Allocate msg only after fatal checks to avoid leaks #1998
+8
−8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3186d2d to
c8490e9
Compare
|
/submit |
|
Error: User jinyaoguo is not yet permitted to use GitGitGadget |
In parse_reuse_arg, we previously called xmalloc and strbuf_init before resolving the ref and reading the object, leading to a leaked msg on die() paths. This change moves the allocation of struct note_msg until after repo_get_oid and repo_read_object_file succeed, ensuring no heap memory is held when a fatal error is triggered. Signed-off-by: jinyaoguo <[email protected]>
|
/submit |
|
Submitted as [email protected] To fetch this version into To fetch this version to local tag |
|
On the Git mailing list, Junio C Hamano wrote (reply to this): "Alex via GitGitGadget" <[email protected]> writes:
> - if (type != OBJ_BLOB) {
> - strbuf_release(&msg->buf);
> - free(value);
> - free(msg);
> - die(_("cannot read note data from non-blob object '%s'."), arg);
> - }
> + if (type != OBJ_BLOB) {
> + free(value);
> + die(_("cannot read note data from non-blob object '%s'."), arg);
> + }
> +
> + msg = xmalloc(sizeof(*msg));
> + strbuf_init(&msg->buf, 0);
ALl the new lines seem to be indented by four spaces. Check with
Documantation/CodingGuidelines.
Also, Documantation/SubmittingPatches::[[real-name]] asks folks to
use their real name as authorname. You prefer your purdue
address, that is fine, but let's do something like
From: Jinyao Guo <[email protected]>
Signed-off-by: Jinyao Guo <[email protected]>
|
|
On the Git mailing list, lidongyan wrote (reply to this): Alex via GitGitGadget <[email protected]> writes:
>
> From: jinyaoguo <[email protected]>
>
> In parse_reuse_arg, we previously called xmalloc and strbuf_init
> before resolving the ref and reading the object, leading to a
> leaked msg on die() paths. This change moves the allocation of
A memory leak on the die() path shouldn't be considered a real leak,
right? Since the OS will clean up all memory once the process
terminates, explicitly freeing msg isn't necessary in this case.
Lidong |
|
User |
|
On the Git mailing list, Junio C Hamano wrote (reply to this): lidongyan <[email protected]> writes:
> Alex via GitGitGadget <[email protected]> writes:
>>
>> From: jinyaoguo <[email protected]>
>>
>> In parse_reuse_arg, we previously called xmalloc and strbuf_init
>> before resolving the ref and reading the object, leading to a
>> leaked msg on die() paths. This change moves the allocation of
>
> A memory leak on the die() path shouldn't be considered a real leak,
> right? Since the OS will clean up all memory once the process
> terminates, explicitly freeing msg isn't necessary in this case.
It may not matter in practice, but I think the leak checking
machinery like sanitizers would still complain, so I view efforts on
plugging such leaks in the error code paths more about decluttering
the leak checker output to help us spot the real leaks. |
|
On the Git mailing list, lidongyan wrote (reply to this): Junio C Hamano <[email protected]> writes:
>
> lidongyan <[email protected]> writes:
>
>> Alex via GitGitGadget <[email protected]> writes:
>>>
>>> From: jinyaoguo <[email protected]>
>>>
>>> In parse_reuse_arg, we previously called xmalloc and strbuf_init
>>> before resolving the ref and reading the object, leading to a
>>> leaked msg on die() paths. This change moves the allocation of
>>
>> A memory leak on the die() path shouldn't be considered a real leak,
>> right? Since the OS will clean up all memory once the process
>> terminates, explicitly freeing msg isn't necessary in this case.
>
> It may not matter in practice, but I think the leak checking
> machinery like sanitizers would still complain, so I view efforts on
> plugging such leaks in the error code paths more about decluttering
> the leak checker output to help us spot the real leaks.
Makes sense. However, inserting a free-like statement in die() would be
messier than using goto, since each die() has a unique message and we
need to free stuff at each die(). |
|
On the Git mailing list, Jeff King wrote (reply to this): On Sat, Jun 14, 2025 at 08:40:43AM -0700, Junio C Hamano wrote:
> > A memory leak on the die() path shouldn't be considered a real leak,
> > right? Since the OS will clean up all memory once the process
> > terminates, explicitly freeing msg isn't necessary in this case.
