clang-static-analyzer: False positive UAF when removing STAILQ entries

[rojer]

Static analyzer reports a false positive UAF (clang-analyzer-cplusplus.NewDelete) when an element of a TAILQ (singly-linked list with head/tail pointers from <sys/queue.h>) is removed and deleted (in a safe manner) inside a FOREACH loop.

Minimal(ish) repro:

#include <stdio.h>
#include <sys/queue.h>

struct Foo {
  Foo(int _n) : n(_n) {}

  int n = 0;
  STAILQ_ENTRY(Foo) next = {};
};

STAILQ_HEAD(foos, Foo)
foos = STAILQ_HEAD_INITIALIZER(foos);

int main() {
  Foo *fi;

  for (int i = 1; i <= 3; i++) {
    fi = new Foo(i);
    STAILQ_INSERT_TAIL(&foos, fi, next);
  }

  STAILQ_FOREACH(fi, &foos, next) {
    printf("%d\n", fi->n);
  }
  printf("\n");

  bool removed = false;
  do {
    removed = false;
    STAILQ_FOREACH(fi, &foos, next) {
      printf("%p\n", fi);  // False UAF reported here
      if (fi->n == 1) {
        STAILQ_REMOVE(&foos, fi, Foo, next);
        printf(" delete %p\n", fi);
        delete fi;
        removed = true;
        break;
      }
    }
  } while (removed);
  printf("\n");

  STAILQ_FOREACH(fi, &foos, next) {
    printf("%d\n", fi->n);
  }

  return 0;
}

clang-tidy 21.1.5 warning:

