' | 'add_accept': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'add_accept' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'add_accept': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (ring_2(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'add_accept' from '_io_uring_get_sqe' | files-exit-hang-poll.c: In function 'alarm_sig': files-exit-hang-poll.c:57:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 57 | exit(0); | ^~~~~~~ 'main': events 1-12 | | 60 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 68 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_20(D) <= 1')... |...... | 71 | sock_listen_fd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); | | ~~~~~~~~~~~~~~ | | | | | (3) ...to here | 72 | if (sock_listen_fd < 0) { | | ~ | | | | | (4) following 'false' branch (when 'sock_listen_fd_22 >= 0')... |...... | 77 | setsockopt(sock_listen_fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); | | ~~~~~~~~~~ | | | | | (5) ...to here |...... | 99 | if (listen(sock_listen_fd, BACKLOG) < 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 104 | if (setup_io_uring()) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 107 | add_poll(&ring, sock_listen_fd); | | ~~~~~~~~ | | | | | (9) ...to here |...... | 111 | if (ret != 2) { | | ~ | | | | | (10) following 'false' branch (when 'ret_37 == 2')... |...... | 116 | signal(SIGALRM, alarm_sig); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) ...to here | | (12) registering 'alarm_sig' as signal handler | event 13 | |cc1: | (13): later on, when the signal is delivered to the process | +--> 'alarm_sig': events 14-15 | | 55 | static void alarm_sig(int sig) | | ^~~~~~~~~ | | | | | (14) entry to 'alarm_sig' | 56 | { | 57 | exit(0); | | ~~~~~~~ | | | | | (15) call to 'exit' from within signal handler | files-exit-hang-poll.c:57:9: note: '_exit' is a possible signal-safe alternative for 'exit' 57 | exit(0); | ^~~~~~~ gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fixed-link.t fixed-link.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from fixed-link.c:10: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read_fixed' at ../src/include/liburing.h:382:2, inlined from 'main' at fixed-link.c:52:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-6 | |fixed-link.c:15:5: | 15 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 21 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_33(D) <= 1')... |...... | 24 | fd = open("/dev/zero", O_RDONLY); | | ~~ | | | | | (3) ...to here | 25 | if (fd < 0) { | | ~ | | | | | (4) following 'false' branch... |...... | 30 | if (io_uring_queue_init(32, &ring, 0) < 0) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here | 'main': event 7 | |cc1: | (7): ...to here | 'main': events 8-10 | | 36 | for (i = 0; i < IOVECS_LEN; ++i) { | | ^ | | | | | (8) following 'true' branch (when 'i_21 != 2')... | 37 | iovecs[i].iov_base = t_malloc(64); | | ~~~~~~ | | | | | (9) ...to here |...... | 42 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_37 == 0')... | 'main': event 11 | |cc1: | (11): ...to here | 'main': events 12-13 | | 47 | for (i = 0; i < IOVECS_LEN; ++i) { | | ^ | | | | | (12) following 'true' branch (when 'i_22 != 2')... | 48 | struct io_uring_sqe *sqe = io_uring_get_sqe(&ring); | | ~~~~~~ | | | | | (13) ...to here | 'main': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'main': events 18-19 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o file-update.t file-update.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fixed-buf-iter.t fixed-buf-iter.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fixed-reuse.t fixed-reuse.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from fixed-reuse.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_openat' at ../src/include/liburing.h:598:2, inlined from 'io_uring_prep_openat_direct' at ../src/include/liburing.h:608:2, inlined from 'test' at fixed-reuse.c:34:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |fixed-reuse.c:120:5: | 120 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_10(D) <= 1')... |...... | 129 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 130 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_12 == 0')... |...... | 134 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 137 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 138 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 139 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_14 == 0')... |...... | 144 | t_create_file_pattern(FNAME1, 4096, PAT1); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) ...to here |...... | 147 | ret = test(&ring); | | ~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': event 11 | | 25 | static int test(struct io_uring *ring) | | ^~~~ | | | | | (11) entry to 'test' | 'test': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'test': events 16-17 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) dereference of NULL '_io_uring_get_sqe (ring_32(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'test' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_openat' at ../src/include/liburing.h:598:2, inlined from 'io_uring_prep_openat_direct' at ../src/include/liburing.h:608:2, inlined from 'test' at fixed-reuse.c:59:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |fixed-reuse.c:120:5: | 120 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_10(D) <= 1')... |...... | 129 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 130 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_12 == 0')... |...... | 134 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 137 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 138 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 139 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_14 == 0')... |...... | 144 | t_create_file_pattern(FNAME1, 4096, PAT1); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) ...to here |...... | 147 | ret = test(&ring); | | ~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': event 11 | | 25 | static int test(struct io_uring *ring) | | ^~~~ | | | | | (11) entry to 'test' | 'test': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'test': event 16 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'test' from '_io_uring_get_sqe' | 'test': events 17-19 | |fixed-reuse.c:38:12: | 38 | if (ret != 1) { | | ^ | | | | | (17) following 'false' branch (when 'ret_35 == 1')... |...... | 43 | ret = io_uring_wait_cqe(ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (19) calling 'io_uring_wait_cqe' from 'test' | | (18) ...to here | +--> 'io_uring_wait_cqe': events 20-21 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (20) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 22-24 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (22) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (23) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (24) ...to here | <------+ | 'io_uring_wait_cqe': events 25-27 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (27) ...to here | | | (25) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (26) following 'true' branch... | <------+ | 'test': events 28-32 | |fixed-reuse.c:43:15: | 43 | ret = io_uring_wait_cqe(ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to 'test' from 'io_uring_wait_cqe' | 44 | if (ret < 0) { | | ~ | | | | | (29) following 'false' branch (when 'ret_37 >= 0')... |...... | 48 | if (cqe->res != 0) { | | ~~ ~ | | | | | | | (31) following 'false' branch... | | (30) ...to here |...... | 52 | io_uring_cqe_seen(ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (32) ...to here | 'test': event 33 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 34-35 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (34) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (35) following 'false' branch... | '_io_uring_get_sqe': event 36 | |cc1: | (36): ...to here | <------+ | 'test': events 37-38 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (38) dereference of NULL '_io_uring_get_sqe (ring_32(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (37) returning to 'test' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'test' at fixed-reuse.c:64:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |fixed-reuse.c:120:5: | 120 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_10(D) <= 1')... |...... | 129 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 130 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_12 == 0')... |...... | 134 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 137 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 138 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 139 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_14 == 0')... |...... | 144 | t_create_file_pattern(FNAME1, 4096, PAT1); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) ...to here |...... | 147 | ret = test(&ring); | | ~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': events 11-14 | | 25 | static int test(struct io_uring *ring) | | ^~~~ | | | | | (11) entry to 'test' |...... | 38 | if (ret != 1) { | | ~ | | | | | (12) following 'false' branch (when 'ret_35 == 1')... |...... | 43 | ret = io_uring_wait_cqe(ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (14) calling 'io_uring_wait_cqe' from 'test' | | (13) ...to here | +--> 'io_uring_wait_cqe': events 15-16 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 17-19 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (17) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (18) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (19) ...to here | <------+ | 'io_uring_wait_cqe': events 20-22 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (22) ...to here | | | (20) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (21) following 'true' branch... | <------+ | 'test': events 23-27 | |fixed-reuse.c:43:15: | 43 | ret = io_uring_wait_cqe(ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) returning to 'test' from 'io_uring_wait_cqe' | 44 | if (ret < 0) { | | ~ | | | | | (24) following 'false' branch (when 'ret_37 >= 0')... |...... | 48 | if (cqe->res != 0) { | | ~~ ~ | | | | | | | (26) following 'false' branch... | | (25) ...to here |...... | 52 | io_uring_cqe_seen(ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (27) ...to here | 'test': event 28 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 29-30 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (29) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (30) following 'false' branch... | '_io_uring_get_sqe': event 31 | |cc1: | (31): ...to here | <------+ | 'test': events 32-33 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) dereference of NULL '_io_uring_get_sqe (ring_32(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'test' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_close' at ../src/include/liburing.h:614:2, inlined from 'io_uring_prep_close_direct' at ../src/include/liburing.h:620:2, inlined from 'test' at fixed-reuse.c:70:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |fixed-reuse.c:120:5: | 120 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_10(D) <= 1')... |...... | 129 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 130 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_12 == 0')... |...... | 134 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 137 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 138 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 139 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_14 == 0')... |...... | 144 | t_create_file_pattern(FNAME1, 4096, PAT1); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) ...to here |...... | 147 | ret = test(&ring); | | ~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': events 11-14 | | 25 | static int test(struct io_uring *ring) | | ^~~~ | | | | | (11) entry to 'test' |...... | 38 | if (ret != 1) { | | ~ | | | | | (12) following 'false' branch (when 'ret_35 == 1')... |...... | 43 | ret = io_uring_wait_cqe(ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (14) calling 'io_uring_wait_cqe' from 'test' | | (13) ...to here | +--> 'io_uring_wait_cqe': events 15-16 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 17-19 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (17) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (18) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (19) ...to here | <------+ | 'io_uring_wait_cqe': events 20-22 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (22) ...to here | | | (20) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (21) following 'true' branch... | <------+ | 'test': events 23-27 | |fixed-reuse.c:43:15: | 43 | ret = io_uring_wait_cqe(ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) returning to 'test' from 'io_uring_wait_cqe' | 44 | if (ret < 0) { | | ~ | | | | | (24) following 'false' branch (when 'ret_37 >= 0')... |...... | 48 | if (cqe->res != 0) { | | ~~ ~ | | | | | | | (26) following 'false' branch... | | (25) ...to here |...... | 52 | io_uring_cqe_seen(ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (27) ...to here | 'test': event 28 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 29-30 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (29) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (30) following 'false' branch... | '_io_uring_get_sqe': event 31 | |cc1: | (31): ...to here | <------+ | 'test': events 32-33 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) dereference of NULL '_io_uring_get_sqe (ring_32(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'test' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o hardlink.t hardlink.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fsync.t fsync.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o io_uring_setup.t io_uring_setup.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o fpos.t fpos.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o io_uring_enter.t io_uring_enter.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from io_uring_enter.c:27: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'io_prep_read' at io_uring_enter.c:114:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_13(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'submit_io': events 1-2 | |io_uring_enter.c:151:13: | 151 | static void submit_io(struct io_uring *ring, unsigned nr) | | ^~~~~~~~~ | | | | | (1) entry to 'submit_io' |...... | 160 | fd = setup_file(template, file_len); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling 'setup_file' from 'submit_io' | +--> 'setup_file': events 3-9 | | 77 | static int setup_file(char *template, off_t len) | | ^~~~~~~~~~ | | | | | (3) entry to 'setup_file' |...... | 83 | if (fd < 0) { | | ~ | | | | | (4) following 'false' branch (when 'fd_5 >= 0')... |...... | 87 | ret = ftruncate(fd, len); | | ~~~ | | | | | (5) ...to here | 88 | if (ret < 0) { | | ~ | | | | | (6) following 'false' branch (when 'ret_8 >= 0')... |...... | 93 | ret = read(fd, buf, 4096); | | ~~~ | | | | | (7) ...to here | 94 | if (ret != 4096) { | | ~ | | | | | (8) following 'false' branch... |...... | 99 | return fd; | | ~~~~~~ | | | | | (9) ...to here | <------+ | 'submit_io': events 10-12 | | 160 | fd = setup_file(template, file_len); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'submit_io' from 'setup_file' | 161 | for (i = 0; i < nr; i++) { | | ~~~~~~ | | | | | (11) following 'true' branch (when 'i_4 < nr_6(D)')... | 162 | /* allocate an sqe */ | 163 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (12) ...to here | 'submit_io': event 13 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) calling '_io_uring_get_sqe' from 'submit_io' | +--> '_io_uring_get_sqe': events 14-15 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (14) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (15) following 'false' branch... | '_io_uring_get_sqe': event 16 | |cc1: | (16): ...to here | <------+ | 'submit_io': event 17 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) returning to 'submit_io' from '_io_uring_get_sqe' | 'submit_io': event 18 | |io_uring_enter.c:165:17: | 165 | io_prep_read(sqe, fd, i * 4096, 4096); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling 'io_prep_read' from 'submit_io' | +--> 'io_prep_read': event 19 | | 102 | static void io_prep_read(struct io_uring_sqe *sqe, int fd, off_t offset, | | ^~~~~~~~~~~~ | | | | | (19) entry to 'io_prep_read' | 'io_prep_read': event 20 | | 108 | assert(iov); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'iov_5' is non-NULL)... | 'io_prep_read': event 21 | | 110 | iov->iov_base = t_malloc(len); | | ^~~ | | | | | (21) ...to here | 'io_prep_read': event 22 | | 111 | assert(iov->iov_base); | | ^~~~~~ | | | | | (22) following 'true' branch... | 'io_prep_read': event 23 | | 112 | iov->iov_len = len; | | ^~~ | | | | | (23) ...to here | 'io_prep_read': event 24 | |../src/include/liburing.h:301:21: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~^~~~~~~~~~~ | | | | | (24) dereference of NULL 'sqe_13(D)' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o lfs-openat-write.t lfs-openat-write.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread lfs-openat-write.c:3: warning: "_LARGEFILE_SOURCE" redefined 3 | #define _LARGEFILE_SOURCE | : note: this is the location of the previous definition gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o lfs-openat.t lfs-openat.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread lfs-openat.c:3: warning: "_LARGEFILE_SOURCE" redefined 3 | #define _LARGEFILE_SOURCE | : note: this is the location of the previous definition gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o file-verify.t file-verify.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread file-verify.c: In function 'verify_buf': file-verify.c:49:61: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'off_t' {aka 'long long int'} [-Wformat=] 49 | fprintf(stderr, "Found %u, wanted %lu\n", *ptr, off); | ~~^ ~~~ | | | | | off_t {aka long long int} | long unsigned int | %llu ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o iopoll.t iopoll.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from iopoll.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_provide_buffers' at ../src/include/liburing.h:705:2, inlined from 'provide_buffers' at iopoll.c:35:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_io': events 1-8 | |iopoll.c:276:12: | 276 | static int test_io(const char *file, int write, int sqthread, int fixed, | | ^~~~~~~ | | | | | (1) entry to 'test_io' |...... | 282 | if (no_iopoll) | | ~ | | | | | (2) following 'false' branch... |...... | 285 | ret = t_create_ring(64, &ring, ring_flags); | | ~~~ | | | | | (3) ...to here | 286 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (4) following 'false' branch (when 'ret_9 != 1')... | 287 | return 0; | 288 | if (ret != T_SETUP_OK) { | | ~~ ~ | | | | | | | (6) following 'false' branch (when 'ret_9 == 0')... | | (5) ...to here |...... | 292 | ret = __test_io(file, &ring, write, sqthread, fixed, buf_select); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling '__test_io' from 'test_io' | | (7) ...to here | +--> '__test_io': events 9-14 | | 57 | static int __test_io(const char *file, struct io_uring *ring, int write, int sqthread, | | ^~~~~~~~~ | | | | | (9) entry to '__test_io' |...... | 66 | if (buf_select) { | | ~ | | | | | (10) following 'true' branch (when 'buf_select_79(D) != 0')... | 67 | write = 0; | | ~~~~~ | | | | | (11) ...to here |...... | 70 | if (buf_select && provide_buffers(ring)) | | ~ ~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (13) ...to here | | | (14) calling 'provide_buffers' from '__test_io' | | (12) following 'true' branch (when 'buf_select_79(D) != 0')... | +--> 'provide_buffers': event 15 | | 27 | static int provide_buffers(struct io_uring *ring) | | ^~~~~~~~~~~~~~~ | | | | | (15) entry to 'provide_buffers' | 'provide_buffers': events 16-17 | | 33 | for (i = 0; i < BUFFERS; i++) { | | ^ | | | | | (16) following 'true' branch (when 'i_13 != 32')... | 34 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (17) ...to here | 'provide_buffers': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'provide_buffers' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'provide_buffers': events 22-23 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) dereference of NULL '_io_uring_get_sqe (ring_20(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'provide_buffers' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o file-register.t file-register.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size_params': events 1-2 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (1) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (2) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 3-6 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (3) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (6) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (5) ...to here | +--> 'io_uring_queue_mmap': events 7-8 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (7) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (8) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 9-10 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (9) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (10) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 11-13 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (11) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (12) following 'false' branch (when 'ret_11 != 4294967295B')... | | (13) ...to here | <------+ | 'io_uring_mmap': events 14-19 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (14) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (15) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (17) following 'false' branch... | | (16) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (19) calling '__sys_mmap' from 'io_uring_mmap' | | (18) ...to here | +--> '__sys_mmap': events 20-22 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (20) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (21) following 'false' branch (when 'ret_11 != 4294967295B')... | | (22) ...to here | <------+ | 'io_uring_mmap': events 23-26 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (23) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (24) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (25) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (26) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 27-29 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (27) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (28) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (29) ...to here | <------+ | 'io_uring_mmap': event 30 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (30) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 31 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (31) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 32-34 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (32) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (33) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (34) ...to here | <------+ | 'io_uring_mlock_size_params': events 35-38 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (35) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (37) ...to here | | (38) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 39-42 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (39) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (40) '0B' is NULL | | | (41) '0B' is NULL | | (42) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o mkdir.t mkdir.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o io-cancel.t io-cancel.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o link_drain.t link_drain.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o madvise.t madvise.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o accept.t accept.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from accept.c:23: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_accept' at ../src/include/liburing.h:507:2, inlined from 'queue_accept_conn' at accept.c:102:5: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |accept.c:666:5: | 666 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 670 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 671 | return 0; | 672 | ret = test_accept(1, false); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test_accept' from 'main' | | (3) ...to here | +--> 'test_accept': event 5 | | 514 | static int test_accept(int count, bool before) | | ^~~~~~~~~~~ | | | | | (5) entry to 'test_accept' | 'test_accept': event 6 | | 524 | assert(ret >= 0); | | ^~~~~~ | | | | | (6) following 'true' branch (when 'ret_9 >= 0')... | 'test_accept': events 7-8 | | 525 | ret = test(&m_io_uring, args); | | ^~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling 'test' from 'test_accept' | | (7) ...to here | +--> 'test': events 9-10 | | 306 | static int test(struct io_uring *ring, struct accept_test_args args) | | ^~~~ | | | | | (9) entry to 'test' |...... | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) following 'false' branch... | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 'test': event 11 | |cc1: | (11): ...to here | 'test': event 12 | | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling 'start_accept_listen' from 'test' | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | +--> 'start_accept_listen': event 13 | | 144 | static int start_accept_listen(struct sockaddr_in *addr, int port_off, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (13) entry to 'start_accept_listen' | 'start_accept_listen': event 14 | | 154 | assert(ret != -1); | | ^~~~~~ | | | | | (14) following 'true' branch (when 'ret_13 != -1')... | 'start_accept_listen': event 15 | | 155 | ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); | | ^~~ | | | | | (15) ...to here | 'start_accept_listen': event 16 | | 156 | assert(ret != -1); | | ^~~~~~ | | | | | (16) following 'true' branch (when 'ret_16 != -1')... | 'start_accept_listen': events 17-19 | | 158 | struct sockaddr_in laddr; | | ^~~~~~ | | | | | (17) ...to here | 159 | | 160 | if (!addr) | | ~ | | | | | (18) following 'false' branch (when 'addr_18(D)' is non-NULL)... |...... | 163 | addr->sin_family = AF_INET; | | ~~~~ | | | | | (19) ...to here | 'start_accept_listen': event 20 | | 168 | assert(ret != -1); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'ret_26 != -1')... | 'start_accept_listen': event 21 | | 169 | ret = listen(fd, 128); | | ^~~ | | | | | (21) ...to here | 'start_accept_listen': event 22 | | 170 | assert(ret != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'ret_29 != -1')... | 'start_accept_listen': event 23 | | 172 | return fd; | | ^~~~~~ | | | | | (23) ...to here | <------+ | 'test': events 24-25 | | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to 'test' from 'start_accept_listen' | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 313 | if (args.queue_accept_before_connect) | | ~ | | | | | (25) following 'false' branch... | 'test': event 26 | |cc1: | (26): ...to here | 'test': events 27-29 | | 315 | for (loop = 0; loop < 1 + args.extra_loops; loop++) { | | ~~~~~^~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) following 'true' branch... | 316 | ret = test_loop(ring, args, recv_s0, &addr); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (29) calling 'test_loop' from 'test' | | (28) ...to here | +--> 'test_loop': events 30-31 | | 206 | static int test_loop(struct io_uring *ring, | | ^~~~~~~~~ | | | | | (30) entry to 'test_loop' |...... | 217 | int nr_fds = multishot ? MAX_FDS : 1; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (31) following 'false' branch (when 'multishot_73 == 0')... | 'test_loop': event 32 | |cc1: | (32): ...to here | 'test_loop': events 33-35 | | 219 | for (i = 0; i < nr_fds; i++) | | ~~^~~~~~~~ | | | | | (33) following 'true' branch... | 220 | c_fd[i] = set_client_fd(addr); | | ~~~~ ~~~~~~~~~~~~~~~~~~~ | | | | | | | (35) calling 'set_client_fd' from 'test_loop' | | (34) ...to here | +--> 'set_client_fd': event 36 | | 175 | static int set_client_fd(struct sockaddr_in *addr) | | ^~~~~~~~~~~~~ | | | | | (36) entry to 'set_client_fd' | 'set_client_fd': event 37 | | 184 | assert(ret != -1); | | ^~~~~~ | | | | | (37) following 'true' branch (when 'ret_6 != -1')... | 'set_client_fd': event 38 | | 186 | int32_t flags = fcntl(fd, F_GETFL, 0); | | ^~~~~~~ | | | | | (38) ...to here | 'set_client_fd': event 39 | | 187 | assert(flags != -1); | | ^~~~~~ | | | | | (39) following 'true' branch (when 'flags_9 != -1')... | 'set_client_fd': event 40 | | 189 | flags |= O_NONBLOCK; | | ^~~~~ | | | | | (40) ...to here | 'set_client_fd': event 41 | | 191 | assert(ret != -1); | | ^~~~~~ | | | | | (41) following 'true' branch (when 'ret_13 != -1')... | 'set_client_fd': event 42 | | 193 | ret = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); | | ^~~ | | | | | (42) ...to here | 'set_client_fd': event 43 | | 194 | assert(ret == -1); | | ^~~~~~ | | | | | (43) following 'true' branch (when 'ret_18 == -1')... | 'set_client_fd': event 44 | | 196 | flags = fcntl(fd, F_GETFL, 0); | | ^~~~~ | | | | | (44) ...to here | 'set_client_fd': event 45 | | 197 | assert(flags != -1); | | ^~~~~~ | | | | | (45) following 'true' branch (when 'flags_21 != -1')... | 'set_client_fd': event 46 | | 199 | flags &= ~O_NONBLOCK; | | ^~~~~ | | | | | (46) ...to here | 'set_client_fd': event 47 | | 201 | assert(ret != -1); | | ^~~~~~ | | | | | (47) following 'true' branch (when 'ret_25 != -1')... | 'set_client_fd': event 48 | | 203 | return fd; | | ^~~~~~ | | | | | (48) ...to here | <------+ | 'test_loop': events 49-52 | | 220 | c_fd[i] = set_client_fd(addr); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (49) returning to 'test_loop' from 'set_client_fd' | 221 | | 222 | if (!args.queue_accept_before_connect) | | ~ | | | | | (50) following 'false' branch... | 223 | queue_accept_conn(ring, recv_s0, args); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here | | (52) calling 'queue_accept_conn' from 'test_loop' | +--> 'queue_accept_conn': events 53-54 | | 89 | static void queue_accept_conn(struct io_uring *ring, int fd, | | ^~~~~~~~~~~~~~~~~ | | | | | (53) entry to 'queue_accept_conn' |...... | 94 | int fixed_idx = args.fixed ? 