[PATCH] gpg-interface.c: Fix potentially freeing NULL values

[PATCH] gpg-interface.c: Fix potentially freeing NULL values

[Michał Górny]

Fix signature_check_clear() to free only values that are non-NULL.  This
especially applies to 'key' and 'signer' members that can be NULL during
normal operations, depending on exact GnuPG output.  While at it, also
allow other members to be NULL to make the function easier to use,
even if there is no real need to account for that right now.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 gpg-interface.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 35c25106a..9aedaf464 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -15,9 +15,14 @@ static const char *gpg_program = "gpg";
 void signature_check_clear(struct signature_check *sigc)
 {
-	FREE_AND_NULL(sigc->payload);
-	FREE_AND_NULL(sigc->gpg_output);
-	FREE_AND_NULL(sigc->gpg_status);
-	FREE_AND_NULL(sigc->signer);
-	FREE_AND_NULL(sigc->key);
+	if (sigc->payload)
+		FREE_AND_NULL(sigc->payload);
+	if (sigc->gpg_output)
+		FREE_AND_NULL(sigc->gpg_output);
+	if (sigc->gpg_status)
+		FREE_AND_NULL(sigc->gpg_status);
+	if (sigc->signer)
+		FREE_AND_NULL(sigc->signer);
+	if (sigc->key)
+		FREE_AND_NULL(sigc->key);
 }
 
-- 
2.18.0

Re: [PATCH] gpg-interface.c: Fix potentially freeing NULL values

[Eric Sunshine]

On Fri, Aug 17, 2018 at 5:17 AM Michał Górny <mgorny@gentoo.org> wrote:
> Fix signature_check_clear() to free only values that are non-NULL.  This
> especially applies to 'key' and 'signer' members that can be NULL during
> normal operations, depending on exact GnuPG output.  While at it, also
> allow other members to be NULL to make the function easier to use,
> even if there is no real need to account for that right now.

free(NULL) is valid behavior[1] and much of the Git codebase relies upon it.

Did you run into a case where it misbehaved?

[1]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/free.html

> Signed-off-by: Michał Górny <mgorny@gentoo.org>
> ---
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 35c25106a..9aedaf464 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -15,9 +15,14 @@ static const char *gpg_program = "gpg";
>  void signature_check_clear(struct signature_check *sigc)
>  {
> -       FREE_AND_NULL(sigc->payload);
> -       FREE_AND_NULL(sigc->gpg_output);
> -       FREE_AND_NULL(sigc->gpg_status);
> -       FREE_AND_NULL(sigc->signer);
> -       FREE_AND_NULL(sigc->key);
> +       if (sigc->payload)
> +               FREE_AND_NULL(sigc->payload);
> +       if (sigc->gpg_output)
> +               FREE_AND_NULL(sigc->gpg_output);
> +       if (sigc->gpg_status)
> +               FREE_AND_NULL(sigc->gpg_status);
> +       if (sigc->signer)
> +               FREE_AND_NULL(sigc->signer);
> +       if (sigc->key)
> +               FREE_AND_NULL(sigc->key);
>  }

Re: [PATCH] gpg-interface.c: Fix potentially freeing NULL values

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 2199 bytes --]

On Fri, 2018-08-17 at 05:28 -0400, Eric Sunshine wrote:
> On Fri, Aug 17, 2018 at 5:17 AM Michał Górny <mgorny@gentoo.org> wrote:
> > Fix signature_check_clear() to free only values that are non-NULL.  This
> > especially applies to 'key' and 'signer' members that can be NULL during
> > normal operations, depending on exact GnuPG output.  While at it, also
> > allow other members to be NULL to make the function easier to use,
> > even if there is no real need to account for that right now.
> 
> free(NULL) is valid behavior[1] and much of the Git codebase relies upon it.
> 
> Did you run into a case where it misbehaved?

Nope.  I was actually wondering if it's expected, so I did a quick grep
to check whether git is checking pointers for non-NULL before free()ing,
and found at least one:

blame.c-static void drop_origin_blob(struct blame_origin *o)
blame.c-{
blame.c-        if (o->file.ptr) {
blame.c:                FREE_AND_NULL(o->file.ptr);
blame.c-        }
blame.c-}

So I wrongly presumed it might be desirable.  If it's not, that's fine
by me.