[rojer@nbf /tmp]$ ~/Downloads/LLVM-21.1.5-Linux-X64/bin/clang-tidy --version
LLVM (http://llvm.org/):
  LLVM version 21.1.5
  Optimized build.
[rojer@nbf /tmp]$ ~/Downloads/LLVM-21.1.5-Linux-X64/bin/clang-tidy qq.cpp 
Error while trying to load a compilation database:
Could not auto-detect compilation database for file "qq.cpp"
No compilation database found in /tmp or any parent directory
fixed-compilation-database: Error while opening fixed database: No such file or directory
json-compilation-database: Error while opening JSON database: No such file or directory
Running without flags.
1 warning generated.
/tmp/qq.cpp:31:7: warning: Use of memory after it is freed [clang-analyzer-cplusplus.NewDelete]
   31 |       printf("%p\n", fi);  // False UAF reported here
      |       ^              ~~
/tmp/qq.cpp:17:3: note: Loop condition is true.  Entering loop body
   17 |   for (int i = 1; i <= 3; i++) {
      |   ^
/tmp/qq.cpp:19:5: note: Loop condition is false.  Exiting loop
   19 |     STAILQ_INSERT_TAIL(&foos, fi, next);
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:239:46: note: expanded from macro 'STAILQ_INSERT_TAIL'
  239 | #define STAILQ_INSERT_TAIL(head, elm, field) do {                       \
      |                                              ^
/tmp/qq.cpp:17:3: note: Loop condition is true.  Entering loop body
   17 |   for (int i = 1; i <= 3; i++) {
      |   ^
/tmp/qq.cpp:19:5: note: Loop condition is false.  Exiting loop
   19 |     STAILQ_INSERT_TAIL(&foos, fi, next);
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:239:46: note: expanded from macro 'STAILQ_INSERT_TAIL'
  239 | #define STAILQ_INSERT_TAIL(head, elm, field) do {                       \
      |                                              ^
/tmp/qq.cpp:17:3: note: Loop condition is true.  Entering loop body
   17 |   for (int i = 1; i <= 3; i++) {
      |   ^
/tmp/qq.cpp:19:5: note: Loop condition is false.  Exiting loop
   19 |     STAILQ_INSERT_TAIL(&foos, fi, next);
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:239:46: note: expanded from macro 'STAILQ_INSERT_TAIL'
  239 | #define STAILQ_INSERT_TAIL(head, elm, field) do {                       \
      |                                              ^
/tmp/qq.cpp:17:3: note: Loop condition is false. Execution continues on line 22
   17 |   for (int i = 1; i <= 3; i++) {
      |   ^
/tmp/qq.cpp:22:3: note: Loop condition is true.  Entering loop body
   22 |   STAILQ_FOREACH(fi, &foos, next) {
      |   ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)->stqh_first);                              \
      |         ^
/tmp/qq.cpp:22:3: note: Loop condition is false. Execution continues on line 25
   22 |   STAILQ_FOREACH(fi, &foos, next) {
      |   ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)->stqh_first);                              \
      |         ^
/tmp/qq.cpp:30:5: note: Loop condition is true.  Entering loop body
   30 |     STAILQ_FOREACH(fi, &foos, next) {
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)->stqh_first);                              \
      |         ^
/tmp/qq.cpp:32:11: note: Assuming field 'n' is not equal to 1
   32 |       if (fi->n == 1) {
      |           ^~~~~~~~~~
/tmp/qq.cpp:32:7: note: Taking false branch
   32 |       if (fi->n == 1) {
      |       ^
/tmp/qq.cpp:30:5: note: Loop condition is true.  Entering loop body
   30 |     STAILQ_FOREACH(fi, &foos, next) {
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)->stqh_first);                              \
      |         ^
/tmp/qq.cpp:32:11: note: Assuming field 'n' is equal to 1
   32 |       if (fi->n == 1) {
      |           ^~~~~~~~~~
/tmp/qq.cpp:32:7: note: Taking true branch
   32 |       if (fi->n == 1) {
      |       ^
/tmp/qq.cpp:33:9: note: Assuming 'fi' is equal to field 'stqh_first'
   33 |         STAILQ_REMOVE(&foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:257:6: note: expanded from macro 'STAILQ_REMOVE'
  257 |         if ((head)->stqh_first == (elm)) {                              \
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/tmp/qq.cpp:33:9: note: Taking true branch
   33 |         STAILQ_REMOVE(&foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:257:2: note: expanded from macro 'STAILQ_REMOVE'
  257 |         if ((head)->stqh_first == (elm)) {                              \
      |         ^
/tmp/qq.cpp:33:9: note: Taking false branch
   33 |         STAILQ_REMOVE(&foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:258:3: note: expanded from macro 'STAILQ_REMOVE'
  258 |                 STAILQ_REMOVE_HEAD((head), field);                      \
      |                 ^
/usr/include/x86_64-linux-gnu/sys/queue.h:252:2: note: expanded from macro 'STAILQ_REMOVE_HEAD'
  252 |         if (((head)->stqh_first = (head)->stqh_first->field.stqe_next) == NULL) \
      |         ^
/tmp/qq.cpp:33:9: note: Loop condition is false.  Exiting loop
   33 |         STAILQ_REMOVE(&foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:258:3: note: expanded from macro 'STAILQ_REMOVE'
  258 |                 STAILQ_REMOVE_HEAD((head), field);                      \
      |                 ^
/usr/include/x86_64-linux-gnu/sys/queue.h:251:41: note: expanded from macro 'STAILQ_REMOVE_HEAD'
  251 | #define STAILQ_REMOVE_HEAD(head, field) do {                            \
      |                                         ^
/tmp/qq.cpp:33:9: note: Loop condition is false.  Exiting loop
   33 |         STAILQ_REMOVE(&foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:256:47: note: expanded from macro 'STAILQ_REMOVE'
  256 | #define STAILQ_REMOVE(head, elm, type, field) do {                      \
      |                                               ^
/tmp/qq.cpp:35:9: note: Memory is released
   35 |         delete fi;
      |         ^~~~~~~~~
/tmp/qq.cpp:37:9: note:  Execution continues on line 40
   37 |         break;
      |         ^
/tmp/qq.cpp:28:3: note: Loop condition is true. Execution continues on line 29
   28 |   do {
      |   ^
/tmp/qq.cpp:30:5: note: Loop condition is true.  Entering loop body
   30 |     STAILQ_FOREACH(fi, &foos, next) {
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)->stqh_first);                              \
      |         ^
/tmp/qq.cpp:31:7: note: Use of memory after it is freed
   31 |       printf("%p\n", fi);  // False UAF reported here
      |       ^              ~~
[rojer@nbf /tmp]$

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Deomid Ryabkov (rojer)

Static analyzer reports a false positive UAF (`clang-analyzer-cplusplus.NewDelete`) when an element of a TAILQ (singly-linked list with head/tail pointers from [<sys/queue.h>](https://man7.org/linux/man-pages/man7/queue.7.html)) is removed and deleted (in a safe manner) inside a FOREACH loop.