0 : -1; | | ~~~~~~~~~~~~~~~~~~~ | | | | | (54) following 'false' branch... | 'queue_accept_conn': event 55 | |cc1: | (55): ...to here | 'queue_accept_conn': events 56-57 | | 98 | while (count--) { | | ^~~~~ | | | | | (56) following 'true' branch (when 'count_3 != 0')... | 99 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (57) ...to here | 'queue_accept_conn': event 58 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (58) calling '_io_uring_get_sqe' from 'queue_accept_conn' | +--> '_io_uring_get_sqe': events 59-60 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (59) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (60) following 'false' branch... | '_io_uring_get_sqe': event 61 | |cc1: | (61): ...to here | <------+ | 'queue_accept_conn': event 62 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (62) returning to 'queue_accept_conn' from '_io_uring_get_sqe' | 'queue_accept_conn': events 63-66 | |accept.c:100:20: | 100 | if (fixed_idx < 0) { | | ^ | | | | | (63) following 'true' branch... | 101 | if (!multishot) | | ~~ ~ | | | | | | | (65) following 'false' branch (when 'multishot_9 == 0')... | | (64) ...to here | 102 | io_uring_prep_accept(sqe, fd, NULL, NULL, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (66) ...to here | 'queue_accept_conn': event 67 | |../src/include/liburing.h:301:21: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~^~~~~~~~~~~ | | | | | (67) dereference of NULL '_io_uring_get_sqe (ring_11(D))' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_writev' at ../src/include/liburing.h:390:2, inlined from 'queue_send' at accept.c:69:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |accept.c:666:5: | 666 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 670 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 671 | return 0; | 672 | ret = test_accept(1, false); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test_accept' from 'main' | | (3) ...to here | +--> 'test_accept': event 5 | | 514 | static int test_accept(int count, bool before) | | ^~~~~~~~~~~ | | | | | (5) entry to 'test_accept' | 'test_accept': event 6 | | 524 | assert(ret >= 0); | | ^~~~~~ | | | | | (6) following 'true' branch (when 'ret_9 >= 0')... | 'test_accept': events 7-8 | | 525 | ret = test(&m_io_uring, args); | | ^~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling 'test' from 'test_accept' | | (7) ...to here | +--> 'test': events 9-10 | | 306 | static int test(struct io_uring *ring, struct accept_test_args args) | | ^~~~ | | | | | (9) entry to 'test' |...... | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) following 'false' branch... | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 'test': event 11 | |cc1: | (11): ...to here | 'test': event 12 | | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling 'start_accept_listen' from 'test' | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | +--> 'start_accept_listen': event 13 | | 144 | static int start_accept_listen(struct sockaddr_in *addr, int port_off, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (13) entry to 'start_accept_listen' | 'start_accept_listen': event 14 | | 154 | assert(ret != -1); | | ^~~~~~ | | | | | (14) following 'true' branch (when 'ret_13 != -1')... | 'start_accept_listen': event 15 | | 155 | ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); | | ^~~ | | | | | (15) ...to here | 'start_accept_listen': event 16 | | 156 | assert(ret != -1); | | ^~~~~~ | | | | | (16) following 'true' branch (when 'ret_16 != -1')... | 'start_accept_listen': events 17-19 | | 158 | struct sockaddr_in laddr; | | ^~~~~~ | | | | | (17) ...to here | 159 | | 160 | if (!addr) | | ~ | | | | | (18) following 'false' branch (when 'addr_18(D)' is non-NULL)... |...... | 163 | addr->sin_family = AF_INET; | | ~~~~ | | | | | (19) ...to here | 'start_accept_listen': event 20 | | 168 | assert(ret != -1); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'ret_26 != -1')... | 'start_accept_listen': event 21 | | 169 | ret = listen(fd, 128); | | ^~~ | | | | | (21) ...to here | 'start_accept_listen': event 22 | | 170 | assert(ret != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'ret_29 != -1')... | 'start_accept_listen': event 23 | | 172 | return fd; | | ^~~~~~ | | | | | (23) ...to here | <------+ | 'test': events 24-25 | | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to 'test' from 'start_accept_listen' | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 313 | if (args.queue_accept_before_connect) | | ~ | | | | | (25) following 'false' branch... | 'test': event 26 | |cc1: | (26): ...to here | 'test': events 27-29 | | 315 | for (loop = 0; loop < 1 + args.extra_loops; loop++) { | | ~~~~~^~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) following 'true' branch... | 316 | ret = test_loop(ring, args, recv_s0, &addr); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (29) calling 'test_loop' from 'test' | | (28) ...to here | +--> 'test_loop': events 30-31 | | 206 | static int test_loop(struct io_uring *ring, | | ^~~~~~~~~ | | | | | (30) entry to 'test_loop' |...... | 217 | int nr_fds = multishot ? MAX_FDS : 1; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (31) following 'false' branch (when 'multishot_73 == 0')... | 'test_loop': event 32 | |cc1: | (32): ...to here | 'test_loop': events 33-35 | | 219 | for (i = 0; i < nr_fds; i++) | | ~~^~~~~~~~ | | | | | (33) following 'true' branch... | 220 | c_fd[i] = set_client_fd(addr); | | ~~~~ ~~~~~~~~~~~~~~~~~~~ | | | | | | | (35) calling 'set_client_fd' from 'test_loop' | | (34) ...to here | +--> 'set_client_fd': event 36 | | 175 | static int set_client_fd(struct sockaddr_in *addr) | | ^~~~~~~~~~~~~ | | | | | (36) entry to 'set_client_fd' | 'set_client_fd': event 37 | | 184 | assert(ret != -1); | | ^~~~~~ | | | | | (37) following 'true' branch (when 'ret_6 != -1')... | 'set_client_fd': event 38 | | 186 | int32_t flags = fcntl(fd, F_GETFL, 0); | | ^~~~~~~ | | | | | (38) ...to here | 'set_client_fd': event 39 | | 187 | assert(flags != -1); | | ^~~~~~ | | | | | (39) following 'true' branch (when 'flags_9 != -1')... | 'set_client_fd': event 40 | | 189 | flags |= O_NONBLOCK; | | ^~~~~ | | | | | (40) ...to here | 'set_client_fd': event 41 | | 191 | assert(ret != -1); | | ^~~~~~ | | | | | (41) following 'true' branch (when 'ret_13 != -1')... | 'set_client_fd': event 42 | | 193 | ret = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); | | ^~~ | | | | | (42) ...to here | 'set_client_fd': event 43 | | 194 | assert(ret == -1); | | ^~~~~~ | | | | | (43) following 'true' branch (when 'ret_18 == -1')... | 'set_client_fd': event 44 | | 196 | flags = fcntl(fd, F_GETFL, 0); | | ^~~~~ | | | | | (44) ...to here | 'set_client_fd': event 45 | | 197 | assert(flags != -1); | | ^~~~~~ | | | | | (45) following 'true' branch (when 'flags_21 != -1')... | 'set_client_fd': event 46 | | 199 | flags &= ~O_NONBLOCK; | | ^~~~~ | | | | | (46) ...to here | 'set_client_fd': event 47 | | 201 | assert(ret != -1); | | ^~~~~~ | | | | | (47) following 'true' branch (when 'ret_25 != -1')... | 'set_client_fd': event 48 | | 203 | return fd; | | ^~~~~~ | | | | | (48) ...to here | <------+ | 'test_loop': events 49-52 | | 220 | c_fd[i] = set_client_fd(addr); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (49) returning to 'test_loop' from 'set_client_fd' | 221 | | 222 | if (!args.queue_accept_before_connect) | | ~ | | | | | (50) following 'false' branch... | 223 | queue_accept_conn(ring, recv_s0, args); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here | | (52) calling 'queue_accept_conn' from 'test_loop' | +--> 'queue_accept_conn': events 53-54 | | 89 | static void queue_accept_conn(struct io_uring *ring, int fd, | | ^~~~~~~~~~~~~~~~~ | | | | | (53) entry to 'queue_accept_conn' |...... | 94 | int fixed_idx = args.fixed ? 0 : -1; | | ~~~~~~~~~~~~~~~~~~~ | | | | | (54) following 'false' branch... | 'queue_accept_conn': event 55 | |cc1: | (55): ...to here | 'queue_accept_conn': events 56-57 | | 98 | while (count--) { | | ^~~~~ | | | | | (56) following 'true' branch (when 'count_3 != 0')... | 99 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (57) ...to here | 'queue_accept_conn': event 58 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (58) calling '_io_uring_get_sqe' from 'queue_accept_conn' | +--> '_io_uring_get_sqe': events 59-61 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (59) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (60) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (61) ...to here | <------+ | 'queue_accept_conn': event 62 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (62) returning to 'queue_accept_conn' from '_io_uring_get_sqe' | 'queue_accept_conn': events 63-66 | |accept.c:100:20: | 100 | if (fixed_idx < 0) { | | ^ | | | | | (63) following 'true' branch... | 101 | if (!multishot) | | ~~ ~ | | | | | | | (65) following 'false' branch (when 'multishot_9 == 0')... | | (64) ...to here | 102 | io_uring_prep_accept(sqe, fd, NULL, NULL, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (66) ...to here | 'queue_accept_conn': event 67 | | 117 | assert(ret != -1); | | ^~~~~~ | | | | | (67) following 'true' branch (when 'ret_14 != -1')... | 'queue_accept_conn': event 68 | |cc1: | (68): ...to here | <------+ | 'test_loop': events 69-72 | | 223 | queue_accept_conn(ring, recv_s0, args); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (69) returning to 'test_loop' from 'queue_accept_conn' | 224 | | 225 | for (i = 0; i < nr_fds; i++) { | | ~~~~~~~~~~ | | | | | (70) following 'true' branch... | 226 | s_fd[i] = accept_conn(ring, fixed ? 0 : -1, multishot); | | ~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (72) following 'false' branch (when 'fixed_72 == 0')... | | (71) ...to here | 'test_loop': event 73 | |cc1: | (73): ...to here | 'test_loop': event 74 | | 226 | s_fd[i] = accept_conn(ring, fixed ? 0 : -1, multishot); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (74) calling 'accept_conn' from 'test_loop' | +--> 'accept_conn': events 75-76 | | 121 | static int accept_conn(struct io_uring *ring, int fixed_idx, bool multishot) | | ^~~~~~~~~~~ | | | | | (75) entry to 'accept_conn' |...... | 126 | ret = io_uring_wait_cqe(ring, &cqe); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (76) calling 'io_uring_wait_cqe' from 'accept_conn' | +--> 'io_uring_wait_cqe': events 77-78 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (77) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (78) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 79-81 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (79) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (80) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (81) ...to here | <------+ | 'io_uring_wait_cqe': events 82-84 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (84) ...to here | | | (82) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (83) following 'true' branch... | <------+ | 'accept_conn': event 85 | |accept.c:126:15: | 126 | ret = io_uring_wait_cqe(ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (85) returning to 'accept_conn' from 'io_uring_wait_cqe' | 'accept_conn': event 86 | | 127 | assert(!ret); | | ^~~~~~ | | | | | (86) following 'true' branch (when 'ret_7 == 0')... | 'accept_conn': events 87-88 | | 128 | ret = cqe->res; | | ^~~ | | | | | (87) ...to here |...... | 131 | if (fixed_idx >= 0) { | | ~ | | | | | (88) following 'false' branch (when 'fixed_idx_10(D) < 0')... | 'accept_conn': event 89 | |cc1: | (89): ...to here | <------+ | 'test_loop': events 90-99 | | 225 | for (i = 0; i < nr_fds; i++) { | | ~~~ | | | | | (96) ...to here | 226 | s_fd[i] = accept_conn(ring, fixed ? 0 : -1, multishot); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (90) returning to 'test_loop' from 'accept_conn' | 227 | if (s_fd[i] == -EINVAL) { | | ~ | | | | | (91) following 'false' branch... |...... | 239 | } else if (s_fd[i] < 0) { | | ~~ ~ | | | | | | | (93) following 'false' branch... | | (92) ...to here |...... | 250 | if (multishot && fixed) { | | ~~ ~ | | | | | | | (95) following 'false' branch... | | (94) ...to here |...... | 266 | if (multishot) { | | ~ | | | | | (97) following 'false' branch (when 'multishot_73 == 0')... |...... | 274 | queue_send(ring, c_fd[0]); | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (98) ...to here | | (99) calling 'queue_send' from 'test_loop' | +--> 'queue_send': event 100 | | 59 | static void queue_send(struct io_uring *ring, int fd) | | ^~~~~~~~~~ | | | | | (100) entry to 'queue_send' | 'queue_send': event 101 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (101) calling '_io_uring_get_sqe' from 'queue_send' | +--> '_io_uring_get_sqe': events 102-103 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (102) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (103) following 'false' branch... | '_io_uring_get_sqe': event 104 | |cc1: | (104): ...to here | <------+ | 'queue_send': events 105-106 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (106) dereference of NULL '_io_uring_get_sqe (ring_8(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (105) returning to 'queue_send' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'queue_recv' at accept.c:83:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |accept.c:666:5: | 666 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 670 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_29(D) <= 1')... | 671 | return 0; | 672 | ret = test_accept(1, false); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test_accept' from 'main' | | (3) ...to here | +--> 'test_accept': event 5 | | 514 | static int test_accept(int count, bool before) | | ^~~~~~~~~~~ | | | | | (5) entry to 'test_accept' | 'test_accept': event 6 | | 524 | assert(ret >= 0); | | ^~~~~~ | | | | | (6) following 'true' branch (when 'ret_9 >= 0')... | 'test_accept': events 7-8 | | 525 | ret = test(&m_io_uring, args); | | ^~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling 'test' from 'test_accept' | | (7) ...to here | +--> 'test': events 9-10 | | 306 | static int test(struct io_uring *ring, struct accept_test_args args) | | ^~~~ | | | | | (9) entry to 'test' |...... | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) following 'false' branch... | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 'test': event 11 | |cc1: | (11): ...to here | 'test': event 12 | | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling 'start_accept_listen' from 'test' | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | +--> 'start_accept_listen': event 13 | | 144 | static int start_accept_listen(struct sockaddr_in *addr, int port_off, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (13) entry to 'start_accept_listen' | 'start_accept_listen': event 14 | | 154 | assert(ret != -1); | | ^~~~~~ | | | | | (14) following 'true' branch (when 'ret_13 != -1')... | 'start_accept_listen': event 15 | | 155 | ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); | | ^~~ | | | | | (15) ...to here | 'start_accept_listen': event 16 | | 156 | assert(ret != -1); | | ^~~~~~ | | | | | (16) following 'true' branch (when 'ret_16 != -1')... | 'start_accept_listen': events 17-19 | | 158 | struct sockaddr_in laddr; | | ^~~~~~ | | | | | (17) ...to here | 159 | | 160 | if (!addr) | | ~ | | | | | (18) following 'false' branch (when 'addr_18(D)' is non-NULL)... |...... | 163 | addr->sin_family = AF_INET; | | ~~~~ | | | | | (19) ...to here | 'start_accept_listen': event 20 | | 168 | assert(ret != -1); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'ret_26 != -1')... | 'start_accept_listen': event 21 | | 169 | ret = listen(fd, 128); | | ^~~ | | | | | (21) ...to here | 'start_accept_listen': event 22 | | 170 | assert(ret != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'ret_29 != -1')... | 'start_accept_listen': event 23 | | 172 | return fd; | | ^~~~~~ | | | | | (23) ...to here | <------+ | 'test': events 24-25 | | 311 | int32_t recv_s0 = start_accept_listen(&addr, 0, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to 'test' from 'start_accept_listen' | 312 | args.nonblock ? O_NONBLOCK : 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 313 | if (args.queue_accept_before_connect) | | ~ | | | | | (25) following 'false' branch... | 'test': event 26 | |cc1: | (26): ...to here | 'test': events 27-29 | | 315 | for (loop = 0; loop < 1 + args.extra_loops; loop++) { | | ~~~~~^~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) following 'true' branch... | 316 | ret = test_loop(ring, args, recv_s0, &addr); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (29) calling 'test_loop' from 'test' | | (28) ...to here | +--> 'test_loop': events 30-31 | | 206 | static int test_loop(struct io_uring *ring, | | ^~~~~~~~~ | | | | | (30) entry to 'test_loop' |...... | 217 | int nr_fds = multishot ? MAX_FDS : 1; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (31) following 'false' branch (when 'multishot_73 == 0')... | 'test_loop': event 32 | |cc1: | (32): ...to here | 'test_loop': events 33-35 | | 219 | for (i = 0; i < nr_fds; i++) | | ~~^~~~~~~~ | | | | | (33) following 'true' branch... | 220 | c_fd[i] = set_client_fd(addr); | | ~~~~ ~~~~~~~~~~~~~~~~~~~ | | | | | | | (35) calling 'set_client_fd' from 'test_loop' | | (34) ...to here | +--> 'set_client_fd': event 36 | | 175 | static int set_client_fd(struct sockaddr_in *addr) | | ^~~~~~~~~~~~~ | | | | | (36) entry to 'set_client_fd' | 'set_client_fd': event 37 | | 184 | assert(ret != -1); | | ^~~~~~ | | | | | (37) following 'true' branch (when 'ret_6 != -1')... | 'set_client_fd': event 38 | | 186 | int32_t flags = fcntl(fd, F_GETFL, 0); | | ^~~~~~~ | | | | | (38) ...to here | 'set_client_fd': event 39 | | 187 | assert(flags != -1); | | ^~~~~~ | | | | | (39) following 'true' branch (when 'flags_9 != -1')... | 'set_client_fd': event 40 | | 189 | flags |= O_NONBLOCK; | | ^~~~~ | | | | | (40) ...to here | 'set_client_fd': event 41 | | 191 | assert(ret != -1); | | ^~~~~~ | | | | | (41) following 'true' branch (when 'ret_13 != -1')... | 'set_client_fd': event 42 | | 193 | ret = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); | | ^~~ | | | | | (42) ...to here | 'set_client_fd': event 43 | | 194 | assert(ret == -1); | | ^~~~~~ | | | | | (43) following 'true' branch (when 'ret_18 == -1')... | 'set_client_fd': event 44 | | 196 | flags = fcntl(fd, F_GETFL, 0); | | ^~~~~ | | | | | (44) ...to here | 'set_client_fd': event 45 | | 197 | assert(flags != -1); | | ^~~~~~ | | | | | (45) following 'true' branch (when 'flags_21 != -1')... | 'set_client_fd': event 46 | | 199 | flags &= ~O_NONBLOCK; | | ^~~~~ | | | | | (46) ...to here | 'set_client_fd': event 47 | | 201 | assert(ret != -1); | | ^~~~~~ | | | | | (47) following 'true' branch (when 'ret_25 != -1')... | 'set_client_fd': event 48 | | 203 | return fd; | | ^~~~~~ | | | | | (48) ...to here | <------+ | 'test_loop': events 49-52 | | 220 | c_fd[i] = set_client_fd(addr); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (49) returning to 'test_loop' from 'set_client_fd' | 221 | | 222 | if (!args.queue_accept_before_connect) | | ~ | | | | | (50) following 'false' branch... | 223 | queue_accept_conn(ring, recv_s0, args); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here | | (52) calling 'queue_accept_conn' from 'test_loop' | +--> 'queue_accept_conn': events 53-54 | | 89 | static void queue_accept_conn(struct io_uring *ring, int fd, | | ^~~~~~~~~~~~~~~~~ | | | | | (53) entry to 'queue_accept_conn' |...... | 94 | int fixed_idx = args.fixed ? 0 : -1; | | ~~~~~~~~~~~~~~~~~~~ | | | | | (54) following 'false' branch... | 'queue_accept_conn': event 55 | |cc1: | (55): ...to here | 'queue_accept_conn': events 56-61 | | 98 | while (count--) { | | ^~~~~ | | | | | (56) following 'true' branch (when 'count_3 != 0')... | 99 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (57) ...to here | 100 | if (fixed_idx < 0) { | | ~ | | | | | (58) following 'true' branch... | 101 | if (!multishot) | | ~~ ~ | | | | | | | (60) following 'false' branch (when 'multishot_9 == 0')... | | (59) ...to here | 102 | io_uring_prep_accept(sqe, fd, NULL, NULL, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (61) ...to here | 'queue_accept_conn': event 62 | | 117 | assert(ret != -1); | | ^~~~~~ | | | | | (62) following 'true' branch (when 'ret_14 != -1')... | 'queue_accept_conn': event 63 | |cc1: | (63): ...to here | <------+ | 'test_loop': events 64-67 | | 223 | queue_accept_conn(ring, recv_s0, args); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (64) returning to 'test_loop' from 'queue_accept_conn' | 224 | | 225 | for (i = 0; i < nr_fds; i++) { | | ~~~~~~~~~~ | | | | | (65) following 'true' branch... | 226 | s_fd[i] = accept_conn(ring, fixed ? 0 : -1, multishot); | | ~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (67) following 'false' branch (when 'fixed_72 == 0')... | | (66) ...to here | 'test_loop': event 68 | |cc1: | (68): ...to here | 'test_loop': event 69 | | 226 | s_fd[i] = accept_conn(ring, fixed ? 0 : -1, multishot); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (69) calling 'accept_conn' from 'test_loop' | +--> 'accept_conn': events 70-71 | | 121 | static int accept_conn(struct io_uring *ring, int fixed_idx, bool multishot) | | ^~~~~~~~~~~ | | | | | (70) entry to 'accept_conn' |...... | 126 | ret = io_uring_wait_cqe(ring, &cqe); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (71) calling 'io_uring_wait_cqe' from 'accept_conn' | +--> 'io_uring_wait_cqe': events 72-73 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (72) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (73) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 74-76 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (74) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (75) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (76) ...to here | <------+ | 'io_uring_wait_cqe': events 77-79 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (79) ...to here | | | (77) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (78) following 'true' branch... | <------+ | 'accept_conn': event 80 | |accept.c:126:15: | 126 | ret = io_uring_wait_cqe(ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (80) returning to 'accept_conn' from 'io_uring_wait_cqe' | 'accept_conn': event 81 | | 127 | assert(!ret); | | ^~~~~~ | | | | | (81) following 'true' branch (when 'ret_7 == 0')... | 'accept_conn': events 82-83 | | 128 | ret = cqe->res; | | ^~~ | | | | | (82) ...to here |...... | 131 | if (fixed_idx >= 0) { | | ~ | | | | | (83) following 'false' branch (when 'fixed_idx_10(D) < 0')... | 'accept_conn': event 84 | |cc1: | (84): ...to here | <------+ | 'test_loop': events 85-94 | | 225 | for (i = 0; i < nr_fds; i++) { | | ~~~ | | | | | (91) ...to here | 226 | s_fd[i] = accept_conn(ring, fixed ? 0 : -1, multishot); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (85) returning to 'test_loop' from 'accept_conn' | 227 | if (s_fd[i] == -EINVAL) { | | ~ | | | | | (86) following 'false' branch... |...... | 239 | } else if (s_fd[i] < 0) { | | ~~ ~ | | | | | | | (88) following 'false' branch... | | (87) ...to here |...... | 250 | if (multishot && fixed) { | | ~~ ~ | | | | | | | (90) following 'false' branch... | | (89) ...to here |...... | 266 | if (multishot) { | | ~ | | | | | (92) following 'false' branch (when 'multishot_73 == 0')... |...... | 274 | queue_send(ring, c_fd[0]); | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (93) ...to here | | (94) calling 'queue_send' from 'test_loop' | +--> 'queue_send': event 95 | | 59 | static void queue_send(struct io_uring *ring, int fd) | | ^~~~~~~~~~ | | | | | (95) entry to 'queue_send' | 'queue_send': event 96 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (96) calling '_io_uring_get_sqe' from 'queue_send' | +--> '_io_uring_get_sqe': events 97-98 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (97) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (98) following 'false' branch... | '_io_uring_get_sqe': event 99 | |cc1: | (99): ...to here | <------+ | 'queue_send': event 100 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (100) returning to 'queue_send' from '_io_uring_get_sqe' | <------+ | 'test_loop': events 101-102 | |accept.c:274:9: | 274 | queue_send(ring, c_fd[0]); | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (101) returning to 'test_loop' from 'queue_send' | 275 | queue_recv(ring, s_fd[0], fixed); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (102) calling 'queue_recv' from 'test_loop' | +--> 'queue_recv': event 103 | | 73 | static void queue_recv(struct io_uring *ring, int fd, bool fixed) | | ^~~~~~~~~~ | | | | | (103) entry to 'queue_recv' | 'queue_recv': event 104 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (104) calling '_io_uring_get_sqe' from 'queue_recv' | +--> '_io_uring_get_sqe': events 105-106 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (105) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (106) following 'false' branch... | '_io_uring_get_sqe': event 107 | |cc1: | (107): ...to here | <------+ | 'queue_recv': events 108-109 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (109) dereference of NULL '_io_uring_get_sqe (ring_9(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (108) returning to 'queue_recv' from '_io_uring_get_sqe' | ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size_params': events 1-2 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (1) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (2) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 3-6 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (3) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (6) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (5) ...to here | +--> 'io_uring_queue_mmap': events 7-8 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (7) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (8) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 9-10 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (9) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (10) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 11-13 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (11) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (12) following 'false' branch (when 'ret_11 != 4294967295B')... | | (13) ...to here | <------+ | 'io_uring_mmap': events 14-19 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (14) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (15) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (17) following 'false' branch... | | (16) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (19) calling '__sys_mmap' from 'io_uring_mmap' | | (18) ...to here | +--> '__sys_mmap': events 20-22 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (20) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (21) following 'false' branch (when 'ret_11 != 4294967295B')... | | (22) ...to here | <------+ | 'io_uring_mmap': events 23-26 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (23) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (24) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (25) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (26) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 27-29 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (27) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (28) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (29) ...to here | <------+ | 'io_uring_mmap': event 30 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (30) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 31 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (31) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 32-34 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (32) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (33) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (34) ...to here | <------+ | 'io_uring_mlock_size_params': events 35-38 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (35) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (37) ...to here | | (38) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 39-42 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (39) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (40) '0B' is NULL | | | (41) '0B' is NULL | | (42) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o io_uring_register.t io_uring_register.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from io_uring_register.c:26: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_write_fixed' at ../src/include/liburing.h:406:2, inlined from 'test_shmem' at io_uring_register.c:518:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_shmem': events 1-10 | |io_uring_register.c:465:12: | 465 | static int test_shmem(void) | | ^~~~~~~~~~ | | | | | (1) entry to 'test_shmem' |...... | 478 | if (ret) | | ~ | | | | | (2) following 'false' branch (when 'ret_42 == 0')... |...... | 481 | if (pipe(pipefd)) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 485 | memfd = memfd_create("uring-shmem-test", 0); | | ~~~~~ | | | | | (5) ...to here | 486 | if (memfd < 0) { | | ~ | | | | | (6) following 'false' branch (when 'memfd_45 >= 0')... |...... | 490 | if (ftruncate(memfd, len)) { | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 494 | mem = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, memfd, 0); | | ~~~ | | | | | (9) ...to here | 495 | if (!mem) { | | ~ | | | | | (10) following 'false' branch (when 'mem_48' is non-NULL)... | 'test_shmem': event 11 | |cc1: | (11): ...to here | 'test_shmem': events 12-15 | | 499 | for (i = 0; i < len; i++) | | ~~^~~~~ | | | | | (12) following 'true' branch (when 'i_32 != 4096')... | 500 | mem[i] = pattern; | | ~~~ | | | | | (13) ...to here |...... | 505 | if (ret) { | | ~ | | | | | (14) following 'false' branch (when 'ret_52 == 0')... |...... | 517 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (15) ...to here | 'test_shmem': event 16 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) calling '_io_uring_get_sqe' from 'test_shmem' | +--> '_io_uring_get_sqe': events 17-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (17) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (18) following 'false' branch... | '_io_uring_get_sqe': event 19 | |cc1: | (19): ...to here | <------+ | 'test_shmem': events 20-21 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'test_shmem' from '_io_uring_get_sqe' | ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o link.t link.