> 
> [1]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/free.html
> 
> > Signed-off-by: Michał Górny <mgorny@gentoo.org>
> > ---
> > diff --git a/gpg-interface.c b/gpg-interface.c
> > index 35c25106a..9aedaf464 100644
> > --- a/gpg-interface.c
> > +++ b/gpg-interface.c
> > @@ -15,9 +15,14 @@ static const char *gpg_program = "gpg";
> >  void signature_check_clear(struct signature_check *sigc)
> >  {
> > -       FREE_AND_NULL(sigc->payload);
> > -       FREE_AND_NULL(sigc->gpg_output);
> > -       FREE_AND_NULL(sigc->gpg_status);
> > -       FREE_AND_NULL(sigc->signer);
> > -       FREE_AND_NULL(sigc->key);
> > +       if (sigc->payload)
> > +               FREE_AND_NULL(sigc->payload);
> > +       if (sigc->gpg_output)
> > +               FREE_AND_NULL(sigc->gpg_output);
> > +       if (sigc->gpg_status)
> > +               FREE_AND_NULL(sigc->gpg_status);
> > +       if (sigc->signer)
> > +               FREE_AND_NULL(sigc->signer);
> > +       if (sigc->key)
> > +               FREE_AND_NULL(sigc->key);
> >  }

-- 
Best regards,
Michał Górny

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

[PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Ævar Arnfjörð Bjarmason]

Change the few conditional uses of FREE_AND_NULL(x) to be
unconditional. As noted in the standard[1] free(NULL) is perfectly
valid, so we might as well leave this check up to the C library.

1. http://pubs.opengroup.org/onlinepubs/9699919799/functions/free.html

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
---

Let's do the opposite of this instead.

 blame.c     | 4 +---
 branch.c    | 4 +---
 http.c      | 4 +---
 tree-diff.c | 4 +---
 4 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/blame.c b/blame.c
index 58a7036847..b22a95de7b 100644
--- a/blame.c
+++ b/blame.c
@@ -334,9 +334,7 @@ static void fill_origin_blob(struct diff_options *opt,
 
 static void drop_origin_blob(struct blame_origin *o)
 {
-	if (o->file.ptr) {
-		FREE_AND_NULL(o->file.ptr);
-	}
+	FREE_AND_NULL(o->file.ptr);
 }
 
 /*
diff --git a/branch.c b/branch.c
index ecd710d730..776f55fc66 100644
--- a/branch.c
+++ b/branch.c
@@ -25,9 +25,7 @@ static int find_tracked_branch(struct remote *remote, void *priv)
 			tracking->remote = remote->name;
 		} else {
 			free(tracking->spec.src);
-			if (tracking->src) {
-				FREE_AND_NULL(tracking->src);
-			}
+			FREE_AND_NULL(tracking->src);
 		}
 		tracking->spec.src = NULL;
 	}
diff --git a/http.c b/http.c
index b4bfbceaeb..4162860ee3 100644
--- a/http.c
+++ b/http.c
@@ -2418,9 +2418,7 @@ void release_http_object_request(struct http_object_request *freq)
 		close(freq->localfile);
 		freq->localfile = -1;
 	}
-	if (freq->url != NULL) {
-		FREE_AND_NULL(freq->url);
-	}
+	FREE_AND_NULL(freq->url);
 	if (freq->slot != NULL) {
 		freq->slot->callback_func = NULL;
 		freq->slot->callback_data = NULL;
diff --git a/tree-diff.c b/tree-diff.c
index fe2e466ac1..553bc0e63a 100644
--- a/tree-diff.c
+++ b/tree-diff.c
@@ -557,9 +557,7 @@ struct combine_diff_path *diff_tree_paths(
 	 * free pre-allocated last element, if any
 	 * (see path_appendnew() for details about why)
 	 */
-	if (p->next) {
-		FREE_AND_NULL(p->next);
-	}
+	FREE_AND_NULL(p->next);
 
 	return p;
 }
-- 
2.18.0.865.gffc8e1a3cd6

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Duy Nguyen]

On Fri, Aug 17, 2018 at 3:05 PM Ævar Arnfjörð Bjarmason
<avarab@gmail.com> wrote:
>
> Change the few conditional uses of FREE_AND_NULL(x) to be
> unconditional. As noted in the standard[1] free(NULL) is perfectly
> valid, so we might as well leave this check up to the C library.

I'm not trying to make you work more on this. But out of curiosity
would coccinelle help catch this pattern? Szeder's recent work on
running cocci automatically would help catch all future code like this
if we could write an spatch.
-- 
Duy

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Duy Nguyen]

On Fri, Aug 17, 2018 at 04:36:13PM +0200, Duy Nguyen wrote:
> On Fri, Aug 17, 2018 at 3:05 PM Ævar Arnfjörð Bjarmason
> <avarab@gmail.com> wrote:
> >
> > Change the few conditional uses of FREE_AND_NULL(x) to be
> > unconditional. As noted in the standard[1] free(NULL) is perfectly
> > valid, so we might as well leave this check up to the C library.
> 
> I'm not trying to make you work more on this. But out of curiosity
> would coccinelle help catch this pattern? Szeder's recent work on
> running cocci automatically would help catch all future code like this
> if we could write an spatch.