Minimal(ish) repro:

#include <stdio.h>
#include <sys/queue.h>

struct Foo {
  Foo(int _n) : n(_n) {}

  int n = 0;
  STAILQ_ENTRY(Foo) next = {};
};

STAILQ_HEAD(foos, Foo)
foos = STAILQ_HEAD_INITIALIZER(foos);

int main() {
  Foo *fi;

  for (int i = 1; i <= 3; i++) {
    fi = new Foo(i);
    STAILQ_INSERT_TAIL(&foos, fi, next);
  }

  STAILQ_FOREACH(fi, &foos, next) {
    printf("%d\n", fi->n);
  }
  printf("\n");

  bool removed = false;
  do {
    removed = false;
    STAILQ_FOREACH(fi, &foos, next) {
      printf("%p\n", fi);  // False UAF reported here
      if (fi->n == 1) {
        STAILQ_REMOVE(&foos, fi, Foo, next);
        printf(" delete %p\n", fi);
        delete fi;
        removed = true;
        break;
      }
    }
  } while (removed);
  printf("\n");

  STAILQ_FOREACH(fi, &foos, next) {
    printf("%d\n", fi->n);
  }

  return 0;
}

clang-tidy 21.1.5 warning:

[rojer@<!-- -->nbf /tmp]$ ~/Downloads/LLVM-21.1.5-Linux-X64/bin/clang-tidy --version
LLVM (http://llvm.org/):
  LLVM version 21.1.5
  Optimized build.
[rojer@<!-- -->nbf /tmp]$ ~/Downloads/LLVM-21.1.5-Linux-X64/bin/clang-tidy qq.cpp 
Error while trying to load a compilation database:
Could not auto-detect compilation database for file "qq.cpp"
No compilation database found in /tmp or any parent directory
fixed-compilation-database: Error while opening fixed database: No such file or directory
json-compilation-database: Error while opening JSON database: No such file or directory
Running without flags.
1 warning generated.
/tmp/qq.cpp:31:7: warning: Use of memory after it is freed [clang-analyzer-cplusplus.NewDelete]
   31 |       printf("%p\n", fi);  // False UAF reported here
      |       ^              ~~
/tmp/qq.cpp:17:3: note: Loop condition is true.  Entering loop body
   17 |   for (int i = 1; i &lt;= 3; i++) {
      |   ^
/tmp/qq.cpp:19:5: note: Loop condition is false.  Exiting loop
   19 |     STAILQ_INSERT_TAIL(&amp;foos, fi, next);
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:239:46: note: expanded from macro 'STAILQ_INSERT_TAIL'
  239 | #define STAILQ_INSERT_TAIL(head, elm, field) do {                       \
      |                                              ^
/tmp/qq.cpp:17:3: note: Loop condition is true.  Entering loop body
   17 |   for (int i = 1; i &lt;= 3; i++) {
      |   ^
/tmp/qq.cpp:19:5: note: Loop condition is false.  Exiting loop
   19 |     STAILQ_INSERT_TAIL(&amp;foos, fi, next);
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:239:46: note: expanded from macro 'STAILQ_INSERT_TAIL'
  239 | #define STAILQ_INSERT_TAIL(head, elm, field) do {                       \
      |                                              ^
/tmp/qq.cpp:17:3: note: Loop condition is true.  Entering loop body
   17 |   for (int i = 1; i &lt;= 3; i++) {
      |   ^
/tmp/qq.cpp:19:5: note: Loop condition is false.  Exiting loop
   19 |     STAILQ_INSERT_TAIL(&amp;foos, fi, next);
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:239:46: note: expanded from macro 'STAILQ_INSERT_TAIL'
  239 | #define STAILQ_INSERT_TAIL(head, elm, field) do {                       \
      |                                              ^
/tmp/qq.cpp:17:3: note: Loop condition is false. Execution continues on line 22
   17 |   for (int i = 1; i &lt;= 3; i++) {
      |   ^
/tmp/qq.cpp:22:3: note: Loop condition is true.  Entering loop body
   22 |   STAILQ_FOREACH(fi, &amp;foos, next) {
      |   ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)-&gt;stqh_first);                              \
      |         ^
/tmp/qq.cpp:22:3: note: Loop condition is false. Execution continues on line 25
   22 |   STAILQ_FOREACH(fi, &amp;foos, next) {
      |   ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)-&gt;stqh_first);                              \
