| Message ID | 20230211111526.2028178-1-e@80x24.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | commit-reach: avoid NULL dereference | expand |
Eric Wong <e@80x24.org> writes: > Not sure if somebody who understands the code better can come > up with a good standalone test case. I figure using the top > loop as reference is sufficient evidence that this fix is needed. Good comment. > commit-reach.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/commit-reach.c b/commit-reach.c > index 2e33c599a82..1d7056338b7 100644 > --- a/commit-reach.c > +++ b/commit-reach.c > @@ -807,8 +807,12 @@ int can_all_from_reach_with_flag(struct object_array *from, > clear_commit_marks_many(nr_commits, list, RESULT | assign_flag); > free(list); > > - for (i = 0; i < from->nr; i++) > - from->objects[i].item->flags &= ~assign_flag; > + for (i = 0; i < from->nr; i++) { > + struct object *from_one = from->objects[i].item; > + > + if (from_one) > + from_one->flags &= ~assign_flag; > + } The flag clearing rule of this function smells somewhat iffy. There are three primary callers of the function: * commit-reach.c::can_all_from_reach() calls the function, but it has its own loop to clear the flag it asked the function to add. If the function uses the flag as a temporary mark and is designed to clear it from all the objects, as 4067a646 (commit-reach: fix memory and flag leaks, 2018-09-21) states, why should the caller have a separate loop to clear them? * fetch-pack.c::negotiate_using_fetch() calls this function in a loop, so it does depend on it to clear the flag upon returning. * upload-pack.c::ok_to_give_up() is a thin wrapper around this function and none callers of it have any logic to clear flag, so it clearly depends on the function to clear the flag. The above seems to indicate that the expectation by callers is a bit uneven. Shouldn't the first onetrust the callee to clear the flag? Even before 4067a646 (commit-reach: fix memory and flag leaks, 2018-09-21), the function had a call to clear_commit_marks() to clear two bits it used temporarily. The reason why 4067a646 needed to add this additional flag clearing, whose NULL-dereference bug is being fixed with the patch in this thread, is because it marks any incoming object that peels to a non-commit (e.g. a blob, a tree, or a tag that points at a non-commit) with the flag bit, but such a non-commit object is not added to the list[] of commits to be processed, before the main processing of this function. from_one = deref_tag(the_repository, from_one, "a from object", 0); if (!from_one || from_one->type != OBJ_COMMIT) { /* * no way to tell if this is reachable by * looking at the ancestry chain alone, so * leave a note to ourselves not to worry about * this object anymore. */ from->objects[i].item->flags |= assign_flag; continue; } list[nr_commits] = (struct commit *)from_one; But I am not sure if it is even necessary to smudge the flag for the object that was a non-commit (or the tag that peeled down to a non-commit). The main process of this function is a history traversal that stops when the "assign_flag" bit is already set on the found object, but the object that was part of the incoming objects (i.e. in from->objects[] array) that turned out not to be a non-commit would not be discovered during this history walk, would it? In other words, if we walk from list[] that is an array or commits to the parents (but not its trees and blobs), we won't encounter anything but commit. What does it help to smudge an object that peeled down to a non-commit in the incoming set of objects, if it would not appear in the walk from list[]? It would not stop the traversal by having the flag. So I wonder if we can just stop smudging the assign_flag bit for these objects in from->objects[] that do not make it into list[] as a simpler fix? Wouldn't that make the follow-up cleaning loop added by 4067a646 (commit-reach: fix memory and flag leaks, 2018-09-21) unneeded?
