On Tue, 23 Feb 2021 13:58:03 GMT, Matthias Baesken <mbaes...@openjdk.org> wrote:
> Sonar reports a finding in args.c, where a file check is done.
> Stat performs a check on file, and later fopen is called on the file:
> https://sonarcloud.io/project/issues?id=shipilev_jdk&languages=c&open=AXck8CL0BBG2CXpcnhtM&resolved=false&types=VULNERABILITY
>
> The coding could be slightly rewritten so that the potential TOCTOU is
> removed (however I do not think that it is such a big issue).

This looks good in general. Do you know whether there's a jtreg test that stresses arg files?

src/java.base/share/native/libjli/args.c line 361:

> 359: if (fptr != NULL) fclose(fptr);
> 360: exit(1);
> 361: }

Can you insert a blank line here?

-------------

Changes requested by clanger (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/2692
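
The stat-then-fopen pattern discussed in this thread, beside an open-then-fstat rewrite, as an added example that is not part of the original message and not the JDK's args.c. The function names and the temporary sample file are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* fileno(), mkstemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy (hypothetical helper): stat() and fopen() each resolve the path, so
 * the object that was checked may not be the object that gets opened. */
FILE *open_argfile_racy(const char *path, off_t *size) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return NULL;
    *size = st.st_size;
    return fopen(path, "r");                 /* second path lookup */
}

/* Race-free (hypothetical helper): resolve the path once, then run the
 * checks on the descriptor that is already held. */
FILE *open_argfile(const char *path, off_t *size) {
    struct stat st;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return NULL;
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode)) {
        fclose(fp);                          /* no leak on the error path */
        return NULL;
    }
    *size = st.st_size;
    return fp;
}

/* Constructed sample: a 7-byte temp file; returns the size seen, or -1. */
long demo_regular_file(void) {
    char tmpl[] = "/tmp/argfile_XXXXXX";
    off_t size = -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, "-Xmx1g\n", 7) != 7) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    FILE *fp = open_argfile(tmpl, &size);
    int ok = (fp != NULL);
    if (ok) fclose(fp);
    unlink(tmpl);
    return ok ? (long)size : -1;
}
```

Because the size and file type come from `fstat()` on the open stream, they describe the file that will actually be read, whatever happens to the path afterwards.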