Just fyi this seems to do the trick. Although I'm nowhere good at
coccinelle to say if we should include this (or something like it)

-- 8< --
diff --git a/contrib/coccinelle/free.cocci b/contrib/coccinelle/free.cocci
index 4490069df9..f8e018d104 100644
--- a/contrib/coccinelle/free.cocci
+++ b/contrib/coccinelle/free.cocci
@@ -16,3 +16,9 @@ expression E;
 - free(E);
 + FREE_AND_NULL(E);
 - E = NULL;
+
+@@
+expression E;
+@@
+- if (E) { FREE_AND_NULL(E); }
++ FREE_AND_NULL(E);
-- 8< --

--
Duy

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Junio C Hamano]

Duy Nguyen <pclouds@gmail.com> writes:

> Just fyi this seems to do the trick. Although I'm nowhere good at
> coccinelle to say if we should include this (or something like it)
>
> -- 8< --
> diff --git a/contrib/coccinelle/free.cocci b/contrib/coccinelle/free.cocci
> index 4490069df9..f8e018d104 100644
> --- a/contrib/coccinelle/free.cocci
> +++ b/contrib/coccinelle/free.cocci
> @@ -16,3 +16,9 @@ expression E;
>  - free(E);
>  + FREE_AND_NULL(E);
>  - E = NULL;
> +
> +@@
> +expression E;
> +@@
> +- if (E) { FREE_AND_NULL(E); }
> ++ FREE_AND_NULL(E);

It is a bit sad that

	- if (E)
	  FREE_AND_NULL(E);

is not sufficient to catch it.  Shouldn't we be doing the same for
regular free(E) as well?  IOW, like the attached patch.

 contrib/coccinelle/free.cocci | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/contrib/coccinelle/free.cocci b/contrib/coccinelle/free.cocci
index 4490069df9..f748bcfe30 100644
--- a/contrib/coccinelle/free.cocci
+++ b/contrib/coccinelle/free.cocci
@@ -16,3 +16,27 @@ expression E;
 - free(E);
 + FREE_AND_NULL(E);
 - E = NULL;
+
+@@
+expression E;
+@@
+- if (E)
+  FREE_AND_NULL(E);
+
+@@
+expression E;
+@@
+- if (E) { free(E); }
++ free(E);
+
+@@
+expression E;
+@@
+- if (!E) { free(E); }
++ free(E);
+
+@@
+expression E;
+@@
+- if (E) { FREE_AND_NULL(E); }
++ FREE_AND_NULL(E);

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

> It is a bit sad that
>
> 	- if (E)
> 	  FREE_AND_NULL(E);
>
> is not sufficient to catch it.  Shouldn't we be doing the same for
> regular free(E) as well?  IOW, like the attached patch.
> ...

And revised even more to also spell "E" as "E != NULL" (and "!E" as
"E == NULL"), which seems to make a difference, which is even more
sad.  I do not want to wonder if I have to also add "NULL == E" and
other variants, so I'll stop here.

 contrib/coccinelle/free.cocci | 60 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/contrib/coccinelle/free.cocci b/contrib/coccinelle/free.cocci
index 4490069df9..29ca98796f 100644
--- a/contrib/coccinelle/free.cocci
+++ b/contrib/coccinelle/free.cocci
@@ -16,3 +16,63 @@ expression E;
 - free(E);
 + FREE_AND_NULL(E);
 - E = NULL;
+
+@@
+expression E;
+@@
+- if (E)
+  FREE_AND_NULL(E);
+
+@@
+expression E;
+@@
+- if (E != NULL)
+  free(E);
+
+@@
+expression E;
+@@
+- if (E == NULL)
+  free(E);
+
+@@
+expression E;
+@@
+- if (E != NULL)
+  FREE_AND_NULL(E);
+
+@@
+expression E;
+@@
+- if (E) { free(E); }
++ free(E);
+
+@@
+expression E;
+@@
+- if (!E) { free(E); }
++ free(E);
+
+@@
+expression E;
+@@
+- if (E) { FREE_AND_NULL(E); }
++ FREE_AND_NULL(E);
+
+@@
+expression E;
+@@
+- if (E != NULL) { free(E); }
++ free(E);
+
+@@
+expression E;
+@@
+- if (E == NULL) { free(E); }
++ free(E);
+
+@@
+expression E;
+@@
+- if (E != NULL) { FREE_AND_NULL(E); }
++ FREE_AND_NULL(E);