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o msg-ring.t msg-ring.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o nop-all-sizes.t nop-all-sizes.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o nop.t nop.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o pipe-eof.t pipe-eof.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from pipe-eof.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'main' at pipe-eof.c:59:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-3 | |pipe-eof.c:36:5: | 36 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 44 | if (pipe(d.fds) < 0) { | | ~ | | | | | (2) following 'false' branch... |...... | 48 | d.str = buf; | | ~ | | | | | (3) ...to here | 'main': event 4 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 5-6 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (5) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (6) following 'false' branch... | '_io_uring_get_sqe': event 7 | |cc1: | (7): ...to here | <------+ | 'main': events 8-9 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o pipe-reuse.t pipe-reuse.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from pipe-reuse.c:11: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'main' at pipe-reuse.c:64:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |pipe-reuse.c:16:5: | 16 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 27 | if (pipe(fds) < 0) { | | ~ | | | | | (2) following 'false' branch... | 'main': event 3 | |cc1: | (3): ...to here | 'main': events 4-11 | | 33 | for (i = 0; i < BUFFERS; i++) { | | ^ | | | | | (4) following 'true' branch (when 'i_22 != 16')... | 34 | unsigned bsize = BUFSIZE / BUFFERS; | | ~~~~~~~~ | | | | | (5) ...to here |...... | 42 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_34 == 0')... |...... | 46 | if (!(p.features & IORING_FEAT_SUBMIT_STABLE)) { | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 51 | ptr = wbuf; | | ~~~ | | | | | (9) ...to here |...... | 57 | if (ret != sizeof(wbuf) / 2) { | | ~ | | | | | (10) following 'false' branch (when 'ret_36 == 8192')... |...... | 63 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (11) ...to here | 'main': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'main': events 16-17 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o open-close.t open-close.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o multicqes_drain.t multicqes_drain.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll.t poll.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o openat2.t openat2.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o personality.t personality.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from personality.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_openat' at ../src/include/liburing.h:598:2, inlined from 'open_file' at personality.c:35:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-8 | |personality.c:164:5: | 164 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 169 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_10(D) <= 1')... |...... | 172 | if (geteuid()) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 177 | ret = io_uring_queue_init(8, &ring, 0); | | ~~~ | | | | | (5) ...to here | 178 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_14 == 0')... |...... | 183 | ret = test_personality(&ring); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) calling 'test_personality' from 'main' | | (7) ...to here | +--> 'test_personality': events 9-14 | | 61 | static int test_personality(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~ | | | | | (9) entry to 'test_personality' |...... | 66 | if (ret < 0) { | | ~ | | | | | (10) following 'false' branch (when 'ret_19 >= 0')... |...... | 75 | cred_id = ret; | | ~~~~~~~ | | | | | (11) ...to here |...... | 79 | if (ret < 0) { | | ~ | | | | | (12) following 'false' branch... |...... | 83 | close(ret); | | ~~~~~ | | | | | (13) ...to here |...... | 86 | ret = open_file(ring, -1, 0); | | ~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling 'open_file' from 'test_personality' | +--> 'open_file': events 15-17 | | 20 | static int open_file(struct io_uring *ring, int cred_id, int with_link) | | ^~~~~~~~~ | | | | | (15) entry to 'open_file' |...... | 26 | if (with_link) { | | ~ | | | | | (16) following 'false' branch (when 'with_link_16(D) == 0')... |...... | 34 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (17) ...to here | 'open_file': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'open_file' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'open_file': events 22-23 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) dereference of NULL '_io_uring_get_sqe (ring_18(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'open_file' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o link-timeout.t link-timeout.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o open-direct-pick.t open-direct-pick.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o open-direct-link.t open-direct-link.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from open-direct-link.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_openat' at ../src/include/liburing.h:598:2, inlined from 'io_uring_prep_openat_direct' at ../src/include/liburing.h:608:2, inlined from 'test' at open-direct-link.c:31:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |open-direct-link.c:121:5: | 121 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 127 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 130 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 131 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_18 == 0')... |...... | 135 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 138 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 139 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 140 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_20 == 0')... |...... | 145 | t_create_file(FNAME, 4096); | | ~~~~~~~~~~~~~ | | | | | (9) ...to here | 146 | | 147 | ret = test(&ring, 0, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': events 11-13 | | 19 | static int test(struct io_uring *ring, int skip_success, int drain, int async) | | ^~~~ | | | | | (11) entry to 'test' |...... | 27 | if (skip_success && drain) | | ~ | | | | | (12) following 'false' branch... |...... | 30 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (13) ...to here | 'test': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'test': events 18-19 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) dereference of NULL '_io_uring_get_sqe (ring_51(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'test' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'test' at open-direct-link.c:41:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |open-direct-link.c:121:5: | 121 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 127 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 130 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 131 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_18 == 0')... |...... | 135 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 138 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 139 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 140 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_20 == 0')... |...... | 145 | t_create_file(FNAME, 4096); | | ~~~~~~~~~~~~~ | | | | | (9) ...to here | 146 | | 147 | ret = test(&ring, 0, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': events 11-13 | | 19 | static int test(struct io_uring *ring, int skip_success, int drain, int async) | | ^~~~ | | | | | (11) entry to 'test' |...... | 27 | if (skip_success && drain) | | ~ | | | | | (12) following 'false' branch... |...... | 30 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (13) ...to here | 'test': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'test': event 18 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'test' from '_io_uring_get_sqe' | 'test': events 19-24 | |open-direct-link.c:32:12: | 32 | if (!drain) | | ^ | | | | | (19) following 'true' branch (when 'drain_49(D) == 0')... | 33 | sqe->flags |= IOSQE_IO_LINK; | | ~~~ | | | | | (20) ...to here | 34 | if (skip_success) | | ~ | | | | | (21) following 'false' branch (when 'skip_success_48(D) == 0')... | 35 | sqe->flags |= IOSQE_CQE_SKIP_SUCCESS; | 36 | if (async) | | ~~ ~ | | | | | | | (23) following 'false' branch (when 'async_54(D) == 0')... | | (22) ...to here | 37 | sqe->flags |= IOSQE_ASYNC; | 38 | sqe->user_data = 1; | | ~~~ | | | | | (24) ...to here | 'test': event 25 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 26-27 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (26) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (27) following 'false' branch... | '_io_uring_get_sqe': event 28 | |cc1: | (28): ...to here | <------+ | 'test': events 29-30 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) dereference of NULL '_io_uring_get_sqe (ring_51(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) returning to 'test' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_close' at ../src/include/liburing.h:614:2, inlined from 'io_uring_prep_close_direct' at ../src/include/liburing.h:620:2, inlined from 'test' at open-direct-link.c:52:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-10 | |open-direct-link.c:121:5: | 121 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 127 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 130 | ret = io_uring_queue_init_params(8, &ring, &p); | | ~~~ | | | | | (3) ...to here | 131 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_18 == 0')... |...... | 135 | if (!(p.features & IORING_FEAT_CQE_SKIP)) | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 138 | memset(files, -1, sizeof(files)); | | ~~~~~~ | | | | | (7) ...to here | 139 | ret = io_uring_register_files(&ring, files, ARRAY_SIZE(files)); | 140 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_20 == 0')... |...... | 145 | t_create_file(FNAME, 4096); | | ~~~~~~~~~~~~~ | | | | | (9) ...to here | 146 | | 147 | ret = test(&ring, 0, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling 'test' from 'main' | +--> 'test': events 11-23 | | 19 | static int test(struct io_uring *ring, int skip_success, int drain, int async) | | ^~~~ | | | | | (11) entry to 'test' |...... | 27 | if (skip_success && drain) | | ~ | | | | | (12) following 'false' branch... |...... | 30 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (13) ...to here | 31 | io_uring_prep_openat_direct(sqe, AT_FDCWD, FNAME, O_RDONLY, 0, 0); | 32 | if (!drain) | | ~ | | | | | (14) following 'true' branch (when 'drain_49(D) == 0')... | 33 | sqe->flags |= IOSQE_IO_LINK; | | ~~~ | | | | | (15) ...to here | 34 | if (skip_success) | | ~ | | | | | (16) following 'false' branch (when 'skip_success_48(D) == 0')... | 35 | sqe->flags |= IOSQE_CQE_SKIP_SUCCESS; | 36 | if (async) | | ~~ ~ | | | | | | | (18) following 'false' branch (when 'async_54(D) == 0')... | | (17) ...to here | 37 | sqe->flags |= IOSQE_ASYNC; | 38 | sqe->user_data = 1; | | ~~~ | | | | | (19) ...to here |...... | 43 | if (drain) | | ~ | | | | | (20) following 'false' branch (when 'drain_49(D) == 0')... |...... | 46 | sqe->flags |= IOSQE_IO_LINK; | | ~~~ | | | | | (21) ...to here | 47 | if (async) | | ~ | | | | | (22) following 'false' branch (when 'async_54(D) == 0')... | 48 | sqe->flags |= IOSQE_ASYNC; | 49 | sqe->user_data = 2; | | ~~~ | | | | | (23) ...to here | 'test': event 24 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 25-26 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (25) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (26) following 'false' branch... | '_io_uring_get_sqe': event 27 | |cc1: | (27): ...to here | <------+ | 'test': events 28-29 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) dereference of NULL '_io_uring_get_sqe (ring_51(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to 'test' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-cancel.t poll-cancel.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from poll-cancel.c:16: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_timeout' at ../src/include/liburing.h:481:2, inlined from '__test_poll_cancel_with_timeouts' at poll-cancel.c:159:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ '__test_poll_cancel_with_timeouts': events 1-5 | |poll-cancel.c:138:12: | 138 | static int __test_poll_cancel_with_timeouts(void) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to '__test_poll_cancel_with_timeouts' |...... | 146 | if (ret) { | | ~ | | | | | (2) following 'false' branch (when 'ret_11 == 0')... |...... | 151 | ret = io_uring_queue_init(1, &ring2, 0); | | ~~~ | | | | | (3) ...to here | 152 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_13 == 0')... |...... | 158 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (5) ...to here | '__test_poll_cancel_with_timeouts': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from '__test_poll_cancel_with_timeouts' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | '__test_poll_cancel_with_timeouts': events 10-11 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to '__test_poll_cancel_with_timeouts' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from '__test_poll_cancel_with_timeouts' at poll-cancel.c:163:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ '__test_poll_cancel_with_timeouts': events 1-5 | |poll-cancel.c:138:12: | 138 | static int __test_poll_cancel_with_timeouts(void) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to '__test_poll_cancel_with_timeouts' |...... | 146 | if (ret) { | | ~ | | | | | (2) following 'false' branch (when 'ret_11 == 0')... |...... | 151 | ret = io_uring_queue_init(1, &ring2, 0); | | ~~~ | | | | | (3) ...to here | 152 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_13 == 0')... |...... | 158 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (5) ...to here | '__test_poll_cancel_with_timeouts': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from '__test_poll_cancel_with_timeouts' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | '__test_poll_cancel_with_timeouts': events 10-11 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to '__test_poll_cancel_with_timeouts' from '_io_uring_get_sqe' | | (11) calling '_io_uring_get_sqe' from '__test_poll_cancel_with_timeouts' | +--> '_io_uring_get_sqe': events 12-13 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (12) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (13) following 'false' branch... | '_io_uring_get_sqe': event 14 | |cc1: | (14): ...to here | <------+ | '__test_poll_cancel_with_timeouts': events 15-16 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) returning to '__test_poll_cancel_with_timeouts' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_link_timeout' at ../src/include/liburing.h:566:2, inlined from '__test_poll_cancel_with_timeouts' at poll-cancel.c:167:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ '__test_poll_cancel_with_timeouts': events 1-5 | |poll-cancel.c:138:12: | 138 | static int __test_poll_cancel_with_timeouts(void) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to '__test_poll_cancel_with_timeouts' |...... | 146 | if (ret) { | | ~ | | | | | (2) following 'false' branch (when 'ret_11 == 0')... |...... | 151 | ret = io_uring_queue_init(1, &ring2, 0); | | ~~~ | | | | | (3) ...to here | 152 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_13 == 0')... |...... | 158 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (5) ...to here | '__test_poll_cancel_with_timeouts': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from '__test_poll_cancel_with_timeouts' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | '__test_poll_cancel_with_timeouts': events 10-11 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to '__test_poll_cancel_with_timeouts' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-link.t poll-link.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-cancel-ton.t poll-cancel-ton.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from poll-cancel-ton.c:16: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'add_polls' at poll-cancel-ton.c:85:4: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-6 | |poll-cancel-ton.c:101:5: | 101 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 108 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_11(D) <= 1')... |...... | 111 | if (pipe(pipe1) != 0) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 116 | p.flags = IORING_SETUP_CQSIZE; | | ~ | | | | | (5) ...to here |...... | 130 | add_polls(&ring, pipe1[0], 30000); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling 'add_polls' from 'main' | +--> 'add_polls': events 7-11 | | 72 | static int add_polls(struct io_uring *ring, int fd, int nr) | | ^~~~~~~~~ | | | | | (7) entry to 'add_polls' |...... | 78 | while (nr) { | | ~~ | | | | | (8) following 'true' branch (when 'nr_6 != 0')... | 79 | batch = 1024; | | ~~~~~ | | | | | (9) ...to here |...... | 83 | for (i = 0; i < batch; i++) { | | ~~~~~~~~~ | | | | | (10) following 'true' branch... | 84 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (11) ...to here | 'add_polls': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'add_polls' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'add_polls': events 16-17 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) dereference of NULL '_io_uring_get_sqe (ring_17(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'add_polls' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_remove' at ../src/include/liburing.h:450:2, inlined from 'del_polls' at poll-cancel-ton.c:58:4: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-6 | |poll-cancel-ton.c:101:5: | 101 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 108 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_11(D) <= 1')... |...... | 111 | if (pipe(pipe1) != 0) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 116 | p.flags = IORING_SETUP_CQSIZE; | | ~ | | | | | (5) ...to here |...... | 130 | add_polls(&ring, pipe1[0], 30000); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling 'add_polls' from 'main' | +--> 'add_polls': events 7-11 | | 72 | static int add_polls(struct io_uring *ring, int fd, int nr) | | ^~~~~~~~~ | | | | | (7) entry to 'add_polls' |...... | 78 | while (nr) { | | ~~ | | | | | (8) following 'true' branch (when 'nr_6 != 0')... | 79 | batch = 1024; | | ~~~~~ | | | | | (9) ...to here |...... | 83 | for (i = 0; i < batch; i++) { | | ~~~~~~~~~ | | | | | (10) following 'true' branch... | 84 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (11) ...to here | 'add_polls': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'add_polls' | +--> '_io_uring_get_sqe': events 13-15 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (15) ...to here | <------+ | 'add_polls': event 16 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'add_polls' from '_io_uring_get_sqe' | <------+ | 'main': events 17-18 | |poll-cancel-ton.c:130:9: | 130 | add_polls(&ring, pipe1[0], 30000); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) returning to 'main' from 'add_polls' | 131 | del_polls(&ring, pipe1[0], 30000); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling 'del_polls' from 'main' | +--> 'del_polls': events 19-23 | | 43 | static int del_polls(struct io_uring *ring, int fd, int nr) | | ^~~~~~~~~ | | | | | (19) entry to 'del_polls' |...... | 48 | while (nr) { | | ~~ | | | | | (20) following 'true' branch (when 'nr_8 != 0')... | 49 | batch = 1024; | | ~~~~~ | | | | | (21) ...to here |...... | 53 | for (i = 0; i < batch; i++) { | | ~~~~~~~~~ | | | | | (22) following 'true' branch... | 54 | void *data; | | ~~~~ | | | | | (23) ...to here | 'del_polls': event 24 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling '_io_uring_get_sqe' from 'del_polls' | +--> '_io_uring_get_sqe': events 25-26 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (25) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (26) following 'false' branch... | '_io_uring_get_sqe': event 27 | |cc1: | (27): ...to here | <------+ | 'del_polls': events 28-29 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) dereference of NULL '_io_uring_get_sqe (ring_17(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to 'del_polls' from '_io_uring_get_sqe' | poll-cancel-ton.c: In function 'add_polls': poll-cancel-ton.c:87:40: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 87 | sqe->user_data = (unsigned long) sqe; | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~ 'main': events 1-6 | | 101 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 108 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_11(D) <= 1')... |...... | 111 | if (pipe(pipe1) != 0) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 116 | p.flags = IORING_SETUP_CQSIZE; | | ~ | | | | | (5) ...to here |...... | 130 | add_polls(&ring, pipe1[0], 30000); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling 'add_polls' from 'main' | +--> 'add_polls': events 7-11 | | 72 | static int add_polls(struct io_uring *ring, int fd, int nr) | | ^~~~~~~~~ | | | | | (7) entry to 'add_polls' |...... | 78 | while (nr) { | | ~~ | | | | | (8) following 'true' branch (when 'nr_6 != 0')... | 79 | batch = 1024; | | ~~~~~ | | | | | (9) ...to here |...... | 83 | for (i = 0; i < batch; i++) { | | ~~~~~~~~~ | | | | | (10) following 'true' branch... | 84 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (11) ...to here | 'add_polls': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'add_polls' | +--> '_io_uring_get_sqe': events 13-15 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (15) ...to here | <------+ | 'add_polls': event 16 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'add_polls' from '_io_uring_get_sqe' | 'add_polls': events 17-23 | |poll-cancel-ton.c:83:31: | 83 | for (i = 0; i < batch; i++) { | | ~~^~~~~~~ | | | | | (17) following 'true' branch... | 84 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (18) ...to here | 85 | io_uring_prep_poll_add(sqe, fd, POLLIN); | 86 | sqe_index[count++] = sqe; | | ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) '0B' is NULL | | (20) '0B' is NULL | | (21) '0B' is NULL | | (22) '0B' is NULL | 87 | sqe->user_data = (unsigned long) sqe; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) dereference of NULL '_io_uring_get_sqe (ring_17(D))' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-cancel-all.t poll-cancel-all.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o probe.t probe.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-ring.t poll-ring.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-many.t poll-many.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o pollfree.t pollfree.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size_params': events 1-2 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (1) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (2) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 3-6 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (3) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (6) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (5) ...to here | +--> 'io_uring_queue_mmap': events 7-8 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (7) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (8) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 9-10 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (9) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (10) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 11-13 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (11) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (12) following 'false' branch (when 'ret_11 != 4294967295B')... | | (13) ...to here | <------+ | 'io_uring_mmap': events 14-19 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (14) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (15) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (17) following 'false' branch... | | (16) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (19) calling '__sys_mmap' from 'io_uring_mmap' | | (18) ...to here | +--> '__sys_mmap': events 20-22 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (20) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (21) following 'false' branch (when 'ret_11 != 4294967295B')... | | (22) ...to here | <------+ | 'io_uring_mmap': events 23-26 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (23) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (24) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (25) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (26) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 27-29 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (27) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (28) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (29) ...to here | <------+ | 'io_uring_mmap': event 30 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (30) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 31 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (31) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 32-34 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (32) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (33) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (34) ...to here | <------+ | 'io_uring_mlock_size_params': events 35-38 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (35) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (37) ...to here | | (38) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 39-42 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (39) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (40) '0B' is NULL | | | (41) '0B' is NULL | | (42) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o read-before-exit.t read-before-exit.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from read-before-exit.c:14: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'submit' at read-before-exit.c:32:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'submit': event 1 | |read-before-exit.c:25:7: | 25 | void *submit(void *data) | | ^~~~~~ | | | | | (1) entry to 'submit' | 'submit': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'submit' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'submit': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (MEM[(struct data *)data_9(D)].ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'submit' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'submit' at read-before-exit.c:35:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'submit': event 1 | |read-before-exit.c:25:7: | 25 | void *submit(void *data) | | ^~~~~~ | | | | | (1) entry to 'submit' | 'submit': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'submit' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'submit': events 6-7 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'submit' from '_io_uring_get_sqe' | | (7) calling '_io_uring_get_sqe' from 'submit' | +--> '_io_uring_get_sqe': events 8-9 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (8) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (9) following 'false' branch... | '_io_uring_get_sqe': event 10 | |cc1: | (10): ...to here | <------+ | 'submit': events 11-12 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) dereference of NULL '_io_uring_get_sqe (MEM[(struct data *)data_9(D)].ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) returning to 'submit' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-v-poll.t poll-v-poll.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from poll-v-poll.c:19: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'iou_poll' at poll-v-poll.c:52:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'iou_poll': event 1 | |poll-v-poll.c:44:14: | 44 | static void *iou_poll(void *data) | | ^~~~~~~~ | | | | | (1) entry to 'iou_poll' | 'iou_poll': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'iou_poll' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'iou_poll': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (MEM[(struct thread_data *)data_16(D)].ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'iou_poll' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o rename.t rename.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o poll-mshot-update.t poll-mshot-update.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from poll-mshot-update.c:17: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_update' at ../src/include/liburing.h:459:2, inlined from 'has_poll_update' at poll-mshot-update.c:45:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |poll-mshot-update.c:190:5: | 190 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 198 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_32(D) <= 1')... |...... | 201 | ret = has_poll_update(); | | ~~~ ~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'has_poll_update' from 'main' | | (3) ...to here | +--> 'has_poll_update': events 5-7 | | 32 | static int has_poll_update(void) | | ^~~~~~~~~~~~~~~ | | | | | (5) entry to 'has_poll_update' |...... | 41 | if (ret) | | ~ | | | | | (6) following 'false' branch (when 'ret_10 == 0')... |...... | 44 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (7) ...to here | 'has_poll_update': event 8 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling '_io_uring_get_sqe' from 'has_poll_update' | +--> '_io_uring_get_sqe': events 9-10 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (9) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (10) following 'false' branch... | '_io_uring_get_sqe': event 11 | |cc1: | (11): ...to here | <------+ | 'has_poll_update': events 12-13 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) returning to 'has_poll_update' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o ring-leak.t ring-leak.