On Mon, Apr 24, 2023 at 11:05:49AM -0700, Junio C Hamano wrote: > Jeff King <peff@xxxxxxxx> writes: > > > Coverity complains that we check whether "notes_ref" is NULL, but it was > > already implied to be non-NULL earlier in the function. And this is > > true; since b9342b3fd63 (refs: add array of ref namespaces, 2022-08-05), > > we call xstrdup(notes_ref) unconditionally, which would segfault if it > > was NULL. > > > > But that commit is actually doing the right thing. Even if NULL is > > passed into the function, we'll use default_notes_ref() as a fallback, > > which will never return NULL (it tries a few options, but its last > > resort is a string literal). Ironically, the "!notes_ref" check was > > added by the same commit that added the fallback: 709f79b0894 (Notes > > API: init_notes(): Initialize the notes tree from the given notes ref, > > 2010-02-13). So this check never did anything. > > I am impressed(?) that Coverity can complain at the "_or_null" part > in xstrdup_or_null(). No, my human brain added that part while I was looking at the function. Coverity is definitely clever enough to realize that the NULL check in xstrdup_or_null() is not needed here (it's a static inline, but I think Coverity can even look between translation units). But complaining about it would yield lots of false positives. It's redundant in this instance, but not in other callers of the function. So it would have to realize: we called xstrdup_or_null(), but there is another function xstrdup() which is exactly the same but without the NULL check. And I think that is asking too much of even a very clever static analyzer. :) -Peff
