diffcore-break.c

Bug Summary

File:	diffcore-break.c
Location:	line 294, column 5
Description:	Use of memory after it is freed

Annotated Source Code

#include "cache.h"

#include "diff.h"

#include "diffcore.h"

static int should_break(struct diff_filespec *src,

struct diff_filespec *dst,

int break_score,

int *merge_score_p)

{

/* dst is recorded as a modification of src. Are they so

* different that we are better off recording this as a pair

* of delete and create?

* There are two criteria used in this algorithm. For the

* purposes of helping later rename/copy, we take both delete

* and insert into account and estimate the amount of "edit".

* If the edit is very large, we break this pair so that

* rename/copy can pick the pieces up to match with other

* files.

* On the other hand, we would want to ignore inserts for the

* pure "complete rewrite" detection. As long as most of the

* existing contents were removed from the file, it is a

* complete rewrite, and if sizable chunk from the original

* still remains in the result, it is not a rewrite. It does

* not matter how much or how little new material is added to

* the file.

* The score we leave for such a broken filepair uses the

* latter definition so that later clean-up stage can find the

* pieces that should not have been broken according to the

* latter definition after rename/copy runs, and merge the

* broken pair that have a score lower than given criteria

* back together. The break operation itself happens

* according to the former definition.

* The minimum_edit parameter tells us when to break (the

* amount of "edit" required for us to consider breaking the

* pair). We leave the amount of deletion in *merge_score_p

* when we return.

* The value we return is 1 if we want the pair to be broken,

* or 0 if we do not.

unsigned long delta_size, max_size;

unsigned long src_copied, literal_added, src_removed;

*merge_score_p = 0; /* assume no deletion --- "do not break"

* is the default.

if (S_ISREG(src->mode)(((src->mode) & 0170000) == 0100000) != S_ISREG(dst->mode)(((dst->mode) & 0170000) == 0100000)) {

*merge_score_p = (int)MAX_SCORE60000.0;

return 1; /* even their types are different */

}

if (src->oid_valid && dst->oid_valid &&

!oidcmp(&src->oid, &dst->oid))

return 0; /* they are the same */

if (diff_populate_filespec(src, 0) || diff_populate_filespec(dst, 0))

return 0; /* error but caught downstream */

max_size = ((src->size > dst->size) ? src->size : dst->size);

if (max_size < MINIMUM_BREAK_SIZE400)

return 0; /* we do not break too small filepair */

if (!src->size)

return 0; /* we do not let empty files get renamed */

if (diffcore_count_changes(src, dst,

&src->cnt_data, &dst->cnt_data,

&src_copied, &literal_added))

return 0;

/* sanity */

if (src->size < src_copied)

src_copied = src->size;

if (dst->size < literal_added + src_copied) {

if (src_copied < dst->size)

literal_added = dst->size - src_copied;

else

literal_added = 0;

}

src_removed = src->size - src_copied;

/* Compute merge-score, which is "how much is removed

* from the source material". The clean-up stage will

* merge the surviving pair together if the score is

* less than the minimum, after rename/copy runs.

*merge_score_p = (int)(src_removed * MAX_SCORE60000.0 / src->size);

if (*merge_score_p > break_score)

return 1;

/* Extent of damage, which counts both inserts and

100

* deletes.

101

102

delta_size = src_removed + literal_added;

103

if (delta_size * MAX_SCORE60000.0 / max_size < break_score)

104

return 0;

105

106

/* If you removed a lot without adding new material, that is

107

* not really a rewrite.

108

109

if ((src->size * break_score < src_removed * MAX_SCORE60000.0) &&

110

(literal_added * 20 < src_removed) &&

111

(literal_added * 20 < src_copied))

112

return 0;

113

114

return 1;

115

}

116

117

void diffcore_break(int break_score)

118

{

119

struct diff_queue_struct *q = &diff_queued_diff;

120

struct diff_queue_struct outq;

121

122

/* When the filepair has this much edit (insert and delete),

123

* it is first considered to be a rewrite and broken into a

124

* create and delete filepair. This is to help breaking a

125

* file that had too much new stuff added, possibly from

126

* moving contents from another file, so that rename/copy can

127

* match it with the other file.

128

129

* int break_score; we reuse incoming parameter for this.

130

131

132

/* After a pair is broken according to break_score and

133

* subjected to rename/copy, both of them may survive intact,

134

* due to lack of suitable rename/copy peer. Or, the caller

135

* may be calling us without using rename/copy. When that

136

* happens, we merge the broken pieces back into one

137

* modification together if the pair did not have more than

138

* this much delete. For this computation, we do not take

139

* insert into account at all. If you start from a 100-line

140

* file and delete 97 lines of it, it does not matter if you

141

* add 27 lines to it to make a new 30-line file or if you add

142

* 997 lines to it to make a 1000-line file. Either way what

143

* you did was a rewrite of 97%. On the other hand, if you

144

* delete 3 lines, keeping 97 lines intact, it does not matter

145

* if you add 3 lines to it to make a new 100-line file or if

146

* you add 903 lines to it to make a new 1000-line file.

147

* Either way you did a lot of additions and not a rewrite.

148

* This merge happens to catch the latter case. A merge_score

149

* of 80% would be a good default value (a broken pair that

150

* has score lower than merge_score will be merged back

151

* together).

