On Tue, Oct 11, 2022 at 09:29:01AM +0200, Ævar Arnfjörð Bjarmason wrote:
> > But the code before this patch is safe only for strvec_pushl() call,
> > not run_command_v_opt() call, so we are not losing anything, I would
> > think.
>
> Yes, and if we suppose a bug like this sneaking in one way or the other:
>
> diff --git a/builtin/bisect--helper.c b/builtin/bisect--helper.c
> index 28ef7ec2a48..a7f9d43a6f1 100644
> --- a/builtin/bisect--helper.c
> +++ b/builtin/bisect--helper.c
> @@ -766,7 +766,7 @@ static enum bisect_error bisect_start(struct bisect_terms *terms, const char **a
> strbuf_trim(&start_head);
> if (!no_checkout) {
> const char *argv[] = { "checkout", start_head.buf,
> - "--", NULL };
> + "--" };
>
> if (run_command_v_opt(argv, RUN_GIT_CMD)) {
> res = error(_("checking out '%s' failed."
>
> I don't know a way to statically flag that, but we'll catch it with
> SANITIZE=address:
I'd expect we'd even catch it in a non-sanitizing build, since we'd
likely feed garbage to exec (unless we get lucky and there's a NULL on
the stack). I like catching bugs as early as possible, but I agree this
kind is not likely to get very far (assuming there's test coverage).
-Peff
