You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@trafficserver.apache.org by bc...@apache.org on 2019/05/17 16:35:11 UTC

[trafficserver] branch master updated: clang analyzer: Fix false positive "use after free" in IpMap.cc

This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 60b8510  clang analyzer: Fix false positive "use after free" in IpMap.cc
60b8510 is described below

commit 60b8510b033c30d0b9b77a359602018868a7e85c
Author: Alan M. Carroll <am...@apache.org>
AuthorDate: Fri May 17 08:03:46 2019 -0500

    clang analyzer: Fix false positive "use after free" in IpMap.cc
---
 src/tscore/IpMap.cc | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/tscore/IpMap.cc b/src/tscore/IpMap.cc
index 87ab278..c24445f 100644
--- a/src/tscore/IpMap.cc
+++ b/src/tscore/IpMap.cc
@@ -368,23 +368,23 @@ namespace detail
     // Work through the rest of the nodes of interest.
     // Invariant: n->_min >= min
 
-    // Careful here -- because max_plus1 might wrap we need to use it only
-    // if we can certain it didn't. This is done by ordering the range
-    // tests so that when max_plus1 is used when we know there exists a
-    // larger value than max.
+    // Careful here -- because max_plus1 might wrap we need to use it only if we can be certain it
+    // didn't. This is done by ordering the range tests so that when max_plus1 is used when we know
+    // there exists a larger value than max.
     Metric max_plus1 = max;
     N::inc(max_plus1);
+
     /* Notes:
-       - max (and thence max_plus1) never change during the loop.
-       - we must have either x != 0 or adjust min but not both.
+       - max (and thence also max_plus1) never change during the loop.
+       - we must have either x != 0 or adjust min but not both for each loop iteration.
     */
     while (n) {
       if (n->_data == payload) {
         if (x) {
-          if (n->_max <= max) {
-// next range is covered, so we can remove and continue.
+          if (n->_max <= max) { // next range is covered, so we can remove and continue.
 #if defined(__clang_analyzer__)
-            ink_assert(x != n);
+            x->_next = n->_next; // done in @c remove, but CA doesn't realize that.
+                                 // It's insufficient to assert(x->_next != n) after the remove.
 #endif
             this->remove(n);
             n = next(x);