On Tue, Oct 1, 2019 at 12:03 AM Emily Shaffer <emilyshaffer@xxxxxxxxxx> wrote: > > Previously, when promisor_remote_move_to_tail() is called for a > promisor_remote which is currently the final element in promisors, a > cycle is created in the promisors linked list. This cycle leads to a > double free later on in promisor_remote_clear() when the final element > of the promisors list is removed: promisors is set to promisors->next (a > no-op, as promisors->next == promisors); the previous value of promisors > is free()'d; then the new value of promisors (which is equal to the > previous value of promisors) is also free()'d. This double-free error > was unrecoverable for the user without removing the filter or re-cloning > the repo and hoping to miss this edge case. > > Now, when promisor_remote_move_to_tail() would be a no-op, just do a > no-op. In cases of promisor_remote_move_to_tail() where r is not already > at the tail of the list, it works as before. Yeah, thank you Emily and Peff for finding and fixing this! The fix and the test look good to me.