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o recv-msgall.t recv-msgall.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from recv-msgall.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_send' at ../src/include/liburing.h:664:2, inlined from 'do_send' at recv-msgall.c:187:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |recv-msgall.c:247:5: | 247 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 251 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_5(D) <= 1')... |...... | 254 | ret = test(0); | | ~~~ ~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 220 | static int test(int use_recvmsg) | | ^~~~ | | | | | (5) entry to 'test' |...... | 235 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_14 == 0')... |...... | 241 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 242 | do_send(); | | ~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-11 | | 146 | static int do_send(void) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 157 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_23 == 0')... |...... | 162 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ | | | | | (11) ...to here | 'do_send': events 12-13 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (12) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~ | | | | | (13) ...to here | 'do_send': events 14-15 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (14) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~ | | | | | (15) ...to here | 'do_send': events 16-20 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (16) following 'false' branch (when 'i_12 == 128')... |...... | 166 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (17) ...to here |...... | 172 | if (sockfd < 0) { | | ~ | | | | | (18) following 'false' branch (when 'sockfd_31 >= 0')... |...... | 177 | ret = connect(sockfd, (struct sockaddr *)&saddr, sizeof(saddr)); | | ~~~ | | | | | (19) ...to here | 178 | if (ret < 0) { | | ~ | | | | | (20) following 'false' branch (when 'ret_34 >= 0')... | 'do_send': event 21 | |cc1: | (21): ...to here | 'do_send': events 22-23 | | 185 | for (i = 0; i < 2; i++) { | | ~~^~~ | | | | | (22) following 'true' branch (when 'i_13 != 2')... | 186 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (23) ...to here | 'do_send': event 24 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 25-26 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (25) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (26) following 'false' branch... | '_io_uring_get_sqe': event 27 | |cc1: | (27): ...to here | <------+ | 'do_send': events 28-29 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to 'do_send' from '_io_uring_get_sqe' | recv-msgall.c: In function 'do_send': recv-msgall.c:164:24: warning: dereference of possibly-NULL 'buf_25' [CWE-690] [-Wanalyzer-possible-null-dereference] 164 | buf[i] = i; | ~~~~~~~^~~ 'main': events 1-4 | | 247 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 251 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_5(D) <= 1')... |...... | 254 | ret = test(0); | | ~~~ ~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 220 | static int test(int use_recvmsg) | | ^~~~ | | | | | (5) entry to 'test' |...... | 235 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_14 == 0')... |...... | 241 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 242 | do_send(); | | ~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-12 | | 146 | static int do_send(void) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 157 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_23 == 0')... |...... | 162 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) this call could return NULL | | (11) ...to here | 'do_send': events 13-15 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (13) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~~~~~~~~ | | | | | | | (15) 'buf_25 + (unsigned int) i_12 * 4' could be NULL: unchecked value from (12) | | (14) ...to here | recv-msgall.c:174:17: warning: leak of 'buf_25' [CWE-401] [-Wanalyzer-malloc-leak] 174 | return 1; | ^~~~~~ 'main': events 1-4 | | 247 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 251 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_5(D) <= 1')... |...... | 254 | ret = test(0); | | ~~~ ~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 220 | static int test(int use_recvmsg) | | ^~~~ | | | | | (5) entry to 'test' |...... | 235 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_14 == 0')... |...... | 241 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 242 | do_send(); | | ~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-12 | | 146 | static int do_send(void) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 157 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_23 == 0')... |...... | 162 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) allocated here | | (11) ...to here | 'do_send': events 13-15 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (13) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~~~~~~~~ | | | | | | | (15) assuming 'buf_25' is non-NULL | | (14) ...to here | 'do_send': events 16-17 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (16) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~ | | | | | (17) ...to here | 'do_send': events 18-20 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (18) following 'false' branch (when 'i_12 == 128')... |...... | 166 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (19) ...to here |...... | 174 | return 1; | | ~~~~~~ | | | | | (20) 'buf_25' leaks here; was allocated at (12) | recv-msgall.c:217:9: warning: leak of 'buf_25' [CWE-401] [-Wanalyzer-malloc-leak] 217 | return 1; | ^~~~~~ 'main': events 1-4 | | 247 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 251 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_5(D) <= 1')... |...... | 254 | ret = test(0); | | ~~~ ~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 220 | static int test(int use_recvmsg) | | ^~~~ | | | | | (5) entry to 'test' |...... | 235 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_14 == 0')... |...... | 241 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 242 | do_send(); | | ~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-12 | | 146 | static int do_send(void) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 157 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_23 == 0')... |...... | 162 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) allocated here | | (11) ...to here | 'do_send': events 13-15 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (13) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~~~~~~~~ | | | | | | | (15) assuming 'buf_25' is non-NULL | | (14) ...to here | 'do_send': events 16-17 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (16) following 'true' branch (when 'i_12 != 128')... | 164 | buf[i] = i; | | ~~~ | | | | | (17) ...to here | 'do_send': events 18-22 | | 163 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (18) following 'false' branch (when 'i_12 == 128')... |...... | 166 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (19) ...to here |...... | 172 | if (sockfd < 0) { | | ~ | | | | | (20) following 'false' branch (when 'sockfd_31 >= 0')... |...... | 177 | ret = connect(sockfd, (struct sockaddr *)&saddr, sizeof(saddr)); | | ~~~ | | | | | (21) ...to here | 178 | if (ret < 0) { | | ~ | | | | | (22) following 'false' branch (when 'ret_34 >= 0')... | 'do_send': event 23 | |cc1: | (23): ...to here | 'do_send': events 24-25 | | 185 | for (i = 0; i < 2; i++) { | | ~~^~~ | | | | | (24) following 'true' branch (when 'i_13 != 2')... | 186 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (25) ...to here | 'do_send': event 26 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 27-29 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (27) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (28) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (29) ...to here | <------+ | 'do_send': event 30 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) returning to 'do_send' from '_io_uring_get_sqe' | 'do_send': events 31-33 | |recv-msgall.c:191:20: | 191 | if (ret <= 0) { | | ^ | | | | | (31) following 'true' branch (when 'ret_41 <= 0')... | 192 | fprintf(stderr, "submit failed: %d\n", ret); | | ~~~~~~~ | | | | | (32) ...to here |...... | 217 | return 1; | | ~~~~~~ | | | | | (33) 'buf_25' leaks here; was allocated at (12) | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o ring-leak2.t ring-leak2.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from ring-leak2.c:23: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'add_socket_eventfd_read' at ring-leak2.c:72:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'client_thread': events 1-2 | |ring-leak2.c:156:14: | 156 | static void *client_thread(void *arg) | | ^~~~~~~~~~~~~ | | | | | (1) entry to 'client_thread' |...... | 166 | add_socket_eventfd_read(&ring, client_eventfd); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling 'add_socket_eventfd_read' from 'client_thread' | +--> 'add_socket_eventfd_read': event 3 | | 63 | static void add_socket_eventfd_read(struct io_uring *ring, int fd) | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) entry to 'add_socket_eventfd_read' | 'add_socket_eventfd_read': event 4 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling '_io_uring_get_sqe' from 'add_socket_eventfd_read' | +--> '_io_uring_get_sqe': events 5-6 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (5) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (6) following 'false' branch... | '_io_uring_get_sqe': event 7 | |cc1: | (7): ...to here | <------+ | 'add_socket_eventfd_read': events 8-9 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) dereference of NULL '_io_uring_get_sqe (ring_8(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) returning to 'add_socket_eventfd_read' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'add_socket_pollin' at ring-leak2.c:87:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'server_thread': events 1-6 | |ring-leak2.c:92:14: | 92 | static void *server_thread(void *arg) | | ^~~~~~~~~~~~~ | | | | | (1) entry to 'server_thread' |...... | 111 | if (bind(sock_listen_fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) { | | ~ | | | | | (2) following 'false' branch... |...... | 115 | if (listen(sock_listen_fd, 1) < 0) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 120 | setup_io_uring(&ring); | | ~~~~~~~~~~~~~~ | | | | | (5) ...to here | 121 | add_socket_eventfd_read(&ring, evfd); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling 'add_socket_eventfd_read' from 'server_thread' | +--> 'add_socket_eventfd_read': event 7 | | 63 | static void add_socket_eventfd_read(struct io_uring *ring, int fd) | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) entry to 'add_socket_eventfd_read' | 'add_socket_eventfd_read': event 8 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling '_io_uring_get_sqe' from 'add_socket_eventfd_read' | +--> '_io_uring_get_sqe': events 9-10 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (9) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (10) following 'false' branch... | '_io_uring_get_sqe': event 11 | |cc1: | (11): ...to here | <------+ | 'add_socket_eventfd_read': event 12 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) returning to 'add_socket_eventfd_read' from '_io_uring_get_sqe' | <------+ | 'server_thread': events 13-14 | |ring-leak2.c:121:9: | 121 | add_socket_eventfd_read(&ring, evfd); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) returning to 'server_thread' from 'add_socket_eventfd_read' | 122 | add_socket_pollin(&ring, sock_listen_fd); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling 'add_socket_pollin' from 'server_thread' | +--> 'add_socket_pollin': event 15 | | 78 | static void add_socket_pollin(struct io_uring *ring, int fd) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'add_socket_pollin' | 'add_socket_pollin': event 16 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) calling '_io_uring_get_sqe' from 'add_socket_pollin' | +--> '_io_uring_get_sqe': events 17-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (17) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (18) following 'false' branch... | '_io_uring_get_sqe': event 19 | |cc1: | (19): ...to here | <------+ | 'add_socket_pollin': events 20-21 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) dereference of NULL '_io_uring_get_sqe (ring_8(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'add_socket_pollin' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o recv-msgall-stream.t recv-msgall-stream.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from recv-msgall-stream.c:17: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_send' at ../src/include/liburing.h:664:2, inlined from 'do_send' at recv-msgall-stream.c:305:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |recv-msgall-stream.c:368:5: | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_7(D) <= 1')... |...... | 375 | ret = test(0, 0); | | ~~~ ~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_recvmsg, int use_sync) | | ^~~~ | | | | | (5) entry to 'test' |...... | 357 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_20 == 0')... |...... | 363 | do_send(&rd); | | ~~~~~~~~~~~~ | | | | | (7) ...to here | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-11 | | 262 | static int do_send(struct recv_data *rd) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 273 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_27 == 0')... |...... | 278 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ | | | | | (11) ...to here | 'do_send': events 12-13 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (12) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~ | | | | | (13) ...to here | 'do_send': events 14-15 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (14) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~ | | | | | (15) ...to here | 'do_send': events 16-20 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (16) following 'false' branch (when 'i_16 == 128')... |...... | 282 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (17) ...to here |...... | 288 | if (sockfd < 0) { | | ~ | | | | | (18) following 'false' branch (when 'sockfd_36 >= 0')... |...... | 293 | pthread_mutex_lock(&rd->mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (19) ...to here |...... | 296 | if (ret < 0) { | | ~ | | | | | (20) following 'false' branch (when 'ret_40 >= 0')... | 'do_send': event 21 | |cc1: | (21): ...to here | 'do_send': events 22-23 | | 303 | for (i = 0; i < 2; i++) { | | ~~^~~ | | | | | (22) following 'true' branch (when 'i_17 != 2')... | 304 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (23) ...to here | 'do_send': event 24 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 25-26 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (25) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (26) following 'false' branch... | '_io_uring_get_sqe': event 27 | |cc1: | (27): ...to here | <------+ | 'do_send': events 28-29 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to 'do_send' from '_io_uring_get_sqe' | recv-msgall-stream.c: In function 'do_send': recv-msgall-stream.c:280:24: warning: dereference of possibly-NULL 'buf_29' [CWE-690] [-Wanalyzer-possible-null-dereference] 280 | buf[i] = i; | ~~~~~~~^~~ 'main': events 1-4 | | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_7(D) <= 1')... |...... | 375 | ret = test(0, 0); | | ~~~ ~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_recvmsg, int use_sync) | | ^~~~ | | | | | (5) entry to 'test' |...... | 357 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_20 == 0')... |...... | 363 | do_send(&rd); | | ~~~~~~~~~~~~ | | | | | (7) ...to here | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-12 | | 262 | static int do_send(struct recv_data *rd) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 273 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_27 == 0')... |...... | 278 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) this call could return NULL | | (11) ...to here | 'do_send': events 13-15 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (13) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~~~~~~~~ | | | | | | | (15) 'buf_29 + (unsigned int) i_16 * 4' could be NULL: unchecked value from (12) | | (14) ...to here | recv-msgall-stream.c:290:17: warning: leak of 'buf_29' [CWE-401] [-Wanalyzer-malloc-leak] 290 | return 1; | ^~~~~~ 'main': events 1-4 | | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_7(D) <= 1')... |...... | 375 | ret = test(0, 0); | | ~~~ ~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_recvmsg, int use_sync) | | ^~~~ | | | | | (5) entry to 'test' |...... | 357 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_20 == 0')... |...... | 363 | do_send(&rd); | | ~~~~~~~~~~~~ | | | | | (7) ...to here | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-12 | | 262 | static int do_send(struct recv_data *rd) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 273 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_27 == 0')... |...... | 278 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) allocated here | | (11) ...to here | 'do_send': events 13-15 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (13) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~~~~~~~~ | | | | | | | (15) assuming 'buf_29' is non-NULL | | (14) ...to here | 'do_send': events 16-17 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (16) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~ | | | | | (17) ...to here | 'do_send': events 18-20 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (18) following 'false' branch (when 'i_16 == 128')... |...... | 282 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (19) ...to here |...... | 290 | return 1; | | ~~~~~~ | | | | | (20) 'buf_29' leaks here; was allocated at (12) | recv-msgall-stream.c:337:9: warning: leak of 'buf_29' [CWE-401] [-Wanalyzer-malloc-leak] 337 | return 1; | ^~~~~~ 'main': events 1-4 | | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_7(D) <= 1')... |...... | 375 | ret = test(0, 0); | | ~~~ ~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_recvmsg, int use_sync) | | ^~~~ | | | | | (5) entry to 'test' |...... | 357 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_20 == 0')... |...... | 363 | do_send(&rd); | | ~~~~~~~~~~~~ | | | | | (7) ...to here | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-12 | | 262 | static int do_send(struct recv_data *rd) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 273 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_27 == 0')... |...... | 278 | buf = malloc(MAX_MSG * sizeof(int)); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) allocated here | | (11) ...to here | 'do_send': events 13-15 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (13) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~~~~~~~~ | | | | | | | (15) assuming 'buf_29' is non-NULL | | (14) ...to here | 'do_send': events 16-17 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (16) following 'true' branch (when 'i_16 != 128')... | 280 | buf[i] = i; | | ~~~ | | | | | (17) ...to here | 'do_send': events 18-22 | | 279 | for (i = 0; i < MAX_MSG; i++) | | ^ | | | | | (18) following 'false' branch (when 'i_16 == 128')... |...... | 282 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (19) ...to here |...... | 288 | if (sockfd < 0) { | | ~ | | | | | (20) following 'false' branch (when 'sockfd_36 >= 0')... |...... | 293 | pthread_mutex_lock(&rd->mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here |...... | 296 | if (ret < 0) { | | ~ | | | | | (22) following 'false' branch (when 'ret_40 >= 0')... | 'do_send': event 23 | |cc1: | (23): ...to here | 'do_send': events 24-25 | | 303 | for (i = 0; i < 2; i++) { | | ~~^~~ | | | | | (24) following 'true' branch (when 'i_17 != 2')... | 304 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (25) ...to here | 'do_send': event 26 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 27-29 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (27) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (28) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (29) ...to here | <------+ | 'do_send': event 30 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) returning to 'do_send' from '_io_uring_get_sqe' | 'do_send': events 31-33 | |recv-msgall-stream.c:309:20: | 309 | if (ret <= 0) { | | ^ | | | | | (31) following 'true' branch (when 'ret_48 <= 0')... | 310 | fprintf(stderr, "submit failed: %d\n", ret); | | ~~~~~~~ | | | | | (32) ...to here |...... | 337 | return 1; | | ~~~~~~ | | | | | (33) 'buf_29' leaks here; was allocated at (12) | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o self.t self.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o ringbuf-read.t ringbuf-read.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from ringbuf-read.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'test' at ringbuf-read.c:94:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |ringbuf-read.c:134:5: | 134 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 150 | if (fd < 0) { | | ~ | | | | | (2) following 'false' branch... | 'main': event 3 | |cc1: | (3): ...to here | 'main': events 4-6 | | 154 | for (i = 0; i < NR_BUFS; i++) { | | ^ | | | | | (4) following 'true' branch (when 'i_10 != 64')... | 155 | memset(buf, i + 1, BUF_SIZE); | | ~~~~~~ | | | | | (5) ...to here | 156 | ret = write(fd, buf, BUF_SIZE); | 157 | if (ret != BUF_SIZE) { | | ~ | | | | | (6) following 'false' branch (when 'ret_33 == 4096')... | 'main': event 7 | |cc1: | (7): ...to here | 'main': event 8 | | 164 | ret = test(fname, 1, 0); | | ^~~~~~~~~~~~~~~~~ | | | | | (8) calling 'test' from 'main' | +--> 'test': events 9-15 | | 38 | static int test(const char *filename, int dio, int async) | | ^~~~ | | | | | (9) entry to 'test' |...... | 50 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_46 == 0')... |...... | 55 | if (dio) | | ~~ ~ | | | | | | | (12) following 'true' branch (when 'dio_47(D) != 0')... | | (11) ...to here | 56 | fd = open(filename, O_DIRECT | O_RDONLY); | | ~~ | | | | | (13) ...to here |...... | 59 | if (fd < 0) { | | ~ | | | | | (14) following 'false' branch (when 'fd_31 >= 0')... |...... | 64 | posix_fadvise(fd, 0, FSIZE, POSIX_FADV_DONTNEED); | | ~~~~~~~~~~~~~ | | | | | (15) ...to here | 'test': event 16 | |cc1: | (16): following 'true' branch... | 'test': event 17 | | 68 | if (posix_memalign((void **) &br, 4096, 4096)) | | ^~ | | | | | (17) ...to here | 'test': event 18 | |cc1: | (18): following 'true' branch... | 'test': events 19-20 | | 71 | reg.ring_addr = (unsigned long) br; | | ^~~ | | | | | (19) ...to here |...... | 76 | if (ret) { | | ~ | | | | | (20) following 'false' branch (when 'ret_62 == 0')... | 'test': event 21 | |cc1: | (21): ...to here | 'test': events 22-23 | | 86 | for (i = 0; i < NR_BUFS; i++) { | | ^ | | | | | (22) following 'true' branch (when 'i_32 != 64')... | 87 | io_uring_buf_ring_add(br, ptr, BUF_SIZE, i + 1, BR_MASK, i); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) ...to here | 'test': events 24-25 | | 92 | for (i = 0; i < NR_BUFS; i++) { | | ^ | | | | | (24) following 'true' branch (when 'i_33 != 64')... | 93 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (25) ...to here | 'test': event 26 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling '_io_uring_get_sqe' from 'test' | +--> '_io_uring_get_sqe': events 27-28 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (27) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (28) following 'false' branch... | '_io_uring_get_sqe': event 29 | |cc1: | (29): ...to here | <------+ | 'test': events 30-31 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (31) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) returning to 'test' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o shared-wq.t shared-wq.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o rw_merge_test.t rw_merge_test.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from rw_merge_test.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'main' at rw_merge_test.c:51:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-3 | |rw_merge_test.c:18:5: | 18 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 31 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 34 | ret = pipe(pipe1); | | ~~~ | | | | | (3) ...to here | 'main': event 4 | | 35 | assert(!ret); | | ^~~~~~ | | | | | (4) following 'true' branch (when 'ret_18 == 0')... | 'main': event 5 | | 37 | fd = open("testfile", O_RDWR | O_CREAT, 0644); | | ^~ | | | | | (5) ...to here | 'main': event 6 | | 38 | assert(fd >= 0); | | ^~~~~~ | | | | | (6) following 'true' branch... | 'main': event 7 | | 39 | unlink("testfile"); | | ^~~~~~ | | | | | (7) ...to here | 'main': event 8 | | 41 | assert(!ret); | | ^~~~~~ | | | | | (8) following 'true' branch (when 'ret_23 == 0')... | 'main': events 9-13 | | 43 | ret = t_create_ring(4, &ring, 0); | | ^~~ | | | | | (9) ...to here | 44 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (10) following 'false' branch (when 'ret_26 != 1')... | 45 | return 0; | 46 | else if (ret < 0) | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'ret_26 >= 0')... | | (11) ...to here |...... | 50 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (13) ...to here | 'main': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'main': events 18-19 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'main' at rw_merge_test.c:56:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-3 | |rw_merge_test.c:18:5: | 18 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 31 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 34 | ret = pipe(pipe1); | | ~~~ | | | | | (3) ...to here | 'main': event 4 | | 35 | assert(!ret); | | ^~~~~~ | | | | | (4) following 'true' branch (when 'ret_18 == 0')... | 'main': event 5 | | 37 | fd = open("testfile", O_RDWR | O_CREAT, 0644); | | ^~ | | | | | (5) ...to here | 'main': event 6 | | 38 | assert(fd >= 0); | | ^~~~~~ | | | | | (6) following 'true' branch... | 'main': event 7 | | 39 | unlink("testfile"); | | ^~~~~~ | | | | | (7) ...to here | 'main': event 8 | | 41 | assert(!ret); | | ^~~~~~ | | | | | (8) following 'true' branch (when 'ret_23 == 0')... | 'main': events 9-13 | | 43 | ret = t_create_ring(4, &ring, 0); | | ^~~ | | | | | (9) ...to here | 44 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (10) following 'false' branch (when 'ret_26 != 1')... | 45 | return 0; | 46 | else if (ret < 0) | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'ret_26 >= 0')... | | (11) ...to here |...... | 50 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (13) ...to here | 'main': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'main': events 18-19 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'main' from '_io_uring_get_sqe' | | (19) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 20-21 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (20) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (21) following 'false' branch... | '_io_uring_get_sqe': event 22 | |cc1: | (22): ...to here | <------+ | 'main': events 23-24 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) returning to 'main' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'main' at rw_merge_test.c:75:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-3 | |rw_merge_test.c:18:5: | 18 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 31 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 34 | ret = pipe(pipe1); | | ~~~ | | | | | (3) ...to here | 'main': event 4 | | 35 | assert(!ret); | | ^~~~~~ | | | | | (4) following 'true' branch (when 'ret_18 == 0')... | 'main': event 5 | | 37 | fd = open("testfile", O_RDWR | O_CREAT, 0644); | | ^~ | | | | | (5) ...to here | 'main': event 6 | | 38 | assert(fd >= 0); | | ^~~~~~ | | | | | (6) following 'true' branch... | 'main': event 7 | | 39 | unlink("testfile"); | | ^~~~~~ | | | | | (7) ...to here | 'main': event 8 | | 41 | assert(!ret); | | ^~~~~~ | | | | | (8) following 'true' branch (when 'ret_23 == 0')... | 'main': events 9-13 | | 43 | ret = t_create_ring(4, &ring, 0); | | ^~~ | | | | | (9) ...to here | 44 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (10) following 'false' branch (when 'ret_26 != 1')... | 45 | return 0; | 46 | else if (ret < 0) | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'ret_26 >= 0')... | | (11) ...to here |...... | 50 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (13) ...to here | 'main': event 14 | | 60 | assert(ret == 2); | | ^~~~~~ | | | | | (14) following 'true' branch (when 'ret_30 == 2')... | 'main': events 15-16 | | 62 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (16) calling 'io_uring_wait_cqe' from 'main' | | (15) ...to here | +--> 'io_uring_wait_cqe': events 17-18 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (17) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 19-21 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (19) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (20) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (21) ...to here | <------+ | 'io_uring_wait_cqe': events 22-24 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (24) ...to here | | | (22) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (23) following 'true' branch... | <------+ | 'main': event 25 | |rw_merge_test.c:62:15: | 62 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) returning to 'main' from 'io_uring_wait_cqe' | 'main': event 26 | | 63 | assert(!ret); | | ^~~~~~ | | | | | (26) following 'true' branch (when 'ret_33 == 0')... | 'main': event 27 | | 64 | assert(cqe->res == 0); | | ^~~~~~ | | | | | (27) ...to here | 'main': event 28 | | 64 | assert(cqe->res == 0); | | ^~~~~~ | | | | | (28) following 'true' branch... | 'main': event 29 | | 65 | assert(cqe->user_data == 2); | | ^~~~~~ | | | | | (29) ...to here | 'main': event 30 | | 65 | assert(cqe->user_data == 2); | | ^~~~~~ | | | | | (30) following 'true' branch... | 'main': event 31 | | 66 | io_uring_cqe_seen(&ring, cqe); | | ^~~~~~~~~~~~~~~~~ | | | | | (31) ...to here | 'main': event 32 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 33-34 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (33) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (34) following 'false' branch... | '_io_uring_get_sqe': event 35 | |cc1: | (35): ...to here | <------+ | 'main': events 36-37 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (37) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (36) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sendmsg_fs_cve.t sendmsg_fs_cve.