
NULL dereference in matras #14

Open
rtsisyk opened this issue Jan 31, 2017 · 0 comments
rtsisyk commented Jan 31, 2017

See lines 359 and 363:

void
314matras_destroy_read_view(struct matras *m, struct matras_view *v)
315{
   1. Condition v != &m->head, taking true branch.
316        assert(v != &m->head);
   2. Condition !v->next_view, taking false branch.
317        if (!v->next_view)
318                return;
319        struct matras_view *next_view = v->next_view;
320        struct matras_view *prev_view = v->prev_view;
321        next_view->prev_view = prev_view;
   3. Condition prev_view, taking true branch.
322        if (prev_view)
323                prev_view->next_view = next_view;
324        v->next_view = 0;
325
   4. Condition v->block_count == 0, taking false branch.
326        if (v->block_count == 0)
327                return;
   5. Condition v->root == next_view->root, taking true branch.
   6. Condition next_view->block_count, taking false branch.
328        if (v->root == next_view->root && next_view->block_count)
329                return;
   7. Condition prev_view, taking true branch.
   8. Condition v->root == prev_view->root, taking false branch.
330        if (prev_view && v->root == prev_view->root && prev_view->block_count)
331                return;
332        void **extent1 = (void **)v->root;
333        void **extent1n = (void **) next_view->root;
334        void **extent1p = 0;
   9. Condition prev_view, taking true branch.
335        if (prev_view)
336                extent1p = (void **) prev_view->root;
337        matras_id_t step1 = m->mask1 + 1;
338        matras_id_t step2 = m->mask2 + 1;
339        matras_id_t i1 = 0, j1 = 0, i2, j2;
340        matras_id_t ptrs_in_ext = m->extent_size / (matras_id_t)sizeof(void *);
   10. Condition j1 < v->block_count, taking true branch.
   16. Condition j1 < v->block_count, taking true branch.
341        for (; j1 < v->block_count; i1++, j1 += step1) {
342                void **extent2 = (void **)extent1[i1];
343                void **extent2n = 0;
   17. assign_zero: Assigning: extent2p = NULL.
344                void **extent2p = 0;
   11. Condition next_view->block_count > j1, taking false branch.
   18. Condition next_view->block_count > j1, taking false branch.
345                if (next_view->block_count > j1) {
346                        if (extent1[i1] == extent1n[i1])
347                                continue;
348                        extent2n = (void **) extent1n[i1];
349                }
   12. Condition prev_view, taking true branch.
   13. Condition prev_view->block_count > j1, taking true branch.
   19. Condition prev_view, taking true branch.
   20. Condition prev_view->block_count > j1, taking false branch.
350                if (prev_view && prev_view->block_count > j1) {
   14. Condition extent1[i1] == extent1p[i1], taking true branch.
351                        if (extent1[i1] == extent1p[i1])
   15. Continuing loop.
352                                continue;
353                        extent2p = (void **) extent1p[i1];
354                }
   21. Condition i2 < ptrs_in_ext, taking true branch.
   22. Condition j1 + j2 < v->block_count, taking true branch.
   27. Condition i2 < ptrs_in_ext, taking true branch.
   28. Condition j1 + j2 < v->block_count, taking true branch.
355                for (i2 = j2 = 0;
356                     i2 < ptrs_in_ext && j1 + j2 < v->block_count;
357                     i2++, j2 += step2) {
358                        void **extent3 = (void **)extent2[i2];
   23. Condition next_view->block_count > j1 + j2, taking false branch.
   29. Condition next_view->block_count > j1 + j2, taking false branch.
359                        if (next_view->block_count > j1 + j2) {
   CID 1398748: Explicit null dereferenced (FORWARD_NULL)
360                                if (extent2[i2] == extent2n[i2])
361                                        continue;
362                        }
   24. Condition prev_view, taking true branch.
   25. Condition prev_view->block_count > j1 + j2, taking false branch.
   30. Condition prev_view, taking true branch.
   31. Condition prev_view->block_count > j1 + j2, taking true branch.
363                        if (prev_view && prev_view->block_count > j1 + j2) {
   CID 1398732 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)
   32. var_deref_op: Dereferencing null pointer extent2p.
364                                if (extent2[i2] == extent2p[i2])
365                                        continue;
366                        }
367                        matras_free_extent(m, extent3);
   26. Jumping back to the beginning of the loop.
368                }
369                matras_free_extent(m, extent2);
370        }
371        matras_free_extent(m, extent1);
372}

Found by Coverity.

@rtsisyk rtsisyk added the bug Something isn't working label Jan 31, 2017
@kyukhin kyukhin added this to the wishlist milestone Oct 15, 2021