On Sat, Jun 04 2022, René Scharfe wrote:
> Am 03.06.22 um 20:37 schrieb Ævar Arnfjörð Bjarmason:
>> Return NULL instead of possibly feeding a NULL to memset() in
>> reftable_calloc(). This issue was noted by GCC 12's -fanalyzer:
>>
>> reftable/publicbasics.c: In function ‘reftable_calloc’:
>> reftable/publicbasics.c:43:9: error: use of possibly-NULL ‘p’ where non-null expected [CWE-690] [-Werror=analyzer-possible-null-argument]
>> 43 | memset(p, 0, sz);
>> | ^~~~~~~~~~~~~~~~
>> [...]
>>
>> This bug has been with us ever since this code was added in
>> ef8a6c62687 (reftable: utility functions, 2021-10-07).
>>
>> Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx>
>> ---
>> reftable/publicbasics.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/reftable/publicbasics.c b/reftable/publicbasics.c
>> index 0ad7d5c0ff2..a18167f5ab7 100644
>> --- a/reftable/publicbasics.c
>> +++ b/reftable/publicbasics.c
>> @@ -40,6 +40,8 @@ void reftable_free(void *p)
>> void *reftable_calloc(size_t sz)
>> {
>> void *p = reftable_malloc(sz);
>> + if (!p)
>> + return NULL;
>> memset(p, 0, sz);
>> return p;
>> }
>
> We discussed this before, in
> https://lore.kernel.org/git/RFC-patch-2.2-364d1194a95-20220415T101740Z-avarab@xxxxxxxxx/
>
> If this code was actually used by Git and still not handling allocation
> failures then I'd propose something like the below instead.
>
> Next I'd probably try to convert reftable_calloc() calls to a variant
> that takes size and count separately -- like calloc(3) does -- to avoid
> unchecked multiplication.
>
> --- >8 ---
> Subject: [PATCH] reftable: remove reftable_set_alloc()
I think this is a much better direction than my more narrow fix, and
would be happy to see it queued up.
To your comment here & some others (e.g. FREE_AND_NULL()): I was really
trying to focus on narrowly addressing these -fanalyzer issues without
digressing into the larger topics "what is this code *really* doing, and
does it make sense?". It was pretty unavoidable in 13/15 though.
Which isn't to say that I shouldn't fix some of it, e.g. your
s/return/BUG()/ suggestion, but I think it's best to view these patches
with an eye towards us already having these issues, and in most cases
making -fanalyzer happy is a small cost.
And by doing so and getting a "clean build" we'll be able to turn it on
in CI, and thus notice when we run into new -fanalyzer issues.