>
> It may not matter in practice, but I think the leak checking
> machinery like sanitizers would still complain, so I view efforts on
> plugging such leaks in the error code paths more about decluttering
> the leak checker output to help us spot the real leaks.
I disagree here. These are not really leaks, and a leak-checker that
complains about them is bad.
When we call die(), the pointer to the buffer is still on the stack, and
thus the memory is still reachable and not leaked. Some tools like
valgrind may still report these as "still reachable", but because they
categorize them properly we can ignore them[1].
The one exception we've seen is that an optimizing compiler may reorder
instructions to obliterate the stack (because it knows die() is marked
with NORETURN), causing a false positive. We dealt with that via
d3775de074 (Makefile: force -O0 when compiling with SANITIZE=leak,
2022-10-18). I don't think we've seen any recurrence since then.
And while it may be tempting to say "well, it does not hurt to free them
on the die() path", in my opinion that way madness lies. You may have
access to some local variables that can be freed, but there will be many
other heap allocations that you don't even know about! Here's a toy
example from a similar discussion a few years ago:
https://lore.kernel.org/git/[email protected]/
So I'd really prefer not to go down this route. And I think the existing
code in this patch's pre-image that calls free() before die() only on
one path should be simplified, so that all die() paths consistently do
not worry about this.
I.e., this:
diff --git a/builtin/notes.c b/builtin/notes.c
index cc1163242f..f3d5eda104 100644
--- a/builtin/notes.c
+++ b/builtin/notes.c
@@ -321,12 +321,8 @@ static int parse_reuse_arg(const struct option *opt, const char *arg, int unset)
die(_("failed to resolve '%s' as a valid ref."), arg);
if (!(value = odb_read_object(the_repository->objects, &object, &type, &len)))
die(_("failed to read object '%s'."), arg);
- if (type != OBJ_BLOB) {
- strbuf_release(&msg->buf);
- free(value);
- free(msg);
+ if (type != OBJ_BLOB)
die(_("cannot read note data from non-blob object '%s'."), arg);
- }
strbuf_add(&msg->buf, value, len);
free(value);
-Peff
[1] "still reachable" leaks _can_ be useful when returning from main,
because they may show memory held in global structures that we might
have been able to free at a more timely spot. But there are a lot of
these in Git, most of which are not interesting (e.g., is freeing
the_repository really worth caring about?), and I don't think there
is a good way to tell the difference.
More pontificating from that earlier discussion:
https://lore.kernel.org/git/[email protected]/ |
|
User |
|
On the Git mailing list, Junio C Hamano wrote (reply to this): Jeff King <[email protected]> writes:
> And while it may be tempting to say "well, it does not hurt to free them
> on the die() path", in my opinion that way madness lies. You may have
> access to some local variables that can be freed, but there will be many
> other heap allocations that you don't even know about! Here's a toy
> example from a similar discussion a few years ago:
>
> https://lore.kernel.org/git/[email protected]/
Yeah, I recall that discussion and the example. Yes, we should not
have to crawl up from a direct caller of die() and free everything
these stack frames hold.
> I.e., this:
>
> diff --git a/builtin/notes.c b/builtin/notes.c
> index cc1163242f..f3d5eda104 100644
> --- a/builtin/notes.c
> +++ b/builtin/notes.c
> @@ -321,12 +321,8 @@ static int parse_reuse_arg(const struct option *opt, const char *arg, int unset)
> die(_("failed to resolve '%s' as a valid ref."), arg);
> if (!(value = odb_read_object(the_repository->objects, &object, &type, &len)))
> die(_("failed to read object '%s'."), arg);
> - if (type != OBJ_BLOB) {
> - strbuf_release(&msg->buf);
> - free(value);
> - free(msg);
> + if (type != OBJ_BLOB)
> die(_("cannot read note data from non-blob object '%s'."), arg);
> - }
Much nicer. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
cc: lidongyan [email protected]
cc: Jeff King [email protected]