Hi everyone,
I was reading through items.c and got confused. Maybe someone here can
give me a pointer. Here is the excerpt from 1.4.10
106     search = tails[id];
107     if (search == NULL) {
108         it = slabs_alloc(ntotal, id);
109     } else if (search->refcount == 0) {
110         if ((search->time < oldest_live) || // dead by flush
111             (search->exptime != 0 && search->exptime < current_time)) {
112             STATS_LOCK();
113             stats.reclaimed++;
114             STATS_UNLOCK();
115             itemstats[id].reclaimed++;
116             if ((search->it_flags & ITEM_FETCHED) == 0) {
117                 STATS_LOCK();
118                 stats.expired_unfetched++;
119                 STATS_UNLOCK();
120                 itemstats[id].expired_unfetched++;
121             }
122             it = search;
123             it->refcount = 1;
124             slabs_adjust_mem_requested(it->slabs_clsid, ITEM_ntotal(it), ntotal);
125             do_item_unlink_nolock(it, hash(ITEM_key(it), it->nkey, 0));
126             /* Initialize the item block: */
127             it->slabs_clsid = 0;
128             it->refcount = 0;
129         }
130     }
131
132     if (it == NULL && (it = slabs_alloc(ntotal, id)) == NULL) {
133         if (search->refcount == 0 &&
134             (search->exptime == 0 || search->exptime > current_time)) {
Is there any guarantee that search is not NULL on Line 133? I think if
Line 107 is true and takes the branch on Line 108, there is nothing
between there and Line 133 that sets the value for search. So, if
slabs_alloc fails to allocate memory in all the instances and it
remains NULL, we can end up dereferencing a NULL pointer on Line 133.
Feedback is appreciated. Many thanks in advance.
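To make the control-flow question above concrete, here is a reduced model of the quoted path. This is an added example written for this page, not memcached's own code: the item struct, the tails[] array, the pool behind slabs_alloc_model() and the alloc_fails switch are all constructed so the path can be driven offline, and the reclaim branch on lines 110-129 is left out because it can only run when search is non-NULL. The guarded flag adds the NULL check that the excerpt does not have before line 133.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Reduced model of the quoted do_item_alloc() path. Names mirror the
 * excerpt; the struct, pool and failure switch are constructed for this
 * example and are not memcached's. */
typedef struct item_model {
    unsigned int refcount;
    int exptime;
} item_model;

#define NUM_CLASSES 8
static item_model *tails[NUM_CLASSES];   /* assumed: one LRU tail per slab class */
static bool alloc_fails;                 /* injected: slabs_alloc_model() returns NULL */
static int current_time = 100;           /* assumed clock value */

void set_tail(unsigned int id, item_model *tail) { tails[id] = tail; }
void set_alloc_fails(bool fails) { alloc_fails = fails; }

/* Stand-in for slabs_alloc(): hands out items from a small static pool
 * until told to fail, which is the condition the post asks about. */
static item_model *slabs_alloc_model(size_t ntotal, unsigned int id) {
    static item_model pool[4];
    static unsigned int used;
    (void)ntotal; (void)id;
    if (alloc_fails || used >= 4) return NULL;
    pool[used].refcount = 1;
    return &pool[used++];
}

enum alloc_outcome { OUT_ALLOCATED, OUT_NO_MEMORY, OUT_NULL_DEREF };

/* Walks the control flow of lines 106-134 of the excerpt. With guarded ==
 * false it reports OUT_NULL_DEREF at the point where the original would
 * evaluate search->refcount on a NULL search; with guarded == true it
 * checks search first and reports plain allocation failure instead. */
enum alloc_outcome do_item_alloc_model(size_t ntotal, unsigned int id, bool guarded) {
    item_model *it = NULL;
    item_model *search = tails[id];              /* line 106 */

    if (search == NULL) {
        it = slabs_alloc_model(ntotal, id);      /* line 108: search stays NULL */
    } else if (search->refcount == 0) {
        /* reclaim-on-expiry branch (lines 110-129) not modelled */
    }

    if (it == NULL && (it = slabs_alloc_model(ntotal, id)) == NULL) {   /* line 132 */
        if (search == NULL) {
            /* Both allocations failed and the class had no tail item.
             * The excerpt has no check here and goes straight to
             * search->refcount on line 133. */
            return guarded ? OUT_NO_MEMORY : OUT_NULL_DEREF;
        }
        /* Lines 133-134: safe only because search is known non-NULL here. */
        bool evictable = search->refcount == 0 &&
                         (search->exptime == 0 || search->exptime > current_time);
        (void)evictable;   /* the eviction logic itself is not modelled */
        return OUT_NO_MEMORY;
    }
    return OUT_ALLOCATED;
}

int main(void) {
    set_alloc_fails(true);
    set_tail(3, NULL);
    printf("unguarded, empty class, alloc fails: %d (2 = NULL deref)\n",
           do_item_alloc_model(64, 3, false));
    printf("guarded, same state: %d (1 = no memory)\n",
           do_item_alloc_model(64, 3, true));
    return 0;
}
```

Driving the model with an empty slab class (tails[id] == NULL) and a failing allocator is exactly the scenario the post describes, and the unguarded variant reaches the NULL read; the guarded variant shows the one-line check that would turn it into an ordinary out-of-memory result. With a non-NULL tail the line-133 read is safe in both variants, which is why the question hinges solely on the search == NULL branch at line 107.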