Bug 602532
| Summary: | coverity: agmtlist_delete_callback: object_release and objset_remove_obj | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Noriko Hosoi <nhosoi> |
| Component: | Replication - General | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.2.6 | CC: | benl, jgalipea |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=12277&streamDefectId=12463&defectInstanceId=14361&fileInstanceId=49516 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-09-14 18:48:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 434915, 576869 | | |

Description
Noriko Hosoi
2010-06-10 04:18:41 UTC
Comment: The current coding is correct. It has no chance to use the address of an object after it is freed. Here's the reason. When an object is added to an objset, refcnt is incremented by 1. In agmtlist_delete_callback, ro is returned from objset_find, which increments refcnt by 1. I.e., at least, the refcnt is 2 at line 538. In object_release, refcnt is decreased by 1, where refcnt is still positive and the object ro is left untouched. The following objset_remove_obj really releases the object regardless of the refcnt value. Also, the function objset_remove_obj asserts the given object must not be NULL "PR_ASSERT(NULL != object);"
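
The reference-count sequence described in the comment above, as an added example that is not part of the bug report or the 389 code base. It is a simplified C model with hypothetical names (`toy_obj`, `toy_set` and the `toy_*` functions), and it assumes that removal from the set unlinks the member and drops the set's own reference.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not the 389 API. */
typedef struct toy_obj { int refcnt; int *freed; } toy_obj;
typedef struct toy_set { toy_obj *member; } toy_set;

static toy_obj *toy_new(int *freed) {
    toy_obj *o = malloc(sizeof *o);
    if (o == NULL) abort();
    o->refcnt = 1;              /* creator's reference */
    o->freed = freed;           /* counter lives outside the object */
    return o;
}
static void toy_release(toy_obj *o) {
    if (--o->refcnt == 0) { ++*o->freed; free(o); }
}
static void toy_set_add(toy_set *s, toy_obj *o) { o->refcnt++; s->member = o; }
static toy_obj *toy_set_find(toy_set *s) {
    if (s->member != NULL) s->member->refcnt++;   /* caller gets a reference */
    return s->member;
}
/* Assumption: removal unlinks the member and drops the set's reference. */
static void toy_set_remove(toy_set *s, toy_obj *o) {
    if (s->member == o) { s->member = NULL; toy_release(o); }
}

/* find -> release -> remove; returns refcnt seen between release and remove. */
int delete_callback_model(int *freed) {
    toy_set set = { NULL };
    toy_obj *created = toy_new(freed);
    toy_set_add(&set, created);         /* refcnt 2 */
    toy_release(created);               /* refcnt 1: only the set holds it */
    toy_obj *ro = toy_set_find(&set);   /* refcnt 2 */
    if (ro == NULL) return -1;
    toy_release(ro);                    /* refcnt 1: ro is still allocated */
    int between = ro->refcnt;           /* valid read, nothing freed yet */
    toy_set_remove(&set, ro);           /* refcnt 0: freed here, ro not used after */
    return between;
}

int main(void) {
    int freed = 0;
    int between = delete_callback_model(&freed);
    printf("refcnt between release and remove: %d, frees: %d\n", between, freed);
    return 0;
}
```

Building the model with `-fsanitize=address` gives a runtime check of the same claim: no read of `ro` happens after the single free.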