Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/10/09 21:11:05 UTC

[jira] [Created] (TS-3962) CID 1325824: (USE_AFTER_FREE) in malloc_bulkfree()

Leif Hedstrom created TS-3962:
---------------------------------

             Summary: CID 1325824:    (USE_AFTER_FREE) in malloc_bulkfree()
                 Key: TS-3962
                 URL: https://issues.apache.org/jira/browse/TS-3962
             Project: Traffic Server
          Issue Type: Bug
          Components: Core
            Reporter: Leif Hedstrom


{code}
** CID 1325824:    (USE_AFTER_FREE)
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()


________________________________________________________________________________________________________
*** CID 1325824:    (USE_AFTER_FREE)
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
384       void *item = head;
385     
386       // Avoid compiler warnings
387       (void)tail;
388     
389       if (f->alignment) {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
391           ats_memalign_free(item);
392         }
393       } else {
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
395           ats_free(item);
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
388     
389       if (f->alignment) {
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
391           ats_memalign_free(item);
392         }
393       } else {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
395           ats_free(item);
396         }
397       }
398     }
399     
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
388     
389       if (f->alignment) {
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
391           ats_memalign_free(item);
392         }
393       } else {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
395           ats_free(item);
396         }
397       }
398     }
399     
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
384       void *item = head;
385     
386       // Avoid compiler warnings
387       (void)tail;
388     
389       if (f->alignment) {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
391           ats_memalign_free(item);
392         }
393       } else {
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
395           ats_free(item);

{code}


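Seems we ought not to use the item in the iterator after we've already free'd it :). In both loops the body frees `item`, and the increment expression `item = *(void **)item` then reads the next-pointer out of the block that was just freed. An allocator may reuse or overwrite a freed block, so the value read there is not guaranteed to be the original link; the next pointer should be saved into a local before the call to `ats_memalign_free()` / `ats_free()`.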