On 2/11/2023 5:43 PM, Junio C Hamano wrote: > Eric Wong <e@80x24.org> writes: >> - for (i = 0; i < from->nr; i++) >> - from->objects[i].item->flags &= ~assign_flag; >> + for (i = 0; i < from->nr; i++) { >> + struct object *from_one = from->objects[i].item; >> + >> + if (from_one) >> + from_one->flags &= ~assign_flag; >> + } This looks like a completely safe change to make, so this patch is good to go. > The flag clearing rule of this function smells somewhat iffy. There > are three primary callers of the function: > > * commit-reach.c::can_all_from_reach() calls the function, but it > has its own loop to clear the flag it asked the function to add. > If the function uses the flag as a temporary mark and is designed > to clear it from all the objects, as 4067a646 (commit-reach: fix > memory and flag leaks, 2018-09-21) states, why should the caller > have a separate loop to clear them? ... > The above seems to indicate that the expectation by callers is a bit > uneven. Shouldn't the first onetrust the callee to clear the flag? Yes, that makes sense. (But there's more!) > Even before 4067a646 (commit-reach: fix memory and flag leaks, > 2018-09-21), the function had a call to clear_commit_marks() to > clear two bits it used temporarily. The reason why 4067a646 needed > to add this additional flag clearing, whose NULL-dereference bug is > being fixed with the patch in this thread, is because it marks any > incoming object that peels to a non-commit (e.g. a blob, a tree, or > a tag that points at a non-commit) with the flag bit, but such a > non-commit object is not added to the list[] of commits to be > processed, before the main processing of this function. > > from_one = deref_tag(the_repository, from_one, > "a from object", 0); > if (!from_one || from_one->type != OBJ_COMMIT) { > /* > * no way to tell if this is reachable by > * looking at the ancestry chain alone, so > * leave a note to ourselves not to worry about > * this object anymore. > */ > from->objects[i].item->flags |= assign_flag; > continue; > } > > list[nr_commits] = (struct commit *)from_one; > > But I am not sure if it is even necessary to smudge the flag for the > object that was a non-commit (or the tag that peeled down to a > non-commit). The main process of this function is a history > traversal that stops when the "assign_flag" bit is already set on > the found object, but the object that was part of the incoming > objects (i.e. in from->objects[] array) that turned out not to be a > non-commit would not be discovered during this history walk, would > it? In other words, if we walk from list[] that is an array or > commits to the parents (but not its trees and blobs), we won't > encounter anything but commit. What does it help to smudge an > object that peeled down to a non-commit in the incoming set of > objects, if it would not appear in the walk from list[]? It would > not stop the traversal by having the flag. > > So I wonder if we can just stop smudging the assign_flag bit for > these objects in from->objects[] that do not make it into list[] > as a simpler fix? Wouldn't that make the follow-up cleaning loop > added by 4067a646 (commit-reach: fix memory and flag leaks, > 2018-09-21) unneeded? Thanks for digging into the details here. I agree that this extra assignment of the flag to these non-commit objects is unnecessary since we intend to clear them by the end of the method and don't do anything with the flags otherwise. What you seem to be suggesting is this diff: diff --git a/commit-reach.c b/commit-reach.c index 2e33c599a82..8c387911228 100644 --- a/commit-reach.c +++ b/commit-reach.c @@ -740,10 +740,8 @@ int can_all_from_reach_with_flag(struct object_array *from, /* * no way to tell if this is reachable by * looking at the ancestry chain alone, so - * leave a note to ourselves not to worry about - * this object anymore. + * skip it. */ - from->objects[i].item->flags |= assign_flag; continue; } @@ -856,17 +854,6 @@ int can_all_from_reach(struct commit_list *from, struct commit_list *to, result = can_all_from_reach_with_flag(&from_objs, PARENT2, PARENT1, min_commit_date, min_generation); - - while (from) { - clear_commit_marks(from->item, PARENT1); - from = from->next; - } - - while (to) { - clear_commit_marks(to->item, PARENT2); - to = to->next; - } - object_array_clear(&from_objs); return result; } And instead of the current patch, this should allow the following diff hunk instead: @@ -807,9 +805,6 @@ int can_all_from_reach_with_flag(struct object_array *from, clear_commit_marks_many(nr_commits, list, RESULT | assign_flag); free(list); - for (i = 0; i < from->nr; i++) - from->objects[i].item->flags &= ~assign_flag; - return result; } This avoids the need for the NULL check, since we are skipping the entire loop. The clear_commit_marks_many() is sufficient. Thanks, -Stolee