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o register-restrictions.t register-restrictions.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from register-restrictions.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_writev' at ../src/include/liburing.h:390:2, inlined from 'test_restrictions_sqe_op' at register-restrictions.c:72:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |register-restrictions.c:568:5: | 568 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 572 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 575 | ret = test_restrictions_sqe_op(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test_restrictions_sqe_op' from 'main' | | (3) ...to here | +--> 'test_restrictions_sqe_op': events 5-13 | | 23 | static int test_restrictions_sqe_op(void) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'test_restrictions_sqe_op' |...... | 37 | if (pipe(pipe1) != 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 42 | ret = io_uring_queue_init(8, &ring, IORING_SETUP_R_DISABLED); | | ~~~ | | | | | (7) ...to here | 43 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_26 == 0')... |...... | 50 | res[0].opcode = IORING_RESTRICTION_SQE_OP; | | ~~~ | | | | | (9) ...to here |...... | 57 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_32 == 0')... |...... | 65 | ret = io_uring_enable_rings(&ring); | | ~~~ | | | | | (11) ...to here | 66 | if (ret) { | | ~ | | | | | (12) following 'false' branch (when 'ret_34 == 0')... |...... | 71 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (13) ...to here | 'test_restrictions_sqe_op': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'test_restrictions_sqe_op' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'test_restrictions_sqe_op': events 18-19 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (19) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'test_restrictions_sqe_op' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'test_restrictions_sqe_op' at register-restrictions.c:76:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |register-restrictions.c:568:5: | 568 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 572 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_16(D) <= 1')... |...... | 575 | ret = test_restrictions_sqe_op(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test_restrictions_sqe_op' from 'main' | | (3) ...to here | +--> 'test_restrictions_sqe_op': events 5-13 | | 23 | static int test_restrictions_sqe_op(void) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'test_restrictions_sqe_op' |...... | 37 | if (pipe(pipe1) != 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 42 | ret = io_uring_queue_init(8, &ring, IORING_SETUP_R_DISABLED); | | ~~~ | | | | | (7) ...to here | 43 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_26 == 0')... |...... | 50 | res[0].opcode = IORING_RESTRICTION_SQE_OP; | | ~~~ | | | | | (9) ...to here |...... | 57 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_32 == 0')... |...... | 65 | ret = io_uring_enable_rings(&ring); | | ~~~ | | | | | (11) ...to here | 66 | if (ret) { | | ~ | | | | | (12) following 'false' branch (when 'ret_34 == 0')... |...... | 71 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (13) ...to here | 'test_restrictions_sqe_op': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'test_restrictions_sqe_op' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'test_restrictions_sqe_op': events 18-19 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'test_restrictions_sqe_op' from '_io_uring_get_sqe' | | (19) calling '_io_uring_get_sqe' from 'test_restrictions_sqe_op' | +--> '_io_uring_get_sqe': events 20-21 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (20) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (21) following 'false' branch... | '_io_uring_get_sqe': event 22 | |cc1: | (22): ...to here | <------+ | 'test_restrictions_sqe_op': events 23-24 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) returning to 'test_restrictions_sqe_op' from '_io_uring_get_sqe' | ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o short-read.t short-read.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o send_recv.t send_recv.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from send_recv.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_send' at ../src/include/liburing.h:664:2, inlined from 'do_send' at send_recv.c:205:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |send_recv.c:260:5: | 260 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 264 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_6(D) <= 1')... |...... | 267 | ret = test(0, 0); | | ~~~ ~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 232 | static int test(int use_sqthread, int regfiles) | | ^~~~ | | | | | (5) entry to 'test' |...... | 248 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_16 == 0')... |...... | 254 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 255 | do_send(); | | ~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-15 | | 169 | static int do_send(void) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 182 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_13 == 0')... |...... | 187 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (11) ...to here |...... | 193 | if (sockfd < 0) { | | ~ | | | | | (12) following 'false' branch (when 'sockfd_18 >= 0')... |...... | 198 | ret = connect(sockfd, (struct sockaddr *)&saddr, sizeof(saddr)); | | ~~~ | | | | | (13) ...to here | 199 | if (ret < 0) { | | ~ | | | | | (14) following 'false' branch (when 'ret_21 >= 0')... |...... | 204 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (15) ...to here | 'do_send': event 16 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 17-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (17) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (18) following 'false' branch... | '_io_uring_get_sqe': event 19 | |cc1: | (19): ...to here | <------+ | 'do_send': events 20-21 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'do_send' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sq-full.t sq-full.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o shutdown.t shutdown.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from shutdown.c:21: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_shutdown' at ../src/include/liburing.h:720:2, inlined from 'main' at shutdown.c:105:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-3 | |shutdown.c:27:5: | 27 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 34 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_34(D) <= 1')... |...... | 37 | srand(getpid()); | | ~~~~~ | | | | | (3) ...to here | 'main': event 4 | | 42 | assert(ret != -1); | | ^~~~~~ | | | | | (4) following 'true' branch (when 'ret_40 != -1')... | 'main': event 5 | | 43 | ret = setsockopt(recv_s0, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); | | ^~~ | | | | | (5) ...to here | 'main': event 6 | | 44 | assert(ret != -1); | | ^~~~~~ | | | | | (6) following 'true' branch (when 'ret_43 != -1')... | 'main': event 7 | | 46 | addr.sin_family = AF_INET; | | ^~~~ | | | | | (7) ...to here | 'main': event 8 | | 51 | assert(ret != -1); | | ^~~~~~ | | | | | (8) following 'true' branch (when 'ret_52 != -1')... | 'main': event 9 | | 52 | ret = listen(recv_s0, 128); | | ^~~ | | | | | (9) ...to here | 'main': event 10 | | 53 | assert(ret != -1); | | ^~~~~~ | | | | | (10) following 'true' branch (when 'ret_55 != -1')... | 'main': event 11 | | 55 | p_fd[1] = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP); | | ^~~~ | | | | | (11) ...to here | 'main': event 12 | | 59 | assert(ret != -1); | | ^~~~~~ | | | | | (12) following 'true' branch (when 'ret_60 != -1')... | 'main': event 13 | | 61 | int32_t flags = fcntl(p_fd[1], F_GETFL, 0); | | ^~~~~~~ | | | | | (13) ...to here | 'main': event 14 | | 62 | assert(flags != -1); | | ^~~~~~ | | | | | (14) following 'true' branch (when 'flags_63 != -1')... | 'main': event 15 | | 64 | flags |= O_NONBLOCK; | | ^~~~~ | | | | | (15) ...to here | 'main': event 16 | | 66 | assert(ret != -1); | | ^~~~~~ | | | | | (16) following 'true' branch (when 'ret_67 != -1')... | 'main': event 17 | | 68 | ret = connect(p_fd[1], (struct sockaddr*)&addr, sizeof(addr)); | | ^~~ | | | | | (17) ...to here | 'main': event 18 | | 69 | assert(ret == -1); | | ^~~~~~ | | | | | (18) following 'true' branch (when 'ret_71 == -1')... | 'main': event 19 | | 71 | flags = fcntl(p_fd[1], F_GETFL, 0); | | ^~~~~ | | | | | (19) ...to here | 'main': event 20 | | 72 | assert(flags != -1); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'flags_74 != -1')... | 'main': event 21 | | 74 | flags &= ~O_NONBLOCK; | | ^~~~~ | | | | | (21) ...to here | 'main': event 22 | | 76 | assert(ret != -1); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'ret_78 != -1')... | 'main': event 23 | | 78 | p_fd[0] = accept(recv_s0, NULL, NULL); | | ^~~~ | | | | | (23) ...to here | 'main': event 24 | | 79 | assert(p_fd[0] != -1); | | ^~~~~~ | | | | | (24) following 'true' branch... | 'main': event 25 | | 81 | signal(SIGPIPE, sig_pipe); | | ^~~~~~ | | | | | (25) ...to here | 'main': event 26 | | 88 | assert(ret != -1); | | ^~~~~~ | | | | | (26) following 'true' branch (when 'ret_86 != -1')... | 'main': event 27 | | 90 | if (!code) | | ^~ | | | | | (27) ...to here | 'main': event 28 | | 97 | assert(ret >= 0); | | ^~~~~~ | | | | | (28) following 'true' branch (when 'ret_93 >= 0')... | 'main': event 29 | | 100 | struct io_uring_cqe *cqe; | | ^~~~~~ | | | | | (29) ...to here | 'main': event 30 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 31-32 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (31) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (32) following 'false' branch... | '_io_uring_get_sqe': event 33 | |cc1: | (33): ...to here | <------+ | 'main': events 34-35 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (35) dereference of NULL '_io_uring_get_sqe (&m_io_uring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sigfd-deadlock.t sigfd-deadlock.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from sigfd-deadlock.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'test_uring' at sigfd-deadlock.c:40:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_uring': event 1 | |sigfd-deadlock.c:30:12: | 30 | static int test_uring(int sfd) | | ^~~~~~~~~~ | | | | | (1) entry to 'test_uring' | 'test_uring': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'test_uring' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'test_uring': events 6-7 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'test_uring' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o send_recvmsg.t send_recvmsg.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from send_recvmsg.c:16: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_sendmsg' at ../src/include/liburing.h:421:2, inlined from 'do_sendmsg' at send_recvmsg.c:302:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |send_recvmsg.c:363:5: | 363 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 367 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_17(D) <= 1')... |...... | 370 | ret = test(0, 0, 0, 1, 0); | | ~~~ ~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-10 | | 324 | static int test(int buf_select, int buf_ring, int no_buf_add, int iov_count, | | ^~~~ | | | | | (5) entry to 'test' |...... | 334 | if (buf_select || buf_ring) | | ~ | | | | | (6) following 'false' branch... |...... | 337 | pthread_mutexattr_init(&attr); | | ~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here |...... | 349 | if (ret) { | | ~ | | | | | (8) following 'false' branch (when 'ret_25 == 0')... |...... | 355 | pthread_mutex_lock(&mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (9) ...to here | 356 | do_sendmsg(); | | ~~~~~~~~~~~~ | | | | | (10) calling 'do_sendmsg' from 'test' | +--> 'do_sendmsg': events 11-15 | | 263 | static int do_sendmsg(void) | | ^~~~~~~~~~ | | | | | (11) entry to 'do_sendmsg' |...... | 277 | if (ret) { | | ~ | | | | | (12) following 'false' branch (when 'ret_17 == 0')... |...... | 282 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (13) ...to here |...... | 294 | if (sockfd < 0) { | | ~ | | | | | (14) following 'false' branch (when 'sockfd_26 >= 0')... |...... | 299 | usleep(10000); | | ~~~~~~ | | | | | (15) ...to here | 'do_sendmsg': event 16 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) calling '_io_uring_get_sqe' from 'do_sendmsg' | +--> '_io_uring_get_sqe': events 17-18 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (17) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (18) following 'false' branch... | '_io_uring_get_sqe': event 19 | |cc1: | (19): ...to here | <------+ | 'do_sendmsg': events 20-21 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'do_sendmsg' from '_io_uring_get_sqe' | g++ -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -std=c++11 -DLIBURING_BUILD_TEST -o sq-full-cpp.t sq-full-cpp.cc helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o socket-rw.t socket-rw.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o rsrc_tags.t rsrc_tags.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o socket-rw-eagain.t socket-rw-eagain.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o read-write.t read-write.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from read-write.c:16: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_provide_buffers' at ../src/include/liburing.h:705:2, inlined from 'test_buf_select_short.part.0' at read-write.c:404:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_buf_select_short.part.0': events 1-2 | |read-write.c:385:12: | 385 | static int test_buf_select_short(const char *filename, int nonvec) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'test_buf_select_short.part.0' |...... | 396 | if (ret) { | | ~ | | | | | (2) following 'false' branch (when 'ret_1 == 0')... | 'test_buf_select_short.part.0': event 3 | |cc1: | (3): ...to here | 'test_buf_select_short.part.0': events 4-5 | | 402 | for (i = 0; i < BUFFERS; i++) { | | ^ | | | | | (4) following 'true' branch (when 'i_5 != 32')... | 403 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (5) ...to here | 'test_buf_select_short.part.0': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from 'test_buf_select_short.part.0' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | 'test_buf_select_short.part.0': events 10-11 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'test_buf_select_short.part.0' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_provide_buffers' at ../src/include/liburing.h:705:2, inlined from 'provide_buffers_iovec' at read-write.c:439:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_rem_buf.part.0': events 1-4 | |read-write.c:509:12: | 509 | static int test_rem_buf(int batch, int sqe_flags) | | ^~~~~~~~~~~~ | | | | | (1) entry to 'test_rem_buf.part.0' |...... | 521 | if (ret) { | | ~ | | | | | (2) following 'false' branch (when 'ret_1 == 0')... |...... | 526 | ret = provide_buffers_iovec(&ring, bgid); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'provide_buffers_iovec' from 'test_rem_buf.part.0' | | (3) ...to here | +--> 'provide_buffers_iovec': event 5 | | 431 | static int provide_buffers_iovec(struct io_uring *ring, int bgid) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'provide_buffers_iovec' | 'provide_buffers_iovec': events 6-7 | | 437 | for (i = 0; i < BUFFERS; i++) { | | ^ | | | | | (6) following 'true' branch (when 'i_15 != 32')... | 438 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (7) ...to here | 'provide_buffers_iovec': event 8 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling '_io_uring_get_sqe' from 'provide_buffers_iovec' | +--> '_io_uring_get_sqe': events 9-10 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (9) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (10) following 'false' branch... | '_io_uring_get_sqe': event 11 | |cc1: | (11): ...to here | <------+ | 'provide_buffers_iovec': events 12-13 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) dereference of NULL '_io_uring_get_sqe (ring_22(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) returning to 'provide_buffers_iovec' from '_io_uring_get_sqe' | ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size_params': events 1-2 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (1) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (2) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 3-6 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (3) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (6) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (5) ...to here | +--> 'io_uring_queue_mmap': events 7-8 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (7) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (8) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 9-10 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (9) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (10) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 11-13 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (11) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (12) following 'false' branch (when 'ret_11 != 4294967295B')... | | (13) ...to here | <------+ | 'io_uring_mmap': events 14-19 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (14) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (15) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (17) following 'false' branch... | | (16) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (19) calling '__sys_mmap' from 'io_uring_mmap' | | (18) ...to here | +--> '__sys_mmap': events 20-22 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (20) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (21) following 'false' branch (when 'ret_11 != 4294967295B')... | | (22) ...to here | <------+ | 'io_uring_mmap': events 23-26 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (23) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (24) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (25) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (26) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 27-29 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (27) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (28) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (29) ...to here | <------+ | 'io_uring_mmap': event 30 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (30) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 31 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (31) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 32-34 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (32) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (33) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (34) ...to here | <------+ | 'io_uring_mlock_size_params': events 35-38 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (35) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (37) ...to here | | (38) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 39-42 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (39) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (40) '0B' is NULL | | | (41) '0B' is NULL | | (42) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sqpoll-cancel-hang.t sqpoll-cancel-hang.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o socket-rw-offset.t socket-rw-offset.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sqpoll-disable-exit.t sqpoll-disable-exit.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread sqpoll-disable-exit.c: In function 'syz_io_uring_setup': sqpoll-disable-exit.c:94:17: warning: dereference of NULL 'ring_ptr_out_22' [CWE-476] [-Wanalyzer-null-dereference] 94 | *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 95 | MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 96 | IORING_OFF_SQ_RING); | ~~~~~~~~~~~~~~~~~~~ 'execute_one': events 1-2 | | 177 | void execute_one(void) | | ^~~~~~~~~~~ | | | | | (1) entry to 'execute_one' |...... | 187 | syz_io_uring_setup(0x74bc, 0x20000040, 0x20ffb000, 0x20ffc000, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling 'syz_io_uring_setup' from 'execute_one' | +--> 'syz_io_uring_setup': events 3-6 | | 78 | static long syz_io_uring_setup(volatile long a0, volatile long a1, | | ^~~~~~~~~~~~~~~~~~ | | | | | (3) entry to 'syz_io_uring_setup' |...... | 86 | void** ring_ptr_out = (void**)a4; | | ~~~~~~~~~~~~ | | | | | (4) 'ring_ptr_out_22' is NULL | 87 | void** sqes_ptr_out = (void**)a5; | | ~~~~~~~~~~~~ | | | | | (5) 'ring_ptr_out_22' is NULL |...... | 94 | *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) dereference of NULL 'ring_ptr_out_22' | 95 | MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 96 | IORING_OFF_SQ_RING); | | ~~~~~~~~~~~~~~~~~~~ | ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sqpoll-sleep.t sqpoll-sleep.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o socket.t socket.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from socket.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_socket' at ../src/include/liburing.h:861:2, inlined from 'do_send' at socket.c:260:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |socket.c:368:5: | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_9(D) <= 1')... |...... | 375 | ret = test(0, 0, 0, 0); | | ~~~ ~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_sqthread, int regfiles, int socket_direct, int alloc) | | ^~~~ | | | | | (5) entry to 'test' |...... | 356 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_16 == 0')... |...... | 362 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 363 | do_send(socket_direct, alloc); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-13 | | 221 | static int do_send(int socket_direct, int alloc) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 234 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_36 == 0')... |...... | 239 | if (socket_direct) { | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'socket_direct_37(D) == 0')... | | (11) ...to here |...... | 247 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (13) ...to here | 'do_send': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'do_send': event 18 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'do_send' from '_io_uring_get_sqe' | 'do_send': events 19-20 | |socket.c:253:12: | 253 | if (socket_direct) { | | ^ | | | | | (19) following 'false' branch (when 'socket_direct_37(D) == 0')... |...... | 260 | io_uring_prep_socket(sqe, AF_INET, SOCK_DGRAM, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here | 'do_send': event 21 | |../src/include/liburing.h:301:21: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~^~~~~~~~~~~ | | | | | (21) dereference of NULL '_io_uring_get_sqe (&ring)' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_send' at ../src/include/liburing.h:664:2, inlined from 'fallback_send' at socket.c:194:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |socket.c:368:5: | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_9(D) <= 1')... |...... | 375 | ret = test(0, 0, 0, 0); | | ~~~ ~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_sqthread, int regfiles, int socket_direct, int alloc) | | ^~~~ | | | | | (5) entry to 'test' |...... | 356 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_16 == 0')... |...... | 362 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 363 | do_send(socket_direct, alloc); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-13 | | 221 | static int do_send(int socket_direct, int alloc) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 234 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_36 == 0')... |...... | 239 | if (socket_direct) { | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'socket_direct_37(D) == 0')... | | (11) ...to here |...... | 247 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (13) ...to here | 'do_send': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'do_send': event 18 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'do_send' from '_io_uring_get_sqe' | 'do_send': events 19-23 | |socket.c:253:12: | 253 | if (socket_direct) { | | ^ | | | | | (19) following 'false' branch (when 'socket_direct_37(D) == 0')... |...... | 260 | io_uring_prep_socket(sqe, AF_INET, SOCK_DGRAM, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here |...... | 263 | if (ret != 1) { | | ~ | | | | | (21) following 'false' branch (when 'ret_45 == 1')... |...... | 267 | ret = io_uring_wait_cqe(&ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (23) calling 'io_uring_wait_cqe' from 'do_send' | | (22) ...to here | +--> 'io_uring_wait_cqe': events 24-25 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (24) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 26-28 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (26) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (27) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (28) ...to here | <------+ | 'io_uring_wait_cqe': events 29-30 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (30) following 'false' branch... | | (29) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | 'io_uring_wait_cqe': event 31 | |cc1: | (31): ...to here | <------+ | 'do_send': events 32-39 | |socket.c:267:15: | 267 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'do_send' from 'io_uring_wait_cqe' | 268 | if (ret) { | | ~ | | | | | (33) following 'false' branch (when 'ret_47 == 0')... |...... | 272 | if (cqe->res < 0) { | | ~~ ~ | | | | | | | (35) following 'true' branch... | | (34) ...to here | 273 | if (cqe->res == -EINVAL) { | | ~~ ~ | | | | | | | (37) following 'true' branch... | | (36) ...to here | 274 | fprintf(stdout, "No socket support, skipping\n"); | | ~~~~~~~ | | | | | (38) ...to here |...... | 277 | return fallback_send(&ring, &saddr); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (39) calling 'fallback_send' from 'do_send' | +--> 'fallback_send': events 40-44 | | 171 | static int fallback_send(struct io_uring *ring, struct sockaddr_in *saddr) | | ^~~~~~~~~~~~~ | | | | | (40) entry to 'fallback_send' |...... | 182 | if (sockfd < 0) { | | ~ | | | | | (41) following 'false' branch (when 'sockfd_12 >= 0')... |...... | 187 | ret = connect(sockfd, (struct sockaddr *)saddr, sizeof(*saddr)); | | ~~~ | | | | | (42) ...to here | 188 | if (ret < 0) { | | ~ | | | | | (43) following 'false' branch (when 'ret_16 >= 0')... |...... | 193 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (44) ...to here | 'fallback_send': event 45 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (45) calling '_io_uring_get_sqe' from 'fallback_send' | +--> '_io_uring_get_sqe': events 46-47 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (46) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (47) following 'false' branch... | '_io_uring_get_sqe': event 48 | |cc1: | (48): ...to here | <------+ | 'fallback_send': events 49-50 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (50) dereference of NULL '_io_uring_get_sqe (ring_17(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (49) returning to 'fallback_send' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_connect' at ../src/include/liburing.h:574:2, inlined from 'do_send' at socket.c:290:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |socket.c:368:5: | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_9(D) <= 1')... |...... | 375 | ret = test(0, 0, 0, 0); | | ~~~ ~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_sqthread, int regfiles, int socket_direct, int alloc) | | ^~~~ | | | | | (5) entry to 'test' |...... | 356 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_16 == 0')... |...... | 362 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 363 | do_send(socket_direct, alloc); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-13 | | 221 | static int do_send(int socket_direct, int alloc) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 234 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_36 == 0')... |...... | 239 | if (socket_direct) { | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'socket_direct_37(D) == 0')... | | (11) ...to here |...... | 247 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (13) ...to here | 'do_send': event 14 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 15-16 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (16) following 'false' branch... | '_io_uring_get_sqe': event 17 | |cc1: | (17): ...to here | <------+ | 'do_send': event 18 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) returning to 'do_send' from '_io_uring_get_sqe' | 'do_send': events 19-23 | |socket.c:253:12: | 253 | if (socket_direct) { | | ^ | | | | | (19) following 'false' branch (when 'socket_direct_37(D) == 0')... |...... | 260 | io_uring_prep_socket(sqe, AF_INET, SOCK_DGRAM, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here |...... | 263 | if (ret != 1) { | | ~ | | | | | (21) following 'false' branch (when 'ret_45 == 1')... |...... | 267 | ret = io_uring_wait_cqe(&ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (23) calling 'io_uring_wait_cqe' from 'do_send' | | (22) ...to here | +--> 'io_uring_wait_cqe': events 24-25 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (24) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 26-28 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (26) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (27) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (28) ...to here | <------+ | 'io_uring_wait_cqe': events 29-31 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (31) ...to here | | | (29) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (30) following 'true' branch... | <------+ | 'do_send': events 32-38 | |socket.c:267:15: | 267 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'do_send' from 'io_uring_wait_cqe' | 268 | if (ret) { | | ~ | | | | | (33) following 'false' branch (when 'ret_47 == 0')... |...... | 272 | if (cqe->res < 0) { | | ~~ ~ | | | | | | | (35) following 'false' branch... | | (34) ...to here |...... | 284 | sockfd = cqe->res; | | ~~~~~~ | | | | | (36) ...to here | 285 | if (socket_direct && !alloc) | | ~ | | | | | (37) following 'false' branch... | 286 | sockfd = 0; | 287 | io_uring_cqe_seen(&ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (38) ...to here | 'do_send': event 39 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (39) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 40-41 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (40) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (41) following 'false' branch... | '_io_uring_get_sqe': event 42 | |cc1: | (42): ...to here | <------+ | 'do_send': events 43-44 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (44) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (43) returning to 'do_send' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_send' at ../src/include/liburing.h:664:2, inlined from 'do_send' at socket.c:311:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |socket.c:368:5: | 368 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 372 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_9(D) <= 1')... |...... | 375 | ret = test(0, 0, 0, 0); | | ~~~ ~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'test' from 'main' | | (3) ...to here | +--> 'test': events 5-8 | | 340 | static int test(int use_sqthread, int regfiles, int socket_direct, int alloc) | | ^~~~ | | | | | (5) entry to 'test' |...... | 356 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_16 == 0')... |...... | 362 | pthread_mutex_lock(&rd.mutex); | | ~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | 363 | do_send(socket_direct, alloc); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'do_send' from 'test' | +--> 'do_send': events 9-18 | | 221 | static int do_send(int socket_direct, int alloc) | | ^~~~~~~ | | | | | (9) entry to 'do_send' |...... | 234 | if (ret) { | | ~ | | | | | (10) following 'false' branch (when 'ret_36 == 0')... |...... | 239 | if (socket_direct) { | | ~~ ~ | | | | | | | (12) following 'false' branch (when 'socket_direct_37(D) == 0')... | | (11) ...to here |...... | 247 | memset(&saddr, 0, sizeof(saddr)); | | ~~~~~~ | | | | | (13) ...to here |...... | 253 | if (socket_direct) { | | ~ | | | | | (14) following 'false' branch (when 'socket_direct_37(D) == 0')... |...... | 260 | io_uring_prep_socket(sqe, AF_INET, SOCK_DGRAM, 0, 0); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (15) ...to here |...... | 263 | if (ret != 1) { | | ~ | | | | | (16) following 'false' branch (when 'ret_45 == 1')... |...... | 267 | ret = io_uring_wait_cqe(&ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (18) calling 'io_uring_wait_cqe' from 'do_send' | | (17) ...to here | +--> 'io_uring_wait_cqe': events 19-20 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 21-23 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (21) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (22) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (23) ...to here | <------+ | 'io_uring_wait_cqe': events 24-26 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (26) ...to here | | | (24) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (25) following 'true' branch... | <------+ | 'do_send': events 27-38 | |socket.c:267:15: | 267 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) returning to 'do_send' from 'io_uring_wait_cqe' | 268 | if (ret) { | | ~ | | | | | (28) following 'false' branch (when 'ret_47 == 0')... |...... | 272 | if (cqe->res < 0) { | | ~~ ~ | | | | | | | (30) following 'false' branch... | | (29) ...to here |...... | 284 | sockfd = cqe->res; | | ~~~~~~ | | | | | (31) ...to here | 285 | if (socket_direct && !alloc) | | ~ | | | | | (32) following 'false' branch... | 286 | sockfd = 0; | 287 | io_uring_cqe_seen(&ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (33) ...to here |...... | 292 | if (socket_direct) | | ~ | | | | | (34) following 'false' branch (when 'socket_direct_37(D) == 0')... | 293 | sqe->flags |= IOSQE_FIXED_FILE; | 294 | ret = io_uring_submit(&ring); | | ~~~ | | | | | (35) ...to here | 295 | if (ret != 1) { | | ~ | | | | | (36) following 'false' branch (when 'ret_50 == 1')... |...... | 299 | ret = io_uring_wait_cqe(&ring, &cqe); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (38) calling 'io_uring_wait_cqe' from 'do_send' | | (37) ...to here | +--> 'io_uring_wait_cqe': events 39-40 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (39) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (40) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 41-43 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (41) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (42) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (43) ...to here | <------+ | 'io_uring_wait_cqe': events 44-46 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (46) ...to here | | | (44) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (45) following 'true' branch... | <------+ | 'do_send': events 47-51 | |socket.c:299:15: | 299 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (47) returning to 'do_send' from 'io_uring_wait_cqe' | 300 | if (ret) { | | ~ | | | | | (48) following 'false' branch (when 'ret_52 == 0')... |...... | 304 | if (cqe->res < 0) { | | ~~ ~ | | | | | | | (50) following 'false' branch... | | (49) ...to here |...... | 308 | io_uring_cqe_seen(&ring, cqe); | | ~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here | 'do_send': event 52 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (52) calling '_io_uring_get_sqe' from 'do_send' | +--> '_io_uring_get_sqe': events 53-54 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (53) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (54) following 'false' branch... | '_io_uring_get_sqe': event 55 | |cc1: | (55): ...to here | <------+ | 'do_send': events 56-57 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (57) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (56) returning to 'do_send' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sqpoll-exit-hang.t sqpoll-exit-hang.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from sqpoll-exit-hang.c:12: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'main' at sqpoll-exit-hang.c:69:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-7 | |sqpoll-exit-hang.c:39:5: | 39 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 47 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_14(D) <= 1')... |...... | 50 | p.flags = IORING_SETUP_SQPOLL; | | ~ | | | | | (3) ...to here |...... | 54 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_18 == 0')... |...... | 63 | if (!(p.features & IORING_FEAT_SQPOLL_NONFIXED)) { | | ~~ ~ | | | | | | | (6) following 'false' branch... | | (5) ...to here |...... | 68 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (7) ...to here | 'main': event 8 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 9-10 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (9) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (10) following 'false' branch... | '_io_uring_get_sqe': event 11 | |cc1: | (11): ...to here | <------+ | 'main': events 12-13 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o teardowns.t teardowns.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sq-poll-kthread.t sq-poll-kthread.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sq-poll-dup.t sq-poll-dup.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sq-poll-share.t sq-poll-share.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o splice.t splice.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o skip-cqe.t skip-cqe.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from skip-cqe.c:10: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-8 | |skip-cqe.c:306:5: | 306 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 313 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_64(D) <= 1')... |...... | 316 | if (pipe(fds)) { | | ~~ ~ | | | | | | | (4) following 'false' branch... | | (3) ...to here |...... | 320 | ret = io_uring_queue_init(16, &ring, 0); | | ~~~ | | | | | (5) ...to here | 321 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_68 == 0')... |...... | 326 | if (!(ring.features & IORING_FEAT_CQE_SKIP)) { | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here | 'main': event 9 | |cc1: | (9): ...to here | 'main': event 10 | | 331 | for (i = 0; i < 4; i++) { | | ~~^~~ | | | | | (10) following 'true' branch (when 'i_47 != 4')... | 'main': event 11 | | 332 | bool skip_last = i & 1; | | ^~~~ | | | | | (11) ...to here | 'main': event 12 | | 333 | int sz = (i & 2) ? LINK_SIZE : 1; | | ~~~~~~~~~~~~~~~~~~~~^~~ | | | | | (12) following 'false' branch... | 'main': event 13 | |cc1: | (13): ...to here | 'main': event 14 | | 335 | ret = test_link_success(&ring, sz, skip_last); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling 'test_link_success' from 'main' | +--> 'test_link_success': events 15-17 | | 23 | static int test_link_success(struct io_uring *ring, int nr, bool skip_last) | | ^~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'test_link_success' |...... | 29 | for (i = 0; i < nr; ++i) { | | ~~~~~~ | | | | | (16) following 'true' branch (when 'i_21 < nr_28(D)')... | 30 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (17) ...to here | 'test_link_success': event 18 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling '_io_uring_get_sqe' from 'test_link_success' | +--> '_io_uring_get_sqe': events 19-20 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (19) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (20) following 'false' branch... | '_io_uring_get_sqe': event 21 | |cc1: | (21): ...to here | <------+ | 'test_link_success': event 22 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) returning to 'test_link_success' from '_io_uring_get_sqe' | 'test_link_success': event 23 | |skip-cqe.c:31:17: | 31 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) calling 'io_uring_prep_nop' from 'test_link_success' | +--> 'io_uring_prep_nop': events 24-25 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (24) entry to 'io_uring_prep_nop' | ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o symlink.t symlink.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o sq-space_left.t sq-space_left.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o thread-exit.t thread-exit.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o stdout.t stdout.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o submit-link-fail.t submit-link-fail.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from submit-link-fail.c:13: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'test_underprep_fail' at submit-link-fail.c:60:4: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |submit-link-fail.c:122:5: | 122 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_19(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': event 4 | | 134 | for (link_size = 0; link_size < 3; link_size++) { | | ~~~~~~~~~~^~~ | | | | | (4) following 'true' branch (when 'link_size_11 != 3')... | 'main': event 5 | |cc1: | (5): ...to here | 'main': events 6-8 | | 134 | for (link_size = 0; link_size < 3; link_size++) { | | ~~~~~~~~~~~~~ ~~~~~~~~~~~ | | | | | | | (7) ...to here | | (8) following 'true' branch (when 'link_size_11 != 3')... | 135 | for (fail_idx = 0; fail_idx < link_size; fail_idx++) { | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (6) following 'false' branch (when 'link_size_11 <= fail_idx_12')... | 'main': event 9 | |cc1: | (9): ...to here | 'main': event 10 | | 135 | for (fail_idx = 0; fail_idx < link_size; fail_idx++) { | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (10) following 'true' branch (when 'link_size_11 > fail_idx_12')... | 'main': event 11 | |cc1: | (11): ...to here | 'main': event 12 | | 136 | for (i = 0; i < 8; i++) { | | ~~^~~ | | | | | (12) following 'true' branch (when 'i_13 != 8')... | 'main': event 13 | | 137 | bool hardlink = (i & 1) != 0; | | ^~~~ | | | | | (13) ...to here | 'main': event 14 | | 141 | ret = test_underprep_fail(hardlink, drain, link_last, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling 'test_underprep_fail' from 'main' | 142 | link_size, fail_idx); | | ~~~~~~~~~~~~~~~~~~~~ | +--> 'test_underprep_fail': events 15-18 | | 17 | static int test_underprep_fail(bool hardlink, bool drain, bool link_last, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'test_underprep_fail' |...... | 29 | if (drain) | | ~ | | | | | (16) following 'false' branch (when 'drain_48(D) == 0')... | 30 | link_flags |= IOSQE_IO_DRAIN; | 31 | if (hardlink) | | ~~ ~ | | | | | | | (18) following 'false' branch (when 'hardlink_49(D) == 0')... | | (17) ...to here | 'test_underprep_fail': event 19 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (19) ...to here | 'test_underprep_fail': event 20 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'link_size_47(D) > fail_idx_50(D)')... | 'test_underprep_fail': event 21 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (21) ...to here | 'test_underprep_fail': event 22 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'link_size_47(D) <= 39')... | 'test_underprep_fail': events 23-31 | | 38 | ret = io_uring_queue_init(8, &ring, 0); | | ^~~ | | | | | (23) ...to here | 39 | if (ret) { | | ~ | | | | | (24) following 'false' branch (when 'ret_55 == 0')... |...... | 43 | if (pipe(fds)) { | | ~~ ~ | | | | | | | (26) following 'false' branch... | | (25) ...to here |...... | 48 | if (drain) { | | ~~ ~ | | | | | | | (28) following 'false' branch (when 'drain_48(D) == 0')... | | (27) ...to here |...... | 57 | for (i = 0; i < link_size; i++) { | | ~~~ ~~~~~~~~~~~~~ | | | | | | | (30) following 'true' branch (when 'i_35 < link_size_47(D)')... | | (29) ...to here | 58 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (31) ...to here | 'test_underprep_fail': event 32 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) calling '_io_uring_get_sqe' from 'test_underprep_fail' | +--> '_io_uring_get_sqe': events 33-34 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (33) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (34) following 'false' branch... | '_io_uring_get_sqe': event 35 | |cc1: | (35): ...to here | <------+ | 'test_underprep_fail': event 36 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (36) returning to 'test_underprep_fail' from '_io_uring_get_sqe' | 'test_underprep_fail': events 37-38 | |submit-link-fail.c:59:20: | 59 | if (i == fail_idx) { | | ^ | | | | | (37) following 'true' branch (when 'i_35 == fail_idx_50(D)')... | 60 | io_uring_prep_read(sqe, invalid_fd, buffer, 1, 0); | | ~~~~~~~~~~~~~~~~~~ | | | | | (38) ...to here | 'test_underprep_fail': event 39 | |../src/include/liburing.h:301:21: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~^~~~~~~~~~~ | | | | | (39) dereference of NULL '_io_uring_get_sqe (&ring)' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |submit-link-fail.c:122:5: | 122 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_19(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': event 4 | | 134 | for (link_size = 0; link_size < 3; link_size++) { | | ~~~~~~~~~~^~~ | | | | | (4) following 'true' branch (when 'link_size_11 != 3')... | 'main': event 5 | |cc1: | (5): ...to here | 'main': events 6-8 | | 134 | for (link_size = 0; link_size < 3; link_size++) { | | ~~~~~~~~~~~~~ ~~~~~~~~~~~ | | | | | | | (7) ...to here | | (8) following 'true' branch (when 'link_size_11 != 3')... | 135 | for (fail_idx = 0; fail_idx < link_size; fail_idx++) { | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (6) following 'false' branch (when 'link_size_11 <= fail_idx_12')... | 'main': event 9 | |cc1: | (9): ...to here | 'main': event 10 | | 135 | for (fail_idx = 0; fail_idx < link_size; fail_idx++) { | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (10) following 'true' branch (when 'link_size_11 > fail_idx_12')... | 'main': event 11 | |cc1: | (11): ...to here | 'main': event 12 | | 136 | for (i = 0; i < 8; i++) { | | ~~^~~ | | | | | (12) following 'true' branch (when 'i_13 != 8')... | 'main': event 13 | | 137 | bool hardlink = (i & 1) != 0; | | ^~~~ | | | | | (13) ...to here | 'main': event 14 | | 141 | ret = test_underprep_fail(hardlink, drain, link_last, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling 'test_underprep_fail' from 'main' | 142 | link_size, fail_idx); | | ~~~~~~~~~~~~~~~~~~~~ | +--> 'test_underprep_fail': events 15-18 | | 17 | static int test_underprep_fail(bool hardlink, bool drain, bool link_last, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'test_underprep_fail' |...... | 29 | if (drain) | | ~ | | | | | (16) following 'false' branch (when 'drain_48(D) == 0')... | 30 | link_flags |= IOSQE_IO_DRAIN; | 31 | if (hardlink) | | ~~ ~ | | | | | | | (18) following 'false' branch (when 'hardlink_49(D) == 0')... | | (17) ...to here | 'test_underprep_fail': event 19 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (19) ...to here | 'test_underprep_fail': event 20 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'link_size_47(D) > fail_idx_50(D)')... | 'test_underprep_fail': event 21 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (21) ...to here | 'test_underprep_fail': event 22 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'link_size_47(D) <= 39')... | 'test_underprep_fail': events 23-31 | | 38 | ret = io_uring_queue_init(8, &ring, 0); | | ^~~ | | | | | (23) ...to here | 39 | if (ret) { | | ~ | | | | | (24) following 'false' branch (when 'ret_55 == 0')... |...... | 43 | if (pipe(fds)) { | | ~~ ~ | | | | | | | (26) following 'false' branch... | | (25) ...to here |...... | 48 | if (drain) { | | ~~ ~ | | | | | | | (28) following 'false' branch (when 'drain_48(D) == 0')... | | (27) ...to here |...... | 57 | for (i = 0; i < link_size; i++) { | | ~~~ ~~~~~~~~~~~~~ | | | | | | | (30) following 'true' branch (when 'i_35 < link_size_47(D)')... | | (29) ...to here | 58 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (31) ...to here | 'test_underprep_fail': event 32 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) calling '_io_uring_get_sqe' from 'test_underprep_fail' | +--> '_io_uring_get_sqe': events 33-34 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (33) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (34) following 'false' branch... | '_io_uring_get_sqe': event 35 | |cc1: | (35): ...to here | <------+ | 'test_underprep_fail': event 36 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (36) returning to 'test_underprep_fail' from '_io_uring_get_sqe' | 'test_underprep_fail': events 37-40 | |submit-link-fail.c:59:20: | 57 | for (i = 0; i < link_size; i++) { | | ~~~~~~~~~~~~~ | | | | | (39) following 'true' branch (when 'i_35 < link_size_47(D)')... | 58 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (40) ...to here | 59 | if (i == fail_idx) { | | ^ | | | | | (37) following 'true' branch (when 'i_35 == fail_idx_50(D)')... | 60 | io_uring_prep_read(sqe, invalid_fd, buffer, 1, 0); | | ~~~~~~~~~~~~~~~~~~ | | | | | (38) ...to here | 'test_underprep_fail': event 41 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (41) calling '_io_uring_get_sqe' from 'test_underprep_fail' | +--> '_io_uring_get_sqe': events 42-43 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (42) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (43) following 'false' branch... | '_io_uring_get_sqe': event 44 | |cc1: | (44): ...to here | <------+ | 'test_underprep_fail': event 45 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (45) returning to 'test_underprep_fail' from '_io_uring_get_sqe' | 'test_underprep_fail': events 46-48 | |submit-link-fail.c:59:20: | 59 | if (i == fail_idx) { | | ^ | | | | | (46) following 'false' branch (when 'i_35 != fail_idx_50(D)')... |...... | 63 | io_uring_prep_nop(sqe); | | ~~~~~~~~~~~~~~~~~~~~~~ | | | | | (47) ...to here | | (48) calling 'io_uring_prep_nop' from 'test_underprep_fail' | +--> 'io_uring_prep_nop': events 49-50 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (50) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (49) entry to 'io_uring_prep_nop' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_read' at ../src/include/liburing.h:627:2, inlined from 'test_underprep_fail' at submit-link-fail.c:51:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-2 | |submit-link-fail.c:122:5: | 122 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 126 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_19(D) <= 1')... | 'main': event 3 | |cc1: | (3): ...to here | 'main': event 4 | | 134 | for (link_size = 0; link_size < 3; link_size++) { | | ~~~~~~~~~~^~~ | | | | | (4) following 'true' branch (when 'link_size_11 != 3')... | 'main': event 5 | |cc1: | (5): ...to here | 'main': events 6-8 | | 134 | for (link_size = 0; link_size < 3; link_size++) { | | ~~~~~~~~~~~~~ ~~~~~~~~~~~ | | | | | | | (7) ...to here | | (8) following 'true' branch (when 'link_size_11 != 3')... | 135 | for (fail_idx = 0; fail_idx < link_size; fail_idx++) { | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (6) following 'false' branch (when 'link_size_11 <= fail_idx_12')... | 'main': event 9 | |cc1: | (9): ...to here | 'main': event 10 | | 135 | for (fail_idx = 0; fail_idx < link_size; fail_idx++) { | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (10) following 'true' branch (when 'link_size_11 > fail_idx_12')... | 'main': event 11 | |cc1: | (11): ...to here | 'main': event 12 | | 136 | for (i = 0; i < 8; i++) { | | ~~^~~ | | | | | (12) following 'true' branch (when 'i_13 != 8')... | 'main': event 13 | | 137 | bool hardlink = (i & 1) != 0; | | ^~~~ | | | | | (13) ...to here | 'main': event 14 | | 141 | ret = test_underprep_fail(hardlink, drain, link_last, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) calling 'test_underprep_fail' from 'main' | 142 | link_size, fail_idx); | | ~~~~~~~~~~~~~~~~~~~~ | +--> 'test_underprep_fail': events 15-18 | | 17 | static int test_underprep_fail(bool hardlink, bool drain, bool link_last, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'test_underprep_fail' |...... | 29 | if (drain) | | ~ | | | | | (16) following 'false' branch (when 'drain_48(D) == 0')... | 30 | link_flags |= IOSQE_IO_DRAIN; | 31 | if (hardlink) | | ~~ ~ | | | | | | | (18) following 'false' branch (when 'hardlink_49(D) == 0')... | | (17) ...to here | 'test_underprep_fail': event 19 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (19) ...to here | 'test_underprep_fail': event 20 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (20) following 'true' branch (when 'link_size_47(D) > fail_idx_50(D)')... | 'test_underprep_fail': event 21 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (21) ...to here | 'test_underprep_fail': event 22 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (22) following 'true' branch (when 'link_size_47(D) <= 39')... | 'test_underprep_fail': events 23-27 | | 38 | ret = io_uring_queue_init(8, &ring, 0); | | ^~~ | | | | | (23) ...to here |...... | 48 | if (drain) { | | ~ | | | | | (24) following 'false' branch (when 'drain_48(D) == 0')... |...... | 57 | for (i = 0; i < link_size; i++) { | | ~~~ ~~~~~~~~~~~~~ | | | | | | | (26) following 'true' branch (when 'i_35 < link_size_47(D)')... | | (25) ...to here | 58 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (27) ...to here | 'test_underprep_fail': event 28 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) calling '_io_uring_get_sqe' from 'test_underprep_fail' | +--> '_io_uring_get_sqe': events 29-31 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (29) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (30) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (31) ...to here | <------+ | 'test_underprep_fail': event 32 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'test_underprep_fail' from '_io_uring_get_sqe' | 'test_underprep_fail': events 33-34 | |submit-link-fail.c:59:20: | 59 | if (i == fail_idx) { | | ^ | | | | | (33) following 'true' branch (when 'i_35 == fail_idx_50(D)')... | 60 | io_uring_prep_read(sqe, invalid_fd, buffer, 1, 0); | | ~~~~~~~~~~~~~~~~~~ | | | | | (34) ...to here | <------+ | 'main': events 35-38 | | 136 | for (i = 0; i < 8; i++) { | | ~~~~~ | | | | | (38) following 'true' branch (when 'i_13 != 8')... |...... | 141 | ret = test_underprep_fail(hardlink, drain, link_last, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (35) returning to 'main' from 'test_underprep_fail' | 142 | link_size, fail_idx); | | ~~~~~~~~~~~~~~~~~~~~ | 143 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_30 == 0')... | 144 | continue; | | ~~~~~~~~ | | | | | (37) ...to here | 'main': event 39 | | 137 | bool hardlink = (i & 1) != 0; | | ^~~~ | | | | | (39) ...to here | 'main': event 40 | | 141 | ret = test_underprep_fail(hardlink, drain, link_last, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (40) calling 'test_underprep_fail' from 'main' | 142 | link_size, fail_idx); | | ~~~~~~~~~~~~~~~~~~~~ | +--> 'test_underprep_fail': event 41 | | 17 | static int test_underprep_fail(bool hardlink, bool drain, bool link_last, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (41) entry to 'test_underprep_fail' | 'test_underprep_fail': event 42 | | 34 | assert(fail_idx < link_size); | | ^~~~~~ | | | | | (42) following 'true' branch (when 'link_size_47(D) > fail_idx_50(D)')... | 'test_underprep_fail': event 43 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (43) ...to here | 'test_underprep_fail': event 44 | | 35 | assert(link_size < 40); | | ^~~~~~ | | | | | (44) following 'true' branch (when 'link_size_47(D) <= 39')... | 'test_underprep_fail': events 45-51 | | 38 | ret = io_uring_queue_init(8, &ring, 0); | | ^~~ | | | | | (45) ...to here | 39 | if (ret) { | | ~ | | | | | (46) following 'false' branch (when 'ret_55 == 0')... |...... | 43 | if (pipe(fds)) { | | ~~ ~ | | | | | | | (48) following 'false' branch... | | (47) ...to here |...... | 48 | if (drain) { | | ~~ ~ | | | | | | | (50) following 'true' branch (when 'drain_48(D) != 0')... | | (49) ...to here | 49 | /* clog drain, so following reqs sent to draining */ | 50 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (51) ...to here | 'test_underprep_fail': event 52 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (52) calling '_io_uring_get_sqe' from 'test_underprep_fail' | +--> '_io_uring_get_sqe': events 53-54 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (53) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (54) following 'false' branch... | '_io_uring_get_sqe': event 55 | |cc1: | (55): ...to here | <------+ | 'test_underprep_fail': events 56-57 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (57) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (56) returning to 'test_underprep_fail' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o tty-write-dpoll.t tty-write-dpoll.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from tty-write-dpoll.c:18: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_writev' at ../src/include/liburing.h:390:2, inlined from 'main' at tty-write-dpoll.c:50:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-8 | |tty-write-dpoll.c:24:5: | 24 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 31 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_8(D) <= 1')... |...... | 34 | fd = open("/dev/ttyS0", O_RDWR | O_NONBLOCK); | | ~~ | | | | | (3) ...to here | 35 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch... |...... | 38 | ret = t_create_ring(SQES, &ring, 0); | | ~~~ | | | | | (5) ...to here | 39 | if (ret == T_SETUP_SKIP) | | ~ | | | | | (6) following 'false' branch (when 'ret_11 != 1')... | 40 | return 0; | 41 | else if (ret < 0) | | ~~ ~ | | | | | | | (8) following 'false' branch (when 'ret_11 >= 0')... | | (7) ...to here | 'main': event 9 | |cc1: | (9): ...to here | 'main': events 10-11 | | 44 | for (i = 0; i < SQES; i++) { | | ^ | | | | | (10) following 'true' branch (when 'i_4 != 128')... | 45 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (11) ...to here | 'main': event 12 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling '_io_uring_get_sqe' from 'main' | +--> '_io_uring_get_sqe': events 13-14 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (13) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (14) following 'false' branch... | '_io_uring_get_sqe': event 15 | |cc1: | (15): ...to here | <------+ | 'main': events 16-17 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to 'main' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o submit-reuse.t submit-reuse.