From 9f3322c7847a7b41ce2ee653af195efe10d20cab Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Fri, 12 Apr 2024 15:10:34 +0100
Subject: [PATCH] gdbusdaemon: Disable scan-build for GDBusDaemon name refcounting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See the code comment. scan-build can’t handle analysis over the refcounts, so consistently complains about potential use-after-free errors in the code, essentially because:
* It understands `name_unref()`, but completely ignores `name_ref()`
* The code often calls `name_unref()` on the ‘wrong’ pointer, in the sense that it knows that if another struct exists, that struct holds a ref on a `Name`, but without actually having a pointer to the `Name`. So the code calls `name_unref (name); name_unref (name)`. That’s valid, but quite understandably looks like a recipe for a use-after-free.
Signed-off-by: Philip Withnall
Helps: #1767
---
 gio/gdbusdaemon.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/gio/gdbusdaemon.c b/gio/gdbusdaemon.c
index 8ad85b9d7..948dd803e 100644
--- a/gio/gdbusdaemon.c
+++ b/gio/gdbusdaemon.c
@@ -199,6 +199,16 @@ name_ref (Name *name)
 static void
 name_unref (Name *name)
 {
+ /* scan-build with clang-17 can’t follow the refcounting of `Name` structs
+ * throughout this file. Probably because there are structures like `NameOwner`
+ * which cause a ref to be added to a `Name` while they exist, but which don’t
+ * actually have a pointer to the `Name`, so the unref of the `Name` when they
+ * are freed looks like a double-unref.
+ *
+ * So, until the static analysis improves, or we find some way to restructure
+ * the code, squash the false positive use-after-free or double-unref warnings
+ * by making this function a no-op to the static analyser. */
+#ifndef G_ANALYZER_ANALYZING
 g_assert (name->refcount > 0);
 if (--name->refcount == 0)
 {
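Review bot: Compiling the whole body out under `G_ANALYZER_ANALYZING` leaves `name` an unused parameter in analyser builds, and it also removes the only `g_free (name)` the analyser ever sees, so genuine leaks or use-after-free of a `Name` in this file become undetectable rather than merely un-flagged; the second hunk's `#endif` closes the same block. If `G_ANALYZER_ANALYZING` is also set for Coverity, as I believe GLib's macro is, the suppression is wider than the clang-17 scan-build case the comment describes, which is worth stating in the comment. A minimal change in the second hunk would be `#else` / `  (void) name;  /* refcounting is opaque to the static analyser, see above */` before the `#endif`, and the comment could add one sentence noting that real Name refcount bugs in this file now need a runtime tool (e.g. ASan) rather than the analyser. The rest of name_unref's body lies between the two hunks, outside this view.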
@@ -206,6 +216,7 @@ name_unref (Name *name)
 g_free (name->name);
 g_free (name);
 }
+#endif
 }
 
 static Name *