Leif Hedstrom created TS-3962:
---------------------------------

             Summary: CID 1325824:    (USE_AFTER_FREE) in malloc_bulkfree()
                 Key: TS-3962
                 URL: https://issues.apache.org/jira/browse/TS-3962
             Project: Traffic Server
          Issue Type: Bug
          Components: Core
            Reporter: Leif Hedstrom


{code}
** CID 1325824:    (USE_AFTER_FREE)
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()


________________________________________________________________________________________________________
*** CID 1325824:    (USE_AFTER_FREE)
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
384       void *item = head;
385     
386       // Avoid compiler warnings
387       (void)tail;
388     
389       if (f->alignment) {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
391           ats_memalign_free(item);
392         }
393       } else {
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
395           ats_free(item);
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
388     
389       if (f->alignment) {
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
391           ats_memalign_free(item);
392         }
393       } else {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
395           ats_free(item);
396         }
397       }
398     }
399     
/lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
388     
389       if (f->alignment) {
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
391           ats_memalign_free(item);
392         }
393       } else {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
395           ats_free(item);
396         }
397       }
398     }
399     
/lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, 
unsigned long)()
384       void *item = head;
385     
386       // Avoid compiler warnings
387       (void)tail;
388     
389       if (f->alignment) {
   CID 1325824:    (USE_AFTER_FREE)
   Using freed pointer "item".
390         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
391           ats_memalign_free(item);
392         }
393       } else {
394         for (size_t i = 0; i < num_item && item; ++i, item = *(void 
**)item) {
395           ats_free(item);

{code}


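In both loops the increment expression `item = *(void **)item` runs after the 
loop body has already passed `item` to ats_memalign_free() / ats_free(), so the 
next pointer is read out of memory that has just been freed. Seems we ought to 
not use the item in the iterator after we've already freed it :). The next 
pointer should be read into a local before the free call.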