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from helpers.h:12, from submit-reuse.c:15: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'prep' at submit-reuse.c:67:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |submit-reuse.c:217:5: | 217 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 221 | for (i = 0; i < 4; i++) { | | ~~~~~ | | | | | (2) following 'true' branch (when 'i_6 != 4')... | 222 | int split, async; | | ~~~ | | | | | (3) ...to here |...... | 227 | ret = test_reuse(argc, argv, split, async); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling 'test_reuse' from 'main' | +--> 'test_reuse': events 5-16 | | 130 | static int test_reuse(int argc, char *argv[], int split, int async) | | ^~~~~~~~~~ | | | | | (5) entry to 'test_reuse' |...... | 142 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_23 == 0')... |...... | 147 | if (!(p.features & IORING_FEAT_SUBMIT_STABLE)) { | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 154 | if (argc > 1) { | | ~~ | | | | | (9) ...to here |...... | 164 | if (fd1 < 0) { | | ~ | | | | | (10) following 'false' branch... |...... | 169 | t_create_file(".reuse.2", FILE_SIZE); | | ~~~~~~~~~~~~~ | | | | | (11) ...to here |...... | 172 | if (fd2 < 0) { | | ~ | | | | | (12) following 'false' branch... |...... | 177 | data.fd1 = fd1; | | ~~~~ | | | | | (13) ...to here |...... | 184 | for (i = 0; i < 1000; i++) { | | ~~~~~~~~ | | | | | (14) following 'true' branch (when 'i_10 != 1000')... | 185 | ret = prep(fd1, str1, split, async); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (16) calling 'prep' from 'test_reuse' | | (15) ...to here | +--> 'prep': events 17-19 | | 46 | static int prep(int fd, char *str, int split, int async) | | ^~~~ | | | | | (17) entry to 'prep' |...... | 52 | if (split) { | | ~ | | | | | (18) following 'false' branch (when 'split_12(D) == 0')... |...... | 62 | iovs[0].iov_base = str; | | ~~~~ | | | | | (19) ...to here | 'prep': event 20 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) calling '_io_uring_get_sqe' from 'prep' | +--> '_io_uring_get_sqe': events 21-22 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (21) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (22) following 'false' branch... | '_io_uring_get_sqe': event 23 | |cc1: | (23): ...to here | <------+ | 'prep': event 24 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to 'prep' from '_io_uring_get_sqe' | 'prep': event 25 | |submit-reuse.c:67:9: | 67 | io_uring_prep_readv(sqe, fd, iovs, split ? 16 : 1, 0); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) following 'false' branch (when 'split_12(D) == 0')... | 'prep': event 26 | |cc1: | (26): ...to here | 'prep': event 27 | |../src/include/liburing.h:301:21: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~^~~~~~~~~~~ | | | | | (27) dereference of NULL '_io_uring_get_sqe (&ring)' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o timeout-new.t timeout-new.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from timeout-new.c:10: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_return_before_timeout': event 1 | |timeout-new.c:51:12: | 51 | static int test_return_before_timeout(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'test_return_before_timeout' | 'test_return_before_timeout': event 2 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_io_uring_get_sqe' from 'test_return_before_timeout' | +--> '_io_uring_get_sqe': events 3-4 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (3) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (4) following 'false' branch... | '_io_uring_get_sqe': event 5 | |cc1: | (5): ...to here | <------+ | 'test_return_before_timeout': event 6 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'test_return_before_timeout' from '_io_uring_get_sqe' | 'test_return_before_timeout': event 7 | |timeout-new.c:62:9: | 62 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) calling 'io_uring_prep_nop' from 'test_return_before_timeout' | +--> 'io_uring_prep_nop': events 8-9 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (8) entry to 'io_uring_prep_nop' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o unlink.t unlink.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o wakeup-hang.t wakeup-hang.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from wakeup-hang.c:8: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'test_pipes' at wakeup-hang.c:81:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_pipes': events 1-5 | |wakeup-hang.c:59:12: | 59 | static int test_pipes(void) | | ^~~~~~~~~~ | | | | | (1) entry to 'test_pipes' |...... | 68 | if (pipe(fds) < 0) | | ~ | | | | | (2) following 'false' branch... |...... | 71 | ret = io_uring_queue_init(8, &ring, 0); | | ~~~ | | | | | (3) ...to here | 72 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_17 == 0')... |...... | 77 | td.write_fd = fds[1]; | | ~~ | | | | | (5) ...to here | 'test_pipes': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from 'test_pipes' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | 'test_pipes': events 10-11 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'test_pipes' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_poll_add' at ../src/include/liburing.h:436:2, inlined from 'test_eventfd' at wakeup-hang.c:123:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'test_eventfd': events 1-5 | |wakeup-hang.c:100:12: | 100 | static int test_eventfd(void) | | ^~~~~~~~~~~~ | | | | | (1) entry to 'test_eventfd' |...... | 110 | if (efd < 0) | | ~ | | | | | (2) following 'false' branch (when 'efd_12 >= 0')... |...... | 113 | ret = io_uring_queue_init(8, &ring, 0); | | ~~~ | | | | | (3) ...to here | 114 | if (ret) { | | ~ | | | | | (4) following 'false' branch (when 'ret_15 == 0')... |...... | 119 | td.write_fd = efd; | | ~~ | | | | | (5) ...to here | 'test_eventfd': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from 'test_eventfd' | +--> '_io_uring_get_sqe': events 7-8 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'false' branch... | '_io_uring_get_sqe': event 9 | |cc1: | (9): ...to here | <------+ | 'test_eventfd': events 10-11 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'test_eventfd' from '_io_uring_get_sqe' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o timeout-overflow.t timeout-overflow.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread In file included from timeout-overflow.c:12: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_timeout' at ../src/include/liburing.h:481:2, inlined from 'check_timeout_support' at timeout-overflow.c:48:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |timeout-overflow.c:181:5: | 181 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 185 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_6(D) <= 1')... |...... | 188 | ret = check_timeout_support(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'check_timeout_support' from 'main' | | (3) ...to here | +--> 'check_timeout_support': events 5-9 | | 23 | static int check_timeout_support(void) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'check_timeout_support' |...... | 34 | if (ret) { | | ~ | | | | | (6) following 'false' branch (when 'ret_16 == 0')... |...... | 40 | if (p.features & IORING_FEAT_POLL_32BITS) { | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here |...... | 46 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (9) ...to here | 'check_timeout_support': event 10 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling '_io_uring_get_sqe' from 'check_timeout_support' | +--> '_io_uring_get_sqe': events 11-12 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (11) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (12) following 'false' branch... | '_io_uring_get_sqe': event 13 | |cc1: | (13): ...to here | <------+ | 'check_timeout_support': events 14-15 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) dereference of NULL '_io_uring_get_sqe (&ring)' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) returning to 'check_timeout_support' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_timeout' at ../src/include/liburing.h:481:2, inlined from 'test_timeout_overflow' at timeout-overflow.c:118:3: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |timeout-overflow.c:181:5: | 181 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 185 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_6(D) <= 1')... |...... | 188 | ret = check_timeout_support(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'check_timeout_support' from 'main' | | (3) ...to here | +--> 'check_timeout_support': event 5 | | 23 | static int check_timeout_support(void) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'check_timeout_support' | 'check_timeout_support': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from 'check_timeout_support' | +--> '_io_uring_get_sqe': events 7-9 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (9) ...to here | <------+ | 'check_timeout_support': event 10 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'check_timeout_support' from '_io_uring_get_sqe' | 'check_timeout_support': event 11 | |timeout-overflow.c:56:15: | 56 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) calling 'io_uring_wait_cqe' from 'check_timeout_support' | +--> 'io_uring_wait_cqe': events 12-13 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (12) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 14-16 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (14) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (15) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (16) ...to here | <------+ | 'io_uring_wait_cqe': events 17-19 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (19) ...to here | | | (17) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (18) following 'true' branch... | <------+ | 'check_timeout_support': event 20 | |timeout-overflow.c:56:15: | 56 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'check_timeout_support' from 'io_uring_wait_cqe' | <------+ | 'main': events 21-26 | | 188 | ret = check_timeout_support(); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) returning to 'main' from 'check_timeout_support' | 189 | if (ret) { | | ~ | | | | | (22) following 'false' branch (when 'ret_9 == 0')... |...... | 194 | if (not_supported) | | ~~ ~ | | | | | | | (24) following 'false' branch... | | (23) ...to here |...... | 197 | ret = test_timeout_overflow(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (26) calling 'test_timeout_overflow' from 'main' | | (25) ...to here | +--> 'test_timeout_overflow': events 27-31 | | 88 | static int test_timeout_overflow(void) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (27) entry to 'test_timeout_overflow' |...... | 97 | if (ret) { | | ~ | | | | | (28) following 'false' branch (when 'ret_25 == 0')... |...... | 102 | msec_to_ts(&ts, TIMEOUT_MSEC); | | ~~~~~~~~~~ | | | | | (29) ...to here | 103 | for (i = 0; i < 4; i++) { | | ~~~~~ | | | | | (30) following 'true' branch (when 'i_14 != 4')... | 104 | unsigned num = 0; | | ~~~~~~~~ | | | | | (31) ...to here | 'test_timeout_overflow': event 32 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) calling '_io_uring_get_sqe' from 'test_timeout_overflow' | +--> '_io_uring_get_sqe': events 33-34 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (33) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (34) following 'false' branch... | '_io_uring_get_sqe': event 35 | |cc1: | (35): ...to here | <------+ | 'test_timeout_overflow': event 36 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (36) returning to 'test_timeout_overflow' from '_io_uring_get_sqe' | 'test_timeout_overflow': events 37-38 | |timeout-overflow.c:106:17: | 106 | switch (i) { | | ^~~~~~ | | | | | (37) following 'default:' branch... |...... | 118 | io_uring_prep_timeout(sqe, &ts, num, 0); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (38) ...to here | 'test_timeout_overflow': event 39 | |../src/include/liburing.h:301:21: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~^~~~~~~~~~~ | | | | | (39) dereference of NULL '_io_uring_get_sqe (&ring)' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_nop' at ../src/include/liburing.h:474:2: ../src/include/liburing.h:301:21: warning: dereference of NULL 'sqe_2(D)' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-4 | |timeout-overflow.c:181:5: | 181 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 185 | if (argc > 1) | | ~ | | | | | (2) following 'false' branch (when 'argc_6(D) <= 1')... |...... | 188 | ret = check_timeout_support(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (4) calling 'check_timeout_support' from 'main' | | (3) ...to here | +--> 'check_timeout_support': event 5 | | 23 | static int check_timeout_support(void) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'check_timeout_support' | 'check_timeout_support': event 6 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling '_io_uring_get_sqe' from 'check_timeout_support' | +--> '_io_uring_get_sqe': events 7-9 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (7) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (8) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (9) ...to here | <------+ | 'check_timeout_support': event 10 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) returning to 'check_timeout_support' from '_io_uring_get_sqe' | 'check_timeout_support': event 11 | |timeout-overflow.c:56:15: | 56 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) calling 'io_uring_wait_cqe' from 'check_timeout_support' | +--> 'io_uring_wait_cqe': events 12-13 | |../src/include/liburing.h:1052:19: | 1052 | static inline int io_uring_wait_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~ | | | | | (12) entry to 'io_uring_wait_cqe' |...... | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) calling '__io_uring_peek_cqe' from 'io_uring_wait_cqe' | +--> '__io_uring_peek_cqe': events 14-16 | | 993 | static inline int __io_uring_peek_cqe(struct io_uring *ring, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (14) entry to '__io_uring_peek_cqe' |...... | 1030 | if (nr_available) | | ~ | | | | | (15) following 'false' branch (when 'nr_available_30(D)' is NULL)... | 1031 | *nr_available = available; | 1032 | return err; | | ~~~~~~ | | | | | (16) ...to here | <------+ | 'io_uring_wait_cqe': events 17-19 | | 1055 | if (!__io_uring_peek_cqe(ring, cqe_ptr, NULL) && *cqe_ptr) | | ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ | | | | | | | | | (19) ...to here | | | (17) returning to 'io_uring_wait_cqe' from '__io_uring_peek_cqe' | | (18) following 'true' branch... | <------+ | 'check_timeout_support': event 20 | |timeout-overflow.c:56:15: | 56 | ret = io_uring_wait_cqe(&ring, &cqe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'check_timeout_support' from 'io_uring_wait_cqe' | <------+ | 'main': events 21-26 | | 188 | ret = check_timeout_support(); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) returning to 'main' from 'check_timeout_support' | 189 | if (ret) { | | ~ | | | | | (22) following 'false' branch (when 'ret_9 == 0')... |...... | 194 | if (not_supported) | | ~~ ~ | | | | | | | (24) following 'false' branch... | | (23) ...to here |...... | 197 | ret = test_timeout_overflow(); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (26) calling 'test_timeout_overflow' from 'main' | | (25) ...to here | +--> 'test_timeout_overflow': events 27-31 | | 88 | static int test_timeout_overflow(void) | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (27) entry to 'test_timeout_overflow' |...... | 97 | if (ret) { | | ~ | | | | | (28) following 'false' branch (when 'ret_25 == 0')... |...... | 102 | msec_to_ts(&ts, TIMEOUT_MSEC); | | ~~~~~~~~~~ | | | | | (29) ...to here | 103 | for (i = 0; i < 4; i++) { | | ~~~~~ | | | | | (30) following 'true' branch (when 'i_14 != 4')... | 104 | unsigned num = 0; | | ~~~~~~~~ | | | | | (31) ...to here | 'test_timeout_overflow': event 32 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) calling '_io_uring_get_sqe' from 'test_timeout_overflow' | +--> '_io_uring_get_sqe': events 33-35 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (33) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (34) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (35) ...to here | <------+ | 'test_timeout_overflow': event 36 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (36) returning to 'test_timeout_overflow' from '_io_uring_get_sqe' | 'test_timeout_overflow': events 37-40 | |timeout-overflow.c:106:17: | 106 | switch (i) { | | ^~~~~~ | | | | | (37) following 'default:' branch... |...... | 118 | io_uring_prep_timeout(sqe, &ts, num, 0); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (38) ...to here |...... | 121 | for (i = 0; i < 2; i++) { | | ~~~~~ | | | | | (39) following 'true' branch (when 'i_15 != 2')... | 122 | sqe = io_uring_get_sqe(&ring); | | ~~~ | | | | | (40) ...to here | 'test_timeout_overflow': event 41 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (41) calling '_io_uring_get_sqe' from 'test_timeout_overflow' | +--> '_io_uring_get_sqe': events 42-43 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (42) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (43) following 'false' branch... | '_io_uring_get_sqe': event 44 | |cc1: | (44): ...to here | <------+ | 'test_timeout_overflow': event 45 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (45) returning to 'test_timeout_overflow' from '_io_uring_get_sqe' | 'test_timeout_overflow': event 46 | |timeout-overflow.c:123:17: | 123 | io_uring_prep_nop(sqe); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (46) calling 'io_uring_prep_nop' from 'test_timeout_overflow' | +--> 'io_uring_prep_nop': events 47-48 | |../src/include/liburing.h:472:20: | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (48) dereference of NULL 'sqe_2(D)' |...... | 472 | static inline void io_uring_prep_nop(struct io_uring_sqe *sqe) | | ^~~~~~~~~~~~~~~~~ | | | | | (47) entry to 'io_uring_prep_nop' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o statx.t statx.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o xattr.t xattr.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size': events 1-2 | | 346 | ssize_t io_uring_mlock_size(unsigned entries, unsigned flags) | | ^ | | | | | (1) entry to 'io_uring_mlock_size' |...... | 350 | return io_uring_mlock_size_params(entries, &p); | | ~ | | | | | (2) calling 'io_uring_mlock_size_params' from 'io_uring_mlock_size' | +--> 'io_uring_mlock_size_params': events 3-4 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (3) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (4) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 5-8 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (5) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (6) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (8) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (7) ...to here | +--> 'io_uring_queue_mmap': events 9-10 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (9) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (10) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 11-12 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (11) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (12) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 13-15 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (13) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (14) following 'false' branch (when 'ret_11 != 4294967295B')... | | (15) ...to here | <------+ | 'io_uring_mmap': events 16-21 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (16) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (17) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (19) following 'false' branch... | | (18) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (21) calling '__sys_mmap' from 'io_uring_mmap' | | (20) ...to here | +--> '__sys_mmap': events 22-24 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (22) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (23) following 'false' branch (when 'ret_11 != 4294967295B')... | | (24) ...to here | <------+ | 'io_uring_mmap': events 25-28 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (25) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (26) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (27) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (28) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 29-31 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (29) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (30) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (31) ...to here | <------+ | 'io_uring_mmap': event 32 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (32) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 33 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (33) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 34-36 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (34) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (35) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (36) ...to here | <------+ | 'io_uring_mlock_size_params': events 37-40 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (37) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (38) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (39) ...to here | | (40) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 41-44 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (41) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (42) '0B' is NULL | | | (43) '0B' is NULL | | (44) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -D__SANE_USERSPACE_TYPES__ -I../src/include/ -include ../config-host.h -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -Wno-unused-parameter -Wno-sign-compare -Wstringop-overflow=0 -Warray-bounds=0 -DLIBURING_BUILD_TEST -o timeout.t timeout.c helpers.o ../src/syscall.o -L../src/ -luring -lpthread ../src/setup.c: In function 'io_uring_queue_exit': ../src/setup.c:183:43: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | ^ 'io_uring_mlock_size_params': events 1-2 | | 287 | ssize_t io_uring_mlock_size_params(unsigned entries, struct io_uring_params *p) | | ^ | | | | | (1) entry to 'io_uring_mlock_size_params' |...... | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ~ | | | | | (2) calling 'io_uring_queue_init_params' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_init_params': events 3-6 | | 141 | int io_uring_queue_init_params(unsigned entries, struct io_uring *ring, | | ^ | | | | | (3) entry to 'io_uring_queue_init_params' |...... | 147 | if (fd < 0) | | ~ | | | | | (4) following 'false' branch (when 'fd_8 >= 0')... |...... | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ~ ~ | | | | | | | (6) calling 'io_uring_queue_mmap' from 'io_uring_queue_init_params' | | (5) ...to here | +--> 'io_uring_queue_mmap': events 7-8 | | 92 | int io_uring_queue_mmap(int fd, struct io_uring_params *p, struct io_uring *ring) | | ^ | | | | | (7) entry to 'io_uring_queue_mmap' |...... | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ~ | | | | | (8) calling 'io_uring_mmap' from 'io_uring_queue_mmap' | +--> 'io_uring_mmap': events 9-10 | | 18 | static int io_uring_mmap(int fd, struct io_uring_params *p, | | ^ | | | | | (9) entry to 'io_uring_mmap' |...... | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ~ | | | | | (10) calling '__sys_mmap' from 'io_uring_mmap' | +--> '__sys_mmap': events 11-13 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (11) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (12) following 'false' branch (when 'ret_11 != 4294967295B')... | | (13) ...to here | <------+ | 'io_uring_mmap': events 14-19 | |../src/setup.c:36:24: | 36 | sq->ring_ptr = __sys_mmap(0, sq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (14) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 39 | if (IS_ERR(sq->ring_ptr)) | | ~ | | | | | (15) following 'false' branch... |...... | 42 | if (p->features & IORING_FEAT_SINGLE_MMAP) { | | ~ ~ | | | | | | | (17) following 'false' branch... | | (16) ...to here |...... | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ~ ~ | | | | | | | (19) calling '__sys_mmap' from 'io_uring_mmap' | | (18) ...to here | +--> '__sys_mmap': events 20-22 | |../src/arch/x86/../generic/syscall.h:44:21: | 44 | static inline void *__sys_mmap(void *addr, size_t length, int prot, int flags, | | ^ | | | | | (20) entry to '__sys_mmap' |...... | 49 | return (ret == MAP_FAILED) ? ERR_PTR(-errno) : ret; | | ~ | | | | | (21) following 'false' branch (when 'ret_11 != 4294967295B')... | | (22) ...to here | <------+ | 'io_uring_mmap': events 23-26 | |../src/setup.c:45:32: | 45 | cq->ring_ptr = __sys_mmap(0, cq->ring_sz, PROT_READ | PROT_WRITE, | | ^ | | | | | (23) returning to 'io_uring_mmap' from '__sys_mmap' |...... | 48 | if (IS_ERR(cq->ring_ptr)) { | | ~ | | | | | (24) following 'true' branch... | 49 | ret = PTR_ERR(cq->ring_ptr); | | ~ | | | | | (25) ...to here |...... | 71 | io_uring_unmap_rings(sq, cq); | | ~ | | | | | (26) calling 'io_uring_unmap_rings' from 'io_uring_mmap' | +--> 'io_uring_unmap_rings': events 27-29 | | 11 | static void io_uring_unmap_rings(struct io_uring_sq *sq, struct io_uring_cq *cq) | | ^ | | | | | (27) entry to 'io_uring_unmap_rings' |...... | 14 | if (cq->ring_ptr && cq->ring_ptr != sq->ring_ptr) | | ~ | | | | | (28) following 'false' branch... | 15 | __sys_munmap(cq->ring_ptr, cq->ring_sz); | 16 | } | | ~ | | | | | (29) ...to here | <------+ | 'io_uring_mmap': event 30 | | 71 | io_uring_unmap_rings(sq, cq); | | ^ | | | | | (30) returning to 'io_uring_mmap' from 'io_uring_unmap_rings' | <------+ | 'io_uring_queue_mmap': event 31 | | 97 | ret = io_uring_mmap(fd, p, &ring->sq, &ring->cq); | | ^ | | | | | (31) returning to 'io_uring_queue_mmap' from 'io_uring_mmap' | <------+ | 'io_uring_queue_init_params': events 32-34 | | 150 | ret = io_uring_queue_mmap(fd, p, ring); | | ^ | | | | | (32) returning to 'io_uring_queue_init_params' from 'io_uring_queue_mmap' | 151 | if (ret) { | | ~ | | | | | (33) following 'true' branch (when 'ret_11 != 0')... | 152 | __sys_close(fd); | | ~ | | | | | (34) ...to here | <------+ | 'io_uring_mlock_size_params': events 35-38 | | 302 | ret = io_uring_queue_init_params(entries, &ring, &lp); | | ^ | | | | | (35) returning to 'io_uring_mlock_size_params' from 'io_uring_queue_init_params' | 303 | if (!ret) | | ~ | | | | | (36) following 'true' branch (when 'ret_11 == 0')... | 304 | io_uring_queue_exit(&ring); | | ~ | | | | | (37) ...to here | | (38) calling 'io_uring_queue_exit' from 'io_uring_mlock_size_params' | +--> 'io_uring_queue_exit': events 39-42 | | 174 | void io_uring_queue_exit(struct io_uring *ring) | | ^ | | | | | (39) entry to 'io_uring_queue_exit' |...... | 183 | __sys_munmap(sq->sqes, sqe_size * *sq->kring_entries); | | ~ ~ | | | | | | | (40) '0B' is NULL | | | (41) '0B' is NULL | | (42) dereference of NULL 'MEM[(struct io_uring_sq *)ring_11(D)].kring_entries' | gcc -D_GNU_SOURCE -I../src/include/ -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -o io_uring-test io_uring-test.c -L../src/ -luring io_uring-test.c: In function 'main': io_uring-test.c:58:36: warning: dereference of possibly-NULL 'iovecs_59' [CWE-690] [-Wanalyzer-possible-null-dereference] 58 | iovecs[i].iov_base = buf; | ~~~~~~~~~~~~~~~~~~~^~~~~ 'main': events 1-9 | | 31 | if (argc < 2) { | | ^ | | | | | (1) following 'false' branch (when 'argc_52(D) > 1')... |...... | 36 | ret = io_uring_queue_init(QD, &ring, 0); | | ~~~ | | | | | (2) ...to here | 37 | if (ret < 0) { | | ~ | | | | | (3) following 'false' branch (when 'ret_55 >= 0')... |...... | 42 | fd = open(argv[1], O_RDONLY | O_DIRECT); | | ~~ | | | | | (4) ...to here | 43 | if (fd < 0) { | | ~ | | | | | (5) following 'false' branch... |...... | 48 | if (fstat(fd, &sb) < 0) { | | ~~ ~ | | | | | | | (7) following 'false' branch... | | (6) ...to here |...... | 53 | fsize = 0; | | ~~~~~ | | | | | (8) ...to here | 54 | iovecs = calloc(QD, sizeof(struct iovec)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) this call could return NULL | 'main': events 10-11 | | 55 | for (i = 0; i < QD; i++) { | | ^ | | | | | (10) following 'true' branch (when 'i_35 != 4')... | 56 | if (posix_memalign(&buf, 4096, 4096)) | | ~~ | | | | | (11) ...to here | 'main': event 12 | |cc1: | (12): following 'true' branch... | 'main': events 13-14 | | 58 | iovecs[i].iov_base = buf; | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (13) ...to here (14) 'iovecs_59 + (unsigned int) i_35 * 8' could be NULL: unchecked value from (9) | gcc -D_GNU_SOURCE -I../src/include/ -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -o ucontext-cp ucontext-cp.c -L../src/ -luring ucontext-cp.c: In function 'main': ucontext-cp.c:229:31: warning: dereference of possibly-NULL 'pbundle_69' [CWE-690] [-Wanalyzer-possible-null-dereference] 229 | pbundle->pctx = pctx; | ~~~~~~~~~~~~~~^~~~~~ 'main': events 1-10 | | 189 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 195 | if (argc < 3) { | | ~ | | | | | (2) following 'false' branch (when 'argc_48(D) > 2')... |...... | 200 | ret = io_uring_queue_init(QD, &ring, 0); | | ~~~ | | | | | (3) ...to here | 201 | if (ret < 0) { | | ~ | | | | | (4) following 'false' branch (when 'ret_50 >= 0')... |...... | 206 | req_count = (argc - 1) / 2; | | ~~~~~~~~~ | | | | | (5) ...to here |...... | 209 | for (i = 1; i < argc; i += 2) { | | ~~~~~~~~ | | | | | (6) following 'true' branch (when 'i_38 < argc_48(D)')... | 210 | int infd, outfd; | | ~~~ | | | | | (7) ...to here |...... | 214 | if (!pctx || setup_context(pctx, &ring)) | | ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (9) ...to here | | | (10) calling 'setup_context' from 'main' | | (8) following 'false' branch (when 'pctx_65' is non-NULL)... | +--> 'setup_context': events 11-15 | | 108 | static int setup_context(async_context *pctx, struct io_uring *ring) | | ^~~~~~~~~~~~~ | | | | | (11) entry to 'setup_context' |...... | 114 | if (ret < 0) { | | ~ | | | | | (12) following 'false' branch... |...... | 118 | pctx->stack_buf = malloc(SIGSTKSZ); | | ~~~~ | | | | | (13) ...to here | 119 | if (!pctx->stack_buf) { | | ~ | | | | | (14) following 'false' branch... |...... | 123 | pctx->ctx_fnew.uc_stack.ss_sp = pctx->stack_buf; | | ~~~~ | | | | | (15) ...to here | <------+ | 'main': events 16-24 | | 214 | if (!pctx || setup_context(pctx, &ring)) | | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (16) returning to 'main' from 'setup_context' | | (17) following 'false' branch... |...... | 217 | infd = open(argv[i], O_RDONLY); | | ~~~~ | | | | | (18) ...to here | 218 | if (infd < 0) { | | ~ | | | | | (19) following 'false' branch... |...... | 222 | outfd = open(argv[i + 1], O_WRONLY | O_CREAT | O_TRUNC, 0644); | | ~~~~~ | | | | | (20) ...to here | 223 | if (outfd < 0) { | | ~ | | | | | (21) following 'false' branch... |...... | 228 | arguments_bundle *pbundle = malloc(sizeof(*pbundle)); | | ~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (22) ...to here (23) this call could return NULL | 229 | pbundle->pctx = pctx; | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (24) 'pbundle_69' could be NULL: unchecked value from (23) | gcc -D_GNU_SOURCE -I../src/include/ -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -o io_uring-cp io_uring-cp.c -L../src/ -luring io_uring-cp.c: In function 'queue_read': io_uring-cp.c:104:9: warning: leak of 'data_13' [CWE-401] [-Wanalyzer-malloc-leak] 104 | return 0; | ^~~~~~ 'main': events 1-12 | | 249 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 255 | if (argc < 3) { | | ~ | | | | | (2) following 'false' branch (when 'argc_13(D) > 2')... |...... | 260 | infd = open(argv[1], O_RDONLY); | | ~~~~ | | | | | (3) ...to here | 261 | if (infd < 0) { | | ~ | | | | | (4) following 'false' branch... |...... | 265 | outfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0644); | | ~~~~~ | | | | | (5) ...to here | 266 | if (outfd < 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 271 | if (setup_context(QD, &ring)) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here | 272 | return 1; | 273 | if (get_file_size(infd, &insize)) | | ~~ ~ | | | | | | | (10) following 'false' branch... | | (9) ...to here |...... | 276 | ret = copy_file(&ring, insize); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) calling 'copy_file' from 'main' | | (11) ...to here | +--> 'copy_file': events 13-14 | | 119 | static int copy_file(struct io_uring *ring, off_t insize) | | ^~~~~~~~~ | | | | | (13) entry to 'copy_file' |...... | 129 | while (insize || write_left) { | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (14) following 'true' branch... | 'copy_file': event 15 | |cc1: | (15): ...to here | 'copy_file': events 16-20 | | 137 | while (insize) { | | ^~~~~~ | | | | | (16) following 'true' branch (when 'insize_54 != 0')... | 138 | off_t this_size = insize; | | ~~~~~ | | | | | (17) ...to here | 139 | | 140 | if (reads + writes >= QD) | | ~ | | | | | (18) following 'false' branch... | 141 | break; | 142 | if (this_size > BS) | | ~~ | | | | | (19) ...to here |...... | 147 | if (queue_read(ring, this_size, offset)) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) calling 'queue_read' from 'copy_file' | +--> 'queue_read': events 21-25 | | 80 | static int queue_read(struct io_uring *ring, off_t size, off_t offset) | | ^~~~~~~~~~ | | | | | (21) entry to 'queue_read' |...... | 85 | data = malloc(size + sizeof(*data)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) allocated here | 86 | if (!data) | | ~ | | | | | (23) assuming 'data_13' is non-NULL | | (24) following 'false' branch (when 'data_13' is non-NULL)... |...... | 89 | sqe = io_uring_get_sqe(ring); | | ~~~ | | | | | (25) ...to here | 'queue_read': event 26 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling '_io_uring_get_sqe' from 'queue_read' | +--> '_io_uring_get_sqe': events 27-29 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (27) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (28) following 'true' branch... | 1079 | struct io_uring_sqe *sqe; | | ~~~~~~ | | | | | (29) ...to here | <------+ | 'queue_read': event 30 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) returning to 'queue_read' from '_io_uring_get_sqe' | 'queue_read': events 31-33 | |io_uring-cp.c:90:12: | 90 | if (!sqe) { | | ^ | | | | | (31) following 'false' branch... |...... | 95 | data->read = 1; | | ~~~~ | | | | | (32) ...to here |...... | 104 | return 0; | | ~~~~~~ | | | | | (33) 'data_13' leaks here; was allocated at (22) | gcc -D_GNU_SOURCE -I../src/include/ -pipe -frecord-gcc-switches -Wall -g -O2 -flto=auto -march=i586 -mtune=generic -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -ffat-lto-objects -fanalyzer -o link-cp link-cp.c -L../src/ -luring In file included from link-cp.c:17: In function 'io_uring_prep_rw', inlined from 'io_uring_prep_readv' at ../src/include/liburing.h:366:2, inlined from 'queue_rw_pair' at link-cp.c:80:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-12 | |link-cp.c:160:5: | 160 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 166 | if (argc < 3) { | | ~ | | | | | (2) following 'false' branch (when 'argc_13(D) > 2')... |...... | 171 | infd = open(argv[1], O_RDONLY); | | ~~~~ | | | | | (3) ...to here | 172 | if (infd < 0) { | | ~ | | | | | (4) following 'false' branch... |...... | 176 | outfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0644); | | ~~~~~ | | | | | (5) ...to here | 177 | if (outfd < 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 182 | if (setup_context(QD, &ring)) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here | 183 | return 1; | 184 | if (get_file_size(infd, &insize)) | | ~~ ~ | | | | | | | (10) following 'false' branch... | | (9) ...to here |...... | 187 | ret = copy_file(&ring, insize); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) calling 'copy_file' from 'main' | | (11) ...to here | +--> 'copy_file': events 13-15 | | 115 | static int copy_file(struct io_uring *ring, off_t insize) | | ^~~~~~~~~ | | | | | (13) entry to 'copy_file' |...... | 122 | while (insize) { | | ~~~~~~ | | | | | (14) following 'true' branch (when 'insize_13 != 0')... | 123 | int has_inflight = inflight; | | ~~~ | | | | | (15) ...to here | 'copy_file': events 16-18 | | 126 | while (insize && inflight < QD) { | | ^ | | | | | (16) following 'true' branch... | 127 | this_size = BS; | | ~~~~~~~~~ | | | | | (17) ...to here |...... | 130 | queue_rw_pair(ring, this_size, offset); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling 'queue_rw_pair' from 'copy_file' | +--> 'queue_rw_pair': event 19 | | 66 | static void queue_rw_pair(struct io_uring *ring, off_t size, off_t offset) | | ^~~~~~~~~~~~~ | | | | | (19) entry to 'queue_rw_pair' | 'queue_rw_pair': event 20 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) calling '_io_uring_get_sqe' from 'queue_rw_pair' | +--> '_io_uring_get_sqe': events 21-22 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (21) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (22) following 'false' branch... | '_io_uring_get_sqe': event 23 | |cc1: | (23): ...to here | <------+ | 'queue_rw_pair': events 24-25 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) dereference of NULL '_io_uring_get_sqe (ring_18(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to 'queue_rw_pair' from '_io_uring_get_sqe' | In function 'io_uring_prep_rw', inlined from 'io_uring_prep_writev' at ../src/include/liburing.h:390:2, inlined from 'queue_rw_pair' at link-cp.c:85:2: ../src/include/liburing.h:301:21: warning: dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference] 301 | sqe->opcode = (__u8) op; | ~~~~~~~~~~~~^~~~~~~~~~~ 'main': events 1-12 | |link-cp.c:160:5: | 160 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 166 | if (argc < 3) { | | ~ | | | | | (2) following 'false' branch (when 'argc_13(D) > 2')... |...... | 171 | infd = open(argv[1], O_RDONLY); | | ~~~~ | | | | | (3) ...to here | 172 | if (infd < 0) { | | ~ | | | | | (4) following 'false' branch... |...... | 176 | outfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0644); | | ~~~~~ | | | | | (5) ...to here | 177 | if (outfd < 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 182 | if (setup_context(QD, &ring)) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here | 183 | return 1; | 184 | if (get_file_size(infd, &insize)) | | ~~ ~ | | | | | | | (10) following 'false' branch... | | (9) ...to here |...... | 187 | ret = copy_file(&ring, insize); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) calling 'copy_file' from 'main' | | (11) ...to here | +--> 'copy_file': events 13-15 | | 115 | static int copy_file(struct io_uring *ring, off_t insize) | | ^~~~~~~~~ | | | | | (13) entry to 'copy_file' |...... | 122 | while (insize) { | | ~~~~~~ | | | | | (14) following 'true' branch (when 'insize_13 != 0')... | 123 | int has_inflight = inflight; | | ~~~ | | | | | (15) ...to here | 'copy_file': events 16-18 | | 126 | while (insize && inflight < QD) { | | ^ | | | | | (16) following 'true' branch... | 127 | this_size = BS; | | ~~~~~~~~~ | | | | | (17) ...to here |...... | 130 | queue_rw_pair(ring, this_size, offset); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling 'queue_rw_pair' from 'copy_file' | +--> 'queue_rw_pair': event 19 | | 66 | static void queue_rw_pair(struct io_uring *ring, off_t size, off_t offset) | | ^~~~~~~~~~~~~ | | | | | (19) entry to 'queue_rw_pair' | 'queue_rw_pair': event 20 | |../src/include/liburing.h:1148:16: | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) calling '_io_uring_get_sqe' from 'queue_rw_pair' | +--> '_io_uring_get_sqe': events 21-22 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (21) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (22) following 'false' branch... | '_io_uring_get_sqe': event 23 | |cc1: | (23): ...to here | <------+ | 'queue_rw_pair': events 24-25 | | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to 'queue_rw_pair' from '_io_uring_get_sqe' | | (25) calling '_io_uring_get_sqe' from 'queue_rw_pair' | +--> '_io_uring_get_sqe': events 26-27 | | 1068 | static inline struct io_uring_sqe *_io_uring_get_sqe(struct io_uring *ring) | | ^~~~~~~~~~~~~~~~~ | | | | | (26) entry to '_io_uring_get_sqe' |...... | 1078 | if (next - head <= *sq->kring_entries) { | | ~ | | | | | (27) following 'false' branch... | '_io_uring_get_sqe': event 28 | |cc1: | (28): ...to here | <------+ | 'queue_rw_pair': events 29-30 | | 301 | sqe->opcode = (__u8) op; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) dereference of NULL '_io_uring_get_sqe (ring_18(D))' |...... | 1148 | return _io_uring_get_sqe(ring); | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) returning to 'queue_rw_pair' from '_io_uring_get_sqe' | link-cp.c: In function 'copy_file': link-cp.c:131:25: warning: leak of '' [CWE-401] [-Wanalyzer-malloc-leak] 131 | offset += this_size; | ^~~~~~ 'main': events 1-12 | | 160 | int main(int argc, char *argv[]) | | ^~~~ | | | | | (1) entry to 'main' |...... | 166 | if (argc < 3) { | | ~ | | | | | (2) following 'false' branch (when 'argc_13(D) > 2')... |...... | 171 | infd = open(argv[1], O_RDONLY); | | ~~~~ | | | | | (3) ...to here | 172 | if (infd < 0) { | | ~ | | | | | (4) following 'false' branch... |...... | 176 | outfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0644); | | ~~~~~ | | | | | (5) ...to here | 177 | if (outfd < 0) { | | ~ | | | | | (6) following 'false' branch... |...... | 182 | if (setup_context(QD, &ring)) | | ~~ ~ | | | | | | | (8) following 'false' branch... | | (7) ...to here | 183 | return 1; | 184 | if (get_file_size(infd, &insize)) | | ~~ ~ | | | | | | | (10) following 'false' branch... | | (9) ...to here |...... | 187 | ret = copy_file(&ring, insize); | | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (12) calling 'copy_file' from 'main' | | (11) ...to here | +--> 'copy_file': events 13-15 | | 115 | static int copy_file(struct io_uring *ring, off_t insize) | | ^~~~~~~~~ | | | | | (13) entry to 'copy_file' |...... | 122 | while (insize) { | | ~~~~~~ | | | | | (14) following 'true' branch (when 'insize_13 != 0')... | 123 | int has_inflight = inflight; | | ~~~ | | | | | (15) ...to here | 'copy_file': events 16-18 | | 126 | while (insize && inflight < QD) { | | ^ | | | | | (16) following 'true' branch... | 127 | this_size = BS; | | ~~~~~~~~~ | | | | | (17) ...to here |...... | 130 | queue_rw_pair(ring, this_size, offset); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (18) calling 'queue_rw_pair' from 'copy_file' | +--> 'queue_rw_pair': events 19-20 | | 66 | static void queue_rw_pair(struct io_uring *ring, off_t size, off_t offset) | | ^~~~~~~~~~~~~ | | | | | (19) entry to 'queue_rw_pair' |...... | 72 | ptr = malloc(size + sizeof(*data)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) allocated here | <------+ | 'copy_file': events 21-22 | | 130 | queue_rw_pair(ring, this_size, offset); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) returning to 'copy_file' from 'queue_rw_pair' | 131 | offset += this_size; | | ~~~~~~ | | | | | (22) '' leaks here; was allocated at (20) | + exit 0 Executing(%install): /bin/sh -e /usr/src/tmp/rpm-tmp.28913 + umask 022 + /bin/mkdir -p /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + /bin/chmod -Rf u+rwX -- /usr/src/tmp/liburing-buildroot + : + /bin/rm -rf -- /usr/src/tmp/liburing-buildroot + PATH=/usr/libexec/rpm-build:/usr/src/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/games + cd liburing-2.2 + make 'INSTALL=/usr/libexec/rpm-build/install -p' install DESTDIR=/usr/src/tmp/liburing-buildroot V=1 make: Entering directory '/usr/src/RPM/BUILD/liburing-2.2' sed -e "s%@prefix@%/usr%g" \ -e "s%@libdir@%/usr/lib%g" \ -e "s%@includedir@%/usr/include%g" \ -e "s%@NAME@%liburing%g" \ -e "s%@VERSION@%2.2%g" \ liburing.pc.in >liburing.pc make[1]: Entering directory '/usr/src/RPM/BUILD/liburing-2.2/src' install -D -m 644 include/liburing/io_uring.h /usr/src/tmp/liburing-buildroot/usr/include/liburing/io_uring.h install -D -m 644 include/liburing.h /usr/src/tmp/liburing-buildroot/usr/include/liburing.h install -D -m 644 include/liburing/compat.h /usr/src/tmp/liburing-buildroot/usr/include/liburing/compat.h install -D -m 644 include/liburing/barrier.h /usr/src/tmp/liburing-buildroot/usr/include/liburing/barrier.h install -D -m 644 liburing.a /usr/src/tmp/liburing-buildroot/usr/lib/liburing.a install -D -m 755 liburing.so.2.2 /usr/src/tmp/liburing-buildroot/usr/lib/liburing.so.2.2 ln -sf liburing.so.2.2 /usr/src/tmp/liburing-buildroot/usr/lib/liburing.so.2 ln -sf liburing.so.2.2 /usr/src/tmp/liburing-buildroot/usr/lib/liburing.so make[1]: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2/src' /usr/libexec/rpm-build/install -p -D -m 644 liburing.pc /usr/src/tmp/liburing-buildroot/usr/lib/pkgconfig/liburing.pc /usr/libexec/rpm-build/install -p -m 755 -d /usr/src/tmp/liburing-buildroot/usr/share/man/man2 /usr/libexec/rpm-build/install -p -m 644 man/*.2 /usr/src/tmp/liburing-buildroot/usr/share/man/man2 /usr/libexec/rpm-build/install -p -m 755 -d /usr/src/tmp/liburing-buildroot/usr/share/man/man3 /usr/libexec/rpm-build/install -p -m 644 man/*.3 /usr/src/tmp/liburing-buildroot/usr/share/man/man3 /usr/libexec/rpm-build/install -p -m 755 -d /usr/src/tmp/liburing-buildroot/usr/share/man/man7 /usr/libexec/rpm-build/install -p -m 644 man/*.7 /usr/src/tmp/liburing-buildroot/usr/share/man/man7 make: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2' + rm /usr/src/tmp/liburing-buildroot/usr/lib/liburing.a + /usr/lib/rpm/brp-alt Cleaning files in /usr/src/tmp/liburing-buildroot (auto) mode of './usr/lib/liburing.so.2.2' changed from 0755 (rwxr-xr-x) to 0644 (rw-r--r--) Verifying and fixing files in /usr/src/tmp/liburing-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig) /usr/lib/pkgconfig/liburing.pc: Cflags: '-I${includedir}' --> '' /usr/lib/pkgconfig/liburing.pc: Libs: '-L${libdir} -luring' --> '-luring' Checking contents of files in /usr/src/tmp/liburing-buildroot/ (default) Compressing files in /usr/src/tmp/liburing-buildroot (auto) Adjusting library links in /usr/src/tmp/liburing-buildroot ./usr/lib: (from :0) liburing.so.2 -> liburing.so.2.2 Verifying ELF objects in /usr/src/tmp/liburing-buildroot (arch=strict,fhs=strict,lfs=strict,lint=strict,rpath=strict,stack=strict,textrel=strict,unresolved=strict) Executing(%check): /bin/sh -e /usr/src/tmp/rpm-tmp.57416 + umask 022 + /bin/mkdir -p /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + cd liburing-2.2 + test/probe.t + strace -ve io_uring_register test/probe.t + grep -Po '{op.*?}' + sort -u + column -t + TEST_EXCLUDE=' 500f9fbadef8.t accept.t cq-overflow.t eeed8b54e0df.t fc2a85cb02ef.t file-verify.t fpos.t io-cancel.t iopoll.t io_uring_register.t link-timeout.t personality.t read-before-exit.t read-write.t recv-msgall-stream.t ringbuf-read.t rsrc_tags.t sendmsg_fs_cve.t socket.t sq-poll-dup.t sq-poll-share.t xattr.t ' + make runtests make: Entering directory '/usr/src/RPM/BUILD/liburing-2.2' make[1]: Entering directory '/usr/src/RPM/BUILD/liburing-2.2/src' make[1]: Nothing to be done for 'all'. make[1]: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2/src' make[1]: Entering directory '/usr/src/RPM/BUILD/liburing-2.2/test' make[1]: Nothing to be done for 'all'. make[1]: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2/test' make[1]: Entering directory '/usr/src/RPM/BUILD/liburing-2.2/examples' make[1]: Nothing to be done for 'all'. make[1]: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2/examples' make[1]: Entering directory '/usr/src/RPM/BUILD/liburing-2.2/test' Running test 232c93d07b74.t 4 sec Running test 35fa71a030ca.t 5 sec Running test 500f9fbadef8.t Test skipped Running test 7ad0e4b2f83c.t 1 sec Running test 8a9973408177.t 0 sec Running test 917257daa0fe.t 0 sec Running test a0908ae19763.t 0 sec Running test a4c0b3decb33.t 19 sec Running test accept.t Test skipped Running test accept-link.t 0 sec Running test accept-reuse.t 0 sec Running test accept-test.t 0 sec Running test across-fork.t 0 sec Running test b19062a56726.t 0 sec Running test b5837bd5311d.t 0 sec Running test buf-ring.t 0 sec Running test ce593a6c480a.t 1 sec Running test close-opath.t 0 sec Running test connect.t 0 sec Running test cq-full.t 0 sec Running test cq-overflow.t Test skipped Running test cq-peek-batch.t 1 sec Running test cq-ready.t 0 sec Running test cq-size.t 0 sec Running test d4ae271dfaae.t open: Invalid argument 0 sec Running test d77a67ed5f27.t 0 sec Running test defer.t 3 sec Running test double-poll-crash.t 0 sec Running test drop-submit.t 0 sec Running test eeed8b54e0df.t Test skipped Running test empty-eownerdead.t 0 sec Running test eventfd.t 0 sec Running test eventfd-disable.t 0 sec Running test eventfd-reg.t 3 sec Running test eventfd-ring.t 1 sec Running test exec-target.t 0 sec Running test exit-no-cleanup.t 0 sec Running test fadvise.t 0 sec Running test fallocate.t 0 sec Running test fc2a85cb02ef.t Test skipped Running test file-register.t test_huge: No huge file set support, skipping 3 sec Running test files-exit-hang-poll.t 1 sec Running test files-exit-hang-timeout.t 1 sec Running test file-update.t 0 sec Running test file-verify.t Test skipped Running test fixed-buf-iter.t 0 sec Running test fixed-link.t 0 sec Running test fixed-reuse.t 0 sec Running test fpos.t Test skipped Running test fsync.t 0 sec Running test hardlink.t 0 sec Running test io-cancel.t Test skipped Running test iopoll.t Test skipped Running test io_uring_enter.t 0 sec Running test io_uring_register.t Test skipped Running test io_uring_setup.t 0 sec Running test lfs-openat.t 0 sec Running test lfs-openat-write.t 0 sec Running test link.t 0 sec Running test link_drain.t 1 sec Running test link-timeout.t Test skipped Running test madvise.t 0 sec Running test mkdir.t 0 sec Running test msg-ring.t Skipped 0 sec Running test multicqes_drain.t 10 sec Running test nop-all-sizes.t 0 sec Running test nop.t 0 sec Running test openat2.t 0 sec Running test open-close.t 0 sec Running test open-direct-link.t 0 sec Running test open-direct-pick.t 0 sec Running test personality.t Test skipped Running test pipe-eof.t 0 sec Running test pipe-reuse.t 0 sec Running test poll.t 0 sec Running test poll-cancel.t 0 sec Running test poll-cancel-all.t 0 sec Running test poll-cancel-ton.t 0 sec Running test poll-link.t 0 sec Running test poll-many.t poll-many: not enough files available (and not root), skipped 0 sec Running test poll-mshot-update.t poll-many: not enough files available (and not root), skipped 0 sec Running test poll-ring.t 0 sec Running test poll-v-poll.t 0 sec Running test pollfree.t 8 sec Running test probe.t 0 sec Running test read-before-exit.t Test skipped Running test read-write.t Test skipped Running test recv-msgall.t 0 sec Running test recv-msgall-stream.t Test skipped Running test register-restrictions.t 0 sec Running test rename.t 0 sec Running test ringbuf-read.t Test skipped Running test ring-leak2.t 1 sec Running test ring-leak.t 0 sec Running test rsrc_tags.t Test skipped Running test rw_merge_test.t 0 sec Running test self.t 0 sec Running test sendmsg_fs_cve.t Test skipped Running test send_recv.t 0 sec Running test send_recvmsg.t 0 sec Running test shared-wq.t 0 sec Running test short-read.t 0 sec Running test shutdown.t 0 sec Running test sigfd-deadlock.t 0 sec Running test skip-cqe.t IOSQE_CQE_SKIP_SUCCESS is not supported, skip 0 sec Running test socket.t Test skipped Running test socket-rw.t 0 sec Running test socket-rw-eagain.t 0 sec Running test socket-rw-offset.t 0 sec Running test splice.t 0 sec Running test sq-full.t 0 sec Running test sq-full-cpp.t 0 sec Running test sqpoll-cancel-hang.t 1 sec Running test sqpoll-disable-exit.t 0 sec Running test sq-poll-dup.t Test skipped Running test sqpoll-exit-hang.t 1 sec Running test sq-poll-kthread.t 2 sec Running test sq-poll-share.t Test skipped Running test sqpoll-sleep.t 0 sec Running test sq-space_left.t 0 sec Running test stdout.t This is a pipe test This is a fixed pipe test 0 sec Running test submit-link-fail.t 0 sec Running test submit-reuse.t 0 sec Running test symlink.t 0 sec Running test teardowns.t 0 sec Running test thread-exit.t 0 sec Running test timeout.t Test skipped Running test timeout-new.t 3 sec Running test timeout-overflow.t Skipping 0 sec Running test tty-write-dpoll.t 0 sec Running test unlink.t 0 sec Running test wakeup-hang.t 2 sec Running test xattr.t Test skipped Running test skip-cqe.t IOSQE_CQE_SKIP_SUCCESS is not supported, skip 0 sec [0] Running test statx.t 0 sec Running test sq-full-cpp.t 0 sec [0] Tests skipped: <500f9fbadef8.t> All tests passed make[1]: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2/test' make: Leaving directory '/usr/src/RPM/BUILD/liburing-2.2' + exit 0 Processing files: liburing-2.2-alt1 Executing(%doc): /bin/sh -e /usr/src/tmp/rpm-tmp.18254 + umask 022 + /bin/mkdir -p /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + cd liburing-2.2 + DOCDIR=/usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-2.2 + export DOCDIR + rm -rf /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-2.2 + /bin/mkdir -p /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-2.2 + cp -prL COPYING /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-2.2 + chmod -R go-w /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-2.2 + chmod -R a+rX /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-2.2 + exit 0 Finding Provides (using /usr/lib/rpm/find-provides) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.lQSV0F find-provides: running scripts (debuginfo,lib,pam,perl,pkgconfig,python,python3,shell) lib.prov: /usr/src/tmp/liburing-buildroot/usr/lib/liburing.so.2: 43 symbols, 16 bpp Finding Requires (using /usr/lib/rpm/find-requires) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.I6eg4r find-requires: running scripts (cpp,debuginfo,files,lib,pam,perl,pkgconfig,pkgconfiglib,python,python3,rpmlib,shebang,shell,static,symlinks,systemd-services) Provides: liburing.so.2 = set:jdBZ48amRaEStWoZhxu9JGmcIiMckDBiFvwC2nxEJC6YqXmrmLczwg0fdKZu59WSy9XBvLKZJZa7Zck52YSUVZjKh2, liburing.so.2(LIBURING_2.0), liburing.so.2(LIBURING_2.1), liburing.so.2(LIBURING_2.2) Requires: libc.so.6(GLIBC_2.0), libc.so.6(GLIBC_2.1), libc.so.6(GLIBC_2.1.3), libc.so.6(GLIBC_2.2), libc.so.6(GLIBC_2.4), rtld(GNU_HASH) Finding debuginfo files (using /usr/lib/rpm/find-debuginfo-files) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.4ZBlPv Creating liburing-debuginfo package Processing files: liburing-devel-2.2-alt1 Executing(%doc): /bin/sh -e /usr/src/tmp/rpm-tmp.13194 + umask 022 + /bin/mkdir -p /usr/src/RPM/BUILD + cd /usr/src/RPM/BUILD + cd liburing-2.2 + DOCDIR=/usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-devel-2.2 + export DOCDIR + rm -rf /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-devel-2.2 + /bin/mkdir -p /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-devel-2.2 + cp -prL README LICENSE COPYING.GPL SECURITY.md CHANGELOG examples/io_uring-cp.c examples/io_uring-test.c examples/link-cp.c examples/ucontext-cp.c /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-devel-2.2 + chmod -R go-w /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-devel-2.2 + chmod -R a+rX /usr/src/tmp/liburing-buildroot/usr/share/doc/liburing-devel-2.2 + exit 0 Finding Provides (using /usr/lib/rpm/find-provides) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.vlcx0t find-provides: running scripts (debuginfo,lib,pam,perl,pkgconfig,python,python3,shell) Finding Requires (using /usr/lib/rpm/find-requires) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.yEkucJ find-requires: running scripts (cpp,debuginfo,files,lib,pam,perl,pkgconfig,pkgconfiglib,python,python3,rpmlib,shebang,shell,static,symlinks,systemd-services) Provides: pkgconfig(liburing) = 2.2 Requires: /usr/lib/liburing.so.2.2, /usr/lib/pkgconfig, glibc-kernheaders-generic Finding debuginfo files (using /usr/lib/rpm/find-debuginfo-files) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.lskjCn Processing files: liburing-debuginfo-2.2-alt1 Finding Provides (using /usr/lib/rpm/find-provides) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.yRIsZ2 find-provides: running scripts (debuginfo) Finding Requires (using /usr/lib/rpm/find-requires) Executing: /bin/sh -e /usr/src/tmp/rpm-tmp.HkW99L find-requires: running scripts (debuginfo) Provides: debug(liburing.so.2) Requires: liburing = 2.2-alt1, debug(libc.so.6) Adding to liburing-debuginfo a strict dependency on liburing Adding to liburing-devel a strict dependency on liburing Removing 1 extra deps from liburing-devel due to dependency on liburing Wrote: /usr/src/RPM/RPMS/i586/liburing-2.2-alt1.i586.rpm (w2.lzdio) Wrote: /usr/src/RPM/RPMS/i586/liburing-devel-2.2-alt1.i586.rpm (w2.lzdio) Wrote: /usr/src/RPM/RPMS/i586/liburing-debuginfo-2.2-alt1.i586.rpm (w2.lzdio) 303.96user 23.73system 1:47.02elapsed 306%CPU (0avgtext+0avgdata 102180maxresident)k 0inputs+0outputs (1major+5143886minor)pagefaults 0swaps 1.69user 0.94system 1:52.19elapsed 2%CPU (0avgtext+0avgdata 105564maxresident)k 0inputs+0outputs (30722major+155036minor)pagefaults 0swaps --- liburing-2.2-alt1.i586.rpm.repo 2022-08-09 20:54:40.000000000 +0000 +++ liburing-2.2-alt1.i586.rpm.hasher 2022-10-01 05:53:49.256056405 +0000 @@ -17,5 +17,5 @@ File: /usr/lib/liburing.so.2 120777 root:root liburing.so.2.2 -File: /usr/lib/liburing.so.2.2 100644 root:root a1a12d5e5265d76c8f4cc65711586df5 +File: /usr/lib/liburing.so.2.2 100644 root:root 4d684d1e2cd8772516b73a64af542c79 File: /usr/share/doc/liburing-2.2 40755 root:root File: /usr/share/doc/liburing-2.2/COPYING 100644 root:root 4b54a1fd55a448865a0b32d41598759d -RPMIdentity: e3bff97f7ac960fca7a30d6321b035771b953fddccdb1d72ba51874da3e29a8a201f2babc28a4fa0f85041adc24c09d4a9da8e717e3c5ff89d9b1a3505bc3ad2 +RPMIdentity: 78df35fa8ca4a1ac183cc30c77d2dc380e2ff52d4ae5e146a709a628f6a1c300a83863873334f1cacba395aa937b8f42a0a9a48ab54e19885cd6332c65c44d65 --- liburing-debuginfo-2.2-alt1.i586.rpm.repo 2022-08-09 20:54:40.000000000 +0000 +++ liburing-debuginfo-2.2-alt1.i586.rpm.hasher 2022-10-01 05:53:49.335057869 +0000 @@ -1,4 +1,4 @@ -/usr/lib/debug/.build-id/e9 40755 root:root -/usr/lib/debug/.build-id/e9/1caf7ec31e5b8d5ee66f772615b76e8c84df0d 120777 root:root ../../../liburing.so.2.2 -/usr/lib/debug/.build-id/e9/1caf7ec31e5b8d5ee66f772615b76e8c84df0d.debug 120777 root:root ../../usr/lib/liburing.so.2.2.debug +/usr/lib/debug/.build-id/05 40755 root:root +/usr/lib/debug/.build-id/05/1ca317aa4236d8fc4a2cad3adb4565a1cc8c42 120777 root:root ../../../liburing.so.2.2 +/usr/lib/debug/.build-id/05/1ca317aa4236d8fc4a2cad3adb4565a1cc8c42.debug 120777 root:root ../../usr/lib/liburing.so.2.2.debug /usr/lib/debug/usr/lib/liburing.so.2.2.debug 100644 root:root @@ -28,6 +28,6 @@ Provides: liburing-debuginfo = 2.2-alt1:sisyphus+304981.300.4.1 -File: /usr/lib/debug/.build-id/e9 40755 root:root -File: /usr/lib/debug/.build-id/e9/1caf7ec31e5b8d5ee66f772615b76e8c84df0d 120777 root:root ../../../liburing.so.2.2 -File: /usr/lib/debug/.build-id/e9/1caf7ec31e5b8d5ee66f772615b76e8c84df0d.debug 120777 root:root ../../usr/lib/liburing.so.2.2.debug -File: /usr/lib/debug/usr/lib/liburing.so.2.2.debug 100644 root:root 608a1fefb474b2705c590f05662281e9 +File: /usr/lib/debug/.build-id/05 40755 root:root +File: /usr/lib/debug/.build-id/05/1ca317aa4236d8fc4a2cad3adb4565a1cc8c42 120777 root:root ../../../liburing.so.2.2 +File: /usr/lib/debug/.build-id/05/1ca317aa4236d8fc4a2cad3adb4565a1cc8c42.debug 120777 root:root ../../usr/lib/liburing.so.2.2.debug +File: /usr/lib/debug/usr/lib/liburing.so.2.2.debug 100644 root:root f103fb9064414043aba706ca84fded59 File: /usr/lib/debug/usr/lib/liburing.so.2.debug 120777 root:root liburing.so.2.2.debug @@ -51,2 +51,2 @@ File: /usr/src/debug/liburing-2.2/src/syscall.h 100644 root:root cab4eb88a239138a3db5ba0dab9aa2dc -RPMIdentity: 8ed9d11f36c4ce608623412046a5a3d1cd6419858f33bd789b4c7c2c563636245db70ccd7d0586469f5d1a2c2b61a9558c4a88ee88559581a51d0a5f5d3f29b0 +RPMIdentity: bd7141862dd5d9214656a14773a3fb68f89b1f028d515203ea0e59818afcc6126693f020cb3b344e574559c7d467a21b2cdd87fbec138de2e02beb768b165a05