On Sat, May 13, 2023 at 12:59:25PM -0400, Jeff King wrote:
> On Wed, May 10, 2023 at 02:34:15PM +0200, Patrick Steinhardt wrote:
>
> > @@ -946,7 +948,7 @@ static int update_local_ref(struct ref *ref,
> > if (oideq(&ref->old_oid, &ref->new_oid)) {
> > if (verbosity > 0)
> > display_ref_update(display_state, '=', _("[up to date]"), NULL,
> > - remote, ref->name, summary_width);
> > + remote_ref->name, ref->name, summary_width);
> > return 0;
> > }
>
> Here (and in other hunks) we now dereference remote_ref unconditionally.
> But in existing parts of the code, we guard against remote_ref being
> NULL. E.g., later on:
>
> if (!current || !updated) {
> const char *msg;
> const char *what;
> int r;
> /*
> * Nicely describe the new ref we're fetching.
> * Base this on the remote's ref name, as it's
> * more likely to follow a standard layout.
> */
> const char *name = remote_ref ? remote_ref->name : "";
> [...]
>
> I'm not sure if the old code was being overly defensive, or if the new
> code is ripe for a segfault. But it's probably worth looking into (it
> was noticed by Coverity).
>
> Looking at the caller, it is always store_update_refs() which passes its
> own "rm", a pointer iterating over ref_map. And it should always be
> non-NULL, since that's the loop condition.
>
> So I think your code is fine, but you might want to double-check my
> logic. (And it may be worth cleaning up the existing redundant check to
> prevent confusion).
I really think that the code is overly defensive. As you mention, there
is a single caller of `update_local_ref()`, only, and that caller
already dereferences the remote reference unconditionally anyway. So if
there was any way for `rm` to become `NULL` we'd already have a segfault
earlier than in `update_local_ref()`.
I'll send a follow-up patch series after the dust has settled that
removes the check.
Thanks!
Patrick
Attachment:
signature.asc
Description: PGP signature
