bisect: address Coverity warning about potential double free

pks-t · gitster · commit 5f9f7fafb7e7 · 2024-11-26T10:22:24.000+09:00
Coverity has started to warn about a potential double-free in
`find_bisection()`. This warning is triggered because we may modify the
list head of the passed-in `commit_list` in case it is an UNINTERESTING
commit, but still call `free_commit_list()` on the original variable
that points to the now-freed head in case where `do_find_bisection()`
returns a `NULL` pointer.

As far as I can see, this double free cannot happen in practice, as
`do_find_bisection()` only returns a `NULL` pointer when it was passed a
`NULL` input. So in order to trigger the double free we would have to
call `find_bisection()` with a commit list that only consists of
UNINTERESTING commits, but I have not been able to construct a case
where that happens.

Drop the `else` branch entirely as it seems to be a no-op anyway.
Another option might be to instead call `free_commit_list()` on `list`,
which is the modified version of `commit_list` and thus wouldn't cause a
double free. But as mentioned, I couldn't come up with any case where a
passed-in non-NULL list becomes empty, so this shouldn't be necessary.
And if it ever does become necessary we'd notice anyway via the leak
sanitizer.

Interestingly enough we did not have a single test exercising this
branch: all tests pass just fine even when replacing it with a call to
`BUG()`. Add a test that exercises it.

Reported-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/bisect.c b/bisect.c
@@ -442,8 +442,6 @@ void find_bisection(struct commit_list **commit_list, int *reaches,
 			best->next = NULL;
 		}
 		*reaches = weight(best);
-	} else {
-		free_commit_list(*commit_list);
 	}
 	*commit_list = best;
 
diff --git a/t/t6002-rev-list-bisect.sh b/t/t6002-rev-list-bisect.sh
@@ -308,4 +308,9 @@ test_expect_success '--bisect-all --first-parent' '
 	test_cmp expect actual
 '
 
+test_expect_success '--bisect without any revisions' '
+	git rev-list --bisect HEAD..HEAD >out &&
+	test_must_be_empty out
+'
+
 test_done

Original file line number	Diff line number	Diff line change
`@@ -442,8 +442,6 @@ void find_bisection(struct commit_list *commit_list, int reaches,`
`442`	`442`	`best->next = NULL;`
`443`	`443`	`}`
`444`	`444`	`*reaches = weight(best);`
`445`		`- } else {`
`446`		`- free_commit_list(*commit_list);`
`447`	`445`	`}`
`448`	`446`	`*commit_list = best;`
`449`	`447`
Original file line number	Diff line number	Diff line change
`@@ -308,4 +308,9 @@ test_expect_success '--bisect-all --first-parent' '`
`308`	`308`	`test_cmp expect actual`
`309`	`309`	`'`
`310`	`310`
	`311`	`+test_expect_success '--bisect without any revisions' '`
	`312`	`+ git rev-list --bisect HEAD..HEAD >out &&`
	`313`	`+ test_must_be_empty out`
	`314`	`+'`
	`315`	`+`
`311`	`316`	`test_done`