152

153

int merge_score;

154

int i;

155

156

/* See comment on DEFAULT_BREAK_SCORE and

157

* DEFAULT_MERGE_SCORE in diffcore.h

158

159

merge_score = (break_score >> 16) & 0xFFFF;

160

break_score = (break_score & 0xFFFF);

161

162

if (!break_score)

163

break_score = DEFAULT_BREAK_SCORE30000;

164

if (!merge_score)

165

merge_score = DEFAULT_MERGE_SCORE36000;

166

167

DIFF_QUEUE_CLEAR(&outq)do { (&outq)->queue = ((void*)0); (&outq)->nr =
(&outq)->alloc = 0; } while (0);

168

169

for (i = 0; i < q->nr; i++) {

170

struct diff_filepair *p = q->queue[i];

171

int score;

172

173

174

* We deal only with in-place edit of blobs.

175

* We do not break anything else.

176

177

if (DIFF_FILE_VALID(p->one)(((p->one)->mode) != 0) && DIFF_FILE_VALID(p->two)(((p->two)->mode) != 0) &&

178

object_type(p->one->mode) == OBJ_BLOB &&

179

object_type(p->two->mode) == OBJ_BLOB &&

180

!strcmp(p->one->path, p->two->path)) {

181

if (should_break(p->one, p->two,

182

break_score, &score)) {

183

/* Split this into delete and create */

184

struct diff_filespec *null_one, *null_two;

185

struct diff_filepair *dp;

186

187

/* Set score to 0 for the pair that

188

* needs to be merged back together

189

* should they survive rename/copy.

190

* Also we do not want to break very

191

* small files.

192

193

if (score < merge_score)

194

score = 0;

195

196

/* deletion of one */

197

null_one = alloc_filespec(p->one->path);

198

dp = diff_queue(&outq, p->one, null_one);

199

dp->score = score;

200

dp->broken_pair = 1;

201

202

/* creation of two */

203

null_two = alloc_filespec(p->two->path);

204

dp = diff_queue(&outq, null_two, p->two);

205

dp->score = score;

206

dp->broken_pair = 1;

207

208

diff_free_filespec_blob(p->one);

209

diff_free_filespec_blob(p->two);

210

free(p); /* not diff_free_filepair(), we are

211

* reusing one and two here.

212

213

continue;

214

}

215

}

216

diff_free_filespec_data(p->one);

217

diff_free_filespec_data(p->two);

218

diff_q(&outq, p);

219

}

220

free(q->queue);

221

*q = outq;

222

223

return;

224

}

225

226

static void merge_broken(struct diff_filepair *p,

227

struct diff_filepair *pp,

228

struct diff_queue_struct *outq)

229

{

230

/* p and pp are broken pairs we want to merge */

231

struct diff_filepair *c = p, *d = pp, *dp;

232

if (DIFF_FILE_VALID(p->one)(((p->one)->mode) != 0)) {

←

Taking false branch

→

233

/* this must be a delete half */

234

d = p; c = pp;

235

}

236

/* Sanity check */

237

if (!DIFF_FILE_VALID(d->one)(((d->one)->mode) != 0))

←

Taking false branch

→

238

die("internal error in merge #1");

239

if (DIFF_FILE_VALID(d->two)(((d->two)->mode) != 0))

←

Taking false branch

→

240

die("internal error in merge #2");

241

if (DIFF_FILE_VALID(c->one)(((c->one)->mode) != 0))

←

Taking false branch

→

242

die("internal error in merge #3");

243

if (!DIFF_FILE_VALID(c->two)(((c->two)->mode) != 0))

←

Taking false branch

→

244

die("internal error in merge #4");

245

246

dp = diff_queue(outq, d->one, c->two);

247

dp->score = p->score;

248

249

* We will be one extra user of the same src side of the

250

* broken pair, if it was used as the rename source for other

251

* paths elsewhere. Increment to mark that the path stays

252

* in the resulting tree.

253

254

d->one->rename_used++;

255

diff_free_filespec_data(d->two);

256

diff_free_filespec_data(c->one);

257

free(d);

258

free(c);

←

Memory is released

→

259

}

260

261

void diffcore_merge_broken(void)

262

{

263

struct diff_queue_struct *q = &diff_queued_diff;

264

struct diff_queue_struct outq;

265

int i, j;

266

267

DIFF_QUEUE_CLEAR(&outq)do { (&outq)->queue = ((void*)0); (&outq)->nr =
(&outq)->alloc = 0; } while (0);

268

269

for (i = 0; i < q->nr; i++) {

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

270

struct diff_filepair *p = q->queue[i];

271

if (!p)

←

Assuming 'p' is non-null

Taking false branch

Assuming 'p' is non-null

Taking false branch

Assuming 'p' is non-null

Taking false branch

Assuming 'p' is non-null

→

←

Taking false branch

→

272

/* we already merged this with its peer */

273

continue;

274

else if (p->broken_pair &&

←

Taking true branch

→

275

!strcmp(p->one->path, p->two->path)) {

276

/* If the peer also survived rename/copy, then

277

* we merge them back together.

278

279

for (j = i + 1; j < q->nr; j++) {

←

Loop condition is true. Entering loop body

→

280

struct diff_filepair *pp = q->queue[j];

281

if (pp->broken_pair &&

←

Taking true branch

→

282

!strcmp(pp->one->path, pp->two->path) &&

283

!strcmp(p->one->path, pp->two->path)) {

284

/* Peer survived. Merge them */

285

merge_broken(p, pp, &outq);

←

Calling 'merge_broken'

→

←

Returning; memory was released via 1st parameter

→

286

q->queue[j] = NULL((void*)0);

287

break;

←

Execution continues on line 290

→

288

}

289

}

290

if (q->nr <= j)

←

Taking true branch

→

291

/* The peer did not survive, so we keep

292

* it in the output.

293

294

diff_q(&outq, p);

←

Use of memory after it is freed

295

}

296

else

297

diff_q(&outq, p);

298

}

299

free(q->queue);

300

*q = outq;

301

302

return;

303

}