Re: Fwd: coverity problems in reftable code

["Ævar Arnfjörð Bjarmason" <avarab@gmail.com>]

On Tue, Dec 07 2021, Han-Wen Nienhuys wrote:

> On Sat, Dec 4, 2021 at 3:13 AM Jeff King <peff@peff.net> wrote:
>> We're not doing project-wide analysis with Coverity right now, but I've
>> been doing builds of my personal repo, which I usually build off of
>> next. And since hn/reftable just hit next, it got included in my latest
>> build.
>>
>> It came up with several complaints. Some of them are dumb and can be
>> ignored (e.g., using rand() in a test harness, oh no!) but I poked at a
>> few and they look like real issues:
>
> I fixed most of the obvious ones.
>
>>   - A lot of your structs have vtables. Initializing them to NULL, as in
>>     reftable_reader_refs_for_indexed(), leaves the risk that we'll try
>>     to call a NULL function pointer, even if it's for something simple
>
> I have the impression that coverity doesn't understand enough of the
> control flow.  Some of the things it complains of are code paths that
> only get executed if err==0, in which case, the struct members at hand
> should not be null.

I think coverity is right and the code has a logic error as it
suggests.

In the reftable_reader_refs_for_indexed() example Jeff cites we'll "goto
done" on error, and the reftable_record_release(&got_rec) will proceed
to segfault since the next thing we do is to try to dereference a NULL
pointer in reftable_record_release().

You can reproduce that as a segfault in your tests with e.g. this patch
below, which just emulates what would happen if "err != 0":

diff --git a/reftable/reader.c b/reftable/reader.c
index 006709a645a..4c87b75a982 100644
--- a/reftable/reader.c
+++ b/reftable/reader.c
@@ -663,6 +663,7 @@ static int reftable_reader_refs_for_indexed(struct reftable_reader *r,
        /* Look through the reverse index. */
        reftable_record_from_obj(&want_rec, &want);
        err = reader_seek(r, &oit, &want_rec);
+       goto done;
        if (err != 0)
                goto done;

In that particular case this appears to be the quick fix that's needed:

diff --git a/reftable/record.c b/reftable/record.c
index 6a5dac32dc6..e6594d555e5 100644
--- a/reftable/record.c
+++ b/reftable/record.c
@@ -1090,6 +1090,8 @@ int reftable_record_decode(struct reftable_record *rec, struct strbuf key,
 
 void reftable_record_release(struct reftable_record *rec)
 {
+       if (!rec || !rec->ops)
+               return;
        rec->ops->release(rec->data);
 }

But in general this looks like an excellent candidate for some test
fuzzing, i.e. to intrstrument the various "err" returning functions to
chaos-monkey return non-zero some of the time and check for segfaults.