      |         ^
/tmp/qq.cpp:30:5: note: Loop condition is true.  Entering loop body
   30 |     STAILQ_FOREACH(fi, &amp;foos, next) {
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)-&gt;stqh_first);                              \
      |         ^
/tmp/qq.cpp:32:11: note: Assuming field 'n' is not equal to 1
   32 |       if (fi-&gt;n == 1) {
      |           ^~~~~~~~~~
/tmp/qq.cpp:32:7: note: Taking false branch
   32 |       if (fi-&gt;n == 1) {
      |       ^
/tmp/qq.cpp:30:5: note: Loop condition is true.  Entering loop body
   30 |     STAILQ_FOREACH(fi, &amp;foos, next) {
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)-&gt;stqh_first);                              \
      |         ^
/tmp/qq.cpp:32:11: note: Assuming field 'n' is equal to 1
   32 |       if (fi-&gt;n == 1) {
      |           ^~~~~~~~~~
/tmp/qq.cpp:32:7: note: Taking true branch
   32 |       if (fi-&gt;n == 1) {
      |       ^
/tmp/qq.cpp:33:9: note: Assuming 'fi' is equal to field 'stqh_first'
   33 |         STAILQ_REMOVE(&amp;foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:257:6: note: expanded from macro 'STAILQ_REMOVE'
  257 |         if ((head)-&gt;stqh_first == (elm)) {                              \
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/tmp/qq.cpp:33:9: note: Taking true branch
   33 |         STAILQ_REMOVE(&amp;foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:257:2: note: expanded from macro 'STAILQ_REMOVE'
  257 |         if ((head)-&gt;stqh_first == (elm)) {                              \
      |         ^
/tmp/qq.cpp:33:9: note: Taking false branch
   33 |         STAILQ_REMOVE(&amp;foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:258:3: note: expanded from macro 'STAILQ_REMOVE'
  258 |                 STAILQ_REMOVE_HEAD((head), field);                      \
      |                 ^
/usr/include/x86_64-linux-gnu/sys/queue.h:252:2: note: expanded from macro 'STAILQ_REMOVE_HEAD'
  252 |         if (((head)-&gt;stqh_first = (head)-&gt;stqh_first-&gt;field.stqe_next) == NULL) \
      |         ^
/tmp/qq.cpp:33:9: note: Loop condition is false.  Exiting loop
   33 |         STAILQ_REMOVE(&amp;foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:258:3: note: expanded from macro 'STAILQ_REMOVE'
  258 |                 STAILQ_REMOVE_HEAD((head), field);                      \
      |                 ^
/usr/include/x86_64-linux-gnu/sys/queue.h:251:41: note: expanded from macro 'STAILQ_REMOVE_HEAD'
  251 | #define STAILQ_REMOVE_HEAD(head, field) do {                            \
      |                                         ^
/tmp/qq.cpp:33:9: note: Loop condition is false.  Exiting loop
   33 |         STAILQ_REMOVE(&amp;foos, fi, Foo, next);
      |         ^
/usr/include/x86_64-linux-gnu/sys/queue.h:256:47: note: expanded from macro 'STAILQ_REMOVE'
  256 | #define STAILQ_REMOVE(head, elm, type, field) do {                      \
      |                                               ^
/tmp/qq.cpp:35:9: note: Memory is released
   35 |         delete fi;
      |         ^~~~~~~~~
/tmp/qq.cpp:37:9: note:  Execution continues on line 40
   37 |         break;
      |         ^
/tmp/qq.cpp:28:3: note: Loop condition is true. Execution continues on line 29
   28 |   do {
      |   ^
/tmp/qq.cpp:30:5: note: Loop condition is true.  Entering loop body
   30 |     STAILQ_FOREACH(fi, &amp;foos, next) {
      |     ^
/usr/include/x86_64-linux-gnu/sys/queue.h:270:2: note: expanded from macro 'STAILQ_FOREACH'
  270 |         for ((var) = ((head)-&gt;stqh_first);                              \
      |         ^
/tmp/qq.cpp:31:7: note: Use of memory after it is freed
   31 |       printf("%p\n", fi);  // False UAF reported here
      |       ^              ~~
[rojer@<!-- -->nbf /tmp]$

