From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: [PATCH 2/6] commit: copy saved getenv() result
Date: Tue, 15 Jan 2019 15:05:50 +0100 (STD) [thread overview]
Message-ID: <nycvar.QRO.7.76.6.1901151502130.41@tvgsbejvaqbjf.bet> (raw)
In-Reply-To: <20190112102635.GA16633@sigill.intra.peff.net>
Hi Peff,
On Sat, 12 Jan 2019, Jeff King wrote:
> On Fri, Jan 11, 2019 at 07:07:15PM -0800, Junio C Hamano wrote:
>
> > > diff --git a/builtin/commit.c b/builtin/commit.c
> > > index 004b816635..7d2e0b61e5 100644
> > > --- a/builtin/commit.c
> > > +++ b/builtin/commit.c
> > > @@ -351,7 +351,7 @@ static const char *prepare_index(int argc, const char **argv, const char *prefix
> > > if (write_locked_index(&the_index, &index_lock, 0))
> > > die(_("unable to create temporary index"));
> > >
> > > - old_index_env = getenv(INDEX_ENVIRONMENT);
> > > + old_index_env = xstrdup_or_null(getenv(INDEX_ENVIRONMENT));
> > > setenv(INDEX_ENVIRONMENT, get_lock_file_path(&index_lock), 1);
> > >
> > > if (interactive_add(argc, argv, prefix, patch_interactive) != 0)
> > > @@ -361,6 +361,7 @@ static const char *prepare_index(int argc, const char **argv, const char *prefix
> > > setenv(INDEX_ENVIRONMENT, old_index_env, 1);
> > > else
> > > unsetenv(INDEX_ENVIRONMENT);
> > > + FREE_AND_NULL(old_index_env);
> > >
> > > discard_cache();
> > > read_cache_from(get_lock_file_path(&index_lock));
> >
> > Even though it is not wrong per-se to assign a NULL to the
> > now-no-longer-referenced variable, I do not quite get why it is
> > free-and-null, not a straight free. This may be a taste-thing,
> > though.
> >
> > Even if a future update needs to make it possible to access
> > old_index_env somewhere in the block after discard_cache() gets
> > called, we would need to push down the free (or free-and-null) to
> > prolong its lifetime a bit anyway, so...
>
> My thinking was that if we simply call free(), then the variable is left
> as a dangling pointer for the rest of the function, making it easy to
> accidentally use-after-free.
FWIW I thought that was your reasoning (and did not think of asking you
about it) and totally agree with it.
It is *too* easy not to realize that the `free()` call needs to be moved,
but a segmentation fault is a very strong indicator that it should be
moved.
> But certainly it would not be the first such instance in our code base.
Just because a lot of our code has grown historically does not mean that
we need to add code that shares the same shortcomings. FREE_AND_NULL() was
not available for a long time, after all, so it is understandable that we
did not use it back then. But it is available now, so we no longer have an
excuse to add less defensive code.
> In theory a static analyzer should easily be able to figure out such a
> problem, too, so maybe it is not worth being defensive about.
How often do you run a static analyzer?
My point being: if we can prevent future mistakes easily, and it does not
add too much code churn, why not just do it. No need to rely on fancy
stuff that might not even be available on your preferred platform.
Thanks,
Dscho
next prev parent reply other threads:[~2019-01-15 14:06 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-11 22:14 [PATCH 0/6] getenv() timing fixes Jeff King
2019-01-11 22:15 ` [PATCH 1/6] get_super_prefix(): copy getenv() result Jeff King
2019-01-12 3:02 ` Junio C Hamano
2019-01-11 22:15 ` [PATCH 2/6] commit: copy saved " Jeff King
2019-01-12 3:07 ` Junio C Hamano
2019-01-12 10:26 ` Jeff King
2019-01-15 14:05 ` Johannes Schindelin [this message]
2019-01-15 19:17 ` Jeff King
2019-01-15 19:25 ` Stefan Beller
2019-01-15 19:32 ` Jeff King
2019-01-16 14:06 ` Johannes Schindelin
2019-01-11 22:15 ` [PATCH 3/6] config: make a copy of $GIT_CONFIG string Jeff King
2019-01-11 22:16 ` [PATCH 4/6] init: make a copy of $GIT_DIR string Jeff King
2019-01-12 3:08 ` Junio C Hamano
2019-01-11 22:16 ` [PATCH 5/6] merge-recursive: copy $GITHEAD strings Jeff King
2019-01-12 3:10 ` Junio C Hamano
2019-01-11 22:17 ` [PATCH 6/6] builtin_diff(): read $GIT_DIFF_OPTS closer to use Jeff King
2019-01-12 11:31 ` [PATCH 0/6] getenv() timing fixes Ævar Arnfjörð Bjarmason
2019-01-12 18:51 ` Stefan Beller
2019-01-15 19:13 ` Jeff King
2019-01-15 19:32 ` Junio C Hamano
2019-01-15 19:38 ` Stefan Beller
2019-01-15 19:41 ` Jeff King
2019-01-15 19:47 ` Jeff King
2019-01-15 20:49 ` Junio C Hamano
2019-01-15 19:12 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.QRO.7.76.6.1901151502130.41@tvgsbejvaqbjf.bet \
--to=johannes.schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).