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Jeff King]

On Fri, Aug 17, 2018 at 10:07:36AM -0700, Junio C Hamano wrote:

> Junio C Hamano <gitster@pobox.com> writes:
> 
> > It is a bit sad that
> >
> > 	- if (E)
> > 	  FREE_AND_NULL(E);
> >
> > is not sufficient to catch it.  Shouldn't we be doing the same for
> > regular free(E) as well?  IOW, like the attached patch.
> > ...
> 
> And revised even more to also spell "E" as "E != NULL" (and "!E" as
> "E == NULL"), which seems to make a difference, which is even more
> sad.  I do not want to wonder if I have to also add "NULL == E" and
> other variants, so I'll stop here.

I think it makes sense that these are all distinct if you're using
coccinelle to do stylistic transformations between them (e.g., enforcing
curly braces even around one-liners).

I wonder if there is a way to "relax" a pattern where these semantically
equivalent cases can all be covered automatically. I don't know enough
about the tool to say.

I guess one way to do it would be to normalize the style in one rule
(e.g., always "!E" instead of "E == NULL"), and then you only have to
write the FREE_AND_NULL rule for the normalized form. For a single case
like this, the end result is about the same number of rules, but in the
long term it saves us work when we have a similar transformation.

-Peff

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Jeff King]

On Fri, Aug 17, 2018 at 01:33:08PM -0400, Jeff King wrote:

> > And revised even more to also spell "E" as "E != NULL" (and "!E" as
> > "E == NULL"), which seems to make a difference, which is even more
> > sad.  I do not want to wonder if I have to also add "NULL == E" and
> > other variants, so I'll stop here.
> 
> I think it makes sense that these are all distinct if you're using
> coccinelle to do stylistic transformations between them (e.g., enforcing
> curly braces even around one-liners).
> 
> I wonder if there is a way to "relax" a pattern where these semantically
> equivalent cases can all be covered automatically. I don't know enough
> about the tool to say.

Hmm. They seem to call these "standard isomorphisms":

  http://coccinelle.lip6.fr/standard.iso.html

but I'm not sure of the correct way to use them (e.g., if we want to
apply them for matching but not actually transform the code, though I am
not actually opposed to transforming the code, too).

-Peff

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Jeff King]

On Fri, Aug 17, 2018 at 01:39:51PM -0400, Jeff King wrote:

> > I wonder if there is a way to "relax" a pattern where these semantically
> > equivalent cases can all be covered automatically. I don't know enough
> > about the tool to say.
> 
> Hmm. They seem to call these "standard isomorphisms":
> 
>   http://coccinelle.lip6.fr/standard.iso.html
> 
> but I'm not sure of the correct way to use them (e.g., if we want to
> apply them for matching but not actually transform the code, though I am
> not actually opposed to transforming the code, too).

Hmph, I should really pause before hitting 'send'. Last message, I
promise. :)

I do not see an option to include a list an arbitrary set of
isomorphisms, but the standard.iso list should be used by default. I
wonder if you simply need to write your case in the normalized version
they use there (which I think is "X == NULL"), and the others would be
taken care of.

-Peff

Re: [PATCH] refactor various if (x) FREE_AND_NULL(x) to just FREE_AND_NULL(x)

[Duy Nguyen]

On Fri, Aug 17, 2018 at 7:33 PM Jeff King <peff@peff.net> wrote:
>
> On Fri, Aug 17, 2018 at 10:07:36AM -0700, Junio C Hamano wrote:
>
> > Junio C Hamano <gitster@pobox.com> writes:
> >
> > > It is a bit sad that
> > >
> > >     - if (E)
> > >       FREE_AND_NULL(E);
> > >
> > > is not sufficient to catch it.  Shouldn't we be doing the same for
> > > regular free(E) as well?  IOW, like the attached patch.
> > > ...
> >
> > And revised even more to also spell "E" as "E != NULL" (and "!E" as
> > "E == NULL"), which seems to make a difference, which is even more
> > sad.  I do not want to wonder if I have to also add "NULL == E" and
> > other variants, so I'll stop here.
>
> I think it makes sense that these are all distinct if you're using
> coccinelle to do stylistic transformations between them (e.g., enforcing
> curly braces even around one-liners).

Googling a bit shows a kernel patch [1]. Assuming that it works (I
didn't check if it made it to linux.git) it would simplify our rules a
bit.

[1] https://patchwork.kernel.org/patch/5167641/
-- 
Duy