Hi,

I am working on a bug-finding tool that looks for a special kind of use-after-free problem in C++ code (a "checker" module in the Clang Static Analyzer [1]), and I've been running it on a few projects to see if it finds anything interesting.

I've found the following on line 131 in ceph/src/kv/RocksDBStore.cc [2], where I suspect we are returning a pointer to a deallocated memory region:

> return mop->name().c_str();

Here, mop is a std::shared_ptr<KeyValueDB::MergeOperator>, and name() seems to return a string by value [3], a temporary object, on which c_str() is called to obtain a const char * pointing to its inner buffer. But the temporary string object is destroyed at the end of the return statement, and the caller receives a pointer that references a deallocated buffer.

I hope you find this report useful.

Best,
Réka

P.S. I tried to open an issue for this in the Bug Tracker, but it seems that I don't have the necessary permissions.

-----
[1] https://clang-analyzer.llvm.org/
[2] Link to v14.0.0 for stability, the issue is only one line off on the master branch: https://github.com/ceph/ceph/blob/v14.0.0/src/kv/RocksDBStore.cc#L130
[3] https://github.com/ceph/ceph/blob/v14.0.0/src/kv/KeyValueDB.h#L390
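As an added illustration of the defect described in the report (example code, not Ceph's own), here is a stand-in for the pattern beside two ways of fixing it. MergeOperator, ConcatOperator and the three name_* functions are hypothetical; only the return-by-value name() and the c_str() call mirror what the mail describes.

```cpp
#include <cstring>
#include <memory>
#include <string>

// Hypothetical stand-in for KeyValueDB::MergeOperator (not Ceph's type):
// name() returns a std::string by value, as in the cited header.
struct MergeOperator {
  virtual ~MergeOperator() = default;
  virtual std::string name() const = 0;
};

struct ConcatOperator : MergeOperator {
  // Longer than common small-string-optimisation limits so the buffer lives
  // on the heap and AddressSanitizer can report the dangling access.
  std::string name() const override { return "rocksdb-merge-operator-for-test"; }
};

// The reported pattern: c_str() of a temporary. The temporary std::string is
// destroyed when the return statement completes, so the returned pointer
// references freed memory. Kept only to show the defect; never call it.
const char* name_dangling(const std::shared_ptr<MergeOperator>& mop) {
  return mop->name().c_str();
}

// Fix A: hand the string itself to the caller, who then owns the buffer.
std::string name_owned(const std::shared_ptr<MergeOperator>& mop) {
  return mop->name();
}

// Fix B: if a const char* interface must be kept, the caller supplies storage
// whose lifetime covers every use of the pointer.
const char* name_into(const std::shared_ptr<MergeOperator>& mop,
                      std::string& storage) {
  storage = mop->name();
  return storage.c_str();
}

// Exercises both fixes; returns true when each yields the expected name.
bool fixes_yield_expected_name() {
  std::shared_ptr<MergeOperator> mop = std::make_shared<ConcatOperator>();
  const std::string expected = "rocksdb-merge-operator-for-test";
  std::string storage;
  const char* p = name_into(mop, storage);
  return name_owned(mop) == expected && std::strcmp(p, expected.c_str()) == 0;
}
```

Compiling with -fsanitize=address and calling name_dangling flags the access as a heap-use-after-free, which is the behaviour the report's checker detects statically.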