[steakhal]

Hey, could you please explain which steps to look at that would confirm that this is a FP?

[rojer]

@steakhal built and ran with -fsanitize-address - no UAF reported.

[rojer]

slightly modified for clarity:

[rojer@nbf ~/allterco/shelly-ng ubuntu_lfs]$ cat qq.cpp 
#include <stdio.h>
#include <sys/queue.h>

struct Foo {
  Foo(int _n) : n(_n) {}

  int n = 0;
  STAILQ_ENTRY(Foo) next = {};
};

STAILQ_HEAD(foos, Foo)
foos = STAILQ_HEAD_INITIALIZER(foos);

int main() {
  Foo *fi;

  for (int i = 1; i <= 3; i++) {
    fi = new Foo(i);
    STAILQ_INSERT_TAIL(&foos, fi, next);
  }

  STAILQ_FOREACH(fi, &foos, next) {
    printf("%d\n", fi->n);
  }
  printf("\n");

  bool removed = false;
  do {
    removed = false;
    printf("start\n");
    STAILQ_FOREACH(fi, &foos, next) {
      printf("%p\n", fi);  // (1) False UAF reported here
      if (fi->n == 1) {
        STAILQ_REMOVE(&foos, fi, Foo, next);
        printf(" delete %p\n", fi);
        delete fi;
        // fi->n = 2; // (2) THIS is UAF
        removed = true;
        break;
      }
    }
  } while (removed);
  printf("\n");

  STAILQ_FOREACH(fi, &foos, next) {
    printf("%d\n", fi->n);
  }

  return 0;
}
[rojer@nbf ~/allterco/shelly-ng ubuntu_lfs]$ clang++ -o qq -Wall -Werror -fsanitize=address qq.cpp && ./qq
1
2
3

start
0x502000000010
 delete 0x502000000010
start
0x502000000030
0x502000000050

2
3

clang-tidy reports UAF at (1) but ASAN does not. now, if uncommented, (2) is a genuine UAF - caught and reported by both (in this case (1) is not reported,a ctually),

[steakhal]

Thank you. I'm not familiar with this data-structures (STAILQ_HEAD).
I can only help effectively, if I can understand the code with minimal investment.
Be mindful that contributors, like myself, invest their free time. Personally, I need to balance my time triaging many issues, and usually invest more where it's easier and yields results.
Currently, I have about 3 pages of description, and I was wondering if you could give me some pointers highlighting where the analysis goes wrong and takes steps you think doesn't match your expectation.
And I'd like to thank you taking your time for reporting this, and probably you are right, but in the current form I don't think I can help you.

[rojer]

@steakhal yeah, it's buried in about 3 levels of macros. i stared at it for some time - something about the head of the linked list confuses the analyzer, it complains about the tail pointer of the head structure in particular.
fwiw, i tried to "unroll" the macros and reproduce it without them, but it didn't. perhaps therein lies the problem - in following all those macro definitions?

[steakhal]

I was thinking if you could minimise by hand the following:
https://godbolt.org/z/Eq8ofoWz7

I got this by pasting your most recent repro to the preprocessor -E, and passed that text to Compiler Explorer.
I could use automatic reduction tools like creduce, but that would likely just transform this FP into a TP, so this needs to be reduced by a human.

[rojer]

ok, i think this is it.

  bool removed = false;
  do {
    removed = false;
    printf("start\n");
    for (fi = foos.stqh_first; fi; fi = fi->next.stqe_next) {
        printf("%p\n", fi);
        if (false || fi->n == 1) {  // (1)
            foos.stqh_first = foos.stqh_first->next.stqe_next;
            if (foos.stqh_first == nullptr) foos.stqh_last = &foos.stqh_first;
            printf(" delete %p\n", fi);
            delete fi;
            removed = true;
            break;
        }
    }
  } while (removed);

condition (1) seems to be crucial. in the default state, only the head element is removed (correctly) but the analyzer complains (incorrectly).

$ clang++ -o qq -Wall -Werror -fsanitize=address qq.cpp && ./qq
1
2
3

start
0x502000000010
 delete 0x502000000010
start
0x502000000030
0x502000000050

2
3

if false is changed to true, i.e. condition is always true, then all elements are removed, one by one (again - corredctly) and analyzer does not complain.

$ clang++ -o qq -Wall -Werror -fsanitize=address qq.cpp && ./qq
1
2
3

start
0x502000000010
 delete 0x502000000010
start
0x502000000030
 delete 0x502000000030
start
0x502000000050
 delete 0x502000000050
start

[steakhal]

Thank you for your time. Could you please fill out the gaps to have a single code snippet that I could play with in godbolt that is preprocessed already and has minimal code inside?

[rojer]

ok, i believe this is the smallest repro for the issue.

#include <stdio.h>

struct Foo {
  Foo(int _n) : n(_n) {}

  int n = 0;
  struct { struct Foo *stqe_next; } next = {};
};

struct foos { struct Foo *stqh_first; struct Foo **stqh_last; }
foos = { nullptr, &(foos).stqh_first };

int main() {
  bool removed;
  do {
    removed = false;
    for (Foo *fi = foos.stqh_first; fi; fi = fi->next.stqe_next) {
        printf("%p\n", fi);
        if (false || fi->n == 1) {  // (1)
            foos.stqh_first = foos.stqh_first->next.stqe_next;
            if (foos.stqh_first == nullptr) foos.stqh_last = &foos.stqh_first;
            delete fi;
            removed = true;
            break;
        }
    }
  } while (removed);
  return 0;
}

as before, condition (1) is critical