Derrick Stolee <derrickstolee@github.com> writes: >> The above seems to indicate that the expectation by callers is a bit >> uneven. Shouldn't the first onetrust the callee to clear the flag? > > Yes, that makes sense. (But there's more!) > ... > Thanks for digging into the details here. I agree that this extra > assignment of the flag to these non-commit objects is unnecessary > since we intend to clear them by the end of the method and don't > do anything with the flags otherwise. > > What you seem to be suggesting is this diff: > > diff --git a/commit-reach.c b/commit-reach.c > index 2e33c599a82..8c387911228 100644 > --- a/commit-reach.c > +++ b/commit-reach.c > @@ -740,10 +740,8 @@ int can_all_from_reach_with_flag(struct object_array *from, > /* > * no way to tell if this is reachable by > * looking at the ancestry chain alone, so > - * leave a note to ourselves not to worry about > - * this object anymore. > + * skip it. > */ > - from->objects[i].item->flags |= assign_flag; > continue; > } Agreed with this part. > @@ -856,17 +854,6 @@ int can_all_from_reach(struct commit_list *from, struct commit_list *to, > > result = can_all_from_reach_with_flag(&from_objs, PARENT2, PARENT1, > min_commit_date, min_generation); > - > - while (from) { > - clear_commit_marks(from->item, PARENT1); > - from = from->next; > - } This too. > - while (to) { > - clear_commit_marks(to->item, PARENT2); > - to = to->next; > - } But I didn't think this is redundant. PARENT2 is used to mark "to" commits by this function, not the callee, before making the call. The callee may clear PARENT1 used to mark the ones visited by the traversal starting from the "from" commits, but does not do anything to "with_flag", does it? > object_array_clear(&from_objs); > return result; > } > > And instead of the current patch, this should allow the > following diff hunk instead: > > @@ -807,9 +805,6 @@ int can_all_from_reach_with_flag(struct object_array *from, > clear_commit_marks_many(nr_commits, list, RESULT | assign_flag); > free(list); > > - for (i = 0; i < from->nr; i++) > - from->objects[i].item->flags &= ~assign_flag; > - > return result; > } > > This avoids the need for the NULL check, since we are skipping the > entire loop. The clear_commit_marks_many() is sufficient. Yeah, that was my reading based on very limited and sufrace level of understanding of what this function was doing, although I think my understanding of it is still very skimpy (if I understand it well enough, I would give it a bit more understandable name but I cannot come up with one yet). Thanks.
diff --git a/commit-reach.c b/commit-reach.c index 2e33c599a82..1d7056338b7 100644 --- a/commit-reach.c +++ b/commit-reach.c @@ -807,8 +807,12 @@ int can_all_from_reach_with_flag(struct object_array *from, clear_commit_marks_many(nr_commits, list, RESULT | assign_flag); free(list); - for (i = 0; i < from->nr; i++) - from->objects[i].item->flags &= ~assign_flag; + for (i = 0; i < from->nr; i++) { + struct object *from_one = from->objects[i].item; + + if (from_one) + from_one->flags &= ~assign_flag; + } return result; }
The loop at the top of can_all_from_reach_with_flag() already accounts for `from->objects[i].item' being NULL, so it follows the cleanup loop should also account for a NULL `from_one'. I managed to segfault here on one of my giant, many-remote repos using `git fetch --negotiation-tip=... --negotiation-only' where the --negotiation-tip= argument was a glob which (inadvertently) captured more refs than I wanted. I have not reproduced this in a standalone test case. Signed-off-by: Eric Wong <e@80x24.org> --- Not sure if somebody who understands the code better can come up with a good standalone test case. I figure using the top loop as reference is sufficient evidence that this fix is needed. commit-reach.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)